Re: Corporate Intranet

[Zack Payton <zpayton () gmail com>]

Yo,

Use the recent DNS vuln on their resolving DNS server, overwrite the
record for google.com with a webserver you control... load up activex
or flash/java/script app that calls home and sets up some kind of
proxy server or vpn tunnel back to you and use that to pwn all.

Quick, easy, and efficient.  Usually, you only get to pick two of the three.
Z

On Wed, Apr 29, 2009 at 4:27 AM, Aarón Mizrachi <unmanarc () gmail com> wrote:
> On Lunes 27 Abril 2009 14:14:52 iadcc escribió:
> > Has anybody done a penetration test, in trying to access a companies
> > corporate intranet, from outside the Network? If so can you give me some
> > pointers how you attempted to do so?
>
> Indeed.
>
> there are various vectors of attack. But, generally, try this scheme.
>
> 1. Try to map or figure out how is the network inside... There are too many
> ways to do that.
>
> First of all, you must know where are the public IP address of your company.
> If you are under blackbox, try using google and maltego to identify useful
> information about the company. Other method is sending a legitim request by
> email to a coorporative email, and wait for reply...
>
> On reply, you may found useful information.
>
> Next, scan external services and possible ip addresses, sometimes there are
> useful information and information leakage over ip external addresses.
>
> 2. When the map is done, do an exhaustive service scan and identification over
> all ip addresses involved, specially on routers. And If you found exploits on
> there (routers), all the work is done.
>
> If no success:
> 3. With the previous information, make a dictionary, and try bruteforce
> attacks on sensitive services (VPN, Router logins, whatever)
>
> 4. Try to exploit founded vulns (all depends on updates and configuration of
> every service).
>
> - On routers, many exploits involves download config, if you are lucky, you
> will found password there. Another option is create a VPN user or a route/nat
> entry.
>
> - On Webserver (or similar), if the webserver are shared on the intranet, you
> may try to get access on there. Then, you may redirect your connections to the
> intranet with a VPN (like openvpn)
>
> - On misconfigured proxies, a common mechanism are the "reverse proxy" method,
> remember that you need to know internal ip addresses notation or bruteforce
> it.
>
> - On internet browsers combined with Social Engineering, you could try to
> identify and exploit internet navigator bugs to put your reverse connection
> code inside the network.
>
> 5. If no success, you may try to use social engineering to put a trojan inside
> the network, then, redirect your connections over the trojan. Outgoing traffic
> usually can be bypassed with systems like IODINE, or OpenVPN using 443 port...
>
> To avoid IDS/IPS detection, you could use different ip addresses and delay
> timing policies.
>
> And finally, this is a scheme to do that, but never the definitive guide to
> external pentesting. All depends on internal configuration, updates, managment
> policies, and others.
>
>
>
> ------------------------------------------------------------------------
> This list is sponsored by: InfoSec Institute
>
> Tired of using other people's tools? Why not learn how to write your own exploits?
> InfoSec Institute's Advanced Ethical Hacking class teaches you how to write stack and heap buffer overflow exploits 
> for Windows and Linux. Gain your Certified Expert Penetration Tester (CEPT) cert as well.
>
> http://www.infosecinstitute.com/courses/advanced_ethical_hacking_training.html
> ------------------------------------------------------------------------

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Tired of using other people's tools? Why not learn how to write your own exploits?
InfoSec Institute's Advanced Ethical Hacking class teaches you how to write stack and heap buffer overflow exploits for 
Windows and Linux. Gain your Certified Expert Penetration Tester (CEPT) cert as well.

http://www.infosecinstitute.com/courses/advanced_ethical_hacking_training.html
------------------------------------------------------------------------