EH-Net
May 24, 2013, 12:56:05 PM

632
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: using SSL Tunnel to bypass IDS and firewalls?
on: October 05, 2010, 08:27:57 AM

> 1) Are there any tools available out there that can provide a tunneled SSL connection between me and that target?
> 2) Also I am sure they will have some stateful firewalls, so if they see a huge amount of out-bound traffic to a specific IP, they will get more suspicious. So how can I manage this?
> 3) Also they may have IDS in place, mostly a signature based one. They may have a signature detection for SSL tunnel, so how can we use our "methods" to deviate from the IDS signature? I am looking forward to modifying or doing some changes in the attack pattern, which needs to confuse the IDS and bypass its patterns. How can I do this?
> 4) What are some of the other attacks I can use against a stateful firewall?

1. Try out the following programs and play with them:
- SSL Tunnel: http://www.stunnel.org/
- ICMP Tunnels: http://neverfear.org/blog/view/9/Using_ICMP_tunneling_to_steal_Internet
  http://icmpshell.sourceforge.net/
  http://phrack.org/issues.html?issue=49&id=6#article
And so forth, there's plenty of tools available. You can even install a VPN client on the target victim, and then set up a VPN server too with e.g. OpenVPN and SSL.

2. This is harder to manage, but if you relay your traffic via e.g. facebook, twitter or google then it may not look that suspicious. I remember I saw.. I think it was a botnet (for testing purposes) which was run via twitter. Quite evil, but it worked.

3. Install Snort and these "SSL filters" you're talking about. Then try to bypass them. That's what I would do; if I don't know the exact filters I would do a general bypass without making the packets look obscure, since some firewalls and filters may put a red flag on them. Furthermore, using other kinds of packets such as ICMP (tunneling data through it) may be even better.

4. Spoofed (UDP) packets are just one kind of attack. You can't use that to actually "attack" the firewall, except if the SPI interface is vulnerable to certain types of obscure packets.

Best regards,
MaXe

633
Ethical Hacking Discussions and Related Certifications / Other / Re: Sniffing HTTP packets
on: October 04, 2010, 09:29:46 AM

ARP spoof the entire network (with permission) so all the clients are going through your machine. (MAKE SURE it is capable of handling the amount of connections and that you're forwarding the traffic to the gateway, so you won't experience a network-wide DoS.) You can also set up a new server as a router which uses perhaps an IDS to monitor the connections made, and instead of possible intrusions it is configured to detect sites such as facebook.com etc. There is a third alternative, and that is to use an enforced web proxy such as Squid. Well, I hope it helped just a little bit.
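On the monitoring side, the network-wide ARP spoofing described above shows up on the wire as one MAC answering for the gateway and for other hosts at the same time. The following detector over constructed ARP reply records is an added example, not part of the post or of EH-Net; the sample addresses and the trusted gateway binding are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of ARP replies seen by a monitoring host, as
# (timestamp, sender_ip, sender_mac). 10.0.0.1 is the gateway. From t=30 a
# second MAC starts answering for the gateway and for a client, which is what
# a network-wide ARP spoof looks like on the wire.
SAMPLE_ARP_REPLIES = [
    (1,  "10.0.0.1",  "00:11:22:33:44:55"),
    (2,  "10.0.0.23", "aa:bb:cc:dd:ee:01"),
    (3,  "10.0.0.42", "aa:bb:cc:dd:ee:02"),
    (30, "10.0.0.1",  "de:ad:be:ef:00:01"),
    (31, "10.0.0.23", "de:ad:be:ef:00:01"),
    (32, "10.0.0.1",  "00:11:22:33:44:55"),
    (33, "10.0.0.1",  "de:ad:be:ef:00:01"),
]

# Static binding for hosts that must never change MAC (assumption: the gateway).
TRUSTED_BINDINGS = {"10.0.0.1": "00:11:22:33:44:55"}


def detect_arp_spoof(replies, trusted=None):
    """Return (changes, suspects).
    changes : list of (ts, ip, expected_mac, observed_mac) for every reply
              that contradicts a trusted binding or the first MAC seen for
              that IP (a flip-flopping gateway is the classic symptom).
    suspects: {mac: [ips]} for MACs that answered for more than one IP,
              the signature of one machine impersonating many hosts."""
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    first_seen = {}
    ips_by_mac = defaultdict(set)
    changes = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        expected = trusted.get(ip, first_seen.get(ip))
        if expected is not None and expected != mac:
            changes.append((ts, ip, expected, mac))
        first_seen.setdefault(ip, mac)
        ips_by_mac[mac].add(ip)
    suspects = {m: sorted(ips) for m, ips in ips_by_mac.items() if len(ips) > 1}
    return changes, suspects


if __name__ == "__main__":
    changes, suspects = detect_arp_spoof(SAMPLE_ARP_REPLIES, TRUSTED_BINDINGS)
    for ts, ip, exp, got in changes:
        print(f"t={ts}: {ip} answered by {got}, expected {exp}")
    for mac, ips in suspects.items():
        print(f"{mac} claims {len(ips)} addresses: {', '.join(ips)}")
```

In a real deployment the records would come from a capture of ARP replies (e.g. tcpdump output) rather than the constructed list, and the trusted table would hold the gateway and any other fixed infrastructure addresses.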

636
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Image files in Penetration testing
on: September 30, 2010, 07:31:31 AM

If it's a Web Application, the content of the JPEG files will most likely not matter, except if the application reads and parses the input somehow in a vulnerable way. There are of course usually other vulnerabilities included with file upload forms, where it is occasionally possible to upload PHP files with a simple %00 byte added to the end of the filename. If it's a client application aka a real program, use the JPEG fuzzer dante recommended or create your own fuzzer.

638
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Pentest: Working in team or alone?
on: September 21, 2010, 11:08:02 AM

I worked alone (for free / fun) at a company once, but later on I had to train another employee in the basics to get started, so I worked in a team, but it wasn't really a team when the other employee was at that time just a trainee. But it was nice to have company instead of stressing about everything myself. (I was under huge time pressure every time, like.. You got 2 hours to prove there's something big time wrong with their network.) However, back on topic. I believe a team of experienced Penetration Testers is definitely a big plus; in fact I believe they are probably able to achieve more if one is e.g. an expert in Web App Sec, another in Software Exploitation, a third in Reverse Engineering, a fourth in Social Engineering etc.

641
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Some Network Reconnaissance question's about determining DMZ Network structure?
on: September 17, 2010, 09:10:49 AM

Here's a few ideas of mine.

> I want to know what sort of network architecture they are using?
Social Engineering including spoofed e-mails may help you. Also, check if they've outsourced their website to a 3rd party hoster. If yes, then you need to know how that hoster functions etc. etc.

> How can I determine the number of DMZs they are having?
By hacking the router. From the router it's virtually impossible, except if it's a misconfigured (and probably older version of a) Cisco router where you can in some cases read the configuration directly via SNMP.

> Will they have a separate DMZ for running database servers? If yes, how to detect it?
Depends on how they configured their network. Some websites use a local socket to connect to a database hosted locally, while other sites use a database hosted externally on another server or perhaps a virtual machine. The easiest way to find out where the database is, is to hack the website and read the config.php file if you can't find any hosts with port 3306 (MySQL) open in their network range. You should only look for MySQL if the site is running PHP, since this is the most common setup.

> Is it possible to get the kernel version of the Linux server they are using? Also, I already nmapped it, and it is saying the kernel version is from 2.4-2.6 kernel. I need to know the exact version of the kernel; what should I do?
Again, by hacking the website you can in some scenarios run commands directly on the server, e.g. via LFI, RFI, RCE and in some cases SQLi. On Linux a simple "uname -a" will tell you what you need, but you need to find a way to get remote code execution, which can also be done with Social Engineering and bruteforcing too. (FTP, SSH, website and perhaps their e-mails too.)

> Also I have seen some SMTP and POP3 services on the Cisco firewalls/routers. This looks strange to me; why is a router/firewall running SMTP/POP3 services?
Probably "port forwarded" services. (They typically use the same IP as the router.)

> I want to fingerprint the web application firewall being used on the target; how can I do it?
Not exactly sure, are you certain there is one? In many cases there isn't, though I have seen many companies use IDSs and IPSs, where the last is kinda the same as a WAF. Input / Output checking is one way to check this in some cases, though the problem is that it could also be the actual web application doing this.

I hope it helped a little.

Update: It's nice to see you're doing a good amount of recon, but I believe you're focusing more on the setup than actual targets. The reason why I do recon is to find services and machines to exploit, not how their network is configured. I can always check that one out later. First priority for me is to gain entry and remote code execution.

642
Ethical Hacking Discussions and Related Certifications / OSCP - Offensive Security Certified Professional / Re: OSCP Walkthrough
on: September 17, 2010, 08:57:23 AM

Don't forget to take (short) breaks too. If you don't take a small break occasionally you will probably overheat your brain and you may end up in a deadlock. I know there is a big stress factor that you shouldn't eat, relax, or take long breaks while you're doing the exam, because it's running and you need to get the right amount of points. But if you're going in circles and you need fresh ideas, take a short break (perhaps a walk outside to the nearest store for refreshments you want and need) and think creatively about how you can solve the problem; even though it may seem impossible, it is not.

644
Ethical Hacking Discussions and Related Certifications / Malware / Re: Is it possible to have a keylogger and Avast running at same time?
on: September 17, 2010, 02:53:45 AM

Instead of installing potentially infected malware programs, why don't you just configure and install VNC correctly to run in the background? (A few cellphones can actually connect to VNC servers.)
Alternatively, use TrueCrypt to perform a full disk encryption of your harddisk with a master key or a password which he or she cannot guess. That's a proactive solution, since the entire contents of your computer are encrypted if you got secret stuff on it. (Even without a harddisk he or she can just insert a Live CD though.)
Of course, the easiest way is just to put a password in BIOS and before the computer boots. But that's relatively easy to reset on most computers nowadays.