Home
Calendar
Certifications
Columns
Features
Forum
Resources
Vitals
Latest Additions
Jan 2009 Free Giveaway Sponsor - Black Hat DC
Scooby Doo and the Crypto Caper - Answers and Winners
Daemon - A Contest Revealed
Hacking: The Art of Exploitation 2nd Edition
Nov 2008 Free Giveaway - Winners
Dec 2008 Free Giveaway Sponsor - SANS
Santa Claus is Hacking to Town
Plug-N-Play Network Hacking
Nov 2008 Free Giveaway Sponsor - CWNP
Daemon - A Contest Begins Now
It Happened One Friday - Answers and Winners
Daemon - A Contest
Scooby Doo and the Crypto Caper
MS Blue Hat Hackers Headline Chicago Security Con
The Pen Testing Perfect Storm Webcast Series with Skoudis, Wright, Johnson
EH-Net Login
Welcome Guest.
Username:
Password:
Remember me
Lost Password?
No account yet?
Register
Who's Online
We have 28 guests and 1 member online
EH-Net Donations
Enter Amount:
$
CAD
USD
GBP
AUD
JPY
EUR
Google Ads
EH-Net News Feeds
Latest Additions
Book Recommendations
You are here:
Home
Forum
Ethical Hacking Discussions and Related Certifications
Network Pen Testing
Guidance on Black Box Testing
Ethical Hacker Community Forums
January 08, 2009, 02:57:16 AM
Welcome,
Guest
. Please
login
or
register
.
Did you miss your
activation email?
1 Hour
1 Day
1 Week
1 Month
Forever
Login with username, password and session length
News
: ChicagoCon 2-Day Ethical Hacking Conference with MS Blue Hats Oct 31 - Nov 1. Tickets Only $100!
www.chicagocon.com/content/view/103/51/
Home
Help
Calendar
Login
Register
Ethical Hacker Community Forums
>
Ethical Hacking Discussions and Related Certifications
>
Network Pen Testing
(Moderator:
don
) >
Guidance on Black Box Testing
Pages: [
1
]
Go Down
« previous
next »
Print
Author
Topic: Guidance on Black Box Testing (Read 2160 times)
0 Members and 1 Guest are viewing this topic.
det_security08
Newbie
Offline
Posts: 8
Guidance on Black Box Testing
«
on:
October 10, 2008, 08:42:49 AM »
In the middle of a black box test, external network, social engineering, client-side attacks, the whole nine yards. We started off with an external recon of open ports and services and then to the social engineering. We've already obtained several usable usernames and passwords, but the issue externally is that only a few open ports and services are available. No golden nuggests such as RDP unfortunately. THere is a Citrix portal which we managed to discover that one user has access to (the rest do not). We installed the Citrix client and are able to open a Windows Explorer window on the Citrix box itself for this one user. I've already tried all the basics to create local users and even launching AD Users and Computers for their domain and adding IDs or changing permissions on acounts but the environment is fairly locked down and the user does not have permission to install software on the box, etc.
I can attempt to map drives and try some light brute forcing, since ive been enable to enumerate who the domain admins are, etc, etc and i have a list of every internal host name. I just don't yet have that 'in' that affords me access to a desktop or internal domain. I simply have 'domain user' creds in a locked down environment and a citrix portal...so far. We're still in the middle of testing but I was wondering if anyone had guidance on things we can do from this Citrix server since its officially some sort of internal session. I can also browse network drives and I've been downloading sensitive information left and right...so we're partly successful but we would like to eventually add ourselves as a domain user or admin/domain admin (would be our end game).
Logged
geekyone
Full Member
Offline
Posts: 132
Re: Guidance on Black Box Testing
«
Reply #1 on:
October 10, 2008, 04:09:22 PM »
If they haven't locked down Internet access when using Citrix. You could setup a web server with a privilege escalation browser exploit and surf to that website while logged in as your user.
Logged
CISSP, CEH, GPEN, GCIH
toggmeister
Newbie
Offline
Posts: 22
Re: Guidance on Black Box Testing
«
Reply #2 on:
October 13, 2008, 11:15:42 PM »
Hi,
Have you seen the thread I started on Citrix Testing here, if not the resource specified is:
http://www.vulnerabilityassessment.co.uk/Citrix.html
Have you got command-line access or just gui tools, if not how about using ikat to pop shell or attempt, other tools also:
http://ikat.ha.cked.net/
Hope this helps
Logged
det_security08
Newbie
Offline
Posts: 8
Re: Guidance on Black Box Testing
«
Reply #3 on:
October 14, 2008, 09:43:01 AM »
Geeky...yeah we definitely tried that as well...and they did lock down access to the Internet on that Citrix browser...that would have made life very easy for us!
Logged
ChrisG
EH-Net Columnist
Hero Member
Offline
Posts: 1049
Re: Guidance on Black Box Testing
«
Reply #4 on:
October 15, 2008, 05:55:27 PM »
well in that case can you escape out of it? some of the citrix applications can be escaped from an you can run system commands
Logged
...tests i took go here...
http://carnal0wnage.blogspot.com/
det_security08
Newbie
Offline
Posts: 8
Re: Guidance on Black Box Testing
«
Reply #5 on:
October 16, 2008, 10:20:47 AM »
ok...we have had some great progress, including several RDP and TS sessions into servers on the client network. We've managed to extract some SAM data, but so far have not been able to capture any administrator (for the domain) credentials. we've placed keyloggers and have other things going, but no luck so far.
I do have one question with regards to NTLM, LM password cracking. We've managed to extract two separate administrator ID password hashes from two separate servers. Unfortunately the password policy is at least 8 characters long. Using LM Hashes, we've managed to get the first 7 characters of both accounts...but no more than that. Is there anyone with hashing experience who can provide guidance on what to do after capturing the first 7 characters of a LM hash? we've in the process of creating our own rainbow table, including alpha numberic, complex characters. we decided to just do three more spaces, and start at index space 8...so that the hash may give us characters 8-10 and we could possible start some brute force combos from there.
If anyone has any other advice, it would be much appreciated.
Logged
Pages: [
1
]
Go Up
Print
« previous
next »
Jump to:
Please select a destination:
-----------------------------
EH-Net
-----------------------------
=> Special Events
=> Calendar Of Events
===> ChicagoCon 2007
===> ChicagoCon 2008s
===> ChicagoCon 2008f
===> ChicagoCon 2009
=> News Items and General Discussion About EH-Net
-----------------------------
Ethical Hacking Discussions and Related Certifications
-----------------------------
=> Certification
===> The Charter Study Group - Pen Test
=> Network Pen Testing
===> CEH - Certified Ethical Hacker
=====> CEH - Official Course Modules v4
=====> CEH - Official Course Modules v5
=====> CEH - Official Course Modules v6
===> CPTS - Certified Pen Testing Specialist
=====> CPTS - Official Course Modules v5
===> CPTE - Certified Pen Testing Expert
=====> CPTE - Official Course Modules v1
===> ECSA - EC-Council Certified Security Analyst
=====> ECSA - Official Course Modules v1.2
=====> ECSA / LPT - Official Course Modules v3
===> OSCP - Offensive Security Certified Professional
===> GPEN - GIAC Certified Penetration Tester
=> Forensics
===> CCE / MCCE - (Master) Certified Computer Examiner
===> CHFI - Computer Hacking Forensic Investigator
=====> CHFI - Official Course Modules v2
===> EnCE - EnCase® Certified Examiner
=> Incident Response
===> CSIH - Computer Security Incident Handler
===> GCIH - GIAC Certified Incident Handler
=> Hardware
=> Malware
=> Physical Security
=> Programming
=> Social Engineering
=> Web Applications
=> Wireless
===> CWNP Certs
===> GAWN - GIAC Assessing Wireless Networks
===> OSWP - Offensive Security Wireless Professional
=> Other
-----------------------------
Columns
-----------------------------
=> Editor-In-Chief
=> Gates
=> Heffner
=> Hoffman
=> RichM
=> Murray
=> J. Peltier
=> Wilson
-----------------------------
Features
-----------------------------
=> /root
=> Book Reviews
=> Opinions
=> Skillz
===> Examples
===> May 06 - Star Hacks, Episode V: The Empire Hacks Back
===> July 06 - Hack Bill!
===> Sept 06 - Netcat in the Hat
===> Nov 06 - Hitch-Hackers Guide to the Galaxy
===> Dec 06 - A Christmas (Hacking) Story
===> Feb 07 - Charlottes Web Site
===> April 07 - Microsoft Office Space
===> June 07 - Serenity Hack
===> Oct 07 - Worst. Ethical. Hacker. Challenge. Ever.
===> Dec 07 - Frosty the Snow Crash
===> March 2008 - It Happened One Friday
===> Oct 2008 - Scooby Doo and the Crypto Caper
===> Dec 08 - Santa Claus Is Hacking to Town
-----------------------------
Resources
-----------------------------
=> Career Central
===> Looking For Work
===> Looking To Hire
=> Links to cool sites.
=> Mass Media
=> News from the Outside World
=> Tools
=> Tutorials
Loading...
Sponsors
Polls
How many security events including conferences and training do you attend a year:
1 - 2
3 - 4
5 - 6
7+
None - But want to
None - Choose not to
Support EH-Net
Support EH-Net by
Buying all of your
Amazon items using
the search bar above.
Try CBT Nuggets Free!
Recent Forum Topics
CEH - Certified Ethical Hacker
: CEH is a scam
(20) by
K3lV1n
Malware
: uninstall trend mciro officescan clients
(0) by
Hack_80
Mass Media
: Daniel Suarez Interview
(9) by
blackazarro
Malware
: Security Forecast for 2009
(5) by
jason
News from the Outside World
: Is this acceptable?
(9) by
jason
Wireless
: Wireless Pen Testing Cards
(6) by
jason
Oct 2008 - Scooby Doo and the Crypto Caper
: Skillz October 08 Winning Entry - Technical
(1) by
jason
Gates
: Oracle version module for metasploit
(2) by
BillV
Book Reviews
: [Article]-Mitnick - The Art Of Intrusion: Ch 1 - Hacking The Casinos For A Million Bu...
(5) by
jason
Links to cool sites.
: Free Computer Engineering Classes From Stanford
(3) by
jason
Oct 2008 - Scooby Doo and the Crypto Caper
: Skillz October 08 Winning Entry - Creative
(1) by
jason
Oct 2008 - Scooby Doo and the Crypto Caper
: [Article]-Scooby Doo and the Crypto Caper - Answers and Winners
(2) by
jason
News Items and General Discussion About EH-Net
: [Article]-Jan 2009 Free Giveaway Sponsor - Black Hat DC
(1) by
jason
Book Reviews
: Need a book suggestion!
(2) by
jason
News Items and General Discussion About EH-Net
: EH-Net Milestone - 2 Articles Cross 1 Million Page Views
(3) by
BillV
Other
: What kind of lab, machines you have for your security testing?
(12) by
charlottebandit
Malware
: Network Virus Problem
(9) by
RoleReversal
Wireless
: WUSB600N good usb ?
(2) by
nap191
Other
: FBI code cracking challenge
(3) by
jimbob
Calendar Of Events
: RSA 2009
(0) by
don
Forensics
: Network Forensic tools/practice/techniques
(2) by
jimbob
Malware
: Autoplay when i try to open the drive.
(4) by
jimbob
Physical Security
: Magnetic stripe card spoofing
(4) by
jimbob
Malware
: THe website is Evil but what to do??
(1) by
jimbob
Other
: Insanity?
(3) by
jason
CEH - Certified Ethical Hacker
: Any Practice Environment for learning tool for CEH?
(15) by
don
Wireless
: a petri-dish bridge
(2) by
don
CEH - Certified Ethical Hacker
: TFTP Tranfer time out
(5) by
jason
Tools
: tool to trace users
(8) by
pseud0
Malware
: Malware Challenge 2008 Analysis
(0) by
blackazarro
Programming
: Python 3.0 Released
(0) by
don
Forensics
: SANS SIFT Forensic toolkit
(1) by
don
Links to cool sites.
: Omgili Hacking - Another Search Engine dedicated to Hacking Related Forums
(2) by
RoleReversal
Tools
: Insecure.org's 2006 Top 100 Security Tools List Released
(10) by
shednik
Other
: Happy New Year!
(8) by
vijay2
CEH - Official Course Modules v6
: Community-built CEH Wiki
(2) by
yehg
Vote For EH-Net
progenic.com
binarica.com
technorati fave
Privacy Notice
for TDCC & All Properties
© 2009 The Ethical Hacker Network
Joomla!
is Free Software released under the GNU/GPL License.
CEH - Certified Ethical Hacker : CEH is a scam
