EH-Net > Ethical Hacking Discussions and Related Certifications > Network Pen Testing
Topic: Steps to hack a network (Read 6220 times)
H1t M0nk3y (Hero Member, Posts: 865)
Steps to hack a network « on: June 23, 2010, 07:16:20 AM »
Ok, here's the deal. I am having a hard time getting into many servers in the OSCP lab and I feel like a "chicken with no head"! Let me abstract the problem a bit. I have 2 questions:
1) Once you have enumerated a network, let's say there are 10 different servers, how do you proceed to exploit them? Time is precious and I feel like I go everywhere, try one service on server A, then try another service on server B, and so on. For example, do you try all FTP servers, then all HTTP servers, etc., or do you try all services on one machine and then go to the next one?
2) If you have a single host to root, how do you proceed? Would you go, in order (if applicable!):
a) Reconnaissance
b) Scanning (nmap, nessus, nikto)
c) Attack SMB, use metasploit, hydra
d) If c) didn't work out, Look for SQL injection vulnerabilities
e) If d) didn't work out, try fuzzing
f) ...
I'm stuck after c)... I know it really depends on which services are available on a server, but generally, how do you proceed?
I am tired...
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
sil (Hero Member, Posts: 549)
Re: Steps to hack a network « Reply #1 on: June 23, 2010, 08:19:05 AM »
Quote from: H1t M0nk3y on June 23, 2010, 07:16:20 AM
a) Reconnaissance
b) Scanning (nmap, nessus, nikto)
c) Attack SMB, use metasploit, hydra
d) If c) didn't work out, Look for SQL injection vulnerabilities
e) If d) didn't work out, try fuzzing
f) ...
Without giving away keys to the kingdom, here is how I would proceed...
1) Recon + Scanning
Don't always believe what you see during the recon phase and don't rely solely on the output of one scan. Check your parameters and fiddle with them. For example, nmap reports back the most common ports, usually between 1000 and 2000 services; however, that is a huge gap. Think big and tell nmap what services/ports YOU WANT to look for on both protocols, UDP and TCP.
2) Attack
Don't aim blindly at the servers with useless exploits. Create a targeted attack focused specifically on the machine and what it's running. For example, why would you shoot off Windows based attacks at a Linux machine? Every machine will have an exploitable service/program/script. Your goal is to find out *WHAT* is exploitable. Be creative:
Code:
# nmap -sX 10.20.30.40 -v
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2010-06-23 08:24 EDT
The XMAS Scan took 34.76s to scan 1680 total ports.
Host misos (10.20.30.40) appears to be up ... good.
All 1680 scanned ports on misos (10.20.30.40) are open|filtered
Nmap finished: 1 IP address (1 host up) scanned in 35.105 seconds
Raw packets sent: 3361 (134.442KB) | Rcvd: 1 (42B)
# nmap -sS 10.20.30.40 -v
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2010-06-23 08:26 EDT
The SYN Stealth Scan took 65.32s to scan 1680 total ports.
Host misos (10.20.30.40) appears to be up ... good.
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
902/tcp open iss-realsecure-sensor
912/tcp open unknown
1026/tcp open LSA-or-nterm
Nmap finished: 1 IP address (1 host up) scanned in 65.668 seconds
Raw packets sent: 5039 (221.714KB) | Rcvd: 20 (956B)
# nmap -sS 10.20.30.40 -p 1-60000 -v
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2010-06-23 08:27 EDT
The SYN Stealth Scan took 261.60s to scan 60000 total ports.
Host misos (10.20.30.40) appears to be up ... good.
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
902/tcp open iss-realsecure-sensor
912/tcp open unknown
1026/tcp open LSA-or-nterm
1028/tcp open unknown
3865/tcp open unknown
5357/tcp open unknown
8222/tcp open unknown
8333/tcp open unknown
9127/tcp open unknown
9704/tcp open unknown
21112/tcp open unknown
23791/tcp open unknown
23943/tcp open unknown
Nmap finished: 1 IP address (1 host up) scanned in 262.092 seconds
Raw packets sent: 120028 (5.281MB) | Rcvd: 65 (3106B)
Same machine, three different outputs. As you can see, if I relied on a typical NMAP scan, all I would get would be 7 services, when there are 17 TCP based services running on this machine. So what are these other "unknown" services?
Code:
telnet 10.20.30.40 5357
Trying 10.20.30.40...
Connected to 10.20.30.40.
Escape character is '^]'.
POST
HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Wed, 23 Jun 2010 12:41:33 GMT
Connection: close
Content-Length: 326
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Bad Request</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Bad Request - Invalid Verb</h2>
<hr><p>HTTP Error 400. The request verb is invalid.</p>
</BODY></HTML>
Connection closed by foreign host.
Since I own the machine, I know exactly what's running on it; however, let's assume I didn't. Let me Google it:
http://seclists.org/pen-test/2008/Jul/130
Now I have more information to go on. From here, what do you do? You dig down for potentially exploitable code (dis)affecting that program. Fuzz that port and so on and so forth.
Enumeration 101
... Again, be creative with your enumeration whether it's scanning, lists, etc. Create your own userlist, your own password lists. Are you solely relying on say three usernames? I'd use the top 50 common names as UID's. Try not to focus on the tools and their generic methods of working. The tools only do what you tell them to do. Your brain is the key.
Another post follows
The message exceeds the maximum allowed length (30000 characters).
http://www.infiltrated.net/mgz/puppylecter.jpg
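sil's point that a default port range hides most of what is listening can be checked mechanically rather than by eye. The Python script below is an added example, not code from the thread or from nmap: it parses the port table of nmap's normal output, reports which ports a narrow scan missed compared with a full-range scan of the same host, lists the services nmap could not name (the ones that need the telnet-style manual look sil shows), and builds the comma-separated -p list for a targeted follow-up version scan. The two embedded tables are copied from sil's scan outputs above; the function names are my own.

```python
import re

# Two nmap normal-output port tables copied from the scans sil posted above:
# the default-range SYN scan (7 ports) and the -p 1-60000 scan (17 ports).
DEFAULT_SCAN = """\
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
902/tcp open iss-realsecure-sensor
912/tcp open unknown
1026/tcp open LSA-or-nterm
"""

FULL_SCAN = """\
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
902/tcp open iss-realsecure-sensor
912/tcp open unknown
1026/tcp open LSA-or-nterm
1028/tcp open unknown
3865/tcp open unknown
5357/tcp open unknown
8222/tcp open unknown
8333/tcp open unknown
9127/tcp open unknown
9704/tcp open unknown
21112/tcp open unknown
23791/tcp open unknown
23943/tcp open unknown
"""

# One port-table row: "<port>/<proto> <state> <service>"; the service column
# is optional so that grepable-style rows without a name still parse.
PORT_ROW_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)(?:\s+(\S+))?", re.M)


def parse_ports(text):
    """Map (port, proto) -> (state, service) for every row in an nmap port table."""
    found = {}
    for port, proto, state, service in PORT_ROW_RE.findall(text):
        found[(int(port), proto)] = (state, service or "?")
    return found


def missed_by(narrow_text, wide_text):
    """Ports the wide scan reported that the narrow scan did not mention at all."""
    narrow, wide = parse_ports(narrow_text), parse_ports(wide_text)
    return sorted(k for k in wide if k not in narrow)


def unidentified(text):
    """Ports nmap left as 'unknown': the ones that need manual banner work."""
    return sorted(k for k, (_, svc) in parse_ports(text).items() if svc == "unknown")


def port_spec(text, states=("open", "open|filtered")):
    """Comma-separated -p list of the interesting ports, for a targeted -sV rescan."""
    ports = sorted(p for (p, _), (state, _) in parse_ports(text).items() if state in states)
    return ",".join(str(p) for p in ports)


def report(narrow_text, wide_text):
    """Human-readable summary of what the narrow scan hid."""
    missed = missed_by(narrow_text, wide_text)
    lines = [f"narrow scan: {len(parse_ports(narrow_text))} ports, "
             f"wide scan: {len(parse_ports(wide_text))} ports, "
             f"missed by narrow scan: {len(missed)}"]
    lines += [f"  missed {p}/{proto}" for p, proto in missed]
    lines += [f"  unnamed {p}/{proto}" for p, proto in unidentified(wide_text)]
    lines.append(f"rescan with: nmap -sV -p {port_spec(wide_text)} <host>")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(DEFAULT_SCAN, FULL_SCAN))
```

The -p list this produces for the full scan is exactly the one sil feeds to his -sSV run in the next reply, so the same script works as a check on your own hosts: run a wide scan of a server you administer, diff it against what the inventory says should be listening, and treat every "unnamed" row as something to identify before an attacker does.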
sil (Hero Member, Posts: 549)
Re: Steps to hack a network « Reply #2 on: June 23, 2010, 08:31:54 AM »
Again, think a little outside the box:
Code:
nmap -sSV -sR -PP -O 10.4.64.105 -p 80,135,139,445,902,912,1026,1028,3865,5357,8222,8333,9127,9704,21112,23791,23943 > Output
LONG OUTPUT OMITTED ...
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port9704-TCP:V=4.11%I=7%D=6/23%Time=4C220721%P=i686-pc-linux-gnu%r(GetR
SF:equest,4E8D,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Wed,\x2023\x20Jun\x2020
SF:10\x2013:07:45\x20GMT\r\nServer:\x20Oracle\x20Containers\x20for\x20J2EE
SF:\r\nLast-Modified:\x20Tue,\x2020\x20Apr\x202010\x2018:23:20\x20GMT\r\nA
SF:ccept-Ranges:\x20bytes\r\nContent-Length:\x2019882\r\nConnection:\x20cl
SF:ose\r\nContent-Type:\x20text/html\r\n\r\n<!DOCTYPE\x20HTML\x20PUBLIC\x2
SF:0\"-//W3C//DTD\x20HTML\x204\.01\x20Transitional//EN\">\n<html\x20lang=\
SF:"en,us\">\n\n<HEAD>\n\n\x20\x20\x20\x20<TITLE>Welcome\x20to\x20Oracle\x
SF:20Containers\x20for\x20J2EE\x2010g\x20\(10\.1\.3\.1\.0\)</TITLE>\n\n\x2
SF:0\x20\x20\x20<META\x20content=\"text/html;\x20charset=windows-1252\"\x2
SF:0http-equiv=Content-Type>\n\x20\x20\x20\x20<link\x20rel=\"stylesheet\"\
SF:x20href=\"ohs_images/portals\.css\">\n</HEAD>\n<body\x20bgcolor=\"#FFFF
SF:FF\"\x20link=\"#663300\"\x20vlink=\"#996633\"\x20alink=\"#FF6600\"\x20t
SF:ext=\"#000000\">\n<span\x20style=\"font-size:\x201pt;\"><a\x20href=\"#p
SF:ortlets\"\x20title=\"List\x20topics\x20on\x20this\x20page\"><img\x20src
SF:=\"ohs_images/space\.gif\"\x20alt=\"Skip\x20tabs\"\x20height=1\x20width
SF:=1\x20align=\"right\"\x20border=0></a></span>\n\n<!--\x20tabs\x20-->\n<
SF:a\x20name=\"tabs\"></a>\n<table\x20summary=\"\"\x20width=\"100%\"\x20bo
SF:rder=\"0\"\x20cellspacing=\"0\"")%r(HTTPOptions,2A0A,"HTTP/1\.1\x20200\
SF:x20OK\r\nDate:\x20Wed,\x2023\x20Jun\x202010\x2013:07:46\x20GMT\r\nServe
SF:r:\x20Oracle\x20Containers\x20for\x20J2EE\r\nLast-Modified:\x20Tue,\x20
SF:20\x20Apr\x202010\x2018:23:20\x20GMT\r\nAccept-Ranges:\x20bytes\r\nCont
SF:ent-Length:\x2019882\r\nConnection:\x20close\r\nContent-Type:\x20text/h
SF:tml\r\nAllow:\x20GET,\x20HEAD,\x20OPTIONS,\x20TRACE\r\n\r\nHTTP/1\.1\x2
SF:0200\x20OK\r\nDate:\x20Wed,\x2023\x20Jun\x202010\x2013:07:46\x20GMT\r\n
SF:Server:\x20Oracle\x20Containers\x20for\x20J2EE\r\nLast-Modified:\x20Tue
SF:,\x2020\x20Apr\x202010\x2018:23:20\x20GMT\r\nAccept-Ranges:\x20bytes\r\
SF:nContent-Length:\x2019882\r\nConnection:\x20close\r\nContent-Type:\x20t
SF:ext/html\r\nAllow:\x20GET,\x20HEAD,\x20OPTIONS,\x20TRACE\r\n\r\n\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0");
Kind of noisy, no? Clean it up:
Code:
perl -p -e 's!x20! !g;s!SF:! !g;s!\\n!\n!g;s!x20! !g;s:\\: :g' /tmp/Output
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port9704-TCP:V=4.11%I=7%D=6/23%Time=4C220721%P=i686-pc-linux-gnu%r(GetRequest,4E8D,"HTTP/1 .1 200 OK
Date: Wed, 23 Jun 20 10 13:07:45 GMT
Server: Oracle Containers for J2EE
Last-Modified: Tue, 20 Apr 2010 18:23:20 GMT
Accept-Ranges: bytes
Content-Length: 19882
Connection: close
Content-Type: text/html
<!DOCTYPE HTML PUBLIC x2
0 "-//W3C//DTD HTML 4 .01 Transitional//EN ">
<html lang="en,us ">
<HEAD>
<TITLE>Welcome to Oracle Containers for J2EE 10g (10 .1 .3 .1 .0 )</TITLE>
<META content= "text/html; charset=windows-1252 "http-equiv=Content-Type>
<link rel= "stylesheet" href= "ohs_images/portals.css">
</HEAD>
(HTTPOptions,2A0A,"HTTP/1 .1 200 OK
Date: Wed, 23 Jun 2010 13:07:46 GMT
Server: Oracle Containers for J2EE
Last-Modified: Tue, 20 Apr 2010 18:23:20 GMT
Accept-Ranges: bytes
Content-Length: 19882
Connection: close
Content-Type: text/html
Allow: GET, HEAD, OPTIONS, TRACE
HTTP/1 .1
200 OK
Date: Wed, 23 Jun 2010 13:07:46 GMT
Server: Oracle Containers for J2EE
Last-Modified: Tue, 20 Apr 2010 18:23:20 GMT
Accept-Ranges: bytes
Content-Length: 19882
Connection: close
Content-Type: text/html
Allow: GET, HEAD, OPTIONS, TRACE
I now have better information to work with. Stay focused on your goal. Find what's running, then focus on what might potentially break it instead of trying to throw the toolshed at it.
http://www.infiltrated.net/mgz/puppylecter.jpg
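The perl one-liner above leaves artifacts such as "HTTP/1 .1", "20 10" and "x2 0" because nmap wraps the fingerprint onto SF: lines at a fixed width, which can split a \x20 or \. escape across two lines, and the substitutions run line by line. The Python decoder below is an added example, not code from the thread or from nmap: it joins the SF: continuation lines first, then decodes nmap's fingerprint escaping (\xHH bytes, \r \n \t \0, and backslash-escaped punctuation such as \. and \") back into the bytes the service actually sent, and pulls out the HTTP headers and the HTML title. The embedded fingerprint is the first nine SF lines of the Port9704 block above, copied verbatim; the tenth line is a constructed tail that closes the GetRequest response so the sample stands alone (the real response is about 20 KB). Function names are my own.

```python
import re

# First nine SF lines of the Port9704 fingerprint sil posted above, copied as-is.
# The last line is CONSTRUCTED: it closes the GetRequest response string so the
# sample is complete (note how it finishes the "\x2" escape left dangling above).
SAMPLE_FP = r"""
SF-Port9704-TCP:V=4.11%I=7%D=6/23%Time=4C220721%P=i686-pc-linux-gnu%r(GetR
SF:equest,4E8D,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Wed,\x2023\x20Jun\x2020
SF:10\x2013:07:45\x20GMT\r\nServer:\x20Oracle\x20Containers\x20for\x20J2EE
SF:\r\nLast-Modified:\x20Tue,\x2020\x20Apr\x202010\x2018:23:20\x20GMT\r\nA
SF:ccept-Ranges:\x20bytes\r\nContent-Length:\x2019882\r\nConnection:\x20cl
SF:ose\r\nContent-Type:\x20text/html\r\n\r\n<!DOCTYPE\x20HTML\x20PUBLIC\x2
SF:0\"-//W3C//DTD\x20HTML\x204\.01\x20Transitional//EN\">\n<html\x20lang=\
SF:"en,us\">\n\n<HEAD>\n\n\x20\x20\x20\x20<TITLE>Welcome\x20to\x20Oracle\x
SF:20Containers\x20for\x20J2EE\x2010g\x20\(10\.1\.3\.1\.0\)</TITLE>\n\n\x2
SF:0\x20\x20\x20</HEAD>\n</body>\n</html>\n");
""".strip().splitlines()

FP_HEADER_RE = re.compile(r"^SF-Port(\d+)-(TCP|UDP):")
PROBE_RE = re.compile(r'%r\((\w+),([0-9A-Fa-f]+),"')   # %r(ProbeName,HexLen,"
HEX2 = re.compile(r"[0-9A-Fa-f]{2}")
CONTROL = {"r": 0x0D, "n": 0x0A, "t": 0x09, "0": 0x00}


def join_sf_lines(lines):
    """Undo nmap's wrapping: drop the 'SF:' continuation prefix and concatenate."""
    parts = []
    for raw in lines:
        line = raw.strip()
        if line.startswith("SF-Port"):
            parts.append(line)
        elif line.startswith("SF:"):
            parts.append(line[3:])
    return "".join(parts)


def unescape_fp(escaped):
    """Decode one fingerprint response string into the bytes the service sent."""
    out = bytearray()
    i, n = 0, len(escaped)
    while i < n:
        c = escaped[i]
        if c != "\\":
            out.append(ord(c))
            i += 1
        elif i + 1 >= n:                       # dangling backslash at the end
            out.append(0x5C)
            i += 1
        elif escaped[i + 1] == "x" and HEX2.fullmatch(escaped[i + 2:i + 4]):
            out.append(int(escaped[i + 2:i + 4], 16))
            i += 4
        elif escaped[i + 1] in CONTROL:
            out.append(CONTROL[escaped[i + 1]])
            i += 2
        else:                                  # \. \( \) \" \\ : literal next char
            out.append(ord(escaped[i + 1]))
            i += 2
    return bytes(out)


def parse_fingerprint(lines):
    """Return (port, proto, {probe_name: response_bytes}) for one SF block."""
    joined = join_sf_lines(lines)
    header = FP_HEADER_RE.match(joined)
    if header is None:
        raise ValueError("not an nmap service fingerprint block")
    probes = {}
    for m in PROBE_RE.finditer(joined):
        j = m.end()
        while j < len(joined) and joined[j] != '"':
            j += 2 if joined[j] == "\\" else 1  # skip escaped chars, including \"
        probes[m.group(1)] = unescape_fp(joined[m.end():j])
    return int(header.group(1)), header.group(2), probes


def http_headers(response):
    """Lower-cased header dict from an HTTP response (empty if it is not HTTP)."""
    head = response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    if not lines[0].startswith("HTTP/"):
        return {}
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def html_title(response):
    """<TITLE> text from an HTML body, or None."""
    m = re.search(rb"<title>(.*?)</title>", response, re.I | re.S)
    return m.group(1).decode("latin-1").strip() if m else None


def summarize(lines):
    """What you want from the fingerprint: port, Server header, page title."""
    port, proto, probes = parse_fingerprint(lines)
    summary = {"port": port, "proto": proto, "probes": sorted(probes)}
    for resp in probes.values():
        hdrs = http_headers(resp)
        if hdrs:
            summary["server"] = hdrs.get("server")
            summary["title"] = html_title(resp)
            break
    return summary


if __name__ == "__main__":
    print(summarize(SAMPLE_FP))
```

Decoding to bytes rather than text matters for the noisy tail of sil's block: the long run of \0 becomes real NUL bytes instead of the literal backslash-zero pairs the perl version prints, so what you inspect is what the service sent.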
H1t M0nk3y (Hero Member, Posts: 865)
Re: Steps to hack a network « Reply #3 on: June 23, 2010, 08:36:02 AM »
Sil, I am so humble right now!
Thanks a lot, I wasn't doing the right thing. Your examples are priceless!!!
I will keep you posted.
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
H1t M0nk3y (Hero Member, Posts: 865)
Re: Steps to hack a network « Reply #4 on: June 23, 2010, 08:44:39 AM »
Another related question: If you find 10 services listening on a machine, I guess you try the easy stuff first, then you make your way up to the more "difficult" ones?!?
In Sil's example:
Quote
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
902/tcp open iss-realsecure-sensor
912/tcp open unknown
1026/tcp open LSA-or-nterm
Wouldn't you try these ones first and if you don't find anything, you continue scanning all the other ports (TCP and UDP)?
Or would you scan everything in depth (which I believe makes a lot of sense!), then try to attack the most common ones and finally go for the most difficult services?
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
sil (Hero Member, Posts: 549)
Re: Steps to hack a network « Reply #5 on: June 23, 2010, 10:17:25 AM »
Low hanging fruit is often the easiest to pick
So for the sample scan you posted:
Code:
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
902/tcp open iss-realsecure-sensor
912/tcp open unknown
1026/tcp open LSA-or-nterm
Thorough solution (--version_trace + -O):
Code:
# nmap -sSV -sR -PP -O 10.20.30.40 -p 80 --version_trace
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2010-06-23 11:06 EDT
--------------- Timing report ---------------
hostgroups: min 1, max 100000
rtt-timeouts: init 1000, min 100, max 10000
scan-delay: TCP 1000, UDP 1000
parallelism: min 0, max 0
max-retries: 10, host-timeout: 0
---------------------------------------------
Interesting ports on misos (10.20.30.40):
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS webserver 7.0
Personally... it would depend on the OS fingerprint. Is it Win2k, 2k3, XP, Vista? On 2K and 2K3, you're more likely to find SMB "exploitable" than you would on XP, Vista, 2008. So it all depends on whether you obtained a nice fingerprint.
Now, there are two things going on... There is the OSCP exam, and there is compromising a machine, recon, analysis...
Code:
for i in `lynx --dump "http://labs.google.com/sets?hl=en&q1=window&q2=unix&q3=&q4=&q5=&btn=Small+Set+%2815+items+or+fewer%29"|grep "\["|sed -n '3,10p'|awk -F ] '{print $2}'`
do
echo /pentest/python/impacket-examples/rpcdump.py $i:$i@10.20.30.40 139/SMB|sh
echo /pentest/python/impacket-examples/rpcdump.py $i:$i@10.20.30.40 135/TCP|sh
echo /pentest/python/impacket-examples/rpcdump.py $i:$i@10.20.30.40 445/SMB|sh
done
This will yield you a lot of information on SMB processes; try it. What you do with that information is up to you. You need to think like an attacker, not solely based on the content of the exam. The goal is to compromise the machines by any means necessary. This does not stop you from using your own tools here.
In the case of low hanging fruit... Take note of the nmap syntax I re-use:
Code:
root@axios:/pentest/exploits/framework3# ./msfconsole
(metasploit ASCII-art banner)
=[ metasploit v3.4.1-dev [core:3.4 api:1.0]
+ -- --=[ 567 exploits - 271 auxiliary
+ -- --=[ 272 payloads - 26 encoders - 8 nops
=[ svn r9532 updated 8 days ago (2010.06.15)
msf > db_driver sqlite3
[*] Using database driver sqlite3
msf > db_connect hitmonkeytest
[-] Note that sqlite is not supported due to numerous issues.
[-] It may work, but don't count on it
[*] Creating a new database file...
[*] Successfully connected to the database
[*] File: hitmonkeytest
msf > db_nmap -p 80,135,139,445,902,912,1026,1028,3865,5357,8222,8333,9127,9704,21112,23791,23943 10.20.30.40
Starting Nmap 5.00 ( http://nmap.org ) at 2010-06-23 10:28 EDT
Interesting ports on misos (10.20.30.40):
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open unknown
1026/tcp open LSA-or-nterm
1028/tcp open unknown
3865/tcp open unknown
5357/tcp open unknown
8222/tcp open unknown
8333/tcp open unknown
9127/tcp filtered unknown
9704/tcp filtered unknown
21112/tcp open unknown
23791/tcp filtered unknown
23943/tcp filtered unknown
MAC Address: 00:14:C1:4C:53:DC (U.S. Robotics)
Nmap done: 1 IP address (1 host up) scanned in 1.58 seconds
msf >
The low hanging fruit would be to try autopwn, but that would be the easy way out. Not only the easy way out, but you've accomplished nothing (besides, I don't believe you're allowed to use Metasploit or Autopwn during the exam... I don't recall). You've done your --version_trace, so you already know that there is no need to run ALL http based exploits against this machine anyway. Think about autopwn and how it will work. It's pointless, as an Apache exploit won't work on IIS7; secondly, it's noisy, so autopwn is useless. You DID get specifics on your scan, so you should perform a search on those specifics:
Code:
msf > search oracle
[*] Searching loaded modules for pattern 'oracle'...
Remember, my recon told me Oracle was running here. So now I have a choice, I could tamper with Oracle, check exploit-db, CVSS lists, milw0rm, etc.
Code:
# find /pentest/exploits/framework3/modules/exploits/windows|xargs grep 9127
No luck finding an exploit that targets Oracle on that port (9127), or any other exploit that uses that port. It all depends on various factors when I perform a pentest. Usually I try not to rely too deeply on specific tools, and when I do, I use them in lesser known methods. I've yet to see many people use tools like Scapy, and even nmap, at their finest. I suggest understanding the relationship between tools, ports, etc., before wandering aimlessly (and I don't mean that in a derogatory way).
When I did my recon for the exam, I literally had Open Office open posting the output to ALL services I found on the servers. Then I began focusing on what I saw and ONLY what I saw in regards to versions, the operating system running those versions, etc. Same applies to my real world work. When I do recon now, I try to get EVERY little morsel of information I can from every possible source before I even think of an exploitable method for those processes.
http://www.google.com/search?q=oracle+9704+%2Bexploit+%2Bbi&btnG=Search&hl=en&client=firefox-a&hs=uvm&rls=org.mozilla%3Aen-US%3Aofficial&sa=2
Why lookie here:
http://netifera.com/research/
(POET). You won't get that information from the content of the OSCP, but I don't believe there is anything telling you that you CAN'T use other tools. I do believe, though, that you can't use metasploit, autopwn and/or Core Impact and/or Canvas. (That is, of course, if you have Core or Canvas.) Things may have changed, though; I took the exam in 07 or 08 (don't remember).
http://www.infiltrated.net/mgz/puppylecter.jpg
H1t M0nk3y (Hero Member, Posts: 865)
Re: Steps to hack a network « Reply #6 on: June 23, 2010, 12:32:17 PM »
Sil, I have to pay you a beer!!!
I will spend as much time as I can in the next few days applying these words of wisdom in the lab!!!
I can't try anything at work today, but I can't wait to be home!!!
I really appreciate your comments...
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
Ignatius (Jr. Member, Posts: 91)
Re: Steps to hack a network « Reply #7 on: June 23, 2010, 01:00:39 PM »
Hey sil, I've been watching this thread with great interest. Thank you for your thorough and logical presentation of what you'd do and why. I see comments on other sites about simply following recipe 1), 2) then 3) to penetrate a system but that is far too simplistic. I'd rather understand what's happening "under the hood", exactly what I'm doing and why, so I can apply the principles to another system.
I'll keep an eye on further fascinating developments ...
« Last Edit: June 24, 2010, 09:00:00 AM by Ignatius »
Dengar13 (Sr. Member, Posts: 380)
Re: Steps to hack a network « Reply #8 on: June 23, 2010, 01:18:11 PM »
Agreed. Sil, you truly are an asset to this site. Thank you.
A+, Net+, MCP, CEH
MCSE: Security/Messaging
MCSA: Security/Messaging
Former U.S. Marine and damn proud of it!
sil (Hero Member, Posts: 549)
Re: Steps to hack a network « Reply #9 on: June 23, 2010, 02:45:31 PM »
Quote from: Dengar13 on June 23, 2010, 01:18:11 PM
Agreed. Sil, you truly are an asset to this site. Thank you.
Thanks to both you and Ignatius. I just try to offer a different perspective on things. Tools are cool; no one can get by without them. Understanding their place and value should come first. I come from a system/network administration background, almost exclusively on *nix based systems (Solaris, BSD, Linux... Google + Archive.org would attest to this), so I take an administrative + security approach. I've always tried to do - without... Meaning, replicating tools without using them, because after all, most tools are prettified command line scripts anyway; you just have to be familiar with what commands to use.
I argued slash debated at one point about using specific tools because they were noisy. Most IPS/IDS even home based firewalls will smell nmap coming a mile away, let alone any scanner. That doesn't mean I couldn't run say netcat in a sleep script. With netcat I'm less likely to trigger an alarm for one, secondly if I'm already on a machine, no need to introduce programs that may trigger a HIPS. Sort of "tai chi" the machine's own self.
I also threw this same concept out before as an "all inclusive" backdoor retainer:
http://www.infiltrated.net/scripts/plague
the concept was based off of simple files already on a system (no need to download and trigger any alarms). Would be completely undetectable by AV. I did this in response to a few things at the time... To prove a point to an engineer at Symantec during Joanna Rutkowska's Red Pill Blue Pill dare. It was said that an undetectable backdoor couldn't be made... I made one then the contest was "re-described" to state an "undetectable backdoor hook for ring0" couldn't be made.
How sad... I could have won 10k for a 4 liner.
The point I'm trying to make sometimes is, understand as best as possible what you are doing (stay focused and be extremely versatile). Things fall into place after some practice. Heck on a daily basis I almost always say: "Aha!!!!" and learn something new. This to me is the beauty of security - so vast... Networking, forensics, reverse engineering, scripting... There is always something to do and something new to learn. I've been fortunate enough to know a lot of people through the years and have always despised those who thought they were "too leet/good" to share.
Heck I learn from anyone I can. You never know what you might miss being shortsighted/arrogant/elitist. On the flip side, my descriptions at times tend to seem arrogant. I don't mean to post that way, just the way I am
http://www.infiltrated.net/mgz/puppylecter.jpg
H1t M0nk3y (Hero Member, Posts: 865)
Re: Steps to hack a network « Reply #10 on: June 23, 2010, 03:14:12 PM »
Sil, you don't sound arrogant at all!
There was an earthquake this afternoon in Ottawa, Canada and the government sent us home (even if NOTHING happened!!!). Anyway I got home early and have been applying what you said for the last hour. I am sooooooo new to this world!
My background is developing web applications, so I understand the code very well, but there is a steep learning curve to many, many things in this field.
But as you mentioned, that's why I love it so much: you never stop learning!
All that to say, a server in the lab I thought had 9 ports open really has... 24 listening services! Oh well, back to work now!
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
sil (Hero Member, Posts: 549)
Re: Steps to hack a network « Reply #11 on: June 23, 2010, 03:48:59 PM »
Quote from: H1t M0nk3y on June 23, 2010, 03:14:12 PM
My background is developing web applications, so I understand the code very well, but there is a steep learning curve to many, many things in this field.
When it comes to programming... I only program what I need to run (specifics), so I'm very sharp at creating something I specifically need; however, this is usually because a) I've either done it so many times I felt a need to program something so I don't have to keep doing it, or b) I can re-hash/re-use existing code (why reinvent wheels). I have little patience to go out and be a programmer. I try to gain enough of an understanding to get a job done. It's only now that I'm literally poring over ASM from scratch, not to program in ASM, but to understand reversing a bit more. At the same time it's a bit difficult for me because I can't devote as much time as I'd like to it.
http://www.infiltrated.net/mgz/puppylecter.jpg
© 2013 The Ethical Hacker Network