Also remember, netcat is your friend at the end of the day:
http://www.scribd.com/Penetration-Testing-Ninjitsu2-Infrastructure-and-Netcat-without-Netcat/d/3064507
A thing to keep in mind is HIDS. I try to act as if HIDS are always going to be installed on a machine. This means any introduction of new code, applications, or filename and timestamp changes can trigger bells and whistles. If you keep this in mind, it will allow you to take a step away from being too reliant on, say, metasploit or any other tool. E.g., you got your access; however, you need more X... *nix provides a variety of tools already on the system that will allow you to do whatever you want to do (nc; forward, which may be installed on some systems: http://linux.die.net/man/1/forward; socat).
I've been tinkering with something on the Windows side of pentesting for situations like this... I call it TaiChiRedTeaming for lack of a cooler name. The goal is to use the system against itself. This morning I started tinkering with wmic and came up with Amphibios...
rem The purpose of Amphibios is to accumulate detailed information
rem on the system that launches Amphibios without introducing
rem or installing applications on the system itself. The use of
rem Amphibios can be correlated with either a system administrator
rem documenting and detailing information on the system, or one can
rem use the information for other means. For example, in performing
rem a host based penetration test, the information gathered via, say,
rem installed patches will allow a tester to determine the possible
rem exposure state due to patches that weren't installed.
rem Amphibios gathers information on all applications, patches,
rem users, groups and diskspace on a machine. By putting this info
rem all into one repository, the data can be used for quite a few
rem purposes. While Amphibios is my first Windows based script (I
rem come from a *nix background), I may or may not alter it to
rem have the capabilities of sending data to a DB; however, at this
rem point in time, Amphibios is nothing more than a test slash
rem work in progress. I may make it post to a remote db then have
rem that system parse out which updates are installed, check for
rem missing patches, updates, vulnerable software, then create
rem a structured and tactical penetration test against the output.
rem ************************ NOTE ************************
rem Right now, I'm just familiarizing myself with wmic and
rem powershell, so - yes, I do know this is butt ugly
rem ************************ NOTE ************************
So far it's butt ugly but I've got it to do what I've set out to do so far.
http://www.infiltrated.net/amphibiosxp.txt
http://www.infiltrated.net/amphibiosxp.bat (same file as above, just renamed)
It's something I can literally copy and paste once I'm on a machine. I plan on eventually making it an xml file and parsing data from what it obtains into populating an attack plan on a machine. Think: "pseudo-heuristi-yet-focused pre-pentest tool". The beauty of it is, I install zero to get me enough information to see what I can use on the system to escalate, maintain status, subvert, etc.
Wish I had more time though; I plan on rewriting it from scratch. It's conceptual but a horribly good concept/idea. If I can get it working the way I want, I can probably automate more effective pentests with better results. Or... I can probably just learn powershell and win commands and accomplish nothing. In either event... Think outside the box.
#########################################################
ADDED 3:57PM EST
Forgot to add Paketto (http://freshmeat.net/projects/paketto/). Has some interesting tools, and there was an interesting document I read years back; can't remember who wrote it or what the name was. Went something like this (in terms of covertness)...
So you compromise a machine and need data OFF or ON. You choose an ICMP covert shell with the destination address going to ... WHO CARES, ANYONE. Your goal is to sniff the ICMP traffic and recompile the data you need. There is minimal pointing back to you.
You --> compromise machine
You --> create a covert ICMP tunnel somewhere along a line of sight between you and compromised host
You --> sanitize compromise
You --> blindly spoof data TO machine from another machine along the line of sight (remember, with blind spoofing you don't care about the results)
Machine --> responds via ICMP messages to ... WHO CARES ... All you care about is seeing (sniffing) the data
Within the ICMP tunnel you can pretty much do whatever you'd like. Although you are blindly spoofing, you won't get an immediate response from the machine, but via sniffing you would see the results going to someone else. ... Make sense?
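From the defender's side, the scheme above leaves three tells on the wire: echo replies arriving at the spoofed "who cares" address for requests it never sent, echo replies whose payload does not mirror the request (an RFC-conforming echo reply copies the request data, a tunnel overwrites it), and echo payloads far larger than any stock ping sends. The detector below is an added example, not code from the original post; it assumes packet records already decoded from a capture (the `Pkt` tuple, the `MAX_NORMAL_PAYLOAD` baseline and the sample traffic are all constructed here).

```python
from collections import namedtuple

# One decoded ICMP packet (assumed record layout, not a real library type).
Pkt = namedtuple("Pkt", "ts src dst icmp_type icmp_id seq payload")
ECHO_REQUEST, ECHO_REPLY = 8, 0
MAX_NORMAL_PAYLOAD = 64   # assumed site baseline; Linux ping sends 56 bytes by default

def find_suspicious_icmp(packets, max_payload=MAX_NORMAL_PAYLOAD):
    """Return (reason, packet) pairs for three tells of an echo-based covert
    channel: a reply with no matching request (backscatter at the spoofed
    address), a reply whose payload does not mirror its request (data stuffed
    into the reply), and an oversized echo payload in either direction."""
    pending = {}                  # (requester, target, id, seq) -> request payload
    findings = []
    for p in sorted(packets, key=lambda q: q.ts):
        if p.icmp_type == ECHO_REQUEST:
            pending[(p.src, p.dst, p.icmp_id, p.seq)] = p.payload
        elif p.icmp_type == ECHO_REPLY:
            key = (p.dst, p.src, p.icmp_id, p.seq)   # reply flows target -> requester
            if key not in pending:
                findings.append(("reply-without-request", p))
            elif pending.pop(key) != p.payload:
                findings.append(("reply-payload-mismatch", p))
        if len(p.payload) > max_payload:
            findings.append(("oversized-payload", p))
    return findings

# Constructed sample traffic as seen at the border of the network whose
# address 10.0.0.5 is being used as the reply destination.
SAMPLE = [
    Pkt(1.0, "10.0.0.5", "10.0.0.9", ECHO_REQUEST, 1, 1, b"A" * 56),         # normal ping
    Pkt(1.1, "10.0.0.9", "10.0.0.5", ECHO_REPLY,   1, 1, b"A" * 56),         # mirrored reply
    Pkt(2.0, "203.0.113.7", "10.0.0.5", ECHO_REPLY, 77, 1, b"\x00" * 40),    # no request seen
    Pkt(3.0, "10.0.0.5", "10.0.0.9", ECHO_REQUEST, 2, 1, b"B" * 32),
    Pkt(3.1, "10.0.0.9", "10.0.0.5", ECHO_REPLY,   2, 1, b"data-in-reply"),  # payload changed
    Pkt(4.0, "10.0.0.5", "10.0.0.9", ECHO_REQUEST, 3, 1, b"C" * 1400),       # bulk payload
]

if __name__ == "__main__":
    for reason, p in find_suspicious_icmp(SAMPLE):
        print(f"{p.ts:5.1f} {p.src} -> {p.dst} id={p.icmp_id} seq={p.seq}: {reason}")
```

The request/reply pairing only works where the sensor sees both directions, so run it at the perimeter of the network being impersonated; the payload checks work anywhere.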