Also remember, netcat is your friend at the end of the day:
http://www.scribd.com/Penetration-Testing-Ninjitsu2-Infrastructure-and-Netcat-without-Netcat/d/3064507A thing to keep in mind is HIDS. I try to act as if HIDS are always going to be installed on a machine. This means any introduction of new code, applications, or filename and timestamps changes can trigger bells and whistles. If you keep this in mind, it will allow you to take a step away from being too reliant on say metasploit or any other tool. E.g., you got your access however, you need more X... *nix provides a variety of tools already on the system that will allow you to do whatever you want to do. (nc, forward may be installed on some systems
http://linux.die.net/man/1/forward, socat)
I've been tinkering with something on the Windows side of pentesting for situations like this... I call it TaiChiRedTeaming for lack of a cooler name. The goal is to use the system against itself. This morning I started tinkering with wmic and came up with Amphibios...
rem The purpose of Amphibios is to accumulate detailed information
rem on the system in which launches Amphibios without introducing
rem or installing applications on the system itself. The use of
rem Amphibios can be correlated with either a system administrator
rem documenting and detailing information on the system, or one can
rem use the information for other means. For example, in performing
rem a host based penetration test, the information gathered via say
rem installed patches will allow a tester to determine the possible
rem exposure state due to patches that weren't installed.
rem Amphibios gathers information on all applications, patches,
rem users, groups and diskspace on a machine. By putting this info
rem all into one repository, the data can be used for quite a few
rem purposes. While Amphibios is my first Windows based script (I
rem come from a *nix background), I may or may not alter it to
rem have the capabilities of sending data to a DB however, at this
rem point in time, Amphibios is nothing more than a test slash
rem work in progress. I may make it post to a remote db then have
rem that system parse out which updates are installed, check for
rem missing patches, updates, vulnerable software, then create a
rem a structured and tactical penetration test against the output.
rem ************************ NOTE ************************
rem Right now, I'm just familiarizing myself with wmic and
rem powershell so - yes I do know this is butt ugly
rem ************************ NOTE ************************
So far it's butt ugly but I've got it to do what I've set out to do so far.
http://www.infiltrated.net/amphibiosxp.txthttp://www.infiltrated.net/amphibiosxp.bat (same file as above just renamed)
It's something I can literally copy and paste once I'm on a machine. I plan on eventually making it an xml file and parsing data from what it obtains into populating an attack plan on a machine. Think: "pseudo-heuristi-yet-focused pre-pentest tool". The beauty of it is, I install zero to get me enough information to see what I can use on the system to escalate, maintain status, subvert, etc.
Wish I had more time though, I plan on rewriting it from scratch. It's conceptual but a horribly good concept/idea. If I can get it working the way I want, I can probably automate more effective pentests with better results. Or... I can probably just learn powershell and win commands and accomplish nothing. In either event... Think outside the box
#########################################################
ADDED 3:57PMESTForgot to add Paketto (
http://freshmeat.net/projects/paketto/). Has some interesting tools and there was an interesting document I read years back, can't remember who wrote it or what the name was. Went something like this (in terms of covertness)...
So you compromise a machine and need data OFF or ON. You choose an ICMP covert shell with the destination address going to ... WHO CARES, ANYONE. Your goal is to sniff the ICMP traffic and recompile the data you need. There is minimal pointing back to you.
You --> compromise machine
You --> create a covert ICMP tunnel somewhere along a line of site between you and compromised host
You --> sanitize compromise
You --> blindly spoof data
TO machine from another machine along the line of site (remember, blind spoofing you don't care about the results)
Machine --> responds via ICMP messages to ... WHO CARES ... All you care about is seeing (sniffing) the data
Within the ICMP tunnel you can pretty much do whatever you'd like. Although you are blindly spoofing, you won't get an immediate response from the machine, but via sniffing you would see the results going to someone else. ... Make sense?
OSCP - Offensive Security Certified Professional : Failed my first attempt at the OSCP exam
