- This topic has 12 replies, 4 voices, and was last updated 7 years, 7 months ago by
.
-
Posts
-
-
Ok so i’m still really new to this. I’m working on out own internal environment and cant seem to find anything that I could use. I did find one application Veritas – outdated and found the remote agent exploit but when i run it it gets to sending authentication request and then goes back to the main prompt for the exploit. The systems admin has applied most of the critical security patches there are some service packs missing but im not really sure where to go next. :/ All help will be greatly appreciated!
-
-
There is anti-virus it is AVG. I have tried other exploits for the Veritas application and none of them work. Yes i am running metasploit other tool that you would recommend? Im really looking for other possible ways of finding vulnerable applications other than an nmap scan that shows the ports and what service version there is.
-
All depends on the scope of your testing, what you’re testing, etc. The more details you can provide, the more helpful we can be.
You could run a vulnerability scan using OpenVAS. If you have credentials to provide, this could also show you many client-side vulnerabilities to take advantage of. You could be watching network traffic. You could be manipulating network traffic. The anti-virus could be detecting your uploaded payload and deleting it, this is likely happening based on what you’ve said. Maybe you can use hardware keyloggers. Reboot a system to a bootable environment. Again, all depends on the scope of testing and what you can do.
-
this is going to sound funny but the CEO gave me a the go ahead as long as I don’t crash anything in production it really is a free for all. I suppose now that I saw that out loud i could find an unlocked computer and use a rubber ducky script to call back to my testing machine and get shell that way. I hadn’t heard of Open VAS I am going to scan with that and see what I get. I guess i was so caught up in trying to get remote shell using metasploit I lost sight of everything else I could be trying! Thank you so much!
-
Well then there you go, you’ve got all sorts of possibilities. Time to use your imagination and be creative! Maybe create a rogue wifi access point with a captive portal that looks like an internal site/intranet page requiring login to capture credentials. When you have the freedom to do things, you can think up all sorts of crazy ideas 🙂 Good luck!
-
-
Careful with a rouge access point – you’re likely to trap both devices within your scope (your companies) and devices out of scope (Personal devices).
Personally when I do things like this I avoid the obvious stuff (anyone can run Nessus and fix the basic bits) and go for the configuration items that no-one ever changes:
Weak passwords (Password1….anyone?)
Password reuse (Are Domain Admins using the same password on their own logins…?)
3rd party Applications using poorly quoted service paths (Symantec I’m looking at you…)
Passwords in clear-text on Windows machines (Minikatz + default configuration FTW)So my usual route goes:
1. Check all accounts for “Password1” as their password
2. Log into random machine / Terminal Server using account
3. Priv escalate using badly quoted services
4. Disable AV/Security on machine
5. WCE to grab all clear text passwords
6. Login to Domain Controller with Stolen Creds
7. Make CEO panic.Good luck.
-
Thanks UKSecurityGuy ! I made my CEO freak out so bad she sent out an email with in minutes stating that no random USB drives be plugged in something I had been trying to get done for a while! Thank you Rubber Ducky 🙂 I do agree with the Rouge AP point that you made i wouldn’t want to grab anyone’s personal info during the test. Thanks for the tip’s though! I love this job ;D
-
Don’t give us any details that might void your current terms of employment – but out of curiousity what did you find / what did you do that made your CEO freak out?
Theoretical attack proceedures (like mine above) are all well and good, but knowledge of results of actual localised Pen tests (like you’ve just done) help the rest of us tune our attack strategies better (by knowing what the most common flaws are in businesses still)
-
It was a physical style attack(use imagination) and it was easier to bypass a-lot of things, already being employed gets you by a-lot of security. so hypothetical situation…. you go to a conference as upper management and think nothing of it when companies like dell are handing out free USB drives then you plug it in. (Insert type of attack here). I think you could probably imagine where it went from there, thus the freak out. Also thanks for the heads up on terms of employment I will keep that in mind if I ever get an actual pen-testing job and not IT/Support/Security lol
-
-
-
- You must be logged in to reply to this topic.
