October 18, 2013 at 11:54 am #8606
Ok so i’m still really new to this. I’m working on out own internal environment and cant seem to find anything that I could use. I did find one application Veritas – outdated and found the remote agent exploit but when i run it it gets to sending authentication request and then goes back to the main prompt for the exploit. The systems admin has applied most of the critical security patches there are some service packs missing but im not really sure where to go next. :/ All help will be greatly appreciated!
October 18, 2013 at 1:33 pm #53584
There’s not much information to go off of here. I assume from your statements that you’re running metasploit. Is there anti-virus running on the target? HIDS? Have you tried a different payload? There are a number of things that could be happening – it may not even be vulnerable.
October 18, 2013 at 1:39 pm #53585
There is anti-virus it is AVG. I have tried other exploits for the Veritas application and none of them work. Yes i am running metasploit other tool that you would recommend? Im really looking for other possible ways of finding vulnerable applications other than an nmap scan that shows the ports and what service version there is.
October 18, 2013 at 2:04 pm #53586
All depends on the scope of your testing, what you’re testing, etc. The more details you can provide, the more helpful we can be.
You could run a vulnerability scan using OpenVAS. If you have credentials to provide, this could also show you many client-side vulnerabilities to take advantage of. You could be watching network traffic. You could be manipulating network traffic. The anti-virus could be detecting your uploaded payload and deleting it, this is likely happening based on what you’ve said. Maybe you can use hardware keyloggers. Reboot a system to a bootable environment. Again, all depends on the scope of testing and what you can do.
October 18, 2013 at 2:12 pm #53587
this is going to sound funny but the CEO gave me a the go ahead as long as I don’t crash anything in production it really is a free for all. I suppose now that I saw that out loud i could find an unlocked computer and use a rubber ducky script to call back to my testing machine and get shell that way. I hadn’t heard of Open VAS I am going to scan with that and see what I get. I guess i was so caught up in trying to get remote shell using metasploit I lost sight of everything else I could be trying! Thank you so much!
October 18, 2013 at 2:22 pm #53588
Well then there you go, you’ve got all sorts of possibilities. Time to use your imagination and be creative! Maybe create a rogue wifi access point with a captive portal that looks like an internal site/intranet page requiring login to capture credentials. When you have the freedom to do things, you can think up all sorts of crazy ideas 🙂 Good luck!
October 19, 2013 at 5:23 am #53589impelseParticipant
Do you have any web application?
Can you get any credentials with active sniffing? Some users use the same credentials for the domain.
Takes some time and effort, you will not success in all the attacks, you are still trying.
October 24, 2013 at 10:50 am #53590
Careful with a rouge access point – you’re likely to trap both devices within your scope (your companies) and devices out of scope (Personal devices).
Personally when I do things like this I avoid the obvious stuff (anyone can run Nessus and fix the basic bits) and go for the configuration items that no-one ever changes:
Weak passwords (Password1….anyone?)
Password reuse (Are Domain Admins using the same password on their own logins…?)
3rd party Applications using poorly quoted service paths (Symantec I’m looking at you…)
Passwords in clear-text on Windows machines (Minikatz + default configuration FTW)
So my usual route goes:
1. Check all accounts for “Password1” as their password
2. Log into random machine / Terminal Server using account
3. Priv escalate using badly quoted services
4. Disable AV/Security on machine
5. WCE to grab all clear text passwords
6. Login to Domain Controller with Stolen Creds
7. Make CEO panic.
October 24, 2013 at 11:35 am #53591
Thanks UKSecurityGuy ! I made my CEO freak out so bad she sent out an email with in minutes stating that no random USB drives be plugged in something I had been trying to get done for a while! Thank you Rubber Ducky 🙂 I do agree with the Rouge AP point that you made i wouldn’t want to grab anyone’s personal info during the test. Thanks for the tip’s though! I love this job ;D
October 24, 2013 at 12:44 pm #53592
Don’t give us any details that might void your current terms of employment – but out of curiousity what did you find / what did you do that made your CEO freak out?
Theoretical attack proceedures (like mine above) are all well and good, but knowledge of results of actual localised Pen tests (like you’ve just done) help the rest of us tune our attack strategies better (by knowing what the most common flaws are in businesses still)
October 24, 2013 at 1:09 pm #53593
It was a physical style attack(use imagination) and it was easier to bypass a-lot of things, already being employed gets you by a-lot of security. so hypothetical situation…. you go to a conference as upper management and think nothing of it when companies like dell are handing out free USB drives then you plug it in. (Insert type of attack here). I think you could probably imagine where it went from there, thus the freak out. Also thanks for the heads up on terms of employment I will keep that in mind if I ever get an actual pen-testing job and not IT/Support/Security lol
October 24, 2013 at 1:39 pm #53594
Thanks for the info.
I missed the “Rubber ducky” reference in your previous post, it all makes sense now.
October 24, 2013 at 1:45 pm #53595
No Problem! If i’ve learned anything its that sharing is caring 😀 lol
- You must be logged in to reply to this topic.