Pen test question

    • #8606
      n37sh@rk
      Participant

      Ok so I’m still really new to this. I’m working on our own internal environment and can’t seem to find anything that I could use. I did find one application, Veritas – outdated – and found the remote agent exploit, but when I run it it gets to sending the authentication request and then goes back to the main prompt for the exploit. The systems admin has applied most of the critical security patches; there are some service packs missing, but I’m not really sure where to go next. :/ All help will be greatly appreciated!

    • #53584
      BillV
      Participant

      There’s not much information to go off of here. I assume from your statements that you’re running metasploit. Is there anti-virus running on the target? HIDS? Have you tried a different payload? There are a number of things that could be happening – it may not even be vulnerable.

    • #53585
      n37sh@rk
      Participant

      There is anti-virus; it is AVG. I have tried other exploits for the Veritas application and none of them work. Yes, I am running Metasploit. Any other tool that you would recommend? I’m really looking for other possible ways of finding vulnerable applications other than an nmap scan that shows the ports and what service version there is.

    • #53586
      BillV
      Participant

      All depends on the scope of your testing, what you’re testing, etc. The more details you can provide, the more helpful we can be.

      You could run a vulnerability scan using OpenVAS. If you have credentials to provide, this could also show you many client-side vulnerabilities to take advantage of. You could be watching network traffic. You could be manipulating network traffic. The anti-virus could be detecting your uploaded payload and deleting it, this is likely happening based on what you’ve said. Maybe you can use hardware keyloggers. Reboot a system to a bootable environment. Again, all depends on the scope of testing and what you can do.

    • #53587
      n37sh@rk
      Participant

      This is going to sound funny, but the CEO gave me the go-ahead as long as I don’t crash anything in production; it really is a free-for-all. I suppose now that I say that out loud I could find an unlocked computer and use a Rubber Ducky script to call back to my testing machine and get a shell that way. I hadn’t heard of OpenVAS; I am going to scan with that and see what I get. I guess I was so caught up in trying to get a remote shell using Metasploit I lost sight of everything else I could be trying! Thank you so much!

    • #53588
      BillV
      Participant

      Well then there you go, you’ve got all sorts of possibilities. Time to use your imagination and be creative! Maybe create a rogue wifi access point with a captive portal that looks like an internal site/intranet page requiring login to capture credentials. When you have the freedom to do things, you can think up all sorts of crazy ideas 🙂 Good luck!

    • #53589
      impelse
      Participant

      Do you have any web application?

      Can you get any credentials with active sniffing? Some users use the same credentials for the domain.

      It takes some time and effort; you will not succeed in all the attacks, but keep trying.

    • #53590
      UKSecurityGuy
      Participant

      Careful with a rogue access point – you’re likely to trap both devices within your scope (your company’s) and devices out of scope (personal devices).

      Personally, when I do things like this I avoid the obvious stuff (anyone can run Nessus and fix the basic bits) and go for the configuration items that no-one ever changes:

      Weak passwords (Password1….anyone?)
      Password reuse (Are Domain Admins using the same password on their own logins…?)
      3rd party Applications using poorly quoted service paths (Symantec I’m looking at you…)
      Passwords in clear-text on Windows machines (Mimikatz + default configuration FTW)

      So my usual route goes:

      1. Check all accounts for “Password1” as their password
      2. Log into random machine / Terminal Server using account
      3. Priv escalate using badly quoted services
      4. Disable AV/Security on machine
      5. WCE to grab all clear text passwords
      6. Login to Domain Controller with Stolen Creds
      7. Make CEO panic.

      Good luck.
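
An added defender-side check for the third item in that list (unquoted service paths), written for this thread rather than taken from any poster: it audits Windows service ImagePath values and reports the corrected, quoted value an administrator should set. The service names and paths below are constructed samples, not real registry contents.

```python
import re

# Constructed sample ImagePath values in the shape found under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath (made up for this example).
SAMPLE_SERVICES = {
    "GoodVendorSvc": '"C:\\Program Files\\Good Vendor\\svc.exe" -run',
    "AgentSvc": "C:\\Program Files\\Some Vendor\\Agent\\agent.exe /service",
    "Schedule": "C:\\Windows\\system32\\svchost.exe -k netsvcs",
    "ToolSvc": "C:\\Tools\\tool.exe",
    "FooDrv": "\\SystemRoot\\System32\\drivers\\foo.sys",
}

# Everything up to and including the first ".exe" token.
EXE_RE = re.compile(r"(.*?\.exe)\b", re.IGNORECASE)


def split_image_path(image_path: str) -> tuple[str, str]:
    """Split an ImagePath into (executable, arguments).
    A value starting with a double quote is already quoted: the executable is the
    text inside the first pair of quotes. Otherwise take everything up to the first
    ".exe" (or the first whitespace-delimited word, e.g. for a .sys driver)."""
    p = image_path.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        return p[1:end], p[end + 1:]
    m = EXE_RE.match(p)
    exe = m.group(1) if m else p.split()[0]
    return exe, p[len(exe):]


def is_unquoted_with_spaces(image_path: str) -> bool:
    """True when the path is unquoted and the executable path contains a space:
    the condition under which Windows may try to start a different binary
    (the misconfiguration item 3 in the list above refers to)."""
    if image_path.strip().startswith('"'):
        return False
    exe, _ = split_image_path(image_path)
    return " " in exe


def quoted_fix(image_path: str) -> str:
    """Return the ImagePath with the executable wrapped in double quotes."""
    exe, args = split_image_path(image_path)
    return f'"{exe}"{args}'


def audit(services: dict[str, str]) -> list[tuple[str, str]]:
    """Return (service name, corrected ImagePath) for every flagged service."""
    return [(name, quoted_fix(path)) for name, path in services.items()
            if is_unquoted_with_spaces(path)]
```

On a real host the same dictionary can be built from `Get-CimInstance Win32_Service | Select-Object Name, PathName` and passed to `audit`; each flagged entry is a service whose ImagePath should be rewritten with the quotes shown.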

    • #53591
      n37sh@rk
      Participant

      Thanks UKSecurityGuy! I made my CEO freak out so bad she sent out an email within minutes stating that no random USB drives be plugged in, something I had been trying to get done for a while! Thank you Rubber Ducky 🙂 I do agree with the rogue AP point that you made; I wouldn’t want to grab anyone’s personal info during the test. Thanks for the tips though! I love this job ;D

    • #53592
      UKSecurityGuy
      Participant

      Don’t give us any details that might void your current terms of employment – but out of curiosity, what did you find / what did you do that made your CEO freak out?

      Theoretical attack procedures (like mine above) are all well and good, but knowledge of the results of actual localised pen tests (like you’ve just done) helps the rest of us tune our attack strategies better (by knowing what the most common flaws in businesses still are).

    • #53593
      n37sh@rk
      Participant

      It was a physical-style attack (use imagination) and it was easier to bypass a lot of things; already being employed gets you by a lot of security. So, hypothetical situation.... you go to a conference as upper management and think nothing of it when companies like Dell are handing out free USB drives, then you plug it in. (Insert type of attack here.) I think you could probably imagine where it went from there, thus the freak out. Also, thanks for the heads up on terms of employment; I will keep that in mind if I ever get an actual pen-testing job and not IT/Support/Security lol

    • #53594
      UKSecurityGuy
      Participant

      Thanks for the info.

      I missed the “Rubber ducky” reference in your previous post, it all makes sense now.

    • #53595
      n37sh@rk
      Participant

      No problem! If I’ve learned anything it’s that sharing is caring 😀 lol

Copyright ©2020 Caendra, Inc.
