Pent test question

n37sh@rk

Jr. Member

Posts: 70

Joined: Thu Jan 24, 2013 1:07 pm

Location: Anywhere

Post Fri Oct 18, 2013 6:54 am

Pent test question

Ok so I'm still really new to this. I'm working on our own internal environment and can't seem to find anything that I could use. I did find one application, Veritas - outdated - and found the remote agent exploit, but when I run it, it gets to sending the authentication request and then goes back to the main prompt for the exploit. The systems admin has applied most of the critical security patches; there are some service packs missing, but I'm not really sure where to go next. :/ All help will be greatly appreciated!

venom77

Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Fri Oct 18, 2013 8:33 am

Re: Pent test question

There's not much information to go off of here. I assume from your statements that you're running Metasploit. Is there anti-virus running on the target? HIDS? Have you tried a different payload? There are a number of things that could be happening - it may not even be vulnerable.

n37sh@rk

Jr. Member

Posts: 70

Joined: Thu Jan 24, 2013 1:07 pm

Location: Anywhere

Post Fri Oct 18, 2013 8:39 am

Re: Pent test question

There is anti-virus; it is AVG. I have tried other exploits for the Veritas application and none of them work. Yes, I am running Metasploit; any other tool that you would recommend? I'm really looking for other possible ways of finding vulnerable applications other than an nmap scan that shows the ports and what service version there is.

venom77

Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Fri Oct 18, 2013 9:04 am

Re: Pent test question

All depends on the scope of your testing, what you're testing, etc. The more details you can provide, the more helpful we can be.

You could run a vulnerability scan using OpenVAS. If you have credentials to provide, this could also show you many client-side vulnerabilities to take advantage of. You could be watching network traffic. You could be manipulating network traffic. The anti-virus could be detecting your uploaded payload and deleting it; this is likely happening based on what you've said. Maybe you can use hardware keyloggers. Reboot a system to a bootable environment. Again, it all depends on the scope of testing and what you can do.

n37sh@rk

Jr. Member

Posts: 70

Joined: Thu Jan 24, 2013 1:07 pm

Location: Anywhere

Post Fri Oct 18, 2013 9:12 am

Re: Pent test question

This is going to sound funny, but the CEO gave me the go-ahead; as long as I don't crash anything in production it really is a free-for-all. I suppose, now that I say that out loud, I could find an unlocked computer and use a Rubber Ducky script to call back to my testing machine and get a shell that way. I hadn't heard of OpenVAS; I am going to scan with that and see what I get. I guess I was so caught up in trying to get a remote shell using Metasploit that I lost sight of everything else I could be trying! Thank you so much!

venom77

Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Fri Oct 18, 2013 9:22 am

Re: Pent test question

Well then, there you go, you've got all sorts of possibilities. Time to use your imagination and be creative! Maybe create a rogue wifi access point with a captive portal that looks like an internal site/intranet page requiring login to capture credentials. When you have the freedom to do things, you can think up all sorts of crazy ideas :-) Good luck!

impelse

Hero Member

Posts: 585

Joined: Mon Feb 16, 2009 3:40 pm

Post Sat Oct 19, 2013 12:23 am

Re: Pent test question

Do you have any web application?

Can you get any credentials with active sniffing? Some users use the same credentials for the domain.

It takes some time and effort; you will not succeed in all the attacks, so keep trying.

UKSecurityGuy

Jr. Member

Posts: 88

Joined: Wed Mar 27, 2013 10:51 am

Post Thu Oct 24, 2013 5:50 am

Re: Pent test question

Careful with a rogue access point - you're likely to trap both devices within your scope (your company's) and devices out of scope (personal devices).

Personally, when I do things like this I avoid the obvious stuff (anyone can run Nessus and fix the basic bits) and go for the configuration items that no-one ever changes:

Weak passwords (Password1....anyone?)
Password reuse (Are Domain Admins using the same password on their own logins...?)
3rd party applications using poorly quoted service paths (Symantec, I'm looking at you...)
Passwords in clear text on Windows machines (Mimikatz + default configuration FTW)

So my usual route goes:

1. Check all accounts for "Password1" as their password
2. Log into random machine / Terminal Server using account
3. Priv escalate using badly quoted services
4. Disable AV/Security on machine
5. WCE to grab all clear text passwords
6. Login to Domain Controller with Stolen Creds
7. Make CEO panic.

Good luck.
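A defender's check for the "poorly quoted service paths" item in the list above, added here as an example and not code from the thread or any poster. It assumes an elevated PowerShell session on the Windows host being audited; the two function names are my own.

```powershell
# Added example: audit Windows services for executable paths that contain
# spaces but are not wrapped in quotes. Assumes an elevated PowerShell session
# on the host being audited; Get-CimInstance ships with PowerShell.

function ConvertTo-QuotedServicePath {
    # Returns PathName with the executable portion quoted and any arguments
    # left untouched. Paths without a recognisable .exe pass through unchanged.
    param([Parameter(Mandatory)][string]$PathName)
    if ($PathName -match '^(?<exe>[^"]+?\.exe)(?<args>.*)$') {
        return '"' + $Matches.exe + '"' + $Matches.args
    }
    return $PathName
}

function Get-UnquotedServicePath {
    # Lists services whose unquoted executable path contains a space, the
    # account each runs as (the privilege a planted binary would inherit)
    # and the corrected binPath to apply.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.PathName -and
            $_.PathName -notlike '"*' -and                 # already quoted: skip
            (($_.PathName -split '\.exe')[0] -match ' ')    # space before the .exe
        } |
        ForEach-Object {
            [PSCustomObject]@{
                Name      = $_.Name
                RunsAs    = $_.StartName
                StartMode = $_.StartMode
                PathName  = $_.PathName
                Suggested = ConvertTo-QuotedServicePath -PathName $_.PathName
            }
        }
}

# Report. Remediate each finding with
#   sc.exe config <Name> binPath= "\"C:\Program Files\Vendor\svc.exe\" <args>"
# or by editing ImagePath under HKLM:\SYSTEM\CurrentControlSet\Services\<Name>,
# then confirm the service still starts.
Get-UnquotedServicePath | Format-Table -AutoSize -Wrap
```

Findings whose parent directories are writable by standard users are the ones that matter most; the others are still worth quoting so the list stays empty.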

n37sh@rk

Jr. Member

Posts: 70

Joined: Thu Jan 24, 2013 1:07 pm

Location: Anywhere

Post Thu Oct 24, 2013 6:35 am

Re: Pent test question

Thanks, UKSecurityGuy! I made my CEO freak out so bad she sent out an email within minutes stating that no random USB drives be plugged in, something I had been trying to get done for a while! Thank you, Rubber Ducky :) I do agree with the rogue AP point that you made; I wouldn't want to grab anyone's personal info during the test. Thanks for the tips though! I love this job ;D

UKSecurityGuy

Jr. Member

Posts: 88

Joined: Wed Mar 27, 2013 10:51 am

Post Thu Oct 24, 2013 7:44 am

Re: Pent test question

Don't give us any details that might void your current terms of employment - but out of curiosity, what did you find / what did you do that made your CEO freak out?

Theoretical attack procedures (like mine above) are all well and good, but knowledge of the results of actual localised pen tests (like you've just done) helps the rest of us tune our attack strategies better (by knowing what the most common flaws in businesses still are).

n37sh@rk

Jr. Member

Posts: 70

Joined: Thu Jan 24, 2013 1:07 pm

Location: Anywhere

Post Thu Oct 24, 2013 8:09 am

Re: Pent test question

It was a physical-style attack (use imagination) and it was easier to bypass a lot of things; already being employed gets you by a lot of security. So, hypothetical situation.... you go to a conference as upper management and think nothing of it when companies like Dell are handing out free USB drives, then you plug it in. (Insert type of attack here.) I think you could probably imagine where it went from there, thus the freak out. Also, thanks for the heads-up on terms of employment; I will keep that in mind if I ever get an actual pen-testing job and not IT/Support/Security lol

UKSecurityGuy

Jr. Member

Posts: 88

Joined: Wed Mar 27, 2013 10:51 am

Post Thu Oct 24, 2013 8:39 am

Re: Pent test question

Thanks for the info.

I missed the "Rubber ducky" reference in your previous post, it all makes sense now.

n37sh@rk

Jr. Member

Posts: 70

Joined: Thu Jan 24, 2013 1:07 pm

Location: Anywhere

Post Thu Oct 24, 2013 8:45 am

Re: Pent test question

No problem! If I've learned anything, it's that sharing is caring :D lol