.

Penetration Testing in the Real World

<<

Xen

User avatar

Sr. Member
Sr. Member

Posts: 386

Joined: Tue Feb 03, 2009 3:59 am

Post Mon May 03, 2010 9:37 am

Penetration Testing in the Real World

Offensive Security recently posted a 20 minute video at their blog in which they reconstructed a pentest they performed. It's an excellent video IMHO. Muts has again done a fantastic job and tried to explain every single step he took.

Penetration Testing in the real world. If you are tired of “Hacking with Netcat” webcasts or “Penetration Testing with RPC DCOM”, then this movie is for you. It’s a quick reconstruction of a Security Audit we preformed over a year ago, replicated in our labs. The video is under 20 minutes long, and highly edited – attacks rarely go as quickly and smoothly as this !

Check the video here:-
http://www.offensive-security.com/video ... eal-world/
Last edited by Xen on Sun May 16, 2010 12:25 am, edited 1 time in total.
<<

morpheus063

User avatar

Sr. Member
Sr. Member

Posts: 393

Joined: Sun Jun 25, 2006 10:08 am

Location: Cochin - India

Post Mon May 03, 2010 12:57 pm

Re: Penetration Testing in the Real World

Muts strikes back with another great network scenario. Great find Equix3n- - Nice and comprehensive video.
Manu Zacharia
MVP (Enterprise Security), ISLA-2010 (ISC)², C|EH, C|HFI, CCNA, MCP,
Certified ISO 27001:2005 Lead Auditor

[b]There are 3 roads to spoil; women, gambling & hacking. The most pleasant with women, the quickest with gambling, but the surest is hacking - c0c0n
<<

kriscamaro68

User avatar

Jr. Member
Jr. Member

Posts: 61

Joined: Thu Mar 11, 2010 2:48 pm

Post Mon May 03, 2010 4:26 pm

Re: Penetration Testing in the Real World

That was a great video thanks for sharing.
A+, Net+, Server+, Security+, MCP/XP
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Mon May 03, 2010 10:40 pm

Re: Penetration Testing in the Real World

Thanks for sharing.  That was a great video!
~~~~~~~~~~~~~~
Ketchup
<<

rattis

User avatar

Hero Member
Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Mon May 03, 2010 11:48 pm

Re: Penetration Testing in the Real World

I still need to find 20 minutes where I can sit down and watch it.  :-\
OSWP, Sec+
<<

Xen

User avatar

Sr. Member
Sr. Member

Posts: 386

Joined: Tue Feb 03, 2009 3:59 am

Post Tue May 04, 2010 6:29 am

Re: Penetration Testing in the Real World

I think EHNet members can post similar videos constructing scenarios from their actual pentests. That would be an awesome resource as almost everyone has his own little tricks and we can learn from each other. Even writing articles explaining how they approached a pentest would be very useful.
Last edited by Xen on Sun May 16, 2010 12:23 am, edited 1 time in total.
<<

What90

Full Member
Full Member

Posts: 120

Joined: Sat Jun 09, 2007 2:23 am

Location: Syndey, Australia

Post Tue May 04, 2010 8:34 am

Re: Penetration Testing in the Real World

Excellent demo and explanation for how they did it and the mindset they used to work into the environment. Some great work and clever thinking.

What I take from it, from the defense side, is that some simple, good practices would have stopped the attack in its tracks.

As an example, if the servers weren't allow outbound access to any locations, the tunneling would have failed. Simple controlled egress filters would have successful "saved" the target from being exploited in this way.
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Tue May 04, 2010 9:59 am

Re: Penetration Testing in the Real World

Equix3n- wrote:I think EHNet members can post similar videos constructing scenarios from their actual pentests. That would be an awesome resource as almost everyone has his own little tricks and we can learn from each other.


The OffSec folks built a replica lab environment of the actual pen test.  You can't really include the results of a live pentest in a training video.  Most clients wouldn't go for that.  I am wondering how many hours were spent on recreating the environment and creating the video.
~~~~~~~~~~~~~~
Ketchup
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Tue May 04, 2010 10:54 am

Re: Penetration Testing in the Real World

I dunno, but based on the detail that I've heard they have in the OSCP lab (I signed up, today, for the 60-day OSCP v3,) I'd bet they did it pretty quickly.  After all, if you KNOW what you exploited, it shouldn't be too hard to recreate, right?  ;)
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

mtgarden

Newbie
Newbie

Posts: 14

Joined: Mon Feb 26, 2007 3:22 pm

Post Tue May 04, 2010 2:18 pm

Re: Penetration Testing in the Real World

I showed this video to my developers.  I used it to interest them in the actual threats posed by "minor holes." It was an attempt to help them understand how a bad guy leverages various holes to gain control of the entire network.

I also showed a sanitized screenshot of sqlmap dumping a HR DB through a simple website.  This was an effort to show them the danger of reusing accounts repeatedly.

I think that the combination worked well.  I immediately received email questions and comments. 

Anyone else try this?
<<

j0rDy

User avatar

Hero Member
Hero Member

Posts: 591

Joined: Tue Feb 23, 2010 4:55 am

Location: Netherlands

Post Sun May 09, 2010 3:14 am

Re: Penetration Testing in the Real World

Thanks for sharing! downloading now and i will check it later. If it is a DCOM exploit it should be that hard to build it in a replica environment?
CISSP, CEH, ECSA, OSCP, OSWP

earning my stripes appears to be a road i must travel alone...with a little help of EH.net
<<

jonas

Newbie
Newbie

Posts: 46

Joined: Mon Jun 08, 2009 9:04 pm

Post Tue May 11, 2010 2:13 pm

Re: Penetration Testing in the Real World

Great movie!  Keep em coming if anyone have more such videos.  Kinda great when it's not just a tut on a single method, but when its all put together its awesome =)
<<

zeroflaw

User avatar

Full Member
Full Member

Posts: 208

Joined: Fri Feb 12, 2010 10:41 am

Location: Holland, Den Helder

Post Tue May 11, 2010 2:34 pm

Re: Penetration Testing in the Real World

Sweet video! Thanks!
ZF
<<

j0rDy

User avatar

Hero Member
Hero Member

Posts: 591

Joined: Tue Feb 23, 2010 4:55 am

Location: Netherlands

Post Wed May 12, 2010 3:44 am

Re: Penetration Testing in the Real World

watched the video the other day and i must say i'm impressed! this truely shows the hacker mindset you need to thourougly scan a complete network, finding the right puzzle pieces to finish and to think out of the box. this one goes into my collection!
CISSP, CEH, ECSA, OSCP, OSWP

earning my stripes appears to be a road i must travel alone...with a little help of EH.net
<<

caissyd

User avatar

Hero Member
Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Wed May 12, 2010 7:08 am

Re: Penetration Testing in the Real World

Hey,

@mtgarden: I have showed the video to the developers, managers and even a director where I work. I paused the video every  minute or so and explained in simple words what he was doing. It was very, very well received!!!

I will probably start demos and presentations during lunch time on topics such as "How to secure a wireless router", "SQL Injection", "How to code securely", etc...

Even if it wasn't my goal at all, it kind of put me on the map!  ;D

I encourage you guys to do the same.
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
Next

Return to Network Pen Testing

Who is online

Users browsing this forum: No registered users and 1 guest

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software