
Non-Framework Exploits in Professional Tests?


dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Wed Aug 11, 2010 7:42 pm

Non-Framework Exploits in Professional Tests?

I'm just curious how often anyone else uses stand-alone exploits from sources such as Exploit DB in professional tests. I think I've only done so once.

If so, do you expect to have internet (unfiltered) access while on site?

Do you maintain an archive that you bring with you?

Or do you primarily stick to Metasploit, Canvas, Core Impact, etc.?
The day you stop learning is the day you start becoming obsolete.

Ketchup


Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Wed Aug 11, 2010 9:01 pm

Re: Non-Framework Exploits in Professional Tests?

I use non-framework exploits. I use any exploit I can reasonably verify won't do too much damage. The way I look at it is the bad guys will use anything available to them.

I usually have an archive or two on my laptop, but they are almost always too outdated. I just forget to update them. What I usually do is maintain an SSH account on a standard port and some odd port. Part of pen testing is to see what egress filtering and content filtering is present on the network. If I can't get to a site like exploit-db.com, I use my SSH account to proxy out. This is actually another good test to see what outbound services are permitted.

Just my thoughts.
~~~~~~~~~~~~~~
Ketchup

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Wed Aug 11, 2010 11:23 pm

Re: Non-Framework Exploits in Professional Tests?

Thanks for the response. I do the same thing :)

I have an OpenBSD VPS ($10/mo with ARP Networks - They ROCK), and I have SSH listening on 443, amongst others. It's pretty nasty as I only get stopped if they're doing application-level inspection or are a deny-all shop and are only allowing specific IPs/URLs.

I used to do port-redirection to TinyProxy until I found out about the ssh -D option. That's been working out great. It's nice for keeping away from eavesdroppers on Hilton's network too.

If all else fails, I can often just get back online once I return to the hotel and prepare for the next day. It'd be nice if work would spring for some sort of air card though.

I think the issue I run into is simply a lack of time. Like this week, I had to perform social engineering, a security assessment with physical inspection, and a pen test in three days. I'm not even going to be able to get all the low-hanging fruit on this one, let alone go after anything more obscure.
The day you stop learning is the day you start becoming obsolete.
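The egress test Ketchup and dynamik describe above (does the client network let a SYN out to an SSH server sitting on 443, 22, or some odd port?), as an added example that is not part of the thread. It is Python rather than a shell one-liner because the point is to tell the three outcomes apart: a completed handshake, a refused connection (the packet left the network, nothing was listening) and a dropped one (the filter ate it). No VPS hostname is built in; it is an assumption supplied on the command line, and the two loopback helpers at the bottom only stand in for that host when there is no network.

```python
"""Egress probe: which outbound TCP ports does the client network let through?

Added example (not from the forum thread). Assumes you control a host
outside the client network (for instance an SSH server listening on 443
and a few other ports) and want to know which of those ports the egress
filter lets a SYN reach. Run it from the test laptop on the client LAN.
"""
import socket
import sys
from typing import Dict, List, Tuple

# Assumption: ports a pentester commonly leaves SSH or a SOCKS endpoint on.
COMMON_EGRESS_PORTS = [22, 53, 80, 443, 3128, 8080]


def probe_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify a TCP connect to host:port.

    'open'     - three-way handshake completed: egress allowed, service up
    'closed'   - RST came back: egress allowed, nothing listening there
    'filtered' - no answer within the timeout (or unreachable): dropped
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except (socket.timeout, OSError):
            return "filtered"


def egress_report(host: str, ports: List[int], timeout: float = 3.0) -> Dict[int, str]:
    """Probe every port in `ports` against `host` and map port -> state."""
    return {port: probe_port(host, port, timeout) for port in ports}


def permitted_egress(report: Dict[int, str]) -> List[int]:
    """Ports on which the SYN left the network (open or refused, not dropped).

    Either state means the filter passed the packet; a refused connection
    just means nothing was listening on the far side.
    """
    return sorted(p for p, state in report.items() if state in ("open", "closed"))


def open_local_listener() -> Tuple[socket.socket, int]:
    """Bind a listener on 127.0.0.1 (self-test helper: simulates an 'open'
    egress port without needing a real VPS)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def free_local_port() -> int:
    """Pick a port on 127.0.0.1 with no listener (simulates 'closed')."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    # Usage: python egress_probe.py <your-vps-host> [port ...]
    # Assumption: the VPS hostname is supplied by the operator; none is built in.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    ports = [int(p) for p in sys.argv[2:]] or COMMON_EGRESS_PORTS
    result = egress_report(target, ports)
    for port in ports:
        print(f"{target}:{port:<5} {result[port]}")
    print("egress permitted on:", permitted_egress(result) or "none")
```

Once the report shows 443 is permitted, dynamik's setup is `ssh -D 1080 -p 443 user@vps` for a local SOCKS proxy. One caveat the probe cannot see: it only checks that the handshake completes, so a proxy doing application-level inspection (the case dynamik mentions) can still tear down the session once it notices the SSH banner on 443.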

Ketchup


Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Thu Aug 12, 2010 1:37 pm

Re: Non-Framework Exploits in Professional Tests?

I hear you! Budget and time constraints are probably one of the biggest challenges. Three days isn't much time.
~~~~~~~~~~~~~~
Ketchup

sil


Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Thu Aug 12, 2010 3:10 pm

Re: Non-Framework Exploits in Professional Tests?

dynamik wrote:
Thanks for the response. I do the same thing :)

If all else fails, I can often just get back online once I return to the hotel and prepare for the next day. It'd be nice if work would spring for some sort of air card though.

Shame on you!... ;)

# one directory per OS, then one per OS flavour/version underneath
mkdir /usr/work/exploits/{linux,bsd,solaris,windows}
mkdir /usr/work/exploits/bsd/{open,net,free}
mkdir /usr/work/exploits/windows/{xp,vista,nt,9x,2003,2008}

I have a large repository of stuff not found on typical sites (exploit-db, packetstorm, etc.) stored in both compiled and uncompiled modes for both x86 and 64-bit under as many operating systems as it's portable to get it running on. I try to find as much exploit code as I can and further divide it into remote/local folders inside the operating system folders. It's a pain but definitely handy in tight situations. Just make sure you hit

It pays to put together a sandbox of most operating systems to test against; I have most operating systems with the exception of things like z/OS, Tru64 and a few others. Each sandbox (VMware, by the way) has a snapshot so I can download w/e I want, unhook the sandbox from the network to avoid it cooking my network/malware (reversed) exploits, run it, fix it if need be, then throw it into the tool kit if it accomplishes what I need.

PITA it is, but it will save you time in the long run. When you need them, plop them on a USB key, re-writeable DVD/CD and instamagic access ;) Who cares if you have no connectivity to download. The downside is sorting them out and trying to fix toasty sploits (ones that don't work, for those unaccustomed to slang).

http://www.0xdeadbeef.info/ (Solaris stuff rocks)
http://inj3ct0r.com/ (wanna be milw0rm)
http://rawlab.mindcreations.com/#exploit
http://www.exploit-db.com/
http://triviasecurity.net/exploits

Best bet to find hardcore PoCs and exploits: follow the coder or mesh another coder's work into your own. Why reinvent wheels ;)

Prematurely hit the save button...

Just make sure you hit "Take Snapshot" ALL the time ;) I've learned this the hard way.
Last edited by sil on Thu Aug 12, 2010 3:12 pm, edited 1 time in total.

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Thu Aug 12, 2010 3:30 pm

Re: Non-Framework Exploits in Professional Tests?

So you're an exploit whore with OCD? ;)

I figured that was the route I was going to have to go. I was just wondering if there was an easier way to acquire and manage everything since that is a major PITA.

I <3 snapshots. I'm a VMware junkie, without a doubt!

I appreciate the response. Also, ISACA *said* they will be emailing results out today or tomorrow.
The day you stop learning is the day you start becoming obsolete.

hayabusa


Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Thu Aug 12, 2010 3:36 pm

Re: Non-Framework Exploits in Professional Tests?

Kind of have to hit the main sites, and download to your heart's content, dynamik, archiving those sploits for rainy days. I do the same, as time and resources permit. Saves a whole lot of time and energy, in the end. Make sure you understand what you're playing with, anytime you're using someone else's sploits from a site you're not used to, however, as I've seen a few people do serious damage because of malware fronted as a sploit. I've been called in after the fact, on quite a few occasions, to explain what someone (not working with me) had done to hork up someone's servers... Nothing like knowing the competition isn't on the ball, though! :P

It's just like having rainbow tables for Windows password security, etc. The more you have, even when you don't need them immediately, the better off you'll be when you DO need them.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH

Ketchup


Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Fri Aug 13, 2010 1:31 pm

Re: Non-Framework Exploits in Professional Tests?

sil wrote:
Shame on you!... ;)

mkdir /usr/work/exploits/{linux,bsd,solaris,windows}
mkdir /usr/work/exploits/bsd/{open,net,free}
mkdir /usr/work/exploits/windows/{xp,vista,nt,9x,2003,2008}

You are absolutely correct.  I need more up to date archives.  I am going to try to make this a project.  I can't tell you how many times I have searched long and hard for some exploit code for a weird service.  Next time I needed to use the same exploit, I ended up searching again.  :)
~~~~~~~~~~~~~~
Ketchup

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Mon Aug 16, 2010 3:18 pm

Re: Non-Framework Exploits in Professional Tests?

I just noticed that Exploit DB provides an Archive. That simplifies things a bit. I really should pay more attention to navigational menus...
The day you stop learning is the day you start becoming obsolete.

ziggy_567


Sr. Member

Posts: 378

Joined: Tue Dec 30, 2008 1:53 pm

Post Mon Aug 16, 2010 3:46 pm

Re: Non-Framework Exploits in Professional Tests?

If I'm not mistaken, the archive gets updated with an 'apt-get upgrade' in BT4. You'll also notice a nifty little script to search through your local copy of the archive in /pentest/exploits/exploitdb.
--
Ziggy


eCPPT - GSEC - GCIH - GWAPT - GCUX - RHCE - SCSecA - Security+ - Network+
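Two things in this thread want the same small tool: sil's per-OS / remote-vs-local directory layout for a local archive, and the local search over the Exploit DB archive copy that ziggy mentions in BT4. The following is an added example, not the BT4 script and not sil's or Exploit DB's code. It assumes the archive's files.csv carries the columns id,file,description,date,author,platform,type,port (the layout of the downloadable archive around 2010; check the header line of the copy you actually fetch). The sample rows are constructed placeholders and describe no real exploit.

```python
"""Offline exploit archive index: search a local Exploit-DB style files.csv
and lay the files out in a per-platform / per-type tree.

Added example, not the BT4 search script or sil's own tooling. Assumes the
files.csv in the downloaded archive has the columns
id,file,description,date,author,platform,type,port (archive layout circa
2010; check the header of the copy you download). The sample rows below are
constructed and describe no real exploit.
"""
import csv
import io
import posixpath
from typing import Dict, Iterable, List, Optional

# Constructed sample in files.csv shape; product names are placeholders.
SAMPLE_FILES_CSV = """\
id,file,description,date,author,platform,type,port
100,platforms/linux/remote/100.c,"sampleftpd 1.0 - remote overflow (constructed)",2009-01-01,nobody,linux,remote,21
101,platforms/windows/local/101.c,"samplesvc 2.0 - local privilege escalation (constructed)",2009-02-01,nobody,windows,local,
102,platforms/solaris/remote/102.pl,"sampletelnetd 3.0 - remote overflow (constructed)",2009-03-01,nobody,solaris,remote,23
103,platforms/windows/remote/103.py,"samplesmb 4.0 - remote overflow (constructed)",2009-04-01,nobody,windows,remote,445
"""

Row = Dict[str, str]


def parse_files_csv(text: str) -> List[Row]:
    """Parse files.csv into dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def search(rows: Iterable[Row], terms: List[str],
           platform: Optional[str] = None, type_: Optional[str] = None) -> List[Row]:
    """Case-insensitive AND search over the description, optionally filtered
    by platform (linux, windows, ...) and type (remote, local, ...)."""
    wanted = [t.lower() for t in terms]
    hits = []
    for row in rows:
        desc = row["description"].lower()
        if not all(t in desc for t in wanted):
            continue
        if platform and row["platform"].lower() != platform.lower():
            continue
        if type_ and row["type"].lower() != type_.lower():
            continue
        hits.append(row)
    return hits


def archive_path(row: Row, root: str) -> str:
    """Where a file lands in the <root>/<platform>/<type>/ tree."""
    return posixpath.join(root, row["platform"], row["type"],
                          posixpath.basename(row["file"]))


def layout_dirs(rows: Iterable[Row], root: str) -> List[str]:
    """Sorted set of directories the tree needs (what `mkdir -p` would create)."""
    return sorted({posixpath.dirname(archive_path(r, root)) for r in rows})


def format_hit(row: Row) -> str:
    """One-line listing, searchsploit style: id, platform, type, port, description."""
    port = row["port"] or "-"
    return f"{row['id']:>6}  {row['platform']:<8} {row['type']:<7} {port:<5} {row['description']}"


if __name__ == "__main__":
    rows = parse_files_csv(SAMPLE_FILES_CSV)
    for hit in search(rows, ["remote", "overflow"], platform="windows"):
        print(format_hit(hit))
    for d in layout_dirs(rows, "/usr/work/exploits"):
        print("mkdir -p", d)
```

Point it at the real files.csv and the search runs with no connectivity at all, which is the whole reason for carrying the archive; the layout_dirs output is the `mkdir` list sil types by hand, derived from the index instead, so a refreshed archive never leaves a platform without a folder.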
