.

How to discover traces of a compromised system

<<

Bushman4u

User avatar

Newbie
Newbie

Posts: 15

Joined: Fri Jul 09, 2010 4:05 pm

Post Fri Feb 11, 2011 6:27 pm

How to discover traces of a compromised system

He folks,

I was wondering about this scenario. You are hired to do pentest and while doing your pentest, you have to successfully compromise the target system (Windows or Linux). You started to look around for Windows, you run sc or sc query commands, net and etc sommands.
How would you know that the target system(s) had been compromised so that you can turn the pentest into investigation/forensic phase, given that fact that you are a pentester pro. not incident handler or forensic invetigator?
Are there specific skills that you need to have being a pentester in order to find traces of a compromised systems?

Your turn, any idea/suggestions?
Certifications: CISSP, GISP, GPEN, GAWN, MCSE, Network+ and A+
<<

Xen

User avatar

Sr. Member
Sr. Member

Posts: 386

Joined: Tue Feb 03, 2009 3:59 am

Post Sun Feb 13, 2011 11:23 pm

Re: How to discover traces of a compromised system

I'm just a college student so I'm not in a position to give any professional advice, but I do remember these SANS intrusion discovery cheatsheets. Lots of good stuff there :)

Intrusion Discovery Cheat Sheet v1.4 for Linux
http://www.sans.org/resources/linsacheatsheet.pdf

Intrusion Discovery Cheat Sheet v1.4 for Windows
http://www.sans.org/resources/winsacheatsheet.pdf
<<

Bushman4u

User avatar

Newbie
Newbie

Posts: 15

Joined: Fri Jul 09, 2010 4:05 pm

Post Mon Feb 14, 2011 1:24 pm

Re: How to discover traces of a compromised system

Thanks to everyone who has responded to this and your links to other sites.
However, I am thinking here purely on the prospective of a pentester doing his job without any knowledge of a breached on the network.

Also, when looking around after he compromised the target system, he is looking to further escalate privileges, delve deeper into the system but before doing all of these, he wanted to make sure that he is not contaminating any previous compromised by the real bad guy.

Is there any commands for him to run to verify previous breach? If rules of engagment allow, what tools could he utilize to determine any previous compromised?

Does this little explanation help in understanding what I am saying?

Any idea/suggestions would be appreciated.
Certifications: CISSP, GISP, GPEN, GAWN, MCSE, Network+ and A+
<<

cd1zz

User avatar

Recruiters
Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Mon Feb 14, 2011 2:31 pm

Re: How to discover traces of a compromised system

There is nothing that I know of that when you double click it will shout at you that "this system has been compromised." Your client antivirus would be the closest I can think of. You're in the realm of investigation here.

I would start with the basic stuff.... Do a netstat and see what connections there are, do any of them look goofy? IE Do you see an https connection from the domain controller out to an IP in China? Use FPORT to see what processes are making what connections. Do you see any weird processes in taskmanager? Do you see imstealingallyourstuff.exe in taskmgr? Things like this would be a good place to start. Other than that you would have to look at an IDS, packet capture etc. Those links above are really what you want to look at....

If the system has been compromised well enough......you wont ever know.... muuuahhhaa.
<<

T_Bone

Full Member
Full Member

Posts: 199

Joined: Sat Feb 21, 2009 7:11 am

Post Tue Feb 15, 2011 6:53 am

Re: How to discover traces of a compromised system

Check out the paper at the link below. This maybe an interesting read for you

http://labs.mwrinfosecurity.com/files/P ... Breach.pdf
<<

ziggy_567

User avatar

Sr. Member
Sr. Member

Posts: 378

Joined: Tue Dec 30, 2008 1:53 pm

Post Tue Feb 15, 2011 7:09 am

Re: How to discover traces of a compromised system

My thought is that as a pentester, you do not have the knowledge of the system to make a determination as to whether its been compromised and your efforts are better suited to other pursuits.

Unless someone has left a text file on the Desktop saying "You've been pwned.", I'd say its not in your lane. However, in the rare case that you do come across a system that has obviously been pwned, I'd immediately alert my POC and move on.

Besides....if you're on the console of the machine, haven't you already given proof that the machine has likely been compromised? That's kinda' the point of the pentest - to find and exploit vulnerabilities...
--
Ziggy


eCPPT - GSEC - GCIH - GWAPT - GCUX - RHCE - SCSecA - Security+ - Network+

Return to Network Pen Testing

Who is online

Users browsing this forum: No registered users and 2 guests

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software