SANS Penetration Testing

Part 2: Quick and Useful Tricks for Analyzing Binaries for Pen Testers

[Editor's Note: In his previous blog post, Yori Kvitchko provided a bunch of tips penetration testers could use to analyze binary files, focusing on network communications. This time around, Yori looks at application data files, a hugely important source of information that could include passwords, hashes, or other sensitive stuff leaking out of an application. The techniques Yori describes here are some important building blocks for all pen testers to apply to the applications we analyze. --Ed.]

by Yori Kvitchko

This blog post is the second in a series of three blog posts dedicated to quick and useful techniques for analyzing binaries. In my first post, I talked about how penetration testers and other analysts can find and isolate network traffic generated by a binary. This time we'll look at pillaging the various data files

...

Netcat without -e? No Problem!

by Ed Skoudis

Many pen testers know how to create a reverse backdoor shell with Netcat. But, what do you do if you have a Netcat that doesn't support the -e or -c options to run a shell? And, what if your target doesn't support /dev/tcp? In this article, I'll show you a nifty little work-around using some command-line kung fu with shell redirects.

Background

Netcat is a fantastic little tool included on most Linuxes and available for Windows as well. You can use Netcat (or its cousin, Ncat from the Nmap project) to create a reverse shell as follows:

First, on your own pen test machine, you create a Netcat listener waiting for the inbound shell from the target machine:

skodo@pentestbox# nc -nvlp 443

Here, I'm telling Netcat (nc) to not resolve names (-n), to be

...

Intentional Evil: A Pen Tester's Overview of Android Intents

[Editor's Note: Mobile devices, their associated infrastructures, and their juicy juicy apps are a fascinating arena that we pen testers are increasingly called upon to evaluate in target environments. In this article, Chris Crowley zooms in on a particularly important part of Android permissions known as "intents", which help control interprocess communication. Chris describes their features and outlines a process and some tools penetration testers can use to analyze them. --Ed.]

By Chris Crowley

Great pen testers strive to move through target environments seamlessly, transitioning from one platform to another. With more organizations adopting a "bring your own device" approach to mobile platforms without careful enforcement of security, attackers have new avenues for undermining organizations. Even in those organizations that officially forbid personally owned mobile devices, employees still sometimes connect their own devices to their networks

...

The Bad Guys Are Winning, So Now What? Slides

By Ed Skoudis

Below are the slides for my talk called "The Bad Guys Are Winning, So Now What?" It's my most requested talk ever.

In my job, I write two or three new presentations per year, and deliver each of them two or three times at various conferences before retiring the talk and moving onto another topic. My butterfly attention span doesn't let me stay on a particular topic for longer than that. In the past year, I've written talks titled "Please Keep Your Brain Juice Off My Enigma" (Debuted at SANS in Sept 2012 and posted here), "Unleashing the Dogs of Cyber War" (Debuted at BruCON in Sept 2012), and "Kinetic Pwnage: Obliterating the Line Between Computers and the Physical World" (Debuted at SOURCE Boston in April 2013 a week and a half ago).

But, of all the talks I've ever written, there is one that I get more requests for than ever: my talk titled "The Bad Guys Are Winning, So Now What". I originally wrote the talk a couple of years ago, and have

...

SMB Relay Demystified and NTLMv2 Pwnage with Python

By Mark Baggett

[Editor's Note: In this _excellent_ article, Mark Baggett explains in detail how the very powerful SMBRelay attack works and offers tips for how penetration testers can operationalize around it. And, better yet, about 2/3rds of the way in, Mark shows how you can use a Python module to perform these attacks in an environment that uses only NTLMv2, a more secure Windows authentication mechanism. Really good stuff! --Ed.]

The SMB Relay attack is one of those awesome tactics that really helps penetration testers demonstrate significant risk in a target organization; it is reliable, effective, and almost always works. Even when the organization has good patch management practices, the SMB Relay attack can still get you access to critical assets. Most networks have several automated systems that connect to all the hosts on the network to perform various management tasks. For example, software inventory systems, antivirus updates, nightly backups,

...