SANS Penetration Testing: Category - Post Exploitation

SANS Penetration Testing:

Awkward Binary File Transfers with Cut and Paste

[Editor's note: Josh Wright spins up another useful blog article about different ways to move files to and from Linux systems. Lots of nice little tricks in this one. Thanks, Josh! --Ed.]

By Josh Wright

Sometimes I find myself with access to a remote Linux or Unix box, with limited opportunity to transfer files to my target. I appreciate the "Living off the Land" mentality and relying on locally-available resources instead of adding tools to my host as much as the next guy (or gal), but sometimes I need a binary to get the job done.

Fortunately, I've been working with Unix and Linux for a long time, and I remember old techniques back when modems made that horrible screeching sound. As long as you have a terminal, you can upload and download files regardless of other network accesswith a little awkwardness.

Encode and Clip


In the example that follows, ...

Using Built-Ins to Explore a REALLY Restricted Shell

By Ed Skoudis and Josh Wright

Josh Wright and I were working on a project recently which involved a target machine with a really restricted shell environment. I'm not talking about a mere rbash with some limits on the executables we could access, but instead a shell so restricted we could not run any binaries at all, save for the shell itself. No ls no cat no netcat we could access very little. It was some sort of ghastly chroot specter.

Still, Josh and I wanted to explore the target machine as much as we could given these shell restrictions. Of course we could have tried escaping our restricted shell (as Doug Stilwell describes in more detail here) and even doing privilege escalation, but before that, we wanted to just look around. Thankfully, we had many shell built-in capabilities we could rely on.

For the uninitiated, shell built-ins are

...

Announcing the Awesome New SANS Brochure Challenge

Here's some fun news. SANS just released a new kind of challenge — one that unfolds from the pages of a SANS brochure itself. Created by Jeff McJunkin and a group of challenge-writing collaborators, we launched it this week with the mailing of the SANS Network Security brochure for the upcoming conference in Las Vegas in October 2014. This challenge will take you across many domains of knowledge, including (but not limited to!): infosec fundamentals, pen testing, digital forensics, steganography, social media, mobile devices, and much, much more, all wrapped up in some geeky fun!

You'll enjoy all these areas and more from the comfort of your brochure (paper or pdf) and local computer, along with everyone's favorite global network, the Internet itself. You'll be able to advance all the way through this challenge from anywhere in the world. If

...

Netcat without -e? No Problem!

by Ed Skoudis

Many pen testers know how to create a reverse backdoor shell with Netcat. But, what do you do if you have a Netcat that doesn't support the —e or —c options to run a shell? And, what if your target doesn't support /dev/tcp? In this article, I'll show you a nifty little work-around using some command-line kung fu with shell redirects.

Background

Netcat is fantastic little tool included on most Linuxes and available for Windows as well. You can use Netcat (or its cousin, Ncat from the Nmap project) to create a reverse shell as follows:

First, on your own pen test machine, you create a Netcat listener waiting for the inbound shell from the target machine:

skodo@pentestbox# nc —nvlp 443

Here, I'm telling Netcat (nc) to not resolve names (-n), to be

...

Using Volume Shadow Copies from Python

[Editor's note: Volume Shadow copies on Windows completely rock. They give administrative tools (and penetration testers) access to all kinds of wonderful things on Windows, including recently deleted files, files with a lock on them, and much more. They are almost like a nifty side channel into the guts of the Windows file system, making it ripe for exploration, research, and pwnage with a heavy does of plundering mixed in for good measure. Mark Baggett has been one of the main gents (along with Tim Tomes) leading the charge in researching how pen testers can use Volume Shadow copies. In this post, Mark shows how you can use Python to interact with Volume Shadow copies, so you can explore them in-depth. After describing how to list, create, and access such copies from Python, he provides a nifty Python script called vssown.py that does all the work for you. I'm hoping that the info Mark provides here inspires readers to start more aggressive analysis of Volume Shadow

...