Blog: SANS Penetration Testing: Category - Post Exploitation

Blog: SANS Penetration Testing:

Announcing the Awesome New SANS Brochure Challenge

Here's some fun news. SANS just released a new kind of challenge — one that unfolds from the pages of a SANS brochure itself. Created by Jeff McJunkin and a group of challenge-writing collaborators, we launched it this week with the mailing of the SANS Network Security brochure for the upcoming conference in Las Vegas in October 2014. This challenge will take you across many domains of knowledge, including (but not limited to!): infosec fundamentals, pen testing, digital forensics, steganography, social media, mobile devices, and much, much more, all wrapped up in some geeky fun!

You'll enjoy all these areas and more from the comfort of your brochure (paper or pdf) and local computer, along with everyone's favorite global network, the Internet itself. You'll be able to advance all the way through this challenge from anywhere in the world. If

...

Netcat without -e? No Problem!

by Ed Skoudis

Many pen testers know how to create a reverse backdoor shell with Netcat. But, what do you do if you have a Netcat that doesn't support the —e or —c options to run a shell? And, what if your target doesn't support /dev/tcp? In this article, I'll show you a nifty little work-around using some command-line kung fu with shell redirects.

Background

Netcat is fantastic little tool included on most Linuxes and available for Windows as well. You can use Netcat (or its cousin, Ncat from the Nmap project) to create a reverse shell as follows:

First, on your own pen test machine, you create a Netcat listener waiting for the inbound shell from the target machine:

skodo@pentestbox# nc —nvlp 443

Here, I'm telling Netcat (nc) to not resolve names (-n), to be

...

Using Volume Shadow Copies from Python

[Editor's note: Volume Shadow copies on Windows completely rock. They give administrative tools (and penetration testers) access to all kinds of wonderful things on Windows, including recently deleted files, files with a lock on them, and much more. They are almost like a nifty side channel into the guts of the Windows file system, making it ripe for exploration, research, and pwnage with a heavy does of plundering mixed in for good measure. Mark Baggett has been one of the main gents (along with Tim Tomes) leading the charge in researching how pen testers can use Volume Shadow copies. In this post, Mark shows how you can use Python to interact with Volume Shadow copies, so you can explore them in-depth. After describing how to list, create, and access such copies from Python, he provides a nifty Python script called vssown.py that does all the work for you. I'm hoping that the info Mark provides here inspires readers to start more aggressive analysis of Volume Shadow

...

Putting the MY in phpMyAdmin

[Editor's note: In this article, Tim Medin walks us through a few steps of a recent pen test he did, wherein he exploits phpMyAdmin. The best part of this write up is that he shows the mindset of a pen tester as he methodically attacks the target system step by step. In the process, he provides some good insight into exploiting PHP flaws via a MySQL instance running on a Windows target as well. Nice! --Ed.]

A wee time ago on a pen test not far, far away, I was looking for that first toehold; the first shell that split the test wide open; my entry into the target; the toe in the door; the camel's nose in the tent; the first part of the whatever that gets into there wherever that it shouldn't be in the first place. I kicked off an nmap sweep using the http-enum script, in hopes of finding an interesting web server with an even more interesting set of directories. Here is my command:

$ nmap -sT -T3 -PS80,443,8000,8443,8800 -p 80,443,8000,8443,8080   ...

A Penetration Tester's Pledge

by Ed Skoudis

Over the weekend, I was thinking about the wonderful psexec capabilities of tools like Metasploit, the Nmap Scripting engine smb-psexec script, and the psexec tool itself from Microsoft Sysinternals. It's my go-to exploit on Windows targets, once I have gained SMB access and admin credentials (username and password, or username and hash for pass-the-hash attacks). It works on a fully patched Windows environment, giving you code execution with local system privileges of a program or Metasploit payload of your choice. That's especially helpful in a penetration test once you gain access to an internal network that is relatively well patched. We talk a lot about how to leverage this capability creatively and effectively in my SANS 560 course on Network

...