SANS Penetration Testing

Custom Payloads in Metasploit

[Editor's Note: Mark Baggett shares some useful insights into delivering custom payloads using Metasploit, with a little Python magic to boot! --Ed.]

By Mark Baggett

You launch your Metasploit exploit. It looks like it is working but no session is created. What happened? Your exploit just got popped by antivirus software. Such a bummer. Antivirus software is a hurdle that you have to overcome as a penetration tester, modeling the techniques of the real-world bad guys. The best way to avoid antivirus software is to stop using a payload that someone else created. Time and time again, penetration testers find they have a basic need to use custom payloads.

Create your own custom payload, and then you won't have to worry about an AV signature catching your payload and eating it! It is easy, and it gives you the flexibility to go after any target. There are lots of tools and articles to help you do so, including the

...

EXTRA EXTRA! The New SANS Pen Test Poster

Extra! Extra! Read all about it! This week, many of you will be receiving our brand-spankin' new SANS Pen Test Poster in the mail. Please be on the lookout, because it's got some really cool stuff on attack surfaces, tools, and techniques. It's included in the mailing with the SANS Security West brochure.


The poster is chock full of some really nifty pen test advice from some of the best pen testers I know, including:

Tim Medin
Seth Misenar
Larry Pesce
Justin Searle
Steve Sims
John Strand
Josh Wright

The poster includes several sections. On one side, we've got a description of the SANS

...

2014 SANS Holiday Hack Winners and Official Answers

[Editor's Note: Every year for eleven seasons now, SANS creates a Holiday Hack challenge for you to build your skills with real-world infosec tools and techniques, all the while having some good holiday-inspired fun, for everyone to participate in, no charge at all. If you haven't checked out our most recent SANS Holiday Hack Challenge, you should definitely read through it. This year's challenge was written by Ed Skoudis and Josh Wright, with support from Tom Hessman and the vocal stylings of James Lyne. We'll keep the challenge itself, the target servers, and the file system image available for as long as possible, so you can continue to work through it, either on your own, or referencing the official answers cited below. Have fun!!! Following immediately below is our official announcement of winners and answers. --Ed.]

Lynn Cratchit emerged from the rather toasty

...

How Pen Testers Can Deal with Changes to Android SD Card Permissions

By Lee Neely & Chris Crowley

Recent updates to the Android OS have changed the permission model for external storage, and these changes will likely impact the way pen testers assess the actions and corresponding risks associated with applications, both malicious and benign, particularly when analyzing how they interact with external storage.

Consider this scenario: You are provided an application from an unknown third party to assess. Your assignment is to assess both the behavior and trustworthiness of the application. Because of the permission model changes, the application behaves differently when trying to access external storage than it would have in earlier releases of the Android OS.

In this article, we'll provide information on how the permission model changed and some tips and techniques you can leverage when you are assessing an application in your next Android pen test.

What changed?

There were two changes ...

PHP Weak Typing Woes -- With Some Pontification about Code and Pen Testing

By Josh Wright

The other day I was reading Jos Wetzels' post on the Full Disclosure mailing list regarding a vulnerability in the open source social networking kit HumHub. One of the issues he pointed out was a PHP 'type juggling' attack in which an attacker can force a password reset against HumHub for a user many times until a specific value is selected that reduces the password entropy (uniqueness), allowing her to access accounts without authorization.

I have not previously worked with HumHub, but the illustrative code Jos pointed out was intriguing (press CTRL+D to end input to cat after the closing PHP ?> tag):

$ cat >bahhumhubbug.php 
<?php
if (md5('240610708') == md5('QNKCDZO')) { print "Yes, these are the same ...
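The comparison above, worked through as an added example that is not part of Josh's post or of HumHub's code. The two inputs are the ones from the snippet: md5('240610708') is 0e462097431906509019562988736854 and md5('QNKCDZO') is 0e830400451993494058024219903391, so each digest is the string "0e" followed only by digits, which PHP's loose == operator reads as the float 0 * 10^N. The helper function names are mine and are not HumHub's; the block contrasts the juggled check with a hardened one that uses === semantics via hash_equals().

```php
<?php
// Added example, not code from the original post or from HumHub.
// Both inputs below have MD5 digests of the form "0e" followed only by
// digits. PHP's loose comparison (==) treats two such numeric strings as
// floats (0 * 10^N), so two different digests compare equal.

// Vulnerable check (hypothetical helper name): == juggles both digests
// to numbers before comparing them.
function token_matches_loose(string $stored, string $supplied): bool
{
    return md5($stored) == md5($supplied);
}

// Hardened check (hypothetical helper name): hash_equals() compares the
// two strings byte for byte, in constant time, and never coerces them
// to numbers. A plain === comparison would also stop the juggling, but
// hash_equals() additionally avoids a timing side channel.
function token_matches_strict(string $stored, string $supplied): bool
{
    return hash_equals(md5($stored), md5($supplied));
}

// Flag a digest that == will read as zero: "0e" followed only by digits.
function is_magic_hash(string $digest): bool
{
    return preg_match('/^0e[0-9]+$/', $digest) === 1;
}

// Constructed inputs, taken from the snippet above.
$a = '240610708';
$b = 'QNKCDZO';

printf("md5('%s') = %s\n", $a, md5($a));
printf("md5('%s') = %s\n", $b, md5($b));

// Both digests match the magic-hash pattern ...
var_dump(is_magic_hash(md5($a)), is_magic_hash(md5($b)));

// ... so the loose check accepts the mismatched pair, while the strict
// check rejects it.
var_dump(token_matches_loose($a, $b));
var_dump(token_matches_strict($a, $b));
```

Run it with the PHP CLI (php magic_md5.php, any file name you like). The point for a code review or a pen test is the operator: any place a secret, token or digest is compared with == rather than === or hash_equals() is a candidate for this class of bypass, and the is_magic_hash() pattern above is a quick way to check whether a given digest happens to be one of the values that collide under loose comparison.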