RE: pen test help please asap

From: Dawes, Rogan (ZA - Johannesburg) (rdawes@deloitte.co.za)
Date: 01/11/02


From: "Dawes, Rogan (ZA - Johannesburg)" <rdawes@deloitte.co.za>
To: "'Kimberly S.'" <kimsehhing@hotmail.com>, pen-test@securityfocus.com, focus-ms@securityfocus.com
Date: Fri, 11 Jan 2002 09:30:28 +0200

What I have found to be the simplest way of confusing Virus scanners is to
compress the file, using one of the "PKLite" style self-decompressing
executable tools.

i.e.

Take BackOrifice 2000, build it and link it with your config.
Run it - Virus scanner busts you.
Run upx on the file.
Run the result - no virus scanner

Rogan

http://upx.sourceforge.net/

> -----Original Message-----
> From: Kimberly S. [mailto:kimsehhing@hotmail.com]
> Sent: 10 January 2002 10:28
> To: pen-test@securityfocus.com; focus-ms@securityfocus.com
> Subject: pen test help please asap
> Importance: High
>
>
> Hi all,
>
> I am currently working on a no holds barred pen test that includes social
> engineering.
> As such, I intend to get a trojan installed onto the client's network via
> email or autostarting CDROM, but want something that is going to not be
> caught by AV software (they say they have Norton AV enterprise wide).
> I was hoping that someone out there in pen test land already had developed
> something of the same ilk and could save me some time by sending me a copy
> or linking to something I could use.
>
> Features desired are:
>
> 1>>
> Machine A on client site makes a configurable encrypted OUTBOUND connection
> to Machine B. Desire a netcat type outbound connection on port 80 that will
> detect and use the client's existing Internet Browser proxy settings. Once
> the connection is made to the outbound host (Machine B), an SMTP mail will be
> sent out to notify that it is active. At that point I want to be able to
> connect to machine B from Machine C and leverage that outbound tunnel from
> Machine A to get back into the organization, and have a remote command prompt
> and/or remote desktop control of the target (Machine A).
>
> -------------------------------
> |                             |
> |      My slave system        |
> |      (machine B)            |
> -------------------------------
>              /|\
>              /|\
>               |
>               |
>    Port 80 / 443 encrypted SSH
>     connection or equivalent
>               |
>               |
> -------------------------   -------------------------
> |                       |   |                       |
> |  Client Target sys    |   |  my control system    |
> |  (machine A)          |   |  (machine C)          |
> -------------------------   -------------------------
>
>
>
> 2>> Source code available so I can confirm no "hidden extras" ;-)
>
> 3>> Autoinstalls on machine A by leveraging a bug in IE or Outlook if
> possible; tho not essential
>
> 4>> Attached to some joke or funny, so the recipient is not suspicious
>
> 5>> Not detected by AV software
>
> 6>> Detects OS; installs as a SERVICE on NT/Win2k/XP systems, else in the
> Run sections of HKLM on Win9x
>
> 7>> Installs at the same level as TinyFirewall or ZoneAlarm, and thus will
> bypass these products (if possible)
>
> 8>> Incorporate a keystroke or screen capture element (if possible)
>
>
>
> I know this is quite a tall order; really the most important element is that
> Machine A makes the outbound connection, and that the traffic at least looks
> a bit like HTTP and it survives a reboot.
>
> Any help would be *so* appreciated!
>
> Sincerely
> Kimberly
>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
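Rogan's observation is that a runtime packer such as UPX hides the original code from a signature-based scanner, because what is on disk is the compressed payload plus a small decompression stub. The flip side, for the defender, is that packing leaves its own marks: the stock UPX stub writes sections named UPX0/UPX1/UPX2, and compressed data has byte entropy close to the 8 bits/byte maximum, unlike ordinary code and strings. The following Python is an added example (not code from this thread or from the UPX project) of a heuristic triage check for packed Windows executables: it walks the PE section table and flags known packer section names and any section whose entropy crosses an assumed 7.0 bits/byte threshold. The two PE samples are constructed inline (DOS header, PE header, section table and section bodies only; they are not runnable programs) purely to exercise the parser.

```python
import math
import random
import struct

# Section names written by the stock UPX stub (trivially renamed by a rebuilt stub).
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
# Assumed cut-off: compressed or encrypted data sits near 8.0 bits/byte, code and
# text typically well below 6.5.
HIGH_ENTROPY_BITS = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts if c)


def parse_sections(pe: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table; yield (name, raw bytes)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", pe, coff + 2)   # NumberOfSections
    opt_size, = struct.unpack_from("<H", pe, coff + 16)      # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    for i in range(num_sections):
        entry = table + 40 * i                               # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[entry:entry + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, entry + 16)  # SizeOfRawData, PointerToRawData
        yield name, pe[raw_ptr:raw_ptr + raw_size]


def scan_pe(pe: bytes) -> dict:
    """Return per-section stats plus the packer-name and high-entropy hits that drive 'suspicious'."""
    report = {"sections": [], "packer_names": [], "high_entropy": []}
    for name, body in parse_sections(pe):
        label = name.decode("ascii", "replace")
        ent = round(shannon_entropy(body), 2)
        report["sections"].append((label, len(body), ent))
        if name in PACKER_SECTION_NAMES:
            report["packer_names"].append(label)
        if body and ent >= HIGH_ENTROPY_BITS:
            report["high_entropy"].append(label)
    report["suspicious"] = bool(report["packer_names"] or report["high_entropy"])
    return report


def build_sample_pe(sections) -> bytes:
    """Constructed PE skeleton (headers + section table + bodies) for testing the scanner only."""
    opt_size = 224                                           # PE32 optional header size, left zeroed
    n = len(sections)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                    # e_lfanew -> PE header right after DOS stub
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x102)
    data_ptr = 64 + 4 + 20 + opt_size + 40 * n               # first byte after the section table
    table, bodies = bytearray(), bytearray()
    for name, body in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"),
                             len(body), 0x1000, len(body), data_ptr + len(bodies),
                             0, 0, 0, 0, 0x60000020)
        bodies += body
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + bytes(table) + bytes(bodies)


# Constructed samples: an unpacked-looking image and a UPX-style layout (UPX0 is
# virtual-only with no raw data, UPX1 carries the compressed payload).
_rng = random.Random(2002)
PLAIN_SAMPLE = build_sample_pe([
    (b".text", b"\x00" * 1500 + b"\x90" * 500),
    (b".data", b"hello, world\0" * 100),
])
PACKED_SAMPLE = build_sample_pe([
    (b"UPX0", b""),
    (b"UPX1", bytes(_rng.getrandbits(8) for _ in range(4096))),
    (b".rsrc", b"\x00" * 512),
])

if __name__ == "__main__":
    for tag, sample in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(tag, scan_pe(sample))
```

Two caveats belong with any use of this. Section names are a weak signal on their own, since a rebuilt stub can call them anything, so the entropy measure (and, in a fuller tool, an unusually tiny import table or an entry point outside the first section) is what carries the check. And a packed file is not a malicious file: plenty of legitimate installers and games ship packed, so the output is a triage flag that tells the analyst where to look, not a verdict.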


