Re: Email Pen-testing

hwertz_at_voltron.homelinux.org
Date: 03/22/04

    Date: Sun, 21 Mar 2004 18:38:38 -0600 (CST)
    To: pen-test@securityfocus.com
    
    

    > Doing a pen-test for a small bank which was proving very difficult to
    > get it. A friend of mine suggested I send a backdoor trojan attachment
    > via an email. If they clicked on it, the backdoor performs maybe a
    > boxscan, grab passwords, and connects out to the Internet. --Much like
    > a virus.
    *cut*
    > I spoke with a previous customer of mine about the idea. He said he
    > would be very upset if he was not told prior to that type of test as
    > part of normal pen-testing.
    *cut*
    > What's your ideas on the email pen-testing?

         I would certainly not send a worm that sends out passwords or do a
    box scan or anything (without previous permission). I would consider
    sending an attachment that "phones home" with IP and perhaps some
    identifiable info (like the E-Mail addr of the person if they're running
    Outlook, or NetBIOS machine name or something.) The extra info would be
    so if they're behind NAT or on DHCP, it'll help narrow down the source of
    trouble. I would not have the executable even install, just have it
    execute once in RAM. I would feel free to use any Outlook exploits to
    attempt to force execution though.

         Then if you do get some IPs etc. sent back, you can put in your
    report that your attachment was harmless but people (or unpatched
    software) automatically running attachments can cause a leak of passwords,
    backdoors installed, etc. I don't think you need to actually *get*
    passwords to show this 8-).


