Recently I was conducting an internal penetration test for a client that is part of the financial industry. Since this client is a financial institution they are required to have an independent 3rd party company audit their security once a year per NCUA and FDIC requirements. That’s where I come in, I get paid to hack companies like banks and credit unions. Internal penetration testing is probably one of my favorite engagements to conduct because of the wealth of information you can obtain on an internal network. Devices on the internal network typically do not have firewalls so you have unrestricted access to every port a network device will serve up. There are so many devices on the internal network, and each one tells a story.
During this recent assessment I had brought out my typical attack vectors but was striking out. I typically run Nessus as my primary vulnerability scanner, but like every tool I don’t trust it to be the holy grail. Understanding how a tool works is the best way to get a better understanding of how to find more vulnerabilities in the case that your tools don’t find anything, or malfunction. I’ve met penetration testers that will see zero high risk findings in Nessus and throw up their hands thinking there is no way to penetrate this network. When I see a scan that comes back clean with zero high risk findings, I get excited thinking this one’s gonna be a challenge.
Sitting on this internal network the Nessus scan had completed and came up pretty clean. I brought out my typical arsenal of attacks including but not limited to brute forcing mssql accounts, searching for Apache Tomcat servers that had weak or easily guessable password, sending medusa after the built-in local Administrator account since I enumerated it via null sessions along with the fact this account cannot be locked out by default, nbns_spoofing harvested network hashes but the netLM was disabled leaving me only with netNTLM which is difficult to crack, numerous metasploit auxiliary modules were run along with various other scripts and tools.
It seems that more and more these days I find myself battling head to head against my client’s Antivirus Software. Payloads I encoded to successfully bypass one solution get picked up by another. An executable that walked effortlessly past one AV this week gets stopped dead in its tracks by the very same software build at a different client the week later. This is a frustrating and constant problem for myself and many others I am sure.
The topic of Antivirus avoidance is not a new one by any means. Currently there exist several methodologies that work well and I don’t think anyone (at least no one I know) can respectfully make a claim for a particular method being the De facto standard that works every time.
This article aims to provide some insight into one such method that I have become fond of and has proven quite successful in many of my recent pen tests. I first became aware of the technique by reading This Great Writeup from exploit-db. I’m not sure if the author is responsible for coining the term or not but they refer to this ancient wisdom and all of its magical powers under the alias “Ghost Writing” which I think sounds super cool!
Sometimes when you fill the role of a consultant you never know what type of engagements will be thrown your way. How can you train someone to expect the unexpected with computer security. The topic is so huge, and there is so much to learn in this gigantic sea of knowledge.
Recently I was sent on an engagement in Trinidad while it’s country was in a state of emergency. I had never traveled international before so I was required to get a passport. I had to expedite my passport since I was supposed to be in Trinidad in less than a week. Once the passport arrived, I was smooth sailing; so I thought.
I missed my flight to Trinidad which was supposed to leave Minnesota around 9am CST. I panicked and thought I would never find a flight to Trinidad in time. I called my travel agent and was very surprised to find there was an afternoon flight heading to Trinidad. The only catch was that it had a six hour layover in Newark, New Jersey and the connecting flight to Trinidad was between 12am – 6am EST. I didn’t have any other options at this point, so I took it.