Category: Infrastructure Security

Hacking a Corporation From the Inside: Internal Penetration Tests

This is one part of a two part series, maybe take a look at Hacking a Corporation From the Outside: External Penetration Tests too!

Introduction

Occasionally I get asked by clients how I approach the technical aspects of a Penetration Test, you know, what are all those little black boxes with green text that I’ve got open on my screen? Also occasionally, when I’m talking to new testers and people interested in becoming a penetration tester, they understand tool use and they often understand the specifics of vulnerabilities but don’t necessarily know how it all goes together.

Additionally, GracefulSecurity.com is filled with information on Infrastructure security, but there’s no guide about how it all fits together!  So I plan here, to write up a step-by-step example of how I go from plugging in to a corporate network and end up leaving that day as a Domain Administrator.

Continue reading: Hacking a Corporation From the Inside: Internal Penetration Tests

Adventures in Anti-Virus Evasion

Preamble

Anti-virus is often the last line of defense to users, the ability to bypass that system is a critical one for Penetration Testers but I’m still not comfortable in giving out a complete walk through as that kind of knowledge offers great advantage to attackers but little benefit to defenders. For me, that’s the ultimate test for ethics: are we assisting defense more than attack, if we are not then the tactic or system is dangerous. Tools like Veil-Evasion often makes evasion trivial the tool is well documented. I will present in this article my findings and research in anti-virus evasion, but will not offer a complete walk through of how to get a zero score on sites like virustotal.com. Consider this an adventure, not a guide.

Continue reading: Adventures in Anti-Virus Evasion

BMC/Numara Track-It! Decrypt Pass Tool

Today during a Penetration Test of a client I came across a piece of software called “Track-It!” by Numara, who was since acquired by BMC. Now this application is used by IT Helpdesks to offer centralised control of assets, so it was definitely worth a look at from a testing point of view. I found an open (Readable by Domain Users) network share on the installation server named “TrackIt” which internally exposed configuration files such as trackit.cfg which contained intersting lines such as:

RemoteInstallPass=AAABASE64HEREAAA==
DomainAdminPass=BBBBASE64HEREBBB==

Continue reading: BMC/Numara Track-It! Decrypt Pass Tool

Introduction to Metasploit

Metasploit is a suite of tools built into a framework which automates and tracks many of the tasks of a penetration test, plus it integrates nicely with other common Penetration Testing tools like Nessus and Nmap. Metasploit was acquired by Rapid-7 in 2009 and there are now commercial variants however the free framework does provide everything you need for a successful Penetration Test from a command-line interface. If you’re curious of the differences Rapid-7 has a page where you can compare the free version against the commercial version here. Metasploit includes port scanners, exploit code, post-exploitation modules – all sorts!#

Continue reading: Introduction to Metasploit