In this day and age everyone is worried about the insider threat. An internal penetration test doesn’t really test what would happen if your janitor got paid 50 bucks to put a USB stick in one of your servers, and external penetration tests are never scoped for that sort of testing. So what is a company to do? How can they know what the risk is? The answer? Usually they guess or assume, mostly because they are scared to find out, it’s happened to them before, or one of a million other justifications.
[UPDATE] This module (enum_delicious) has been pulled from Metasploit since Delicious no longer allows searching by site. In the last post I showed off how Archive.org’s Wayback Machine can be used to pull URLs for a domain; another place where URLs are stored and can be searched by domain is Delicious.com (a bookmarking service). I’ve seen people bookmark everything from internal web portals to URLs with special no-auth passwords in them.
Archive.org allows you to check the history of sites and pages, but a service most are not aware of is one that lets you get a list of every page that Archive.org has for a given domain. This is great for enumerating web applications; many times you’ll find parts of web apps that have been long forgotten (and usually vulnerable). This module doesn’t make any requests to the targeted domain; it simply outputs a list, to the screen or to a file, of all the pages it has found on Archive.org.
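The same enumeration, written here as an added example in Python rather than the Metasploit module’s own code: it builds a query against the Wayback Machine’s CDX API (the `url`, `fl`, `collapse` and `output` parameters are the documented ones), parses the JSON answer into a deduplicated URL list, and counts URLs per top-level path so forgotten areas such as `/old` or `/admin` stand out. Only archive.org is ever contacted. The `SAMPLE_CDX` response below is constructed so the parser runs offline; `example.com` is a placeholder.

```python
import json
import urllib.parse
import urllib.request
from collections import Counter

# Wayback Machine CDX API endpoint. Every request goes to archive.org,
# never to the target domain, which is the point of this enumeration step.
CDX_ENDPOINT = "http://web.archive.org/cdx/search/cdx"


def cdx_query_url(domain):
    """Build the CDX query for every archived URL under `domain`.

    fl=original returns only the captured URL, collapse=urlkey drops
    repeated captures of the same URL, output=json gives a JSON array
    whose first row is the column header.
    """
    params = {
        "url": domain + "/*",
        "fl": "original",
        "collapse": "urlkey",
        "output": "json",
    }
    return CDX_ENDPOINT + "?" + urllib.parse.urlencode(params)


def parse_cdx_json(text):
    """Turn a CDX JSON response into an ordered list of unique URLs."""
    rows = json.loads(text)
    if not rows:
        return []
    header, body = rows[0], rows[1:]
    col = header.index("original")
    seen, urls = set(), []
    for row in body:
        url = row[col]
        if url not in seen:  # dedupe defensively; collapse is not guaranteed
            seen.add(url)
            urls.append(url)
    return urls


def top_level_paths(urls):
    """Count URLs per first path segment (e.g. '/admin') to spot forgotten areas."""
    counts = Counter()
    for url in urls:
        path = urllib.parse.urlsplit(url).path.strip("/")
        counts["/" + path.split("/")[0] if path else "/"] += 1
    return counts


def fetch_wayback_urls(domain, timeout=60):
    """Query archive.org and return the unique URLs it holds for `domain`."""
    with urllib.request.urlopen(cdx_query_url(domain), timeout=timeout) as resp:
        return parse_cdx_json(resp.read().decode("utf-8"))


# Constructed sample response (not real CDX data) so the parser runs offline.
SAMPLE_CDX = json.dumps([
    ["original"],
    ["http://example.com/"],
    ["http://example.com/admin/login.php"],
    ["http://example.com/old/backup.zip"],
    ["http://example.com/admin/login.php"],
    ["https://example.com/api/v1/users"],
])


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    urls = fetch_wayback_urls(target) if target else parse_cdx_json(SAMPLE_CDX)
    for url in urls:
        print(url)
    print(top_level_paths(urls).most_common())
```

Run it with a domain as the first argument to query archive.org, or with no argument to see the parser work on the constructed sample. Large sites return hundreds of thousands of rows, so in practice you would also pass CDX paging parameters or filter by status code; those are left out here.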
Most malicious IP lists focus on the client-side threat, where servers (hosted or compromised) serve client-side exploits or malicious scripting. These don’t really help server admins very much. Project Honeypot does an amazing job of keeping detailed information on scanners, harvesters and brute forcers, the likes of which are the daily enemy of said admins. They offer a service called the HTTP Block List, or ‘HTTP:BL’. Another way this list differs from the rest is that it isn’t a list you can download; you query it one IP at a time over DNS.
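An added example (not Project Honeypot’s code) of what such a per-IP query looks like in Python. The lookup name is the access key, the visitor’s IPv4 address with its octets reversed, and the zone `dnsbl.httpbl.org`; a listed address answers with `127.<days since last activity>.<threat score>.<visitor type>`, where the last octet is a bitmask (1 suspicious, 2 harvester, 4 comment spammer, 0 search engine), and an unlisted one returns NXDOMAIN. The access key `abcdefghijkl`, the addresses and the answers in the tests are placeholders; `should_block` is an example policy, not something the service prescribes.

```python
import socket

HTTPBL_ZONE = "dnsbl.httpbl.org"

# Visitor type is a bitmask in the last octet of the answer.
VISITOR_TYPES = {1: "suspicious", 2: "harvester", 4: "comment spammer"}


def httpbl_query_name(access_key, ip):
    """Build the DNS name for a lookup: <key>.<reversed ip>.dnsbl.httpbl.org."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("HTTP:BL only covers IPv4 addresses: %r" % ip)
    return "%s.%s.%s" % (access_key, ".".join(reversed(octets)), HTTPBL_ZONE)


def decode_httpbl(answer):
    """Decode a 127.x.y.z answer into days since last seen, threat score and types."""
    first, days, score, vtype = (int(o) for o in answer.split("."))
    if first != 127:
        raise ValueError("unexpected HTTP:BL answer: %s" % answer)
    if vtype == 0:
        # Search engines: the third octet identifies the engine, not a threat score.
        return {"listed": True, "days": days, "score": 0,
                "types": ["search engine"], "engine_id": score}
    types = [name for bit, name in VISITOR_TYPES.items() if vtype & bit]
    return {"listed": True, "days": days, "score": score, "types": types}


def lookup(access_key, ip):
    """Resolve the HTTP:BL name for `ip`. NXDOMAIN means the IP is not listed."""
    try:
        answer = socket.gethostbyname(httpbl_query_name(access_key, ip))
    except socket.gaierror:
        return {"listed": False}
    return decode_httpbl(answer)


def should_block(result, min_score=25, max_days=7):
    """Example policy: block only recent, well-scored, non-search-engine sources."""
    if not result.get("listed") or "search engine" in result["types"]:
        return False
    return result["score"] >= min_score and result["days"] <= max_days


if __name__ == "__main__":
    import sys
    key, ip = sys.argv[1], sys.argv[2]  # usage: script.py <access key> <ip>
    result = lookup(key, ip)
    print(result, "block" if should_block(result) else "allow")
```

Thresholds matter here: the threat score grows with observed abuse and the first octet ages the entry, so blocking on “listed at all” will also drop search engine crawlers and long-dormant addresses; the policy above keys on both score and recency.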
This is definitely not my content, but I did want to highlight the talk Nicholas gave at NoVA Hackers this last November. Nicholas B. gives a talk about SSH Patching for Offensive and Defense at NoVA Hackers, November 2010. http://twitter.com/nberthaume http://novahackers.blogspot.com/2010/10/november-meeting-monday-nov-15th-2010.html
Uninstallation is not new. Deleting and removing things on a box you own isn’t new. This method, and how to do it remotely, was posted in Feb 2007. But I didn’t know how to do it, and I thought it was hilarious, so I made a video:
“There is no stupid question” but, if it doesn’t meet this checklist, it’s officially a time-wasting one.
Acceptable questions checklist:
1. Have I tried it?
2. Have I checked the manual, wiki, or forum?
3. Have I googled and searched for an answer?
All marks must be achieved before a question is asked, unless the target of the question is getting paid to answer the source’s inquiries. The “Have I tried it” mark can only be skipped in the case of life-threatening actions. A PDF version is available upon request.
Revenge of the Bind Shell from Practical Exploitation on Vimeo. BACKGROUND At the April 2010 NoVA Hackers meeting I discussed some of the offensive uses of IPv6 on current networks. Well, around that time Microsoft issued a patch to all of the supported versions of Windows that broke my methodology. Obviously I wasn’t the only one doing this ;-) Before I get ahead of myself, let’s explain what Teredo is.
This is part one in a series of presentations I will be giving at the NoVAHackers meetings on forensics of all kinds, as they can be leveraged in a penetration test. Memory Forensics for Pentesters: Firefox from Rob Fuller
When you first step onto a machine, you want to determine quickly whether you are just a user or an administrator. Meterpreter doesn’t have a way to check this quickly. You could drop to a shell, list the members of the local “Administrators” group, list your own user’s groups, and correlate any groups shared between the two outputs. You could run ‘getsystem’ and see whether any technique other than Kitrap0d succeeds, since the other techniques only work when you already hold administrative rights. You could also just run ‘ps’ and notice whether the ‘SYSTEM’ processes show their user, which an unprivileged user can’t read.
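The shell-output correlation described above, as an added example in Python rather than anything from the original post: it parses the output of `whoami /groups` and `net localgroup administrators`, reports direct membership, membership through a shared group, and whether the `BUILTIN\Administrators` SID (`S-1-5-32-544`) is actually enabled in the current token or only present as “Group used for deny only”, which is what a UAC-filtered admin token looks like. Both sample outputs, the user `CORP\jdoe` and the group names are constructed; the column layout assumed by the regex is the standard `whoami /groups` table, with columns separated by two or more spaces.

```python
import re

ADMIN_SID = "S-1-5-32-544"  # BUILTIN\Administrators, identical on every Windows host

# One row of the `whoami /groups` table: name, type, SID, attributes (2+ spaces between columns).
_GROUP_LINE = re.compile(r"^(\S.*?)\s{2,}(\S.*?)\s{2,}(S-1-[\d-]+)\s+(.*)$")


def parse_whoami_groups(text):
    """Map group name -> {sid, attributes} from `whoami /groups` output."""
    groups = {}
    for line in text.splitlines():
        m = _GROUP_LINE.match(line.rstrip())
        if m:
            groups[m.group(1).strip()] = {"sid": m.group(3), "attributes": m.group(4).strip()}
    return groups


def parse_net_localgroup(text):
    """Return the member names listed by `net localgroup administrators`."""
    members, in_list = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("----"):
            in_list = True
            continue
        if line.startswith("The command completed"):
            break
        if in_list and line:
            members.append(line)
    return members


def admin_check(user, whoami_groups_out, net_localgroup_out):
    """Correlate the two outputs for `user` (as printed by `whoami`, e.g. CORP\\jdoe)."""
    groups = parse_whoami_groups(whoami_groups_out)
    members = {m.lower() for m in parse_net_localgroup(net_localgroup_out)}
    # Local accounts and groups are listed without a host prefix; compare those on the bare name.
    # (A domain principal with the same bare name as a local one would false-positive here.)
    unqualified = {m for m in members if "\\" not in m}

    def is_member(name):
        n = name.lower()
        return n in members or ("\\" in n and n.split("\\", 1)[1] in unqualified)

    token = "absent"
    for g in groups.values():
        if g["sid"] == ADMIN_SID:
            token = "deny_only" if "deny only" in g["attributes"].lower() else "enabled"
    return {
        "direct_member": is_member(user),
        "via_groups": sorted(g for g in groups if is_member(g)),
        "admin_token": token,
    }


def verdict(result):
    """One line a pentester actually wants to read."""
    if result["admin_token"] == "enabled":
        return "admin: the current token carries BUILTIN\\Administrators"
    if result["admin_token"] == "deny_only":
        return "admin, but the token is UAC-filtered: elevate before expecting admin rights"
    if result["direct_member"] or result["via_groups"]:
        return "member of Administrators, but the group is not in the current token"
    return "not admin"


# Constructed sample outputs (not captured from a real host).
SAMPLE_WHOAMI_GROUPS = r"""
GROUP INFORMATION
-----------------

Group Name              Type              SID                            Attributes
======================= ================= ============================== ==================================================
Everyone                Well-known group  S-1-1-0                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators  Alias             S-1-5-32-544                   Group used for deny only
BUILTIN\Users           Alias             S-1-5-32-545                   Mandatory group, Enabled by default, Enabled group
CORP\helpdesk           Group             S-1-5-21-1111-2222-3333-1107   Mandatory group, Enabled by default, Enabled group
"""

SAMPLE_NET_LOCALGROUP = r"""Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\Domain Admins
CORP\helpdesk
The command completed successfully.
"""

if __name__ == "__main__":
    result = admin_check(r"CORP\jdoe", SAMPLE_WHOAMI_GROUPS, SAMPLE_NET_LOCALGROUP)
    print(result)
    print(verdict(result))
```

The “deny only” case is the one that bites: the user is in Administrators, the shared-group correlation says so, but nothing run from that shell will get admin rights until the token is elevated. Feeding real output into `admin_check` is a matter of running the two commands from a Meterpreter shell and pasting the text.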