Yesterday I was invited to meet my friend Matt, who was recently fired by an overbearing manager, at some bar near a local university, and fell to talking with his roommate. Said roommate, I think, is a network admin, based on what follows. I told him about the incredibly challenging pentest from several weeks back, when my colleague and I encountered what is basically the "doomsday" scenario: several FireEye devices, plus some much more advanced hardware or software solution, blocked every exploit we tried to throw against the multitude of open ports and vulnerabilities we found. There were even two hosts with MS08-067! But nada. Even when we used Veil-Evasion to obfuscate the payloads, it still didn't work.
So Roommate suggested overlapping packets, with something such as Scapy, i.e. taking the payload and running it through Scapy to obfuscate it, then relying on the application layer of the receiving end to properly reassemble the packets, to the receiving end's detriment. Google shows a few results about dropping malformed packets in security recommendations.
Certainly interesting. Roommate then discussed some stuff he was thinking about to obfuscate payloads or exploits from VirusTotal.
Another cool tip he offered was to always examine the TTL values of packets, because you can identify operating systems and even versions based off the TTL values. Roommate said that he's the type of person who will change X-Proxy-By responses to pretend a Linux server is a Windows server, etc, but TTL values don't lie. So if Wireshark says it's one thing, but something's fishy, look at the TTL values. Wireshark actually has a TTL-breakdown in the Statistics dropdown, to group all packets by TTL (0-5, 5-20, whatever).
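To make the TTL tip concrete, here is a small added example of my own (not something Roommate showed me, and not Wireshark's code): it groups captured packets into TTL buckets the way the Statistics view does, guesses each source's initial TTL and hop count from the usual OS defaults of 64, 128 and 255 (an assumption, not a rule), flags a source IP that emits more than one TTL family (typical of a NAT or load balancer fronting mixed hosts), and compares a header-based claim such as a faked X-Powered-By against the TTL hint. The packet list is constructed sample data; the bucket edges are my choice.

```python
"""Passive TTL analysis: bucket packets by TTL, infer initial TTL and hop count per
source, and check whether an OS claim from HTTP headers agrees with the TTL.

Added example; sample packets below are constructed, not captured from anywhere.
"""
from collections import Counter, defaultdict

# Common initial TTL defaults (assumption: textbook values, not from the post).
INITIAL_TTLS = {
    64: "Linux/Unix/macOS (default 64)",
    128: "Windows (default 128)",
    255: "Network device / Solaris / some BSD (default 255)",
}

# Bucket edges in the spirit of Wireshark's TTL grouping (exact ranges are my choice).
TTL_BUCKETS = [(0, 31), (32, 63), (64, 127), (128, 254), (255, 255)]

# Constructed sample capture: (source IP, observed IPv4 TTL).
SAMPLE_PACKETS = [
    ("10.0.0.5", 57), ("10.0.0.5", 57),            # looks like a Linux box 7 hops away
    ("10.0.0.9", 121), ("10.0.0.9", 120),          # looks like Windows, 7-8 hops
    ("192.0.2.1", 250),                            # router or similar, 5 hops
    ("10.0.0.9", 60),                              # same IP, but a 64-family TTL: mixed backend?
]


def bucket_for(ttl):
    """Return the bucket label 'lo-hi' containing this TTL."""
    for lo, hi in TTL_BUCKETS:
        if lo <= ttl <= hi:
            return f"{lo}-{hi}"
    raise ValueError(f"TTL out of range: {ttl}")


def group_by_ttl_bucket(packets):
    """Count packets per TTL bucket, like the Statistics breakdown."""
    return dict(Counter(bucket_for(ttl) for _, ttl in packets))


def infer_initial_ttl(ttl):
    """Pick the smallest common default >= observed TTL; return (initial, hops, label)."""
    for initial in sorted(INITIAL_TTLS):
        if ttl <= initial:
            return initial, initial - ttl, INITIAL_TTLS[initial]
    raise ValueError(f"TTL above any known default: {ttl}")


def profile_sources(packets):
    """Per source IP: most common observed TTL, inferred default, hop count, OS hint,
    and whether the IP emitted TTLs from more than one default family."""
    by_src = defaultdict(list)
    for src, ttl in packets:
        by_src[src].append(ttl)
    profiles = {}
    for src, ttls in by_src.items():
        common_ttl = Counter(ttls).most_common(1)[0][0]
        initial, hops, label = infer_initial_ttl(common_ttl)
        families = {infer_initial_ttl(t)[0] for t in ttls}
        profiles[src] = {
            "ttl": common_ttl,
            "initial": initial,
            "hops": hops,
            "os_hint": label,
            "mixed": len(families) > 1,
        }
    return profiles


def claim_matches_ttl(profile, claimed_os):
    """True when an OS claim taken from headers agrees with the TTL-inferred default.
    A server whose banner says Windows but whose TTL sits in the 64 family is 'fishy'."""
    expected = {"windows": 128, "linux": 64, "unix": 64, "macos": 64}
    want = expected.get(claimed_os.lower())
    if want is None:
        raise ValueError(f"no TTL expectation for OS claim: {claimed_os}")
    return profile["initial"] == want


if __name__ == "__main__":
    print(group_by_ttl_bucket(SAMPLE_PACKETS))
    for src, prof in profile_sources(SAMPLE_PACKETS).items():
        print(src, prof)
```

Run it as a script to see the bucket counts and per-source profiles; in practice you would feed it `(ip.src, ip.ttl)` pairs exported from a capture. Note that a TTL only narrows the OS to a default family, so a hop-count estimate of 7 from a TTL of 57 is the interesting signal, not an exact OS version.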
Some more recommendations Roommate had: Use bettercap instead of ettercap, and look into reading the Open Source Security Testing Methodology Manual. We also discussed what it's like at Toorcamp, which I hope to attend this year, even though it overlaps with both days of Shavuot.