RE: Mpack

From: Jay (jay.tomas@infosecguru.com)
Date: Wed Jun 27 2007 - 14:34:22 EDT


When you contract with the Client you should explictly document the tools and processes that will be used. For example they should understand that you are using shrink wrapped applications like AppScan or Core Impact, or other products that are Open Source.

Unless you haveexpertise to do code review you need to be careful what tools you use. You can't download everything you read about on this list and then fire away at your clients environment. If the software is backdoor'd or if its insecure you could cause unpredicted results or compromise.

This = Liability to you

I'm not endorsing any one product set or platform just bringing up the point that you must be able to defend your process if there are problems.

I dont think I'd like to be in front of a jury and say yeah and then I launched up some cool malware and turned it lose not knowing what may happen.

<shamelessplus> I did read about it on Full Disclosure </shamelessplug> your honor =)

Jay

----- Original Message -----
From: Matt Steer [mailto:Matt.Steer@marstons.co.uk]
To: amoeba@amoebazone.com
Cc: kish_pent@yahoo.com,lorddoskias@gmail.com,pen-test@securityfocus.com
Sent: Wed, 27 Jun 2007 11:11:02 +0100
Subject: RE: Mpack

Erin and List,

In my opinion a comprehensive Pen test is seen from the eyes of an
attacker and I cannot see a reason for an attacker to consider the
ethicality of launching an attack from a tool, be it MPack, Metasploit
or any other program that could be used with malicious intent.

I have not conducted any professional pen tests so please, people with
the experience speak up!

I thought the whole idea I would be employed to conduct a Pen test would
be to disclose information on the clients network(s) through the eyes of
a person, or a piece of code, with malicious intent and, should it be
required, information on how to patch any vulnerability I find.
(I actually find this is a little narrow minded, but you catch my drift)

To answer your questions,

>>Is using the "bad guy" tools for "good guy"
>>purposes wrong?

I would use any tools and techniques I see fit to provide the most
complete, accurate report I could within the given timeframe.

>>And if so, where do we draw the line?

I thought the contract that the client and I would have signed was the
proverbial line itself!

My two cents.

Regards,
 
Matt Steer

 
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Erin Carroll
Sent: 27 June 2007 06:41
To: kish_pent@yahoo.com; 'Nikolaj'; pen-test@securityfocus.com
Subject: RE: Mpack

All,

Any discussion or information on where to obtain the Mpack tookit for
purchase or malicious means will be rejected outright. The pen-test list
will not be used to facilitate illegal activities.

That said, I don't see danger in discussing the capabilities and
potential
of this or similar toolkits. I'm interested in malicious code. I need to
be
interested in malicious code to know how to help clients defend against
it.
Some of the newest malware out there is amazingly complex and
sophisticated.
To be blunt, the "bad guys" will always be slightly ahead of the "good
guys"
in this arms race. I have pondered for quite some time the potential of
using "malware" toolkit platforms (Mpack, Agobot, etc) for legitimate
pen-testing purposes and this thread does provide a nice segue into that
realm. To paraphrase an oft-quoted phrase, "the tool isn't the problem,
it's
how it is applied."

If the scope and legal contractual needs are such from a client to
approve
utilizing social engineering or other "grey" methodologies which would
normally be construed as illegal (depending on local laws... yadda yadda
yadda) outside of that legal agreement, how is creating custom exploits
using Mpack different than creating exploit payloads for a Metasploit or
Core Impact toolkit? Are there practicing pen-test professionals out
there
who have done this legally? I'm aware that the "bad guys" use "good guy"
tools for nefarious purposes... Is using the "bad guy" tools for "good
guy"
purposes wrong? And if so, where do we draw the line?

I'm interested to hear your responses.

--
Erin Carroll
Moderator
SecurityFocus pen-test list
"Do Not Taunt Happy-Fun Ball" 
> -----Original Message-----
> From: listbounce@securityfocus.com 
> [mailto:listbounce@securityfocus.com] On Behalf Of Kish Pent
> Sent: Tuesday, June 26, 2007 9:56 PM
> To: Nikolaj; pen-test@securityfocus.com
> Subject: Re: Mpack
> 
> Please go away :)
> 
> It's a polite request, and you've come to the other side, to 
> ask what you want. This is a list for professionals, not 
> people who are interested in malicious code.
> 
> Cheers :)
> Kish
> 
> PS: Erin, delete this thread ASAP, in the best interest of 
> the list's reputation. ;)
> 
> --- Nikolaj <lorddoskias@gmail.com> wrote:
> 
> > Anyone has some first-hand info about this exploitation toolkit? Or 
> > any info where it can be bought?
> 
> 
> 
> Kishore
> Penetration Tester
> Smart Security
> T.Nagar , Chennai
> Phone: 91 98841 80767
> 
> 
>  
> ______________________________________________________________
> ______________________
> Finding fabulous fares is fun.  
> Let Yahoo! FareChase search your favorite travel sites to 
> find flight and hotel bargains.
> http://farechase.yahoo.com/promo-generic-14795097
> 
> --------------------------------------------------------------
> ----------
> This List Sponsored by: Cenzic
> 
> Are you using SPI, Watchfire or WhiteHat?
> Consider getting clear vision with Cenzic See HOW Now with 
> our 20/20 program!
> 
> http://www.cenzic.com/c/2020
> --------------------------------------------------------------
> ----------
> 
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!
http://www.cenzic.com/c/2020
------------------------------------------------------------------------
____________________________________________________
This message has been checked for Viruses and has been found
to be clean.
Marston's PLC Group Services IT Department
____________________________________________________
**********************************************************************************
                      Visit our Web site at www.marstons.co.uk !!
This email is confidential and may be legally privileged as are any files
 transmitted with it. It is intended solely for the use by the person to
 whom it is addressed. If you are not the intended recipient, be advised
 that you have received this e-mail in error and that any disclosure,
 copying, distribution or any action taken or omitted to be taken in
 reliance on it is strictly prohibited and may be unlawful. 
Any views or opinions presented are solely those of the author and do 
not necessarily represent those of Marston's PLC. 
If you have received this e-mail in error please notify 
The Marston's IT Service Desk on 01902 329500. 
"Marston's PLC is a public limited company registered in England and Wales.  Registered number: 31461 Registered office: Marston's House, Wolverhampton, WV1 4JT."
**********************************************************************************
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!
http://www.cenzic.com/c/2020
------------------------------------------------------------------------

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Swap Out your SPI or Watchfire app sec solution for
Cenzic's robust, accurate risk assessment and management
solution FREE - limited Time Offer

http://www.cenzic.com/wf-spi
------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:55 EDT