Pentesting Real World

Penetration Testing in the Real World

Penetration Testing in the real world. If you are tired of “Hacking with Netcat” webcasts or “Penetration Testing with RPC DCOM”, then this movie is for you. It’s a quick reconstruction of a Security Audit we performed over a year ago, replicated in our labs. The video is under 20 minutes long, and highly edited – attacks rarely go as quickly and smoothly as this! Check it out here:

http://www.vimeo.com/11213607

  1. jidb 04-28-2010

    It isn’t clearly explained how you transferred the malicious UDF library from the compromised web server to the file system on the MySQL server. Please explain what exactly the script up.php has done?

    Thank you

  2. Marco 04-28-2010

    The video looks great, but I do not get the picture completely as the video is telling that a connection is made from the Internal SQL server on port 3306 to the attacker. But the NC listener at the attacker is listening on port 80. How does the connection come to the attacker? Directly from the SQL server or proxied via the webserver? If the latter, which binary was used on the webserver, as that is not shown. Also the tunnels are using ports 445, 4444. Are these ports also open from the SQL Server to the attacker? I would expect that these ports are closed on the firewall as only ports 21 and 80 inbound should be open. Is it me or is the video a bit manipulated :-)

  3. Aditya 04-28-2010

    First of all, your videos are always awesome…. I have opted for PWB but postponed till I get my hands on BackTrack… And yeah, if I am not wrong, muts must be the one who prepared that video… Hats off Sir

  4. admin 04-28-2010

    @Marco – Firstly, the video is MOST DEFINITELY manipulated. No attack is as fast and smooth as that. I’m not sure I managed to follow your question fully though…

  5. admin 04-28-2010

    @Jidb – up.php inserted a binary blob payload into the Internal MySQL server, which was then dumped to the local filesystem of the REMOTE MySQL server. Google “MySQL binary Blob” or check out links like this – http://onlamp.com/pub/a/php/2000/09/15/php_mysql.html
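The technique admin describes above (a binary blob inserted into a table and then written out to the MySQL host's filesystem, where jidb's comment says it was loaded as a UDF library) leaves a distinctive trail in the MySQL general query log: a `SELECT ... INTO DUMPFILE`/`OUTFILE` aimed at the plugin directory, followed by `CREATE FUNCTION ... SONAME`. The script below is an added example from a defender's side, not part of the original post or of the lab setup shown in the video. It scans constructed log lines written in the style of that log and also interprets a `secure_file_priv` value, which is the server setting that confines or disables such file exports. The log lines, rule names, file paths and function names are made up for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample lines in the style of the MySQL general query log
# ("Time Id Command Argument"). Not taken from the video or any real server.
SAMPLE_LOG = """\
2010-04-28T10:01:02Z   12 Query   SELECT id, name FROM products WHERE id = 4
2010-04-28T10:01:07Z   12 Query   INSERT INTO uploads (data) VALUES (0x7f454c46...)
2010-04-28T10:01:09Z   12 Query   SELECT data FROM uploads INTO DUMPFILE '/usr/lib/mysql/plugin/lib_example.so'
2010-04-28T10:01:11Z   12 Query   CREATE FUNCTION udf_example RETURNS int SONAME 'lib_example.so'
2010-04-28T10:02:00Z   13 Query   SELECT * FROM orders INTO OUTFILE '/tmp/orders.csv'
"""


@dataclass
class Finding:
    line_no: int
    rule: str
    severity: str
    snippet: str


# Rules are ordered from most to least specific; the first match wins per line.
# Hypothetical rule names chosen for this example.
RULES = [
    # Registering a UDF from a shared library: the step that turns a file write
    # into code execution inside mysqld.
    ("udf_load", "high",
     re.compile(r"\bCREATE\s+(?:OR\s+REPLACE\s+)?(?:AGGREGATE\s+)?FUNCTION\b.*\bSONAME\b", re.I)),
    # A file export whose target path lies under a plugin directory.
    ("file_write_plugin_dir", "high",
     re.compile(r"\bINTO\s+(?:DUMPFILE|OUTFILE)\s+'[^']*/plugin/[^']*'", re.I)),
    # Any other SELECT ... INTO DUMPFILE/OUTFILE is worth a look but is often legitimate.
    ("file_write", "medium",
     re.compile(r"\bINTO\s+(?:DUMPFILE|OUTFILE)\b", re.I)),
]

# Only the "Query" command carries an SQL statement we want to inspect.
QUERY_MARKER = re.compile(r"\bQuery\s+(.*)$")


def scan_log(text: str) -> List[Finding]:
    """Return one Finding per log line whose statement matches a rule."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = QUERY_MARKER.search(line)
        if not m:
            continue
        statement = m.group(1)
        for rule, severity, pattern in RULES:
            if pattern.search(statement):
                findings.append(Finding(line_no, rule, severity, statement[:80]))
                break
    return findings


def secure_file_priv_ok(value: str) -> bool:
    """Interpret the server's secure_file_priv setting.

    ''      -> file export is allowed anywhere the mysqld user can write (weak)
    'NULL'  -> INTO OUTFILE/DUMPFILE and LOAD DATA are disabled entirely
    a path  -> file export is confined to that directory
    Returns True when the setting confines or disables file export.
    """
    v = value.strip()
    if v == "":
        return False
    return True  # 'NULL' or a directory path both restrict file export


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no} [{f.severity}] {f.rule}: {f.snippet}")
    for setting in ("", "NULL", "/var/lib/mysql-files/"):
        print(f"secure_file_priv={setting!r}: {'ok' if secure_file_priv_ok(setting) else 'WEAK'}")
```

Run against the constructed log, the script flags lines 3, 4 and 5 and rates the first two high. The same two rules are the ones to carry into whatever log pipeline the MySQL host feeds; the complementary hardening is to set `secure_file_priv` to a dedicated directory or `NULL` and to keep the plugin directory unwritable by the mysqld user, so that the blob-to-filesystem step in the video has nowhere useful to land.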

  6. Marco 04-28-2010

    @admin to make it a bit clearer. How does the SQL server get its connection through the webserver, which is its default gateway, if it is non-routable? Did you enable NAT on the webserver to get the SQL server to do a reverse bind shell to port 3306, which in the video is port 80 when you get the reverse shell of the webserver?
    Kind regards

  7. Matt 04-28-2010

    Admin, I would like to get this video to some CS teachers but they can’t access the video from the classroom (web filtering restrictions). Would you have a copy that I can get to these teachers so they can use it for classroom education?

    Matt

  8. admin 04-28-2010

    @Marco – Yes, it was a reverse shell from the internal MySQL server to the attacker.

  9. admin 04-28-2010

    @Matt – I believe you can download the movie from here – http://www.vimeo.com/11213607 – but you need to log in for the download.
