Out of the box challenge

...let us know what you think, free speech!
scatter
Fame ! Where are the chicks?!
Posts: 366
Joined: 01 Jan 2014, 05:22

Out of the box challenge

Post by scatter »

okay guys here I have a little challenge to see how much we can think out of the box

Conditions:
*No use of social engineering
*No use of physical penetration

Let's say we have a network where there is important information on the inside computers.
You know no IP of the computers; you know only the IP of a web server.
The web server is completely patched, with no open ports except port 80, which means a website is running on the server. You found no way through the web apps; all of them are safe and secure, which means there is no way through web app vulns or server vulns.

what would you do in such situation?

DNR
Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
Location: Michigan USA

Re: Out of the box challenge

Post by DNR »

The web server can still contain links to employees' email - the email server they use.
Not quite physical, but you've got to get closer - check for wifi in use on the network.

Attack DNS, even BGP. Try for MiTm.

DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.

scatter
Fame ! Where are the chicks?!
Posts: 366
Joined: 01 Jan 2014, 05:22

Re: Out of the box challenge

Post by scatter »

DNR wrote: The web server can still contain links to employees' email - the email server they use.
Not quite physical, but you've got to get closer - check for wifi in use on the network.

Attack DNS, even BGP. Try for MiTm.

DNR

Possible, but all the servers are secure, including the email server, and u can't attack wifi because if you go close someone may shoot u :p
Physical access is not included :)

( I know this is not realistic but I found a way to solve that but I want to see other opinions ) :)

ayu
Staff
Posts: 8109
Joined: 27 Aug 2005, 16:00

Re: Out of the box challenge

Post by ayu »

Similar to what DNR said, if they upload data like PDFs or images, they sometimes contain metadata like email addresses or usernames that can be used in another attack.
Another attack would count as physical, but wouldn't require you to be there; it also counts as some social engineering, so I guess it won't count.
But it would be to send them a USB stick with some malware on it, and attach a document with a business proposal that refers to the content on the stick.

If the web app is secure from all I can see, I would find names of the people who work there and go after them outside of the company servers and domain, break into sites that they use for other things and get passwords that I would then try against the company site.

Also checking domain records for subdomains, or checking for sites under the same IP, and so on.
Brute forcing sub folders on the machine is another common approach, as they usually forget data, or won't expect someone to look in unlinked folders.

There are so many methods you could use.
And there's always a way in ... always.
"The best place to hide a tree, is in a forest"
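A defender's counterpart to the metadata point above, added here as example code that is not from the thread: it scans a constructed PDF byte string for Info-dictionary fields and e-mail addresses that should be scrubbed before a document is published on a public web server. It only handles parenthesised literal strings, not hex strings or XMP metadata streams.

```python
import re

# Constructed minimal PDF-like byte string with an Info dictionary (sample input, not a real document).
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"3 0 obj\n<< /Title (Q3 Report) /Author (jdoe) "
    b"/Creator (Microsoft Word - jdoe@corp.example) "
    b"/Producer (Acrobat Distiller) >>\nendobj\n"
    b"trailer\n<< /Info 3 0 R >>\n%%EOF\n"
)

# Info-dictionary keys that commonly carry identifying data.
INFO_KEYS = ("Title", "Author", "Creator", "Producer", "Subject", "Keywords")
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def pdf_info(data: bytes) -> dict:
    """Return the parenthesised literal-string values of common Info keys found in raw PDF bytes.

    Limitation: nested parentheses, escapes, hex strings and XMP streams are not parsed.
    """
    found = {}
    for key in INFO_KEYS:
        m = re.search(rb"/" + key.encode() + rb"\s*\(([^)]*)\)", data)
        if m:
            found[key] = m.group(1).decode("latin-1")
    return found


def leaks(data: bytes) -> list:
    """Flag fields a publisher should scrub: any Author value and any field containing an e-mail address."""
    flagged = []
    for key, value in pdf_info(data).items():
        if key == "Author" and value.strip():
            flagged.append((key, value))
        elif EMAIL_RE.search(value.encode("latin-1")):
            flagged.append((key, value))
    return flagged


if __name__ == "__main__":
    for key, value in leaks(SAMPLE_PDF):
        print(f"scrub before publishing: /{key} = {value!r}")
```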

scatter
Fame ! Where are the chicks?!
Posts: 366
Joined: 01 Jan 2014, 05:22

Re: Out of the box challenge

Post by scatter »

cats wrote: Similar to what DNR said, if they upload data like PDFs or images, they sometimes contain metadata like email addresses or usernames that can be used in another attack.
Another attack would count as physical, but wouldn't require you to be there; it also counts as some social engineering, so I guess it won't count.
But it would be to send them a USB stick with some malware on it, and attach a document with a business proposal that refers to the content on the stick.

If the web app is secure from all I can see, I would find names of the people who work there and go after them outside of the company servers and domain, break into sites that they use for other things and get passwords that I would then try against the company site.

Also checking domain records for subdomains, or checking for sites under the same IP, and so on.
Brute forcing sub folders on the machine is another common approach, as they usually forget data, or won't expect someone to look in unlinked folders.

There are so many methods you could use.
And there's always a way in ... always.

Well, you mentioned many ways of S.E., but we said it's not included and the server is well secured, but here is my idea:
A simple traceroute can get u the other IPs of the computers inside the network, but let's say all of them r also well hardened and secure. Someone may steal the Windows Update signature and make those in offices receive an alarm of a critical Windows update, but these updates r the fake updates u made, and they won't be detected as you already stole the signature. I never did that, but it's my idea without touching any physical thing or any interaction (so no S.E.) :) Doing some research to see how it can be done step by step.

ayu
Staff
Posts: 8109
Joined: 27 Aug 2005, 16:00

Re: Out of the box challenge

Post by ayu »

scatter wrote: Well, you mentioned many ways of S.E., but we said it's not included and the server is well secured, but here is my idea:
A simple traceroute can get u the other IPs of the computers inside the network, but let's say all of them r also well hardened and secure. Someone may steal the Windows Update signature and make those in offices receive an alarm of a critical Windows update, but these updates r the fake updates u made, and they won't be detected as you already stole the signature. I never did that, but it's my idea without touching any physical thing or any interaction (so no S.E.) :) Doing some research to see how it can be done step by step.

In most cases what you see is their external IP, and if you were to traceroute it, the IP before it would normally be their ISP.
The traceroute would not be able to get any information from their internal network, especially if it's NATed, which it is in most cases.

How would you steal the signature though?
And how would you route their traffic to go to your fake update server instead of the legit one?
"The best place to hide a tree, is in a forest"

scatter
Fame ! Where are the chicks?!
Posts: 366
Joined: 01 Jan 2014, 05:22

Re: Out of the box challenge

Post by scatter »

ayu wrote: In most cases what you see is their external IP, and if you were to traceroute it, the IP before it would normally be their ISP.
The traceroute would not be able to get any information from their internal network, especially if it's NATed, which it is in most cases.

How would you steal the signature though?
And how would you route their traffic to go to your fake update server instead of the legit one?

Nope, the traceroute will give infos about which other IPs r under the same network, and talking about sniffing the signature of updates and routing the traffic, that's the point. As I said, it wasn't done before (well, it was, but maybe in PM I can tell that), but that's what I'm trying to find out.

ayu
Staff
Posts: 8109
Joined: 27 Aug 2005, 16:00

Re: Out of the box challenge

Post by ayu »

scatter wrote: Nope, the traceroute will give infos about which other IPs r under the same network, and talking about sniffing the signature of updates and routing the traffic, that's the point. As I said, it wasn't done before (well, it was, but maybe in PM I can tell that), but that's what I'm trying to find out.

No, the traceroute will only give information about the "hops", that is, what other machines it passes.
These machines are mostly routers and switches, and won't be other servers on the network.

In the normal case the web server will be behind a firewall or router, and be in an internal NATed network.
So when you ping "www.whateversite.tld", you will get their external IP, and even if you traceroute that, it won't pass the router/gateway and into the network.

This does not mean that they can't own some of the machines on the way, but it also doesn't mean that you can get any access to those machines, which will mostly be routers, switches and firewalls. And it won't mean that you can access the internal network where most of the data is that you want to get.


Of course, IF you were to manage to get into such a machine on the way, then you could of course start sniffing traffic from that location. But SSL traffic will still be encrypted, and any MitM attack without a valid certificate for your target will render the attack hard, since they will get a warning about the invalid cert. And of course this is a very big IF. These machines are usually big Cisco routers, which are very expensive and hard to get by yourself if you want to test them for vulnerabilities.

How would you go about sniffing the data then, if you are doing this from a remote connection without any access to their network, neither physical nor remote?

And don't see this as pure criticism ;)
I'm interested in this and want to discuss it.
"The best place to hide a tree, is in a forest"

scatter
Fame ! Where are the chicks?!
Posts: 366
Joined: 01 Jan 2014, 05:22

Re: Out of the box challenge

Post by scatter »

Criticism? Come on man, I am here to learn :) and you all have more experience and knowledge than me, so every word is a treasure for me. I will finish my research and come to u to discuss that more, but before, I have to fix what I missed on what you said :)

ayu
Staff
Posts: 8109
Joined: 27 Aug 2005, 16:00

Re: Out of the box challenge

Post by ayu »

scatter wrote: Criticism? Come on man, I am here to learn :) and you all have more experience and knowledge than me, so every word is a treasure for me. I will finish my research and come to u to discuss that more, but before, I have to fix what I missed on what you said :)
I look forward to your results! :)
"The best place to hide a tree, is in a forest"
