I was not really sure if one could call this a paper, per se, but I felt the need to put it out there anyway.
I have dabbled with this pen-testing stuff for over 10 years (off and on). The one thing I have always seen prevalent is that people continue to scan/analyze/drill down, always in the "dark". Let me elaborate:
I always see screenshots of kids posting that they are using nmap or Metasploit, yet that is all you see. You never seem to see the most important piece that should be in place: THE TRAFFIC/PACKET ANALYZER!
If one is scanning a host (or hosts), or firing off various payloads at a target, one should ALWAYS be running a sniffer in the background to see what he/she is even "hitting", if anything.
This may seem like common sense, but you would be surprised to know how much of it is lacking in this world of ours! I find running tcpdump/WinDump on ANYTHING I do at a remote level to be absolutely critical to what I am doing. How many are aware of that?
A perfect example of why you should always have one running (and refer to it as well) is this case in point:
When running a test on a POP3 server once, I simply got back as output from the Telnet session "error...cannot connect". One would usually leave it at that, but I delved further, and after looking at what traffic was involved, I saw that it was an authentication issue and I did not have proper credentials.
Not a big deal, you say, but if I were never to actually look into what was REALLY going on, I would just assume it was a program error/glitch or what have you.
I have also seen times where using Wireshark and looking at packets IN DETAIL allowed me to figure out just what was happening in a protocol exchange. In the case of a Metasploit test for an MS-RPC exploit, I would get back "NCACN_ACCESS_DENIED" on an unsuccessful attempt.
A lot of times that would suffice, but I wanted to know WHY (the beauty of a hacker's mind). I looked at Wireshark and realized it was an authentication issue once again (I believe it was in relation to NTLM security being turned on, not sure). My point is that anything could have been causing Metasploit to spit out that message. If one simply trusts what their programs are telling them, without actually SEEING if it is true, you are really just believing what you see (and that is dangerous and inaccurate in a lot of cases).
Hopefully this paper/rant has explained why it is vital to actually VERIFY what you are seeing and what you are not (through packet analysis).
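One way to turn the "sniffer always running in the background" habit into a repeatable script, added here as an example and not code from the original post: it starts tcpdump filtered to the target, runs whatever scan or payload command you hand it, stops the capture, then reads the capture back and says, for each port a SYN went to, what the target actually answered (a SYN-ACK, a RST, an ICMP unreachable from something in between, or nothing at all). It assumes tcpdump is installed and that the script runs with enough privilege to sniff (root or CAP_NET_RAW). The addresses 10.0.0.9 (us), 10.0.0.5 (target) and 10.0.0.1 (a router), the tcpdump lines in SAMPLE, the nmap port list and the file name scan.pcap are all constructed for the example.

```python
"""Run a sniffer around a scan and read back what the target actually did.

Added example, not code from the original post. Assumes tcpdump is installed and
that this runs with enough privilege to open the capture interface (root or
CAP_NET_RAW). Addresses and the tcpdump lines in SAMPLE are constructed.
"""
import re
import subprocess
import sys
import time

# tcpdump -n text lines look like:
#   12:00:00.000100 IP 10.0.0.9.40001 > 10.0.0.5.110: Flags [S], seq 1, win 1024, length 0
#   12:00:00.002300 IP 10.0.0.1 > 10.0.0.9: ICMP host 10.0.0.5 unreachable - admin prohibited filter, length 36
TCP_RE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)
ICMP_RE = re.compile(r"^\S+ IP (?P<src>\S+) > (?P<dst>\S+): ICMP (?P<what>.*?unreachable)")


def capture_around(iface, target, pcap, command, settle=1.0):
    """Start tcpdump, run `command`, then stop tcpdump. Returns the command's exit status.

    The filter keeps traffic to/from the target plus all ICMP, because an
    "unreachable" comes from a router and would not match `host target`.
    """
    sniffer = subprocess.Popen(
        ["tcpdump", "-i", iface, "-n", "-w", pcap, "host", target, "or", "icmp"],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
    )
    time.sleep(settle)            # let tcpdump attach before we send anything
    try:
        return subprocess.call(command)
    finally:
        time.sleep(settle)        # late RSTs / ICMP errors arrive after the tool exits
        sniffer.terminate()       # SIGTERM: tcpdump flushes and closes the savefile
        sniffer.wait()


def tcpdump_text(pcap):
    """Decode a capture into tcpdump's one-line-per-packet text form."""
    out = subprocess.run(["tcpdump", "-n", "-r", pcap],
                         capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def what_did_we_hit(lines, me, target):
    """Map each target port we sent a SYN to onto what really came back.

    'open'     -> SYN-ACK from the target: something is listening
    'closed'   -> RST from the target: host is up, nothing on that port
    'filtered' -> a router/firewall answered with ICMP unreachable instead
    'no reply' -> we sent a SYN and nothing at all came back
    """
    probed = set()        # ports we sent a bare SYN to
    replies = {}          # port -> 'open' | 'closed'
    icmp_from = None      # who sent an ICMP unreachable naming the target
    for line in lines:
        m = TCP_RE.match(line)
        if m:
            src, sport, dst, dport, flags = m.groups()
            if src == me and dst == target and flags == "S":      # our probe (nmap -sS style)
                probed.add(int(dport))
            elif src == target and dst == me:
                port = int(sport)
                if "S" in flags and "." in flags:                   # [S.] = SYN-ACK
                    replies[port] = "open"
                elif "R" in flags:                                  # [R] / [R.] = RST
                    replies.setdefault(port, "closed")
            continue
        m = ICMP_RE.match(line)
        if m and m.group("dst") == me and target in m.group("what"):
            icmp_from = m.group("src")
    verdict = {}
    for port in sorted(probed):
        if port in replies:
            verdict[port] = replies[port]
        elif icmp_from:
            # without `tcpdump -v` the quoted inner packet (and so its port) is not
            # printed, so the ICMP can only be tied to the target, not to one probe
            verdict[port] = f"filtered (ICMP unreachable from {icmp_from})"
        else:
            verdict[port] = "no reply"
    return verdict


# Constructed tcpdump output: 110 answers SYN-ACK, 143 answers RST, 135 and 445
# get nothing from the host but a router sends an ICMP unreachable about it.
SAMPLE = """\
12:00:00.000100 IP 10.0.0.9.40001 > 10.0.0.5.110: Flags [S], seq 1, win 1024, length 0
12:00:00.000400 IP 10.0.0.5.110 > 10.0.0.9.40001: Flags [S.], seq 7, ack 2, win 65535, length 0
12:00:00.000500 IP 10.0.0.9.40001 > 10.0.0.5.110: Flags [R], seq 2, win 0, length 0
12:00:00.001000 IP 10.0.0.9.40002 > 10.0.0.5.143: Flags [S], seq 1, win 1024, length 0
12:00:00.001300 IP 10.0.0.5.143 > 10.0.0.9.40002: Flags [R.], seq 0, ack 2, win 0, length 0
12:00:00.002000 IP 10.0.0.9.40003 > 10.0.0.5.135: Flags [S], seq 1, win 1024, length 0
12:00:00.002300 IP 10.0.0.1 > 10.0.0.9: ICMP host 10.0.0.5 unreachable - admin prohibited filter, length 36
12:00:00.003000 IP 10.0.0.9.40004 > 10.0.0.5.445: Flags [S], seq 1, win 1024, length 0
"""

if __name__ == "__main__":
    me, target, iface = sys.argv[1:4]   # our IP, the target IP, capture interface (assumed args)
    capture_around(iface, target, "scan.pcap",
                   ["nmap", "-n", "-sS", "-p", "110,135,143,445", target])
    for port, state in what_did_we_hit(tcpdump_text("scan.pcap"), me, target).items():
        print(f"{target}:{port} -> {state}")
```

Run as `sudo python3 capture_check.py 10.0.0.9 10.0.0.5 eth0` (file name and arguments assumed) and compare the verdicts with what nmap printed: a port nmap calls "filtered" that shows up here as "no reply" with no ICMP at all is a very different situation from one where a firewall openly rejected you, and the capture is the only place that difference is visible. The same pcap can be opened in Wireshark afterwards for the protocol-level detail (the POP3 or MS-RPC error the tool summarised away).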
Entire post needs to be sticky-noted on everyone's monitor. To add to your points, if you're infected with any kind of malware, the sniffer will (for the most part) show you whether you're infected or not... and in many cases show you who it is connecting back to. Tutorial to come on this soon.
Great thread, McKittrick, we needed something discussing this. People become too reliant on the tools and not on what's physically happening in situations.