Have an account?
It looks like you're new here. If you want to get involved, click one of these buttons!
Apply for Membership
Who's Online (1)
Looking to introduce yourself? Look no further, and click here! We also have IRC! [irc.evilzone.org #iexploit]
General Security Discussions
"The Seen VS the Unseen"
i was not really sure if one could call this a paper, per say, but i felt the need to put it out there anyway
i have dabbled with this pen-testing stuff for over 10 years (off and on)
the one thing i have always seen prevalent is that people continue to scan/analyze/drilldown---always in the "dark". let me elaborate:
i always see screenshots of kids posting they are using nmap or metasploit, yet that is all you see. you seem to never see the most important piece that should be in place---THE TRAFFIC/PACKET ANALYZER!
for one to be scanning a host/hosts, or to be firing off various payloads at a target, one should ALWAYS be running a sniffer in the background to see what he/she is even "hitting", if anything
this may seem like common sense, but you would be surprised to know how much of that is lacking in this world of ours! i find running TCP/Windump on ANYTHING i do on a remote level to be absolutley critical in what i am doing. how many are aware of that?
a perfect example of why you should always have one running (and refer to it as well) is this case in point:
one running a test on a POP3 server once, i simply got back from output from the Telnet session "error...cannot connect"
one would usually leave it at that. but i delved further and after looking at what traffic was involved, i saw that is was an authentication issue and i did not have proper credentials
not a big deal you say, but if i was never to actually look into what was REALLY going on, i would just assume it was a program error/glitch or what have you
i have also seen times where using Wireshark and looking at packets IN DETAIL allowed me figure out just what was happening in a protocol exchange. in the case of a Metasploit test for an MS-RPC exploit, i would get back on an unsuccessful attempt "NCACN_ACCESS_DENIED"
alot of times that would suffice, but i wanted to know WHY (the beauty of a hackers mind)
i looked at Wireshark and realized it was an authentication issue once again (i believe it was in relation to NTLM security turned on, not sure)
my point is that anything could have been causing Metasploit to spit out that message. if one simply trusts what their programs are telling them, without actually SEEING if it is true, you are really just believing what you see (and that is dangerous and innacurate in alot of cases)
hopefully this paper/rant has explained why it is vital to actually VERIFY what you are seeing and what you are not (through packet analysis)
Entire post needs to sticky noted on everyone's monitor. To add to your points, if you're infected with any kind of malware, the sniffer will (for the most part) show you if you're infected or not...and in many cases show you who it is connecting back to. Tutorial to come on this soon.
while( !(succeed = try() ) );
Great thread McKittrick, we needed something discussing this. People become to reliant on the tools and not on what's physically happening in situations.
Yeah a lot of people dont do this
Add a Comment