Excellent presentation. I've been using similar techniques with a fair amount of success. Some of your emails look a little more creative, but we branched out to use Canvas in addition to Metasploit and some custom tools. It would be great to exchange notes sometime.
CG: Given the vast variety of client software that can be leveraged to get internal client/workstation access, other than specifically testing a user training program or a HIPS type solution, does cutting straight to the internal test and assuming that a client will be compromised sometime make sense?
I think so *sometimes*. It's all based on scope and what the customer wants/needs (those don't always match up properly).
I guess it would also depend on whether you are just doing an internal PT for the sake of doing one, or if you are trying to test their responses to finding the bad guy once that client side has been executed, or if they want to see how far a bad guy can get given one user clicking that email.
But I don't think a lot of businesses are mature enough to understand that and let testers test that way.
That was probably more questions than answers to your question.
Anonymous, you're basically right. But there's a problem. I'd agree with CG on: "But I don't think a lot of businesses are mature enough to understand that". Most businesses don't understand security. Sometimes the only way to communicate to them is by executing an attack and providing detailed screenshots.
Excellent talk about this most interesting topic. I really learned a lot!! Are your slides available somewhere, e.g. as a PDF? That would be great. Cheers