On a recent assessment we came across the following scenario:
1) We have command execution through a web command interpreter script (cmd.jsp) on a remote Linux webserver
2) The box is firewalled, only allowing 53 UDP ingress and egress
3) The box is sitting on the network perimeter, with one public IP and one internal IP, and not in a DMZ

So we want to tunnel from the SensePost offices to Target Company's internal machines, with this pretty restrictive setup. How did we accomplish this?
1) Upload and compile dns2tcp to the target machine
2) Create a dns2tcp tunnel from target (dns2tcp client) to SPDNSTUNNEL (dns2tcp server)
See the attached picture for a summary of the above.
-Glenn
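Seen from the other side of the firewall, a tunnel like the one above has a signature in the resolver logs: one client sending a stream of unique, long, high-entropy labels under a single zone, usually as TXT queries. The following is an added example (not part of the original post and not dns2tcp's own code) that profiles DNS query records per client and flags the ones that look like a tunnel endpoint. The query records and the zone tunnel-example.net are constructed for the example; the thresholds are assumptions a defender would tune against their own baseline.

```python
import math
from collections import defaultdict

# Constructed DNS query records (client_ip, query_type, query_name); not real traffic.
SAMPLE_QUERIES = [
    ("10.0.0.5", "A", "www.example.com"),
    ("10.0.0.5", "A", "mail.example.com"),
    ("10.0.0.5", "AAAA", "www.example.com"),
    ("10.0.0.5", "A", "cdn.example.org"),
] + [
    # A tunnelling client emits many unique, long, high-entropy labels under one zone,
    # commonly as TXT queries (one of the record types tools such as dns2tcp carry data in).
    ("10.0.0.9", "TXT", f"{label}.t.tunnel-example.net")
    for label in (
        "a9f3k2l0q8zx7v4m1n6b5c3d2e1f0g9h",
        "z8y7x6w5v4u3t2s1r0q9p8o7n6m5l4k3",
        "qpwoeirutyalskdjfhgmznxbcv1029384",
        "m2n4b6v8c0x1z3a5s7d9f1g3h5j7k9l0",
        "t5r7e9w1q3y5u7i9o1p3a5s7d9f1g3h5",
    )
]


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_zone(qname):
    """Crude 'zone' = last two labels; good enough for grouping the sample data."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def profile_clients(queries):
    """Aggregate per-client DNS features that separate tunnelling from ordinary browsing."""
    stats = defaultdict(lambda: {"total": 0, "txt": 0, "zones": defaultdict(set),
                                 "label_len": 0, "entropy": 0.0})
    for client, qtype, qname in queries:
        s = stats[client]
        leftmost = qname.split(".")[0]          # the label a tunnel encodes its payload into
        s["total"] += 1
        s["txt"] += qtype.upper() == "TXT"
        s["zones"][registered_zone(qname)].add(qname)
        s["label_len"] += len(leftmost)
        s["entropy"] += shannon_entropy(leftmost)
    profiles = {}
    for client, s in stats.items():
        busiest_zone = max(s["zones"].values(), key=len)
        profiles[client] = {
            "queries": s["total"],
            "txt_ratio": s["txt"] / s["total"],
            "avg_label_len": s["label_len"] / s["total"],
            "avg_entropy": s["entropy"] / s["total"],
            "max_unique_names_in_one_zone": len(busiest_zone),
        }
    return profiles


def flag_tunnel_suspects(queries, min_label_len=20, min_entropy=3.5, min_unique=5):
    """Return clients whose profile looks like a DNS tunnel endpoint (thresholds are assumptions)."""
    suspects = []
    for client, p in profile_clients(queries).items():
        if (p["avg_label_len"] >= min_label_len
                and p["avg_entropy"] >= min_entropy
                and p["max_unique_names_in_one_zone"] >= min_unique):
            suspects.append(client)
    return sorted(suspects)


if __name__ == "__main__":
    for ip, profile in profile_clients(SAMPLE_QUERIES).items():
        print(ip, profile)
    print("suspects:", flag_tunnel_suspects(SAMPLE_QUERIES))
```

The per-client aggregation matters more than any single query: a lone long TXT lookup is normal (SPF, DKIM), but dozens of never-repeated 32-character labels under one zone from one host is the pattern a tunnel cannot avoid producing. On a real resolver the same features would be fed from the query log rather than an inline list, and the zone grouping would use a proper public-suffix list.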
-sigh- the topic is stolen directly from the [DarkReading Article] -snip- It’s yet another new spin on a pervasive attack -- this time using the old standby Simple Network Management Protocol (SNMP) to stage cross-site scripting (XSS) attacks. -snip-
-sigh- a little while back while doing a pen-test on a 1U device, we found that a well poisoned SNMP string could easily result in XSS and even SQL Injection attacks.
A few months later, Nick used a variation of this by simply using XSS payloads as his SSID and broadcasting near wifi IDS devices with web based management consoles.
My point is simply that this hardly counts as a new attack.. (we didn't even think it was novel enough to blog at the time!)
-sigh- ignore me.. I'm older and cynicaler and tireder today.. I should get some sleep...
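The common thread in the SNMP and SSID cases is a management console that treats device-supplied strings (sysName, sysDescr, an SSID) as trusted and drops them straight into HTML or SQL. The following is an added example, not code from any of the products mentioned, showing the rendering and storage patterns that fail and the ones that hold up. The poisoned values and the device IP are constructed for the example.

```python
import html
import sqlite3

# Constructed values of the kind a device could return for SNMP sysName/sysDescr;
# not captured from any real device.
POISONED_SYSNAME = "<script>alert(1)</script>"
POISONED_SYSDESCR = "core-switch'); DROP TABLE devices; --"


def render_row_vulnerable(sysname, sysdescr):
    """Concatenates SNMP strings straight into markup: a poisoned sysName becomes script."""
    return f"<tr><td>{sysname}</td><td>{sysdescr}</td></tr>"


def render_row_safe(sysname, sysdescr):
    """HTML-escapes every device-sourced string before it reaches the page."""
    return f"<tr><td>{html.escape(sysname)}</td><td>{html.escape(sysdescr)}</td></tr>"


def build_insert_vulnerable(ip, sysname, sysdescr):
    """Builds the INSERT by string formatting; the statement is whatever the device says it is."""
    return f"INSERT INTO devices VALUES ('{ip}', '{sysname}', '{sysdescr}')"


def store_devices(rows):
    """Persists polled devices with bound parameters, so SNMP strings are data, never SQL."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (ip TEXT, sysname TEXT, sysdescr TEXT)")
    conn.executemany("INSERT INTO devices VALUES (?, ?, ?)", rows)
    return conn


def device_count(conn):
    return conn.execute("SELECT COUNT(*) FROM devices").fetchone()[0]


if __name__ == "__main__":
    print(render_row_vulnerable(POISONED_SYSNAME, POISONED_SYSDESCR))
    print(render_row_safe(POISONED_SYSNAME, POISONED_SYSDESCR))
    print(build_insert_vulnerable("192.0.2.10", POISONED_SYSNAME, POISONED_SYSDESCR))
    conn = store_devices([("192.0.2.10", POISONED_SYSNAME, POISONED_SYSDESCR)])
    print("stored rows:", device_count(conn))
```

The fix is the same whether the string arrives over SNMP, 802.11 beacons or syslog: escape for the output context at render time and bind parameters at storage time, rather than trying to validate what a device is allowed to call itself.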
So Felten et al. basically figured that cooling DRAM chips allows an attacker to move them to another machine where they can be leeched!
The geek in me can't help but say "COOL!" According to the comments posted (by Eugene Spafford no less) this sort of attack is fairly well known.. but.. for this humble fanboy, I think it's still pretty rocking!
Many people took a crack at "what tool will work to replace mangler, out of the box" and so we have a bunch of new tools to play with..
Steven's answer of MS-Word or PowerPoint left us scratching our heads a little, and rezn threw in the added complexity of the app requiring valid certs..
(to answer rezn, I think you could avoid the SSL complications with judicious use of a detours app or echo-mirage from bindshell.net).
The answer the panel was looking for (for some definition of panel) was.. webscarab-ng.. as Lohan points out here...
ah well.. another cheap, quick informal QoW follows intercrastically..
(my first X-Rated blog post.. i should hook up ad-words and watch the money roll in!)
Ok.. our Zimbabwean recruit was posed the following question by some international academics:
Q:"How would you sort your shoes?"
He answered:
A: "I make the assumption that the shoes are positioned such that I can see their sizes, and that they are in a row of boxes. I would randomly pick a pair of shoes in a box and call them my 'pivot point'. I would then reorder the shoes such that all shoes with sizes less than my pivot are on the left of it, and all shoes with a greater size are on the right of the pivot (perhaps having 2 piles of shoes next to me as I work, one for size less than, one for size greater than). This pivot pair of shoes would now be in their correct sorted position. I would then apply this same process to the left and right sets of shoes, and then to their left(left,right) and right(left,right) sets, continuing this process until all shoes have been 'pivoted' or there is only one or zero pair of shoes between two pivots. (i.e. a set of only one pair)."
Now.. this seems impressive.. but my response was (kinda) That's a whoreish way to do it..
QoW-1: What possessed me to respond like this?
QoW-2: Do you have a better solution? and why?
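For readers who want the recruit's answer in running form before weighing in on QoW-2, here is an added example (not from the original post) of exactly the procedure described: pick a random pivot, split the remaining pairs into a "smaller" pile and a "greater or equal" pile, place the pivot between them, and recurse until a pile holds one or zero pairs. The shoe sizes and the seed are constructed for the example; the comparison counter is an addition so the cost of the approach can be seen.

```python
import random


def sort_shoes(sizes, rng=None, counter=None):
    """Sort shoe sizes by the pivot-and-two-piles method from the answer above.

    `rng` supplies the random pivot choice (seeded for reproducibility);
    `counter` is an optional one-element list that accumulates the number of
    size comparisons performed, so the work done can be measured.
    """
    if len(sizes) <= 1:                      # zero or one pair: already sorted
        return list(sizes)
    rng = rng or random.Random()
    pivot_index = rng.randrange(len(sizes))  # "randomly pick a pair of shoes in a box"
    pivot = sizes[pivot_index]
    rest = sizes[:pivot_index] + sizes[pivot_index + 1:]
    smaller, greater_or_equal = [], []       # the two piles next to you as you work
    for size in rest:
        if counter is not None:
            counter[0] += 1
        (smaller if size < pivot else greater_or_equal).append(size)
    # The pivot is now in its final position; repeat on each pile.
    return (sort_shoes(smaller, rng, counter)
            + [pivot]
            + sort_shoes(greater_or_equal, rng, counter))


def comparisons_for(sizes, seed=0):
    """Run the sort and return (sorted_sizes, number_of_comparisons)."""
    counter = [0]
    result = sort_shoes(sizes, random.Random(seed), counter)
    return result, counter[0]


# Constructed shoe sizes, including duplicates, since a shop shelf has several pairs of one size.
SHELF = [9, 7, 11, 7, 8, 10, 6, 9, 12, 8]

if __name__ == "__main__":
    ordered, n_cmp = comparisons_for(SHELF)
    print("sorted shelf:", ordered)
    print("comparisons:", n_cmp)
```

Duplicate sizes go to the "greater or equal" pile so no pair is dropped, and the base case is the one the answer states. The comparison count is what the follow-up question is really about: it depends on how lucky the pivot choices are, which is something to keep in mind when comparing this to any other way of ordering a shelf of shoes.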