5

When it comes time for the internal phase of a white box or red-team audit, where you've locked yourself in a mop-closet in an office building of a Fortune 500 company, I would think that the last thing you'd need is Burp Suite attempting to connect to portswiggerDOTcom to check for a new version or noisy traffic generated by a web browser, such as all the "safe-browsing" and "self-repair" clatter...

What do pen-testers do to mitigate this type of noise? Some of the aforementioned is easy enough to deal with; other stuff, like the Burp example, can't be filtered with itself (that traffic conveniently can't be trapped by the proxy, and adding the domain to a HOSTS file does nothing).

– russ6100, Rory Alsop

3 Answers

1

While it is very useful to be able to grab latest updates etc., you are right that this is not what works in various types of testing. The two most likely are 'stealthy' tests, as you mention, and tests where you do not have a connection outside the network.

The solution is to come with everything you need: all tools and scripts on your testing laptop, or for those tests where you are not allowed to take your own physical kit on site, delivery of your tools to the in-house security team for review and installation onto the test machine.

The list of tools you will want will develop with experience - you'll learn the ones that you typically need for a specific type of test - but I always found that more was better, as if I took a cut down toolset I'd always need one I hadn't brought!

And to be properly quiet on the network you need to configure every tool in stealth mode. Remove 'call-home' functionality. Wind down rate limits where possible. Turn off 'noisy' tests.

If the test allows you to have a smartphone, then using that to check for script updates etc. is very useful to keep things off the LAN.

– Rory Alsop
1

Burp Suite Professional is a tool for approved tests, or for labs -- not for red-team engagements or cyber exercises. Typically, a cyber exercise is going to include exploit-only code where the exploitability of each vulnerability is well-known and pre-tested.

When you look at exploit code, such as the ones targeting Cisco PIX and ASA firewall platforms -- the codenames and modularization are focused entirely on known, categorized exploits as late attack-cycle specialized weapons -- not as early-on testing all-purpose software-quality tools.

Even the metasploit-framework is losing its relevance, including its evolving Meterpreter implant. It is rare to hear of real threat actors using metasploit-framework components -- I have only heard about India-based threat communities using it for high-profile attacks.

Probably the most-common red-team engagement tool for stealth is PowerSploit. Instead of bypassing or using an unrestricted PowerShell ExecutionPolicy, typically modules and assemblies will be signed. Using a custom or slightly-modified compression or encoding approach, PowerShell can be easily obfuscated and even ConstrainedLanguage and AMSI bypassed. Posh-SecMod has some examples of script compression through the Compress-PostScript and New-PostDownloadExecuteScript functions.

PowerShell and C# provide a lot of low-profile attack paths. If you are interested in XSS, SQLi, or similar attacks from these easy-to-obfuscate frameworks, be sure to check out the book, Grey Hat C#. Many of the stealth-oriented attack techniques are available in PowerView because Microsoft Windows Server Forest technology isn't widely monitored by orgs, nor are any of the Active Directory elements -- especially not AD objects that relate to Microsoft DNS or SPN identifiers.

If an exploit can reach memory (e.g. client-side or service-process layer), such as through a Flash, Internet Explorer, or office-document exploit -- a red team can leverage the ReflectivePick technique outlined in the links in the third paragraph of this answer (N.B., especially see the one on alternatives to Meterpreter).

Many attacks can leverage the TLS protocol for stealth, including SQLi. If you want to tunnel through a web framework such as ASP.NET or Java Enterprise, be sure to check out APBTTS, which will provide the transport-layer capabilities of a web shell without writing a web shell to the disk.

Specific, other defensive-technology bypasses (or theories that could certainly lead to new techniques) can likely be found in books such as The Anti-Virus Hacker's Handbook.

– atdre

    Sorry for the necro / tardiness but great post! I agree that the Metasploit Framework is not seen as much anymore and that even Meterpreter payloads that have had several iterations of Metasploit's provided obfuscation techniques are often detected. However, an added layer of 'rolling your own' obfuscation - e.g. an XOR with a short key can breathe new life into old tech. Also agree on the MS stuff, even VBA in the right context will often surprisingly not raise an eyebrow. – russ6100 Jul 02 '18 at 22:32
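The answer above describes compressed and base64-encoded PowerShell as the low-profile way to stage scripts. The flip side, for whoever reviews the logs, is that the same encodings are recoverable from PowerShell script block logging (event 4104) and process creation records (event 4688). The following triage script is an added example, not code from the answer or from any of the projects it names: it pulls long base64 tokens out of constructed log lines, tries raw deflate, gzip, zlib and UTF-16LE decodings in turn, and flags lines that decode or that carry loader tokens such as `FromBase64String` or `DeflateStream`. The event text, the token list and the scoring threshold are assumptions for the example.

```python
import base64
import binascii
import re
import zlib

# Tokens that commonly appear in staged or encoded PowerShell (assumed list for the example).
LOADER_TOKENS = ("FromBase64String", "DeflateStream", "GZipStream",
                 "Invoke-Expression", "IEX", "-EncodedCommand")
# A run of base64 characters long enough to be a payload rather than a short identifier.
B64_RE = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")


def try_decode_blob(blob):
    """Attempt to recover text from one base64 token; returns (encoding, text) or None."""
    try:
        data = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    # Compressed stagers: raw deflate (no header), gzip (wbits 31) or zlib (wbits 15).
    for label, wbits in (("raw-deflate", -15), ("gzip", 31), ("zlib", 15)):
        try:
            return label, zlib.decompress(data, wbits).decode("utf-8", "replace")
        except zlib.error:
            pass
    # -EncodedCommand carries UTF-16LE; ASCII text then has a zero high byte in position 1.
    if len(data) % 2 == 0 and data[1:2] == b"\x00":
        try:
            return "utf-16le", data.decode("utf-16-le")
        except UnicodeDecodeError:
            pass
    if all(32 <= b < 127 or b in (9, 10, 13) for b in data):
        return "ascii", data.decode("ascii")
    return None


def analyze_line(line):
    """Score one exported log line: decoded blobs plus loader-token hits."""
    decoded = []
    for blob in B64_RE.findall(line):
        result = try_decode_blob(blob)
        if result:
            kind, text = result
            decoded.append({"encoding": kind, "preview": text[:60]})
    tokens = [t for t in LOADER_TOKENS
              if re.search(r"(?<![A-Za-z0-9])" + re.escape(t) + r"(?![A-Za-z0-9])", line, re.I)]
    return {"line": line[:48], "decoded": decoded, "tokens": tokens,
            "suspicious": bool(decoded) or len(tokens) >= 2}


def build_sample_logs():
    """Constructed event text (not real captures) in the shape a SIEM export would have."""
    plain = "Write-Output 'constructed sample block for the log triage example'"
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)          # raw deflate, as DeflateStream emits
    deflated = comp.compress(plain.encode()) + comp.flush()
    return [
        "4104 ScriptBlockText: Get-ChildItem C:\\Users | Select-Object Name",
        "4104 ScriptBlockText: [Convert]::FromBase64String('%s') ... DeflateStream"
        % base64.b64encode(deflated).decode(),
        "4688 CommandLine: powershell.exe -NoProfile -EncodedCommand "
        + base64.b64encode(plain.encode("utf-16-le")).decode(),
    ]


if __name__ == "__main__":
    for report in map(analyze_line, build_sample_logs()):
        flag = "SUSPICIOUS" if report["suspicious"] else "ok"
        print(f"{flag:10} {report['line']!r} tokens={report['tokens']}")
        for d in report["decoded"]:
            print(f"           decoded as {d['encoding']}: {d['preview']!r}")
```

Feed real exported lines through `analyze_line` one per line; the decode order matters, because a raw deflate attempt on random bytes fails on the block-type bits, while a valid UTF-16LE blob would never survive the compression attempts, so a single hit is a strong signal. Custom XOR or tweaked encodings, as the comment above notes, will not decode here; the token matches still fire on the surrounding loader code.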
1

Use the routing table. Dedicate one network interface to the network under attack, and define only the 10.0.0.0 route (or the 192.168.0.0 route, or whatever) to use that interface. Configure a different interface to be the default gateway. This way you can't have a noisy tool make an accidental mistake that would give you away to an IDS.

You can tether the default adapter to your mobile phone if you need internet access during the test.

– John Deters