[Dailydave] Better, more FLAME-like, penetration testing

Dave Aitel dave at immunityinc.com
Thu Sep 26 15:41:28 EDT 2013


So for a long time, Immunity has felt that modern penetration testing
products need to evolve. INNUENDO is our step forward towards a future
that leaps over the next generation of defensive network architectures
which have authenticating HTTP proxies, behavioral anomaly detection,
and layered deep content inspection.

Instead of a feature list, I wanted to put forth a scenario for those of
you in Red Teams that do penetration tests:

You use your exploit framework of choice to phish a few people with a
PDF exploit. Your exploit is written by a professional team and is
highly reliable, and you know it triggered because it downloaded your
trojan from your watering-hole website, but you never got a callback.
This is one of those features of modern well-run networks. It's
sometimes easy to get INTO the network, but hard to get OUT of the
network. INNUENDO is an injectable DLL, so not easy to catch even by
modern AV/HIPS.

By design INNUENDO is highly configurable at build-time, and
hot-patchable at runtime using blocks of code that are strongly signed
and encrypted. One of the core features is that there are channels into
and out of the core message pumps, and these are themselves
hot-swappable. So for PDF exploits, one of the channels you'll use is a
PDF sniffer that sits in the PDF reader and looks at all new PDFs for
signed messages from the C&C. It can then use these to update itself
with, say, a bi-directional ICMP channel, or a Twitter/IMGUR channel
(slightly higher bandwidth). Or a local exploit, of course.

One of the main things we're moving into here is a complete break from
the concept of tunneling connections into a network. Messages move
throughout the network and get routed as they want to. INNUENDO handles
interruptions in connectivity in a completely reliable way - if you
switch to DNS tunneling halfway through a big file transfer because
they've blocked your HTTPS callback, then so be it.

In any case, if you want to be in on the early testing, or want to
budget for it in the new FY, let me know!

Dave Aitel
Immunity, Inc.
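The two mechanisms the post describes, signed control blocks that hot-swap a channel into a message pump, and a transfer that survives its channel being blocked midway, as an added example. This is illustration code written for this page, not INNUENDO or any Immunity code, and every name in it (Channel, MessagePump, seal/unseal, the "swap"/"chunk"/"fin" message layout, the 256- and 40-byte payload caps) is an assumption of the example. A shared-key HMAC stands in for the asymmetric signatures the post describes, and encryption is left out, so the block runs with only the standard library.

```python
# Added example (not INNUENDO code): a message pump that seals every message,
# applies only verified control blocks, and re-chunks a transfer for whatever
# channel is live. HMAC stands in for the post's asymmetric signatures and
# encryption is omitted; channel model and message layout are assumptions.
import base64, hashlib, hmac, json

SIGNING_KEY = b"constructed-example-key"   # assumption: stand-in for a real key
TAG_LEN = hashlib.sha256().digest_size

class ChannelBlocked(Exception):
    pass                                          # the network stopped letting this channel through

class Channel:
    """Named pipe to the C&C with a per-message payload cap (assumed API)."""
    def __init__(self, name, max_payload, inbox, block_after=None):
        self.name, self.max_payload, self.inbox = name, max_payload, inbox
        self.block_after, self.sent = block_after, 0   # inbox stands in for the C&C
    def send(self, blob):
        if self.block_after is not None and self.sent >= self.block_after:
            raise ChannelBlocked(self.name)      # e.g. the proxy started dropping us
        self.sent += 1
        self.inbox.append((self.name, blob))

def seal(msg):
    """Serialize a message and prepend its authentication tag."""
    body = json.dumps(msg, sort_keys=True).encode()
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).digest() + body

def unseal(blob):
    """Return the message if the tag verifies, else None (forged or corrupted)."""
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return json.loads(body) if hmac.compare_digest(tag, expected) else None

class MessagePump:
    """Implant side: routes sealed messages over whichever channel is still live."""
    def __init__(self, channels):
        self.channels = list(channels)           # ordered by preference
    def apply_control(self, blob, registry):
        """Hot-swap in the channel named by a sealed control block; drop bad seals."""
        msg = unseal(blob)
        if msg is None or msg.get("t") != "swap" or msg.get("add") not in registry:
            return False
        self.channels.append(registry[msg["add"]]())
        return True
    def send(self, make_msg):
        """Deliver make_msg(channel) over the first live channel, failing over on block."""
        while self.channels:
            ch = self.channels[0]
            try:
                ch.send(seal(make_msg(ch)))
                return ch
            except ChannelBlocked:
                self.channels.pop(0)             # retry the same message elsewhere
        raise RuntimeError("every channel is blocked")
    def transfer(self, tid, data):
        """Push data as offset-tagged chunks sized for whichever channel carries them."""
        off = 0
        while off < len(data):
            ch = self.send(lambda c: {"t": "chunk", "id": tid, "off": off,
                                      "data": base64.b64encode(data[off:off + c.max_payload]).decode()})
            off += ch.max_payload
        self.send(lambda c: {"t": "fin", "id": tid, "len": len(data)})

def reassemble(inbox):
    """C&C side: verify every blob, then rebuild each finished transfer by byte offset."""
    pieces, finals = {}, {}
    for _, blob in inbox:
        msg = unseal(blob)
        if msg is None:
            continue                             # anything that fails to verify is ignored
        if msg["t"] == "fin":
            finals[msg["id"]] = msg["len"]
        else:
            pieces.setdefault(msg["id"], {})[msg["off"]] = base64.b64decode(msg["data"])
    done = {}
    for tid, length in finals.items():
        buf, seen = bytearray(length), bytearray(length)
        for off, piece in pieces.get(tid, {}).items():
            buf[off:off + len(piece)], seen[off:off + len(piece)] = piece, b"\x01" * len(piece)
        if all(seen):                            # release only gap-free transfers
            done[tid] = bytes(buf)
    return done

def demo():
    """Post's scenario: HTTPS is blocked mid-transfer, a hot-swapped DNS channel finishes."""
    inbox = []
    pump = MessagePump([Channel("https", 256, inbox, block_after=2)])
    registry = {"dns": lambda: Channel("dns", 40, inbox)}
    # A sealed control block (what a PDF sniffer would pull from a document) adds
    # the DNS channel; the same block with a forged tag is rejected.
    added = pump.apply_control(seal({"t": "swap", "add": "dns"}), registry)
    forged = b"\x00" * TAG_LEN + json.dumps({"t": "swap", "add": "dns"}).encode()
    rejected = not pump.apply_control(forged, registry)
    payload = bytes(range(256)) * 3              # constructed 768-byte "big file"
    pump.transfer("t1", payload)
    return {"added": added, "rejected": rejected,
            "intact": reassemble(inbox).get("t1") == payload,
            "https_msgs": sum(n == "https" for n, _ in inbox),
            "dns_msgs": sum(n == "dns" for n, _ in inbox)}
```

Running demo() sends the first two 256-byte chunks over HTTPS, hits the block on the third, and finishes the remaining 256 bytes as seven 40-byte DNS chunks plus the final marker; the C&C side reassembles the file by offset, so the sender never needs to know which bytes already arrived before the switch. The receiver discards any blob whose tag fails to verify, which is the property that lets control blocks travel through untrusted carriers such as a PDF or a public image host.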
