[Dailydave] Better, more FLAME-like, penetration testing

Daniel Clemens daniel.clemens at packetninjas.net
Fri Sep 27 10:34:00 EDT 2013

On Sep 26, 2013, at 2:41 PM, Dave Aitel wrote:

> You use your exploit framework of choice to phish a few people with a PDF exploit. Your exploit is written by a professional team and is highly reliable, and you know it triggered because it downloaded your trojan from your watering-hole website, but you never got a callback. This is one of those features of modern well-run networks. It's sometimes easy to get INTO the network, but hard to get OUT of the network. INNUENDO is an injectable DLL, so not easy to catch even by modern AV/HIPS.
> By design INNUENDO is highly configurable at build-time, and hot-patchable at runtime using blocks of code that are strongly signed and encrypted. One of the core features is that there are channels into and out of the core message pumps, and these are themselves hot-swappable. So for PDF exploits, one of the channels you'll use is a PDF sniffer that sits in the PDF reader and looks at all new PDFs for signed messages from the C&C. It can then use these to update itself with, say, a bi-directional ICMP channel, or a Twitter/IMGUR channel (slightly higher bandwidth). Or a local exploit, of course.
> One of the main things we're moving into here is a complete break from the concept of tunneling connections into a network. Messages move throughout the network and get routed as they want to. INNUENDO handles interruptions in connectivity in a completely reliable way - if you switch to DNS tunneling halfway through a big file transfer because they've blocked your HTTPS callback, then so be it.
> In any case, if you want to be in on the early testing, or want to budget for it in the new FY, let me know!

Awesome, sounds like http://www.youtube.com/watch?v=F3hi5nsy1lE, just not as great on payload protection.

Daniel Uriah Clemens

O +1 202 747 0043 Ext. 7001
M +1 205 567 6850
F +1 205 449 4731

Packet Ninjas LLC
265 Riverchase Pkwy E. Suite 103
Hoover, AL 35244

"Moments of Sorrow are moments of sobriety"
