<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<img alt="INNUENDO" title="INNUENDO LOGO"
src="cid:part1.01020706.02020309@immunityinc.com" width="719"
height="209"><br>
<br>
So for a long time, Immunity has felt that modern penetration
testing products need to evolve. INNUENDO is our step forward
towards a future that leaps over the next generation of defensive
network architectures which have authenticating HTTP proxies,
behavioral anomaly detection, and layered deep content inspection. <br>
<br>
Instead of a feature list, I wanted to put forth a scenario for
those of you in Red Teams that do penetration tests:<br>
<br>
You use your exploit framework of choice to phish a few people with
a PDF exploit. Your exploit is written by a professional team and is
highly reliable, and you know it triggered because it downloaded
your trojan from your watering-hole website, but you never got a
callback. This is one of those features of modern well-run networks.
It's sometimes easy to get INTO the network, but hard to get OUT of
the network. INNUENDO is an injectable DLL, so not easy to catch
even by modern AV/HIPS.<br>
<br>
By design INNUENDO is highly configurable at build-time, and
hot-patchable at runtime using blocks of code that are strongly
signed and encrypted. One of the core features is that there are
channels into and out of the core message pumps, and these are
themselves hot-swappable. So for PDF exploits, one of the channels
you'll use is a PDF sniffer that sits in the PDF reader and looks at
all new PDFs for signed messages from the C&amp;C. It can then use
these to update itself with, say, a bi-directional ICMP channel, or
a Twitter/IMGUR channel (slightly higher bandwidth). Or a local
exploit, of course.<br>
<br>
One of the main things we're moving into here is a complete break
from the concept of tunneling connections into a network. Messages
move throughout the network and get routed as they want to. INNUENDO
handles interruptions in connectivity in a completely reliable way:
if you switch to DNS tunneling halfway through a big file transfer
because they've blocked your HTTPS callback, then so be it.<br>
<br>
In any case, if you want to be in on the early testing, or want to
budget for it in the new FY, let me know!<br>
<br>
Thanks,<br>
Dave Aitel<br>
Immunity, Inc. <br>
<br>
<br>
</body>
</html>