>
> Can any of you pen-testers give me some basic advice on client-side
> exploits and what potential impact they can have on server-side
> infrastructure, and are these included in pen-tests? In my less than expert
> opinion when it comes to client-side exploits, that spells out to me stuff
> like Adobe Reader, whereby to exploit an un-patched version of Adobe
> requires a hacker to somehow trick a user into opening a malicious PDF which
> in turn I assume lets the hacker run some sort of code under the privilege
> of that user.
The potential impact on servers can range from low to high--of course depending on the attack.
When you mention client-side exploits, you are also referring to web attacks such as XSS?
>
> I have read hackers typically target users and unpatched vulns on users'
> workstations in the network/domain that have access to specific servers as
> opposed to targeting unpatched vulns on the server itself, is that true? Are
> unpatched vulns on servers and server apps never targeted from the outside,
> i.e. via dodgy email, malicious websites etc?
In your example, the PDF exploit would also work on a server if it was vulnerable.
When you conduct a pen test you test all systems in scope including servers.
It sometimes is easier to send email to "trusting" users and have them open an attachment. This
is because users use workstations with an email client installed as their everyday computer.
Servers can always be targeted from the outside.
>
> Does this mean then that if you had an un-patched version of Adobe Reader on
> say a Windows 2003 file server, there's no real risk? Admins don't use the
> server to browse the net, open email etc, so how can you trick an admin into
> opening a dodgy PDF on a server?
Autorun, registry entry, or logon script.
>
> Back to the running of malicious code once you have tricked a user into
> opening your malicious PDF, what kind of code is it? What language? And how
> can this code attack the server to get to whatever sensitive data you were
> after? If the server has been hardened with strong passwords, ACLs, patches
> etc, is it going to stand up to this malicious code execution? The thing that
> worries me is if malware can execute code that can bypass Windows security
> features, so technically could a malicious insider if they had that code. I
> just wondered what type of things the code will try and attack if its sole
> focus is getting a copy of sensitive data on a file server.
The language is dependent on the application. For example, Adobe Reader can read/execute JavaScript.
Strong passwords will not defend against a user opening a malicious file. ACLs might help and patches will.
>
> And last but not least, another thing that baffles me is if this dodgy PDF
> gets onto a workstation, it then executes its malicious code and gets onto
> an admin share on a Windows server, and finds 20 Word documents full of
> sensitive restricted data, how does it get these Word documents out and into
> the hands of the hacker? I just can't see how that stage works.
The malicious PDF is crafted to connect back to the attacker and then they can execute commands and browse the internal network.
>
> And is this the kind of thing you include in your pen-tests, i.e. send a
> shed load of dodgy PDFs to corporate users via email and see what kind of
> access and data it gets you access to?
Sometimes yes; depending on scope.
>
> Sorry about my ignorance, but I have read some articles on this subject and
> it makes less sense, so I thought I'd ask the experts. If you can put it in
> layperson's terminology that would help me no end.
>
> Thanks
>
> --
> View this message in context: http://old.nabble.com/Client-Side-Exploits-tp31238041p31238041.html
> Sent from the Penetration Testing mailing list archive at Nabble.com.
>
>
> ------------------------------------------------------------------------
> This list is sponsored by: Information Assurance Certification Review Board
>
> Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
>
> http://www.iacertification.org
> ------------------------------------------------------------------------
Thanks,
Jovon Itwaru
On Mar 25, 2011, at 9:44 AM, cribbar wrote:
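As an added, defender-side example that is not part of this thread or anyone's reply in it: a small Python triage scanner for the PDF pattern Jovon describes (Reader executing JavaScript embedded in a document), run over a constructed sample rather than a real document. The suspicious-name list, the hex-escape handling and the findings wording are this example's own choices, not a standard from the list.

```python
import re
from typing import Dict, List

# Constructed sample for this example (not a real exploit document): a minimal
# PDF whose /OpenAction runs embedded JavaScript, the pattern the thread
# describes. The /JavaScript name is hex-escaped the way evasive samples do it.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /J#61vaScript /JS (app.alert('hi')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Names worth a second look. A hit is a triage signal, not proof of malice:
# legitimate forms use JavaScript too, so route hits to a sandbox or analyst.
SUSPICIOUS_NAMES = ["/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
                    "/EmbeddedFile", "/RichMedia"]

def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes so /J#61vaScript reads /JavaScript. Keyword scanners
    that skip this step miss trivially obfuscated names."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def scan_pdf(data: bytes) -> Dict[str, int]:
    """Count each suspicious name in the de-escaped PDF. A name must end at a
    PDF delimiter or whitespace so /JS does not also match /JSomething."""
    text = normalize_names(data)
    end = rb"(?![^\s()<>\[\]{}/%])"
    return {n: len(re.findall(re.escape(n.encode()) + end, text)) for n in SUSPICIOUS_NAMES}

def triage(data: bytes) -> List[str]:
    """Turn counts into reviewer-facing findings; an empty list means nothing flagged."""
    c = scan_pdf(data)
    findings = []
    if c["/OpenAction"] or c["/AA"]:
        findings.append("action fires automatically on open or on an event")
    if c["/JavaScript"] or c["/JS"]:
        findings.append("embedded JavaScript")
    if c["/Launch"]:
        findings.append("/Launch action (can start an external program)")
    if c["/EmbeddedFile"] or c["/RichMedia"]:
        findings.append("embedded file or rich media payload")
    if re.search(rb"/[^\s()<>\[\]{}/%]*#[0-9A-Fa-f]{2}", data):
        findings.append("hex-escaped name (common obfuscation)")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_PDF):
        print("FLAG:", finding)
```

Feed it the raw bytes of mail attachments at the gateway and quarantine anything with findings for analyst review; compressed object streams in newer PDFs need decompressing first, which this scanner does not do.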