Comments on Errata Security: Yet more blogging blackhat
Blog author: David Maynor (http://www.blogger.com/profile/09921229607193067441)
Comment feed last updated: 2024-01-16T05:48:33.523-05:00

Comment by Stefano (https://www.blogger.com/profile/10370847089315785833), 2007-03-12T16:39:00.000-04:00:

Hi, I was the presenter and I didn't make either of those comments :p

I made a statement that said that COMPUTER ATTACKS are polymorphic, meaning (as you admirably show) that they can be performed in many syntactically different, but semantically equivalent, ways.

ADMmutate was just a quick example that most people know, and that explains the point. I didn't claim that I did "a test with a different engine", either. Did you attend someone else's talk, or am I worse in my English skills than I believed? :)

The rest of your post is so totally and glaringly obvious that only a fool would not agree. Luckily enough, it was born just of a misunderstanding, and therefore, if you look closely at the remainder of my presentation, it doesn't influence a word of what is in it.

Thanks for the comment, even if I would have been glad to receive it on my email as well, as a form of basic courtesy ;)

Comment by Max Caceres (https://www.blogger.com/profile/04982289055107379476), 2007-03-07T17:14:00.000-05:00:

You make a good point about signatures that trigger on a shell prompt.

However, and even though I wouldn't position IMPACT as a fancy IDS evasion tool but a pen-testing one, we actually don't launch a shell unless the user wants to. Exploits use a syscall proxying payload which does not need a shell to do stuff, so I'm surprised you actually saw that. One of the benefits of syscall proxying is actually not having to run a shell on the target.

In fact, I believe this also applies to Metasploit's meterpreter and Canvas, but I can't really speak for them.

Comment by Juan Miguel Paredes (https://www.blogger.com/profile/14027659645575367269), 2007-03-06T16:38:00.000-05:00:

"I'm stumped to think of a valid situation in which those strings would exist un-encoded on the wire, outside of a few proprietary protocols I've seen."

I guess it depends on where your sensor is. I've seen these strings (and more!) when applications are deployed over the wire and even by inventory management systems. Apps downloaded over ftp or http also tend to have this characteristic (isos especially).

While I agree that you shouldn't rely solely on detecting shells, you shouldn't ignore it either. A good defense is spread out, to detect exploit attempts, exploit success and post-exploit activity (i.e. shells, C2 channels, etc.). All network activity leaves some kind of network artifact.

Comment by Rhys Kidd (https://www.blogger.com/profile/09377758607874992932), 2007-03-05T01:26:00.000-05:00:

While "cmd /k" does prevent the DOS header information from being presented back over the network, I'd be interested to see how many other IDS vendors match on "C:\Program Files\..." or "C:\WINDOWS\system32\.." for the simple reason that the shell will still send the present working directory over the network.

I'm stumped to think of a valid situation in which those strings would exist un-encoded on the wire, outside of a few proprietary protocols I've seen.

** I wouldn't advocate building your defenses reliant on picking out the shell traversing the network, as you've already got a major problem when it's at that stage. Also the advent of Meterpreter with on-the-fly SSL encryption of traffic to a custom shell bypasses such sigs.

Comment by Chris Rohlf (https://www.blogger.com/profile/16615531060194715892), 2007-03-02T15:36:00.000-05:00:

I am a bit surprised that polymorphic shellcodes aren't used more considering how available they are these days. But I suppose it is true, why bother if just regular shellcode (which may be less error prone depending on the vulnerability) works just fine.

The few snort shellcode rules that are out there -constantly- trigger on false positives. For example the rule that looks for 0x90. Polymorphic nop sleds, or even plain nop sleds of a different opcode easily bypass this stuff.

The idea of alerting on a long string of 'a' is very laughable.