Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

7/22/2009
03:13 PM
John H. Sawyer
John H. Sawyer
Commentary
50%
50%

Using Malware In Penetration Testing

Huh? That's the exact reaction I had when I first read the title for the blog entry "Pentest Evolution: Malware Under Control."

Huh? That's the exact reaction I had when I first read the title for the blog entry "Pentest Evolution: Malware Under Control."The blog is by Gunter Ollmann and covers pen-testing from a historical perspective, with discussions about how the art (and science) of pen-testing has branched out during the years into specialized areas. It's an interesting read, but I think the article's point is going to be missed or skewed by many because Ollmann uses the term "malware" when talking about exploiting users and client-side applications.

If you were told the company performing pen-testing against your organization was planning to use malware to try and penetrate your systems, then how would your CIO/CISO respond? Probably with a resounding, "Hell, no!" The truth is, we as security professionals use "malware" all the time. I can't tell you how many times I've had my tools folder decimated because my antivirus software decided to forget its exclusion rules and instead deleted a bunch of my tools it deemed malicious.

But in information security, one man's tool is another man's malware. What Ollmann is describing as a pen-test using malware is what Chris Gates of the Carnal0wnage blog has referred to as many times as full-scope penetration testing. In the simplest of terms, instead of limiting a pen-test to only include Internet-facing systems, systems containing sensitive information, or some other arbitrary limitation, a full scope pen-test includes ALL systems -- including users.

Gunter is using the term malware to refer to the tools that currently exist for creating custom code that can be used to compromise systems the same way an attacker would with a malicious Website. His example is saying, "Prove it" when confronted by a statement like: "Drive-by downloads are a fact of life, and all it takes is one unpatched host to browse a dangerous site to infect our network. But that's okay, because we have anomaly detection systems and DLP, and we'll stop them that way."

In truth, there are many do-it-yourself malware creation kits that attacks use, but I don't think any reputable pen-tester is going to go out and get one of them. Instead, we have well-known and well-respected tools, like the Metasploit Framework and Core IMPACT, that provide us with the same capabilities to exploit users and systems through phishing and client-side attacks.

We don't need malware creation kits and the risks of using them....or is that what Ollmann was calling tools like Metasploit or IMPACT? It certainly wouldn't be the first time a tool like netcat or Sysinternals pstools was labeled as malware and deleted by AV, because tools we've used for good as infosec pros were also used for malicious purposes. No matter the distinction, the reality is that comprehensive, full-scope pen-tests using the methods described in Ollmann's blog are taking place, and have been for a couple of years now.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
Nicole Ferraro, Contributing Writer,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15058
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to elevate privileges because the administrative password can be discovered by sniffing unencrypted UDP traffic.
CVE-2020-15059
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to bypass authentication via a web-administration request that lacks a password parameter.
CVE-2020-15060
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to conduct persistent XSS attacks by leveraging administrative privileges to set a crafted server name.
CVE-2020-15061
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to denial-of-service the device via long input values.
CVE-2020-15062
PUBLISHED: 2020-08-07
DIGITUS DA-70254 4-Port Gigabit Network Hub 2.073.000.E0008 devices allow an attacker on the same network to elevate privileges because the administrative password can be discovered by sniffing unencrypted UDP traffic.