I'm working on implementing rootkitting/trojans/browser exploits into my phishing attacks...

I have noticed how easy it is to get users to give up credentials, but sometimes this only provides access to OWA, for example (if that is the only resource available).

The network I'm looking at now doesn't have much of an Internet presence, so I haven't had any luck with any infrastructure or app holes... I got about 5 accounts using the phishing attack above. I also wrote a script to tail Apache custom logs and trend target users' OS, browser, IP, plug-ins, and remote time in hopes of using this to craft a browser attack... But if only OWA is available, I'm initially limited to info harvesting in hopes of finding something good in email (usually sensitive docs).

Which brings me to my question: What are the caveats of using browser exploits or trojans/rootkits to obtain a reverse shell? I would want it to come out over something like HTTP or HTTPS or ICMP or DNS, depending on the internal architecture...

Would one need to worry about the payload being proxy aware? I'm thinking that the proxy should cache credentials and allow the payload outbound, since the user had to initiate the request and download the trojan or visit my site to get exploited... OR would the backdoor or payload need to pass credentials? Shouldn't be a problem... because I already have them :)

Ideas?

JP
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
