Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Social Engineering Website (and Trojan test)
From: Martin Mačok <martin.macok () underground cz>
Date: Sat, 10 Jan 2004 00:50:59 +0100

On Fri, Jan 09, 2004 at 06:32:48AM -0800, Random Task wrote:

The modification we'd like to make to our site would be a remote
exploit of some sort, and I'm not totally sure where to go with that.

It is of utmost importance that this program can be easily and
totally removed after the testing is complete.

Implement expiration in your trojan code and set it for several days
(for duration of the test). After the expiration date make sure the
trojan does not do anything (ie. immediately exit). If you want to it
to be "totally removed", *do not do any* automagic removal in your
code but ask the user to contact his security administrator (and make
sure he knows how to do it).

Each copy of the Trojan could possibly identify itself when it calls
home (unique identifier) so you can tell who forwarded which copy
further in test period.

The "call home" technique is sometimes not trivial. You should test it
*with the help of the client* before the actual test:

 - consult what sort of OS/MUA/browser combination is expected (to not
   use MS Outlook(IE) tricks in Lotus Notes environment etc.),
 - test if the trojan can go "in" in email attachment (sometimes not
   allowed or just removed from the message by SMTP content filters,
   usually by decision based on filename extension) or as a HTML
   message with URL to your webserver/trojan code,
 - test if it is possible to execute the trojan in their typical
   desktop environment and how easy is that (what steps are required
   to be performed by the user),
 - test if the trojan is able to "call home" from their LAN - direct
   TCP/IP connection, http(s) proxy (authentication!), email through
   SMTP server, DNS query etc. You could also place the PC inside their
 - finally, get the list of the target users (email recipients)

Try to make sure the client does understand the test and its purpose.
Especially that he does not plan to use the test results as a "reason"
for firing someone. You don't want to make enemies :-)

* Use IE remote exploits to start a netcat listening session (not
* Create a screen saver application of some sort that would gather
* Create a free automated "security scanner" application similar to

No need to. Just popup some window and do the work in background (make
sure the background job still runs *after* the user closes the window)
or simply do not do anything (only the background job).

Cons to doing this, as I see it: the employee may forward the message
outside their company, skewing results and running on systems without
permission. (this would only be if a screensaver/application were

This happens. Make sure the trojan does not do anything harmful under
any circumstance, only the minimun needed.

         Martin Mačok                 http://underground.cz/
   martin.macok () underground cz        http://Xtrmntr.org/ORBman/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]