What I have found to be the simplest way of confusing Virus scanners is to
compress the file, using one of the "PKLite" style self-decompressing
executable tools. i.e. Take BackOrifice 2000, build it and link it with your
config. Run it - Virus scanner busts you. Run upx on the file. Run the result
- no virus scanner

Rogan

http://upx.sourceforge.net/

> -----Original Message-----
> From: Kimberly S. [mailto:kimsehhingat_private]
> Sent: 10 January 2002 10:28
> To: pen-testat_private; focus-msat_private
> Subject: pen test help please asap
> Importance: High
>
>
> Hi all,
>
> I am currently working on a no holds barred pen test that includes social
> engineering.
> As such, I intend to get a trojan installed onto the client's network via
> email or autostarting CDROM, but want something that is going to not be
> caught by AV software (they say they have Norton AV enterprise wide).
> I was hoping that someone out there in pen test land already had developed
> something of the same ilk and could save me some time by sending me a copy
> or linking to something I could use.
>
> Features desired are:
>
> 1>>
> Machine A on client site makes a configurable encrypted OUTBOUND connection
> to Machine B. Desire a netcat type outbound connection on port 80 that will
> detect and use the client's existing Internet Browser proxy settings. Once
> the connection is made to the outbound host (Machine B), an SMTP mail will be
> sent out to notify that it is active.
> At that point I want to be able to connect to machine B from Machine C and
> leverage that outbound tunnel from Machine A to get back into the
> organization, and have a remote command prompt and or remote desktop control
> of the target (Machine A)
>
>                 -------------------------------
>                 |                             |
>                 |      My slave system        |
>                 |        (machine B)          |
>                 -------------------------------
>                     /|\                /|\
>                      |                  |
>                      |                  |
>        Port 80 / 443 encrypted SSH      |
>          connection or equivalent       |
>                      |                  |
>                      |                  |
>   ------------------------------   ------------------------------
>   |                            |   |                            |
>   |     Client Target sys      |   |     my control system      |
>   |        (machine A)         |   |        (machine C)         |
>   ------------------------------   ------------------------------
>
>
>
> 2>> Source code available so I can confirm no "hidden extras" ;-)
>
> 3>> Autoinstalls on machine A by leveraging a bug in IE or Outlook if
> possible; tho not essential
>
> 4>> Attached to some joke or funny, so the recipient is not suspicious
>
> 5>> Not detected by AV software
>
> 6>> Detects OS; installs as a SERVICE on NT/Win2k/XP systems, else in the
> Run sections of HKLM on Win9x
>
> 7>> Installs at the same level as TinyFirewall or ZoneAlarm, and thus will
> bypass these products (if possible)
>
> 8>> Incorporate a keystroke or screen capture element (if possible)
>
>
>
> I know this is quite a tall order; really the most important element is that
> Machine A makes the outbound connection, and that the traffic at least looks
> a bit like HTTP and it survives a reboot.
>
> Any help would be *so* appreciated!
>
> Sincerely
> Kimberly
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please see:
> https://alerts.securityfocus.com/
> ----------------------------------------------------------------------------

This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
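A defender-side check prompted by Rogan's observation above, added here as an example and not code from either message: it walks a PE section table and flags the UPX0/UPX1 section names a stock UPX build leaves behind, and separately flags any section whose byte entropy is close to 8 bits per byte, which is what compressed code looks like whatever packer produced it. The two sample PE images are constructed inside the block (they are not loadable binaries), and the 7.0-bit entropy threshold is an assumption chosen for the example.

```python
"""Flag UPX-packed PE files by section name and by section entropy.

Added example, not code from the original post. Dependency-free, so it
can be run over a suspicious Windows executable on an analysis box.
"""
import math
import random
import struct

# Section names that a default UPX build writes into the PE section table.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def parse_pe_sections(data):
    """Return [(name, raw_offset, raw_size), ...] from a PE file image.

    Only the fields the check needs are decoded; malformed headers raise
    ValueError rather than being guessed at.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]  # SizeOfOptionalHeader
    table_off = pe_off + 24 + opt_size
    sections = []
    for i in range(num_sections):
        entry = table_off + 40 * i                             # 40-byte section header
        if entry + 40 > len(data):
            raise ValueError("section table truncated")
        name = data[entry:entry + 8].rstrip(b"\0")
        raw_size, raw_off = struct.unpack_from("<II", data, entry + 16)
        sections.append((name, raw_off, raw_size))
    return sections


def shannon_entropy(buf):
    """Bits of entropy per byte (0.0 .. 8.0); compressed data sits near 8."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def packing_indicators(data, entropy_threshold=7.0):
    """Combine the name heuristic and the entropy heuristic into one verdict."""
    sections = parse_pe_sections(data)
    upx = [n.decode("ascii", "replace") for n, _, _ in sections
           if n in UPX_SECTION_NAMES]
    high = [n.decode("ascii", "replace") for n, off, size in sections
            if size and shannon_entropy(data[off:off + size]) >= entropy_threshold]
    return {"upx_sections": upx,
            "high_entropy_sections": high,
            "likely_packed": bool(upx or high)}


def build_pe(sections):
    """Construct a minimal PE image for testing (constructed sample, not loadable).

    The optional header is omitted (SizeOfOptionalHeader = 0); that is enough
    for the section-table walk above but would never run as a program.
    """
    pe_off = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    raw_off = pe_off + 24 + 40 * len(sections)   # raw data follows the table
    table, bodies = b"", b""
    for name, body in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"),
                             len(body), 0, len(body), raw_off, 0, 0, 0, 0, 0)
        bodies += body
        raw_off += len(body)
    return dos + b"PE\0\0" + coff + table + bodies


# Constructed samples: an unpacked image with low-entropy code, and a
# UPX-style image whose UPX0 section is empty on disk and whose UPX1
# section holds compressed (here: seeded pseudo-random) bytes.
_rng = random.Random(1)
PLAIN_PE = build_pe([(b".text", b"\x55\x8b\xec\x90" * 128),
                     (b".data", b"\0" * 256)])
UPX_PE = build_pe([(b"UPX0", b""),
                   (b"UPX1", bytes(_rng.getrandbits(8) for _ in range(4096))),
                   (b".rsrc", b"\0" * 256)])

if __name__ == "__main__":
    for label, image in (("plain", PLAIN_PE), ("upx", UPX_PE)):
        print(label, packing_indicators(image))
```

Both signals are triage hints rather than verdicts: the UPX section names are trivial to change, so the name match alone is weak, while the entropy test also catches renamed packers but fires on legitimately compressed resources too. Surfacing both lists, rather than a single boolean, lets an analyst see which one tripped.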
This archive was generated by hypermail 2b30 : Fri Jan 11 2002 - 11:35:10 PST