Recognize-Security

Client-Side Vulnerabilities and Penetration Testing

Posted by Trancer on Mar 17 2009

Code Obfuscation In today’s world the Internet is not what it used to be. Back in the days hacking was pretty easy – an attacker who wants to penetrate a company network just had to do a little reconnaissance – host discovery, port scanning, OS and services detection to find a vulnerable service, fire up an exploit and that’s all there is to it.
Scenarios of such are almost impossible these days. The vast majority of companies have heavily protected internal networks from outside threats. Thanks to firewalls, IDS/IPS’s, content/web filtering appliances, anti-virus/spyware software, SIM/SOC products and etc’, penetrating a company internal network is a really hard job. Therefore, the easiest way for an attacker to penetrate a company internal network is to attack her weakest link – Users.
Anyone in the IT/information security field who’s aware of attacks and exploitation trends for the past few years knows the statistics – attackers are now attacking users, or in other words, exploiting client-side vulnerabilities. A quick look at the exploits posted daily on milw0rm proves this fact. Or, reading the statistics of the Mass SQL Injection attacks and how it got so damn popular in the last couple of years. Exploiting client-side vulnerabilities actually works quite efficiently, and that’s what attackers exploit.
In the attackers arsenal you’ll find tons of exploits targeting users desktops. It starts with web browser exploits and ActiveX exploits (various IE toolbars and other), through 3rd party applications exploits (Adobe Reader, Adobe Flash, Apple QuickTime, RealPlayer and more) and various fileformat exploits, targeting Microsoft Office and other office suites, media players, image viewers and what not. Attackers are able to exploit users desktops in so many ways and so easily that most of the time attacks will be successful.

The following presentation is about this subject, and demonstrating it well using the Metasploit Framework. It’s called Attacking Layer 8: Client-Side Penetration Testing, presented at SOURCE Boston 2009 by the guys of Full Scope Security and they doing a great job explaining how client-side vulnerabilities risk companies more then any other threat these days.

Or you can watch it on their web site – Attacking Layer 8: Client-Side Penetration Testing.

Categories: Presentations

0 Comments | Comments RSS | TrackBack URL

Recognize-Security Welcome to the Machine March 2009

Client-Side Vulnerabilities and Penetration Testing Posted by Trancer on Mar 17 2009 In today’s world the Internet is not what it used to be. Back in the days hacking was pretty easy – an attacker who wants to penetrate a company network just had to do a little reconnaissance – host discovery, port scanning, OS and services detection to find a vulnerable service, fire up an exploit and that’s all there is to it. Scenarios of such are almost impossible these days. The vast majority of companies have heavily protected internal networks from outside threats. Thanks to firewalls, IDS/IPS’s, content/web filtering appliances, anti-virus/spyware software, SIM/SOC products and etc’, penetrating a company internal network is a really hard job. Therefore, the easiest way for an attacker to penetrate a company internal network is to attack her weakest link – Users. Anyone in the IT/information security field who’s aware of attacks and exploitation trends for the past few years knows the statistics – attackers are now attacking users, or in other words, exploiting client-side vulnerabilities. A quick look at the exploits posted daily on milw0rm proves this fact. Or, reading the statistics of the Mass SQL Injection attacks and how it got so damn popular in the last couple of years. Exploiting client-side vulnerabilities actually works quite efficiently, and that’s what attackers exploit. In the attackers arsenal you’ll find tons of exploits targeting users desktops. It starts with web browser exploits and ActiveX exploits (various IE toolbars and other), through 3rd party applications exploits (Adobe Reader, Adobe Flash, Apple QuickTime, RealPlayer and more) and various fileformat exploits, targeting Microsoft Office and other office suites, media players, image viewers and what not. Attackers are able to exploit users desktops in so many ways and so easily that most of the time attacks will be successful. The following presentation is about this subject, and demonstrating it well using the Metasploit Framework. It’s called Attacking Layer 8: Client-Side Penetration Testing, presented at SOURCE Boston 2009 by the guys of Full Scope Security and they doing a great job explaining how client-side vulnerabilities risk companies more then any other threat these days. Or you can watch it on their web site – Attacking Layer 8: Client-Side Penetration Testing. Categories: Presentations 0 Comments \| Comments RSS \| TrackBack URL Leave a Reply Click here to cancel reply. Name (required) Mail (will not be published) (required) Website	Categories Advisories Articles Exploitation Exploits LOLz Malware Metasploit Presentations Rec-Sec Security News Tools Vulnerabilities Web Application Security Archives March 2010 January 2010 December 2009 November 2009 October 2009 September 2009 August 2009 July 2009 June 2009 May 2009 April 2009 March 2009 February 2009 December 2008 November 2008 October 2008 September 2008 August 2008 January 2008 June 2007 May 2007 April 2007 March 2007 February 2007 Pages About Recognize-Security Links BinaryVision BlackHat Security BugSec Ltd. Digital Whisper Extraexploit Inj3ct0r exploit database milw0rm NiX IRC Network NullByte Pankaj Kohli Peter Van Eeckhoutte The Metasploit Project TryThis0ne Udi Mosayev Uninformed xorl eax, eax Meta RSS 2.0 ATOM 1.0 RDF 1.0 Links OPML OpenSearch
Valid XHTML \| Valid CSS \| RSS \| Comments RSS Copyright © 2009 Recognize-Security. Some rights reserved. ~~Security~~ Hacking, However, is an art, not a science.

March 2009

Client-Side Vulnerabilities and Penetration Testing

Leave a Reply