Gilks

Knowledge Transfer

Bypass Cisco AnyConnect Hostscan

What is Hostscan? Hostscan is a feature of Cisco AnyConnect. When a host attempts to VPN into a network, Hostscan verifies that specific settings are in place. A common example is ensuring that antivirus (AV) software is installed. Other examples include looking for specific registry keys, checking for a firewall, etc. From an attacker's standpoint, this can be a huge pain. What if I want to VPN in with my Linux box but the environment mandates AV?

Enumerating RIDs (enumerid)

What is enumerid? Enumerid is an impacket-based Relative Identifier (RID) enumeration utility. It was initially created to solve a common problem that attackers face after an initial compromise: getting oriented within the network. Historically this means looking through ARP tables, VPN routes, Wireshark captures, etc. With a valid set of credentials, you can now enumerate all valid network ranges, even if you don't currently have access to them.

Backpack LAN aka PacLan

The Scenario: The client would like to test the controls in their environment as if I were an employee. This means performing the testing from a heavily restricted Windows machine, because outside equipment is not authorized. Users are not local admins, and the group policies applied to employee workstations are quite restrictive (e.g. no mass storage). To top it off, this environment utilizes application whitelisting. The Goal: The goal of the test is to find any gaps in their procedures or controls that would allow an employee to get away with something nefarious.

Blocking Group Policy

You're on an engagement and have just obtained your first set of credentials. Score! You attempt to join your Windows VM to the domain and are greeted with a warm message: "Welcome to the __ domain". You're excited to have your initial foothold in the network, but you quickly realize these credentials don't provide much access. We need to go deeper! You start looking for ways to elevate your access in the network.

Fuzzing With Boofuzz – Primer

Introduction: On one of our recent engagements we were tasked with testing a network protocol for DoS conditions. Naturally this engagement led us to explore the various fuzzers that are currently available. After going through a few options, I came across a Python fuzzing framework on GitHub called Sulley. The framework looked to be unmaintained, which led to the discovery of boofuzz. Boofuzz is a fork of the Sulley fuzzing framework and is actively maintained.