Hello and welcome to another Penetration Testing Execution Standard discussion. Today we're going to be looking at countermeasures within the exploitation phase of the PTES standard. Now a quick disclaimer. PTES videos do cover techniques and tools that could be used for system hacking, so any tools discussed or techniques discussed and demonstrated should be researched and understood by the user. Please research your laws and regulations regarding the use of such tools in your given area to ensure that you do not get into any trouble with the law. Now let's jump into the objectives for today's discussion. So we're going to look at defining what countermeasures are.
We're going to look at some different types of countermeasures, such as antivirus, whitelist bypass, process injection, and memory-resident, you know, for bypassing countermeasures. And so again, this is a combination of a countermeasure discussion and some applicable ways to bypass them. We're going to look at DEP and web application firewalls within this particular discussion.
What are countermeasures? Well, countermeasures are defined as a preventative technology or controls that hinder the ability to successfully complete an exploit avenue. So it could be, again, host-based intrusion prevention, security guards if we're talking physical countermeasures, web application firewalls; really, any method that we're putting in place to prevent something from being successful, as far as an attack.
So when performing an exploit, several factors should be taken into consideration in the event that we have preventative technology. Circumvention techniques should be considered; when this is not possible, alternative exploit methods should be considered. Now, it's important to remember the exploitation avenue in consideration should only be attempted if it's allowed within the rules of engagement and the scope of service, or scope of work. So if those things are not allowed, or they're not a part of the rules of engagement, or the system is not in scope, then we should not consider attacking those systems or attempting to circumvent any controls in those cases,
so let's jump into some types of countermeasures.
So starting this off is good old antivirus. Antivirus, of course, is a technology that's aimed at preventing malicious software from being deployed on a system. We should be able to identify these types of antivirus technologies and protect against them, as far as working against those technologies or kind of obfuscating our code against those technologies. Depending on whether the antivirus is signature-based or uses heuristics, that could be a determination in how we approach that.

Now, there are some techniques for bypassing antivirus. So encoding is when we scramble the information and rearrange the order of the particular exploit that we're trying to pass through that antivirus. And so the hope here is that if it's a signature-based system, we'll be able to trick it by rearranging the way that exploit looks, and essentially it won't match the signature. Packing essentially uses compression in an attempt to, of course, pack the payload and bypass antivirus. And then we've got encryption, which attempts to bypass protections by making the code unrecognizable to the antivirus as well. So each of these is more so a manner to get one over on signature-based antivirus. If it's looking at behavior and it's more an endpoint detection and response tool, then we're probably looking at attempting to do some of these things to get it past the first hurdle of signature-based detection. But then, if the payload attempts to run processes or do things that are common with certain attack types, and its heuristics pick up on some type of, you know, a way that it's trying to attack the system, that may get caught.
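As an added illustration from the defender's side (this is not code from the video or from the PTES), here is the kind of check a scanner uses to notice the packing and encryption just described even when no signature matches: packed or encrypted payloads have a near-random byte distribution, so a windowed Shannon entropy scan flags the region that holds them, and a whole-file score alone would miss a small blob hidden in an otherwise ordinary file. The sample bytes are constructed (repeated ASCII standing in for a normal section, SHA-256 output standing in for a packed blob), and the window size of 512 bytes, the 7.0 bits/byte threshold and the function names are my own choices.

```python
import hashlib
import math
from collections import Counter
from typing import List


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte: 0.0 for empty or
    single-valued input, 8.0 for a perfectly uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(data: bytes, window: int = 512,
                         threshold: float = 7.0) -> List[int]:
    """Slide a fixed-size window over `data` and return the offsets of every
    window whose entropy is at or above `threshold`. Compressed or encrypted
    bytes sit close to 8 bits/byte; plain code and text sit well below that.
    (Window size and threshold are example values, not a published standard.)"""
    return [
        off
        for off in range(0, len(data) - window + 1, window)
        if shannon_entropy(data[off:off + window]) >= threshold
    ]


def verdict(data: bytes, window: int = 512) -> str:
    """Coarse triage label: nothing flagged, everything flagged, or a mix,
    which is what a packed section inside a normal file looks like."""
    flagged = high_entropy_regions(data, window=window)
    if not flagged:
        return "low-entropy"
    total_windows = max(1, len(data) // window)
    return "fully-high-entropy" if len(flagged) == total_windows else "mixed"


# --- constructed sample file (not a real binary) -----------------------------
# 1024 bytes of repetitive ASCII standing in for an ordinary code/text section.
_TEXT = (b"This program cannot be run in DOS mode.\r\n" * 40)[:1024]
# 2048 bytes of hash output standing in for a packed or encrypted blob.
_BLOB = b"".join(
    hashlib.sha256(b"constructed-sample-%d" % i).digest() for i in range(64)
)
SAMPLE = _TEXT + _BLOB + _TEXT[:512]

if __name__ == "__main__":
    print("whole-file entropy: %.2f bits/byte" % shannon_entropy(SAMPLE))
    for off in high_entropy_regions(SAMPLE):
        print("high-entropy window at offset 0x%04x" % off)
    print("verdict:", verdict(SAMPLE))
```

Run it and the four windows covering the hash blob (offsets 1024 through 2560) are reported while the ASCII windows before and after it are not, giving a "mixed" verdict. Entropy is a triage signal, not a verdict on its own: legitimately compressed resources and certificates score high too, so in practice the flagged region is what gets passed on to behavioural or heuristic analysis, which is the second hurdle the discussion above mentions.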
But we could at least try to get past the first part of the antivirus. Now, whitelist bypassing. So whitelisting technology essentially leverages a trusted module for applications that have been seen on a given system at a time. So the technology takes a baseline of the system
and identifies what is normal
to be run on the system versus something foreign, and so we should be able to circumvent these types of technologies. The common method is through direct memory access. Whitelisting doesn't have the capability to monitor memory in real time, and if a memory-resident program is running and not touching the disk, then it can be run without detection by the particular whitelisting tool. So that's why a lot of times when we get into engagements that involve forensics, if the system hasn't been rebooted, we want to try to capture what's in memory so that we can see if the attacker used something that was memory-resident to, you know, bypass controls and things of that nature. So
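As an added example (not from the video), the memory-side check described above can be reduced, on Linux, to a triage pass over /proc/<pid>/maps: executable regions with no backing file, with a backing file that was deleted after mapping, or backed by a memfd are what a memory-resident payload that never touches disk looks like, and they are exactly what a file-based whitelist never sees. The maps lines below are constructed (addresses, inodes and paths are made up), the function names and reason strings are my own, and scan_pid reads a live process and needs permission to read its maps.

```python
import re
from typing import Dict, List, Optional

# One /proc/<pid>/maps line: "start-end perms offset dev inode [pathname]"
_MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)


def parse_maps_line(line: str) -> Optional[Dict]:
    """Parse one maps line into a dict, or None if it is not a maps line."""
    m = _MAPS_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "start": int(d["start"], 16),
        "end": int(d["end"], 16),
        "perms": d["perms"],
        "inode": int(d["inode"]),
        "path": d["path"].strip(),
    }


def suspicious_reasons(region: Dict) -> List[str]:
    """Why an executable region looks like it was never loaded from a trusted file."""
    perms, path = region["perms"], region["path"]
    reasons: List[str] = []
    if "x" not in perms:
        return reasons                      # only executable memory matters here
    if "w" in perms:
        reasons.append("writable+executable")
    if path.startswith("[") and path.endswith("]"):
        return reasons                      # [vdso], [vsyscall], [stack]: kernel-provided
    if not path or region["inode"] == 0:
        reasons.append("anonymous executable mapping (no file backing)")
    else:
        if "/memfd:" in path:
            reasons.append("backed by memfd (RAM-only file)")
        if path.endswith("(deleted)"):
            reasons.append("backing file deleted after mapping")
    return reasons


def find_suspicious_mappings(maps_text: str) -> List[Dict]:
    """Return every region that has at least one reason, with its reasons attached."""
    findings = []
    for line in maps_text.splitlines():
        region = parse_maps_line(line)
        if region is None:
            continue
        reasons = suspicious_reasons(region)
        if reasons:
            findings.append({**region, "reasons": reasons})
    return findings


def scan_pid(pid: int) -> List[Dict]:
    """Apply the same triage to a live Linux process (needs permission to read its maps)."""
    with open(f"/proc/{pid}/maps") as fh:
        return find_suspicious_mappings(fh.read())


# Constructed sample maps output; addresses, inodes and paths are made up.
SAMPLE_MAPS = """\
55d4c2a00000-55d4c2a10000 r-xp 00000000 fd:01 1234567 /usr/bin/example
7f1a2b000000-7f1a2b021000 rw-p 00000000 00:00 0
7f1a2b021000-7f1a2b041000 rwxp 00000000 00:00 0
7f1a2c000000-7f1a2c1d0000 r-xp 00000000 fd:01 7654321 /usr/lib/x86_64-linux-gnu/libc.so.6
7f1a2c400000-7f1a2c410000 r-xp 00000000 00:00 0
7f1a2c500000-7f1a2c520000 r-xp 00000000 00:05 4242 /memfd:sample (deleted)
7ffd12345000-7ffd12366000 rw-p 00000000 00:00 0 [stack]
7ffd123a0000-7ffd123a2000 r-xp 00000000 00:00 0 [vdso]
"""

if __name__ == "__main__":
    for hit in find_suspicious_mappings(SAMPLE_MAPS):
        print("%012x-%012x %s %s" % (hit["start"], hit["end"], hit["perms"],
                                     "; ".join(hit["reasons"])))
```

On the sample, the two anonymous executable regions and the deleted memfd mapping are reported; the file-backed program and libc, the stack and the vDSO are not. The same idea is what a memory capture taken before reboot lets you do after the fact, and what an EDR does continuously; JIT runtimes legitimately create anonymous executable memory, so findings are a lead for the analyst, not an alert by themselves.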
that can be applied in our efforts in the exploitation phase of testing as well to kind of circumvent those technologies.

Now, data execution prevention. Data execution prevention is essentially a defensive measure implemented into most operating systems, and it prevents execute permission when an overwrite in memory has occurred. So this is common when you're trying to work around applications to perform maybe something like a buffer overflow attack. DEP is a component that essentially stops the attacker from rewriting memory and then executing that code. And so we work on what's called return-oriented programming to bypass this, and essentially it's having your payload execute in a space not protected by DEP. This is probably outside of the scope of the PTES discussion to get any deeper than that. And if you want to do more research on memory-based attacks, as far as doing buffer overflow attacks and bypassing DEP and ASLR and things like that, then you're going to probably want to do some additional research and watch some of the videos on actually putting together buffer overflow attacks.
Now, web application firewalls are a technology that essentially sits inline with an application that may be web-facing to protect against web-based application attacks. And so they attempt to identify dangerous or malformed attacks towards a given web application, and it tries to prevent them. So there are a number of bypass techniques that you can try. Wildcards are a great one. So essentially, you use wildcards that the system recognizes, so that once passed through the firewall, the system will see those and attempt to execute the wildcards, and some firewalls won't recognize that you're attempting to do that. They'll just see that as normal traffic, as non-threatening, and it will just pass that along. Then bypassing parameter verification and sending malformed HTTP methods. And so some firewalls may not pick up on other HTTP methods, and it may allow you to send information in that manner and bypass protections,
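As an added example from the defender's side (not code from the video or the PTES), this is the parameter-verification and method-handling logic that closes the three gaps just listed: an exact allowlist of HTTP methods instead of a blocklist, a positive schema for every parameter the endpoint accepts, and bounded percent-decoding before the check so that an encoded wildcard character is judged in the form the application would actually see. The allowed methods, the schema and the sample values are constructed for the example, and the function names are my own.

```python
import re
from typing import Dict, Tuple
from urllib.parse import unquote_plus

# Exact-match, case-sensitive allowlist: "get", "TRACE" or a made-up verb are
# rejected rather than passed through because no blocklist rule named them.
ALLOWED_METHODS = {"GET", "POST"}

# Positive validation: every parameter the endpoint accepts, with the only
# shape it may take. Anything not listed here is rejected, not ignored.
PARAM_SCHEMA = {
    "id": re.compile(r"[0-9]{1,10}"),
    "q": re.compile(r"[A-Za-z0-9 ]{1,64}"),
}


def canonicalize(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so a doubly
    encoded byte such as %252A is judged as the '*' the application will see."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def validate_request(method: str, params: Dict[str, str]) -> Tuple[bool, str]:
    """Return (accepted, reason). Rejection reasons are for the server log."""
    if method not in ALLOWED_METHODS:
        return False, f"method not allowed: {method!r}"
    for name, raw in params.items():
        pattern = PARAM_SCHEMA.get(name)
        if pattern is None:
            return False, f"unexpected parameter: {name!r}"
        value = canonicalize(raw)
        if not pattern.fullmatch(value):
            return False, f"parameter {name!r} failed validation after decoding: {value!r}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed requests, not captured traffic.
    for method, params in [
        ("GET", {"id": "42"}),            # accepted
        ("POST", {"q": "hello+world"}),   # '+' decodes to a space, still in the schema
        ("GET", {"id": "%2534"}),         # double-encoded "4", accepted after decoding
        ("get", {"id": "42"}),            # not the allowlisted spelling of the method
        ("TRACE", {"id": "42"}),          # method the endpoint never uses
        ("GET", {"id": "4%2A"}),          # decodes to "4*", not a number
        ("GET", {"id": "42", "debug": "1"}),  # parameter the endpoint never declared
    ]:
        print(method, params, "->", validate_request(method, params))
```

The point of the design is that the wildcard and alternate-method tricks above work against a firewall that only looks for known-bad strings in raw input; a check that decodes first and then asks "is this one of the few shapes I expect" has nothing to be tricked with, because a wildcard in a numeric field fails for being non-numeric, not for matching a signature.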
so each of these is a valid method when attempting to bypass a web application firewall. So with that in mind, let's go ahead and jump into our check on learning.
True or false: encoding is an antivirus bypass method where the attacker encrypts the payload.
All right, so if you need additional time to look over the question, please pause the video.
So remember, encoding is when we scramble things up and rearrange things in order to attempt to bypass antivirus. Encryption is when we encrypt the payload. And so, in this case, we're not doing encryption in encoding. And so this statement does ring false, as far as this particular question. So with that, let's jump into our summary.
So today we went over quite a few things. We described what countermeasures are. We described some types of countermeasures and some bypass methods, so whitelisting, antivirus, process injection, memory-resident type methods for bypassing whitelisting and things of that nature. We described what DEP was at a high level and essentially the method for bypassing that; it's common in buffer overflow type attacks against applications. And then we described a web application firewall. Essentially, it is a device or software that sits between a web app and the Internet, and it attempts to see if someone is attempting to do malicious things against the site, and we can bypass those again by doing things like wildcards and alternative HTTP methods when we're attempting to get that system to respond in a manner that would allow us to bypass those protections. So with that in mind, I want to thank you for your time today, and I look forward to seeing you again soon.