Re: Exploit package analysis

From: Mattias Ahnberg (mattias@ahnberg.pp.se)
Date: Fri Jul 29 2005 - 07:35:13 EDT


Erin Carroll wrote:
> My question to all of you is what are some basic sandbox tools you would
> recommend to pursue this? Does anyone work in a similar vein and has the
> experience been helpful in your pen-testing work?

I normally use VMware with one or more boxes in a virtual VMware-internal
network to test things out. It's easy to take a snapshot, entirely trash a
system, press a button and revert all changes back to the state it was in
before you began. A _huge_ timesaver when debugging & analyzing.

In Windows I run tools like ethereal, sysinternals tools (filemon, regmon
and whatever else suits your current needs) and ollydbg for example. As a
complement to the Windows box I usually have another virtual machine alive
with Linux on it; I run a VMware internal network and use the Linux box as
default gateway for the Windows box, and therefore see all traffic that
the box attempts to send out when infected.

On the Linux (or whatever OS you favor at the time) box it is useful to
run something like dsniff's arpspoof & dnsspoof.

There are a million ways you can do things like this. But perhaps this is
of some use to someone. :)

-- 
/ahnberg.
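A DNS sinkhole of the kind the dnsspoof step on the gateway VM provides, as an added example that is not part of the original post: it answers every A query from the infected Windows VM with the analysis box's own address so call-outs stay inside the VMware-internal network, and logs what was asked. The sinkhole address 10.0.0.1 and single-question, uncompressed queries are assumptions.

```python
import socket
import struct

SINKHOLE_IP = "10.0.0.1"  # assumed address of the Linux gateway VM on the internal network


def parse_query_name(packet):
    """Return (qname, offset just past the question) for a single-question DNS query."""
    labels = []
    pos = 12  # skip the 12-byte DNS header
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels), pos + 4  # skip QTYPE and QCLASS


def build_sinkhole_response(query, sinkhole_ip=SINKHOLE_IP):
    """Answer an A query with sinkhole_ip (TTL 60); other query types get an empty answer."""
    txid = query[:2]
    qname, qend = parse_query_name(query)
    qtype, qclass = struct.unpack("!HH", query[qend - 4:qend])
    question = query[12:qend]
    answer = b""
    ancount = 0
    if qtype == 1 and qclass == 1:  # A record, IN class
        # name pointer to offset 12, then TYPE A, CLASS IN, TTL, RDLENGTH 4, RDATA
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(sinkhole_ip)
        ancount = 1
    flags = 0x8180  # standard response, recursion available, no error
    header = txid + struct.pack("!HHHHH", flags, 1, ancount, 0, 0)
    return header + question + answer


def serve(bind_addr="0.0.0.0", port=53):
    """Listen on UDP/53 on the gateway, log each lookup, and reply with the sinkhole address."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            data, peer = sock.recvfrom(512)
            qname, _ = parse_query_name(data)
            print(f"{peer[0]} asked for {qname}")
            sock.sendto(build_sinkhole_response(data), peer)


if __name__ == "__main__":
    serve()
```

Run it as root on the Linux gateway after pointing the Windows VM's DNS at that box; the printed lookups are the domains the sample tried to reach.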


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:40 EDT