What I do?

I am an Information Risk Consultant and Penetration Tester. I specialize mostly in penetrating secure networks and computer systems, where I simulate an organized professional attack against your organization; after that, a detailed report with the weaknesses and exploited vectors is summarized. This will help you gain control over your infrastructure's security and maximize your protection.

Thursday, October 31, 2013


I have had many assessments where I have gone head to head with Symantec, McAfee and other security products, and KAV once in a while, but this year I had a chance to face KES, or rather Kaspersky Endpoint Security, and KSN, the Kaspersky Security Network.

Now, a lot of pentesters get scared of some of the AVs and HIDS that these endpoint products host. But as a security professional, you should know that nothing is impenetrable, and you should not give in, since the bad guys who come after such an organization won't.

I have seen pentest reports from the majority of our security companies, and most of them report that they see a vulnerability (from a scanner), but they can't penetrate the system, and thus the assessment changes into a vulnerability assessment. I know most of you can't agree with that statement, but it's a fact and you know it. I got myself into such a situation last month against a WAF when doing a pentest, and I couldn't report it as a VA; that is a blog post for another week.

So let's go back to Kaspersky and understand it.

We know Kaspersky as KAV, or rather Kaspersky Antivirus, which as a matter of fact is one of the best. Expensive as the product is, you will find it in most secure networks, especially financial infrastructures worldwide, and I think that's where KSN came from. Kaspersky will find worms, trojans, malware, viruses and botnet callbacks and neutralize them. With KSN, all the users of the product from around the world are connected together in some way, via Kaspersky Labs, to help with the identification of malware, new and old, and to reduce the time it takes to neutralize it.

Understanding the product and the target using it are vitally important during an attack. A lot of us do target profiling during the threat intelligence phase, but we forget the need to understand the AV and its background. Just as when we find the LimeSurvey CMS on a target we download it from its main source website and run it in our virtual network to understand it, we should deal with AVs the same way.

Kaspersky, when installed on a domain network, will have a main server that installs agents on each machine on the network that is joined to the domain, but the admin panel has no password login, so if you access the server that hosts the administration, you can easily administer the agents on the workstations and other servers.

KES still doesn't catch polymorphic intrusions; if you have good experience in executing such malware you will have a good way in. It's all about experience and making the infrastructure believe your executables are to be trusted. Such an operation should be tested virtually before execution on a network that you are testing.

If you gain access to the box and add your user to the domain with 'net user', this is the screen you will get: KES will gladly welcome you.
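Since the endpoint product welcomes the account creation above, the defender's fallback is the domain controller's Security log. As an added example that is not part of the original post and not Kaspersky's or Microsoft's code, here is a small Python checker that reads Windows Security event records and flags accounts that were created (event ID 4720) and then added to a privileged group (event IDs 4728/4732) within a short window. The event IDs are the real Windows Security IDs; the simplified key=value line format, the hosts (DC01) and the account names are constructed for the example.

```python
"""Flag freshly created domain accounts that land in a privileged group.

Added example, not code from the original post or from Kaspersky/Microsoft.
The log lines below are CONSTRUCTED sample data in a simplified key=value
format; only the event IDs are real Windows Security event IDs.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Real Windows Security event IDs
USER_CREATED = 4720            # A user account was created
ADDED_TO_GLOBAL_GROUP = 4728   # Member added to a security-enabled global group
ADDED_TO_LOCAL_GROUP = 4732    # Member added to a security-enabled local group

# Groups whose membership changes deserve an alert (assumed list, extend as needed)
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed sample log (hypothetical host DC01 and hypothetical accounts)
SAMPLE_LOG = """\
2013-10-31T09:12:03 host=DC01 id=4624 subject=CORP\\jdoe target=- group=-
2013-10-31T09:14:10 host=DC01 id=4720 subject=CORP\\svc_backup target=CORP\\support2 group=-
2013-10-31T09:14:12 host=DC01 id=4728 subject=CORP\\svc_backup target=CORP\\support2 group=Domain Admins
2013-10-31T11:02:44 host=DC01 id=4720 subject=CORP\\hr_admin target=CORP\\newhire group=-
2013-10-31T11:40:00 host=DC01 id=4728 subject=CORP\\hr_admin target=CORP\\newhire group=Sales
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) id=(?P<id>\d+) "
    r"subject=(?P<subject>\S+) target=(?P<target>\S+) group=(?P<group>.*)$"
)


@dataclass
class Event:
    ts: datetime
    host: str
    id: int
    subject: str   # account that performed the action
    target: str    # account that was created / added
    group: str     # group name for 4728/4732, "-" otherwise


def parse_log(text):
    """Parse the simplified key=value lines into Event objects, skipping junk."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(Event(datetime.fromisoformat(m["ts"]), m["host"],
                            int(m["id"]), m["subject"], m["target"],
                            m["group"].strip()))
    return events


def account_creations(events):
    """Every 4720: each new domain account should be reviewed, AV alert or not."""
    return [(e.ts, e.subject, e.target) for e in events if e.id == USER_CREATED]


def find_suspicious(events, window=timedelta(minutes=10)):
    """Return alerts for accounts created and then put in a privileged group
    within `window`. Each alert is a dict with account, creator, group and
    the delay in seconds between creation and group change."""
    created = {}   # target account -> creation Event
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.id == USER_CREATED:
            created[ev.target] = ev
        elif ev.id in (ADDED_TO_GLOBAL_GROUP, ADDED_TO_LOCAL_GROUP) \
                and ev.group in PRIVILEGED_GROUPS:
            origin = created.get(ev.target)
            if origin is not None and ev.ts - origin.ts <= window:
                alerts.append({
                    "account": ev.target,
                    "creator": origin.subject,
                    "group": ev.group,
                    "delay_s": (ev.ts - origin.ts).total_seconds(),
                })
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ts, who, acct in account_creations(evs):
        print(f"{ts} account created: {acct} by {who}")
    for a in find_suspicious(evs):
        print(f"ALERT: {a['account']} created by {a['creator']} and added to "
              f"{a['group']} after {a['delay_s']:.0f}s")
```

Run against the constructed sample, the checker lists both account creations and raises one alert for support2, which was added to Domain Admins two seconds after being created; newhire goes into Sales and is only listed, not alerted on. On a real domain the same logic would be fed from the Security log (for example via Get-WinEvent on the DC) rather than from an embedded string.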

Don't change a pentest into a vulnerability assessment and tell the client that it was a penetration test just because an AV stopped you. The bad guys will not.

1 comment:

bonbonboi said...

Hi Chucks,
I have enjoyed reading your blog, even though I am not an IT security specialist. Thank you.