SlideShare a Scribd company logo

BSides Philly Finding a Company's BreakPoint

Download as PPT, PDF
Andrew McNicol
Andrew McNicol

We cover modern day hacking techniques to establish a foothold into a target network. This is a great introduction to hacking techniques to those new to pentesting, with hopes of breaking the mindset of "scan then exploit".

Technology
1 of 48
Finding a Company’s BreakPoint By: Zack Meyers & Andrew McNicol
Modern Day Hacking
Agenda ~$ whoami Overview Our Methodology How to Go Beyond a Scan 1. Phishing 2. Web Application Vulnerabilities 3. Multicast Name Resolution Poisoning 4. SMB Relay Attacks 5. Account Compromise Final Thoughts and Tips Useful Training and Links
~$ whoami Zack Meyers (@b3armunch) Andrew McNicol (@primalsec) Red Team @BreakPoint Labs (@0xcc_labs) Bloggers/Podcasters @Primal Security (@primalsec) Past: BSidesCHARM, BSidesDC, RVASec Certification Junkies (OSCE, OSCP, GWAPT, GPEN etc.) Python, CTFs, Learning, long walks on the beach ( @AnnapolisSec)
Things Have Changed Since the 90s
Overview Goal: Break the mindset of “Scan then Exploit” Cover 5 ways we commonly break into a network: 1. Phishing 2. Web Application Vulnerabilities 3. Multicast Name Resolution Poisoning 4. SMB Relay Attacks 5. Account Compromise
Our Methodology (High Level) Planning and Scoping Reconnaissance Mapping Automated Testing Manual Testing Reporting Remediation Support
How to Go Beyond a Scan 1. Mindset: Fail 1000s of times and Continue Trying 2. Recon + Mapping: Find Systems + Content Others Have Missed 3. Automated Testing: Run the appropriate tool for the job 4. Manual Testing: Identify, Understand, and Fuzz all Areas of Input Research all Version Specific Vulnerabilities Combine Findings, Remove False Positives, and Abuse Features 1. Reporting: Highlight Business Impact
1. Phishing [surprise] Phishing actually works. [/surprise] Here is the process we generally follow: 1. Planning: Goals, ROE, what happens when the user clicks? 2. Determine Scenario: Ransomware, Targeted, etc. 3. Determine Phishing Domains 4. Find Vulnerabilities: Email Spoofing 5. Execute the Engagement Full Blog Here: https://breakpoint-labs.com/phishing/
1. Phishing: Planning Work with the customer to understand their needs for the Phishing campaign (Compliance, Part of a larger engagement, etc.) We prefer to send email via Python (smtp module) We generally perform these three types of engagements: 1. Click Analysis: Determine how many users clicked a link 2. Credential Gathering: Prompt for Credentials 3. Execute Code: PowerShell, Office Macros, HTAs, etc.
CEOs Reaction to Opening to Phishing Email
1. Phishing: Scenario 2 Main Types of Scenarios: Common Malware, and Targeted Attacker UPS Tracking Ransomware: Cloned Site + Password Prompt:
1. Phishing: Phishing Domains The scenario will determine what domains we leverage If our goal is to perform a more targeted attack we will attempt use a similar domain to the target organization and clone login portals: breakpoint-labs.com vs. breakpoint-lab.com If our goal is more common threat we will emulate those TTPs: ups-pkgtracker.com Its important to submit domains to web content filters/proxies
1. Phishing: Finding Vulnerabilities
1. Phishing: Finding Vulnerabilities Outlook client – Email below is sent from a Gmail account:
1. Phishing: Possible Scenarios Click Analysis: We generally use Python to send email + create a unique link per email to targets Credential Grabbing: We generally use PHP to prompt for credentials Execute Code: Usually leverage Empire (Office Macro, HTA method)
Is your input being presented on the screen? -> XSS Is your input calling on stored data? -> SQLi Does input generate an action to an external service? -> SSRF Does your input call on a local or remote file? -> File Inclusion Does your input end up on the file system? -> File Upload Does your input cause another page to load? -> Redirect Vulns Can we enumerate technology and versions? -> Lots of Vulns 2. Web Application Vulnerabilities
2. Web App Vulns: File Inclusion File Inclusion vulns can lead to code execution “php include()” Sometimes they are limited to just file inclusion “php echo()” LFIs normally require you to get your input on disk then include the affected resource (log poisoning) RFIs are normally easier to exploit as you can point them to an external resource containing your code
2. Web App Vulns: Step 1 Unlinked resource “debug.php”- HTTP 200 OK and blank screen
2. Web App Vulns: Step 2 Unlinked resource “debug.php”- HTTP 200 OK and blank screen
2. Web App Vulns: Step 2 Never underestimate the power of a good lunch!
2. Web App Vulns: Step 3 Parameters are fuzzed to enumerate inputs. "page=test" gives back a different response "Failed opening 'test' for inclusion”
2. Web App Vulns: Step 4 Attempt to execute code: 1.php = <?php system(‘id’);?>
2. Web App Vulns: Step 5 IN REAL LIFE: The web service was running as SYSTEM!
3. Multicast Name Resolution Poisoning A majority of the time internal networks will have name resolution traffic enabled with the following protocols: Link-Local Multicast Name Resolution (LLMNR) Netbios Name (NBT-NS) services. Multicast DNS (mDNS) By listening, intercepting and manipulating name resolution traffic an attacker can redirect authentication traffic and perform Man in the Middle (MITM) attacks.
Responder!
3. Enter Responder.py Responder is a Python script that aids in: Multicast Protocol Poisoning (LLMNR, NBT-NS, mDNS) WPAD Spoofing (Web Proxy Auto Discovery) using a non authorized server as a proxy server for all HTTP requests to the Internet. MITM Attacks (Intercepting credential exchanges between hosts leading to password cracking, pass the hash, SMB relay attacks, etc.) Rouge Server Services (SMTP, IMAP, POP3, SMB, Kerberos, FTP, HTTP, HTTPS, DNS, LDAP, SQL, etc.)
3. Responder.py - Use Case 1 Rouge Services Syntax: ~$ responder -I eth0 -f
3. Responder.py - Use Case 2 WPAD Syntax: ~$ responder -I eth0 -bw
3. Responder.py - Use Case 3 Analyze Syntax: ~$ responder -I eth0 -A
3. Prevent Multicast Name Communication Attacks Preventing multicast communication attacks through: Disable Broadcast Protocols: LLMNR (Link Local Multicast Name Resolution) and NBNS (NetBios Name Resolution) Prevent WPAD Poisoning w/ WPAD file entries in DNS Segment the local networks with VLANS to prevent impact Ensure that only NTLMv2 is in use rather than LM and NTLM
4. SMB Relay Attacks SMB relay attacks occur once an attacker inserts themselves in between the NTLM Challenge/Response protocol exchange. The attacker needs the victim to initiate an HTTP or SMB connection. This initiation can occur often from either: LLMNR/NBNS spoofing Automated processes attempting to authenticate to systems (ex. patch management, antivirus updates, vulnerability scanners, custom admin scripts, etc.)
So You Started a Scan
4. SMB Relay Attack Visual: Automated Process
4. SMB Relay Attack: Multicast Poisoning Attackers IP: 192.168.56.103 Windows Client (Target): 192.168.56.105 Windows DC: 192.168.56.102
4. SMB Relay Attack: Multicast Poisoning Cont. Attackers IP: 192.168.56.103 Windows Client (Target): 192.168.56.105 Windows DC: 192.168.56.102
4. SMB Relay Attack: Multicast Poisoning Cont. Attackers IP: 192.168.56.103 Windows Client (Target): 192.168.56.105 Windows DC: 192.168.56.102
4. SMB Relay Attack: Nessus Scanner Scenario
4. Prevent SMB Relay Attacks Preventing SMB relay attacks through: Require SMB Signing Disable Broadcast Protocols: LLMNR (Link Local Multicast Name Resolution) and NBNS (NetBios Name Resolution) Prevent WPAD Poisoning w/ WPAD file entries in DNS Prevent SMB Traffic Outbound Enable EPA (Extended Protection and Authentication)
5. Account Compromise
5. Account Compromise Combines several vulnerabilities to demonstrate risk: - Username enumeration (Low) + - Lack of Automation Controls (Low) + - Lack of Password Complexity Reqs (Low) = - Account Compromise (Critical)
5. Acct Comp: Username Enumeration Password Reset Feature “Email address not found” Login Error Message “Invalid Username”’ Contact Us Features “Which Admin do you want to contact?” Timing for login Attempts: Valid = 0.4 secs Invalid = 15 secs User Registration “Username already exists” Various error messages, and HTML source Google Hacking and OSINT Sometimes the application tells you
5. Acct Comp: Automation Controls Pull the auth request up in Burp’s Repeater and try it a few times No sign of automation controls? -> Burp Intruder - No account lockout - Non-existent or Weak CAPTCHA - Main login is strong, but others? (Mobile Interface, API, etc.)
5. Acct Comp: Weak Passwords We as humans are bad at passwords…here are some tricks: - Password the same as username - Variations of “password”: “p@ssw0rd”… - Month+Year, Season+Year: winter2015… - Company Name + year - Keyboard Walks – PW Generator: “!QAZ2wsx” Lots of wordlists out there, consider making a targeted wordlist Research the targeted user’s interests and build lists around those interests
5. Acct Comp: Default and Shared Attempt to brute force across all the things Brute Force Tools: Burp Suite’s Intruder, Hydra, CrackMapExec, MSF SMB modules, Nmap, etc. Always try default creds for any given technology We commonly see shared Linux root creds, and shared Windows local admin creds across the entire enterprise
Final Thoughts and Tips Use Shodan and Censys.io for external reconnaissance Make sure you investigate shares (enum4linux) Unlinked Content enumeration on web applications is key Passwords written down on sticky notes? Yea usually Can you reset a PW via the Help Desk? Put a focus on feature abuse: What does the technology let you do? How can you abuse that functionality? Once you get valid credentials try them across all the things
Useful Trainings & Links Free Training: Cybrary CTFs: Vulnhub, Past CTF Writeups, Pentester Lab Training: Offensive Security, SANS, SecurityTube Book: Web Application Hackers Handbook • Book: Black Hat Python • Talks: IronGeek (Adrian Crenshaw’s) YouTube Channel • Talk: How to Shot Web - Jason Haddix • Talk: How to be an InfoSec Geek - Primal Security • Talk: File in the hole! - Soroush Dalili • Talk: Exploiting Deserialization Vulnerabilities in Java • Talk: Polyglot Payloads in Practice - Marcus Niemietz • Talk: Running Away From Security - Micah Hoffman • Talk: Beyond Automated Testing – Us! • GitHub Resource: Security Lists For Fun & Profit
Contact Us Site: https://www.breakpoint-labs.com Email: info@breakpoint-labs.com Twitter: @0xcc_labs We Are Hiring – Remote Positions Available

Recommended

BSidesJXN 2016: Finding a Company's BreakPoint
BSidesJXN 2016: Finding a Company's BreakPointBSidesJXN 2016: Finding a Company's BreakPoint
BSidesJXN 2016: Finding a Company's BreakPointAndrew McNicol
 
Beyond Automated Testing - RVAsec 2016
Beyond Automated Testing - RVAsec 2016Beyond Automated Testing - RVAsec 2016
Beyond Automated Testing - RVAsec 2016Andrew McNicol
 
BSides_Charm2015_Info sec hunters_gathers
BSides_Charm2015_Info sec hunters_gathersBSides_Charm2015_Info sec hunters_gathers
BSides_Charm2015_Info sec hunters_gathersAndrew McNicol
 
BSidesDC 2016 Beyond Automated Testing
BSidesDC 2016 Beyond Automated TestingBSidesDC 2016 Beyond Automated Testing
BSidesDC 2016 Beyond Automated TestingAndrew McNicol
 
Pentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated TestingPentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated TestingAndrew McNicol
 
How To Start Your InfoSec Career
How To Start Your InfoSec CareerHow To Start Your InfoSec Career
How To Start Your InfoSec CareerAndrew McNicol
 
Tcpdump hunter
Tcpdump hunterTcpdump hunter
Tcpdump hunterAndrew McNicol
 
BSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability ManagementBSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability ManagementAndrew McNicol
 

Recommended

BSidesJXN 2016: Finding a Company's BreakPoint
BSidesJXN 2016: Finding a Company's BreakPointBSidesJXN 2016: Finding a Company's BreakPoint
BSidesJXN 2016: Finding a Company's BreakPointAndrew McNicol
 
Beyond Automated Testing - RVAsec 2016
Beyond Automated Testing - RVAsec 2016Beyond Automated Testing - RVAsec 2016
Beyond Automated Testing - RVAsec 2016Andrew McNicol
 
BSides_Charm2015_Info sec hunters_gathers
BSides_Charm2015_Info sec hunters_gathersBSides_Charm2015_Info sec hunters_gathers
BSides_Charm2015_Info sec hunters_gathersAndrew McNicol
 
BSidesDC 2016 Beyond Automated Testing
BSidesDC 2016 Beyond Automated TestingBSidesDC 2016 Beyond Automated Testing
BSidesDC 2016 Beyond Automated TestingAndrew McNicol
 
Pentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated TestingPentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated TestingAndrew McNicol
 
How To Start Your InfoSec Career
How To Start Your InfoSec CareerHow To Start Your InfoSec Career
How To Start Your InfoSec CareerAndrew McNicol
 
Tcpdump hunter
Tcpdump hunterTcpdump hunter
Tcpdump hunterAndrew McNicol
 
BSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability ManagementBSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability ManagementAndrew McNicol
 
Introduction to Penetration Testing
Introduction to Penetration TestingIntroduction to Penetration Testing
Introduction to Penetration TestingAndrew McNicol
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2Chris Gates
 
DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101dc612
 
Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0marcioalma
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made SimplePaul Melson
 
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...CODE BLUE
 
Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Daniel Bohannon
 
Penetration testing, What’s this?
Penetration testing, What’s this?Penetration testing, What’s this?
Penetration testing, What’s this?Dmitry Evteev
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware AnalysisAndrew McNicol
 
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...grecsl
 
Introduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksIntroduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksScott Sutherland
 
'Malware Analysis' by PP Singh
'Malware Analysis' by PP Singh'Malware Analysis' by PP Singh
'Malware Analysis' by PP SinghBipin Upadhyay
 
Bsides-Philly-2016-Finding-A-Companys-BreakPoint
Bsides-Philly-2016-Finding-A-Companys-BreakPointBsides-Philly-2016-Finding-A-Companys-BreakPoint
Bsides-Philly-2016-Finding-A-Companys-BreakPointZack Meyers
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Rob Fuller
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
Hunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forestHunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forestSecuRing
 
(130216) #fitalk potentially malicious ur ls
(130216) #fitalk potentially malicious ur ls(130216) #fitalk potentially malicious ur ls
(130216) #fitalk potentially malicious ur lsINSIGHT FORENSIC
 
Hunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forestHunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forestSecuRing
 
I See You
I See YouI See You
I See YouAndrew Beard
 
Breadcrumbs to Loaves: BSides Austin '17
Breadcrumbs to Loaves: BSides Austin '17Breadcrumbs to Loaves: BSides Austin '17
Breadcrumbs to Loaves: BSides Austin '17Brandon Arvanaghi
 
Introduction to Python for Security Professionals
Introduction to Python for Security ProfessionalsIntroduction to Python for Security Professionals
Introduction to Python for Security ProfessionalsAndrew McNicol
 
OSX/Pirrit: The blue balls of OS X adware
OSX/Pirrit: The blue balls of OS X adwareOSX/Pirrit: The blue balls of OS X adware
OSX/Pirrit: The blue balls of OS X adwareAmit Serper
 

More Related Content

What's hot

Introduction to Penetration Testing
Introduction to Penetration TestingIntroduction to Penetration Testing
Introduction to Penetration TestingAndrew McNicol
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2Chris Gates
 
DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101dc612
 
Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0marcioalma
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made SimplePaul Melson
 
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...CODE BLUE
 
Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Daniel Bohannon
 
Penetration testing, What’s this?
Penetration testing, What’s this?Penetration testing, What’s this?
Penetration testing, What’s this?Dmitry Evteev
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware AnalysisAndrew McNicol
 
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...grecsl
 
Introduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksIntroduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksScott Sutherland
 
'Malware Analysis' by PP Singh
'Malware Analysis' by PP Singh'Malware Analysis' by PP Singh
'Malware Analysis' by PP SinghBipin Upadhyay
 
Bsides-Philly-2016-Finding-A-Companys-BreakPoint
Bsides-Philly-2016-Finding-A-Companys-BreakPointBsides-Philly-2016-Finding-A-Companys-BreakPoint
Bsides-Philly-2016-Finding-A-Companys-BreakPointZack Meyers
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Rob Fuller
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
Hunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forestHunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forestSecuRing
 
(130216) #fitalk potentially malicious ur ls
(130216) #fitalk potentially malicious ur ls(130216) #fitalk potentially malicious ur ls
(130216) #fitalk potentially malicious ur lsINSIGHT FORENSIC
 
Hunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forestHunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forestSecuRing
 
Breadcrumbs to Loaves: BSides Austin '17
Breadcrumbs to Loaves: BSides Austin '17Breadcrumbs to Loaves: BSides Austin '17
Breadcrumbs to Loaves: BSides Austin '17Brandon Arvanaghi
 

What's hot (20)

Introduction to Penetration Testing
Introduction to Penetration TestingIntroduction to Penetration Testing
Introduction to Penetration Testing
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
 
DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101
 
Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made Simple
 
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
 
Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016
 
Penetration testing, What’s this?
Penetration testing, What’s this?Penetration testing, What’s this?
Penetration testing, What’s this?
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware Analysis
 
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...
 
Introduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksIntroduction to Windows Dictionary Attacks
Introduction to Windows Dictionary Attacks
 
'Malware Analysis' by PP Singh
'Malware Analysis' by PP Singh'Malware Analysis' by PP Singh
'Malware Analysis' by PP Singh
 
Bsides-Philly-2016-Finding-A-Companys-BreakPoint
Bsides-Philly-2016-Finding-A-Companys-BreakPointBsides-Philly-2016-Finding-A-Companys-BreakPoint
Bsides-Philly-2016-Finding-A-Companys-BreakPoint
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
 
Hunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forestHunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forest
 
(130216) #fitalk potentially malicious ur ls
(130216) #fitalk potentially malicious ur ls(130216) #fitalk potentially malicious ur ls
(130216) #fitalk potentially malicious ur ls
 
Hunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forestHunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forest
 
I See You
I See YouI See You
I See You
 
Breadcrumbs to Loaves: BSides Austin '17
Breadcrumbs to Loaves: BSides Austin '17Breadcrumbs to Loaves: BSides Austin '17
Breadcrumbs to Loaves: BSides Austin '17
 

Viewers also liked

Introduction to Python for Security Professionals
Introduction to Python for Security ProfessionalsIntroduction to Python for Security Professionals
Introduction to Python for Security ProfessionalsAndrew McNicol
 
OSX/Pirrit: The blue balls of OS X adware
OSX/Pirrit: The blue balls of OS X adwareOSX/Pirrit: The blue balls of OS X adware
OSX/Pirrit: The blue balls of OS X adwareAmit Serper
 
100Mpps czyli jak radzić sobie z atakami DDoS?
100Mpps czyli jak radzić sobie z atakami DDoS?100Mpps czyli jak radzić sobie z atakami DDoS?
100Mpps czyli jak radzić sobie z atakami DDoS?Redge Technologies
 
Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101Zack Meyers
 
Pentesting Using Burp Suite
Pentesting Using Burp SuitePentesting Using Burp Suite
Pentesting Using Burp Suitejasonhaddix
 
Network Security and Analysis with Python
Network Security and Analysis with PythonNetwork Security and Analysis with Python
Network Security and Analysis with Pythonpycontw
 
Virtual Reality Workshop (3/13/2017)
Virtual Reality Workshop (3/13/2017)Virtual Reality Workshop (3/13/2017)
Virtual Reality Workshop (3/13/2017)KR_Barker
 
Dağıtık Sistemler İçin Mahremiyet Korumalı Uç Öğrenme Makinesi Sınıflandırma ...
Dağıtık Sistemler İçin Mahremiyet Korumalı Uç Öğrenme Makinesi Sınıflandırma ...Dağıtık Sistemler İçin Mahremiyet Korumalı Uç Öğrenme Makinesi Sınıflandırma ...
Dağıtık Sistemler İçin Mahremiyet Korumalı Uç Öğrenme Makinesi Sınıflandırma ...Ferhat Ozgur Catak
 
Embracing Distributed Version Control
Embracing Distributed Version ControlEmbracing Distributed Version Control
Embracing Distributed Version ControlNowell Strite
 
Network ve Sistem 101 etkinliği
Network ve Sistem 101 etkinliği Network ve Sistem 101 etkinliği
Network ve Sistem 101 etkinliği Ahmet Han
 
IP Security
IP SecurityIP Security
IP SecurityS H
 
Network101 murat arslan
Network101 murat arslanNetwork101 murat arslan
Network101 murat arslanMURAT ARSLAN
 
Secure Multi-Party Computation Based Privacy Preserving Extreme Learning Mach...
Secure Multi-Party Computation Based Privacy Preserving Extreme Learning Mach...Secure Multi-Party Computation Based Privacy Preserving Extreme Learning Mach...
Secure Multi-Party Computation Based Privacy Preserving Extreme Learning Mach...Ferhat Ozgur Catak
 
The Agile Process - Taming Your Process To Work For You
The Agile Process - Taming Your Process To Work For YouThe Agile Process - Taming Your Process To Work For You
The Agile Process - Taming Your Process To Work For YouNowell Strite
 
OSINT for Attack and Defense
OSINT for Attack and DefenseOSINT for Attack and Defense
OSINT for Attack and DefenseAndrew McNicol
 
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"Lane Huff
 

Viewers also liked (20)

Introduction to Python for Security Professionals
Introduction to Python for Security ProfessionalsIntroduction to Python for Security Professionals
Introduction to Python for Security Professionals
 
OSX/Pirrit: The blue balls of OS X adware
OSX/Pirrit: The blue balls of OS X adwareOSX/Pirrit: The blue balls of OS X adware
OSX/Pirrit: The blue balls of OS X adware
 
100Mpps czyli jak radzić sobie z atakami DDoS?
100Mpps czyli jak radzić sobie z atakami DDoS?100Mpps czyli jak radzić sobie z atakami DDoS?
100Mpps czyli jak radzić sobie z atakami DDoS?
 
Python for Penetration testers
Python for Penetration testersPython for Penetration testers
Python for Penetration testers
 
Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101
 
Python build your security tools.pdf
Python build your security tools.pdfPython build your security tools.pdf
Python build your security tools.pdf
 
Pentesting Using Burp Suite
Pentesting Using Burp SuitePentesting Using Burp Suite
Pentesting Using Burp Suite
 
Network Security and Analysis with Python
Network Security and Analysis with PythonNetwork Security and Analysis with Python
Network Security and Analysis with Python
 
Virtual Reality Workshop (3/13/2017)
Virtual Reality Workshop (3/13/2017)Virtual Reality Workshop (3/13/2017)
Virtual Reality Workshop (3/13/2017)
 
Dağıtık Sistemler İçin Mahremiyet Korumalı Uç Öğrenme Makinesi Sınıflandırma ...
Dağıtık Sistemler İçin Mahremiyet Korumalı Uç Öğrenme Makinesi Sınıflandırma ...Dağıtık Sistemler İçin Mahremiyet Korumalı Uç Öğrenme Makinesi Sınıflandırma ...
Dağıtık Sistemler İçin Mahremiyet Korumalı Uç Öğrenme Makinesi Sınıflandırma ...
 
Embracing Distributed Version Control
Embracing Distributed Version ControlEmbracing Distributed Version Control
Embracing Distributed Version Control
 
Hesaplamalarım
HesaplamalarımHesaplamalarım
Hesaplamalarım
 
Tablo oluşturma
Tablo oluşturmaTablo oluşturma
Tablo oluşturma
 
Network ve Sistem 101 etkinliği
Network ve Sistem 101 etkinliği Network ve Sistem 101 etkinliği
Network ve Sistem 101 etkinliği
 
IP Security
IP SecurityIP Security
IP Security
 
Network101 murat arslan
Network101 murat arslanNetwork101 murat arslan
Network101 murat arslan
 
Secure Multi-Party Computation Based Privacy Preserving Extreme Learning Mach...
Secure Multi-Party Computation Based Privacy Preserving Extreme Learning Mach...Secure Multi-Party Computation Based Privacy Preserving Extreme Learning Mach...
Secure Multi-Party Computation Based Privacy Preserving Extreme Learning Mach...
 
The Agile Process - Taming Your Process To Work For You
The Agile Process - Taming Your Process To Work For YouThe Agile Process - Taming Your Process To Work For You
The Agile Process - Taming Your Process To Work For You
 
OSINT for Attack and Defense
OSINT for Attack and DefenseOSINT for Attack and Defense
OSINT for Attack and Defense
 
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
 

Similar to BSides Philly Finding a Company's BreakPoint

Andrew and Zac RVA-Beyond-Automated-Testing-2016.ppt
Andrew and Zac RVA-Beyond-Automated-Testing-2016.pptAndrew and Zac RVA-Beyond-Automated-Testing-2016.ppt
Andrew and Zac RVA-Beyond-Automated-Testing-2016.pptBUSHRASHAIKH804312
 
Network And Application Layer Attacks
Network And Application Layer AttacksNetwork And Application Layer Attacks
Network And Application Layer AttacksArun Modi
 
Hacking 1224807880385377-9
Hacking 1224807880385377-9Hacking 1224807880385377-9
Hacking 1224807880385377-9Geoff Pesimo
 
The Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A PrimerThe Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A Primeramiable_indian
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing BasicsRick Wanner
 
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beau Bullock
 
Ethical Hacking : Why Do Hackers Attack And How ?
Ethical Hacking : Why Do Hackers Attack And How ?Ethical Hacking : Why Do Hackers Attack And How ?
Ethical Hacking : Why Do Hackers Attack And How ?HBServices7
 
Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Stephan Chenette
 
what is transport layer what are the typical attacks in transport l.pdf
what is transport layer what are the typical attacks in transport l.pdfwhat is transport layer what are the typical attacks in transport l.pdf
what is transport layer what are the typical attacks in transport l.pdfbrijeshagarwa329898l
 

Similar to BSides Philly Finding a Company's BreakPoint (20)

Hacking
HackingHacking
Hacking
 
Hacking
HackingHacking
Hacking
 
Hacking tutorial
Hacking tutorialHacking tutorial
Hacking tutorial
 
Hacking In Detail
Hacking In DetailHacking In Detail
Hacking In Detail
 
Andrew and Zac RVA-Beyond-Automated-Testing-2016.ppt
Andrew and Zac RVA-Beyond-Automated-Testing-2016.pptAndrew and Zac RVA-Beyond-Automated-Testing-2016.ppt
Andrew and Zac RVA-Beyond-Automated-Testing-2016.ppt
 
Network And Application Layer Attacks
Network And Application Layer AttacksNetwork And Application Layer Attacks
Network And Application Layer Attacks
 
Hacking 1224807880385377-9
Hacking 1224807880385377-9Hacking 1224807880385377-9
Hacking 1224807880385377-9
 
Hacking by Pratyush Gupta
Hacking by Pratyush GuptaHacking by Pratyush Gupta
Hacking by Pratyush Gupta
 
Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004
 
Hacking
HackingHacking
Hacking
 
Hacking and its Defence
Hacking and its DefenceHacking and its Defence
Hacking and its Defence
 
The Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A PrimerThe Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A Primer
 
Hack the hack
Hack the hackHack the hack
Hack the hack
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
 
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
 
Windows network
Windows networkWindows network
Windows network
 
Ethical Hacking : Why Do Hackers Attack And How ?
Ethical Hacking : Why Do Hackers Attack And How ?Ethical Hacking : Why Do Hackers Attack And How ?
Ethical Hacking : Why Do Hackers Attack And How ?
 
Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012
 
Windows network security
Windows network securityWindows network security
Windows network security
 
what is transport layer what are the typical attacks in transport l.pdf
what is transport layer what are the typical attacks in transport l.pdfwhat is transport layer what are the typical attacks in transport l.pdf
what is transport layer what are the typical attacks in transport l.pdf
 

Recently uploaded

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 

Recently uploaded (20)

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 

BSides Philly Finding a Company's BreakPoint

  • 1. Finding a Company’s BreakPoint By: Zack Meyers & Andrew McNicol
  • 3. Agenda ~$ whoami Overview Our Methodology How to Go Beyond a Scan 1. Phishing 2. Web Application Vulnerabilities 3. Multicast Name Resolution Poisoning 4. SMB Relay Attacks 5. Account Compromise Final Thoughts and Tips Useful Training and Links
  • 4. ~$ whoami Zack Meyers (@b3armunch) Andrew McNicol (@primalsec) Red Team @BreakPoint Labs (@0xcc_labs) Bloggers/Podcasters @Primal Security (@primalsec) Past: BSidesCHARM, BSidesDC, RVASec Certification Junkies (OSCE, OSCP, GWAPT, GPEN etc.) Python, CTFs, Learning, long walks on the beach ( @AnnapolisSec)
  • 5. Things Have Changed Since the 90s
  • 6. Overview Goal: Break the mindset of “Scan then Exploit” Cover 5 ways we commonly break into a network: 1. Phishing 2. Web Application Vulnerabilities 3. Multicast Name Resolution Poisoning 4. SMB Relay Attacks 5. Account Compromise
  • 7. Our Methodology (High Level) Planning and Scoping Reconnaissance Mapping Automated Testing Manual Testing Reporting Remediation Support
  • 8. How to Go Beyond a Scan 1. Mindset: Fail 1000s of times and Continue Trying 2. Recon + Mapping: Find Systems + Content Others Have Missed 3. Automated Testing: Run the appropriate tool for the job 4. Manual Testing: Identify, Understand, and Fuzz all Areas of Input Research all Version Specific Vulnerabilities Combine Findings, Remove False Positives, and Abuse Features 1. Reporting: Highlight Business Impact
  • 9. 1. Phishing [surprise] Phishing actually works. [/surprise] Here is the process we generally follow: 1. Planning: Goals, ROE, what happens when the user clicks? 2. Determine Scenario: Ransomware, Targeted, etc. 3. Determine Phishing Domains 4. Find Vulnerabilities: Email Spoofing 5. Execute the Engagement Full Blog Here: https://breakpoint-labs.com/phishing/
  • 10. 1. Phishing: Planning Work with the customer to understand their needs for the Phishing campaign (Compliance, Part of a larger engagement, etc.) We prefer to send email via Python (smtp module) We generally perform these three types of engagements: 1. Click Analysis: Determine how many users clicked a link 2. Credential Gathering: Prompt for Credentials 3. Execute Code: PowerShell, Office Macros, HTAs, etc.
  • 11. CEOs Reaction to Opening to Phishing Email
  • 12. 1. Phishing: Scenario 2 Main Types of Scenarios: Common Malware, and Targeted Attacker UPS Tracking Ransomware: Cloned Site + Password Prompt:
  • 13. 1. Phishing: Phishing Domains The scenario will determine what domains we leverage If our goal is to perform a more targeted attack we will attempt use a similar domain to the target organization and clone login portals: breakpoint-labs.com vs. breakpoint-lab.com If our goal is more common threat we will emulate those TTPs: ups-pkgtracker.com Its important to submit domains to web content filters/proxies
  • 14. 1. Phishing: Finding Vulnerabilities
  • 15. 1. Phishing: Finding Vulnerabilities Outlook client – Email below is sent from a Gmail account:
  • 16. 1. Phishing: Possible Scenarios Click Analysis: We generally use Python to send email + create a unique link per email to targets Credential Grabbing: We generally use PHP to prompt for credentials Execute Code: Usually leverage Empire (Office Macro, HTA method)
  • 17. Is your input being presented on the screen? -> XSS Is your input calling on stored data? -> SQLi Does input generate an action to an external service? -> SSRF Does your input call on a local or remote file? -> File Inclusion Does your input end up on the file system? -> File Upload Does your input cause another page to load? -> Redirect Vulns Can we enumerate technology and versions? -> Lots of Vulns 2. Web Application Vulnerabilities
  • 18. 2. Web App Vulns: File Inclusion File Inclusion vulns can lead to code execution “php include()” Sometimes they are limited to just file inclusion “php echo()” LFIs normally require you to get your input on disk then include the affected resource (log poisoning) RFIs are normally easier to exploit as you can point them to an external resource containing your code
  • 19. 2. Web App Vulns: Step 1 Unlinked resource “debug.php”- HTTP 200 OK and blank screen
  • 20. 2. Web App Vulns: Step 2 Unlinked resource “debug.php”- HTTP 200 OK and blank screen
  • 21. 2. Web App Vulns: Step 2 Never underestimate the power of a good lunch!
  • 22. 2. Web App Vulns: Step 3 Parameters are fuzzed to enumerate inputs. "page=test" gives back a different response "Failed opening 'test' for inclusion”
  • 23. 2. Web App Vulns: Step 4 Attempt to execute code: 1.php = <?php system(‘id’);?>
  • 24. 2. Web App Vulns: Step 5 IN REAL LIFE: The web service was running as SYSTEM!
  • 25. 3. Multicast Name Resolution Poisoning A majority of the time internal networks will have name resolution traffic enabled with the following protocols: Link-Local Multicast Name Resolution (LLMNR) Netbios Name (NBT-NS) services. Multicast DNS (mDNS) By listening, intercepting and manipulating name resolution traffic an attacker can redirect authentication traffic and perform Man in the Middle (MITM) attacks.
  • 27. 3. Enter Responder.py Responder is a Python script that aids in: Multicast Protocol Poisoning (LLMNR, NBT-NS, mDNS) WPAD Spoofing (Web Proxy Auto Discovery) using a non authorized server as a proxy server for all HTTP requests to the Internet. MITM Attacks (Intercepting credential exchanges between hosts leading to password cracking, pass the hash, SMB relay attacks, etc.) Rouge Server Services (SMTP, IMAP, POP3, SMB, Kerberos, FTP, HTTP, HTTPS, DNS, LDAP, SQL, etc.)
  • 28. 3. Responder.py - Use Case 1 Rouge Services Syntax: ~$ responder -I eth0 -f
  • 29. 3. Responder.py - Use Case 2 WPAD Syntax: ~$ responder -I eth0 -bw
  • 30. 3. Responder.py - Use Case 3 Analyze Syntax: ~$ responder -I eth0 -A
  • 31. 3. Prevent Multicast Name Communication Attacks Preventing multicast communication attacks through: Disable Broadcast Protocols: LLMNR (Link Local Multicast Name Resolution) and NBNS (NetBios Name Resolution) Prevent WPAD Poisoning w/ WPAD file entries in DNS Segment the local networks with VLANS to prevent impact Ensure that only NTLMv2 is in use rather than LM and NTLM
  • 32. 4. SMB Relay Attacks SMB relay attacks occur once an attacker inserts themselves in between the NTLM Challenge/Response protocol exchange. The attacker needs the victim to initiate an HTTP or SMB connection. This initiation can occur often from either: LLMNR/NBNS spoofing Automated processes attempting to authenticate to systems (ex. patch management, antivirus updates, vulnerability scanners, custom admin scripts, etc.)
  • 33. So You Started a Scan
  • 34. 4. SMB Relay Attack Visual: Automated Process
  • 35. 4. SMB Relay Attack: Multicast Poisoning Attackers IP: 192.168.56.103 Windows Client (Target): 192.168.56.105 Windows DC: 192.168.56.102
  • 36. 4. SMB Relay Attack: Multicast Poisoning Cont. Attackers IP: 192.168.56.103 Windows Client (Target): 192.168.56.105 Windows DC: 192.168.56.102
  • 37. 4. SMB Relay Attack: Multicast Poisoning Cont. Attackers IP: 192.168.56.103 Windows Client (Target): 192.168.56.105 Windows DC: 192.168.56.102
  • 38. 4. SMB Relay Attack: Nessus Scanner Scenario
  • 39. 4. Prevent SMB Relay Attacks Preventing SMB relay attacks through: Require SMB Signing Disable Broadcast Protocols: LLMNR (Link Local Multicast Name Resolution) and NBNS (NetBios Name Resolution) Prevent WPAD Poisoning w/ WPAD file entries in DNS Prevent SMB Traffic Outbound Enable EPA (Extended Protection and Authentication)
  • 41. 5. Account Compromise Combines several vulnerabilities to demonstrate risk: - Username enumeration (Low) + - Lack of Automation Controls (Low) + - Lack of Password Complexity Reqs (Low) = - Account Compromise (Critical)
  • 42. 5. Acct Comp: Username Enumeration Password Reset Feature “Email address not found” Login Error Message “Invalid Username”’ Contact Us Features “Which Admin do you want to contact?” Timing for login Attempts: Valid = 0.4 secs Invalid = 15 secs User Registration “Username already exists” Various error messages, and HTML source Google Hacking and OSINT Sometimes the application tells you
  • 43. 5. Acct Comp: Automation Controls Pull the auth request up in Burp’s Repeater and try it a few times No sign of automation controls? -> Burp Intruder - No account lockout - Non-existent or Weak CAPTCHA - Main login is strong, but others? (Mobile Interface, API, etc.)
  • 44. 5. Acct Comp: Weak Passwords We as humans are bad at passwords…here are some tricks: - Password the same as username - Variations of “password”: “p@ssw0rd”… - Month+Year, Season+Year: winter2015… - Company Name + year - Keyboard Walks – PW Generator: “!QAZ2wsx” Lots of wordlists out there, consider making a targeted wordlist Research the targeted user’s interests and build lists around those interests
  • 45. 5. Acct Comp: Default and Shared Attempt to brute force across all the things Brute Force Tools: Burp Suite’s Intruder, Hydra, CrackMapExec, MSF SMB modules, Nmap, etc. Always try default creds for any given technology We commonly see shared Linux root creds, and shared Windows local admin creds across the entire enterprise
  • 46. Final Thoughts and Tips Use Shodan and Censys.io for external reconnaissance Make sure you investigate shares (enum4linux) Unlinked Content enumeration on web applications is key Passwords written down on sticky notes? Yea usually Can you reset a PW via the Help Desk? Put a focus on feature abuse: What does the technology let you do? How can you abuse that functionality? Once you get valid credentials try them across all the things
  • 47. Useful Trainings & Links Free Training: Cybrary CTFs: Vulnhub, Past CTF Writeups, Pentester Lab Training: Offensive Security, SANS, SecurityTube Book: Web Application Hackers Handbook • Book: Black Hat Python • Talks: IronGeek (Adrian Crenshaw’s) YouTube Channel • Talk: How to Shot Web - Jason Haddix • Talk: How to be an InfoSec Geek - Primal Security • Talk: File in the hole! - Soroush Dalili • Talk: Exploiting Deserialization Vulnerabilities in Java • Talk: Polyglot Payloads in Practice - Marcus Niemietz • Talk: Running Away From Security - Micah Hoffman • Talk: Beyond Automated Testing – Us! • GitHub Resource: Security Lists For Fun & Profit
  • 48. Contact Us Site: https://www.breakpoint-labs.com Email: info@breakpoint-labs.com Twitter: @0xcc_labs We Are Hiring – Remote Positions Available