SlideShare a Scribd company logo
DevOoops 
LasCon 
October 2014
Who Ken 
Ken Johnson (@cktricky) 
● CTO (@nVisium) 
● Railsgoat Co-Author 
● (One) of the voices of SecCasts
Who Chris 
Chris Gates (CG) @carnal0wnage 
● Security Engineer (Facebook) 
● NoVA Hackers Co-Founder 
● http://carnal0wnage.attackresearch.com
Why This Talk 
Increase awareness around DevOps infra security 
Provide solutions 
Demonstrate impact, regardless of where the infrastructure 
is deployed (internal, external, cloud)
Agenda 
● GitHub 
● Revision Control Tools 
● Continuous Integration Tools 
● AWS Config Files 
● Client Provisioning Tools 
● Elasticsearch 
● In-Memory Databases
GitHub
GitHub Search 
GitHub Advanced Search 
● GitHub supports advanced search operators 
● Google hacking for GitHub 
○ http://seclists.org/fulldisclosure/2013/Jun/15 
○ http://blog.conviso.com.br/2013/06/github-hacking-for-fun-and-sensitive.html 
GitHub OSINT 
● Check $company employee repos for uh ohs 
○ internal project commits, passwords, etc
Git Fun 
Can we impersonate other GitHub users? 
Sort of.
Git Fun 
Let’s be Linus...
Git Fun
Git Fun 
Result: It appears Linus committed to our repo
Git Fun (Review) 
● Audit who has access to your repos 
○ Have a process to remove ex-employees 
○ Consider auditing their personal repos for leaks 
● Be suspicious of Pull Requests 
○ From “trusted” authors (they can be spoofed) 
○ With massive code changes within the PR (can 
potentially introduce vulns)
GitHub Org “To Do’s” 
Forks need be deleted if a member leaves your org 
● https://help.github.com/articles/deleting-a-private-fork-of-a-private- 
organization-repository/ 
Audit organization members for 2 factor authentication 
● https://developer.github.com/changes/2014-01-29-audit-org-members- 
for-2fa/
Revision Control
.Git Exposed 
Do you have your .git folder exposed on a webserver 
outside? 
● Or inside? 
● Access to .git content can allow for full source 
download. 
● Use wget, DVCS-Pillage, or dvcs-ripper to archive and 
recreate the repo locally. 
https://github.com/evilpacket/DVCS-Pillage 
https://github.com/kost/dvcs-ripper
.Git Exposed 
If directory listings are enabled, it’s simple to get source 
$ mkdir git-test 
$ cd git-test 
$ wget --mirror --include-directories=/.git http://www. 
example.com/.git 
Then 
$ cd www.example.com 
$ git reset --hard 
HEAD is now at [...] 
You now have the source of the site
.Git Exposed
.Git Exposed 
If directory listings are NOT enabled 
● Test by checking for .git/config 
● Use DVCS-Pillage or dvcs-ripper to 
download the source. 
DVCS-Pillage also supports 
Mercurial (HG) and Bazaar (BZR).
.Git Exposed 
What can you get? 
● Creds, config files, source code, dev names, public 
keys, email addresses, etc 
● repo history: vulns fixed, passwords/keys checked in but 
removed later :-) 
● wordpress config files common 
● site/database backups in .git 
● session generation keys
.Git Exposed 
Internal GitHub Enterprise ties into 
organization’s LDAP or Active Directory. 
● Find devops/devpassword equivalent 
● Download source code 
● Log in and search for interesting things
Subversion 
Subversion 1.6 (and earlier) 
● Check for .entries files 
● Walk svn chain to retrieve source 
● Example: 
○ http://somedomain.com/.svn/text-base/index.php.svn-base 
● Metasploit Auxiliary Module: 
○ auxiliary/scanner/http/svn_scanner 
Reference: http://pen-testing.sans.org/blog/pen-testing/2012/12/06/all-your-svn-are-belong-to-us
Subversion 
Subversion 1.7 and later 
● Working copy and changes stored in a sqlite database 
● Example: 
○ http://www.somedomain.com/.svn/wc.db 
● Metasploit Auxiliary Module: 
○ auxiliary/scanner/http/svn_wcdb_scanner 
Reference: http://pen-testing.sans.org/blog/pen-testing/2012/12/06/all-your-svn-are-belong-to-us
GitList
GitList
GitList 
RCE: http://hatriot.github.io/blog/2014/06/29/gitlist-rce/ 
Affects: version 0.4.0 and below
Continuous Integration
Hudson/Jenkins 
“Hudson is a continuous integration (CI) tool written in 
Java, which runs in a servlet container, such as Apache 
Tomcat or the GlassFish application server” 
Very popular 
If you can’t pwn Jenkins then try 
GlassFish or Tomcat :-)
Hudson/Jenkins 
Shodan search for X-Hudson
Hudson/Jenkins 
Shodan search for X-Hudson with HTTP 200
Hudson/Jenkins 
Metasploit Aux Module
Hudson/Jenkins 
If no authentication required 
● Trivial to gain remote code execution via script console 
● Metasploit Module 
○ exploit/multi/http/jenkins_script_console 
https://www.pentestgeek.com/2014/06/13/hacking-jenkins-servers-with-no-password/ 
http://www.labofapenetrationtester.com/2014/06/hacking-jenkins-servers.html 
http://zeroknock.blogspot.com/search/label/Hacking%20Jenkins
Hudson/Jenkins 
Script Console
Hudson/Jenkins
Hudson/Jenkins 
Metasploit exploit module for script console
Hudson/Jenkins 
You can lock down script console access by 
turning on authentication 
● However, if it’s set to local auth, you can 
register as a regular user :-) 
● ...then get access to the /script
Hudson/Jenkins 
If you have access to /view/All/newJob, 
create a new build and run commands
Hudson/Jenkins
Hudson/Jenkins 
Can you browse a workspace?
Hudson/Jenkins
Hudson/Jenkins
AWS Config Files
AWS - CLI Dev Tools 
AWS stores creds in plaintext in **hidden files** 
Typically privileged access
AWS - CLI Dev Tools
AWS - CLI Dev Tools + EB
AWS - Pivoting 
Once credentials are obtained, leverage 
nimbostratus to pivot 
http://andresriancho.github.io/nimbostratus/ 
or… just leverage any of the open source 
libraries available to interact with AWS
Client Provisioning
Chef 
Chef allows you to define the state your 
servers (local or cloud) should be in and 
enforces it.
Chef (Web Interface) 
Default/Weak Creds
Chef (Web Interface) 
Environment Leakage
Chef (Web Interface) 
Databags
Chef/knife 
knife is a Chef command line utility 
● Credentials stored in data bags 
● Can be encrypted 
● Example: 
$ knife data bag list
Chef/knife
Chef/knife (encrypted data bag)
Chef/knife
Vagrant 
Did you change your SSH keys?
Vagrant 
● Default Credentials 
○ root/vagrant vagrant/vagrant 
○ No pass to sudo :-)
Vagrant 
Scan using the default private key
Vagrant 
Scan using the default private key
Vagrant 
Identify real from fake by ssh version scan
Vagrant 
Breaking into host from guest 
http://finite.state.io/blog/2012/10/30/breaking-in-and-out-of-vagrant/ 
“Put evil things in /vagrant/.git/hooks/post-commit 
and wait for the user to commit some code. Since 
the /vagrant/ directory is mounted from the host, 
my hook will persist even if the user destroys the 
VM.”
Kickstart Files 
3 ways to set root password 
1. Enter during installation 
2. Crypted hash in the kickstart file 
“rootpw --iscrypted” 
3. Clear text in the kickstart file 
“rootpw --plaintext”
Kickstart Files 
Examples
Kickstart Files 
Examples
ElasticSearch
elasticsearch 
Provides a distributed, multitenant-capable full-text 
search engine with a RESTful web 
interface and schema-free JSON documents. 
● GET request to port 9200 will show version 
"version" : { 
"number" : "1.2.4",
elasticsearch 
● No Authentication 
● Can search stored data via HTTP API 
● Update data with PUT request 
● Join an open cluster and receive all data 
● RCE prior to 1.2.0
elasticsearch 
exploit/multi/elasticsearch/script_mvel_rce
elasticsearch 
Searching via curl/browser is cumbersome 
● Kibana FTW 
○ http://www.elasticsearch.org/overview/kibana/ 
● Edit config.js to point to open Elasticsearch 
● Open index.html in local browser or host on 
a server
elasticsearch (Kibana)
elasticsearch (Kibana)
elasticsearch (Kibana) 
Viewing the content of the document
In-Memory Databases
Redis 
Defaults: 
● No encrypted communication 
● No credentials 
● Port 6379 (TCP) 
● Binds to all interfaces 
○ Moral of the story? Keep off the interwebs!
Redis 
How prevalent is this?
Redis 
You can navigate the DB with the redis-cli
Redis 
Or use the Redis Desktop Manager
Redis 
Feel lucky?
Redis - Fun Commands 
FLUSHALL 
SCRIPT LOAD 
EVAL / EVALSHA 
○ Also - Thanks Adam Baldwin: 
○ https://github.com/evilpacket/redis-sha-crack
memcache 
Free & open source, high-performance, 
distributed memory object caching system 
No code exec, but fun things get put into 
memcache 
Examples
memcache
memcache
memcache
What can we do about 
this?
Actions you can take tomorrow 
● If you have Jenkins, make sure it requires 
authentication 
● Ensure access to tools/systems are only 
available to hosts that need it 
● Change default vagrant private key 
● Update to latest versions of your devops 
tools
Thanks! 
Ken Johnson ken.johnson [at] nvisium.com 
Chris Gates chris [at] carnal0wnage.com

More Related Content

What's hot

Improving WordPress Development and Deployments with Docker
Improving WordPress Development and Deployments with DockerImproving WordPress Development and Deployments with Docker
Improving WordPress Development and Deployments with Docker
Brett Palmer
 
Introduction to Infrastructure as Code & Automation / Introduction to Chef
Introduction to Infrastructure as Code & Automation / Introduction to ChefIntroduction to Infrastructure as Code & Automation / Introduction to Chef
Introduction to Infrastructure as Code & Automation / Introduction to Chef
Nathen Harvey
 
Learn nginx in 90mins
Learn nginx in 90minsLearn nginx in 90mins
Learn nginx in 90mins
Larry Cai
 
Csp and http headers
Csp and http headersCsp and http headers
Csp and http headers
ColdFusionConference
 
The State of WebSockets in Django
The State of WebSockets in DjangoThe State of WebSockets in Django
The State of WebSockets in Django
Rami Sayar
 
Rock Solid Deployment of Web Applications
Rock Solid Deployment of Web ApplicationsRock Solid Deployment of Web Applications
Rock Solid Deployment of Web Applications
Pablo Godel
 
Evolution of deploy.sh
Evolution of deploy.shEvolution of deploy.sh
Evolution of deploy.sh
Leonid Mamchenkov
 
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon
 
DevOpsDays Singapore Habitat Ignite
DevOpsDays Singapore Habitat IgniteDevOpsDays Singapore Habitat Ignite
DevOpsDays Singapore Habitat Ignite
Matt Ray
 
Adventures with Podman and Varlink
Adventures with Podman and VarlinkAdventures with Podman and Varlink
Adventures with Podman and Varlink
Jeremy Brown
 
System Hardening Using Ansible
System Hardening Using AnsibleSystem Hardening Using Ansible
System Hardening Using Ansible
Sonatype
 
Continuous Integration and Deployment Best Practices on AWS (ARC307) | AWS re...
Continuous Integration and Deployment Best Practices on AWS (ARC307) | AWS re...Continuous Integration and Deployment Best Practices on AWS (ARC307) | AWS re...
Continuous Integration and Deployment Best Practices on AWS (ARC307) | AWS re...
Amazon Web Services
 
Introduction openstack-meetup-nov-28
Introduction openstack-meetup-nov-28Introduction openstack-meetup-nov-28
Introduction openstack-meetup-nov-28
Sadique Puthen
 
SANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMISANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMI
Joe Slowik
 
DevSecCon Singapore 2018 - System call auditing made effective with machine l...
DevSecCon Singapore 2018 - System call auditing made effective with machine l...DevSecCon Singapore 2018 - System call auditing made effective with machine l...
DevSecCon Singapore 2018 - System call auditing made effective with machine l...
DevSecCon
 
Three amigos: Bitbucket + Jenkins + Docker
Three amigos: Bitbucket + Jenkins + DockerThree amigos: Bitbucket + Jenkins + Docker
Three amigos: Bitbucket + Jenkins + Docker
Daniel Gordillo
 
SymfonyCon Madrid 2014 - Rock Solid Deployment of Symfony Apps
SymfonyCon Madrid 2014 - Rock Solid Deployment of Symfony AppsSymfonyCon Madrid 2014 - Rock Solid Deployment of Symfony Apps
SymfonyCon Madrid 2014 - Rock Solid Deployment of Symfony Apps
Pablo Godel
 
From pets to cattle - powered by CoreOS, docker, Mesos & nginx
From pets to cattle - powered by CoreOS, docker, Mesos & nginxFrom pets to cattle - powered by CoreOS, docker, Mesos & nginx
From pets to cattle - powered by CoreOS, docker, Mesos & nginx
QAware GmbH
 
Drupal Continuous Integration with Jenkins - The Basics
Drupal Continuous Integration with Jenkins - The BasicsDrupal Continuous Integration with Jenkins - The Basics
Drupal Continuous Integration with Jenkins - The Basics
John Smith
 
Testing the Enterprise layers, with Arquillian
Testing the Enterprise layers, with ArquillianTesting the Enterprise layers, with Arquillian
Testing the Enterprise layers, with Arquillian
Virtual JBoss User Group
 

What's hot (20)

Improving WordPress Development and Deployments with Docker
Improving WordPress Development and Deployments with DockerImproving WordPress Development and Deployments with Docker
Improving WordPress Development and Deployments with Docker
 
Introduction to Infrastructure as Code & Automation / Introduction to Chef
Introduction to Infrastructure as Code & Automation / Introduction to ChefIntroduction to Infrastructure as Code & Automation / Introduction to Chef
Introduction to Infrastructure as Code & Automation / Introduction to Chef
 
Learn nginx in 90mins
Learn nginx in 90minsLearn nginx in 90mins
Learn nginx in 90mins
 
Csp and http headers
Csp and http headersCsp and http headers
Csp and http headers
 
The State of WebSockets in Django
The State of WebSockets in DjangoThe State of WebSockets in Django
The State of WebSockets in Django
 
Rock Solid Deployment of Web Applications
Rock Solid Deployment of Web ApplicationsRock Solid Deployment of Web Applications
Rock Solid Deployment of Web Applications
 
Evolution of deploy.sh
Evolution of deploy.shEvolution of deploy.sh
Evolution of deploy.sh
 
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
 
DevOpsDays Singapore Habitat Ignite
DevOpsDays Singapore Habitat IgniteDevOpsDays Singapore Habitat Ignite
DevOpsDays Singapore Habitat Ignite
 
Adventures with Podman and Varlink
Adventures with Podman and VarlinkAdventures with Podman and Varlink
Adventures with Podman and Varlink
 
System Hardening Using Ansible
System Hardening Using AnsibleSystem Hardening Using Ansible
System Hardening Using Ansible
 
Continuous Integration and Deployment Best Practices on AWS (ARC307) | AWS re...
Continuous Integration and Deployment Best Practices on AWS (ARC307) | AWS re...Continuous Integration and Deployment Best Practices on AWS (ARC307) | AWS re...
Continuous Integration and Deployment Best Practices on AWS (ARC307) | AWS re...
 
Introduction openstack-meetup-nov-28
Introduction openstack-meetup-nov-28Introduction openstack-meetup-nov-28
Introduction openstack-meetup-nov-28
 
SANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMISANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMI
 
DevSecCon Singapore 2018 - System call auditing made effective with machine l...
DevSecCon Singapore 2018 - System call auditing made effective with machine l...DevSecCon Singapore 2018 - System call auditing made effective with machine l...
DevSecCon Singapore 2018 - System call auditing made effective with machine l...
 
Three amigos: Bitbucket + Jenkins + Docker
Three amigos: Bitbucket + Jenkins + DockerThree amigos: Bitbucket + Jenkins + Docker
Three amigos: Bitbucket + Jenkins + Docker
 
SymfonyCon Madrid 2014 - Rock Solid Deployment of Symfony Apps
SymfonyCon Madrid 2014 - Rock Solid Deployment of Symfony AppsSymfonyCon Madrid 2014 - Rock Solid Deployment of Symfony Apps
SymfonyCon Madrid 2014 - Rock Solid Deployment of Symfony Apps
 
From pets to cattle - powered by CoreOS, docker, Mesos & nginx
From pets to cattle - powered by CoreOS, docker, Mesos & nginxFrom pets to cattle - powered by CoreOS, docker, Mesos & nginx
From pets to cattle - powered by CoreOS, docker, Mesos & nginx
 
Drupal Continuous Integration with Jenkins - The Basics
Drupal Continuous Integration with Jenkins - The BasicsDrupal Continuous Integration with Jenkins - The Basics
Drupal Continuous Integration with Jenkins - The Basics
 
Testing the Enterprise layers, with Arquillian
Testing the Enterprise layers, with ArquillianTesting the Enterprise layers, with Arquillian
Testing the Enterprise layers, with Arquillian
 

Similar to LasCon 2014 DevOoops

Road to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoopsRoad to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoops
Gianluca Varisco
 
Developing with-devstack
Developing with-devstackDeveloping with-devstack
Developing with-devstack
Deepak Garg
 
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Codemotion
 
Containers - Portable, repeatable user-oriented application delivery. Build, ...
Containers - Portable, repeatable user-oriented application delivery. Build, ...Containers - Portable, repeatable user-oriented application delivery. Build, ...
Containers - Portable, repeatable user-oriented application delivery. Build, ...
Walid Shaari
 
Настройка окружения для кросскомпиляции проектов на основе docker'a
Настройка окружения для кросскомпиляции проектов на основе docker'aНастройка окружения для кросскомпиляции проектов на основе docker'a
Настройка окружения для кросскомпиляции проектов на основе docker'a
corehard_by
 
DVC - Git-like Data Version Control for Machine Learning projects
DVC - Git-like Data Version Control for Machine Learning projectsDVC - Git-like Data Version Control for Machine Learning projects
DVC - Git-like Data Version Control for Machine Learning projects
Francesco Casalegno
 
Containers Roadshow: How to Develop Containers for the Enterprise
Containers Roadshow: How to Develop Containers for the EnterpriseContainers Roadshow: How to Develop Containers for the Enterprise
Containers Roadshow: How to Develop Containers for the Enterprise
Honza Horák
 
Git Workshop : Git On The Server
Git Workshop : Git On The ServerGit Workshop : Git On The Server
Git Workshop : Git On The Server
Wildan Maulana
 
Continuous Delivery w projekcie Open Source - Marcin Stachniuk - DevCrowd 2017
Continuous Delivery w projekcie Open Source - Marcin Stachniuk - DevCrowd 2017Continuous Delivery w projekcie Open Source - Marcin Stachniuk - DevCrowd 2017
Continuous Delivery w projekcie Open Source - Marcin Stachniuk - DevCrowd 2017
MarcinStachniuk
 
FOSDEM 2017: GitLab CI
FOSDEM 2017:  GitLab CIFOSDEM 2017:  GitLab CI
FOSDEM 2017: GitLab CI
OlinData
 
Techtalks: taking docker to production
Techtalks: taking docker to productionTechtalks: taking docker to production
Techtalks: taking docker to production
muayyad alsadi
 
JOSA TechTalk: Taking Docker to Production
JOSA TechTalk: Taking Docker to ProductionJOSA TechTalk: Taking Docker to Production
JOSA TechTalk: Taking Docker to Production
Jordan Open Source Association
 
Introduction to Docker at Glidewell Laboratories in Orange County
Introduction to Docker at Glidewell Laboratories in Orange CountyIntroduction to Docker at Glidewell Laboratories in Orange County
Introduction to Docker at Glidewell Laboratories in Orange County
Jérôme Petazzoni
 
[EXTENDED] Ceph, Docker, Heroku Slugs, CoreOS and Deis Overview
[EXTENDED] Ceph, Docker, Heroku Slugs, CoreOS and Deis Overview[EXTENDED] Ceph, Docker, Heroku Slugs, CoreOS and Deis Overview
[EXTENDED] Ceph, Docker, Heroku Slugs, CoreOS and Deis Overview
Leo Lorieri
 
Nagios Conference 2014 - Spenser Reinhardt - Detecting Security Breaches With...
Nagios Conference 2014 - Spenser Reinhardt - Detecting Security Breaches With...Nagios Conference 2014 - Spenser Reinhardt - Detecting Security Breaches With...
Nagios Conference 2014 - Spenser Reinhardt - Detecting Security Breaches With...
Nagios
 
Wonderful world of (distributed) SCM or VCS
Wonderful world of (distributed) SCM or VCSWonderful world of (distributed) SCM or VCS
Wonderful world of (distributed) SCM or VCS
Vlatko Kosturjak
 
Bgoug 2019.11 building free, open-source, plsql products in cloud
Bgoug 2019.11   building free, open-source, plsql products in cloudBgoug 2019.11   building free, open-source, plsql products in cloud
Bgoug 2019.11 building free, open-source, plsql products in cloud
Jacek Gebal
 
My "Perfect" Toolchain Setup for Grails Projects
My "Perfect" Toolchain Setup for Grails ProjectsMy "Perfect" Toolchain Setup for Grails Projects
My "Perfect" Toolchain Setup for Grails Projects
GR8Conf
 
BloodHound Unleashed.pdf
BloodHound Unleashed.pdfBloodHound Unleashed.pdf
BloodHound Unleashed.pdf
n00py1
 
Ranger admin dev overview
Ranger admin dev overviewRanger admin dev overview
Ranger admin dev overview
Tushar Dudhatra
 

Similar to LasCon 2014 DevOoops (20)

Road to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoopsRoad to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoops
 
Developing with-devstack
Developing with-devstackDeveloping with-devstack
Developing with-devstack
 
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
 
Containers - Portable, repeatable user-oriented application delivery. Build, ...
Containers - Portable, repeatable user-oriented application delivery. Build, ...Containers - Portable, repeatable user-oriented application delivery. Build, ...
Containers - Portable, repeatable user-oriented application delivery. Build, ...
 
Настройка окружения для кросскомпиляции проектов на основе docker'a
Настройка окружения для кросскомпиляции проектов на основе docker'aНастройка окружения для кросскомпиляции проектов на основе docker'a
Настройка окружения для кросскомпиляции проектов на основе docker'a
 
DVC - Git-like Data Version Control for Machine Learning projects
DVC - Git-like Data Version Control for Machine Learning projectsDVC - Git-like Data Version Control for Machine Learning projects
DVC - Git-like Data Version Control for Machine Learning projects
 
Containers Roadshow: How to Develop Containers for the Enterprise
Containers Roadshow: How to Develop Containers for the EnterpriseContainers Roadshow: How to Develop Containers for the Enterprise
Containers Roadshow: How to Develop Containers for the Enterprise
 
Git Workshop : Git On The Server
Git Workshop : Git On The ServerGit Workshop : Git On The Server
Git Workshop : Git On The Server
 
Continuous Delivery w projekcie Open Source - Marcin Stachniuk - DevCrowd 2017
Continuous Delivery w projekcie Open Source - Marcin Stachniuk - DevCrowd 2017Continuous Delivery w projekcie Open Source - Marcin Stachniuk - DevCrowd 2017
Continuous Delivery w projekcie Open Source - Marcin Stachniuk - DevCrowd 2017
 
FOSDEM 2017: GitLab CI
FOSDEM 2017:  GitLab CIFOSDEM 2017:  GitLab CI
FOSDEM 2017: GitLab CI
 
Techtalks: taking docker to production
Techtalks: taking docker to productionTechtalks: taking docker to production
Techtalks: taking docker to production
 
JOSA TechTalk: Taking Docker to Production
JOSA TechTalk: Taking Docker to ProductionJOSA TechTalk: Taking Docker to Production
JOSA TechTalk: Taking Docker to Production
 
Introduction to Docker at Glidewell Laboratories in Orange County
Introduction to Docker at Glidewell Laboratories in Orange CountyIntroduction to Docker at Glidewell Laboratories in Orange County
Introduction to Docker at Glidewell Laboratories in Orange County
 
[EXTENDED] Ceph, Docker, Heroku Slugs, CoreOS and Deis Overview
[EXTENDED] Ceph, Docker, Heroku Slugs, CoreOS and Deis Overview[EXTENDED] Ceph, Docker, Heroku Slugs, CoreOS and Deis Overview
[EXTENDED] Ceph, Docker, Heroku Slugs, CoreOS and Deis Overview
 
Nagios Conference 2014 - Spenser Reinhardt - Detecting Security Breaches With...
Nagios Conference 2014 - Spenser Reinhardt - Detecting Security Breaches With...Nagios Conference 2014 - Spenser Reinhardt - Detecting Security Breaches With...
Nagios Conference 2014 - Spenser Reinhardt - Detecting Security Breaches With...
 
Wonderful world of (distributed) SCM or VCS
Wonderful world of (distributed) SCM or VCSWonderful world of (distributed) SCM or VCS
Wonderful world of (distributed) SCM or VCS
 
Bgoug 2019.11 building free, open-source, plsql products in cloud
Bgoug 2019.11   building free, open-source, plsql products in cloudBgoug 2019.11   building free, open-source, plsql products in cloud
Bgoug 2019.11 building free, open-source, plsql products in cloud
 
My "Perfect" Toolchain Setup for Grails Projects
My "Perfect" Toolchain Setup for Grails ProjectsMy "Perfect" Toolchain Setup for Grails Projects
My "Perfect" Toolchain Setup for Grails Projects
 
BloodHound Unleashed.pdf
BloodHound Unleashed.pdfBloodHound Unleashed.pdf
BloodHound Unleashed.pdf
 
Ranger admin dev overview
Ranger admin dev overviewRanger admin dev overview
Ranger admin dev overview
 

More from Chris Gates

Reiki 101 - Defcon29 MHHV
Reiki 101 - Defcon29 MHHVReiki 101 - Defcon29 MHHV
Reiki 101 - Defcon29 MHHV
Chris Gates
 
WeirdAAL (Awesome Attack Library) CactusCon 2018
WeirdAAL (Awesome Attack Library) CactusCon 2018WeirdAAL (Awesome Attack Library) CactusCon 2018
WeirdAAL (Awesome Attack Library) CactusCon 2018
Chris Gates
 
WeirdAAL (AWS Attack Library)
WeirdAAL (AWS Attack Library) WeirdAAL (AWS Attack Library)
WeirdAAL (AWS Attack Library)
Chris Gates
 
PENETRATION TESTING FROM A HOT TUB TIME MACHINE
PENETRATION TESTING FROM A HOT TUB TIME MACHINEPENETRATION TESTING FROM A HOT TUB TIME MACHINE
PENETRATION TESTING FROM A HOT TUB TIME MACHINE
Chris Gates
 
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017
Chris Gates
 
Home Arcade setup (NoVA Hackers)
Home Arcade setup (NoVA Hackers)Home Arcade setup (NoVA Hackers)
Home Arcade setup (NoVA Hackers)
Chris Gates
 
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Chris Gates
 
Open Canary - novahackers
Open Canary - novahackersOpen Canary - novahackers
Open Canary - novahackers
Chris Gates
 
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone  Sector...Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone  Sector...
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
Chris Gates
 
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates  - AppSec USA 2016DevOops Redux Ken Johnson Chris Gates  - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
Chris Gates
 
Going Purple : From full time breaker to part time fixer: 1 year later
Going Purple : From full time breaker to part time fixer: 1 year later Going Purple : From full time breaker to part time fixer: 1 year later
Going Purple : From full time breaker to part time fixer: 1 year later
Chris Gates
 
Appsec DC - wXf -2010
Appsec DC - wXf  -2010Appsec DC - wXf  -2010
Appsec DC - wXf -2010
Chris Gates
 
Top Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions TodayTop Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions Today
Chris Gates
 
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Chris Gates
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
Chris Gates
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Chris Gates
 
ColdFusion for Penetration Testers
ColdFusion for Penetration TestersColdFusion for Penetration Testers
ColdFusion for Penetration Testers
Chris Gates
 
MSF Auxiliary Modules
MSF Auxiliary ModulesMSF Auxiliary Modules
MSF Auxiliary Modules
Chris Gates
 
Lares from LOW to PWNED
Lares from LOW to PWNEDLares from LOW to PWNED
Lares from LOW to PWNED
Chris Gates
 
Open Source Information Gathering Brucon Edition
Open Source Information Gathering Brucon EditionOpen Source Information Gathering Brucon Edition
Open Source Information Gathering Brucon Edition
Chris Gates
 

More from Chris Gates (20)

Reiki 101 - Defcon29 MHHV
Reiki 101 - Defcon29 MHHVReiki 101 - Defcon29 MHHV
Reiki 101 - Defcon29 MHHV
 
WeirdAAL (Awesome Attack Library) CactusCon 2018
WeirdAAL (Awesome Attack Library) CactusCon 2018WeirdAAL (Awesome Attack Library) CactusCon 2018
WeirdAAL (Awesome Attack Library) CactusCon 2018
 
WeirdAAL (AWS Attack Library)
WeirdAAL (AWS Attack Library) WeirdAAL (AWS Attack Library)
WeirdAAL (AWS Attack Library)
 
PENETRATION TESTING FROM A HOT TUB TIME MACHINE
PENETRATION TESTING FROM A HOT TUB TIME MACHINEPENETRATION TESTING FROM A HOT TUB TIME MACHINE
PENETRATION TESTING FROM A HOT TUB TIME MACHINE
 
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017
 
Home Arcade setup (NoVA Hackers)
Home Arcade setup (NoVA Hackers)Home Arcade setup (NoVA Hackers)
Home Arcade setup (NoVA Hackers)
 
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
 
Open Canary - novahackers
Open Canary - novahackersOpen Canary - novahackers
Open Canary - novahackers
 
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone  Sector...Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone  Sector...
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
 
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates  - AppSec USA 2016DevOops Redux Ken Johnson Chris Gates  - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
 
Going Purple : From full time breaker to part time fixer: 1 year later
Going Purple : From full time breaker to part time fixer: 1 year later Going Purple : From full time breaker to part time fixer: 1 year later
Going Purple : From full time breaker to part time fixer: 1 year later
 
Appsec DC - wXf -2010
Appsec DC - wXf  -2010Appsec DC - wXf  -2010
Appsec DC - wXf -2010
 
Top Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions TodayTop Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions Today
 
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
 
ColdFusion for Penetration Testers
ColdFusion for Penetration TestersColdFusion for Penetration Testers
ColdFusion for Penetration Testers
 
MSF Auxiliary Modules
MSF Auxiliary ModulesMSF Auxiliary Modules
MSF Auxiliary Modules
 
Lares from LOW to PWNED
Lares from LOW to PWNEDLares from LOW to PWNED
Lares from LOW to PWNED
 
Open Source Information Gathering Brucon Edition
Open Source Information Gathering Brucon EditionOpen Source Information Gathering Brucon Edition
Open Source Information Gathering Brucon Edition
 

Recently uploaded

The Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptxThe Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptx
operationspcvita
 
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
Jason Yip
 
AI in the Workplace Reskilling, Upskilling, and Future Work.pptx
AI in the Workplace Reskilling, Upskilling, and Future Work.pptxAI in the Workplace Reskilling, Upskilling, and Future Work.pptx
AI in the Workplace Reskilling, Upskilling, and Future Work.pptx
Sunil Jagani
 
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
AlexanderRichford
 
Essentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation ParametersEssentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation Parameters
Safe Software
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
AstuteBusiness
 
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving
 
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid ResearchHarnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
Neo4j
 
Demystifying Knowledge Management through Storytelling
Demystifying Knowledge Management through StorytellingDemystifying Knowledge Management through Storytelling
Demystifying Knowledge Management through Storytelling
Enterprise Knowledge
 
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
"Scaling RAG Applications to serve millions of users",  Kevin Goedecke"Scaling RAG Applications to serve millions of users",  Kevin Goedecke
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
Fwdays
 
Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!
Tobias Schneck
 
AWS Certified Solutions Architect Associate (SAA-C03)
AWS Certified Solutions Architect Associate (SAA-C03)AWS Certified Solutions Architect Associate (SAA-C03)
AWS Certified Solutions Architect Associate (SAA-C03)
HarpalGohil4
 
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdfLee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
leebarnesutopia
 
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and BioinformaticiansBiomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Neo4j
 
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
DanBrown980551
 
QA or the Highway - Component Testing: Bridging the gap between frontend appl...
QA or the Highway - Component Testing: Bridging the gap between frontend appl...QA or the Highway - Component Testing: Bridging the gap between frontend appl...
QA or the Highway - Component Testing: Bridging the gap between frontend appl...
zjhamm304
 
Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
Neo4j
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
Ivo Velitchkov
 
"What does it really mean for your system to be available, or how to define w...
"What does it really mean for your system to be available, or how to define w..."What does it really mean for your system to be available, or how to define w...
"What does it really mean for your system to be available, or how to define w...
Fwdays
 
Getting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
Getting the Most Out of ScyllaDB Monitoring: ShareChat's TipsGetting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
Getting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
ScyllaDB
 

Recently uploaded (20)

The Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptxThe Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptx
 
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
 
AI in the Workplace Reskilling, Upskilling, and Future Work.pptx
AI in the Workplace Reskilling, Upskilling, and Future Work.pptxAI in the Workplace Reskilling, Upskilling, and Future Work.pptx
AI in the Workplace Reskilling, Upskilling, and Future Work.pptx
 
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
 
Essentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation ParametersEssentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation Parameters
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
 
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024
 
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid ResearchHarnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
 
Demystifying Knowledge Management through Storytelling
Demystifying Knowledge Management through StorytellingDemystifying Knowledge Management through Storytelling
Demystifying Knowledge Management through Storytelling
 
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
"Scaling RAG Applications to serve millions of users",  Kevin Goedecke"Scaling RAG Applications to serve millions of users",  Kevin Goedecke
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
 
Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!
 
AWS Certified Solutions Architect Associate (SAA-C03)
AWS Certified Solutions Architect Associate (SAA-C03)AWS Certified Solutions Architect Associate (SAA-C03)
AWS Certified Solutions Architect Associate (SAA-C03)
 
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdfLee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
 
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and BioinformaticiansBiomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
 
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
 
QA or the Highway - Component Testing: Bridging the gap between frontend appl...
QA or the Highway - Component Testing: Bridging the gap between frontend appl...QA or the Highway - Component Testing: Bridging the gap between frontend appl...
QA or the Highway - Component Testing: Bridging the gap between frontend appl...
 
Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
 
"What does it really mean for your system to be available, or how to define w...
"What does it really mean for your system to be available, or how to define w..."What does it really mean for your system to be available, or how to define w...
"What does it really mean for your system to be available, or how to define w...
 
Getting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
Getting the Most Out of ScyllaDB Monitoring: ShareChat's TipsGetting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
Getting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
 

LasCon 2014 DevOoops

  • 2. Who Ken Ken Johnson (@cktricky) ● CTO (@nVisium) ● Railsgoat Co-Author ● (One) of the voices of SecCasts
  • 3. Who Chris Chris Gates (CG) @carnal0wnage ● Security Engineer (Facebook) ● NoVA Hackers Co-Founder ● http://carnal0wnage.attackresearch.com
  • 4. Why This Talk Increase awareness around DevOps infra security Provide solutions Demonstrate impact, regardless of where the infrastructure is deployed (internal, external, cloud)
  • 5. Agenda ● GitHub ● Revision Control Tools ● Continuous Integration Tools ● AWS Config Files ● Client Provisioning Tools ● Elasticsearch ● In-Memory Databases
  • 7. GitHub Search GitHub Advanced Search ● GitHub supports advanced search operators ● Google hacking for GitHub ○ http://seclists.org/fulldisclosure/2013/Jun/15 ○ http://blog.conviso.com.br/2013/06/github-hacking-for-fun-and-sensitive.html GitHub OSINT ● Check $company employee repos for uh ohs ○ internal project commits, passwords, etc
  • 8. Git Fun Can we impersonate other GitHub users? Sort of.
  • 9. Git Fun Let’s be Linus...
  • 11. Git Fun Result: It appears Linus committed to our repo
  • 12. Git Fun (Review) ● Audit who has access to your repos ○ Have a process to remove ex-employees ○ Consider auditing their personal repos for leaks ● Be suspicious of Pull Requests ○ From “trusted” authors (they can be spoofed) ○ With massive code changes within the PR (can potentially introduce vulns)
  • 13. GitHub Org “To Do’s” Forks need be deleted if a member leaves your org ● https://help.github.com/articles/deleting-a-private-fork-of-a-private- organization-repository/ Audit organization members for 2 factor authentication ● https://developer.github.com/changes/2014-01-29-audit-org-members- for-2fa/
  • 15. .Git Exposed Do you have your .git folder exposed on a webserver outside? ● Or inside? ● Access to .git content can allow for full source download. ● Use wget, DVCS-Pillage, or dvcs-ripper to archive and recreate the repo locally. https://github.com/evilpacket/DVCS-Pillage https://github.com/kost/dvcs-ripper
  • 16. .Git Exposed If directory listings are enabled, it’s simple to get source $ mkdir git-test $ cd git-test $ wget --mirror --include-directories=/.git http://www. example.com/.git Then $ cd www.example.com $ git reset --hard HEAD is now at [...] You now have the source of the site
  • 18. .Git Exposed If directory listings are NOT enabled ● Test by checking for .git/config ● Use DVCS-Pillage or dvcs-ripper to download the source. DVCS-Pillage also supports Mercurial (HG) and Bazaar (BZR).
  • 19. .Git Exposed What can you get? ● Creds, config files, source code, dev names, public keys, email addresses, etc ● repo history: vulns fixed, passwords/keys checked in but removed later :-) ● wordpress config files common ● site/database backups in .git ● session generation keys
  • 20. .Git Exposed Internal GitHub Enterprise ties into organization’s LDAP or Active Directory. ● Find devops/devpassword equivalent ● Download source code ● Log in and search for interesting things
  • 21. Subversion Subversion 1.6 (and earlier) ● Check for .entries files ● Walk svn chain to retrieve source ● Example: ○ http://somedomain.com/.svn/text-base/index.php.svn-base ● Metasploit Auxiliary Module: ○ auxiliary/scanner/http/svn_scanner Reference: http://pen-testing.sans.org/blog/pen-testing/2012/12/06/all-your-svn-are-belong-to-us
  • 22. Subversion Subversion 1.7 and later ● Working copy and changes stored in a sqlite database ● Example: ○ http://www.somedomain.com/.svn/wc.db ● Metasploit Auxiliary Module: ○ auxiliary/scanner/http/svn_wcdb_scanner Reference: http://pen-testing.sans.org/blog/pen-testing/2012/12/06/all-your-svn-are-belong-to-us
  • 26.
  • 28. Hudson/Jenkins “Hudson is a continuous integration (CI) tool written in Java, which runs in a servlet container, such as Apache Tomcat or the GlassFish application server” Very popular If you can’t pwn Jenkins then try GlassFish or Tomcat :-)
  • 30. Hudson/Jenkins Shodan search for X-Hudson with HTTP 200
  • 32. Hudson/Jenkins If no authentication required ● Trivial to gain remote code execution via script console ● Metasploit Module ○ exploit/multi/http/jenkins_script_console https://www.pentestgeek.com/2014/06/13/hacking-jenkins-servers-with-no-password/ http://www.labofapenetrationtester.com/2014/06/hacking-jenkins-servers.html http://zeroknock.blogspot.com/search/label/Hacking%20Jenkins
  • 35. Hudson/Jenkins Metasploit exploit module for script console
  • 36. Hudson/Jenkins You can lock down script console access by turning on authentication ● However, if it’s set to local auth, you can register as a regular user :-) ● ...then get access to the /script
  • 37. Hudson/Jenkins If you have access to /view/All/newJob, create a new build and run commands
  • 39. Hudson/Jenkins Can you browse a workspace?
  • 43. AWS - CLI Dev Tools AWS stores creds in plaintext in **hidden files** Typically privileged access
  • 44. AWS - CLI Dev Tools
  • 45. AWS - CLI Dev Tools + EB
  • 46. AWS - Pivoting Once credentials are obtained, leverage nimbostratus to pivot http://andresriancho.github.io/nimbostratus/ or… just leverage any of the open source libraries available to interact with AWS
  • 48. Chef Chef allows you to define the state your servers (local or cloud) should be in and enforces it.
  • 49. Chef (Web Interface) Default/Weak Creds
  • 50. Chef (Web Interface) Environment Leakage
  • 52. Chef/knife knife is a Chef command line utility ● Credentials stored in data bags ● Can be encrypted ● Example: $ knife data bag list
  • 56. Vagrant Did you change your SSH keys?
  • 57. Vagrant ● Default Credentials ○ root/vagrant vagrant/vagrant ○ No pass to sudo :-)
  • 58. Vagrant Scan using the default private key
  • 59. Vagrant Scan using the default private key
  • 60. Vagrant Identify real from fake by ssh version scan
  • 61. Vagrant Breaking into host from guest http://finite.state.io/blog/2012/10/30/breaking-in-and-out-of-vagrant/ “Put evil things in /vagrant/.git/hooks/post-commit and wait for the user to commit some code. Since the /vagrant/ directory is mounted from the host, my hook will persist even if the user destroys the VM.”
  • 62. Kickstart Files 3 ways to set root password 1. Enter during installation 2. Crypted hash in the kickstart file “rootpw --iscrypted” 3. Clear text in the kickstart file “rootpw --plaintext”
  • 66. elasticsearch Provides a distributed, multitenant-capable full-text search engine with a RESTful web interface and schema-free JSON documents. ● GET request to port 9200 will show version "version" : { "number" : "1.2.4",
  • 67. elasticsearch ● No Authentication ● Can search stored data via HTTP API ● Update data with PUT request ● Join an open cluster and receive all data ● RCE prior to 1.2.0
  • 69. elasticsearch Searching via curl/browser is cumbersome ● Kibana FTW ○ http://www.elasticsearch.org/overview/kibana/ ● Edit config.js to point to open Elasticsearch ● Open index.html in local browser or host on a server
  • 72. elasticsearch (Kibana) Viewing the content of the document
  • 74. Redis Defaults: ● No encrypted communication ● No credentials ● Port 6379 (TCP) ● Binds to all interfaces ○ Moral of the story? Keep off the interwebs!
  • 76. Redis You can navigate the DB with the redis-cli
  • 77. Redis Or use the Redis Desktop Manager
  • 79. Redis - Fun Commands FLUSHALL SCRIPT LOAD EVAL / EVALSHA ○ Also - Thanks Adam Baldwin: ○ https://github.com/evilpacket/redis-sha-crack
  • 80. memcache Free & open source, high-performance, distributed memory object caching system No code exec, but fun things get put into memcache Examples
  • 84. What can we do about this?
  • 85. Actions you can take tomorrow ● If you have Jenkins, make sure it requires authentication ● Ensure access to tools/systems are only available to hosts that need it ● Change default vagrant private key ● Update to latest versions of your devops tools
  • 86. Thanks! Ken Johnson ken.johnson [at] nvisium.com Chris Gates chris [at] carnal0wnage.com