grep 'in.security' /etc/group
A cyber security consultancy offering specialist technical and training services
Technical
• Vulnerability Assessments
• Penetration Testing
• Red Team Engagements
• Social Engineering Engagements
• Wireless Security Assessments
• Password Audits
• Build Reviews
• Firewall Reviews
© in.security Ltd 2019, all rights reserved
$whoami /all
Will Hunt
• Co-founder of in.security
• 10+ years in cyber
• Assists UK Government
• Hacker, formerly digital forensics
• Trained at various conferences including Black Hat USA/EU
• @Stealthsploit
• https://stealthsploit.com
$whoami /all
Owen Shearing
• Co-founder of in.security
• 14+ years in technical roles
• Trained at various bespoke events and conferences including Black Hat Asia, USA and EU
• CREST CCT
• @rebootuser
• https://rebootuser.com / https://github.com/rebootuser
The LAB
• The MGT network hosts LAB resources for all students to access, including:
  • Phishing Platform (Gophish)
  • ELK Stack
  • CTF Platform
• Kali network (attackers) – this is you!
• The Dev network – routable from the attackers' subnet
• Two undiscovered, firewalled subnets! + a third subnet unlocked after training completes!
[Lab network diagram: MGT, Attackers and Dev subnets]
Topics…
OSINT techniques
IPv4 / IPv6 discovery & enumeration
Automated vulnerability scanning
Introduction into exploitation frameworks & Mobile devices
Linux enumeration, shells, privilege escalation & post exploitation
P@ssw0rd cracking (Linux)
Windows enumeration
Creating & executing a phishing campaign
P@ssw0rd cracking (Windows)
Windows shells, privilege escalation, post exploitation & info gathering
Defensive monitoring
Restricted environment breakouts
Pivoting and lateral movement
Identifying further targets
Database/application enumeration & exploitation
Domain/trust compromise
Persistence & exfiltration
Our 45min Pwnage Plan…
Phish >
Kibana >
Phish#2 >
Enumeration >
Exfiltration >
Password Cr@cK5 >
SOCKS Proxies >
OOB Persistence!
Phishing – Delivery & Payloads
Delivery Examples
• Email, generic ‘campaign’ or targeted attack (spear phishing)
• SMS (Smishing) / Voice (Vishing)
• Web based (malicious/hacked website)
• Malvertising
Payload Examples
• Data collection via hosted forms (credentials, personal/sensitive information, payment details)
• Spoofing and/or content injection targeting legitimate websites
• Embedded code in attached Office documents (Macros, DDE)
• Exploiting vulnerabilities in client-side software (Flash, Acrobat, Java)
Gophish – Users & Groups
Using Gophish for a phishing campaign:
• Targets (Users & Groups tab)
• Email template
• Landing page
• Sending Profile
https://docs.getgophish.com/user-guide
Phishing – HTA Files
• HTML application
• Launched by mshta.exe on Windows (the .hta extension is associated with it by default, so a double-click is enough)
“In short, HTAs pack all the power of Internet Explorer - its object
model, performance, rendering power and protocol support - without
enforcing the strict security model and user interface of the browser”
https://docs.microsoft.com/en-us/previous-versions//ms536496(v=vs.85)
• A nice overview of HTA/command execution
https://9to5it.com/using-html-applications-as-a-powershell-gui/
Phishing – HTA Files
<script language="VBScript">
' Move the HTA window off-screen so the user never sees it
window.moveTo -4000, -4000
cmd = "powershell.exe -c Test-Connection 10.133.251.10"
Set runme = CreateObject("Wscript.Shell")
' Run(command, windowStyle, waitOnReturn): 0 = hidden window, True = block until the command exits
result = runme.Run(cmd, 0, true)
window.close()
</script>
• cmd – the command we are executing
• 0 – window style: hidden
• True – wait for the command to complete before continuing
Our 45min Pwnage Plan…
<DEMO> [Phishing]
Monitoring & Alerting
• Elasticsearch, Logstash, Kibana (ELK)
https://www.elastic.co/products
Elasticsearch – a NoSQL (JSON document store) search engine built on Apache Lucene
Logstash – a pipeline that ingests, processes and outputs log data from various sources
Kibana – a web-based front end for real-time, visual analysis of the data held in Elasticsearch
Sysmon
• Part of the Sysinternals suite
https://docs.microsoft.com/en-gb/sysinternals/downloads/sysmon
• A configuration file containing the desired rules can be supplied at install time (sysmon -i config.xml) or pushed to an existing install (sysmon -c config.xml)
• A great template config from @SwiftOnSecurity
https://github.com/SwiftOnSecurity/sysmon-config
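The point of shipping Sysmon process-creation events into ELK is to catch exactly the chain the HTA phish above produces: mshta.exe launching a script host. The following is an added example, not code from the slides, Sysmon or the Elastic projects: a small detector run over constructed Sysmon Event ID 1 records. The field names (Image, ParentImage, CommandLine, User) follow the Sysmon schema; the flat JSON layout, the rule names and the sample events are assumptions made for the demo.

```python
import json
import ntpath

# Constructed Sysmon Event ID 1 (process create) records, roughly as Winlogbeat would
# ship them into Elasticsearch. Field names follow Sysmon; the flat layout is assumed.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 1, "User": "INSEC\\bob",
                "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
                "Image": r"C:\Windows\System32\mshta.exe",
                "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Users\bob\AppData\Local\Temp\invoice.hta"'}),
    json.dumps({"EventID": 1, "User": "INSEC\\bob",
                "ParentImage": r"C:\Windows\System32\mshta.exe",
                "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "CommandLine": "powershell.exe -c Test-Connection 10.133.251.10"}),
    json.dumps({"EventID": 1, "User": "INSEC\\itadmin",
                "ParentImage": r"C:\Windows\explorer.exe",
                "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "CommandLine": "powershell.exe"}),
    json.dumps({"EventID": 1, "User": "INSEC\\itadmin",
                "ParentImage": r"C:\Windows\explorer.exe",
                "Image": r"C:\Windows\System32\mshta.exe",
                "CommandLine": r'mshta.exe "C:\Program Files\Vendor\setup.hta"'}),
]

# Locations a phished user can write to without admin rights (lower-cased, backslash form).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\downloads\\")
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def _basename(path: str) -> str:
    # ntpath handles Windows separators on any OS the detector runs on
    return ntpath.basename(path).lower()


def classify(event: dict):
    """Return (rule_name, severity) for a Sysmon EID 1 event, or None if nothing matches."""
    if event.get("EventID") != 1:
        return None
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "").lower()
    # Rule 1: an HTA handing off to a script host is the payload firing
    if parent == "mshta.exe" and image in SCRIPT_HOSTS:
        return ("mshta_spawns_script_host", "high")
    # Rule 2: an .hta executed from a user-writable directory is the delivery landing
    if image == "mshta.exe" and ".hta" in cmdline and any(p in cmdline for p in USER_WRITABLE):
        return ("mshta_runs_hta_from_user_dir", "medium")
    return None


def detect(lines) -> list:
    """Run classify() over JSON event lines and return the alerts in input order."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        match = classify(ev)
        if match:
            hits.append({"rule": match[0], "severity": match[1],
                         "user": ev.get("User"), "cmd": ev.get("CommandLine")})
    return hits


if __name__ == "__main__":
    for h in detect(SAMPLE_EVENTS):
        print(f"[{h['severity']}] {h['rule']}: {h['user']} :: {h['cmd']}")
```

The same two rules expressed as a Kibana query would be along the lines of ParentImage ending in mshta.exe with Image ending in powershell.exe, but the exact field names depend on how Winlogbeat or Logstash maps the Sysmon event data, so check an indexed event before writing the saved search.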
A/V & AMSI
• So, why did our initial phish with the msfvenom-generated HTA fail?
….
• Windows Defender: the stock msfvenom HTA/PowerShell stager is well signatured, and the Antimalware Scan Interface (AMSI) hands script content (VBScript/JScript in mshta, PowerShell) to the registered AV engine at execution time, so it is inspected after any on-disk encoding has been stripped away
Our 45min Pwnage Plan…
DEMO… [Monitoring]
Unicorn
• Created by TrustedSec / https://github.com/trustedsec/unicorn
• Simple to use, well documented and regularly updated with new techniques/evasion methods
• A number of payloads rely on a msf handler listening on the attacking system (all required
configs are generated by the tool)
Our 45min Pwnage Plan…
DEMO… [Phishing #2]
Information Gathering
Some questions we're going to be asking ourselves
• What permissions does the compromised account hold?
• Do we have access to any users with interesting group memberships or delegated rights within the domain?
• What systems/networks does the compromised host have access to?
• […
• …]
• What systems are deemed to hold important/sensitive data?
Information Gathering
PowerView
• Part of the PowerSploit package
https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
or, for the latest 3.0 (dev branch) version
https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
• PowerShell script that provides numerous functions for situational awareness and domain enumeration
• A great 'cheatsheet' on functions and usage by @harmj0y
https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993
• Functions include: Get-DomainUser, Get-DomainGroup, Get-DomainGroupMember, Get-NetDomain, Get-DomainPolicy, Get-DomainTrust, Get-DomainComputer, Find-DomainShare + LOADS more
• Note the Get-Domain* names are the 3.0 (dev) naming; the master branch version still uses the older Get-Net* names (Get-NetUser, Get-NetGroup…)
Our 45min Pwnage Plan…
DEMO… [Enumeration]
Password Managers - KeePass
• Password managers/vaults are often used to store privileged credentials and information
• KeePass uses .kdb files (v1) and .kdbx files (v2) to store the database
• We can't just give the file to a password cracker, so we need to extract the hash
• keepass2john can do this and it comes shipped with Kali (part of the john package); its output loads into john directly, or into hashcat as mode 13400
• Caveat: keepass2john handles KDBX 3.x databases; KDBX 4 files (KeePass 2.35+ with the Argon2 KDF) are not supported by it
• Once the master password is cracked we can either install KeePass and load the database, or read it directly from the command line with a tool like kpcli
How Can We Exfil The DataZ?
Transferring files using PowerShell
$FileName = "<target_file>"
$base64string = [Convert]::ToBase64String([IO.File]::ReadAllBytes($FileName))
ReadAllBytes – opens a binary file, reads the contents into a byte array and closes the file*
The resulting Base64 text travels over whatever channel the shell gives you and decodes back to the original bytes with base64 -d on the attacking host
* https://docs.microsoft.com/en-us/dotnet/api/system.io.file.readallbytes
Our 45min Pwnage Plan…
DEMO… [Exfiltration]
Offline Password Cracking
Success depends on a number of factors
• Hash algorithm cost (a fast unsalted hash such as NTLM versus a deliberately slow one such as bcrypt)
• Password length / complexity
• Hardware (GPU/FPGA/ASIC)
Password cracking process
• Hash the clear text candidate
• Compare to the stolen hash
• No match? Start again with the next candidate
• Match = Win!
Brute Force Attack
• Try every possible combination of every character
• Not used 99% of the time…
Pros
• 100% GUARANTEED to crack
Cons
• You likely won't be around to see it happen!
Brute Force Attack
• Key space = charset size ^ length (figures below use the full 95 printable ASCII characters and are the time to exhaust the key space)
• 8x NVIDIA GTX 1080 Ti GPUs – Windows (NTLM) passwords @ 513 GH/s*
• 8 char NTLM = 3.5 hours
• 9 char NTLM = 14 days
• 10 char NTLM = 3.7 years
• 11 char NTLM = 351 years
• 12 char NTLM = 33,401 years
• 13 char NTLM = 3.2 million years
*https://gist.github.com/epixoip/ace60d09981be09544fdd35005051505
Dictionary Attack
Wordlist (candidates):
insecurity
Password
monkey
1234567
Qwerty
letmein
Rules (mangled forms of "insecurity"):
Insecurity
1nsecurity
ins3curity!
Ins3cur1ty
in53cur!ty
• Wordlist contains password candidates
• Most commonly used
• Can be mangled with rules
Pros
• Wordlists contain common passwords
• Mangling addresses the human element
Cons
• Only as good as your dictionary/rules
Our 45min Pwnage Plan…
DEMO… [Cracking]
Routing in Metasploit
• Traffic to target networks can be routed over existing (Meterpreter) sessions…
• To add a route from msfconsole
route add <$network> <$mask> <$sessionID>
• route print lists the active routes; alternatively, from inside a Meterpreter session, run autoroute -s <$network>/<$cidr> adds the route for that session
SOCKS Proxies
• A server that establishes connections to a destination on behalf of a client
• Metasploit SOCKS modules
auxiliary/server/socks4a
auxiliary/server/socks5
"This module provides a socks4a/socks5 proxy server that uses the built-in Metasploit routing to relay connections" * (module description)
• In current Metasploit releases both are merged into auxiliary/server/socks_proxy, with a VERSION option selecting 4a or 5
• This functionality allows programs external to Metasploit to use the routes configured within msf and reach the target system(s)/network(s)
…with the help of proxychains
SOCKS Proxies & Proxychains
• Proxychains / http://proxychains.sourceforge.net
• Supports TCP only (no UDP, with the exception of DNS lookups, which it resolves via the proxy when proxy_dns is set in the config)
• Used to allow *any dynamically linked program to run through a SOCKS proxy (it hooks the socket calls via LD_PRELOAD, so statically linked binaries are not covered)
• Configuration file @ /etc/proxychains.conf (proxychains-ng, as shipped in current Kali, reads /etc/proxychains4.conf); add an entry such as socks4 127.0.0.1 1080 matching the SRVHOST/SRVPORT of the msf module
• Then run a program through the proxy!
proxychains smbclient -W insec-xxxx.local //10.133.50.xxx/<$fileshare> -U <$targetUser>%<$password>
Our 45min Pwnage Plan…
DEMO… [SOCKS & Shellz]
Hiding Data
• Alternate Data Streams (ADS) allow one file system entry to contain multiple data sets (NTFS only)
• The original content is always the unnamed 'main' $DATA stream; additional named streams are appended to the filename, colon delimited
File.txt (main stream)
File.txt:secretdata.txt:$DATA
File.txt:shell.exe:$DATA
• Named streams are not shown in a normal directory listing or counted in the file size, but dir /r lists them and PowerShell's Get-Item -Path File.txt -Stream * enumerates them
• One option to trigger – wmic process call create C:\path\File.txt:shell.exe (use the full path; note wmic is deprecated on current Windows builds)
• A nice article by Oddvar Moe on executing files from ADS
https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
Exfiltrating Data Over ICMP
• ICMP has no ports; messages are distinguished only by type and code (echo request = type 8, echo reply = type 0), and it is often left enabled, forgotten and not monitored
• Overcomes network egress issues when the usual channels are blocked
• icmpsh is a reverse ICMP shell (https://github.com/inquisb/icmpsh)
• Master (server) implementations in C, Perl and Python
• Slave (client) is a Win32 executable
• The kernel on the attacking host must be stopped from answering the slave's echo requests itself (the icmpsh master answers them, with the commands to run in the reply payload), then the master is started
sysctl -w net.ipv4.icmp_echo_ignore_all=1
Our 45min-ish Pwnage Plan…
DEMO… [ADS & OOB ICMP… if time permits!]
</DEMO>
Much, Much More…
June 6th/7th @44CON
https://44con.com/44con-training/hacking-enterprises-exploiting-insecurity/

UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Malak Abu Hammad
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
Zilliz
 
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Vladimir Iglovikov, Ph.D.
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
Neo4j
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Aggregage
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
SOFTTECHHUB
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 

Recently uploaded (20)

UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
 
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 

44CON Hacking Enterprises

  • 2. grep ‘in.security’ /etc/groups
    A cyber security consultancy offering specialist technical and training services
    Technical
      • Vulnerability Assessments
      • Penetration Testing
      • Red Team Engagements
      • Social Engineering Engagements
      • Wireless Security Assessments
      • Password Audits
      • Build Reviews
      • Firewall Reviews
    © in.security Ltd 2019, all rights reserved
  • 3. $whoami /all – Will Hunt
      • Co-founder of in.security
      • 10+ years in cyber
      • Assists UK Government
      • Hacker, formerly digital forensics
      • Trained at various conferences including Black Hat USA/EU
      • @Stealthsploit
      • https://stealthsploit.com
  • 4. $whoami /all – Owen Shearing
      • Co-founder of in.security
      • 14+ years in technical roles
      • Trained at various bespoke events and conferences including Black Hat Asia, USA and EU
      • CREST CCT
      • @rebootuser
      • https://rebootuser.com / https://github.com/rebootuser
  • 5. The LAB
      • The MGT network hosts LAB resources for all students to access, including:
          • Phishing Platform (Gophish)
          • ELK Stack
          • CTF Platform
      • Kali network (attackers) – this is you!
      • The Dev network - routable from attackers subnet
      • Two undiscovered, firewalled subnets! + a third subnet unlocked after training completes!
    [Diagram: MGT, Dev and Attackers networks]
  • 6. Topics…
    [Diagram: MGT, Attackers and Dev networks]
    OSINT techniques
    IPv4 / IPv6 discovery & enumeration
    Automated vulnerability scanning
    Introduction into exploitation frameworks & Mobile devices
    Linux enumeration, shells, privilege escalation & post exploitation
    P@ssw0rd cracking (Linux)
    Windows enumeration
    Creating & executing a phishing campaign
    P@ssw0rd cracking (Windows)
    Windows shells, privilege escalation, post exploitation & info gathering
    Defensive monitoring
    Restricted environment breakouts
    Pivoting and lateral movement
    Identifying further targets
    Database/application enumeration & exploitation
    Domain/trust compromise
    Persistence & exfiltration
  • 7. Our 45min Pwnage Plan…
    Phish > Kibana > Phish#2 > Enumeration > Exfiltration > Password Cr@cK5 > SOCKS Proxies > OOB Persistence!
  • 9. Phishing – Delivery & Payloads
    Delivery Examples
      • Email, generic ‘campaign’ or targeted attack (spear phishing)
      • SMS (Smishing) / Voice (Vishing)
      • Web based (malicious/hacked website)
      • Malvertising
    Payload Examples
      • Data collection via hosted forms (credentials, personal/sensitive information, payment details)
      • Spoofing and/or content injection targeting legitimate websites
      • Embedded code in attached Office documents (Macros, DDE)
      • Exploiting vulnerabilities in client-side software (Flash, Acrobat, Java)
  • 10. Gophish – Users & Groups
    Using Gophish for a phishing campaign:
      • Targets (Users & Groups tab)
      • Email template
      • Landing page
      • Sending Profile
    https://docs.getgophish.com/user-guide
  • 11. Phishing – HTA Files
      • HTML application
      • Launched by mshta.exe on Windows
    “In short, HTAs pack all the power of Internet Explorer - its object model, performance, rendering power and protocol support - without enforcing the strict security model and user interface of the browser”
    https://docs.microsoft.com/en-us/previous-versions//ms536496(v=vs.85)
      • A nice overview of HTA/command execution
    https://9to5it.com/using-html-applications-as-a-powershell-gui/
  • 12. Phishing – HTA Files
    <script language="VBScript">
    window.moveTo -4000, -4000
    cmd = "powershell.exe -c Test-Connection 10.133.251.10"
    Set runme = CreateObject("Wscript.Shell")
    result = runme.Run(cmd, 0, true)
    window.close()
    </script>
      • Cmd – command we are executing
      • 0 – set to hidden
      • True - wait for command to complete before continuing
  • 13. Our 45min Pwnage Plan… <DEMO> [Phishing]
  • 15. Monitoring & Alerting
      • Elasticsearch, Logstash, Kibana (ELK) https://www.elastic.co/products
    Elasticsearch – based on Apache Lucene, a NoSQL (JSON based/document store model) database
    Logstash – a tool to intake, process and output log data from various sources
    Kibana – a web-based frontend to allow real-time, visual analysis of collected data in Elasticsearch
  • 18. Sysmon
      • Part of the Sysinternals suite https://docs.microsoft.com/en-gb/sysinternals/downloads/sysmon
      • A configuration file can be supplied (-i) containing the desired rules
      • A great template config from @SwiftOnSecurity https://github.com/SwiftOnSecurity/sysmon-config
  • 19. A/V & AMSI
      • So, why did our initial phish with the msfvenom-generated HTA fail? ….
      • Well, this would be due to Windows Defender/Antimalware Scan Interface
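Slides 11–12 show mshta.exe running a hidden powershell.exe, and slides 15–19 cover the ELK/Sysmon side that sees it happen. The following is an added example (not code from the deck, from Sysmon or from Elastic): a Python detector that applies two rules to constructed Sysmon Event ID 1 (process creation) records, flattened the way a Logstash pipeline might index them. The flat field names (image, parent_image, command_line, event_id), the hostnames, users and paths are assumptions for the example; the Sysmon fields they stand in for are Image, ParentImage and CommandLine.

```python
# Added example (not from the in.security slides, Sysmon or Elastic): detect the
# parent/child pattern produced by an HTA calling Wscript.Shell.Run, applied to
# constructed Sysmon Event ID 1 (ProcessCreate) records. Flat field names,
# hosts, users and paths are assumptions; real Winlogbeat output nests the
# Sysmon fields (Image, ParentImage, CommandLine) under winlog.event_data.

from typing import Dict, List

# Constructed sample events; every host, user and path here is made up.
SAMPLE_EVENTS: List[Dict] = [
    {"event_id": 1, "host": "ws01", "user": r"CORP\alice",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": r'"C:\Windows\System32\mshta.exe" C:\Users\alice\Downloads\invoice.hta',
     "parent_image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"event_id": 1, "host": "ws01", "user": r"CORP\alice",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -c Test-Connection 10.133.251.10",
     "parent_image": r"C:\Windows\System32\mshta.exe"},
    {"event_id": 1, "host": "ws02", "user": r"CORP\bob",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -File C:\Scripts\inventory.ps1",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"event_id": 3, "host": "ws01", "user": r"CORP\alice",   # network event, not a process start
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest_ip": "10.133.251.10", "dest_port": 445},
]

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
USER_FACING_PARENTS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe",
                       "outlook.exe", "explorer.exe", "winword.exe", "excel.exe"}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict) -> List[str]:
    """Return the names of the rules an event matches (empty list = benign)."""
    if event.get("event_id") != 1:
        return []
    image = basename(event.get("image", ""))
    parent = basename(event.get("parent_image", ""))
    cmdline = event.get("command_line", "").lower()
    hits: List[str] = []
    # Rule 1: a script host spawning a shell. The Run(cmd, 0, true) call inside
    # the HTA shows up here as mshta.exe -> powershell.exe.
    if parent in SCRIPT_HOSTS and image in SHELLS:
        hits.append("script_host_spawned_shell")
    # Rule 2: mshta.exe started from a browser, mail or Office client with an
    # .hta on its command line, i.e. a user opened a delivered HTA file.
    if image == "mshta.exe" and ".hta" in cmdline and parent in USER_FACING_PARENTS:
        hits.append("hta_opened_from_user_app")
    return hits


def detect(events: List[Dict]) -> List[Dict]:
    """Run every event through the rules and return one alert per match."""
    alerts = []
    for ev in events:
        rules = evaluate(ev)
        if rules:
            alerts.append({"host": ev["host"], "user": ev["user"], "rules": rules,
                           "command_line": ev.get("command_line", "")})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The second rule fires when the HTA is opened, the first on what it then does; in the lab both events come from the Sysmon configuration (the SwiftOnSecurity template logs process creation with parent image and command line) and land in Kibana, where the same parent/child filter can be written as a query on the ParentImage and Image fields.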
  • 20. Our 45min Pwnage Plan… DEMO… [Monitoring]
  • 22. Unicorn
      • Created by TrustedSec / https://github.com/trustedsec/unicorn
      • Simple to use, well documented and regularly updated with new techniques/evasion methods
      • A number of payloads rely on an msf handler listening on the attacking system (all required configs are generated by the tool)
  • 23. Our 45min Pwnage Plan… DEMO… [Phishing #2]
  • 25–28. Information Gathering
    Some questions we’re going to be asking ourselves
      • What permissions does the compromised account hold?
      • Do we have access to any users with interesting group memberships or delegated rights within the domain?
      • What systems/networks does the compromised host have access to?
      • […
      • …]
      • What systems are deemed to hold important/sensitive data?
  • 29. Information Gathering – PowerView
      • Part of the PowerSploit package https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon or, for the latest (version 3, development) version, https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
      • PowerShell script that provides numerous functions for situational awareness and domain enumeration
      • A great ‘cheatsheet’ on functions and usage by @harmj0y https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993
      • Functions include: Get-DomainUser, Get-DomainGroup, Get-DomainGroupMember, Get-NetDomain, Get-DomainPolicy, Get-DomainTrust, Get-DomainComputer, Find-DomainShare + LOADS more
  • 30. Our 45min Pwnage Plan… DEMO… [Enumeration]
  • 32. Password Managers – KeePass
      • Password managers/vaults are often used to store privileged credentials and information
      • KeePass uses .kdb files (v1) and .kdbx files (v2) to store the database
      • We can’t just give the file to a password cracker so we need to extract the hash
      • keepass2john can do this and it comes shipped with Kali
      • We could then either install KeePass and load the database, or access directly over the command line using a tool like kpcli
  • 33. How Can We Exfil The DataZ?
    Transferring files using PowerShell
    $FileName = "<target_file>"
    $base64string = [Convert]::ToBase64String([IO.File]::ReadAllBytes($FileName))
    ReadAllBytes – Opens a binary file, reads the contents into a byte array and closes the file*
    * https://docs.microsoft.com/en-us/dotnet/api/system.io.file.readallbytes
  • 34. Our 45min Pwnage Plan… DEMO… [Exfiltration]
  • 36. Offline Password Cracking
    Success depends on a number of factors
      • Algorithm complexity
      • Password length / complexity
      • Hardware (GPU/FPGA/ASIC)
    Password cracking process
      • Hash the clear text candidate
      • Compare to stolen hash
      • No match? Start again
      • Match = Win!
  • 37. Brute Force Attack
      • Try every possible combination of every character
      • Not used 99% of the time…
    Pros
      • 100% GUARANTEED to crack
    Cons
      • You likely won’t be around to see it happen!
  • 38. Brute Force Attack
      • Key space = char set ^ length
      • 8x NVIDIA GTX 1080 Ti GPUs - Windows passwords @ 513 GH/s* (full 95 char set)
          • 8 char NTLM = 3.5 hours
          • 9 char NTLM = 14 days
          • 10 char NTLM = 3.7 years
          • 11 char NTLM = 351 years
          • 12 char NTLM = 33,401 years
          • 13 char NTLM = 3.2 million years
    * https://gist.github.com/epixoip/ace60d09981be09544fdd35005051505
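The slide's table, recomputed as an added example (not from the in.security deck): a small Python helper that turns the key-space formula and the quoted 513 GH/s rate into worst-case exhaust times and, in the other direction, into the minimum length a password policy needs for a chosen lifetime. The 95-character set and the rate are the slide's figures; the 365-day year and the 10-year policy horizon are assumptions.

```python
# Added example (not from the in.security slides): the arithmetic behind
# "Key space = char set ^ length", used as a password-policy helper. The rate
# (513 GH/s for NTLM on 8x GTX 1080 Ti) and the 95-character printable set are
# the slide's figures; the year length and the policy horizon are assumptions.

SECONDS_PER_HOUR = 3_600
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY   # assumed: 365-day years

NTLM_RATE_8X_1080TI = 513e9   # candidates per second, from the slide
PRINTABLE_ASCII = 95          # full printable character set, from the slide


def keyspace(charset_size: int, length: int) -> int:
    """Candidates an exhaustive search must try at exactly this length."""
    return charset_size ** length


def cumulative_keyspace(charset_size: int, max_length: int) -> int:
    """Candidates for every length from 1 up to max_length. A real brute force
    walks the shorter lengths first, so this is the honest total; it is only
    about 1/94 larger than the longest length on its own."""
    return sum(keyspace(charset_size, n) for n in range(1, max_length + 1))


def seconds_to_exhaust(charset_size: int, length: int, rate: float) -> float:
    """Worst-case time to try the whole key space at `rate` candidates/s."""
    return keyspace(charset_size, length) / rate


def human_duration(seconds: float) -> str:
    """Render a duration in the units the slide uses (hours, days, years)."""
    if seconds < SECONDS_PER_DAY:
        return f"{seconds / SECONDS_PER_HOUR:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_DAY:.0f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.1f} years"


def minimum_length_for(target_seconds: float, charset_size: int, rate: float) -> int:
    """Smallest length whose full key space outlasts target_seconds at `rate`.
    This is the policy question: how long must a password be so that the
    attacker's hardware cannot exhaust the space within its lifetime?"""
    length = 1
    while seconds_to_exhaust(charset_size, length, rate) < target_seconds:
        length += 1
    return length


def crack_time_table(charset_size: int, rate: float, lengths=range(8, 14)):
    """(length, worst-case seconds) pairs: the slide's table as data."""
    return [(n, seconds_to_exhaust(charset_size, n, rate)) for n in lengths]


if __name__ == "__main__":
    for n, secs in crack_time_table(PRINTABLE_ASCII, NTLM_RATE_8X_1080TI):
        print(f"{n:2d} char NTLM = {human_duration(secs)}")
    horizon = 10 * SECONDS_PER_YEAR   # assumed policy horizon
    print("Minimum length to outlast a 10-year exhaustive search at this rate:",
          minimum_length_for(horizon, PRINTABLE_ASCII, NTLM_RATE_8X_1080TI))
```

Run as a script it prints the slide's six rows; the 8-character row comes out as 3.6 hours because the slide rounded 3.59 down, and the 12-character row reproduces 33,401 years exactly when the year is taken as 365 days. Swapping in the hash rate for the algorithm actually in use (a slow KDF is orders of magnitude below NTLM) is what makes the policy answer meaningful.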
  • 39. Dictionary Attack
    Wordlist      Rules (mangled forms of ‘insecurity’)
    insecurity    Insecurity
    Password      1nsecurity
    monkey        ins3curity!
    1234567       Ins3cur1ty
    Qwerty        in53cur!ty
    letmein
      • Wordlist contains password candidates
      • Most commonly used
      • Can be mangled with rules
    Pros
      • Wordlists contain common passwords
      • Mangling addresses the human element
    Cons
      • Only as good as your dictionary/rules
  • 40. Our 45min Pwnage Plan… DEMO… [Cracking]
  • 42. Routing in Metasploit
      • Traffic to target networks can be routed over existing sessions…
      • To add a route:
    route add <$network> <$mask> <$sessionID>
  • 43. SOCKS Proxies
      • A server that can establish a connection to a destination on behalf of a client
      • Metasploit SOCKS modules: auxiliary/server/socks4a, auxiliary/server/socks5
    ”This module provides a socksx proxy server that uses the built-in Metasploit routing to relay connections” *
      • This functionality allows programs external to Metasploit to utilise configured routes within msf and gain access to the target system(s)/network(s) …with the help of proxychains
  • 44. SOCKS Proxies & Proxychains
      • Proxychains / http://proxychains.sourceforge.net
      • Allows/supports TCP (not UDP - with the exception of DNS)
      • Used to allow *any program to run through a SOCKS proxy
      • Configuration file @ /etc/proxychains.conf
      • Then run a program through the proxy!
    proxychains smbclient -W insec-xxxx.local //10.133.50.xxx/<$fileshare> -U <$targetUser>%<$password>
  • 45. Our 45min Pwnage Plan… DEMO… [SOCKS & Shellz]
  • 47. Hiding Data
      • Alternate Data Streams (ADS) allow one file system entry to contain multiple data sets (NTFS only)
      • Original file is always the ‘main’ stream, additional streams are appended to the filename and are colon delimited
    File.txt
    File.txt:secretdata.txt:$DATA
    File.txt:shell.exe:$DATA
      • One option to trigger – wmic process call create File.txt:shell.exe
      • A nice article by Oddvar Moe on executing files from ADS https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
  • 48. Exfiltrating Data Over ICMP
      • ICMP doesn’t use ports (it uses types) and is often left enabled, forgotten and not monitored
      • Overcomes network egress issues when usual channels are blocked
      • icmpsh is a reverse ICMP shell (https://github.com/inquisb/icmpsh)
          • Server works in C, Perl, Python
          • Client is Win32
      • We have to disable ICMP replies from the attacking host and then start the ICMP server
    sysctl -w net.ipv4.icmp_echo_ignore_all=1
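The slide's point that ICMP is "often left enabled, forgotten and not monitored" is the defender's cue: a tunnel such as icmpsh has to carry its data in the echo payload, while stock ping payloads are fixed patterns. This added example (not part of the deck or of icmpsh) flags echo requests and replies whose payload is not a stock Windows or Linux ping, adding size and Shannon-entropy reasons on top. The packet records, the addresses, the 5.0-bit entropy threshold and the exact Linux fill pattern are assumptions constructed for the example.

```python
# Added example (not from the in.security slides or the icmpsh project): a
# payload-level check for ICMP echo traffic that does not look like a normal
# ping, which is where a tunnel's data has to live. Packet records, addresses,
# the entropy threshold and the Linux fill pattern are assumptions.

import base64
import math
from collections import Counter
from typing import Dict, List

# Windows ping.exe sends 32 bytes of "abcdefghijklmnopqrstuvwabcdefghi".
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
# Linux iputils ping sends 56 bytes: a timestamp followed by an incrementing
# fill whose last 40 bytes are 0x10..0x37 (assumed here as the template).
LINUX_PING_SIZE = 56
LINUX_PING_TAIL = bytes(range(0x10, 0x38))
KNOWN_PING_SIZES = {len(WINDOWS_PING_PAYLOAD), LINUX_PING_SIZE}
ENTROPY_THRESHOLD = 5.0   # bits per byte; assumed cut-off for this example

ECHO_REPLY, ECHO_REQUEST = 0, 8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_like_standard_ping(payload: bytes) -> bool:
    """True if the payload matches a stock Windows or Linux ping."""
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    return len(payload) == LINUX_PING_SIZE and payload[-len(LINUX_PING_TAIL):] == LINUX_PING_TAIL


def classify(packet: Dict) -> List[str]:
    """Reasons this echo packet is suspicious; an empty list means benign."""
    if packet["icmp_type"] not in (ECHO_REQUEST, ECHO_REPLY):
        return []
    payload = packet["payload"]
    if looks_like_standard_ping(payload):
        return []
    reasons = ["non_standard_payload"]
    if len(payload) not in KNOWN_PING_SIZES:
        reasons.append("unusual_size")
    if shannon_entropy(payload) > ENTROPY_THRESHOLD:
        reasons.append("high_entropy")
    return reasons


def detect(packets: List[Dict]) -> List[Dict]:
    """Return one alert per suspicious packet, keyed by the endpoints."""
    alerts = []
    for pkt in packets:
        reasons = classify(pkt)
        if reasons:
            alerts.append({"src": pkt["src"], "dst": pkt["dst"],
                           "icmp_type": pkt["icmp_type"], "reasons": reasons})
    return alerts


# Constructed sample traffic; addresses are private-range and documentation placeholders.
SAMPLE_PACKETS: List[Dict] = [
    {"src": "10.0.0.5", "dst": "10.0.0.1", "icmp_type": ECHO_REQUEST,
     "payload": WINDOWS_PING_PAYLOAD},
    {"src": "10.0.0.7", "dst": "10.0.0.1", "icmp_type": ECHO_REQUEST,
     "payload": b"\x00" * 16 + LINUX_PING_TAIL},          # 56 bytes, Linux-style
    # A 32-byte chunk of base64 text riding in an echo request: the same size
    # as a Windows ping, so size alone would not catch it.
    {"src": "10.0.0.5", "dst": "203.0.113.9", "icmp_type": ECHO_REQUEST,
     "payload": base64.b64encode(b"constructed exfil chunk")},
    # A 200-byte pseudo-random blob in an echo reply (the other direction of a
    # tunnel), generated deterministically so the example is repeatable.
    {"src": "203.0.113.9", "dst": "10.0.0.5", "icmp_type": ECHO_REPLY,
     "payload": bytes((i * 37 + 11) % 256 for i in range(200))},
    {"src": "10.0.0.5", "dst": "10.0.0.1", "icmp_type": 3,   # destination unreachable
     "payload": b"\x00" * 28},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_PACKETS):
        print(alert)
```

Payload inspection is the check that the sysctl on the slide cannot hide from: whether or not the far end's kernel answers, the data still has to cross the wire inside echo packets. Rate-based rules (many echo packets between one pair of hosts in a short window) complement this and belong in the same pipeline.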
  • 49. Our 45min-ish Pwnage Plan… DEMO… [ADS & OOB ICMP… If time persists!]
  • 50. Our 45min Pwnage Plan…
    Phish, Kibana, Phish#2, Enumeration, Exfiltration, Password Cr@cK5, SOCKS Proxies, OOB Persistence
  • 51. Our 45min Pwnage Plan… </DEMO>
  • 52. Much, Much More…
    June 6th/7th @44CON https://44con.com/44con-training/hacking-enterprises-exploiting-insecurity/