Jeremy Allen - Rajendra Umadas - Network Stream Hacking With Mallory

•

0 likes•613 views

Mallory is a man-in-the-middle proxy tool that was created to simplify common tasks in mobile application assessments such as setting up proxies and dealing with multiple protocols. It can intercept both HTTP and HTTPS traffic as well as other protocols like SSH and DNS. The tool has both a graphical user interface and programmatic APIs to modify intercepted traffic streams for tasks like fuzzing. It was demonstrated intercepting and modifying traffic for protocols like VNC and SSL.

Technology

Presented by:
Jeremy Allen
Rajendra Umadas

April 21, 2011

Network Stream Hacking with
Mallory

Agenda

• Who are we? • What annoys us?
– Rajendra Umadas – Proxy setup
– Jeremy Allen – Throwaway Tools
– Wasted or
Redundant effort
• What do we do?
– Mobile Application
Assessments, • What did we do
Thick Clients, about it?
COTS (lots of other – Mallory!
assessments)

Who are we: Jeremy Allen

Jeremy Allen
 Principal Consultant

 iOS Assessment Lead

 Writes a lot of Python

 Try to break things before the bad guys do

Who are we: Rajendra Umadas

Rajendra Umadas
 Consultant

 Mobile Application Hacker

 Does not afraid of anything

 Mobile Application Security = fun;

What we do: Assessment Types

Application Assessments
 Mobile Applications
 Acronym and Name Overload:
QUALCOMM/BREW, RIM, Windows Mobile,
Windows Phone, iPhone, Android …
 Web Applications
 XSS, SQL Injection – Pays the bills, still how many
get owned
 Other Apps
 Thick clients, binary protocols, “harder” targets

What we do: Tools

HTTP Proxy
 When is a HTTP Proxy Not Enough?

 Protocols that just use HTTP for transport

 Unidentified network streams in tested
application

What we do: Tools

Other Tools
 What tools exist that are good for MiTM and
app testing for application assessments?

 dsniff, cain, tcpdump ,wireshark (about
that…), others

Solution: Mallory

“The enemy knows the system” –
Claude Shannon

Solution

Hard Way
 ARP

 DNS Spoofing

 iptables and custom scripts

 Packet level techniques

Solution

What have others done with
Mallory?
 WSJ Application Privacy Research

Solution

Application Testing
 WSJ Application Privacy Research

 Chose Mallory because it is pervasive

 Apps don’t matter, Mallory can see the traffic

Solution

GUI Configuration
 Common tasks are fast, easy (configuring
mallory, editing TCP streams)

 Uncommon tasks are possible, fairly easy
(rules, known protocols)

 Rare tasks are harder, require some trickery
(python plugins, python code)

Solution

GUI Configuration
 Getting traffic to the stream editor

 Echo Server

 Rules Config Demo

Solution

Demo – Something More
Serious
 TCP Stream Editing

 All flows and datagrams go to a database

 Show database in advanced view

Solution

Programmatic Modification
 What about places where editing is harder?

 DEMO – Modifying VNC Keystrokes

Solution

What about Fuzzing?
 Fuzzing Paradigms

 File fuzzing

 Network fuzzing

Solution

How does Mallory Fuzz?
 ProxFuzz

 Opportunistic Fuzzing

 Protocol Depth

Solution

Fuzzing Results
 Can vary greatly

 Depends on your app

 We have seen good returns with opportunistic
fuzzing

Solution

Common App Testing Problem
 SSL

Solution

Mallory Knows SSL
 DEMO - SSL

Solution

SSL Usage
 Mallory acts as a CA

 Generates Certs in Memory

 Makes Look Alike Certs

Conclusion

Conclusion
 Mallory is a MiTM Proxy

 Focus on streams and datagrams

 Mallory can decode and MiTM: HTTP, HTTPS,
SSL, DNS, SSH

 Mallory make common app testing tasks easy

This document provides an overview of an organization and information for developers. It introduces key people in the organization across different departments. It describes the culture as smart, agile, innovative but also demanding. It outlines the typical development lifecycle process including requirements, design, implementation, stabilization and release every 3 weeks. It provides details on using version control, building and deploying code as well as tips for development, documentation and terminology.

Who should the security team hire next?

Source Conference

The document discusses sources of data on security breaches and where to find qualified security personnel. It analyzes breach data trends from vendors, incident response firms, and mandatory disclosure databases. The analysis finds that while common problems still exist, attacks are becoming more advanced, and good security experts can be found in a variety of companies and roles, not just large firms or traditional security jobs. Hiring should focus on technical skills rather than titles or certifications.

Matthew Coles - Izar Tarandach - Security Toolbox

Source Conference

The document discusses challenges for incorporating security practices into agile development and proposes a "Security Toolbox" to help development teams identify and mitigate security risks through the use of accepted security knowledge bases and guidance mapped to specific architectural elements. The toolbox is intended to minimize "Security Debt" by predicting security issues upfront and providing acceptance tests and estimates to integrate security into sprint planning and product backlogs. An example is provided of how the toolbox could be applied to help three development teams implement a secure online comment system.

James Beeson SOURCE Boston 2011

Source Conference

This document discusses bridging gaps in information security and preparing for the future. It notes that the CIO and CISO roles are similar, as both require an understanding of technology and business, branding, and leadership. It emphasizes that information security and IT do not own risk, and that a "just say yes" approach works better than fear, uncertainty, and doubt messaging. It also stresses the importance of measurement, education, and leveraging existing frameworks to improve security and reduce risks like data loss.

Dan Crowley - Jack Of All Formats

Source Conference

This document discusses how files can contain data in multiple formats by piggybacking one file type into another. It provides examples of how files like JPEGs, PDFs, and GIFs can sometimes contain additional hidden data like archives, scripts, or documents. This technique could allow for covert channels, bypass of security tools like antivirus, and denial of service attacks if file size limits are not properly enforced. The document recommends defenses like validating the full file contents and allowed extensions for file uploads to prevent abuse of this flexibility in file formats.

David Snead - Nailing Down Security Regulations

Source Conference

This document summarizes key issues to consider when establishing security regulations for cloud computing and outsourcing arrangements. It outlines topics such as: defining security breaches and responsibilities; establishing enforceable contract terms around security policies, third party access, data transmission and disposition; understanding applicable laws; and ensuring security obligations survive termination. The document provides sample contract language addressing notification of policy changes, rights to terminate for security impacts, data deletion obligations, and prior notice of governmental data access requests.

Paul Asadoorian - Bringing Sexy Back

Source Conference

Wim Remes SOURCE Boston 2011

Source Conference

Presented by Damon Edwards, co-founder of Rundeck, at DevOps Enterprise Summit Las Vegas 2019 See a Demo of Rundeck Enterprise : https://www.rundeck.com/see-demo --or-- Download Rundeck Open Source here: https://rundeck.com/open-source Connect: Stack Overflow community: https://stackoverflow.com/questions/tagged/rundeck Github: https://github.com/rundeck/rundeck/issues Twitter: https://twitter.com/Rundeck Facebook: https://www.facebook.com/RundeckInc/ LinkedIn: www.linkedin.com › company › rundeck-inc

Smart Bombs: Mobile Vulnerability and Exploitation

Tom Eston

Kevin Johnson, John Sawyer and Tom Eston have spent quite a bit of time evaluating mobile applications in their respective jobs. In this presentation they will provide the audience an understanding of how to evaluate mobile applications, examples of how things have been done wrong and an understanding of how you can perform this testing within your organization. This talk will work with applications from the top three main platforms; iOS, Android and Blackberry. Kevin, Tom and John have used a variety of the top 25 applications for each of these platforms to provide real world examples of the problems applications face.

Merit Event - Monitor, Secure & Control Your Network with JMC IT & Lightspeed...

meritnorthwest

IT security is an increasing concern to companies across all sectors. Unfortunately it can also be an administrative burden with countless applications in place to protect the multiple elements of your network. With the increasing use of mobile technologies, and sophistication of external dangers such as spyware, how can you ensure your most valuable assets – namely your employees and clients - are protected? This 60 minute session will outline how you can best protect your network and valuable data whilst greatly reducing the associated administrative burden. It will introduce technology that enables you to monitor, control and secure your entire network from a single user interface. In fact the session will address ways in which to control: - Enterprise Reporting - Web Content filtering - Spam - Email Journaling - Firewall Implementation - Bandwidth Management - Policy Management - Anti-Virus & Spyware - Zero Hour Threats - Removable Device Control

Incident Management in the Age of DevOps and SRE

Rundeck

Presented by Damon Edwards, co-founder of Rundeck, at QCon San Francisco 2019. See a Demo of Rundeck Enterprise : https://www.rundeck.com/see-demo --or-- Download Rundeck Open Source here: https://rundeck.com/open-source Connect: Stack Overflow community: https://stackoverflow.com/questions/tagged/rundeck Github: https://github.com/rundeck/rundeck/issues Twitter: https://twitter.com/Rundeck Facebook: https://www.facebook.com/RundeckInc/ LinkedIn: www.linkedin.com › company › rundeck-inc

Incident Management in the Age of DevOps and SRE

Rundeck

Keynote presentation at DevOps Con Munich, December 3, 2019, presented by Damon Edwards, co-founder of Rundeck. Responding to incidents has always been the core job of Operations. With the rise of DevOps and SRE, how Operations work gets done — and who is doing the work — is changing. This talk will look at how high-performing organizations are applying DevOps and SRE practices to shorten incidents and reduce escalations. See a Demo of Rundeck Enterprise : https://www.rundeck.com/see-demo --or-- Download Rundeck Open Source here: https://rundeck.com/open-source Connect: Stack Overflow community: https://stackoverflow.com/questions/tagged/rundeck Github: https://github.com/rundeck/rundeck/issues Twitter: https://twitter.com/Rundeck Facebook: https://www.facebook.com/RundeckInc/ LinkedIn: www.linkedin.com › company › rundeck-inc

Scaling Ruby for Enterprise Applications

Pro777

This document summarizes scaling Ruby applications for enterprise use. It discusses profiling tools like New Relic, databases like MongoDB and MySQL, queues like 0MQ and RabbitMQ, tools like Chef, testing with RSpec and Cucumber, dealing with legacy code, and adopting a component architecture with state on the wire. Specific techniques discussed include vertical scaling on EC2 by moving subsystems to different instance types, horizontal scaling by adding more machines and using Chef to provision them, and how these approaches improved metrics like throughput, database I/O, and size. The document emphasizes measuring performance, not prematurely optimizing, and allowing failure during development.

Cyber Tech Israel 2016: Advanced Threat Protection Technical Overview

Symantec

Symantec Advanced Threat Protection is a solution that uses four main modules - prevention, detection, response, and recovery - to address advanced persistent threats. It provides endpoint, network, and email visibility to identify suspicious files and indicators of compromise. When threats are found, the solution works to block, isolate, and remove the threats from infected systems using techniques like quarantining, blacklisting, and sweeping and collecting evidence from endpoints. It leverages technologies like Cynic file analysis, SONAR behavior monitoring, virtual and physical sandboxes, and the Synapse correlation engine to detect and remediate advanced attacks.

Layer7-WebServices-Hacking-and-Hardening.pdf

distortdistort

This document provides an overview of a presentation on hacking and hardening web services. The presentation discusses the components and terminology of web services, common threats to web services related to transport, parsing, deployment, and service code. It then describes the steps to hack a web service by learning about the system, doing homework, launching an attack, and cleaning up. Finally, it outlines techniques for hardening web services to mitigate threats through implementing confidentiality and integrity enforcement, XML structure threat detection, secure deployment practices, input validation, and virus detection.

Software quality assurance and cyber security

Nascenia IT

Echidna, sistema de respuesta a incidentes open source [GuadalajaraCON 2013]

Websec México, S.C.

http://www.guadalajaracon.org/conferencias/echidna-sistema-de-respuesta-incidentes-open-source/ El proyecto Echidna es un sistema de respuesta incidentes dirigido a analistas de seguridad siguiendo los principios de Network Security Monitoring. Se trata de un proyecto totalmente Open Source donde comparto crédito con autores de populares herramientas como Ian Firns (Barnyard2, SecurityOnion NSM Scripts) y Edward Bjarte (cxtracker, passivedns, prads, etc.). Echidna consiste en agentes, servidor e interfaz de usuario. Los agentes y los servidores estan programados en perl, las aplicaciones especializadas (sesion, eventos…) estan hechos en C/C++. La interfaz de usuario funciona del lado del cliente usando AngularJS. El servidor provee una API REST para uso de la UI o cualquier otro tipo de interfaz alternativa. El proposito de Echidna es integrar diferentes herramientas de análisis en red para las diferentes capas de NSM. Desde Suricata/Snort hasta HTTPRY. Lo interesante es que la mayoría del stack por default son nuestras propias herramientas ej. Cxtracker – sesiones, barnyard2 – spooler de eventos para snort/suricata, prads -deteccion de assets, passivedns – analisis de dns pasivo, etc. Ian aka firnsy es core dev y Edward aka ebf0 dirije desde la perspectiva de analista. Cada uno ha creado uno o mas herramientas expertas que Echidna integra en el stack.

Microservices done right or SOA lessons learnt - Sean Farmar - Codemotion Mil...

Codemotion

BalCcon 2015 - DTS Solution - Attacking the Unknown by Mohamed Bedewi

Shah Sheikh

Anonymization techniques are a double-edged sword invention as they can be used by journalists to communicate more safely with whistle blowers or by malicious users to commit cyber-crimes without getting caught but the problem is that neither party is anonymous nor safe from being exposed. In the presentation Mohamed discussed a tool that he developed "dynamicDetect" to de-anonymize TOR clients and browsers and abstracting the user's original IP address and fingerprint. The tool then uses this information as a launchpad to perform defensive and offensive against that TOR user.

Subverting the monolith!

Sophia Russell

We’ve been told the future is automated, orchestrated, service-oriented applications built on top of dynamic, on-demand, massively scalable infrastructure (serverless anyone?). But how do you go from here to there? At Betterment we built a platform that goes beyond “lift and shift”. In this presentation, I’ll share how we built a platform for tomorrow, with support for today’s legacy apps. I’ll also share how we designed the tooling to encourage developers to build for the future, while ensuring security and reliability, going deep into how the tooling ultimately guided our own path, and why the principles behind everything helped us stay the course.

Code quality as a built-in process

Elad Maimon

This document discusses various techniques for maintaining code quality, including pair programming, test-driven development, code reviews, and self-documenting code. It notes that pair programming involves two developers sharing one monitor, keyboard, and mouse to collaboratively write code. Benefits include higher quality code, knowledge sharing, and a teaching tool. Code reviews search for bugs, design flaws, nonconformance with requirements or style guides. Comments should explain why code is written a certain way rather than describing how.

5 Best Practices for Application-aware Network Performance Management (AANPM)...

Enterprise Management Associates

Application-aware Network Performance Management (AANPM) practices and products provide detailed insights into exactly who is using which resources, what quality of experience is taking place, and where to look when things go wrong. Such information can significantly improve planning, monitoring, and troubleshooting efforts. But which are the best options when it comes to planning out an AANPM strategy? Which sources of data offer the most cost-efficient results? How can complex, widely distributed networks be accommodated, particularly when users are far removed from the application servers? And where is the best place to start? These slides will reveal: *Key goals and objectives of AANPM *Choosing the right sources of AANPM data *Achieving true end-to-end AANPM, from core to remote site including the access layer *AANPM features and capabilities having the broadest impact and delivering the most value

What is happening with my microservices?

Israel Blancas

Encontrando la Aguja en el Rendimiento de Aplicaciones

Software Guru

En ocasiones resulta complicado entregar alta calidad de software con la velocidad que el mercado requiere. La propuesta de DevOps es mas allá de una metodología, un cambio cultural en la forma en que funcionan los equipos tanto de operación como de desarrollo, buscando aportar valor para la empresa mediante mejoras en el ciclo de vida de desarrollo y buscando un rendimiento optimo de las aplicaciones mediante herramientas tanto en la fase de desarrollo como de operación.

How to stop fingerpointing when your application is down

Compuware ASEAN

The document discusses how traditional monitoring leads to finger-pointing between teams when applications are down. It describes how Compuware's Application Performance Management (APM) solution provides a single system that monitors applications across development, testing, and production. This gives teams a common view of transactions and issues to reduce finger-pointing and resolve problems faster.

Application Whitelisting - Complementing Threat centric with Trust centric se...

Osama Salah

This document discusses application whitelisting as a security control that can complement traditional threat-centric security approaches. It notes that application whitelisting works on a principle of default deny by only allowing approved applications to run, whereas traditional antivirus uses a default allow approach. The document outlines challenges with traditional antivirus, including its inability to keep up with the exponential growth of malware. It advocates for implementing application whitelisting to prevent both known and unknown threats from executing. Key considerations for implementation include scope, stakeholder engagement, approval processes, and change management. The document argues that application whitelisting can significantly reduce malware incidents when implemented effectively.

Using Yammer & SharePoint Intranets to Drive Employee Engagement

Perficient, Inc.

The document discusses driving employee engagement through the use of Yammer and enterprise social networks (ESNs). It provides an overview of Yammer and how it can be used to break down communication silos. The keynote then outlines a three step process for user adoption and engagement: get in, get engaged, and get advanced. It emphasizes the importance of planning for cloud infrastructure, running social strategy workshops, focusing on early adopters, and bringing IT and end users together through communities and steering teams.

Million Browser Botnet

Source Conference

Matt Johansen, White Hat - Online advertising networks can be a web hacker’s best friend. For mere pennies per thousand impressions (that means browsers) there are service providers who allow you to broadly distribute arbitrary javascript -- even malicious javascript! You are SUPPOSED to use this “feature” to show ads, to track users, and get clicks, but that doesn’t mean you have to abide. Absolutely nothing prevents spending $10, $100, or more to create a massive javascript-driven browser botnet instantly. The real-world power is spooky cool. We know, because we tested it… in-the-wild.

iBanking - a botnet on Android

Source Conference

Stephen Doherty, Symantec - iBanking is a relative newcomer to the mobile malware scene whose use was first identified in August of 2013. The Trojan targets Android devices and can be remotely controlled over SMS and HTTP. iBanking began life as a simple SMS stealer and call redirector, but has undergone significant development since then. iBanking is available for purchase on a private underground forum for between $4k - $5k, with the next release expected to include a 0-day exploit for the Android operating system. This presentation will discuss iBanking - it's capabilities and the reasons for targeting mobile devices.

Similar to Jeremy Allen - Rajendra Umadas - Network Stream Hacking With Mallory

The Last Mile Continued: Incident Management

Rundeck

Smart Bombs: Mobile Vulnerability and Exploitation

Tom Eston

Merit Event - Monitor, Secure & Control Your Network with JMC IT & Lightspeed...

meritnorthwest

Incident Management in the Age of DevOps and SRE

Rundeck

Incident Management in the Age of DevOps and SRE

Rundeck

Scaling Ruby for Enterprise Applications

Pro777

Cyber Tech Israel 2016: Advanced Threat Protection Technical Overview

Symantec

Layer7-WebServices-Hacking-and-Hardening.pdf

distortdistort

Software quality assurance and cyber security

Nascenia IT

Echidna, sistema de respuesta a incidentes open source [GuadalajaraCON 2013]

Websec México, S.C.

Microservices done right or SOA lessons learnt - Sean Farmar - Codemotion Mil...

Codemotion

BalCcon 2015 - DTS Solution - Attacking the Unknown by Mohamed Bedewi

Shah Sheikh

Subverting the monolith!

Sophia Russell

Code quality as a built-in process

Elad Maimon

5 Best Practices for Application-aware Network Performance Management (AANPM)...

Enterprise Management Associates

What is happening with my microservices?

Israel Blancas

Encontrando la Aguja en el Rendimiento de Aplicaciones

Software Guru

How to stop fingerpointing when your application is down

Compuware ASEAN

Application Whitelisting - Complementing Threat centric with Trust centric se...

Osama Salah

Using Yammer & SharePoint Intranets to Drive Employee Engagement

Perficient, Inc.

Similar to Jeremy Allen - Rajendra Umadas - Network Stream Hacking With Mallory (20)

The Last Mile Continued: Incident Management

Smart Bombs: Mobile Vulnerability and Exploitation

Merit Event - Monitor, Secure & Control Your Network with JMC IT & Lightspeed...

Incident Management in the Age of DevOps and SRE

Scaling Ruby for Enterprise Applications

Cyber Tech Israel 2016: Advanced Threat Protection Technical Overview

Layer7-WebServices-Hacking-and-Hardening.pdf

Software quality assurance and cyber security

Echidna, sistema de respuesta a incidentes open source [GuadalajaraCON 2013]

Microservices done right or SOA lessons learnt - Sean Farmar - Codemotion Mil...

BalCcon 2015 - DTS Solution - Attacking the Unknown by Mohamed Bedewi

Subverting the monolith!

Code quality as a built-in process

5 Best Practices for Application-aware Network Performance Management (AANPM)...

What is happening with my microservices?

Encontrando la Aguja en el Rendimiento de Aplicaciones

How to stop fingerpointing when your application is down

Application Whitelisting - Complementing Threat centric with Trust centric se...

Using Yammer & SharePoint Intranets to Drive Employee Engagement

More from Source Conference

Million Browser Botnet

Source Conference

iBanking - a botnet on Android

Source Conference

I want the next generation web here SPDY QUIC

Source Conference

The document discusses the SPDY and QUIC protocols which aim to improve upon HTTP. SPDY focuses on multiplexing, prioritization, header compression, and server push/hints. QUIC aims to eliminate head-of-line blocking, support 0RTT connections, recover lost packets, and survive network changes. Both protocols aim to improve web performance but also face security challenges around things like certificate revocation and content inspection. The future may see both protocols widely adopted in web clients, servers, and network infrastructure.

From DNA Sequence Variation to .NET Bits and Bobs

Source Conference

Mathieu Letourneau, Andrei Saygo, Eoin Ward, Microsoft This talk will present our research project on .Net file clustering based on their respective basic blocks and the parallel that can be made with DNA sequence variation analysis. We implemented a system that extracts the basic blocks on each file and creates clusters based on them. We also developed an IDA plugin to make use of that data and speed up our analysis of .Net files. Andrei Saygo, Eoin Ward and Mathieu Letourneau all work as Anti-Malware Security Engineers in the AM Scan team of Microsoft’s Product Release & Security Services group in Dublin, Ireland.

Extracting Forensic Information From Zeus Derivatives

Source Conference

The document discusses extracting forensic information from Zeus and its derivatives. It outlines goals like determining what data was stolen, where it was sent, and who the attackers were. It then describes how to achieve these goals by extracting information like command and control addresses, stolen data, and configuration files from variants like Zeus 2.0.8.9, IceIX, Citadel, Gameover, and KINS through analyzing their encryption routines, configuration retrieval methods, and automated analysis.

How to Like Social Media Network Security

Source Conference

Brian Honan, IRISSCERT Social media networks provide individuals and businesses with exciting opportunities to communicate and collaborate with others throughout the world. But with these opportunities come a number of security challenges and risks. This talk will outline how social media networks can pose various threats to businesses, from information leakage, reputational damage, to social engineering profiling, and vectors for enabling compromise of corporate systems. Social media networks also enable the rapid dissemination of news which in the event of an information security breach could either save or destroy an organisations reputation. Understanding and dealing with these challenges will enable companies to like and favourite social media networks in a secure way. Brian Honan is an independent security consultant based in Dublin, Ireland, and is the founder and head of IRISSCERT, Ireland's first CERT. He is a Special Advisor to Europol's Cybercrime Centre (EC3), an adjunct lecturer on Information Security in University College Dublin. He is the author of the book "ISO 27001 in a Windows Environment" and co-author of "The Cloud Security Rules", and regularly speaks at major industry conferences. In 2013 Brian was awarded SC Magazine's Information Security Person of the year for his contribution to the computer security industry.

Wfuzz para Penetration Testers

Source Conference

WFUZZ is a web application brute forcing and fuzzing tool that allows penetration testers to perform complex brute force attacks on various parts of web applications like parameters, authentication, forms, directories, files, and headers. It has features like multiple injection points, advanced payload management, multi-threading, encodings, result filtering, and proxy support. New features include HEAD method scanning, fuzzing HTTP methods, following redirects, a plugin framework, and result filtering. It uses a modular architecture with payloads, encoders, iterators, plugins, and printers to perform brute force tests quickly and efficiently.

Security Goodness with Ruby on Rails

Source Conference

This document provides an overview and introduction to Ruby on Rails. It begins with an agenda and introduction to the speaker. It then provides a brief introduction to Rails, including what industries use it, examples of popular websites built with Rails, and an explanation of its model-view-controller architecture and RESTful design philosophy. The document continues with sections on auditing Rails applications, identifying common vulnerabilities like mass assignment and cross-site scripting, and recommendations for removing vulnerabilities.

Securty Testing For RESTful Applications

Source Conference

This document discusses security testing for RESTful applications. It begins with an introduction to RESTful web services and how they differ from SOAP web services in using HTTP methods to indicate actions and embedding parameters in requests. It notes challenges in testing RESTful applications including that documentation may not reveal the full attack surface and requests can be dynamically generated. It recommends using documentation, proxies, and fuzzing to determine parameters and potential vulnerabilities. The document concludes by discussing how automated pen testing works by crawling to determine the attack surface through both links and emulated JavaScript to find dynamic requests.

Esteganografia

Source Conference

Este documento proporciona una introducción a la esteganografía, que es la técnica de ocultar información dentro de otro contenido como imágenes, documentos u otros archivos. Explica que la esteganografía se ha utilizado desde la antigua Grecia y Roma, y que a lo largo de la historia se han empleado diferentes métodos como tablas de cera, tatuajes, tinta invisible y filigranas en papel. También describe brevemente algunas técnicas más recientes como los micropuntos y los métodos digitales basados en bits

Men in the Server Meet the Man in the Browser

Source Conference

The document discusses techniques for detecting "man in the browser" (MitB) attacks, where malware running in a user's browser is able to intercept and modify traffic between the browser and web applications. It describes shape-based tests that examine requests for unusual changes typical of malware, and content-based tests where the server embeds a random value in content and the browser verifies it was not altered to detect tampering by malware. The overall goal is to identify infected client sessions to protect businesses from the risks posed by consumers being attacked.

Advanced Data Exfiltration The Way Q Would Have Done It

Source Conference

The document appears to be a presentation by Iftach Ian Amit from November 2011 about advanced data exfiltration techniques. It includes sections on using emails, web links and phishing to extract data, as well as utilizing social engineering techniques to manipulate targets. Automating parts of the process with tools like SET is also mentioned. The presentation suggests using both aggressive and ingratiating social behaviors when interacting with targets. It diagrams extracting data by routing it through third parties and the internet.

Adapting To The Age Of Anonymous

Source Conference

Joshua Corman gave a presentation about adapting to Anonymous in the age of chaotic actors. He began by providing background on himself and his research interests. He then discussed understanding Anonymous by deconstructing it and looking at its rise, different sects, and levels of involvement. Corman addressed adapting to Anonymous by looking at escalation risks and the need for improved security strategies. He concluded by discussing the possibility of building a better version of Anonymous that is focused on positive goals.

Are Agile And Secure Development Mutually Exclusive?

Source Conference

The document discusses agile and secure software development. It provides an overview of traditional waterfall and agile project methods. Agile practices like working in short cycles, customer collaboration, and responding to change are highlighted. The roles of project managers, quality assurance teams, and security practices within agile development are also examined. Finally, the document questions whether agile and secure development can be mutually exclusive.

Advanced (persistent) binary planting

Source Conference

This document discusses binary planting techniques such as DLL hijacking. It provides examples of binary planting issues found in Real Player and Opera on Windows XP, where they load unexpected DLLs and EXEs during execution. It warns that downloading files can leave computers vulnerable if installers load DLLs from the Downloads folder, allowing for "persistent mines" to be planted months later when applications are launched. It provides guidelines for researchers and developers to prevent binary planting issues in their own software.

Legal/technical strategies addressing data risks as perimeter shifts to Cloud

Source Conference

The Latest Developments in Computer Crime Law

Source Conference

The document summarizes recent developments in computer crime law, specifically regarding interpretations of the federal Computer Fraud and Abuse Act. It discusses how courts have broadly interpreted what constitutes unauthorized access, including violating an employer's computer use policies. It also notes problems with prosecutors trying to double-count penalties for unauthorized access by charging it as a felony in furtherance of another crime when it is essentially the same conduct. The future could see legislative changes enhancing penalties for computer crimes.

JSF Security

Source Conference

This document discusses several techniques for validating user input and preventing cross-site scripting (XSS) attacks in JavaServer Faces (JSF) applications. It covers built-in JSF validators, custom validators, output encoding tags, and using OWASP ESAPI to properly encode output. The document also discusses using an AccessController for authorization and injecting anti-CSRF tokens to defend against cross-site request forgery attacks.

How To: Find The Right Amount Of Security Spend

Source Conference

This document provides guidance on how to determine the right amount to spend on security. It recommends first formalizing mandatory, discretionary, and risk-based security spending. Prioritize assets and risks using a structured process involving business owners. Consider likelihood and impact ranges to evaluate risks. Prioritize risks based on business value and cost. Define security services and align spending with maturity targets. Start with quick wins and metrics to gain support for an ongoing process.

Everything you should already know about MS-SQL post-exploitation

Source Conference

Rob Beck, Director of Assessment at Attack Research, gave a presentation on MS-SQL post exploitation. He explained that SQL post exploitation involves the steps an attacker takes after gaining SQL access or command execution on a database. He outlined several techniques attackers use, including utilizing stored procedures to attack the host system, harvesting credentials from the database that may be valid elsewhere, and using the database as an attack framework by loading compiled code or scripts. He emphasized that many SQL instances remain vulnerable because they are run as privileged accounts like SYSTEM and have advanced options enabled without additional security configurations.

More from Source Conference (20)

Million Browser Botnet

iBanking - a botnet on Android

I want the next generation web here SPDY QUIC

From DNA Sequence Variation to .NET Bits and Bobs

Extracting Forensic Information From Zeus Derivatives

How to Like Social Media Network Security

Wfuzz para Penetration Testers

Security Goodness with Ruby on Rails

Securty Testing For RESTful Applications

Esteganografia

Men in the Server Meet the Man in the Browser

Advanced Data Exfiltration The Way Q Would Have Done It

Adapting To The Age Of Anonymous

Are Agile And Secure Development Mutually Exclusive?

Advanced (persistent) binary planting

Legal/technical strategies addressing data risks as perimeter shifts to Cloud

The Latest Developments in Computer Crime Law

JSF Security

How To: Find The Right Amount Of Security Spend

Everything you should already know about MS-SQL post-exploitation

Recently uploaded

WeTestAthens: Postman's AI & Automation Techniques

Postman

Choosing The Best AWS Service For Your Website + API.pptx

Brandon Minnick, MBA

Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API? Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose? Which one is cheapest? Which one is fastest? Which one will scale to meet our needs? Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!

Energy Efficient Video Encoding for Cloud and Edge Computing Instances

Alpen-Adria-Universität

Building Production Ready Search Pipelines with Spark and Milvus

Zilliz

UI5 Controls simplified - UI5con2024 presentation

Wouter Lemaire

みなさんこんにちはこれ何文字まで入るの？40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの？えこ...

名前です男

Monitoring and Managing Anomaly Detection on OpenShift.pdf

Tosin Akinosho

Monitoring and Managing Anomaly Detection on OpenShift Overview Dive into the world of anomaly detection on edge devices with our comprehensive hands-on tutorial. This SlideShare presentation will guide you through the entire process, from data collection and model training to edge deployment and real-time monitoring. Perfect for those looking to implement robust anomaly detection systems on resource-constrained IoT/edge devices. Key Topics Covered 1. Introduction to Anomaly Detection - Understand the fundamentals of anomaly detection and its importance in identifying unusual behavior or failures in systems. 2. Understanding Edge (IoT) - Learn about edge computing and IoT, and how they enable real-time data processing and decision-making at the source. 3. What is ArgoCD? - Discover ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes, and its role in deploying applications on edge devices. 4. Deployment Using ArgoCD for Edge Devices - Step-by-step guide on deploying anomaly detection models on edge devices using ArgoCD. 5. Introduction to Apache Kafka and S3 - Explore Apache Kafka for real-time data streaming and Amazon S3 for scalable storage solutions. 6. Viewing Kafka Messages in the Data Lake - Learn how to view and analyze Kafka messages stored in a data lake for better insights. 7. What is Prometheus? - Get to know Prometheus, an open-source monitoring and alerting toolkit, and its application in monitoring edge devices. 8. Monitoring Application Metrics with Prometheus - Detailed instructions on setting up Prometheus to monitor the performance and health of your anomaly detection system. 9. What is Camel K? - Introduction to Camel K, a lightweight integration framework built on Apache Camel, designed for Kubernetes. 10. Configuring Camel K Integrations for Data Pipelines - Learn how to configure Camel K for seamless data pipeline integrations in your anomaly detection workflow. 11. What is a Jupyter Notebook? - Overview of Jupyter Notebooks, an open-source web application for creating and sharing documents with live code, equations, visualizations, and narrative text. 12. Jupyter Notebooks with Code Examples - Hands-on examples and code snippets in Jupyter Notebooks to help you implement and test anomaly detection models.

June Patch Tuesday

Ivanti

Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.

Columbus Data & Analytics Wednesdays - June 2024

Jason Packer

20240607 QFM018 Elixir Reading List May 2024

Matthew Sinclair

Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack

shyamraj55

20240609 QFM020 Irresponsible AI Reading List May 2024

Matthew Sinclair

How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf

Chart Kalyan

Mariano G Tinti - Decoding SpaceX

Mariano Tinti

HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU

panagenda

Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/ DLAU und die Lizenzen nach dem CCB- und CCX-Modell sind für viele in der HCL-Community seit letztem Jahr ein heißes Thema. Als Notes- oder Domino-Kunde haben Sie vielleicht mit unerwartet hohen Benutzerzahlen und Lizenzgebühren zu kämpfen. Sie fragen sich vielleicht, wie diese neue Art der Lizenzierung funktioniert und welchen Nutzen sie Ihnen bringt. Vor allem wollen Sie sicherlich Ihr Budget einhalten und Kosten sparen, wo immer möglich. Das verstehen wir und wir möchten Ihnen dabei helfen! Wir erklären Ihnen, wie Sie häufige Konfigurationsprobleme lösen können, die dazu führen können, dass mehr Benutzer gezählt werden als nötig, und wie Sie überflüssige oder ungenutzte Konten identifizieren und entfernen können, um Geld zu sparen. Es gibt auch einige Ansätze, die zu unnötigen Ausgaben führen können, z. B. wenn ein Personendokument anstelle eines Mail-Ins für geteilte Mailboxen verwendet wird. Wir zeigen Ihnen solche Fälle und deren Lösungen. Und natürlich erklären wir Ihnen das neue Lizenzmodell. Nehmen Sie an diesem Webinar teil, bei dem HCL-Ambassador Marc Thomas und Gastredner Franz Walder Ihnen diese neue Welt näherbringen. Es vermittelt Ihnen die Tools und das Know-how, um den Überblick zu bewahren. Sie werden in der Lage sein, Ihre Kosten durch eine optimierte Domino-Konfiguration zu reduzieren und auch in Zukunft gering zu halten. Diese Themen werden behandelt - Reduzierung der Lizenzkosten durch Auffinden und Beheben von Fehlkonfigurationen und überflüssigen Konten - Wie funktionieren CCB- und CCX-Lizenzen wirklich? - Verstehen des DLAU-Tools und wie man es am besten nutzt - Tipps für häufige Problembereiche, wie z. B. Team-Postfächer, Funktions-/Testbenutzer usw. - Praxisbeispiele und Best Practices zum sofortigen Umsetzen

How to use Firebase Data Connect For Flutter

Daiki Mogmet Ito

How to Get CNIC Information System with Paksim Ga.pptx

danishmna97

National Security Agency - NSA mobile device best practices

Quotidiano Piemontese

Driving Business Innovation: Latest Generative AI Advancements & Success Story

Safe Software

Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency. During the hour, we’ll take you through: Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board. Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes. Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI. We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI. This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!

Fueling AI with Great Data with Airbyte Webinar

Zilliz

Recently uploaded (20)

WeTestAthens: Postman's AI & Automation Techniques

Choosing The Best AWS Service For Your Website + API.pptx

Energy Efficient Video Encoding for Cloud and Edge Computing Instances

Building Production Ready Search Pipelines with Spark and Milvus

UI5 Controls simplified - UI5con2024 presentation

Monitoring and Managing Anomaly Detection on OpenShift.pdf

June Patch Tuesday

Columbus Data & Analytics Wednesdays - June 2024

20240607 QFM018 Elixir Reading List May 2024

Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack

20240609 QFM020 Irresponsible AI Reading List May 2024

How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf

Mariano G Tinti - Decoding SpaceX

HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU

How to use Firebase Data Connect For Flutter

How to Get CNIC Information System with Paksim Ga.pptx

National Security Agency - NSA mobile device best practices

Driving Business Innovation: Latest Generative AI Advancements & Success Story

Fueling AI with Great Data with Airbyte Webinar

Jeremy Allen - Rajendra Umadas - Network Stream Hacking With Mallory

1. Presented by: Jeremy Allen Rajendra Umadas April 21, 2011 Network Stream Hacking with Mallory

2. Agenda • Who are we? • What annoys us? – Rajendra Umadas – Proxy setup – Jeremy Allen – Throwaway Tools – Wasted or Redundant effort • What do we do? – Mobile Application Assessments, • What did we do Thick Clients, about it? COTS (lots of other – Mallory! assessments)

3. Who Are We

4. Who are we: Jeremy Allen Jeremy Allen  Principal Consultant  iOS Assessment Lead  Writes a lot of Python  Try to break things before the bad guys do

5. Who are we: Rajendra Umadas Rajendra Umadas  Consultant  Mobile Application Hacker  Does not afraid of anything  Mobile Application Security = fun;

6. What we do

7. What we do: Assessment Types Application Assessments  Mobile Applications  Acronym and Name Overload: QUALCOMM/BREW, RIM, Windows Mobile, Windows Phone, iPhone, Android …  Web Applications  XSS, SQL Injection – Pays the bills, still how many get owned  Other Apps  Thick clients, binary protocols, “harder” targets

8. What we do: Tools HTTP Proxy  When is a HTTP Proxy Not Enough?  Protocols that just use HTTP for transport  Unidentified network streams in tested application

9. What we do: Tools Other Tools  What tools exist that are good for MiTM and app testing for application assessments?  dsniff, cain, tcpdump ,wireshark (about that…), others

10. Solution

11. Solution: Mallory “The enemy knows the system” – Claude Shannon

12. Solution Hard Way  ARP  DNS Spoofing  iptables and custom scripts  Packet level techniques

13. Solution Easy Way

14. Solution Demo  Intro to Mallory GUI

15. Soltuion: Mallory Architecture

16. Solution What have others done with Mallory?  WSJ Application Privacy Research

17. Solution Application Testing  WSJ Application Privacy Research  Chose Mallory because it is pervasive  Apps don’t matter, Mallory can see the traffic

18. Demos + Deep Dive

19. Demos and Deep Dive

20. Solution GUI Configuration  Common tasks are fast, easy (configuring mallory, editing TCP streams)  Uncommon tasks are possible, fairly easy (rules, known protocols)  Rare tasks are harder, require some trickery (python plugins, python code)

21. Solution GUI Configuration  Getting traffic to the stream editor  Echo Server  Rules Config Demo

22. Solution Demo – Something More Serious  TCP Stream Editing  All flows and datagrams go to a database  Show database in advanced view

23. Solution Programmatic Modification  What about places where editing is harder?  DEMO – Modifying VNC Keystrokes

24. Solution What about Fuzzing?  Fuzzing Paradigms  File fuzzing  Network fuzzing

25. Solution How does Mallory Fuzz?  ProxFuzz  Opportunistic Fuzzing  Protocol Depth

26. Solution How does Mallory Fuzz?  DEMO

27. Solution Fuzzing Results  Can vary greatly  Depends on your app  We have seen good returns with opportunistic fuzzing

28. Solution Common App Testing Problem  SSL

29. Solution Mallory Knows SSL  DEMO - SSL

30. Solution SSL Usage  Mallory acts as a CA  Generates Certs in Memory  Makes Look Alike Certs

31. Solution SSL Usage  Mallory acts as a CA  Generates Certs in Memory  Makes Look Alike Certs

32. Conclusion

33. Conclusion Conclusion  Mallory is a MiTM Proxy  Focus on streams and datagrams  Mallory can decode and MiTM: HTTP, HTTPS, SSL, DNS, SSH  Mallory make common app testing tasks easy

Jeremy Allen - Rajendra Umadas - Network Stream Hacking With Mallory

Recommended

Recommended

More Related Content

Similar to Jeremy Allen - Rajendra Umadas - Network Stream Hacking With Mallory

Similar to Jeremy Allen - Rajendra Umadas - Network Stream Hacking With Mallory (20)

More from Source Conference

More from Source Conference (20)

Recently uploaded

Recently uploaded (20)

Jeremy Allen - Rajendra Umadas - Network Stream Hacking With Mallory