SlideShare a Scribd company logo

Rob "Mubix" Fuller: Attacker Ghost Stories

A
Area41

This talk was originally titled “I'm tired of defenders crying”, but thought better of it. This talk is about the tidbits that I've seen piecemeal across the multitude of businesses big and small that were innovated and highly effective, yet free, or mostly free and stopped me dead in my tracks. Going over a number of free, or nearly free methods, tactics, and software setups that will cut down intrusions significantly that you can deploy or start deployment of the hour after the talk is done. Mubix is a Senior Red Teamer. His professional experience starts from his time on active duty as United States Marine. He has worked with devices and software that run gambit in the security realm. He has a few certifications, but the titles that he holds above the rest is FATHER, HUSBAND and United States Marine.

1 of 57
Download to read offline
Attacker Ghost Stories Mostly free defenses that give attackers nightmares
About me... Mubix “Rob” Fuller o Father o Husband o NoVA Hacker o Marine
Why are we here?
Memory Corruption Bugs
EMET (Enhanced Mitigation Experience Toolkit) What is EMET? o  http://www.microsoft.com/emet o  Think of it like a big bouncer that protects any kind of memory funny business, but only for things you tell it to protect o Deployable by GPO o Logs o FREE
Protections
What about EMET bypasses? http://goo.gl/QrJZdd
Another good resource about EMET http://goo.gl/ELlBsi
Protections
Good percentage of Java bugs are non- memory corruption What about Java?
Protections Commonly Discussed •  “Just patch all of them” •  This person never had a developer on staff •  Or never had to install ArcSight •  “Disable the plugin in GPO” •  Not only is this just a Windows solution but not a very popular one •  “Just upgrade everyone to Java 7 update 200 so you can use the block list functionality” •  “Everyone should just use Linux…”
Internet Explorer User Agent Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/ 4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MS-RTC LM 8; InfoPath.3; .NET4.0C; .NET4.0E) chromeframe/8.0.552.224
Block Java UA at the Proxy Examples: JNLP/6.0 javaws/1.6.0_29 Java/1.6.0_26 Mozilla/4.0 (Windows 7 6.1) Java/ 1.7.0_45
Block Java UA at the Proxy o Java apps (exploits) require the use of Java, which uses it’s own User-Agent
Block Java UA at the Proxy o Java apps (exploits) require the use of Java, which uses it’s own User-Agent This never happens if they can’t pull the code!
Block Java UA at the Proxy o Java apps (exploits) require the use of Java, which uses it’s own User-Agent o Pull a report of every domain your users went to using the Java User-Agent. Parse the list and make them the exclusions. o FREE o Stops java exploits loaded by a browser. o Attacker cannot modify UA pre-exploit
Update: Block Java UA at the Proxy And according to “Z” this works for SSL too http://goo.gl/4mtwqN
Block Java UA at the Proxy Oh yea, it protects Macs too…
But do all wrong… The stuff we know about
Logging / Vuln Scanning / AV / HIPS o PWDump removed on an internal IIS box doesn’t mean the job is done. o Logon alerting - ADAudit Plus (only product in this presentation simply because I can’t find anyone else who does it) (Netwrix?) o HIPS (enable the prevention part) o Vuln Scanning is what a tool does. Lets start Vuln Reporting. o Get your pentester/red team involved!
Stop buying Typo-Squatted Domains •  Huge cost every year, and no way to keep up. •  Large risk as typo-squatted domains are easily used as phishing sources •  Use URLCrazy •  Add all of the Typo domains to your INTERNAL DNS servers •  Benefits •  No cost (except for upkeep/initial add) •  Phishing gets null-routed or even better, sent to “Phishing education” page •  Bad guy has no idea what is wrong •  Bad guy has no idea which domains are intra-squatted
Crowdsourcing Security Security Incident / Phishing Incentive Program o Reward “top” users for reporting malicious or “phishy” content. o Make a big deal out of it (company / section wide emails) o Every employee becomes an IDS o Quarterly “Think Evil” games
Crowdsourcing Security Internal Bug Bounty Program o Developers Developers Developers …. o Incorporate the entire company though, if anyone reports a bug in a system they don’t own, they’ll be entered in the bounty. o Make it _EASY_ o Payout in gift cards instead of incident response and forensics
WPAD My _favorite_ vulnerability:
WPAD o Make null routed (127.0.0.1) DNS entry for WPAD o Make null routed (::1) for DNS entry WPADWPADWPAD o Disable NetBIOS resolution domain wide. Your DNS servers can handle it. o It’s also a privacy concern NetBIOS traffic is broadcasted to everyone o FREE
Seriously Turn off DNS.
Believe me… would I lie to you?
DNS o There is no reason a user needs to resolve Google.com internally o Let your web proxies do all the DNS o FREE o Turn off forward lookups on your internal DNS servers. o Point your proxies at DNS servers that only they are allowed to use.
But we rarely do anything more than set a password policy for it. Passwords suck!
Dump your own hashes!
Dump your own hashes! o Crackers o  John the Ripper o  Rockyou.txt o Dumpers o  Depends… o  Goes back to the, “don’t use code you don’t trust”. o  List by Bernardo Damele - http://goo.gl/wDpJHc o  Ask your Pentesters/Red Teamers to do the dump and maybe even the audit. They will jump at it. o  (under supervision)
Port-forwarding Honeypots If you have public IP space, use it. 1.  Spin up a VPS (Like Linode) 2.  Add vulnerable looking software to the VPS 3.  Install snort / other sensor on the VPS 4.  Port forward 80, 1433, etc on your IP to the VPS via your firewall. 5.  Watch as attacks roll in without endangering your infrastructure at all. Note: Don’t share passwords from real infrastructure to VPS.
Authenticated. Splash. Proxy.
Authenticated Splash Proxies o Use a web form with fields other than “username=” and “password=” o Block all “uncategorized” o Splash page requirement (every domain is blocked every day, first person to go to the page is shown a big red button that says “approve this domain”) any automated C2 will fail.
Authenticated Splash Proxies THIS DOMAIN HAS BEEN BLOCKED! Don’t worry, this could be the first time today someone is attempting to go there. Click on “UNBLOCK” to ALLOW THIS DOMAIN THROUGH UNBLOCK BLOCK
CAUGHT
Evil Canaries o  Domain User called “DomainAdmin_Temp” with password in the description, and actually in Domain Admins group. Logon hours was 0. CAUGHT o  Public share called “Password Audit 2014”, EXLS docs about 4 MB, but “Everyone:Deny” permission. CAUGHT o  Computer called BACKUPDB, with out of date version of MySQL on Windows. CAUGHT
Evil Canaries o  Web developer made .htaccess file forward common scanner (ala /nikto.html) requests to custom 402 (Payment Required) page, correlated hits and alerted. CAUGHT o  Credit card database: http:// www.getcreditcardnumbers.com/ CAUGHT o  VPN main page edited to include “default” credentials in HTML source. CAUGHT
Evil Canaries o  Web server had /admin/login.html and supposedly tied to AD which always returned “SUCCESS” but didn’t do anything except, report what creds were used, browser and IP information. CAUGHT o  Machine that does absolutely nothing, saw traffic to port 23 (not listening). CAUGHT
Tell your helpdesk! o Most of your actionable security alerts go through your helpdesk. o Stop leaving them out of the loop.
Contact Me Rob Fuller @mubix Blog - http://www.room362.com/ Wiki - http://pwnwiki.io/ Email - mubix@hak5.org Campfire image from http://campfirewtx.org/wp-content/uploads/2013/11/campfire-pic.jpg
Appendix I - Psychology The attacker is on your turf. Hackers freeze when they think they are caught. Nation states have “visibility assessment protocols” that take time. The more you can cause a visibility score to go up either by perceived or actual detection will cause more intelligence opportunities on the defence side.
Appendix II - Other free wins o  Monitor anything that is tied to AD and is accessible from the Internet. OWA / MDM / SharePoint / VPN, or your web site. o  Baseline internal network traffic. Spider patterns mean scanning. o  MAC addresses that aren’t in the same OUI class should be investigated. (DELL/HP/ Wewei)
Appendix II - Other free wins o  Allow users a way to specify when they are on vacation. Or integrate your vacation system with the authentication alerting system. If the user isn’t there, there shouldn’t be authenticating to anything be email and maybe the VPN for you workaholics.

Recommended

Practical Exploitation - Webappy Style
Practical Exploitation - Webappy StylePractical Exploitation - Webappy Style
Practical Exploitation - Webappy Style
Rob Fuller
 
Attacker Ghost Stories - ShmooCon 2014
Attacker Ghost Stories - ShmooCon 2014Attacker Ghost Stories - ShmooCon 2014
Attacker Ghost Stories - ShmooCon 2014
Rob Fuller
 
Hacking Windows 95 #33c3
Hacking Windows 95 #33c3Hacking Windows 95 #33c3
Hacking Windows 95 #33c3
Zoltan Balazs
 
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - [ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - Zoltan Balazs
 
44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?
44CON
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Rob Fuller
 
44CON London 2015 - reverse reverse engineering
44CON London 2015 - reverse reverse engineering44CON London 2015 - reverse reverse engineering
44CON London 2015 - reverse reverse engineering
44CON
 
W.E.B. 2010 - Web, Exploits, Browsers
W.E.B. 2010 - Web, Exploits, BrowsersW.E.B. 2010 - Web, Exploits, Browsers
W.E.B. 2010 - Web, Exploits, Browsers
Saumil Shah
 

Recommended

Practical Exploitation - Webappy Style
Practical Exploitation - Webappy StylePractical Exploitation - Webappy Style
Practical Exploitation - Webappy Style
Rob Fuller
 
Attacker Ghost Stories - ShmooCon 2014
Attacker Ghost Stories - ShmooCon 2014Attacker Ghost Stories - ShmooCon 2014
Attacker Ghost Stories - ShmooCon 2014
Rob Fuller
 
Hacking Windows 95 #33c3
Hacking Windows 95 #33c3Hacking Windows 95 #33c3
Hacking Windows 95 #33c3
Zoltan Balazs
 
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - [ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - Zoltan Balazs
 
44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?
44CON
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Rob Fuller
 
44CON London 2015 - reverse reverse engineering
44CON London 2015 - reverse reverse engineering44CON London 2015 - reverse reverse engineering
44CON London 2015 - reverse reverse engineering
44CON
 
W.E.B. 2010 - Web, Exploits, Browsers
W.E.B. 2010 - Web, Exploits, BrowsersW.E.B. 2010 - Web, Exploits, Browsers
W.E.B. 2010 - Web, Exploits, Browsers
Saumil Shah
 
Owning the bad guys
Owning the bad guys Owning the bad guys
Owning the bad guys
Santhosh Kumar
 
Be ef presentation-securitybyte2011-michele_orru
Be ef presentation-securitybyte2011-michele_orruBe ef presentation-securitybyte2011-michele_orru
Be ef presentation-securitybyte2011-michele_orru
Michele Orru
 
Hacktivity2011 be ef-preso_micheleorru
Hacktivity2011 be ef-preso_micheleorruHacktivity2011 be ef-preso_micheleorru
Hacktivity2011 be ef-preso_micheleorruMichele Orru
 
Advances in BeEF - AthCon2012
Advances in BeEF - AthCon2012Advances in BeEF - AthCon2012
Advances in BeEF - AthCon2012Michele Orru
 
Writing malware while the blue team is staring at you
Writing malware while the blue team is staring at youWriting malware while the blue team is staring at you
Writing malware while the blue team is staring at you
Rob Fuller
 
A @textfiles approach to gathering the world's DNS
A @textfiles approach to gathering the world's DNSA @textfiles approach to gathering the world's DNS
A @textfiles approach to gathering the world's DNS
Rob Fuller
 
Ultimate Guide to Setup DarkComet with NoIP
Ultimate Guide to Setup DarkComet with NoIPUltimate Guide to Setup DarkComet with NoIP
Ultimate Guide to Setup DarkComet with NoIP
Pich Pra Tna
 
Attacking Big Data Land
Attacking Big Data LandAttacking Big Data Land
Attacking Big Data Land
Jeremy Brown
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
Frans Rosén
 
Unsecuring SSH
Unsecuring SSHUnsecuring SSH
Unsecuring SSH
Jeremy Brown
 
Node.js Anti Patterns
Node.js Anti PatternsNode.js Anti Patterns
Node.js Anti Patterns
Ben Hall
 
RIT 2009 Intellectual Pwnership
RIT 2009 Intellectual PwnershipRIT 2009 Intellectual Pwnership
RIT 2009 Intellectual PwnershipRob Fuller
 
WordPress Security - Dealing With Today's Hacks
WordPress Security - Dealing With Today's HacksWordPress Security - Dealing With Today's Hacks
WordPress Security - Dealing With Today's HacksTony Perez
 
How to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyHow to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ Disobey
Zoltan Balazs
 
Flash it baby!
Flash it baby!Flash it baby!
Flash it baby!
Soroush Dalili
 
Active Https Cookie Stealing
Active Https Cookie StealingActive Https Cookie Stealing
Active Https Cookie Stealing
SecurityTube.Net
 
Summer of Fuzz: macOS
Summer of Fuzz: macOSSummer of Fuzz: macOS
Summer of Fuzz: macOS
Jeremy Brown
 
Make CSRF Again
Make CSRF AgainMake CSRF Again
Make CSRF Again
Netsparker
 
DNS hijacking using cloud providers – No verification needed
DNS hijacking using cloud providers – No verification neededDNS hijacking using cloud providers – No verification needed
DNS hijacking using cloud providers – No verification needed
Frans Rosén
 
Delete prefetch automatically
Delete prefetch automaticallyDelete prefetch automatically
Delete prefetch automaticallyMrko3ko3
 
Step by Step on How to Setup DarkComet
Step by Step on How to Setup DarkCometStep by Step on How to Setup DarkComet
Step by Step on How to Setup DarkComet
Pich Pra Tna
 
Ransomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itRansomware - what is it, how to protect against it
Ransomware - what is it, how to protect against it
Zoltan Balazs
 

More Related Content

What's hot

Owning the bad guys
Owning the bad guys Owning the bad guys
Owning the bad guys
Santhosh Kumar
 
Be ef presentation-securitybyte2011-michele_orru
Be ef presentation-securitybyte2011-michele_orruBe ef presentation-securitybyte2011-michele_orru
Be ef presentation-securitybyte2011-michele_orru
Michele Orru
 
Hacktivity2011 be ef-preso_micheleorru
Hacktivity2011 be ef-preso_micheleorruHacktivity2011 be ef-preso_micheleorru
Hacktivity2011 be ef-preso_micheleorruMichele Orru
 
Advances in BeEF - AthCon2012
Advances in BeEF - AthCon2012Advances in BeEF - AthCon2012
Advances in BeEF - AthCon2012Michele Orru
 
Writing malware while the blue team is staring at you
Writing malware while the blue team is staring at youWriting malware while the blue team is staring at you
Writing malware while the blue team is staring at you
Rob Fuller
 
A @textfiles approach to gathering the world's DNS
A @textfiles approach to gathering the world's DNSA @textfiles approach to gathering the world's DNS
A @textfiles approach to gathering the world's DNS
Rob Fuller
 
Ultimate Guide to Setup DarkComet with NoIP
Ultimate Guide to Setup DarkComet with NoIPUltimate Guide to Setup DarkComet with NoIP
Ultimate Guide to Setup DarkComet with NoIP
Pich Pra Tna
 
Attacking Big Data Land
Attacking Big Data LandAttacking Big Data Land
Attacking Big Data Land
Jeremy Brown
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
Frans Rosén
 
Unsecuring SSH
Unsecuring SSHUnsecuring SSH
Unsecuring SSH
Jeremy Brown
 
Node.js Anti Patterns
Node.js Anti PatternsNode.js Anti Patterns
Node.js Anti Patterns
Ben Hall
 
RIT 2009 Intellectual Pwnership
RIT 2009 Intellectual PwnershipRIT 2009 Intellectual Pwnership
RIT 2009 Intellectual PwnershipRob Fuller
 
WordPress Security - Dealing With Today's Hacks
WordPress Security - Dealing With Today's HacksWordPress Security - Dealing With Today's Hacks
WordPress Security - Dealing With Today's HacksTony Perez
 
How to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyHow to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ Disobey
Zoltan Balazs
 
Flash it baby!
Flash it baby!Flash it baby!
Flash it baby!
Soroush Dalili
 
Active Https Cookie Stealing
Active Https Cookie StealingActive Https Cookie Stealing
Active Https Cookie Stealing
SecurityTube.Net
 
Summer of Fuzz: macOS
Summer of Fuzz: macOSSummer of Fuzz: macOS
Summer of Fuzz: macOS
Jeremy Brown
 
Make CSRF Again
Make CSRF AgainMake CSRF Again
Make CSRF Again
Netsparker
 
DNS hijacking using cloud providers – No verification needed
DNS hijacking using cloud providers – No verification neededDNS hijacking using cloud providers – No verification needed
DNS hijacking using cloud providers – No verification needed
Frans Rosén
 
Delete prefetch automatically
Delete prefetch automaticallyDelete prefetch automatically
Delete prefetch automaticallyMrko3ko3
 

What's hot (20)

Owning the bad guys
Owning the bad guys Owning the bad guys
Owning the bad guys
 
Be ef presentation-securitybyte2011-michele_orru
Be ef presentation-securitybyte2011-michele_orruBe ef presentation-securitybyte2011-michele_orru
Be ef presentation-securitybyte2011-michele_orru
 
Hacktivity2011 be ef-preso_micheleorru
Hacktivity2011 be ef-preso_micheleorruHacktivity2011 be ef-preso_micheleorru
Hacktivity2011 be ef-preso_micheleorru
 
Advances in BeEF - AthCon2012
Advances in BeEF - AthCon2012Advances in BeEF - AthCon2012
Advances in BeEF - AthCon2012
 
Writing malware while the blue team is staring at you
Writing malware while the blue team is staring at youWriting malware while the blue team is staring at you
Writing malware while the blue team is staring at you
 
A @textfiles approach to gathering the world's DNS
A @textfiles approach to gathering the world's DNSA @textfiles approach to gathering the world's DNS
A @textfiles approach to gathering the world's DNS
 
Ultimate Guide to Setup DarkComet with NoIP
Ultimate Guide to Setup DarkComet with NoIPUltimate Guide to Setup DarkComet with NoIP
Ultimate Guide to Setup DarkComet with NoIP
 
Attacking Big Data Land
Attacking Big Data LandAttacking Big Data Land
Attacking Big Data Land
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
 
Unsecuring SSH
Unsecuring SSHUnsecuring SSH
Unsecuring SSH
 
Node.js Anti Patterns
Node.js Anti PatternsNode.js Anti Patterns
Node.js Anti Patterns
 
RIT 2009 Intellectual Pwnership
RIT 2009 Intellectual PwnershipRIT 2009 Intellectual Pwnership
RIT 2009 Intellectual Pwnership
 
WordPress Security - Dealing With Today's Hacks
WordPress Security - Dealing With Today's HacksWordPress Security - Dealing With Today's Hacks
WordPress Security - Dealing With Today's Hacks
 
How to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyHow to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ Disobey
 
Flash it baby!
Flash it baby!Flash it baby!
Flash it baby!
 
Active Https Cookie Stealing
Active Https Cookie StealingActive Https Cookie Stealing
Active Https Cookie Stealing
 
Summer of Fuzz: macOS
Summer of Fuzz: macOSSummer of Fuzz: macOS
Summer of Fuzz: macOS
 
Make CSRF Again
Make CSRF AgainMake CSRF Again
Make CSRF Again
 
DNS hijacking using cloud providers – No verification needed
DNS hijacking using cloud providers – No verification neededDNS hijacking using cloud providers – No verification needed
DNS hijacking using cloud providers – No verification needed
 
Delete prefetch automatically
Delete prefetch automaticallyDelete prefetch automatically
Delete prefetch automatically
 

Similar to Rob "Mubix" Fuller: Attacker Ghost Stories

Step by Step on How to Setup DarkComet
Step by Step on How to Setup DarkCometStep by Step on How to Setup DarkComet
Step by Step on How to Setup DarkComet
Pich Pra Tna
 
Ransomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itRansomware - what is it, how to protect against it
Ransomware - what is it, how to protect against it
Zoltan Balazs
 
Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015
Zoltan Balazs
 
Hacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass FirewallsHacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass Firewalls
Netsparker
 
Dev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT SecurityDev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT Security
Mario Heiderich
 
Securing Rails
Securing RailsSecuring Rails
Securing Rails
Alex Payne
 
Advanced googling
Advanced googlingAdvanced googling
Advanced googling
sonuagain
 
Google Hacking
Google HackingGoogle Hacking
Google Hacking
Pim Piepers
 
TSC Summit #4 - Howto get browser persitence and remote execution (JS)
TSC Summit #4 - Howto get browser persitence and remote execution (JS)TSC Summit #4 - Howto get browser persitence and remote execution (JS)
TSC Summit #4 - Howto get browser persitence and remote execution (JS)
Mikal Villa
 
2010 11 pubcon_hendison-hosting
2010 11 pubcon_hendison-hosting2010 11 pubcon_hendison-hosting
2010 11 pubcon_hendison-hosting
shendison
 
Sonatype DevSecOps Leadership forum 2020
Sonatype DevSecOps Leadership forum 2020Sonatype DevSecOps Leadership forum 2020
Sonatype DevSecOps Leadership forum 2020
Daniel Garcia (a.k.a cr0hn)
 
Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]RootedCON
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysis
Tamas K Lengyel
 
XSS Without Browser
XSS Without BrowserXSS Without Browser
XSS Without Browser
kosborn
 
Unmasking or De-Anonymizing You
Unmasking or De-Anonymizing YouUnmasking or De-Anonymizing You
Unmasking or De-Anonymizing You
E Hacking
 
5 Bare Minimum Things A Web Startup CTO Must Worry About
5 Bare Minimum Things A Web Startup CTO Must Worry About5 Bare Minimum Things A Web Startup CTO Must Worry About
5 Bare Minimum Things A Web Startup CTO Must Worry About
Indus Khaitan
 
12 tricks to avoid hackers breaks your CI / CD
12 tricks to avoid hackers breaks your CI / CD12 tricks to avoid hackers breaks your CI / CD
12 tricks to avoid hackers breaks your CI / CD
Daniel Garcia (a.k.a cr0hn)
 
How to hide your browser 0-days
How to hide your browser 0-daysHow to hide your browser 0-days
How to hide your browser 0-days
Zoltan Balazs
 
Derby con 2014
Derby con 2014Derby con 2014
Derby con 2014
TonikJDK
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Zoltan Balazs
 

Similar to Rob "Mubix" Fuller: Attacker Ghost Stories (20)

Step by Step on How to Setup DarkComet
Step by Step on How to Setup DarkCometStep by Step on How to Setup DarkComet
Step by Step on How to Setup DarkComet
 
Ransomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itRansomware - what is it, how to protect against it
Ransomware - what is it, how to protect against it
 
Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015
 
Hacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass FirewallsHacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass Firewalls
 
Dev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT SecurityDev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT Security
 
Securing Rails
Securing RailsSecuring Rails
Securing Rails
 
Advanced googling
Advanced googlingAdvanced googling
Advanced googling
 
Google Hacking
Google HackingGoogle Hacking
Google Hacking
 
TSC Summit #4 - Howto get browser persitence and remote execution (JS)
TSC Summit #4 - Howto get browser persitence and remote execution (JS)TSC Summit #4 - Howto get browser persitence and remote execution (JS)
TSC Summit #4 - Howto get browser persitence and remote execution (JS)
 
2010 11 pubcon_hendison-hosting
2010 11 pubcon_hendison-hosting2010 11 pubcon_hendison-hosting
2010 11 pubcon_hendison-hosting
 
Sonatype DevSecOps Leadership forum 2020
Sonatype DevSecOps Leadership forum 2020Sonatype DevSecOps Leadership forum 2020
Sonatype DevSecOps Leadership forum 2020
 
Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysis
 
XSS Without Browser
XSS Without BrowserXSS Without Browser
XSS Without Browser
 
Unmasking or De-Anonymizing You
Unmasking or De-Anonymizing YouUnmasking or De-Anonymizing You
Unmasking or De-Anonymizing You
 
5 Bare Minimum Things A Web Startup CTO Must Worry About
5 Bare Minimum Things A Web Startup CTO Must Worry About5 Bare Minimum Things A Web Startup CTO Must Worry About
5 Bare Minimum Things A Web Startup CTO Must Worry About
 
12 tricks to avoid hackers breaks your CI / CD
12 tricks to avoid hackers breaks your CI / CD12 tricks to avoid hackers breaks your CI / CD
12 tricks to avoid hackers breaks your CI / CD
 
How to hide your browser 0-days
How to hide your browser 0-daysHow to hide your browser 0-days
How to hide your browser 0-days
 
Derby con 2014
Derby con 2014Derby con 2014
Derby con 2014
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
 

More from Area41

Ange Albertini and Gynvael Coldwind: Schizophrenic Files – A file that thinks...
Ange Albertini and Gynvael Coldwind: Schizophrenic Files – A file that thinks...Ange Albertini and Gynvael Coldwind: Schizophrenic Files – A file that thinks...
Ange Albertini and Gynvael Coldwind: Schizophrenic Files – A file that thinks...
Area41
 
Juriaan Bremer und Marion Marschalek: Curing A 15 Year Old Disease
Juriaan Bremer und Marion Marschalek: Curing A 15 Year Old DiseaseJuriaan Bremer und Marion Marschalek: Curing A 15 Year Old Disease
Juriaan Bremer und Marion Marschalek: Curing A 15 Year Old Disease
Area41
 
Marc Ruef: Adventures in a Decade of Tracking and Consolidating Security Vuln...
Marc Ruef: Adventures in a Decade of Tracking and Consolidating Security Vuln...Marc Ruef: Adventures in a Decade of Tracking and Consolidating Security Vuln...
Marc Ruef: Adventures in a Decade of Tracking and Consolidating Security Vuln...
Area41
 
Halvar Flake: Why Johnny can’t tell if he is compromised
Halvar Flake: Why Johnny can’t tell if he is compromisedHalvar Flake: Why Johnny can’t tell if he is compromised
Halvar Flake: Why Johnny can’t tell if he is compromised
Area41
 
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
Area41
 
hashdays 2011: Mikko Hypponen - Keynote
hashdays 2011: Mikko Hypponen - Keynotehashdays 2011: Mikko Hypponen - Keynote
hashdays 2011: Mikko Hypponen - KeynoteArea41
 
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
Area41
 
hashdays 2011: Sniping Slowloris - Taking out DDoS attackers with minimal har...
hashdays 2011: Sniping Slowloris - Taking out DDoS attackers with minimal har...hashdays 2011: Sniping Slowloris - Taking out DDoS attackers with minimal har...
hashdays 2011: Sniping Slowloris - Taking out DDoS attackers with minimal har...
Area41
 
hashdays 2011: Christian Bockermann - Protecting Databases with Trees
hashdays 2011: Christian Bockermann - Protecting Databases with Treeshashdays 2011: Christian Bockermann - Protecting Databases with Trees
hashdays 2011: Christian Bockermann - Protecting Databases with Trees
Area41
 
hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opc...
hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opc...hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opc...
hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opc...
Area41
 
hashdays 2011: Jean-Philippe Aumasson - Cryptanalysis vs. Reality
hashdays 2011: Jean-Philippe Aumasson - Cryptanalysis vs. Realityhashdays 2011: Jean-Philippe Aumasson - Cryptanalysis vs. Reality
hashdays 2011: Jean-Philippe Aumasson - Cryptanalysis vs. Reality
Area41
 

More from Area41 (11)

Ange Albertini and Gynvael Coldwind: Schizophrenic Files – A file that thinks...
Ange Albertini and Gynvael Coldwind: Schizophrenic Files – A file that thinks...Ange Albertini and Gynvael Coldwind: Schizophrenic Files – A file that thinks...
Ange Albertini and Gynvael Coldwind: Schizophrenic Files – A file that thinks...
 
Juriaan Bremer und Marion Marschalek: Curing A 15 Year Old Disease
Juriaan Bremer und Marion Marschalek: Curing A 15 Year Old DiseaseJuriaan Bremer und Marion Marschalek: Curing A 15 Year Old Disease
Juriaan Bremer und Marion Marschalek: Curing A 15 Year Old Disease
 
Marc Ruef: Adventures in a Decade of Tracking and Consolidating Security Vuln...
Marc Ruef: Adventures in a Decade of Tracking and Consolidating Security Vuln...Marc Ruef: Adventures in a Decade of Tracking and Consolidating Security Vuln...
Marc Ruef: Adventures in a Decade of Tracking and Consolidating Security Vuln...
 
Halvar Flake: Why Johnny can’t tell if he is compromised
Halvar Flake: Why Johnny can’t tell if he is compromisedHalvar Flake: Why Johnny can’t tell if he is compromised
Halvar Flake: Why Johnny can’t tell if he is compromised
 
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
 
hashdays 2011: Mikko Hypponen - Keynote
hashdays 2011: Mikko Hypponen - Keynotehashdays 2011: Mikko Hypponen - Keynote
hashdays 2011: Mikko Hypponen - Keynote
 
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
 
hashdays 2011: Sniping Slowloris - Taking out DDoS attackers with minimal har...
hashdays 2011: Sniping Slowloris - Taking out DDoS attackers with minimal har...hashdays 2011: Sniping Slowloris - Taking out DDoS attackers with minimal har...
hashdays 2011: Sniping Slowloris - Taking out DDoS attackers with minimal har...
 
hashdays 2011: Christian Bockermann - Protecting Databases with Trees
hashdays 2011: Christian Bockermann - Protecting Databases with Treeshashdays 2011: Christian Bockermann - Protecting Databases with Trees
hashdays 2011: Christian Bockermann - Protecting Databases with Trees
 
hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opc...
hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opc...hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opc...
hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opc...
 
hashdays 2011: Jean-Philippe Aumasson - Cryptanalysis vs. Reality
hashdays 2011: Jean-Philippe Aumasson - Cryptanalysis vs. Realityhashdays 2011: Jean-Philippe Aumasson - Cryptanalysis vs. Reality
hashdays 2011: Jean-Philippe Aumasson - Cryptanalysis vs. Reality
 

Recently uploaded

Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
Peter Spielvogel
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Nexer Digital
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
Welocme to ViralQR, your best QR code generator.
Welocme to ViralQR, your best QR code generator.Welocme to ViralQR, your best QR code generator.
Welocme to ViralQR, your best QR code generator.
ViralQR
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
RinaMondal9
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Aggregage
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
nkrafacyberclub
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 

Recently uploaded (20)

Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
Welocme to ViralQR, your best QR code generator.
Welocme to ViralQR, your best QR code generator.Welocme to ViralQR, your best QR code generator.
Welocme to ViralQR, your best QR code generator.
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 

Rob "Mubix" Fuller: Attacker Ghost Stories

  • 1. Attacker Ghost Stories Mostly free defenses that give attackers nightmares
  • 2. About me... Mubix “Rob” Fuller o Father o Husband o NoVA Hacker o Marine
  • 3. Why are we here?
  • 4.
  • 6. EMET (Enhanced Mitigation Experience Toolkit) What is EMET? o  http://www.microsoft.com/emet o  Think of it like a big bouncer that protects any kind of memory funny business, but only for things you tell it to protect o Deployable by GPO o Logs o FREE
  • 8. What about EMET bypasses? http://goo.gl/QrJZdd
  • 9. Another good resource about EMET http://goo.gl/ELlBsi
  • 11.
  • 12. Good percentage of Java bugs are non- memory corruption What about Java?
  • 13. Protections Commonly Discussed •  “Just patch all of them” •  This person never had a developer on staff •  Or never had to install ArcSight •  “Disable the plugin in GPO” •  Not only is this just a Windows solution but not a very popular one •  “Just upgrade everyone to Java 7 update 200 so you can use the block list functionality” •  “Everyone should just use Linux…”
  • 14. Internet Explorer User Agent Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/ 4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MS-RTC LM 8; InfoPath.3; .NET4.0C; .NET4.0E) chromeframe/8.0.552.224
  • 15. Block Java UA at the Proxy Examples: JNLP/6.0 javaws/1.6.0_29 Java/1.6.0_26 Mozilla/4.0 (Windows 7 6.1) Java/ 1.7.0_45
  • 16. Block Java UA at the Proxy o Java apps (exploits) require the use of Java, which uses it’s own User-Agent
  • 17. Block Java UA at the Proxy o Java apps (exploits) require the use of Java, which uses it’s own User-Agent This never happens if they can’t pull the code!
  • 18. Block Java UA at the Proxy o Java apps (exploits) require the use of Java, which uses it’s own User-Agent o Pull a report of every domain your users went to using the Java User-Agent. Parse the list and make them the exclusions. o FREE o Stops java exploits loaded by a browser. o Attacker cannot modify UA pre-exploit
  • 19. Update: Block Java UA at the Proxy And according to “Z” this works for SSL too http://goo.gl/4mtwqN
  • 20. Block Java UA at the Proxy Oh yea, it protects Macs too…
  • 21.
  • 22. But do all wrong… The stuff we know about
  • 23. Logging / Vuln Scanning / AV / HIPS o PWDump removed on an internal IIS box doesn’t mean the job is done. o Logon alerting - ADAudit Plus (only product in this presentation simply because I can’t find anyone else who does it) (Netwrix?) o HIPS (enable the prevention part) o Vuln Scanning is what a tool does. Lets start Vuln Reporting. o Get your pentester/red team involved!
  • 24.
  • 25. Stop buying Typo-Squatted Domains •  Huge cost every year, and no way to keep up. •  Large risk as typo-squatted domains are easily used as phishing sources •  Use URLCrazy •  Add all of the Typo domains to your INTERNAL DNS servers •  Benefits •  No cost (except for upkeep/initial add) •  Phishing gets null-routed or even better, sent to “Phishing education” page •  Bad guy has no idea what is wrong •  Bad guy has no idea which domains are intra-squatted
  • 26.
  • 27. Crowdsourcing Security Security Incident / Phishing Incentive Program o Reward “top” users for reporting malicious or “phishy” content. o Make a big deal out of it (company / section wide emails) o Every employee becomes an IDS o Quarterly “Think Evil” games
  • 28. Crowdsourcing Security Internal Bug Bounty Program o Developers Developers Developers …. o Incorporate the entire company though, if anyone reports a bug in a system they don’t own, they’ll be entered in the bounty. o Make it _EASY_ o Payout in gift cards instead of incident response and forensics
  • 29.
  • 31. WPAD o Make null routed (127.0.0.1) DNS entry for WPAD o Make null routed (::1) for DNS entry WPADWPADWPAD o Disable NetBIOS resolution domain wide. Your DNS servers can handle it. o It’s also a privacy concern NetBIOS traffic is broadcasted to everyone o FREE
  • 32.
  • 34. Believe me… would I lie to you?
  • 35. DNS o There is no reason a user needs to resolve Google.com internally o Let your web proxies do all the DNS o FREE o Turn off forward lookups on your internal DNS servers. o Point your proxies at DNS servers that only they are allowed to use.
  • 36.
  • 37. But we rarely do anything more than set a password policy for it. Passwords suck!
  • 38. Dump your own hashes!
  • 39. Dump your own hashes! o Crackers o  John the Ripper o  Rockyou.txt o Dumpers o  Depends… o  Goes back to the, “don’t use code you don’t trust”. o  List by Bernardo Damele - http://goo.gl/wDpJHc o  Ask your Pentesters/Red Teamers to do the dump and maybe even the audit. They will jump at it. o  (under supervision)
  • 40.
  • 41. Port-forwarding Honeypots If you have public IP space, use it. 1.  Spin up a VPS (Like Linode) 2.  Add vulnerable looking software to the VPS 3.  Install snort / other sensor on the VPS 4.  Port forward 80, 1433, etc on your IP to the VPS via your firewall. 5.  Watch as attacks roll in without endangering your infrastructure at all. Note: Don’t share passwords from real infrastructure to VPS.
  • 42.
  • 44. Authenticated Splash Proxies o Use a web form with fields other than “username=” and “password=” o Block all “uncategorized” o Splash page requirement (every domain is blocked every day, first person to go to the page is shown a big red button that says “approve this domain”) any automated C2 will fail.
  • 45. Authenticated Splash Proxies THIS DOMAIN HAS BEEN BLOCKED! Don’t worry, this could be the first time today someone is attempting to go there. Click on “UNBLOCK” to ALLOW THIS DOMAIN THROUGH UNBLOCK BLOCK
  • 46.
  • 48. Evil Canaries o  Domain User called “DomainAdmin_Temp” with password in the description, and actually in Domain Admins group. Logon hours was 0. CAUGHT o  Public share called “Password Audit 2014”, EXLS docs about 4 MB, but “Everyone:Deny” permission. CAUGHT o  Computer called BACKUPDB, with out of date version of MySQL on Windows. CAUGHT
  • 49. Evil Canaries o  Web developer made .htaccess file forward common scanner (ala /nikto.html) requests to custom 402 (Payment Required) page, correlated hits and alerted. CAUGHT o  Credit card database: http:// www.getcreditcardnumbers.com/ CAUGHT o  VPN main page edited to include “default” credentials in HTML source. CAUGHT
  • 50. Evil Canaries o  Web server had /admin/login.html and supposedly tied to AD which always returned “SUCCESS” but didn’t do anything except, report what creds were used, browser and IP information. CAUGHT o  Machine that does absolutely nothing, saw traffic to port 23 (not listening). CAUGHT
  • 51.
  • 52. Tell your helpdesk! o Most of your actionable security alerts go through your helpdesk. o Stop leaving them out of the loop.
  • 53.
  • 54. Contact Me Rob Fuller @mubix Blog - http://www.room362.com/ Wiki - http://pwnwiki.io/ Email - mubix@hak5.org Campfire image from http://campfirewtx.org/wp-content/uploads/2013/11/campfire-pic.jpg
  • 55. Appendix I - Psychology The attacker is on your turf. Hackers freeze when they think they are caught. Nation states have “visibility assessment protocols” that take time. The more you can cause a visibility score to go up either by perceived or actual detection will cause more intelligence opportunities on the defence side.
  • 56. Appendix II - Other free wins o  Monitor anything that is tied to AD and is accessible from the Internet. OWA / MDM / SharePoint / VPN, or your web site. o  Baseline internal network traffic. Spider patterns mean scanning. o  MAC addresses that aren’t in the same OUI class should be investigated. (DELL/HP/ Wewei)
  • 57. Appendix II - Other free wins o  Allow users a way to specify when they are on vacation. Or integrate your vacation system with the authentication alerting system. If the user isn’t there, there shouldn’t be authenticating to anything be email and maybe the VPN for you workaholics.