As bandwidth, computing power, and software advancements have improved over the years, we've begun to see larger and larger DDoS attacks against organizations. Often these attacks employ techniques such as DNS amplification to take advantage of servers with very large uplinks.
Threat hunting != Throwing arrow! Hunting for adversaries in your IT environment (Nahidul Kibria)
Threat hunting involves proactively searching networks to detect advanced threats that evade existing security solutions. It is not a reactive process like alerting, but instead involves repeated searches through networks using various approaches like data-centric hunting, endpoint hunting, and deception techniques. The document provides examples of hunting techniques for lateral movement, command and control, data exfiltration, and malware on networks. It emphasizes that threat hunting is an ongoing process of iterative searches to continuously identify security threats.
Admins, programmers and, most of all, hackers love PowerShell. Being the native shell of Windows systems, it does not draw attention, while at the same time offering enormous offensive capabilities. During the talk Paweł will present both effective one-liners and multi-line scripts that can wreak havoc in an unprepared organization. Expect interesting C2 channels, malware written entirely in PowerShell, finding and exploiting poorly configured MSSQL servers, etc. 100% meat, no filler.
Using Algorithms to Brute Force Algorithms... A Journey Through Time and Names... (OpenDNS)
The document discusses analyzing domain generation algorithms (DGAs) used by malware to establish resilient command and control connections. It focuses on analyzing the DGA used by the Ramnit malware. The Ramnit DGA works by seeding a linear congruential generator with an unknown seed value, generating domain names of random lengths between 8-19 characters from an alphabet of letters, and appending ".com". The document aims to identify the seed values used by brute forcing all possible seeds and analyzing DNS query patterns to determine how many domain names each seed generates.
This document discusses web archiving in the Czech Republic. It provides information on who archives the web, how it is archived, and why archiving the web is important. The National Library of the Czech Republic leads web archiving efforts and works with international partners like the International Internet Preservation Consortium to archive over 200 TB of web data using software like Heritrix and OpenWayback. Metadata standards like WARC and CDX are used to describe archived web pages and their relationships over time.
IBCAST 2021: Observations and lessons learned from the APNIC Community Honeyn... (APNIC)
The document discusses observations from the APNIC Community Honeynet Project, including Linux/Unix malware targeting servers and IoT devices, and lessons learned. Some key observations are the prevalence of Linux/Unix malware like Mirai that targets exposed devices with weak credentials. Honeypots captured login attempts and payloads downloaded from command and control servers. Lessons include the need to patch systems, use strong unique credentials, and monitor for infections.
The document provides an overview of basic web security concepts including:
1. It defines common web terms like front-end, back-end, cookies, sessions, URLs, HTTP methods, headers and status codes.
2. It discusses how cookies and sessions are used to track users and maintain state on the web.
3. It covers potential information leaks from files like robots.txt, hidden files and directories as well as techniques for searching websites like Google hacking.
4. It introduces common web vulnerabilities like XSS, CSRF and discusses how attacks are carried out and potential impacts. It also notes some PHP quirks that could be exploited if not understood.
We need to go deeper - Testing inception apps. (SecuRing)
When it comes to thick clients, Java applets, embedded devices or mobile apps, often the idea is to forget about the HTTP/S stack and plaintext POST parameters and instead implement a custom communication protocol.
- Sending files for printing? Caesar cipher does not support full UTF-8, so use AES in ECB mode.
- Malware attacking online banking? Even over HTTPS, double-encrypt POST parameters. If your clients are rich, use asymmetric encryption, for better protection.
- Planning SOAP WS? Use WCF Binary XML and put it in a START-TLS tunnel wrapped over a TCP connection.
Welcome to the world of application/x-inception-data content types, <meta charset=obscure> encoding and custom cryptography. Ideas that usually implement methods of 'security by obscurity'. Once the outer layer of obfuscation is off, very often the server backend reveals simple access control issues, SQL query shells or code execution vulnerabilities. I will discuss real-world examples from enterprise solution tests which require a bit more effort to allow tampering with data sent from the client:
- intercepting the traffic, bypassing NAC
- decapsulating encryption and encoding layers
- hooking into function calls, modifying packages
- reverse-engineering proprietary protocols and encryption.
Reversing Engineering a Web Application - For fun, behavior and detection (Rodrigo Montoro)
This document discusses reverse engineering a web application for web application firewall (WAF) detection. It describes analyzing application traffic and structure, including parameter matching, file structure analysis, and restricting access. Statistical analysis of traffic is also suggested to identify attacks and new trends for the WAF. Challenges include vulnerabilities in code, themes, plugins and handling multiple languages.
How to get along with HATEOAS without letting the bad guys steal your lunch? (Graham Charters)
This document discusses how hackers may attempt to exploit APIs and outlines strategies for using HATEOAS to improve API security. It notes that hackers will automatically fuzz APIs using tools to find vulnerabilities. It recommends using HATEOAS to enforce state-based navigation through the API, adding tracking data to links, and having a "front door" endpoint to validate requests and limit guessable paths, reducing opportunities for exploitation. Overall, the document argues that while HATEOAS aims to help clients, naively implementing it does not improve security, and the engine of application state concept should be used thoughtfully to enforce valid request flows and detect unexpected behavior.
This document discusses using information visualization techniques to analyze network security data. It provides examples of visualizing port scan data, vulnerability scanner results, and a wargame scenario. It also outlines several active research areas in network security visualization like visualizing worm propagation and intrusion detection system alerts.
Whatever it takes - Fixing SQLIA and XSS in the process (guest3379bd)
This document discusses techniques for preventing SQL injection and cross-site scripting (XSS) vulnerabilities. It proposes using prepared statements with separate data and control planes as a "safe query object" approach. It also discusses policy-based sanitization of HTML and focusing code reviews on defect detection through annotating suspicious code regions. The overall goal is to help developers adopt architectures and techniques that thoroughly apply technical solutions to recognize and fix security weaknesses.
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery... (Fedir RYKHTIK)
Slides from "Web Applications Automated Security Testing in a Continuous Delivery Pipeline" workshop, made during Drupal Developers Days 2017 at Seville, Spain
This presentation is part of the Utah Networxs course Hardening Web Servers.
The goal is to show the options for configuring Apache web server security and protecting it against possible attacks.
The package debian_hardening-0.1_beta.deb is available at http://www.utah.com.br/deb/debian_hardening-0.1_beta.deb, and the source code, for modifying it or building a new Debian package, is available at http://www.utah.com.br/src/debian_hardening-0.1_beta.tar.gz
Thanks...
Utah Networxs
Walking to Giants
JLeRN Paradata Challenge at Dev8D 2012 (Bharti Gupta)
The document summarizes the JLeRN Experiment project, which set up test nodes of the Learning Registry at Mimas, University of Manchester. It provides background on the Learning Registry and describes the APIs, processes, and examples used to publish and retrieve content from the JLeRN nodes. It also outlines a challenge for participants to create applications or ideas involving the capture and mashing up of paradata from learning resources.
The document discusses GRelC, a project that aims to design and deploy the first Grid Database Management System (Grid-DBMS) for the Globus community. It describes how GRelC allows for dynamic and transparent access to distributed, heterogeneous databases in a grid environment. Key features of GRelC include authentication, authorization, access control policies, data encryption, and support for single and multi-query operations across multiple database management systems.
Fully Automate Application Delivery with Puppet and F5 - PuppetConf 2014 (Puppet)
The document discusses F5 programmability and using Puppet for automation and deployment. It provides an overview of F5 programmability tools like iRules, iApps, and iControl. It then covers benefits of using Puppet for infrastructure as code and automation. Examples are given of using REST APIs and languages like Perl and Python to programmatically configure F5 devices.
Tips And Tricks For Bioinformatics Software Engineering (jtdudley)
This document provides tips and tricks for software engineering in bioinformatics. It discusses using object-oriented software design principles like encapsulation and inheritance. It also covers best practices like automating documentation, performance optimization, working with data using databases and file formats, parallel and distributed computing, hardware acceleration, and web services.
Overseeing Ship's Surveys and Surveyors Globally Using IoT and Docker by Jay ... (Docker, Inc.)
Fugro Chance Inc. oversees ship surveys globally using IoT and Docker. They developed a solution using AWS, Docker, and microservices to support a real-time web application for ship tracking. Key challenges included supporting services that need to run together and efficiently deploying new versions. They addressed this using SupervisorD to run multiple services in a single Docker container. This allows flexible development and deployment of future microservices.
Ten practical ways to improve front-end performance (Andrew Rota)
Conference talk presented at PHP South Coast 2017. Ten concrete ways to improve web performance, split between quick tactical wins and longer-term overarching strategies.
- The document discusses building a predictive anomaly detection model for network traffic using streaming data technologies.
- It proposes using Apache Kafka to ingest and process network packet and Netflow data in real-time, and Akka clustering to build predictive models that can guide human cybersecurity experts.
- The solution aims to more effectively guide human awareness of network threats by complementing localized rule-matching with predictive modeling of aggregate network behavior based on streaming metrics.
This document provides an overview of linked data and the linking open data project. It discusses linked data principles, including using URIs to identify things and including links between data. It also describes the web of data 101 including URIs, HTTP, and RDF. The document outlines the linking open data community project and its goal of interlinking open datasets. It provides examples of datasets in the project like DBpedia and Geonames. Finally, it discusses some tools and applications for working with linked data.
Modern Web Security, Lazy but Mindful Like a Fox (C4Media)
Video and slides synchronized, mp3 and slide download available at URL http://bit.ly/2hYU0cd.
Albert Yu presents a few viable, usable and effective defensive techniques that developers have often overlooked. Filmed at qconsf.com.
Albert Yu is currently working as a principal engineer for the Trust Engineering team in Atlassian. He has spent 15 years exposing himself to many different aspects of a security program, including security engineering, R&D, product reviews, code review, penetration testing, governance and compliance, risk management, and incident response, in large-scale environments.
The document discusses practical incident response in heterogeneous environments and overcoming limitations of traditional approaches. It proposes utilizing intelligence-driven investigation and actionable IOCs to more flexibly shape the triage process across different operating systems. Examples are provided of using software fingerprinting and debugging symbols to attribute malware and build structured knowledge bases of attackers.
The document discusses techniques for performing specialized searches and information extraction from web pages and documents. It describes using regular expressions and custom scripts to search for patterns like phone numbers. It also provides examples of using APIs and libraries like JavaScript::V8 to execute JavaScript and extract hidden content from web pages. The goal is to go beyond typical keyword searches to recognize structures and patterns to refine search results and find embedded information.
How Your DRAM Becomes a Security Problem (mark-smith)
Since our attack methodology targets the DRAM, it is mostly independent of software flaws, operating system, virtualization technology and even CPU. The attack is based on the presence of a row buffer in all DRAM modules. While this buffer is of vital importance to the way DRAM works physically, it also provides an attack surface for a side channel attack.
Remotely Compromising iOS via Wi-Fi and Escaping the Sandbox (mark-smith)
It describes exactly how iOS devices can be remotely compromised over Wi-Fi without user interaction or complicity. iOS Wi-Fi attacks bypass all built-in mitigations and sandboxes.
Similar to Attacking Network Infrastructure to Generate a 4 Tbs DDoS
Applied Machine Learning for Data exfil and other fun topics (mark-smith)
This document summarizes a talk on applying machine learning techniques for security purposes. It discusses using machine learning for NMAP clustering to group similar devices, identifying botnet panels through classification of website features, and obfuscating data with Markov chains to enable covert data exfiltration past network restrictions. The talk provides an overview of machine learning concepts like features, vectors, distances, clustering, and classification. It demonstrates several tools developed by the speakers for these applied machine learning use cases.
In this talk we focus on challenges that Fried Apple team solved in a process of making untethered 9.0-9.3.x jailbreak. We will reveal the internal structure of modern jailbreaks, including low level details such as achieving jailbreak persistence, creating a patchfinder to support all device types and finally bypassing kernel patch protection.
The Linux kernel hidden inside Windows 10 (mark-smith)
The document discusses the architectural overview of the Linux kernel hidden inside Windows 10. It describes the components that enable running Linux processes as "Pico processes" inside Windows, including the LXCORE kernel driver that implements the Linux ABI and API, and the LXSSMANAGER user-mode service that provides the external interface. The document outlines the initialization and functionality of these components, such as how they implement system calls, virtual file systems, and inter-process communication between Linux and Windows processes.
People's work effectiveness may decrease, as they will have to be suspicious of practically every message they receive. This may also seriously hamper social relationships within the organization, promoting the atmosphere of distrust.
Greed for Fame Benefits Large Scale Botnets (mark-smith)
A criminologist and a security researcher teamed up to hunt a large-scale botnet dubbed Linux/Moose 2.0 that conducts social media fraud. The hunt was fastidious since Linux/Moose 2.0 has stealth features and runs only on embedded systems such as consumer routers or Internet of Things (IoT) devices. Using honeypots set up across the world, we managed to get virtual routers infected to learn how this botnet spread and operated.
How your smartphone CPU breaks software level security and privacy (mark-smith)
We will discuss how two apps on a system can communicate with each other, circumventing the permission system, and show how we can attack Bouncy Castle's AES implementation.
How to Make People Click on a Dangerous Link Despite their Security Awareness (mark-smith)
It is possible to make virtually any person click on a link, as any person will be curious about something, or interested in some topic, or find the message plausible because they know the sender, or because it fits their expectations (context).
Technologies and Policies for a Defensible Cyberspace (mark-smith)
Whether curious or malicious hackers, organized criminals, or national spies or soldiers, for decades, those who want to use cyberspace to attack have held nearly all the cards. Cyber attack has been, for decades, far easier than cyber defense.
HijackLoader Evolution: Interactive Process Hollowing (Donato Onofri)
CrowdStrike researchers have identified a HijackLoader (aka IDAT Loader) sample that employs sophisticated evasion techniques to enhance the complexity of the threat. HijackLoader, an increasingly popular tool among adversaries for deploying additional payloads and tooling, continues to evolve as its developers experiment and enhance its capabilities.
In their analysis of a recent HijackLoader sample, CrowdStrike researchers discovered new techniques designed to increase the defense evasion capabilities of the loader. The malware developer used a standard process hollowing technique coupled with an additional trigger that was activated by the parent process writing to a pipe. This new approach, called "Interactive Process Hollowing", has the potential to make defense evasion stealthier.
2. $ WHOAMI
➤ Undergraduate Student - Junior
➤ 2nd year at DEF CON
➤ Website: bored.engineer
➤ Email: me@bored.engineer
➤ LinkedIn: https://www.linkedin.com/in/bored-engineer
➤ Twitter: @TheBoredEng
3. DISCLAIMER
➤ The views and opinions expressed in this presentation are those of
the authors and do not necessarily reflect the official policy or
position of any current or previous employer. Examples of
exploitation performed within this presentation are only examples
and they should not be utilized in the real-world.
4. AGENDA
➤ What is Internet2?
➤ What is perfSONAR?
➤ Exploiting perfSONAR
➤ Privilege Escalation to root
➤ Enumerating perfSONAR Instances
➤ Code Release and Q&A
5. BACKSTORY
➤ “The Internet is a global system of interconnected networks. The University
connects to both the global Internet and a number of special research and education
networks commonly referred to as Internet2. These networks provide high
bandwidth connectivity enabling and supporting research collaborations and
educational opportunities regionally, nationally, and around the world.”
6. WHAT IS INTERNET2?
➤ “Internet2 is an exceptional community of U.S. and international leaders in research,
academia, industry and government who create and collaborate via innovative
technologies. Together, we accelerate research discovery, advance national and global
education, and improve the delivery of public services.”
➤ 282 - Higher Education
➤ 86 - Corporations
➤ 66 - Affiliate members (Governments)
➤ 42 - Regional and State Education Networks
7. WHAT IS INTERNET2?
➤ AWS
➤ Azure
➤ Box
➤ Dropbox
➤ DocuSign
➤ Duo Security
➤ LastPass
➤ Lookout
➤ Office 365
➤ Rackspace
➤ SoftLayer
➤ Splunk
➤ VMWare
➤ Zoom
40. PERFSONAR - CONFIGMANAGER
➤ Backup original bwctld.conf
➤ Use ConfigManager to stop bwctld
➤ Write executable posthook.pl
➤ Use ConfigManager to write new bwctld.conf
➤ Use ConfigManager to start bwctld
➤ Trigger a bwctl session, triggering posthook.pl as root
➤ Use ConfigManager to stop bwctld
➤ Remove posthook.pl
➤ Restore original bwctld.conf
➤ Use ConfigManager to start bwctld back to original configuration
54. CALCULATING ACTUAL NETWORK SPEED
➤ Enumerate all perfSONAR instances and their maximum interface speed
➤ Calculate instance location from GeoIP
➤ Match 5 closest instances of same or faster interface speed
55. CALCULATING ACTUAL NETWORK SPEED
➤ index=ps sourcetype=ps-summary
  | dedup ls_client_uuid
  | rename external_address.address as address, external_address.speed as speed, services{}.enabled as enabled
  | where mvindex(enabled,0)="1"
  | fillnull value=10000000000 speed
  | iplocation address
  | map maxsearches=100000 search="search index=ps sourcetype=ps-summary
      | dedup ls_client_uuid
      | rename services{}.enabled as peer_enabled
      | eval peer_enabled = mvindex(peer_enabled,0)
      | where peer_enabled="1"
      | eval address=$address$, speed=$speed$
      | rename external_address.address as peer_address, external_address.speed as peer_speed
      | fillnull value=10000000000 peer_speed
      | where peer_address!=address AND peer_speed >= speed
      | eval lat=$lat$, lon=$lon$
      | iplocation prefix=peer_ peer_address
      | eval distance=sqrt(pow(lat-peer_lat,2)+pow(lon-peer_lon,2))
      | where distance!=0
      | sort distance
      | head 5
      | fields address, speed, peer_address, peer_speed, distance"
  | table address, speed, peer_address, peer_speed, distance
56. CALCULATING ACTUAL NETWORK SPEED
➤ Never run 2 tests with the same instance at the same time
➤ Never run more than 10 tests at the same time
➤ Never test a host that doesn’t have bwctl enabled
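The peer-selection logic of the slide 55 Splunk query together with the slide 56 limits, as an added Python example that is not the presenter's code: the query's stages (dedup, enabled filter, 10 Gbit/s fillnull, flat lat/lon distance, five nearest peers at least as fast) are re-implemented over constructed records, and the `enabled` flag is assumed to mean the host has bwctl enabled.

```python
import math
from dataclasses import dataclass

DEFAULT_SPEED = 10_000_000_000  # the query's fillnull value: assume 10 Gbit/s when unknown
MAX_CONCURRENT = 10             # slide 56: never more than 10 tests at the same time

@dataclass(frozen=True)
class Instance:
    uuid: str                   # ls_client_uuid
    address: str                # external_address.address
    lat: float                  # from iplocation (GeoIP)
    lon: float
    enabled: bool               # mvindex(services{}.enabled, 0) == "1" (assumed: bwctl enabled)
    speed: int = DEFAULT_SPEED  # external_address.speed; unknown speed takes the fillnull value

def closest_peers(src: Instance, pool: list, n: int = 5) -> list:
    """Inner 'map' search: up to n nearest enabled peers at least as fast as src (flat lat/lon distance, as on the slide)."""
    rows = []
    for p in pool:
        if not p.enabled or p.address == src.address or p.speed < src.speed:
            continue
        d = math.hypot(src.lat - p.lat, src.lon - p.lon)
        if d != 0:  # the query discards distance==0 (same GeoIP point)
            rows.append((d, p))
    rows.sort(key=lambda r: r[0])  # stable, so ties keep record order
    return [p for _, p in rows[:n]]

def plan_tests(records: list) -> list:
    """Outer search: dedup by ls_client_uuid (first record wins), then pair each enabled instance with its closest peers."""
    first = {}
    for r in records:
        first.setdefault(r.uuid, r)
    pool = list(first.values())
    return [(s, p) for s in pool if s.enabled for p in closest_peers(s, pool)]

def schedule(pairs: list, max_concurrent: int = MAX_CONCURRENT) -> list:
    """Split (src, peer) tests into rounds: no host in two tests of a round, at most max_concurrent per round."""
    rounds, pending = [], list(pairs)
    while pending:
        busy, this_round, rest = set(), [], []
        for s, p in pending:
            if len(this_round) < max_concurrent and not busy & {s.address, p.address}:
                this_round.append((s, p))
                busy |= {s.address, p.address}
            else:
                rest.append((s, p))
        rounds.append(this_round)
        pending = rest
    return rounds
```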