SlideShare a Scribd company logo

BSidesJXN 2016: Finding a Company's BreakPoint

Download as PPT, PDF
Andrew McNicol
Andrew McNicol

The document outlines various techniques that can be used to break into a company's network beyond just scanning for vulnerabilities. It discusses phishing, exploiting web application vulnerabilities, using Responder to poison name resolution and enable man-in-the-middle attacks, SMB relay attacks, and compromising user accounts by combining different vulnerabilities. Specific tools and steps are provided for each technique.

Technology
1 of 48
Finding a Company’s BreakPoint By: Zack Meyers & Andrew McNicol
Modern Day Hacking
Agenda ~$ whoami Overview Our Methodology How to Go Beyond a Scan 1. Phishing 2. Web Application Vulnerabilities 3. Multicast Name Resolution Poisoning 4. SMB Relay Attacks 5. Account Compromise Final Thoughts and Tips Useful Training and Links
~$ whoami Zack Meyers (@b3armunch) Andrew McNicol (@primalsec) Red Team @BreakPoint Labs (@0xcc_labs) Bloggers/Podcasters @Primal Security (@primalsec) Past: BSidesCHARM, BSidesDC, RVASec Certification Junkies (OSCE, OSCP, GWAPT, GPEN etc.) Python, CTFs, Learning, long walks on the beach ( @AnnapolisSec)
Things Have Changed Since the 90s
Overview Goal: Break the mindset of “Scan then Exploit” Cover 5 ways we commonly break into a network: 1. Phishing 2. Web Application Vulnerabilities 3. Multicast Name Resolution Poisoning 4. SMB Relay Attacks 5. Account Compromise
Our Methodology (High Level) Planning and Scoping Reconnaissance Mapping Automated Testing Manual Testing Reporting Remediation Support
How to Go Beyond a Scan 1. Mindset: Fail 1000s of times and Continue Trying 2. Recon + Mapping: Find Systems + Content Others Have Missed 3. Automated Testing: Run the appropriate tool for the job 4. Manual Testing: Identify, Understand, and Fuzz all Areas of Input Research all Version Specific Vulnerabilities Combine Findings, Remove False Positives, and Abuse Features 1. Reporting: Highlight Business Impact
1. Phishing [surprise] Phishing actually works. [/surprise] Here is the process we generally follow: 1. Planning: Goals, ROE, what happens when the user clicks? 2. Determine Scenario: Ransomware, Targeted, etc. 3. Determine Phishing Domains 4. Find Vulnerabilities: Email Spoofing 5. Execute the Engagement Full Blog Here: https://breakpoint-labs.com/phishing/
1. Phishing: Planning Work with the customer to understand their needs for the Phishing campaign (Compliance, Part of a larger engagement, etc.) We prefer to send email via Python (smtp module) We generally perform these three types of engagements: 1. Click Analysis: Determine how many users clicked a link 2. Credential Gathering: Prompt for Credentials 3. Execute Code: PowerShell, Office Macros, HTAs, etc.
CEOs Reaction to Opening to Phishing Email
1. Phishing: Scenario 2 Main Types of Scenarios: Common Malware, and Targeted Attacker UPS Tracking Ransomware: Cloned Site + Password Prompt:
1. Phishing: Phishing Domains The scenario will determine what domains we leverage If our goal is to perform a more targeted attack we will attempt use a similar domain to the target organization and clone login portals: breakpoint-labs.com vs. breakpoint-lab.com If our goal is more common threat we will emulate those TTPs: ups-pkgtracker.com Its important to submit domains to web content filters/proxies
1. Phishing: Finding Vulnerabilities
1. Phishing: Finding Vulnerabilities Outlook client – Email below is sent from a Gmail account:
1. Phishing: Execute Code Click Analysis: We generally use Python to send email + create a unique link per email to targets Credential Grabbing: We generally use PHP to prompt for credentials Execute Code: Usually leverage Empire (Office Macro, HTA method)
Is your input being presented on the screen? -> XSS Is your input calling on stored data? -> SQLi Does input generate an action to an external service? -> SSRF Does your input call on a local or remote file? -> File Inclusion Does your input end up on the file system? -> File Upload Does your input cause another page to load? -> Redirect Vulns Can we enumerate technology and versions? -> Lots of Vulns 2. Web Application Vulnerabilities
2. Web App Vulns: File Inclusion File Inclusion vulns can lead to code execution “php include()” Sometimes they are limited to just file inclusion “php echo()” LFIs normally require you to get your input on disk then include the affected resource (log poisoning) RFIs are normally easier to exploit as you can point them to an external resource containing your code
2. Web App Vulns: Step 1 Unlinked resource “debug.php”- HTTP 200 OK and blank screen
2. Web App Vulns: Step 2 Unlinked resource “debug.php”- HTTP 200 OK and blank screen
2. Web App Vulns: Step 2 Never underestimate the power of a good lunch!
2. Web App Vulns: Step 3 Parameters are fuzzed to enumerate inputs. "page=test" gives back a different response "Failed opening 'test' for inclusion”
2. Web App Vulns: Step 4 Attempt to execute code: 1.php = <?php system(‘id’);?>
2. Web App Vulns: Step 5 IN REAL LIFE: The web service was running as SYSTEM!
3. Multicast Name Resolution Poisoning A majority of the time internal networks will have name resolution traffic enabled with the following protocols: Link-Local Multicast Name Resolution (LLMNR) Netbios Name (NBT-NS) services. Multicast DNS (mDNS) By listening, intercepting and manipulating name resolution traffic an attacker can redirect authentication traffic and perform Man in the Middle (MITM) attacks.
Responder!
3. Enter Responder.py Responder is a Python script that aids in: Multicast Protocol Poisoning (LLMNR, NBT-NS, mDNS) WPAD Spoofing (Web Proxy Auto Discovery) using a non authorized server as a proxy server for all HTTP requests to the Internet. MITM Attacks (Intercepting credential exchanges between hosts leading to password cracking, pass the hash, SMB relay attacks, etc.) Rouge Server Services (SMTP, IMAP, POP3, SMB, Kerberos, FTP, HTTP, HTTPS, DNS, LDAP, SQL, etc.)
3. Responder.py - Use Case 1 Rouge Services Syntax: ~$ responder -I eth0 -f
3. Responder.py - Use Case 2 WPAD Syntax: ~$ responder -I eth0 -bw
3. Responder.py - Use Case 3 Analyze Syntax: ~$ responder -I eth0 -A
3. Prevent Multicast Name Communication Attacks Preventing multicast communication attacks through: Disable Broadcast Protocols: LLMNR (Link Local Multicast Name Resolution) and NBNS (NetBios Name Resolution) Prevent WPAD Poisoning w/ WPAD file entries in DNS Segment the local networks with VLANS to prevent impact Ensure that only NTLMv2 is in use rather than LM and NTLM
4. SMB Relay Attacks SMB relay attacks occur once an attacker inserts themselves in between the NTLM Challenge/Response protocol exchange. The attacker needs the victim to initiate an HTTP or SMB connection. This initiation can occur often from either: LLMNR/NBNS spoofing Automated processes attempting to authenticate to systems (ex. patch management, antivirus updates, vulnerability scanners, custom admin scripts, etc.)
So You Started a Scan
4. SMB Relay Attack Visual: Automated Process
4. SMB Relay Attack: Multicast Poisoning Attackers IP: 192.168.56.103 Windows Client (Target): 192.168.56.105 Windows DC: 192.168.56.102
4. SMB Relay Attack: Multicast Poisoning Cont. Attackers IP: 192.168.56.103 Windows Client (Target): 192.168.56.105 Windows DC: 192.168.56.102
4. SMB Relay Attack: Multicast Poisoning Cont. Attackers IP: 192.168.56.103 Windows Client (Target): 192.168.56.105 Windows DC: 192.168.56.102
4. SMB Relay Attack: Nessus Scanner Scenario
4. Prevent SMB Relay Attacks Preventing SMB relay attacks through: Require SMB Signing Disable Broadcast Protocols: LLMNR (Link Local Multicast Name Resolution) and NBNS (NetBios Name Resolution) Prevent WPAD Poisoning w/ WPAD file entries in DNS Prevent SMB Traffic Outbound Enable EPA (Extended Protection and Authentication)
5. Account Compromise
5. Account Compromise Combines several vulnerabilities to demonstrate risk: - Username enumeration (Low) + - Lack of Automation Controls (Low) + - Lack of Password Complexity Reqs (Low) = - Account Compromise (Critical)
5. Acct Comp: Username Enumeration Password Reset Feature “Email address not found” Login Error Message “Invalid Username”’ Contact Us Features “Which Admin do you want to contact?” Timing for login Attempts: Valid = 0.4 secs Invalid = 15 secs User Registration “Username already exists” Various error messages, and HTML source Google Hacking and OSINT Sometimes the application tells you
5. Acct Comp: Automation Controls Pull the auth request up in Burp’s Repeater and try it a few times No sign of automation controls? -> Burp Intruder - No account lockout - Non-existent or Weak CAPTCHA - Main login is strong, but others? (Mobile Interface, API, etc.)
5. Acct Comp: Weak Passwords We as humans are bad at passwords…here are some tricks: - Password the same as username - Variations of “password”: “p@ssw0rd”… - Month+Year, Season+Year: winter2015… - Company Name + year - Keyboard Walks – PW Generator: “!QAZ2wsx” Lots of wordlists out there, consider making a targeted wordlist Research the targeted user’s interests and build lists around those interests
5. Acct Comp: Default and Shared Attempt to brute force across all the things Brute Force Tools: Burp Suite’s Intruder, Hydra, CrackMapExec, MSF SMB modules, Nmap, etc. Always try default creds for any given technology We commonly see shared Linux root creds, and shared Windows local admin creds across the entire enterprise
Final Thoughts and Tips Use Shodan and Censys.io for external reconnaissance Make sure you investigate shares (enum4linux) Unlinked Content enumeration on web applications is key Passwords written down on sticky notes? Yea usually Can you reset a PW via the Help Desk? Put a focus on feature abuse: What does the technology let you do? How can you abuse that functionality? Once you get valid credentials try them across all the things
Useful Trainings & Links Free Training: Cybrary CTFs: Vulnhub, Past CTF Writeups, Pentester Lab Training: Offensive Security, SANS, SecurityTube Book: Web Application Hackers Handbook • Book: Black Hat Python • Talks: IronGeek (Adrian Crenshaw’s) YouTube Channel • Talk: How to Shot Web - Jason Haddix • Talk: How to be an InfoSec Geek - Primal Security • Talk: File in the hole! - Soroush Dalili • Talk: Exploiting Deserialization Vulnerabilities in Java • Talk: Polyglot Payloads in Practice - Marcus Niemietz • Talk: Running Away From Security - Micah Hoffman • Talk: Beyond Automated Testing – Us! • GitHub Resource: Security Lists For Fun & Profit
Contact Us Site: https://www.breakpoint-labs.com Email: info@breakpoint-labs.com Twitter: @0xcc_labs

Recommended

BSides Philly Finding a Company's BreakPoint
BSides Philly Finding a Company's BreakPointBSides Philly Finding a Company's BreakPoint
BSides Philly Finding a Company's BreakPoint
Andrew McNicol
 
Beyond Automated Testing - RVAsec 2016
Beyond Automated Testing - RVAsec 2016Beyond Automated Testing - RVAsec 2016
Beyond Automated Testing - RVAsec 2016
Andrew McNicol
 
BSidesDC 2016 Beyond Automated Testing
BSidesDC 2016 Beyond Automated TestingBSidesDC 2016 Beyond Automated Testing
BSidesDC 2016 Beyond Automated Testing
Andrew McNicol
 
BSides_Charm2015_Info sec hunters_gathers
BSides_Charm2015_Info sec hunters_gathersBSides_Charm2015_Info sec hunters_gathers
BSides_Charm2015_Info sec hunters_gathers
Andrew McNicol
 
How To Start Your InfoSec Career
How To Start Your InfoSec CareerHow To Start Your InfoSec Career
How To Start Your InfoSec Career
Andrew McNicol
 
Pentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated TestingPentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated Testing
Andrew McNicol
 
BSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability ManagementBSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability Management
Andrew McNicol
 
Introduction to Penetration Testing
Introduction to Penetration TestingIntroduction to Penetration Testing
Introduction to Penetration Testing
Andrew McNicol
 

Recommended

BSides Philly Finding a Company's BreakPoint
BSides Philly Finding a Company's BreakPointBSides Philly Finding a Company's BreakPoint
BSides Philly Finding a Company's BreakPoint
Andrew McNicol
 
Beyond Automated Testing - RVAsec 2016
Beyond Automated Testing - RVAsec 2016Beyond Automated Testing - RVAsec 2016
Beyond Automated Testing - RVAsec 2016
Andrew McNicol
 
BSidesDC 2016 Beyond Automated Testing
BSidesDC 2016 Beyond Automated TestingBSidesDC 2016 Beyond Automated Testing
BSidesDC 2016 Beyond Automated Testing
Andrew McNicol
 
BSides_Charm2015_Info sec hunters_gathers
BSides_Charm2015_Info sec hunters_gathersBSides_Charm2015_Info sec hunters_gathers
BSides_Charm2015_Info sec hunters_gathers
Andrew McNicol
 
How To Start Your InfoSec Career
How To Start Your InfoSec CareerHow To Start Your InfoSec Career
How To Start Your InfoSec Career
Andrew McNicol
 
Pentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated TestingPentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated Testing
Andrew McNicol
 
BSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability ManagementBSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability Management
Andrew McNicol
 
Introduction to Penetration Testing
Introduction to Penetration TestingIntroduction to Penetration Testing
Introduction to Penetration Testing
Andrew McNicol
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
Chris Gates
 
Bsides-Philly-2016-Finding-A-Companys-BreakPoint
Bsides-Philly-2016-Finding-A-Companys-BreakPointBsides-Philly-2016-Finding-A-Companys-BreakPoint
Bsides-Philly-2016-Finding-A-Companys-BreakPoint
Zack Meyers
 
Tcpdump hunter
Tcpdump hunterTcpdump hunter
Tcpdump hunter
Andrew McNicol
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X Way
Stephan Borosh
 
Top Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions TodayTop Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions Today
Chris Gates
 
Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0
marcioalma
 
Penetration testing, What’s this?
Penetration testing, What’s this?Penetration testing, What’s this?
Penetration testing, What’s this?Dmitry Evteev
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
Sunny Neo
 
Logical Attacks(Vulnerability Research)
Logical Attacks(Vulnerability Research)Logical Attacks(Vulnerability Research)
Logical Attacks(Vulnerability Research)
Ajay Negi
 
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
CODE BLUE
 
Introduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksIntroduction to Windows Dictionary Attacks
Introduction to Windows Dictionary Attacks
Scott Sutherland
 
Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016
Daniel Bohannon
 
Lares from LOW to PWNED
Lares from LOW to PWNEDLares from LOW to PWNED
Lares from LOW to PWNED
Chris Gates
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
Joff Thyer
 
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilitiesVorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilitiesDefconRussia
 
My tryst with sourcecode review
My tryst with sourcecode reviewMy tryst with sourcecode review
My tryst with sourcecode review
Anant Shrivastava
 
Is code review the solution?
Is code review the solution?Is code review the solution?
Is code review the solution?
Tiago Mendo
 
BSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be HuntedBSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be Hunted
Alex Davies
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Rob Fuller
 
Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018
Niranjanaa Ragupathy
 
Braga
BragaBraga
Braga
ActividadesIESULGIJON
 
Visita Junta General 20 diciembre
Visita Junta General 20 diciembreVisita Junta General 20 diciembre
Visita Junta General 20 diciembre
ActividadesIESULGIJON
 

More Related Content

What's hot

hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
Chris Gates
 
Bsides-Philly-2016-Finding-A-Companys-BreakPoint
Bsides-Philly-2016-Finding-A-Companys-BreakPointBsides-Philly-2016-Finding-A-Companys-BreakPoint
Bsides-Philly-2016-Finding-A-Companys-BreakPoint
Zack Meyers
 
Tcpdump hunter
Tcpdump hunterTcpdump hunter
Tcpdump hunter
Andrew McNicol
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X Way
Stephan Borosh
 
Top Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions TodayTop Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions Today
Chris Gates
 
Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0
marcioalma
 
Penetration testing, What’s this?
Penetration testing, What’s this?Penetration testing, What’s this?
Penetration testing, What’s this?Dmitry Evteev
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
Sunny Neo
 
Logical Attacks(Vulnerability Research)
Logical Attacks(Vulnerability Research)Logical Attacks(Vulnerability Research)
Logical Attacks(Vulnerability Research)
Ajay Negi
 
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
CODE BLUE
 
Introduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksIntroduction to Windows Dictionary Attacks
Introduction to Windows Dictionary Attacks
Scott Sutherland
 
Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016
Daniel Bohannon
 
Lares from LOW to PWNED
Lares from LOW to PWNEDLares from LOW to PWNED
Lares from LOW to PWNED
Chris Gates
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
Joff Thyer
 
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilitiesVorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilitiesDefconRussia
 
My tryst with sourcecode review
My tryst with sourcecode reviewMy tryst with sourcecode review
My tryst with sourcecode review
Anant Shrivastava
 
Is code review the solution?
Is code review the solution?Is code review the solution?
Is code review the solution?
Tiago Mendo
 
BSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be HuntedBSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be Hunted
Alex Davies
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Rob Fuller
 
Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018
Niranjanaa Ragupathy
 

What's hot (20)

hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
 
Bsides-Philly-2016-Finding-A-Companys-BreakPoint
Bsides-Philly-2016-Finding-A-Companys-BreakPointBsides-Philly-2016-Finding-A-Companys-BreakPoint
Bsides-Philly-2016-Finding-A-Companys-BreakPoint
 
Tcpdump hunter
Tcpdump hunterTcpdump hunter
Tcpdump hunter
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X Way
 
Top Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions TodayTop Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions Today
 
Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0
 
Penetration testing, What’s this?
Penetration testing, What’s this?Penetration testing, What’s this?
Penetration testing, What’s this?
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
 
Logical Attacks(Vulnerability Research)
Logical Attacks(Vulnerability Research)Logical Attacks(Vulnerability Research)
Logical Attacks(Vulnerability Research)
 
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
 
Introduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksIntroduction to Windows Dictionary Attacks
Introduction to Windows Dictionary Attacks
 
Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016
 
Lares from LOW to PWNED
Lares from LOW to PWNEDLares from LOW to PWNED
Lares from LOW to PWNED
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilitiesVorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
 
My tryst with sourcecode review
My tryst with sourcecode reviewMy tryst with sourcecode review
My tryst with sourcecode review
 
Is code review the solution?
Is code review the solution?Is code review the solution?
Is code review the solution?
 
BSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be HuntedBSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be Hunted
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
 
Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018
 

Viewers also liked

Braga
BragaBraga
Braga
ActividadesIESULGIJON
 
Visita Junta General 20 diciembre
Visita Junta General 20 diciembreVisita Junta General 20 diciembre
Visita Junta General 20 diciembre
ActividadesIESULGIJON
 
Ficha información padres Visita Junta General
Ficha información padres Visita Junta GeneralFicha información padres Visita Junta General
Ficha información padres Visita Junta General
ActividadesIESULGIJON
 
Virtual Reality Workshop (3/13/2017)
Virtual Reality Workshop (3/13/2017)Virtual Reality Workshop (3/13/2017)
Virtual Reality Workshop (3/13/2017)
KR_Barker
 
A Brief Study on Different Intrusions and Machine Learning-based Anomaly Dete...
A Brief Study on Different Intrusions and Machine Learning-based Anomaly Dete...A Brief Study on Different Intrusions and Machine Learning-based Anomaly Dete...
A Brief Study on Different Intrusions and Machine Learning-based Anomaly Dete...
Eswar Publications
 
Introduction to Python for Security Professionals
Introduction to Python for Security ProfessionalsIntroduction to Python for Security Professionals
Introduction to Python for Security Professionals
Andrew McNicol
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware Analysis
Andrew McNicol
 
Softcat Splunk Discovery Day Manchester, March 2017
Softcat Splunk Discovery Day Manchester, March 2017Softcat Splunk Discovery Day Manchester, March 2017
Softcat Splunk Discovery Day Manchester, March 2017
Splunk
 
The Error of Our Ways
The Error of Our WaysThe Error of Our Ways
The Error of Our Ways
Kevlin Henney
 
Introduction to Digital Life (March 2017)
Introduction to Digital Life (March 2017)Introduction to Digital Life (March 2017)
Introduction to Digital Life (March 2017)
KR_Barker
 
Gartner IAM London 2017 Session - Security, Standards & User Experience: The ...
Gartner IAM London 2017 Session - Security, Standards & User Experience: The ...Gartner IAM London 2017 Session - Security, Standards & User Experience: The ...
Gartner IAM London 2017 Session - Security, Standards & User Experience: The ...
Ping Identity
 
Finding attacks with these 6 events
Finding attacks with these 6 eventsFinding attacks with these 6 events
Finding attacks with these 6 events
Michael Gough
 
Sesion de aprendizaje 17-08-15
Sesion de aprendizaje 17-08-15Sesion de aprendizaje 17-08-15
Sesion de aprendizaje 17-08-15
abraham ignacio dani mendoza huamanyauri
 
67 Php. Superponer, Rotar Y Dotar De Transparencia A Imagenes
67 Php. Superponer, Rotar Y Dotar De Transparencia A Imagenes67 Php. Superponer, Rotar Y Dotar De Transparencia A Imagenes
67 Php. Superponer, Rotar Y Dotar De Transparencia A ImagenesJosé M. Padilla
 
Glocharid - Subproyecto 9 - Cambios de uso del suelo y abandono de tierras
Glocharid - Subproyecto 9 - Cambios de uso del suelo y abandono de tierrasGlocharid - Subproyecto 9 - Cambios de uso del suelo y abandono de tierras
Glocharid - Subproyecto 9 - Cambios de uso del suelo y abandono de tierrasCAESCG.org
 
Activitat2
Activitat2Activitat2
Activitat2luzzatti
 
Soluciones en tecnología y procesos de ingeniería sa
Soluciones en tecnología y procesos de ingeniería saSoluciones en tecnología y procesos de ingeniería sa
Soluciones en tecnología y procesos de ingeniería sa
Mauricio Marquez
 
Nodo23
Nodo23Nodo23
Nodo23nodo23
 

Viewers also liked (20)

Braga
BragaBraga
Braga
 
Visita Junta General 20 diciembre
Visita Junta General 20 diciembreVisita Junta General 20 diciembre
Visita Junta General 20 diciembre
 
Ficha información padres Visita Junta General
Ficha información padres Visita Junta GeneralFicha información padres Visita Junta General
Ficha información padres Visita Junta General
 
Virtual Reality Workshop (3/13/2017)
Virtual Reality Workshop (3/13/2017)Virtual Reality Workshop (3/13/2017)
Virtual Reality Workshop (3/13/2017)
 
A Brief Study on Different Intrusions and Machine Learning-based Anomaly Dete...
A Brief Study on Different Intrusions and Machine Learning-based Anomaly Dete...A Brief Study on Different Intrusions and Machine Learning-based Anomaly Dete...
A Brief Study on Different Intrusions and Machine Learning-based Anomaly Dete...
 
Introduction to Python for Security Professionals
Introduction to Python for Security ProfessionalsIntroduction to Python for Security Professionals
Introduction to Python for Security Professionals
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware Analysis
 
Softcat Splunk Discovery Day Manchester, March 2017
Softcat Splunk Discovery Day Manchester, March 2017Softcat Splunk Discovery Day Manchester, March 2017
Softcat Splunk Discovery Day Manchester, March 2017
 
The Error of Our Ways
The Error of Our WaysThe Error of Our Ways
The Error of Our Ways
 
Introduction to Digital Life (March 2017)
Introduction to Digital Life (March 2017)Introduction to Digital Life (March 2017)
Introduction to Digital Life (March 2017)
 
Gartner IAM London 2017 Session - Security, Standards & User Experience: The ...
Gartner IAM London 2017 Session - Security, Standards & User Experience: The ...Gartner IAM London 2017 Session - Security, Standards & User Experience: The ...
Gartner IAM London 2017 Session - Security, Standards & User Experience: The ...
 
Finding attacks with these 6 events
Finding attacks with these 6 eventsFinding attacks with these 6 events
Finding attacks with these 6 events
 
Sesion de aprendizaje 17-08-15
Sesion de aprendizaje 17-08-15Sesion de aprendizaje 17-08-15
Sesion de aprendizaje 17-08-15
 
Dentro De Ti
Dentro De TiDentro De Ti
Dentro De Ti
 
67 Php. Superponer, Rotar Y Dotar De Transparencia A Imagenes
67 Php. Superponer, Rotar Y Dotar De Transparencia A Imagenes67 Php. Superponer, Rotar Y Dotar De Transparencia A Imagenes
67 Php. Superponer, Rotar Y Dotar De Transparencia A Imagenes
 
Virus Y Antivirus
Virus Y AntivirusVirus Y Antivirus
Virus Y Antivirus
 
Glocharid - Subproyecto 9 - Cambios de uso del suelo y abandono de tierras
Glocharid - Subproyecto 9 - Cambios de uso del suelo y abandono de tierrasGlocharid - Subproyecto 9 - Cambios de uso del suelo y abandono de tierras
Glocharid - Subproyecto 9 - Cambios de uso del suelo y abandono de tierras
 
Activitat2
Activitat2Activitat2
Activitat2
 
Soluciones en tecnología y procesos de ingeniería sa
Soluciones en tecnología y procesos de ingeniería saSoluciones en tecnología y procesos de ingeniería sa
Soluciones en tecnología y procesos de ingeniería sa
 
Nodo23
Nodo23Nodo23
Nodo23
 

Similar to BSidesJXN 2016: Finding a Company's BreakPoint

Andrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.pptAndrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.ppt
SilverGold16
 
Hacking tutorial
Hacking tutorialHacking tutorial
Hacking tutorial
MSA Technosoft
 
Hacking In Detail
Hacking In DetailHacking In Detail
Hacking In Detail
Greater Noida Institute Of Technology
 
Andrew and Zac RVA-Beyond-Automated-Testing-2016.ppt
Andrew and Zac RVA-Beyond-Automated-Testing-2016.pptAndrew and Zac RVA-Beyond-Automated-Testing-2016.ppt
Andrew and Zac RVA-Beyond-Automated-Testing-2016.ppt
BUSHRASHAIKH804312
 
Hacking 1224807880385377-9
Hacking 1224807880385377-9Hacking 1224807880385377-9
Hacking 1224807880385377-9
Geoff Pesimo
 
Network And Application Layer Attacks
Network And Application Layer AttacksNetwork And Application Layer Attacks
Network And Application Layer Attacks
Arun Modi
 
Hacking by Pratyush Gupta
Hacking by Pratyush GuptaHacking by Pratyush Gupta
Hacking by Pratyush Gupta
Tenet Systems Pvt Ltd
 
Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004
Linuxmalaysia Malaysia
 
Hacking and its Defence
Hacking and its DefenceHacking and its Defence
Hacking and its Defence
Greater Noida Institute Of Technology
 
The Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A PrimerThe Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A Primer
amiable_indian
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
Rick Wanner
 
Hack the hack
Hack the hackHack the hack
Hack the hack
Shakti Ranjan
 
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beau Bullock
 
Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012
Stephan Chenette
 
How to stay protected against ransomware
How to stay protected against ransomwareHow to stay protected against ransomware
How to stay protected against ransomware
Sophos Benelux
 
Ethical Hacking : Why Do Hackers Attack And How ?
Ethical Hacking : Why Do Hackers Attack And How ?Ethical Hacking : Why Do Hackers Attack And How ?
Ethical Hacking : Why Do Hackers Attack And How ?
HBServices7
 

Similar to BSidesJXN 2016: Finding a Company's BreakPoint (20)

Hacking
HackingHacking
Hacking
 
Hacking
HackingHacking
Hacking
 
Andrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.pptAndrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.ppt
 
Hacking tutorial
Hacking tutorialHacking tutorial
Hacking tutorial
 
Hacking In Detail
Hacking In DetailHacking In Detail
Hacking In Detail
 
Andrew and Zac RVA-Beyond-Automated-Testing-2016.ppt
Andrew and Zac RVA-Beyond-Automated-Testing-2016.pptAndrew and Zac RVA-Beyond-Automated-Testing-2016.ppt
Andrew and Zac RVA-Beyond-Automated-Testing-2016.ppt
 
Hacking 1224807880385377-9
Hacking 1224807880385377-9Hacking 1224807880385377-9
Hacking 1224807880385377-9
 
Network And Application Layer Attacks
Network And Application Layer AttacksNetwork And Application Layer Attacks
Network And Application Layer Attacks
 
Hacking by Pratyush Gupta
Hacking by Pratyush GuptaHacking by Pratyush Gupta
Hacking by Pratyush Gupta
 
Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004
 
Hacking
HackingHacking
Hacking
 
Hacking and its Defence
Hacking and its DefenceHacking and its Defence
Hacking and its Defence
 
The Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A PrimerThe Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A Primer
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
 
Hack the hack
Hack the hackHack the hack
Hack the hack
 
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
 
Windows network
Windows networkWindows network
Windows network
 
Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012
 
How to stay protected against ransomware
How to stay protected against ransomwareHow to stay protected against ransomware
How to stay protected against ransomware
 
Ethical Hacking : Why Do Hackers Attack And How ?
Ethical Hacking : Why Do Hackers Attack And How ?Ethical Hacking : Why Do Hackers Attack And How ?
Ethical Hacking : Why Do Hackers Attack And How ?
 

Recently uploaded

UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
DianaGray10
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
ThomasParaiso2
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
RinaMondal9
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
Pierluigi Pugliese
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
James Anderson
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 

Recently uploaded (20)

UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 

BSidesJXN 2016: Finding a Company's BreakPoint

  • 1. Finding a Company’s BreakPoint By: Zack Meyers & Andrew McNicol
  • 3. Agenda ~$ whoami Overview Our Methodology How to Go Beyond a Scan 1. Phishing 2. Web Application Vulnerabilities 3. Multicast Name Resolution Poisoning 4. SMB Relay Attacks 5. Account Compromise Final Thoughts and Tips Useful Training and Links
  • 4. ~$ whoami Zack Meyers (@b3armunch) Andrew McNicol (@primalsec) Red Team @BreakPoint Labs (@0xcc_labs) Bloggers/Podcasters @Primal Security (@primalsec) Past: BSidesCHARM, BSidesDC, RVASec Certification Junkies (OSCE, OSCP, GWAPT, GPEN etc.) Python, CTFs, Learning, long walks on the beach ( @AnnapolisSec)
  • 5. Things Have Changed Since the 90s
  • 6. Overview Goal: Break the mindset of “Scan then Exploit” Cover 5 ways we commonly break into a network: 1. Phishing 2. Web Application Vulnerabilities 3. Multicast Name Resolution Poisoning 4. SMB Relay Attacks 5. Account Compromise
  • 7. Our Methodology (High Level) Planning and Scoping Reconnaissance Mapping Automated Testing Manual Testing Reporting Remediation Support
  • 8. How to Go Beyond a Scan 1. Mindset: Fail 1000s of times and Continue Trying 2. Recon + Mapping: Find Systems + Content Others Have Missed 3. Automated Testing: Run the appropriate tool for the job 4. Manual Testing: Identify, Understand, and Fuzz all Areas of Input Research all Version Specific Vulnerabilities Combine Findings, Remove False Positives, and Abuse Features 1. Reporting: Highlight Business Impact
  • 9. 1. Phishing [surprise] Phishing actually works. [/surprise] Here is the process we generally follow: 1. Planning: Goals, ROE, what happens when the user clicks? 2. Determine Scenario: Ransomware, Targeted, etc. 3. Determine Phishing Domains 4. Find Vulnerabilities: Email Spoofing 5. Execute the Engagement Full Blog Here: https://breakpoint-labs.com/phishing/
  • 10. 1. Phishing: Planning Work with the customer to understand their needs for the Phishing campaign (Compliance, Part of a larger engagement, etc.) We prefer to send email via Python (smtp module) We generally perform these three types of engagements: 1. Click Analysis: Determine how many users clicked a link 2. Credential Gathering: Prompt for Credentials 3. Execute Code: PowerShell, Office Macros, HTAs, etc.
  • 11. CEOs Reaction to Opening to Phishing Email
  • 12. 1. Phishing: Scenario 2 Main Types of Scenarios: Common Malware, and Targeted Attacker UPS Tracking Ransomware: Cloned Site + Password Prompt:
  • 13. 1. Phishing: Phishing Domains The scenario will determine what domains we leverage If our goal is to perform a more targeted attack we will attempt use a similar domain to the target organization and clone login portals: breakpoint-labs.com vs. breakpoint-lab.com If our goal is more common threat we will emulate those TTPs: ups-pkgtracker.com Its important to submit domains to web content filters/proxies
  • 14. 1. Phishing: Finding Vulnerabilities
  • 15. 1. Phishing: Finding Vulnerabilities Outlook client – Email below is sent from a Gmail account:
  • 16. 1. Phishing: Execute Code Click Analysis: We generally use Python to send email + create a unique link per email to targets Credential Grabbing: We generally use PHP to prompt for credentials Execute Code: Usually leverage Empire (Office Macro, HTA method)
  • 17. Is your input being presented on the screen? -> XSS Is your input calling on stored data? -> SQLi Does input generate an action to an external service? -> SSRF Does your input call on a local or remote file? -> File Inclusion Does your input end up on the file system? -> File Upload Does your input cause another page to load? -> Redirect Vulns Can we enumerate technology and versions? -> Lots of Vulns 2. Web Application Vulnerabilities
  • 18. 2. Web App Vulns: File Inclusion File Inclusion vulns can lead to code execution “php include()” Sometimes they are limited to just file inclusion “php echo()” LFIs normally require you to get your input on disk then include the affected resource (log poisoning) RFIs are normally easier to exploit as you can point them to an external resource containing your code
  • 19. 2. Web App Vulns: Step 1 Unlinked resource “debug.php”- HTTP 200 OK and blank screen
  • 20. 2. Web App Vulns: Step 2 Unlinked resource “debug.php”- HTTP 200 OK and blank screen
  • 21. 2. Web App Vulns: Step 2 Never underestimate the power of a good lunch!
  • 22. 2. Web App Vulns: Step 3 Parameters are fuzzed to enumerate inputs. "page=test" gives back a different response "Failed opening 'test' for inclusion”
  • 23. 2. Web App Vulns: Step 4 Attempt to execute code: 1.php = <?php system(‘id’);?>
  • 24. 2. Web App Vulns: Step 5 IN REAL LIFE: The web service was running as SYSTEM!
  • 25. 3. Multicast Name Resolution Poisoning A majority of the time internal networks will have name resolution traffic enabled with the following protocols: Link-Local Multicast Name Resolution (LLMNR) Netbios Name (NBT-NS) services. Multicast DNS (mDNS) By listening, intercepting and manipulating name resolution traffic an attacker can redirect authentication traffic and perform Man in the Middle (MITM) attacks.
  • 27. 3. Enter Responder.py Responder is a Python script that aids in: Multicast Protocol Poisoning (LLMNR, NBT-NS, mDNS) WPAD Spoofing (Web Proxy Auto Discovery) using a non authorized server as a proxy server for all HTTP requests to the Internet. MITM Attacks (Intercepting credential exchanges between hosts leading to password cracking, pass the hash, SMB relay attacks, etc.) Rouge Server Services (SMTP, IMAP, POP3, SMB, Kerberos, FTP, HTTP, HTTPS, DNS, LDAP, SQL, etc.)
  • 28. 3. Responder.py - Use Case 1 Rouge Services Syntax: ~$ responder -I eth0 -f
  • 29. 3. Responder.py - Use Case 2 WPAD Syntax: ~$ responder -I eth0 -bw
  • 30. 3. Responder.py - Use Case 3 Analyze Syntax: ~$ responder -I eth0 -A
  • 31. 3. Prevent Multicast Name Communication Attacks Preventing multicast communication attacks through: Disable Broadcast Protocols: LLMNR (Link Local Multicast Name Resolution) and NBNS (NetBios Name Resolution) Prevent WPAD Poisoning w/ WPAD file entries in DNS Segment the local networks with VLANS to prevent impact Ensure that only NTLMv2 is in use rather than LM and NTLM
  • 32. 4. SMB Relay Attacks SMB relay attacks occur once an attacker inserts themselves in between the NTLM Challenge/Response protocol exchange. The attacker needs the victim to initiate an HTTP or SMB connection. This initiation can occur often from either: LLMNR/NBNS spoofing Automated processes attempting to authenticate to systems (ex. patch management, antivirus updates, vulnerability scanners, custom admin scripts, etc.)
  • 33. So You Started a Scan
  • 34. 4. SMB Relay Attack Visual: Automated Process
  • 35. 4. SMB Relay Attack: Multicast Poisoning Attackers IP: 192.168.56.103 Windows Client (Target): 192.168.56.105 Windows DC: 192.168.56.102
  • 36. 4. SMB Relay Attack: Multicast Poisoning Cont. Attackers IP: 192.168.56.103 Windows Client (Target): 192.168.56.105 Windows DC: 192.168.56.102
  • 37. 4. SMB Relay Attack: Multicast Poisoning Cont. Attackers IP: 192.168.56.103 Windows Client (Target): 192.168.56.105 Windows DC: 192.168.56.102
  • 38. 4. SMB Relay Attack: Nessus Scanner Scenario
  • 39. 4. Prevent SMB Relay Attacks Preventing SMB relay attacks through: Require SMB Signing Disable Broadcast Protocols: LLMNR (Link Local Multicast Name Resolution) and NBNS (NetBios Name Resolution) Prevent WPAD Poisoning w/ WPAD file entries in DNS Prevent SMB Traffic Outbound Enable EPA (Extended Protection and Authentication)
  • 41. 5. Account Compromise Combines several vulnerabilities to demonstrate risk: - Username enumeration (Low) + - Lack of Automation Controls (Low) + - Lack of Password Complexity Reqs (Low) = - Account Compromise (Critical)
  • 42. 5. Acct Comp: Username Enumeration Password Reset Feature “Email address not found” Login Error Message “Invalid Username”’ Contact Us Features “Which Admin do you want to contact?” Timing for login Attempts: Valid = 0.4 secs Invalid = 15 secs User Registration “Username already exists” Various error messages, and HTML source Google Hacking and OSINT Sometimes the application tells you
  • 43. 5. Acct Comp: Automation Controls Pull the auth request up in Burp’s Repeater and try it a few times No sign of automation controls? -> Burp Intruder - No account lockout - Non-existent or Weak CAPTCHA - Main login is strong, but others? (Mobile Interface, API, etc.)
  • 44. 5. Acct Comp: Weak Passwords We as humans are bad at passwords…here are some tricks: - Password the same as username - Variations of “password”: “p@ssw0rd”… - Month+Year, Season+Year: winter2015… - Company Name + year - Keyboard Walks – PW Generator: “!QAZ2wsx” Lots of wordlists out there, consider making a targeted wordlist Research the targeted user’s interests and build lists around those interests
  • 45. 5. Acct Comp: Default and Shared Attempt to brute force across all the things Brute Force Tools: Burp Suite’s Intruder, Hydra, CrackMapExec, MSF SMB modules, Nmap, etc. Always try default creds for any given technology We commonly see shared Linux root creds, and shared Windows local admin creds across the entire enterprise
  • 46. Final Thoughts and Tips Use Shodan and Censys.io for external reconnaissance Make sure you investigate shares (enum4linux) Unlinked Content enumeration on web applications is key Passwords written down on sticky notes? Yea usually Can you reset a PW via the Help Desk? Put a focus on feature abuse: What does the technology let you do? How can you abuse that functionality? Once you get valid credentials try them across all the things
  • 47. Useful Trainings & Links Free Training: Cybrary CTFs: Vulnhub, Past CTF Writeups, Pentester Lab Training: Offensive Security, SANS, SecurityTube Book: Web Application Hackers Handbook • Book: Black Hat Python • Talks: IronGeek (Adrian Crenshaw’s) YouTube Channel • Talk: How to Shot Web - Jason Haddix • Talk: How to be an InfoSec Geek - Primal Security • Talk: File in the hole! - Soroush Dalili • Talk: Exploiting Deserialization Vulnerabilities in Java • Talk: Polyglot Payloads in Practice - Marcus Niemietz • Talk: Running Away From Security - Micah Hoffman • Talk: Beyond Automated Testing – Us! • GitHub Resource: Security Lists For Fun & Profit
  • 48. Contact Us Site: https://www.breakpoint-labs.com Email: info@breakpoint-labs.com Twitter: @0xcc_labs