This document discusses techniques used to evade detection by enterprise security systems. It covers common security technologies (firewalls, IDS, IPS) and how attackers bypass them. Specific evasion techniques discussed include modifying packet headers, fragmentation, source routing and tunnelling through other compromised systems. The goal is to introduce common concepts; the document is not intended to be comprehensive.
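The fragmentation point in that summary is easiest to see in code. The following is an added example, not code from the document above: a toy sensor that matches a signature per fragment, a sensor that reassembles first, and the overlap ambiguity that lets an attacker pick which of two reassemblies the sensor sees. The signature string, the request payload and the "first"/"last" policy names are constructed for illustration.

```python
"""Why fragmentation defeats a per-packet signature engine, and why
reassembly policy matters. Added example; not code from the original
document. The signature and payload are constructed for illustration."""
from dataclasses import dataclass
from typing import List

SIGNATURE = b"/etc/passwd"  # constructed: the string the IDS rule looks for


@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset of this chunk within the original payload
    data: bytes


def fragment(payload: bytes, size: int) -> List[Fragment]:
    """Split a payload into fixed-size chunks, as IP fragmentation does for a small MTU."""
    return [Fragment(off, payload[off:off + size]) for off in range(0, len(payload), size)]


def match_per_fragment(frags: List[Fragment], sig: bytes = SIGNATURE) -> bool:
    """Naive sensor: inspects each fragment on its own and never reassembles."""
    return any(sig in f.data for f in frags)


def reassemble(frags: List[Fragment], policy: str = "first") -> bytes:
    """Rebuild the payload. On overlapping bytes, 'first' keeps what arrived
    first and 'last' lets later fragments overwrite; operating systems and
    sensors differ in which rule they apply, which is exactly what an
    overlap-based evasion exploits."""
    total = max(f.offset + len(f.data) for f in frags)
    buf = bytearray(total)
    written = [False] * total
    for f in frags:
        for i, byte in enumerate(f.data):
            pos = f.offset + i
            if policy == "last" or not written[pos]:
                buf[pos] = byte
                written[pos] = True
    return bytes(buf)


def match_reassembled(frags: List[Fragment], policy: str = "first",
                      sig: bytes = SIGNATURE) -> bool:
    """Sensor that reassembles before matching, using the given overlap policy."""
    return sig in reassemble(frags, policy)


if __name__ == "__main__":
    request = b"GET /../../etc/passwd HTTP/1.0\r\n"   # constructed attack payload
    tiny = fragment(request, 4)
    print("per-fragment match:", match_per_fragment(tiny))      # False
    print("reassembled match: ", match_reassembled(tiny))       # True
    # Overlap ambiguity: the second fragment rewrites bytes 10..14.
    overlap = [Fragment(0, b"GET /etc/pXXXXX"), Fragment(10, b"asswd")]
    print("first-wins sees:", reassemble(overlap, "first"))     # b'GET /etc/pXXXXX'
    print("last-wins sees: ", reassemble(overlap, "last"))      # b'GET /etc/passwd'
```

The practical check for a defender is the second half: if the sensor's overlap policy differs from the target host's, the sensor and the host reassemble different payloads, so a sensor must either mirror the host's policy or alert on any overlapping fragments at all.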
Practical White Hat Hacker Training - Vulnerability Detection (PRISMA CSI)
This presentation is part of Prisma CSI's Practical White Hat Hacker Training v1.
PRISMA CSI • Cyber Security and Intelligence www.prismacsi.com
This document may be shared and quoted, but it may not be modified or used commercially (CC BY-NC-ND 4.0). Detailed information is available at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode.
Practical White Hat Hacker Training - Exploitation (PRISMA CSI)
A college class in Network Security Monitoring at CCSF, based on "The Practice of Network Security Monitoring: Understanding Incident Detection and Response" by Richard Bejtlich, No Starch Press, 1st edition (July 26, 2013), ASIN B00E5REN34.
Course website: https://samsclass.info/50/50_F17.shtml
Practical White Hat Hacker Training - Post Exploitation (PRISMA CSI)
Practical White Hat Hacker Training - Introduction to Cyber Security (PRISMA CSI)
This document provides an overview of PRISMA, a cyber security consultancy firm. It discusses PRISMA's penetration testing and training services. It also covers topics related to penetration testing like methodologies, career paths in cyber security, and certifications. The document is intended to introduce PRISMA's services and activities to potential clients or training participants.
Title: Hands-on Penetration Testing 101 by Scott Sutherland & Karl Fosaaen
Abstract: The goal of this training is to introduce attendees to standard penetration test methodologies, tools, and techniques. Hands-on labs will cover the basics of asset discovery, vulnerability enumeration, system penetration, privilege escalation, and bypassing endpoint protection. During the labs, common vulnerabilities will be leveraged to illustrate attack techniques, using freely available tools such as Nmap and Metasploit. This training will be valuable to anyone interested in gaining a better understanding of penetration testing or to system administrators trying to understand common attack approaches.
Practical White Hat Hacker Training - Active Information Gathering (PRISMA CSI)
APNIC Senior Security Specialist Adli Wahid presented on the APNIC Honeynet Project, interesting observations, mitigation and multistakeholder collaboration at Threat Con 2021, held online from 8 to 11 September 2021.
This document discusses techniques for hunting attackers on networks, including identifying client-side attacks, malware command and control channels, post-exploitation activity, and hunting artifacts. It gives examples of using DNS logs, firewall logs, HTTP logs, registry keys, installed-software inventories, and the Amcache hive to look for anomalous behaviour that could indicate compromise. The goal is to actively hunt for threats rather than only detecting known bad behaviour.
This document discusses how to use tcpdump and Linux utilities like grep, awk and sed to analyze network traffic for incident response. It provides examples of basic tcpdump syntax and using BPF filters to profile traffic. Specific techniques covered include hunting for suspicious DNS queries, mapping related infrastructure, finding unusual outbound connections, and automating tasks with scripting. The overall message is that security analysts should go beyond automated tools and learn to manually analyze network data to identify compromised systems that tools may miss.
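Both of the two summaries above lean on DNS data for hunting: the first on DNS logs, the second on tcpdump output filtered with grep/awk/sed. The following is an added example (not code from either document) that does the same job as that awk pipeline in a small Python script over tcpdump's text output: it parses query lines, then flags names with very long labels, high-entropy subdomains, rarely used query types, or many distinct subdomains under one parent, all of which are typical of DNS tunnelling or beaconing. The sample lines are constructed, and the thresholds are illustrative starting points.

```python
"""Hunting suspicious DNS queries in tcpdump text output. Added example;
the sample lines are constructed, not captured from a real network, and
the thresholds are illustrative starting points, not published values."""
import math
import re
from collections import Counter, defaultdict

# Query lines as printed by `tcpdump -n -l port 53`; response lines carry
# no "?" after the query type and therefore do not match.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.53: \d+\+? (?P<qtype>[A-Z]+)\? "
    r"(?P<qname>\S+)\. \(\d+\)$"
)

# Constructed sample: two ordinary lookups, one response, and three TXT
# queries whose first label carries hex-encoded data under one parent domain.
SAMPLE = """\
12:00:01.000001 IP 10.0.0.5.53211 > 10.0.0.1.53: 1234+ A? www.example.com. (33)
12:00:01.500001 IP 10.0.0.1.53 > 10.0.0.5.53211: 1234 1/0/0 A 93.184.216.34 (49)
12:00:02.000001 IP 10.0.0.5.53212 > 10.0.0.1.53: 1235+ TXT? 0123456789abcdef0123456789abcdef01234567.c2.tunnel-example.net. (90)
12:00:03.000001 IP 10.0.0.5.53213 > 10.0.0.1.53: 1236+ TXT? fedcba9876543210fedcba9876543210fedcba98.c2.tunnel-example.net. (90)
12:00:04.000001 IP 10.0.0.5.53214 > 10.0.0.1.53: 1237+ TXT? a1b2c3d4e5f60718293a4b5c6d7e8f9012345678.c2.tunnel-example.net. (90)
12:00:05.000001 IP 10.0.0.7.40001 > 10.0.0.1.53: 1238+ A? mail.example.com. (34)
12:00:06.000001 IP 10.0.0.7.40002 > 10.0.0.1.53: 1239+ AAAA? www.example.com. (33)
"""


def parse_query(line):
    """Return the fields of a DNS query line, or None for anything else."""
    m = QUERY_RE.match(line)
    if not m:
        return None
    q = m.groupdict()
    labels = q["qname"].split(".")
    # Crude "registered domain" guess: last two labels (a real tool would use
    # the Public Suffix List so that e.g. example.co.uk is handled correctly).
    q["parent"] = ".".join(labels[-2:])
    q["subdomain"] = ".".join(labels[:-2])
    return q


def entropy(s):
    """Shannon entropy in bits per character; ~4 for uniform hex, ~2 for words."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def hunt(lines, max_label=30, max_entropy=3.5, max_unique_subs=3,
         rare_qtypes=("TXT", "NULL")):
    """Map each suspicious query name to the list of reasons it was flagged."""
    queries = [q for q in map(parse_query, lines) if q]
    subs_per_parent = defaultdict(set)
    for q in queries:
        subs_per_parent[q["parent"]].add(q["subdomain"])
    findings = {}
    for q in queries:
        reasons = []
        if any(len(label) > max_label for label in q["qname"].split(".")):
            reasons.append("long-label")
        if entropy(q["subdomain"].replace(".", "")) > max_entropy:
            reasons.append("high-entropy")
        if q["qtype"] in rare_qtypes:
            reasons.append("rare-qtype")
        if len(subs_per_parent[q["parent"]]) >= max_unique_subs:
            reasons.append("many-subdomains")
        if reasons:
            findings[q["qname"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in hunt(SAMPLE.splitlines()).items():
        print(f"{name}: {', '.join(reasons)}")
```

To use it on a live box, pipe `tcpdump -n -l port 53` into the script's stdin and read lines from there instead of SAMPLE; the per-parent subdomain count is the signal that survives even when an attacker keeps labels short and low-entropy, so it is worth tracking over a longer window than a single capture.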
RIoT (Raiding Internet of Things) by Jacob Holcomb (Priyanka Aash)
The recorded version of 'Best Of The World Webcast Series' [Webinar] where Jacob Holcomb speaks on 'RIoT (Raiding Internet of Things)' is available on CISOPlatform.
Best Of The World Webcast Series are webinars where breakthrough/original security researchers showcase their study, to offer the CISO/security experts the best insights in information security.
To sign up (it's free): www.cisoplatform.com
A penetration test involves four main phases: reconnaissance, scanning, exploitation, and maintaining access. In the reconnaissance phase, tools are used to gather information about the target system as an attacker would. Scanning identifies open ports and vulnerabilities. Exploitation attempts to gain control of systems by exploiting those vulnerabilities, for example with password crackers. Maintaining access means keeping a foothold for later use, for example by installing backdoors, network sniffers or rootkits. Popular tools include Nmap for scanning, Metasploit for exploitation, and Netcat for creating backdoors. Defending against such attacks requires monitoring information published online, properly configuring firewalls and access controls, patching systems, and using antivirus and intrusion detection software.
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam... (CODE BLUE)
Malware utilizes many cryptographic algorithms.
To fight against malware, analysts have to reveal details on malware activities.
Accordingly, it is important to identify cryptographic algorithms used in malware.
In this track, I propose a faster and extensible method to automatically detect known cryptographic algorithms in malware using dynamic binary instrumentation and fuzzy hashing.
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ... (Andrew Morris)
In this talk, I'll be discussing my experience developing intelligence-gathering capabilities to track several different independent groups of threat actors on a very limited budget (read: virtually no budget whatsoever). I'll discuss discovering the groups using open source intelligence gathering and honeypots, monitoring attacks, collecting and analyzing malware artifacts to figure out what their capabilities are, and reverse engineering their malware to develop the capability to track their targets in real time. Finally, I'll chat about defensive strategies and provide recommendations for enterprise security analysts and other security researchers.
Port scanning is the process of probing IP addresses to determine what services are running on a network. It is used by administrators to verify security policies and by attackers to identify targets. Nmap is one of the most popular port scanners and adds features like OS detection. Shadow Security Scanner is a scanning tool that audits services like FTP, SSH and SMTP, and supports extending its capabilities through an open ActiveX architecture. To prevent attacks, network devices should implement anti-spoofing (ingress and egress) filtering, and firewalls should allow only necessary traffic while detecting and blocking potentially malicious behaviour over time.
Shmoocon Epilogue 2013 - Ruining security models with SSH (Andrew Morris)
This document summarizes how SSH can be used to undermine a security model in several ways:
1. Password authentication can be sidestepped by generating a key pair on the attacker's machine and adding the public key to the victim's authorized_keys file, giving command execution without a password.
2. SSH's file transfer and traffic tunnelling can be used to transfer tools, exfiltrate data, and bypass firewalls by tunnelling any protocol over an SSH connection.
3. Dynamic port forwarding (ssh -D, which exposes a SOCKS proxy) combined with Proxychains allows running scans, exploits, and other tools through the SSH connection without needing privileged access on the target.
This document summarizes three papers related to data compression and network security. The first paper studies how improper implementation of data decompression in network services can enable denial-of-service attacks. It identifies 12 categories of flaws and evaluates popular services finding 10 vulnerabilities. The second paper proposes the Bohatei system to improve defense against DDoS attacks using SDN/NFV. It presents a hierarchical decomposition approach and proactive tag-based steering. The third paper examines data compression as a source of security issues, studying past attacks like zip bombs and analyzing pitfalls in design, implementation, specification and configuration of compression in network services.
The document discusses techniques for bypassing security controls and gaining persistent access to a secured remote desktop server. It proposes infecting a client's workstation, stealing RDP credentials, and using various tools to bypass firewalls, application whitelisting, and other defenses in order to install malware and establish command and control of the target server. Specific bypass methods involve abusing Microsoft Word macros, exploiting Windows services, installing kernel drivers, and manipulating TCP source ports. The presentation demonstrates new attack tools and methods for pentesters and warns blue teams of challenges in detecting such advanced intrusions.
Vulnerability scanning evaluates an organization's systems and network to identify vulnerabilities such as missing patches, unnecessary services, weak authentication, and weak encryption. The document discusses using the Advanced IP Scanner tool to perform a network scan on a target Windows Server 2008 system from a Windows 8 attacker system to check for live systems, open ports, and gather information about computers on the local network. It provides instructions on launching Advanced IP Scanner, entering an IP address range to scan, and viewing the scan results.
This document summarizes three papers presented at an S&P 2012 security conference session on system security. The first paper proposes a framework to eliminate backdoors from response-computable authentication systems. The second paper discusses replacing the standard program loader with a secure loader to prevent attacks on software-based fault isolation. The third paper presents a technique called ReDeBug for finding unpatched code clones in entire OS distributions.
The document discusses the path of cyber security and how to become a hacker or security professional. It outlines the typical steps of penetration testing: reconnaissance and analysis, vulnerability mapping, gaining access, privilege escalation, maintaining access, and covering tracks. It recommends starting with networking and programming skills, focusing on an area of expertise like web security, participating in competitions and creating a practice lab to learn. The presenter gives demonstrations on vulnerable VMs and recommends courses, CTF competitions, and building your own lab to advance your skills in security research, tool development, and operations.
Leverage the Network to Detect and Manage Threats (Cisco Canada)
Session: Leverage the Network to Detect and Manage Threats
Presenter: Michael Moriarta, Lancope - Technical Alliance Manager/SE Southeast US
Date: October 6, 2015
This document discusses types of network monitoring including event-based alerts, packet captures, session information, and high-level statistics. It provides details on each type, such as common tools used and the information that can be obtained. It also covers topics like deploying a network monitoring system, analyzing network data, and collecting logs generated from network events.
This document discusses program security for Android apps. It begins with an introduction of the speaker and covers topics like Android architecture, app threat models, app components like activities and intents, data storage security, cryptography, injection attacks, and reverse engineering defenses. The document provides examples of real security issues from apps like LinkedIn and Pandora and offers tips to defend against various threats like improper data handling, insecure communication, and client-side injection.
There is no doubt that Intrusion Detection Systems should be incorporated into any security infrastructure, however today’s IDS implementations are far from perfect. Security Managers should continue to add layers to their defense strategy and not place too much reliance on this technology, as it’s not easy to create a system that can effectively flag an attack without crashing under the weight of its own logs, operate relatively maintenance free and respond appropriately to benign anomalous events without raising too many false alarms.
This session discusses some of the most common techniques aimed at evading IDS detection in order to attack the infrastructure sitting behind those systems.
This document provides an overview of basic network security concepts. It discusses what security is, why we need it, who is vulnerable, and common security attacks like denial of service attacks, TCP attacks, packet sniffing, and their countermeasures. It also covers firewalls and intrusion detection systems, explaining what they are used for and how they help address security issues. The document uses examples to illustrate concepts like how firewall rules work and how packet sniffing, man-in-the-middle attacks, and dictionary attacks exploit vulnerabilities.
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by Jason Luttgens, Matthew Pepe, and Kevin Mandia, at City College San Francisco.
Website: https://samsclass.info/152/152_F18.shtml
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
"Where firewalls fit in the corporate landscape" discusses why firewalls are needed, the risks of operating without them, what needs to be secured, firewall components, and types of firewalls including packet filters, proxy firewalls, and network address translation. It also covers deploying and configuring firewalls properly, auditing firewalls, and trends in firewall technologies. The document provides an overview of firewall concepts and best practices for implementation in a corporate environment.
This document discusses various types of network security attacks and methods to prevent them. It covers physical access attacks, social engineering attacks, and penetration attacks such as scanning and malware. It also discusses attacks against the OSI and TCP/IP models at the session, transport and network layers. Prevention methods covered include firewalls, proxies, IPsec, security policies and host hardening. Specific switch and router vulnerabilities are examined, such as ARP poisoning, SNMP abuse and spanning tree attacks. Countermeasures for switches include BPDU guard and root guard.
Normalizing Empire's Traffic to Evade Anomaly-Based IDS (Utku Sen)
This document discusses techniques for normalizing Empire's traffic to evade anomaly-based intrusion detection systems (IDS). It begins with an overview of signature-based and anomaly-based IDS. While signature-based IDS can be evaded, anomaly-based IDS aim to detect new attacks but require a training period. The document then discusses how Empire communicates over HTTP and key traits that could be changed to blend in with normal traffic. It proposes a polymorphic blending attack where the attacker captures normal network traffic, learns the profile, and adjusts Empire's traits like request URI, user agent and server header to match. It also discusses adjusting the connection interval and using Markov encoding and a tool called firstorder to automatically
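The polymorphic blending idea in that summary can be shown end to end. The following is an added example, not code from Empire, from the firstorder tool or from the talk: it learns a profile from a constructed baseline of ordinary client requests (user agent frequencies, a first-order Markov chain over request-path characters, and inter-request timing), then generates beacon requests whose traits are drawn from that profile. The baseline rows, the class and function names and the 1-second floor on the interval are all assumptions made for this example; the server-side trait (the Server header) is not modelled here since it is set by the C2 server rather than the agent.

```python
"""Polymorphic blending of HTTP beacon traffic against a learned baseline.
Added example that illustrates the technique the summary describes; it is
not code from Empire, from the firstorder tool or from the talk. The baseline
requests are constructed, and the trait names (user agent, request path,
interval) follow the summary above."""
import random
import statistics
from collections import Counter, defaultdict

# Constructed baseline of "normal" client requests: (seconds since capture
# start, User-Agent, request path), as they might be pulled from proxy logs.
BASELINE = [
    (0,   "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/115.0", "/news/index.html"),
    (31,  "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/115.0", "/news/sports/scores.html"),
    (58,  "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0",  "/static/css/main.css"),
    (95,  "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0",  "/news/weather.html"),
    (120, "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/115.0", "/static/js/app.js"),
    (150, "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/115.0", "/news/local/index.html"),
]


class BlendProfile:
    """Traits learned from the baseline: UA frequencies, a first-order Markov
    chain over request-path characters, and the inter-request timing."""

    def __init__(self, baseline):
        self.ua_counts = Counter(ua for _, ua, _ in baseline)
        self.chain = defaultdict(Counter)  # chain[prev_char][next_char] = count
        for _, _, path in baseline:
            prev = "^"                      # start-of-path marker
            for ch in path + "$":           # "$" marks end of path
                self.chain[prev][ch] += 1
                prev = ch
        times = [t for t, _, _ in baseline]
        gaps = [b - a for a, b in zip(times, times[1:])]
        self.mean_gap = statistics.mean(gaps)
        self.gap_sd = statistics.pstdev(gaps)

    def user_agent(self, rng):
        """Pick a UA with the same frequency it has in the baseline."""
        uas, weights = zip(*self.ua_counts.items())
        return rng.choices(uas, weights)[0]

    def path(self, rng, max_len=48):
        """Walk the Markov chain so every character transition is one the
        baseline already contains; stop at the end marker or max_len."""
        out, prev = [], "^"
        while len(out) < max_len:
            nxt, weights = zip(*self.chain[prev].items())
            ch = rng.choices(nxt, weights)[0]
            if ch == "$":
                break
            out.append(ch)
            prev = ch
        return "".join(out)

    def interval(self, rng):
        """Beacon delay drawn from the baseline's timing, never below 1 s."""
        return max(1.0, rng.gauss(self.mean_gap, self.gap_sd))


def path_is_native(profile, path):
    """Check that a path only uses character transitions seen in the baseline."""
    prev = "^"
    for ch in path:
        if profile.chain[prev][ch] == 0:
            return False
        prev = ch
    return bool(path)


def generate_beacons(profile, count, seed):
    """Produce (delay_seconds, user_agent, path) tuples for the next beacons."""
    rng = random.Random(seed)
    return [(profile.interval(rng), profile.user_agent(rng), profile.path(rng))
            for _ in range(count)]


if __name__ == "__main__":
    profile = BlendProfile(BASELINE)
    for delay, ua, path in generate_beacons(profile, 5, seed=7):
        print(f"sleep {delay:5.1f}s  GET {path}  UA={ua.split(') ')[-1]}")
```

The defensive reading is that an anomaly model trained on the same features (UA distribution, path character statistics, timing) will score these beacons as normal; a detector that wants to catch blending has to add features the attacker cannot learn from passive observation, such as whether the requested path actually exists on the destination server or whether the response sizes match what real clients receive.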
This document discusses firewalls and network security. It begins by outlining common firewall topics and risks to networks like data theft and denial of service attacks. It then examines why firewalls are needed to secure networks and assets. The document outlines different types of firewalls like packet filters, proxy firewalls, and network address translation. It discusses strengths and weaknesses of each approach. Finally, it covers best practices for firewall deployment, configuration, auditing and trends in firewall technologies.
Honeypots are well-known tools for detecting and trapping hacking attempts. Compared to other security mechanisms such as Firewalls and Intrusion Detection Systems, honeypot technology has not advanced significantly, particularly in Industrial Control Systems (ICS).
ICS honeypots attempt to simulate the services of industrial control systems to imitate their behaviors. The adversaries on the other hand try to identify these honeypots and bypass them. This makes protecting such honeypots against detection very important.\r\nIn this research, we categorize honeypot identification methods used to identify industrial honeypots. We classify these methods in four categories, the first three of which are the commonly discussed in the literature, whereas the fourth method is related to the nature of industrial control systems.
With respect to these categories, we have developed an ICS honeypot detection framework, and evaluated it by identifying “Gaspot”, a popular ICS honeypot used to simulate common tank gauges used in the oil & gas industry.\r\nOur framework recognizes honeypots based on characteristics specific to each categorization. Evaluations show that our framework identifies gaspots with more confidence compared to state-of-the-art tools.
This document discusses intrusion detection systems (IDS). It defines intrusion, intrusion detection, and intrusion prevention. It explains the components of an IDS including audit data, detection models, and detection and decision engines. It describes misuse detection using signatures and anomaly detection using statistical analysis. It also discusses host-based and network-based IDS, their advantages and disadvantages, and limitations of exploit-based signatures. The document emphasizes the importance of selecting and properly deploying the right IDS for an organization's needs.
This document discusses computer security and ethical hacking. It covers various types of hacking like interruption and interception. It defines different types of hackers like white hat, black hat and gray hat hackers. It explains the process of ethical hacking which includes preparation, footprinting, vulnerability identification and exploitation. The document provides details on what hackers do after gaining access like covering tracks, creating backdoors. It suggests ways to protect systems like patching vulnerabilities, encrypting data, and setting up firewalls and intrusion detection systems. It advises actions to take after being hacked like restoring from backups.
EmPOW: Integrating Attack Behavior Intelligence into Logstash PluginsFaithWestdorp
This document discusses integrating MITRE ATT&CK intelligence into Logstash plugins to provide security analysts with more context about threats. It covers writing plugins to extract relevant data from logs and map detections to MITRE tactics and techniques. When data is missing, the plugin uses other intelligence sources to infer classifications. The document demonstrates connecting Logstash pipelines to leverage parsing and enrichment, and shows tools for viewing and debugging pipeline configurations.
The document discusses various phases of intrusion and techniques used by attackers:
1. Reconnaissance involves gathering information about the target through techniques like searching public databases, domain name records, and social engineering to map the network and discover vulnerabilities.
2. Scanning detects live machines, network topology, firewall configurations, applications, and vulnerabilities using tools like ping sweeps, traceroute, port scanning, and vulnerability scanners.
3. Gaining access exploits known vulnerabilities through buffer overflow attacks or by downloading exploits from hacker sites to compromise systems.
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia, at City College San Francisco.
Website: https://samsclass.info/152/152_F18.shtml
Understanding Intrusion Detection Systems with SnortShyamsundar Das
This document discusses IDS (intrusion detection systems) and the open source Snort IDS. It begins with an agenda that includes where firewalls fail, comparing IDS and firewalls, how IDS works, types of IDS, and writing rules with Snort. It then discusses where firewalls fail to protect against authorized traffic, detect insider attacks, or analyze encrypted traffic. It compares NIDS, HIDS, and hybrid IDS and discusses signature detection and state-based detection methods. The document dives deeper into Snort's architecture, rule syntax, and provides an example Snort rule to detect the SubSeven trojan. It concludes with a demonstration of running Snort and detecting network traffic.
Andrew Brandt, Symantec
Back in 2014 and 2015, the Dyre (sometimes called Dyreza) Trojan was a distinctive crimeware tool for the simple reason that it appeared to employ, and experiment with, a whole range of sophisticated tactics, techniques and procedures: It was the first Trojan which exclusively employed HTTPS for its C2 traffic; It operated on a modular basis with a small cadre of other malware families, such as the Upatre downloader, which seemed to support it exclusively, as well as email address scraping tools and spam mail relayers; and it was at least as interested in profiling the environment it had infected as it was in exfiltrating any data it could find on the victim's machine. Then it disappeared suddenly, but re-emerged this year in the form of a Trojan now called Trickbot (aka Trickybot), completely rewritten but with many of the same features. In the lab, we permit Trickbot samples to persist on infected machines for days to weeks in order to perform man-in-the-middle SSL decryption on their C2 traffic. In this session, attendees will get a detailed forensic analysis of the content of some of this C2 traffic and the endpoint behavior of various machines (virtual and bare-metal) when left infected for an extended period of time. Finally, we will share what we know about the botnet's C2 infrastructure and its historical reputation. By understanding how Trickbot functions, and to where it communicates, we hope we can help identify infections more rapidly and, maybe, interpret the motives of whoever is operating this shadowy botnet to predict its next course of action.
CONFidence 2014: Yaniv Miron: ATMs – We kick their assPROIDEA
ATMs (Automated Teller Machines) are usually weak spots in any organization that operates them. We would like to share with you how we hack ATMs. We will show GENERIC ways to attack ATMs. Specific attacks are kewl but we like GENERIC ones that work in the often complex ATM world. Join us to pwn some ATMs and learn from our vast experience in the trenches.
This document provides an overview of intrusion prevention systems (IPS). It defines IPS and their main functions, which include identifying intrusions, logging information, attempting to block intrusions, and reporting them. It also discusses terminology related to IPS like false positives and negatives. The document outlines different detection methods used by IPS like signature-based, anomaly-based, and stateful protocol analysis. It categorizes IPS based on deployment like network-based, host-based, and wireless. It provides Snort, an open-source IPS, as a case study and discusses its components, rules structure, and challenges.
Routers, firewalls, intrusion detection systems, honeypots, and other security devices can be used to protect networks. Routers direct network traffic using routing protocols and access lists. Firewalls control access to internal networks using packet filtering, stateful inspection, and application inspection. Intrusion detection systems monitor network traffic for suspicious activity and generate alerts. Honeypots are decoy systems used to attract and study hackers without exposing real systems to risk. These security devices provide layered defenses to enhance network protection.
The document discusses Python jails (PyJails), which are CTF problems that provide a limited Python interpreter. The goal is typically to call restricted functions like os.system() or open() to access files. Common solutions leverage attributes of Python objects like __class__, __globals__, and __builtins__ to access the open() function despite restrictions. The document then provides an in-depth explanation of these Python object attributes and how they allow constructing a solution to bypass the restrictions in a PyJail.
This document provides information about the Computer Security Group (CSG) Spring 2022 kickoff event. It introduces CSG as a weekly security-focused student group. It also describes the Scholarship for Service program, lists the CSG leadership team, and advertises upcoming technical talks on topics like embedded systems, Python, anonymity, and fuzzing. Members are encouraged to attend weekly meetings, join the Discord server, and suggest additional talk topics.
This document provides an introduction to cloud computing, including what cloud is, its benefits and drawbacks, common cloud service models (SaaS, PaaS, IaaS), major cloud providers, and common cloud computing services. Key cloud computing services discussed include compute services (like AWS EC2 and Google Compute Engine), databases, storage, and additional AI/ML and serverless services. The document also highlights some free cloud credits and resources available for students.
1. The document discusses various methods for gaining domain administrator privileges on a Windows domain, including exploiting the domain's architecture, abusing Active Directory services like Kerberos, and cracking Kerberos tickets.
2. It provides three attack scenarios: leveraging internal access and the BloodHound tool, performing an NTLM relay attack against WebDAV to setup delegation, and directly cracking Kerberos tickets by requesting tickets for service principal names.
3. The document recommends demonstrating these attacks against a test environment to gain hands-on experience compromising a Windows domain from different starting points.
Python is an interpreted programming language that can be used for many purposes including security related tasks. It was created in the late 1980s by Guido van Rossum and named after the Monty Python comedy group. There are differences between Python versions 2.7 and 3.0, such as print becoming a function in 3.0. Python has an interactive shell environment that allows users to run commands and an extensive standard library including data types like lists, tuples, sets and dictionaries. Libraries like pwntools and PyCryptodome provide functionality for tasks like exploit development and cryptography.
This document provides an introduction and overview of various topics related to cybersecurity including programming languages, operating systems, networks, penetration testing tools, defensive tools, and security certifications. It also lists upcoming cybersecurity events at the school including an intern fair, career fair, engineering week, capture the flag competition, and security operations center competition. Students are invited to sign in using a QR code or URL to participate in resume critiques and learn more.
Bash is a command line shell that allows users to interact with and manage a Linux operating system. It can be used to edit files and system configurations, monitor and manage processes, run scripts, and more. Common bash commands include ls to list directories, cd to change directories, cat to output file contents, and man to view command manuals. The demo section provides a hands-on experience using bash commands.
1. The document discusses web exploitation and provides tips for assessing what functionality a server may have and how to test for vulnerabilities.
2. It lists common server-side technologies like PHP, Python, NodeJS that have been exploited in past events, and encourages researching assumed functionality and how others may have previously exploited similar systems.
3. The document emphasizes that web exploitation involves searching and researching to understand what a server can do in response to inputs, as its functionality may not always be obvious, in order to discover ways to read files or execute code remotely.
This document provides an overview of network exploitation, including types of networks, network environments, internal vs external networks, network enumeration tools, and attack routing. It announces upcoming events and provides details about local area networks (LANs), wide area networks (WANs), metropolitan area networks (MANs), corporate and personal network environments, using Nmap and Nessus for scanning, and pivoting through internal networks from external points.
1. The document discusses the steps of a penetration test against a target machine called Celestial on the Hack the Box platform.
2. It outlines reconnaissance, enumeration through Nmap scanning, exploitation to gain initial access, escalation of privileges from user to root, establishing persistence, and clean-up to remove traces of access.
3. The target is an Linux machine at IP 10.10.10.85, and the session will walk through each step of the penetration test process.
This presentation gives an overview of many different encryption and encoding schemes. The content ranges from simple encodings, such as ASCII text represented as decimals to classical ciphers, such as Caesar and Vigenere ciphers to modern encryption standards, such as the Data Encryption Standard (DES) and Advanced Encryption Standard (AES). For modern encryption, there are many different implementation flaws that are discussed in the presentation as well as a few ideas for how to correct those flaws. At the end of the presentation, some thought questions are provided.
We continue where we left off from Part 1. This section covers 2 main topics, debugging libraries and fuzzer design. For debugging libraries we go over PyDBG and WinAppDbg, discussing basic to intermediate examples, and when you might want to use one instead of the other. After that, fuzzer design is discussed, including goals, design choices, architecture, etc. Some code samples are shown from my fuzzer, along with a github link for those who are interested.
This document provides an introduction to software exploitation on Linux 32-bit systems. It covers common exploitation techniques like buffer overflows, format strings, and ret2libc attacks. It discusses the Linux memory layout and stack structure. It explains buffer overflows on the stack and heap, and how to leverage them to alter control flow and execute arbitrary code. It also covers the format string vulnerability and how to leak information or write to arbitrary memory locations. Tools mentioned include GDB, exploit-exercises, and Python. Overall it serves as a crash course on the basic techniques and concepts for Linux exploitation.
This is part 1 of fuzzing, an introduction to the subject. This presentation covers some of theory and thought process behind the subject, as well as an introduction to environment variable fuzzing and file format fuzzing.
The document summarizes how to exploit a heap-based buffer overflow vulnerability in the Protostar Heap 3 challenge. It describes using the Doug Lea malloc implementation, modifying chunk size metadata to change program execution, overwriting pointers to hijack control flow, and crafting 12-byte shellcode to jump to a "winner()" function and complete the exploit.
We introduce the fundamentals of dynamic memory allocation and highlight several exploitable properties. These ideas are put into practice in a set of heap overflow challenges from exploit-exercise.com's Protostar VM. We walk through the first three. Other uses of heap space such as heap spraying are mentioned.
How information systems are built or acquired puts information, which is what they should be about, in a secondary place. Our language adapted accordingly, and we no longer talk about information systems but applications. Applications evolved in a way to break data into diverse fragments, tightly coupled with applications and expensive to integrate. The result is technical debt, which is re-paid by taking even bigger "loans", resulting in an ever-increasing technical debt. Software engineering and procurement practices work in sync with market forces to maintain this trend. This talk demonstrates how natural this situation is. The question is: can something be done to reverse the trend?
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/temporal-event-neural-networks-a-more-efficient-alternative-to-the-transformer-a-presentation-from-brainchip/
Chris Jones, Director of Product Management at BrainChip , presents the “Temporal Event Neural Networks: A More Efficient Alternative to the Transformer” tutorial at the May 2024 Embedded Vision Summit.
The expansion of AI services necessitates enhanced computational capabilities on edge devices. Temporal Event Neural Networks (TENNs), developed by BrainChip, represent a novel and highly efficient state-space network. TENNs demonstrate exceptional proficiency in handling multi-dimensional streaming data, facilitating advancements in object detection, action recognition, speech enhancement and language model/sequence generation. Through the utilization of polynomial-based continuous convolutions, TENNs streamline models, expedite training processes and significantly diminish memory requirements, achieving notable reductions of up to 50x in parameters and 5,000x in energy consumption compared to prevailing methodologies like transformers.
Integration with BrainChip’s Akida neuromorphic hardware IP further enhances TENNs’ capabilities, enabling the realization of highly capable, portable and passively cooled edge devices. This presentation delves into the technical innovations underlying TENNs, presents real-world benchmarks, and elucidates how this cutting-edge approach is positioned to revolutionize edge AI across diverse applications.
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU und die Lizenzen nach dem CCB- und CCX-Modell sind für viele in der HCL-Community seit letztem Jahr ein heißes Thema. Als Notes- oder Domino-Kunde haben Sie vielleicht mit unerwartet hohen Benutzerzahlen und Lizenzgebühren zu kämpfen. Sie fragen sich vielleicht, wie diese neue Art der Lizenzierung funktioniert und welchen Nutzen sie Ihnen bringt. Vor allem wollen Sie sicherlich Ihr Budget einhalten und Kosten sparen, wo immer möglich. Das verstehen wir und wir möchten Ihnen dabei helfen!
Wir erklären Ihnen, wie Sie häufige Konfigurationsprobleme lösen können, die dazu führen können, dass mehr Benutzer gezählt werden als nötig, und wie Sie überflüssige oder ungenutzte Konten identifizieren und entfernen können, um Geld zu sparen. Es gibt auch einige Ansätze, die zu unnötigen Ausgaben führen können, z. B. wenn ein Personendokument anstelle eines Mail-Ins für geteilte Mailboxen verwendet wird. Wir zeigen Ihnen solche Fälle und deren Lösungen. Und natürlich erklären wir Ihnen das neue Lizenzmodell.
Nehmen Sie an diesem Webinar teil, bei dem HCL-Ambassador Marc Thomas und Gastredner Franz Walder Ihnen diese neue Welt näherbringen. Es vermittelt Ihnen die Tools und das Know-how, um den Überblick zu bewahren. Sie werden in der Lage sein, Ihre Kosten durch eine optimierte Domino-Konfiguration zu reduzieren und auch in Zukunft gering zu halten.
Diese Themen werden behandelt
- Reduzierung der Lizenzkosten durch Auffinden und Beheben von Fehlkonfigurationen und überflüssigen Konten
- Wie funktionieren CCB- und CCX-Lizenzen wirklich?
- Verstehen des DLAU-Tools und wie man es am besten nutzt
- Tipps für häufige Problembereiche, wie z. B. Team-Postfächer, Funktions-/Testbenutzer usw.
- Praxisbeispiele und Best Practices zum sofortigen Umsetzen
Essentials of Automations: Exploring Attributes & Automation ParametersSafe Software
Building automations in FME Flow can save time, money, and help businesses scale by eliminating data silos and providing data to stakeholders in real-time. One essential component to orchestrating complex automations is the use of attributes & automation parameters (both formerly known as “keys”). In fact, it’s unlikely you’ll ever build an Automation without using these components, but what exactly are they?
Attributes & automation parameters enable the automation author to pass data values from one automation component to the next. During this webinar, our FME Flow Specialists will cover leveraging the three types of these output attributes & parameters in FME Flow: Event, Custom, and Automation. As a bonus, they’ll also be making use of the Split-Merge Block functionality.
You’ll leave this webinar with a better understanding of how to maximize the potential of automations by making use of attributes & automation parameters, with the ultimate goal of setting your enterprise integration workflows up on autopilot.
Skybuffer SAM4U tool for SAP license adoptionTatiana Kojar
Manage and optimize your license adoption and consumption with SAM4U, an SAP free customer software asset management tool.
SAM4U, an SAP complimentary software asset management tool for customers, delivers a detailed and well-structured overview of license inventory and usage with a user-friendly interface. We offer a hosted, cost-effective, and performance-optimized SAM4U setup in the Skybuffer Cloud environment. You retain ownership of the system and data, while we manage the ABAP 7.58 infrastructure, ensuring fixed Total Cost of Ownership (TCO) and exceptional services through the SAP Fiori interface.
Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API?
Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose?
Which one is cheapest? Which one is fastest? Which one will scale to meet our needs?
Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor IvaniukFwdays
At this talk we will discuss DDoS protection tools and best practices, discuss network architectures and what AWS has to offer. Also, we will look into one of the largest DDoS attacks on Ukrainian infrastructure that happened in February 2022. We'll see, what techniques helped to keep the web resources available for Ukrainians and how AWS improved DDoS protection for all customers based on Ukraine experience
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...Alex Pruden
Folding is a recent technique for building efficient recursive SNARKs. Several elegant folding protocols have been proposed, such as Nova, Supernova, Hypernova, Protostar, and others. However, all of them rely on an additively homomorphic commitment scheme based on discrete log, and are therefore not post-quantum secure. In this work we present LatticeFold, the first lattice-based folding protocol based on the Module SIS problem. This folding protocol naturally leads to an efficient recursive lattice-based SNARK and an efficient PCD scheme. LatticeFold supports folding low-degree relations, such as R1CS, as well as high-degree relations, such as CCS. The key challenge is to construct a secure folding protocol that works with the Ajtai commitment scheme. The difficulty, is ensuring that extracted witnesses are low norm through many rounds of folding. We present a novel technique using the sumcheck protocol to ensure that extracted witnesses are always low norm no matter how many rounds of folding are used. Our evaluation of the final proof system suggests that it is as performant as Hypernova, while providing post-quantum security.
Paper Link: https://eprint.iacr.org/2024/257
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsDianaGray10
Join us to learn how UiPath Apps can directly and easily interact with prebuilt connectors via Integration Service--including Salesforce, ServiceNow, Open GenAI, and more.
The best part is you can achieve this without building a custom workflow! Say goodbye to the hassle of using separate automations to call APIs. By seamlessly integrating within App Studio, you can now easily streamline your workflow, while gaining direct access to our Connector Catalog of popular applications.
We’ll discuss and demo the benefits of UiPath Apps and connectors including:
Creating a compelling user experience for any software, without the limitations of APIs.
Accelerating the app creation process, saving time and effort
Enjoying high-performance CRUD (create, read, update, delete) operations, for
seamless data management.
Speakers:
Russell Alfeche, Technology Leader, RPA at qBotic and UiPath MVP
Charlie Greenberg, host
Programming Foundation Models with DSPy - Meetup SlidesZilliz
Prompting language models is hard, while programming language models is easy. In this talk, I will discuss the state-of-the-art framework DSPy for programming foundation models with its powerful optimizers and runtime constraint system.
AppSec PNW: Android and iOS Application Security with MobSFAjin Abraham
Mobile Security Framework - MobSF is a free and open source automated mobile application security testing environment designed to help security engineers, researchers, developers, and penetration testers to identify security vulnerabilities, malicious behaviours and privacy concerns in mobile applications using static and dynamic analysis. It supports all the popular mobile application binaries and source code formats built for Android and iOS devices. In addition to automated security assessment, it also offers an interactive testing environment to build and execute scenario based test/fuzz cases against the application.
This talk covers:
Using MobSF for static analysis of mobile applications.
Interactive dynamic security assessment of Android and iOS applications.
Solving Mobile app CTF challenges.
Reverse engineering and runtime analysis of Mobile malware.
How to shift left and integrate MobSF/mobsfscan SAST and DAST in your build pipeline.
Main news related to the CCS TSI 2023 (2023/1695)Jakub Marek
An English 🇬🇧 translation of a presentation to the speech I gave about the main changes brought by CCS TSI 2023 at the biggest Czech conference on Communications and signalling systems on Railways, which was held in Clarion Hotel Olomouc from 7th to 9th November 2023 (konferenceszt.cz). Attended by around 500 participants and 200 on-line followers.
The original Czech 🇨🇿 version of the presentation can be found here: https://www.slideshare.net/slideshow/hlavni-novinky-souvisejici-s-ccs-tsi-2023-2023-1695/269688092 .
The videorecording (in Czech) from the presentation is available here: https://youtu.be/WzjJWm4IyPk?si=SImb06tuXGb30BEH .
4. “Corporate Espionage”
• Not really, but…
• Focuses on technology found in real business environments.
• Considers the human element - the security analyst.
• Discusses techniques used by attackers to evade detection and compromise protected networks.
• This is NOT comprehensive – the purpose is to introduce the concepts.
5. Corporate Attitude
• Motivating factor for security is not security itself!
• Business Continuity - $$$
• Compliance – PCI / HIPAA etc…
• Management and executives do care about security, but things are often ignored if they do not directly affect the revenue stream or cause a compliance violation.
• This fact is useful for attackers – comprehensive security is VERY difficult.
6. S.O.C
• Security Operations Center
• Comprised of analysts who monitor in real time for scans, attacks, compromises, policy violations and infections.
• 24/7
• Research and create signatures and policies for client networks
• MSSP (Managed Security Service Provider)
• Have many clients who outsource their security needs to the S.O.C
8. Firewall
• Software or hardware based
• Controls incoming / outgoing network traffic
• Firewalls today can handle routing / NAT
• Hardware firewalls generally sit at network perimeter
• Stateful packet inspection:
• Maintain information and context in a session
• Stateless packet inspection:
• Simpler filtering, does not keep track of active session
• Rules define which traffic gets accepted and rejected.
• Usually the first line of defense.
11. IDS / HIDS
• IDS: Intrusion Detection System
• HIDS: Host based Intrusion Detection System
• Appliance (software or hardware) that detects malicious traffic, or any traffic violating the defined policies.
• Use keyword matching or content matching
• Searching for something specific within a packet or session
• Can also use regular expression matching in payload
• Ex: content:"sEleCt"; pcre:"/^INSERT INTO/";
• Analyst would see the alerts based on priority
• False positives
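Added example, not from the slides and not Snort's own code: a toy evaluator for content/pcre rule options (the names imitate Snort syntax) run over constructed payloads. It shows why the slide's exact-case content:"sEleCt" match misses trivial case variation, and what the nocase option and a pcre flag change.

```python
"""Toy evaluator for Snort-style content/pcre rule options.

Added example, not from the original slides and not Snort's own code: the
option names (content, nocase, pcre) imitate Snort syntax, but the parser
and matcher below are a constructed illustration of how keyword and regular
expression matching behave on payload bytes.
"""
from __future__ import annotations
import re

# Constructed sample payloads (not captured traffic). Payloads 1 and 2 differ
# only in letter case, the kind of variation a case-sensitive match misses.
SAMPLE_PAYLOADS = [
    b"GET /item?id=1 HTTP/1.1\r\n",
    b"id=1 UNION sEleCt password FROM users",
    b"id=1 union select password from users",
    b"INSERT INTO log VALUES ('x')",
    b"POST /insert into nothing",
]

# Rules being compared: the slide's exact-case content, the same with nocase,
# an anchored pcre as on the slide, and an unanchored case-insensitive one.
RULES = {
    "select_exact": 'content:"sEleCt";',
    "select_nocase": 'content:"select"; nocase;',
    "insert_anchored": 'pcre:"/^INSERT INTO/";',
    "insert_anywhere_i": 'pcre:"/insert into/i";',
}

# option name, optionally :"value", terminated by ';'
_OPTION_RE = re.compile(r'(\w+)(?::"((?:[^"\\]|\\.)*)")?\s*;')


def parse_rule_options(options: str) -> list[tuple[str, str | None]]:
    """Split 'content:"a"; nocase; pcre:"/b/";' into (name, value) pairs."""
    return [(m.group(1), m.group(2)) for m in _OPTION_RE.finditer(options)]


def compile_rule(options: str):
    """Return a predicate over payload bytes. All options must match (logical AND):
    content:"x" is a byte-string search, nocase makes the preceding content
    case-insensitive, pcre:"/re/flags" is a regex search (flag i honoured)."""
    checks, pending = [], None
    for name, value in parse_rule_options(options):
        if name == "content":
            if pending:
                checks.append(pending)
            pending = {"needle": value.encode(), "nocase": False}
        elif name == "nocase" and pending:
            pending["nocase"] = True
        elif name == "pcre":
            if pending:
                checks.append(pending)
                pending = None
            body, _, flags = value[1:].rpartition("/")  # drop leading '/', split off '/flags'
            checks.append({"regex": re.compile(body.encode(), re.IGNORECASE if "i" in flags else 0)})
    if pending:
        checks.append(pending)

    def matches(payload: bytes) -> bool:
        for c in checks:
            if "regex" in c:
                if not c["regex"].search(payload):
                    return False
            elif c["nocase"]:
                if c["needle"].lower() not in payload.lower():
                    return False
            elif c["needle"] not in payload:
                return False
        return True
    return matches


def evaluate_rules(rules=RULES, payloads=SAMPLE_PAYLOADS) -> dict[str, list[int]]:
    """For each rule, the indices of payloads that would raise an alert."""
    compiled = {name: compile_rule(opts) for name, opts in rules.items()}
    return {name: [i for i, p in enumerate(payloads) if match(p)]
            for name, match in compiled.items()}
```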
14. IPS
• Intrusion Prevention System
• Similar to IDS, but also attempts to prevent the traffic from passing through the device.
• Rule / Signature based
• Like a firewall, the packets will be dropped.
• Rules and signatures are more complex than those of a firewall.
16. Web Application Firewall
• Software or hardware
• Plugins or filters
• Applies to HTTP sessions
• Some vendors can handle HTTPS
• Checks for web attacks such as XSS and SQL Injection
• Content matching, regular expressions
18. Log Analysis
• Dynamic or static
• Great forensics tools, but it can be difficult to find security events in real time.
• Regular expression searches
• Keyword searches
• Solutions such as Splunk allow the analyst to search for events easily.
• Pulls from logs, not network traffic
• Splunk
19. S.I.E.M
• Security Information & Events Management
• Normalizes and correlates network traffic to identify security events and reduce false positives
• Pulls in log data from multiple types of devices
• Identifies common attributes and associates different events where applicable
• Alerts on actionable security events
• Helpful in compliance reporting
• Set complex rules to define the expected behavior of a network.
22. Tools
• Useful tools:
• hping3, firewalk, nmap, custom tools (scapy is great!), netcat, tcpdump, wireshark, fragroute
• … so you discovered a firewall, now what?
23. Evasion: Basics
• Firewalls will drop packets that do not adhere to the protocol specification
• Ex: Sending a SYN ACK without first sending a SYN is not how TCP works!
• Tools like “xprobe” can be used to detect operating systems behind a firewall by using the TCP / UDP / ICMP protocols. This is ‘fingerprinting’.
• Firewalls behave differently!
• Firewalking:
• Send TCP / UDP / ICMP packets and examine response
• Window size, sequence numbers, type encode, etc…
24. TCP Header
struct tcpheader {
    unsigned short int th_sport;     /* source port */
    unsigned short int th_dport;     /* destination port */
    unsigned int th_seq;             /* sequence number */
    unsigned int th_ack;             /* acknowledgement number */
    unsigned char th_x2:4, th_off:4; /* reserved (4 bits), data offset in 32-bit words (4 bits);
                                        this bit-field order assumes a little-endian host */
    unsigned char th_flags;          /* URG ACK PSH RST SYN FIN in the low 6 bits */
    unsigned short int th_win;       /* window size */
    unsigned short int th_sum;       /* checksum */
    unsigned short int th_urp;       /* urgent pointer */
}; /* total tcp header length: 20 bytes (=160 bits) */
26. UDP Header
struct udpheader {
    unsigned short int uh_sport;     /* source port */
    unsigned short int uh_dport;     /* destination port */
    unsigned short int uh_len;       /* length of header plus data */
    unsigned short int uh_check;     /* checksum (optional in IPv4, 0 when absent) */
}; /* total udp header length: 8 bytes (=64 bits) */
28. ICMP Header
struct icmpheader {
    unsigned char icmp_type;         /* message type, e.g. 3 = destination unreachable */
    unsigned char icmp_code;         /* subtype, e.g. 4 = fragmentation needed */
    unsigned short int icmp_cksum;   /* checksum */
    /* The following fields are ICMP type specific; these are the echo request/reply ones */
    unsigned short int icmp_id;      /* identifier */
    unsigned short int icmp_seq;     /* sequence number */
}; /* total icmp header length: 8 bytes (=64 bits) */
30. Evasion: Scan Techniques
• Different types of scans will produce different results
• XMAS scan: FIN PSH URG flags set on TCP segment.
• NULL scan: TCP flags are set to all 0
• FIN scan: FIN flag set on TCP segment
• ACK scan: ACK flag set on TCP segment
• SYN scan: SYN flag set
• SYN ACK: SYN ACK flag set
• FTP Bounce: uses another host to act as proxy
• Zombie Scan: Use idle host on a network to hide real
source address
31. Evasion: Scan Techniques
• Specify different source port
• Some poorly configured systems filter on source port, so packets from a
different source port may be let through
• Default UNIX based firewalls can be bypassed with an
XMAS or a NULL scan.
• Inverted Technique – crafting malformed TCP packets
• Closed ports will respond with RST/ACK (Reset Acknowledge) – RFC 793
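The header layout on slide 24 and the flag combinations on slides 30 and 31 can be checked in code. The following C program is an added example, not code from these slides or from any tool they mention: it unpacks a raw 20-byte TCP header from network byte order (without the struct's bitfields, whose layout is compiler dependent), rejects segments whose data offset is below the 20-byte minimum the way a firewall drops non-conforming packets, and names the scan type a flag byte corresponds to. The segments it builds are constructed test data; the flag constants follow the RFC 793 bit order.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* TCP flag bits in th_flags (RFC 793 order, low bit first) */
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_PSH 0x08
#define TH_ACK 0x10
#define TH_URG 0x20

/* Same fields as the slide's struct tcpheader, but without bitfields:
 * bitfield order is compiler dependent, so bytes are unpacked by hand. */
struct tcp_fields {
    uint16_t th_sport, th_dport;
    uint32_t th_seq, th_ack;
    uint8_t  th_off;    /* header length in 32-bit words, 5..15 */
    uint8_t  th_x2;     /* reserved nibble, must be 0 */
    uint8_t  th_flags;
    uint16_t th_win, th_sum, th_urp;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

/* Unpack a segment in network byte order.  Returns 0 on success, -1 if the
 * buffer is too short or the data offset is below the 20-byte minimum or
 * longer than the bytes present (the "does not adhere to spec" case). */
int parse_tcp(const uint8_t *buf, size_t len, struct tcp_fields *t) {
    if (len < 20) return -1;
    t->th_sport = rd16(buf);
    t->th_dport = rd16(buf + 2);
    t->th_seq   = rd32(buf + 4);
    t->th_ack   = rd32(buf + 8);
    t->th_off   = buf[12] >> 4;
    t->th_x2    = buf[12] & 0x0f;
    t->th_flags = buf[13];
    t->th_win   = rd16(buf + 14);
    t->th_sum   = rd16(buf + 16);
    t->th_urp   = rd16(buf + 18);
    if (t->th_off < 5 || (size_t)t->th_off * 4 > len) return -1;
    return 0;
}

/* Name the scan type a flag byte corresponds to, following slide 30. */
const char *classify_flags(uint8_t f) {
    uint8_t core = f & (TH_FIN | TH_SYN | TH_RST | TH_PSH | TH_ACK | TH_URG);
    if (core == 0)                          return "null";
    if (core == (TH_FIN | TH_PSH | TH_URG)) return "xmas";
    if (core == TH_FIN)                     return "fin";
    if (core == TH_ACK)                     return "ack";
    if (core == TH_SYN)                     return "syn";
    if (core == (TH_SYN | TH_ACK))          return "syn-ack";
    if (core == (TH_RST | TH_ACK))          return "rst-ack";   /* closed-port reply */
    if ((core & TH_SYN) && (core & (TH_FIN | TH_RST)))
        return "invalid-syn-combo";         /* SYN never travels with FIN or RST */
    return "other";
}

/* Parse then classify; "malformed" covers anything parse_tcp rejects. */
const char *classify_segment(const uint8_t *buf, size_t len) {
    struct tcp_fields t;
    if (parse_tcp(buf, len, &t) != 0) return "malformed";
    return classify_flags(t.th_flags);
}

/* Build a constructed 20-byte segment (no options) for testing. */
void build_segment(uint8_t out[20], uint16_t sport, uint16_t dport, uint8_t flags) {
    memset(out, 0, 20);
    out[0] = (uint8_t)(sport >> 8); out[1] = (uint8_t)sport;
    out[2] = (uint8_t)(dport >> 8); out[3] = (uint8_t)dport;
    out[12] = 5 << 4;               /* data offset 5 words = 20 bytes, reserved 0 */
    out[13] = flags;
    out[14] = 0x20; out[15] = 0x00; /* window 8192 */
}

int main(void) {
    uint8_t seg[20];
    uint8_t probes[] = { TH_FIN | TH_PSH | TH_URG, 0, TH_FIN, TH_ACK, TH_SYN,
                         TH_SYN | TH_ACK, TH_RST | TH_ACK, TH_SYN | TH_FIN };
    for (size_t i = 0; i < sizeof probes; i++) {
        build_segment(seg, 40000, 80, probes[i]);
        printf("flags=0x%02x -> %s\n", probes[i], classify_segment(seg, sizeof seg));
    }
    seg[12] = 3 << 4;               /* bogus 12-byte header length */
    printf("off=3 -> %s\n", classify_segment(seg, sizeof seg));
    return 0;
}
```

Classifying one segment in isolation is as far as a stateless check goes; the SYN ACK-without-SYN case from slide 23 can only be caught with per-flow connection state, which is what a stateful firewall keeps.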
32. Evasion: Fragmentation
• Can be used to bypass Firewalls, IDS
• Can also cause Denial of Service by exhausting
resources
• Occurs when an IP packet is larger than the MTU (maximum
transmission unit) of the network it is currently
traversing.
• Can occur on ANY router the packet travels through
• Destination host will reassemble the packet
33. Evasion: Fragmentation
• Fragments of packets must include:
• Fragment ID # (IP ID)
• Offset (multiple of 8 bytes)
• Length of the data
• MF flag – more fragments
35. Evasion: Fragmentation
• Fragment Offset
• Fragment offset field maximum = 8191 (13 bits)
• Max IP packet = 65535 bytes
• Fragment offset * 8 = real offset
38. Evasion: Fragmentation
• Protocol header found in first fragment
• Stateful packet filtering sees all fragments as one packet
• Stateless sees each individually
• Packet can have DF (don’t fragment) flag set, which tells
routers that it cannot be fragmented.
• Routers will respond with “unreachable – need to frag”
message if DF flag is set and it needs to be fragmented.
• ICMP error message returns MTU of the network which is
useful in Path MTU discovery.
• Can leverage this to discover MTU of a network
• router.ru > mail.mysite.ru: icmp: host.ru unreachable – need to frag
(mtu 308) (DF)
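The fragment fields from slides 33 and 35, the first-fragment rule from slide 38 and the ICMP "need to frag" message above can all be read straight out of the header bytes. The C program below is an added example, not code from these slides: it extracts the IP ID, DF/MF flags and the 13-bit offset (multiplied by 8 to get the real byte offset) from an IPv4 header, rejects a fragment that would land beyond the 65535-byte maximum, flags a first fragment too small to carry the transport header, and pulls the next-hop MTU out of an ICMP type 3 code 4 error, which RFC 1191 places in bytes 6-7 (the position the slide's icmpheader labels icmp_seq). All packets it builds are constructed test data; the MTU of 308 mirrors the tcpdump line above.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IP_DF        0x4000   /* don't fragment */
#define IP_MF        0x2000   /* more fragments */
#define IP_OFFMASK   0x1fff   /* 13-bit fragment offset, max 8191 */
#define IP_MAXPACKET 65535    /* largest reassembled datagram, header included */

struct frag_info {
    uint16_t ip_id;      /* fragment ID # (IP ID), shared by all pieces */
    int      df, mf;     /* DF and MF flags */
    uint16_t frag_off;   /* raw 13-bit field, in 8-byte units */
    uint32_t real_off;   /* frag_off * 8 = byte offset into the datagram */
    uint16_t data_len;   /* bytes carried after the IP header */
    int      first, last;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Read the fragmentation fields from an IPv4 header.  Returns 0 if they are
 * consistent, -1 for a short buffer, bad version or IHL, or a fragment that
 * would place data beyond the 65535-byte maximum (a reassembler must drop it). */
int parse_frag(const uint8_t *buf, size_t len, struct frag_info *f) {
    if (len < 20 || (buf[0] >> 4) != 4) return -1;
    size_t   ihl   = (size_t)(buf[0] & 0x0f) * 4;
    uint16_t total = rd16(buf + 2);
    if (ihl < 20 || ihl > len || total < ihl) return -1;
    uint16_t ff = rd16(buf + 6);
    f->ip_id    = rd16(buf + 4);
    f->df       = (ff & IP_DF) != 0;
    f->mf       = (ff & IP_MF) != 0;
    f->frag_off = ff & IP_OFFMASK;
    f->real_off = (uint32_t)f->frag_off * 8;
    f->data_len = (uint16_t)(total - ihl);
    f->first    = (f->frag_off == 0);
    f->last     = !f->mf;
    /* reassembled datagram = 20-byte header + data at its final position */
    if (20u + f->real_off + f->data_len > IP_MAXPACKET) return -1;
    return 0;
}

/* The transport header travels only in the first fragment (slide 38).  A
 * first fragment of a multi-fragment datagram that cannot even hold the
 * 20-byte TCP header is what a stateless filter cannot judge; flag it. */
int first_fragment_too_small(const struct frag_info *f) {
    return f->first && f->mf && f->data_len < 20;
}

/* ICMP type 3 code 4 is "unreachable - need to frag".  RFC 1191 carries the
 * next-hop MTU in bytes 6-7.  Returns that MTU, or 0 for any other message. */
uint16_t icmp_needfrag_mtu(const uint8_t *buf, size_t len) {
    if (len < 8 || buf[0] != 3 || buf[1] != 4) return 0;
    return rd16(buf + 6);
}

/* Build a constructed 20-byte IPv4 header (no options, TCP payload). */
void build_ipv4_frag(uint8_t out[20], uint16_t id, uint16_t flags_off, uint16_t data_len) {
    uint16_t total = (uint16_t)(20 + data_len);
    memset(out, 0, 20);
    out[0] = 0x45;                          /* version 4, IHL 5 */
    out[2] = (uint8_t)(total >> 8);     out[3] = (uint8_t)total;
    out[4] = (uint8_t)(id >> 8);        out[5] = (uint8_t)id;
    out[6] = (uint8_t)(flags_off >> 8); out[7] = (uint8_t)flags_off;
    out[8] = 64;                            /* TTL */
    out[9] = 6;                             /* protocol TCP */
}

int main(void) {
    uint8_t hdr[20];
    struct frag_info f;
    /* a 1500-byte MTU splits a 2000-byte datagram into 1480 + 500 data bytes */
    build_ipv4_frag(hdr, 0x1234, IP_MF | 0, 1480);
    if (parse_frag(hdr, sizeof hdr, &f) == 0)
        printf("id=%u off=%u len=%u mf=%d\n", f.ip_id, f.real_off, f.data_len, f.mf);
    build_ipv4_frag(hdr, 0x1234, 185, 500);           /* 185 * 8 = 1480 */
    if (parse_frag(hdr, sizeof hdr, &f) == 0)
        printf("id=%u off=%u len=%u last=%d\n", f.ip_id, f.real_off, f.data_len, f.last);
    /* constructed "need to frag" error announcing an MTU of 308 */
    uint8_t icmp[8] = { 3, 4, 0, 0, 0, 0, 0x01, 0x34 };
    printf("next-hop mtu=%u\n", icmp_needfrag_mtu(icmp, sizeof icmp));
    return 0;
}
```

A stateful filter or IDS keeps every fragment with the same IP ID until the last one (MF clear) arrives and then inspects the whole datagram; a stateless filter only ever sees what parse_frag reports for one fragment, which is why the first-fragment check matters to it.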
42. Evasion: Source Routing
• Loose Source Routing:
• Use any intermediate gateway
• Packets then arrive from a different source IP, which could potentially be
whitelisted (trusted device).
• Strict Source Routing:
• Defining your own route for a network
• Need to be on directly connected network
43. Evading Snort Rules
• Simple case:
• A rule exists to pick up certain user agent
• Simply change user agent.
45. Snort Rule Example
• Sample w3af signature:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN w3af User Agent"; flow: established,to_server; content:"User-Agent|3a| w3af.sourceforge.net"; http_header; fast_pattern:only; reference:url,w3af.sourceforge.net; reference:url,doc.emergingthreats.net/2007757; classtype:attempted-recon; sid:2007757; rev:12;)
• Rule header (the envelope): action (alert, log, pass), protocol, source network and port (usually defined as any, i.e. anything coming inbound), direction, then our defined servers and their ports.
• msg tag: defines the signature name (the alert that pops up).
• Rule options in parentheses: what to look for.
46. Snort Rule Example
• Other tags – flow, content, reference, classtype, sid, rev
• Classtype – different classes lump together alerts of similar
priorities
• sid: (signature ID) – can track signature through their life cycle on
Emerging Threats or through Sourcefire. “rev” is the revision
number for the signature ID.
• Need to understand the HTTP headers!!
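To make the content and http_header options concrete, here is an added example in C; it is my own code, not Snort's and not from these slides. It decodes a Snort content: string, where |xx| brackets hold hex bytes (so |3a| becomes the colon in "User-Agent:"), and does the case-sensitive search that content: without nocase performs, restricted to the HTTP header block the way http_header is. The three requests are constructed; the hostname in them is a placeholder.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Expand "User-Agent|3a| w3af..." into raw bytes.  Returns the byte count,
 * or -1 on a malformed or unterminated escape.  Whitespace inside |...| is
 * ignored, so "|0d 0a|" and "|0d0a|" decode the same way. */
int snort_content_decode(const char *pat, unsigned char *out, size_t cap) {
    size_t n = 0;
    int inhex = 0;
    for (const char *p = pat; *p; p++) {
        if (*p == '|') { inhex = !inhex; continue; }
        if (!inhex) {
            if (n >= cap) return -1;
            out[n++] = (unsigned char)*p;
            continue;
        }
        if (isspace((unsigned char)*p)) continue;
        int hi = hexval(*p), lo = hexval(p[1]);
        if (hi < 0 || lo < 0 || n >= cap) return -1;
        out[n++] = (unsigned char)((hi << 4) | lo);
        p++;                              /* consumed two hex digits */
    }
    if (inhex) return -1;                 /* unterminated |...| */
    return (int)n;
}

/* Byte-exact search; content: without nocase is case sensitive. */
static int contains(const unsigned char *hay, size_t hlen,
                    const unsigned char *needle, size_t nlen) {
    if (nlen == 0) return 1;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return 1;
    return 0;
}

/* 1 if the rule's content would match this request, given http_header:
 * only the bytes before the blank line ending the header block are searched. */
int rule_matches_request(const char *content, const char *request) {
    unsigned char pat[256];
    int n = snort_content_decode(content, pat, sizeof pat);
    if (n < 0) return 0;
    const char *end = strstr(request, "\r\n\r\n");
    size_t hlen = end ? (size_t)(end - request) : strlen(request);
    return contains((const unsigned char *)request, hlen, pat, (size_t)n);
}

/* Constructed requests: the first carries the w3af user agent in its header
 * block, the second a different agent, the third the string only in the body. */
const char W3AF_CONTENT[] = "User-Agent|3a| w3af.sourceforge.net";
const char REQ_W3AF[] =
    "GET / HTTP/1.1\r\nHost: www.example.test\r\n"
    "User-Agent: w3af.sourceforge.net\r\nAccept: */*\r\n\r\n";
const char REQ_OTHER[] =
    "GET / HTTP/1.1\r\nHost: www.example.test\r\n"
    "User-Agent: Mozilla/5.0\r\nAccept: */*\r\n\r\n";
const char REQ_BODY_ONLY[] =
    "POST /echo HTTP/1.1\r\nHost: www.example.test\r\nUser-Agent: curl/8.0\r\n"
    "Content-Length: 32\r\n\r\nUser-Agent: w3af.sourceforge.net";

int main(void) {
    printf("w3af UA in header: %d\n", rule_matches_request(W3AF_CONTENT, REQ_W3AF));
    printf("other UA:          %d\n", rule_matches_request(W3AF_CONTENT, REQ_OTHER));
    printf("w3af UA in body:   %d\n", rule_matches_request(W3AF_CONTENT, REQ_BODY_ONLY));
    return 0;
}
```

The second and third requests show the two sides of the "simple case" on slide 43: a signature keyed on one literal string matches nothing else, and the http_header modifier means the same string elsewhere in the request is not even examined. When the agent string of a tool changes, the signature author ships a new content: value and bumps rev, which is the life-cycle tracking the sid exists for.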
53. MS08-067
• Changing the payload will bypass this specific signature.
• Payload was changed to a reverse https handler
54. About the payload
• Switching the payload evaded the signature.
• The IDS / IPS could be detecting other payloads, or even
characteristics of a payload.
• Using different encodings for the payload can be effective.
55. Tunnels
• Scenario:
• Attacker is blocked by firewall (System A).
• Attacker finds another host (System B), perhaps a partner website
or a portal with open services.
• Attacker breaches that host (System B), and tunnels through to the
original target (System A).
• System B’s IP address may be whitelisted, or maybe even on a
VPN.
• Tunneling allows us to attack from different computers.
• Good for “anonymous pentesting”.
56. Tunnels
• Ex: Attacker can sniff traffic from System B and steal valid
MAC addresses, spoof their MAC, and gain access to
networks that use MAC address authentication
• With the new MAC address, the attacker may face fewer
restrictions.
• May have access to new subnets.
• Firewalls, IDS, etc.. may not detect attacks or malicious
behavior because it is originating from a trusted host.
• Better rules can fix this, though.
57. Tunnels
• “SSH Gymnastics and Tunneling with ProxyChains” – magikh0e
• Tunneling through hosts using proxychains
• Explanation of how to reach protected hosts by tunneling through a
different host
• Tunnel all UDP/TCP traffic from a specific process over a proxy.
58. • From magikh0e’s SSH Gymnastics and Tunneling with ProxyChains
• http://magikh0e.ihtb.org/pubPapers/ssh_gymnastics_tunneling.html
59. Tunnels and Logging
• Can hop through Tor.
• Bounce through different countries.
• Many systems can be easily compromised by attackers
and used to hide their identity.
• General attack setup:
• Attacker -> Cracked wifi -> Compromised Host -> Compromised
Host -> Compromised Host -> ……. -> Target Host
60. Tunnels and Logging
• How do attackers find machines to tunnel through?
• Leverage vulnerabilities to gain remote access.
• Backdoor, rootkits.
• How do attackers use these machines to stay
anonymous?
• Forward all of their traffic through compromised machine.
• Bouncing through a single machine is not a good idea.
• Multiple hosts on multiple devices in multiple countries.
61. Tunnels and Logging
• Automation example (not tested. The grep -b4 would probably need to be
more dynamic):
  # assumes $port, $host and $service were set beforehand
  max_ms=250
  hosts=( $(nmap -PN -sV -p"$port" "$host" | grep -b4 "$service" | egrep -o '[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}') )
  for ip in "${hosts[@]}"
  do
    # want to make sure ping response time is within our specified $max_ms
    time=$(ping -c1 "$ip" | egrep -o 'time=[0-9]{1,5}' | sed -e 's/time=//g' | tr -d '\n')
    if [[ "${time:-1000}" -ge $max_ms ]]
    then
      echo "$ip $time too slow, ignoring"
    else
      echo "$ip $time OK.. attempting to connect"
      # do stuff here with discovered device...
    fi
  done
62. Tunnels and Logging
• Useful for finding targets by a known vulnerable “service”.
• Once service is discovered, attacker can try to exploit the
vulnerable service, or brute force.
• Once access is gained, target can be used as a tunnel or
a proxy for web traffic.
• When analysts see attacks, they do not see the real
hosts.
• Tracking down the attackers becomes difficult, the log
data does not provide much useful information.
• Blacklisting IP addresses is futile.
63. Proprietary Protocols
• It can be difficult to write signatures for proprietary
protocols.
• A lot of traffic can appear to be legitimate but actually
be malicious.
• The protocol specification and the source code for the
service may not be readily available.
• The analyst will have a hard time detecting these.
• Attacks can target the application to gain access to the
network or trigger an application layer DoS.
• Example: game servers