This document provides a summary of authentication techniques and common vulnerabilities. It discusses how over 90% of applications use usernames and passwords for authentication. More secure authentication methods like two-factor authentication are also described. The document outlines various authentication protocols like HTTP, SAML, and JWT. It then details common design flaws such as weak passwords, password change vulnerabilities, account recovery issues, and information leakage. Specific attacks like brute force, credential stuffing, and session hijacking are examined. The summary recommends approaches to secure authentication like strong credentials, hashing passwords, multi-factor authentication, and logging authentication events.
CNIT 129S - Ch 3: Web Application TechnologiesSam Bowne
For a college course at CCSF taught by Sam Bowne.
https://samsclass.info/129S/129S_S18.shtml
Based on "The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws 2nd Edition", by Dafydd Stuttard , Marcus Pinto; ISBN-10: 1118026470
This document discusses techniques for hunting bad guys on networks, including identifying client-side attacks, malware command and control channels, post-exploitation activities, and hunting artifacts. It provides examples of using DNS logs, firewall logs, HTTP logs, registry keys, installed software inventories, and the AMCache registry hive to look for anomalous behaviors that could indicate security compromises. The goal is to actively hunt for threats rather than just detecting known bad behaviors.
This document provides an overview of identity and access management topics including authentication methods, password types, password hashing and cracking techniques, multifactor authentication, biometric systems, access control technologies like single sign-on and Kerberos, and identity management services. The key points covered are the four types of authentication (something you know, have, are, or where you are), methods for static, one-time, and dynamic passwords, password hashing and cracking attacks, and centralized vs decentralized access control systems.
For a college course at CCSF taught by Sam Bowne.
https://samsclass.info/129S/129S_S18.shtml
Based on "The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws 2nd Edition", by Dafydd Stuttard , Marcus Pinto; ISBN-10: 1118026470
This document provides an overview of securing session management and discusses vulnerabilities in session tokens. It describes how session tokens can be attacked by predicting, modifying, or stealing them. It also discusses weaknesses related to how tokens are generated, transmitted, handled by applications, and terminated. The document recommends generating strong, unpredictable tokens and protecting them throughout their lifecycle to help secure session management.
Attack All the Layers: What's Working during Pentests (OWASP NYC)Scott Sutherland
This presentation is intended to provide an overview of vulnerabilities and attack techniques that are popular in penetration testing at the moment. Vulnerabilities related to the application, network, and server layers will be covered along with current anti-virus bypass and privilege escalation techniques used by attackers and penetration testers. This presentation should be interesting to security professionals and system administrators looking for more insight into real world attacks.
This is the version modified for the OWASP meeting in June of 2014.
This document provides a summary of authentication techniques and common vulnerabilities. It discusses how over 90% of applications use usernames and passwords for authentication. More secure authentication methods like two-factor authentication are also described. The document outlines various authentication protocols like HTTP, SAML, and JWT. It then details common design flaws such as weak passwords, password change vulnerabilities, account recovery issues, and information leakage. Specific attacks like brute force, credential stuffing, and session hijacking are examined. The summary recommends approaches to secure authentication like strong credentials, hashing passwords, multi-factor authentication, and logging authentication events.
CNIT 129S - Ch 3: Web Application TechnologiesSam Bowne
For a college course at CCSF taught by Sam Bowne.
https://samsclass.info/129S/129S_S18.shtml
Based on "The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws 2nd Edition", by Dafydd Stuttard , Marcus Pinto; ISBN-10: 1118026470
This document discusses techniques for hunting bad guys on networks, including identifying client-side attacks, malware command and control channels, post-exploitation activities, and hunting artifacts. It provides examples of using DNS logs, firewall logs, HTTP logs, registry keys, installed software inventories, and the AMCache registry hive to look for anomalous behaviors that could indicate security compromises. The goal is to actively hunt for threats rather than just detecting known bad behaviors.
This document provides an overview of identity and access management topics including authentication methods, password types, password hashing and cracking techniques, multifactor authentication, biometric systems, access control technologies like single sign-on and Kerberos, and identity management services. The key points covered are the four types of authentication (something you know, have, are, or where you are), methods for static, one-time, and dynamic passwords, password hashing and cracking attacks, and centralized vs decentralized access control systems.
For a college course at CCSF taught by Sam Bowne.
https://samsclass.info/129S/129S_S18.shtml
Based on "The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws 2nd Edition", by Dafydd Stuttard , Marcus Pinto; ISBN-10: 1118026470
This document provides an overview of securing session management and discusses vulnerabilities in session tokens. It describes how session tokens can be attacked by predicting, modifying, or stealing them. It also discusses weaknesses related to how tokens are generated, transmitted, handled by applications, and terminated. The document recommends generating strong, unpredictable tokens and protecting them throughout their lifecycle to help secure session management.
Attack All the Layers: What's Working during Pentests (OWASP NYC)Scott Sutherland
This presentation is intended to provide an overview of vulnerabilities and attack techniques that are popular in penetration testing at the moment. Vulnerabilities related to the application, network, and server layers will be covered along with current anti-virus bypass and privilege escalation techniques used by attackers and penetration testers. This presentation should be interesting to security professionals and system administrators looking for more insight into real world attacks.
This is the version modified for the OWASP meeting in June of 2014.
For a college class: Hacking Mobile Devices at CCSF
Based on "The Mobile Application Hacker's Handbook 1st Edition", by Dominic Chell
Instructor: Sam Bowne
More info: https://samsclass.info/128/128_S19.shtml
Attacker's Perspective of Active DirectorySunny Neo
This document provides an overview of attack methodologies from an attacker's perspective when targeting Active Directory environments. It discusses initial access techniques, privilege escalation to domain admin rights, maintaining situational awareness through techniques like password spraying and Kerberoasting, and lateral movement tactics like pass the hash and pass the ticket. It also provides mitigation strategies and detection opportunities for defenders.
This document provides a summary of key concepts related to web application technologies. It discusses HTTP and HTTP requests/responses, including common headers. It also covers client-side technologies like HTML, CSS, JavaScript, and how they interact with the server via HTTP. On the server-side, it discusses programming languages and frameworks like Java, ASP.NET, PHP, and common databases. It also covers concepts like cookies, sessions, and different encoding schemes used to transmit data.
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms Sam Bowne
This document discusses core defense mechanisms for securing web applications, including limiting user access and input, and administrative monitoring. It covers authentication, session management, access control, input validation techniques like whitelisting and sanitization, boundary validation to divide trusted and untrusted zones, handling errors, maintaining audit logs, alerting administrators, and reacting to attacks. It also notes security risks of management interfaces and importance of securing the entire application, not just the user-facing parts.
1. The document discusses how passwords can be exposed on Windows systems through cleartext storage, encrypted storage that can be decrypted, and password hashes.
2. Passwords are commonly stored in cleartext in files, registry settings, configuration files, and network traffic using basic authentication. Encrypted passwords can sometimes be decrypted if the encryption key is known or can be recovered.
3. The document provides recommendations for securing passwords such as avoiding cleartext storage, encrypting passwords appropriately, and auditing systems regularly for exposed passwords.
This document provides information about DHCP and DNS logging. It discusses:
- Microsoft DHCP logs location and format, with limitations like one week retention
- ISC DHCP logs to syslog and examples of log entries
- DNS logging using DNSCAP or network packet captures
- Microsoft and ISC BIND DNS logging configurations and limitations
It recommends searching DHCP logs by IP address or MAC address to identify devices, and DNS logs to see domains visited and querying IPs. The document also notes attackers may change IP addresses, and malware may strip version information to evade detection.
The Unintended Risks of Trusting Active DirectoryWill Schroeder
This presentation was given at Sp4rkCon 2018. It covers the combination of Active Directory and host-based security descriptor backdooring and the associated security implications.
For a college course at CCSF taught by Sam Bowne.
https://samsclass.info/129S/129S_S18.shtml
Based on "The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws 2nd Edition", by Dafydd Stuttard , Marcus Pinto; ISBN-10: 1118026470
For a college class in Ethical Hacking and Network Defense at CCSF, by Sam Bowne. More info at https://samsclass.info/123/123_F17.shtml
Based on this book
Hands-On Ethical Hacking and Network Defense, Third Edition by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 9781285454610
This document provides a summary of session management vulnerabilities. It discusses how session management enables identifying users across multiple requests and is thus a prime target for attackers. Potential consequences of session management attacks include impersonating other users or escalating privileges. The document then covers specific weaknesses like predictable or encrypted tokens, time-dependent values, and weak random number generation that can be exploited. It also addresses issues like tokens being transmitted without encryption, stolen via network sniffing, or exposed by not fully using HTTPS. Overall, the summary highlights how session management is critical to security and important to attack.
This document discusses cross-site scripting (XSS) attacks and how they can be carried out. It describes different types of XSS like reflected, stored, and DOM-based XSS. It provides examples of real-world XSS attacks on sites like MySpace, Twitter, and Apache. It also discusses techniques attackers use to deliver payloads, bypass input filtering, span injections across multiple locations, and more. The goal is to summarize the key points about how XSS attacks work and strategies attackers employ.
Attack All the Layers - What's Working in Penetration TestingNetSPI
The document discusses techniques for attacking different layers during a penetration test. It covers attacking protocols like ARP, NBNS, SMB, PXE and DTP. It also discusses attacking passwords by cracking hashes, dictionary attacks, and dumping passwords in cleartext. Additionally, it covers attacking applications, bypassing endpoint protection, and escalating privileges on Windows systems locally and within a domain. The overall message is that penetration testers should attack all layers of the stack during a test to fully evaluate security.
The document discusses common web application security vulnerabilities and best practices for prevention. It covers topics like cross-site scripting (XSS), SQL injection, insecure direct object references, command injection, cross-site request forgery (CSRF), and improper password storage. The document provides examples of each vulnerability and recommendations for prevention, including input validation, prepared statements, encryption, hashing passwords, and other techniques. The objectives are to create awareness of web security issues and how developers can build more secure applications using secure coding practices.
Fuzzing and You: Automating Whitebox TestingNetSPI
Fuzzing is easy, but getting useful information from fuzzing isn’t. ‘Spray and pray’ might get some results, but a set of well-designed tests will get much better results faster. Unfortunately, the job doesn’t end there. Fuzzing doesn’t find vulnerabilities; fuzzing finds unexpected behavior. Interpreting that unexpected behavior relies on understanding the application you’re fuzzing and the tests you’ve designed. This presentation will discuss techniques for creating tests targeted towards uncovering specific behavior, including authorization bypasses, directory traversals, and buffer overflows.
Slides for a college course at City College San Francisco. Based on "Hands-On Ethical Hacking and Network Defense, Third Edition" by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 9781285454610.
Instructor: Sam Bowne
Class website: https://samsclass.info/123/123_S17.shtml
CNIT 129S: Ch 3: Web Application TechnologiesSam Bowne
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Website: https://samsclass.info/129S/129S_F16.shtml
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
Заполучили права администратора домена? Игра еще не оконченаPositive Hack Days
Получение прав администратора домена не всегда означает, что сразу появляется доступ ко всем хостам, общим ресурсам или базам данных сети. Хитрость в том, чтобы найти нужный аккаунт. Докладчик приведет примеры различных сценариев внутреннего тестирования на проникновение, расскажет о сложностях, с которыми столкнулась его команда и о том, как разрабатывался инструмент, позволивший справиться с ними.
Ch 8: Desktop and Server OS VulnerabilitesSam Bowne
Slides for a college course at City College San Francisco. Based on "Hands-On Ethical Hacking and Network Defense, Third Edition" by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 9781285454610.
Instructor: Sam Bowne
Class website: https://samsclass.info/123/123_S17.shtml
For a college class: Hacking Mobile Devices at CCSF
Based on "The Mobile Application Hacker's Handbook 1st Edition", by Dominic Chell
Instructor: Sam Bowne
More info: https://samsclass.info/128/128_S19.shtml
Attacker's Perspective of Active DirectorySunny Neo
This document provides an overview of attack methodologies from an attacker's perspective when targeting Active Directory environments. It discusses initial access techniques, privilege escalation to domain admin rights, maintaining situational awareness through techniques like password spraying and Kerberoasting, and lateral movement tactics like pass the hash and pass the ticket. It also provides mitigation strategies and detection opportunities for defenders.
This document provides a summary of key concepts related to web application technologies. It discusses HTTP and HTTP requests/responses, including common headers. It also covers client-side technologies like HTML, CSS, JavaScript, and how they interact with the server via HTTP. On the server-side, it discusses programming languages and frameworks like Java, ASP.NET, PHP, and common databases. It also covers concepts like cookies, sessions, and different encoding schemes used to transmit data.
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms Sam Bowne
This document discusses core defense mechanisms for securing web applications, including limiting user access and input, and administrative monitoring. It covers authentication, session management, access control, input validation techniques like whitelisting and sanitization, boundary validation to divide trusted and untrusted zones, handling errors, maintaining audit logs, alerting administrators, and reacting to attacks. It also notes security risks of management interfaces and importance of securing the entire application, not just the user-facing parts.
1. The document discusses how passwords can be exposed on Windows systems through cleartext storage, encrypted storage that can be decrypted, and password hashes.
2. Passwords are commonly stored in cleartext in files, registry settings, configuration files, and network traffic using basic authentication. Encrypted passwords can sometimes be decrypted if the encryption key is known or can be recovered.
3. The document provides recommendations for securing passwords such as avoiding cleartext storage, encrypting passwords appropriately, and auditing systems regularly for exposed passwords.
This document provides information about DHCP and DNS logging. It discusses:
- Microsoft DHCP logs location and format, with limitations like one week retention
- ISC DHCP logs to syslog and examples of log entries
- DNS logging using DNSCAP or network packet captures
- Microsoft and ISC BIND DNS logging configurations and limitations
It recommends searching DHCP logs by IP address or MAC address to identify devices, and DNS logs to see domains visited and querying IPs. The document also notes attackers may change IP addresses, and malware may strip version information to evade detection.
The Unintended Risks of Trusting Active DirectoryWill Schroeder
This presentation was given at Sp4rkCon 2018. It covers the combination of Active Directory and host-based security descriptor backdooring and the associated security implications.
For a college course at CCSF taught by Sam Bowne.
https://samsclass.info/129S/129S_S18.shtml
Based on "The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws 2nd Edition", by Dafydd Stuttard , Marcus Pinto; ISBN-10: 1118026470
For a college class in Ethical Hacking and Network Defense at CCSF, by Sam Bowne. More info at https://samsclass.info/123/123_F17.shtml
Based on this book
Hands-On Ethical Hacking and Network Defense, Third Edition by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 9781285454610
This document provides a summary of session management vulnerabilities. It discusses how session management enables identifying users across multiple requests and is thus a prime target for attackers. Potential consequences of session management attacks include impersonating other users or escalating privileges. The document then covers specific weaknesses like predictable or encrypted tokens, time-dependent values, and weak random number generation that can be exploited. It also addresses issues like tokens being transmitted without encryption, stolen via network sniffing, or exposed by not fully using HTTPS. Overall, the summary highlights how session management is critical to security and important to attack.
This document discusses cross-site scripting (XSS) attacks and how they can be carried out. It describes different types of XSS like reflected, stored, and DOM-based XSS. It provides examples of real-world XSS attacks on sites like MySpace, Twitter, and Apache. It also discusses techniques attackers use to deliver payloads, bypass input filtering, span injections across multiple locations, and more. The goal is to summarize the key points about how XSS attacks work and strategies attackers employ.
Attack All the Layers - What's Working in Penetration TestingNetSPI
The document discusses techniques for attacking different layers during a penetration test. It covers attacking protocols like ARP, NBNS, SMB, PXE and DTP. It also discusses attacking passwords by cracking hashes, dictionary attacks, and dumping passwords in cleartext. Additionally, it covers attacking applications, bypassing endpoint protection, and escalating privileges on Windows systems locally and within a domain. The overall message is that penetration testers should attack all layers of the stack during a test to fully evaluate security.
The document discusses common web application security vulnerabilities and best practices for prevention. It covers topics like cross-site scripting (XSS), SQL injection, insecure direct object references, command injection, cross-site request forgery (CSRF), and improper password storage. The document provides examples of each vulnerability and recommendations for prevention, including input validation, prepared statements, encryption, hashing passwords, and other techniques. The objectives are to create awareness of web security issues and how developers can build more secure applications using secure coding practices.
Fuzzing and You: Automating Whitebox TestingNetSPI
Fuzzing is easy, but getting useful information from fuzzing isn’t. ‘Spray and pray’ might get some results, but a set of well-designed tests will get much better results faster. Unfortunately, the job doesn’t end there. Fuzzing doesn’t find vulnerabilities; fuzzing finds unexpected behavior. Interpreting that unexpected behavior relies on understanding the application you’re fuzzing and the tests you’ve designed. This presentation will discuss techniques for creating tests targeted towards uncovering specific behavior, including authorization bypasses, directory traversals, and buffer overflows.
Slides for a college course at City College San Francisco. Based on "Hands-On Ethical Hacking and Network Defense, Third Edition" by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 9781285454610.
Instructor: Sam Bowne
Class website: https://samsclass.info/123/123_S17.shtml
CNIT 129S: Ch 3: Web Application TechnologiesSam Bowne
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Website: https://samsclass.info/129S/129S_F16.shtml
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
Заполучили права администратора домена? Игра еще не оконченаPositive Hack Days
Получение прав администратора домена не всегда означает, что сразу появляется доступ ко всем хостам, общим ресурсам или базам данных сети. Хитрость в том, чтобы найти нужный аккаунт. Докладчик приведет примеры различных сценариев внутреннего тестирования на проникновение, расскажет о сложностях, с которыми столкнулась его команда и о том, как разрабатывался инструмент, позволивший справиться с ними.
Ch 8: Desktop and Server OS VulnerabilitesSam Bowne
Slides for a college course at City College San Francisco. Based on "Hands-On Ethical Hacking and Network Defense, Third Edition" by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 9781285454610.
Instructor: Sam Bowne
Class website: https://samsclass.info/123/123_S17.shtml
This presentation will provide an overview of common methods that can be used to obtain clear text credentials from Microsoft products such as Windows, IIS, and SQL Server. It also provides an overview of the proof of concept script used to recover MSSQL Linked Server passwords.
Relevant blog links have been provided below.
https://www.netspi.com/blog/entryid/215/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1
https://www.netspi.com/blog/entryid/226/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2
https://www.netspi.com/blog/entryid/221/decrypting-mssql-database-link-server-passwords
More security blogs by the authors can be found @
https://www.netspi.com/blog/
Talk at TYPO3 Conference 2016 in Bologna/Italy. Basic insights into hacking websites with SqlMap and BeEF XSS and considerations to prevent that. Screencasts of SQLi and XSS at https://www.youtube.com/watch?v=VIGVlmaKqxY & https://www.youtube.com/watch?v=WBDWWv5zdUQ
Pentest Apocalypse-That's when you hire a pentester, and they walk all over your network. To avoid this, organizations need to be prepared before the first packet is sent in order to get the most value from the tester. There is no excuse for pentesters to find critical vulnerabilities that are six years old on an assessment. And who needs a zero-day when employees leave credentials on wide-open shares? Just like how Doomsday Preppers helps you prepare for the apocalypse, this presentation will help you prepare for, and avoid, a pentest apocalypse by describing common vulnerabilities found on many assessments. Being prepared for common pentester activities will not only help add value to a pentest but will also help prevent attackers from using the same tactics to compromise your organization.
For More Information Please Visit:- http://bsidestampa.net
http://www.irongeek.com/i.php?page=videos/bsidestampa2015/104-pentest-apocalypse-beau-bullock
This document introduces Ranger, an automated Windows attack tool that uses methods like WMIEXEC, SMBEXEC, and PSEXEC to quickly access and exploit targets in a stealthy manner. It summarizes Ranger's capabilities such as identifying systems an account has access to, executing code without dropping payloads, and automatically logging results. The document outlines how Ranger delivers payloads through an HTTP catapult server and employs techniques like double encoding and direct memory injection to avoid detection. It also describes how Ranger can take input like IP ranges/files and output aggregated credential data. Mitigations like credential hygiene practices and PowerShell logging are proposed to prevent Ranger attacks.
This document discusses anatomy of cloud hacks by analyzing past data breaches and vulnerabilities. It begins by looking at known attacks where compromised infrastructure was based in the cloud. Specific case studies of attacks on Code Spaces, Olindata, and Tesla are described. The document then covers techniques for enumerating cloud services and resources like storage containers. Methods for gaining an initial foothold like leaked credential hunting and exploiting server-side request forgery are also outlined.
CNIT 123: 8: Desktop and Server OS VulnerabilitesSam Bowne
Slides for a college course based on "Hands-On Ethical Hacking and Network Defense, Second Edition by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 1133935613
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/123/123_F16.shtml
CNIT 123 8: Desktop and Server OS VulnerabilitiesSam Bowne
For a college class in Ethical Hacking and Network Defense at CCSF, by Sam Bowne. More info at https://samsclass.info/123/123_S18.shtml
Based on this book
Hands-On Ethical Hacking and Network Defense, Third Edition by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 9781285454610
This document discusses techniques for lateral movement within a network after gaining initial access. It covers using existing credentials from an initial compromised system to access other systems on the network by scanning for open ports and services, exploiting vulnerabilities like EternalBlue to spread to other unpatched systems, and harvesting additional credentials from plaintext files, backups, or tools like Mimikatz to escalate privileges and access more sensitive systems. It concludes with recommendations for protection measures like keeping systems patched, limiting local admin rights, strong unique passwords, IPS, and endpoint/network detection systems to limit lateral movement within a network.
The document discusses techniques for operating system security including authentication, authorization, and confinement. It describes the goals of safely sharing resources while preventing unauthorized access to private data or interference between programs. The trusted computing base and security techniques like reference monitors, access control lists, and capabilities are explained. Later sections cover implementing authentication through passwords, public keys, and biometrics and how authorization works using access control matrices. The challenges of confinement and running untrusted code securely are also discussed.
Bsidesnova- Pentesting Methodology - Making bits less complicatedOctavio Paguaga
The document discusses various penetration testing techniques including:
1. Using OSINT techniques like disabling content security policies to scrape invite links from a site.
2. Checking domains with services like VirusTotal to see their categorization and reputation over time.
3. Using Azure domain fronting to hide command and control domains from network defenders.
4. Enumerating Active Directory with tools like Bloodhound to find high privilege accounts and exploit delegation.
Practical security - access control, least privilege, cryptography at work, security attacks and pen testing your system with MetaSploit. The enemy knows the system. Not security by obscurity
Practical Red Teaming is a hands-on class designed to teach participants with various techniques and tools for performing red teaming attacks. The goal of the training is to give a red teamer’s perspective to participants who want to go beyond VAPT. This intense course immerses students in a simulated enterprise environment, with multiple domains, up-to-date and patched operating systems. We will cover several phases of a Red Team engagement in depth – Local Privilege escalation, Domain Enumeration, Admin Recon, Lateral movement, Domain Admin privileges etc.
If you want to learn how to perform Red Team operations, sharpen your red teaming skillset, or understand how to defend against modern attacks, Practical Red Teaming is the course for you.
Topics :
• Red Team philosophy/overview
• Red Teaming vs Penetration Testing
• Active Directory Fundamentals – Forests, Domains, OU’s etc
• Assume Breach Methodology
• Insider Attack Simulation
• Introduction to PowerShell
• Initial access methods
• Privilege escalation methods through abuse of misconfigurations
• Domain Enumeration
• Lateral Movement and Pivoting
• Single sign-on in Active Directory
• Abusing built-in functionality for code execution
• Credential Replay
• Domain privileges abuse
• Dumping System and Domain Secrets
• Kerberos – Basics and its Fundamentals
• Kerberos Attack and Defense (Kerberoasting, Silver ticket, Golden ticket attack etc)
https://bsidessg.org/schedule/2019-ajaychoudhary-and-niteshmalviya/
Attack All The Layers - What's Working in Penetration TestingNetSPI
The document discusses techniques for attacking different layers during a penetration test. It covers attacking protocols like ARP, NBNS, SMB, PXE and DTP. It also discusses attacking passwords by cracking hashes, dictionary attacks, and dumping passwords in cleartext. Application attacks like SQL injection and directory traversals are mentioned. Bypassing endpoint protection through code injection and modifying application whitelisting is covered. Windows privilege escalation techniques like exploiting insecure service configurations and dumping credentials from memory are also summarized. The conclusions state that most networks and protocols have vulnerabilities but can be fixed through proper controls and patching.
Breadcrumbs to Loaves: How tidbits of Information Lead Us to Full-Scale Compromise. Presented at BSides Austin 2017. Follow on Twitter: @arvanaghi
Often on red teams, there is no obvious path to compromising the environment. Reconnaissance efforts, both external and internal, may yield only crumbs of information. Though tiny and often in obscure locations, these bits of information can serve as a trail of breadcrumbs to full-scale compromise. Specific keys in the Windows Registry and unusual sources of open-source intelligence gathering can provide valuable information about a network mapping that most companies don’t know exist. We walk you step-by-step through what some of these crumbs are, how to find them, and how we have used tiny bits of information to escalate our privileges to full-scale enterprise compromise.
MS LAPS protection: portal for secure access to local admin passwordsNikolay Klendar
weblaps.pro - secure way to get passwords of local administrators managed by LAPS. Web portal with 2FA, extended audit log, flexible access control and other paranoid security features. Mobile app helps to use LAPS passwords in more convenient way.
Slide deck for the Secruity Weekly session on Oct 25th 2018. Code is up on www.github/YossiSassi. Special thanks to Eyal Neemany & Omer Yair who helped prep this talk.
Protecting Windows Passwords and Preventing Windows Computer / Password AttacksZoho Corporation
Derek Melber, Technical Evangelist for the AD Solutions team at ManageEngine and one of only 12 Microsoft Group Policy MVPs in the world, from his extensive knowledge in the Windows Active Directory security domain shares practical tips on the various ways to protect a computer / organization from Windows computer / password attacks. Gain strength from the detailed 14 tips and tricks!
Similar to Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access (20)
Michael Gianarakis' presentation discusses developing secure iOS applications. It provides an overview of the iOS application attack surface and common security issues. It outlines secure design principles such as not trusting the client/runtime, understanding the app's risk profile, implementing anti-debugging controls, jailbreak detection, and address space validation. The presentation aims to help developers design apps that are secure against common attacks.
CrikeyCon 2017 - Rumours of our Demise Have Been Greatly Exaggeratedeightbit
- Bug bounties involve crowdsourcing security testing by allowing security researchers to submit vulnerabilities found in systems and receive financial or other incentives for valid submissions.
- While bug bounties address skills shortages and testing challenges, managing a bounty program requires security expertise and the ability to quickly fix issues. Production testing also carries risks if not properly controlled.
- Lessons from SEEK's private bounty programs showed limited control over researchers, importance of clear program guidelines, and need for timely response to researchers to maintain incentives.
- The economics of bounty programs are more complex than portrayed, with costs including management fees, downtime expenses, and impact on production systems and incentives. Total cost of ownership models are more
Hack in the Box GSEC 2016 - Reverse Engineering Swift Applicationseightbit
Swift apps present some challenges for reverse engineering compared to Objective-C apps. The main challenges are that Swift is less dynamic and there is limited tooling available. To analyze Swift apps, one can disassemble the binary and demangle Swift function names using the swift-demangle utility. For apps with Objective-C code as well, the class-dump tool can provide some class information. Runtime inspection using debuggers is also possible but less straightforward than with Objective-C. Overall, while more difficult, many typical reverse engineering tasks can still be performed on Swift apps.
Rootcon X - Reverse Engineering Swift Applicationseightbit
The document discusses challenges and techniques for reverse engineering Swift apps. It notes that class dump utilities do not work on Swift binaries due to name mangling. However, the symbol table, nm tool, and swift-demangle utility can be used to retrieve function signatures. A hacked script approximates class dump output. While stripping symbols makes analysis harder, Objective-C compatibility eases the process. Other tools like classdump-dyld and disassemblers also help. Function hooking is possible but setter methods require calling from top-level code due to inlining.
This document provides an introduction to runtime hacking on iOS. It discusses setting up the environment, mapping out an application by decrypting and dumping binaries to obtain class information. It then covers techniques for dumping and modifying variables at runtime like retrieving sensitive user data. Methods for manipulating functions are also presented, such as bypassing authentication or jailbreak detection. Persistence techniques like injecting libraries are explained. Finally, it addresses considerations for hacking Swift applications. The overall goal is to quickly get people up to speed on runtime analysis and manipulation of third-party iOS apps.
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...eightbit
This document discusses securing mobile applications. It begins with an overview of threats to mobile platforms and how they have created opportunities for hackers. It then discusses understanding the risks with a mobile threat model showing different attack vectors. The key threats identified are insecure data storage, insufficient transport layer security, and client side injection. It provides examples of these threats and how they are commonly exploited. Finally, it discusses defending mobile applications with design principles and approaches like assuming the client is compromised, connecting to untrusted networks, and an untrusted operating system. It emphasizes the basics of secure development, testing, and ongoing monitoring and review.
This document provides a crash course on runtime hacking of iOS applications. It discusses setting up the necessary environment, mapping out an application by decrypting and dumping binaries to obtain class information. It then demonstrates how to retrieve sensitive variables like credentials by directly accessing them at runtime using Cycript. Finally, it shows how functions can be manipulated to bypass security checks or modify application behavior persistently through injection.
The document discusses developing secure iOS applications. It covers common security issues like binary and runtime security, transport layer security, and data security. It provides principles for secure design like not trusting the client/runtime and not storing sensitive data on devices. It also describes techniques to address specific issues like debug checks, jailbreak detection, and preventing unintended data leakage.
Ruxmon April 2014 - Introduction to iOS Penetration Testingeightbit
The document provides an introduction to iOS application penetration testing. It discusses setting up a testing environment including jailbreaking a device and installing tools. It covers assessing data security issues like insecurely stored data and background snapshots. Topics to be covered include binary analysis, runtime manipulation, transport security, and other testing like authentication and sessions.
OWASP Melbourne - Introduction to iOS Application Penetration Testingeightbit
This document provides an introduction to iOS application penetration testing. It discusses setting up an iOS penetration testing environment, including jailbreaking a test device and installing necessary software tools. It also provides an overview of iOS and Objective-C, covering key security features of iOS like sandboxing, ASLR, code signing, and data encryption. Topics to be covered include assessing data security, binary analysis, runtime manipulation, and evaluating authentication, session management, and transport security.
Full-RAG: A modern architecture for hyper-personalizationZilliz
Mike Del Balso, CEO & Co-Founder at Tecton, presents "Full RAG," a novel approach to AI recommendation systems, aiming to push beyond the limitations of traditional models through a deep integration of contextual insights and real-time data, leveraging the Retrieval-Augmented Generation architecture. This talk will outline Full RAG's potential to significantly enhance personalization, address engineering challenges such as data management and model training, and introduce data enrichment with reranking as a key solution. Attendees will gain crucial insights into the importance of hyperpersonalization in AI, the capabilities of Full RAG for advanced personalization, and strategies for managing complex data integrations for deploying cutting-edge AI solutions.
UiPath Test Automation using UiPath Test Suite series, part 5DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 5. In this session, we will cover CI/CD with devops.
Topics covered:
CI/CD with in UiPath
End-to-end overview of CI/CD pipeline with Azure devops
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/building-and-scaling-ai-applications-with-the-nx-ai-manager-a-presentation-from-network-optix/
Robin van Emden, Senior Director of Data Science at Network Optix, presents the “Building and Scaling AI Applications with the Nx AI Manager,” tutorial at the May 2024 Embedded Vision Summit.
In this presentation, van Emden covers the basics of scaling edge AI solutions using the Nx tool kit. He emphasizes the process of developing AI models and deploying them globally. He also showcases the conversion of AI models and the creation of effective edge AI pipelines, with a focus on pre-processing, model conversion, selecting the appropriate inference engine for the target hardware and post-processing.
van Emden shows how Nx can simplify the developer’s life and facilitate a rapid transition from concept to production-ready applications.He provides valuable insights into developing scalable and efficient edge AI solutions, with a strong focus on practical implementation.
“An Outlook of the Ongoing and Future Relationship between Blockchain Technologies and Process-aware Information Systems.” Invited talk at the joint workshop on Blockchain for Information Systems (BC4IS) and Blockchain for Trusted Data Sharing (B4TDS), co-located with with the 36th International Conference on Advanced Information Systems Engineering (CAiSE), 3 June 2024, Limassol, Cyprus.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIVladimir Iglovikov, Ph.D.
Presented by Vladimir Iglovikov:
- https://www.linkedin.com/in/iglovikov/
- https://x.com/viglovikov
- https://www.instagram.com/ternaus/
This presentation delves into the journey of Albumentations.ai, a highly successful open-source library for data augmentation.
Created out of a necessity for superior performance in Kaggle competitions, Albumentations has grown to become a widely used tool among data scientists and machine learning practitioners.
This case study covers various aspects, including:
People: The contributors and community that have supported Albumentations.
Metrics: The success indicators such as downloads, daily active users, GitHub stars, and financial contributions.
Challenges: The hurdles in monetizing open-source projects and measuring user engagement.
Development Practices: Best practices for creating, maintaining, and scaling open-source libraries, including code hygiene, CI/CD, and fast iteration.
Community Building: Strategies for making adoption easy, iterating quickly, and fostering a vibrant, engaged community.
Marketing: Both online and offline marketing tactics, focusing on real, impactful interactions and collaborations.
Mental Health: Maintaining balance and not feeling pressured by user demands.
Key insights include the importance of automation, making the adoption process seamless, and leveraging offline interactions for marketing. The presentation also emphasizes the need for continuous small improvements and building a friendly, inclusive community that contributes to the project's growth.
Vladimir Iglovikov brings his extensive experience as a Kaggle Grandmaster, ex-Staff ML Engineer at Lyft, sharing valuable lessons and practical advice for anyone looking to enhance the adoption of their open-source projects.
Explore more about Albumentations and join the community at:
GitHub: https://github.com/albumentations-team/albumentations
Website: https://albumentations.ai/
LinkedIn: https://www.linkedin.com/company/100504475
Twitter: https://x.com/albumentations
UiPath Test Automation using UiPath Test Suite series, part 6DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Communications Mining Series - Zero to Hero - Session 1DianaGray10
This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
1. Portia - Finding Your Way To
Domain Access
Michael Gianarakis
Keith Lee
2. #whoami
• Michael Gianarakis (@mgianarakis)
• Director of SpiderLabs APAC
• SecTalks Brisbane
• Flat Duck Enthusiast
• Keith Lee (@keith55)
• Senior Consultant at SpiderLabs APAC
3. Motivation
• We do a number of internal network penetration tests as part of our day to
day
• There are a bunch of awesome tools and techniques for capturing and
cracking credentials (e.g. Responder)
• We wanted to fill the gap after cracking a low privilege password hash from
NetBIOS/LLMNR/WPAD attacks etc. to compromising the entire domain
• Also to help with a few common issues that we as penetration testers face
• Developed a tool, Portia to help with this.
4. Motivation
• We developed Portia because we found similar tools had a number
of issues
• Limited support and success with recent versions of Windows
• Not as effective against systems that have implemented common
hardening techniques
• Wanted a single, but modular tool to cover a number of
techniques rather than multiple tools
5. Portia
• Portia aims to automate a number of techniques commonly performed on internal
network penetration tests after a low privileged account has been compromised
• Privilege escalation
• Lateral movement
• Convenience modules
• Portia is a genus of jumping spider that feeds on other spiders - known for their
intelligent hunting behaviour and problem solving capabilities usually only found
in larger animals
6. Portia basic workflow
• Checks the credentials
• Enumerates list of users in Domain Admin group
• Check if account if part of Domain Admin group
• Checks SYSVOL for stored credentials
• Sync times with DC and exploits MS14-068 if vulnerable
• Also checks for MS08-067 and MS17-010
• Checks which hosts the account has admin access on
• Checks for impersonation tokens belonging to Domain Admin group
• If found, use the impersonation token and run Mimikatz to target domain controller
• If not found, runs Mimikatz and dumps local password hashes
• If any new passwords/hashes found, tests the credentials and then use them to access other hosts in the network
• Continue to do so until all password/hashes have been exhausted or when all hosts have been compromised.
• Continues with post exploitation modules like finding interesting files, search disks and memory for PAN numbers (if option is enabled)
8. Storing passwords in SYSVOL or Group Policy Preference
(GPP)
• Credentials may be stored in Group Policy Preferences
• Locations in Group Policy Preferences where credentials may be saved
• Drive Maps
• Local Users and Groups
• Scheduled Tasks
• Services
• Data Sources
9. Storing passwords in SYSVOL or Group Policy Preference
(GPP)
• When a new GPP is created an XML file is created in SYSVOL which
contains relevant configuration data including potentially passwords
• Any authenticated domain user account is able to access it
• Passwords are encrypted using a “known” 32-byte AES key.
• “Known” because Microsoft published it on MSDN
11. Storing passwords in SYSVOL or Group Policy Preference
(GPP)
• MS Patch - MS14-025 (KB2962486)
• Unable to create new GPO preferences that rely on saved
passwords
• Doesn’t remove the old insecure passwords
• Have they disabled or removed the old account that were used
in GPP previously?
12. MS14-068 (KB3011780) Vulnerability in Microsoft
Windows Kerberos KDC
• An attacker will be able to use an unprivileged domain user
account and elevate the privileges to that of a domain
administrator account.
• A Privilege Attribute Certificate (PAC) can be forged that would be
accepted by the KDC as legitimate. Can create a fake PAC claiming
the regular user is a member of the domain administrators group.
13. MS08-067 and MS17-010
• MS08-067 (that old chestnut)
• Buffer overflow vulnerability triggered by a specially crafted RPC request.
• Old and mostly patched out but sometimes you get lucky.
• MS17-010
• Thanks Shadow Brokers/Equation Group
• Flaw with how SMBv1 handles certain requests that can result in remote
code execution
14. Assuming no passwords in SYSVOL and
MS14-068, MS08-067 and MS17-010
are not exploitable - what’s next?
15. Impersonation Token
• What is Impersonation Token?
• When a user logs into a system a delegation token is created which is converted
to an impersonation token once the user logs out.
• The impersonation token has the same rights and properties as the delegation
token.
• The delegation and impersonation tokens, once created remains on the system
until it is rebooted.
• If a Domain Administrator impersonate token is found can use Mimikatz or add to
the Domain Admin group to dump credentials on DC
16.
17. Portia - Impersonation Tokens
• If no impersonate token is found, the Portia runs Mimikatz as well as
dumps local password hashes
• If there are any new passwords/hashes they are added to the
database and and the process starts again
• The new passwords will be tested against every host until there are
no new passwords
18. Shared Local Administrator Passwords
• IT administrators uses a default Operating System (OS) image (with the software
installed) and roll out to new users. The OS is configured with a default password.
• In order for the IT staff to support the workstations/servers, it’s easy to use a single
default local administrator password.
• From an offensive perspective you can exploit this to move from compromising one
host in the network to compromising 100 hosts in the network
• Portia detects if multiple machines are using the same local administrator password
• Does not matter if the machines are connected to the domain
19. AMSI
• Anti-Malware Scan Interface
• Designed to detect and prevent script attacks
• Implements a number of security checks
• Provides file, memory and stream scanning, content source URL/IP reputation
checks as well as other techniques
• Includes additional calls for scripts that use obfuscation or layer-dynamic code
evaluation
• Portia implements two techniques to bypass AMSI
20. AMSI Bypass Technique 1
• If .NET v2.0.50727.4927 is installed you can force the use of
PowerShell v2 using the -Version option.
• PowerShell v2 does not support AMSI.
• Portia checks for the appropriate versions and forces the use of
PowerShell v2
21. AMSI Bypass Technique 2
• Another technique to bypass AMSI is to unload AMSI from the
current process.
• This technique was created by Matt Graeber
• Simple one-liner that unloads AMSI from the current process and
doesn’t require elevated privileges
22. App Locker Bypass
• Portia implements a number of App Locker bypass techniques:
• Weak Path Rules
• MSBuild.exe
• CScriptShell
23. App Locker Bypass - Weak Path Rules
• Exploits inappropriate folder permissions.
• By default Windows allows read and write access to the following folders:
• C:WindowsTasks
• C:WindowsTemp
• C:Windowstracing
• A binary that executes from these folders will not be blocked by App Locker
• Portia loads PowerShell into the Tasks directory.
24. App Locker Bypass - MSBuild.exe
• Injecting code into signed Microsoft binaries will execute without
being picked up by Device Guard.
• MSBuild.exe allows for “inline tasks” which can be used to can
compile and execute code in memory on the target.
• Can be used to execute arbitrary code on that target.
25. App Locker Bypass - CScriptShell
• CScriptShell is a tool that allows you to bypass application
whitelisting and PowerShell restrictions.
• Developed by Cn33liz and using a technique developed by
SubTee that lets you run .NET code inside JScript or VBScript
26. Invoke-Obfuscation
• Portia supports the Invoke-Obfuscation tool developed by Daniel
Bohannon.
• Invoke-Obfuscation is a PowerShell script obfuscation that can
assist with AV bypass.
27. Invoke-ReflectivePEInjection
• The Invoke-Mimikatz script which is commonly used run and
outdated version of Mimikatz that can have issues with Windows
10.
• Portia uses the Invoke-ReflectivePEInjection script which runs the
latest version of Mimikatz (or any binary) in the memory of the
target host which is more reliable on recent versions of Windows.
29. Portia - Current Modules
• Wireless Passwords
• WinvNC, Ultravnc
• Putty
• SNMP
• Browser Credentials (Firefox/Chrome)
• Dumping KeePass Credentials
• Filezilla sitemanager.xml
• Apache HTTPd.conf
• Unattend.xml, Sysprep.xml, Sysprep.inf
• Passwords stored in documents labelled
*password*
• IIS Credentials (ApplicationHost.config)
• PAN numbers in files/memory
• Enabling RDP
• Automatically compromise and search
MSSQL databases for sensitive information
30. Automatically Compromising MSSQL
• Look for weak passwords for the sa account
• If it’s successful it enables xp_cmdshell and adds a local admin
account on the box
• Dumps hashes, cleartext credentials
• Looks for any interesting information stored in the databases for
example credit cards and passwords etc.
34. Portia - Dumping Browser Credentials
• Uses various Powershell scripts
• First checks for Firefox or Chrome
• Checks the current logged in user and checks whether we have
the hash or password belonging to the user
• Powershell script that runs in the user session that dumps the
credentials to a file
35. Portia - Searching for PAN on Disk and In-Memory
• Portia uses modified versions of the following tools
• https://github.com/jksdua/credit-card-finder (Disk)
• https://github.com/Shellntel/scripts/blob/master/mem_scraper.ps1 (Memory)
• Portia enumerates the list of installed applications on the hosts where we have admin
access on
• Portia enumerates the processes running on the hosts where we have admin access on
• Portia produces a table mapping which processes/programs are running on which hosts
and what processes are common. This will allow an attacker to find interesting
‘processes’ to dump and find PAN numbers.
37. Portia - Analysing Hashes
• Currently has some basic analysis of hashes
• Blank hash
• Accounts using the same hash
• Future improvements
• Checking for password reuse between local admin account and
domain admin
39. Future Enhancements
• Support for attacking targets in adjacent networks via proxying
through trusted hosts
• Data exfiltration modules
• More database modules
• Docker Image
• Easy setup