All You Need is One - A ClickOnce Love Story - Secure360 2015NetSPI
ClickOnce is a deployment solution that enables fast, easy delivery of packaged software. It is commonly used by organizations to deploy both internal and production-grade software packages, along with their respective updates. By allowing end-users to accept the requested permissions of the software package without the intervention of an administrator, ClickOnce simplifies the deployment and use of robust software solutions.
It also provides an excellent opportunity for malicious actors to establish a foothold in your network.
In this presentation, we discuss how we combined ClickOnce technology and existing phishing techniques into a new methodology for establishing an initial presence in an environment. By minimizing user interaction, we only require that the user is fooled for “one click” – after that, we already have a foothold in their environment and are ready to pivot and escalate further.
Fuzzing and You: Automating Whitebox TestingNetSPI
Fuzzing is easy, but getting useful information from fuzzing isn’t. ‘Spray and pray’ might get some results, but a set of well-designed tests will get much better results faster. Unfortunately, the job doesn’t end there. Fuzzing doesn’t find vulnerabilities; fuzzing finds unexpected behavior. Interpreting that unexpected behavior relies on understanding the application you’re fuzzing and the tests you’ve designed. This presentation will discuss techniques for creating tests targeted towards uncovering specific behavior, including authorization bypasses, directory traversals, and buffer overflows.
Attack All the Layers: What's Working during Pentests (OWASP NYC)Scott Sutherland
This presentation is intended to provide an overview of vulnerabilities and attack techniques that are popular in penetration testing at the moment. Vulnerabilities related to the application, network, and server layers will be covered along with current anti-virus bypass and privilege escalation techniques used by attackers and penetration testers. This presentation should be interesting to security professionals and system administrators looking for more insight into real world attacks.
This is the version modified for the OWASP meeting in June of 2014.
This presentation is intended to provide an overview of vulnerabilities and attack techniques that are popular in penetration testing at the moment. This talk includes real-world examples of attacks that they use on a daily basis, and some reflections on what techniques have changed over the last year. Vulnerabilities related to the application, network, and server layers will all be covered along with current anti-virus bypass and privilege escalation techniques used by attackers and penetration testers. This presentation should be interesting to security professionals and system administrators looking for more insight into real world attacks.
More security blogs by the authors can be found @
https://www.netspi.com/blog/
All You Need is One - A ClickOnce Love Story - Secure360 2015NetSPI
ClickOnce is a deployment solution that enables fast, easy delivery of packaged software. It is commonly used by organizations to deploy both internal and production-grade software packages, along with their respective updates. By allowing end-users to accept the requested permissions of the software package without the intervention of an administrator, ClickOnce simplifies the deployment and use of robust software solutions.
It also provides an excellent opportunity for malicious actors to establish a foothold in your network.
In this presentation, we discuss how we combined ClickOnce technology and existing phishing techniques into a new methodology for establishing an initial presence in an environment. By minimizing user interaction, we only require that the user is fooled for “one click” – after that, we already have a foothold in their environment and are ready to pivot and escalate further.
Fuzzing and You: Automating Whitebox TestingNetSPI
Fuzzing is easy, but getting useful information from fuzzing isn’t. ‘Spray and pray’ might get some results, but a set of well-designed tests will get much better results faster. Unfortunately, the job doesn’t end there. Fuzzing doesn’t find vulnerabilities; fuzzing finds unexpected behavior. Interpreting that unexpected behavior relies on understanding the application you’re fuzzing and the tests you’ve designed. This presentation will discuss techniques for creating tests targeted towards uncovering specific behavior, including authorization bypasses, directory traversals, and buffer overflows.
Attack All the Layers: What's Working during Pentests (OWASP NYC)Scott Sutherland
This presentation is intended to provide an overview of vulnerabilities and attack techniques that are popular in penetration testing at the moment. Vulnerabilities related to the application, network, and server layers will be covered along with current anti-virus bypass and privilege escalation techniques used by attackers and penetration testers. This presentation should be interesting to security professionals and system administrators looking for more insight into real world attacks.
This is the version modified for the OWASP meeting in June of 2014.
This presentation is intended to provide an overview of vulnerabilities and attack techniques that are popular in penetration testing at the moment. This talk includes real-world examples of attacks that they use on a daily basis, and some reflections on what techniques have changed over the last year. Vulnerabilities related to the application, network, and server layers will all be covered along with current anti-virus bypass and privilege escalation techniques used by attackers and penetration testers. This presentation should be interesting to security professionals and system administrators looking for more insight into real world attacks.
More security blogs by the authors can be found @
https://www.netspi.com/blog/
This presentation is intended to provide an overview of vulnerabilities and attack techniques that are popular in penetration testing at the moment. Vulnerabilities related to the application, network, and server layers will be covered along with current anti-virus bypass and privilege escalation techniques used by attackers and penetration testers. This presentation should be interesting to security professionals and system administrators looking for more insight into real world attacks. Karl Fosaaen and I put this together for Secure 360 in Minneapolis. We hope you enjoy it.
More security blogs by the authors can be found @
https://www.netspi.com/blog/
SANS @Night Talk: SQL Injection ExploitedMicah Hoffman
This presentation was given at the SANS Rpcky Mountain Conference in Denver, CO June 2014. The presentation had a rather large portion that was demo. That is not captured here. Sorry.
This presentation will provide a high level overview of the current role that desktop applications play in enterprise environments, and the general risks associated with different deployment models. It will also cover common methodologies, techniques, and tools used to identify vulnerabilities in typical desktop application implementations. Although there will be some technical content. The discussion should be interesting and accessible to both operational and management levels.
More security blogs by the authors can be found @
https://www.netspi.com/blog/
Pentest Apocalypse-That's when you hire a pentester, and they walk all over your network. To avoid this, organizations need to be prepared before the first packet is sent in order to get the most value from the tester. There is no excuse for pentesters to find critical vulnerabilities that are six years old on an assessment. And who needs a zero-day when employees leave credentials on wide-open shares? Just like how Doomsday Preppers helps you prepare for the apocalypse, this presentation will help you prepare for, and avoid, a pentest apocalypse by describing common vulnerabilities found on many assessments. Being prepared for common pentester activities will not only help add value to a pentest but will also help prevent attackers from using the same tactics to compromise your organization.
For More Information Please Visit:- http://bsidestampa.net
http://www.irongeek.com/i.php?page=videos/bsidestampa2015/104-pentest-apocalypse-beau-bullock
Lateral Movement: How attackers quietly traverse your NetworkEC-Council
After successfully attacking an endpoint and gaining a foothold there, sophisticated attackers know that to get to the valuable data within an organization they must quietly pivot. From reconnaissance to escalation of privileges to stealing credentials, learn about the tactics and tools that attackers are using today.
Attackers don’t just search for technology vulnerabilities, they take the easiest path and find the human vulnerabilities. Drive by web attacks, targeted spear phishing, and more are commonplace today with the goal of delivering custom malware. In a world where delivering custom advanced malware that handily evades signature and blacklisting approaches, and does not depend on application software vulnerabilities, how do we understand when are environments are compromised? What are the telltale signs that compromise activity has started, and how can we move to arrest a compromise in progress before the attacker laterally moves and reinforces their position? The penetration testing community knows these signs and artifacts of advanced malware presence, and it is up to us to help educate defenders on what to look for.
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beau Bullock
Your vulnerability scanner reports that there are no issues on your network. A pentester has spent the last week trying to exploit every system your organization owns with no luck. The check box for this year's compliance audit has been checked. While it is good that these things occurred, they do not complete the picture in regards to true risk.
Real attackers do not solely rely on software exploits to compromise an environment. In almost every breach you hear about the root of the compromise came from a phishing attack. This is why additional tests, post-infection, should be performed to assess just how far an attacker can go after gaining a foothold into your environment.
What command and control channels are available for an attacker to utilize to communicate with your internal systems? How easy is it for an attacker to move laterally within your environment and gain access to other systems? What are your detection capabilities when it comes to sensitive data being exfiltrated out of your environment? How do you test these attacker techniques using open-source tools?
This lecture will address these questions and more, including a showcase of attacker methodologies.
Pentest Apocalypse-That's when you hire a pentester, and they walk all over your network. To avoid this, organizations need to be prepared before the first packet is sent in order to get the most value from the tester. There is no excuse for pentesters to find critical vulnerabilities that are six years old on an assessment. And who needs a zero-day when employees leave credentials on wide-open shares? Just like how Doomsday Preppers helps you prepare for the apocalypse, this presentation will help you prepare for, and avoid, a pentest apocalypse by describing common vulnerabilities found on many assessments. Being prepared for common pentester activities will not only help add value to a pentest but will also help prevent attackers from using the same tactics to compromise your organization.
For More Information Please Visit:- http://bsidestampa.net
http://www.irongeek.com/i.php?page=videos/bsidestampa2015/104-pentest-apocalypse-beau-bullock
Prowler: Cloud Security Assessment, Auditing, Hardening, Compliance and Forensics Readiness Tool
Prowler helps to assess, audit and harden your AWS account configuration and resources. It also helps to check your configuration with CIS recommendations, and check if your cloud infrastructure is GDPR compliance or if you are ready for a proper forensic investigation. It is a command line tool that provides direct and clear information about configuration status related to security of a given AWS account, it performs more than 80 checks.
PowerShell, the must have tool for administrators, and the long overlooked security challenge. See Kieran Jacobsen present how PowerShell, with its deep Microsoft platform integration can be utilised by an attack to become a powerful attack tool. Learn how an attacker can move from a compromised workstation to a domain controller using PowerShell and WinRM whilst learning how to defend against these attacks.
Windows credentials manager stores users’ credentials in special folders called vaults. Being able to access such credentials could be truly useful during a digital investigation for example, to gain access to other protected systems. Moreover, if data is in the cloud, there is the need to have the proper tokens to access it. This presentation will describe vaults’ internals and how they can be decrypted; the related
Python Open Source code will be made publicly available. During the session, credentials and vaults coming from Windows 7, Windows 8.1 and Windows 10 will be decrypted, focusing on particular cases of interest. Finally, the presentation will address the challenges coming from Windows Phone, such as getting system-users’ passwords and obtaining users’ ActiveSync tokens.
This presentation is intended to provide an overview of vulnerabilities and attack techniques that are popular in penetration testing at the moment. Vulnerabilities related to the application, network, and server layers will be covered along with current anti-virus bypass and privilege escalation techniques used by attackers and penetration testers. This presentation should be interesting to security professionals and system administrators looking for more insight into real world attacks. Karl Fosaaen and I put this together for Secure 360 in Minneapolis. We hope you enjoy it.
More security blogs by the authors can be found @
https://www.netspi.com/blog/
SANS @Night Talk: SQL Injection ExploitedMicah Hoffman
This presentation was given at the SANS Rpcky Mountain Conference in Denver, CO June 2014. The presentation had a rather large portion that was demo. That is not captured here. Sorry.
This presentation will provide a high level overview of the current role that desktop applications play in enterprise environments, and the general risks associated with different deployment models. It will also cover common methodologies, techniques, and tools used to identify vulnerabilities in typical desktop application implementations. Although there will be some technical content. The discussion should be interesting and accessible to both operational and management levels.
More security blogs by the authors can be found @
https://www.netspi.com/blog/
Pentest Apocalypse-That's when you hire a pentester, and they walk all over your network. To avoid this, organizations need to be prepared before the first packet is sent in order to get the most value from the tester. There is no excuse for pentesters to find critical vulnerabilities that are six years old on an assessment. And who needs a zero-day when employees leave credentials on wide-open shares? Just like how Doomsday Preppers helps you prepare for the apocalypse, this presentation will help you prepare for, and avoid, a pentest apocalypse by describing common vulnerabilities found on many assessments. Being prepared for common pentester activities will not only help add value to a pentest but will also help prevent attackers from using the same tactics to compromise your organization.
For More Information Please Visit:- http://bsidestampa.net
http://www.irongeek.com/i.php?page=videos/bsidestampa2015/104-pentest-apocalypse-beau-bullock
Lateral Movement: How attackers quietly traverse your NetworkEC-Council
After successfully attacking an endpoint and gaining a foothold there, sophisticated attackers know that to get to the valuable data within an organization they must quietly pivot. From reconnaissance to escalation of privileges to stealing credentials, learn about the tactics and tools that attackers are using today.
Attackers don’t just search for technology vulnerabilities, they take the easiest path and find the human vulnerabilities. Drive by web attacks, targeted spear phishing, and more are commonplace today with the goal of delivering custom malware. In a world where delivering custom advanced malware that handily evades signature and blacklisting approaches, and does not depend on application software vulnerabilities, how do we understand when are environments are compromised? What are the telltale signs that compromise activity has started, and how can we move to arrest a compromise in progress before the attacker laterally moves and reinforces their position? The penetration testing community knows these signs and artifacts of advanced malware presence, and it is up to us to help educate defenders on what to look for.
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beau Bullock
Your vulnerability scanner reports that there are no issues on your network. A pentester has spent the last week trying to exploit every system your organization owns with no luck. The check box for this year's compliance audit has been checked. While it is good that these things occurred, they do not complete the picture in regards to true risk.
Real attackers do not solely rely on software exploits to compromise an environment. In almost every breach you hear about the root of the compromise came from a phishing attack. This is why additional tests, post-infection, should be performed to assess just how far an attacker can go after gaining a foothold into your environment.
What command and control channels are available for an attacker to utilize to communicate with your internal systems? How easy is it for an attacker to move laterally within your environment and gain access to other systems? What are your detection capabilities when it comes to sensitive data being exfiltrated out of your environment? How do you test these attacker techniques using open-source tools?
This lecture will address these questions and more, including a showcase of attacker methodologies.
Pentest Apocalypse-That's when you hire a pentester, and they walk all over your network. To avoid this, organizations need to be prepared before the first packet is sent in order to get the most value from the tester. There is no excuse for pentesters to find critical vulnerabilities that are six years old on an assessment. And who needs a zero-day when employees leave credentials on wide-open shares? Just like how Doomsday Preppers helps you prepare for the apocalypse, this presentation will help you prepare for, and avoid, a pentest apocalypse by describing common vulnerabilities found on many assessments. Being prepared for common pentester activities will not only help add value to a pentest but will also help prevent attackers from using the same tactics to compromise your organization.
For More Information Please Visit:- http://bsidestampa.net
http://www.irongeek.com/i.php?page=videos/bsidestampa2015/104-pentest-apocalypse-beau-bullock
Prowler: Cloud Security Assessment, Auditing, Hardening, Compliance and Forensics Readiness Tool
Prowler helps to assess, audit and harden your AWS account configuration and resources. It also helps to check your configuration with CIS recommendations, and check if your cloud infrastructure is GDPR compliance or if you are ready for a proper forensic investigation. It is a command line tool that provides direct and clear information about configuration status related to security of a given AWS account, it performs more than 80 checks.
PowerShell, the must have tool for administrators, and the long overlooked security challenge. See Kieran Jacobsen present how PowerShell, with its deep Microsoft platform integration can be utilised by an attack to become a powerful attack tool. Learn how an attacker can move from a compromised workstation to a domain controller using PowerShell and WinRM whilst learning how to defend against these attacks.
Windows credentials manager stores users’ credentials in special folders called vaults. Being able to access such credentials could be truly useful during a digital investigation for example, to gain access to other protected systems. Moreover, if data is in the cloud, there is the need to have the proper tokens to access it. This presentation will describe vaults’ internals and how they can be decrypted; the related
Python Open Source code will be made publicly available. During the session, credentials and vaults coming from Windows 7, Windows 8.1 and Windows 10 will be decrypted, focusing on particular cases of interest. Finally, the presentation will address the challenges coming from Windows Phone, such as getting system-users’ passwords and obtaining users’ ActiveSync tokens.
Beyond the Scan: The Value Proposition of Vulnerability AssessmentDamon Small
Vulnerability Assessment is, by some, regarded as one of the least “sexy” capabilities in information security. However, it is the presenter’s view that it is also a key component of any successful infosec program, and one that is often overlooked. Doing so serves an injustice to the organization and results in many missed opportunities to help ensure success in protecting critical information assets. The presenter will explore how Vulnerability Assessment can be leveraged “Beyond the Scan” and provide tangible value to not only the security team, but the entire business that it supports.
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2NetSPI
App Security? There’s a metric for that! (Part 1 of 2)
Over the past year, NetSPI has been working on a new approach to manage and measure application security. By combining OWASP’s Software Assurance Maturity Model, traditional risk assessment methodologies, and experience developing security metrics, NetSPI developed a methodology that may be used to help organizations improve the way they manage and prioritize their application security initiatives. Once fully developed, this approach will be donated to OWASP either as an add-on to the existing SAMM project or as a new project intended to improve application security management.
In this presentation, NetSPI provides a detailed walk-through of the overall methodology as well as OWASP’s SAMM project. We provide examples of the types of metrics and executive dashboards that can be generated by using this approach to managing application security and help highlight various ways this information can be used to further improve the overall maturity of application security programs.
Be sure to check out Part 2 of this presentation for a more "Hands On" approach.
http://www.slideshare.net/NetSPI/application-risk-prioritizationhandsonsecure360part2of2
Заполучили права администратора домена? Игра еще не оконченаPositive Hack Days
Получение прав администратора домена не всегда означает, что сразу появляется доступ ко всем хостам, общим ресурсам или базам данных сети. Хитрость в том, чтобы найти нужный аккаунт. Докладчик приведет примеры различных сценариев внутреннего тестирования на проникновение, расскажет о сложностях, с которыми столкнулась его команда и о том, как разрабатывался инструмент, позволивший справиться с ними.
Describes 3 levels of complexity when implementing a secret management architecture, and presents 2 real world examples.
Technologies used: Hashicorp Vault, Chef Vault, AWS KMS, git-crypt.
Ch 8: Desktop and Server OS VulnerabilitesSam Bowne
Slides for a college course at City College San Francisco. Based on "Hands-On Ethical Hacking and Network Defense, Third Edition" by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 9781285454610.
Instructor: Sam Bowne
Class website: https://samsclass.info/123/123_S17.shtml
In this PowerPoint, learn how a security policy can be your first line of defense. Servers running AIX and other operating systems are frequent targets of cyberattacks, according to the Data Breach Investigations Report. From DoS attacks to malware, attackers have a variety of strategies at their disposal. Having a security policy in place makes it easier to ensure you have appropriate controls in place to protect mission-critical data.
CNIT 123: 8: Desktop and Server OS VulnerabilitesSam Bowne
Slides for a college course based on "Hands-On Ethical Hacking and Network Defense, Second Edition by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 1133935613
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/123/123_F16.shtml
In the rush to release a new product, a new version or simply trying to get things working, security can sometimes be an afterthought. In this talk, Ben Bromhead CTO of Instaclustr, will explore the various ways in which you can setup and secure Cassandra appropriately for your threat environmen
Yaroslav talks more about Mobile Security and his experience doing it on iOS platforms.
You can see his full lecture here: https://www.youtube.com/watch?v=_f7pmwi0yfs
Yaroslav Vorontsov works as a software architect at DataArt. Over the course of his professional career, he has taken part in many projects from different industrial domains, managed to grow from an intern to a tech lead quickly. He has also won two major prizes at two consecutive THacks in Berlin as a member of DataArt teams, participated in local developers’ communities and taught about 100 students in total for 3 years at the university. When he's not working, Yaroslav enjoys playing and watching football, and exploring new countries with his wife.
IT talk is an open community, where anyone interested in technologies can participate. It is a real opportunity for IT professionals, teachers, students and even novice developers to share knowledge, network & discuss technical solutions and even present them at the next IT Talk seminars!
Website: http://dataart.bg/
Facebook: https://www.facebook.com/dataartbulgaria/
YouTube: https://www.youtube.com/channel/UCFYE6-NmhDFhFtx4gGkHXGQ
Geek Sync | Handling HIPAA Compliance with Your Data AccessIDERA Software
You can watch the replay for this Geek Sync webcast in the IDERA Resource Center: http://ow.ly/UXKP50A5aZy
While medical facilities are most at risk for a HIPAA violation, most organizations in the United States have to comply with the law and can be hit with civil and criminal penalties.
Join IDERA and K. Brian Kelley as he looks at what you’re expected to meet with regards to data security. Brian will cover effective mechanisms, both inside SQL Server and out, to comply with these expectations and avoid a HIPAA violation. He will also talk general best practices which lead to and encourage proper data stewardship.
About Brian: Brian’s community involvement stems from being a SQL Server author, columnist, and Microsoft MVP with a focus on SQL Server and Windows security. His skillset extends beyond being a DBA; he has served as an infrastructure and security architect including solutions such as Citrix, virtualization, and Active Directory. Brian is a very active member of the IT community having spoken at DevConnections, SQL Saturdays, code camps, and user groups.
Similar to Extracting Credentials From Windows (20)
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
2. INTRODUCTIONS
Who are we?
• Scott Sutherland
• Antti Rantasaari
What do we do?
• Network and application penetration testing
at NetSPI
3. GOAL
Provide a basic understanding of how passwords can
be exposed on Windows systems
• What are the controls?
• What are their limitations?
• How can we reduce risk?
4. OVERVIEW
How to steal credentials from Microsoft technologies:
• Password Storage
• Cleartext passwords
• Encrypted passwords
• Password hashes
• Authentication tokens
5. PASSWORD STORAGE
• Hashed passwords
Used when cleartext password is not required later
No key required, hashing process can’t be reversed
• Encrypted passwords
Used when cleartext password will be required later
Requires key to decrypt password
Requires key management
• Encoded passwords
Should not be used to protect passwords
No key required to decode password
• Cleartext passwords – Don’t do that!
6. CLEARTEXT PASSWORDS
Why does it matter if passwords are stored or
transmitted in cleartext?
• Vulnerabilities can provide read-only access to:
OS files, backup files, and files shares
Network traffic
• Passwords can then be used to access:
Systems
Applications / Databases
Sensitive information
7. CLEARTEXT PASSWORDS
Why does it matter if passwords are stored or
transmitted in cleartext?
• Vulnerability examples:
File traversal
Local file includes
Excessive privileges on shares
ARP MITM
8. CLEARTEXT PASSWORDS
Where can I find cleartext passwords?
• Mapped network drives – User files
• Configuration files
• Windows Registry
• Active Directory
• Websites
• Script files
• Log files
9. CLEARTEXT PASSWORDS
Mapped Network Drives
• Users have access to a ton of files shares
• File shares often have bad ACLs
• Users love to store password in files
xls files
doc files
txt file
etc…
11. CLEARTEXT PASSWORDS
Mapped Network Drives
Recommendations
• Review for password on at regular intervals
• Periodic audits of access controls on shares
• User awareness training
• Use of proper password storage
12. CLEARTEXT PASSWORDS
Configuration Files
• Sometimes config files are only accessible to
administrators
• Most config files are accessible to all users
Bad ACLs
Access to backups
13. CLEARTEXT PASSWORDS
Configuration Files – Sysprep
• Files created to support the automation of large
scale image roll outs
• Configuration settings
• Local and domain credentials
15. CLEARTEXT PASSWORDS
Configuration Files – Sysprep
http://technet.microsoft.com/en-us/library/cc749415%28v=ws.10%29.aspx
Type Location
Registry HKLMSystemSetup!UnattendFile
File %WINDIR%PantherUnattend
File %WINDIR%Panther
File
Removable read/write media in order of drive letter, at the root of the
drive.
File Removable read-only media in order of drive letter, at the root of the drive.
File
windowsPE and offlineServicing passes:
Sources directory in a Windows distribution
All other passes:
%WINDIR%System32Sysprep
File %SYSTEMDRIVE%
16. CLEARTEXT PASSWORDS
Configuration Files – Sysprep
• Most of the time they are stored with no
protection…
http://technet.microsoft.com/en-us/library/cc749415%28v=ws.10%29.aspx
18. CLEARTEXT PASSWORDS
Configuration Files – Sysprep
• Sometimes they are Base64 encoded…
http://technet.microsoft.com/en-us/library/cc749415%28v=ws.10%29.aspx
22. CLEARTEXT PASSWORDS
Configuration Files – Sysprep
Recommendations
• Configure roll out scripts to remove the sysprep
answer files like unattend.xml
• Additional notes:
Prevent remote logins by local administrators
Manage systems with domain groups
23. CLEARTEXT PASSWORDS
Configuration Files – Web.config
• Used to store IIS web application configurations
• Often contain database passwords
• By default passwords are cleartext
27. CLEARTEXT PASSWORDS
Basic Authentication
• Simple way to implement IIS authentication
• Uses Base64 encoding, NOT ENCRYPTION
• Credentials can be captured from network traffic
over HTTP, or via man-in-the-middle over HTTPS
30. CLEARTEXT PASSWORDS
Basic Authentication
Recommendations
• Basic Auth is simple, but not often necessary
• Replace with Integrated Authentication to enforce
authentication handshake
• Additional notes:
Integrated Authentication can still be exploited,
but it’s not as easy
31. CLEARTEXT PASSWORDS
Windows Registry
• Many applications store passwords in cleartext
• Easy to search for common strings to find
passwords
• Windows also stores some passwords in cleartext
Autologin username and password
32. CLEARTEXT PASSWORDS
Windows Registry - AutoLogin
• Used by many kiosk and POS systems
• Often stores autologin credentials in
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows
NTCurrentVersionWinlogon]
"AutoAdminLogon"="1"
"DefaultUserName"=“autoadmin"
"DefaultPassword"=“!PassW0rd!"
"DefaultDomainName"=“acme"
34. CLEARTEXT PASSWORDS
Windows Registry - AutoLogin
Recommendations
• Only use autologin when necessary
• If required, store credentials encrypted in
LSASecrets
• Additional notes:
The encrypted password can be recovered with
administrative access to the system
http://technet.microsoft.com/en-us/sysinternals/bb963905.aspx
37. ENCRYPTED PASSWORDS
How is it possible to decrypt passwords protected
by Microsoft technologies?
Key Point: If an application or OS can decrypt it, so
can an attacker!
…sometimes administrator access is required.
38. ENCRYPTED PASSWORDS
How is it possible to recover passwords encrypted
by Microsoft technologies?
• Calling native OS and application functions
• Recovering encryption keys
From same system as the protected data
From external systems like HSMs
• Use the keys and correct algorithm to recover
protected data
40. ENCRYPTED PASSWORDS
Groups.xml
• For that to work the password has to be sent to
the user’s system
• Groups.xml is pulled down from the SYSVOL
share on the DC
• SYSVOL and Groups.xml are accessible to all
domain users and computer accounts
42. ENCRYPTED PASSWORDS
• Passwords in groups.xml are AES256 encrypted and
base64 encoded
• To apply the password locally, client has to decrypt it
• To enable this, encryption key is stored on clients
• But MS released the STATIC key in an MSDN article;
now anyone can decrypt the password!
http://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-
1f2fa45dd4be.aspx#endNote2
43. ENCRYPTED PASSWORDS
• Groups.xml password decrypted with a simple
PowerShell script
https://github.com/mattifestation/PowerSploit/blob/master/Exfiltration/Get-
GPPPassword.ps1
44. ENCRYPTED PASSWORDS
Groups.xml
Recommendations
• Microsoft does not recommend setting passwords via
Group Policy so it’s not a good idea to do that
• Access to groups.xml cannot be prevented for domain
users so it should not be used
46. ENCRYPTED PASSWORDS
LSASecrets
• Passwords are stored encrypted in the registry
HKLM:SECURITYPolicySecrets
• Only viewable by LocalSystem
• But…administrators can become LocalSystem
49. ENCRYPTED PASSWORDS
LSASecrets
• Use native API methods to decrypt the secrets
LsaRetrievePrivateData
LsaStorePrivateData
LsaOpenPolicy
LsaNtStatusToWinError
LsaClose
LsaFreeMemory
51. ENCRYPTED PASSWORDS
WDigest
• Designed for use protocols that require a cleartext
password to authenticate:
Hypertext Transfer Protocol (HTTP)
Simple Authentication Security Layer (SASL)
exchanges
http://technet.microsoft.com/en-us/library/cc778868(v=ws.10).aspx
http://www.slideshare.net/gentilkiwi
52. ENCRYPTED PASSWORDS
WDigest
• Stores passwords for interactive logins (like RDP)
encrypted in the lsass.exe process
• Depending on secret
size and OS version
RC4, DES, or AES
is used
http://technet.microsoft.com/en-us/library/cc778868(v=ws.10).aspx
http://www.slideshare.net/gentilkiwi
53. ENCRYPTED PASSWORDS
WDigest
• After injecting into the lsass.exe process or
importing initialized keys via lsasrv.dll…
• Native functions from lsasrv.dll can be used to
decrypt the passwords – namely…
LsaUnprotectMemory
http://www.slideshare.net/gentilkiwi
http://msdn.microsoft.com/en-us/library/windows/desktop/ff714510(v=vs.85).aspx
54. ENCRYPTED PASSWORDS
WDigest
• Tools like Mimikatz and WCE can be used to
recover cleartext passwords
http://www.slideshare.net/gentilkiwi
http://msdn.microsoft.com/en-us/library/windows/desktop/ff714510(v=vs.85).aspx
55. ENCRYPTED PASSWORDS
WDigest
Recommendations
• Use smartcard or biometrics when possible
• Use network logins instead of interactive logs when
possible
• Use unprivileged accounts when possible
• Do not provide admin / system / debug privileges
to users
http://www.slideshare.net/gentilkiwi
56. ENCRYPTED PASSWORDS
DPAPI
• Windows Data Protection API (DPAPI)
• Standard / easy way on Windows to encrypt and
decrypt data
• DPAPI used by many applications
IE, Chrome, Skype, EFS certificates, WEP / WPA
keys, RDP passwords, Credential Manager
• Data protection in memory or on disk
57. ENCRYPTED PASSWORDS
DPAPI – stored data
• Two protection scopes: CurrentUser or
LocalMachine
• Protection scope determines the encryption keys
CurrentUser scope uses keys protected by
current user’s password
LocalMachine scope uses keys on the system
• Additional entropy added to strengthen protection
58. ENCRYPTED PASSWORDS
DPAPI - internals
• Largely undocumented by Microsoft – just the API
calls are fully documented
• DPAPI has been reversed and offline decryption
tools have been released
http://passcape.com/index.php?section=blog&cmd=details&id=20#11
http://www.elie.net/publication/reversing-dpapi-and-stealing-
windows-secrets-offline#.U3BnB_ldWDs
59. ENCRYPTED PASSWORDS
MSSQL Links - Background
• Microsoft SQL Server allows users to create links to
external data sources, typically to SQL Servers
• Links can be configured to use SQL server
credentials
• Cleartext passwords are needed to connect to
linked servers – password hashing cannot be used
61. ENCRYPTED PASSWORDS
MSSQL Links – Password Storage
• Linked server passwords stored in the database –
only accessible using DAC
• Passwords stored in pwdhash column even though
hashing is not used
• Passwords encrypted but SQL Server must have
the key
63. ENCRYPTED PASSWORDS
MSSQL Links – Service Master Key
• SQL Server has a Service Master Key which is
encrypted using DPAPI
• Additional entropy is stored in the registry
• Service Master Key is “the root of the SQL Server
encryption hierarchy”, used to encrypt linked
server passwords too
65. ENCRYPTED PASSWORDS
MSSQL Links – Passwords Decryption
• Decrypt Service Master Key using DPAPI
• Extract encrypted password from database
• Remove metadata from the password
• Decrypt password using Service Master Key (either
3DES or AES depending on version)
67. ENCRYPTED PASSWORDS
MSSQL Links
Recommendations
• Best practice is to use Windows authentication only
– do not enable SQL server authentication
• Configure linked servers to use current execution
context rather than saved credentials
68. ENCRYPTED PASSWORDS
Credential Manager / Vault
• Credential Manager is intended to be a secure way
to store password
• Can be used for Windows credentials, browser
credentials, application credentials
• Each user has their own Vault – user can store own
passwords
69. ENCRYPTED PASSWORDS
Credential Manager / Vault
• Cleartext credentials needed to connect to remote
systems – thus passwords in Cred Manager are
encrypted, not hashed.
• DPAPI used to encrypt passwords
72. ENCRYPTED PASSWORDS
Credential Manager / Vault
Recommendations
• Stored passwords always a security risks
• Consider disabling Credential Manager using
group policies
73. ENCRYPTED PASSWORDS
Wireless
• Wireless connections with pre-shared keys have to
store the passwords
• Passwords encrypted using DPAPI
• User or SYSTEM can access the stored passwords
• Multiple tools to extract wireless credentials,
including Metasploit
77. ENCRYPTED PASSWORDS
Web.config and ApplicationHost.config
• IIS application configuration files
• Web.config = application level
• ApplicationHost.config = server level
Application pool credentials
Windows credentials used for directory access
… but they can also be decrypted
79. ENCRYPTED PASSWORDS
Web.config and ApplicationHost.config
• No surprise that local administrators can do this:
aspnet_regiis.exe -pdf "connectionStrings" c:webapp
80. HASHED PASSWORD
Why do should I care if someone steals my
password hashes if I have complexity enabled?
• #1 Reason:
Password hashes can be replayed and used to
authenticate without knowledge of the password
81. HASHED PASSWORD
Why do should I care if someone steals my
password hashes if I have complexity enabled?
• #2 Reason:
Password hashes can cracked at lighting speeds using
modern hardware and software
82. PASSWORD HASHES
On the System
• Local / Domain LM hashes
• Local / Domain NTLM hashes
• Domain MS-CACHEv2
On the Network
• Local / Domain NetLM
• Local / Domain NetNTLM
84. DO I REALLY NEED PASSWORDS?
Short answer is NO
85. DO I REALLY NEED PASSWORDS?
• SMB relay
• Pass-the-hash
• Stealing authentication tokens
• Crawling database links
• Process migration
• Generating golden tickets
86. CONCLUSIONS
• Protecting passwords is really, really hard if an attacker
has admin rights to you system
• Don’t store passwords in clear text – Anywhere!
• Only use encryption when the cleartext passwords need
used later
• Use HSM to protect keys used to encrypt data
• Use strong salted hashes to protect passwords
• Enforce least privilege everywhere – networks, servers,
applications…EVERYWHERE
87. NETSPI REFERENCES
• NetSPI blog: http://www.netspi.com/blog
• NetSPI github: https://github.com/netspi
• Scott github: https://github.com/nullbind
• NetSPI slideshare: http://slideshare.com/netspi
• Scott slideshare: http://slideshare.com/nullbind
• Scott twitter: @_nullbind
