Here Be Dragons: The Unexplored Land of Active Directory ACLs - Andy Robbins
Presented by Andy Robbins, Rohan Vazarkar, and Will Schroeder at DerbyCon 7.0: Legacy, in Louisville, Kentucky, 2017.
See the video recording of the presentation here: https://www.youtube.com/watch?v=mfaFuXEiLF4
OWASP Top 10 2021 - Overview and What's New.
OWASP Top 10 is the most successful OWASP project.
It shows the ten most critical web application security flaws.
Read the presentation and you will learn each OWASP Top 10 category and recommendations on how to prevent it.
A follow-on to the Encyclopedia Of Windows Privilege Escalation published by InsomniaSec at Ruxcon 2011, this talk is aimed at detailing not just escalation from user to admin and admin to system, but persistence and forced authentication as well as a few other treats.
Talk Venue: BSides Tampa 2020
Speakers: Mike Felch & Joff Thyer
This talk will focus on the many different ways that a penetration tester or Red Teamer can leverage the Python programming language during offensive operations. Python is a rich and powerful programming language which above all else allows a competent developer to very quickly write new tools that might start as a Proof of Concept, but soon become an invaluable addition to the Red Teamer's tool-belt. Having the skills to both generate new tools and modify existing tools on the fly is critically important to agility during a testing engagement. Everything from utility processing of data, network protocols, API interaction, and exploit development can be rapidly developed due to the high functionality level and intuitive nature of Python.
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It - Nikhil Mittal
The talk I gave at Black Hat USA 2016 on Anti Malware Scan Interface. The talk looks at what good AMSI brings to Windows 10 and various methods of avoiding/bypassing it.
PSConfEU - Offensive Active Directory (With PowerShell!) - Will Schroeder
This talk covers PowerShell for offensive Active Directory operations with PowerView. It was given on April 21, 2016 at the PowerShell Conference EU 2016.
Presented at the DEFCON27 Red Team Offensive Village on 8/10/19.
From the dawn of technology, adversaries have been present. They have ranged from criminal actors and curious children to - more modernly - nation states and organized crime. As an industry, we started to see value in emulating bad actors and thus the penetration test was born. As time passes, these engagements become less about assessing the true security of the target organization and more about emulating other penetration testers. Furthermore, these tests have evolved into a compliance staple that results in little improvement and increasingly worse emulation of bad actors.
In this presentation, we will provide a framework complementary to the Penetration Testing Execution Standard (PTES). This complementary work, the Red Team Framework (RTF), focuses on the objectives and scoping of adversarial emulation with increased focus on the perspective of the business, their threat models, and business models. The RTF borrows part of the PTES, adding emphasis on detection capabilities as well as purple team engagements. We believe this approach will better assist organizations and their defensive assets in understanding threats and building relevant detections.
Windows privilege escalation by Dhruv Shah - OWASP Delhi
Different scenarios leading to privilege escalation
Design issues, implementation flaws, untimely system updates, permission issues, etc.
We ain't talking about overflows here, just logic and techniques.
You'll understand how hackers can attack resources hosted in Azure and how to protect Azure infrastructure by identifying vulnerabilities, along with extending your pentesting tools and capabilities.
This presentation was given at BSides Austin '15, and is an expanded version of the "I hunt sys admins" Shmoocon firetalk. It covers various ways to hunt for users in Windows domains, including using PowerView.
This presentation describes penetration testing with a Who, What, Where, When, and How approach. In the presentation, you may discover the common pitfalls of a bad penetration test and you could identify a better one. You should be able to recognize and differentiate both looking at the methods (attitude) and result.
Concepts and resources of enterprise architecture, covering the business domains and the infrastructure, application, information and business architectures.
The goal of an enterprise architecture is to provide structures and tools that allow organizations to develop and implement their business strategy. It is a resource for correct technological information. Enterprise architecture favours business operating models and indicates how to develop a business infrastructure.
Continuous intrusion: Why CI tools are an attacker's best friends - Nikhil Mittal
Slides of the talk I gave at BlackHat Europe and DeepSec 2015. Continuous Integration (CI) tools provide an excellent attack surface due to no or poor security controls, distributed build management capability, and the level of access/privileges in an enterprise.
This talk looks at the CI tools from an attacker's perspective and at using them as portals for getting a foothold and lateral movement. We will see how to execute attacks like command and script execution, credential stealing, and privilege escalation to compromise not only the build process but the underlying operating system and even entire Windows domains. No memory corruption bugs will be exploited and only the features of the CI tools will be used.
Proposal for an Enterprise Architecture (Arquitetura Corporativa) Process - Rafael Targino
This talk gives a brief introduction to what Enterprise Architecture (Arquitetura Corporativa) is and discusses the problem of the many different models in organizations. It also shows some of the benefits of Enterprise Architecture, which is also called Arquitetura Empresarial.
The talk ends by proposing an iterative and incremental process for deploying Enterprise Architecture in organizations.
This was a workshop I conducted at Black Hat Europe'12. The workshop explains how to program a USB HID, Teensy++ in this case, for usage in offensive security.
If I take a letter, lock it in a safe, hide the safe somewhere in New York, then tell you to read the letter, that's not security. That's obscurity. On the other hand, if I take a letter and lock it in a safe, and then give you the safe along with the design specifications and a hundred identical safes with their combinations so that the world's best safecrackers can study it and you still can't open the safe, that's security.
Rajarshi Gupta at AI Frontiers: Security is AI's biggest challenge, AI is Se... - AI Frontiers
The progress of AI in the last decade has seemed almost magical. But we will discuss the unique challenges posed by Security and what makes this domain the biggest challenge for AI. Reporting from the frontlines, we will describe the deployment of large-scale production-grade AI systems to combat security breaches, using lessons learned at Avast from defending over 400 million consumers every single day. Topics will cover the recent AI advancements in file-based anti-malware solutions, behavior-based on-device solutions, and network-based IoT security solutions.
Dev and Blind - Attacking the weakest Link in IT Security - Mario Heiderich
The developer is an easy and valuable target for malicious minds. The reasons for that are numerous and hard to come by. This talk delivers examples, proof, discussion and awkward moments in a pretty special way.
Everybody hates developers - especially web developers. And why not? The cracks and crevices of their APIs and implementations are the reason that vulnerabilities in web applications are still a widespread issue - and will continue to be in the foreseeable future.
Bashing and blaming them for their wrongdoings is fun - boy, they are stupid in their mistakes! But has anyone ever dared to have an open on-stage battle with an actual developer?
And who of the developers dares to face their collective nemesis - the attacker? Can there be life where matter and anti-matter collide? We will know about this soon - because this is what this talk is going to be about. Developer versus attacker - vulnerability versus defense. Be prepared for swearing, violence and people leaving the stage prematurely in tears.
Avoid embarrassing press by designing secure IoT products with Misha Seltzer - Product of Things
These are the slides from Misha Seltzer's talk at the Product of Things Conference in Tel Aviv in July 2018:
Who this talk is for: this talk is for product managers that want to avoid common design flaws that lead to easily hackable IoT devices.
After this workshop you will be able to:
Spot and eliminate security design flaws early
Know where you, as a PM, can get involved to improve your product's security
Learn from mistakes done by others, and not repeat them
What is covered:
RTOS as well as Linux-based IoT protection
Rules of thumb for basic IoT security
Unexpected areas from which security flaws might creep into your products.
In the land of IoT, with so many different companies/manufacturers competing for the same space, it's essential to have a good reputation. One embarrassingly hackable product can not only hurt sales but kill the company altogether.
In this talk, we'll go over a couple of cases of embarrassing IoT security flaws, learn how and where those mistakes were made, and what you, as PMs, can do to not repeat those mistakes.
A presentation specifically designed for non-technical decision makers who would like to understand Cyber Security and GDPR better, and how to protect their businesses.
Talk given at OpenIT (Tech talks at IT University of Copenhagen) in 2014. The talk covers different aspects of how to protect our privacy when using personal devices.
I will be going over a list of definitions, tools that fit each category, and open source variants that fit each (if available). I will be also going over the good, bad, and ugly of new/emerging technology.
I recommend watching the talk. Many notes and context are only verbal, not in the slides.
Link for talk.
http://www.irongeek.com/i.php?page=videos/bsidestampa2018/track-206-blue-teams-tool-dump-stop-using-them-term-next-gen-this-isnt-xxcall-of-dutyxx-alex-kot
Evading Microsoft ATA for Active Directory Domination - Nikhil Mittal
The talk I gave at Black Hat USA 2017 on bypassing Microsoft Advanced Threat Analytics (ATA). I demonstrate techniques to bypass, avoid and attack ATA in this talk.
This presentation, given at DeepSec 2014, focuses on using PowerShell for client-side attacks. New scripts which are part of the open-source toolkit Nishang were also released. Nishang is a toolkit in PowerShell for penetration testing.
2. Hacking the future with USB HID
Nikhil "SamratAshok" Mittal
Hacker
3. About Me
- SamratAshok
- Twitter - @nikhil_mitt
- Blog - http://labofapenetrationtester.blogspot.com
- Creator of Kautilya, Mareech and Nishang
- Interested in Offensive Information Security, new attack vectors and methodologies to pwn systems.
- Previous Talks
  - Clubhack'10, Hackfest'11, Clubhack'11, Black Hat Abu Dhabi'11, Black Hat Europe'12, Troopers'12, PHDays'12, Black Hat USA'12
- Upcoming Talks
  - Talk at EUSecWest'12
  - Training at GrrCON'12
4. Agenda
- Human Interface Devices
- Using HIDs in Penetration Tests
- HID of choice - Teensy++
- How we will use Teensy++?
- Windows Family
- Mac OS X Family
- Kautilya
- Attacks Demo (on Windows 8 and Mountain Lion)
- Comparison
- Future of Attacks
- Limitation
- Defense
- Conclusion
5. A typical Pen Test Scenario
- A client engagement comes with IP addresses.
- We need to complete the assignment in a very restrictive time frame.
- Pressure is on us to deliver a "good" report with some high severity findings. (That "High" return inside a red colored box)
7.
- This is a best case scenario.
- Only lucky ones find that.
- Generally legacy Enterprise Applications or Business Critical applications are not upgraded and are the first targets.
- There is almost no fun doing it that way.
8. Some of us do it better
Enum -> Scan -> Exploit -> Report
9. Some of us do it even better
Enum + Intel -> Scan -> Exploit -> Post Exp -> Report
10. Why do we need to exploit?
- To gain access to the systems.
- This shows the real threat to clients: that we can actually make an impact on their business. No more "so-what" :)
- We can create reports with "High" Severity findings which bring $$$
11. What do we exploit?
- Memory Corruption bugs.
  - Server side
  - Client Side
- Mis-configurations
  - Open file shares.
  - Sticky slips.
- Man In The Middle (many types)
- Unsecured Dumpsters
- Humans
- <Audience>
12. Worse Scenario
- Many times we get some vulnerabilities but can't exploit.
  - No public exploits available.
  - Not allowed on the system.
  - Countermeasure blocking it.
  - Exploit completed but no session was generated :P
13. Worst Scenario
- Hardened Systems
  - Patches in place
  - Countermeasures blocking scans and exploits
  - Security incident monitoring and blocking
  - No network access
- We need alternatives.
14. Need for new methods to break into systems
- Breaking into systems is not as easy as done in the movies.
- Those defending the systems have become smarter and it is getting harder to break into "secured" environments.
- Everyone is breaking into systems using the older ways; you need new ways to do it better.
15. Human Interface Devices
- Wikipedia - "A human interface device or HID is a type of computer device that interacts directly with, and most often takes input from, humans and may deliver output to humans."
- Mice, Keyboards and Joysticks are the most common HIDs.
- What could go wrong?
16. Using HIDs in Penetration Tests
- Human Interface Devices are trusted by Operating Systems.
- Countermeasures like Anti Virus do not care for such devices.
- The way we use it, using HID for offensive security is equivalent to sitting in front of the target system as a user.
- The attack scenarios are large in number and may have severe impact.
17. HID of choice - Teensy++
- A USB Micro-controller device from pjrc.com
- Storage of about 130 KB.
- We will use Teensy++ which is an updated version of Teensy.
- A cheap device, costs only $24.
- It uses an Atmel based processor.
18. HID of choice - Teensy++
- It could be used as Keyboard/Mouse/Joystick.
- The device is easily programmable using C or C-like syntax using the Arduino Development Environment with the Teensyduino plugin.
- The device works with many Operating Systems.
- It is small in size.
19. How we will use Teensy++?
- As a programmable keyboard.
- We will program the device to do a defined set of activities when it is connected to a system.
- We will utilise the privileges of the currently logged in user and any higher privileges accessible to the user.
- Aim is to mimic a user sitting in front of the target.
20. Windows Family
- A user is notified when a new device is connected.
- It takes 20-25 seconds while the driver for the device gets loaded.
- A device can type really fast on a Windows machine thanks to the large USB keyboard buffer of Windows.
- If PowerShell is used some really powerful things could be done.
21. OS X Family
- A user is not notified if a USB device is connected.
- It takes 10-15 seconds while the device is detected and loaded.
- The device cannot type very fast.
- Built-in scripting languages make payloads powerful.
22. Kautilya
- It is a toolkit which aims to make HID more useful in Penetration Tests.
- Named after Chanakya a.k.a. Kautilya.
- Written in Ruby.
- It's a menu-driven program which lets users select and customize payloads.
- Aims to make HID part of every Penetration tester's tool chest.
- Contains payloads for Windows, Linux and OS X.
23. Payloads in Kautilya
- Payloads are tested on Teensy without SD Card.
- Pastebin is extensively used for uploads and downloads.
- Payloads are commands, powershell scripts or a combination of both.
- Payload execution depends on the privilege of the user logged in when the device is plugged in.
24. Attacks Demo (on Windows 8 and Mountain Lion)
- Let us have a look at three attacks on both
  - Download and execute shellcode.
  - Reverse shell using built-in features.
  - DNS TXT Code Execution.
25. Comparison

Attribute: Detection or blocking of USB HIDs
  Windows 8: Shows a balloon. Easy to prevent installation of removable devices using Group policies.
  Mac OS X Mountain Lion: No information to user. Not easy to block a device.

Attribute: Response to a very fast keyboard input
  Windows 8: Possible to send input really fast.
  Mac OS X Mountain Lion: Delays must be introduced between the keyboard inputs.

Attribute: Trust on end user (as we are simulating one)
  Windows 8: For sensitive functions a UAC prompt is shown.
  Mac OS X Mountain Lion: Sudo is required for sensitive functions.
26. Pen Test Stories
Library Fun
- Internal PT for a large media house.
- The access to the network was quite restrictive.
- The desktops at the Library were left unattended many times.
- Teensy was plugged into one system with a sethc and utilman backdoor.
- Later in the evening the system was accessed and pwnage ensued.
27. Pen Test Stories
Breaking the perimeter
- A telecom company.
- A perimeter check for the firm was to be done.
- The Wireless rogue AP payload was used and Teensy was sold to the client's employees during lunch hours.
- Within a couple of hours, we got a wireless network ready with an administrative user and a bind shell.
28. Pen Test Stories
Help by the Helpdesk
- A pharma company.
- A user's data card was replaced with a Teensy inside the data card's cover.
- The payload selected was Keylogger.
- The "Data card" obviously didn't work and multiple keyloggers were installed, for the user and the helpdesk.
- Helpdesk guys had access to almost everything in the environment and over a workday, it was over.
29. Limitations with Teensy
- Limited storage in Teensy. Resolved if you attach an SD card to Teensy.
- Inability to "read" from the system. You have to assume the responses of the victim OS and there is only one-way traffic.
- Inability to clear itself after a single run.
30. Limitations with Kautilya
- Many payloads need Administrative privilege.
- Lots of traffic to and from pastebin.
- Sometimes payloads are not stable.
- For payloads which use executables you manually need to convert and paste them to pastebin.
31. Future of Attacks
- Improvement in current payloads.
- Use some payloads as libraries so that they can be reused.
- More payloads for Non-Windows platforms.
- Implementation of newer payloads.
- Reliable user activity detection.
32. Defence
- For Windows systems, use Group Policy to "Prevent Installation of Removable Devices".
- For Mac OS X, udev rules may be used.
- Best defence is to physically block USB ports or lock the existing devices to the ports.
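The first Defence bullet points at the Windows Group Policy setting. As an added example (not part of the slides, and not code from Kautilya), the PowerShell below checks whether that policy is enforced on a host, can write the same registry value locally, and goes one step beyond the slide on the detection side: it lists the keyboard/HID devices currently present and pulls the recent Plug-and-Play configuration events that a newly attached "keyboard" leaves behind. The registry path and value name (the ones Group Policy writes for "Prevent installation of removable devices"), the Kernel-PnP event IDs 400/410 and the device class names are assumptions from Windows documentation rather than from the slides; the function names are mine. Run it in an elevated session on Windows 8 or later.

```powershell
# Added example, not from the slides: audit/enforce the "Prevent installation
# of removable devices" policy and surface HID devices plus recent PnP events.
# Assumed registry location written by the Group Policy setting (Computer
# Configuration > Administrative Templates > System > Device Installation).
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$PolicyName = 'DenyRemovableDevices'

function Test-RemovableDeviceInstallBlocked {
    # Returns $true only when the policy value exists and is set to 1.
    $value = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    return ($null -ne $value -and $value.$PolicyName -eq 1)
}

function Enable-RemovableDeviceInstallBlock {
    # Writes the same DWORD the GPO would. On domain-joined hosts prefer the
    # GPO itself, since a policy refresh overwrites local edits under this key.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 1 -Type DWord
}

function Get-PresentHidDevices {
    # Keyboard, mouse and generic HID-class devices currently attached. A
    # microcontroller enumerating as a keyboard appears here as an extra
    # keyboard-class device next to the built-in one.
    Get-PnpDevice -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Class -in @('Keyboard', 'Mouse', 'HIDClass') } |
        Select-Object Class, FriendlyName, InstanceId, Status
}

function Get-RecentPnpConfigurationEvents {
    param([int]$Hours = 24)
    # Kernel-PnP Configuration log: 400 = device configured, 410 = device
    # started. Restrict to USB/HID instance paths so new input devices stand out.
    $filter = @{
        LogName   = 'Microsoft-Windows-Kernel-PnP/Configuration'
        Id        = 400, 410
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'HID\\' -or $_.Message -match 'USB\\' } |
        Select-Object TimeCreated, Id, Message
}

# Usage: report policy state, then inventory devices and recent PnP activity.
if (Test-RemovableDeviceInstallBlocked) {
    Write-Host 'Removable device installation is blocked by policy.'
} else {
    Write-Warning 'Removable device installation is NOT blocked; consider Enable-RemovableDeviceInstallBlock or the equivalent GPO.'
}
Get-PresentHidDevices | Format-Table -AutoSize
Get-RecentPnpConfigurationEvents -Hours 24 | Format-Table -AutoSize -Wrap
```

The policy blocks installation of any removable device, legitimate USB keyboards and storage included, so scope it with the "Allow installation of devices that match any of these device IDs" setting for approved hardware before rolling it out broadly; the event query is the part worth shipping to a SIEM, because a second keyboard-class device appearing on a workstation outside of a known hardware change is exactly the signal the slides' attack scenario produces.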
33. Conclusion
- USB HID attacks are real threats and here to stay.
- This is because Operating Systems trust themselves and their users.
- Security ends with trust.
34. Thank You
- Questions?
- Insults?
- Feedback?
- Kautilya is available at http://code.google.com/p/kautilya/
- Follow me @nikhil_mitt
- http://labofapenetrationtester.blogspot.com/