The document provides an overview of techniques for penetrating OS X environments externally, including using the EmPyre remote access Trojan, phishing with OS X payloads, privilege escalation, persistence mechanisms like login hooks and crontab, host and network reconnaissance tools, and lateral movement options like SSH. The challenges of operating in an OS X environment and adapting typical Windows techniques are also discussed.
The document provides an overview of techniques for penetrating OS X environments externally, including using the EmPyre remote access Trojan, phishing with OS X payloads, privilege escalation, persistence mechanisms like login hooks and crontab, host and network reconnaissance tools, and lateral movement options like SSH. The challenges of operating in an OS X environment and adapting typical Windows tactics are also discussed.
A journey into application security will cover the relation and evolution of application security with the different approaches to development from Waterfall to Devops.
Socially Acceptable Methods to Walk in the Front DoorMike Felch
This document discusses techniques for gaining initial access to systems through RDP files and token tactics. It begins with an introduction to the speakers and an overview of how initial access is becoming more difficult. It then covers ways to leverage access tokens from Microsoft services like Azure AD to gain additional access, such as abusing email extensions and enticing users. Next, it discusses generating RDP files to deliver payloads from a self-hosted Windows server and techniques for signing and encrypting RDP files. It demonstrates the PyRDP tool for intercepting RDP traffic and capturing files. Finally, it covers hiding payloads on a victim's system at login and remediation techniques.
Training on July 16, 2017.
This training is the compressed version of Malware Engineering & Crafting.
In this training, we will talk about malware as well as crafting the simple working malware. The goal of this session is to understanding malware internal so one can have tactics to combat it.
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud XiaoShakacon
Since 2014, fifteen new malware or riskware families successfully attacked non-jailbroken iOS devices (e.g., WireLurker, Oneclickfraud, XcodeGhost, InstaAgent, ZergHelper, AceDeceiver), affected thousands of iOS apps and tens of millions users around the world. Ten of them even bypassed Apple’s code vetting and occurred at App Store. In this presentation, we will systematically study how could these malware, riskware and some Proof-of-Concepts infect non-jailbroken devices via practical vectors and approaches including abusing development certificates, bypassing code review by obfuscation, performing FairPlay MITM attack, abusing MDM solution, abusing private APIs, exploiting design flaws or app level vulnerabilities, and stealing privacy data. For each topic, we will introduce its implementation, explore real world cases, analyze its risky and consequences, explain Apple’s countermeasures, and discuss why some problems will still exist in near future. We will also share some stories of how we discovered those interesting iOS malware. Through this topic, audiences could make more effective policies to protect iOS devices in their organizations, build their own systems/tools to evaluate security risks in iOS apps, and hunt more iOS malware in the future.
The document provides an overview of techniques for penetrating OS X environments externally, including using the EmPyre remote access Trojan, phishing with OS X payloads, privilege escalation, persistence mechanisms like login hooks and crontab, host and network reconnaissance tools, and lateral movement options like SSH. The challenges of operating in an OS X environment and adapting typical Windows tactics are also discussed.
A journey into application security will cover the relation and evolution of application security with the different approaches to development from Waterfall to Devops.
Socially Acceptable Methods to Walk in the Front DoorMike Felch
This document discusses techniques for gaining initial access to systems through RDP files and token tactics. It begins with an introduction to the speakers and an overview of how initial access is becoming more difficult. It then covers ways to leverage access tokens from Microsoft services like Azure AD to gain additional access, such as abusing email extensions and enticing users. Next, it discusses generating RDP files to deliver payloads from a self-hosted Windows server and techniques for signing and encrypting RDP files. It demonstrates the PyRDP tool for intercepting RDP traffic and capturing files. Finally, it covers hiding payloads on a victim's system at login and remediation techniques.
Training on July 16, 2017.
This training is the compressed version of Malware Engineering & Crafting.
In this training, we will talk about malware as well as crafting the simple working malware. The goal of this session is to understanding malware internal so one can have tactics to combat it.
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud XiaoShakacon
Since 2014, fifteen new malware or riskware families successfully attacked non-jailbroken iOS devices (e.g., WireLurker, Oneclickfraud, XcodeGhost, InstaAgent, ZergHelper, AceDeceiver), affected thousands of iOS apps and tens of millions users around the world. Ten of them even bypassed Apple’s code vetting and occurred at App Store. In this presentation, we will systematically study how could these malware, riskware and some Proof-of-Concepts infect non-jailbroken devices via practical vectors and approaches including abusing development certificates, bypassing code review by obfuscation, performing FairPlay MITM attack, abusing MDM solution, abusing private APIs, exploiting design flaws or app level vulnerabilities, and stealing privacy data. For each topic, we will introduce its implementation, explore real world cases, analyze its risky and consequences, explain Apple’s countermeasures, and discuss why some problems will still exist in near future. We will also share some stories of how we discovered those interesting iOS malware. Through this topic, audiences could make more effective policies to protect iOS devices in their organizations, build their own systems/tools to evaluate security risks in iOS apps, and hunt more iOS malware in the future.
TeelTech - Advancing Mobile Device Forensics (online version)Mike Felch
This document provides an overview of a training on advancing mobile device forensics through reverse engineering and programming techniques. It discusses how traditional forensic tools are becoming less effective at recovering data from newer devices and applications that are designed for privacy. The training will demonstrate extracting artifacts from a raw device image using a hex editor and Python scripts. It also outlines a simulated criminal investigation involving the murder of a victim, and how analyzing the digital evidence from the victim and suspect's mobile phones through these new techniques revealed deleted messages that are relevant to the case.
Talk Venue: BSides Tampa 2020
Speakers: Mike Felch & Joff Thyer
This talk will focus on the many different ways that a penetration tester, or Red Teamer can leverage the Python programming language during offensive operations. Python is a rich and powerful programming language which above all else allows a competent developer to very quickly write new tools that might start as a Proof of Concept, but soon become an invaluable addition to the Red Teamer's tool-belt. Having the skills to both generate new tools, and modify existing tools on the fly is critically important to agility during testing engagement. Everything from utility processing of data, network protocol, API interaction, and exploit development can be rapidly developed due to the high functionality level and intuitive nature of Python.
This document provides information about the speaker, including their name, contact information, work experience, projects, and interests. They are a security researcher who previously worked as a VA and now works for HP Application Security Center. They enjoy talking about hacking and drinking beer and gin and tonics. The document also outlines an upcoming workshop they will be conducting on web hacking tools and techniques.
For organizations and individuals with limited security budgets, successfully hunting for cyber adversaries can be a daunting challenge. Threat Intelligence can be expensive and sometimes
nothing more than IoCs or blacklists. In this talk, Endgame’s threat research team will present a series of techniques that can enable organizations to leverage free or almost-free sources of
data and open-source tools to “hunt on the cheap.” They’ll explain how to: retrieve attackers’ tools from globally distributed honeynets that look like your organization or a juicy launching
point to attackers; enrich the data past basic file/tool hashes to identify malicious command and control IPs/domains through automated binary analysis using open-source sandboxes and tools; and use passive DNS data to identify active infections and enrich existing data sets. Attendees will learn how to apply these three techniques to hunt for adversaries within their own
networks. They will also learn about the various open-source solutions available, such as graph databases, that make these techniques inexpensive and within the scope of many organizations.
Anjum Ahuja, Senior Threat Researcher, Endgame
Jamie Butler, Chief Scientist, Endgame
Andrew Morris, Threat Researcher, Endgame
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...Andrew Morris
In this talk, I'll be discussing my experience developing intelligence-gathering capabilities to track several different independent groups of threat actors on a very limited budget (read: virtually no budget whatsoever). I'll discuss discovering the groups using open source intelligence gathering and honeypots, monitoring attacks, collecting and analyzing malware artifacts to figure out what their capabilities are, and reverse engineering their malware to develop the capability to track their targets in real time. Finally, I'll chat about defensive strategies and provide recommendations for enterprise security analysts and other security researchers.
This document provides information about a 2-day training course on exploiting injection flaws. It discusses the agenda which includes hands-on exercises covering SQL injection, LDAP injection, ORM injection, XPath injection and combining XXE and XPath. The trainer, Sumit Siddharth, is an expert in application and database security with over 8 years experience who has spoken at several security conferences. The course aims to help attendees think outside the box to find issues that tools may miss through practical CTF exercises.
Andrew Morris collected malware samples over the weekend using Dionaea and JBoss honeypots. The Dionaea honeypot captured over 100 Conficker malware samples exploiting Windows SMB vulnerabilities. The JBoss honeypot was infected by the ZECMD worm within 24 hours, exploiting exposed JMX consoles. Both provided real-world malware samples for analysis without risking other systems on Morris' network. He offered to collaborate on further manual analysis of the samples.
Designing Malware for Modern Red Team and Adversary Tradecraft.
Why using python for building malware?
Lesson learn and consideration.
as presented in PyCon ID 2021 (05/12/2021)
This document discusses anatomy of cloud hacks by analyzing past data breaches and vulnerabilities. It begins by looking at known attacks where compromised infrastructure was based in the cloud. Specific case studies of attacks on Code Spaces, Olindata, and Tesla are described. The document then covers techniques for enumerating cloud services and resources like storage containers. Methods for gaining an initial foothold like leaked credential hunting and exploiting server-side request forgery are also outlined.
ANALYZE'15 - Bulk Malware Analysis at ScaleJohn Bambenek
This document discusses extracting malware configurations at scale. It describes the large number of new malware samples seen daily and challenges with keeping up through traditional analysis methods. The author proposes automating extraction of configurations from remote access trojans (RATs) to more efficiently gather intelligence. Tools are introduced that can statically extract configurations from over 30 RAT types. A system is designed to intake large volumes of samples, use these tools to extract configurations, and output the data to a database for further analysis. The goal is to gain more insight into actors through common configuration elements like command and control domains even as they change tools.
Red Team Tactics for Cracking the GSuite PerimeterMike Felch
As more corporations adopt Google for providing cloud services they are also inheriting the security risks associated with centralized computing, email and data storage outside the perimeter. In order for pentesters and red teamers to remain effective in analyzing security risks, they must adapt techniques in a way that brings value to the customer.
In this presentation we will begin by demonstrating adaptive techniques to crack the perimeter of Google Suite customers. Next, we will show how evasion can be accomplished by hiding in plain-sight due to failures in incident response plans. Finally, we will also show how a simple compromise could mean collateral damage for customers who are not carefully monitoring these cloud environments.
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
BSides Las Vegas 2016 Talk: Powershell-fu: Hunting on the Endpoint. Presented the PSHunt framework (which will be released on Github) and methodology for hunting on the endpoint using Powershell across an enterprise or on an individual system.
2012 B-Sides and ToorCon Talk Offensive Defense
Blog Post - http://blog.ioactive.com/2013/01/offensive-defense.html
Cyber-criminals have had back-end infrastructures equivalent to Virus Total to test if malware and exploits are effective against AV scanners for many years, thus showing that attackers are proactively avoiding detection when building malware. In this day of age malicious binaries are generated on demand by server-side kits when a victim visits a malicious web page, making reliance solely on hash based solutions inadequate. In the last 15 years detection techniques have evolved in an attempt to keep up with attack trends. In the last few years security companies have looked for supplemental solutions such as the use of machine learning to detect and mitigate attacks against cyber criminals. Let's not pretend attackers can't bypass each and every detection technique currently deployed. Join me as I present and review current detection methods found in most host and network security solutions found today. We will re-review the defense in depth strategy while keeping in mind that a solid security strategy consists of forcing an attacker to spend as much time and effort while needing to know a variety of skills and technologies in order to successfully pull off the attack. In the end I hope to convince you that thinking defensively requires thinking offensively.
The document discusses the path of cyber security and how to become a hacker or security professional. It outlines the typical steps of penetration testing: reconnaissance and analysis, vulnerability mapping, gaining access, privilege escalation, maintaining access, and covering tracks. It recommends starting with networking and programming skills, focusing on an area of expertise like web security, participating in competitions and creating a practice lab to learn. The presenter gives demonstrations on vulnerable VMs and recommends courses, CTF competitions, and building your own lab to advance your skills in security research, tool development, and operations.
Keeping Up with the Adversary: Creating a Threat-Based Cyber TeamPriyanka Aash
With advanced cyber-actors evolving quickly and becoming more stealthy, it has become imperative to question the status quo of our existing cyber-operations. This session will outline how a case study and incident response led to changes in focus and philosophy and how that changed the structure of Defensive Cyber Operations.
(Source: RSA Conference USA 2017)
Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...PaloAltoNetworks
Palo Alto Networks Live Community Senior Engineers Tom and Joe present best security practices at the Fuel Spark event in London. For more details, please visit: https://live.paloaltonetworks.com/t5/Community-Blog/Live-Community-team-at-Spark-User-Summit-London/ba-p/153182
Hack Attack! An Introduction to Penetration TestingSteve Phillips
This document provides an introduction to penetration testing and ethical hacking. It discusses how hacking can be done ethically through penetration testing with permission. It outlines the stages of a hacker's skills from script kiddie to uberhacker. Popular programming languages for creating hacking tools like C, Python, and Ruby are also mentioned. The document demonstrates some hacking tools in BackTrack Linux like sniffing passwords with Ettercap and bruteforcing FTP passwords with Hydra. It emphasizes how virtualization allows one to practice hacking legally and provides further learning resources.
Corporate Espionage without the Hassle of Committing FeloniesJohn Bambenek
Thotcon Presentation by John Bambenek on how some security solutions are leaking sensitive data to the internet making it easy to spy on individuals and companies without breaking any laws.
This document discusses malware collection and analysis conducted at the DSNSLab at NCTU. It introduces the lab director, Professor Xie Zhiping, and outlines the lab's research areas including malware analysis, virtual machines, digital forensics, and network security. It then provides an overview of the Secmap platform for automated malware analysis and collection. Methods of malware collection discussed include disk forensics, web crawling, shared repositories, email, and honeypots.
Stuxnet was a sophisticated malware targeting industrial control systems that was attributed to nation-state sponsorship. The document discusses techniques for attributing malware through analysis of exploits, code quality, debug symbols, and automation. Attribution aims to profile adversary capabilities and differentiate between state-sponsored and criminal actors. Analysis of Stuxnet found use of older vulnerabilities, custom payloads, and insider knowledge of target systems, suggesting a high level of technical skill and resources from a nation state.
You have spent a ton of money on your security infrastructure. But how do you string all those things together so you can achieve your goals of reducing time to response, detecting, preventing threats. And most importantly, having your security team serve your business and mission. Learn how to organize your security resources to get the best benefit. See a live demonstration of operationalizing those resources so your security teams can do more for your organization.
TeelTech - Advancing Mobile Device Forensics (online version)Mike Felch
This document provides an overview of a training on advancing mobile device forensics through reverse engineering and programming techniques. It discusses how traditional forensic tools are becoming less effective at recovering data from newer devices and applications that are designed for privacy. The training will demonstrate extracting artifacts from a raw device image using a hex editor and Python scripts. It also outlines a simulated criminal investigation involving the murder of a victim, and how analyzing the digital evidence from the victim and suspect's mobile phones through these new techniques revealed deleted messages that are relevant to the case.
Talk Venue: BSides Tampa 2020
Speakers: Mike Felch & Joff Thyer
This talk will focus on the many different ways that a penetration tester, or Red Teamer can leverage the Python programming language during offensive operations. Python is a rich and powerful programming language which above all else allows a competent developer to very quickly write new tools that might start as a Proof of Concept, but soon become an invaluable addition to the Red Teamer's tool-belt. Having the skills to both generate new tools, and modify existing tools on the fly is critically important to agility during testing engagement. Everything from utility processing of data, network protocol, API interaction, and exploit development can be rapidly developed due to the high functionality level and intuitive nature of Python.
This document provides information about the speaker, including their name, contact information, work experience, projects, and interests. They are a security researcher who previously worked as a VA and now works for HP Application Security Center. They enjoy talking about hacking and drinking beer and gin and tonics. The document also outlines an upcoming workshop they will be conducting on web hacking tools and techniques.
For organizations and individuals with limited security budgets, successfully hunting for cyber adversaries can be a daunting challenge. Threat Intelligence can be expensive and sometimes
nothing more than IoCs or blacklists. In this talk, Endgame’s threat research team will present a series of techniques that can enable organizations to leverage free or almost-free sources of
data and open-source tools to “hunt on the cheap.” They’ll explain how to: retrieve attackers’ tools from globally distributed honeynets that look like your organization or a juicy launching
point to attackers; enrich the data past basic file/tool hashes to identify malicious command and control IPs/domains through automated binary analysis using open-source sandboxes and tools; and use passive DNS data to identify active infections and enrich existing data sets. Attendees will learn how to apply these three techniques to hunt for adversaries within their own
networks. They will also learn about the various open-source solutions available, such as graph databases, that make these techniques inexpensive and within the scope of many organizations.
Anjum Ahuja, Senior Threat Researcher, Endgame
Jamie Butler, Chief Scientist, Endgame
Andrew Morris, Threat Researcher, Endgame
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...Andrew Morris
In this talk, I'll be discussing my experience developing intelligence-gathering capabilities to track several different independent groups of threat actors on a very limited budget (read: virtually no budget whatsoever). I'll discuss discovering the groups using open source intelligence gathering and honeypots, monitoring attacks, collecting and analyzing malware artifacts to figure out what their capabilities are, and reverse engineering their malware to develop the capability to track their targets in real time. Finally, I'll chat about defensive strategies and provide recommendations for enterprise security analysts and other security researchers.
This document provides information about a 2-day training course on exploiting injection flaws. It discusses the agenda which includes hands-on exercises covering SQL injection, LDAP injection, ORM injection, XPath injection and combining XXE and XPath. The trainer, Sumit Siddharth, is an expert in application and database security with over 8 years experience who has spoken at several security conferences. The course aims to help attendees think outside the box to find issues that tools may miss through practical CTF exercises.
Andrew Morris collected malware samples over the weekend using Dionaea and JBoss honeypots. The Dionaea honeypot captured over 100 Conficker malware samples exploiting Windows SMB vulnerabilities. The JBoss honeypot was infected by the ZECMD worm within 24 hours, exploiting exposed JMX consoles. Both provided real-world malware samples for analysis without risking other systems on Morris' network. He offered to collaborate on further manual analysis of the samples.
Designing Malware for Modern Red Team and Adversary Tradecraft.
Why using python for building malware?
Lesson learn and consideration.
as presented in PyCon ID 2021 (05/12/2021)
This document discusses anatomy of cloud hacks by analyzing past data breaches and vulnerabilities. It begins by looking at known attacks where compromised infrastructure was based in the cloud. Specific case studies of attacks on Code Spaces, Olindata, and Tesla are described. The document then covers techniques for enumerating cloud services and resources like storage containers. Methods for gaining an initial foothold like leaked credential hunting and exploiting server-side request forgery are also outlined.
ANALYZE'15 - Bulk Malware Analysis at ScaleJohn Bambenek
This document discusses extracting malware configurations at scale. It describes the large number of new malware samples seen daily and challenges with keeping up through traditional analysis methods. The author proposes automating extraction of configurations from remote access trojans (RATs) to more efficiently gather intelligence. Tools are introduced that can statically extract configurations from over 30 RAT types. A system is designed to intake large volumes of samples, use these tools to extract configurations, and output the data to a database for further analysis. The goal is to gain more insight into actors through common configuration elements like command and control domains even as they change tools.
Red Team Tactics for Cracking the GSuite PerimeterMike Felch
As more corporations adopt Google for providing cloud services they are also inheriting the security risks associated with centralized computing, email and data storage outside the perimeter. In order for pentesters and red teamers to remain effective in analyzing security risks, they must adapt techniques in a way that brings value to the customer.
In this presentation we will begin by demonstrating adaptive techniques to crack the perimeter of Google Suite customers. Next, we will show how evasion can be accomplished by hiding in plain-sight due to failures in incident response plans. Finally, we will also show how a simple compromise could mean collateral damage for customers who are not carefully monitoring these cloud environments.
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
BSides Las Vegas 2016 Talk: Powershell-fu: Hunting on the Endpoint. Presented the PSHunt framework (which will be released on Github) and methodology for hunting on the endpoint using Powershell across an enterprise or on an individual system.
2012 B-Sides and ToorCon Talk Offensive Defense
Blog Post - http://blog.ioactive.com/2013/01/offensive-defense.html
Cyber-criminals have had back-end infrastructures equivalent to Virus Total to test if malware and exploits are effective against AV scanners for many years, thus showing that attackers are proactively avoiding detection when building malware. In this day of age malicious binaries are generated on demand by server-side kits when a victim visits a malicious web page, making reliance solely on hash based solutions inadequate. In the last 15 years detection techniques have evolved in an attempt to keep up with attack trends. In the last few years security companies have looked for supplemental solutions such as the use of machine learning to detect and mitigate attacks against cyber criminals. Let's not pretend attackers can't bypass each and every detection technique currently deployed. Join me as I present and review current detection methods found in most host and network security solutions found today. We will re-review the defense in depth strategy while keeping in mind that a solid security strategy consists of forcing an attacker to spend as much time and effort while needing to know a variety of skills and technologies in order to successfully pull off the attack. In the end I hope to convince you that thinking defensively requires thinking offensively.
The document discusses the path of cyber security and how to become a hacker or security professional. It outlines the typical steps of penetration testing: reconnaissance and analysis, vulnerability mapping, gaining access, privilege escalation, maintaining access, and covering tracks. It recommends starting with networking and programming skills, focusing on an area of expertise like web security, participating in competitions and creating a practice lab to learn. The presenter gives demonstrations on vulnerable VMs and recommends courses, CTF competitions, and building your own lab to advance your skills in security research, tool development, and operations.
Keeping Up with the Adversary: Creating a Threat-Based Cyber TeamPriyanka Aash
With advanced cyber-actors evolving quickly and becoming more stealthy, it has become imperative to question the status quo of our existing cyber-operations. This session will outline how a case study and incident response led to changes in focus and philosophy and how that changed the structure of Defensive Cyber Operations.
(Source: RSA Conference USA 2017)
Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...PaloAltoNetworks
Palo Alto Networks Live Community Senior Engineers Tom and Joe present best security practices at the Fuel Spark event in London. For more details, please visit: https://live.paloaltonetworks.com/t5/Community-Blog/Live-Community-team-at-Spark-User-Summit-London/ba-p/153182
Hack Attack! An Introduction to Penetration TestingSteve Phillips
This document provides an introduction to penetration testing and ethical hacking. It discusses how hacking can be done ethically through penetration testing with permission. It outlines the stages of a hacker's skills from script kiddie to uberhacker. Popular programming languages for creating hacking tools like C, Python, and Ruby are also mentioned. The document demonstrates some hacking tools in BackTrack Linux like sniffing passwords with Ettercap and bruteforcing FTP passwords with Hydra. It emphasizes how virtualization allows one to practice hacking legally and provides further learning resources.
Corporate Espionage without the Hassle of Committing FeloniesJohn Bambenek
Thotcon Presentation by John Bambenek on how some security solutions are leaking sensitive data to the internet making it easy to spy on individuals and companies without breaking any laws.
This document discusses malware collection and analysis conducted at the DSNSLab at NCTU. It introduces the lab director, Professor Xie Zhiping, and outlines the lab's research areas including malware analysis, virtual machines, digital forensics, and network security. It then provides an overview of the Secmap platform for automated malware analysis and collection. Methods of malware collection discussed include disk forensics, web crawling, shared repositories, email, and honeypots.
Stuxnet was a sophisticated malware targeting industrial control systems that was attributed to nation-state sponsorship. The document discusses techniques for attributing malware through analysis of exploits, code quality, debug symbols, and automation. Attribution aims to profile adversary capabilities and differentiate between state-sponsored and criminal actors. Analysis of Stuxnet found use of older vulnerabilities, custom payloads, and insider knowledge of target systems, suggesting a high level of technical skill and resources from a nation state.
You have spent a ton of money on your security infrastructure. But how do you string all those things together so you can achieve your goals of reducing time to response, detecting, preventing threats. And most importantly, having your security team serve your business and mission. Learn how to organize your security resources to get the best benefit. See a live demonstration of operationalizing those resources so your security teams can do more for your organization.
This presentation will provide an overview of what a penetration test is, why companies pay for them, and what role they play in most IT security programs. It will also include a brief overview of the common skill sets and tools used by today’s security professionals. Finally, it will offer some basic advice for getting started in penetration testing. This should be interesting to aspiring pentesters trying to gain a better understanding of how penetration testing fits into the larger IT security world.
Additional resources can be found in the blog below:
https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers
More security blogs by the authors can be found @
https://www.netspi.com/blog/
Big problems with big data – Hadoop interfaces securitySecuRing
Did "cloud computing" and "big data" buzzwords bring new challenges for security testers?
Apart from complexity of Hadoop installations and number of interfaces, standard techniques can be applied to test for: web application vulnerabilities, SSL security and encryption at rest. We tested popular Hadoop environments and found a few critical vulnerabilities, which for sure cast a shadow on big data security.
Zeronights 2015 - Big problems with big data - Hadoop interfaces securityJakub Kałużny
Did "cloud computing" and "big data" buzzwords bring new challenges for security testers?
Apart from complexity of Hadoop installations and number of interfaces, standard techniques can be applied to test for: web application vulnerabilities, SSL security and encryption at rest. We tested popular Hadoop environments and found a few critical vulnerabilities, which for sure cast a shadow on big data security.
The document discusses container vulnerability management. It describes the attacker model and how attackers exploit vulnerabilities. It emphasizes that open source code has less security support than closed source commercial code. The document outlines how to secure container contents and environment through techniques like enabling Linux security modules, using a minimal OS, and limiting privileges. It recommends verifying the trustworthiness of container sources and checking for vulnerable open source components. Black Duck software is introduced as a tool to analyze open source usage and risks.
The How and Why of Container Vulnerability ManagementTim Mackey
As presented at OpenShift Commons Sept 8, 2016.
Cyber threats consistently rank as a high priority for data center operators and their reliability teams. As increasingly sophisticated attacks mount, the risk associated with a zero-day attack is significant. Traditional responses include perimeter monitoring and associated network defenses. Since those defenses are reactive to application issues attackers choose to exploit, it’s critical to have visibility into both what is in your container library, but also what the current state of vulnerability activity might be. Current vulnerability information for container images can readily be obtained by using the scan action on Atomic hosts in your OpenShift Container Platform.
In this session we’ll cover how an issue becomes a disclosed vulnerability, how to determine the risk associated with your container usage, and potential mitigation patterns you might choose to utilize to limit any potential scope of compromise.
I'm Ian. I do that geek thing.
This is an introductory deck on why an SDL or quality/secure software program is a good idea.
I can be found here:
http://gorrie.org
@gorrie
Detection of webshells in compromised perimeter assets using ML algorithms Rod Soto
Rod Soto and Joseph Zadeh discuss detecting webshells in compromised perimeter assets using machine learning algorithms. They define webshells and how they are commonly used by attackers to gain access to networks. Two approaches are described for detecting webshells using ML: global models that analyze overall asset behavior, and local models that examine individual web server content and traffic patterns. Detecting deviations from normal behavior across both local and global views can help identify compromised assets with webshells.
Scott Sutherland discusses penetration testing thick applications. He explains why these applications create unique risks compared to web applications due to users having full control over the application environment. This allows attacks on trusted components, exposure of data and admin functions, and privilege escalation. Sutherland outlines the goals and process for testing thick applications, including common architectures, accessing the application, and testing the application's GUI, files, registry, network traffic, memory, and configurations to identify vulnerabilities.
Red Team: Emulating Advanced Adversaries in CyberspaceDon Anto
The document describes the phases of a red team engagement to emulate advanced cyber adversaries:
1. Initial reconnaissance of the target organization is performed to identify attack vectors. Weaponization then involves setting up command and control infrastructure and payloads.
2. The exploit phase delivers the payload to obtain an initial foothold, such as through social engineering or exploiting public servers.
3. Once on the network, control is established by installing simulated malware to maintain presence and facilitate information gathering for privilege escalation.
4. Escalation involves compromising highly privileged accounts like domain administrators. Internal reconnaissance then focuses on the red team's objectives and lateral movement before completing the assigned missions.
Secure Application Development in the Age of Continuous DeliveryTim Mackey
As delivered at LinuxCon and ContainerCon in Berlin 2016.
Traditionally, when datacenter operators talk about application security, they've tended to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques.
The reality is, secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment of micro-services, it’s imperative to focus efforts on what attackers’ view as vulnerable; particularly in an environment where new exploits are being disclosed almost daily.
In this session we’ll present:
• How known vulnerabilities can make their way into production deployments
• How deployment of vulnerable code can be minimized
• How to determine the vulnerability status of a container
• How to determine the risk associated with a specific package
As delivered by Tim Mackey, Senior Technical Evangelist - Black Duck Software, at LinuxCon and ContainerCon in Berlin 2016.
Traditionally, when datacenter operators talk about application security, they've tended to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques.
The reality is, secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment of micro-services, it’s imperative to focus efforts on what attackers’ view as vulnerable; particularly in an environment where new exploits are being disclosed almost daily.
In this session we’ll present:
• How known vulnerabilities can make their way into production deployments
• How deployment of vulnerable code can be minimized
• How to determine the vulnerability status of a container
• How to determine the risk associated with a specific package
[CONFidence 2016] Jakub Kałużny, Mateusz Olejarka - Big problems with big dat...PROIDEA
Did "cloud computing" and "big data" buzzwords bring new challenges for security testers? In this presentation I would like to show that penetration testing of Hadoop installation does not really differ much from any other application. Apart from complexity of the installation and number of interfaces, standard techniques can be applied to test for: web application vulnerabilities, SSL security, encryption at rest, obsolete libraries bugs and least privilege principle. We tested popular Hadoop environments and found few critical vulnerabilities, which for sure cast a shadow on big data security. So as not to stop with CVE shooting, we would like to show you our approach of testing big data installations and few ideas of how to keep them secure.
This document introduces tools and techniques for preliminary malware analysis. It discusses examining malware behavior through static analysis, behavioral tracing, and sandboxing. Specific tools are presented for observing malware snapshots, tracing its behavior, and containing it in a sandbox. Process-based and stealthy malware are discussed, along with vulnerabilities of rootkits and tools for rootkit detection. The goal is to present a model for beginning reverse engineering of malware through observation and experimentation in a contained environment.
This document summarizes a presentation on advanced Android app security testing. The presentation covers Frida and Xposed frameworks for bypassing security protections like root checks, SSL pinning, and secret codes. It then compares Frida and Xposed frameworks and outlines techniques for protecting apps, including code hardening, runtime application self-protection (RASP), and code optimization.
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...AI Frontiers
The progress of AI in the last decade has seemed almost magical. But we will discuss the unique challenges posed by Security and what makes this domain the biggest challenge for AI. Reporting from the frontlines, we will describe the deployment of large-scale production-grade AI systems to combat security breaches, using lessons learned at Avast from defending over 400 million consumers every single day. Topics will cover the recent AI advancements in file-based anti-malware solutions, behavior-based on-device solutions, and network-based IoT security solutions.
Engineering Presentation for Careers@DirectiDirecti Group
Directi is a company that provides various web services and products including crawling domains, powering websites, and serving ads. They deal with complex challenges at large scale using technologies like Cassandra, Redis, Hadoop and more. As an engineer at Directi, one would work on large networking and collaboration applications, analyze terabytes of data, and design scalable systems.
1. External to DA, the OS X Way
Operating in an OS X-heavy environment
2. Contents
Introduction
Overview
Tradecraft Preparation
Challenges
The Agent
Phishing
Situational Awareness: Host Enumeration
Privilege Escalation
Persistence
Situational Awareness: Network and User Enumeration
Lateral Movement
3. Introductions
Alex Rymdeko-Harvey is a previous US Army Solider that recently
transitioned and currently works at the Adaptive Threat Division at Veris
Group as a Penetration Tester and Red Teamer. Alex has a wide range of
skills and experience from offensive and defensive operations taking place
in today's security surface.
Steve Borosh is a long-time security enthusiast. Prior: U.S. Army Infantry
Combat Veteran and private security contractor. Currently working as a
Penetration Tester, Red Teamer and Instructor with Veris Group’s Adaptive
Threat Division. Steve enjoys bug hunting, building useful security tools and
teaching.
4. Overview
• Typical penetration tests cover Windows / Linux
• Assessments become mundane
• Client approaches with a large OS X user-base
• Use common methodologies with new tools and techniques
adapted for OS X
• Utilize EmPyre, a Remote Access Trojan based of of the Empire
framework
5. Adversarial Use
• WireLurker (Trojanized applications, Infects connected ios devices)
• XcodeGhost (Infected xcode package in China)
• Hacking Team (Remote Code Systems compromise platform)
• OceanLotus (Flash Dropper, Download Mach-O binary)
• KeRanger (Ransomware, Infected transmission package)
6. The Scenario
• A client requests an external penetration test against their corporate
infrastructure.
• Phishing with payloads may be conducted with email addresses
harvested from publicly available sources.
• 90% of users utilize OS X with several developers using Windows
7. Scenario: Goals
• Phish OS X users
• Elevate local privileges
• Move Laterally if needed
• Gain control of the Active Directory domain
8. Tradecraft Preparation
• Planning and Preparation
• Right tools for the job
• Live off the land
• pbpaste
• screencapture
• Native vs Non-Native
• Methodology
• Reconnaissance
• Exploitation (gain access)
• Sitiuational Awareness
• Escalate Privileges
• Establish Persistence
• Lateral Movement
Gain
Access
Situational
Awareness
Escalate
Privileges
Establish
Persistence
Lateral
Movement
9. Challenges
Limited information on operating in OS X environments
No open-sourced asynchronous Remote Access Trojan (RAT)
Lateral Spread
OS X/Linux
Windows
Less phishing payloads available
No OLE
Less executable types
11. The Agent: EmPyre
Remote Access Trojan (RAT)
Python (core developed by @harmj0y) based on the Empire project
Asynchronous / C2
Secure Diffie-Hellman exchange communications
Post-Exploitation modules
OS X/Linux
Launcher detects Little Snitch
12. The Agent: EmPyre
The Diffie Hellman implementation is from Mark Loiseau's project at
https://github.com/lowazo/pyDHE, licensed under version 3.0 of the
GNU General Public License.
The AES implementation is adapted from Richard Moore's project at
https://github.com/ricmoo/pyaes, licensed under the MIT license.
16. Situational Awareness: Host
Previous Tradecraft
PowerShell
WMI
PowerUp
Cobalt Strike Beacon modules
Meterpreter modules
The core of knowing your land
How do we priv-esc?
19. Situational Awareness: Clipboard Monitoring
Non-Native method
Native pbpaste may be
signatured by Carbon Black
Out to file
20. Situational Awareness: Keychain Dump
Cleartext Keychain
Dump
Versions Prior to OS X El
Capitan
Inspired / Adapted from
Juuso:
https://github.com/juuso
/keychaindump
21. Situational Awareness: Search Messages
Scrapes Message.app DB
iMessage, Jabber, Google Talk,
Yahoo, AIM
Enumerate X messages
Account
Service
Number
message
43. Honorable Mention: REST API
EmPyre implements the same RESTful API specification as Empire
https://github.com/PowerShellEmpire/Empire/wiki/RESTful-API
External users/projects can fully control an EmPyre server in a
predictable way REST requests
This opens the possibility for web front ends, Android apps, multi-
player CLI UIs, and more
44. What’s next
Socks Proxy
Community Modules
More Exploitation Modules
Merge with Empire
Thanks to @harmj0y, @xorrior, @CptJesus for their contributions to this
effort!
Editor's Notes
Steve starts talking
Introduce ourselves
As a Penetration Tester or Red Teamer, the path to Domain Administrator in many environments may seem all too easy or “cookie cutter” these days. But what happens when you engage a high-security client with an OS X-heavy environment? Do you turn down the engagement or accept the challenge and up your game?
This talk explores such a scenario and how testers can utilize various tools, techniques, and lessons-learned to successfully perform a complete assessment in an OS X domain-joined environment. We will cover a custom-built OS X/Linux agent and its associated tradecraft, from gaining initial access, to post-exploitation, lateral spread, persistence, and domain compromise.
Keep in mind, methodologies stay the same for OS X, tradecraft may change. Explain such as “How do we gain access in OS X”? SSH/Phishing.
Different operating systems present their own lateral spread challenges. (linux: no smb, wmi, powershell) (Windows: no ssh, OS X doesnt have net commands)
Alex Start
Familiar interface for Empire users.
Currently ,we have two payloads for phishing.
Talk about tradecraft as a whole,
This is post exploitation enumeration
Keychain Dump - No el Capitan YET
Currently saves to target in an unencrypted format.
Talk about how messages are stored unencrypted in a database
Currently, only dumps history. Useful for hunting internal web services.
Steve Starts
Utilizes “ldapsearch” for AD enumeration
In order to perform LDAP queries we’ll need to start off by finding the domain controller that we are going to bind our LDAP queries to. One quick solution is a single nslookup query.
During most penetration tests, you may find yourself moving from host to host using common techniques such as PSEXEC, WMI or RDP. Operating in an OS X environment presents challenges as these methods may not be available.