The document discusses techniques for capturing network traffic and system logs to detect security incidents in large networks. It describes how to capture traffic using libpcap, nfqueue, and DAQ. It also discusses challenges like fragmentation and the need to decode protocols. For logs, it highlights weaknesses like signature-based detection and the importance of normalized, unconfigurable logs. It introduces CUDA and NetGPU for GPU-accelerated traffic processing and visualization tools like SecViz and Circos for analyzing large datasets. The conclusion emphasizes that visualization can help solve the problem of events getting lost in noise and overcome technical limitations of current detection approaches.
Type of DDoS attacks with hping3 example, by Himani Singh
This document summarizes common DDoS attack types and how to execute them using hping3 or other tools. It describes application layer attacks like HTTP floods, protocol attacks like SYN floods, volumetric attacks like ICMP floods, and reflection attacks. It then provides commands to execute various TCP, UDP, ICMP floods and other DDoS attacks using hping3 by spoofing addresses, modifying flags, and targeting ports. Layer 7 attacks exploiting HTTP requests are also summarized.
Applied Detection and Analysis with Flow Data - SO Con 2014, by chrissanders88
The document discusses using network flow data for applied detection and analysis. It describes how to collect flow data using tools like SiLK, analyze the data using rwfilter, rwstats and other SiLK tools, and use the results for detection via visualizations with FlowPlotter and intelligence gathering. Flow data provides benefits like small data footprint and scalability compared to full packet capture.
The document summarizes a presentation given by Raffael Marty at DefCon 13 in Las Vegas on visual security event analysis. It discusses how event graphs can be used for real-time monitoring, forensic and historical analysis by visually representing relationships between events and entities. Specific examples shown include using graphs to analyze firewall activity, network scans, port scans, load balancers, and a capture the flag exercise from DefCon 2004.
Here are a few things you can typically get from SNMP queries:
- System information - OS name, version, uptime, hardware details
- Network configuration - IP addresses, subnet masks, default gateways
- Interface statistics - traffic volumes, errors
- Storage information - disk space usage, volumes
- Processor load and usage
- Memory usage
- Running services and processes
- Temperature, fan speeds (for hardware devices)
SNMP exposes a wealth of system monitoring data that can provide insights into what's running and how devices are configured. However, it's generally not a good idea to run unauthenticated SNMP scans, as it could reveal sensitive information or even enable configuration changes if default community strings are used.
This document discusses BPF (Berkeley Packet Filter), a mechanism for filtering network packets on Linux. BPF allows defining filters using an instruction set that is executed against packets to determine whether to accept or drop them. The document provides an overview of how BPF works, demonstrates simple BPF filters, and discusses using BPF for packet filtering and for other applications like seccomp.
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu..., by Maksim Shudrak
The document discusses using coverage-guided fuzzing to find bugs in modern malware. It begins with an introduction and motivation for using fuzzing techniques on malware. It then provides an overview of coverage-guided fuzzing and how it works. Several case studies are presented where coverage-guided fuzzing was used to find vulnerabilities in popular malware samples like Mirai.
The BPF (Berkeley Packet Filter) mechanism was first introduced in Linux in 1997, in version 2.1.75. It has seen a number of extensions over the years. Recently, in versions 3.15 - 3.19, it received a major overhaul which drastically expanded its applicability. This talk will cover how the instruction set looks today and why: its architecture, capabilities, interface, and just-in-time compilers. We will also talk about how it is being used in different areas of the kernel, like tracing and networking, and about future plans.
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and..., by Maksim Shudrak
Fuzzing remains the most effective technique for bug hunting in memory-unsafe programs. Last year, hundreds of security papers and talks on fuzzing were published, and dozens of them focused on adapting or improving American Fuzzy Lop in some way. Attractive for its simplicity and efficiency, AFL is the number one choice for the vast majority of security researchers. This high popularity means that hunting for bugs with AFL or a similar tool is becoming less and less fruitful, since many projects are already covered by other researchers. It is especially hard when we talk about a project participating in the Google OSS-Fuzz program, which utilizes AFL to generate half a trillion test cases per day.
In practice, this means that we cannot blindly rely on AFL anymore and should search for better fuzzing techniques. In order to overcome this challenge, we need to understand how AFL and similar fuzzers work and be able to use their weaknesses to find new 0-days. This talk aims to discuss these weaknesses on real examples, explain how we can do fuzzing better, and release a new open-source fuzzer called Manul.
Manul is a highly scalable coverage-guided parallel fuzzer with the ability to search for bugs in open-source and black-box binaries on Windows and Linux. Manul was able to find 10 0-days in 4 widely-used projects that had been extensively tested by AFL. These vulnerabilities were not found by chance, but by analyzing and addressing issues that exist in AFL. The authors will show several of the most critical vulnerabilities and explain why AFL overlooked them.
This talk will be of interest to experienced hackers who are willing to improve their bug hunting capabilities, as well as to new researchers who are making their first steps on the thorny trail of bug hunting.
The document discusses the nmap scanning tool and provides examples of using its basic scanning options. Nmap can scan for open ports on TCP, UDP, and other protocols. It can detect operating systems, banner-grab services to identify software versions, and has options for port scanning, ping scanning entire networks, and more. Scripting options allow tasks like brute force attempts, information gathering, and vulnerability scanning.
How You Will Get Hacked Ten Years from Now, by julievreeland
1. The document discusses how the assumption of scarcity is built into many current security models and products but may not apply in an internet with abundant resources.
2. It notes that a post-scarcity internet will require new trust models for both clients and servers as current infrastructure changes.
3. The document outlines several changes required for IPv6, including new protocols, packet formats, and address configuration methods that could introduce new vulnerabilities.
Linux Traffic Control allows administrators to control network traffic through mechanisms like shaping, scheduling, classifying, policing, dropping and marking. It uses components like queuing disciplines (qdiscs), classes, filters, and actions. The tc command can be used to configure these components by adding, changing or deleting traffic control settings on network interfaces.
This document discusses secure coding practices related to timing attacks, random number generation, and string security. It provides examples of vulnerabilities in Java timing attacks, OpenSSL and .NET random number generation, and recommendations for using cryptographically secure random number generators and constant time comparisons to mitigate timing attacks.
ebpf and IO Visor: The What, how, and what next!, by Affan Syed
Extended BPF (eBPF) provides a mechanism for running custom programs inside the Linux kernel that can be used for filtering network packets, monitoring system activity, and more. eBPF programs are written in a restricted subset of C and compiled to bytecode that is verified by the kernel for safety before being run. The BCC toolkit makes it easier to write and load eBPF programs. The IO Visor project aims to further develop eBPF and provide tools and use cases for networking, security, and system tracing applications.
SOSCON 2019.10.17
What are the methods for packet processing on Linux, and how fast is each of them? In this presentation, we will learn how to handle packets on Linux (user space, socket filter, netfilter, tc) and compare their performance, with an analysis of where in the network stack each kind of packet processing is done (its hook point). We will also discuss packet processing using XDP, an in-kernel fast path recently added to the Linux kernel. eXpress Data Path (XDP) is a high-performance programmable network data path within the Linux kernel. XDP sits at the lowest level of the network stack that software can access, the point at which the driver receives the packet. By using the eBPF infrastructure at this hook point, the network stack can be extended without modifying the kernel.
Daniel T. Lee (Hoyeon Lee)
@danieltimlee
Daniel T. Lee currently works as a Software Engineer at Kosslab and contributes to the Linux kernel BPF project. He is interested in cloud, Linux networking, and tracing technologies, and likes to analyze the kernel's internals using BPF technology.
This document discusses packet sniffing and ways to detect and prevent it. Packet sniffing involves using a packet sniffer tool to analyze network traffic. While switches make sniffing more difficult than hubs by only sending packets to their intended recipients, sniffing attacks such as ARP spoofing are still possible. The document outlines techniques for sniffing detection such as ARP cache poisoning and tools like Arpwatch. It also recommends prevention methods including port security, authentication, encryption, and secure protocols.
Introduction to Memory Exploitation (CppEurope 2021), by Patricia Aas
Stack-based exploitation has gotten all the fame, but many platform and compiler mitigations have made it very hard to exploit stack vulnerabilities. Heap-based exploits are still very relevant, and since this is black magic for most developers, I will give an introduction to the field here.
Netcat (nc) is a networking utility that can be used to transfer files, run commands remotely, and scan ports on remote systems. It allows establishing TCP and UDP connections to ports on remote systems. The document provides examples of using nc to scan ports, transfer files between systems, set up reverse shells, and perform basic network tasks and administration. Google dorking techniques are also presented for searching websites and finding specific pages or files using keywords, titles, and URLs. The Whois tool is demonstrated to query registration records for domain names and obtain information like registrar, IP address, and name servers.
BPF: Next Generation of Programmable Datapath, by Thomas Graf
This session covers lessons learned while exploring BPF to provide a programmable datapath and discusses options for OVS to leverage the technology.
This document summarizes a three-part challenge involving cracking a MIPS binary, exploiting a Python/XXE vulnerability in a web application, and decrypting messages from a SecureDrop-like system. The MIPS binary is cracked by inverting its password checking algorithm. The web app is exploited via XXE to retrieve files containing an admin URL and view state details. Python code is modified at runtime to decrypt an AES key and access a "secret.key" file. This key reveals a tarball containing a SecureDrop implementation. A buffer overflow in SecDrop's service is used to run shellcode. Timing attacks via the CPU cache are then used to retrieve the private RSA key and decrypt messages stored by the SecureDrop-
Chromium Sandbox on Linux (BlackHoodie 2018), by Patricia Aas
The Linux Security and Isolation APIs have become the basis of some of the most useful features server-side, providing the isolation required for efficient containers. However, these APIs also form the basis of the Chromium Sandbox on Linux, and we will study them in that context in this talk.
This document discusses use-after-free attacks and ways to prevent them. It begins with an introduction to dynamic memory allocation and how freed memory can be reallocated. It then explains how dangling pointers can be used to hijack memory and execute arbitrary code through use-after-free vulnerabilities. Several real-world examples are provided. The document discusses various techniques programmers can use to prevent these attacks, such as smart pointers, immediately nullifying freed pointers, and compiler security checks. It also covers operating system defenses like Control Flow Guard on Windows and AddressSanitizer on Linux. The talk concludes with recommendations on comprehensive mitigations through secure coding practices and system hardening.
How HeadHunter managed to safely violate RFC 793 (TCP) and bypass network tr..., by Ontico
At some point the world's 3rd largest job site began to go down periodically for several minutes. The surprise was that this time it really was because of the network.
To scale its services and their interaction with each other, hh.ru uses an internal load balancer. 5 servers running nginx handle 25 thousand requests per second. Requests to these servers are balanced by a switch.
I will talk about how we investigated a series of incidents caused by a violation of the TCP protocol during load balancing, and what we came up with in order to keep violating it with impunity.
How HeadHunter managed to safely violate RFC 793 (TCP) and bypass network tr..., by Андрей Шорин
At some point the world's 3rd largest job site began to go down periodically for several minutes. The surprise was that this time it really was because of the network.
To scale its services and their interaction with each other, hh.ru uses an internal load balancer. 5 servers running nginx handle 25 thousand requests per second. Requests to these servers are balanced by a switch.
I will talk about how we investigated a series of incidents caused by a violation of the TCP protocol during load balancing, and what we came up with in order to keep violating it with impunity.
[Blackhat EU'14] Attacking the Linux PRNG on Android and Embedded Devices, by srkedmi
This document discusses attacking the Linux pseudo-random number generator (PRNG) on Android and embedded devices. It begins by motivating the attack by describing a previous vulnerability discovered in the Android keystore. It then provides an overview of the Linux PRNG and describes how an attacker could reconstruct the PRNG's internal state by simulating PRNGs with different seeds and comparing the results to values leaked from the real PRNG. It discusses problems with mounting the attack and where leaks could be obtained, such as during the kernel or platform boot process. It then describes a local attack method that uses malware to obtain a PRNG seed and bypass stack canary protection.
This document summarizes the /etc/services file, which defines network services and their associated port numbers. It notes that the file contains services defined by IANA in the Assigned Numbers registry, including well-known ports from 0-1023, registered ports from 1024-49151, and dynamic/private ports from 49152-65535. Each entry lists the service name, port number, transport protocol, and optional comments or aliases.
john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Later, by Positive Hack Days
Speaker: Alexey Cherepanov
The speed of hash cracking is growing. The number of hashing algorithms is growing too. The amount of work needed to maintain a universal cracking tool is increasing as well. In response, john-devkit was developed: an improved code generator for the well-known password cracking application John the Ripper. john-devkit contains more than 100 hash types. The speaker will cover the key aspects of its use: separation of algorithms, optimization and output for various devices, a simple intermediate representation of hashing algorithms, the difficulties of optimizing for humans and for machines, bitslicing, and a comparison of processing speeds.
The document describes an automated tool called ipsnapshoter that detects misconfigured HTTP services. It scans IP addresses and ports, uses Nmap to find available hosts, takes screenshots of server responses using EyeWitness, and publishes the results in an HTML report. The tool is designed to help security testers identify vulnerabilities by visually exploring misconfigurations before malicious actors do. It is written in Python and uses Nmap, EyeWitness, and a simple HTTP server to efficiently scan thousands of addresses and generate consolidated reports.
This document discusses network emulation using tc. It begins with an agenda that covers why emulation is useful, what aspects of a network can be emulated, how tc works, how to do emulation with tc, a comparison of tc to Nistnet and WANem, and references for further information. It then goes into detail on each agenda item, providing explanations of concepts like qdiscs, classes, filters, and examples of using tc for tasks like bandwidth emulation, delay/jitter emulation, and loss emulation. The key advantages and limitations of Nistnet and WANem are also outlined.
Unmasking Careto through Memory Forensics (video in description), by Andrew Case
My presentation from SecTor 2014 on analyzing the sophisticated Careto malware with memory forensics & Volatility
Video here: http://2014.video.sector.ca/video/110388398
Provenance for Data Munging Environments, by Paul Groth
Data munging is a crucial task across domains ranging from drug discovery and policy studies to data science. Indeed, it has been reported that data munging accounts for 60% of the time spent in data analysis. Because data munging involves a wide variety of tasks using data from multiple sources, it often becomes difficult to understand how a cleaned dataset was actually produced (i.e. its provenance). In this talk, I discuss our recent work on tracking data provenance within desktop systems, which addresses problems of efficient and fine-grained capture. I also describe our work on scalable provenance tracking within a triple store/graph database that supports messy web data. Finally, I briefly touch on whether we will move from ad hoc data munging approaches to more declarative knowledge representation languages such as Probabilistic Soft Logic.
Presented at Information Sciences Institute - August 13, 2015
The document discusses the nmap scanning tool and provides examples of using its basic scanning options. Nmap can scan for open ports on TCP, UDP, and other protocols. It can detect operating systems, banner grab services to identify software versions, and has options for port scanning, ping scanning entire networks, and more. Scripting options allow tasks like brute force attempts, information gathering, and vulnerability scanning.
How You Will Get Hacked Ten Years from Nowjulievreeland
1. The document discusses how the assumption of scarcity is built into many current security models and products but may not apply in an internet with abundant resources;
2. It notes that a post-scarcity internet will require new trust models for both clients and servers as current infrastructure changes;
3. The document outlines several changes required for IPv6 including new protocols, packet formats, and address configuration methods that could introduce new vulnerabilities.
Linux Traffic Control allows administrators to control network traffic through mechanisms like shaping, scheduling, classifying, policing, dropping and marking. It uses components like queuing disciplines (qdiscs), classes, filters, and actions. The tc command can be used to configure these components by adding, changing or deleting traffic control settings on network interfaces.
This document discusses secure coding practices related to timing attacks, random number generation, and string security. It provides examples of vulnerabilities in Java timing attacks, OpenSSL and .NET random number generation, and recommendations for using cryptographically secure random number generators and constant time comparisons to mitigate timing attacks.
ebpf and IO Visor: The What, how, and what next!Affan Syed
Extended BPF (eBPF) provides a mechanism for running custom programs inside the Linux kernel that can be used for filtering network packets, monitoring system activity, and more. eBPF programs are written in a restricted subset of C and compiled to bytecode that is verified by the kernel for safety before being run. The BCC toolkit makes it easier to write and load eBPF programs. The IO Visor project aims to further develop eBPF and provide tools and use cases for networking, security, and system tracing applications.
SOSCON 2019.10.17
What are the methods for packet processing on Linux? And how fast are each packet processing methods? In this presentation, we will learn how to handle packets on Linux (User space, socket filter, netfilter, tc), and compare performance with analysis of where each packet processing is done in the network stack (hook point). Also, we will discuss packet processing using XDP, an in-kernel fast-path recently added to the Linux kernel. eXpress Data Path (XDP) is a high-performance programmable network data-path within the Linux kernel. The XDP is located at the lowest level of access through SW in the network stack, the point at which driver receives the packet. By using the eBPF infrastructure at this hook point, the network stack can be expanded without modifying the kernel.
Daniel T. Lee (Hoyeon Lee)
@danieltimlee
Daniel T. Lee currently works as Software Engineer at Kosslab and contributing to Linux kernel BPF project. He has interest in cloud, Linux networking, and tracing technologies, and likes to analyze the kernel's internal using BPF technology.
This document discusses packet sniffing and ways to detect and prevent it. Packet sniffing involves using a packet sniffer tool to analyze network traffic. While switches make sniffing more difficult than hubs by only sending packets to their intended recipients, there are still sniffing attacks possible like ARP spoofing. The document outlines techniques for sniffing detection such as ARP cache poisoning and tools like Arpwatch. It also recommends prevention methods including port security, authentication, encryption, and secure protocols.
Introduction to Memory Exploitation (CppEurope 2021)Patricia Aas
Stack based exploitation has gotten all the fame, but many platform and compiler mitigations have made it very hard to exploit stack vulnerabilities. Heap based exploits are still very relevant, and since this is black magic for most developers I will here give an introduction to the field.
Netcat (nc) is a networking utility that can be used to transfer files, run commands remotely, and scan ports on remote systems. It allows establishing TCP and UDP connections to ports on remote systems. The document provides examples of using nc to scan ports, transfer files between systems, set up reverse shells, and perform basic network tasks and administration. Google dorking techniques are also presented for searching websites and finding specific pages or files using keywords, titles, and URLs. The Whois tool is demonstrated to query registration records for domain names and obtain information like registrar, IP address, and name servers.
BPF: Next Generation of Programmable DatapathThomas Graf
This session covers lessons learned while exploring BPF to provide a programmable datapath based on BPF and discusses options for OVS to leverage the technology.
This document summarizes a three-part challenge involving cracking a MIPS binary, exploiting a Python/XXE vulnerability in a web application, and decrypting messages from a SecureDrop-like system. The MIPS binary is cracked by inverting its password checking algorithm. The web app is exploited via XXE to retrieve files containing an admin URL and view state details. Python code is modified at runtime to decrypt an AES key and access a "secret.key" file. This key reveals a tarball containing a SecureDrop implementation. A buffer overflow in SecDrop's service is used to run shellcode. Timing attacks via the CPU cache are then used to retrieve the private RSA key and decrypt messages stored by the SecureDrop-
Chromium Sandbox on Linux (BlackHoodie 2018)Patricia Aas
The Linux Security and Isolation APIs have become the basis of some of the most useful features server-side, providing the isolation required for efficient containers. However, these APIs also form the basis of the Chromium Sandbox on Linux, and we will study them in that context in this talk.
This document discusses use-after-free attacks and ways to prevent them. It begins with an introduction to dynamic memory allocation and how freed memory can be reallocated. It then explains how dangling pointers can be used to hijack memory and execute arbitrary code through use-after-free vulnerabilities. Several real-world examples are provided. The document discusses various techniques programmers can use to prevent these attacks, such as smart pointers, immediately nullifying freed pointers, and compiler security checks. It also covers operating system defenses like Control Flow Guard on Windows and AddressSanitizer on Linux. The talk concludes with recommendations on comprehensive mitigations through secure coding practices and system hardening.
Как HeadHunter удалось безопасно нарушить RFC 793 (TCP) и обойти сетевые лову...Ontico
В какой-то момент 3-й в мире работный сайт начал периодически падать на несколько минут. Сюрпризом стало то, что в этот раз действительно из-за сети.
Для масштабирования сервисов и их взаимодействия между собой hh.ru использует внутренний балансировщик. Обработку 25 тыс. запросов в секунду обеспечивают 5 серверов с nginx. Обращение к этим серверам балансирует коммутатор.
Я расскажу, как мы расследовали серию инцидентов, которая была вызвана нарушением протокола TCP при балансировке. И что мы придумали, чтобы продолжить безнаказанно его нарушать.
Как HeadHunter удалось безопасно нарушить RFC 793 (TCP) и обойти сетевые лову...Андрей Шорин
[Blackhat EU'14] Attacking the Linux PRNG on Android and Embedded Devices - srkedmi
This document discusses attacking the Linux pseudo-random number generator (PRNG) on Android and embedded devices. It begins by motivating the attack by describing a previous vulnerability discovered in the Android keystore. It then provides an overview of the Linux PRNG and describes how an attacker could reconstruct the PRNG's internal state by simulating PRNGs with different seeds and comparing to leaked values from the real PRNG. It discusses problems with mounting the attack and where leaks could be obtained, such as during the kernel or platform boot process. It then describes a local attack method using a malware to obtain a PRNG seed and bypass stack canary protection.
This document summarizes the /etc/services file, which defines network services and their associated port numbers. It notes that the file contains services defined by IANA in the Assigned Numbers registry, including well-known ports from 0-1023, registered ports from 1024-49151, and dynamic/private ports from 49152-65535. Each entry lists the service name, port number, transport protocol, and optional comments or aliases.
john-devkit: 100 Hash Types Later - Positive Hack Days
Speaker: Aleksey Cherepanov
Hash cracking speed keeps growing, and so does the number of hashing algorithms. The amount of work needed to support a universal cracking tool grows with them. In response, john-devkit was developed: an improved code generator for the well-known password cracker John the Ripper. john-devkit contains more than 100 hash types. The speaker will cover the key aspects of its use: separation of algorithms, optimization and output for various devices, a simple intermediate representation of hashing algorithms, the difficulties of optimizing for humans and for machines, bitslicing, and processing speed comparisons.
The document describes an automated tool called ipsnapshoter that detects misconfigured HTTP services. It scans IP addresses and ports, uses Nmap to find available hosts, takes screenshots of server responses using EyeWitness, and publishes results in an HTML report. The tool is designed to help security testers identify vulnerabilities by visually exploring misconfigurations before malicious actors. It is written in Python and uses libraries like Nmap, EyeWitness, and a simple HTTP server to efficiently scan thousands of addresses and generate consolidated reports.
This document discusses network emulation using tc. It begins with an agenda that covers why emulation is useful, what aspects of a network can be emulated, how tc works, how to do emulation with tc, a comparison of tc to Nistnet and WANem, and references for further information. It then goes into detail on each agenda item, providing explanations of concepts like qdiscs, classes, filters, and examples of using tc for tasks like bandwidth emulation, delay/jitter emulation, and loss emulation. The key advantages and limitations of Nistnet and WANem are also outlined.
Unmasking Careto through Memory Forensics (video in description) - Andrew Case
My presentation from SecTor 2014 on analyzing the sophisticated Careto malware with memory forensics & Volatility
Video here: http://2014.video.sector.ca/video/110388398
Provenance for Data Munging Environments - Paul Groth
Data munging is a crucial task across domains ranging from drug discovery and policy studies to data science. Indeed, it has been reported that data munging accounts for 60% of the time spent in data analysis. Because data munging involves a wide variety of tasks using data from multiple sources, it often becomes difficult to understand how a cleaned dataset was actually produced (i.e. its provenance). In this talk, I discuss our recent work on tracking data provenance within desktop systems, which addresses problems of efficient and fine-grained capture. I also describe our work on scalable provenance tracking within a triple store/graph database that supports messy web data. Finally, I briefly touch on whether we will move from ad hoc data munging approaches to more declarative knowledge representation languages such as Probabilistic Soft Logic.
Presented at Information Sciences Institute - August 13, 2015
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for... - Alexandre Moneger
This presentation shows that code coverage guided fuzzing is possible in the context of network daemon fuzzing.
Some fuzzers are blackbox while others are protocol aware. Even for those that are protocol aware, fuzzer writers typically model the protocol specification and implement packet-awareness logic in the fuzzer. Unfortunately, a fuzzer being protocol aware does not guarantee that sufficient code paths have been reached.
The presentation deals with specific scenarios where the target protocol is completely unknown (proprietary) and no source code or protocol specs are accessible. The tool developed builds a feedback loop between the client and the server components using the concept of "gate functions". A gate function triggers monitoring. The pintool component tracks the binary code coverage for all the functions until it reaches an exit gate. By instrumenting such gated functions, the tool is able to measure code coverage during packet processing.
The document provides instructions on how to configure an SSH server on Linux, perform footprinting and reconnaissance, scanning tools and techniques, enumeration tools and techniques, password cracking techniques and tools, privilege escalation methods, and keylogging and hidden file techniques. It discusses active and passive footprinting, Nmap port scanning, NetBIOS and SNMP enumeration, Windows password hashes, the sticky keys method for privilege escalation, ActualSpy keylogging software, and hiding files using NTFS alternate data streams. Countermeasures for many of these techniques are also outlined.
This document provides an overview and demonstration of Security Onion, an open-source Linux distribution for intrusion detection and network security monitoring. It describes Security Onion's tools like Snort, Sguil, Pulled Pork, Snorby and Daemonlogger. The document demonstrates how to install Security Onion, use its tools to analyze network traffic, view alerts and raw packet captures. It also provides challenges for users to further explore Security Onion's capabilities.
This presentation, "Threat hunting on the wire", is part of a series of courses on the subject of Threat Hunting. It covers command-line packet analysis and network forensics.
Symmetric Crypto for DPDK - Declan Doherty (harryvanhaaren)
The document describes the DPDK symmetric cryptography framework. It includes APIs for scheduling crypto workloads using mbuf bursts, crypto primitives like cipher and hash algorithms, crypto transforms, session management, crypto operations, operation pools, and implemented PMDs like the AES-NI multi-buffer PMD and QAT PMD. Performance tests show the QAT PMD achieving higher throughput than the AES-NI multi-buffer PMD for AES128_CBC_SHA256_HMAC. Future work includes adding asymmetric crypto and an accelerated IPsec solution.
Finding Needles in Haystacks (The Size of Countries) - packetloop
This document discusses network security monitoring (NSM) and how it can be used at large scales with big data tools. It advocates focusing on detection over prevention since prevention will inevitably fail. NSM tools like Sguil, Argus, and Bro are used to collect security data, while analysts provide analysis. Full packet captures are important for understanding attacks. Tools like Hadoop and Pig can be used to process large volumes of security data in a distributed manner for analysis. Packetpig is an open source tool that integrates NSM with big data tools like Pig to enable security analytics on large datasets. Use cases include threat analysis, incident response, and research.
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam... - CODE BLUE
Malware uses many cryptographic algorithms.
To fight against malware, analysts have to reveal details on malware activities.
Accordingly, it is important to identify cryptographic algorithms used in malware.
In this track, I propose a faster and extensible method to automatically detect known cryptographic algorithms in malware using dynamic binary instrumentation and fuzzy hashing.
Cisco CSIRT Case Study: Forensic Investigations with NetFlow - Lancope, Inc.
Cisco CSIRT uses NetFlow to collect 16 billion flows from Cisco’s 175TB of traffic observed daily. The data is used to monitor, investigate, and contain incidents using 3 key playbook “plays” each day.
Two leaders from Cisco's Computer Security Incident Response Team (CSIRT) will review a real cyber incident and the resulting investigation leveraging NetFlow collected via the StealthWatch System.
Participants will learn how to use NetFlow and the StealthWatch System to:
- Investigate top use cases: C&C discovery, data loss and DOS attacks
- Gain contextual awareness of network activity
- Accelerate incident response
- Minimize costly outages and downtime from threats
- Protect the evolving network infrastructure
- Provide forensic evidence to prosecute adversaries
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar... - idsecconf
The document discusses exploiting vulnerabilities in wireless routers that have USB ports for sharing storage and printers. It describes conducting attacks against a D-Link wireless router to steal data, delete data, and implant backdoors by accessing the shared USB flash drive and printer through the router's vulnerable SharePort technology. The attacker scans the wireless network, identifies the router and connected USB devices, and then explores ways to hack into the shared resources and conduct unauthorized activities.
In theory, post-exploitation after having remote access is easy. Also in theory, there is no difference between theory and practice. In practice, there is. Imagine a scenario, where you have deployed a malware on a user’s workstation, but the target information is on a secure server accessed via two-factor authentication, with screen access only (e.g. RDP, Citrix, etc.). On top of that, the server runs application white-listing, and only the inbound port to the screen server (e.g. 3389) is allowed through the hardware firewall. But you also need persistent interactive C&C communication (e.g. Netcat, Meterpreter, RAT) to this server through the user’s workstation.
I developed (and will publish) two tools that help you in these situations. The first tool can drop malware to the server through the screen while the user is logged in. The second tool can help you to circumvent the hardware firewall after we can execute code on the server with admin privileges (using a signed kernel driver). My tools are generic, meaning that they work against Windows Server 2012 and Windows 8, and they work with RDP or other remote desktops. The number of problems you can solve with them is endless, e.g., communicating with a bind shell on a webserver behind a restricted DMZ. Beware, live demo and fun included!
(130511) #fitalk network forensics and its role and scope - INSIGHT FORENSIC
This document discusses network forensics and packet analysis. It provides an introduction to network forensics methodology and considerations for network-based digital evidence. This includes challenges like volatility, scattering of evidence across multiple sources, and encryption. The document also discusses the scope and role of network forensics, including standards for evidence acquisition, storage, analysis, and forensic readiness. Finally, it provides tips and examples for using Wireshark to analyze network traffic and identify abnormal packets through built-in features and example packet capture files.
This document discusses the development of an IPv6 plugin for the Snort intrusion detection system. It provides context on IPv6 security issues and attacks. It then describes how the plugin was implemented to add IPv6-specific rule options and decode/process IPv6 traffic. A neighbor discovery preprocessor was also created to monitor network changes using ICMPv6 messages. The plugin allows Snort to better detect IPv6 attacks and anomalies.
OMFW 2012: Analyzing Linux Kernel Rootkits with Volatility - Andrew Case
The document summarizes the analysis of several Linux rootkits using the Volatility memory forensics framework. It describes how the Average Coder rootkit hides processes, modules and users by hooking various file operations. It also details how the KBeast rootkit hides its module, hooks system calls and network connections. Finally, it discusses how the Jynx rootkit operates by preloading a shared library to hook filesystem and network functions and implement a backdoor. The document demonstrates how Volatility plugins can detect these rootkits and recover hidden data.
One thing that most programmers do not take the time to understand is the servers that their application lives on. Most know a smattering of Apache configs, PHP configs, and basic information about the OS. This talk will deal with looking at tools that can help you quickly set up a server and how it can help you be a better developer. We'll look at tools like Puppet for server management, OSSEC for log management, different command line tools, and Nagios/Monit for system monitoring.
This document summarizes a presentation about tuning parallel code on Solaris. It discusses:
1) Using tools like DTrace, prstat, and vmstat to analyze performance issues like thread scheduling and I/O problems in parallel applications on Solaris.
2) Two examples of using DTrace to analyze thread scheduling and troubleshoot I/O performance problems in a virtualized Windows server.
3) How the examples demonstrated using DTrace to identify unbalanced thread scheduling and discover that a domain controller was disabling disk write caching, slowing performance.
José Ramón Palanco is an OT security expert at ElevenPaths (Telefónica) who specializes in penetration testing, vulnerability research, and programming. The presentation covers OT protocols, an OT lab for hardware hacking and firmware analysis, industrial malware examples like Stuxnet, and projects including an industrial protocol IDS and Nmap scripts for discovering SCADA/ICS devices.
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics - Bishop Fox
Learn the basics of network penetration testing success - an introduction to the top three tools that will help you on your security journey: Nmap, Netcat, and Metasploit. See how to use Nmap both for port scanning and vulnerability discovery. You'll also learn how to use Netcat to grab banners, make HTTP requests, and create both reverse and bind shells. Finally, we’ll learn the ins and outs of Metasploit, including how to integrate our Nmap scan results for even more ownage and using the built-in exploits to get shells.
At the end of this, you will be port scanning, creating payloads, and popping shells. This technical workshop is designed to familiarize you with the necessary tools to continue your ethical hacking journey. From here, take your l33t new skillz and apply them to Capture The Flag (CTF) competitions or scanning your home network for vulnerabilities.
(This was originally presented on February 22, 2010 at Day of Shecurity Boston 2019).
Similar to HES2011 - Sebastien Tricaud - Capture me if you can (20)
HES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talk - Hackito Ergo Sum
This document summarizes a lightning talk presentation about binary instrumentation using Intel's Pin tool. It introduces Pin as a dynamic binary instrumentation tool that can insert code into programs at runtime. It then discusses several applications of Pin like performance profiling, security tools for sandboxing and reversing, and academic uses. The document provides examples of using Pin APIs and also lists some alternative dynamic instrumentation engines. It encourages the audience to start using Pin and sharing tools they create with the community.
HES2011 - Jon Oberheide and Dan Rosenberg - Stackjacking - Hackito Ergo Sum
This document discusses bypassing security protections provided by the grsecurity and PaX patchsets on Linux kernels. It begins with an introduction and agenda, then provides background on Linux kernel security issues over the past decade. The presentation notes that an arbitrary kernel write is a common exploitation primitive, but that this is insufficient to escalate privileges when protections like grsecurity/PaX are in place. It then introduces the concept of "stackjacking", where an attacker leverages kernel stack memory disclosures, which are common low severity vulnerabilities, along with an arbitrary kernel write to bypass grsecurity/PaX protections without needing to introduce new code or modify control flow.
HES2011 - Gabriel Gonzalez - Man In Remote PKCS11 for fun and non profit - Hackito Ergo Sum
This document discusses remotely using the Spanish National Electronic ID (DNIe) and potential attacks. It provides an introduction to the DNIe and describes a "Man in the Remote" (MiR) attack where an attacker is able to remotely access and use the functionalities of a DNIe card plugged into a different computer. It demonstrates how the attacker could achieve remote authentication and signing. It also discusses some potential solutions to prevent MiR attacks based on analyzing response times.
HES2011 - Eloi Vanderbeken - Hackito Ergo Sum Crackme - Hackito Ergo Sum
This document is a presentation about a crackme called Hackito Ergo Sum. It discusses the various techniques used to protect the crackme, including a verification algorithm using RC4 encryption, instruction mutation, control flow graph obfuscation, encryption layers, direct native API calls, anti-debugging methods, and ways attackers could potentially break it such as bruteforcing the encryption key or reversing the encryption algorithm. The presentation concludes by thanking the audience and opening the floor for questions.
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave - Hackito Ergo Sum
This document summarizes an approach to auditing the Adobe Shockwave file format and verifying vulnerabilities. It describes how the authors:
1) Encountered difficulties reversing the Shockwave memory manager using traditional debugging tools.
2) Developed a technique using dynamic binary instrumentation to hook the Shockwave file read function and search read buffers for fuzzed file data.
3) Further refined their approach by directly hooking the file read function in MSVCR71.dll, allowing the technique to be reused for other projects.
HES2011 - Jon Larimer - Autorun Vulnerabilities on Linux - Hackito Ergo Sum
This document discusses potential vulnerabilities related to autorun functionality and removable storage devices like USB drives on Linux systems. It notes that while Linux desktop environments don't automatically run scripts from removable devices, vulnerabilities could still exist in drivers and applications that handle connecting and accessing such devices. Specific vulnerabilities are identified in USB drivers, file system drivers, thumbnail generation applications, and external thumbnailer programs. Exploiting these could allow gaining root access or defeating full disk encryption from physical access to a system.
HES2011 - James Oakley and Sergey Bratus - Exploiting the Hard-Working DWARF - Hackito Ergo Sum
The document describes how DWARF bytecode, included in GCC-compiled binaries to support exception handling, can be exploited to insert trojan payloads. DWARF bytecode interpreters are included in the standard C++ runtime and are Turing-complete, allowing the bytecode to perform arbitrary computations by influencing program flow. A demonstration shows how DWARF bytecode can be used to hijack exceptions and execute malicious payloads without requiring native code.
HES2011 - joernchen - Ruby on Rails from a Code Auditor Perspective - Hackito Ergo Sum
This document provides an overview of Ruby on Rails (RoR) from a code auditor's perspective. It discusses the MVC architecture that RoR uses and describes where the different components (model, view, controller) are typically located in a RoR application. It also discusses common things to look for when reviewing RoR code like user input validation, filters, migrations and more. Specific examples of issues found in Redmine and another open source project are also provided like a persistent XSS issue and information leak.
HES2011 - Raoul Chiesa - Hackers Cybercriminals from Wargames to the Undergr... - Hackito Ergo Sum
This document provides a summary of a presentation by Raoul Chiesa on cybercrime trends from the past to present. It discusses how hacking has evolved from curiosity-driven activities by bored teens to profit-motivated crimes by adults. Reasons for the rise of cybercrime include the increasing number of internet users and victims, economic incentives, availability of hacking tools, recruitment of inexperienced people, and lack of consequences. The presentation also notes how media portrayal has changed perceptions of who hackers are.
HES2011 - Richard Johnson - A Castle Made of Sand Adobe Reader X Sandbox - Hackito Ergo Sum
The document discusses Adobe Reader's use of sandboxing to improve security. It provides background on past vulnerabilities in Adobe Reader and discusses the architecture of the Adobe Reader X sandbox. The sandbox isolates rendering code in a lower privileged process and uses a higher privileged broker process to validate and fulfill requests for system resources according to internal policy. The document outlines how to analyze the sandbox's security mechanisms, such as by determining the rights of processes, auditing the IPC mechanisms, and fuzzing the resource request validation.
HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7 - Hackito Ergo Sum
This document discusses kernel pool exploitation on Windows 7. It begins with an introduction and overview of the kernel pool and its internals such as pool descriptors, free lists, and lookaside lists. It then covers attacks on the kernel pool and ways to harden it against exploitation, such as by modifying pool structures.
HES2011 - Yuval Vadim Polevoy – Money Is In The Eye Of The Beholder: New And ... - Hackito Ergo Sum
The document discusses new and evolving ways that criminals steal money through digital means. It outlines how criminal operations have become more sophisticated and business-like, moving from individual hackers to organized underground companies. It describes various technical methods that are used, such as phishing, pharming, malware injections, and man-in-the-browser attacks to steal login credentials and hijack financial transactions. It also discusses how criminal groups set up complex international operations using mules, drop points, and covert channels to launder and cash out the stolen money without being detected. The document warns that security measures are catching up, but that criminals will continue adapting their methods, such as through screen scraping or new types of online games involving money.
The document discusses how software can be used to damage hardware through various techniques like overclocking, overvolting, overheating, and firmware flashing. It provides examples of how components like CPUs, RAM, graphics cards, hard drives, and BIOS can be permanently damaged by exploiting their software interfaces. The goal could be industrial espionage, terrorism, or other malicious motives like destroying a commercial rival's operations through an act of industrial cyber warfare.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf - Paige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble, many organizations still relegate monitoring and observability to the purview of ops, infra and SRE teams. This is a mistake: achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party, and will share these foundational concepts to build on:
Enhancing Adoption of Open Source Libraries: A Case Study on Albumentations.AI - Vladimir Iglovikov, Ph.D.
Presented by Vladimir Iglovikov:
- https://www.linkedin.com/in/iglovikov/
- https://x.com/viglovikov
- https://www.instagram.com/ternaus/
This presentation delves into the journey of Albumentations.ai, a highly successful open-source library for data augmentation.
Created out of a necessity for superior performance in Kaggle competitions, Albumentations has grown to become a widely used tool among data scientists and machine learning practitioners.
This case study covers various aspects, including:
- People: The contributors and community that have supported Albumentations.
- Metrics: The success indicators such as downloads, daily active users, GitHub stars, and financial contributions.
- Challenges: The hurdles in monetizing open-source projects and measuring user engagement.
- Development Practices: Best practices for creating, maintaining, and scaling open-source libraries, including code hygiene, CI/CD, and fast iteration.
- Community Building: Strategies for making adoption easy, iterating quickly, and fostering a vibrant, engaged community.
- Marketing: Both online and offline marketing tactics, focusing on real, impactful interactions and collaborations.
- Mental Health: Maintaining balance and not feeling pressured by user demands.
Key insights include the importance of automation, making the adoption process seamless, and leveraging offline interactions for marketing. The presentation also emphasizes the need for continuous small improvements and building a friendly, inclusive community that contributes to the project's growth.
Vladimir Iglovikov brings his extensive experience as a Kaggle Grandmaster, ex-Staff ML Engineer at Lyft, sharing valuable lessons and practical advice for anyone looking to enhance the adoption of their open-source projects.
Explore more about Albumentations and join the community at:
GitHub: https://github.com/albumentations-team/albumentations
Website: https://albumentations.ai/
LinkedIn: https://www.linkedin.com/company/100504475
Twitter: https://x.com/albumentations
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
What do a Lego brick and the XZ backdoor have in common? - Speck&Tech
ABSTRACT: At first glance, a Lego brick and the XZ backdoor might have in common the fact that both are building blocks, or dependencies, of creative and software projects. In reality, a Lego brick and the XZ backdoor case have much more in common than that.
Join the talk to dive into a story of interoperability, standards and open formats, and then discuss the important role that contributors play in a sustainable open source community.
BIO: An advocate of free software and of standard, open formats. She has been an active member of the Fedora and openSUSE projects and co-founded the LibreItalia association, where she was involved in several LibreOffice-related events, migrations and training courses. Previously she worked on LibreOffice migrations and training for various public administrations and private companies. Since January 2020 she has worked at SUSE as a Software Release Engineer for Uyuni and SUSE Manager, and when she is not pursuing her passion for computers and for Geeko she cultivates her curiosity about astronomy (which is where her nickname deneb_alpha comes from).
Essentials of Automations: The Art of Triggers and Actions in FME - Safe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
How to Get CNIC Information System with Paksim Ga.pptxdanishmna97
Pakdata Cf is a groundbreaking system designed to streamline and facilitate access to CNIC information. This innovative platform leverages advanced technology to provide users with efficient and secure access to their CNIC details.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...Zilliz
Join us to introduce Milvus Lite, a vector database that can run on notebooks and laptops, share the same API with Milvus, and integrate with every popular GenAI framework. This webinar is perfect for developers seeking easy-to-use, well-integrated vector databases for their GenAI apps.
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
Building RAG with self-deployed Milvus vector database and Snowpark Container...Zilliz
This talk will give hands-on advice on building RAG applications with an open-source Milvus database deployed as a docker container. We will also introduce the integration of Milvus with Snowpark Container Services.
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
HES2011 - Sebastien Tricaud - Capture me if you can
1. Capture me if you can!
Sebastien Tricaud, Picviz Labs
Hackito Ergo Sum (Paris, France) 2011
1/54
2. $ whoami
• Sebastien Tricaud
• Picviz Labs Director
• Picviz Labs is the editor of Picviz Inspector, data-mining software for security
• Honeynet Project CTO
• 15 years of various IDS implementations
5. Context
Once upon a time...
Two days ago, at CERIAS, Mr. Neal Ziring said:
"The attack data is often lost in the noise of events"
6. Context
Mr. Neal Ziring is currently a technical director in the Information Assurance Directorate (IAD) at NSA. The IAD provides cryptographic, network, and operational security products and services to protect and defend national security systems.
7. Talk objective
How capture can be performed and managed to effectively find incidents (attacks, document leaks, etc.) in large networks.
8. Find incidents in large networks: Network traffic
1. Capture all the traffic
2. Someone reports an incident
3. Run Snort on the captured traffic
• Two country examples:
  • 30 Gb of Netflow traffic per 24 hours for a country of 20 million people (about 1700 events/s; 510 000 events/5 min)
  • A 5 min Netflow capture on the main backbone of a country of 45 million people: 3 million events/5 min
12. Capture with libpcap
    #include <pcap.h>
    #include <time.h>
    #include <arpa/inet.h>   /* ntohs() */
    #include <dnet.h>        /* struct eth_hdr, struct ip_hdr, ETH_TYPE_IP, ETH_HDR_LEN (libdnet) */

    u_char *packet;
    struct timeval packet_tv;
    struct pcap_pkthdr pheader;
    time_t t;
    char *strtime;
    struct eth_hdr *ether;
    struct ip_hdr *ip;
    ...
    packet = (u_char *) pcap_next(pcaph, &pheader);
    while (packet) {
        packet_tv = pheader.ts;              /* capture timestamp of this packet */
        t = packet_tv.tv_sec;
        strtime = ctime(&t);
        ether = (struct eth_hdr *) packet;   /* libpcap hands back the whole layer-2 frame */
        if (ntohs(ether->eth_type) == ETH_TYPE_IP) {
            ip = (struct ip_hdr *) (packet + ETH_HDR_LEN);
        ...
13. How does libpcap work?
• Layer 2
• Packet copied! (ahah)
• Apply a BPF filter
• Get the data
15. DAQ
(Awesome) Data Acquisition Library written by Sourcefire. Available from http://www.snort.org
Unifies:
• AFPacket
• ipqueue
• netfilter_queue
• libpcap
16. Other ways to capture
• Daemonlogger: relies on libpcap
• Streams (git clone git://git.carnivore.it/streams.git): relies on libpcap just for BPF
• Various works from Luca Deri with PF_RING
• Using GPGPU
17. Now you (perhaps) got your packet!
The packet is captured, fine! However:
• It can be fragmented
• If you run signature matching, UTF-8 encoding can bypass it
• A protocol like RPC needs to be decoded
• The attack can be located at different DoD model levels
18. Fragmentation
Let's have a look at Linux:
• IPv4: linux-src/net/ipv4/ip_fragment.c
• IPv6: linux-src/net/ipv6/reassembly.c
How it is performed in IPv4:
• Defragmentation happens in the function ip_defrag()
• Called only by:
  • ip_local_deliver()
  • ip_call_ra_chain(): only if the socket is tied to an interface
19. Fragmentation (continued)
• Linux does not defragment upon FORWARD
• Netfilter may do it
• modprobe nf_conntrack_ipv4
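To make the fragmentation point concrete, here is an added example (not from the slides): two constructed IPv4 fragments split a payload so that the content string "root" crosses the fragment boundary; a signature applied per fragment misses it and only fires once the fragments are placed back together, which is the job ip_defrag() or an IDS reassembly preprocessor has to do before any signature is applied.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_MF      0x2000   /* "more fragments" flag in the flags/offset field */
#define IP_OFFMASK 0x1fff   /* fragment offset, in units of 8 bytes */

/* Constructed IPv4 fragments (addresses zeroed, no valid checksum): the payload
 * "login root pass" is split into "login ro" + "ot pass", so the content
 * "root" straddles the fragment boundary. */
static const uint8_t FRAG1[28] = {0x45,0,0,28, 0,1, 0x20,0x00, 64,6, 0,0,
                                  0,0,0,0, 0,0,0,0, 'l','o','g','i','n',' ','r','o'};
static const uint8_t FRAG2[27] = {0x45,0,0,27, 0,1, 0x00,0x01, 64,6, 0,0,
                                  0,0,0,0, 0,0,0,0, 'o','t',' ','p','a','s','s'};

/* 1 if MF is set or the offset is non-zero, i.e. the packet is a fragment. */
int ipv4_is_fragment(const uint8_t *ip) {
    unsigned frag = (unsigned)ip[6] << 8 | ip[7];
    return (frag & (IP_MF | IP_OFFMASK)) != 0;
}

/* Copy the fragment payload to its offset in buf; return the end offset, 0 on error. */
size_t ipv4_place_fragment(const uint8_t *ip, size_t pktlen, uint8_t *buf, size_t buflen) {
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    size_t off = (((unsigned)ip[6] << 8 | ip[7]) & IP_OFFMASK) * 8;
    if (ihl < 20 || pktlen < ihl || off + (pktlen - ihl) > buflen) return 0;
    memcpy(buf + off, ip + ihl, pktlen - ihl);
    return off + (pktlen - ihl);
}

/* Stand-in for a Snort content:"root" check. */
int sig_root(const uint8_t *p, size_t n) {
    for (size_t i = 0; i + 4 <= n; i++)
        if (memcmp(p + i, "root", 4) == 0) return 1;
    return 0;
}

/* Matching each fragment on its own: the signature never fires. */
int per_fragment_hits(void) { return sig_root(FRAG1 + 20, 8) + sig_root(FRAG2 + 20, 7); }

/* Matching after reassembly: the signature fires. */
int reassembled_hit(void) {
    uint8_t buf[64] = {0};
    size_t a = ipv4_place_fragment(FRAG1, sizeof FRAG1, buf, sizeof buf);
    size_t b = ipv4_place_fragment(FRAG2, sizeof FRAG2, buf, sizeof buf);
    return sig_root(buf, a > b ? a : b);
}
```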
20. We captured, we want evils!
Snort gives us several ways to find the evil:
• Binary:
  content:"|0A 00 00 01 85 04 00 00 80|root|00|" (sid:1775)
• Simple pattern:
  content:"fuck fuck fuck" (sid:1316)
• PCRE:
  pcre:"/^\x3c(REQIMG|RVWCFG)\x3e/ism" (sid:2460)
Problem: how does Snort manage pattern matching algorithms along with PCRE? Is each PCRE tried on each packet?
21. Snort PCRE lookup
• Long patterns are easier to find
• PCRE and pattern matching within Snort:
  • Search for the longest pattern in each signature
  • function fpAddLongestContent() in fpcreate.c
  • The traffic is prequalified (MPSE)
  • Rules are sequentially tested
  • The PCRE option is ignored until the complete rule test after the prequalification
  • PCRE uses its own DFA/NFA
⇒ The fewer PCREs we have, the better off we are.
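Added example, not Snort's own code: a rule is reduced to its longest content string (what fpAddLongestContent() would pick) and a regex, with POSIX <regex.h> standing in for PCRE and strstr() for the MPSE stage; a counter shows how many regex evaluations a batch of constructed payloads costs with a content prequalifier versus a regex-only rule.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* A rule reduced to what the fast path needs: the longest content string (what
 * fpAddLongestContent() would pick) plus a regex. POSIX <regex.h> stands in for
 * PCRE, and strstr() stands in for Snort's MPSE prequalifier. */
typedef struct { const char *content; const char *pattern; regex_t re; } rule_t;

unsigned long regex_evals;   /* how many times the expensive stage ran */

/* Constructed payloads, assumed to be NUL-terminated text (binary data would need memmem). */
static const char *PAYLOADS[] = {
    "GET /index.html HTTP/1.1",
    "USER anonymous",
    "login root pass",      /* the only packet that should alert */
    "login rooter x",       /* passes the content prequalifier, fails the regex */
    "PASS guest",
};
#define NPAYLOADS (sizeof PAYLOADS / sizeof PAYLOADS[0])

/* 1 if the rule fires. The regex runs only after the content stage hit, or on
 * every packet when the rule has no content at all (a PCRE-only rule). */
int rule_match(rule_t *r, const char *payload) {
    if (r->content && strstr(payload, r->content) == NULL) return 0;  /* prequalification */
    regex_evals++;
    return regexec(&r->re, payload, 0, NULL, 0) == 0;                   /* full rule test */
}

/* Run one rule over the batch; returns the alert count (-1 if the pattern does
 * not compile) and leaves the number of regex evaluations in regex_evals. */
int run_rule(const char *content, const char *pattern) {
    rule_t r; int alerts = 0;
    r.content = content; r.pattern = pattern;
    if (regcomp(&r.re, pattern, REG_EXTENDED | REG_ICASE | REG_NOSUB) != 0) return -1;
    regex_evals = 0;
    for (size_t i = 0; i < NPAYLOADS; i++) alerts += rule_match(&r, PAYLOADS[i]);
    regfree(&r.re);
    return alerts;
}

int main(void) {
    int a = run_rule("root", "^login +root[^a-z0-9]");
    printf("content + regex: %d alert(s), %lu regex evaluation(s)\n", a, regex_evals);
    a = run_rule(NULL, "^login +root[^a-z0-9]");
    printf("regex only:      %d alert(s), %lu regex evaluation(s)\n", a, regex_evals);
    return 0;
}
```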
22. Netflow
• It is easier to investigate with connection flows
• Looking at the TCP SYN is better for understanding than the whole SYN > SYN-ACK > ACK > PSH > PSH-ACK, etc.
• Streams was designed to help you there
24. Logs
Logs are heavily used in forensic activity for cybercrime investigation.
Question: who cares about logs, their weaknesses, normalization, etc.?
26. SSH default accounts testing
sshd[6574]: error: PAM: Authentication failure for root from 192.168.12.2
sshd[6574]: error: PAM: Authentication failure for guest from 192.168.12.2
sshd[6574]: error: PAM: Authentication failure for printer from 192.168.12.2
sshd[6574]: error: PAM: Authentication failure for lp from 192.168.12.2
sshd[6574]: error: PAM: Authentication failure for admin from 192.168.12.2
27. Detection dilemma
1. Detecting
  • A user enumeration is more likely to get caught and correlated
  • Use tools like OSSEC and get it right in your mailbox
  • OSSEC and any other tools like that need logs to analyze and detect things
2. Log analyzers' common weaknesses
  • Signature based
  • PCRE based (with PCRE weaknesses as well, but this is for another talk)
  • Needs food == needs logs
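Added example (not from the talk, and not OSSEC's code): a small detector for the account enumeration shown on slide 26 that parses the sshd PAM failure lines, counts distinct usernames per source address and flags a source that exceeds a threshold; the batch is the slide's five lines plus one constructed unrelated failure from another host.

```c
#include <string.h>
#define MAX_SRC 16
#define MAX_USERS 32
typedef struct { char ip[46]; char users[MAX_USERS][32]; int nusers; } src_t;
static src_t srcs[MAX_SRC]; static int nsrcs;
/* Constructed batch: the five lines from the slide plus one unrelated failure from another host. */
static const char *LINES[] = {
    "sshd[6574]: error: PAM: Authentication failure for root from 192.168.12.2",
    "sshd[6574]: error: PAM: Authentication failure for guest from 192.168.12.2",
    "sshd[6574]: error: PAM: Authentication failure for printer from 192.168.12.2",
    "sshd[6574]: error: PAM: Authentication failure for lp from 192.168.12.2",
    "sshd[6574]: error: PAM: Authentication failure for admin from 192.168.12.2",
    "sshd[6580]: error: PAM: Authentication failure for alice from 10.0.0.7",
};
#define NLINES (sizeof LINES / sizeof LINES[0])

/* Extract USER and IP from "... Authentication failure for USER from IP"; 0 if not such a line. */
int parse_failure(const char *line, char *user, size_t ulen, char *ip, size_t iplen) {
    const char *p = strstr(line, "Authentication failure for "), *q;
    if (!p) return 0;
    p += 27;                                   /* length of the key just matched */
    q = strstr(p, " from ");
    if (!q || q == p || (size_t)(q - p) >= ulen) return 0;
    memcpy(user, p, (size_t)(q - p)); user[q - p] = '\0';
    size_t n = strcspn(q + 6, " \r\n");        /* the IP runs to whitespace or end of line */
    if (n == 0 || n >= iplen) return 0;
    memcpy(ip, q + 6, n); ip[n] = '\0';
    return 1;
}

/* Record one failure; returns the number of distinct usernames now seen from ip. */
int record_failure(const char *user, const char *ip) {
    int i, j;
    for (i = 0; i < nsrcs && strcmp(srcs[i].ip, ip) != 0; i++) ;
    if (i == nsrcs) { if (nsrcs == MAX_SRC) return -1; strncpy(srcs[nsrcs++].ip, ip, 45); }
    for (j = 0; j < srcs[i].nusers; j++)
        if (strcmp(srcs[i].users[j], user) == 0) return srcs[i].nusers;   /* a repeat, not a new account */
    if (srcs[i].nusers < MAX_USERS) strncpy(srcs[i].users[srcs[i].nusers++], user, 31);
    return srcs[i].nusers;
}

/* Feed the batch; return how many sources tried at least `threshold` distinct accounts. */
int count_enumerating_sources(int threshold) {
    char user[32], ip[46]; int flagged = 0;
    memset(srcs, 0, sizeof srcs); nsrcs = 0;
    for (size_t k = 0; k < NLINES; k++)
        if (parse_failure(LINES[k], user, sizeof user, ip, sizeof ip)) record_failure(user, ip);
    for (int i = 0; i < nsrcs; i++) if (srcs[i].nusers >= threshold) flagged++;
    return flagged;
}
```

Repeated tries on the same account do not raise the count, so a single user mistyping a password stays below the threshold while a sweep over default accounts crosses it.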
29. Squid
Log Format configuration
    logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
Log Format options
    ...
    [http::]rm  Request method (GET/POST etc)
    [http::]ru  Request URL
    [http::]rp  Request URL-Path excluding hostname
    ...
30. ProFTPd
Log with mod_log
Log Format configuration
    LogFormat default "%h %l %u %t \"%r\" %s %b"
Log Format options
    %A - Anonymous username (password given)
    %a - Remote client IP address
    %b - Bytes sent for request
31. Apache
Log with mod_log
Log Format configuration
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
Cool options!
• %b, did you see this %b?
• %b: Size of response in bytes, excluding HTTP headers. In CLF format, i.e. a '-' rather than a 0 when no bytes are sent.
• It is possible to exploit this weakness
32. Log misuse 0-day
A log misuse 0-day is:
• an application failing to properly log information it could
• log injection
• incorrectly logged information
There is NO log misuse 0-day database!
33. Simple log misuse 0-day
Back on ProFTPd, remember:
Log Format options
    %A - Anonymous username (password given)
"password given" = the client can send anything
Code managing the password
    #define PR_TUNABLE_PATH_MAX 1024
    char arg[PR_TUNABLE_PATH_MAX+1] = {'\0'};
    case META_ANON_PASS:
        argp = arg;
        /* the anonymous "password" is whatever the client typed at the PASS prompt */
        pass = pr_table_get(session.notes, "mod_auth.anon-passwd", NULL);
        if (!pass)
            pass = "UNKNOWN";
        /* copied into the log field as-is: no filtering of newlines or control characters */
        sstrncpy(argp, pass, sizeof(arg));
→ Remote log injection possible, in /var/log/proftpd/auth.log
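Added example, not ProFTPd's code: the defensive counterpart to the sstrncpy() above is to escape control characters before a client-supplied string such as the anonymous password reaches the log; a constructed %A value with an embedded newline forges a second record when copied verbatim and stays a single record once escaped.

```c
#include <stdio.h>
#include <string.h>

/* Copy src into dst escaping backslash, CR, LF and other control bytes as \\, \r,
 * \n and \xNN, so client-supplied text cannot end the current log record and
 * start a forged one. Output is NUL-terminated and truncated to fit; returns
 * the number of bytes written. */
size_t log_escape(char *dst, size_t dstlen, const char *src) {
    size_t o = 0;
    for (const unsigned char *p = (const unsigned char *)src; *p; p++) {
        char tmp[5]; size_t n;
        if (*p == '\\')      { memcpy(tmp, "\\\\", 2); n = 2; }
        else if (*p == '\n') { memcpy(tmp, "\\n", 2); n = 2; }
        else if (*p == '\r') { memcpy(tmp, "\\r", 2); n = 2; }
        else if (*p < 0x20 || *p == 0x7f) n = (size_t)snprintf(tmp, sizeof tmp, "\\x%02x", (unsigned)*p);
        else { tmp[0] = (char)*p; n = 1; }
        if (o + n >= dstlen) break;            /* never emit a partial escape */
        memcpy(dst + o, tmp, n);
        o += n;
    }
    dst[o] = '\0';
    return o;
}

/* One record per line, so a newline smuggled into a field adds a record. */
int count_records(const char *buf) { int n = 0; for (; *buf; buf++) n += (*buf == '\n'); return n; }

/* Constructed anonymous "password" (what %A logs) carrying a forged second record. */
static const char INJECTED[] =
    "guest@example.com\n10.0.0.1 - - [01/Jan/2011:00:00:00 +0000] \"forged\" 200 0";

/* Field copied verbatim, as the slide's sstrncpy() does: two records come out. */
int records_raw(void) {
    char line[256];
    snprintf(line, sizeof line, "anon-pass=%s\n", INJECTED);
    return count_records(line);
}

/* Field passed through log_escape() first: the forged text stays inside one record. */
int records_escaped(void) {
    char esc[160], line[256];
    log_escape(esc, sizeof esc, INJECTED);
    snprintf(line, sizeof line, "anon-pass=%s\n", esc);
    return count_records(line);
}

/* Convenience check on the escaping itself. */
int escapes_to(const char *in, const char *expect) { char out[64]; log_escape(out, sizeof out, in); return strcmp(out, expect) == 0; }
```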
34. Log misuse database
Actually there is CWE...
• Common Weakness Enumeration
• CWE-778: Insufficient Logging
"When a security-critical event occurs, the software either does not record the event or omits important details about the event when logging it."
35. CVE examples
• CVE-2003-1566: Microsoft IIS 5.0 does not log requests that use the TRACK method, which allows remote attackers to obtain sensitive information without detection.
• CVE-2007-3730: OpenVMS does not log the source IP.
• CVE-2008-1203: Adobe ColdFusion 8 and ColdFusion MX7 do not log failed connection attempts on the administrative interface.
• ...
These CVEs are still under review
36. YASA! (Yet Another Stealth Attack)
Ever seen this attack?
66.249.65.39 - - [28/Mar/2007:03:08:46 +0200] "GET /index.html HTTP/1.1" 404 394 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
57. Conclusion
• Data are obviously lost in the noise of events today
• If we are creative, we may be able to solve this issue
• We have some technical limitations, we need to find ways to get around them
• We have some technical solutions (hint: SIEM), we need to find ways to get around them
• I strongly believe visualization has a great role to play in it