This document describes a new technique called "IRONSQUIRREL" for encrypting browser exploits during delivery to prevent their analysis and leakage. It uses elliptic curve Diffie-Hellman key exchange to encrypt the exploit code between the server and client browser. This makes the exploit non-replayable and difficult for reverse engineers to analyze from network traffic alone. The document provides details on how IRONSQUIRREL works and recommendations to further obstruct analysis through techniques like one-time URLs, anti-debugging, and obfuscation.
Information security is one of the main concerns in modern society. Even though we have much more advanced methods to secure our data, good old passwords are the final security measurement standing between our information and the outside world. So, the security of passwords is very important for the overall security of a system, network, or application.
In this paper, the learner discusses about John the ripper tool and its 4 different password cracking modes. Using Kali Linux operating system and John the ripper tool, learner demonstrates the Single crack mode by creating different passwords in different strength levels and cracking them. By analysing the time, which is taken to crack those passwords, learner is looking forward to gain knowledge about strong and weak passwords along with their characteristics. At last, learner discusses about major principles behind password policies to learn about good password construction and password management. By using that knowledge, learner creates an organizational password policy for “Rythmo Art Gallery”.
RoR Workshop - Web applications hacking - Ruby on Rails exampleRailwaymen
Web Applications Hacking – Ruby on Rails example. Attack web applications by using SQL attacks, CSRF, XSS. You will learn how to extract information by generating API json / xml and how to use cookies to code injection.
Bucardo is a replication system for PostgreSQL. It supports both master-slave (to multiple slaves) and master-master replication, and does not require any modifications to PostgreSQL to run. Maintained by Greg Sabino Mullane, its management application (bucardo_ctl) has recently been significantly improved, making initial setup of replication very fast and easy.
Information security is one of the main concerns in modern society. Even though we have much more advanced methods to secure our data, good old passwords are the final security measurement standing between our information and the outside world. So, the security of passwords is very important for the overall security of a system, network, or application.
In this paper, the learner discusses about John the ripper tool and its 4 different password cracking modes. Using Kali Linux operating system and John the ripper tool, learner demonstrates the Single crack mode by creating different passwords in different strength levels and cracking them. By analysing the time, which is taken to crack those passwords, learner is looking forward to gain knowledge about strong and weak passwords along with their characteristics. At last, learner discusses about major principles behind password policies to learn about good password construction and password management. By using that knowledge, learner creates an organizational password policy for “Rythmo Art Gallery”.
RoR Workshop - Web applications hacking - Ruby on Rails exampleRailwaymen
Web Applications Hacking – Ruby on Rails example. Attack web applications by using SQL attacks, CSRF, XSS. You will learn how to extract information by generating API json / xml and how to use cookies to code injection.
Bucardo is a replication system for PostgreSQL. It supports both master-slave (to multiple slaves) and master-master replication, and does not require any modifications to PostgreSQL to run. Maintained by Greg Sabino Mullane, its management application (bucardo_ctl) has recently been significantly improved, making initial setup of replication very fast and easy.
In this popular session, discover how Amazon EBS can take your application deployments on Amazon EC2 to the next level. Learn about Amazon EBS features and benefits, how to identify applications that are appropriate for use with Amazon EBS, best practices, snapshots, and details about its performance and volume types. The target audience is storage administrators, application developers, applications owners, and anyone who wants to understand how to optimize performance for Amazon EC2 using the power of Amazon EBS.
re:Invent 2019 BPF Performance Analysis at NetflixBrendan Gregg
Talk by Brendan Gregg at AWS re:Invent 2019. Abstract: "Extended BPF (eBPF) is an open source Linux technology that powers a whole new class of software: mini programs that run on events. Among its many uses, BPF can be used to create powerful performance analysis tools capable of analyzing everything: CPUs, memory, disks, file systems, networking, languages, applications, and more. In this session, Netflix's Brendan Gregg tours BPF tracing capabilities, including many new open source performance analysis tools he developed for his new book "BPF Performance Tools: Linux System and Application Observability." The talk includes examples of using these tools in the Amazon EC2 cloud."
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015CODE BLUE
Microsoft's web browsers, Internet Explorer and Edge, have a feature called 'XSS filter' built in which protects users from XSS attacks. In order to deny XSS attacks, XSS filter looks into the request for a string resembling an XSS attack, compares it with the page and finds the appearance of it, and rewrites parts of the string if it appears in the page. This rewriting process of the string - is this done safely? The answer is no. This time, I have found a way to exploit XSS filter not to protect a web page, but to create an XSS vulnerability on a web page that is completely sane and free of XSS vulnerability. In this talk, I will describe technical details about possibilities of XSS attacks exploiting XSS filter and propose what website administrators should do to face this XSS filter nightmare.
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
Talk of Skip Duckwall and I at BlackHat 2014 USA / Defcon Wall of Sheep.
Kerberos, and new pass-the-* feature, like overpass-the-hash and the Golden Ticket
LinuxCon 2015 Linux Kernel Networking WalkthroughThomas Graf
This presentation features a walk through the Linux kernel networking stack for users and developers. It will cover insights into both, existing essential networking features and recent developments and will show how to use them properly. Our starting point is the network card driver as it feeds a packet into the stack. We will follow the packet as it traverses through various subsystems such as packet filtering, routing, protocol stacks, and the socket layer. We will pause here and there to look into concepts such as networking namespaces, segmentation offloading, TCP small queues, and low latency polling and will discuss how to configure them.
Our Sr. Web Operations Engineer, Justin Lintz, goes over some parameters we tuned in TCP and NGINX to improve the performance and stability of our systems. These slides are a complement to a two part blog post found over on our engineering blog.
http://engineering.chartbeat.com/2014/01/02/part-1-lessons-learned-tuning-tcp-and-nginx-in-ec2/
http://engineering.chartbeat.com/2014/02/12/part-2-lessons-learned-tuning-tcp-and-nginx-in-ec2/
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...Christopher Frohoff
Object deserialization is an established but poorly understood attack vector in applications that is disturbingly prevalent across many languages, platforms, formats, and libraries.
In January 2015 at AppSec California, Chris Frohoff and Gabe Lawrence gave a talk on this topic, covering deserialization vulnerabilities across platforms, the many forms they take, and places they can be found. It covered, among other things, somewhat novel techniques using classes in commonly used libraries for attacking Java serialization that were subsequently released in the form of the ysoserial tool. Few people noticed until late 2015, when other researchers used these techniques/tools to exploit well known products such as Bamboo, WebLogic, WebSphere, ApacheMQ, and Jenkins, and then services such as PayPal. Since then, the topic has gotten some long-overdue attention and great work is being done by many to improve our understanding and developer awareness on the subject.
This talk will review the details of Java deserialization exploit techniques and mitigations, as well as report on some of the recent (and future) activity in this area.
http://www.meetup.com/Open-Web-Application-Security-Project-San-Diego-OWASP-SD/events/226242635/
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
Presented at Black Hat 2019
https://www.blackhat.com/us-19/briefings/schedule/index.html#fantastic-red-team-attacks-and-how-to-find-them-16540
Casey Smith (Red Canary)
Ross Wolf (Endgame)
bit.ly/fantastic19
Abstract:
Red team testing in organizations over the last year has shown a dramatic increase in detections mapped to MITRE ATT&CK™ across Windows, Linux and macOS. However, many organizations continue to miss several key techniques that, unsurprisingly, often blend in with day-to-day user operations. One example includes Trusted Developer Utilities which can be readily available on standard user endpoints, not just developer workstations, and such applications allow for code execution. Also, XSL Script processing can be used as an attack vector as there are a number of trusted utilities that can consume and execute scripts via XSL. And finally, in addition to these techniques, trusted .NET default binaries are known to allow unauthorized execution as well, these include tools like InstallUtil, Regsvcs and AddInProcess. Specific techniques, coupled with procedural difficulties within a team, such as alert fatigue and lack of understanding with environmental norms, make reliable detection of these events near impossible.
This talk summarizes prevalent and ongoing gaps across organizations uncovered by testing their defenses against a broad spectrum of attacks via Atomic Red Team. Many of these adversary behaviors are not atomic, but span multiple events in an event stream that may be arbitrarily and inconsistently separated in time by nuisance events.
Additionally, we introduce and demonstrate the open-sourced Event Query Language for creating high signal-to-noise analytics that close these prevalent behavioral gaps. EQL is event agnostic and can be used to craft analytics that readily link evidence across long sequences of log data. In a live demonstration, we showcase powerful but easy to craft analytics that catch adversarial behavior most commonly missed in organizations today.
Lei Shi & Mei Wang, Qihoo 360
Virtualization is one of the most complicated software in the world. The VMware workstation is very popular in many fields. The windows 10 has a lot of mitigation technology to get avoid of exploitation. It's a great challenge to make a vm escape in VMware workstation under Win 10. Especially when the guest and host are both win 10 and the guest user are NO-ADMIN. This talk will present how to make a vm escape and execute arbitrary code in the host from a NO-ADMIN guest user under Win 10(both the guest and host are Win 10). They have developed three different exploitation. This talk will introduce them and show a very elegant exploitation technology of vm escape. Besides the vm escape technology, this talk will also show the exploitation technology in Win 10. It is quite attractive because there's a process continuation, saying that the guest can execute the exploitation without crashing/disturbing the host process(VMware workstation virtual machine process). The exploitation is very reliable, it reaches nearly 100% successful rate.
This talk shares the various techniques I found whilst building the XSS cheat sheet. It contains auto executing vectors, AngularJS CSP bypasses and dangling markup attacks.
In this popular session, discover how Amazon EBS can take your application deployments on Amazon EC2 to the next level. Learn about Amazon EBS features and benefits, how to identify applications that are appropriate for use with Amazon EBS, best practices, snapshots, and details about its performance and volume types. The target audience is storage administrators, application developers, applications owners, and anyone who wants to understand how to optimize performance for Amazon EC2 using the power of Amazon EBS.
re:Invent 2019 BPF Performance Analysis at NetflixBrendan Gregg
Talk by Brendan Gregg at AWS re:Invent 2019. Abstract: "Extended BPF (eBPF) is an open source Linux technology that powers a whole new class of software: mini programs that run on events. Among its many uses, BPF can be used to create powerful performance analysis tools capable of analyzing everything: CPUs, memory, disks, file systems, networking, languages, applications, and more. In this session, Netflix's Brendan Gregg tours BPF tracing capabilities, including many new open source performance analysis tools he developed for his new book "BPF Performance Tools: Linux System and Application Observability." The talk includes examples of using these tools in the Amazon EC2 cloud."
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015CODE BLUE
Microsoft's web browsers, Internet Explorer and Edge, have a feature called 'XSS filter' built in which protects users from XSS attacks. In order to deny XSS attacks, XSS filter looks into the request for a string resembling an XSS attack, compares it with the page and finds the appearance of it, and rewrites parts of the string if it appears in the page. This rewriting process of the string - is this done safely? The answer is no. This time, I have found a way to exploit XSS filter not to protect a web page, but to create an XSS vulnerability on a web page that is completely sane and free of XSS vulnerability. In this talk, I will describe technical details about possibilities of XSS attacks exploiting XSS filter and propose what website administrators should do to face this XSS filter nightmare.
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
Talk of Skip Duckwall and I at BlackHat 2014 USA / Defcon Wall of Sheep.
Kerberos, and new pass-the-* feature, like overpass-the-hash and the Golden Ticket
LinuxCon 2015 Linux Kernel Networking WalkthroughThomas Graf
This presentation features a walk through the Linux kernel networking stack for users and developers. It will cover insights into both, existing essential networking features and recent developments and will show how to use them properly. Our starting point is the network card driver as it feeds a packet into the stack. We will follow the packet as it traverses through various subsystems such as packet filtering, routing, protocol stacks, and the socket layer. We will pause here and there to look into concepts such as networking namespaces, segmentation offloading, TCP small queues, and low latency polling and will discuss how to configure them.
Our Sr. Web Operations Engineer, Justin Lintz, goes over some parameters we tuned in TCP and NGINX to improve the performance and stability of our systems. These slides are a complement to a two part blog post found over on our engineering blog.
http://engineering.chartbeat.com/2014/01/02/part-1-lessons-learned-tuning-tcp-and-nginx-in-ec2/
http://engineering.chartbeat.com/2014/02/12/part-2-lessons-learned-tuning-tcp-and-nginx-in-ec2/
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...Christopher Frohoff
Object deserialization is an established but poorly understood attack vector in applications that is disturbingly prevalent across many languages, platforms, formats, and libraries.
In January 2015 at AppSec California, Chris Frohoff and Gabe Lawrence gave a talk on this topic, covering deserialization vulnerabilities across platforms, the many forms they take, and places they can be found. It covered, among other things, somewhat novel techniques using classes in commonly used libraries for attacking Java serialization that were subsequently released in the form of the ysoserial tool. Few people noticed until late 2015, when other researchers used these techniques/tools to exploit well known products such as Bamboo, WebLogic, WebSphere, ApacheMQ, and Jenkins, and then services such as PayPal. Since then, the topic has gotten some long-overdue attention and great work is being done by many to improve our understanding and developer awareness on the subject.
This talk will review the details of Java deserialization exploit techniques and mitigations, as well as report on some of the recent (and future) activity in this area.
http://www.meetup.com/Open-Web-Application-Security-Project-San-Diego-OWASP-SD/events/226242635/
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
Presented at Black Hat 2019
https://www.blackhat.com/us-19/briefings/schedule/index.html#fantastic-red-team-attacks-and-how-to-find-them-16540
Casey Smith (Red Canary)
Ross Wolf (Endgame)
bit.ly/fantastic19
Abstract:
Red team testing in organizations over the last year has shown a dramatic increase in detections mapped to MITRE ATT&CK™ across Windows, Linux and macOS. However, many organizations continue to miss several key techniques that, unsurprisingly, often blend in with day-to-day user operations. One example includes Trusted Developer Utilities which can be readily available on standard user endpoints, not just developer workstations, and such applications allow for code execution. Also, XSL Script processing can be used as an attack vector as there are a number of trusted utilities that can consume and execute scripts via XSL. And finally, in addition to these techniques, trusted .NET default binaries are known to allow unauthorized execution as well, these include tools like InstallUtil, Regsvcs and AddInProcess. Specific techniques, coupled with procedural difficulties within a team, such as alert fatigue and lack of understanding with environmental norms, make reliable detection of these events near impossible.
This talk summarizes prevalent and ongoing gaps across organizations uncovered by testing their defenses against a broad spectrum of attacks via Atomic Red Team. Many of these adversary behaviors are not atomic, but span multiple events in an event stream that may be arbitrarily and inconsistently separated in time by nuisance events.
Additionally, we introduce and demonstrate the open-sourced Event Query Language for creating high signal-to-noise analytics that close these prevalent behavioral gaps. EQL is event agnostic and can be used to craft analytics that readily link evidence across long sequences of log data. In a live demonstration, we showcase powerful but easy to craft analytics that catch adversarial behavior most commonly missed in organizations today.
Lei Shi & Mei Wang, Qihoo 360
Virtualization is one of the most complicated software in the world. The VMware workstation is very popular in many fields. The windows 10 has a lot of mitigation technology to get avoid of exploitation. It's a great challenge to make a vm escape in VMware workstation under Win 10. Especially when the guest and host are both win 10 and the guest user are NO-ADMIN. This talk will present how to make a vm escape and execute arbitrary code in the host from a NO-ADMIN guest user under Win 10(both the guest and host are Win 10). They have developed three different exploitation. This talk will introduce them and show a very elegant exploitation technology of vm escape. Besides the vm escape technology, this talk will also show the exploitation technology in Win 10. It is quite attractive because there's a process continuation, saying that the guest can execute the exploitation without crashing/disturbing the host process(VMware workstation virtual machine process). The exploitation is very reliable, it reaches nearly 100% successful rate.
This talk shares the various techniques I found whilst building the XSS cheat sheet. It contains auto executing vectors, AngularJS CSP bypasses and dangling markup attacks.
Jon Noble. Jon will give a brief overview of why you should consider security as part of your CloudStack deployment, why your approach to security needs to be different than in a traditional environment, and also talk about some of the motives behind the attacks – why they attack you and what they do once they have compromised a system.
Basic security principles for information systems development/deployment. Information security is concerned with the confidentiality, integrity, and availability of information. From these three 'pillars', the following principles must be applied when implementing and maintaining an information system: Accountability.
FBI & Secret Service- Business Email Compromise WorkshopErnest Staats
Compiled some Open source and other tools that I that I have used for BEC/EAC protection, security, & training. I had a great time sitting on the panel with other members.
The Emergent Cloud Security Toolchain for CI/CDJames Wickett
The Emergent Cloud Security Toolchain for CI/CD given at RSA Conference 2018 in San Francisco.
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Learning Objectives:
1: Learn the emerging patterns for security in CI/CD pipelines.
2: Receive a pragmatic security toolchain for CI/CD to use in your organization.
3: Understand the real meaning of DevSecOps is without all the hype.
On August 2017 a well established Corporation was hit by an advanced attacker. The techniques adopted to overcome security platforms and infrastructures showed a very dangerous and innovative attacker. This is the tale of the IR team hired to fight this advanced attacker, a tale of a team pushing all his resources and technical skills to overcome the threat and finally chase the Adder...
A short presentation on the Latest dumb of nsa tools by Shadowbroker hacker group. How to attack how to prevent the attack. Also about the new ransomware wanna cry 2.0
Dev and Blind - Attacking the weakest Link in IT SecurityMario Heiderich
The developer is an easy and valuable target for malicious minds. The reasons for that are numerous and hard to come by. This talk delivers examples, proof, discussion and awkward moments in a pretty special way.
Everybody hates developers – especially web developers. And why not? The cracks and crevices of their APIs and implementations are the reason that vulnerabilities in web applications are still a widespread issue – and will continue to be in the foreseeable future.
Bashing and blaming them for their wrongdoings is fun – boy, they are stupid in their mistakes! But has anyone ever dared to have an open on stage battle with an actual developer?
And who of the developers dares to face their collective nemesis – the attacker? Can there be life where matter and anti-matter collide? We will know about this soon – because this is what this talk is going to be about. Developer versus attacker – vulnerability versus defense. Be prepared for swearing, violence and people leaving the stage prematurely in tears.
In theory, post-exploitation after having remote access is easy. Also in theory, there is no difference between theory and practice. In practice, there is. Imagine a scenario, where you have deployed a malware on a user’s workstation, but the target information is on a secure server accessed via two-factor authentication, with screen access only (e.g. RDP, Citrix, etc.). On top of that, the server runs application white-listing, and only the inbound port to the screen server (e.g. 3389) is allowed through the hardware firewall. But you also need persistent interactive C&C communication (e.g. Netcat, Meterpreter, RAT) to this server through the user’s workstation.
I developed (and will publish) two tools that help you in these situations. The first tool can drop malware to the server through the screen while the user is logged in. The second tool can help you to circumvent the hardware firewall after we can execute code on the server with admin privileges (using a signed kernel driver). My tools are generic meaning that they work against Windows server 2012 and Windows 8, and they work with RDP or other remote desktops. The number of problems you can solve with them are endless, e.g., communicating with bind-shell on webserver behind restricted DMZ. Beware, live demo and fun included!
This presentation is a fun introduction to the tools used by script kiddies, namely the Remote Admin Tools (or Remote Access Trojans). These GUI based hacking tools include a lot of funny and scary features.
[ENG] IPv6 shipworm + My little Windows domain pwnieZoltan Balazs
Hacktivity 2011 presentation about IPv6 Teredo protocol, Windows pass-the-hash attack
Original video in Hungarian: http://vimeo.com/31359639
Translated version: http://vimeo.com/31360814
1.Wireless Communication System_Wireless communication is a broad term that i...JeyaPerumal1
Wireless communication involves the transmission of information over a distance without the help of wires, cables or any other forms of electrical conductors.
Wireless communication is a broad term that incorporates all procedures and forms of connecting and communicating between two or more devices using a wireless signal through wireless communication technologies and devices.
Features of Wireless Communication
The evolution of wireless technology has brought many advancements with its effective features.
The transmitted distance can be anywhere between a few meters (for example, a television's remote control) and thousands of kilometers (for example, radio communication).
Wireless communication can be used for cellular telephony, wireless access to the internet, wireless home networking, and so on.
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBrad Spiegel Macon GA
Brad Spiegel Macon GA’s journey exemplifies the profound impact that one individual can have on their community. Through his unwavering dedication to digital inclusion, he’s not only bridging the gap in Macon but also setting an example for others to follow.
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...JeyaPerumal1
A cellular network, frequently referred to as a mobile network, is a type of communication system that enables wireless communication between mobile devices. The final stage of connectivity is achieved by segmenting the comprehensive service area into several compact zones, each called a cell.
Italy Agriculture Equipment Market Outlook to 2027harveenkaur52
Agriculture and Animal Care
Ken Research has an expertise in Agriculture and Animal Care sector and offer vast collection of information related to all major aspects such as Agriculture equipment, Crop Protection, Seed, Agriculture Chemical, Fertilizers, Protected Cultivators, Palm Oil, Hybrid Seed, Animal Feed additives and many more.
Our continuous study and findings in agriculture sector provide better insights to companies dealing with related product and services, government and agriculture associations, researchers and students to well understand the present and expected scenario.
Our Animal care category provides solutions on Animal Healthcare and related products and services, including, animal feed additives, vaccination
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC
Ellisha Heppner, Grant Management Lead, presented an update on APNIC Foundation to the PNG DNS Forum held from 6 to 10 May, 2024 in Port Moresby, Papua New Guinea.
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
How to hide your browser 0-days
1. How to protect your
browser 0-day
Codenamed #IRONSQUIRREL
TS//SI//FVEY
FOUO//SI//FVEY
Zoltan Balazs – MRG Effitas
SyScan360, 2017 September
2. Whoami?
I’m NOT a CEH
Creator of the Zombie Browser Toolkit
https://github.com/Z6543/ZombieBrowserPack
Creator of the HWFW Bypass tool
• Idea later(?) implemented by nation state attackers in Duqu 2.0
https://github.com/MRGEffitas/hwfwbypass
Creator of the Malware Analysis Sandbox Tester tool
https://github.com/MRGEffitas/Sandbox_tester
Played with crappy IoT devices
https://jumpespjump.blogspot.hu/2015/09/how-i-hacked-my-ip-camera-and-found.html
https://jumpespjump.blogspot.hu/2015/08/how-to-secure-your-home-against.html
4. How did it all begin?
I had this “discussion” with nextgen/breach-detection
vendors that their network appliance can be bypassed in
a way that they can’t even see an exploit happened or
malware was delivered
They told me it is impossible
5.
6. Why should you listen to this talk?
Exploit brokers and law enforcement
• Effective way to prevent the 0-day exploit code being leaked
Pentesters/red team members
• Bypass perimeter defenses, some host IDS
Blue team members, forensics investigators, exploit kit
researchers
• How current defenses can be bypassed via
#IRONSQUIRREL browser exploit delivery
Rest of you
• Learning about elliptic curve cryptography is always fun
7. Introduction to
Exploit kits, targeted attacks with 0-dayz
DH key agreement
ECDH key agreement
Encrypted browser exploit delivery
My idea implemented by the bad guys
8. Browser exploits, exploit kits
“An exploit kit is a software kit designed to run on
web servers, with the purpose of identifying software
vulnerabilities in client machines communicating with
it, and discovering and exploiting vulnerabilities to
upload and execute malicious code on the client.”
https://en.wikipedia.org/wiki/Exploit_kit
9. Lost 0-day exploit => $$$--
Targeting of Ahmed Mansoor with iOS
Safari 0-day exploit
• http://www.5z8.info/malicious-cookie_z2m5jd_mydick
• iOS 0-day exploit
• 100 000 USD – 1 500 000 USD
• Mansoor still in prison
Tor browser 0-day exploit used by law
enforcement on pedophile site
• http://www.5z8.info/twitterhack_u3o2ex_this-page-will-
steal-all-of-your-personal-data
• Tor Browser 0-day : 30 000 USD
https://www.zerodium.com/program.html
Both exploit leaked, burnt
11. Elliptic Curve based Diffie-
Hellman (ECDH) key agreement
ECDH key agreement 5-10 times faster on same CPU
[citation needed]
DH key agreement is too slow for JS
It is like you know the start
and end position of the billiard
ball on the table, but god
knows the way it took to
get there
http://arstechnica.com/security/2013/10/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/1/
14. Implementation details
Original Node.JS POC – 2 June, 2015
New Ruby POC (to be released today) compatible and
tested with
• Edge
• IE11 (older IE just sucks, can’t crypto)
• Firefox (Tor Browser)
• Chrome
• Opera
• Mobile Safari
• Mobile Chrome
• Android built-in browser
15. DH implemented in exploit kits
FireEye analysis – Angler exploit kit
• “First” in-the-wild DH encrypted exploit
• Only shellcode was protected by encryption
https://www.fireeye.com/blog/threat-research/2015/08/cve-2015-2419_inte.html
“You might think this is coincidental, but I
assure you it is not …”
https://www.youtube.com/watch?v=XeDq
GwQkDk8
16.
17. DH implemented in exploit kits
“Several days ago analysts found the usage of the Diffie-Hellman cryptographic protocol in
the Angler Exploit Kit, … that is the first known case of its usage in an exploit kit.”
Weakness demonstrations
• Use of DH instead of ECDH
• Short keys suspected to be factorized
2017 May: Astrum/Stegano exploit kit back
with DH exploit delivery
https://securelist.com/blog/research/72097/attacking-diffie-
hellman-protocol-implementation-in-the-angler-exploit-kit/
18.
19. Attacker model
Who is my attacker?
• The reverse engineer (RE), who tries to reverse the
precious 0-day exploit
• The nextgen/breach-detection system
What is the capability of the attacker?
• See next slides
21. RE can debug in browser – JavaScript level
Has access to DOM in browser
22. RE can debug the browser – Assembly level
This is not always trivial – e.g. if you can’t jailbreak iOS
23. Network forensics
When checking IRONSQUIRREL network traffic, you
see
• Bunch of crypto libraries
• Public key exchange
• Encrypted blobs
• Without the shared key, you can’t do much
• Unless you have a kick-ass quantum computer
• Attackers: just use quantum resistant key exchange
Debugging in browser is possible – but I will
recommend some tricks to make this harder
24. Why is this different, new?
Protecting the browser exploit code was so far
obfuscation only
• It was encryption with keys known to the attacker
• Now, it is encryption with keys not know to the
attacker
Why is this different then SSL/TLS ?
How does this affect exploit replay?
Why is this different then StegoSploit?
25. IRONSQUIRREL exploit delivery
VS exploit kits using SSL/TLS
If you control the client (the analysis machine), TLS
MiTM is trivial
Deep Packet Inspection
• TLS MiTM at enterprises
• TLS MiTM with intercept proxies like Burp or
Fiddler at home or your lab
26. Traditional browser exploits
forensics
Reproducible exploit replay with Fiddler or similar
SSL/TLS exploit delivery can be replayed if MiTM is
possible
IRONSQUIRREL exploit delivery cannot be replayed
• The client will generate different public/private key
• Client will send different public key to replay server
• Replay server either sends the encrypted data with the
old key, or can’t generate new ECDH key thus fails to
replay
28. Astrum EK replay broken
http://blog.trendmicro.com/trendlabs-security-intelligence/astrum-exploit-kit-abuses-diffie-hellman-key-exchange/
Fun fact: even if exploit is not 0-day,
other threat groups can’t steal your exploit
code
29. IRONSQUIRREL exploit delivery
VS Stegosploit
“Stegosploit creates a new way to encode "drive-by"
browser exploits and deliver them through image files” …
“image based exploit delivery - Steganography and
Polyglots”
Stegosploit is good at hiding your exploit. But it is
replayable, thus easy to analyse once recorded/identified
http://stegosploit.info/
It is possible to combine Stegosploit
with IRONSQUIRREL
30. IRONSQUIRREL exploit delivery
VS Heartbleed
TLS Heartbeet can be sent either
• In clear-text before handshake finished
• Encrypted, after handshake
It is harder to create IDS signatures for the encrypted payload.
Heartbleed exploit uses encryption as part of the protocol.
IRONSQUIRREL exploit delivery uses encryption as an additional module to
make reversing harder
31. Defense and offense
Prevention and detection on the network level
Analysis on the endpoint
How to make endpoint analysis (a lot) harder
32. Anti-analysis improvements
One-time URLs (URL is dead after one use)
• In Law Enforcement mode, use one-time URL per logged in user!
Time-limits to prevent manual debugging
Remove full DOM after exploit runs
34. Prevent the IRONSQUIRREL exploit
attacks via network defenses
IRONSQUIRREL specific blocking/detection
• Detection of (EC)DH encrypted traffic
• Will lead to False Positives (FP)
Non IRONSQUIRREL specific blocking/detection
• Block uncategorized/new domains
• Domain white-listing
35. Delivery method improvements
To bypass uncategorized/new
domain prevention/detection
• Use of watering hole
• Quantum insert techniques
• Warning, might not
be available in your
attacker capability
36. Analyze IRONSQUIRREL
exploits on the endpoint
Log the shared key and/or client private key
“Fix” the random generator – generate same client
private keys always
“Hook” the JS code to immediately return with the
same client secret key
Remote debugging iOS Safari on OS X
Detailed JS execution Tracelog
• https://github.com/szimeus/evalyzer
--> check out this great project!
38. Anti-analysis improvements
Detect debug window (client-side protection )
https://github.com/zswang/jdetects
Proper fingerprinting of the target before exploit
delivery
Code obfuscation – effective against MiTM *
Generate multiple DH private keys and check if it is the
same
* http://blog.trendmicro.com/trendlabs-security-intelligence/how-exploit-kit-
operators-are-misusing-diffie-hellman-key-exchange/
39. Anti-analysis improvements
Adding lot of junk code to DoS the analysis
environment
Use eval equivalent functions like SetTimeout, new
Function(), ... to bypass default Evalyzer
https://www.slideshare.net/x00mario/in-the-dom-no-one-will-hear-you-scream
40. Conclusion of the RE attacker
Determined RE engineer can restore exploit from a
memory dump
Determined attacker can put breakpoints on DEP related
VirtualProtects or use Guard Pages, and reverse the
vulnerability *
But it can delay the analysis/discovery of the exploit by
days/weeks/months if the attacker implements my
suggestions
* Windows only method
42. Current Metasploit integration level
Pre-alpha (a.k.a non-existent) version 0.0
• Run Metasploit with (fake) victim
• Extract HTML file (now the exploit is static)
• Put extracted HTML into exploit folder
• Run IRONSQUIRREL with the HTML file
Need help!
43. Is there a logo???
This is not a vulnerability
Logos are lame
So the logical answer is that there is no logo
47. Conclusion
IRONSQUIRREL could have prevented the leak of
the iOS Safari 0-day
IRONSQUIRREL could have prevented (or
significantly delay) the leak of the Tor Browser 0-day
IRONSQUIRREL with one-time exploits can make RE
a nightmare
IRONSQUIRREL does not deal with endpoint exploit
protections (EMET)
OPSEC is important
48. Ethical dilemmas
Why do I help the “bad” guys?
Who are the bad guys?
• Neither offense nor defense is bad by itself
• I consider the FBI being the good guys if they are catching
the pedophiles
• It is all about evolution
• Have better defense or offense than the others to survive
I agree that the current laws are not prepared for law
enforcement hacking of Tor users
What happens if we don’t prepare our defenses against
these attacks?