Modern Post-Exploitation Strategies
Rich Smith
Kyrus
Rich@Kyr.us

What are we going to discuss
•  Going to discuss some ongoing research in extending attack techniques
•  Came from real world needs of being able to manage complex, long term attack engagements for customers

What are we going to discuss
•  Looking at:
    •  Attack process
    •  Attack workflow
    •  How current tooling maps to complex workflows
    •  Pen-test vs Attack

Targeted attack services
One of the things we do is to perform highly targeted attacks for our customers

Long term, breadth
Ongoing engagements, think ~6-12 months

Goal driven
Read CEO’s email
Alter source code

Multi-stage, incremental
•  Baby steps towards a goal

Current tooling falls short

Huge focus on exploitation
(Diagram: the attack phases Recon, Exploit and Post-Exploit plotted against Time)

What is post-exploitation?
•  What you do after you compromise
•  Nothing to do with how you compromise

Or from the attacker perspective
‘How to make the BEST use of the systems that have been compromised’

What do I worry about at night?

Attacker worries

Post-exploitation challenges
•  Manage Many Targets
•  Rapid Development
•  QA & Maintenance
•  Avoid Detection

Post-exploitation worries
I also worry about technology futures & how they may change the attack landscape

Technology trends
(Figure: from Gartner’s 2012 Hype Cycle of Emerging Technologies - August 16, 2012)

Future questions
(Diagram: Cost of Attack, Shift the Target, Attack Effectiveness)

Trends
•  Cloud Computing
•  Mobile Devices
•  Bring your own device (BYOD)
•  Social Media

Trends & attack
Overall Trends
•  Larger number of resources
•  Greater diversity in those resources
•  Increased inter-resource complexity/dependency
•  Users’ relationship with technology has never been deeper

Post-exploitation challenges
•  Manage Many Targets
•  Rapid Development
•  QA & Maintenance
•  Avoid Detection

Not well, if at all

Scale poorly
•  Recognize current post-exploitation ‘binary dropper’ approaches don’t scale well
    •  In the development process
    •  In the ability to be effective against diverse targets
    •  Pen-test frameworks use this approach
        - Software engineering nightmare

Baking in
•  Baking capabilities into the implant is sub-optimal for most situations
    •  Reduces your flexibility post-compromise
    •  Can reveal an overall attack intent
        - Reverse engineering field day

Size matters
BIG is not what should be most worrying. Small is.

High Level Aims
Scalability
    -  Greater platform independence
    -  Easier to develop & maintain logic
Stealth
    -  Reduced attribution & MO leakage
    -  Avoid existing deployed defenses

Technical proof of concept

Goals
•  Would be great to have a single payload that would run everywhere!
    •  Cross platform, interpreted languages such as Java or Python could help here
    •  They also help address some of the software engineering worries

Goals
•  Separate what you do from why you do it
    •  Lots of distributed system approaches that may help out here, e.g. RPC
    •  Can also help with reducing complexity in the implant, pushing it to the server

The implementation
•  Uses Python over-the-wire bytecode for cross-platform tasking
    •  No persistent native binary code
    •  Harder analysis on both platter & wire
•  A distributed implant architecture, RPC based
    •  Split the task & the decision
    •  ‘Reach back’ rather than ‘bake in’

High level
Post-exploitation logic executes in the Interpreted Language runtime, not on the target platform
(Diagram: on the server, IL source is processed into IL bytecode and dispatched over RPC; on the IL implant, the bytecode runs in an IL process loop that processes tasks and returns a result object)

Python internals 101

Python internals 101
Bytecode
•  Python source code as written by the programmer is compiled to a simple bytecode representation
    -  This is what the .pyc’s/.pyo’s are
•  Python bytecode is portable between platforms & architectures
    -  As long as major & minor versions are the same (micro can vary)
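
Added example, not from the talk: a small triage routine for a recovered bytecode blob. Reading the .pyc header is how you tell which CPython major.minor produced it, and therefore whether it would even load on a given interpreter, which is the portability constraint the slide describes. It assumes Python 3.6+ locally; the magic-number table and the constructed sample blob are this example's own.

```python
import importlib.util
import marshal
import struct
import sys
import time

# Final-release magic numbers (low 16 bits of the 4-byte header word) for the
# CPython versions this example is certain of.
MAGIC_TO_VERSION = {
    62211: "2.7",
    3230: "3.3", 3310: "3.4", 3351: "3.5", 3379: "3.6", 3394: "3.7",
    3413: "3.8", 3425: "3.9", 3439: "3.10", 3495: "3.11", 3531: "3.12",
    3571: "3.13",
}
LOCAL_MAGIC = importlib.util.MAGIC_NUMBER
LOCAL_VERSION = "%d.%d" % sys.version_info[:2]
# Whatever interpreter runs this, its own magic must map to its own version.
MAGIC_TO_VERSION.setdefault(struct.unpack("<H", LOCAL_MAGIC[:2])[0], LOCAL_VERSION)


def parse_pyc_header(blob):
    """Describe a .pyc header without executing anything.

    The header layout changed over time, so the magic number is read first
    and then used to decide how many bytes follow it and what they mean.
    """
    if len(blob) < 8 or blob[2:4] != b"\r\n":
        raise ValueError("not a .pyc header (missing magic trailer)")
    magic = struct.unpack("<H", blob[:2])[0]
    if magic > 10000:            # Python 2.x magics are ~62xxx: magic + mtime
        layout, hdr = "py2", 8
    elif magic < 3210:           # 3.0 to early 3.3 alphas: magic + mtime
        layout, hdr = "py3-timestamp", 8
    elif magic < 3392:           # 3.3 - 3.6: magic + mtime + source size
        layout, hdr = "py3-timestamp-size", 12
    else:                        # 3.7+ (PEP 552): magic + flags + 8 bytes
        layout, hdr = "py3-pep552", 16
    if len(blob) < hdr:
        raise ValueError("truncated header for layout %s" % layout)
    info = {
        "magic": magic,
        "version": MAGIC_TO_VERSION.get(magic, "unknown"),
        "layout": layout,
        "header_len": hdr,
        "loadable_here": blob[:4] == LOCAL_MAGIC,
        "hash_based": False,
    }
    if layout == "py3-pep552":
        flags = struct.unpack("<I", blob[4:8])[0]
        info["hash_based"] = bool(flags & 1)
        if info["hash_based"]:
            info["source_hash"] = blob[8:16].hex()
        else:
            info["mtime"], info["source_size"] = struct.unpack("<II", blob[8:16])
    else:
        info["mtime"] = struct.unpack("<I", blob[4:8])[0]
        if hdr == 12:
            info["source_size"] = struct.unpack("<I", blob[8:12])[0]
    return info


def build_local_pyc(source):
    """Constructed sample: a timestamp-based .pyc blob for the running interpreter."""
    code = compile(source, "<constructed>", "exec")
    mtime, size = int(time.time()), len(source)
    if struct.unpack("<H", LOCAL_MAGIC[:2])[0] >= 3392:
        header = LOCAL_MAGIC + struct.pack("<III", 0, mtime, size)   # flags = 0
    else:
        header = LOCAL_MAGIC + struct.pack("<II", mtime, size)
    return header + marshal.dumps(code)


def run_local_pyc(blob):
    """Execute a blob only if its magic matches this interpreter.

    Returns the resulting namespace. A mismatch is refused up front, which is
    the same 'bad magic number' ImportError the import system raises.
    """
    info = parse_pyc_header(blob)
    if not info["loadable_here"]:
        raise ImportError("bytecode built for Python %s, local interpreter is %s"
                          % (info["version"], LOCAL_VERSION))
    code = marshal.loads(blob[info["header_len"]:])
    namespace = {}
    exec(code, namespace)
    return namespace
```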

Python internals 101
Import hooks
•  Python has modules & packages
•  The import statement is used to access them & resolve their dependency tree
•  An import hook is a custom importer that can be used to find & load modules in non-standard ways
    -  Importer protocol defined in PEP 302

Python internals 101
•  Writing new hooks can be a pain in the ***
    -  Worth a whole talk in itself, see ‘Import this, that and the other thing’ by Brett Cannon, PyCon 2010 – it’s excellent
•  Python 3.x reduces this pain via importlib
•  Not available in Python 2.x so you need to implement from scratch using PEP 302
    -  Available since v2.3 to better customize the __import__ builtin
    -  Given 2.x is in the widest use this is what I did

Python internals 101
•  The PEP 302 protocol defines
    -  A Finder
        -  Tends to be pretty straightforward
        -  Locate the module/package code
    -  A Loader
        -  More complex
        -  Compile to bytecode if needed
        -  Insert module into namespace
        -  Execute top level code
        -  Lots of annoying metadata bookkeeping

(Diagram: implant architecture, bottom to top: PythonVM; Stage 0 Bytecode Exec (Persistent); Stage 1 HTTPS + ZIP Import Hook; Stage 2 RPC Import Hook & Mainloop; Tasking bytecode; Native task via Binary Injector / Userland Exec)
•  Self-Bootstrapping
•  Stage 0 is the only persistent part of the implant. Tiny & generic
•  Simple event-loop that GETs bytecode over SSL & runs it from memory
•  This is used to bootstrap the Stage 1 import hook ….

(Diagram: implant architecture, as on the previous slide)
•  Stage 1 Import Hook - In memory import of a zip over SSL
•  Zip imports supported since Py2.3
    •  but only from the filesystem, not memory
•  Re-implement the stdlib zipfile module in Python

Stage 1
(Diagram: Stage 0 gets a zip from the bootstrap server over SSL; the zip is held and expanded in memory; the custom import hook in Stage 1 (Finder and Loader) imports from it, placing the module/package in the frame’s namespace)

(Diagram: implant architecture, as above)
•  Stage 2 is a full RPC Import Hook + RPC client node
•  Import hook resolves bytecode dependency trees remotely & transparently
    •  No sourcecode mods
•  Fully symmetric RPC system over SSL
•  Splits the task & decision

Stage 2 RPC import hook
(Diagram: on the server, stdlib and payload source is compiled & stripped into a pre-compiled payload cache; on the implant, the remote Finder issues an import RPC over HTTPS to the endpoint, maps the returned bytecode into memory, the Loader places it in sys.modules, and the memory is then scrubbed)

Stage 2 Mainloop
•  Now there is the ability for complex bytecode bundles to be sent, executed and automatically have dependencies resolved remotely without touching disk
    -  Write completely standard Python
    -  Much quicker to write than C/ASM
    -  Much easier to debug/QA
    -  Non-stdlib packages easily usable
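
Added example, not from the talk, covering the import-hook material in the Python internals slides and the Stage 1 / Stage 2 hooks above: an audit of a live interpreter for code that did not arrive through the stdlib's file-based import system (custom finders on sys.meta_path, non-stdlib path hooks or loaders, modules with no __spec__, and modules whose recorded source path no longer exists on disk). It assumes Python 3.6+; plant_constructed_module is a constructed true positive for the demo, not anything from the talk.

```python
import os
import sys
import types

# Modules that define CPython's own finders and loaders (importlib bootstrap
# plus zipimport). Anything else on the import path is worth a second look.
STANDARD_IMPORT_MODULES = {
    "_frozen_importlib", "_frozen_importlib_external",
    "importlib._bootstrap", "importlib._bootstrap_external",
    "importlib.machinery", "zipimport",
}


def is_standard(obj):
    """True if obj is an instance (or class) defined by the stdlib import system."""
    cls = obj if isinstance(obj, type) else type(obj)
    return cls.__module__ in STANDARD_IMPORT_MODULES


def audit_import_state():
    """Return a list of findings; each is a dict with kind, name and reason."""
    findings = []
    # 1. Finders on sys.meta_path are consulted before the file system.
    for finder in sys.meta_path:
        if not is_standard(finder):
            findings.append({"kind": "meta_path", "name": repr(finder),
                             "reason": "non-stdlib finder on sys.meta_path"})
    # 2. Path hooks (PEP 302 style) can wrap ordinary sys.path entries.
    for hook in sys.path_hooks:
        if getattr(hook, "__module__", None) not in STANDARD_IMPORT_MODULES:
            findings.append({"kind": "path_hook", "name": repr(hook),
                             "reason": "non-stdlib entry on sys.path_hooks"})
    # 3. Loaded modules whose provenance does not lead back to a file on disk.
    for name, mod in list(sys.modules.items()):
        if not isinstance(mod, types.ModuleType) or name == "__main__":
            continue
        if name in sys.builtin_module_names:
            continue
        spec = getattr(mod, "__spec__", None)
        if spec is None:
            findings.append({"kind": "module", "name": name,
                             "reason": "no __spec__: not loaded via the import system"})
            continue
        origin = spec.origin
        if origin in ("built-in", "frozen", "namespace"):
            continue
        if origin is None and spec.submodule_search_locations is not None:
            continue                                   # namespace package, legitimate
        loader = spec.loader
        if loader is not None and not is_standard(loader):
            findings.append({"kind": "module", "name": name,
                             "reason": "loaded by non-stdlib loader %s"
                                       % type(loader).__name__})
        elif (isinstance(origin, str) and not os.path.exists(origin)
              and type(loader).__module__ != "zipimport"):
            findings.append({"kind": "module", "name": name,
                             "reason": "recorded origin %r is not on disk" % origin})
    return findings


def flagged_modules(findings):
    """Names of sys.modules entries that the audit flagged."""
    return {f["name"] for f in findings if f["kind"] == "module"}


def plant_constructed_module(name="constructed_inmem_mod"):
    """Constructed true positive: a module that exists only in sys.modules.

    No file, no spec, no loader: this is the end state an in-memory import
    leaves behind, created here directly so the audit has something to find.
    """
    mod = types.ModuleType(name)
    exec(compile("VALUE = 42\n", "<memory>", "exec"), mod.__dict__)
    sys.modules[name] = mod
    return mod


if __name__ == "__main__":
    plant_constructed_module()
    for finding in audit_import_state():
        print("%-10s %-40s %s" % (finding["kind"], finding["name"], finding["reason"]))
```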

Initialization
•  1st task performed is to derive a UUID
    -  IPs are often used but generally a bad choice when managing many targets
•  Instead we use SYSUUID from SMBIOS
    -  Fairly easy to get at from pure Python on Unixes, Linux & OSX
    -  Pain in the a** on Windows but can be done via ctypes

Mainloop
•  The implant uses a polling mechanism rather than a persistent connection
    -  At random intervals checks in to RPC endpoint(s)
    -  Pending tasks can be sent as
        -  A task ID to import, resolve & execute
        -  All tasks can operate in own thread or child
•  Nothing needs to touch disk
•  Result objects cached & returned next check-in
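
Added example, not from the talk, from the defender's side of the polling design above: grouping proxy-log requests by client and URL and measuring the gaps between consecutive requests picks out a jittered check-in loop, whose gaps stay tightly distributed, from human browsing, which is bursty. The log format, lines, hosts and addresses are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed proxy log, one request per line:
#   <iso-time> <client-ip> <method> <url> <status> <response-bytes>
# 10.0.0.15 polls one URL at jittered 60-120 s gaps; 10.0.0.22 is a person reading news.
SAMPLE_LOG = """\
2012-09-06T09:00:00Z 10.0.0.15 GET https://update.example.net/api/poll 200 1480
2012-09-06T09:00:10Z 10.0.0.22 GET https://news.example.org/ 200 53120
2012-09-06T09:00:12Z 10.0.0.22 GET https://news.example.org/ 200 2210
2012-09-06T09:01:01Z 10.0.0.15 GET https://update.example.net/api/poll 200 1480
2012-09-06T09:02:36Z 10.0.0.15 GET https://update.example.net/api/poll 200 1480
2012-09-06T09:03:48Z 10.0.0.15 GET https://update.example.net/api/poll 200 9822
2012-09-06T09:05:38Z 10.0.0.15 GET https://update.example.net/api/poll 200 1480
2012-09-06T09:06:52Z 10.0.0.22 GET https://news.example.org/ 200 48001
2012-09-06T09:06:53Z 10.0.0.22 GET https://news.example.org/ 200 1902
2012-09-06T09:07:06Z 10.0.0.15 GET https://update.example.net/api/poll 200 1480
2012-09-06T09:08:12Z 10.0.0.15 GET https://update.example.net/api/poll 200 1480
2012-09-06T09:09:56Z 10.0.0.15 GET https://update.example.net/api/poll 200 1480
2012-09-06T09:11:15Z 10.0.0.15 GET https://update.example.net/api/poll 200 1480
2012-09-06T09:36:53Z 10.0.0.22 GET https://news.example.org/ 200 51230
2012-09-06T09:36:58Z 10.0.0.22 GET https://news.example.org/ 200 1888
2012-09-06T09:37:01Z 10.0.0.22 GET https://news.example.org/ 200 2044
"""


def parse_log(text):
    """Parse the constructed format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, client, method, url, status, size = parts
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client, "method": method, "url": url,
            "status": int(status), "bytes": int(size),
        })
    return records


def find_pollers(records, min_hits=6, max_cv=0.5):
    """Return {(client, url): stats} for pairs whose request gaps look like a poll loop.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    consecutive requests. A timer with bounded jitter keeps it small; a
    person clicking around produces gaps spanning seconds to half an hour.
    """
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["client"], r["url"])].append(r["time"])
    flagged = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            flagged[pair] = {"hits": len(times), "mean_gap": mean_gap,
                             "min_gap": min(gaps), "max_gap": max(gaps), "cv": cv}
    return flagged


if __name__ == "__main__":
    for (client, url), stats in find_pollers(parse_log(SAMPLE_LOG)).items():
        print("%s -> %s: %d hits, mean gap %.1fs, cv %.2f"
              % (client, url, stats["hits"], stats["mean_gap"], stats["cv"]))
```

The thresholds are deliberately loose; on real logs you would also look at response sizes, which for the check-in above are nearly constant except when a task is delivered.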

Mainloop
(Diagram: Mainloop data flow. Implant side: Poll Loop, UUID, Result Cache, payload bytecode to run/import, New Task Process, Task RPC Endpoint. Server side: RPC Endpoint, Result Objects, Result Processing Logic, Spawn New Dispatcher, Service Logic, new task imports, Services, Task Queue)

Tasks
•  Tasks are split into 2 parts
    -  Payload: What executes on the target
    -  Service: The logic that processes the result of the payload, executes on the server
•  Payloads are pure Python bytecode
•  Determination of next task happens at the server
    -  If compromise detected we leak minimal MO
    -  Allows easy updating of goal oriented logic
    -  No need to define goal at asset creation time

(Diagram: implant architecture, with Common Task Bytecode at the tasking layer)
•  A Common Task is one that is pure Python bytecode
    -  E.g. Search for files named ‘pk.pem’
•  There is a balance to be struck between stealth & efficiency when splitting tasks
    -  Task searching for ‘secret.doc’ can leak MO
    -  Exfiltrating every filename to match to ‘secret.doc’ at the server would use bandwidth

(Diagram: implant architecture, with a Native task via Binary Injector / Userland Exec at the tasking layer)
•  A Native Task is one that executes native code
    -  Some tasks are too low level/specific for Python
•  A number of options depending on OS
    -  ctypes, PyObjC, subprocess
•  Potential issues
    -  Forensically noisy
    -  Native functions may be hooked
•  One solution: userland execution …….

Userland execution
•  Allows execution through the replacement/modification of an existing process image with a new one
    -  Without calling the OS (execve, LoadLibrary etc)
    -  Without having to load from disk
•  Useful in a number of scenarios
    -  Antiforensics
    -  Non-exec filesystem mounts
    -  Wanting to inject native code from an IL VM!

Userland execution
•  Builds on years of other people’s research
    •  Grugq’s Phrack 62 paper ul_exec & FIST (Linux)
    •  Pluf & Ripe’s SELF work from Phrack 63 (Linux)
    •  Immunity’s PyELF library (Linux)
    •  Nebbett’s Shuttle (Windows)
    •  Dai Zovi’s & Iozzo’s Mach-O work (OS X)
    •  pyMachO …

pyMachO
•  Facilitates userland exec from a Python runtime on OS X
    -  Think PyELF for OS X
    -  Nicely sidesteps code-signing controls
•  Send a Mach-O binary over the wire to a Python userland exec task, & inject it into an existing process

pyMachO
(Diagram: Python Runtime → Python Implant Layer (RPC) → Python Userland Exec (pyMachO, pyELF….) → Inject → Native Binary; the bytecode and the Native Binary Data Task both arrive over the wire)

Example injection
•  For the demo we will inject an OSX Mach-O bundle to do webcam capture
•  isight.bundle hasn’t worked since 64-bit Snow Leopard
•  Relies on QuickTime.framework
    •  32-bit only
•  So we wrote a new one for the demo using QTKit (32 & 64-bit supported)

Tying it all together
(Diagram: Implant side, bottom to top: Python VM, Stage 0 (persistent), Stage 1 HTTP/Zip Hook, Stage 2 RPC Hook, Get SysUUID, pyMachO, Webcam Grab Binary. Server side: Bootstrap, Tasking, Facial Recognition, ?)

Demo Time!

Summary
Takeaways
•  Current post-exploitation approaches do not scale well
•  Baking-in capabilities can leak your intent
•  Interpreted languages can help with scale
•  Distributed architectures can help with separating action from reason

Summary
Calls to action
Providers
•  Don’t let the current toolsets dictate and limit you; critique, innovate & change them to suit your needs
Customers
•  Understand the difference between, and value of, Pen-Testing vs Attack Teaming

Questions
Rich@Kyr.us

Modern Post-Exploitation Strategies - 44CON 2012

 
Strategy, planning and governance for enterprise deployments of containers - ...
Strategy, planning and governance for enterprise deployments of containers - ...Strategy, planning and governance for enterprise deployments of containers - ...
Strategy, planning and governance for enterprise deployments of containers - ...
 
Get your Project back in Shape!
Get your Project back in Shape!Get your Project back in Shape!
Get your Project back in Shape!
 
Kafka 0.8.0 Presentation to Atlanta Java User's Group March 2013
Kafka 0.8.0 Presentation to Atlanta Java User's Group March 2013Kafka 0.8.0 Presentation to Atlanta Java User's Group March 2013
Kafka 0.8.0 Presentation to Atlanta Java User's Group March 2013
 
2018 02 20-jeg_index
2018 02 20-jeg_index2018 02 20-jeg_index
2018 02 20-jeg_index
 
Core Principles Of Ci
Core Principles Of CiCore Principles Of Ci
Core Principles Of Ci
 
Tooling for the JavaScript Era
Tooling for the JavaScript EraTooling for the JavaScript Era
Tooling for the JavaScript Era
 
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit MitigationsCaptain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
 
Piratng Avs to bypass exploit mitigation
Piratng Avs to bypass exploit mitigationPiratng Avs to bypass exploit mitigation
Piratng Avs to bypass exploit mitigation
 
A Summary about Hykes' Keynote on Dockercon 2015
A Summary about Hykes' Keynote on Dockercon 2015A Summary about Hykes' Keynote on Dockercon 2015
A Summary about Hykes' Keynote on Dockercon 2015
 
Kku2011
Kku2011Kku2011
Kku2011
 
Jfokus 2016 - A JVMs Journey into Polyglot Runtimes
Jfokus 2016 - A JVMs Journey into Polyglot RuntimesJfokus 2016 - A JVMs Journey into Polyglot Runtimes
Jfokus 2016 - A JVMs Journey into Polyglot Runtimes
 
Montreal Kubernetes Meetup: Developer-first workflows (for microservices) on ...
Montreal Kubernetes Meetup: Developer-first workflows (for microservices) on ...Montreal Kubernetes Meetup: Developer-first workflows (for microservices) on ...
Montreal Kubernetes Meetup: Developer-first workflows (for microservices) on ...
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon china
 
Facilitating continuous delivery in a FinTech world with Salt, Jenkins, Nexus...
Facilitating continuous delivery in a FinTech world with Salt, Jenkins, Nexus...Facilitating continuous delivery in a FinTech world with Salt, Jenkins, Nexus...
Facilitating continuous delivery in a FinTech world with Salt, Jenkins, Nexus...
 
Facilitating continuous delivery in a FinTech world with Salt, Jenkins, Nexus...
Facilitating continuous delivery in a FinTech world with Salt, Jenkins, Nexus...Facilitating continuous delivery in a FinTech world with Salt, Jenkins, Nexus...
Facilitating continuous delivery in a FinTech world with Salt, Jenkins, Nexus...
 
Malware for Red Team
Malware for Red TeamMalware for Red Team
Malware for Red Team
 
The NRB Group mainframe day 2021 - DevOps on Z - Jerome Klimm - Benoit Ebner
The NRB Group mainframe day 2021 - DevOps on Z - Jerome Klimm - Benoit EbnerThe NRB Group mainframe day 2021 - DevOps on Z - Jerome Klimm - Benoit Ebner
The NRB Group mainframe day 2021 - DevOps on Z - Jerome Klimm - Benoit Ebner
 
Architectural Decisions: Smoothly and Consistently
Architectural Decisions: Smoothly and ConsistentlyArchitectural Decisions: Smoothly and Consistently
Architectural Decisions: Smoothly and Consistently
 

More from 44CON

They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...44CON
 
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...44CON
 
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...44CON
 
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...44CON
 
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...44CON
 
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...44CON
 
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...44CON
 
Pwning the 44CON Nerf Tank
Pwning the 44CON Nerf TankPwning the 44CON Nerf Tank
Pwning the 44CON Nerf Tank44CON
 
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...44CON
 
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON
 
44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON
 
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...44CON
 
44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy44CON
 
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON
 
44CON London 2015 - Going AUTH the Rails on a Crazy Train
44CON London 2015 - Going AUTH the Rails on a Crazy Train44CON London 2015 - Going AUTH the Rails on a Crazy Train
44CON London 2015 - Going AUTH the Rails on a Crazy Train44CON
 
44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security44CON
 
44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON London 2015 - DDoS mitigation EPIC FAIL collection44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON London 2015 - DDoS mitigation EPIC FAIL collection44CON
 
44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities44CON
 
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...44CON
 
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON
 

More from 44CON (20)

They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
 
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
 
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
 
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
 
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
 
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
 
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
 
Pwning the 44CON Nerf Tank
Pwning the 44CON Nerf TankPwning the 44CON Nerf Tank
Pwning the 44CON Nerf Tank
 
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
 
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
 
44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?
 
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
 
44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy
 
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
 
44CON London 2015 - Going AUTH the Rails on a Crazy Train
44CON London 2015 - Going AUTH the Rails on a Crazy Train44CON London 2015 - Going AUTH the Rails on a Crazy Train
44CON London 2015 - Going AUTH the Rails on a Crazy Train
 
44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security
 
44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON London 2015 - DDoS mitigation EPIC FAIL collection44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON London 2015 - DDoS mitigation EPIC FAIL collection
 
44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities
 
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
 
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
 

Recently uploaded

"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfjimielynbastida
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 

Recently uploaded (20)

"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 

Modern Post-Exploitation Strategies - 44CON 2012

  • 19. Cloud Computing Trends
  • 21. Bring your own device (BYOD) Trends
  • 22. Social Media Trends
  • 23. 23 Overall Trends •  Larger number of resources •  Greater diversity in those resources •  Increased inter-resource complexity/ dependency •  Users relationship with technology has never been deeper Trends & attack
  • 24. 24 Manage Many Targets   Rapid Development   QA & Avoid Detection   Maintenance   Post-exploitation challenges
  • 25. 25 Not well, if at all
  • 26. 26 •  Recognize current post-exploitation ‘binary dropper’ approaches don’t scale well •  In the development process •  In the ability to be effective against diverse targets •  Pen-test frameworks use this approach - Software engineering nightmare Scale poorly
  • 27. 27 •  Baking in capabilities to the implant is sub- optimal for most situations •  Reduce your flexibility post-compromise •  Can reveal an overall attack intent - Reverse engineering field day Baking in
  • 28. 28 BIG is not what should be most worrying Small is Size matters
  • 29. 29 Scalability ­  Greater platform independence ­  Easier to develop & maintain logic Stealth ­  Reduced attribution & MO leakage ­  Avoid existing deployed defenses High Level Aims
  • 31. 31 •  Would be great to have a single payload that would run everywhere! •  Cross platform, Interpreted Languages such as Java or Python could help here •  They also help address some of the software engineering worries Goals
  • 32. 32 •  Separate what you do, from why you do it •  Lots of distributed system approaches that may help out here e.g. RPC •  Can also help with reducing complexity in the implant, pushing it to the server Goals
  • 33. 33 •  Uses Python over-the-wire bytecode for cross-platform tasking •  No persistent native binary code •  Harder analysis on both platter & wire •  A distributed implant architecture, RPC based •  Split the task & the decision •  ‘Reach back’ rather than ‘bake in’ The implementation
  • 34. 34 Post-exploitation logic executes in the the Interpreted Language runtime, not on the target platform RPC   Server IL implant Bytecode IL bytecode Dispatch IL Process Task Loop Tasks process Return IL source Process Object High level
  • 35. 35 Python internals 101 Python Internals 101
  • 36. 36 Bytecode •  Python source code as written by the programmer is compiled to a simple bytecode representation ­  This is what the .pyc’s/.pyo’s are •  Python bytecode is portable between platforms & architectures ­  As long as major & minor versions are the same (micro can vary) Python internals 101
  • 37. 37 Import hooks •  Python has modules & packages •  import statement is used to access them & resolve their dependency tree •  An import hook is custom importer that can be used to find & load modules in non-standard ways ­  Importer protocol defined in PEP302 Python internals 101
  • 38. 38 •  Writing new hooks can be a pain in the *** ­  Worth a whole talk in itself, see ‘Import this, that and the other thing’ by Brett Cannon PyCon2010 – it’s excellent •  Python 3.x reduces this pain via importlib •  Not available in Python 2.x so you need to implement from scratch using PEP 302 ­  Available since v2.3 to better customize the __import__ builtin ­  Given 2.x is in the widest use this is what I did Python internals 101
  • 39. 39 •  The PEP 302 protocol defines ­  A Finder ­  Tends to be pretty straightforward ­  Locate the module/package code ­  A Loader ­  More complex ­  Compile to bytecode if needed ­  Insert module into namespace ­  Execute top level code ­  Lots of annoying metadata bookkeeping Python internals 101
41. Self-Bootstrapping
•  Stage 0 is the only persistent part of the implant. Tiny & generic
•  Simple event loop that GETs bytecode over SSL & runs it from memory
•  This is used to bootstrap the Stage 1 import hook ….
[Diagram: implant stack layered on the Python VM, bottom to top: Stage 0 (persistent; bytecode over HTTPS + exec), Stage 1 ZIP import hook, Stage 2 RPC import hook & mainloop, tasking bytecode, native task, binary injector / userland exec]

42. Stage 1 Import Hook
•  In-memory import of a zip over SSL
•  Zip imports supported since Py2.3
   -  but only from the filesystem, not memory
•  Re-implement the stdlib zipfile module in Python
[Diagram: implant stack as on slide 41, Stage 1 ZIP import hook highlighted]

43. Stage 1
[Diagram: Stage 0 fetches a zip from the bootstrap server over SSL; the zip is held and unzipped in memory; the Stage 1 import hook (custom Finder + Loader) imports from the expanded zip, placing the module / package into the frame's namespace]

44. Stage 2
•  Stage 2 is a full RPC import hook + RPC client node
•  The import hook resolves bytecode dependency trees remotely & transparently
•  No source-code mods
•  Fully symmetric RPC system over SSL
•  Splits the task & the decision
[Diagram: implant stack as on slide 41, Stage 2 RPC import hook & mainloop highlighted]

45. Stage 2 RPC import hook
[Diagram: implant side: Remote Finder -> Import -> Loader -> map into memory -> compile & strip -> sys.modules -> scrub memory; RPC server side, reached over HTTPS: RPC endpoint, pre-compiled payload, stdlib cache]

46. Stage 2 Mainloop
•  Now there is the ability for complex bytecode bundles to be sent, executed and automatically have dependencies resolved remotely without touching disk
   -  Write completely standard Python
   -  Much quicker to write than C/ASM
   -  Much easier to debug/QA
   -  Non-stdlib packages easily usable
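Slides 37 to 39 explain the PEP 302 finder/loader protocol and slides 41 to 46 use it to import bytecode straight from memory so that nothing touches disk. The defender's counterpart is that such modules remain visible inside the interpreter: they have no `__file__`, their `__spec__.loader` is not one of CPython's own importers, or an extra finder sits on `sys.meta_path`. The audit below is an added example, not code from the talk or from the implant it describes; `ConstructedMemoryImporter`, the `ghost_*` module names and the `KNOWN_IMPORT_MODULES` allowlist are my assumptions, and the allowlist deliberately covers only CPython internals, so legitimate third-party hooks (pytest's assertion rewriter, editable-install finders) are reported too and left for a human to triage.

```python
"""Audit a Python process for modules that did not come from disk.

Added example (not part of the original talk). A module imported from
memory via a custom PEP 302 hook still leaves traces in the interpreter:
a spec whose loader is not a CPython importer, a missing __file__, or a
hand-built module object with no spec at all.
"""
import sys
import types
from importlib.machinery import ModuleSpec
from typing import Iterable, List, Mapping, Optional, Tuple

# Modules that define CPython's own finders and loaders (filesystem, zip,
# built-in, frozen). Any finder or loader defined elsewhere is reported.
KNOWN_IMPORT_MODULES = frozenset({
    "importlib._bootstrap",
    "importlib._bootstrap_external",
    "_frozen_importlib",
    "_frozen_importlib_external",
    "zipimport",
})


class ConstructedMemoryImporter:
    """Constructed stand-in for a non-CPython finder/loader (assumption:
    it exists only so the audit has something to flag; it imports nothing)."""


def defining_module(obj) -> Optional[str]:
    """Module that defines obj. Works for loader classes (BuiltinImporter and
    FrozenImporter are used as classes) and for loader instances."""
    name = getattr(obj, "__module__", None)
    return name if name is not None else type(obj).__module__


def classify_module(mod: types.ModuleType) -> str:
    """Return '' for an expected module, otherwise a short reason string."""
    spec = getattr(mod, "__spec__", None)
    if spec is None:
        # Hand-built module objects (types.ModuleType, exec'd code inserted
        # into sys.modules) carry no spec; only __main__ legitimately does.
        if getattr(mod, "__name__", "") == "__main__":
            return ""
        return "no __spec__ (hand-built module object)"
    if spec.origin in ("built-in", "frozen"):
        return ""
    if spec.origin is None and spec.submodule_search_locations is not None:
        return ""  # namespace package: has no single file by design
    loader_mod = defining_module(spec.loader) if spec.loader is not None else None
    if loader_mod not in KNOWN_IMPORT_MODULES:
        return f"loader from {loader_mod!r} is not a CPython importer"
    if getattr(mod, "__file__", None) is None:
        return "standard loader but no __file__"
    return ""


def audit_modules(modules: Optional[Mapping[str, object]] = None) -> List[Tuple[str, str]]:
    """Report (name, reason) for every suspicious entry in a module table
    (defaults to a snapshot of sys.modules)."""
    table = dict(sys.modules) if modules is None else modules
    findings = []
    for name in sorted(table):
        mod = table[name]
        if not isinstance(mod, types.ModuleType):
            continue  # sys.modules may hold None placeholders or lazy stubs
        reason = classify_module(mod)
        if reason:
            findings.append((name, reason))
    return findings


def audit_meta_path(finders: Optional[Iterable[object]] = None) -> List[str]:
    """Describe every finder on sys.meta_path that CPython did not define."""
    entries = list(sys.meta_path) if finders is None else list(finders)
    return [
        f"{getattr(f, '__name__', type(f).__name__)} from {defining_module(f)!r}"
        for f in entries
        if defining_module(f) not in KNOWN_IMPORT_MODULES
    ]


def constructed_sample() -> Mapping[str, types.ModuleType]:
    """Constructed module table: two genuine stdlib modules plus two fakes
    standing in for code that was exec'd or imported from memory."""
    ghost = types.ModuleType("ghost_task")          # no spec, no __file__
    staged = types.ModuleType("ghost_pkg.stage")    # spec with a foreign loader
    staged.__spec__ = ModuleSpec("ghost_pkg.stage", ConstructedMemoryImporter(),
                                 origin="<memory>")
    return {"sys": sys, "types": types, "ghost_task": ghost, "ghost_pkg.stage": staged}


if __name__ == "__main__":
    for name, reason in audit_modules(constructed_sample()):
        print(f"{name}: {reason}")
    for entry in audit_meta_path():
        print(f"meta_path finder outside CPython: {entry}")
```

Run without arguments it audits the constructed table and the live `sys.meta_path`; calling `audit_modules()` with no argument audits the current process instead. A loader can of course set a plausible `__file__` on the modules it creates, which is why the loader's defining module and the `sys.meta_path` contents are checked as well rather than `__file__` alone.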
47. Initialization
•  1st task performed is to derive a UUID
   -  IPs are often used but are generally a bad choice when managing many targets
•  Instead we use the SYSUUID from SMBIOS
   -  Fairly easy to get at from pure Python on Unixes, Linux & OS X
   -  Pain in the a** on Windows but can be done via ctypes

48. Mainloop
•  The implant uses a polling mechanism rather than a persistent connection
   -  At random intervals it checks in to RPC endpoint(s)
   -  Pending tasks can be sent as a task ID to import, resolve & execute
   -  All tasks can operate in their own thread or child process
•  Nothing needs to touch disk
•  Result objects are cached & returned at the next check-in

49. Mainloop
[Diagram: poll loop sends UUID + cached result objects to the RPC endpoint and receives payload bytecode to run/import; a dispatcher spawns a new task for processing, feeding the task services / process services queue; on the server side the RPC endpoint runs service logic for the result and imports the logic for the new task]

50. Tasks
•  Tasks are split into 2 parts
   -  Payload: what executes on the target
   -  Service: the logic that processes the result of the payload; executes on the server
•  Payloads are pure Python bytecode
•  Determination of the next task happens at the server
   -  If the compromise is detected we leak minimal MO
   -  Allows easy updating of goal-oriented logic
   -  No need to define the goal at asset creation time

51. Common Task
•  A Common Task is one that is pure Python bytecode
   -  E.g. search for files named 'pk.pem'
•  There is a balance to be struck between stealth & efficiency when splitting tasks
   -  A task searching for 'secret.doc' can leak MO
   -  Exfiltrating every filename to match against 'secret.doc' at the server would use bandwidth
[Diagram: implant stack as on slide 41, Common Task bytecode highlighted]

52. Native Task
•  A Native Task is one that executes native code
   -  Some tasks are too low-level/specific for Python
•  A number of options depending on OS
   -  ctypes, PyObjC, subprocess
•  Potential issues
   -  Forensically noisy
   -  Native functions may be hooked
•  One solution: userland execution …….
[Diagram: implant stack as on slide 41, native task and binary injector / userland exec highlighted]

53. Userland execution
•  Allows execution through the replacement/modification of an existing process image with a new one
   -  Without calling the OS (execve, LoadLibrary etc.)
   -  Without having to load from disk
•  Useful in a number of scenarios
   -  Antiforensics
   -  Non-exec filesystem mounts
   -  Wanting to inject native code from an IL VM!
54. Userland execution
•  Builds on years of other people's research
•  Grugq's Phrack 62 paper, ul_exec & FIST (Linux)
•  Pluf & Ripe's SELF work from Phrack 63 (Linux)
•  Immunity's PyELF library (Linux)
•  Nebbett's Shuttle (Windows)
•  Dai Zovi's & Iozzo's Mach-O work (OS X)
•  pyMachO …

55. pyMachO
•  Facilitates userland exec from a Python runtime on OS X
   -  Think PyELF for OS X
   -  Nicely sidesteps code-signing controls
•  Send a Mach-O binary over the wire to a Python userland exec task, & inject it into an existing process

56. pyMachO
[Diagram: a native binary data task is delivered over the wire (bytecode via RPC) to the Python implant layer on the Python runtime; the Python userland exec component (pyMachO, pyELF ….) performs the native binary inject]

57. Example injection
•  For the demo we will inject an OS X Mach-O bundle to do webcam capture
•  isight.bundle hasn't worked since 64-bit Snow Leopard
   -  Relies on QuickTime.framework
   -  32-bit only
•  So we wrote a new one for the demo using QTKit (32 & 64 bit supported)

58. Tying it all together
[Diagram: implant column, bottom to top: Python VM, Bootstrap Stage 0 (persistent), Stage 1 HTTP/Zip hook, Stage 2 RPC hook, Get SysUUID, Tasking, pyMachO, Webcam grab binary; server column: Facial recognition?]
60. Summary: Takeaways
•  Current post-exploitation approaches do not scale well
•  Baking in capabilities can leak your intent
•  Interpreted languages can help with scale
•  Distributed architectures can help with separating action from reason

61. Summary: Calls to action
Providers
•  Don't let the current toolsets dictate and limit you; critique, innovate & change them to suit your needs
Customers
•  Understand the difference between, and value of, Pen-Testing vs Attack Teaming

62. Questions
Rich@Kyr.us