The document discusses practical exploitation techniques used by penetration testers and red teams. It outlines the speaker's background as a senior red teamer who breaks into various systems like mainframes, bank accounts, SCADA systems, and web applications. The speaker defines practical exploitation as applying techniques, tactics, and procedures to accomplish objectives within a targeted engagement. The speaker then demonstrates three exploits: 1) Using a Linux pivot to exploit MS08_067 on Windows, 2) Exploiting a Rails vulnerability to steal credentials using Mimikatz on Windows, and 3) Using a Windows pivot to exploit DistCC on Linux via WinRM on IIS. The speaker emphasizes patching vulnerabilities and not enabling services like WinRM on DMZ

1. Practical Exploitation
Timey Wimey WebAppy Style
by Mubix

2. Are we (the business) in
the Wall Street Journal?
No? Then we aren't under attack.

3. Agenda
● What you do
● What I do
● What is "practical" exploitation?
● Demos

4. We aren't going to talk about
● Stuff I assume you know
○ SQLI
○ Running your Database as root
○ RFI/LFI
○ etc
○ etc
○ OWASP TOP 10
● Stuff you should know
○ Your {SECURITY BLINKY
LIGHTS} won't save you....

5. What you do?
● This is where I ask you awkward questions
about what you do for a living

6. What I do?
● Senior Red Teamer
● Big Co
● Break into mainframes, bank accounts,
SCADA systems, Windows, Linux, wireless,
physical, web apps, UPSs, etc..
● Part of a team of highly skilled peeps
Primarily I'm a sorter of useful info

7. What is practical exploitation?
● The application of techniques, tactics, and
procedures to accomplish objectives and
sub-objectives within a targeted engagement
Also known as:
"if it doesn't get
me more, it's
stupid"

8. What falls in the "Stupid" category
● SSLv2 Enabled
● Traceroute Enabled
● DNS Cache Poisoning
● MD5 "collisions"
Oh ya, and every single public IE, Firefox,
Chrome or Windows exploit. Why? Because
their patch cycles are too fast for attackers.

9. DEMOS

10. Demo 1 - Linux Pivot to Windows
Tomcat -> MS08_067
Wellllllll..... I was going to patch those DMZ hosts, then........

11. How do I fix that!?
● Patch yo %#@$%@ $#%

12. Demo 2 - Windows
Rails vulnerability -> Cred Steal - Mimikatz
You use a web framework that protects you and you have really long passwords?

13. How do I fix that?
● Monitor the security community events,
disable YAML or XML parsing.
● Microsoft has left you out to dry for Mimikatz.
They believe if you have Administrator
access then it's game over.
● Don't run your web server as SYSTEM or
Administrator, keep UAC enabled on your
DMZ hosts

14. Demo 3 - Windows Pivot to Linux
WinRM on IIS -> DistCC
What the..........

15. How do I fix that?
● Don't enable WinRM on DMZ hosts! Stupid.
● Firewall DistCC off to only required hosts.

16. EOM
Questions?
Mubix "Rob" Fuller
http://www.room362.com
@mubix
mubix@room362.com