This document summarizes common techniques used to breach small and medium enterprises. It discusses how networks are typically assessed through discovery, vulnerability assessment, exploitation, and post-exploitation. It then outlines several weaknesses that are commonly leveraged, including lack of security patches, default credentials, excessive network footprint, lack of network segregation, exceptions in configurations, and failure to implement whitelisting over blacklisting. Specific scenarios are provided for each to illustrate how access can be gained and privilege escalated within a network. The document stresses the importance of security fundamentals like patching, access control, and network segmentation.
Bryan Owen of OSIsoft at S4x15 OTDay.
Bryan shows how to harden a Windows Services generically and then specifically to a service used by OSIsoft's PI Server
Internet Accessible ICS in Japan (English)Digital Bond
Dale Peterson of Digital Bond gathered reports and examples from Shodan researchers to quantify and describe ICS devices that are connected to the Internet in Japan. It is not a small number and some of the examples are compelling.
All You Need is One - A ClickOnce Love Story - Secure360 2015NetSPI
ClickOnce is a deployment solution that enables fast, easy delivery of packaged software. It is commonly used by organizations to deploy both internal and production-grade software packages, along with their respective updates. By allowing end-users to accept the requested permissions of the software package without the intervention of an administrator, ClickOnce simplifies the deployment and use of robust software solutions.
It also provides an excellent opportunity for malicious actors to establish a foothold in your network.
In this presentation, we discuss how we combined ClickOnce technology and existing phishing techniques into a new methodology for establishing an initial presence in an environment. By minimizing user interaction, we only require that the user is fooled for “one click” – after that, we already have a foothold in their environment and are ready to pivot and escalate further.
Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...Digital Bond
This session will cover the pros and cons of virtualization as well as lessons learned from real world virtualization of DCS environments. Chris has deployed virtualization in ICS with and without ICS vendor cooperation.
Corey Thuen of Digital Bond Labs describes in technical detail how Havex/Dragonfly enumerated OPC servers.
Havex is the second ICS malware ever seen in the wild.
Tiptoe Through The Network: Practical Vulnerability Assessments in Control Sy...Digital Bond
I will never forget my assignment for a vulnerability assessment against a control systems network. “Hey, can you go somewhere, run “scans” against this system, and oh by the way don’t crash it or a large portion of the USA could lose power”. Needless to say, I turned down that assignment, as they required that a traditional network-based “scan” be run. There has to be a better way to perform assessments in such environments!
Fast forward 10 years later and I’ve worked with much safer techniques for assessing the security of SCADA/Control systems infrastructure. Working for Tenable Network Security has also provided me great insights into several techniques, including:
- Using credentials to login to systems and audit for missing patches and configuration changes
- Tuning vulnerability scans to be less intrusive yet still accurate and providing useful information
- Implementing passive vulnerability scanning to discover hosts on the network and enumerate vulnerabilities, without sending a single packet to the end-user system
Vulnerability Inheritance in ICS (English)Digital Bond
Reid Wightman of Digital Bond Labs shows how software libraries integrated into ICS can bring vulnerabilities along with them.
In this case it is the CoDeSys library bringing vulnerabilities to more than 200 products including PLC's from Hitachi and Sanyo-Denki. Reid goes into the vulnerabilities and shows the tools that can exploit the vulnerabilities.
Equally important is the vendor misrepresenting the fact that the vulns were fixed, when they were not. And the vendors, Hitachi and Sanyo-Denki to name two, that did not test the security of the libraries before including them in their products and selling them to customers.
CNIT 125 6. Identity and Access ManagementSam Bowne
For a college course at Coastline Community College taught by Sam Bowne. Details at https://samsclass.info/125/125_F17.shtml
Based on: "CISSP Study Guide, Third Edition"; by Eric Conrad, Seth Misenar, Joshua Feldman; ISBN-10: 0128024372
For a college class in Network Security Monitoring at CCSF.
Instructor: Sam Bowne
Course website: https://samsclass.info/50/50_F17.shtml
Based on "The Practice of Network Security Monitoring: Understanding Incident Detection and Response" by Richard Bejtlich, No Starch Press; 1 edition (July 26, 2013), ASIN: B00E5REN34
For a college course at Coastline Community College taught by Sam Bowne. Details at https://samsclass.info/125/125_F17.shtml
Based on: "CISSP Study Guide, Third Edition"; by Eric Conrad, Seth Misenar, Joshua Feldman; ISBN-10: 0128024372
While vulnerability assessment tools can identify unpatched or misconfigured code bases, these tools overlook a large portion of an organization's attack surface: known vulnerabilities in applications that are built in-house.
Privacy and Security in the Internet of Things / Конфиденциальность и безопас...Positive Hack Days
Speaker: Jeff Katz
According to Cisco forecasts, 25 billion devices will be connected to the Internet this year, and by 2020 that number will double. When planning the development of an Internet of Things (IoT) solution, you must consider that one fine day the FSB will come knocking at your door. User security must be thought through in advance and not put off until later. The speaker will explain how to take advantage of IoT products without infringing on your customers' personal rights. The talk is accompanied by examples of services in which privacy and security were ensured from the start of development.
CNIT 125 7. Security Assessment and TestingSam Bowne
For a college course at Coastline Community College taught by Sam Bowne. Details at https://samsclass.info/125/125_F17.shtml
Based on: "CISSP Study Guide, Third Edition"; by Eric Conrad, Seth Misenar, Joshua Feldman; ISBN-10: 0128024372
SQL injection exploitation internals: How do I exploit this web application injection point?
These slides have been presented at a private conference in London on January 9, 2009.
This slide explains the design part as well as implementation part of the firewall. And also tells about the need of firewall and firewall capabilities.
Implementing Cisco IOS Network Security (IINS). For a complete list of available network security training, visit the Security Training page.http://bit.ly/1Lgc2LW
CNIT 123: 8: Desktop and Server OS VulnerabilitiesSam Bowne
Slides for a college course based on "Hands-On Ethical Hacking and Network Defense, Second Edition" by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 1133935613
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/123/123_F16.shtml
Ch 8: Desktop and Server OS VulnerabilitiesSam Bowne
Slides for a college course at City College San Francisco. Based on "Hands-On Ethical Hacking and Network Defense, Third Edition" by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 9781285454610.
Instructor: Sam Bowne
Class website: https://samsclass.info/123/123_S17.shtml
CNIT 123 8: Desktop and Server OS VulnerabilitiesSam Bowne
For a college class in Ethical Hacking and Network Defense at CCSF, by Sam Bowne. More info at https://samsclass.info/123/123_S18.shtml
Based on this book
Hands-On Ethical Hacking and Network Defense, Third Edition by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 9781285454610
For a college class in Ethical Hacking and Network Defense at CCSF, by Sam Bowne. More info at https://samsclass.info/123/123_F17.shtml
Based on this book
Hands-On Ethical Hacking and Network Defense, Third Edition by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 9781285454610
Controlling Access to IBM i Systems and DataPrecisely
Security best practice and regulations such as SOX, HIPAA, GDPR and others require you to restrict access to your critical IBM i systems and their data, but this is easier said than done. Legacy, proprietary access protocols now co-exist with new, open-source protocols to create access control headaches.
View this webcast on-demand for an in-depth discussion of IBM i access points that must be secured and how exit points can be leveraged to accomplish the task. We’ll cover:
• Securing network access and communication ports
• How database access via open-source protocols can be secured
• Taking control of command execution
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
The new frontiers of AI in RPA with UiPath Autopilot™UiPathCommunity
In this free online event, organized by the Italian UiPath Community, you can explore the new features of Autopilot, the tool that integrates Artificial Intelligence into the processes of developing and using Automations.
📕 We will look together at some examples of using Autopilot in various tools of the UiPath Suite:
Autopilot for Studio Web
Autopilot for Studio
Autopilot for Apps
Clipboard AI
GenAI applied to Document Understanding
👨🏫👨💻 Speakers:
Stefano Negro, UiPath MVPx3, RPA Tech Lead @ BSP Consultant
Flavio Martinelli, UiPath MVP 2023, Technical Account Manager @UiPath
Andrei Tasca, RPA Solutions Team Lead @NTT Data
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party, and will share these foundational concepts to build on:
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Elevating Tactical DDD Patterns Through Object Calisthenics
How we breach small and medium enterprises (SMEs)
1. How we breach small and medium enterprises (SMEs)
Bernardo Damele, NCC Group
2. Bernardo Damele
• Principal consultant and lead trainer with NCC Group
• Open source developer of widely used offensive security tools
• 10 years professional experience in IT
• 8+ years in IT security
3. Agenda
• What is security?
• Quick recap
• How we assess and breach networks
• Network design mistakes and defective assumptions
• Weakest entry points of a network perimeter
• Leverage access to the network and why
4. What is security?
“Security is a degree of resistance to, or protection from, a threat.”
Security provides “a form of protection where a separation is created between the assets and the threat.”
5. How we assess networks
Lifecycle of an infrastructure security assessment
• Discovery – scan the network to establish live hosts, their open ports and the services exposed
• Vulnerability Assessment – establish where security issues exist from an unauthenticated standpoint and investigate potential entry points into the network
• Exploitation – compromise of a host through a vulnerability or misconfiguration
• Post Exploitation – credential harvesting and progression through the network to achieve maximum compromise within the network boundaries of the scope
6. Exploitation and post exploitation
Why is it important to exploit vulnerabilities?
To evaluate their risk and impact in the context of the network under assessment and produce a high-value report for the client
7. External versus internal assessment
External infrastructure assessment is carried out from beyond the network perimeter of the client
Focused on services exposed to the Internet across an IP range defined by the client
Internal infrastructure assessment is carried out at the client’s site, with a direct connection to the corporate network or DMZ depending on the scope
Larger network footprint
Greater number of exposed services
Numerous Layer 2 and Layer 3 weaknesses and attacks
8. How we breach networks
• Lack of security patches
• Default credentials
• Excessive network footprint
• Lack or weak network segregation
• Exceptions
• White-listing preferred over black-listing
• More
9. How we breach networks
• Lack of security patches
• Default credentials
• Excessive network footprint
• Lack or weak network segregation
• Exceptions
• White-listing preferred over black-listing
• More
10. Lack of security patches
• Missing patches are easy entry points for attackers
• For a large number of critical publicly known vulnerabilities there are reliable exploits
• In a typical Windows network chances are high that one workstation will not be patched
• Till
• Smart card reader
• Camera
• Embedded devices in general
11. Lack of security patches – scenario
• Office-based network
• Windows powered
• No centralized solution (e.g. WSUS) to deploy Microsoft patches onto the workstations
• Different patching levels
• Largely outdated machines – vulnerable to reliable exploits
• Local System is an easy win
• Leverage foothold and compromise the Windows domain / forest
12. How we breach networks
• Lack of security patches
• Default credentials
• Excessive network footprint
• Lack or weak network segregation
• Exceptions
• White-listing preferred over black-listing
• More
13. Default credentials
• It is a fact that devices under test are kept with default credentials
• Application servers and management interfaces too
• Wordlists of default credentials for all these are easily available
• Tools to carry out login brute-force attacks exist
• When they do not, they are easy to develop with limited development skills
14. Default credentials – scenario
• DMZ environment
• UNIX / Linux powered production servers
• Exploitation of memory corruption vulnerabilities is not an option
• Avoidance of DoS is mandated
• Apache Tomcat runs with default credentials admin / tomcat
• Used to deploy a custom WAR to achieve command execution
• Local users’ password hashes dumped, cracked offline
• Leveraged to access the rest of the servers over SSH / Telnet
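The scenario above starts with a Tomcat instance left on its default admin / tomcat pair. The check a defender would want is a routine audit of the deployed tomcat-users.xml for well-known defaults and for accounts that hold a deployment-capable role. The following Python script is an added example, not code from the talk or from NCC Group; the XML it parses is constructed here, and the list of default pairs (admin/tomcat from the slide, plus the tomcat/tomcat and role1/tomcat samples that ship commented out in Tomcat's own tomcat-users.xml) is illustrative, not exhaustive.

```python
import xml.etree.ElementTree as ET

# Constructed tomcat-users.xml (hypothetical content, not taken from the talk).
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="admin" password="tomcat" roles="manager-gui,manager-script"/>
  <user username="deploy" password="S7r0ng-and-unique!" roles="manager-script"/>
  <user username="tomcat" password="tomcat" roles=""/>
</tomcat-users>
"""

# admin/tomcat is the pair named on the slide; tomcat/tomcat and role1/tomcat are the
# commented-out samples in Tomcat's shipped tomcat-users.xml. Extend as needed.
DEFAULT_PAIRS = {("admin", "tomcat"), ("tomcat", "tomcat"), ("role1", "tomcat")}

# Roles that allow deploying a WAR (i.e. running code) through the manager
# or host-manager application.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx", "admin-gui"}


def _local(tag):
    """Strip the XML namespace so '{http://tomcat.apache.org/xml}user' -> 'user'."""
    return tag.rsplit("}", 1)[-1]


def iter_users(xml_text):
    """Yield (username, password, set_of_roles) for every <user> element."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if _local(el.tag) == "user":
            roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
            yield el.get("username", ""), el.get("password", ""), roles


def audit_default_credentials(xml_text):
    """Return one finding per user whose username/password pair is a known default."""
    return [
        {"username": user, "reason": "default credentials"}
        for user, password, _ in iter_users(xml_text)
        if (user, password) in DEFAULT_PAIRS
    ]


def privileged_users(xml_text):
    """Return the usernames that can deploy code via the manager application.
    These are the accounts whose passwords matter most, and whose web path
    should normally not be reachable from the whole DMZ."""
    return {user for user, _, roles in iter_users(xml_text) if roles & PRIVILEGED_ROLES}


if __name__ == "__main__":
    for finding in audit_default_credentials(SAMPLE_TOMCAT_USERS):
        print(f"{finding['username']}: {finding['reason']}")
    print("deployment-capable accounts:", sorted(privileged_users(SAMPLE_TOMCAT_USERS)))
```

On the constructed file the audit reports admin and tomcat as default credentials and lists admin and deploy as accounts able to deploy code. Run against the real file on each server (and again after every upgrade, since vendor packages sometimes restore a sample file), and treat any hit in the first list on a host that also appears in the second as the exact precondition the scenario describes.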
15. How we breach networks
• Lack of security patches
• Default credentials
• Excessive network footprint
• Lack or weak network segregation
• Exceptions
• White-listing preferred over black-listing
• More
16. Excessive network footprint
• Unnecessary services are often exposed internally within the network perimeter
• The effort of maintaining large heterogeneous networks leaves room for oversight in network footprint
• Services that run on localhost may prove helpful to compromise the network further – post exploitation
17. Excessive network footprint – scenario
• Despite SSH being in use, R*Services are still used for management purposes
• Easy to brute-force the ACL for R*Services remotely
• Or… NIS used to manage users centrally on a UNIX / Linux network
• Can be queried anonymously to retrieve users’ password hashes
• Cracked offline
• Leveraged to compromise the rest of the systems
18. How we breach networks
• Lack of security patches
• Default credentials
• Excessive network footprint
• Lack or weak network segregation
• Exceptions
• White-listing preferred over black-listing
• More
19. Lack or weak network segregation
• Network segregation by mere DHCP netmask restriction is ineffective
• Segregating at the application layer is defective
• Leaves room for exfiltration / tunnelling attacks
• MAC filtering is ineffective
• NAC solutions do not always guarantee network segregation / access
20. Lack or weak network segregation – scenario
• Two distinct Windows domains: CORP and GUEST
• Not part of the same Windows forest
• No direct access between the two networks
• They’re physically hosted in two separate buildings, on different physical devices, with no apparent interconnections
• Users of the GUEST domain can surf the Internet, and so can users of the CORP domain
• They share the same web proxy on a third network
• This proxy is reachable by both networks
• Hence, it can be used to pivot traffic from the GUEST network to the CORP network – CONNECT method (enabled by default, for HTTPS)
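The shared proxy in this scenario is the only path between GUEST and CORP, so its access log is also the one place the pivot leaves a trace: a CONNECT from a guest address to a corporate address. The detector below is an added example, not part of the talk or of any NCC Group tooling. It assumes a Squid-style native access-log layout and two address ranges (10.20.30.0/24 for GUEST, 192.168.10.0/24 for CORP) that the slide does not state; the log lines are constructed here for illustration.

```python
import ipaddress
import re

# Constructed sample lines in a Squid-style native access-log layout (hypothetical
# data, not from the talk):
#   time elapsed client result/status bytes method url user hierarchy type
SAMPLE_LOG = """\
1712000001.123    45 10.20.30.40 TCP_TUNNEL/200 8192 CONNECT www.example.com:443 - HIER_DIRECT/93.184.216.34 -
1712000002.456    12 10.20.30.41 TCP_MISS/200 2048 GET http://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html
1712000003.789    30 10.20.30.42 TCP_TUNNEL/200 4096 CONNECT 192.168.10.5:445 - HIER_DIRECT/192.168.10.5 -
1712000004.012    28 10.20.30.42 TCP_TUNNEL/200 1024 CONNECT 192.168.10.6:3389 - HIER_DIRECT/192.168.10.6 -
1712000005.345     9 192.168.10.7 TCP_TUNNEL/200 512 CONNECT 192.168.10.20:443 - HIER_DIRECT/192.168.10.20 -
"""

# Assumed address plan; the talk only says the two domains sit on separate networks.
GUEST_NET = ipaddress.ip_network("10.20.30.0/24")
CORP_NET = ipaddress.ip_network("192.168.10.0/24")

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def parse_line(line):
    """Return the leading fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def connect_target(url):
    """Split the host:port form used by CONNECT; the port defaults to 443."""
    host, sep, port = url.rpartition(":")
    if not sep:
        return url, 443
    return host, int(port)


def find_pivot_attempts(log_text):
    """Flag CONNECT requests from the guest range whose destination is a literal
    address inside the corporate range: the proxy being used as a bridge between
    two networks that have no direct path to each other."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["method"] != "CONNECT":
            continue
        client = ipaddress.ip_address(rec["client"])
        host, port = connect_target(rec["url"])
        try:
            target = ipaddress.ip_address(host)
        except ValueError:
            continue  # hostname target: resolve it out of band before judging it
        if client in GUEST_NET and target in CORP_NET:
            findings.append({"client": str(client), "target": str(target), "port": port})
    return findings


if __name__ == "__main__":
    for f in find_pivot_attempts(SAMPLE_LOG):
        print(f"guest {f['client']} tunnelled to corp {f['target']}:{f['port']}")
```

On the constructed log the detector reports two tunnels from 10.20.30.42 into the corporate range (ports 445 and 3389); the corp-to-corp CONNECT on the last line is not reported, and a CONNECT to a hostname is skipped rather than guessed at. Detection is the fallback; the fix on the proxy itself is to deny CONNECT to internal address ranges outright and to limit it to port 443, and to give the two networks separate proxy instances or at least separate listening addresses with separate ACLs.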
21. How we breach networks
• Lack of security patches
• Default credentials
• Excessive network footprint
• Lack or weak network segregation
• Exceptions
• White-listing preferred over black-listing
• More
22. Exceptions
• Temporary firewall rules turn permanent
• Network configurations are usually complex, undocumented and hard to maintain, hence exceptions are added and rules overwrite / duplicate one another
• Exceptions and defective regular expressions may lead to more harm than good
23. Exceptions – scenario
• Web management interface
• Backed by JBoss Application Server
• Configured manually to prompt the user for credentials on any unauthenticated GET and POST request
• HTTP Verb Tampering
• Intercept the login request and replace POST with HEAD
• Get a valid session ID tied to a legitimate user
• Once authenticated, compromise the underlying OS from the web management interface
24. How we breach networks
• Lack of security patches
• Default credentials
• Excessive network footprint
• Lack or weak network segregation
• Exceptions
• White-listing preferred over black-listing
• More
25. White-listing over black-listing
• Black-list (“reject known bad”)
• Reject data matching a list of known attack strings or patterns
• Accept everything else
• Can hinder simple attacks and automated attack tools
• Highly vulnerable to bypasses using encoding and other techniques
• White-list (“accept known good”)
• Accept data matching a list of known benign strings or patterns
• Reject everything else
• Highly effective method if feasible
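The verb-tampering scenario on slide 23 and the white-list principle on this slide are the same lesson seen twice: an authentication rule that enumerates the verbs to challenge (GET and POST) is a black-list, and everything it forgot to name (HEAD) walks past it. The Python below is an added example written for this page, not code from the talk, from JBoss or from NCC Group. It models both halves with plain functions: a request gate in its defective, enumerate-the-bad form and its hardened, deny-by-default form, and a username validator in black-list and white-list form; all probe values are constructed here, and the public path and allowed verbs are assumptions.

```python
import re
from urllib.parse import unquote

# ---- Part 1: which requests must authenticate (the slide 23 scenario) ----
# The interface on the slide challenged GET and POST only, so any other verb
# reached the application without credentials.

METHODS_CHALLENGED = {"GET", "POST"}      # defective: enumerate what to block
METHODS_SERVED = {"GET", "HEAD", "POST"}  # hardened: enumerate what to serve
PUBLIC_PATHS = {"/login"}                 # assumed: the only anonymous page


def gate_blacklist(method, path, authenticated):
    """Defective gate: a verb that is not on the list is never challenged."""
    if method.upper() in METHODS_CHALLENGED and not authenticated and path not in PUBLIC_PATHS:
        return "401 challenge"
    return "handler"  # the request reaches application code


def gate_whitelist(method, path, authenticated):
    """Hardened gate: unknown verbs are refused, and anything that is not
    explicitly public needs a session, whatever the verb."""
    if method.upper() not in METHODS_SERVED:
        return "405 method not allowed"
    if path in PUBLIC_PATHS or authenticated:
        return "handler"
    return "401 challenge"


# ---- Part 2: validating a username parameter (this slide) ----
BAD_SUBSTRINGS = ("<script", "' or ", "--", "../")


def validate_blacklist(raw):
    """Reject known-bad substrings and accept everything else. The check runs on
    the raw value, so an encoded or differently cased payload is not recognised."""
    return not any(bad in raw for bad in BAD_SUBSTRINGS)


USERNAME_RE = re.compile(r"\A[a-z0-9][a-z0-9_.-]{0,31}\Z")


def validate_whitelist(raw):
    """Canonicalise once (as the application would) and then accept only the
    shape a username is allowed to have; everything else is rejected."""
    return USERNAME_RE.fullmatch(unquote(raw)) is not None


def run_cases():
    """Constructed probe values; returns {probe: (blacklist_verdict, whitelist_verdict)}."""
    probes = [
        "bernardo",
        "b.damele-01",
        "%3Cscript%3Ealert(1)%3C/script%3E",  # URL-encoded: the blacklist does not see it
        "<ScRiPt>",                            # case variation: same result
        "admin'/**/OR/**/1=1",                 # comment padding: same result
    ]
    return {p: (validate_blacklist(p), validate_whitelist(p)) for p in probes}


if __name__ == "__main__":
    print("HEAD /admin, no session, defective gate:", gate_blacklist("HEAD", "/admin", False))
    print("HEAD /admin, no session, hardened gate: ", gate_whitelist("HEAD", "/admin", False))
    for probe, (bl, wl) in run_cases().items():
        print(f"{probe!r:40} blacklist accepts={bl}  whitelist accepts={wl}")
```

The two legitimate usernames pass both validators; the three malformed probes pass the black-list and fail the white-list, and an unauthenticated HEAD to /admin reaches the handler through the defective gate but is challenged by the hardened one. The hardened gate is only as good as the set of verbs it serves, so the usage note for a real deployment is the same as the slide's: review the allow-list whenever the application gains a feature, because a white-list that is never maintained degrades into an exception.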
26. Prioritise avenues of attack
• Abuse of intended functionality
• Example: download of files from an anonymous FTP server
• Extended use of functionality
• Example: using the xp_cmdshell extended stored procedure on a Microsoft SQL Server, or deploying additional .war files on an Apache Tomcat server
• Mature, public exploit
• Example: exploit for the MS08-067 vulnerability
• Proof of concept code
• Example: code downloaded from exploit-db.com or another exploit repository to exploit a third-party product
27. Move sideways
• Once a foothold on the target network is gained, the next step is to retain access
• Create an admin user, deploy a backdoor, etc.
• Leverage access to inspect the file system, query the DC, sniff traffic
• Move sideways
• Password reuse for local OS users is a very bad practice
• Once dumped, password hashes can be sprayed; there is no need to crack them offline
• Dual-homed systems – pivot traffic / extend control
28. Conclusions, once more
• Don’t buy product vendor hype
• Cyber security is not about products
• Cyber security doesn’t have to be costly
• An incident will happen so have a plan
29. Thank you! Questions?
training@nccgroup.com
Contact us
UK Offices
Manchester - Head Office
London
Leatherhead
Milton Keynes
Cheltenham
Edinburgh
North American Offices
San Francisco
New York
Seattle
Chicago
Austin
Atlanta
Australian Offices
Sydney
European Offices
Amsterdam – Netherlands
Munich – Germany
Zurich - Switzerland