Scott Sutherland discusses penetration testing thick applications. He explains why these applications create unique risks compared to web applications due to users having full control over the application environment. This allows attacks on trusted components, exposure of data and admin functions, and privilege escalation. Sutherland outlines the goals and process for testing thick applications, including common architectures, accessing the application, and testing the application's GUI, files, registry, network traffic, memory, and configurations to identify vulnerabilities.
Thick Client Penetration Testing
You will learn how to do pentesting of Thick client applications on a local and network level, You will also learn how to analyze the internal communication between web services & API.
The Offensive Security Certified Professional (OSCP) is one of the most technical and most challenging certifications for information security professionals.
For More information please contact us : https://www.infosectrain.com/
Link to Youtube video: https://youtu.be/OJMqMWnxlT8
You can contact me at abhimanyu.bhogwan@gmail.com
My linkdin id : https://www.linkedin.com/in/abhimanyu-bhogwan-cissp-ctprp-98978437/
Threat Modeling(system+ enterprise)
What is Threat Modeling?
Why do we need Threat Modeling?
6 Most Common Threat Modeling Misconceptions
Threat Modelling Overview
6 important components of a DevSecOps approach
DevSecOps Security Best Practices
Threat Modeling Approaches
Threat Modeling Methodologies for IT Purposes
STRIDE
Threat Modelling Detailed Flow
System Characterization
Create an Architecture Overview
Decomposing your Application
Decomposing DFD’s and Threat-Element Relationship
Identify possible attack scenarios mapped to S.T.R.I.D.E. model
Identifying Security Controls
Identify possible threats
Report to Developers and Security team
DREAD Scoring
My Opinion on implementing Threat Modeling at enterprise level
Misconfiguration is define as configuration mistakes that results in unintended application behavior that includes misuse of default passwords, privileges, and excessive debugging information disclosure
Thick Client Penetration Testing
You will learn how to do pentesting of Thick client applications on a local and network level, You will also learn how to analyze the internal communication between web services & API.
The Offensive Security Certified Professional (OSCP) is one of the most technical and most challenging certifications for information security professionals.
For More information please contact us : https://www.infosectrain.com/
Link to Youtube video: https://youtu.be/OJMqMWnxlT8
You can contact me at abhimanyu.bhogwan@gmail.com
My linkdin id : https://www.linkedin.com/in/abhimanyu-bhogwan-cissp-ctprp-98978437/
Threat Modeling(system+ enterprise)
What is Threat Modeling?
Why do we need Threat Modeling?
6 Most Common Threat Modeling Misconceptions
Threat Modelling Overview
6 important components of a DevSecOps approach
DevSecOps Security Best Practices
Threat Modeling Approaches
Threat Modeling Methodologies for IT Purposes
STRIDE
Threat Modelling Detailed Flow
System Characterization
Create an Architecture Overview
Decomposing your Application
Decomposing DFD’s and Threat-Element Relationship
Identify possible attack scenarios mapped to S.T.R.I.D.E. model
Identifying Security Controls
Identify possible threats
Report to Developers and Security team
DREAD Scoring
My Opinion on implementing Threat Modeling at enterprise level
Misconfiguration is define as configuration mistakes that results in unintended application behavior that includes misuse of default passwords, privileges, and excessive debugging information disclosure
+ Background & Basics of Web App Security, The HTTP Protocol, Web.
+ Application Insecurities, OWASP Top 10 Vulnerabilities (XSS, SQL Injection, CSRF, etc.)
+ Web App Security Tools (Scanners, Fuzzers, etc), Remediation of Web App
+ Vulnerabilities, Web Application Audits and Risk Assessment.
Web Application Security 101 was conducted by:
Vaibhav Gupta, Vishal Ashtana, Sandeep Singh from Null.
Here Be Dragons: The Unexplored Land of Active Directory ACLsAndy Robbins
Presented by Andy Robbins, Rohan Vazarkar, and Will Schroeder at DerbyCon 7.0: Legacy, in Louisville, Kentucky, 2017.
See the video recording of the presentation here: https://www.youtube.com/watch?v=mfaFuXEiLF4
Web App Security Presentation by Ryan Holland - 05-31-2017TriNimbus
Web App Security - A presentation by Ryan Holland, Sr. Director, Cloud Architecture at Alert Logic for the Vancouver AWS User Group Meetup on May 31, 2017.
How to hack Citrix (So, You Just Inherited Someone Else's Citrix Environment....Denis Gundarev
Imagine that you just found the new job of your dreams: You are now a system administrator in a large enterprise. Everything is going like clockwork, except for one major problem: There are 5 different versions of Presentation Server in use and there is no documentation for any system. Now imagine you are a consultant ready to do an assessment of Citrix infrastructure, but nobody in the company knows how many farms and servers exist, or how they are configured. (Wanting a new imaginary job yet?) In this session, Denis Gundarev will share tips on how to document infrastructure and tricks on how to find all components or users that are "forgotten." Attendees will learn several methods for elevating permissions and taking ownership of forgotten systems.
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
Talk of Skip Duckwall and I at BlackHat 2014 USA / Defcon Wall of Sheep.
Kerberos, and new pass-the-* feature, like overpass-the-hash and the Golden Ticket
Introduction to Web Application Penetration TestingAnurag Srivastava
Web Application Pentesting
* Process to check and penetrate the security of a web application or a website
* process involves an active analysis of the application for any weaknesses, technical flaws, or vulnerabilities
* Any security issues that are found will be presented to the system owner, together with an assessment of the impact, a proposal for mitigation or a technical solution.
I got 99 trends and a # is all of them or How we found over 100 200+ RCE vulnerabilities in Trend Micro software.
Presentation released at Hack In The Box 2017 Amsterdam, by Roberto Suggi Liverani @malerisch and Steven Seeley @steventseeley.
For more information, please visit: http://blog.malerisch.net or http://srcincite.io
+ Background & Basics of Web App Security, The HTTP Protocol, Web.
+ Application Insecurities, OWASP Top 10 Vulnerabilities (XSS, SQL Injection, CSRF, etc.)
+ Web App Security Tools (Scanners, Fuzzers, etc), Remediation of Web App
+ Vulnerabilities, Web Application Audits and Risk Assessment.
Web Application Security 101 was conducted by:
Vaibhav Gupta, Vishal Ashtana, Sandeep Singh from Null.
Here Be Dragons: The Unexplored Land of Active Directory ACLsAndy Robbins
Presented by Andy Robbins, Rohan Vazarkar, and Will Schroeder at DerbyCon 7.0: Legacy, in Louisville, Kentucky, 2017.
See the video recording of the presentation here: https://www.youtube.com/watch?v=mfaFuXEiLF4
Web App Security Presentation by Ryan Holland - 05-31-2017TriNimbus
Web App Security - A presentation by Ryan Holland, Sr. Director, Cloud Architecture at Alert Logic for the Vancouver AWS User Group Meetup on May 31, 2017.
How to hack Citrix (So, You Just Inherited Someone Else's Citrix Environment....Denis Gundarev
Imagine that you just found the new job of your dreams: You are now a system administrator in a large enterprise. Everything is going like clockwork, except for one major problem: There are 5 different versions of Presentation Server in use and there is no documentation for any system. Now imagine you are a consultant ready to do an assessment of Citrix infrastructure, but nobody in the company knows how many farms and servers exist, or how they are configured. (Wanting a new imaginary job yet?) In this session, Denis Gundarev will share tips on how to document infrastructure and tricks on how to find all components or users that are "forgotten." Attendees will learn several methods for elevating permissions and taking ownership of forgotten systems.
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
Talk of Skip Duckwall and I at BlackHat 2014 USA / Defcon Wall of Sheep.
Kerberos, and new pass-the-* feature, like overpass-the-hash and the Golden Ticket
Introduction to Web Application Penetration TestingAnurag Srivastava
Web Application Pentesting
* Process to check and penetrate the security of a web application or a website
* process involves an active analysis of the application for any weaknesses, technical flaws, or vulnerabilities
* Any security issues that are found will be presented to the system owner, together with an assessment of the impact, a proposal for mitigation or a technical solution.
I got 99 trends and a # is all of them or How we found over 100 200+ RCE vulnerabilities in Trend Micro software.
Presentation released at Hack In The Box 2017 Amsterdam, by Roberto Suggi Liverani @malerisch and Steven Seeley @steventseeley.
For more information, please visit: http://blog.malerisch.net or http://srcincite.io
A Hacker's Perspective on Embedded Device Security, presented by Paul Dant of Independent Security Evaluators at the Security of Things Forum, Sept. 10, 2015
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
The SolarWinds attack brought additional scrutiny software supply chain security, but concerns about organizations’ software supply chains have been discussed for a number of years. Development organizations’ shift to DevOps or DevSecOps has pushed teams to adopt new technologies in the build pipeline – often hosted by 3rd parties. This has resulted in build pipelines that expose a complicated and often uncharted attack surface. In addition, modern products also incorporate code from a variety of contributors – ranging from in-house developers, 3rd party development contractors, as well as an array open source contributors.
This talk looks at the challenge of developing secure build pipelines. This is done via the construction of a threat model for an example software build pipeline that walks through how the various systems and communications along the way can potentially be misused by malicious actors. Coverage of the major components of a build pipeline – source control, open source component management, software builds, automated testing, and packaging for distribution – is used to enumerate likely attack surface exposed via the build process and to highlight potential controls that can be put in place to harden the pipeline against attacks. The presentation is intended to be useful both for evaluating internal build processes as well as to support the evaluation of critical external vendors’ processes.
FIWARE Wednesday Webinars - How to Debug IoT AgentsFIWARE
How to Debug IoT Agents Webinar - 17th April 2019
Corresponding webinar recording: https://youtu.be/FRqJsywi9e8
Chapter: IoT Agents
Difficulty: 3
Audience: Any Technical
Presenter: Jason Fox (Senior Technical Evangelist, FIWARE Foundation)
How to debug IoT Agents - investigating what goes wrong and how to fix it.
A set of Tips & Tricks in the resolution of the typical problems that you can find and the reason of them when you work with FIWARE IoT Agents and FIWARE Orion Context Broker
Imagine we had the power to understand the code before its complied or embedding a backdoor or even stealing legitimate certificates of a well known vendor and using them to sign malware?
Join me in the journey of exploring security issues that tend to happen during Build Time in typical enterprise environments.
Quality of software code for a given product shipped effectively translates not only to its functional quality but as well to its non functional aspects say security. Many of the issues in code can be addressed much before they reach SCM.
Contain your risk: Deploy secure containers with trust and confidenceBlack Duck by Synopsys
Presented on September 22, 2016 by Brent Baude, Principle Software Engineer, Atomic and Docker Development, Red Hat; Randy Kilmon, VP, Engineering, Black Duck
Organizations are increasingly turning to container environments to meet the demand for faster, more agile software development. But a 2015 study conducted by Forrester Consulting on behalf of Red Hat revealed that 53% of IT operations and development decision makers at global enterprises reported container security concerns as a barrier to adoption.
The challenges of managing security risk increase in scope and complexity when hundreds or even thousands of different open source software components and licenses are part of your application code base. Since 2014, more than 6,000 new open source security vulnerabilities have been reported, making it essential to have good visibility into and control over the open source in use in order to understand if any known vulnerabilities are present.
In this webinar, experts from Red Hat and Black Duck will share the latest insights and recommendations for securing the open source in your containers, including protecting them from vulnerabilities like Heartbleed, Shellshock and Venom. You’ll learn:
• Why container environments present new application security challenges, including those posed by ever-increasing open source use.
• How to scan applications running in containers to identify open source in use and map known open source security vulnerabilities.
• Best practices and methodologies for deploying secure containers with trust and confidence.
Hacker Halted 2014 - Reverse Engineering the Android OSEC-Council
Introduction to the Android OS. the Android Developers Kit, Android Emulators, Rooting Android devices, de-compiling Android Apps. Dex2jar, Java JD_GUI and so on. During the presentation I will pull an App apart and show how to bypass a login screen.
What better way to express the Zombie Apocalypse then with mobile devices. They are ubiquitous. they are carried everywhere, they go everywhere. Having a decent understanding of the Operating System and it’s vulnerabilities can go a long way towards keeping your device protected.
Null Mumbai Meet_Android Reverse Engineering by Samrat Dasnullowaspmumbai
Android Reverse Engineering by Samrat Das
Abstract
• Intro to Reverse Engineering
• Short walkthough with Windows RE
• Introduction to Mobile Security Assessments
• Dalvik Virtual Machine vs JVM
• APK Walkthrough
• Components of Android
• Steps of Reverse Engineering Android Applications
• Hands-on demos on manual reversing of android apps
• Introduction to APPuse VM for droid assessments
• Detecting developer backdoors
• Creating Infected Android Applications
• Anti-Reversing | Obfuscation
This presentation is intended to provide an overview of vulnerabilities and attack techniques that are popular in penetration testing at the moment. This talk includes real-world examples of attacks that they use on a daily basis, and some reflections on what techniques have changed over the last year. Vulnerabilities related to the application, network, and server layers will all be covered along with current anti-virus bypass and privilege escalation techniques used by attackers and penetration testers. This presentation should be interesting to security professionals and system administrators looking for more insight into real world attacks.
More security blogs by the authors can be found @
https://www.netspi.com/blog/
Here Be Dragons: Security Maps of the Container New WorldC4Media
Video and slides synchronized, mp3 and slide download available at URL http://bit.ly/1KjxPiO.
Josh Bregman explores some of the unique security challenges created by both the development workflow and application runtime, explains why and how the current approaches in SecDevOps 1.0 are insufficient, and how SecDevOps 2.0 techniques including Software Defined Firewalls (SDF) provide a promising path forward for all parties involved. Filmed at qconnewyork.com.
Josh Bregman is Information Security Architect and Executive Vice President for Technical Sales at Conjur Inc.
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Ajin Abraham
Tizen is an operating system which is built to run on various kinds of devices. Tizen OS defines following profiles based on the devices types supported.
Tizen IVI (in-vehicle infotainment)
Tizen Mobile
Tizen TV, and
Tizen Wearable
Samsung's first Tizen-based devices are set to be launched in India in Nov 2014. This paper presents the research outcome on the security analysis of Tizen OS. The paper begins with a quick introduction to Tizen architecture which explains the various components of Tizen OS. This will be followed by Tizen's security model, where Application Sandboxing and Resource Access Control powered by Smack will be explained.
The vulnerabilities in Tizen identified during the research and responsibly disclosed to Tizen community will be discussed. This includes issues like Tizen WebKit2 Address spoofing and content injection, Buffer Overflows, Issues in Memory Protection like ASLR and DEP, Injecting SSL Certificate into Trusted Zone, (Shellshock) CVE-2014-6271 etc. Applications in Tizen can be written in HTML5/JS/CSS or natively using C/C++. Overview of pentesting Tizen application will be presented along with some of the issues impacting the security of Tizen application. There will be comparisons made to Android application, and how these security issues differ with Tizen.
For eg: Security issues with inter application communication with custom URL schemes or intent broadcasting in Android as opposed to using MessagePort API in Tizen. Issues with Webview & JavaScript Bridge in Android compared to how the web to native communication is handled with Tizen etc.
Tizen is late to enter into the market as compared to Android or iOS, which gives it the benefit of learning from the mistakes impacting the security of mobile OS, and fixing these issues right in the Security Architecture. To conclude, a verdict would be provided by the speaker on how much Tizen has achieved with regard to making this mobile OS a secure one.
Similar to Thick Application Penetration Testing: Crash Course (20)
Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)Scott Sutherland
During this presentation, we’ll talk about how to identify and triage the large volume of excessive access most standard Active Directory users have to common network shares. Over the course of hundreds of internal network penetration tests and audits one theme has stood out, vulnerability management programs do not adequately identify excessive share privileges. The excessive shares have become a risk for data exposure, ransomware attacks, and privilege escalation within enterprise environments. During this discussion, we will talk about why this gap exists, how to inventory excessive share across an entire Active Directory domain quickly, and how to triage those results to help reduce risk for your organization.
How to Build and Validate Ransomware Attack Detections (Secure360)Scott Sutherland
Ransomware is a strategy for adversaries to make money – a strategy that’s proven successful. During this presentation, we will cover how ransomware works, ransomware trends to watch, best practices for prevention, and more. At the core of the discussion, Scott will explain how to build detections for common tactics, techniques, and procedures (TTPs) used by ransomware families and how to validate they work, ongoing, as part of the larger security program. Participants will leave this webinar with actionable advice to ensure their organization is more resilient to ever-evolving ransomware attacks.
TROOPERS 20 - SQL Server Hacking Tips for Active Directory EnvironmentsScott Sutherland
During this presentation, I’ll cover common ways to target, exploit, and escalate domain privileges through SQL Servers in Active Directory environments. I’ll also share a msbuild.exe project file that can be used as an offensive SQL Client during red team engagements when tools like PowerUpSQL are too overt.
Where there is Active Directory, there are SQL Servers. In dynamic enterprise environments it’s common to see both platforms suffer from misconfigurations that lead to unauthorized system and sensitive data access. During this presentation, I’ll cover common ways to target, exploit, and escalate domain privileges through SQL Servers in Active Directory environments. I’ll also share a msbuild.exe project file that can be used as an offensive SQL Client during red team engagements when tools like PowerUpSQL are too overt.
PowerUpSQL - 2018 Blackhat USA Arsenal PresentationScott Sutherland
This is the presentation we provided at the 2018 Blackhat USA Arsenal to introduce PowerUpSQL. PowerUpSQL includes functions that support SQL Server discovery, weak configuration auditing, privilege escalation on scale, and post exploitation actions such as OS command execution. It is intended to be used during internal penetration tests and red team engagements. However, PowerUpSQL also includes many functions that can be used by administrators to quickly inventory the SQL Servers in their ADS domain and perform common threat hunting tasks related to SQL Server. This should be interesting to red, blue, and purple teams interested in automating day to day tasks involving SQL Server.
More information can be found at:
https://github.com/NetSPI/PowerUpSQL/wiki
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL ServerScott Sutherland
During this presentation, we’ll cover interesting techniques for executing operating system commands through SQL Server that can be used to avoid detection and maintain persistence during red team engagements. We’ll also talk about automating attacks through PowerShell Empire and PowerUpSQL. This will include a review of command execution through custom extended stored procedures, CLR assemblies, WMI providers, R scripts, python scripts, agent jobs, and custom ole objects. We’ll also dig into some new integrations with PowerShell Empire. All code and slide decks will be released during the presentation. This should be interesting to blue teamers looking for a faster way to test their detective control capabilities and red teamers looking for a practical way to avoid detection while trying to maintain access to their target environments.
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL ServerScott Sutherland
During this presentation, we’ll cover interesting techniques for executing operating system commands through SQL Server that can be used to avoid detection and maintain persistence during red team engagements. We’ll also talk about automating attacks through PowerShell Empire and PowerUpSQL. This will include a review of command execution through custom extended stored procedures, CLR assemblies, WMI providers, R scripts, python scripts, agent jobs, and custom ole objects. We’ll also dig into some new integrations with PowerShell Empire. All code and slide decks will be released during the presentation. This should be interesting to blue teamers looking for a faster way to test their detective control capabilities and red teamers looking for a practical way to avoid detection while trying to maintain access to their target environments.
Beyond xp_cmdshell: Owning the Empire through SQL ServerScott Sutherland
During this presentation, we’ll cover interesting techniques for executing operating system commands through SQL Server that can be used to avoid detection and maintain persistence during red team engagements. We’ll also talk about automating attacks through PowerShell Empire and PowerUpSQL. This will include a review of command execution through custom extended stored procedures, CLR assemblies, WMI providers, R scripts, python scripts, agent jobs, and custom ole objects. We’ll also dig into some new integrations with PowerShell Empire. All code and slide decks will be released during the presentation.
This should be interesting to blue teamers looking for a faster way to test their detective control capabilities and red teamers looking for a practical way to avoid detection while trying to maintain access to their target environments.
2017 Secure360 - Hacking SQL Server on Scale with PowerShellScott Sutherland
This presentation will provide an overview of common SQL Server discovery, privilege escalation, persistence, and data targeting techniques. Techniques will be shared for escalating privileges on SQL Server and associated Active Directory domains. Finally I’ll show how PowerShell automation can be used to execute the SQL Server attacks on scale with PowerUpSQL. All scripts demonstrated during the presentation are available on GitHub. This should be useful to penetration testers and system administrators trying to gain a better understanding of their SQL Server attack surface and how it can be exploited.
2017 Thotcon - Hacking SQL Servers on Scale with PowerShellScott Sutherland
This presentation will provide an overview of common SQL Server discovery, privilege escalation, persistence, and data targeting techniques. Techniques will be shared for escalating privileges on SQL Server and associated Active Directory domains. Finally I’ll show how PowerShell automation can be used to execute the SQL Server attacks on scale with PowerUpSQL. All scripts demonstrated during the presentation are available on GitHub. This should be useful to penetration testers and system administrators trying to gain a better understanding of their SQL Server attack surface and how it can be exploited.
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShellScott Sutherland
This presentation will provide an overview of common SQL Server discovery, privilege escalation, persistence, and data targeting techniques. Techniques will be shared for escalating privileges on SQL Server and associated Active Directory domains. Finally I’ll show how PowerShell automation can be used to execute the SQL Server attacks on scale with PowerUpSQL. All scripts demonstrated during the presentation are available on GitHub. This should be useful to penetration testers and system administrators trying to gain a better understanding of their SQL Server attack surface and how it can be exploited.
Sections Updated for OWASP Meeting:
- SQL Server Link Crawling
- UNC path injection targets
- Command execution details
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial EmulationScott Sutherland
This presentation provides an overview off common adversarial emulation approaches along with attack and detection trends. It should be interesting to penetration testers and professionals in security operations roles.
DerbyCon2016 - Hacking SQL Server on Scale with PowerShellScott Sutherland
This presentation will provide an overview of common SQL Server discovery, privilege escalation, persistence, and data targeting techniques. Techniques will be shared for escalating privileges on SQL Server and associated Active Directory domains. Finally we?ll show how PowerShell automation can be used to execute the SQL Server attacks on scale. All scripts created and demonstrated during the presentation will be open sourced. This should be useful to penetration testers and system administrators trying to gain a better understanding of their SQL Server attack surface and how it can be exploited.
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015Scott Sutherland
This presentation will cover 10 common weak SQL Server configurations and the practical attacks that help hackers gain unauthorized access to data, applications, and systems. This will include a few demonstrations of the techniques that are being used during real-world attacks and penetration tests. This should be interesting to developers, new database admins, and aspiring penetration testers looking to gain a better understanding of the risks associated with weak SQL Server configurations.
Full Video Presentation: http://youtu.be/SIeMz6gCK3Q
Attack All the Layers: What's Working during Pentests (OWASP NYC)Scott Sutherland
This presentation is intended to provide an overview of vulnerabilities and attack techniques that are popular in penetration testing at the moment. Vulnerabilities related to the application, network, and server layers will be covered along with current anti-virus bypass and privilege escalation techniques used by attackers and penetration testers. This presentation should be interesting to security professionals and system administrators looking for more insight into real world attacks.
This is the version modified for the OWASP meeting in June of 2014.
This presentation will provide an overview of common methods that can be used to obtain clear text credentials from Microsoft products such as Windows, IIS, and SQL Server. It also provides an overview of the proof of concept script used to recover MSSQL Linked Server passwords.
Relevant blog links have been provided below.
https://www.netspi.com/blog/entryid/215/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1
https://www.netspi.com/blog/entryid/226/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2
https://www.netspi.com/blog/entryid/221/decrypting-mssql-database-link-server-passwords
More security blogs by the authors can be found @
https://www.netspi.com/blog/
This presentation will provide an overview of what a penetration test is, why companies pay for them, and what role they play in most IT security programs. It will also include a brief overview of the common skill sets and tools used by today’s security professionals. Finally, it will offer some basic advice for getting started in penetration testing. This should be interesting to aspiring pentesters trying to gain a better understanding of how penetration testing fits into the larger IT security world.
Additional resources can be found in the blog below:
https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers
More security blogs by the authors can be found @
https://www.netspi.com/blog/
This presentation is intended to provide an overview of vulnerabilities and attack techniques that are popular in penetration testing at the moment. Vulnerabilities related to the application, network, and server layers will be covered along with current anti-virus bypass and privilege escalation techniques used by attackers and penetration testers. This presentation should be interesting to security professionals and system administrators looking for more insight into real world attacks. Karl Fosaaen and I put this together for Secure 360 in Minneapolis. We hope you enjoy it.
More security blogs by the authors can be found @
https://www.netspi.com/blog/
This presentation will take a high level look at the malware life cycle and the role that both hackers and IT professionals play in it. It should be interesting to IT professionals as well as individuals interested in learning more about the general approach used by hackers to gain unauthorized access to systems, applications, and sensitive data.
More security blogs by the authors can be found @
https://www.netspi.com/blog/
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Generating a custom Ruby SDK for your web service or Rails API using Smithyg2nightmarescribd
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
2. Who am I?
Scott Sutherland
Principal Security Consultant
• Penetration Testing
‒ Networks
‒ Web apps / services
‒ Thick apps
• Community Stuff
‒ Researcher
‒ Blogger
‒ Tool smith (or smithy if you like)
‒ Twitter stalker: @_nullbind
3. What are we going to talk about?
• Why should you care
• Testing Goal and Objectives
• Project Scoping
• Common Architectures
• Accessing the Application
• Testing Requirements
• Application Walkthrough
• Managed vs. Unmanaged
• Testing the Application
• Vulnerability Categories
• Reporting
4. Why am I talking about this?
Thick applications create unique
risks that web applications don't.
5. Why am I talking about this?
Users often have full control over the
application environment which:
‒ Allows attacks on trusted
components
‒ Exposes data, admin/hidden
functions
‒ Leads to application and OS privilege
escalation
6. Why am I talking about this?
Thick applications are the new web
applications.
7. Why am I talking about this?
Publishing thick applications via Terminal
Services and Citrix: Good Stuff
‒ Helps meet client demand for “cloud
services”
‒Converts Client/Server model to SaaS
model
‒Cheaper/Faster than developing
actual web based solution from
scratch
8. Why am I talking about this?
Publishing thick applications via Terminal
Services and Citrix: Bad Stuff
‒Very hard to secure published
desktops/applications
‒Commonly results in direct database
access
‒Often exposes internal networks of
service provider
9. Testing Goal & Objectives
Goal:
Determine what risks the application implementation
presents to the business so they can be mitigated.
Objectives:
Identify vulnerabilities that may exist in:
‒ The client application and server components
‒ The workstation or published application configuration
‒ The server or network configuration
10. Scoping Projects
Estimate effort:
‒ Number of forms
‒ Number of files
‒ Number of registry keys
‒ Number of user levels
‒ Application architecture
‒ Application technology
‒ Constraints
‒ Environment
Generally…
‒ More stuff = more time
‒ More complexity = more time
11. Common Architectures
Desktop Client Remote Database
‒ Usually entire implementation is on internal network
Desktop Client local DB Remote Database
‒ Local db typically syncs with remote db
‒ Usually client and local db are on internal network
remote db is hosted by service provider
Desktop Client Application Server Database
‒ Usually client in on internal network and app/db server
is located is hosted by service provider
‒ Common technologies: Web Services, Web
Applications, JBOSS, and IBM WebSphere
12. Common Architectures
Terminal Services Application
‒ RDP Terminal Server Published app
‒ Website RDP Terminal Server Published app
Citrix Application
‒ Citrix client Terminal Server Published app
‒ Website Citrix client Published app
Thin Application
‒ VMware application
‒ Hyper-V application
13. Accessing the Application
• Install locally, and test over VPN
• Install locally, and test over the internet
• Test over VPN, RDP to a client system,
and install the tool sets for testing
• VPN + Terminal Services (TS)
• Web based TS
• VPN + Citrix Client
• Web based Citrix
• Run from network share
14. Testing Requirements
Minimum Requirements:
• 2 application credentials
for each role
• Application Access
Potential Requirements:
• VPN access
• Local administrator
on client test system
• Internet endpoints
• Installation package
15. Application Walkthrough
• Verify connectivity to application
• Verify all credentials
• Walk through common use cases
• Identify potential areas of client concern
• Better understand application
architecture
17. UNMANAGED CODE APPLICATIONS
• General Information
‒ C and C++ (“unmanaged” or “native” languages)
‒ Compiled to machine code
‒ Include exportable functions
• Pros
‒ Typically run faster due to pre compiled code
‒ Can’t be easily decompiled to the original source code
• Cons
‒ Architecture specific
‒ Disassembly and reassembly is still possible
‒ API hooking is still possible
18. MANAGED CODE APPLICATIONS
• General Information
‒ Frameworks: .net (C# VB), Java Runtime, Dalvik
‒ Compiled to bytecode
‒ Usually does not include exportable functions
‒ Uses reflection to share public functions
• Pros
‒ Architecture independent
‒ Can be coded in different languages
‒ Can access unmanaged/native code
• Cons
‒ Slower due to Just in Time (JIT) compiling
‒ Disassembly and reassembly of CIL code is still possible
‒ Decompiling via reflection is still possible
‒ Global Assembly Cache (GAC) poisoning is possible
‒ API hooking is still possible
19. Attack Vectors
The usual suspects:
• Application GUI • Network traffic
• Files and folders • Application memory
• Windows registry • Configurations
20. Application Test Plan
Create a test plan and follow it…
• Address high priority test cases identified by
clients and business owners first
• Testing can be broken out by vector:
‒ GUI Review
‒ File Review
‒ Registry Review
‒ Network Review
‒ Memory Review
‒ Configuration Review
21. How far do we take this?
Stay in scope!
• That means only networks, servers, and
applications defined by the client
• On in scope systems:
‒ Application admin = yes
‒ Database user = yes
‒ Database admin = yes
‒ Local OS admin = yes
‒ Remote OS admin = yes
‒ Domain Admin = yes
(IF logged into system)
…then no more escalation
22. Testing the Servers
• Automated authenticated scanning
‒ Multiple tools
‒ Multiple rounds
• Manual testing using standardized
penetration test approach
‒ Information Gathering
‒ Vulnerability Enumeration
‒ Penetration
‒ Escalation
‒ Evidence Gathering
‒ Clean up
23. Testing the Application: GUI
• GUI object privileges
Show hidden form objects
Enable disabled functionality
Reveal masked passwords (GUI B GONE)
• GUI content
Review for sensitive data and passwords
• GUI logic
Bypass controls using intended GUI Functionality
Common Examples:
‒ SQL query windows
‒ Access control fields
‒ Export functions allow more access to data
‒ Break out of Citrix and Terminal Server applications
‒ External program execution
24. Testing the Application: GUI
Tool Description
UISpy Enable disabled functions, and call actions related to disabled functions.
Show hidden objects, enabled disabled objects, execution functions, and generally
WinCheat manipulate remote form objects.
View form object properties including the value of masked password fields, and mask
Window Detective card numbers.
25. Testing the Application: Files
• File permissions
Files and folders
• File Integrity
Strong naming, Authenticode signing
• File content
Debugging Symbols/files, sensitive data, passwords, and settings
• File and content manipulation
Backdoor the framework
DLL pre loading
Race conditions
Replacing files and content
Common Examples:
‒ Application settings
‒ Trusted paths and executables
‒ Trusted hosts
‒ Update servers
‒ Passwords and Private keys
26. Testing the Application: Files
• Exported Functions (usually native code)
Identify and run exported functions without authenticating
• Public Methods (managed code reflection)
Create a wrapper to access public methods without authenticating
• Decompile and Recompile
Recover source code, passwords, keys, and create patched assembly
• Decrypt and Deobfuscate
Recover source code, passwords, keys, etc
• Disassemble and Reassemble
Create patched assembly
27. Testing the Application: Files
Tool Description
AccessEnum, Privesc, autoruns, Dump file, registry, and service permissions. Also, review scheduled tasks excessive privilege and write script
schtasks locations.
.Net Reflector, Reflexil, ildasm, IL_Spy,
Decompile or disassemble binaries to recover source code, IL code, or assembly code. Use code review tools to
Graywolf,JD Java decompiler, java byte identify vulnerabilities, and review for sensitive data such as passwords, private keys, proprietary algorithms.
code editor, Metasm, CFFExplorer
Reflexil .net reflector plugin, Graywolf De obfuscate decompiled assemblies
Review exports, view/edit imports, edit and extract resources, view disk/memory usage to identify compression,
CFF Explorer, dllexp disassemble binary, and finger print language
MSFpayload. MSFencode, and MSFVenom can be used to generate shell code, DLL and EXE payloads for
Metasploit injection and side loading. This also ships with METASM ruby library that can be used to disassemble and
compile binaries
Process Explorer View image file settings, process, connections, threads, permissions, strings from process, environmental
variables
View DEP/ASLR settings, image file settings, process, connections, threads, permissions, strings from process,
Process Hacker 2 environmental variables
Process Monitor, API Monitor Monitors calls to file, registry keys, and sockets. API monitor does what it sounds like.
Spider2008 Search file system for interesting strings with regular expressions
Strings Dump strings from files
Symantec EPP Scan all files for know malware
PE Explorer Detect compiler or packer type and version
UPX, MPRESS, Iexpress, 7zip Decompress/unpack binaries and other files
Visual Studio, Ilasm, Metasm, winhex Edit exported .net reflector projects, IL, or assembly and create patched executables.
28. Testing the Application: Registry
• Registry permissions
Read and write access to registry keys
• Registry content
Sensitive data, passwords, and settings
• Registry manipulation
Bypass authentication and authorization
Replace content
Common Examples:
‒ Application settings
‒ Trusted paths and executables
‒ Trusted hosts
‒ Update servers
‒ Passwords
‒ Private keys
29. Testing the Application: Registry
Tool Description
Tools:
AccessEnum Dump file and registry permissions
Regedit Backup, review, and edit the registry
Regshot Registry diffing tool.
Process Monitor Monitors calls to file, registry keys, and sockets
30. Testing the Application: Network
• Network Rules
Local and network firewall rules
• Network content
Sensitive data, files, passwords, and settings
• Network manipulation
Bypass authentication and authorization (SQL)
Replacing content (Parameters)
Common Examples:
‒ Application settings
‒ Trusted paths and executables
‒ Trusted hosts
‒ Update servers
‒ Passwords
‒ Private keys
• Reverse and Fuzz Proprietary Protocols
31. Testing the Application: Network
Tool Description
Cain Can be used for ARP based man in the middle attacks. Can be used to parse password in live traffic or a pcap file.
Burp Can be used to manipulate HTTP traffic.
Metasploit Create custom fuzzer for RPC protocols.
Sully Create custom fuzzing templates.
Echo Mirage Generic TCP proxy.
Ettercap Can be used for man in the middle attacks. Can be used to modify traffic in transit with filters.
Evilgrade, interceptor-ng Tool for delivering Metasploit payloads instead of legitimate updates.
Network Miner Parse network traffic for files, systems, and shares.
oSpy, API Monitor 2 Dump data like encrypted SSL traffic and connection strings when DLL calls are made.
SOAPUI Can be used to interact directly with web services, and is often used with BURP
Web Inspect Service Attack Tool Generic web service review.
Wireshark, windump, Dump all network traffic. Rawcap is the bomb.
tcpdump,Rawcap
32. Testing the Application: Memory
• Process controls
DEP, ASLR, permissions, and privileges
• Memory content
Sensitive data, passwords, and settings
• Memory manipulation
Bypass authentication and authorization
Replacing content
Common Examples:
‒ Application settings
‒ Trusted paths and executables
‒ Trusted hosts
‒ Update servers
‒ Passwords
‒ Private keys
33. Testing the Application: Memory
Run-time Modifications
• Direct editing
• DLL injection
• Shell code Injection
• Process replacement
• Modify assembly in memory
• Identification of dangerous functions
• Check if debugger can be run
• Debugging via stepping and breakpoints
to analyze and modify
34. Testing the Application: Memory
Tool Description
Metasploit Can be used to generate shell code, exe, and DLL payloads. Can also be used to
migrate into a running process.
Process Explorer View image file settings, process, connections, threads, permissions, strings from
process, environmental variables
Process Hacker 2 View image file settings, DEP/ASLR settings, connections, threads, permissions,
environmental variables, inject DLL
RemoteDLL Can be used to inject a DLL into a process.
Tsearch Can be used to quickly find and replace strings in memory.
Immunity, OllyDBG, Can be used to step through the application and modify assembly instructions on the
fly.
Windbg, and IDA
Debuggers
Winhex Can be used to quickly find and replace strings in memory.
Userdump Dump memory from process.
35. Testing the Application: Configurations
• Application user privileges
• Service account privileges
• Service configuration privileges
• Service registration
• Database account privileges
• Remote share permissions
• TS breakouts to OS
• Citrix breakouts to OS
36. Testing the Application: Configurations
Tool Description
windows-privesc- Check privileges on servers and associated program directories, and manually
check check for insecurely registered services.
Citrix Client Used to connect to Citrix applications.
Data Source (ODBC) Look for existing ODBC connection and use tools like excel to leverage them.
Administrative Tool
Services.msc, Review application services for insecure registration, binary paths, and
windows-privesc- determine users who is running the service.
check
SQL Clients Used to connect directly to the database. Examples include OSQL, ISQL,
SQLCMD, RAZOR SQL,TOAD, Microsoft SQL Management Studio Express.
Windows Explorer and Access Windows dialog boxes to obtain access to a cmd console or
common dialog boxes Powershell. Target links, shortcuts, open file functions, export functions,
import functions, and reporting functions. Help menus and verbose error
pages can also be handy.
37. Vulnerability Categories
1. Application Logic
2. Code Injection
3. Excessive Privileges
4. Unencrypted Storage of Sensitive Data
5. Unencrypted Transmission of Sensitive Data
6. Weak Encryption Implementations
7. Weak Assembly Controls
8. Weak GUI Controls
9. Weak or Default Passwords
38. Reporting Stuff
• Create severity ranking system based on
static criteria
• Internally, criteria should take compensating
controls into consideration
• Prioritize findings based on
ranking system
• Include instructions or
screen shots to help
reproduce and fix issues
• Don’t forget recommendations
39. Wrap Up
• General Summary
‒ Attack thick applications and related infrastructure
from many vectors using many tools
‒ Managed code suffers from inherent weaknesses
that can’t be fixed and is easier to attack
• General Advice
‒ Never store sensitive anything in an assembly
‒ If something sensitive “must” be stored in an
assembly use unmanaged coding languages like C
and C++
‒ Be very careful to implement sufficient controls
when deploying thick applications via terminal
services or Citrix