SlideShare a Scribd company logo

Thick Application Penetration Testing: Crash Course

Scott Sutherland
Scott Sutherland

Scott Sutherland discusses penetration testing thick applications. He explains why these applications create unique risks compared to web applications due to users having full control over the application environment. This allows attacks on trusted components, exposure of data and admin functions, and privilege escalation. Sutherland outlines the goals and process for testing thick applications, including common architectures, accessing the application, and testing the application's GUI, files, registry, network traffic, memory, and configurations to identify vulnerabilities.

1 of 39
Download to read offline
Thick Application Penetration Test CRASH COURSE v1.0 Author: Scott Sutherland
Who am I? Scott Sutherland Principal Security Consultant • Penetration Testing ‒ Networks ‒ Web apps / services ‒ Thick apps • Community Stuff ‒ Researcher ‒ Blogger ‒ Tool smith (or smithy if you like) ‒ Twitter stalker: @_nullbind
What are we going to talk about? • Why should you care • Testing Goal and Objectives • Project Scoping • Common Architectures • Accessing the Application • Testing Requirements • Application Walkthrough • Managed vs. Unmanaged • Testing the Application • Vulnerability Categories • Reporting
Why am I talking about this? Thick applications create unique risks that web applications don't.
Why am I talking about this? Users often have full control over the application environment which: ‒ Allows attacks on trusted components ‒ Exposes data, admin/hidden functions ‒ Leads to application and OS privilege escalation
Why am I talking about this? Thick applications are the new web applications.
Why am I talking about this? Publishing thick applications via Terminal Services and Citrix: Good Stuff ‒ Helps meet client demand for “cloud services” ‒Converts Client/Server model to SaaS model ‒Cheaper/Faster than developing actual web based solution from scratch
Why am I talking about this? Publishing thick applications via Terminal Services and Citrix: Bad Stuff ‒Very hard to secure published desktops/applications ‒Commonly results in direct database access ‒Often exposes internal networks of service provider
Testing Goal & Objectives Goal: Determine what risks the application implementation presents to the business so they can be mitigated. Objectives: Identify vulnerabilities that may exist in: ‒ The client application and server components ‒ The workstation or published application configuration ‒ The server or network configuration
Scoping Projects Estimate effort: ‒ Number of forms ‒ Number of files ‒ Number of registry keys ‒ Number of user levels ‒ Application architecture ‒ Application technology ‒ Constraints ‒ Environment Generally… ‒ More stuff = more time ‒ More complexity = more time
Common Architectures Desktop Client  Remote Database ‒ Usually entire implementation is on internal network Desktop Client  local DB Remote Database ‒ Local db typically syncs with remote db ‒ Usually client and local db are on internal network remote db is hosted by service provider Desktop Client  Application Server  Database ‒ Usually client in on internal network and app/db server is located is hosted by service provider ‒ Common technologies: Web Services, Web Applications, JBOSS, and IBM WebSphere
Common Architectures Terminal Services Application ‒ RDP  Terminal Server  Published app ‒ Website  RDP  Terminal Server  Published app Citrix Application ‒ Citrix client  Terminal Server  Published app ‒ Website  Citrix client  Published app Thin Application ‒ VMware application ‒ Hyper-V application
Accessing the Application • Install locally, and test over VPN • Install locally, and test over the internet • Test over VPN, RDP to a client system, and install the tool sets for testing • VPN + Terminal Services (TS) • Web based TS • VPN + Citrix Client • Web based Citrix • Run from network share
Testing Requirements Minimum Requirements: • 2 application credentials for each role • Application Access Potential Requirements: • VPN access • Local administrator on client test system • Internet endpoints • Installation package
Application Walkthrough • Verify connectivity to application • Verify all credentials • Walk through common use cases • Identify potential areas of client concern • Better understand application architecture
Application Targets UNMANAGED CODE APPLICATIONS and MANAGED CODE APPLICATIONS
UNMANAGED CODE APPLICATIONS • General Information ‒ C and C++ (“unmanaged” or “native” languages) ‒ Compiled to machine code ‒ Include exportable functions • Pros ‒ Typically run faster due to pre compiled code ‒ Can’t be easily decompiled to the original source code • Cons ‒ Architecture specific ‒ Disassembly and reassembly is still possible ‒ API hooking is still possible
MANAGED CODE APPLICATIONS • General Information ‒ Frameworks: .net (C# VB), Java Runtime, Dalvik ‒ Compiled to bytecode ‒ Usually does not include exportable functions ‒ Uses reflection to share public functions • Pros ‒ Architecture independent ‒ Can be coded in different languages ‒ Can access unmanaged/native code • Cons ‒ Slower due to Just in Time (JIT) compiling ‒ Disassembly and reassembly of CIL code is still possible ‒ Decompiling via reflection is still possible ‒ Global Assembly Cache (GAC) poisoning is possible ‒ API hooking is still possible
Attack Vectors The usual suspects: • Application GUI • Network traffic • Files and folders • Application memory • Windows registry • Configurations
Application Test Plan Create a test plan and follow it… • Address high priority test cases identified by clients and business owners first • Testing can be broken out by vector: ‒ GUI Review ‒ File Review ‒ Registry Review ‒ Network Review ‒ Memory Review ‒ Configuration Review
How far do we take this? Stay in scope! • That means only networks, servers, and applications defined by the client • On in scope systems: ‒ Application admin = yes ‒ Database user = yes ‒ Database admin = yes ‒ Local OS admin = yes ‒ Remote OS admin = yes ‒ Domain Admin = yes (IF logged into system) …then no more escalation
Testing the Servers • Automated authenticated scanning ‒ Multiple tools ‒ Multiple rounds • Manual testing using standardized penetration test approach ‒ Information Gathering ‒ Vulnerability Enumeration ‒ Penetration ‒ Escalation ‒ Evidence Gathering ‒ Clean up
Testing the Application: GUI • GUI object privileges Show hidden form objects Enable disabled functionality Reveal masked passwords (GUI B GONE) • GUI content Review for sensitive data and passwords • GUI logic Bypass controls using intended GUI Functionality Common Examples: ‒ SQL query windows ‒ Access control fields ‒ Export functions allow more access to data ‒ Break out of Citrix and Terminal Server applications ‒ External program execution
Testing the Application: GUI Tool Description UISpy Enable disabled functions, and call actions related to disabled functions. Show hidden objects, enabled disabled objects, execution functions, and generally WinCheat manipulate remote form objects. View form object properties including the value of masked password fields, and mask Window Detective card numbers.
Testing the Application: Files • File permissions Files and folders • File Integrity Strong naming, Authenticode signing • File content Debugging Symbols/files, sensitive data, passwords, and settings • File and content manipulation Backdoor the framework DLL pre loading Race conditions Replacing files and content Common Examples: ‒ Application settings ‒ Trusted paths and executables ‒ Trusted hosts ‒ Update servers ‒ Passwords and Private keys
Testing the Application: Files • Exported Functions (usually native code) Identify and run exported functions without authenticating • Public Methods (managed code reflection) Create a wrapper to access public methods without authenticating • Decompile and Recompile Recover source code, passwords, keys, and create patched assembly • Decrypt and Deobfuscate Recover source code, passwords, keys, etc • Disassemble and Reassemble Create patched assembly
Testing the Application: Files Tool Description AccessEnum, Privesc, autoruns, Dump file, registry, and service permissions. Also, review scheduled tasks excessive privilege and write script schtasks locations. .Net Reflector, Reflexil, ildasm, IL_Spy, Decompile or disassemble binaries to recover source code, IL code, or assembly code. Use code review tools to Graywolf,JD Java decompiler, java byte identify vulnerabilities, and review for sensitive data such as passwords, private keys, proprietary algorithms. code editor, Metasm, CFFExplorer Reflexil .net reflector plugin, Graywolf De obfuscate decompiled assemblies Review exports, view/edit imports, edit and extract resources, view disk/memory usage to identify compression, CFF Explorer, dllexp disassemble binary, and finger print language MSFpayload. MSFencode, and MSFVenom can be used to generate shell code, DLL and EXE payloads for Metasploit injection and side loading. This also ships with METASM ruby library that can be used to disassemble and compile binaries Process Explorer View image file settings, process, connections, threads, permissions, strings from process, environmental variables View DEP/ASLR settings, image file settings, process, connections, threads, permissions, strings from process, Process Hacker 2 environmental variables Process Monitor, API Monitor Monitors calls to file, registry keys, and sockets. API monitor does what it sounds like. Spider2008 Search file system for interesting strings with regular expressions Strings Dump strings from files Symantec EPP Scan all files for know malware PE Explorer Detect compiler or packer type and version UPX, MPRESS, Iexpress, 7zip Decompress/unpack binaries and other files Visual Studio, Ilasm, Metasm, winhex Edit exported .net reflector projects, IL, or assembly and create patched executables.
Testing the Application: Registry • Registry permissions Read and write access to registry keys • Registry content Sensitive data, passwords, and settings • Registry manipulation Bypass authentication and authorization Replace content Common Examples: ‒ Application settings ‒ Trusted paths and executables ‒ Trusted hosts ‒ Update servers ‒ Passwords ‒ Private keys
Testing the Application: Registry Tool Description Tools: AccessEnum Dump file and registry permissions Regedit Backup, review, and edit the registry Regshot Registry diffing tool. Process Monitor Monitors calls to file, registry keys, and sockets
Testing the Application: Network • Network Rules Local and network firewall rules • Network content Sensitive data, files, passwords, and settings • Network manipulation Bypass authentication and authorization (SQL) Replacing content (Parameters) Common Examples: ‒ Application settings ‒ Trusted paths and executables ‒ Trusted hosts ‒ Update servers ‒ Passwords ‒ Private keys • Reverse and Fuzz Proprietary Protocols
Testing the Application: Network Tool Description Cain Can be used for ARP based man in the middle attacks. Can be used to parse password in live traffic or a pcap file. Burp Can be used to manipulate HTTP traffic. Metasploit Create custom fuzzer for RPC protocols. Sully Create custom fuzzing templates. Echo Mirage Generic TCP proxy. Ettercap Can be used for man in the middle attacks. Can be used to modify traffic in transit with filters. Evilgrade, interceptor-ng Tool for delivering Metasploit payloads instead of legitimate updates. Network Miner Parse network traffic for files, systems, and shares. oSpy, API Monitor 2 Dump data like encrypted SSL traffic and connection strings when DLL calls are made. SOAPUI Can be used to interact directly with web services, and is often used with BURP Web Inspect Service Attack Tool Generic web service review. Wireshark, windump, Dump all network traffic. Rawcap is the bomb. tcpdump,Rawcap
Testing the Application: Memory • Process controls DEP, ASLR, permissions, and privileges • Memory content Sensitive data, passwords, and settings • Memory manipulation Bypass authentication and authorization Replacing content Common Examples: ‒ Application settings ‒ Trusted paths and executables ‒ Trusted hosts ‒ Update servers ‒ Passwords ‒ Private keys
Testing the Application: Memory Run-time Modifications • Direct editing • DLL injection • Shell code Injection • Process replacement • Modify assembly in memory • Identification of dangerous functions • Check if debugger can be run • Debugging via stepping and breakpoints to analyze and modify
Testing the Application: Memory Tool Description Metasploit Can be used to generate shell code, exe, and DLL payloads. Can also be used to migrate into a running process. Process Explorer View image file settings, process, connections, threads, permissions, strings from process, environmental variables Process Hacker 2 View image file settings, DEP/ASLR settings, connections, threads, permissions, environmental variables, inject DLL RemoteDLL Can be used to inject a DLL into a process. Tsearch Can be used to quickly find and replace strings in memory. Immunity, OllyDBG, Can be used to step through the application and modify assembly instructions on the fly. Windbg, and IDA Debuggers Winhex Can be used to quickly find and replace strings in memory. Userdump Dump memory from process.
Testing the Application: Configurations • Application user privileges • Service account privileges • Service configuration privileges • Service registration • Database account privileges • Remote share permissions • TS breakouts to OS • Citrix breakouts to OS
Testing the Application: Configurations Tool Description windows-privesc- Check privileges on servers and associated program directories, and manually check check for insecurely registered services. Citrix Client Used to connect to Citrix applications. Data Source (ODBC) Look for existing ODBC connection and use tools like excel to leverage them. Administrative Tool Services.msc, Review application services for insecure registration, binary paths, and windows-privesc- determine users who is running the service. check SQL Clients Used to connect directly to the database. Examples include OSQL, ISQL, SQLCMD, RAZOR SQL,TOAD, Microsoft SQL Management Studio Express. Windows Explorer and Access Windows dialog boxes to obtain access to a cmd console or common dialog boxes Powershell. Target links, shortcuts, open file functions, export functions, import functions, and reporting functions. Help menus and verbose error pages can also be handy.
Vulnerability Categories 1. Application Logic 2. Code Injection 3. Excessive Privileges 4. Unencrypted Storage of Sensitive Data 5. Unencrypted Transmission of Sensitive Data 6. Weak Encryption Implementations 7. Weak Assembly Controls 8. Weak GUI Controls 9. Weak or Default Passwords
Reporting Stuff • Create severity ranking system based on static criteria • Internally, criteria should take compensating controls into consideration • Prioritize findings based on ranking system • Include instructions or screen shots to help reproduce and fix issues • Don’t forget recommendations
Wrap Up • General Summary ‒ Attack thick applications and related infrastructure from many vectors using many tools ‒ Managed code suffers from inherent weaknesses that can’t be fixed and is easier to attack • General Advice ‒ Never store sensitive anything in an assembly ‒ If something sensitive “must” be stored in an assembly use unmanaged coding languages like C and C++ ‒ Be very careful to implement sufficient controls when deploying thick applications via terminal services or Citrix

Recommended

Thick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxThick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptx
Anurag Srivastava
 
Thick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdfThick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdf
SouvikRoy114738
 
OSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainOSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ Infosectrain
InfosecTrain
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
Sunny Neo
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
Scott Hurrey
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)
abhimanyubhogwan
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurations
Megha Sahu
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat Hunting
GIBIN JOHN
 

Recommended

Thick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxThick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptx
Anurag Srivastava
 
Thick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdfThick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdf
SouvikRoy114738
 
OSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainOSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ Infosectrain
InfosecTrain
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
Sunny Neo
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
Scott Hurrey
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)
abhimanyubhogwan
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurations
Megha Sahu
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat Hunting
GIBIN JOHN
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versions
neexemil
 
How fun of privilege escalation Red Pill2017
How fun of privilege escalation Red Pill2017How fun of privilege escalation Red Pill2017
How fun of privilege escalation Red Pill2017
Ammarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101
Cybersecurity Education and Research Centre
 
Here Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLsHere Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLs
Andy Robbins
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
Teymur Kheirkhabarov
 
OWASP Top Ten
OWASP Top TenOWASP Top Ten
OWASP Top TenChristian Heinrich
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
kinish kumar
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017
TriNimbus
 
Web application security
Web application securityWeb application security
Web application security
Kapil Sharma
 
How to hack Citrix (So, You Just Inherited Someone Else's Citrix Environment....
How to hack Citrix (So, You Just Inherited Someone Else's Citrix Environment....How to hack Citrix (So, You Just Inherited Someone Else's Citrix Environment....
How to hack Citrix (So, You Just Inherited Someone Else's Citrix Environment....
Denis Gundarev
 
Offensive Security basics part 1
Offensive Security basics part 1Offensive Security basics part 1
Offensive Security basics part 1
wharpreet
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked Look
Jason Lang
 
0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity
Nikhil Mittal
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get it
Benjamin Delpy
 
Bypass file upload restrictions
Bypass file upload restrictionsBypass file upload restrictions
Bypass file upload restrictions
Mukesh k.r
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
bilcorry
 
Http request smuggling
Http request smugglingHttp request smuggling
Http request smuggling
n|u - The Open Security Community
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
Anurag Srivastava
 
Ch 6: Attacking Authentication
Ch 6: Attacking AuthenticationCh 6: Attacking Authentication
Ch 6: Attacking Authentication
Sam Bowne
 
Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseNetSPI
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of them
Roberto Suggi Liverani
 

More Related Content

What's hot

HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versions
neexemil
 
How fun of privilege escalation Red Pill2017
How fun of privilege escalation Red Pill2017How fun of privilege escalation Red Pill2017
How fun of privilege escalation Red Pill2017
Ammarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101
Cybersecurity Education and Research Centre
 
Here Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLsHere Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLs
Andy Robbins
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
Teymur Kheirkhabarov
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
kinish kumar
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017
TriNimbus
 
Web application security
Web application securityWeb application security
Web application security
Kapil Sharma
 
How to hack Citrix (So, You Just Inherited Someone Else's Citrix Environment....
How to hack Citrix (So, You Just Inherited Someone Else's Citrix Environment....How to hack Citrix (So, You Just Inherited Someone Else's Citrix Environment....
How to hack Citrix (So, You Just Inherited Someone Else's Citrix Environment....
Denis Gundarev
 
Offensive Security basics part 1
Offensive Security basics part 1Offensive Security basics part 1
Offensive Security basics part 1
wharpreet
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked Look
Jason Lang
 
0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity
Nikhil Mittal
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get it
Benjamin Delpy
 
Bypass file upload restrictions
Bypass file upload restrictionsBypass file upload restrictions
Bypass file upload restrictions
Mukesh k.r
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
bilcorry
 
Http request smuggling
Http request smugglingHttp request smuggling
Http request smuggling
n|u - The Open Security Community
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
Anurag Srivastava
 
Ch 6: Attacking Authentication
Ch 6: Attacking AuthenticationCh 6: Attacking Authentication
Ch 6: Attacking Authentication
Sam Bowne
 

What's hot (20)

HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versions
 
How fun of privilege escalation Red Pill2017
How fun of privilege escalation Red Pill2017How fun of privilege escalation Red Pill2017
How fun of privilege escalation Red Pill2017
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101
 
Here Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLsHere Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLs
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
OWASP Top Ten
OWASP Top TenOWASP Top Ten
OWASP Top Ten
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017
 
Web application security
Web application securityWeb application security
Web application security
 
How to hack Citrix (So, You Just Inherited Someone Else's Citrix Environment....
How to hack Citrix (So, You Just Inherited Someone Else's Citrix Environment....How to hack Citrix (So, You Just Inherited Someone Else's Citrix Environment....
How to hack Citrix (So, You Just Inherited Someone Else's Citrix Environment....
 
Offensive Security basics part 1
Offensive Security basics part 1Offensive Security basics part 1
Offensive Security basics part 1
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked Look
 
0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get it
 
Bypass file upload restrictions
Bypass file upload restrictionsBypass file upload restrictions
Bypass file upload restrictions
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
 
Http request smuggling
Http request smugglingHttp request smuggling
Http request smuggling
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
Ch 6: Attacking Authentication
Ch 6: Attacking AuthenticationCh 6: Attacking Authentication
Ch 6: Attacking Authentication
 

Similar to Thick Application Penetration Testing: Crash Course

Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseNetSPI
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of them
Roberto Suggi Liverani
 
SOHOpelessly Broken
SOHOpelessly BrokenSOHOpelessly Broken
SOHOpelessly Broken
The Security of Things Forum
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Real World Application Threat Modelling By Example
Real World Application Threat Modelling By ExampleReal World Application Threat Modelling By Example
Real World Application Threat Modelling By Example
NCC Group
 
FIWARE Wednesday Webinars - How to Debug IoT Agents
FIWARE Wednesday Webinars - How to Debug IoT AgentsFIWARE Wednesday Webinars - How to Debug IoT Agents
FIWARE Wednesday Webinars - How to Debug IoT Agents
FIWARE
 
How to debug IoT Agents
How to debug IoT AgentsHow to debug IoT Agents
How to debug IoT Agents
Fernando Lopez Aguilar
 
Reverse Engineering.pptx
Reverse Engineering.pptxReverse Engineering.pptx
Reverse Engineering.pptxSameer Sapra
 
Build Time Hacking
Build Time HackingBuild Time Hacking
Build Time Hacking
Mohammed Tanveer
 
Introduction to Android Development and Security
Introduction to Android Development and SecurityIntroduction to Android Development and Security
Introduction to Android Development and Security
Kelwin Yang
 
Code Quality - Security
Code Quality - SecurityCode Quality - Security
Code Quality - Security
sedukull
 
Contain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceContain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidence
Black Duck by Synopsys
 
Using Chef InSpec for Infrastructure Security
Using Chef InSpec for Infrastructure SecurityUsing Chef InSpec for Infrastructure Security
Using Chef InSpec for Infrastructure Security
Mandi Walls
 
Hacker Halted 2014 - Reverse Engineering the Android OS
Hacker Halted 2014 - Reverse Engineering the Android OSHacker Halted 2014 - Reverse Engineering the Android OS
Hacker Halted 2014 - Reverse Engineering the Android OS
EC-Council
 
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat DasNull Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
nullowaspmumbai
 
Terrascan - Cloud Native Security Tool
Terrascan - Cloud Native Security Tool Terrascan - Cloud Native Security Tool
Terrascan - Cloud Native Security Tool
sangam biradar
 
Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!
Scott Sutherland
 
Here Be Dragons: Security Maps of the Container New World
Here Be Dragons: Security Maps of the Container New WorldHere Be Dragons: Security Maps of the Container New World
Here Be Dragons: Security Maps of the Container New World
C4Media
 
Meetup callback
Meetup callbackMeetup callback
Meetup callback
Wayne Scarano
 
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Ajin Abraham
 

Similar to Thick Application Penetration Testing: Crash Course (20)

Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash Course
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of them
 
SOHOpelessly Broken
SOHOpelessly BrokenSOHOpelessly Broken
SOHOpelessly Broken
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Real World Application Threat Modelling By Example
Real World Application Threat Modelling By ExampleReal World Application Threat Modelling By Example
Real World Application Threat Modelling By Example
 
FIWARE Wednesday Webinars - How to Debug IoT Agents
FIWARE Wednesday Webinars - How to Debug IoT AgentsFIWARE Wednesday Webinars - How to Debug IoT Agents
FIWARE Wednesday Webinars - How to Debug IoT Agents
 
How to debug IoT Agents
How to debug IoT AgentsHow to debug IoT Agents
How to debug IoT Agents
 
Reverse Engineering.pptx
Reverse Engineering.pptxReverse Engineering.pptx
Reverse Engineering.pptx
 
Build Time Hacking
Build Time HackingBuild Time Hacking
Build Time Hacking
 
Introduction to Android Development and Security
Introduction to Android Development and SecurityIntroduction to Android Development and Security
Introduction to Android Development and Security
 
Code Quality - Security
Code Quality - SecurityCode Quality - Security
Code Quality - Security
 
Contain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceContain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidence
 
Using Chef InSpec for Infrastructure Security
Using Chef InSpec for Infrastructure SecurityUsing Chef InSpec for Infrastructure Security
Using Chef InSpec for Infrastructure Security
 
Hacker Halted 2014 - Reverse Engineering the Android OS
Hacker Halted 2014 - Reverse Engineering the Android OSHacker Halted 2014 - Reverse Engineering the Android OS
Hacker Halted 2014 - Reverse Engineering the Android OS
 
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat DasNull Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
 
Terrascan - Cloud Native Security Tool
Terrascan - Cloud Native Security Tool Terrascan - Cloud Native Security Tool
Terrascan - Cloud Native Security Tool
 
Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!
 
Here Be Dragons: Security Maps of the Container New World
Here Be Dragons: Security Maps of the Container New WorldHere Be Dragons: Security Maps of the Container New World
Here Be Dragons: Security Maps of the Container New World
 
Meetup callback
Meetup callbackMeetup callback
Meetup callback
 
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
 

More from Scott Sutherland

Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)
Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)
Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)
Scott Sutherland
 
How to Build and Validate Ransomware Attack Detections (Secure360)
How to Build and Validate Ransomware Attack Detections (Secure360)How to Build and Validate Ransomware Attack Detections (Secure360)
How to Build and Validate Ransomware Attack Detections (Secure360)
Scott Sutherland
 
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory EnvironmentsTROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
Scott Sutherland
 
2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQL2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQL
Scott Sutherland
 
PowerUpSQL - 2018 Blackhat USA Arsenal Presentation
PowerUpSQL - 2018 Blackhat USA Arsenal PresentationPowerUpSQL - 2018 Blackhat USA Arsenal Presentation
PowerUpSQL - 2018 Blackhat USA Arsenal Presentation
Scott Sutherland
 
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL ServerSecure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Scott Sutherland
 
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
Scott Sutherland
 
Beyond xp_cmdshell: Owning the Empire through SQL Server
Beyond xp_cmdshell: Owning the Empire through SQL ServerBeyond xp_cmdshell: Owning the Empire through SQL Server
Beyond xp_cmdshell: Owning the Empire through SQL Server
Scott Sutherland
 
2017 Secure360 - Hacking SQL Server on Scale with PowerShell
2017 Secure360 - Hacking SQL Server on Scale with PowerShell2017 Secure360 - Hacking SQL Server on Scale with PowerShell
2017 Secure360 - Hacking SQL Server on Scale with PowerShell
Scott Sutherland
 
2017 Thotcon - Hacking SQL Servers on Scale with PowerShell
2017 Thotcon - Hacking SQL Servers on Scale with PowerShell2017 Thotcon - Hacking SQL Servers on Scale with PowerShell
2017 Thotcon - Hacking SQL Servers on Scale with PowerShell
Scott Sutherland
 
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
Scott Sutherland
 
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
Scott Sutherland
 
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
Scott Sutherland
 
DerbyCon2016 - Hacking SQL Server on Scale with PowerShell
DerbyCon2016 - Hacking SQL Server on Scale with PowerShellDerbyCon2016 - Hacking SQL Server on Scale with PowerShell
DerbyCon2016 - Hacking SQL Server on Scale with PowerShell
Scott Sutherland
 
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 201510 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
Scott Sutherland
 
Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)
Scott Sutherland
 
Secure360 - Extracting Password from Windows
Secure360 - Extracting Password from WindowsSecure360 - Extracting Password from Windows
Secure360 - Extracting Password from Windows
Scott Sutherland
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
Scott Sutherland
 
Attack all the layers secure 360
Attack all the layers secure 360Attack all the layers secure 360
Attack all the layers secure 360
Scott Sutherland
 
Declaration of malWARe
Declaration of malWAReDeclaration of malWARe
Declaration of malWARe
Scott Sutherland
 

More from Scott Sutherland (20)

Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)
Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)
Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)
 
How to Build and Validate Ransomware Attack Detections (Secure360)
How to Build and Validate Ransomware Attack Detections (Secure360)How to Build and Validate Ransomware Attack Detections (Secure360)
How to Build and Validate Ransomware Attack Detections (Secure360)
 
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory EnvironmentsTROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
 
2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQL2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQL
 
PowerUpSQL - 2018 Blackhat USA Arsenal Presentation
PowerUpSQL - 2018 Blackhat USA Arsenal PresentationPowerUpSQL - 2018 Blackhat USA Arsenal Presentation
PowerUpSQL - 2018 Blackhat USA Arsenal Presentation
 
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL ServerSecure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
 
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
 
Beyond xp_cmdshell: Owning the Empire through SQL Server
Beyond xp_cmdshell: Owning the Empire through SQL ServerBeyond xp_cmdshell: Owning the Empire through SQL Server
Beyond xp_cmdshell: Owning the Empire through SQL Server
 
2017 Secure360 - Hacking SQL Server on Scale with PowerShell
2017 Secure360 - Hacking SQL Server on Scale with PowerShell2017 Secure360 - Hacking SQL Server on Scale with PowerShell
2017 Secure360 - Hacking SQL Server on Scale with PowerShell
 
2017 Thotcon - Hacking SQL Servers on Scale with PowerShell
2017 Thotcon - Hacking SQL Servers on Scale with PowerShell2017 Thotcon - Hacking SQL Servers on Scale with PowerShell
2017 Thotcon - Hacking SQL Servers on Scale with PowerShell
 
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
 
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
 
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
 
DerbyCon2016 - Hacking SQL Server on Scale with PowerShell
DerbyCon2016 - Hacking SQL Server on Scale with PowerShellDerbyCon2016 - Hacking SQL Server on Scale with PowerShell
DerbyCon2016 - Hacking SQL Server on Scale with PowerShell
 
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 201510 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
 
Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)
 
Secure360 - Extracting Password from Windows
Secure360 - Extracting Password from WindowsSecure360 - Extracting Password from Windows
Secure360 - Extracting Password from Windows
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
 
Attack all the layers secure 360
Attack all the layers secure 360Attack all the layers secure 360
Attack all the layers secure 360
 
Declaration of malWARe
Declaration of malWAReDeclaration of malWARe
Declaration of malWARe
 

Recently uploaded

Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
g2nightmarescribd
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
Paul Groth
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 

Recently uploaded (20)

Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 

Thick Application Penetration Testing: Crash Course

  • 1. Thick Application Penetration Test CRASH COURSE v1.0 Author: Scott Sutherland
  • 2. Who am I? Scott Sutherland Principal Security Consultant • Penetration Testing ‒ Networks ‒ Web apps / services ‒ Thick apps • Community Stuff ‒ Researcher ‒ Blogger ‒ Tool smith (or smithy if you like) ‒ Twitter stalker: @_nullbind
  • 3. What are we going to talk about? • Why should you care • Testing Goal and Objectives • Project Scoping • Common Architectures • Accessing the Application • Testing Requirements • Application Walkthrough • Managed vs. Unmanaged • Testing the Application • Vulnerability Categories • Reporting
  • 4. Why am I talking about this? Thick applications create unique risks that web applications don't.
  • 5. Why am I talking about this? Users often have full control over the application environment which: ‒ Allows attacks on trusted components ‒ Exposes data, admin/hidden functions ‒ Leads to application and OS privilege escalation
  • 6. Why am I talking about this? Thick applications are the new web applications.
  • 7. Why am I talking about this? Publishing thick applications via Terminal Services and Citrix: Good Stuff ‒ Helps meet client demand for “cloud services” ‒Converts Client/Server model to SaaS model ‒Cheaper/Faster than developing actual web based solution from scratch
  • 8. Why am I talking about this? Publishing thick applications via Terminal Services and Citrix: Bad Stuff ‒Very hard to secure published desktops/applications ‒Commonly results in direct database access ‒Often exposes internal networks of service provider
  • 9. Testing Goal & Objectives Goal: Determine what risks the application implementation presents to the business so they can be mitigated. Objectives: Identify vulnerabilities that may exist in: ‒ The client application and server components ‒ The workstation or published application configuration ‒ The server or network configuration
  • 10. Scoping Projects Estimate effort: ‒ Number of forms ‒ Number of files ‒ Number of registry keys ‒ Number of user levels ‒ Application architecture ‒ Application technology ‒ Constraints ‒ Environment Generally… ‒ More stuff = more time ‒ More complexity = more time
  • 11. Common Architectures Desktop Client  Remote Database ‒ Usually entire implementation is on internal network Desktop Client  local DB Remote Database ‒ Local db typically syncs with remote db ‒ Usually client and local db are on internal network remote db is hosted by service provider Desktop Client  Application Server  Database ‒ Usually client in on internal network and app/db server is located is hosted by service provider ‒ Common technologies: Web Services, Web Applications, JBOSS, and IBM WebSphere
  • 12. Common Architectures Terminal Services Application ‒ RDP  Terminal Server  Published app ‒ Website  RDP  Terminal Server  Published app Citrix Application ‒ Citrix client  Terminal Server  Published app ‒ Website  Citrix client  Published app Thin Application ‒ VMware application ‒ Hyper-V application
  • 13. Accessing the Application • Install locally, and test over VPN • Install locally, and test over the internet • Test over VPN, RDP to a client system, and install the tool sets for testing • VPN + Terminal Services (TS) • Web based TS • VPN + Citrix Client • Web based Citrix • Run from network share
  • 14. Testing Requirements Minimum Requirements: • 2 application credentials for each role • Application Access Potential Requirements: • VPN access • Local administrator on client test system • Internet endpoints • Installation package
  • 15. Application Walkthrough • Verify connectivity to application • Verify all credentials • Walk through common use cases • Identify potential areas of client concern • Better understand application architecture
  • 16. Application Targets UNMANAGED CODE APPLICATIONS and MANAGED CODE APPLICATIONS
  • 17. UNMANAGED CODE APPLICATIONS • General Information ‒ C and C++ (“unmanaged” or “native” languages) ‒ Compiled to machine code ‒ Include exportable functions • Pros ‒ Typically run faster due to pre compiled code ‒ Can’t be easily decompiled to the original source code • Cons ‒ Architecture specific ‒ Disassembly and reassembly is still possible ‒ API hooking is still possible
  • 18. MANAGED CODE APPLICATIONS • General Information ‒ Frameworks: .net (C# VB), Java Runtime, Dalvik ‒ Compiled to bytecode ‒ Usually does not include exportable functions ‒ Uses reflection to share public functions • Pros ‒ Architecture independent ‒ Can be coded in different languages ‒ Can access unmanaged/native code • Cons ‒ Slower due to Just in Time (JIT) compiling ‒ Disassembly and reassembly of CIL code is still possible ‒ Decompiling via reflection is still possible ‒ Global Assembly Cache (GAC) poisoning is possible ‒ API hooking is still possible
  • 19. Attack Vectors The usual suspects: • Application GUI • Network traffic • Files and folders • Application memory • Windows registry • Configurations
  • 20. Application Test Plan Create a test plan and follow it… • Address high priority test cases identified by clients and business owners first • Testing can be broken out by vector: ‒ GUI Review ‒ File Review ‒ Registry Review ‒ Network Review ‒ Memory Review ‒ Configuration Review
  • 21. How far do we take this? Stay in scope! • That means only networks, servers, and applications defined by the client • On in scope systems: ‒ Application admin = yes ‒ Database user = yes ‒ Database admin = yes ‒ Local OS admin = yes ‒ Remote OS admin = yes ‒ Domain Admin = yes (IF logged into system) …then no more escalation
  • 22. Testing the Servers • Automated authenticated scanning ‒ Multiple tools ‒ Multiple rounds • Manual testing using standardized penetration test approach ‒ Information Gathering ‒ Vulnerability Enumeration ‒ Penetration ‒ Escalation ‒ Evidence Gathering ‒ Clean up
  • 23. Testing the Application: GUI • GUI object privileges Show hidden form objects Enable disabled functionality Reveal masked passwords (GUI B GONE) • GUI content Review for sensitive data and passwords • GUI logic Bypass controls using intended GUI Functionality Common Examples: ‒ SQL query windows ‒ Access control fields ‒ Export functions allow more access to data ‒ Break out of Citrix and Terminal Server applications ‒ External program execution
  • 24. Testing the Application: GUI Tool Description UISpy Enable disabled functions, and call actions related to disabled functions. Show hidden objects, enabled disabled objects, execution functions, and generally WinCheat manipulate remote form objects. View form object properties including the value of masked password fields, and mask Window Detective card numbers.
  • 25. Testing the Application: Files • File permissions Files and folders • File Integrity Strong naming, Authenticode signing • File content Debugging Symbols/files, sensitive data, passwords, and settings • File and content manipulation Backdoor the framework DLL pre loading Race conditions Replacing files and content Common Examples: ‒ Application settings ‒ Trusted paths and executables ‒ Trusted hosts ‒ Update servers ‒ Passwords and Private keys
  • 26. Testing the Application: Files • Exported Functions (usually native code) Identify and run exported functions without authenticating • Public Methods (managed code reflection) Create a wrapper to access public methods without authenticating • Decompile and Recompile Recover source code, passwords, keys, and create patched assembly • Decrypt and Deobfuscate Recover source code, passwords, keys, etc • Disassemble and Reassemble Create patched assembly
  • 27. Testing the Application: Files Tool Description AccessEnum, Privesc, autoruns, Dump file, registry, and service permissions. Also, review scheduled tasks excessive privilege and write script schtasks locations. .Net Reflector, Reflexil, ildasm, IL_Spy, Decompile or disassemble binaries to recover source code, IL code, or assembly code. Use code review tools to Graywolf,JD Java decompiler, java byte identify vulnerabilities, and review for sensitive data such as passwords, private keys, proprietary algorithms. code editor, Metasm, CFFExplorer Reflexil .net reflector plugin, Graywolf De obfuscate decompiled assemblies Review exports, view/edit imports, edit and extract resources, view disk/memory usage to identify compression, CFF Explorer, dllexp disassemble binary, and finger print language MSFpayload. MSFencode, and MSFVenom can be used to generate shell code, DLL and EXE payloads for Metasploit injection and side loading. This also ships with METASM ruby library that can be used to disassemble and compile binaries Process Explorer View image file settings, process, connections, threads, permissions, strings from process, environmental variables View DEP/ASLR settings, image file settings, process, connections, threads, permissions, strings from process, Process Hacker 2 environmental variables Process Monitor, API Monitor Monitors calls to file, registry keys, and sockets. API monitor does what it sounds like. Spider2008 Search file system for interesting strings with regular expressions Strings Dump strings from files Symantec EPP Scan all files for know malware PE Explorer Detect compiler or packer type and version UPX, MPRESS, Iexpress, 7zip Decompress/unpack binaries and other files Visual Studio, Ilasm, Metasm, winhex Edit exported .net reflector projects, IL, or assembly and create patched executables.
  • 28. Testing the Application: Registry • Registry permissions Read and write access to registry keys • Registry content Sensitive data, passwords, and settings • Registry manipulation Bypass authentication and authorization Replace content Common Examples: ‒ Application settings ‒ Trusted paths and executables ‒ Trusted hosts ‒ Update servers ‒ Passwords ‒ Private keys
  • 29. Testing the Application: Registry Tool Description Tools: AccessEnum Dump file and registry permissions Regedit Backup, review, and edit the registry Regshot Registry diffing tool. Process Monitor Monitors calls to file, registry keys, and sockets
  • 30. Testing the Application: Network • Network Rules Local and network firewall rules • Network content Sensitive data, files, passwords, and settings • Network manipulation Bypass authentication and authorization (SQL) Replacing content (Parameters) Common Examples: ‒ Application settings ‒ Trusted paths and executables ‒ Trusted hosts ‒ Update servers ‒ Passwords ‒ Private keys • Reverse and Fuzz Proprietary Protocols
  • 31. Testing the Application: Network Tool Description Cain Can be used for ARP based man in the middle attacks. Can be used to parse password in live traffic or a pcap file. Burp Can be used to manipulate HTTP traffic. Metasploit Create custom fuzzer for RPC protocols. Sully Create custom fuzzing templates. Echo Mirage Generic TCP proxy. Ettercap Can be used for man in the middle attacks. Can be used to modify traffic in transit with filters. Evilgrade, interceptor-ng Tool for delivering Metasploit payloads instead of legitimate updates. Network Miner Parse network traffic for files, systems, and shares. oSpy, API Monitor 2 Dump data like encrypted SSL traffic and connection strings when DLL calls are made. SOAPUI Can be used to interact directly with web services, and is often used with BURP Web Inspect Service Attack Tool Generic web service review. Wireshark, windump, Dump all network traffic. Rawcap is the bomb. tcpdump,Rawcap
  • 32. Testing the Application: Memory • Process controls DEP, ASLR, permissions, and privileges • Memory content Sensitive data, passwords, and settings • Memory manipulation Bypass authentication and authorization Replacing content Common Examples: ‒ Application settings ‒ Trusted paths and executables ‒ Trusted hosts ‒ Update servers ‒ Passwords ‒ Private keys
  • 33. Testing the Application: Memory Run-time Modifications • Direct editing • DLL injection • Shell code Injection • Process replacement • Modify assembly in memory • Identification of dangerous functions • Check if debugger can be run • Debugging via stepping and breakpoints to analyze and modify
  • 34. Testing the Application: Memory Tool Description Metasploit Can be used to generate shell code, exe, and DLL payloads. Can also be used to migrate into a running process. Process Explorer View image file settings, process, connections, threads, permissions, strings from process, environmental variables Process Hacker 2 View image file settings, DEP/ASLR settings, connections, threads, permissions, environmental variables, inject DLL RemoteDLL Can be used to inject a DLL into a process. Tsearch Can be used to quickly find and replace strings in memory. Immunity, OllyDBG, Can be used to step through the application and modify assembly instructions on the fly. Windbg, and IDA Debuggers Winhex Can be used to quickly find and replace strings in memory. Userdump Dump memory from process.
  • 35. Testing the Application: Configurations • Application user privileges • Service account privileges • Service configuration privileges • Service registration • Database account privileges • Remote share permissions • TS breakouts to OS • Citrix breakouts to OS
  • 36. Testing the Application: Configurations Tool Description windows-privesc- Check privileges on servers and associated program directories, and manually check check for insecurely registered services. Citrix Client Used to connect to Citrix applications. Data Source (ODBC) Look for existing ODBC connection and use tools like excel to leverage them. Administrative Tool Services.msc, Review application services for insecure registration, binary paths, and windows-privesc- determine users who is running the service. check SQL Clients Used to connect directly to the database. Examples include OSQL, ISQL, SQLCMD, RAZOR SQL,TOAD, Microsoft SQL Management Studio Express. Windows Explorer and Access Windows dialog boxes to obtain access to a cmd console or common dialog boxes Powershell. Target links, shortcuts, open file functions, export functions, import functions, and reporting functions. Help menus and verbose error pages can also be handy.
  • 37. Vulnerability Categories 1. Application Logic 2. Code Injection 3. Excessive Privileges 4. Unencrypted Storage of Sensitive Data 5. Unencrypted Transmission of Sensitive Data 6. Weak Encryption Implementations 7. Weak Assembly Controls 8. Weak GUI Controls 9. Weak or Default Passwords
  • 38. Reporting Stuff • Create severity ranking system based on static criteria • Internally, criteria should take compensating controls into consideration • Prioritize findings based on ranking system • Include instructions or screen shots to help reproduce and fix issues • Don’t forget recommendations
  • 39. Wrap Up • General Summary ‒ Attack thick applications and related infrastructure from many vectors using many tools ‒ Managed code suffers from inherent weaknesses that can’t be fixed and is easier to attack • General Advice ‒ Never store sensitive anything in an assembly ‒ If something sensitive “must” be stored in an assembly use unmanaged coding languages like C and C++ ‒ Be very careful to implement sufficient controls when deploying thick applications via terminal services or Citrix