Un) fucking forensics

•Download as PPTX, PDF•

1 like•455 views

S

DEFCON 25 presentation. An overview of the basis for needing memory integrity validation (secure hash) checks of a running VM. Edit memory through python scripting. Enhance timeline assurances that you have not missed events with multiple complementary event sources.

(Un) Fucking Forensics
Active/Passive memory hacking/debugging
K2 / Director @IOACTIVE
https://github.com/K2

About me?
• Hacker for a while
• inVtero.net
• Memory analysis framework for Windows
• Super fast/GBPS throughput
• Memory integrity checking of VM’s/CrashDumps/Memory
• Type aware memory hacking tool
• EhTrace
• Binary trace tool
• Uses hook/patch-less technique for in-process debugging
• Lots of other stuff

Outline / areas
• How to forensic, how to Fuck forensics and how to un fuck it.
• Intx80 AF technique on header wipe/non-resident code/trim()
• How to deal with that
• RoP background, how it’s used in attacks
• Gargoyle attacks & how to protect against them
• CloudLeech – twist on UlfFrisk DMA attacks / PCILeech
• Demo of open source memory integrity platform for Windows!

Can you even
forensic?
• In general: Determine what happened.
Make a timeline of known events.
• “Artifacts” disk & memory (often
incomplete/fragmented) used to build timeline.
• How good can we do? How do we know if were
done?

Artifact
sources
How
attestable are
they?
• Time stamps from all sources to derive timeline
(event logs/syslog/firewall/filesystem time, etc…)
• Wevtutil - Windows Events Command Line Utility.
Configure more than 1189 event log sources
• SysMon (from SysInternals/Mark Russinovich) / neat
config: https://github.com/SwiftOnSecurity/sysmon-
config
• Linux (osquery
https://github.com/facebook/osquery )

Handling memory
• Forensics meets Reverse Engineering
• Dump / disassemble determine what the extent of capability the attacker possesses
• I want to at least clear this guy out & find out how much damage he did
• Volatility/Rekall python forensic engines
• Stephen Ridley’s RE memory hacking tool: https://github.com/s7ephen/SandKit
• Paper: Escaping the sandbox
• GAME HACKING! 
• Let’s look at what people do to cheat sometime?

How to F’it?
• Hide really well
• Wipe/Destroy logging/leave no
trace/Stenography/Encrypt
• Misdirect
• Flood/Annoy/Make analysis so
costly$$$/Obfuscate/Spoof/
• Direct Attack
• DefCon 15: Breaking Forensics
Software: Weaknesses in Critical
Evidence Collection Chris Palmer,
Alex Stamos

Anti-forensics: Furthering digital forensic science through a new extended,
granular taxonomy:

Foreshadowing: normalize you’re operations
• A great way to operate undetected is to ensure you are not an
anomaly.
• Use the resources of you’re target to conduct you’re operations.
• “Configuration” attacks
• Enable IPV6 tunneling & VPN access
• Attacker has trusted CA capability (added their privkey to trusted list)
• The more “normal” the method will be very hard to dig up

Int0x80’s AF counter
Attack against a tool:
Rekall
• Prevent dumping for working
More ways to get it;
• Use VAD (kernel source)
• Use PageTable (ABI)
• Use inVtero.net
• dump.py - VADDump (VAD) or
Dump (PageTable)

RoP: More normal
• RoP is an often discussed topic used mostly for exploitation
• RoP uses the CPU stack semantics to execute as if it were a really large set of return
statements.
• This uses the code that’s already on the system more “normalized” than if you had to inject
an executable payload that did not originate from the target
• RoP is used by Gargoyle (Josh Lospinoso) as an example of a persistence
technique that evades memory analysis systems
• There is hope, we can detect RoP attacks through call chain evaluation

RoP is not
perfect
https://www.cs.columbia.edu/~angelos/Papers/theses/vpappas_thesis.pdf

Gargoyle
persistence
• Leverages a timer and blocking
wait that moves it into the “active
state”
• Once active, stages page
protection +X
• Then uses this page to invoke it’s
primary payload
• It then mask’s the +X bit back off
and goes inactive

Tools too defend against RoP attack?
• Analysis: ROPEMU: A Framework for the Analysis of Complex Code-
Reuse Attacks
• Dump a complex RoP execution trace into an ELF !! Wow!
• Detection: inVtero.net can perform a stack checking function against
the memory dump.
• Similar tools for monitoring RoP at run time (EhTrace, RoPGuard, etc…)
• From the inVtero output, you really do NOT want to see the Gargoyle gadget,
or anything that looks like a stack pivot

Injection techniques
• Many variegations to achieve the same goal;
• 10 Process Injection Techniques (Ashkan Hosseini/Endgame)
• LoadLibrary, Hallowing, Thread hijacking, Windows Hooks, Registry
keys, APC, SetWindowLong, Shims & IAT shims
• Flame was a sort of hallowing attack
• “hid” inside of ntdll, remained undetected for years

Enter DMA with PCILeech
• Ulf Frisk Direct-Memory-Attack-the-Kernel:
• PCILeech attacks and utility for forensics (memory) collection
• Uses a variety of (very cool) techniques to execute payloads
• One of the simplest is the “unlock” functionality
• It’s an inline patch however
• Hard to detect w/o manual reversing

Integrity validation
• Full validation at any point in time must be able to be conducted
• System state should/must be static
• CPU execution will allow attackers to play games / evade read’s
• RDMA
• LiveMigration / Snapshotting

Tie it together
Un F’d Memory Forensics – Remove the guesswork
• Leverage wide range of information sources
• Have a comprehensive global view of the data set
• Appropriate countermeasures for most attackers (RoP)
• Integrity checking of memory (in line patch protection)
• Symbols and context for analysis of pointers
• Pointer tracking becomes more significant as we can qualify their address/vector

Demo’s & Thank you
• Check out the tools
Github.com/K2

Recommended

Bz backtrack.usage

Bz backtrack.usage

Bz backtrack.usage

This document discusses Backtrack, a Linux distribution for penetration testing and ethical hacking. It provides instructions on installing Backtrack 5 R3 using VirtualBox for testing purposes. It outlines the basic usage of Backtrack, including configuring the network and updating tools. It also describes exploring the pentesting tools directory and creating a simple lab with vulnerable virtual machines for security testing.

Steelcon 2015 - 0wning the internet of trash

Steelcon 2015 - 0wning the internet of trash

Steelcon 2015 - 0wning the internet of trash

My presentation slides from Steelcon 2015 on "Owning the Internet of Trash", a presentation on exploitation of endemic vulnerabilities in the so called "internet of things", with a focus on finding vulnerabilities in, exploiting, and gaining persistent access to, routers and other such embedded devices. This talk was recorded, a video will be linked soonish, and went over some basics of analysing firmware, hardware, and suchlike to find bugs in things and hack the planet!

BSides Hannover 2015 - Shell on Wheels

BSides Hannover 2015 - Shell on Wheels

BSides Hannover 2015 - Shell on Wheels

Infosecurity.be 2019: What are relevant open source security tools you should...

Infosecurity.be 2019: What are relevant open source security tools you should...

Infosecurity.be 2019: What are relevant open source security tools you should...

BSides Edinburgh 2017 - TR-06FAIL and other CPE Configuration Disasters

BSides Edinburgh 2017 - TR-06FAIL and other CPE Configuration Disasters

BSides Edinburgh 2017 - TR-06FAIL and other CPE Configuration Disasters

This document discusses vulnerabilities in TR-064 and TR-069 protocols for managing broadband network devices. It describes how TR-064 had issues with no password protection and readable credentials, allowing full device access. It also discusses prior vulnerabilities like Misfortune Cookie that allowed bypassing authentication in TR-069. The document then demonstrates how exploiting a persistent cross-site scripting vulnerability in the FreeACS server software through TR-069 requests could allow adding an administrative user and completely compromising the server. This could potentially allow attacking and reconfiguring millions of networked devices.

Security Testing: Fuzzing

Security Testing: Fuzzing

Security Testing: Fuzzing

Andrei Rubaniuk

After School cyber security class slides - Pat

After School cyber security class slides - Pat

After School cyber security class slides - Pat

BSides London 2017 - Hunt Or Be Hunted

BSides London 2017 - Hunt Or Be Hunted

BSides London 2017 - Hunt Or Be Hunted

Over the last few years threat hunting has risen from being a grassroots hands-on defensive technique to all-out hype as security vendors have jumped on the bandwagon. In this talk I wanted to strip away the marketing and talk about real-life threat hunting at scale and how it differs from traditional security monitoring. I'll cover the key datasets, different analytical approaches, cutting-edge TTPs and the people/skills needed to make it happen. I'll also share some real-world compromises that would have been missed by traditional detection but were found through hands-on threat hunting.

Recommended

Bz backtrack.usage

Bz backtrack.usage

Bz backtrack.usage

This document discusses Backtrack, a Linux distribution for penetration testing and ethical hacking. It provides instructions on installing Backtrack 5 R3 using VirtualBox for testing purposes. It outlines the basic usage of Backtrack, including configuring the network and updating tools. It also describes exploring the pentesting tools directory and creating a simple lab with vulnerable virtual machines for security testing.

Steelcon 2015 - 0wning the internet of trash

Steelcon 2015 - 0wning the internet of trash

Steelcon 2015 - 0wning the internet of trash

My presentation slides from Steelcon 2015 on "Owning the Internet of Trash", a presentation on exploitation of endemic vulnerabilities in the so called "internet of things", with a focus on finding vulnerabilities in, exploiting, and gaining persistent access to, routers and other such embedded devices. This talk was recorded, a video will be linked soonish, and went over some basics of analysing firmware, hardware, and suchlike to find bugs in things and hack the planet!

BSides Hannover 2015 - Shell on Wheels

BSides Hannover 2015 - Shell on Wheels

BSides Hannover 2015 - Shell on Wheels

Infosecurity.be 2019: What are relevant open source security tools you should...

Infosecurity.be 2019: What are relevant open source security tools you should...

Infosecurity.be 2019: What are relevant open source security tools you should...

BSides Edinburgh 2017 - TR-06FAIL and other CPE Configuration Disasters

BSides Edinburgh 2017 - TR-06FAIL and other CPE Configuration Disasters

BSides Edinburgh 2017 - TR-06FAIL and other CPE Configuration Disasters

This document discusses vulnerabilities in TR-064 and TR-069 protocols for managing broadband network devices. It describes how TR-064 had issues with no password protection and readable credentials, allowing full device access. It also discusses prior vulnerabilities like Misfortune Cookie that allowed bypassing authentication in TR-069. The document then demonstrates how exploiting a persistent cross-site scripting vulnerability in the FreeACS server software through TR-069 requests could allow adding an administrative user and completely compromising the server. This could potentially allow attacking and reconfiguring millions of networked devices.

Security Testing: Fuzzing

Security Testing: Fuzzing

Security Testing: Fuzzing

Andrei Rubaniuk

After School cyber security class slides - Pat

After School cyber security class slides - Pat

After School cyber security class slides - Pat

BSides London 2017 - Hunt Or Be Hunted

BSides London 2017 - Hunt Or Be Hunted

BSides London 2017 - Hunt Or Be Hunted

Over the last few years threat hunting has risen from being a grassroots hands-on defensive technique to all-out hype as security vendors have jumped on the bandwagon. In this talk I wanted to strip away the marketing and talk about real-life threat hunting at scale and how it differs from traditional security monitoring. I'll cover the key datasets, different analytical approaches, cutting-edge TTPs and the people/skills needed to make it happen. I'll also share some real-world compromises that would have been missed by traditional detection but were found through hands-on threat hunting.

Reverse Engineering the TomTom Runner pt. 1

Reverse Engineering the TomTom Runner pt. 1

Reverse Engineering the TomTom Runner pt. 1

A hacker likes computers for the same reason that a child likes legos: both allow the creation of something new. However the growing trend has been to 'close up' general purpose computing into devices that serve a narrow purpose. It's been happening with games consoles, routers, smartphones, smart TV's and more recently, smartwatches. A hacker will face this trend as an additional challenge and will be even more motivated to gain control over the device. This talk is a journey to the world of 'reverse engineering' of a device of the "Internet of Things", in this case a Tomtom Runner sports watch. The author has little previous experience in reverse engineering of embedded systems, so the talk aims to serve as an introduction to this topic, what motivations and what kind of approaches may be tried. Presented in September 2015 at "Confraria de Segurança da Informação" in Lisbon

Steelcon 2014 - Process Injection with Python

Steelcon 2014 - Process Injection with Python

Steelcon 2014 - Process Injection with Python

This is the slides to accompany the talk given by Darren Martyn at the Steelcon security conference in July 2014 about process injection using python. Covers using Python to manipulate processes by injecting code on x86, x86_64, and ARMv7l platforms, and writing a stager that automatically detects what platform it is running on and intelligently decides which shellcode to inject, and via which method. The Proof of Concept code is available at https://github.com/infodox/steelcon-python-injection

DefCamp 2013 - MSF Into The Worm Hole

DefCamp 2013 - MSF Into The Worm Hole

DefCamp 2013 - MSF Into The Worm Hole

This document provides an overview of using the Metasploit framework for penetration testing web applications. It discusses Metasploit modules like exploits, payloads, and listeners. It describes using direct exploits against hosts and browser exploits like heap spraying. It also covers using Metasploit for information gathering with Nmap and storing scan data in the Metasploit database. The document demonstrates a client-side attack against Internet Explorer using a binary payload and Immunity Debugger.

Distributed Fuzzing Framework Design

Distributed Fuzzing Framework Design

Distributed Fuzzing Framework Design

The document discusses distributed fuzzing, which involves spreading the workload of fuzz testing across multiple machines to dig deeper faster. It proposes a distributed fuzzing solution with the following key components: a database to store fuzzing data, a web interface for management, virtual machine nodes running fuzzers and monitoring targets, and an RPC interface to coordinate communication between components. The goal is to make deployment and management of distributed fuzzing easy while avoiding vendor lock-in.

Csw2016 d antoine_automatic_exploitgeneration

Csw2016 d antoine_automatic_exploitgeneration

Csw2016 d antoine_automatic_exploitgeneration

The document discusses automated exploit generation through program analysis techniques. It introduces dynamic binary instrumentation, symbolic execution, and concolic execution as program analysis methods that can help automate finding the path to a vulnerability and generating an exploit. It provides examples of how these techniques work and common tools used like PIN, KLEE, Angr. The document concludes by discussing challenges like defining semantics of vulnerabilities precisely and the potential of program analysis to find more bugs through techniques like automated proving of program correctness.

Fuzzing 101 Webinar on Zero Day Management

Fuzzing 101 Webinar on Zero Day Management

Fuzzing 101 Webinar on Zero Day Management

In this webinar, we explore the process of zero-day vulnerability management from initial threat analysis to automated detection and remediation. We will demonstrate how easy it is to detect attack vectors and to quickly assess the reliability and security of those interfaces using general purpose fuzzing solutions. We will also show you how you can complement these solutions with known vulnerability data and do patch verification easily and cost-effectively. Finally, we will discuss how you can tailor your defenses to block zero day attacks, which is a key aspect of vulnerability management.

FUZZING & SOFTWARE SECURITY TESTING

FUZZING & SOFTWARE SECURITY TESTING

FUZZING & SOFTWARE SECURITY TESTING

This document provides an overview of fuzz testing and fuzzing tools. It discusses what fuzzing is, the history and evolution of fuzzing, popular fuzzing tools like Peach Fuzz and Sulley, and fuzzing methods like generation-based, mutation-based, and byte flipping fuzzing. The document also covers the phases of fuzzing like identifying targets and inputs, generating fuzzed data, executing it, and monitoring for exceptions. Key fuzzing frameworks and tools from organizations like CERT and their capabilities are described as well.

[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...

[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...

[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...

One of the most prevalent methods used by attackers to exploit vulnerabilities is ROP - Return Oriented Programming. Many times during the exploitation process, code will run very differently than it does usually - calls will be made to the middle of functions, functions won’t return to their callers, etc. These anomalies in control flow could be detected if a log of all instructions executed by the processor were available. In the past, tracing the execution of a processor incurred a significant slowdown, rendering such an anti-exploitation method impractical. However, recent Intel processors, such as Broadwell and Skylake, are now able to trace execution with low overhead, via a feature called Processor Trace. A similar feature called CoreSight exists on new ARM processors. The lecture will discuss an anti-exploitation system we built which scans files and detects control flow violations by using these new processor features. --- Ron Shina Ron has been staring at binary code for over the past decade, occasionally running it. Having spent a lot of his time doing mathematics, he enjoys searching for algorithmic opportunities in security research and reverse engineering. He is a graduate of the Israel Defense Forces’ Talpiot program. In his spare time he works on his jump shot. --- Shlomi Oberman Shlomi Oberman is an independent security researcher with over a decade of experience in security research. Shlomi spent many years in the attacker’s shoes for different companies and knows too well how hard it is to stop a determined attacker. In the past years his interest has shifted from breaking things to helping stop exploits – while software is written and after it has shipped. Shlomi is a veteran of the IDF Intelligence Corps and used to head the security research efforts at NSO Group and other companies.

Defcon 22-philip-young-from-root-to-special-hacking-ibm-main

Defcon 22-philip-young-from-root-to-special-hacking-ibm-main

Defcon 22-philip-young-from-root-to-special-hacking-ibm-main

This document discusses hacking mainframe systems like IBM z/OS. It describes how the speaker was able to gain access to mainframes through methods like credential theft, exploiting vulnerabilities in programs like Tivoli NetView, and escalating privileges using tools to ultimately achieve root access. The speaker demonstrates hacking tools they have created like BIRP, TShocker, and Maintp that can be used to conduct reconnaissance of mainframes and execute code through techniques like FTP.

[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -

[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -

[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -

The document discusses the challenges of protecting against malware on web browsers through client-side solutions alone. It describes how the author was able to bypass protections in various internet security suites and anti-malware products by creating malicious browser extensions. While some vendors were able to address the issues, the document argues that client-side only solutions are fundamentally limited. It suggests focusing on server-side protections instead of seeking a "client-side elixir" for fully preventing malware.

Cloud Security with LibVMI

Cloud Security with LibVMI

Cloud Security with LibVMI

Tamas K Lengyel

The document provides a brief history of hardware security from 1982 to present day, focusing on developments like protected mode, virtualization with Xen and VT-x/AMD-V, the Intel Management Engine, SGX, and virtual machine introspection (VMI). It discusses the core concepts behind VMI including isolation, interpretation, and interposition. LibVMI is introduced as a tool for VMI that allows monitoring VM memory, translating guest virtual addresses, and placing hooks in the guest. Future directions include more guest OS and hypervisor support as well as new event types.

2016 TTL Security Gap Analysis with Kali Linux

2016 TTL Security Gap Analysis with Kali Linux

2016 TTL Security Gap Analysis with Kali Linux

Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System

Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System

Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System

Tamas K Lengyel

The document describes DRAKVUF, a dynamic malware analysis system that aims to improve scalability, fidelity, and stealthiness. It uses Xen virtualization and memory monitoring techniques like EPT to analyze malware behavior in a monitored virtual environment without the malware's knowledge. An evaluation analyzed 1000 malware samples, found key data only existed in memory, and showed throughput could be improved with memory deduplication. The system helps address issues with analyzing large malware sets but challenges remain like handling stalled code.

50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi

50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi

50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi

Graphic drivers and their related code are an essential component in every modern operating system. This particular component involves especially complex logic and a huge amount of code, simply because it must handle equally complex tasks. As we know from history and experience huge and complex code is often also a security risk. Last but not least, in almost all the popular modern operating system, graphics code and logic is running in a highly privileged context such as the kernel, or even in a higher context, such as VMWare graphics component, which essentially implements your graphic card outside the guest into a host process. Any mistake made into this highly privileged code can lead to a fatal outcome, especially considering that it is often reachable from interesting sandboxes, such as the browser ones. We will go through the internals for various graphic systems, to show similarities and differences, such as windows heart of graphics aka win32k, then OSX/iOS IOKit, and finally, WMWare emulated GPU graphic subsystem. We can then switch gear and showcase some vulnerabilities in these scenarios, discuss effective fuzzing methodologies both specific to a particular target and generic principles of fuzzing graphic subsystems as well.

XFLTReat: a new dimension in tunnelling

XFLTReat: a new dimension in tunnelling

XFLTReat: a new dimension in tunnelling

This presentation will sum up how to do tunnelling with different protocols and will have different perspectives detailed. For example, companies are fighting hard to block exfiltration from their network: they use http(s) proxies, DLP, IPS technologies to protect their data, but are they protected against tunnelling? There are so many interesting questions to answer for users, abusers, companies and malware researchers. Mitigation and bypass techniques will be shown you during this presentation, which can be used to filter any tunnelling on your network or to bypass misconfigured filters.

Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware

Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware

Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware

This document discusses improving the communication of malware analysis by providing reproducible analyses using the malware itself. It proposes supplementing written analyses with demonstrations that instrument the malware. As a case study, it analyzes a piece of POS malware called JackPOS. The document describes setting up the malware's command and control infrastructure and memory scraping functionality. It concludes by demonstrating how to instrument the malware using Python scripts to trace its network communication and track data collection in a reproducible way.

Hacking Windows 95 #33c3

Hacking Windows 95 #33c3

Hacking Windows 95 #33c3

This document outlines how to remotely hack Windows 95 without any user interaction or needing zero-day exploits. It lists the prerequisites as having a default installation of Windows 95 with a writable C: share and network connectivity configured. It then provides links to resources on hacking Windows 95, including a 158-page manual and blog posts walking through exploiting vulnerabilities. The goal is to achieve remote code execution on the target system using existing hacking tools.

Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)

Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)

Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)

ShinoBOT is a penetration testing tool that simulates a remote access tool (RAT) to measure an organization's defenses against advanced persistent threats. It connects to the ShinoC2 command and control server every 10 seconds to receive and execute jobs. ShinoC2 allows penetration testers to create jobs that are then assigned to compromised systems running ShinoBOT. The tools aim to help security teams understand what would happen if a real APT successfully installed a RAT on their network by testing incident response and log monitoring capabilities. Upcoming features for ShinoBOT include taking webcam snapshots, encrypting its communications and hiding using a kernel driver to simulate more advanced adversary techniques.

Oscp preparation

Oscp preparation

Oscp preparation

Manich Koomsusi

This document provides an overview and preparation guide for the Offensive Security Certified Professional (OSCP) certification. It begins with an introduction and outlines the agenda, which includes an overview of the OSCP, course registration details, prerequisites, an overview of the course content and lab environment, exam preparation tips, and exam details. It then provides additional exam tips, discusses what to expect after passing the OSCP exam, and recommends additional reference materials and websites. The document is intended to help those interested in understanding and preparing for the OSCP certification exam.

Practical Windows Kernel Exploitation

Practical Windows Kernel Exploitation

Practical Windows Kernel Exploitation

This document discusses a presentation on practical Windows kernel exploitation. It covers the basics of kernel exploitation, common vulnerability classes like write-what-where and use-after-free, techniques for executing code, mitigation technologies, writing Windows kernel exploits for Metasploit, and improving reliability. The speaker works at SecureState researching and developing kernel exploits and is an open source contributor to projects like Metasploit.

Security research over Windows #defcon china

Security research over Windows #defcon china

Security research over Windows #defcon china

Past several years Microsoft Windows undergo lot of fundamental security changes. Where one can argue still imperfect and bound to tons of legacy issues, on the other hand those changes made important shifts in attacker perspective. From tightened sandboxing, restricting attack surface, introducing mitigations, applying virtualization up to stronger focus even on win32k. In our talk we will go trough those changes, how it affects us and how we tackle them from choosing targets, finding bugs up to exploitation primitives we are using. While also empathize that windows research is not only about sandbox, and there are many more interesting target to look for.

Creating Havoc using Human Interface Device

Creating Havoc using Human Interface Device

Creating Havoc using Human Interface Device

Positive Hack Days

This document provides an overview of a presentation about using human interface devices like keyboards for penetration testing. The presentation covers using the Teensy microcontroller to create payloads that are executed when the device is plugged into a target system. It demonstrates writing payloads using the Kautilya toolkit to perform attacks like installing backdoors, changing system settings, gathering information, and executing code on Windows and Linux machines. The document also discusses limitations and ways to prevent attacks using malicious human interface devices.

More Related Content

What's hot

Reverse Engineering the TomTom Runner pt. 1

Reverse Engineering the TomTom Runner pt. 1

Reverse Engineering the TomTom Runner pt. 1

A hacker likes computers for the same reason that a child likes legos: both allow the creation of something new. However the growing trend has been to 'close up' general purpose computing into devices that serve a narrow purpose. It's been happening with games consoles, routers, smartphones, smart TV's and more recently, smartwatches. A hacker will face this trend as an additional challenge and will be even more motivated to gain control over the device. This talk is a journey to the world of 'reverse engineering' of a device of the "Internet of Things", in this case a Tomtom Runner sports watch. The author has little previous experience in reverse engineering of embedded systems, so the talk aims to serve as an introduction to this topic, what motivations and what kind of approaches may be tried. Presented in September 2015 at "Confraria de Segurança da Informação" in Lisbon

Steelcon 2014 - Process Injection with Python

Steelcon 2014 - Process Injection with Python

Steelcon 2014 - Process Injection with Python

This is the slides to accompany the talk given by Darren Martyn at the Steelcon security conference in July 2014 about process injection using python. Covers using Python to manipulate processes by injecting code on x86, x86_64, and ARMv7l platforms, and writing a stager that automatically detects what platform it is running on and intelligently decides which shellcode to inject, and via which method. The Proof of Concept code is available at https://github.com/infodox/steelcon-python-injection

DefCamp 2013 - MSF Into The Worm Hole

DefCamp 2013 - MSF Into The Worm Hole

DefCamp 2013 - MSF Into The Worm Hole

This document provides an overview of using the Metasploit framework for penetration testing web applications. It discusses Metasploit modules like exploits, payloads, and listeners. It describes using direct exploits against hosts and browser exploits like heap spraying. It also covers using Metasploit for information gathering with Nmap and storing scan data in the Metasploit database. The document demonstrates a client-side attack against Internet Explorer using a binary payload and Immunity Debugger.

Distributed Fuzzing Framework Design

Distributed Fuzzing Framework Design

Distributed Fuzzing Framework Design

The document discusses distributed fuzzing, which involves spreading the workload of fuzz testing across multiple machines to dig deeper faster. It proposes a distributed fuzzing solution with the following key components: a database to store fuzzing data, a web interface for management, virtual machine nodes running fuzzers and monitoring targets, and an RPC interface to coordinate communication between components. The goal is to make deployment and management of distributed fuzzing easy while avoiding vendor lock-in.

Csw2016 d antoine_automatic_exploitgeneration

Csw2016 d antoine_automatic_exploitgeneration

Csw2016 d antoine_automatic_exploitgeneration

The document discusses automated exploit generation through program analysis techniques. It introduces dynamic binary instrumentation, symbolic execution, and concolic execution as program analysis methods that can help automate finding the path to a vulnerability and generating an exploit. It provides examples of how these techniques work and common tools used like PIN, KLEE, Angr. The document concludes by discussing challenges like defining semantics of vulnerabilities precisely and the potential of program analysis to find more bugs through techniques like automated proving of program correctness.

Fuzzing 101 Webinar on Zero Day Management

Fuzzing 101 Webinar on Zero Day Management

Fuzzing 101 Webinar on Zero Day Management

In this webinar, we explore the process of zero-day vulnerability management from initial threat analysis to automated detection and remediation. We will demonstrate how easy it is to detect attack vectors and to quickly assess the reliability and security of those interfaces using general purpose fuzzing solutions. We will also show you how you can complement these solutions with known vulnerability data and do patch verification easily and cost-effectively. Finally, we will discuss how you can tailor your defenses to block zero day attacks, which is a key aspect of vulnerability management.

FUZZING & SOFTWARE SECURITY TESTING

FUZZING & SOFTWARE SECURITY TESTING

FUZZING & SOFTWARE SECURITY TESTING

This document provides an overview of fuzz testing and fuzzing tools. It discusses what fuzzing is, the history and evolution of fuzzing, popular fuzzing tools like Peach Fuzz and Sulley, and fuzzing methods like generation-based, mutation-based, and byte flipping fuzzing. The document also covers the phases of fuzzing like identifying targets and inputs, generating fuzzed data, executing it, and monitoring for exceptions. Key fuzzing frameworks and tools from organizations like CERT and their capabilities are described as well.

[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...

[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...

[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...

One of the most prevalent methods used by attackers to exploit vulnerabilities is ROP - Return Oriented Programming. Many times during the exploitation process, code will run very differently than it does usually - calls will be made to the middle of functions, functions won’t return to their callers, etc. These anomalies in control flow could be detected if a log of all instructions executed by the processor were available. In the past, tracing the execution of a processor incurred a significant slowdown, rendering such an anti-exploitation method impractical. However, recent Intel processors, such as Broadwell and Skylake, are now able to trace execution with low overhead, via a feature called Processor Trace. A similar feature called CoreSight exists on new ARM processors. The lecture will discuss an anti-exploitation system we built which scans files and detects control flow violations by using these new processor features. --- Ron Shina Ron has been staring at binary code for over the past decade, occasionally running it. Having spent a lot of his time doing mathematics, he enjoys searching for algorithmic opportunities in security research and reverse engineering. He is a graduate of the Israel Defense Forces’ Talpiot program. In his spare time he works on his jump shot. --- Shlomi Oberman Shlomi Oberman is an independent security researcher with over a decade of experience in security research. Shlomi spent many years in the attacker’s shoes for different companies and knows too well how hard it is to stop a determined attacker. In the past years his interest has shifted from breaking things to helping stop exploits – while software is written and after it has shipped. Shlomi is a veteran of the IDF Intelligence Corps and used to head the security research efforts at NSO Group and other companies.

Defcon 22-philip-young-from-root-to-special-hacking-ibm-main

Defcon 22-philip-young-from-root-to-special-hacking-ibm-main

Defcon 22-philip-young-from-root-to-special-hacking-ibm-main

This document discusses hacking mainframe systems like IBM z/OS. It describes how the speaker was able to gain access to mainframes through methods like credential theft, exploiting vulnerabilities in programs like Tivoli NetView, and escalating privileges using tools to ultimately achieve root access. The speaker demonstrates hacking tools they have created like BIRP, TShocker, and Maintp that can be used to conduct reconnaissance of mainframes and execute code through techniques like FTP.

[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -

[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -

[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -

The document discusses the challenges of protecting against malware on web browsers through client-side solutions alone. It describes how the author was able to bypass protections in various internet security suites and anti-malware products by creating malicious browser extensions. While some vendors were able to address the issues, the document argues that client-side only solutions are fundamentally limited. It suggests focusing on server-side protections instead of seeking a "client-side elixir" for fully preventing malware.

Cloud Security with LibVMI

Cloud Security with LibVMI

Cloud Security with LibVMI

Tamas K Lengyel

The document provides a brief history of hardware security from 1982 to present day, focusing on developments like protected mode, virtualization with Xen and VT-x/AMD-V, the Intel Management Engine, SGX, and virtual machine introspection (VMI). It discusses the core concepts behind VMI including isolation, interpretation, and interposition. LibVMI is introduced as a tool for VMI that allows monitoring VM memory, translating guest virtual addresses, and placing hooks in the guest. Future directions include more guest OS and hypervisor support as well as new event types.

2016 TTL Security Gap Analysis with Kali Linux

2016 TTL Security Gap Analysis with Kali Linux

2016 TTL Security Gap Analysis with Kali Linux

Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System

Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System

Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System

Tamas K Lengyel

The document describes DRAKVUF, a dynamic malware analysis system that aims to improve scalability, fidelity, and stealthiness. It uses Xen virtualization and memory monitoring techniques like EPT to analyze malware behavior in a monitored virtual environment without the malware's knowledge. An evaluation analyzed 1000 malware samples, found key data only existed in memory, and showed throughput could be improved with memory deduplication. The system helps address issues with analyzing large malware sets but challenges remain like handling stalled code.

50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi

50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi

50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi

Graphic drivers and their related code are an essential component in every modern operating system. This particular component involves especially complex logic and a huge amount of code, simply because it must handle equally complex tasks. As we know from history and experience huge and complex code is often also a security risk. Last but not least, in almost all the popular modern operating system, graphics code and logic is running in a highly privileged context such as the kernel, or even in a higher context, such as VMWare graphics component, which essentially implements your graphic card outside the guest into a host process. Any mistake made into this highly privileged code can lead to a fatal outcome, especially considering that it is often reachable from interesting sandboxes, such as the browser ones. We will go through the internals for various graphic systems, to show similarities and differences, such as windows heart of graphics aka win32k, then OSX/iOS IOKit, and finally, WMWare emulated GPU graphic subsystem. We can then switch gear and showcase some vulnerabilities in these scenarios, discuss effective fuzzing methodologies both specific to a particular target and generic principles of fuzzing graphic subsystems as well.

XFLTReat: a new dimension in tunnelling

XFLTReat: a new dimension in tunnelling

XFLTReat: a new dimension in tunnelling

This presentation will sum up how to do tunnelling with different protocols and will have different perspectives detailed. For example, companies are fighting hard to block exfiltration from their network: they use http(s) proxies, DLP, IPS technologies to protect their data, but are they protected against tunnelling? There are so many interesting questions to answer for users, abusers, companies and malware researchers. Mitigation and bypass techniques will be shown you during this presentation, which can be used to filter any tunnelling on your network or to bypass misconfigured filters.

Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware

Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware

Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware

This document discusses improving the communication of malware analysis by providing reproducible analyses using the malware itself. It proposes supplementing written analyses with demonstrations that instrument the malware. As a case study, it analyzes a piece of POS malware called JackPOS. The document describes setting up the malware's command and control infrastructure and memory scraping functionality. It concludes by demonstrating how to instrument the malware using Python scripts to trace its network communication and track data collection in a reproducible way.

Hacking Windows 95 #33c3

Hacking Windows 95 #33c3

Hacking Windows 95 #33c3

This document outlines how to remotely hack Windows 95 without any user interaction or needing zero-day exploits. It lists the prerequisites as having a default installation of Windows 95 with a writable C: share and network connectivity configured. It then provides links to resources on hacking Windows 95, including a 158-page manual and blog posts walking through exploiting vulnerabilities. The goal is to achieve remote code execution on the target system using existing hacking tools.

Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)

Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)

Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)

ShinoBOT is a penetration testing tool that simulates a remote access tool (RAT) to measure an organization's defenses against advanced persistent threats. It connects to the ShinoC2 command and control server every 10 seconds to receive and execute jobs. ShinoC2 allows penetration testers to create jobs that are then assigned to compromised systems running ShinoBOT. The tools aim to help security teams understand what would happen if a real APT successfully installed a RAT on their network by testing incident response and log monitoring capabilities. Upcoming features for ShinoBOT include taking webcam snapshots, encrypting its communications and hiding using a kernel driver to simulate more advanced adversary techniques.

Oscp preparation

Oscp preparation

Oscp preparation

Manich Koomsusi

This document provides an overview and preparation guide for the Offensive Security Certified Professional (OSCP) certification. It begins with an introduction and outlines the agenda, which includes an overview of the OSCP, course registration details, prerequisites, an overview of the course content and lab environment, exam preparation tips, and exam details. It then provides additional exam tips, discusses what to expect after passing the OSCP exam, and recommends additional reference materials and websites. The document is intended to help those interested in understanding and preparing for the OSCP certification exam.

Practical Windows Kernel Exploitation

Practical Windows Kernel Exploitation

Practical Windows Kernel Exploitation

This document discusses a presentation on practical Windows kernel exploitation. It covers the basics of kernel exploitation, common vulnerability classes like write-what-where and use-after-free, techniques for executing code, mitigation technologies, writing Windows kernel exploits for Metasploit, and improving reliability. The speaker works at SecureState researching and developing kernel exploits and is an open source contributor to projects like Metasploit.

What's hot (20)

Reverse Engineering the TomTom Runner pt. 1

Reverse Engineering the TomTom Runner pt. 1

Reverse Engineering the TomTom Runner pt. 1

Steelcon 2014 - Process Injection with Python

Steelcon 2014 - Process Injection with Python

Steelcon 2014 - Process Injection with Python

DefCamp 2013 - MSF Into The Worm Hole

DefCamp 2013 - MSF Into The Worm Hole

DefCamp 2013 - MSF Into The Worm Hole

Distributed Fuzzing Framework Design

Distributed Fuzzing Framework Design

Distributed Fuzzing Framework Design

Csw2016 d antoine_automatic_exploitgeneration

Csw2016 d antoine_automatic_exploitgeneration

Csw2016 d antoine_automatic_exploitgeneration

Fuzzing 101 Webinar on Zero Day Management

Fuzzing 101 Webinar on Zero Day Management

Fuzzing 101 Webinar on Zero Day Management

FUZZING & SOFTWARE SECURITY TESTING

FUZZING & SOFTWARE SECURITY TESTING

FUZZING & SOFTWARE SECURITY TESTING

[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...

[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...

[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...

Defcon 22-philip-young-from-root-to-special-hacking-ibm-main

Defcon 22-philip-young-from-root-to-special-hacking-ibm-main

Defcon 22-philip-young-from-root-to-special-hacking-ibm-main

[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -

[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -

[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -

Cloud Security with LibVMI

Cloud Security with LibVMI

Cloud Security with LibVMI

2016 TTL Security Gap Analysis with Kali Linux

2016 TTL Security Gap Analysis with Kali Linux

2016 TTL Security Gap Analysis with Kali Linux

Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System

Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System

Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System

50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi

50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi

50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi

XFLTReat: a new dimension in tunnelling

XFLTReat: a new dimension in tunnelling

XFLTReat: a new dimension in tunnelling

Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware

Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware

Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware

Hacking Windows 95 #33c3

Hacking Windows 95 #33c3

Hacking Windows 95 #33c3

Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)

Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)

Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)

Oscp preparation

Oscp preparation

Oscp preparation

Practical Windows Kernel Exploitation

Practical Windows Kernel Exploitation

Practical Windows Kernel Exploitation

Similar to Un) fucking forensics

Security research over Windows #defcon china

Security research over Windows #defcon china

Security research over Windows #defcon china

Past several years Microsoft Windows undergo lot of fundamental security changes. Where one can argue still imperfect and bound to tons of legacy issues, on the other hand those changes made important shifts in attacker perspective. From tightened sandboxing, restricting attack surface, introducing mitigations, applying virtualization up to stronger focus even on win32k. In our talk we will go trough those changes, how it affects us and how we tackle them from choosing targets, finding bugs up to exploitation primitives we are using. While also empathize that windows research is not only about sandbox, and there are many more interesting target to look for.

Creating Havoc using Human Interface Device

Creating Havoc using Human Interface Device

Creating Havoc using Human Interface Device

Positive Hack Days

This document provides an overview of a presentation about using human interface devices like keyboards for penetration testing. The presentation covers using the Teensy microcontroller to create payloads that are executed when the device is plugged into a target system. It demonstrates writing payloads using the Kautilya toolkit to perform attacks like installing backdoors, changing system settings, gathering information, and executing code on Windows and Linux machines. The document also discusses limitations and ways to prevent attacks using malicious human interface devices.

EMBA Firmware analysis - TROOPERS22

EMBA Firmware analysis - TROOPERS22

EMBA Firmware analysis - TROOPERS22

This document introduces EMBA, a free and open-source firmware analysis tool. It describes EMBA's extraction and analysis modules that can extract firmware components like Linux filesystems, decrypt images, and analyze the firmware using tools like binwalk and Yara rules. EMBA aims to automate common firmware analysis tasks and identify security issues like outdated components, weak configurations, and potential 0-day vulnerabilities through static and dynamic analysis techniques.

Reverse Engineering Presentation.pdf

Reverse Engineering Presentation.pdf

Reverse Engineering Presentation.pdf

AbdelrahmanShaban3

This document provides an overview of reverse engineering through analyzing the Stuxnet computer worm. It describes how Stuxnet spread using Windows vulnerabilities and infected systems running Siemens industrial software. It then manipulated programmable logic controllers to potentially sabotage nuclear centrifuges in Iran. However, the document notes that while theories point to state-sponsored attacks, its true target and author remain unknown due to lack of evidence. Speculation about Stuxnet's origins and purpose are presented to demonstrate how its analysis generated many unproven narratives.

AV Evasion with the Veil Framework

AV Evasion with the Veil Framework

AV Evasion with the Veil Framework

[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...

[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...

[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...

Hackito Ergo Sum

Today most networks present one “gateway” to the whole network – The SSL-VPN. A vector that is often overlooked and considered “secure”, we decided to take apart an industry leading SSL-VPN appliance and analyze it to bits to thoroughly understand how secure it really is. During this talk we will examine the internals of the F5 FirePass SSL-VPN Appliance. We discover that even though many security protections are in-place, the internals of the appliance hides interesting vulnerabilities we can exploit. Through processes ranging from reverse engineering to binary planting, we decrypt the file-system and begin examining the environment. As we go down the rabbit hole, our misconceptions about “security appliances” are revealed. Using a combination of web vulnerabilities, format string vulnerabilities and a bunch of frustration, we manage to overcome the multiple limitations and protections presented by the appliance to gain a remote unauthenticated root shell. Due to the magnitude of this vulnerability and the potential for impact against dozens of fortune 500 companies, we contacted F5 and received one of the best vendor responses we’ve experienced – EVER! https://www.hackitoergosum.org

The basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwon

The basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwon

The basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwon

Malware analysis _ Threat Intelligence Morocco

Malware analysis _ Threat Intelligence Morocco

Malware analysis _ Threat Intelligence Morocco

Touhami Kasbaoui

The document discusses two cyber threats that existed in Morocco: 1. A password info stealer malware that was responsible for 90% of attacks. Intelligence tracking detected around 180GB of leaked data related to Moroccan domains and personal information, and over 320 spammers were identified from the data with connections to Morocco. 2. An ATM dispense malware that was gathered from Moroccan internet service providers. Technical details about the ATM malware were presented, but not summarized. The document ends by stating that preparations are being made for the "next war", but does not clarify the purpose of the two threats.

2023 NCIT: Introduction to Intrusion Detection

2023 NCIT: Introduction to Intrusion Detection

2023 NCIT: Introduction to Intrusion Detection

Jason Kent - AppSec Without Additional Tools

Jason Kent - AppSec Without Additional Tools

Jason Kent - AppSec Without Additional Tools

centralohioissa

You need a PROcess to catch running processes and their modules_v2.0

You need a PROcess to catch running processes and their modules_v2.0

You need a PROcess to catch running processes and their modules_v2.0

This document discusses fileless or memory-based malware that exists only in memory and provides recommendations for detecting and responding to it. It recommends: 1. Developing a process to monitor running processes and modules for signs of injection or unauthorized code. Tools like Log-MD-Premium can help detect these memory-only infections. 2. Enabling detailed process logging, especially of command lines, to provide visibility. Detections and hunting can then focus on suspicious process activity. 3. Extracting and analyzing files from memory dumps or live systems to identify malware artifacts and indicators through static file evaluation and string analysis.

Vulnerability, exploit to metasploit

Vulnerability, exploit to metasploit

Vulnerability, exploit to metasploit

Tiago Henriques

The document discusses developing an exploit from a vulnerability and integrating it into the Metasploit framework. It covers finding a buffer overflow vulnerability in an application called "Free MP3 CD Ripper", using tools like ImmunityDebugger and Mona.py to crash the application and gain control of EIP. It then shows using Mona.py to generate an exploit, testing it works, and submitting it to the Metasploit framework. It also provides an overview of Meterpreter and its capabilities.

DEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tips

DEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tips

DEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tips

Linux EDRs present challenges for adversaries seeking to evade detection. The document discusses several strategies and techniques for evading Linux EDRs, including: 1) Utilizing existing trusted system binaries as decoys to bypass process pattern matching. Techniques include using ld.so and busybox to launch payloads. 2) Developing "Uber preloaders" that can load modular payloads and provide command line arguments for evasion. 3) Storing payloads in volatile memory using techniques like memfd_create to avoid detection by EDRs scanning files on disk. 4) Coordinating payloads and preloaders through a "Zombie Ant Farm" module that stores

Injection on Steroids: Codeless code injection and 0-day techniques

Injection on Steroids: Codeless code injection and 0-day techniques

Injection on Steroids: Codeless code injection and 0-day techniques

This document discusses techniques for injecting code into processes without directly writing code to the target process's memory. It introduces a technique called "Trap Frame Injection" which hijacks the CPU's user mode state that is stored in trap frames during system calls. It also presents a "Codeless Code Injection" technique which builds ROP chains on the user stack and manipulates the stack pointer to trigger execution without direct code writes. Challenges with this approach like getting return values and avoiding deadlocks are also outlined along with solutions like using a device handle callback or creating a dedicated thread.

Hacking the Gateways

Hacking the Gateways

Hacking the Gateways

This document outlines a plan to hack routers by exploiting vulnerabilities. The plan involves deciding targets, finding vulnerabilities in routers like the AirTies RT series, writing exploits in MIPS assembly to achieve remote code execution, writing scripts for mass exploitation, running attacks on targets in Turkey, and analyzing results. Routers are attractive targets because they are directly internet accessible, can control all traffic once compromised, have limited logging capabilities, and rarely receive security updates.

From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...

From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...

From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...

Writing a working exploit for a vulnerability is generally challenging, time-consuming, and labor-intensive. To address this issue, automated exploit generation techniques can be adopted. In practice, existing techniques however exhibit an insufficient ability to craft exploits, particularly for the kernel vulnerabilities. On the one hand, this is because their technical approaches explore exploitability only in the context of a crashing process whereas generating an exploit for a kernel vulnerability typically needs to vary the context of a kernel panic. On the other hand, this is due to the fact that the program analysis techniques used for exploit generation are suitable only for simple programs but not the OS kernel which has higher complexity and scalability. In this talk, we will introduce and release a new exploitation framework to fully automate the exploitation of kernel vulnerabilities. Technically speaking, our framework utilizes a kernel fuzzing technique to diversify the contexts of a kernel panic and then leverages symbolic execution to explore exploitability under different contexts. We demonstrate that this new exploitation framework facilitates exploit crafting from many aspects. First, it augments a security analyst with the ability to automate the identification of system calls that he needs to take advantages for vulnerability exploitation. Second, it provides security analysts with the ability to achieve security mitigation bypassing. Third, it allows security analysts to automatically generate exploits with different exploitation objectives (e.g., privilege escalation or data leakage). Last but not least, it equips security analysts with an ability to generate exploits even for those kernel vulnerabilities for which the exploitability has not yet been confirmed or verified. Along with this talk, we will also release many unpublished working exploits against several kernel vulnerabilities. It should be noted that, the vulnerabilities we experimented cover primarily Use-After-Free and heap overflow. Among all these test cases, more than 50% of them do not have working exploits publicly available. To illustrate this release, I have already disclosed one working exploit at my personal website (http://ww9210.cn/). The exploit released on my site pertains to CVE-2017-15649 for which there has not yet been an exploit publicly available with the demonstration of bypassing SMAP.

Sandbox detection: leak, abuse, test - Hacktivity 2015

Sandbox detection: leak, abuse, test - Hacktivity 2015

Sandbox detection: leak, abuse, test - Hacktivity 2015

This document discusses techniques for detecting and evading malware analysis sandboxes. It begins by outlining common sandbox detection methods like checking screen resolution, installed software, CPU/system information, and network settings. It then discusses challenges like simulating sleep functions and network connections. The document emphasizes that while evading analysis is possible, manual review remains difficult to defeat. It concludes by advising blue teams to thoroughly test sandboxes and customize them to their environment before purchasing.

how-to-bypass-AM-PPL

how-to-bypass-AM-PPL

how-to-bypass-AM-PPL

The document discusses bypassing endpoint detection and response (EDR) systems. It begins with an introduction and agenda, then provides background on the evolution of endpoint security technologies. It describes how EDRs and antiviruses work, including userland hooking techniques. The document outlines various 2022 EDR bypass techniques such as direct system calls, unhooking, and .NET evasion. It focuses on researching techniques to bypass AM-PPL (Antimalware Protected Process Light) and describes how to bypass it by abusing a 2018 vulnerability in Object Manager directories.

L27

NathannyabvureMapisa

This lecture discusses principles of secure coding and lessons learned from past security incidents. It covers topics like: - Design principles like least privilege and complete mediation. - Common coding errors that led to vulnerabilities like buffer overflows. - The importance of input validation, logging, and avoiding risky functions. - Lessons from fuzz testing programs and the need for secure development practices. - Authentication techniques like hashing passwords and limiting privileges. - The role of policy, usability, and social aspects in security.

Cyber attacks 101

Cyber attacks 101

Cyber attacks 101

A software bug is an error in a computer program that produces unexpected or incorrect results. Security bugs compromise authentication, authorization, data confidentiality, or integrity. Hackers find security bugs through reverse engineering code or fuzzing software to discover vulnerabilities. An exploit is a piece of code that activates a bug to run malicious code. Shellcode is typically used as the payload in an exploit to gain control of a compromised system. Cyber attacks can target individuals, networks, or remote systems. Advanced persistent threats (APTs) are sophisticated, well-funded hacking groups that persistently target specific entities over long periods using social engineering and zero-day exploits. APT attacks involve penetrating targets, spreading to other systems, aggregating data, and covert

Similar to Un) fucking forensics (20)

Security research over Windows #defcon china

Security research over Windows #defcon china

Security research over Windows #defcon china

Creating Havoc using Human Interface Device

Creating Havoc using Human Interface Device

Creating Havoc using Human Interface Device

EMBA Firmware analysis - TROOPERS22

EMBA Firmware analysis - TROOPERS22

EMBA Firmware analysis - TROOPERS22

Reverse Engineering Presentation.pdf

Reverse Engineering Presentation.pdf

Reverse Engineering Presentation.pdf

AV Evasion with the Veil Framework

AV Evasion with the Veil Framework

AV Evasion with the Veil Framework

[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...

[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...

[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...

The basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwon

The basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwon

The basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwon

Malware analysis _ Threat Intelligence Morocco

Malware analysis _ Threat Intelligence Morocco

Malware analysis _ Threat Intelligence Morocco

2023 NCIT: Introduction to Intrusion Detection

2023 NCIT: Introduction to Intrusion Detection

2023 NCIT: Introduction to Intrusion Detection

Jason Kent - AppSec Without Additional Tools

Jason Kent - AppSec Without Additional Tools

Jason Kent - AppSec Without Additional Tools

You need a PROcess to catch running processes and their modules_v2.0

You need a PROcess to catch running processes and their modules_v2.0

You need a PROcess to catch running processes and their modules_v2.0

Vulnerability, exploit to metasploit

Vulnerability, exploit to metasploit

Vulnerability, exploit to metasploit

DEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tips

DEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tips

DEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tips

Injection on Steroids: Codeless code injection and 0-day techniques

Injection on Steroids: Codeless code injection and 0-day techniques

Injection on Steroids: Codeless code injection and 0-day techniques

Hacking the Gateways

Hacking the Gateways

Hacking the Gateways

From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...

From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...

From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...

Sandbox detection: leak, abuse, test - Hacktivity 2015

Sandbox detection: leak, abuse, test - Hacktivity 2015

Sandbox detection: leak, abuse, test - Hacktivity 2015

how-to-bypass-AM-PPL

how-to-bypass-AM-PPL

how-to-bypass-AM-PPL

L27

Cyber attacks 101

Cyber attacks 101

Cyber attacks 101

Recently uploaded

Taking AI to the Next Level in Manufacturing.pdf

Taking AI to the Next Level in Manufacturing.pdf

Taking AI to the Next Level in Manufacturing.pdf

Read Taking AI to the Next Level in Manufacturing to gain insights on AI adoption in the manufacturing industry, such as: 1. How quickly AI is being implemented in manufacturing. 2. Which barriers stand in the way of AI adoption. 3. How data quality and governance form the backbone of AI. 4. Organizational processes and structures that may inhibit effective AI adoption. 6. Ideas and approaches to help build your organization's AI strategy.

Programming Foundation Models with DSPy - Meetup Slides

Programming Foundation Models with DSPy - Meetup Slides

Programming Foundation Models with DSPy - Meetup Slides

Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack

Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack

Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack

Cosa hanno in comune un mattoncino Lego e la backdoor XZ?

Cosa hanno in comune un mattoncino Lego e la backdoor XZ?

Cosa hanno in comune un mattoncino Lego e la backdoor XZ?

ABSTRACT: A prima vista, un mattoncino Lego e la backdoor XZ potrebbero avere in comune il fatto di essere entrambi blocchi di costruzione, o dipendenze di progetti creativi e software. La realtà è che un mattoncino Lego e il caso della backdoor XZ hanno molto di più di tutto ciò in comune. Partecipate alla presentazione per immergervi in una storia di interoperabilità, standard e formati aperti, per poi discutere del ruolo importante che i contributori hanno in una comunità open source sostenibile. BIO: Sostenitrice del software libero e dei formati standard e aperti. È stata un membro attivo dei progetti Fedora e openSUSE e ha co-fondato l'Associazione LibreItalia dove è stata coinvolta in diversi eventi, migrazioni e formazione relativi a LibreOffice. In precedenza ha lavorato a migrazioni e corsi di formazione su LibreOffice per diverse amministrazioni pubbliche e privati. Da gennaio 2020 lavora in SUSE come Software Release Engineer per Uyuni e SUSE Manager e quando non segue la sua passione per i computer e per Geeko coltiva la sua curiosità per l'astronomia (da cui deriva il suo nickname deneb_alpha).

HCL Notes and Domino License Cost Reduction in the World of DLAU

HCL Notes and Domino License Cost Reduction in the World of DLAU

HCL Notes and Domino License Cost Reduction in the World of DLAU

Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/ The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this! We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model. Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able lower your cost through an optimized configuration and keep it low going forward. These topics will be covered - Reducing license cost by finding and fixing misconfigurations and superfluous accounts - How do CCB and CCX licenses really work? - Understanding the DLAU tool and how to best utilize it - Tips for common problem areas, like team mailboxes, functional/test users, etc - Practical examples and best practices to implement right away

Driving Business Innovation: Latest Generative AI Advancements & Success Story

Driving Business Innovation: Latest Generative AI Advancements & Success Story

Driving Business Innovation: Latest Generative AI Advancements & Success Story

Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency. During the hour, we’ll take you through: Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board. Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes. Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI. We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI. This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!

UiPath Test Automation using UiPath Test Suite series, part 6

UiPath Test Automation using UiPath Test Suite series, part 6

UiPath Test Automation using UiPath Test Suite series, part 6

Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI. UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities. Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes. What will you get from this session? 1. Insights into integrating generative AI. 2. Understanding how this integration enhances test automation within the UiPath platform 3. Practical demonstrations 4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath Topics covered: What is generative AI Test Automation with generative AI and Open AI. UiPath integration with generative AI Speaker: Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP

Full-RAG: A modern architecture for hyper-personalization

Full-RAG: A modern architecture for hyper-personalization

Full-RAG: A modern architecture for hyper-personalization

Mike Del Balso, CEO & Co-Founder at Tecton, presents "Full RAG," a novel approach to AI recommendation systems, aiming to push beyond the limitations of traditional models through a deep integration of contextual insights and real-time data, leveraging the Retrieval-Augmented Generation architecture. This talk will outline Full RAG's potential to significantly enhance personalization, address engineering challenges such as data management and model training, and introduce data enrichment with reranking as a key solution. Attendees will gain crucial insights into the importance of hyperpersonalization in AI, the capabilities of Full RAG for advanced personalization, and strategies for managing complex data integrations for deploying cutting-edge AI solutions.

GenAI Pilot Implementation in the organizations

GenAI Pilot Implementation in the organizations

GenAI Pilot Implementation in the organizations

kumardaparthi1024

Your One-Stop Shop for Python Success: Top 10 US Python Development Providers

Your One-Stop Shop for Python Success: Top 10 US Python Development Providers

Your One-Stop Shop for Python Success: Top 10 US Python Development Providers

Essentials of Automations: The Art of Triggers and Actions in FME

Essentials of Automations: The Art of Triggers and Actions in FME

Essentials of Automations: The Art of Triggers and Actions in FME

In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation. We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios. Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!

CAKE: Sharing Slices of Confidential Data on Blockchain

CAKE: Sharing Slices of Confidential Data on Blockchain

CAKE: Sharing Slices of Confidential Data on Blockchain

Claudio Di Ciccio

Presented at the CAiSE 2024 Forum, Intelligent Information Systems, June 6th, Limassol, Cyprus. Synopsis: Cooperative information systems typically involve various entities in a collaborative process within a distributed environment. Blockchain technology offers a mechanism for automating such processes, even when only partial trust exists among participants. The data stored on the blockchain is replicated across all nodes in the network, ensuring accessibility to all participants. While this aspect facilitates traceability, integrity, and persistence, it poses challenges for adopting public blockchains in enterprise settings due to confidentiality issues. In this paper, we present a software tool named Control Access via Key Encryption (CAKE), designed to ensure data confidentiality in scenarios involving public blockchains. After outlining its core components and functionalities, we showcase the application of CAKE in the context of a real-world cyber-security project within the logistics domain. Paper: https://doi.org/10.1007/978-3-031-61000-4_16

Mind map of terminologies used in context of Generative AI

Mind map of terminologies used in context of Generative AI

Mind map of terminologies used in context of Generative AI

みなさんこんにちはこれ何文字まで入るの？40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの？えこ...

みなさんこんにちはこれ何文字まで入るの？40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの？えこ...

みなさんこんにちはこれ何文字まで入るの？40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの？えこ...

名前です男

“I’m still / I’m still / Chaining from the Block”

“I’m still / I’m still / Chaining from the Block”

“I’m still / I’m still / Chaining from the Block”

Claudio Di Ciccio

National Security Agency - NSA mobile device best practices

National Security Agency - NSA mobile device best practices

National Security Agency - NSA mobile device best practices

Quotidiano Piemontese

Infrastructure Challenges in Scaling RAG with Custom AI models

Infrastructure Challenges in Scaling RAG with Custom AI models

Infrastructure Challenges in Scaling RAG with Custom AI models

Building Retrieval-Augmented Generation (RAG) systems with open-source and custom AI models is a complex task. This talk explores the challenges in productionizing RAG systems, including retrieval performance, response synthesis, and evaluation. We’ll discuss how to leverage open-source models like text embeddings, language models, and custom fine-tuned models to enhance RAG performance. Additionally, we’ll cover how BentoML can help orchestrate and scale these AI components efficiently, ensuring seamless deployment and management of RAG systems in the cloud.

Artificial Intelligence for XMLDevelopment

Artificial Intelligence for XMLDevelopment

Artificial Intelligence for XMLDevelopment

Octavian Nadolu

In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject. We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup. Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved. The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring. The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise. By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.

Best 20 SEO Techniques To Improve Website Visibility In SERP

Best 20 SEO Techniques To Improve Website Visibility In SERP

Best 20 SEO Techniques To Improve Website Visibility In SERP

Pixlogix Infotech

Generating privacy-protected synthetic data using Secludy and Milvus

Generating privacy-protected synthetic data using Secludy and Milvus

Generating privacy-protected synthetic data using Secludy and Milvus

During this demo, the founders of Secludy will demonstrate how their system utilizes Milvus to store and manipulate embeddings for generating privacy-protected synthetic data. Their approach not only maintains the confidentiality of the original data but also enhances the utility and scalability of LLMs under privacy constraints. Attendees, including machine learning engineers, data scientists, and data managers, will witness first-hand how Secludy's integration with Milvus empowers organizations to harness the power of LLMs securely and efficiently.

Recently uploaded (20)

Taking AI to the Next Level in Manufacturing.pdf

Taking AI to the Next Level in Manufacturing.pdf

Taking AI to the Next Level in Manufacturing.pdf

Programming Foundation Models with DSPy - Meetup Slides

Programming Foundation Models with DSPy - Meetup Slides

Programming Foundation Models with DSPy - Meetup Slides

Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack

Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack

Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack

Cosa hanno in comune un mattoncino Lego e la backdoor XZ?

Cosa hanno in comune un mattoncino Lego e la backdoor XZ?

Cosa hanno in comune un mattoncino Lego e la backdoor XZ?

HCL Notes and Domino License Cost Reduction in the World of DLAU

HCL Notes and Domino License Cost Reduction in the World of DLAU

HCL Notes and Domino License Cost Reduction in the World of DLAU

Driving Business Innovation: Latest Generative AI Advancements & Success Story

Driving Business Innovation: Latest Generative AI Advancements & Success Story

Driving Business Innovation: Latest Generative AI Advancements & Success Story

UiPath Test Automation using UiPath Test Suite series, part 6

UiPath Test Automation using UiPath Test Suite series, part 6

UiPath Test Automation using UiPath Test Suite series, part 6

Full-RAG: A modern architecture for hyper-personalization

Full-RAG: A modern architecture for hyper-personalization

Full-RAG: A modern architecture for hyper-personalization

GenAI Pilot Implementation in the organizations

GenAI Pilot Implementation in the organizations

GenAI Pilot Implementation in the organizations

Your One-Stop Shop for Python Success: Top 10 US Python Development Providers

Your One-Stop Shop for Python Success: Top 10 US Python Development Providers

Your One-Stop Shop for Python Success: Top 10 US Python Development Providers

Essentials of Automations: The Art of Triggers and Actions in FME

Essentials of Automations: The Art of Triggers and Actions in FME

Essentials of Automations: The Art of Triggers and Actions in FME

CAKE: Sharing Slices of Confidential Data on Blockchain

CAKE: Sharing Slices of Confidential Data on Blockchain

CAKE: Sharing Slices of Confidential Data on Blockchain

Mind map of terminologies used in context of Generative AI

Mind map of terminologies used in context of Generative AI

Mind map of terminologies used in context of Generative AI

みなさんこんにちはこれ何文字まで入るの？40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの？えこ...

みなさんこんにちはこれ何文字まで入るの？40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの？えこ...

みなさんこんにちはこれ何文字まで入るの？40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの？えこ...

“I’m still / I’m still / Chaining from the Block”

“I’m still / I’m still / Chaining from the Block”

“I’m still / I’m still / Chaining from the Block”

National Security Agency - NSA mobile device best practices

National Security Agency - NSA mobile device best practices

National Security Agency - NSA mobile device best practices

Infrastructure Challenges in Scaling RAG with Custom AI models

Infrastructure Challenges in Scaling RAG with Custom AI models

Infrastructure Challenges in Scaling RAG with Custom AI models

Artificial Intelligence for XMLDevelopment

Artificial Intelligence for XMLDevelopment

Artificial Intelligence for XMLDevelopment

Best 20 SEO Techniques To Improve Website Visibility In SERP

Best 20 SEO Techniques To Improve Website Visibility In SERP

Best 20 SEO Techniques To Improve Website Visibility In SERP

Generating privacy-protected synthetic data using Secludy and Milvus

Generating privacy-protected synthetic data using Secludy and Milvus

Generating privacy-protected synthetic data using Secludy and Milvus

Un) fucking forensics

1. (Un) Fucking Forensics Active/Passive memory hacking/debugging K2 / Director @IOACTIVE https://github.com/K2

2. About me? • Hacker for a while • inVtero.net • Memory analysis framework for Windows • Super fast/GBPS throughput • Memory integrity checking of VM’s/CrashDumps/Memory • Type aware memory hacking tool • EhTrace • Binary trace tool • Uses hook/patch-less technique for in-process debugging • Lots of other stuff

3. Outline / areas • How to forensic, how to Fuck forensics and how to un fuck it. • Intx80 AF technique on header wipe/non-resident code/trim() • How to deal with that • RoP background, how it’s used in attacks • Gargoyle attacks & how to protect against them • CloudLeech – twist on UlfFrisk DMA attacks / PCILeech • Demo of open source memory integrity platform for Windows!

4. Can you even forensic? • In general: Determine what happened. Make a timeline of known events. • “Artifacts” disk & memory (often incomplete/fragmented) used to build timeline. • How good can we do? How do we know if were done?

5. Artifact sources How attestable are they? • Time stamps from all sources to derive timeline (event logs/syslog/firewall/filesystem time, etc…) • Wevtutil - Windows Events Command Line Utility. Configure more than 1189 event log sources • SysMon (from SysInternals/Mark Russinovich) / neat config: https://github.com/SwiftOnSecurity/sysmon- config • Linux (osquery https://github.com/facebook/osquery )

6. Handling memory • Forensics meets Reverse Engineering • Dump / disassemble determine what the extent of capability the attacker possesses • I want to at least clear this guy out & find out how much damage he did • Volatility/Rekall python forensic engines • Stephen Ridley’s RE memory hacking tool: https://github.com/s7ephen/SandKit • Paper: Escaping the sandbox • GAME HACKING!  • Let’s look at what people do to cheat sometime?

7. How to F’it? • Hide really well • Wipe/Destroy logging/leave no trace/Stenography/Encrypt • Misdirect • Flood/Annoy/Make analysis so costly$$$/Obfuscate/Spoof/ • Direct Attack • DefCon 15: Breaking Forensics Software: Weaknesses in Critical Evidence Collection Chris Palmer, Alex Stamos

8. Anti-forensics: Furthering digital forensic science through a new extended, granular taxonomy:

9. Foreshadowing: normalize you’re operations • A great way to operate undetected is to ensure you are not an anomaly. • Use the resources of you’re target to conduct you’re operations. • “Configuration” attacks • Enable IPV6 tunneling & VPN access • Attacker has trusted CA capability (added their privkey to trusted list) • The more “normal” the method will be very hard to dig up

10. Int0x80’s AF counter Attack against a tool: Rekall • Prevent dumping for working More ways to get it; • Use VAD (kernel source) • Use PageTable (ABI) • Use inVtero.net • dump.py - VADDump (VAD) or Dump (PageTable)

11. RoP: More normal • RoP is an often discussed topic used mostly for exploitation • RoP uses the CPU stack semantics to execute as if it were a really large set of return statements. • This uses the code that’s already on the system more “normalized” than if you had to inject an executable payload that did not originate from the target • RoP is used by Gargoyle (Josh Lospinoso) as an example of a persistence technique that evades memory analysis systems • There is hope, we can detect RoP attacks through call chain evaluation

12. RoP is not perfect https://www.cs.columbia.edu/~angelos/Papers/theses/vpappas_thesis.pdf

13. Gargoyle persistence • Leverages a timer and blocking wait that moves it into the “active state” • Once active, stages page protection +X • Then uses this page to invoke it’s primary payload • It then mask’s the +X bit back off and goes inactive

14. Tools too defend against RoP attack? • Analysis: ROPEMU: A Framework for the Analysis of Complex Code- Reuse Attacks • Dump a complex RoP execution trace into an ELF !! Wow! • Detection: inVtero.net can perform a stack checking function against the memory dump. • Similar tools for monitoring RoP at run time (EhTrace, RoPGuard, etc…) • From the inVtero output, you really do NOT want to see the Gargoyle gadget, or anything that looks like a stack pivot

15. Injection techniques • Many variegations to achieve the same goal; • 10 Process Injection Techniques (Ashkan Hosseini/Endgame) • LoadLibrary, Hallowing, Thread hijacking, Windows Hooks, Registry keys, APC, SetWindowLong, Shims & IAT shims • Flame was a sort of hallowing attack • “hid” inside of ntdll, remained undetected for years

16. Enter DMA with PCILeech • Ulf Frisk Direct-Memory-Attack-the-Kernel: • PCILeech attacks and utility for forensics (memory) collection • Uses a variety of (very cool) techniques to execute payloads • One of the simplest is the “unlock” functionality • It’s an inline patch however • Hard to detect w/o manual reversing

17. Integrity validation • Full validation at any point in time must be able to be conducted • System state should/must be static • CPU execution will allow attackers to play games / evade read’s • RDMA • LiveMigration / Snapshotting

18. Tie it together Un F’d Memory Forensics – Remove the guesswork • Leverage wide range of information sources • Have a comprehensive global view of the data set • Appropriate countermeasures for most attackers (RoP) • Integrity checking of memory (in line patch protection) • Symbols and context for analysis of pointers • Pointer tracking becomes more significant as we can qualify their address/vector

19. Demo’s & Thank you • Check out the tools Github.com/K2