Presenter: Max Moroz
An overview of ClusterFuzz, a system that checks the Chrome browser for vulnerabilities in real time and produces reproducible results for investigating each individual crash. The advantages of using various sanitizers and LibFuzzer, a library for guided fuzzing, will be demonstrated. Detailed statistics on the kinds of vulnerabilities found in Chrome will be presented. Attendees will learn about the pitfalls of distributed fuzzing, and about how to run their own fuzzers on Google's infrastructure and receive rewards for the vulnerabilities found.
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System by Tamas K Lengyel
The document describes DRAKVUF, a dynamic malware analysis system that aims to improve scalability, fidelity, and stealthiness. It uses Xen virtualization and memory monitoring techniques like EPT to analyze malware behavior in a monitored virtual environment without the malware's knowledge. An evaluation analyzed 1000 malware samples, found key data only existed in memory, and showed throughput could be improved with memory deduplication. The system helps address issues with analyzing large malware sets but challenges remain like handling stalled code.
The purpose of this document is not to show how to use the Metasploit tool, since there are an enormous number of sources available for that, but to show you how to look deeper into the code and try to decipher how the various classes and modules hang together to produce the various functions we love to use. In doing so we will learn how the exploit framework could be structured, how the interaction between the attacker and the exploited vulnerability could be achieved, and how the user can extend the functionality of Metasploit.
BSides Denver: Stealthy, hypervisor-based malware analysis by Tamas K Lengyel
This document discusses techniques for improving the stealth of hypervisor-based malware analysis. It describes how moving the monitoring component into the hypervisor kernel makes it harder for malware to detect than debugging tools. Challenges include preventing the malware from detecting it is running in a virtualized environment. The document explores solutions like using CPUID filtering and memory sharing techniques to bypass detection of the hypervisor. It also discusses porting these techniques to ARM architectures.
OffensiveCon2022: Case Studies of Fuzzing with Xen by Tamas K Lengyel
KF/x is an open-source fuzzing framework that leverages virtual machine introspection to fuzz code running inside virtual machines. It was used to discover vulnerabilities in the Virtio driver in Linux and a heap overflow in the 7z parser of Symantec Endpoint Protection. KF/x allows taking full memory snapshots of a VM, forking it to generate new test cases, and monitoring for crashes or desired program states. This approach found issues that may have otherwise remained undetected due to the lack of proper fuzzing tools for systems running complex, isolated software like antivirus programs.
Pitfalls of virtual machine introspection on modern hardware by Tamas K Lengyel
This document discusses several pitfalls of using virtual machine introspection (VMI) on modern hardware. It describes how software attacks can manipulate kernel data structures or objects to hide from VMI. Hardware attacks like TLB poisoning can also undermine VMI by desynchronizing address translations. Extended page tables used for virtualization introduce ambiguities, and hypervisors can potentially starve system management mode (SMM)-based VMI of interrupts. Intel's dual-mode SMM provides stronger hardware isolation that could help address some of these issues.
Presenter: Artem Shishkin
The talk describes the development of a virtualization-based debugging tool: how to apply existing virtualization facilities to debugging, how to preserve the integrity of the environment being debugged, how to make debugging interactive, and how to tame the low-level specifics of hardware virtualization. The speaker will cover how the hardware integrates with the operating system and how to embed the debugger directly into the firmware. Several real-life examples of dynamic analysis will be considered.
This document discusses virtual machine introspection using the Xen hypervisor. It describes how Xen provides isolation between guest VMs and the hypervisor domain (dom0). It also discusses how Xen security modules can be used to move introspection systems out of dom0. The document then covers how to interpret guest VM state using memory forensics techniques and the LibVMI library. It explains how to use EPT and ARM page table permissions to intercept events in the guest VM and forward them to the hypervisor for processing.
Porting Android to new hardware involves 10 main steps:
1) Porting components like the CPU, bootloader, kernel and hardware libraries.
2) Setting up a cross-development toolchain.
3) Porting the bootloader, kernel, and developing device drivers.
4) Getting the Android Open Source Project code and customizing aspects of the user-space.
5) Implementing Android hardware libraries for components like Bluetooth, WiFi, display and sensors.
The process requires adapting the bootloader, kernel, drivers and libraries to support the new hardware while maintaining Android compatibility.
Understanding the Android System Server by Opersys inc.
This document discusses the Android system server. It provides an overview of the bootup sequence where the system server is started. It then describes some of the key services run by the system server, such as the activity manager, package manager, window manager, and others. It also discusses how to observe the system server in action using logcat and how applications interface with system services via Binder.
Mr201309 automated on-execute_test_using_virtual_box_eng by FFRI, Inc.
This document describes an automated method for on-execute malware testing using Oracle VM VirtualBox. It discusses copying malware into a guest VM, executing it, analyzing the results, reverting the guest to its original state, and then repeating the process. Tools like VBoxManage are used to automate functions like file copying, program execution, snapshotting and reverting. The FFRI AutoMonkey scripts automate the end-to-end process using these VirtualBox APIs. Performance when testing 20,000 samples showed a throughput of around 9 malware samples per minute under the described hardware configuration.
Hacktivity 2016: Stealthy, hypervisor based malware analysis by Tamas K Lengyel
This document discusses techniques for stealthy malware analysis using hypervisor-based monitoring. It describes how debuggers can be detected by malware and introduces using a hypervisor like Xen to monitor guest VMs in a more stealthy way. It covers using features like alternate page tables (altp2m) to improve stealth when single-stepping or handling events from multiple VCPUs. Challenges of porting these techniques to ARM and hiding from techniques malware uses to detect debugging and virtualization are also discussed.
How to run a system administrator recruitment process? By creating a platform based on open source parts in just 2 nights! I gave this talk at the Poland / Kraków OWASP chapter meeting on 17th October 2013 at our local Google for Entrepreneurs site. It's focused on security and also shows how to create a recruitment process in a CTF / challenge way.
This story covers mostly the security details of this whole platform. There's a great chance that I will give another talk about this system, but this time focusing on technical details. Stay tuned ;)
This document discusses potential stages and tasks for a recruitment challenge system for the OWASP organization. It proposes 3 stages:
Stage 1 involves basic tasks using telnet/SMTP to test technical skills. Stage 2 involves a social engineering challenge to test security awareness. Stage 3 involves securing a virtualized network using techniques like restricted shells, SSH tunnels, control groups, and firewalls. The goal is to optimize the recruitment process while minimizing risk of rejecting qualified candidates.
Because this system is a web application (partially)
Because we are based (100%) on FOSS (open-source)
Because security matters
Because OWASP people care about security and can affect recruitment processes (hopefully) ;)
This document provides an overview of Metasploit and how it can be used to perform penetration testing and vulnerability assessments. It defines key Metasploit terminology like exploits, payloads, shellcode, and modules. It describes Metasploit's architecture including its libraries, core, and base components. It also outlines useful MSFconsole commands and provides a step-by-step example of exploiting an Android device with Metasploit that involves generating a payload, setting up a listener, enabling port forwarding, executing the exploit, and using the meterpreter shell for post-exploitation tasks.
This document discusses porting Android to new hardware. It covers components that need to be ported like the bootloader, Linux kernel, and hardware libraries. It also discusses getting the Android Open Source Project code, developing device drivers, customizing the user-space, and building the Android system. The goal is to provide guidance on porting each part of the Android software stack to new CPU architectures and hardware boards.
Android Variants, Hacks, Tricks and Resources by Opersys inc.
The document discusses various ways to modify and customize the Android Open Source Project (AOSP) operating system, including through forks, ports, and melds (customizations). It specifically mentions several popular Android forks like CyanogenMod, Replicant, and MIUI. It also discusses building a custom Android system using the glibc stack and libraries for added flexibility compared to AOSP's limitations.
CrySys guest-lecture: Virtual machine introspection on modern hardware by Tamas K Lengyel
This document summarizes virtual machine introspection techniques on modern hardware. It discusses Intel's split translation lookaside buffer (TLB) and how TLB poisoning is no longer possible due to virtualization. It then covers Intel's extended page tables (EPT) and how they can be used to trap guest execution for virtual machine introspection. Limitations of EPT are described along with techniques like EPT violation interrupts (#VE) and EPT pointer switching to address them. Intel's system management mode (SMM) and dual monitor mode (DMM) are presented as alternatives for virtual machine introspection. ARM virtualization using two-stage paging is also briefly discussed.
Android Variants, Hacks, Tricks and Resources presented at AnDevConII by Opersys inc.
This document provides an overview of hacking and customizing the Android operating system. It discusses AOSP's limitations and how AOSP can be torn apart through forks, ports, and mods. Examples of forks like Cyanogenmod, Replicant, and MIUI are described. The document also covers melding Android with the classic Linux stack by overcoming roadblocks, considering different coexistence approaches, reviewing existing work, and addressing unresolved issues. Tools, filesystem structure, libraries, and applications relevant to this effort are outlined.
A Battle Against the Industry - Beating Antivirus for Meterpreter and More by CTruncer
This talk goes over how stagers work in a different manner. Rather than standard function calls, I show how to utilize the same functionality in a slightly different way. It talks about Veil-Evasion, and a signature that was developed for it. Finally, I get into custom code and showcase three pieces of custom code that completely bypass antivirus.
Noseevich, Petukhov: No locked doors, no windows barred. Hacking OpenAM infr... by DefconRussia
This document summarizes a presentation about hacking OpenAM infrastructure through XML external entity (XXE) vulnerabilities. The presentation discusses exploiting XXE to loot the file system, retrieve credentials, enable debugging to read authentication tokens, and use a debugging heap dump to decrypt passwords. It provides advice on properly fixing XXE in Java by disabling XML entity expansion and carefully configuring the XML entity resolver. The document concludes by emphasizing the importance of secure configuration, patching, and privilege separation to prevent such attacks.
The input layer in Android uses the standard Linux input layer in the kernel to handle raw input from devices like touchscreens and keyboards. It then processes this input through a native library and the Input Manager Service, which is started and tied to the Window Manager to dispatch input events to apps. Device-specific configuration files and the soft keyboard and input method frameworks handle app-specific input handling and text entry.
VM Forking and Hypervisor-based Fuzzing with Xen by Tamas K Lengyel
The document discusses using VM forking and hypervisor-based introspection on Xen to perform fuzz testing of kernels. It describes how VM forking allows quickly restoring VMs after each fuzz cycle by copying memory pages on demand. Coverage tracing is done by inserting breakpoints using virtual machine introspection. Crashes can be detected by breakpointing crash handlers. Examples are given of fuzzing with PCI devices passed through and detecting double fetches. The techniques were released as the open source Kernel Fuzzer for Xen Project.
Pitfalls and limits of dynamic malware analysis by Tamas K Lengyel
This document discusses the pitfalls and limits of dynamic malware analysis. It summarizes that dynamic analysis aims to observe malware execution but is challenging due to evasion techniques. Several problems are outlined, including the difficulty of scalability, isolation, and stealth when analyzing malware. The document also discusses issues with using debuggers, emulators, and hypervisor introspection for dynamic analysis. It notes that complete stealth is not feasible and that halting and evasion problems cannot be fully solved.
This document discusses a presentation on practical Windows kernel exploitation. It covers the basics of kernel exploitation, common vulnerability classes like write-what-where and use-after-free, techniques for executing code, mitigation technologies, writing Windows kernel exploits for Metasploit, and improving reliability. The speaker works at SecureState researching and developing kernel exploits and is an open source contributor to projects like Metasploit.
The document summarizes research on small unmanned aerial vehicles (UAVs) and their use by the military. It outlines categories of UAVs from micro to tactical to medium-altitude types. Current UAV missions focus on intelligence, surveillance, and reconnaissance. While UAVs provide benefits like reducing risk to troops, current small UAV systems are manpower intensive with low reliability. The authors propose near-term improvements in areas like human roles and automation, command and control, training, and operating environments. Longer-term, the goal is to shift more functions to automation while ensuring appropriate human oversight.
Micro air vehicles (MAVs) are small, lightweight, autonomous unmanned aerial vehicles that can fit in a backpack. MAVs are small enough to fit in the hand and can transmit pictures back to a portable base station over a range of several kilometers. They have a projected airspeed below most radar detection and can operate within 600 meters of the launch point. MAVs use electric motors powered by batteries and rely on sensors and flight control for stabilization. They communicate with a ground station using Ka-band frequencies. Potential applications of MAVs include disaster management, commercial uses like photography, and defense/security purposes such as surveillance and explosive detection.
The document discusses nano unmanned aerial vehicles (UAVs or drones). It defines nano drones as extremely small drones less than 15cm intended for use in urban areas. They are remotely controlled and equipped with cameras and microphones. The document outlines the mechanisms of nano drones, including flapping wing designs. It discusses the advantages of nano drones like low cost and ability to operate in constrained environments, as well as disadvantages such as lack of self-power and risk of spying. Examples of specific nano drone models are provided.
Best ppt on Micro air vehicle with flapping wings (Ronak Thakare)
This document discusses micro air vehicles (MAVs) with flapping wings. It defines MAVs as unmanned aerial vehicles that are less than 15cm long and weigh less than 4 ounces. They can perform military, commercial, and urban surveillance missions with lightweight designs. MAVs require high resolution sensors, lightweight materials like balsa wood and composites, electric motors and batteries. Flapping wing designs provide more lift than fixed wings. Future work aims to further minimize size and weight while improving flight speed, stability, and battery life. Kelvin's circulation theorem and how flapping wings generate lift through diverting airflow are also summarized.
This document discusses research on micro air vehicles (MAVs), which are small unmanned aerial vehicles. It provides an overview of MAV applications such as reconnaissance, surveillance, and chemical/biological sensing. The document outlines key MAV technologies including flight control, propulsion, communication, and guidance/navigation systems. It also discusses aerodynamic challenges at low Reynolds numbers and potential solutions involving MEMS and adaptive wing shaping. Overall, the document presents MAVs as a promising new class of unmanned system that could provide military utility through a variety of potential reconnaissance and sensing missions.
Virtual reality is a user interface that involves real-time simulation and interactions through sensory channels to immerse users in virtual environments. It has its origins in flight simulators from the 1950s and early prototypes in the 1960s, with commercial development beginning in the late 1980s. Current applications of VR include movies, video games, and education/training. Emerging technologies like Project Natal, CAVE systems, and the Nintendo Wii are pushing the boundaries of VR by enabling more natural physical interaction. While the future is uncertain, VR is expected to continue evolving entertainment and other industries through immersive experiences.
Unmanned Aerial Vehicles can be automated using Metasploit to fingerprint clients, scan for servers, and exploit vulnerabilities. Metasploit provides built-in modules to automate scanning networks using tools like Nmap and Nexpose. Exploits and payloads can then be automatically run on vulnerable servers and clients. Post-exploitation activities can also be automated using Meterpreter scripts and plugins to perform tasks like privilege escalation, packet capture, and maintaining persistence.
Using Guided Missiles in Drive-bys: Automatic Browser Fingerprinting and Expl... (egypt)
This document discusses using guided missiles in drive-bys through automatic browser fingerprinting and exploitation with the Metasploit Framework's Browser Autopwn module. It describes how the module fingerprints browsers to determine effective exploits, selects targeted exploits, and aims for stealth to evade detection. Examples are provided of writing exploits for the module and its advantages over commercial tools. The document encourages downloading and contributing to its continued development.
Using and Customizing the Android Framework / part 4 of Embedded Android Work... (Opersys inc.)
1) The document provides an overview of using and customizing the Android framework, covering topics like kickstarting the framework, utilities and commands, system services internals, and creating custom services.
2) It describes the core building blocks of the framework, like services, Dalvik, and the boot process. It also covers utilities like am, pm, and dumpsys.
3) The document discusses native daemons like servicemanager and installd. It explains how to observe the system server and interact with services programmatically.
Leveraging Android's Linux Heritage at AnDevCon3 (Opersys inc.)
This document discusses leveraging the Linux heritage in Android. It begins with an overview of Android concepts like components, intents, and manifest files. It then compares the overall architecture of a traditional Linux system to Android. Several roadblocks to integration are identified, such as differences in filesystem structure and IPC mechanisms. Potential approaches for coexistence are outlined, such as using a single filesystem or virtualization. Finally, ongoing work and unresolved challenges are acknowledged, such as implementing intents on Linux or running X applications within Android.
This document discusses malware analysis collaboration and automation. It describes setting up a virtualized malware analysis environment using QEMU/KVM with light-weight, copy-on-write disk clones for consistency and efficiency. It also covers automating tasks like provisioning new virtual machines, inserting and extracting files from guests, and capturing and replaying virtual machine sessions for collaborative training.
OSMC 2008 | Monitoring Tools Shootout by Tom De Cooman (NETWAYS)
Do you want lightweight or feature-full? How far do you want to go with your monitoring: just the OS level, or do you want to dig into your applications? Do you want to know how many queries per second your MySQL database is serving, or the internal state of your JBoss, or to be alerted before the OOM killer starts working?
This presentation will guide the audience through the different alternatives, based on our experiences in the field. We will be looking at both alerting and trending and at how easy or difficult it is to deploy such an environment.
Monitoring the network, monitoring applications, or both?
Tools discussed: Nagios, Zabbix, Zenoss, Hyperic
Introduction to Metasploit that we presented to the 4th-year computer science students at Rhodes University, covering the basic functionality of Metasploit and penetration testing.
The practical section that Etienne made (with Ponies) will come soon.
This document discusses leveraging Android's Linux heritage by exploring ways for Linux and Android to coexist and interact. It outlines some of the key differences between the Android and Linux stacks that pose roadblocks, such as the filesystem, C library, IPC mechanisms, and display management. Potential approaches for coexistence discussed include using a single filesystem, chroot jails, virtualization, and bridges between components like intents and DBus. The document concludes with demos of running BusyBox in Android and a client-server app communicating via sockets between the different stacks.
The default applications on an embedded Linux system include many common command line utilities from BusyBox, such as cat, cp, grep, ls, mkdir, more, mv, ping, ps, rm, top, and vi. BusyBox provides minimal versions of many common UNIX commands in a single executable to reduce the size of the system. Other default applications may include services like bootchartd, crond, and syslogd.
Lightweight Virtualization with Linux Containers and Docker | YaC 2013 (dotCloud)
This document provides an overview of lightweight virtualization using Linux containers and Docker. It begins by explaining the problems of deploying applications across different environments and targets, and how containers can help solve this issue similarly to how shipping containers standardized cargo transportation. It then discusses what Linux containers are, how they provide isolation using namespaces and cgroups. It introduces Docker and how it builds on containers to further simplify deployment by allowing images to be easily built, shared, and run anywhere through standard formats and tools.
Lightweight Virtualization with Linux Containers and Docker | YaC 2013 (Docker, Inc.)
Docker provides a standardized way to build, ship, and run Linux containers. It uses Linux kernel features like namespaces and cgroups to isolate containers and make them lightweight. Docker allows building container images using Dockerfiles and sharing them via public or private registries. Images can be pulled and run anywhere. Docker aims to make containers easy to use and commoditize the container technology provided by Linux containers (LXC).
This document provides an overview of Android internals through a series of topics:
1. It describes key Android concepts like components, intents, and the manifest file.
2. It outlines the overall Android architecture including system startup processes like the bootloader, kernel, init, zygote and system server.
3. It covers various aspects of the Android system like the Linux kernel customizations, native user-space environment, Dalvik VM, and Java Native Interface.
4. It also profiles important system-level components like the system server, activity manager, and Binder IPC mechanism.
Hacking Vulnerable Websites to Bypass Firewalls (Netsparker)
These slides were used by our security researcher Sven Morgenroth during the live demo of how to hack web applications and bypass firewalls. You can watch the live demo here: https://www.netsparker.com/blog/web-security/vulnerable-web-applications-developers-target/#livedemo
This document discusses techniques for hunting down target users on Windows domains after gaining initial access. It begins by outlining existing tools like psloggedon.exe and netsess.exe that can detect logged-in users but typically require administrator privileges. It then explores using domain data sources and PowerShell with tools like PowerView to profile and locate target users throughout the domain without administrator privileges. Various PowerShell commands like Invoke-UserHunter, Invoke-UserView, and Invoke-UserEventHunter are demonstrated for efficiently finding sessions and events associated with target users.
1) Android's UI consists of layers including the display hardware, kernel driver, HAL modules, SurfaceFlinger, Window Manager and key apps.
2) The display stack includes the kernel driver, HAL definition and module, SurfaceFlinger for compositing surfaces, and Window Manager for managing app windows.
3) OpenGL involves kernel drivers, EGL libraries, and native/Java interfaces to provide 3D graphics capabilities to apps through the GPU hardware.
This document discusses using SaltStack to manage Alienvault infrastructure. SaltStack is an open source tool for configuration management and remote execution that can control and deploy configurations to all servers. It has a simple architecture with a master server and minion clients. Custom modules, states, grains and templates can extend SaltStack's capabilities. Targeting allows applying configurations selectively based on server attributes. This enables centralized yet flexible management of an entire Alienvault deployment.
Linux Server Deep Dives (DrupalCon Amsterdam) (Amin Astaneh)
Over the past few years the Linux kernel has gained features that allow us to learn more about what's really happening on our servers and the applications that run on them.
This talk will explore how these new features, particularly perf_events and ebpf, enable us to answer questions about what a Drupal site is doing in real time beyond what the standard logs, server performance tools, and even strace will reveal. Attendees will be provided a brief introduction to example uses of these tools to diagnose performance problems.
This talk is intended for attendees that are familiar with Linux, the command line, and have used host observability tools in the past (top, netstat, etc).
This document provides an overview of Metasploit for beginners. It discusses why Metasploit is useful, how to set up a demo environment, and how to use auxiliary and exploit modules. It then demonstrates auxiliary modules for scanning and information gathering. It also demonstrates two exploit modules against ElasticSearch and Jenkins, using reverse shell payloads. The document provides a cheat sheet for navigating msfconsole and describes common commands used prior to demonstrations.
Similar to Unmanned Aerial Vehicles: Exploit Automation with the Metasploit Framework (20)
This document summarizes techniques for privilege escalation using the Metasploit framework. It begins by explaining why Metasploit is useful and why privilege escalation is important for gaining more access and control. It then provides examples of how to write Metasploit modules for local privilege escalation exploits, including generating payloads, including the necessary Metasploit mixins, and interacting with sessions post-exploitation. Specific local privilege escalation techniques demonstrated include exploiting vulnerable setuid binaries like Nmap, modifying Windows scheduled tasks, and relaying Windows authentication. The document concludes by discussing future work to improve Metasploit module development.
This document provides an overview and update on the Metasploit Framework. Some key points:
- 229 new modules were added since September 2015. Over 800 pull requests were merged from 176 unique authors with 4765 total commits.
- Rex is being broken up into smaller components. New msfconsole commands and a reorganization of the tools directory were introduced.
- New modules, payloads, and exploits were added for platforms like Linux, Windows, Android and mainframes. Module documentation is now in markdown.
- Features added include tools for downloading Microsoft patches, a portable POSIX payload called Mettle, and improved Meterpreter functionality like XOR obfuscation and new extensions.
The document summarizes updates and improvements to the Metasploit framework. It notes that the framework has moved from SVN to GitHub for code hosting. It highlights new exploitation modules for vulnerabilities in SAP, UPnP libraries, IPMI, and WinRM. It also describes new Java, Meterpreter, and Python payloads as well as encoding improvements. The document demonstrates Android and Python Meterpreter functionality and password stealing with Mimikatz. It encourages contacting the author with any other questions.
Open Source, Security, and Open Source Security.pdf (egypt)
The document discusses open source software, security, and open source security. It outlines the goals of open source software which include producing high-quality programs, sharing work, and democratizing code. People work on open source for puzzles, prestige, profit, and community. Difficulties include getting users and contributors. Security goals include identifying, quantifying, and mitigating risks. People work in security for protection, puzzles, prestige, profit, and politics. Difficulties in security include reporting issues and limited budgets. Open source security aims to standardize vulnerabilities and democratize security, though most people lack programming skills.
The document discusses authenticated code execution by design (ACEbD), where an attacker can leverage legitimate login credentials to access systems and execute code. It provides numerous examples of services that could allow this, such as remote desktop, VNC, SSH, Windows Remote Management, SMB shares, and content management systems like WordPress or Drupal if exploited. The document stresses that passwords will always enable some level of access and that logging in is preferable to exploiting vulnerabilities. It concludes by advising organizations to carefully audit login activity and restrict which users can access what systems.
This document provides an overview of useful Bash one-liners and commands for tasks like manipulating text and files, working with variables and loops, remote access, and basic system utilities. It covers core Bash concepts like pipes, redirection, grep, awk, sort, and explains how to use commands while avoiding leaving traces on a system.
This document discusses Metasploit and modern cybersecurity attacks. It provides a brief history of exploitation from the Golden Era to the Modern Era. It then demonstrates how modern attacks use credentials obtained through tools like Mimikatz to conduct SMB relay attacks and achieve remote code execution. The document also discusses post-exploitation techniques like maintaining presence, achieving persistence, and pivoting. It concludes by offering some mitigation strategies like disabling WPAD, blocking SMB outbound traffic, requiring SMB signing, and implementing proper access controls and monitoring.
This document summarizes new features and improvements in the Metasploit framework, including over 1200 pull requests and 7500 commits added since September 2014. Key additions include 358 new modules, 20 modules for local privilege escalation, exploits targeting antivirus products and SOHO routers, improved SMB and Kerberos support, and enhancements to payloads such as interactive Powershell and UUID tracking.
- The document discusses the history of exploitation from the Golden Era up to the modern era, noting key developments like the rise of the internet, mobile computing, and secure development practices.
- It describes common exploitation techniques from each era, such as password cracking, client-side attacks, and worms that targeted vulnerabilities in software like IIS and SQL Server.
- Modern exploitation still relies on similar tactics to illegitimately gain access, such as exploiting trust relationships, stealing credentials using tools like mimikatz, and establishing persistence and pivoting within compromised networks. The document demonstrates these post-exploitation techniques using Metasploit.
This document discusses techniques for post-exploitation using Metasploit. It covers maintaining presence on a compromised system by examining users and processes. It also discusses achieving persistence through techniques like dropping executable files and modifying autoruns. Pivoting is covered as moving laterally such as relaying NTLM authentication or abusing trust relationships. Specific demonstrations are provided like exploiting an suid misconfiguration on Nmap or using a LNK file drop combined with SMB relay. The document emphasizes developing reliable and readable Metasploit modules to automate post-exploitation tasks.
State of the Framework Address: Recent Developments in the Metasploit Framework (egypt)
The document summarizes the past, present, and future of the Metasploit framework. In the past, the framework was tied to its directory structure and modules would break if moved. Currently, the focus is on usability, scalability, passwords, better payloads, and post exploitation. Going forward, there will be continued work on authenticated code execution, payloads for additional platforms, and improving post exploitation modules and APIs.
2. # whoami
● James Lee
● egypt
● Core Developer, Metasploit Project
● Working full time on Metasploit for
3. Overview
● User Interface
● Scanning for Servers
● Fingerprinting Clients
● Exploiting Servers
● Exploiting Clients
● Post-Exploitation
4. Automating msfconsole
● Resource files
  ● A list of commands to be run in sequence
  ● Can be anything you would type at the msf> prompt
● setg
● save
6. Example Resource File
setg RHOSTS 10.1.1.1-254
setg USERNAME Administrator
setg PASSWORD password
use auxiliary/scanner/smb/smb_login
run
use auxiliary/scanner/telnet/telnet_login
run
8. Scanning
● Have to find servers before you can exploit them
● Metasploit has several ways to do this
  ● Run nmap and nexpose directly from the console
  ● Import other tools' output
  ● MSF built-in scanners (auxiliary/scanner/*)
(Image: Israeli Orbiter, surveillance UAV)
9. nmap
● Two options:
  ● Run nmap normally with -oX and use db_import to store the results
  ● db_nmap command will run nmap and handle the import for you
● Either way, results get stored in the database
10. ● nexpose_scan
● db_import
● If you have a Community license (free), limited to 32 IP addresses at a time
  ● Msf will scan the whole range in 32-address chunks
11. Nexpose
● Also stores vulnerability references
  ● CVE, BID, …
  ● Without these, figuring out which exploits to run can be more difficult
● Can be used to launch exploits as well
12. MSF Built-in Scanning
● Implemented as auxiliary modules
  ● Aux is like an exploit without a payload
● Usage similar to exploits
● Can go through meterpreter routes
(Image: FanWing Surveillance Platform)
13. Faster Setup
● RHOSTS can be nmap-notation or “file:<filename>”
  ● File should contain nmap-notation address ranges
  ● e.g.:
    10.1.1.2,5,7-254
    10.2.2.*
    10.3.3.0/24
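As an added example (not Metasploit's own range-walking code), the JavaScript below expands the three RHOSTS notations shown on this slide, including the “file:<filename>” form, and refuses to expand more than a configurable number of addresses so that a mistyped prefix length does not silently turn into a huge scan. The file contents used in `demo()` are constructed; the `maxHosts` option and the `#` comment convention are this example's own.

```javascript
// Added example, not part of the original slides or of Metasploit itself:
// expand the RHOSTS notations from slide 13 (nmap octet lists such as
// "10.1.1.2,5,7-254", wildcards such as "10.2.2.*", and CIDR such as
// "10.3.3.0/24") into a de-duplicated list of IPv4 addresses.
"use strict";

const DEFAULT_MAX_HOSTS = 65536; // refuse to materialize more than a /16 by accident

// "2,5,7-254" or "*" -> [2, 5, 7, 8, ..., 254]
function expandOctet(spec) {
  const out = [];
  for (const part of (spec === "*" ? "0-255" : spec).split(",")) {
    const m = /^(\d{1,3})(?:-(\d{1,3}))?$/.exec(part);
    if (!m) throw new Error(`bad octet spec: ${JSON.stringify(part)}`);
    const lo = Number(m[1]);
    const hi = m[2] === undefined ? lo : Number(m[2]);
    if (lo > hi || hi > 255) throw new Error(`octet range out of order or above 255: ${part}`);
    for (let v = lo; v <= hi; v++) out.push(v);
  }
  return out;
}

function ipToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`bad IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

function intToIp(n) {
  return [n >>> 24, (n >>> 16) & 255, (n >>> 8) & 255, n & 255].join(".");
}

// "10.3.3.0/24" -> { network, size } with the host bits cleared; null if not CIDR.
function parseCidr(spec) {
  const m = /^([\d.]+)\/(\d{1,2})$/.exec(spec);
  if (!m) return null;
  const bits = Number(m[2]);
  if (bits > 32) throw new Error(`bad prefix length: ${spec}`);
  // JS shifts are mod 32, so 0xffffffff << 32 would be a no-op: handle /0 explicitly.
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return { network: (ipToInt(m[1]) & mask) >>> 0, size: 2 ** (32 - bits) };
}

// Number of addresses a spec expands to, computed without materializing them.
function sizeOf(spec) {
  const cidr = parseCidr(spec);
  if (cidr) return cidr.size;
  const octets = spec.split(".");
  if (octets.length !== 4) throw new Error(`bad target spec: ${spec}`);
  return octets.reduce((n, o) => n * expandOctet(o).length, 1);
}

function expandTarget(spec) {
  const cidr = parseCidr(spec);
  const out = [];
  if (cidr) {
    for (let i = 0; i < cidr.size; i++) out.push(intToIp((cidr.network + i) >>> 0));
    return out;
  }
  const octets = spec.split(".");
  if (octets.length !== 4) throw new Error(`bad target spec: ${spec}`);
  // Cartesian product of the four octet lists, in address order.
  const [a, b, c, d] = octets.map(expandOctet);
  for (const w of a) for (const x of b) for (const y of c) for (const z of d) out.push(`${w}.${x}.${y}.${z}`);
  return out;
}

// Expand an RHOSTS value: whitespace-separated specs inline, or "file:<path>"
// with one or more specs per line. '#' starts a comment (this example's convention).
function expandRhosts(value, { maxHosts = DEFAULT_MAX_HOSTS, readFile } = {}) {
  const read = readFile || ((p) => require("fs").readFileSync(p, "utf8"));
  const text = value.startsWith("file:") ? read(value.slice("file:".length)) : value;
  const specs = [];
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.replace(/#.*$/, "").trim();
    if (line) specs.push(...line.split(/\s+/));
  }
  const total = specs.reduce((n, s) => n + sizeOf(s), 0); // validate and size first
  if (total > maxHosts) throw new Error(`${total} addresses exceeds maxHosts=${maxHosts}`);
  const seen = new Set();
  for (const spec of specs) for (const ip of expandTarget(spec)) seen.add(ip);
  return [...seen];
}

// Constructed sample file matching the slide's three notations.
const SAMPLE_RHOSTS_FILE = [
  "# lab targets (constructed sample, not a real scope)",
  "10.1.1.2,5,7-254",
  "10.2.2.*",
  "10.3.3.0/24",
].join("\n");

function demo() {
  return expandRhosts("file:targets.txt", { readFile: () => SAMPLE_RHOSTS_FILE });
}

if (typeof require !== "undefined" && require.main === module) {
  const hosts = demo();
  console.log(`${hosts.length} addresses; first ${hosts[0]}, last ${hosts[hosts.length - 1]}`);
}
```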
14. Faster Scanning
● set THREADS 256
  ● Windows freaks out after 16 threads
  ● Cygwin doesn't handle more than about 200
  ● Linux? Go to town.
● Caveat: tunneling through meterpreter
16. Server Exploits
● The bulk of msf's exploit modules
  ● 385 as of Jan 9
● Many protocols implemented in an exploit-friendly way
  ● smtp, imap, http, smb, dcerpc, sunrpc, ftp, …
● Wide range of protocol-level IDS evasions
18. db_autopwn
● Need to have targets stored in the db
● If vulnerability references are available, can cross-reference against specific hosts
● Can just use matching ports if you don't have refs
● Checks global MinimumRank to limit exploits to a particular safety level
19. NeXpose
● Scan, detect, exploit all in one command
  ● nexpose_scan -x <host range>
  1. Populates the db with hosts, services, vulns
  2. Cross-references vulns and exploits
  3. Throws exploits at vulnerable servers
● Has the potential to give you tons of shells
● Can take a long time for lots of hosts
● Uses MinimumRank as well
21. Client Fingerprinting
● User Agent
  ● Easy to spoof
  ● Easy to change in a proxy
  ● Some third-party software changes it
  ● Less often changed in JavaScript
22. Fingerprinting the Client
● Various JS objects only exist in one browser
  ● window.opera, Array.every
● Some only exist in certain versions
  ● window.createPopup, Array.every, window.Iterator
● Rendering differences and parser bugs
  ● IE's conditional comments
23. Internet Explorer
● Parser bugs, conditional comments
  ● Reliable, but not precise
● ScriptEngine*Version()
  ● Almost unique across all combinations of client and OS, including service pack
● ClientCaps
24. Opera
● window.opera.version()
  ● Includes minor version, e.g. “9.61”
● window.opera.buildNumber()
  ● Different on each platform for a given version
  ● e.g.: “8501” == Windows
  ● Not precise, only gives platform, no version or service pack
25. Hybrid Approach for FF
● Existence of
document.getElementsByClassName
means Firefox 3.0
● If UA says IE6, go with FF 3.0
● If UA says FF 3.0.8, it's probably not lying, so
use the more specific value
26. Firefox OS Detection
● Most of the objects used in standard detection
scripts are affected by the User-Agent
● E.g., when spoofing as iPhone,
navigator.platform = “iPhone”
● navigator.oscpu is not
● “Linux i686”
● “Windows NT 6.0”
27. Safari / Webkit
● Infuriatingly standards compliant in JS
● Can detect its existence easily
● window.WebKitPoint, many others
● Most Safari-specific stuff has been around since 1.2, so not useful for version detection
28. Chrome / Webkit
● Same javascript engine as Safari
● So far, no easy way to change UA
● navigator.vendor is always “Google Inc.”
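The decision rules from the preceding slides, pulled together as an added example (not Browser Autopwn's own code). Browser Autopwn gathers these probes in client-side JavaScript and posts them back to the server; this is the server-side resolution, written against a hypothetical probe hash whose key names are assumptions. It follows the slides' rules, and uses window.Iterator (from slide 22) to rule out WebKit before applying the getElementsByClassName test:

```ruby
# Probe hash keys (assumed names):
#   :ua             navigator.userAgent as seen by JavaScript
#   :js             Array of JS object names that existed on the client
#   :opera_version  window.opera.version()      (Opera only)
#   :opera_build    window.opera.buildNumber()  (Opera only)
#   :oscpu          navigator.oscpu             (Firefox only)
#   :vendor         navigator.vendor
#   :script_engine  [major, minor, build] from ScriptEngine*Version() (IE)

Fingerprint = Struct.new(:browser, :version, :os)

# What the User-Agent string claims; trusted only as a fallback
def ua_browser(ua)
  case ua
  when /Opera/              then ['Opera', ua[/Opera\/([\d.]+)/, 1]]
  when /MSIE ([\d.]+)/      then ['IE', $1]
  when /Firefox\/([\d.]+)/  then ['Firefox', $1]
  when /Chrome\/([\d.]+)/   then ['Chrome', $1]
  when /Safari\//           then ['Safari', ua[/Version\/([\d.]+)/, 1]]
  else ['unknown', nil]
  end
end

# OS from a UA or navigator.oscpu string
def os_from_string(s)
  case s.to_s
  when /Windows NT 6\.0/ then 'Windows Vista'
  when /Windows NT 5\.1/ then 'Windows XP'
  when /Windows/         then 'Windows'
  when /iPhone/          then 'iPhone'
  when /Mac OS X/        then 'Mac OS X'
  when /Linux/           then 'Linux'
  else 'unknown'
  end
end

def fingerprint(probe)
  ua = probe[:ua].to_s
  ua_name, ua_ver = ua_browser(ua)
  js = probe[:js] || []
  fp = Fingerprint.new(ua_name, ua_ver, os_from_string(ua))

  if probe[:opera_version]
    # window.opera exists only in Opera; version() includes the minor version
    fp.browser = 'Opera'
    fp.version = probe[:opera_version]
    # buildNumber() differs per platform for a given version: 8501 is Windows.
    # It gives the platform only, so keep a UA-derived Windows flavour when the
    # UA agrees and override it when the UA claims something else.
    fp.os = 'Windows' if probe[:opera_build] == '8501' && fp.os !~ /Windows/
  elsif probe[:vendor] == 'Google Inc.'
    # same engine as Safari, but navigator.vendor gives Chrome away
    fp.browser = 'Chrome'
  elsif js.include?('window.Iterator')
    # window.Iterator is Gecko-only, so this is Firefox whatever the UA says
    fp.browser = 'Firefox'
    if js.include?('document.getElementsByClassName')
      # present from Firefox 3.0 on: if the UA also says 3.x its more specific
      # value is probably honest, otherwise fall back to "3.0"
      fp.version = (ua_name == 'Firefox' && ua_ver.to_s.start_with?('3.')) ? ua_ver : '3.0'
    end
    # navigator.oscpu is not affected by UA spoofing, unlike navigator.platform
    fp.os = os_from_string(probe[:oscpu]) if probe[:oscpu]
  elsif probe[:script_engine]
    # JScript's ScriptEngine*Version() only exists in IE
    fp.browser = 'IE'
  end
  fp
end
```

A Firefox 3 client whose header says IE6 still comes out as Firefox 3.0 on Linux, which is the case the hybrid approach exists for.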
29. Client Exploits in MSF
● Extensive HTTP support
● Heapspray in two lines of code
● Sotirov's .NET DLL, heap feng shui
● Wide range of protocol-level IDS evasion
● Simple exploit in ~10 lines of code
30. Automatically Exploiting Clients
● Browser Autopwn Auxiliary module
● I spoke about this at Defcon in 2009
● Fingerprints a client
● Stores detection in the database
● Determines what exploits might work
● Uses MinimumRank, too
● Tries the ones most likely to succeed
31. Advantages of Browser Autopwn
● OS and client detection is client-side, more
reliable in presence of spoofed or broken UA
● Detection results automatically stored in the
database
● Not written in PHP
● PHP sucks
32. Browser Autopwn Usage
msf> use auxiliary/server/browser_autopwn
msf (browser_autopwn)> set URIPATH /
msf (browser_autopwn)> set EXCLUDE opera
msf (browser_autopwn)> set MATCH .*
msf (browser_autopwn)> run
[*] Starting exploit modules on host 10.1.1.1...
[*] ---
33. Automating Users
● Browser Autopwn automates the exploits but
how do we get users to come to our evil web
server?
34. Karmetasploit
● Wireless Access Point of Doom
● Using airbase-ng (from the aircrack-ng suite), appears to be every access point that anybody probes for
● "Why, yes, I am Office_WiFi, please connect"
● Lets you control the route, the DNS, everything
● "Yup, I'm your internal web server. And your email server. And your file server. And..."
35. More on Karma
● Actually about 5 years old
● It still works amazingly well
● More info about getting it working is on our wiki:
http://www.metasploit.com/redmine/projects/framework/wiki/Karmetasploit
36. Assagai
● Complete phishing framework
● Uses Metasploit exploits and payloads
● Gathers other statistics
● Has common email templates
40. Metaphish
● Use the target's public information against them
● See valsmith, Colin, and dkerb's talk from BH USA 2009
41. Automating Post-exploitation
● Meterpreter scripts
● set AutoRunScript <script name>
● Plugins
● Can be auto loaded at startup with resource files
42. Meterpreter scripts
● Just a ruby script
● Easy to write, lots of flexibility
● Access to Meterpreter API
43. Meterpreter API
● Core + Extensions
● Core is basic, mostly useful for loading extensions
● Current extensions:
● Stdapi
● Priv, Incognito
● Espia
● Sniffer
44. Meterpreter Stdapi: process
● client.sys.process
● Acts like a Hash, where keys are image names and values are process IDs
● client.sys.process['explorer.exe']
● => 1408
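A complete Meterpreter script built on that API, as an added example rather than one that ships with the framework: it picks a process to migrate into and calls client.core.migrate. The Hash-style lookup above gives you the first explorer.exe; client.sys.process.get_processes gives the full list so you can also avoid your own pid and prefer a process owned by the same user. The constructed process list is in the shape get_processes returns; the script body only runs inside a live session, where client is defined.

```ruby
# Image names to prefer as a migration target, in order. explorer.exe is the
# usual choice: long-lived and running as the logged-on user.
PREFERRED = ['explorer.exe', 'svchost.exe', 'lsass.exe'].freeze

# Pick a pid to migrate into: a preferred image name, not our own pid and,
# when the 'user' field is known for our process, owned by the same user so
# the migration does not fail on a token mismatch. Returns nil if nothing fits.
def pick_migration_target(procs, my_pid)
  me = procs.find { |p| p['pid'] == my_pid }
  my_user = me && me['user']
  candidates = procs.reject { |p| p['pid'] == my_pid }
  PREFERRED.each do |name|
    hits = candidates.select do |p|
      p['name'].to_s.casecmp(name).zero? && (my_user.nil? || p['user'] == my_user)
    end
    return hits.first['pid'] unless hits.empty?
  end
  nil
end

# Constructed sample with the same keys as client.sys.process.get_processes
SAMPLE_PROCS = [
  { 'pid' => 4,    'ppid' => 0,    'name' => 'System',       'user' => 'NT AUTHORITY\\SYSTEM' },
  { 'pid' => 620,  'ppid' => 520,  'name' => 'svchost.exe',  'user' => 'NT AUTHORITY\\SYSTEM' },
  { 'pid' => 700,  'ppid' => 520,  'name' => 'svchost.exe',  'user' => 'NT AUTHORITY\\SYSTEM' },
  { 'pid' => 1408, 'ppid' => 1356, 'name' => 'explorer.exe', 'user' => 'WORKGROUP\\bob' },
  { 'pid' => 2044, 'ppid' => 1408, 'name' => 'evil.exe',     'user' => 'WORKGROUP\\bob' },
].freeze

# Script body: only meaningful inside a session (run <script> / AutoRunScript)
if defined?(client) && client
  procs  = client.sys.process.get_processes
  my_pid = client.sys.process.getpid
  target = pick_migration_target(procs, my_pid)
  if target
    print_status("Migrating from #{my_pid} to #{target}")
    client.core.migrate(target)
  else
    print_error("No suitable process to migrate into")
  end
end
```

Drop it in scripts/meterpreter/ and run it with run <name>, or set AutoRunScript <name> so every new session migrates on its own.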
47. Priv and Incognito
● Stuff that requires privileges, SYSTEM
preferred
● Priv
● Dump hashes, alter file MACE
● Incognito
● list impersonation/delegation tokens
48. Espia
● client.espia.espia_image_get_dev_screen
● Returns a bitmap as a String
● From the command line, 'screenshot' stores it to a file
● client.espia.espia_audio_get_dev_audio
● No command for this yet, only available from the API
49. Meterpreter Sniffer
● client.sniffer.capture_start
● Starts capturing
● client.sniffer.capture_dump
● Puts the captured packets into a buffer we can read
● client.sniffer.capture_dump_read
● Reads from the buffer
50. Sniffer caveat
● The packet format isn't standard, so we have to convert it to PCAP to be useful
● The console command does it for you
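The conversion the console command performs, as an added example that is not the framework's own code, for when you drive the sniffer from a script and need a capture file. The record layout assumed here is the one the console's sniffer_dump command parses from capture_dump_read buffers: per packet a 64-bit id, a 64-bit Windows FILETIME timestamp and a 32-bit length, each 64-bit value as two big-endian 32-bit halves (low first), followed by the raw frame. Treat that layout as an assumption and check it against the sniffer command dispatcher in your checkout if it changed. The sample buffer is constructed.

```ruby
PCAP_MAGIC   = 0xa1b2c3d4
PCAP_SNAPLEN = 65535
DLT_EN10MB   = 1
FILETIME_EPOCH_DELTA = 11_644_473_600   # seconds from 1601-01-01 to 1970-01-01

# Split a capture_dump_read buffer into [id, filetime, frame] triples.
# A record whose frame runs past the end of the buffer is dropped.
def parse_sniffer_dump(buf)
  pkts = []
  off = 0
  while off + 20 <= buf.bytesize
    idlo, idhi, thilo, thihi, len = buf.byteslice(off, 20).unpack('NNNNN')
    off += 20
    frame = buf.byteslice(off, len)
    break if frame.nil? || frame.bytesize < len   # truncated record
    off += len
    pkts << [(idhi << 32) | idlo, (thihi << 32) | thilo, frame]
  end
  pkts
end

# FILETIME (100 ns ticks since 1601) -> [unix seconds, microseconds]
def filetime_to_unix(ft)
  [ft / 10_000_000 - FILETIME_EPOCH_DELTA, (ft % 10_000_000) / 10]
end

# libpcap global header, little-endian, Ethernet link type
def pcap_header
  [PCAP_MAGIC, 2, 4, 0, 0, PCAP_SNAPLEN, DLT_EN10MB].pack('VvvVVVV')
end

# Whole buffer -> pcap file contents, records ordered by packet id
def sniffer_dump_to_pcap(buf)
  out = pcap_header.dup
  parse_sniffer_dump(buf).sort_by { |id, _, _| id }.each do |_, ft, frame|
    secs, usec = filetime_to_unix(ft)
    out << [secs, usec, frame.bytesize, frame.bytesize].pack('VVVV') << frame
  end
  out
end

# Constructed dump buffer: two frames, delivered out of id order
def sample_dump
  ft = (1_262_304_000 + FILETIME_EPOCH_DELTA) * 10_000_000 + 5_000_000 # 2010-01-01 00:00:00.5 UTC
  frame1 = ("\x00" * 14 + "\x08\x00").b   # minimal fake Ethernet header
  frame2 = ("\xff" * 60).b
  rec = ->(id, t, f) { [id & 0xffffffff, id >> 32, t & 0xffffffff, t >> 32, f.bytesize].pack('NNNNN') + f }
  rec.call(2, ft + 10_000_000, frame2) + rec.call(1, ft, frame1)
end

if $PROGRAM_NAME == __FILE__
  File.binwrite('sniffer.pcap', sniffer_dump_to_pcap(sample_dump))
end
```

In a script you would feed the result of client.sniffer.capture_dump_read(intf, size) into sniffer_dump_to_pcap and write the String to disk; the file then opens in Wireshark or tcpdump like any other capture.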
51. Some Nifty Existing Scripts
● vnc -- Uploads a VNC server to the target and
tunnels traffic through the current TCP
connection or a new connect-back
● packetrecorder -- Starts a sniffer on the target
and retrieves packets every <interval> seconds
● persistence -- Builds a meterpreter.exe that
connects back every <interval> seconds
● killav -- Runs through a list of known Anti-Virus
process names and kills anything that matches
52. Colin and Dave's talk
● Don't miss it
● Right after lunch
● About using meterpreter's memory API for doing all kinds of crazy stuff
53. MSF Plugins
● Can extend or replace parts of the framework
● Full access to Rex and Msf APIs
● Can add callbacks for various events, add
commands to the console, anything you can
think of
54. Hooking sessions from a plugin
class Msf::Plugin::SessionHook < Msf::Plugin
  include Msf::SessionEvent
  def initialize(framework, opts)
    super   # lets the inherited framework accessor work
    framework.events.add_session_subscriber(self)
  end
  def on_session_open(session)
    # Do something with the session
  end
  def cleanup   # called on unload; drop the subscription so it isn't called on a dead plugin
    framework.events.remove_session_subscriber(self)
  end
end
56. Some Nifty Existing Plugins
● db_credcollect – automatically retrieves hashes
from new meterpreter sessions, stores them in
the database
● pcap_log – just like running tcpdump in the
background
● session_tagger – creates a directory on new
sessions as proof of compromise
58. Conclusions
● Lots of automation available that requires no programming skills
● A little bit of ruby gives you lots of power and flexibility
● Don't type any more than you have to
● Carpal Tunnel Syndrome sucks
59. Download it
● svn co http://metasploit.com/svn/framework3/trunk
● Submit patches to msfdev@metasploit.com