The document discusses Capture the Flag (CTF) competitions and wargames and why everyone should participate in them. It notes that CTFs are legal hacking games or puzzles that help people improve their information security skills. Wargames are similar but always online and have no time limits. The document outlines different categories of challenges people may encounter in CTFs and wargames, including programming, cryptography, steganography, forensics, reverse engineering, and web challenges. It argues that participating provides free training, is fun, helps improve skills, allows competitive testing of skills, and can help with recruitment and stress testing teams.
Improving Network Intrusion Detection with Traffic DenoiseMiroslav Stampar
This document discusses improving network intrusion detection systems by filtering out "noise" from real threats. It proposes collecting data from multiple sensors on different IP ranges to identify traffic that is seen across many networks, which is likely noise rather than targeted attacks. By ignoring or lowering the severity of events originating from noisy IP addresses found on public blacklists or seen across different sensor networks, the system could focus alerts on real adversaries and reduce the number of false alarms. An experimental system using these techniques saw a 35-37% reduction in total events and threats after filtering noise. Further development could help security teams prioritize real network threats.
The document discusses Capture the Flag (CTF) competitions and wargames and why everyone should participate in them. It notes that CTFs are legal hacking games or puzzles that help people improve their information security skills. Wargames are similar but always online and have no time limits. The document outlines different categories of challenges people may encounter in CTFs and wargames, including programming, cryptography, steganography, forensics, reverse engineering, and web challenges. It argues that participating provides free training, is fun, helps improve skills, allows competitive testing of skills, and can help with recruitment and stress testing teams.
Improving Network Intrusion Detection with Traffic DenoiseMiroslav Stampar
This document discusses improving network intrusion detection systems by filtering out "noise" from real threats. It proposes collecting data from multiple sensors on different IP ranges to identify traffic that is seen across many networks, which is likely noise rather than targeted attacks. By ignoring or lowering the severity of events originating from noisy IP addresses found on public blacklists or seen across different sensor networks, the system could focus alerts on real adversaries and reduce the number of false alarms. An experimental system using these techniques saw a 35-37% reduction in total events and threats after filtering noise. Further development could help security teams prioritize real network threats.
These are the slides from a guest talk "2014 – Year of Broken Name Generator(s)" held at Faculty of Electrical Engineering and Computing 2015 (Croatia / Zagreb 16th January 2015) by Miroslav Stampar
This document discusses the history and techniques of buffer overflow exploits. It begins with an overview of stack-based and heap-based buffer overflows and vulnerable code. It then details the history of buffer overflow exploitation from 1961 to present day. The rest of the document explains techniques used to exploit buffer overflows such as DEP/NX, ASLR, stack canaries, NOP sleds, return-to-libc, egg hunting, heap spraying, and return-oriented programming. It also discusses defenses implemented by operating systems like SEHOP, SafeSEH, and safe functions.
These are the slides from a guest talk "Hash DoS Attack" held at Faculty of Electrical Engineering and Computing 2014 (Croatia / Zagreb 17th January 2014) by Miroslav Stampar
This document describes a case study of discovering and exploiting a SQL injection vulnerability. Over the course of three days, the researcher tested various parameters of a web application using sqlmap and custom payloads. After initial failures, the researcher realized the application was using Windows Search and leveraged its Advanced Query Syntax to conduct file queries and infer file contents. This allowed retrieving a local web.config file containing a SQL Server password. The researcher concluded that thorough manual analysis is needed to fully understand vulnerabilities beyond just using automated scanners.
These are the slides from a talk "Heuristic methods
used in sqlmap" held at FSec 2013 conference (Croatia / Varazdin 19th September 2013) by Miroslav Stampar
This document summarizes sqlmap, an open source penetration testing tool used for detecting and exploiting SQL injection flaws. It discusses sqlmap's features such as supporting large data dumps, storing session data, XML payload and query formats, multithreading, direct database connections, loading requests from files, form and site crawling, authentication, detection of reflection and dynamic content, and fingerprinting of databases and web servers.
These are the slides from a talk "Spot the Web Vulnerability" held at Hacktivity 2012 conference (Hungary / Budapest 12th–13th October 2012) by Miroslav Stampar.
These are the slides from a talk "Analysis of mass SQL injection attacks" held at FSec 2012 conference (Croatia / Varazdin 21st September 2012) by Miroslav Stampar
These are the slides from a talk "DNS exfiltration using sqlmap" held at PHDays 2012 conference (Russia / Moscow 30th–31st May 2012) by Miroslav Stampar.
It all starts with the ' (SQL injection from attacker's point of view)Miroslav Stampar
These are the slides from a talk "It all starts with the ' (SQL injection from attacker's point of view)" held at FSec 2011 conference (Croatia / Varazdin 22nd September 2011) by Miroslav Stampar
This document provides an overview of sqlmap, an open source penetration testing tool that automates the detection and exploitation of SQL injection vulnerabilities. It discusses the creators and history of the tool, its main features like database enumeration and takeover functionalities, and techniques for detecting different types of SQL injections like blind, error-based, union queries, and time delays. Examples of how each technique works are also provided.
Discover the benefits of outsourcing SEO to Indiadavidjhones387
"Discover the benefits of outsourcing SEO to India! From cost-effective services and expert professionals to round-the-clock work advantages, learn how your business can achieve digital success with Indian SEO solutions.
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...APNIC
Adli Wahid, Senior Internet Security Specialist at APNIC, delivered a presentation titled 'Honeypots Unveiled: Proactive Defense Tactics for Cyber Security' at the Phoenix Summit held in Dhaka, Bangladesh from 23 to 24 May 2024.
These are the slides from a guest talk "2014 – Year of Broken Name Generator(s)" held at Faculty of Electrical Engineering and Computing 2015 (Croatia / Zagreb 16th January 2015) by Miroslav Stampar
This document discusses the history and techniques of buffer overflow exploits. It begins with an overview of stack-based and heap-based buffer overflows and vulnerable code. It then details the history of buffer overflow exploitation from 1961 to present day. The rest of the document explains techniques used to exploit buffer overflows such as DEP/NX, ASLR, stack canaries, NOP sleds, return-to-libc, egg hunting, heap spraying, and return-oriented programming. It also discusses defenses implemented by operating systems like SEHOP, SafeSEH, and safe functions.
These are the slides from a guest talk "Hash DoS Attack" held at Faculty of Electrical Engineering and Computing 2014 (Croatia / Zagreb 17th January 2014) by Miroslav Stampar
This document describes a case study of discovering and exploiting a SQL injection vulnerability. Over the course of three days, the researcher tested various parameters of a web application using sqlmap and custom payloads. After initial failures, the researcher realized the application was using Windows Search and leveraged its Advanced Query Syntax to conduct file queries and infer file contents. This allowed retrieving a local web.config file containing a SQL Server password. The researcher concluded that thorough manual analysis is needed to fully understand vulnerabilities beyond just using automated scanners.
These are the slides from a talk "Heuristic methods
used in sqlmap" held at FSec 2013 conference (Croatia / Varazdin 19th September 2013) by Miroslav Stampar
This document summarizes sqlmap, an open source penetration testing tool used for detecting and exploiting SQL injection flaws. It discusses sqlmap's features such as supporting large data dumps, storing session data, XML payload and query formats, multithreading, direct database connections, loading requests from files, form and site crawling, authentication, detection of reflection and dynamic content, and fingerprinting of databases and web servers.
These are the slides from a talk "Spot the Web Vulnerability" held at Hacktivity 2012 conference (Hungary / Budapest 12th–13th October 2012) by Miroslav Stampar.
These are the slides from a talk "Analysis of mass SQL injection attacks" held at FSec 2012 conference (Croatia / Varazdin 21st September 2012) by Miroslav Stampar
These are the slides from a talk "DNS exfiltration using sqlmap" held at PHDays 2012 conference (Russia / Moscow 30th–31st May 2012) by Miroslav Stampar.
It all starts with the ' (SQL injection from attacker's point of view)Miroslav Stampar
These are the slides from a talk "It all starts with the ' (SQL injection from attacker's point of view)" held at FSec 2011 conference (Croatia / Varazdin 22nd September 2011) by Miroslav Stampar
This document provides an overview of sqlmap, an open source penetration testing tool that automates the detection and exploitation of SQL injection vulnerabilities. It discusses the creators and history of the tool, its main features like database enumeration and takeover functionalities, and techniques for detecting different types of SQL injections like blind, error-based, union queries, and time delays. Examples of how each technique works are also provided.
Discover the benefits of outsourcing SEO to Indiadavidjhones387
"Discover the benefits of outsourcing SEO to India! From cost-effective services and expert professionals to round-the-clock work advantages, learn how your business can achieve digital success with Indian SEO solutions.
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...APNIC
Adli Wahid, Senior Internet Security Specialist at APNIC, delivered a presentation titled 'Honeypots Unveiled: Proactive Defense Tactics for Cyber Security' at the Phoenix Summit held in Dhaka, Bangladesh from 23 to 24 May 2024.
Securing BGP: Operational Strategies and Best Practices for Network Defenders...APNIC
Md. Zobair Khan,
Network Analyst and Technical Trainer at APNIC, presented 'Securing BGP: Operational Strategies and Best Practices for Network Defenders' at the Phoenix Summit held in Dhaka, Bangladesh from 23 to 24 May 2024.
HijackLoader Evolution: Interactive Process HollowingDonato Onofri
CrowdStrike researchers have identified a HijackLoader (aka IDAT Loader) sample that employs sophisticated evasion techniques to enhance the complexity of the threat. HijackLoader, an increasingly popular tool among adversaries for deploying additional payloads and tooling, continues to evolve as its developers experiment and enhance its capabilities.
In their analysis of a recent HijackLoader sample, CrowdStrike researchers discovered new techniques designed to increase the defense evasion capabilities of the loader. The malware developer used a standard process hollowing technique coupled with an additional trigger that was activated by the parent process writing to a pipe. This new approach, called "Interactive Process Hollowing", has the potential to make defense evasion stealthier.
1. WARNING:WARNING:
Do Not Feed the BearsDo Not Feed the Bears
Miroslav Štampar
(mstampar@zsis.hr; miroslav@sqlmap.org)
WARNING:WARNING:
Do Not Feed the BearsDo Not Feed the Bears
Miroslav Štampar
(mstampar@zsis.hr; miroslav@sqlmap.org)
2. BSidesLjubljana 0x7E1, Ljubljana (Slovenia) March 10th, 2017 2
ContextContext
Croatian Government CERT
Dealing with vast diversity of different
incidents (e.g. ransomware, defacements, DoS
attacks, etc.)
Most interesting (by far) are APT attacks
“Have you noticed anything strange with your
computer lately? -Nope. Though, IE with Twitter
is popping out here and there… and I don’t use
Twitter” (recent APT incident)
We are part of NATO and EU – hence, natural
target of “advanced persistent threats”
3. BSidesLjubljana 0x7E1, Ljubljana (Slovenia) March 10th, 2017 3
IntroductionIntroduction
In January got two (forwarded) suspicious
emails with question “was this an attack?”
August (Bulletin.doc - bigger) and November
(Operation_in_Mosul.doc - smaller) of 2016
Originally addressed to one “sensitive”
government institution, hence, we expected
the “unexpected”
Attachments were Microsoft Office documents
(.doc), regular attacking vector in this kind of
(spear) phishing attacks
In majority of cases, malicious Macros are
used, while in this case, there were no Macros
30. BSidesLjubljana 0x7E1, Ljubljana (Slovenia) March 10th, 2017 30
nshwmpfs.dll (string (de)obfuscation)nshwmpfs.dll (string (de)obfuscation)
31. BSidesLjubljana 0x7E1, Ljubljana (Slovenia) March 10th, 2017 31
nshwmpfs.dll (what it is all about?)nshwmpfs.dll (what it is all about?)
Reconnaissance (first stage) malware (aka.
JHUHUGIT)
Downloading, execution and deletion of
arbitrary files
Collects basic data about the infected system
and sends it (in encrypted form) to C&C
In case that C&C server and/or operator finds
the system “interesting” leaves command for
downloading of second stage malware
Second stage malware: SPLM (aka Xagent, aka
CHOPSTICK) and AZZY (aka. ADVSTORESHELL,
NETUI, EVILTOSS)
34. BSidesLjubljana 0x7E1, Ljubljana (Slovenia) March 10th, 2017 34
Related workRelated work
Palo Alto Networks, “‘DealersChoice’ is Sofacy’s
Flash Player Exploit Platform”, Oct. 2016.
Palo Alto Networks, “Let It Ride: The Sofacy
Group’s DealersChoice Attacks Continue”, Dec.
2016.
FireEye, “CVE-2016-4117: Flash Zero-Day
Exploited in the Wild”, May. 2016.
SonicWall, “Adobe Type Confusion Vulnerability
CVE-2015-7645 Exploits in the Wild”, 2016.
Trend Micro, “A Look Into Adobe Flash Player
CVE-2016-1019 Zero-Day Attack”, Apr. 2016.