The document describes Windows Credentials Editor (WCE), a tool that manipulates Windows logon sessions to dump and modify credentials in memory. WCE has two main features - it can dump in-memory credentials like usernames, domains, and NTLM hashes from current, future, and terminated logon sessions; and it supports pass-the-hash by allowing changes to NTLM credentials or creation of new logon sessions with arbitrary credentials. The document discusses two methods WCE could use - directly calling authentication package APIs, which requires running code in LSASS; or reading LSASS memory to locate logon session and credential structures and decrypt credentials without injecting code.
The document discusses Automatic Reference Counting (ARC) in Objective-C, including how it manages memory by retaining and releasing objects. It covers key ARC concepts like strong and weak references, nil assignment, autorelease pools, and how ARC eliminated the need for manual memory management with retain, release, and autorelease. The document also provides examples of how memory management differs between non-ARC and ARC code.
Wtf is happening_inside_my_android_phone_public (Jaime Blasco)
The document discusses the architecture and analysis of Android malware called Red Bunny or ADRD. It was discovered in 2011 sending device information like IMEI and IMSI to command and control servers. The malware uses encryption, sets an HTTP proxy, and sends specially crafted headers. It decrypts responses and executes commands depending on the decrypted value.
Security and performance designs for client-server communications (WO Community)
This document provides an overview of security and performance designs for client-server communications. It discusses using WebObjects without an extra web server, login authentication options like MD5 and RSA encryption, setting native process security, and designing Java WO to native server protocols. It also covers streaming content to web clients, server-based preview generation, and XML communication between iOS apps and WebObjects.
The document describes a program for a multi-client chat client-server application using Java graphical programming. It includes the code for the ChatServer class that handles connections from multiple clients and broadcasts messages. It also includes the code for the ChatClient class that allows a client to connect to the server, send and receive messages, and view an online users list. The program allows for real-time text communication between multiple clients connected to a central server.
Windows OS is an interesting beast. As it is a popular choice both for desktop users and enterprise environments, it is worth knowing how it works under the hood. During this presentation we will have a look into how Windows Internals work and how to use them to our advantage.
- Practical exercises on using threads with TCP
- References
YouTube link:
https://www.youtube.com/playlist?list=PLtDIUAtyP4lhV7CsYfLuIx26UeG4J-ujZ
GitHub:
https://github.com/Ghadeerof
This document provides an overview of using Puppet to manage Windows configurations. It discusses the Puppet Resource Abstraction Layer (RAL) and Windows-specific resources. It also covers modules, profiles, roles, Hiera for data separation, and some examples including configuring domain membership, BGInfo, antivirus software, logon messages, local administrators, Windows Firewall, filesystem ACLs, time configuration, and monitoring agents. The document concludes with an example role configuration and encourages attendees to try out the example code.
The document describes a network programming report on a Java chat application. It includes the code for a Server class that implements a threaded server to handle multiple client connections simultaneously. The server opens a port to listen for clients and spins up a new thread for each accepted connection. It then reads and writes data between the server and client over buffered input/output streams. The report notes issues with messages from one client not being visible to others and connection errors that can occur between the client and server.
This document describes a multi-client chat client-server application created using Java socket programming. It includes the code for the ChatServer.java and ChatClient.java classes. The ChatServer class handles multiple client connections and broadcasts messages to all connected clients. The ChatClient class represents the graphical client interface that connects to the server and allows users to send and receive chat messages. The application allows for multiple clients to simultaneously chat by connecting to a central chat server.
«Objective-C Runtime by Example» — Alexey Storozhev, e-Legion
The goal of the talk is to inspire developers to study the capabilities of the Objective-C Runtime more deeply, to show ways of investigating the system, and to encourage the audience to experiment.
The talk shows several examples of using the Objective-C Runtime to solve atypical tasks. The first example is a hand-rolled implementation of simple KVO, done in three different ways. The second example shows the usefulness of investigating private classes. It explains how, at run time, to obtain information about the IBOutlets and IBActions wired up in xib and storyboard files. Each example highlights implementation peculiarities and shows options for solving or working around them.
ICE is an object-oriented distributed middleware platform that provides features like RPC, a language-neutral specification language called Slice, language mappings, support for transports like TCP and UDP, services for server activation and firewall traversal, and integration with persistence and threading. Developing applications with ICE involves writing Slice definitions, generating code from Slice, implementing servers that activate objects, and writing clients that make calls to servers. The process is demonstrated through a sample counter service application.
The document discusses key aspects of how the Java Virtual Machine (JVM) executes Java programs. It describes the launcher, class loading process, bytecode verification, class initialization, just-in-time compilation, threads, synchronization, memory management including garbage collection, and how exceptions and native methods are handled. Troubleshooting techniques like hs_err logs are also mentioned. The JVM performs complex optimizations to efficiently run Java programs.
This document summarizes key topics around HTML, CSS, JavaScript and Windows 8 development. It discusses the Windows Runtime, navigation patterns, asynchronous programming with promises, memory management, unit testing and the file system API. JavaScript threading, blocking vs non-blocking code, and libraries like jQuery are also covered at a high-level.
Jafka is a fast and lightweight message queue system that is implemented as a single 271KB JAR file. It uses Zookeeper for coordination and has dependencies on common Java libraries like Log4j and Jackson. Jafka aims to eventually become a full implementation of Apache Kafka with features like persistence, high throughput processing of millions of messages per second, load balancing and a simple message format. It currently focuses on providing basic queue functionality through a simple producer/consumer model.
NancyFX is a lightweight web framework for .NET. It emphasizes convention over configuration, testability, and customizability. Nancy modules handle requests and responses. The framework uses pipelines to run code before, after, and on errors. Dependency injection can be configured to resolve dependencies. Routing and model binding are supported. Views can be rendered from code or partial views. Authentication and authorization can be added. NancyFX aims to have minimal overhead and be easy to get started with while running on .NET Core.
This document discusses concurrency and threads in Java. It begins by explaining how to create threads using the Thread class or Runnable interface. It then covers thread states, scheduling, and synchronization to prevent race conditions. Key points include how threads can run concurrently but share resources like memory, the use of synchronized methods to allow only one thread access at a time, and monitors that control access to objects.
What is a Blockchain?
Why do we need such technology? What can it do for us…
How does Blockchain work…
Python Implementation of a Blockchain.
Intro to IBM Hyperledger.
Use case scenarios and real world usage, besides digital money.
2013 syscan360 yuki_chen_syscan360_exploit your java native vulnerabilities o... (chen yuki)
This document describes three methods for exploiting a Java native vulnerability on Windows 7 with JRE 7 to bypass data execution prevention and address space layout randomization. The first method uses information leakage to conduct return-oriented programming. The second overwrites the length of a Java array and the access control context of a statement object. The third method sprays Java just-in-time compiled functions to control the instruction pointer and execute shellcode. Examples and limitations of each method are provided. In conclusion, the document recommends choosing an exploitation method based on the vulnerability and system configuration.
Mathilde Lemée & Romain Maton
Theory is good, but practice is too!
Come join us to discover the depths of Node.js!
We will use a hands-on example to give you a complete first experience with Node.js and let you form your own opinion of this JavaScript server that everyone is talking about!
http://soft-shake.ch/2011/conference/sessions/incubator/2011/09/01/hands-on-nodejs.html
The document discusses three methods for importing SQL scripts using Hibernate:
1. Specify the import file in hibernate.cfg.xml using the classpath location
2. Directly specify the file path to import.sql
3. Implement a listener to convert the SQL file to the proper encoding on application startup
The document discusses best practices for securely implementing cryptography and discusses common cryptography algorithms and implementations such as hashing, symmetric encryption, asymmetric encryption, and password hashing. It emphasizes using proven implementations like those in Django and OpenSSL and enabling HTTPS to securely transmit data. The document also cautions that securely managing cryptographic keys is critical for encryption to provide security.
You may all know that JSON is a subset of JavaScript, but... Did you know that HTML5 implements NoSQL databases? Did you know that JavaScript was recommended for REST by Roy T. Fielding himself? Did you know that map & reduce are part of the native JavaScript API? Did you know that most NoSQL solutions integrate a JavaScript engine? CouchDB, MongoDB, WakandaDB, ArangoDB, OrientDB, Riak... And when they don't, they have a shell client which does...
The story of NoSQL and JavaScript goes beyond your expectations and opens more opportunities than you might imagine... What better match could you find than a flexible and dynamic language for schemaless databases? Isn't an event-driven language what you were waiting for to manage eventual consistency? When NoSQL doesn't come to JavaScript, JavaScript comes to NoSQL, and does it very well...
Exploit IE using scriptable ActiveX controls, English version (chen yuki)
This document describes using scriptable ActiveX controls in Internet Explorer to bypass EMET protections without using shellcode. It details how to leverage a memory corruption vulnerability to modify a "safe mode flag" in IE's scripting engine, allowing normally restricted ActiveX controls to be called from JavaScript. The technique works in IE 8-11 by setting the flag to 0. In IE11, extra checks are bypassed by forcing loading of an older scripting DLL. A proof-of-concept exploit code is provided.
You may all know that JSON is a subset of JavaScript, but… Did you know that HTML5 implements NoSQL databases? Did you know that JavaScript was recommended for REST by HTTP co-creator Roy T. Fielding himself? Did you know that map & reduce are part of the native JavaScript API? Did you know that most NoSQL solutions integrate a JavaScript engine? CouchDB, MongoDB, WakandaDB, ArangoDB, OrientDB, Riak…. And when they don’t, they have a shell client which does. The story of NoSQL and JavaScript goes beyond your expectations and opens more opportunities than you might imagine… What better match could you find than a flexible and dynamic language for schemaless databases? Isn’t an event-driven language what you’ve been waiting for to manage consistency? When NoSQL doesn’t come to JavaScript, JavaScript comes to NoSQL. And does it very well.
JS Fest 2019. Thomas Watson. Post-Mortem Debugging in Node.js (JSFestUA)
Post-Mortem debugging is a really powerful technique that allows you, through the use of several tools, to take a memory dump when an issue occurs in your application and later analyze it offline.
The talk will primarily focus on llnode and how you can use this tool to better understand why a Node.js process is behaving oddly or is crashing.
Riak at The NYC Cloud Computing Meetup Group (siculars)
Riak is a distributed key-value store inspired by Dynamo. It is homogeneous, with a single key space and is distributed and replicated across nodes. Riak aims to provide predictable scalability and high availability while allowing for some flexibility in consistency versus availability tradeoffs. It uses a ring topology and vector clocks to manage data distribution and conflict resolution. Riak supports schemaless data storage and provides features like links for basic graph capabilities and map/reduce functions for querying data.
The Ring programming language version 1.2 book - Part 51 of 84 (Mahmoud Samir Fayed)
This document discusses using the Objects library for building RingQt applications. The library provides an object-oriented approach to managing GUI objects and connecting events. It supports creating multiple windows from the same controller class. Key points:
- The Open_Window() function opens new windows from controller classes derived from WindowsControllerParent.
- Views are defined in classes derived from WindowsViewParent and contain a 'win' attribute for the GUI object.
- Method() determines the controller method executed on events.
- Last_Window() returns the last opened window controller for calling methods like SetParentObject().
- Controller classes contain CloseAction() by default to close windows.
An example creates a main window with
The document discusses performing digital forensics investigations using open source tools. It covers the major steps of the process: data acquisition, examination, and report preparation. For data acquisition, it describes how to gather volatile system data like memory dumps and network traffic, as well as disk images. For examination, it discusses forensic analysis software like The Sleuth Kit and Autopsy, analyzing memory dumps with Volatility, and examining network traffic with Wireshark. It also provides examples of timeline creation and registry analysis.
By using specially crafted parameters in double quotes, it is possible to bypass the input validation of the Oracle dbms_assert package and inject SQL code. This allows dozens of already patched Oracle vulnerabilities to be exploited again across versions 8.1.7.4 to 10.2.0.2. The researcher notified Oracle of the problem in April 2006. To mitigate risks, privileges like CREATE PROCEDURE should be revoked to prevent injection of malicious functions or procedures.
This document describes a new method for exploiting PL/SQL injection without needing to create functions or procedures. It involves injecting a pre-compiled cursor using the DBMS_SQL package to execute arbitrary SQL. The attacker can use this to grant privileges to themselves or create their own functions without any system privileges beyond CREATE SESSION. It provides an example exploiting the SDO_DROP_USER_BEFORE trigger in Oracle to gain DBA privileges in this way without needing CREATE PROCEDURE permission.
The document discusses database forensics and analysis techniques. It introduces current challenges, available tools, and new approaches using external tables to preserve metadata when collecting evidence. Typical patterns seen in database objects like SYS.USER$ are shown, like multiple accounts with login attempts or similar lock times indicating password guessing. Timeline creation is demonstrated to combine data from different sources.
Santorini is a popular Greek island located in the Cyclades islands in the southern Aegean Sea. It formed from volcanic explosions that left the island with steep cliffs surrounding a central caldera filled with water. The island is home to around 7,000 residents spread across 10 villages and has a temperate climate. Santorini has archaeological sites from the Minoan era and was devastated by a massive volcanic eruption around 1600 BC. Tourism is now the main industry, attracting thousands of visitors each year to see the scenic caldera views and sunset from towns like Oia and Fira.
The document discusses how Windows Credentials Editor (WCE) can be used to obtain credentials stored in memory on Windows systems, allowing an attacker to steal usernames and hashes to perform pass-the-hash attacks without cracking passwords. WCE enables bypassing common pre-exploitation techniques by directly using harvested credentials. Leaving logon sessions disconnected rather than logged off can leave credentials exposed in memory as "zombie sessions".
This document provides an overview of database security platforms and the evolution of this market. Some key points:
- Database security platforms have evolved beyond just monitoring database activity and now incorporate features like vulnerability assessment, user rights management, data discovery/filtering, and blocking capabilities.
- The increased scope of monitoring coverage and additional security features mean "Database Activity Monitoring" is no longer an accurate term - these solutions are now more appropriately called "Database Security Platforms."
- These platforms consolidate multiple database security tools into a single solution and can monitor both relational and non-relational databases as well as multiple database types.
- Vendors are beginning to differentiate their database security platforms based on primary use cases
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menaceFelipe Prado
The document discusses various ways that authentication tokens can be abused to bypass security protections. It describes how some implementations of token parsing and signature verification are vulnerable to arbitrary code execution or information disclosure attacks due to inconsistencies in how signing keys and security tokens are resolved from token metadata. Specific attacks are demonstrated against Windows Communication Foundation, Windows Identity Foundation, and SharePoint Server due to differences in how key and token resolution are handled for signature verification versus token authentication.
This document provides an overview of lateral movement techniques in Windows systems using credentials. It discusses authentication methods like NTLM and Kerberos, how logon sessions and access tokens are created, and how an attacker can leverage pass-the-hash, pass-the-ticket, and other techniques to authenticate as other users without needing their passwords. It demonstrates how runas and other tools can be used to create new processes under a different user identity. The goal is to understand how credentials are handled in Windows and how an attacker can manipulate logon sessions and access tokens to perform lateral movement.
This document discusses SSL certificates, including their purpose for server/client authentication and secure data transfer. It covers the process of requesting, signing, installing and verifying certificates from both Certificate Authorities (CAs) and self-signing. The different types of SSL certificates - DV, OV and EV - are explained along with OpenSSL tools, certificate structure, chain of trust, trust stores, certificate pinning and free certificate options like Let's Encrypt.
- The document discusses securing Windows NT systems by reviewing the NT security architecture, known vulnerabilities, and methods for exploiting them. It provides guidance on hardening NT security through measures like reducing unnecessary services, restricting file and registry permissions, and enforcing stronger passwords. System administrators can assess their security posture using various scanning and auditing tools to detect vulnerabilities, non-compliant configurations, and potential security breaches.
InSecure Remote Operations - NullCon 2023 by Yossi SassiYossi Sassi
- The document discusses remote operations and credential exposure during remote management. It highlights the use of various living off the land techniques like RPC, WMI, PSRemoting and RDP.
- It provides tips for preventing lateral movement without dedicated security products by leveraging configurations like LogonWorkstations to restrict where accounts can logon.
- The key takeaways are to embrace a living off the land mindset, be aware of credential exposure risks during remote operations, and that single configurations can be effective for preventing issues like lateral movement when properly configured and monitored.
Securing Microservices using Play and Akka HTTPRafal Gancarz
Going down the microservices route makes a lot of things around creating and maintaining large systems easier but it comes at a cost too, particularly associated with challenges around security. While securing monolithic applications was a relatively well understood area, the same can't be said about microservice based architectures.
This presentation covers how implementing microservices affects the security of distributed systems, outlines pros and cons of several standards and common practices and offers practical suggestions for securing microservice based systems using Play and Akka HTTP.
Keystone is the identity service for OpenStack. It handles authentication, authorization, and managing service catalogs and endpoints. Keystone provides a user directory and authentication mechanism for other OpenStack services to use. It supports user management, project/tenant isolation, role-based access control and token validation. Keystone uses pluggable backends like SQL, LDAP or Memcached to store user and credential data.
This document discusses certificate issuance and validation using PyOpenSSL. It provides code samples for issuing certificates by loading a certificate request, setting fields on the certificate object, and signing it with a CA private key. It also discusses setting extensions when issuing subordinate CA certificates and validation of certificates through certification path validation and signature validation of each certificate in the chain. Signature validation requires verifying the signature with the CA public key rather than using a single OpenSSL function.
Talk Venue: BSides Tampa 2020
Speakers: Mike Felch & Joff Thyer
This talk will focus on the many different ways that a penetration tester, or Red Teamer can leverage the Python programming language during offensive operations. Python is a rich and powerful programming language which above all else allows a competent developer to very quickly write new tools that might start as a Proof of Concept, but soon become an invaluable addition to the Red Teamer's tool-belt. Having the skills to both generate new tools, and modify existing tools on the fly is critically important to agility during testing engagement. Everything from utility processing of data, network protocol, API interaction, and exploit development can be rapidly developed due to the high functionality level and intuitive nature of Python.
Passbolt Introduction and Usage for secret managmentThierry Gayet
The document provides instructions on how to use the Passbolt command line interface tool to extract secrets from a Passbolt server. It explains how to install the go-passbolt-cli tool, lists available commands like get and create, and provides an example of using the tool to get help and specify required flags like --serverAddress, --userPassword, and --userPrivateKeyFile to authenticate and retrieve secrets.
Apache Shiro, a simple easy-to-use framework to enforce user security by Shiro PMC Chair and Stormpath CTO, Les Hazlewood.
http://shiro.apache.org
http://stormpath.com
Attackers can quietly move laterally within networks by first gaining initial access, such as through phishing, then using tools and techniques to discover and access other systems on the network. This includes using powershell to run code without touching disks, download payloads from remote systems, and inject shellcode. It also involves using tools like mimikatz to dump credentials and move access from one system to another to gain higher privileges. The goal is often to compromise domain controllers to access domain admin credentials and gain full control.
Codetainer: a Docker-based browser code 'sandbox'Jen Andre
Codetainer is a browser-based sandbox for running Docker containers. It allows users to "try 'X' in your browser" for any X by running Docker containers in an isolated and programmable manner directly in the browser. Codetainer uses Docker APIs to launch and manage lightweight containers via a Go-based API server. Users can create and register Docker images, launch "codetainers" from those images, and interact with the codetainers through the browser via websockets, viewing terminals and sending keystrokes. Codetainer aims to provide a secure and flexible environment for use cases like tutorials, training, and remote management while addressing challenges around container introspection and security.
Rails security best practices involve defending at multiple layers including the network, operating system, web server, web application, and database. The document outlines numerous vulnerabilities at the web application layer such as information leaks, session hijacking, SQL injection, mass assignment, unscoped finds, cross-site scripting (XSS), cross-site request forgery (CSRF), and denial-of-service attacks. It provides recommendations to address each vulnerability through secure coding practices and configuration in Rails.
Attackers can laterally move within a network after gaining initial access to one system. Lateral movement involves using techniques like credential dumping, privilege escalation, and PowerShell to access additional systems on the network. Attackers aim to compromise high-value systems like domain controllers to gain domain administrator privileges and full network access. They leverage tools like Mimikatz to dump passwords, PowerShell Empire for remote access, and PowerSploit to automate common post-exploitation tasks during lateral movement. Monitoring PowerShell activity and patching vulnerabilities can help detect and prevent lateral movement.
Lateral Movement: How attackers quietly traverse your NetworkEC-Council
After successfully attacking an endpoint and gaining a foothold there, sophisticated attackers know that to get to the valuable data within an organization they must quietly pivot. From reconnaissance to escalation of privileges to stealing credentials, learn about the tactics and tools that attackers are using today.
In the rush to release a new product, a new version or simply trying to get things working, security can sometimes be an afterthought. In this talk, Ben Bromhead CTO of Instaclustr, will explore the various ways in which you can setup and secure Cassandra appropriately for your threat environmen
Similar to Wce internals rooted_con2011_ampliasecurity (20)
This document discusses a vulnerability in Oracle databases that allows privilege escalation from CREATE USER privileges to SYSDBA privileges. It provides code examples demonstrating how a user with CREATE USER privileges can create a function with the same name as a built-in SYS function to override the namespace and elevate their privileges when SYS executes the function. The document outlines best practices for prevention, including not logging in as SYS, closely monitoring CREATE USER privileges, and using a tool like Sentrigo Hedgehog for advanced monitoring and alerts. It also provides recommendations for forensic response if privilege escalation occurs.
1. The document discusses SSH tricks and configuration tips for securing SSH connections and servers. It provides examples of SSH client-side one-liners and ways to quickly set up an SSH server.
2. SSH is a secure network protocol for exchanging data between networked devices. The document outlines ways to lock down SSH servers and clients through configuration files and access controls.
3. The document shows examples of SSH port forwarding, tunnels, and other one-liners that can enable remote access or administration through SSH connections.
The document discusses a Layer 7 DDOS attack called an HTTP POST attack. It works by sending legitimate HTTP POST requests to a server but slowly sending the content over an extended period, tying up server resources. This attack is more effective than the HTTP GET Slowloris attack as it fully sends the HTTP headers immediately, bypassing defenses against Slowloris. The attack code example shows how it generates random content lengths and sends payload bytes slowly over time to perform the DDOS attack.
This document summarizes optimizations to TLS/SSL including False Start, Snap Start, and defenses against the BEAST attack. False Start allows the client to send application data before receiving the server's Finished message to reduce latency. Snap Start uses cached handshake parameters to further reduce latency. However, both introduce security risks. The BEAST attack exploits TLS CBC encryption and IV reuse, but can be prevented by changing the encryption mode or adding padding.
The document provides an overview of practical cryptography and the GPG/PGP encryption tools. It discusses symmetric and public key cryptography theory. It then demonstrates how to use GPG/PGP to generate keys, encrypt and decrypt files, digitally sign documents, verify signatures, and distribute public keys through a key server. It also discusses how the web of trust model works to validate identities through in-person key signing after carefully verifying a user's identity.
Kyle Young presents on SSH tricks and configuration tips. He discusses the history and uses of SSH, how to securely connect to SSH servers by verifying fingerprints, and ways to lock down SSH servers and clients through configuration files like sshd_config and ssh_config. He also shares some useful SSH client-side one-liners.
This document describes padding oracle attacks on cryptographic hardware devices that allow encrypted keys to be imported. It presents two types of attacks: 1) An improved Bleichenbacher attack that exploits RSA PKCS#1v1.5 padding to reveal an imported private key in an average of 49,000 oracle queries. 2) An adaptation of the Vaudenay CBC attack to reveal keys encrypted with CBC and PKCS#5 padding. It demonstrates these attacks on commercial security tokens, smartcards, and electronic ID cards to reveal stored cryptographic keys.
The document discusses proper password hashing methods for securely storing passwords. It begins by stating that most websites currently do not properly store passwords, either in plaintext or with a single hash without salt. This is irresponsible. The document then discusses proper hashing methods that should be used, including adding salt, using key derivation functions like PBKDF2, ARC4PBKDF2, and bcrypt. PBKDF2 works by repeatedly hashing the password with a salt, while ARC4PBKDF2 additionally encrypts the password and hashes with an evolving ARC4 stream for added complexity. Bcrypt is also an adaptive function that works similarly to PBKDF2 but in a more complicated way. The document
This document proposes a new method for improving the cryptanalytic time-memory trade-off technique. The original technique, introduced by Hellman in 1980, precomputes ciphertexts to reduce cryptanalysis time at the cost of memory usage. The new method reduces the number of calculations needed during cryptanalysis by a factor of two compared to the existing approach using distinguished points. As an example, the new method can crack 99.9% of Windows password hashes in 13.6 seconds using 1.4GB of precomputed data, much faster than the 101 seconds taken by the existing approach.
This document provides an introduction and overview of threading and concurrency in Perl. It begins with definitions of threads and concurrency basics. It then discusses Perl's implementation of threads since version 5.6, noting that global variables are non-shared by default and sharing must be explicit. The document outlines various threading primitives and synchronization mechanisms in Perl like locks, condition variables, and shows examples of building thread-safe data structures like queues. It concludes with best practices and implementing other common synchronization primitives.
The document is a series of lines repeatedly stating "Author: Bill Buchanan". It does not contain any other substantive information in the content. The author of the document is Bill Buchanan, as his name is listed on every line.
This document discusses various network security concepts including firewalls, proxies, NAT, and VPNs. It provides examples of network infrastructures using different types of firewalls such as packet filtering, stateful, and proxy firewalls. It also discusses standard and extended access control lists (ACLs) used with firewalls to filter traffic. Finally, it covers network address translation (NAT) and port address translation (PAT) which help hide private network addresses from the public internet.
Snort is an open source intrusion detection and prevention system that uses rules written in its own language to inspect network traffic in real-time, detect anomalous activity, and generate alerts. It works by matching packets against signatures in its rules database to identify attacks and exploits, and can detect protocol anomalies, custom signatures, and payload analysis. Snort rules allow it to detect specific patterns in network traffic including payload signatures, TCP flags, and port numbers to identify malicious activity.
The document discusses various types of denial of service (DoS) attacks including layer 4 distributed denial of service (DDoS) attacks using botnets, layer 7 attacks that can be carried out by a single attacker, and link local attacks using fraudulent IPv6 router advertisements. It also profiles various hacktivist groups that have carried out such attacks and outlines defenses against DoS attacks like ModSecurity, load balancing, and router advertisement guard.
This document is the user's manual for sqlmap, an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. The manual provides information on installing and using sqlmap, including requirements, basic usage, supported features, techniques, and numerous configuration options for optimization, injection, detection, enumeration and brute forcing capabilities.
The document is a report from Arbor Networks that analyzes data from a survey of over 500 network operators regarding infrastructure security threats in 2011. Some key findings include:
- Distributed denial-of-service (DDoS) attacks were considered the most significant operational threat. Application-layer DDoS attacks using HTTP floods were most common.
- The largest reported DDoS attacks exceeded 100 Gbps in bandwidth. Major online gaming and gambling sites were frequently targeted.
- Most respondents experienced multiple DDoS attacks per month and detected increased awareness of the DDoS threat over the previous year.
- Network traffic detection, classification, and event correlation tools were commonly used to identify attacks and trace sources. DDo
Digital Banking in the Cloud: How Citizens Bank Unlocked Their MainframePrecisely
Inconsistent user experience and siloed data, high costs, and changing customer expectations – Citizens Bank was experiencing these challenges while it was attempting to deliver a superior digital banking experience for its clients. Its core banking applications run on the mainframe and Citizens was using legacy utilities to get the critical mainframe data to feed customer-facing channels, like call centers, web, and mobile. Ultimately, this led to higher operating costs (MIPS), delayed response times, and longer time to market.
Ever-changing customer expectations demand more modern digital experiences, and the bank needed to find a solution that could provide real-time data to its customer channels with low latency and operating costs. Join this session to learn how Citizens is leveraging Precisely to replicate mainframe data to its customer channels and deliver on their “modern digital bank” experiences.
What is an RPA CoE? Session 1 – CoE VisionDianaGray10
In the first session, we will review the organization's vision and how this has an impact on the COE Structure.
Topics covered:
• The role of a steering committee
• How do the organization’s priorities determine CoE Structure?
Speaker:
Chris Bolin, Senior Intelligent Automation Architect Anika Systems
Discover top-tier mobile app development services, offering innovative solutions for iOS and Android. Enhance your business with custom, user-friendly mobile applications.
Driving Business Innovation: Latest Generative AI Advancements & Success StorySafe Software
Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency.
During the hour, we’ll take you through:
Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board.
Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes.
Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI.
We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI.
This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor IvaniukFwdays
At this talk we will discuss DDoS protection tools and best practices, discuss network architectures and what AWS has to offer. Also, we will look into one of the largest DDoS attacks on Ukrainian infrastructure that happened in February 2022. We'll see, what techniques helped to keep the web resources available for Ukrainians and how AWS improved DDoS protection for all customers based on Ukraine experience
Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfChart Kalyan
A Mix Chart displays historical data of numbers in a graphical or tabular form. The Kalyan Rajdhani Mix Chart specifically shows the results of a sequence of numbers over different periods.
5th LF Energy Power Grid Model Meet-up SlidesDanBrown980551
5th Power Grid Model Meet-up
It is with great pleasure that we extend to you an invitation to the 5th Power Grid Model Meet-up, scheduled for 6th June 2024. This event will adopt a hybrid format, allowing participants to join us either through an online Mircosoft Teams session or in person at TU/e located at Den Dolech 2, Eindhoven, Netherlands. The meet-up will be hosted by Eindhoven University of Technology (TU/e), a research university specializing in engineering science & technology.
Power Grid Model
The global energy transition is placing new and unprecedented demands on Distribution System Operators (DSOs). Alongside upgrades to grid capacity, processes such as digitization, capacity optimization, and congestion management are becoming vital for delivering reliable services.
Power Grid Model is an open source project from Linux Foundation Energy and provides a calculation engine that is increasingly essential for DSOs. It offers a standards-based foundation enabling real-time power systems analysis, simulations of electrical power grids, and sophisticated what-if analysis. In addition, it enables in-depth studies and analysis of the electrical power grid’s behavior and performance. This comprehensive model incorporates essential factors such as power generation capacity, electrical losses, voltage levels, power flows, and system stability.
Power Grid Model is currently being applied in a wide variety of use cases, including grid planning, expansion, reliability, and congestion studies. It can also help in analyzing the impact of renewable energy integration, assessing the effects of disturbances or faults, and developing strategies for grid control and optimization.
What to expect
For the upcoming meetup we are organizing, we have an exciting lineup of activities planned:
-Insightful presentations covering two practical applications of the Power Grid Model.
-An update on the latest advancements in Power Grid -Model technology during the first and second quarters of 2024.
-An interactive brainstorming session to discuss and propose new feature requests.
-An opportunity to connect with fellow Power Grid Model enthusiasts and users.
Your One-Stop Shop for Python Success: Top 10 US Python Development Providersakankshawande
Simplify your search for a reliable Python development partner! This list presents the top 10 trusted US providers offering comprehensive Python development services, ensuring your project's success from conception to completion.
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/temporal-event-neural-networks-a-more-efficient-alternative-to-the-transformer-a-presentation-from-brainchip/
Chris Jones, Director of Product Management at BrainChip , presents the “Temporal Event Neural Networks: A More Efficient Alternative to the Transformer” tutorial at the May 2024 Embedded Vision Summit.
The expansion of AI services necessitates enhanced computational capabilities on edge devices. Temporal Event Neural Networks (TENNs), developed by BrainChip, represent a novel and highly efficient state-space network. TENNs demonstrate exceptional proficiency in handling multi-dimensional streaming data, facilitating advancements in object detection, action recognition, speech enhancement and language model/sequence generation. Through the utilization of polynomial-based continuous convolutions, TENNs streamline models, expedite training processes and significantly diminish memory requirements, achieving notable reductions of up to 50x in parameters and 5,000x in energy consumption compared to prevailing methodologies like transformers.
Integration with BrainChip’s Akida neuromorphic hardware IP further enhances TENNs’ capabilities, enabling the realization of highly capable, portable and passively cooled edge devices. This presentation delves into the technical innovations underlying TENNs, presents real-world benchmarks, and elucidates how this cutting-edge approach is positioned to revolutionize edge AI across diverse applications.
How information systems are built or acquired puts information, which is what they should be about, in a secondary place. Our language adapted accordingly, and we no longer talk about information systems but applications. Applications evolved in a way to break data into diverse fragments, tightly coupled with applications and expensive to integrate. The result is technical debt, which is re-paid by taking even bigger "loans", resulting in an ever-increasing technical debt. Software engineering and procurement practices work in sync with market forces to maintain this trend. This talk demonstrates how natural this situation is. The question is: can something be done to reverse the trend?
Main news related to the CCS TSI 2023 (2023/1695)Jakub Marek
An English 🇬🇧 translation of a presentation to the speech I gave about the main changes brought by CCS TSI 2023 at the biggest Czech conference on Communications and signalling systems on Railways, which was held in Clarion Hotel Olomouc from 7th to 9th November 2023 (konferenceszt.cz). Attended by around 500 participants and 200 on-line followers.
The original Czech 🇨🇿 version of the presentation can be found here: https://www.slideshare.net/slideshow/hlavni-novinky-souvisejici-s-ccs-tsi-2023-2023-1695/269688092 .
The videorecording (in Czech) from the presentation is available here: https://youtu.be/WzjJWm4IyPk?si=SImb06tuXGb30BEH .
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving
Manufacturing custom quality metal nameplates and badges involves several standard operations. Processes include sheet prep, lithography, screening, coating, punch press and inspection. All decoration is completed in the flat sheet with adhesive and tooling operations following. The possibilities for creating unique durable nameplates are endless. How will you create your brand identity? We can help!
In the realm of cybersecurity, offensive security practices act as a critical shield. By simulating real-world attacks in a controlled environment, these techniques expose vulnerabilities before malicious actors can exploit them. This proactive approach allows manufacturers to identify and fix weaknesses, significantly enhancing system security.
2. What is WCE?
• Windows Credentials Editor v1.0
• Manipulates Windows Logon Sessions
• Evolution of the Pass-the-Hash Toolkit (also written by me)
• WCE v1.1 to be published after this is over
3. WCE features
• Dump in-memory credentials of logon sessions
– Lists in-memory logon sessions
• Dumps in-memory username, domain, LM & NT hashes
• Current, future and terminated (…)
– Great to ‘steal’ credentials not stored locally
4. WCE features
• Pass-The-Hash
– Change/delete NTLM credentials of logon sessions
– Create new logon sessions and associate arbitrary NTLM credentials
5. WCE features
• Does not require code injection to dump in-memory credentials (v1.1)
– No need to run code inside LSASS.EXE
– Can locate, list and decrypt Logon Sessions and NTLM credentials just by reading memory
6. WCE features
• Single executable (wce.exe)
– Easier to use, upload, etc.
• Supports
– Windows XP
– Windows 2003
– Windows Vista
– Windows 7
– Windows 2008
7. How does it work?
• Windows NT Logon and authentication model
[Diagram: Logon Processes -> LSA -> Authentication Packages]
8. Windows NT Logon and Authentication Model
[Diagram: WINLOGON.EXE -> LSA AUTH API (LSASRV.DLL) -> MSV1_0.DLL (NTLM AUTH PKG), …; LSASRV.DLL and the authentication packages run inside LSASS.EXE]
9. Windows NT Logon and Authentication Model: NTLM
[Diagram: WINLOGON.EXE hands the NTLM CREDS to msv1_0.dll!LsaApLogonUser/Ex/Ex2() inside LSASS.EXE, which:
• Authenticates user
• Creates logon session (LUID)
• Adds credentials to the Logon Session]
17. Windows NT Logon and Authentication Model: NTLM in detail
WINLOGON.EXE:
LUID luid = LsaLogonUser( …,MSV1_0_PACKAGE_ID,… )
msv1_0.dll!LsaApLogonUser/Ex/Ex2():
• Create logon session
• Authenticates against local SAM or AD
• msv1_0.dll!NlpAddPrimaryCredential(LUID, [username, domain, LM/NT hashes],…)
• Lsasrv.dll!AddCredential(LUID,…)
18. ‘Use Auth Package API’ Implementation Method: Summary
• Find by ‘signatures’ and heuristics
– MSV1_0.DLL!NlpAddPrimaryCredential
– MSV1_0.DLL!NlpDeletePrimaryCredential
– MSV1_0.DLL!NlpGetPrimaryCredential
• Run code inside LSASS.EXE
– Call *PrimaryCredential functions
• LSASRV.DLL functions are not called directly, e.g.:
– MSV1_0.DLL!NlpAddPrimaryCredential() -> LSASRV.DLL!AddCredential()
• No need to encrypt/decrypt credentials
22. ‘Use Auth Package API’ Implementation Method: working with Session Isolation
23. ‘Use Auth Package API’ Implementation Method: working with Session Isolation
[Diagram: WCE.EXE (Session 1) injects code into LSASS.EXE (Session 0); the INJECTED CODE calls msv1_0.dll!NlpAddPrimaryCredential, etc.]
24. ‘Use Auth Package API’ Implementation Method: working with Session Isolation
25. ‘Use Auth Package API’ Implementation Method: working with Session Isolation
26. ‘Use Auth Package API’ Implementation Method: working with Session Isolation
27. ‘Use Auth Package API’ Implementation Method: working with Session Isolation
(Note: CreateRemoteThread() is not the only way to inject & run code...)
28. ‘Use Auth Package API’ Implementation Method: working with Session Isolation
• Windows Vista/7/2008
– NTDLL.DLL!NtCreateThreadEx
• Windows XP/2003
– RDP / Terminal Services
– Create a Windows Service and do everything there
• WCE.EXE also acts as a Windows Service
– Installs, starts, stops and removes itself
– IPC via Named Pipe
29. ‘Read LSASS Memory’ Implementation Method
• No need to run code inside LSASS.EXE (SUPER SAFE!)
– ReadProcessMemory() only!
• Reverse engineer inner workings of LSASS.EXE (LSASRV.DLL)
– Structures used internally to hold logon sessions
– Structures used internally to hold credentials
– Structures used internally to hold NTLM hashes
• Decrypt credentials
– Find keys
– Algorithm
– Anything else needed to decrypt (e.g.: IV)
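Both implementation methods leave distinct host telemetry: the injection path (slides 23 to 28) starts a thread inside LSASS.EXE, while the read-memory path only needs a process handle with PROCESS_VM_READ. As an added example that is not part of the original slides or of WCE itself, this Python check runs that distinction over constructed Sysmon-style ProcessAccess (Event ID 10) and CreateRemoteThread (Event ID 8) records; the flattened record format, file paths and GrantedAccess values are constructed for illustration.

```python
import re

# Process access rights from winnt.h; Sysmon reports the requested mask in GrantedAccess.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
INJECT_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Constructed Sysmon-style records, not real telemetry. EventID 10 = ProcessAccess,
# EventID 8 = CreateRemoteThread. Fields are flattened to key=value for this example.
SAMPLE_EVENTS = [
    "EventID=10 SourceImage=C:\\Temp\\wce.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1410",
    "EventID=10 SourceImage=C:\\Windows\\System32\\svchost.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1000",
    "EventID=8 SourceImage=C:\\Temp\\wce.exe TargetImage=C:\\Windows\\System32\\lsass.exe StartModule=- StartFunction=-",
    "EventID=10 SourceImage=C:\\Temp\\wce.exe TargetImage=C:\\Windows\\System32\\notepad.exe GrantedAccess=0x1410",
]


def parse_event(line):
    """Split one flattened record into a dict of field name -> value."""
    return dict(re.findall(r"(\w+)=(\S*)", line))


def classify(event):
    """Return a finding label for activity against lsass.exe, or None if nothing stands out."""
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return None
    if event["EventID"] == "8":
        # A thread started in LSASS from another process: the code-injection path
        # (CreateRemoteThread / NtCreateThreadEx) described on the slides.
        return "lsass-remote-thread"
    if event["EventID"] == "10":
        access = int(event["GrantedAccess"], 16)
        if access & INJECT_RIGHTS:
            return "lsass-handle-with-inject-rights"
        if access & PROCESS_VM_READ:
            # ReadProcessMemory() needs PROCESS_VM_READ: the "read LSASS memory" path.
            return "lsass-memory-read"
    return None


def scan(lines):
    """Run classify() over a batch of records and return (label, source image) pairs."""
    findings = []
    for line in lines:
        event = parse_event(line)
        label = classify(event)
        if label is not None:
            findings.append((label, event["SourceImage"]))
    return findings


if __name__ == "__main__":
    for label, source in scan(SAMPLE_EVENTS):
        print(f"{label}: {source}")
```

A real deployment keeps an allow-list of legitimate lsass.exe readers (antivirus and EDR sensors also open handles with PROCESS_VM_READ), so the SourceImage is what turns these labels into alerts.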
32. Implementation: LsaEncryptMemory()
Lsasrv.dll!LsaEncryptMemory()
• Windows XP/2003: encrypted with desX-CBC or RC4
– If mod(size/8) == 0 => desX-CBC
– Otherwise use RC4
• Windows Vista/7/2008: encrypted with 3DES-CBC or AES-128-CFB
– If mod(size/8) == 0 => 3DES-CBC
– Otherwise use 3DES-CBC
NTLM_CREDS_BLOCK
• Windows XP/2003: encrypted with desX-CBC
• Windows Vista/7/2008: encrypted with 3DES-CBC
35. Implementation: crypto functions used
Windows XP/2003
• Uses custom desX-CBC implementation
– Located in LSASRV.DLL
– Is not an API
– Not exported by any Win32 DLL
Windows Vista/7/2008
• Uses Cryptography API: Next Generation (CNG)
– Exported by BCRYPT.DLL
– BCryptOpenAlgorithmProvider
– BCryptSetProperty / BCryptGetProperty
– BCryptGenRandom
– BCryptGenerateSymmetricKey
– BCryptEncrypt / BCryptDecrypt
36. Implementation
• desX-cbc ‘trick’ – ‘Reuse’ LsaEncryptMemory CODE!
[Diagram: two processes, LSASS.EXE and PROCESS.EXE, each with its own copy of LSASRV.DLL; for each copy the CODE (LsaEncryptMemory()) and the DATA it uses (IV, DESXTABLE) are shown side by side]
39. Implementation
Finding the encryption key (Vista/7/2008)
• BCRYPT_KEY_HANDLE hKey
– hKey = Pointer to Memory Block (BLOB)
– hKey + 0x3C => encryption key
• To extract key, read from LSASS.EXE (LSASRV.DLL)
– ((unsigned char*)h3DesKey) + 0x3C
– ((unsigned char*)hAesKey) + 0x3C
40. Implementation
Finding the encryption key (Vista/7/2008)
• Actually, offset changes between OSes
– hKey + 0x3C => encryption key (Win7)
– hKey + 0x2C => encryption key (Win2008)
• To be safe, I ‘discover’ the offset at runtime
– I wrote a custom function for that: ‘KeyDiscoverOffset()’
41. Implementation
Finding the encryption key (Vista/7/2008)
• KeyDiscoverOffset()
– Uses CNG API to create key object with hard-coded key
– Look for hard-coded key inside BLOB pointed to by BCRYPT_KEY_HANDLE
[Diagram: BCryptGenerateSymmetricKey(..., ”KKKKKKKK…”) returns BCRYPT_KEY_HANDLE hKey, which points to a BLOB; the BLOB starts at +0h, holds the bytes KKKKKKKK… at +3Ch, and continues with further fields at +...h]
42. Implementation
Finding the IV (Vista/7/2008)
• IV is also needed
• To extract IV
– Read IV from LSASS.EXE (LSASRV.DLL) memory
– Symbol ‘InitializationVector’
• With IV and Key, just use CNG
– BCryptDecrypt and friends
– No need to run code inside LSASS.EXE
44. Implementation: Addresses Needed
• Database of addresses
– ID by SHA1 hash of LSASRV.DLL
• Yes, addresses are still an issue..
• But..
– Getlsasrvaddr.exe to the rescue..
45. GetLSASRVADDR.exe
• Finds needed addresses automatically
• User-friendly
– No IDC script, IDA or anything weird like that is needed
• Uses Microsoft symbol server
– Requires http outbound connection (!)
• Associates addresses and DLLs using SHA1
47. GetLSASRVADDR.exe
• Could be integrated with WCE but..
– The outbound connection might be an issue
– Huge DLLs that are not there by default are needed
• Symsrv.dll and dbghelp.dll (new version, not the default one)
• Could implement own version of the ‘symbol server’ protocol
• Or perhaps it is best to use heuristics..
48. Implementation: ASLR and Windows Vista/7/2008
• LSASRV.DLL addresses and ASLR
– Not an issue..
– To locate symbols don’t use hard-coded addresses
– Use offsets instead
– ASLR is just at boot time
– Get current LSASRV.DLL base address at run-time and add offset
49. WCE execution flow (simplified)
[Flowchart nodes: START; List Creds?; CurSessionID == LSASessionID?; Install/Run/Use WCE Service; XP/2003 -> INJECT CODE; Vista/7/2008 -> READ MEM; END]
50. WCE vs PTH
Feature: WCE / PTH
• Supports Windows Vista/7/2008: YES / NO
• Single executable: YES / NO (PTH: many executables, need to upload dll, etc.)
• Delete NTLM Credentials: YES / NO
• Works with session isolation (e.g.: via RDP): YES / NO
• Programmatic discovery of new LSASRV addresses (via getlsasrvaddr): YES / NO
• Seamlessly chooses code injection or reading from memory: YES / NO
51. Conclusions
• WCE v1.1
– More features and OSes supported
– Works via RDP/Terminal Services
– No code injection needed
– Better solution for ‘addresses issue’
– ‘zombie’ logon sessions and credentials still around in Windows 7 and family..
– Download WCE v1.1!
• http://www.ampliasecurity.com/research/wce_v1_1.tgz
52. ‘zombie’ logon sessions and credentials
[Diagram: a Domain Admin opens an RDP/Terminal Services connection to Some Server (e.g.: a backup server nobody cares about); that server keeps a Logon Session holding the Domain Admin’s NTLM CREDS in memory, which an Attacker with access to the server can read]