The document discusses how Windows Credentials Editor (WCE) can be used to obtain credentials stored in memory on Windows systems, allowing an attacker to steal usernames and hashes to perform pass-the-hash attacks without cracking passwords. WCE enables bypassing common pre-exploitation techniques by directly using harvested credentials. Leaving logon sessions disconnected rather than logged off can leave credentials exposed in memory as "zombie sessions".
Jugal Parikh, Microsoft
Holly Stewart, Microsoft
Humans are susceptible to social engineering. Machines are susceptible to tampering. Machine learning is vulnerable to adversarial attacks. Singular machine learning models can be âgamedâ leading to unexpected outcomes.
In this talk, weâll compare the difficulty of tampering with cloud-based models and client-based models. We then discuss how we developed stacked ensemble models to make our machine learning defenses less susceptible to tampering and significantly improve overall protection for our customers. We talk about the diversity of our base ML models and technical details on how they are optimized to handle different threat scenarios. Lastly, weâll describe suspected tampering activity weâve witnessed using protection telemetry from over half a billion computers, and whether our mitigation worked.
Zisis Sialveras, CENSUS S.A
This presentation focuses on modern exploitation techniques for VMware
Workstation guest's virtual graphics device in order to achieve code
execution on the host operating system. There will be in-depth analysis
of VMware's graphics pipeline and its implementation details from an
attacker's point of view. Specifically, the talk will cover how VMware
bootstraps the virtual graphics device and how its behavior is affected by
the host and guest operating systems. Once the graphics device is ready, the
so-called SVGA thread is waiting for user commands. The presentation will
enumerate the available ways to issue commands from the guest in order for
them to be processed by the SVGA thread in host context.
VMware uses the SVGA3D protocol to communicate with the guest operating
system (frontend interface). Commands sent by a guest user are processed
by the host operating system using one of the available backend
interfaces. The backend interface is selected with respect to the host
operating system; this talk will focus on Windows hosts. Concepts used by both
the frontend and the backend interfaces will be explained as well. Furthermore,
there will be a discussion of VMware's internal objects and how they can be
abused in order to develop novel primitives that are valuable assets for
exploiting a memory corruption vulnerability. The aforementioned primitives
include a reliable way to spray the host's heap, a way to leak memory from
the host, and of course, a way to execute arbitrary code in host
context. Finally, this purely offensive talk will conclude with a
demonstration of those techniques using a public (patched) VMware
vulnerability on Windows 10.
A Xen MIPS port implementation will be presented. In particular, major techniques used for cpu and memory para-virtualization on top of xen and linux will be presented. The major changes in xen hypervisor, xen tools and linux will be illustrated. The challenges, main issues we faced and solutions we applied will be discussed. Overall porting status and next steps will also be discussed.
Learn about IBM Ported Tools for z/OS: OpenSSH User's Guide. This document presents the information you need to set up and use IBM Ported Tools for z/OS: OpenSSH. This document is for system programmers who run a z/OS system with z/OS UNIX System Services (z/OS UNIX), and for their users who use IBM Ported Tools for z/OS: OpenSSH. On other open systems, some system programmer tasks might be done by an administrator. For more information on IBM System z, visit http://ibm.co/PNo9Cb.
Visit http://bit.ly/KWh5Dx to 'Follow' the official Twitter handle of IBM India Smarter Computing.
USENIX OSDI 2012 Poster "Nested Virtual Machines andăProxies for Easily ImplementableăRollback of Secure Communication" by Kuniyasu Suzaki, Kengo Iijima, Akira Tanaka, and Yutaka Oiwa, AIST: National Institute of Advanced Industrial Science and Technology; Etsuya Shibayama, The University of Tokyo
A Deep Dive into Apache Cassandra for .NET DevelopersLuke Tillman
Â
.NET developers have a lot of options when it comes to databases these days. Apache Cassandra is a scalable, fault-tolerant database that has already found its way into more than 25% of the Fortune 100 and continues to grow in popularity. But what makes it different from the myriad of other options available? In this talk, weâll take a deep dive into Cassandra and learn about:
- Cassandraâs internals and how it works
- CQL (the SQL-like query language for Cassandra)
- Data Modeling like a pro
- Tools available for developers
- Writing .NET code that talks to Cassandra
If thereâs time and interest, weâll finish up with how some companies are already using Cassandra to power services you probably interact with in your daily life. Youâll leave with all the tools you need to start build highly available .NET applications and services on top of Cassandra.
Wrangling with the Ghost: An Inside Story of Mitigating Speculative Execution...Priyanka Aash
Â
2018 started off with a bang as the world was introduced to a new class of hardware vulnerability which became known as Meltdown and Spectre. New classes of vulnerabilities are exceedingly rare and this one came with ramifications for the security boundaries that web browsers, operating systems, and cloud providers rely on for isolation to protect customer data. Now, rewind back to the summer of 2017. This disclosure and the industry response were months in the making. A new class of vulnerability comes with challenges rarely mounted and the need to pull back to examine our thinking.
In this presentation, we will describe Microsoft's approach to researching and mitigating speculative execution side channel vulnerabilities. This approach involved bringing experts from across Microsoft, hiring an industry expert to accelerate our understanding of the issues, and collaborating across the industry in a way not done previously. This team presentation between Microsoft and G DATA will provide a firsthand account of the engineering centric work done and the collaboration necessary to mitigate these issues. We will describe the taxonomy and framework we created which provided the industry foundation for reasoning about this new vulnerability class. This work built on the initial researcher reports and expanded into a larger understanding of the issues. Using this foundation, we will describe the mitigations that Microsoft developed and the impact they have on Spectre and Meltdown.
Santorini is a popular Greek island located in the Cyclades islands in the southern Aegean Sea. It formed from volcanic explosions that left the island with steep cliffs surrounding a central caldera filled with water. The island is home to around 7,000 residents spread across 10 villages and has a temperate climate. Santorini has archaeological sites from the Minoan era and was devastated by a massive volcanic eruption around 1600 BC. Tourism is now the main industry, attracting thousands of visitors each year to see the scenic caldera views and sunset from towns like Oia and Fira.
Jugal Parikh, Microsoft
Holly Stewart, Microsoft
Humans are susceptible to social engineering. Machines are susceptible to tampering. Machine learning is vulnerable to adversarial attacks. Singular machine learning models can be âgamedâ leading to unexpected outcomes.
In this talk, weâll compare the difficulty of tampering with cloud-based models and client-based models. We then discuss how we developed stacked ensemble models to make our machine learning defenses less susceptible to tampering and significantly improve overall protection for our customers. We talk about the diversity of our base ML models and technical details on how they are optimized to handle different threat scenarios. Lastly, weâll describe suspected tampering activity weâve witnessed using protection telemetry from over half a billion computers, and whether our mitigation worked.
Zisis Sialveras, CENSUS S.A
This presentation focuses on modern exploitation techniques for VMware
Workstation guest's virtual graphics device in order to achieve code
execution on the host operating system. There will be in-depth analysis
of VMware's graphics pipeline and its implementation details from an
attacker's point of view. Specifically, the talk will cover how VMware
bootstraps the virtual graphics device and how its behavior is affected by
the host and guest operating systems. Once the graphics device is ready, the
so-called SVGA thread is waiting for user commands. The presentation will
enumerate the available ways to issue commands from the guest in order for
them to be processed by the SVGA thread in host context.
VMware uses the SVGA3D protocol to communicate with the guest operating
system (frontend interface). Commands sent by a guest user are processed
by the host operating system using one of the available backend
interfaces. The backend interface is selected with respect to the host
operating system; this talk will focus on Windows hosts. Concepts used by both
the frontend and the backend interfaces will be explained as well. Furthermore,
there will be a discussion of VMware's internal objects and how they can be
abused in order to develop novel primitives that are valuable assets for
exploiting a memory corruption vulnerability. The aforementioned primitives
include a reliable way to spray the host's heap, a way to leak memory from
the host, and of course, a way to execute arbitrary code in host
context. Finally, this purely offensive talk will conclude with a
demonstration of those techniques using a public (patched) VMware
vulnerability on Windows 10.
A Xen MIPS port implementation will be presented. In particular, major techniques used for cpu and memory para-virtualization on top of xen and linux will be presented. The major changes in xen hypervisor, xen tools and linux will be illustrated. The challenges, main issues we faced and solutions we applied will be discussed. Overall porting status and next steps will also be discussed.
Learn about IBM Ported Tools for z/OS: OpenSSH User's Guide. This document presents the information you need to set up and use IBM Ported Tools for z/OS: OpenSSH. This document is for system programmers who run a z/OS system with z/OS UNIX System Services (z/OS UNIX), and for their users who use IBM Ported Tools for z/OS: OpenSSH. On other open systems, some system programmer tasks might be done by an administrator. For more information on IBM System z, visit http://ibm.co/PNo9Cb.
Visit http://bit.ly/KWh5Dx to 'Follow' the official Twitter handle of IBM India Smarter Computing.
USENIX OSDI 2012 Poster "Nested Virtual Machines andăProxies for Easily ImplementableăRollback of Secure Communication" by Kuniyasu Suzaki, Kengo Iijima, Akira Tanaka, and Yutaka Oiwa, AIST: National Institute of Advanced Industrial Science and Technology; Etsuya Shibayama, The University of Tokyo
A Deep Dive into Apache Cassandra for .NET DevelopersLuke Tillman
Â
.NET developers have a lot of options when it comes to databases these days. Apache Cassandra is a scalable, fault-tolerant database that has already found its way into more than 25% of the Fortune 100 and continues to grow in popularity. But what makes it different from the myriad of other options available? In this talk, weâll take a deep dive into Cassandra and learn about:
- Cassandraâs internals and how it works
- CQL (the SQL-like query language for Cassandra)
- Data Modeling like a pro
- Tools available for developers
- Writing .NET code that talks to Cassandra
If thereâs time and interest, weâll finish up with how some companies are already using Cassandra to power services you probably interact with in your daily life. Youâll leave with all the tools you need to start build highly available .NET applications and services on top of Cassandra.
Wrangling with the Ghost: An Inside Story of Mitigating Speculative Execution...Priyanka Aash
Â
2018 started off with a bang as the world was introduced to a new class of hardware vulnerability which became known as Meltdown and Spectre. New classes of vulnerabilities are exceedingly rare and this one came with ramifications for the security boundaries that web browsers, operating systems, and cloud providers rely on for isolation to protect customer data. Now, rewind back to the summer of 2017. This disclosure and the industry response were months in the making. A new class of vulnerability comes with challenges rarely mounted and the need to pull back to examine our thinking.
In this presentation, we will describe Microsoft's approach to researching and mitigating speculative execution side channel vulnerabilities. This approach involved bringing experts from across Microsoft, hiring an industry expert to accelerate our understanding of the issues, and collaborating across the industry in a way not done previously. This team presentation between Microsoft and G DATA will provide a firsthand account of the engineering centric work done and the collaboration necessary to mitigate these issues. We will describe the taxonomy and framework we created which provided the industry foundation for reasoning about this new vulnerability class. This work built on the initial researcher reports and expanded into a larger understanding of the issues. Using this foundation, we will describe the mitigations that Microsoft developed and the impact they have on Spectre and Meltdown.
Santorini is a popular Greek island located in the Cyclades islands in the southern Aegean Sea. It formed from volcanic explosions that left the island with steep cliffs surrounding a central caldera filled with water. The island is home to around 7,000 residents spread across 10 villages and has a temperate climate. Santorini has archaeological sites from the Minoan era and was devastated by a massive volcanic eruption around 1600 BC. Tourism is now the main industry, attracting thousands of visitors each year to see the scenic caldera views and sunset from towns like Oia and Fira.
The document describes Windows Credentials Editor (WCE), a tool that manipulates Windows logon sessions to dump and modify credentials in memory. WCE has two main features - it can dump in-memory credentials like usernames, domains, and NTLM hashes from current, future, and terminated logon sessions; and it supports pass-the-hash by allowing changes to NTLM credentials or creation of new logon sessions with arbitrary credentials. The document discusses two methods WCE could use - directly calling authentication package APIs, which requires running code in LSASS; or reading LSASS memory to locate logon session and credential structures and decrypt credentials without injecting code.
This document describes a new method for exploiting PL/SQL injection without needing to create functions or procedures. It involves injecting a pre-compiled cursor using the DBMS_SQL package to execute arbitrary SQL. The attacker can use this to grant privileges to themselves or create their own functions without any system privileges beyond CREATE SESSION. It provides an example exploiting the SDO_DROP_USER_BEFORE trigger in Oracle to gain DBA privileges in this way without needing CREATE PROCEDURE permission.
By using specially crafted parameters in double quotes, it is possible to bypass the input validation of the Oracle dbms_assert package and inject SQL code. This allows dozens of already patched Oracle vulnerabilities to be exploited again across versions 8.1.7.4 to 10.2.0.2. The researcher notified Oracle of the problem in April 2006. To mitigate risks, privileges like CREATE PROCEDURE should be revoked to prevent injection of malicious functions or procedures.
The document discusses performing digital forensics investigations using open source tools. It covers the major steps of the process: data acquisition, examination, and report preparation. For data acquisition, it describes how to gather volatile system data like memory dumps and network traffic, as well as disk images. For examination, it discusses forensic analysis software like The Sleuth Kit and Autopsy, analyzing memory dumps with Volatility, and examining network traffic with Wireshark. It also provides examples of timeline creation and registry analysis.
The document discusses database forensics and analysis techniques. It introduces current challenges, available tools, and new approaches using external tables to preserve metadata when collecting evidence. Typical patterns seen in database objects like SYS.USER$ are shown, like multiple accounts with login attempts or similar lock times indicating password guessing. Timeline creation is demonstrated to combine data from different sources.
Etude Statistique d'un mois de VulnĂŠrabilitĂŠs en AfriqueValdes Nzalli
Â
De plus en plus d'ĂŠquipements se retrouvent de nos jours connectĂŠ Ă Internet, la baisse
des prix de la bande passante aidant, il est dorĂŠnavant plus facile d'hĂŠberger par
exemple un service soit mĂŞme. Mais cette croissance n'est pas la mĂŞme pour les
mesures de sĂŠcuritĂŠ appliquĂŠes aux ĂŠquipements connectĂŠs. Notre exposĂŠ aura pour
but de rĂŠvĂŠler les statistiques d'un audit de l'internet en Afrique sur une durĂŠe
mensuelle. Il nous a ainsi ĂŠtĂŠ possible d'identifier plusieurs cas comme les machines
membres de botnets, des serveur ouverts au public mais non patchĂŠs et bien d'autres.
De ces rÊsultats nous avons fait un classement par pays, Application, Système,... ainsi
que leur frĂŠquence.
PrÊsentation passÊe lors de l'atelier sur le thème "RÊseaux Sociaux et SÊcuritÊ" pour le compte de Cameroon Cyber Security avec les Êtudiant de la FacultÊ de GÊnie Industriel de Douala!
PĂŠnĂŠtration de l'Internet en Afrique : Qu'en est-il des ĂŠquipements ?Valdes Nzalli
Â
Cette prĂŠsentation sera l'occasion de rendre publique une ĂŠtude en cours sur les
statistiques de connexion des ĂŠquipements sur l'Internet Africain au cours d'une pĂŠriode
dĂŠfinie. Dans les pays d'Afrique combien d'appareils sont-ils connectĂŠs en matinĂŠe?
en journĂŠe ? Ă midi ? quel type de devices sont-ils les plus utilisĂŠs pour se connecter en
fonction des pays ?
Collaboration Between Infosec Community and CERT Teams : Project Sonar caseValdes Nzalli
Â
Along with their day-to-day duties, CERT/CSIRT teams need to be aware about the security state of their subscribers/clients. My goal here is to present this initiative named "Project Sonar", started by many members of the Infosec Community. Also, i would like to present an use case in which the collaboration between the CERT/CSIRT team and the Infosec Community can be more profitable for all of us. This use case will be based on an analysis of some data provided by Project Sonar.
Internet et Vie PrivÊe Analyse des comportements en Afrique après PRISMValdes Nzalli
Â
Suite aux rĂŠvĂŠlations sur les programmes de renseignement massif des agences
Gouvernementales outre-mer en Juin dernier, les rĂŠactions de part et d'autres se sont fait
entendre un peu partout et en particulier dans la sphère Internet Africaine.
Cette Etude est une enquĂŞte sur les issues gĂŠnĂŠrĂŠes par cet ĂŠtat de choses ;
notamment savoir quelles ont ĂŠtĂŠ les mesures mises en place par les gouvernements,
Entreprises et Internautes Africains pour ce prÊmunir de ce phÊnomène. Par ailleurs,
il sera question de savoir quel est l'impact et l'efficacitĂŠ des mesures prises par les uns
et les autres. Sont-elle efficientes?! comment peuvent-elle ĂŞtre amĂŠliorĂŠe ? sont lĂ les
questions qui trouverons rĂŠponses au cours de cet exposĂŠ.
This document provides an overview of database security platforms and the evolution of this market. Some key points:
- Database security platforms have evolved beyond just monitoring database activity and now incorporate features like vulnerability assessment, user rights management, data discovery/filtering, and blocking capabilities.
- The increased scope of monitoring coverage and additional security features mean "Database Activity Monitoring" is no longer an accurate term - these solutions are now more appropriately called "Database Security Platforms."
- These platforms consolidate multiple database security tools into a single solution and can monitor both relational and non-relational databases as well as multiple database types.
- Vendors are beginning to differentiate their database security platforms based on primary use cases
Abusing Microsoft Kerberos - Sorry you guys donât get itE Hacking
Â
This document discusses abusing Microsoft Kerberos authentication. It begins with introductions of the presenters Alva "Skip" Duckwall and Benjamin Delpy. It then outlines what will be covered, including Windows Active Directory, mimikatz, NTLM hashes, Kerberos, pass-the-hash/keys/tickets and Golden Tickets. It also notes there will be 3 live demonstrations.
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
Â
This document discusses abusing Microsoft Kerberos authentication. It provides an overview of how Kerberos authentication works, obtaining users' Kerberos keys from Active Directory or client memory, and using those keys to authenticate as the user without their password through techniques like Pass-the-Hash and Overpass-the-Hash. It also demonstrates these techniques live using mimikatz to dump keys and authenticate with captured keys.
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)Nate Lawson
Â
Analysis of virtualized rootkit detection methods. Introduces "Samsara", our framework for detecting virtualization and an implementation of data/instruction TLB sizing, HPET timer, and VT errata tests. We predict the future will be cat-and-mouse, where each side analyzes and responds to the behavior of their opponent, ad infinitum. Joint talk given with Thomas Ptacek and Peter Ferrie.
This document discusses using SSH to create secure tunnels through firewalls and between mutually firewalled hosts in 3 main ways:
1) Dynamic port forwarding with SOCKS allows flexible forwarding of any protocol by redirecting destination addresses. This gets around limitations of static port forwarding.
2) "Gateway cryptography" creates an independent encrypted path between client and server by using remote port forwarding to bypass firewall restrictions and authenticate separately.
3) SLIRP/PPTP over SSH can provide a user-mode VPN by forwarding SLIRP or PPTP encapsulated in SSH, without requiring root on both sides. This allows Windows clients to connect remotely through bastion hosts.
This document describes features and architecture for secure mobile virtualization using Xen on ARM processors. It discusses CPU and memory virtualization techniques used to isolate guest domains, including paravirtualization, domain access control registers, and TLB lockdown. The system boot process loads Xen and domain 0 before creating additional guest domains via a user-level application and domain control driver. Experiments were conducted using Xen to virtualize a mini-OS on QEMU's Goldfish ARM emulator platform.
The document discusses various techniques used in Windows malware, including memory residency, modular design, DLL injection, beaconing, internal communication channels like named pipes, attacking Active Directory by dumping hashes and using golden tickets, and living off the land tools. It provides examples of code and demonstrations for many of the techniques. The goal is to understand malware development for defensive purposes like designing better defenses and gaining insight into future threats.
This document summarizes TCPKali, a tool for stress testing and introspecting WebSockets. TCPKali can generate high volumes of WebSocket traffic to test systems handling hundreds of millions of events per second from global users. It allows establishing many idle connections, limiting connection bandwidth, and constructing non-standard WebSocket frames to test edge cases. TCPKali provides developer visibility into traffic through options to dump TCP I/O, measure latency, and export metrics. While not a security or distributed testing tool, its high speed and developer-friendly interface make it suitable for debugging systems under large-scale WebSocket loads.
The document discusses Windows authentication methods and their vulnerabilities. It provides details on how passwords are hashed and stored for different Windows versions. While NTLMv2 and Kerberos provide stronger authentication, LM hashes, NTLMv1, and NTLM authentication are vulnerable to dictionary attacks due to using static challenges. The document also describes how tools like rainbow tables and network sniffers can crack passwords hashes or capture authentication packets.
This document discusses techniques for post-exploitation using Metasploit. It covers maintaining presence on a compromised system by examining users and processes. It also discusses achieving persistence through techniques like dropping executable files and modifying autoruns. Pivoting is covered as moving laterally such as relaying NTLM authentication or abusing trust relationships. Specific demonstrations are provided like exploiting an suid misconfiguration on Nmap or using a LNK file drop combined with SMB relay. The document emphasizes developing reliable and readable Metasploit modules to automate post-exploitation tasks.
This document provides an overview and summary of key concepts around virtualization that will be covered in more depth at a technical deep dive session, including:
- Virtualization capabilities for desktops/laptops and servers including workstation virtualization and server consolidation.
- How virtual machines work and the overhead associated with virtualization.
- Properties of virtualization like partitioning, isolation, and encapsulation.
- Benefits of server virtualization like consolidation, simpler management, and automated resource pooling.
- Comparison of "hosted" and vSphere virtualization architectures.
- Technologies used in virtualization like binary translation, hardware assistance from Intel VT/AMD-V.
- Ability to virtualize CPU intensive applications with
The document describes Windows Credentials Editor (WCE), a tool that manipulates Windows logon sessions to dump and modify credentials in memory. WCE has two main features - it can dump in-memory credentials like usernames, domains, and NTLM hashes from current, future, and terminated logon sessions; and it supports pass-the-hash by allowing changes to NTLM credentials or creation of new logon sessions with arbitrary credentials. The document discusses two methods WCE could use - directly calling authentication package APIs, which requires running code in LSASS; or reading LSASS memory to locate logon session and credential structures and decrypt credentials without injecting code.
This document describes a new method for exploiting PL/SQL injection without needing to create functions or procedures. It involves injecting a pre-compiled cursor using the DBMS_SQL package to execute arbitrary SQL. The attacker can use this to grant privileges to themselves or create their own functions without any system privileges beyond CREATE SESSION. It provides an example exploiting the SDO_DROP_USER_BEFORE trigger in Oracle to gain DBA privileges in this way without needing CREATE PROCEDURE permission.
By using specially crafted parameters in double quotes, it is possible to bypass the input validation of the Oracle dbms_assert package and inject SQL code. This allows dozens of already patched Oracle vulnerabilities to be exploited again across versions 8.1.7.4 to 10.2.0.2. The researcher notified Oracle of the problem in April 2006. To mitigate risks, privileges like CREATE PROCEDURE should be revoked to prevent injection of malicious functions or procedures.
The document discusses performing digital forensics investigations using open source tools. It covers the major steps of the process: data acquisition, examination, and report preparation. For data acquisition, it describes how to gather volatile system data like memory dumps and network traffic, as well as disk images. For examination, it discusses forensic analysis software like The Sleuth Kit and Autopsy, analyzing memory dumps with Volatility, and examining network traffic with Wireshark. It also provides examples of timeline creation and registry analysis.
The document discusses database forensics and analysis techniques. It introduces current challenges, available tools, and new approaches using external tables to preserve metadata when collecting evidence. Typical patterns seen in database objects like SYS.USER$ are shown, like multiple accounts with login attempts or similar lock times indicating password guessing. Timeline creation is demonstrated to combine data from different sources.
Etude Statistique d'un mois de VulnĂŠrabilitĂŠs en AfriqueValdes Nzalli
Â
De plus en plus d'ĂŠquipements se retrouvent de nos jours connectĂŠ Ă Internet, la baisse
des prix de la bande passante aidant, il est dorĂŠnavant plus facile d'hĂŠberger par
exemple un service soit mĂŞme. Mais cette croissance n'est pas la mĂŞme pour les
mesures de sĂŠcuritĂŠ appliquĂŠes aux ĂŠquipements connectĂŠs. Notre exposĂŠ aura pour
but de rĂŠvĂŠler les statistiques d'un audit de l'internet en Afrique sur une durĂŠe
mensuelle. Il nous a ainsi ĂŠtĂŠ possible d'identifier plusieurs cas comme les machines
membres de botnets, des serveur ouverts au public mais non patchĂŠs et bien d'autres.
De ces rÊsultats nous avons fait un classement par pays, Application, Système,... ainsi
que leur frĂŠquence.
PrÊsentation passÊe lors de l'atelier sur le thème "RÊseaux Sociaux et SÊcuritÊ" pour le compte de Cameroon Cyber Security avec les Êtudiant de la FacultÊ de GÊnie Industriel de Douala!
PĂŠnĂŠtration de l'Internet en Afrique : Qu'en est-il des ĂŠquipements ?Valdes Nzalli
Â
Cette prĂŠsentation sera l'occasion de rendre publique une ĂŠtude en cours sur les
statistiques de connexion des ĂŠquipements sur l'Internet Africain au cours d'une pĂŠriode
dĂŠfinie. Dans les pays d'Afrique combien d'appareils sont-ils connectĂŠs en matinĂŠe?
en journĂŠe ? Ă midi ? quel type de devices sont-ils les plus utilisĂŠs pour se connecter en
fonction des pays ?
Collaboration Between Infosec Community and CERT Teams : Project Sonar caseValdes Nzalli
Â
Along with their day-to-day duties, CERT/CSIRT teams need to be aware about the security state of their subscribers/clients. My goal here is to present this initiative named "Project Sonar", started by many members of the Infosec Community. Also, i would like to present an use case in which the collaboration between the CERT/CSIRT team and the Infosec Community can be more profitable for all of us. This use case will be based on an analysis of some data provided by Project Sonar.
Internet et Vie PrivÊe Analyse des comportements en Afrique après PRISMValdes Nzalli
Â
Suite aux rĂŠvĂŠlations sur les programmes de renseignement massif des agences
Gouvernementales outre-mer en Juin dernier, les rĂŠactions de part et d'autres se sont fait
entendre un peu partout et en particulier dans la sphère Internet Africaine.
Cette Etude est une enquĂŞte sur les issues gĂŠnĂŠrĂŠes par cet ĂŠtat de choses ;
notamment savoir quelles ont ĂŠtĂŠ les mesures mises en place par les gouvernements,
Entreprises et Internautes Africains pour ce prÊmunir de ce phÊnomène. Par ailleurs,
il sera question de savoir quel est l'impact et l'efficacitĂŠ des mesures prises par les uns
et les autres. Sont-elle efficientes?! comment peuvent-elle ĂŞtre amĂŠliorĂŠe ? sont lĂ les
questions qui trouverons rĂŠponses au cours de cet exposĂŠ.
This document provides an overview of database security platforms and the evolution of this market. Some key points:
- Database security platforms have evolved beyond just monitoring database activity and now incorporate features like vulnerability assessment, user rights management, data discovery/filtering, and blocking capabilities.
- The increased scope of monitoring coverage and additional security features mean "Database Activity Monitoring" is no longer an accurate term - these solutions are now more appropriately called "Database Security Platforms."
- These platforms consolidate multiple database security tools into a single solution and can monitor both relational and non-relational databases as well as multiple database types.
- Vendors are beginning to differentiate their database security platforms based on primary use cases
Abusing Microsoft Kerberos - Sorry you guys donât get itE Hacking
Â
This document discusses abusing Microsoft Kerberos authentication. It begins with introductions of the presenters Alva "Skip" Duckwall and Benjamin Delpy. It then outlines what will be covered, including Windows Active Directory, mimikatz, NTLM hashes, Kerberos, pass-the-hash/keys/tickets and Golden Tickets. It also notes there will be 3 live demonstrations.
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
Â
This document discusses abusing Microsoft Kerberos authentication. It provides an overview of how Kerberos authentication works, obtaining users' Kerberos keys from Active Directory or client memory, and using those keys to authenticate as the user without their password through techniques like Pass-the-Hash and Overpass-the-Hash. It also demonstrates these techniques live using mimikatz to dump keys and authenticate with captured keys.
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)Nate Lawson
Â
Analysis of virtualized rootkit detection methods. Introduces "Samsara", our framework for detecting virtualization and an implementation of data/instruction TLB sizing, HPET timer, and VT errata tests. We predict the future will be cat-and-mouse, where each side analyzes and responds to the behavior of their opponent, ad infinitum. Joint talk given with Thomas Ptacek and Peter Ferrie.
This document discusses using SSH to create secure tunnels through firewalls and between mutually firewalled hosts in 3 main ways:
1) Dynamic port forwarding with SOCKS allows flexible forwarding of any protocol by redirecting destination addresses. This gets around limitations of static port forwarding.
2) "Gateway cryptography" creates an independent encrypted path between client and server by using remote port forwarding to bypass firewall restrictions and authenticate separately.
3) SLIRP/PPTP over SSH can provide a user-mode VPN by forwarding SLIRP or PPTP encapsulated in SSH, without requiring root on both sides. This allows Windows clients to connect remotely through bastion hosts.
This document describes features and architecture for secure mobile virtualization using Xen on ARM processors. It discusses CPU and memory virtualization techniques used to isolate guest domains, including paravirtualization, domain access control registers, and TLB lockdown. The system boot process loads Xen and domain 0 before creating additional guest domains via a user-level application and domain control driver. Experiments were conducted using Xen to virtualize a mini-OS on QEMU's Goldfish ARM emulator platform.
The document discusses various techniques used in Windows malware, including memory residency, modular design, DLL injection, beaconing, internal communication channels like named pipes, attacking Active Directory by dumping hashes and using golden tickets, and living off the land tools. It provides examples of code and demonstrations for many of the techniques. The goal is to understand malware development for defensive purposes like designing better defenses and gaining insight into future threats.
This document summarizes TCPKali, a tool for stress testing and introspecting WebSockets. TCPKali can generate high volumes of WebSocket traffic to test systems handling hundreds of millions of events per second from global users. It allows establishing many idle connections, limiting connection bandwidth, and constructing non-standard WebSocket frames to test edge cases. TCPKali provides developer visibility into traffic through options to dump TCP I/O, measure latency, and export metrics. While not a security or distributed testing tool, its high speed and developer-friendly interface make it suitable for debugging systems under large-scale WebSocket loads.
The document discusses Windows authentication methods and their vulnerabilities. It provides details on how passwords are hashed and stored for different Windows versions. While NTLMv2 and Kerberos provide stronger authentication, LM hashes, NTLMv1, and NTLM authentication are vulnerable to dictionary attacks due to using static challenges. The document also describes how tools like rainbow tables and network sniffers can crack passwords hashes or capture authentication packets.
This document discusses techniques for post-exploitation using Metasploit. It covers maintaining presence on a compromised system by examining users and processes. It also discusses achieving persistence through techniques like dropping executable files and modifying autoruns. Pivoting is covered as moving laterally such as relaying NTLM authentication or abusing trust relationships. Specific demonstrations are provided like exploiting an suid misconfiguration on Nmap or using a LNK file drop combined with SMB relay. The document emphasizes developing reliable and readable Metasploit modules to automate post-exploitation tasks.
This document provides an overview and summary of key concepts around virtualization that will be covered in more depth at a technical deep dive session, including:
- Virtualization capabilities for desktops/laptops and servers including workstation virtualization and server consolidation.
- How virtual machines work and the overhead associated with virtualization.
- Properties of virtualization like partitioning, isolation, and encapsulation.
- Benefits of server virtualization like consolidation, simpler management, and automated resource pooling.
- Comparison of "hosted" and vSphere virtualization architectures.
- Technologies used in virtualization like binary translation, hardware assistance from Intel VT/AMD-V.
- Ability to virtualize CPU intensive applications with
Encrypting and decrypting, choosing a random number, signing and verifying -- it all seems so logical. But the road to hell is paved with good intentions and a copy of "Applied Cryptography".
This talk will cover recent crypto vulnerabilities in widely-deployed systems and how the smallest oversight resulted in catastrophe. You'll learn why public key crypto is like a Ford Pinto in a demolition derby, the meaning of "PBKDF2", and how Web 2.0 reinvented 1970's-style password hashing, badly. And maybe, just maybe, you'll leave with a newfound respect for the utter brittleness of even the simplest crypto.
Nate Lawson is the founder of Root Labs, which specializes in the design and analysis of embedded security and cryptography. Previously, he worked at Cryptography Research, analyzing cryptographic products and co-designing the Blu-ray content protection layer known as BD+.
- The final exam for the cryptography course will take place on June 9 from 9:30-11:18 AM. It will cover materials after RSA but students still need to know RSA. The exam allows open books and notes and calculators.
- The course covered symmetric encryption algorithms like AES and DES, public key encryption like RSA, hash functions like SHA-1, message authentication codes, digital signatures, entity authentication, and key agreement protocols.
- SSL (now called TLS) provides a secure and reliable connection over TCP. It uses the SSL/TLS handshake protocol to authenticate parties and establish encryption keys to protect data sent over the TCP connection.
The document discusses techniques for improving network and I/O performance between the network interface card (NIC) and CPU. It describes technologies like TCP offloading, receive side scaling, and Intel I/O acceleration features that distribute processing load away from the CPU to improve throughput and reduce latency. Optimization goals include more efficiently handling interrupts and direct memory access to reduce CPU utilization for network tasks.
CloudStack, the world's leading open-source cloud infrastructure platform, was recently donated to the Apache Foundation, and is now an incubated Apache project. Ewan Mellor, Director of Engineering in the Citrix Cloud Platforms Group will describe the CloudStack project and explain why Xen is the pre-eminent hypervisor in public clouds today. He will describe the changes coming in CloudStack in the next 12 months, and how they are going to change the way that Xen is consumed in public and private clouds next year.
Summary of past Cassandra benchmarks performed by Netflix and description of how Netflix uses Cassandra interspersed with a live demo automated using Jenkins and Jmeter that created two 12 node Cassandra clusters from scratch on AWS, one with regular disks and one with SSDs. Both clusters were scaled up to 24 nodes each during the demo.
The document discusses the evolution of XenServer architecture to address scalability limitations. The current architecture works well now but will hit bottlenecks on larger servers. The new "Windsor" architecture uses domain 0 disaggregation to move virtualization functions out of domain 0 and into separate domains for improved performance, scalability, and isolation. Key benefits include better VM density, use of hardware resources, stability, availability, and extensibility. It provides a flexible platform that can scale-out across servers.
This document discusses playing wargames and capture the flag (CTF) competitions for fun and learning. It recommends starting with wargames to gain hands-on experience with a variety of hacking challenges. CTF competitions are described as team-based events where players race to capture digital flags by solving technical security puzzles within time limits. The document shares experiences from CTF competitions, including exploiting vulnerabilities like SQL injection, buffer overflows, and command injection. It provides advice on useful tools and recommends starting CTFs and wargames for their educational benefits.
The document provides an outline for hacking different systems including performing internet footprinting, hacking Windows systems, hacking Unix/Linux systems, and hacking networks. It discusses techniques for scanning systems, enumerating services and users, penetrating targets by exploiting services or escalating privileges, gaining interactive access, and maintaining influence. It provides examples of tools that can be used for reconnaissance, attacks, and privilege escalation on the different system types. The document also covers vulnerabilities in systems like SNMP, HTTP, TFTP, and routing protocols that can be exploited, and techniques for dealing with firewalls like port scanning and redirection.
This document discusses a vulnerability in Oracle databases that allows privilege escalation from CREATE USER privileges to SYSDBA privileges. It provides code examples demonstrating how a user with CREATE USER privileges can create a function with the same name as a built-in SYS function to override the namespace and elevate their privileges when SYS executes the function. The document outlines best practices for prevention, including not logging in as SYS, closely monitoring CREATE USER privileges, and using a tool like Sentrigo Hedgehog for advanced monitoring and alerts. It also provides recommendations for forensic response if privilege escalation occurs.
1. The document discusses SSH tricks and configuration tips for securing SSH connections and servers. It provides examples of SSH client-side one-liners and ways to quickly set up an SSH server.
2. SSH is a secure network protocol for exchanging data between networked devices. The document outlines ways to lock down SSH servers and clients through configuration files and access controls.
3. The document shows examples of SSH port forwarding, tunnels, and other one-liners that can enable remote access or administration through SSH connections.
The document discusses a Layer 7 DDOS attack called an HTTP POST attack. It works by sending legitimate HTTP POST requests to a server but slowly sending the content over an extended period, tying up server resources. This attack is more effective than the HTTP GET Slowloris attack as it fully sends the HTTP headers immediately, bypassing defenses against Slowloris. The attack code example shows how it generates random content lengths and sends payload bytes slowly over time to perform the DDOS attack.
This document summarizes optimizations to TLS/SSL including False Start, Snap Start, and defenses against the BEAST attack. False Start allows the client to send application data before receiving the server's Finished message to reduce latency. Snap Start uses cached handshake parameters to further reduce latency. However, both introduce security risks. The BEAST attack exploits TLS CBC encryption and IV reuse, but can be prevented by changing the encryption mode or adding padding.
The document provides an overview of practical cryptography and the GPG/PGP encryption tools. It discusses symmetric and public key cryptography theory. It then demonstrates how to use GPG/PGP to generate keys, encrypt and decrypt files, digitally sign documents, verify signatures, and distribute public keys through a key server. It also discusses how the web of trust model works to validate identities through in-person key signing after carefully verifying a user's identity.
Kyle Young presents on SSH tricks and configuration tips. He discusses the history and uses of SSH, how to securely connect to SSH servers by verifying fingerprints, and ways to lock down SSH servers and clients through configuration files like sshd_config and ssh_config. He also shares some useful SSH client-side one-liners.
This document describes padding oracle attacks on cryptographic hardware devices that allow encrypted keys to be imported. It presents two types of attacks: 1) An improved Bleichenbacher attack that exploits RSA PKCS#1v1.5 padding to reveal an imported private key in an average of 49,000 oracle queries. 2) An adaptation of the Vaudenay CBC attack to reveal keys encrypted with CBC and PKCS#5 padding. It demonstrates these attacks on commercial security tokens, smartcards, and electronic ID cards to reveal stored cryptographic keys.
The document discusses proper password hashing methods for securely storing passwords. It begins by stating that most websites currently do not properly store passwords, either in plaintext or with a single hash without salt. This is irresponsible. The document then discusses proper hashing methods that should be used, including adding salt, using key derivation functions like PBKDF2, ARC4PBKDF2, and bcrypt. PBKDF2 works by repeatedly hashing the password with a salt, while ARC4PBKDF2 additionally encrypts the password and hashes with an evolving ARC4 stream for added complexity. Bcrypt is also an adaptive function that works similarly to PBKDF2 but in a more complicated way. The document
This document proposes a new method for improving the cryptanalytic time-memory trade-off technique. The original technique, introduced by Hellman in 1980, precomputes ciphertexts to reduce cryptanalysis time at the cost of memory usage. The new method reduces the number of calculations needed during cryptanalysis by a factor of two compared to the existing approach using distinguished points. As an example, the new method can crack 99.9% of Windows password hashes in 13.6 seconds using 1.4GB of precomputed data, much faster than the 101 seconds taken by the existing approach.
This document provides an introduction and overview of threading and concurrency in Perl. It begins with definitions of threads and concurrency basics. It then discusses Perl's implementation of threads since version 5.6, noting that global variables are non-shared by default and sharing must be explicit. The document outlines various threading primitives and synchronization mechanisms in Perl like locks, condition variables, and shows examples of building thread-safe data structures like queues. It concludes with best practices and implementing other common synchronization primitives.
The document is a series of lines repeatedly stating "Author: Bill Buchanan". It does not contain any other substantive information in the content. The author of the document is Bill Buchanan, as his name is listed on every line.
This document discusses various network security concepts including firewalls, proxies, NAT, and VPNs. It provides examples of network infrastructures using different types of firewalls such as packet filtering, stateful, and proxy firewalls. It also discusses standard and extended access control lists (ACLs) used with firewalls to filter traffic. Finally, it covers network address translation (NAT) and port address translation (PAT) which help hide private network addresses from the public internet.
Snort is an open source intrusion detection and prevention system that uses rules written in its own language to inspect network traffic in real-time, detect anomalous activity, and generate alerts. It works by matching packets against signatures in its rules database to identify attacks and exploits, and can detect protocol anomalies, custom signatures, and payload analysis. Snort rules allow it to detect specific patterns in network traffic including payload signatures, TCP flags, and port numbers to identify malicious activity.
The document discusses various types of denial of service (DoS) attacks including layer 4 distributed denial of service (DDoS) attacks using botnets, layer 7 attacks that can be carried out by a single attacker, and link local attacks using fraudulent IPv6 router advertisements. It also profiles various hacktivist groups that have carried out such attacks and outlines defenses against DoS attacks like ModSecurity, load balancing, and router advertisement guard.
This document is the user's manual for sqlmap, an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. The manual provides information on installing and using sqlmap, including requirements, basic usage, supported features, techniques, and numerous configuration options for optimization, injection, detection, enumeration and brute forcing capabilities.
The document is a report from Arbor Networks that analyzes data from a survey of over 500 network operators regarding infrastructure security threats in 2011. Some key findings include:
- Distributed denial-of-service (DDoS) attacks were considered the most significant operational threat. Application-layer DDoS attacks using HTTP floods were most common.
- The largest reported DDoS attacks exceeded 100 Gbps in bandwidth. Major online gaming and gambling sites were frequently targeted.
- Most respondents experienced multiple DDoS attacks per month and detected increased awareness of the DDoS threat over the previous year.
- Network traffic detection, classification, and event correlation tools were commonly used to identify attacks and trace sources. DDo
Main news related to the CCS TSI 2023 (2023/1695)Jakub Marek
Â
An English đŹđ§ translation of a presentation to the speech I gave about the main changes brought by CCS TSI 2023 at the biggest Czech conference on Communications and signalling systems on Railways, which was held in Clarion Hotel Olomouc from 7th to 9th November 2023 (konferenceszt.cz). Attended by around 500 participants and 200 on-line followers.
The original Czech đ¨đż version of the presentation can be found here: https://www.slideshare.net/slideshow/hlavni-novinky-souvisejici-s-ccs-tsi-2023-2023-1695/269688092 .
The videorecording (in Czech) from the presentation is available here: https://youtu.be/WzjJWm4IyPk?si=SImb06tuXGb30BEH .
The Microsoft 365 Migration Tutorial For Beginner.pptxoperationspcvita
Â
This presentation will help you understand the power of Microsoft 365. However, we have mentioned every productivity app included in Office 365. Additionally, we have suggested the migration situation related to Office 365 and how we can help you.
You can also read: https://www.systoolsgroup.com/updates/office-365-tenant-to-tenant-migration-step-by-step-complete-guide/
Skybuffer SAM4U tool for SAP license adoptionTatiana Kojar
Â
Manage and optimize your license adoption and consumption with SAM4U, an SAP free customer software asset management tool.
SAM4U, an SAP complimentary software asset management tool for customers, delivers a detailed and well-structured overview of license inventory and usage with a user-friendly interface. We offer a hosted, cost-effective, and performance-optimized SAM4U setup in the Skybuffer Cloud environment. You retain ownership of the system and data, while we manage the ABAP 7.58 infrastructure, ensuring fixed Total Cost of Ownership (TCO) and exceptional services through the SAP Fiori interface.
"Choosing proper type of scaling", Olena SyrotaFwdays
Â
Imagine an IoT processing system that is already quite mature and production-ready and for which client coverage is growing and scaling and performance aspects are life and death questions. The system has Redis, MongoDB, and stream processing based on ksqldb. In this talk, firstly, we will analyze scaling approaches and then select the proper ones for our system.
âTemporal Event Neural Networks: A More Efficient Alternative to the Transfor...Edge AI and Vision Alliance
Â
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/temporal-event-neural-networks-a-more-efficient-alternative-to-the-transformer-a-presentation-from-brainchip/
Chris Jones, Director of Product Management at BrainChip , presents the âTemporal Event Neural Networks: A More Efficient Alternative to the Transformerâ tutorial at the May 2024 Embedded Vision Summit.
The expansion of AI services necessitates enhanced computational capabilities on edge devices. Temporal Event Neural Networks (TENNs), developed by BrainChip, represent a novel and highly efficient state-space network. TENNs demonstrate exceptional proficiency in handling multi-dimensional streaming data, facilitating advancements in object detection, action recognition, speech enhancement and language model/sequence generation. Through the utilization of polynomial-based continuous convolutions, TENNs streamline models, expedite training processes and significantly diminish memory requirements, achieving notable reductions of up to 50x in parameters and 5,000x in energy consumption compared to prevailing methodologies like transformers.
Integration with BrainChipâs Akida neuromorphic hardware IP further enhances TENNsâ capabilities, enabling the realization of highly capable, portable and passively cooled edge devices. This presentation delves into the technical innovations underlying TENNs, presents real-world benchmarks, and elucidates how this cutting-edge approach is positioned to revolutionize edge AI across diverse applications.
Introduction of Cybersecurity with OSS at Code Europe 2024Hiroshi SHIBATA
Â
I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems.
The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS.
Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application.
I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.
HCL Notes and Domino License Cost Reduction in the World of DLAUpanagenda
Â
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/
The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Donât worry, we can help with all of this!
Weâll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. Weâll provide examples and solutions for those as well. And naturally weâll explain the new licensing model.
Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc
- Practical examples and best practices to implement right away
Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API?
Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose?
Which one is cheapest? Which one is fastest? Which one will scale to meet our needs?
Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!
How information systems are built or acquired puts information, which is what they should be about, in a secondary place. Our language adapted accordingly, and we no longer talk about information systems but applications. Applications evolved in a way to break data into diverse fragments, tightly coupled with applications and expensive to integrate. The result is technical debt, which is re-paid by taking even bigger "loans", resulting in an ever-increasing technical debt. Software engineering and procurement practices work in sync with market forces to maintain this trend. This talk demonstrates how natural this situation is. The question is: can something be done to reverse the trend?
Monitoring and Managing Anomaly Detection on OpenShift.pdfTosin Akinosho
Â
Monitoring and Managing Anomaly Detection on OpenShift
Overview
Dive into the world of anomaly detection on edge devices with our comprehensive hands-on tutorial. This SlideShare presentation will guide you through the entire process, from data collection and model training to edge deployment and real-time monitoring. Perfect for those looking to implement robust anomaly detection systems on resource-constrained IoT/edge devices.
Key Topics Covered
1. Introduction to Anomaly Detection
- Understand the fundamentals of anomaly detection and its importance in identifying unusual behavior or failures in systems.
2. Understanding Edge (IoT)
- Learn about edge computing and IoT, and how they enable real-time data processing and decision-making at the source.
3. What is ArgoCD?
- Discover ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes, and its role in deploying applications on edge devices.
4. Deployment Using ArgoCD for Edge Devices
- Step-by-step guide on deploying anomaly detection models on edge devices using ArgoCD.
5. Introduction to Apache Kafka and S3
- Explore Apache Kafka for real-time data streaming and Amazon S3 for scalable storage solutions.
6. Viewing Kafka Messages in the Data Lake
- Learn how to view and analyze Kafka messages stored in a data lake for better insights.
7. What is Prometheus?
- Get to know Prometheus, an open-source monitoring and alerting toolkit, and its application in monitoring edge devices.
8. Monitoring Application Metrics with Prometheus
- Detailed instructions on setting up Prometheus to monitor the performance and health of your anomaly detection system.
9. What is Camel K?
- Introduction to Camel K, a lightweight integration framework built on Apache Camel, designed for Kubernetes.
10. Configuring Camel K Integrations for Data Pipelines
- Learn how to configure Camel K for seamless data pipeline integrations in your anomaly detection workflow.
11. What is a Jupyter Notebook?
- Overview of Jupyter Notebooks, an open-source web application for creating and sharing documents with live code, equations, visualizations, and narrative text.
12. Jupyter Notebooks with Code Examples
- Hands-on examples and code snippets in Jupyter Notebooks to help you implement and test anomaly detection models.
Digital Banking in the Cloud: How Citizens Bank Unlocked Their MainframePrecisely
Â
Inconsistent user experience and siloed data, high costs, and changing customer expectations â Citizens Bank was experiencing these challenges while it was attempting to deliver a superior digital banking experience for its clients. Its core banking applications run on the mainframe and Citizens was using legacy utilities to get the critical mainframe data to feed customer-facing channels, like call centers, web, and mobile. Ultimately, this led to higher operating costs (MIPS), delayed response times, and longer time to market.
Ever-changing customer expectations demand more modern digital experiences, and the bank needed to find a solution that could provide real-time data to its customer channels with low latency and operating costs. Join this session to learn how Citizens is leveraging Precisely to replicate mainframe data to its customer channels and deliver on their âmodern digital bankâ experiences.
Programming Foundation Models with DSPy - Meetup SlidesZilliz
Â
Prompting language models is hard, while programming language models is easy. In this talk, I will discuss the state-of-the-art framework DSPy for programming foundation models with its powerful optimizers and runtime constraint system.
2. Windows Authentication
h1 = LMHash(âpwd1â) SAM Database
h2 = NTHash(âpwd1â) User Hash LM Hash NT
cgarcia A6BCD.. B0FD1..
ajuarez B90DF.. CCDF..
⌠⌠âŚ
Network ⢠The cleartext password is not sent
⢠The NTLM protocol is used
3. NTLM Authentication
lmhash = LMHash(âpwd1â)
nthash = NTHash(âpwd1â)
Init connection
Responds C = challenge random
Sends cgarcia, R
SAM Database
R = f(lmhash/nthash, C)
User Hash LM Hash NT
cgarcia A6BCD.. B0FD1..
ajuarez B90DF.. CCDF..
Râ = f(SAM[lmhash/nthash], C) ⌠⌠âŚ
Râ == R => Access Granted
Râ <> R => Access Denied
4. pre-Pass-the-Hash Attacks
⢠After compromising a Windows boxâŚ
â â Dumpâ the SAM
⢠pwdump3/3e/4/5/6/7,fgdump,etc
â Administrator:500:0102030405060708090A0B0C0D0E0F10:1020
30405060708090A0B0C0D0E0F10
â Crack/Brute-Force hashes to obtain cleartext
password
⢠Takes time.. (e.g.: pentest time is limited)
⢠No guarantee the password will be obtained
⢠Rainbow tables were not widely used
â Less computing power, storage, etc
â Still, not the answer to everything
6. Pass-the-hash Technique
lmhash = LMHash(âpwd1â)
nthash = NTHash(âpwd1â)
Init connection
Responds C = challenge random
Sends cgarcia, R
SAM Database
R = f(lmhash/nthash, C) User Hash LM Hash NT
cgarcia A6BCD.. B0FD1..
ajuarez B90DF.. CCDF..
⢠Cleartext password is not needed for NTLM auth ⌠⌠âŚ
⢠Only lmhash/nthash are needed
⢠No need to crack/brute-force Râ = f(SAM[lmhash/nthash], C)
⢠Just use the hashes directly Râ == R => Access Granted
Râ <> R => Access Denied
8. 3rd-party SMB+NTLM stacks: Limitations
⢠Limited and partial functionality
⢠Always running behind Windows
â New functionality has to be implemented, some by
reverse engineering
⢠Complex, requires time and effort
⢠Cannot use native Windows applications
â They ask for username and cleartext password, not
hashesâŚ
10. What is WCE?
⢠Tool to manipulate Windows logon sessions
â Add, list, delete, modify
â Obtain credentials associated with logon sessions
â Pass-the-hash (NTLM)
â Pass-the-ticket (Kerberos)
11. Pre-WCE/Pass-the-hash attacks
⢠Without WCE..
â Crack/Brute-force hashes to obtain cleartext password
â Crack/Brute-force ´encrypted´ hashes (C,R->NTLM) to
obtain cleartext password
â Use 3rd-party SMB+NTLM stacks, w/limited and partial
functionality
â More difficult/not possible to do pass-the-hash while
pivoting among Windows boxes
12. Post-WCE/Pass-the-hash attacks
⢠With WCEâŚ
â Do Pass-the-hash directly with the hashes
⢠No need to attempt to crack/brute-force hashes
⢠Will be able to use them even if you cannot crack them
â 3rd-party SMB+NTLM stacks problems eliminated
â Easier to do Pass-the-hash while pivoting among
Windows boxes
14. WCE: âStealâ Credentials from memory
⢠New ´attack´ implemented by WCE
â It is not Pass-the-hash, it´s another technique..
â Sometimes the two are confused, but they are not
the same..
⢠Allows you to obtain usernames and NTLM
hashes stored in memory
15. WCE: âStealâ Credentials from memory
⢠Why are they in memory?
⢠NTLM auth package
⢠SSO
cgarcia
pwd1
Network
16. WCE: âStealâ Credentials from memory
When are they stored in memory?
⢠Interactive logon sessions at the console
⢠Remote logon sessions via RDP
⢠RunAs
⢠Windows Services running under specific user
accounts
⢠Windows APIs used by applications
⢠Etc.
17. WCE: âStealâ Credentials from memory
When are they stored in memory?
⢠Interactive logon sessions at the console
cgarcia
pwd1
18. WCE: âStealâ Credentials from memory
When are they stored in memory?
⢠Remote logon sessions via RDP
Network
21. WCE: âStealâ Credentials from memory
When are they stored in memory?
⢠Windows APIs used by applications
Example:
22. WCE: âStealâ Credentials from memory
⢠WCE can obtain the LM Hash..
â By default, nowadays, Windows does not store
the LM hash in the SAM
⢠It is weak; âeasyâ to crack
23. WCE: âStealâ Credentials from memory
⢠WCE can obtain the LM Hash from memory
â Windows generates and stores the hashes in
memory, including the LM hash
⢠Interactive sessions
⢠Others previously mentioned
â Possible to crack it and obtain cleartext password to
use in places where NTLM is not the auth method
24. WCE: âStealâ Credentials from memory
Example:
The LM Hash is not in the SAM
Pwdump output
The LM Hash is in memory
WCE output
25. WCE: âStealâ Credentials from memory
When are they NOT stored in memory?
⢠Network Logons
â The hashes never reach the remote server
Init Connection
Responds C = challenge random
Sends cgarcia, R
26. WCE: âStealâ Credentials from memory
Post-explotation attack scenario
Attacker compromises
remote Windows box
⢠Run WCE to obtain credentials stored in memory
⢠Use those hashes to do Pass-The-Hash with WCE
28. WCE: âStealâ Credentials from memory
Especially interesting in Windows Domain Environments
Domain
Controller (DC) Domain
User Hash LM Hash NT User
SAM cgarcia A6BCD.. B0FD1..
ajuarez B90DF.. CCDF..
⌠⌠âŚ
Domain
User
Backups Server
Domain
User
29. WCE: âStealâ Credentials from memory
WITHOUT WCE..
Domain
Controller (DC) Domain
User Hash LM Hash NT User
SAM cgarcia A6BCD.. B0FD1..
SAM ajuarez B90DF.. CCDF..
User Hash LM Hash NT ⌠⌠âŚ
Administ FDDE.. CCDH1..
rador
Guest AABCD.. FFD4F.. Domain
User
Backups Server
Attacker
⢠Attacker owns remote Windows box
⢠Only has access to local SAM..
⢠No Domain Users there, not very usefulâŚ
30. WCE: âStealâ Credentials from memory
WITH WCE..
Domain
Domain:Admi Controller (DC) Domain
nistrator:CDB User Hash LM Hash NT User
70D9EDA812 SAM cgarcia A6BCD.. B0FD1..
ajuarez B90DF.. CCDF..
DBF:C9DF712 ⌠⌠âŚ
D09D7DF1C
Domain
User
Backups Server
Attacker
⢠Attacker owns Backups server
⢠Obtains credentials from memory..
⢠Probably will find Domain Users there..
⢠Can possibly compromise the whole domain!
31. WCE: âStealâ Credentials from memory
Typical Scenario
Domain
Controller (DC) Domain
Administrator
Domain
User
Backups Server
Attacker
32. WCE: âStealâ Credentials from memory
Typical Scenario
Domain:Admi
nistrator:CDB Domain
70D9EDA812 Controller (DC) Domain
DBF:C9DF712 Administrator
D09D7DF1C
Domain
User
Backups Server
Attacker
33. WCE: âStealâ Credentials from memory
Typical Scenario
Domain:Admi
nistrator:CDB Domain
70D9EDA812 Controller(DC) Domain
DBF:C9DF712 Administrator
D09D7DF1C
Domain
User
Backups Server
Attacker
⢠WCE âstealsâ the Domain Administrator
Credentials!
34. WCE: âStealâ Credentials from memory
RDP ´exposes´ credentials
⢠When you RDP to a remote box, you leave the
NTLM hashes of your password in the remote
server´s memory
⢠NTLM hashes are equivalent to the cleartext
password (pass-the-hash+wce)
⢠So, we could say you are leaving there your
passwordâŚ
35. WCE: âStealâ Credentials from memory
RDP ´exposes´ credentials
⢠Even when using pass-through authentication
⢠Credentials (user+domain+hashes) are stored in
Domain Controller
⢠But when you use RDP, they are also left in the
memory of the remote Windows box you are
RDPing to!
⢠Be careful where you are RDPing toâŚ
36. WCE: âStealâ Credentials from memory
RDP ´exposes´ credentials
⢠Attacker on the remote Windows box can obtain
credentials from memory
⢠Local Administrator
⢠Regular Domain User w/local admin privs
⢠Attacker that owns less secured box, regular
users are more vulnerable
⢠Etc.
37. WCE: âStealâ Credentials from memory
RDP ´exposes´ credentials: Example
Domain
Controller (DC) Domain
User Hash LM Hash NT
Administrator
SAM cgarcia A6BCD.. B0FD1..
ajuarez B90DF.. CCDF..
⌠⌠âŚ
Domain
User
Domain User
Workstation
Attacker
38. WCE: âStealâ Credentials from memory
RDP ´exposes´ credentials: Example
Domain
Controller (DC) Domain
User Hash LM Hash NT
Administrator
SAM cgarcia A6BCD.. B0FD1..
ajuarez B90DF.. CCDF..
⌠⌠âŚ
Domain
User
Domain User
Workstation
Attacker
39. WCE: âStealâ Credentials from memory
RDP ´exposes´ credentials: Example
Domain:Admi
nistrator:CDB
Domain 70D9EDA812
Controller (DC) DBF:C9DF712 Domain
User Hash LM Hash NT D09D7DF1C Administrator
SAM cgarcia A6BCD.. B0FD1..
ajuarez B90DF.. CCDF..
⌠⌠âŚ
Domain
User
Domain User
Workstation
Attacker
40. WCE: âStealâ Credentials from memory
RDP ´exposes´ credentials: Example
Domain
Controller (DC) Domain
User Hash LM Hash NT
Administrator
SAM cgarcia A6BCD.. B0FD1..
ajuarez B90DF.. CCDF..
⌠⌠âŚ
Domain
User
Domain:Admi
Domain User
nistrator:CDB
Workstation
70D9EDA812 Attacker
DBF:C9DF712
D09D7DF1C
41. WCE: âStealâ Credentials from memory
RDP ´exposes´ credentials: Example
Domain
Controller (DC) Domain
User Hash LM Hash NT
Administrator
SAM cgarcia A6BCD.. B0FD1..
ajuarez B90DF.. CCDF..
⌠⌠âŚ
Domain
User
Domain:Admi
Domain User nistrator:CDB
Workstation 70D9EDA812 Attacker
DBF:C9DF712
D09D7DF1C
45. WCE: âStealâ Credentials from memory
RDP: Disconnect != Log Off
⢠´Disconnect´ leaves NTLM hashes in memory
⢠The Logon session is not terminated
⢠´Log Off´ terminates the logon session
⢠Hashes are erased from memory
⢠Always ´Log Off´!
⢠Users tend to just ´Disconnect´âŚ
⢠Including Administrators..
47. WCE: âStealâ Credentials from memory
Bug: Zombie Logon Sessions!
Domain
Controller (DC) Domain
Administrator
Domain
User
Backups Server
Attacker
Day 1
48. WCE: âStealâ Credentials from memory
Bug: Zombie Logon Sessions!
Domain:Admi
nistrator:CDB Domain
70D9EDA812 Controller (DC) Domain
DBF:C9DF712 Administrator
D09D7DF1C
Domain
User
Backups Server
Attacker
Day 1
49. WCE: âStealâ Credentials from memory
Bug: Zombie Logon Sessions!
Domain:Admi
nistrator:CDB Domain
70D9EDA812 Controller (DC) Domain
DBF:C9DF712 Administrator
D09D7DF1C
Domain
User
⢠Administrator logs off,
Backups Server disconnects, finished
what he/she was
Attacker
doing..
Day 1
50. WCE: âStealâ Credentials from memory
Bug: Zombie Logon Sessions!
Domain:Admi
nistrator:CDB Domain
70D9EDA812 Controller (DC) Domain
DBF:C9DF712 Administrator
D09D7DF1C
Domain
BUG! User
Windows does not erase
from memory NTLM
Backups Server hashes!
Attacker
Day 1
51. WCE: âStealâ Credentials from memory
Bug: Zombie Logon Sessions!
Domain:Admi
nistrator:CDB Domain
70D9EDA812 Controller (DC) Domain
DBF:C9DF712 Administrator
D09D7DF1C
Domain
User
Backups Server
Attacker
Day 31.. ~ A month later..
52. WCE: Pass-the-Ticket (Kerberos)
⢠New attack implemented by WCE v1.2
â First and only tool that implements this AFAIK
⢠Post-exploitation
⢠Equivalent to Pass-The-Hash for NTLM
⢠You can âstealâ Kerberos TGT/tickets & use them
in other Windows and *Unix boxes
53. WCE: Pass-the-Ticket (Kerberos)
⢠´Stolen´ tickets can be used to access remote
services
â Example: SMB shares
⢠The TGT (Ticket Granting Ticket) can be used
to create new tickets
â Gain access to more services / computers
54. Conclusions
⢠WCE brings new post-exploitation techniques
â Pass-the-Hash (NTLM)
â Steal NTLM from memory
â Pass-the-ticket (Kerberos)
⢠Useful for pentests
⢠You need to know them to defend yourself
â Not just to attack..
55. More information
⢠âWCE Internalsâ Presentation
â RootedCon 2011; Madrid, EspaĂąa
â More technical details about implementation
http://www.ampliasecurity.com/research/WCE_
Internals_RootedCon2011_ampliasecurity.pdf