SlideShare ist ein Scribd-Unternehmen logo

Tactical Exploitation - hdm valsmith

A
amiable_indian

Tactical Exploitation - hdm valsmith metasploit hacking hacker

Technologie
1 von 79
Tactical Exploitation “the other way to pen-test “ hdm / valsmith Black Hat USA 2007 Las Vegas – August 2007
who are we ? H D Moore <hdm [at] metasploit.com> BreakingPoint Systems || Metasploit Valsmith <valsmith [at] metasploit.com> Offensive Computing || Metasploit Las Vegas – August 2007
why listen ? A different approach to pwning • Lots of fun techniques, new tools • Real-world tested ;-) • Las Vegas – August 2007
what do we cover ? Target profiling • Discovery tools and techniques • Exploitation • Getting you remote access • Las Vegas – August 2007
the tactical approach Vulnerabilites are transient • Target the applications • Target the processes • Target the people • Target the trusts • You WILL gain access. • Las Vegas – August 2007
the tactical approach Crackers are opportunists • Expand the scope of your tests • Everything is fair game • What you dont test... • Someone else will! • Las Vegas – August 2007
the tactical approach Hacking is not about exploits • The target is the data, not r00t • Hacking is using what you have • Passwords, trust relationships • Service hijacking, auth tickets • Las Vegas – August 2007
personnel discovery Security is a people problem • People write your software • People secure your network • Identify the meatware first • Las Vegas – August 2007
personnel discovery Identifying the meatware • • Google • Newsgroups SensePost tools • Evolution from Paterva.com • Las Vegas – August 2007
personnel discovery These tools give us • Full names, usernames, email • Employment history • Phone numbers • Personal sites • Las Vegas – August 2007
personnel discovery Las Vegas – August 2007
personnel discovery Started with company and jobs • Found online personnel directory • Found people with access to data • Found resumes, email addresses • Email name = username = target • Las Vegas – August 2007
personnel discovery Joe Targetstein • Works as lead engineer in semiconductor department • Email address joet@company.com • Old newsgroup postings show • joet@joesbox.company.com Now we have username and a host to target to go • after semi conductor information Las Vegas – August 2007
network discovery Identify your target assets • Find unknown networks • Find third-party hosts • Dozens of great tools... • Lets stick to the less-known ones • Las Vegas – August 2007
network discovery The overused old busted • Whois, Google, zone transfers • Reverse DNS lookups • Las Vegas – August 2007
network discovery The shiny new hotness • Other people's services • CentralOps.net, DigitalPoint.com • DomainTools.com • Paterva.com • Las Vegas – August 2007
network discovery DomainTools vs Defcon.org • 1. Darktangent.net 0 listings0 listings0 listings 2. Defcon.net 0 listings0 listings0 listings 3. Defcon.org 1 listings18 listings 1 listings 4. Hackerjeopardy.com 0 listings0 listings0 listings 5. Hackerpoetry.com0 listings0 listings0 listings 6. Thedarktangent.com 0 listings0 listings0 listings 7. Thedarktangent.net 0 listings0 listings0 listings 8. Thedarktangent.org 0 listings0 listings0 listings Las Vegas – August 2007
network discovery DomainTools vs Defcon.net • 1. 0day.com 0 listings0 listings0 listings • 2. 0day.net 0 listings0 listings0 listings • 3. Darktangent.org 0 listings0 listings0 listings • [ snipped personal domains ] 12. Securityzen.com 0 listings0 listings0 listings • 13. Zeroday.com 0 listings0 listings0 listings • Las Vegas – August 2007
network discovery What does this get us? • Proxied DNS probes, transfers • List of virtual hosts for each IP • Port scans, traceroutes, etc • Gold mine of related info • Las Vegas – August 2007
network discovery Active discovery techniques • Trigger SMTP bounces • Brute force HTTP vhosts • Watch outbound DNS • Just email the users! • Las Vegas – August 2007
network discovery Received: from unknown (HELO gateway1.rsasecurity.com) (216.162.240.250) by [censored] with SMTP; 28 Jun 2007 15:11:29 -0500 Received: from hyperion.rsasecurity.com by gateway1.rsasecurity.com via smtpd (for [censored]. [xxx.xxx.xxx.xxx]) with SMTP; Thu, 28 Jun 2007 16:11:29 -0400 by hyperion.na.rsa.net (MOS 3.8.3-GA) To: user@[censored] Subject: Returned mail: User unknown (from [10.100.8.152]) Las Vegas – August 2007
application discovery If the network is the toast... • Applications are the butter. • Each app is an entry point • Finding these apps is the trick • Las Vegas – August 2007
application discovery Tons of great tools • Nmap, Amap, Nikto, Nessus • Commercial tools • Las Vegas – August 2007
application discovery Slow and steady wins the deface • Scan for specific port, one port only • IDS/IPS can't handle slow scans • Ex. nmap -sS -P0 -T 0 -p 1433 ips • Las Vegas – August 2007
application discovery Example target had custom IDS to • detect large # of host connections Standard nmap lit up IDS like XMAS • One port slow scan never detected • Know OS based on 1 port (139/22) • Las Vegas – August 2007
application discovery Target had internal app for software licensing / • distribution ~10,000 nodes had app installed • A couple of hours with IDA/Ollydbg showed • static Admin password in app's memory All accessible nodes owned, 0 exploits used • Las Vegas – August 2007
application discovery Web Application Attack and Audit • Framework • W3AF: “Metasploit for the web” Metasploit 3 scanning modules • • Scanning mixin Las Vegas – August 2007
application discovery DEMO Las Vegas – August 2007
client app discovery Client applications are fun! • Almost always exploitable • Easy to fingerprint remotely • Your last-chance entrance • Las Vegas – August 2007
client app discovery Common probe methods • Mail links to the targets • Review exposed web logs • Send MDNs to specific victims • Abuse all, everyone, team aliases • Las Vegas – August 2007
process discovery Track what your target does • Activity via IP ID counters • Last-modified headers • FTP server statistics • Las Vegas – August 2007
process discovery Look for patterns of activity • Large IP ID increments at night • FTP stats at certain times • Microsoft FTP SITE STATS • Web pages being uploaded • Check timestamps on images • Las Vegas – August 2007
process discovery Existing tools? • None, really... • Easy to script • • Use “hping” for IP ID tracking • Use netcat for SITE STATS Las Vegas – August 2007
process discovery ABOR : 2138 NOOP : 147379 SIZE : 76980 ACCT : 2 OPTS : 21756 SMNT : 16 ALLO : 32 PASS : 2050555100 STAT : 30812 APPE : 74 PASV : 2674909 STOR : 3035 CDUP : 5664 PORT : 786581 STRU : 3299 CWD : 388634 PWD : 179852 SYST : 175579 DELE : 1910 QUIT : 143771 TYPE : 3038879 FEAT : 2970 REIN : 16 USER : 2050654280 HELP : 470 REST : 31684 XCWD : 67 LIST : 3228866 RETR : 153140 XMKD : 12 MDTM : 49070 RMD : 41 XPWD : 1401 MKD : 870 RNFR : 58 XRMD : 2 MODE : 3938 RNTO : 2 NLST : 1492 SITE : 2048 ftp.microsoft.com [node] SITE STATS / Uptime: 47 days Las Vegas – August 2007
process discovery << backups run at midnight USA people wake up >> IP ID Monitoring / HACKER.COM Las Vegas – August 2007
15 Minute Break Come back for the exploits! • Las Vegas – August 2007
re-introduction In our last session... • Discovery techniques and tools • In this session... • • Compromising systems! Las Vegas – August 2007
external network The crunchy candy shell • Exposed hosts and services • VPN and proxy services • Client-initiated sessions • Las Vegas – August 2007
attacking ftp transfers Active FTP transfers • Clients often expose data ports • NAT + Active FTP = Firewall Hole • Passive FTP transfers • Data port hijacking: DoS at least • pasvagg.pl still works just fine :-) • Las Vegas – August 2007
attacking web servers Brute force vhosts, files, dirs • http://www.cray.com/old/ • Source control files left in root • http://www.zachsong.com/CVS/Entries • Las Vegas – August 2007
attacking web servers Apache Reverse Proxying • GET /%00 HTTP/1.1 Host: realhost.com Apache Dynamic Virtual Hosting • GET / HTTP/1.1 Host: %00/ Las Vegas – August 2007
load balancers Cause load balancer to “leak” • internal IP information Use TCP half-close HTTP request • Alteon ACEdirector good example • Las Vegas – August 2007
load balancers ACEdirector mishandles TCP half- • close requests • Behavior can be used as signature • for existence of Load Balancer • Direct packets from real webserver • fowarded back to client (with IP) Las Vegas – August 2007
cgi case study Web Host with 1000's of sites • Had demo CGI for customers • CGI had directory traversal • www.host.com/cgi-bin/vuln.pl/../../cgi • CGI executable + writable on every • directory Common on web hosts! • • Las Vegas – August 2007
cgi case study Enumerated: • • Usernames • Dirs • Backup files • Other CGI scripts • VHOSTS Las Vegas – August 2007
cgi case study Target happened to run solaris • • Solaris treats dirs as files • cat /dirname = ls /dirname http://www.host.com/cgi-bin/vuln.cgi/../../../../dirname%00.html • Las Vegas – August 2007
cgi case study Found CGI script names • Googled for vulns • Gained shell 100's of different ways • Owned due to variety of layered • configuration issues Las Vegas – August 2007
attacking dns servers Brute force host names • XID sequence analysis • • BIND 9: PRNG / Birthday • VxWorks: XID = XID + 1 Return extra answers in response • Las Vegas – August 2007
authentication relays SMB/CIFS clients are fun! • Steal hashes, redirect, MITM • NTLM relay between protocols • SMB/HTTP/SMTP/POP3/IMAP • More on this later... • Las Vegas – August 2007
social engineering Give away free toys • CDROMs, USB keys, N800s • Replace UPS with OpenWRT • Cheap and easy to make • Las Vegas – August 2007
internal network The soft chewy center • This is the fun part :) • Easy to trick clients • Las Vegas – August 2007
netbios services NetBIOS names are magic • • WPAD • CALICENSE Las Vegas – August 2007
dns services Microsoft DNS + DHCP = fun • • Inject host names into DNS • Hijack the entire network dhcpcd -h WPAD -i eth0 • Las Vegas – August 2007
Hijacking NTLM Quickly own all local workstations • Gain access to mail and web sites • A new twist on “smbrelay2.cpp” • Yes, it was released in 2001. • Now implemented in Metasploit 3 • Las Vegas – August 2007
Hijacking NTLM 1. MITM all outbound web traffic Cache poison the “WPAD” host • Plain old ARP spoofing • DHCP / NetBIOS + “WPAD” • Run a rogue WiFi access point • Manipulate TOR connections • Las Vegas – August 2007
Hijacking NTLM 2. Redirect HTTP requests to “intranet” WPAD + SOCKS server • SQUID + transparent proxying • 302 Redirect • Las Vegas – August 2007
Hijacking NTLM 3. Return HTML page with UNC link IE 5/6/7: <img src=”ipsharei.jpg”> • Firefox: mozicon-url:file:////ip/share/i.jpg • Third-party plugins: • Adobe PDF Viewer • Windows Media Player • Microsoft Office • Las Vegas – August 2007
Hijacking NTLM 4. Accept SMB connection and relay Accept connection from the client • Connect to the target server (or client) • Ask target for Challenge Key • Provide this Key to the client • Allow the client to authenticate • Las Vegas – August 2007
Hijacking NTLM 5. Executing remote code Disconnect the client • Use authenticated session • • ADMIN$ + Service Control Manager • Access data, call RPC routines, etc • Access the remote registry Las Vegas – August 2007
Hijacking NTLM DEMO Las Vegas – August 2007
file servers “NAS appliances are safe and secure” • Don't worry, the vendor sure doesn't • Unpatched Samba daemons • • Snap, TeraServer, OS X, etc. Inconsistent file permissions • AFP vs NFS vs SMB • Las Vegas – August 2007
samba is awesome 1999 called, want their bugs back • Remember those scary “NULL Sessions” • Samba ENUM / SID2USR user listing • Massive information leaks via DCERPC • • Shares, Users, Policies • Brute force accounts (no lockout) Las Vegas – August 2007
smb case study Old bugs back to haunt new boxes • Found OS X Box running SMB • User sent mail touting OS X sec • Previous scans had found vulns • User: “false positive, its OS X” • Us: “Owned” • Las Vegas – August 2007
smb case study Performed Null Session • net use osxsmbipc$ “” /user:”” • Enumerated users and shares • • Brute forced several user accounts • Got shell, escalated to root • User: “but . .but . . its OS X!” Las Vegas – August 2007
samba vs metasploit Metasploit modules for Samba • Linux (vSyscall + Targets) • Mac OS X (PPC/x86) • Solaris (SPARC,x86) • Auxiliary PoCs • Las Vegas – August 2007
nfs services NFS is your friend • Dont forget its easy cousin NIS • Scan for port 111 / 2049 • showmount -e / showmount -a • Whats exported, whose mounting? • Las Vegas – August 2007
nfs services Exported NFS home directories • Important target! • If you get control • Own every node that mounts it • Las Vegas – August 2007
nfs services If you are root on home server • Become anyone (NIS/su) • Harvest known_hosts files • Harvest allowed_keys • Modify .login, etc. + insert trojans • Las Vegas – August 2007
nfs services Software distro servers are fun! • All nodes access over NFS • Write to software distro directories • Trojan every node at once • No exploits needed! • Las Vegas – August 2007
file services Example: all nodes were diskless / patched • Clients got software from NFS server • We hacked the software server • Using trust hijacking explained later • Inserted trojaned gnu binaries • 1000's of nodes sent us shells • Las Vegas – August 2007
trust relationships The target is unavailable to YOU • Not to another host you can reach... • Networks may not trust everyone • But they often trust each other :) • • Las Vegas – August 2007
trusts Deal with firewalls/TCP wrappers/ACLs • Find a node that is accepted and own it • People wrapper Unix and leave Windows • open Hack the Windows box and port forward • past wrappers Las Vegas – August 2007
trusts Example: Mixed network with Unix • wrapperd Target Solaris homedir server • Had auth credentials but couldn't reach • port 22 Found 1 vulnerable win box , owned / • installed portfworward to homedir port 22 • Las Vegas – August 2007
Hijacking SSH Idea is to abuse legitimate users access • over SSH If user can access other systems, why • can't you? (even without users password) One time passwords? No problem! • Intel gathering • Las Vegas – August 2007
Hijacking SSH Available tools • Metalstorm ssh hijacking • • Trojaned ssh clients • SSH master modes Dont for get TTY hijacking • Appcap • • TTYWatcher Who suspects a dead SSH session? • Las Vegas – August 2007
Hijacking SSH DEMO Las Vegas – August 2007
Hijacking Kerberos Kerberos is great for one time • authentication . . even for hackers Idea is to become a user and hijack • kerberos tickets Gain access to other trusted nodes • • Las Vegas – August 2007
Hijacking Kerberos DEMO Las Vegas – August 2007
Conclusion Compromise a “secure” network • Determination + creativity wins • Tools cannot replace talent. • Las Vegas – August 2007

Empfohlen

IPv6 Threat Presentation
IPv6 Threat PresentationIPv6 Threat Presentation
IPv6 Threat Presentationjohnmcclure00
 
Thotcon 0x5 - Retroactive Wiretapping VPN over DNS
Thotcon 0x5 - Retroactive Wiretapping VPN over DNSThotcon 0x5 - Retroactive Wiretapping VPN over DNS
Thotcon 0x5 - Retroactive Wiretapping VPN over DNSJohn Bambenek
 
DNS Security
DNS SecurityDNS Security
DNS Securityjohnmcclure00
 
How to Respond to Active Shooter Incidents in the Workplace
How to Respond to Active Shooter Incidents in the Workplace How to Respond to Active Shooter Incidents in the Workplace
How to Respond to Active Shooter Incidents in the Workplace G&A Partners
 
Ccw
CcwCcw
Ccwcortman121
 
Guerreirus Intro
Guerreirus IntroGuerreirus Intro
Guerreirus Introguerreirusgroup
 
Chapter Eight
Chapter EightChapter Eight
Chapter EightWilliam Harmening
 
Chapter Five
Chapter FiveChapter Five
Chapter FiveWilliam Harmening
 

Empfohlen

IPv6 Threat Presentation
IPv6 Threat PresentationIPv6 Threat Presentation
IPv6 Threat Presentationjohnmcclure00
 
Thotcon 0x5 - Retroactive Wiretapping VPN over DNS
Thotcon 0x5 - Retroactive Wiretapping VPN over DNSThotcon 0x5 - Retroactive Wiretapping VPN over DNS
Thotcon 0x5 - Retroactive Wiretapping VPN over DNSJohn Bambenek
 
DNS Security
DNS SecurityDNS Security
DNS Securityjohnmcclure00
 
How to Respond to Active Shooter Incidents in the Workplace
How to Respond to Active Shooter Incidents in the Workplace How to Respond to Active Shooter Incidents in the Workplace
How to Respond to Active Shooter Incidents in the Workplace G&A Partners
 
Ccw
CcwCcw
Ccwcortman121
 
Guerreirus Intro
Guerreirus IntroGuerreirus Intro
Guerreirus Introguerreirusgroup
 
Chapter Eight
Chapter EightChapter Eight
Chapter EightWilliam Harmening
 
Chapter Five
Chapter FiveChapter Five
Chapter FiveWilliam Harmening
 
Dogmatic Close Quarter Battle (CQB)
Dogmatic Close Quarter Battle (CQB)Dogmatic Close Quarter Battle (CQB)
Dogmatic Close Quarter Battle (CQB)CQB TEAM
 
Immediate versus Limited Entries
Immediate versus Limited EntriesImmediate versus Limited Entries
Immediate versus Limited EntriesCQB TEAM
 
1 survival drill in NBC disaster
1 survival drill in NBC disaster1 survival drill in NBC disaster
1 survival drill in NBC disasterneeraj verma
 
Active Shooter Exercise Presentation, 2013 SCCLEA Conference
Active Shooter Exercise Presentation, 2013 SCCLEA ConferenceActive Shooter Exercise Presentation, 2013 SCCLEA Conference
Active Shooter Exercise Presentation, 2013 SCCLEA ConferenceMargolis Healy
 
Close quarters battle (cqb ).ppt
Close quarters battle (cqb ).pptClose quarters battle (cqb ).ppt
Close quarters battle (cqb ).pptjosecoco1
 
Threat assessment and the active shooter
Threat assessment and the active shooterThreat assessment and the active shooter
Threat assessment and the active shooterworkthreatgroup
 
Gates Toorcon X New School Information Gathering
Gates Toorcon X New School Information GatheringGates Toorcon X New School Information Gathering
Gates Toorcon X New School Information GatheringChris Gates
 
Toward an Identity Metasystem
Toward an Identity MetasystemToward an Identity Metasystem
Toward an Identity Metasystemdigitallibrary
 
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...CrowdStrike
 
Virtualization & the Cloud for Collaborate 2017
Virtualization & the Cloud for Collaborate 2017Virtualization & the Cloud for Collaborate 2017
Virtualization & the Cloud for Collaborate 2017Kellyn Pot'Vin-Gorman
 
Frontera распределенный робот для обхода веба в больших объемах / Александр С...
Frontera распределенный робот для обхода веба в больших объемах / Александр С...Frontera распределенный робот для обхода веба в больших объемах / Александр С...
Frontera распределенный робот для обхода веба в больших объемах / Александр С...Ontico
 
Peer-to-Peer Systems
Peer-to-Peer SystemsPeer-to-Peer Systems
Peer-to-Peer SystemsUwe Schmidt
 
Tim O'Reilly Mashup Camp 2008
Tim O'Reilly Mashup Camp 2008Tim O'Reilly Mashup Camp 2008
Tim O'Reilly Mashup Camp 2008Tim O'Reilly
 
Yahoo Pipes Middleware In The Cloud
Yahoo Pipes Middleware In The CloudYahoo Pipes Middleware In The Cloud
Yahoo Pipes Middleware In The CloudConSanFrancisco123
 
Just In Time Scalability Agile Methods To Support Massive Growth Presentation
Just In Time Scalability Agile Methods To Support Massive Growth PresentationJust In Time Scalability Agile Methods To Support Massive Growth Presentation
Just In Time Scalability Agile Methods To Support Massive Growth PresentationLong Nguyen
 
Static Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech FestStatic Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech FestDenim Group
 
Securing Rails
Securing RailsSecuring Rails
Securing RailsAlex Payne
 
Crouching Powerpoint, Hidden Trojan
Crouching Powerpoint, Hidden TrojanCrouching Powerpoint, Hidden Trojan
Crouching Powerpoint, Hidden Trojanguest17b7c7
 
Open Source History And Licenses (15 04 2009)
Open Source History And Licenses (15 04 2009)Open Source History And Licenses (15 04 2009)
Open Source History And Licenses (15 04 2009)Martin von Haller Groenbaek
 
Geobliki: A Platform For Emergency Response
Geobliki: A Platform For Emergency ResponseGeobliki: A Platform For Emergency Response
Geobliki: A Platform For Emergency ResponsePat Cappelaere
 
Phishing As Tragedy of the Commons
Phishing As Tragedy of the CommonsPhishing As Tragedy of the Commons
Phishing As Tragedy of the Commonsamiable_indian
 
Cisco IOS Attack & Defense - The State of the Art
Cisco IOS Attack & Defense - The State of the Art Cisco IOS Attack & Defense - The State of the Art
Cisco IOS Attack & Defense - The State of the Art amiable_indian
 

Weitere ähnliche Inhalte

Andere mochten auch

Dogmatic Close Quarter Battle (CQB)
Dogmatic Close Quarter Battle (CQB)Dogmatic Close Quarter Battle (CQB)
Dogmatic Close Quarter Battle (CQB)CQB TEAM
 
Immediate versus Limited Entries
Immediate versus Limited EntriesImmediate versus Limited Entries
Immediate versus Limited EntriesCQB TEAM
 
1 survival drill in NBC disaster
1 survival drill in NBC disaster1 survival drill in NBC disaster
1 survival drill in NBC disasterneeraj verma
 
Active Shooter Exercise Presentation, 2013 SCCLEA Conference
Active Shooter Exercise Presentation, 2013 SCCLEA ConferenceActive Shooter Exercise Presentation, 2013 SCCLEA Conference
Active Shooter Exercise Presentation, 2013 SCCLEA ConferenceMargolis Healy
 
Close quarters battle (cqb ).ppt
Close quarters battle (cqb ).pptClose quarters battle (cqb ).ppt
Close quarters battle (cqb ).pptjosecoco1
 
Threat assessment and the active shooter
Threat assessment and the active shooterThreat assessment and the active shooter
Threat assessment and the active shooterworkthreatgroup
 

Andere mochten auch (6)

Dogmatic Close Quarter Battle (CQB)
Dogmatic Close Quarter Battle (CQB)Dogmatic Close Quarter Battle (CQB)
Dogmatic Close Quarter Battle (CQB)
 
Immediate versus Limited Entries
Immediate versus Limited EntriesImmediate versus Limited Entries
Immediate versus Limited Entries
 
1 survival drill in NBC disaster
1 survival drill in NBC disaster1 survival drill in NBC disaster
1 survival drill in NBC disaster
 
Active Shooter Exercise Presentation, 2013 SCCLEA Conference
Active Shooter Exercise Presentation, 2013 SCCLEA ConferenceActive Shooter Exercise Presentation, 2013 SCCLEA Conference
Active Shooter Exercise Presentation, 2013 SCCLEA Conference
 
Close quarters battle (cqb ).ppt
Close quarters battle (cqb ).pptClose quarters battle (cqb ).ppt
Close quarters battle (cqb ).ppt
 
Threat assessment and the active shooter
Threat assessment and the active shooterThreat assessment and the active shooter
Threat assessment and the active shooter
 

Ähnlich wie Tactical Exploitation - hdm valsmith

Gates Toorcon X New School Information Gathering
Gates Toorcon X New School Information GatheringGates Toorcon X New School Information Gathering
Gates Toorcon X New School Information GatheringChris Gates
 
Toward an Identity Metasystem
Toward an Identity MetasystemToward an Identity Metasystem
Toward an Identity Metasystemdigitallibrary
 
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...CrowdStrike
 
Virtualization & the Cloud for Collaborate 2017
Virtualization & the Cloud for Collaborate 2017Virtualization & the Cloud for Collaborate 2017
Virtualization & the Cloud for Collaborate 2017Kellyn Pot'Vin-Gorman
 
Frontera распределенный робот для обхода веба в больших объемах / Александр С...
Frontera распределенный робот для обхода веба в больших объемах / Александр С...Frontera распределенный робот для обхода веба в больших объемах / Александр С...
Frontera распределенный робот для обхода веба в больших объемах / Александр С...Ontico
 
Peer-to-Peer Systems
Peer-to-Peer SystemsPeer-to-Peer Systems
Peer-to-Peer SystemsUwe Schmidt
 
Tim O'Reilly Mashup Camp 2008
Tim O'Reilly Mashup Camp 2008Tim O'Reilly Mashup Camp 2008
Tim O'Reilly Mashup Camp 2008Tim O'Reilly
 
Yahoo Pipes Middleware In The Cloud
Yahoo Pipes Middleware In The CloudYahoo Pipes Middleware In The Cloud
Yahoo Pipes Middleware In The CloudConSanFrancisco123
 
Just In Time Scalability Agile Methods To Support Massive Growth Presentation
Just In Time Scalability Agile Methods To Support Massive Growth PresentationJust In Time Scalability Agile Methods To Support Massive Growth Presentation
Just In Time Scalability Agile Methods To Support Massive Growth PresentationLong Nguyen
 
Static Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech FestStatic Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech FestDenim Group
 
Securing Rails
Securing RailsSecuring Rails
Securing RailsAlex Payne
 
Crouching Powerpoint, Hidden Trojan
Crouching Powerpoint, Hidden TrojanCrouching Powerpoint, Hidden Trojan
Crouching Powerpoint, Hidden Trojanguest17b7c7
 
Geobliki: A Platform For Emergency Response
Geobliki: A Platform For Emergency ResponseGeobliki: A Platform For Emergency Response
Geobliki: A Platform For Emergency ResponsePat Cappelaere
 

Ähnlich wie Tactical Exploitation - hdm valsmith (14)

Gates Toorcon X New School Information Gathering
Gates Toorcon X New School Information GatheringGates Toorcon X New School Information Gathering
Gates Toorcon X New School Information Gathering
 
Toward an Identity Metasystem
Toward an Identity MetasystemToward an Identity Metasystem
Toward an Identity Metasystem
 
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
 
Virtualization & the Cloud for Collaborate 2017
Virtualization & the Cloud for Collaborate 2017Virtualization & the Cloud for Collaborate 2017
Virtualization & the Cloud for Collaborate 2017
 
Frontera распределенный робот для обхода веба в больших объемах / Александр С...
Frontera распределенный робот для обхода веба в больших объемах / Александр С...Frontera распределенный робот для обхода веба в больших объемах / Александр С...
Frontera распределенный робот для обхода веба в больших объемах / Александр С...
 
Peer-to-Peer Systems
Peer-to-Peer SystemsPeer-to-Peer Systems
Peer-to-Peer Systems
 
Tim O'Reilly Mashup Camp 2008
Tim O'Reilly Mashup Camp 2008Tim O'Reilly Mashup Camp 2008
Tim O'Reilly Mashup Camp 2008
 
Yahoo Pipes Middleware In The Cloud
Yahoo Pipes Middleware In The CloudYahoo Pipes Middleware In The Cloud
Yahoo Pipes Middleware In The Cloud
 
Just In Time Scalability Agile Methods To Support Massive Growth Presentation
Just In Time Scalability Agile Methods To Support Massive Growth PresentationJust In Time Scalability Agile Methods To Support Massive Growth Presentation
Just In Time Scalability Agile Methods To Support Massive Growth Presentation
 
Static Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech FestStatic Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech Fest
 
Securing Rails
Securing RailsSecuring Rails
Securing Rails
 
Crouching Powerpoint, Hidden Trojan
Crouching Powerpoint, Hidden TrojanCrouching Powerpoint, Hidden Trojan
Crouching Powerpoint, Hidden Trojan
 
Open Source History And Licenses (15 04 2009)
Open Source History And Licenses (15 04 2009)Open Source History And Licenses (15 04 2009)
Open Source History And Licenses (15 04 2009)
 
Geobliki: A Platform For Emergency Response
Geobliki: A Platform For Emergency ResponseGeobliki: A Platform For Emergency Response
Geobliki: A Platform For Emergency Response
 

Mehr von amiable_indian

Phishing As Tragedy of the Commons
Phishing As Tragedy of the CommonsPhishing As Tragedy of the Commons
Phishing As Tragedy of the Commonsamiable_indian
 
Cisco IOS Attack & Defense - The State of the Art
Cisco IOS Attack & Defense - The State of the Art Cisco IOS Attack & Defense - The State of the Art
Cisco IOS Attack & Defense - The State of the Art amiable_indian
 
Secrets of Top Pentesters
Secrets of Top PentestersSecrets of Top Pentesters
Secrets of Top Pentestersamiable_indian
 
Workshop on Wireless Security
Workshop on Wireless SecurityWorkshop on Wireless Security
Workshop on Wireless Securityamiable_indian
 
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...amiable_indian
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CDamiable_indian
 
Reverse Engineering for exploit writers
Reverse Engineering for exploit writersReverse Engineering for exploit writers
Reverse Engineering for exploit writersamiable_indian
 
State of Cyber Law in India
State of Cyber Law in IndiaState of Cyber Law in India
State of Cyber Law in Indiaamiable_indian
 
AntiSpam - Understanding the good, the bad and the ugly
AntiSpam - Understanding the good, the bad and the uglyAntiSpam - Understanding the good, the bad and the ugly
AntiSpam - Understanding the good, the bad and the uglyamiable_indian
 
Reverse Engineering v/s Secure Coding
Reverse Engineering v/s Secure CodingReverse Engineering v/s Secure Coding
Reverse Engineering v/s Secure Codingamiable_indian
 
Network Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons LearnedNetwork Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons Learnedamiable_indian
 
Economic offenses through Credit Card Frauds Dissected
Economic offenses through Credit Card Frauds DissectedEconomic offenses through Credit Card Frauds Dissected
Economic offenses through Credit Card Frauds Dissectedamiable_indian
 
Immune IT: Moving from Security to Immunity
Immune IT: Moving from Security to ImmunityImmune IT: Moving from Security to Immunity
Immune IT: Moving from Security to Immunityamiable_indian
 
Reverse Engineering for exploit writers
Reverse Engineering for exploit writersReverse Engineering for exploit writers
Reverse Engineering for exploit writersamiable_indian
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecuritiesamiable_indian
 
Web Exploit Finder Presentation
Web Exploit Finder PresentationWeb Exploit Finder Presentation
Web Exploit Finder Presentationamiable_indian
 
Network Security Data Visualization
Network Security Data VisualizationNetwork Security Data Visualization
Network Security Data Visualizationamiable_indian
 
Enhancing Computer Security via End-to-End Communication Visualization
Enhancing Computer Security via End-to-End Communication Visualization Enhancing Computer Security via End-to-End Communication Visualization
Enhancing Computer Security via End-to-End Communication Visualization amiable_indian
 
Top Network Vulnerabilities Over Time
Top Network Vulnerabilities Over TimeTop Network Vulnerabilities Over Time
Top Network Vulnerabilities Over Timeamiable_indian
 
What are the Business Security Metrics?
What are the Business Security Metrics? What are the Business Security Metrics?
What are the Business Security Metrics? amiable_indian
 

Mehr von amiable_indian (20)

Phishing As Tragedy of the Commons
Phishing As Tragedy of the CommonsPhishing As Tragedy of the Commons
Phishing As Tragedy of the Commons
 
Cisco IOS Attack & Defense - The State of the Art
Cisco IOS Attack & Defense - The State of the Art Cisco IOS Attack & Defense - The State of the Art
Cisco IOS Attack & Defense - The State of the Art
 
Secrets of Top Pentesters
Secrets of Top PentestersSecrets of Top Pentesters
Secrets of Top Pentesters
 
Workshop on Wireless Security
Workshop on Wireless SecurityWorkshop on Wireless Security
Workshop on Wireless Security
 
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CD
 
Reverse Engineering for exploit writers
Reverse Engineering for exploit writersReverse Engineering for exploit writers
Reverse Engineering for exploit writers
 
State of Cyber Law in India
State of Cyber Law in IndiaState of Cyber Law in India
State of Cyber Law in India
 
AntiSpam - Understanding the good, the bad and the ugly
AntiSpam - Understanding the good, the bad and the uglyAntiSpam - Understanding the good, the bad and the ugly
AntiSpam - Understanding the good, the bad and the ugly
 
Reverse Engineering v/s Secure Coding
Reverse Engineering v/s Secure CodingReverse Engineering v/s Secure Coding
Reverse Engineering v/s Secure Coding
 
Network Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons LearnedNetwork Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons Learned
 
Economic offenses through Credit Card Frauds Dissected
Economic offenses through Credit Card Frauds DissectedEconomic offenses through Credit Card Frauds Dissected
Economic offenses through Credit Card Frauds Dissected
 
Immune IT: Moving from Security to Immunity
Immune IT: Moving from Security to ImmunityImmune IT: Moving from Security to Immunity
Immune IT: Moving from Security to Immunity
 
Reverse Engineering for exploit writers
Reverse Engineering for exploit writersReverse Engineering for exploit writers
Reverse Engineering for exploit writers
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
 
Web Exploit Finder Presentation
Web Exploit Finder PresentationWeb Exploit Finder Presentation
Web Exploit Finder Presentation
 
Network Security Data Visualization
Network Security Data VisualizationNetwork Security Data Visualization
Network Security Data Visualization
 
Enhancing Computer Security via End-to-End Communication Visualization
Enhancing Computer Security via End-to-End Communication Visualization Enhancing Computer Security via End-to-End Communication Visualization
Enhancing Computer Security via End-to-End Communication Visualization
 
Top Network Vulnerabilities Over Time
Top Network Vulnerabilities Over TimeTop Network Vulnerabilities Over Time
Top Network Vulnerabilities Over Time
 
What are the Business Security Metrics?
What are the Business Security Metrics? What are the Business Security Metrics?
What are the Business Security Metrics?
 

Kürzlich hochgeladen

How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...panagenda
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Scott Andery
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 

Kürzlich hochgeladen (20)

How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 

Tactical Exploitation - hdm valsmith

  • 1. Tactical Exploitation “the other way to pen-test “ hdm / valsmith Black Hat USA 2007 Las Vegas – August 2007
  • 2. who are we ? H D Moore <hdm [at] metasploit.com> BreakingPoint Systems || Metasploit Valsmith <valsmith [at] metasploit.com> Offensive Computing || Metasploit Las Vegas – August 2007
  • 3. why listen ? A different approach to pwning • Lots of fun techniques, new tools • Real-world tested ;-) • Las Vegas – August 2007
  • 4. what do we cover ? Target profiling • Discovery tools and techniques • Exploitation • Getting you remote access • Las Vegas – August 2007
  • 5. the tactical approach Vulnerabilites are transient • Target the applications • Target the processes • Target the people • Target the trusts • You WILL gain access. • Las Vegas – August 2007
  • 6. the tactical approach Crackers are opportunists • Expand the scope of your tests • Everything is fair game • What you dont test... • Someone else will! • Las Vegas – August 2007
  • 7. the tactical approach Hacking is not about exploits • The target is the data, not r00t • Hacking is using what you have • Passwords, trust relationships • Service hijacking, auth tickets • Las Vegas – August 2007
  • 8. personnel discovery Security is a people problem • People write your software • People secure your network • Identify the meatware first • Las Vegas – August 2007
  • 9. personnel discovery Identifying the meatware • • Google • Newsgroups SensePost tools • Evolution from Paterva.com • Las Vegas – August 2007
  • 10. personnel discovery These tools give us • Full names, usernames, email • Employment history • Phone numbers • Personal sites • Las Vegas – August 2007
  • 12. personnel discovery Started with company and jobs • Found online personnel directory • Found people with access to data • Found resumes, email addresses • Email name = username = target • Las Vegas – August 2007
  • 13. personnel discovery Joe Targetstein • Works as lead engineer in semiconductor department • Email address joet@company.com • Old newsgroup postings show • joet@joesbox.company.com Now we have username and a host to target to go • after semi conductor information Las Vegas – August 2007
  • 14. network discovery Identify your target assets • Find unknown networks • Find third-party hosts • Dozens of great tools... • Lets stick to the less-known ones • Las Vegas – August 2007
  • 15. network discovery The overused old busted • Whois, Google, zone transfers • Reverse DNS lookups • Las Vegas – August 2007
  • 16. network discovery The shiny new hotness • Other people's services • CentralOps.net, DigitalPoint.com • DomainTools.com • Paterva.com • Las Vegas – August 2007
  • 17. network discovery DomainTools vs Defcon.org • 1. Darktangent.net 0 listings0 listings0 listings 2. Defcon.net 0 listings0 listings0 listings 3. Defcon.org 1 listings18 listings 1 listings 4. Hackerjeopardy.com 0 listings0 listings0 listings 5. Hackerpoetry.com0 listings0 listings0 listings 6. Thedarktangent.com 0 listings0 listings0 listings 7. Thedarktangent.net 0 listings0 listings0 listings 8. Thedarktangent.org 0 listings0 listings0 listings Las Vegas – August 2007
  • 18. network discovery DomainTools vs Defcon.net • 1. 0day.com 0 listings0 listings0 listings • 2. 0day.net 0 listings0 listings0 listings • 3. Darktangent.org 0 listings0 listings0 listings • [ snipped personal domains ] 12. Securityzen.com 0 listings0 listings0 listings • 13. Zeroday.com 0 listings0 listings0 listings • Las Vegas – August 2007
  • 19. network discovery What does this get us? • Proxied DNS probes, transfers • List of virtual hosts for each IP • Port scans, traceroutes, etc • Gold mine of related info • Las Vegas – August 2007
  • 20. network discovery Active discovery techniques • Trigger SMTP bounces • Brute force HTTP vhosts • Watch outbound DNS • Just email the users! • Las Vegas – August 2007
  • 21. network discovery Received: from unknown (HELO gateway1.rsasecurity.com) (216.162.240.250) by [censored] with SMTP; 28 Jun 2007 15:11:29 -0500 Received: from hyperion.rsasecurity.com by gateway1.rsasecurity.com via smtpd (for [censored]. [xxx.xxx.xxx.xxx]) with SMTP; Thu, 28 Jun 2007 16:11:29 -0400 by hyperion.na.rsa.net (MOS 3.8.3-GA) To: user@[censored] Subject: Returned mail: User unknown (from [10.100.8.152]) Las Vegas – August 2007
  • 22. application discovery If the network is the toast... • Applications are the butter. • Each app is an entry point • Finding these apps is the trick • Las Vegas – August 2007
  • 23. application discovery Tons of great tools • Nmap, Amap, Nikto, Nessus • Commercial tools • Las Vegas – August 2007
  • 24. application discovery Slow and steady wins the deface • Scan for specific port, one port only • IDS/IPS can't handle slow scans • Ex. nmap -sS -P0 -T 0 -p 1433 ips • Las Vegas – August 2007
  • 25. application discovery Example target had custom IDS to • detect large # of host connections Standard nmap lit up IDS like XMAS • One port slow scan never detected • Know OS based on 1 port (139/22) • Las Vegas – August 2007
  • 26. application discovery Target had internal app for software licensing / • distribution ~10,000 nodes had app installed • A couple of hours with IDA/Ollydbg showed • static Admin password in app's memory All accessible nodes owned, 0 exploits used • Las Vegas – August 2007
  • 27. application discovery Web Application Attack and Audit • Framework • W3AF: “Metasploit for the web” Metasploit 3 scanning modules • • Scanning mixin Las Vegas – August 2007
  • 28. application discovery DEMO Las Vegas – August 2007
  • 29. client app discovery Client applications are fun! • Almost always exploitable • Easy to fingerprint remotely • Your last-chance entrance • Las Vegas – August 2007
  • 30. client app discovery Common probe methods • Mail links to the targets • Review exposed web logs • Send MDNs to specific victims • Abuse all, everyone, team aliases • Las Vegas – August 2007
  • 31. process discovery Track what your target does • Activity via IP ID counters • Last-modified headers • FTP server statistics • Las Vegas – August 2007
  • 32. process discovery Look for patterns of activity • Large IP ID increments at night • FTP stats at certain times • Microsoft FTP SITE STATS • Web pages being uploaded • Check timestamps on images • Las Vegas – August 2007
  • 33. process discovery Existing tools? • None, really... • Easy to script • • Use “hping” for IP ID tracking • Use netcat for SITE STATS Las Vegas – August 2007
  • 34. process discovery ABOR : 2138 NOOP : 147379 SIZE : 76980 ACCT : 2 OPTS : 21756 SMNT : 16 ALLO : 32 PASS : 2050555100 STAT : 30812 APPE : 74 PASV : 2674909 STOR : 3035 CDUP : 5664 PORT : 786581 STRU : 3299 CWD : 388634 PWD : 179852 SYST : 175579 DELE : 1910 QUIT : 143771 TYPE : 3038879 FEAT : 2970 REIN : 16 USER : 2050654280 HELP : 470 REST : 31684 XCWD : 67 LIST : 3228866 RETR : 153140 XMKD : 12 MDTM : 49070 RMD : 41 XPWD : 1401 MKD : 870 RNFR : 58 XRMD : 2 MODE : 3938 RNTO : 2 NLST : 1492 SITE : 2048 ftp.microsoft.com [node] SITE STATS / Uptime: 47 days Las Vegas – August 2007
  • 35. process discovery << backups run at midnight USA people wake up >> IP ID Monitoring / HACKER.COM Las Vegas – August 2007
  • 36. 15 Minute Break Come back for the exploits! • Las Vegas – August 2007
  • 37. re-introduction In our last session... • Discovery techniques and tools • In this session... • • Compromising systems! Las Vegas – August 2007
  • 38. external network The crunchy candy shell • Exposed hosts and services • VPN and proxy services • Client-initiated sessions • Las Vegas – August 2007
  • 39. attacking ftp transfers Active FTP transfers • Clients often expose data ports • NAT + Active FTP = Firewall Hole • Passive FTP transfers • Data port hijacking: DoS at least • pasvagg.pl still works just fine :-) • Las Vegas – August 2007
  • 40. attacking web servers Brute force vhosts, files, dirs • http://www.cray.com/old/ • Source control files left in root • http://www.zachsong.com/CVS/Entries • Las Vegas – August 2007
  • 41. attacking web servers Apache Reverse Proxying • GET /%00 HTTP/1.1 Host: realhost.com Apache Dynamic Virtual Hosting • GET / HTTP/1.1 Host: %00/ Las Vegas – August 2007
  • 42. load balancers Cause load balancer to “leak” • internal IP information Use TCP half-close HTTP request • Alteon ACEdirector good example • Las Vegas – August 2007
  • 43. load balancers ACEdirector mishandles TCP half- • close requests • Behavior can be used as signature • for existence of Load Balancer • Direct packets from real webserver • fowarded back to client (with IP) Las Vegas – August 2007
  • 44. cgi case study Web Host with 1000's of sites • Had demo CGI for customers • CGI had directory traversal • www.host.com/cgi-bin/vuln.pl/../../cgi • CGI executable + writable on every • directory Common on web hosts! • • Las Vegas – August 2007
  • 45. cgi case study Enumerated: • • Usernames • Dirs • Backup files • Other CGI scripts • VHOSTS Las Vegas – August 2007
  • 46. cgi case study Target happened to run solaris • • Solaris treats dirs as files • cat /dirname = ls /dirname http://www.host.com/cgi-bin/vuln.cgi/../../../../dirname%00.html • Las Vegas – August 2007
  • 47. cgi case study Found CGI script names • Googled for vulns • Gained shell 100's of different ways • Owned due to variety of layered • configuration issues Las Vegas – August 2007
  • 48. attacking dns servers Brute force host names • XID sequence analysis • • BIND 9: PRNG / Birthday • VxWorks: XID = XID + 1 Return extra answers in response • Las Vegas – August 2007
  • 49. authentication relays SMB/CIFS clients are fun! • Steal hashes, redirect, MITM • NTLM relay between protocols • SMB/HTTP/SMTP/POP3/IMAP • More on this later... • Las Vegas – August 2007
  • 50. social engineering Give away free toys • CDROMs, USB keys, N800s • Replace UPS with OpenWRT • Cheap and easy to make • Las Vegas – August 2007
  • 51. internal network The soft chewy center • This is the fun part :) • Easy to trick clients • Las Vegas – August 2007
  • 52. netbios services NetBIOS names are magic • • WPAD • CALICENSE Las Vegas – August 2007
  • 53. dns services Microsoft DNS + DHCP = fun • • Inject host names into DNS • Hijack the entire network dhcpcd -h WPAD -i eth0 • Las Vegas – August 2007
  • 54. Hijacking NTLM Quickly own all local workstations • Gain access to mail and web sites • A new twist on “smbrelay2.cpp” • Yes, it was released in 2001. • Now implemented in Metasploit 3 • Las Vegas – August 2007
  • 55. Hijacking NTLM 1. MITM all outbound web traffic Cache poison the “WPAD” host • Plain old ARP spoofing • DHCP / NetBIOS + “WPAD” • Run a rogue WiFi access point • Manipulate TOR connections • Las Vegas – August 2007
  • 56. Hijacking NTLM 2. Redirect HTTP requests to “intranet” WPAD + SOCKS server • SQUID + transparent proxying • 302 Redirect • Las Vegas – August 2007
  • 57. Hijacking NTLM 3. Return HTML page with UNC link IE 5/6/7: <img src=”ipsharei.jpg”> • Firefox: mozicon-url:file:////ip/share/i.jpg • Third-party plugins: • Adobe PDF Viewer • Windows Media Player • Microsoft Office • Las Vegas – August 2007
  • 58. Hijacking NTLM 4. Accept SMB connection and relay Accept connection from the client • Connect to the target server (or client) • Ask target for Challenge Key • Provide this Key to the client • Allow the client to authenticate • Las Vegas – August 2007
  • 59. Hijacking NTLM 5. Executing remote code Disconnect the client • Use authenticated session • • ADMIN$ + Service Control Manager • Access data, call RPC routines, etc • Access the remote registry Las Vegas – August 2007
  • 60. Hijacking NTLM DEMO Las Vegas – August 2007
  • 61. file servers “NAS appliances are safe and secure” • Don't worry, the vendor sure doesn't • Unpatched Samba daemons • • Snap, TeraServer, OS X, etc. Inconsistent file permissions • AFP vs NFS vs SMB • Las Vegas – August 2007
  • 62. samba is awesome 1999 called, want their bugs back • Remember those scary “NULL Sessions” • Samba ENUM / SID2USR user listing • Massive information leaks via DCERPC • • Shares, Users, Policies • Brute force accounts (no lockout) Las Vegas – August 2007
  • 63. smb case study Old bugs back to haunt new boxes • Found OS X Box running SMB • User sent mail touting OS X sec • Previous scans had found vulns • User: “false positive, its OS X” • Us: “Owned” • Las Vegas – August 2007
  • 64. smb case study Performed Null Session • net use osxsmbipc$ “” /user:”” • Enumerated users and shares • • Brute forced several user accounts • Got shell, escalated to root • User: “but . .but . . its OS X!” Las Vegas – August 2007
  • 65. samba vs metasploit Metasploit modules for Samba • Linux (vSyscall + Targets) • Mac OS X (PPC/x86) • Solaris (SPARC,x86) • Auxiliary PoCs • Las Vegas – August 2007
  • 66. nfs services NFS is your friend • Dont forget its easy cousin NIS • Scan for port 111 / 2049 • showmount -e / showmount -a • Whats exported, whose mounting? • Las Vegas – August 2007
  • 67. nfs services Exported NFS home directories • Important target! • If you get control • Own every node that mounts it • Las Vegas – August 2007
  • 68. nfs services If you are root on home server • Become anyone (NIS/su) • Harvest known_hosts files • Harvest allowed_keys • Modify .login, etc. + insert trojans • Las Vegas – August 2007
  • 69. nfs services Software distro servers are fun! • All nodes access over NFS • Write to software distro directories • Trojan every node at once • No exploits needed! • Las Vegas – August 2007
  • 70. file services Example: all nodes were diskless / patched • Clients got software from NFS server • We hacked the software server • Using trust hijacking explained later • Inserted trojaned gnu binaries • 1000's of nodes sent us shells • Las Vegas – August 2007
  • 71. trust relationships The target is unavailable to YOU • Not to another host you can reach... • Networks may not trust everyone • But they often trust each other :) • • Las Vegas – August 2007
  • 72. trusts Deal with firewalls/TCP wrappers/ACLs • Find a node that is accepted and own it • People wrapper Unix and leave Windows • open Hack the Windows box and port forward • past wrappers Las Vegas – August 2007
  • 73. trusts Example: Mixed network with Unix • wrapperd Target Solaris homedir server • Had auth credentials but couldn't reach • port 22 Found 1 vulnerable win box , owned / • installed portfworward to homedir port 22 • Las Vegas – August 2007
  • 74. Hijacking SSH Idea is to abuse legitimate users access • over SSH If user can access other systems, why • can't you? (even without users password) One time passwords? No problem! • Intel gathering • Las Vegas – August 2007
  • 75. Hijacking SSH Available tools • Metalstorm ssh hijacking • • Trojaned ssh clients • SSH master modes Dont for get TTY hijacking • Appcap • • TTYWatcher Who suspects a dead SSH session? • Las Vegas – August 2007
  • 76. Hijacking SSH DEMO Las Vegas – August 2007
  • 77. Hijacking Kerberos Kerberos is great for one time • authentication . . even for hackers Idea is to become a user and hijack • kerberos tickets Gain access to other trusted nodes • • Las Vegas – August 2007
  • 78. Hijacking Kerberos DEMO Las Vegas – August 2007
  • 79. Conclusion Compromise a “secure” network • Determination + creativity wins • Tools cannot replace talent. • Las Vegas – August 2007