Networking for Pentesters
JP Bourget @punkrokk
Rob Fuller @mubix
JP’s Intro
• BS IT, RIT 2005; MS Computer Security and Information Assurance, RIT 2008; CISSP; MCSE, CSSA. JP has six years’ experience in computer networking, system administration, and information security. During the day JP is responsible for network and security management for a medium-sized global company based in the US. JP is also adjunct faculty at Rochester Institute of Technology, where he teaches networking and security undergraduate classes. JP also performs pen testing and security audits for local companies in Rochester, NY.

• You can find him on Twitter at http://www.twitter.com/punkrokk and on his blog: http://syncurity.net.
meterpreter> getuid

Rob Fuller – Security Consultant

• Rob “mubix” Fuller joined Rapid7 in 2010 as a Security Consultant. Rob has 10 years of Information Security and IT experience. Prior to joining Rapid7 he worked at Applied Security as a Network Attack Operator, a Penetration Tester for the Pentagon, a Senior Incident Response Analyst for the Senate and multiple Information Security positions in the United States Marine Corps. During his 8 years of service in the United States Marine Corps he was a team lead for the Marine Corps’ Computer Emergency Response Team (MARCERT) and became the first Security Test Engineer for the Marine Corps’ R&D section. He has extensive experience in full scope penetration testing, web application assessments, wireless security, incident response, and related development. Rob has spoken at the US Naval Academy, DojoCon, and RSS and holds a CEH, OSCP, and Security+.
Public Service Announcement

screw ninjas
I want to be a wizard
to become a wizard you must answer every question with another question.
Samurai are still cool...
Thank you
Agenda
• Networking for Pentesters	

• Information Operations	

• Vuln Hunting	

• Exploitation	

• Persistence	

• Pivoting
Questions
• ANY AND ALL TIMES, THERE WILL BE NO Q&A AT THE END

• but we will be open to questions after the class physically or digitally
but first...
• Select a target:

• <insert company name here>

• Everything we will be doing with these selected targets will be in the open source info gathering sense. No malicious traffic will be used against these targets as part of any lab or instructor-led exercise
Agenda
• Networking for Pentesters
• Information Operations	

• Vuln Hunting	

• Exploitation	

• Persistence	

• Pivoting
Networking for
Pentesters
• DNS	

• SMTP	

• SSH	

• HTTP	

• RDP
DNS
• Zones	

• The round trip ride.	

• Record Types (+200)	

• Wildcards	

• Caching / Cache poisoning	

• Zone Transfers (kicking it like it’s 1995)	

• Brute forcing records
DNS Digging Deeper
• Recursion	

• Authoritative Servers	

• Non-Authoritative Servers	

• DNS TTL 	

• (only matters on target DNS server)
Non-’A’ Records
• SOA Records	

• NS Records	

• PTR Records	

• MX Records	

• SRV Records	

• TXT Records
Zone Transfer Commands

• dig
  • dig -t AXFR domain.com @ns2.domain.com +short

• host -l

• nslookup
  • ls -d

• dnscmd (a part of the support tools)
  • dnscmd /EnumZones
  • dnscmd /ZonePrint (newer versions of binary)
  • dnscmd /EnumRecords domain.com @ (older versions)
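An added example, not from the slides, of what `dig -t AXFR zone @server` actually puts on the wire and how to read the first message that comes back; from the defensive side, point it at your own name servers to confirm they answer REFUSED to clients that are not their secondaries. Zone and server names are placeholders, and the two response messages at the bottom are constructed for offline checks.

```python
"""AXFR probe over TCP (added example, stdlib only, not from the slides).

Only the first response message is inspected: RCODE REFUSED/NOTAUTH means
the server restricts transfers (what you want to see on your own servers);
NOERROR with answer records means the zone is being handed to anyone.
"""
import random
import socket
import struct

QTYPE_AXFR, QCLASS_IN = 252, 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name):
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_axfr_query(zone, qid=0x1234):
    """Header (flags 0, QDCOUNT 1) + question (AXFR, IN), with the 2-byte TCP length prefix."""
    header = struct.pack(">HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    question = encode_name(zone) + struct.pack(">HH", QTYPE_AXFR, QCLASS_IN)
    msg = header + question
    return struct.pack(">H", len(msg)) + msg


def parse_header(msg):
    """(id, rcode name, ANCOUNT) from a DNS message without its length prefix."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    rcode = flags & 0x000F
    return qid, RCODES.get(rcode, str(rcode)), an


def classify(msg, qid):
    """Verdict for the first message a server sends back to an AXFR request."""
    rid, rcode, ancount = parse_header(msg)
    if rid != qid:
        return "mismatched-id"
    if rcode in ("REFUSED", "NOTAUTH"):
        return "refused"            # transfers restricted: the healthy state
    if rcode == "NOERROR" and ancount > 0:
        return "transfer-allowed"   # zone contents are streaming to an arbitrary client
    return "other:" + rcode


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def probe(zone, server, timeout=5.0):
    """Send one AXFR request over TCP/53 and classify the first response message."""
    qid = random.getrandbits(16)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(build_axfr_query(zone, qid))
        (length,) = struct.unpack(">H", _recv_exact(s, 2))
        return classify(_recv_exact(s, length), qid)


# Constructed, header-only responses for offline checks (QR bit set; no length prefix).
QUESTION = encode_name("example.com") + struct.pack(">HH", QTYPE_AXFR, QCLASS_IN)
REFUSED_RESPONSE = struct.pack(">HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0) + QUESTION
ALLOWED_RESPONSE = struct.pack(">HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0) + QUESTION

if __name__ == "__main__":
    import sys
    # usage: python axfr_probe.py ZONE NAMESERVER   (both are placeholders you supply)
    print(probe(sys.argv[1], sys.argv[2]))
```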
DNS Brute Force Tools
• DNSEnum	

• Metasploit Module	

• Yeti	

• Fierce	

• Google	

• Bing	

• FOCA
LAB TIME
• Zone transfers.... 	

• Brute force CompanyX’s records
SMTP
• Clear-text protocol	

• How email has been working since 1982 	

• VERBS	

• Display Names	

• Unforgiving nature (used by machines)
SMTP Verbs
• MAIL FROM:	

• RCPT TO:	

• VRFY	

• HELO/EHLO	

• DATA	

• From:	

• To:	

• Cc:	

• Date:	

• Subject:	

• (body)	

• .	

• QUIT
Telnet Email FTW
S: 220 smtp.example.com ESMTP Postfix 	

C: HELO relay.example.org 	

S: 250 Hello relay.example.org, I am glad to meet you 	

C: MAIL FROM:<bob@example.org> 	

S: 250 Ok 	

C: RCPT TO:<alice@example.com> 	

S: 250 Ok 	

C: RCPT TO:<theboss@example.com> 	

S: 250 Ok 	

Telnet Email FTW
(contd)

C: DATA 	

S: 354 End data with <CR><LF>.<CR><LF> 	

C: From: "Bob Example" <bob@example.org> 	

C: To: "Alice Example" <alice@example.com> 	

C: Cc: theboss@example.com 	

C: Date: Tue, 15 Jan 2008 16:02:43 -0500 	

C: Subject: Test message 	

C: 	

C: Hello Alice. 	

C: This is a test message with 5 header fields and 4 lines in the message body. 	

C: Your friend,

C: Bob 	

C: . 	

S: 250 Ok: queued as 12345 	

C: QUIT 	

S: 221 Bye
LAB TIME
1. Send a spoofed email to your buddy	

2. Try to send an email with a link	

3. Try to send an email with a spoofed display name
SSH
• Tunneling traffic with PuTTY	

• Tunneling traffic with OpenSSH	

• Master-mode (Man-On-Your-Back) MOYB	

• No shell tunneling	

• MITM
PuTTY Tunneling
OpenSSH Tunneling
• Local, Dynamic, and Remote

ssh -L localport:host:hostport
ssh -D localport
ssh -R remoteport:host:hostport
Examples
ssh -f -N punkrokk@myhomeserver.com -L 2000:myhomeserver.com:25 (localport:host:remote-port; -N because -f needs either a remote command or -N)

forwards local port 2000 to home port 25

-- Why is this interesting?

ssh -f -N -L 3000:talk.google.com:5522 myhomesshserver.net
SSH MOYB
• Enable ‘Master Mode’ in config

Host *
    ControlMaster auto
    ControlPath /tmp/%r@%h:%p

• Wait for someone to connect somewhere...
SSH
• MITM

http://www.oxid.it/ca_um/topics/ssh-1_to_pix_example.htm

SSH Downgrade attacks (2 -> 1) (ettercap)
LAB TIME
• Tunnel (MySQL) port 3306 through a nologin account on Metasploitable to the Windows 2k8 box
HTTP
• VERBS

• Headers

• Response Codes

• 1.0 vs 1.1

• DoS Attacks (Slowloris, Strawman)

• Ajax, Flash, SOAP, Django, SSL

• also known as: let’s pile more state on a stateless protocol!
How’s your HTTP
Vocabulary?
• GET	

• POST	

• HEAD	

• PUT	

• DELETE	

• OPTIONS	

• PROPFIND	

• DEBUG	

• TRACE	

• CONNECT	

• PROPPATCH	


• MKCOL	

• COPY	

• MOVE	

• LOCK	

• UNLOCK	

• VERSION-CONTROL


• REPORT	

• CHECKOUT	

• CHECKIN	

• UNCHECKOUT	


• MKWORKSPACE	

• UPDATE	

• LABEL	

• MERGE	

• BASELINE-CONTROL


• MKACTIVITY	

• ORDERPATCH	

• ACL	

• PATCH	

• SEARCH
HTTP Response Codes
• 100s	

• You need to wait for some stuff	

• 200s	

• Stuff is there	

• 300s	

• Stuff Moved	

• 400s	

• Stuff isn’t there or you aren’t allowed to see it	

• 500s	

• Stuff went wrong
1.0 vs 1.1
• OPTIONS verb	

• 100 - Continue response code (not cool)	

• Compression	

• Persistent Connections (very cool)	

• Requires the ‘Host:’ header (not cool)	

• Supports these crazy things called ‘cookies’
WebDAV Trick
• Name a file mysecretwebshell.aspx;.txt

• IIS will reference it as an ASPX page

• WebDAV thinks it’s just a text file
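An added example, not from the slides, that models the two parsers the trick plays against each other (a last-dot extension parser versus one that cuts the name at the first `;`) and shows the check an upload handler should make: compute both views and reject any name on which they disagree. The set of executable extensions is an assumption for the demo.

```python
"""Parser-differential check for uploaded file names (added example).

The slide's trick works because two components read the same name
differently: a last-dot parser sees ".txt", while a parser that truncates
at ';' (the legacy IIS behaviour the slide describes) sees ".aspx".
Computing both views side by side makes the disagreement visible.
"""
import posixpath

# Assumption for this demo: extensions the server would hand to a script engine.
EXECUTABLE_EXTS = {"asp", "aspx", "ashx", "asmx", "php", "jsp"}


def last_dot_view(name):
    """Extension as a naive 'everything after the last dot' parser sees it."""
    return posixpath.splitext(name)[1].lstrip(".").lower()


def semicolon_truncating_view(name):
    """Extension as a parser that stops reading the name at the first ';' sees it."""
    return last_dot_view(name.split(";", 1)[0])


def upload_verdict(name):
    """Return (last_dot_ext, truncating_ext, accepted).

    Accept only when both views agree, neither is executable, and the name
    carries no ';' at all (so no third parser can pick a different split).
    """
    a, b = last_dot_view(name), semicolon_truncating_view(name)
    accepted = a == b and a not in EXECUTABLE_EXTS and ";" not in name
    return a, b, accepted


def audit(names):
    """Map each candidate name to its verdict so the disagreements stand out."""
    return {n: upload_verdict(n) for n in names}


if __name__ == "__main__":
    for name, verdict in audit(["report.txt", "mysecretwebshell.aspx;.txt"]).items():
        print(f"{name!r}: last-dot={verdict[0]} truncating={verdict[1]} accepted={verdict[2]}")
```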
LAB TIME
• Go to your company’s website	

• What server type is it?	

• Apache, Webrick, IIS, pySockets, etc...	

• What server side code does it run?	

• ASP{X}, Python, Ruby on Rails, PHP, etc.

• Do you think it has a DB backend? Why?
RDP
• RDP Bruteforcing

• TSGrinder (old school)

• ncrack (new school)

• RDP MITM

• Cain & Abel still rules

• RDP Hashdump

• Cain & Abel
NO LAB
• Difficult to duplicate, much less set up, for a lab such as this, but definitely take everything you’ve learned here home and try it out
Agenda
• Networking for Pentesters	

• Information Operations
• Vuln Hunting	

• Exploitation	

• Persistence	

• Pivoting
Information Operations
• Social Networking Rocks	

• Metadata	

• Clouds Rain Info	

• Nmap (some tricks to using it)
Social Networking Rocks
• Twitter.com

• This is the ONLY service that emails you that someone wants to add you even if they just import your contact info.

• Twitterpeeps.com [Fix link]

• Facebook.com

• “Everything should be public” -- Zuckerberg

• LinkedIn.com

• Their API is much more open than their site. Think evil.

• You probably know all these but they can be horribly twisted
LAB TIME
• Start to fill out data on your company; use social networks to find as much information about the target as possible.
Metadata

• Documents	

• Usernames	

• IP addresses	

• Hostnames	

• Domains	

• Images	

• Usernames	

• Locations	

• Email Headers (Have you ever looked at them?)	

• FOCA Free/Pro (King of Metadata)	

• EVERYTHING ;-)
LAB TIME
• Open your SPAM folder, and open the email’s header information.

• What can you tell about the sender?

• What can you tell about the organization/infrastructure supporting the sender?
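An added example, not from the slides, that serves both the SMTP display-name lab and this header lab: it separates the envelope sender (MAIL FROM, recorded by the receiving server as Return-Path) from the From: header typed during DATA, flags a decoy address hidden in the display name, and walks the Received chain back to the originating IP. The message is constructed, modelled on the telnet session earlier in the deck, with a spoofed From: added.

```python
"""Envelope-vs-header checks for a raw email (added example, stdlib only).

SMTP carries two senders.  MAIL FROM is the envelope sender, which the
receiving MTA records as Return-Path.  From: is just a header the client
types during DATA, so it, and its display name, can say anything.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: envelope sender bob@example.org (as in the slides'
# telnet session), but the From: display name carries a second, unrelated
# address, which is what a mail client shows the reader.
SAMPLE_RAW = """\
Return-Path: <bob@example.org>
Received: from relay.example.org (unknown [198.51.100.23])
    by smtp.example.com (Postfix) with SMTP id 12345
    for <alice@example.com>; Tue, 15 Jan 2008 16:02:50 -0500 (EST)
From: "theboss@example.com" <bob@example.org>
To: "Alice Example" <alice@example.com>
Subject: Test message
Date: Tue, 15 Jan 2008 16:02:43 -0500

Hello Alice.
"""

# Second constructed variant: the From: header itself claims the boss's address.
SAMPLE_SPOOFED_HEADER = SAMPLE_RAW.replace(
    'From: "theboss@example.com" <bob@example.org>',
    'From: "The Boss" <theboss@example.com>')

ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
RECEIVED_RE = re.compile(r"from\s+(\S+).*?\[([\d.]+)\].*?by\s+(\S+)", re.S)


def _unfold(value):
    """Collapse folded header lines (newline + whitespace) to one line."""
    return re.sub(r"\s+", " ", value or "").strip()


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def envelope_sender(msg):
    """Return-Path is the MAIL FROM address as recorded by the receiving MTA."""
    return parseaddr(_unfold(msg.get("Return-Path")))[1]


def header_from(msg):
    """(display name, addr-spec) from the From: header."""
    return parseaddr(_unfold(msg.get("From")))


def received_hops(msg):
    """Parse Received: headers into (from_host, ip, by_host), oldest hop first.

    MTAs prepend Received headers, so the last one is the first hop.  Only
    the hop written by your own server is trustworthy; earlier ones can be
    forged by whoever submitted the message.
    """
    hops = []
    for raw in msg.get_all("Received", []):
        m = RECEIVED_RE.search(_unfold(raw))
        if m:
            hops.append(m.groups())
    return list(reversed(hops))


def analyze(raw):
    msg = message_from_string(raw)
    env = envelope_sender(msg)
    display, addr = header_from(msg)
    # Addresses embedded in the display name whose domain differs from the
    # real addr-spec are the classic display-name spoof.
    decoys = [a for a in ADDR_RE.findall(display) if domain_of(a) != domain_of(addr)]
    hops = received_hops(msg)
    return {
        "envelope_sender": env,
        "header_from": addr,
        "envelope_mismatch": domain_of(env) != domain_of(addr),
        "display_name_decoys": decoys,
        "received_hops": hops,
        "origin_ip": hops[0][1] if hops else None,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_RAW, SAMPLE_SPOOFED_HEADER):
        print(analyze(sample))
```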
Clouds Rain Info
• Digital Cloud	

• clez.net	

• serversniff.net	

• centralops.net	

• whois.sc/[IP/Domain]	

• Arin.net’s REST documentation	

• magic-net.info	

• OldSchool Clouds - ANALOG
• DMV (Tell them you are looking up a lost title)	

• Intelius (Digital data about Analog targets)

• Call HR

(Remember you are targeting a physical object, not just a digital one)
LAB TIME
• Find as much information as you can on your company. How many emails can you harvest on them?
nmap
• What flags do you normally use?

• [Book Image Here]

• Do you even scan for UDP?

• You’d be surprised what odd things listen on 161 on the internet.

• Can you name all 1024 ‘ephemeral’ ports? How about just the top 100?

• NSE Scripts (know them, use them)
LAB TIME
• nmap [TARGET]	

• What do you see?	

• What ports are open?	

• What services are running?	

• What possible vulns are there?
Agenda
• Networking for Pentesters	

• Information Operations	

• Vuln Hunting
• Exploitation	

• Persistence	

• Pivoting
Vuln Hunting
#1 Question I get is:

‘How do you know a system is vulnerable?’

Honest truth is that every pentester uses experience and educated guesses. They call us ‘testers’ for a reason.
Vuln Hunting
• Web Applications	

• Network Services	

• People
Web App Vuln Hunting
• Use the check list...

• [Web Application Hackers Checklist]

• Brute Forcing is now a portion of Information Gathering. Use every scanner possible. None of them do a perfect job, though, so kick off a half dozen scanners then start doing your manual testing.

• Remember, people bookmark things

• [Demo Delicious Enum module]

• The wayback machine is a great source of URLs

• [Demo Wayback Enum module]
LAB TIME
• See if you can determine any possible lines of attack simply by browsing your target company’s web site.

• Is there an id=12?

• What about a funny looking cookie or HTTP header?

• How about a login form or registration page?

• Every Sci-Fi/Fantasy book I have ever read with a Wizard in it describes them as crotchety but highly, if not overly, observant
Network Services
• Running NeXpose, Nessus, or other vuln scanners during a pentest is for people who are under a time constraint. Skilled attackers will only do this if they aren’t worried about getting caught or blocked.

• nmap nse vuln checks, if you want to get caught...

• DON’T USE NMAP, do version checks and make an educated guess.

• IF YOU AREN’T 80% SURE YOUR EXPLOIT WILL WORK, DON’T THROW IT. YOU HAVE FAILED YOUR INTEL GATHERING PHASE

• Find out what information you have about the service. Determine the possible vulnerabilities, gather more information. Rinse, repeat.
LAB TIME
• Tell me if [TARGET IP] is vulnerable to anything. Yes, you can use prior knowledge. Vuln Hunting is all about experience.
People
• Think about where you work. Who is the ‘speaker phone’ for your section/business unit/office/department/company?

• Now how would you go about getting that particular person’s work number or email?

• This person would know it... How do I get their number? And so on...

• Do you send non-phishing emails in pentests?

• Why not?

• Do you make non-SE phone calls in pentests?

• Why not?
LAB TIME
• Call the CEO of your target company and
complain about their car hitting yours.	

JUST KIDDING!!!
Agenda
• Networking for Pentesters	

• Information Operations	

• Vuln Hunting	

• Exploitation
• Persistence	

• Pivoting
Exploitation
• Payload Selection	

• Targeting
Payloads
• Metasploit Payloads

• Singles - Fully functional, self-contained payloads. For example ‘add_user’

• Staged - Uses tiny ‘stager’ shellcode in the exploit that connects over the network to the attacker in order to download the rest of the payload’s functional code

• Shellcode from the net

• Put your big boy pants on, because it might be backdoored, trojaned or otherwise evil.
Payload selection
• Does your target have egress filtering?	

• Do they have Windows systems or Macs?	

• Do they have protocol inspection?	

• Do they have Java installed?
LAB TIME
• What payloads exist in the Metasploit
Framework?	


• Which payload are you going to use?	

• WHY!!!?
Targeting
• ‘show targets’ in Metasploit is an important step in the process

• if you’re at this point and you still aren’t sure, go gather more information.
Agenda
• Networking for Pentesters	

• Information Operations	

• Vuln Hunting	

• Exploitation	

• Persistence
• Pivoting
Persistence
• Know the System	

• Know the User
Agenda
• Networking for Pentesters	

• Information Operations	

• Vuln Hunting	

• Exploitation	

• Persistence	

• Pivoting
Pivoting
• Windows ‘Super Secret Ninja Hacker Tools’	

• (Ninjas suck, they use Windows)	

• net	

• at	

• dir	

• Meterpreter tools:	

• Metasploit Pro VPN pivoting (‘cause it’s PIMP!)	

• portfwd	

• Metasploit tools:	

• route	

• psexec
LAB TIME
• Pivot from our Metasploitable box to the other machine on the DMZ

• Then try to find a way into the intranet
that’s it.
GTFO	

100.100.100.101	

Feedback:	

notaconwizards@gmail.com

NotaCon 2011 - Networking for Pentesters

 

Mehr von Rob Fuller (8)

KiwiCon 2016 - Kicking Orion's Assets
KiwiCon 2016 - Kicking Orion's AssetsKiwiCon 2016 - Kicking Orion's Assets
KiwiCon 2016 - Kicking Orion's Assets
 
As The Phish Turns
As The Phish TurnsAs The Phish Turns
As The Phish Turns
 
RIT 2009 Intellectual Pwnership
RIT 2009 Intellectual PwnershipRIT 2009 Intellectual Pwnership
RIT 2009 Intellectual Pwnership
 
Metasploit magic the dark coners of the framework
Metasploit magic   the dark coners of the frameworkMetasploit magic   the dark coners of the framework
Metasploit magic the dark coners of the framework
 
Practical Exploitation - Webappy Style
Practical Exploitation - Webappy StylePractical Exploitation - Webappy Style
Practical Exploitation - Webappy Style
 
Intro to White Chapel
Intro to White ChapelIntro to White Chapel
Intro to White Chapel
 
Memory Forensics for Pentesters: Firefox
Memory Forensics for Pentesters: FirefoxMemory Forensics for Pentesters: Firefox
Memory Forensics for Pentesters: Firefox
 
From Couch To Career In 80 Hours
From Couch To Career In 80 HoursFrom Couch To Career In 80 Hours
From Couch To Career In 80 Hours
 

Kürzlich hochgeladen

Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...AliaaTarek5
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 

Kürzlich hochgeladen (20)

Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 

NotaCon 2011 - Networking for Pentesters

  • 2. JP’s Intro • BS IT, RIT 2005; MS Computer Security and Information Assurance, RIT 2008; CISSP; MCSE, CSSA. JP has six years experience in computer networking, system administration, and information security. During the day JP is responsible for Network and Security Management for a medium size global company based in the US. JP is also adjunct faculty at Rochester Institute of Technology where he teaches Networking and Security undergraduate classes. JP also performs pen testing and security audits for local companies in Rochester, NY. • You can find me on Twitter at http://www.twitter.com/ punkrokk and his blog: http://syncurity.net.
  • 3. meterpreter> getuid Rob Fuller – Security Consultant • Rob “mubix” Fuller joined Rapid7 in 2010 as a Security Consultant. Rob has 10 years of Information Security and IT experience. Prior to joining Rapid7 he worked at Applied Security as a Network Attack Operator, a Penetration Tester for the Pentagon, a Senior Incident Response Analyst for the Senate and multiple Information Security Positions in the United States Marine Corps. During his 8 years of service in the United States Marine Corps he was a team lead for the Marine Corps’ Computer Emergency Response Team (MARCERT) and became the first Security Test Engineer for the Marine Corps’ R&D section. He has extensive experience in full scope penetration testing, web application assessments,wireless security, incident response, and related development. Rob has spoken at the US Naval Academy, DojoCon, and RSS and holds a CEH, OSCP, and Security+.
  • 5. I want to be a wizard
  • 6. to become a wizard you must answer every question with another question.
  • 9. Agenda • Networking for Pentesters • Information Operations • Vuln Hunting • Exploitation • Persistence • Pivoting
  • 10. Questions • ANY AND ALL TIMES, THERE WILL BE NO Q&A AT THE END • but we will be open to questions after the class physically or digitally
  • 11. but first... • Select a target: • <insert company name here> • Everything we will be doing with these selected targets will be in the open source info gathering sense. No malicious traffic will be used against these targets as part of any lab or instructor-led exercise
  • 12. Agenda • Networking for Pentesters • Information Operations • Vuln Hunting • Exploitation • Persistence • Pivoting
  • 13. Networking for Pentesters • DNS • SMTP • SSH • HTTP • RDP
  • 14. DNS • Zones • The round trip ride. • Record Types (+200) • Wildcards • Caching / Cache poisoning • Zone Transfers (kicking it like it’s 1995) • Brute forcing records
  • 15. DNS Digging Deeper • Recursion • Authoritative Servers • Non-Authoritative Servers • DNS TTL • (only matters on target DNS server)
  • 16. Non-’A’ Records • SOA Records • NS Records • PTR Records • MX Records • SRV Records • TXT Records
  • 17. Zone Transfer Commands • dig • dig -t AXFR domain.com @ns2.domain.com +short • host -l • nslookup • ls -d • dnscmd (a part of the support tools) • dnscmd /EnumZones • dnscmd /ZonePrint (newer versions of binary) • dnscmd /EnumRecords domain.com @ (older versions)
  • 18. DNS Brute Force Tools • DNSEnum • Metasploit Module • Yeti • Fierce • Google • Bing • FOCA
  • 19. LAB TIME • Zone transfers.... • Brute force CompanyX’s records
  • 20. SMTP • Clear-text protocol • How email has been working since 1982 • VERBS • Display Names • Unforgiving nature (used by machines)
  • 21. SMTP Verbs • MAIL FROM: • RCPT TO: • VRFY • HELO/EHLO • DATA • From: • To: • Cc: • Date: • Subject: • (body) • . • QUIT
  • 22. Telnet Email FTW
    S: 220 smtp.example.com ESMTP Postfix
    C: HELO relay.example.org
    S: 250 Hello relay.example.org, I am glad to meet you
    C: MAIL FROM:<bob@example.org>
    S: 250 Ok
    C: RCPT TO:<alice@example.com>
    S: 250 Ok
    C: RCPT TO:<theboss@example.com>
    S: 250 Ok
  • 23. Telnet Email FTW (contd)
    C: DATA
    S: 354 End data with <CR><LF>.<CR><LF>
    C: From: "Bob Example" <bob@example.org>
    C: To: "Alice Example" <alice@example.com>
    C: Cc: theboss@example.com
    C: Date: Tue, 15 Jan 2008 16:02:43 -0500
    C: Subject: Test message
    C:
    C: Hello Alice.
    C: This is a test message with 5 header fields and 4 lines in the message body.
    C: Your friend,
    C: Bob
    C: .
    S: 250 Ok: queued as 12345
    C: QUIT
    S: 221 Bye
  • 24. LAB TIME 1. Send a spoofed email to your buddy 2. Try to send an email with a link 3. Try to send an email with a spoofed display name
  • 25. SSH • Tunneling traffic with PuTTY • Tunneling traffic with OpenSSH • Master-mode (Man-On-Your-Back) MOYB • No shell tunneling • MITM
  • 27. OpenSSH Tunneling • Local, Dynamic, and Remote
    ssh -L host:port:host:port
    ssh -D host:port
    ssh -R host:port:host:port
  • 28. Examples
    ssh -f -N punkrokk@myhomeserver.com -L 2000:myhomeserver.com:25
    (localport:host:remote-port) forwards local port 2000 to home port 25 -- Why is this interesting?
    (-N is needed together with -f when no remote command is given, otherwise ssh refuses to background itself)
    ssh -f -L 3000:talk.google.com:5522 myhomesshserver.net -N
  • 29. SSH MOYB • Enable ‘Master Mode’ in config
    Host *
        ControlMaster auto
        ControlPath /tmp/%r@%h:%p
    • Wait for someone to connect somewhere...
  • 31. LAB TIME • Tunnel (MySQL) port 3306 through a nologin account on Metasploitable to the Windows 2k8 box
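An audit of the client config shown on the Master Mode slide (ControlMaster with its socket under /tmp), added here as an example that is not from the slides: the minimal ssh_config parser is written for this example, the sample config is constructed, and the checks follow the ssh_config(5) guidance that control sockets belong in a directory other users cannot write to and should be named with %C rather than a readable user@host:port.

```python
"""Flag ControlMaster setups whose control socket sits in a shared
directory or carries user/host/port in its file name."""
import posixpath

# Constructed sample: a tighter per-host block followed by the slide's
# catch-all block (not a real config).
SAMPLE_CONFIG = """
Host bastion.example.net
    ControlMaster auto
    ControlPath ~/.ssh/cm-%C
    ControlPersist 10m

Host *
    ControlMaster auto
    ControlPath /tmp/%r@%h:%p
"""

SHARED_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
MASTER_ON = ("yes", "auto", "autoask", "ask")


def parse_ssh_config(text):
    """Return [(host_patterns, {option: value}), ...] in file order.

    Simplified ssh_config reader: comments stripped, 'Key value' and
    'Key=value' accepted, option names lower-cased, first value per
    block kept (ssh ignores later repeats of an option).
    """
    blocks = []
    patterns, options = ["*"], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        if "=" in key:
            key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "host":
            if options:
                blocks.append((patterns, options))
            patterns, options = value.split(), {}
        else:
            options.setdefault(key, value)
    if options:
        blocks.append((patterns, options))
    return blocks


def audit_control_sockets(text):
    """One finding string per problem in every block that enables
    ControlMaster: socket in a shared directory, or socket name without
    %C (so ls on that directory reveals who is connected where)."""
    findings = []
    for patterns, opts in parse_ssh_config(text):
        if opts.get("controlmaster", "no").lower() not in MASTER_ON:
            continue
        path = opts.get("controlpath", "")
        host = " ".join(patterns)
        if any(path.startswith(d + "/") for d in SHARED_DIRS):
            findings.append(
                f"{host}: control socket in shared dir {posixpath.dirname(path)}")
        if "%C" not in path:
            findings.append(
                f"{host}: socket name {path} exposes user/host/port; use %C")
    return findings


if __name__ == "__main__":
    for finding in audit_control_sockets(SAMPLE_CONFIG):
        print(finding)
```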
  • 32. HTTP • VERBS • Headers • Response Codes • 1.0 vs 1.1 • DoS Attacks (Slowloris, Strawman) • Ajax, Flash, SOAP, Django, SSL, • also known as: let’s pile more state on a stateless protocol!
  • 33. How’s your HTTP Vocabulary? • GET • POST • HEAD • PUT • DELETE • OPTIONS • PROPFIND • DEBUG • TRACE • CONNECT • PROPPATCH • MKCOL • COPY • MOVE • LOCK • UNLOCK • VERSION-CONTROL • REPORT • CHECKOUT • CHECKIN • UNCHECKOUT • MKWORKSPACE • UPDATE • LABEL • MERGE • BASELINE-CONTROL • MKACTIVITY • ORDERPATCH • ACL • PATCH • SEARCH
  • 34. HTTP Response Codes • 100s • You need to wait for some stuff • 200s • Stuff is there • 300s • Stuff Moved • 400s • Stuff isn’t there or you aren’t allowed to see it • 500s • Stuff went wrong
  • 35. 1.0 vs 1.1 • OPTIONS verb • 100 - Continue response code (not cool) • Compression • Persistent Connections (very cool) • Requires the ‘Host:’ header (not cool) • Supports these crazy things called ‘cookies’
  • 36. WebDAV Trick • Name a file mysecretwebshell.aspx;.txt • IIS will reference it as an ASPX page • WebDAV thinks it’s just a text file
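The slide describes two components reading one file name differently; the model below and the hardened upload-name check are an added example, not code from the slides. The IIS-side rule (everything after the first ';' ignored when picking a handler) is an assumption taken from the slide's description, not verified here against any IIS version.

```python
"""Parser differential behind the 'shell.aspx;.txt' trick, and a name
check that judges a file the way every component in the path will."""
import posixpath

SCRIPT_EXTENSIONS = {".asp", ".aspx", ".ashx", ".asmx"}


def webdav_extension(name):
    """WebDAV, like most upload filters, goes by the last suffix."""
    return posixpath.splitext(name)[1].lower()


def iis_effective_name(name):
    """Assumed behaviour from the slide: IIS chooses its handler from the
    part before the first ';', so 'shell.aspx;.txt' is served as shell.aspx."""
    return name.split(";", 1)[0]


def handlers_disagree(name):
    """True when the upload filter and the script engine see different types."""
    return webdav_extension(name) != webdav_extension(iis_effective_name(name))


def reject_reason(name, allowed=frozenset({".txt", ".jpg", ".png"})):
    """Hardened check: the reason an upload name is rejected, or None.

    Rejects delimiter characters outright and requires every dotted
    suffix, not just the last, to be harmless, so no downstream parser
    can find a script extension the filter did not see.
    """
    if not name or name != posixpath.basename(name) or name.startswith("."):
        return "path separators or hidden names not allowed"
    if any(ch in name for ch in ";\x00%"):
        return "delimiter characters not allowed in file names"
    suffixes = ["." + part.lower() for part in name.split(".")[1:]]
    if any(s in SCRIPT_EXTENSIONS for s in suffixes):
        return "script extension present"
    if not suffixes or suffixes[-1] not in allowed:
        return "extension not in allow list"
    return None


if __name__ == "__main__":
    for candidate in ("mysecretwebshell.aspx;.txt", "report.aspx.txt", "report.txt"):
        print(candidate, "disagree:", handlers_disagree(candidate),
              "rejected:", reject_reason(candidate))
```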
  • 37. LAB TIME • Go to your company’s website • What server type is it? • Apache, Webrick, IIS, pySockets, etc... • What server side code does it run? • ASP{X}, Python, Ruby on Rails, PHP, etc.. • Do you think it has a DB backend? Why?
  • 38. RDP • RDP Bruteforcing • TSGrinder (old school) • ncrack (new school) • RDP MITM • Cain and Abel still rules • RDP Hashdump • Cain and Abel
  • 39. NO LAB • Difficult to duplicate much less set up for a lab such as this, but definitely take everything you’ve learned here home and try it out
  • 40. Agenda • Networking for Pentesters • Information Operations • Vuln Hunting • Exploitation • Persistence • Pivoting
  • 41. Information Operations • Social Networking Rocks • Metadata • Clouds Rain Info • Nmap (some tricks to using it)
  • 42. Social Networking Rocks • Twitter.com • This is the ONLY service that emails you that someone wants to add you even if they just import your contact info. • Twitterpeeps.com [Fix link] • Facebook.com • “Everything should be public” -- Zuckerberg • LinkedIn.com • Their API is much more open than their site. Think evil. • You probably know all these but they can be horribly twisted
  • 43. LAB TIME • Start to fill out data on your company, use social networks to find as much information about the target as possible.
  • 44. Metadata • Documents • Usernames • IP addresses • Hostnames • Domains • Images • Usernames • Locations • Email Headers (Have you ever looked at them?) • FOCA Free/Pro (King of Metadata) • EVERYTHING ;-)
  • 45. LAB TIME • Open your SPAM folder, and open the email’s header information. • What can you tell about the sender? • What can you tell about the organization/ infrastructure supporting the sender?
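The checks the SMTP slides (display names, spoofed From) and this spam-folder lab ask for, written out as an added example that is not part of the slides: the message is constructed, and treating a Return-Path/From mismatch as suspicious only alongside a spoofed display name is this example's heuristic, not a rule from the talk.

```python
"""Trace a message back to the host that injected it and spot a display
name that impersonates the target domain."""
import email
import re
from email.utils import parseaddr

# Constructed sample: display name is a bare address in the target's
# domain, the real sender is elsewhere, and the first hop has a
# consumer-ISP style reverse DNS.
SAMPLE = """Return-Path: <bounce@mailer.example.net>
Received: from mx1.example.com (mx1.example.com [192.0.2.10])
\tby mail.example.com with ESMTP id 12345 for <alice@example.com>;
\tTue, 15 Jan 2008 16:02:50 -0500
Received: from relay.example.org (pool-203-0-113-7.isp.example [203.0.113.7])
\tby mx1.example.com with ESMTP id 12344;
\tTue, 15 Jan 2008 16:02:45 -0500
From: "theboss@example.com" <bob@example.org>
To: "Alice Example" <alice@example.com>
Subject: Test message
Date: Tue, 15 Jan 2008 16:02:43 -0500

Hello Alice.
"""

# "from <HELO name> (<reverse DNS> [<ip>])" as most MTAs write it
RECEIVED_FROM = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)", re.IGNORECASE)


def originating_hop(msg):
    """(helo_name, rdns_and_ip) for the hop that injected the message.

    Each relay prepends its own Received: line, so the last one in the
    header block is the first hop. The HELO name is whatever the client
    claimed; only the part in parentheses was written by the receiving MTA.
    """
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = RECEIVED_FROM.search(received[-1])
    return (match.group(1), match.group(2)) if match else None


def display_name_spoof(from_header, trusted_domain):
    """Reason string if the display name impersonates trusted_domain while
    the real address lives elsewhere, else None."""
    name, addr = parseaddr(from_header)
    addr_domain = addr.rpartition("@")[2].lower()
    if addr_domain == trusted_domain.lower():
        return None
    if trusted_domain.lower() in name.lower():
        return f"display name mentions {trusted_domain}, real sender is {addr}"
    if "@" in name:
        return f"display name looks like an address, real sender is {addr}"
    return None


def analyze(raw, trusted_domain):
    """Run the header checks against one raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    _, header_from = parseaddr(msg.get("From", ""))
    return {
        "origin": originating_hop(msg),
        "display_name_spoof": display_name_spoof(msg.get("From", ""), trusted_domain),
        # Return-Path is the SMTP MAIL FROM; it legitimately differs from
        # From: for list mail, so weigh it together with the spoof finding.
        "envelope_mismatch": return_path.lower() != header_from.lower(),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE, "example.com").items():
        print(f"{key}: {value}")
```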
  • 46. Clouds Rain Info • Digital Cloud • clez.net • serversniff.net • centralops.net • whois.sc/[IP/Domain] • Arin.net’s REST documentation • magic-net.info • OldSchool Clouds - ANALOG • DMV (Tell them you are looking up a lost title) • Intelius (Digital data about Analog targets) • Call HR (Remember you are targeting a physical object, not just a digital one)
  • 47. LAB TIME • Find as much information as you can on your company. How many emails can you harvest on them?
  • 48. nmap • What flags do you normally use? • [Book Image Here] • Do you even scan for UDP? • You’d be surprised what odd things listen on 161 on the internet. • Can you name all 1024 ‘ephemeral’ ports? How about just the top 100? • NSE Scripts (know them, use them)
  • 49. LAB TIME • nmap [TARGET] • What do you see? • What ports are open? • What services are running? • What possible vulns are there?
  • 50. Agenda • Networking for Pentesters • Information Operations • Vuln Hunting • Exploitation • Persistence • Pivoting
  • 51. Vuln Hunting • #1 Question I get is: ‘How do you know a system is vulnerable?’ • Honest truth is that every pentester uses experience and educated guesses. They call us ‘testers’ for a reason.
  • 52. Vuln Hunting • Web Applications • Network Services • People
  • 53. Web App Vuln Hunting • Use the check list... • [Web Application Hackers Checklist] • Brute Forcing is now a portion of Information Gathering. Use every scanner possible. None of them do a perfect job, though, so kick off a half dozen scanners then start doing your manual testing. • Remember, people bookmark things • [Demo Delicious Enum module] • The wayback machine is a great source of URLs • [Demo Wayback Enum module]
  • 54. LAB TIME • See if you can determine any possible lines of attack simply by browsing your target company’s web site. • Is there an id=12? • What about a funny looking cookie or HTTP header? • How about a login form or registration page? • Every Sci-Fi/Fantasy book I have ever read with a Wizard in it describes them as crotchety but highly, if not overly, observant
  • 55. Network Services • Running NeXpose, Nessus, or other vuln scanners during a pentest is for people who are under a time constraint. Skilled attackers will only do this if they aren’t worried about getting caught or blocked. • nmap nse vuln checks, if you want to get caught... • DON’T USE NMAP, do version checks and make an educated guess. • IF YOU AREN’T 80% SURE YOUR EXPLOIT WILL WORK, DON’T THROW IT. YOU HAVE FAILED YOUR INTEL GATHERING PHASE • Find out what information you have about the service. Determine the possible vulnerabilities, gather more information. Rinse, Repeat.
  • 56. LAB TIME • Tell me if [TARGET IP] is vulnerable to anything. Yes, you can use prior knowledge. Vuln Hunting is all about experience.
  • 57. People • Think about where you work. Who is the ‘speaker phone’ for your section/business unit/office/department/company. • Now how would you go about getting that particular person’s work number or email? • This person would know it... How do I get their number? And so on... • Do you send non-phishing emails in pentests? • Why not? • Do you make non-SE phone calls in pentests? • Why not?
  • 58. LAB TIME • Call the CEO of your target company and complain about their car hitting yours. JUST KIDDING!!!
  • 59. Agenda • Networking for Pentesters • Information Operations • Vuln Hunting • Exploitation • Persistence • Pivoting
  • 61. Payloads • Metasploit Payloads • Singles - Fully functional, self contained payloads. For example ‘add_user’ • Staged - Uses tiny ‘stager’ shellcode in the exploit that connects over the network to the attacker in order to download the rest of the payload’s functional code • Shellcode from the net • Put your big boy pants on, because it might be backdoored, trojaned or otherwise evil.
  • 62. Payload selection • Does your target have egress filtering? • Do they have Windows systems or Macs? • Do they have protocol inspection? • Do they have Java installed?
  • 63. LAB TIME • What payloads exist in the Metasploit Framework? • Which payload are you going to use? • WHY!!!?
  • 64. Targeting • ‘show targets’ in Metasploit is an important step in the process • if you’re at this point and you still aren’t sure, go gather more information.
  • 65. Agenda • Networking for Pentesters • Information Operations • Vuln Hunting • Exploitation • Persistence • Pivoting
  • 66. Persistence • Know the System • Know the User
  • 67. Agenda • Networking for Pentesters • Information Operations • Vuln Hunting • Exploitation • Persistence • Pivoting
  • 68. Pivoting • Windows ‘Super Secret Ninja Hacker Tools’ • (Ninjas suck, they use Windows) • net • at • dir • Meterpreter tools: • Metasploit Pro VPN pivoting (‘cause it’s PIMP!) • portfwd • Metasploit tools: • route • psexec
  • 69. LAB TIME • Pivot from our Metasploitable box to the other machine on the DMZ • Then try to find a way into the intranet