2. Are we (the business) in the Wall Street Journal?
No? Then we aren't under attack.
3. Agenda
● What you do
● What I do
● What is "practical" exploitation?
● Demos
4. We aren't going to talk about
● Stuff I assume you know
○ SQLI
○ Running your Database as root
○ RFI/LFI
○ etc
○ etc
○ OWASP TOP 10
● Stuff you should know
○ Your {SECURITY BLINKY LIGHTS} won't save you....
5. What do you do?
● This is where I ask you awkward questions about what you do for a living
6. What I do
● Senior Red Teamer
● Big Co
● Break into mainframes, bank accounts, SCADA systems, Windows, Linux, wireless, physical, web apps, UPSs, etc.
● Part of a team of highly skilled peeps
Primarily I'm a sorter of useful info
7. What is practical exploitation?
● The application of techniques, tactics, and procedures to accomplish objectives and sub-objectives within a targeted engagement
Also known as: "if it doesn't get me more, it's stupid"
8. What falls in the "Stupid" category
● SSLv2 Enabled
● Traceroute Enabled
● DNS Cache Poisoning
● MD5 "collisions"
Oh yeah, and every single public IE, Firefox, Chrome or Windows exploit. Why? Because their patch cycles are too fast for attackers.
12. Demo 2 - Windows
Rails vulnerability -> Cred Steal - Mimikatz
You use a web framework that protects you and you have really long passwords?
13. How do I fix that?
● Monitor security community events, and disable YAML and XML parameter parsing unless you actually need them.
● Microsoft has left you out to dry on Mimikatz: their position is that if you have Administrator access then it's game over. Mimikatz reads credentials out of LSASS memory, which takes administrator-level privilege on the box.
● Don't run your web server as SYSTEM or Administrator, and keep UAC enabled on your DMZ hosts.
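What "disable YAML parsing" actually buys you, as an added example that is not code from the talk or from Rails: a toy parser table of the kind a web framework keeps per content type, first with YAML wired to the full loader (the pre-fix state, where the request body names the Ruby class to instantiate), then with the YAML entry removed, plus YAML.safe_load for the case where YAML input is genuinely required. The ParamsParser class, the AuditNote class and the request body are constructed for illustration; in Rails 3 of that era the equivalent change was removing the XML/YAML entries from ActionDispatch::ParamsParser::DEFAULT_PARSERS in an initializer.

```ruby
require "json"
require "yaml"

# Toy stand-in for a web framework's request-body parser table (one parser per
# content type). Constructed for this example; it is not Rails code.
class ParamsParser
  def initialize(parsers)
    @parsers = parsers
  end

  # Content types with no registered parser are left alone: the body never
  # reaches a deserializer, which is exactly what "disable YAML parsing" buys you.
  def parse(content_type, body)
    parser = @parsers[content_type]
    parser ? parser.call(body) : nil
  end
end

# Psych >= 4 made YAML.load safe and moved the old behaviour to YAML.unsafe_load;
# earlier versions only have the (unsafe) YAML.load. Pick whichever is unsafe so
# the vulnerable path behaves the same on any Ruby.
def yaml_unsafe_load(text)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(text) : YAML.load(text)
end

# Pre-fix: YAML bodies go to the full loader, which instantiates whatever class
# the document's tag names. The attacker chooses the class, not the application.
VULNERABLE_PARSERS = {
  "application/json" => ->(body) { JSON.parse(body) },
  "text/yaml"        => ->(body) { yaml_unsafe_load(body) },
}.freeze

# Post-fix: the YAML entry is gone. Unknown content types are not parsed at all.
HARDENED_PARSERS = {
  "application/json" => ->(body) { JSON.parse(body) },
}.freeze

# Harmless class to make the point visible. A real attack names a gadget class
# whose construction or later method calls run attacker-controlled code.
class AuditNote
  attr_accessor :text
end

# Constructed request body (not a captured payload): a YAML object tag pointing
# at a class the application never intended to build from user input.
ATTACKER_BODY = "--- !ruby/object:AuditNote\ntext: injected\n".freeze

def demo_vulnerable
  ParamsParser.new(VULNERABLE_PARSERS).parse("text/yaml", ATTACKER_BODY)
end

def demo_hardened
  ParamsParser.new(HARDENED_PARSERS).parse("text/yaml", ATTACKER_BODY)
end

# If YAML input is genuinely required, safe_load refuses object tags instead of
# obeying them; only plain scalars, arrays and hashes come back.
def demo_safe_load
  YAML.safe_load(ATTACKER_BODY)
  :loaded
rescue Psych::DisallowedClass
  :rejected
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{demo_vulnerable.class}"   # AuditNote, built from user input
  puts "hardened:   #{demo_hardened.inspect}"   # nil, body never parsed
  puts "safe_load:  #{demo_safe_load}"          # :rejected
end
```

The hardened table still parses JSON normally; only the content type nobody asked for stops being deserialized. Removing the parser is the stronger fix because it also covers gadget classes you have not thought of, whereas safe_load only helps where you control every call site.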
14. Demo 3 - Windows Pivot to Linux
WinRM on IIS -> DistCC
What the..........
15. How do I fix that?
● Don't enable WinRM on DMZ hosts! Stupid.
● Firewall DistCC (TCP 3632) off to only the hosts that actually need it, and set distccd's own --allow list as well.