SlideShare uma empresa Scribd logo

The hangover: A "modern" (?) high performance approach to build an offensive computing tool!

Nelson Brito
Nelson Brito

T50 (an Experimental Mixed Packet Injector) very first public tak about the version 2.5 (The Murder Version). Check the original demonstration videos: - https://www.youtube.com/playlist?list=PLda9TmFadx_m2qdd-euUf4zhQ-5juTVEx For further source codes, please, refer to: - http://t50.sourceforge.net/

Tecnologia
1 de 49
The Hangover A “modern” (?) high performance approach to build an offensive computing tool! Nelson Brito nbrito[at]sekure[dot]org
Agenda • 0000 – Introduction • 0101 – Results • 0001 – Motivation • 0110 – Demonstration • 0010 – “Hello World” Examples • 0111 – Conclusions • 0011 – Lessons Learned • 1000 – Questions and Answers • 0100 – Comparison
0000 – Introduction
Denial-of-Service
0001 – Motivation
Goals • Firstly, the primary goal of this research was to build a “PERFECT” tool to use in my daily tasks. • Secondly, provide me enough knowledge and perspective of how network devices and computer systems behave under this type of attack. • Thirdly, prove that DoS was and still is a BIG ISSUE to whole Internet infrastructure. • Lastly, but not least: – “The best is yet to come!” • http://fnstenv.blogspot.com/2010/08/best-is-yet-to-come.html – “A fake version of T50!!!” • http://fnstenv.blogspot.com/2010/10/fake-version-of-t50.html
Why Denial-of-Service? • Is there anything more offensive than a • But, what are the real damages? What DoS, anyways? are the real motivations? Image? – Bear in mind: DoS means “Stress Revenge? Financial? Political? Hactivism? Testing” for this presentation. • DoS attacks are significantly harmful, • DoS tools are necessary weapons in a because they violate one of the three key cyber warfare… concepts of security that are common to risk management… Which one? • Attacks against the infrastructure are – Confidentiality more common than many people might – Integrity think, and, when they happen, people – Availability will certainly be aware of. All the codes in this presentation were written in C language and tested on real machines, rather than virtual machines.
0010 – “Hello World” Examples
“Hello World” Example 01 main() loop() Signal() while() kill() malloc() memset() memcpy() Signal() alarm()
“Hello World” Example 02 main() loop() Signal() while() kill() memset() memcpy() Signal() alarm()
“Hello World” Example 03 main() loop() Signal() while() kill() memcpy() Signal() alarm()
“Hello World” Example 04 main() loop() while() malloc() loop() memset() memcpy()
“Hello World” Example 05 main() loop() while() memset() loop() memcpy()
“Hello World” Example 06 main() loop() while() memcpy() loop()
“Hello World” Examples Applied Dell Latitude E6400 Dell Inspiron 910
0011 – Lessons Learned Also known as “Tips and Tricks”
What is the “high-performance” definition? English Language Computer Science • Adj. • A code and/or program that solves any – 1. Modified to give superior problem faster and more efficiently than performance: ordinary codes / programs. • “a high-performance car” superior – of high or superior • A code and/or program which use all – quality or performance; or as much as possible – computer’s • “superior wisdom derived from resources available. experience”; • “superior math students”.
SOCKET(2) • T50 Sukhoi PAK FA is capable to: – Send protocol packets: ICMP, IGMP, TCP and UDP. • NO BIG DEAL, right? – Send ALL of them “ALMOST” on the same time – protocol “T50”! • BIG DEAL! 8) • How many sockets should the code use to send ALL of them “ALMOST” on the same time? – 1 socket file descriptor – 2 socket file descriptors – 4 socket file descriptors – 8 socket file descriptors – 16 socket file descriptors – 32 socket file descriptors – 64 socket file descriptors – NONE • “Just one socket file descriptor? Really?”
SOCKET(2) & SETSOCKOPT(2) socket_t fd; int flags, n = 1, len, * nptr = &n; fd_set wfds; [...] if((fd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1) exit(EXIT_FAILURE); if(setsockopt(fd, IPPROTO_IP, IP_HDRINCL, nptr, sizeof(n)) < 0) exit(EXIT_FAILURE); [...]
GETSOCKOPT(2) & SETSOCKOPT(2) socket_t fd; int flags, n = 1, len, * nptr = &n; fd_set wfds; [...] len = sizeof(n); if(getsockopt(fd, SOL_SOCKET, SO_SNDBUF, &n, &len) == -1) exit(EXIT_FAILURE); for(n += 128 ; n < 1048576 ; n += 128){ if(setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &n, len) == -1){ if(errno == ENOBUFS) break; exit(EXIT_FAILURE); } } [...]
FCNTL(2) socket_t fd; int flags, n = 1, len, * nptr = &n; fd_set wfds; [...] flags = fcntl(fd, F_GETFL, 0); if(fcntl(fd, F_SETFL, flags|O_NONBLOCK) == -1) exit(EXIT_FAILURE); [...]
IOCTL(2) socket_t fd; int flags, n = 1, len, * nptr = &n; fd_set wfds; [...] if(ioctl(fd, FIONBIO, &n) == -1) exit(EXIT_FAILURE); [...]
SIGNAL(2) & SENDTO(2) • “Signals are used to notify a process or thread of a particular event. Many computer science researchers compare signals with hardware interrupts, which occur when a hardware subsystem, such as a disk I/O (input/output) interface, generates an interrupt to a processor when the I/O completes.” – Linux Journal (Issue 73, May 2000) – By Moshe Bar • “Signals also have been used to communicate and synchronize processes and to simplify interprocess communications (IPCs). Although we now have advanced synchronization tools and many IPC mechanisms, signals play a vital role in Linux for handling exceptions and interrupts. Signals have been used for approximately 30 years without any major modifications.” – Linux Journal (Issue 107, March 2003) – By B. Thangaraju
SIGNAL(2) & SENDTO(2) [...] signal(SIGPIPE, SIG_IGN); [...] redo: if(sendto(fd, &p, p_sz, 0|MSG_NOSIGNAL, &sin, sizeof(sin)) == -1){ if(errno == EPERM) goto redo; else exit(EXIT_FAILURE); } [...]
SELECT(2) socket_t fd; int flags, n = 1, len, * nptr = &n; fd_set wfds; [...] while(flood || threshold--){ FD_ZERO(&wfds); FD_SET(fd, &wfds); if(select(fd + 1, NULL, &wfds, NULL, NULL) == -1) exit(EXIT_FAILURE); if(FD_ISSET(fd, &wfds)){ [...]
PSELECT(2) socket_t fd; int flags, n = 1, len, * nptr = &n; fd_set wfds; [...] while(flood || threshold--){ FD_ZERO(&wfds); FD_SET(fd, &wfds); if(pselect(fd + 1, NULL, &wfds, NULL, NULL, NULL) == -1) exit(EXIT_FAILURE); if(FD_ISSET(fd, &wfds)){ [...]
SLEEP(3) • Should the code “sleep()”? – Yes – No • Should the code “usleep()”? – Yes – No • Should the code “nanosleep()”? – Yes – No • The code must never SLEEP(3), USLEEP(3) or NANOSLEEP(3).
RAND(3) • “short” (16-bit) – Which one is faster creating random? • ((rand()&0xffff)<<8)+(rand()&0xffff) •1+(short)(65535.0*rand()/(RAND_MAX+1.0)) • “int” (32-bit) – Which one is faster creating random? • ((rand()&0xffffffff)<<16)+(rand()&0xffffffff) •1+(int)(4294967295.0*rand()/(RAND_MAX+1.0))
RAND(3) Dell Latitude E6400 Dell Inspiron 910
What else? • Choose using local variables rather than global variables. • Choose using “__inline__” in header file (*.h) and “inline” in source code (*.c), enabling GCC switch options: – “-finline-functions” (-O3) – “-fkeep-inline-functions” • Choose using “void” if you do not have to check the “return()” of some “function()”. • Should the code use “unsigned” or “signed”? • Should the code use “fork()” or “pthread_*()”? • Etc... And by “etc…” I mean… • Ohh… I almost forgot!!! Make the code RFC 1918 Compliance.
0100 – Comparison
com.par.i.son English Language C Language (Operators) • n. • To test for equality is “==”. 1. • To test for inequality is “!=”. a.The act of comparing or the • Other operators: process of being compared. – “<” (less than) b. A statement or estimate of – “>” (greater than) similarities and differences. – “<=” (less than or equals) 2. The quality of being similar or – “>=” (greater than or equals) equivalent; likeness: no comparison between the two books. 3. …
com.par.i.son TCP Flood UDP Flood • C4 by live • Geminid by live • Geminid by live • B52 by Nelson Brito • Mausezahn by Herbert Haas • Mausezahn by Herbert Haas • F22 by Nelson Brito • [L]OTUS by labsec team • HPING3 by Salvatore Sanfilippo* • HPING3 by Salvatore Sanfilippo* ICMP Flood IGMP • Geminid by live • STRESSER-0.7 by Shen139? • Mausezahn by Herbert Haas – Please, don’t be silly!!! • HPING3 by Salvatore Sanfilippo*
Methodology
Why do I keep saying “ALMOST”?
0101 – Results
Minimum Frame Size (MFS) • The maximum packet size is 1518 bytes, although to allow the Q-tag for Virtual LAN and priority data in 802.3ac it is extended to 1522 bytes. • If the upper layer protocol submits a protocol data unit (PDU) less than 64 bytes, 802.3 will pad the data field to achieve the minimum 64 bytes. • The Minimum Frame Size will then always be of 64 bytes, but… – The Minimum Frame Size is related to the distance which the network spans, the type of media being used and the number of repeaters which the signal may have to pass through to reach the furthest part of the LAN.
Maximum Packets per Second (PPS) – 64 bytes 100BASE-TX 1000BASE-T • 100 Mbps • 1 Gbps • 100,000,000 bits/sec • 1,000,000,000 bits/sec • 12,500,000 bytes/sec • 125,000,000 bytes/sec • 195,312.50 pps • 1,953,125.00 pps
Maximum Packets per Second (PPS) – 88 bytes 100BASE-TX 1000BASE-T • 100 Mbps • 1 Gbps • 100,000,000 bits/sec • 1,000,000,000 bits/sec • 12,500,000 bytes/sec • 125,000,000 bytes/sec • 142,045.50 pps • 1,420,455.00 pps
TCP Flood 100BASE-TX 1000BASE-T
UDP Flood 100BASE-TX 1000BASE-T
ICMP Flood 100BASE-TX 1000BASE-T
0110 – Demonstration
T50 Sukhoi PAK FA Mixed Packet Injector Tool Dell Latitude E6400 Dell Latitude D620 • Intel® Core™ 2 Duo P8400 (2.26 GHz) • Intel® Core™ Duo T5600 (1.83 GHz) • Memory 4GB RAM • Memory 2GB RAM • Ubuntu Desktop Linux 10.04 64-bit • Microsoft Windows 7 32-bit • Intel® 82567LM Gigabit Controller • Broadcom NetXtreme 57xx Gigabit • 1 Gbps Network Controller • Cross-over Cable (CAT-5e) • 1 Gbps Network • Cross-over Cable (CAT-5e) http://j.mp/T50-Demo Demonstration!
0111 – Conclusions
Conclusions • Can be applied to any DoS: • Can be considered a cyber warfare’s – Peer-to-Peer Attacks weapon? – Application Level Attacks – Yes, it can be considered like one. – Distributed Attacks – Reflected Attacks • It is just a matter of time to things get – Level-2 Attacks worse on the Internet. – Degradation-of-Service Attacks – DNS Amplifiers Attacks • A DoS can be perpetrated overnight! • Is DoS and DDoS so 1990’s? • What else? – Please, don’t be silly, again!!! An attacker does not even need multiples zombies.
1000 – Questions & Answers
Any questions?
The hangover: A "modern" (?) high performance approach to build an offensive computing tool!

Recomendados

Protocol T50: Five months later... So what?
Protocol T50: Five months later... So what?Protocol T50: Five months later... So what?
Protocol T50: Five months later... So what?Nelson Brito
 
[PH-Neutral 0x7db] Exploit Next Generation®
[PH-Neutral 0x7db] Exploit Next Generation®[PH-Neutral 0x7db] Exploit Next Generation®
[PH-Neutral 0x7db] Exploit Next Generation®Nelson Brito
 
Offensive cyber security: Smashing the stack with Python
Offensive cyber security: Smashing the stack with PythonOffensive cyber security: Smashing the stack with Python
Offensive cyber security: Smashing the stack with PythonMalachi Jones
 
A client-side vulnerability under the microscope!
A client-side vulnerability under the microscope!A client-side vulnerability under the microscope!
A client-side vulnerability under the microscope!Nelson Brito
 
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...Asuka Nakajima
 
HITBSecConf 2016-Create Your Own Bad Usb
HITBSecConf 2016-Create Your Own Bad UsbHITBSecConf 2016-Create Your Own Bad Usb
HITBSecConf 2016-Create Your Own Bad UsbSeunghun han
 
HITBSecConf 2017-Shadow-Box-the Practical and Omnipotent Sandbox
HITBSecConf 2017-Shadow-Box-the Practical and Omnipotent SandboxHITBSecConf 2017-Shadow-Box-the Practical and Omnipotent Sandbox
HITBSecConf 2017-Shadow-Box-the Practical and Omnipotent SandboxSeunghun han
 
BlackHat Asia 2017-Myth and Truth about Hypervisor-Based Kernel Protector
BlackHat Asia 2017-Myth and Truth about Hypervisor-Based Kernel ProtectorBlackHat Asia 2017-Myth and Truth about Hypervisor-Based Kernel Protector
BlackHat Asia 2017-Myth and Truth about Hypervisor-Based Kernel ProtectorSeunghun han
 

Recomendados

Protocol T50: Five months later... So what?
Protocol T50: Five months later... So what?Protocol T50: Five months later... So what?
Protocol T50: Five months later... So what?Nelson Brito
 
[PH-Neutral 0x7db] Exploit Next Generation®
[PH-Neutral 0x7db] Exploit Next Generation®[PH-Neutral 0x7db] Exploit Next Generation®
[PH-Neutral 0x7db] Exploit Next Generation®Nelson Brito
 
Offensive cyber security: Smashing the stack with Python
Offensive cyber security: Smashing the stack with PythonOffensive cyber security: Smashing the stack with Python
Offensive cyber security: Smashing the stack with PythonMalachi Jones
 
A client-side vulnerability under the microscope!
A client-side vulnerability under the microscope!A client-side vulnerability under the microscope!
A client-side vulnerability under the microscope!Nelson Brito
 
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...Asuka Nakajima
 
HITBSecConf 2016-Create Your Own Bad Usb
HITBSecConf 2016-Create Your Own Bad UsbHITBSecConf 2016-Create Your Own Bad Usb
HITBSecConf 2016-Create Your Own Bad UsbSeunghun han
 
HITBSecConf 2017-Shadow-Box-the Practical and Omnipotent Sandbox
HITBSecConf 2017-Shadow-Box-the Practical and Omnipotent SandboxHITBSecConf 2017-Shadow-Box-the Practical and Omnipotent Sandbox
HITBSecConf 2017-Shadow-Box-the Practical and Omnipotent SandboxSeunghun han
 
BlackHat Asia 2017-Myth and Truth about Hypervisor-Based Kernel Protector
BlackHat Asia 2017-Myth and Truth about Hypervisor-Based Kernel ProtectorBlackHat Asia 2017-Myth and Truth about Hypervisor-Based Kernel Protector
BlackHat Asia 2017-Myth and Truth about Hypervisor-Based Kernel ProtectorSeunghun han
 
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe ShockwaveHES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe ShockwaveHackito Ergo Sum
 
VMs, Interpreters, JIT
VMs, Interpreters, JITVMs, Interpreters, JIT
VMs, Interpreters, JITMarcus Denker
 
Kernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverKernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverAnne Nicolas
 
john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Later
john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Laterjohn-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Later
john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types LaterPositive Hack Days
 
A22 Introduction to DTrace by Kyle Hailey
A22 Introduction to DTrace by Kyle HaileyA22 Introduction to DTrace by Kyle Hailey
A22 Introduction to DTrace by Kyle HaileyInsight Technology, Inc.
 
David-FPGA
David-FPGADavid-FPGA
David-FPGAguest66dc5f
 
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CanSecWest
 
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...RootedCON
 
Defcon 22-colby-moore-patrick-wardle-synack-drop cam
Defcon 22-colby-moore-patrick-wardle-synack-drop camDefcon 22-colby-moore-patrick-wardle-synack-drop cam
Defcon 22-colby-moore-patrick-wardle-synack-drop camPriyanka Aash
 
Mind your language(s), A Discussion about Languages and Security
Mind your language(s), A Discussion about Languages and SecurityMind your language(s), A Discussion about Languages and Security
Mind your language(s), A Discussion about Languages and SecurityAdaCore
 
Where destructors meet threads
Where destructors meet threadsWhere destructors meet threads
Where destructors meet threadsShuo Chen
 
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]RootedCON
 
Slide cipher based encryption
Slide cipher based encryptionSlide cipher based encryption
Slide cipher based encryptionMizi Mohamad
 
Android Mind Reading: Android Live Memory Analysis with LiME and Volatility
Android Mind Reading: Android Live Memory Analysis with LiME and VolatilityAndroid Mind Reading: Android Live Memory Analysis with LiME and Volatility
Android Mind Reading: Android Live Memory Analysis with LiME and VolatilityJoe Sylve
 
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbelleurobsdcon
 
1300 david oswald id and ip theft with side-channel attacks
1300 david oswald id and ip theft with side-channel attacks1300 david oswald id and ip theft with side-channel attacks
1300 david oswald id and ip theft with side-channel attacksPositive Hack Days
 
Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?Aleksandr Yampolskiy
 
Practical Differential Fault Attack on AES
Practical Differential Fault Attack on AESPractical Differential Fault Attack on AES
Practical Differential Fault Attack on AESRiscure
 
Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...
Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...
Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...Igor Korkin
 
Binary instrumentation - dc9723
Binary instrumentation - dc9723Binary instrumentation - dc9723
Binary instrumentation - dc9723Iftach Ian Amit
 
Microsoft GDI+ JPEG Integer Underflow Vulnerability
Microsoft GDI+ JPEG Integer Underflow VulnerabilityMicrosoft GDI+ JPEG Integer Underflow Vulnerability
Microsoft GDI+ JPEG Integer Underflow VulnerabilityAshish Malik
 
Gestão de Patches e Vulnerabilidades
Gestão de Patches e VulnerabilidadesGestão de Patches e Vulnerabilidades
Gestão de Patches e VulnerabilidadesMarcelo Martins
 

Mais conteúdo relacionado

Mais procurados

HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe ShockwaveHES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe ShockwaveHackito Ergo Sum
 
VMs, Interpreters, JIT
VMs, Interpreters, JITVMs, Interpreters, JIT
VMs, Interpreters, JITMarcus Denker
 
Kernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverKernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverAnne Nicolas
 
john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Later
john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Laterjohn-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Later
john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types LaterPositive Hack Days
 
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CanSecWest
 
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...RootedCON
 
Defcon 22-colby-moore-patrick-wardle-synack-drop cam
Defcon 22-colby-moore-patrick-wardle-synack-drop camDefcon 22-colby-moore-patrick-wardle-synack-drop cam
Defcon 22-colby-moore-patrick-wardle-synack-drop camPriyanka Aash
 
Mind your language(s), A Discussion about Languages and Security
Mind your language(s), A Discussion about Languages and SecurityMind your language(s), A Discussion about Languages and Security
Mind your language(s), A Discussion about Languages and SecurityAdaCore
 
Where destructors meet threads
Where destructors meet threadsWhere destructors meet threads
Where destructors meet threadsShuo Chen
 
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]RootedCON
 
Slide cipher based encryption
Slide cipher based encryptionSlide cipher based encryption
Slide cipher based encryptionMizi Mohamad
 
Android Mind Reading: Android Live Memory Analysis with LiME and Volatility
Android Mind Reading: Android Live Memory Analysis with LiME and VolatilityAndroid Mind Reading: Android Live Memory Analysis with LiME and Volatility
Android Mind Reading: Android Live Memory Analysis with LiME and VolatilityJoe Sylve
 
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbelleurobsdcon
 
1300 david oswald id and ip theft with side-channel attacks
1300 david oswald id and ip theft with side-channel attacks1300 david oswald id and ip theft with side-channel attacks
1300 david oswald id and ip theft with side-channel attacksPositive Hack Days
 
Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?Aleksandr Yampolskiy
 
Practical Differential Fault Attack on AES
Practical Differential Fault Attack on AESPractical Differential Fault Attack on AES
Practical Differential Fault Attack on AESRiscure
 
Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...
Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...
Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...Igor Korkin
 
Binary instrumentation - dc9723
Binary instrumentation - dc9723Binary instrumentation - dc9723
Binary instrumentation - dc9723Iftach Ian Amit
 

Mais procurados (20)

HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe ShockwaveHES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
 
VMs, Interpreters, JIT
VMs, Interpreters, JITVMs, Interpreters, JIT
VMs, Interpreters, JIT
 
Kernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverKernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driver
 
john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Later
john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Laterjohn-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Later
john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Later
 
A22 Introduction to DTrace by Kyle Hailey
A22 Introduction to DTrace by Kyle HaileyA22 Introduction to DTrace by Kyle Hailey
A22 Introduction to DTrace by Kyle Hailey
 
David-FPGA
David-FPGADavid-FPGA
David-FPGA
 
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
 
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...
 
Defcon 22-colby-moore-patrick-wardle-synack-drop cam
Defcon 22-colby-moore-patrick-wardle-synack-drop camDefcon 22-colby-moore-patrick-wardle-synack-drop cam
Defcon 22-colby-moore-patrick-wardle-synack-drop cam
 
Mind your language(s), A Discussion about Languages and Security
Mind your language(s), A Discussion about Languages and SecurityMind your language(s), A Discussion about Languages and Security
Mind your language(s), A Discussion about Languages and Security
 
Where destructors meet threads
Where destructors meet threadsWhere destructors meet threads
Where destructors meet threads
 
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
 
Slide cipher based encryption
Slide cipher based encryptionSlide cipher based encryption
Slide cipher based encryption
 
Android Mind Reading: Android Live Memory Analysis with LiME and Volatility
Android Mind Reading: Android Live Memory Analysis with LiME and VolatilityAndroid Mind Reading: Android Live Memory Analysis with LiME and Volatility
Android Mind Reading: Android Live Memory Analysis with LiME and Volatility
 
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell
 
1300 david oswald id and ip theft with side-channel attacks
1300 david oswald id and ip theft with side-channel attacks1300 david oswald id and ip theft with side-channel attacks
1300 david oswald id and ip theft with side-channel attacks
 
Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?
 
Practical Differential Fault Attack on AES
Practical Differential Fault Attack on AESPractical Differential Fault Attack on AES
Practical Differential Fault Attack on AES
 
Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...
Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...
Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...
 
Binary instrumentation - dc9723
Binary instrumentation - dc9723Binary instrumentation - dc9723
Binary instrumentation - dc9723
 

Destaque

Microsoft GDI+ JPEG Integer Underflow Vulnerability
Microsoft GDI+ JPEG Integer Underflow VulnerabilityMicrosoft GDI+ JPEG Integer Underflow Vulnerability
Microsoft GDI+ JPEG Integer Underflow VulnerabilityAshish Malik
 
Gestão de Patches e Vulnerabilidades
Gestão de Patches e VulnerabilidadesGestão de Patches e Vulnerabilidades
Gestão de Patches e VulnerabilidadesMarcelo Martins
 
Permutation Oriented Programming: (Re)searching for alternatives!
Permutation Oriented Programming: (Re)searching for alternatives!Permutation Oriented Programming: (Re)searching for alternatives!
Permutation Oriented Programming: (Re)searching for alternatives!Nelson Brito
 
Cloud: Should I Stay or Should I Go?
Cloud: Should I Stay or Should I Go?Cloud: Should I Stay or Should I Go?
Cloud: Should I Stay or Should I Go?Marcelo Martins
 
SyScan Singapore 2010 - Returning Into The PHP-Interpreter
SyScan Singapore 2010 - Returning Into The PHP-InterpreterSyScan Singapore 2010 - Returning Into The PHP-Interpreter
SyScan Singapore 2010 - Returning Into The PHP-InterpreterStefan Esser
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliveryBlack Duck by Synopsys
 
Exploit Next Generation®: Missão dada é missão cumprida!
Exploit Next Generation®: Missão dada é missão cumprida!Exploit Next Generation®: Missão dada é missão cumprida!
Exploit Next Generation®: Missão dada é missão cumprida!Nelson Brito
 
Hexadecimal (Calculations and Explanations)
Hexadecimal (Calculations and Explanations)Hexadecimal (Calculations and Explanations)
Hexadecimal (Calculations and Explanations)Project Student
 
Inception: Tips and tricks I’ve learned reversing vulnerabilities!
Inception: Tips and tricks I’ve learned reversing vulnerabilities!Inception: Tips and tricks I’ve learned reversing vulnerabilities!
Inception: Tips and tricks I’ve learned reversing vulnerabilities!Nelson Brito
 
"Touching the UNTOUCHABLE" (YSTS Seventh Edition)
"Touching the UNTOUCHABLE" (YSTS Seventh Edition)"Touching the UNTOUCHABLE" (YSTS Seventh Edition)
"Touching the UNTOUCHABLE" (YSTS Seventh Edition)Nelson Brito
 
The Departed: Exploit Next Generation® – The Philosophy
The Departed: Exploit Next Generation® – The PhilosophyThe Departed: Exploit Next Generation® – The Philosophy
The Departed: Exploit Next Generation® – The PhilosophyNelson Brito
 
Permutation Oriented Programming
Permutation Oriented ProgrammingPermutation Oriented Programming
Permutation Oriented ProgrammingNelson Brito
 
Workforce Planning (Process, Labour Shortage, Excess Labour)
Workforce Planning (Process, Labour Shortage, Excess Labour)Workforce Planning (Process, Labour Shortage, Excess Labour)
Workforce Planning (Process, Labour Shortage, Excess Labour)Project Student
 
Changes in working practices
Changes in working practicesChanges in working practices
Changes in working practicesProject Student
 
Programming Languages / Translators
Programming Languages / TranslatorsProgramming Languages / Translators
Programming Languages / TranslatorsProject Student
 
Patch and Vulnerability Management
Patch and Vulnerability ManagementPatch and Vulnerability Management
Patch and Vulnerability ManagementMarcelo Martins
 
Product (Product Portfolio, Branding, USP, Product Depth and Breadth, Product...
Product (Product Portfolio, Branding, USP, Product Depth and Breadth, Product...Product (Product Portfolio, Branding, USP, Product Depth and Breadth, Product...
Product (Product Portfolio, Branding, USP, Product Depth and Breadth, Product...Project Student
 

Destaque (20)

Microsoft GDI+ JPEG Integer Underflow Vulnerability
Microsoft GDI+ JPEG Integer Underflow VulnerabilityMicrosoft GDI+ JPEG Integer Underflow Vulnerability
Microsoft GDI+ JPEG Integer Underflow Vulnerability
 
Gestão de Patches e Vulnerabilidades
Gestão de Patches e VulnerabilidadesGestão de Patches e Vulnerabilidades
Gestão de Patches e Vulnerabilidades
 
Permutation Oriented Programming: (Re)searching for alternatives!
Permutation Oriented Programming: (Re)searching for alternatives!Permutation Oriented Programming: (Re)searching for alternatives!
Permutation Oriented Programming: (Re)searching for alternatives!
 
Cloud: Should I Stay or Should I Go?
Cloud: Should I Stay or Should I Go?Cloud: Should I Stay or Should I Go?
Cloud: Should I Stay or Should I Go?
 
SyScan Singapore 2010 - Returning Into The PHP-Interpreter
SyScan Singapore 2010 - Returning Into The PHP-InterpreterSyScan Singapore 2010 - Returning Into The PHP-Interpreter
SyScan Singapore 2010 - Returning Into The PHP-Interpreter
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous Delivery
 
Exploit Next Generation®: Missão dada é missão cumprida!
Exploit Next Generation®: Missão dada é missão cumprida!Exploit Next Generation®: Missão dada é missão cumprida!
Exploit Next Generation®: Missão dada é missão cumprida!
 
Hexadecimal (Calculations and Explanations)
Hexadecimal (Calculations and Explanations)Hexadecimal (Calculations and Explanations)
Hexadecimal (Calculations and Explanations)
 
Inception: Tips and tricks I’ve learned reversing vulnerabilities!
Inception: Tips and tricks I’ve learned reversing vulnerabilities!Inception: Tips and tricks I’ve learned reversing vulnerabilities!
Inception: Tips and tricks I’ve learned reversing vulnerabilities!
 
"Touching the UNTOUCHABLE" (YSTS Seventh Edition)
"Touching the UNTOUCHABLE" (YSTS Seventh Edition)"Touching the UNTOUCHABLE" (YSTS Seventh Edition)
"Touching the UNTOUCHABLE" (YSTS Seventh Edition)
 
The Departed: Exploit Next Generation® – The Philosophy
The Departed: Exploit Next Generation® – The PhilosophyThe Departed: Exploit Next Generation® – The Philosophy
The Departed: Exploit Next Generation® – The Philosophy
 
Permutation Oriented Programming
Permutation Oriented ProgrammingPermutation Oriented Programming
Permutation Oriented Programming
 
Workforce Planning (Process, Labour Shortage, Excess Labour)
Workforce Planning (Process, Labour Shortage, Excess Labour)Workforce Planning (Process, Labour Shortage, Excess Labour)
Workforce Planning (Process, Labour Shortage, Excess Labour)
 
Changes in working practices
Changes in working practicesChanges in working practices
Changes in working practices
 
Programming Languages / Translators
Programming Languages / TranslatorsProgramming Languages / Translators
Programming Languages / Translators
 
The Caesar Cipher
The Caesar Cipher The Caesar Cipher
The Caesar Cipher
 
Patch and Vulnerability Management
Patch and Vulnerability ManagementPatch and Vulnerability Management
Patch and Vulnerability Management
 
FormacaoCrypto
FormacaoCryptoFormacaoCrypto
FormacaoCrypto
 
Product (Product Portfolio, Branding, USP, Product Depth and Breadth, Product...
Product (Product Portfolio, Branding, USP, Product Depth and Breadth, Product...Product (Product Portfolio, Branding, USP, Product Depth and Breadth, Product...
Product (Product Portfolio, Branding, USP, Product Depth and Breadth, Product...
 
Cryptography - 101
Cryptography - 101Cryptography - 101
Cryptography - 101
 

Semelhante a The hangover: A "modern" (?) high performance approach to build an offensive computing tool!

6. processes and threads
6. processes and threads6. processes and threads
6. processes and threadsMarian Marinov
 
Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Luis Grangeia
 
04_ForkPipe.pptx
04_ForkPipe.pptx04_ForkPipe.pptx
04_ForkPipe.pptxvnwzympx
 
[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory AnalysisMoabi.com
 
Bit_Bucket_x31_Final
Bit_Bucket_x31_FinalBit_Bucket_x31_Final
Bit_Bucket_x31_FinalSam Knutson
 
How shit works: the CPU
How shit works: the CPUHow shit works: the CPU
How shit works: the CPUTomer Gabel
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class Chris Gates
 
Golang Performance : microbenchmarks, profilers, and a war story
Golang Performance : microbenchmarks, profilers, and a war storyGolang Performance : microbenchmarks, profilers, and a war story
Golang Performance : microbenchmarks, profilers, and a war storyAerospike
 
BSides MCR 2016: From CSV to CMD to qwerty
BSides MCR 2016: From CSV to CMD to qwertyBSides MCR 2016: From CSV to CMD to qwerty
BSides MCR 2016: From CSV to CMD to qwertyJerome Smith
 
Exploring the Internet of Things Using Ruby
Exploring the Internet of Things Using RubyExploring the Internet of Things Using Ruby
Exploring the Internet of Things Using RubyMike Hagedorn
 
IOT Firmware: Best Pratices
IOT Firmware: Best PraticesIOT Firmware: Best Pratices
IOT Firmware: Best Praticesfarmckon
 
11_UNIX_Processes_Including_Select.ppt
11_UNIX_Processes_Including_Select.ppt11_UNIX_Processes_Including_Select.ppt
11_UNIX_Processes_Including_Select.pptSIDDHARTHANANDCSE202
 
[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory Analysis[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory AnalysisMoabi.com
 
TestowanieIoT2016
TestowanieIoT2016TestowanieIoT2016
TestowanieIoT2016kraqa
 
Track c-High speed transaction-based hw-sw coverification -eve
Track c-High speed transaction-based hw-sw coverification -eveTrack c-High speed transaction-based hw-sw coverification -eve
Track c-High speed transaction-based hw-sw coverification -evechiportal
 
An intro to programming
An intro to programmingAn intro to programming
An intro to programmingWolfFlight
 
[HITB Malaysia 2011] Exploit Automation
[HITB Malaysia 2011] Exploit Automation[HITB Malaysia 2011] Exploit Automation
[HITB Malaysia 2011] Exploit AutomationMoabi.com
 
[Kiwicon 2011] Post Memory Corruption Memory Analysis
[Kiwicon 2011] Post Memory Corruption Memory Analysis[Kiwicon 2011] Post Memory Corruption Memory Analysis
[Kiwicon 2011] Post Memory Corruption Memory AnalysisMoabi.com
 

Semelhante a The hangover: A "modern" (?) high performance approach to build an offensive computing tool! (20)

6. processes and threads
6. processes and threads6. processes and threads
6. processes and threads
 
Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1
 
04_ForkPipe.pptx
04_ForkPipe.pptx04_ForkPipe.pptx
04_ForkPipe.pptx
 
[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis
 
Bit_Bucket_x31_Final
Bit_Bucket_x31_FinalBit_Bucket_x31_Final
Bit_Bucket_x31_Final
 
How shit works: the CPU
How shit works: the CPUHow shit works: the CPU
How shit works: the CPU
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
 
Golang Performance : microbenchmarks, profilers, and a war story
Golang Performance : microbenchmarks, profilers, and a war storyGolang Performance : microbenchmarks, profilers, and a war story
Golang Performance : microbenchmarks, profilers, and a war story
 
BSides MCR 2016: From CSV to CMD to qwerty
BSides MCR 2016: From CSV to CMD to qwertyBSides MCR 2016: From CSV to CMD to qwerty
BSides MCR 2016: From CSV to CMD to qwerty
 
Exploring the Internet of Things Using Ruby
Exploring the Internet of Things Using RubyExploring the Internet of Things Using Ruby
Exploring the Internet of Things Using Ruby
 
IOT Firmware: Best Pratices
IOT Firmware: Best PraticesIOT Firmware: Best Pratices
IOT Firmware: Best Pratices
 
11_UNIX_Processes_Including_Select.ppt
11_UNIX_Processes_Including_Select.ppt11_UNIX_Processes_Including_Select.ppt
11_UNIX_Processes_Including_Select.ppt
 
[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory Analysis[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory Analysis
 
TestowanieIoT2016
TestowanieIoT2016TestowanieIoT2016
TestowanieIoT2016
 
Track c-High speed transaction-based hw-sw coverification -eve
Track c-High speed transaction-based hw-sw coverification -eveTrack c-High speed transaction-based hw-sw coverification -eve
Track c-High speed transaction-based hw-sw coverification -eve
 
Process management
Process managementProcess management
Process management
 
An intro to programming
An intro to programmingAn intro to programming
An intro to programming
 
[HITB Malaysia 2011] Exploit Automation
[HITB Malaysia 2011] Exploit Automation[HITB Malaysia 2011] Exploit Automation
[HITB Malaysia 2011] Exploit Automation
 
[Kiwicon 2011] Post Memory Corruption Memory Analysis
[Kiwicon 2011] Post Memory Corruption Memory Analysis[Kiwicon 2011] Post Memory Corruption Memory Analysis
[Kiwicon 2011] Post Memory Corruption Memory Analysis
 
Audible Objects
Audible ObjectsAudible Objects
Audible Objects
 

Mais de Nelson Brito

Próximo passo evolutivo de um DB Scanner
Próximo passo evolutivo de um DB ScannerPróximo passo evolutivo de um DB Scanner
Próximo passo evolutivo de um DB ScannerNelson Brito
 
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT eraReversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT eraNelson Brito
 
Inception: Support Slides
Inception: Support SlidesInception: Support Slides
Inception: Support SlidesNelson Brito
 
DoS: From "Galactic Network" to "Service Unavailable" (Support Slides)
DoS: From "Galactic Network" to "Service Unavailable" (Support Slides)DoS: From "Galactic Network" to "Service Unavailable" (Support Slides)
DoS: From "Galactic Network" to "Service Unavailable" (Support Slides)Nelson Brito
 
Keynote: Where is my identity?
Keynote: Where is my identity?Keynote: Where is my identity?
Keynote: Where is my identity?Nelson Brito
 
Worms 2.0: Evolution — From SyFy to "You Die"
Worms 2.0: Evolution — From SyFy to "You Die"Worms 2.0: Evolution — From SyFy to "You Die"
Worms 2.0: Evolution — From SyFy to "You Die"Nelson Brito
 
Inception: A reverse-engineer horror History
Inception: A reverse-engineer horror HistoryInception: A reverse-engineer horror History
Inception: A reverse-engineer horror HistoryNelson Brito
 
Worms: Conheça o inimigo e defenda-se
Worms: Conheça o inimigo e defenda-seWorms: Conheça o inimigo e defenda-se
Worms: Conheça o inimigo e defenda-seNelson Brito
 

Mais de Nelson Brito (8)

Próximo passo evolutivo de um DB Scanner
Próximo passo evolutivo de um DB ScannerPróximo passo evolutivo de um DB Scanner
Próximo passo evolutivo de um DB Scanner
 
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT eraReversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
 
Inception: Support Slides
Inception: Support SlidesInception: Support Slides
Inception: Support Slides
 
DoS: From "Galactic Network" to "Service Unavailable" (Support Slides)
DoS: From "Galactic Network" to "Service Unavailable" (Support Slides)DoS: From "Galactic Network" to "Service Unavailable" (Support Slides)
DoS: From "Galactic Network" to "Service Unavailable" (Support Slides)
 
Keynote: Where is my identity?
Keynote: Where is my identity?Keynote: Where is my identity?
Keynote: Where is my identity?
 
Worms 2.0: Evolution — From SyFy to "You Die"
Worms 2.0: Evolution — From SyFy to "You Die"Worms 2.0: Evolution — From SyFy to "You Die"
Worms 2.0: Evolution — From SyFy to "You Die"
 
Inception: A reverse-engineer horror History
Inception: A reverse-engineer horror HistoryInception: A reverse-engineer horror History
Inception: A reverse-engineer horror History
 
Worms: Conheça o inimigo e defenda-se
Worms: Conheça o inimigo e defenda-seWorms: Conheça o inimigo e defenda-se
Worms: Conheça o inimigo e defenda-se
 

Último

H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 

Último (20)

H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 

The hangover: A "modern" (?) high performance approach to build an offensive computing tool!

  • 1. The Hangover A “modern” (?) high performance approach to build an offensive computing tool! Nelson Brito nbrito[at]sekure[dot]org
  • 2. Agenda • 0000 – Introduction • 0101 – Results • 0001 – Motivation • 0110 – Demonstration • 0010 – “Hello World” Examples • 0111 – Conclusions • 0011 – Lessons Learned • 1000 – Questions and Answers • 0100 – Comparison
  • 6. Goals • Firstly, the primary goal of this research was to build a “PERFECT” tool to use in my daily tasks. • Secondly, provide me enough knowledge and perspective of how network devices and computer systems behave under this type of attack. • Thirdly, prove that DoS was and still is a BIG ISSUE to whole Internet infrastructure. • Lastly, but not least: – “The best is yet to come!” • http://fnstenv.blogspot.com/2010/08/best-is-yet-to-come.html – “A fake version of T50!!!” • http://fnstenv.blogspot.com/2010/10/fake-version-of-t50.html
  • 7. Why Denial-of-Service? • Is there anything more offensive than a • But, what are the real damages? What DoS, anyways? are the real motivations? Image? – Bear in mind: DoS means “Stress Revenge? Financial? Political? Hactivism? Testing” for this presentation. • DoS attacks are significantly harmful, • DoS tools are necessary weapons in a because they violate one of the three key cyber warfare… concepts of security that are common to risk management… Which one? • Attacks against the infrastructure are – Confidentiality more common than many people might – Integrity think, and, when they happen, people – Availability will certainly be aware of. All the codes in this presentation were written in C language and tested on real machines, rather than virtual machines.
  • 8. 0010 – “Hello World” Examples
  • 9. “Hello World” Example 01 main() loop() Signal() while() kill() malloc() memset() memcpy() Signal() alarm()
  • 10. “Hello World” Example 02 main() loop() Signal() while() kill() memset() memcpy() Signal() alarm()
  • 11. “Hello World” Example 03 main() loop() Signal() while() kill() memcpy() Signal() alarm()
  • 12. “Hello World” Example 04 main() loop() while() malloc() loop() memset() memcpy()
  • 13. “Hello World” Example 05 main() loop() while() memset() loop() memcpy()
  • 14. “Hello World” Example 06 main() loop() while() memcpy() loop()
  • 15. “Hello World” Examples Applied Dell Latitude E6400 Dell Inspiron 910
  • 16. 0011 – Lessons Learned Also known as “Tips and Tricks”
  • 17. What is the “high-performance” definition? English Language Computer Science • Adj. • A code and/or program that solves any – 1. Modified to give superior problem faster and more efficiently than performance: ordinary codes / programs. • “a high-performance car” superior – of high or superior • A code and/or program which use all – quality or performance; or as much as possible – computer’s • “superior wisdom derived from resources available. experience”; • “superior math students”.
  • 18. SOCKET(2) • T50 Sukhoi PAK FA is capable to: – Send protocol packets: ICMP, IGMP, TCP and UDP. • NO BIG DEAL, right? – Send ALL of them “ALMOST” on the same time – protocol “T50”! • BIG DEAL! 8) • How many sockets should the code use to send ALL of them “ALMOST” on the same time? – 1 socket file descriptor – 2 socket file descriptors – 4 socket file descriptors – 8 socket file descriptors – 16 socket file descriptors – 32 socket file descriptors – 64 socket file descriptors – NONE • “Just one socket file descriptor? Really?”
  • 19. SOCKET(2) & SETSOCKOPT(2) socket_t fd; int flags, n = 1, len, * nptr = &n; fd_set wfds; [...] if((fd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1) exit(EXIT_FAILURE); if(setsockopt(fd, IPPROTO_IP, IP_HDRINCL, nptr, sizeof(n)) < 0) exit(EXIT_FAILURE); [...]
  • 20. GETSOCKOPT(2) & SETSOCKOPT(2) socket_t fd; int flags, n = 1, len, * nptr = &n; fd_set wfds; [...] len = sizeof(n); if(getsockopt(fd, SOL_SOCKET, SO_SNDBUF, &n, &len) == -1) exit(EXIT_FAILURE); for(n += 128 ; n < 1048576 ; n += 128){ if(setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &n, len) == -1){ if(errno == ENOBUFS) break; exit(EXIT_FAILURE); } } [...]
  • 21. FCNTL(2) socket_t fd; int flags, n = 1, len, * nptr = &n; fd_set wfds; [...] flags = fcntl(fd, F_GETFL, 0); if(fcntl(fd, F_SETFL, flags|O_NONBLOCK) == -1) exit(EXIT_FAILURE); [...]
  • 22. IOCTL(2) socket_t fd; int flags, n = 1, len, * nptr = &n; fd_set wfds; [...] if(ioctl(fd, FIONBIO, &n) == -1) exit(EXIT_FAILURE); [...]
  • 23. SIGNAL(2) & SENDTO(2) • “Signals are used to notify a process or thread of a particular event. Many computer science researchers compare signals with hardware interrupts, which occur when a hardware subsystem, such as a disk I/O (input/output) interface, generates an interrupt to a processor when the I/O completes.” – Linux Journal (Issue 73, May 2000) – By Moshe Bar • “Signals also have been used to communicate and synchronize processes and to simplify interprocess communications (IPCs). Although we now have advanced synchronization tools and many IPC mechanisms, signals play a vital role in Linux for handling exceptions and interrupts. Signals have been used for approximately 30 years without any major modifications.” – Linux Journal (Issue 107, March 2003) – By B. Thangaraju
  • 24. SIGNAL(2) & SENDTO(2) [...] signal(SIGPIPE, SIG_IGN); [...] redo: if(sendto(fd, &p, p_sz, 0|MSG_NOSIGNAL, &sin, sizeof(sin)) == -1){ if(errno == EPERM) goto redo; else exit(EXIT_FAILURE); } [...]
  • 25. SELECT(2) socket_t fd; int flags, n = 1, len, * nptr = &n; fd_set wfds; [...] while(flood || threshold--){ FD_ZERO(&wfds); FD_SET(fd, &wfds); if(select(fd + 1, NULL, &wfds, NULL, NULL) == -1) exit(EXIT_FAILURE); if(FD_ISSET(fd, &wfds)){ [...]
  • 26. PSELECT(2) socket_t fd; int flags, n = 1, len, * nptr = &n; fd_set wfds; [...] while(flood || threshold--){ FD_ZERO(&wfds); FD_SET(fd, &wfds); if(pselect(fd + 1, NULL, &wfds, NULL, NULL, NULL) == -1) exit(EXIT_FAILURE); if(FD_ISSET(fd, &wfds)){ [...]
  • 27. SLEEP(3) • Should the code “sleep()”? – Yes – No • Should the code “usleep()”? – Yes – No • Should the code “nanosleep()”? – Yes – No • The code must never SLEEP(3), USLEEP(3) or NANOSLEEP(3).
  • 28. RAND(3) • “short” (16-bit) – Which one is faster creating random? • ((rand()&0xffff)<<8)+(rand()&0xffff) •1+(short)(65535.0*rand()/(RAND_MAX+1.0)) • “int” (32-bit) – Which one is faster creating random? • ((rand()&0xffffffff)<<16)+(rand()&0xffffffff) •1+(int)(4294967295.0*rand()/(RAND_MAX+1.0))
  • 29. RAND(3) Dell Latitude E6400 Dell Inspiron 910
  • 30. What else? • Choose using local variables rather than global variables. • Choose using “__inline__” in header file (*.h) and “inline” in source code (*.c), enabling GCC switch options: – “-finline-functions” (-O3) – “-fkeep-inline-functions” • Choose using “void” if you do not have to check the “return()” of some “function()”. • Should the code use “unsigned” or “signed”? • Should the code use “fork()” or “pthread_*()”? • Etc... And by “etc…” I mean… • Ohh… I almost forgot!!! Make the code RFC 1918 Compliance.
  • 32. com.par.i.son English Language C Language (Operators) • n. • To test for equality is “==”. 1. • To test for inequality is “!=”. a.The act of comparing or the • Other operators: process of being compared. – “<” (less than) b. A statement or estimate of – “>” (greater than) similarities and differences. – “<=” (less than or equals) 2. The quality of being similar or – “>=” (greater than or equals) equivalent; likeness: no comparison between the two books. 3. …
  • 33. com.par.i.son TCP Flood UDP Flood • C4 by live • Geminid by live • Geminid by live • B52 by Nelson Brito • Mausezahn by Herbert Haas • Mausezahn by Herbert Haas • F22 by Nelson Brito • [L]OTUS by labsec team • HPING3 by Salvatore Sanfilippo* • HPING3 by Salvatore Sanfilippo* ICMP Flood IGMP • Geminid by live • STRESSER-0.7 by Shen139? • Mausezahn by Herbert Haas – Please, don’t be silly!!! • HPING3 by Salvatore Sanfilippo*
  • 35. Why do I keep saying “ALMOST”?
  • 37. Minimum Frame Size (MFS) • The maximum packet size is 1518 bytes, although to allow the Q-tag for Virtual LAN and priority data in 802.3ac it is extended to 1522 bytes. • If the upper layer protocol submits a protocol data unit (PDU) less than 64 bytes, 802.3 will pad the data field to achieve the minimum 64 bytes. • The Minimum Frame Size will then always be of 64 bytes, but… – The Minimum Frame Size is related to the distance which the network spans, the type of media being used and the number of repeaters which the signal may have to pass through to reach the furthest part of the LAN.
  • 38. Maximum Packets per Second (PPS) – 64 bytes 100BASE-TX 1000BASE-T • 100 Mbps • 1 Gbps • 100,000,000 bits/sec • 1,000,000,000 bits/sec • 12,500,000 bytes/sec • 125,000,000 bytes/sec • 195,312.50 pps • 1,953,125.00 pps
  • 39. Maximum Packets per Second (PPS) – 88 bytes 100BASE-TX 1000BASE-T • 100 Mbps • 1 Gbps • 100,000,000 bits/sec • 1,000,000,000 bits/sec • 12,500,000 bytes/sec • 125,000,000 bytes/sec • 142,045.50 pps • 1,420,455.00 pps
  • 40. TCP Flood 100BASE-TX 1000BASE-T
  • 41. UDP Flood 100BASE-TX 1000BASE-T
  • 42. ICMP Flood 100BASE-TX 1000BASE-T
  • 44. T50 Sukhoi PAK FA Mixed Packet Injector Tool Dell Latitude E6400 Dell Latitude D620 • Intel® Core™ 2 Duo P8400 (2.26 GHz) • Intel® Core™ Duo T5600 (1.83 GHz) • Memory 4GB RAM • Memory 2GB RAM • Ubuntu Desktop Linux 10.04 64-bit • Microsoft Windows 7 32-bit • Intel® 82567LM Gigabit Controller • Broadcom NetXtreme 57xx Gigabit • 1 Gbps Network Controller • Cross-over Cable (CAT-5e) • 1 Gbps Network • Cross-over Cable (CAT-5e) http://j.mp/T50-Demo Demonstration!
  • 46. Conclusions • Can be applied to any DoS: • Can be considered a cyber warfare’s – Peer-to-Peer Attacks weapon? – Application Level Attacks – Yes, it can be considered like one. – Distributed Attacks – Reflected Attacks • It is just a matter of time to things get – Level-2 Attacks worse on the Internet. – Degradation-of-Service Attacks – DNS Amplifiers Attacks • A DoS can be perpetrated overnight! • Is DoS and DDoS so 1990’s? • What else? – Please, don’t be silly, again!!! An attacker does not even need multiples zombies.
  • 47. 1000 – Questions & Answers