SlideShare uma empresa Scribd logo

Tactical Exploitation - hdm valsmith

A
amiable_indian

Tactical Exploitation - hdm valsmith metasploit hacking hacker

Tecnologia
1 de 79
Tactical Exploitation “the other way to pen-test “ hdm / valsmith Black Hat USA 2007 Las Vegas – August 2007
who are we ? H D Moore <hdm [at] metasploit.com> BreakingPoint Systems || Metasploit Valsmith <valsmith [at] metasploit.com> Offensive Computing || Metasploit Las Vegas – August 2007
why listen ? A different approach to pwning • Lots of fun techniques, new tools • Real-world tested ;-) • Las Vegas – August 2007
what do we cover ? Target profiling • Discovery tools and techniques • Exploitation • Getting you remote access • Las Vegas – August 2007
the tactical approach Vulnerabilites are transient • Target the applications • Target the processes • Target the people • Target the trusts • You WILL gain access. • Las Vegas – August 2007
the tactical approach Crackers are opportunists • Expand the scope of your tests • Everything is fair game • What you dont test... • Someone else will! • Las Vegas – August 2007
the tactical approach Hacking is not about exploits • The target is the data, not r00t • Hacking is using what you have • Passwords, trust relationships • Service hijacking, auth tickets • Las Vegas – August 2007
personnel discovery Security is a people problem • People write your software • People secure your network • Identify the meatware first • Las Vegas – August 2007
personnel discovery Identifying the meatware • • Google • Newsgroups SensePost tools • Evolution from Paterva.com • Las Vegas – August 2007
personnel discovery These tools give us • Full names, usernames, email • Employment history • Phone numbers • Personal sites • Las Vegas – August 2007
personnel discovery Las Vegas – August 2007
personnel discovery Started with company and jobs • Found online personnel directory • Found people with access to data • Found resumes, email addresses • Email name = username = target • Las Vegas – August 2007
personnel discovery Joe Targetstein • Works as lead engineer in semiconductor department • Email address joet@company.com • Old newsgroup postings show • joet@joesbox.company.com Now we have username and a host to target to go • after semi conductor information Las Vegas – August 2007
network discovery Identify your target assets • Find unknown networks • Find third-party hosts • Dozens of great tools... • Lets stick to the less-known ones • Las Vegas – August 2007
network discovery The overused old busted • Whois, Google, zone transfers • Reverse DNS lookups • Las Vegas – August 2007
network discovery The shiny new hotness • Other people's services • CentralOps.net, DigitalPoint.com • DomainTools.com • Paterva.com • Las Vegas – August 2007
network discovery DomainTools vs Defcon.org • 1. Darktangent.net 0 listings0 listings0 listings 2. Defcon.net 0 listings0 listings0 listings 3. Defcon.org 1 listings18 listings 1 listings 4. Hackerjeopardy.com 0 listings0 listings0 listings 5. Hackerpoetry.com0 listings0 listings0 listings 6. Thedarktangent.com 0 listings0 listings0 listings 7. Thedarktangent.net 0 listings0 listings0 listings 8. Thedarktangent.org 0 listings0 listings0 listings Las Vegas – August 2007
network discovery DomainTools vs Defcon.net • 1. 0day.com 0 listings0 listings0 listings • 2. 0day.net 0 listings0 listings0 listings • 3. Darktangent.org 0 listings0 listings0 listings • [ snipped personal domains ] 12. Securityzen.com 0 listings0 listings0 listings • 13. Zeroday.com 0 listings0 listings0 listings • Las Vegas – August 2007
network discovery What does this get us? • Proxied DNS probes, transfers • List of virtual hosts for each IP • Port scans, traceroutes, etc • Gold mine of related info • Las Vegas – August 2007
network discovery Active discovery techniques • Trigger SMTP bounces • Brute force HTTP vhosts • Watch outbound DNS • Just email the users! • Las Vegas – August 2007
network discovery Received: from unknown (HELO gateway1.rsasecurity.com) (216.162.240.250) by [censored] with SMTP; 28 Jun 2007 15:11:29 -0500 Received: from hyperion.rsasecurity.com by gateway1.rsasecurity.com via smtpd (for [censored]. [xxx.xxx.xxx.xxx]) with SMTP; Thu, 28 Jun 2007 16:11:29 -0400 by hyperion.na.rsa.net (MOS 3.8.3-GA) To: user@[censored] Subject: Returned mail: User unknown (from [10.100.8.152]) Las Vegas – August 2007
application discovery If the network is the toast... • Applications are the butter. • Each app is an entry point • Finding these apps is the trick • Las Vegas – August 2007
application discovery Tons of great tools • Nmap, Amap, Nikto, Nessus • Commercial tools • Las Vegas – August 2007
application discovery Slow and steady wins the deface • Scan for specific port, one port only • IDS/IPS can't handle slow scans • Ex. nmap -sS -P0 -T 0 -p 1433 ips • Las Vegas – August 2007
application discovery Example target had custom IDS to • detect large # of host connections Standard nmap lit up IDS like XMAS • One port slow scan never detected • Know OS based on 1 port (139/22) • Las Vegas – August 2007
application discovery Target had internal app for software licensing / • distribution ~10,000 nodes had app installed • A couple of hours with IDA/Ollydbg showed • static Admin password in app's memory All accessible nodes owned, 0 exploits used • Las Vegas – August 2007
application discovery Web Application Attack and Audit • Framework • W3AF: “Metasploit for the web” Metasploit 3 scanning modules • • Scanning mixin Las Vegas – August 2007
application discovery DEMO Las Vegas – August 2007
client app discovery Client applications are fun! • Almost always exploitable • Easy to fingerprint remotely • Your last-chance entrance • Las Vegas – August 2007
client app discovery Common probe methods • Mail links to the targets • Review exposed web logs • Send MDNs to specific victims • Abuse all, everyone, team aliases • Las Vegas – August 2007
process discovery Track what your target does • Activity via IP ID counters • Last-modified headers • FTP server statistics • Las Vegas – August 2007
process discovery Look for patterns of activity • Large IP ID increments at night • FTP stats at certain times • Microsoft FTP SITE STATS • Web pages being uploaded • Check timestamps on images • Las Vegas – August 2007
process discovery Existing tools? • None, really... • Easy to script • • Use “hping” for IP ID tracking • Use netcat for SITE STATS Las Vegas – August 2007
process discovery ABOR : 2138 NOOP : 147379 SIZE : 76980 ACCT : 2 OPTS : 21756 SMNT : 16 ALLO : 32 PASS : 2050555100 STAT : 30812 APPE : 74 PASV : 2674909 STOR : 3035 CDUP : 5664 PORT : 786581 STRU : 3299 CWD : 388634 PWD : 179852 SYST : 175579 DELE : 1910 QUIT : 143771 TYPE : 3038879 FEAT : 2970 REIN : 16 USER : 2050654280 HELP : 470 REST : 31684 XCWD : 67 LIST : 3228866 RETR : 153140 XMKD : 12 MDTM : 49070 RMD : 41 XPWD : 1401 MKD : 870 RNFR : 58 XRMD : 2 MODE : 3938 RNTO : 2 NLST : 1492 SITE : 2048 ftp.microsoft.com [node] SITE STATS / Uptime: 47 days Las Vegas – August 2007
process discovery << backups run at midnight USA people wake up >> IP ID Monitoring / HACKER.COM Las Vegas – August 2007
15 Minute Break Come back for the exploits! • Las Vegas – August 2007
re-introduction In our last session... • Discovery techniques and tools • In this session... • • Compromising systems! Las Vegas – August 2007
external network The crunchy candy shell • Exposed hosts and services • VPN and proxy services • Client-initiated sessions • Las Vegas – August 2007
attacking ftp transfers Active FTP transfers • Clients often expose data ports • NAT + Active FTP = Firewall Hole • Passive FTP transfers • Data port hijacking: DoS at least • pasvagg.pl still works just fine :-) • Las Vegas – August 2007
attacking web servers Brute force vhosts, files, dirs • http://www.cray.com/old/ • Source control files left in root • http://www.zachsong.com/CVS/Entries • Las Vegas – August 2007
attacking web servers Apache Reverse Proxying • GET /%00 HTTP/1.1 Host: realhost.com Apache Dynamic Virtual Hosting • GET / HTTP/1.1 Host: %00/ Las Vegas – August 2007
load balancers Cause load balancer to “leak” • internal IP information Use TCP half-close HTTP request • Alteon ACEdirector good example • Las Vegas – August 2007
load balancers ACEdirector mishandles TCP half- • close requests • Behavior can be used as signature • for existence of Load Balancer • Direct packets from real webserver • fowarded back to client (with IP) Las Vegas – August 2007
cgi case study Web Host with 1000's of sites • Had demo CGI for customers • CGI had directory traversal • www.host.com/cgi-bin/vuln.pl/../../cgi • CGI executable + writable on every • directory Common on web hosts! • • Las Vegas – August 2007
cgi case study Enumerated: • • Usernames • Dirs • Backup files • Other CGI scripts • VHOSTS Las Vegas – August 2007
cgi case study Target happened to run solaris • • Solaris treats dirs as files • cat /dirname = ls /dirname http://www.host.com/cgi-bin/vuln.cgi/../../../../dirname%00.html • Las Vegas – August 2007
cgi case study Found CGI script names • Googled for vulns • Gained shell 100's of different ways • Owned due to variety of layered • configuration issues Las Vegas – August 2007
attacking dns servers Brute force host names • XID sequence analysis • • BIND 9: PRNG / Birthday • VxWorks: XID = XID + 1 Return extra answers in response • Las Vegas – August 2007
authentication relays SMB/CIFS clients are fun! • Steal hashes, redirect, MITM • NTLM relay between protocols • SMB/HTTP/SMTP/POP3/IMAP • More on this later... • Las Vegas – August 2007
social engineering Give away free toys • CDROMs, USB keys, N800s • Replace UPS with OpenWRT • Cheap and easy to make • Las Vegas – August 2007
internal network The soft chewy center • This is the fun part :) • Easy to trick clients • Las Vegas – August 2007
netbios services NetBIOS names are magic • • WPAD • CALICENSE Las Vegas – August 2007
dns services Microsoft DNS + DHCP = fun • • Inject host names into DNS • Hijack the entire network dhcpcd -h WPAD -i eth0 • Las Vegas – August 2007
Hijacking NTLM Quickly own all local workstations • Gain access to mail and web sites • A new twist on “smbrelay2.cpp” • Yes, it was released in 2001. • Now implemented in Metasploit 3 • Las Vegas – August 2007
Hijacking NTLM 1. MITM all outbound web traffic Cache poison the “WPAD” host • Plain old ARP spoofing • DHCP / NetBIOS + “WPAD” • Run a rogue WiFi access point • Manipulate TOR connections • Las Vegas – August 2007
Hijacking NTLM 2. Redirect HTTP requests to “intranet” WPAD + SOCKS server • SQUID + transparent proxying • 302 Redirect • Las Vegas – August 2007
Hijacking NTLM 3. Return HTML page with UNC link IE 5/6/7: <img src=”ipsharei.jpg”> • Firefox: mozicon-url:file:////ip/share/i.jpg • Third-party plugins: • Adobe PDF Viewer • Windows Media Player • Microsoft Office • Las Vegas – August 2007
Hijacking NTLM 4. Accept SMB connection and relay Accept connection from the client • Connect to the target server (or client) • Ask target for Challenge Key • Provide this Key to the client • Allow the client to authenticate • Las Vegas – August 2007
Hijacking NTLM 5. Executing remote code Disconnect the client • Use authenticated session • • ADMIN$ + Service Control Manager • Access data, call RPC routines, etc • Access the remote registry Las Vegas – August 2007
Hijacking NTLM DEMO Las Vegas – August 2007
file servers “NAS appliances are safe and secure” • Don't worry, the vendor sure doesn't • Unpatched Samba daemons • • Snap, TeraServer, OS X, etc. Inconsistent file permissions • AFP vs NFS vs SMB • Las Vegas – August 2007
samba is awesome 1999 called, want their bugs back • Remember those scary “NULL Sessions” • Samba ENUM / SID2USR user listing • Massive information leaks via DCERPC • • Shares, Users, Policies • Brute force accounts (no lockout) Las Vegas – August 2007
smb case study Old bugs back to haunt new boxes • Found OS X Box running SMB • User sent mail touting OS X sec • Previous scans had found vulns • User: “false positive, its OS X” • Us: “Owned” • Las Vegas – August 2007
smb case study Performed Null Session • net use osxsmbipc$ “” /user:”” • Enumerated users and shares • • Brute forced several user accounts • Got shell, escalated to root • User: “but . .but . . its OS X!” Las Vegas – August 2007
samba vs metasploit Metasploit modules for Samba • Linux (vSyscall + Targets) • Mac OS X (PPC/x86) • Solaris (SPARC,x86) • Auxiliary PoCs • Las Vegas – August 2007
nfs services NFS is your friend • Dont forget its easy cousin NIS • Scan for port 111 / 2049 • showmount -e / showmount -a • Whats exported, whose mounting? • Las Vegas – August 2007
nfs services Exported NFS home directories • Important target! • If you get control • Own every node that mounts it • Las Vegas – August 2007
nfs services If you are root on home server • Become anyone (NIS/su) • Harvest known_hosts files • Harvest allowed_keys • Modify .login, etc. + insert trojans • Las Vegas – August 2007
nfs services Software distro servers are fun! • All nodes access over NFS • Write to software distro directories • Trojan every node at once • No exploits needed! • Las Vegas – August 2007
file services Example: all nodes were diskless / patched • Clients got software from NFS server • We hacked the software server • Using trust hijacking explained later • Inserted trojaned gnu binaries • 1000's of nodes sent us shells • Las Vegas – August 2007
trust relationships The target is unavailable to YOU • Not to another host you can reach... • Networks may not trust everyone • But they often trust each other :) • • Las Vegas – August 2007
trusts Deal with firewalls/TCP wrappers/ACLs • Find a node that is accepted and own it • People wrapper Unix and leave Windows • open Hack the Windows box and port forward • past wrappers Las Vegas – August 2007
trusts Example: Mixed network with Unix • wrapperd Target Solaris homedir server • Had auth credentials but couldn't reach • port 22 Found 1 vulnerable win box , owned / • installed portfworward to homedir port 22 • Las Vegas – August 2007
Hijacking SSH Idea is to abuse legitimate users access • over SSH If user can access other systems, why • can't you? (even without users password) One time passwords? No problem! • Intel gathering • Las Vegas – August 2007
Hijacking SSH Available tools • Metalstorm ssh hijacking • • Trojaned ssh clients • SSH master modes Dont for get TTY hijacking • Appcap • • TTYWatcher Who suspects a dead SSH session? • Las Vegas – August 2007
Hijacking SSH DEMO Las Vegas – August 2007
Hijacking Kerberos Kerberos is great for one time • authentication . . even for hackers Idea is to become a user and hijack • kerberos tickets Gain access to other trusted nodes • • Las Vegas – August 2007
Hijacking Kerberos DEMO Las Vegas – August 2007
Conclusion Compromise a “secure” network • Determination + creativity wins • Tools cannot replace talent. • Las Vegas – August 2007

Recomendados

IPv6 Threat Presentation
IPv6 Threat PresentationIPv6 Threat Presentation
IPv6 Threat Presentationjohnmcclure00
 
Thotcon 0x5 - Retroactive Wiretapping VPN over DNS
Thotcon 0x5 - Retroactive Wiretapping VPN over DNSThotcon 0x5 - Retroactive Wiretapping VPN over DNS
Thotcon 0x5 - Retroactive Wiretapping VPN over DNSJohn Bambenek
 
DNS Security
DNS SecurityDNS Security
DNS Securityjohnmcclure00
 
How to Respond to Active Shooter Incidents in the Workplace
How to Respond to Active Shooter Incidents in the Workplace How to Respond to Active Shooter Incidents in the Workplace
How to Respond to Active Shooter Incidents in the Workplace G&A Partners
 
Ccw
CcwCcw
Ccwcortman121
 
Guerreirus Intro
Guerreirus IntroGuerreirus Intro
Guerreirus Introguerreirusgroup
 
Chapter Eight
Chapter EightChapter Eight
Chapter EightWilliam Harmening
 
Chapter Five
Chapter FiveChapter Five
Chapter FiveWilliam Harmening
 

Recomendados

IPv6 Threat Presentation
IPv6 Threat PresentationIPv6 Threat Presentation
IPv6 Threat Presentationjohnmcclure00
 
Thotcon 0x5 - Retroactive Wiretapping VPN over DNS
Thotcon 0x5 - Retroactive Wiretapping VPN over DNSThotcon 0x5 - Retroactive Wiretapping VPN over DNS
Thotcon 0x5 - Retroactive Wiretapping VPN over DNSJohn Bambenek
 
DNS Security
DNS SecurityDNS Security
DNS Securityjohnmcclure00
 
How to Respond to Active Shooter Incidents in the Workplace
How to Respond to Active Shooter Incidents in the Workplace How to Respond to Active Shooter Incidents in the Workplace
How to Respond to Active Shooter Incidents in the Workplace G&A Partners
 
Ccw
CcwCcw
Ccwcortman121
 
Guerreirus Intro
Guerreirus IntroGuerreirus Intro
Guerreirus Introguerreirusgroup
 
Chapter Eight
Chapter EightChapter Eight
Chapter EightWilliam Harmening
 
Chapter Five
Chapter FiveChapter Five
Chapter FiveWilliam Harmening
 
Dogmatic Close Quarter Battle (CQB)
Dogmatic Close Quarter Battle (CQB)Dogmatic Close Quarter Battle (CQB)
Dogmatic Close Quarter Battle (CQB)CQB TEAM
 
Immediate versus Limited Entries
Immediate versus Limited EntriesImmediate versus Limited Entries
Immediate versus Limited EntriesCQB TEAM
 
1 survival drill in NBC disaster
1 survival drill in NBC disaster1 survival drill in NBC disaster
1 survival drill in NBC disasterneeraj verma
 
Active Shooter Exercise Presentation, 2013 SCCLEA Conference
Active Shooter Exercise Presentation, 2013 SCCLEA ConferenceActive Shooter Exercise Presentation, 2013 SCCLEA Conference
Active Shooter Exercise Presentation, 2013 SCCLEA ConferenceMargolis Healy
 
Close quarters battle (cqb ).ppt
Close quarters battle (cqb ).pptClose quarters battle (cqb ).ppt
Close quarters battle (cqb ).pptjosecoco1
 
Threat assessment and the active shooter
Threat assessment and the active shooterThreat assessment and the active shooter
Threat assessment and the active shooterworkthreatgroup
 
Gates Toorcon X New School Information Gathering
Gates Toorcon X New School Information GatheringGates Toorcon X New School Information Gathering
Gates Toorcon X New School Information GatheringChris Gates
 
Toward an Identity Metasystem
Toward an Identity MetasystemToward an Identity Metasystem
Toward an Identity Metasystemdigitallibrary
 
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...CrowdStrike
 
Virtualization & the Cloud for Collaborate 2017
Virtualization & the Cloud for Collaborate 2017Virtualization & the Cloud for Collaborate 2017
Virtualization & the Cloud for Collaborate 2017Kellyn Pot'Vin-Gorman
 
Frontera распределенный робот для обхода веба в больших объемах / Александр С...
Frontera распределенный робот для обхода веба в больших объемах / Александр С...Frontera распределенный робот для обхода веба в больших объемах / Александр С...
Frontera распределенный робот для обхода веба в больших объемах / Александр С...Ontico
 
Peer-to-Peer Systems
Peer-to-Peer SystemsPeer-to-Peer Systems
Peer-to-Peer SystemsUwe Schmidt
 
Tim O'Reilly Mashup Camp 2008
Tim O'Reilly Mashup Camp 2008Tim O'Reilly Mashup Camp 2008
Tim O'Reilly Mashup Camp 2008Tim O'Reilly
 
Yahoo Pipes Middleware In The Cloud
Yahoo Pipes Middleware In The CloudYahoo Pipes Middleware In The Cloud
Yahoo Pipes Middleware In The CloudConSanFrancisco123
 
Just In Time Scalability Agile Methods To Support Massive Growth Presentation
Just In Time Scalability Agile Methods To Support Massive Growth PresentationJust In Time Scalability Agile Methods To Support Massive Growth Presentation
Just In Time Scalability Agile Methods To Support Massive Growth PresentationLong Nguyen
 
Static Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech FestStatic Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech FestDenim Group
 
Securing Rails
Securing RailsSecuring Rails
Securing RailsAlex Payne
 
Crouching Powerpoint, Hidden Trojan
Crouching Powerpoint, Hidden TrojanCrouching Powerpoint, Hidden Trojan
Crouching Powerpoint, Hidden Trojanguest17b7c7
 
Open Source History And Licenses (15 04 2009)
Open Source History And Licenses (15 04 2009)Open Source History And Licenses (15 04 2009)
Open Source History And Licenses (15 04 2009)Martin von Haller Groenbaek
 
Geobliki: A Platform For Emergency Response
Geobliki: A Platform For Emergency ResponseGeobliki: A Platform For Emergency Response
Geobliki: A Platform For Emergency ResponsePat Cappelaere
 
Phishing As Tragedy of the Commons
Phishing As Tragedy of the CommonsPhishing As Tragedy of the Commons
Phishing As Tragedy of the Commonsamiable_indian
 
Cisco IOS Attack & Defense - The State of the Art
Cisco IOS Attack & Defense - The State of the Art Cisco IOS Attack & Defense - The State of the Art
Cisco IOS Attack & Defense - The State of the Art amiable_indian
 

Mais conteúdo relacionado

Destaque

Dogmatic Close Quarter Battle (CQB)
Dogmatic Close Quarter Battle (CQB)Dogmatic Close Quarter Battle (CQB)
Dogmatic Close Quarter Battle (CQB)CQB TEAM
 
Immediate versus Limited Entries
Immediate versus Limited EntriesImmediate versus Limited Entries
Immediate versus Limited EntriesCQB TEAM
 
1 survival drill in NBC disaster
1 survival drill in NBC disaster1 survival drill in NBC disaster
1 survival drill in NBC disasterneeraj verma
 
Active Shooter Exercise Presentation, 2013 SCCLEA Conference
Active Shooter Exercise Presentation, 2013 SCCLEA ConferenceActive Shooter Exercise Presentation, 2013 SCCLEA Conference
Active Shooter Exercise Presentation, 2013 SCCLEA ConferenceMargolis Healy
 
Close quarters battle (cqb ).ppt
Close quarters battle (cqb ).pptClose quarters battle (cqb ).ppt
Close quarters battle (cqb ).pptjosecoco1
 
Threat assessment and the active shooter
Threat assessment and the active shooterThreat assessment and the active shooter
Threat assessment and the active shooterworkthreatgroup
 

Destaque (6)

Dogmatic Close Quarter Battle (CQB)
Dogmatic Close Quarter Battle (CQB)Dogmatic Close Quarter Battle (CQB)
Dogmatic Close Quarter Battle (CQB)
 
Immediate versus Limited Entries
Immediate versus Limited EntriesImmediate versus Limited Entries
Immediate versus Limited Entries
 
1 survival drill in NBC disaster
1 survival drill in NBC disaster1 survival drill in NBC disaster
1 survival drill in NBC disaster
 
Active Shooter Exercise Presentation, 2013 SCCLEA Conference
Active Shooter Exercise Presentation, 2013 SCCLEA ConferenceActive Shooter Exercise Presentation, 2013 SCCLEA Conference
Active Shooter Exercise Presentation, 2013 SCCLEA Conference
 
Close quarters battle (cqb ).ppt
Close quarters battle (cqb ).pptClose quarters battle (cqb ).ppt
Close quarters battle (cqb ).ppt
 
Threat assessment and the active shooter
Threat assessment and the active shooterThreat assessment and the active shooter
Threat assessment and the active shooter
 

Semelhante a Tactical Exploitation - hdm valsmith

Gates Toorcon X New School Information Gathering
Gates Toorcon X New School Information GatheringGates Toorcon X New School Information Gathering
Gates Toorcon X New School Information GatheringChris Gates
 
Toward an Identity Metasystem
Toward an Identity MetasystemToward an Identity Metasystem
Toward an Identity Metasystemdigitallibrary
 
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...CrowdStrike
 
Virtualization & the Cloud for Collaborate 2017
Virtualization & the Cloud for Collaborate 2017Virtualization & the Cloud for Collaborate 2017
Virtualization & the Cloud for Collaborate 2017Kellyn Pot'Vin-Gorman
 
Frontera распределенный робот для обхода веба в больших объемах / Александр С...
Frontera распределенный робот для обхода веба в больших объемах / Александр С...Frontera распределенный робот для обхода веба в больших объемах / Александр С...
Frontera распределенный робот для обхода веба в больших объемах / Александр С...Ontico
 
Peer-to-Peer Systems
Peer-to-Peer SystemsPeer-to-Peer Systems
Peer-to-Peer SystemsUwe Schmidt
 
Tim O'Reilly Mashup Camp 2008
Tim O'Reilly Mashup Camp 2008Tim O'Reilly Mashup Camp 2008
Tim O'Reilly Mashup Camp 2008Tim O'Reilly
 
Yahoo Pipes Middleware In The Cloud
Yahoo Pipes Middleware In The CloudYahoo Pipes Middleware In The Cloud
Yahoo Pipes Middleware In The CloudConSanFrancisco123
 
Just In Time Scalability Agile Methods To Support Massive Growth Presentation
Just In Time Scalability Agile Methods To Support Massive Growth PresentationJust In Time Scalability Agile Methods To Support Massive Growth Presentation
Just In Time Scalability Agile Methods To Support Massive Growth PresentationLong Nguyen
 
Static Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech FestStatic Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech FestDenim Group
 
Securing Rails
Securing RailsSecuring Rails
Securing RailsAlex Payne
 
Crouching Powerpoint, Hidden Trojan
Crouching Powerpoint, Hidden TrojanCrouching Powerpoint, Hidden Trojan
Crouching Powerpoint, Hidden Trojanguest17b7c7
 
Geobliki: A Platform For Emergency Response
Geobliki: A Platform For Emergency ResponseGeobliki: A Platform For Emergency Response
Geobliki: A Platform For Emergency ResponsePat Cappelaere
 

Semelhante a Tactical Exploitation - hdm valsmith (14)

Gates Toorcon X New School Information Gathering
Gates Toorcon X New School Information GatheringGates Toorcon X New School Information Gathering
Gates Toorcon X New School Information Gathering
 
Toward an Identity Metasystem
Toward an Identity MetasystemToward an Identity Metasystem
Toward an Identity Metasystem
 
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
 
Virtualization & the Cloud for Collaborate 2017
Virtualization & the Cloud for Collaborate 2017Virtualization & the Cloud for Collaborate 2017
Virtualization & the Cloud for Collaborate 2017
 
Frontera распределенный робот для обхода веба в больших объемах / Александр С...
Frontera распределенный робот для обхода веба в больших объемах / Александр С...Frontera распределенный робот для обхода веба в больших объемах / Александр С...
Frontera распределенный робот для обхода веба в больших объемах / Александр С...
 
Peer-to-Peer Systems
Peer-to-Peer SystemsPeer-to-Peer Systems
Peer-to-Peer Systems
 
Tim O'Reilly Mashup Camp 2008
Tim O'Reilly Mashup Camp 2008Tim O'Reilly Mashup Camp 2008
Tim O'Reilly Mashup Camp 2008
 
Yahoo Pipes Middleware In The Cloud
Yahoo Pipes Middleware In The CloudYahoo Pipes Middleware In The Cloud
Yahoo Pipes Middleware In The Cloud
 
Just In Time Scalability Agile Methods To Support Massive Growth Presentation
Just In Time Scalability Agile Methods To Support Massive Growth PresentationJust In Time Scalability Agile Methods To Support Massive Growth Presentation
Just In Time Scalability Agile Methods To Support Massive Growth Presentation
 
Static Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech FestStatic Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech Fest
 
Securing Rails
Securing RailsSecuring Rails
Securing Rails
 
Crouching Powerpoint, Hidden Trojan
Crouching Powerpoint, Hidden TrojanCrouching Powerpoint, Hidden Trojan
Crouching Powerpoint, Hidden Trojan
 
Open Source History And Licenses (15 04 2009)
Open Source History And Licenses (15 04 2009)Open Source History And Licenses (15 04 2009)
Open Source History And Licenses (15 04 2009)
 
Geobliki: A Platform For Emergency Response
Geobliki: A Platform For Emergency ResponseGeobliki: A Platform For Emergency Response
Geobliki: A Platform For Emergency Response
 

Mais de amiable_indian

Phishing As Tragedy of the Commons
Phishing As Tragedy of the CommonsPhishing As Tragedy of the Commons
Phishing As Tragedy of the Commonsamiable_indian
 
Cisco IOS Attack & Defense - The State of the Art
Cisco IOS Attack & Defense - The State of the Art Cisco IOS Attack & Defense - The State of the Art
Cisco IOS Attack & Defense - The State of the Art amiable_indian
 
Secrets of Top Pentesters
Secrets of Top PentestersSecrets of Top Pentesters
Secrets of Top Pentestersamiable_indian
 
Workshop on Wireless Security
Workshop on Wireless SecurityWorkshop on Wireless Security
Workshop on Wireless Securityamiable_indian
 
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...amiable_indian
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CDamiable_indian
 
Reverse Engineering for exploit writers
Reverse Engineering for exploit writersReverse Engineering for exploit writers
Reverse Engineering for exploit writersamiable_indian
 
State of Cyber Law in India
State of Cyber Law in IndiaState of Cyber Law in India
State of Cyber Law in Indiaamiable_indian
 
AntiSpam - Understanding the good, the bad and the ugly
AntiSpam - Understanding the good, the bad and the uglyAntiSpam - Understanding the good, the bad and the ugly
AntiSpam - Understanding the good, the bad and the uglyamiable_indian
 
Reverse Engineering v/s Secure Coding
Reverse Engineering v/s Secure CodingReverse Engineering v/s Secure Coding
Reverse Engineering v/s Secure Codingamiable_indian
 
Network Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons LearnedNetwork Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons Learnedamiable_indian
 
Economic offenses through Credit Card Frauds Dissected
Economic offenses through Credit Card Frauds DissectedEconomic offenses through Credit Card Frauds Dissected
Economic offenses through Credit Card Frauds Dissectedamiable_indian
 
Immune IT: Moving from Security to Immunity
Immune IT: Moving from Security to ImmunityImmune IT: Moving from Security to Immunity
Immune IT: Moving from Security to Immunityamiable_indian
 
Reverse Engineering for exploit writers
Reverse Engineering for exploit writersReverse Engineering for exploit writers
Reverse Engineering for exploit writersamiable_indian
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecuritiesamiable_indian
 
Web Exploit Finder Presentation
Web Exploit Finder PresentationWeb Exploit Finder Presentation
Web Exploit Finder Presentationamiable_indian
 
Network Security Data Visualization
Network Security Data VisualizationNetwork Security Data Visualization
Network Security Data Visualizationamiable_indian
 
Enhancing Computer Security via End-to-End Communication Visualization
Enhancing Computer Security via End-to-End Communication Visualization Enhancing Computer Security via End-to-End Communication Visualization
Enhancing Computer Security via End-to-End Communication Visualization amiable_indian
 
Top Network Vulnerabilities Over Time
Top Network Vulnerabilities Over TimeTop Network Vulnerabilities Over Time
Top Network Vulnerabilities Over Timeamiable_indian
 
What are the Business Security Metrics?
What are the Business Security Metrics? What are the Business Security Metrics?
What are the Business Security Metrics? amiable_indian
 

Mais de amiable_indian (20)

Phishing As Tragedy of the Commons
Phishing As Tragedy of the CommonsPhishing As Tragedy of the Commons
Phishing As Tragedy of the Commons
 
Cisco IOS Attack & Defense - The State of the Art
Cisco IOS Attack & Defense - The State of the Art Cisco IOS Attack & Defense - The State of the Art
Cisco IOS Attack & Defense - The State of the Art
 
Secrets of Top Pentesters
Secrets of Top PentestersSecrets of Top Pentesters
Secrets of Top Pentesters
 
Workshop on Wireless Security
Workshop on Wireless SecurityWorkshop on Wireless Security
Workshop on Wireless Security
 
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CD
 
Reverse Engineering for exploit writers
Reverse Engineering for exploit writersReverse Engineering for exploit writers
Reverse Engineering for exploit writers
 
State of Cyber Law in India
State of Cyber Law in IndiaState of Cyber Law in India
State of Cyber Law in India
 
AntiSpam - Understanding the good, the bad and the ugly
AntiSpam - Understanding the good, the bad and the uglyAntiSpam - Understanding the good, the bad and the ugly
AntiSpam - Understanding the good, the bad and the ugly
 
Reverse Engineering v/s Secure Coding
Reverse Engineering v/s Secure CodingReverse Engineering v/s Secure Coding
Reverse Engineering v/s Secure Coding
 
Network Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons LearnedNetwork Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons Learned
 
Economic offenses through Credit Card Frauds Dissected
Economic offenses through Credit Card Frauds DissectedEconomic offenses through Credit Card Frauds Dissected
Economic offenses through Credit Card Frauds Dissected
 
Immune IT: Moving from Security to Immunity
Immune IT: Moving from Security to ImmunityImmune IT: Moving from Security to Immunity
Immune IT: Moving from Security to Immunity
 
Reverse Engineering for exploit writers
Reverse Engineering for exploit writersReverse Engineering for exploit writers
Reverse Engineering for exploit writers
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
 
Web Exploit Finder Presentation
Web Exploit Finder PresentationWeb Exploit Finder Presentation
Web Exploit Finder Presentation
 
Network Security Data Visualization
Network Security Data VisualizationNetwork Security Data Visualization
Network Security Data Visualization
 
Enhancing Computer Security via End-to-End Communication Visualization
Enhancing Computer Security via End-to-End Communication Visualization Enhancing Computer Security via End-to-End Communication Visualization
Enhancing Computer Security via End-to-End Communication Visualization
 
Top Network Vulnerabilities Over Time
Top Network Vulnerabilities Over TimeTop Network Vulnerabilities Over Time
Top Network Vulnerabilities Over Time
 
What are the Business Security Metrics?
What are the Business Security Metrics? What are the Business Security Metrics?
What are the Business Security Metrics?
 

Último

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 

Último (20)

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 

Tactical Exploitation - hdm valsmith

  • 1. Tactical Exploitation “the other way to pen-test “ hdm / valsmith Black Hat USA 2007 Las Vegas – August 2007
  • 2. who are we ? H D Moore <hdm [at] metasploit.com> BreakingPoint Systems || Metasploit Valsmith <valsmith [at] metasploit.com> Offensive Computing || Metasploit Las Vegas – August 2007
  • 3. why listen ? A different approach to pwning • Lots of fun techniques, new tools • Real-world tested ;-) • Las Vegas – August 2007
  • 4. what do we cover ? Target profiling • Discovery tools and techniques • Exploitation • Getting you remote access • Las Vegas – August 2007
  • 5. the tactical approach Vulnerabilites are transient • Target the applications • Target the processes • Target the people • Target the trusts • You WILL gain access. • Las Vegas – August 2007
  • 6. the tactical approach Crackers are opportunists • Expand the scope of your tests • Everything is fair game • What you dont test... • Someone else will! • Las Vegas – August 2007
  • 7. the tactical approach Hacking is not about exploits • The target is the data, not r00t • Hacking is using what you have • Passwords, trust relationships • Service hijacking, auth tickets • Las Vegas – August 2007
  • 8. personnel discovery Security is a people problem • People write your software • People secure your network • Identify the meatware first • Las Vegas – August 2007
  • 9. personnel discovery Identifying the meatware • • Google • Newsgroups SensePost tools • Evolution from Paterva.com • Las Vegas – August 2007
  • 10. personnel discovery These tools give us • Full names, usernames, email • Employment history • Phone numbers • Personal sites • Las Vegas – August 2007
  • 12. personnel discovery Started with company and jobs • Found online personnel directory • Found people with access to data • Found resumes, email addresses • Email name = username = target • Las Vegas – August 2007
  • 13. personnel discovery Joe Targetstein • Works as lead engineer in semiconductor department • Email address joet@company.com • Old newsgroup postings show • joet@joesbox.company.com Now we have username and a host to target to go • after semi conductor information Las Vegas – August 2007
  • 14. network discovery Identify your target assets • Find unknown networks • Find third-party hosts • Dozens of great tools... • Lets stick to the less-known ones • Las Vegas – August 2007
  • 15. network discovery The overused old busted • Whois, Google, zone transfers • Reverse DNS lookups • Las Vegas – August 2007
  • 16. network discovery The shiny new hotness • Other people's services • CentralOps.net, DigitalPoint.com • DomainTools.com • Paterva.com • Las Vegas – August 2007
  • 17. network discovery DomainTools vs Defcon.org • 1. Darktangent.net 0 listings0 listings0 listings 2. Defcon.net 0 listings0 listings0 listings 3. Defcon.org 1 listings18 listings 1 listings 4. Hackerjeopardy.com 0 listings0 listings0 listings 5. Hackerpoetry.com0 listings0 listings0 listings 6. Thedarktangent.com 0 listings0 listings0 listings 7. Thedarktangent.net 0 listings0 listings0 listings 8. Thedarktangent.org 0 listings0 listings0 listings Las Vegas – August 2007
  • 18. network discovery DomainTools vs Defcon.net • 1. 0day.com 0 listings0 listings0 listings • 2. 0day.net 0 listings0 listings0 listings • 3. Darktangent.org 0 listings0 listings0 listings • [ snipped personal domains ] 12. Securityzen.com 0 listings0 listings0 listings • 13. Zeroday.com 0 listings0 listings0 listings • Las Vegas – August 2007
  • 19. network discovery What does this get us? • Proxied DNS probes, transfers • List of virtual hosts for each IP • Port scans, traceroutes, etc • Gold mine of related info • Las Vegas – August 2007
  • 20. network discovery Active discovery techniques • Trigger SMTP bounces • Brute force HTTP vhosts • Watch outbound DNS • Just email the users! • Las Vegas – August 2007
  • 21. network discovery Received: from unknown (HELO gateway1.rsasecurity.com) (216.162.240.250) by [censored] with SMTP; 28 Jun 2007 15:11:29 -0500 Received: from hyperion.rsasecurity.com by gateway1.rsasecurity.com via smtpd (for [censored]. [xxx.xxx.xxx.xxx]) with SMTP; Thu, 28 Jun 2007 16:11:29 -0400 by hyperion.na.rsa.net (MOS 3.8.3-GA) To: user@[censored] Subject: Returned mail: User unknown (from [10.100.8.152]) Las Vegas – August 2007
  • 22. application discovery If the network is the toast... • Applications are the butter. • Each app is an entry point • Finding these apps is the trick • Las Vegas – August 2007
  • 23. application discovery Tons of great tools • Nmap, Amap, Nikto, Nessus • Commercial tools • Las Vegas – August 2007
  • 24. application discovery Slow and steady wins the deface • Scan for specific port, one port only • IDS/IPS can't handle slow scans • Ex. nmap -sS -P0 -T 0 -p 1433 ips • Las Vegas – August 2007
  • 25. application discovery Example target had custom IDS to • detect large # of host connections Standard nmap lit up IDS like XMAS • One port slow scan never detected • Know OS based on 1 port (139/22) • Las Vegas – August 2007
  • 26. application discovery Target had internal app for software licensing / • distribution ~10,000 nodes had app installed • A couple of hours with IDA/Ollydbg showed • static Admin password in app's memory All accessible nodes owned, 0 exploits used • Las Vegas – August 2007
  • 27. application discovery Web Application Attack and Audit • Framework • W3AF: “Metasploit for the web” Metasploit 3 scanning modules • • Scanning mixin Las Vegas – August 2007
  • 28. application discovery DEMO Las Vegas – August 2007
  • 29. client app discovery Client applications are fun! • Almost always exploitable • Easy to fingerprint remotely • Your last-chance entrance • Las Vegas – August 2007
  • 30. client app discovery Common probe methods • Mail links to the targets • Review exposed web logs • Send MDNs to specific victims • Abuse all, everyone, team aliases • Las Vegas – August 2007
  • 31. process discovery Track what your target does • Activity via IP ID counters • Last-modified headers • FTP server statistics • Las Vegas – August 2007
  • 32. process discovery Look for patterns of activity • Large IP ID increments at night • FTP stats at certain times • Microsoft FTP SITE STATS • Web pages being uploaded • Check timestamps on images • Las Vegas – August 2007
  • 33. process discovery Existing tools? • None, really... • Easy to script • • Use “hping” for IP ID tracking • Use netcat for SITE STATS Las Vegas – August 2007
  • 34. process discovery ABOR : 2138 NOOP : 147379 SIZE : 76980 ACCT : 2 OPTS : 21756 SMNT : 16 ALLO : 32 PASS : 2050555100 STAT : 30812 APPE : 74 PASV : 2674909 STOR : 3035 CDUP : 5664 PORT : 786581 STRU : 3299 CWD : 388634 PWD : 179852 SYST : 175579 DELE : 1910 QUIT : 143771 TYPE : 3038879 FEAT : 2970 REIN : 16 USER : 2050654280 HELP : 470 REST : 31684 XCWD : 67 LIST : 3228866 RETR : 153140 XMKD : 12 MDTM : 49070 RMD : 41 XPWD : 1401 MKD : 870 RNFR : 58 XRMD : 2 MODE : 3938 RNTO : 2 NLST : 1492 SITE : 2048 ftp.microsoft.com [node] SITE STATS / Uptime: 47 days Las Vegas – August 2007
  • 35. process discovery << backups run at midnight USA people wake up >> IP ID Monitoring / HACKER.COM Las Vegas – August 2007
  • 36. 15 Minute Break Come back for the exploits! • Las Vegas – August 2007
  • 37. re-introduction In our last session... • Discovery techniques and tools • In this session... • • Compromising systems! Las Vegas – August 2007
  • 38. external network The crunchy candy shell • Exposed hosts and services • VPN and proxy services • Client-initiated sessions • Las Vegas – August 2007
  • 39. attacking ftp transfers Active FTP transfers • Clients often expose data ports • NAT + Active FTP = Firewall Hole • Passive FTP transfers • Data port hijacking: DoS at least • pasvagg.pl still works just fine :-) • Las Vegas – August 2007
  • 40. attacking web servers Brute force vhosts, files, dirs • http://www.cray.com/old/ • Source control files left in root • http://www.zachsong.com/CVS/Entries • Las Vegas – August 2007
  • 41. attacking web servers Apache Reverse Proxying • GET /%00 HTTP/1.1 Host: realhost.com Apache Dynamic Virtual Hosting • GET / HTTP/1.1 Host: %00/ Las Vegas – August 2007
  • 42. load balancers Cause load balancer to “leak” • internal IP information Use TCP half-close HTTP request • Alteon ACEdirector good example • Las Vegas – August 2007
  • 43. load balancers ACEdirector mishandles TCP half- • close requests • Behavior can be used as signature • for existence of Load Balancer • Direct packets from real webserver • fowarded back to client (with IP) Las Vegas – August 2007
  • 44. cgi case study Web Host with 1000's of sites • Had demo CGI for customers • CGI had directory traversal • www.host.com/cgi-bin/vuln.pl/../../cgi • CGI executable + writable on every • directory Common on web hosts! • • Las Vegas – August 2007
  • 45. cgi case study Enumerated: • • Usernames • Dirs • Backup files • Other CGI scripts • VHOSTS Las Vegas – August 2007
  • 46. cgi case study Target happened to run solaris • • Solaris treats dirs as files • cat /dirname = ls /dirname http://www.host.com/cgi-bin/vuln.cgi/../../../../dirname%00.html • Las Vegas – August 2007
  • 47. cgi case study Found CGI script names • Googled for vulns • Gained shell 100's of different ways • Owned due to variety of layered • configuration issues Las Vegas – August 2007
  • 48. attacking dns servers Brute force host names • XID sequence analysis • • BIND 9: PRNG / Birthday • VxWorks: XID = XID + 1 Return extra answers in response • Las Vegas – August 2007
  • 49. authentication relays SMB/CIFS clients are fun! • Steal hashes, redirect, MITM • NTLM relay between protocols • SMB/HTTP/SMTP/POP3/IMAP • More on this later... • Las Vegas – August 2007
  • 50. social engineering Give away free toys • CDROMs, USB keys, N800s • Replace UPS with OpenWRT • Cheap and easy to make • Las Vegas – August 2007
  • 51. internal network The soft chewy center • This is the fun part :) • Easy to trick clients • Las Vegas – August 2007
  • 52. netbios services NetBIOS names are magic • • WPAD • CALICENSE Las Vegas – August 2007
  • 53. dns services Microsoft DNS + DHCP = fun • • Inject host names into DNS • Hijack the entire network dhcpcd -h WPAD -i eth0 • Las Vegas – August 2007
  • 54. Hijacking NTLM Quickly own all local workstations • Gain access to mail and web sites • A new twist on “smbrelay2.cpp” • Yes, it was released in 2001. • Now implemented in Metasploit 3 • Las Vegas – August 2007
  • 55. Hijacking NTLM 1. MITM all outbound web traffic Cache poison the “WPAD” host • Plain old ARP spoofing • DHCP / NetBIOS + “WPAD” • Run a rogue WiFi access point • Manipulate TOR connections • Las Vegas – August 2007
  • 56. Hijacking NTLM 2. Redirect HTTP requests to “intranet” WPAD + SOCKS server • SQUID + transparent proxying • 302 Redirect • Las Vegas – August 2007
  • 57. Hijacking NTLM 3. Return HTML page with UNC link IE 5/6/7: <img src=”ipsharei.jpg”> • Firefox: mozicon-url:file:////ip/share/i.jpg • Third-party plugins: • Adobe PDF Viewer • Windows Media Player • Microsoft Office • Las Vegas – August 2007
  • 58. Hijacking NTLM 4. Accept SMB connection and relay Accept connection from the client • Connect to the target server (or client) • Ask target for Challenge Key • Provide this Key to the client • Allow the client to authenticate • Las Vegas – August 2007
  • 59. Hijacking NTLM 5. Executing remote code Disconnect the client • Use authenticated session • • ADMIN$ + Service Control Manager • Access data, call RPC routines, etc • Access the remote registry Las Vegas – August 2007
  • 60. Hijacking NTLM DEMO Las Vegas – August 2007
  • 61. file servers “NAS appliances are safe and secure” • Don't worry, the vendor sure doesn't • Unpatched Samba daemons • • Snap, TeraServer, OS X, etc. Inconsistent file permissions • AFP vs NFS vs SMB • Las Vegas – August 2007
  • 62. samba is awesome 1999 called, want their bugs back • Remember those scary “NULL Sessions” • Samba ENUM / SID2USR user listing • Massive information leaks via DCERPC • • Shares, Users, Policies • Brute force accounts (no lockout) Las Vegas – August 2007
  • 63. smb case study Old bugs back to haunt new boxes • Found OS X Box running SMB • User sent mail touting OS X sec • Previous scans had found vulns • User: “false positive, its OS X” • Us: “Owned” • Las Vegas – August 2007
  • 64. smb case study Performed Null Session • net use osxsmbipc$ “” /user:”” • Enumerated users and shares • • Brute forced several user accounts • Got shell, escalated to root • User: “but . .but . . its OS X!” Las Vegas – August 2007
  • 65. samba vs metasploit Metasploit modules for Samba • Linux (vSyscall + Targets) • Mac OS X (PPC/x86) • Solaris (SPARC,x86) • Auxiliary PoCs • Las Vegas – August 2007
  • 66. nfs services NFS is your friend • Dont forget its easy cousin NIS • Scan for port 111 / 2049 • showmount -e / showmount -a • Whats exported, whose mounting? • Las Vegas – August 2007
  • 67. nfs services Exported NFS home directories • Important target! • If you get control • Own every node that mounts it • Las Vegas – August 2007
  • 68. nfs services If you are root on home server • Become anyone (NIS/su) • Harvest known_hosts files • Harvest allowed_keys • Modify .login, etc. + insert trojans • Las Vegas – August 2007
  • 69. nfs services Software distro servers are fun! • All nodes access over NFS • Write to software distro directories • Trojan every node at once • No exploits needed! • Las Vegas – August 2007
  • 70. file services Example: all nodes were diskless / patched • Clients got software from NFS server • We hacked the software server • Using trust hijacking explained later • Inserted trojaned gnu binaries • 1000's of nodes sent us shells • Las Vegas – August 2007
  • 71. trust relationships The target is unavailable to YOU • Not to another host you can reach... • Networks may not trust everyone • But they often trust each other :) • • Las Vegas – August 2007
  • 72. trusts Deal with firewalls/TCP wrappers/ACLs • Find a node that is accepted and own it • People wrapper Unix and leave Windows • open Hack the Windows box and port forward • past wrappers Las Vegas – August 2007
  • 73. trusts Example: Mixed network with Unix • wrapperd Target Solaris homedir server • Had auth credentials but couldn't reach • port 22 Found 1 vulnerable win box , owned / • installed portfworward to homedir port 22 • Las Vegas – August 2007
  • 74. Hijacking SSH Idea is to abuse legitimate users access • over SSH If user can access other systems, why • can't you? (even without users password) One time passwords? No problem! • Intel gathering • Las Vegas – August 2007
  • 75. Hijacking SSH Available tools • Metalstorm ssh hijacking • • Trojaned ssh clients • SSH master modes Dont for get TTY hijacking • Appcap • • TTYWatcher Who suspects a dead SSH session? • Las Vegas – August 2007
  • 76. Hijacking SSH DEMO Las Vegas – August 2007
  • 77. Hijacking Kerberos Kerberos is great for one time • authentication . . even for hackers Idea is to become a user and hijack • kerberos tickets Gain access to other trusted nodes • • Las Vegas – August 2007
  • 78. Hijacking Kerberos DEMO Las Vegas – August 2007
  • 79. Conclusion Compromise a “secure” network • Determination + creativity wins • Tools cannot replace talent. • Las Vegas – August 2007