SlideShare a Scribd company logo

DERBYCON 2012: Pen Testing from a Hot Tub Time Machine

Chris Gates
Chris Gates

This presentation discusses penetration testing techniques from an unconventional perspective. It advocates for intelligence gathering and footprinting before scanning or exploitation to have a more effective assessment. Specific techniques discussed include using open source intelligence gathering on internal and external systems to develop profiles and target lists. Footprinting activities within the network focus on enumeration of users, shares, services and other details to identify vulnerable systems rather than broad scanning. The presentation provides examples of exploiting old vulnerabilities in applications like Citrix and weaknesses in administration interfaces. It emphasizes continuing post-exploitation activities like privilege escalation and lateral movement within compromised systems to fully evaluate security.

Technology
1 of 74
DERBYCON 2012 PENETRATION TESTING FROM A HOT TUB TIME MACHINE Presented by: Eric Smith Chris Gates
ABOUT US • Senior Partners – LARES Consulting • Penetration Testers • Professional Unicorn Hunters • Mostly trouble makers • Twitter • Chris Gates: @carnal0wnage • Eric Smith: @infosecmafia • Blog • carnal0wnage.attackresearch.com
DISCLAIMER • Not releasing 0days, not releasing tools • Zero exploits will be shown • Not demoing lab projects that fail IRL • Security isn’t that sexy • This is not a demo of MS08-067 • 1 part flashback + 2 parts reminder
MOTIVATION • We see a lot of dirty/scary/shocking <adjective> • Corporations are NOT getting better over time • Penetration testers ARE getting lazier over time • Basic shit gets you owned, if you don’t test it, others will eventually • Stop with smoke and mirrors to sell your value. RESULTS sell value • Step away from the scan + exploit mentality
NEWS FLASH: 0-DAYS DON’T MATTER! • I <3 0day, why? • It keeps people on edge! • BUT • 0days never seem to f* work IRL, well 1 days do - Maybe • If its in an exploit framework then AV is blocking it. THAT they are actually good at. • If I had a (good) 0day I wouldn’t waste it on a pen-test • 0days provide ZERO value to your client
REALITY CHECK • Good hackers don’t use expensive vulnerability scanners • Good hackers don’t use automated penetration testing • Attackers don’t have a scope or timeframes • Attackers don’t stop after first successful exploit
TODAY’S UGLY METHODOLOGY Collect Intel Scan Exploit Report
THE RIGHT WAY TO DO IT Intelligence Gathering Foot printing Vulnerability Analysis Exploitation Post- Exploitation Clean Up www.pentest-standard.org
OSINT: OPEN SOURCE INTELLIGENCE GATHERING • Often excluded from penetration testing • It’s the easiest way to learn about your target w/o being detected • Hackers do it, so should you • Profiling will expedite your chances for success • Basis to formulate your own attack matrix
OSINT VALUE • It’s free! • Someone/Something else already did most of it for you • Develop a Process/Methodology == Habit • Do it EVERY time: *Unicorns* show up occasionally. You can’t take the attitude that “I'll never find/see X” • Put eyes on EVERYTHING! • Don't rely on $OSINT-tool to tell you what’s important • Don’t rely on $scanner to tell you what’s vulnerable
OSINT - EXTERNAL • Support Tools • Harvester, FOCA, Shodan, Maltego, Deep Magic • Metasploit Auxiliary Modules • Nmap scripts (NSE) • Roll your own (ruby, python, bash) • No substitute for your eyes and brain • Is information X important or not? • How can it be applied throughout an engagement? • What’s the value and potential damage of the Intel?
OSINT - EXTERNAL Harvester
OSINT -- EXTERNAL • FOCA (network)
OSINT -- EXTERNAL • FOCA (document metadata)
OSINT -- EXTERNAL • Maltego Radium • New addition is “Machines” to automate common tasks • Like various levels of foot printing
OSINT -- EXTERNAL • Maltego Radium
OSINT -- EXTERNAL • Shodan
OSINT -- EXTERNAL • Deep Magic
OSINT -- EXTERNAL • Metasploit Auxiliary Modules • Email Enumeration • DNS enumeration • SMTP • Etc…
OSINT -- EXTERNAL • Neat examples of network level stuff user@ubuntu:~$ host -t MX domain.net domain.net mail is handled by 10 barracuda01.domain.net. domain.net mail is handled by 10 barracuda02.domain.net. • Zone Transfers • Rare but still pop up • Reveal authentication portals, system role, additional IP space
OSINT -- EXTERNAL • You need to put eyes on everything! • SVN/CVS repos – usernames/file access/source code/passwords/keys • Directory listing – info leakage – credentials, etc. • Internal IP leakage – useful later during compromise, targeted attacks • Send bounce email – get internal IPs, server names, system type, etc. • Eyes on everything + Default passwords ==
OSINT -- EXTERNAL
OSINT -- EXTERNAL • LinkedIN • See my talk from yesterday  • New Hires – EXCELLENT targets • Minimal training • Weaker Passwords – Changme1[23], Welcome1[23]] • Unfamiliar with personnel, policies and procedures
OSINT -- EXTERNAL • jigsaw.rb • https://github.com/pentestgeek/jigsaw
OSINT -- EXTERNAL • Jigsaw.rb
OSINT -- EXTERNAL • Using this information to insert foot in ass • How many of you check to see if you can validate emails via the target’s email servers? • Pro-Tip  the msf module for this is jacked
OSINT -- EXTERNAL Validated
OSINT – DESIRED RESULTS • Attack/Threat Matrix • IP Ranges/Host names • Authentication Portals and Types • Username/Email List • Contact Information/Geo Data • Credentials (possible) • The list is endless…
OSINT -- INTERNAL • Just as important as external profiling • Follow a repeatable methodology/develop a habit • Prioritize the value of your targets and task lists • Intel from external OSINT applies to internal systems (file server names, usernames, etc.) • DHCP leases, DNS zone xfer/lookups, packet captures, ARP, etc.
ATTACK TIME!
SMART BRUTE FORCING • Throw away the 600MB dictionary files • You will most likely lock accounts if you blow your wad • Build a generic accounts list • Take old SAM files, pull out common names • Build a generic account list • Lucky punches are common • Invoices/invoices, training/training, helpdesk/helpdesk • Go build your own  • Space out your runs. 2-3 passwords every few hours. • Smarter Passwords – Welcome1[23], Password1[23], Summer12, Company1[23] • CeWL – Custom Wordlist Generator – Robin Wood • Use your intelligence from OSINT activities
OWA BRUTING • Tons of ways to do it but they all have limitations • Owabf.py • Wmat – custom pattern files • Metasploit auxiliary module • Burp Intruder • PRO TIP: Cookie needs to be reset after a successful login • Major Content Length change = successful login
OWA GAL DUMPING • Useful if you land a weak password and want to try it on more users • OWA 2007 and older have the GAL available for downloading (sometimes) • OWA 2010 requires another step: <params><canary>9f2202c7807a47c0820abb316d58b3b9</canary><St><ADVL VS sId="YqPmr+NBl0eJUY0tnMEtqA==" mL="1" sC="52" sO="0" cki="BxMAAA==" ckii="87" clcid="1033" cPfdDC="dc02.FOO.LOCAL"/></St><SR>4000</SR><RC>100</RC></params> uri="sip:owned@foo.net"></div>
LOTUS NOTES BRUTING • Penetration Tester’s WET DREAM • Names.nsf == GOLD! • Since forever Lotus Notes has suffered from hash disclosure via one account • Tons of ways to do it but they all have limitations • Metasploit auxiliary module • Domino Hunter script • Nmap NSE script • Burp Intruder • JtR hash cracking – dominosec/lotus5
CITRIX ACCESS • Published Application Enumeration • IP address/System name enumeration • Username enumeration (sometimes) • Burp Intruder • Other tools: • Metasploit auxillary modules • Nmap NSE scripts • Defcon 10: Citrix PA Scan/Proxy • Citrix Access Gateway software – ICA creation
CITRIX – APPLICATION BREAKOUT • One published application is usually all you need • Old tricks still work • File open – force browse %SYSTEMROOT% • Help file – search • Unknown file type – open with – explorer • IKAT • See old talks on Citrix for refresher 
CITRIX – NEW(ER) DIRTY SECRETS • System Information – File Open • Explorer -> mmc.exe • Remote manage system • Add local administrator account • Remote Desktop access • Drop binary -> exploit -> pivot -> ….
CITRIX – MMC
CITRIX – MMC SEXINESS
CITRIX – MMC PWNED
SSL VPN BRUTE FORCING • If its single factor its worth doing SMART brute forcing
VPN PRIVILEGES • 9/10 times the VPN drops you right on the network with everyone else • This effectively bypasses NAC and everything else you implemented
FILE UPLOAD • WebDav • HTTP METHOD Abuse (PUT/DELETE) • RFI/LFI • The List goes on…
EXPOSED SERVICES – ADMIN INTERFACES • Admin Interfaces listening on random ports can be gold. • Finding them amongst all the crap can be challenging. • Possible Methodology • Nmap your range • Import into metasploit • Use the db_ searches to pull out all hosts you want • Some ruby to make them into a piece of html • Use linky to open everything
EXPOSED SERVICES – ADMIN INTERFACES
EXPOSED SERVICES – ADMIN INTERFACES • msf > services -o /tmp/demo.csv
EXPOSED SERVICES – ADMIN INTERFACES • Ruby
EXPOSED SERVICES – ADMIN INTERFACES • Linky
EXPOSED SERVICES – ADMIN INTERFACES
EXPOSED SERVICES – ADMIN INTERFACES
JUNIPER SECRET QUESTION BYPASS • Is the below a dead end or a way in?
JUNIPER SECRET QUESTION BYPASS • Is the below a dead end or a way in? • How about now?
SHAREPOINT VALUE • Misconfigured SharePoint can be *really* useful • User/Domain Enumeration • Access to useful files • Authenticated access to SharePoint is *always* useful • That’s really another talk…but its mint • Go ask Nickerson
SHAREPOINT INTEL HUNTING • Stach and Liu’s SharePoint Diggity tools • http://www.stachliu.com/resources/tools/sharepoint-hacking-diggity-project/ • Roll your own • http://code.google.com/p/fuzzdb/source/browse/trunk/Discovery/PredictableRes/Sharepoin t.fuzz.txt
SHAREPOINT • Open Access
SHAREPOINT • User Enumeration
SHAREPOINT • Can (ab)use web services calls to get account info
INTERNAL PWNAGE • Now what? • If you think you are done. You’ve missed the point!
DOMAIN ENUMERATION (OLD SCHOOL) • Ipconfig/ifconfig • Tells you: • Dual homed? • Ipv6? • Domain Controllers/Domain Name(s) • Net commands • Still works most of the time • Disabled? Use dsquery/dsget • Internal Zone Transfers
DOMAIN ENUMERATION (NEW SCHOOL) • Mubix’s netview
DOMAIN ENUMERATION • Subnets with DC’s are usually the server / production subnets • You at least have a quick starting point for looking for low hanging fruit. • Net view /domain:DOMAINNAME • Dsquery/dsget • Windows server • dsquery * -scope subtree -attr "cn" "operatingSystem" "operatingSystemServicePack" -filter "(&(objectclass=computer)(objectcategory=computer)(operatingSystem=Windows Server*))" -limit 0 > mylist.txt • Window XP • dsquery * -scope subtree -attr "cn" "operatingSystem" "operatingSystemServicePack" -filter "(&(objectclass=computer)(objectcategory=computer)(operatingSystem=Windows XP*))" -limit 0 > mylist.txt
USER ENUMERATION • Net commands • Net user /domain • Dsquery | dsget • List users and comments • dsquery user “DC=company,DC=NET" -limit 0 | dsget user -samid -display -desc > company-user-and-comments.txt • Metasploit Aux modules • use auxiliary/scanner/smb/smb_enumusers • use auxiliary/scanner/smb/smb_enumusers_domain • Cain still works great • Plus gives you nuggets of gold like…
USER COMMENT FIELDS
OPEN NFS SHARES • Exported home directories • Server names • Usernames • Passwords? • Backup files • Showmount -e
OPEN SMB SHARES • You have to look in them to find useful stuff • Scanner wont tell you that documentX is important • Metasploit • use auxiliary/scanner/smb/smb_enumshares • Enum.exe • Loose permissions on file servers • World readable user home directories on SAN/NAS devices
FILE MOVEMENT • Clipboard/Buffer • Remote Desktop • Network mapped drives • External drop sites • WebDAV file server • BITS
MSSQL ENUMERATION • OSQL -L
MSSQL msf auxiliary(mssql_ping) > run [*] SQL Server information for 172.30.0.70: [+] ServerName = RBRLIVE12 [+] InstanceName = MSSQLSERVER [+] IsClustered = No [+] Version = 8.00.194 [+] tcp = 1433 [+] np = RBRLIVE12pipesqlquery [*] SQL Server information for 172.30.0.162: [+] ServerName = LOGISTICS02 [+] InstanceName = SQL1 [*] SQL Server information for 172.30.0.185: [+] ServerName = RBRLIVE11
ORACLE • Outdated Oracle on Windows can yield shell • Can be difficult to get it to play nice with metasploit • Isqlplus doesn’t honor routes in metasploit
QUICK ELEVATION • Group Policy Preference Exploit • Metasploit Post Module • Post/windows/gather/credentials/gpp • Domain users part of local administrator group • Similar usernames with Domain Admin accounts • Password reuse
INTERNAL PWNAGE RECAP • Resist the urge to scan all things • Use OSINT and enumeration to your advantage • DHCP leases are awesome • Dns zone xfer – what do we learn again from external slides? • Dig/nslookup domains – reveal server subnets, system naming convention, system role, etc • Dsquery examples • Enumeration against systems (enum.exe, dsquery, cain, msf aux, etc) • NetBIOS never left
INTERNAL PWNAGE RECAP • Active Directory comment fields • SQL enumeration (Cain, dsquery, sqlrecon, msf aux) • Be smart about SA account (blank, password, SA, etc.) and lockouts • Terminal Servers enumeration (Cain, dsquery) • NFS shares/mounts/info leakage (files, users, server names, etc) • SVN/CVS entries – access to source code – web.config files – immediate access • SharePoint – basic user/weak permissions/easy searchable for info to elevate/backups • Citrix access with basic user – great way to elevate (shown during external slides) • File servers – weak permissions/easy searching for “password” files, ssh keys, home directories, etc.
POOR MAN’S PERSISTENCE • Sticky keys / magnifier • Cat passwords.txt • Cisco PCF file • VPN/GRE Tunnel • All user’s startup • Pasword1 
THE DOCTOR IS IN • Are you positive your last assessment was accurate? • Password auditing • Data discovery/classification • System hardening • Segmentation • Egress filtering • Least privilege models

Recommended

Top Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions TodayTop Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions TodayChris Gates
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class Chris Gates
 
Lares from LOW to PWNED
Lares from LOW to PWNEDLares from LOW to PWNED
Lares from LOW to PWNEDChris Gates
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2Chris Gates
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...Chris Gates
 
Entomology 101
Entomology 101Entomology 101
Entomology 101snyff
 
Owasp tds
Owasp tdsOwasp tds
Owasp tdssnyff
 

Recommended

Top Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions TodayTop Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions TodayChris Gates
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class Chris Gates
 
Lares from LOW to PWNED
Lares from LOW to PWNEDLares from LOW to PWNED
Lares from LOW to PWNEDChris Gates
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2Chris Gates
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...Chris Gates
 
Entomology 101
Entomology 101Entomology 101
Entomology 101snyff
 
Owasp tds
Owasp tdsOwasp tds
Owasp tdssnyff
 
Offensive Python for Pentesting
Offensive Python for PentestingOffensive Python for Pentesting
Offensive Python for PentestingMike Felch
 
Is code review the solution?
Is code review the solution?Is code review the solution?
Is code review the solution?Tiago Mendo
 
Visiting the Bear Den
Visiting the Bear DenVisiting the Bear Den
Visiting the Bear DenESET
 
Weaponizing Recon - Smashing Applications for Security Vulnerabilities & Profits
Weaponizing Recon - Smashing Applications for Security Vulnerabilities & ProfitsWeaponizing Recon - Smashing Applications for Security Vulnerabilities & Profits
Weaponizing Recon - Smashing Applications for Security Vulnerabilities & ProfitsHarsh Bothra
 
Red Team Tactics for Cracking the GSuite Perimeter
Red Team Tactics for Cracking the GSuite PerimeterRed Team Tactics for Cracking the GSuite Perimeter
Red Team Tactics for Cracking the GSuite PerimeterMike Felch
 
BSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be HuntedBSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be HuntedAlex Davies
 
Entrepreneurship for hackers
Entrepreneurship for hackersEntrepreneurship for hackers
Entrepreneurship for hackerssnyff
 
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1Michael Gough
 
Web security for developers
Web security for developersWeb security for developers
Web security for developersSunny Neo
 
You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0Michael Gough
 
Owning windows 8 with human interface devices
Owning windows 8 with human interface devicesOwning windows 8 with human interface devices
Owning windows 8 with human interface devicesNikhil Mittal
 
DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1Michael Gough
 
Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Michael Gough
 
Oscp preparation
Oscp preparationOscp preparation
Oscp preparationManich Koomsusi
 
TeelTech - Advancing Mobile Device Forensics (online version)
TeelTech - Advancing Mobile Device Forensics (online version)TeelTech - Advancing Mobile Device Forensics (online version)
TeelTech - Advancing Mobile Device Forensics (online version)Mike Felch
 
Started In Security Now I'm Here
Started In Security Now I'm HereStarted In Security Now I'm Here
Started In Security Now I'm HereChristopher Grayson
 
Windows Incident Response is hard, but doesn't have to be
Windows Incident Response is hard, but doesn't have to beWindows Incident Response is hard, but doesn't have to be
Windows Incident Response is hard, but doesn't have to beMichael Gough
 
Advanced SQL Injection Attack & Defenses
Advanced SQL Injection Attack & DefensesAdvanced SQL Injection Attack & Defenses
Advanced SQL Injection Attack & DefensesTiago Mendo
 
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015CODE BLUE
 
More fun using Kautilya
More fun using KautilyaMore fun using Kautilya
More fun using KautilyaNikhil Mittal
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysJoff Thyer
 
Pentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 EditionPentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 EditionBeau Bullock
 

More Related Content

What's hot

Offensive Python for Pentesting
Offensive Python for PentestingOffensive Python for Pentesting
Offensive Python for PentestingMike Felch
 
Is code review the solution?
Is code review the solution?Is code review the solution?
Is code review the solution?Tiago Mendo
 
Visiting the Bear Den
Visiting the Bear DenVisiting the Bear Den
Visiting the Bear DenESET
 
Weaponizing Recon - Smashing Applications for Security Vulnerabilities & Profits
Weaponizing Recon - Smashing Applications for Security Vulnerabilities & ProfitsWeaponizing Recon - Smashing Applications for Security Vulnerabilities & Profits
Weaponizing Recon - Smashing Applications for Security Vulnerabilities & ProfitsHarsh Bothra
 
Red Team Tactics for Cracking the GSuite Perimeter
Red Team Tactics for Cracking the GSuite PerimeterRed Team Tactics for Cracking the GSuite Perimeter
Red Team Tactics for Cracking the GSuite PerimeterMike Felch
 
BSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be HuntedBSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be HuntedAlex Davies
 
Entrepreneurship for hackers
Entrepreneurship for hackersEntrepreneurship for hackers
Entrepreneurship for hackerssnyff
 
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1Michael Gough
 
Web security for developers
Web security for developersWeb security for developers
Web security for developersSunny Neo
 
You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0Michael Gough
 
Owning windows 8 with human interface devices
Owning windows 8 with human interface devicesOwning windows 8 with human interface devices
Owning windows 8 with human interface devicesNikhil Mittal
 
DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1Michael Gough
 
Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Michael Gough
 
TeelTech - Advancing Mobile Device Forensics (online version)
TeelTech - Advancing Mobile Device Forensics (online version)TeelTech - Advancing Mobile Device Forensics (online version)
TeelTech - Advancing Mobile Device Forensics (online version)Mike Felch
 
Started In Security Now I'm Here
Started In Security Now I'm HereStarted In Security Now I'm Here
Started In Security Now I'm HereChristopher Grayson
 
Windows Incident Response is hard, but doesn't have to be
Windows Incident Response is hard, but doesn't have to beWindows Incident Response is hard, but doesn't have to be
Windows Incident Response is hard, but doesn't have to beMichael Gough
 
Advanced SQL Injection Attack & Defenses
Advanced SQL Injection Attack & DefensesAdvanced SQL Injection Attack & Defenses
Advanced SQL Injection Attack & DefensesTiago Mendo
 
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015CODE BLUE
 
More fun using Kautilya
More fun using KautilyaMore fun using Kautilya
More fun using KautilyaNikhil Mittal
 

What's hot (20)

Offensive Python for Pentesting
Offensive Python for PentestingOffensive Python for Pentesting
Offensive Python for Pentesting
 
Is code review the solution?
Is code review the solution?Is code review the solution?
Is code review the solution?
 
Visiting the Bear Den
Visiting the Bear DenVisiting the Bear Den
Visiting the Bear Den
 
Weaponizing Recon - Smashing Applications for Security Vulnerabilities & Profits
Weaponizing Recon - Smashing Applications for Security Vulnerabilities & ProfitsWeaponizing Recon - Smashing Applications for Security Vulnerabilities & Profits
Weaponizing Recon - Smashing Applications for Security Vulnerabilities & Profits
 
Red Team Tactics for Cracking the GSuite Perimeter
Red Team Tactics for Cracking the GSuite PerimeterRed Team Tactics for Cracking the GSuite Perimeter
Red Team Tactics for Cracking the GSuite Perimeter
 
BSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be HuntedBSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be Hunted
 
Entrepreneurship for hackers
Entrepreneurship for hackersEntrepreneurship for hackers
Entrepreneurship for hackers
 
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
 
Web security for developers
Web security for developersWeb security for developers
Web security for developers
 
You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0
 
Owning windows 8 with human interface devices
Owning windows 8 with human interface devicesOwning windows 8 with human interface devices
Owning windows 8 with human interface devices
 
DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1
 
Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1
 
Oscp preparation
Oscp preparationOscp preparation
Oscp preparation
 
TeelTech - Advancing Mobile Device Forensics (online version)
TeelTech - Advancing Mobile Device Forensics (online version)TeelTech - Advancing Mobile Device Forensics (online version)
TeelTech - Advancing Mobile Device Forensics (online version)
 
Started In Security Now I'm Here
Started In Security Now I'm HereStarted In Security Now I'm Here
Started In Security Now I'm Here
 
Windows Incident Response is hard, but doesn't have to be
Windows Incident Response is hard, but doesn't have to beWindows Incident Response is hard, but doesn't have to be
Windows Incident Response is hard, but doesn't have to be
 
Advanced SQL Injection Attack & Defenses
Advanced SQL Injection Attack & DefensesAdvanced SQL Injection Attack & Defenses
Advanced SQL Injection Attack & Defenses
 
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
 
More fun using Kautilya
More fun using KautilyaMore fun using Kautilya
More fun using Kautilya
 

Similar to DERBYCON 2012: Pen Testing from a Hot Tub Time Machine

BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysJoff Thyer
 
Pentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 EditionPentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 EditionBeau Bullock
 
Recon-Fu @BsidesKyiv 2016
Recon-Fu @BsidesKyiv 2016Recon-Fu @BsidesKyiv 2016
Recon-Fu @BsidesKyiv 2016Vlad Styran
 
Breadcrumbs to Loaves: BSides Austin '17
Breadcrumbs to Loaves: BSides Austin '17Breadcrumbs to Loaves: BSides Austin '17
Breadcrumbs to Loaves: BSides Austin '17Brandon Arvanaghi
 
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain AccessDefcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Accesseightbit
 
Osint, shoelaces, bubblegum
Osint, shoelaces, bubblegumOsint, shoelaces, bubblegum
Osint, shoelaces, bubblegumJamieMcMurray
 
Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)ClubHack
 
InheritedASecurityDept
InheritedASecurityDeptInheritedASecurityDept
InheritedASecurityDeptAmanda Berlin
 
The Background Noise of the Internet
The Background Noise of the InternetThe Background Noise of the Internet
The Background Noise of the InternetAndrew Morris
 
My tryst with sourcecode review
My tryst with sourcecode reviewMy tryst with sourcecode review
My tryst with sourcecode reviewAnant Shrivastava
 
Fun with Application Security
Fun with Application SecurityFun with Application Security
Fun with Application SecurityBruce Abernethy
 
Pentest Apocalypse
Pentest ApocalypsePentest Apocalypse
Pentest ApocalypseBeau Bullock
 
The basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwon
The basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwonThe basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwon
The basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwonKenneth Kwon
 
Hunt for the red DA
Hunt for the red DAHunt for the red DA
Hunt for the red DANeil Lines
 
Vulnerability, exploit to metasploit
Vulnerability, exploit to metasploitVulnerability, exploit to metasploit
Vulnerability, exploit to metasploitTiago Henriques
 
The Web Application Hackers Toolchain
The Web Application Hackers ToolchainThe Web Application Hackers Toolchain
The Web Application Hackers Toolchainjasonhaddix
 
Top 10 Threats to Cloud Security
Top 10 Threats to Cloud SecurityTop 10 Threats to Cloud Security
Top 10 Threats to Cloud SecuritySBWebinars
 
Incident response before:after breach
Incident response before:after breachIncident response before:after breach
Incident response before:after breachSumedt Jitpukdebodin
 
Pentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated TestingPentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated TestingAndrew McNicol
 
Blog World 2010 - How to Keep Your Blog from Being Hacked
Blog World 2010 - How to Keep Your Blog from Being HackedBlog World 2010 - How to Keep Your Blog from Being Hacked
Blog World 2010 - How to Keep Your Blog from Being HackedBrian Layman
 

Similar to DERBYCON 2012: Pen Testing from a Hot Tub Time Machine (20)

BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 
Pentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 EditionPentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 Edition
 
Recon-Fu @BsidesKyiv 2016
Recon-Fu @BsidesKyiv 2016Recon-Fu @BsidesKyiv 2016
Recon-Fu @BsidesKyiv 2016
 
Breadcrumbs to Loaves: BSides Austin '17
Breadcrumbs to Loaves: BSides Austin '17Breadcrumbs to Loaves: BSides Austin '17
Breadcrumbs to Loaves: BSides Austin '17
 
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain AccessDefcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
 
Osint, shoelaces, bubblegum
Osint, shoelaces, bubblegumOsint, shoelaces, bubblegum
Osint, shoelaces, bubblegum
 
Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)
 
InheritedASecurityDept
InheritedASecurityDeptInheritedASecurityDept
InheritedASecurityDept
 
The Background Noise of the Internet
The Background Noise of the InternetThe Background Noise of the Internet
The Background Noise of the Internet
 
My tryst with sourcecode review
My tryst with sourcecode reviewMy tryst with sourcecode review
My tryst with sourcecode review
 
Fun with Application Security
Fun with Application SecurityFun with Application Security
Fun with Application Security
 
Pentest Apocalypse
Pentest ApocalypsePentest Apocalypse
Pentest Apocalypse
 
The basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwon
The basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwonThe basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwon
The basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwon
 
Hunt for the red DA
Hunt for the red DAHunt for the red DA
Hunt for the red DA
 
Vulnerability, exploit to metasploit
Vulnerability, exploit to metasploitVulnerability, exploit to metasploit
Vulnerability, exploit to metasploit
 
The Web Application Hackers Toolchain
The Web Application Hackers ToolchainThe Web Application Hackers Toolchain
The Web Application Hackers Toolchain
 
Top 10 Threats to Cloud Security
Top 10 Threats to Cloud SecurityTop 10 Threats to Cloud Security
Top 10 Threats to Cloud Security
 
Incident response before:after breach
Incident response before:after breachIncident response before:after breach
Incident response before:after breach
 
Pentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated TestingPentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated Testing
 
Blog World 2010 - How to Keep Your Blog from Being Hacked
Blog World 2010 - How to Keep Your Blog from Being HackedBlog World 2010 - How to Keep Your Blog from Being Hacked
Blog World 2010 - How to Keep Your Blog from Being Hacked
 

More from Chris Gates

Reiki 101 - Defcon29 MHHV
Reiki 101 - Defcon29 MHHVReiki 101 - Defcon29 MHHV
Reiki 101 - Defcon29 MHHVChris Gates
 
WeirdAAL (Awesome Attack Library) CactusCon 2018
WeirdAAL (Awesome Attack Library) CactusCon 2018WeirdAAL (Awesome Attack Library) CactusCon 2018
WeirdAAL (Awesome Attack Library) CactusCon 2018Chris Gates
 
WeirdAAL (AWS Attack Library)
WeirdAAL (AWS Attack Library) WeirdAAL (AWS Attack Library)
WeirdAAL (AWS Attack Library) Chris Gates
 
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017Chris Gates
 
Home Arcade setup (NoVA Hackers)
Home Arcade setup (NoVA Hackers)Home Arcade setup (NoVA Hackers)
Home Arcade setup (NoVA Hackers)Chris Gates
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsChris Gates
 
Open Canary - novahackers
Open Canary - novahackersOpen Canary - novahackers
Open Canary - novahackersChris Gates
 
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...Chris Gates
 
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016Chris Gates
 
Going Purple : From full time breaker to part time fixer: 1 year later
Going Purple : From full time breaker to part time fixer: 1 year later Going Purple : From full time breaker to part time fixer: 1 year later
Going Purple : From full time breaker to part time fixer: 1 year later Chris Gates
 
DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015Chris Gates
 
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015Chris Gates
 
LasCon 2014 DevOoops
LasCon 2014 DevOoops LasCon 2014 DevOoops
LasCon 2014 DevOoops Chris Gates
 
Appsec DC - wXf -2010
Appsec DC - wXf -2010Appsec DC - wXf -2010
Appsec DC - wXf -2010Chris Gates
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new blackChris Gates
 
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...Chris Gates
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Chris Gates
 
ColdFusion for Penetration Testers
ColdFusion for Penetration TestersColdFusion for Penetration Testers
ColdFusion for Penetration TestersChris Gates
 
MSF Auxiliary Modules
MSF Auxiliary ModulesMSF Auxiliary Modules
MSF Auxiliary ModulesChris Gates
 
Open Source Information Gathering Brucon Edition
Open Source Information Gathering Brucon EditionOpen Source Information Gathering Brucon Edition
Open Source Information Gathering Brucon EditionChris Gates
 

More from Chris Gates (20)

Reiki 101 - Defcon29 MHHV
Reiki 101 - Defcon29 MHHVReiki 101 - Defcon29 MHHV
Reiki 101 - Defcon29 MHHV
 
WeirdAAL (Awesome Attack Library) CactusCon 2018
WeirdAAL (Awesome Attack Library) CactusCon 2018WeirdAAL (Awesome Attack Library) CactusCon 2018
WeirdAAL (Awesome Attack Library) CactusCon 2018
 
WeirdAAL (AWS Attack Library)
WeirdAAL (AWS Attack Library) WeirdAAL (AWS Attack Library)
WeirdAAL (AWS Attack Library)
 
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017
 
Home Arcade setup (NoVA Hackers)
Home Arcade setup (NoVA Hackers)Home Arcade setup (NoVA Hackers)
Home Arcade setup (NoVA Hackers)
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps Toolchains
 
Open Canary - novahackers
Open Canary - novahackersOpen Canary - novahackers
Open Canary - novahackers
 
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
 
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
 
Going Purple : From full time breaker to part time fixer: 1 year later
Going Purple : From full time breaker to part time fixer: 1 year later Going Purple : From full time breaker to part time fixer: 1 year later
Going Purple : From full time breaker to part time fixer: 1 year later
 
DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015
 
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
 
LasCon 2014 DevOoops
LasCon 2014 DevOoops LasCon 2014 DevOoops
LasCon 2014 DevOoops
 
Appsec DC - wXf -2010
Appsec DC - wXf -2010Appsec DC - wXf -2010
Appsec DC - wXf -2010
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new black
 
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
 
ColdFusion for Penetration Testers
ColdFusion for Penetration TestersColdFusion for Penetration Testers
ColdFusion for Penetration Testers
 
MSF Auxiliary Modules
MSF Auxiliary ModulesMSF Auxiliary Modules
MSF Auxiliary Modules
 
Open Source Information Gathering Brucon Edition
Open Source Information Gathering Brucon EditionOpen Source Information Gathering Brucon Edition
Open Source Information Gathering Brucon Edition
 

Recently uploaded

CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 

Recently uploaded (20)

CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 

DERBYCON 2012: Pen Testing from a Hot Tub Time Machine

  • 1. DERBYCON 2012 PENETRATION TESTING FROM A HOT TUB TIME MACHINE Presented by: Eric Smith Chris Gates
  • 2. ABOUT US • Senior Partners – LARES Consulting • Penetration Testers • Professional Unicorn Hunters • Mostly trouble makers • Twitter • Chris Gates: @carnal0wnage • Eric Smith: @infosecmafia • Blog • carnal0wnage.attackresearch.com
  • 3. DISCLAIMER • Not releasing 0days, not releasing tools • Zero exploits will be shown • Not demoing lab projects that fail IRL • Security isn’t that sexy • This is not a demo of MS08-067 • 1 part flashback + 2 parts reminder
  • 4. MOTIVATION • We see a lot of dirty/scary/shocking <adjective> • Corporations are NOT getting better over time • Penetration testers ARE getting lazier over time • Basic shit gets you owned, if you don’t test it, others will eventually • Stop with smoke and mirrors to sell your value. RESULTS sell value • Step away from the scan + exploit mentality
  • 5. NEWS FLASH: 0-DAYS DON’T MATTER! • I <3 0day, why? • It keeps people on edge! • BUT • 0days never seem to f* work IRL, well 1 days do - Maybe • If its in an exploit framework then AV is blocking it. THAT they are actually good at. • If I had a (good) 0day I wouldn’t waste it on a pen-test • 0days provide ZERO value to your client
  • 6. REALITY CHECK • Good hackers don’t use expensive vulnerability scanners • Good hackers don’t use automated penetration testing • Attackers don’t have a scope or timeframes • Attackers don’t stop after first successful exploit
  • 8. THE RIGHT WAY TO DO IT Intelligence Gathering Foot printing Vulnerability Analysis Exploitation Post- Exploitation Clean Up www.pentest-standard.org
  • 9. OSINT: OPEN SOURCE INTELLIGENCE GATHERING • Often excluded from penetration testing • It’s the easiest way to learn about your target w/o being detected • Hackers do it, so should you • Profiling will expedite your chances for success • Basis to formulate your own attack matrix
  • 10. OSINT VALUE • It’s free! • Someone/Something else already did most of it for you • Develop a Process/Methodology == Habit • Do it EVERY time: *Unicorns* show up occasionally. You can’t take the attitude that “I'll never find/see X” • Put eyes on EVERYTHING! • Don't rely on $OSINT-tool to tell you what’s important • Don’t rely on $scanner to tell you what’s vulnerable
  • 11. OSINT - EXTERNAL • Support Tools • Harvester, FOCA, Shodan, Maltego, Deep Magic • Metasploit Auxiliary Modules • Nmap scripts (NSE) • Roll your own (ruby, python, bash) • No substitute for your eyes and brain • Is information X important or not? • How can it be applied throughout an engagement? • What’s the value and potential damage of the Intel?
  • 13. OSINT -- EXTERNAL • FOCA (network)
  • 14. OSINT -- EXTERNAL • FOCA (document metadata)
  • 15. OSINT -- EXTERNAL • Maltego Radium • New addition is “Machines” to automate common tasks • Like various levels of foot printing
  • 16. OSINT -- EXTERNAL • Maltego Radium
  • 18. OSINT -- EXTERNAL • Deep Magic
  • 19. OSINT -- EXTERNAL • Metasploit Auxiliary Modules • Email Enumeration • DNS enumeration • SMTP • Etc…
  • 20. OSINT -- EXTERNAL • Neat examples of network level stuff user@ubuntu:~$ host -t MX domain.net domain.net mail is handled by 10 barracuda01.domain.net. domain.net mail is handled by 10 barracuda02.domain.net. • Zone Transfers • Rare but still pop up • Reveal authentication portals, system role, additional IP space
  • 21. OSINT -- EXTERNAL • You need to put eyes on everything! • SVN/CVS repos – usernames/file access/source code/passwords/keys • Directory listing – info leakage – credentials, etc. • Internal IP leakage – useful later during compromise, targeted attacks • Send bounce email – get internal IPs, server names, system type, etc. • Eyes on everything + Default passwords ==
  • 23. OSINT -- EXTERNAL • LinkedIN • See my talk from yesterday  • New Hires – EXCELLENT targets • Minimal training • Weaker Passwords – Changme1[23], Welcome1[23]] • Unfamiliar with personnel, policies and procedures
  • 24. OSINT -- EXTERNAL • jigsaw.rb • https://github.com/pentestgeek/jigsaw
  • 26. OSINT -- EXTERNAL • Using this information to insert foot in ass • How many of you check to see if you can validate emails via the target’s email servers? • Pro-Tip  the msf module for this is jacked
  • 28. OSINT – DESIRED RESULTS • Attack/Threat Matrix • IP Ranges/Host names • Authentication Portals and Types • Username/Email List • Contact Information/Geo Data • Credentials (possible) • The list is endless…
  • 29. OSINT -- INTERNAL • Just as important as external profiling • Follow a repeatable methodology/develop a habit • Prioritize the value of your targets and task lists • Intel from external OSINT applies to internal systems (file server names, usernames, etc.) • DHCP leases, DNS zone xfer/lookups, packet captures, ARP, etc.
  • 31. SMART BRUTE FORCING • Throw away the 600MB dictionary files • You will most likely lock accounts if you blow your wad • Build a generic accounts list • Take old SAM files, pull out common names • Build a generic account list • Lucky punches are common • Invoices/invoices, training/training, helpdesk/helpdesk • Go build your own  • Space out your runs. 2-3 passwords every few hours. • Smarter Passwords – Welcome1[23], Password1[23], Summer12, Company1[23] • CeWL – Custom Wordlist Generator – Robin Wood • Use your intelligence from OSINT activities
  • 32. OWA BRUTING • Tons of ways to do it but they all have limitations • Owabf.py • Wmat – custom pattern files • Metasploit auxiliary module • Burp Intruder • PRO TIP: Cookie needs to be reset after a successful login • Major Content Length change = successful login
  • 33. OWA GAL DUMPING • Useful if you land a weak password and want to try it on more users • OWA 2007 and older have the GAL available for downloading (sometimes) • OWA 2010 requires another step: <params><canary>9f2202c7807a47c0820abb316d58b3b9</canary><St><ADVL VS sId="YqPmr+NBl0eJUY0tnMEtqA==" mL="1" sC="52" sO="0" cki="BxMAAA==" ckii="87" clcid="1033" cPfdDC="dc02.FOO.LOCAL"/></St><SR>4000</SR><RC>100</RC></params> uri="sip:owned@foo.net"></div>
  • 34. LOTUS NOTES BRUTING • Penetration Tester’s WET DREAM • Names.nsf == GOLD! • Since forever Lotus Notes has suffered from hash disclosure via one account • Tons of ways to do it but they all have limitations • Metasploit auxiliary module • Domino Hunter script • Nmap NSE script • Burp Intruder • JtR hash cracking – dominosec/lotus5
  • 35. CITRIX ACCESS • Published Application Enumeration • IP address/System name enumeration • Username enumeration (sometimes) • Burp Intruder • Other tools: • Metasploit auxillary modules • Nmap NSE scripts • Defcon 10: Citrix PA Scan/Proxy • Citrix Access Gateway software – ICA creation
  • 36. CITRIX – APPLICATION BREAKOUT • One published application is usually all you need • Old tricks still work • File open – force browse %SYSTEMROOT% • Help file – search • Unknown file type – open with – explorer • IKAT • See old talks on Citrix for refresher 
  • 37. CITRIX – NEW(ER) DIRTY SECRETS • System Information – File Open • Explorer -> mmc.exe • Remote manage system • Add local administrator account • Remote Desktop access • Drop binary -> exploit -> pivot -> ….
  • 39. CITRIX – MMC SEXINESS
  • 40. CITRIX – MMC PWNED
  • 41. SSL VPN BRUTE FORCING • If its single factor its worth doing SMART brute forcing
  • 42. VPN PRIVILEGES • 9/10 times the VPN drops you right on the network with everyone else • This effectively bypasses NAC and everything else you implemented
  • 43. FILE UPLOAD • WebDav • HTTP METHOD Abuse (PUT/DELETE) • RFI/LFI • The List goes on…
  • 44. EXPOSED SERVICES – ADMIN INTERFACES • Admin Interfaces listening on random ports can be gold. • Finding them amongst all the crap can be challenging. • Possible Methodology • Nmap your range • Import into metasploit • Use the db_ searches to pull out all hosts you want • Some ruby to make them into a piece of html • Use linky to open everything
  • 45. EXPOSED SERVICES – ADMIN INTERFACES
  • 46. EXPOSED SERVICES – ADMIN INTERFACES • msf > services -o /tmp/demo.csv
  • 47. EXPOSED SERVICES – ADMIN INTERFACES • Ruby
  • 48. EXPOSED SERVICES – ADMIN INTERFACES • Linky
  • 49. EXPOSED SERVICES – ADMIN INTERFACES
  • 50. EXPOSED SERVICES – ADMIN INTERFACES
  • 51. JUNIPER SECRET QUESTION BYPASS • Is the below a dead end or a way in?
  • 52. JUNIPER SECRET QUESTION BYPASS • Is the below a dead end or a way in? • How about now?
  • 53. SHAREPOINT VALUE • Misconfigured SharePoint can be *really* useful • User/Domain Enumeration • Access to useful files • Authenticated access to SharePoint is *always* useful • That’s really another talk…but its mint • Go ask Nickerson
  • 54. SHAREPOINT INTEL HUNTING • Stach and Liu’s SharePoint Diggity tools • http://www.stachliu.com/resources/tools/sharepoint-hacking-diggity-project/ • Roll your own • http://code.google.com/p/fuzzdb/source/browse/trunk/Discovery/PredictableRes/Sharepoin t.fuzz.txt
  • 57. SHAREPOINT • Can (ab)use web services calls to get account info
  • 58. INTERNAL PWNAGE • Now what? • If you think you are done. You’ve missed the point!
  • 59. DOMAIN ENUMERATION (OLD SCHOOL) • Ipconfig/ifconfig • Tells you: • Dual homed? • Ipv6? • Domain Controllers/Domain Name(s) • Net commands • Still works most of the time • Disabled? Use dsquery/dsget • Internal Zone Transfers
  • 60. DOMAIN ENUMERATION (NEW SCHOOL) • Mubix’s netview
  • 61. DOMAIN ENUMERATION • Subnets with DC’s are usually the server / production subnets • You at least have a quick starting point for looking for low hanging fruit. • Net view /domain:DOMAINNAME • Dsquery/dsget • Windows server • dsquery * -scope subtree -attr "cn" "operatingSystem" "operatingSystemServicePack" -filter "(&(objectclass=computer)(objectcategory=computer)(operatingSystem=Windows Server*))" -limit 0 > mylist.txt • Window XP • dsquery * -scope subtree -attr "cn" "operatingSystem" "operatingSystemServicePack" -filter "(&(objectclass=computer)(objectcategory=computer)(operatingSystem=Windows XP*))" -limit 0 > mylist.txt
  • 62. USER ENUMERATION • Net commands • Net user /domain • Dsquery | dsget • List users and comments • dsquery user “DC=company,DC=NET" -limit 0 | dsget user -samid -display -desc > company-user-and-comments.txt • Metasploit Aux modules • use auxiliary/scanner/smb/smb_enumusers • use auxiliary/scanner/smb/smb_enumusers_domain • Cain still works great • Plus gives you nuggets of gold like…
  • 64. OPEN NFS SHARES • Exported home directories • Server names • Usernames • Passwords? • Backup files • Showmount -e
  • 65. OPEN SMB SHARES • You have to look in them to find useful stuff • Scanner wont tell you that documentX is important • Metasploit • use auxiliary/scanner/smb/smb_enumshares • Enum.exe • Loose permissions on file servers • World readable user home directories on SAN/NAS devices
  • 66. FILE MOVEMENT • Clipboard/Buffer • Remote Desktop • Network mapped drives • External drop sites • WebDAV file server • BITS
  • 68. MSSQL msf auxiliary(mssql_ping) > run [*] SQL Server information for 172.30.0.70: [+] ServerName = RBRLIVE12 [+] InstanceName = MSSQLSERVER [+] IsClustered = No [+] Version = 8.00.194 [+] tcp = 1433 [+] np = RBRLIVE12pipesqlquery [*] SQL Server information for 172.30.0.162: [+] ServerName = LOGISTICS02 [+] InstanceName = SQL1 [*] SQL Server information for 172.30.0.185: [+] ServerName = RBRLIVE11
  • 69. ORACLE • Outdated Oracle on Windows can yield shell • Can be difficult to get it to play nice with metasploit • Isqlplus doesn’t honor routes in metasploit
  • 70. QUICK ELEVATION • Group Policy Preference Exploit • Metasploit Post Module • Post/windows/gather/credentials/gpp • Domain users part of local administrator group • Similar usernames with Domain Admin accounts • Password reuse
  • 71. INTERNAL PWNAGE RECAP • Resist the urge to scan all things • Use OSINT and enumeration to your advantage • DHCP leases are awesome • Dns zone xfer – what do we learn again from external slides? • Dig/nslookup domains – reveal server subnets, system naming convention, system role, etc • Dsquery examples • Enumeration against systems (enum.exe, dsquery, cain, msf aux, etc) • NetBIOS never left
  • 72. INTERNAL PWNAGE RECAP • Active Directory comment fields • SQL enumeration (Cain, dsquery, sqlrecon, msf aux) • Be smart about SA account (blank, password, SA, etc.) and lockouts • Terminal Servers enumeration (Cain, dsquery) • NFS shares/mounts/info leakage (files, users, server names, etc) • SVN/CVS entries – access to source code – web.config files – immediate access • SharePoint – basic user/weak permissions/easy searchable for info to elevate/backups • Citrix access with basic user – great way to elevate (shown during external slides) • File servers – weak permissions/easy searching for “password” files, ssh keys, home directories, etc.
  • 73. POOR MAN’S PERSISTENCE • Sticky keys / magnifier • Cat passwords.txt • Cisco PCF file • VPN/GRE Tunnel • All user’s startup • Pasword1 
  • 74. THE DOCTOR IS IN • Are you positive your last assessment was accurate? • Password auditing • Data discovery/classification • System hardening • Segmentation • Egress filtering • Least privilege models