SlideShare a Scribd company logo

BSidesJXN 2016: Finding a Company's BreakPoint

Download as PPT, PDF
Andrew McNicol
Andrew McNicol

The document outlines various techniques that can be used to break into a company's network beyond just scanning for vulnerabilities. It discusses phishing, exploiting web application vulnerabilities, using Responder to poison name resolution and enable man-in-the-middle attacks, SMB relay attacks, and compromising user accounts by combining different vulnerabilities. Specific tools and steps are provided for each technique.

Technology
1 of 48
Finding a Company’s BreakPoint By: Zack Meyers & Andrew McNicol
Modern Day Hacking
Agenda ~$ whoami Overview Our Methodology How to Go Beyond a Scan 1. Phishing 2. Web Application Vulnerabilities 3. Multicast Name Resolution Poisoning 4. SMB Relay Attacks 5. Account Compromise Final Thoughts and Tips Useful Training and Links
~$ whoami Zack Meyers (@b3armunch) Andrew McNicol (@primalsec) Red Team @BreakPoint Labs (@0xcc_labs) Bloggers/Podcasters @Primal Security (@primalsec) Past: BSidesCHARM, BSidesDC, RVASec Certification Junkies (OSCE, OSCP, GWAPT, GPEN etc.) Python, CTFs, Learning, long walks on the beach ( @AnnapolisSec)
Things Have Changed Since the 90s
Overview Goal: Break the mindset of “Scan then Exploit” Cover 5 ways we commonly break into a network: 1. Phishing 2. Web Application Vulnerabilities 3. Multicast Name Resolution Poisoning 4. SMB Relay Attacks 5. Account Compromise
Our Methodology (High Level) Planning and Scoping Reconnaissance Mapping Automated Testing Manual Testing Reporting Remediation Support
How to Go Beyond a Scan 1. Mindset: Fail 1000s of times and Continue Trying 2. Recon + Mapping: Find Systems + Content Others Have Missed 3. Automated Testing: Run the appropriate tool for the job 4. Manual Testing: Identify, Understand, and Fuzz all Areas of Input Research all Version Specific Vulnerabilities Combine Findings, Remove False Positives, and Abuse Features 1. Reporting: Highlight Business Impact
1. Phishing [surprise] Phishing actually works. [/surprise] Here is the process we generally follow: 1. Planning: Goals, ROE, what happens when the user clicks? 2. Determine Scenario: Ransomware, Targeted, etc. 3. Determine Phishing Domains 4. Find Vulnerabilities: Email Spoofing 5. Execute the Engagement Full Blog Here: https://breakpoint-labs.com/phishing/
1. Phishing: Planning Work with the customer to understand their needs for the Phishing campaign (Compliance, Part of a larger engagement, etc.) We prefer to send email via Python (smtp module) We generally perform these three types of engagements: 1. Click Analysis: Determine how many users clicked a link 2. Credential Gathering: Prompt for Credentials 3. Execute Code: PowerShell, Office Macros, HTAs, etc.
CEOs Reaction to Opening to Phishing Email
1. Phishing: Scenario 2 Main Types of Scenarios: Common Malware, and Targeted Attacker UPS Tracking Ransomware: Cloned Site + Password Prompt:
1. Phishing: Phishing Domains The scenario will determine what domains we leverage If our goal is to perform a more targeted attack we will attempt use a similar domain to the target organization and clone login portals: breakpoint-labs.com vs. breakpoint-lab.com If our goal is more common threat we will emulate those TTPs: ups-pkgtracker.com Its important to submit domains to web content filters/proxies
1. Phishing: Finding Vulnerabilities
1. Phishing: Finding Vulnerabilities Outlook client – Email below is sent from a Gmail account:
1. Phishing: Execute Code Click Analysis: We generally use Python to send email + create a unique link per email to targets Credential Grabbing: We generally use PHP to prompt for credentials Execute Code: Usually leverage Empire (Office Macro, HTA method)
Is your input being presented on the screen? -> XSS Is your input calling on stored data? -> SQLi Does input generate an action to an external service? -> SSRF Does your input call on a local or remote file? -> File Inclusion Does your input end up on the file system? -> File Upload Does your input cause another page to load? -> Redirect Vulns Can we enumerate technology and versions? -> Lots of Vulns 2. Web Application Vulnerabilities
2. Web App Vulns: File Inclusion File Inclusion vulns can lead to code execution “php include()” Sometimes they are limited to just file inclusion “php echo()” LFIs normally require you to get your input on disk then include the affected resource (log poisoning) RFIs are normally easier to exploit as you can point them to an external resource containing your code
2. Web App Vulns: Step 1 Unlinked resource “debug.php”- HTTP 200 OK and blank screen
2. Web App Vulns: Step 2 Unlinked resource “debug.php”- HTTP 200 OK and blank screen
2. Web App Vulns: Step 2 Never underestimate the power of a good lunch!
2. Web App Vulns: Step 3 Parameters are fuzzed to enumerate inputs. "page=test" gives back a different response "Failed opening 'test' for inclusion”
2. Web App Vulns: Step 4 Attempt to execute code: 1.php = <?php system(‘id’);?>
2. Web App Vulns: Step 5 IN REAL LIFE: The web service was running as SYSTEM!
3. Multicast Name Resolution Poisoning A majority of the time internal networks will have name resolution traffic enabled with the following protocols: Link-Local Multicast Name Resolution (LLMNR) Netbios Name (NBT-NS) services. Multicast DNS (mDNS) By listening, intercepting and manipulating name resolution traffic an attacker can redirect authentication traffic and perform Man in the Middle (MITM) attacks.
Responder!
3. Enter Responder.py Responder is a Python script that aids in: Multicast Protocol Poisoning (LLMNR, NBT-NS, mDNS) WPAD Spoofing (Web Proxy Auto Discovery) using a non authorized server as a proxy server for all HTTP requests to the Internet. MITM Attacks (Intercepting credential exchanges between hosts leading to password cracking, pass the hash, SMB relay attacks, etc.) Rouge Server Services (SMTP, IMAP, POP3, SMB, Kerberos, FTP, HTTP, HTTPS, DNS, LDAP, SQL, etc.)
3. Responder.py - Use Case 1 Rouge Services Syntax: ~$ responder -I eth0 -f
3. Responder.py - Use Case 2 WPAD Syntax: ~$ responder -I eth0 -bw
3. Responder.py - Use Case 3 Analyze Syntax: ~$ responder -I eth0 -A
3. Prevent Multicast Name Communication Attacks Preventing multicast communication attacks through: Disable Broadcast Protocols: LLMNR (Link Local Multicast Name Resolution) and NBNS (NetBios Name Resolution) Prevent WPAD Poisoning w/ WPAD file entries in DNS Segment the local networks with VLANS to prevent impact Ensure that only NTLMv2 is in use rather than LM and NTLM
4. SMB Relay Attacks SMB relay attacks occur once an attacker inserts themselves in between the NTLM Challenge/Response protocol exchange. The attacker needs the victim to initiate an HTTP or SMB connection. This initiation can occur often from either: LLMNR/NBNS spoofing Automated processes attempting to authenticate to systems (ex. patch management, antivirus updates, vulnerability scanners, custom admin scripts, etc.)
So You Started a Scan
4. SMB Relay Attack Visual: Automated Process
4. SMB Relay Attack: Multicast Poisoning Attackers IP: 192.168.56.103 Windows Client (Target): 192.168.56.105 Windows DC: 192.168.56.102
4. SMB Relay Attack: Multicast Poisoning Cont. Attackers IP: 192.168.56.103 Windows Client (Target): 192.168.56.105 Windows DC: 192.168.56.102
4. SMB Relay Attack: Multicast Poisoning Cont. Attackers IP: 192.168.56.103 Windows Client (Target): 192.168.56.105 Windows DC: 192.168.56.102
4. SMB Relay Attack: Nessus Scanner Scenario
4. Prevent SMB Relay Attacks Preventing SMB relay attacks through: Require SMB Signing Disable Broadcast Protocols: LLMNR (Link Local Multicast Name Resolution) and NBNS (NetBios Name Resolution) Prevent WPAD Poisoning w/ WPAD file entries in DNS Prevent SMB Traffic Outbound Enable EPA (Extended Protection and Authentication)
5. Account Compromise
5. Account Compromise Combines several vulnerabilities to demonstrate risk: - Username enumeration (Low) + - Lack of Automation Controls (Low) + - Lack of Password Complexity Reqs (Low) = - Account Compromise (Critical)
5. Acct Comp: Username Enumeration Password Reset Feature “Email address not found” Login Error Message “Invalid Username”’ Contact Us Features “Which Admin do you want to contact?” Timing for login Attempts: Valid = 0.4 secs Invalid = 15 secs User Registration “Username already exists” Various error messages, and HTML source Google Hacking and OSINT Sometimes the application tells you
5. Acct Comp: Automation Controls Pull the auth request up in Burp’s Repeater and try it a few times No sign of automation controls? -> Burp Intruder - No account lockout - Non-existent or Weak CAPTCHA - Main login is strong, but others? (Mobile Interface, API, etc.)
5. Acct Comp: Weak Passwords We as humans are bad at passwords…here are some tricks: - Password the same as username - Variations of “password”: “p@ssw0rd”… - Month+Year, Season+Year: winter2015… - Company Name + year - Keyboard Walks – PW Generator: “!QAZ2wsx” Lots of wordlists out there, consider making a targeted wordlist Research the targeted user’s interests and build lists around those interests
5. Acct Comp: Default and Shared Attempt to brute force across all the things Brute Force Tools: Burp Suite’s Intruder, Hydra, CrackMapExec, MSF SMB modules, Nmap, etc. Always try default creds for any given technology We commonly see shared Linux root creds, and shared Windows local admin creds across the entire enterprise
Final Thoughts and Tips Use Shodan and Censys.io for external reconnaissance Make sure you investigate shares (enum4linux) Unlinked Content enumeration on web applications is key Passwords written down on sticky notes? Yea usually Can you reset a PW via the Help Desk? Put a focus on feature abuse: What does the technology let you do? How can you abuse that functionality? Once you get valid credentials try them across all the things
Useful Trainings & Links Free Training: Cybrary CTFs: Vulnhub, Past CTF Writeups, Pentester Lab Training: Offensive Security, SANS, SecurityTube Book: Web Application Hackers Handbook • Book: Black Hat Python • Talks: IronGeek (Adrian Crenshaw’s) YouTube Channel • Talk: How to Shot Web - Jason Haddix • Talk: How to be an InfoSec Geek - Primal Security • Talk: File in the hole! - Soroush Dalili • Talk: Exploiting Deserialization Vulnerabilities in Java • Talk: Polyglot Payloads in Practice - Marcus Niemietz • Talk: Running Away From Security - Micah Hoffman • Talk: Beyond Automated Testing – Us! • GitHub Resource: Security Lists For Fun & Profit
Contact Us Site: https://www.breakpoint-labs.com Email: info@breakpoint-labs.com Twitter: @0xcc_labs

Recommended

BSides Philly Finding a Company's BreakPoint
BSides Philly Finding a Company's BreakPointBSides Philly Finding a Company's BreakPoint
BSides Philly Finding a Company's BreakPointAndrew McNicol
 
Beyond Automated Testing - RVAsec 2016
Beyond Automated Testing - RVAsec 2016Beyond Automated Testing - RVAsec 2016
Beyond Automated Testing - RVAsec 2016Andrew McNicol
 
BSidesDC 2016 Beyond Automated Testing
BSidesDC 2016 Beyond Automated TestingBSidesDC 2016 Beyond Automated Testing
BSidesDC 2016 Beyond Automated TestingAndrew McNicol
 
BSides_Charm2015_Info sec hunters_gathers
BSides_Charm2015_Info sec hunters_gathersBSides_Charm2015_Info sec hunters_gathers
BSides_Charm2015_Info sec hunters_gathersAndrew McNicol
 
How To Start Your InfoSec Career
How To Start Your InfoSec CareerHow To Start Your InfoSec Career
How To Start Your InfoSec CareerAndrew McNicol
 
Pentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated TestingPentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated TestingAndrew McNicol
 
BSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability ManagementBSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability ManagementAndrew McNicol
 
Introduction to Penetration Testing
Introduction to Penetration TestingIntroduction to Penetration Testing
Introduction to Penetration TestingAndrew McNicol
 

Recommended

BSides Philly Finding a Company's BreakPoint
BSides Philly Finding a Company's BreakPointBSides Philly Finding a Company's BreakPoint
BSides Philly Finding a Company's BreakPointAndrew McNicol
 
Beyond Automated Testing - RVAsec 2016
Beyond Automated Testing - RVAsec 2016Beyond Automated Testing - RVAsec 2016
Beyond Automated Testing - RVAsec 2016Andrew McNicol
 
BSidesDC 2016 Beyond Automated Testing
BSidesDC 2016 Beyond Automated TestingBSidesDC 2016 Beyond Automated Testing
BSidesDC 2016 Beyond Automated TestingAndrew McNicol
 
BSides_Charm2015_Info sec hunters_gathers
BSides_Charm2015_Info sec hunters_gathersBSides_Charm2015_Info sec hunters_gathers
BSides_Charm2015_Info sec hunters_gathersAndrew McNicol
 
How To Start Your InfoSec Career
How To Start Your InfoSec CareerHow To Start Your InfoSec Career
How To Start Your InfoSec CareerAndrew McNicol
 
Pentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated TestingPentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated TestingAndrew McNicol
 
BSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability ManagementBSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability ManagementAndrew McNicol
 
Introduction to Penetration Testing
Introduction to Penetration TestingIntroduction to Penetration Testing
Introduction to Penetration TestingAndrew McNicol
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2Chris Gates
 
Bsides-Philly-2016-Finding-A-Companys-BreakPoint
Bsides-Philly-2016-Finding-A-Companys-BreakPointBsides-Philly-2016-Finding-A-Companys-BreakPoint
Bsides-Philly-2016-Finding-A-Companys-BreakPointZack Meyers
 
Tcpdump hunter
Tcpdump hunterTcpdump hunter
Tcpdump hunterAndrew McNicol
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X WayStephan Borosh
 
Top Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions TodayTop Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions TodayChris Gates
 
Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0marcioalma
 
Penetration testing, What’s this?
Penetration testing, What’s this?Penetration testing, What’s this?
Penetration testing, What’s this?Dmitry Evteev
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
Logical Attacks(Vulnerability Research)
Logical Attacks(Vulnerability Research)Logical Attacks(Vulnerability Research)
Logical Attacks(Vulnerability Research)Ajay Negi
 
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...CODE BLUE
 
Introduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksIntroduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksScott Sutherland
 
Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Daniel Bohannon
 
Lares from LOW to PWNED
Lares from LOW to PWNEDLares from LOW to PWNED
Lares from LOW to PWNEDChris Gates
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysJoff Thyer
 
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilitiesVorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilitiesDefconRussia
 
My tryst with sourcecode review
My tryst with sourcecode reviewMy tryst with sourcecode review
My tryst with sourcecode reviewAnant Shrivastava
 
Is code review the solution?
Is code review the solution?Is code review the solution?
Is code review the solution?Tiago Mendo
 
BSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be HuntedBSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be HuntedAlex Davies
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Rob Fuller
 
Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018Niranjanaa Ragupathy
 
Braga
BragaBraga
BragaActividadesIESULGIJON
 
Visita Junta General 20 diciembre
Visita Junta General 20 diciembreVisita Junta General 20 diciembre
Visita Junta General 20 diciembreActividadesIESULGIJON
 

More Related Content

What's hot

hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2Chris Gates
 
Bsides-Philly-2016-Finding-A-Companys-BreakPoint
Bsides-Philly-2016-Finding-A-Companys-BreakPointBsides-Philly-2016-Finding-A-Companys-BreakPoint
Bsides-Philly-2016-Finding-A-Companys-BreakPointZack Meyers
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X WayStephan Borosh
 
Top Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions TodayTop Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions TodayChris Gates
 
Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0marcioalma
 
Penetration testing, What’s this?
Penetration testing, What’s this?Penetration testing, What’s this?
Penetration testing, What’s this?Dmitry Evteev
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
Logical Attacks(Vulnerability Research)
Logical Attacks(Vulnerability Research)Logical Attacks(Vulnerability Research)
Logical Attacks(Vulnerability Research)Ajay Negi
 
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...CODE BLUE
 
Introduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksIntroduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksScott Sutherland
 
Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Daniel Bohannon
 
Lares from LOW to PWNED
Lares from LOW to PWNEDLares from LOW to PWNED
Lares from LOW to PWNEDChris Gates
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysJoff Thyer
 
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilitiesVorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilitiesDefconRussia
 
My tryst with sourcecode review
My tryst with sourcecode reviewMy tryst with sourcecode review
My tryst with sourcecode reviewAnant Shrivastava
 
Is code review the solution?
Is code review the solution?Is code review the solution?
Is code review the solution?Tiago Mendo
 
BSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be HuntedBSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be HuntedAlex Davies
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Rob Fuller
 
Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018Niranjanaa Ragupathy
 

What's hot (20)

hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
 
Bsides-Philly-2016-Finding-A-Companys-BreakPoint
Bsides-Philly-2016-Finding-A-Companys-BreakPointBsides-Philly-2016-Finding-A-Companys-BreakPoint
Bsides-Philly-2016-Finding-A-Companys-BreakPoint
 
Tcpdump hunter
Tcpdump hunterTcpdump hunter
Tcpdump hunter
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X Way
 
Top Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions TodayTop Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions Today
 
Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0
 
Penetration testing, What’s this?
Penetration testing, What’s this?Penetration testing, What’s this?
Penetration testing, What’s this?
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
 
Logical Attacks(Vulnerability Research)
Logical Attacks(Vulnerability Research)Logical Attacks(Vulnerability Research)
Logical Attacks(Vulnerability Research)
 
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
 
Introduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksIntroduction to Windows Dictionary Attacks
Introduction to Windows Dictionary Attacks
 
Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016
 
Lares from LOW to PWNED
Lares from LOW to PWNEDLares from LOW to PWNED
Lares from LOW to PWNED
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilitiesVorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
 
My tryst with sourcecode review
My tryst with sourcecode reviewMy tryst with sourcecode review
My tryst with sourcecode review
 
Is code review the solution?
Is code review the solution?Is code review the solution?
Is code review the solution?
 
BSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be HuntedBSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be Hunted
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
 
Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018
 

Viewers also liked

Ficha información padres Visita Junta General
Ficha información padres Visita Junta GeneralFicha información padres Visita Junta General
Ficha información padres Visita Junta GeneralActividadesIESULGIJON
 
Virtual Reality Workshop (3/13/2017)
Virtual Reality Workshop (3/13/2017)Virtual Reality Workshop (3/13/2017)
Virtual Reality Workshop (3/13/2017)KR_Barker
 
A Brief Study on Different Intrusions and Machine Learning-based Anomaly Dete...
A Brief Study on Different Intrusions and Machine Learning-based Anomaly Dete...A Brief Study on Different Intrusions and Machine Learning-based Anomaly Dete...
A Brief Study on Different Intrusions and Machine Learning-based Anomaly Dete...Eswar Publications
 
Introduction to Python for Security Professionals
Introduction to Python for Security ProfessionalsIntroduction to Python for Security Professionals
Introduction to Python for Security ProfessionalsAndrew McNicol
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware AnalysisAndrew McNicol
 
Softcat Splunk Discovery Day Manchester, March 2017
Softcat Splunk Discovery Day Manchester, March 2017Softcat Splunk Discovery Day Manchester, March 2017
Softcat Splunk Discovery Day Manchester, March 2017Splunk
 
The Error of Our Ways
The Error of Our WaysThe Error of Our Ways
The Error of Our WaysKevlin Henney
 
Introduction to Digital Life (March 2017)
Introduction to Digital Life (March 2017)Introduction to Digital Life (March 2017)
Introduction to Digital Life (March 2017)KR_Barker
 
Gartner IAM London 2017 Session - Security, Standards & User Experience: The ...
Gartner IAM London 2017 Session - Security, Standards & User Experience: The ...Gartner IAM London 2017 Session - Security, Standards & User Experience: The ...
Gartner IAM London 2017 Session - Security, Standards & User Experience: The ...Ping Identity
 
Finding attacks with these 6 events
Finding attacks with these 6 eventsFinding attacks with these 6 events
Finding attacks with these 6 eventsMichael Gough
 
67 Php. Superponer, Rotar Y Dotar De Transparencia A Imagenes
67 Php. Superponer, Rotar Y Dotar De Transparencia A Imagenes67 Php. Superponer, Rotar Y Dotar De Transparencia A Imagenes
67 Php. Superponer, Rotar Y Dotar De Transparencia A ImagenesJosé M. Padilla
 
Glocharid - Subproyecto 9 - Cambios de uso del suelo y abandono de tierras
Glocharid - Subproyecto 9 - Cambios de uso del suelo y abandono de tierrasGlocharid - Subproyecto 9 - Cambios de uso del suelo y abandono de tierras
Glocharid - Subproyecto 9 - Cambios de uso del suelo y abandono de tierrasCAESCG.org
 
Activitat2
Activitat2Activitat2
Activitat2luzzatti
 
Soluciones en tecnología y procesos de ingeniería sa
Soluciones en tecnología y procesos de ingeniería saSoluciones en tecnología y procesos de ingeniería sa
Soluciones en tecnología y procesos de ingeniería saMauricio Marquez
 
Nodo23
Nodo23Nodo23
Nodo23nodo23
 

Viewers also liked (20)

Braga
BragaBraga
Braga
 
Visita Junta General 20 diciembre
Visita Junta General 20 diciembreVisita Junta General 20 diciembre
Visita Junta General 20 diciembre
 
Ficha información padres Visita Junta General
Ficha información padres Visita Junta GeneralFicha información padres Visita Junta General
Ficha información padres Visita Junta General
 
Virtual Reality Workshop (3/13/2017)
Virtual Reality Workshop (3/13/2017)Virtual Reality Workshop (3/13/2017)
Virtual Reality Workshop (3/13/2017)
 
A Brief Study on Different Intrusions and Machine Learning-based Anomaly Dete...
A Brief Study on Different Intrusions and Machine Learning-based Anomaly Dete...A Brief Study on Different Intrusions and Machine Learning-based Anomaly Dete...
A Brief Study on Different Intrusions and Machine Learning-based Anomaly Dete...
 
Introduction to Python for Security Professionals
Introduction to Python for Security ProfessionalsIntroduction to Python for Security Professionals
Introduction to Python for Security Professionals
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware Analysis
 
Softcat Splunk Discovery Day Manchester, March 2017
Softcat Splunk Discovery Day Manchester, March 2017Softcat Splunk Discovery Day Manchester, March 2017
Softcat Splunk Discovery Day Manchester, March 2017
 
The Error of Our Ways
The Error of Our WaysThe Error of Our Ways
The Error of Our Ways
 
Introduction to Digital Life (March 2017)
Introduction to Digital Life (March 2017)Introduction to Digital Life (March 2017)
Introduction to Digital Life (March 2017)
 
Gartner IAM London 2017 Session - Security, Standards & User Experience: The ...
Gartner IAM London 2017 Session - Security, Standards & User Experience: The ...Gartner IAM London 2017 Session - Security, Standards & User Experience: The ...
Gartner IAM London 2017 Session - Security, Standards & User Experience: The ...
 
Finding attacks with these 6 events
Finding attacks with these 6 eventsFinding attacks with these 6 events
Finding attacks with these 6 events
 
Sesion de aprendizaje 17-08-15
Sesion de aprendizaje 17-08-15Sesion de aprendizaje 17-08-15
Sesion de aprendizaje 17-08-15
 
Dentro De Ti
Dentro De TiDentro De Ti
Dentro De Ti
 
67 Php. Superponer, Rotar Y Dotar De Transparencia A Imagenes
67 Php. Superponer, Rotar Y Dotar De Transparencia A Imagenes67 Php. Superponer, Rotar Y Dotar De Transparencia A Imagenes
67 Php. Superponer, Rotar Y Dotar De Transparencia A Imagenes
 
Virus Y Antivirus
Virus Y AntivirusVirus Y Antivirus
Virus Y Antivirus
 
Glocharid - Subproyecto 9 - Cambios de uso del suelo y abandono de tierras
Glocharid - Subproyecto 9 - Cambios de uso del suelo y abandono de tierrasGlocharid - Subproyecto 9 - Cambios de uso del suelo y abandono de tierras
Glocharid - Subproyecto 9 - Cambios de uso del suelo y abandono de tierras
 
Activitat2
Activitat2Activitat2
Activitat2
 
Soluciones en tecnología y procesos de ingeniería sa
Soluciones en tecnología y procesos de ingeniería saSoluciones en tecnología y procesos de ingeniería sa
Soluciones en tecnología y procesos de ingeniería sa
 
Nodo23
Nodo23Nodo23
Nodo23
 

Similar to BSidesJXN 2016: Finding a Company's BreakPoint

Andrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.pptAndrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.pptSilverGold16
 
Andrew and Zac RVA-Beyond-Automated-Testing-2016.ppt
Andrew and Zac RVA-Beyond-Automated-Testing-2016.pptAndrew and Zac RVA-Beyond-Automated-Testing-2016.ppt
Andrew and Zac RVA-Beyond-Automated-Testing-2016.pptBUSHRASHAIKH804312
 
Hacking 1224807880385377-9
Hacking 1224807880385377-9Hacking 1224807880385377-9
Hacking 1224807880385377-9Geoff Pesimo
 
Network And Application Layer Attacks
Network And Application Layer AttacksNetwork And Application Layer Attacks
Network And Application Layer AttacksArun Modi
 
The Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A PrimerThe Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A Primeramiable_indian
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing BasicsRick Wanner
 
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beau Bullock
 
Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Stephan Chenette
 
How to stay protected against ransomware
How to stay protected against ransomwareHow to stay protected against ransomware
How to stay protected against ransomwareSophos Benelux
 
Ethical Hacking : Why Do Hackers Attack And How ?
Ethical Hacking : Why Do Hackers Attack And How ?Ethical Hacking : Why Do Hackers Attack And How ?
Ethical Hacking : Why Do Hackers Attack And How ?HBServices7
 

Similar to BSidesJXN 2016: Finding a Company's BreakPoint (20)

Hacking
HackingHacking
Hacking
 
Hacking
HackingHacking
Hacking
 
Andrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.pptAndrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.ppt
 
Hacking tutorial
Hacking tutorialHacking tutorial
Hacking tutorial
 
Hacking In Detail
Hacking In DetailHacking In Detail
Hacking In Detail
 
Andrew and Zac RVA-Beyond-Automated-Testing-2016.ppt
Andrew and Zac RVA-Beyond-Automated-Testing-2016.pptAndrew and Zac RVA-Beyond-Automated-Testing-2016.ppt
Andrew and Zac RVA-Beyond-Automated-Testing-2016.ppt
 
Hacking 1224807880385377-9
Hacking 1224807880385377-9Hacking 1224807880385377-9
Hacking 1224807880385377-9
 
Network And Application Layer Attacks
Network And Application Layer AttacksNetwork And Application Layer Attacks
Network And Application Layer Attacks
 
Hacking by Pratyush Gupta
Hacking by Pratyush GuptaHacking by Pratyush Gupta
Hacking by Pratyush Gupta
 
Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004
 
Hacking
HackingHacking
Hacking
 
Hacking and its Defence
Hacking and its DefenceHacking and its Defence
Hacking and its Defence
 
The Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A PrimerThe Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A Primer
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
 
Hack the hack
Hack the hackHack the hack
Hack the hack
 
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
 
Windows network
Windows networkWindows network
Windows network
 
Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012
 
How to stay protected against ransomware
How to stay protected against ransomwareHow to stay protected against ransomware
How to stay protected against ransomware
 
Ethical Hacking : Why Do Hackers Attack And How ?
Ethical Hacking : Why Do Hackers Attack And How ?Ethical Hacking : Why Do Hackers Attack And How ?
Ethical Hacking : Why Do Hackers Attack And How ?
 

Recently uploaded

Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 

Recently uploaded (20)

Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 

BSidesJXN 2016: Finding a Company's BreakPoint

  • 1. Finding a Company’s BreakPoint By: Zack Meyers & Andrew McNicol
  • 3. Agenda ~$ whoami Overview Our Methodology How to Go Beyond a Scan 1. Phishing 2. Web Application Vulnerabilities 3. Multicast Name Resolution Poisoning 4. SMB Relay Attacks 5. Account Compromise Final Thoughts and Tips Useful Training and Links
  • 4. ~$ whoami Zack Meyers (@b3armunch) Andrew McNicol (@primalsec) Red Team @BreakPoint Labs (@0xcc_labs) Bloggers/Podcasters @Primal Security (@primalsec) Past: BSidesCHARM, BSidesDC, RVASec Certification Junkies (OSCE, OSCP, GWAPT, GPEN etc.) Python, CTFs, Learning, long walks on the beach ( @AnnapolisSec)
  • 5. Things Have Changed Since the 90s
  • 6. Overview Goal: Break the mindset of “Scan then Exploit” Cover 5 ways we commonly break into a network: 1. Phishing 2. Web Application Vulnerabilities 3. Multicast Name Resolution Poisoning 4. SMB Relay Attacks 5. Account Compromise
  • 7. Our Methodology (High Level) Planning and Scoping Reconnaissance Mapping Automated Testing Manual Testing Reporting Remediation Support
  • 8. How to Go Beyond a Scan 1. Mindset: Fail 1000s of times and Continue Trying 2. Recon + Mapping: Find Systems + Content Others Have Missed 3. Automated Testing: Run the appropriate tool for the job 4. Manual Testing: Identify, Understand, and Fuzz all Areas of Input Research all Version Specific Vulnerabilities Combine Findings, Remove False Positives, and Abuse Features 1. Reporting: Highlight Business Impact
  • 9. 1. Phishing [surprise] Phishing actually works. [/surprise] Here is the process we generally follow: 1. Planning: Goals, ROE, what happens when the user clicks? 2. Determine Scenario: Ransomware, Targeted, etc. 3. Determine Phishing Domains 4. Find Vulnerabilities: Email Spoofing 5. Execute the Engagement Full Blog Here: https://breakpoint-labs.com/phishing/
  • 10. 1. Phishing: Planning Work with the customer to understand their needs for the Phishing campaign (Compliance, Part of a larger engagement, etc.) We prefer to send email via Python (smtp module) We generally perform these three types of engagements: 1. Click Analysis: Determine how many users clicked a link 2. Credential Gathering: Prompt for Credentials 3. Execute Code: PowerShell, Office Macros, HTAs, etc.
  • 11. CEOs Reaction to Opening to Phishing Email
  • 12. 1. Phishing: Scenario 2 Main Types of Scenarios: Common Malware, and Targeted Attacker UPS Tracking Ransomware: Cloned Site + Password Prompt:
  • 13. 1. Phishing: Phishing Domains The scenario will determine what domains we leverage If our goal is to perform a more targeted attack we will attempt use a similar domain to the target organization and clone login portals: breakpoint-labs.com vs. breakpoint-lab.com If our goal is more common threat we will emulate those TTPs: ups-pkgtracker.com Its important to submit domains to web content filters/proxies
  • 14. 1. Phishing: Finding Vulnerabilities
  • 15. 1. Phishing: Finding Vulnerabilities Outlook client – Email below is sent from a Gmail account:
  • 16. 1. Phishing: Execute Code Click Analysis: We generally use Python to send email + create a unique link per email to targets Credential Grabbing: We generally use PHP to prompt for credentials Execute Code: Usually leverage Empire (Office Macro, HTA method)
  • 17. Is your input being presented on the screen? -> XSS Is your input calling on stored data? -> SQLi Does input generate an action to an external service? -> SSRF Does your input call on a local or remote file? -> File Inclusion Does your input end up on the file system? -> File Upload Does your input cause another page to load? -> Redirect Vulns Can we enumerate technology and versions? -> Lots of Vulns 2. Web Application Vulnerabilities
  • 18. 2. Web App Vulns: File Inclusion File Inclusion vulns can lead to code execution “php include()” Sometimes they are limited to just file inclusion “php echo()” LFIs normally require you to get your input on disk then include the affected resource (log poisoning) RFIs are normally easier to exploit as you can point them to an external resource containing your code
  • 19. 2. Web App Vulns: Step 1 Unlinked resource “debug.php”- HTTP 200 OK and blank screen
  • 20. 2. Web App Vulns: Step 2 Unlinked resource “debug.php”- HTTP 200 OK and blank screen
  • 21. 2. Web App Vulns: Step 2 Never underestimate the power of a good lunch!
  • 22. 2. Web App Vulns: Step 3 Parameters are fuzzed to enumerate inputs. "page=test" gives back a different response "Failed opening 'test' for inclusion”
  • 23. 2. Web App Vulns: Step 4 Attempt to execute code: 1.php = <?php system(‘id’);?>
  • 24. 2. Web App Vulns: Step 5 IN REAL LIFE: The web service was running as SYSTEM!
  • 25. 3. Multicast Name Resolution Poisoning A majority of the time internal networks will have name resolution traffic enabled with the following protocols: Link-Local Multicast Name Resolution (LLMNR) Netbios Name (NBT-NS) services. Multicast DNS (mDNS) By listening, intercepting and manipulating name resolution traffic an attacker can redirect authentication traffic and perform Man in the Middle (MITM) attacks.
  • 27. 3. Enter Responder.py Responder is a Python script that aids in: Multicast Protocol Poisoning (LLMNR, NBT-NS, mDNS) WPAD Spoofing (Web Proxy Auto Discovery) using a non authorized server as a proxy server for all HTTP requests to the Internet. MITM Attacks (Intercepting credential exchanges between hosts leading to password cracking, pass the hash, SMB relay attacks, etc.) Rouge Server Services (SMTP, IMAP, POP3, SMB, Kerberos, FTP, HTTP, HTTPS, DNS, LDAP, SQL, etc.)
  • 28. 3. Responder.py - Use Case 1 Rouge Services Syntax: ~$ responder -I eth0 -f
  • 29. 3. Responder.py - Use Case 2 WPAD Syntax: ~$ responder -I eth0 -bw
  • 30. 3. Responder.py - Use Case 3 Analyze Syntax: ~$ responder -I eth0 -A
  • 31. 3. Prevent Multicast Name Communication Attacks Preventing multicast communication attacks through: Disable Broadcast Protocols: LLMNR (Link Local Multicast Name Resolution) and NBNS (NetBios Name Resolution) Prevent WPAD Poisoning w/ WPAD file entries in DNS Segment the local networks with VLANS to prevent impact Ensure that only NTLMv2 is in use rather than LM and NTLM
  • 32. 4. SMB Relay Attacks SMB relay attacks occur once an attacker inserts themselves in between the NTLM Challenge/Response protocol exchange. The attacker needs the victim to initiate an HTTP or SMB connection. This initiation can occur often from either: LLMNR/NBNS spoofing Automated processes attempting to authenticate to systems (ex. patch management, antivirus updates, vulnerability scanners, custom admin scripts, etc.)
  • 33. So You Started a Scan
  • 34. 4. SMB Relay Attack Visual: Automated Process
  • 35. 4. SMB Relay Attack: Multicast Poisoning Attackers IP: 192.168.56.103 Windows Client (Target): 192.168.56.105 Windows DC: 192.168.56.102
  • 36. 4. SMB Relay Attack: Multicast Poisoning Cont. Attackers IP: 192.168.56.103 Windows Client (Target): 192.168.56.105 Windows DC: 192.168.56.102
  • 37. 4. SMB Relay Attack: Multicast Poisoning Cont. Attackers IP: 192.168.56.103 Windows Client (Target): 192.168.56.105 Windows DC: 192.168.56.102
  • 38. 4. SMB Relay Attack: Nessus Scanner Scenario
  • 39. 4. Prevent SMB Relay Attacks Preventing SMB relay attacks through: Require SMB Signing Disable Broadcast Protocols: LLMNR (Link Local Multicast Name Resolution) and NBNS (NetBios Name Resolution) Prevent WPAD Poisoning w/ WPAD file entries in DNS Prevent SMB Traffic Outbound Enable EPA (Extended Protection and Authentication)
  • 41. 5. Account Compromise Combines several vulnerabilities to demonstrate risk: - Username enumeration (Low) + - Lack of Automation Controls (Low) + - Lack of Password Complexity Reqs (Low) = - Account Compromise (Critical)
  • 42. 5. Acct Comp: Username Enumeration Password Reset Feature “Email address not found” Login Error Message “Invalid Username”’ Contact Us Features “Which Admin do you want to contact?” Timing for login Attempts: Valid = 0.4 secs Invalid = 15 secs User Registration “Username already exists” Various error messages, and HTML source Google Hacking and OSINT Sometimes the application tells you
  • 43. 5. Acct Comp: Automation Controls Pull the auth request up in Burp’s Repeater and try it a few times No sign of automation controls? -> Burp Intruder - No account lockout - Non-existent or Weak CAPTCHA - Main login is strong, but others? (Mobile Interface, API, etc.)
  • 44. 5. Acct Comp: Weak Passwords We as humans are bad at passwords…here are some tricks: - Password the same as username - Variations of “password”: “p@ssw0rd”… - Month+Year, Season+Year: winter2015… - Company Name + year - Keyboard Walks – PW Generator: “!QAZ2wsx” Lots of wordlists out there, consider making a targeted wordlist Research the targeted user’s interests and build lists around those interests
  • 45. 5. Acct Comp: Default and Shared Attempt to brute force across all the things Brute Force Tools: Burp Suite’s Intruder, Hydra, CrackMapExec, MSF SMB modules, Nmap, etc. Always try default creds for any given technology We commonly see shared Linux root creds, and shared Windows local admin creds across the entire enterprise
  • 46. Final Thoughts and Tips Use Shodan and Censys.io for external reconnaissance Make sure you investigate shares (enum4linux) Unlinked Content enumeration on web applications is key Passwords written down on sticky notes? Yea usually Can you reset a PW via the Help Desk? Put a focus on feature abuse: What does the technology let you do? How can you abuse that functionality? Once you get valid credentials try them across all the things
  • 47. Useful Trainings & Links Free Training: Cybrary CTFs: Vulnhub, Past CTF Writeups, Pentester Lab Training: Offensive Security, SANS, SecurityTube Book: Web Application Hackers Handbook • Book: Black Hat Python • Talks: IronGeek (Adrian Crenshaw’s) YouTube Channel • Talk: How to Shot Web - Jason Haddix • Talk: How to be an InfoSec Geek - Primal Security • Talk: File in the hole! - Soroush Dalili • Talk: Exploiting Deserialization Vulnerabilities in Java • Talk: Polyglot Payloads in Practice - Marcus Niemietz • Talk: Running Away From Security - Micah Hoffman • Talk: Beyond Automated Testing – Us! • GitHub Resource: Security Lists For Fun & Profit
  • 48. Contact Us Site: https://www.breakpoint-labs.com Email: info@breakpoint-labs.com Twitter: @0xcc_labs