SlideShare a Scribd company logo

Attacker Ghost Stories - ShmooCon 2014

Rob Fuller
Rob Fuller

Talk that I gave at ShmooCon 2014 in the One Track Mind track.

Technology
1 of 58
Download to read offline
Attacker Ghost Stories Mostly free defenses that give attackers nightmares
20
Invoking HD. Moore Mode
About me... Mubix “Rob” Fuller Father Husband NoVA Hacker Marine o  o  o  o 
Why are we here?
Untitled Slide
Untitled Slide
Attribution Slide
Attribution Retribution Slide
Attribution Retribution Slide
Why are we here?
Why are we here? o  We want to learn how to attack or defend better. o  We want to hang out in “Lobby Con” o  We want to test our skills against the badge contest, GITS, Wireless CTF or Hack Fortress o  We are afraid of Heidi’s wrath if we don’t show up (staff) o  4 the lulz
I’m a security tree hugger. I’m here to make the world a better place.
Lets share the commonalities of attacks, and care about the effectiveness of our defenses.
EMET (Enhanced Mitigation Experience Toolkit) What is EMET? o  http://www.microsoft.com/emet o  Think of it like a big bouncer that protects any kind of memory funny business, but only for things you tell it to protect Deployable by GPO Logs FREE o  o  o 
Protections
What about EMET bypasses? http://goo.gl/QrJZdd
Another good resource about EMET http://goo.gl/ELlBsi
Block Java UA at the Proxy o Java apps (exploits) require the use of Java, which uses it’s own User-Agent STEP 1
Internet Explorer User Agent Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/ 4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MS-RTC LM 8; InfoPath.3; .NET4.0C; .NET4.0E) chromeframe/8.0.552.224
Block Java UA at the Proxy Examples: JNLP/6.0 javaws/1.6.0_29 Java/1.6.0_26 Mozilla/4.0 (Windows 7 6.1) Java/ 1.7.0_45
Block Java UA at the Proxy o Java apps (exploits) require the use of Java, which uses it’s own User-Agent STEP 2
Block Java UA at the Proxy o Java apps (exploits) require the use of Java, which uses it’s own User-Agent STEP 3 This never happens if they can’t pull the code!
Block Java UA at the Proxy o Java apps (exploits) require the use of Java, which uses it’s own User-Agent Pull a report of every domain your users went to using the Java User-Agent. Parse the list and make them the exclusions. FREE Stops java exploits loaded by a browser. Attacker cannot modify UA pre-exploit o  o  o  o 
Update: Block Java UA at the Proxy And according to “Z” this works for SSL too http://goo.gl/4mtwqN
Block Java UA at the Proxy Oh yea, it protects Macs too…
Logging / Vuln Scanning / AV / HIPS o PWDump removed on an internal IIS box doesn’t mean the job is done. Logon alerting - ADAudit Plus (only product in this presentation simply because I can’t find anyone else who does it) (Netwrix?) HIPS (enable the prevention part) Vuln Scanning is what a tool does. Lets start Vuln Reporting. Get your pentester/red team involved! o  o  o  o 
Crowdsourcing Security Security Incident / Phishing Incentive Program Reward “top” users for reporting malicious or “phishy” content. Make a big deal out of it (company / section wide emails) Every employee becomes an IDS Quarterly “Think Evil” games o  o  o  o 
Crowdsourcing Security Internal Bug Bounty Program Developers Developers Developers …. Incorporate the entire company though, if anyone reports a bug in a system they don’t own, they’ll be entered in the bounty. o  o  o Make it _EASY_ o Payout in gift cards instead of incident response and forensics
Port-forwarding Honeypots If you have public IP space, use it. 1.  Spin up a VPS (Like Linode) 2.  Add vulnerable looking software to the VPS 3.  Install snort / other sensor on the VPS 4.  Port forward 80, 1433, etc on your IP to the VPS via your firewall. 5.  Watch as attacks roll in without endangering your infrastructure at all. Note: Don’t share passwords from real infrastructure to VPS.
WPAD My _favorite_ vulnerability:
WPAD o Make null routed (127.0.0.1) DNS entry for WPAD Make null routed (::1) for DNS entry WPADWPADWPAD Disable NetBIOS resolution domain wide. Your DNS servers can handle it. It’s also a privacy concern NetBIOS traffic is broadcasted to everyone FREE o  o  o  o 
DNS o There is no reason a user needs to resolve Google.com internally Let your web proxies do all the DNS FREE Turn off forward lookups on your internal DNS servers. Point your proxies at DNS servers that only they are allowed to use. o  o  o  o 
Dump your own hashes!
Dump your own hashes! o Crackers o  o  John the Ripper Rockyou.txt o Dumpers o  o  o  o  Depends… Goes back to the, “don’t use code you don’t trust”. List by Bernardo Damele - http://goo.gl/wDpJHc Ask your Pentesters/Red Teamers to do the dump and maybe even the audit. They will jump at it. o  (under supervision)
Authenticated Splash Proxies o Use a web form with fields other than “username=” and “password=” Block all “uncategorized” Splash page requirement (every domain is blocked every day, first person to go to the page is shown a big red button that says “approve this domain”) any automated C2 will fail. o  o 
Authenticated Splash Proxies THIS DOMAIN HAS BEEN BLOCKED! Don’t worry, this could be the first time today someone is attempting to go there. Click on “UNBLOCK” to ALLOW THIS DOMAIN THROUGH UNBLOCK BLOCK
Evil Canaries o  Domain User called “DomainAdmin_Temp” with password in the description, and actually in Domain Admins group. Logon hours was 0. CAUGHT o  Public share called “Password Audit 2014”, EXLS docs about 4 MB, but “Everyone:Deny” permission. CAUGHT o  Computer called BACKUPDB, with out of date version of MySQL on Windows. CAUGHT
Evil Canaries o  Web developer made .htaccess file forward common scanner (ala /nikto.html) requests to custom 402 (Payment Required) page, correlated hits and alerted. CAUGHT o  Credit card database: http:// www.getcreditcardnumbers.com/ CAUGHT o  VPN main page edited to include “default” credentials in HTML source. CAUGHT
Evil Canaries o  Web server had /admin/login.html and supposedly tied to AD which always returned “SUCCESS” but didn’t do anything except, report what creds were used, browser and IP information. CAUGHT o  Machine that does absolutely nothing, saw traffic to port 23 (not listening). CAUGHT
Tell your helpdesk! o Most of your actionable security alerts go through your helpdesk. Stop leaving them out of the loop. o 
Thank you •  Heidi & Bruce •  Shmoo Staff •  And the countless people who listened to me practice this talk ahead of time in prep for today.
Contact Me Rob Fuller @mubix Blog - http://www.room362.com/ Wiki - http://pwnwiki.io/ Email - mubix@hak5.org Campfire image from http://campfirewtx.org/wp-content/uploads/2013/11/campfire-pic.jpg
Appendix I - Psychology The attacker is on your turf. Hackers freeze when they think they are caught. Nation states have “visibility assessment protocols” that take time. The more you can cause a visibility score to go up either by perceived or actual detection will cause more intelligence opportunities on the defence side.
Appendix II - Other free wins o  Monitor anything that is tied to AD and is accessible from the Internet. OWA / MDM / SharePoint / VPN, or your web site. o  Baseline internal network traffic. Spider patterns mean scanning. o  MAC addresses that aren’t in the same OUI class should be investigated. (DELL/HP/ Wewei)
Appendix II - Other free wins o  Allow users a way to specify when they are on vacation. Or integrate your vacation system with the authentication alerting system. If the user isn’t there, there shouldn’t be authenticating to anything be email and maybe the VPN for you workaholics.

Recommended

Practical Exploitation - Webappy Style
Practical Exploitation - Webappy StylePractical Exploitation - Webappy Style
Practical Exploitation - Webappy StyleRob Fuller
 
Writing malware while the blue team is staring at you
Writing malware while the blue team is staring at youWriting malware while the blue team is staring at you
Writing malware while the blue team is staring at youRob Fuller
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new blackRob Fuller
 
RIT 2009 Intellectual Pwnership
RIT 2009 Intellectual PwnershipRIT 2009 Intellectual Pwnership
RIT 2009 Intellectual PwnershipRob Fuller
 
A @textfiles approach to gathering the world's DNS
A @textfiles approach to gathering the world's DNSA @textfiles approach to gathering the world's DNS
A @textfiles approach to gathering the world's DNSRob Fuller
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassThe Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassRob Fuller
 
NotaCon 2011 - Networking for Pentesters
NotaCon 2011 - Networking for PentestersNotaCon 2011 - Networking for Pentesters
NotaCon 2011 - Networking for PentestersRob Fuller
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Rob Fuller
 

Recommended

Practical Exploitation - Webappy Style
Practical Exploitation - Webappy StylePractical Exploitation - Webappy Style
Practical Exploitation - Webappy StyleRob Fuller
 
Writing malware while the blue team is staring at you
Writing malware while the blue team is staring at youWriting malware while the blue team is staring at you
Writing malware while the blue team is staring at youRob Fuller
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new blackRob Fuller
 
RIT 2009 Intellectual Pwnership
RIT 2009 Intellectual PwnershipRIT 2009 Intellectual Pwnership
RIT 2009 Intellectual PwnershipRob Fuller
 
A @textfiles approach to gathering the world's DNS
A @textfiles approach to gathering the world's DNSA @textfiles approach to gathering the world's DNS
A @textfiles approach to gathering the world's DNSRob Fuller
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassThe Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassRob Fuller
 
NotaCon 2011 - Networking for Pentesters
NotaCon 2011 - Networking for PentestersNotaCon 2011 - Networking for Pentesters
NotaCon 2011 - Networking for PentestersRob Fuller
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Rob Fuller
 
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - [ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - Zoltan Balazs
 
Attacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkAttacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkChris Gates
 
Metasploit magic the dark coners of the framework
Metasploit magic the dark coners of the frameworkMetasploit magic the dark coners of the framework
Metasploit magic the dark coners of the frameworkRob Fuller
 
Think Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsThink Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsMark Ginnebaugh
 
Zombilizing The Web Browser Via Flash Player 9
Zombilizing The Web Browser Via Flash Player 9Zombilizing The Web Browser Via Flash Player 9
Zombilizing The Web Browser Via Flash Player 9thaidn
 
BSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be HuntedBSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be HuntedAlex Davies
 
Attacking Big Data Land
Attacking Big Data LandAttacking Big Data Land
Attacking Big Data LandJeremy Brown
 
Introducing PS>Attack: An offensive PowerShell toolkit
Introducing PS>Attack: An offensive PowerShell toolkitIntroducing PS>Attack: An offensive PowerShell toolkit
Introducing PS>Attack: An offensive PowerShell toolkitjaredhaight
 
Flash it baby!
Flash it baby!Flash it baby!
Flash it baby!Soroush Dalili
 
How to convince a malware to avoid us
How to convince a malware to avoid usHow to convince a malware to avoid us
How to convince a malware to avoid usCsaba Fitzl
 
Docker Plugin For DevSecOps
Docker Plugin For DevSecOpsDocker Plugin For DevSecOps
Docker Plugin For DevSecOpsPichaya Morimoto
 
Hacking the future with USB HID
Hacking the future with USB HIDHacking the future with USB HID
Hacking the future with USB HIDNikhil Mittal
 
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...RootedCON
 
Unsecuring SSH
Unsecuring SSHUnsecuring SSH
Unsecuring SSHJeremy Brown
 
Hacking Windows 95 #33c3
Hacking Windows 95 #33c3Hacking Windows 95 #33c3
Hacking Windows 95 #33c3Zoltan Balazs
 
44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON
 
Advances in BeEF - AthCon2012
Advances in BeEF - AthCon2012Advances in BeEF - AthCon2012
Advances in BeEF - AthCon2012Michele Orru
 
Cloud forensics putting the bits back together
Cloud forensics putting the bits back togetherCloud forensics putting the bits back together
Cloud forensics putting the bits back togetherShakacon
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016bugcrowd
 
20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanismsCsaba Fitzl
 
Intro to White Chapel
Intro to White ChapelIntro to White Chapel
Intro to White ChapelRob Fuller
 
Classification Station
Classification StationClassification Station
Classification StationJake Kotter
 

More Related Content

What's hot

[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - [ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - Zoltan Balazs
 
Attacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkAttacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkChris Gates
 
Metasploit magic the dark coners of the framework
Metasploit magic the dark coners of the frameworkMetasploit magic the dark coners of the framework
Metasploit magic the dark coners of the frameworkRob Fuller
 
Think Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsThink Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsMark Ginnebaugh
 
Zombilizing The Web Browser Via Flash Player 9
Zombilizing The Web Browser Via Flash Player 9Zombilizing The Web Browser Via Flash Player 9
Zombilizing The Web Browser Via Flash Player 9thaidn
 
BSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be HuntedBSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be HuntedAlex Davies
 
Attacking Big Data Land
Attacking Big Data LandAttacking Big Data Land
Attacking Big Data LandJeremy Brown
 
Introducing PS>Attack: An offensive PowerShell toolkit
Introducing PS>Attack: An offensive PowerShell toolkitIntroducing PS>Attack: An offensive PowerShell toolkit
Introducing PS>Attack: An offensive PowerShell toolkitjaredhaight
 
How to convince a malware to avoid us
How to convince a malware to avoid usHow to convince a malware to avoid us
How to convince a malware to avoid usCsaba Fitzl
 
Docker Plugin For DevSecOps
Docker Plugin For DevSecOpsDocker Plugin For DevSecOps
Docker Plugin For DevSecOpsPichaya Morimoto
 
Hacking the future with USB HID
Hacking the future with USB HIDHacking the future with USB HID
Hacking the future with USB HIDNikhil Mittal
 
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...RootedCON
 
Hacking Windows 95 #33c3
Hacking Windows 95 #33c3Hacking Windows 95 #33c3
Hacking Windows 95 #33c3Zoltan Balazs
 
44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON
 
Advances in BeEF - AthCon2012
Advances in BeEF - AthCon2012Advances in BeEF - AthCon2012
Advances in BeEF - AthCon2012Michele Orru
 
Cloud forensics putting the bits back together
Cloud forensics putting the bits back togetherCloud forensics putting the bits back together
Cloud forensics putting the bits back togetherShakacon
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016bugcrowd
 
20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanismsCsaba Fitzl
 

What's hot (20)

[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - [ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
 
Attacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkAttacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit Framework
 
Metasploit magic the dark coners of the framework
Metasploit magic the dark coners of the frameworkMetasploit magic the dark coners of the framework
Metasploit magic the dark coners of the framework
 
Think Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsThink Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack Vectors
 
Zombilizing The Web Browser Via Flash Player 9
Zombilizing The Web Browser Via Flash Player 9Zombilizing The Web Browser Via Flash Player 9
Zombilizing The Web Browser Via Flash Player 9
 
BSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be HuntedBSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be Hunted
 
Attacking Big Data Land
Attacking Big Data LandAttacking Big Data Land
Attacking Big Data Land
 
Introducing PS>Attack: An offensive PowerShell toolkit
Introducing PS>Attack: An offensive PowerShell toolkitIntroducing PS>Attack: An offensive PowerShell toolkit
Introducing PS>Attack: An offensive PowerShell toolkit
 
Flash it baby!
Flash it baby!Flash it baby!
Flash it baby!
 
How to convince a malware to avoid us
How to convince a malware to avoid usHow to convince a malware to avoid us
How to convince a malware to avoid us
 
Docker Plugin For DevSecOps
Docker Plugin For DevSecOpsDocker Plugin For DevSecOps
Docker Plugin For DevSecOps
 
Hacking the future with USB HID
Hacking the future with USB HIDHacking the future with USB HID
Hacking the future with USB HID
 
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
 
Unsecuring SSH
Unsecuring SSHUnsecuring SSH
Unsecuring SSH
 
Hacking Windows 95 #33c3
Hacking Windows 95 #33c3Hacking Windows 95 #33c3
Hacking Windows 95 #33c3
 
44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?
 
Advances in BeEF - AthCon2012
Advances in BeEF - AthCon2012Advances in BeEF - AthCon2012
Advances in BeEF - AthCon2012
 
Cloud forensics putting the bits back together
Cloud forensics putting the bits back togetherCloud forensics putting the bits back together
Cloud forensics putting the bits back together
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
 
20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms
 

Viewers also liked

Intro to White Chapel
Intro to White ChapelIntro to White Chapel
Intro to White ChapelRob Fuller
 
Classification Station
Classification StationClassification Station
Classification StationJake Kotter
 
The COCH project
The COCH projectThe COCH project
The COCH projectaskroll
 
Mobile Marketing
Mobile MarketingMobile Marketing
Mobile Marketingsaafro
 
The Changing Landscape of Public Relations
The Changing Landscape of Public RelationsThe Changing Landscape of Public Relations
The Changing Landscape of Public RelationsGlen Turpin
 
Software development is hard
Software development is hardSoftware development is hard
Software development is hardEd Wong
 
Marketing management
Marketing managementMarketing management
Marketing managementsutrisno2629
 
Self-Defense and the Roots of Black Power
Self-Defense and the Roots of Black PowerSelf-Defense and the Roots of Black Power
Self-Defense and the Roots of Black Powerguestec98d1
 
Presentation1[1]
Presentation1[1]Presentation1[1]
Presentation1[1]elsiegel
 
Public Transport vs. Cars in Suburban Areas
Public Transport vs. Cars in Suburban AreasPublic Transport vs. Cars in Suburban Areas
Public Transport vs. Cars in Suburban Areasjacquihut
 
Paradox Of Our Times
Paradox Of Our TimesParadox Of Our Times
Paradox Of Our Timessutrisno2629
 
December 2009 TeachStreet Teacher Webinar & Meet-up
December 2009 TeachStreet Teacher Webinar & Meet-upDecember 2009 TeachStreet Teacher Webinar & Meet-up
December 2009 TeachStreet Teacher Webinar & Meet-upTeachStreet
 
Becoming Accidental Entrepreneurs
Becoming Accidental Entrepreneurs Becoming Accidental Entrepreneurs
Becoming Accidental Entrepreneurs Natalie Downe
 

Viewers also liked (20)

Intro to White Chapel
Intro to White ChapelIntro to White Chapel
Intro to White Chapel
 
Classification Station
Classification StationClassification Station
Classification Station
 
The COCH project
The COCH projectThe COCH project
The COCH project
 
Mobile Marketing
Mobile MarketingMobile Marketing
Mobile Marketing
 
The Changing Landscape of Public Relations
The Changing Landscape of Public RelationsThe Changing Landscape of Public Relations
The Changing Landscape of Public Relations
 
Software development is hard
Software development is hardSoftware development is hard
Software development is hard
 
6. Games
6. Games6. Games
6. Games
 
Listings Update
Listings UpdateListings Update
Listings Update
 
Marketing management
Marketing managementMarketing management
Marketing management
 
Anger
AngerAnger
Anger
 
Self-Defense and the Roots of Black Power
Self-Defense and the Roots of Black PowerSelf-Defense and the Roots of Black Power
Self-Defense and the Roots of Black Power
 
Presentation1[1]
Presentation1[1]Presentation1[1]
Presentation1[1]
 
Innovating
InnovatingInnovating
Innovating
 
Public Transport vs. Cars in Suburban Areas
Public Transport vs. Cars in Suburban AreasPublic Transport vs. Cars in Suburban Areas
Public Transport vs. Cars in Suburban Areas
 
3. Transformatie
3. Transformatie3. Transformatie
3. Transformatie
 
Callme
CallmeCallme
Callme
 
Paradox Of Our Times
Paradox Of Our TimesParadox Of Our Times
Paradox Of Our Times
 
Benvinguda al curs de Perl
Benvinguda al curs de PerlBenvinguda al curs de Perl
Benvinguda al curs de Perl
 
December 2009 TeachStreet Teacher Webinar & Meet-up
December 2009 TeachStreet Teacher Webinar & Meet-upDecember 2009 TeachStreet Teacher Webinar & Meet-up
December 2009 TeachStreet Teacher Webinar & Meet-up
 
Becoming Accidental Entrepreneurs
Becoming Accidental Entrepreneurs Becoming Accidental Entrepreneurs
Becoming Accidental Entrepreneurs
 

Similar to Attacker Ghost Stories - ShmooCon 2014

Rob "Mubix" Fuller: Attacker Ghost Stories
Rob "Mubix" Fuller: Attacker Ghost StoriesRob "Mubix" Fuller: Attacker Ghost Stories
Rob "Mubix" Fuller: Attacker Ghost StoriesArea41
 
Dev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT SecurityDev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT SecurityMario Heiderich
 
Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Zoltan Balazs
 
Malware's Most Wanted: How to tell BADware from adware
Malware's Most Wanted: How to tell BADware from adwareMalware's Most Wanted: How to tell BADware from adware
Malware's Most Wanted: How to tell BADware from adwareCyphort
 
Ransomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itRansomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itZoltan Balazs
 
Ultimate Guide to Setup DarkComet with NoIP
Ultimate Guide to Setup DarkComet with NoIPUltimate Guide to Setup DarkComet with NoIP
Ultimate Guide to Setup DarkComet with NoIPPich Pra Tna
 
Step by Step on How to Setup DarkComet
Step by Step on How to Setup DarkCometStep by Step on How to Setup DarkComet
Step by Step on How to Setup DarkCometPich Pra Tna
 
Thinking Outside the Sand[box]
Thinking Outside the Sand[box]Thinking Outside the Sand[box]
Thinking Outside the Sand[box]Juniper Networks
 
DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity George Boobyer
 
Bug Bounty #Defconlucknow2016
Bug Bounty #Defconlucknow2016Bug Bounty #Defconlucknow2016
Bug Bounty #Defconlucknow2016Shubham Gupta
 
PLNOG16: Ochrona AntiDDoS, lokalnie oraz w chmurze, Paweł Wachełka
PLNOG16: Ochrona AntiDDoS, lokalnie oraz w chmurze, Paweł WachełkaPLNOG16: Ochrona AntiDDoS, lokalnie oraz w chmurze, Paweł Wachełka
PLNOG16: Ochrona AntiDDoS, lokalnie oraz w chmurze, Paweł WachełkaPROIDEA
 
Phd III - defending enterprise
Phd III - defending enterprise Phd III - defending enterprise
Phd III - defending enterprise F _
 
Cloud adoption fails - 5 ways deployments go wrong and 5 solutions
Cloud adoption fails - 5 ways deployments go wrong and 5 solutionsCloud adoption fails - 5 ways deployments go wrong and 5 solutions
Cloud adoption fails - 5 ways deployments go wrong and 5 solutionsYevgeniy Brikman
 
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...44CON
 
Teensy Programming for Everyone
Teensy Programming for EveryoneTeensy Programming for Everyone
Teensy Programming for EveryoneNikhil Mittal
 
Things that go bump on the web - Web Application Security
Things that go bump on the web - Web Application SecurityThings that go bump on the web - Web Application Security
Things that go bump on the web - Web Application SecurityChristian Heilmann
 
Embedded government espionage
Embedded government espionageEmbedded government espionage
Embedded government espionageMuts Byte
 
Web Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your websiteWeb Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your websiteAndrew Sorensen
 
Keynote fx try harder 2 be yourself
Keynote fx try harder 2 be yourselfKeynote fx try harder 2 be yourself
Keynote fx try harder 2 be yourselfDefconRussia
 
Two-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for EveryoneTwo-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for EveryonePaul Melson
 

Similar to Attacker Ghost Stories - ShmooCon 2014 (20)

Rob "Mubix" Fuller: Attacker Ghost Stories
Rob "Mubix" Fuller: Attacker Ghost StoriesRob "Mubix" Fuller: Attacker Ghost Stories
Rob "Mubix" Fuller: Attacker Ghost Stories
 
Dev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT SecurityDev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT Security
 
Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015
 
Malware's Most Wanted: How to tell BADware from adware
Malware's Most Wanted: How to tell BADware from adwareMalware's Most Wanted: How to tell BADware from adware
Malware's Most Wanted: How to tell BADware from adware
 
Ransomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itRansomware - what is it, how to protect against it
Ransomware - what is it, how to protect against it
 
Ultimate Guide to Setup DarkComet with NoIP
Ultimate Guide to Setup DarkComet with NoIPUltimate Guide to Setup DarkComet with NoIP
Ultimate Guide to Setup DarkComet with NoIP
 
Step by Step on How to Setup DarkComet
Step by Step on How to Setup DarkCometStep by Step on How to Setup DarkComet
Step by Step on How to Setup DarkComet
 
Thinking Outside the Sand[box]
Thinking Outside the Sand[box]Thinking Outside the Sand[box]
Thinking Outside the Sand[box]
 
DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity
 
Bug Bounty #Defconlucknow2016
Bug Bounty #Defconlucknow2016Bug Bounty #Defconlucknow2016
Bug Bounty #Defconlucknow2016
 
PLNOG16: Ochrona AntiDDoS, lokalnie oraz w chmurze, Paweł Wachełka
PLNOG16: Ochrona AntiDDoS, lokalnie oraz w chmurze, Paweł WachełkaPLNOG16: Ochrona AntiDDoS, lokalnie oraz w chmurze, Paweł Wachełka
PLNOG16: Ochrona AntiDDoS, lokalnie oraz w chmurze, Paweł Wachełka
 
Phd III - defending enterprise
Phd III - defending enterprise Phd III - defending enterprise
Phd III - defending enterprise
 
Cloud adoption fails - 5 ways deployments go wrong and 5 solutions
Cloud adoption fails - 5 ways deployments go wrong and 5 solutionsCloud adoption fails - 5 ways deployments go wrong and 5 solutions
Cloud adoption fails - 5 ways deployments go wrong and 5 solutions
 
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
 
Teensy Programming for Everyone
Teensy Programming for EveryoneTeensy Programming for Everyone
Teensy Programming for Everyone
 
Things that go bump on the web - Web Application Security
Things that go bump on the web - Web Application SecurityThings that go bump on the web - Web Application Security
Things that go bump on the web - Web Application Security
 
Embedded government espionage
Embedded government espionageEmbedded government espionage
Embedded government espionage
 
Web Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your websiteWeb Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your website
 
Keynote fx try harder 2 be yourself
Keynote fx try harder 2 be yourselfKeynote fx try harder 2 be yourself
Keynote fx try harder 2 be yourself
 
Two-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for EveryoneTwo-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for Everyone
 

More from Rob Fuller

Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?Rob Fuller
 
KiwiCon 2016 - Kicking Orion's Assets
KiwiCon 2016 - Kicking Orion's AssetsKiwiCon 2016 - Kicking Orion's Assets
KiwiCon 2016 - Kicking Orion's AssetsRob Fuller
 
As The Phish Turns
As The Phish TurnsAs The Phish Turns
As The Phish TurnsRob Fuller
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Rob Fuller
 
Memory Forensics for Pentesters: Firefox
Memory Forensics for Pentesters: FirefoxMemory Forensics for Pentesters: Firefox
Memory Forensics for Pentesters: FirefoxRob Fuller
 
From Couch To Career In 80 Hours
From Couch To Career In 80 HoursFrom Couch To Career In 80 Hours
From Couch To Career In 80 HoursRob Fuller
 

More from Rob Fuller (7)

Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?
 
KiwiCon 2016 - Kicking Orion's Assets
KiwiCon 2016 - Kicking Orion's AssetsKiwiCon 2016 - Kicking Orion's Assets
KiwiCon 2016 - Kicking Orion's Assets
 
GiTFO
GiTFOGiTFO
GiTFO
 
As The Phish Turns
As The Phish TurnsAs The Phish Turns
As The Phish Turns
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
 
Memory Forensics for Pentesters: Firefox
Memory Forensics for Pentesters: FirefoxMemory Forensics for Pentesters: Firefox
Memory Forensics for Pentesters: Firefox
 
From Couch To Career In 80 Hours
From Couch To Career In 80 HoursFrom Couch To Career In 80 Hours
From Couch To Career In 80 Hours
 

Recently uploaded

How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...itnewsafrica
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 

Recently uploaded (20)

How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 

Attacker Ghost Stories - ShmooCon 2014

  • 1. Attacker Ghost Stories Mostly free defenses that give attackers nightmares
  • 2. 20
  • 4. About me... Mubix “Rob” Fuller Father Husband NoVA Hacker Marine o  o  o  o 
  • 5. Why are we here?
  • 6.
  • 12. Why are we here?
  • 13. Why are we here? o  We want to learn how to attack or defend better. o  We want to hang out in “Lobby Con” o  We want to test our skills against the badge contest, GITS, Wireless CTF or Hack Fortress o  We are afraid of Heidi’s wrath if we don’t show up (staff) o  4 the lulz
  • 14. I’m a security tree hugger. I’m here to make the world a better place.
  • 15. Lets share the commonalities of attacks, and care about the effectiveness of our defenses.
  • 16.
  • 17. EMET (Enhanced Mitigation Experience Toolkit) What is EMET? o  http://www.microsoft.com/emet o  Think of it like a big bouncer that protects any kind of memory funny business, but only for things you tell it to protect Deployable by GPO Logs FREE o  o  o 
  • 19. What about EMET bypasses? http://goo.gl/QrJZdd
  • 20. Another good resource about EMET http://goo.gl/ELlBsi
  • 21.
  • 22. Block Java UA at the Proxy o Java apps (exploits) require the use of Java, which uses it’s own User-Agent STEP 1
  • 23. Internet Explorer User Agent Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/ 4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MS-RTC LM 8; InfoPath.3; .NET4.0C; .NET4.0E) chromeframe/8.0.552.224
  • 24. Block Java UA at the Proxy Examples: JNLP/6.0 javaws/1.6.0_29 Java/1.6.0_26 Mozilla/4.0 (Windows 7 6.1) Java/ 1.7.0_45
  • 25. Block Java UA at the Proxy o Java apps (exploits) require the use of Java, which uses it’s own User-Agent STEP 2
  • 26. Block Java UA at the Proxy o Java apps (exploits) require the use of Java, which uses it’s own User-Agent STEP 3 This never happens if they can’t pull the code!
  • 27. Block Java UA at the Proxy o Java apps (exploits) require the use of Java, which uses it’s own User-Agent Pull a report of every domain your users went to using the Java User-Agent. Parse the list and make them the exclusions. FREE Stops java exploits loaded by a browser. Attacker cannot modify UA pre-exploit o  o  o  o 
  • 28. Update: Block Java UA at the Proxy And according to “Z” this works for SSL too http://goo.gl/4mtwqN
  • 29. Block Java UA at the Proxy Oh yea, it protects Macs too…
  • 30.
  • 31. Logging / Vuln Scanning / AV / HIPS o PWDump removed on an internal IIS box doesn’t mean the job is done. Logon alerting - ADAudit Plus (only product in this presentation simply because I can’t find anyone else who does it) (Netwrix?) HIPS (enable the prevention part) Vuln Scanning is what a tool does. Lets start Vuln Reporting. Get your pentester/red team involved! o  o  o  o 
  • 32.
  • 33. Crowdsourcing Security Security Incident / Phishing Incentive Program Reward “top” users for reporting malicious or “phishy” content. Make a big deal out of it (company / section wide emails) Every employee becomes an IDS Quarterly “Think Evil” games o  o  o  o 
  • 34. Crowdsourcing Security Internal Bug Bounty Program Developers Developers Developers …. Incorporate the entire company though, if anyone reports a bug in a system they don’t own, they’ll be entered in the bounty. o  o  o Make it _EASY_ o Payout in gift cards instead of incident response and forensics
  • 35.
  • 36. Port-forwarding Honeypots If you have public IP space, use it. 1.  Spin up a VPS (Like Linode) 2.  Add vulnerable looking software to the VPS 3.  Install snort / other sensor on the VPS 4.  Port forward 80, 1433, etc on your IP to the VPS via your firewall. 5.  Watch as attacks roll in without endangering your infrastructure at all. Note: Don’t share passwords from real infrastructure to VPS.
  • 37.
  • 39. WPAD o Make null routed (127.0.0.1) DNS entry for WPAD Make null routed (::1) for DNS entry WPADWPADWPAD Disable NetBIOS resolution domain wide. Your DNS servers can handle it. It’s also a privacy concern NetBIOS traffic is broadcasted to everyone FREE o  o  o  o 
  • 40.
  • 41. DNS o There is no reason a user needs to resolve Google.com internally Let your web proxies do all the DNS FREE Turn off forward lookups on your internal DNS servers. Point your proxies at DNS servers that only they are allowed to use. o  o  o  o 
  • 42.
  • 43. Dump your own hashes!
  • 44. Dump your own hashes! o Crackers o  o  John the Ripper Rockyou.txt o Dumpers o  o  o  o  Depends… Goes back to the, “don’t use code you don’t trust”. List by Bernardo Damele - http://goo.gl/wDpJHc Ask your Pentesters/Red Teamers to do the dump and maybe even the audit. They will jump at it. o  (under supervision)
  • 45.
  • 46. Authenticated Splash Proxies o Use a web form with fields other than “username=” and “password=” Block all “uncategorized” Splash page requirement (every domain is blocked every day, first person to go to the page is shown a big red button that says “approve this domain”) any automated C2 will fail. o  o 
  • 47. Authenticated Splash Proxies THIS DOMAIN HAS BEEN BLOCKED! Don’t worry, this could be the first time today someone is attempting to go there. Click on “UNBLOCK” to ALLOW THIS DOMAIN THROUGH UNBLOCK BLOCK
  • 48.
  • 49. Evil Canaries o  Domain User called “DomainAdmin_Temp” with password in the description, and actually in Domain Admins group. Logon hours was 0. CAUGHT o  Public share called “Password Audit 2014”, EXLS docs about 4 MB, but “Everyone:Deny” permission. CAUGHT o  Computer called BACKUPDB, with out of date version of MySQL on Windows. CAUGHT
  • 50. Evil Canaries o  Web developer made .htaccess file forward common scanner (ala /nikto.html) requests to custom 402 (Payment Required) page, correlated hits and alerted. CAUGHT o  Credit card database: http:// www.getcreditcardnumbers.com/ CAUGHT o  VPN main page edited to include “default” credentials in HTML source. CAUGHT
  • 51. Evil Canaries o  Web server had /admin/login.html and supposedly tied to AD which always returned “SUCCESS” but didn’t do anything except, report what creds were used, browser and IP information. CAUGHT o  Machine that does absolutely nothing, saw traffic to port 23 (not listening). CAUGHT
  • 52. Tell your helpdesk! o Most of your actionable security alerts go through your helpdesk. Stop leaving them out of the loop. o 
  • 53.
  • 54. Thank you •  Heidi & Bruce •  Shmoo Staff •  And the countless people who listened to me practice this talk ahead of time in prep for today.
  • 55. Contact Me Rob Fuller @mubix Blog - http://www.room362.com/ Wiki - http://pwnwiki.io/ Email - mubix@hak5.org Campfire image from http://campfirewtx.org/wp-content/uploads/2013/11/campfire-pic.jpg
  • 56. Appendix I - Psychology The attacker is on your turf. Hackers freeze when they think they are caught. Nation states have “visibility assessment protocols” that take time. The more you can cause a visibility score to go up either by perceived or actual detection will cause more intelligence opportunities on the defence side.
  • 57. Appendix II - Other free wins o  Monitor anything that is tied to AD and is accessible from the Internet. OWA / MDM / SharePoint / VPN, or your web site. o  Baseline internal network traffic. Spider patterns mean scanning. o  MAC addresses that aren’t in the same OUI class should be investigated. (DELL/HP/ Wewei)
  • 58. Appendix II - Other free wins o  Allow users a way to specify when they are on vacation. Or integrate your vacation system with the authentication alerting system. If the user isn’t there, there shouldn’t be authenticating to anything be email and maybe the VPN for you workaholics.