Practical Exploitation - Webappy Style

Given at OWASP NoVA - March 2013

  1. Practical Exploitation: Timey Wimey WebAppy Style, by Mubix
  2. Are we (the business) in the Wall Street Journal? No? Then we aren't under attack.
  3. Agenda
     ● What you do
     ● What I do
     ● What is "practical" exploitation?
     ● Demos
  4. We aren't going to talk about
     ● Stuff I assume you know
       ○ SQLi
       ○ Running your database as root
       ○ RFI/LFI
       ○ etc.
       ○ etc.
       ○ OWASP Top 10
     ● Stuff you should know
       ○ Your {SECURITY BLINKY LIGHTS} won't save you....
  5. What you do?
     ● This is where I ask you awkward questions about what you do for a living
  6. What I do?
     ● Senior Red Teamer
     ● Big Co
     ● Break into mainframes, bank accounts, SCADA systems, Windows, Linux, wireless, physical, web apps, UPSs, etc.
     ● Part of a team of highly skilled peeps
     Primarily I'm a sorter of useful info
  7. What is practical exploitation?
     ● The application of techniques, tactics, and procedures to accomplish objectives and sub-objectives within a targeted engagement
     Also known as: "if it doesn't get me more, it's stupid"
  8. What falls in the "Stupid" category
     ● SSLv2 enabled
     ● Traceroute enabled
     ● DNS cache poisoning
     ● MD5 "collisions"
     Oh ya, and every single public IE, Firefox, Chrome or Windows exploit. Why? Because their patch cycles are too fast for attackers.
  9. DEMOS
  10. Demo 1 - Linux Pivot to Windows
      Tomcat -> MS08_067
      Wellllllll..... I was going to patch those DMZ hosts, then........
  11. How do I fix that!?
      ● Patch yo %#@$%@ $#%
  12. Demo 2 - Windows
      Rails vulnerability -> Cred Steal - Mimikatz
      You use a web framework that protects you and you have really long passwords?
  13. How do I fix that?
      ● Monitor security community events; disable YAML or XML parsing.
      ● Microsoft has left you out to dry for Mimikatz. They believe if you have Administrator access then it's game over.
      ● Don't run your web server as SYSTEM or Administrator; keep UAC enabled on your DMZ hosts
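As an added example (not part of the talk), here is what "disable YAML parsing" amounts to at the code level: client-supplied YAML goes only through Psych's restricted loader, so a document that asks the parser to instantiate a Ruby class, or that expands aliases, is rejected instead of honoured. The request bodies below are constructed samples, and the Rails-specific counterpart at the time was to drop the XML and YAML parameter parsers from the framework's parser table rather than parse them at all.

```ruby
require 'yaml'

# Constructed sample request bodies (not from the talk).
BENIGN_DOC = "user:\n  name: alice\n  age: 30\n"
# A tag that asks the parser to build an object of an arbitrary class
# (Foo is a placeholder name; the restricted loader refuses any class).
TAGGED_DOC = "user: !ruby/object:Foo\n  name: alice\n"
# Anchors and aliases, the building block of YAML expansion (DoS) documents.
ALIAS_DOC  = "a: &blob [1, 2, 3]\nb: *blob\nc: *blob\n"

# Parse YAML the way client-supplied data should be parsed: with Psych's
# restricted loader, which only yields strings, numbers, booleans, nil,
# arrays and hashes. Any tag that would instantiate a class, any Symbol,
# and any alias is refused instead of honoured.
# Returns [:ok, data] or [:rejected, reason].
def parse_untrusted_yaml(doc)
  data = YAML.safe_load(doc) # defaults: no permitted classes, no aliases
  [:ok, data]
rescue Psych::DisallowedClass, Psych::BadAlias => e
  [:rejected, e.class.name]
rescue Psych::SyntaxError => e
  [:rejected, "syntax error: #{e.message}"]
end

# Exercise all three samples; only the benign body yields data.
def demo
  { benign: parse_untrusted_yaml(BENIGN_DOC),
    tagged: parse_untrusted_yaml(TAGGED_DOC),
    alias:  parse_untrusted_yaml(ALIAS_DOC) }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, (status, detail)| puts "#{name}: #{status} #{detail.inspect}" }
end
```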
  14. Demo 3 - Windows Pivot to Linux
      WinRM on IIS -> DistCC
      What the..........
  15. How do I fix that?
      ● Don't enable WinRM on DMZ hosts! Stupid.
      ● Firewall DistCC off to only required hosts.
  16. EOM
      Questions?
      Mubix "Rob" Fuller