Introducing Weakness Into Security Devices Tuning To A Different Key BSidesVienna 20/1/12 Arron “finux” Finnon
Evasion Techniques: Dancing Past Your Defences!!!
3 Things I Want To Share: Today's Outline!
One – Obtaining Samples: Diversity Is Important
Two – Knowledge Is Key: Understanding What We Know
Three – Implementation Is Critical: When Is It Not!
The Threat: From Vulnerability to Exploit
MS08-067 Vulnerability: The ChrisJohnRiley of Exploits
Metasploit Framework: The Tool of Champions
Security Devices: Okay, It's IDSes Today
The Common Intrusion Detection Framework: E-Boxes, A-Boxes, C-Boxes, D-Boxes (Events, Analysers, Countermeasures, Data/Storage)
To React or Not To React: Events Need To Be Understood
Taking Something At Face Value Leaves A Lack of Understanding
So My Story: Finux Has a Tale or Two
Show Evasions: DCERPC::smbpipeio
Documentation Time: DCERPC::smb_pipeio – Use a different delivery method for accessing named pipes
“The "trans" option will use a NtTransact command on the named pipe to deliver a request and trigger a reply from the server. During the development process, I noticed that just sending a "read" request after stuffing the request down via plain named pipe writes would also trigger processing.” HD to Finux – 08/08/11 BSidesVienna 20/1/12 Arron “finux” Finnon
Set DCERPC::smbpipeio rw
Set DCERPC::smbpipeio trans
Popularity Is Social Proof: Because It's Cool It's Right?
Your Added Bonus! The “..and one more thing” Moment!
The Dangers of Character Matching: The Butthead Evasion Technique
SID:1239 - RFParalyze: WTF, CVE-2000-0347
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS RFParalyze Attempt"; flow:to_server,established; content:"BEAVIS"; content:"yep yep";)
If there is a TCP connection on port 139 and you see the string “BEAVIS” and the string “yep, yep” please alert!!!!!!!
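As an added illustration (not from the talk or the Snort rule set), the Python below models only what the two `content` options in SID 1239 actually check: a case-sensitive byte search for each literal, anywhere in the payload, with no order or distance enforced. It assumes the port/flow conditions are handled upstream, and the payloads are constructed here to show where a literal match fires and where it does not.

```python
"""Model of how the two `content` options in SID 1239 match a payload.

Added example, not from the talk. Only the `content:` checks of the
rule quoted above are reimplemented; port/flow handling is assumed
to be done upstream. All sample payloads are constructed.
"""

# The two literal patterns from the rule. A `content` option with no
# modifiers is a case-sensitive byte search anywhere in the payload.
RULE_CONTENTS = [b"BEAVIS", b"yep yep"]


def content_match(payload: bytes, patterns, nocase: bool = False) -> bool:
    """True if every pattern occurs in payload. Order and distance are not
    checked, exactly like independent `content` options without
    distance/within modifiers."""
    if nocase:
        payload = payload.lower()
        patterns = [p.lower() for p in patterns]
    return all(p in payload for p in patterns)


def sid1239_alerts(payload: bytes) -> bool:
    """Semantics of the rule as written (no `nocase`)."""
    return content_match(payload, RULE_CONTENTS)


def sid1239_nocase_alerts(payload: bytes) -> bool:
    """The same rule with `nocase;` added after each content option."""
    return content_match(payload, RULE_CONTENTS, nocase=True)


# Constructed payloads for illustration only.
SAMPLES = {
    "exact":    b"\x00BEAVIS\x00yep yep",          # literal match
    "recased":  b"\x00beavis\x00YEP YEP",          # same text, other case
    "benign":   b"BEAVIS and Butt-head: yep yep",  # harmless chatter
    "reversed": b"yep yep ... BEAVIS",             # order not enforced
}


def evaluate(samples=SAMPLES):
    """Return {name: (alerts_as_written, alerts_with_nocase)}."""
    return {n: (sid1239_alerts(p), sid1239_nocase_alerts(p))
            for n, p in samples.items()}


if __name__ == "__main__":
    for name, (plain, nocase) in evaluate().items():
        print(f"{name:9} as-written={plain!s:5} nocase={nocase}")
```

The "recased" and "benign" rows are the point: a literal content match both misses trivially different bytes and fires on any traffic that happens to carry both words, which is why the rule's logic, not just its strings, has to be understood before an alert is acted on.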
That's All Folks! This Will Be That Q&A Time
Conclusions Time: Brace Yourself
Contacting Finux: finux@finux.co.uk, www.finux.co.uk, Twitter @f1nux, www.alba13.com - Coming Soon