Tactical Exploitation
“the other way to pen-test”
hdm / valsmith
Black Hat USA 2007
Las Vegas – August 2007
who are we?
• H D Moore <hdm [at] metasploit.com>
  BreakingPoint Systems || Metasploit
• Valsmith <valsmith [at] metasploit.com>
  Offensive Computing || Metasploit

why listen?
• A different approach to pwning
• Lots of fun techniques, new tools
• Real-world tested ;-)

what do we cover?
• Target profiling
• Discovery tools and techniques
• Exploitation
• Getting you remote access

the tactical approach
• Vulnerabilities are transient
• Target the applications
• Target the processes
• Target the people
• Target the trusts
• You WILL gain access.

the tactical approach
• Crackers are opportunists
• Expand the scope of your tests
• Everything is fair game
• What you don't test...
• Someone else will!

the tactical approach
• Hacking is not about exploits
• The target is the data, not r00t
• Hacking is using what you have
• Passwords, trust relationships
• Service hijacking, auth tickets

personnel discovery
• Security is a people problem
• People write your software
• People secure your network
• Identify the meatware first

personnel discovery
• Identifying the meatware
  • Google
  • Newsgroups
  • SensePost tools
  • Evolution from Paterva.com

personnel discovery
• These tools give us
  • Full names, usernames, email
  • Employment history
  • Phone numbers
  • Personal sites

personnel discovery
[figure: slide contains only an image]

personnel discovery
• Started with company and jobs
• Found online personnel directory
• Found people with access to data
• Found resumes, email addresses
• Email name = username = target

personnel discovery
• Joe Targetstein
• Works as lead engineer in semiconductor department
• Email address joet@company.com
• Old newsgroup postings show joet@joesbox.company.com
• Now we have a username and a host to target to go after semiconductor information
network discovery
• Identify your target assets
• Find unknown networks
• Find third-party hosts
• Dozens of great tools...
• Let's stick to the less-known ones

network discovery
• The overused old busted
  • Whois, Google, zone transfers
  • Reverse DNS lookups

network discovery
• The shiny new hotness
  • Other people's services
  • CentralOps.net, DigitalPoint.com
  • DomainTools.com
  • Paterva.com

network discovery
• DomainTools vs Defcon.org
  1. Darktangent.net       0 listings | 0 listings  | 0 listings
  2. Defcon.net            0 listings | 0 listings  | 0 listings
  3. Defcon.org            1 listings | 18 listings | 1 listings
  4. Hackerjeopardy.com    0 listings | 0 listings  | 0 listings
  5. Hackerpoetry.com      0 listings | 0 listings  | 0 listings
  6. Thedarktangent.com    0 listings | 0 listings  | 0 listings
  7. Thedarktangent.net    0 listings | 0 listings  | 0 listings
  8. Thedarktangent.org    0 listings | 0 listings  | 0 listings

network discovery
• DomainTools vs Defcon.net
  1. 0day.com              0 listings | 0 listings  | 0 listings
  2. 0day.net              0 listings | 0 listings  | 0 listings
  3. Darktangent.org       0 listings | 0 listings  | 0 listings
  [ snipped personal domains ]
  12. Securityzen.com      0 listings | 0 listings  | 0 listings
  13. Zeroday.com          0 listings | 0 listings  | 0 listings

network discovery
• What does this get us?
  • Proxied DNS probes, transfers
  • List of virtual hosts for each IP
  • Port scans, traceroutes, etc
  • Gold mine of related info

network discovery
• Active discovery techniques
  • Trigger SMTP bounces
  • Brute force HTTP vhosts
  • Watch outbound DNS
  • Just email the users!

network discovery
Received: from unknown (HELO gateway1.rsasecurity.com) (216.162.240.250)
  by [censored] with SMTP; 28 Jun 2007 15:11:29 -0500
Received: from hyperion.rsasecurity.com by gateway1.rsasecurity.com via smtpd
  (for [censored]. [xxx.xxx.xxx.xxx]) with SMTP; Thu, 28 Jun 2007 16:11:29 -0400
  by hyperion.na.rsa.net (MOS 3.8.3-GA)
To: user@[censored]
Subject: Returned mail: User unknown (from [10.100.8.152])
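The bounce above gives away two things a firewall never sees: the names of hosts behind the public gateway and an RFC 1918 address from the bounce reason. The following is an added example, not material from the talk, of checking what your own organisation's bounces disclose before someone else reads them. It reproduces the slide's headers with the censored parts replaced by constructed placeholders (mx.example.net as the receiving host, 203.0.113.10 as its address) and reports every hostname that is not part of the expected public edge, plus any private address in the message. Function and class names are the example's own.

```python
import re
import ipaddress
from dataclasses import dataclass, field

# Bounce headers reconstructed from the slide. The parts the slide censors are
# replaced with constructed placeholders: mx.example.net for the receiving
# mail host and 203.0.113.10 (a documentation address) for its IP.
SAMPLE_BOUNCE = """\
Received: from unknown (HELO gateway1.rsasecurity.com) (216.162.240.250)
  by mx.example.net with SMTP; 28 Jun 2007 15:11:29 -0500
Received: from hyperion.rsasecurity.com by gateway1.rsasecurity.com via smtpd
  (for mx.example.net. [203.0.113.10]) with SMTP; Thu, 28 Jun 2007 16:11:29 -0400
  by hyperion.na.rsa.net (MOS 3.8.3-GA)
To: user@mx.example.net
Subject: Returned mail: User unknown (from [10.100.8.152])
"""

# A hostname is dot-separated labels ending in an alphabetic top-level label,
# which keeps version strings such as "3.8.3-GA" out of the match.
HOST_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class BounceReport:
    hosts: set = field(default_factory=set)         # every hostname in the message
    ips: set = field(default_factory=set)           # every IPv4 literal in the message
    private_ips: set = field(default_factory=set)   # RFC 1918 addresses that should never leave the network
    leaked_hosts: set = field(default_factory=set)  # hostnames other than the expected public edge


def audit_bounce(raw: str, expected_hosts: set) -> BounceReport:
    """Report what a bounce message discloses about the sending organisation.

    expected_hosts: the hosts that legitimately belong in the trace, i.e. the
    organisation's public MX and the receiving server. Anything else in the
    Received chain or the bounce reason is internal naming that leaked.
    """
    rep = BounceReport()
    rep.hosts = {h.lower() for h in HOST_RE.findall(raw)}
    rep.ips = set(IPV4_RE.findall(raw))
    for ip in rep.ips:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # an octet above 255 slipped through the loose regex
        if any(addr in net for net in RFC1918):
            rep.private_ips.add(ip)
    rep.leaked_hosts = rep.hosts - {h.lower() for h in expected_hosts}
    return rep


if __name__ == "__main__":
    report = audit_bounce(SAMPLE_BOUNCE, {"gateway1.rsasecurity.com", "mx.example.net"})
    print("internal hosts disclosed:", sorted(report.leaked_hosts))
    print("private addresses disclosed:", sorted(report.private_ips))
```

On the slide's headers this reports hyperion.rsasecurity.com and hyperion.na.rsa.net as leaked names and 10.100.8.152 as a leaked private address. Run it over a sample of real bounces from your own MTA; the fix is to have the edge gateway rewrite or strip internal Received lines and to stop the MTA quoting the originating internal address in the bounce text.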
application discovery
• If the network is the toast...
• Applications are the butter.
• Each app is an entry point
• Finding these apps is the trick

application discovery
• Tons of great tools
  • Nmap, Amap, Nikto, Nessus
  • Commercial tools

application discovery
• Slow and steady wins the deface
• Scan for a specific port, one port only
• IDS/IPS can't handle slow scans
• Ex. nmap -sS -P0 -T 0 -p 1433 ips

application discovery
• Example target had custom IDS to detect large # of host connections
• Standard nmap lit up IDS like XMAS
• One-port slow scan never detected
• Know OS based on 1 port (139/22)
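The custom IDS in that example counted connections per unit of time, so a scan that sends one probe every twenty minutes never crosses its threshold. An added detection example, not from the talk: the same connection log run through a per-minute rate detector and through a detector that instead counts distinct destinations per (source, port) over a long window. The log format, addresses and function names are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall-style log line: ISO timestamp, source, destination, destination port.
LOG_RE = re.compile(r"^(\S+) SRC=(\S+) DST=(\S+) DPT=(\d+)$")


def build_sample_log() -> str:
    """Constructed sample: one slow single-port sweep plus one busy but legitimate client."""
    base = datetime(2007, 6, 28, 0, 0, 0)
    lines = []
    # Sweep of port 1433: one probe to a new host every 20 minutes for almost four hours.
    for i in range(12):
        t = base + timedelta(minutes=20 * i)
        lines.append(f"{t.isoformat()} SRC=198.51.100.7 DST=192.0.2.{i + 1} DPT=1433")
    # Normal client: 30 connections to a single web server within one minute.
    for i in range(30):
        t = base + timedelta(seconds=2 * i)
        lines.append(f"{t.isoformat()} SRC=203.0.113.5 DST=192.0.2.50 DPT=443")
    return "\n".join(sorted(lines))


def parse_log(log: str) -> list:
    """Return (timestamp, src, dst, dport) tuples; lines that do not match are ignored."""
    events = []
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))))
    return events


def rate_alerts(events, per_minute: int = 20) -> set:
    """Threshold detector: sources with more than per_minute connections in any single minute."""
    counts = defaultdict(int)
    for ts, src, _dst, _port in events:
        counts[(src, ts.replace(second=0, microsecond=0))] += 1
    return {src for (src, _minute), n in counts.items() if n > per_minute}


def sweep_alerts(events, min_hosts: int = 10, window: timedelta = timedelta(hours=24)) -> set:
    """Slow-sweep detector: (source, port) pairs that reach min_hosts distinct
    destinations within `window`, however slowly they get there."""
    hits = defaultdict(list)
    for ts, src, dst, port in events:
        hits[(src, port)].append((ts, dst))
    alerts = set()
    for key, seq in hits.items():
        seq.sort()
        # Slide a window starting at each probe and count the distinct hosts inside it.
        for i, (t0, _) in enumerate(seq):
            hosts = {dst for ts, dst in seq[i:] if ts - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts.add(key)
                break
    return alerts


if __name__ == "__main__":
    events = parse_log(build_sample_log())
    print("rate alerts:", rate_alerts(events))    # only the busy client
    print("sweep alerts:", sweep_alerts(events))  # the slow scan
```

The rate detector flags the legitimate client and misses the scanner; the distinct-destination detector flags the scanner and not the client. The price of the long window is memory per (source, port) key, which is why this kind of logic usually runs over flow records or firewall logs in batch rather than inline in the IDS.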
application discovery
• Target had internal app for software licensing / distribution
• ~10,000 nodes had app installed
• A couple of hours with IDA/Ollydbg showed static Admin password in app's memory
• All accessible nodes owned, 0 exploits used

application discovery
• Web Application Attack and Audit Framework
  • W3AF: “Metasploit for the web”
• Metasploit 3 scanning modules
  • Scanning mixin

application discovery
DEMO

client app discovery
• Client applications are fun!
• Almost always exploitable
• Easy to fingerprint remotely
• Your last-chance entrance

client app discovery
• Common probe methods
  • Mail links to the targets
  • Review exposed web logs
  • Send MDNs to specific victims
  • Abuse all, everyone, team aliases

process discovery
• Track what your target does
  • Activity via IP ID counters
  • Last-modified headers
  • FTP server statistics

process discovery
• Look for patterns of activity
  • Large IP ID increments at night
  • FTP stats at certain times
  • Microsoft FTP SITE STATS
  • Web pages being uploaded
  • Check timestamps on images

process discovery
• Existing tools?
  • None, really...
• Easy to script
  • Use “hping” for IP ID tracking
  • Use netcat for SITE STATS

process discovery
ftp.microsoft.com [node] SITE STATS / Uptime: 47 days
ABOR : 2138       NOOP : 147379       SIZE : 76980
ACCT : 2          OPTS : 21756        SMNT : 16
ALLO : 32         PASS : 2050555100   STAT : 30812
APPE : 74         PASV : 2674909      STOR : 3035
CDUP : 5664       PORT : 786581       STRU : 3299
CWD  : 388634     PWD  : 179852       SYST : 175579
DELE : 1910       QUIT : 143771       TYPE : 3038879
FEAT : 2970       REIN : 16           USER : 2050654280
HELP : 470        REST : 31684        XCWD : 67
LIST : 3228866    RETR : 153140       XMKD : 12
MDTM : 49070      RMD  : 41           XPWD : 1401
MKD  : 870        RNFR : 58           XRMD : 2
MODE : 3938       RNTO : 2
NLST : 1492       SITE : 2048

process discovery
[graph: IP ID Monitoring / HACKER.COM, annotated "<< backups run at midnight" and "USA people wake up >>"]
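The graph works because the host uses one global, incrementing IP ID counter: every packet it sends to anyone advances the counter, so the difference between two probe replies counts the traffic in between. An added example, not from the talk and not hping's code, of checking which behaviour a host of your own shows to an outside prober, and of the activity profile the slide's graph is built from when the counter is predictable. The sample values, timestamps and function names are constructed; the per-packet randomised IP ID that modern stacks use is what makes the check come back "random".

```python
from datetime import datetime, timedelta

IPID_MODULUS = 1 << 16  # the IP ID field is 16 bits wide, so deltas are taken modulo 2**16


def ipid_deltas(ids) -> list:
    """Forward differences between consecutive IP ID samples, modulo 2**16 (handles wraparound)."""
    return [(b - a) % IPID_MODULUS for a, b in zip(ids, ids[1:])]


def classify_ipid(ids, max_step: int = 10000) -> str:
    """Heuristic classification of a host's IP ID behaviour from probe replies.

    'zero'        - every reply carries IP ID 0 (nothing to learn)
    'incremental' - one global counter: each step is small and positive, so the
                    number of packets sent to anyone between probes leaks
    'random'      - per-packet or per-destination randomisation (the mitigation)
    max_step is the largest plausible increment between two probes; choose the
    probe spacing so that the host's expected traffic stays well below it.
    """
    if len(ids) < 3:
        raise ValueError("need at least three samples")
    if all(i == 0 for i in ids):
        return "zero"
    if all(1 <= d <= max_step for d in ipid_deltas(ids)):
        return "incremental"
    return "random"


def activity_profile(samples) -> list:
    """For an incremental host, packets sent to other parties between each pair of
    probes: the IP ID delta minus the one packet that answered our own probe.
    samples: list of (timestamp, ipid) in probe order; returns (timestamp, count)."""
    times = [t for t, _ in samples]
    ids = [i for _, i in samples]
    return [(t1, d - 1) for t1, d in zip(times[1:], ipid_deltas(ids))]


# Constructed sample: a host probed once an hour through the night. The large
# counts in the intervals ending 01:00 and 02:00 are the shape the slide's graph
# shows for a midnight backup job; the values themselves are invented.
PROBE_BASE = datetime(2007, 6, 28, 22, 0)
SAMPLE_INCREMENTAL = [
    (PROBE_BASE + timedelta(hours=h), ipid)
    for h, ipid in enumerate([100, 103, 105, 1206, 2410, 2412])
]
# Constructed replies from a host with randomised IP IDs.
SAMPLE_RANDOM = [53201, 12, 44910, 7]


if __name__ == "__main__":
    ids = [i for _, i in SAMPLE_INCREMENTAL]
    print(classify_ipid(ids))  # incremental
    for t, n in activity_profile(SAMPLE_INCREMENTAL):
        print(f"{t:%H:%M} {n:6d} packets to others in the preceding hour")
    print(classify_ipid(SAMPLE_RANDOM))  # random
```

A host that classifies as "incremental" is telling outsiders when its backups run and when its users arrive; the fix is at the stack (randomised or per-destination IP IDs, or a zero ID with DF set), not at the firewall.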
15 Minute Break
• Come back for the exploits!

re-introduction
• In our last session...
  • Discovery techniques and tools
• In this session...
  • Compromising systems!

external network
• The crunchy candy shell
  • Exposed hosts and services
  • VPN and proxy services
  • Client-initiated sessions

attacking ftp transfers
• Active FTP transfers
  • Clients often expose data ports
  • NAT + Active FTP = Firewall Hole
• Passive FTP transfers
  • Data port hijacking: DoS at least
  • pasvagg.pl still works just fine :-)

attacking web servers
• Brute force vhosts, files, dirs
  • http://www.cray.com/old/
• Source control files left in root
  • http://www.zachsong.com/CVS/Entries
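Both of those URLs are leftovers that were never meant to be served: an old copy of the site and the CVS metadata that lists every file in the checkout. An added example, not from the talk, of finding such leftovers in a document root from the server side, before anyone brute-forces them from outside. The directory layout it builds is constructed for the demo, and the function names are the example's own.

```python
import os
import tempfile
from pathlib import Path

# Directories that must never be served: they expose source and history.
VCS_DIRS = {"CVS", ".git", ".svn", ".hg", ".bzr"}
# Leftover content trees that commonly hold old, unpatched versions of a site.
LEFTOVER_DIRS = {"old", "backup", "bak", "_old"}
# Editor and backup copies that return server-side source as plain text.
BACKUP_SUFFIXES = ("~", ".bak", ".orig", ".old", ".swp", ".save")


def find_exposed_artifacts(docroot) -> list:
    """Walk a document root and return the relative (POSIX) paths of anything a
    visitor could fetch that should not be there: VCS metadata directories,
    leftover content directories and backup copies of files."""
    root = Path(docroot)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel = Path(dirpath).relative_to(root)
        for d in list(dirnames):
            if d in VCS_DIRS:
                findings.append((rel / d).as_posix())
                dirnames.remove(d)  # the whole tree is the finding; no need to descend
            elif d in LEFTOVER_DIRS:
                findings.append((rel / d).as_posix())
        for f in filenames:
            if f.endswith(BACKUP_SUFFIXES):
                findings.append((rel / f).as_posix())
    return sorted(findings)


def make_sample_docroot() -> str:
    """Constructed document root for the demo: a live site plus the classic leftovers."""
    root = Path(tempfile.mkdtemp(prefix="docroot-"))
    files = {
        "index.html": "<html>live site</html>",
        "js/app.js": "console.log('live');",
        "js/app.js.bak": "console.log('old build with a hard-coded key');",
        "old/index.html": "<html>previous site version</html>",
        "CVS/Entries": "/index.html/1.12/Thu Jun 28 07:00:00 2007//",
        "CVS/Root": ":pserver:build@cvs.example.com:/repo",
        ".git/HEAD": "ref: refs/heads/master",
    }
    for name, content in files.items():
        p = root / name
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    return str(root)


if __name__ == "__main__":
    for path in find_exposed_artifacts(make_sample_docroot()):
        print("exposed:", path)
```

The walk stops at a VCS directory because one hit is enough: a served CVS/Entries or .git/HEAD means the whole checkout is retrievable. Pair the scan with a deny rule for those path names in the web server, since the next deployment will put them back.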