The Art of Exploitation

Kim Carter

March 09, 2017

Transcript

  1. The Art of Exploitation

  2. @binarymist

  3. Effective Attack Techniques for Common Vulnerabilities

  4. Effective Attack Techniques for Common Vulnerabilities Password Stealing

  5. Effective Attack Techniques for Common Vulnerabilities Password Stealing Spear Phishing

  6. Effective Attack Techniques for Common Vulnerabilities Password Stealing Spear Phishing Web Shells

  7. Effective Attack Techniques for Common Vulnerabilities Password Stealing Spear Phishing Web Shells FaceBook

  8. Effective Attack Techniques for Common Vulnerabilities Password Stealing Spear Phishing Web Shells FaceBook Weaponised Documents

  9. Effective Attack Techniques for Common Vulnerabilities Password Stealing Spear Phishing Web Shells FaceBook Weaponised Documents

  10. Effective Attack Techniques for Common Vulnerabilities Password Stealing Spear Phishing Web Shells FaceBook Weaponised Documents

  11. Effective Attack Techniques for Common Vulnerabilities Password Stealing Spear Phishing Web Shells FaceBook Weaponised Documents

  12. Effective Attack Techniques for Common Vulnerabilities Password Stealing Spear Phishing Web Shells FaceBook Weaponised Documents

  13. Effective Attack Techniques for Common Vulnerabilities Password Stealing Spear Phishing Web Shells FaceBook Weaponised Documents

  14. Effective Attack Techniques for Common Vulnerabilities Password Stealing Spear Phishing Web Shells FaceBook Weaponised Documents

  15. Effective Attack Techniques for Common Vulnerabilities Password Stealing Spear Phishing Web Shells FaceBook Weaponised Documents

  16. Effective Attack Techniques for Common Vulnerabilities Password Stealing Spear Phishing Web Shells FaceBook Weaponised Documents

  17. Effective Attack Techniques for Common Vulnerabilities Password Stealing Spear Phishing Web Shells FaceBook Weaponised Documents
  18. C/- psmsf, PowerSploit & Nishang

  19. None
  20. PowerSploit Persistence Techniques: • PermanentWMI • ScheduledTask • Registry At stages: • AtLogon • AtStartup • OnIdle • Daily • Hourly • Specified Time

  21. Effective Attack Techniques for Common Vulnerabilities Password Stealing Spear Phishing Web Shells FaceBook Weaponised Documents

  22. Countermeasures Password Stealing Spear Phishing Web Shells FaceBook Weaponised Documents XSS

  23. Countermeasures Password Stealing Spear Phishing Web Shells FaceBook Weaponised Documents • NIDS • AV • Know Origin

  24. How the process of Exploitation & Mitigation can & Should fit within Each & Every Sprint
  25. Red Team

  26. Reconnaissance Vulnerability Scanning & Discovery Vulnerability Searching Exploitation Documenting & Reporting

  27. Reconnaissance Vulnerability Scanning & Discovery Vulnerability Searching Exploitation Documenting & Reporting

  28. Reconnaissance Vulnerability Scanning & Discovery Vulnerability Searching Exploitation Documenting & Reporting

  29. https://github.com/phage-nz/threatcrawler

  30. Reconnaissance Vulnerability Scanning & Discovery Vulnerability Searching Exploitation Documenting & Reporting

  31. Reconnaissance Vulnerability Scanning & Discovery Vulnerability Searching Exploitation Documenting & Reporting
  32. Red Team

  33. Red Team -> Blue Team

  34. Pen testing @ go live -> within each Sprint

  35. The Sprint Sprint Planning Daily Scrum Sprint Review Retrospective Product Backlog Sprint Backlog Sprint Increment Definition of Done Cheapest Place to Deal with Defects Establish a Security Champion Hand-crafted Penetration Testing Pair Programming Code Review Techniques for Asserting Discipline Consuming Free and Open Source Evil Test Conditions Security Focussed TDD Security Regression Testing

  36. Definition of Done The Sprint Sprint Planning Daily Scrum Sprint Review Retrospective Product Backlog Sprint Backlog Sprint Increment Establish a Security Champion Security Focussed TDD Pair Programming Code Review Techniques for Asserting Discipline Consuming Free and Open Source Evil Test Conditions Hand-crafted Penetration Testing Security Regression Testing Cheapest Place to Deal with Defects

  37. Definition of Done The Sprint Sprint Planning Daily Scrum Sprint Review Retrospective Product Backlog Sprint Backlog Sprint Increment Establish a Security Champion Security Focussed TDD Pair Programming Code Review Techniques for Asserting Discipline Consuming Free and Open Source Evil Test Conditions Hand-crafted Penetration Testing Security Regression Testing Cheapest Place to Deal with Defects

  38. 5: Identify Risks? This is madness! How can we do that?

  39. Definition of Done The Sprint Sprint Planning Daily Scrum Sprint Review Retrospective Product Backlog Sprint Backlog Sprint Increment Security Focussed TDD Pair Programming Code Review Techniques for Asserting Discipline Consuming Free and Open Source Evil Test Conditions Cheapest Place to Deal with Defects Hand-crafted Penetration Testing Security Regression Testing Establish a Security Champion

  40. Definition of Done The Sprint Sprint Planning Daily Scrum Sprint Review Retrospective Product Backlog Sprint Backlog Sprint Increment Establish a Security Champion Security Focussed TDD Pair Programming Code Review Techniques for Asserting Discipline Consuming Free and Open Source Evil Test Conditions Cheapest Place to Deal with Defects Security Regression Testing Hand-crafted Penetration Testing

  41. Definition of Done The Sprint Sprint Planning Daily Scrum Sprint Review Retrospective Product Backlog Sprint Backlog Sprint Increment Establish a Security Champion Security Focussed TDD Code Review Techniques for Asserting Discipline Consuming Free and Open Source Evil Test Conditions Cheapest Place to Deal with Defects Hand-crafted Penetration Testing Security Regression Testing Pair Programming
  42. None
  43. Definition of Done The Sprint Sprint Planning Daily Scrum Sprint Review Retrospective Product Backlog Sprint Backlog Sprint Increment Establish a Security Champion Security Focussed TDD Pair Programming Techniques for Asserting Discipline Consuming Free and Open Source Evil Test Conditions Cheapest Place to Deal with Defects Hand-crafted Penetration Testing Security Regression Testing Code Review

  44. Code Review, Static & Dynamic Analysis

  45. Definition of Done The Sprint Sprint Planning Daily Scrum Sprint Review Retrospective Product Backlog Sprint Backlog Sprint Increment Establish a Security Champion Security Focussed TDD Pair Programming Code Review Consuming Free and Open Source Evil Test Conditions Cheapest Place to Deal with Defects Hand-crafted Penetration Testing Security Regression Testing Techniques for Asserting Discipline

  46. Definition of Done The Sprint Sprint Planning Daily Scrum Sprint Review Retrospective Product Backlog Sprint Backlog Sprint Increment Establish a Security Champion Security Focussed TDD Pair Programming Code Review Consuming Free and Open Source Evil Test Conditions Cheapest Place to Deal with Defects Hand-crafted Penetration Testing Security Regression Testing Techniques for Asserting Discipline Static Type Checking DbC https://blog.binarymist.net/2010/10/11/lsp-dbc-and-nets-support/

  47. The Sprint Sprint Planning Daily Scrum Sprint Review Retrospective Product Backlog Sprint Backlog Sprint Increment Definition of Done Cheapest Place to Deal with Defects Establish a Security Champion Hand-crafted Penetration Testing Consuming Free and Open Source Evil Test Conditions Security Focussed TDD Security Regression Testing Pair Programming Code Review Techniques for Asserting Discipline Risk

  48. The Sprint Sprint Planning Daily Scrum Sprint Review Retrospective Product Backlog Sprint Backlog Sprint Increment Definition of Done Cheapest Place to Deal with Defects Establish a Security Champion Hand-crafted Penetration Testing Consuming Free and Open Source Evil Test Conditions Security Focussed TDD Security Regression Testing Pair Programming Code Review Techniques for Asserting Discipline Countermeasure

  49. Consuming Free and Open Source Risk
    curl -sL https://deb.nodesource.com/setup_4.x | sudo -E bash -
    sudo apt-get install -y nodejs

  50. Consuming Free and Open Source Tooling • Npm-outdated • Npm-check • David • RetireJS • NSP • Snyk

  51. The Sprint Sprint Planning Daily Scrum Sprint Review Retrospective Product Backlog Sprint Backlog Sprint Increment Definition of Done Establish a Security Champion Hand-crafted Penetration Testing Security Focussed TDD Security Regression Testing Pair Programming Code Review Techniques for Asserting Discipline Consuming Free and Open Source Evil Test Conditions Cheapest Place to Deal with Defects
  52. 5: Identify

  53. 5: Identify Risks?
    Given: There are no items in the shopping cart
    When: Customer clicks “Purchase” button for a book which is in stock
    Then: 1 x book is added to shopping cart. Book is held - preventing selling it twice.
    Given: (as above)
    When: Customer clicks “Purchase” button for a book which is not in stock
    Then: Dialog with “Out of stock” message is displayed and offering customer option of putting book on back order.

  54. 5: Identify Risks?
    Given: There are no items in the shopping cart
    When: User tries to downgrade TLS and the HSTS header is not sent by the server
    Then: User should be redirected (response 301 status code) to the HTTPS site from the server
    Given: (as above)
    When: User tries to downgrade TLS and the HSTS header is sent by the server
    Then: User should be redirected to the HTTP site from the browser (no HTTP traffic for sslstrip to tamper with)

  55. Definition of Done The Sprint Sprint Planning Daily Scrum Sprint Review Retrospective Product Backlog Sprint Backlog Sprint Increment Establish a Security Champion Security Focussed TDD Pair Programming Code Review Techniques for Asserting Discipline Consuming Free and Open Source Cheapest Place to Deal with Defects Hand-crafted Penetration Testing Security Regression Testing Evil Test Conditions

  56. Definition of Done The Sprint Sprint Planning Daily Scrum Sprint Review Retrospective Product Backlog Sprint Backlog Sprint Increment Establish a Security Champion Pair Programming Code Review Techniques for Asserting Discipline Consuming Free and Open Source Evil Test Conditions Cheapest Place to Deal with Defects Hand-crafted Penetration Testing Security Regression Testing Security Focussed TDD

  57. Definition of Done The Sprint Sprint Planning Daily Scrum Sprint Review Retrospective Product Backlog Sprint Backlog Sprint Increment Establish a Security Champion Security Focussed TDD Pair Programming Code Review Techniques for Asserting Discipline Consuming Free and Open Source Evil Test Conditions Cheapest Place to Deal with Defects Hand-crafted Penetration Testing Security Regression Testing

  58. Length of Feedback Cycle vs Cost: • Requirements or design defect found via Product Backlog Item (PBI) collaboration • Requirements or design defect found in Test Conditions Workshop • Programming or design defect found via Pair Programming • Programming defect found via Continuous Integration • Programming or design defect found via Test Driven Development (T(B)DD) • Requirements or design defect found via Stakeholder Participation • Defect found via pair Developer Testing • Defect found via Independent Review • Requirements defect found via traditional Acceptance Testing • Programming or design defect found via Pair Review • Design defect found via traditional System Testing • Programming defect found via traditional System Testing • Security defect found via traditional external Penetration Testing

  59. Length of Feedback Cycle vs Cost: • Requirements or design defect found via Product Backlog Item (PBI) collaboration • Requirements or design defect found in Test Conditions Workshop • Programming or design defect found via Pair Programming • Programming defect found via Continuous Integration • Programming or design defect found via Test Driven Development (T(B)DD) • Requirements or design defect found via Stakeholder Participation • Defect found via pair Developer Testing • Defect found via Independent Review • Requirements defect found via traditional Acceptance Testing • Programming or design defect found via Pair Review • Design defect found via traditional System Testing • Programming defect found via traditional System Testing • Security defect found via Security Test Driven Development (STDD) or regression testing

  60. 5: Identify Risks? OK I’m starting to get it But what now?
  61. Definition of Done The Sprint Security Regression Testing Sprint Planning Daily Scrum Sprint Review Retrospective Product Backlog Sprint Backlog Sprint Increment Establish a Security Champion Security Focussed TDD Pair Programming Code Review Techniques for Asserting Discipline Consuming Free and Open Source Evil Test Conditions Cheapest Place to Deal with Defects Hand-crafted Penetration Testing Zap-Api & NodeGoat

  62. https://leanpub.com/holistic-infosec-for-web-developers https://github.com/binarymist/NodeGoat/wiki/Security-Regression-Testing-with-Zap-API

  63. 5: Identify Risks? IoT Physical People Mobile Cloud VPS Network Web App Network 1: Asset Identification 2: Identify Risks 3: Countermeasures 4: What risks does solution cause? 5: Costs and Trade-offs

  64. Product Backlog Sprint Backlog Product Backlog items pulled into Sprint to form Increment Forecast 3: Countermeasures
  65. @binarymist https://leanpub.com/holistic-infosec-for-web-developers https://github.com/binarymist/NodeGoat/wiki/Security-Regression-Testing-with-Zap-API
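The HSTS test condition on slide 54 turned into a security regression test, as an added example that is not from Kim Carter's slides, NodeGoat or the Zap-API wiki. It assumes a one-year minimum max-age with includeSubDomains as the policy the team agreed on, and the response objects are constructed samples rather than captured traffic.

```javascript
// Security-focussed TDD for the "Given / When / Then" on slide 54:
//   When the user is on plain HTTP, Then the server answers 301 to the HTTPS origin.
//   When the response is over HTTPS, Then it carries an HSTS policy strong enough
//   that the browser never sends plain HTTP again (nothing for sslstrip to touch).
// Assumed policy threshold: one year, includeSubDomains required.
const MIN_MAX_AGE = 31536000;

// Parse a Strict-Transport-Security value such as
// "max-age=31536000; includeSubDomains; preload" into a policy object.
// Returns null when the header is absent or has no valid max-age.
function parseHsts(headerValue) {
  if (typeof headerValue !== 'string') return null;
  const policy = { maxAge: null, includeSubDomains: false, preload: false };
  for (const raw of headerValue.split(';')) {
    const directive = raw.trim().toLowerCase();
    if (directive.startsWith('max-age=')) {
      const n = Number(directive.slice('max-age='.length).replace(/"/g, ''));
      policy.maxAge = Number.isInteger(n) && n >= 0 ? n : null;
    } else if (directive === 'includesubdomains') {
      policy.includeSubDomains = true;
    } else if (directive === 'preload') {
      policy.preload = true;
    }
  }
  return policy.maxAge === null ? null : policy;
}

// First scenario: the HTTP response must be a 301 whose Location is the HTTPS origin.
function httpDowngradeIsRedirected(res, host) {
  const location = res.headers['location'] || '';
  return res.statusCode === 301 && location.startsWith(`https://${host}/`);
}

// Second scenario: the HTTPS response must carry an enforced HSTS policy.
function hstsIsEnforced(res) {
  const policy = parseHsts(res.headers['strict-transport-security']);
  return policy !== null && policy.maxAge >= MIN_MAX_AGE && policy.includeSubDomains;
}

// Constructed sample responses (not captured traffic), keyed by lower-case header name
// as Node's http module presents them.
const httpResponse = { statusCode: 301, headers: { location: 'https://shop.example/cart' } };
const httpsResponseGood = {
  statusCode: 200, headers: { 'strict-transport-security': 'max-age=31536000; includeSubDomains' },
};
const httpsResponseWeak = { statusCode: 200, headers: { 'strict-transport-security': 'max-age=0' } };
```

Wire the two predicates into the project's test runner with a real request per scenario; a max-age of 0 is how a site switches HSTS off, so the weak sample failing is the regression this test exists to catch.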