The Art of Exploitation

A397cb38965ab9f310e7148b8c3d1105?s=47 Kim Carter
March 09, 2017
Technology
1
630

The Art of Exploitation

https://blog.binarymist.net/presentations-publications/#nzjs-2017-the-art-of-exploitation

A397cb38965ab9f310e7148b8c3d1105?s=128

Kim Carter

March 09, 2017
Tweet

More Decks by Kim Carter

See All by Kim Carter
A397cb38965ab9f310e7148b8c3d1105?s=48 binarymist
2
550
A397cb38965ab9f310e7148b8c3d1105?s=48 binarymist
1
380
A397cb38965ab9f310e7148b8c3d1105?s=48 binarymist
0
82
A397cb38965ab9f310e7148b8c3d1105?s=48 binarymist
1
150
A397cb38965ab9f310e7148b8c3d1105?s=48 binarymist
2
940
A397cb38965ab9f310e7148b8c3d1105?s=48 binarymist
3
320
A397cb38965ab9f310e7148b8c3d1105?s=48 binarymist
5
210
A397cb38965ab9f310e7148b8c3d1105?s=48 binarymist
3
300
A397cb38965ab9f310e7148b8c3d1105?s=48 binarymist
3
1k

Other Decks in Technology

See All in Technology
9e7a653ed313b3da4b263a772bfc5026?s=48 clustervr
0
200
945e5c3ef6a52d8d7394b10a99e26277?s=48 guyrleech
0
220
2102a6b8760bd6f57f672805723dd83a?s=48 line_developers_tw
0
4k
5b47136bedcba2799edf4fcd27ea66d7?s=48 yaegashi
0
330
75fd80a8ace6ab292a7de563e018ae11?s=48 takashi_toyosaki
0
250
783718ebd2faaa896d4cb347835c07fb?s=48 tarotaro0
0
420
79dcb04101764d7bf66f898dd446838e?s=48 tsukubachallenge
0
290
80c79a9d024d1e1a253893a78189ce6d?s=48 ujnak
1
150
92e7a56a50535ef4c51c112c71d3f9c1?s=48 jkubota
0
290
9e7a653ed313b3da4b263a772bfc5026?s=48 clustervr
0
280
Ace15f29f740e60d42f7a3ff03a4952d?s=48 curanosuke
1
130
Cd6e67775ba3275c466e9927ede23080?s=48 nk35jk
2
1.5k

Featured

See All Featured
7559f6cff1f5efc2d210965febd4d71c?s=48 bermonpainter
340
25k
B6a8f005f39d23ffc930508ac9da68b9?s=48 vanstee
115
4.7k
433acaea1012b25d97ae66da9b998dad?s=48 malarkey
391
60k
282d599b414022eba5096510f675b6e2?s=48 chrislema
231
16k
027d1ebf66cc039a0bd3b55eeadbe75d?s=48 sachag
266
16k
5f83ef806155b403c3393160ce51f955?s=48 jlugia
215
16k
Ef32e0b1ac5082450dc8c1fca3a26b5c?s=48 cherdarchuk
65
250k
170b760e0147792d0140e59ec78e9893?s=48 eitanlees
105
9.5k
95d9f37115fbb0d13135d0f77132f856?s=48 morganepeng
86
11k
C51b39fa3c79ccb99dcb8a076bc98287?s=48 brianwarren
83
4.5k
9952dfcd5d338f8a8e7175c8a8f65fb5?s=48 wjessup
333
15k
78b475797a14c84799063c7cd073962f?s=48 holman
287
130k

Transcript

  1. The Art of Exploitation

  2. @binarymist

  3. Effective Attack Techniques for Common Vulnerabilities

  4. Effective Attack Techniques for Common Vulnerabilities Password Stealing

  5. Effective Attack Techniques for Common Vulnerabilities Password Stealing Spear Phishing

  6. Effective Attack Techniques for Common Vulnerabilities Password Stealing Spear Phishing

    Web Shells

  7. Effective Attack Techniques for Common Vulnerabilities Password Stealing Spear Phishing

    Web Shells FaceBook

  8. Effective Attack Techniques for Common Vulnerabilities Password Stealing Spear Phishing

    Web Shells FaceBook Weaponised Documents

  9. Effective Attack Techniques for Common Vulnerabilities Password Stealing Spear Phishing

    Web Shells FaceBook Weaponised Documents

  10. Effective Attack Techniques for Common Vulnerabilities Password Stealing Spear Phishing

    Web Shells FaceBook Weaponised Documents

  11. Effective Attack Techniques for Common Vulnerabilities Password Stealing Spear Phishing

    Web Shells FaceBook Weaponised Documents

  12. Effective Attack Techniques for Common Vulnerabilities Password Stealing Spear Phishing

    Web Shells FaceBook Weaponised Documents

  13. Effective Attack Techniques for Common Vulnerabilities Password Stealing Spear Phishing

    Web Shells FaceBook Weaponised Documents

  14. Effective Attack Techniques for Common Vulnerabilities Password Stealing Spear Phishing

    Web Shells FaceBook Weaponised Documents

  15. Effective Attack Techniques for Common Vulnerabilities Password Stealing Spear Phishing

    Web Shells FaceBook Weaponised Documents

  16. Effective Attack Techniques for Common Vulnerabilities Password Stealing Spear Phishing

    Web Shells FaceBook Weaponised Documents

  17. Effective Attack Techniques for Common Vulnerabilities Password Stealing Spear Phishing

    Web Shells FaceBook Weaponised Documents

  18. C/- psmsf, PowerSploit & Nishang

  19. None

  20. PowerSploit Persistence Techniques: • PermanentWMI • ScheduledTask • Registry At

    stages: • AtLogon • AtStartup • OnIdle • Daily • Hourly • Specified Time

  21. Effective Attack Techniques for Common Vulnerabilities Password Stealing Spear Phishing

    Web Shells FaceBook Weaponised Documents

  22. Countermeasures Password Stealing Spear Phishing Web Shells FaceBook Weaponised Documents

    XSS

  23. Countermeasures Password Stealing Spear Phishing Web Shells FaceBook Weaponised Documents

    • NIDS • AV • Know Origin

  24. How the process of Exploitation & Mitigation can & Should

    fit within Each & Every Sprint

  25. Red Team

  26. Reconnaissance Vulnerability Scanning & Discovery Vulnerability Searching Exploitation Documenting &

    Reporting

  27. Reconnaissance Vulnerability Scanning & Discovery Vulnerability Searching Exploitation Documenting &

    Reporting

  28. Reconnaissance Vulnerability Scanning & Discovery Vulnerability Searching Exploitation Documenting &

    Reporting

  29. https://github.com/phage-nz/threatcrawler

  30. Reconnaissance Vulnerability Scanning & Discovery Vulnerability Searching Exploitation Documenting &

    Reporting

  31. Reconnaissance Vulnerability Scanning & Discovery Vulnerability Searching Exploitation Documenting &

    Reporting

  32. Red Team

  33. Red Team -> Blue Team

  34. Pen testing @ go live -> within each Sprint

  35. The Sprint Sprint Planning Daily Scrum Sprint Review Retrospective Product

    Backlog Sprint Backlog Sprint Increment Definition of Done Cheapest Place to Deal with Defects Establish a Security Champion Hand-crafted Penetration Testing Pair Programming Code Review Techniques for Asserting Discipline Consuming Free and Open Source Evil Test Conditions Security Focussed TDD Security Regression Testing

  36. Definition of Done The Sprint Sprint Planning Daily Scrum Sprint

    Review Retrospective Product Backlog Sprint Backlog Sprint Increment Establish a Security Champion Security Focussed TDD Pair Programming Code Review Techniques for Asserting Discipline Consuming Free and Open Source Evil Test Conditions Hand-crafted Penetration Testing Security Regression Testing Cheapest Place to Deal with Defects

  37. Definition of Done The Sprint Sprint Planning Daily Scrum Sprint

    Review Retrospective Product Backlog Sprint Backlog Sprint Increment Establish a Security Champion Security Focussed TDD Pair Programming Code Review Techniques for Asserting Discipline Consuming Free and Open Source Evil Test Conditions Hand-crafted Penetration Testing Security Regression Testing Cheapest Place to Deal with Defects

  38. 5: Identify Risks? This is madness! How can we do

    that?

  39. Definition of Done The Sprint Sprint Planning Daily Scrum Sprint

    Review Retrospective Product Backlog Sprint Backlog Sprint Increment Security Focussed TDD Pair Programming Code Review Techniques for Asserting Discipline Consuming Free and Open Source Evil Test Conditions Cheapest Place to Deal with Defects Hand-crafted Penetration Testing Security Regression Testing Establish a Security Champion

  40. Definition of Done The Sprint Sprint Planning Daily Scrum Sprint

    Review Retrospective Product Backlog Sprint Backlog Sprint Increment Establish a Security Champion Security Focussed TDD Pair Programming Code Review Techniques for Asserting Discipline Consuming Free and Open Source Evil Test Conditions Cheapest Place to Deal with Defects Security Regression Testing Hand-crafted Penetration Testing

  41. Definition of Done The Sprint Sprint Planning Daily Scrum Sprint

    Review Retrospective Product Backlog Sprint Backlog Sprint Increment Establish a Security Champion Security Focussed TDD Code Review Techniques for Asserting Discipline Consuming Free and Open Source Evil Test Conditions Cheapest Place to Deal with Defects Hand-crafted Penetration Testing Security Regression Testing Pair Programming
  42. None

  43. Definition of Done The Sprint Sprint Planning Daily Scrum Sprint

    Review Retrospective Product Backlog Sprint Backlog Sprint Increment Establish a Security Champion Security Focussed TDD Pair Programming Techniques for Asserting Discipline Consuming Free and Open Source Evil Test Conditions Cheapest Place to Deal with Defects Hand-crafted Penetration Testing Security Regression Testing Code Review

  44. Code Review, Static & Dynamic Analysis

  45. Definition of Done The Sprint Sprint Planning Daily Scrum Sprint

    Review Retrospective Product Backlog Sprint Backlog Sprint Increment Establish a Security Champion Security Focussed TDD Pair Programming Code Review Consuming Free and Open Source Evil Test Conditions Cheapest Place to Deal with Defects Hand-crafted Penetration Testing Security Regression Testing Techniques for Asserting Discipline

  46. Definition of Done The Sprint Sprint Planning Daily Scrum Sprint

    Review Retrospective Product Backlog Sprint Backlog Sprint Increment Establish a Security Champion Security Focussed TDD Pair Programming Code Review Consuming Free and Open Source Evil Test Conditions Cheapest Place to Deal with Defects Hand-crafted Penetration Testing Security Regression Testing Techniques for Asserting Discipline Static Type Checking DbC https://blog.binarymist.net/2010/10/11/lsp-dbc-and-nets-support/

  47. The Sprint Sprint Planning Daily Scrum Sprint Review Retrospective Product

    Backlog Sprint Backlog Sprint Increment Definition of Done Cheapest Place to Deal with Defects Establish a Security Champion Hand-crafted Penetration Testing Consuming Free and Open Source Evil Test Conditions Security Focussed TDD Security Regression Testing Pair Programming Code Review Techniques for Asserting Discipline R isk

  48. The Sprint Sprint Planning Daily Scrum Sprint Review Retrospective Product

    Backlog Sprint Backlog Sprint Increment Definition of Done Cheapest Place to Deal with Defects Establish a Security Champion Hand-crafted Penetration Testing Consuming Free and Open Source Evil Test Conditions Security Focussed TDD Security Regression Testing Pair Programming Code Review Techniques for Asserting Discipline C ounterm easure

  49. Consuming Free and Open Source curl -sL https://deb.nodesource.com/setup_4.x | sudo

    -E bash - sudo apt-get install -y nodejs R isk

  50. Consuming Free and Open Source • Npm-outdated • Npm-check •

    David • RetireJS • NSP • Snyk Tooling

  51. The Sprint Sprint Planning Daily Scrum Sprint Review Retrospective Product

    Backlog Sprint Backlog Sprint Increment Definition of Done Establish a Security Champion Hand-crafted Penetration Testing Security Focussed TDD Security Regression Testing Pair Programming Code Review Techniques for Asserting Discipline Consuming Free and Open Source Evil Test Conditions Cheapest Place to Deal with Defects

  52. 5: Identify

  53. 5: Identify Risks? Given When Then There are no items

    in the shopping cart Customer clicks “Purchase” button for a book which is in stock 1 x book is added to shopping cart. Book is held - preventing selling it twice. “ Customer clicks “Purchase” button for a book which is not in stock Dialog with “Out of stock” message is displayed and offering customer option of putting book on back order.

  54. 5: Identify Risks? Given When Then There are no items

    in the shopping cart User tries to downgrade TLS and the HSTS header is not sent by the server User should be redirected (response 301 status code) to th HTTPS site from the server “ User tries to downgrade TLS and the HSTS header is sent by the server User should be redirected to the HTTP site from the browser (no HTTP traffic for sslstrip to tamper with

  55. Definition of Done The Sprint Sprint Planning Daily Scrum Sprint

    Review Retrospective Product Backlog Sprint Backlog Sprint Increment Establish a Security Champion Security Focussed TDD Pair Programming Code Review Techniques for Asserting Discipline Consuming Free and Open Source Cheapest Place to Deal with Defects Hand-crafted Penetration Testing Security Regression Testing Evil Test Conditions

  56. Definition of Done The Sprint Sprint Planning Daily Scrum Sprint

    Review Retrospective Product Backlog Sprint Backlog Sprint Increment Establish a Security Champion Pair Programming Code Review Techniques for Asserting Discipline Consuming Free and Open Source Evil Test Conditions Cheapest Place to Deal with Defects Hand-crafted Penetration Testing Security Regression Testing Security Focussed TDD

  57. Definition of Done The Sprint Sprint Planning Daily Scrum Sprint

    Review Retrospective Product Backlog Sprint Backlog Sprint Increment Establish a Security Champion Security Focussed TDD Pair Programming Code Review Techniques for Asserting Discipline Consuming Free and Open Source Evil Test Conditions Cheapest Place to Deal with Defects Hand-crafted Penetration Testing Security Regression Testing

  58. Requirements or design defect found via Product Backlog Item (PBI)

    collaboration Length of Feedback Cycle Cost Requirements or design defect found in Test Conditions Workshop Programming or design defect found via Pair Programming Programming defect found via Continuous Integration Programming or design defect found via Test Driven Development (T(B)DD) Requirements or design defect found via Stakeholder Participation Defect found via pair Developer Testing Defect found via Independent Review Requirements defect found via traditional Acceptance Testing Programming or design defect found via Pair Review Design defect found via traditional System Testing Programming defect found via traditional System Testing Security defect found via traditional external Penetration Testing

  59. Requirements or design defect found via Product Backlog Item (PBI)

    collaboration Length of Feedback Cycle Cost Requirements or design defect found in Test Conditions Workshop Programming or design defect found via Pair Programming Programming defect found via Continuous Integration Programming or design defect found via Test Driven Development (T(B)DD) Requirements or design defect found via Stakeholder Participation Defect found via pair Developer Testing Defect found via Independent Review Requirements defect found via traditional Acceptance Testing Programming or design defect found via Pair Review Design defect found via traditional System Testing Programming defect found via traditional System Testing Security defect found via Security Test Driven Development (STDD) or regression testing

  60. 5: Identify Risks? OK I’m starting to get it But

    what now?

  61. Definition of Done The Sprint Security Regression Testing Sprint Planning

    Daily Scrum Sprint Review Retrospective Product Backlog Sprint Backlog Sprint Increment Establish a Security Champion Security Focussed TDD Pair Programming Code Review Techniques for Asserting Discipline Consuming Free and Open Source Evil Test Conditions Cheapest Place to Deal with Defects Hand-crafted Penetration Testing Zap-Api & NodeGoat

  62. https://leanpub.com/holistic-infosec-for-web-developers https://github.com/binarymist/NodeGoat/wiki/Security-Regression-Testing-with-Zap-API

  63. 5: Identify Risks? IoT PhysicalPeople Mobile Cloud VPS Network Web

    App Network 2: Identify Risks 3: Countermeasures 4: What risks does solution cause? 5: Costs and Trade-offs 1: Asset Identification

  64. Product Backlog Sprint Backlog Product Backlog items pulled into Sprint

    to form Increment Forecast 3: Countermeasures

  65. @binarymist https://leanpub.com/holistic-infosec-for-web-developers https://github.com/binarymist/NodeGoat/wiki/Security-Regression-Testing-with-Zap-API