The Art of Exploitation

A397cb38965ab9f310e7148b8c3d1105?s=47 Kim Carter
March 09, 2017
Technology
1
630

The Art of Exploitation

https://blog.binarymist.net/presentations-publications/#nzjs-2017-the-art-of-exploitation

A397cb38965ab9f310e7148b8c3d1105?s=128

Kim Carter

March 09, 2017
Tweet

More Decks by Kim Carter

See All by Kim Carter
A397cb38965ab9f310e7148b8c3d1105?s=48 binarymist
2
560
A397cb38965ab9f310e7148b8c3d1105?s=48 binarymist
1
380
A397cb38965ab9f310e7148b8c3d1105?s=48 binarymist
0
83
A397cb38965ab9f310e7148b8c3d1105?s=48 binarymist
1
150
A397cb38965ab9f310e7148b8c3d1105?s=48 binarymist
2
950
A397cb38965ab9f310e7148b8c3d1105?s=48 binarymist
3
320
A397cb38965ab9f310e7148b8c3d1105?s=48 binarymist
5
210
A397cb38965ab9f310e7148b8c3d1105?s=48 binarymist
3
310
A397cb38965ab9f310e7148b8c3d1105?s=48 binarymist
3
1.1k

Other Decks in Technology

See All in Technology
D65bdfdd4762c763f71d08fd4d9fa511?s=48 sky_joker
2
490
2102a6b8760bd6f57f672805723dd83a?s=48 line_developers_tw
0
510
0d29d155ce5c5a93ed46363626da3ea7?s=48 ocise
1
1.8k
2102a6b8760bd6f57f672805723dd83a?s=48 line_developers_tw
0
510
F0ec1a6cb9e7be1911ed97b6561ed5ac?s=48 k1nakayama
0
120
0d29d155ce5c5a93ed46363626da3ea7?s=48 ocise
1
940
C82711d1ecc5cc7a4474dd9314736f33?s=48 macole
0
150
D5554c0703d71b3f813e658020267954?s=48 masudas75
1
300
B2fefbb30aba7c25bbe0c8819791631a?s=48 gunnargrosch
1
420
0479057e04d0dbef40692b5f171f60e4?s=48 takanakahiko
0
200
A73e465566ed41cd2b66b7d889b31666?s=48 maiamea
1
550
457ada693e168bd1102fec3914040b5d?s=48 uipath_friends
0
140

Featured

See All Featured
A16eb159db895e3b01d3dc95767ad595?s=48 jonyablonski
6
740
B3d6434763caa0ef5dc4b792662c49f7?s=48 smashingmag
281
46k
C620790ae5bf5b50c245b2e0ef95f338?s=48 deanohume
294
27k
D09fad3e36ae6841f54820be0e907f7a?s=48 rocio
155
11k
465724d73fe3a92c0879fdfb43a3a6f3?s=48 philhawksworth
190
17k
C0390e8b11079f8761c0cd3274ed61cb?s=48 productmarketing
5
540
25c7c18223fb42a4c6ae1c8db6f50f9b?s=48 mojombo
356
62k
A9179349dd2bdc67f377719f56d85656?s=48 garrettdimon
285
110k
5f50f94346fbcb23706f0707169317a4?s=48 aarron
254
36k
Dad095ea7038f89f760419ce475d5d14?s=48 michaelherold
224
8.3k
D67fff74178013024d833b3eec6cf27f?s=48 lynnandtonic
267
16k
5b9fe87ec1faa67a4599782930f45ec9?s=48 sstephenson
144
12k

Transcript

  1. The Art of Exploitation

  2. @binarymist

  3. Effective Attack Techniques for Common Vulnerabilities

  4. Effective Attack Techniques for Common Vulnerabilities Password Stealing

  5. Effective Attack Techniques for Common Vulnerabilities Password Stealing Spear Phishing

  6. Effective Attack Techniques for Common Vulnerabilities Password Stealing Spear Phishing

    Web Shells

  7. Effective Attack Techniques for Common Vulnerabilities Password Stealing Spear Phishing

    Web Shells FaceBook

  8. Effective Attack Techniques for Common Vulnerabilities Password Stealing Spear Phishing

    Web Shells FaceBook Weaponised Documents

  9. Effective Attack Techniques for Common Vulnerabilities Password Stealing Spear Phishing

    Web Shells FaceBook Weaponised Documents

  10. Effective Attack Techniques for Common Vulnerabilities Password Stealing Spear Phishing

    Web Shells FaceBook Weaponised Documents

  11. Effective Attack Techniques for Common Vulnerabilities Password Stealing Spear Phishing

    Web Shells FaceBook Weaponised Documents

  12. Effective Attack Techniques for Common Vulnerabilities Password Stealing Spear Phishing

    Web Shells FaceBook Weaponised Documents

  13. Effective Attack Techniques for Common Vulnerabilities Password Stealing Spear Phishing

    Web Shells FaceBook Weaponised Documents

  14. Effective Attack Techniques for Common Vulnerabilities Password Stealing Spear Phishing

    Web Shells FaceBook Weaponised Documents

  15. Effective Attack Techniques for Common Vulnerabilities Password Stealing Spear Phishing

    Web Shells FaceBook Weaponised Documents

  16. Effective Attack Techniques for Common Vulnerabilities Password Stealing Spear Phishing

    Web Shells FaceBook Weaponised Documents

  17. Effective Attack Techniques for Common Vulnerabilities Password Stealing Spear Phishing

    Web Shells FaceBook Weaponised Documents

  18. C/- psmsf, PowerSploit & Nishang

  19. None

  20. PowerSploit Persistence Techniques: • PermanentWMI • ScheduledTask • Registry At

    stages: • AtLogon • AtStartup • OnIdle • Daily • Hourly • Specified Time

  21. Effective Attack Techniques for Common Vulnerabilities Password Stealing Spear Phishing

    Web Shells FaceBook Weaponised Documents

  22. Countermeasures Password Stealing Spear Phishing Web Shells FaceBook Weaponised Documents

    XSS

  23. Countermeasures Password Stealing Spear Phishing Web Shells FaceBook Weaponised Documents

    • NIDS • AV • Know Origin

  24. How the process of Exploitation & Mitigation can & Should

    fit within Each & Every Sprint

  25. Red Team

  26. Reconnaissance Vulnerability Scanning & Discovery Vulnerability Searching Exploitation Documenting &

    Reporting

  27. Reconnaissance Vulnerability Scanning & Discovery Vulnerability Searching Exploitation Documenting &

    Reporting

  28. Reconnaissance Vulnerability Scanning & Discovery Vulnerability Searching Exploitation Documenting &

    Reporting

  29. https://github.com/phage-nz/threatcrawler

  30. Reconnaissance Vulnerability Scanning & Discovery Vulnerability Searching Exploitation Documenting &

    Reporting

  31. Reconnaissance Vulnerability Scanning & Discovery Vulnerability Searching Exploitation Documenting &

    Reporting

  32. Red Team

  33. Red Team -> Blue Team

  34. Pen testing @ go live -> within each Sprint

  35. The Sprint Sprint Planning Daily Scrum Sprint Review Retrospective Product

    Backlog Sprint Backlog Sprint Increment Definition of Done Cheapest Place to Deal with Defects Establish a Security Champion Hand-crafted Penetration Testing Pair Programming Code Review Techniques for Asserting Discipline Consuming Free and Open Source Evil Test Conditions Security Focussed TDD Security Regression Testing

  36. Definition of Done The Sprint Sprint Planning Daily Scrum Sprint

    Review Retrospective Product Backlog Sprint Backlog Sprint Increment Establish a Security Champion Security Focussed TDD Pair Programming Code Review Techniques for Asserting Discipline Consuming Free and Open Source Evil Test Conditions Hand-crafted Penetration Testing Security Regression Testing Cheapest Place to Deal with Defects

  37. Definition of Done The Sprint Sprint Planning Daily Scrum Sprint

    Review Retrospective Product Backlog Sprint Backlog Sprint Increment Establish a Security Champion Security Focussed TDD Pair Programming Code Review Techniques for Asserting Discipline Consuming Free and Open Source Evil Test Conditions Hand-crafted Penetration Testing Security Regression Testing Cheapest Place to Deal with Defects

  38. 5: Identify Risks? This is madness! How can we do

    that?

  39. Definition of Done The Sprint Sprint Planning Daily Scrum Sprint

    Review Retrospective Product Backlog Sprint Backlog Sprint Increment Security Focussed TDD Pair Programming Code Review Techniques for Asserting Discipline Consuming Free and Open Source Evil Test Conditions Cheapest Place to Deal with Defects Hand-crafted Penetration Testing Security Regression Testing Establish a Security Champion

  40. Definition of Done The Sprint Sprint Planning Daily Scrum Sprint

    Review Retrospective Product Backlog Sprint Backlog Sprint Increment Establish a Security Champion Security Focussed TDD Pair Programming Code Review Techniques for Asserting Discipline Consuming Free and Open Source Evil Test Conditions Cheapest Place to Deal with Defects Security Regression Testing Hand-crafted Penetration Testing

  41. Definition of Done The Sprint Sprint Planning Daily Scrum Sprint

    Review Retrospective Product Backlog Sprint Backlog Sprint Increment Establish a Security Champion Security Focussed TDD Code Review Techniques for Asserting Discipline Consuming Free and Open Source Evil Test Conditions Cheapest Place to Deal with Defects Hand-crafted Penetration Testing Security Regression Testing Pair Programming
  42. None

  43. Definition of Done The Sprint Sprint Planning Daily Scrum Sprint

    Review Retrospective Product Backlog Sprint Backlog Sprint Increment Establish a Security Champion Security Focussed TDD Pair Programming Techniques for Asserting Discipline Consuming Free and Open Source Evil Test Conditions Cheapest Place to Deal with Defects Hand-crafted Penetration Testing Security Regression Testing Code Review

  44. Code Review, Static & Dynamic Analysis

  45. Definition of Done The Sprint Sprint Planning Daily Scrum Sprint

    Review Retrospective Product Backlog Sprint Backlog Sprint Increment Establish a Security Champion Security Focussed TDD Pair Programming Code Review Consuming Free and Open Source Evil Test Conditions Cheapest Place to Deal with Defects Hand-crafted Penetration Testing Security Regression Testing Techniques for Asserting Discipline

  46. Definition of Done The Sprint Sprint Planning Daily Scrum Sprint

    Review Retrospective Product Backlog Sprint Backlog Sprint Increment Establish a Security Champion Security Focussed TDD Pair Programming Code Review Consuming Free and Open Source Evil Test Conditions Cheapest Place to Deal with Defects Hand-crafted Penetration Testing Security Regression Testing Techniques for Asserting Discipline Static Type Checking DbC https://blog.binarymist.net/2010/10/11/lsp-dbc-and-nets-support/

  47. The Sprint Sprint Planning Daily Scrum Sprint Review Retrospective Product

    Backlog Sprint Backlog Sprint Increment Definition of Done Cheapest Place to Deal with Defects Establish a Security Champion Hand-crafted Penetration Testing Consuming Free and Open Source Evil Test Conditions Security Focussed TDD Security Regression Testing Pair Programming Code Review Techniques for Asserting Discipline R isk

  48. The Sprint Sprint Planning Daily Scrum Sprint Review Retrospective Product

    Backlog Sprint Backlog Sprint Increment Definition of Done Cheapest Place to Deal with Defects Establish a Security Champion Hand-crafted Penetration Testing Consuming Free and Open Source Evil Test Conditions Security Focussed TDD Security Regression Testing Pair Programming Code Review Techniques for Asserting Discipline C ounterm easure

  49. Consuming Free and Open Source curl -sL https://deb.nodesource.com/setup_4.x | sudo

    -E bash - sudo apt-get install -y nodejs R isk

  50. Consuming Free and Open Source • Npm-outdated • Npm-check •

    David • RetireJS • NSP • Snyk Tooling

  51. The Sprint Sprint Planning Daily Scrum Sprint Review Retrospective Product

    Backlog Sprint Backlog Sprint Increment Definition of Done Establish a Security Champion Hand-crafted Penetration Testing Security Focussed TDD Security Regression Testing Pair Programming Code Review Techniques for Asserting Discipline Consuming Free and Open Source Evil Test Conditions Cheapest Place to Deal with Defects

  52. 5: Identify

  53. 5: Identify Risks? Given When Then There are no items

    in the shopping cart Customer clicks “Purchase” button for a book which is in stock 1 x book is added to shopping cart. Book is held - preventing selling it twice. “ Customer clicks “Purchase” button for a book which is not in stock Dialog with “Out of stock” message is displayed and offering customer option of putting book on back order.

  54. 5: Identify Risks? Given When Then There are no items

    in the shopping cart User tries to downgrade TLS and the HSTS header is not sent by the server User should be redirected (response 301 status code) to th HTTPS site from the server “ User tries to downgrade TLS and the HSTS header is sent by the server User should be redirected to the HTTP site from the browser (no HTTP traffic for sslstrip to tamper with

  55. Definition of Done The Sprint Sprint Planning Daily Scrum Sprint

    Review Retrospective Product Backlog Sprint Backlog Sprint Increment Establish a Security Champion Security Focussed TDD Pair Programming Code Review Techniques for Asserting Discipline Consuming Free and Open Source Cheapest Place to Deal with Defects Hand-crafted Penetration Testing Security Regression Testing Evil Test Conditions

  56. Definition of Done The Sprint Sprint Planning Daily Scrum Sprint

    Review Retrospective Product Backlog Sprint Backlog Sprint Increment Establish a Security Champion Pair Programming Code Review Techniques for Asserting Discipline Consuming Free and Open Source Evil Test Conditions Cheapest Place to Deal with Defects Hand-crafted Penetration Testing Security Regression Testing Security Focussed TDD

  57. Definition of Done The Sprint Sprint Planning Daily Scrum Sprint

    Review Retrospective Product Backlog Sprint Backlog Sprint Increment Establish a Security Champion Security Focussed TDD Pair Programming Code Review Techniques for Asserting Discipline Consuming Free and Open Source Evil Test Conditions Cheapest Place to Deal with Defects Hand-crafted Penetration Testing Security Regression Testing

  58. Requirements or design defect found via Product Backlog Item (PBI)

    collaboration Length of Feedback Cycle Cost Requirements or design defect found in Test Conditions Workshop Programming or design defect found via Pair Programming Programming defect found via Continuous Integration Programming or design defect found via Test Driven Development (T(B)DD) Requirements or design defect found via Stakeholder Participation Defect found via pair Developer Testing Defect found via Independent Review Requirements defect found via traditional Acceptance Testing Programming or design defect found via Pair Review Design defect found via traditional System Testing Programming defect found via traditional System Testing Security defect found via traditional external Penetration Testing

  59. Requirements or design defect found via Product Backlog Item (PBI)

    collaboration Length of Feedback Cycle Cost Requirements or design defect found in Test Conditions Workshop Programming or design defect found via Pair Programming Programming defect found via Continuous Integration Programming or design defect found via Test Driven Development (T(B)DD) Requirements or design defect found via Stakeholder Participation Defect found via pair Developer Testing Defect found via Independent Review Requirements defect found via traditional Acceptance Testing Programming or design defect found via Pair Review Design defect found via traditional System Testing Programming defect found via traditional System Testing Security defect found via Security Test Driven Development (STDD) or regression testing

  60. 5: Identify Risks? OK I’m starting to get it But

    what now?

  61. Definition of Done The Sprint Security Regression Testing Sprint Planning

    Daily Scrum Sprint Review Retrospective Product Backlog Sprint Backlog Sprint Increment Establish a Security Champion Security Focussed TDD Pair Programming Code Review Techniques for Asserting Discipline Consuming Free and Open Source Evil Test Conditions Cheapest Place to Deal with Defects Hand-crafted Penetration Testing Zap-Api & NodeGoat

  62. https://leanpub.com/holistic-infosec-for-web-developers https://github.com/binarymist/NodeGoat/wiki/Security-Regression-Testing-with-Zap-API

  63. 5: Identify Risks? IoT PhysicalPeople Mobile Cloud VPS Network Web

    App Network 2: Identify Risks 3: Countermeasures 4: What risks does solution cause? 5: Costs and Trade-offs 1: Asset Identification

  64. Product Backlog Sprint Backlog Product Backlog items pulled into Sprint

    to form Increment Forecast 3: Countermeasures

  65. @binarymist https://leanpub.com/holistic-infosec-for-web-developers https://github.com/binarymist/NodeGoat/wiki/Security-Regression-Testing-with-Zap-API