The Art of Exploitation

Kim Carter

March 09, 2017
Transcript

  1. The Art
    of
    Exploitation

  2. @binarymist

  3. Effective Attack Techniques
    for
    Common Vulnerabilities

  4. Effective Attack Techniques
    for
    Common Vulnerabilities
    Password Stealing

  5. Effective Attack Techniques
    for
    Common Vulnerabilities
    Password Stealing
    Spear Phishing

  6. Effective Attack Techniques
    for
    Common Vulnerabilities
    Password Stealing
    Spear Phishing
    Web Shells

  7. Effective Attack Techniques
    for
    Common Vulnerabilities
    Password Stealing
    Spear Phishing
    Web Shells
    FaceBook

  8. Effective Attack Techniques
    for
    Common Vulnerabilities
    Password Stealing
    Spear Phishing
    Web Shells
    FaceBook
    Weaponised Documents

  18. C/- psmsf, PowerSploit & Nishang

  20. PowerSploit Persistence Techniques:
    ● PermanentWMI
    ● ScheduledTask
    ● Registry
    At stages:
    ● AtLogon
    ● AtStartup
    ● OnIdle
    ● Daily
    ● Hourly
    ● Specified Time

  22. Countermeasures
    Password Stealing
    Spear Phishing
    Web Shells
    FaceBook
    Weaponised Documents
    XSS

  23. Countermeasures
    Password Stealing
    Spear Phishing
    Web Shells
    FaceBook
    Weaponised Documents
    ● NIDS
    ● AV
    ● Know Origin

  24. How the process of
    Exploitation & Mitigation can
    & Should fit within Each &
    Every Sprint

  25. Red Team

  26. Reconnaissance
    Vulnerability Scanning & Discovery
    Vulnerability Searching
    Exploitation
    Documenting & Reporting

  29. https://github.com/phage-nz/threatcrawler

  32. Red Team

  33. Red Team -> Blue Team

  34. Pen testing @ go live -> within each Sprint

  35. The Sprint
    Sprint Planning
    Daily Scrum
    Sprint Review
    Retrospective
    Product Backlog
    Sprint Backlog
    Sprint Increment
    Definition of Done
    Cheapest Place to Deal with Defects
    Establish a Security Champion
    Hand-crafted Penetration Testing
    Pair Programming
    Code Review
    Techniques for Asserting Discipline
    Consuming Free and Open Source
    Evil Test Conditions
    Security Focussed TDD
    Security Regression Testing

  36. Definition of Done
    The Sprint
    Sprint Planning
    Daily Scrum
    Sprint Review
    Retrospective
    Product Backlog
    Sprint Backlog
    Sprint Increment
    Establish a Security Champion
    Security Focussed TDD
    Pair Programming
    Code Review
    Techniques for Asserting Discipline
    Consuming Free and Open Source
    Evil Test Conditions
    Hand-crafted Penetration Testing
    Security Regression Testing
    Cheapest Place to Deal with Defects

  38. 5: Identify
    Risks?
    This is madness!
    How can we do that?

  39. Definition of Done
    The Sprint
    Sprint Planning
    Daily Scrum
    Sprint Review
    Retrospective
    Product Backlog
    Sprint Backlog
    Sprint Increment
    Security Focussed TDD
    Pair Programming
    Code Review
    Techniques for Asserting Discipline
    Consuming Free and Open Source
    Evil Test Conditions
    Cheapest Place to Deal with Defects
    Hand-crafted Penetration Testing
    Security Regression Testing
    Establish a Security Champion

  40. Definition of Done
    The Sprint
    Sprint Planning
    Daily Scrum
    Sprint Review
    Retrospective
    Product Backlog
    Sprint Backlog
    Sprint Increment
    Establish a Security Champion
    Security Focussed TDD
    Pair Programming
    Code Review
    Techniques for Asserting Discipline
    Consuming Free and Open Source
    Evil Test Conditions
    Cheapest Place to Deal with Defects
    Security Regression Testing
    Hand-crafted Penetration Testing

  41. Definition of Done
    The Sprint
    Sprint Planning
    Daily Scrum
    Sprint Review
    Retrospective
    Product Backlog
    Sprint Backlog
    Sprint Increment
    Establish a Security Champion
    Security Focussed TDD
    Code Review
    Techniques for Asserting Discipline
    Consuming Free and Open Source
    Evil Test Conditions
    Cheapest Place to Deal with Defects
    Hand-crafted Penetration Testing
    Security Regression Testing
    Pair Programming

  43. Definition of Done
    The Sprint
    Sprint Planning
    Daily Scrum
    Sprint Review
    Retrospective
    Product Backlog
    Sprint Backlog
    Sprint Increment
    Establish a Security Champion
    Security Focussed TDD
    Pair Programming
    Techniques for Asserting Discipline
    Consuming Free and Open Source
    Evil Test Conditions
    Cheapest Place to Deal with Defects
    Hand-crafted Penetration Testing
    Security Regression Testing
    Code Review

  44. Code Review, Static & Dynamic Analysis

  45. Definition of Done
    The Sprint
    Sprint Planning
    Daily Scrum
    Sprint Review
    Retrospective
    Product Backlog
    Sprint Backlog
    Sprint Increment
    Establish a Security Champion
    Security Focussed TDD
    Pair Programming
    Code Review
    Consuming Free and Open Source
    Evil Test Conditions
    Cheapest Place to Deal with Defects
    Hand-crafted Penetration Testing
    Security Regression Testing
    Techniques for Asserting Discipline

  46. Definition of Done
    The Sprint
    Sprint Planning
    Daily Scrum
    Sprint Review
    Retrospective
    Product Backlog
    Sprint Backlog
    Sprint Increment
    Establish a Security Champion
    Security Focussed TDD
    Pair Programming
    Code Review
    Consuming Free and Open Source
    Evil Test Conditions
    Cheapest Place to Deal with Defects
    Hand-crafted Penetration Testing
    Security Regression Testing
    Techniques for Asserting Discipline
    Static Type Checking
    DbC https://blog.binarymist.net/2010/10/11/lsp-dbc-and-nets-support/

  47. The Sprint
    Sprint Planning
    Daily Scrum
    Sprint Review
    Retrospective
    Product Backlog
    Sprint Backlog
    Sprint Increment
    Definition of Done
    Cheapest Place to Deal with Defects
    Establish a Security Champion
    Hand-crafted Penetration Testing
    Consuming Free and Open Source
    Evil Test Conditions
    Security Focussed TDD
    Security Regression Testing
    Pair Programming
    Code Review
    Techniques for Asserting Discipline
    Risk

  48. The Sprint
    Sprint Planning
    Daily Scrum
    Sprint Review
    Retrospective
    Product Backlog
    Sprint Backlog
    Sprint Increment
    Definition of Done
    Cheapest Place to Deal with Defects
    Establish a Security Champion
    Hand-crafted Penetration Testing
    Consuming Free and Open Source
    Evil Test Conditions
    Security Focussed TDD
    Security Regression Testing
    Pair Programming
    Code Review
    Techniques for Asserting Discipline
    Countermeasure

  49. Consuming Free and Open Source
    curl -sL https://deb.nodesource.com/setup_4.x | sudo -E bash -
    sudo apt-get install -y nodejs
    Risk

  50. Consuming Free and Open Source
    Tooling:
    ● npm-outdated
    ● npm-check
    ● David
    ● RetireJS
    ● NSP
    ● Snyk

  51. The Sprint
    Sprint Planning
    Daily Scrum
    Sprint Review
    Retrospective
    Product Backlog
    Sprint Backlog
    Sprint Increment
    Definition of Done
    Establish a Security Champion
    Hand-crafted Penetration Testing
    Security Focussed TDD
    Security Regression Testing
    Pair Programming
    Code Review
    Techniques for Asserting Discipline
    Consuming Free and Open Source
    Evil Test Conditions
    Cheapest Place to Deal with Defects

  52. 5: Identify

  53. 5: Identify
    Risks?
    Given: There are no items in the shopping cart
    When: Customer clicks “Purchase” button for a book which is in stock
    Then: 1 x book is added to shopping cart. Book is held, preventing selling it twice.
    Given: (as above)
    When: Customer clicks “Purchase” button for a book which is not in stock
    Then: Dialog with “Out of stock” message is displayed, offering the customer the option of putting the book on back order.

  54. 5: Identify
    Risks?
    Given: There are no items in the shopping cart
    When: User tries to downgrade TLS and the HSTS header is not sent by the server
    Then: User should be redirected (response 301 status code) to the HTTPS site from the server
    Given: (as above)
    When: User tries to downgrade TLS and the HSTS header is sent by the server
    Then: User should be redirected to the HTTPS site from the browser (no HTTP traffic for sslstrip to tamper with)

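The two TLS-downgrade test conditions above, turned into a security regression check as an added example (not code from the deck, NodeGoat or the Zap-API wiki): the functions evaluate a captured response object, the one-year minimum max-age is an assumed policy, and the sample responses at the end are constructed rather than captured.

```javascript
// Added example for the HSTS test conditions above; not code from the deck or NodeGoat.
// MIN_MAX_AGE is an assumed policy; the responses at the bottom are constructed stand-ins.
const MIN_MAX_AGE = 31536000; // one year, in seconds

// Parse a Strict-Transport-Security header value into its directives.
function parseHsts(value) {
  if (typeof value !== 'string') return null;
  const policy = { maxAge: null, includeSubDomains: false, preload: false };
  for (const directive of value.split(';')) {
    const [name = '', val = ''] = directive.split('=').map((s) => s.trim());
    const key = name.toLowerCase();
    if (key === 'max-age' && /^\d+$/.test(val)) policy.maxAge = Number(val);
    else if (key === 'includesubdomains') policy.includeSubDomains = true;
    else if (key === 'preload') policy.preload = true;
  }
  return policy;
}

// Then (HSTS not yet cached): the plain-HTTP response must be a 301 whose Location
// is the https:// origin of the same host, so the only cleartext exchange is the redirect.
function checkHttpRedirect(res, host) {
  if (res.statusCode !== 301) return { ok: false, reason: `status ${res.statusCode}, expected 301` };
  let target;
  try { target = new URL(res.headers.location || ''); } catch (e) { return { ok: false, reason: 'missing or invalid Location header' }; }
  if (target.protocol !== 'https:' || target.hostname !== host) {
    return { ok: false, reason: `Location ${target.href} is not the HTTPS origin of ${host}` };
  }
  return { ok: true, reason: 'redirects to HTTPS' };
}

// Then (HSTS sent): the HTTPS response must carry an HSTS header with a max-age long enough
// that the browser rewrites later http:// requests itself, leaving sslstrip no HTTP traffic.
function checkHstsHeader(res, minMaxAge = MIN_MAX_AGE) {
  const policy = parseHsts(res.headers['strict-transport-security']);
  if (!policy) return { ok: false, reason: 'no Strict-Transport-Security header' };
  if (policy.maxAge === null) return { ok: false, reason: 'max-age directive missing' };
  if (policy.maxAge < minMaxAge) return { ok: false, reason: `max-age ${policy.maxAge} is below ${minMaxAge}` };
  return { ok: true, reason: 'HSTS policy acceptable', policy };
}

// Constructed sample responses (Node's http module lower-cases header names).
const httpResponse = { statusCode: 301, headers: { location: 'https://shop.example/' } };
const httpsResponse = { statusCode: 200, headers: { 'strict-transport-security': 'max-age=31536000; includeSubDomains' } };
```
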
  55. Definition of Done
    The Sprint
    Sprint Planning
    Daily Scrum
    Sprint Review
    Retrospective
    Product Backlog
    Sprint Backlog
    Sprint Increment
    Establish a Security Champion
    Security Focussed TDD
    Pair Programming
    Code Review
    Techniques for Asserting Discipline
    Consuming Free and Open Source
    Cheapest Place to Deal with Defects
    Hand-crafted Penetration Testing
    Security Regression Testing
    Evil Test Conditions

  56. Definition of Done
    The Sprint
    Sprint Planning
    Daily Scrum
    Sprint Review
    Retrospective
    Product Backlog
    Sprint Backlog
    Sprint Increment
    Establish a Security Champion
    Pair Programming
    Code Review
    Techniques for Asserting Discipline
    Consuming Free and Open Source
    Evil Test Conditions
    Cheapest Place to Deal with Defects
    Hand-crafted Penetration Testing
    Security Regression Testing
    Security Focussed TDD

  57. Definition of Done
    The Sprint
    Sprint Planning
    Daily Scrum
    Sprint Review
    Retrospective
    Product Backlog
    Sprint Backlog
    Sprint Increment
    Establish a Security Champion
    Security Focussed TDD
    Pair Programming
    Code Review
    Techniques for Asserting Discipline
    Consuming Free and Open Source
    Evil Test Conditions
    Cheapest Place to Deal with Defects
    Hand-crafted Penetration Testing
    Security Regression Testing

  58. Chart (axes: Length of Feedback Cycle, Cost):
    ● Requirements or design defect found via Product Backlog Item (PBI) collaboration
    ● Requirements or design defect found in Test Conditions Workshop
    ● Programming or design defect found via Pair Programming
    ● Programming defect found via Continuous Integration
    ● Programming or design defect found via Test Driven Development (T(B)DD)
    ● Requirements or design defect found via Stakeholder Participation
    ● Defect found via pair Developer Testing
    ● Defect found via Independent Review
    ● Requirements defect found via traditional Acceptance Testing
    ● Programming or design defect found via Pair Review
    ● Design defect found via traditional System Testing
    ● Programming defect found via traditional System Testing
    ● Security defect found via traditional external Penetration Testing

  59. Chart (axes: Length of Feedback Cycle, Cost):
    ● Requirements or design defect found via Product Backlog Item (PBI) collaboration
    ● Requirements or design defect found in Test Conditions Workshop
    ● Programming or design defect found via Pair Programming
    ● Programming defect found via Continuous Integration
    ● Programming or design defect found via Test Driven Development (T(B)DD)
    ● Requirements or design defect found via Stakeholder Participation
    ● Defect found via pair Developer Testing
    ● Defect found via Independent Review
    ● Requirements defect found via traditional Acceptance Testing
    ● Programming or design defect found via Pair Review
    ● Design defect found via traditional System Testing
    ● Programming defect found via traditional System Testing
    ● Security defect found via Security Test Driven Development (STDD) or regression testing

  60. 5: Identify
    Risks?
    OK
    I’m starting to get it
    But what now?

  61. Definition of Done
    The Sprint
    Security Regression Testing
    Sprint Planning
    Daily Scrum
    Sprint Review
    Retrospective
    Product Backlog
    Sprint Backlog
    Sprint Increment
    Establish a Security Champion
    Security Focussed TDD
    Pair Programming
    Code Review
    Techniques for Asserting Discipline
    Consuming Free and Open Source
    Evil Test Conditions
    Cheapest Place to Deal with Defects
    Hand-crafted Penetration Testing
    Zap-Api & NodeGoat

  62. https://leanpub.com/holistic-infosec-for-web-developers
    https://github.com/binarymist/NodeGoat/wiki/Security-Regression-Testing-with-Zap-API

  63. 5: Identify
    Risks?
    Asset areas: IoT, Physical, People, Mobile, Cloud, VPS, Network, Web App
    1: Asset Identification
    2: Identify Risks
    3: Countermeasures
    4: What risks does solution cause?
    5: Costs and Trade-offs

  64. Product Backlog Sprint Backlog
    Product Backlog items pulled into
    Sprint to form Increment Forecast
    3: Countermeasures

  65. @binarymist
    https://leanpub.com/holistic-infosec-for-web-developers
    https://github.com/binarymist/NodeGoat/wiki/Security-Regression-Testing-with-Zap-API
