Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The Art of Exploitation

A397cb38965ab9f310e7148b8c3d1105?s=47 Kim Carter
March 09, 2017
Technology
1
770

The Art of Exploitation

https://blog.binarymist.net/presentations-publications/#nzjs-2017-the-art-of-exploitation

A397cb38965ab9f310e7148b8c3d1105?s=128

Kim Carter

March 09, 2017
Tweet

More Decks by Kim Carter

See All by Kim Carter
Application Intrusion Detection
A397cb38965ab9f310e7148b8c3d1105?s=48 binarymist
0
200
owaspnz-chch-meetup-2021-workshop-planning-and-covid
A397cb38965ab9f310e7148b8c3d1105?s=48 binarymist
0
220
Security Regression Testing on OWASP Zap Node API
A397cb38965ab9f310e7148b8c3d1105?s=48 binarymist
1
5.7k
Building purpleteam (a Security Regression Testing SaaS) - From PoC to Alpha
A397cb38965ab9f310e7148b8c3d1105?s=48 binarymist
0
630
OWASP Quiz Night
A397cb38965ab9f310e7148b8c3d1105?s=48 binarymist
2
800
Developing a High Performance Security Focussed Agile Team (2 hr workshop)
A397cb38965ab9f310e7148b8c3d1105?s=48 binarymist
1
480
OWASP NZ Day 2016
A397cb38965ab9f310e7148b8c3d1105?s=48 binarymist
0
91
Infectious Media with Rubber Ducky
A397cb38965ab9f310e7148b8c3d1105?s=48 binarymist
1
200
0wn1ng The Web at www.wdcnz.com
A397cb38965ab9f310e7148b8c3d1105?s=48 binarymist
2
1.1k

Other Decks in Technology

See All in Technology
目と耳を持った自然言語処理 - スタートアップにおける価値創出のために
64fb973c47087ece7fb9b45d5b8593a4?s=48 yag_ays
PRO
0
520
ITエンジニアを取り巻く環境とキャリアパス / A career path for Japanese IT engineers
D2322aa2c45d0190205b3ed8bfdd6717?s=48 takatama
0
570
SRE_チーム立ち上げから1年_気づいたら_SRE_っぽくない仕事まで貢献しちゃってる説
B35fa97f982d550e358a8c689c3f0fef?s=48 bitkey
PRO
0
1.9k
New Features in C# 10/11
1c3658db58f755e44fc1a70255c08ff7?s=48 chack411
0
720
CADDi HCMC Technology Center
E55fbffb4afd0a84d36c945ed68d8c19?s=48 caddi_eng
0
230
tfcon-2022-cpp
Dcc589548f0372645aaeb95bda8e22c2?s=48 cpp
5
4.7k
長年運用されてきたモノリシックアプリケーションをコンテナ化しようとするとどんな問題に遭遇するか? / SRE NEXT 2022
3e77f9dbec6a87756d1dbdddab283aee?s=48 nulabinc
PRO
15
7.2k
ISUCON で使えるツールを作った
Cb17938137021ead2656d0fe58b7c7b1?s=48 shotakitazawa
0
350
【OCHaCafe#5】その Pod 突然落ちても大丈夫ですか?
B2ec9cc63288622b90b772a0ab71adc2?s=48 k6s4i53rx
1
120
HTTP Session Architecture Pattern
484571ccba0db66b69dc11761afdd0c4?s=48 chiroito
1
380
一人から始めるプロダクトSRE / How to start SRE in a product team, all by yourself
12a5cec7a54018170b1a009731acf477?s=48 vtryo
4
2.3k
Power BI ”を” 可視化しよう!
0cc2ebc5781bcb2cae5f9ab7efa40ff2?s=48 hanaseleb
0
140

Featured

See All Featured
Adopting Sorbet at Scale
2bb923c57a1fdc3a2eb484bb8d565fd2?s=48 ufuk
63
7.5k
The Pragmatic Product Professional
1177e050db6bafe62885362edf6e3537?s=48 lauravandoore
19
2.9k
Writing Fast Ruby
1f74b13f1e5c6c69cb5d7fbaabb1e2cb?s=48 sferik
612
57k
Fight the Zombie Pattern Library - RWD Summit 2016
9fa239b3154a0169d99ab7bf1422dd12?s=48 marcelosomers
226
15k
How To Stay Up To Date on Web Technology
8081b26e05bb4354f7d65ffc34cbbd67?s=48 chriscoyier
780
250k
Build your cross-platform service in a week with App Engine
5f83ef806155b403c3393160ce51f955?s=48 jlugia
219
17k
How STYLIGHT went responsive
F716e5f737fcfb03f2cf8d1a184f1dbe?s=48 nonsquared
85
3.9k
What the flash - Photography Introduction
5ce91fa49a613cbc3e20d5f96856473f?s=48 edds
61
9.8k
Building Adaptive Systems
06f8b41980eb4c577fa40c41d5030c19?s=48 keathley
25
1.1k
Become a Pro
828ace851b606e1206900f26459f55ad?s=48 speakerdeck
PRO
3
770
Designing with Data
F57e2136eb9895eb95ff5dc8a1c02677?s=48 zakiwarfel
91
3.9k
For a Future-Friendly Web
F68cb25ae3e5c2106997454b13b7737d?s=48 brad_frost
164
7.4k

Transcript

  1. The Art of Exploitation

  2. @binarymist

  3. Effective Attack Techniques for Common Vulnerabilities

  4. Effective Attack Techniques for Common Vulnerabilities Password Stealing

  5. Effective Attack Techniques for Common Vulnerabilities Password Stealing Spear Phishing

  6. Effective Attack Techniques for Common Vulnerabilities Password Stealing Spear Phishing

    Web Shells

  7. Effective Attack Techniques for Common Vulnerabilities Password Stealing Spear Phishing

    Web Shells FaceBook

  8. Effective Attack Techniques for Common Vulnerabilities Password Stealing Spear Phishing

    Web Shells FaceBook Weaponised Documents

  9. Effective Attack Techniques for Common Vulnerabilities Password Stealing Spear Phishing

    Web Shells FaceBook Weaponised Documents

  10. Effective Attack Techniques for Common Vulnerabilities Password Stealing Spear Phishing

    Web Shells FaceBook Weaponised Documents

  11. Effective Attack Techniques for Common Vulnerabilities Password Stealing Spear Phishing

    Web Shells FaceBook Weaponised Documents

  12. Effective Attack Techniques for Common Vulnerabilities Password Stealing Spear Phishing

    Web Shells FaceBook Weaponised Documents

  13. Effective Attack Techniques for Common Vulnerabilities Password Stealing Spear Phishing

    Web Shells FaceBook Weaponised Documents

  14. Effective Attack Techniques for Common Vulnerabilities Password Stealing Spear Phishing

    Web Shells FaceBook Weaponised Documents

  15. Effective Attack Techniques for Common Vulnerabilities Password Stealing Spear Phishing

    Web Shells FaceBook Weaponised Documents

  16. Effective Attack Techniques for Common Vulnerabilities Password Stealing Spear Phishing

    Web Shells FaceBook Weaponised Documents

  17. Effective Attack Techniques for Common Vulnerabilities Password Stealing Spear Phishing

    Web Shells FaceBook Weaponised Documents

  18. C/- psmsf, PowerSploit & Nishang

  19. None

  20. PowerSploit Persistence Techniques: • PermanentWMI • ScheduledTask • Registry At

    stages: • AtLogon • AtStartup • OnIdle • Daily • Hourly • Specified Time

  21. Effective Attack Techniques for Common Vulnerabilities Password Stealing Spear Phishing

    Web Shells FaceBook Weaponised Documents

  22. Countermeasures Password Stealing Spear Phishing Web Shells FaceBook Weaponised Documents

    XSS

  23. Countermeasures Password Stealing Spear Phishing Web Shells FaceBook Weaponised Documents

    • NIDS • AV • Know Origin

  24. How the process of Exploitation & Mitigation can & Should

    fit within Each & Every Sprint

  25. Red Team

  26. Reconnaissance Vulnerability Scanning & Discovery Vulnerability Searching Exploitation Documenting &

    Reporting

  27. Reconnaissance Vulnerability Scanning & Discovery Vulnerability Searching Exploitation Documenting &

    Reporting

  28. Reconnaissance Vulnerability Scanning & Discovery Vulnerability Searching Exploitation Documenting &

    Reporting

  29. https://github.com/phage-nz/threatcrawler

  30. Reconnaissance Vulnerability Scanning & Discovery Vulnerability Searching Exploitation Documenting &

    Reporting

  31. Reconnaissance Vulnerability Scanning & Discovery Vulnerability Searching Exploitation Documenting &

    Reporting

  32. Red Team

  33. Red Team -> Blue Team

  34. Pen testing @ go live -> within each Sprint

  35. The Sprint Sprint Planning Daily Scrum Sprint Review Retrospective Product

    Backlog Sprint Backlog Sprint Increment Definition of Done Cheapest Place to Deal with Defects Establish a Security Champion Hand-crafted Penetration Testing Pair Programming Code Review Techniques for Asserting Discipline Consuming Free and Open Source Evil Test Conditions Security Focussed TDD Security Regression Testing

  36. Definition of Done The Sprint Sprint Planning Daily Scrum Sprint

    Review Retrospective Product Backlog Sprint Backlog Sprint Increment Establish a Security Champion Security Focussed TDD Pair Programming Code Review Techniques for Asserting Discipline Consuming Free and Open Source Evil Test Conditions Hand-crafted Penetration Testing Security Regression Testing Cheapest Place to Deal with Defects

  37. Definition of Done The Sprint Sprint Planning Daily Scrum Sprint

    Review Retrospective Product Backlog Sprint Backlog Sprint Increment Establish a Security Champion Security Focussed TDD Pair Programming Code Review Techniques for Asserting Discipline Consuming Free and Open Source Evil Test Conditions Hand-crafted Penetration Testing Security Regression Testing Cheapest Place to Deal with Defects

  38. 5: Identify Risks? This is madness! How can we do

    that?

  39. Definition of Done The Sprint Sprint Planning Daily Scrum Sprint

    Review Retrospective Product Backlog Sprint Backlog Sprint Increment Security Focussed TDD Pair Programming Code Review Techniques for Asserting Discipline Consuming Free and Open Source Evil Test Conditions Cheapest Place to Deal with Defects Hand-crafted Penetration Testing Security Regression Testing Establish a Security Champion

  40. Definition of Done The Sprint Sprint Planning Daily Scrum Sprint

    Review Retrospective Product Backlog Sprint Backlog Sprint Increment Establish a Security Champion Security Focussed TDD Pair Programming Code Review Techniques for Asserting Discipline Consuming Free and Open Source Evil Test Conditions Cheapest Place to Deal with Defects Security Regression Testing Hand-crafted Penetration Testing

  41. Definition of Done The Sprint Sprint Planning Daily Scrum Sprint

    Review Retrospective Product Backlog Sprint Backlog Sprint Increment Establish a Security Champion Security Focussed TDD Code Review Techniques for Asserting Discipline Consuming Free and Open Source Evil Test Conditions Cheapest Place to Deal with Defects Hand-crafted Penetration Testing Security Regression Testing Pair Programming
  42. None

  43. Definition of Done The Sprint Sprint Planning Daily Scrum Sprint

    Review Retrospective Product Backlog Sprint Backlog Sprint Increment Establish a Security Champion Security Focussed TDD Pair Programming Techniques for Asserting Discipline Consuming Free and Open Source Evil Test Conditions Cheapest Place to Deal with Defects Hand-crafted Penetration Testing Security Regression Testing Code Review

  44. Code Review, Static & Dynamic Analysis

  45. Definition of Done The Sprint Sprint Planning Daily Scrum Sprint

    Review Retrospective Product Backlog Sprint Backlog Sprint Increment Establish a Security Champion Security Focussed TDD Pair Programming Code Review Consuming Free and Open Source Evil Test Conditions Cheapest Place to Deal with Defects Hand-crafted Penetration Testing Security Regression Testing Techniques for Asserting Discipline

  46. Definition of Done The Sprint Sprint Planning Daily Scrum Sprint

    Review Retrospective Product Backlog Sprint Backlog Sprint Increment Establish a Security Champion Security Focussed TDD Pair Programming Code Review Consuming Free and Open Source Evil Test Conditions Cheapest Place to Deal with Defects Hand-crafted Penetration Testing Security Regression Testing Techniques for Asserting Discipline Static Type Checking DbC https://blog.binarymist.net/2010/10/11/lsp-dbc-and-nets-support/

  47. The Sprint Sprint Planning Daily Scrum Sprint Review Retrospective Product

    Backlog Sprint Backlog Sprint Increment Definition of Done Cheapest Place to Deal with Defects Establish a Security Champion Hand-crafted Penetration Testing Consuming Free and Open Source Evil Test Conditions Security Focussed TDD Security Regression Testing Pair Programming Code Review Techniques for Asserting Discipline R isk

  48. The Sprint Sprint Planning Daily Scrum Sprint Review Retrospective Product

    Backlog Sprint Backlog Sprint Increment Definition of Done Cheapest Place to Deal with Defects Establish a Security Champion Hand-crafted Penetration Testing Consuming Free and Open Source Evil Test Conditions Security Focussed TDD Security Regression Testing Pair Programming Code Review Techniques for Asserting Discipline C ounterm easure

  49. Consuming Free and Open Source curl -sL https://deb.nodesource.com/setup_4.x | sudo

    -E bash - sudo apt-get install -y nodejs R isk

  50. Consuming Free and Open Source • Npm-outdated • Npm-check •

    David • RetireJS • NSP • Snyk Tooling

  51. The Sprint Sprint Planning Daily Scrum Sprint Review Retrospective Product

    Backlog Sprint Backlog Sprint Increment Definition of Done Establish a Security Champion Hand-crafted Penetration Testing Security Focussed TDD Security Regression Testing Pair Programming Code Review Techniques for Asserting Discipline Consuming Free and Open Source Evil Test Conditions Cheapest Place to Deal with Defects

  52. 5: Identify

  53. 5: Identify Risks? Given When Then There are no items

    in the shopping cart Customer clicks “Purchase” button for a book which is in stock 1 x book is added to shopping cart. Book is held - preventing selling it twice. “ Customer clicks “Purchase” button for a book which is not in stock Dialog with “Out of stock” message is displayed and offering customer option of putting book on back order.

  54. 5: Identify Risks? Given When Then There are no items

    in the shopping cart User tries to downgrade TLS and the HSTS header is not sent by the server User should be redirected (response 301 status code) to th HTTPS site from the server “ User tries to downgrade TLS and the HSTS header is sent by the server User should be redirected to the HTTP site from the browser (no HTTP traffic for sslstrip to tamper with

  55. Definition of Done The Sprint Sprint Planning Daily Scrum Sprint

    Review Retrospective Product Backlog Sprint Backlog Sprint Increment Establish a Security Champion Security Focussed TDD Pair Programming Code Review Techniques for Asserting Discipline Consuming Free and Open Source Cheapest Place to Deal with Defects Hand-crafted Penetration Testing Security Regression Testing Evil Test Conditions

  56. Definition of Done The Sprint Sprint Planning Daily Scrum Sprint

    Review Retrospective Product Backlog Sprint Backlog Sprint Increment Establish a Security Champion Pair Programming Code Review Techniques for Asserting Discipline Consuming Free and Open Source Evil Test Conditions Cheapest Place to Deal with Defects Hand-crafted Penetration Testing Security Regression Testing Security Focussed TDD

  57. Definition of Done The Sprint Sprint Planning Daily Scrum Sprint

    Review Retrospective Product Backlog Sprint Backlog Sprint Increment Establish a Security Champion Security Focussed TDD Pair Programming Code Review Techniques for Asserting Discipline Consuming Free and Open Source Evil Test Conditions Cheapest Place to Deal with Defects Hand-crafted Penetration Testing Security Regression Testing

  58. Requirements or design defect found via Product Backlog Item (PBI)

    collaboration Length of Feedback Cycle Cost Requirements or design defect found in Test Conditions Workshop Programming or design defect found via Pair Programming Programming defect found via Continuous Integration Programming or design defect found via Test Driven Development (T(B)DD) Requirements or design defect found via Stakeholder Participation Defect found via pair Developer Testing Defect found via Independent Review Requirements defect found via traditional Acceptance Testing Programming or design defect found via Pair Review Design defect found via traditional System Testing Programming defect found via traditional System Testing Security defect found via traditional external Penetration Testing

  59. Requirements or design defect found via Product Backlog Item (PBI)

    collaboration Length of Feedback Cycle Cost Requirements or design defect found in Test Conditions Workshop Programming or design defect found via Pair Programming Programming defect found via Continuous Integration Programming or design defect found via Test Driven Development (T(B)DD) Requirements or design defect found via Stakeholder Participation Defect found via pair Developer Testing Defect found via Independent Review Requirements defect found via traditional Acceptance Testing Programming or design defect found via Pair Review Design defect found via traditional System Testing Programming defect found via traditional System Testing Security defect found via Security Test Driven Development (STDD) or regression testing

  60. 5: Identify Risks? OK I’m starting to get it But

    what now?

  61. Definition of Done The Sprint Security Regression Testing Sprint Planning

    Daily Scrum Sprint Review Retrospective Product Backlog Sprint Backlog Sprint Increment Establish a Security Champion Security Focussed TDD Pair Programming Code Review Techniques for Asserting Discipline Consuming Free and Open Source Evil Test Conditions Cheapest Place to Deal with Defects Hand-crafted Penetration Testing Zap-Api & NodeGoat

  62. https://leanpub.com/holistic-infosec-for-web-developers https://github.com/binarymist/NodeGoat/wiki/Security-Regression-Testing-with-Zap-API

  63. 5: Identify Risks? IoT PhysicalPeople Mobile Cloud VPS Network Web

    App Network 2: Identify Risks 3: Countermeasures 4: What risks does solution cause? 5: Costs and Trade-offs 1: Asset Identification

  64. Product Backlog Sprint Backlog Product Backlog items pulled into Sprint

    to form Increment Forecast 3: Countermeasures

  65. @binarymist https://leanpub.com/holistic-infosec-for-web-developers https://github.com/binarymist/NodeGoat/wiki/Security-Regression-Testing-with-Zap-API