The Art of Exploitation

Transcript

1. The Art
   of
   Exploitation
   

   View Slide

2. @binarymist
   

   View Slide

3. Effective Attack Techniques
   for
   Common Vulnerabilities
   

   View Slide

4. Effective Attack Techniques
   for
   Common Vulnerabilities
   Password Stealing
   

   View Slide

5. Effective Attack Techniques
   for
   Common Vulnerabilities
   Password Stealing
   Spear Phishing
   

   View Slide

6. Effective Attack Techniques
   for
   Common Vulnerabilities
   Password Stealing
   Spear Phishing
   Web Shells
   

   View Slide

7. Effective Attack Techniques
   for
   Common Vulnerabilities
   Password Stealing
   Spear Phishing
   Web Shells
   FaceBook
   

   View Slide

8. Effective Attack Techniques
   for
   Common Vulnerabilities
   Password Stealing
   Spear Phishing
   Web Shells
   FaceBook
   Weaponised Documents
   

   View Slide

9. Effective Attack Techniques
   for
   Common Vulnerabilities
   Password Stealing
   Spear Phishing
   Web Shells
   FaceBook
   Weaponised Documents
   

   View Slide

10. Effective Attack Techniques
    for
    Common Vulnerabilities
    Password Stealing
    Spear Phishing
    Web Shells
    FaceBook
    Weaponised Documents
    

    View Slide

11. Effective Attack Techniques
    for
    Common Vulnerabilities
    Password Stealing
    Spear Phishing
    Web Shells
    FaceBook
    Weaponised Documents
    

    View Slide

12. Effective Attack Techniques
    for
    Common Vulnerabilities
    Password Stealing
    Spear Phishing
    Web Shells
    FaceBook
    Weaponised Documents
    

    View Slide

13. Effective Attack Techniques
    for
    Common Vulnerabilities
    Password Stealing
    Spear Phishing
    Web Shells
    FaceBook
    Weaponised Documents
    

    View Slide

14. Effective Attack Techniques
    for
    Common Vulnerabilities
    Password Stealing
    Spear Phishing
    Web Shells
    FaceBook
    Weaponised Documents
    

    View Slide

15. Effective Attack Techniques
    for
    Common Vulnerabilities
    Password Stealing
    Spear Phishing
    Web Shells
    FaceBook
    Weaponised Documents
    

    View Slide

16. Effective Attack Techniques
    for
    Common Vulnerabilities
    Password Stealing
    Spear Phishing
    Web Shells
    FaceBook
    Weaponised Documents
    

    View Slide

17. Effective Attack Techniques
    for
    Common Vulnerabilities
    Password Stealing
    Spear Phishing
    Web Shells
    FaceBook
    Weaponised Documents
    

    View Slide

18. C/- psmsf, PowerSploit & Nishang
    

    View Slide

19. View Slide

20. PowerSploit Persistence Techniques:
    ● PermanentWMI
    ● ScheduledTask
    ● Registry
    At stages:
    ● AtLogon
    ● AtStartup
    ● OnIdle
    ● Daily
    ● Hourly
    ● Specified Time
    

    View Slide

21. Effective Attack Techniques
    for
    Common Vulnerabilities
    Password Stealing
    Spear Phishing
    Web Shells
    FaceBook
    Weaponised Documents
    

    View Slide

22. Countermeasures
    Password Stealing
    Spear Phishing
    Web Shells
    FaceBook
    Weaponised Documents
    XSS
    

    View Slide

23. Countermeasures
    Password Stealing
    Spear Phishing
    Web Shells
    FaceBook
    Weaponised Documents
    ● NIDS
    ● AV
    ● Know Origin
    

    View Slide

24. How the process of
    Exploitation & Mitigation can
    & Should fit within Each &
    Every Sprint
    

    View Slide

25. Red Team
    

    View Slide

26. Reconnaissance
    Vulnerability Scanning & Discovery
    Vulnerability Searching
    Exploitation
    Documenting & Reporting
    

    View Slide

27. Reconnaissance
    Vulnerability Scanning & Discovery
    Vulnerability Searching
    Exploitation
    Documenting & Reporting
    

    View Slide

28. Reconnaissance
    Vulnerability Scanning & Discovery
    Vulnerability Searching
    Exploitation
    Documenting & Reporting
    

    View Slide

29. https://github.com/phage-nz/threatcrawler
    

    View Slide

30. Reconnaissance
    Vulnerability Scanning & Discovery
    Vulnerability Searching
    Exploitation
    Documenting & Reporting
    

    View Slide

31. Reconnaissance
    Vulnerability Scanning & Discovery
    Vulnerability Searching
    Exploitation
    Documenting & Reporting
    

    View Slide

32. Red Team
    

    View Slide

33. Red Team -> Blue Team
    

    View Slide

34. Pen testing @ go live -> within each Sprint
    

    View Slide

35. The Sprint
    Sprint Planning
    Daily Scrum
    Sprint Review
    Retrospective
    Product Backlog
    Sprint Backlog
    Sprint Increment
    Definition of Done
    Cheapest Place to Deal with Defects
    Establish a Security Champion
    Hand-crafted Penetration Testing
    Pair Programming
    Code Review
    Techniques for Asserting Discipline
    Consuming Free and Open Source
    Evil Test Conditions
    Security Focussed TDD
    Security Regression Testing
    

    View Slide

36. Definition of Done
    The Sprint
    Sprint Planning
    Daily Scrum
    Sprint Review
    Retrospective
    Product Backlog
    Sprint Backlog
    Sprint Increment
    Establish a Security Champion
    Security Focussed TDD
    Pair Programming
    Code Review
    Techniques for Asserting Discipline
    Consuming Free and Open Source
    Evil Test Conditions
    Hand-crafted Penetration Testing
    Security Regression Testing
    Cheapest Place to Deal with Defects
    

    View Slide

37. Definition of Done
    The Sprint
    Sprint Planning
    Daily Scrum
    Sprint Review
    Retrospective
    Product Backlog
    Sprint Backlog
    Sprint Increment
    Establish a Security Champion
    Security Focussed TDD
    Pair Programming
    Code Review
    Techniques for Asserting Discipline
    Consuming Free and Open Source
    Evil Test Conditions
    Hand-crafted Penetration Testing
    Security Regression Testing
    Cheapest Place to Deal with Defects
    

    View Slide

38. 5: Identify
    Risks?
    This is madness!
    How can we do that?
    

    View Slide

39. Definition of Done
    The Sprint
    Sprint Planning
    Daily Scrum
    Sprint Review
    Retrospective
    Product Backlog
    Sprint Backlog
    Sprint Increment
    Security Focussed TDD
    Pair Programming
    Code Review
    Techniques for Asserting Discipline
    Consuming Free and Open Source
    Evil Test Conditions
    Cheapest Place to Deal with Defects
    Hand-crafted Penetration Testing
    Security Regression Testing
    Establish a Security Champion
    

    View Slide

40. Definition of Done
    The Sprint
    Sprint Planning
    Daily Scrum
    Sprint Review
    Retrospective
    Product Backlog
    Sprint Backlog
    Sprint Increment
    Establish a Security Champion
    Security Focussed TDD
    Pair Programming
    Code Review
    Techniques for Asserting Discipline
    Consuming Free and Open Source
    Evil Test Conditions
    Cheapest Place to Deal with Defects
    Security Regression Testing
    Hand-crafted Penetration Testing
    

    View Slide

41. Definition of Done
    The Sprint
    Sprint Planning
    Daily Scrum
    Sprint Review
    Retrospective
    Product Backlog
    Sprint Backlog
    Sprint Increment
    Establish a Security Champion
    Security Focussed TDD
    Code Review
    Techniques for Asserting Discipline
    Consuming Free and Open Source
    Evil Test Conditions
    Cheapest Place to Deal with Defects
    Hand-crafted Penetration Testing
    Security Regression Testing
    Pair Programming
    

    View Slide

42. View Slide

43. Definition of Done
    The Sprint
    Sprint Planning
    Daily Scrum
    Sprint Review
    Retrospective
    Product Backlog
    Sprint Backlog
    Sprint Increment
    Establish a Security Champion
    Security Focussed TDD
    Pair Programming
    Techniques for Asserting Discipline
    Consuming Free and Open Source
    Evil Test Conditions
    Cheapest Place to Deal with Defects
    Hand-crafted Penetration Testing
    Security Regression Testing
    Code Review
    

    View Slide

44. Code Review, Static & Dynamic Analysis
    

    View Slide

45. Definition of Done
    The Sprint
    Sprint Planning
    Daily Scrum
    Sprint Review
    Retrospective
    Product Backlog
    Sprint Backlog
    Sprint Increment
    Establish a Security Champion
    Security Focussed TDD
    Pair Programming
    Code Review
    Consuming Free and Open Source
    Evil Test Conditions
    Cheapest Place to Deal with Defects
    Hand-crafted Penetration Testing
    Security Regression Testing
    Techniques for Asserting Discipline
    

    View Slide

46. Definition of Done
    The Sprint
    Sprint Planning
    Daily Scrum
    Sprint Review
    Retrospective
    Product Backlog
    Sprint Backlog
    Sprint Increment
    Establish a Security Champion
    Security Focussed TDD
    Pair Programming
    Code Review
    Consuming Free and Open Source
    Evil Test Conditions
    Cheapest Place to Deal with Defects
    Hand-crafted Penetration Testing
    Security Regression Testing
    Techniques for Asserting Discipline
    Static Type Checking
    DbC https://blog.binarymist.net/2010/10/11/lsp-dbc-and-nets-support/
    

    View Slide

47. The Sprint
    Sprint Planning
    Daily Scrum
    Sprint Review
    Retrospective
    Product Backlog
    Sprint Backlog
    Sprint Increment
    Definition of Done
    Cheapest Place to Deal with Defects
    Establish a Security Champion
    Hand-crafted Penetration Testing
    Consuming Free and Open Source
    Evil Test Conditions
    Security Focussed TDD
    Security Regression Testing
    Pair Programming
    Code Review
    Techniques for Asserting Discipline
    R
    isk
    

    View Slide

48. The Sprint
    Sprint Planning
    Daily Scrum
    Sprint Review
    Retrospective
    Product Backlog
    Sprint Backlog
    Sprint Increment
    Definition of Done
    Cheapest Place to Deal with Defects
    Establish a Security Champion
    Hand-crafted Penetration Testing
    Consuming Free and Open Source
    Evil Test Conditions
    Security Focussed TDD
    Security Regression Testing
    Pair Programming
    Code Review
    Techniques for Asserting Discipline
    C
    ounterm
    easure
    

    View Slide

49. Consuming Free and Open Source
    curl -sL https://deb.nodesource.com/setup_4.x |
    sudo -E bash -
    sudo apt-get install -y nodejs
    R
    isk
    

    View Slide

50. Consuming Free and Open Source
    ● Npm-outdated
    ● Npm-check
    ● David
    ● RetireJS
    ● NSP
    ● Snyk
    Tooling
    

    View Slide

51. The Sprint
    Sprint Planning
    Daily Scrum
    Sprint Review
    Retrospective
    Product Backlog
    Sprint Backlog
    Sprint Increment
    Definition of Done
    Establish a Security Champion
    Hand-crafted Penetration Testing
    Security Focussed TDD
    Security Regression Testing
    Pair Programming
    Code Review
    Techniques for Asserting Discipline
    Consuming Free and Open Source
    Evil Test Conditions
    Cheapest Place to Deal with Defects
    

    View Slide

52. 5: Identify
    

    View Slide

53. 5: Identify
    Risks?
    Given When Then
    There are no items in
    the shopping cart
    Customer clicks
    “Purchase” button for a
    book which is in stock
    1 x book is added to
    shopping cart. Book is
    held - preventing
    selling it twice.
    “ Customer clicks
    “Purchase” button for a
    book which is not in
    stock
    Dialog with “Out of
    stock” message is
    displayed and offering
    customer option of
    putting book on back
    order.
    

    View Slide

54. 5: Identify
    Risks?
    Given When Then
    There are no items in
    the shopping cart
    User tries to
    downgrade TLS and the
    HSTS header is not sent
    by the server
    User should be
    redirected (response
    301 status code) to th
    HTTPS site from the
    server
    “ User tries to
    downgrade TLS and the
    HSTS header is sent by
    the server
    User should be
    redirected to the HTTP
    site from the browser
    (no HTTP traffic for
    sslstrip to tamper with
    

    View Slide

55. Definition of Done
    The Sprint
    Sprint Planning
    Daily Scrum
    Sprint Review
    Retrospective
    Product Backlog
    Sprint Backlog
    Sprint Increment
    Establish a Security Champion
    Security Focussed TDD
    Pair Programming
    Code Review
    Techniques for Asserting Discipline
    Consuming Free and Open Source
    Cheapest Place to Deal with Defects
    Hand-crafted Penetration Testing
    Security Regression Testing
    Evil Test Conditions
    

    View Slide

56. Definition of Done
    The Sprint
    Sprint Planning
    Daily Scrum
    Sprint Review
    Retrospective
    Product Backlog
    Sprint Backlog
    Sprint Increment
    Establish a Security Champion
    Pair Programming
    Code Review
    Techniques for Asserting Discipline
    Consuming Free and Open Source
    Evil Test Conditions
    Cheapest Place to Deal with Defects
    Hand-crafted Penetration Testing
    Security Regression Testing
    Security Focussed TDD
    

    View Slide

57. Definition of Done
    The Sprint
    Sprint Planning
    Daily Scrum
    Sprint Review
    Retrospective
    Product Backlog
    Sprint Backlog
    Sprint Increment
    Establish a Security Champion
    Security Focussed TDD
    Pair Programming
    Code Review
    Techniques for Asserting Discipline
    Consuming Free and Open Source
    Evil Test Conditions
    Cheapest Place to Deal with Defects
    Hand-crafted Penetration Testing
    Security Regression Testing
    

    View Slide

58. Requirements or design defect found via
    Product Backlog Item (PBI) collaboration
    Length of Feedback Cycle
    Cost
    Requirements or design defect
    found in Test Conditions Workshop
    Programming or design defect
    found via Pair Programming
    Programming defect found
    via Continuous Integration
    Programming or design defect found via
    Test Driven Development (T(B)DD)
    Requirements or design defect
    found via Stakeholder Participation
    Defect found via pair
    Developer Testing
    Defect found via
    Independent Review
    Requirements defect found via
    traditional Acceptance Testing
    Programming or design defect
    found via Pair Review
    Design defect found via
    traditional System Testing
    Programming defect found via
    traditional System Testing
    Security defect found via
    traditional external Penetration Testing
    

    View Slide

59. Requirements or design defect found via
    Product Backlog Item (PBI) collaboration
    Length of Feedback Cycle
    Cost
    Requirements or design defect
    found in Test Conditions Workshop
    Programming or design defect
    found via Pair Programming
    Programming defect found
    via Continuous Integration
    Programming or design defect found via
    Test Driven Development (T(B)DD)
    Requirements or design defect
    found via Stakeholder Participation
    Defect found via pair
    Developer Testing
    Defect found via
    Independent Review
    Requirements defect found via
    traditional Acceptance Testing
    Programming or design defect
    found via Pair Review
    Design defect found via
    traditional System Testing
    Programming defect found via
    traditional System Testing
    Security defect found via Security Test
    Driven Development (STDD) or regression testing
    

    View Slide

60. 5: Identify
    Risks?
    OK
    I’m starting to get it
    But what now?
    

    View Slide

61. Definition of Done
    The Sprint
    Security Regression Testing
    Sprint Planning
    Daily Scrum
    Sprint Review
    Retrospective
    Product Backlog
    Sprint Backlog
    Sprint Increment
    Establish a Security Champion
    Security Focussed TDD
    Pair Programming
    Code Review
    Techniques for Asserting Discipline
    Consuming Free and Open Source
    Evil Test Conditions
    Cheapest Place to Deal with Defects
    Hand-crafted Penetration Testing
    Zap-Api & NodeGoat
    

    View Slide

62. https://leanpub.com/holistic-infosec-for-web-developers
    https://github.com/binarymist/NodeGoat/wiki/Security-Regression-Testing-with-Zap-API
    

    View Slide

63. 5: Identify
    Risks?
    IoT
    PhysicalPeople Mobile
    Cloud
    VPS Network Web App
    Network
    2: Identify Risks
    3: Countermeasures
    4: What risks does solution cause?
    5: Costs and Trade-offs
    1: Asset Identification
    

    View Slide

64. Product Backlog Sprint Backlog
    Product Backlog items pulled into
    Sprint to form Increment Forecast
    3: Countermeasures
    

    View Slide

65. @binarymist
    https://leanpub.com/holistic-infosec-for-web-developers
    https://github.com/binarymist/NodeGoat/wiki/Security-Regression-Testing-with-Zap-API
    

    View Slide