Post Exploitation in Developer Environments

Ian Lee
November 13, 2018

This talk will zoom in on the cache of goodies that developers leave lying around, which an attacker could leverage to access valuable information and/or to pivot through a target environment. It will also highlight some of the tools available to developers and InfoSec professionals to find and prevent these sorts of information leakages.

Every day, developers interact with a variety of source-code repositories and environments, often both inside their corporate firewalls and outside on public hosting platforms such as GitHub.com and Amazon AWS. These source-code repositories can provide a wealth of information about a target environment, in addition to being potentially valuable in their own right. Best of all, a large amount of information about an environment can be gleaned quietly without having to actively scan the network.

If you are a penetration tester, are you able to find this information in your customer’s environment? Do you know how to help their developers prevent these leakages in the first place? Remember: “prevention is ideal, but detection is a must!”

Transcript

  1. LLNL-PRES-761319
    This work was performed under the auspices of the U.S. Department of Energy by Lawrence Livermore National Laboratory
    under contract DE-AC52-07NA27344. Lawrence Livermore National Security, LLC
    Post Exploitation in Developer Environments
    SANS Pen Test HackFest Summit 2018
    Ian Lee
    @IanLee1521
    2018-11-13

  2. whoami
    § Computer Engineer in Livermore Computing @ LLNL
    § High Performance Computing
    — Red Team
    — ISSO
    § Gov. Open Source Evangelist
    — software.llnl.gov
    — github.com/llnl
    § Many other hats...

  5. https://3.bp.blogspot.com/-w2URcR6u9uQ/VENiIYIDDsI/AAAAAAAAH_c/GC_4nywJh2M/w800-h800/female-hacker.jpg

  6. Got a shell!

  9. VICTORY !!
    https://pixabay.com/en/children-win-success-video-game-593313/

  10. IN THE CLOUD
    https://commons.wikimedia.org/wiki/File:%22Don%27t_Discuss_Secrets_on_the_Telephone%22_-_NARA_-_514138.jpg

  16. https://pixabay.com/en/history-blackboard-chalk-chalkboard-998337/

  19. https://www.unixmen.com/prevent-ssh-disconnecting-sessions/

  24. https://www.flickr.com/photos/christiaancolen/33904011850

  29. Not just for attackers penetration testers
    http://trulyhappylife.com/wp-content/uploads/2015/02/Persistence-1024x637.jpg

  31. CTRL + A, CTRL + D

  36. Recap
    § Loot
    — App tokens
    — SSH keypairs
    — Developer source code (important IP)
    — Passive recon (other servers / services)
    — Built in persistence
    § Mitigations
    — Training / monitoring
    — Static Source Code Analysis
    — Version Control-aware Analysis
    • https://github.com/18F/git-seekret
    • https://github.com/awslabs/git-secrets
    https://cdn.pixabay.com/photo/2017/11/07/23/55/pirate-2928821_960_720.jpg

  41. https://software.llnl.gov

  42. Thank you!
    @IanLee1521
    [email protected]
    This document was prepared as an account of work sponsored by an agency of the United States government.
    Neither the United States government nor Lawrence Livermore National Security, LLC, nor any of their employees
    makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy,
    completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use
    would not infringe privately owned rights. Reference herein to any specific commercial product, process, or service by
    trade name, trademark, manufacturer, or otherwise does not necessarily constitute or imply its endorsement,
    recommendation, or favoring by the United States government or Lawrence Livermore National Security, LLC. The
    views and opinions of authors expressed herein do not necessarily state or reflect those of the United States
    government or Lawrence Livermore National Security, LLC, and shall not be used for advertising or product
    endorsement purposes.
