This talk will zoom in to the cache of goodies which developers leave lying around that an attacker could leverage access valuable information and/or to pivot through a target environment. It will also highlight some of the tools available to developers and InfoSec professionals to find and prevent these sorts of information leakages.
Every day, developers interact with a variety of source-code repositories and environments, often both inside their corporate firewalls and outside on public hosting platforms such as GitHub.com and Amazon AWS. These source-code repositories can provide a wealth of information about a target environment, in addition to being a potential value all on its own. Best of all, a large amount of information about an environment can be gleamed quietly without having to actively scan the network.
If you are a penetration tester, are you able to find this information in your customer’s environment? Do you know how to help their developers prevent these leakages in the first place? Remember “prevention is ideal, but detection is a must!”
This work was performed under the auspices of the U.S. Department of Energy by Lawrence Livermore National Laboratory
under contract DE-AC52-07NA27344. Lawrence Livermore National Security, LLC
Post Exploitation in Developer Environments
SANS Pen Test HackFest Summit 2018
§ Computer Engineer in Livermore Computing @ LLNL
§ High Performance Computing
— Red Team
§ Gov. Open Source Evangelist
§ Many other hats...
Got a shell!
IN THE CLOUD
Not just for attackers penetration testers
CTRL + A, CTRL + D
— App tokens
— SSH keypairs
— Developer source code (important IP)
— Passive recon (other servers / services)
— Built in persistence
— Training / monitoring
— Static Source Code Analysis
— Version Control-aware Analysis
This document was prepared as an account of work sponsored by an agency of the United States government.
Neither the United States government nor Lawrence Livermore National Security, LLC, nor any of their employees
makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy,
completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use
would not infringe privately owned rights. Reference herein to any specific commercial product, process, or service by
trade name, trademark, manufacturer, or otherwise does not necessarily constitute or imply its endorsement,
recommendation, or favoring by the United States government or Lawrence Livermore National Security, LLC. The
views and opinions of authors expressed herein do not necessarily state or reflect those of the United States
government or Lawrence Livermore National Security, LLC, and shall not be used for advertising or product