LLNL-PRES-761319 This work was performed under the auspices of the U.S. Department of Energy by Lawrence Livermore National Laboratory under contract DE-AC52-07NA27344. Lawrence Livermore National Security, LLC Post Exploitation in Developer Environments SANS Pen Test HackFest Summit 2018 Ian Lee @IanLee1521 2018-11-13 

LLNL-PRES-761319 2 § Computer Engineer in Livermore Computing @ LLNL § High Performance Computing — Red Team — ISSO § Gov. Open Source Evangelist — software.llnl.gov — github.com/llnl § Many other hats... whoami 

LLNL-PRES-761319 3 

LLNL-PRES-761319 4 

LLNL-PRES-761319 5 https://3.bp.blogspot.com/-w2URcR6u9uQ/VENiIYIDDsI/AAAAAAAAH_c/GC_4nywJh2M/w800-h800/female-hacker.jpg 

LLNL-PRES-761319 6 Got a shell! 

LLNL-PRES-761319 7 

LLNL-PRES-761319 8 

LLNL-PRES-761319 9 VICTORY !! https://pixabay.com/en/children-win-success-video-game-593313/ 

LLNL-PRES-761319 10 IN THE CLOUD https://commons.wikimedia.org/wiki/File:%22Don%27t_Discuss_Secrets_on_the_Telephone%22_-_NARA_-_514138.jpg 

LLNL-PRES-761319 11 

LLNL-PRES-761319 12 

LLNL-PRES-761319 13 

LLNL-PRES-761319 14 

LLNL-PRES-761319 15 

LLNL-PRES-761319 16 https://pixabay.com/en/history-blackboard-chalk-chalkboard-998337/ 

LLNL-PRES-761319 17 

LLNL-PRES-761319 18 

LLNL-PRES-761319 19 https://www.unixmen.com/prevent-ssh-disconnecting-sessions/ 

LLNL-PRES-761319 20 

LLNL-PRES-761319 21 

LLNL-PRES-761319 22 

LLNL-PRES-761319 23 

LLNL-PRES-761319 24 https://www.flickr.com/photos/christiaancolen/33904011850 

LLNL-PRES-761319 25 

LLNL-PRES-761319 26 

LLNL-PRES-761319 27 

LLNL-PRES-761319 28 

LLNL-PRES-761319 29 Not just for attackers penetration testers http://trulyhappylife.com/wp-content/uploads/2015/02/Persistence-1024x637.jpg 

LLNL-PRES-761319 30 

LLNL-PRES-761319 31 CTRL + A, CTRL + D 

LLNL-PRES-761319 32 

LLNL-PRES-761319 33 

LLNL-PRES-761319 34 

LLNL-PRES-761319 35 

LLNL-PRES-761319 36 Recap § Loot — App tokens — SSH keypairs — Developer source code (important IP) — Passive recon (other servers / services) — Built in persistence § Mitigations — Training / monitoring — Static Source Code Analysis — Version Control-aware Analysis • https://github.com/18F/git-seekret • https://github.com/awslabs/git-secrets https://cdn.pixabay.com/photo/2017/11/07/23/55/pirate-2928821_960_720.jpg 

LLNL-PRES-761319 37 

LLNL-PRES-761319 38 

LLNL-PRES-761319 39 

LLNL-PRES-761319 40 

LLNL-PRES-761319 41 https://software.llnl.gov 

Thank you! @IanLee1521 [email protected] This document was prepared as an account of work sponsored by an agency of the United States government. Neither the United States government nor Lawrence Livermore National Security, LLC, nor any of their employees makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States government or Lawrence Livermore National Security, LLC. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States government or Lawrence Livermore National Security, LLC, and shall not be used for advertising or product endorsement purposes.