SlideShare una empresa de Scribd logo

Thick App Penetration Test Crash Course

Scott Sutherland
Scott Sutherland

Scott Sutherland discusses penetration testing thick applications. He explains why these applications create unique risks compared to web applications due to users having full control over the application environment. This allows attacks on trusted components, exposure of data and admin functions, and privilege escalation. Sutherland outlines the goals and process for testing thick applications, including common architectures, accessing the application, and testing the application's GUI, files, registry, network traffic, memory, and configurations to identify vulnerabilities.

Tecnología
1 de 39
Descargar para leer sin conexión
Thick Application Penetration Test CRASH COURSE v1.0 Author: Scott Sutherland
Who am I? Scott Sutherland Principal Security Consultant • Penetration Testing ‒ Networks ‒ Web apps / services ‒ Thick apps • Community Stuff ‒ Researcher ‒ Blogger ‒ Tool smith (or smithy if you like) ‒ Twitter stalker: @_nullbind
What are we going to talk about? • Why should you care • Testing Goal and Objectives • Project Scoping • Common Architectures • Accessing the Application • Testing Requirements • Application Walkthrough • Managed vs. Unmanaged • Testing the Application • Vulnerability Categories • Reporting
Why am I talking about this? Thick applications create unique risks that web applications don't.
Why am I talking about this? Users often have full control over the application environment which: ‒ Allows attacks on trusted components ‒ Exposes data, admin/hidden functions ‒ Leads to application and OS privilege escalation
Why am I talking about this? Thick applications are the new web applications.
Why am I talking about this? Publishing thick applications via Terminal Services and Citrix: Good Stuff ‒ Helps meet client demand for “cloud services” ‒Converts Client/Server model to SaaS model ‒Cheaper/Faster than developing actual web based solution from scratch
Why am I talking about this? Publishing thick applications via Terminal Services and Citrix: Bad Stuff ‒Very hard to secure published desktops/applications ‒Commonly results in direct database access ‒Often exposes internal networks of service provider
Testing Goal & Objectives Goal: Determine what risks the application implementation presents to the business so they can be mitigated. Objectives: Identify vulnerabilities that may exist in: ‒ The client application and server components ‒ The workstation or published application configuration ‒ The server or network configuration
Scoping Projects Estimate effort: ‒ Number of forms ‒ Number of files ‒ Number of registry keys ‒ Number of user levels ‒ Application architecture ‒ Application technology ‒ Constraints ‒ Environment Generally… ‒ More stuff = more time ‒ More complexity = more time
Common Architectures Desktop Client  Remote Database ‒ Usually entire implementation is on internal network Desktop Client  local DB Remote Database ‒ Local db typically syncs with remote db ‒ Usually client and local db are on internal network remote db is hosted by service provider Desktop Client  Application Server  Database ‒ Usually client in on internal network and app/db server is located is hosted by service provider ‒ Common technologies: Web Services, Web Applications, JBOSS, and IBM WebSphere
Common Architectures Terminal Services Application ‒ RDP  Terminal Server  Published app ‒ Website  RDP  Terminal Server  Published app Citrix Application ‒ Citrix client  Terminal Server  Published app ‒ Website  Citrix client  Published app Thin Application ‒ VMware application ‒ Hyper-V application
Accessing the Application • Install locally, and test over VPN • Install locally, and test over the internet • Test over VPN, RDP to a client system, and install the tool sets for testing • VPN + Terminal Services (TS) • Web based TS • VPN + Citrix Client • Web based Citrix • Run from network share
Testing Requirements Minimum Requirements: • 2 application credentials for each role • Application Access Potential Requirements: • VPN access • Local administrator on client test system • Internet endpoints • Installation package
Application Walkthrough • Verify connectivity to application • Verify all credentials • Walk through common use cases • Identify potential areas of client concern • Better understand application architecture
Application Targets UNMANAGED CODE APPLICATIONS and MANAGED CODE APPLICATIONS
UNMANAGED CODE APPLICATIONS • General Information ‒ C and C++ (“unmanaged” or “native” languages) ‒ Compiled to machine code ‒ Include exportable functions • Pros ‒ Typically run faster due to pre compiled code ‒ Can’t be easily decompiled to the original source code • Cons ‒ Architecture specific ‒ Disassembly and reassembly is still possible ‒ API hooking is still possible
MANAGED CODE APPLICATIONS • General Information ‒ Frameworks: .net (C# VB), Java Runtime, Dalvik ‒ Compiled to bytecode ‒ Usually does not include exportable functions ‒ Uses reflection to share public functions • Pros ‒ Architecture independent ‒ Can be coded in different languages ‒ Can access unmanaged/native code • Cons ‒ Slower due to Just in Time (JIT) compiling ‒ Disassembly and reassembly of CIL code is still possible ‒ Decompiling via reflection is still possible ‒ Global Assembly Cache (GAC) poisoning is possible ‒ API hooking is still possible
Attack Vectors The usual suspects: • Application GUI • Network traffic • Files and folders • Application memory • Windows registry • Configurations
Application Test Plan Create a test plan and follow it… • Address high priority test cases identified by clients and business owners first • Testing can be broken out by vector: ‒ GUI Review ‒ File Review ‒ Registry Review ‒ Network Review ‒ Memory Review ‒ Configuration Review
How far do we take this? Stay in scope! • That means only networks, servers, and applications defined by the client • On in scope systems: ‒ Application admin = yes ‒ Database user = yes ‒ Database admin = yes ‒ Local OS admin = yes ‒ Remote OS admin = yes ‒ Domain Admin = yes (IF logged into system) …then no more escalation
Testing the Servers • Automated authenticated scanning ‒ Multiple tools ‒ Multiple rounds • Manual testing using standardized penetration test approach ‒ Information Gathering ‒ Vulnerability Enumeration ‒ Penetration ‒ Escalation ‒ Evidence Gathering ‒ Clean up
Testing the Application: GUI • GUI object privileges Show hidden form objects Enable disabled functionality Reveal masked passwords (GUI B GONE) • GUI content Review for sensitive data and passwords • GUI logic Bypass controls using intended GUI Functionality Common Examples: ‒ SQL query windows ‒ Access control fields ‒ Export functions allow more access to data ‒ Break out of Citrix and Terminal Server applications ‒ External program execution
Testing the Application: GUI Tool Description UISpy Enable disabled functions, and call actions related to disabled functions. Show hidden objects, enabled disabled objects, execution functions, and generally WinCheat manipulate remote form objects. View form object properties including the value of masked password fields, and mask Window Detective card numbers.
Testing the Application: Files • File permissions Files and folders • File Integrity Strong naming, Authenticode signing • File content Debugging Symbols/files, sensitive data, passwords, and settings • File and content manipulation Backdoor the framework DLL pre loading Race conditions Replacing files and content Common Examples: ‒ Application settings ‒ Trusted paths and executables ‒ Trusted hosts ‒ Update servers ‒ Passwords and Private keys
Testing the Application: Files • Exported Functions (usually native code) Identify and run exported functions without authenticating • Public Methods (managed code reflection) Create a wrapper to access public methods without authenticating • Decompile and Recompile Recover source code, passwords, keys, and create patched assembly • Decrypt and Deobfuscate Recover source code, passwords, keys, etc • Disassemble and Reassemble Create patched assembly
Testing the Application: Files Tool Description AccessEnum, Privesc, autoruns, Dump file, registry, and service permissions. Also, review scheduled tasks excessive privilege and write script schtasks locations. .Net Reflector, Reflexil, ildasm, IL_Spy, Decompile or disassemble binaries to recover source code, IL code, or assembly code. Use code review tools to Graywolf,JD Java decompiler, java byte identify vulnerabilities, and review for sensitive data such as passwords, private keys, proprietary algorithms. code editor, Metasm, CFFExplorer Reflexil .net reflector plugin, Graywolf De obfuscate decompiled assemblies Review exports, view/edit imports, edit and extract resources, view disk/memory usage to identify compression, CFF Explorer, dllexp disassemble binary, and finger print language MSFpayload. MSFencode, and MSFVenom can be used to generate shell code, DLL and EXE payloads for Metasploit injection and side loading. This also ships with METASM ruby library that can be used to disassemble and compile binaries Process Explorer View image file settings, process, connections, threads, permissions, strings from process, environmental variables View DEP/ASLR settings, image file settings, process, connections, threads, permissions, strings from process, Process Hacker 2 environmental variables Process Monitor, API Monitor Monitors calls to file, registry keys, and sockets. API monitor does what it sounds like. Spider2008 Search file system for interesting strings with regular expressions Strings Dump strings from files Symantec EPP Scan all files for know malware PE Explorer Detect compiler or packer type and version UPX, MPRESS, Iexpress, 7zip Decompress/unpack binaries and other files Visual Studio, Ilasm, Metasm, winhex Edit exported .net reflector projects, IL, or assembly and create patched executables.
Testing the Application: Registry • Registry permissions Read and write access to registry keys • Registry content Sensitive data, passwords, and settings • Registry manipulation Bypass authentication and authorization Replace content Common Examples: ‒ Application settings ‒ Trusted paths and executables ‒ Trusted hosts ‒ Update servers ‒ Passwords ‒ Private keys
Testing the Application: Registry Tool Description Tools: AccessEnum Dump file and registry permissions Regedit Backup, review, and edit the registry Regshot Registry diffing tool. Process Monitor Monitors calls to file, registry keys, and sockets
Testing the Application: Network • Network Rules Local and network firewall rules • Network content Sensitive data, files, passwords, and settings • Network manipulation Bypass authentication and authorization (SQL) Replacing content (Parameters) Common Examples: ‒ Application settings ‒ Trusted paths and executables ‒ Trusted hosts ‒ Update servers ‒ Passwords ‒ Private keys • Reverse and Fuzz Proprietary Protocols
Testing the Application: Network Tool Description Cain Can be used for ARP based man in the middle attacks. Can be used to parse password in live traffic or a pcap file. Burp Can be used to manipulate HTTP traffic. Metasploit Create custom fuzzer for RPC protocols. Sully Create custom fuzzing templates. Echo Mirage Generic TCP proxy. Ettercap Can be used for man in the middle attacks. Can be used to modify traffic in transit with filters. Evilgrade, interceptor-ng Tool for delivering Metasploit payloads instead of legitimate updates. Network Miner Parse network traffic for files, systems, and shares. oSpy, API Monitor 2 Dump data like encrypted SSL traffic and connection strings when DLL calls are made. SOAPUI Can be used to interact directly with web services, and is often used with BURP Web Inspect Service Attack Tool Generic web service review. Wireshark, windump, Dump all network traffic. Rawcap is the bomb. tcpdump,Rawcap
Testing the Application: Memory • Process controls DEP, ASLR, permissions, and privileges • Memory content Sensitive data, passwords, and settings • Memory manipulation Bypass authentication and authorization Replacing content Common Examples: ‒ Application settings ‒ Trusted paths and executables ‒ Trusted hosts ‒ Update servers ‒ Passwords ‒ Private keys
Testing the Application: Memory Run-time Modifications • Direct editing • DLL injection • Shell code Injection • Process replacement • Modify assembly in memory • Identification of dangerous functions • Check if debugger can be run • Debugging via stepping and breakpoints to analyze and modify
Testing the Application: Memory Tool Description Metasploit Can be used to generate shell code, exe, and DLL payloads. Can also be used to migrate into a running process. Process Explorer View image file settings, process, connections, threads, permissions, strings from process, environmental variables Process Hacker 2 View image file settings, DEP/ASLR settings, connections, threads, permissions, environmental variables, inject DLL RemoteDLL Can be used to inject a DLL into a process. Tsearch Can be used to quickly find and replace strings in memory. Immunity, OllyDBG, Can be used to step through the application and modify assembly instructions on the fly. Windbg, and IDA Debuggers Winhex Can be used to quickly find and replace strings in memory. Userdump Dump memory from process.
Testing the Application: Configurations • Application user privileges • Service account privileges • Service configuration privileges • Service registration • Database account privileges • Remote share permissions • TS breakouts to OS • Citrix breakouts to OS
Testing the Application: Configurations Tool Description windows-privesc- Check privileges on servers and associated program directories, and manually check check for insecurely registered services. Citrix Client Used to connect to Citrix applications. Data Source (ODBC) Look for existing ODBC connection and use tools like excel to leverage them. Administrative Tool Services.msc, Review application services for insecure registration, binary paths, and windows-privesc- determine users who is running the service. check SQL Clients Used to connect directly to the database. Examples include OSQL, ISQL, SQLCMD, RAZOR SQL,TOAD, Microsoft SQL Management Studio Express. Windows Explorer and Access Windows dialog boxes to obtain access to a cmd console or common dialog boxes Powershell. Target links, shortcuts, open file functions, export functions, import functions, and reporting functions. Help menus and verbose error pages can also be handy.
Vulnerability Categories 1. Application Logic 2. Code Injection 3. Excessive Privileges 4. Unencrypted Storage of Sensitive Data 5. Unencrypted Transmission of Sensitive Data 6. Weak Encryption Implementations 7. Weak Assembly Controls 8. Weak GUI Controls 9. Weak or Default Passwords
Reporting Stuff • Create severity ranking system based on static criteria • Internally, criteria should take compensating controls into consideration • Prioritize findings based on ranking system • Include instructions or screen shots to help reproduce and fix issues • Don’t forget recommendations
Wrap Up • General Summary ‒ Attack thick applications and related infrastructure from many vectors using many tools ‒ Managed code suffers from inherent weaknesses that can’t be fixed and is easier to attack • General Advice ‒ Never store sensitive anything in an assembly ‒ If something sensitive “must” be stored in an assembly use unmanaged coding languages like C and C++ ‒ Be very careful to implement sufficient controls when deploying thick applications via terminal services or Citrix

Recomendados

Thick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdfThick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdfSouvikRoy114738
 
Thick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxThick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxAnurag Srivastava
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShellWill Schroeder
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active DirectoryWill Schroeder
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0Will Schroeder
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new blackChris Gates
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceDhruv Majumdar
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter HimselfSergey Soldatov
 

Recomendados

Thick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdfThick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdfSouvikRoy114738
 
Thick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxThick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxAnurag Srivastava
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShellWill Schroeder
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active DirectoryWill Schroeder
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0Will Schroeder
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new blackChris Gates
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceDhruv Majumdar
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter HimselfSergey Soldatov
 
Next Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAMNext Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAMBGA Cyber Security
 
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...DirkjanMollema
 
Pentesting ReST API
Pentesting ReST APIPentesting ReST API
Pentesting ReST APINutan Kumar Panda
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingNikhil Mittal
 
0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for IdentityNikhil Mittal
 
The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
The Game of Bug Bounty Hunting - Money, Drama, Action and FameThe Game of Bug Bounty Hunting - Money, Drama, Action and Fame
The Game of Bug Bounty Hunting - Money, Drama, Action and FameAbhinav Mishra
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkSqrrl
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
Trusts You Might Have Missed
Trusts You Might Have MissedTrusts You Might Have Missed
Trusts You Might Have MissedWill Schroeder
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghOWASP Delhi
 
Api security-testing
Api security-testingApi security-testing
Api security-testingn|u - The Open Security Community
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov
 
Pentesting GraphQL Applications
Pentesting GraphQL ApplicationsPentesting GraphQL Applications
Pentesting GraphQL ApplicationsNeelu Tripathy
 
Learn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAPLearn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAPPaul Ionescu
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 
OSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainOSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainInfosecTrain
 
Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseNetSPI
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of themRoberto Suggi Liverani
 

Más contenido relacionado

La actualidad más candente

Next Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAMNext Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAMBGA Cyber Security
 
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...DirkjanMollema
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingNikhil Mittal
 
0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for IdentityNikhil Mittal
 
The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
The Game of Bug Bounty Hunting - Money, Drama, Action and FameThe Game of Bug Bounty Hunting - Money, Drama, Action and Fame
The Game of Bug Bounty Hunting - Money, Drama, Action and FameAbhinav Mishra
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkSqrrl
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
Trusts You Might Have Missed
Trusts You Might Have MissedTrusts You Might Have Missed
Trusts You Might Have MissedWill Schroeder
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghOWASP Delhi
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov
 
Pentesting GraphQL Applications
Pentesting GraphQL ApplicationsPentesting GraphQL Applications
Pentesting GraphQL ApplicationsNeelu Tripathy
 
Learn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAPLearn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAPPaul Ionescu
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 
OSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainOSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainInfosecTrain
 

La actualidad más candente (20)

Next Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAMNext Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAM
 
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
 
Pentesting ReST API
Pentesting ReST APIPentesting ReST API
Pentesting ReST API
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple Teaming
 
0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity
 
The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
The Game of Bug Bounty Hunting - Money, Drama, Action and FameThe Game of Bug Bounty Hunting - Money, Drama, Action and Fame
The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your Network
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
 
Trusts You Might Have Missed
Trusts You Might Have MissedTrusts You Might Have Missed
Trusts You Might Have Missed
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep Singh
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On Lab
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
 
Pentesting GraphQL Applications
Pentesting GraphQL ApplicationsPentesting GraphQL Applications
Pentesting GraphQL Applications
 
Learn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAPLearn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAP
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
 
OSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainOSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ Infosectrain
 

Similar a Thick App Penetration Test Crash Course

Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseNetSPI
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of themRoberto Suggi Liverani
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
 
Real World Application Threat Modelling By Example
Real World Application Threat Modelling By ExampleReal World Application Threat Modelling By Example
Real World Application Threat Modelling By ExampleNCC Group
 
FIWARE Wednesday Webinars - How to Debug IoT Agents
FIWARE Wednesday Webinars - How to Debug IoT AgentsFIWARE Wednesday Webinars - How to Debug IoT Agents
FIWARE Wednesday Webinars - How to Debug IoT AgentsFIWARE
 
Reverse Engineering.pptx
Reverse Engineering.pptxReverse Engineering.pptx
Reverse Engineering.pptxSameer Sapra
 
Introduction to Android Development and Security
Introduction to Android Development and SecurityIntroduction to Android Development and Security
Introduction to Android Development and SecurityKelwin Yang
 
Code Quality - Security
Code Quality - SecurityCode Quality - Security
Code Quality - Securitysedukull
 
Contain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceContain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceBlack Duck by Synopsys
 
Using Chef InSpec for Infrastructure Security
Using Chef InSpec for Infrastructure SecurityUsing Chef InSpec for Infrastructure Security
Using Chef InSpec for Infrastructure SecurityMandi Walls
 
Hacker Halted 2014 - Reverse Engineering the Android OS
Hacker Halted 2014 - Reverse Engineering the Android OSHacker Halted 2014 - Reverse Engineering the Android OS
Hacker Halted 2014 - Reverse Engineering the Android OSEC-Council
 
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat DasNull Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat Dasnullowaspmumbai
 
Terrascan - Cloud Native Security Tool
Terrascan - Cloud Native Security Tool Terrascan - Cloud Native Security Tool
Terrascan - Cloud Native Security Tool sangam biradar
 
Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Scott Sutherland
 
Here Be Dragons: Security Maps of the Container New World
Here Be Dragons: Security Maps of the Container New WorldHere Be Dragons: Security Maps of the Container New World
Here Be Dragons: Security Maps of the Container New WorldC4Media
 
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Ajin Abraham
 

Similar a Thick App Penetration Test Crash Course (20)

Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash Course
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of them
 
SOHOpelessly Broken
SOHOpelessly BrokenSOHOpelessly Broken
SOHOpelessly Broken
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Real World Application Threat Modelling By Example
Real World Application Threat Modelling By ExampleReal World Application Threat Modelling By Example
Real World Application Threat Modelling By Example
 
FIWARE Wednesday Webinars - How to Debug IoT Agents
FIWARE Wednesday Webinars - How to Debug IoT AgentsFIWARE Wednesday Webinars - How to Debug IoT Agents
FIWARE Wednesday Webinars - How to Debug IoT Agents
 
How to debug IoT Agents
How to debug IoT AgentsHow to debug IoT Agents
How to debug IoT Agents
 
Reverse Engineering.pptx
Reverse Engineering.pptxReverse Engineering.pptx
Reverse Engineering.pptx
 
Build Time Hacking
Build Time HackingBuild Time Hacking
Build Time Hacking
 
Introduction to Android Development and Security
Introduction to Android Development and SecurityIntroduction to Android Development and Security
Introduction to Android Development and Security
 
Code Quality - Security
Code Quality - SecurityCode Quality - Security
Code Quality - Security
 
Contain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceContain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidence
 
Using Chef InSpec for Infrastructure Security
Using Chef InSpec for Infrastructure SecurityUsing Chef InSpec for Infrastructure Security
Using Chef InSpec for Infrastructure Security
 
Hacker Halted 2014 - Reverse Engineering the Android OS
Hacker Halted 2014 - Reverse Engineering the Android OSHacker Halted 2014 - Reverse Engineering the Android OS
Hacker Halted 2014 - Reverse Engineering the Android OS
 
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat DasNull Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
 
Terrascan - Cloud Native Security Tool
Terrascan - Cloud Native Security Tool Terrascan - Cloud Native Security Tool
Terrascan - Cloud Native Security Tool
 
Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!
 
Here Be Dragons: Security Maps of the Container New World
Here Be Dragons: Security Maps of the Container New WorldHere Be Dragons: Security Maps of the Container New World
Here Be Dragons: Security Maps of the Container New World
 
Meetup callback
Meetup callbackMeetup callback
Meetup callback
 
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
 

Más de Scott Sutherland

Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)
Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)
Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)Scott Sutherland
 
How to Build and Validate Ransomware Attack Detections (Secure360)
How to Build and Validate Ransomware Attack Detections (Secure360)How to Build and Validate Ransomware Attack Detections (Secure360)
How to Build and Validate Ransomware Attack Detections (Secure360)Scott Sutherland
 
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory EnvironmentsTROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory EnvironmentsScott Sutherland
 
2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQL2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQLScott Sutherland
 
PowerUpSQL - 2018 Blackhat USA Arsenal Presentation
PowerUpSQL - 2018 Blackhat USA Arsenal PresentationPowerUpSQL - 2018 Blackhat USA Arsenal Presentation
PowerUpSQL - 2018 Blackhat USA Arsenal PresentationScott Sutherland
 
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL ServerSecure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL ServerScott Sutherland
 
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL ServerScott Sutherland
 
Beyond xp_cmdshell: Owning the Empire through SQL Server
Beyond xp_cmdshell: Owning the Empire through SQL ServerBeyond xp_cmdshell: Owning the Empire through SQL Server
Beyond xp_cmdshell: Owning the Empire through SQL ServerScott Sutherland
 
2017 Secure360 - Hacking SQL Server on Scale with PowerShell
2017 Secure360 - Hacking SQL Server on Scale with PowerShell2017 Secure360 - Hacking SQL Server on Scale with PowerShell
2017 Secure360 - Hacking SQL Server on Scale with PowerShellScott Sutherland
 
2017 Thotcon - Hacking SQL Servers on Scale with PowerShell
2017 Thotcon - Hacking SQL Servers on Scale with PowerShell2017 Thotcon - Hacking SQL Servers on Scale with PowerShell
2017 Thotcon - Hacking SQL Servers on Scale with PowerShellScott Sutherland
 
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShellScott Sutherland
 
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial EmulationScott Sutherland
 
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)Scott Sutherland
 
DerbyCon2016 - Hacking SQL Server on Scale with PowerShell
DerbyCon2016 - Hacking SQL Server on Scale with PowerShellDerbyCon2016 - Hacking SQL Server on Scale with PowerShell
DerbyCon2016 - Hacking SQL Server on Scale with PowerShellScott Sutherland
 
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 201510 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015Scott Sutherland
 
Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Scott Sutherland
 
Secure360 - Extracting Password from Windows
Secure360 - Extracting Password from WindowsSecure360 - Extracting Password from Windows
Secure360 - Extracting Password from WindowsScott Sutherland
 
Attack all the layers secure 360
Attack all the layers secure 360Attack all the layers secure 360
Attack all the layers secure 360Scott Sutherland
 
Introduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksIntroduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksScott Sutherland
 

Más de Scott Sutherland (20)

Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)
Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)
Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)
 
How to Build and Validate Ransomware Attack Detections (Secure360)
How to Build and Validate Ransomware Attack Detections (Secure360)How to Build and Validate Ransomware Attack Detections (Secure360)
How to Build and Validate Ransomware Attack Detections (Secure360)
 
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory EnvironmentsTROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
 
2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQL2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQL
 
PowerUpSQL - 2018 Blackhat USA Arsenal Presentation
PowerUpSQL - 2018 Blackhat USA Arsenal PresentationPowerUpSQL - 2018 Blackhat USA Arsenal Presentation
PowerUpSQL - 2018 Blackhat USA Arsenal Presentation
 
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL ServerSecure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
 
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
 
Beyond xp_cmdshell: Owning the Empire through SQL Server
Beyond xp_cmdshell: Owning the Empire through SQL ServerBeyond xp_cmdshell: Owning the Empire through SQL Server
Beyond xp_cmdshell: Owning the Empire through SQL Server
 
2017 Secure360 - Hacking SQL Server on Scale with PowerShell
2017 Secure360 - Hacking SQL Server on Scale with PowerShell2017 Secure360 - Hacking SQL Server on Scale with PowerShell
2017 Secure360 - Hacking SQL Server on Scale with PowerShell
 
2017 Thotcon - Hacking SQL Servers on Scale with PowerShell
2017 Thotcon - Hacking SQL Servers on Scale with PowerShell2017 Thotcon - Hacking SQL Servers on Scale with PowerShell
2017 Thotcon - Hacking SQL Servers on Scale with PowerShell
 
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
 
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
 
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
 
DerbyCon2016 - Hacking SQL Server on Scale with PowerShell
DerbyCon2016 - Hacking SQL Server on Scale with PowerShellDerbyCon2016 - Hacking SQL Server on Scale with PowerShell
DerbyCon2016 - Hacking SQL Server on Scale with PowerShell
 
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 201510 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
 
Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)
 
Secure360 - Extracting Password from Windows
Secure360 - Extracting Password from WindowsSecure360 - Extracting Password from Windows
Secure360 - Extracting Password from Windows
 
Attack all the layers secure 360
Attack all the layers secure 360Attack all the layers secure 360
Attack all the layers secure 360
 
Declaration of malWARe
Declaration of malWAReDeclaration of malWARe
Declaration of malWARe
 
Introduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksIntroduction to Windows Dictionary Attacks
Introduction to Windows Dictionary Attacks
 

Último

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 

Último (20)

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 

Thick App Penetration Test Crash Course

  • 1. Thick Application Penetration Test CRASH COURSE v1.0 Author: Scott Sutherland
  • 2. Who am I? Scott Sutherland Principal Security Consultant • Penetration Testing ‒ Networks ‒ Web apps / services ‒ Thick apps • Community Stuff ‒ Researcher ‒ Blogger ‒ Tool smith (or smithy if you like) ‒ Twitter stalker: @_nullbind
  • 3. What are we going to talk about? • Why should you care • Testing Goal and Objectives • Project Scoping • Common Architectures • Accessing the Application • Testing Requirements • Application Walkthrough • Managed vs. Unmanaged • Testing the Application • Vulnerability Categories • Reporting
  • 4. Why am I talking about this? Thick applications create unique risks that web applications don't.
  • 5. Why am I talking about this? Users often have full control over the application environment which: ‒ Allows attacks on trusted components ‒ Exposes data, admin/hidden functions ‒ Leads to application and OS privilege escalation
  • 6. Why am I talking about this? Thick applications are the new web applications.
  • 7. Why am I talking about this? Publishing thick applications via Terminal Services and Citrix: Good Stuff ‒ Helps meet client demand for “cloud services” ‒Converts Client/Server model to SaaS model ‒Cheaper/Faster than developing actual web based solution from scratch
  • 8. Why am I talking about this? Publishing thick applications via Terminal Services and Citrix: Bad Stuff ‒Very hard to secure published desktops/applications ‒Commonly results in direct database access ‒Often exposes internal networks of service provider
  • 9. Testing Goal & Objectives Goal: Determine what risks the application implementation presents to the business so they can be mitigated. Objectives: Identify vulnerabilities that may exist in: ‒ The client application and server components ‒ The workstation or published application configuration ‒ The server or network configuration
  • 10. Scoping Projects Estimate effort: ‒ Number of forms ‒ Number of files ‒ Number of registry keys ‒ Number of user levels ‒ Application architecture ‒ Application technology ‒ Constraints ‒ Environment Generally… ‒ More stuff = more time ‒ More complexity = more time
  • 11. Common Architectures Desktop Client  Remote Database ‒ Usually entire implementation is on internal network Desktop Client  local DB Remote Database ‒ Local db typically syncs with remote db ‒ Usually client and local db are on internal network remote db is hosted by service provider Desktop Client  Application Server  Database ‒ Usually client in on internal network and app/db server is located is hosted by service provider ‒ Common technologies: Web Services, Web Applications, JBOSS, and IBM WebSphere
  • 12. Common Architectures Terminal Services Application ‒ RDP  Terminal Server  Published app ‒ Website  RDP  Terminal Server  Published app Citrix Application ‒ Citrix client  Terminal Server  Published app ‒ Website  Citrix client  Published app Thin Application ‒ VMware application ‒ Hyper-V application
  • 13. Accessing the Application • Install locally, and test over VPN • Install locally, and test over the internet • Test over VPN, RDP to a client system, and install the tool sets for testing • VPN + Terminal Services (TS) • Web based TS • VPN + Citrix Client • Web based Citrix • Run from network share
  • 14. Testing Requirements Minimum Requirements: • 2 application credentials for each role • Application Access Potential Requirements: • VPN access • Local administrator on client test system • Internet endpoints • Installation package
  • 15. Application Walkthrough • Verify connectivity to application • Verify all credentials • Walk through common use cases • Identify potential areas of client concern • Better understand application architecture
  • 16. Application Targets UNMANAGED CODE APPLICATIONS and MANAGED CODE APPLICATIONS
  • 17. UNMANAGED CODE APPLICATIONS • General Information ‒ C and C++ (“unmanaged” or “native” languages) ‒ Compiled to machine code ‒ Include exportable functions • Pros ‒ Typically run faster due to pre compiled code ‒ Can’t be easily decompiled to the original source code • Cons ‒ Architecture specific ‒ Disassembly and reassembly is still possible ‒ API hooking is still possible
  • 18. MANAGED CODE APPLICATIONS • General Information ‒ Frameworks: .net (C# VB), Java Runtime, Dalvik ‒ Compiled to bytecode ‒ Usually does not include exportable functions ‒ Uses reflection to share public functions • Pros ‒ Architecture independent ‒ Can be coded in different languages ‒ Can access unmanaged/native code • Cons ‒ Slower due to Just in Time (JIT) compiling ‒ Disassembly and reassembly of CIL code is still possible ‒ Decompiling via reflection is still possible ‒ Global Assembly Cache (GAC) poisoning is possible ‒ API hooking is still possible
  • 19. Attack Vectors The usual suspects: • Application GUI • Network traffic • Files and folders • Application memory • Windows registry • Configurations
  • 20. Application Test Plan Create a test plan and follow it… • Address high priority test cases identified by clients and business owners first • Testing can be broken out by vector: ‒ GUI Review ‒ File Review ‒ Registry Review ‒ Network Review ‒ Memory Review ‒ Configuration Review
  • 21. How far do we take this? Stay in scope! • That means only networks, servers, and applications defined by the client • On in scope systems: ‒ Application admin = yes ‒ Database user = yes ‒ Database admin = yes ‒ Local OS admin = yes ‒ Remote OS admin = yes ‒ Domain Admin = yes (IF logged into system) …then no more escalation
  • 22. Testing the Servers • Automated authenticated scanning ‒ Multiple tools ‒ Multiple rounds • Manual testing using standardized penetration test approach ‒ Information Gathering ‒ Vulnerability Enumeration ‒ Penetration ‒ Escalation ‒ Evidence Gathering ‒ Clean up
  • 23. Testing the Application: GUI • GUI object privileges Show hidden form objects Enable disabled functionality Reveal masked passwords (GUI B GONE) • GUI content Review for sensitive data and passwords • GUI logic Bypass controls using intended GUI Functionality Common Examples: ‒ SQL query windows ‒ Access control fields ‒ Export functions allow more access to data ‒ Break out of Citrix and Terminal Server applications ‒ External program execution
  • 24. Testing the Application: GUI Tool Description UISpy Enable disabled functions, and call actions related to disabled functions. Show hidden objects, enabled disabled objects, execution functions, and generally WinCheat manipulate remote form objects. View form object properties including the value of masked password fields, and mask Window Detective card numbers.
  • 25. Testing the Application: Files • File permissions Files and folders • File Integrity Strong naming, Authenticode signing • File content Debugging Symbols/files, sensitive data, passwords, and settings • File and content manipulation Backdoor the framework DLL pre loading Race conditions Replacing files and content Common Examples: ‒ Application settings ‒ Trusted paths and executables ‒ Trusted hosts ‒ Update servers ‒ Passwords and Private keys
  • 26. Testing the Application: Files • Exported Functions (usually native code) Identify and run exported functions without authenticating • Public Methods (managed code reflection) Create a wrapper to access public methods without authenticating • Decompile and Recompile Recover source code, passwords, keys, and create patched assembly • Decrypt and Deobfuscate Recover source code, passwords, keys, etc • Disassemble and Reassemble Create patched assembly
  • 27. Testing the Application: Files Tool Description AccessEnum, Privesc, autoruns, Dump file, registry, and service permissions. Also, review scheduled tasks excessive privilege and write script schtasks locations. .Net Reflector, Reflexil, ildasm, IL_Spy, Decompile or disassemble binaries to recover source code, IL code, or assembly code. Use code review tools to Graywolf,JD Java decompiler, java byte identify vulnerabilities, and review for sensitive data such as passwords, private keys, proprietary algorithms. code editor, Metasm, CFFExplorer Reflexil .net reflector plugin, Graywolf De obfuscate decompiled assemblies Review exports, view/edit imports, edit and extract resources, view disk/memory usage to identify compression, CFF Explorer, dllexp disassemble binary, and finger print language MSFpayload. MSFencode, and MSFVenom can be used to generate shell code, DLL and EXE payloads for Metasploit injection and side loading. This also ships with METASM ruby library that can be used to disassemble and compile binaries Process Explorer View image file settings, process, connections, threads, permissions, strings from process, environmental variables View DEP/ASLR settings, image file settings, process, connections, threads, permissions, strings from process, Process Hacker 2 environmental variables Process Monitor, API Monitor Monitors calls to file, registry keys, and sockets. API monitor does what it sounds like. Spider2008 Search file system for interesting strings with regular expressions Strings Dump strings from files Symantec EPP Scan all files for know malware PE Explorer Detect compiler or packer type and version UPX, MPRESS, Iexpress, 7zip Decompress/unpack binaries and other files Visual Studio, Ilasm, Metasm, winhex Edit exported .net reflector projects, IL, or assembly and create patched executables.
  • 28. Testing the Application: Registry • Registry permissions Read and write access to registry keys • Registry content Sensitive data, passwords, and settings • Registry manipulation Bypass authentication and authorization Replace content Common Examples: ‒ Application settings ‒ Trusted paths and executables ‒ Trusted hosts ‒ Update servers ‒ Passwords ‒ Private keys
  • 29. Testing the Application: Registry Tool Description Tools: AccessEnum Dump file and registry permissions Regedit Backup, review, and edit the registry Regshot Registry diffing tool. Process Monitor Monitors calls to file, registry keys, and sockets
  • 30. Testing the Application: Network • Network Rules Local and network firewall rules • Network content Sensitive data, files, passwords, and settings • Network manipulation Bypass authentication and authorization (SQL) Replacing content (Parameters) Common Examples: ‒ Application settings ‒ Trusted paths and executables ‒ Trusted hosts ‒ Update servers ‒ Passwords ‒ Private keys • Reverse and Fuzz Proprietary Protocols
  • 31. Testing the Application: Network Tool Description Cain Can be used for ARP based man in the middle attacks. Can be used to parse password in live traffic or a pcap file. Burp Can be used to manipulate HTTP traffic. Metasploit Create custom fuzzer for RPC protocols. Sully Create custom fuzzing templates. Echo Mirage Generic TCP proxy. Ettercap Can be used for man in the middle attacks. Can be used to modify traffic in transit with filters. Evilgrade, interceptor-ng Tool for delivering Metasploit payloads instead of legitimate updates. Network Miner Parse network traffic for files, systems, and shares. oSpy, API Monitor 2 Dump data like encrypted SSL traffic and connection strings when DLL calls are made. SOAPUI Can be used to interact directly with web services, and is often used with BURP Web Inspect Service Attack Tool Generic web service review. Wireshark, windump, Dump all network traffic. Rawcap is the bomb. tcpdump,Rawcap
  • 32. Testing the Application: Memory • Process controls DEP, ASLR, permissions, and privileges • Memory content Sensitive data, passwords, and settings • Memory manipulation Bypass authentication and authorization Replacing content Common Examples: ‒ Application settings ‒ Trusted paths and executables ‒ Trusted hosts ‒ Update servers ‒ Passwords ‒ Private keys
  • 33. Testing the Application: Memory Run-time Modifications • Direct editing • DLL injection • Shell code Injection • Process replacement • Modify assembly in memory • Identification of dangerous functions • Check if debugger can be run • Debugging via stepping and breakpoints to analyze and modify
  • 34. Testing the Application: Memory Tool Description Metasploit Can be used to generate shell code, exe, and DLL payloads. Can also be used to migrate into a running process. Process Explorer View image file settings, process, connections, threads, permissions, strings from process, environmental variables Process Hacker 2 View image file settings, DEP/ASLR settings, connections, threads, permissions, environmental variables, inject DLL RemoteDLL Can be used to inject a DLL into a process. Tsearch Can be used to quickly find and replace strings in memory. Immunity, OllyDBG, Can be used to step through the application and modify assembly instructions on the fly. Windbg, and IDA Debuggers Winhex Can be used to quickly find and replace strings in memory. Userdump Dump memory from process.
  • 35. Testing the Application: Configurations • Application user privileges • Service account privileges • Service configuration privileges • Service registration • Database account privileges • Remote share permissions • TS breakouts to OS • Citrix breakouts to OS
  • 36. Testing the Application: Configurations Tool Description windows-privesc- Check privileges on servers and associated program directories, and manually check check for insecurely registered services. Citrix Client Used to connect to Citrix applications. Data Source (ODBC) Look for existing ODBC connection and use tools like excel to leverage them. Administrative Tool Services.msc, Review application services for insecure registration, binary paths, and windows-privesc- determine users who is running the service. check SQL Clients Used to connect directly to the database. Examples include OSQL, ISQL, SQLCMD, RAZOR SQL,TOAD, Microsoft SQL Management Studio Express. Windows Explorer and Access Windows dialog boxes to obtain access to a cmd console or common dialog boxes Powershell. Target links, shortcuts, open file functions, export functions, import functions, and reporting functions. Help menus and verbose error pages can also be handy.
  • 37. Vulnerability Categories 1. Application Logic 2. Code Injection 3. Excessive Privileges 4. Unencrypted Storage of Sensitive Data 5. Unencrypted Transmission of Sensitive Data 6. Weak Encryption Implementations 7. Weak Assembly Controls 8. Weak GUI Controls 9. Weak or Default Passwords
  • 38. Reporting Stuff • Create severity ranking system based on static criteria • Internally, criteria should take compensating controls into consideration • Prioritize findings based on ranking system • Include instructions or screen shots to help reproduce and fix issues • Don’t forget recommendations
  • 39. Wrap Up • General Summary ‒ Attack thick applications and related infrastructure from many vectors using many tools ‒ Managed code suffers from inherent weaknesses that can’t be fixed and is easier to attack • General Advice ‒ Never store sensitive anything in an assembly ‒ If something sensitive “must” be stored in an assembly use unmanaged coding languages like C and C++ ‒ Be very careful to implement sufficient controls when deploying thick applications via terminal services or Citrix