SlideShare una empresa de Scribd logo

Everyone Matters In Infosec 2014

Descargar como PPTX, PDF
M
Micah Hoffman

Presentation about how everyone, no matter what their role in securing an organizing is, can make a difference. Sometimes it is about taking a little vulnerability like the IIS Tilde Directory Enumeration vulnerability and making a better exploitation tool. Or perhaps contributing in other ways.

Tecnología
1 de 17
Everyone matters in infosec IIS TILDE ENUMERATION (RE)EXPLOITED Micah Hoffman @WebBreacher EVERYONE MATTERS IN INFOSEC 1
Who am I? ◦ Infosec Engineer / Pentester ◦ NoVA Hacker ◦ PwnWiki.io Curator ◦ Recon-ng module Writer ◦ SANS Instructor (SEC542) ◦ Hiker / Backpacker Micah Hoffman @WebBreacher EVERYONE MATTERS IN INFOSEC 2 Novahackers.com
Sometimes it is the little things… Micah Hoffman @WebBreacher EVERYONE MATTERS IN INFOSEC 3
We can all contribute Micah Hoffman @WebBreacher EVERYONE MATTERS IN INFOSEC 4 System Admins Management Developers Testers Database Admins Students
Ask yourself…. Micah Hoffman @WebBreacher EVERYONE MATTERS IN INFOSEC 5
Low Risk Web Vulnerabilities Things not directly exploitable Information Leakage ◦ Directory Listings ◦ Detailed Errors ◦ Configuration Pages ◦ IIS Tilde Enumeration Micah Hoffman @WebBreacher EVERYONE MATTERS IN INFOSEC 6
What is this vuln? IIS Tilde Enumeration Vulnerability ◦ Use HTTP response codes (400 or 404) to determine if a certain file/dir is on the system http://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability _feature.pdf Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 7
An example Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 8 When completed, 8.3 file names are revealed (ex., docume~1.htm) From the original PDF report…
Tilde Java POC Scanner Pros ◦ POC that there is a vuln ◦ Free on Google Code ◦ Fast Cons ◦ Java ◦ Not recursive ◦ Only gives 8.3 names ◦ Can’t surf to 8.3 files = Low Risk Vuln Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 9
How can we do it better? Make it in Python Guess the file and dir names using wordlists ◦ Get us real, full file and dir names Recursivenessitivity ◦ Go deep Verbosity ◦ Show me whatcha finding ◦ Gimme response sizes (reduce False Positives) Rate limiting for those ‘fragile’ systems Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 10
tilde_enum.py Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 11 $ ./tilde_enum.py -u http://iis /pentest/fuzzdb/discovery/predictableres/raft-small-words- lowercase.txt [-] Testing with dummy file request http://iis/lJP7ROxEoS.htm [-] URLNotThere -> HTTP Code: 404, Response Length: 1635 [-] Testing with user-submitted http://iis [-] URLUser -> HTTP Code: 200, Response Length: 1433 [+] The server is reporting that it is IIS (Microsoft- IIS/6.0). [+] The server is vulnerable to the tilde enumeration vulnerability (IIS/5|6.x).. [+] Found a new directory: docume [+] Found a new directory: javasc [+] Found file: parame . xml [+] Found file: 765432 . htm [+] Found file: _vti_i . htm [+] Found a new directory: _vti_s [-] Finished doing the 8.3 enumeration for /.
tilde_enum.py (con’t) Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 12 ---------- FINAL OUTPUT ------------------------------ [*] We found files for you to look at: [*] http://iis/_vti_inf.html - Size 1754 [*] http://iis/documentation/advertising.html - Size 227 [*] http://iis/documentation/default.aspx - Size 1433 [*] http://iis/javascript/321.xlsx - Size 227 [*] http://iis/parameter.xml - Size 1307 [*] Here are all the 8.3 names we found. [*] If any of these are 6 chars and look like they [snip] [*] http://iis/documentation/advert~1.htm [*] http://iis/documentation/defaul~1.asp [*] http://iis/765432~1.htm [*] http://iis/_vti_i~1.htm [*] http://iis/parame~1.xml [*] http://iis/javascript/321~1.xls
Demo 13Micah Hoffman @WebBreacher IIS TILDE ENUMERATION
Shortcomings…for now Doesn’t find all the files ◦ < 3 char file names ◦ ab.htm->abJHG7.htm ◦ Some other files are just missed ◦ Odd file names (test.htm.bak, Copy of micah.html) ◦ Words not in the word list Can DoS fragile servers Needs more ‘real-world’ testing No IIS7.x yet Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 14
Future Features Better file/dir detection Peek into authentication-required dirs Pull back file content and store locally IIS7 support Your suggestions Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 15
Continue to… Investigate the mysteries Ask questions ◦ What if? ◦ Reach out to others Share / Give back Challenge yourself ◦ Enhance your tools / processes / skills ◦ Don’t settle  Create! Micah Hoffman @WebBreacher EVERYONE MATTERS IN INFOSEC 16
Questions? https://github.com/WebBreacher/tilde_enum EVERYONE MATTERS IN INFOSEC 17Micah Hoffman @WebBreacher

Recomendados

Kali kinux1
Kali kinux1Kali kinux1
Kali kinux1Mohammad Mafi
 
IIS Tilde Enumeration Vulnerability
IIS Tilde Enumeration VulnerabilityIIS Tilde Enumeration Vulnerability
IIS Tilde Enumeration VulnerabilityMicah Hoffman
 
SANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedSANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedMicah Hoffman
 
Anatomy of a Cloud Hack
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud HackNotSoSecure Global Services
 
Securing Hadoop with OSSEC
Securing Hadoop with OSSECSecuring Hadoop with OSSEC
Securing Hadoop with OSSECVic Hargrave
 
20+ Ways To Bypass Your Macos Privacy Mechanisms
20+ Ways To Bypass Your Macos Privacy Mechanisms20+ Ways To Bypass Your Macos Privacy Mechanisms
20+ Ways To Bypass Your Macos Privacy MechanismsSecuRing
 
DEVNET-2003 Coding 203: Python - User Input, File I/O, Logging and REST API C...
DEVNET-2003 Coding 203: Python - User Input, File I/O, Logging and REST API C...DEVNET-2003 Coding 203: Python - User Input, File I/O, Logging and REST API C...
DEVNET-2003 Coding 203: Python - User Input, File I/O, Logging and REST API C...Cisco DevNet
 
Nessus and Reporting Karma
Nessus and Reporting KarmaNessus and Reporting Karma
Nessus and Reporting Karman|u - The Open Security Community
 

Recomendados

Kali kinux1
Kali kinux1Kali kinux1
Kali kinux1Mohammad Mafi
 
IIS Tilde Enumeration Vulnerability
IIS Tilde Enumeration VulnerabilityIIS Tilde Enumeration Vulnerability
IIS Tilde Enumeration VulnerabilityMicah Hoffman
 
SANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedSANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedMicah Hoffman
 
Anatomy of a Cloud Hack
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud HackNotSoSecure Global Services
 
Securing Hadoop with OSSEC
Securing Hadoop with OSSECSecuring Hadoop with OSSEC
Securing Hadoop with OSSECVic Hargrave
 
20+ Ways To Bypass Your Macos Privacy Mechanisms
20+ Ways To Bypass Your Macos Privacy Mechanisms20+ Ways To Bypass Your Macos Privacy Mechanisms
20+ Ways To Bypass Your Macos Privacy MechanismsSecuRing
 
DEVNET-2003 Coding 203: Python - User Input, File I/O, Logging and REST API C...
DEVNET-2003 Coding 203: Python - User Input, File I/O, Logging and REST API C...DEVNET-2003 Coding 203: Python - User Input, File I/O, Logging and REST API C...
DEVNET-2003 Coding 203: Python - User Input, File I/O, Logging and REST API C...Cisco DevNet
 
Nessus and Reporting Karma
Nessus and Reporting KarmaNessus and Reporting Karma
Nessus and Reporting Karman|u - The Open Security Community
 
Windows 8 fuzz
Windows 8 fuzzWindows 8 fuzz
Windows 8 fuzzOlav Tvedt
 
Injection flaw teaser
Injection flaw teaserInjection flaw teaser
Injection flaw teaserNotSoSecure Global Services
 
[Wroclaw #7] Why So Serial?
[Wroclaw #7] Why So Serial?[Wroclaw #7] Why So Serial?
[Wroclaw #7] Why So Serial?OWASP
 
iThome CyberSec2021 Container Security
iThome CyberSec2021 Container SecurityiThome CyberSec2021 Container Security
iThome CyberSec2021 Container SecurityJie Liau
 
Dan Catalin Vasile - Hacking the Wordpress Ecosystem
Dan Catalin Vasile - Hacking the Wordpress EcosystemDan Catalin Vasile - Hacking the Wordpress Ecosystem
Dan Catalin Vasile - Hacking the Wordpress EcosystemDan Vasile
 
WordPress Security Implementation Guideline - Presentation for OWASP Romania ...
WordPress Security Implementation Guideline - Presentation for OWASP Romania ...WordPress Security Implementation Guideline - Presentation for OWASP Romania ...
WordPress Security Implementation Guideline - Presentation for OWASP Romania ...Dan Vasile
 
Protecting Your Internet Route Integrity
Protecting Your Internet Route IntegrityProtecting Your Internet Route Integrity
Protecting Your Internet Route IntegrityJie Liau
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationNull bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationAnant Shrivastava
 
Dan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hacker
Dan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hackerDan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hacker
Dan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hackerDan Vasile
 
Présentation et démo ELK/SIEM/Wazuh
Présentation et démo ELK/SIEM/Wazuh Présentation et démo ELK/SIEM/Wazuh
Présentation et démo ELK/SIEM/Wazuh clevernetsystemsgeneva
 
Are you ready to be hacked?
Are you ready to be hacked?Are you ready to be hacked?
Are you ready to be hacked?Daniel Kanchev
 
Pentesting iOS Apps
Pentesting iOS AppsPentesting iOS Apps
Pentesting iOS AppsHerman Duarte
 
Lateral Movement with PowerShell
Lateral Movement with PowerShellLateral Movement with PowerShell
Lateral Movement with PowerShellkieranjacobsen
 
Automated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSSAutomated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSSSonatype
 
Fatcat Automatic Web SQL Injector by Sandeep Kamble
Fatcat Automatic Web SQL Injector by Sandeep KambleFatcat Automatic Web SQL Injector by Sandeep Kamble
Fatcat Automatic Web SQL Injector by Sandeep KambleClubHack
 
My tryst with sourcecode review
My tryst with sourcecode reviewMy tryst with sourcecode review
My tryst with sourcecode reviewAnant Shrivastava
 
Apache Struts2 CVE-2017-5638
Apache Struts2 CVE-2017-5638Apache Struts2 CVE-2017-5638
Apache Struts2 CVE-2017-5638Riyaz Walikar
 
Web Application firewall-Mod security
Web Application firewall-Mod securityWeb Application firewall-Mod security
Web Application firewall-Mod securityRomansh Yadav
 
Prepare to defend thyself with Blue/Green
Prepare to defend thyself with Blue/GreenPrepare to defend thyself with Blue/Green
Prepare to defend thyself with Blue/GreenSonatype
 
Mod security
Mod securityMod security
Mod securityShruthi Kamath
 
Top 10 Mentor Tips
Top 10 Mentor TipsTop 10 Mentor Tips
Top 10 Mentor TipsMicah Hoffman
 
Audit
AuditAudit
AuditMark Ellzey Thomas
 

Más contenido relacionado

La actualidad más candente

Windows 8 fuzz
Windows 8 fuzzWindows 8 fuzz
Windows 8 fuzzOlav Tvedt
 
[Wroclaw #7] Why So Serial?
[Wroclaw #7] Why So Serial?[Wroclaw #7] Why So Serial?
[Wroclaw #7] Why So Serial?OWASP
 
iThome CyberSec2021 Container Security
iThome CyberSec2021 Container SecurityiThome CyberSec2021 Container Security
iThome CyberSec2021 Container SecurityJie Liau
 
Dan Catalin Vasile - Hacking the Wordpress Ecosystem
Dan Catalin Vasile - Hacking the Wordpress EcosystemDan Catalin Vasile - Hacking the Wordpress Ecosystem
Dan Catalin Vasile - Hacking the Wordpress EcosystemDan Vasile
 
WordPress Security Implementation Guideline - Presentation for OWASP Romania ...
WordPress Security Implementation Guideline - Presentation for OWASP Romania ...WordPress Security Implementation Guideline - Presentation for OWASP Romania ...
WordPress Security Implementation Guideline - Presentation for OWASP Romania ...Dan Vasile
 
Protecting Your Internet Route Integrity
Protecting Your Internet Route IntegrityProtecting Your Internet Route Integrity
Protecting Your Internet Route IntegrityJie Liau
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationNull bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationAnant Shrivastava
 
Dan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hacker
Dan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hackerDan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hacker
Dan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hackerDan Vasile
 
Présentation et démo ELK/SIEM/Wazuh
Présentation et démo ELK/SIEM/Wazuh Présentation et démo ELK/SIEM/Wazuh
Présentation et démo ELK/SIEM/Wazuh clevernetsystemsgeneva
 
Are you ready to be hacked?
Are you ready to be hacked?Are you ready to be hacked?
Are you ready to be hacked?Daniel Kanchev
 
Lateral Movement with PowerShell
Lateral Movement with PowerShellLateral Movement with PowerShell
Lateral Movement with PowerShellkieranjacobsen
 
Automated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSSAutomated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSSSonatype
 
Fatcat Automatic Web SQL Injector by Sandeep Kamble
Fatcat Automatic Web SQL Injector by Sandeep KambleFatcat Automatic Web SQL Injector by Sandeep Kamble
Fatcat Automatic Web SQL Injector by Sandeep KambleClubHack
 
My tryst with sourcecode review
My tryst with sourcecode reviewMy tryst with sourcecode review
My tryst with sourcecode reviewAnant Shrivastava
 
Apache Struts2 CVE-2017-5638
Apache Struts2 CVE-2017-5638Apache Struts2 CVE-2017-5638
Apache Struts2 CVE-2017-5638Riyaz Walikar
 
Web Application firewall-Mod security
Web Application firewall-Mod securityWeb Application firewall-Mod security
Web Application firewall-Mod securityRomansh Yadav
 
Prepare to defend thyself with Blue/Green
Prepare to defend thyself with Blue/GreenPrepare to defend thyself with Blue/Green
Prepare to defend thyself with Blue/GreenSonatype
 

La actualidad más candente (20)

Windows 8 fuzz
Windows 8 fuzzWindows 8 fuzz
Windows 8 fuzz
 
Injection flaw teaser
Injection flaw teaserInjection flaw teaser
Injection flaw teaser
 
[Wroclaw #7] Why So Serial?
[Wroclaw #7] Why So Serial?[Wroclaw #7] Why So Serial?
[Wroclaw #7] Why So Serial?
 
iThome CyberSec2021 Container Security
iThome CyberSec2021 Container SecurityiThome CyberSec2021 Container Security
iThome CyberSec2021 Container Security
 
Dan Catalin Vasile - Hacking the Wordpress Ecosystem
Dan Catalin Vasile - Hacking the Wordpress EcosystemDan Catalin Vasile - Hacking the Wordpress Ecosystem
Dan Catalin Vasile - Hacking the Wordpress Ecosystem
 
WordPress Security Implementation Guideline - Presentation for OWASP Romania ...
WordPress Security Implementation Guideline - Presentation for OWASP Romania ...WordPress Security Implementation Guideline - Presentation for OWASP Romania ...
WordPress Security Implementation Guideline - Presentation for OWASP Romania ...
 
Protecting Your Internet Route Integrity
Protecting Your Internet Route IntegrityProtecting Your Internet Route Integrity
Protecting Your Internet Route Integrity
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationNull bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web Application
 
Dan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hacker
Dan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hackerDan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hacker
Dan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hacker
 
Présentation et démo ELK/SIEM/Wazuh
Présentation et démo ELK/SIEM/Wazuh Présentation et démo ELK/SIEM/Wazuh
Présentation et démo ELK/SIEM/Wazuh
 
Are you ready to be hacked?
Are you ready to be hacked?Are you ready to be hacked?
Are you ready to be hacked?
 
Pentesting iOS Apps
Pentesting iOS AppsPentesting iOS Apps
Pentesting iOS Apps
 
Lateral Movement with PowerShell
Lateral Movement with PowerShellLateral Movement with PowerShell
Lateral Movement with PowerShell
 
Automated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSSAutomated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSS
 
Fatcat Automatic Web SQL Injector by Sandeep Kamble
Fatcat Automatic Web SQL Injector by Sandeep KambleFatcat Automatic Web SQL Injector by Sandeep Kamble
Fatcat Automatic Web SQL Injector by Sandeep Kamble
 
My tryst with sourcecode review
My tryst with sourcecode reviewMy tryst with sourcecode review
My tryst with sourcecode review
 
Apache Struts2 CVE-2017-5638
Apache Struts2 CVE-2017-5638Apache Struts2 CVE-2017-5638
Apache Struts2 CVE-2017-5638
 
Web Application firewall-Mod security
Web Application firewall-Mod securityWeb Application firewall-Mod security
Web Application firewall-Mod security
 
Prepare to defend thyself with Blue/Green
Prepare to defend thyself with Blue/GreenPrepare to defend thyself with Blue/Green
Prepare to defend thyself with Blue/Green
 
Mod security
Mod securityMod security
Mod security
 

Destacado

Protecting confidential files using SE-Linux
Protecting confidential files using SE-LinuxProtecting confidential files using SE-Linux
Protecting confidential files using SE-LinuxGiuseppe Paterno'
 
SHOWDOWN: Threat Stack vs. Red Hat AuditD
SHOWDOWN: Threat Stack vs. Red Hat AuditDSHOWDOWN: Threat Stack vs. Red Hat AuditD
SHOWDOWN: Threat Stack vs. Red Hat AuditDThreat Stack
 
How To Train Your Python
How To Train Your PythonHow To Train Your Python
How To Train Your PythonJordi Riera
 
Open Audit
Open AuditOpen Audit
Open Auditncspa
 
Bringing Infosec Into The Devops Tribe: Q&A With Gene Kim and Pete Cheslock
Bringing Infosec Into The Devops Tribe: Q&A With Gene Kim and Pete CheslockBringing Infosec Into The Devops Tribe: Q&A With Gene Kim and Pete Cheslock
Bringing Infosec Into The Devops Tribe: Q&A With Gene Kim and Pete CheslockThreat Stack
 
Dealing with Linux Malware
Dealing with Linux MalwareDealing with Linux Malware
Dealing with Linux MalwareMichael Boelen
 
Whitepaper: User Audit Options for Linux and Solaris
Whitepaper: User Audit Options for Linux and SolarisWhitepaper: User Audit Options for Linux and Solaris
Whitepaper: User Audit Options for Linux and SolarisObserveIT
 
MySQL Day Paris 2016 - MySQL Enterprise Edition
MySQL Day Paris 2016 - MySQL Enterprise EditionMySQL Day Paris 2016 - MySQL Enterprise Edition
MySQL Day Paris 2016 - MySQL Enterprise EditionOlivier DASINI
 
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security OverviewShawn Wells
 
Network Security and Analysis with Python
Network Security and Analysis with PythonNetwork Security and Analysis with Python
Network Security and Analysis with Pythonpycontw
 
Linux Security Scanning with Lynis
Linux Security Scanning with LynisLinux Security Scanning with Lynis
Linux Security Scanning with LynisMichael Boelen
 
Handling of compromised Linux systems
Handling of compromised Linux systemsHandling of compromised Linux systems
Handling of compromised Linux systemsMichael Boelen
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration TestersNikhil Mittal
 
Linux Security for Developers
Linux Security for DevelopersLinux Security for Developers
Linux Security for DevelopersMichael Boelen
 
PowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationWill Schroeder
 

Destacado (20)

Top 10 Mentor Tips
Top 10 Mentor TipsTop 10 Mentor Tips
Top 10 Mentor Tips
 
Audit
AuditAudit
Audit
 
Protecting confidential files using SE-Linux
Protecting confidential files using SE-LinuxProtecting confidential files using SE-Linux
Protecting confidential files using SE-Linux
 
SHOWDOWN: Threat Stack vs. Red Hat AuditD
SHOWDOWN: Threat Stack vs. Red Hat AuditDSHOWDOWN: Threat Stack vs. Red Hat AuditD
SHOWDOWN: Threat Stack vs. Red Hat AuditD
 
Linux audit framework
Linux audit frameworkLinux audit framework
Linux audit framework
 
How To Train Your Python
How To Train Your PythonHow To Train Your Python
How To Train Your Python
 
Open Audit
Open AuditOpen Audit
Open Audit
 
Bringing Infosec Into The Devops Tribe: Q&A With Gene Kim and Pete Cheslock
Bringing Infosec Into The Devops Tribe: Q&A With Gene Kim and Pete CheslockBringing Infosec Into The Devops Tribe: Q&A With Gene Kim and Pete Cheslock
Bringing Infosec Into The Devops Tribe: Q&A With Gene Kim and Pete Cheslock
 
Dealing with Linux Malware
Dealing with Linux MalwareDealing with Linux Malware
Dealing with Linux Malware
 
Whitepaper: User Audit Options for Linux and Solaris
Whitepaper: User Audit Options for Linux and SolarisWhitepaper: User Audit Options for Linux and Solaris
Whitepaper: User Audit Options for Linux and Solaris
 
Python build your security tools.pdf
Python build your security tools.pdfPython build your security tools.pdf
Python build your security tools.pdf
 
MySQL Day Paris 2016 - MySQL Enterprise Edition
MySQL Day Paris 2016 - MySQL Enterprise EditionMySQL Day Paris 2016 - MySQL Enterprise Edition
MySQL Day Paris 2016 - MySQL Enterprise Edition
 
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
 
Network Security and Analysis with Python
Network Security and Analysis with PythonNetwork Security and Analysis with Python
Network Security and Analysis with Python
 
Linux Security Scanning with Lynis
Linux Security Scanning with LynisLinux Security Scanning with Lynis
Linux Security Scanning with Lynis
 
Handling of compromised Linux systems
Handling of compromised Linux systemsHandling of compromised Linux systems
Handling of compromised Linux systems
 
Linux Hardening
Linux HardeningLinux Hardening
Linux Hardening
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration Testers
 
Linux Security for Developers
Linux Security for DevelopersLinux Security for Developers
Linux Security for Developers
 
PowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege Escalation
 

Similar a Everyone Matters In Infosec 2014

Fix me if you can - DrupalCon prague
Fix me if you can - DrupalCon pragueFix me if you can - DrupalCon prague
Fix me if you can - DrupalCon praguehernanibf
 
The latest, ultimative final ver­sion, current release, approved, last minute...
The latest, ultimative final ver­sion, current release, approved, last minute...The latest, ultimative final ver­sion, current release, approved, last minute...
The latest, ultimative final ver­sion, current release, approved, last minute...Martin Leyrer
 
The Latest, Ultimative Final Version, Current Release, Approved, Last Minute ...
The Latest, Ultimative Final Version, Current Release, Approved, Last Minute ...The Latest, Ultimative Final Version, Current Release, Approved, Last Minute ...
The Latest, Ultimative Final Version, Current Release, Approved, Last Minute ...LetsConnect
 
The-Power-Of-Recon (1)-poerfulo.pptx.pdf
The-Power-Of-Recon (1)-poerfulo.pptx.pdfThe-Power-Of-Recon (1)-poerfulo.pptx.pdf
The-Power-Of-Recon (1)-poerfulo.pptx.pdfnezidsilva
 
Workshop KrakYourNet2016 - Web applications hacking Ruby on Rails example
Workshop KrakYourNet2016 - Web applications hacking Ruby on Rails example Workshop KrakYourNet2016 - Web applications hacking Ruby on Rails example
Workshop KrakYourNet2016 - Web applications hacking Ruby on Rails example Anna Klepacka
 
RoR Workshop - Web applications hacking - Ruby on Rails example
RoR Workshop - Web applications hacking - Ruby on Rails exampleRoR Workshop - Web applications hacking - Ruby on Rails example
RoR Workshop - Web applications hacking - Ruby on Rails exampleRailwaymen
 
PowerPoint Presentation
PowerPoint PresentationPowerPoint Presentation
PowerPoint Presentationwebhostingguy
 
IIS for Developers
IIS for DevelopersIIS for Developers
IIS for DevelopersIdo Flatow
 
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptxThe Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptxlior mazor
 
The Silence of the Installers
The Silence of the InstallersThe Silence of the Installers
The Silence of the InstallersKlaus Bild
 
Drupal Security Seminar
Drupal Security SeminarDrupal Security Seminar
Drupal Security SeminarCalibrate
 
Application and Server Security
Application and Server SecurityApplication and Server Security
Application and Server SecurityBrian Pontarelli
 
A Byte of Software Deployment
A Byte of Software DeploymentA Byte of Software Deployment
A Byte of Software DeploymentGong Haibing
 

Similar a Everyone Matters In Infosec 2014 (20)

Javacro 2014 Spring Security 3 Speech
Javacro 2014 Spring Security 3 SpeechJavacro 2014 Spring Security 3 Speech
Javacro 2014 Spring Security 3 Speech
 
IIS Web Ecosystem
IIS Web EcosystemIIS Web Ecosystem
IIS Web Ecosystem
 
Fix me if you can - DrupalCon prague
Fix me if you can - DrupalCon pragueFix me if you can - DrupalCon prague
Fix me if you can - DrupalCon prague
 
The latest, ultimative final ver­sion, current release, approved, last minute...
The latest, ultimative final ver­sion, current release, approved, last minute...The latest, ultimative final ver­sion, current release, approved, last minute...
The latest, ultimative final ver­sion, current release, approved, last minute...
 
The Latest, Ultimative Final Version, Current Release, Approved, Last Minute ...
The Latest, Ultimative Final Version, Current Release, Approved, Last Minute ...The Latest, Ultimative Final Version, Current Release, Approved, Last Minute ...
The Latest, Ultimative Final Version, Current Release, Approved, Last Minute ...
 
The-Power-Of-Recon (1)-poerfulo.pptx.pdf
The-Power-Of-Recon (1)-poerfulo.pptx.pdfThe-Power-Of-Recon (1)-poerfulo.pptx.pdf
The-Power-Of-Recon (1)-poerfulo.pptx.pdf
 
Workshop KrakYourNet2016 - Web applications hacking Ruby on Rails example
Workshop KrakYourNet2016 - Web applications hacking Ruby on Rails example Workshop KrakYourNet2016 - Web applications hacking Ruby on Rails example
Workshop KrakYourNet2016 - Web applications hacking Ruby on Rails example
 
RoR Workshop - Web applications hacking - Ruby on Rails example
RoR Workshop - Web applications hacking - Ruby on Rails exampleRoR Workshop - Web applications hacking - Ruby on Rails example
RoR Workshop - Web applications hacking - Ruby on Rails example
 
PowerPoint Presentation
PowerPoint PresentationPowerPoint Presentation
PowerPoint Presentation
 
IIS for Developers
IIS for DevelopersIIS for Developers
IIS for Developers
 
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptxThe Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
 
The Silence of the Installers
The Silence of the InstallersThe Silence of the Installers
The Silence of the Installers
 
Drupal Security Seminar
Drupal Security SeminarDrupal Security Seminar
Drupal Security Seminar
 
Anatomy of a Drupal Hack - TechKnowFile 2014
Anatomy of a Drupal Hack - TechKnowFile 2014Anatomy of a Drupal Hack - TechKnowFile 2014
Anatomy of a Drupal Hack - TechKnowFile 2014
 
Application and Server Security
Application and Server SecurityApplication and Server Security
Application and Server Security
 
IIS-Settings
IIS-SettingsIIS-Settings
IIS-Settings
 
Codeigniter
CodeigniterCodeigniter
Codeigniter
 
A Byte of Software Deployment
A Byte of Software DeploymentA Byte of Software Deployment
A Byte of Software Deployment
 
Php Presentation
Php PresentationPhp Presentation
Php Presentation
 
Implementing ossec
Implementing ossecImplementing ossec
Implementing ossec
 

Último

Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 

Último (20)

Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 

Everyone Matters In Infosec 2014

  • 1. Everyone matters in infosec IIS TILDE ENUMERATION (RE)EXPLOITED Micah Hoffman @WebBreacher EVERYONE MATTERS IN INFOSEC 1
  • 2. Who am I? ◦ Infosec Engineer / Pentester ◦ NoVA Hacker ◦ PwnWiki.io Curator ◦ Recon-ng module Writer ◦ SANS Instructor (SEC542) ◦ Hiker / Backpacker Micah Hoffman @WebBreacher EVERYONE MATTERS IN INFOSEC 2 Novahackers.com
  • 3. Sometimes it is the little things… Micah Hoffman @WebBreacher EVERYONE MATTERS IN INFOSEC 3
  • 4. We can all contribute Micah Hoffman @WebBreacher EVERYONE MATTERS IN INFOSEC 4 System Admins Management Developers Testers Database Admins Students
  • 5. Ask yourself…. Micah Hoffman @WebBreacher EVERYONE MATTERS IN INFOSEC 5
  • 6. Low Risk Web Vulnerabilities Things not directly exploitable Information Leakage ◦ Directory Listings ◦ Detailed Errors ◦ Configuration Pages ◦ IIS Tilde Enumeration Micah Hoffman @WebBreacher EVERYONE MATTERS IN INFOSEC 6
  • 7. What is this vuln? IIS Tilde Enumeration Vulnerability ◦ Use HTTP response codes (400 or 404) to determine if a certain file/dir is on the system http://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability _feature.pdf Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 7
  • 8. An example Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 8 When completed, 8.3 file names are revealed (ex., docume~1.htm) From the original PDF report…
  • 9. Tilde Java POC Scanner Pros ◦ POC that there is a vuln ◦ Free on Google Code ◦ Fast Cons ◦ Java ◦ Not recursive ◦ Only gives 8.3 names ◦ Can’t surf to 8.3 files = Low Risk Vuln Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 9
  • 10. How can we do it better? Make it in Python Guess the file and dir names using wordlists ◦ Get us real, full file and dir names Recursivenessitivity ◦ Go deep Verbosity ◦ Show me whatcha finding ◦ Gimme response sizes (reduce False Positives) Rate limiting for those ‘fragile’ systems Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 10
  • 11. tilde_enum.py Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 11 $ ./tilde_enum.py -u http://iis /pentest/fuzzdb/discovery/predictableres/raft-small-words- lowercase.txt [-] Testing with dummy file request http://iis/lJP7ROxEoS.htm [-] URLNotThere -> HTTP Code: 404, Response Length: 1635 [-] Testing with user-submitted http://iis [-] URLUser -> HTTP Code: 200, Response Length: 1433 [+] The server is reporting that it is IIS (Microsoft- IIS/6.0). [+] The server is vulnerable to the tilde enumeration vulnerability (IIS/5|6.x).. [+] Found a new directory: docume [+] Found a new directory: javasc [+] Found file: parame . xml [+] Found file: 765432 . htm [+] Found file: _vti_i . htm [+] Found a new directory: _vti_s [-] Finished doing the 8.3 enumeration for /.
  • 12. tilde_enum.py (con’t) Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 12 ---------- FINAL OUTPUT ------------------------------ [*] We found files for you to look at: [*] http://iis/_vti_inf.html - Size 1754 [*] http://iis/documentation/advertising.html - Size 227 [*] http://iis/documentation/default.aspx - Size 1433 [*] http://iis/javascript/321.xlsx - Size 227 [*] http://iis/parameter.xml - Size 1307 [*] Here are all the 8.3 names we found. [*] If any of these are 6 chars and look like they [snip] [*] http://iis/documentation/advert~1.htm [*] http://iis/documentation/defaul~1.asp [*] http://iis/765432~1.htm [*] http://iis/_vti_i~1.htm [*] http://iis/parame~1.xml [*] http://iis/javascript/321~1.xls
  • 13. Demo 13Micah Hoffman @WebBreacher IIS TILDE ENUMERATION
  • 14. Shortcomings…for now Doesn’t find all the files ◦ < 3 char file names ◦ ab.htm->abJHG7.htm ◦ Some other files are just missed ◦ Odd file names (test.htm.bak, Copy of micah.html) ◦ Words not in the word list Can DoS fragile servers Needs more ‘real-world’ testing No IIS7.x yet Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 14
  • 15. Future Features Better file/dir detection Peek into authentication-required dirs Pull back file content and store locally IIS7 support Your suggestions Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 15
  • 16. Continue to… Investigate the mysteries Ask questions ◦ What if? ◦ Reach out to others Share / Give back Challenge yourself ◦ Enhance your tools / processes / skills ◦ Don’t settle  Create! Micah Hoffman @WebBreacher EVERYONE MATTERS IN INFOSEC 16

Notas del editor

  1. Every start something out that you thought was one thing and morphed to another? Yeah, that is this talk.
  2. As a senior infosec engineer, I mentor junior staff.They ask “How can I contribute?” “What can I do…I don’t have my [insert cert here]?”I tell them…
  3. This is so true!I’ve been backpacking and had that annoying buzzing in my tent. I didn’t sleep at all.Same is true for vulnerabilities. Sometimes the small ones matter the most. Don’t ignore them.