Defcon 18 - You spent all that money and you still got owned - Joseph McCray - Part .mov

Captions
All right, as usual, just like last year, I can't believe people actually come to watch me talk. Last year it was, what, 10:00 in the morning on Sunday, and I figured, like, I'm hungover, who's going to be here to watch me? And then Sunday at 4:00 I'm like, [bleep] it, I wanted to fly home today, who, you know... But hey, for everybody who did come out, thanks, I really appreciate it. And just like last year and every year, you know, I've been coming to Def Con, I love this [bleep], man, so I really appreciate everybody came out.

All right, so this year's talk is "You spent all that money and you still got owned." So I've been doing a lot of pen testing, and I'm going all over to all these different countries and pen testing, and I'm running up against all these different defensive things, you know, application firewalls, WAFs, and IPSs and NAC solutions, and we're still giving them the beatdown, like, pretty freaking bad. And then in a lot of cases I roll out and I get into the middle of the pen test and it turns into incident response. It's like, dude, you're already owned, you know. So that was kind of the topic of this. So let's do it.

So who am I? Network application pen tester dude, trainer, aka the black guy at security conferences. Everybody always wants to know. I'm like, dude, that's me, yes, that's me. All right. And then how do I do my thing? Man, I hack, I curse, I drink. The order changes, but it's all the same, if you know. So if you don't like people who say the word [bleep], you might want to get up and leave, okay?

All right, so I always do this because, you know, it's that nostalgia, especially since I'm here at Def Con, man. Let me take you back. All right, so this is ten years I've been doing this Def Con thing, man, and for me, back in the old days, man, pen testing was easy. So we would just tell the customer, hey, dude, we're security people, and the customer might be like, oh okay, oh damn, the security people are here. And then, like, we would break out our open-source tools like Nessus. Who remembers when Nessus was free? So we would break out our [bleep], man, and it would be like, yo, they're coming in here with nmap and Nessus and all this open source stuff. And then we would go out, hit our websites like rootshell, Packet Storm. Anybody who's with me? That's what I'm talking about, right, the good old days, when you would just yank down your [bleep], compile it and be like, you know, I mean, these libraries from over here, and you know, then ./ the planet, just like drop shells everywhere. So then we would, like, take screenshots and be like, yo, man, we gave your network the beatdown, here's the report, right? And then after that it was like this: that's it. Remember? That's it, your network sucks, pay me.

Well, today, man, everybody's the CISSP, and then like the CPU guys go through this, like, the dude who hires you thinks he knows more than you, and like sometimes he actually does, but like, why'd you hire me then? So he's like, well, you know, we're doing this, we're doing this, we've got the IDS, so you got the IPS, we got the NAC, we got the WAF, we got this, we got that. So I'm rolling out there and I'm like, this is some [bleep]. So let me, let me walk you through a little story. Now anybody who does my talks knows that I always got a story. So, story: I'm testing this client about a year and a half ago. I get out there and the customer's like, okay, Joe, you've already been auditing these subnets, can I get you to go over to this subnet and do a VLAN audit on it? Okay, now have any of you ever done a VLAN audit? Okay, well, you guys are smarter than me, because I had never done one. So I'm back there, I'm like, what exactly do you want me to audit? He was like, well, audit the VLANs. So all right, I'll go over and I'll look at the config, and I'm sitting with the network admin, and they've got four... 300 users, 90 VLANs. I'm having a moment. I'm like, how the [bleep] you got 90, you ain't even got... So I'm like, all right, cool, I tell you what, let's get a little piece of paper, and I just walk from person to person. I was like, hey man, do you need this VLAN? No. Do you need this VLAN? How about this one? So I went through this VLAN audit, and then I go through all these VLANs that aren't being used. So I'm like, okay, you're not using this one, you're not using this one, you're not using this one, you're not using this one. And this is like a big, big company. So we go through and we audit all these VLANs, we do some network re-segregation and [bleep], move some [bleep] around. And now I audit one of their DMZs. Company's got four DMZs. So I audit one of the DMZs, and I'm like, yo man, these boxes, you've got a couple of boxes out here that really need some patch updates. So I go over and I tell the deputy CIO, I'm like, yeah, well, you got these boxes that need to be patched, you're missing some MySQL patches, you're missing some PHP patches, got a lot of stuff that needs to be cleaned up. So they have a meeting, because everything is a meeting. They have a meeting, and then one of the developers stands up and goes, oh no, no, no, no, no, we can't patch those, those are our development servers. And how much [bleep] is this? Since... you got your dev servers in the DMZ? Like, it gets better.

So I'm out there and I'm working with the client a little bit more, and I start to do my little pen testing and I drop a couple shells. I'm like, damn, man, this network is [bleep] up, because it's too easy to drop shells. Client says, well, how come our IDS didn't catch you? And I was like, there's an IDS? So he goes, yeah, we're being monitored by... I can't say the name, because somebody here probably worked for them. So the company had hired another company to outsource their IDS, right, to do the management, reports and all that kind of [bleep]. So we go over and we go look at the box. I'm like, what? Yo, man, do I have creds on the box? Mind if I just take a quick look? So they give me creds on the box. I try to log into this thing, and this thing takes like two minutes to log in over SSH. I'm like, what the... So I log in and I'm like, this bitch is slow as hell. So I run chkrootkit. This [bleep] got four rootkits on it. Pen testing at its finest, okay.

So what do I do when I'm up against these big companies? People are like, dude, you audit all these banks, you audit all these big companies, and really I just ask Google to help me. That's it. So first thing I do is I do a bunch of quick Google dorks. I look for SQL errors, I look for remote file includes, anything that's going to give me a quick shell, okay. I always go for the quick shell. Go for the jugular when you're on a pen test, dude. Don't do all that bitch scan [bleep], and go for the jugular, okay. So I always look for SQL injection, always look for RFIs, always look for cross-site scripting, you know, try to find that stuff right away. Then after that, start trying to do your passive recon stuff. So I try to figure out, like, okay, well, what subnets do they have, where's all this stuff located. I use this unbelievable tool called Firefox. Unbelievable, man. You would be amazed at what it can do. So PassiveRecon is one of the tools that I use, something you really got to try out. I'm sure most of you guys are already using it; definitely got to try that out. Maltego, definitely, definitely got to use that. And then the next thing I do is go look for load balancers. I run into load balancers on probably 30% of my pen tests now; it's getting real common, okay. So biggest deal for me: figure out if the box is load balanced, figure out if it's DNS or HTTP load balancing, because like I said, if you're shooting packets at it and then, you know, the load balancer is sending your packets every which way, well, it kind of makes the testing a little hard. So definitely got to figure that out first. And then once again we have that amazing tool called Firefox that helps us find that out. So throw on Live HTTP Headers and make some generic requests to the web server, see if anything within the HTTP header changes. So if your first packet you send, when you get the response it comes back and says IIS 5, you send another packet to the same box, it comes back and it says IIS 6, dude, it's probably load-balanced. Same thing with the dig command, and Netcraft. Netcraft is freaking awesome. You'll often see stuff; it'll tell you right there in it, you know, F5 BIG-IP and all of that, and you can also get the IP addresses of the load balancer itself. So that's been a real big deal for me on pen testing. Load balancer detection is a shell script that does it; halberd is a Python script that does the same thing, okay. So these are some real good things to help you figure out what is the real IP of the host that you're trying to attack if it's behind a load balancer.

All right, next thing I run into is IPSs. So it seems like everybody has an IPS; however, the overwhelming majority of my customers have it in IDS mode. Anybody else have this issue where you're like begging, turn the thing on, dude, let's block some traffic? Really? But we'll see what happens, okay. Who's of the belief that if we block some legitimate traffic, we'll make note of it and then we'll allow that, so let's block all the rest of the [bleep]? Who's with me? Okay, I'm just making sure that I'm not the only one who thinks this, right. So okay, so what I'm trying to figure out, if I'm up against an IPS, I do some real simple things, okay. I'm a Linux guy, I'm using Windows right now and I feel a little dirty, so please bear with me, okay. So first thing I break out is I break out curl, and you see that I go for a /winnt/system32/cmd.exe. Now guys, this attack has not worked since Jesus was walking the earth, let me inform you if you do not know, okay. The only reason that you're doing this is you're just trying to see if something blocks your IP address or sends you reset packets to your connection. So if this thing sends you a reset packet when you ask for cmd.exe, well, it's probably an IPS. If it blocks your IP address, it's probably an IPS. It's like unbelievable deductive reasoning here, right. So some guys from purehacking.com came up with a tool that does this, active filter detection. The Aussies in the house? So they got this figured out, really good tool. I'm working on some stuff in Python to kind of change it up and enhance it a little bit. So, you know, for those of you guys who support Python... Ruby? Any of you guys support Python, come holler at me, we're working on some [bleep]. Y'all Ruby... good. By the way, did I mention I curse? Okay.

So oftentimes I do run into IPSs. What I generally do is I just shoot, you know, from three or four IPs. So I shoot from a couple of different IPs to try and see if I get reset packets or if I get my IP blocked. So once I know I'm up against an IPS, the next thing I try to do is see if the IPS can handle SSL. So again, this is why we use Linux: just go ahead and create an xinetd file. I call it ssltest. So you see that I open it up on port 8888, and then any data that I pipe into localhost 8888 goes into this little shell script. You see it's server = sslproxy.sh. Now here you can see my mad, mad shell scripting capability. Look at that one-liner shell script. What? So the traffic goes straight into OpenSSL and then makes the connection to the target, and then sends all that same active filter detection, or, you know, cmd.exe again, trying to see if my IP gets blocked, okay. The overwhelming majority of clients that I have that do deploy an IPS and do deploy in blocking mode do not decrypt the SSL traffic prior to it passing the IDS or IPS. So that's one of the things that I really look for. If you guys are running into that, try to get your client to spend the money. Hey man, get an SSL accelerator, terminate the SSL in front of the IPS, and then let's actually start trying to decrypt it, okay.

Attack through Tor. I do this a lot. So I fire up Tor, push all my stuff through Tor and Privoxy, and then that same thing where I just push all my attacks to localhost and it pipes out through Tor. Same thing. So for this one the recommendation is get your clients to block Tor exit nodes, okay. Most companies don't have a valid reason for needing people to connect to them through privacy... sorry, I know we give a [bleep] about privacy, but companies... So tell everybody, block Tor exit nodes. That's the big thing that I'm doing with a lot of my customers. I don't have Glype proxies in here because the hangover was really affecting my ability to do slides this morning, okay.

And then the last thing that I've been running into is WAFs, web application firewalls. So because I do a lot of PCI pen testing, and some genius over at the PCI Council figured that, hey, if you have a web application vulnerability and you don't want to fix it and you deploy a WAF, you are somehow now PCI compliant for some reason, I'm pen testing a lot of WAFs now. So things with the WAFs: they're actually not that difficult to identify. Pretty much just throw any freaking character at it and this thing gives up the bitches... I go, okay, I'm a WAF. Really difficult to figure out if you're attacking a host that's behind a WAF? So you send it any special character and then the thing, like, gives you all kinds of weird things. So if you request cmd.exe and you get a Method 501 instead of a 404 File Not Found, you're probably up against Apache mod_security. Now newer versions of this, new versions of mod_security, have changed this, but who the [bleep] really upgrades their WAF? Really? So I run into this a lot still. Also another one that I run into, AQTRONIX WebKnight. You see that in the HTTP response header it gives us a response code of 999 and "No Hacking". So I run into this. If you're seeing that, you know you're up against one. You know, just start adding things to it to see what it does, and see if it gives you a 404 for a file that it should not have. You know, I request [unclear] and then I request netcat.exe, nc.exe, and I just look at the differences between them. I mean, that's it. If you send a good request that gives you a 200 OK, you send a bad request for a file that doesn't exist and then it gives you a 404, and then all of a sudden you insert something for cross-site scripting and it gives you a completely different error, you're up against some sort of defensive mechanism. Makes sense.

All right, so based on that, start playing the encoding game. So if you figure that you're up against a WAF, see if this thing handles hex, see if it handles UTF-7, UTF-8, UTF-16, Base64, or mixing of them. See how it handles the multiple encodings. Most WAFs cannot handle encoding very well, okay, especially if you start mixing the encodings together, okay. So it's a good way to try and see if you could get by the WAF, okay. Good buddies of mine, Sandro Gauci and Wendel, they wrote a tool called wafw00f, and I started contributing to it last year. I think it's the [bleep], and it's in Python. So the cool thing that we're doing here is we're fingerprinting the HTTP response headers and we're identifying web application firewalls, and I love it. So right now we've got a pretty good list, about 10 or 12 WAFs, and the list is getting bigger and bigger. The next thing that we're working on is called waffun, where we're going to work on a tool that actually brute-forces web application firewall rule sets, and it's in Python. [Music] So I'm real excited about that, guys. I really wish that we had made more progress with it, but, you know, working, drinking, working and drinking, it was kind of hard to get the tool done so that I could have a working demo. But hopefully, you know, the next couple of conferences, and next year, we'll have a working demo of waffun, so you can see the brute-forcing of WAF rule sets. I think that's going to be the [bleep], okay.

All right, so quick thing that I use: Gary O'Leary-Steele, he wrote a tool called unicode-fun, and it's great for... it's Ruby, I know, but... Ruby. So we're going to get this moved over to Python, and my tool, it's going to be in Python. So we're putting that in Python and we'll do the different encodings. We want to make a tool specifically for web application attacks that's going to be part of the WAFFIT framework. The WAFFIT framework will include waffun and wafw00f, and will specifically be working on multiple encodings and proxy awareness, so that it can jump on Tor and it can jump on Glype proxies while it's doing all these different, different things. So that's really what we're looking for, okay.

We already talked about attacking websites through Tor. I talked about this a little bit last year. I don't know if anybody here works for dotDefender, or whatever company makes dotDefender. We, we found that their ability to defend against SQL injection... how do I articulate this... sucked. So if you throw, like, right here, this is a generic cross-site scripting attack, so it's a script alert XSS, and the thing is like, danger, Will Robinson, danger, you know, we've run into cross-site scripting, and then it gives you this big message that says, dude, we blocked you. So now here I try my SQL injection with no encoding at all, and dotDefender doesn't care. So they block some SQL injection specific statements, like the word "select". This is the height of IDS and WAF technology, right: I'm going to block the word "select". So if you encoded it in Unicode, you walk right by it. So they decided to fix this last year, but they didn't fix any other encoding. So if you use any other encoding you still walk by the thing. Does anybody work for this company? If you do, please holler at me, like, when I get offstage, because that [bleep]... I don't get it, dude, okay. And yeah, that's still me dumping the admin password hash with no encoding at all against dotDefender. Sorry, dude, fix your [bleep], okay.

So biggest things that I'm doing now, getting into the... getting into the LAN from the web. Um, it's getting harder, it's getting harder, but it's still possible. So sqlninja. The dude icesurfer who wrote this tool, it's in Perl, but I'm not hating for that, because I was a Perl monkey, but I've seen the light, which is Python 3. I am gone, I'm gone, I'm gone. But his tool works really well. You can upload netcat, Meterpreter, DNS tunnel, great, great, great support for that. So I really think that's a good project, and then he's just released an upgrade not too long ago, okay. sqlmap, especially since it's in Python, rocks, okay. It allows you to upload a Meterpreter shell, and it has its own OS shell that you can drop. Freaking awesome. So you can just, you know, go right at it and it drops to where it says "os-shell" and you can just do your operating system commands, you know, ipconfig, netstat, or whatever, or you can go straight to a Meterpreter shell. I use this a lot; still works, okay.

All right, we have to focus on the important stuff. The important stuff is not getting caught, okay. We're officially going to title this section of the talk "Don't be a Tiger", okay. The goal when you're doing this is not to get caught. I don't know who thinks Tiger's a punk. Tiger's a punk, okay. Help me here: if I'm worth a billion dollars and you're a porn star, you know, I'm gonna have some people kill you if you talk, right. I'm just making it... to look... raise your hand if you would... see if I could talk it... All right, so biggest things that I run into: filter evasion. You have a lot of people who try to do all types of things. So the first thing is client-side filtering. This is bad, this is bad, this is bad, this is bad. Did I say that this is bad? This is bad. Do not use JavaScript or VBScript or anything client-side to try to filter input to your critical application. Or if you're using a framework like J2EE where your framework creates this JavaScript for you, you're going to have to write server-side code that checks to verify what's coming in from the client, okay. You just got to freaking deal with it, man. Anything that's happening on the client's machine is his. So I have to do these little lessons for developers. I'm like, okay, developer, I want you to think about this: you're going to put all the security on the hacker's laptop? What do you think, right? So guys, don't use client-side filtering. Do not use client-side filtering, okay.

All right, restricted blacklist. Oftentimes I run into people who now restrict special characters. Well, you can't send an equal sign, can't send a greater-than sign, less-than sign, or something like that. But especially with SQL syntax, you don't necessarily have to say that one equals one, because isn't one kind of like one? Two kind of like two? Rum and coke kind of like rum and coke? Just a thought. So SQL injection actually does work without special characters in a lot of cases, okay. And then the IDS. Now how many of you have this as your mousepad? Come on, I'm with the nerds, I'm with the nerds, I'm with the nerds. So you got to have your ASCII decimal chart, hex chart, break it out as your mousepad. Or, what I just learned the other night while unbelievably drunk: drop to a shell and type "man ascii". That worked. I was like, damn, drop to a shell and type "man ascii", the [bleep] is right there. Dude, that's cool. So when dealing with the IDS, okay, so we've got "alert tcp any", IP coming from any port going to our web servers on our web server ports, we're looking for specifically "' or 1=1", okay. How many hackers are we really going to catch with this one? So let's think about it. Um, does two equal two? Forty-ounce equal forty-ounce? Most definitions of... okay. So a lot of what I'm running into, when you actually take the time to sit down and read a lot of these IDS rules, you're like, good god, man. So yes, this is my opinion of IDS, okay. And you're starting to see that it really doesn't matter. I mean, you know, as people do "and" this, "and", "or", "and", and they're looking for still "1=1" or "9=9" or, you know, anything like that, you're going to find that, man, it's just a loop. It's a losing cause. And thank god sqlmap does all this obfuscation that I'm showing you up here by default, and it's in Python, okay. So the same thing that I'm showing you here where I did my "or 1", or, excuse me, "or 2", and "select user", where in this case I put the entire thing in hex, okay. You can do this in Unicode, you can do it in UTF-7, UTF-8, UTF-16, all these different, you know, encodings, doesn't matter, Base64, doesn't matter, okay. This stuff works. It works. You're getting by a lot of IDS and WAFs, okay.

Last thing, but one product in the PHP space that I think is absolutely the [bleep] is PHPIDS. I think it's coolest. Now they've got something on their website, so if you go to demo.php-ids.org they've got a smoke test, where with the smoke test you can put in all of your SQL injection, cross-site scripting, or web application attacks and it shows you what signatures it flags. So you can keep practicing your kung fu right here, like, okay, well, I tried it this way, it got flagged; I tried it this way, the number of signatures that flagged was less; and you just keep working and keep working and keep working until that bad boy finally tells you okay. That's what you got to do. So you just keep working on your kung fu and working on your kung fu until you find something that's going to bypass most of the rules. Now mod_security has teamed up with PHPIDS and they've got their own smoke test, and again I was a little hungover so I didn't add it to my slides, but they've got their own smoke test where it actually loads the mod_security CRS core rule set and PHPIDS and Snort rules all in one web interface. So you just keep throwing it in there until it bypasses all of those, and smooth sailing.

All right, so signature IDS: joke. IPS and WAFs: joke. And then at least what I'm running into, I don't really have clients who really look at it anyway. So they bought it, but looking at it, that's a different story. Now for those of you who are IDS analysts and WAF people, where you actually man the thing all day, I know I talk a lot of [bleep], but I feel your pain, because I used to do your job, and there's not enough alcohol in the world for the job that you do. All right, so right now the overwhelming majority of stuff that I'm doing is what I just showed you, getting in through the web. So like I said, you deal with the IDS, you deal with the IPS, and then pretty much it's web: remote file include, WAR file upload. Who's been giving JBoss the beatdown with the WAR file upload? That rocks. So WAR file uploads with JBoss, SQL injection, just encoding, some sort of ways that I can get into it. That usually gives me a shell, either in the LAN or in the DMZ, and I try to work from there.

After that I do the unbelievable thing and send the client email, because it works. So I send the client email. Your client-side with Metasploit is beautiful. So you just choose whatever the latest browser, PDF, ActiveX, or file format exploit is, make sure it's a reverse TCP shell, and now Metasploit has reverse HTTPS, freaking beautiful. The only bad thing about it is it's written in Ruby, okay. So a Python tool is SET. So to me, SET is some next-level [bleep]. I think, man, ReL1K is doing some unbelievable [bleep] with SET. So guys, for me, round of applause to ReL1K. This is what we need. This is what we need so that we can illustrate the point of what's going on. The hacker community does not port scan your networks anymore, and if they are port scanning your networks, those are busters anyway, they're probably not going to get a real shell, okay. Real hackers are, you know, pushing everything with, you know, these drive-by downloads and, you know, freaking email-type stuff. This is where it's going. So setting up fake websites, spear phishing and all that kind of stuff, that's the kind of thing that we've got to get clients to understand needs to happen in your pen test, okay. If you deal with the same client that I had, who just stood up and says, Joe, well, I'm not going to pay you to tell me I need user training, okay. No, man, no, you have to replicate the real threat. This is what hackers are doing. We have to replicate that threat. So client-side pen testing is where it needs to go, okay.

Pivoting into the LAN. Well, since, since the overwhelming majority of my attacks are client-side after my web stuff, pivoting into the LAN is important. So Metasploit supports the pivot. If not, I have a whole CAB file upload thing, where I upload some CAB files that have all of my executables statically compiled, so there's no install, and I just use that as my workshop to pivot into the LAN. So jump right into the LAN and start moving around from there.

Next thing that I look for is common LAN security solutions. So things that I run into: no DHCP, DHCP MAC reservations, port security, and NAC, so can't get on the network. And I'm kind of tying this together, so you've pivoted into the LAN via client-side, or you're on the internal assessment and you have to try and get on the LAN. So my kids taught me these, because they're unbelievably ineffective. So static IP addresses: I hope you don't have a client who actually says they're going to stop people by using static IPs. So we all know, steal the MAC address, we get on, right. DHCP MAC reservations: we know that we're going to steal a valid MAC and get on the network, right. Port security: you know that we're going to steal a valid MAC and get on the network. Now who does what I do, where you walk by, you, like, lift up the computer and you read the MAC address? All right, cool, now I'll go get on the network, right, okay. NAC solutions: the biggest thing that I've been doing is look for 802.1X exceptions, okay. Things that can't support 802.1X, like printers, copiers, CD-ROM towers, all that kind of stuff, is generally excluded from the NAC solution, and voice over IP phones, cough, hint, wink wink, nudge nudge. So for me, that really works with getting by this stuff. Voice over IP is, to me, the best. I'm running into a lot of clients, especially since I used to work for a switching company, I'm running into a lot of clients who use automatic provisioning, where they plug in a VoIP phone and then, based on the MAC address and VLAN tag, they automatically migrate the phone into the voice VLAN. So you can make your Linux box look like a voice over IP phone and get bumped into the voice VLAN. So this is great for getting past NAC solutions, and then generally, you know, since most of your clients... and all of your phones need to talk to the call manager, you can talk straight into the internal DMZ where all the servers are, because the call manager's right with all the other servers. It works beautifully, okay. There's a tool called VoIP Hopper that automates this. So if you guys are liking that, just jump right on VoIP Hopper, voiphopper.sourceforge.net. Jumps you right into the LAN.

All right, once I'm on the LAN, things that I generally do: I need to figure out who's the domain admin. Remember, we go for the jugular, right. Figure out who's the domain, domain admin. So that's what all these net commands are for. So see my environment variables, that's what the "set" is for. And then I do the "net view" and "net view /domain", "net user", and "net localgroup", figure out who's in what groups within the network so that we can try to attack this machine. Now if we're able to get local admin or local system, that's even better, because the next thing that I do is I look around the network for that specific user on that machine. So you just script all these different things to look around the network to figure out where that domain admin's box is, especially if you've already got local admin or local system. So you find what his box is and then jump on his box. Once you jump on his box, you can also use a PsExec shell. So once you jump on his box, that's when I start looking to escalate privileges. So escalating privileges is one of the things that I think is really hot. On Windows XP, the "at" trick still works, even up through Service Pack 3. Who uses that? "at /interactive cmd". Beautiful. So that works. And I ran into this on a bank pen test, so you see in them that I had to kill McAfee. I had to turn off the HIPS, turn off the intercept agent, turn off fire p.m., and then I had to use all this pskill to unhook all of this other stuff that's running.

Last thing that I didn't get on my slide, someone asked me about, because they were like, well, when you do that with McAfee, the first thing you need to do is escalate to system, right. Same thing works for Symantec Endpoint Protection. You have to escalate to system so that you can start trying to kill all this stuff off. So you kill all this stuff off and after a while it restarts, so you'll have to unhook the DLLs that are in memory to stop that, and I didn't put that in my slide, but if you holler at me later I'll give you the syntax to do that, okay. Another trick that I just learned about McAfee was there are names of excluded files, specifically by name, not by hash or anything like that, files that are excluded from McAfee Antivirus, so they won't be protected by the buffer overflow protection and the whole bit. I thought that was pretty beautiful, man. I can't wait to use that. So holler, I mean, if you guys want that. Yes, I thought that was sweet, okay. So killing the HIPS as system: with Metasploit now they've got something called getsystem. Rocks. So you can just write, in Metasploit, say "getsystem", and it'll pop you straight to system using one of the four methods: named pipe, token duplication, or KiTrap0D, okay. And then the last thing that for me has just been the best is owning the domain. So as soon as I can get to the admin's box, then I'll use that token stealing and just try to take his creds. So impersonate the domain admin, and then you see me create a user group and add them to the domain admins group. So for me that's been working great, okay.

Defense. All right, so everything I talked about today, I've got these, like, one-page or two-page walkthroughs of how to do the attack and how to defend against it. So if you guys want that, just holler at me, I'll give you that. A lot of customers have been asking me for a lot of that kind of stuff. Just let me know. It's too easy, I'll hook you up with that. And then if you want to get in touch with me, holler at me. Okay, that's all I gots. Anybody have any questions?
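The talk's central detection point is that a signature like "' or 1=1" misses "or 2=2", URL-encoded, double-encoded, hex-literal and comment-padded variants, while the encoding game against WAFs and the dotDefender "block the word select" example are the same weakness from the other side. The following is an added example, written for this transcript and not code from the speaker, wafw00f, PHPIDS or any other tool he names. It places a naive substring rule beside a detector that normalizes the request first (percent and %u decoding repeated until stable, hex literals, inline comments, case and whitespace) and then matches the tautology shape rather than one literal value. The payloads are constructed samples; function names are this example's own. Handling of UTF-7/UTF-16 and Base64, which the speaker also mentions, is deliberately left out, so a production engine would need those decoders as well.

```python
import re
from urllib.parse import unquote

# Constructed sample inputs (a query-string parameter value as received by the server).
SAMPLES = [
    "' or 1=1--",                    # the one literal the naive rule knows
    "' or 2=2--",                    # "isn't two kind of like two?"
    "%27%20oR%202%3D2--",            # URL-encoded, mixed case
    "%2527%2520or%25202%253D2",      # double URL-encoded
    "%u0027%20or%203%3D3",           # %u-style encoding
    "' or 0x32=0x32--",              # hex literals on both sides
    "%27/**/OR/**/'a'%3D'a",         # comments as whitespace, string tautology
    "rum and coke",                  # benign search text
    "order=2",                       # benign: "or" inside a word
]

def naive_rule(payload: str) -> bool:
    """The IDS rule from the talk: one literal, matched as a substring."""
    return "' or 1=1" in payload.lower()

def _hex_to_text(hexdigits: str) -> str:
    """Decode a 0x... literal to text; leave it alone if it is not valid hex bytes."""
    if len(hexdigits) % 2:
        return "0x" + hexdigits
    try:
        return bytes.fromhex(hexdigits).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return "0x" + hexdigits

def normalize(payload: str, max_rounds: int = 5) -> str:
    """Undo the encodings an attacker stacks before a signature is applied."""
    s = payload
    for _ in range(max_rounds):              # repeat until stable: catches double encoding
        prev = s
        s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
        s = unquote(s)                       # %XX percent-decoding
        if s == prev:
            break
    s = re.sub(r"0x([0-9a-fA-F]{2,})", lambda m: _hex_to_text(m.group(1)), s)
    s = re.sub(r"/\*.*?\*/", " ", s)         # /**/ is whitespace to the SQL parser
    s = re.sub(r"\s+", " ", s).strip().lower()
    return s

# "or <x>=<x>" where <x> is any number or word, optionally quoted: the shape, not the value.
TAUTOLOGY = re.compile(r"\bor\b\s*'?(\w+)'?\s*=\s*'?\1\b")
UNION_SELECT = re.compile(r"\bunion\b\s+(all\s+)?select\b")

def normalizing_rule(payload: str) -> bool:
    """Decode first, then look for the injection pattern rather than one literal."""
    text = normalize(payload)
    return bool(TAUTOLOGY.search(text) or UNION_SELECT.search(text))

def compare(samples=SAMPLES):
    """Return (payload, naive_hit, normalizing_hit) for each sample."""
    return [(p, naive_rule(p), normalizing_rule(p)) for p in samples]

if __name__ == "__main__":
    for payload, naive, norm in compare():
        print(f"{payload!r:32} naive={naive!s:5} normalizing={norm}")
```

Running it shows the naive rule firing only on the first sample while the normalizing rule fires on the first seven and stays quiet on the two benign strings; the "order=2" case is why the pattern anchors "or" on word boundaries instead of searching for the bare substring.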
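The load-balancer and WAF identification the speaker describes is a differential test: the same request answered with different Server headers, or a clean 200/404 pair followed by an out-of-band status code (999 "No Hacking" from WebKnight, a 501 from older mod_security rule sets) on a hostile-looking probe. The following is an added example, not code from the speaker, wafw00f or halberd, that applies those two checks to responses a defender has already captured from their own edge, so it runs offline on constructed Response objects and says what the perimeter is giving away. The Response class and function names are this example's own; the WAF guesses are exactly the two heuristics from the talk and nothing more.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Response:
    """A captured HTTP response (constructed for this example, not fetched)."""
    status: int
    headers: Dict[str, str]
    body: str = ""

# Headers that legitimately change between identical requests; ignore them.
VOLATILE = {"date", "set-cookie", "etag", "last-modified"}

def varying_headers(responses: List[Response]) -> List[str]:
    """Header names whose values differ across responses to the *same* request.
    A changing Server header (IIS/5.0 then IIS/6.0) is the load-balancer tell from the talk."""
    norm = [{k.lower(): v for k, v in r.headers.items()} for r in responses]
    names = set().union(*norm) - VOLATILE
    return sorted(n for n in names if len({h.get(n) for h in norm}) > 1)

def waf_from_response(resp: Response) -> Optional[str]:
    """Map the two response fingerprints named in the talk to a product guess."""
    text = (resp.body + " " + " ".join(resp.headers.values())).lower()
    if resp.status == 999 or "no hacking" in text:
        return "AQTRONIX WebKnight"
    if resp.status == 501:
        return "Apache mod_security (older rule set)"
    return None

def assess_edge(baseline: Response, missing: Response, probe: Response) -> dict:
    """baseline: a known-good URL; missing: a file that does not exist;
    probe: the same URL with an XSS-looking parameter. A status on the probe that is
    neither the 200 nor the 404 the origin would produce means something in front
    of the application answered instead."""
    device = baseline.status == 200 and missing.status == 404 \
        and probe.status not in (200, 404)
    return {"filtering_device": device, "waf_guess": waf_from_response(probe)}

# Constructed captures of two identical requests to one hostname.
SAME_REQUEST = [
    Response(200, {"Server": "Microsoft-IIS/5.0", "Date": "Sun, 12 Dec 2010 10:00:00 GMT"}),
    Response(200, {"Server": "Microsoft-IIS/6.0", "Date": "Sun, 12 Dec 2010 10:00:01 GMT"}),
]

if __name__ == "__main__":
    print("headers differing across identical requests:", varying_headers(SAME_REQUEST))
    print(assess_edge(Response(200, {}), Response(404, {}),
                      Response(999, {"Server": "WebKnight"}, "No Hacking")))
    print(assess_edge(Response(200, {}), Response(404, {}),
                      Response(404, {}, "Not Found")))
```

The second assess_edge call reports no filtering device: a 404 on the probe is what an unprotected origin returns, so this differential says nothing either way about the rest of the stack. Excluding Date and the other volatile headers is what keeps varying_headers from flagging every pair of responses as load-balanced.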
Info
Channel: killab66661
Views: 112,131
Rating: 4.9521532 out of 5
Keywords: urdu music, technology, subtitles, defence, garderning, lecture, defense, palestine
Id: tJsNu0VRKYY
Length: 34min 35sec (2075 seconds)
Published: Sun Dec 12 2010