Hacktivity 2012 - Joe McCray - Big Bang Theory - Pentesting high security environments

Captions
All right, everybody, how's everybody doing? Y'all good? All right, now listen, listen. One of the things that always happens to me: I'm on the road a lot, I have no life, all right, let's just call it what it is. So whenever I leave America and I come out to Asia and Europe and all these other countries, once I start doing my thing, I get up on stage, I start talking to people, and I notice, how do I politely say this, people who aren't American are too damn nice. See, listen, listen, listen. I'm real casual, I think you can kind of see that, right? So I'm going to kind of do some stuff and I want you to kind of be real casual with me, so I need you to kind of just relax a little bit. Everybody do this with your shoulders. Go ahead, people, I'm serious, do it. Yeah, okay, there you go, loosen up a little bit, there you go. Now I'm gonna do my thing up here, and when I'm doing my thing I want you to kind of get involved with me. I got a wireless access point, got a couple of vulnerable apps I'm a mess with, I got an IDS I'm gonna let you mess with. And last year I did my thing and I was drinking on stage, and then they came back and gave me all the critiques, like, hey Joe, my critique was that your presentation was okay but you didn't do enough demos. So now my whole presentation is all demos, okay? So I want to see what the hell you ask for next year.

All right guys, so, pen testing high security environments. I've been beating down networks for a good ten years or so. Networks have sucked for years and they still suck, I don't know if any of you have experienced that, but networks still suck, applications still suck, but what's happened now is now we have 50 million security products protecting our applications. So networks, web applications, but we've got a whole bunch of stuff that protects all this stuff, that's it. So that's how this is going to work for us today.

So who am I? Network guy. Most people know me, I'm the black guy at security conferences, yes, that's me. I always go into this, right, everybody here, the, um, the afro-colored, uh, I've seen you before, right? Yeah, yeah, that's me. Okay, all right guys, I've been doing this for a while like I said, and what I do: I hack, I curse, and of course anybody who knows me knows what I drink: rum and Coke. Okay, now there's been some changes in my life, got a new girlfriend, so now she gets so mad because I drink too much, she really doesn't like how I eat, that's why I have to travel, that's why I had to come here, so I had to eat all this goulash, get all this food with a lot of fat, that's what I'm talking about, man. So please don't tell her that I'm eating and drinking.

All right guys, like I said, I've been doing this for a minute. Check out the CRT monitors, anybody remember those? Okay, so that was my first DEF CON, and I got a lot of people who've been talking to me about doing capture the flags, and for me capture the flag was just an amazing experience, it's just absolutely wonderful, changed my life, like, Jesus man, you know what I'm saying, like straight hallelujah, this is it. So what I want to do is I want to create a capture the flag exercise for beginners. So if you're new, you probably never competed in a capture the flag; we're hosting one, it's a month-long training class to prepare you for it. The capture the flag is going to have encryption, encoding challenges, network challenges, malware challenges, reverse engineering challenges, exploit dev challenges, all kinds of stuff, big massive competition so we can just have a whole lot of fun. So just kind of a shameless plug for what I got going on, and now let's do the damn thing, yeah?

All right, I got a wireless network set up, please do not break my poor little cheesy wireless AP, okay? So if you want to jump on the network, it's "Hacktivity demo", there's the password for it. I've got this text file, and the reason for the text file is it'll allow you to copy and paste. Now normally when I do this I let people do all this like Windows 7 stuff and all that, but all you're going to need is just a web browser. So if you have Firefox, Chrome, whatever you want, crack open your iPad or crack open your laptop, jump on this network. I've got an IDS, I've got a Snort box running, and we're just going to kind of keep it light, so we're just going to do a bunch of web app stuff, a bunch of SQL injection, a bunch of cross-site scripting against this host, it's got a web app, and then we've got another box that's got a web application firewall configured. So I'll walk you through some IDS bypass and some web application firewall bypass and we'll just kind of get in there and let's just talk about it and we'll do the thing. Y'all cool with that? Okay, everybody nod your head, all right, cool. Okay, do I need to hold this up a little bit longer or can I get started? You need a minute? Hurry up, man, damn. Did you see how long Shaq took when he was talking? I had like two bowls of goulash back there while Shaq was talking, see how long Shaq ran. All right, let's do this.

Okay, so we've got ourselves our handy dandy intrusion detection system and we've got this text file. Let me start, let me start zooming, okay. So if you want to check out the text file, here's the text file. Okay, now what I'm gonna go through is just some real trivial SQL injection, cross-site scripting, and if you want to mess with an app that's a little bit tougher you can check this text file and there's two apps. So 2.6, 2.6 is an ASP.NET app that has request validation running, it's got an updated version of the .NET framework with the anti-cross-site-scripting library and a couple of other security mechanisms, and a modified web.config file for other security libraries to be loaded. 2.7 is the same app but it's got all of those .NET security features and the web application firewall. So I'm going to mess with this app, 2.35, and I'm going to kind of talk about that. So if you're already familiar with basic cross-site scripting and basic SQL injection, why don't you play with 2.6 and 2.5 and 2.7 while I do this one. All right guys.
So we got our text file, we can copy and paste, because that's what life is all about. All right, so I've got this. Now the first thing we want to talk about is parameter passing. So we've got bookdetail.aspx; the question mark signifies parameter passing, id equals 2. So basically what's happening is your web server front end is talking to your database back end. Your web server is like, hey database, yo man, what I need to do is I need to know if you've got this record that corresponds with id and its value is two. Database is like, yeah, too easy man, I got that, here you go. So what we want to do is we want to test to see if there's SQL injection. So what I'm going to do is I'm going to throw in a simple quote like that, and then: "unclosed quotation mark after the character string", right, all from throwing in a single quote. Now these are the most common types of tests, right, you're going to replace the parameter value with the quote or you're going to directly append to the parameter value with a quote, right? This is what you see all the time, no big deal. Here's a couple of other ones that may interest you. Okay, so I suck at math, but that is a 4, everybody with me? Everybody nod your head, yes, that's a 4, Joe. All right, cool. Now something that might interest you: if you notice that when I change this to a 2, id equals 2, the page changes; when I change it to a 4, id equals 4, the page changes. Now I'm going to put in parentheses a 2, and I get the same page as the 2 without parentheses. Now if I do 4 minus 2 I get page two; if I do 4 minus 1 the page changes to the same page as id equals 3. You guys notice that?

So how many of you have run into these cases where you're doing a penetration test, you're messing with the website, you go, okay, I put in a tick, it automatically redirects me to the home page; I try to do some sort of SQL injection and it redirects me to the same page or redirects me to the home page, right? What they've done is they've suppressed error messages. So I'm not seeing my ODBC error message that makes me do the happy dance because I got SQL injection, right? I see something's wrong but I can't figure out what. So what's happened is your developer thinks he's smart, right, we run into this, come on, don't act like it's just me, all right, you run into a developer or you run into a sysadmin who's like, well, I'll just turn off error messages. Okay, but what's really happening is you've got the database to execute arithmetic functions. So if the database is executing arithmetic functions like this, 4-1, and you're seeing that I get page three, we've just proved that SQL injection is now possible. So now you can go right back to the customer and say, no no no no no no no, pump the brakes, boy, you still have SQL injection. What happened was you probably knew that you had SQL injection, you tried to do some little fix, right? This is common, we run into these band-aids and this stuff all the time. So these are the types of tricks that I've had to use.

Now the game's changed, because a lot of people now use things like web application firewalls. So when you're trying to do your normal select statement, you know, a real common one, you might do something like this, right, so you might say, let me go "or 1 in (select user)", like this, right? So this is pretty common and we can see that the app is running as dbo, right here's our select user statement. Well, the web application firewall is probably going to trap on that select statement, right? No no no no, can't do selects, right? So when you see stuff like that you probably go, okay, well, I haven't figured out if I'm up against the web application firewall or not; doing these arithmetic tricks are good ways to figure out if you have SQL injection and there's a web application firewall in front of you.

Now I have the horrible misfortune of doing a lot of retail chain pen testing, okay? Now anybody tell me, what's that mean in English, retail chain pen testing? There's a compliance regulation, I'm getting at that, come on. PCI, God, I hate PCI. So I'm doing retail pen testing all the time. Now the PCI council in their infinite wisdom says thou shalt, thou will use secure coding standards in accordance with OWASP secure coding guidance, you will do this, or you can deploy a web application firewall. So every customer that I had, what would they do? Now would they do the right thing like what Shaquille was talking about and do all this threat modeling and, you know, get in there and let's have a meeting after another meeting after another meeting and eventually fix it? No. What did they do, right? They back the truck up, they got the WAF, they run down into the rack, slide that bad boy into the rack, we'll fix it. So as soon as you start to see these types of things, that's when some of these other, in my opinion, interesting things kind of come into play.

Let's say, let's say everything I've done so far, would you say that we've identified SQL injection? And I'll go like this, I'll do "or 1 in (select db_name(0))" and we can see that the first database is called bookapp. Now if I change this 0 to a 1, the next database is called wet, okay, change the database number to a 2, the next database is called wet. Okay, now help me here, would you say we've identified SQL injection? Yeah. Now that's great, that's great. The problem is my IDS has no red. That thing, it's got no red. Now, we're doing SQL injection, right? Okay, hold on, I must be doing something wrong. I didn't just get database information directly from the database and this thing tell me what? Right, well, no no, wait a minute, wait, no no no no, okay, wait wait, let me try that again. How about I try something else, how about I go, okay, well, let's try, instead of database enumeration let's go for some table enumeration, okay? So "select top 1 name from sysobjects where xtype = char(85)", and that first table name is, okay, now I'm thinking that's SQL injection, who's with me? Stevie Wonder can see that that's SQL injection, right? We know that's SQL injection, but, hmm, you know what, it's a cheap system, it's a cheap system, there's a little mistake, the rules aren't updated, the IDS rules are a little old, I uploaded them this morning, they're a little old, a little old. So maybe I messed up somewhere and I didn't upload the latest rules, the rules are about three hours old, I don't know. Okay, well, let's see, what if we try and ask for a database, okay, now let's try this again. There we go. Well, you know, you'd think that after this many years I'd be able to copy and paste, I'm serious, you would think that I would know how to do that, but obviously I'm experiencing technical difficulties copying and pasting. All right, I think I got it, huh, man, really? Okay, so our second database table is called what? Okay, and all we did was we said, hey, instead of sysobjects where xtype equals char(85), where that told us it was bookmaster, we said, hey, can you give me the name of the table that's greater than bookmaster? In other words, if bookmaster is this table, can you tell me the table of the one that's like right next to you, right? And this is how we do database enumeration, right? So as soon as you extract the database name and the table name, now once you get your table names you just keep asking, hey man, can I have the table name that's greater than the one I'm looking at right now, and we just keep doing that until we run out of table names, right? So that's not too hard, I think I can handle that, and, hmm, problem.

Okay, well, what if I try union-based SQL injection? Now there's a couple of different types of SQL injection, and we just did error-based SQL injection, so I'm going to try another type called union-based SQL injection. So what do I do with the union? I say, hey man, can I order by 100? Now think about it like this: let's say you have a spreadsheet, so you have a spreadsheet, you got these columns. Now if I have ten columns, can I order by five, people, can I? Yeah, okay. Now if I have ten columns, can I order by 20? No, 'cause what? No thanks man, I don't have 20 columns, right? So what it's going to tell you is, hey man, what you're asking for is out of range, man, I don't have that many columns. So what you can do is you can say, all right, I'm ordering by 100, he says, dude, you don't have that many, so I order by 50, then he tells me what? Yeah, don't got that many either. So I go, all right, let me try, what about 25, what about 25? No, don't have that. How about, come on, 12, 13? 13's unlucky, okay, I order by 13, mmm, no 13, nine, okay, so I order by nine, oh, valid records. So I have more than nine but less than that, right? And you just keep playing the game, right, you kind of have this random math mini-game, right, until you figure out how many columns are in the table. So once we figure out how many columns are in the table, I'm going to guess that we have nine, right? So now what we do is we build out what's called a union statement. So with this union select statement what you're doing is you're going to say, okay, like this: the union statement joins the statement that the developer wrote with a statement of your own, but you have to have the correct number of columns for both statements combined for the union to work. That's the reason that we do the order by. So when you're doing this SQL injection and you see it, you're going to do the order by to figure out the correct number of columns, then you're going to stick in your union all select, and then you're going to have each of these numbers from 1 to however many columns you have to figure out where your placeholders are going to be. Now once we do that we need to negate this record right here, so we need to negate it; I'm either going to change it to a negative number or the word null. So I'm going to put in a negative number and now my screen gets funny. Check that out, I got a 7, a 2, 3, a 4; these are the columns that echo back data. So now each one of those guys gives you a number, one that's on the screen, okay, all right, let's go with 2. So now I'll take 2, I'll go to the placeholder 2 and I'll say "user", whoops, like that, and now where the two was, the user shows up, makes sense? So what if I go for the three, so maybe at the three I'll do @@version, like that, and now what shows up? Starting to see what's going on? Now help me guys, would you say that we have SQL injection? Starting to see what I'm getting at?

So I know this is kind of messed up, right, and again I started my security career as an IDS analyst and it was a horrible life, you know, to have to look at packet captures all damn day. Nothing, maybe other than marriage, will make you want to put a bullet in your head, I mean I was just like, this is bad, all day of looking at this stuff, man, like that, it was bad. So when you start seeing this stuff, the stuff that gets by is just mind-boggling, flat-out mind-boggling. So let's say, let's say we want to do some interesting stuff, maybe, maybe I want to grab, let's go from here all the way to here, so I'm getting the version, database version, the server name, and this mess here, a hex string, what, nothing important, right? Okay, all right, now I'm thinking that's a helpful thing to have, anybody? Okay, now the important thing is we need to know that our IDS is a great thing to have, who's with me? Let's run out and let's buy one. You know what, let's not get an IDS, let's get a SIEM product, how about a SIEM solution, wouldn't that be even better? That way we can correlate all of our useless logs that we don't look at, that'll be awesome.

So, okay, let's say we do something interesting. All right, now we've got some of these things like this, right, we've got a 1=1, got a 1=2, and then we've got a 1*1, okay? So everybody with me, 1 equals 1? Yeah, okay. Does 1 equal 2? No, it doesn't, right? But what you're trying to do is you're trying to see if there's changes in the page that you can enumerate. So let's say I'm doing this, I get a valid page here; if I change this to a 2, does the page change?
If the page changes in some discernible way, then programmatically I can figure out, okay, this is called inference-based SQL injection. So if I can do this 1=1 and this 1=2, now I can start to figure out, okay, is the username dbo and 1=1? Because if you have the and statement, if the username is dbo and the 1=1 and I get the correct page, then I know the user is dbo. That makes sense? So that's what inference-based SQL injection is. Now who's liking that IDS? It's an awesome product. Okay, now sometimes you might do some other stuff like this, okay, what do you notice I have here, guys? 1 is what, greater than negative 1? So in a lot of these cases, or my favorite one that I really like, okay, again, it's all these different ways of asking the same question, right? Who has children, anybody, kids? Kids, if you have kids you've experienced this in your life, you've said no, you can't have that, so your kid's like, oh, what can I, can I have this? No, you can't have any cookies. Well, how about the Chips Ahoy? No, you can't have cookies. Okay, but, but what about the Oreos? No, you can't have any. Yeah, see, I've been through this, I'm just saying, I've been through it, okay.

All right, now here's another one that we run into. So in this case let's say that the database wouldn't throw any error messages. We've got this one here, it's called a waitfor delay; this is called time-based blind SQL injection. So what you're doing here is you're saying waitfor delay 10 seconds. Now what you'll notice is that thing is what? Waiting. And then after 10 seconds you get a valid page. So if you can do that, you can say, hey, you know what, database, let me ask you a couple of questions, you can say something like, if the user is Joe, what, wait 10 seconds. Makes sense? If the user's dbo, wait 10 seconds, okay? So these blind SQL injection methods are things that you can do when developers try to patch the symptoms instead of fixing them, okay? So now you notice, hey, it waited, so that actually is SQL injection.

So let's try something a little bit more interesting. Here we go, so I'm grabbing this one, I'm trying that, okay, now it's red. Let's look at it, let's look at it. Okay, hold on, what happened? xp_cmdshell. So let me see if I get this straight, help me here, help me with the logic, okay? We're looking at the packet, the IDS says WEB-MISC xp_cmdshell, okay, all right. We get down here, we can see the GET request and we can see what he flagged on, xp_cmdshell with the tick to ping, okay, that's obviously a bad thing, right, that's obviously bad. Now if you look here, what happened? The SQL server did what? Hmm, SQL server said, hey, whoa whoa whoa whoa whoa, now you can have my database password, you can have all the records in my database, but look man, I really don't want you just running commands on me, I don't know if I'm too cool with that. So what we have to do is, even though the IDS alerted on the xp_cmdshell attempt, it failed, right? The web app, as soon as you start dealing with a modern web app, you know, most people, you know, if you're using SQL Server 2005, SQL Server 2008, xp_cmdshell is going to be disabled, it's not going to let you just up and do that. So it's frustrating, it's frustrating, so, you know, what we have to do, we have to ask nicely, you have to say, hey, can I please have the cookies, daddy? That's what my kids do, I'm serious. So what we'll do is we'll go to some advanced options and we'll reconfigure, and then what are we going to do? We'll enable xp_cmdshell, because we would prefer to have that, anybody with me? I'd like to have that. Now, all right, yes, I don't know if you've noticed, our IDS has detected us, we have been detected, look at that, whoa, we are blowing up the logs, lit up like a Christmas tree, huh, look at that. Hey man, we caught that hacker, we got him, we got him, we got him. Now if he's stealing our data, we're not worried about that, but if he's going to execute system commands on the box, uh-huh, I don't care buddy, you're not gonna ping, traceroute, telnet, FTP, you're not doing any of that. You can have my data, that's cool, that's cool, I'm not worried about that, but I don't want you to have a shell on the box, right?

Oh, here's one of the things that really kind of got me, right, now I worked for an organization many many moons ago, when I had a job. I'm telling you this because my girlfriend says I don't have a job, she's like, all you do is get up on stage and talk, you don't work, and I go, no sweetheart, I'm a consultant, it's different, I give my opinion, that's how I get paid, okay, it's different, I don't work anymore. But as you look at this stuff you start to see that we as hackers love to pop a shell, come on, who's with me? Well, there's not too many greater pleasures in the world other than popping a shell, right? Now IDS analysts, as they're writing rules, you'll often see that that's the kind of stuff that they write rules for, right? But data exfiltration, now if you had to talk to a CIO, which do you think you would rather have, given the two choices? Let's say I have an application that makes, oh I don't know, 100 grand an hour. Would I rather you have all the data in the application or have a shell on the box? Seriously, pose this question, which would you be more concerned about, right? Just because you have a shell on the box doesn't necessarily mean that you have access to the inner workings of the application, more than likely if you don't you will pretty soon, but, but you're going to notice that a lot of these products are built on certain premises, and IDSes are very much built on the premise of an attacker driving around your network. So they're looking for command execution, they're looking for command injection, you're going to notice that's the big thing, and then they're looking for trivial vulnerabilities, really simple cross-site scripting, really simple SQL injection, not complex ones, not encoded ones, all that kind of stuff, and we're really not worried about that kind of stuff, right? Because you're going to find that most security products look for noise. They're looking for noise, they're looking to stop the ankle-biters, and that's what we have to understand when we're dealing with security products. You don't just buy a security product, you don't back the truck up, throw the thing into the rack and kind of walk away, right? You really need competent, qualified people who understand the technology. Yes, oh my God, people, people, right? We don't want to throw millions and millions of dollars at a problem. How many of you have worked in environments where as soon as your boss watches a cool commercial he runs into the shop like, we've got to get this thing, and you're like, no, no, we really don't, we got to fix the whole mess that we have back here? And that's kind of the premise of this presentation. The high security environment stuff that I've been dealing with is just spending a lot of time trying to understand the rule set of the defensive mechanism; once you understand the rule set of the defensive mechanism, bypassing it isn't all that hard.

So let's say, for example, let's say, for example, I have a web application and the web application is protected by a web application firewall, that would make sense, right? So 2.7 should be our box with the WAF. So we open up that box with said WAF and I try a cross-site scripting, and that bad boy says danger, Will Robinson, danger, we've been blocked. Now I'm thinking that's pretty bad, anybody with me? That's bad, you know, you got your, you've got your security products. But what if I want to do something like this, whoops, let's try, let's try this text file, it will probably help if I read my notes, right? I was like, no Joe, don't read your notes. Oh no, dashes, I think he's thinking about it, what do you think? Nope, okay, hey demo gods, can you help me out here? All right, now the demo gods are being a little mean to me right now, let's see if we can make this work. Yay. Now help me if I'm wrong, would that be SQL injection against the box that's running a web application firewall? I'm thinking yeah.

Now let's pretend that we want to start a security company, yeah, okay, so I want you to put on your vendor hat, okay? You're evil now, you're the real black hat, you put on your vendor hat. I'm a consultant, I can talk crap about vendors, okay? Now we want to deploy, we want to build and deploy a new intrusion detection system, yeah, okay? So we're going to start an intrusion detection company. Snort, the open-source product, has, to grab a number, a hundred thousand intrusion detection signatures. Now we're going to do the ethical thing and write all hundred thousand competing signatures on our own, we're not going to steal any signatures from any other product because that would be unethical, right? We're just going to sit down and write all of these, hey Bob, Tim, Joe, come on, jump in there, let's just crank out 100,000 signatures, right? And we're going to build a scanner, we're going to build a vulnerability scanner, so Nessus, Nessus has a good eighty thousand signatures and scripts that it checks, you know, vulnerability checks that it does. We're going to do the ethical thing and write all of them ourselves without looking at what Nessus is doing, right? So a lot of people ask me, why, Joe, you know, you do all these tests against open source products like ModSecurity, Snort, and all this kind of stuff, you know, how close do you think they're going to be to the vendor product? And I always say, not at all, not in the slightest, because vendors don't steal from open source security products so that they can build up their rule set, they do the ethical thing and sit down and write all these rules themselves, everybody, of course they do. So if you can make your signatures or your attack strings work against an open-source security product, there's a good chance that you're, if not going to work against the commercial product, moving in the right direction; you're going to find that whatever concept you use is going to help you out.

So everybody knows that I drink, let me show you why I drink. If you've ever, ever, ever, ever, ever, ever in your life had to audit source code, you drink, believe you me, you drink. So we've got our favorite language, the CPP, talk to me people, C++, who's like, oh joy, okay? So now this is WebKnight. So when I started jumping on WebKnight I started looking around and I said, well okay, look what they have for default excludes. Well, that's interesting, if I deploy my web application firewall it's not going to protect Outlook Web Access, that's great. Now I need you to realize that a lot of these vendors puff puff give, man, and hand it on to the next: they take rules from one product and throw them right into the next product, really without doing a whole lot of research. So when I first started deploying web application firewalls, I realized that everything about webmail is wrong. Webmail is a security violation in practice: you've got web code that literally executes system commands and queries LDAP or whatever your data store for your user database is, right, in the web, I mean just smack dab in front of you. On what planet does that sound like it's going to be secure? Think about it, think about it, you know, you open up Outlook Web Access, you hit Ctrl+K, you look up users and all this kind of stuff, you are driving Active Directory from the web, right? You're executing system commands on a Linux box if you're using SquirrelMail or Horde or whatever it is, right? So everything about it is pulling like evals and all these types of insecure functionality, so a lot of web application firewalls exclude it. Yeah, try asking your vendor about that one. Here's one that I really liked, check this out. Now WebKnight stole a lot of its rules from URLScan, who's liking this one, are those IP ranges that are excluded from my product, like hard-coded IP ranges that are completely excluded from my product? Anybody like, yeah, install that on my network, that's what I want running on my network, anybody? Yeah, that's awesome. Okay, okay, well let's, let's jump down here and let's look at all the stuff that he doesn't want you to do. Okay, 1999 called, they want their web server back, anybody remember that stuff? /scripts, /iishelp, /msadc, buddy, remember that stuff, come on, a couple people are like, oh man, hacking was so fun back then, and remember, go on, come on, come on, remember this? We were killing web servers back in the day, man, it was great. Now as we look at this, you're not allowed to do any of that: msadc, printers, samples, _vti_pvt, _vti_bin, you can't do all of that stuff, can't go to any of those places, can't do any of that stuff. What about commands you're not allowed to execute? No arp, at, cacls, chkdsk, cipher, cmd, comp, command.com, and all that stuff, right? Come on, who's like, oh man, it's just flashbacks to the servers that you owned, remember those days, right? Now here's the thing that I really think is interesting: do you see any wmic up there? Do you see any PowerShell up there? So if you've got a brand new app that's got functionality where it executes scripts on the local system, and it's executing modern scripts because, hey, maybe I just might want to run Server 2008, but I'm going to do the brilliant thing and protect it with rules that are designed to protect IIS 5, Windows 2000. You realize that that's what a lot of your WAFs are doing? Really stop and think about that, like next time the WAF vendor comes rolling in, why don't you ask him about that, hey man, are you looking for things like bitsadmin, are you looking for things like PowerShell cmdlets, are you checking for any of that stuff? Because, you know, we've upgraded and we're using the new version of .NET, it does some of that stuff by default, might want to check for it.

The next thing I wanted to talk to you guys about is logic bugs. Now let's say, let's say I go to 2.6, so I'm going to go to 2.6, same app without the WAF. Something that's pretty interesting is you'll notice that there's a Contact Us page, right? So when you look at the source code of the Contact Us page, I ran into this on a pen test, so I had my developers build this. So if you look at it, what do you see it's actually doing? Think about that, think about that, think about that, yeah, whoa whoa whoa, see how, see how people in the crowd are like, oh, probably shouldn't do that, huh? So I was on a pen test for a, I don't know, forty billion dollar bank and I ran into something like this. So we had no SQL injection, no cross-site scripting, none of the bad stuff, right, but we basically had this. So, no exaggeration, the bank tells us that they have both Qualys and WebInspect and they have no highs, no highs. So I'm like, yeah, but you can open and read files on the file system, like, um, you can read files on the file system. No exaggeration, the head of the security team tells me, yeah, but we found that vulnerability with one of our scanners, that's actually a low. So I was like, okay, but wait a minute, if I go ../../../boot.ini, I can read files on the file system, and he's like, no no no, but you understand those aren't critical files. And I'm like, okay, okay, but it's Server 2008, he's like, yeah. I'm like, cool, you know Server 2008 has a web.config file that's in the root directory of the web server, right? He's like, yeah. So I'm like, so what if the attacker did this? He goes, well, you can't see anything, and I'm like, well, what if I view source? I think we may have an issue, anybody? There's a little problem here. Now my favorite part is, you won't let me execute system commands on the box, but when I stole the admin passwords for the web server and the database, enumerated all the data in the database, yanked all the stuff out of the database and bounced, like, dude, I'm out of here with all your stuff, that bad boy was like, hey man, today is a great day. Anybody kind of feeling that?

Don't let security products become your disease. Don't let security products become your disease. Get the nerdy people, find them, give them Star Trek memorabilia, encourage them to stay late, because it's those nerdy, smelly people, the ones who don't shower, with the pasty skin, they're the ones who make our networks run well, they're the ones who help us integrate security products well. How many of you could not stand the guy in the room who's like, oh, I'll just write a script for that? I mean, I could just write, we've all had that guy or we've been that guy, and you need people like that to make these security products work. Security products are stupid. Let's do this one more time: security products are stupid, because they what? They suck, come on, they suck, security products suck. I have not seen a good security product yet without a good person to drive it. It's the functional equivalent of a damn screwdriver, think about it, man, it's just a big list of rules saying that's bad, that's all it is. So I want you guys to look at education, look at, look at things like SecurityTube, look at things like the Poli edu, right, there's plenty of free education online, opensecuritytraining.info, look at places like that. Learn Python, learn assembly, right, learn web app testing stuff with all this stuff that's going on in OWASP, that's what's really going to help you defend your network. Smart people defend networks, products don't defend networks. Go back to your job and tell your boss that we need more budget for more people. I know it's a recession, I know that, yeah, yes, I realize that, we need more budget for more people, we need more budget for training. If we buy a product, don't disregard the training for the product because that's expensive, hello, why are you going to buy the product if you're not going to do training on the product, right? I will disclose that I worked for many a vendor in my life, I even worked for ArcSight at one point, so I lived that life of going out and deploying these massive products. I am so frickin' sick of RADIUS and network access control and all that stuff, because I deployed those things and those products suck, they suck. I went to a customer, they were doing an 802 dot
1x deployment so they've got a Mac based off secondary off for each port and I go wow now that's pretty bad so I walked over hit the buttons on the printer and then I got the printer test page you know the one with the MAC address in the IP address all that you know that one well the printer can't handle 802 dot one so it needs to be excluded so when I unplugged it and changed my MAC address to the MAC address of the printer and plugged in my laptop we have now bypassed this expensive Mac solution think about it so what good did that Mac solution do for me if a person can just impersonate a printer or impersonate a VoIP phone let's kind of see the point I'm driving that guy's pentesting high security environments now for me is about spending time trying to understand the security product that the customer bought because now every bank pin test that I do they've got hips nips laughs Macs and a whole bunch of other acronyms that all suck but I just keep trying to go okay well what's this product trying to do and how is your trying to do it and then as soon as you kind of figure out what's the methodology and the thought process behind how the product does its defense circumventing it usually isn't very difficult okay so my favorite one that I'll leave you with we had MS 1103 right which is a browser-based exploit that does a heap spray so literally to bypass the hips signature I just didn't want to do it because time and getting this stuff to work for you guys in the demo but literally to bypass the hips signature for it in the actual vulnerability in the actual exploit code changing the word from heap spray to HS bypass the hips I want you to take that with you guys I'm out of here you
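Two of the points in the talk, a WAF blocklist written for IIS 5 that never mentions wmic or PowerShell, and a file-read bug that reaches web.config but gets rated "low", can both be checked against your own rule set with a few lines of code. The following is an added example, not code from the talk or from any WAF product: it normalizes request lines (double URL-decoding, backslash folding) and runs them through a hypothetical 1999-style rule set and an updated one, then lists what the old rules let straight through. The sample request lines and both rule sets are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample request lines (not from the talk); "+" stands for an
# encoded space as a browser would send it.
SAMPLE_REQUESTS = [
    "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir",  # 1999-era IIS attack
    "GET /msadc/msadcs.dll",                                  # 1999-era IIS attack
    "POST /runscript?script=powershell.exe+-enc+AAAA",       # modern script host
    "POST /runscript?script=wmic+process+call+create",       # modern script host
    "POST /runscript?script=bitsadmin+/transfer",            # modern script host
    "GET /contact.aspx?file=..%2F..%2F..%2Fboot.ini",         # traversal, low-value file
    "GET /contact.aspx?file=../web.config",                   # traversal, credentials file
    "GET /contact.aspx?file=about.txt",                       # legitimate use of the page
    "GET /index.aspx",                                        # legitimate
]


def normalize(request: str) -> str:
    """Canonicalise a request before matching so encoding tricks do not slip
    past the rules: decode twice (catches %255c-style double encoding), fold
    backslashes to slashes, turn '+' into a space, lowercase everything."""
    s = request
    for _ in range(2):
        s = unquote(s)
    return s.replace("\\", "/").replace("+", " ").lower()


# A blocklist in the spirit of the slide: IIS 5 / Windows 2000 paths and the
# command names of that era. Hypothetical patterns, not any vendor's rules.
LEGACY_RULES = {
    "iis5-paths": re.compile(r"/(scripts|msadc|iisadmin|iishelp|_vti_bin|samples|printers)/"),
    "old-commands": re.compile(r"\b(cmd(\.exe)?|arp|at|cacls|chkdsk|cipher|comp|command\.com)\b"),
}

# What the talk says is missing: modern script hosts, directory traversal,
# and the files on a Server 2008 web root that actually hold credentials.
MODERN_RULES = {
    **LEGACY_RULES,
    "modern-commands": re.compile(r"\b(powershell(\.exe)?|wmic|bitsadmin)\b"),
    "path-traversal": re.compile(r"\.\./"),
    "sensitive-file": re.compile(r"\b(web\.config|boot\.ini)\b"),
}


def scan(requests, rules):
    """Return {request: sorted names of the rules that fired}, flagged requests only."""
    hits = {}
    for req in requests:
        norm = normalize(req)
        fired = sorted(name for name, rx in rules.items() if rx.search(norm))
        if fired:
            hits[req] = fired
    return hits


def missed_by_legacy(requests=SAMPLE_REQUESTS):
    """Requests the updated rules flag but the legacy rules let straight through."""
    legacy = scan(requests, LEGACY_RULES)
    modern = scan(requests, MODERN_RULES)
    return [r for r in requests if r in modern and r not in legacy]


if __name__ == "__main__":
    for req in missed_by_legacy():
        print("legacy rules miss:", req, "->", scan([req], MODERN_RULES)[req])
```

Running it shows the legacy rules catching only the two 1999-style requests while every PowerShell, wmic, bitsadmin and traversal request passes; the updated set flags the web.config read as both traversal and a sensitive file, which is the severity argument the talk makes to the bank. The normalization step matters as much as the patterns: a rule that never decodes %255c never sees the traversal at all.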
Info
Channel: Hacktivity - IT Security Festival
Views: 186,682
Rating: 4.942812 out of 5
Keywords: Hacktivity 2012, Joe McCray, Big Bang Theory, APT, Advanced Persistent Threat, SQLi, IDS, IPS, SIEM, Penetration testing
Id: qBVThFwdYTc
Length: 50min 52sec (3052 seconds)
Published: Fri Nov 23 2012