Download the Containers! Exploitation 101 Download the Containers! Github:/Microcentillion/snowfroc_metasploit Github:/Microcentillion/snowfroc_joomla Since this is a 101 course, we'll do a quick run-down of what we'll cover in this presentation: We'll start with fundamentals and basic terminology in what exploitation *is*. We'll talk about the four most common categorizations of attacks, and then we'll jump into the demo to show you how simple yet phenomenally powerful the attacker's toolkit really is. REMINDER CONTAINERS The demo uses docker containers. If you haven't already built the containers, you can get the links to the repos in the description for this talk on the SnowFROC website.

Exploitation 101 Brad Woodward Senior Engineer – AppliedTrust bwoodward@appliedtrust.com Welcome to SnowFROC 2016 and Exploitation 101 My name is Brad Woodward. I've worked in the IT field for 12 years, and am currently a Senior Engineer at AppliedTrust. Glad to be here Thanks to SnowFROC Crew for the opportunity to speak.

Agenda What is Exploitation? Classes of Exploits Hands-on Demonstration Identifying Vulnerable Applications Configuring Metasploit 'Pulling the Trigger' Since this is a 101 course, we'll do a quick run-down of what we'll cover in this presentation: We'll start with fundamentals and basic terminology in what exploitation *is*. We'll talk about the four most common categorizations of attacks, and then we'll jump into the demo to show you how simple yet phenomenally powerful the attacker's toolkit really is. REMINDER CONTAINERS The demo uses docker containers. If you haven't already built the containers, you can get the links to the repos in the description for this talk on the SnowFROC website.

What is…? What is Exploitation? Exploitation 101 Whether it's a computer system, a building, or a person, exploitation is the process of leveraging a weakness for personal gain. In the context of Computing, it generally refers to the process of bypassing security controls through software vulnerabilities. In our case, we're specifically attempting to gain unauthorized access to a computer system

What is…? What is Exploitation? Exploitation 101 The process of leveraging software vulnerabilities to bypass security controls, with the intent of gaining unauthorized access to a computer system. In our case we're specifically attempting to gain unauthorized access to a computer system.

What is…? What is Exploitation? What is an 'exploit'? Exploitation 101 The process of leveraging software vulnerabilities to bypass security controls, with the intent of gaining unauthorized access to a computer system. What is an 'exploit'? How about the term 'Exploit'?

What is…? What is Exploitation? What is an 'exploit'? Exploitation 101 The process of leveraging software vulnerabilities to bypass security controls, with the intent of gaining unauthorized access to a computer system. What is an 'exploit'? “A software tool designed to take advantage of a flaw in a computer system.”

Exploitation 101 What is…? What is a vulnerability?

What is…? What is a vulnerability? Exploitation 101 “A weakness in design, implementation, operation or internal control.” A vulnerability is: Put simply, Exploitation is taking advantage of a weakness. The vulnerability is the weakness itself, and the exploit is the what you *use* to take advantage.

Classes of Exploits Denial of Service Unauthorized Data Access Exploitation 101 Classes of Exploits Denial of Service Unauthorized Data Access Privilege Escalation Local/Remote Code Execution When reviewing lists of exploits, you'll find that they are commonly categorized into one of the following types. This isn't an exhaustive list, but the grand majority will fall into one of the following categories. DOS make a service inaccessible to legitimate use. The LAND Attack – TCP SYN Heartbleed is an example of Unauthorized Data Access, where a modified request would cause additional information to be divulged in the response. Shift user contexts. e.g. from apache to root. Local and Remote Code Execution allow

Hands-on Demo The containers use your host IP Start the containers Exploitation 101 Hands-on Demo The containers use your host IP Disconnect from untrusted networks and set a static IP on the host before starting them. Start the containers Joomla: run_joomla.sh Metasploit: start_metasploit.sh Without further ado, let's jump into the Demo. A few things to note if you plan to follow along with the demo: Once that's all taken care of, you can launch the two containers with the commands here.

Hands-on Demo joomla_http_header_rce Affected Exploitation 101 Released Dec 14th 2015 'rce' = Remote Code Execution Buffer overflow in X-Forwarded-For and User-Agent HTTP Headers Affected Joomla 1.5.0 – 3.4.5 PHP < 5.5.9+dfsg-1ubuntu4.13 Pay attention to the version number at the end

Next steps? Exploitation 101 We've gone from zero to sixty, and if this is your first exposure to exploitation, you're probably really excited about what's possible. If this field interests you and you want to continue to develop your skills, I have a few suggestions:

Next steps? Start simple Exploitation 101 Start simple. It may be tempting Sophisticated

Next steps? Start simple Watch for new CVEs and Exploits Exploitation 101 Next steps? Start simple Watch for new CVEs and Exploits

Next steps? Start simple Watch for new CVEs and Exploits Exploitation 101 Next steps? Start simple Watch for new CVEs and Exploits Practice 'off the field' Re-use the containers!

Resources cve.mitre.org offensive-security.com meetup.com Exploitation 101 Resources cve.mitre.org offensive-security.com meetup.com Denver OWASP OWASP Boulder Chapter Without further ado, let's jump into the Demo. A few things to note if you plan to follow along with the demo: Also keep your IP in mind, since we'll need it during the demo. Once that's all taken care of, you can launch the two containers with the commands here.