
Drawing blood from a Stone.. haroon meer | marco slaviero SensePost.

Presentation on theme: "Drawing blood from a Stone.. haroon meer | marco slaviero SensePost."— Presentation transcript:

1 Drawing blood from a Stone.. haroon meer | marco slaviero SensePost

2 Agenda..
Introduction
What this talk is about
Complete control with:
–Outbound TCP Connections
–IPS in the way?
–Outbound DNS Requests
–Outbound *nothing*
Lessons Learned
Questions?

3 Introduction
Who we are
–SensePost
–{haroon|marco} @ sensepost.com
–(with extra case studies from {nick|bradleyj} @ sensepost.com)

4 What this talk is about?
Breaking into stuff!
What this talk is not about?
Canned demos of Metasploit vs. 2001
Why?
For a small reality check..
To determine if we need to “sweat the small stuff”
Because it's fun!
How?
Case studies…

5 Arbitrary Outbound TCP is bad..
Least privilege is hardly a new concept..
Limiting outbound TCP connections is a no-brainer
Why?
–Because attackers need to call home..
–Because we need our tools..
–Because we want to be comfortable..
–Because it's your job to make sure we can't..

6 Case Study #1 (plink)

(slides 7 to 13 carry no transcript text)

14 Why your IPS isn’t a Panacea
IPS appears to be interfering with our recon.
All we want to do is an innocent little port-scan..
> 10 ports on one target -> shun source
> 10 targets in X seconds -> shun source
Vertical and Horizontal Scans -> shun source
Who does this stop?
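As an added illustration of the shunning rules this slide quotes (example code written for this page, not from the talk), a small detector applies the "more than 10 ports on one target" and "more than 10 targets in X seconds" rules to constructed flow records; the 60-second window and the addresses are assumed values.

```python
# Added example, not from the SensePost talk: a minimal model of the IPS
# shunning rules quoted on slide 14, run over constructed flow records.
# Rule 1: >10 distinct ports on one target from a source (vertical scan).
# Rule 2: >10 distinct targets from a source inside a sliding window
#         (horizontal scan). The window length is the slide's "X seconds".
from collections import defaultdict

PORT_THRESHOLD = 10
TARGET_THRESHOLD = 10
WINDOW_SECONDS = 60  # assumed value for "X"

# Constructed flow records: (timestamp, src, dst, dport)
FLOWS = (
    # 10.0.0.5 probes 11 ports on one host within 11 seconds -> vertical scan
    [(t, "10.0.0.5", "192.0.2.10", 8000 + t) for t in range(11)]
    # 10.0.0.6 touches 11 hosts on port 445 in 11 seconds -> horizontal scan
    + [(t, "10.0.0.6", f"192.0.2.{20 + t}", 445) for t in range(11)]
    # 10.0.0.7 is an ordinary client: 3 hosts, ports 80/443 only
    + [(t, "10.0.0.7", f"192.0.2.{40 + t % 3}", 80 if t % 2 else 443)
       for t in range(30)]
)


def shun_decisions(flows):
    """Return {src: reason} for every source that trips either rule."""
    ports_per_pair = defaultdict(set)   # (src, dst) -> {dport}
    target_hits = defaultdict(list)     # src -> [(ts, dst)] inside window
    shunned = {}
    for ts, src, dst, dport in sorted(flows):
        if src in shunned:              # already shunned, ignore further flows
            continue
        ports_per_pair[(src, dst)].add(dport)
        if len(ports_per_pair[(src, dst)]) > PORT_THRESHOLD:
            shunned[src] = f"vertical scan of {dst}"
            continue
        hits = target_hits[src]
        hits.append((ts, dst))
        while hits and hits[0][0] < ts - WINDOW_SECONDS:   # expire old hits
            hits.pop(0)
        if len({d for _, d in hits}) > TARGET_THRESHOLD:
            shunned[src] = "horizontal scan"
    return shunned


if __name__ == "__main__":
    for src, reason in shun_decisions(FLOWS).items():
        print(f"shun {src}: {reason}")
```

The value chosen for the window and the two thresholds is exactly what decides which activity falls below the rule, which is the question the slide raises.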

15 visio1

16 visio2

17 visio3

(slides 18 and 19 carry no transcript text)

20 20 Case Study #2

21 I’m ok! I only allow outbound DNS
Outbound UDP 53 is common on Firewall Configs.
*shrug* we don’t know why!
If I get to run commands on your server..
Then outbound DNS is my friend..
SQL Injection + DNS tunnels circa 2002..
SQL Injection + DNS tunnels circa today..

22 Case Study #3 (poor man's DNS tunnel)

(slide 23 carries no transcript text)

24 Case Study #4 (poor man's DNS tunnel)

25 Ok.. What if I..
Hardened my Web-server
–Apache running with limited privileges
No outbound TCP
No outbound UDP
Teeny-Tiny reg-ex problem in my application.. (can you spot it?)

26 Case Study #4

27 Lessons Learned…
Know your enemy? (who are you up against?)
Know the limits of your defenses..
Detection is an important piece of the puzzle.
Basics are still necessary!
There is no unbeatable security measure..

28 Thank You Questions?
