Presentation is loading. Please wait.

Presentation is loading. Please wait.

Drawing blood from a Stone.. haroon meer | marco slaviero SensePost.

Published byAndrea Roberts Modified over 9 years ago

Similar presentations

Presentation on theme: "Drawing blood from a Stone.. haroon meer | marco slaviero SensePost."— Presentation transcript:

1 Drawing blood from a Stone.. haroon meer | marco slaviero SensePost

2 2 Agenda.. Introduction What this talk is about Complete control with: –Outbound TCP Connections –IPS in the way ? –Outbound DNS Requests –Outbound *nothing* Lessons Learned Questions ?

3 3 Introduction Who we are –SensePost –{haroon|marco} @ sensepost.com –(with extra case studies from {nick|bradleyj} @ sensepost.com)

4 4 What this talk is about? Breaking into stuff! What this talk is not about? Canned demos of Metasploit vs. 2001 Why ? For a small reality check.. To determine if we need to “sweat the small stuff” Because its fun! How ? Case studies…

5 5 Arbitrary Outbound TCP is bad.. Least privilege is hardly a new concept.. Limiting outbound TCP connections is a no brainer Why? –Because attackers need to call home.. –Because we need our tools.. –Because we want to be comfortable.. –Because its your job to make sure we cant..

6 6 Case Study #1 (plink)

7 7

8 8

9 9

10 10

11 11

12 12

13 13

14 14 Why your IPS isn’t a Panacea IPS appears to be interfering with our recon. All we want to do is an innocent little port-scan.. > 10 ports on one target -> shun source > 10 targets in X seconds -> shun source Vertical and Horizontal Scans -> shun source Who does this stop ?

15 15 visio1

16 16 visio2

17 17 visio3

18 18

19 19

20 20 Case Study #2

21 21 I’m ok! I only allow outbound DNS Outbound UDP 53 is common on Firewall Configs. *shrug* we don’t know why! If I get to run commands on your server.. Then outbound DNS is my friend.. SQL Injection + DNS tunnels circa 2002.. SQL Injection + DNS tunnels circa today..

22 22 Case Study #3 (poor mans DNS tunnel)

23 23

24 24 Case Study #4 (poor mans DNS tunnel)

25 25 Ok.. What if I.. Hardened my Web-server –Apache running with limited privileges No outbound TCP No outbound UDP Teeny-Tiny reg-ex problem in my application.. (can you spot it?)

26 26 Case Study #4

27 27 Lessons Learned… Know your enemy? (who are you up against?) Know the limits of your defenses.. Detection is an important piece of the puzzle. Basics are still necessary! There is no unbeatable security measure..

28 Thank You Questions?

Download ppt "Drawing blood from a Stone.. haroon meer | marco slaviero SensePost."

Similar presentations

 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,

 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,
Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning.

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning.
Cosc 4765 Network Security: Routers, Firewall, filtering, NAT, and VPN.

Cosc 4765 Network Security: Routers, Firewall, filtering, NAT, and VPN.
The Internet and Java Sockets ICW Lecture 5 Tom Chothia.

The Internet and Java Sockets ICW Lecture 5 Tom Chothia.
Network synchronization of Online Games Li, Zetan.

Network synchronization of Online Games Li, Zetan.
IT security Are you protected against hackers?. Why are we in danger?  The Internet is worldwide, publicly accessible  More and more companies and institutes.

IT security Are you protected against hackers?. Why are we in danger?  The Internet is worldwide, publicly accessible  More and more companies and institutes.
ITP 457 Network Security Network Hacking 101. Hacking Methodology (review) 1. Gather target information 2. Identify services and ports open on the target.

ITP 457 Network Security Network Hacking 101. Hacking Methodology (review) 1. Gather target information 2. Identify services and ports open on the target.
Case Studies for Projects. Network Audit A brief description of the systems (via fingerprinting, if black box is used) Network perimeter should be described.

Case Studies for Projects. Network Audit A brief description of the systems (via fingerprinting, if black box is used) Network perimeter should be described.
Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Sponsored by.

Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Sponsored by.
Security Issues on Distributed Systems 7 August, 1999 S 1 Prepared by : Lorrien K. Y. Lau Student I.D. : 97077200 7 August 1999 The Chinese University.

Security Issues on Distributed Systems 7 August, 1999 S 1 Prepared by : Lorrien K. Y. Lau Student I.D. : August 1999 The Chinese University.
TCP/IP Basics A review for firewall configuration.

TCP/IP Basics A review for firewall configuration.
Information Networking Security and Assurance Lab National Chung Cheng University Anti-hacker Tool Kit: CH13 Port Redirection Jared 04/03/31.

Information Networking Security and Assurance Lab National Chung Cheng University Anti-hacker Tool Kit: CH13 Port Redirection Jared 04/03/31.
IST346:  Web Services. Today’s Agenda  Learn the basics of how the Web works  Understand various web service architectures  Address scaling, security,

IST346:  Web Services. Today’s Agenda  Learn the basics of how the Web works  Understand various web service architectures  Address scaling, security,
Introduction to InfoSec – Recitation 12 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 12 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Penetration Testing.

Penetration Testing.
Port Scanning.

Port Scanning.
Chapter 8 Hardening Your SQL Server Instance. Hardening  Hardening The process of making your SQL Server Instance more secure  New features Policy based.

Chapter 8 Hardening Your SQL Server Instance. Hardening  Hardening The process of making your SQL Server Instance more secure  New features Policy based.
1 Backdoors and Trojans. ECE 4112 - Internetwork Security 2 Agenda Overview Netcat Trojans/Backdoors.

1 Backdoors and Trojans. ECE Internetwork Security 2 Agenda Overview Netcat Trojans/Backdoors.
Web Security Demystified Justin C. Klein Keane Sr. InfoSec Specialist University of Pennsylvania School of Arts and Sciences Information Security and Unix.

Web Security Demystified Justin C. Klein Keane Sr. InfoSec Specialist University of Pennsylvania School of Arts and Sciences Information Security and Unix.
That’s Really not the Point… haroon meer | charl van der walt SensePost.

That’s Really not the Point… haroon meer | charl van der walt SensePost.

Similar presentations

Ads by Google