SlideShare une entreprise Scribd logo

The hangover: A "modern" (?) high performance approach to build an offensive computing tool!

Nelson Brito
Nelson Brito

T50 (an Experimental Mixed Packet Injector) very first public tak about the version 2.5 (The Murder Version). Check the original demonstration videos: - https://www.youtube.com/playlist?list=PLda9TmFadx_m2qdd-euUf4zhQ-5juTVEx For further source codes, please, refer to: - http://t50.sourceforge.net/

Technologie
1  sur  49
The Hangover A “modern” (?) high performance approach to build an offensive computing tool! Nelson Brito nbrito[at]sekure[dot]org
Agenda • 0000 – Introduction • 0101 – Results • 0001 – Motivation • 0110 – Demonstration • 0010 – “Hello World” Examples • 0111 – Conclusions • 0011 – Lessons Learned • 1000 – Questions and Answers • 0100 – Comparison
0000 – Introduction
Denial-of-Service
0001 – Motivation
Goals • Firstly, the primary goal of this research was to build a “PERFECT” tool to use in my daily tasks. • Secondly, provide me enough knowledge and perspective of how network devices and computer systems behave under this type of attack. • Thirdly, prove that DoS was and still is a BIG ISSUE to whole Internet infrastructure. • Lastly, but not least: – “The best is yet to come!” • http://fnstenv.blogspot.com/2010/08/best-is-yet-to-come.html – “A fake version of T50!!!” • http://fnstenv.blogspot.com/2010/10/fake-version-of-t50.html
Why Denial-of-Service? • Is there anything more offensive than a • But, what are the real damages? What DoS, anyways? are the real motivations? Image? – Bear in mind: DoS means “Stress Revenge? Financial? Political? Hactivism? Testing” for this presentation. • DoS attacks are significantly harmful, • DoS tools are necessary weapons in a because they violate one of the three key cyber warfare… concepts of security that are common to risk management… Which one? • Attacks against the infrastructure are – Confidentiality more common than many people might – Integrity think, and, when they happen, people – Availability will certainly be aware of. All the codes in this presentation were written in C language and tested on real machines, rather than virtual machines.
0010 – “Hello World” Examples
“Hello World” Example 01 main() loop() Signal() while() kill() malloc() memset() memcpy() Signal() alarm()
“Hello World” Example 02 main() loop() Signal() while() kill() memset() memcpy() Signal() alarm()
“Hello World” Example 03 main() loop() Signal() while() kill() memcpy() Signal() alarm()
“Hello World” Example 04 main() loop() while() malloc() loop() memset() memcpy()
“Hello World” Example 05 main() loop() while() memset() loop() memcpy()
“Hello World” Example 06 main() loop() while() memcpy() loop()
“Hello World” Examples Applied Dell Latitude E6400 Dell Inspiron 910
0011 – Lessons Learned Also known as “Tips and Tricks”
What is the “high-performance” definition? English Language Computer Science • Adj. • A code and/or program that solves any – 1. Modified to give superior problem faster and more efficiently than performance: ordinary codes / programs. • “a high-performance car” superior – of high or superior • A code and/or program which use all – quality or performance; or as much as possible – computer’s • “superior wisdom derived from resources available. experience”; • “superior math students”.
SOCKET(2) • T50 Sukhoi PAK FA is capable to: – Send protocol packets: ICMP, IGMP, TCP and UDP. • NO BIG DEAL, right? – Send ALL of them “ALMOST” on the same time – protocol “T50”! • BIG DEAL! 8) • How many sockets should the code use to send ALL of them “ALMOST” on the same time? – 1 socket file descriptor – 2 socket file descriptors – 4 socket file descriptors – 8 socket file descriptors – 16 socket file descriptors – 32 socket file descriptors – 64 socket file descriptors – NONE • “Just one socket file descriptor? Really?”
SOCKET(2) & SETSOCKOPT(2) socket_t fd; int flags, n = 1, len, * nptr = &n; fd_set wfds; [...] if((fd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1) exit(EXIT_FAILURE); if(setsockopt(fd, IPPROTO_IP, IP_HDRINCL, nptr, sizeof(n)) < 0) exit(EXIT_FAILURE); [...]
GETSOCKOPT(2) & SETSOCKOPT(2) socket_t fd; int flags, n = 1, len, * nptr = &n; fd_set wfds; [...] len = sizeof(n); if(getsockopt(fd, SOL_SOCKET, SO_SNDBUF, &n, &len) == -1) exit(EXIT_FAILURE); for(n += 128 ; n < 1048576 ; n += 128){ if(setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &n, len) == -1){ if(errno == ENOBUFS) break; exit(EXIT_FAILURE); } } [...]
FCNTL(2) socket_t fd; int flags, n = 1, len, * nptr = &n; fd_set wfds; [...] flags = fcntl(fd, F_GETFL, 0); if(fcntl(fd, F_SETFL, flags|O_NONBLOCK) == -1) exit(EXIT_FAILURE); [...]
IOCTL(2) socket_t fd; int flags, n = 1, len, * nptr = &n; fd_set wfds; [...] if(ioctl(fd, FIONBIO, &n) == -1) exit(EXIT_FAILURE); [...]
SIGNAL(2) & SENDTO(2) • “Signals are used to notify a process or thread of a particular event. Many computer science researchers compare signals with hardware interrupts, which occur when a hardware subsystem, such as a disk I/O (input/output) interface, generates an interrupt to a processor when the I/O completes.” – Linux Journal (Issue 73, May 2000) – By Moshe Bar • “Signals also have been used to communicate and synchronize processes and to simplify interprocess communications (IPCs). Although we now have advanced synchronization tools and many IPC mechanisms, signals play a vital role in Linux for handling exceptions and interrupts. Signals have been used for approximately 30 years without any major modifications.” – Linux Journal (Issue 107, March 2003) – By B. Thangaraju
SIGNAL(2) & SENDTO(2) [...] signal(SIGPIPE, SIG_IGN); [...] redo: if(sendto(fd, &p, p_sz, 0|MSG_NOSIGNAL, &sin, sizeof(sin)) == -1){ if(errno == EPERM) goto redo; else exit(EXIT_FAILURE); } [...]
SELECT(2) socket_t fd; int flags, n = 1, len, * nptr = &n; fd_set wfds; [...] while(flood || threshold--){ FD_ZERO(&wfds); FD_SET(fd, &wfds); if(select(fd + 1, NULL, &wfds, NULL, NULL) == -1) exit(EXIT_FAILURE); if(FD_ISSET(fd, &wfds)){ [...]
PSELECT(2) socket_t fd; int flags, n = 1, len, * nptr = &n; fd_set wfds; [...] while(flood || threshold--){ FD_ZERO(&wfds); FD_SET(fd, &wfds); if(pselect(fd + 1, NULL, &wfds, NULL, NULL, NULL) == -1) exit(EXIT_FAILURE); if(FD_ISSET(fd, &wfds)){ [...]
SLEEP(3) • Should the code “sleep()”? – Yes – No • Should the code “usleep()”? – Yes – No • Should the code “nanosleep()”? – Yes – No • The code must never SLEEP(3), USLEEP(3) or NANOSLEEP(3).
RAND(3) • “short” (16-bit) – Which one is faster creating random? • ((rand()&0xffff)<<8)+(rand()&0xffff) •1+(short)(65535.0*rand()/(RAND_MAX+1.0)) • “int” (32-bit) – Which one is faster creating random? • ((rand()&0xffffffff)<<16)+(rand()&0xffffffff) •1+(int)(4294967295.0*rand()/(RAND_MAX+1.0))
RAND(3) Dell Latitude E6400 Dell Inspiron 910
What else? • Choose using local variables rather than global variables. • Choose using “__inline__” in header file (*.h) and “inline” in source code (*.c), enabling GCC switch options: – “-finline-functions” (-O3) – “-fkeep-inline-functions” • Choose using “void” if you do not have to check the “return()” of some “function()”. • Should the code use “unsigned” or “signed”? • Should the code use “fork()” or “pthread_*()”? • Etc... And by “etc…” I mean… • Ohh… I almost forgot!!! Make the code RFC 1918 Compliance.
0100 – Comparison
com.par.i.son English Language C Language (Operators) • n. • To test for equality is “==”. 1. • To test for inequality is “!=”. a.The act of comparing or the • Other operators: process of being compared. – “<” (less than) b. A statement or estimate of – “>” (greater than) similarities and differences. – “<=” (less than or equals) 2. The quality of being similar or – “>=” (greater than or equals) equivalent; likeness: no comparison between the two books. 3. …
com.par.i.son TCP Flood UDP Flood • C4 by live • Geminid by live • Geminid by live • B52 by Nelson Brito • Mausezahn by Herbert Haas • Mausezahn by Herbert Haas • F22 by Nelson Brito • [L]OTUS by labsec team • HPING3 by Salvatore Sanfilippo* • HPING3 by Salvatore Sanfilippo* ICMP Flood IGMP • Geminid by live • STRESSER-0.7 by Shen139? • Mausezahn by Herbert Haas – Please, don’t be silly!!! • HPING3 by Salvatore Sanfilippo*
Methodology
Why do I keep saying “ALMOST”?
0101 – Results
Minimum Frame Size (MFS) • The maximum packet size is 1518 bytes, although to allow the Q-tag for Virtual LAN and priority data in 802.3ac it is extended to 1522 bytes. • If the upper layer protocol submits a protocol data unit (PDU) less than 64 bytes, 802.3 will pad the data field to achieve the minimum 64 bytes. • The Minimum Frame Size will then always be of 64 bytes, but… – The Minimum Frame Size is related to the distance which the network spans, the type of media being used and the number of repeaters which the signal may have to pass through to reach the furthest part of the LAN.
Maximum Packets per Second (PPS) – 64 bytes 100BASE-TX 1000BASE-T • 100 Mbps • 1 Gbps • 100,000,000 bits/sec • 1,000,000,000 bits/sec • 12,500,000 bytes/sec • 125,000,000 bytes/sec • 195,312.50 pps • 1,953,125.00 pps
Maximum Packets per Second (PPS) – 88 bytes 100BASE-TX 1000BASE-T • 100 Mbps • 1 Gbps • 100,000,000 bits/sec • 1,000,000,000 bits/sec • 12,500,000 bytes/sec • 125,000,000 bytes/sec • 142,045.50 pps • 1,420,455.00 pps
TCP Flood 100BASE-TX 1000BASE-T
UDP Flood 100BASE-TX 1000BASE-T
ICMP Flood 100BASE-TX 1000BASE-T
0110 – Demonstration
T50 Sukhoi PAK FA Mixed Packet Injector Tool Dell Latitude E6400 Dell Latitude D620 • Intel® Core™ 2 Duo P8400 (2.26 GHz) • Intel® Core™ Duo T5600 (1.83 GHz) • Memory 4GB RAM • Memory 2GB RAM • Ubuntu Desktop Linux 10.04 64-bit • Microsoft Windows 7 32-bit • Intel® 82567LM Gigabit Controller • Broadcom NetXtreme 57xx Gigabit • 1 Gbps Network Controller • Cross-over Cable (CAT-5e) • 1 Gbps Network • Cross-over Cable (CAT-5e) http://j.mp/T50-Demo Demonstration!
0111 – Conclusions
Conclusions • Can be applied to any DoS: • Can be considered a cyber warfare’s – Peer-to-Peer Attacks weapon? – Application Level Attacks – Yes, it can be considered like one. – Distributed Attacks – Reflected Attacks • It is just a matter of time to things get – Level-2 Attacks worse on the Internet. – Degradation-of-Service Attacks – DNS Amplifiers Attacks • A DoS can be perpetrated overnight! • Is DoS and DDoS so 1990’s? • What else? – Please, don’t be silly, again!!! An attacker does not even need multiples zombies.
1000 – Questions & Answers
Any questions?
The hangover: A "modern" (?) high performance approach to build an offensive computing tool!

Recommandé

Protocol T50: Five months later... So what?
Protocol T50: Five months later... So what?Protocol T50: Five months later... So what?
Protocol T50: Five months later... So what?Nelson Brito
 
[PH-Neutral 0x7db] Exploit Next Generation®
[PH-Neutral 0x7db] Exploit Next Generation®[PH-Neutral 0x7db] Exploit Next Generation®
[PH-Neutral 0x7db] Exploit Next Generation®Nelson Brito
 
Offensive cyber security: Smashing the stack with Python
Offensive cyber security: Smashing the stack with PythonOffensive cyber security: Smashing the stack with Python
Offensive cyber security: Smashing the stack with PythonMalachi Jones
 
A client-side vulnerability under the microscope!
A client-side vulnerability under the microscope!A client-side vulnerability under the microscope!
A client-side vulnerability under the microscope!Nelson Brito
 
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...Asuka Nakajima
 
HITBSecConf 2016-Create Your Own Bad Usb
HITBSecConf 2016-Create Your Own Bad UsbHITBSecConf 2016-Create Your Own Bad Usb
HITBSecConf 2016-Create Your Own Bad UsbSeunghun han
 
HITBSecConf 2017-Shadow-Box-the Practical and Omnipotent Sandbox
HITBSecConf 2017-Shadow-Box-the Practical and Omnipotent SandboxHITBSecConf 2017-Shadow-Box-the Practical and Omnipotent Sandbox
HITBSecConf 2017-Shadow-Box-the Practical and Omnipotent SandboxSeunghun han
 
BlackHat Asia 2017-Myth and Truth about Hypervisor-Based Kernel Protector
BlackHat Asia 2017-Myth and Truth about Hypervisor-Based Kernel ProtectorBlackHat Asia 2017-Myth and Truth about Hypervisor-Based Kernel Protector
BlackHat Asia 2017-Myth and Truth about Hypervisor-Based Kernel ProtectorSeunghun han
 

Recommandé

Protocol T50: Five months later... So what?
Protocol T50: Five months later... So what?Protocol T50: Five months later... So what?
Protocol T50: Five months later... So what?Nelson Brito
 
[PH-Neutral 0x7db] Exploit Next Generation®
[PH-Neutral 0x7db] Exploit Next Generation®[PH-Neutral 0x7db] Exploit Next Generation®
[PH-Neutral 0x7db] Exploit Next Generation®Nelson Brito
 
Offensive cyber security: Smashing the stack with Python
Offensive cyber security: Smashing the stack with PythonOffensive cyber security: Smashing the stack with Python
Offensive cyber security: Smashing the stack with PythonMalachi Jones
 
A client-side vulnerability under the microscope!
A client-side vulnerability under the microscope!A client-side vulnerability under the microscope!
A client-side vulnerability under the microscope!Nelson Brito
 
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...Asuka Nakajima
 
HITBSecConf 2016-Create Your Own Bad Usb
HITBSecConf 2016-Create Your Own Bad UsbHITBSecConf 2016-Create Your Own Bad Usb
HITBSecConf 2016-Create Your Own Bad UsbSeunghun han
 
HITBSecConf 2017-Shadow-Box-the Practical and Omnipotent Sandbox
HITBSecConf 2017-Shadow-Box-the Practical and Omnipotent SandboxHITBSecConf 2017-Shadow-Box-the Practical and Omnipotent Sandbox
HITBSecConf 2017-Shadow-Box-the Practical and Omnipotent SandboxSeunghun han
 
BlackHat Asia 2017-Myth and Truth about Hypervisor-Based Kernel Protector
BlackHat Asia 2017-Myth and Truth about Hypervisor-Based Kernel ProtectorBlackHat Asia 2017-Myth and Truth about Hypervisor-Based Kernel Protector
BlackHat Asia 2017-Myth and Truth about Hypervisor-Based Kernel ProtectorSeunghun han
 
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe ShockwaveHES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe ShockwaveHackito Ergo Sum
 
VMs, Interpreters, JIT
VMs, Interpreters, JITVMs, Interpreters, JIT
VMs, Interpreters, JITMarcus Denker
 
Kernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverKernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverAnne Nicolas
 
john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Later
john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Laterjohn-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Later
john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types LaterPositive Hack Days
 
A22 Introduction to DTrace by Kyle Hailey
A22 Introduction to DTrace by Kyle HaileyA22 Introduction to DTrace by Kyle Hailey
A22 Introduction to DTrace by Kyle HaileyInsight Technology, Inc.
 
David-FPGA
David-FPGADavid-FPGA
David-FPGAguest66dc5f
 
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CanSecWest
 
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...RootedCON
 
Defcon 22-colby-moore-patrick-wardle-synack-drop cam
Defcon 22-colby-moore-patrick-wardle-synack-drop camDefcon 22-colby-moore-patrick-wardle-synack-drop cam
Defcon 22-colby-moore-patrick-wardle-synack-drop camPriyanka Aash
 
Mind your language(s), A Discussion about Languages and Security
Mind your language(s), A Discussion about Languages and SecurityMind your language(s), A Discussion about Languages and Security
Mind your language(s), A Discussion about Languages and SecurityAdaCore
 
Where destructors meet threads
Where destructors meet threadsWhere destructors meet threads
Where destructors meet threadsShuo Chen
 
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]RootedCON
 
Slide cipher based encryption
Slide cipher based encryptionSlide cipher based encryption
Slide cipher based encryptionMizi Mohamad
 
Android Mind Reading: Android Live Memory Analysis with LiME and Volatility
Android Mind Reading: Android Live Memory Analysis with LiME and VolatilityAndroid Mind Reading: Android Live Memory Analysis with LiME and Volatility
Android Mind Reading: Android Live Memory Analysis with LiME and VolatilityJoe Sylve
 
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbelleurobsdcon
 
1300 david oswald id and ip theft with side-channel attacks
1300 david oswald id and ip theft with side-channel attacks1300 david oswald id and ip theft with side-channel attacks
1300 david oswald id and ip theft with side-channel attacksPositive Hack Days
 
Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?Aleksandr Yampolskiy
 
Practical Differential Fault Attack on AES
Practical Differential Fault Attack on AESPractical Differential Fault Attack on AES
Practical Differential Fault Attack on AESRiscure
 
Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...
Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...
Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...Igor Korkin
 
Binary instrumentation - dc9723
Binary instrumentation - dc9723Binary instrumentation - dc9723
Binary instrumentation - dc9723Iftach Ian Amit
 
Microsoft GDI+ JPEG Integer Underflow Vulnerability
Microsoft GDI+ JPEG Integer Underflow VulnerabilityMicrosoft GDI+ JPEG Integer Underflow Vulnerability
Microsoft GDI+ JPEG Integer Underflow VulnerabilityAshish Malik
 
Gestão de Patches e Vulnerabilidades
Gestão de Patches e VulnerabilidadesGestão de Patches e Vulnerabilidades
Gestão de Patches e VulnerabilidadesMarcelo Martins
 

Contenu connexe

Tendances

HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe ShockwaveHES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe ShockwaveHackito Ergo Sum
 
VMs, Interpreters, JIT
VMs, Interpreters, JITVMs, Interpreters, JIT
VMs, Interpreters, JITMarcus Denker
 
Kernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverKernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverAnne Nicolas
 
john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Later
john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Laterjohn-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Later
john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types LaterPositive Hack Days
 
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CanSecWest
 
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...RootedCON
 
Defcon 22-colby-moore-patrick-wardle-synack-drop cam
Defcon 22-colby-moore-patrick-wardle-synack-drop camDefcon 22-colby-moore-patrick-wardle-synack-drop cam
Defcon 22-colby-moore-patrick-wardle-synack-drop camPriyanka Aash
 
Mind your language(s), A Discussion about Languages and Security
Mind your language(s), A Discussion about Languages and SecurityMind your language(s), A Discussion about Languages and Security
Mind your language(s), A Discussion about Languages and SecurityAdaCore
 
Where destructors meet threads
Where destructors meet threadsWhere destructors meet threads
Where destructors meet threadsShuo Chen
 
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]RootedCON
 
Slide cipher based encryption
Slide cipher based encryptionSlide cipher based encryption
Slide cipher based encryptionMizi Mohamad
 
Android Mind Reading: Android Live Memory Analysis with LiME and Volatility
Android Mind Reading: Android Live Memory Analysis with LiME and VolatilityAndroid Mind Reading: Android Live Memory Analysis with LiME and Volatility
Android Mind Reading: Android Live Memory Analysis with LiME and VolatilityJoe Sylve
 
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbelleurobsdcon
 
1300 david oswald id and ip theft with side-channel attacks
1300 david oswald id and ip theft with side-channel attacks1300 david oswald id and ip theft with side-channel attacks
1300 david oswald id and ip theft with side-channel attacksPositive Hack Days
 
Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?Aleksandr Yampolskiy
 
Practical Differential Fault Attack on AES
Practical Differential Fault Attack on AESPractical Differential Fault Attack on AES
Practical Differential Fault Attack on AESRiscure
 
Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...
Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...
Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...Igor Korkin
 
Binary instrumentation - dc9723
Binary instrumentation - dc9723Binary instrumentation - dc9723
Binary instrumentation - dc9723Iftach Ian Amit
 

Tendances (20)

HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe ShockwaveHES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
 
VMs, Interpreters, JIT
VMs, Interpreters, JITVMs, Interpreters, JIT
VMs, Interpreters, JIT
 
Kernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverKernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driver
 
john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Later
john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Laterjohn-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Later
john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Later
 
A22 Introduction to DTrace by Kyle Hailey
A22 Introduction to DTrace by Kyle HaileyA22 Introduction to DTrace by Kyle Hailey
A22 Introduction to DTrace by Kyle Hailey
 
David-FPGA
David-FPGADavid-FPGA
David-FPGA
 
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
 
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...
 
Defcon 22-colby-moore-patrick-wardle-synack-drop cam
Defcon 22-colby-moore-patrick-wardle-synack-drop camDefcon 22-colby-moore-patrick-wardle-synack-drop cam
Defcon 22-colby-moore-patrick-wardle-synack-drop cam
 
Mind your language(s), A Discussion about Languages and Security
Mind your language(s), A Discussion about Languages and SecurityMind your language(s), A Discussion about Languages and Security
Mind your language(s), A Discussion about Languages and Security
 
Where destructors meet threads
Where destructors meet threadsWhere destructors meet threads
Where destructors meet threads
 
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
 
Slide cipher based encryption
Slide cipher based encryptionSlide cipher based encryption
Slide cipher based encryption
 
Android Mind Reading: Android Live Memory Analysis with LiME and Volatility
Android Mind Reading: Android Live Memory Analysis with LiME and VolatilityAndroid Mind Reading: Android Live Memory Analysis with LiME and Volatility
Android Mind Reading: Android Live Memory Analysis with LiME and Volatility
 
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell
 
1300 david oswald id and ip theft with side-channel attacks
1300 david oswald id and ip theft with side-channel attacks1300 david oswald id and ip theft with side-channel attacks
1300 david oswald id and ip theft with side-channel attacks
 
Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?
 
Practical Differential Fault Attack on AES
Practical Differential Fault Attack on AESPractical Differential Fault Attack on AES
Practical Differential Fault Attack on AES
 
Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...
Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...
Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...
 
Binary instrumentation - dc9723
Binary instrumentation - dc9723Binary instrumentation - dc9723
Binary instrumentation - dc9723
 

En vedette

Microsoft GDI+ JPEG Integer Underflow Vulnerability
Microsoft GDI+ JPEG Integer Underflow VulnerabilityMicrosoft GDI+ JPEG Integer Underflow Vulnerability
Microsoft GDI+ JPEG Integer Underflow VulnerabilityAshish Malik
 
Gestão de Patches e Vulnerabilidades
Gestão de Patches e VulnerabilidadesGestão de Patches e Vulnerabilidades
Gestão de Patches e VulnerabilidadesMarcelo Martins
 
Permutation Oriented Programming: (Re)searching for alternatives!
Permutation Oriented Programming: (Re)searching for alternatives!Permutation Oriented Programming: (Re)searching for alternatives!
Permutation Oriented Programming: (Re)searching for alternatives!Nelson Brito
 
Cloud: Should I Stay or Should I Go?
Cloud: Should I Stay or Should I Go?Cloud: Should I Stay or Should I Go?
Cloud: Should I Stay or Should I Go?Marcelo Martins
 
SyScan Singapore 2010 - Returning Into The PHP-Interpreter
SyScan Singapore 2010 - Returning Into The PHP-InterpreterSyScan Singapore 2010 - Returning Into The PHP-Interpreter
SyScan Singapore 2010 - Returning Into The PHP-InterpreterStefan Esser
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliveryBlack Duck by Synopsys
 
Exploit Next Generation®: Missão dada é missão cumprida!
Exploit Next Generation®: Missão dada é missão cumprida!Exploit Next Generation®: Missão dada é missão cumprida!
Exploit Next Generation®: Missão dada é missão cumprida!Nelson Brito
 
Hexadecimal (Calculations and Explanations)
Hexadecimal (Calculations and Explanations)Hexadecimal (Calculations and Explanations)
Hexadecimal (Calculations and Explanations)Project Student
 
Inception: Tips and tricks I’ve learned reversing vulnerabilities!
Inception: Tips and tricks I’ve learned reversing vulnerabilities!Inception: Tips and tricks I’ve learned reversing vulnerabilities!
Inception: Tips and tricks I’ve learned reversing vulnerabilities!Nelson Brito
 
"Touching the UNTOUCHABLE" (YSTS Seventh Edition)
"Touching the UNTOUCHABLE" (YSTS Seventh Edition)"Touching the UNTOUCHABLE" (YSTS Seventh Edition)
"Touching the UNTOUCHABLE" (YSTS Seventh Edition)Nelson Brito
 
The Departed: Exploit Next Generation® – The Philosophy
The Departed: Exploit Next Generation® – The PhilosophyThe Departed: Exploit Next Generation® – The Philosophy
The Departed: Exploit Next Generation® – The PhilosophyNelson Brito
 
Permutation Oriented Programming
Permutation Oriented ProgrammingPermutation Oriented Programming
Permutation Oriented ProgrammingNelson Brito
 
Workforce Planning (Process, Labour Shortage, Excess Labour)
Workforce Planning (Process, Labour Shortage, Excess Labour)Workforce Planning (Process, Labour Shortage, Excess Labour)
Workforce Planning (Process, Labour Shortage, Excess Labour)Project Student
 
Changes in working practices
Changes in working practicesChanges in working practices
Changes in working practicesProject Student
 
Programming Languages / Translators
Programming Languages / TranslatorsProgramming Languages / Translators
Programming Languages / TranslatorsProject Student
 
Patch and Vulnerability Management
Patch and Vulnerability ManagementPatch and Vulnerability Management
Patch and Vulnerability ManagementMarcelo Martins
 
Product (Product Portfolio, Branding, USP, Product Depth and Breadth, Product...
Product (Product Portfolio, Branding, USP, Product Depth and Breadth, Product...Product (Product Portfolio, Branding, USP, Product Depth and Breadth, Product...
Product (Product Portfolio, Branding, USP, Product Depth and Breadth, Product...Project Student
 

En vedette (20)

Microsoft GDI+ JPEG Integer Underflow Vulnerability
Microsoft GDI+ JPEG Integer Underflow VulnerabilityMicrosoft GDI+ JPEG Integer Underflow Vulnerability
Microsoft GDI+ JPEG Integer Underflow Vulnerability
 
Gestão de Patches e Vulnerabilidades
Gestão de Patches e VulnerabilidadesGestão de Patches e Vulnerabilidades
Gestão de Patches e Vulnerabilidades
 
Permutation Oriented Programming: (Re)searching for alternatives!
Permutation Oriented Programming: (Re)searching for alternatives!Permutation Oriented Programming: (Re)searching for alternatives!
Permutation Oriented Programming: (Re)searching for alternatives!
 
Cloud: Should I Stay or Should I Go?
Cloud: Should I Stay or Should I Go?Cloud: Should I Stay or Should I Go?
Cloud: Should I Stay or Should I Go?
 
SyScan Singapore 2010 - Returning Into The PHP-Interpreter
SyScan Singapore 2010 - Returning Into The PHP-InterpreterSyScan Singapore 2010 - Returning Into The PHP-Interpreter
SyScan Singapore 2010 - Returning Into The PHP-Interpreter
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous Delivery
 
Exploit Next Generation®: Missão dada é missão cumprida!
Exploit Next Generation®: Missão dada é missão cumprida!Exploit Next Generation®: Missão dada é missão cumprida!
Exploit Next Generation®: Missão dada é missão cumprida!
 
Hexadecimal (Calculations and Explanations)
Hexadecimal (Calculations and Explanations)Hexadecimal (Calculations and Explanations)
Hexadecimal (Calculations and Explanations)
 
Inception: Tips and tricks I’ve learned reversing vulnerabilities!
Inception: Tips and tricks I’ve learned reversing vulnerabilities!Inception: Tips and tricks I’ve learned reversing vulnerabilities!
Inception: Tips and tricks I’ve learned reversing vulnerabilities!
 
"Touching the UNTOUCHABLE" (YSTS Seventh Edition)
"Touching the UNTOUCHABLE" (YSTS Seventh Edition)"Touching the UNTOUCHABLE" (YSTS Seventh Edition)
"Touching the UNTOUCHABLE" (YSTS Seventh Edition)
 
The Departed: Exploit Next Generation® – The Philosophy
The Departed: Exploit Next Generation® – The PhilosophyThe Departed: Exploit Next Generation® – The Philosophy
The Departed: Exploit Next Generation® – The Philosophy
 
Permutation Oriented Programming
Permutation Oriented ProgrammingPermutation Oriented Programming
Permutation Oriented Programming
 
Workforce Planning (Process, Labour Shortage, Excess Labour)
Workforce Planning (Process, Labour Shortage, Excess Labour)Workforce Planning (Process, Labour Shortage, Excess Labour)
Workforce Planning (Process, Labour Shortage, Excess Labour)
 
Changes in working practices
Changes in working practicesChanges in working practices
Changes in working practices
 
Programming Languages / Translators
Programming Languages / TranslatorsProgramming Languages / Translators
Programming Languages / Translators
 
The Caesar Cipher
The Caesar Cipher The Caesar Cipher
The Caesar Cipher
 
Patch and Vulnerability Management
Patch and Vulnerability ManagementPatch and Vulnerability Management
Patch and Vulnerability Management
 
FormacaoCrypto
FormacaoCryptoFormacaoCrypto
FormacaoCrypto
 
Product (Product Portfolio, Branding, USP, Product Depth and Breadth, Product...
Product (Product Portfolio, Branding, USP, Product Depth and Breadth, Product...Product (Product Portfolio, Branding, USP, Product Depth and Breadth, Product...
Product (Product Portfolio, Branding, USP, Product Depth and Breadth, Product...
 
Cryptography - 101
Cryptography - 101Cryptography - 101
Cryptography - 101
 

Similaire à The hangover: A "modern" (?) high performance approach to build an offensive computing tool!

6. processes and threads
6. processes and threads6. processes and threads
6. processes and threadsMarian Marinov
 
Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Luis Grangeia
 
04_ForkPipe.pptx
04_ForkPipe.pptx04_ForkPipe.pptx
04_ForkPipe.pptxvnwzympx
 
[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory AnalysisMoabi.com
 
Bit_Bucket_x31_Final
Bit_Bucket_x31_FinalBit_Bucket_x31_Final
Bit_Bucket_x31_FinalSam Knutson
 
How shit works: the CPU
How shit works: the CPUHow shit works: the CPU
How shit works: the CPUTomer Gabel
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class Chris Gates
 
Golang Performance : microbenchmarks, profilers, and a war story
Golang Performance : microbenchmarks, profilers, and a war storyGolang Performance : microbenchmarks, profilers, and a war story
Golang Performance : microbenchmarks, profilers, and a war storyAerospike
 
BSides MCR 2016: From CSV to CMD to qwerty
BSides MCR 2016: From CSV to CMD to qwertyBSides MCR 2016: From CSV to CMD to qwerty
BSides MCR 2016: From CSV to CMD to qwertyJerome Smith
 
Exploring the Internet of Things Using Ruby
Exploring the Internet of Things Using RubyExploring the Internet of Things Using Ruby
Exploring the Internet of Things Using RubyMike Hagedorn
 
IOT Firmware: Best Pratices
IOT Firmware: Best PraticesIOT Firmware: Best Pratices
IOT Firmware: Best Praticesfarmckon
 
11_UNIX_Processes_Including_Select.ppt
11_UNIX_Processes_Including_Select.ppt11_UNIX_Processes_Including_Select.ppt
11_UNIX_Processes_Including_Select.pptSIDDHARTHANANDCSE202
 
[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory Analysis[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory AnalysisMoabi.com
 
TestowanieIoT2016
TestowanieIoT2016TestowanieIoT2016
TestowanieIoT2016kraqa
 
Track c-High speed transaction-based hw-sw coverification -eve
Track c-High speed transaction-based hw-sw coverification -eveTrack c-High speed transaction-based hw-sw coverification -eve
Track c-High speed transaction-based hw-sw coverification -evechiportal
 
An intro to programming
An intro to programmingAn intro to programming
An intro to programmingWolfFlight
 
[HITB Malaysia 2011] Exploit Automation
[HITB Malaysia 2011] Exploit Automation[HITB Malaysia 2011] Exploit Automation
[HITB Malaysia 2011] Exploit AutomationMoabi.com
 
[Kiwicon 2011] Post Memory Corruption Memory Analysis
[Kiwicon 2011] Post Memory Corruption Memory Analysis[Kiwicon 2011] Post Memory Corruption Memory Analysis
[Kiwicon 2011] Post Memory Corruption Memory AnalysisMoabi.com
 

Similaire à The hangover: A "modern" (?) high performance approach to build an offensive computing tool! (20)

6. processes and threads
6. processes and threads6. processes and threads
6. processes and threads
 
Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1
 
04_ForkPipe.pptx
04_ForkPipe.pptx04_ForkPipe.pptx
04_ForkPipe.pptx
 
[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis
 
Bit_Bucket_x31_Final
Bit_Bucket_x31_FinalBit_Bucket_x31_Final
Bit_Bucket_x31_Final
 
How shit works: the CPU
How shit works: the CPUHow shit works: the CPU
How shit works: the CPU
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
 
Golang Performance : microbenchmarks, profilers, and a war story
Golang Performance : microbenchmarks, profilers, and a war storyGolang Performance : microbenchmarks, profilers, and a war story
Golang Performance : microbenchmarks, profilers, and a war story
 
BSides MCR 2016: From CSV to CMD to qwerty
BSides MCR 2016: From CSV to CMD to qwertyBSides MCR 2016: From CSV to CMD to qwerty
BSides MCR 2016: From CSV to CMD to qwerty
 
Exploring the Internet of Things Using Ruby
Exploring the Internet of Things Using RubyExploring the Internet of Things Using Ruby
Exploring the Internet of Things Using Ruby
 
IOT Firmware: Best Pratices
IOT Firmware: Best PraticesIOT Firmware: Best Pratices
IOT Firmware: Best Pratices
 
11_UNIX_Processes_Including_Select.ppt
11_UNIX_Processes_Including_Select.ppt11_UNIX_Processes_Including_Select.ppt
11_UNIX_Processes_Including_Select.ppt
 
[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory Analysis[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory Analysis
 
TestowanieIoT2016
TestowanieIoT2016TestowanieIoT2016
TestowanieIoT2016
 
Track c-High speed transaction-based hw-sw coverification -eve
Track c-High speed transaction-based hw-sw coverification -eveTrack c-High speed transaction-based hw-sw coverification -eve
Track c-High speed transaction-based hw-sw coverification -eve
 
Process management
Process managementProcess management
Process management
 
An intro to programming
An intro to programmingAn intro to programming
An intro to programming
 
[HITB Malaysia 2011] Exploit Automation
[HITB Malaysia 2011] Exploit Automation[HITB Malaysia 2011] Exploit Automation
[HITB Malaysia 2011] Exploit Automation
 
[Kiwicon 2011] Post Memory Corruption Memory Analysis
[Kiwicon 2011] Post Memory Corruption Memory Analysis[Kiwicon 2011] Post Memory Corruption Memory Analysis
[Kiwicon 2011] Post Memory Corruption Memory Analysis
 
Audible Objects
Audible ObjectsAudible Objects
Audible Objects
 

Plus de Nelson Brito

Próximo passo evolutivo de um DB Scanner
Próximo passo evolutivo de um DB ScannerPróximo passo evolutivo de um DB Scanner
Próximo passo evolutivo de um DB ScannerNelson Brito
 
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT eraReversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT eraNelson Brito
 
Inception: Support Slides
Inception: Support SlidesInception: Support Slides
Inception: Support SlidesNelson Brito
 
DoS: From "Galactic Network" to "Service Unavailable" (Support Slides)
DoS: From "Galactic Network" to "Service Unavailable" (Support Slides)DoS: From "Galactic Network" to "Service Unavailable" (Support Slides)
DoS: From "Galactic Network" to "Service Unavailable" (Support Slides)Nelson Brito
 
Keynote: Where is my identity?
Keynote: Where is my identity?Keynote: Where is my identity?
Keynote: Where is my identity?Nelson Brito
 
Worms 2.0: Evolution — From SyFy to "You Die"
Worms 2.0: Evolution — From SyFy to "You Die"Worms 2.0: Evolution — From SyFy to "You Die"
Worms 2.0: Evolution — From SyFy to "You Die"Nelson Brito
 
Inception: A reverse-engineer horror History
Inception: A reverse-engineer horror HistoryInception: A reverse-engineer horror History
Inception: A reverse-engineer horror HistoryNelson Brito
 
Worms: Conheça o inimigo e defenda-se
Worms: Conheça o inimigo e defenda-seWorms: Conheça o inimigo e defenda-se
Worms: Conheça o inimigo e defenda-seNelson Brito
 

Plus de Nelson Brito (8)

Próximo passo evolutivo de um DB Scanner
Próximo passo evolutivo de um DB ScannerPróximo passo evolutivo de um DB Scanner
Próximo passo evolutivo de um DB Scanner
 
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT eraReversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
 
Inception: Support Slides
Inception: Support SlidesInception: Support Slides
Inception: Support Slides
 
DoS: From "Galactic Network" to "Service Unavailable" (Support Slides)
DoS: From "Galactic Network" to "Service Unavailable" (Support Slides)DoS: From "Galactic Network" to "Service Unavailable" (Support Slides)
DoS: From "Galactic Network" to "Service Unavailable" (Support Slides)
 
Keynote: Where is my identity?
Keynote: Where is my identity?Keynote: Where is my identity?
Keynote: Where is my identity?
 
Worms 2.0: Evolution — From SyFy to "You Die"
Worms 2.0: Evolution — From SyFy to "You Die"Worms 2.0: Evolution — From SyFy to "You Die"
Worms 2.0: Evolution — From SyFy to "You Die"
 
Inception: A reverse-engineer horror History
Inception: A reverse-engineer horror HistoryInception: A reverse-engineer horror History
Inception: A reverse-engineer horror History
 
Worms: Conheça o inimigo e defenda-se
Worms: Conheça o inimigo e defenda-seWorms: Conheça o inimigo e defenda-se
Worms: Conheça o inimigo e defenda-se
 

Dernier

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 

Dernier (20)

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 

The hangover: A "modern" (?) high performance approach to build an offensive computing tool!

  • 1. The Hangover A “modern” (?) high performance approach to build an offensive computing tool! Nelson Brito nbrito[at]sekure[dot]org
  • 2. Agenda • 0000 – Introduction • 0101 – Results • 0001 – Motivation • 0110 – Demonstration • 0010 – “Hello World” Examples • 0111 – Conclusions • 0011 – Lessons Learned • 1000 – Questions and Answers • 0100 – Comparison
  • 6. Goals • Firstly, the primary goal of this research was to build a “PERFECT” tool to use in my daily tasks. • Secondly, provide me enough knowledge and perspective of how network devices and computer systems behave under this type of attack. • Thirdly, prove that DoS was and still is a BIG ISSUE to whole Internet infrastructure. • Lastly, but not least: – “The best is yet to come!” • http://fnstenv.blogspot.com/2010/08/best-is-yet-to-come.html – “A fake version of T50!!!” • http://fnstenv.blogspot.com/2010/10/fake-version-of-t50.html
  • 7. Why Denial-of-Service? • Is there anything more offensive than a • But, what are the real damages? What DoS, anyways? are the real motivations? Image? – Bear in mind: DoS means “Stress Revenge? Financial? Political? Hactivism? Testing” for this presentation. • DoS attacks are significantly harmful, • DoS tools are necessary weapons in a because they violate one of the three key cyber warfare… concepts of security that are common to risk management… Which one? • Attacks against the infrastructure are – Confidentiality more common than many people might – Integrity think, and, when they happen, people – Availability will certainly be aware of. All the codes in this presentation were written in C language and tested on real machines, rather than virtual machines.
  • 8. 0010 – “Hello World” Examples
  • 9. “Hello World” Example 01 main() loop() Signal() while() kill() malloc() memset() memcpy() Signal() alarm()
  • 10. “Hello World” Example 02 main() loop() Signal() while() kill() memset() memcpy() Signal() alarm()
  • 11. “Hello World” Example 03 main() loop() Signal() while() kill() memcpy() Signal() alarm()
  • 12. “Hello World” Example 04 main() loop() while() malloc() loop() memset() memcpy()
  • 13. “Hello World” Example 05 main() loop() while() memset() loop() memcpy()
  • 14. “Hello World” Example 06 main() loop() while() memcpy() loop()
  • 15. “Hello World” Examples Applied Dell Latitude E6400 Dell Inspiron 910
  • 16. 0011 – Lessons Learned Also known as “Tips and Tricks”
  • 17. What is the “high-performance” definition? English Language Computer Science • Adj. • A code and/or program that solves any – 1. Modified to give superior problem faster and more efficiently than performance: ordinary codes / programs. • “a high-performance car” superior – of high or superior • A code and/or program which use all – quality or performance; or as much as possible – computer’s • “superior wisdom derived from resources available. experience”; • “superior math students”.
  • 18. SOCKET(2) • T50 Sukhoi PAK FA is capable to: – Send protocol packets: ICMP, IGMP, TCP and UDP. • NO BIG DEAL, right? – Send ALL of them “ALMOST” on the same time – protocol “T50”! • BIG DEAL! 8) • How many sockets should the code use to send ALL of them “ALMOST” on the same time? – 1 socket file descriptor – 2 socket file descriptors – 4 socket file descriptors – 8 socket file descriptors – 16 socket file descriptors – 32 socket file descriptors – 64 socket file descriptors – NONE • “Just one socket file descriptor? Really?”
  • 19. SOCKET(2) & SETSOCKOPT(2) socket_t fd; int flags, n = 1, len, * nptr = &n; fd_set wfds; [...] if((fd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1) exit(EXIT_FAILURE); if(setsockopt(fd, IPPROTO_IP, IP_HDRINCL, nptr, sizeof(n)) < 0) exit(EXIT_FAILURE); [...]
  • 20. GETSOCKOPT(2) & SETSOCKOPT(2) socket_t fd; int flags, n = 1, len, * nptr = &n; fd_set wfds; [...] len = sizeof(n); if(getsockopt(fd, SOL_SOCKET, SO_SNDBUF, &n, &len) == -1) exit(EXIT_FAILURE); for(n += 128 ; n < 1048576 ; n += 128){ if(setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &n, len) == -1){ if(errno == ENOBUFS) break; exit(EXIT_FAILURE); } } [...]
  • 21. FCNTL(2) socket_t fd; int flags, n = 1, len, * nptr = &n; fd_set wfds; [...] flags = fcntl(fd, F_GETFL, 0); if(fcntl(fd, F_SETFL, flags|O_NONBLOCK) == -1) exit(EXIT_FAILURE); [...]
  • 22. IOCTL(2) socket_t fd; int flags, n = 1, len, * nptr = &n; fd_set wfds; [...] if(ioctl(fd, FIONBIO, &n) == -1) exit(EXIT_FAILURE); [...]
  • 23. SIGNAL(2) & SENDTO(2) • “Signals are used to notify a process or thread of a particular event. Many computer science researchers compare signals with hardware interrupts, which occur when a hardware subsystem, such as a disk I/O (input/output) interface, generates an interrupt to a processor when the I/O completes.” – Linux Journal (Issue 73, May 2000) – By Moshe Bar • “Signals also have been used to communicate and synchronize processes and to simplify interprocess communications (IPCs). Although we now have advanced synchronization tools and many IPC mechanisms, signals play a vital role in Linux for handling exceptions and interrupts. Signals have been used for approximately 30 years without any major modifications.” – Linux Journal (Issue 107, March 2003) – By B. Thangaraju
  • 24. SIGNAL(2) & SENDTO(2) [...] signal(SIGPIPE, SIG_IGN); [...] redo: if(sendto(fd, &p, p_sz, 0|MSG_NOSIGNAL, &sin, sizeof(sin)) == -1){ if(errno == EPERM) goto redo; else exit(EXIT_FAILURE); } [...]
  • 25. SELECT(2) socket_t fd; int flags, n = 1, len, * nptr = &n; fd_set wfds; [...] while(flood || threshold--){ FD_ZERO(&wfds); FD_SET(fd, &wfds); if(select(fd + 1, NULL, &wfds, NULL, NULL) == -1) exit(EXIT_FAILURE); if(FD_ISSET(fd, &wfds)){ [...]
  • 26. PSELECT(2) socket_t fd; int flags, n = 1, len, * nptr = &n; fd_set wfds; [...] while(flood || threshold--){ FD_ZERO(&wfds); FD_SET(fd, &wfds); if(pselect(fd + 1, NULL, &wfds, NULL, NULL, NULL) == -1) exit(EXIT_FAILURE); if(FD_ISSET(fd, &wfds)){ [...]
  • 27. SLEEP(3) • Should the code “sleep()”? – Yes – No • Should the code “usleep()”? – Yes – No • Should the code “nanosleep()”? – Yes – No • The code must never SLEEP(3), USLEEP(3) or NANOSLEEP(3).
  • 28. RAND(3) • “short” (16-bit) – Which one is faster creating random? • ((rand()&0xffff)<<8)+(rand()&0xffff) •1+(short)(65535.0*rand()/(RAND_MAX+1.0)) • “int” (32-bit) – Which one is faster creating random? • ((rand()&0xffffffff)<<16)+(rand()&0xffffffff) •1+(int)(4294967295.0*rand()/(RAND_MAX+1.0))
  • 29. RAND(3) Dell Latitude E6400 Dell Inspiron 910
  • 30. What else? • Choose using local variables rather than global variables. • Choose using “__inline__” in header file (*.h) and “inline” in source code (*.c), enabling GCC switch options: – “-finline-functions” (-O3) – “-fkeep-inline-functions” • Choose using “void” if you do not have to check the “return()” of some “function()”. • Should the code use “unsigned” or “signed”? • Should the code use “fork()” or “pthread_*()”? • Etc... And by “etc…” I mean… • Ohh… I almost forgot!!! Make the code RFC 1918 Compliance.
  • 32. com.par.i.son English Language C Language (Operators) • n. • To test for equality is “==”. 1. • To test for inequality is “!=”. a.The act of comparing or the • Other operators: process of being compared. – “<” (less than) b. A statement or estimate of – “>” (greater than) similarities and differences. – “<=” (less than or equals) 2. The quality of being similar or – “>=” (greater than or equals) equivalent; likeness: no comparison between the two books. 3. …
  • 33. com.par.i.son TCP Flood UDP Flood • C4 by live • Geminid by live • Geminid by live • B52 by Nelson Brito • Mausezahn by Herbert Haas • Mausezahn by Herbert Haas • F22 by Nelson Brito • [L]OTUS by labsec team • HPING3 by Salvatore Sanfilippo* • HPING3 by Salvatore Sanfilippo* ICMP Flood IGMP • Geminid by live • STRESSER-0.7 by Shen139? • Mausezahn by Herbert Haas – Please, don’t be silly!!! • HPING3 by Salvatore Sanfilippo*
  • 35. Why do I keep saying “ALMOST”?
  • 37. Minimum Frame Size (MFS) • The maximum packet size is 1518 bytes, although to allow the Q-tag for Virtual LAN and priority data in 802.3ac it is extended to 1522 bytes. • If the upper layer protocol submits a protocol data unit (PDU) less than 64 bytes, 802.3 will pad the data field to achieve the minimum 64 bytes. • The Minimum Frame Size will then always be of 64 bytes, but… – The Minimum Frame Size is related to the distance which the network spans, the type of media being used and the number of repeaters which the signal may have to pass through to reach the furthest part of the LAN.
  • 38. Maximum Packets per Second (PPS) – 64 bytes 100BASE-TX 1000BASE-T • 100 Mbps • 1 Gbps • 100,000,000 bits/sec • 1,000,000,000 bits/sec • 12,500,000 bytes/sec • 125,000,000 bytes/sec • 195,312.50 pps • 1,953,125.00 pps
  • 39. Maximum Packets per Second (PPS) – 88 bytes 100BASE-TX 1000BASE-T • 100 Mbps • 1 Gbps • 100,000,000 bits/sec • 1,000,000,000 bits/sec • 12,500,000 bytes/sec • 125,000,000 bytes/sec • 142,045.50 pps • 1,420,455.00 pps
  • 40. TCP Flood 100BASE-TX 1000BASE-T
  • 41. UDP Flood 100BASE-TX 1000BASE-T
  • 42. ICMP Flood 100BASE-TX 1000BASE-T
  • 44. T50 Sukhoi PAK FA Mixed Packet Injector Tool Dell Latitude E6400 Dell Latitude D620 • Intel® Core™ 2 Duo P8400 (2.26 GHz) • Intel® Core™ Duo T5600 (1.83 GHz) • Memory 4GB RAM • Memory 2GB RAM • Ubuntu Desktop Linux 10.04 64-bit • Microsoft Windows 7 32-bit • Intel® 82567LM Gigabit Controller • Broadcom NetXtreme 57xx Gigabit • 1 Gbps Network Controller • Cross-over Cable (CAT-5e) • 1 Gbps Network • Cross-over Cable (CAT-5e) http://j.mp/T50-Demo Demonstration!
  • 46. Conclusions • Can be applied to any DoS: • Can be considered a cyber warfare’s – Peer-to-Peer Attacks weapon? – Application Level Attacks – Yes, it can be considered like one. – Distributed Attacks – Reflected Attacks • It is just a matter of time to things get – Level-2 Attacks worse on the Internet. – Degradation-of-Service Attacks – DNS Amplifiers Attacks • A DoS can be perpetrated overnight! • Is DoS and DDoS so 1990’s? • What else? – Please, don’t be silly, again!!! An attacker does not even need multiples zombies.
  • 47. 1000 – Questions & Answers