SlideShare une entreprise Scribd logo

Exploiting appliances presentation v1.1-vids-removed

Télécharger en tant que PPTX, PDF
NCC Group
NCC Group

Presentation deliuvered at Black Hat Europe 2013 looking at the vulnerabilities in appliances

Technologie
1  sur  63
Hacking Appliances: Ironic exploits in security products Ben Williams 9:10 AM
Proposition • There is a temptation to think of Security Appliances as impregnable fortresses, this is definitely a mistake. • Security Appliance (noun) - Poorly configured and maintained Linux system with insecure web-app (and other applications) 9:10 AM 9:10 AM
Which kind of appliances exactly? • Email filtering • Proofpoint (F-secure among others), Baracuda, Symantec, Trend Micro, Sophos, McAfee • Firewall, Gateway, Remote Access • McAfee, Pfsense, Untangle, ClearOS, Citrix, Barracuda • Others • Single sign-on, communications, file-storage etc 9:10 AM 9:10 AM
Are these product well-used and trusted? 2013 SC Magazine US Awards Finalists - Reader Trust Awards - “Best Email Security Solution” • Barracuda Email Security • McAfee Email Protection • Proofpoint Enterprise Protection • Symantec Messaging Gateway • Websense Email Security Gateway Anywhere 9:10 AM 9:10 AM
How are they deployed? 9:10 AM 9:10 AM Firewall or Gateway or UTM Email Filter Web Filter Remote Access Security Management Other Appliances
Sophos Email Appliance (v3.7.4.0) • Easy password attacks • Command-injection • Privilege escalation • Post exploitation http://designermandan.com/project/crisis-charity/ 9:10 AM 9:10 AM
Interesting system in a Pentest PORT STATE SERVICE VERSION 24/tcp open ssh OpenSSH 5.1p1 (FreeBSD 20080901; protocol 2.0) |_ssh-hostkey: 1024 23:f4:c6:cf:0d:fe:3f:0b:22:ab:9f:7d:97:19:03:e2 (RSA) 25/tcp open smtp Postfix smtpd |_smtp-commands: sophos.insidetrust.com, PIPELINING, SIZE 10485760, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 80/tcp open http nginx | http-title: 302 Found |_Did not follow redirect to https://sophos.insidetrust.com:443/ |_http-methods: No Allow or Public header in OPTIONS response (status code 302) 443/tcp open ssl/http nginx | ssl-cert: Subject: commonName=sophos.insidetrust.com/organizationName=Sophos PLC/stateOrProvinceName=British Columbia/countryName=CA | Not valid before: 2012-09-20 20:06:32 |_Not valid after: 2022-09-18 20:06:32 |_http-title: Sophos Email Appliance |_http-methods: No Allow or Public header in OPTIONS response (status code 200) 5432/tcp open postgresql PostgreSQL DB 8.0.15 - 8.0.21 18080/tcp open http nginx |_http-methods: No Allow or Public header in OPTIONS response (status code 302) | http-title: 302 Found |_Did not follow redirect to https://sophos.insidetrust.com:18080:18080/ 9:10 AM 9:10 AM
Easy targeted password-attacks… because • Known username (default, often fixed) • Linux platform with a scalable and responsive webserver • No account lockout, or brute-force protection • Minimal password complexity • Administrators choose passwords • Few had logging/alerting • Over an extended period, an attacker stands a very good chance of gaining administrative access 9:10 AM 9:10 AM
Really obvious vulnerabilities • Loads of issues • XSS with session hijacking, CSRF, poor cookie and password security, OS command injection… • So… I got an evaluation… 9:10 AM 9:10 AM
Command-injection (and root shell) • Why do we want a root shell? • Reflective attacks (with reverse shells) • Admins can’t view all email, but an attacker can • Foothold on internal network 9:10 AM 9:10 AM
Direct attack 9:10 AM 9:10 AM
Reflective attack 9:10 AM 9:10 AM Attacker
What do you get on the OS? • Old kernel • Old packages • Unnecessary packages • Poor configurations • Insecure proprietary apps 9:10 AM 9:10 AM
Appliances are not “Hardened Linux” • It’s common for useful tools to be already installed • Compilier/debugger (gcc,gdb), Scripting languages (Perl, Python, Ruby), Application managers (yum, apt-get), Network sniffers (tcpdump), Other tools (Nmap, Netcat) • File-system frequently not “hardened” either • No SELinux. AppArmour or integrity checking • Rare to see no-write/no-exec file systems 9:10 AM 9:10 AM
Meanwhile… Post exploitation That looks like a cosy shell… I think I’ll move in! 9:10 AM 9:10 AM
Stealing passwords • Plain-text passwords on box • Steal credentials from end-users • Just decrypt HTTPS traffic with Wireshark • Using the SSL private key for self-signed cert 9:10 AM 9:10 AM
Sophos fix info: Leave auto-update enabled • Reported Oct 2012 • Vendor responsive and helpful (though limited info released) • Fix scheduled for Jan 14th 2013 9:10 AM 9:10 AM
The ironic thing about Security Appliances • Most Security Appliances suffer from similar security vulnerabilities • Some significantly worse 9:10 AM 9:10 AM
Common exploit categories • Almost all Security Appliance products had • Easy password attacks • XSS with session-hijacking, or password theft • Non-hardened Linux OS – (though vendors claim otherwise) • Unauthenticated information disclosure (exact version) • The majority had • CSRF of admin functions • OS Command-injection • Privilege escalation (either UI and OS) 9:10 AM 9:10 AM
Common exploit categories • Several had • Stored out-of-band XSS and OSRF (for example in email) • Direct authentication-bypass • A few had • Denial-of-Service • SSH misconfiguration • There were a wide variety of more obscure issues 9:10 AM 9:10 AM
Citrix Access Gateway (5.0.4) • Multiple issues • Potential unrestricted access to the internal network 9:10 AM 9:10 AM
Erm… That’s a bit odd… ssh admin@192.168.233.55 9:10 AM 9:10 AM
Where’s my hashes to crack? 9:10 AM 9:10 AM
Port-forwarding (no password) When SSH is enabled on the CAG - port-forwarding is allowed ssh admin@192.168.1.55 ssh admin@192.168.1.55 -L xxxx:127.0.0.1:xxxx 9:10 AM 9:10 AM
Potential access to internal systems! Attacker 9:10 AM 9:10 AM
Rather ironic: Remote Access Gateway • Unauthenticated access to the internal network? • Auth-bypass and root-shell 9:10 AM 9:10 AM
Citrix fix info: Affects CAG 5.0.x • Reported Oct 2012 • Fixed released last week (6th March 2013) • CVE-2013-2263 Unauthorized Access to Network Resources • http://support.citrix.com/article/ctx136623 9:10 AM 9:10 AM
Combination attacks • Combining multiple common issues 9:10 AM 9:10 AM
Proofpoint: ownage by Email (last year) 9:10 AM 9:10 AM
Out-of-band XSS and OSRF • I found 4 products with this issue • Three of which were Anti-spam products where you could attack users/administrators via a specially-crafted spam email • Out-of-Band XSS and OSRF has a massive advantage over CSRF attacks • Easy to distribute attack payloads • XSS cannot be detected and blocked by the admins browser • Minimal social-engineering or reconnaissance 9:10 AM 9:10 AM
Backup-restore flaws - revisited via CSRF • Vendors deciding not to fix the backup/restore tar.gz issue • But… common feature, and high-privilege • Use CSRF to restore the attacker’s backup! • Spoof a file-upload and “apply policy” • Which results in a reverse-shell as root 9:10 AM 9:10 AM
CSRF backup/restore attack 9:10 AM 9:10 AM
Symantec Email Appliance (9.5.x) • Multiple issuesDescription NCC Rating Out-of-band stored-XSS - delivered by email Critical XSS (both reflective and stored) with session-hijacking High Easy CSRF to add a backdoor-administrator (for example) High SSH with backdoor user account + privilege escalation to root High Ability for an authenticated attacker to modify the Web-application High Arbitrary file download was possible with a crafted URL Medium Unauthenticated detailed version disclosure Low 9:10 AM 9:10 AM
Out-of-band XSS and OSRF • Chain together issues in various ways • XSS in spam Email subject line, to attack the administrator • Use faulty “backup/restore” feature (with OSRF) to add arbitrary JSP to the admin UI, and a SUID binary • XSS - Executes new function to send a reverse-shell back to the attacker 9:10 AM 9:10 AM
XSS Email to reverse-shell as root 9:10 AM 9:10 AM
Rather ironic • Root-shell via malicious email message • In an email filtering appliance? 9:10 AM 9:10 AM
Symantec fix info: Upgrade to 10.x • Reported April 2012 – Fixed Aug 2012 • CVE-2012-0307 XSS issues • CVE-2012-0308 Cross-site Request Forgery CSRF • CVE-2012-3579 SSH account with fixed password • CVE-2012-3580 Web App modification as root • CVE-2012-4347 Directory traversal (file download) • CVE-2012-3581 Information disclosure http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se curity_advisory&pvid=security_advisory&year=2012&suid=20120827_00 9:10 AM 9:10 AM
TrendMicro Email Appliance 9:10 AM 9:10 AM
Trend Email Appliance (8.2.0.x) • Multiple issues Description NCC Rating Out-of-band stored-XSS in user-portal - delivered via email Critical XSS (both reflective and stored) with session-hijacking High Easy CSRF to add a backdoor-administrator (for example) High Root shell via patch-upload feature (authenticated) High Blind LDAP-injection in user-portal login-screen High Directory traversal (authenticated) Medium Unauthenticated access to AdminUI logs Low Unauthenticated version disclosure Low 9:10 AM 9:10 AM
9:10 AM
End-user Email XSS ownage 9:10 AM 9:10 AM
Admin Email XSS ownage 9:10 AM 9:10 AM
Trend Fix info: Use workarounds • Reported April 2012 • No fixes released or scheduled AFAIK 9:10 AM 9:10 AM
Other Research • Poking about with binaries • Investigation of memory corruption issues • Processing of messages etc 9:10 AM 9:10 AM
Kernel protections 9:10 AM 9:10 AM
Compiled Binaries 9:10 AM 9:10 AM
“Banned” (insecure) functions in use 9:10 AM 9:10 AM
Conclusions • The majority of Security Appliances tested were insecure • Interesting state of play in 2012 - 2013 • Variable responses from vendors • Some fixed within 3 months, some not • Evolution • Software > Appliances > Virtual Appliances > Cloud Services • Huawei 9:10 AM 9:10 AM
Solutions • Regular software maintenance • Secure Development Lifecycle (SDL) • Product security testing • Penetration testing 9:10 AM 9:10 AM
UK Offices Manchester - Head Office Cheltenham Edinburgh Leatherhead London Thame North American Offices San Francisco Atlanta New York Seattle Australian Offices Sydney European Offices Amsterdam - Netherlands Munich – Germany Zurich - Switzerland Questions? 9:10 AM
Exploiting appliances presentation v1.1-vids-removed

Recommandé

How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)NCC Group
 
07182013 Hacking Appliances: Ironic exploits in security products
07182013 Hacking Appliances: Ironic exploits in security products07182013 Hacking Appliances: Ironic exploits in security products
07182013 Hacking Appliances: Ironic exploits in security productsNCC Group
 
Ch 9: Embedded Operating Systems: The Hidden Threat
Ch 9: Embedded Operating Systems: The Hidden ThreatCh 9: Embedded Operating Systems: The Hidden Threat
Ch 9: Embedded Operating Systems: The Hidden ThreatSam Bowne
 
Attack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration TestingAttack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration TestingNetSPI
 
All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015NetSPI
 
WTF is Penetration Testing
WTF is Penetration TestingWTF is Penetration Testing
WTF is Penetration TestingNetSPI
 
Extracting Credentials From Windows
Extracting Credentials From WindowsExtracting Credentials From Windows
Extracting Credentials From WindowsNetSPI
 
Docking stations andy_davis_ncc_group_slides
Docking stations andy_davis_ncc_group_slidesDocking stations andy_davis_ncc_group_slides
Docking stations andy_davis_ncc_group_slidesNCC Group
 

Recommandé

How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)NCC Group
 
07182013 Hacking Appliances: Ironic exploits in security products
07182013 Hacking Appliances: Ironic exploits in security products07182013 Hacking Appliances: Ironic exploits in security products
07182013 Hacking Appliances: Ironic exploits in security productsNCC Group
 
Ch 9: Embedded Operating Systems: The Hidden Threat
Ch 9: Embedded Operating Systems: The Hidden ThreatCh 9: Embedded Operating Systems: The Hidden Threat
Ch 9: Embedded Operating Systems: The Hidden ThreatSam Bowne
 
Attack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration TestingAttack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration TestingNetSPI
 
All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015NetSPI
 
WTF is Penetration Testing
WTF is Penetration TestingWTF is Penetration Testing
WTF is Penetration TestingNetSPI
 
Extracting Credentials From Windows
Extracting Credentials From WindowsExtracting Credentials From Windows
Extracting Credentials From WindowsNetSPI
 
Docking stations andy_davis_ncc_group_slides
Docking stations andy_davis_ncc_group_slidesDocking stations andy_davis_ncc_group_slides
Docking stations andy_davis_ncc_group_slidesNCC Group
 
CNIT 123 Ch 8: OS Vulnerabilities
CNIT 123 Ch 8: OS VulnerabilitiesCNIT 123 Ch 8: OS Vulnerabilities
CNIT 123 Ch 8: OS VulnerabilitiesSam Bowne
 
CNIT 123: Ch 3: Network and Computer Attacks
CNIT 123: Ch 3: Network and Computer AttacksCNIT 123: Ch 3: Network and Computer Attacks
CNIT 123: Ch 3: Network and Computer AttacksSam Bowne
 
Internet Accessible ICS in Japan (English)
Internet Accessible ICS in Japan (English)Internet Accessible ICS in Japan (English)
Internet Accessible ICS in Japan (English)Digital Bond
 
Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseNetSPI
 
Reverse_Engineering_Thick-clients
Reverse_Engineering_Thick-clientsReverse_Engineering_Thick-clients
Reverse_Engineering_Thick-clientsSteve Markey
 
CNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data Collection
CNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data CollectionCNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data Collection
CNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data CollectionSam Bowne
 
Ch 6: Attacking Authentication
Ch 6: Attacking AuthenticationCh 6: Attacking Authentication
Ch 6: Attacking AuthenticationSam Bowne
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingCNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingSam Bowne
 
CISSP Prep: Ch 8. Security Operations
CISSP Prep: Ch 8. Security OperationsCISSP Prep: Ch 8. Security Operations
CISSP Prep: Ch 8. Security OperationsSam Bowne
 
Securing the cloud and your assets
Securing the cloud and your assetsSecuring the cloud and your assets
Securing the cloud and your assetsMarcus Dempsey
 
CNIT 50: 9. NSM Operations
CNIT 50: 9. NSM OperationsCNIT 50: 9. NSM Operations
CNIT 50: 9. NSM OperationsSam Bowne
 
CNIT 152: 1 Real-World Incidents
CNIT 152: 1 Real-World IncidentsCNIT 152: 1 Real-World Incidents
CNIT 152: 1 Real-World IncidentsSam Bowne
 
CNIT 123: Ch 7: Programming for Security Professionals
CNIT 123: Ch 7: Programming for Security ProfessionalsCNIT 123: Ch 7: Programming for Security Professionals
CNIT 123: Ch 7: Programming for Security ProfessionalsSam Bowne
 
CNIT 126: Ch 2 & 3
CNIT 126: Ch 2 & 3CNIT 126: Ch 2 & 3
CNIT 126: Ch 2 & 3Sam Bowne
 
Dns firewalls null-may2020
Dns firewalls null-may2020Dns firewalls null-may2020
Dns firewalls null-may2020n|u - The Open Security Community
 
Is Your Mobile App Secure?
Is Your Mobile App Secure?Is Your Mobile App Secure?
Is Your Mobile App Secure?Sam Bowne
 
3. Security Engineering
3. Security Engineering3. Security Engineering
3. Security EngineeringSam Bowne
 
3. Security Engineering
3. Security Engineering3. Security Engineering
3. Security EngineeringSam Bowne
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseScott Sutherland
 
CNIT 152: 1 Real-World Incidents
CNIT 152: 1 Real-World IncidentsCNIT 152: 1 Real-World Incidents
CNIT 152: 1 Real-World IncidentsSam Bowne
 
NCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios appsNCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios appsNCC Group
 
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprints
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprintsAndy Davis' Black Hat USA Presentation Revealing embedded fingerprints
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprintsNCC Group
 

Contenu connexe

Tendances

CNIT 123 Ch 8: OS Vulnerabilities
CNIT 123 Ch 8: OS VulnerabilitiesCNIT 123 Ch 8: OS Vulnerabilities
CNIT 123 Ch 8: OS VulnerabilitiesSam Bowne
 
CNIT 123: Ch 3: Network and Computer Attacks
CNIT 123: Ch 3: Network and Computer AttacksCNIT 123: Ch 3: Network and Computer Attacks
CNIT 123: Ch 3: Network and Computer AttacksSam Bowne
 
Internet Accessible ICS in Japan (English)
Internet Accessible ICS in Japan (English)Internet Accessible ICS in Japan (English)
Internet Accessible ICS in Japan (English)Digital Bond
 
Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseNetSPI
 
Reverse_Engineering_Thick-clients
Reverse_Engineering_Thick-clientsReverse_Engineering_Thick-clients
Reverse_Engineering_Thick-clientsSteve Markey
 
CNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data Collection
CNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data CollectionCNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data Collection
CNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data CollectionSam Bowne
 
Ch 6: Attacking Authentication
Ch 6: Attacking AuthenticationCh 6: Attacking Authentication
Ch 6: Attacking AuthenticationSam Bowne
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingCNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingSam Bowne
 
CISSP Prep: Ch 8. Security Operations
CISSP Prep: Ch 8. Security OperationsCISSP Prep: Ch 8. Security Operations
CISSP Prep: Ch 8. Security OperationsSam Bowne
 
Securing the cloud and your assets
Securing the cloud and your assetsSecuring the cloud and your assets
Securing the cloud and your assetsMarcus Dempsey
 
CNIT 50: 9. NSM Operations
CNIT 50: 9. NSM OperationsCNIT 50: 9. NSM Operations
CNIT 50: 9. NSM OperationsSam Bowne
 
CNIT 152: 1 Real-World Incidents
CNIT 152: 1 Real-World IncidentsCNIT 152: 1 Real-World Incidents
CNIT 152: 1 Real-World IncidentsSam Bowne
 
CNIT 123: Ch 7: Programming for Security Professionals
CNIT 123: Ch 7: Programming for Security ProfessionalsCNIT 123: Ch 7: Programming for Security Professionals
CNIT 123: Ch 7: Programming for Security ProfessionalsSam Bowne
 
CNIT 126: Ch 2 & 3
CNIT 126: Ch 2 & 3CNIT 126: Ch 2 & 3
CNIT 126: Ch 2 & 3Sam Bowne
 
Is Your Mobile App Secure?
Is Your Mobile App Secure?Is Your Mobile App Secure?
Is Your Mobile App Secure?Sam Bowne
 
3. Security Engineering
3. Security Engineering3. Security Engineering
3. Security EngineeringSam Bowne
 
3. Security Engineering
3. Security Engineering3. Security Engineering
3. Security EngineeringSam Bowne
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseScott Sutherland
 
CNIT 152: 1 Real-World Incidents
CNIT 152: 1 Real-World IncidentsCNIT 152: 1 Real-World Incidents
CNIT 152: 1 Real-World IncidentsSam Bowne
 

Tendances (20)

CNIT 123 Ch 8: OS Vulnerabilities
CNIT 123 Ch 8: OS VulnerabilitiesCNIT 123 Ch 8: OS Vulnerabilities
CNIT 123 Ch 8: OS Vulnerabilities
 
CNIT 123: Ch 3: Network and Computer Attacks
CNIT 123: Ch 3: Network and Computer AttacksCNIT 123: Ch 3: Network and Computer Attacks
CNIT 123: Ch 3: Network and Computer Attacks
 
Internet Accessible ICS in Japan (English)
Internet Accessible ICS in Japan (English)Internet Accessible ICS in Japan (English)
Internet Accessible ICS in Japan (English)
 
Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash Course
 
Reverse_Engineering_Thick-clients
Reverse_Engineering_Thick-clientsReverse_Engineering_Thick-clients
Reverse_Engineering_Thick-clients
 
CNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data Collection
CNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data CollectionCNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data Collection
CNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data Collection
 
Ch 6: Attacking Authentication
Ch 6: Attacking AuthenticationCh 6: Attacking Authentication
Ch 6: Attacking Authentication
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingCNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
 
CISSP Prep: Ch 8. Security Operations
CISSP Prep: Ch 8. Security OperationsCISSP Prep: Ch 8. Security Operations
CISSP Prep: Ch 8. Security Operations
 
Securing the cloud and your assets
Securing the cloud and your assetsSecuring the cloud and your assets
Securing the cloud and your assets
 
CNIT 50: 9. NSM Operations
CNIT 50: 9. NSM OperationsCNIT 50: 9. NSM Operations
CNIT 50: 9. NSM Operations
 
CNIT 152: 1 Real-World Incidents
CNIT 152: 1 Real-World IncidentsCNIT 152: 1 Real-World Incidents
CNIT 152: 1 Real-World Incidents
 
CNIT 123: Ch 7: Programming for Security Professionals
CNIT 123: Ch 7: Programming for Security ProfessionalsCNIT 123: Ch 7: Programming for Security Professionals
CNIT 123: Ch 7: Programming for Security Professionals
 
CNIT 126: Ch 2 & 3
CNIT 126: Ch 2 & 3CNIT 126: Ch 2 & 3
CNIT 126: Ch 2 & 3
 
Dns firewalls null-may2020
Dns firewalls null-may2020Dns firewalls null-may2020
Dns firewalls null-may2020
 
Is Your Mobile App Secure?
Is Your Mobile App Secure?Is Your Mobile App Secure?
Is Your Mobile App Secure?
 
3. Security Engineering
3. Security Engineering3. Security Engineering
3. Security Engineering
 
3. Security Engineering
3. Security Engineering3. Security Engineering
3. Security Engineering
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash Course
 
CNIT 152: 1 Real-World Incidents
CNIT 152: 1 Real-World IncidentsCNIT 152: 1 Real-World Incidents
CNIT 152: 1 Real-World Incidents
 

En vedette

NCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios appsNCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios appsNCC Group
 
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprints
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprintsAndy Davis' Black Hat USA Presentation Revealing embedded fingerprints
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprintsNCC Group
 
The Mobile Internet of Things and Cyber Security
The Mobile Internet of Things and Cyber Security The Mobile Internet of Things and Cyber Security
The Mobile Internet of Things and Cyber Security NCC Group
 
Dlaczego przejmować się bezpieczeństwem aplikacji (pol)
Dlaczego przejmować się bezpieczeństwem aplikacji (pol)Dlaczego przejmować się bezpieczeństwem aplikacji (pol)
Dlaczego przejmować się bezpieczeństwem aplikacji (pol)Pawel Krawczyk
 
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_designNCC Group
 
2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0
2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 02013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0
2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0NCC Group
 
Practical SME Security on a Shoestring
Practical SME Security on a ShoestringPractical SME Security on a Shoestring
Practical SME Security on a ShoestringNCC Group
 
Pki 202 Architechture Models and CRLs
Pki 202 Architechture Models and CRLsPki 202 Architechture Models and CRLs
Pki 202 Architechture Models and CRLsNCC Group
 
Ncc group overview presentation august 2012 final
Ncc group overview presentation august 2012 finalNcc group overview presentation august 2012 final
Ncc group overview presentation august 2012 finalTony_Clarke
 
Mobile App Security: Enterprise Checklist
Mobile App Security: Enterprise ChecklistMobile App Security: Enterprise Checklist
Mobile App Security: Enterprise ChecklistJignesh Solanki
 
NCC Group Presentation
NCC Group PresentationNCC Group Presentation
NCC Group PresentationNCC AB
 
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC Group
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC GroupA (not-so-quick) Primer on iOS Encryption David Schuetz - NCC Group
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC GroupEC-Council
 
Cryptography101
Cryptography101Cryptography101
Cryptography101NCC Group
 
Pragmatic Real-World Scala (short version)
Pragmatic Real-World Scala (short version)Pragmatic Real-World Scala (short version)
Pragmatic Real-World Scala (short version)Jonas Bonér
 
Ncc Group Escrow Overview 2010
Ncc Group Escrow Overview 2010Ncc Group Escrow Overview 2010
Ncc Group Escrow Overview 2010Jonnyhyde
 
How Spotify Helps Their Engineers Grow - Chris Angove
How Spotify Helps Their Engineers Grow - Chris AngoveHow Spotify Helps Their Engineers Grow - Chris Angove
How Spotify Helps Their Engineers Grow - Chris AngoveHakka Labs
 
Current & Emerging Cyber Security Threats
Current & Emerging Cyber Security ThreatsCurrent & Emerging Cyber Security Threats
Current & Emerging Cyber Security ThreatsNCC Group
 
USB: Undermining Security Barriers
USB: Undermining Security BarriersUSB: Undermining Security Barriers
USB: Undermining Security BarriersNCC Group
 
2012 12-04 --ncc_group_-_mobile_threat_war_room
2012 12-04 --ncc_group_-_mobile_threat_war_room2012 12-04 --ncc_group_-_mobile_threat_war_room
2012 12-04 --ncc_group_-_mobile_threat_war_roomNCC Group
 

En vedette (20)

NCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios appsNCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios apps
 
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprints
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprintsAndy Davis' Black Hat USA Presentation Revealing embedded fingerprints
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprints
 
The Mobile Internet of Things and Cyber Security
The Mobile Internet of Things and Cyber Security The Mobile Internet of Things and Cyber Security
The Mobile Internet of Things and Cyber Security
 
Dlaczego przejmować się bezpieczeństwem aplikacji (pol)
Dlaczego przejmować się bezpieczeństwem aplikacji (pol)Dlaczego przejmować się bezpieczeństwem aplikacji (pol)
Dlaczego przejmować się bezpieczeństwem aplikacji (pol)
 
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design
 
2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0
2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 02013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0
2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0
 
Practical SME Security on a Shoestring
Practical SME Security on a ShoestringPractical SME Security on a Shoestring
Practical SME Security on a Shoestring
 
Pki 202 Architechture Models and CRLs
Pki 202 Architechture Models and CRLsPki 202 Architechture Models and CRLs
Pki 202 Architechture Models and CRLs
 
Ncc group overview presentation august 2012 final
Ncc group overview presentation august 2012 finalNcc group overview presentation august 2012 final
Ncc group overview presentation august 2012 final
 
Mobile App Security: Enterprise Checklist
Mobile App Security: Enterprise ChecklistMobile App Security: Enterprise Checklist
Mobile App Security: Enterprise Checklist
 
NCC Group Presentation
NCC Group PresentationNCC Group Presentation
NCC Group Presentation
 
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC Group
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC GroupA (not-so-quick) Primer on iOS Encryption David Schuetz - NCC Group
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC Group
 
Cryptography101
Cryptography101Cryptography101
Cryptography101
 
Pragmatic Real-World Scala (short version)
Pragmatic Real-World Scala (short version)Pragmatic Real-World Scala (short version)
Pragmatic Real-World Scala (short version)
 
Cryptography - 101
Cryptography - 101Cryptography - 101
Cryptography - 101
 
Ncc Group Escrow Overview 2010
Ncc Group Escrow Overview 2010Ncc Group Escrow Overview 2010
Ncc Group Escrow Overview 2010
 
How Spotify Helps Their Engineers Grow - Chris Angove
How Spotify Helps Their Engineers Grow - Chris AngoveHow Spotify Helps Their Engineers Grow - Chris Angove
How Spotify Helps Their Engineers Grow - Chris Angove
 
Current & Emerging Cyber Security Threats
Current & Emerging Cyber Security ThreatsCurrent & Emerging Cyber Security Threats
Current & Emerging Cyber Security Threats
 
USB: Undermining Security Barriers
USB: Undermining Security BarriersUSB: Undermining Security Barriers
USB: Undermining Security Barriers
 
2012 12-04 --ncc_group_-_mobile_threat_war_room
2012 12-04 --ncc_group_-_mobile_threat_war_room2012 12-04 --ncc_group_-_mobile_threat_war_room
2012 12-04 --ncc_group_-_mobile_threat_war_room
 

Similaire à Exploiting appliances presentation v1.1-vids-removed

Attack All The Layers - What's Working in Penetration Testing
Attack All The Layers - What's Working in Penetration TestingAttack All The Layers - What's Working in Penetration Testing
Attack All The Layers - What's Working in Penetration TestingNetSPI
 
Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Scott Sutherland
 
Power Grid Communications & Control Systems
Power Grid Communications & Control SystemsPower Grid Communications & Control Systems
Power Grid Communications & Control Systemsfajjarrehman
 
Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Scott Sutherland
 
SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)Jerome Smith
 
Managed Threat Detection and Response
Managed Threat Detection and ResponseManaged Threat Detection and Response
Managed Threat Detection and ResponseAlert Logic
 
CNIT 123: 8: Desktop and Server OS Vulnerabilites
CNIT 123: 8: Desktop and Server OS VulnerabilitesCNIT 123: 8: Desktop and Server OS Vulnerabilites
CNIT 123: 8: Desktop and Server OS VulnerabilitesSam Bowne
 
Top 15 Exchange Questions that Senior Admin ask - Jaap Wesselius
Top 15 Exchange Questions that Senior Admin ask - Jaap WesseliusTop 15 Exchange Questions that Senior Admin ask - Jaap Wesselius
Top 15 Exchange Questions that Senior Admin ask - Jaap WesseliusKemp
 
CNIT 123 8: Desktop and Server OS Vulnerabilities
CNIT 123 8: Desktop and Server OS VulnerabilitiesCNIT 123 8: Desktop and Server OS Vulnerabilities
CNIT 123 8: Desktop and Server OS VulnerabilitiesSam Bowne
 
Ch 8: Desktop and Server OS Vulnerabilites
Ch 8: Desktop and Server OS VulnerabilitesCh 8: Desktop and Server OS Vulnerabilites
Ch 8: Desktop and Server OS VulnerabilitesSam Bowne
 
IBM Sametime 9 Installation Woes and Proactive Repairs by Keith Brooks
IBM Sametime 9 Installation Woes and Proactive Repairs by Keith BrooksIBM Sametime 9 Installation Woes and Proactive Repairs by Keith Brooks
IBM Sametime 9 Installation Woes and Proactive Repairs by Keith BrooksKeith Brooks
 
Slide Deck Class Session 10 – FRSecure CISSP Mentor Program
Slide Deck Class Session 10 – FRSecure CISSP Mentor ProgramSlide Deck Class Session 10 – FRSecure CISSP Mentor Program
Slide Deck Class Session 10 – FRSecure CISSP Mentor ProgramFRSecure
 
Protecting Against Web App Attacks
Protecting Against Web App AttacksProtecting Against Web App Attacks
Protecting Against Web App AttacksAlert Logic
 
Ch08 Microsoft Operating System Vulnerabilities
Ch08 Microsoft Operating System VulnerabilitiesCh08 Microsoft Operating System Vulnerabilities
Ch08 Microsoft Operating System Vulnerabilitiesphanleson
 
Microsoft Operating System Vulnerabilities
Microsoft Operating System VulnerabilitiesMicrosoft Operating System Vulnerabilities
Microsoft Operating System VulnerabilitiesInformation Technology
 
Microsoft OS Vulnerabilities
Microsoft OS VulnerabilitiesMicrosoft OS Vulnerabilities
Microsoft OS VulnerabilitiesSecurityTube.Net
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelinesZakaria SMAHI
 
TTL Alfresco Product Security and Best Practices 2017
TTL Alfresco Product Security and Best Practices 2017TTL Alfresco Product Security and Best Practices 2017
TTL Alfresco Product Security and Best Practices 2017Toni de la Fuente
 

Similaire à Exploiting appliances presentation v1.1-vids-removed (20)

Attack All The Layers - What's Working in Penetration Testing
Attack All The Layers - What's Working in Penetration TestingAttack All The Layers - What's Working in Penetration Testing
Attack All The Layers - What's Working in Penetration Testing
 
Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)
 
Power Grid Communications & Control Systems
Power Grid Communications & Control SystemsPower Grid Communications & Control Systems
Power Grid Communications & Control Systems
 
Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!
 
SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)
 
Managed Threat Detection and Response
Managed Threat Detection and ResponseManaged Threat Detection and Response
Managed Threat Detection and Response
 
ruxc0n 2012
ruxc0n 2012ruxc0n 2012
ruxc0n 2012
 
Intorduction to Datapower
Intorduction to DatapowerIntorduction to Datapower
Intorduction to Datapower
 
CNIT 123: 8: Desktop and Server OS Vulnerabilites
CNIT 123: 8: Desktop and Server OS VulnerabilitesCNIT 123: 8: Desktop and Server OS Vulnerabilites
CNIT 123: 8: Desktop and Server OS Vulnerabilites
 
Top 15 Exchange Questions that Senior Admin ask - Jaap Wesselius
Top 15 Exchange Questions that Senior Admin ask - Jaap WesseliusTop 15 Exchange Questions that Senior Admin ask - Jaap Wesselius
Top 15 Exchange Questions that Senior Admin ask - Jaap Wesselius
 
CNIT 123 8: Desktop and Server OS Vulnerabilities
CNIT 123 8: Desktop and Server OS VulnerabilitiesCNIT 123 8: Desktop and Server OS Vulnerabilities
CNIT 123 8: Desktop and Server OS Vulnerabilities
 
Ch 8: Desktop and Server OS Vulnerabilites
Ch 8: Desktop and Server OS VulnerabilitesCh 8: Desktop and Server OS Vulnerabilites
Ch 8: Desktop and Server OS Vulnerabilites
 
IBM Sametime 9 Installation Woes and Proactive Repairs by Keith Brooks
IBM Sametime 9 Installation Woes and Proactive Repairs by Keith BrooksIBM Sametime 9 Installation Woes and Proactive Repairs by Keith Brooks
IBM Sametime 9 Installation Woes and Proactive Repairs by Keith Brooks
 
Slide Deck Class Session 10 – FRSecure CISSP Mentor Program
Slide Deck Class Session 10 – FRSecure CISSP Mentor ProgramSlide Deck Class Session 10 – FRSecure CISSP Mentor Program
Slide Deck Class Session 10 – FRSecure CISSP Mentor Program
 
Protecting Against Web App Attacks
Protecting Against Web App AttacksProtecting Against Web App Attacks
Protecting Against Web App Attacks
 
Ch08 Microsoft Operating System Vulnerabilities
Ch08 Microsoft Operating System VulnerabilitiesCh08 Microsoft Operating System Vulnerabilities
Ch08 Microsoft Operating System Vulnerabilities
 
Microsoft Operating System Vulnerabilities
Microsoft Operating System VulnerabilitiesMicrosoft Operating System Vulnerabilities
Microsoft Operating System Vulnerabilities
 
Microsoft OS Vulnerabilities
Microsoft OS VulnerabilitiesMicrosoft OS Vulnerabilities
Microsoft OS Vulnerabilities
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
TTL Alfresco Product Security and Best Practices 2017
TTL Alfresco Product Security and Best Practices 2017TTL Alfresco Product Security and Best Practices 2017
TTL Alfresco Product Security and Best Practices 2017
 

Dernier

Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024SynarionITSolutions
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 

Dernier (20)

Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 

Exploiting appliances presentation v1.1-vids-removed

  • 1. Hacking Appliances: Ironic exploits in security products Ben Williams 9:10 AM
  • 2. Proposition • There is a temptation to think of Security Appliances as impregnable fortresses, this is definitely a mistake. • Security Appliance (noun) - Poorly configured and maintained Linux system with insecure web-app (and other applications) 9:10 AM 9:10 AM
  • 3. Which kind of appliances exactly? • Email filtering • Proofpoint (F-secure among others), Baracuda, Symantec, Trend Micro, Sophos, McAfee • Firewall, Gateway, Remote Access • McAfee, Pfsense, Untangle, ClearOS, Citrix, Barracuda • Others • Single sign-on, communications, file-storage etc 9:10 AM 9:10 AM
  • 4. Are these product well-used and trusted? 2013 SC Magazine US Awards Finalists - Reader Trust Awards - “Best Email Security Solution” • Barracuda Email Security • McAfee Email Protection • Proofpoint Enterprise Protection • Symantec Messaging Gateway • Websense Email Security Gateway Anywhere 9:10 AM 9:10 AM
  • 5. How are they deployed? 9:10 AM 9:10 AM Firewall or Gateway or UTM Email Filter Web Filter Remote Access Security Management Other Appliances
  • 6. Sophos Email Appliance (v3.7.4.0) • Easy password attacks • Command-injection • Privilege escalation • Post exploitation http://designermandan.com/project/crisis-charity/ 9:10 AM 9:10 AM
  • 7. Interesting system in a Pentest PORT STATE SERVICE VERSION 24/tcp open ssh OpenSSH 5.1p1 (FreeBSD 20080901; protocol 2.0) |_ssh-hostkey: 1024 23:f4:c6:cf:0d:fe:3f:0b:22:ab:9f:7d:97:19:03:e2 (RSA) 25/tcp open smtp Postfix smtpd |_smtp-commands: sophos.insidetrust.com, PIPELINING, SIZE 10485760, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 80/tcp open http nginx | http-title: 302 Found |_Did not follow redirect to https://sophos.insidetrust.com:443/ |_http-methods: No Allow or Public header in OPTIONS response (status code 302) 443/tcp open ssl/http nginx | ssl-cert: Subject: commonName=sophos.insidetrust.com/organizationName=Sophos PLC/stateOrProvinceName=British Columbia/countryName=CA | Not valid before: 2012-09-20 20:06:32 |_Not valid after: 2022-09-18 20:06:32 |_http-title: Sophos Email Appliance |_http-methods: No Allow or Public header in OPTIONS response (status code 200) 5432/tcp open postgresql PostgreSQL DB 8.0.15 - 8.0.21 18080/tcp open http nginx |_http-methods: No Allow or Public header in OPTIONS response (status code 302) | http-title: 302 Found |_Did not follow redirect to https://sophos.insidetrust.com:18080:18080/ 9:10 AM 9:10 AM
  • 8.
  • 9. Easy targeted password-attacks… because • Known username (default, often fixed) • Linux platform with a scalable and responsive webserver • No account lockout, or brute-force protection • Minimal password complexity • Administrators choose passwords • Few had logging/alerting • Over an extended period, an attacker stands a very good chance of gaining administrative access 9:10 AM 9:10 AM
  • 10. Really obvious vulnerabilities • Loads of issues • XSS with session hijacking, CSRF, poor cookie and password security, OS command injection… • So… I got an evaluation… 9:10 AM 9:10 AM
  • 11.
  • 12. Command-injection (and root shell) • Why do we want a root shell? • Reflective attacks (with reverse shells) • Admins can’t view all email, but an attacker can • Foothold on internal network 9:10 AM 9:10 AM
  • 14.
  • 16.
  • 17. What do you get on the OS? • Old kernel • Old packages • Unnecessary packages • Poor configurations • Insecure proprietary apps 9:10 AM 9:10 AM
  • 18. Appliances are not “Hardened Linux” • It’s common for useful tools to be already installed • Compilier/debugger (gcc,gdb), Scripting languages (Perl, Python, Ruby), Application managers (yum, apt-get), Network sniffers (tcpdump), Other tools (Nmap, Netcat) • File-system frequently not “hardened” either • No SELinux. AppArmour or integrity checking • Rare to see no-write/no-exec file systems 9:10 AM 9:10 AM
  • 19. Meanwhile… Post exploitation That looks like a cosy shell… I think I’ll move in! 9:10 AM 9:10 AM
  • 20.
  • 21. Stealing passwords • Plain-text passwords on box • Steal credentials from end-users • Just decrypt HTTPS traffic with Wireshark • Using the SSL private key for self-signed cert 9:10 AM 9:10 AM
  • 22.
  • 23. Sophos fix info: Leave auto-update enabled • Reported Oct 2012 • Vendor responsive and helpful (though limited info released) • Fix scheduled for Jan 14th 2013 9:10 AM 9:10 AM
  • 24. The ironic thing about Security Appliances • Most Security Appliances suffer from similar security vulnerabilities • Some significantly worse 9:10 AM 9:10 AM
  • 25. Common exploit categories • Almost all Security Appliance products had • Easy password attacks • XSS with session-hijacking, or password theft • Non-hardened Linux OS – (though vendors claim otherwise) • Unauthenticated information disclosure (exact version) • The majority had • CSRF of admin functions • OS Command-injection • Privilege escalation (either UI and OS) 9:10 AM 9:10 AM
  • 26. Common exploit categories • Several had • Stored out-of-band XSS and OSRF (for example in email) • Direct authentication-bypass • A few had • Denial-of-Service • SSH misconfiguration • There were a wide variety of more obscure issues 9:10 AM 9:10 AM
  • 27. Citrix Access Gateway (5.0.4) • Multiple issues • Potential unrestricted access to the internal network 9:10 AM 9:10 AM
  • 28. Erm… That’s a bit odd… ssh admin@192.168.233.55 9:10 AM 9:10 AM
  • 29. Where’s my hashes to crack? 9:10 AM 9:10 AM
  • 30. Port-forwarding (no password) When SSH is enabled on the CAG - port-forwarding is allowed ssh admin@192.168.1.55 ssh admin@192.168.1.55 -L xxxx:127.0.0.1:xxxx 9:10 AM 9:10 AM
  • 31.
  • 32. Potential access to internal systems! Attacker 9:10 AM 9:10 AM
  • 33.
  • 34. Rather ironic: Remote Access Gateway • Unauthenticated access to the internal network? • Auth-bypass and root-shell 9:10 AM 9:10 AM
  • 35. Citrix fix info: Affects CAG 5.0.x • Reported Oct 2012 • Fixed released last week (6th March 2013) • CVE-2013-2263 Unauthorized Access to Network Resources • http://support.citrix.com/article/ctx136623 9:10 AM 9:10 AM
  • 36. Combination attacks • Combining multiple common issues 9:10 AM 9:10 AM
  • 37. Proofpoint: ownage by Email (last year) 9:10 AM 9:10 AM
  • 38. Out-of-band XSS and OSRF • I found 4 products with this issue • Three of which were Anti-spam products where you could attack users/administrators via a specially-crafted spam email • Out-of-Band XSS and OSRF has a massive advantage over CSRF attacks • Easy to distribute attack payloads • XSS cannot be detected and blocked by the admins browser • Minimal social-engineering or reconnaissance 9:10 AM 9:10 AM
  • 39. Backup-restore flaws - revisited via CSRF • Vendors deciding not to fix the backup/restore tar.gz issue • But… common feature, and high-privilege • Use CSRF to restore the attacker’s backup! • Spoof a file-upload and “apply policy” • Which results in a reverse-shell as root 9:10 AM 9:10 AM
  • 40.
  • 42. Symantec Email Appliance (9.5.x) • Multiple issuesDescription NCC Rating Out-of-band stored-XSS - delivered by email Critical XSS (both reflective and stored) with session-hijacking High Easy CSRF to add a backdoor-administrator (for example) High SSH with backdoor user account + privilege escalation to root High Ability for an authenticated attacker to modify the Web-application High Arbitrary file download was possible with a crafted URL Medium Unauthenticated detailed version disclosure Low 9:10 AM 9:10 AM
  • 43. Out-of-band XSS and OSRF • Chain together issues in various ways • XSS in spam Email subject line, to attack the administrator • Use faulty “backup/restore” feature (with OSRF) to add arbitrary JSP to the admin UI, and a SUID binary • XSS - Executes new function to send a reverse-shell back to the attacker 9:10 AM 9:10 AM
  • 44.
  • 45. XSS Email to reverse-shell as root 9:10 AM 9:10 AM
  • 46. Rather ironic • Root-shell via malicious email message • In an email filtering appliance? 9:10 AM 9:10 AM
  • 47. Symantec fix info: Upgrade to 10.x • Reported April 2012 – Fixed Aug 2012 • CVE-2012-0307 XSS issues • CVE-2012-0308 Cross-site Request Forgery CSRF • CVE-2012-3579 SSH account with fixed password • CVE-2012-3580 Web App modification as root • CVE-2012-4347 Directory traversal (file download) • CVE-2012-3581 Information disclosure http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se curity_advisory&pvid=security_advisory&year=2012&suid=20120827_00 9:10 AM 9:10 AM
  • 49. Trend Email Appliance (8.2.0.x) • Multiple issues Description NCC Rating Out-of-band stored-XSS in user-portal - delivered via email Critical XSS (both reflective and stored) with session-hijacking High Easy CSRF to add a backdoor-administrator (for example) High Root shell via patch-upload feature (authenticated) High Blind LDAP-injection in user-portal login-screen High Directory traversal (authenticated) Medium Unauthenticated access to AdminUI logs Low Unauthenticated version disclosure Low 9:10 AM 9:10 AM
  • 50.
  • 52. End-user Email XSS ownage 9:10 AM 9:10 AM
  • 53.
  • 54. Admin Email XSS ownage 9:10 AM 9:10 AM
  • 55. Trend Fix info: Use workarounds • Reported April 2012 • No fixes released or scheduled AFAIK 9:10 AM 9:10 AM
  • 56. Other Research • Poking about with binaries • Investigation of memory corruption issues • Processing of messages etc 9:10 AM 9:10 AM
  • 59. “Banned” (insecure) functions in use 9:10 AM 9:10 AM
  • 60. Conclusions • The majority of Security Appliances tested were insecure • Interesting state of play in 2012 - 2013 • Variable responses from vendors • Some fixed within 3 months, some not • Evolution • Software > Appliances > Virtual Appliances > Cloud Services • Huawei 9:10 AM 9:10 AM
  • 61. Solutions • Regular software maintenance • Secure Development Lifecycle (SDL) • Product security testing • Penetration testing 9:10 AM 9:10 AM
  • 62. UK Offices Manchester - Head Office Cheltenham Edinburgh Leatherhead London Thame North American Offices San Francisco Atlanta New York Seattle Australian Offices Sydney European Offices Amsterdam - Netherlands Munich – Germany Zurich - Switzerland Questions? 9:10 AM