9. Motivation of Hackers
! Is money, no question about it
! People rob banks and pickpocket wallets for money
! Jail
11. Reality of Today
! Hackers are stealing money from computers
! Soon smartphones
! Smartphone hacking rising
! Take over the world, just like Dr. Evil
12. Are you secure?
! Bad guy doesn’t care if you passed PCI
13. Perimeter is dead
! You might have a firewall
! Tons of traffic are punched through holes in your firewalls
! Billions of packets
! How do you know you are secure?
15. Bad Guys
! are after your systems. They want to hack you.
16. About me
! Work at Capilano University
! Hack wet paper bags for a living
! I Love 80’s music
! I Love riding my bike from downtown Vancouver
! To North Vancouver
17. About Me
! I love Backtrack4
! Some people call me a blackhat
! But I’ve always been a good guy since the RCMP
18. About Me
! Love Plants vs Zombies
! And my Macbook Pro
! Read NIST publications
! Windows Forensics Analysis Book
! Rootkits Arsenal Book
19. Reading List
! Shellcoders Handbook
! Mac Shellcoders Handbook
! Reverse Engineering Book
! Security Power Tools Book
54. Zeus research
! Source code on the Internet
! Lots of analysis by big anti-virus vendors
! Screenshots on the Internet of the Zeus Builder interface, Configuration interface
55. Immediately Post-Infection
! Zeus downloads encrypted config file
! Transmits system details to C2 server
! Receives additional commands
56. How do you get infected?
! Drive by Download
! Phishing scams
! Malicious Email attachments
! Bogus Zeus Crimeware Downloads
! SQL Injected Websites
58. Controllers of ZBOT
! Capture (banking) credentials
! Remote control
! Keystroke logging
! Screen capture
! Proxy services
59. Typical Theft
! Attackers steal credentials
! Set up bogus employee/vendor accounts
! Accounts are actually “mules”
! Transfers typically kept under $10K
64. Stack Overflow
! Typically found in C-style code
! No bounds checking
! Always new C code being created :)
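An added example (not from the slides) of exactly the "no bounds checking" pattern the slide refers to: an unbounded strcpy() into a fixed stack buffer beside a length-checked copy that rejects oversized input. The function names and the 64-byte buffer are this example's own assumptions.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 64  /* hypothetical fixed-size stack buffer */

/* VULNERABLE: strcpy() does not know how big 'name' is, so any
 * input longer than NAME_LEN-1 bytes writes past the array and
 * over the saved return address. Kept only for contrast; never
 * call it with untrusted data. */
void greet_unsafe(const char *input)
{
    char name[NAME_LEN];
    strcpy(name, input);            /* no bounds check */
    printf("Hello, %s\n", name);
}

/* HARDENED: measure the source without reading past dst_len bytes
 * and refuse anything that would not fit with its terminating NUL.
 * Returns 0 on success, -1 when the input is rejected. */
int copy_bounded(char *dst, size_t dst_len, const char *src)
{
    size_t n = 0;
    while (n < dst_len && src[n] != '\0')
        n++;
    if (n == dst_len)
        return -1;                  /* too long: would overflow */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

int greet_safe(const char *input)
{
    char name[NAME_LEN];
    if (copy_bounded(name, sizeof name, input) != 0)
        return -1;                  /* oversized input rejected */
    printf("Hello, %s\n", name);
    return 0;
}

int main(void)
{
    char attack[200];               /* constructed oversized input */
    memset(attack, 'A', sizeof attack - 1);
    attack[sizeof attack - 1] = '\0';
    greet_safe("Alice");            /* prints the greeting */
    greet_safe(attack);             /* rejected, stack stays intact */
    return 0;
}
```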
65. Heap Spray
! Commonly used in Javascript browser attacks
! Can be used in putting shellcode into various parts of unused memory
! If you find your code…game over.
66. NOP sled and shellcode
! 0x90 = Intel x86 NOP opcode
! a.k.a. NOP slide or NOP ramp
! NOP (no-operation) instruction sequence meant to "slide" the CPU's instruction execution flow to its final, desired destination.
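An added example (not from the slides) of the defender's side of this slide: the classic run-length heuristic that flags a buffer containing a long run of the 0x90 bytes described above. The threshold value and the constructed sample buffer are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NOP 0x90  /* single-byte x86 NOP opcode */

/* Longest run of consecutive 0x90 bytes in buf. Stores the run's
 * start offset in *start (if non-NULL) and returns its length.
 * Returns 0 when the buffer holds no 0x90 at all. */
size_t longest_nop_run(const uint8_t *buf, size_t len, size_t *start)
{
    size_t best = 0, best_start = 0, run = 0;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] != NOP) {
            run = 0;
            continue;
        }
        run++;
        if (run > best) {
            best = run;
            best_start = i + 1 - run;
        }
    }
    if (start)
        *start = best_start;
    return best;
}

/* Classic IDS heuristic: ordinary data rarely contains long 0x90
 * runs, so a run at or above the threshold is flagged. Sleds built
 * from other single-byte opcodes evade it, so it is only one signal. */
int looks_like_nop_sled(const uint8_t *buf, size_t len, size_t threshold)
{
    return longest_nop_run(buf, len, NULL) >= threshold;
}

int main(void)
{
    /* Constructed sample: 32 text bytes, a 64-byte sled, 32 filler bytes. */
    uint8_t sample[128];
    for (size_t i = 0; i < 32; i++)   sample[i] = (uint8_t)('a' + i % 26);
    for (size_t i = 32; i < 96; i++)  sample[i] = NOP;
    for (size_t i = 96; i < 128; i++) sample[i] = (uint8_t)i;
    size_t start = 0;
    size_t run = longest_nop_run(sample, sizeof sample, &start);
    printf("longest 0x90 run: %zu bytes at offset %zu -> %s\n", run, start,
           looks_like_nop_sled(sample, sizeof sample, 16) ? "FLAG" : "ok");
    return 0;
}
```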
69. Shellcode
! Local
! Remote
! Download and Execute
! Staged
! Egg Hunt
! Omelet
70. Local
• Local shellcode is used by an attacker who has limited access to a machine
• Privilege escalation from user to Admin/root
71. Remote
• Remote shellcode can provide the bad guy access to the victim machine across a network
• Remote shellcode normally uses standard TCP/IP
• Connect-back shellcode is used to connect back to the bad guy’s machine
72. Download and Execute
• Download and execute is a type of remote shellcode
• Instructs the victim machine to download the bad guy’s executable file off the network, save it to disk and execute it
• This is a drive-by download attack!
73. Staged
• When memory space is small for a process
• Recommend staged shellcode to execute in stages
• First, a small piece of shellcode (stage 1) is executed. This code then downloads a larger piece of shellcode (stage 2) into the process's memory and executes it
75. Egg-Hunt
• Small egg-hunt shellcode is injected into the process at a predictable location and executed
• This code then searches the process's address space for the larger shellcode (the egg) and executes it
77. Omelet
• This type of shellcode uses multiple small blocks of data (eggs) and recombines them into one larger block (the omelet)
97. Oracle Hacking
! Need IP address
! Need Listening Port
! Need SID
! Need Username and Password
98. Oracle Attack Methodology
! Determine Version and SID
! Guess or Brute Force Username and Password
! Privilege Escalation via SQL Injection
! Data Manipulation or post data
! Cover your tracks…muhahahahaha
99. msfconsole commands
! msf auxiliary(lt_findricset) > set RHOST 172.10.1.109
! msf auxiliary(lt_findricset) > set RPORT 1521
! msf auxiliary(lt_findricset) > set DBUSER SCOTT
! msf auxiliary(lt_findricset) > set DBPASS TIGER
! msf auxiliary(lt_findricset) > set SID ORCL
! msf auxiliary(lt_findricset) > set SQL GRANT DBA TO SCOTT
109. Last Resort
! Teensy.pde
! Powershell SAM dumps
! Hacking update services like windowsupdate.com
! UPS OpenWRT
110. Last Last Resort
! Create prize like iPad 2 win
! w3af for scanning web apps
! Lock picking Kensington Locks with Toilet roll
! Wireless conversations with Mallory and JavaSnoop
111. Maintain Access
! The Rootkit Arsenal is a great book
! Create Zombies and Bots
! Use Backtrack4
! Use Metasploit
112. Migrating process
! Avoiding detection
! In Metasploit after you PWN a system
! There is a Meterpreter script to migrate processes
120. Yes, Yes and Yes
! A computer hacker learns from mysterious rebels about the true nature of his reality and his role in the war against its controllers
136. You are under arrest for Section 342.1 Unauthorized use of computer, do you understand?
137. You have the right to retain and instruct counsel without delay. We will provide you with a toll-free telephone lawyer referral service, if you do not have your own lawyer.
138. Anything you say can be used in court as evidence. Do you understand? Would you like to speak to a lawyer?