SlideShare une entreprise Scribd logo

When the tables turn

SensePost
SensePost

Presentation by Roelof Temmingh, Haroon Meer and Charl van der Walt at BlackHat USA in 2004. This presentation is about improving network security to turn the tables on would be attackers. Various tools and techniques to achieve this are discussed.

Technologie
1  sur  26
Télécharger pour lire hors ligne
Agenda –Thinking about the concept –Introduction –Types of defensive technology –Raising the bar –Typical assessment methodology –Attacks –Examples –Conclusion
Thinking about the concept We’re from South Africa: –Robbery on Atterbury Road in Pretoria –Electric fencing around my house From the insect world: –Acid bugs – “I don’t taste nice” –Electric eel Spy vs. spy: –Disinformation
Introduction Current trends in “assessment” space: –Technology is getting smarter –People are getting lazy –Good “hacker” used to be technically clever –Tool/scanner for every level of attack Perceptions: –Administrators are dumb, “hackers” are clever –Skill = size of your toolbox In many cases the mechanic’s car is always broken.
Types of defensive technology Robbery analogy: –Firewalls: Amour plated windows –IDS: Police –IPS: Driving away –Back Hack: Carry a gun in the car Fence analogy: –Firewalls: Walls –IDS: Police –IPS: Armed response –Back Hack: Trigger happy wife…
Raising the bar Raising the “cost” of an “assessment”: Attacking the technology, not the people Attacking automation; “lets move to the next target” Used to be: “Are you sure it’s not a honey pot?” Now: –Is YOUR network safe? –Are YOUR tools safe from attack? –Do YOU have all the service packs installed? –Do you measure yourself as you measure your targets?
Typical assessment methodology • Foot printing • Vitality • Network level visibility • Vulnerability discovery • Vulnerability exploitation • Web application assessment
Attacks Types: -Avoiding/Stopping individual attacks -Creating noise/confusion -Stopping/Killing the tool -Killing the attacker’s host/network Levels: -Network level -Network application level -Application level
Attacks Attack vectors: All information coming back to the attacker is under OUR control: – Packets (and all its features) – Banners – Forward & reverse DNS entries – Error codes, messages – W eb pages Used in the tool/scanner itself Used in rendering of data, databases Used in secondary scanners, reporters
Examples Foot printing: Avoiding DNS obfuscation Noise: “Eat my zone!” Stopping: Endless loop of forward entries Killing: Eeeevil named…reverse entries
Examples Foot printing: Tools: Very basic – host, nslookup, dig Domains: not a lot we can do there.. DNS entries: forward, reverse, axfr, ns SensePost has some interesting foot printing tools…
Examples
Examples Network level: Avoiding Firewall Noise: honeyd & transparent reverse proxies – Random IPs alive – Random ports open – Traceroute interception/misdirection – Fake network broadcast addresses Stopping: ? Killing: nmap with banner display??
Examples Network level: Tools: Ping sweeps / vitality checkers Port scanners nmap, paketto/pulse, superscan, visualroute, some custom scripts, etc. etc.
Examples Network level: Tools: Ping sweeps / vitality checkers Port scanners nmap, paketto/pulse, superscan, visualroute, some custom scripts, etc. etc.
Examples
Examples Network application level Avoiding Patches, patches Noise: – Fake banners – Combined banners – NASL (reverse) interpreter Stopping: – Tar pits Killing: – Buffer overflows – Rendering of data – malicious code in HTML – Where data is inserted into databases – Scanners that use other scanners (e.g. using nessus,nmap)
Examples Network application level Tools: Shareware: Nessus, amap, httpprint, Sara & friends? Commercial: ISS, Retina, Typhon, Foundscan, Qualys, Cisco
Examples Application level & (web server assessment) Avoiding Application level firewall Noise: – On IPs not in use: • Random 404,500,302,200 responses • Not enough to latch “friendly 404”, or intercept 404 checking – Within the application • Bogus forms, fields • Pages with “ODBC ….” Stopping: Spider traps, Flash, Human detectors Killing: – “You are an idiot!” – Bait files.. Admintool.exe and friends in /files,/admin etc.
Examples Tools: Shareware: Nikto, Nessus, Whisker?, WebScarab, Exodus, Pharos, Spike, Httrack, Teleport pro Commercial: Sanctum Appscan, Cenzic Hailstorm, Kavado Scando, SPI Dynamics WebInspect, @stake webproxy
Examples Incoming Armpit1 connection Back to client Back to client Valid Relay yes no cookie? connection Valid Send valid no request yes cookie and string? redirect Build and send Flash
Examples
Examples Armpit2 Incoming connection With IPS Bad cookie Back to client jar Valid cookie? yes no Back to client BlackList Relay Evil Cookie & no yes connection request? close connection Send valid Build and Valid request no yes cookie and send Flash string? redirect
Combining with IPS
Conclusion • These techniques do not make your network safer? • IPS is getting smarter – The closer to the application level they go, the more accurate they become. • IPS can easily switch on “armpits” • It’s a whole new ballgame…
QUESTIONS?? COMMENTS?? FLAMES??

Recommandé

Getting punched in the face
Getting punched in the faceGetting punched in the face
Getting punched in the faceSensePost
 
OK I'm here, so what's in it for me?
OK I'm here, so what's in it for me?OK I'm here, so what's in it for me?
OK I'm here, so what's in it for me?SensePost
 
IBM Sametime 8.5.2 IFR1 implementation - From Zero to Mobile - Make your bos...
IBM Sametime 8.5.2 IFR1 implementation - From Zero to Mobile - Make your bos...IBM Sametime 8.5.2 IFR1 implementation - From Zero to Mobile - Make your bos...
IBM Sametime 8.5.2 IFR1 implementation - From Zero to Mobile - Make your bos...Frank Altenburg
 
Outsmarting smartphones
Outsmarting smartphonesOutsmarting smartphones
Outsmarting smartphonesSensePost
 
Dynamic Analysis of Windows Phone 7 Apps
Dynamic Analysis of Windows Phone 7 AppsDynamic Analysis of Windows Phone 7 Apps
Dynamic Analysis of Windows Phone 7 AppsSensePost
 
Application Assessment Metrics
Application Assessment MetricsApplication Assessment Metrics
Application Assessment MetricsSensePost
 
IBM Connections 4.0 Installation - From Zero To Social Hero 1.16 for Domino LDAP
IBM Connections 4.0 Installation - From Zero To Social Hero 1.16 for Domino LDAPIBM Connections 4.0 Installation - From Zero To Social Hero 1.16 for Domino LDAP
IBM Connections 4.0 Installation - From Zero To Social Hero 1.16 for Domino LDAPFrank Altenburg
 
IBM Sametime 8.5.2 Installation ”From Zero to Hero” Upgrade to Interims Featu...
IBM Sametime 8.5.2 Installation ”From Zero to Hero” Upgrade to Interims Featu...IBM Sametime 8.5.2 Installation ”From Zero to Hero” Upgrade to Interims Featu...
IBM Sametime 8.5.2 Installation ”From Zero to Hero” Upgrade to Interims Featu...Frank Altenburg
 

Recommandé

Getting punched in the face
Getting punched in the faceGetting punched in the face
Getting punched in the faceSensePost
 
OK I'm here, so what's in it for me?
OK I'm here, so what's in it for me?OK I'm here, so what's in it for me?
OK I'm here, so what's in it for me?SensePost
 
IBM Sametime 8.5.2 IFR1 implementation - From Zero to Mobile - Make your bos...
IBM Sametime 8.5.2 IFR1 implementation - From Zero to Mobile - Make your bos...IBM Sametime 8.5.2 IFR1 implementation - From Zero to Mobile - Make your bos...
IBM Sametime 8.5.2 IFR1 implementation - From Zero to Mobile - Make your bos...Frank Altenburg
 
Outsmarting smartphones
Outsmarting smartphonesOutsmarting smartphones
Outsmarting smartphonesSensePost
 
Dynamic Analysis of Windows Phone 7 Apps
Dynamic Analysis of Windows Phone 7 AppsDynamic Analysis of Windows Phone 7 Apps
Dynamic Analysis of Windows Phone 7 AppsSensePost
 
Application Assessment Metrics
Application Assessment MetricsApplication Assessment Metrics
Application Assessment MetricsSensePost
 
IBM Connections 4.0 Installation - From Zero To Social Hero 1.16 for Domino LDAP
IBM Connections 4.0 Installation - From Zero To Social Hero 1.16 for Domino LDAPIBM Connections 4.0 Installation - From Zero To Social Hero 1.16 for Domino LDAP
IBM Connections 4.0 Installation - From Zero To Social Hero 1.16 for Domino LDAPFrank Altenburg
 
IBM Sametime 8.5.2 Installation ”From Zero to Hero” Upgrade to Interims Featu...
IBM Sametime 8.5.2 Installation ”From Zero to Hero” Upgrade to Interims Featu...IBM Sametime 8.5.2 Installation ”From Zero to Hero” Upgrade to Interims Featu...
IBM Sametime 8.5.2 Installation ”From Zero to Hero” Upgrade to Interims Featu...Frank Altenburg
 
The FT Web App: Coding Responsively
The FT Web App: Coding ResponsivelyThe FT Web App: Coding Responsively
The FT Web App: Coding ResponsivelyC4Media
 
Understand immutable infrastructure, what? Why? how? - devops d day Marseill...
Understand immutable infrastructure, what? Why? how? - devops d day Marseill... Understand immutable infrastructure, what? Why? how? - devops d day Marseill...
Understand immutable infrastructure, what? Why? how? - devops d day Marseill...Quentin Adam
 
Kicking Butt on Concurrent Enterprise Application with Scala
Kicking Butt on Concurrent Enterprise Application with ScalaKicking Butt on Concurrent Enterprise Application with Scala
Kicking Butt on Concurrent Enterprise Application with ScalaLinuxmalaysia Malaysia
 
Securing Rails
Securing RailsSecuring Rails
Securing RailsAlex Payne
 
Visualizing Threats: Network Visualization for Cyber Security
Visualizing Threats: Network Visualization for Cyber SecurityVisualizing Threats: Network Visualization for Cyber Security
Visualizing Threats: Network Visualization for Cyber SecurityCambridge Intelligence
 
Reading Group Presentation: The Power of Procrastination
Reading Group Presentation: The Power of ProcrastinationReading Group Presentation: The Power of Procrastination
Reading Group Presentation: The Power of ProcrastinationMichael Rushanan
 
Bringing Wireless Sensing to its full potential
Bringing Wireless Sensing to its full potentialBringing Wireless Sensing to its full potential
Bringing Wireless Sensing to its full potentialAdrian Hornsby
 
Hadoop application architectures - Fraud detection tutorial
Hadoop application architectures - Fraud detection tutorialHadoop application architectures - Fraud detection tutorial
Hadoop application architectures - Fraud detection tutorialhadooparchbook
 
Leaving the Ivory Tower: Research in the Real World
Leaving the Ivory Tower: Research in the Real WorldLeaving the Ivory Tower: Research in the Real World
Leaving the Ivory Tower: Research in the Real WorldArmonDadgar
 
Eskwela Openstandard V1.1
Eskwela Openstandard V1.1Eskwela Openstandard V1.1
Eskwela Openstandard V1.1opendesk
 
Vulnerability Management Scoring Systems
Vulnerability Management Scoring SystemsVulnerability Management Scoring Systems
Vulnerability Management Scoring SystemsSecurity B-Sides
 
Fast Track - Windows 8 Apps
Fast Track - Windows 8 AppsFast Track - Windows 8 Apps
Fast Track - Windows 8 AppsAnkit Kashyap
 
Hadoop application architectures - Fraud detection tutorial
Hadoop application architectures - Fraud detection tutorialHadoop application architectures - Fraud detection tutorial
Hadoop application architectures - Fraud detection tutorialhadooparchbook
 
The magic of ettercap
The magic of ettercapThe magic of ettercap
The magic of ettercapn|u - The Open Security Community
 
Re-Thinking BYOD Policy.pptx
Re-Thinking BYOD Policy.pptxRe-Thinking BYOD Policy.pptx
Re-Thinking BYOD Policy.pptxtmbainjr131
 
You think your WiFi is safe?
You think your WiFi is safe?You think your WiFi is safe?
You think your WiFi is safe?Rob Gillen
 
SignalR for ASP.NET Developers
SignalR for ASP.NET DevelopersSignalR for ASP.NET Developers
SignalR for ASP.NET DevelopersShivanand Arur
 
Quilt - Distributed Load Simulation from AWS
Quilt - Distributed Load Simulation from AWSQuilt - Distributed Load Simulation from AWS
Quilt - Distributed Load Simulation from AWSAjith Jose
 
SCADA Software or Swiss Cheese Software?  by Celil UNUVER
SCADA Software or Swiss Cheese Software?  by Celil UNUVERSCADA Software or Swiss Cheese Software?  by Celil UNUVER
SCADA Software or Swiss Cheese Software?  by Celil UNUVERCODE BLUE
 
Єгор Попович, CTO @Tesseract, (Lviv, Ukraine) "Blockchain user: myth or reali...
Єгор Попович, CTO @Tesseract, (Lviv, Ukraine) "Blockchain user: myth or reali...Єгор Попович, CTO @Tesseract, (Lviv, Ukraine) "Blockchain user: myth or reali...
Єгор Попович, CTO @Tesseract, (Lviv, Ukraine) "Blockchain user: myth or reali...Dakiry
 
objection - runtime mobile exploration
objection - runtime mobile explorationobjection - runtime mobile exploration
objection - runtime mobile explorationSensePost
 
Vulnerabilities in TN3270 based Application
Vulnerabilities in TN3270 based ApplicationVulnerabilities in TN3270 based Application
Vulnerabilities in TN3270 based ApplicationSensePost
 

Contenu connexe

Similaire à When the tables turn

The FT Web App: Coding Responsively
The FT Web App: Coding ResponsivelyThe FT Web App: Coding Responsively
The FT Web App: Coding ResponsivelyC4Media
 
Understand immutable infrastructure, what? Why? how? - devops d day Marseill...
Understand immutable infrastructure, what? Why? how? - devops d day Marseill... Understand immutable infrastructure, what? Why? how? - devops d day Marseill...
Understand immutable infrastructure, what? Why? how? - devops d day Marseill...Quentin Adam
 
Kicking Butt on Concurrent Enterprise Application with Scala
Kicking Butt on Concurrent Enterprise Application with ScalaKicking Butt on Concurrent Enterprise Application with Scala
Kicking Butt on Concurrent Enterprise Application with ScalaLinuxmalaysia Malaysia
 
Securing Rails
Securing RailsSecuring Rails
Securing RailsAlex Payne
 
Visualizing Threats: Network Visualization for Cyber Security
Visualizing Threats: Network Visualization for Cyber SecurityVisualizing Threats: Network Visualization for Cyber Security
Visualizing Threats: Network Visualization for Cyber SecurityCambridge Intelligence
 
Reading Group Presentation: The Power of Procrastination
Reading Group Presentation: The Power of ProcrastinationReading Group Presentation: The Power of Procrastination
Reading Group Presentation: The Power of ProcrastinationMichael Rushanan
 
Bringing Wireless Sensing to its full potential
Bringing Wireless Sensing to its full potentialBringing Wireless Sensing to its full potential
Bringing Wireless Sensing to its full potentialAdrian Hornsby
 
Hadoop application architectures - Fraud detection tutorial
Hadoop application architectures - Fraud detection tutorialHadoop application architectures - Fraud detection tutorial
Hadoop application architectures - Fraud detection tutorialhadooparchbook
 
Leaving the Ivory Tower: Research in the Real World
Leaving the Ivory Tower: Research in the Real WorldLeaving the Ivory Tower: Research in the Real World
Leaving the Ivory Tower: Research in the Real WorldArmonDadgar
 
Eskwela Openstandard V1.1
Eskwela Openstandard V1.1Eskwela Openstandard V1.1
Eskwela Openstandard V1.1opendesk
 
Vulnerability Management Scoring Systems
Vulnerability Management Scoring SystemsVulnerability Management Scoring Systems
Vulnerability Management Scoring SystemsSecurity B-Sides
 
Fast Track - Windows 8 Apps
Fast Track - Windows 8 AppsFast Track - Windows 8 Apps
Fast Track - Windows 8 AppsAnkit Kashyap
 
Hadoop application architectures - Fraud detection tutorial
Hadoop application architectures - Fraud detection tutorialHadoop application architectures - Fraud detection tutorial
Hadoop application architectures - Fraud detection tutorialhadooparchbook
 
Re-Thinking BYOD Policy.pptx
Re-Thinking BYOD Policy.pptxRe-Thinking BYOD Policy.pptx
Re-Thinking BYOD Policy.pptxtmbainjr131
 
You think your WiFi is safe?
You think your WiFi is safe?You think your WiFi is safe?
You think your WiFi is safe?Rob Gillen
 
SignalR for ASP.NET Developers
SignalR for ASP.NET DevelopersSignalR for ASP.NET Developers
SignalR for ASP.NET DevelopersShivanand Arur
 
Quilt - Distributed Load Simulation from AWS
Quilt - Distributed Load Simulation from AWSQuilt - Distributed Load Simulation from AWS
Quilt - Distributed Load Simulation from AWSAjith Jose
 
SCADA Software or Swiss Cheese Software?  by Celil UNUVER
SCADA Software or Swiss Cheese Software?  by Celil UNUVERSCADA Software or Swiss Cheese Software?  by Celil UNUVER
SCADA Software or Swiss Cheese Software?  by Celil UNUVERCODE BLUE
 
Єгор Попович, CTO @Tesseract, (Lviv, Ukraine) "Blockchain user: myth or reali...
Єгор Попович, CTO @Tesseract, (Lviv, Ukraine) "Blockchain user: myth or reali...Єгор Попович, CTO @Tesseract, (Lviv, Ukraine) "Blockchain user: myth or reali...
Єгор Попович, CTO @Tesseract, (Lviv, Ukraine) "Blockchain user: myth or reali...Dakiry
 

Similaire à When the tables turn (20)

The FT Web App: Coding Responsively
The FT Web App: Coding ResponsivelyThe FT Web App: Coding Responsively
The FT Web App: Coding Responsively
 
Understand immutable infrastructure, what? Why? how? - devops d day Marseill...
Understand immutable infrastructure, what? Why? how? - devops d day Marseill... Understand immutable infrastructure, what? Why? how? - devops d day Marseill...
Understand immutable infrastructure, what? Why? how? - devops d day Marseill...
 
Kicking Butt on Concurrent Enterprise Application with Scala
Kicking Butt on Concurrent Enterprise Application with ScalaKicking Butt on Concurrent Enterprise Application with Scala
Kicking Butt on Concurrent Enterprise Application with Scala
 
Securing Rails
Securing RailsSecuring Rails
Securing Rails
 
Visualizing Threats: Network Visualization for Cyber Security
Visualizing Threats: Network Visualization for Cyber SecurityVisualizing Threats: Network Visualization for Cyber Security
Visualizing Threats: Network Visualization for Cyber Security
 
Reading Group Presentation: The Power of Procrastination
Reading Group Presentation: The Power of ProcrastinationReading Group Presentation: The Power of Procrastination
Reading Group Presentation: The Power of Procrastination
 
Bringing Wireless Sensing to its full potential
Bringing Wireless Sensing to its full potentialBringing Wireless Sensing to its full potential
Bringing Wireless Sensing to its full potential
 
Hadoop application architectures - Fraud detection tutorial
Hadoop application architectures - Fraud detection tutorialHadoop application architectures - Fraud detection tutorial
Hadoop application architectures - Fraud detection tutorial
 
Leaving the Ivory Tower: Research in the Real World
Leaving the Ivory Tower: Research in the Real WorldLeaving the Ivory Tower: Research in the Real World
Leaving the Ivory Tower: Research in the Real World
 
Eskwela Openstandard V1.1
Eskwela Openstandard V1.1Eskwela Openstandard V1.1
Eskwela Openstandard V1.1
 
Vulnerability Management Scoring Systems
Vulnerability Management Scoring SystemsVulnerability Management Scoring Systems
Vulnerability Management Scoring Systems
 
Fast Track - Windows 8 Apps
Fast Track - Windows 8 AppsFast Track - Windows 8 Apps
Fast Track - Windows 8 Apps
 
Hadoop application architectures - Fraud detection tutorial
Hadoop application architectures - Fraud detection tutorialHadoop application architectures - Fraud detection tutorial
Hadoop application architectures - Fraud detection tutorial
 
The magic of ettercap
The magic of ettercapThe magic of ettercap
The magic of ettercap
 
Re-Thinking BYOD Policy.pptx
Re-Thinking BYOD Policy.pptxRe-Thinking BYOD Policy.pptx
Re-Thinking BYOD Policy.pptx
 
You think your WiFi is safe?
You think your WiFi is safe?You think your WiFi is safe?
You think your WiFi is safe?
 
SignalR for ASP.NET Developers
SignalR for ASP.NET DevelopersSignalR for ASP.NET Developers
SignalR for ASP.NET Developers
 
Quilt - Distributed Load Simulation from AWS
Quilt - Distributed Load Simulation from AWSQuilt - Distributed Load Simulation from AWS
Quilt - Distributed Load Simulation from AWS
 
SCADA Software or Swiss Cheese Software?  by Celil UNUVER
SCADA Software or Swiss Cheese Software?  by Celil UNUVERSCADA Software or Swiss Cheese Software?  by Celil UNUVER
SCADA Software or Swiss Cheese Software?  by Celil UNUVER
 
Єгор Попович, CTO @Tesseract, (Lviv, Ukraine) "Blockchain user: myth or reali...
Єгор Попович, CTO @Tesseract, (Lviv, Ukraine) "Blockchain user: myth or reali...Єгор Попович, CTO @Tesseract, (Lviv, Ukraine) "Blockchain user: myth or reali...
Єгор Попович, CTO @Tesseract, (Lviv, Ukraine) "Blockchain user: myth or reali...
 

Plus de SensePost

objection - runtime mobile exploration
objection - runtime mobile explorationobjection - runtime mobile exploration
objection - runtime mobile explorationSensePost
 
Vulnerabilities in TN3270 based Application
Vulnerabilities in TN3270 based ApplicationVulnerabilities in TN3270 based Application
Vulnerabilities in TN3270 based ApplicationSensePost
 
Ruler and Liniaal @ Troopers 17
Ruler and Liniaal @ Troopers 17Ruler and Liniaal @ Troopers 17
Ruler and Liniaal @ Troopers 17SensePost
 
Introducing (DET) the Data Exfiltration Toolkit
Introducing (DET) the Data Exfiltration ToolkitIntroducing (DET) the Data Exfiltration Toolkit
Introducing (DET) the Data Exfiltration ToolkitSensePost
 
ZaCon 2015 - Zombie Mana Attacks
ZaCon 2015 - Zombie Mana AttacksZaCon 2015 - Zombie Mana Attacks
ZaCon 2015 - Zombie Mana AttacksSensePost
 
Improvement in Rogue Access Points - SensePost Defcon 22
Improvement in Rogue Access Points - SensePost Defcon 22Improvement in Rogue Access Points - SensePost Defcon 22
Improvement in Rogue Access Points - SensePost Defcon 22SensePost
 
Heartbleed Overview
Heartbleed OverviewHeartbleed Overview
Heartbleed OverviewSensePost
 
Botconf 2013 - DNS-based Botnet C2 Server Detection
Botconf 2013 - DNS-based Botnet C2 Server DetectionBotconf 2013 - DNS-based Botnet C2 Server Detection
Botconf 2013 - DNS-based Botnet C2 Server DetectionSensePost
 
Rat a-tat-tat
Rat a-tat-tatRat a-tat-tat
Rat a-tat-tatSensePost
 
Hacking Z-Wave Home Automation Systems
Hacking Z-Wave Home Automation SystemsHacking Z-Wave Home Automation Systems
Hacking Z-Wave Home Automation SystemsSensePost
 
Offence oriented Defence
Offence oriented DefenceOffence oriented Defence
Offence oriented DefenceSensePost
 
Threats to machine clouds
Threats to machine cloudsThreats to machine clouds
Threats to machine cloudsSensePost
 
Inside .NET Smart Card Operating System
Inside .NET Smart Card Operating SystemInside .NET Smart Card Operating System
Inside .NET Smart Card Operating SystemSensePost
 
SNMP : Simple Network Mediated (Cisco) Pwnage
SNMP : Simple Network Mediated (Cisco) PwnageSNMP : Simple Network Mediated (Cisco) Pwnage
SNMP : Simple Network Mediated (Cisco) PwnageSensePost
 
Its Ok To Get Hacked
Its Ok To Get HackedIts Ok To Get Hacked
Its Ok To Get HackedSensePost
 
Web Application Hacking
Web Application HackingWeb Application Hacking
Web Application HackingSensePost
 
Putting the tea back into cyber terrorism
Putting the tea back into cyber terrorismPutting the tea back into cyber terrorism
Putting the tea back into cyber terrorismSensePost
 
Major global information security trends - a summary
Major global information security trends - a summaryMajor global information security trends - a summary
Major global information security trends - a summarySensePost
 
Attacks and Defences
Attacks and DefencesAttacks and Defences
Attacks and DefencesSensePost
 
Corporate Threat Modeling v2
Corporate Threat Modeling v2Corporate Threat Modeling v2
Corporate Threat Modeling v2SensePost
 

Plus de SensePost (20)

objection - runtime mobile exploration
objection - runtime mobile explorationobjection - runtime mobile exploration
objection - runtime mobile exploration
 
Vulnerabilities in TN3270 based Application
Vulnerabilities in TN3270 based ApplicationVulnerabilities in TN3270 based Application
Vulnerabilities in TN3270 based Application
 
Ruler and Liniaal @ Troopers 17
Ruler and Liniaal @ Troopers 17Ruler and Liniaal @ Troopers 17
Ruler and Liniaal @ Troopers 17
 
Introducing (DET) the Data Exfiltration Toolkit
Introducing (DET) the Data Exfiltration ToolkitIntroducing (DET) the Data Exfiltration Toolkit
Introducing (DET) the Data Exfiltration Toolkit
 
ZaCon 2015 - Zombie Mana Attacks
ZaCon 2015 - Zombie Mana AttacksZaCon 2015 - Zombie Mana Attacks
ZaCon 2015 - Zombie Mana Attacks
 
Improvement in Rogue Access Points - SensePost Defcon 22
Improvement in Rogue Access Points - SensePost Defcon 22Improvement in Rogue Access Points - SensePost Defcon 22
Improvement in Rogue Access Points - SensePost Defcon 22
 
Heartbleed Overview
Heartbleed OverviewHeartbleed Overview
Heartbleed Overview
 
Botconf 2013 - DNS-based Botnet C2 Server Detection
Botconf 2013 - DNS-based Botnet C2 Server DetectionBotconf 2013 - DNS-based Botnet C2 Server Detection
Botconf 2013 - DNS-based Botnet C2 Server Detection
 
Rat a-tat-tat
Rat a-tat-tatRat a-tat-tat
Rat a-tat-tat
 
Hacking Z-Wave Home Automation Systems
Hacking Z-Wave Home Automation SystemsHacking Z-Wave Home Automation Systems
Hacking Z-Wave Home Automation Systems
 
Offence oriented Defence
Offence oriented DefenceOffence oriented Defence
Offence oriented Defence
 
Threats to machine clouds
Threats to machine cloudsThreats to machine clouds
Threats to machine clouds
 
Inside .NET Smart Card Operating System
Inside .NET Smart Card Operating SystemInside .NET Smart Card Operating System
Inside .NET Smart Card Operating System
 
SNMP : Simple Network Mediated (Cisco) Pwnage
SNMP : Simple Network Mediated (Cisco) PwnageSNMP : Simple Network Mediated (Cisco) Pwnage
SNMP : Simple Network Mediated (Cisco) Pwnage
 
Its Ok To Get Hacked
Its Ok To Get HackedIts Ok To Get Hacked
Its Ok To Get Hacked
 
Web Application Hacking
Web Application HackingWeb Application Hacking
Web Application Hacking
 
Putting the tea back into cyber terrorism
Putting the tea back into cyber terrorismPutting the tea back into cyber terrorism
Putting the tea back into cyber terrorism
 
Major global information security trends - a summary
Major global information security trends - a summaryMajor global information security trends - a summary
Major global information security trends - a summary
 
Attacks and Defences
Attacks and DefencesAttacks and Defences
Attacks and Defences
 
Corporate Threat Modeling v2
Corporate Threat Modeling v2Corporate Threat Modeling v2
Corporate Threat Modeling v2
 

Dernier

So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfAarwolf Industries LLC
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...BookNet Canada
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...Karmanjay Verma
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 

Dernier (20)

So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdf
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 

When the tables turn

  • 1.
  • 2. Agenda –Thinking about the concept –Introduction –Types of defensive technology –Raising the bar –Typical assessment methodology –Attacks –Examples –Conclusion
  • 3. Thinking about the concept We’re from South Africa: –Robbery on Atterbury Road in Pretoria –Electric fencing around my house From the insect world: –Acid bugs – “I don’t taste nice” –Electric eel Spy vs. spy: –Disinformation
  • 4. Introduction Current trends in “assessment” space: –Technology is getting smarter –People are getting lazy –Good “hacker” used to be technically clever –Tool/scanner for every level of attack Perceptions: –Administrators are dumb, “hackers” are clever –Skill = size of your toolbox In many cases the mechanic’s car is always broken.
  • 5. Types of defensive technology Robbery analogy: –Firewalls: Amour plated windows –IDS: Police –IPS: Driving away –Back Hack: Carry a gun in the car Fence analogy: –Firewalls: Walls –IDS: Police –IPS: Armed response –Back Hack: Trigger happy wife…
  • 6. Raising the bar Raising the “cost” of an “assessment”: Attacking the technology, not the people Attacking automation; “lets move to the next target” Used to be: “Are you sure it’s not a honey pot?” Now: –Is YOUR network safe? –Are YOUR tools safe from attack? –Do YOU have all the service packs installed? –Do you measure yourself as you measure your targets?
  • 7. Typical assessment methodology • Foot printing • Vitality • Network level visibility • Vulnerability discovery • Vulnerability exploitation • Web application assessment
  • 8. Attacks Types: -Avoiding/Stopping individual attacks -Creating noise/confusion -Stopping/Killing the tool -Killing the attacker’s host/network Levels: -Network level -Network application level -Application level
  • 9. Attacks Attack vectors: All information coming back to the attacker is under OUR control: – Packets (and all its features) – Banners – Forward & reverse DNS entries – Error codes, messages – W eb pages Used in the tool/scanner itself Used in rendering of data, databases Used in secondary scanners, reporters
  • 10. Examples Foot printing: Avoiding DNS obfuscation Noise: “Eat my zone!” Stopping: Endless loop of forward entries Killing: Eeeevil named…reverse entries
  • 11. Examples Foot printing: Tools: Very basic – host, nslookup, dig Domains: not a lot we can do there.. DNS entries: forward, reverse, axfr, ns SensePost has some interesting foot printing tools…
  • 13. Examples Network level: Avoiding Firewall Noise: honeyd & transparent reverse proxies – Random IPs alive – Random ports open – Traceroute interception/misdirection – Fake network broadcast addresses Stopping: ? Killing: nmap with banner display??
  • 14. Examples Network level: Tools: Ping sweeps / vitality checkers Port scanners nmap, paketto/pulse, superscan, visualroute, some custom scripts, etc. etc.
  • 15. Examples Network level: Tools: Ping sweeps / vitality checkers Port scanners nmap, paketto/pulse, superscan, visualroute, some custom scripts, etc. etc.
  • 17. Examples Network application level Avoiding Patches, patches Noise: – Fake banners – Combined banners – NASL (reverse) interpreter Stopping: – Tar pits Killing: – Buffer overflows – Rendering of data – malicious code in HTML – Where data is inserted into databases – Scanners that use other scanners (e.g. using nessus,nmap)
  • 18. Examples Network application level Tools: Shareware: Nessus, amap, httpprint, Sara & friends? Commercial: ISS, Retina, Typhon, Foundscan, Qualys, Cisco
  • 19. Examples Application level & (web server assessment) Avoiding Application level firewall Noise: – On IPs not in use: • Random 404,500,302,200 responses • Not enough to latch “friendly 404”, or intercept 404 checking – Within the application • Bogus forms, fields • Pages with “ODBC ….” Stopping: Spider traps, Flash, Human detectors Killing: – “You are an idiot!” – Bait files.. Admintool.exe and friends in /files,/admin etc.
  • 20. Examples Tools: Shareware: Nikto, Nessus, Whisker?, WebScarab, Exodus, Pharos, Spike, Httrack, Teleport pro Commercial: Sanctum Appscan, Cenzic Hailstorm, Kavado Scando, SPI Dynamics WebInspect, @stake webproxy
  • 21. Examples Incoming Armpit1 connection Back to client Back to client Valid Relay yes no cookie? connection Valid Send valid no request yes cookie and string? redirect Build and send Flash
  • 23. Examples Armpit2 Incoming connection With IPS Bad cookie Back to client jar Valid cookie? yes no Back to client BlackList Relay Evil Cookie & no yes connection request? close connection Send valid Build and Valid request no yes cookie and send Flash string? redirect
  • 25. Conclusion • These techniques do not make your network safer? • IPS is getting smarter – The closer to the application level they go, the more accurate they become. • IPS can easily switch on “armpits” • It’s a whole new ballgame…