counterattack
play

Counterattack Turning the tables on exploitation attempts from - PowerPoint PPT Presentation

Nov 09, 2023 •257 likes •1.02k views

Counterattack Turning the tables on exploitation attempts from tools like Metasploit whoami scriptjunkie Security research Metasploit contributor whoami wrote this thing whoami I work here Disclaimer This

  1. Counterattack Turning the tables on exploitation attempts from tools like Metasploit

  2. whoami • scriptjunkie – Security research – Metasploit contributor

  3. whoami • wrote this thing…

  4. whoami • I work here

  5. Disclaimer • This presentation is all my own research • This research is not funded by or associated with the USAF in any way • My opinions do not represent the US government

  6. Previous work • Honeypots

  7. Previous Work • Backtrack vulnerabilities… – Rob DeGulielmo , “Con Kung - Fu” DC17

  8. Exploit pack Exploits • LuckySploit, UniquePack referrer XSS – Paul Royal, Purewire, August 2009 • Zeus – BK, xs-sniper.com Sept 2010

  9. Ethics • Some ideas: – Self-defense – Neutralizing – Unintended Consequences – Worms • Left as an exercise for the student

  10. Generic Counterattacks • Worms – Get weaponized version of exploit – Neutralize attacking systems – Be careful!

  11. Windows Counterattacks • SMB is your friend • Getting attackers to bite – May require IE – Vulnerable-looking web pages that only work on IE 6? • SMB relay FTW! • Or at least capture

  12. Demo

  13. Popular security tools • Nmap • Firesheep • Nessus • Cain & Abel • Snort • Wireshark • Metasploit

  14. Nmap • No RCE • Can still mislead • Open ports • Tarpits • DoS • Demo

  15. Firesheep • And then there’s blacksheep to detect • And there’s fireshepherd to DoS

  16. Nessus • CVE-2010-2989 – nessusd_www_server.nbin in the Nessus Web Server plugin 1.2.4 for Nessus allows remote attackers to obtain sensitive information via a request to the /feed method. • CVE-2010-2914 – Cross-site scripting (XSS) vulnerability in nessusd_www_server.nbin in the Nessus Web Server plugin 1.2.4 for Nessus. • ...

  17. Cain & Abel • CVE-2005-0807 – Multiple buffer overflows in Cain & Abel before 2.67 allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via (1) an IKE packet with a large ID field that is not properly handled by the PSK sniffer filter, (2) the HTTP sniffer filter, or the (3) POP3, (4) SMTP, (5) IMAP, (6) NNTP, or (7) TDS sniffer filters. • CVE-2008-5405 – Stack-based buffer overflow in the RDP protocol password decoder in Cain & Abel 4.9.23 and 4.9.24, and possibly earlier...

  18. Snort CVE-2009-3641 • – Snort before 2.8.5.1, when the -v option is enabled, allows remote attackers to cause a denial of service (application crash) via a crafted IPv6 packet that uses the (1) TCP or (2) ICMP protocol. CVE-2008-1804 • – preprocessors/spp_frag3.c in Sourcefire Snort before 2.8.1 does not properly identify packet fragments that have dissimilar TTL values, which allows remote attackers to bypass detection rules by using a different TTL for each fragment. – –

  19. Wireshark • CVE-2010-4301 – epan/dissectors/packet-zbee-zcl.c in the ZigBee ZCL dissector in Wireshark 1.4.0 through 1.4.1 allows remote attackers to cause a denial of service (infinite loop) via a crafted ZCL packet… • CVE-2010-4300 – Heap-based buffer overflow in the dissect_ldss_transfer function (epan/dissectors/packet-ldss.c) in the LDSS dissector in Wireshark 1.2.0 through 1.2.12 and 1.4.0 through 1.4.1 …

  20. Wireshark • Vulnerabilities! – 100’s of protocol dissectors – Non memory-safe language – Usually run as root on linux – Build a fuzzer!

  21. Wireshark • Or just look it up

  22. Wireshark • Stack traces at no extra charge!

  23. Wireshark • And fuzzers come for free!

  24. Wireshark • Well, at least you can update

  25. Wireshark • Unless you can’t

  26. Metasploit

  27. Finding vulnerabilities - or - Why not fuzz? • Memory corruption – Openssl? – Ruby • Logic errors

  28. Web UI • Things get more interesting • Classic webapp attacks up for grabs • Control of msfweb = control of metasploit • Control of metasploit = control of system

  29. Web UI Structure • Frame based module launching • Available Exploits -> Select Target -> Select Payload -> Options -> Launch • Server is stateless • Until launch • /exploits/config post with options

  30. Web UI • New console creation from module • /console/index/0 • /console/index/1 … • Request to /console manually creates • Polls for output

  31. Web UI Console • Disabled commands – irb – System commands • Reliability issues – Commands occasionally fail

  32. Web UI Features • Payload generation • Frame sequence/option processing like exploits

  33. First Vulnerability • Reflected XSS in payload generation • Your encoded payload is displayed in a textarea • Stars to align: – Payload must reflect arbitrary content (can’t use normal shell/meterpreter payloads) – Encoder must generate predictable output (can’t use most encoders, like shikata ga nai) – Format must preserve output (all listed formats only display hex of encoded payload)

  34. XSS • Payload cmd/unix/generic reflects arbitrary content • Encoder generic/none leaves payload intact • Payload format still works as a filter – Ruby, Java, Javascript, C arrays

  35. XSS • Unless you use an unlisted format – raw fmt + generic/none encoder + generic CMD payload = XSS http://localhost:55555/payloads/view?badchars=&commit=Generate& &refname= &step=1& – Inserted into <textarea > … </ textarea> – XSS! </textarea><script>alert(1)</script>

  36. Vulnerability Impact • No ; or = or , allowed • Eval, String.fromCharCode first stage • XSS console control • Getting RCE – Command injection – Metasploit

  37. Vulnerability Impact • Getting RCE – Key command – loadpath – Downloading a file • Servers • Meterpreter

  38. Meterpreter • Connection process – Stager connections – SSL – Initial request – Plugins – Command flow

  39. Meterpreter • Packet structure – TLV’s

  40. Meterpreter • Packet structure – TLV’s

  41. Meterpreter debugger • View each TLV packet sent or received decoded • Get all the information needed to emulate meterpreter calls

  42. Exploit release • XSS – Creates console – Launches meterpreter payload handler – Downloads ruby payload file – Loads ruby code • Fake meterpreter to host shellcode • Targets for all your favorite platforms

  43. XSS Demo

  44. Command Injection • auxiliary/scanner/http/sqlmap – Is a special module – Options compose command line

  45. Command Injection • Also have – auxiliary/fuzzers/wifi/fuzz_beacon.rb – auxiliary/fuzzers/wifi/fuzz_proberesp.rb

  46. CSRF Vulnerability • Input validation? • CSRF • Single-shot • Generating a console – Finding a console – Reliable RCE metepreter-style difficult

  47. CSRF Demo

  48. Motivation • I’m a Metasploit developer • These were never patched • Why release? Why not just fix the problems? – Maintainability – Disclosures

  49. Meterpreter Vulnerability • Meterpreter download process: meterpreter> download foo • In lib/rex/post/meterpreter/ui/console/ command_dispatcher/stdapi/fs.rb

  50. Meterpreter Vulnerability • File is saved as its basename • In lib/rex/post/meterpreter/extensions/ stdapi/fs/file.rb

  51. Meterpreter Vulnerability • Filtering out directory traversal

  52. Meterpreter Vulnerability • Filtering out directory traversal • File::SEPARATOR == "/" even on Windows!

  53. Meterpreter Vulnerability • But nobody’s going to type “download ./.. \\..\\..\\ evil” • But they might type “download juicydirname ” • Directories will take children with them

  54. Meterpreter Traversal Demo

  55. TFTP server • Getting basename for file upload: – tr[:file][:name].split(File::SEPARATOR)[-1]

  56. TFTP Traversal Demo

  57. FTP server • Directory traversal filtering

  58. FTP server • Directory traversal filtering

  59. Irony • titanftp_xcrc_traversal.rb • FTP traversal exploit with CRC brute force • Byte-by-byte decode via XCRC command

  60. FTP Traversal Demo

  61. Scripts • Often use client system name for log files

  62. Client system name • Straight from not-to-be-trusted network data

  63. Scripts • arp_scanner, domain_list_gen, dumplinks, enum_chrome, enum_firefox, event_manager, get_filezilla_creds, get_pidgin_creds, packetrecorder, persistence, search_dwld, winenum

  64. domain_list_gen • Counterattack can save file in arbitrary directory relative to home dir • Starting with arbitrary contents

  65. Lame DoS attacks • Exploit handlers without ExitOnSession • Meterpreter memory exhaustion • Disk exhaustion: never-ending download

  66. Writing Payloads • Cross-platform RCE – Ruby is your friend – All msf libraries available for use – Can embed platform-specific or java payloads

  67. Payloads • New thread spinoff • Multithreaded bind shell with error recovery • Reverse shell with error handling

  68. Wireshark Payloads • Hard to do cross-platform • Hard to do exploits cross-platform too • Memory layouts, heap structures, system calls…

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Finite Field Functions to Counterattack Linear and Differential Cryptanalysis Daniel Panario

Finite Field Functions to Counterattack Linear and Differential Cryptanalysis Daniel Panario

Finite Field Functions to Counterattack Linear and Differential Cryptanalysis Daniel Panario School of Mathematics and Statistics Carleton University daniel@math.carleton.ca ASCrypto (Advanced School of Cryptography) Latincrypt 2019

971 views • 62 slides
WHAT WILL WE MAKE OF THIS MOMENT BLYTH TECHNOLOGY GROUP Chad Mitchell, Luke Chen, Paa Adu, Udai

WHAT WILL WE MAKE OF THIS MOMENT BLYTH TECHNOLOGY GROUP Chad Mitchell, Luke Chen, Paa Adu, Udai

WHAT WILL WE MAKE OF THIS MOMENT BLYTH TECHNOLOGY GROUP Chad Mitchell, Luke Chen, Paa Adu, Udai Baisiwala, and Wayne Shu Recent Performance A Guide to the Counterattack 11 consecutive quarters of declining revenue Over 10% decline in

411 views • 15 slides
PHP Chapter 1 Introduction Survey Have you ever written a web application? Have you used

PHP Chapter 1 Introduction Survey Have you ever written a web application? Have you used

MCIS/UA PHP Training 2003 PHP Chapter 1 Introduction Survey Have you ever written a web application? Have you used any of the following languages? C PHP C++ Java Perl Have you ever written an object-oriented

535 views • 27 slides
Peer-to-Peer Networks 01: Organization and Introduction Christian Schindelhauer Technical

Peer-to-Peer Networks 01: Organization and Introduction Christian Schindelhauer Technical

Peer-to-Peer Networks 01: Organization and Introduction Christian Schindelhauer Technical Faculty Computer-Networks and Telematics University of Freiburg Web &amp; Dates Web page -

494 views • 17 slides
a superconducting qubit and a single-electron transistor Jukka Pekola, Aalto University,

a superconducting qubit and a single-electron transistor Jukka Pekola, Aalto University,

Experiments on quantum heat transport through a superconducting qubit and a single-electron transistor Jukka Pekola, Aalto University, Helsinki, Finland 1. Heat in circuits: measurement and control 2. Thermometry 3. Single-electron transistor:

390 views • 36 slides
Nursing Nursing Informati tion Syste tem A relevant t substi titu tute te of th the paper

Nursing Nursing Informati tion Syste tem A relevant t substi titu tute te of th the paper

Nursing Nursing Informati tion Syste tem A relevant t substi titu tute te of th the paper record M.B. Michel-Verkerke Saxion University of Applied Sciences, Enschede, The Netherlands MIE 2011 Oslo, August 31 Nurse Donna Taylor uses a

404 views • 19 slides
Routing and Transport in Wireless Sensor Networks Ibrahim Matta (matta@bu.edu) Niky Riga

Routing and Transport in Wireless Sensor Networks Ibrahim Matta (matta@bu.edu) Niky Riga

10/21/2003 Routing and Transport in Wireless Sensor Networks Ibrahim Matta (matta@bu.edu) Niky Riga (inki@bu.edu) Georgios Smaragdakis (gsmaragd@bu.edu) Wei Li (wli@bu.edu) Vijay Erramilli (evijay@bu.edu) References Adaptive Protocols

633 views • 23 slides
DPICO: A High-S peed Deep Packet Inspect ion Engine Using Compact Finit e Aut omat a Chris

DPICO: A High-S peed Deep Packet Inspect ion Engine Using Compact Finit e Aut omat a Chris

DPICO: A High-S peed Deep Packet Inspect ion Engine Using Compact Finit e Aut omat a Chris Hayes Rensselaer Polytechnic Inst itute (formerly UMAS S Lowell) Yan Luo University of Massachusetts Lowell Agenda Baseline Design Design

535 views • 20 slides
QoS, CoS, BE Markus Peuhkuri 2002-09-12 Lecture topics Course organisation Why QoS Terms

QoS, CoS, BE Markus Peuhkuri 2002-09-12 Lecture topics Course organisation Why QoS Terms

QoS, CoS, BE Markus Peuhkuri 2002-09-12 Lecture topics Course organisation Why QoS Terms related to Quality of Service Chapters from book: Chapter 1: The Big Picture Course

338 views • 9 slides
Adding rigor to the comparison of anomaly detector outputs Romain Fontugne , National Institute of

Adding rigor to the comparison of anomaly detector outputs Romain Fontugne , National Institute of

Introduction Problem Proposed method Evaluation Discussion Conclusion Adding rigor to the comparison of anomaly detector outputs Romain Fontugne , National Institute of Informatics / SOKENDAI, Tokyo Pierre Borgnat , Physics Lab, CNRS, ENS

323 views • 19 slides
The News Reading Source Code, 1 of 5 #! /usr/bin/perl -w use strict; use Net::NNTP; $| = 1; my

The News Reading Source Code, 1 of 5 #! /usr/bin/perl -w use strict; use Net::NNTP; $| = 1; my

The News Reading Source Code, 1 of 5 #! /usr/bin/perl -w use strict; use Net::NNTP; $| = 1; my $the_server = shift; my $userid = shift; my $passwd = shift; my $server = Net::NNTP-&gt;new( $the_server ) or die &quot;nws: Cant connect to

631 views • 21 slides
Todd Warren CS 394 Spring 2011 Team structure at Microsoft Product Complexity and

Todd Warren CS 394 Spring 2011 Team structure at Microsoft Product Complexity and

Todd Warren CS 394 Spring 2011 Team structure at Microsoft Product Complexity and Scheduling Quality and software testing Knowing when to ship 3x Programming Program System 3x 9x Programming Programming System Product

884 views • 40 slides
Web Systems &amp; Technologies: An Introduction Prof. Ing. Andrea Omicini Ingegneria Due,

Web Systems &amp; Technologies: An Introduction Prof. Ing. Andrea Omicini Ingegneria Due,

Web Systems &amp; Technologies: An Introduction Prof. Ing. Andrea Omicini Ingegneria Due, Universit di Bologna a Cesena andrea.omicini@unibo.it 2005-2006 Web Systems Architecture Basic architecture information is structured as ipertext

560 views • 20 slides
Collecting and Analysing Traffic Profiles within a Commercial Network Prof. D. J. Parish P.

Collecting and Analysing Traffic Profiles within a Commercial Network Prof. D. J. Parish P.

Collecting and Analysing Traffic Profiles within a Commercial Network Prof. D. J. Parish P. Sandford High Speed Networks Group Loughborough University Presentation Summary Overview of the Detecting and Preventing Criminal Activities on

346 views • 32 slides
The Jasmin Script MIB Implementation and its Use for Policy-based Management Frank Strau

The Jasmin Script MIB Implementation and its Use for Policy-based Management Frank Strau

The Jasmin Script MIB Implementation and its Use for Policy-based Management Page 1 The Jasmin Script MIB Implementation and its Use for Policy-based Management Frank Strau Institute of Operating Systems and Computer Networks Technical

213 views • 18 slides
Security &amp; Privacy in P2P Networks Niels Olof Bouvin 1 Overview Aspects of security*

Security &amp; Privacy in P2P Networks Niels Olof Bouvin 1 Overview Aspects of security*

Security &amp; Privacy in P2P Networks Niels Olof Bouvin 1 Overview Aspects of security* Venues of attack Techniques for anonymity &amp; censorship resistance Securing a DHT *This is not the interesting part to talk about during the exam 2

964 views • 62 slides
3D Tricks: Engineering Innovation on the Nintendo DS Chuck Homic &amp; Greg Oberg Vicarious

3D Tricks: Engineering Innovation on the Nintendo DS Chuck Homic &amp; Greg Oberg Vicarious

3D Tricks: Engineering Innovation on the Nintendo DS Chuck Homic &amp; Greg Oberg Vicarious Visions Who are we? Vicarious Visions An Activision Studio 10+ years in handheld and console development Handheld experience in Game

751 views • 62 slides
TF-NOC flash presentation NOC at DeIC (Danish eInfrastructure Coorperation) Mashed up by Jan

TF-NOC flash presentation NOC at DeIC (Danish eInfrastructure Coorperation) Mashed up by Jan

TF-NOC flash presentation NOC at DeIC (Danish eInfrastructure Coorperation) Mashed up by Jan Ferr, Network Op. Man., May 2013 Network What infrastructure have your organization deployed? Fibre and collapsed backbone (Cisco 7600) What

525 views • 10 slides
Performance Implications of NoCs on 3D-Stacked Memories: Insights from the Hybrid Memory Cube

Performance Implications of NoCs on 3D-Stacked Memories: Insights from the Hybrid Memory Cube

Performance Implications of NoCs on 3D-Stacked Memories: Insights from the Hybrid Memory Cube (HMC) Ramyad Hadidi, BaharAsgari, Jeffrey Young, Burhan Ahmad Mudassar, KartikayGarg, TusharKrishna, and HyesoonKim Introduction to HMC 2 } Hybrid

663 views • 25 slides
Monitoring at CCC NOC How the Internetmanufaktur uses prometheus Frederic Jaeckel GitHub, Inc.

Monitoring at CCC NOC How the Internetmanufaktur uses prometheus Frederic Jaeckel GitHub, Inc.

Monitoring at CCC NOC How the Internetmanufaktur uses prometheus Frederic Jaeckel GitHub, Inc. fjaeckel @jaycieh Whats the CCC Congress/Camp? Non-profit organisation of computer hackers/nerds/professionals Event that runs for 4-6

657 views • 18 slides
Hardwired networks on chip for FPGAs Kees Goossens (TUD, NXP) Muhammad Aqeel Wahlah (TUD) 2

Hardwired networks on chip for FPGAs Kees Goossens (TUD, NXP) Muhammad Aqeel Wahlah (TUD) 2

Hardwired networks on chip for FPGAs Kees Goossens (TUD, NXP) Muhammad Aqeel Wahlah (TUD) 2 overview applications network on chip FPGA key ideas hardwired NOC unified interconnect data coercion / type casting dynamic partial

408 views • 16 slides
Digital Circuits and Systems NOC, Spring 2015 Quiz 6 Solutions For questions, refer to the Quiz

Digital Circuits and Systems NOC, Spring 2015 Quiz 6 Solutions For questions, refer to the Quiz

Digital Circuits and Systems NOC, Spring 2015 Quiz 6 Solutions For questions, refer to the Quiz page. Only the solutions are given below. Q1: When a number is divided by 4, then we will get a remainder either 0,1,2, or 3. So, FSM needs 4

301 views • 9 slides
Constrained Nonlinear Optimization Moritz Diehl &amp; S ebastien Gros S. Gros, M. Diehl 1 /

Constrained Nonlinear Optimization Moritz Diehl &amp; S ebastien Gros S. Gros, M. Diehl 1 /

Constrained Nonlinear Optimization Moritz Diehl &amp; S ebastien Gros S. Gros, M. Diehl 1 / 12 Outline KKT conditions 1 Some intuitions on the KKT conditions 2 Second Order Sufficient Conditions (SOSC) 3 S. Gros, M. Diehl 2 / 12

732 views • 44 slides
Application of CADP to Hardware Validation Abderahman KRIOUILE and Massimo ZENDRI

Application of CADP to Hardware Validation Abderahman KRIOUILE and Massimo ZENDRI

Application of CADP to Hardware Validation Abderahman KRIOUILE and Massimo ZENDRI STMicroelectronics Forum Mthodes Formelles &quot;Le Model-Checking en action&quot; Toulouse, France, Oct 2014 Agenda 2 20 years of Hardware Validation

569 views • 33 slides

More recommend