SLIDE 1
Introducing Weakness Into Security Devices – Tuning To A Different Key
Arron “finux” Finnon, BSidesVienna 20/1/12
SLIDE 2
Evasion Techniques
Dancing Past Your Defences!!!
SLIDE 3
3 Things I Want To Share
Today's Outline!
SLIDE 4
ONE – Obtaining Samples
Diversity Is Important
SLIDE 5
Two – Knowledge Is Key
Understanding What We Know
SLIDE 6
Three – Implementation Is Critical
When Is It Not!
SLIDE 7
The Threat
From Vulnerability to Exploit
SLIDE 8
MS08-067 Vulnerability
The ChrisJohnRiley of Exploits
SLIDE 9
SLIDE 10
Metasploit Framework
The Tool of Champions
SLIDE 11
Security Devices
Okay, It's IDSes Today
SLIDE 12
The Common Intrusion Detection Framework
Events, Analysers, Countermeasures, Data/Storage
Arron “finux” Finnon BSidesVienna 20/1/12
E-Boxes A-Boxes D-Boxes C-Boxes
SLIDE 13
To React or Not To React
Events need to be understood
SLIDE 14
Taking Something At Face Value
Leaves A Lack of Understanding
SLIDE 15
So My Story
Finux has a tale or two
SLIDE 16
Show Evasions
DCERPC::smb_pipeio
SLIDE 17
Documentation Time
DCERPC::smb_pipeio – Use a different delivery method for accessing named pipes
SLIDE 18
“The "trans" option will use a NtTransact command on the named pipe to deliver a request and trigger a reply from the server. During the development process, I noticed that just sending a "read" request after stuffing the request down via plain named pipe writes would also trigger processing.”
HD to Finux – 08/08/11
SLIDE 19
set DCERPC::smb_pipeio rw
SLIDE 20
set DCERPC::smb_pipeio trans
SLIDE 21
Popularity Is Social Proof
Because it's cool it's right?
SLIDE 22
Your Added Bonus !
“..and one more thing” Moment!
SLIDE 23
The Dangers of Character Matching
The Butthead Evasion Technique
SLIDE 24
SID:1239 - RFParalyze
WTF, CVE-2000-0347
SLIDE 25
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS RFParalyze Attempt"; flow:to_server,established; content:"BEAVIS"; content:"yep yep";)
If there is an established TCP connection to port 139 and you see the string “BEAVIS” and the string “yep yep”, please alert!!!!!!! Nothing else about the traffic is checked.
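An added illustration, not code from the talk and not part of Snort: a deliberately literal re-implementation of the matching logic of the rule on the slide (Snort 2 semantics, where a content match without nocase is a case-sensitive byte search and contents without offset/depth/distance/within each search the whole payload independently), run over a handful of payloads constructed here for the purpose. The Packet type, the sample bytes and the helper names are assumptions made for this example; none of it is real RFParalyze traffic.

```python
# Added example (not from the talk or the Snort project): a minimal
# re-implementation of the matching logic of the SID 1239 rule as printed
# on the slide, run over constructed payloads to show what a bare
# content-match rule does and does not catch.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    dst_port: int
    to_server: bool   # stands in for flow:to_server,established
    payload: bytes


# The header and content: options from the rule on the slide. Without
# 'nocase' a Snort content match is a case-sensitive byte search, and
# without offset/depth/distance/within each content independently searches
# the whole payload; the alert fires only when every content is found.
RULE_1239 = {
    "dst_port": 139,
    "contents": [b"BEAVIS", b"yep yep"],
}


def matches_rule(pkt: Packet, rule: dict = RULE_1239) -> bool:
    """Return True if the rule on the slide would alert on this packet."""
    if pkt.dst_port != rule["dst_port"] or not pkt.to_server:
        return False
    return all(needle in pkt.payload for needle in rule["contents"])


def alerting_packets(packets) -> list:
    """Indices of the packets that would raise the RFParalyze alert."""
    return [i for i, pkt in enumerate(packets) if matches_rule(pkt)]


# Constructed sample payloads (not captures of real RFParalyze traffic).
# The leading bytes are filler standing in for whatever framing precedes
# the strings; only the two literals matter to the rule.
SAMPLES = [
    # 0: both literals exactly as the rule expects -> alert
    Packet(139, True, b"\x00\x00\x00\x10BEAVIS yep yep"),
    # 1: same bytes with the case changed -> no alert (no 'nocase')
    Packet(139, True, b"\x00\x00\x00\x10beavis yep yep"),
    # 2: one literal swapped for another word -> no alert, although
    #    nothing else about the packet changed
    Packet(139, True, b"\x00\x00\x00\x10BUTTHEAD yep yep"),
    # 3: a harmless file-share payload that happens to carry both strings
    #    -> alert (false positive)
    Packet(139, True, b"\xffSMB notes.txt: watched BEAVIS, yep yep"),
    # 4: identical bytes to port 445 -> the rule never looks at it
    Packet(445, True, b"\x00\x00\x00\x10BEAVIS yep yep"),
]

if __name__ == "__main__":
    print("alerting packets:", alerting_packets(SAMPLES))  # -> [0, 3]
```

The rule keys on two literals the attacker chose, not on anything the vulnerable code actually depends on, so a byte of case change or a different word removes the alert while a benign payload carrying the same words raises it.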
SLIDE 26
SLIDE 27
SLIDE 28
SLIDE 29
That's All Folks!
This Will be That Q&A Time
SLIDE 30
Conclusions Time
Brace Yourself
SLIDE 31