Security BSides Athens 2022 (live stream part 2)
Show transcript [en]
good morning to everybody sorry for the inconvenience this morning i really hope you can hear us now um we have a third-party sound console here that refused to cooperate it was not any it is not our equipment so there was nothing we could do about it um let me know if you can hear us all right is it the sound okay um um well good morning good morning to everyone good morning from athens um thank you for joining the live stream this morning hope we didn't have this little um issue i have olga with me this morning olga this year's is uh back from london here in athens which is really really great to have her around i haven't seen
her for more than a year i believe um more than two years perhaps wow yeah and um over to olga a very warm welcome from athens uh we are very happy to have you with us i'm not sure if you can hear me i hope you can hear me as well uh with as you may have already noticed we've prepared an exciting um event for you this year and we will be very happy to welcome you on board live from athens next year as well so hope you enjoy your event our event and we'll be here for any questions or any comments that you wish to share with us so enjoy the show
yeah just let's make sure that the sound is as it should i get the feedback from here um um apparently we need to increase our input let's see can you hear us right now is it okay i think it's the um it's better now yeah let me know if um if you can hear us um while everybody's having their coffee break we can still say good morning one more time to everybody let me double check for a second yes i think i think we're okay uh i think sound now it's uh as it should be right yes okay we got the thumbs up from uh nicos pisaneves on the other room we will um stream to you again to see
how things are going up here um yeah let's um good morning to everybody once again for those who are joining the the streaming right now uh again apologies for the inconvenience this morning we have a third-party sound console which is not our equipment and it failed to connect to the mac and apparently there is a known issue with the road console connecting to maximum there is nothing we could do we had to restart our streaming software and the console as well again good morning to everybody i hope everyone is connecting to this new stream at the moment please do comment and invite your friends please refresh please let people know we posted a message to let people know
that we will do this they have to refresh their stream on youtube it's now is live and you should be able to hear us without any issues and we will try to give people time because we have like a 10 minutes coffee break anyway so i believe they will hopefully they will figure out that they simply need to refresh their page so youtube gives them the new um live streaming for them to click on olga how was it covered in the uk did you enjoy your time with boris it was very exciting so very exciting um being locked inside and then we had we gradually had different measures it's like every now and then things were changing i think it was the
same all across the world uh so much uncertainty and so many new things to learn but now it seems like we're getting back to normal well let's see let's finger cross as they say um last week it was infosec um london infosec europe in london for that at excel london basically happening in person again and apparently there were people going there but they were not having the numbers that they used to have yeah i guess so um it seems that yeah it seems that things are trying people are trying to do things but it's not always the same isn't it it's i think there's it comes back to the uncertainty so people don't really know how to to
handle the situation yet or yet or it's going to be an ongoing thing let's let's hope that one um end up you know locking us in for winter again um this year oh no i don't i don't even want to think about it so yeah welcome to anyone and those who are joining the stream again um again apologies for the streaming issues we had an issue with the sound console which is not our equipment and this is the console right here it had an issue and we had to reboot uh reboot fixes almost everything i suppose um we are during the coffee break at the moment so there is enough time for you to go grab a coffee join the stream
message your friends um to join again the stream um let me put the little video on and let us um do some more checks from our side and we'll be right back
[Music] so [Music] so
[Music]
[Music]
[Music]
[Music]
foreign [Music]
[Music]
[Music]
[Music] so [Music]
[Music]
foreign [Music]
[Music] so [Music]
[Music]
[Music] so [Music]
foreign [Music]
[Music] so
[Music] so
[Music]
[Music]
foreign [Music]
[Music] so [Music] so [Music] so
[Music]
[Music]
foreign [Music]
[Music] so [Music]
[Music]
[Music]
[Music]
williams [Music]
[Music]
[Music]
[Music] so [Music]
[Music]
williams [Music]
[Music] so [Music]
[Music]
[Music]
[Music]
good morning to everyone from athens good morning good morning i hope you're here without any issues at the moment and everything works exactly as it should we have also posted the message regarding the cpe certificate i hope everyone can see this you need to go and sign your name and email address to the to this form um once you do that there will be a second form later on in the day those who sign both forms they will qualify to receive the certificate of attendance that means once you receive that document in two three weeks time that means you can claim 10 cps for those who are collecting professional credits let me remove ourselves for a second
from this from the screen so you can read this a lot better um yeah it is more or less the same process as last year so those of you who regularly join us we'll just follow the same process for those of you who joined us for the first time this year you'll see that it's a very simple form we just need to confirm that you've attended the whole day so that's why we've got two separate uh forms for you to complete so once now it's just your first attendance recording if you wish and later on this afternoon you will just need to confirm that you're still here and you can get the full day cp's for
you thank you olga um i hope everyone can see the message of the screen we have a confirmation that you can see the message on the screen please take a few seconds to sign the particular form i think the form also will be a copy paste on discord so you don't have to guess the letters so i think nicos is in the other room um he will also paste the link on our channel on discord so it is for you to simply copy paste the url yeah and um yeah please check discord for the link we will now return here so you can also see us we are ready to move on with our next
talk please stay tuned during the day you have to sign the second form as well for to qualify for the certificate of attendance we have tales from the devsecops let's see enjoy the next talk enjoy
hello people i am gender reiki security engineer at scrooge in this presentation we are going to talk about provisioning museum with code and about the whole thing with our infrastructure school trend and the workflows it suggests sometimes the securities basically to introduce the concept of cm is the thing that might inform us if we're getting hacked and consists of four basic components first of all the search engine that stores and searches the logs and generally does the heavy lifting the various data receivers and the other collectors that deliver the logs to the system an engine that does low correlations depending on specific rules exceptions and finally a system that alerts us on successful correlations in
various ways like emails or slack or whatever at screws we use an elastic cm with kibana elastic agents and that's our kind of stuff our data sources are vary from aws to openondap so it contains all kinds of things finally we use a very small project for echo which has alerts and command trigger so here we play a cm completely from scratch but in our brands at scrooge we use kubernetes with a pretty standard open source setup like nginx asset manager where we've let's encrypt our certificates external dns generally that kind of stuff generally we use heavily tested stuff that work well both on premise and on cloud so to deploy the cm we use an open source
project called blue bar created a while ago by calligrami the repository consists of our terraform modules and examples that deploy elasticsearch hibana and the rest using help the project is inspired from redbar another terraform level for offensive cloud infrastructure such as c2 systems directors bailout servers and such and it works on all kinds of burners classes like from min cube to cloud mineral services anything goes this is how the empty bed where everything will get blown looks like and this is uh how the complete picture looks like and the deployed services that get there so all these services get a tls enabled endpoint for us to reach and consume and also they their interconnections between them are all
tls enabled finally this way we end up with a default gm deployment that has alerting command triggering dashboards an exotic love connection so now george will explain to you how to configure the elastic stack as code hi this is george i'm a security engineer scrooge and we're going to talk about configuring the elastic stack as code logs logs are important they are generated by services and applications these logs provide information for what is happening right now and this kind of information needs to be transformed to provide a value to us or an administrator bits and fluency data zippers and data collectors are used to gather acoustic logs these sets of data are set to elastic
indices or indexes an index has a structure predefined by an index template and the incoming data are enforced much destruction the incoming data might need some transformations and this is achieved by ingest pipelines in steps using processors a processor might be a simple addition of a field or a deletion or a modification or a calculator our indexes can include data retention policies in defined phases the faces are hot warm cold and then delicious finally snapshots are taken regularly as daily backups and all of these components of course can be configured from kibana but it has to be done every time a new setup is deployed so we create a structure portable and auditable way to
maintain these configurations as code and do it only once alright the same applies for users roles and privileges for the cluster and kibana dashboards rows have specific and can have multiple privileges a user might also hold multiple roles to perform its action everything can be configured of course by clicking and dragging jogging and dropping and huffing from ibana but if you do it as code you do it only once and you have the ability to make to maintain it to review it and to monitor any change the elastic stack has multiple moving parts and its deployment includes organization specifics so you have to set up something according to each organization's needs these questions might look familiar to
you tracking rolling back changes retaining backing up logs managing users adding removing whatever clicking around banana can be from tedious impossible so we try to solve all of them with the s-code approach now for a real this is an actual module created to define a composable index template or a legacy one you can set up its type name and policy the alias the intervals and the charts and patterns shown on kibana dashboards even the pipeline and the mappings of special fields such as an ip address some fields such as the final pipeline and the static template mappings are of course optional this way you can configure and create a new template only as code down below you can find an open source
telephone provider for these configurations from field baker and we created modules based on this provider the snarsel module the snapshot module defines the chrome format schedule that the snapshot name where to store the backup and the indices that need to be backed up the index lifecycle management module defines or ilm defines the faces the hot wormhole and deletion alongside the max size and the days passed for its phase that means if we reach a threshold of gigabytes or a date we can move on to the next phase the ilm module might need to wait for a snapshot pipeline the pipeline module specifies some basic fields such as naming description the time is the type is a custom field
because our module can accept a json structure or an inline pen script as a processor some new lines and double slashes need escaping to work their magic with both processors and it's not the most beautiful thing i know but at the moment it does the job and it does it pretty well finally the actual processor this is uh the heart of the pipeline this processor uses both a json and a painless script in two separate files for cleaner code and better reviews probably we could just output a whole script in one line but this is more readable this processor for example includes a group pattern that maps opened up log fields vcs and a pending script that adds and calculates
a new field if the event was captured in companies of ours so with this script you can catch actors if they work at midnight thank you now is kiki hello i'm kj and i work as a security engineer at schools and in this part i'm going to explain to you how we manage to keep elastic cm runes exceptions and lists as well and let me give you an example to explain how exactly they work let's say that we want to create a rule to catch any dns that is not the cloudflare and the exception container contains two items so as not to trigger the rule only when a chromecast device is going to google dns and also when the traffic
is coming from just wi-fi network the ips of chromecast devices are parts as values in the list item structure of elastic rules is as defined by official record of elastic detection rules rules are expressed as common files describing the rule giving some unnecessary properties such as the name of the rule a time range from one two sides indices for example five million packaging and the type of the rule that can be either a queen a threshold rule or an equal rule and here a very interesting thing is the reference of exception containers uh keep in mind that in this way we cannot create exceptions or at least with this in this so the way to overcome this is by
creating exceptions as defined by elastic exception api which can be expressed as java files the yummy file contains the part of the exception container in which simply we describe the items where every entry does have a log field and a value or a list to get it set against finishing the s code part the lists don't innovate they are defined by last week's session api and expressed as yummy files likewise the exceptions the structure of the list consists of list containers and items a list container describes the list items actually and the list items include the values of the container that is the eyepiece of the broadcast devices in the example good to mention that the interconnection
between the item container and the lists happen through directory structures as anyone could imagine maintaining such a convict structure for its cm rule is not is okay that's why infrastructure is one way so every sim room is implemented by a terrible provider abstracted by a repository template that manages the yaml and thumb files of rules exceptions and items hence the only thing you have to do is to write your own dom file and jump file all this code is open source and managed with github workflows for automatic terraform plan and applying integrating with the official elastic detection rules depositor kit is of course our best friends to review change management this way no one is able to make a change
on the repository without being firstly reviewed by the teammates thank you very much feel free to ask
hello athens welcome to kum hijacking vudu presentation my name is nicos vortas i'm glad to be here thank you for the invitation i hope to don't disappoint you for the next 20 minutes i will talk about common hijacking persistence uh who am i my community name is nick wood or ncv my friends call me nick wood it's a counter-strike name i'm cyber security consultant and terrorist at young greece i have oswp and crto the last one is my favorite i was speaker at devsecond chapter greece besides tirana and cyprus i'm community supporter of cloudbridge.io furthermore i'm author of com hunter root and tools i am member of big warriors ctf team shout out to my guys
and this is my twitter if you want any collab please send me dm probably i will answer you i'm not a diva today we will speak about what is calm and we'll explain come more deeply and will show a lie i will show an action about the comm hunter tool com what is com okay the full name of com is a component object model it is a windows built-in software interface com is useful for their communication for rank applications mc1 application functional to another and supports a large variety of different programming languages in order to avoid any conflict or troubleshooting of communication of different applications in different written in different languages here is an simple example of using com
i will have a word document and we want to empty a worksheet from excel file uh for this action com works for you behind the scenes uh and here we have the worksheet in the document okay let's move on com relationship okay we have an application name and and application b application name may be is the word document the application b maybe is the excel document for the previous example the application is the com client the application b is the com server application a request for an referring object from application b and application b returns its functionality any component of application b has a unique identifier named class id okay each comcom component is the is the defined via
class id which is observed randomly globally unique identifier each com component exposes functionality via one or more interfaces identified the interface ids a com class is an implementation of one or more interfaces represented by their class ids or programmatic the identifiers prog id this is an example of class id in probably in your system
the machines the local machines come objects are in hive hive key local machinery is the software classes path and users come objects located in hiveki current user registry software classes path probably you know that okay the hive key class route is the merge of a high key local machine and have key current user registry
but we have something very interesting here it will have the same entry in the local machine registry and the high in the and in the current user registry the entry of current user registry comes first of a local machine register more specifically if an attacker has an entry in current user registry with malicious dll this entry will run first of local machine registry entry okay last but not least about com relationships the local server key represent the full path to an executable implementation the in proc server 32 key represent the full path to a dynamic link library implementation okay this is an example of class class id probably in your system again this is from microsoft teams
as you can see in proc server 32 key and this is uh the dll file as we sent as we said in proc server 32 supports only dll files com hunter okay com header is a 40.8.net framework application ncsr tool about com hijacking persistence author okay it's me and the code review by dimitri cicopoulos i will say a special i want to say special thanks to the mr copulos my exco working from 12 sec uh you are a teacher for me uh thanks for any advice tips about the code the format the optimization and i want to announce that me and dimitris the meters and me will release more tools in the future the current version of com100 is 1.1.5
and this is the ascii art of com hunter probably you will see that this is a long version because we took the picture from the first version
some useful some useful things about com hunter finds out entry vault class id in the victims machine finds out valid class i this via task via task scheduler finds out if someone already used any of those valid classes in order to do com com persistent this is a defense feature it supports local server server 32 in proc server 32 as we said before about the exact dll find out if someone already used any valid class id via scheduler in order to do a comp resistance tries to do automatically comb hijacking persistence with general valve class id tries to automatically come hijacking persistent via task scheduler and tries to use trade task key in order to refer to a different component
okay let's see how comb hunter works in action here is rc2 i use a cobalt strike okay we have access on victi's machine we don't care how would gain the this access okay
okay
let's try to upgrade interactive cell okay here we are first of all we need to upload evil dll invictus machine
okay we will use it soon let's execute commhunt com hunter on memory
okay let's do this for the full screen here is uh the full menu of com hunter as we said before we have two modes search and persist the search mode has two method four methods the persist mode has three methods okay let's use compounder to find a useful class id without using any tool from cc tunnel suite like procmon okay as you can see com hunter found those class ids furthermore it's very interesting if you have if you use compounder in a system which has pre-installed some other application like chrome or firefox browser com100 will find them and will try to find any useful class id as you can see okay back to our example
okay we'll use this class id because it's very promising
persist mode general method here is our class id and this is
the arrival dll okay com hunter says that we have persistence in the victim machines let's restart the machine okay we don't need
this okay
when a machine will power on
the user will be will sign in
will gain a new beacon as you can see we have con persistence under dll host process okay let's go from for from the defense side suppose you are a com a threat hunter okay and you want to use com hunter you can see that the com100 found that someone used this have have used this class id and someone has persistence on your system okay let's go here
okay
and now we'll use it again nothing suspects from found here your system appears to become comparison free okay back to cobalt [Music] we can see that we remove the evil deal from registry but the beacon still works let's use it again to do another transistor persistent page systems
okay full screen okay let's use the search mode get task
okay come hunter found like valid classic dv attack scheduler is very promising let's use this for persist
for task edger we don't don't don't need to add the class id it do it automatically
okay commander says that conversion in this system okay let's restart the system again but no need to restart the system go back and try to sign out okay and sign in again
they'll become stopped but now we had a persistent under the process dll host now we have persistent under the task scheduler
okay let's suppose that the user want to sign out again
bacon stopped as you can see doesn't work
the user will sign in again a new beacon appeared every time that the user will sign out and will sign in we'll take a new beacon and they're all done we will will stop okay let's go from the defense side okay find task scheduler okay sorry
someone used a scheduler and this class id to do comp resistance so back again [Music]
to registry in order to remove it
as you can see this is our level dll let's remove it but the beacon works
okay this is the comb hunter thank you for your attention i hope you like it and last but not least it is what it is boys
williams [Music]
[Music]
[Music] so [Music]
[Music]
[Music]
today we're going to talk about lessons learned automating the incident life cycle within the context of sock but first i want to make a quick introduction my name is alexandra cino i'm the head of the in viso fusion center operations i have some experience building security operations centers out in the middle east previously i used to work for the largest mssp in the world known as del secure works as a senior intrusion analyst and before that i was in the united states military as a fire support specialist and i would like to also introduce my colleague who's a co-presenter with me today roger stinkins uh thank you alex um i'll also quickly introduce myself my name is walter
stinkis i've been working at a visa for four years i have a background as a devops engineer and in cloud security as a development engineer big parts of your work is automating stuff and that's also what i've been doing uh as the source engineering team leads lm visa all right thank you walter um just before we dive into the cool stuff like the automations and those sort of things we should break down the perspective of why automation is so important now when you look at the traditional sock each analyst they have about 20 minutes per security event or 20 minutes to handle a security event right now those numbers actually add up quite a bit
um most of the time a security uh a sock analyst can actually handle a maximum of 25 security events per day and the big problem is okay we have a huge lack of personnel worldwide so how do we deal with that and we know that um from our experiences that automation is key now we took a seven day time span and we calculated that we ingested 647 security events and if you use the map that we displayed above that would take about 26 analysts to handle all of that so you do the math and how what type of a cost that is and now just for you to have 24x7 alone without factoring in all the security
events you need about 12 analysts now when we saw those numbers we decided immediately to start automating and start assisting the analysts with automations the first thing that we saw is that our automations actually decreased the analytical workload by 97.42 of 5790 alerts that we took in that time period only 145 were manually analyzed in seven days by the sock this reduced cost down to 1483 euros as opposed to 59 251 so the math is there and it makes a lot of sense to handle it this way now but now to explain a little bit about why this is important and why it's so effective let's look at the traditional stock so in a traditional sock this is
what you would have you would have isolated components none of them talking to each other and other than working with it with each other so everything in a different silo which increases the number of clicks for an analyst to resolve an incident to find the information that they need significantly and it makes them less apt to going into all those individual devices at the end of the day in order to find the information that they need so what do we do to solve that we use a security orchestration on an automated response platform called xor and we do a lot of development on top of it and that way we can actually work with all the different components
without actually having to go to those platforms so we assemble all of the data into one spot where xor will become the central nervous system of your entire security operations center and all of the uh capabilities that uh that are available for for your analyst will be built into one uh platform so isolating machines running anti-virus scans resetting passwords revoking sessions making a phone call getting information on what ports are open on a specific device by getting a reputational analysis from virustotal from your threat intelligence feeds all in one place for the analyst and just completely handled by automation and presented to them so that it actually takes the analyst significantly less time to handle an incident because they have a
hell of a lot more contacts to work with so these are all important factors so not only just automating from the entire events but also reducing the amount of time and effort that it takes an analyst to make a conclusion on a particular security event now just to go through a bit about the incident life cycle and the way that we manage it here in viso so we put it we built something up at a high level uh the first step is triaging so we build our integrations into the xor platform we only pull in from the security and products such as the edr and the sim and what we do when those are ingested we immediately
start enriching those events with other various types of data so for example we'll take all of the ip addresses all the hashes all of the user accounts the hosts and we'll start converting those into indicators of interest those indicators of interest are actually stored in a panel for the analyst for them to be able to see all the relevant information that they need now in a lot of cases we even store data inside of the indicators themselves so when we extract a phishing email for example that entire phishing email sample is actually laid out for the analyst inside of xor so no need to jump all the way into another tool just to see the layout of a phishing email so
taking it maybe one minute just to analyze fishing events now as opposed to 20 or 30 minutes per each fishing event because you got to jump into you know one or two different platforms to do that now the second step is the incident management portion right this is where you classify events this is where you decide how you want to notify people this is where you want to decide if this should go to an analyst right now and it does a hell of a lot of filtering and and then it goes into the analysis phase the analysis phase we try to do as much automation as possible without uh adding additional risk onto our customer
base or or into any of the customer environments so we don't automate where it's not practical and not wise to do so now um basically a lot of the full automations that we do are um checklist that analysts would do anyway so they're manual steps that we fully automate uh one great example is called the access anomaly classification which we've built and from that we're able to fully automate the analysis of an impossible travel activity and we can do it significantly faster than a human being and most times it's either something interesting or a compromised account that comes in so when that is done we then we um we then notify the customer through ticketing
through phone calls um through other various uh methods and then we determine do we need to destroy the actor now is there something in here that we need to do so again do we want to revoke a session do we want to isolate a machine and how do we give those tools to a socket analyst so that they can start taking action now and this these components is what makes a traditional sock or you know it's the difference between a traditional sock and and a future sock which is built on orchestration and automation and those are very very key elements now from here i'm going to hand it back over to walter who's going to talk a
little bit about sword development okay thank you alexander um as alex said um i'm going to dive in a bit deeper on how to do the soul development um and adam wiesel we've been doing um using xor for more than three years now and we're currently our third generation of the automation stack and we use cortex xor as an automation platform and then you have two concepts to actually create your automations one is playbooks which is drag and drop programming so you can actually define a complete automated workflow without writing a single line of code and you have automations there you can actually host your own python code and do everything in there um generation one and generation two um
playbooks and then automation stack we actually had the principle to do everything within playbooks why because we wanted our engineers to be able to create those playbooks without needing to know python but from experience we've learned this had some disadvantages mainly performance and here you can see the table with the how long it would take to or for us to only do engagement with playbooks generation and a generation three and with um by doing as much as possible actually in python code uh we had well we have improved performance by almost one hundred percent which is well from performance perspective insane to to do it like that uh currently running our entire playbooks can be done
well between well at least under one minute but we'll show you that after uh at the demo at the end of the presentation um one of the consequences of actually doing as much as possible in code is that well it becomes a development development project and this also means that you have to implement some of the principles you would do um when doing development with my background as a devops engineer i did a lot of these things um so the things we actually implemented is things like test driven development deployment pipelines and all of these things and one of the important things that we implemented to structuralize actually all the development effort as we started using uh the scum methodology
scum is actually an agile development methodology which allows you to structure your development efforts and beginning when we started using xor uh we were just two guys um developing playbooks on a production environment and and the requirements weren't clear we just okay we had daily calls with uh with with the sock manager alexander and we were just implementing stuff and we're just going going going um when you do this with two people it's kind of manageable but now we grown our team into six um solar engineers who they are dedicated um uh just uh right automations the entire time well if you grow your team you need a better methodology and what's come as common
actually allows you or requires you to first define all of the requirements for development as user stories and everything needs to be cleared what you need to develop um once that's clear you need to plan it and and the nice thing about scrum is you can incrementally improve all of your processes and at the end of the each scum sprint and when it's come you use a sprint of two weeks where you plan all of your development tasks at the end of the sprint you um you do a retrospective meeting where you actually reflect on the previous spin to see okay what went well what didn't went well and what well then better we've been doing this for almost a year
now and you really see that um we have been able to produce much more we have been able to do a planning because in the beginning it was impossible for us to um to commit to our customers okay this is when your feature request will be delivered that's something we can actually do now because we have an insight on how how many development uh how many development dolls can we actually do within one spend and also when you do development uh some other things actually are also really important first of all um put everything into version control i have to make sure that everybody's working on the same code base very important one um have um
don't develop on production you would think that's logical but that still happens uh we have a development testing qa and and and production server and we use our version control to move everything between those servers uh all of our code is on hit up now we use pull requests between different branches those pull requests need to be reviewed by by somebody else who developed it and all of those things so when you start doing this treat it as a development project implement the same principles as you would as when developing software basically that's a very important one so now to the interesting part uh we're going to show you a demo the scenario of the demo is um where oh first we're
going to show you the end user perspective and the scenario is the ceo opens a malicious document on this laptop um and and first we will show you the end user perspective to show you how long does it take for ultimate automated mediation actions to be applied and then we will show you how this all looks in xor and how this exactly works uh so first we'll show you the end user perspective and this is the laptop of the ceo um we're going to show you exactly how long it takes so let's start top stopwatch and execute the malicious document now we have cortex xdr uh installed as an edr tool and after 39 seconds it has
already detected that okay something malicious has happened on the on the laptop this alert will now be ingested into xor um and uh organelles playbooks will determine that well the cat is actually uh the the malicious document has been allowed to run and it would automatically execute a v scan so here you can see after two minutes after the alert has been generated the av scan has already been executed the second immediate remediation action that will be executed as a machine isolation this is a semi-automated process which requires an approval from a senior analyst so depending of course on how long the scenic analysis takes to approve it the machine will be isolated so here you can see that
after uh well in total four minutes um one total four minutes the the the the threat has been uh detected our remediation actions have been taken and the the cat has been contained so how does this look like in excel here you can see the the xor interface this is one of the dashboard this is actually the dashboard that the analyst looks at every day so if a new incident comes in the it will show up in this dashboard xor pulls alerts every minute so we can take up to one minute before the alert is actually in our swat platform so let's refresh this dashboard until the alert is
there it is this is the alerts let's look at the playbooks that are being executed now it's already on the analysis playbook okay now it's already on the notification playbook and because this is the laptop of the ceo which is defined as a critical asset a different escalation part is actually followed so our analyst will get a phone call because this is alert from the yeti social security operations center this is a severity alert for wildfire malware laptop ceo press one at any time to acknowledge fizzler to hear more details please press two thank you for acknowledging this so that's actually the goal that a senior contribution analyst will get because this is a critical uh severity
alert uh and this is a gold chain that's well if somebody doesn't acknowledge it it will go to the next person so and now we can already see all of the remediation actions actually have been executed um and um well we'll see how this looks like um well maybe first of all i'll show you the interface itself this is the interface of pixel what you can see here is on the left you can see all the case details the severity okay it is a critical asset it's not aggregated the incident is of the outcome is allowed which means that the cat has not been blocked um here you can see the the investigation data so what the result of
the analysis playbooks were so here it says the threads were detected but they were not all contained here on the here you can see all of the indicators which are actually in the alert in the incident so all the hashes the sample uh which user account which hosts all of these things here you can see the actual malicious document that got executed and um we also try we ingest alerts from different seams and we present a unified interface and just one layout to the analyst depend on that doesn't does doesn't matter which um source product actually the alerts generated so in the remediation tab here you can see all of the available remediation actions here is a
list of the ones that have actually been executed so here you can see okay scan the spending and isolation that's pending approval so um this actually requires a proof senior analyst so what they need to do is
first click the load button to see the approvals then they have to approve it and then submit the approval here you can see okay the status approval status is approved and now it's waiting to be executed and this actually runs on the job on the background um so that okay here you can already see that the machine has been isolated so this is actually how this looks like in exo excel allows you to completely customize the interface which is really nice this is a completely custom tab that we created ourselves and with the automations on the background you can actually run all of the python code you want so it's a very flexible platform and this has
allowed us to actually automate as much as as much as possible in arsenal okay so that was the demo um i would like to thank you all for uh viewing this presentation um if you have any questions you can find us on linkedin and well hopefully you guys found it very interesting
hello everyone thank you for joining this presentation welcome back to besides athens my name is leo and today we're going to talk about open source intelligence or austin first off some words about myself i've been around in the industry for a bit over six years i'm a security consultant and researcher in the past of also companies like f-secure which was once called mwr and is now known as websecure and nso group which i'm pretty sure you all know at the moment however i'm serving my country in the hellenic army cyber defense department and you can find me on twitter github and all the things as ali ripping today i want to talk about an auction
trick which is one of my favorites it is a known one so don't expect any novel techniques or zero days and it's extremely easy and surprisingly effective for its purpose we'll refer to it as contact sync first we'll see what it is and why we need it then we'll go over the challenges of creating fake accounts or sock puppets specifically phone backed ones which is a pain depending on where you live in then we look at operational security considerations or opsec and what automation capabilities we have or rather what are the limitations and we'll summarize with an evaluation of this technique its pros and cons compared to other tricks okay imagine you walk up to your phone to
realize you've missed the call and the number doesn't look familiar so naturally you want to see if it's something important or not to maybe call it back maybe it's your boss maybe you won an all-exclusive trip to the greek islands it could happen right who knows this is a typical awesome scenario where we start with an unknown phone number and want to get more intel about it something you might also see mentioned as an enrichment process this problem can of course be tackled with many ways we can see some of them in this excellent diagram from intel techniques a great great source of such diagrams which essentially presents the ultimate landscape for this scenario the path will follow is also covered and
it's the highlighted one it involves a mobile operating system a smartphone and your contacts your address book as we can see but we'll get to it in detail in the next slide so let's see what our solution looks like we'll start with the target number we'll need any smartphone to add this number to our contacts and then using social media and instant messaging applications we will upload this address book to find friends that might take restarting the app rebooting the device or just refreshing the main screen and boom we get some new data for the target typically a name in the picture sometimes also the last active status and not just from one application one
service as we refer to them the cool thing here is that you can do the same thing with multiple apps and get more data a different pick a new name or even different types of data altogether to slowly enrich your target awesome how do we start first you guessed it we need a smartphone but why not use a virtual machine or an emulator you might ask the challenge with with these is that to even install the apps of interest sometimes we'll need to hide the emulation environment or evade wood detection routines and this can get complicated with lots of custom mitigations employed by these apps to prevent abuse this whole topic is massive in bibliography and at the
end of the day yes the reverser always wins but overall it's pretty time consuming so it's best if we can avoid this trouble altogether and though the reason an emulator might not be the best idea is that it's trickier to simulate telco functionality the the phone part of the smartphone for instance we cannot insert the sim we cannot accept sms messages for verification codes so it's just easier to use a smartphone then we'll need of course a sim card to create our software account which we'll be searching target numbers from in some countries this is fairly simple as you don't need to provide any id to activate sim cards in cyprus for instance you can
just fetch a dozen of sim cards from your local mini market and then you're good to go no questions asked in other countries though like greece you need to provide a whole lot of personal info to get yourself a number in the name of national security all right say we have no problem with that the first obvious place to get this new sim card is the local telco provider brands unfortunately this solution isn't really good because it's just too expensive i found out that for all prepaid plans you need to first top up this number that you're going to use which is at least 12 euros for the first charge and that's a hefty price to conduct any large scale
operations it just doesn't scale up so this solution was abandoned note however that you can also go shopping in dozier places and get your hands on dirty sim cards without really providing any details or paying anything so long as you know what you're doing and be prepared to get scammed like i was as the sim cards that i obtained through this method were expired and very smartly restarted as brand new what about these promotional offers on subway stations these youngsters selling three numbers loaded with data plans no that doesn't work either as it turns out they're not real free and actually need the same pricey first charge like the install ones now someone might suggest using an
online service like twilio to set up uh to sign up get some phone numbers receive their registration otps in them and get cracking with the applications what's wrong with this uh first uh you bump into this chicken and egg problem as to verify yourself in twilio for instance you need to first provide another number your real number and the whole point is to just hide this real number right what's worse is that even if we decide to provide this real number we'll soon find out that we can't really use it to register on on applications as they somehow detect this is not a real number i've just used and the sms message for the registration just that comes in so that
failed too next i tried a foreign number kindly sponsored by a close friend but that also failed as apparently it's a pretty common requirement globally to frequently top up your balance or it's just deactivated altogether so another thing to keep in mind for any austin operations is that we'll need to actively maintain any stock puppets we create so finally uh disappointed as i was under the cfp time pressure i decided to get back to the shop but right before i gave up and paid for these hefty new sim cards a very helpful employee actually told me hey why don't you just sign up now and top them up later we'll activate this right now and i was surprised to hear
that this is actually an option so that actually worked i just obtained a new sim card without paying absolutely anything other than my personal data of course and the final step is to choose the applications we want to use to search the target number within and for this we can let's say categorize the target applications in three four main categories first on the top row we have the big social media applications on the second roll on the left we can see the biggest messaging apps like whatsapp viber and facebook's messenger on the right though we have the security and privacy focusing instant messaging apps the telegrams signal other good examples and finally on this last role
we can see some applications that are critical for specific regions for instance vcontact is pretty big on russia wechat is the de facto chart application in china and line is also very very popular in japan all right now that we have everything set up let's see how this trick looks like we'll use telegram for demonstration first we can see now we've registered in telegram with our software account we don't have any contacts yet let's go ahead and create one we'll use a question mark for our target account we'll paste the number that we want to get more intel about save it and then get back to telegram where we can see that immediately we have someone that we can add as a friend
and we get some interesting info we get the username we get the picture of course and this bio field right this is manual effort how could we possibly automate this what if we want to script this there are multiple solutions as we discussed we can just load the application in an emulator and maybe script this using testing frameworks to launch the app do the lookup and then pass the results or if there is a web client available for our application we can just reverse engineer this and use dev tools for instance to examine the flow and then scrape any ue elements alternatively and this is the most effective solution we can just reverse engineer the mobile clients for
our applications but again you might ask what about these services that promote social media information about target users services like syncme thatstam.com more people unfortunately they don't really work as they're based on something that's automated and easily accessible aka easily abused and this sort of functionality like facebook's graph is eventually stopped okay so what can we do to defend ourselves from this trick how can we prevent users from getting our personal info through this through the apps we use the solution is to check our settings and mine the defaults unfortunately there is no silver bullet we need a per application solution this also takes some digging unfortunately in telegram for instance the right node to
change is under phone number and we need to explicitly change it to this value to nobody and only then the latter radio option pops up allowing us to select my contacts and make our number uncompensable let's talk about option the first thing we need to keep in mind is that should we decide to use a sock puppet and reuse it all over the place then this account might start getting too much heat and interesting correlations might come up behind the scenes and the graphs that all services use to avoid this it's best to just create new accounts every now and then or use a different sock puppet per service similarly reusing the same device for
multiple operations might introduce some risk this time on our end as the hot address book of this same smartphone should it be compromised or stolen could end up profiling our operations so the consideration here is to remember to clean the device periodically and finally the dreaded you might know bubble popping up on the target sent revealing our accounts and operations this is the worst possible side effect of this complex thing trick but fortunately it's pretty rare the solution is to just avoid repetition where possible as typically this correlation might take more than one search and the good thing with this trick that we're presenting here is that all you need is just one lookup only just one search
but let's just let's just focus on this scenario for a moment this is a serious risk and it would be interesting to see how possible it actually is for this to happen so i've had this idea for a while that maybe we could use the privacy tools offered to us by eu's gdpr the general data protection regulation to find out what exactly is held about our user a target user and specifically whether that includes any passive correlations with other users that may have fallen as contacts of our user so i decided to try it out in telegram specifically you can get all the data that's kept about you through a ddpr bot as we see
in the faq using this very simple to use bot all we need is just two messages to slash commands to request our data download it from the desktop app and then finally export it in a human-friendly html format and browse it easily to find out there's actually no mention of our soft puppet the one we just used to search this target account and uh this is of course just an example telegram is a privacy oriented app expectedly it doesn't really hold any creepy data but let's just keep this tool in our heads for other applications we might not be so innocent okay with all that in mind let's now summarize what we know about this trick
it's gains and losses first it's ease of use us we need no crazy skills nor any specialized software or hardware to perform it secondly it's hard for applications to block and even harder to detect that it's that this feature is being abused let me dive deeper here for a second we shouldn't forget that this is based on a feature contact uploading is a ux functionality to help you get started with a given service and find friends and with regards to detection remember that address books are inherently large and most times this is implemented with a single request to the back end so if you've done eures engineering and you've successfully scripted a contact lookup all you need to search multiple numbers
at once it's just one request also it boasts great performance again if you reverse the api the lookup call is instant it takes milliseconds compare that to waiting for an emulator to boot the app to be launched and then ue buttons to be clicked and that's before results are actually fetched and then parsed so the difference here is massive finally it offers solid result confidence effectively low to zero false positive hits compare that to the fuzzy results that for instance a search feature would provide there are of course some downsides like for starters it's actually hard to automate this trick as we saw this takes some reverse engineering which usually takes both time and skill
even once the apis are reversed you also need to constantly monitor its results and keep an eye out for version updates or changes in the format this however is also true for other techniques like scraping web results of an app's web client also you need to typically have an active session to even perform these requests so factor in additional reverse engineering effort for the login process and some talking juggling after that and finally should we decide to use soft puppets and be reasonably powerful paranoid about our opsec we'll have to accommodate for the overhead of managing all these accounts and keeping them active before we go here's a list of good awesome references good sources for awesome stuff first we
have awesome curious the prolific dutch awesome guy in twitter and of course the awesome olsen list on github but most importantly inteltechnics.com are great source of diagrams however unfortunately the juice is now hidden all these cool diagrams are not even available on the wayback machine so it might take some digging to actually find these nice paths and that's all for today actually i'd like to thank you again uh thanks to cuba saxenos for their overall help with the slides and spot on qa advice i'd like to thank my childhood friend nick for that foreign sim card that featured briefly and last but not least delta my partner in crime in the army's red team helping
out for helping me out in this race to find sim cards folders or puppets that's all folks hope you enjoyed it and if you haven't fallen asleep yet there's a neat little awesome challenge coming up so stay tuned for a chance to win a wii prize right so the talent is pretty simple here it goes assuming we have this phone number as a target user trick we discussed to find the three wheels the first to send us the solution on discord we went besides athens memorabilia cdf certificate and maybe t-shirt we'll reach out to have them shipped to you i repeat given this phone number plus 30 694 94 22 o24 the goal is to
find the three wheels dms on discord and win b-side swag we're going to leave this slide down throughout the lunch break for any hints or questions don't hesitate to hit me on discord happy hunting right so the challenge is pretty simple here it goes assuming we have this phone number as a target use a trick we discussed to find the three wheels the first to send us the solution on discord we went besides athens memorabilia cdf certificate and maybe t-shirt we'll reach out to have them shipped to you i repeat given this phone number plus 3694 94 22 o24 the goal is to find the three wheels dms on discord and win b-side swag we're going to leave this slide down
throughout the lunch break for any hints or questions don't hesitate to hit me on discord happy hunting right so the challenge is pretty simple here it goes assuming we have this phone number as a target user trick we discussed to find the three wheels the first to send us the solution on discord we went besides athens memorabilia cdf certificate and maybe t-shirt we'll reach out to have them shipped to you i repeat given this phone number plus 3694 94 22 or 24 the goal is to find the three wheels dms on discord and win b-side swag we're going to leave this slide down throughout the lunch break for any hints or questions don't hesitate to hit me on
discord happy hunting
hello hello again hope you can hear me alright um please um join leonidas for his um awesome challenge um you can reach out to leonidas on discord for any questions or if you want to participate in the challenge we are planning to also break for lunch however we also have a workshop prepared which is about an hour long and we will initiate that workshop playing streaming during lunch and in order for you to enjoy yourselves i mean have something to watch during last lunch time i really hope you enjoy uh the awesome challenge i really hope you enjoy also the event up to this point in time we had some very interesting presentations we also had
some challenges this morning but i think now we are good to go with sound and everything let me those who are enjoying the ocean silence i hope you have fun let me initiate the workshop during lunch time i hope you find it interesting and we'll be back with you with the next talk stay safe and trust no one right after the lunch break all right see you all in a bit take care
hello everyone welcome with my talk i'm glad for behavioral my talk is called through scatter variety
so
[Music] so
[Music] so [Music]
so [Music]
[Music]
[Music]
hello everyone welcome with my talk i'm glad for be here for you all my talk is called from sc8 the variety of eddie hunter to get a show
instructor
[Music]
qubit conference arab security conference material costa conf managing village besides calgary's etc a military magazine about stack of performance about cover channel for further to get a shell 48 of the right to let the show i leave here my linkedin profile by my email for words take out some doubts you can write me at my linkadin or my email [Music] agenda will you learn what is sch87200 buff overflow we have a park in park we learn the se8 override shorty jump aggie hunter many characters reverse shell and we have a questions exception 100 exception 100 is a chunk of the code from inside of an application which have the objective to handle any exception that can occur during as
execution of the software deception they look like with here we have try and catch and try execute some code you should call some exception should jump to catch a catch execute some specific code where inception core so a flow of execution of the software will pass for the try execute some code if a require some exception will jump to catch and catch it will execute some specific code reception core
the sc8 works in chain and they are localized in end of stack in the classic buffer version of vanilla the exploit of writes the return address without worrying about writing more bites in stack but with the sc8 of the right technique it is possible to obtain my space of financial code in order to have exploit more stable so we have here in our stack remember that the s80 is localized in the end of stack and here we have necessitated recorded scenario
these sc8 work in as a chain
reception is an aspect event an error that occurs in early ccr program where exceptional chorus the problems normal flow of execution is terribility it is important that the application can handle the substance or error to continue running normally the address of deception hundreds are started on the stack the wind separation system has a default handler that gets any exception that is not handled by the program when windows handles an exception in application we usually see the message program has included a problem it needs to close so we learn here that each program has your own exception handler but the windows has two your own when the 700 of the software don't work the exception 100 of the windows work
in the work where we see the message problem has encountered a problem needs to close
buff overflow buff overflow is anomaly where a problem while writing data to a buffer overall the buffers boundaries and the price is said memory locations might be repeat based on stack based repeat based place in the memory which allocates a lot amount of data and dynamically stack based locate a limited or fixed size of data which is data from account variables or functions so we have two class of buffer flows with base and stack based here we have animation of a buffer flow we have in left images variable 4 forever 8 right image variable 458 yes we can see this tacky of a variety stack is a variety if our amount of character is we saw variety
the resistance bp earth sc8 as we can see here sc8 is localized in the end of stack so the sc8 is at a resource of windows to handle deception 100 and the se80 of windows is localized in any of the stack now we have a park the attacker machine will use the color linux 2020.3 and the vulnerable software that we use is the easy fireshell web 7.2 it's running in windows xp and service packet3 here we have a link for the load of enable software i became available on my linkedin profile the link for this slides for after the stalking won't see this slides again [Music] and download the vulnerable software you can we can find these
this is rides on my liquid in profile so now now let's see the video park
let's see the video park let's open the vulnerable software either file sharing server it's running on part 80 let's open the debugger remove file attach let's attach the vulnerable software choose enable software and clicking attach
clicking button run to running run the enable software in monday debugger if enable software is running let's open the exploit code with vi here we have is a title exploit code is exploit code in python variable crash world for what amount of its characters this what amount of characters will say against the target with objective or because crash vulnerable software you send a method get get press crush word below we have attack type track type part 80 this a lot amount of characters was generated by 2.38 let's get in in folder usr share my sprite framework tools exploit and let's execute the two pine create with pioneer create dash and rank 5000 and we have here our amount of
characters we will copy this about amount of characters any paste in our exploited code for after sending this out amount of characters against the target with objective or cause crashing vulnerable software company paste
let's save the exploit code foreign
let's send with title x collect on to send execute the python sprite code and in vulnerable software we have the flow of execution part acts violation click menu view se8 chain and we have a value in s800 now we learn we need we need to find him what's the office set of se e8 what's official c8 for finding the office set of se8 we use a two parent of a set we should type which we must type pineapple dash and link 5000 is a link basic queue and we must type the value of sc 100 46.35
66 46 this is a value of the ec of s800 and we found the offset 4.65 4.65 is offset for our sc let's open the exploit code open the exploit code and then we have here variable crash word character a multiplied by sixty one plus b multiply by four plus simmed pi by four we will overwrite we will overwrite the c hundred with character b in character c after plus 90 90 means noob snoops means no patience because these are functions that do nothing night is an open loop do nothing it's a function let's do nothing so let's restart the debugger
click button well to run the monday debugger
let's execute the pythexploid code
we have here axe violation again click menu view sc chain and here we have the sc handler of variety by forty three forty three forty three and the address override by forty two forty two forty two real variety real variety death e hundred clicky right bottom follow address in stack follow addressing stack and as we can see we overwrite the 300 we have here pointed to next sce recording if you b b b and the sc holder if you see c c c we overwrite it the s e hundred so now we get a control we get a quarter of a 300
we get a quarter of a 300 because we overwrite as he heard with bbb ccc
let's open the exploit code now we need to find it an instruction pop-up return for this we must type in command by exclamation mark se8 exclamation mark sc8
clicking menu view log and as we can see here only the first 20 pointers i show here for my pointers open sc8 point text so let's open the sc8 file local disk c programs file immunity immunity debugger let's open the file sc8 s80 point text and we have a lot of amount of address we need to find some address that make pop pop return and with secure mechanisms as follows we use the address 1003
fe this errors is a pop eci poppy di return if secure mechanisms ascdi is files rebates as files safe seat as files or this files we could use the other address but i'll choose the this address then the word automatically this important that is pop ci pdi return if you secure mechanisms return if it's equipment can easily sdr's files remain as files save sc8 as fast as files this important that it has secure mechanisms files and the in our expert code we type here we create a variable se8 if you have a feed your tweezer world then this address is for pop-up return then there are three fe and we type here when i can do
architecture 8x86 is address fv030 well there is a address for pop-up return now we need to find the eins up code for instruction jump shot shorty jump for this we use a two nas michelle we use a tunas michelle for finding ice up code for instruction pop-pop for instruction charity jump we using a tunas michelle for finding our picot of destruction shorty jump now we create a variable nsc8
now let's type in as me jump shark eight jump shot eight we found the ap code eb06 a b06 code five jump shorty eight again in b06 short jumpy eight we must we must create a valuable any sc8 for short jump we type x 9 90 x 90 nope nope and the view at security xb06 is a short jumpy 8 so we put available crash world character a multiplied by officer for the in for se8 4061 is officiated for se80 plus any s80 plus s80 plus noobs that is 90. so we'll execute pop-up returning and it will return foreign security new penup eb06 eb06 is a shorty jumpy aid so let's save this exploit code and
execute the exploit code to see vulnerable software
we have variable questions for character multiplied by office h of c8 plus nsc8 plus s8 plus knight that's a noob let's save the exploit code
let's restart the moon the burger
we started with the burger roll the munda the burger
software is running execute the exploit code
the flow of the sequence is stopped click minimum view sc80 chain now we have a very re sc 100 right button for addressing stacking and as we can see we have se80 recorded override if charity jump zero six eb 1990 and the s800 a variety of address of the pop-up return understand the world through sc 100 003 fce is a address for pop-up return and he pointed to next as he recorded we have a short jump zero six it be 1990 so now we get a quarter of se recording again we get a culture of se recording and now we overwrite the series required with charity jump in the sc holder if we pop up return
so
let's click if you write the button go to expression and let's find a header standing over there triathlete and then we found i understand zero zero three fe is a public property returning poppy ci puppet behind the return click right at the bottom breakpoints toggle put your battery pointed pci we put your brake points in pci
let's pass forward execution 2 with shift f7 click button 1 and here we stopped it in pci stop the flow of execution embedded party pci full so let's click f7 for press pci f7 to pass pop the eye we are in return we are in return press f7 in return f7 in return and we follow out in loop here we have noob loopy jump shot if b06 as we can see a b06 means don't be short let's pass the loops with f7 f7 and the f seven you'll be short and we we are in oops we are in noobs as we can see we have a lot amount of the noobs but yet this isn't
enough space for putter shell code we should now put our shell code but i already know that this is isn't enough space to put our shell code so where we don't have enough space to put our shell code we use a technique called eddy hunter
in our case we don't have enough space to put our shell code here for this we use a technique called aggie hunter
let's find let's learn more what means technique hunter
as we can see about the pop-up returning now we need to find the moodle instruction of pop-pop return this instruction will as shown mage below make a return to the party to the next sc8 recording the pointer to nexus say to record will variety with a jump to our shell code to get a reverse shell here in flow of execution we have the axe variation actually create se hundred so in current c hundred will execute block return it will make a return for pointer to next sc8 recording imported to necessitate record we make a short jump to our show code pointing to next city was over item if you jump to shell code so again
the flow of the execution is running vulnerable software so cause acts validation x variation incorrect school we execute the pop pop and return return for short jump so we'll execute short jump for our shell code here shell code will execute our shall call to get every shell but as already say already said we don't have enough space to our shell code we don't have enough space for our shell code in this case we need to use a technique called the aggie hunter
so we know that we have a little space to our shell code for this we use a technique called egg hunter egg hunter is a small piece of shell code which search for 12 bigger shell code which the attacker was not able to fit in the available buffer space for this make use of this little piece of shell called aggie hunter to have directed the cushion flow to shell called it bigger so [Music] saying better the egg hunter is small piece of shell code that will have directors for a bigger space in this bigger space we have secure put our shell code together versus shell so remember again we override s800 we overwrite the c100
with pop-up return in the short jump will execute pop pop return and return for short jump short jump execute short jump shot the fellow out in our loops in place of these loops we should put our shell cored together shell but in our case we don't have enough space we don't have enough space to put our shell code here for this we use a technique called ali hunter any hunter is a techniques where in place of these noobs we will put him a small piece of shell code we will put small pieces of shell code called egg hunter that will have directors for a bigger space where in this bigger space we can put our shell code to get a voice shell
let's see it in the video block
in place of this loops we will put our egg hunter we must type in commanded by exclamation mark help egg exclamation mark and do we have here command any the comments of eggy we have the full value is root we use it afterwards after we learn what means this root and you we must type extremely shamona egg for find the eggy hunter shellcode and we have here aggie hunter shell code let's copy write the bottom copy to creepy body whole line copy this aggie hunter shell code and the paste in our shell code and pasting our exploit code
copy this small piece of shell code of aggie hunter and the page in our express code let's open our exploit code
we have here already basically hunter right bottom page selection we have here a shell called a small piece of the shell code of aggie hunter we put variable crush on crash war character a multiplied above set of c8
press n sc 8 process 8 plus 90 moves multiplied by 5.
press aggie hunter plus knight noobs
and we have here payroll 2 equals bad shares we have here bad shares we will send against the target this bad shife this value is since 01 up f f c c zero up f f let's learn more what the functions of this better size
now we need to search for bad characters depending on the application type of vulnerability any protocols you use may be certain characters which are considered bad and should not be used in your your buffer or shell code one example of betty characters is a zero zero this character is considered badly because a new bite is also used to terminate a single corporation which will deteriorate our buffer whenever reaching a new black japanese so has some values that for our vulnerable software are considered bad for this
for this we will send against the target this value is since zero up f to see if requires some error in our target we want to change zero zero because i already know that zero zero is a very characteristic but already we we needed to know if we exist others many characters for this we will send since zero up sff against the target for seeing require others errors
if of course others errors mean that it exists others bad characters we need to find a better characters because after after we will after we will generate a shell code without body characters we need to generate our show code together with shell without the bad characters here we have other agency which you would prosper the two this means that after which would become our shell code after which you would come out below the two part two equals many characters now we put bad characters but after we put our shell code save the exploited code
let's restart the debugger
run the moon in the red vulnerable softimage debugger
write the bottom go to expression put a breaking point in poppy put your bracket pointy poppy ci
i
now let's execute our exploit code python exclamation 5. execute our exploit code
we have access validation pass acceleration shift f7 shift f7 to pass ax violation
and depress f9 or
press f9 we follow out in proper ci press breaking point of f7 f7 f7 f7 pass pci pdi return f7 f7 execute the pop pop return throughout the noobs pass loops enjoy jump shot if f7 pass our loops loops and jump short of f7 here we have a small piece of shell code this small piece of shell code is our eggy hunter again this small piece of shell code is our agriculture that we will have directors for a bigger space where in this bigger space we put our shell code together shell right button scans bracket punch toggle let's put a back point in scans put your back pointing scans to see what is in scans
click it button run click it button run to running the vulnerable software the flow of execution with stopping is scans flow of execution will stop in scans while the button in edx write the button in the x4c what is in the x following them and as we can see we have here multimode we have a value here rule 2 this indicates that after this would will come our shell code after which you would come our shell code will execute jump pdi will execute jpdi and follow out in our banished characters we have here zero one zero two zero three zero five zero five zero zero seven zero eighteen nine zero eight zero b zero c zero d
and etc up ff will send against the title this value of bad characters since 01 up f 01 up ff for c if acquire some error in vulnerable software as we can see we have uh all these values since 01 up ff we have all this value since 01 up f this means that we don't have a more error so this means that unique very characters is a zero zero as we can see we have here all these characters since zero f f that means that we don't have others betty characters building 0 0 so let's we need to generate our shell code we need to generate our shell code just without zero zero so let's restart the mundane debugger
let's resize the dimensional debugger
again
write the button go to expression let's find a puppy ci copy guy return let's write a button puppy ci bracket point toggle put a breakpoint in pci
let's open the exploit code now let's edit the shell code let's select this odd shell code to put in this place our new shell code for generator for generate our neutral code we're using a two msf vino you use a two msf vino for generate
our new shell code
let's use a 2msf window to generate our new shell code you must type message vino dash a act x86 dash dash platform
by the character 0 0 the c interactive between this f file python generator shell code for a file python that should be avoiding by the character 0 0 so here we put dash b bendy characters avoided by the character zero zero we will generate our shell coil we will generate our shell avoiding by the character zero zero because this unique very characters for our vulnerable software is a zero zero so we generated shall call the avoiding by the characters zero zero
we have variable crucial character a multiplied by officer plus nsc8 plus 680 plus nine loops plus 800 plus loops in the below we have it variable pair of the two equals both birth is a shell code
we have nsc8 our jump charge a eb06 is our jump shot sc8 our noop noob our pop-up return sc8 our pop-up return
i see eight our pop-up return we have our egg hunter remember that aggie hunter is small piece of shell cody that will direct us for a bigger space where in this bigger space we put our shell code
so let's copy let's copy our new shell code in the paste in our exploit code
copy selection
and write a button paste selection paste our new shell code in our exploit code
we have here payload 2 equals birthday our shout cody below we have audi after all to become our period 2 payload 2 equals birth as our code so after we the root will execute our payload to payout 2 is because birth but is our shell called together versus shell
so now let's execute our meta sprite framework to list 1.555 wait for connect back execute msf console let's configure our meta sprite framework
let's configure our methods by the framework using multihandler setup flight framework search payload windows shell reverse tcp it at payload windows shelves tcp search early host localhost our ip we configure our metasploit framework to listing on part 5554 for our local ip using a payroll the windows reverse tcp tell any part of local part 555 and the security exploit
execute exploit so now let's execute our exploit code of title x collector 6 execute our exploit code we have the ax violation pass access validation shift f7 the flow of execute is paused as we have acceleration pass acceleration with shift f7 shift f7 and press f9 or clicking button run flow of execution now is stopped in pci we have stopped in breaking point pop ci pass pc ipi and return if f7 f7 f7 to execute pop pop returning we follow out in loops we will pass loop in oop with f7 f7 and jump short if b06 will pass with f7 f7 f7 f7 press jump short we'll follow out in our aggie hunter we have a small piece of shell called
hunter we put right button scans back punch toggle to stop the flow of execution scans clicking button run button run to continue flow of execution stopped in scans right about in the x right about in the x following them here we have our root this indicates that after after this watch will execute our shell code this means that after our root will execute our shell code because any aggie hunter is a small piece of shell code that will have directors for a bigger space where in this bigger space this bigger space will execute our shell code press f7 f7 jump pdi with f7 jump the i with f7 and now we have d8dc d964 this is our shell code
our shell code as we can see in our exploit code as we can see in our exploit code we have here our shell code da dc d974 and we can see in our flow of execution of neighbor software the aadc 974 is our shell code click button run to execute the flow of execution to pass flow of execution clicking button run and do we have a meta sprite we have a method writer versus shell we got a shell so we can type net user to see the user of the victim user hotdogs and administrator user of the victim you can type ipconfig for a cd ip of a victim is it so as we can see we have here in this
slides step by step of how you can write the wrong spot code using i see eight of variety with egg hunter technique remember that this egg hunter is small piece of the shell called that the wheel head directors for a bigger space where in this bigger space we can put our shell pole together shell and the belly characters should be fined should be we must think against the targeting this character sees the role of ffs to find it what is these bad characters for this vulnerable software because we need to avoid the better characters when we generate our shell code so we need to generate our shell code without the body characters for data call
where we execute our reverse voiceshell is it everyone um become available on my linkedin profile this this link for this slide for who won't reproduce this pocky you can download these slides on my linkedin profile and the executive the step by step how can writer works party called using ic8 a variety with eddie hunter technique now i prefer the questions thank you very much
hello um we're back we're still on our lunch break i have nicos with me here um olga will be back later on we are still on the lunch break and for those who want to see the workshop or all the technical talks in more detail don't worry everything will be posted on our youtube channel as individual videos as well after the conference so you can go through in more detail because we know that this workshop was a little bit too technical there was a little bit too much of sell code in it and it will be a lot easier if you have the video so you can pause look at it what it what it
says and all that nikos uh hi there from me um i hope you enjoyed all the talks uh actually we are a little earlier than our schedule so if you are still on your lunch break uh i hope you enjoyed we'll start at uh two um i see on the aussie challenge that there were very few that they tried to [Music] to play you still have time so we'll see you at two egg excellent so um yeah you have uh half an hour to enjoy your lunch enjoy your coffee or any other favorite beverage you might have most probably be in a mega pint it's been an inside joke for uh for the past few weeks
um yeah and see you approximately in half an hour thank you enjoy
foreign [Music]
[Music] oh
[Music] what [Music]
[Music]
[Music]
foreign [Music] so
[Music] oh
[Music] what
[Music] so
foreign [Music]
[Music]
[Music]
[Music] so [Music]
foreign [Music]
[Music]
[Music]
[Music]
[Music]
foreign [Music]
[Music]
so
[Music]
[Music]
[Music] so [Music]
foreign [Music]
[Music]
[Music]
so
[Music]
so
[Music]
foreign [Music]
[Music]
[Music]
[Music]
[Music] good
[Music]
[Music]
williams [Music]
[Music]
so
[Music]
[Music]
[Music]
so
[Music]
williams [Music]
[Music]
[Music]
[Music]
[Music]
[Music]
will you jump [Music]
[Music]
so
[Music]
[Music]
[Music] whatever
so
[Music]
[Music]
williams [Music]
[Music]
[Music] oh
[Music]
[Music]
foreign [Music]
[Music] oh
[Music]
[Music]
welcome welcome back we hope you had a good lunch you had a good break you enjoyed the previous talks and you had time to um look through the technical workshop that we had earlier on nikos um yeah i hope you enjoy our uh podcast here our new setup it's i think better than last year and we promise you that next year we'll have a fiscal event and we'll all enjoy our network community well you need to remember that security besides often is an open platform for you to come and present share ideas we cannot know everything right so it is best for you to bring your research bring what you do present it to the people in the audience participate
in an active manner initia discussions get to know us get let us note you get to know each other through this community-based event the motto of the event is it is by information security professionals for information security professionals we are not sitting behind any branding or any commercial products or any commercial companies yes we accept sponsorships only for the sake of being able to provide you with the best open and community based event that means for those who have already participated the previous years you get you know for a fact that you leave the event with a lot of useful swag you enjoy the day you don't pay anything to have an amazing day at the event
you get like all-day coffee and lunch and all the other things that we do there's usually an after party so the drinks are also for free so that's the only reason why we do the sponsor to be able to provide this community-based event to you if you have talks if you have ideas if you have anything you can offer to security besides which can it's giving back to the community with knowledge information whatever you want to share reach out to us let's in our new version of the event after this limitation of the covet restriction let's make it even better and our plan for next year because we have been preparing for this is um to go really big and you'll see
what that means when we go live next year again in person because yeah i would like to end with the fact that this is a community-driven conference and uh we are here to open discussions and disagreements uh on a framework that is uh ethical i mean if somebody disagree with somebody he has to just uh on on a framework that he will not offend somebody or a product so just try to read the ethics that we have in our site and try to follow them and i hope you enjoy the uh the rest of the day and uh see you yeah um and we move on with us with the next talk thank you so much and
um we'll be back very soon
hello hi there i'm constantina cuckoo i'm a cyber security expert and i'm currently working in checkpoint software technologies today in besides athens 2022 i want to discuss with you about something that for me it's very interesting it's been around for quite some time i think that you already heard of it's about zero trust model it's a new term everybody is talking about it and maybe has a project on it so i would like to navigate on it uh together so uh before actually start start talking about zero trust model i would like to generally start talking about a little about trust and as a human factor and something that you could trust as a human uh personally for
me i had i have zero trust in an airport sushi i don't know if you have ever tried that it's terrible i would never use a used mattress in my own place i don't believe in competition scam of course as a security person and also i don't have trust in everything that has ip and it's communicating so if traditional access we would say it's about the principle of trust but verify zero trust is rooted around the principle never trust and always verify and on the network level this is a nice picture of what zero trust would uh would be uh next i would uh i would like to state that zero trust security is not a product of course as
you may know it's a process there are many best practices there are principles that organizations should observe on the path to zero trust security and to better understand that i would drop an analogy with our physical world with the real world and it's not other than the airport i think you you use you visited uh quite some times and in doing so i think that we participate in many zero trust experiences and all the the security processes airport security processes are consisting a great example of zero trust implementation strategy so to begin with i will start with the basics we are always verifying the person that requests access in the airport the context of the request in a
more generic i.t perspective the risk that this request may have and then we are granting access required we require nowadays more than one piece of identification and evidence to authenticate the user and in the case of the airport we use the passport in order to say who to state who we say we are and we are boarding also we are using the boarding pass to board the right place uh going to the correct destination in many places actually now they are starting using gold to some kind of biometrics for a second factor of authentication and generally authentication could be any combination of of course as you know something you know like a password something you have like a verification
sms and something that you are like a biometric users and another principle i think it's very important is that as we said you will you would never automatically trust anything and in our example this means that we are passing the gate we have zoned uh we have uh uh yes showcased our boarding pass but still you're not quite there you still have to sew your luggage and this is because even when uh there is nothing wrong with passenger with you of course we have identified you but there is a strict protocol in the airport that yes we have to check what um you may cover in these languages that you don't even know that uh people are doing mistakes
uh they sometimes carry the dangerous things on the handles without knowing that and the same is uh we would say with the employees in our organization uh there's someone that is really trusted he has passed the door in the morning skunk his car came in the office but he's also carrying his laptop we know who he said who he says he is he's also his own but on the other hand we don't know what this device may bring into the organization it could be the mobile the laptop whatever and uh easily it could be carrying uh malware on it uh with the danger of infecting the whole network so principle number three for the zero
trust is that you have to monitor and audit everything you can protect what you can see that it is known so you have to monitor every activity something that uh usually usually checked by security officers to quickly uh uh understand and react on something that seems suspicious and uh this should be of course real time and visibility is especially important for users who have administrative rights due to their serious scope of their access permission the sensitivity of the data that they can reach uh so we need to say also that uh by doing so and by building uh in a security architecture around these principles what it should uh definitely succeed in is that it should have zero false
positives false positives zero false negatives and it should be usually seamless for uh the user i mean everything we described so far in the airport example it was generally speaking quite intuitive for the user it required almost a little experience and awareness of the process and it is very important we always say that that for cyber security to be to be consumed it also has to be well understood that easily for the user easy for the user and on the other hand of course it should be simple but it should be preventive meaning that we should also take always take the right decision when there is a suspicious uh incident and it should be blocked
and um it should be efficient meaning both for the users as we said but also for the administrators of the infrastructure it should be complete it should implement all the principles of zero trust model uh it should increase operational security efficiency overall and of course it should be protective for uh for the organization against cyber attacks with real-time threat prevention so we're talking about zero trust people uh zero trust people's zero trust passengers in our example zero trust devices languages syrian trust workloads uh in this case could be ai belgian zero thrust networks and zero trust data we're going to go into that a little fast so what we have to do in needs uh
of this pillar so for zero thrust architecture when we are talking about zero trust network of course we have to identify data and assets that are valuable for the organization we should classify the level of sensitivity for its asset we should map all data flows that are happening happening in our organization east west north south everything and northbound and we should also group uh assets with similar functionalities and sensitivity levels into this uh the same microsegment for example all the resources that the r d is using the source code and the ticket management system it would be nice to be in the same microsegment and another thing it uh it would be nice to deploy a segmentation gateway whether
it's physical or virtual in the network and uh last but not least we should also define a least privileged access policy to each of these assets for example uh the r d group should access only their own team's source code not the next uh the colleagues that although he's also a an engineer he belongs to another group so everyone should access the the things that he's enlisted tool so zero trust people uh we are talking about uh people a lot and they're involved in cyber security and uh the thing is that uh we have of course to authenticate user identities on the network level and not if possible of the application meaning that uh you don't allow
authenticating users closer to a security gateway on the network level will block hackers uh from getting too close to the system and dramatically minimize the this way the attack service of course you should do and use sso which simplifies the process of authentication uh reassuring how identities with the multi-factor authentication is a must and also you should set context aware policies uh meaning uh narrowing down the definition of authorized connections by adding multiple conditions regarding the context of the connection for example you may think that this resource should be accessed by this partner that connects from greece only nine to five and is something that should be implemented on the network firewall and of course we are talking
also a lot about that uh detecting anomalies uh compare connections with the baseline that we have and for example identify unsuccessful logins unusual times and location more and be able to act on this event zero trans devices also uh when we're talking about that is uh to take a mean a practical approach to minimize the attack surface that comes from the devices uh for all workstations and mobile devices of course no matter no matter if they are corporate or uh also personal it should carry some security controls by the corporation in case it touches corporate data so it should have some kind of protection against the zero day malware run somewhere we should have protection
against uh zero fishing and all the stuff that we are currently doing at the endpoint and of course we should block uh corporate access to the devices that are infected so poster management and condition conditional access should be also a solution of zero thrust devices and of course the first thing we are talking about segmentation it's always a good idea i t iot ot whatever you have in the network it should be segmented on another useful uh on its practical side um when we are talking now about zero trans data we want uh to enforce encryption on the portable media we want to provide secure access for the remote users we want to apply dlp also dlp rules for
our users and the classification of the data that is being used and um a nice tip here is that in order to raise the employees awareness of the data use policies that you have we know that they can be very hard to implement in in your organization you can release some self remediation dlp policies that will allow to notify the user for improper data handling that he's making in real time and and have the option for him to send this card or review the the issue it's a kind of training uh of training technique that it's accommodated in main solution many build these solutions and uh actually now the other part is about uh zero truss
workloads and now we are talking about again some application workloads things that are sitting on the private cloud and public cloud and here of course you have to identify all the cloud assets that need to be protected every every all at table point that needs to be organization with similar protection and with unified policies and uh we should identify everything that is related to the cloud would could have a database everything connects to today to the cloud through internet of course it should be also listed and have the uh the correct way of communication and um defined internal segmentation based on list privilege we said that before i think it's very very important visibility and analytics and i think
that i'm slowly coming to an end of uh this uh wrap up of the zero trust model visibility and analytics is very is a key i think uh in everywhere in order to simplify all these solutions are there they are technical solutions but also we are talking here there is also a framework so we are talking about processes but overall we should have in place some ways to easily check our effective measures to check what we have implemented and to have our logs and to revisit them in order to daily and in real time of course to understand the uh anomalies and uh whenever you can of course you can leverage the credit intelligence services in order to have indicators
real-time threat indicators that are aggregated in order to share to have useful information that they said among all your enforcement points and finally i think that um uh wrapping it up with zero trust is something that uh needs to be discussed it needs to take the right approach see what they control but i think it's more about the mindset about how what we can do and all this uh never trust always verify i think it's very important so it's a serious trust is here to keep us safe uh the implementation is a big practical and physical to consume we want to be effective and uh better security always matters and i think in the future will
uh be all an even bigger concern so it's nice that we act practically so stay safe trust no one i know that this is uh sounding a little strange but this is it when we're talking about cyber attacks uh i have listed here some useful links maybe you can also revisit and that was it thank you very much enjoy the conference bye
hello everyone uh i'm really excited to be here with you guys reporting here from 12 sec at this year's besides event my name is ignatius and today we want to talk to you about challenges we had in one of our still seeing engagements with one of our partners uh for having to shift the penetration testing which in our case was actually the in an api driven application the api security testing uh earlier in the life cycle of a process of the sdlc process so we want to share with you our experience what ideas we have how we came up with the solution and of course since this is also ongoing for us and we're going to see how it's
going to progress over the next couple months also we want to hear your feedback and get the conversation going on what will you do in your engagements in terms of processes tools and the life so for anyone who doesn't know us to help secure cyber security a consultancy film we offer all kinds of consultancy services you name it we do it from red team engagements penetration tests stlc engagements and the like so moving on to the next slide let me give you just a little bit of information so that you know who is talking to you i'm a a software engineer for uh four years uh and i have been application security engineer for seven months since i made
this transition and that's when 12 sec uh since then i have been involved in main bastilles engagement as well as some infrastructure configuration knowledge and i am also a cssp credential holder and the cloud practitioner from amazon now starting my journey to the cloud the cloud security certification path so let me give you like a little information about what we're going to see in the next slide so that you can have a clear map of what we're going to present to you uh so i will talk a little bit about the engagement and the activities that we're running the requirements that we're having some architectural characteristics of the application at hand which will be a source of input for
us for the solution that we have to make and the factors that we have to consider in order to choose the right processes and tools to do the job effectively so this is an still see engagement we are all quite bunch of activities here we're on risk assessment well risk assessment not exactly in the face of an agile sprint like in weak sprint where we run it every time but more like an inception like a report but it always comes handy because you need to go back to this report to refer the general risk overview or policies or classifications in terms of confidentiality degree and availability of the data that your system processes and it also relates to the
prioritization of the cases that you want to implement in a test suit so that you can have the most measurable outcome in the most the return of investment on the test cases you do in your security automation as well as other activities of course we do requirements analysis this is a sprint-based activity when we solicit we define security requirements of course in addition to the requirements we have and if they are not needed a specific business specific security requirements related to the business cases at hand and of course these requirements will also relate to how we will define our test cases of course with other requirements we're going to show in the next slide which will be our general application
security requirements framework then we have here the architects review we mostly do actually we exclusively do a svs on this uh we run ltria for critical applications and we do also thread modeling using an automated tool called terrus risk uh not automated in the sense that you don't have to do anything but automate it uh in a way that it's not like in a word document where you have like hundreds of pages where you have to what to do your threat model and it can get really it can get really messy and huge quite fast but it can offer like a good view of your risk status and generate controls based on specification that you
provide and this of course is the main the main source for us in regards to the business logic has an attack surface which we want to cover in our security automation suit then we have source code review uh we do this manually uh sometimes not so often we have guidelines um specific to the platform where we are testing we're also using a static analysis plus specific set of rules which are signature based of course to identify vulnerabilities in the code as soon as the developer writes the code and we also have composition analysis for the our third party libraries then moving on after this after after the normal tests are on we also run an uh dynamic application
security testing tool we runs up to identify common vulnerabilities or web application misconfigurations we do this it has come out handy from time to time though now it's where the things are more mature and a lot of security controls have been implemented uh there are not so much there is not so much to to go on from this but uh this also is the main reason where we want uh to have is that this is does not cover the actual business logic we want to test on this application which has a bunch of functionality areas with many different business flows consisting of multiple steps integration with external system and this this release the attack surface we want to
to cover moving on we have the penetration testing then if attracts audits infrastructure audits are done are conducted against the cloud-based environments now the penetration testing is the only actual uh in the highest level of security assurance as a verification activity in terms of this attack surface where trying to to have covered early in the life cycle uh it offers the best we can i it offers the best assurance as possible but it's not conducted on a spring basis and that's what that's what we're going to tackle in in our initiative to move this a little bit uh earlier in the life cycle so that we can leverage from this assurance the penetration testing only
can provide uh we also have the requirements we have asvs i mean like we have specific chapters that are applicable to the problem we have at hand and will actually be a mapping from the for the solution we chose and these special like specific chapters in asps like uh secure file uploads api architecture access control and other and others as well uh we also have some regarding some i will have the goal of this act of this initiative we took with security automation to reach maturity level 3 which is actually which actually mandates to have integrated security testing as part of your pipeline so uh moving on to the architecture we are basically learning a single page uh this
is about a single page application running at nuclear front-end we have a couple rest apis implemented in uh in java in the back end for our authentication architecture we use open ids the standard flows of the open id of the auth specification for our authorization architecture we mainly like in the high level we have a role based access control consisting of multiple roles and hundreds of permissions for different functionality areas and we also have facts on level x control implementing authorization checks at the function level trying to mitigate the violations that could occur if we were only taking the role into an account in such cases and our accountability architecture which is often overlooked we want to highlight it
and because it's important from a compliance point of view having to log the right stuff with the right way taking care of the privacy of what you log and of course the sensitivity of the data you log and keeping an audit rail and keeping people accountable for what they do in case of a for ethnic investigation or what not and be able to cover this and provide the information that will be needed in those circumstances so going to the problem at hand the first problem we had is regarding our sourcing and when i'm saying sort when i say sourcing i basically mean how we're going to source our test cases i mean how what will be associated for defining
those cases so we had a couple options here the first one was to crawl into the application i mean i have this have like a tool like burp uh intercept the traffic and give all this valuable information such tools can provide and from there based on the information that we get in the endpoint identification begin writing cases this this would be really fast although we didn't like the fact that we have to consider the application behavior and the responses we got as the single source of truth for defining the what was meant to be the correct thing to do which we didn't like because something might have been implemented wrong now the other the other option was to do
a source code review uh we could do like a regular expression on the source code because because we have access to the source code identify all end points and from there reading with the code which would take significant resources of course but uh it would be a more white based approach to do this and have like a really good coverage but it would also miss the documentation and the and misses the opportunity to leverage all previous activities done in the life cycle so that we can have them all so that we can have like cases directly derived and collaborate collaboratively decided between security architecture as well as a business analyst from the clients and of course
the other option which seemed also more more natural to do is the documentation which we already had in a way i mean not like always updated not in a perfect state all the time but the best possible place to really identify the peace and slaughter flows which we are most interested in because this is the attack surface that is most hit by the bad guys we want to keep out is the business logic of the of our applications and we wanted to really uh have this attack surface covered and documentation seemed like the best option so the solution to that was to create an access control matrix now lux control matrix we did not have at the time but
we liked the the value it offered us in terms of visibility because we already have such some of this information scattered all around the user stories use cases uh we had like some authorization permissions in uh where where they were applicable in some user stories but now what we have is a single confluent conference page well it could be in other formats as well but most important thing is that we have a single source of truth regarding the authorization schema of the application as a whole that could be also be used as a basis to also engage um developers and architecture team ideally to a review to keep this on track to have this on the
explains on there or the definition of done or their workflow and have these actions implemented there even from the analysis or from uh or leverage those actions in the test cases as i will show you in a minute on how we do those uh cross reference so this cross reference is actually having to [Music] being able to track what the test cases are and where they come from so that when you go maintain this test suit of security apis you know that this test relates to this functionality and you can check what exactly lies beneath right and this of course has to do with business loads which is our primary which is our primary focus here and we
want to identify those flows and this will help us do it more effectively now the second problem we had is how we want to structure our test of course one very like a natural way to go is to go using the endpoint paths now the endpoint paths i mean it is quite what it sounds like like having the url uh in a subresource way for urls including an endpoint and then structure your tests based on that which would achieve a greatest a a good amount of coverage i guess but it lacked the security side focused of things because we wanted our structure to be specified so that it can help the tester or the developer who is writing a test to think
about those key areas that we want to have security security wise covered so the other option was to go with specification and of course the solution was to use the os project api security which has insufficient categorization it's community-based and it's open source and uh i mean it pretty much does what we like and of course the thing is that there is no other a non-structured alternative as well but regardless this is what it is and it does what we want and really gives you like the basic uh backbone of mindset to write test cases upon for modern api driven applications right um so the next problem uh what tool are we going to use
here we really care about ci integration capabilities we care about what apis we support and of course we care about the learning curve the developers would have to familiarize in an ideal scenario where they also engage in this actively and make this part of the experience and we also want to make this more easy to them to choose a tool that will be familiar as well solution is postman postman accomplishes exactly that because developers already used network purpose not like security focused testing but they told you to test their apis in some way or another we'll have dedicated documentation sections which we really like and we highly leverage uh to both refer to our access control matrix
so that we can have this tracking that i talked about before but also to include our test data uh which the specific test case refers to we also have flow support and this is about what we were talking before actually on the uh on the business logic identifications transaction based flaws which we highly want to cover and we cover only on the manual penetration tests on big milestones but now we want them covered as soon as possible now postman has a seamless integration with changes not like in form plugin that can see the condition continuous integration server we use and we can use it as a build step i have ready to use a docker monster
now the other problem we had is uh how we're going to track our data so for a test suit to run you need a couple data you have test data scripts being responsible to create all this data you need for a specific environment we don't have the scripts at this point uh we're in the process of creating them but we had couple options to do a confluence page which would be a nice choice because confluence has this better link in history we also would call like a more sophisticated to tackle issues that would come up in the future if this got big and wouldn't be so easy to scale in the confluence page but uh the test data
management solution is not what we could suffice with right now so we could go also with an all-time classic excel sheet which would be really fast to do and this is what we chose in terms of being straightforward in terms of being fast and of course we know that it won't scale but uh we have this uh we have this truck and we can co we can start our way low and see how this whole thing progresses and what i want to really note about here is that even though you're using an excel sheet it's always important to keep the documentation documentation guys like really important makes things so much more maintainable like even in a simple
sit that i'm going to show you like in a little bit we can you can have like a documentation tab where you document your columns specify some common convention to use and there you got it you have something that can be more easy to write and maintain and assume some common format on this so you don't have discrepancies and inconsistencies so uh thank you all uh for uh for watching this here from 12 sec we wish you all the best and uh moving on we hope to you found something useful a lot of this to do in your engagements or give you give us some feedback uh regarding what you would like uh what what you think should be best in terms
of approach in terms of processes or tools so moving on to the video peace so hello again everyone moving on to the video unfortunately we had some problems setting up the environment that we have configured jenkins run or this test shoot on uh alternatively we're going to run the test suit only one of our dedicated environments for verification purposes that we hold in our premises but still i'm going to be able to show you a lot of the stuff that we discussed on during the conversation regarding uh regarding postman and its features and how we elaborate on the cross referencing catalog so as you can see here in the collection we have the collection structured as per the
specification move or expressed api security which mainly is security focus and highlights the key areas that we would like to test as part of for security api testing next we have the documentation section where we outline basic stuff regarding how we write and maintain our test cases as well as some information on the references we have on test cases themselves as you can see specifically here we have the source the associated action from which is actually the identifier of the action in the action control matrix as i'm about to show you in a few seconds and the identifier from the test data that are needed to run this specific test case so as you can
see the identifier here it is c68 we can see the respective action here and the url that it's going to link to the analysis for this specific action outlining requirements and the early business logic scenarios that we highly want to test and that way give the tester or developer that's writing the case or maintaining it a very good idea on what this case is about so moving on you can see here the test data test that i will simply as we said tracking in the uh in the test here i just having this test data and tracking them and having some documentation on how these how these columns are are used and some common conventions on using in this
sheet moving on to the [Music] to the postman i want to show you some features that we might come handy for various use cases for example flows which is a very good feature of postman that can send multiple http requests but also you can do whatever else you can imagine pretty much because it can go like from logical testing to expat evaluations encodings decoding parsing of various output that can occur and also another very interesting that we'll find about this delays delays can be used like for example in our case where we have external system integration and we must wait for some for some time interval before we invoke an endpoint we're going to use delays for this
transaction transaction-based complex flows and then again we have the environment variables environment variables we can use to share and not use the same the same data all the time in the test cases as we do in our base url environment variable here but also among us i'm about to show you in uh the integers configuration we're going to use the environment variable argument of the container of human we're going to set up to pass this variable at the end time container where this suit is going to run these variables are also can also be defined as secret as you can see here you can select the type this way we can mask it to prevent any
information disclosure one other interesting feature of postman is the attachments uh because you're gonna have like some multi-part requests of course which is going to include upload then attachments to test the uh upload endpoints post months through the settings gives us the capability to define a directory now don't mind my own this is an absolute director with my machine but postman gives you the possibility to define a directory where it can be referenced by multiple machines so that you don't have file uh file resolution resolutioners uh i will also show you how this the outcome from the actual uh test should running postman is going to look like and i also want to highlight like
specific methods that you can use so that you can have like more clarity in what your test uh test actually uh tries to verify of course going also to be covered in more depth in the reference to the ax control matrix itself now moving on to the to uh to jenkins as you can see here we have some basic configuration ready or with the newman container ready to use documents we specify the directory we want to have inside inside inside the container specify the collection to fetch from a github ripple we have in the previous step also this is environment variable passing as i told you before so that we can affect the run time
runtime behavior of the collection and also some report outputs that may come handy in various use cases on how you want to process the output from the test cases so uh this is only thank you very much for watching this and please share any feedback you might have or any questions thank you again
foreign [Music]
[Music] good
[Music] oh
[Music]
[Music]
hello hello again welcome back i hope you enjoyed the talks up to this point we're very pleased that we had some engaging discussions over discord please do engage with us on twitter as well and we also have this instagram page we would post some of your pictures that you send later on yes we were having a hot heated discussion back here regarding international renowned hackers greek and foreign obviously and the idea is that give us your recommendations let us know who would you like to see in athens next year the idea is that you post the names we reach out to them we're gonna put it on twitter as well to engage with more people um whatever
list of names we end up with we're gonna create a poll and i think uh the top five i guess depending how the big the list is uh i'll make sure that i reach out to them and um get them on get them in athens next year i think that will be really nice interactive version of doing things not that we haven't brought very famous people over the years and besides since uh year number one um you can go back to our previous events and check them out nicos yeah well uh yeah it's it's it's a hot discussion i hope i will next year will not have all these covet restrictions and will be physical and people like to
travel i mean besides athens can be one of the best we have the whole packets we have great weather good food good people here and the community can get together and enjoy enjoy the event i also enjoyed your [Music] pictures that you send in discord then you you're seen as live in uh your screens uh with popcorn and so that's for me yeah and uh yeah it's not only about hackers obviously like if you want to see any particular professionals like in 2020 i think when we were planning to have the next physical event or the keynote speaker was the group ceso of urbas like and he was planning to come over and everything was ready and then covet hit
and he had to do the talk remotely so he's also um very much willing to come to athens whenever we do a physical event so anyone else that you believe you want to see in athens but they have just a phone call away for us so let's um let us know and we'll we'll get it done okay moving on to our next talk enjoy and we will back we'll be back very very soon take care
hi guys this is rg and today we're going to talk about vulnerability i'll start with a few words about myself i'm the business development director and chief information security officer for a major greek integrator and managed service provider and i'm the membership chair of the halloween chapter of physics square i'm also a published poet and a retired handheld combat instructor now the agenda which i'll try to follow is going to include the significance of vulnerability management a few words about human firewall which is excessively important and a small episode of uh work-life balance story or better life work balance as it ought to be now starting from the vulnerability um in them in a more generic way only abilities the
quality or state of being exposed to the possibility of being attacked or harmed either physically or emotionally you should stick to the emotional part when we're talking about a system it's a any floor weakness in the system's core procedure control design or implementation that can be exploited so the security posture the security policy of its system can be violated when we're talking about systems of course i'm referring to any server workstation network device i have a camera telephony thing or anything that has an ap and can be reached by a potential intruder now i'll start off something pretty common i'm i'm talking to a besides crowd in any case the i can see the intrusion kill
chain you know i interact with a lot of customers and i when i'm talking to d or c level executives i i give them a glimpse of it stating that you see that vulnerability the world vulnerability and it's like vulnerable here it's referred in the step four the exploitation part but if we do something about it the the absolute truth is that we're going to impact the very step one the reconnaissance so you see here it says research identify and select of targets what i'm stressing is that having a controlled vulnerability posturing keeping your vulnerability simple words as low as possible in significance and in numbers will prevent like an attacker which is a random or a
semi-random attack to harm you so the aggressor will find a a weaker potential victim it's the same as bullying but even if something is really targeted uh again we're gonna make um the life and uh uh the effort of the aggression very very difficult by having uh a you know a nice neat public footprint so moving from the iksc we see that this effort to have everything in control is actually a life cycle i mean that's no news that everything in ict and cyber security is not a straight line from a to z it's not a one one time thing but it's a recurring part so we really need i mean in simple words here we're we're seeing six notes but in
simple words we need to assess report and do something to remediate to fix either permanently or not the uh the vulnerabilities that uh that we have we say remediate but i mean compensate as well so maybe there is a zero day that is out in the world for a few hours there is no patch from the vendors yet but still maybe we can harden our ips policy or put an extra access listener border firewall or maybe apologies for that put a web application firewall as well anything that one can do to to mitigate uh to mitigate an issue and again this is a process based action like uh we need to verify this cover and again
around the drill from from start so the the main thing is that we need to do it consistently the key here is to fix the important uh part consistently when talking about consistency of course there is a maturity model and then many of you should already know the cmm so this is a cmm approach to the vulnerability management uh i won't spend much of the time here so we really need to be proactive the you know the photograph is not optimal but the key here is proactive so we'll start from step three as a baseline we need to have something really defined and then it needs to get you know as optimized as possible now
step four the optimization is again another life cycle approach so there are levels of optimization and so on as as you see uh as the aggressor they are and they they become more and more agile and more dynamic the same needs to happen to your to your vulnerability management strategy and of course code cannot be excluded i mean i have a i have a few customers running software development companies and they say rg i mean we have outsourced everything to our cloud providers to uh azure or aws or google and or maybe we have a a few of them around like the inter cloud approach so the the provider takes care of everything because we're we're buying we're
utilizing a buying uh platform as a service but in a vast majority unfortunately they're not incorporating security controls in their sdlc so they end up identifying a few issues even even if not following the waterfall mode model and their agile they state that they're agile they run some tests at the end so they end up accepting uh an enormous residual risk or spending a lot of money and effort and money again to to fix some things before they go live so for me o wasp is out there for 15 or more years there is the asvaes uh version 4 now it's the application security verification standard we should all target for level 2 as a
baseline and you know guys if your if your application uses critical data like uh financial data or personal information or sensitive information you should really target for level three even if it's not easy to fulfill the 286 controls um at the moment i've seen out there a lot of very nice apps i mean people spend enormous money in the ux and ui and for marketing purposes oh my god i mean to convert customers and then they get hacked by uh by somebody because the application is not uh is poor it's fully written security wise and that's the same now um this is a human firewall it's a big commodity it's sorry it's a big buzzword
out there you know it's something that as a term started a couple of years ago but it's it's true it's fundamental you can spend crazy money on next generation and next next generation things and then you have your user uh plugging in a usb device or click on a link and that's it you're pretty much [ __ ] apologize for the for the language but it is highly essential to train your users and as i stress and i don't stress enough sometimes and your security team i mean okay they're i.t guys or infosec guys and they they know how to hopefully they know how to to to check if a an email is uh is a
fraud or not or they don't use uh uh their personal usb stick at the office but uh you need to have an instant response plan i mean even if you're not uh abiding a framework like iso 27001 nist bimco or imo for shipping you need to have some processes around and you need to check them with along with the other stakeholders uh a few times per year and then when something happens because inevitably inevitably something will happen that's good that it wouldn't be something serious they need to reach out to the management to to marketing to legal and engage all the stakeholders so everyone involved needs to be uh trained um now uh this is a photograph
we're gonna be staying in the in the human asset part uh this is a photograph that i uh i chose uh the last minute to include it's nice because it start from the comfort zone as something that we were in the past and and that's true and um it refers to the stretch zone you know i i usually wake up quite early for multiple reasons and i used to to listen to all this motivational speaking and how to become a the best entrepreneur the best executive and they often refer to the straight zone you need to fight and fight and fight and become better and that's true but uh there are limits to it and nobody really
refers to the panic zone which is what comes if you if you haven't sent your boundaries so the ultimate truth is that human assets and i'm referring to actual people they can also be vulnerable and suspect to breaches which means that uh no matter how they look outside i mean they can be very functional they can laugh they kind of work with you they uh they can it's okay they can go out with uh for a bear with you or you know and you think that they have a a perfect life they can still be vulnerable and they can they can feel bad and when i'm saying they feel bad i'm talking about anxiety this is
mr miss anxiety uh they can be stressed they can feel like shite and that's a very important thing because then your next generation firewall looks something like this this is your edr and this is your web application firewall all your dlp so but these are just tools just instruments they are compensative measures but they don't really really remediate the problem so there are things that we should do this is a picture of myself a few years ago uh unfortunately this is something that i'm sure that it looks familiar to uh to a lot of you when you look yourself in the mirror every every morning and it doesn't matter you don't have to be an
executive to feel like that or to be like that but hey there is a there there are ways to to turn this around so i'm gonna talk about your remediation plan here we need to learn to say no and believe me it does have to do with poor management time management skills there are people there are people there are things that and people that we need to to say no to so that's a that's important again established boundaries it might [Music] you know it might look the same but it's not uh there are some lines that we should never cross regarding our uh uh our well-being or you know the the life work balance as i said in the start
so yeah maybe don't work um 16 hours 16 hours every day for for many many years just to you know to buy a brand new car or something it does worth it we should ask for help and i mean professional help yeah you can talk to your to your parents or to your better household to a friend of yours and that's fine but professionals are out there it's the same reason people hire us to to do a professional presentation test or vulnerability assessment or something and they don't reach out to uh for a freebie out there and very important try to build a positive relationship with your boss as long as it can happen if not maybe you can
change your boss you know now is a good time to refer to the footer of the presentation it says the first time is a mistake second time and obviously every other time on top of it is a choice so uh reaching to the end thank you everyone stay safe security wise and mentally sane and i'll talk to you when i see you around thanks emily [Music]
foreign [Music] so [Music]
so
[Music]
[Music]
[Music]
[Music]
hello hello hello um hope you're joining up to now we are supposed to go into a coffee break at the moment so there we will make a small change to the schedule we will move to the next talk instead of going to the coffee break now and we will go into the coffee break after this talk the reason being is because we are arranging for a last minute surprise which we want to do during the coffee break so we need a few more minutes to see if we can make it so please enjoy the the next talk and after that when we go for a coffee break we're we hope we'll have something ready for you to also enjoy
yeah it's a it's all about hiking so stay tuned
hi everyone pleasure to connect to all of you today my name is ceo of sikho blink so in today's session we were going to talk about the future of application security and what are the key challenges which are placed by the organizations so let's start with the agenda so we'll be covering up the topics which are related to what is application security why the application security is important the type of application security the common application security flaws and what are the application security tools which has been used by an and what organizat the key challenges which are still in organizations are facing in terms of application security and the best approach the application like us for the application security the
current and the future one so let's first start with the what is application security so application security is a process of developing adding and testing the security features within the application to minimize the security vulnerabilities so it is just like that we are adding the multiple layers to an application so that we can make it uh proof like we can make it like cyclone from all the external attacks and whenever like a hacker will going to try to penetrate those application they need to pass through the multiple security layers so this is how we are improving uh the overall security of an application and this process is known as an application security so where we are like identifying the
early stage of vulnerabilities and then we are reducing and we are eliminating those vulnerabilities with uh the approaches and with the different kind of like uh the products and the tools that um we're going to use so what happens in security is important so uh let's start with uh some couple of sets that we have captured mainly from the flex data micro focus and dividend security which says that the 60 60.5 percent of the applications vulnerabilities are remotely exploitable 42 percent organizations experience an external attack due to an application security clause 79 percent of the organization either regularly or occasionally so this is like mainly taken care by other organizations which are like early stage or which are like
in the medium stage because those uh in those organizations they don't have any security means that maximum of the development deployment work is taken care by only the developers and if they by mistake push the any kind of vulnerabilities which are associated and that is their code and if they put it in the production environment automatically it is making them more vulnerable of getting a cyber attack then 42 percent of the vulnerabilities in the applications are actually indexed in others because even in today's times a lot of enterprises applications and for medium business applications are using the previous tags so they are more prone of getting uh the sql injection attacks and 83 percent of the
applications are still formed to remain vulnerable after the install it can simply like if we start with the initial kind of scale because scanning is just not the one process it just have like a very basic process which uh the company an
and 50 organization of the apps on an average like they found vulnerable because they they didn't have adopted their stack of approaches so this is a trend like uh a graph that we have created from 2009 to 2020 and uh which says that uh shows the rapid increase in the vulnerability lower source vulnerability and if you can see like from 2019 2020 there is a drastic change that we have got because in today's time the organizations are including a lot of third-party libraries in order to make their applications more robust and to provide the best user experience to their customers and in order to do that they are basically following up uh with a lot of third-party libraries and which
is automatically making them more and more vulnerable of getting a cyber attack so the top security flaws that uh we have captured which has been uh covered by uh reported by the veracore and uh cwemitry so victory is a framework which is like followed by all the enterprises and it says that in the common clause if we talk about these are the popular common flaws which have been found in the application it starts with the information leakage which is coming up like at 64 percent and the cryptographical abnormalities which is like 62 percent then cross injections the core qualities insufficient input validation cross-site scripting attack directory trans transversal then credential management and if we go for
the top 10 like the top 10 uh cve which is being given by the victory for this year for 2021 which starts with the outer bound right which has the thread score of like 65.93 then cross side scripting which is like 46.84 then out of boundary which is 24.9 then the improper input validation that is 20.47 then was command injection that is 19.55 nesquik injection 19.54 then use after free part trans transversal then the cross side is scripting uh probably and unrestricted of your profile and then dangerous type so all of these detail like if you wanted to know what these terms mean so that is like widely available over the cb inventory websites and you can just go
there and you can just uh search about these thumbs to get more detail about it because here we can't like cover all her topics at once so i'm just giving an outline of like the top secret application security clause which has been followed by uh which has been like experienced by the in today's uh organizations then moving to the next we are talking about the type of application security so the application security is mainly divided up into the five types which starts with the critical infrastructure and security where we are talking about the applications which has been used in the critical infrastructure mainly with the power grid with the electricity uh segments and with uh the nuclear reactors so all of
these critical applications they are again like the cybersecurity is required in that because they are handling those critical infrastructure then moving to the next then we have the mobile application securities which is related to all the mobile applications applications that has been used the the network securities uh again the network security displays a very important role because this is the first contact the first enter entry point for a hacker and if we get anyhow the credentials of the network which is the user enterprise organization they can definitely enter into their database then the cloud securities are there which uh which is being like in today's maximum of the applications are getting deployed over the cloud so they need to
follow the various kind of approaches to adopt uh those securities then the iot security is there for all the iot devices so what are the application security challenges uh which the companies are facing in today's time starts with the inherited vulnerabilities like some of the code that they are using and using it so the vulnerabilities are getting edited from the previous quotes okay but from some like uh the third party libraries which are again making them more and more vulnerable of getting a fabulous and the second we have the third party and open source vulnerabilities and that boards and software supply chain attacks which have been recently experienced by a lot of big organizations may be based
out of us like if you talk about the colonial pipeline it will talk about the other hacks which has been taking place in at least 10 months so they are all like affected by the software supply chain only which is the one of the highest challenge for an organization then the volatility directions are there because still the organization doesn't have the robust solution in order to protect the vulnerability in the runtime environment and the idea security is that again is a very important role because different uh end organization which are publicly available and if they don't uh like deploying any sort of a securities and points then automatically like the hiker can easily access those
customer data sets so what are the application security tools so these are the popular tools which is which has been used by an organization which starts with the static application security testing and dynamic application security testing then interactive wrapping specifically testing these three approaches are mainly followed by all the kind testers and they start with application testing but while following these three approaches so then we have like the software composition analysis this is something a bit new because here we are analyzing the all the components objects of that software and we are lifting up and finding out the vulnerabilities which are associated to a very core level of an application then the new approach like a lot of tools have been offered by
an organizers which are basically providing up the application security testing other servers so the application security trends uh so basically the rays that we have seen postcode like uh in the new normal the organizations are now moving towards the cloud like they are not at all going forward with the on-premises uh servers which has been followed by the previous approaches uh and the post-pandemic uh time now the p-file like uh they have adopted a hybrid model or working from home so definitely they need to move their applications to the cloud so the rapid movement of an application and the rapid cloud adoption of an uh of an organization will automatically like uh at that scale which is which we have
seen in the past couple of months then the runtime application self protection this is also again being followed by uh in the terms of trains in the application security then we have the runtime uh application self protection rasp this is one of the most popular approach which has been followed by the recent cso cios and the security analyst then the backend as a services where we are like companies are following a very robust approach in today's time where they are giving uh they are created a back end as a server so they are deploying the microservices there and they are utilizing uh those services in the secure environment which is much more secure practice comparatively to the
traditional approach of deploying a monolithic architecture then we have the monitoring tools which are available mainly for the public and private clouds every local companies have those monitoring tools available if it goes from aws from bcp from microsoft affair everyone have the monitoring tools available and even like a lot of other third party companies are also offering which we can directly connect with those cloud providers and we can monitor all the traffic and bound and outbound traffic of an application then the web application firewalls they are basically the previous approach which is mainly like followed by an organization they just deploy the firewalls and then the function as a service is again it's a serverless model which has been
followed by an organizers and application of computer protection this is pretty much new uh because in today's time even what the hackers are doing they are basically like uh uh using uh the memory that they are creating like deploying the memory based kind of attacks which are very difficult to figure out or to detect by the traditional application security scanners and this thing we can like easily uh detect if yeah if an organization is using any sort of tool which is based out of like workload protection so then uh in the last we will be talking about all the uh approaches the current approaches and the future approaches which has been taken by an organizations for the application
security so the current approach if we talk about is like uh they are adopting the advanced uh application security frameworks they are creating uh the code the secure code they are monitoring the complete code and they are thinking like whether it is like not coming up from any sort of from the third party uh popular forums then implementing the security as a design this is like one of the most recommended approach which uh even i do recommend for mind and which the organization need to follow whenever they are designing or developing any any kind of a product they need to implement the security as a design so that at every stage it should uh get into those security layers and
which automatically will make the hacker works pretty much harder then integrating a security into the development the software development stages where we are like deploying testing the cipd pipeline that we are talking about so we are integrating the security in that part also then using the latest lab technology so it is basically like uh organizations need to adopt all the latest technologies which for developing up their application whether it is mobile iot or auba applications try avoiding the previous uh techniques or the previous technologies which are not getting any frequent updates because those uh frameworks and uh approaches are more getting more uh vulnerable of getting a sample attack then regularly they need to update their
softwares with the recent patches and the recent updates that are being ruled out by an organization because they are very important and they contain a very important security critical threat critical like updates then the future approaches also arrange and prioritize the application this is this is going to come up in the future approach where we are prioritizing that which application and is more important in an organization which is handling the more critical data then data should be encrypted we need to verify all the third party libraries that has been used in an application then we need to use some more advanced artificial intelligence-based tools in order to find the zero-day vulnerabilities because this kind of
vulnerabilities are like maximum of organizations are getting affected of these vulnerabilities and it's like give them a very less time to just revert or to take any kind of action against it and report to that only like the hackers do their work and they just take their complete that data or whether they just uh start within somewhere kind of attack or after doing their encryptions then securing all the upgrade apis that have been used in that applications and using the automated remediation approach which are automatically making an applications uh more uh better in terms of sample data than the application security testing and orchestration this is like one of the newest approach which the organizations
they seems like they will be definitely adopting it in the coming futures so these are the some couple of ways uh the previous ways and the new ways which organizations are following and either like definitely you can uh somehow you can like make your applications less prone of getting a cyber attack so that's all from my side and if you have any questions you can connect us connect me me over the linkedin or the twitter uh my username is appending and i will be happy to take any further questions thank you and thank you american digital week
so hi there hi hi uh well um we changed our schedule for a little so because we have a last-minute surprise from some spaniard he's one of the developers of wasp net hunter net attacker yes so this project is a wasp project that is totally written in python and we have a talk that he has sent us that is yes so netac is a hacking tool it's an owasp project it's been developed by the community over the years it was firstly presented in 2018. i was happy enough to be part of this presentation at blackhead with with sam and sam has created a presentation as part of owasp for in california recently and what we want to do is
we're still setting the streaming app we need about 30 seconds in real time and we will as we go into the coffee break at the same time we will let you enjoy a nice hiking tool talk and we definitely believe for those who are not familiar with an attacker and they love infrastructure pen testing you are going to find it very very useful it's amazing and [ __ ] when it comes to scanning way way faster than other tools so give us uh we're going to go through the cinematic and hopefully um after that you will start seeing during the coffee break uh some presentation on nataka yeah and you will enjoy also your coffee
will you jump [Music]
[Music]
so
[Music] relationship [Music]
[Music]
[Music]
hi everyone my name is sam stepanyan i'm a noah's chapter leader and owas nadaka project co-leader i work in london in the financial services sector as an application security consultant today i'm going to talk to you about the owasp attacker project so um a few more words about me uh apart from being a noaa's london chapter leader i also lead the owas chat chapter committee where we help all of us chapters to succeed to be healthy to be active i originally come from the software development background i'm an application developer and i'm an application security guy and i am a defender so why am i presenting a talk about a tool which consists of two words
network and attacker well i am a defender and an application security guy i had a bit of a history with um uh obasan attacker because i didn't know about this tool until i was pinged by the original uh netaka project leaders in 2018 where they asked me and um oh was london chapter co-leader dr greg fracos to go to black cat europe 2018 conference and present this project because the netaca project leaders were unable to travel to london at that time so myself and dr greg krakos we had to learn this tool overnight uh on a zoom session and we absolutely absolutely loved it we knew very very little about this tool because it was a brand new tool back
then uh we saw it appearing on the list of os projects but we didn't really know what it is and once we learned what it is we were really really happy to go and present it at uh black cat europe um 2018 in london and then suddenly this happened we had huge crowds of season penetration testers software developers security engineers um even some information security managers gathering around our stand at the black cat europe arsenal booth watching the presentation of the tool so we said okay this is good people like the tool so um i became a co-leader of august attacker project and proposed that it would be also presented the following year in 2019
and then suddenly this happened even bigger crowds gathered around watching this tool and absolutely everybody loved this tool but why what is it about obasa attacker that um everybody um is so uh intrigued about so oh was an attacker first of all is an open source software tool just like all of us projects and os the attacker's goal is to assist with penetration testing by automating uh tasks such as information gathering and vulnerability scanning because this tool is written in 100 python it doesn't require any external tools to be present in the operating system and it can be run on windows linux or mac os very important thing to mention about austin attacker that it is actually
written and it has by students who participated in initiative called google summer of code and if you don't know what google summer of code is it is a great initiative by google which is running every year and that is essentially a paid internship for students to select an open source project of their liking and apply to work on that project during the summer break and this is how we had always benefited by having students to help us to enhance the tool and actually it's not just the overall attacker there are many other os um projects um like osap for example or orwas jew shop which benefited from google summer of code and it's not just
oas which participates many other open source organizations do as well so if you're a student watching this or you know any students who you think might be interested in spending their summer break working on open source and gathering some real experience please do check out google summer of code it usually runs from march every year until the end of august so what is ova's attacker you can think of ovas attacker as a swiss army knife kind of tool because just like a swiss army knife it is a collection of tools it has a modular structure it's relatively easy to create your own modules we recently changed how you write your modules from python to yaml i
will talk about this a little bit later it is a fast performing tool because it's using multi-threading which you can control it's using python's multi-threading model important thing is that it has customizable profiles which are bundles of modules focused on a specific task so if you can imagine you can pull out several blades out of your swiss army knife uh to perform a specific task to make it uh quicker or more efficient and of course the most important thing is automation because you can automate and run this tool from the command line so um a few other bits about osne attacker that it is not an officially released tool yet it's not even in beta it's
still in research and development phase so the current versions are zero zero two and zero zero three uh and we're always looking for more contributors i will tell you how to contribute to the project at the end of my presentation however what is great about uh ovata that it is usable right now and it is a great tool which already has a command line interface web user interface an api report generator it also has multigo transform so people use multigo which is a great investigation tool available for example in kali linux and netaka currently has over 70 modules so you can find owasn attacker on the main owasp.org website under projects this is the url
where you can learn about the project and see some quick demonstration there important bit about documentation that we use the wiki part on the github so if you would like to read the documentation please click on the wiki button once you visit the osn attacker on github and there is an installation section there where you can learn how to install it you can install an attacker relatively simply and it will run on anything so i prefer uh using it for preferred using it in kali linux but you can use it on any platform there are several requirements for installation so please do follow the installation instructions because there's some dependencies that you need to install however if you are using
black arch linux distribution which is a linux distribution specifically targeting uh penetration testing um engagements you will find out that recently netaka was included in black arch and you can see it's uh currently being listed under the black arch automation tools and the version zero zero two is actually built into black arch which is absolutely great and we're very thankful to the black arch linux team which included our tool in the linux distribution so um in order for you to understand what orwas attacker is and how it compares with other scanners that you might know for example with scanners such as burp suite of or or wasp zap so scandals like burp or owasp they usually would scan one website for
many web application vulnerabilities and that's whatever the scanner is able to find so these tools will go and crawl one website to discover all urls all parameters all all forms you know all the buttons will try to click on all the links and then it will try to see uh if there are any vulnerabilities or was an attacker doesn't work like that it doesn't scan just one website it scans one or many and that can be hundreds or thousands of ip addresses networks or subdomains and what is it scanning them for for open ports or one or more specific vulnerabilities listed by the user and these are basically what our modules are and you can bundle the
modules in a profile to search for specific things so nettacker consists of three types of modules modules of type scan for example port scan modules of type bone these are the modules which are looking for a specific vulnerability for example apache struts valve module will look for apache strats vulnerability and it has modules of type brood for brute forcing so for example an ssh brute module we will perform brute forcing on over the ssh protocol so that's essentially what the module types are and that what makes this tool great because it combines three different types of activities scanning for in information gathering scanning for specific vulnerability and brute forcing so how do you run the
attacker in order to run the attacker from the command line you need to define two parameters you need to define the target what do you want to scan and the module which module do you want to use to scan it with and you do it with the dash i command line switch where you define your target and m for your module so for example if i want to perform a port scan on ip address 192168 i will call an attacker with dash i and the ip address and dash m with the module or the port scan you can also scan not just one ip address but the whole network for example if you provide 192.168.1.1
you will scan the entire class c network or 255 ip addresses and actually an attacker has more targets available you can scan a single ip address as i've just shown you before you can also scan an ip address range by providing a starting ip address and an ending ip address you can also scan a network by providing the cidr bits notation but what is also very interesting that you can scan a domain for example oasp.org and you can also scan urls using http or https protocol so these are the various types of networker targets but that is not all because if you are if you work for a larger organization that means you will have a multitude of
networks you will have several domain names and lots of ip addresses so what you can do you can actually create a text file which lists all the uh targets that you want to scan uh one target per uh line in the text file and then just load the list of targets using the l parameters so that is another way of running the attacker and again for example if you want to run a specific module for example a port scan on all your networks all your domains and subdomains that is what you can do and this is what is making net tucker so great so let me now do a quick live demo let me just switch
to my kali linux installation here where i already have net tucker installed and again a reminder if you want to uh learn how to install an attacker just check out documentation on github under the github wiki uh so because an attacker is a tool written in python i'm going to use python to run it so if i run nettacker with no parameters what is going to happen it's just going to return a usage instructions you can see there's a lots of information being displayed on the screen which can be quite confusing this is why please do check out the documentation where you will be able to find out about all the modules available what they do and
any additional parameters that you might need to use but um here and in my first example let me actually try to run net tucker on an ip address and perform a port scan actually i want to scan this particular ip address now so this is what i need to specify i just need to provide the ip address and then port scan as the module of course many of you probably using tools such as nmap for port scanning and um usually people will have like a love and hate relationship with nmap and in attacker what is great about port scanning that it is actually quite simple very powerful and it is written in python so you don't even need to
install nmap on your system all you need to do is just to have python installed so there you go you can see how quickly an attacker scanned it and returned us the results where you can see all the port numbers which were open and also you can see in the description column here it tries to identify what they are and you can see that it was telnet ssh sunrpc but for example you can see on ports 1884 and 1890 on this particular target it thinks that it is actually running http which is very important because as you can see people can run things like web service or ssh servers on some obscure ports and attacker can
actually identify what is running there you can see that the attacker after it completed the scan it displays the information in its tabular format and it also stores the data in html file as you can see here and the database so the database bit is actually quite important because it's not like other tools which complete the scan and then that's it and they have to do something with it no attacker actually stores everything in database and again that is a very uh good feature because you can actually search the database and i'll talk about this a little bit later now we have seen how to use that tucker for port scanning but let me show you some other ways how
you can use an attacker by using multiple modules and how you can use it on a domain name so for example if i want to scan obasp.org domain and i want to perform a subdomain scan right i can uh run this command and uh attacker now is going to go and discover all the sub-domains of oas.org and give us the list you can see how quickly this was done however what netaka has it has a unique feature which allows you to combine sub-domain scan with any other module available so for example there is a module which is called uh server version phone and server version vuln is a module which is trying to detect if the web server in question is
returning or leaking the type of the web server in the response headers in the server header and we can see if we run it on ovals.org that os.org is actually leaking that it's server header and it says that it's running cloudflare so okay great now we know what the obas.org is running on but this is not all because what we can also do we can add another module so i can change for example x powered by vulnerability and that will return another header which is the x powered by header and we you can also see any extra information provided by the x powered by header of that web server and uh that is not all you can see this is all
on os.org website um and we can see that the attacker actually discovered um open ports port 80.443 and told us in this information gathering session what type of the server and technologies are being run on ours.org but what is great as i mentioned you can actually add subdomain scan to this and by adding s parameter and what's going to happen now is attacker is actually going to go and discover all the subdomains of os.org and it's going to run the these two modules that i listed on every single sub domain and as a result as you can see it is very quick and literally within a few seconds now we have information about all the
sub-domains of os.org and everything that they are running so this is absolutely great feature and what you can do after this because obviously how do you consume the results you can check out the report so you can see for example here the report is stored in the html file so let's see if we can open this html file with a web browser so i have a firefox here let's see if we can open this file and see what is shown in this html file you can see a great feature in attacker here called penetration testing graph and you can see that the attacker started it attack and started connecting to various subdomains of owas.org and we
can see that on every single target here uh the server version vulnerability index powered by vulnerability modules they return a result and you can see uh what was actually running on them and why the graph is important because by looking at the shape of the graph you can see that and spot some patterns for example you can see that one of the subdomains of oauth.org did not have x power by vulnerability returning anything because that header was not present you can see it was just server version one and we can see in this case this was nginx and if you scroll down of this report you will find the results in the same familiar tabular
format you will see all the hosts which will be either the subdomain or a specific ip address if you scan your network the username and password columns which are currently blank they are used for brute forcing so if you try to run a brute forcing attack uh for example to discover if there are any uh service on your network which are using default credentials such as admin admin or uh whatever default credentials you are looking for they will be displayed here in this username and password columns uh if there is a match you can see the port number you can see the type of the module which was in use and you can see the description column there's a bit of
a visual effect so if i want to focus your attention on a particular line in this table i can just hover over the row of data and you can see that this particular host for example was running nginx so that is the results in html format however an attacker has ability to run some other reports as well and again what makes it great is that apart from the the graphs it can also output results in uh csv and json formats and why is it important because we with using json people can actually consume these results for integration with other tools because json is structured data and after you run attacker on your networks you can take
that json file and feed it into any other tool which can consume it and for example provide you a different reporting analytics or perhaps say further vulnerability scanning and why is it important to have csv it's because you get results in a spreadsheet format and this is probably what is so great about obasan attacker it's probably the only tool i know which is free and open source and that allows you to scan your network uh discover all the open ports all the service all the vulnerabilities and they give you results in excel spreadsheet format which is fantastic and everybody gets a spreadsheet everybody loves the spreadsheet you can easily of course filter that spreadsheet filter the data
search for whatever is needed and it is absolutely fantastic for companies to basically run this free and open source tool and get the list of all the assets open ports and vulnerabilities in one very convenient spreadsheet format so this is a unique feature of an attacker which uh i think probably one of the best features of this little tool so what netaka is solving by storing the results in the database format and giving you the spreadsheet it's it's uh solving something called owasp a0 if you don't know what osp0 is it's um something that jeremiah grossman the veteran of our application security industry suggested a few years ago when we were due to release obas top 10 2017 and the
top suggestion from jeremiah was to include a0 or asset inventory because these days the biggest application security risk are websites that you don't know you own why because if you don't know what you own you cannot possibly secure it an attacker solves this challenge for you because it allows you to um to create your asset inventory by scanning your network and scanning your assets and of course uh the recommended way of using the attacker is to use it on your own network but you can also use it for penetration testing engagements or for bug bounty work where you can attack somebody else's network but of course always make sure that you have permission to do that so some of the
attacker use cases you can use it for asset discovery so you can scan your network for open ports you can you can scan networks for new hosts you can scan network for default credentials for example admin admin if you use brute forcing you can uh quickly scan the network and find out uh if there are any service with default credentials configured on it you can scan your network for a specific vulnerability for example a big vulnerability this year has been microsoft exchange ssrf cve which affected thousands and thousands of organizations worldwide and we have a free and open source tool called oas netaka with a module which actually allows you to scan all your networks and
discover vulnerable service you can also discover sub domains and open ports on them you can discover things like expired ssl certificates and your ip ranges why is it important because if you have service with expired ssl sets that means that the server is probably abandoned and probably not patched you can also find subdomains hosting vulnerable versions of content management systems such as wordpress drupal and joomla and of course what is important that you can run any netaca modules on all sub-domains of a specific domain you can automate an attacker using the command line and you get results using csv json and html format you can use it in docker in your organization when you spin it up in docker it will actually
use the web ui or the api mode and you can search for previous scan results and discovered assets in the database that's what makes it great i have a slide here which shows quickly what the os web ui looks like it's quite simple and you can see different colors because different modules are color coded and you can see that the brute forcing modules are orange the vulnerability scanning modules are red and the scanning modules are green so when you select a particular profile for example all vulnerability scanning modules selected here they will all will be ticked and they will all be used important thing about the modules is that in the latest version of an
attacker zero zero three the modules are written in yaml which means that it is very simple to write new modules and contribute new modules please definitely do check out this new feature the latest version is a bit unstable yet so we're still working on it but the fact that it's using yaml actually will allow us will allow the project to respond quickly to the new vulnerabilities and release new modules allowing you to scan for these vulnerabilities in your network just like all of us projects it is open source so we welcome contributions if you want to contribute please do check out the developer wiki which is available on the documentation page do read and follow the contributor
guidelines and if you know python you can of course help us with uh coding if you know yaml you can help us with the vulnerability modules we can also help us with translations and documentation if you want to contribute a non in a non-technical way so um that's it about the tucker please uh use it to attack your own network before the real attackers do um i'm now ready to take any questions uh and um as you have heard from the moderators uh we're taking questions today in oas slab channel and the current was slack channel for this track is 20th anniversary temporal you can also contact me via email or via twitter at secure step 9. thank you
hello hello welcome back to our regular schedule i really hope you enjoyed this surprise guest talk by some about netaka it's a very very interesting tool if you don't have it in your arsenal i definitely recommend giving it a try it might be helpful in many cases it's it tends to be way much faster when you want to scan large c-class networks or wide range of ip addresses we are moving on with our regular schedule to our next talk we will also open soon before the end of the conference our form b for those who need to sign for getting the certificate of attendance so enjoy the next talk keep any discussions in the discord
channel or if you have any questions let the speakers know and we take it from there enjoy the next talk
hello everyone my name is pat sykis and i'm here together with my good student and friend just can adjust in order to present you our work on fishing with our work entitled fishing with is a hacker creation or an old attack on more or less new mediums and with more attack vectors george hello my name is joshua i am a student of the professional battalis i also work right now in the security industry and this is a previous work of ours during my stay at the athena research center
so as george stated before this is a previous work that uh finished a few months ago practically on april 2022 uh it's mainly funded by two eu project cybersec europe and lockhart uh this uh what we point out here is just our personal views on these matters have nothing to do with either the commission or any current employers of the people who were in the research excellent so let's describe the main motivation and more or less the idea of what we are doing here so practically as many of you might know there was a famous security incident that was made from someone who coined the the name finesse fisher uh practically what he did what he did
is that he created a zero day exploits for some services from some service scan the internet in order to find which are let's say the available and vulnerable endpoints that use this service and try to penetrate them during this course he managed to penetrate a web bank from cayman cayman islands and hiking his way in and he provided all the details of what he did how he did it the very concept is that practically we have the details from the attacker's side not for the analysis of uh how a financial institution is actually viewed in the eyes of the intelligence and nevertheless this is rather old what we wanted to do is that given the
current threat landscape is to try to find ways to create this experiment in terms of new city servers in terms of new attacking metals however also to try to stress test the defensive mechanisms that current critical infrastructural current let's say financial institution would use next uh prior to continuing it's worth noting that uh in this case we will try to instead of using an external facing asset like the sonicwall vpn that finasteries are used and exploit for we will move to more realistic things as we will see later and also that in a malware testing lab it's not always effective simulating uh user uh activity which will give an attacker places to hide things to hijack and also
a false positive rate so which he can blend with so this is something we can keep in mind that in the malware testing lab malware will always stand out and give the defenses some kind of advantage so so practically uh as we said we were trying to recreate the environment uh so-called serwood that finesse officer actually detailed in a more let's say recent environment here in the diagram you can see more or less the network setup that we used it's all recreated using vms uh practically you can see that we have a pf sense in order to more or less provide some segmentation to the network you can see that in the end points we have used 71 and 40 adr
and the idea here is that we try to create a heterogeneous environment where different machines are protected with different security mechanisms so that it's more difficult for one [Music] for an attacker to hope from one machine to the other so [Music] the idea is that we have positioned a citrix server in a restricted zone to allow access only to the job server more or less to recreate how things would be in a bank's secure zone george so yes we use the hyper-v server to host everything here you can see more or less the zones the work zone the secure zone which contained the citrix xenapp and the jump server we tried to make things look uh
as realistic as possible network wise we would have to go from here to the jump zone to the citrix server and also we use some things like clam av on squid to filter basic network traffic blah blah so it's just we focus more on the endpoints to this extent so uh let me present to you the offensive capabilities we had as we if you read the articles of finesse fisher you will see that he was mainly using things like martial empire meterpreter things that are out there so uh modern uh apts and offenders in general will use some kind of command and control means uh things will not always uh there are scenarios where you can use
like already existing assets but you will always need some kind of malware to ease your way in and do things and so we chose five diverse yet uh highly promising malware uh that are used but are not uh that are private and proprietary not out there for everyone so we will start uh by presenting nighthook it's the work of mdsec one of the top security firms at this moment uh it's a hardcore red team toolkit for from hardcore redeemers for having red teamers uh stealth configurability and feature richness is in mind but the main point that makes always stand out is basically there are two points private research that is applied uh by the people at mdsec and as features and
also the malleability this means that this is a highly uh um a malware that can use highly diverse techniques to evade detection you can always attribute the specific pattern to it because there are many ways in it to do uh things uh there are some techniques that are some of them are being slowly published by the team some are kept in private you can spoof things like atw ti uh instrumentation which takes place in takes place in ntos journal which it's very hard to avoid and spoofing strategies for mini filter callbacks which is also driver related technology avs use the basic driver technology avs will use they will have a mini filter with kernel callbacks to monitor uh operating system
events so uh some of the features that we actually used and had the chance to test and do our work with was the rope based system called unhooking and later full dll unhooking stealth feature and other stealth features it will make the operator's life easier by cleansing the process and uh reducing uh api based [Music] iocs that will occur from tools uran because we need to separate iocs that are related to the c2 and those that are related to the tools if i run uh let's say safety cards this will have all the iss of loading mimic ads and also accessing elsa's regardless of my c2 and this will get caught so there are things that you will try to do
this applies to user mode protections mostly there is also thread stuck spoofing trying to evade uh thread analysis and what the threat did and in memory hiding uh while sleeping trying to disguise in memory nighthawk so that it will evade scanners there are some customized process injection methods and some process injection methods that you can use but are like a opsec boosted let's say in some cases uh so that as we will see later we want to blend in uh and also network and callback related uh features for undercover beaconing you can use teams you can use like custom templates you can use many means of transfer so we will now talk about brutal lc4 it was
created by dark vortex and more specifically an experienced operator uh it's a low-cost alternative to kabul strike and it's supposed to be lesser known more effective and more stealthy some of the features include customized reflective loaders some both files vehicle object files that will execute after some memory allocation that will execute in memory uh held up sentinel for enumeration easily configurable ttps through the malleable profiles of it and the settings uh thing is uh this product was not the most stable we have seen we had several issues with it there the delivery methods were limited so when you load something dynamically there are more chances of it to get caught especially in the case of those
specific two edrs we had that have some very intriguing let's say methods to target shellcode itself and uh we tried to spoof that in some cases it worked in some cases it didn't but uh and we will see that this c2 uh visitors function will be highly dependent on the environment and the endpoint for example if there is an in process client because we had things like sometimes an infinite loop or we had like we tried to turn the solution into passive mode and see what gets caught and when and where in general we had some functionality issues but the main idea is that basic tasks can't be performed however even though we got a
foothold the way in some cases things were performed it would trigger the adrs on post exploitation and this is something we need to keep in mind that okay we got a foothold what do we do next how do we do it what is our context and how are we secure did we raise the score for some reason etc so we need unfortunately uh we didn't manage to complete the scenario with this one and uh we saw we learned things uh because we had diverse ways we had like uh many ways the adrs would detect uh for different things of this tool and on access in some cases or as i told you after some post exploitation tasks but
we need to keep in mind that we need adaptability a holistic approach towards opsec and kill chains and uh stability this is something an operator good enough wouldn't be able to afford to lose in a real bank or raising the alarm as we will see later which could mess the operation so uh global strike the most well-known many much work done from the community many features now we the latest uh version at the experiments time was 4.4 now kabul strike we have to say that they do some great work on pushing updates and also some things were changed in general in help system so uh we see a lot of potential to becoming again the top but it's still the norm for uh
threat actors and the red teamers out there however we wanted to break the norm by exploring alternatives in this case we have now user-defined reflective loaders both reflective dlls we have various kits which we didn't use to a great extent because as you will see later the basically uh on touch on access kabul strike was killed by many traps of the adrs either format wise because of the shell code either behavior-wise uh it was not something it's something that the companies invested a lot into and there are many ways to do this behaviorally uh from emulation many things memory inspection [Music] and we tried other adrs apart from the two we tested above and we saw that if we
didn't do much work on our own or we didn't use some kind of stage zero or we didn't use some uh very uh specific configuration or loader specific uh uh methods and have a good opsec wise logic uh we would get caught by things by uh other edrs as well that uh are not so known some of them based on network stuff like uh network inspection and becoming patterns like many things like memory scanning uh behavior such as loading dlls etc so uh as you can see uh we can try to avoid some iocs but it's mostly up to the operator and in this case we will see a research from sophos in 2021 and kabul strike out of
405 tools observed it was it represented the uh seven percent of it so it's rather uh a rather interesting uh statistic to this one so uh no this is not a blue screen uh in our case um [Music] those features of cobblestrike like the kids etc were not very helpful but uh i already described uh what we wanted but uh what i have to say is that global strike is also much uh let's say uh configurable and if you decide there was an interesting article out there showing that if you sideload kabul strike into teams and also make the network behavior look similar to teams you would be able to evade some kind of inspection
so kabul shark is a high quality product but unfortunately at this time uh it wasn't what we wanted and what we needed and uh and sometimes about the tools that are there there are very skill coders very still redeemers but in our case uh sometimes tools out there are not developed full-time by a company so this is something to keep in mind so uh havoc was created by a personal friend of mine it represents the other or unknown threats and uh in my opinion uh it's a very ambitious and very well designed code wise attempt we had some generic issues because this solution was created for the most of the adrs and not our niche
threat landscape we managed we helped paul as a team uh we assisted in the development process and we created some generic uh edr uh and obsex safety related features and we were able although the communications were limited now they're not because uh new uh listen new beaconing options were added but at the time it was still at beta same went for nighthawk and we tried as much as we could to make this solution adaptable and we managed actually to use a solution that's like you've seen the movies a young person with a hoodie coding in the dark et cetera this is this managed to work really well and we managed to complete although with some more effort and some more trial and
error and digging into the internals of stuff uh we managed to operate and this is some of the very interesting points of this research so oyaband was a stage zero what this means is that it will make just some basic recon and execution tasks there was like uh ngrok integration go native reversal it used tcp dialer and uh goes way to execute system commands which was very helpful key logging and discovery features it's not 100 percent stable always but that because it's a new product as well but the team tries as much as possible and they we have had like a a significant amount of effort and growth in terms of product and product i mean as
technology and improvement and learning uh with a team so it's a very interesting product uh they try to make it more and more stable they will change the code base soon from what i know thing is it's just a static and staged binary it may be limiting at some points you can turn it into shell code if you like with some kind of recreation of bootstrap reflective loader but this will be unrelated at this moment uh we managed due to this nature to do things and we will proceed to the next slide professor
professor we can't hear you sorry a nice casualties that we have from streaming and from online meetings so there are several differences compared to let's say casual engagements first we have to note that we have two different solutions that are working rather differently so the case of unhooking is not always an option in order to evade the defense mechanisms so for example fortinet is based on memory patterns and kernel based filtering so practically uncooking is not that easy and in the case of sentinel one like it also has some generic [Music] sorry cooking mechanism for uh in the kernel nevertheless it also tries to find low-hanging fruits in the case of typical bypasses that an adversary would
try to make but also let's say through the star rooms that it has twice to find many bypasses here in the environment that we have recreated it is worth it to note that one mistake is enough in order to showcase that an attack is being has been launched the idea is that currently with all these mechanisms which are monitoring all these system requests all these system calls the network traffic etc operating in an opensec way is not that easy nevertheless it's mandatory because it will immediately show that the attacker is doing something malicious as uh as i noted earlier the environment that we have created is very diverse meaning that its host has a different
endpoint security mechanism so practically this means that whatever works in host a it doesn't necessarily mean that we work on host b so practically this means that in every hope that you make inside the network you need more you need to be more cautious because you need different tools and different methods something that was not pointed out is that as we said the experiments finished on april nevertheless they took several months in order to to be made and the main reason is that we had engagement with several of these vendors in order to report issues in order to report bugs so that they will be passed and not make more or less a red or not a red team
but uh yeah exactly more or less a guideline of what to do when you are facing a financial institution and how to penetrate no that was not the case so we responsibly disclose issues that we found so that the whole ecosystem is secure it's worth noting that the traps of both solutions are quite innovative because in the case of sentinel 1 there is a drop to cover it up to cover a drop and we had the chance to beta test many of those traps in during this scenario before they were ready for production and also in the case of 40dr we were we had the chance to also check stuff and see how the real-time memory
structure inspection works and it's not like casual scanning it's how uh shellcode for example would be different than a valid pe and if there would be like uh no normal normal behaviors so
from how they look in memory from those there's a difference of how things will look in memory and this is how to avoid so some of the basic ttps are some excel files uh dll files with a specific icon which is very tempting to click and a specific expert that will launch specific code customize injections like uh dll hollowing which will patch the address of entry point with some kind of shell code or we will try to uh like um uh blend uh several injection techniques or objects safety techniques like uh where we inject and what we inject and how do we do this msi files are well known installer files we can add actions
that will include persistence like adding registry keys services blah blah whatever this could mean execute commands run our binaries use it for dll side loading which we will mention later whether it's a loader or a static binder it's a good way to blend in with an application so privileged driver based loading and vulnerable drive abuse we tried to abuse other exploitable drivers that may expose for example an isctl that we can take advantage of and do our execute our code through this driver or impair the defenses an example are anti-root key tools which you can use for example to load the driver do whatever you want to some extent uh in the system from the
general level disable the av uh maybe some shadowing uh as there are in internet cafes you can use such tools to evade shadowing and see the coin miners the employees have planted on the pcs this is how i get my free coffee when i go to the internet so i i never uh told anything about this snitches get stitches but in any case uh we tried to use customized vendor specific spoofing and bug abuse techniques that we would things we would do from the architecture of the solution itself to turn it around and make the edr hit itself so credential theft we could use drivers again like wintmem to dump the physical memory and parse it and get credentials
reflective loading and loading of tools including clr and ps power cell tools and reflection are things that we tried to see how they would behave in such a scenario where without the clr what's the process if it's excel through an xll for example it's easier because uh excel will be will make network connection which is which is better for coverage and also uh it has the clr loaded by default so this is a quick meter mapping professor yes so practically we try to map here what we consider we that has already been in made by the attacker in green and more or less in red we highlight what are the capabilities that we have developed
in terms of resource development in asia execution et cetera i hope that this is readable because it's far too many things that are listed here okay yes uh i will proceed so this is the offensive scenario review you can see some of the screenshots and proof of concepts this is sentinel one's timelines uh which are pretty cool i guess same goes for fortinet uh forensics they give you queries and you can attribute things to an actor but in depth like what did you find what kind of attack did you find how if you find this kind of ioc notify me about this so here we can see a casual process injection with a new thread creation
uh we can see execution of tools through knight hook we can see how the panel worked and how we managed to do some credential theft through keylogging and credential theft techniques in general how we execute tools and how we disabled the adr so here clr becomes for example well loaded in processes that indeed use such technology this is a good we need to take into account topsec so if i want to beacon through win http uh i will use a browser for example to eject into because it would be abnormal loading this uh this tool for example this dll inside another uh whatever process so we need to be careful how we look both on the endpoint and on the network
there's diverse tooling we use diverse tools to achieve the same things we try to use the kernel as much as possible and do things like impairing the defenses so we could then launch launch cobble strike or use a driver to uh and exploit also a navy solution to through a privileged scenario to inject into processes uh into the installing like a 3av from the internet whatever you will find many and injecting into that protected process and try to avoid some of the traps this way of uh and some of the monitoring by other tools and the antennas the response is like uh things like uh in-memory masking of uh uh the nighthawk presence and things you
will see that you will not always be able to find it through tools like moneta pc or even some commercial tools so this is the attack timeline we got initial access very quickly uh from via mail from a categorized domain we had uh we tried to use msi exec combined with around dll32 we used excel we used site loading into whatsapp and injecting into that free av we also then dropped a shortcut which would trigger an authentication to our farmer webdav server to steal credentials then we would impersonate the user do gpo abuse uh use tools like standing then make our user and not mean try do all these sorts of active directory casual things casual exploitation things
so then we try to laterally move through socks proxies and we tried to execute the payload from a share or like launching the payload in some way uh we uh extract credentials with the wimpy mmm as i told you before we used casual things like serp exec wmi or winrm to move through boxes uh we tried the internal monologue without the registry modifications foreign downgrade this comes to the things we need to do when we want to avoid some certain footprint and we want to control the actual uh footprint of our attacks and tools so again we tried to jump on the final server we used the hand now fixed vendor specific bug which would blind the
specific context of processes for the solution we didn't have to face fa however there are recent articles and older articles even in finance feature you can see that you can steal the authentication tokens and bypass this and there are also tools you could use for something like fishing for that like modlis cup it's not something that's undoable but 2fa is always a good option to have this control is out of scope so what's next professor so practically we have contacted both senegal one and fortinet teams in order to notify them of let's say the important issues that we have found in the resolution whether this has to do with architectural misses whether this has to do with bugs or
issues that we found misses in their detection or let's say gaps in the storyline that they created practically both teams have been quite responsive in patching their systems and providing patches to their customers so that they are more secure so [Music] in few days i believe that if not already because we are currently discussing with sentiment one in terms of providing a documentation of these experiments online there will be an article yeah exactly a court or the article from me and george regarding this experiment and will be hosted on their blog there is also the possibility of finding a similar article from fortinet however we are waiting for the response from the marketing team so
a big thanks to all the team from mdsec and to dominic peter modexville and matthew george and of course my friends paul lungur he has a great future ahead and the red code labs team thank you for your patience these are our contact details and we hope to hear from you soon uh have a nice day
hi there and welcome thank you all for having me here at besides athens as virtual as it is i hope that next year we'll be able to do this in person so i'm dave lewis and my talk today is security debt and running with scissors and we'll get into what that means in just a second so i've been in security now for the better part of 30 years and i have done pretty much every role along the way up to and including being a cso for a power company and i have always been of a hacker mind when i got started back in 1983 i hate that i can say that um i was really
having a good time you know duping video games telling the kids in school that sort of fun stuff and well time has skipped ahead on us as
Related talks
37:13
16:00
24:37
28:18
12:24
13:12