
Cleveland BSides 2011 Talk 5 Steve O

BSides Cleveland (YouTube), 50:25, published 2016-10

Transcript (en)

Thank you, Dave. We're good. Awesome, great job, Dave. Okay, our next speaker is Steve Ocepek, or he goes by the name of "no Steve". The title of his talk is "thicknet does more than Oracle". Steve Ocepek is the director of security research at Trustwave SpiderLabs, where he's in charge of keeping the Wireshark fed. Prior to SpiderLabs, Steve created NAC-based hallucinations, sold two cowboys, got stung by a scorpion, and wandered out of sales engineer training. Now he's just trying to find his keys. Ladies and gentlemen, Steve Ocepek.

So, uh, appreciate it. Actually, I'm having a bit of trouble here with my voice, speaking, so bear with me. I've actually just come down with something a couple of days before the talk.

I wanted to make sure I was here. I did a lot for you guys: I went and got a steroid shot today, this morning. So yeah, look what I do for you. And actually I've been on some medication as well throughout the day, so if I kind of go out there a little bit, bear with me, just kind of bring me back to the fold. And actually, speaking of medicine, Miss Ashley, if you could, when you have a second, I could take you up on that. I appreciate it. Thank you. Great, thank you.

So, thicknet does more than

Oracle. I don't know how many of you guys have heard about thicknet. We talked about it at Black Hat Europe 2010, last year. We started it, me and a guy named Wendel Henrique, started this tool, a man-in-the-middle attack tool. It's written in Perl and it's... oh, okay, that's good, that's good, man, so no, it's cool. We will actually talk about that, we might change that a little bit. So it's a man-in-the-middle tool. The whole idea is really to be able to take over the sessions. And of course, the reason I say it does more than Oracle: the very first thing we tackled was Oracle, for

some reason, which was like the most ridiculously difficult protocol to tackle, it turns out. But a little bit about me. And I've just noticed that things are going ridiculous on some of these slides, so bear with me. Director of security research at SpiderLabs, network pen tester. Somewhere in that garbled mess it says "Perl apologist". And basically we're in charge... SpiderLabs, Trustwave SpiderLabs. Thank you, thank you, appreciate it, thank you, Miss Ashley. Everyone stop. SpiderLabs researcher, in charge of the new signatures for things like IDS, IPS. We have a mail system called MailMarshal, spam filters, all sorts of things. We're kind of on the

cutting edge. I read Full Disclosure, much to my chagrin most days, but we have to keep up with that stuff, right? SpiderLabs as a whole: that slide looks a lot better. 2005, we've been around for six years. We're kind of the advanced security team at Trustwave. We do all the penetration testing. I like to put the words "thought leadership" in there. We're basically the guys that go to the rest of the organization and kind of give Trustwave an idea of what we should be looking at with products and such. Just some numbers: over 400 incidents we handled in '09 and 2010, believe it or not, and nearly 4,500 pen tests. We keep pretty busy. I was a pen tester

for a while in the network pen test practice, and I speak at Def Con, Black Hat, and OWASP, pretty much. Look around, we're all over the place now. There's something about this presentation. This is a new one for me, because I usually like to go out to Google Images and grab all my pictures, but the legal team talked to me and they said you can't do that anymore. So I want to just let everyone know, in doing this presentation, there's not going to be any of the usual suspects in the slide deck. Everything we created is created by ourselves. It's either Microsoft clip art or, of course, my favorite thing, the

spray can in Microsoft Paint. So with that being said, you know, let's get things kicked off, right? And I want to let you know they are not drunk. So what is it? What does MITM mean? What's it about? What do you need in order to do a MITM? What does it stand for? What do you have to do to pull off an attack like this? Okay, so it just stands for "namby-pamby in the middle". You think? Maybe, baby? No, probably not, probably not. "Man hug in the middle"? I think it stands for "man hug in the middle". We're getting closer,

we're getting a lot closer. It's just, you know, this clip art. Clip art, okay. No, the M: it stands for man. It's just a man, man in the middle, right? This is about being the man in the middle. Okay, this is what thicknet was about. Thicknet was about: I'd sit there on a pen test and look at Ettercap, use Ettercap, which, great tool, awesome tool, to get in line, to get in the middle of something on, like, an internal pen test. And actually I'd be waiting, I'd be praying that the guy who I'm watching, who's talking to the database server, would put in the right query so that I could see cardholder data, and I'd say, aha,

gotcha, take a screenshot, put it in the pen test report and finish up. But that seems kind of ridiculous, right? That doesn't sound like being the man in the middle. It sounds like I'm just kind of waiting around for stuff, right? So the thing is, I should also say that, yeah, I don't want to offend anybody, so I did some... it could very much be a woman in the middle. So, the thing is, we want to take control of the session, right? We don't just want to wait, we don't want to be a spectator. We want to take control. The packets are going through us, right? The packets are coming

to us, I mean, going through our machine and back out on the wire, and it just felt... I felt very powerless, before I had thicknet, to really do anything with it. And I argue that if you're able to use thicknet, and able to use it to your cause, you will be the envy of all of your friends. Apparently that was actually in Stockholm. I didn't see that until I put the slide deck together. I was like, oh, there's those dudes, kind of looking at me there. So it's kind of interesting, put on a show. So let's talk a little bit about ARP poisoning. Okay, this is going to be focused on ARP poisoning. You know,

all of these kinds of attacks in information security have some context around them. They have some, you know, if-then statements attached to them. So in this whole talk you have to assume this type of attack, a man-in-the-middle attack, is all about the fact that you have access to, let's say in this case, a layer 2 network. But that's not the only way it happens. Sometimes you can do it with, you know, screwing up DNS entries. Sometimes you can do it with DHCP starvation, although that's still L2. You can do it in a number of different ways. But pretty much keep everything we're doing today inside this context, that this is a specific

situation. This is a common situation in an internal pentest. This can also be a common situation in wireless networks, where you get onto a hotspot or something in a public network. It's pretty easy to set those up as well. But this is really limited to that context, that you're able to somehow get in the middle, and ARP poisoning is the most common way of doing this. So here again we've got the clip art. Here, important people on the left, and notice, don't you like that Lotus Domino server? I thought that was pretty creative. So the IP address on the left is .1.100, on the right it's .125. There's some MAC addresses in there, some generic,

fictitious MACs, and then you've got the ARP cache. Now, the ARP cache is the thing that's going to map the IP address to the MAC address. So Address Resolution Protocol, all that is, is saying I'm going to take an IP address and I'm going to map it to a MAC address. That's all that is. It's just making the correlation there, because everything, you know, at the end of the day, it talks MAC address to MAC address on the link layer. So now what I like to call Ettercat, Ettercat comes into the game and says, hey, I'm going to screw around with this, I'm going to mess everything up. So, you know, all we have to do, it's very simple: ARP

is trusting. It'll take what you're saying and just go with it. So we're going to update the ARP caches. We're going to tell these important people that the Domino server, .1.125, is at Ettercat's address, and the same on the right side: that .1.100, the important people, is now also at the in-the-middle. So what happens now? All the business-critical emails, they all go to Ettercat, and Ettercat gets to read them and do things to them. And of course, you know, the important people have no idea. They're thinking about their golf swing, and things go along. And that's the whole

thing about this that makes it so nasty: you can pull off one of these types of attacks, if you do it right, you just keep sending the stuff through, and nobody knows the difference. Okay, so, thicknet history. Like I said earlier, it's been around since last year. As you can tell, very good coding environment, in the hotel of the conference in Barcelona, with jet lag. In my hand there, I'm sure that's apple juice. So basically, and by the way, that's my buddy Wendel over there, this was an attempt to show that we could actually get in the middle of these Oracle sessions. The proof of concept was:

we don't need the spec. The spec costs a lot of money. Oracle wants to charge you, like, multiple hundreds of thousands of dollars for this thing. And the whole idea was, well, if you don't have the spec you can't really manipulate the protocol. Well, that's wrong. We can do that. We can do it using something called sled-based injection. We also did some downgrading of credentials, where we would jump in the middle, mess around with the conversation, make it so that the credentials were sent in an old version, and then we could crack them offline. Now I see another messed-up slide coming up. Oh, okay, that one

looks all right, well, as all right as any of these do. So we did it. We manipulated Net8, which is the nasty protocol that Oracle uses to send the stuff across the wire. We were able to inject queries with it. This is all history stuff, and like I said, we used something called sled-based injection to do this. And the proof of concept was, again, that we just, by sitting there and grabbing something... when I talk about a sled, I'm talking about: we took a packet that was really close to what we wanted to insert on the wire, took something that looked like maybe it's a select query. It's like, ah, I see a select query. I want to make my

own select query. Well, let's use this as a template and then just change a couple of things here and there and insert it on the wire. That's what a sled is. We'll talk about that a little bit more. But the room for improvement thing, right? I heard some boos and hisses about Perl earlier. That thing was procedural, it's mostly procedural Perl, so it was kind of hairy. It would jump around a lot. Oracle was pretty ingrained in thicknet at the time. It was difficult to add modules. It was Oracle only, and "framework" was always in quotation marks, right? So it's not really that easy to add to. Now I've got a surprise

for everybody. I have a new protocol. This one's pretty cool, I think. I'm pretty excited about it. And so, drumroll please, we're going to do Microsoft SQL today. Microsoft SQL, everybody. So now thicknet can do Microsoft SQL in addition to Oracle, and that's a pretty exciting thing. And actually, in the process of doing this, I found Microsoft SQL is a heck of a lot easier to do than Oracle Net8. I actually started with absolutely the wrong thing. By the way, I have a giveaway, just to keep things lively. I'm going to be putting the new code out on GitHub in a couple of days, when I can, you know, get home and whatever, and get it up on

the site and organize the code a little better. But I do have... I didn't have any USB keys, so it's really old-fashioned: I've got a CD. Okay, remember these? Remember these? So I've got it, and I signed it, in case some day, you know, something weird happens to me and this is, like, worth something. So, yeah, I figure this way: whoever has the most fun at this presentation gets this. And just in case you don't have a CD-ROM anymore, I've got a DVD/CD writer, external USB thing. So, contributions are welcomed. The making of thicknet MS SQL. So in the

synopsis for this talk I talked about how I'm going to show you how to make your own module. Well, it's going to be some code review. We're going to get into Perl code. You're going to wince and laugh at me, but it's going to be okay. We're going to get through it. And what I'm going to try to do is kind of keep it high level so you get a feel for what goes into it, and then we can, you know, later on, if you want to talk with me offline or whatever about specifics, if you have an idea for a protocol, I would encourage that. The whole idea is to try to get more people working on thicknet,

adding more protocols so we can have more stuff to play with. So, like I said, Microsoft SQL, as opposed to Net8, is implemented using this wonderful thing called Tabular Data Stream protocol, which really is just taking the actual request that you put in on the command line and throwing it into the packet. That's all it is. If you look at the Microsoft SQL packets, it's really anything you type, in the packet. That's all it is. It's just a direct correlation. It's beautiful. It's in UCS-2, that's the only thing that's weird about it, but a lot of Microsoft protocols are like that. It's got, like, the four bytes per character.

Encryption's available, and in Microsoft SQL it's not enforced by default. If you walk away from this talk and you don't care about thicknet and you don't want to play around with this stuff, and you want to get something productive out of this hour, then go back and say, you know, if we have Microsoft SQL, if we have any database protocols, if we have any encrypted protocols, we really need to turn on encryption, because encryption is going to screw this all up for us. Okay? Encryption is there. It's just very rarely do we ever see it implemented in the field. Obviously, it's... oh, go ahead, yes, question. Great question. The question is:

does the encryption available in Microsoft SQL authenticate the host and the client, or is it just one way? I believe you can do it with certificates. I believe, I'm not... you should check me on that. I believe it is, and you can use IPsec as another... is another good example. That absolutely, IPsec would do it, absolutely. So, the spec's publicly available. That's the greatest thing about this. You can go to Microsoft's site, you don't even have to register, you know, put your email in or anything. You just grab the spec. It's there. It tells you how all this stuff works. It's really wonderful. It's also a great starting point if you want to make thicknet

modules. Ninety percent of the work that I did for this talk, and getting all this stuff ready, was actually in the new framework. You notice the word "framework" is not in quotes anymore. I think it's actually a real framework now. It's a little bit better, okay? I can say that with certainty, but you do have to be prepared to do some copy and paste. What I'm saying there is it's not where I want it to be. It's a work in progress, but I'll tell you, it's a lot easier, and we'll look at that a little bit. So, the architecture. I've broken it up. I actually have something that looks like some sort of

computer science thing in here. So look, I've got three different layers. Pcap: there's a pcap module, or there's a pcap object, I should say, an object-oriented pcap object. So you create one of those, you set your pcap filter, that's the thing that grabs all the packets off the wire. It in turn creates new packet objects. Then you have the packet layer. So now, when we're watching the stuff, we're pulling all this stuff that's coming off the wire, we have packet objects, and we parse each of those packets and do something with it, okay? And in this case it could respond. It could respond to a

packet, or it might actually increment a value, or whatever, and so on, on the packet level. And then the highest level that thicknet knows is a session level. A session is an established session. It's a communication stream, okay, two machines actually talking together. Injection, downgrade, whatever other actions you want to do in a session, gathering sleds, it'll do. It'll handle sequence and acknowledgement tracking, because, as you'll see, we actually have to sort of be like a stack to pull this off. So let's just kind of go through the code review here real quick and then we can get into the demo, which is a lot of fun. So, some basic concepts, okay. This is all,

you can say, just to get a feel for the flow. Please do feel free to email me, get in touch, Twitter, whatever, if you need more help with any of this. I'm glad to help you out. Here's a pcap object, okay. Now we're getting into it. So if you look... try not to get too overwhelmed by half the stuff. Don't worry, I don't understand most of it either, but I wrote it, right? So, but the MS SQL pcap filter part, the part that's in bold there, the "tcp and port 1433", that line is very, very important. If you look at that, what is it

saying? It's saying, well, I want stuff that's TCP, I want stuff that's going to port 1433, because this is the Microsoft one, and then it says ether dst is my MAC and ip dst is not my IP. What does that tell you? What packets would meet that criteria? The stuff that is coming to our MAC but is not going to our IP. That's the stuff that we're man-in-the-middling, right? That stuff that's not actually intended for us, but we've told the world that it should come to us because we're screwing around, right? So that line there is basically looking for the packets we need. Now there's some other

stuff about the pcap handler down here. I put in bold there's a callback, beautiful Perl construct there. It's a, what's that, a reference, you're dereferencing a... this is a subroutine, you're sending it to a subroutine. So what's happening is, every time... it uses something called AnyEvent to do the... because there's a lot of different stuff going on at once. AnyEvent's really cool. What's happening is pcap_dispatch is running on a timer, every 0.01 seconds basically, and then it's saying throw the packet you get over to ms_sql_packet, okay. And let's take a look at that thing. So here's our subroutine, here's our pcap object, so here's

what's going to take that packet. Now we've pulled it off the wire, it's getting sent to this guy, it says thicknet packet MS SQL new packet. So it's just going to take the packet, it's going to create a new packet object, and then down here the other important thing to look at is there's three phases, three general phases here: preprocess, process and postprocess. The only thing you really have to do is process, the middle one. The middle one is you, when you make a module. The other two are there, you can augment them if you want, you can extend them, whatever you want to do, but the main thing is the one in the

middle. Now we've got the packet object, okay. This is where we're going to grab a sled. This is where we're looking for candidates, right? We're looking for candidates for a sled. And, you know, I'm going to try to switch over, because the code here, it is helpful, but I'm going to see if I can... yeah, okay, it smeared, it smeared, that's good. Okay, let me pull up the actual code. I think this is going to work better. I also want to show you something about the length, how much code we're actually talking about. Let me... I'm, like, 640 by 480 here or something, so bear with me. Let's see here. I think this is going to be more helpful.

So here, let me just show you this real quick. When you're talking about making a thicknet module, this is it, here. You're talking about about this much code, which is... let me look at the little slider bar to give you an idea how much that is. So that's about how much that is. It's, you know, a decent bit of work, but it's not outside of the expectation of making, let's say, something for Metasploit or something like that. There's not a lot there. And then the same with the session. So there's two separate files I had to create to make MS SQL work. Here's the

other one, here's the session object, okay. So let me show you, on the packet, let's go back to the packet object, let me show you what I'm talking about when I'm talking about the sled. What I'm doing is I'm looking... this guy is talking through me. You're basically doing a man-in-the-middle attack, people are talking through you, and you're waiting to see, right here, this is the good part, you're waiting to see... you're actually looking for a packet that is a good candidate to use as a template. Think of the sled as a template. So I'm saying, if the sled... and you'll notice there's a lot of comments. I

put a lot of comments in here. "Test packets until you find one. If the sled isn't set, only perform this check for client-to-server direction (equals one)." So if I see something going from the client to the server, I'm going to look at it. I'm going to scrutinize it until I set the sled, and then I'm not going to do this anymore. So what I'm doing is, I'm saying, in this case I'm going to wait for a packet with a 1 at the front, to denote TDS. I know it's a very generic, basic check, but on port 1433 that's probably good enough. Actually, in this case you could probably use any data packet, but I'm scrutinizing a little bit for an actual

TDS query. So this is the statement here. This is basically Perl-speak for grab the first... grab the substring, so grab the first byte out of data. If it's equal to this value, then go ahead and use it. And in that case, what I'm doing, you notice some very Perl object-oriented things going on: self, session, sled packet equals that, right? This is kind of the detriment of Perl OO, it gets pretty verbose in how you call these different objects. But this actually sets it up. We're actually creating the sled at that point. Then from there we're going to go look at the session object real quick. Actually, I'm just going to stay here. And

I don't want to mess around with that right now. Let's go over to the session object. So this is the Microsoft SQL session object, I believe. Yeah, so now this is where we have to implement sort of the actual interesting things about the Microsoft SQL implementation. So we've got something here for injection. Injection, what's it going to do? Well, all it's doing is, do this comment here, again, follow the comments: it gets a copy of the sled, and then it says I'm going to create some things, an IP object and a TCP object. It's doing a decode on it. Again, you know, copy and paste, you're good here. And then this is me creating a

packet that looks like TDS. All this is... this looks really like, how did you come up with this? This is just me being a copycat. That's all this is. This isn't that fancy. You can look at the spec. I mean, it looks really awesome because I have all this hex written in my code, but it's not awesome. It's just me being, like... I'm just copying what they did. That's all that is. I just looked at a packet that was a query packet and I said, I'm just going to make one of those and inject it into the stream. So notice what it's doing. All this stuff is basically a TDS... this is actually a TDS

packet, and then this is the length. The length is going to be figured out from the string. And this is the other part I was talking about: in the case of Microsoft SQL we have to encode it using something called UCS-2. That's little-endian. That's just an implementation detail for this protocol. Then at the end it's encoding it and sending it on its way, okay. So try not to freak out. Take a look at it, sit down, it's not as bad as it seems. It just takes some time to actually get your head around it, but there's a lot of this you can reuse. There's a lot of it you can copy and

paste. And keep in mind the only things you really have to do are the session object and the packet object. So let's see if this works here. There we go. But we had another boo-boo here. Let me see if I can... oh, I see. No, no, it's still messed up. Okay, so anyway, we talked about this. Session object: the base session class handles ACKs. So that's the other thing to keep in mind, is that once we take over, once we start injecting, and we can do asynchronous, that's what's beautiful, we'll see this in a minute, we start doing an asynchronous injection, we can take over the session. We don't have to wait for the victim to start

typing things. We can actually just start injecting stuff and take over as if we're sitting in front of the computer. But at that point we need to be smart enough to manage our own sequence and acknowledgement numbers, which it pretty much takes care of for you. So, the demo. Now, what I did was I brought... I'd like to show you this without knocking over my drink. Let me see here. So what's... that dude, now he's just on barbiturates. So here's... these two here, these two, check this out, this is awesome, this is awesome. If you've ever heard of the VIA ARTiGO... the VIA ARTiGOs are these cool little boxes. These

actually have 64-bit processors in them. They run about three to four hundred, depending on what you get specced out. They have little wireless modules and stuff. Somebody the other day showed me the plug computers, so I'm kind of a little bit crestfallen about that, but still, this is pretty neat, because it's a 64-bit proc, it's Intel compatible, and it's running... both of these are running Win7 Pro. So for a form factor that size, micro ATX... it's called... some people are writing it down, it's called the VIA ARTiGO A1100, is this model. They're very cool little boxes. Why do I need these? Well, I can't show you a demo of man-in-the-middle

without real boxes. I can't. I don't have the luxury of pulling up VMs, because it's not going to work the same inside of, like, the little virtual router or whatever they give you, at least not that I've found. So I actually brought three machines with me. One is my laptop, the other two are these. They're both running Win7 Pro. One has SQL Server Management Studio on it, the other one has SQL Server on it. So here in a second I'm going to connect to that and we'll give this whole thing a shot and see if I can do it without screwing it up. So, any questions so far while I'm

firing that up? It got really, really quiet in here. Let's see. Oh, you know, I'm not typing in the IP.

Yes, please, if somebody could do that, that would be awesome. Haha, there we go, that did it right there. Oh, some certificates, okay, cool. Yeah, so let's do... see, a full screen, looks like... there we are. It looks good, okay, cool. So let's give this a shot. I've got that set up, and they all... bear with me here.

Okay, okay, this is our Linux box here. It's a VM running on my Mac. And then there's a better way to do this than having... I also need, like, an assistant or something. Hang on. Yeah, yeah, that kind of makes sense. Hang on, let me switch over here. That's right. Can you hear me okay? Yeah, yeah, that's good, that's good, much better. Technology. So, yeah, let's do that, and let's do this. Okay, here we are. Now we're going to poison these guys. vamp.pl, that's the thicknet program that's included as part of the package. It's going to jump in the middle. It's kind of like your own little

ARP poisoner thing. What I like about vamp, that makes it a little better than, like, arpspoof and Ettercap, great as those things are, is that it's stateful. So what's really fun about it is, if you poison a whole subnet and not everybody's come into work yet, as they come into work they'll get poisoned too, and they can join the fun. So it actually will keep track of everybody on there, and as new things show up, it's stateful enough to jump in there. But okay, so now we're going to start this off. Okay, good, that's working. It's saying request, request. It's telling

y'all the values it's using, and now it's doing the poison thing, and you'll see this, it just gives you some debug saying it's poisoning the connection. So at this point in time, .30, which is the client, and .40, which is the server, all that stuff's going through us. Now we're going to run thicknet. All we have to do is give it an interface and it'll put us into a little interactive mode here. Interfaces, okay. It needs some work, but you can do the ? and get a list of what you can do there, and ls is going to show us all the sessions. So where did... yeah, this guy, okay,

cool. Let's fire this up. Actually, I don't want it to spam us. Let's just rip that off until I do this. There we are. Okay, so let's get everything set up. First, SQL Server Management Studio, .40, I'm going to connect as the super secure sa user, maybe, hopefully.

Seems to be taking a long time. .40. Oh, I know why. Why did this... I know how I screwed this up. What did I do? I screwed it all up. How did I do it? I know what I did. I messed it all up. Here's what I did. Here's what I did. Actually, this proves that we're poisoning. This proves we're doing a man-in-the-middle. Why can't .30 talk to .40? I killed thicknet. I killed thicknet. Thicknet's the thing that passes the traffic through. If you do man-in-the-middle attacks, somebody, you'd better be ready to pass the traffic through, because otherwise it's coming to

this machine, and the machine just drops it on the floor. See, what I did is I killed thicknet and then I didn't kill vamp. If you use vamp, you've sent a bunch of packets to your machine, and you don't pass them along. Thicknet's the thing that actually passes them along, so you've got to have that running. So that's what I did to screw that up. So let's see if I can fix that. So now that I'm not doing any of that baloney, it should work. Connect, connect, Object Explorer, I guess. That sounds... yeah, that's the one. Now it can fail. That's better, that's a better thing. So let's try this. That's good, okay.

All right, cool. So we're connected. Let's go to one of our databases, employee. I'm going to do, like, a new query in the employee database. Get all set up to do that. Let's make sure it's working. select * from dbo.list, I think I called it. Yeah, so execute that, make sure it's working. There I am, there's "no Steve", janitor. That works. So try again. Let's start doing our man-in-the-middle, and remember, this is all well and good, but we have to run thicknet, or otherwise it's not going to work. So thicknet's now running. Let's see if our connection's still up. Okay, now that thicknet's running, this should work.

Yes, it did. So the check mark down at the bottom. Let's do this a few times, because sometimes it uses caches. Also fun. You know, let's just say the scenario is: we're in a pen test, somebody's playing around with the database server, we're in the middle, we're watching them, they execute select queries, whatever kind of queries. We want to take over that session. We don't care about their credentials. We don't know them, we don't care. We just want their connection. Here are the connections. I did ls, and thicknet's showing me the connections. I'm going to use magic copy and paste to put this in here. Yes, I know the interface needs to be much easier, but there you go. So

examine, x is for examine, and examine the session. Okay, we're in examine mode. Let's give this a try. I'm going to go into inject. Inject is going to say, I'm blocking now, I'm taking over. I basically say, this other guy, forget them, it's me now, talk to me. So without knowing credentials, without doing any of that stuff, I'm going to do select *... where'd my cursor go... from... there it is, dbo.list. Hey, check it out, I got a response to that. Awesome. Now, the response doesn't look so great. Hang on, I'm going to make this look a lot better, because we're at some kind of primordial resolution here. Let's try that again. Can you guys... yeah,

yeah that's readable right looks ok select star from dbo list cool check it out we actually get a packet back that means that the server buys it the server says yes indeed we think that you are si we think you're the same guy it doesn't know that we just injected in the session it doesn't know we've taken it over so now let's do something a little bit more fun ok since I know that I'm logged in as si just because i know it i mean you can always try this I you don't know maybe you can do some queries to find out who you're logged in as but in this case we know that we're logged in

as sa, or as this admin. So let's create something here: create login bsides with password equal to, let's put CLErocks, how about that, put that in there. Cool, that looks promising. Is it number five? No fives? Good. Now we put create user, I have to use my cheat sheet, bsides for login bsides, and we create a user for the login. That's the way crazy Microsoft SQL works. So now we go over here and say, okay, did it actually work? Let's find out. This would be really nice if it did; if not, there's a door right there, I've marked that out ahead of time. So let's see. Haha. Avast, man. Oh, where's the stupid thing... as

Security, of course, Users. Look at that, we got a bsides user. Alright, alright. Now here's the thing, right, we want to be able to do more stuff than just be a regular user, and actually, strangely enough, I'm not seeing the usual thing that pops up and shows me the server roles, and I think I'm in the wrong place. I'm under Users; I need to be under Logins. Hang on a second, guys, feel free to jump in anytime. There we are, I was looking at the wrong object. This is where server roles are; they're attached to logins. And what do we see? We got public

access. Well, that's no good. No, we want to have sysadmin, I think, so let's go fix that. So exec... isn't that exciting? It's almost like sitting down at this computer and just typing in stuff as if we are the right person, as if we are actually the administrator. It's almost like I could show you the same demo using like sqlcmd or something, but the exciting thing is that we're doing all of this without any credentials.

I think that worked. Okay, let's take a look just to make sure we're seeing the right thing here. Hey, I think that's pretty cool. So, any questions about English, about the demo? Oh hey, something else kind of neat, watch this, this is really neat. So let's say you don't know how to do this, right? Let's say you do like create user for... let's see, you create... let's just, you create user stuff, and let's leave the tick off the side there, or yeah, for login, I'm just butchering this thing, you know, something that doesn't make any sense. I love this, they're so wonderful in that they tell you how to fix the command you just

injected. So it says "unclosed quotation mark after the character string 'stuff for login stuff'", so they're really there to help you. Okay, if you don't know, you can kind of play around and figure it out, you know, you can just put in pretty much anything, it'll treat you nice. The other thing that I like about this, the way that it's actually much better with Microsoft SQL, at least in the case of Server Management Studio, is that Server Management Studio is all about keeping the connection up. So when we blocked it, we actually screwed that connection up for Server Management Studio; that connection's blocked and dead

and doesn't work anymore because we started blocking it. But check this out: I can do execute, it still works. You have no idea why? It's because Server Management Studio is built to be transparent; it just opened up another connection. It'll do this all day, so it does. So if I go back here and I say, I think it's, mmm, yes, double ! to get out of inject mode, and I say back, yes, you have to type the word "back", I know, and then you say list sessions again, whoa, I got lots more sessions to play with all of a sudden. It's kind of cool. So there's a lot of fun stuff you can do with this. Um, okay,

back to the demo. It worked, that was a big deal. Let's go back to this. Oh

no, another one. Okay, well, what the... I think the first slide after I go into this mode seems to get corrupted, so I'll tell you, I remember those bullets. So the bullet says that encryption's a good thing. Okay, the top one says encryption is a good thing, and it's encrypted, you can't read it. And then the second one says that you should keep, actually I thought that was "segment", but keep the traffic in site-protected networks. So I don't remember what the other one said, I think it said something about, yeah, I think actually those two bullets at the bottom, I like cheating bullets, yeah, that's it. So, to keep this type of traffic

in site-protected networks: in some pen tests we were able to get into the dev environment and then start man-in-the-middling the dev environment stuff, and people playing with Management Studio and whatnot, we could actually, you know, take over those sessions and things like that. So something to be aware of is these unencrypted sessions; if for whatever reason you have to keep this stuff unencrypted, please try to limit the exposure of those. That you can see from this presentation; take nothing else away from this, remember that this is dangerous stuff if it's unencrypted. And network access control, address resolution protocol, in management there's switches that actually allow you to sort of fight ARP poisoning;

also network access control can help with that. So next steps, and this is important stuff: more refinement, easier to use object model. I think this is a huge step, I think you'll agree if you looked at the code before and after BSides, which, you know, it really forced me to take a good look at this and make it better, so appreciate that. I think you'll agree it's much better than it was; it's actually pretty usable now, but there's always more room for better stuff. We could make it a lot easier to use. We might even think about doing a description language, you know how Snort and... we have stuff like, well, stored in

like ModSecurity, that's one of our projects at SpiderLabs, they have like description languages, like a declarative language, and how you specify what you want to do with that tool. Maybe there's a man-in-the-middle description language, maybe we should create something like that to make it easier so you don't have to open up Perl or your editor, you just make something like that, plug it into thicknet and it just does it. More protocols, right, that's what I'm looking at everybody here for. If you're interested, email me, I promise I'll make a big deal on the blog and Twitter and everything if you make one. It's

going to be a really cool thing. More cool tricks, I have some more ideas, hoping to flesh those out before Black Hat, DEF CON, some stuff that'd be really neat. And so a little vote, right, the BSides Cleveland thicknet design committee. Okay, we have to decide, this is important. Perl. The thing about Perl, object-oriented Perl, is it hurts me because you have to do a lot of this kind of baloney, and I actually got, for the first time, I got language envy. The Ruby guys, there's some other stuff like when you clone a very complex object you have to do stuff like, very unnatural, I'd even mess with it. You'll see in the

code if you look at it, I kind of worked around that, and I asked a buddy of mine at work, I said what would you do in Ruby, and he says you just put the name of the object, .dup, or something like that. It was something very simple, and like, man, that kills me. So I'm thinking about switching languages; it's either Ruby or Forth, maybe, you know, embedded Forth or something like that, I was thinking. So what? No, no, no. Alright, alright, Rex, Rex is the one, yeah, that's the one, sure. The Python... Python. How many people in here like the... Perl is Perl, like hey, we... okay, I got at least one.

Who else, who else likes Perl, says Perl's just great the way it is, I know how to use it, I like the Larry Wall book? Okay, I think I saw like two hands and then they looked around and they're like, oh. Um, how about Ruby? Like Ruby more? There's a couple, not that many, I guess. Now, you know, any other ideas, any other... Python, how many Python? Really? Really? Wow, wow, well, you're really selling me on it, man. So Python, no kidding. Why? Anybody? Just 'cause it's cool, because you know it, 'cause you like whitespace to have meaning, are you kidding me? Yeah, tab, and it's like the

end of the world. Alright, alright, man, alright, alright, well the crowd has spoken, the crowd has spoken, that's cool. Alright, well I'll take that back to the overlords for sure. But these are your links. It's going up on GitHub; until then the only person who will have it is the person that's been the most interactive so far, and you can go to them and they can hopefully share it with you, but it's going to be up there very soon. Others: SpiderLabs tools, trustwave.com, SpiderLabs, tools.php, it's a site that has kind of an introduction for all this stuff; a lot of this

is on GitHub now as well. There's also the blog, check out the blog, we'll be putting a blog about this, about the, you know, basically the new thicknet version up there very soon. On Twitter, follow me if you can, I don't have a lot, I just kind of started on Twitter a few months ago, I'm like a total newbie, so I'm trying to get more followers, and then I put messages in all caps about things that my kids did to my computers, so it's really high quality content. And of course follow SpiderLabs. Thanks. Thank you, Wendel, and rig a Tim malla tech, actually another guy at SpiderLabs who I want to thank; he was kind of the first

guy to come to me and say hey, I think I want Microsoft SQL to be the next thicknet thing. He gave me some pcaps that helped me out. Logic Supply, they're the ones that made this whole live, actual real demo. I had a video in case it blew up, but I actually had an RMA on one of these, but they comped the shipping and they were very easy to work with, they got it here in time. I told them I was going to Cleveland, speaking to a lot of dignitaries about things, and so they stepped up. CJ really hooked me up at Logic Supply, and I recommend, if you want to look at the little

computers. BSides Cleveland, man, I'll tell you what, this is a cool conference, I'll tell you. Hey, you know what, I got in my car and I drove here; there's a security conference in Cleveland, I didn't have to get on a plane, got to bum a ride, I had to hitchhike, actually. Just come on up to Cleveland, that's awesome, so nice, nice work. And of course the Microsoft clip art models, I want you to know that that is not violent, they're dancing, they're dancing, they're okay. So any questions about any of this? How am I on time, by the way? Okay. A real easy

one: somebody on Twitter was asking, with this stuff from Logic Supply, is there a particular model number, anything like that, because a lot of people seem to want to go out and get those. Oh, those little things, the little guys. Okay, the little thing shows the Artigo. Uh, what was the question? It's a weird way to get them. What do you get them... yeah, this guy in this slide, Logic Supply, model number, anything like that? What's it? A model number, Artigo A1100 is the one I have, A1100. There's also an A2000, it's kind of cool. I think it's better than the A1100, I would guess. A1100 are my

guesses for the number. Any other questions? Yeah, I got a question. "I don't know" is a perfectly acceptable answer. Does Oracle have an analog to Microsoft SQL's xp_cmdshell? Does Oracle have an analog to Microsoft SQL's xp_cmdshell? Or you mean like the SQL command, sqlcmd? Okay, okay. Yeah, yeah, we use that actually in thicknet. Um, yes, they do, I'm trying to remember the name of the thing, I'll give it to you after, it's escaping me right now. It's like, no, it's sqlplus. sqlplus, yeah. OS interaction, oh, can you execute... oh, stored procedures, xp_cmdshell, xp_cmdshell is the stored procedure one. Okay, not that I'm aware of.

Yeah, not that I'm aware of, but there is a lot of research in that area that works around that, and there are things you can do to talk to the base OS. Yes, there are some things you can do, and I shouldn't even say that, on that there is, and I think there probably is something like that. If Wendel was here, Wendel would take that question and make me look smart, but I know there have been a lot of talks about that, about actually breaking in and doing things to the base OS from Oracle, but I think you have to do sort of more of a

roundabout thing, like writing out to a file and then getting that file into somewhere and executing code that way, so it's not as straightforward. I can tell you that it's not as straightforward. Any other questions? Okay, guys, thank you. I'll be available.
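As an added defender's example (not part of the talk and not thicknet's code): the session takeover demoed above only works against an unencrypted SQL Server connection, and once inside it left a trail of a new login, a new user and a sysadmin role change. The T-SQL below lists connections that were not negotiated with encryption and sets up a SQL Server audit that records exactly those principal and role changes; the audit name and the file path are assumptions, and the path is a placeholder.

```sql
-- Added example, not from the talk: which current sessions are exposed the way
-- the demo's Management Studio session was? sys.dm_exec_connections reports
-- whether each connection negotiated TLS during the TDS pre-login exchange.
SELECT c.session_id,
       c.client_net_address,
       c.encrypt_option,   -- 'FALSE': readable and injectable on the wire
       s.login_name,
       s.program_name      -- e.g. Management Studio sessions seen in the demo
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE c.encrypt_option = 'FALSE';

-- Record the actions the demo performed once it owned the session:
-- CREATE LOGIN, CREATE USER ... FOR LOGIN, and adding a login to sysadmin.
-- Audit name and FILEPATH are assumptions; point FILEPATH at a location the
-- database service account can write but not alter or delete (placeholder).
USE master;
CREATE SERVER AUDIT MitmActivityAudit
    TO FILE (FILEPATH = 'D:\audit\')        -- placeholder path
    WITH (ON_FAILURE = CONTINUE);

CREATE SERVER AUDIT SPECIFICATION MitmActivitySpec
    FOR SERVER AUDIT MitmActivityAudit
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),    -- CREATE / ALTER / DROP LOGIN
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),  -- sysadmin membership changes
    ADD (DATABASE_PRINCIPAL_CHANGE_GROUP),  -- CREATE USER ... FOR LOGIN
    ADD (FAILED_LOGIN_GROUP)
    WITH (STATE = ON);

ALTER SERVER AUDIT MitmActivityAudit WITH (STATE = ON);

-- Review: a new login or role change issued from a session whose
-- encrypt_option was FALSE is the pattern to investigate first.
SELECT event_time, action_id, session_id, server_principal_name,
       object_name, statement
FROM sys.fn_get_audit_file('D:\audit\MitmActivityAudit*', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
```

Forcing encryption on the instance (the "encryption is a good thing" bullet) removes the exposure the first query reports; the audit remains useful for the sessions that cannot be encrypted and must be network-isolated instead.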