Practical Exploitation Timey Wimey WebAppy Style by Mubix


Given at OWASP NoVA - March 2013


Page 1: Practical Exploitation - Webappy Style

Practical Exploitation

Timey Wimey WebAppy Style by Mubix

Page 2

Are we (the business) in the Wall Street Journal?

No? Then we aren't under attack.

Page 3

Agenda

● What you do
● What I do
● What is "practical" exploitation?
● Demos

Page 4

We aren't going to talk about

● Stuff I assume you know
  ○ SQLi
  ○ Running your database as root
  ○ RFI/LFI
  ○ etc
  ○ etc
  ○ OWASP Top 10

● Stuff you should know
  ○ Your {SECURITY BLINKY LIGHTS} won't save you....

Page 5

What you do?

● This is where I ask you awkward questions about what you do for a living

Page 6

What I do?

● Senior Red Teamer
● Big Co
● Break into mainframes, bank accounts, SCADA systems, Windows, Linux, wireless, physical, web apps, UPSs, etc..
● Part of a team of highly skilled peeps

Primarily I'm a sorter of useful info

Page 7

What is practical exploitation?

● The application of techniques, tactics, and procedures to accomplish objectives and sub-objectives within a targeted engagement

Also known as: "if it doesn't get me more, it's stupid"

Page 8

What falls in the "Stupid" category

● SSLv2 enabled
● Traceroute enabled
● DNS cache poisoning
● MD5 "collisions"

Oh yeah, and every single public IE, Firefox, Chrome or Windows exploit. Why? Because their patch cycles are too fast for attackers: by the time the exploit is public and weaponized, the target has usually already taken the fix.

Page 10

Demo 1 - Linux Pivot to Windows

Tomcat -> MS08_067

Wellllllll..... I was going to patch those DMZ hosts, then........

Page 11

How do I fix that!?

● Patch yo %#@$%@ $#%

Page 12

Demo 2 - Windows

Rails vulnerability -> Cred Steal - Mimikatz

You use a web framework that protects you and you have really long passwords?

Page 13

How do I fix that?

● Monitor security community events (framework advisories, mailing lists) so you hear about a framework bug before the attacker uses it on you, and disable YAML or XML parsing of request parameters if your app doesn't need it.

● Microsoft has left you out to dry on Mimikatz. Their position is that once you have Administrator access it's game over, so there is no patch for it; you have to keep attackers from getting there.

● Don't run your web server as SYSTEM or Administrator, and keep UAC enabled on your DMZ hosts.
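The slide doesn't name the Rails bug being demoed, and the snippet below is an added illustration, not code from the deck or from the Rails project. It assumes the bug is the early-2013 class of Rails parameter-parsing issue where request data (XML with `type="yaml"`, or YAML directly) was handed to a full `YAML.load`, which honours `!ruby/object:` tags and instantiates whatever class the attacker names. `Gadget`, `PAYLOAD`, `unsafe_parse` and `safe_parse` are all hypothetical names chosen for this example; the payload is constructed, and the harmless `Gadget` class stands in for the framework classes a real payload would target.

```ruby
require 'yaml'

# Stand-in for any class on the app's load path. A real payload picks a
# framework class whose instantiation or accessors do something useful
# to the attacker; this one just records what it was handed so the
# effect of the tag is visible.
class Gadget
  attr_accessor :cmd
end

# Constructed payload: a YAML document that names a Ruby class with a
# local tag, the shape of input the vulnerable parameter parsers passed
# straight from the request body into YAML.load.
PAYLOAD = "--- !ruby/object:Gadget\ncmd: id\n"

# The vulnerable pattern: a full YAML load that resolves !ruby/object
# tags and builds an instance of the named class, attacker-controlled
# instance variables included.
def unsafe_parse(doc)
  if YAML.respond_to?(:unsafe_load)
    YAML.unsafe_load(doc)   # Psych >= 3.3.2 spells the old behaviour out
  else
    YAML.load(doc)          # older Psych: load IS the unsafe loader
  end
end

# The hardened pattern: safe_load only builds core scalars, arrays and
# hashes, and raises on any tag that would instantiate an arbitrary
# class. The caller should turn that into a rejected request (HTTP 400)
# rather than letting the parser build objects for the attacker.
def safe_parse(doc)
  YAML.safe_load(doc)
rescue Psych::DisallowedClass, Psych::Exception => e
  { error: e.class.name }
end

if __FILE__ == $0
  obj = unsafe_parse(PAYLOAD)
  puts "unsafe: built a #{obj.class} with cmd=#{obj.cmd.inspect}"
  puts "safe:   #{safe_parse(PAYLOAD).inspect}"
end
```

Run it with plain `ruby` (no Rails needed): the unsafe path returns a live `Gadget` with `cmd` set from the request, the safe path returns an error instead of an object. For a Rails app of that era the published workaround was the same idea one layer up: in an initializer, delete `"yaml"` and `"symbol"` from `ActiveSupport::XmlMini::PARSING` so the XML parameter parser can no longer reach YAML at all, or drop XML from the parameter parsers entirely if the app never accepts XML bodies.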

Page 14

Demo 3 - Windows Pivot to Linux

WinRM on IIS -> DistCC

What the..........

Page 15

How do I fix that?

● Don't enable WinRM on DMZ hosts! Stupid. Remote management listening on a host the internet can reach is a pivot waiting for a credential.

● Firewall DistCC off so only the build hosts that actually need it can reach the distccd port; an unauthenticated compile service reachable from the DMZ is a shell for anyone who gets that far.

Page 16

EOM

Questions?

Mubix "Rob" Fuller
http://www.room362.com