Custom Penetration Testing

Size: px
Start display at page:

Download "Custom Penetration Testing"

Transcription

1 Custom Penetration Testing Compromising a Vulnerability through Discovery and Custom Exploitation Stephen Sims Advanced Penetration Testing SANS 1

2 Objectives Penetration Testing Precompiled Tools Targeting TFTP Testing a TFTP Server for Bugs Discovering the Bug Exploiting the TFTP Server Advanced Concepts Advanced Penetration Testing SANS 2

3 What is Penetration Testing? Process of testing a target environment for weaknesses More thorough than vulnerability scanning alone Validates findings by exploiting flaws Allows you to think like an attacker Various levels of interaction/depth Advanced Penetration Testing SANS 3

4 Types of Penetration Testing Black-Box Penetration Testing No access to source code No access provided to OS, architecture, etc More like an outsider attack scenario More time consuming Crystal-Box Penetration Testing Tester given source code, system & network architecture and/or privileged system access More thorough than black-box testing Cost effective Advanced Penetration Testing SANS 4

5 Precompiled Tools Pros Can quickly be used Customer support Broad user community Often allow custom scripts or modules Cons Limited in scope Only discover and test known vulnerabilities Skilled attackers are not relying solely on them Precompiled tools offer a sense of complacency Do not perform code coverage or do deep fuzzing Advanced Penetration Testing SANS 5

6 Targeting General Steps 1. Determine Target Application and Operating System 2. Obtain a Copy of the Application 3. Analyze RFC and Communications Protocols 4. Discover and Record a Crash Condition 5. Analyze Crash Condition for Exploitation Opportunities Advanced Penetration Testing SANS 6

7 1) Determine Target Application and Operating System What application/service are you analyzing? What OS is it available for? Which one(s) are you interested in? What services does the application start up? There may be several Scanning may help Analyze documentation and code if possible Are the services proprietary or standards-based? Proprietary often offer a lot of new opportunities Advanced Penetration Testing SANS 7

8 2) Obtain a Copy of the Application Create a lab environment and install the application Use the OS you are targeting Utilize Virtual Machines Create snapshots prior to installation Install monitoring tools Attempt to obtain the source code Code analysis is often more complex than behavioral analysis, but valuable Advanced Penetration Testing SANS 8

9 3) Analyze RFC and Communications Protocols Is documentation available? Programmers should follow RFC s Search RFC for potential options and fields that may contain opportunities to cause a fault Understand each aspect of the protocols used by the application and relative behavior Is architectural documentation available? Advanced Penetration Testing SANS 9

10 4) Discover and Record a Crash Condition Are you properly monitoring? Sniffers to record packets sent to the application Wireshark/Tshark, tcpdump, etc Packets can be recorded and replayed Debuggers to record application behavior while receiving/handling data OllyDbg, Immunity Debugger, WinDbg OS monitoring tools to monitor health ProcMon, RegMon, FileMon, RegShot, etc The condition must be repeatable Advanced Penetration Testing SANS 10

11 5) Analyze Crash Condition for Exploitation Opportunities What is happening during the crash? Analyze the status of each register Are registers holding or pointing to strange values? e.g. 0x if inputting A s Is the Return Pointer or SEH chain being overwritten? Analyze the stack segment and monitor ESP/EBP Are heap pointers being overwritten? Analyze dynamic memory allocations and behavior There s way more to analyze, but this is a start! Advanced Penetration Testing SANS 11

12 Targeting (2) Our goal is to discover and exploit a Windows Program vulnerability! The techniques we ll cover is applicable with any target or service We re targeting a TFTP service Must understand how the protocol works Developers should follow RFC s We can leverage the RFC as well Could use fuzzing to automate bug discovery Advanced Penetration Testing SANS 12

13 Our TFTP Target Quick TFTP Server Pro Version 2.1 Vulnerable to a stack-based buffer overflow Can exploit by overwriting the Structured Exception Handling (SEH) chain Allows for DoS or code execution as System TFTP Server Published by TallSoft Vulnerability discovered in 2008 by Mati Aharoni of Offensive Security Advanced Penetration Testing SANS 13

14 TFTP Trivial File Transfer Protocol (TFTP) Simple protocol for transferring files over a network Clear-text protocol using UDP port 69 Used for transferring files by network devices, VOIP phones and other client-server programs Advanced Penetration Testing SANS 14

15 TFTP Behavior Connection request is combined with either a read or write request Blocks of data are sent in a fixed 512 byte size Each block must be acknowledged for error control A block less than 512 bytes indicates the end of the stream Advanced Penetration Testing SANS 15

16 TFTP Behavior (2) The first two bytes of a TFTP header indicates the request type and format \x00\x01 indicates a read request \x00\x02 indicates a write request \x00\x03 indicates the data block \x00\x04 is an acknowledgement \x00\x05 indicates an error \x00\x06 is an optional acknowledgement Advanced Penetration Testing SANS 16

17 TFTP Behavior (3) Read and Write request format: \x00\x01 for read \x00\x02 for write File Name Null byte - \x00 Mode Binary, ASCII or Mail Null byte - \x00 Example Request Type File Name Null Mode Null Read \x00\x01 file1.txt 0 Octet 0 Advanced Penetration Testing SANS 17

18 Hacking Quick TFTP Server Quick TFTP Server Version 2.1 Install tftpserver_setup.exe onto a Windows XP Virtual Machine Use the TFTP information just covered to help with the investigation Attempt to crash the TFTP server while running in a debugger Create a custom script to start the testing Validate findings Attempt code execution Advanced Penetration Testing SANS 18

19 Tools We Need Programming/Scripting Language Python, Perl, Ruby, C Debugger and Disassembler OllyDbg, Immunity Debugger, IDAPro Shellcode Metasploit, Milw0rm, Custom An open mind! Knowledge of OS controls, Opcodes, Tricks Advanced Penetration Testing SANS 19

20 Python Object-oriented, High-level Programming Language Very Intuitive Very Modular No Manual Compilation Plays well with other languages C, C++, Jython, IronPython (.NET) Good Debugging Advanced Penetration Testing SANS 20

21 Tool: OllyDbg Software Debugger for Windows Author: Oleh Yuschuk Shareware! Binary Code Analysis Register Contents, Procedures, API Calls, Patching, memory searching and more! Advanced Penetration Testing SANS 21

22 Hacking TFTP Hint #1 Consider the format of TFTP requests for your script We covered the order a few slides ago Read & Write requests are often the easiest to attack as they have variable fields They start with \x00\x01 & \x00\x02 The header format must be correct to trigger a valid response Command line scripting not always the best option You may want to write a script Advanced Penetration Testing SANS 22

23 Hacking TFTP Hint #2 Where could a buffer overflow condition exist? Try the request type field, file name and/or the mode Don t forget the nulls to terminate! Make sure you re watching the right thread in OllyDbg Processes have multiple threads on Windows Advanced Penetration Testing SANS 23

24 Hacking TFTP Hint #3 The easiest way is to use Python or Perl to open a socket and send your script import socket import sys target = IP ADDRESS #Enter the right IP here port = 69 #Port for TFTP s = socket.socket(socket.af_inet, socket.sock_dgram) cmd = "A"*10 #Enter the number of A's to send data = "\x00\x01"+ cmd #Modify this line to format your packet s.sendto(data, (target, port)) Advanced Penetration Testing SANS 24

25 Quick TFTP Walk-Through Start Quick TFTP Server with Olly Ignore entry point messages Press F9 once loaded Click OK on the demo pop-up Advanced Penetration Testing SANS 25

26 Quick TFTP Walk-Through (2) This may be possible via command line, but We need a script! Don t forget the formatting of TFTP read and write requests: Request Type File Name Null Mode Null Read \x00\x01 file1.txt 0 Octet 0 The overflow is in the mode section! Advanced Penetration Testing SANS 26

27 Quick TFTP Walk-Through (3) Write a python script that connects to the TFTP server with 1000 A s No Crash in Olly Advanced Penetration Testing SANS 27

28 Quick TFTP Walk-Through (4) 1060 A s EIP is Success! Olly has paused Advanced Penetration Testing SANS 28

29 Quick TFTP Walk-Through (5) What are we overwriting? We overwrote the SEH Chain! Lets do some math to see where the overflow is occurring Advanced Penetration Testing SANS 29

30 Quick TFTP Walk-Through (6) Subtracting 41 A s should take us to the SEH handler Lets give it a try by setting: cmd = "A"*1023+"\xde\xc0\xad\xde" We control EIP at 1023 bytes! Advanced Penetration Testing SANS 30

31 Quick TFTP Walk-Through (7) We now need to find a valid pop/pop/ret instruction Use the findjmp tool and experiment 0x77ec9cac is one I chose from kernel32.dll for XP SP1 Remember that you must compensate for SafeSEH if hacking XP SP2/SP3 Also remember that not every pop/pop/ret address will work. You gotta dig Advanced Penetration Testing SANS 31

32 Quick TFTP Walk-Through (8) Finalizing our script cmd = "A"*1019+"\xeb\x06\x90\x90"+"\xac\x9c\xec\x77"+"\x90"*4+sc data = "\x00\x01" + "blah" + "\x00"+cmd+"\x00 Our jmp and pointer Our NOP s and shellcode Advanced Penetration Testing SANS 32

33 Advanced Concepts Depending on the OS Version, a number of controls have been added SafeSEH Protects SEH pointers against overwrites ASLR Randomizes locations of libraries and memory segments DEP Prevents code execution on the stack and heap Security Cookies Pushes unique values onto the stack and heap during allocations which are checked upon exit or free Every byte in memory is a potential full or partial opcode As long as the segment is executable Advanced Penetration Testing SANS 33

34 More Information Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server by David Litchfield Preventing the Exploitation of SEH Overwrites by Skape Matt Miller SEH Overwrites Simplified v1.01 by Aelphaeis Mangaraehttp://www.milw0rm.com/papers/187 Defeating Microsoft Windows XP SP2 Heap protection and DEP bypass by Alexander Anisimov Reliable Windows Heap Exploits by Matt Conover & Oded Horovitz Third Generation Exploitation by Halvar Flake 02/halvarflake-winsec02.ppt Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server by David Litchfield Heap Feng Shui in JavaScript by Alexander Sotirov sotirov-apr19.pdf Understanding Windows Shellcode by Skape shellcode.pdf Advanced Penetration Testing SANS 34

35 End Questions? SANS SEC709 Developing Exploits for Penetration Testers and Security Researchers Advanced Penetration Testing SANS 35

Bypassing Memory Protections: The Future of Exploitation

Bypassing Memory Protections: The Future of Exploitation Bypassing Memory Protections: The Future of Exploitation Alexander Sotirov alex@sotirov.net About me Exploit development since 1999 Research into reliable exploitation techniques: Heap Feng Shui in JavaScript

More information

ASL IT SECURITY XTREME XPLOIT DEVELOPMENT

ASL IT SECURITY XTREME XPLOIT DEVELOPMENT ASL IT SECURITY XTREME XPLOIT DEVELOPMENT V 2.0 A S L I T S e c u r i t y P v t L t d. Page 1 Overview: The most dangerous threat is the one which do not have a CVE. Until now developing reliable exploits

More information

Format string exploitation on windows Using Immunity Debugger / Python. By Abysssec Inc WwW.Abysssec.Com

Format string exploitation on windows Using Immunity Debugger / Python. By Abysssec Inc WwW.Abysssec.Com Format string exploitation on windows Using Immunity Debugger / Python By Abysssec Inc WwW.Abysssec.Com For real beneficiary this post you should have few assembly knowledge and you should know about classic

More information

Bypassing Browser Memory Protections in Windows Vista

Bypassing Browser Memory Protections in Windows Vista Bypassing Browser Memory Protections in Windows Vista Mark Dowd & Alexander Sotirov markdowd@au1.ibm.com alex@sotirov.net Setting back browser security by 10 years Part I: Introduction Thesis Introduction

More information

風 水. Heap Feng Shui in JavaScript. Alexander Sotirov. asotirov@determina.com

風 水. Heap Feng Shui in JavaScript. Alexander Sotirov. asotirov@determina.com 風 水 Heap Feng Shui in JavaScript Alexander Sotirov asotirov@determina.com Black Hat Europe 2007 Introduction What is Heap Feng Shui? the ancient art of arranging heap blocks in order to redirect the program

More information

Vulnerability Assessment and Penetration Testing

Vulnerability Assessment and Penetration Testing Vulnerability Assessment and Penetration Testing Module 1: Vulnerability Assessment & Penetration Testing: Introduction 1.1 Brief Introduction of Linux 1.2 About Vulnerability Assessment and Penetration

More information

SECURITY B-SIDES: ATLANTA STRATEGIC PENETRATION TESTING. Presented by: Dave Kennedy Eric Smith

SECURITY B-SIDES: ATLANTA STRATEGIC PENETRATION TESTING. Presented by: Dave Kennedy Eric Smith SECURITY B-SIDES: ATLANTA STRATEGIC PENETRATION TESTING Presented by: Dave Kennedy Eric Smith AGENDA Penetration Testing by the masses Review of current state by most service providers Deficiencies in

More information

Hotpatching and the Rise of Third-Party Patches

Hotpatching and the Rise of Third-Party Patches Hotpatching and the Rise of Third-Party Patches Alexander Sotirov asotirov@determina.com BlackHat USA 2006 Overview In the next one hour, we will cover: Third-party security patches _ recent developments

More information

Reverse Engineering and Computer Security

Reverse Engineering and Computer Security Reverse Engineering and Computer Security Alexander Sotirov alex@sotirov.net Introduction Security researcher at Determina, working on our LiveShield product Responsible for vulnerability analysis and

More information

The Advantages of Block-Based Protocol Analysis for Security Testing

The Advantages of Block-Based Protocol Analysis for Security Testing The Advantages of Block-Based Protocol Analysis for Security Testing Dave Aitel Immunity,Inc. 111 E. 7 th St. Suite 64, NY NY 10009, USA dave@immunitysec.com February, 4 2002 Abstract. This paper describes

More information

Learn Ethical Hacking, Become a Pentester

Learn Ethical Hacking, Become a Pentester Learn Ethical Hacking, Become a Pentester Course Syllabus & Certification Program DOCUMENT CLASSIFICATION: PUBLIC Copyrighted Material No part of this publication, in whole or in part, may be reproduced,

More information

Automated Penetration Testing with the Metasploit Framework. NEO Information Security Forum March 19, 2008

Automated Penetration Testing with the Metasploit Framework. NEO Information Security Forum March 19, 2008 Automated Penetration Testing with the Metasploit Framework NEO Information Security Forum March 19, 2008 Topics What makes a good penetration testing framework? Frameworks available What is the Metasploit

More information

Penetration Testing with Kali Linux

Penetration Testing with Kali Linux Penetration Testing with Kali Linux PWK Copyright 2014 Offensive Security Ltd. All rights reserved. Page 1 of 11 All rights reserved to Offensive Security, 2014 No part of this publication, in whole or

More information

Defense in Depth: Protecting Against Zero-Day Attacks

Defense in Depth: Protecting Against Zero-Day Attacks Defense in Depth: Protecting Against Zero-Day Attacks Chris McNab FIRST 16, Budapest 2004 Agenda Exploits through the ages Discussion of stack and heap overflows Common attack behavior Defense in depth

More information

Hacking your perimeter. Social-Engineering. Not everyone needs to use zero. David Kennedy (ReL1K) http://www.secmaniac.com Twitter: Dave_ReL1K

Hacking your perimeter. Social-Engineering. Not everyone needs to use zero. David Kennedy (ReL1K) http://www.secmaniac.com Twitter: Dave_ReL1K Hacking your perimeter. Social-Engineering Not everyone needs to use zero days David Kennedy (ReL1K) http://www.secmaniac.com Twitter: Dave_ReL1K About the speaker Wrote the Social-Engineer Toolkit (SET),

More information

PTSv2 in pills: The Best First for Beginners who want to become Penetration Testers. Self-paced, online, flexible access

PTSv2 in pills: The Best First for Beginners who want to become Penetration Testers. Self-paced, online, flexible access The Best First for Beginners who want to become Penetration Testers PTSv2 in pills: Self-paced, online, flexible access 900+ interactive slides and 3 hours of video material Interactive and guided learning

More information

Bug hunting. Vulnerability finding methods in Windows 32 environments compared. FX of Phenoelit

Bug hunting. Vulnerability finding methods in Windows 32 environments compared. FX of Phenoelit Bug hunting Vulnerability finding methods in Windows 32 environments compared FX of Phenoelit The goal: 0day What we are looking for: Handles network side input Runs on a remote system Is complex enough

More information

WHITEPAPER. Nessus Exploit Integration

WHITEPAPER. Nessus Exploit Integration Nessus Exploit Integration v2 Tenable Network Security has committed to providing context around vulnerabilities, and correlating them to other sources, such as available exploits. We currently pull information

More information

Penetration Testing. What Is a Penetration Testing?

Penetration Testing. What Is a Penetration Testing? Penetration Testing 1 What Is a Penetration Testing? Testing the security of systems and architectures from the point of view of an attacker (hacker, cracker ) A simulated attack with a predetermined goal

More information

Aiming at Higher Network Security Levels Through Extensive PENETRATION TESTING. Anestis Bechtsoudis. http://bechtsoudis.com abechtsoudis (at) ieee.

Aiming at Higher Network Security Levels Through Extensive PENETRATION TESTING. Anestis Bechtsoudis. http://bechtsoudis.com abechtsoudis (at) ieee. Aiming at Higher Network Security Levels Through Extensive PENETRATION TESTING Anestis Bechtsoudis http://bechtsoudis.com abechtsoudis (at) ieee.org Athena Summer School 2011 Course Goals Highlight modern

More information

Make a folder named Lab3. We will be using Unix redirection commands to create several output files in that folder.

Make a folder named Lab3. We will be using Unix redirection commands to create several output files in that folder. CMSC 355 Lab 3 : Penetration Testing Tools Due: September 31, 2010 In the previous lab, we used some basic system administration tools to figure out which programs where running on a system and which files

More information

Linux exploit development part 2 (rev 2) - Real app demo (part 2)

Linux exploit development part 2 (rev 2) - Real app demo (part 2) Linux exploit development part 2 (rev 2) - Real app demo (part 2) This will be a short tutorial demonstrating a "buffer overflow" exploit on a real application which is freely available using the techniques

More information

Peach Fuzzer Platform

Peach Fuzzer Platform Fuzzing is a software testing technique that introduces invalid, malformed, or random data to parts of a computer system, such as files, network packets, environment variables, or memory. How the tested

More information

Using fuzzing to detect security vulnerabilities

Using fuzzing to detect security vulnerabilities Using fuzzing to detect security vulnerabilities INFIGO-TD-01-04-2006 25-04-2006 Leon Juranić Leon.Juranic@infigo.hr Infigo IS. All rights reserved. This document contains information, which is protected

More information

Turn the Page: Why now is the time to migrate off Windows Server 2003

Turn the Page: Why now is the time to migrate off Windows Server 2003 Turn the Page: Why now is the time to migrate off Windows Server 2003 HP Security Research Contents Introduction... 1 What does End of Support mean?... 1 What End of Support doesn t mean... 1 Why you need

More information

ERNW Newsletter 51 / September 2015

ERNW Newsletter 51 / September 2015 ERNW Newsletter 51 / September 2015 Playing With Fire: Attacking the FireEye MPS Date: 9/10/2015 Classification: Author(s): Public Felix Wilhelm TABLE OF CONTENT 1 MALWARE PROTECTION SYSTEM... 4 2 GAINING

More information

90% of data breaches are caused by software vulnerabilities.

90% of data breaches are caused by software vulnerabilities. 90% of data breaches are caused by software vulnerabilities. Get the skills you need to build secure software applications Secure Software Development (SSD) www.ce.ucf.edu/ssd Offered in partnership with

More information

MWR InfoSecurity Advisory. Interwoven Worksite ActiveX Control Remote Code Execution. 10 th March 2008. Contents

MWR InfoSecurity Advisory. Interwoven Worksite ActiveX Control Remote Code Execution. 10 th March 2008. Contents Contents MWR InfoSecurity Advisory Interwoven Worksite ActiveX Control Remote Code Execution 10 th March 2008 2008-03-10 Page 1 of 9 Contents Contents 1 Detailed Vulnerability Description...5 1.1 Introduction...5

More information

Integrating Tools Into the SDLC

Integrating Tools Into the SDLC Integrating Tools Into the SDLC FIRST Conference 2007 The problem Too many organizations have either: Failed to try software security tools at all Tried tools, but became overwhelmed Tools relegated to

More information

Ivan Medvedev Principal Security Development Lead Microsoft Corporation

Ivan Medvedev Principal Security Development Lead Microsoft Corporation Ivan Medvedev Principal Security Development Lead Microsoft Corporation Session Objectives and Takeaways Session Objective(s): Give an overview of the Security Development Lifecycle Discuss the externally

More information

SY0-201. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

SY0-201. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users. From a high-level standpoint, attacks on computer systems and networks can be grouped

More information

Modern Binary Exploitation Course Syllabus

Modern Binary Exploitation Course Syllabus Modern Binary Exploitation Course Syllabus Course Information Course Title: Modern Binary Exploitation Course Number: CSCI 4968 Credit Hours: 4 Semester / Year: Spring 2015 Meeting Days: Tuesday/Friday

More information

Exploiting nginx chunked overflow bug, the undisclosed attack vector

Exploiting nginx chunked overflow bug, the undisclosed attack vector Exploiting nginx chunked overflow bug, the undisclosed attack vector Long Le longld@vnsecurity.net About VNSECURITY.NET CLGT CTF team 2 VNSECURITY.NET In this talk Nginx brief introduction Nginx chunked

More information

MQ Jumping... Or, move to the front of the queue, pass go and collect 200

MQ Jumping... Or, move to the front of the queue, pass go and collect 200 MQ Jumping.... Or, move to the front of the queue, pass go and collect 200 Martyn Ruks DEFCON 15 2007-08-03 One Year Ago Last year I talked about IBM Networking attacks and said I was going to continue

More information

Attacking Host Intrusion Prevention Systems. Eugene Tsyrklevich eugene@securityarchitects.com

Attacking Host Intrusion Prevention Systems. Eugene Tsyrklevich eugene@securityarchitects.com Attacking Host Intrusion Prevention Systems Eugene Tsyrklevich eugene@securityarchitects.com Agenda Introduction to HIPS Buffer Overflow Protection Operating System Protection Conclusions Demonstration

More information

Stop that Big Hack Attack Protecting Your Network from Hackers. www.lauraknapp.com

Stop that Big Hack Attack Protecting Your Network from Hackers. www.lauraknapp.com Stop that Big Hack Attack Protecting Your Network from Hackers Laura Jeanne Knapp Technical Evangelist 1-919-224-2205 laura@lauraknapp.com www.lauraknapp.com NetSec_ 010 Agenda Components of security threats

More information

ASL IT Security Advanced Web Exploitation Kung Fu V2.0

ASL IT Security Advanced Web Exploitation Kung Fu V2.0 ASL IT Security Advanced Web Exploitation Kung Fu V2.0 A S L I T S e c u r i t y P v t L t d. Page 1 Overview: There is a lot more in modern day web exploitation than the good old alert( xss ) and union

More information

I decided to write a quick document about the techniques I used to exploit Internet Explorer 8 on windows 7 with ASLR and DEP enabled.

I decided to write a quick document about the techniques I used to exploit Internet Explorer 8 on windows 7 with ASLR and DEP enabled. Pwn2Own 2010 Windows 7 Internet Explorer 8 exploit I decided to write a quick document about the techniques I used to exploit Internet Explorer 8 on windows 7 with ASLR and DEP enabled. The exploit consists

More information

0days: How hacking really works. V 1.0 Jan 29, 2005 Dave Aitel dave@immunitysec.com

0days: How hacking really works. V 1.0 Jan 29, 2005 Dave Aitel dave@immunitysec.com 0days: How hacking really works V 1.0 Jan 29, 2005 Dave Aitel dave@immunitysec.com Who am I? NSA->@stake->Immunity CEO of Immunity, Inc. Consulting (product assessments) Immunity CANVAS Immunity Partner's

More information

Microsoft Windows: A lower Total Cost of 0wnership

Microsoft Windows: A lower Total Cost of 0wnership Microsoft Windows: A lower Total Cost of 0wnership August 12, 2004 Table of Contents Introduction...3 Executive Summary...3 Immunity's Methodology...4 Vulnerability Detection...4 Portability of common

More information

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 4 Finding Network Vulnerabilities

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 4 Finding Network Vulnerabilities FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 4 Finding Network Vulnerabilities Learning Objectives Name the common categories of vulnerabilities Discuss common system

More information

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability WWW Based upon HTTP and HTML Runs in TCP s application layer Runs on top of the Internet Used to exchange

More information

Memory management in C: The heap and the stack

Memory management in C: The heap and the stack Memory management in C: The heap and the stack Leo Ferres Department of Computer Science Universidad de Concepción leo@inf.udec.cl October 7, 2010 1 Introduction When a program is loaded into memory, it

More information

Web Application Security

Web Application Security Chapter 1 Web Application Security In this chapter: OWASP Top 10..........................................................2 General Principles to Live By.............................................. 4

More information

Advanced IBM AIX Heap Exploitation. Tim Shelton V.P. Research & Development HAWK Network Defense, Inc. tshelton@hawkdefense.com

Advanced IBM AIX Heap Exploitation. Tim Shelton V.P. Research & Development HAWK Network Defense, Inc. tshelton@hawkdefense.com Advanced IBM AIX Heap Exploitation Tim Shelton V.P. Research & Development HAWK Network Defense, Inc. tshelton@hawkdefense.com Introduction Our society has become dependent on computers and network systems.

More information

04/08/2011. Andy Davis Research Director Telephone: +44 (0) 208 401 0070 e-mail: andy.davis@ngssecure.com

04/08/2011. Andy Davis Research Director Telephone: +44 (0) 208 401 0070 e-mail: andy.davis@ngssecure.com 04/08/2011 Andy Davis Research Director Telephone: +44 (0) 208 401 0070 e-mail: andy.davis@ngssecure.com NCC Group Plc, Manchester Technology Centre, Oxford Road, Manchester M1 7EF www.nccgroup.com Agenda

More information

Penetration Testing Using The Kill Chain Methodology

Penetration Testing Using The Kill Chain Methodology Penetration Testing Using The Kill Chain Methodology Presented by: Rupert Edwards This course is intended for a technically astute audience.this course is 98% hands on.the attendee should have some basic

More information

Network Penetration Testing and Ethical Hacking Scanning/Penetration Testing. SANS Security 560.2. Sans Mentor: Daryl Fallin

Network Penetration Testing and Ethical Hacking Scanning/Penetration Testing. SANS Security 560.2. Sans Mentor: Daryl Fallin Network Penetration Testing and Ethical Hacking Scanning/Penetration Testing SANS Security 560.2 Sans Mentor: Daryl Fallin http://www.sans.org/info/55868 Copyright 2010, All Rights Reserved Version 4Q10

More information

Networks and Security Lab. Network Forensics

Networks and Security Lab. Network Forensics Networks and Security Lab Network Forensics Network Forensics - continued We start off from the previous week s exercises and analyze each trace file in detail. Tools needed: Wireshark and your favorite

More information

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities. A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities. A.K.A Fuzzing 101 Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101 Agenda GEEKZONE Overview of fuzzing techniques Tutorials on specific open-source fuzzers Demonstrations DIY

More information

North Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing

North Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing North Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing Introduction ManTech Project Manager Mark Shaw, Senior Executive Director Cyber Security Solutions Division

More information

Implementing and testing tftp

Implementing and testing tftp CSE123 Spring 2013 Term Project Implementing and testing tftp Project Description Checkpoint: May 10, 2013 Due: May 29, 2013 For this project you will program a client/server network application in C on

More information

david d. rude Affiliated Computer Services Penetration Tester www.acs-inc.com Develop Codes for stuff www.metasploit.

david d. rude Affiliated Computer Services Penetration Tester www.acs-inc.com <bannedit0 [ at ] gmail.com> Develop Codes for stuff www.metasploit. david d. rude Affiliated Computer Services Penetration Tester www.acs-inc.com Metasploit Develop Codes for stuff www.metasploit.com 2 Definition Command injection is an attack

More information

Jonathan Worthington Scarborough Linux User Group

Jonathan Worthington Scarborough Linux User Group Jonathan Worthington Scarborough Linux User Group Introduction What does a Virtual Machine do? Hides away the details of the hardware platform and operating system. Defines a common set of instructions.

More information

Eugene Tsyrklevich. Ozone HIPS: Unbreakable Windows

Eugene Tsyrklevich. Ozone HIPS: Unbreakable Windows Eugene Tsyrklevich Eugene Tsyrklevich has an extensive security background ranging from designing and implementing Host Intrusion Prevention Systems to training people in research, corporate, and military

More information

Unix Security Technologies. Pete Markowsky

Unix Security Technologies. Pete Markowsky <peterm[at] ccs.neu.edu> Unix Security Technologies Pete Markowsky What is this about? The goal of this CPU/SWS are: Introduce you to classic vulnerabilities Get you to understand security advisories Make

More information

Database's Security Paradise. Joxean Koret

Database's Security Paradise. Joxean Koret Database's Security Paradise Joxean Koret Security in Databases Many people still believe databases are hard to audit/hack. Name it as you prefer... Many people consider database software as too big products

More information

Computer Security: Principles and Practice

Computer Security: Principles and Practice Computer Security: Principles and Practice Chapter 24 Windows and Windows Vista Security First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Windows and Windows Vista Security

More information

Project 4: IP over DNS Due: 11:59 PM, Dec 14, 2015

Project 4: IP over DNS Due: 11:59 PM, Dec 14, 2015 CS168 Computer Networks Jannotti Project 4: IP over DNS Due: 11:59 PM, Dec 14, 2015 Contents 1 Introduction 1 2 Components 1 2.1 Creating the tunnel..................................... 2 2.2 Using the

More information

Testing for Security

Testing for Security Testing for Security Kenneth Ingham September 29, 2009 1 Course overview The threat that security breaches present to your products and ultimately your customer base can be significant. This course is

More information

Compute Cluster Server Lab 3: Debugging the parallel MPI programs in Microsoft Visual Studio 2005

Compute Cluster Server Lab 3: Debugging the parallel MPI programs in Microsoft Visual Studio 2005 Compute Cluster Server Lab 3: Debugging the parallel MPI programs in Microsoft Visual Studio 2005 Compute Cluster Server Lab 3: Debugging the parallel MPI programs in Microsoft Visual Studio 2005... 1

More information

Network Working Group Request for Comments: 840 April 1983. Official Protocols

Network Working Group Request for Comments: 840 April 1983. Official Protocols Network Working Group Request for Comments: 840 J. Postel ISI April 1983 This RFC identifies the documents specifying the official protocols used in the Internet. Annotations identify any revisions or

More information

Intrusion Detection Systems (IDS)

Intrusion Detection Systems (IDS) Intrusion Detection Systems (IDS) What are They and How do They Work? By Wayne T Work Security Gauntlet Consulting 56 Applewood Lane Naugatuck, CT 06770 203.217.5004 Page 1 6/12/2003 1. Introduction Intrusion

More information

Web Application Security

Web Application Security E-SPIN PROFESSIONAL BOOK Vulnerability Management Web Application Security ALL THE PRACTICAL KNOW HOW AND HOW TO RELATED TO THE SUBJECT MATTERS. COMBATING THE WEB VULNERABILITY THREAT Editor s Summary

More information

Firewalls and Software Updates

Firewalls and Software Updates Firewalls and Software Updates License This work by Z. Cliffe Schreuders at Leeds Metropolitan University is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License. Contents General

More information

INTRODUCTION: PENETRATION TEST A BUSINESS PERSPECTIVE:

INTRODUCTION: PENETRATION TEST A BUSINESS PERSPECTIVE: PENETRATION TESTING A SYSTEMATIC APPROACH INTRODUCTION: The basic idea behind writing this article was to put forward a systematic approach that needs to be followed to perform a successful penetration

More information

Software Vulnerabilities

Software Vulnerabilities Software Vulnerabilities -- stack overflow Code based security Code based security discusses typical vulnerabilities made by programmers that can be exploited by miscreants Implementing safe software in

More information

Sample Report. Security Test Plan. Prepared by Security Innovation

Sample Report. Security Test Plan. Prepared by Security Innovation Sample Report Security Test Plan Prepared by Security Innovation Table of Contents 1.0 Executive Summary... 3 2.0 Introduction... 3 3.0 Strategy... 4 4.0 Deliverables... 4 5.0 Test Cases... 5 Automation...

More information

The Nexpose Expert System

The Nexpose Expert System Technical Paper The Nexpose Expert System Using an Expert System for Deeper Vulnerability Scanning Executive Summary This paper explains how Rapid7 Nexpose uses an expert system to achieve better results

More information

Vulnerability-Focused Threat Detection: Protect Against the Unknown

Vulnerability-Focused Threat Detection: Protect Against the Unknown Vulnerability-Focused Threat Detection: Protect Against the Unknown Vulnerabilities and threats are being discovered at a pace that traditional exploit-based attack detection technology cannot meet. Vulnerability-focused

More information

Copyright 2009-2010 Lenny Zeltser 1

Copyright 2009-2010 Lenny Zeltser 1 My popular SANS Institute malware analysis course has helped IT administrators, security professionals, and malware specialists fight malicious code in their organizations. In this briefing, I introduce

More information

Ethical Hacking and Attack Tools

Ethical Hacking and Attack Tools Ethical Hacking and Attack Tools Kenneth Ingham September 29, 2009 1 Course overview Attackers have at their disposal a large collection of tools that aid their exploiting systems. If you plan to defend

More information

Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda 1. Introductions for new members (5 minutes) 2. Name of group 3. Current

More information

NEXPOSE ENTERPRISE METASPLOIT PRO. Effective Vulnerability Management and validation. March 2015

NEXPOSE ENTERPRISE METASPLOIT PRO. Effective Vulnerability Management and validation. March 2015 NEXPOSE ENTERPRISE METASPLOIT PRO Effective Vulnerability Management and validation March 2015 KEY SECURITY CHALLENGES Common Challenges Organizations Experience Key Security Challenges Visibility gaps

More information

Professional Penetration Testing Techniques and Vulnerability Assessment ...

Professional Penetration Testing Techniques and Vulnerability Assessment ... Course Introduction Today Hackers are everywhere, if your corporate system connects to internet that means your system might be facing with hacker. This five days course Professional Vulnerability Assessment

More information

Bromium Labs Research Brief. Endpoint Exploitation Trends H1 2014

Bromium Labs Research Brief. Endpoint Exploitation Trends H1 2014 Bromium Labs Research Brief Endpoint Exploitation Trends H1 2014 1 Table of Contents Executive Brief... 3 and exploit trends H1, 2014... 3 Zero day trends... 3 Internet Explorer release to patch timeline...

More information

Stealth Measurements for Cheat Detection in On-line Games. Ed Kaiser Wu-chang Feng Travis Schluessler

Stealth Measurements for Cheat Detection in On-line Games. Ed Kaiser Wu-chang Feng Travis Schluessler Stealth Measurements for Cheat Detection in On-line Games Ed Kaiser Wu-chang Feng Travis Schluessler Cheating Affects On-line Games Frustrates legitimate players not fun to play against cheaters can't

More information

HackSim: An Automation of Penetration Testing for Remote Buffer Overflow Vulnerabilities

HackSim: An Automation of Penetration Testing for Remote Buffer Overflow Vulnerabilities HackSim: An Automation of Penetration Testing for Remote Buffer Overflow Vulnerabilities O-Hoon Kwon 1, Seung Min Lee 1, Heejo Lee 2,JongKim 1, Sang Cheon Kim 3,GunWooNam 3,andJoongGilPark 3 1 Dept. of

More information

Google Apps Engine. G-Jacking AppEngine-based applications. Presented 30/05/2014. For HITB 2014 By Nicolas Collignon and Samir Megueddem

Google Apps Engine. G-Jacking AppEngine-based applications. Presented 30/05/2014. For HITB 2014 By Nicolas Collignon and Samir Megueddem Google Apps Engine G-Jacking AppEngine-based applications Presented 30/05/2014 For HITB 2014 By Nicolas Collignon and Samir Megueddem Introduction to GAE G-Jacking The code The infrastructure The sandbox

More information

Certified Ethical Hacker (CEH) Ethical Hacking & Counter Measures Course 9962; 5 Days, Instructor-Led

Certified Ethical Hacker (CEH) Ethical Hacking & Counter Measures Course 9962; 5 Days, Instructor-Led Certified Ethical Hacker (CEH) Ethical Hacking & Counter Measures Course 9962; 5 Days, Instructor-Led Course Description This class will immerse the student into an interactive environment where they will

More information

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com SAINT Integrated Network Vulnerability Scanning and Penetration Testing www.saintcorporation.com Introduction While network vulnerability scanning is an important tool in proactive network security, penetration

More information

SAST, DAST and Vulnerability Assessments, 1+1+1 = 4

SAST, DAST and Vulnerability Assessments, 1+1+1 = 4 SAST, DAST and Vulnerability Assessments, 1+1+1 = 4 Gordon MacKay Digital Defense, Inc. Chris Wysopal Veracode Session ID: Session Classification: ASEC-W25 Intermediate AGENDA Risk Management Challenges

More information

CSCI E 98: Managed Environments for the Execution of Programs

CSCI E 98: Managed Environments for the Execution of Programs CSCI E 98: Managed Environments for the Execution of Programs Draft Syllabus Instructor Phil McGachey, PhD Class Time: Mondays beginning Sept. 8, 5:30-7:30 pm Location: 1 Story Street, Room 304. Office

More information

Software Vulnerability Exploitation Trends. Exploring the impact of software mitigations on patterns of vulnerability exploitation

Software Vulnerability Exploitation Trends. Exploring the impact of software mitigations on patterns of vulnerability exploitation Software Vulnerability Exploitation Trends Exploring the impact of software mitigations on patterns of vulnerability exploitation Software Vulnerability Exploitation Trends This document is for informational

More information

Thick Client Application Security

Thick Client Application Security Thick Client Application Security Arindam Mandal (arindam.mandal@paladion.net) (http://www.paladion.net) January 2005 This paper discusses the critical vulnerabilities and corresponding risks in a two

More information

Exploiting Transparent User Identification Systems

Exploiting Transparent User Identification Systems Exploiting Transparent User Identification Systems Wayne Murphy Benjamin Burns Version 1.0a 1 CONTENTS 1.0 Introduction... 3 1.1 Project Objectives... 3 2.0 Brief Summary of Findings... 4 3.0 Background

More information

telnetd exploit FreeBSD Telnetd Remote Exploit Für Compass Security AG Öffentliche Version 1.0 Januar 2012

telnetd exploit FreeBSD Telnetd Remote Exploit Für Compass Security AG Öffentliche Version 1.0 Januar 2012 telnetd exploit FreeBSD Telnetd Remote Exploit Für Compass Security AG Öffentliche Version 1.0 Januar 2012 Content Part I Info Bug Telnet Exploit Part II Advanced Exploitation Meta Information Disclosed

More information

Chapter 3.2 C++, Java, and Scripting Languages. The major programming languages used in game development.

Chapter 3.2 C++, Java, and Scripting Languages. The major programming languages used in game development. Chapter 3.2 C++, Java, and Scripting Languages The major programming languages used in game development. C++ C used to be the most popular language for games Today, C++ is the language of choice for game

More information

HoneyBOT User Guide A Windows based honeypot solution

HoneyBOT User Guide A Windows based honeypot solution HoneyBOT User Guide A Windows based honeypot solution Visit our website at http://www.atomicsoftwaresolutions.com/ Table of Contents What is a Honeypot?...2 How HoneyBOT Works...2 Secure the HoneyBOT Computer...3

More information

Port Scanning. Objectives. Introduction: Port Scanning. 1. Introduce the techniques of port scanning. 2. Use port scanning audit tools such as Nmap.

Port Scanning. Objectives. Introduction: Port Scanning. 1. Introduce the techniques of port scanning. 2. Use port scanning audit tools such as Nmap. Port Scanning Objectives 1. Introduce the techniques of port scanning. 2. Use port scanning audit tools such as Nmap. Introduction: All machines connected to a LAN or connected to Internet via a modem

More information

Improving Software Security at the. Source

Improving Software Security at the. Source Improving Software Security at the Source Greg Snyder Privacy & Security RIT January 28, 2006 Abstract While computer security has become a major focus of information technology professionals due to patching

More information

Last Class: OS and Computer Architecture. Last Class: OS and Computer Architecture

Last Class: OS and Computer Architecture. Last Class: OS and Computer Architecture Last Class: OS and Computer Architecture System bus Network card CPU, memory, I/O devices, network card, system bus Lecture 3, page 1 Last Class: OS and Computer Architecture OS Service Protection Interrupts

More information

I Control Your Code Attack Vectors Through the Eyes of Software-based Fault Isolation. Mathias Payer, ETH Zurich

I Control Your Code Attack Vectors Through the Eyes of Software-based Fault Isolation. Mathias Payer, ETH Zurich I Control Your Code Attack Vectors Through the Eyes of Software-based Fault Isolation Mathias Payer, ETH Zurich Motivation Applications often vulnerable to security exploits Solution: restrict application

More information

Computer Forensics Training - Digital Forensics and Electronic Discovery (Mile2)

Computer Forensics Training - Digital Forensics and Electronic Discovery (Mile2) Computer Forensics Training - Digital Forensics and Electronic Discovery (Mile2) Course number: CFED Length: 5 days Certification Exam This course will help you prepare for the following exams: CCE --

More information

Security & Exploitation

Security & Exploitation Security & Exploitation Operating Systems Spring 2015 RPISEC - 05/11/2015 OS Security 1 whoami Markus Gaasedelen B.S. Computer Science 15 Security Enthusiast I like to hack things President of RPISEC http://rpis.ec

More information

FRONT FLYLEAF PAGE. This page has been intentionally left blank

FRONT FLYLEAF PAGE. This page has been intentionally left blank FRONT FLYLEAF PAGE This page has been intentionally left blank Abstract The research performed under this publication will combine virtualization technology with current kernel debugging techniques to

More information

Metasploit Beginners

Metasploit Beginners Metasploit Beginners #.. # # _/ \ _ \ _/ # # / \ \\ \ / // \/ /_\ \ / / \ # # / /_/ / \ \/ \ /\ \ \ # # \/ \/ \/ # # # # _/ \ \_/ \ \/ \/ / # # \ \ \/\ /\ / # # \

More information

Developing ASP.NET MVC 4 Web Applications MOC 20486

Developing ASP.NET MVC 4 Web Applications MOC 20486 Developing ASP.NET MVC 4 Web Applications MOC 20486 Course Outline Module 1: Exploring ASP.NET MVC 4 The goal of this module is to outline to the students the components of the Microsoft Web Technologies

More information

158.738. Implementation & Management of Systems Security. Amavax Project. Ethical Hacking Challenge. Group Project By

158.738. Implementation & Management of Systems Security. Amavax Project. Ethical Hacking Challenge. Group Project By 158.738 Implementation & Management of Systems Security Amavax Project Ethical Hacking Challenge Group Project By Nawed Rajeh Mansour Kavin Khan Al Gamdi Al Harthi Palanavel The Amavax project required

More information

Certified Ethical Hacker (CEH)

Certified Ethical Hacker (CEH) Certified Ethical Hacker (CEH) Course Number: CEH Length: 5 Day(s) Certification Exam This course will help you prepare for the following exams: Exam 312 50: Certified Ethical Hacker Course Overview The

More information