Drawing blood from a Stone.. haroon meer | marco slaviero SensePost.


Agenda..
• Introduction
• What this talk is about
• Complete control with:
  – Outbound TCP Connections
  – IPS in the way?
  – Outbound DNS Requests
  – Outbound *nothing*
• Lessons Learned
• Questions?


Introduction
• Who we are
  – SensePost
  – {haroon|marco} @ sensepost.com
  – (with extra case studies from {nick|bradleyj} @ sensepost.com)


What this talk is about?
• Breaking into stuff!

What this talk is not about?
• Canned demos of Metasploit vs. 2001

Why?
• For a small reality check..
• To determine if we need to “sweat the small stuff”
• Because it’s fun!

How?
• Case studies…


Arbitrary Outbound TCP is bad..
• Least privilege is hardly a new concept..
• Limiting outbound TCP connections is a no-brainer
• Why?
  – Because attackers need to call home..
  – Because we need our tools..
  – Because we want to be comfortable..
  – Because it’s your job to make sure we can’t..


Case Study #1 (plink)


Why your IPS isn’t a Panacea
• IPS appears to be interfering with our recon.
• All we want to do is an innocent little port-scan..
• > 10 ports on one target -> shun source
• > 10 targets in X seconds -> shun source
• Vertical and Horizontal Scans -> shun source
• Who does this stop?


Case Study #2


I’m ok! I only allow outbound DNS
• Outbound UDP 53 is common on Firewall Configs.
• *shrug* we don’t know why!
• If I get to run commands on your server.. then outbound DNS is my friend..
• SQL Injection + DNS tunnels circa 2002..
• SQL Injection + DNS tunnels circa today..
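The detection side of this slide, as an added example that is not part of the talk: if outbound UDP 53 is allowed, the one place a tunnel still shows up is the resolver log. The script below scores DNS query names for the signs a tunnel leaves behind (very long labels, high-entropy payload labels, and many distinct subdomains under one zone from one client). The log format, the thresholds and the sample records are all constructed for the example; the "last two labels are the zone" rule is a simplifying assumption, and a real detector should use a public-suffix list.

```python
import math
from collections import defaultdict

# Constructed sample query log: "<src_ip> <qtype> <qname>" per line.
# Made up for this example; not data from the talk.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A mail.example.com
10.0.0.7 TXT 7a3f9c0e4b1d8a6f2c5e9b0d3a7f1c4e.exfil.example.net
10.0.0.7 TXT 9d2c4b7e1a0f3c6d8b5e2a9f7c1d4e0b.exfil.example.net
10.0.0.7 TXT 1c8e5a2d9f0b3c7e4a6d1b8f2e5c9a0d.exfil.example.net
10.0.0.7 TXT 4f0a7c2e9d1b6a3c8e5f2d7b0a4c9e1f.exfil.example.net
10.0.0.5 A cdn.example.com
"""


def shannon_entropy(s):
    """Bits per character of s; encoded payloads score near log2(alphabet size)."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Split a query name into (payload labels, zone).

    Simplifying assumption for the example: the zone is the last two labels.
    A production detector should use a public-suffix list so that names
    under e.g. co.uk are split correctly.
    """
    labels = qname.rstrip(".").lower().split(".")
    return labels[:-2], ".".join(labels[-2:])


def analyse(log_text, max_label_len=30, entropy_threshold=3.0, max_unique_subs=3):
    """Return {(src_ip, zone): sorted indicator names} for suspicious pairs only.

    Thresholds are illustrative; tune them against your own resolver logs.
    """
    unique_subs = defaultdict(set)
    indicators = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, _qtype, qname = line.split()
        payload, zone = split_name(qname)
        key = (src, zone)
        unique_subs[key].add(".".join(payload))
        # Tunnels pack data into labels, so labels get unusually long.
        if any(len(label) > max_label_len for label in payload):
            indicators[key].add("long_label")
        # Encoded data looks random; ordinary hostnames do not.
        joined = "".join(payload)
        if joined and shannon_entropy(joined) > entropy_threshold:
            indicators[key].add("high_entropy")
    # Each tunnelled chunk needs a fresh, never-cached name under the zone.
    for key, subs in unique_subs.items():
        if len(subs) > max_unique_subs:
            indicators[key].add("many_unique_subdomains")
    return {key: sorted(v) for key, v in indicators.items() if v}


if __name__ == "__main__":
    for (src, zone), hits in analyse(SAMPLE_LOG).items():
        print(f"{src} -> {zone}: {', '.join(hits)}")
```

Any one indicator on its own produces false positives (CDNs and anti-spam services use long, random-looking labels), so a per-client, per-zone combination of all three is the useful alert, and the volume counter should be run over a time window rather than a whole log.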


Case Study #3 (poor man’s DNS tunnel)


Case Study #4 (poor man’s DNS tunnel)


Ok.. What if I..
• Hardened my Web-server
  – Apache running with limited privileges
• No outbound TCP
• No outbound UDP
• Teeny-Tiny reg-ex problem in my application.. (can you spot it?)


Case Study #4


Lessons Learned…
• Know your enemy? (who are you up against?)
• Know the limits of your defenses..
• Detection is an important piece of the puzzle.
• Basics are still necessary!
• There is no unbeatable security measure..

Thank You
Questions?