Explore gaining control with outbound TCP and DNS connections, lessons learned, and defense strategies in this informative talk by haroon.meer and marco.slaviero for SensePost Agenda.
Drawing blood from a Stone..
haroon meer | marco slaviero
SensePost
Agenda..
• Introduction
• What this talk is about
• Complete control with:
  • Outbound TCP Connections
  • IPS in the way?
  • Outbound DNS Requests
  • Outbound *nothing*
• Lessons Learned
• Questions?
Introduction
• Who we are
• SensePost
• {haroon|marco} @ sensepost.com
• (with extra case studies from {nick|bradleyj} @ sensepost.com)
What this talk is about
• Breaking into stuff!
What this talk is not about
• Canned demos of Metasploit vs. 2001
Why?
• For a small reality check..
• To determine if we need to "sweat the small stuff"
• Because it's fun!
How?
• Case studies…
Arbitrary Outbound TCP is bad..
• Least privilege is hardly a new concept..
• Limiting outbound TCP connections is a no-brainer
• Why?
  • Because attackers need to call home..
  • Because we need our tools..
  • Because we want to be comfortable..
  • Because it's your job to make sure we can't..
Why your IPS isn't a Panacea
• IPS appears to be interfering with our recon.
• All we want to do is an innocent little port-scan..
  • > 10 ports on one target -> shun source
  • > 10 targets in X seconds -> shun source
  • Vertical and Horizontal Scans -> shun source
• Who does this stop?
I'm ok! I only allow outbound DNS
• Outbound UDP 53 is common on Firewall Configs.
  • *shrug* we don't know why!
• If I get to run commands on your server.. then outbound DNS is my friend..
• SQL Injection + DNS tunnels circa 2002..
• SQL Injection + DNS tunnels circa today..
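The slide's point is that an open outbound UDP 53 rule turns DNS into a data channel. The defender's counterpart is to watch the resolver logs for tunnel traits; the detector below is an added example (not SensePost's code) that groups outbound queries by source and base domain and flags groups showing both many distinct subdomains and hex-encoded labels. The log format, the sample lines and the thresholds are all constructed assumptions.

```python
"""Heuristic detector for DNS-tunnel-style exfiltration in outbound query logs.
Added example, not SensePost's code; log format and thresholds are assumptions."""
from collections import defaultdict
import re

# Constructed sample log lines (not captured data): "<source_ip> <query_name>".
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.5 cdn.example.com
10.0.0.7 61646d696e2e.7061737377.zz-tunnel.example
10.0.0.7 6f72642e7478.742e3a6a6f.zz-tunnel.example
10.0.0.7 653a38313233.343536373a.zz-tunnel.example
10.0.0.7 383930303030.313233343a.zz-tunnel.example
"""

# Labels made only of hex digits (8+ chars) look like encoded data, not hostnames.
HEX_LABEL = re.compile(r"^[0-9a-f]{8,}$")

def base_domain(qname):
    """Registrable domain approximated as the last two labels (assumption:
    no public-suffix list is consulted)."""
    parts = qname.strip(".").lower().split(".")
    return ".".join(parts[-2:])

def hex_labels(qname):
    """Count labels in a query name that look like hex-encoded data."""
    return sum(1 for label in qname.lower().split(".") if HEX_LABEL.match(label))

def find_suspects(log, min_unique=4, min_hex_ratio=0.5):
    """Group queries by (source, base domain) and return {(src, base): reasons}
    for groups that show BOTH tunnel traits: many distinct subdomains and a
    high share of queries carrying hex-looking labels."""
    groups = defaultdict(set)
    for line in log.splitlines():
        if not line.strip():
            continue
        src, qname = line.split()
        groups[(src, base_domain(qname))].add(qname)
    suspects = {}
    for key, names in groups.items():
        reasons = []
        if len(names) >= min_unique:
            reasons.append("%d distinct subdomains" % len(names))
        hexish = sum(1 for n in names if hex_labels(n) > 0)
        if hexish / len(names) >= min_hex_ratio:
            reasons.append("hex-encoded labels in %d/%d queries" % (hexish, len(names)))
        if len(reasons) == 2:  # require both traits to keep false positives down
            suspects[key] = reasons
    return suspects

if __name__ == "__main__":
    for (src, base), why in find_suspects(SAMPLE_LOG).items():
        print(src, base, "; ".join(why))
```

Tune `min_unique` per site: a resolver log for a busy web server will legitimately show many subdomains under CDN domains, which is why the hex-label trait is required as well.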
Ok.. What if I..
• Hardened my Web-server
  • Apache running with limited privileges
  • No outbound TCP
  • No outbound UDP
• Teeny-Tiny regex problem in my application.. (can you spot it?)
Lessons Learned…
• Know your enemy? (who are you up against?)
• Know the limits of your defenses..
• Detection is an important piece of the puzzle.
• Basics are still necessary!
• There is no unbeatable security measure..
Thank You. Questions?