My name is Piotr Duszynski, and this talk is about active defence in practice. I'll go quite rapidly through the slides, because I've got a lot of them, [inaudible], and okay, let's start. So, basically, shortly about me: I'm a security consultant with Trustwave SpiderLabs. Basically, I enjoy security, among other things, [inaudible]. I focused on Nmap, because, as we know, it is the most popular tool. So basically it's quite possible that somebody will be using it to scan your system. Here we have a typical example where somebody is trying to scan the system and he gets a lot of information. And it is not exactly what you would like to share with your offenders. Basically, this information can be used in other steps to carry out some more sophisticated attacks. So, I thought, what would be the worst-case scenario for a person scanning or trying to get a view of the running services on your system? So basically, what if, for example, all of the ports were open, and what if on every port there was actually a valid, or what appears to be valid, service listening? And your attacker has to basically, as usual, get a view of all running valid services on your remote system.
So basically, I wrote this tool, which is a proof of concept and still work in progress, that basically implements that idea. So when you want to get a full view of the remote system, go through all of the ports, try to get all of the services identified, your attacker will need a lot of patience, because, as I've seen, basically, as I've tested, all of the ports will be open, he will have to send about 120 megabytes of data, and the scan will take approximately...

Stop talking. So we have a tradition at DEF CON. First-time speakers need to do a shot on stage. Let's give them a round of applause for getting selected. Cheers everyone, thanks for that. Now we have to see if you can pick up where he left off in the technical talk. So, you guys judge how well he does.

I'm from Poland, come on, it's just one shot. So, coming back here, so basically, our attackers get nice juicy output, 65,000 or more valid services identified by Nmap. Of course, I focused on Nmap, but basically it can be any other port scanner, but since it's so popular, so why not that too. If you go through the listing, you can see different services, like telnet; there's even a backdoor, if you can see. So basically, among that, there's some, probably your service running, which is valid and could possibly be exploited. But yeah, try to find it, it's not so easy, I guess. And somewhere in the, when the attackers go through your service scan, they can find a hidden message. So basically, you can put any ASCII art there. Also, the OS identification results are a bit strange. For example, you can see that the real operating system is actually Linux 3.2. Here you have, like, unsure results plus, you know, Unix, Windows, Linux, Solaris; yeah, you don't know what it is. Additionally, which is actually the second part of the presentation, you can also control certain fields, which can help you with the exploitation of a particular software.
So yeah, Nmap: there are similar results, all of the ports are open, some of them are identified. Yeah, so what are the conclusions? Basically, stealth scans are no longer helpful with this technique, because if all of the ports are open, then basically you can make a connection. If there is an open port, then there is a service running, all of them are open. So yeah, OS identification is a bit more challenging. Yeah, it also forces your attackers to generate a huge amount of traffic, so basically you can easily detect them, or easier. It's easier. Yeah, for service probes, and of course it adds some frustration to your offenders. Some might say that it's security by obscurity, but as far as, if only it works, you know, that's the point. I don't know if you can see the fish there, but it's there. Yeah, so, but I'm sure that also you are thinking, like, okay, fine, but I'm sure I can find some kind of bypass. So for that, there's also the way I was thinking, so basically answering maybe some of your questions. There's no trivial way to detect false signatures, apart from using some kind of protocol probes. IP fragmentation and other network evasion techniques will not work, because it goes through the kernel to the user-space program that I've written, so basically you can use fragmentation for any layer that you want. It will anyhow be reassembled at the end. The only thing that will work is actually a full-connect TCP DoS, but it's not a mistake in the idea. It's just that every software is actually vulnerable to this. I've made some tests. You can always try to mitigate this by using some of the tool parameters, or just try to use iptables with a traffic shaper. Also, if you have any ideas for the bypass, send them to the mailing list. I'll try to fix the software, or, I don't know, implement your idea. Yeah, just shortly about Portspoof. It's user-space software.
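The detection point made above (a scanner facing a host where every port answers has to open thousands of connections, which stands out in any connection log) is easy to turn into a concrete check. The following is an added example, not code from the talk or from the Portspoof project: it parses a constructed, hypothetical connection-log format and flags any source that touches many distinct destination ports inside a short sliding window. The regex and the window and threshold values are assumptions; adapt them to whatever your firewall or Portspoof instance actually logs.

```python
"""Flag port-scan bursts in a connection log (added example, not from the talk)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log (hypothetical format): timestamp, source, destination port.
# 203.0.113.5 sweeps eight ports in three seconds; 198.51.100.7 is ordinary traffic.
SAMPLE_LOG = """\
2013-08-02T10:00:00Z src=203.0.113.5 dport=22 proto=tcp
2013-08-02T10:00:00Z src=203.0.113.5 dport=23 proto=tcp
2013-08-02T10:00:01Z src=203.0.113.5 dport=25 proto=tcp
2013-08-02T10:00:01Z src=203.0.113.5 dport=80 proto=tcp
2013-08-02T10:00:02Z src=203.0.113.5 dport=110 proto=tcp
2013-08-02T10:00:02Z src=203.0.113.5 dport=143 proto=tcp
2013-08-02T10:00:03Z src=203.0.113.5 dport=443 proto=tcp
2013-08-02T10:00:03Z src=203.0.113.5 dport=3306 proto=tcp
2013-08-02T10:00:05Z src=198.51.100.7 dport=443 proto=tcp
2013-08-02T10:05:00Z src=198.51.100.7 dport=443 proto=tcp
2013-08-02T10:09:00Z src=198.51.100.7 dport=80 proto=tcp
"""

# Assumed line layout; change this to match the real log source.
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dport=(?P<dport>\d+)")


def parse_line(line):
    """Return (timestamp, source, destination port) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["src"], int(m["dport"])


def find_scanners(log_text, window_seconds=60, port_threshold=5):
    """Return {source: peak distinct ports in any window} for sources over the threshold.

    A sliding window per source keeps only events from the last `window_seconds`;
    a source is reported once it has touched `port_threshold` distinct ports
    within that window. Repeated hits on one port (normal clients) do not count.
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort()  # chronological order, in case the log is not
    recent = defaultdict(deque)  # source -> deque of (timestamp, port) in window
    peaks = {}
    for ts, src, port in events:
        q = recent[src]
        q.append((ts, port))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct >= port_threshold:
            peaks[src] = max(peaks.get(src, 0), distinct)
    return peaks


if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LOG).items():
        print(f"possible scanner {src}: {ports} distinct ports within the window")
```

On a Portspoof host the same logic works with a much higher threshold, since a legitimate client never needs more than a handful of ports while a service scan against an all-ports-open host touches tens of thousands.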
It doesn't require any root privileges, no kernel modules, it just binds to one port per instance, and then later you just configure it through iptables by redirecting some of the ports that you want to Portspoof, on localhost. Yeah, okay. Let's go to the good part, which is practical exploitation of your offenders' toolbox. I don't know if you have noticed, maybe the output here is not very clear, but with Nmap you can control certain fields, like, for example, the version field, the host field. That gives you basically nice attack vector possibilities. So I went to the internet, looked on Google, we've googled for some software that could be exploited with that. And basically the first example is, okay, it's still anonymous because the author hasn't responded to me. Basically, if you set up in Portspoof a particular payload, like on any port, and somebody uses Nmap to scan your system, then generates a report, basically you are able to inject some JavaScript code into his browser, let's say, context, when he'll be browsing the report on his computer. There's actually a nice thing about it, because, for example, if he launches Safari and goes through the results, basically the same-origin policy doesn't apply for file URL handlers; this actually my friend Mikael Auro told me. So there's a simple exploitation vector for this one, like port 17, you can have one of them. The next example is non-Nmap, so we don't stick to Nmap all the time; it's just a proof of concept. You can basically exploit, for example, McAfee SuperScan. It was fixed a few days ago, but basically if anyone would scan your system with this particular tool, and later generate a report, then you would also be able to inject JavaScript code into his browser context. Later you can, for example, use BeEF or any other tool to do some post-exploitation; it really depends on you what you are going to do. Yeah, this is actually a real exploit from the internet.
So I don't know if you can see the exact vulnerable line, but it's here. Basically we control the content of the storage file, which actually is retrieved from one of the ports. So what happens here is, if we set up a payload, for example whoami on port 80, which is actually the port that exploit will connect to, well, if somebody launches the exploit against your system, he will get an additional context, which is root, so basically you are able to execute, or to do, OS command injection in somebody's shell, if somebody is launching, for example, an exploit against your system. It's nice about this. You can also create, for example, a weaponized version of this payload, but I won't go through all of the details here, because, I mean, for example, if you want to exploit this particular line where you have an evaluation of the file content, basically you have to go around some issues, like you cannot use spaces, you can't use apostrophes, so basically this should be in the conference materials if you want to use it later. But the result is that basically if you set up such a payload on one of your ports, yeah, next time when somebody launches the exploit against your system, he won't only get whoami output, but you'll be able to, for example, download his whole root directory. Another example is taken from an auto-pwn script, which is nice because auto-pwn scripts usually go for all of the ports, they try to exploit all of the possibilities, so basically if you have different payloads on every port, some of them might hit that particular vulnerability and you will be able to exploit your attackers too. In this case, we have again, and this is a real line of code, I don't know if you see the vulnerability, it's rather pretty obvious, yeah, and again, what's the surprise? whoami will work, which will result in OS command injection again.
What you can do with this, and what are the conclusions for the current state of the security tools? Because from what I've seen on the internet, in different tools, different scanning software, most of them, not all, but most of them are exploitable with simple payloads, like, for example, whoami or any other escaping sequences, especially auto-pwn tools used by script kiddies or I don't know who. But yeah, if they launch that type of script against your system, then basically you can also try to create an, I named it an aggressive honeypot, because you can create different payloads for every port with different escaping sequences; then it's up to you which command you will inject. And if you want to find, for example, more vulnerable software, just go to Google, use your Google skills; the ones that I found are actually the tip of the iceberg. I mean many, many scripts are vulnerable; you can use just your imagination while creating some payloads. So, in this case, I'm sure you'll find something. Yeah, in the end, I wanted to show you a nice proof-of-concept demo for an official Nmap NSE script, which again proves the concept; it's nothing against the tool itself. Okay, let's... Can you see it? Yeah, in front here, you can see it. Yeah, okay, then I'll tell you. So, basically, first screen, you might not see, we set up the Portspoof tool along with a Meterpreter. Second one, we scanned the remote system, we want to check actually what's on port 80. We can see that there is an Apache HTTP, IBM Lotus Domino in the old version that's exploitable. So, basically, what we can do. So, yeah, here is a reverse handler in Metasploit. This is the latest Nmap version, 6.25. So, if you have that, it's still vulnerable. And this is the exact http-domino-enum-passwords script, which basically will result in a remote arbitrary file upload.
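The two bug classes the last few paragraphs describe (a fake service banner that lands unescaped in an HTML scan report, and a banner that is interpolated into a shell command inside an exploit or auto-pwn script) come down to treating scan results as trusted data. The following is an added example, not code from the talk or from any of the tools it names: it models a scanner-side tool handling a banner both the vulnerable way and the hardened way, with a constructed hostile banner that is inert text here and is never executed. The function names and the results file are assumptions.

```python
"""Banner handling in a scanner-side tool: vulnerable vs hardened (added example)."""
import html
import re
import shlex

# Constructed banners. The hostile one carries the kinds of characters a fake
# service (such as one Portspoof serves) could return; it is only a string here.
BENIGN_BANNER = "Apache httpd 2.2.22"
HOSTILE_BANNER = "Apache `whoami` <script>alert(1)</script>"

# Characters that change meaning inside a POSIX shell command line.
SHELL_META = re.compile(r"[`$;|&<>(){}\n\"'\\]")


def report_row_vulnerable(port, banner):
    """Report generator bug: the banner is pasted into HTML verbatim, so any
    markup it carries runs in the browser of whoever opens the report."""
    return f"<tr><td>{port}</td><td>{banner}</td></tr>"


def report_row_hardened(port, banner):
    """Escape untrusted text before it goes into the report, and force the
    port to an integer so only the banner cell ever carries remote data."""
    return f"<tr><td>{int(port)}</td><td>{html.escape(banner, quote=True)}</td></tr>"


def banner_cmd_vulnerable(banner):
    """Exploit-script bug: the banner is spliced into a string meant for a
    shell, so backticks in it would execute on the scanner's own host."""
    return f"echo {banner} >> results.txt"


def banner_argv_hardened(banner):
    """No shell at all: an argv list where the banner is one opaque argument.
    Suitable for subprocess.run(argv) without shell=True."""
    return ["tee", "-a", "results.txt"], banner  # banner goes to stdin, not argv


def shell_safe_banner(banner):
    """If a shell string is unavoidable, quote the banner as a single literal word."""
    return shlex.quote(banner)


def contains_shell_metachars(banner):
    """Detection gate: true when a banner carries shell metacharacters, which a
    real service banner almost never does and an aggressive honeypot always will."""
    return SHELL_META.search(banner) is not None


if __name__ == "__main__":
    for name, banner in (("benign", BENIGN_BANNER), ("hostile", HOSTILE_BANNER)):
        print(f"[{name}] vulnerable row: {report_row_vulnerable(80, banner)}")
        print(f"[{name}] hardened row:   {report_row_hardened(80, banner)}")
        print(f"[{name}] vulnerable cmd: {banner_cmd_vulnerable(banner)}")
        print(f"[{name}] quoted word:    {shell_safe_banner(banner)}")
        print(f"[{name}] metachars:      {contains_shell_metachars(banner)}")
```

Note that html.escape neutralises the markup but leaves the backticks alone, and shlex.quote does the reverse; the two problems need two separate fixes, and the cleanest shell fix is to not invoke a shell at all, as banner_argv_hardened does.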
So, if you launch that against, for example, the system running Portspoof, you'll be able to upload an arbitrary file, overwrite any file that's accessible with Nmap privileges. In this case, I have overwritten the script itself. So, next time, because someone might think that it's strange that there are some strange results in the Nmap output. So, next time somebody launches that particular script with the same parameters, yeah, he will get pwned. He will get a remote reverse Meterpreter. I know the quality is a bit low, but if you want to, just go to the main website, you can view it online. I'll change, I'll upload it in a second. Sorry for this, I thought it would be visible. At the end, yep. So, yeah, thank you for your time and for coming. Hope you enjoyed it.