All right, as usual, just like last year. I can't believe people actually come to watch me talk. Last year it was, what, 10 in the morning on Sunday, and I figured, like, fuck, I'm hungover, who's gonna be here to watch me? And then Sunday at 4, I'm like, fuck, dude, I wanted to fly home today, who, you know... But hey, for everybody who did come out, thanks, I really appreciate it. And just like last year and every year, you know, I've been coming to DEF CON, I fucking love this, man. So I really appreciate everybody who came out.

All right, so this year's talk is "You Spent All That Money and You Still Got Owned." So I've been doing a lot of pen testing, and I'm going all over to all these different countries and pen testing, and I'm running up against all these different defensive things, you know, application firewalls, WAFs and IPSs and NAC solutions, and we're still giving them the beat-down, like, pretty freaking bad. And then in a lot of cases I roll out and I get into the middle of the pen test and that shit turns into incident response. It's like, dude, you're already fucking owned. Fuck, you know? So that was kind of the topic of this, so let's do it.

So who am I? Network/application pen tester dude, trainer, aka the black guy at security conferences. Everybody who always wants to know, I'm like, dude, that's me. Yes, that's me. All right, and then how do I do my thing, man? I hack, I curse, I drink. The order changes, but it's all the same, you know. So if you don't like people who say the word fuck, you might want to get up and leave. Okay.

All right, so I always do this, because, you know, it's that nostalgia, especially since I'm here at DEF CON now. Let me take you back. All right, so this is 10 years I've been doing this DEF CON thing, man, and for me, back in the old days, man, pen testing was easy. So we would just tell the customer,
"Hey, dude, we're security people," and the customer'd be like, "Oh, okay, well, damn, the security people are here." And then we would break out our open source tools like Nessus. Who remembers when Nessus was free? Shit. So we would break out our shit, man, and it would be like, yo, they're coming in here with nmap and Nessus and all this open source stuff. And then we would go out, hit our websites like rootshell.be, Packet Storm. Anybody who's with me? That's what I'm talking about, right? The good old fucking days, when you would just yank down your shit, fucking compile it, and be like, yo, fuck, I need these libraries from over here, and, you know, then dot-slash the fucking planet and just, like, drop shells every fucking where. So then we would, like, take screenshots and be like, yo, man, we gave your network the fucking beat-down. Here's the report. And after that it was like this. Remember that shit? Remember that shit? "Your network fucking sucks. Pay me."

Well, today, man, everybody's a CISSP. And then, like, do you guys go through this, like, the dude who hires you thinks he knows more than you, and, like, sometimes he actually does, but, like, fuck, why'd you hire me, then? So he's like, "Well, you know, we're doing this, we're doing this. We've got the IDS. We got the IPS. We got the NAC. We got the WAF. We got the this, we got the that." So I'm rolling out there and I'm like, this is some bullshit.

So let me walk you through a little story. Now, anybody who does my talks knows that I always got a story. So, story. I'm out testing this client about a year and a half ago. I get out there and the customer is like, "Okay, Joe, well, you've already been auditing these subnets. Can I get you to go over to this subnet and do a VLAN ACL audit?" Okay, now, have any of you ever done a VLAN ACL audit? Okay, well, you guys are smarter than me, because I had never done one. So I'm back there, I'm like, what exactly do you want me to audit?
He's like, "Well, audit the VLANs." So, all right, I go over and I look at the config, and I'm sitting with the network admin, and they've got, for 300 users, 90 VLANs. Now I'm having a moment. I'm like, how the fuck you got 90? You ain't even got... So I'm like, all right, cool, I'll tell you what, let's get a little piece of paper. And I just walked from person to person. I was like, "Hey, man, do you need this VLAN? Do you need this VLAN? How about this one?" So I went through this VLAN ACL audit, and then I go through all these VLANs that aren't being used. I'm like, okay, you're not using this one, you're not using this one, you're not using this one, you're not using this one. And this is, like, a big, big fucking company. So we go through and we audit all these VLANs, we do some network re-segregation shit, move some shit around.

And now I audit one of their DMZs. Company's got four DMZs. So I audit one of the DMZs. I'm like, yo, man, these boxes, you got a couple of boxes out here, they, like, really need some patch updates. So I go over and I tell the deputy CIO, I'm like, "Yeah, well, you got these boxes that need to be patched. You know, you're missing some MySQL patches, you're missing some PHP patches, got a lot of stuff that needs to be cleaned up." So they have a meeting, because everything's a fucking meeting. They have a meeting, and then one of the developers stands up and goes, "Oh, no, no, no, no, we can't patch those. Those are our development servers." And I'm like, is this shit passing the common sense test? You got your fucking dev servers in the DMZ? Like, it gets better.

So I'm out there and I'm working with the client a little bit more, and I start to do my little pen test thing. I drop a couple shells.
I'm like, oh, man, this network is fucked up, because it's too easy to drop shells. Client's, like, "Well, how come our IDS didn't catch you?" And I was like, "There's an IDS?" So he goes, "Yeah, we're being monitored by..." I can't say the name, because some of y'all probably work for them. So the company had hired another company to outsource their IDS, right, to do the management, reports, and all that kind of bullshit. So we go over and we go look at the box. I'm like, "Well, yeah, man, do I have creds on the box? Mind if I just take a quick look?" So they give me creds on the box. I try to log into this fucking thing, and this thing takes, like, fucking two minutes to log in over SSH. I'm like, what the fuck? So I log in, and I'm like, this bitch is slow as hell. So I run chkrootkit. This motherfucker's got four rootkits on it. Pen testing at its finest.

Okay, so what do I do when I'm up against these big companies? People, like, "Dude, you audit all these fucking banks, you audit all these big fucking companies." And really, I just ask Google to help me. That's it. So first thing I do is I do a bunch of quick Google dorks. I look for SQL errors, I look for remote file includes, anything that's gonna give me a quick shell. Okay, always go for the quick shell. Go for the fucking jugular when you're on a pen test, dude. Don't do all that bitch scanning shit. Go for the fucking jugular. Okay, so I always look for SQL injection, always look for RFIs, always look for cross-site scripting. You know, try to find that stuff right away. Then after that, start trying to do your passive recon stuff. So I try to figure out, like, okay, well, what subnets do they have? Where's all their stuff located?
I use this fucking unbelievable tool called Firefox. Fucking unbelievable, man. You would be amazed at what it can do. So PassiveRecon is one of the tools that I use, something you really got to try out. I'm sure most of you guys are already using it. Definitely got to try that out. Maltego, definitely the shit, definitely got to use that. And then the next thing I do is go look for load balancers. I run into load balancers on probably 30% of my pen tests now. It's getting real common. Okay, so biggest deal for me: figure out if the box is load balanced, figure out if it's DNS or HTTP load balancing. Because, like I said, if you're shooting packets at it and, you know, the fucking load balancer is sending your packets every which way, well, it kind of makes the testing a little hard. So definitely got to figure that out first. And then, once again, we have that amazing tool called Firefox that helps us find that out. So throw on Live HTTP Headers and make some generic requests to the web server. See if anything within the HTTP header changes. So if your first packet you send, when you get the response, it comes back and says IIS 5, you send another packet to the same box, it comes back and it says IIS 6, dude, it's probably load balanced. Same thing with the dig command, and Netcraft. Netcraft is freaking awesome. You'll often see stuff, it'll tell you right there, you know, F5 BIG-IP and all of that, and you can also get the IP address of the load balancer itself. So that's been a real big deal for me on my pen testing. lbd (load balancer detector) is a shell script that does it; halberd is a Python script that does the same thing. Okay, so these are some real good things to help you figure out what is the real IP of the host that you're trying to attack if it's behind a load balancer.
All right, next thing I run into is IPSs. So it seems like everybody has an IPS. However, the overwhelming majority of my customers have it in IDS mode. Anybody else have this issue where you're, like, begging, "Turn the fucking thing on, dude! Let's block some traffic!" Really? "But we'll see what happens." Who's of the belief that if we block some legitimate traffic, we'll make note of it and then we'll allow that, so, fuck it, let's block all the rest of the shit? Who's with me? Okay, I'm just making sure that I'm not the only one who thinks this shit, right?

So, okay, so when I'm trying to figure out if I'm up against an IPS, I do some real simple things. Okay, I'm a Linux guy. I'm using Windows right now and I feel a little dirty, so please bear with me. Okay, so the first thing I break out is I break out curl, and you see that I go for /winnt/system32/cmd.exe. Now, guys, this attack has not worked since Jesus was walking the earth, let me inform you, if you do not know. Okay, the only reason that you're doing this is you're just trying to see if something blocks your IP address or sends you reset packets to your connection. So if this thing sends you a reset packet when you ask for cmd.exe, well, it's probably an IPS. If it blocks your IP address, it's probably an IPS. It's, like, unbelievable deductive reasoning here, right? So some guys from purehacking.com came up with a tool that does this, Active Filter Detection. The Aussies in the house? So they got this figured out. Really good tool. Working on some stuff in Python to kind of change it up and enhance it a little bit. So, you know, for those of you guys who support Python, fuck Ruby, any of you guys support Python, come holla at me. We're working on some shit.
Yeah, fuck Ruby. By the way, did I mention I curse? Okay, so oftentimes I do run into IPSs. What I generally do is I just shoot, you know, from three or four IPs. So I shoot from a couple of different IPs to try and see if I get reset packets or if I get my IP blocked. So once I know I'm up against an IPS, the next thing I try to do is see if the IPS can handle SSL. So, again, this is why we use Linux. Just go ahead and create an xinetd file. I call it ssltest. So you see that I open it up on port 8888, and then any data that I pipe into localhost 8888 goes into this little shell script. You see it's server-sslproxy.sh. Now here you can see my mad, mad shell scripting capability. Look at that one-liner shell script, baby. What? So the traffic goes straight into openssl and then makes the connection to the target and then sends all that same Active Filter Detection, or, you know, cmd.exe again, trying to see if my IP gets blocked. Okay, the overwhelming majority of clients that I have that do deploy an IPS, and do deploy it in blocking mode, do not decrypt the SSL traffic prior to it passing the IDS or IPS. So that's one of the things that I really look for. If you guys are running into that, try to get your client to spend the money. Hey, man, get an SSL accelerator, terminate the SSL in front of the IPS, and then let's actually start trying to decrypt it.

Okay, attack through Tor. I do this a lot. So I fire up Tor, push all my stuff through Tor and Privoxy, and then that same thing where I just push all my attacks to localhost and it pipes out through Tor. Same thing.
So for this one the recommendation is get your clients to block Tor exit nodes. Okay, most companies don't have a valid reason for needing people to connect to them through privacy... Sorry, I know we give a shit about privacy, but fucking companies don't. So tell everybody, block Tor exit nodes. That's the big thing that I'm doing with a lot of my customers. I don't have Glype proxies in here, because the hangover was really affecting my ability to do slides this morning.

Okay, and then the last thing that I've been running into is WAFs, web application firewalls. So because I do a lot of PCI pen testing, and some genius over at the PCI council figured that, hey, if you have a web application vulnerability and you don't want to fix it and you deploy a WAF, you are somehow now PCI compliant. For some reason I'm pen testing a lot of WAFs now. So, things with the WAFs: they're actually not that difficult to identify. Pretty much just throw any freaking character at it, and this thing fucking gives up the bits. It's like, "Yo, okay, I'm a WAF." Really fucking difficult to figure out if you're attacking a host that's behind a WAF. So you send it any special character, and then the thing fucking, like, gives you all kinds of weird things. So if you request cmd.exe and you get a 501 Method Not Implemented instead of a 404 File Not Found, you're probably up against Apache mod_security. Now, newer versions of mod_security have changed this, but who the fuck really upgrades their WAF? Really? So I run into this a lot still. Also, another one that I run into, AQTRONIX WebKnight. You see that in the HTTP response header.
It gives a response code of 999, "No Hacking." So I run into this. If you're seeing that, you know you're up against one. You know, just start adding things to it to see what it does, and see if it gives you a 404 for a file that it should not have. You know, I request joe.exe and then I request netcat, nc.exe, and I just look at the differences between them. I mean, that's it. If you send a good request, that gives you a 200, okay. You send a bad request for a file that doesn't exist, and then it gives you a 404. And then all of a sudden you insert something for cross-site scripting and it gives you a completely different error? You're up against some sort of defensive mechanism. Make sense?

All right, so, based on that, start playing the encoding game. So if you figure that you're up against a WAF, see if this thing handles hex, see if it handles UTF-7, UTF-8, UTF-16, base64, or mixing of them. See how it handles the multiple encodings. Most WAFs cannot handle encoding very well, okay, especially if you start mixing the encodings together. Okay, so it's a good way to try and see if you could get by the WAF.

Okay, good buddies of mine, Sandro Gauci and Wendel, they wrote a tool called wafw00f, and I started contributing to it last year. I think it's the shit, and it's in Python. So the cool thing that we're doing here is we're fingerprinting the HTTP response headers and we're identifying web application firewalls. And I fucking love it. So right now we've got a pretty good list, about 10 or 12 WAFs, and the list is getting bigger and bigger. The next thing that we're working on is called WAFfun, where we're gonna work on a tool that actually brute-forces web application firewall rule sets. And it's in Python. So I'm real excited about that, guys.
I really wish that we had made more progress with it, but, you know, working, drinking, working and drinking, it was kind of hard to get the tool done so that I could have a working demo. But hopefully, you know, the next couple of conferences, and next year, we'll have a working demo of WAFfun so you can see the brute-forcing of WAF rule sets. I think that's gonna be the shit. Okay.

All right, so quick thing that I use: Gary O'Leary-Steele, he wrote a tool called Unicode-fun, and it's great for... it's Ruby, I know, but fuck Ruby. So we're gonna get it moved over to Python, and in my tool it's gonna be in Python. So we're putting that in Python, and we'll do the different encodings. We want to make a tool specifically for web application attacks. That's gonna be part of the WAFFIT framework. WAFFIT framework will include WAFfun and WAF move, and we'll specifically be working on multiple encodings and proxy awareness, so that it can jump on Tor and it can jump on Glype proxies while it's doing all these different, different things. So that's really what we're looking for.

Okay, we already talked about attacking websites through Tor. I talked about this a little bit last year. I don't know if anybody here works for dotDefender, or whatever fucking company makes dotDefender. We found that their ability to defend against SQL injection... how do I articulate this? Fucking sucked. So if you throw, like, right here, this is a generic cross-site scripting attack. So it says script alert XSS, and the fucking thing is like, "Danger, Will Robinson, danger! We've run into cross-site scripting!" And then it gives you this big message that says, dude, we fucking blocked you. So now, here I'm trying SQL injection with no encoding at all, and dotDefender doesn't care. So they block some SQL injection specific statements, like the word SELECT. This is the height of IDS and WAF technology, right?
I'm going to block the word SELECT. So if you encode it in Unicode, you walk right by it. So they decided to fix this last year, but they didn't fix any other encoding. So if you use any other encoding, you still walk by the thing. Does anybody work for this company? If you do, please, all right, meet me, like, when I get off stage, because that... I don't get it, dude. Okay, and yeah, that's still me dumping the admin password hash with no encoding at all against a dotDefender. Sorry, dude, fix your shit.

Okay, so biggest things that I'm doing now: getting into the LAN from the web. It's getting harder. It's getting harder, but it's still possible. So SQLninja. The dude icesurfer who wrote this tool, it's in Perl, but I'm not hating him for that, because I was a Perl monkey, but I've seen the light, which is Python. I am gone. I'm gone, I'm gone. But his tool works really well. You can upload netcat and Meterpreter, DNS tunnel, great, great, great support for that. So I really think that's a good project, and he just released an upgrade not too long ago. Okay, sqlmap, especially since it's in Python, fucking rocks. Okay, it allows you to upload a Meterpreter shell, and it has its own OS shell that you can fucking drop. Freaking awesome. So you can just, you know, go right at it, and it drops to where it says OS shell, and you can just do your operating system commands, you know, ipconfig, netstat, or whatever, or you can go straight to a Meterpreter shell. I use this a lot. Still works. Okay.

All right, we have to focus on the important stuff. The important stuff is not getting caught. Okay, we're officially gonna title this section of the talk "Don't Be a Tiger." The goal when you're doing this is not to get caught. I don't know who thinks Tiger's a punk. Tiger's a fucking punk. Okay, help me here. If I'm worth a billion dollars, and you're a porn star, you fucking know I'm gonna have some people kill you if you talk, right?
I'm just making sure. Who's with me? Raise your hand if you would. She ain't fucking talking. All right.

So biggest things that I run into: filter evasion. You have a lot of people who try to do all types of things. So the first thing is client-side filtering. This is bad. This is bad. This is bad. This is bad. Did I say that this is bad? This is bad. Do not use JavaScript or VBScript or anything client-side to try to filter input to your critical application. Or if you're using a framework like J2EE where your framework creates this JavaScript for you, you're gonna have to write server-side code that checks to verify what's coming in from the client. Okay, you just got to freaking deal with it, man. Anything that's happening on the client's machine is his. So I have to do these little lessons for developers. I'm like, okay, developer, I want you to think about this. You're gonna put all the security on the hacker's laptop. What do you think? Right? So, guys, don't use client-side filtering. Do not use client-side filtering. Okay.

All right, restrictive blacklists. Oftentimes I run into people who now restrict special characters. Well, you can't send an equal sign, can't send a greater-than sign, less-than sign, or something like that. But especially with SQL syntax, you don't necessarily have to say that 1 equals 1, because isn't 1 kind of like 1? 2 kind of like 2? Rum and Coke kind of like rum and Coke? Just the thought. So SQL injection actually does work without special characters in a lot of cases. Okay.

And then the IDS. Now, how many of you have this as your mousepad? Come on, I'm with the nerds, I'm with the nerds, I'm with the nerds. So you got to have your ASCII decimal chart, hex chart. Break it out as your mousepad, or, what I just learned the other night while unbelievably drunk, drop to a shell and type man ascii. That shit fucking worked. Drop to a shell and type man ascii, and the shit is right there. Fuck, dude, that's cool.
So when dealing with the IDS, okay, so we've got alert tcp any IP coming from any port going to our web servers on our web server ports, and we're looking for specifically tick or 1=1. Okay, how many hackers are we really going to catch with this one? So let's think about it. Um, is 2 equal to 2? 40 ounce equal to 40 ounce? No, most definitions of... Okay, so a lot of what I'm running into, when you actually take the time to sit down and read a lot of these IDS rules, you're like, good God, man. So, yes, this is my opinion of IDS. Okay, and you're starting to see that it really doesn't matter. I mean, you know, as people do, like, this and and, or, and they're looking for still 1=1 or 9=9 or, you know, anything like that, you're gonna find that, man, it's just a losing cause. And thank God sqlmap does all this obfuscation that I'm showing you up here by default, and it's in Python. Okay, so the same thing that I'm showing you here, where I did my or 1, or, excuse me, or 2, and select user. Well, in this case I put the entire thing in hex. Okay, you can do this in Unicode, you can do it in UTF-7, UTF-8, UTF-16, all these different, you know, encodings. It doesn't matter. Base64, it doesn't matter. Okay, this stuff works. It works to get in by a lot of IDSs and WAFs.

Okay, last thing. The one product in the PHP space that I think is absolutely the shit is PHPIDS. I think it's the fucking coolest shit. Now, they've got something on their website. So if you go to demo.phpids.net, they've got a smoke test, where with the smoke test you can put in all of your SQL injection, cross-site scripting, or web application attacks, and it shows you what signatures it flags. So you can keep practicing your kung fu right here, like, okay?
Well, I tried it this way, it got flagged. I tried it this way, the number of signatures it flagged was less. And you just keep working and keep working and keep working until that bad boy finally tells you okay. That's what you got to do. So you just keep working on your kung fu and working on your kung fu until you find something that's going to bypass most of the rules. Now, mod_security has teamed up with PHPIDS, and they've got their own smoke test, and, again, I was a little hungover so I didn't add it to my slides, but they've got their own smoke test where it actually loads the mod_security CRS, Core Rule Set, and PHPIDS and Snort rules, all in one web interface. So you just keep throwing it in there until it bypasses all of those, and fucking smooth sailing.

All right, so signature IDS: fucking joke. IPS and WAF: fucking joke. And then, at least what I'm running into, I don't really have clients who really look at it anyway. So they bought it, but looking at it, that's a different story. Now, for those of you who are IDS analysts and WAF people, where you actually mend the thing all fucking day,
I know I talk a lot of shit, but I feel your pain, because I used to do your job, and there's not enough alcohol in the world for the job that you do.

All right, so right now the overwhelming majority of stuff that I'm doing is what I just showed you, getting in through the web. So, like I said, you deal with the IDS, you deal with the IPS, and then pretty much it's web shit: remote file include, WAR file upload. Who's been giving JBoss the beat-down with the WAR file upload? That shit fucking rocks. So WAR file uploads with JBoss, SQL injection, just encoding some sort of way so that I can get into it. That usually gives me a shell either in the LAN or in the DMZ, and I try to work from there. After that, I do the unbelievable thing and send the client email, because it fucking works. So I send the client email, you know, client-side with Metasploit. Beautiful. So you just choose whatever the latest browser, PDF, ActiveX, or file format exploit is, make sure it's a reverse TCP shell, and now Metasploit has reverse HTTPS. Freaking beautiful. The only bad thing about it is it's fucking written in Ruby. Okay, so our Python tool is SET. So to me SET is some next-level shit. I think, man, ReL1K is doing some unbelievable shit with SET. So, guys, for me, round of applause to ReL1K. This is what we need. This is what we need, so that we can illustrate the point of what's going on. The hacker community does not port scan your networks anymore, and if they are port scanning your networks, those are fucking busters anyway. They're probably not going to get a real shell. Okay, real hackers are, you know, pushing everything with, you know, these drive-by downloads and, you know, freaking email-type stuff.
This is where it's going. So setting up fake websites, spearphishing, and all that kind of stuff. That's the kind of thing that we've got to get clients to understand needs to happen in your pen test. Okay, if you deal with the same client that I had, who just stood up and says, "Joe, well, I'm not going to pay you to tell me I need user training." Okay, no, man. No. You have to replicate the real threat. This is what hackers are doing. We have to replicate that threat. So, client-side testing is where it needs to go.

Okay, pivoting into the LAN. Well, since the overwhelming majority of my attacks are client-side after my web stuff, pivoting into the LAN is important. So Metasploit supports the pivot. If not, I have a whole CAB file upload thing where I upload some CAB files that have all of my executables statically compiled, so there's no install, and I just use that as my workshop to pivot into the LAN. So jump right into the LAN and start moving around from there. Next thing that I look for is common LAN security solutions. So things that I run into: no DHCP, DHCP MAC reservations, port security, and NAC. So, can't get on the network. And I'm kind of tying this together. So you've pivoted into the LAN via client-side, or you're on the internal assessment and you have to try and get on the LAN. So my kids taught me these, because they're unbelievably ineffective. So static IP addresses. I hope you don't have a client who actually says they're going to stop people by using static IPs. So we all know, steal the MAC address, we get on, right? DHCP MAC reservations: we know that we're going to steal a valid MAC and get on the network, right? Port security: you know that we're going to steal a valid MAC and get on the network. Now, who does what I do, where you walk by and you, like, lift up the computer and you read the MAC address? You're like, cool, and now I'll go get on the network, right?
Okay, NAC solutions. The biggest thing that I've been doing is look for 802.1X exceptions. Okay, things that can't support 802.1X, like printers, copiers, CD-ROM towers, all that kind of stuff, is generally excluded from the NAC solution. And voice-over-IP phones can't... hint, wink wink, nudge nudge. So for me, that really works. We're getting by this stuff. Voice over IP is, to me, the best. I'm running into a lot of clients, especially since I used to work for a switching company, I'm running into a lot of clients who use automatic provisioning, where they plug in a VoIP phone, and then, based on the MAC address and VLAN tag, that automatically migrates the phone into the voice VLAN. So you can make your Linux box look like a voice-over-IP phone and get bumped into the voice VLAN. So this is great for getting past NAC solutions. And then generally, you know, since most of your clients, all of your phones need to talk to the call manager, you can talk straight into the internal DMZ where all the servers are, because the call manager's right with all the other servers. It works beautifully. Okay, there's a tool called VoIP Hopper that automates this. So if you guys are liking that, just jump right on VoIP Hopper, voiphopper.sourceforge.net. Jump right into the LAN.

All right, once I'm on the LAN, things that I generally do: I need to figure out who's the domain admin. Remember, we go for the fucking jugular, right? Figure out who's the domain admin.
So that's what all these net commands are. So, see my environment variables, that's the set, and then I do the net view, net view /domain, net user, and net localgroup. Figure out who's in what groups within the network, so that we can try to attack his machine. Now, if we're able to get local admin or local system, that's even better, because the next thing that I do is I look around the network for that specific user on that machine. So you just script all these different things to look around the network to figure out where that domain admin's box is, especially if you've already got local admin or local system. So you find where his box is, and then jump on his box. Once you jump on his box, you can also use a psexec shell. So once you jump on his box, that's when I start looking to escalate privileges. So escalating privileges is one of the things that I think is really hot. On Windows XP, the old at trick still works, even up through Service Pack 3. Who uses that? at /interactive cmd.exe. So that works. And I ran into this on a bank pen test, so you're seeing that I had to kill McAfee. I had to turn off the HIPS, turn off the Entercept agent, turn off FirePM, and then I had to use all this pskill to unhook all of this other stuff
that's running. Last thing that I didn't get on my slide, someone asked me about, because they were like, well, when you do that with McAfee... The first thing you need to do is escalate to SYSTEM, right? Same thing works for Symantec Endpoint Protection. You have to escalate to SYSTEM so that you can start trying to kill all this stuff off. So you kill all this stuff off, and after a while it restarts. So you'll have to unhook the DLLs that are in memory to stop that. And I didn't put that in my slide, but if you holler at me later, I'll give you the syntax to do that. Okay, another trick that I just learned about McAfee was there are names of excluded files, specifically by name, not by hash or anything like that, files that are excluded from McAfee antivirus, so they won't be protected by the buffer overflow protection and the whole bit. I thought that was pretty beautiful, man. I can't wait to use that. So holler at me if you guys want that, because I thought that was fucking sweet.

Okay, so killing the HIPS as SYSTEM with Metasploit. Now they've got something called getsystem. Fucking rocks. So you can just, right in Metasploit, say getsystem, and it'll pop you straight to SYSTEM using one of the four methods: named pipe, token duplication, or KiTrap0D. Okay, and then the last thing that for me has just been the best is owning the domain. So as soon as I can get to the admin's box, then I'll use that token stealing and just try to take his creds. So impersonate the domain admin, and then you'll see me create a user and add them to the Domain Admins group. So for me that's been working great.

Okay, defense. All right, so everything I talked about today, I've got these, like, one-page or two-page walkthroughs of how to do the attack and how to defend against it. So if you guys want that, just holler at me, I'll give you that. A lot of customers have been asking me for a lot of that kind of stuff.
Just let me know. It's too easy. I'll hook you up with that. And then if you want to get in touch with me, holler at me. Okay, that's all I got. Anybody have any questions?
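The load balancer and WAF fingerprinting the talk walks through by hand (watching the Server header change between two identical requests in Live HTTP Headers, the cmd.exe request that older mod_security answers with a 501 instead of a 404, WebKnight's 999 "No Hacking" response, and comparing joe.exe, nc.exe and an XSS string against the real 200/404 behaviour) can be scripted over captured responses. The following is an added example written for this page; it is not code from the talk, from wafw00f, lbd or halberd. The HTTP responses are constructed in-line so it runs offline, and the ARRAffinity and AWSALB cookie names are an assumption added here (only the F5 BIG-IP cookie comes from the talk's mention of BIG-IP).

```python
from typing import Any, Dict, List, Optional

# A captured response is {"status": int, "headers": {name: value}, "body": str}.
Response = Dict[str, Any]

# Persistence cookies that give a balancer away. BIGipServer is F5 BIG-IP (named in the
# talk); ARRAffinity and AWSALB are added here as an assumption for illustration.
BALANCER_COOKIE_PREFIXES = ("BIGipServer", "ARRAffinity", "AWSALB")


def detect_load_balancing(responses: List[Response]) -> Dict[str, Any]:
    """Compare several responses to the SAME request (the Live HTTP Headers trick).
    If the Server header changes between replies, or a balancer persistence cookie
    shows up, more than one backend is answering and your packets are being spread."""
    servers = {r["headers"].get("Server") for r in responses} - {None}
    cookie_name: Optional[str] = None
    for r in responses:
        cookie = r["headers"].get("Set-Cookie", "")
        if cookie.startswith(BALANCER_COOKIE_PREFIXES):
            cookie_name = cookie.split("=", 1)[0]
            break
    return {
        "server_header_varies": len(servers) > 1,
        "servers_seen": sorted(servers),
        "balancer_cookie": cookie_name,
        "likely_load_balanced": len(servers) > 1 or cookie_name is not None,
    }


def fingerprint_waf(baseline: Response, missing_file: Response,
                    probes: Dict[str, Response]) -> List[str]:
    """baseline: a normal page (expect 200). missing_file: a file that does not exist
    (expect the server's real 404 page). probes: attack-looking requests keyed by a
    label (cmd.exe, nc.exe, an XSS string, ...). Anything that answers differently from
    the real 200/404 behaviour is a filtering device sitting in front of the app."""
    findings: List[str] = []
    for label, resp in probes.items():
        status, body = resp["status"], str(resp["body"]).lower()
        if status == 999 or "no hacking" in body:
            findings.append(f"{label}: AQTRONIX WebKnight (999 'No Hacking' response)")
        elif label == "cmd.exe" and status == 501:
            findings.append(f"{label}: Apache mod_security, older versions (501 instead of 404)")
        elif status not in (baseline["status"], missing_file["status"]):
            findings.append(f"{label}: unknown filter (status {status}, expected "
                            f"{baseline['status']} or {missing_file['status']})")
        elif status == missing_file["status"] and resp["body"] != missing_file["body"]:
            findings.append(f"{label}: unknown filter (404 page differs from the real one)")
    return findings


# Constructed captures, not real traffic: two replies to the same GET / ...
SAME_REQUEST_TWICE: List[Response] = [
    {"status": 200, "headers": {"Server": "Microsoft-IIS/5.0"}, "body": "<html>ok</html>"},
    {"status": 200, "headers": {"Server": "Microsoft-IIS/6.0",
                                "Set-Cookie": "BIGipServerweb_pool=1677787402.20480.0000; path=/"},
     "body": "<html>ok</html>"},
]
# ... and a baseline, the real 404, and a set of probes against an Apache host.
NORMAL_PAGE: Response = {"status": 200, "headers": {"Server": "Apache"}, "body": "<html>welcome</html>"}
REAL_404: Response = {"status": 404, "headers": {"Server": "Apache"}, "body": "<h1>Not Found</h1>"}
PROBES: Dict[str, Response] = {
    "cmd.exe": {"status": 501, "headers": {"Server": "Apache"}, "body": "Method Not Implemented"},
    "nc.exe": {"status": 404, "headers": {"Server": "Apache"}, "body": "<h1>Not Found</h1>"},
    "xss": {"status": 403, "headers": {"Server": "Apache"}, "body": "Forbidden"},
    "traversal": {"status": 404, "headers": {"Server": "Apache"}, "body": "Request blocked"},
}
WEBKNIGHT: Response = {"status": 999, "headers": {"Server": "Microsoft-IIS/6.0"}, "body": "No Hacking"}

if __name__ == "__main__":
    print(detect_load_balancing(SAME_REQUEST_TWICE))
    for line in fingerprint_waf(NORMAL_PAGE, REAL_404, PROBES):
        print(line)
    print(fingerprint_waf(NORMAL_PAGE, REAL_404, {"cmd.exe": WEBKNIGHT}))
```

The nc.exe probe produces no finding because it looks exactly like the real 404, which is the point of collecting a baseline first: a "blocked" page that comes back with a 404 status still stands out once you compare bodies rather than status codes alone.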
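The "encoding game" and the IDS rule discussion above (a rule that only looks for tick-or-1=1, a WAF that blocks the literal word SELECT, payloads that walk past both once they are hex or Unicode encoded, and tautologies like 2=2 that never say 1=1) are clearest side by side with the check a defender actually needs: decode to a canonical form before matching. This is an added example for this page, not the talk's code and not sqlmap's or Unicode-fun's; the signature list, the normalize() routine and the sample requests are constructed here as assumptions for illustration.

```python
import re
import urllib.parse
from typing import Dict, Tuple

# Constructed signature list: what a naive "block the word SELECT / block ' or 1=1"
# IDS or WAF rule amounts to (an assumption for illustration, not a real rule set).
NAIVE_SIGNATURES = ("' or 1=1", "union select", "select ")


def naive_match(request: str) -> bool:
    """Signature-only matching on the raw request, the behaviour the talk describes."""
    low = request.lower()
    return any(sig in low for sig in NAIVE_SIGNATURES)


# --- the attacker's encoding game -------------------------------------------
def url_encode_all(payload: str) -> str:
    """Percent-encode every character, not just the reserved ones."""
    return "".join(f"%{ord(c):02X}" for c in payload)


def double_encode(payload: str) -> str:
    """Encode the percent signs again (%27 becomes %2527); one decode pass is not enough."""
    return urllib.parse.quote(url_encode_all(payload), safe="")


def iis_unicode_encode(payload: str) -> str:
    """IIS-style %uXXXX encoding, the 'encode it in Unicode' bypass from the talk."""
    return "".join(f"%u{ord(c):04X}" for c in payload)


def mssql_hex_literal(text: str) -> str:
    """MSSQL varbinary literal (0x61646d696e is 'admin'): a string with no quote character."""
    return "0x" + text.encode().hex()


# --- the defender's side: normalize first, then match ------------------------
def normalize(request: str, max_rounds: int = 3) -> str:
    """Repeatedly decode %uXXXX and percent-encoding (bounded, so double encoding is
    unwrapped but a decode loop cannot run forever), expand 0x.. literals back into
    quoted strings, collapse whitespace, lower-case. Match on THIS, not the raw bytes."""
    s = request
    for _ in range(max_rounds):
        prev = s
        s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
        s = urllib.parse.unquote_plus(s)
        if s == prev:
            break
    s = re.sub(r"0x((?:[0-9a-fA-F]{2})+)",
               lambda m: "'" + bytes.fromhex(m.group(1)).decode("latin-1") + "'", s)
    return re.sub(r"\s+", " ", s).lower()


# 'or X=X' for any number or quoted string, so 2=2 and 40=40 are caught, not only 1=1.
TAUTOLOGY = re.compile(r"\bor\s+(\d+|'[^']*')\s*=\s*\1(?!\w)")


def hardened_match(request: str) -> bool:
    canon = normalize(request)
    return naive_match(canon) or TAUTOLOGY.search(canon) is not None


# Constructed sample requests (not captured traffic).
PLAIN = "id=1' or 1=1--"
ENCODED = "id=" + url_encode_all("1' or 1=1--")
DOUBLE = "id=" + double_encode("1' or 1=1--")
UNICODE = "id=" + iis_unicode_encode("1' or 1=1--")
TAUTOLOGY_2 = "id=1 or 2=2"
HEX_STRING = "id=1 union select pw from users where name=" + mssql_hex_literal("admin")


def evasion_report() -> Dict[str, Tuple[bool, bool]]:
    """(naive, hardened) verdict per sample: naive catches only the plain one."""
    samples = {"plain": PLAIN, "url": ENCODED, "double": DOUBLE,
               "unicode": UNICODE, "tautology": TAUTOLOGY_2}
    return {name: (naive_match(r), hardened_match(r)) for name, r in samples.items()}


if __name__ == "__main__":
    for name, (naive, hardened) in evasion_report().items():
        print(f"{name:10s} naive={naive!s:5s} hardened={hardened}")
    print(normalize(HEX_STRING))
```

The caveat a practitioner will recognise: the normalizer only helps when it decodes the way the backend does. A WAF that unwraps two layers of percent-encoding in front of an application that unwraps one (or the reverse) still has a gap, which is exactly what mixing encodings probes for.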