We have implemented a tool that performs these steps to create a man-in-the-middle that prints the data passing through the pipes. As you can see in the following demonstration video, among other things we are able to see clipboard data. These can be images, files or text that might contain personal data or sensitive data such as passwords, which is often the case in RDP sessions.
Ever wondered if your new shiny AES hardware-encrypted USB device really encrypts your data - or is just a fluke? If you have, come to our talk to find out if those products live up to the hype and hear about the results of the audit we conducted on multiple USB keys and hard drives that claim to securely encrypt data. In this talk, we will present our methodology to assess "secure" USB devices from both the software and the hardware perspectives. We will demonstrate how this methodology works in practice via a set of case studies. We will demonstrate some of the practical attacks we found during our audit so you will learn what types of vulnerabilities to look for and how to exploit them. Armed with this knowledge and our tools, you will be able to evaluate the security of the USB device of your choice.
How often does someone find your secret bugs? The Vulnerability Equities Process (VEP) helps determine if a software vulnerability known to the U.S. government will be disclosed or kept secret. A key part of that calculation is the likelihood that some other party may have found the same vulnerability. Yet, for years there has been little to no good analysis to say how often two parties independently discover the same vulnerability. Suddenly in 2017, two studies which addressed this question were released within days of each other with different findings. Join us for a discussion with the lead authors and several luminaries in the security space as we pick apart the key findings from these reports and their implications for the policy community.
Modern websites are browsed through a lens of transparent systems built to enhance performance, extract analytics and supply numerous additional services. This almost invisible attack surface has been largely overlooked for years. In this presentation, I'll show how to use malformed requests and esoteric headers to coax these systems into revealing themselves and opening gateways into our victim's networks. I'll share how, by combining these techniques with a little Bash, I was able to thoroughly perforate DoD networks, trivially earn over $30k in vulnerability bounties, and accidentally exploit my own ISP. While deconstructing the damage, I'll also showcase several hidden systems it unveiled, including not only covert request interception by the UK's largest ISP, but a substantially more suspicious Colombian ISP, a confused Tor backend, and a system that enabled reflected XSS to be escalated into SSRF. You'll also learn strategies to unblinker blind SSRF using exploit chains and caching mechanisms. Finally, to further drag these systems out into the light, I'll release Collaborator Everywhere - an open source Burp Suite extension which augments your web traffic with a selection of the best techniques to harvest leads from cooperative websites.
Every year thousands of organizations are compromised by targeted attacks. In many cases the attacks are labeled as advanced and persistent, which suggests a high level of sophistication in the attack and the tools used. Many times, this title is leveraged as an excuse that the events were inevitable or irresistible, as if the assailants' skill set is well beyond what defenders are capable of. To the contrary, often these assailants are not as untouchable as many would believe. If one looks at the many APT reports that have been released over the years, some clear patterns start to emerge. A small number of Remote Administration Tools (RATs) are preferred by actors and reused across multiple campaigns. Frequently cited tools include Gh0st RAT, Korplug/Plug-X, and XtremeRAT, among others. Upon examination, the command and control components of these notorious RATs are riddled with vulnerabilities, vulnerabilities that can be exploited to turn the tables from hunter to hunted. Although the material in this talk will provide tools for launching an offensive against attackers, this talk is not intended to be an instructional for hacking back. The ethics and legality of counter attacks will be touched on only briefly, as that is a discussion beyond the scope of this talk. The presentation will disclose several exploits that could allow remote execution or remote information disclosure on computers running these well-known C&C components. It should serve as a warning to those actors who utilize such toolsets. That is to say, such actors live in glass houses and should stop throwing stones.
Enterprises often require that their IT teams have no access to data kept inside the machines they administer, a separation that is crucial for compliance, privacy and defense in depth. To this end, industries use VMware's rich security model to separate the infrastructure domain from the guest machine domain. For example, most companies allow their IT teams to create, modify, back up and delete guest machines, but deny them guest machine operation functions such as file manipulation and console interaction. The VMware VIX API allows users with the required vSphere permissions to automate guest operations functions across VMware platform products. Using VIX to interact with a virtual machine requires the administrator to go through two distinct security domains: 1) the vSphere host; 2) the guest operating system. With this two-step authentication, even high vSphere permissions wouldn't necessarily allow interaction with guest machines. VIX contains an undocumented functionality that breaks this security model, enabling a malicious user to bypass the guest domain authentication. To leverage this functionality an attacker would have to be able to modify the guest machine configuration in a way that will allow sending arbitrary commands to the guest machines and running them with root permissions. This method can be executed remotely, using an easy-to-use, well-documented API, unlike other host-to-guest techniques which require highly privileged access to the host. In this session, we will provide real-world examples of VMware networks that are exposed to this security design flaw. We will demonstrate the ease with which an attacker can move from configuring a virtual machine to running commands with root permissions inside the guest machine. We will also showcase a tool that will allow you to test which users are capable of taking over guest machines.