Texas Cyber Summit II

With how many apps are running in the cloud, hacking these instances becomes easier with a simple vulnerability due to an unsanitized user input. In this talk, we’ll discuss a number of different methods that helped us exfil data from different applications using Server-Side Request Forgery (SSRF). Using these methods, we were able to hack some of the major transportation, hospitality, and social media companies and make $50,000 in rewards in 3 months.

• What is Server-Side Request Forgery (SSRF)?
• What can you do with it?
• How do you prevent it?
• SSRF via URI Schemes
• JIRA CVE SSRF (CVE-2017-9506)
• Jenkins SSRF (CVE-2018-1000600)
• SSRF via Javascript (XSS)
• SSRF via Styling
• SSRF using <link rel="attachment"> (PDF Gen ‘0day’)
• SSRF via DNS Rebinding
• Bonus: RCE via ERB Template Injection
• SSRFTest (Tool)

This talk is focused on red teaming techniques and tools against MacOS hosts in enterprise environments. Below is the outline of topics that will be discussed:

-Intro
-Agenda
-A Look at MacOS Enterprise Deployments (Common technologies, Remote management, Local admin rights, Misconfigurations)
-Phishing techniques (Payload types, Credential harvesting techniques)
-Gatekeeper (What is it?, How does it work?, Ways around it/limitations)
-Post Exploitation Methods and Examples
-Common patterns/detection techniques (Parent-child processes, Command line arguments, Network connections)
-Migrating to API Calls (How?, Why This is Harder to Detect, Examples)
-Defensive Recommendations (Host-based, Network-based)
-Q&A

PErfidious is a Python3 tool that aims to directly take a benign PE executable and malicious shellcode as input. Next, it transforms the shellcode into individual pieces of independent code that can be connected via jumps and calls and then converts the transformed code back into individual collection of bytes. These collections are then injected into appropriate locations in the .text section of the PE file. After injection, PErfidious performs all the recalculations required to incorporate the changes in the .text section. This makes sure that all the regular traces of code injection are gotten rid of. The only way for the endpoint detection system to verify that the program was injected is to calculate or read the hash/checksum of the PE file and compare it with the has/checksum provided by the original author of the benign application that was injected by us.
Apart from being a tool, PErfidious is also a Python3 library that can be used for inspecting, dissecting and injecting PE files. It extracts every data structure inside a PE file and convert it into an editable class file with appropriately nested subclasses(it even outputs the entire structure in XML so that a user can develop web applications around it). It aims at being a modern and extensible replacement for pefile package and the go-to library for working with anything related to PE32/PE32+/DLL type files.