Systems Applications Proxy Pwnage!
|
|
- Owen Benson
- 5 years ago
- Views:
Transcription
1 Systems Applications Proxy Pwnage!
2 about: us! Ian de Villiers!
3 What weʼre going to talk about! Why this Talk?! The history of decompressing SAP DIAG! Understanding the fundamentals! New Attacks! Conclusion!
4 Why this Talk?! SAP systems carry business critical data! Root is nice, but itʼs all about the data! Any numbers of attacks against SAP systems! This talk is not about them! Fundamental security shortcoming in the SAP GUI (DIAG) protocol! Unencrypted. By Default! Compressed! This is old news!
5 #include <Disclaimer.h>! SAP is a behemoth! Very little documentation out there! service.sap.com require user accounts! Documentation for DIAG protocol requires NDA (apparently)! Custom toolsets require development! SAP Basis version used is reasonably outdated..! Fine for protocol analysis! Some attack scenarios may not be applicable!
6 #include <Disclaimer.h>! SensePost Assessments! Covered a lot of ground! but virtually impossible to do a complete job on something as complex! Research has been on an as-time-allows approach between projects! Releasing tools and research as-is! Letʼs see some SAP 0-day in the next couple of months! Lack of documentation means analysis is probably not spot-on!
7 #include <Disclaimer.h>! Planned to present with SAP on second laptop! Some technical issues yesterday! Running SAP in a VM! Laptop is a dog in terms of speed at the moment!
8 What weʼre going to talk about! Why this Talk?! The history of decompressing SAP DIAG! Understanding the fundamentals! New Attacks! Conclusion!
9 The History! Sniffing SAP GUI Passwords! Andreas Baus && René Ledosquet from Securon! Published 6 th July, 2009! Dealt with playing back captured packets to SAP GUI! Decompressed data obtained from SAP GUI memory with debugger!
10 But wait Thereʼs more!
11 The History! Dennis Yurichev! Published 2 nd June, 2010! Discovered that similar compression method was employed in MaxDB! Open Source MaxDB code available! Wrote utility for decompressing SAP traffic! Required manual reassembly of data segments over multiple packets!
12 The History! Dennisʼ research required:! Identification of SAP compressed packets by magic! packet.data[17]! packet.data[18]! Stringing together of subsequent packets without magic at 17 and 18! Once complete message had been assembled, we could decompress the data! (Decompression wonʼt work until we have the complete stream)!
13 SAPDecompress In Pictures!
14 SAPDecompress In Pictures!
15 SAPDecompress In Pictures! 1f 9d == SAP Compressed Message Magic At packet.data[17] and packet.data[18]
16 SAPDecompress In Pictures!
17 SAPDecompress In Pictures!
18 SAPDecompress In Pictures!
19 SAPDecompress In Pictures!
20 SAPDecompress In Pictures!
21 SAPDecompress In Pictures! Compressed Message SAPDecompress.exe Decompressed Message
22 SAPDecompress In Pictures! Compressed Message SAPDecompress.exe Decompressed Message
23 The History! Dennis Yurichevʼs work is *awesome*! My work is based very much on his discovery!
24 What weʼre going to talk about! Why this Talk?! The history of decompressing SAP DIAG! Understanding the fundamentals! New Attacks! Conclusion!
25 The Fundamentals! Understand the compression! Understand the compressed protocol! Simplify the sniffing and decompression! Recompression! Understand the application protocol! What makes SAP GUI tick?! Identify SAP attack vectors not previously considered!
26 The Compression Algorithm! Variants of Lempel-Ziv! LZC! LZH! SAP Supports both (tried and tested)!
27 The Compression Algorithm! Variant of Lempel-Ziv! LZC! LZH! SAP Supports both (tried and tested)! Makes one believe that SAP and MaxDB share same compression code-base!.compression.decompression ==.Compression.Decompression
28 The Compression Algorithm! Variant of Lempel-Ziv! LZC! LZH! SAP Supports both (tried and tested)! Makes one believe that SAP and MaxDB share same compression code-base! Version used per message is determined by the Compression Header! This is described in a minute!
29 The Fundamentals! Understand the compression! Understand the compressed protocol! Simplify the sniffing and decompression! Recompression! Understand the application protocol! What makes SAP GUI tick?! Identify SAP attack vectors not previously considered!
30 The Core, Compressed Protocol! Easy to parse!
31 The Core, Compressed Protocol! Easy to parse! In the absence of documentation, Iʼve had to make my own names!
32 The Core, Compressed Protocol! Easy to parse! In the absence of documentation, Iʼve had to make my own names! SAP Header! Compression Header! Compressed Data!
33 The Core, Compressed Protocol! Easy to parse! Consist of:! SAP Header! Compression Header! Compressed Data! SAP Header
34 The Core, Compressed Protocol! Easy to parse! Consist of:! SAP Header! Compression Header! Compressed Data! SAP Header Compression Header
35 The Core, Compressed Protocol! Easy to parse! Consist of:! SAP Header! Compression Header! Compressed Data! SAP Header Compression Header Compressed Data
36 The SAP Header! Bytes [0] [11]!
37 The SAP Header! Bytes [0] [11]! Bytes [0] Bytes [3]! Len(Sheader) + Len(Cheader) + Len(Cdata) - 4!
38 The SAP Header! Bytes [0] [11]! Bytes [0] Bytes [3]! Len(Sheader) + Len(Cheader) + Len(Cdata) 4! 0x == bytes 4 bytes == 312 bytes
39 The SAP Header! Bytes [0] [11]! Bytes [0] Bytes [3]! Len(Sheader) + Len(Cheader) + Len(Cdata) 4! 0x == bytes 4 bytes == 312 bytes Bytes [4] Bytes [11]! Unknown (Tampering makes *no* difference)!
40 The Compression Header! Bytes [12] [19]!
41 The Compression Header! Bytes [12] [19]! Bytes [12] Bytes [15]! Length of decompressed stream! Little-Endian!
42 The Compression Header! Bytes [12] [19]! Bytes [12] Bytes [15]! Length of decompressed stream! Little-Endian! 0x00001af == 431
43 The Compression Header! Bytes [12] [19]! Bytes [12] Bytes [15]! Length of decompressed stream! Little-Endian! 0x00001af == 431
44 The Compression Header! Bytes [12] [19]! Bytes [16]! Version of compression (LZH / LZC)! LZC == byte & 0x0f = 0x00! LZH == byte & 0x0f = 0x02!
45 The Compression Header! Bytes [12] [19]! Bytes [16]! Version of compression (LZH / LZC)! LZC == byte & 0x0f = 0x00! MZH == byte & 0x0f = 0x02!
46 The Compression Header! Bytes [12] [19]! Bytes [17] Bytes [18]! Compression Magic! Always 1f 9d!
47 The Compression Header! Bytes [12] [19]! Bytes [19]! MaxBits!
48 Compressed Data! Bytes [20] [N]! The compressed stream!
49 As an Aside! Bytes [12] Bytes [15]! Length of decompressed stream! Little-Endian! 0x00001af == 431 Field is user-controlled, but programmatic type is SAP_INT! Signed integer! What if the original length was 0xffffff?! (thanks Behrang Fouladi)!
50 As an Aside! Bytes [12] Bytes [15]! Length of decompressed stream! Little-Endian! 0x00001af == 431 User input is user-controlled, but programmatic type is SAP_INT! What if the original length was 0xffffff?!
51 As an Aside! Bytes [12] Bytes [15]! Length of decompressed stream! Little-Endian! 0x00001af == 431 User input is user-controlled, but programmatic type is SAP_INT! What if the original length was 0xffffff?!
52 As an Aside! Bytes [12] Bytes [15]! Length of decompressed stream! Little-Endian! 0x00001af == 431 User input is user-controlled, but programmatic type is SAP_INT! What if the original length was 0xffffff?!
53 Sniffing SAP Traffic! SAP traffic does not lend itself very well to WireShark dissectors! Answer was to write a custom protocol analysis tool in Java! Used 3 rd Party pcap JNI interface! Allows us to use standard pcap filters / dump files! Use custom built JNI interface built from MaxDB code!
54 SApCap!
55 SApCap! Jpcap! JNI interface for pcap! Responsible for reading packets! pcap dump files! Sniffing! Filtering packets using standard pcap filters! Saving information as pcap dump files!
56 SApCap! SApCap! Java! Responsible for:! Parsing packet data! Decompressing messages! Queue management!
57 SApCap! SapCompress! JNI interface! Implements MaxDB functions for decompression! int[] dodecompress(int[])!
58 Demo: SApCap!
59 The Fundamentals! Understand the compression! Understand the compressed protocol! Simplify the sniffing and decompression! Recompression! Understand the application protocol! What makes SAP GUI tick?! Identify SAP attack vectors not previously considered!
60 Recompression?! Core decompression functions are defined in vpa105csobjint.cpp! CsDecompr()!
61 Recompression?! But vpa105csobjint.cpp also contains function for what would appear to be compression! CsCompr()!
62 Recompression?! We modify our JNI library to make use of MaxDB code! docompress()! dodecompress()!
63 Recompression?! We now have programmatic interface to:! Decompress SAP traffic! dodecompress()! Useful for interception and sniffing! Compress SAP traffic! docompress()! Useful for MiTM attacks! Useful for assessment of SAP Gui Applications!
64 The Fundamentals! Understand the compression! Understand the compressed protocol! Simplify the sniffing and decompression! Recompression! Understand the application protocol! What makes SAP GUI tick?! Identify SAP attack vectors not previously considered!
65 The Application Protocol! Multiplexed! Single connection per-user per-location perhost!
66 The Application Protocol! Multiplexed! Single connection per-user per-location perhost! Initial hand-shake is uncompressed!
67 The Application Protocol! Multiplexed! Single connection per-user per-location perhost! Initial hand-shake is uncompressed! Server response is compressed!
68 The Application Protocol! Multiplexed! Single connection per-user per-location perhost! Initial hand-shake is uncompressed! Server response is compressed! Uncompressed component is static! Terminal name! Options change depending on capabilities of SAP GUI (support bits)!
69 The Application Protocol! Multiplexed! Single connection per-user per-location perhost! Initial hand-shake is uncompressed! Server response is compressed! Hand shake is static (apart from terminal name )!
70 Message Types! Two basic Types of Messages! Simple Messages! Complex Messages! Message structures differ in terms of direction! GUI -> Server! Server -> GUI!
71 Simple Messages : GUI -> SAP! Header! OK Code! Character Encoding! GUI Version! Data! Input values! XML Stream defining screen metrics!
72 Simple Messages : GUI -> SAP! Header! OK Code! Character Encoding! GUI Version! Data! Input values! XML Stream defining screen metrics!
73 Simple Messages : SAP -> GUI! Header! Data! TH!
74 Simple Messages : SAP -> GUI! Header! Encoding!
75 Simple Messages : SAP -> GUI! Header! Encoding! Transaction ID!
76 Simple Messages : SAP -> GUI! Header! Encoding! Transaction ID! System & Hostname!
77 Simple Messages : SAP -> GUI! Header! Encoding! Transaction ID! System Name! Host name! Theme!
78 Simple Messages : SAP -> GUI! Data! SAP Program Context & SAP Screen!
79 Simple Messages : SAP -> GUI! Data! SAP Program Context & SAP Screen! Menus & Keyboard Accelerators!
80 Simple Messages : SAP -> GUI! Data! SAP Program Context & SAP Screen! Menus & Keyboard Accelerators! Input dialogs!
81 Simple Messages : SAP -> GUI! Data! SAP Program Context & SAP Screen! Menus & Keyboard Accelerators! Input dialogs! Screen Data!
82 Simple Messages : SAP -> GUI! TH! System Name! Transaction! Transaction ID!
83 Dialogs! All input fields accept strings! No client-side validation! Data is validated on the server! Input field lengths can be manipulated!
84 Dialogs! All input fields accept strings! No client-side validation! Data is validated on the server! Input field lengths can be manipulated!
85 Dialogs! All input fields accept strings! No client-side validation! Data is validated on the server! Input field lengths can be manipulated!
86 Dialogs! All input fields accept strings! No client-side validation! Data is validated on the server! Input field lengths can be manipulated!
87 Dialogs! All input fields accept strings! No client-side validation! Data is validated on the server! Input field lengths can be manipulated!
88 Dialogs! Length of submitted strings can be adjusted in a similar fashion!
89 Dialogs! Length of submitted strings can be adjusted in a similar fashion!
90 Complex Messages! Contain the same structures as simple messages!
91 Complex Messages! Contain the same structures as simple messages! But include XML structure:! <SVARS>!
92 Complex Messages! Contain the same structures as simple messages! But include XML structure:! <SVARS>!
93 Complex Messages! Contain the same structures as simple messages! But include XML structure:! <SVARS>! Include compressed streams:! PARAMS!
94 Complex Messages! Contain the same structures as simple messages! But include XML structure:! <SVARS>! Include compressed streams:! PARAMS!
95 Complex Messages! Contain the same structures as simple messages! But include XML structure:! <SVARS>! Include compressed streams:! PARAMS! RFC_QUEUE!
96 Complex Messages! Contain the same structures as simple messages! But include XML structure:! <SVARS>! Include compressed streams:! PARAMS! RFC_QUEUE!
97 Complex Messages! Contain the same structures as simple messages! But include XML structure:! <SVARS>! Include compressed streams:! PARAMS! RFC_QUEUE! VERBS!
98 Complex Messages! Contain the same structures as simple messages! But include XML structure:! <SVARS>! Include compressed streams:! PARAMS! RFC_QUEUE! VERBS!
99 Complex Messages! Contain the same structures as simple messages! But include XML structure:! <SVARS>! Include compressed streams:! PARAMS! RFC_QUEUE! VERBS! VARS!
100 Complex Messages! Contain the same structures as simple messages! But include XML structure:! <SVARS>! Include compressed streams:! PARAMS! RFC_QUEUE! VERBS! VARS!
101 PARAMS, VARS and VERBS! Work in conjunction! Define actions to be performed on / by objects on the GUI / Server! Lists of indexed data are decompressed and parsed by ABAP to various fixedlength data structures!
102 PARAMS, VARS and VERBS! Decompressed, they look as follows:! PARAMS:!
103 PARAMS, VARS and VERBS! Decompressed, they look as follows:! PARAMS:! VERBS:!
104 PARAMS, VARS and VERBS! Decompressed, they look as follows:! PARAMS:! VERBS:! VARS:!
105 PARAMS, VARS and VERBS! Parsed by ABAP into structured variables! CASE ABAP PARAM-TYP.! WHEN ʻSʼ:! Set Value Of! WHEN ʻGʼ:! Get Value Of! WHEN ʻCʼ:! Call Method Of! Thoughts of eval() spring to mind!
106 PARAMS, VARS and VERBS! Graphic example:!
107 PARAMS, VARS and VERBS! Graphic example:!
108 PARAMS, VARS and VERBS! Graphic example:!
109 PARAMS, VARS and VERBS! Graphic example:!
110 PARAMS, VARS and VERBS! Details on these structures can be found in ABAP code! Refer to ABAP Structures && where used:! OLE_PA! OLE_VERBS! SWCBCONT!
111 RFC_QUEUE! Contains META and internal table data in use by the current application / screen! Only ever seems to appear in SAP responses! This assumption may be incorrect!
112 RFC_QUEUE! Contains META and internal table data in use by the current application / screen! Only ever seems to appear in SAP responses! This assumption may be incorrect!
113 The Fundamentals! Understand the compression! Understand the compressed protocol! Simplify the sniffing and decompression! Recompression! Understand the application protocol! What makes SAP Gui tick?! Identify SAP attack vectors not previously considered!
114 SAPProx!
115 SAPProx! SapCompress! JNI interface! Implements MaxDB functions for decompression && compression! int[] dodecompress(int[])! Int[] docompress(int[])!
116 SAPProx! SAPProx! Java! Responsible for:! Parsing packet data! Decompressing messages! Interception! Compressing modified messages! Queue management!
117 Demo: SAPProx!
118 Attack API! Users can write their own exploits! In a scripting language of their choice! Jython! Groovy! Jruby! *! Script locations specified in configuration! Allow for canned exploits! (thanks Willem Mouton)!
119 Demo: Attacks / Scripting!
120 What weʼre going to talk about! Why this Talk?! The history of decompressing SAP DIAG! Understanding the fundamentals! New Attacks! Conclusion!
121 New (Old) Attacks?! We now have a proxy for SAP GUI! WebScarab for SAP! For what I believe is the first time, we get an unprecedented view into SAP GUI applications! and we know where that left us with web applications!
122 New (Old) Attacks?! Authorisation! Authentication!
123 Demo: Auth*!
124 New (Old) Attacks?! Authorisation! Authentication! State Management! Business Logic!
125 Demo: State & Business Logic!
126 New (Old) Attacks?! Authorisation! Authentication! State Management! Business Logic! Validation!
127 Demo: Validation!
128 New (Old) Attacks?! Authorisation! Authentication! State Management! Business Logic! Validation! Replay!
129 Demo: Replay!
130 New (Old) Attacks?! Authorisation! Authentication! State Management! Business Logic! Validation! Replay! Client-Side attacks!
131 Client-Side Attacks! Many business cases require the execution of applications on the client.! Provided for by ABAP! Deprecated: GUI_RUN or WS_EXECUTE! Current: cl_gui_frontend_services! Newer clients still support old methods! Backwards compatibility! Do prompt when applications execute! (thanks Steve Lord)!
132 Client-Side Attacks! WS_EXECUTE / GUI_RUN!
133 Client-Side Attacks! WS_EXECUTE / GUI_RUN!
134 Demo: Client-Side Attacks!
135 Client-Side Attacks! cl_gui_frontend_services! Makes use of OLE!
136 Client-Side Attacks! cl_gui_frontend_services! Makes use of OLE!
137 Client-Side Attacks! SAP GUI provides number of COM libraries with potentially exploitable functions! Saved by the fact that the controls are not marked Safe for Scripting!
138 Client-Side Attacks! SAP GUI provides number of COM libraries with potentially exploitable functions! Saved by the fact that the controls are not marked Safe for Scripting!
139 Client-Side Attacks! SAP GUI provides number of COM libraries with potentially exploitable functions! Saved by the fact that the controls are not marked Safe for Scripting! With SAPProxy we can potentially instantiate diverse COM objects!
140 New (Old) Attacks?! Authorisation! Authentication! State Management! Business Logic! Validation! Replay! Client-Side attacks! DoS!
141 Demo: DoS!
142 New (Old) Attacks?! Authorisation! Authentication! State Management! Business Logic! Validation! Replay! Client-Side attacks! DoS! *!
143 What weʼre going to talk about! Why this Talk?! The history of decompressing SAP DIAG! Understanding the fundamentals! New Attacks! Conclusion!
144 Conclusion! A couple of factors have been common security knowledge for years! Plain-text communication == #fail! Security by obscurity == #fail! We now have a toolset and programmatic interface into SAP DIAG protocol! Game Changer! Change the way we look at ABAP! Happy Haxoring!
145 Conclusion! SAP provides encryption for client components in the form of Secure Network Communications! Provided by 3 rd Parties! Provided by SAP! SAP Clients should ensure the use of SNC is enabled and enforced!
146 Questions?!
Uncovering SAP vulnerabilities: Reversing and breaking the Diag protocol
Uncovering SAP vulnerabilities: Reversing and breaking the Diag protocol Martin Gallo Core Security Defcon 20 July 2012 P A G E Agenda Introduction Motivation and related work SAP Netweaver architecture
More informationIntercepting SNC-protected traffic
Intercepting SNC-protected traffic Martin Gallo Penetration Testing SME March 2017 Agenda Introduction Problem SAP Protocols SAP SNC (Secure Network Connections) Attack vectors Vulnerable scenarios Demo
More informationTextbook Charles Petzold, Programming Windows, 5th edition, Microsoft Press. References - other textbooks or materials none
CS351 Systems Programming Last Updated - 03/01/02 Course Manager Dr. Phil Dickens, Assistant Professor 3 credit hours; required for CS & CPE; 100 min. lecture & 100 min. lab each week Current Catalog Description
More informationWhen the Lights go out. Hacking Cisco EnergyWise. Version: 1.0. Date: 7/1/14. Classification: Ayhan Koca, Matthias Luft
When the Lights go out Hacking Cisco EnergyWise Version: 1.0 Date: 7/1/14 Classification: Author(s): Public Ayhan Koca, Matthias Luft TABLE OF CONTENT 1 HANDLING... 5 1.1 DOCUMENT STATUS AND OWNER... 5
More informationFuzzing proprietary SCADA protocols
Fuzzing proprietary SCADA protocols Sergey Bratus Black Hat 2008 INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Cyber Security and Trust Research & Development http:// Fuzzing SCADA Ganesh Devarajan (TippingPoint)
More informationForeword by Katie Moussouris... Acknowledgments... xvii. Introduction...xix. Chapter 1: The Basics of Networking... 1
Brief Contents Foreword by Katie Moussouris.... xv Acknowledgments... xvii Introduction...xix Chapter 1: The Basics of Networking... 1 Chapter 2: Capturing Application Traffic... 11 Chapter 3: Network
More informationMoving Targets: Assessing the Security of Mobile Devices. March 3 rd, 2016 Kevin Johnson, CEO Secure Ideas
Moving Targets: Assessing the Security of Mobile Devices March 3 rd, 2016 Kevin Johnson, CEO Secure Ideas Conflict of Interest Kevin Johnson Has no real or apparent conflicts of interest to report. Kevin
More informationGPRS Intercept: Wardriving your country. Karsten Nohl, Luca Melette,
GPRS Intercept: Wardriving your country Karsten Nohl, nohl@srlabs.de Luca Melette, luca@srlabs.de Executive summary Do not send sensitive data over GPRS GPRS/EDGE networks provide the data backbone of
More informationPost exploit goodness on a Mainframe
Post exploit goodness on a Mainframe SPECIAL is the new root Ayoub ELAASSAL @ayoul3 Github.com/ayoul3 What I picture when talking about Mainframes What people picture when I talk about Mainframes In 2017
More informationFRACTAL COMPRESSION USAGE FOR I FRAMES IN MPEG4 I MPEG4
FRACTAL COMPRESSION USAGE FOR I FRAMES IN MPEG4 I MPEG4 Angel Radanov Kanchev FKTT, Technical University of Sofia, Todor Alexandrov bvd 14, 1303 Sofia, Bulgaria, phone: +3592 9306413, e-mail: angel_kanchev@mail.bg
More informationOperating systems and security - Overview
Operating systems and security - Overview Protection in Operating systems Protected objects Protecting memory, files User authentication, especially passwords Trusted operating systems, security kernels,
More informationOperating systems and security - Overview
Operating systems and security - Overview Protection in Operating systems Protected objects Protecting memory, files User authentication, especially passwords Trusted operating systems, security kernels,
More informationCOMP 2000 W 2012 Lab no. 3 Page 1 of 11
COMP 2000 W 2012 Lab no. 3 Page 1 of 11 Lab Introduction Background The Internet is based on packet-switched protocols. Information is carried in packets (it is divided into packets), which can be imagined
More informationConfiguring Vulnerability Assessment Devices
CHAPTER 10 Revised: November 10, 2007 Vulnerability assessment (VA) devices provide MARS with valuable information about many of the possible targets of attacks and threats. They provide information useful
More informationMan in the Middle Attacks and Secured Communications
FEBRUARY 2018 Abstract This document will discuss the interplay between Man in The Middle (MiTM/ MITM) attacks and the security technologies that are deployed to prevent them. The discussion will follow
More informationFuzzing the easy way, using Zulu
An NCC Group Publication Fuzzing the easy way, using Zulu Prepared by: Andy Davis Research Director andy.davis at nccgroup dot com Contents 1 Introduction... 3 2 Tutorial One: Zulu basics... 4 3 Tutorial
More informationCTF Workshop. Crim Synopsys, Inc. 1
CTF Workshop Crim2018 31.10.2018 2018 Synopsys, Inc. 1 CTF (Capture the Flag) Capture the Flag (CTF) is a computer security competition. CTF are usually designed test and teach computer security skills.
More informationCertified Secure Web Application Engineer
Certified Secure Web Application Engineer ACCREDITATIONS EXAM INFORMATION The Certified Secure Web Application Engineer exam is taken online through Mile2 s Assessment and Certification System ( MACS ),
More informationCIS 700/002 : Special Topics : OWASP ZED (ZAP)
CIS 700/002 : Special Topics : OWASP ZED (ZAP) Hitali Sheth CIS 700/002: Security of EMBS/CPS/IoT Department of Computer and Information Science School of Engineering and Applied Science University of
More informationApplication Security through a Hacker s Eyes James Walden Northern Kentucky University
Application Security through a Hacker s Eyes James Walden Northern Kentucky University waldenj@nku.edu Why Do Hackers Target Web Apps? Attack Surface A system s attack surface consists of all of the ways
More informationAuthenticatr. Two-factor authentication made simple for Windows network environments. Version 0.9 USER GUIDE
Authenticatr Two-factor authentication made simple for Windows network environments Version 0.9 USER GUIDE Authenticatr Page 1 Contents Contents... 2 Legal Stuff... 3 About Authenticatr... 4 Installation
More informationMQ Jumping... Or, move to the front of the queue, pass go and collect 200
MQ Jumping.... Or, move to the front of the queue, pass go and collect 200 Martyn Ruks DEFCON 15 2007-08-03 One Year Ago Last year I talked about IBM Networking attacks and said I was going to continue
More informationSecurity in a Mainframe Emulator. Chaining Security Vulnerabilities Until Disaster Strikes (twice) Author Tim Thurlings & Meiyer Goren
Security in a Mainframe Emulator Chaining Security Vulnerabilities Until Disaster Strikes (twice) Author Tim Thurlings & Meiyer Goren October 25, 2017 Table of Contents Introduction... 2 About this paper...
More informationWhen providing a native mobile app ruins the security of your existing web solution. CyberSec Conference /11/2015 Jérémy MATOS
When providing a native mobile app ruins the security of your existing web solution CyberSec Conference 2015 05/11/2015 Jérémy MATOS whois securingapps Developer background Spent last 10 years working
More informationWeb 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007
Web 2.0 and AJAX Security OWASP Montgomery August 21 st, 2007 Overview Introduction Definition of Web 2.0 Basics of AJAX Attack Vectors for AJAX Applications AJAX and Application Security Conclusions 1
More informationVirtually Pwned Pentesting Virtualization. Claudio
Virtually Pwned Pentesting Virtualization Claudio Criscione @paradoxengine c.criscione@securenetwork.it Claudio Criscione /me The need for security Breaking virtualization means hacking the underlying
More informationWireless Security Algorithms
(NOTE: If you are using a virtual lab to run your attacks you will need an external Wi Fi attachment. The other option is to have a direct install on your computer. Virtual labs cannot access your wireless
More informationHacking Wireless Networks by data
Hacking Wireless Networks by data -disclaimer- The sole purpose of this article is so that you may be informed about how your neighbor may be able to take a laptop, crack your wep/wpa key to your router
More informationJonathan Wald and Jason Zigelbaum (A project report written under the guidance of Prof.
1 of 12 Jonathan Wald jwald@wustl.edu and Jason Zigelbaum jczigelb@wustl.edu (A project report written under the guidance of Prof. Raj Jain) Download Table of Content: 1. Introduction 1.1 What is OpenPacketPro
More informationPreliminary steps before starting the experiment: 1) Click the Launch button to start the experiment. 2) Click OK to create a new session
Preliminary steps before starting the experiment: 1) Click the Launch button to start the experiment. 2) Click OK to create a new session 3) Click the Screen Sharing option and click connect to establish
More informationSecure Communications Over a Network
Secure Communications Over a Network Course: MITS:5400G Proffessor: Dr. Xiaodong Lin By: Geoff Vaughan 100309160 March 20th 2012 Abstract The purpose of this experiment is to transmit an encrypted message
More informationDeveloper & maintainer of BtleJuice. Having fun with Nordic's nrf51822
YOU'D BETTER SECURE YOUR BLE DEVICES OR WE'LL KICK YOUR BUTTS! @virtualabs DEF CON 26, Aug. 12th 2018 WHO AM I? Head of R&D @ Econocom Digital Security Studying Bluetooth Low Energy for 3 years Developer
More informationCYBER ATTACKS EXPLAINED: WIRELESS ATTACKS
CYBER ATTACKS EXPLAINED: WIRELESS ATTACKS Wireless networks are everywhere, from the home to corporate data centres. They make our lives easier by avoiding bulky cables and related problems. But with these
More informationSAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0
Welcome BIZEC Roundtable @ IT Defense, Berlin SAP Security BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0 February 1, 2013 Andreas Wiegenstein CTO, Virtual Forge 2 SAP Security SAP security is a complex
More informationJHDF5 (HDF5 for Java) 14.12
JHDF5 (HDF5 for Java) 14.12 Introduction HDF5 is an efficient, well-documented, non-proprietary binary data format and library developed and maintained by the HDF Group. The library provided by the HDF
More informationDesign of a Simple, Distributed Network Access Control System
1 Design of a Simple, Distributed Network Access Control System By David Boen, Daniel Dent, Victor Chan, Andrew Tjia Abstract Network access control describes the measures used to control network nodes
More informationSecurity context. Technology. Solution highlights
Code42 CrashPlan Security Code42 CrashPlan provides continuous, automatic desktop and laptop backup. Our layered approach to security exceeds industry best practices and fulfills the enterprise need for
More informationRKN 2015 Application Layer Short Summary
RKN 2015 Application Layer Short Summary HTTP standard version now: 1.1 (former 1.0 HTTP /2.0 in draft form, already used HTTP Requests Headers and body counterpart: answer Safe methods (requests): GET,
More informationCSCD433/533 Advanced Networks Winter 2017 Lecture 13. Raw vs. Cooked Sockets
CSCD433/533 Advanced Networks Winter 2017 Lecture 13 Raw vs. Cooked Sockets Introduction Better Understand the Protocol Stack Use Raw Sockets So far, sockets in Java either TCP or UDP based In fact, Java
More informationA Security Microcosm Attacking and Defending Shiva
A Security Microcosm Attacking and Defending Shiva Shiva written by Neel Mehta and Shaun Clowes Presented by Shaun Clowes shaun@securereality.com.au What is Shiva? Shiva is an executable encryptor Encrypted
More informationPolishing your cache with Varnish
Polishing your cache with Varnish David Smalley, Co-Founder of Litmus I m David Smalley - co-founder of Litmus Talking about our newest site, Doctype. http://doctype.com Doctype is the newest project from
More information(a) Which of these two conditions (high or low) is considered more serious? Justify your answer.
CS140 Winter 2006 Final Exam Solutions (1) In class we talked about the link count in the inode of the Unix file system being incorrect after a crash. The reference count can either be either too high
More informationQ.1. (a) [4 marks] List and briefly explain four reasons why resource sharing is beneficial.
Q.1. (a) [4 marks] List and briefly explain four reasons why resource sharing is beneficial. Reduces cost by allowing a single resource for a number of users, rather than a identical resource for each
More informationCase Studies, Lessons Learned. Ing. Tijl Deneut Lecturer Applied Computer Sciences Howest Researcher XiaK, Ghent University
Case Studies, Lessons Learned Ing. Tijl Deneut Lecturer Applied Computer Sciences Howest Researcher XiaK, Ghent University Case Study Overview 3 different types of cases Troubleshooting We have systems
More informationWebGoat& WebScarab. What is computer security for $1000 Alex?
WebGoat& WebScarab What is computer security for $1000 Alex? Install WebGoat 10 Download from Google Code 20 Unzip the folder to where ever you want 30 Click on WebGoat.bat 40 Goto http://localhost/webgoat/attack
More informationWireless Attacks and Countermeasures
Wireless Attacks and Countermeasures Wireless Network Technology Wireless network refers to any type of computer network which is wireless, and is commonly associated with a network whose interconnections
More informationSecuring Wireless Networks by By Joe Klemencic Mon. Apr
http://www.cymru.com/ Securing Wireless Networks by By Joe Klemencic (faz@home.com) Mon. Apr 30 2001 Many companies make attempts to embrace new technologies, but unfortunately, many of these new technologies
More informationInternal Audit Report DATA CENTER LOGICAL SECURITY
Internal Audit Report DATA CENTER LOGICAL SECURITY Report No. SC 12 06 June 2012 David Lane Principal IT Auditor Jim Dougherty Principal Auditor Approved Barry Long, Director Internal Audit & Advisory
More informationContents. Is Rumpus Secure? 2. Use Care When Creating User Accounts 2. Managing Passwords 3. Watch Out For Symbolic Links 4. Deploy A Firewall 5
Contents Is Rumpus Secure? 2 Use Care When Creating User Accounts 2 Managing Passwords 3 Watch Out For Symbolic Links 4 Deploy A Firewall 5 Minimize Running Applications And Processes 5 Manage Physical
More informationPrepAwayExam. High-efficient Exam Materials are the best high pass-rate Exam Dumps
PrepAwayExam http://www.prepawayexam.com/ High-efficient Exam Materials are the best high pass-rate Exam Dumps Exam : 642-541 Title : VPN and Security Cisco SAFE Implementation Exam (CSI) Vendors : Cisco
More informationOutline. More Security Protocols CS 239 Security for System Software April 22, Needham-Schroeder Key Exchange
Outline More Security Protocols CS 239 Security for System Software April 22, 2002 Combining key distribution and authentication Verifying security protocols Page 1 Page 2 Combined Key Distribution and
More informationAssignment 2: Getting to know yanc and Mininet
ECEN 5023/CSCI 7000-0005: Advanced Networking Spring 2014 Assignment 2: Getting to know yanc and Mininet Due Fri 2/28/2014 In this assignment, we ll get some exposure to Floodlight and Mininet. I encourage
More informationChapter 1 Getting Started
Chapter 1 Getting Started The C# class Just like all object oriented programming languages, C# supports the concept of a class. A class is a little like a data structure in that it aggregates different
More informationOpen Software Tools for Reproducible Computational Geophysics Workshop Houston June SeaSeis A simple seismic processing system
Open Software Tools for Reproducible Computational Geophysics Workshop Houston 16-17 June 2011 SeaSeis A simple seismic processing system Bjorn Olofsson Outline SeaSeis batch processing system Background
More informationSecurity Assessment Report
Security Assessment Report Client Sigma Designs Project Name Project Code Security 2 Command Class Protocol Review SP02508 Date 2017-08-18 TABLE OF CONTENTS 1.1 Assessment Overview... 3 1.2 Motivation
More informationWebGoat Lab session overview
WebGoat Lab session overview Initial Setup Virtual Machine Tamper Data Web Goat Basics HTTP Basics Sniffing Web server attacks SQL Injection XSS INITIAL SETUP Tamper Data Hold alt to reveal the menu in
More informationCNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies
CNIT 129S: Securing Web Applications Ch 3: Web Application Technologies HTTP Hypertext Transfer Protocol (HTTP) Connectionless protocol Client sends an HTTP request to a Web server Gets an HTTP response
More informationNotice! Updated presentation materials are available online at: Rain Forest Puppy / Wiretrip.
Notice! Updated presentation materials are available online at: http://www.wiretrip.net/rfp/blackhat-asia/ Assessing the web A look at the tools used to secure online applications Rain Forest Puppy rfp@wiretrip.net
More informationLab Configure Basic AP security through GUI
Lab 8.3.1.1 Configure Basic AP security through GUI Estimated Time: 30 minutes Number of Team Members: Students will work in teams of two. Objective In this lab, the student will learn the following objectives:
More informationDeveloper Resources: PIN2
Administrative Technology Services Technology and Data Services Developer Resources: PIN2 Contents Introduction... 2 Registering an Application... 2 Information Required for Registration... 3 Information
More informationIt was a dark and stormy night. Seriously. There was a rain storm in Wisconsin, and the line noise dialing into the Unix machines was bad enough to
1 2 It was a dark and stormy night. Seriously. There was a rain storm in Wisconsin, and the line noise dialing into the Unix machines was bad enough to keep putting garbage characters into the command
More informationIt Just (Net)works. The Truth About ios' Multipeer Connectivity Framework. Alban
It Just (Net)works The Truth About ios' Multipeer Connectivity Framework Alban Diquet! @nabla_c0d3 About me ios Security Researcher at Data Theorem Before: Principal Security Consultant at isec Partners
More informationOutline More Security Protocols CS 239 Computer Security February 6, 2006
Outline More Security Protocols CS 239 Computer Security February 6, 2006 Combining key distribution and authentication Verifying security protocols Page 1 Page 2 Combined Key Distribution and Authentication
More informationComposer Help. Web Request Common Block
Composer Help Web Request Common Block 7/4/2018 Web Request Common Block Contents 1 Web Request Common Block 1.1 Name Property 1.2 Block Notes Property 1.3 Exceptions Property 1.4 Request Method Property
More informationInternetworking Models The OSI Reference Model
Internetworking Models When networks first came into being, computers could typically communicate only with computers from the same manufacturer. In the late 1970s, the Open Systems Interconnection (OSI)
More informationIgniting QuantLib on a Zeppelin
Igniting QuantLib on a Zeppelin Andreas Pfadler, d-fine GmbH QuantLib UserMeeting, Düsseldorf, 7.12.2016 d-fine d-fine All rights All rights reserved reserved 0 Welcome Back!» An early stage of this work
More informationFlare-On 3: Challenge 1 Solution
Flare-On 3: Challenge 1 Solution Challenge Author: Alex Rich When running challenge1.exe we are presented with a password prompt, for which the program will respond to an incorrect response with Wrong
More informationExtended Search Administration
IBM Lotus Extended Search Extended Search Administration Version 4 Release 0.1 SC27-1404-02 IBM Lotus Extended Search Extended Search Administration Version 4 Release 0.1 SC27-1404-02 Note! Before using
More informationInstituto Superior Técnico, Universidade de Lisboa Network and Computer Security. Lab guide: Traffic analysis and TCP/IP Vulnerabilities
Instituto Superior Técnico, Universidade de Lisboa Network and Computer Security Lab guide: Traffic analysis and TCP/IP Vulnerabilities Revised on 2016-10-18 Alpha version: This is an early version and
More informationProduct Security Briefing
Product Security Briefing Performed on: Adobe ColdFusion 8 Information Risk Management Plc 8th Floor Kings Building Smith Square London SW1 P3JJ UK T +44 (0)20 7808 6420 F +44 (0)20 7808 6421 Info@irmplc.com
More informationEverything You Wanted To Know About USB Embossers* *but were afraid to ask
Braille2000, LLC 6801 Southfork Cir, Lincoln, NE 68516 Phone: (402) 423-4782, Fax: (402) 423-5154 http://www.braille2000.com Everything You Wanted To Know About USB Embossers* *but were afraid to ask This
More informationCopyright
1 Security Test EXTRA Workshop : ANSWER THESE QUESTIONS 1. What do you consider to be the biggest security issues with mobile phones? 2. How seriously are consumers and companies taking these threats?
More informationPaper Presentation: A Model and Framework for Visualization Exploration
Paper Presentation: A Model and Framework for Visualization Exploration Written By T.J. Jankun-Kelly et el. Presented by Michael Shah September 26, 2012 Duration ~10-15 minutes What is Visualization Exploration?
More informationAttacking Highspeed Ethernet Links
Issued by: ERNW GmbH Enno Rey Breslauer Strasse 28 D-69124 Heidelberg www.ernw.de Page: 2 of 7 Content 1 Introduction... 3 1.1 Prerequisites... 3 2 Tackling the Problem... 4 2.1 Tool pcap_extractor...
More informationCisco Wide Area Application Services Software Legacy Common Internet File System (CIFS) Migration
White Paper Cisco Wide Area Application Services Software Legacy Common Internet File System (CIFS) Migration What You Will Learn Since the release of Cisco Wide Area Application Services (WAAS) Software
More informationFixed Internetworking Protocols and Networks. IP mobility. Rune Hylsberg Jacobsen Aarhus School of Engineering
Fixed Internetworking Protocols and Networks IP mobility Rune Hylsberg Jacobsen Aarhus School of Engineering rhj@iha.dk 1 2011 ITIFN Mobile computing Vision Seamless, ubiquitous network access for mobile
More informationSILWOOD TECHNOLOGY LTD. Safyr Metadata Discovery Software. Safyr Getting Started Guide
SILWOOD TECHNOLOGY LTD Safyr Metadata Discovery Software Safyr Getting Started Guide S I L W O O D T E C H N O L O G Y L I M I T E D Safyr Getting Started Guide Safyr 7.1 This product is subject to the
More informationCoding Intro to APIs and REST
DEVNET-3607 Coding 1001 - Intro to APIs and REST Matthew DeNapoli DevNet Developer Evangelist Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session
More informationA manual for understanding and using the Impex Control Center. SYSCTL AB - version 1.5
A manual for understanding and using the Impex Control Center SYSCTL AB - version 1.5 CONTENTS Contents Introduction 4 History....................................................... 4 Components.....................................................
More informationDesigning Spring Applications
Designing Spring Applications Previous lectures provided you with a basic understanding of what the Spring framework is and how it is used. This lecture, we ll show how to go about designing a system that
More informationAtrium Webinar- What's new in ADDM Version 10
Atrium Webinar- What's new in ADDM Version 10 This document provides question and answers discussed during following webinar session: Atrium Webinar- What's new in ADDM Version 10 on May 8th, 2014 Q: Hi,
More informationTCP Selective Acknowledgement
SharkFest 18 ASIA TCP Selective Acknowledgement correctly interpreting this field can help you be a better performance troubleshooter John Pittle Global Architect, Performance Management Services Riverbed
More informationFRAUD DETECTION IN ONLINE BANKING. The recent shift in security model at Landsbankinn
FRAUD DETECTION IN ONLINE BANKING The recent shift in security model at Landsbankinn What shift? In the last year we did a significant alteration of our security model in the Personal Online Bank. When
More informationSo Many Ways to Slap a YoHo: Hacking Facebook & YoVille
Tom Stracener Strace, Contract Engineer MITRE EvilAdamSmith, Sr. Security Consultant Sean Barnum, Cybersecurity Principal MITRE So Many Ways to Slap a YoHo: Hacking Facebook & YoVille Misclaneous Disclaimers
More informationADVANCED ATTACK SURFACE DISCOVERY AND EXPLOITATION
SESSION ID: SBX1-R3 ADVANCED ATTACK SURFACE DISCOVERY AND EXPLOITATION Adrian Bednarek Security Analyst/Researcher Independent Security Evaluators @ISEsecurity Obligatory who is this guy? Adrian Bednarek
More informationSelf-driving Datacenter: Analytics
Self-driving Datacenter: Analytics George Boulescu Consulting Systems Engineer 19/10/2016 Alvin Toffler is a former associate editor of Fortune magazine, known for his works discussing the digital revolution,
More informationVariables and Data Representation
You will recall that a computer program is a set of instructions that tell a computer how to transform a given set of input into a specific output. Any program, procedural, event driven or object oriented
More informationPrzechwytywanie ruchu w niestandardowych protokołach sieciowych. Sławomir Jasek Jakub Kałużny
Przechwytywanie ruchu w niestandardowych protokołach sieciowych Sławomir Jasek Jakub Kałużny Who are we Sławomir Jasek Jakub Kałużny Pentesters @ SecuRing Security assessments of applications, networks,
More informationSpecialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com
Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE s3security.com Security Professional Services S3 offers security services through its Security Professional Services (SPS) group, the security-consulting
More informationOn the Internet, nobody knows you re a dog.
On the Internet, nobody knows you re a dog. THREATS TO DISTRIBUTED APPLICATIONS 1 Jane Q. Public Big Bank client s How do I know I am connecting to my bank? server s Maybe an attacker...... sends you phishing
More informationCompTIA CAS-003. CompTIA Advanced Security Practitioner (CASP)
CompTIA CAS-003 CompTIA Advanced Security Practitioner (CASP) http://killexams.com/pass4sure/exam-detail/cas-003 DEMO Find some pages taken from full version Killexams CAS-003 questions and answers are
More informationHow to Configure Authentication and Access Control (AAA)
How to Configure Authentication and Access Control (AAA) Overview The Barracuda Web Application Firewall provides features to implement user authentication and access control. You can create a virtual
More informationWIBU protection knuth20 implementation analysis
WIBU protection knuth20 implementation analysis by anonymous 15.09.2006. Intro Couple of weeks ago, I faced WIBU dongle protection. Before that, I had no expirience with it. The first thing I've checked
More informationMEAP Edition Manning Early Access Program WebAssembly in Action Version 1
MEAP Edition Manning Early Access Program WebAssembly in Action Version 1 Copyright 2018 Manning Publications For more information on this and other Manning titles go to www.manning.com welcome Thank you
More informationVirtually Pwned Pentesting VMware. Claudio
Virtually Pwned Pentesting VMware Claudio Criscione @paradoxengine c.criscione@securenetwork.it /me Claudio Criscione The need for security Breaking virtualization means hacking the underlying layer accessing
More informationWhite Paper. Deploying CKMS Within a Business
White Paper Deploying CKMS Within a Business 1 Introduction The Cryptomathic Crypto Key Management System (CKMS) is a market-leading lifecycle key management product that can manage cryptographic keys
More informationCCNA Exploration Network Fundamentals. Chapter 03 Application Functionality and Protocols
CCNA Exploration Network Fundamentals Chapter 03 Application Functionality and Protocols Updated: 27/04/2008 1 3.1 Applications: The Interface Between Human and Networks Applications provide the means
More informationSPDY - A Web Protocol. Mike Belshe Velocity, Dec 2009
SPDY - A Web Protocol Mike Belshe Velocity, Dec 2009 What is SPDY? Concept SPDY is an application layer protocol for transporting content over the web with reduced latency. Basic Features 1. Multiplexed
More informationDistributed Systems. Lecture 14: Security. Distributed Systems 1
06-06798 Distributed Systems Lecture 14: Security Distributed Systems 1 What is security? policies and mechanisms threats and attacks Overview Security of electronic transactions secure channels authentication
More information