https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/

1. Container security

https://www.blackhat.com/docs/us-17/thursday/us-17-Cherny-Well-That-Escalated-Quickly-How-Abusing-The-Docker-API-Led-To-Remote-Code-Execution-Same-Origin-Bypass-And-Persistence.pdf

https://www.blackhat.com/docs/us-17/thursday/us-17-Cherny-Well-That-Escalated-Quickly-How-Abusing-The-Docker-API-Led-To-Remote-Code-Execution-Same-Origin-Bypass-And-Persistence_wp.pdf

Developers are the new Targets

New Attacks: Host Rebinding & Shadow Container

Protect your PIPE: Scan images & Monitor Containers in Runtime

2. Web security

a) Web cache deception attack

https://www.blackhat.com/docs/us-17/wednesday/us-17-Gil-Web-Cache-Deception-Attack.pdf

https://www.blackhat.com/docs/us-17/wednesday/us-17-Gil-Web-Cache-Deception-Attack-wp.pdf

POC:

1. The attacker lures a logged-on user to access https://www.bank.com/account.do/logo.png.

2. The victim's browser requests https://www.bank.com/account.do/logo.png.

3. The request arrives at the proxy, which is not familiar with this file, and therefore asks the web server for it.

4. The web server returns the content of the victim's account page with a 200 OK response, meaning the URL stays the same.

5. The caching mechanism receives the file and identifies that the URL ends with a static extension (.png). Because the mechanism is configured to cache all static files and disregard any caching headers, the imposter .png file is cached. A new directory named account.do is created in the cache directory, and the file is cached with the name logo.png.

6. The user receives his account page.

7. The attacker accesses https://www.bank.com/account.do/logo.png. The request arrives at the proxy server, which directly returns the victim's cached account page to the attacker's browser.

Exploit (PayPal was affected):

https://www.youtube.com/watch?v=e_jYtALsqFs
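To make step 5 concrete, here is an added Python simulation (not code from the talk or its white paper) of a caching proxy running the vulnerable policy next to a hardened one; the Origin, CachingProxy, paths and session values are constructed for this example. It shows that honouring Cache-Control and checking Content-Type against the URL extension keeps the victim's page out of the cache, so the attacker's later request never sees it.

```python
from dataclasses import dataclass, field
# Constructed example: static extensions the cache recognises, mapped to the
# Content-Type a genuine file of that kind would carry.
STATIC_TYPES = {".png": "image/png", ".jpg": "image/jpeg", ".css": "text/css"}

@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)

class Origin:
    """/account.do ignores any trailing path (step 4) and renders the logged-in user's page as private/no-store."""
    def get(self, path, session):
        if not path.startswith("/account.do"):
            return Response(404, "not found", {"Content-Type": "text/plain"})
        if session is None:
            return Response(302, "", {"Location": "/login"})
        return Response(200, "Account page of " + session,
                        {"Content-Type": "text/html", "Cache-Control": "private, no-store"})

class CachingProxy:
    def __init__(self, origin, strict):
        self.origin, self.strict, self.cache = origin, strict, {}

    def _cacheable(self, path, resp):
        ext = "." + path.rsplit(".", 1)[-1] if "." in path else ""
        if not self.strict:
            # Step 5's policy: static extension => cache, ignore all caching headers.
            return ext in STATIC_TYPES
        # Hardened policy: honour Cache-Control, and treat the response as static
        # only when its Content-Type is the one the extension implies.
        cc = resp.headers.get("Cache-Control", "")
        if "no-store" in cc or "private" in cc:
            return False
        return resp.headers.get("Content-Type") == STATIC_TYPES.get(ext)

    def get(self, path, session):
        if path in self.cache:
            return self.cache[path]  # step 7: served to anyone, cookie or not
        resp = self.origin.get(path, session)
        if resp.status == 200 and self._cacheable(path, resp):
            self.cache[path] = resp
        return resp

def run_scenario(strict):
    # Victim's request (steps 1-6), then the attacker's (step 7).
    proxy = CachingProxy(Origin(), strict)
    proxy.get("/account.do/logo.png", session="victim")
    return proxy.get("/account.do/logo.png", session=None).body
```

With strict=False the attacker receives the victim's account page; with strict=True the proxy refuses to cache the private response and the attacker only gets the login redirect.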

b) Application security maturity model

https://www.blackhat.com/docs/us-17/wednesday/us-17-Valtman-The-Art-Of-Securing-100-Products.pdf

3. Ransomware

a) Tracking desktop ransomware payments

https://www.blackhat.com/docs/us-17/wednesday/us-17-Invernizzi-Tracking-Ransomware-End-To-End.pdf

Only 37% of users back up their data

Since 2016 “ransomware” search queries increased by 877%

Life of a ransomware infection

  • Victim gets infected
  • Victim is shown ransom note
  • Victim visits payment site via Tor
  • Victim buys bitcoin at exchange

Why Bitcoin

  • Pseudonymous: no need to show an ID card to create wallets
  • Fully automatable: allows scalable payment processing
  • Fungible: bitcoins are easily converted into cash
  • Irrefutable: transactions can't be reverted

Life of a ransom payment

  • 1. Victim buys bitcoins at exchange
  • 2. Ransom moves across multiple wallets
  • 3. Criminal accumulates bitcoins then sells them for currency at exchange
4. Vulnerability exploitation

a) Google P0, ECMAScript: How Standards Drive Bugs in Script Engines

https://www.blackhat.com/docs/us-17/thursday/us-17-Silvanovich-The-Origin-Of-Array-Symbol-Species.pdf

ECMAScript implementations:

● Chakra (Edge)
● V8 (Chrome)
● SpiderMonkey (Firefox)
● JSC (WebKit/Safari)
● AVM (Flash)

Vulnerabilities:

CVE-2017-0290

CVE-2016-7240

CVE-2016-7200

CVE-2017-5030

5. Penetration testing

a) Microsoft: The Industrial Revolution of Lateral Movement

https://www.blackhat.com/docs/us-17/thursday/us-17-Beery-The-Industrial-Revolution-Of-Lateral-Movement.pdf

As the CEO of a hacking group, you have to innovate the hacking business and grow it fast; you also have to develop and expand that business;

The Cyber Kill Chain of technical-level attacks gives way to the Cyber Value Chain: what hackers need is data, not the raw material of information about the victims;

Automated lateral movement will become the new hot topic, including WMI, PSEXEC, WINRM, ATEXEC and so on

Tools that have appeared:

GoFetch (https://github.com/GoFetchAD/GoFetch)

DeathStar (https://github.com/byt3bl33d3r/DeathStar/blob/master/DeathStar.py)

Invoke-GoFetch

BloodHound (https://github.com/BloodHoundAD/BloodHound)

Defensive tools

https://gallery.technet.microsoft.com/SAMRi10-Hardening-Remote-48d94b5b
https://gallery.technet.microsoft.com/Net-Cease-Blocking-Net-1e8dcb5b

6. AV-related

a) SafeBreach (Kotler): The Adventures of AV and the Leaky Sandbox

https://www.blackhat.com/docs/us-17/thursday/us-17-Kotler-The-Adventures-Of-Av-And-The-Leaky-Sandbox.pdf

https://www.blackhat.com/docs/us-17/thursday/us-17-Kotler-The-Adventures-Of-Av-And-The-Leaky-Sandbox-wp.pdf

Lots and lots of research on exfiltration techniques:

• “Covert Channels in TCP\IP Protocol Stack” by Aleksandra Mileva and Boris Panajotov

• “A survey of covert channels and countermeasures in computer network protocols” by Sebastian Zander, Grenville Armitage and Philip Branch

• “Covert timing channels using HTTP Cache Headers” by Dennis Kolegov, Oleg Broslavsky and Nikita Oleksov

• “LED-it-GO: Leaking (a lot of) Data from Air-Gapped Computers via the (small) Hard Drive LED” by Mordechai Guri, Boris Zadov, Eran Atias and Yuval Elovici

• “Diskfiltration: Data Exfiltration from Speakerless Air-Gapped Computers via Covert Hard Drive Noise” by Mordechai Guri, Yosef Solewicz, Andrey Daidakulov and Yuval Elovici

• “BitWhisper: Covert Signaling Channel between Air-Gapped Computers using Thermal Manipulations” by Mordechai Guri, Matan Monitz, Yisroel Mirsky and Yuval Elovici

• “Covert Communications Despite Traffic Data Retention” by George Danezis – N/A since IP ID is no longer implemented as a global counter

• Piggybacking UDP source port/payload (with spoofed source IP), e.g. DNS – egress filtering will kill it

• “In Plain Sight: The Perfect Exfiltration” by Amit Klein and Itzik Kotler – AV services/SW update don't have a regular HTTP cache layer

• “AVLeak: Fingerprinting Antivirus Emulators Through Black-Box Testing” by Jeremy Blackthorne, Alexei Bulazel, Andrew Fasano, Patrick Biernat and Bülent Yener

• “Your sandbox is blinded: Impact of decoy injection to public malware analysis systems” by Katsunari Yoshioka, Yoshihiko Hosobuchi, Tatsunori Orii and Tsutomu Matsumoto

• “Enter Sandbox – part 8: All those… host names… will be lost, in time, like tears… in… rain” by Hexacorn Ltd.

• “Sandbox detection: leak, abuse, test” by Zoltan Balazs

• “Art of Anti Detection 1 – Introduction to AV & Detection Techniques” by Ege Balci

• Google's Project Zero entry “Comodo: Comodo Antivirus Forwards Emulated API calls to the Real API during scans” by Tavis Ormandy

The sneaky trick:

Rocket

The Rocket is the main attacker malware, responsible for sensitive data collection (which becomes the payload for exfiltration). The Rocket contains a "vanilla" copy of another malware executable, called Satellite.

Satellite

The Satellite is the secondary malware executable, which triggers the AV agent and later conducts the actual exfiltration.

Steps:

0. The Attacker infects the endpoint with the Rocket

1. The Rocket collects sensitive data from the endpoint and embeds it into the Satellite

2. The Rocket writes the Satellite to disk and executes it

3. The Satellite triggers the AV agent

4. The AV agent sends the Satellite to the AV cloud service for further inspection

5. The AV cloud service executes the Satellite in a sandbox

6. The Satellite sends the collected data over the internet to the attacker

Exfiltration demonstrated possible with:

• Google VirusTotal (www.virustotal.com)

• Joe Security Joe Sandbox Cloud (www.file-analyzer.net) – only DNS, limited to 10 queries

• Payload Security Hybrid Analysis (www.reverse.it)

References:

https://www.usenix.org/system/files/conference/woot16/woot16-paper-blackthorne_update.pdf

b) Getting Past the Hype of Endpoint Security Solutions

https://www.blackhat.com/docs/us-17/thursday/us-17-Giuliano-Lies-And-Damn-Lies-Getting-Past-The-Hype-Of-Endpoint-Security-Solutions.pdf

https://www.crowdstrike.com/blog/indicators-attack-vs-indicators-compromise/

https://www.mcafee.com/de/resources/solution-briefs/sb-indicators-of-attack.pdf

Current endpoint security solutions:

7. C&C

a) AD Botnet

https://www.blackhat.com/docs/us-17/wednesday/us-17-Miller-The-Active-Directory-Botnet.pdf

• What if the C2 servers exist inside your internal network?

• What if the C2 servers exist as a part of your critical infrastructure?

• What if the C2 servers use your production services for communication?

• What if the C2 servers can bypass your internal firewalls and network segmentation to communicate with all hosts?

• What if the C2 servers can communicate with remote attackers using your production cloud?

Advantages of an AD C2 channel

• AD is a central authentication and access control point for organizations

• All end user devices need connectivity to AD for authentication

• All servers (or most) need connectivity to AD for authentication

• This means that AD is a central connectivity point for all systems

• This introduces the capability to bypass all network-layer security using AD

• All users can (by default) write data into their own account attributes

• When AD integrates with Azure AD, direct remote control is possible

8. Virtualization security

a) FireEye releases rVMI

https://www.blackhat.com/docs/us-17/thursday/us-17-Pfoh-rVMI-A-New-Paradigm-For-Full-System-Analysis.pdf

https://github.com/fireeye/rvmi

9. PowerShell

a) Mandiant: PowerShell obfuscation

https://www.blackhat.com/docs/us-17/thursday/us-17-Bohannon-Revoke-Obfuscation-PowerShell-Obfuscation-Detection-And%20Evasion-Using-Science.pdf

https://docs.microsoft.com/zh-cn/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing

https://github.com/Invoke-IR/Uproot

https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html

https://blogs.msdn.microsoft.com/powershell/2015/06/09/powershell-the-blue-team/

PowerShell obfuscation tools:

Veil: https://github.com/Veil-Framework/Veil-Evasion

PowerSploit: https://github.com/PowerShellMafia/PowerSploit

Empire: https://github.com/EmpireProject/Empire

10. Information security

a) Protecting Visual Assets: Digital Image Counter-Forensics

https://www.blackhat.com/docs/us-17/wednesday/us-17-Mazurov-Brown-Protecting-Visual-Assets-Digital-Image-Counter-Forensics.pdf

Exif Viewer — https://addons.mozilla.org/firefox/addon/exif-viewer/

Stand-alone: ExifTool — https://www.sno.phy.queensu.ca/~phil/exiftool/

Metadata removal

exiftool filename.jpg -overwrite_original -all=

GPS forgery

exiftool IMG_1270.jpg -GPSLatitude="36 deg 05' 18.4\"" -GPSLongitude="115 deg 10' 40.2\"" -GPSLongitudeRef=W -overwrite_original

Dheera Venkatraman, “Why blurring sensitive information is a bad idea” https://dheera.net/projects/blur

11. DevSecOps

a) Defending Web Applications in the Age of DevOps

https://www.blackhat.com/docs/us-17/thursday/us-17-Lackey-Practical%20Tips-for-Defending-Web-Applications-in-the-Age-of-DevOps.pdf

https://www.slideshare.net/zanelackey/building-a-modern-security-engineering-organization

The long and perilous journey of Dev->QA->Security->Dev->Sysops->Production becomes just Dev->Production

Developer Training

– Threat Modeling

– Design Reviews

– Static Analysis

– Dynamic Scanning

– Pentesting

– Security Visibility

– Feedback

– Continuous Feedback

Lessons learned:

1. Ability to detect attackers as early as possible in the attack chain

You want to know when the attacker discovers the vulnerability, long before the database goes out the door

2. Ability to continuously test and refine your vulnerability triage/response

The beauty of DevOps is that you can actually move faster than your attackers for the first time, especially the more you empower development / DevOps teams

3. Ability to continuously test and refine your incident response/DFIR/SecOps process

b) Orange Is the New Purple

https://www.blackhat.com/docs/us-17/wednesday/us-17-Wright-Orange-Is-The-New-Purple.pdf

Security's goals: create it securely, maintain it properly, prove it's secure, plan for sunsetting;

Builder's goals: time to market, correctness, optimization, minimal defects;

-- SANS: 2016 State of Application Security: Closing the Gap

Blue Team provides feedback for Yellow Team, either via gained insight from Purple Team, or threat modeling, giving requirements and discussing solutions for:

- DFIR output

- Log Generation & Activities

- Capability for introspection
  o Reference: http://gauss.ececs.uc.edu/Courses/c6056/pdf/logging.pdf

- Log content/events

- Log generation
  o Something as simple as timezone sync

- Change Management

- Integrity Monitoring

- Anti-V, Anti-M

- Full coverage monitoring

Red Team - Offensive security or “ethical hacking” of any type that has been authorized by the organization (penetration testing, physical hacks, black-box testing, compliance testing, social engineering, web app scanning, etc). “The Breakers”

Blue Team - Defensive security, traditionally protection, damage control, and Incident Response (IR). Can also include operational security, threat hunters, Data Forensics (DF). “The Defenders”

Purple Team – Common term for activities combining Red and Blue Teams. These joint activities improve the security posture of a testing scope by building better defenses based on discovered weaknesses. Primary goal is to maximize the results of Red Team activities and improve Blue Team capability.

White Team – All-knowing, neutral, third-party, set the rules of engagement, makes a plan, organizes the other teams, and monitors progress. This could include elements of Compliance, Management, Analysts, and/or logistics (this is where my role mostly operates in the ecosystem). “The Game Masters”

Yellow Team - Individuals who practice the art of creating code: programmers, application developers, software engineers and software architects. “The Builders”. This is an entirely new concept being introduced via this paper.

c) AMAZON WEB SERVICES KILL CHAIN PENTEST

https://www.youtube.com/watch?v=fm4CqlxqQfs

12. Machine learning

Built by Endgame on top of OpenAI Gym

https://github.com/endgameinc/gym-malware

13. Kernel fuzzing

github.com/kernelslacker/trinity

https://github.com/intelpt

14. Attacking printers

https://github.com/RUB-NDS/PRET

15. Deceiving C&C

Deceiving C&C: active intrusion prevention and blocking aimed at some common C&C mechanisms;

https://github.com/countercept/doublepulsar-detection-script

16. Serverless pentest

https://gist.github.com/andrewkrug/3d3012eb045d996e5ab4ee0d7cd5214c

17. VMware API

A vulnerability that uses the VMware API to execute code in the guest from the host;

https://github.com/guardicore/vmware_guest_auth_bypass

18. Java vulnerabilities

JSON vulnerabilities

https://github.com/mbechler/marshalsec

JdbcRowSetImpl.setAutoCommit Gadget

Defcon

1. COM C&C

https://github.com/zerosum0x0/koadic

2. Attacking continuous integration

https://github.com/spaceB0x/cider
