Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

[Defcon] You Spent All That Money And You Still Got Owned…

You Spent All That Money And You Still Got Owned… – Joe McCray

You often run up against all sorts of defensive measures when penetration testing (firewalls, IDS/IPS, WAF, …) and the testers still get in!

Often you get in, only to find that the company is already owned (enter Incident Handling mode)

More and more security measures are being implemented on company networks.

  • Firewalls are commonplace (perimeter and host based)
  • Anti-virus is smarter
  • Intrusion Detection / Prevention systems are hard to detect, let alone bypass
  • NAC Solutions are making their way into networks
  • IT Hardware / Software vendors are integrating security into their SDLC

Still. Companies get owned.

Comments like “We can’t patch those! Those are our development servers” don’t help.

“Always go for the quick shell” –> Google dork for anything that hints at SQL injection or remote/local file includes.

Identify Load-Balancers

Figure out if it’s load balanced

DNS-based or IP-based load balancing –> it makes a difference to how you test

Check the returned headers to see if things are different

  • Server Header
  • Time/Date

Use DNS queries and Netcraft.com

Tools to do this

  • Load Balancer Detection – lbd.sh
  • Halberd
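The checks that lbd.sh and Halberd automate can be spotted by hand from a handful of DNS answers and HTTP responses. The script below is an added example, not the talk's or either tool's code: it re-implements the three tells mentioned above (changing A records, differing Server banners, and Date headers whose offset from your own clock differs between responses) over constructed data, so it runs offline. The IP addresses come from the TEST-NET-3 documentation range and the responses are made up for the demonstration.

```python
"""Offline look at the load-balancer tells described above (added example).

Not lbd.sh or Halberd: a re-implementation of the checks they make, run over
constructed data. IPs are from the TEST-NET-3 documentation range."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

UTC = timezone.utc

# Constructed: A records returned by three successive DNS queries.
DNS_ANSWERS = [
    ["203.0.113.10", "203.0.113.11"],
    ["203.0.113.11", "203.0.113.10"],
    ["203.0.113.12", "203.0.113.10"],
]

# Constructed: (time we received the response, HTTP response headers) for
# several requests to the same URL a second apart.
RESPONSES = [
    (datetime(2010, 8, 1, 18, 0, 1, tzinfo=UTC),
     {"Server": "Apache/2.2.3 (CentOS)", "Date": "Sun, 01 Aug 2010 18:00:00 GMT"}),
    (datetime(2010, 8, 1, 18, 0, 2, tzinfo=UTC),
     {"Server": "Apache/2.2.9 (Debian)", "Date": "Sun, 01 Aug 2010 17:58:30 GMT"}),
    (datetime(2010, 8, 1, 18, 0, 3, tzinfo=UTC),
     {"Server": "Apache/2.2.3 (CentOS)", "Date": "Sun, 01 Aug 2010 18:00:02 GMT"}),
    (datetime(2010, 8, 1, 18, 0, 4, tzinfo=UTC),
     {"Server": "Apache/2.2.9 (Debian)", "Date": "Sun, 01 Aug 2010 17:58:32 GMT"}),
]


def dns_balanced(answers):
    """DNS-level balancing: the A record set or its order changes between queries."""
    distinct_ips = sorted({ip for ans in answers for ip in ans})
    orderings = {tuple(ans) for ans in answers}
    return len(distinct_ips) > 1 or len(orderings) > 1, distinct_ips


def server_headers(responses):
    """Distinct Server banners: more than one means more than one backend build."""
    return sorted({hdrs.get("Server", "") for _, hdrs in responses})


def clock_skew_clusters(responses, tolerance=5.0):
    """Group responses by (Date header - receive time) in seconds.

    Backends behind an IP/HTTP balancer rarely have perfectly synced clocks,
    so two or more skew clusters is a strong hint of several real servers."""
    skews = []
    for received, hdrs in responses:
        stamped = parsedate_to_datetime(hdrs["Date"])
        if stamped.tzinfo is None:
            stamped = stamped.replace(tzinfo=UTC)
        skews.append((stamped - received).total_seconds())
    clusters = []
    for s in sorted(skews):
        if clusters and s - clusters[-1][-1] <= tolerance:
            clusters[-1].append(s)
        else:
            clusters.append([s])
    return clusters


def summarise(answers=DNS_ANSWERS, responses=RESPONSES):
    """Combine the three tells into one verdict."""
    dns, ips = dns_balanced(answers)
    banners = server_headers(responses)
    clusters = clock_skew_clusters(responses)
    return {
        "dns_balanced": dns,
        "distinct_ips": ips,
        "server_banners": banners,
        "clock_clusters": len(clusters),
        "http_balanced": len(banners) > 1 or len(clusters) > 1,
    }


if __name__ == "__main__":
    for key, value in summarise().items():
        print(f"{key}: {value}")
```

Against real targets, feed `dns_balanced` the output of repeated `dig +short` runs and `clock_skew_clusters` the Date headers from a dozen quick requests; a single backend with a stable clock gives one cluster, and anything else is worth a closer look before you start banning yourself from one node at a time.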

Identifying Intrusion Prevention Systems

Most are still in detection only mode

See if it’s blocking… break out curl and try a noisy probe like ../../../../winnt/system32/cmd.exe?d

Did you get blocked? Is your IP banned? –> If so, it’s an IPS in blocking mode

Look for RST and other hints

Does the IPS monitor SSL traffic –> Many don’t

Attacking through Tor

Push attacks through Tor to get around IP banning

Clients should be blocking Tor exit nodes

Identifying WAFs

Due to PCI, there are a lot of WAFs being implemented

Send almost any special character and it will respond

Often easy to identify

Check the return headers for hints and information.

Tools like wafw00f can also be used –> waffun is a project being worked on currently

Request all the standard return codes (200, 404, 301, …) and then see what gets returned when you try an XSS attack… are the responses identical?

Encoding is sometimes dealt with by a WAF… double encoding, not so often.
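The “request the standard return codes, then compare against an attack probe” step above is easy to do by hand with curl, but the comparison is worth writing down. The script below is an added example, not wafw00f, waffun or anything from the talk: it takes a baseline set of ordinary responses and a probe response and reports the three differences a practitioner looks for (a status code the application never produced, header names that appear in no baseline response, and application headers that are missing from the probe because the device answered in the backend's place). All responses, header values and body sizes are constructed for the demonstration.

```python
"""Differential check for an inline WAF over captured responses (added example).

Not wafw00f or waffun: a re-implementation of the idea in the notes, with
constructed responses so it needs no live target."""
from dataclasses import dataclass


@dataclass
class Resp:
    status: int
    headers: dict
    body_len: int

    def names(self):
        """Header names, lower-cased for comparison."""
        return {k.lower() for k in self.headers}


# Constructed baseline: the application's own answers to ordinary requests.
APP = {"Server": "Apache", "X-Powered-By": "PHP/5.2.17", "Content-Type": "text/html"}
BASELINE = {
    "/": Resp(200, dict(APP), 14231),
    "/does-not-exist": Resp(404, dict(APP), 1207),
    "/old": Resp(301, {"Server": "Apache", "Location": "/new", "Content-Type": "text/html"}, 0),
}

# Constructed probes: the same parameter with a harmless value and with an XSS string.
BENIGN_PROBE = Resp(200, dict(APP), 14240)
XSS_PROBE = Resp(403, {"Server": "Apache",
                       "Content-Type": "text/html; charset=iso-8859-1",
                       "Connection": "close"}, 312)


def fingerprint(baseline: dict, probe: Resp) -> dict:
    """Compare a probe response against the baseline set.

    Four weak signals, scored together:
      * a status code the application never produced for us;
      * a Server banner the application never sent;
      * header names that appear in no baseline response;
      * headers the application attaches to every page (2xx/4xx) but that
        are missing here, since a WAF answering for the backend rarely copies them.
    """
    statuses = {r.status for r in baseline.values()}
    banners = {r.headers.get("Server") for r in baseline.values()}
    known = set().union(*(r.names() for r in baseline.values()))
    pages = [r for r in baseline.values() if not 300 <= r.status < 400]
    always = set.intersection(*(r.names() for r in pages)) if pages else set()

    status_in_baseline = probe.status in statuses
    server_changed = probe.headers.get("Server") not in banners
    novel = sorted(probe.names() - known)
    dropped = sorted(always - probe.names())
    score = sum([not status_in_baseline, server_changed, bool(novel), bool(dropped)])
    return {
        "status_in_baseline": status_in_baseline,
        "server_changed": server_changed,
        "novel_headers": novel,
        "dropped_headers": dropped,
        "score": score,
        "waf_suspected": score >= 2,
    }


if __name__ == "__main__":
    print("benign:", fingerprint(BASELINE, BENIGN_PROBE))
    print("xss:   ", fingerprint(BASELINE, XSS_PROBE))
```

A single signal is not proof: the application itself may return 403 for an unusual value. Two or more together, on a probe that differs from the benign request only by the attack string, is the “not identical” answer the notes are looking for, and the headers that disappeared or appeared tell you which layer answered.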

dotDefender WAF –> simple unencoded SQLi gets through. Blacklists specific words and commands.

Blocking the word SELECT –> easy to bypass using Unicode

FIXED by the vendor –> now only blocks the Unicode version –> FAIL

SQL Injection to Metasploit


  • Written in Perl, but still good.
  • Great from going from SQLi to shell


  • Written in Python
  • Allows you to drop to a shell

Filter Evasion

Client-Side filtering == BAD

Do not use JavaScript that does filtering without server-side checks

“You’re going to put all the security on the hackers laptop!”

Restrictive Blacklist

Blocking things like the = sign doesn’t stop SQLi

Encoding things bypasses these blacklists

Rules in IDS/IPS are sometimes looking for specifics like 1=1

Wait… doesn’t 2=2 work as well?

Blacklist rule-sets are a losing proposition, as encoding can bypass the rules
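The dotDefender story above and this filter-evasion section make the same point: a filter that matches literal strings loses to anything that changes the bytes on the wire without changing what the backend executes. The script below is an added example and not dotDefender's, any vendor's or the talk's code. The filter functions are hypothetical models of the behaviour described in the notes (a word blacklist, a version that URL-decodes once before matching, an IDS rule looking for the literal `1=1`, and a “fixed” filter that only blocks the Unicode spelling of SELECT); the backend model assumes the common stack of web server plus framework decoding once each, and a database or collation that folds fullwidth letters to ASCII, modelled here with NFKC normalisation. It generates the variants mentioned above (full percent-encoding, double encoding, fullwidth Unicode, `2=2`) and reports which filters each one passes while the SQL still reaches the backend.

```python
"""Toy blacklist filters and the evasions described above (added example).

Not dotDefender's code or any vendor's rule set: the filter functions are
hypothetical models of the behaviour the notes describe, so the bypasses
can be checked offline."""
import unicodedata
from urllib.parse import quote, unquote

BLOCKED_WORDS = ("select", "union")  # hypothetical signature list


def fullwidth(s: str) -> str:
    """Rewrite ASCII letters as their fullwidth forms (U+FF21..U+FF5A)."""
    return "".join(chr(ord(c) + 0xFEE0) if c.isascii() and c.isalpha() else c for c in s)


def percent_encode_all(s: str) -> str:
    """Percent-encode every byte, letters included (quote() leaves letters alone)."""
    return "".join("%%%02X" % b for b in s.encode("utf-8"))


def naive_blacklist(payload: str) -> bool:
    """Block if a listed word appears literally in the raw request."""
    low = payload.lower()
    return any(w in low for w in BLOCKED_WORDS)


def decoding_blacklist(payload: str) -> bool:
    """Slightly smarter: URL-decode once, then match (catches single encoding)."""
    return naive_blacklist(unquote(payload))


def ids_tautology_rule(payload: str) -> bool:
    """Model of an IDS/IPS rule that looks for the specific string 1=1."""
    return "1=1" in payload


def unicode_only_blacklist(payload: str) -> bool:
    """Model of the 'fixed' filter in the notes: only the fullwidth spelling
    of SELECT is blocked, plain ASCII still gets through."""
    return fullwidth("select") in payload.lower()


def backend_view(payload: str) -> str:
    """What the application ends up executing: web server and framework each
    URL-decode once, and the database folds compatibility characters
    (modelled with NFKC normalisation)."""
    return unicodedata.normalize("NFKC", unquote(unquote(payload)))


def evasions(payload: str) -> dict:
    """Variants of one payload, keyed by technique."""
    single = percent_encode_all(payload)
    return {
        "raw": payload,
        "single_encoded": single,
        "double_encoded": quote(single, safe=""),  # %27 becomes %2527
        "fullwidth": fullwidth(payload),
        "tautology_2eq2": payload.replace("1=1", "2=2"),
    }


def report(payload: str) -> dict:
    """For each variant: which filters fire, and whether the backend still
    receives the SELECT."""
    out = {}
    for name, variant in evasions(payload).items():
        out[name] = {
            "naive_blocked": naive_blacklist(variant),
            "decoding_blocked": decoding_blacklist(variant),
            "ids_1eq1_hit": ids_tautology_rule(variant),
            "backend_gets_sql": "select" in backend_view(variant).lower(),
        }
    return out


if __name__ == "__main__":
    demo = "' OR 1=1 UNION SELECT user,pass FROM users--"
    for name, row in report(demo).items():
        print(f"{name:16} {row}")
```

Every row of the report ends with the backend receiving the same SELECT; only the “blocked” columns change. Double encoding beats the filter that decodes once, fullwidth Unicode beats every literal match until something normalises it, and `2=2` beats a signature written for `1=1`. That is the whole argument against blacklists in three lines of output, and it is also why the filtering has to happen where the data is used, not in JavaScript on the attacker's laptop.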

Practice your kung-fu


  • Smoketest
    • check your encoding and bypass techniques
    • find something that will bypass a lot of the rules


  • Also now offers a smoketest
  • Implements core ruleset, PHPIDS and Snort

Lots of companies have IDS… how many actually look at it though?

Getting in via the Client-Side

Email a client-side exploit exported from Metasploit

Use reverse HTTPS to bypass some detections

SET (Social Engineering Toolkit)

“Real hackers aren’t scanning your network anymore”

Pivoting into the LAN

Metasploit offers a pivot

Compile programs so they don’t need an install, upload them to the remote system and run them

Common LAN Security Solutions


  • Use Static

DHCP MAC Address Reservations

  • Find a system, steal MAC

Port Security

  • Find a printer…

NAC Solutions

  • Find a non-NAC supported system

See a pattern here?

Tools like VoIP Hopper are perfect for going from one VLAN to another.

Looking around the network for a user

  • net commands on Windows are great for finding network information
  • Script the output and find the Administrators
  • Escalate to SYSTEM/Administrator
  • Run commands using psexec, pskill, …
  • Kill protections, stop services

Certain AV/HIDS products blacklist known tools by filename, not by hash… filenames!

Use the new getsystem in Metasploit

Owning the Domain

Use token stealing (in Metasploit / Incognito)

Find an admin, steal the token, win!

