1 00:00:02,790 --> 00:00:07,500 thanks very much could it offer to 2 00:00:05,260 --> 00:00:10,570 everyone thanks it always was booked 3 00:00:07,500 --> 00:00:11,799 this is some of that was good just 4 00:00:10,570 --> 00:00:14,799 checking cool 5 00:00:11,799 --> 00:00:17,020 okay so as introduced the pups this talk 6 00:00:14,799 --> 00:00:20,230 is to discuss what happens when you 7 00:00:17,020 --> 00:00:23,560 joined a fan ad the way how they use 8 00:00:20,230 --> 00:00:24,220 network together so by way of an 9 00:00:23,560 --> 00:00:28,900 introduction 10 00:00:24,220 --> 00:00:29,080 I wrote this here they are explain Who I 11 00:00:28,900 --> 00:00:31,180 am 12 00:00:29,080 --> 00:00:33,730 final thought and then we'll break into 13 00:00:31,180 --> 00:00:37,839 the actual technical detail so the teal 14 00:00:33,730 --> 00:00:40,779 they are if she's researching progress 15 00:00:37,839 --> 00:00:42,070 it's about a year in now but I'll still 16 00:00:40,780 --> 00:00:43,420 what I care about it's different you can 17 00:00:42,070 --> 00:00:45,519 find in the event as I keep on finding 18 00:00:43,420 --> 00:00:49,659 new attack sizes I'd still find doing 19 00:00:45,519 --> 00:00:51,998 them it's not a bad idea 20 00:00:49,659 --> 00:00:54,789 well they clearly Amy plays a part net 21 00:00:51,999 --> 00:00:57,429 this is about what the attack surface ad 22 00:00:54,789 --> 00:00:59,289 George UNIX mistake looks like this is 23 00:00:57,429 --> 00:01:01,659 how if you get a shell program not only 24 00:00:59,289 --> 00:01:02,920 UNIX is still an enterprise network you 25 00:01:01,659 --> 00:01:03,429 won't find that you actually have more 26 00:01:02,920 --> 00:01:10,899 craters 27 00:01:03,429 --> 00:01:12,310 use them so Who am I some Tim I have a 28 00:01:10,899 --> 00:01:15,640 background working for financial 29 00:01:12,310 --> 00:01:18,280 services organizations and for the last 30 00:01:15,640 --> 00:01:18,939 15 years like I've been working 
in this 31 00:01:18,280 --> 00:01:22,420 tank 32 00:01:18,939 --> 00:01:24,880 use the word scram I spoke at a secure 33 00:01:22,420 --> 00:01:27,180 table field I spent three years ago 34 00:01:24,880 --> 00:01:30,009 looking up red tape and DevOps 35 00:01:27,180 --> 00:01:34,000 well yeah I like podcasting or offensive 36 00:01:30,009 --> 00:01:35,590 by nature that said the financial 37 00:01:34,000 --> 00:01:38,079 services stuff was an operational right 38 00:01:35,590 --> 00:01:40,270 I'm looking at security for a defensive 39 00:01:38,079 --> 00:01:42,699 perspective and probably for the last 40 00:01:40,270 --> 00:01:45,009 eight events or so I could focus impact 41 00:01:42,700 --> 00:01:47,079 on the defensive side so one of the key 42 00:01:45,009 --> 00:01:49,119 takeaways for this talk if you take 43 00:01:47,079 --> 00:01:50,500 anything away is that there are 44 00:01:49,119 --> 00:01:52,060 mitigations a lot of things you 45 00:01:50,500 --> 00:01:55,539 shouldn't do in to defend your units 46 00:01:52,060 --> 00:01:56,770 estates better and certainly some of the 47 00:01:55,539 --> 00:01:58,869 stuff has been published on to the back 48 00:01:56,770 --> 00:02:00,789 of this so far is very much geared at 49 00:01:58,869 --> 00:02:04,570 how you how you protect yourself not 50 00:02:00,789 --> 00:02:06,520 just how you attack so the plan for this 51 00:02:04,570 --> 00:02:08,139 talk I'm going to give a little bit 52 00:02:06,520 --> 00:02:10,299 background for those you that perhaps 53 00:02:08,139 --> 00:02:12,940 haven't have any familiarity with what I 54 00:02:10,300 --> 00:02:15,670 do is write look look I run through a 55 00:02:12,940 --> 00:02:18,739 theory it's a possible attack 56 00:02:15,670 --> 00:02:21,679 probably speaking wolof similar fact 57 00:02:18,739 --> 00:02:23,569 turns on Windows AVG own systems are 58 00:02:21,680 --> 00:02:26,209 very consumed designations and 59 00:02:23,569 --> 00:02:27,738 recommendations a little bit 
but then 60 00:02:26,209 --> 00:02:30,379 the response because the vendor response 61 00:02:27,739 --> 00:02:32,840 it's been interesting or finally 62 00:02:30,379 --> 00:02:34,040 reasonable conclusions probably a slight 63 00:02:32,840 --> 00:02:36,859 change from the last time I presented 64 00:02:34,040 --> 00:02:38,810 this the bonus material on this occasion 65 00:02:36,859 --> 00:02:41,180 will be more detailed look at 66 00:02:38,810 --> 00:02:42,950 recommendations and investigations I 67 00:02:41,180 --> 00:02:45,079 switch it up a little bit for this 68 00:02:42,950 --> 00:02:47,238 audience I understand a little more time 69 00:02:45,079 --> 00:02:48,590 looking at how I came so far these other 70 00:02:47,239 --> 00:02:50,329 both ways 71 00:02:48,590 --> 00:02:52,010 how I came to find this weakness is that 72 00:02:50,329 --> 00:02:54,859 all the factors of C just from doing 73 00:02:52,010 --> 00:02:56,090 research and on the last time on what 74 00:02:54,859 --> 00:02:57,889 you should do as a veteran or as an 75 00:02:56,090 --> 00:03:00,049 enterprise is I think in an audience 76 00:02:57,889 --> 00:03:02,030 like this there's a problem we'll be 77 00:03:00,049 --> 00:03:04,909 more interested in breaking things than 78 00:03:02,030 --> 00:03:06,109 the necessaries in defending that said 79 00:03:04,909 --> 00:03:11,870 when you got into the real world I think 80 00:03:06,109 --> 00:03:15,139 we need to say about both so the 81 00:03:11,870 --> 00:03:17,209 background well I started doing 82 00:03:15,139 --> 00:03:18,260 operational security on the UNIX estate 83 00:03:17,209 --> 00:03:20,359 20 years ago 84 00:03:18,260 --> 00:03:22,760 we were using Tivoli to essentially 85 00:03:20,359 --> 00:03:26,650 manage flat tax files essential parts of 86 00:03:22,760 --> 00:03:29,328 essential shadow etc security password 87 00:03:26,650 --> 00:03:31,159 little fire to detect finally an 88 00:03:29,329 --> 00:03:35,540 existent part we were simply 
managing 89 00:03:31,159 --> 00:03:37,429 nice fire rather horrific enterprise 90 00:03:35,540 --> 00:03:39,290 applications written by the likes of IBM 91 00:03:37,430 --> 00:03:41,569 and you essentially modified those files 92 00:03:39,290 --> 00:03:43,970 in real time actually made requests 93 00:03:41,569 --> 00:03:47,358 probably your graphical user interfaces 94 00:03:43,970 --> 00:03:49,790 as administrator these days a lot more 95 00:03:47,359 --> 00:03:51,979 systems are looking to the ad joint I 96 00:03:49,790 --> 00:03:53,569 had a conversation just this week I 97 00:03:51,979 --> 00:03:56,720 think this equipment workers at the 98 00:03:53,569 --> 00:03:58,369 moment are UK retailer 99 00:03:56,720 --> 00:04:00,440 building up their cloud infrastructure 100 00:03:58,370 --> 00:04:02,359 that it is yeah and they want this right 101 00:04:00,440 --> 00:04:04,099 yeah what do we do about the UNIX boxes 102 00:04:02,359 --> 00:04:06,109 we're going to have this cloud how do we 103 00:04:04,099 --> 00:04:07,909 manage the identity on there we started 104 00:04:06,109 --> 00:04:09,229 talking about well Haley is the right 105 00:04:07,909 --> 00:04:10,519 way to go in the sense you have 106 00:04:09,229 --> 00:04:13,190 centralized management you can applaud 107 00:04:10,519 --> 00:04:14,389 the policies all that good stuff but 108 00:04:13,190 --> 00:04:16,370 these are the things you need to think 109 00:04:14,389 --> 00:04:18,450 about because maybe your university 110 00:04:16,370 --> 00:04:21,390 administrators won't be familiar with 111 00:04:18,450 --> 00:04:24,570 is very heretic so that's a little bit 112 00:04:21,390 --> 00:04:30,539 about why let's look a specific 113 00:04:24,570 --> 00:04:33,780 implementation so then tell this is what 114 00:04:30,540 --> 00:04:36,120 we see a lot we see that possible my 115 00:04:33,780 --> 00:04:38,099 hand'd was probably on something that's 116 00:04:36,120 --> 00:04:39,240 called that directly Atlas was 
but is 117 00:04:38,100 --> 00:04:41,940 actually something that Cisco use 118 00:04:39,240 --> 00:04:43,650 internally for our network I'd say it's 119 00:04:41,940 --> 00:04:46,590 an obvious place to start but there are 120 00:04:43,650 --> 00:04:51,690 as a other implementations so why does 121 00:04:46,590 --> 00:04:55,169 it all myself look at it from a 122 00:04:51,690 --> 00:04:57,990 commercial standpoint we're expecting so 123 00:04:55,170 --> 00:04:59,340 they push the ITM below were expected to 124 00:04:57,990 --> 00:05:01,380 be able to tell our customers how secure 125 00:04:59,340 --> 00:05:04,169 their networks which beta versus your 126 00:05:01,380 --> 00:05:06,240 own networks from the perspective of the 127 00:05:04,170 --> 00:05:08,160 team oil price in that's even more true 128 00:05:06,240 --> 00:05:09,990 because we're directly out there 129 00:05:08,160 --> 00:05:11,310 consulting to customers I mentioned 130 00:05:09,990 --> 00:05:13,440 their customers doing this other stuff 131 00:05:11,310 --> 00:05:14,670 yeah if I can't be sensible answers to 132 00:05:13,440 --> 00:05:16,920 those questions when the password policy 133 00:05:14,670 --> 00:05:18,480 directly it's not my shoes and then you 134 00:05:16,920 --> 00:05:21,270 look at the bigger picture we protects a 135 00:05:18,480 --> 00:05:23,610 local area networks so yeah I like bugs 136 00:05:21,270 --> 00:05:25,710 the scale this is a bug that scales or 137 00:05:23,610 --> 00:05:29,780 it's a weakness and scales to be 138 00:05:25,710 --> 00:05:33,390 entirely fair face and vendors concerned 139 00:05:29,780 --> 00:05:37,500 so I mentioned I've been talking a bit 140 00:05:33,390 --> 00:05:40,289 more about how we went look at this the 141 00:05:37,500 --> 00:05:41,820 approach was pre iterative I started out 142 00:05:40,290 --> 00:05:44,550 by building out other environment I 143 00:05:41,820 --> 00:05:48,030 could test against I could research that 144 00:05:44,550 --> 
00:05:51,180 I could evaluate specifically I saw that 145 00:05:48,030 --> 00:05:53,369 with fit up I will say influences and 146 00:05:51,180 --> 00:05:56,100 equivalent using red house open source 147 00:05:53,370 --> 00:05:58,260 ad integration solution had a couple of 148 00:05:56,100 --> 00:06:00,300 others but as I started building it out 149 00:05:58,260 --> 00:06:02,580 then I start to think about the threat 150 00:06:00,300 --> 00:06:03,930 level look like is that when I had some 151 00:06:02,580 --> 00:06:06,240 understanding what would likely go 152 00:06:03,930 --> 00:06:08,700 Gaylords assistance then I started 153 00:06:06,240 --> 00:06:10,680 looking at what that meant as 154 00:06:08,700 --> 00:06:12,770 implication so system somewhat worthy 155 00:06:10,680 --> 00:06:14,790 attack service is a change locally on 156 00:06:12,770 --> 00:06:15,510 reviews from the configuration files 157 00:06:14,790 --> 00:06:18,090 around it 158 00:06:15,510 --> 00:06:19,980 then landed on the idea that perhaps I 159 00:06:18,090 --> 00:06:23,070 needed a fossilized components yet a 160 00:06:19,980 --> 00:06:24,660 open source implementations are great or 161 00:06:23,070 --> 00:06:25,890 certainly the closest implementations 162 00:06:24,660 --> 00:06:27,510 you know they get very far 163 00:06:25,890 --> 00:06:28,940 merely looking at it from the file 164 00:06:27,510 --> 00:06:31,550 respective and looking at 165 00:06:28,940 --> 00:06:34,580 racial perspective reverse engineering 166 00:06:31,550 --> 00:06:36,020 because I'll talk about the facts that 167 00:06:34,580 --> 00:06:37,430 this is something that's probably fairly 168 00:06:36,020 --> 00:06:39,770 similar says the week this is your file 169 00:06:37,430 --> 00:06:40,820 in Windows the cryptographic slightest 170 00:06:39,770 --> 00:06:43,760 things look definitely similar than we 171 00:06:40,820 --> 00:06:46,400 do to reverse engineer development more 172 00:06:43,760 --> 00:06:47,900 fussing yeah 
you can see the pattern I 173 00:06:46,400 --> 00:06:50,419 went through a palace and say it was 174 00:06:47,900 --> 00:06:51,620 easier to follow this amount map so the 175 00:06:50,420 --> 00:06:53,360 theory of what we were actually doing 176 00:06:51,620 --> 00:06:58,760 those theory of what I was actually 177 00:06:53,360 --> 00:07:01,370 doing was about exactly this so that's 178 00:06:58,760 --> 00:07:04,280 what bread hats implementation sss d 179 00:07:01,370 --> 00:07:06,170 looks like our typical unix similar 180 00:07:04,280 --> 00:07:08,479 structures typically an exhibit of 181 00:07:06,170 --> 00:07:10,490 judges the director so you've 182 00:07:08,480 --> 00:07:12,950 essentially got small sent occasionally 183 00:07:10,490 --> 00:07:14,780 identity you've got some policies and 184 00:07:12,950 --> 00:07:17,080 essentially it's not dissimilar from the 185 00:07:14,780 --> 00:07:20,059 bubbling will follow with most obviously 186 00:07:17,080 --> 00:07:21,859 authority provides a little dns is also 187 00:07:20,060 --> 00:07:24,470 provide me LDAP based on see the central 188 00:07:21,860 --> 00:07:25,160 rather than the Kerberos SSD if you want 189 00:07:24,470 --> 00:07:27,260 a normality 190 00:07:25,160 --> 00:07:30,470 it's performing a similar role to else 191 00:07:27,260 --> 00:07:32,180 else us our window system and it's 192 00:07:30,470 --> 00:07:35,060 essentially some compactness and falsity 193 00:07:32,180 --> 00:07:37,400 active directory making requests 194 00:07:35,060 --> 00:07:39,890 invalidate users getting Kerberos 195 00:07:37,400 --> 00:07:41,900 information back applying that to the 196 00:07:39,890 --> 00:07:43,760 users profile and the system they've 197 00:07:41,900 --> 00:07:45,140 logged into yada-yada-yada 198 00:07:43,760 --> 00:07:46,490 you can see where the attack surface 199 00:07:45,140 --> 00:07:49,219 more at this is there are some 200 00:07:46,490 --> 00:07:54,230 differences so what do they attack 201 
00:07:49,220 --> 00:07:55,550 change looks like well I said I 202 00:07:54,230 --> 00:07:57,320 installed in and I was going to do some 203 00:07:55,550 --> 00:07:58,690 threatening so actually I will apply it 204 00:07:57,320 --> 00:08:00,950 so it will did it properly 205 00:07:58,690 --> 00:08:03,350 Cisco have a threatened or mental reason 206 00:08:00,950 --> 00:08:05,330 certainly but I also use months of 207 00:08:03,350 --> 00:08:06,860 stride methodology and like sort of 208 00:08:05,330 --> 00:08:08,140 certain tools give myself so this is 209 00:08:06,860 --> 00:08:10,460 like possibly share with other people 210 00:08:08,140 --> 00:08:12,440 and essentially in the end loader 211 00:08:10,460 --> 00:08:14,690 building out big spreadsheet a big big 212 00:08:12,440 --> 00:08:16,280 spreadsheet as I went through issue of 213 00:08:14,690 --> 00:08:17,840 civilly and every time I found something 214 00:08:16,280 --> 00:08:19,760 long tended I have thought was kind of 215 00:08:17,840 --> 00:08:20,840 interesting i maked night event to make 216 00:08:19,760 --> 00:08:22,280 sure I went a little what other than 217 00:08:20,840 --> 00:08:24,409 isn't don't what's and so it's the same 218 00:08:22,280 --> 00:08:25,609 design problem and the spreadsheet at 219 00:08:24,410 --> 00:08:28,040 some stage rather would be something I'd 220 00:08:25,610 --> 00:08:30,350 like to share because I think as an 221 00:08:28,040 --> 00:08:32,030 approach it's quite useful to show how 222 00:08:30,350 --> 00:08:33,770 you go about doing this but I actually 223 00:08:32,030 --> 00:08:35,390 think there are other implementations I 224 00:08:33,770 --> 00:08:37,309 won't get a chance to look at it will be 225 00:08:35,390 --> 00:08:38,838 quite quite cool to see all of the time 226 00:08:37,309 --> 00:08:40,039 limitations get a similar level of 227 00:08:38,839 --> 00:08:44,110 exposure 228 00:08:40,039 --> 00:08:46,969 so VIN teller I said I threat model day 229 00:08:44,110 
--> 00:08:48,920 that's Francisco straight water tool on 230 00:08:46,970 --> 00:08:50,690 each of those components has a set of 231 00:08:48,920 --> 00:08:52,490 attributes that define a threat trap 232 00:08:50,690 --> 00:08:55,730 models the attack services essentially 233 00:08:52,490 --> 00:08:57,950 based we're broadly speaking just as on 234 00:08:55,730 --> 00:09:02,030 Windows you have a user that comes in 235 00:08:57,950 --> 00:09:05,510 over the network across a generic trust 236 00:09:02,030 --> 00:09:07,339 line boundary in this case SSH windows 237 00:09:05,510 --> 00:09:10,250 it'll probably be our DP SMB something 238 00:09:07,340 --> 00:09:12,920 like that and then login and in the case 239 00:09:10,250 --> 00:09:17,180 of Linux you'll appear through a process 240 00:09:12,920 --> 00:09:18,530 that hosts a Pam library SSH and he 241 00:09:17,180 --> 00:09:20,719 makes a library calls down into the 242 00:09:18,530 --> 00:09:23,930 power infrastructure the power 243 00:09:20,720 --> 00:09:25,940 infrastructure in the case of AD in the 244 00:09:23,930 --> 00:09:27,469 case of business this isn't some talent 245 00:09:25,940 --> 00:09:29,960 but also an SSD and the other 246 00:09:27,470 --> 00:09:32,930 implementations typically use a UNIX 247 00:09:29,960 --> 00:09:35,600 socket to call out to the host process 248 00:09:32,930 --> 00:09:40,520 for the integration so I've been telling 249 00:09:35,600 --> 00:09:42,890 you is feisty sss uses s SSD others we 250 00:09:40,520 --> 00:09:45,740 use different process than video you get 251 00:09:42,890 --> 00:09:48,220 that one that UNIX socket allows crown 252 00:09:45,740 --> 00:09:51,020 to talk to it and of course fast service 253 00:09:48,220 --> 00:09:54,320 component then does the integration 254 00:09:51,020 --> 00:09:56,569 piece back into ad so in the case of an 255 00:09:54,320 --> 00:09:59,920 authentication request it might make use 256 00:09:56,570 --> 00:10:02,660 of all that it may make 
use of Kerberos 257 00:09:59,920 --> 00:10:04,430 cached credentials is an interesting one 258 00:10:02,660 --> 00:10:06,170 so mean by this is a bubble auditory 259 00:10:04,430 --> 00:10:08,390 history of cache productions being a 260 00:10:06,170 --> 00:10:09,949 source of weakness year he compromised 261 00:10:08,390 --> 00:10:12,319 approach we don't know promoters you can 262 00:10:09,950 --> 00:10:15,740 use either edge of those men absolutely 263 00:10:12,320 --> 00:10:17,630 the same miss with faster with with SSS 264 00:10:15,740 --> 00:10:20,570 date a lot of importations 265 00:10:17,630 --> 00:10:22,010 in the case of Intel 266 00:10:20,570 --> 00:10:23,060 yeah there's a whole bunch of things of 267 00:10:22,010 --> 00:10:25,420 the file system which are quite 268 00:10:23,060 --> 00:10:28,040 interesting clean the secret base base 269 00:10:25,420 --> 00:10:31,099 allocation in the back sequel a database 270 00:10:28,040 --> 00:10:33,890 that contains provisions of interest so 271 00:10:31,100 --> 00:10:35,570 that's that's only speaking what it 272 00:10:33,890 --> 00:10:38,900 looks like and like I said if you look 273 00:10:35,570 --> 00:10:40,910 at it systemic most layers attack 274 00:10:38,900 --> 00:10:42,290 surfaces have analogy for its limit 275 00:10:40,910 --> 00:10:44,270 Windows or Linux 276 00:10:42,290 --> 00:10:48,980 yeah you can you could take the same 277 00:10:44,270 --> 00:10:51,460 approaches and of course other vendors 278 00:10:48,980 --> 00:10:51,460 do exist 279 00:10:52,240 --> 00:10:55,910 the reason it's interesting is because 280 00:10:54,530 --> 00:10:58,430 on UNIX 281 00:10:55,910 --> 00:11:00,319 we're probably 15-20 years behind the 282 00:10:58,430 --> 00:11:02,060 times I say that somebody that spent 283 00:11:00,320 --> 00:11:04,580 their entire life work with UNIX and try 284 00:11:02,060 --> 00:11:07,849 to secure as a platform but we also need 285 00:11:04,580 --> 00:11:09,950 20 years behind the times you 
IDs and 286 00:11:07,850 --> 00:11:12,140 Yogi's are pretty much the young before 287 00:11:09,950 --> 00:11:14,990 security barrier that really exists and 288 00:11:12,140 --> 00:11:17,930 they people like to say that SELinux our 289 00:11:14,990 --> 00:11:19,820 backup and such have improve sight in 290 00:11:17,930 --> 00:11:21,290 the face a homely system you actually 291 00:11:19,820 --> 00:11:23,390 see in the real ones that have been 292 00:11:21,290 --> 00:11:26,329 effectively configured and deployed our 293 00:11:23,390 --> 00:11:27,920 very best to likely to see if you're 294 00:11:26,330 --> 00:11:31,130 likely to happen a state that I said to 295 00:11:27,920 --> 00:11:32,360 you will on policy breaches it's very 296 00:11:31,130 --> 00:11:34,220 rare that you'll happens slowly 297 00:11:32,360 --> 00:11:35,990 enforcing because if you fully enforce 298 00:11:34,220 --> 00:11:42,530 then you have a whole additional moment 299 00:11:35,990 --> 00:11:44,150 overhead comparatively windows have 300 00:11:42,530 --> 00:11:46,730 restricted accurate way from being paid 301 00:11:44,150 --> 00:11:51,140 as come as a protection it has protected 302 00:11:46,730 --> 00:11:53,140 users security groups that has TPM only 303 00:11:51,140 --> 00:11:56,330 no surprises and morph as LS a 304 00:11:53,140 --> 00:11:58,790 credential isolation so Windows 10 the 305 00:11:56,330 --> 00:12:01,400 emphasized process the equivalent of a 306 00:11:58,790 --> 00:12:03,980 State Department of s SSD is actually 307 00:12:01,400 --> 00:12:08,030 virtualized away in a separate instances 308 00:12:03,980 --> 00:12:10,880 the OS so you have a very final set of 309 00:12:08,030 --> 00:12:14,300 API tools that you can leverage as a 310 00:12:10,880 --> 00:12:16,520 normal user to talk to Alice asked to 311 00:12:14,300 --> 00:12:18,140 make an authentication request or to or 312 00:12:16,520 --> 00:12:23,240 some day to gain access to your taken 313 00:12:18,140 --> 00:12:26,060 you 
really are quite limited so the full 314 00:12:23,240 --> 00:12:29,090 question was what if I can get into UNIX 315 00:12:26,060 --> 00:12:31,189 boxes what can I do and how do I 316 00:12:29,090 --> 00:12:34,070 determine whether I can recycle any of 317 00:12:31,190 --> 00:12:36,200 the ID infrastructure by getting in in a 318 00:12:34,070 --> 00:12:39,170 huge array of tilting out there and in 319 00:12:36,200 --> 00:12:40,970 fact I think it's fair to say there's no 320 00:12:39,170 --> 00:12:43,339 useful tool amount there so from a 321 00:12:40,970 --> 00:12:44,950 fantasy perspective there's a few five 322 00:12:43,340 --> 00:12:48,230 abilities have been polished for someone 323 00:12:44,950 --> 00:12:49,640 implementations X SSD in particular has 324 00:12:48,230 --> 00:12:51,410 a bit of a checkered history around it's 325 00:12:49,640 --> 00:12:54,260 like PC but there's not a huge amount 326 00:12:51,410 --> 00:12:57,199 out there so the school crisis would 327 00:12:54,260 --> 00:12:59,210 went a little bit like this people log 328 00:12:57,200 --> 00:12:59,630 into UNIX boxes they submit their ID for 329 00:12:59,210 --> 00:13:01,550 dentures 330 00:12:59,630 --> 00:13:02,930 I think Isis they boxes are quite 331 00:13:01,550 --> 00:13:04,790 interesting for our own sake 332 00:13:02,930 --> 00:13:07,130 that's all the works at a sacrament 333 00:13:04,790 --> 00:13:09,620 illustrator has interesting privileges 334 00:13:07,130 --> 00:13:11,120 recycle effective just by logging in but 335 00:13:09,620 --> 00:13:12,529 there's a hell of a lot of interesting 336 00:13:11,120 --> 00:13:15,230 privileges they may have low network 337 00:13:12,529 --> 00:13:17,899 yeah it's all about the system that is 338 00:13:15,230 --> 00:13:19,160 used to for example host an application 339 00:13:17,899 --> 00:13:20,959 and an application was developed 340 00:13:19,160 --> 00:13:23,149 in-house does that mean attending have 341 00:13:20,959 --> 00:13:25,160 access to 
their to their get rings so 342 00:13:23,149 --> 00:13:27,350 their internal CIA LCD infrastructure 343 00:13:25,160 --> 00:13:30,140 doesn't mean we get access to they might 344 00:13:27,350 --> 00:13:31,850 not find out you know what I could 345 00:13:30,140 --> 00:13:33,949 evolve their their colleagues and get 346 00:13:31,850 --> 00:13:36,050 access the Louis is it's a whole raft of 347 00:13:33,950 --> 00:13:37,730 different ways you can gain and most of 348 00:13:36,050 --> 00:13:40,399 those people are in various actors at 349 00:13:37,730 --> 00:13:42,050 windows of opportunities to attack with 350 00:13:40,399 --> 00:13:48,589 from from the UNIX like that just just 351 00:13:42,050 --> 00:13:52,399 as prevalent say some practicing plus 352 00:13:48,589 --> 00:13:54,950 hacks so I've great wonderful saying X 353 00:13:52,399 --> 00:13:57,830 SSD Intelli authentication services are 354 00:13:54,950 --> 00:14:00,050 around the 80 integration president 355 00:13:57,830 --> 00:14:02,089 three ways automatically color brush 356 00:14:00,050 --> 00:14:04,430 I've called out something as well so 357 00:14:02,089 --> 00:14:06,200 they can be seen as part of an ID 358 00:14:04,430 --> 00:14:09,050 integration solution you will also see 359 00:14:06,200 --> 00:14:11,020 them into isolation the canonical page 360 00:14:09,050 --> 00:14:13,040 is probably something like a web app 361 00:14:11,020 --> 00:14:14,420 Enterprise pencil web apples their 362 00:14:13,040 --> 00:14:16,250 infrastructure and they like they gauge 363 00:14:14,420 --> 00:14:18,050 you know we taught most of the issuer 364 00:14:16,250 --> 00:14:20,029 accounts individually for this system 365 00:14:18,050 --> 00:14:20,920 will perfect figure on that and what 366 00:14:20,029 --> 00:14:25,959 does that mean 367 00:14:20,920 --> 00:14:28,370 so Red Hat so so first a siphon source 368 00:14:25,959 --> 00:14:29,300 potential attacks look like stealing her 369 00:14:28,370 --> 00:14:32,709 she's from 
the files 370 00:14:29,300 --> 00:14:35,209 stealing hashes of plaintext or memory 371 00:14:32,709 --> 00:14:37,430 from a blue team perspective each 372 00:14:35,209 --> 00:14:39,079 relatively well hardened I say that in 373 00:14:37,430 --> 00:14:41,900 the sense that what compiler perspective 374 00:14:39,080 --> 00:14:43,670 api's of ApS that are well used our 375 00:14:41,900 --> 00:14:45,650 business degree of Kampala hardening 376 00:14:43,670 --> 00:14:46,240 around fit the sack protection etcetera 377 00:14:45,650 --> 00:14:48,410 ah 378 00:14:46,240 --> 00:14:53,660 notable would have interesting it does 379 00:14:48,410 --> 00:14:55,939 well as the root user others I 380 00:14:53,660 --> 00:14:58,100 immediately it has a bit of actually 381 00:14:55,940 --> 00:15:00,350 track records were my PC standpoint and 382 00:14:58,100 --> 00:15:03,170 don't think there's any public pic2 383 00:15:00,350 --> 00:15:04,700 around most of this but that cached 384 00:15:03,170 --> 00:15:07,399 credentials well in the minimal 385 00:15:04,700 --> 00:15:10,670 is actually relatively trivial to a 386 00:15:07,399 --> 00:15:12,020 point you can probably look at the patch 387 00:15:10,670 --> 00:15:13,250 that's available for absolutely 388 00:15:12,020 --> 00:15:15,769 vulnerabilities and figure out the 389 00:15:13,250 --> 00:15:17,929 trigger it and whilst you know 390 00:15:15,769 --> 00:15:20,449 think that all UNIX boxes are a well 391 00:15:17,929 --> 00:15:24,769 practical up to date that's not always 392 00:15:20,449 --> 00:15:26,118 the case how about the public PhD for 393 00:15:24,769 --> 00:15:30,050 that proved might happen at the SD that 394 00:15:26,119 --> 00:15:31,399 works for them it's just as important 395 00:15:30,050 --> 00:15:34,609 principle be able to be able to remember 396 00:15:31,399 --> 00:15:40,610 the fact that the resultant work out so 397 00:15:34,610 --> 00:15:41,749 it digest I set up an approach so that's 398 00:15:40,610 --> 
00:15:43,579 what the approach looks like with the 399 00:15:41,749 --> 00:15:45,259 audit level what I really wanted to do 400 00:15:43,579 --> 00:15:48,290 was understand what the attack surface 401 00:15:45,259 --> 00:15:50,269 was that was introduced by the software 402 00:15:48,290 --> 00:15:51,980 so I was looking at the file locations 403 00:15:50,269 --> 00:15:56,149 the file permissions the contents of the 404 00:15:51,980 --> 00:15:58,819 files processes sockets SDLC compliance 405 00:15:56,149 --> 00:16:01,129 capacities the SSD slide I showed a 406 00:15:58,819 --> 00:16:03,349 couple of slides back which useful to 407 00:16:01,129 --> 00:16:06,199 know if vendors are probably things in a 408 00:16:03,350 --> 00:16:07,749 safe fashion in telephone solution they 409 00:16:06,199 --> 00:16:09,709 haven't been opposite the kitchen of 410 00:16:07,749 --> 00:16:11,829 compiling that it was pretty much 411 00:16:09,709 --> 00:16:15,290 compiled with spot DC settings from 412 00:16:11,829 --> 00:16:16,878 probably 20 years ago probably part of 413 00:16:15,290 --> 00:16:18,829 the reason I'd posit for that is the 414 00:16:16,879 --> 00:16:23,059 fact that is available for a lot wider 415 00:16:18,829 --> 00:16:26,739 so units is signed many of those 416 00:16:23,059 --> 00:16:30,259 settings don't necessary have a direct 417 00:16:26,740 --> 00:16:33,110 equivalence formula if you've got it my 418 00:16:30,259 --> 00:16:34,850 ex temple - or a accessible one yet and 419 00:16:33,110 --> 00:16:36,319 you're running us that's the idea 420 00:16:34,850 --> 00:16:38,179 compiler you've probably thought might 421 00:16:36,319 --> 00:16:40,729 have that emotional nature sets 422 00:16:38,179 --> 00:16:41,929 sound probably the view also put the 423 00:16:40,730 --> 00:16:44,629 something that compiled everywhere 424 00:16:41,929 --> 00:16:45,920 didn't do too much work around improving 425 00:16:44,629 --> 00:16:48,319 that make faster that it's and so you 426 
00:16:45,920 --> 00:16:55,490 end up with a situation where you're as 427 00:16:48,319 --> 00:16:57,920 good as the worst case I want somebody 428 00:16:55,490 --> 00:16:59,059 to review what it look like my review 429 00:16:57,920 --> 00:17:01,819 what is understanding what the 430 00:16:59,059 --> 00:17:03,649 difference between why this is still 431 00:17:01,819 --> 00:17:05,240 like normally would look like so that 432 00:17:03,649 --> 00:17:09,799 meant looking at the learn page little 433 00:17:05,240 --> 00:17:11,569 bigger issues amongst tuning that loss 434 00:17:09,799 --> 00:17:13,699 and I'm actual really helped in the case 435 00:17:11,569 --> 00:17:15,678 of Intel as an example 436 00:17:13,699 --> 00:17:17,539 didn't help from a security standpoint 437 00:17:15,679 --> 00:17:19,039 in the sense we don't invent the product 438 00:17:17,539 --> 00:17:20,569 and it will secure but when it didn't as 439 00:17:19,039 --> 00:17:22,520 I have full access to certain as did I 440 00:17:20,569 --> 00:17:24,049 can see traffic that was going there 441 00:17:22,520 --> 00:17:26,029 that I really saw fit 442 00:17:24,049 --> 00:17:27,408 you turned lot longer than my TV they 443 00:17:26,029 --> 00:17:29,600 fill that sort of thing 444 00:17:27,409 --> 00:17:33,970 great respond to it by positive cases 445 00:17:29,600 --> 00:17:41,840 this has real-world valid protocol 446 00:17:33,970 --> 00:17:44,570 limitations to work from so that's the 447 00:17:41,840 --> 00:17:47,330 kind of artifacts you file your SSST 448 00:17:44,570 --> 00:17:49,730 they range from - purchase through 449 00:17:47,330 --> 00:17:51,259 porosity cases right down to 450 00:17:49,730 --> 00:17:54,799 configuration files contain the 451 00:17:51,259 --> 00:17:56,840 territory uses of information the bits 452 00:17:54,799 --> 00:18:00,279 that are in italic you can't get to 453 00:17:56,840 --> 00:18:04,999 unless you revisit the fairly common 454 00:18:00,279 --> 00:18:07,279 with 
misconception is because that's no 455 00:18:04,999 --> 00:18:09,440 different for Windows you can't you 456 00:18:07,279 --> 00:18:11,299 can't accrue other peoples Kerberos 457 00:18:09,440 --> 00:18:13,820 tickets or accrue other people's 458 00:18:11,299 --> 00:18:15,980 password hashes or the Windows system of 459 00:18:13,820 --> 00:18:17,840 market administrator relation rumor the 460 00:18:15,980 --> 00:18:19,100 purposes this is this research wasn't 461 00:18:17,840 --> 00:18:21,289 without the UNIX system that I have 462 00:18:19,100 --> 00:18:22,639 access to it was to figure out how I eat 463 00:18:21,289 --> 00:18:24,590 existed they're kind of tight on those 464 00:18:22,639 --> 00:18:26,809 to the right of it look so the point is 465 00:18:24,590 --> 00:18:28,939 if you get rid of a single development 466 00:18:26,809 --> 00:18:30,350 instance of X AP does that mean you've 467 00:18:28,940 --> 00:18:32,570 actually got a whole stack and 468 00:18:30,350 --> 00:18:33,859 privileges that are associated with 469 00:18:32,570 --> 00:18:42,049 other systems on the network that 470 00:18:33,859 --> 00:18:43,850 problem the ultimately is contrasting as 471 00:18:42,049 --> 00:18:47,059 I said in Tara's proprietor 472 00:18:43,850 --> 00:18:48,949 multi-platform again you get Russia's 473 00:18:47,059 --> 00:18:51,249 again you can still plantation that way 474 00:18:48,950 --> 00:18:54,440 and even mess with the IPC 475 00:18:51,249 --> 00:18:55,669 the IPC is more robust in a sense that 476 00:18:54,440 --> 00:18:57,440 there's no public vulnerabilities 477 00:18:55,669 --> 00:19:00,529 available for it on how the song 478 00:18:57,440 --> 00:19:02,840 research that I did indicated probably 479 00:19:00,529 --> 00:19:05,690 explorable conditions in the 480 00:19:02,840 --> 00:19:08,059 implementation I wanna say probably I 481 00:19:05,690 --> 00:19:09,950 worked with the vendor Levin I received 482 00:19:08,059 --> 00:19:12,230 my first kite my first 
00:19:09,950 --> 00:20:13,080 Katie's public I'm not suggesting that the referring other places out there but when the vendor has chosen to run more fast test cases through their entire infrastructure repeatedly to clean out all the places and bottom problems that's ultimately their decision they were pretty good in my summer at God's and instead they probably did by comparison with SSST it runs as a daily user but it doesn't work with you our D 0 means if you code execution you attention to have the ability to pivot back this is a very user so the use case would be there emerged it is something terrible VAR IPC I can still potentially get massively on as I said because he runs on lots of platforms it doesn't have the same depth of hardening panicles doesn't have any direct integration SELinux didn't tell a half fix that last point are in the sense of the life provided messy linux policy that's appropriate for it the end of tiny basics in github it's all a personal repaint that works for the company and so therefore you only likely to find it it's not actually
00:20:12,000 --> 00:21:30,870 asking them and telling them that they don't have one site attack so if they say essentially we're clarity was david morrissey site again with some connected interest again we've got some hesitations and configuration again with light you see that my piece can't quite interesting because it uses exposed to Louise's there's a level of security control that's applied to it in the sense that essentially when you connect to it you pass in a file descriptor the Arthurian files is the Urd energy ideas the process is the file descriptor will selectively allow operations of the IPS at sea level depending on the UID and GID of the Cajun music ah that looks pretty effective in a sense that we reduce the attack surface total producer this IV functions that were exposed it would be of interest that we do reduce access and then of course we have the Kerberos tickets ah just by way of its all the different knowing about how those things don't really know Akash flashes anyone not like overseas I can say Cobra sticking through my I'm essentially
00:21:27,450 --> 00:22:30,449 holding on access to one system to my density such that when you try access sort of businesses workflow system and you don't have to go through a full version without a facial you essentially numbers at total absolutely associative that says the the ID infrastructures are elevated the identity of issues on please continue to trust as usual is fashion so being out of steal the Proform music by daily privileges with substantially which other assistant assistant those the visa so that's been telling held up again we can still prevention summary that she really shouldn't really do that used anymore but it sometimes is the middle point Scully quite entertaining the number of times you'll see web applications that have SSL Italy and in addition to the interface on the on the user interface for accessing and then you're gonna figure a shoe that's used to do the syndication checks to the funds that is not SS over the way through so if you into certainly outbound it outlines one of her own October is there's a
00:22:30,450 --> 00:23:52,590 reasonable chance you might catch those critters in across the line in it in it we usable form best mates describe it and again as with every application where this look to t4 injection you will find additional essentially at the fundamental level curve office isn't unique so active directory sign interpreter says the worst you may we'll follow prospectors antisocial aspect if you look slightly look this way they can't actually do as I said you need to be privileged to use it as I said these attacks are pretty long known and windows world but from my perspective I want to see more likely the same thing on UNIX captures plaintext and say he's also created find get any of those three things that I can probably do things were intended so happens if you fall around mimic house on typical Windows box you're likely to get caught by mg on you're likely to get caught by Ivy do likely to be put in some fashion or rather I can indeed you're it introducing any baggage the system in order to do it in the case of UNIX perhaps she's
00:23:50,250 --> 00:24:52,159 there found this the tickets that class but in this particular hashes and was interested in so the year I detect the allowed to take the hashes title of one to your heart's content anyway but that's not quite as easy as it may seem we probably guys did a little bit reversing set ultimate being iterative at this point in time I was not smart I realized that I needed to put a pass on the one reason I was looking at class they always know what it was doing with my dessert with the traffic adventures they received a lot database I'll do that but you look at the time when you're going lacks a lot of plain text possible what is age northern Indiana often lazy so there's a little bit of adversity to do that finding the functions I will try still held trace of the next race if you will not solve you this intimately comfortable to wear on gdb I da le Frank's an education really good place to start so ash trace will essentially consistent definite visibility of what process is doing and traced us inside the library
00:24:52,160 --> 00:25:55,340 level so the way to think about it is L traces essentially your deed literacy your individual life was promised about application and traces what the the kernel is doing in your spaces as well as my vehicles that you make an ultimately if you will in particular perspective of how their Gators is easily hoppers a great place to spot ID is I've seen the reference group and excitement releases more astounding but offer is pretty cheap accessible unfunctional certainly for them for the major powers you know i us RS x windows linux you can you're going to better get home peoples of the way we're just so that's how to look at that and for me I used to be my nice guys with do more reversing Box dumping a binary essentially having a text file in associate that was facing this X mob the fact that my main interest which was why he's the batsman so that that something any way to do it he's his talent but essentially but they didn't just sit mr.
00:25:51,950 --> 00:27:11,220 hopper ever since there is relatively cheap to get and it is a greater perspective the difference between the tape is flat was intended to be wrong and bothering injures is meant to be more forceful illnesses so anyway breaking the hashes SSST it's as simple as that so if you look in the top left alone right I'll hold it away a little bit from the base base platform at first base base is the same as soundless essentially a standard implementation of our authentication for their interests and see 500 different ecosystems SSD a zone they take when I said you can dump them but they say there isn't honest Explorer - Sean 512 can be be dumped they're lying - cool that is John the Ripper knows about that format so relatively easy ash even with assuming that you've got any passwords in there you've got a good dictionary for this philosophy again after there soon as I tell her then tell them is a bit more difficult so I mentioned I have a sequin like database and I said mr.
00:27:08,640 --> 00:28:20,970 piss plane crash miracles the good news is when I started to dive into the language into the binary Steve Harvey symbols go past this point about they're not passing while so practice as defending their their intellectual property and defending their their attack surface we have sins which meant that I can start to figure out what the risk by capturing algorithms look like the legacy one I never found it in the wall so I haven't got a huge agree on it about sha-256 or sha-1 depends whether the lease the moment attained or whether he believes the implementation is sha-256 is possible to reverse that militant reasoning the fact we've done that we made the Taylor bubbles do that based the German grip that stuff and so there's stuff to do the extraction I in terms of timelines it didn't take a huge around the side pretty much a day so what does it look like so that's more or less the implementations use that caching caches for for bintang and it's essentially a case of hash the Irrawaddy - the password and then essentially you shall
00:28:17,940 --> 00:29:31,470 back and then you base64 it and the sequel of Davis's interestingly that potential guys in both directions how much you see were funded that depends on whether you can find other ways of getting to theta into the database tables obviously the standard way is to move in as a given user and if fertile to find the most of the IPC laughs to inject berries hypothetically there maybe you could like the hashes of the opposite direction to maybe press so I taught binary ninjas don't bring the ability to annotate this is probably the best way this one so yeah and ask me essentially aliceparish fighting SMB for using binary dinger you'll see this essentially I've got a fully functional groups and the perhaps values has been passed in next to each of the assembly instructions so that gave me an understanding pit is actually happening but it's not standard implementation so I had to go and I have to figure out how scheduled ready to crack it those rules are not a public remember will then teach over it one of
00:29:28,440 --> 00:30:38,610 the things at the end of this deck is a food writer but how you stopped my potions because they're not necessary as transparent but from my height I don't necessarily know why we're at guest house when I was top pushes a good price out there and silent designer if you get to talk to is pretty helpful tape person to the initiative notices we've got a bit of the software the services we defined will be you title within the 69 acres 69 already existed there's an expression acid essentially my wife I was telling anyone was calling it which which function definition 69 so actually uses its age and therefore through usability relative efficacy absurd e-tron chromatic values and definition and then essentially you have some definition it's also you have only if in that 32 price which is a flagons in have a lot of flight which is the news lonely the saltiest waffles that essentially says this is how I'm expecting to construct the plaintext value for which actions of Bill I then define a couple of constants that's because that's part of the
00:30:36,629 --> 00:31:47,009 plaintext value design actions will - in there and I said that the first of the soul mates is 36 then on the right-hand side you only have the function calls that you are stronger it for when it's taken a plain text item either for this dictionary this brute force in a location and applying basic solver so you see it starts off like that so clearly you your dear this instance thing in front of the plane takes value that's the key and then you do the functionality plastic scribbler operation and there's a test case that was the most simply said that maintainer career professionals were deliberately ruleset geysell's environment that says it bus is really actually still does so they change the implementation of the sha-256 crypt final operation we will know that this is still pops and curtain aside if intel is a bit more interest to your terms of plain text every SSD I didn't find anything particularly one Boeing the case of in town on the service of sponsors you doing that the plain text values being left in referral parrots on
00:31:45,090 --> 00:33:01,659 so essentially if you could dump the vasty procession impossible to which used to login or the password so the easily locate turns out that's because essentially the memory management routine was set the thread only runs on a certain conditions it's not essentially continuously running thread it happens when the entire thinks that a user has successfully logged in because he holds that password so that if you need to do a password reset because you're demanding and also possible to subscribe instant youth rather than the password enabled and do that initially school consequently we can get plant X values out instead easy D chord appealing the string which I've done so that's why it's worth like because if we don't look at those kinds of things we'll miss Martin true that we three thousand saya thank you thank you so fun so if you guys think it as essential as far as it is on the TMP you should probably answer your survey artifact is identity based on a possible network variety of ways to do that the
00:32:59,799 --> 00:34:02,799 most reliable I found was SMB client a lot you sleep last assignment notation a figure like we working this as ideas restructure don't base huddle think they actually performed the first of all I will attacks against them the cryptographic weaknesses in in an active Irish in in ntlm armed memory house works quite nicely if you if you can take that the sake you fall off the UNIX system of the window system ukulele in the newest processor useless listen to that like SSH is kind of that so in principle if you put a Kerberos ticket you can you can look at all the human systems tape using the paragraph taking the problem is most of those live recitations notion configure to use coalescence atoll which actually makes the Russian why is that why you've actually issued Kerberos tickets why you ask you the authority tiny seeds in issue you care what stickers doing in ways because you're never ever a useful tool under community box which I only told you would ever use them if you were either connected to all the boxes that supported addresses age
00:34:02,799 --> 00:35:21,690 the configuration is rarely switched on or if you were connecting back to ntlm kerberos enabled web applications well the chances if you open up the browser source at the option environment is your face while sharks kind of quite fun so if you get the tickets and you've not the ability to be the traffic for Wireshark folks if you agree on the system and one thing you can send to start decrypting traffic's that won't be of interest you the modern deeper deeper attractive other system state Hannibal's fact if you more options it's a plus extra LEP depending on which blocking and you read RDP the sports curb or so it doesn't some suggest it's associates just that identify identification of distant whoosh effective visible system suggestion versus rooted for syndication I've never been it working while I since I might spend more time so Ross tickets that's how easy it is to change identity if you get on the ice so in this in the left-hand side of I've logged on to see that missionary so I've got a secret registration and
00:35:19,050 --> 00:36:35,310 great right hand side I've got very made it up through a vulnerability in an application maybe this because I have seen you access use it whenever I've got I've got access those properly so I've copied the the administrators ticket I then become a lot another privileged user so in this case user lnx I don't have to set the appropriate variable to the thinking about just stolen and I want a list on the Senate administrator so that means that any whether that ticket like a DC that ideas and Tatian trusts the identity was because the services reoccur was nothing silent into the administrator Atholton learn about to he explores so the purpose and then it can manage to recognize this and make it an effective tool from a tax perspective on what it essentially does is harvest those different credential sources so harvests leave the hashes it has harvested a case it halts the plaintext memory and essentially means that you end up with something that you want take 15-20 minutes to do otherwise taking two or three minutes I'm potentially
00:36:33,810 --> 00:37:44,370 being something you could do is if you don't have a full shell addiction to it so this is a new tact I didn't really want to stop there because that only works if you put a shell of some description and it was slightly work to see if we did get because they show us what executed later run lots of times when we break into UNIX systems or systems in general we actually end up with probably a message for that so I figured as Carlos sá presider's then I thought you know I've written I've written that reverse-engineer the price goes up reverse-engineer the hashes would because to like those publicly available so if people dump the hashes then I ask use them so the written rules are so valuable now thought you know what I'm not just going to put this out on a sign up it gets give you these guys a chance to defend themselves so other people's instabilities defend against this ability or even to detect this will really happen I mean I thought wow I probably meant putting out the research notes and fathers and said track and we
00:37:41,910 --> 00:38:51,660 are currently getting there so that's the real face of data that's what it currently contains a step up from that the mythical framework stuff is going through the whole process to go into this world the big sticking point at the moment is the best most beautiful idea environment that they can reliably test the mentors I've written and I cut I said I've done one work of others in celebration don't really want to spend my summer administrative messes was that good bad really um so then they're busy building some test cases so that they can they can reliably test this and then it would be a mess but my month all your doctor was a nice little 2d stuff it's probably easy to look at from a wider perspective I can see remnants of those positions in the partial attacks out before we came but actually if you administer a UNIX box and you know where your crouches alone needs to look like no matter what the deal was and the patron of tools very little star attraction constrain some of them this ones I've been
working on I will discuss 960 00:38:50,790 --> 00:38:55,560 that a little bit 961 00:38:51,660 --> 00:38:57,870 so what the mitigations look like so 962 00:38:55,560 --> 00:38:59,820 you've got generic hardening you've got 963 00:38:57,870 --> 00:39:02,880 the restriction of UID 0 and that we 964 00:38:59,820 --> 00:39:04,560 will you can you can log out and P trace 965 00:39:02,880 --> 00:39:07,200 a number of different ways you can do 966 00:39:04,560 --> 00:39:09,600 that you can protect the resources with 967 00:39:07,200 --> 00:39:11,189 selinux and you can apply additional 968 00:39:09,600 --> 00:39:13,410 asleep read the manual 969 00:39:11,190 --> 00:39:15,310 I sent through some finest material each 970 00:39:13,410 --> 00:39:17,859 of us has a slightly sign 971 00:39:15,310 --> 00:39:19,660 by this by this section of the day but 972 00:39:17,860 --> 00:39:21,690 instead of that let's move on to 973 00:39:19,660 --> 00:39:26,980 recommendations or I'll show you why 974 00:39:21,690 --> 00:39:28,810 so recommendations this is the 975 00:39:26,980 --> 00:39:32,230 developers as much as anything please 976 00:39:28,810 --> 00:39:34,360 hold me up wineries permissions for the 977 00:39:32,230 --> 00:39:36,340 most part permissions all the stuff I 978 00:39:34,360 --> 00:39:38,950 was looking at was pretty good but my 979 00:39:36,340 --> 00:39:41,220 IPC interfaces so they really need every 980 00:39:38,950 --> 00:39:43,810 user to care to have access to them and 981 00:39:41,220 --> 00:39:45,220 to they necessarily need people have 982 00:39:43,810 --> 00:39:48,580 access to increase in Essex price 983 00:39:45,220 --> 00:39:50,649 through the memory management funds even 984 00:39:48,580 --> 00:39:54,390 the faculty practice and prices actually 985 00:39:50,650 --> 00:39:56,620 might be interesting with furthest to do 986 00:39:54,390 --> 00:39:58,990 make sure we know memory management 987 00:39:56,620 --> 00:40:02,650 share hot if you live I see a hunt and 
988 00:39:58,990 --> 00:40:04,750 cryptography ah the VIN teller cars were 989 00:40:02,650 --> 00:40:07,140 really good survival he ripped out that 990 00:40:04,750 --> 00:40:11,170 passion implementations I reversed my 991 00:40:07,140 --> 00:40:14,440 stick with the Shelf be pitch solution 992 00:40:11,170 --> 00:40:17,050 ah but if you're gonna choose a solution 993 00:40:14,440 --> 00:40:19,630 to store sensitive information use the 994 00:40:17,050 --> 00:40:21,160 right solution for the job strange man 995 00:40:19,630 --> 00:40:23,140 carrot with reason why in this 996 00:40:21,160 --> 00:40:29,649 validation k the errors or something 997 00:40:23,140 --> 00:40:31,390 like that into the polymer girth so I 998 00:40:29,650 --> 00:40:35,080 speak the responses Mashable thin 999 00:40:31,390 --> 00:40:36,819 talented ironically by the time they 1000 00:40:35,080 --> 00:40:38,920 sent me their IPC failure I've already 1001 00:40:36,820 --> 00:40:42,670 figured out that I was black isn't 1002 00:40:38,920 --> 00:40:44,080 making things do all of them today but I 1003 00:40:42,670 --> 00:40:45,310 actually shared their internal SD 1004 00:40:44,080 --> 00:40:46,900 Congress that's pretty sweet 1005 00:40:45,310 --> 00:40:49,299 there's very few vendors out there that 1006 00:40:46,900 --> 00:40:51,100 guys are fought in extending an olive 1007 00:40:49,300 --> 00:40:53,410 branch with a security researcher comes 1008 00:40:51,100 --> 00:40:56,470 and says Harold's focus was what you've 1009 00:40:53,410 --> 00:40:58,259 been doing thinking thank you and come 1010 00:40:56,470 --> 00:41:02,319 listen to how she ran for their cash 1011 00:40:58,260 --> 00:41:04,570 infrastructure ah they acknowledge the 1012 00:41:02,320 --> 00:41:06,280 fact that plaintext memory was a problem 1013 00:41:04,570 --> 00:41:10,690 I've been working on that let me assume 1014 00:41:06,280 --> 00:41:12,940 that the native fashion their view is 1015 00:41:10,690 --> 00:41:14,440 
essentially that the the memory would 1016 00:41:12,940 --> 00:41:16,960 only get cleared 1017 00:41:14,440 --> 00:41:18,670 waiting or freight my life acknowledges 1018 00:41:16,960 --> 00:41:21,640 some other certain additions that wasn't 1019 00:41:18,670 --> 00:41:23,320 things that I gave actually and they 1020 00:41:21,640 --> 00:41:24,430 pointed me their SELinux policies I 1021 00:41:23,320 --> 00:41:26,620 wonder how many vendors out there 1022 00:41:24,430 --> 00:41:27,669 couldn't even tell you about Nestle in 1023 00:41:26,620 --> 00:41:29,830 default and I like 1024 00:41:27,670 --> 00:41:31,870 right the very stuff in fact it wasn't 1025 00:41:29,830 --> 00:41:40,620 easy to fun but however these written 1026 00:41:31,870 --> 00:41:43,120 one all the vendors have been reasonable 1027 00:41:40,620 --> 00:41:47,920 when I write this deck before Christmas 1028 00:41:43,120 --> 00:41:51,520 they've had no issue for toddlers 30 40 1029 00:41:47,920 --> 00:41:53,710 days I didn't feel sad to mention how 1030 00:41:51,520 --> 00:41:55,660 she heard very much for since Christmas 1031 00:41:53,710 --> 00:41:57,010 so they're like it may well be that I 1032 00:41:55,660 --> 00:42:00,009 might be slightly more critical if 1033 00:41:57,010 --> 00:42:01,600 everyone missed it but for the most part 1034 00:42:00,010 --> 00:42:04,330 they've acknowledged the problem it's 1035 00:42:01,600 --> 00:42:09,540 it's one much I think of education as is 1036 00:42:04,330 --> 00:42:11,620 necessary of the implementations you've 1037 00:42:09,540 --> 00:42:15,610 husband has the people that are writing 1038 00:42:11,620 --> 00:42:18,870 the entire excess SD ultimately hole due 1039 00:42:15,610 --> 00:42:21,460 to the architectures is given to you I 1040 00:42:18,870 --> 00:42:24,250 talked about family knows it mostly 1041 00:42:21,460 --> 00:42:27,030 shrines to harden their one to make it 1042 00:42:24,250 --> 00:42:29,620 far harder for you to attack else us 1043 
00:42:27,030 --> 00:42:32,140 realistically no ticket about those 1044 00:42:29,620 --> 00:42:34,540 kinds of changes other than Scoble hugs 1045 00:42:32,140 --> 00:42:35,710 the fact that was a pirate little 1046 00:42:34,540 --> 00:42:37,540 station one hat was a lot of the other 1047 00:42:35,710 --> 00:42:39,570 vendors was later say well actually do 1048 00:42:37,540 --> 00:42:41,830 think we can do similar things to what 1049 00:42:39,570 --> 00:42:44,170 whatever windows I said or Mishnah 1050 00:42:41,830 --> 00:42:47,110 Stickley yet if you could if you could 1051 00:42:44,170 --> 00:42:49,710 influence curb design not not likely to 1052 00:42:47,110 --> 00:42:49,710 happen unfortunately 1053 00:42:50,640 --> 00:42:59,049 so I conclusions we learn what are the 1054 00:42:56,560 --> 00:43:00,100 next steps will thanks and the next day 1055 00:42:59,050 --> 00:43:01,630 to me I think is kind of quite 1056 00:43:00,100 --> 00:43:07,839 interesting if you might apply all over 1057 00:43:01,630 --> 00:43:09,520 home at least say what we learn if you 1058 00:43:07,840 --> 00:43:11,200 get onto a UNIX box the might be ways 1059 00:43:09,520 --> 00:43:13,600 for you to get access directed direction 1060 00:43:11,200 --> 00:43:15,580 it well hospitals and hatchets need to 1061 00:43:13,600 --> 00:43:16,900 be protected wherever their stores more 1062 00:43:15,580 --> 00:43:19,630 just in the places that people are 1063 00:43:16,900 --> 00:43:22,240 versatile us ah a lot of noise trance 1064 00:43:19,630 --> 00:43:23,860 relationships just because the UNIX part 1065 00:43:22,240 --> 00:43:25,660 doesn't necessarily understands 1066 00:43:23,860 --> 00:43:28,150 active very doesn't make it any more 1067 00:43:25,660 --> 00:43:30,129 forgiving when they ventured under the 1068 00:43:28,150 --> 00:43:33,220 breach I'm probably at some stage rather 1069 00:43:30,130 --> 00:43:35,200 wondering yeah I seen say the rest box 1070 00:43:33,220 --> 00:43:37,779 is being used 
as words pivot internet 1071 00:43:35,200 --> 00:43:40,460 works so it's not beyond the realms 1072 00:43:37,780 --> 00:43:44,480 possibilities and Linux box will be 1073 00:43:40,460 --> 00:43:47,630 um if you're going to use Active 1074 00:43:44,480 --> 00:43:49,520 Directory please read the manual please 1075 00:43:47,630 --> 00:43:50,930 understand what your switchable they're 1076 00:43:49,520 --> 00:43:52,790 catching attaches is a good example 1077 00:43:50,930 --> 00:43:55,270 windows allows you to turn it off 1078 00:43:52,790 --> 00:43:59,750 actually say that the vendors of SSD 1079 00:43:55,270 --> 00:44:05,810 that Nutella pasty it's just not the 1080 00:43:59,750 --> 00:44:08,060 default next step I kind of want to keep 1081 00:44:05,810 --> 00:44:11,600 from kicking the IPC is I'm pretty sure 1082 00:44:08,060 --> 00:44:13,310 this winter's do pulses about it really 1083 00:44:11,600 --> 00:44:16,549 people the trunk continue working with 1084 00:44:13,310 --> 00:44:18,560 the vendors and I'd like to do some 1085 00:44:16,550 --> 00:44:20,660 focus research with these other things 1086 00:44:18,560 --> 00:44:24,710 because they commissioned the very start 1087 00:44:20,660 --> 00:44:26,420 of CID fiber if your policy to eat it 1088 00:44:24,710 --> 00:44:28,070 focuses you go be doing a series on 1089 00:44:26,420 --> 00:44:29,300 whether the orchestration our 1090 00:44:28,070 --> 00:44:31,070 illustrations will necessarily be 1091 00:44:29,300 --> 00:44:34,460 something that we should have some fun 1092 00:44:31,070 --> 00:44:37,580 with improving the best server to high 1093 00:44:34,460 --> 00:44:39,560 civilization modules that's improvement 1094 00:44:37,580 --> 00:44:41,960 pointers it's really shocking that 1095 00:44:39,560 --> 00:44:44,140 meterpreter mm how include mechanisms 1096 00:44:41,960 --> 00:44:46,880 the pumpkin process memory the Linux 1097 00:44:44,140 --> 00:44:47,540 UNIX infrastructure if you want a song 1098 00:44:46,880 
--> 00:44:49,520 on projects 1099 00:44:47,540 --> 00:44:51,890 attentive messes for a day their solar 1100 00:44:49,520 --> 00:44:54,200 pipe this year but if you want some 1101 00:44:51,890 --> 00:44:55,879 apology if you all that project you want 1102 00:44:54,200 --> 00:44:58,339 some hair to do it easily switch it 1103 00:44:55,880 --> 00:45:03,890 board that would be a really sleek ultra 1104 00:44:58,340 --> 00:45:06,590 patient in their voice not as far as 1105 00:45:03,890 --> 00:45:10,279 next steps if you do fancy pile Intelli 1106 00:45:06,590 --> 00:45:13,220 or SSS be I'm gradually started bionic 1107 00:45:10,280 --> 00:45:15,050 eye toward only to do that ah DX softly 1108 00:45:13,220 --> 00:45:16,730 sort of things those pieces of the 1109 00:45:15,050 --> 00:45:19,250 publicly available that happen from 1110 00:45:16,730 --> 00:45:22,940 available for a while use sonic scare 1111 00:45:19,250 --> 00:45:26,540 that's okay but they didn't work 1112 00:45:22,940 --> 00:45:28,760 particularly well for this so you end up 1113 00:45:26,540 --> 00:45:30,200 developing stuff safe at the entire 1114 00:45:28,760 --> 00:45:32,560 there's a whole bunch of fossils that 1115 00:45:30,200 --> 00:45:35,390 saving science they get hot rate like 1116 00:45:32,560 --> 00:45:37,090 suggest that he found something they 1117 00:45:35,390 --> 00:45:39,589 might be a good place to start 1118 00:45:37,090 --> 00:45:44,240 broadly speaking the appreciate it was 1119 00:45:39,590 --> 00:45:46,610 to pump out the IPC practice from what 1120 00:45:44,240 --> 00:45:50,359 we see by mail in the locking and then 1121 00:45:46,610 --> 00:45:51,360 use that to craft a course of messages 1122 00:45:50,360 --> 00:45:54,690 and then 1123 00:45:51,360 --> 00:45:56,580 is secret so friendly they dip like 1124 00:45:54,690 --> 00:45:58,290 those messages and how many of you we 1125 00:45:56,580 --> 00:46:01,410 have a tiny bit of an associate is bum 1126 00:45:58,290 --> 00:46:04,470 
foster 13 which is essentially for a 1127 00:46:01,410 --> 00:46:06,960 random percentage of of whites you 1128 00:46:04,470 --> 00:46:09,600 change that by by a particular operation 1129 00:46:06,960 --> 00:46:11,370 in my case I think I'll go fax or an 1130 00:46:09,600 --> 00:46:13,230 essential mineral packets that are 1131 00:46:11,370 --> 00:46:15,660 largely comply with the original 1132 00:46:13,230 --> 00:46:18,180 specification by have some minor tweaks 1133 00:46:15,660 --> 00:46:20,430 and I just read about the blackest or 1134 00:46:18,180 --> 00:46:29,490 crashed and things they crash and other 1135 00:46:20,430 --> 00:46:31,620 things did happen isn't very fun so 1136 00:46:29,490 --> 00:46:34,770 broader point perhaps if you're gonna 1137 00:46:31,620 --> 00:46:36,240 fluff stuff term I think really does 1138 00:46:34,770 --> 00:46:39,690 help you figure out what's actually I 1139 00:46:36,240 --> 00:46:42,000 don't if you can try to like a text on 1140 00:46:39,690 --> 00:46:43,980 filter for the phrase publish it of your 1141 00:46:42,000 --> 00:46:47,250 faucet great place to start 1142 00:46:43,980 --> 00:46:51,030 simply if you're lazy and Charlie 1143 00:46:47,250 --> 00:46:53,640 Melancon approach yeah I hope does a 1144 00:46:51,030 --> 00:46:55,890 wonderful job but you really don't need 1145 00:46:53,640 --> 00:46:58,500 to do the develop machine the shading 1146 00:46:55,890 --> 00:47:05,009 that has been done in some cases to get 1147 00:46:58,500 --> 00:47:06,480 over results that's commonly output from 1148 00:47:05,010 --> 00:47:08,340 the development side of things so 1149 00:47:06,480 --> 00:47:10,350 license if you are they to get involved 1150 00:47:08,340 --> 00:47:12,900 go to the under 30 would to start 1151 00:47:10,350 --> 00:47:14,970 looking at thanks 1152 00:47:12,900 --> 00:47:17,340 just a few of the people that help this 1153 00:47:14,970 --> 00:47:20,370 research silent design most probably a 1154 00:47:17,340 --> 
00:47:23,640 good place to start without him John 1155 00:47:20,370 --> 00:47:24,900 would exist as a project many of things 1156 00:47:23,640 --> 00:47:28,259 other people have other thoughts and 1157 00:47:24,900 --> 00:47:30,720 things for our missing fingers because 1158 00:47:28,260 --> 00:47:35,460 able to get a meeting with Iraq in 1159 00:47:30,720 --> 00:47:38,220 terror identity folks with about 1160 00:47:35,460 --> 00:47:44,970 this without this I wouldn't you know 1161 00:47:38,220 --> 00:47:48,209 psych finally some useful links and I 1162 00:47:44,970 --> 00:47:53,990 think only I'm painting you guys are a 1163 00:47:48,210 --> 00:47:59,570 source or questions or you're not 1164 00:47:53,990 --> 00:47:59,569 working off scot-free sweet 1165 00:48:00,240 --> 00:48:02,299 you