Gateway Cryptography
Hacking Impossible Tunnels Through
Improbable Networks with OpenSSH
et al.
By Dan Kaminsky, CISSP
http://www.doxpara.com
Summary
• This is not how to crack SSH. This is
SSH on crack.
• 1) How to get there from here
• 2) What to do once you get there
• 3) Making getting there easier
The Trinity Of Code
• Useful
– No reason to try
• Usable
– No reason to hurt
• Well Written
– No chance they’ll ever have it
• If you want to know my theories on the
superiority of userspace, ask me later.
The Basics
• Bringing people up to speed
– This is not another talk about the wonders of a simple
local port forward
• What OpenSSH does
– Forwards a shell (w/ transparent X support)
– Forwards a single command (with full stdio)
– Forwards a single TCP port
• “All SSH forwards are non-exclusive and non-transparent figments of userspace”
SSH under Windows
• 1) Install Cygwin from www.cygwin.com
• 2) Create a shortcut to rxvt
– C:\cygwin\bin\rxvt.exe -rv -sl 20000 -fn "Courier-12" -e /usr/bin/bash
• bash doesn’t work under whistler yet, so use zsh if you want to
retain your tab-completion sanity
• 3) Finally enjoy a usable Unix environment under
Win32
• Everything in this talk is cross platform, as long as
you’ve made Windows cross to another platform
Forwarding Shells
• ssh user@host
• Encryption: 3DES/Blowfish/AES
• Authentication: Password, RSA/DSA
– Key Generation
• ssh1: ssh-keygen
• ssh2: ssh-keygen -t dsa
– Key Authorization
• ssh1: cat ~/.ssh/identity.pub | ssh user@host 'umask 077; mkdir -p .ssh; cat >> .ssh/authorized_keys'
• ssh2: cat ~/.ssh/id_dsa.pub | ssh user@host 'umask 077; mkdir -p .ssh; cat >> .ssh/authorized_keys2'
Forwarding Commands
• ssh user@host ls
ssh -t user@host top
• Fully 8 bit clean for most commands; -t allocates an (unclean) TTY for anything that wants to redraw the screen (like top)
• Full STDIO(stdin/stdout/stderr) support
– Allows pipelines across multiple systems
Command Forwarding:
CD Burning Over SSH
• mkisofs reads in files and spits out a burnable
image
• cdrecord burns the image.
– Normal CD Burning
mkisofs -JR files | cdrecord dev=#,#,# speed=# -
– Remote CD Burning
mkisofs -JR files | ssh user@host cdrecord dev=#,#,# speed=# -
– Remote CD Burning From Windows
mkisofs.exe -JR files | ssh.exe user@host cdrecord dev=#,#,# speed=# -
– Remote CD Burning From Windows For Users
• Right Click On Files/Directories, Click Send To, Click CDR.
– Under development; trivial to write
Command Forwarding:
File Transfer w/o SCP
• # GET
alicehost$ ssh alice@bobhost "cat file" > file
# PUT
alicehost$ cat file | ssh alice@bobhost "cat > file"
# LIST
alicehost$ ssh alice@bobhost "ls"
# MGET
alicehost$ ssh alice@bobhost "tar -cf - /etc" | tar -xf -
# RESUME GET
alicehost$ ssh alice@bobhost "tail -c 231244 file" >> file
• Planning on implementing SFTP using nothing
more than these commands
• SCP is just annoying me more and more, though
the syntax is temporarily more convenient
Forwarding Ports
• ssh user@host -L8000:127.0.0.1:80
ssh user@host -R80:127.0.0.1:8000
• Separates into “listener” vs. “location”
– If local listens, the destination is relative to the
remote location
– If remote listens, the destination is relative to
the local location
Limitations on Port Forwards
• By default, only the systems directly
hosting the listener can connect to it
– Local forwards can be made public using the -g option, but remote “gateway ports” must be enabled using GatewayPorts Yes
• Destination locations are unrestricted
Accessing a Port Forward
• Application Layer
– Connect Directly to 127.0.0.1 or “localhost”
• Operating System Layer (“systemspace”)
– Pre-empt DNS lookup in hosts file
• Unix: /etc/hosts
• Win95: \windows\hosts
• WinNT: \WINNT\system32\drivers\etc\hosts
• All forwards must be preannounced, and share the
same IP (127.0.0.1)
Problem:
Static Forwards Are Inflexible
• Work decently only when:
– Each port is only used once
• Passes:
– Mail(smtp, pop3, imap)
– Simple Web(HTTP)
• Fails:
– Web Surfing Multiple Sites (HTTP)
– P2P File Transfer(Napster, Gnutella),
– Ports are predictable in advance
• Fails miserably
– FTP, both Active and Passive
Solution:
Dynamic Forwarding w/ SOCKS
• ssh user@host -D1080
• SOCKS4/5: An in-band protocol header,
nothing more, that allows the client to very
quickly tell a proxy server where its actual
destination was
• SOCKS4 is extraordinarily simple
– ~9 bytes from Client, 8 byte response, and the client
has informed the “proxy” where it actually wants to go!
– “Library Preloads” are excessive
• The idea: Run a trivial SOCKS daemon in the ssh
client; use it to redirect the destination of each
channel.
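Both halves of the SOCKS4 CONNECT exchange the slide describes, as an added example in Python (not code from the slides or from OpenSSH). The client half builds the ~9-byte request an application sends to the -D listener; the proxy half parses it and answers with the 8-byte reply. The SOCKS4a hostname form is included as well, which goes slightly beyond the slide: it is what lets the proxy, rather than the client, resolve the destination. Host and user names in the demo are constructed.

```python
"""SOCKS4 / SOCKS4a CONNECT handshake codec (added example, not OpenSSH code).

Wire layouts (all integers big-endian):
  request : VN=4 | CD=1 | DSTPORT(2) | DSTIP(4) | USERID... | NUL [| HOSTNAME... | NUL]
  reply   : VN=0 | CD   | DSTPORT(2) | DSTIP(4)
With an empty USERID the request is exactly 9 bytes; the reply is always 8.
"""
import socket
import struct

SOCKS4_VERSION = 4
CMD_CONNECT = 1
REPLY_GRANTED = 90
REPLY_REJECTED = 91
_HEADER = struct.Struct("!BBH4s")  # VN, CD, port, 4-byte address


def _ipv4_or_none(host):
    """Return the 4 packed bytes for a dotted-quad literal, else None."""
    try:
        return socket.inet_pton(socket.AF_INET, host)
    except OSError:
        return None


def build_connect_request(host, port, userid=""):
    """Client side: tell the proxy where this channel really wants to go."""
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    packed = _ipv4_or_none(host)
    tail = userid.encode("ascii") + b"\x00"
    if packed is None:
        # SOCKS4a: address 0.0.0.x (x != 0) flags that a NUL-terminated
        # hostname follows, so the proxy resolves it instead of the client.
        packed = b"\x00\x00\x00\x01"
        tail += host.encode("ascii") + b"\x00"
    return _HEADER.pack(SOCKS4_VERSION, CMD_CONNECT, port, packed) + tail


def parse_connect_request(data):
    """Proxy side: decode a request into host, port, userid and the socks4a flag."""
    if len(data) < 9:
        raise ValueError("request too short")
    vn, cd, port, packed = _HEADER.unpack_from(data)
    if vn != SOCKS4_VERSION or cd != CMD_CONNECT:
        raise ValueError(f"unsupported request VN={vn} CD={cd}")
    rest = data[8:]
    nul = rest.find(b"\x00")
    if nul < 0:
        raise ValueError("USERID not terminated")
    userid, rest = rest[:nul].decode("ascii"), rest[nul + 1:]
    socks4a = packed[:3] == b"\x00\x00\x00" and packed[3] != 0
    if socks4a:
        nul = rest.find(b"\x00")
        if nul < 0:
            raise ValueError("SOCKS4a hostname not terminated")
        host = rest[:nul].decode("ascii")
    else:
        host = socket.inet_ntoa(packed)
    return {"host": host, "port": port, "userid": userid, "socks4a": socks4a}


def build_connect_reply(granted, port=0, ip="0.0.0.0"):
    """Proxy side: the fixed 8-byte answer (VN is 0 in replies, not 4)."""
    code = REPLY_GRANTED if granted else REPLY_REJECTED
    return _HEADER.pack(0, code, port, socket.inet_aton(ip))


def parse_connect_reply(data):
    """Client side: decode the reply; only CD=90 means the channel is open."""
    if len(data) < 8:
        raise ValueError("reply too short")
    vn, code, port, packed = _HEADER.unpack_from(data)
    if vn != 0:
        raise ValueError(f"bad reply version {vn}")
    return {"granted": code == REPLY_GRANTED, "code": code,
            "port": port, "ip": socket.inet_ntoa(packed)}


if __name__ == "__main__":
    # Constructed exchange: an application asks the ssh -D listener for
    # www-internal:80; the proxy half parses it and answers "granted".
    req = build_connect_request("www-internal", 80, userid="alice")
    print("client ->", req.hex(), parse_connect_request(req))
    rep = build_connect_reply(True, 80, "10.1.0.1")
    print("proxy  ->", rep.hex(), parse_connect_reply(rep))
```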
Dynamic Forwarding:
Application Support
• Most major Windows applications support
SOCKS proxies directly
– Internet Explorer, CuteFTP, IM Clients, P2P
Clients(Napster, Gnutella)
– Dialpad (Voice over IP to a telephone for free over
SSH!)
• SocksCap32 can be used to “Socksify” remaining
apps on Windows
– Outlook Express, LeechFTP, Media Player, etc.
• Unix applications can be reasonably socksified too
Dynamic Forwarding:
Faults In The Hack
• No Network Isolation
– Though this, of course, is “trusting the client”,
there’s still value in a client itself volunteering
to ignore all communications not through the
VPN “solution”.
• No Unified Configuration and Management
Interface
– Fixable, should this become popular.
Dynamic Forwarding:
THE BIG PROBLEM
• Server Freeze
• Most SSH servers will temporarily block (lock up) if you attempt to open a channel to a host that either doesn’t exist or cannot be resolved
• General purpose solutions to this get…ugly.
– OpenSSH has fewer problems in this arena
• OpenSSH has no inherent SOCKS client
support – cannot easily connect to dynamic
port forwards
ProxyCommand:
Blind Proxying w/ SSH
• ssh -o 'ProxyCommand arbitrary_tool proxy %u %h %p' user@10.1.0.1
• A ProxyCommand is an arbitrary tool that,
after it finishes executing, leads to an 8 bit
clean path to an SSH daemon
– OpenSSH's excuse for SOCKS support :-)
• Allows end-to-end crypto through any 8bit
clean link
– Like SSL over HTTP Connect
Wire Mode:
Facilitating Self-Proxying SSH
• ssh user@proxy -Whost:22
• ProxyCommand needs an 8 bit path
• SSH exists to provide 8 bit paths
– Correct Method: Open a local port forward, use
glue code to directly connect it to ttyless stdio
code
– Cheap Hack Method: Translate -Whost:22 into “nc host 22”
Using netcat-based Wire Mode
• ssh -o 'ProxyCommand ssh user@proxy "nc %h %p"' user@server
• Completely unusable
• Alternative Syntax Under Development
– ssh -B proxy user@server
– ssh proxy/user@server
• Competes with:
– ssh user@proxy
proxy$ ssh user@server
• The PROXY authenticates
• The PROXY decrypts
• The PROXY is Internet accessible
• If the Proxy gets hacked, the network is toast.
No Internet Accessible Bastion
Proxy: Now What?
• proxy$ ssh user@client -R2022:127.0.0.1:22
client$ ssh user@127.0.0.1 -p 2022 -o "HostKeyAlias proxy" -L8000:www-internal:80
or (in upcoming builds, hopefully)
client$ ssh user@proxy/2022 -L8000:www-internal:80
• Turns inability to trust into irrelevancy of trust
– Negative: “You can’t trust the addresses of x, y, or z!”
– Positive: “It doesn’t matter if you think you’re talking
to the addresses of x, y, or z.”
• MUST CHECK HOSTKEY – it’ll work even if
you don’t
Cross-Connecting Mutually
Firewalled Hosts
• server$ ssh proxyuser@proxy
-R10022:127.0.0.1:22
client$ ssh -o 'ProxyCommand ssh proxyuser2@proxy "nc 127.0.0.1 10022"' user@server
or in my syntax
client$ ssh proxyuser2@proxy/10022 user@server
• Again, as long as IP addresses cannot be
trusted, it doesn’t matter that you’re talking
to the proxy and connecting through one of
its ports.
Fixing Port Forwards:
Defaults
• ssh -L143 -> ssh -L143:127.0.0.1:143
ssh -Lfoo -> ssh -L22:foo:22
ssh -R2022: -> ssh -R2022:127.0.0.1:22
• Begin with a default of 22:127.0.0.1:22, do
some moderately painful string parsing in
C, and actually end up with a decently
compressed syntax
• Would forwarding ranges be useful, i.e. ssh
-L7000-7020 ?
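The default-filling expansion these slides describe, as an added example in Python (not the author's C parser and not OpenSSH code). It applies the three rules shown above, starting from 22:127.0.0.1:22, and also takes up the range question by expanding 7000-7020 into one forward per port; the function names are assumptions, the host names are the slides' own.

```python
"""Expand the compressed -L/-R syntax the slide proposes (added example, not OpenSSH code).

Rules, starting from the default 22:127.0.0.1:22:
  143                   -> 143:127.0.0.1:143   (bare port mirrors itself)
  foo                   -> 22:foo:22           (bare name is the destination host)
  2022:                 -> 2022:127.0.0.1:22   (trailing colon keeps the default dest port)
  7000-7020             -> one forward per port in the range (the slide's open question)
  8000:www-internal:80  is already the full form and passes through unchanged.
"""
import re

DEFAULT_LISTEN_PORT = 22
DEFAULT_HOST = "127.0.0.1"
DEFAULT_DEST_PORT = 22
_RANGE = re.compile(r"^(\d+)-(\d+)$")


def _parse_port(text):
    if not text.isdigit() or not 0 < int(text) < 65536:
        raise ValueError(f"bad port: {text!r}")
    return int(text)


def _listen_ports(text):
    """A listener field is one port or an inclusive range 'lo-hi'."""
    m = _RANGE.match(text)
    if not m:
        return [_parse_port(text)]
    lo, hi = _parse_port(m.group(1)), _parse_port(m.group(2))
    if lo > hi:
        raise ValueError(f"range out of order: {text!r}")
    return list(range(lo, hi + 1))


def expand_forward(spec):
    """Return the full 'listen:host:port' form(s) for one compressed spec."""
    fields = spec.split(":")
    if len(fields) > 3:
        raise ValueError(f"too many fields in {spec!r}")
    if len(fields) == 1:
        token = fields[0]
        if token.isdigit() or _RANGE.match(token):
            # bare port or range: listen there and mirror the port at the destination
            listens, host, dest = _listen_ports(token), DEFAULT_HOST, None
        elif token:
            # bare name (or dotted quad): it is the destination host, ports default
            listens, host, dest = [DEFAULT_LISTEN_PORT], token, DEFAULT_DEST_PORT
        else:
            raise ValueError("empty forward specification")
    else:
        listens = _listen_ports(fields[0]) if fields[0] else [DEFAULT_LISTEN_PORT]
        host = fields[1] or DEFAULT_HOST
        dest = _parse_port(fields[2]) if len(fields) == 3 and fields[2] else DEFAULT_DEST_PORT
    return [f"{p}:{host}:{p if dest is None else dest}" for p in listens]


def expand_argv(argv):
    """Rewrite attached -L<spec>/-R<spec> options in an ssh argv (the detached
    '-L spec' form is left alone); a range becomes several options."""
    out = []
    for arg in argv:
        if len(arg) > 2 and arg[:2] in ("-L", "-R"):
            out.extend(arg[:2] + full for full in expand_forward(arg[2:]))
        else:
            out.append(arg)
    return out


if __name__ == "__main__":
    for spec in ("143", "foo", "2022:", "7000-7002", "8000:www-internal:80"):
        print(f"{spec:<22} -> {expand_forward(spec)}")
    print(expand_argv(["ssh", "-L143", "-R2022:", "user@host"]))
```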
Expanding Escape Syntax
• noname# ~?
Supported escape sequences:
~. - terminate connection
~R - Request rekey (SSH protocol 2 only)
~^Z - suspend ssh
~# - list forwarded connections
~& - background ssh (when waiting for connections to
terminate)
~? - this message
~~ - send the escape character by typing it twice
(Note that escapes are only recognized immediately after
newline.)
• Eventual goal: Port both ssh_config syntax and
ssh command line syntax to the escape character
mode
– Allow on-demand things like activation of X
forwarding
Secure SU:
The Battle Against Direct Root
• Most “security gurus” will decry direct root login
– Holdover from the battle against admins doing
everything as root
– SU is a painless enough context switch
• If it hurts to switch, people will just do it all as root
– Advantages to being forced to switch accounts
• Inertia
• Emotion – significance of the action is emphasized
• Accounting – logs show who used root
– Even though it essentially reduces the security of the
root account to the security of the Alice account, even
OpenBSD (2.7, at least) still exhorts users not to ssh
directly to root, and instead to use SU.
Secure SU:
The Near-Perfect Compromise
• alicehost$ ssh alice@bobhost -t "su -l root"
or in my syntax
ssh alice+root@bobhost
• SSHD creates a secure execution environment
when commands are explicitly specified
– Shell configuration files not loaded
– su, as a setuid app, can’t generally be traced by
ordinary users
• User logs in as normal, is safely prompted for the
root password, gets a root shell without having to
“slum” in through insecure space
Secure SU:
Developing: Individuated Root
• Individual Public Keys For Root Access
– Nobody learns root password
• authorized_keys contains list of identities allowed to connect
as root to the system
– SSHD modified to log who connected to root
– Scales to multiple security-critical accounts
• Root can modify its own authorized_keys, but other accounts
could have root owned, root readable authorized_keys files.
• Individual Root Accounts
– Multiple accounts all set to same UID, but with
different passwords
• Alice_Root, Bob_Root, etc.
– Really only works for root
SLIRP/PPTP over SSH:
Starting with PPPD
• PPPD: Standard Unix PPP Server
– Generally creates an interface on its host called ppp#
– Sets up a bidirectional route—works as an
infrastructure-level datapath
– Addressing can be manually or automatically
negotiated
– Standard Dialup Protocol
• Command Forwarding allows remote PPPD to
cleanly talk to local PPPD, thus creating a Host-To-Host VPN between two hosts
– Requires root on both
– “PPP over SSH”
SLIRP/PPTP over SSH:
SLIRPing a way
• SLIRP: User Mode NAT
– Written around 1995
– Amazingly useful to this day—doesn’t require root!
– Converts any 8 bit clean shell into a PPP server, NATs
the incoming TCP/UDP/ICMP and opens the necessary
sockets on the shell server
– Command Forwarding SLIRP instead of PPPD into
local PPPD requires root on only one host, but only the
host running PPPD gets an OS-level route
• Useful, but dangerous: you’re trusting the server not to replace SLIRP with a hacked version that gives it a path back through your ready-and-willing PPPD.
SLIRP/PPTP over SSH:
PPP over PPTP
• PPTP: Point to Point Protocol
– Encapsulates PPP(Layer 2) inside of a GRE(Layer 3)
Tunnel, allowing TCP/UDP/ICMP(Layer 4) traffic to
pass
• Try not to wrap your brain around this
– Created by Microsoft as a VPN Solution
• Version one was…infamously flawed. Version two is
somewhat better, but not widely trusted.
• Client ships with and is integrated into Windows 98/Me/2000
– Stable Interface
– Network Isolation
– Good UI
– SSH cannot forward GRE internally
SLIRP/PPTP over SSH:
PoPToP Puts It Together
• PoPToP: Unix PPTP Daemon
– Implements GRE encapsulation only
• Doesn’t re-implement PPP!
• Executes PPPD or SLIRP inside of GRE
• Who says the daemon needs to be local?
• End Result
– Windows 98 connects to user bastion host using PPTP
– PoPToP strips GRE header, goes to execute PPP
daemon
– SSH cleanly forwards a SLIRP command run as a user
on a remote bastion host into PoPToP
– Windows 98 isolates itself and experiences remote
SLIRP/PPTP over SSH:
HowTo
• The really lazy way
– Used when source is closed but the binary app shells
out to some external binary
– Really really lazy for PoPToP because it’s open source
– mv /usr/bin/slirp slirp_binary
echo '#!/bin/sh' > /usr/bin/slirp
echo 'ssh user@host slirp_binary' >> /usr/bin/slirp
chmod +x /usr/bin/slirp
• The less lazy way
– Modify PoPToP to execute ‘ssh user@host slirp’
instead of ‘slirp’;
• Should be noted that there’s *no* authentication
to this link inside the PPTP network
Conclusion
• ssh is powerful
• ssh is flexible
• ssh is fun.
• any questions? any requests?

Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...panagenda
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 

Kürzlich hochgeladen (20)

The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 

Command Forwarding: CD Burning Over SSH
• mkisofs reads in files and spits out a burnable image
• cdrecord burns the image.
– Normal CD Burning
mkisofs -JR files | cdrecord dev=#,#,# speed=# -
– Remote CD Burning
mkisofs -JR files | ssh user@host cdrecord dev=#,#,# speed=# -
– Remote CD Burning From Windows
mkisofs.exe -JR files | ssh.exe user@host cdrecord dev=#,#,# speed=# -
– Remote CD Burning From Windows For Users
• Right Click On Files/Directories, Click Send To, Click CDR.
– Under development; trivial to write

Command Forwarding: File Transfer w/o SCP
• # GET
alicehost$ ssh alice@bobhost "cat file" > file
# PUT
alicehost$ cat file | ssh alice@bobhost "cat > file"
# LIST
alicehost$ ssh alice@bobhost "ls"
# MGET
alicehost$ ssh alice@bobhost "tar -cf - /etc" | tar -xf -
# RESUME GET
alicehost$ ssh alice@bobhost "tail -c 231244 file" >> file
• Planning on implementing SFTP using nothing more than these commands
• SCP is just annoying me more and more, though the syntax is temporarily more convenient

Forwarding Ports
• ssh user@host -L8000:127.0.0.1:80
ssh user@host -R80:127.0.0.1:8000
• Separates into “listener” vs. “location”
– If local listens, the destination is relative to the remote location
– If remote listens, the destination is relative to the local location

Limitations on Port Forwards
• By default, only the system directly hosting the listener can connect to it
– Local forwards can be made public using the -g option, but remote “gateway ports” must be enabled on the server using GatewayPorts Yes
• Destination locations are unrestricted

Accessing a Port Forward
• Application Layer
– Connect directly to 127.0.0.1 or “localhost”
• Operating System Layer (“systemspace”)
– Pre-empt the DNS lookup in the hosts file
• Unix: /etc/hosts
• Win95: \windows\hosts
• WinNT: \WINNT\system32\drivers\etc\hosts
• All forwards must be preannounced, and share the same IP (127.0.0.1)

Problem: Static Forwards Are Inflexible
• Work decently only when:
– Each port is only used once
• Passes: Mail (smtp, pop3, imap), Simple Web (HTTP)
• Fails: Web Surfing Multiple Sites (HTTP), P2P File Transfer (Napster, Gnutella)
– Ports are predictable in advance
• Fails miserably: FTP, both Active and Passive

Solution: Dynamic Forwarding w/ SOCKS
• ssh user@host -D1080
• SOCKS4/5: An in-band protocol header, nothing more, that allows the client to very quickly tell a proxy server where its actual destination is
• SOCKS4 is extraordinarily simple
– ~9 bytes from the client, an 8 byte response, and the client has informed the “proxy” where it actually wants to go!
– “Library Preloads” are excessive
• The idea: Run a trivial SOCKS daemon in the ssh client; use it to redirect the destination of each channel.
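The “~9 bytes from the client, 8 byte response” exchange, written out as an added example (this is not code from the talk or from OpenSSH; it is a stand-alone framing of SOCKS4 CONNECT of the kind the SOCKS daemon inside `ssh -D` speaks). It goes one step beyond the slide by also handling the SOCKS4a extension, in which a client that cannot resolve a name sends DSTIP 0.0.0.x plus the hostname so that resolution happens at the far end of the tunnel. `socks_connect` is the client-side helper a socksified application would use; the proxy address `("127.0.0.1", 1080)` in its docstring is assumed from the slide's `-D1080`.

```python
"""SOCKS4/SOCKS4a CONNECT framing as spoken to `ssh -D` (added example, not from the talk)."""
import re
import socket
import struct

SOCKS_VERSION = 4
CMD_CONNECT = 1
REPLY_GRANTED = 0x5A    # 90: request granted
REPLY_REJECTED = 0x5B   # 91: request rejected or failed
_KNOWN_REPLIES = (0x5A, 0x5B, 0x5C, 0x5D)
_DOTTED_QUAD = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def build_connect_request(host, port, userid=b""):
    """Client side: 8 fixed bytes (VN, CD, DSTPORT, DSTIP) + NUL-terminated USERID.

    With an empty USERID that is exactly the 9 bytes the slide counts.  If `host`
    is not a dotted quad, the SOCKS4a form is used: DSTIP = 0.0.0.1 and the
    hostname follows the USERID, leaving name resolution to the proxy.
    """
    if _DOTTED_QUAD.match(host):
        dstip, tail = socket.inet_aton(host), b""
    else:
        dstip, tail = b"\x00\x00\x00\x01", host.encode("ascii") + b"\x00"
    header = struct.pack("!BBH4s", SOCKS_VERSION, CMD_CONNECT, port, dstip)
    return header + userid + b"\x00" + tail


def parse_connect_request(data):
    """Proxy side: recover (host, port, userid) from a CONNECT request."""
    if len(data) < 9:
        raise ValueError("SOCKS4 request too short")
    vn, cd, port, dstip = struct.unpack("!BBH4s", data[:8])
    if vn != SOCKS_VERSION or cd != CMD_CONNECT:
        raise ValueError("not a SOCKS4 CONNECT request")
    userid, _, rest = data[8:].partition(b"\x00")
    if dstip[:3] == b"\x00\x00\x00" and dstip[3] != 0:
        # SOCKS4a: a hostname trails the USERID; the proxy resolves it
        hostname, _, _ = rest.partition(b"\x00")
        host = hostname.decode("ascii")
    else:
        host = socket.inet_ntoa(dstip)
    return host, port, userid.decode("ascii", "replace")


def build_reply(granted):
    """Proxy side: the fixed 8-byte reply; VN is 0 and DSTPORT/DSTIP are ignored."""
    cd = REPLY_GRANTED if granted else REPLY_REJECTED
    return struct.pack("!BBH4s", 0, cd, 0, b"\x00\x00\x00\x00")


def parse_reply(data):
    """Client side: True if the proxy granted the channel, False if it refused."""
    if len(data) != 8:
        raise ValueError("SOCKS4 reply must be exactly 8 bytes")
    vn, cd, _, _ = struct.unpack("!BBH4s", data)
    if vn != 0 or cd not in _KNOWN_REPLIES:
        raise ValueError("malformed SOCKS4 reply")
    return cd == REPLY_GRANTED


def socks_connect(proxy_addr, host, port, timeout=10):
    """Open a TCP stream to host:port through a SOCKS4 proxy such as the one
    `ssh user@host -D1080` runs at proxy_addr = ("127.0.0.1", 1080) (assumed).
    Returns the connected socket; application bytes then flow through the ssh channel."""
    s = socket.create_connection(proxy_addr, timeout=timeout)
    try:
        s.sendall(build_connect_request(host, port))
        reply = b""
        while len(reply) < 8:
            chunk = s.recv(8 - len(reply))
            if not chunk:
                raise ConnectionError("proxy closed the connection before replying")
            reply += chunk
        if not parse_reply(reply):
            raise ConnectionError("SOCKS4 proxy rejected CONNECT to %s:%d" % (host, port))
    except Exception:
        s.close()
        raise
    return s
```

Because the request carries no authentication beyond the free-form USERID, anything that can reach the `-D` listener can open channels through the tunnel; this is why the default of binding the listener to 127.0.0.1 only (see the GatewayPorts / `-g` slide) matters.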
Dynamic Forwarding: Application Support
• Most major Windows applications support SOCKS proxies directly
– Internet Explorer, CuteFTP, IM Clients, P2P Clients (Napster, Gnutella)
– Dialpad (Voice over IP to a telephone for free over SSH!)
• SocksCap32 can be used to “Socksify” remaining apps on Windows
– Outlook Express, LeechFTP, Media Player, etc.
• Unix applications can be reasonably socksified too

Dynamic Forwarding: Faults In The Hack
• No Network Isolation
– Though this, of course, is “trusting the client”, there’s still value in a client itself volunteering to ignore all communications not through the VPN “solution”.
• No Unified Configuration and Management Interface
– Fixable, should this become popular.

Dynamic Forwarding: THE BIG PROBLEM
• Server Freeze
• Most SSH servers will temporarily block (lock up) if you attempt to open a channel to a host that either doesn’t exist or cannot be resolved
• General purpose solutions to this get…ugly.
– OpenSSH has fewer problems in this arena
• OpenSSH has no inherent SOCKS client support
– cannot easily connect to dynamic port forwards

ProxyCommand: Blind Proxying w/ SSH
• ssh -o 'ProxyCommand arbitrary_tool proxy %u %h %p' user@10.1.0.1
• A ProxyCommand is an arbitrary tool that, after it finishes executing, leads to an 8 bit clean path to an SSH daemon
– OpenSSH's excuse for SOCKS support :-)
• Allows end-to-end crypto through any 8 bit clean link
– Like SSL over HTTP CONNECT

Wire Mode: Facilitating Self-Proxying SSH
• ssh user@proxy -Whost:22
• ProxyCommand needs an 8 bit path
• SSH exists to provide 8 bit paths
– Correct Method: Open a local port forward, use glue code to directly connect it to the ttyless stdio code
– Cheap Hack Method: Translate -Whost:22 into “nc host 22”

Using netcat-based Wire Mode
• ssh -o 'ProxyCommand ssh user@proxy "nc %h %p"' user@server
• Completely unusable
• Alternative Syntax Under Development
– ssh -B proxy user@server
– ssh proxy/user@server
• Competes with:
– ssh user@proxy
proxy$ ssh user@server
• The PROXY authenticates
• The PROXY decrypts
• The PROXY is Internet accessible
• If the Proxy gets hacked, the network is toast.

No Internet Accessible Bastion Proxy: Now What?
• proxy$ ssh user@client -R2022:127.0.0.1:22
client$ ssh user@127.0.0.1 -p 2022 -o "HostKeyAlias proxy" -L8000:www-internal:80
or (in upcoming builds, hopefully)
client$ ssh user@proxy/2022 -L8000:www-internal:80
• Turns inability to trust into irrelevancy of trust
– Negative: “You can’t trust the addresses of x, y, or z!”
– Positive: “It doesn’t matter if you think you’re talking to the addresses of x, y, or z.”
• MUST CHECK HOSTKEY – it’ll work even if you don’t
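What “MUST CHECK HOSTKEY” amounts to when the connection goes to 127.0.0.1 but `HostKeyAlias proxy` is set: the key offered on the forwarded port is compared against the known_hosts entry for the alias, not for the address. The following is an added example, not code from the talk or from OpenSSH; it performs the same lookup over a constructed known_hosts file (the key blobs are placeholders, not real host keys) and supports both plain and `HashKnownHosts`-style `|1|salt|hmac` host fields. The alias `proxy` and the hostname `server` are taken from the slide's scenario; the salt and key strings are constructed here.

```python
"""known_hosts lookup of the kind HostKeyAlias drives (added example, not OpenSSH code)."""
import base64
import hashlib
import hmac

# Constructed sample data: placeholder key blobs, not real host keys.
SAMPLE_ALIAS = "proxy"
SAMPLE_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY00000000000000000000000001"
SAMPLE_RSA_KEY = "AAAAB3PLACEHOLDERRSAKEY000000000000000000000000000000"


def hashed_hostname(hostname, salt):
    """Render a hostname as `HashKnownHosts yes` does: |1|base64(salt)|base64(HMAC-SHA1)."""
    digest = hmac.new(salt, hostname.encode("ascii"), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts (placeholder keys)",
    "proxy,proxy.example.internal ssh-ed25519 " + SAMPLE_KEY,
    hashed_hostname("server", b"\x01" * 20) + " ssh-rsa " + SAMPLE_RSA_KEY,
])


def _hostfield_matches(field, hostname):
    """A host field is a comma-separated list of plain names or hashed entries."""
    for pattern in field.split(","):
        if pattern.startswith("|1|"):
            _, _, salt_b64, _ = pattern.split("|")
            expected = hashed_hostname(hostname, base64.b64decode(salt_b64))
            if hmac.compare_digest(expected, pattern):
                return True
        elif pattern == hostname:
            return True
    return False


def lookup_known_host(known_hosts_text, hostname):
    """Return {keytype: key} for every entry whose host field names `hostname`."""
    keys = {}
    for line in known_hosts_text.splitlines():
        line = line.strip()
        # blank lines, comments and @cert-authority/@revoked marker lines are skipped here
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        hostfield, keytype, key = parts[0], parts[1], parts[2]
        if _hostfield_matches(hostfield, hostname):
            keys[keytype] = key
    return keys


def check_host_key(known_hosts_text, alias, offered_type, offered_key):
    """The decision ssh makes with HostKeyAlias=alias on a 127.0.0.1 forward.

    "ok"       the offered key equals the stored key for the alias
    "unknown"  no stored key of that type for the alias (ssh would prompt)
    "mismatch" a stored key exists and differs (ssh refuses to connect)
    """
    expected = lookup_known_host(known_hosts_text, alias).get(offered_type)
    if expected is None:
        return "unknown"
    return "ok" if hmac.compare_digest(expected, offered_key) else "mismatch"
```

The point of the alias is visible in the last function: without `HostKeyAlias`, ssh would file the key under `[127.0.0.1]:2022`, which is the very address the slide says cannot be trusted, and a second reverse forward from a different machine on the same port would raise a mismatch against the wrong entry rather than against the bastion's known key.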
Cross-Connecting Mutually Firewalled Hosts
• server$ ssh proxyuser@proxy -R10022:127.0.0.1:22
client$ ssh -o 'ProxyCommand ssh proxyuser2@proxy "nc 127.0.0.1 10022"' user@server
or in my syntax
client$ ssh proxyuser2@proxy/10022 user@server
• Again, as long as IP addresses cannot be trusted, it doesn’t matter that you’re talking to the proxy and connecting through one of its ports.

Fixing Port Forwards: Defaults
• ssh -L143 -> ssh -L143:127.0.0.1:143
ssh -Lfoo -> ssh -L22:foo:22
ssh -R2022: -> ssh -R2022:127.0.0.1:22
• Begin with a default of 22:127.0.0.1:22, do some moderately painful string parsing in C, and actually end up with a decently compressed syntax
• Would forwarding ranges be useful, i.e. ssh -L7000-7020 ?
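The “start from 22:127.0.0.1:22 and fill in what was given” rule, as an added example written in Python rather than the C the slide mentions. This is not the talk's patch and not OpenSSH's own grammar (OpenSSH kept the explicit `port:host:hostport` form); the three expansions on the slide are implemented as stated, the two-field form `listener:host` (host given, hostport defaulted) and the range expansion `7000-7020` are this example's own assumptions about the proposed syntax, and `render_forward` turns the result back into the explicit argument ssh actually accepts.

```python
"""Shorthand -L/-R expansion proposed on the slide (added example; not OpenSSH's grammar)."""
import re

DEFAULT_PORT = 22
DEFAULT_HOST = "127.0.0.1"
_RANGE = re.compile(r"^(\d+)-(\d+)$")


def _port(text, default):
    """Empty field -> default; otherwise a valid TCP port number."""
    if text == "":
        return default
    if not text.isdigit() or not 1 <= int(text) <= 65535:
        raise ValueError("bad port %r" % text)
    return int(text)


def expand_forward(spec):
    """Fill a forward spec from the default 22:127.0.0.1:22.

    "143"                 -> (143, "127.0.0.1", 143)   one port: same port both ends
    "foo"                 -> (22, "foo", 22)           one host: port 22 at both ends
    "2022:"               -> (2022, "127.0.0.1", 22)   listener given, rest defaulted
    "8000:www-internal"   -> (8000, "www-internal", 22) assumption: hostport defaulted
    "8000:www-internal:80" passes through unchanged
    Returns (listen_port, host, hostport).
    """
    fields = spec.split(":")
    if len(fields) == 1:
        if fields[0] == "":
            raise ValueError("empty forward spec")
        if fields[0].isdigit():
            port = _port(fields[0], DEFAULT_PORT)
            return port, DEFAULT_HOST, port
        return DEFAULT_PORT, fields[0], DEFAULT_PORT
    if len(fields) == 2:
        listen, host = fields
        return _port(listen, DEFAULT_PORT), host or DEFAULT_HOST, DEFAULT_PORT
    if len(fields) == 3:
        listen, host, hostport = fields
        return (_port(listen, DEFAULT_PORT), host or DEFAULT_HOST,
                _port(hostport, DEFAULT_PORT))
    raise ValueError("too many fields in forward spec %r" % spec)


def expand_forwards(spec):
    """Like expand_forward, but a range in the first field ("7000-7020" or
    "7000-7020:host") yields one forward per port, each port mapped to itself."""
    first, _, rest = spec.partition(":")
    m = _RANGE.match(first)
    if not m:
        return [expand_forward(spec)]
    lo, hi = int(m.group(1)), int(m.group(2))
    if not (1 <= lo <= hi <= 65535):
        raise ValueError("bad port range %r" % first)
    if ":" in rest:
        raise ValueError("a range cannot be combined with an explicit hostport")
    host = rest or DEFAULT_HOST
    return [(p, host, p) for p in range(lo, hi + 1)]


def render_forward(fwd):
    """Explicit listen:host:hostport form, i.e. what real ssh -L/-R wants."""
    listen, host, hostport = fwd
    return "%d:%s:%d" % (listen, host, hostport)


def ssh_args(flag, spec):
    """Argument list for subprocess, e.g. ssh_args("-L", "7000-7002")
    -> ["-L", "7000:127.0.0.1:7000", "-L", "7001:127.0.0.1:7001", ...]."""
    out = []
    for fwd in expand_forwards(spec):
        out += [flag, render_forward(fwd)]
    return out
```

Note that `-Lfoo` expands to a listener on local port 22, which needs root and collides with a local sshd; the slide chose the default, the example only reproduces it.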
Expanding Escape Syntax
• noname# ~?
Supported escape sequences:
~. - terminate connection
~R - Request rekey (SSH protocol 2 only)
~^Z - suspend ssh
~# - list forwarded connections
~& - background ssh (when waiting for connections to terminate)
~? - this message
~~ - send the escape character by typing it twice
(Note that escapes are only recognized immediately after newline.)
• Eventual goal: Port both ssh_config syntax and ssh command line syntax to the escape character mode
– Allow on-demand things like activation of X forwarding

Secure SU: The Battle Against Direct Root
• Most “security gurus” will decry direct root login
– Holdover from the battle against admins doing everything as root
– SU is a painless enough context switch
• If it hurts to switch, people will just do it all as root
– Advantages to being forced to switch accounts
• Inertia
• Emotion – significance of the action is emphasized
• Accounting – logs show who used root
– Even though it essentially reduces the security of the root account to the security of the Alice account, even OpenBSD (2.7, at least) still exhorts users not to ssh directly to root, and instead to use SU.

Secure SU: The Near-Perfect Compromise
• alicehost$ ssh alice@bobhost -t "su -l root"
or in my syntax
ssh alice+root@bobhost
• SSHD creates a secure execution environment when commands are explicitly specified
– Shell configuration files not loaded
– su, as a setuid app, can’t generally be traced by ordinary users
• User logs in as normal, is safely prompted for the root password, gets a root shell without having to “slum” in through insecure space

Secure SU: Developing: Individuated Root
• Individual Public Keys For Root Access
– Nobody learns the root password
• authorized_keys contains the list of identities allowed to connect as root to the system
– SSHD modified to log who connected to root
– Scales to multiple security-critical accounts
• Root can modify its own authorized_keys, but other accounts could have root owned, root readable authorized_keys files.
• Individual Root Accounts
– Multiple accounts all set to the same UID, but with different passwords
• Alice_Root, Bob_Root, etc.
– Really only works for root

SLIRP/PPTP over SSH: Starting with PPPD
• PPPD: Standard Unix PPP Server
– Generally creates an interface on its host called ppp#
– Sets up a bidirectional route—works as an infrastructure-level datapath
– Addressing can be manually or automatically negotiated
– Standard Dialup Protocol
• Command Forwarding allows a remote PPPD to cleanly talk to a local PPPD, thus creating a Host-To-Host VPN between two hosts
– Requires root on both
– “PPP over SSH”

SLIRP/PPTP over SSH: SLIRPing a way
• SLIRP: User Mode NAT
– Written around 1995
– Amazingly useful to this day—doesn’t require root!
– Converts any 8 bit clean shell into a PPP server, NATs the incoming TCP/UDP/ICMP and opens the necessary sockets on the shell server
– Command Forwarding SLIRP instead of PPPD into the local PPPD requires root on only one host, but only the host running PPPD gets an OS-level route
• Useful, but dangerous--you’re trusting the server not to replace SLIRP with a hacked version that gives them a path back through your ready-and-willing PPPD.

SLIRP/PPTP over SSH: PPP over PPTP
• PPTP: Point-to-Point Tunneling Protocol
– Encapsulates PPP (Layer 2) inside of a GRE (Layer 3) Tunnel, allowing TCP/UDP/ICMP (Layer 4) traffic to pass
• Try not to wrap your brain around this
– Created by Microsoft as a VPN Solution
• Version one was…infamously flawed. Version two is somewhat better, but not widely trusted.
• Client ships with and is integrated into Windows 98/Me/2000
– Stable Interface
– Network Isolation
– Good UI
– SSH cannot forward GRE internally

SLIRP/PPTP over SSH: PoPToP Puts It Together
• PoPToP: Unix PPTP Daemon
– Implements GRE encapsulation only
• Doesn’t re-implement PPP!
• Executes PPPD or SLIRP inside of GRE
• Who says the daemon needs to be local?
• End Result
– Windows 98 connects to the user bastion host using PPTP
– PoPToP strips the GRE header, goes to execute the PPP daemon
– SSH cleanly forwards a SLIRP command run as a user on a remote bastion host into PoPToP
– Windows 98 isolates itself and experiences remote

SLIRP/PPTP over SSH: HowTo
• The really lazy way
– Used when source is closed but the binary app shells out to some external binary
– Really really lazy for PoPToP because it’s open source
– mv /usr/bin/slirp slirp_binary
echo '#!/bin/sh' >> /usr/bin/slirp
echo 'ssh user@host slirp_binary' >> /usr/bin/slirp
chmod +x /usr/bin/slirp
• The less lazy way
– Modify PoPToP to execute 'ssh user@host slirp' instead of 'slirp'
• Should be noted that there’s *no* authentication to this link inside the PPTP network

Conclusion
• ssh is powerful
• ssh is flexible
• ssh is fun.
• any questions? any requests?