WEBVTT

00:00.390 --> 00:03.210
Applications are everywhere now.

00:03.270 --> 00:08.990
The first question to ask you is what is an application and how do we attack it.

00:09.000 --> 00:15.330
Now if you're an old guy like me an application was something that came on a CD and you installed it

00:15.330 --> 00:21.120
on your machine or you downloaded it from the Internet and then you went through some installation process

00:21.360 --> 00:25.580
and that's certainly an application and lots of organizations still do stuff like that.

00:25.680 --> 00:30.720
Lots of in-house applications for database work or whatever they might have.

00:31.050 --> 00:36.420
But I want to stress that there is an entire other class of applications where I'm talking about our

00:36.420 --> 00:37.350
web apps.

00:37.350 --> 00:45.780
So today with things like Google Maps or Dropbox or even slither dot IO are all applications in a very

00:45.780 --> 00:47.040
real sense of the word.

00:47.130 --> 00:49.680
But we access them through the web itself.

00:49.680 --> 00:54.820
Now in this episode I want to talk about attacking apps in a generic way.

00:54.930 --> 01:00.390
So we're just going to talk about some conceptual ideas of how apps are attacked but I'm going to save

01:00.420 --> 01:06.060
the whole discussion of web apps in a completely separate episode so let's keep it kind of generic at

01:06.060 --> 01:08.990
this point as we talk about attacking apps.

01:09.000 --> 01:15.480
Now the first thing a lot of people ask me is what Mike how do we attack an application when it's easy.

01:15.480 --> 01:17.280
It depends on the application.

01:17.370 --> 01:22.650
If it's a web app I can usually just type something that you are Ehle box that's weird that the server

01:22.650 --> 01:28.590
isn't anticipating or I might have a form that pops up and I can type something weird into a form that

01:28.590 --> 01:34.530
causes havoc or if I really want to be evil I can grab my colleague Linux and there's lots and lots

01:34.530 --> 01:41.310
of injection tools built into that toolset that allow me to create all kinds of naughty things that

01:41.310 --> 01:42.030
I might want to do.

01:42.030 --> 01:46.860
So there's lots and lots of different ways to actually attack an application.

01:46.860 --> 01:52.200
So what I want to concentrate on though right now is how do we actually do these attacks.

01:52.230 --> 01:56.520
And I'd like to start with probably one of the most common and most popular injection attacks

02:01.260 --> 02:09.840
an injection attack simply means that you add some extra stuff into your input into an application that

02:09.840 --> 02:11.790
does potentially naughty things.

02:11.790 --> 02:14.770
Now there's a lot of different ways to do injection attacks.

02:14.850 --> 02:20.610
And the first one I want to talk about is what I'm going to call a code injection a code injection simply

02:20.610 --> 02:27.510
means that somehow you add extra code to the application to make it do stuff that it isn't designed

02:27.510 --> 02:27.870
to do.

02:27.960 --> 02:31.470
There's lots of examples of this but right here is one of my favorites.

02:31.500 --> 02:36.120
This is a fellow named Seth bling who took a super any system.

02:36.180 --> 02:38.110
This was in 2016.

02:38.160 --> 02:44.400
So he takes a super NEA system and taken advantage of vulnerabilities in the super And yes he literally

02:44.550 --> 02:50.630
clicks around using the controllers and adds code and changes.

02:50.700 --> 02:55.030
This Super Mario Brothers game into flappy birds.

02:55.080 --> 03:02.560
Now a command injection uses the application to get to the underlying operating system.

03:02.560 --> 03:06.050
Now this is going to be very specific to the operating system.

03:06.060 --> 03:08.000
You might be using So to help you out.

03:08.130 --> 03:13.850
I've developed a very simplistic and very flawed form that we enter data into.

03:14.040 --> 03:20.550
And if we take a look at this if I type my name and then I'm going to type in this double ampersand

03:20.640 --> 03:26.520
and a linux command and if I hit enter it actually goes to a terminal.

03:26.520 --> 03:28.410
This is not a good thing.

03:28.410 --> 03:35.790
Most applications I should be careful when I say most but a huge percentage of applications are really

03:35.790 --> 03:38.610
nothing more than front end for databases.

03:38.610 --> 03:42.850
If we want to do a lot of stuff of keeping track of things or whatever we're doing.

03:42.930 --> 03:50.250
Databases are very very important and probably the most common type of way to talk to a database is

03:50.250 --> 03:52.920
through structured query language better known as S..

03:52.920 --> 04:02.550
Q Well now as well is a wildly complicated incredibly powerful queering language for Eski Well compliant

04:02.580 --> 04:03.720
databases.

04:03.810 --> 04:10.050
So I'm not going to ask you to memorize a ton of sequel commands but I do want you to look for stuff

04:10.050 --> 04:11.200
like this.

04:11.280 --> 04:21.390
Commands like inner join select from insert into all of these types of words are clues that you're looking

04:21.390 --> 04:23.740
at some form of sequel query.

04:23.790 --> 04:29.070
In fact here's an example of an incredibly complicated sequel query right here.

04:29.490 --> 04:32.760
Now to do a sequel injection Let's bring that form back up.

04:32.850 --> 04:35.400
And in this case I can do something fairly trivial.

04:35.400 --> 04:39.900
For example I'm going to type something into one of these fields that I'm just going to say.

04:40.000 --> 04:42.060
Select asterisked from last name.

04:42.060 --> 04:48.180
So basically I'm saying show me all of the last names and what happens really depends on the application

04:48.180 --> 04:49.980
itself and how well it's protected.

04:49.980 --> 04:54.440
Now the last type of injection I want to talk about is El Deppe injections.

04:54.430 --> 05:01.450
Now L DEP stands for lightweight directory access protocol and eldership is a way to query directories.

05:01.470 --> 05:08.190
Most large networks especially if you're running Windows is going to have some type of directory basis

05:08.190 --> 05:14.430
for storing usernames and passwords and computers and locations and printers and groups and whatever

05:14.430 --> 05:15.590
you might have.

05:15.630 --> 05:21.150
So a lot of applications that want to get a username and password then it can store this by themselves

05:21.290 --> 05:26.250
where they're going to do is they're going to use Elda app queries to talk to something to go ahead

05:26.250 --> 05:29.050
and do some authentication or whatever it might be.

05:29.100 --> 05:31.430
Now elde apps been around for a long long time.

05:31.470 --> 05:38.190
It's based on the X-Com 500 which you need to know for the exam and it works fantastically well uses

05:38.190 --> 05:40.310
tailless encryption all kinds of stuff like that.

05:40.500 --> 05:48.380
But the challenge we can run into is that poor and we formed applications can be taken advantage of.

05:48.390 --> 05:55.200
By putting all that information in where we shouldn't be doing it and creating eldership injections.

05:55.230 --> 06:00.900
Now before we get into this I don't want to turn you to an el DEP expert but I do want to make sure

06:00.900 --> 06:08.130
you understand what the structure of different objects in a directory look like so let's take a look

06:08.130 --> 06:09.260
at this.

06:09.270 --> 06:15.380
So what I've got written out here is a complete listing for one person in my directory.

06:15.390 --> 06:19.100
So this entire thing is known as the distinguished name.

06:19.100 --> 06:23.520
Now you read these actually from right to left but I'm just going to go from left to right because well

06:23.520 --> 06:27.850
I'm a human being so N stands for the common name.

06:27.860 --> 06:32.970
So if I'm querying a particular user or a particular printer or a computer it is going to be just the

06:32.970 --> 06:34.430
name itself.

06:34.450 --> 06:39.150
Now will also then have organizational units that's what all these o use are for.

06:39.210 --> 06:41.260
So all use if you're in a Windows world.

06:41.280 --> 06:49.710
They can be easily thought of as groups but they help to define where John Smith is within my organization

06:50.190 --> 06:54.630
and then at the very end you're going to see what we call domain components and that's because pretty

06:54.630 --> 06:56.590
much everybody is a part of some domain.

06:56.730 --> 07:00.370
So I can read this and read it from right to left I can see some interesting things.

07:00.510 --> 07:02.840
So might top level domain as dot com.

07:02.850 --> 07:05.490
So it's total Semb dot com.

07:05.490 --> 07:07.130
This person is a people.

07:07.250 --> 07:08.950
This person is in Dallas.

07:08.970 --> 07:15.730
This person works for accounting and this person's name is John Smith.

07:15.930 --> 07:22.530
So an application might take this type of information so we'll put in our form and we'll type in the

07:22.530 --> 07:28.200
user name and stuff like that and hit enter and they'll go ahead and query a domain controller to authenticate

07:28.200 --> 07:29.220
this person.

07:29.220 --> 07:33.810
But the actual authentication the actual query itself might look something like this.

07:35.090 --> 07:36.140
Now that's great.

07:36.140 --> 07:42.040
But imagine if I took that same form and I took this one particular field and I typed in this L damp

07:42.050 --> 07:47.560
injection Basically I'm saying as my name is admin and my password is everything.

07:47.720 --> 07:52.130
What that will do really depends on the actual system itself.

07:52.130 --> 07:57.800
Now those are the injection attacks that you're going to see generically on the exam but that's not

07:57.800 --> 08:00.840
the only way to attack an application.

08:00.860 --> 08:05.180
What I want to do is go through a couple of other examples and let's do I don't know how about buffer

08:05.180 --> 08:09.990
overflow.

08:10.210 --> 08:17.590
Every time you enter data into an application it goes into a buffer a buffer is just a part of memory

08:17.590 --> 08:22.970
that's set aside to store the data before it actually gets put into the application itself.

08:22.990 --> 08:30.310
So a buffer overflow simply means to enter so much data into the buffer that the buffer blows up.

08:30.310 --> 08:36.340
So what we can do here is like if we take a look at this little application here so in a particular

08:36.340 --> 08:43.030
field I'm just going to start typing one letter zillions of times earn it and with any kind of luck

08:43.180 --> 08:45.160
I can lock the system up.

08:48.800 --> 08:52.690
The last one I want to talk about is integer overflow.

08:53.120 --> 08:59.510
Any variable that's stored within an application usually is declared at the beginning of the application

08:59.510 --> 08:59.870
itself.

08:59.870 --> 09:06.080
So if you're going to have a age variable and that age variable is going to go from 1 to 110 and if

09:06.080 --> 09:11.930
somebody is 100 and 11 Well they're not getting your application whatever the case might be the actual

09:11.930 --> 09:13.580
value is fixed in size.

09:13.580 --> 09:18.410
So it might be for example a to byte integer values.

09:18.410 --> 09:24.340
So in this case it's only going to be able to store 16 bits and heaven forbid you put in 18 bits.

09:24.410 --> 09:26.180
You never know what's going to happen.

09:26.210 --> 09:29.240
So it's really really important to be comfortable with your bits and bytes.

09:29.240 --> 09:34.970
Now probably the best way to show you exactly how this works is I'm going to use my calculator here

09:35.030 --> 09:36.350
on my phone itself.

09:37.090 --> 09:39.350
So I'm going to type in a big value here.

09:39.590 --> 09:50.120
Really big you and I'm going to do some of the power on that and make it even bigger equals and you

09:50.120 --> 09:52.580
can see I've generated an error.

09:52.580 --> 10:00.830
So this is a great example of an integer overflow it just can't handle these types of values so we need

10:00.830 --> 10:03.450
to be careful about these things on the exam.

10:03.470 --> 10:09.740
Watch for questions or talk about I've got a variable of X number of bytes and you've got these number

10:09.740 --> 10:14.120
of bits and it doesn't fit and that's going to be a good clue that you're running into these types of

10:14.120 --> 10:15.430
problems.

10:15.480 --> 10:20.780
OK so we've gone through a number of different ways to attack applications.

10:20.780 --> 10:23.520
Now in later episodes I'm going to be showing you.

10:23.660 --> 10:27.350
Well first of all we're going to be talking about web apps in particular and some of the things we can

10:27.350 --> 10:32.300
do there but in later episodes we're also going to be talking about how do we hardener applications

10:32.570 --> 10:47.930
to prevent stuff exactly like this from happening to your apps.