DeepSec 2015 Talk: Continuous Intrusion – Why CI Tools Are an Attacker’s Best Friend – Nikhil Mittal
In information security pessimism rules. Unfortunately. Extreme Programming might breed extreme problems, too. The short-lived app software cycle is a prime example. If your main goal is to hit the app store as soon and as often as possible, then critical bugs will show up faster than you can spell XCodeGhost. The development infrastructure has some nice features attackers will love and most probably exploit. In his presentation Nikhil Mittal will show you how Continuous Integration (CI) tools can be turned into a Continuous Intrusion.
Continuous Integration (CI) tools are part of build and development processes of a large number of organizations. I have seen a lot of CI tools during my penetration testing engagements. I always noticed the lack of basic security controls on the management consoles of such tools. On a default installation, many CI tools don’t even implement authentication for admin access! Couple this lack of security controls with the ability to execute commands and scripts on many machines (distributed and master-slave/agent build process) and you have the perfect attack surface to pwn an enterprise environment. Not only in the internal networks, CI tools are also regularly exposed to the Internet.
This talk takes a look at open source as well as proprietary/commercial CI tools from a hacker’s perspective. We will compare various tools on a common set of mis-configurations and security controls. We will show you how these tools can be compromised, how dangerous even unprivileged access to these tools is, talk about the OS level privileges (both Windows and Linux) and how they could result in a complete compromise of the target network. We will also show you how to defend against such attacks.
The talk will be full of live demonstrations.
If you are a developer or a project manager herding cats, you have to attend Nikhil’s presentation. Even if you do not develop software, you should know what the tools look like and how they can be abused. It’s easier to build a defence once you know what code does and how it “thinks”. Anticipation beats hindsight when it comes to exploits.
Nikhil Mittal is a hacker, infosec researcher, speaker and enthusiast. His area of interest includes penetration testing, attack research, defence strategies and post exploitation research. He has 6+ years of experience in Penetration Testing for his clients, including many global corporate giants. He is also a member of Red teams of selected clients.
He specializes in assessing security risks in secure environments which require novel attack vectors and an “out of the box” approach. He has worked extensively on using Human Interface Devices in Penetration Tests and PowerShell for post exploitation. He is creator of Kautilya, a toolkit which makes it easy to use Teensy in penetration tests and Nishang, a post exploitation framework in PowerShell. In his spare time, Nikhil researches on new attack methodologies and updates his tools and frameworks. Nikhil has held trainings and boot camps for various corporate clients (in US, Europe and SE Asia), and at the world’s top information security conferences. He has spoken at conferences like Defcon, BlackHat USA, BlackHat Europe, RSA China, Troopers, DeepSec, PHDays, BlackHat Abu Dhabi, Hackfest, ClubHack, EuSecWest and more. You can visit his blog.