A Logo

Feel free to include my content in your page via my
RSS feed

Help Irongeek.com pay for
bandwidth and research equipment:

Search Irongeek.com:

Affiliates:
Irongeek Button
Social-engineer-training Button

Help Irongeek.com pay for bandwidth and research equipment:

paypalpixle


Hacking IIS and .NET - Kevin Miller (Circle City Con 2015 Videose 2015) (Hacking Illustrated Series InfoSec Tutorial Videos)

Hacking IIS and .NET
Kevin Miller

Circle City Con 2015

Even in the most secure Windows environments the communication between development and infrastructure causes issues to slip through the cracks and holes to open on machines. Hopefully, a windows machine running IIS is hardened, but often the misconfiguration of accounts and poorly written .NET code allows attackers to gain information thought to be inaccessible. Once someone gains access to a machine, there are a number of places to look for credentials and alter programs which either allows access to other machines connected to it or change data processed by applications written by the organization. Most organizations don't even know these holes exist, because they don't know where and how they are stored both in the server and applications. Changing registry settings to help with application health, switching account types systems run under, and aggressively validating data passing through parts of an application are all necessary for securing a system beyond the recommended processes. Even with all of this, systems which don't re-validate inputs from "trusted tiers" are vulnerable, and any code which places unchecked business rules on exposed machines run the risk of being hijacked and subverted to an attackers benefit.

Bio: Over the last 14 years Kevin has worked on exciting projects with truly great people while unsuccessfully pleading with compilers to break their steadfast rules. He enjoys studying the inherit beauty of logic and when inspired by the muses actually codes something deserving a modicum of pride from time to time. His interests lay in security, distributed systems, and data but he has a short attention ...Squirrel!

Back to Circle City Con 2015 Videos list

Printable version of this article

15 most recent posts on Irongeek.com:


If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2016, IronGeek
Louisville / Kentuckiana Information Security Enthusiast