A Logo

Feel free to include my content in your page via my
RSS feed

Help Irongeek.com pay for
bandwidth and research equipment:

Subscribestar or Patreon

Search Irongeek.com:

Irongeek Button
Social-engineer-training Button

Help Irongeek.com pay for bandwidth and research equipment:


Managed to Mangled: Exploitation of Enterprise Network Management Systems - Deral Heiland, Matthew Kienow Derbycon 2016 (Hacking Illustrated Series InfoSec Tutorial Videos)

Managed to Mangled: Exploitation of Enterprise Network Management Systems
Deral Heiland, Matthew Kienow
Derbycon 2016

Network Management Systems (NMSs) are widely deployed in medium and large organizations to map and control network and host infrastructure, and provide an excellent attack surface. NMSs are information rich for an attacker, saving reconnaissance time and providing a pivot point to hide their network activity in the background noise. The talk explores many NMS attack vectors, including persistent cross-site scripting (XSS), format string vulnerabilities, command injection, SQL injection and forced browsing to take control of the NMS and authenticated user?s host. Using live demonstrations we explore attack delivery, execution and factors that control the success of each attack. In conclusion, we discuss overall risk factors and mitigation techniques for providing protection against these attacks.

Deral Heiland: Deral Heiland CISSP, serves as a Research Lead for Rapid7 Global Service. Deral has over 20 years of experience in the Information Technology field, and has held multiple positions including: Senior Network Analyst, Network Administrator, Database Manager, Financial Systems Manager and Senior Information Security Analyst. Over the last 8+ years Deral?s career has focused on security research, security assessments, penetration testing, and consulting for corporations and government agencies. Deral is the creator of the open source tool ?Praeda? used for harvesting data from embedded devices. Deral also conducted security research on a numerous technical subject, releasing white papers, security advisories, and has presented the information at numerous national and international security conferences including Blackhat, Defcon, Shmoocon, DerbyCon, Hackcon Norway, Hack In Paris. Deral has been interviewed by and quoted by several media outlets and publications including Bloomberg UTV, MIT Technical Review, MSNBC, SC Magazine, Threat Post and The Register. Matthew Kienow: Matthew Kienow is a software engineer and an independent security researcher. Matthew has presented at various security conferences including Hack In Paris, DerbyCon and CarolinaCon. Matthew has designed, built, and successfully deployed secure software solutions, however, often enjoys breaking them instead. Matthew?s research has been cited by CSO, Threatpost and SC Magazine.

Deral - @Percent_x, Matthew - @HacksForProfit

Back to Derbycon 2016 video list

Printable version of this article

15 most recent posts on Irongeek.com:

If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast