Code Execution with JDK Scripting Tools & Nashorn Javascript Engine - Brett Hawkins Derbycon 2018 (Hacking Illustrated Series InfoSec Tutorial Videos)

Code Execution with JDK Scripting Tools & Nashorn Javascript Engine
Brett Hawkins
Derbycon 2018

There are several languages and methods used to execute code on a computer system, such as C#, PowerShell, Python, VBA, and many more. The defense is getting better, which has caused the offense to adapt and look for innovative ways to “live off the land”. One area that has not been explored deeply is utilizing tools that the Java Development Kit (JDK) provides. According to a statement by Oracle, Java runs on 3 billion devices. Enterprises depend on Java running on their user endpoints and servers in order to keep their businesses running. This makes using tools installed with the JDK very enticing to attackers. This talk will explore using JDK command-line scripting tools and the Nashorn JavaScript Engine to perform several actions, such as downloading files, executing scripts locally and remotely, and gaining a remote interactive shell to a computer system. Detective and preventive controls will also be discussed for the usage of these JDK scripting tools.

Brett has been in Information Security for several years in the private sector working for multiple Fortune 500 companies across different industries. He has focused on both offensive and defensive disciplines, with more of a focus on the offensive side recently. He holds several industry-recognized certifications from SANS and Offensive Security, and has spoken at BSides Cleveland previously. His extensive knowledge and experience in a breadth of different areas in Information Security give him a unique and well-rounded perspective. When not at his day job, he enjoys doing security research, programming, and playing sports and video games.

@h4wkst3r


Copyright 2020, IronGeek