How we hacked Distributed Configuration Management Systems

March 23, 2017 (at 10:30 a.m.) in Attack and Research

With the growing need for distributed applications, coordination and configuration management tools for this class of applications have appeared. These systems might pop up occasionally during penetration tests. The major focus of this research was to find ways to abuse these systems as well as to use them to gain deeper access to other systems.

The talk deals with how we came across and exploited different configuration management systems during our pentests.

Francis Alexander

Francis Alexander is an Information Security Researcher and the author of NoSQL Exploitation Framework. He has a strong vision of Free & Open Information Security Education for all. His areas of interest include web app & standalone app security, DBMS security, coding tools and fuzzing. He has spoken at multiple conferences such as HITB AMS 2014, Hack in Paris 2014, 44Con 2014, Derbycon USA 2013, Defcon Kerala and Defcon Bangalore. All his tools are available at

Bharadwaj Machiraju

Bharadwaj Machiraju is the project leader for OWASP OWTF. He is mostly found either building a web appsec tool or hunting bugs for fame. All tools are available at and all ramblings at. He has spoken at a few conferences, most notably Brucon and Pycon India. Apart from information security, he is interested in sleeping, mnemonic techniques & machine learning.