Fade from Whitehat... to Black
Uploaded by beau-bullock (category: Technology)
Transcript of Fade from Whitehat... to Black
FADE FROM WHITEHAT… TO BLACK
BEAU BULLOCK
“Everyone is a moon and has a dark side which he never shows to anybody”
~ Mark Twain
KEY FOCAL POINTS
• Non-attribution
• Target Acquisition
• Reconnaissance
• Exploitation
• Profitization
WHO AM I
• Beau Bullock
• Pentester at Black Hills Information Security
• Host of Hack Naked TV
• Previously an enterprise defender
• OSCP, GXPN, GPEN, GCIH, GCFA, OSWP, & GSEC
SIDE NOTE
2014
IN TWO YEARS SINCE THEN I’VE…
• Performed Pentests against 70 different companies
• Recorded 20 Hack Naked TV episodes
• Spoke at three different security conferences
• Wrote eight blog posts
• …now adding keynote to the list
Enough about me
NON-ATTRIBUTION
DREAD PIRATE ROBERTS (DPR)
• How Ross Ulbricht got caught = Really bad OPSEC
• Boasted about creating an “economic simulation” on LinkedIn
• Put his real face on fake IDs used to purchase servers
• Asked for advice on Stack Overflow about coding Silk Road
• Hired an undercover cop to perform a “hit” for him
• TOR IP Publishing leak - Leaked Silk Road’s actual IP
• Accessed Silk Road from Café half a block from residence
DESIGN WITH OPSEC IN MIND
• Let’s try to avoid DPR’s mistakes
• Don’t trust humans
• Build attack infrastructure with the most important element being OPSEC
• Maintain anonymity in both the real and digital worlds
NON-ATTRIBUTABLE SETUP
• Necessities (rebuilt from scratch for each job)
  • A laptop to work from
  • Internet
  • VPN/proxies
  • CnC and attack servers
  • Non-attributable currency (e.g. Bitcoin, pre-paid VISAs)
LAPTOP PURCHASE
INTERNET
• Free WiFi at coffee shops, hotels, or my favorite… apartment complexes
• Greater than 50 miles from residence
• Never bring residence into circumference
NOT OPSEC SAFE
A BIT MORE OPSEC SAFE
ATTACK ARCHITECTURE SETUP
• Never directly attacking an organization
• Will need multiple virtual private servers (VPS)
• In order to be non-attributable we will need a few things:
  • Alternate identities
  • Currency (Bitcoin, pre-paid VISA, etc.)
BUY BITCOIN FOR CASH
VPS FOR BITCOIN
PRIMARY ATTACK SYSTEMS
• VPS Network 1
  • VPN server
  • Management server
  • Password cracking server
• VPS Network 2
  • Primary attack server
  • Command and Control server
CONNECTIVITY
• VPN from base camp to VPS network 1
• SSH/RDP to management server
• Route all traffic from management server through TOR
• SSH from management server to VPS network 2 hosts
NON-ATTRIBUTION DIAGRAM
1. Live-booted off USB to Linux
2. Connected to free WiFi
3. VPN’d to VPS net 1
4. VNC to management server in VPS net 1
5. Route all traffic from management server through TOR
6. SSH from management server over TOR to attack server in VPS net 2
7. Mandatory Caffeination
TARGET ACQUISITION
MOTIVATION
• Easy Targets
• High Profile Targets
• Contracted Targets
• Vengeance
EASY TARGETS
• Shodan - Unauthenticated VNC Servers
EASY TARGETS
• Shodan - Vulnerable Services
HIGH PROFILE TARGETS
CONTRACTED TARGETS
VENGEANCE
RECONNAISSANCE
INFORMATION DISCLOSURE
• Organization’s username structure
• Credentials in previous breaches
• External network ranges
MINIMIZE THE NOISE
• Use sites like Shodan and Censys to discover open ports on the target’s systems
• Again, look for low hanging fruit
• Locate external login portals (we’ll get to why these are important shortly)
EXPLOITATION
ATTACK 1 - CREDENTIAL REUSE
• How can we exploit credential reuse on personal accounts?
ATTACK 1 - CREDENTIAL REUSE
• Publicly Compromised accounts
ATTACK 1 - CREDENTIAL REUSE
• Pipl - locate employees based off their email address
ATTACK 1 - CREDENTIAL REUSE
• Attempt to login to their corporate account using the creds recovered from previous breach
ATTACK 2 - PASSWORD SPRAYING
ATTACK 2 - PASSWORD SPRAYING
• FOCA
ATTACK 2 - PASSWORD SPRAYING
ATTACK 3 - PHISHING
• The “golden ticket” to pretty much any network
• Two types of phishing
  • Credential gathering
  • System compromise
ATTACK 3 - PHISHING
• Credential gathering
  • Clone an external login portal
  • Phish users to login to gather creds
  • Redirect to actual portal
ATTACK 3 - PHISHING
• Remote exploitation
  • Word doc macros, browser exploits, etc.
REMOTE ACCESS
• VPN - is 2FA in play?
• RDP?
• Access to OWA
  • Phishing across internal accounts = win
• No physical attacks. If I can’t compromise the network remotely I move on.
POST-EXPLOITATION
• PowerShell and command line - no extra tools needed
• GPP
• Widespread local admin
• Insecure perms on other systems (domain users in local admins)
• Internal password spraying
• PsExec/Mimikatz combo
LOOT
• Pivot to DC, dump domain hashes
• Locate vCenter servers, DBs, etc.
PROFITIZATION
TURNING COMPROMISE INTO CASH
• Carder?
• Identity Theft?
• Ransomware?
• Hacktivist?
THE TRICKY PART…
“It's not that we find criminals like this through cyber-forensics. We get them in the real world when they do something stupid, it's invariably how it works: Getting credit cards is easy. Turning it into cash is hard.”
~ Bruce Schneier
TWO MAJOR PROBLEMS
• Bitcoin is not untraceable
• Turning large amounts of Bitcoin into cash is not trivial
TRACING BITCOIN
• blockchain.info
• blockseer.com
BITCOIN TO CASH
• This becomes a money laundering problem
RIP AND REPLACE
• Full teardown and removal of all testing systems
• Rebuild from scratch for next job
FADING BACK
WHY I DON’T DO THIS
• Ethics
• Inevitability of getting caught
• Danger of entering the criminal world
WE CAN MAKE IT BETTER
• Enterprise Defenders, Pentesters, Security Engineers, Developers, Forensicators, Network Engineers, SysAdmins, DBAs, etc.
DEFENDERS
• Shift focus from attribution to detection and prevention
• Increase logging to detect when attackers are performing attacks like password spraying
• Ensure all external login portals are using 2FA
• Increase length of password policies
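An added example (not from the talk) of the logging-based detection the DEFENDERS slide calls for: a password spray shows up as one source failing against many distinct accounts inside a short window, while each account stays under its lockout threshold. The log format and addresses are constructed for the example.

```python
# Added example (not from the talk): flag password-spray patterns in
# authentication logs. A spray is one source trying few passwords against
# many accounts, so per-account failures stay low while the per-source
# count of distinct users climbs.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <src_ip> <user> <result>"
SAMPLE_LOG = """\
2016-03-01T09:00:01 203.0.113.7 alice FAIL
2016-03-01T09:00:04 203.0.113.7 bob FAIL
2016-03-01T09:00:07 203.0.113.7 carol FAIL
2016-03-01T09:00:10 203.0.113.7 dave FAIL
2016-03-01T09:00:13 203.0.113.7 erin FAIL
2016-03-01T09:00:16 203.0.113.7 frank SUCCESS
2016-03-01T09:05:00 198.51.100.9 alice FAIL
2016-03-01T09:05:30 198.51.100.9 alice FAIL
2016-03-01T09:06:00 198.51.100.9 alice SUCCESS
"""

def parse(log_text):
    """Parse the constructed log format into (timestamp, src, user, result)."""
    events = []
    for line in log_text.splitlines():
        ts, src, user, result = line.split()
        events.append((datetime.fromisoformat(ts), src, user, result))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return {src_ip: sorted distinct users} for every source whose failed
    logins hit at least `min_users` different accounts within `window`."""
    by_src = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            by_src[src].append((ts, user))
    hits = {}
    for src, fails in by_src.items():
        fails.sort()          # sliding window over time-ordered failures
        lo = 0
        for hi in range(len(fails)):
            while fails[hi][0] - fails[lo][0] > window:
                lo += 1
            users = {u for _, u in fails[lo:hi + 1]}
            if len(users) >= min_users:
                hits[src] = sorted(users)
                break
    return hits

if __name__ == "__main__":
    print(detect_spray(parse(SAMPLE_LOG)))
```

The second source (repeated failures on a single account) is not flagged, which is the distinction between a spray and a per-account brute force that lockout policies already catch.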
ATTACKERS
• Continue to highlight the importance and value of credentials
• Attempt to locate credential reuse across accounts
• On external assessments attempt to password spray portals that use domain-based authentication
• Escalate internally & crack all the passwords
THANK YOU
• @dafthack