Hacking the Perimeter
Transcript of Hacking the Perimeter
![Page 1: Hacking the Perimeter](https://reader034.fdocuments.in/reader034/viewer/2022042607/54fe9d8b4a7959422b8b5307/html5/thumbnails/1.jpg)
Social-Engineering Hacking your perimeter….
Not everyone needs to use zero days…
David Kennedy (ReL1K)
http://www.secmaniac.com Twitter: Dave_ReL1K
![Page 2: Hacking the Perimeter](https://reader034.fdocuments.in/reader034/viewer/2022042607/54fe9d8b4a7959422b8b5307/html5/thumbnails/2.jpg)
About the speaker
• Wrote the Social-Engineer Toolkit (SET), Member of the Social-Engineer.org podcast, contributor to Back|Track, Metasploit, etc.
• Director of Information Security for a Fortune 1000
• Penetration testing and exploit focus
• Worked for the US Marines, VP/Partner of an information security consulting firm.
![Page 3: Hacking the Perimeter](https://reader034.fdocuments.in/reader034/viewer/2022042607/54fe9d8b4a7959422b8b5307/html5/thumbnails/3.jpg)
Agenda
• Overview of perimeter security
• Main attack vectors utilized to compromise the perimeter
• Walkthrough of each attack vector
• Recommendations and conclusions
![Page 4: Hacking the Perimeter](https://reader034.fdocuments.in/reader034/viewer/2022042607/54fe9d8b4a7959422b8b5307/html5/thumbnails/4.jpg)
Overview
• Security is getting better. It is harder to find traditional vanilla attack vectors.
• Hackers adapt and overcome the controls and technology put in place.
• We’ll talk about social-engineering and the zero-day angle, but there are still a ton of companies out there that do horribly when it comes to security.
![Page 5: Hacking the Perimeter](https://reader034.fdocuments.in/reader034/viewer/2022042607/54fe9d8b4a7959422b8b5307/html5/thumbnails/5.jpg)
Hacking your Perimeter
• Traditional attack methods don’t work.
• You’ve undergone several dozen penetration tests and vulnerability scans.
• You have a security team and a functioning security program.
• You have anti-virus, HIPS, IPS, IDS, heuristics, and behavioral detection and prevention capabilities.
![Page 6: Hacking the Perimeter](https://reader034.fdocuments.in/reader034/viewer/2022042607/54fe9d8b4a7959422b8b5307/html5/thumbnails/6.jpg)
Perimeter Hacking Options
• Social-Engineering and Physical attack vectors – Probably our most preferred
• Zero-Day Angle – Crafting an exploit from your target
![Page 7: Hacking the Perimeter](https://reader034.fdocuments.in/reader034/viewer/2022042607/54fe9d8b4a7959422b8b5307/html5/thumbnails/7.jpg)
Social-Engineering and Security
• Why fight your:
  • SIEM
  • Anti-Virus
  • HIPS/NIPS/IPS/IDS
  • Web Application Firewall
  • Secure Coding Practices
  • Patch Management
• Why fight everything you’ve built your entire security program on?
![Page 8: Hacking the Perimeter](https://reader034.fdocuments.in/reader034/viewer/2022042607/54fe9d8b4a7959422b8b5307/html5/thumbnails/8.jpg)
As it becomes increasingly harder to break in through the external perimeter, attackers adapt toward our weakest link: the human element.
![Page 9: Hacking the Perimeter](https://reader034.fdocuments.in/reader034/viewer/2022042607/54fe9d8b4a7959422b8b5307/html5/thumbnails/9.jpg)
The easiest way in
• It usually takes me a week of steady fuzzing and reversing to find a zero-day and craft a reliable exploit.
• It takes me a day to get access to the internal network from social-engineering.
![Page 10: Hacking the Perimeter](https://reader034.fdocuments.in/reader034/viewer/2022042607/54fe9d8b4a7959422b8b5307/html5/thumbnails/10.jpg)
It’s not just us doing this…
• The security community revolves around real world attacks.
• We are protecting against attacks seen out in the wild, and hackers use social-engineering on a regular basis.
• State-sponsored attacks are the largest threat out there today. A country that has 10,000 people dedicated to hacking can’t be good…
![Page 11: Hacking the Perimeter](https://reader034.fdocuments.in/reader034/viewer/2022042607/54fe9d8b4a7959422b8b5307/html5/thumbnails/11.jpg)
State-Sponsored Attacks
• Big increase in targeted attacks against organizations, in an effort to steal intellectual property and for financial motivations.
• Focused attacks that utilize specialized techniques are difficult to protect against.
![Page 12: Hacking the Perimeter](https://reader034.fdocuments.in/reader034/viewer/2022042607/54fe9d8b4a7959422b8b5307/html5/thumbnails/12.jpg)
Which country is the worst?
• Well… Working with government agencies I really can’t say…
![Page 13: Hacking the Perimeter](https://reader034.fdocuments.in/reader034/viewer/2022042607/54fe9d8b4a7959422b8b5307/html5/thumbnails/13.jpg)
Completely unrelated slide
![Page 14: Hacking the Perimeter](https://reader034.fdocuments.in/reader034/viewer/2022042607/54fe9d8b4a7959422b8b5307/html5/thumbnails/14.jpg)
Why should they care?
• No repercussions (except from Google), almost untraceable, and cheap.
• Why build a new industry when you can take it?
![Page 15: Hacking the Perimeter](https://reader034.fdocuments.in/reader034/viewer/2022042607/54fe9d8b4a7959422b8b5307/html5/thumbnails/15.jpg)
Couple SE favorites
• Pretexting is your hack: what you’re going to do during your social-engineering attack.
• Neuro Linguistic Programming (NLP) – How we think as humans
![Page 16: Hacking the Perimeter](https://reader034.fdocuments.in/reader034/viewer/2022042607/54fe9d8b4a7959422b8b5307/html5/thumbnails/16.jpg)
Steps of Anchoring
• Establish an Anchor – This is triggering the stimuli that will be your ultimate Anchor. For example, talking frantically and in need of help.
• Firing your Anchor (also known as Activating) – You’ve triggered a feeling in the victim: you need help. Now you ask for that help.
![Page 17: Hacking the Perimeter](https://reader034.fdocuments.in/reader034/viewer/2022042607/54fe9d8b4a7959422b8b5307/html5/thumbnails/17.jpg)
So why use SE?
• We’re lazy, we go for the easiest route.
![Page 18: Hacking the Perimeter](https://reader034.fdocuments.in/reader034/viewer/2022042607/54fe9d8b4a7959422b8b5307/html5/thumbnails/18.jpg)
![Page 19: Hacking the Perimeter](https://reader034.fdocuments.in/reader034/viewer/2022042607/54fe9d8b4a7959422b8b5307/html5/thumbnails/19.jpg)
Basics of SET
• Open-Source, purely Python driven.
• SET utilizes Metasploit for both the exploit repository for client-side attacks and payloads.
• Multiple attack vectors specifically designed for Social-Engineering.
• Has become the standard for Social-Engineering in penetration tests across the world.
![Page 20: Hacking the Perimeter](https://reader034.fdocuments.in/reader034/viewer/2022042607/54fe9d8b4a7959422b8b5307/html5/thumbnails/20.jpg)
SET Attack Vectors
• Spear-Phishing – Spoof or utilize already established email addresses to do spear-phishing attacks with file-format attack vectors.
• Web Attacks – Multiple attack vectors including java applet, client-side exploits, tabnabbing, man left in the middle, and the credential harvester.
• Malicious USB/DVD/CD – Autorun creation, allows you to deploy MSF payloads in a simple autorun.
![Page 21: Hacking the Perimeter](https://reader034.fdocuments.in/reader034/viewer/2022042607/54fe9d8b4a7959422b8b5307/html5/thumbnails/21.jpg)
SET Attack Vectors Cont.
• Arduino / Teensy USB HID Attack Vector – Multiple payload selection for the USB keyboard HID attacks.
![Page 22: Hacking the Perimeter](https://reader034.fdocuments.in/reader034/viewer/2022042607/54fe9d8b4a7959422b8b5307/html5/thumbnails/22.jpg)
Scenario 1 - USB HID Attack Vector
• Send an employee a brand new keyboard with all of the great bells and whistles, with a company letterhead saying we’re doing updates to keyboards.
• The employee plugs in the device; motion sensors detect whether the user is at the system or not. The mouse is moved 1 pixel every 3 minutes to ensure the screen does not lock.
![Page 23: Hacking the Perimeter](https://reader034.fdocuments.in/reader034/viewer/2022042607/54fe9d8b4a7959422b8b5307/html5/thumbnails/23.jpg)
DEMO
![Page 24: Hacking the Perimeter](https://reader034.fdocuments.in/reader034/viewer/2022042607/54fe9d8b4a7959422b8b5307/html5/thumbnails/24.jpg)
The keyboard attack
• Bypasses all autorun capabilities to execute arbitrary code on the system.
• Can drop malicious binaries, trigger overflows, utilize downloaders, implant keystroke loggers, or backdoor your stuff.
• Easily hidden in peripheral devices like docking stations, mouse, keyboard, computers, USB thumb drives, and much more…
![Page 25: Hacking the Perimeter](https://reader034.fdocuments.in/reader034/viewer/2022042607/54fe9d8b4a7959422b8b5307/html5/thumbnails/25.jpg)
Integrating into Existing Hardware
• Most new keyboards have integrated USB Hubs.
![Page 26: Hacking the Perimeter](https://reader034.fdocuments.in/reader034/viewer/2022042607/54fe9d8b4a7959422b8b5307/html5/thumbnails/26.jpg)
Motion Sensor capabilities (thanks Garland)
![Page 27: Hacking the Perimeter](https://reader034.fdocuments.in/reader034/viewer/2022042607/54fe9d8b4a7959422b8b5307/html5/thumbnails/27.jpg)
Scenario 2 - Java Applet Attack
• You perform recon on the company you’re targeting: you learn their lingo and their structure, harvest email addresses, and settle on your pretext.
• You register a domain name similar to your victim’s.
• You call up the sales department claiming to be a customer that is experiencing issues connecting to your new company site.
![Page 28: Hacking the Perimeter](https://reader034.fdocuments.in/reader034/viewer/2022042607/54fe9d8b4a7959422b8b5307/html5/thumbnails/28.jpg)
DEMO
![Page 29: Hacking the Perimeter](https://reader034.fdocuments.in/reader034/viewer/2022042607/54fe9d8b4a7959422b8b5307/html5/thumbnails/29.jpg)
Thomas Werth Attack Vector
• Released at ShmooCon, this attack vector allows you to create a malicious Java Applet.
• User hits “run” and the payload is executed on the victim’s machine.
• Redirects the user back to the original site to make the attack less conspicuous.
• Heavy obfuscation of the Java and payload for A/V bypass; fixed major issues with Linux/OSX payload deployment. Applet source just opened today!
![Page 30: Hacking the Perimeter](https://reader034.fdocuments.in/reader034/viewer/2022042607/54fe9d8b4a7959422b8b5307/html5/thumbnails/30.jpg)
DEMO
![Page 31: Hacking the Perimeter](https://reader034.fdocuments.in/reader034/viewer/2022042607/54fe9d8b4a7959422b8b5307/html5/thumbnails/31.jpg)
Multi Attack
• You want to build the best possible pretext and ensure that if one option fails, there are multiple redundancies within the attack to ensure success rates.
• You call the IT Help Desk claiming to be a high-level employee that is having issues getting to a mission critical website. You spoof your source number to come from the executives phone number.
![Page 32: Hacking the Perimeter](https://reader034.fdocuments.in/reader034/viewer/2022042607/54fe9d8b4a7959422b8b5307/html5/thumbnails/32.jpg)
DEMO
![Page 33: Hacking the Perimeter](https://reader034.fdocuments.in/reader034/viewer/2022042607/54fe9d8b4a7959422b8b5307/html5/thumbnails/33.jpg)
The Multi-Attack Vector
• As you can see, this attack vector has multiple attacks built into one website.
• Ability to have failover in case one attack option is not successful.
• Utilizes a combination of harvester, java applet, and client-side exploits in order to compromise the victim.
![Page 34: Hacking the Perimeter](https://reader034.fdocuments.in/reader034/viewer/2022042607/54fe9d8b4a7959422b8b5307/html5/thumbnails/34.jpg)
Why is it effective?
• We are humans, we are programmed from birth through our lives to act and behave a certain way.
• Our brains all work the same way, we are all vulnerable and there really is no patch.
![Page 35: Hacking the Perimeter](https://reader034.fdocuments.in/reader034/viewer/2022042607/54fe9d8b4a7959422b8b5307/html5/thumbnails/35.jpg)
So why use SET?
• The threat is real.
• This isn’t FUD or overhype stuff.
• Has to be incorporated into your normal penetration testing methodologies.
• It tests your security controls and information security awareness program, and how effectively you can stop these types of attacks.
![Page 36: Hacking the Perimeter](https://reader034.fdocuments.in/reader034/viewer/2022042607/54fe9d8b4a7959422b8b5307/html5/thumbnails/36.jpg)
Zero-Days
• Zero days are defined as an attack vector that has not been found or patched before.
• Zero days are out there; they aren’t public, and they can be around for years without being released.
• Adobe has lately been getting hit, it seems, almost every week with a new zero-day.
• Zero days are extremely difficult to detect or prevent.
![Page 37: Hacking the Perimeter](https://reader034.fdocuments.in/reader034/viewer/2022042607/54fe9d8b4a7959422b8b5307/html5/thumbnails/37.jpg)
Scenario 1
• You’re performing a penetration test for CompanyXYZ; you have exhausted all manual efforts and have found no viable attack method through the perimeter.
• Web applications are solid and have no apparent vulnerability.
• The ‘zero-day’ angle is your only option to gain access to the systems.
![Page 38: Hacking the Perimeter](https://reader034.fdocuments.in/reader034/viewer/2022042607/54fe9d8b4a7959422b8b5307/html5/thumbnails/38.jpg)
An introduction into ‘Fuzzing’
• A brute-force method of bug hunting.
• Sends random commands in hopes of a crash.
• Buffer length = 50, you send 51.
![Page 39: Hacking the Perimeter](https://reader034.fdocuments.in/reader034/viewer/2022042607/54fe9d8b4a7959422b8b5307/html5/thumbnails/39.jpg)
Precursor
• The example you are about to see is a basic overflow and is as easy as it gets.
• There are several different types of overflows and different ways of exploiting them.
• We’ll talk shortly about Windows protection mechanisms; in this scenario they are disabled.
![Page 40: Hacking the Perimeter](https://reader034.fdocuments.in/reader034/viewer/2022042607/54fe9d8b4a7959422b8b5307/html5/thumbnails/40.jpg)
Buffer Overflow Example
• SMTP server is susceptible to a stack based overflow in the “EHLO” parameter.
• Sending 6000 “\x41” bytes (ASCII ‘A’) causes a crash.
• An attacker knows that a vulnerability is here and, with further research, can exploit this vulnerability.
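As an added illustration of the two slides above (the length sweep behind “buffer length = 50, you send 51” and the EHLO overflow), and not code from the deck or from SET: a C model of an SMTP EHLO handler with a 50-byte stack buffer in both its unchecked and its bounds-checked form, plus an in-process length sweep that finds where the checked handler starts rejecting input. The buffer size, the SMTP reply codes used as return values and the hostname are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example: a 50-byte buffer for the EHLO argument, the length the deck uses. */
#define EHLO_BUF 50

/* Vulnerable pattern: copy the client's EHLO argument without checking its length.
 * A 50-byte buffer holds 49 characters plus the terminating NUL, so anything longer
 * writes past the end of host[] and into whatever sits above it on the stack. */
int ehlo_unchecked(const char *arg)
{
    char host[EHLO_BUF];
    strcpy(host, arg);           /* the defect: no bound on arg */
    return 250;                  /* SMTP "OK" */
}

/* Hardened pattern: measure first, reject anything that will not fit, then copy. */
int ehlo_checked(const char *arg)
{
    char host[EHLO_BUF];
    size_t n = strlen(arg);
    if (n >= sizeof host)        /* must leave room for the NUL as well */
        return 501;              /* SMTP "syntax error in parameters or arguments" */
    memcpy(host, arg, n + 1);
    return 250;
}

/* Length sweep, the "buffer length = 50, you send 51" idea from the deck, done in
 * process rather than over the wire: feed arguments of 1, 2, ..., limit 'A's to the
 * handler and return the first length it rejects, or 0 if it accepts all of them.
 * Only point this at a handler that bounds its copy; sweeping the unchecked one
 * is exactly the crash a fuzzer hunts for. */
size_t first_rejected_length(int (*handler)(const char *), size_t limit)
{
    char arg[1024];
    if (limit >= sizeof arg)
        limit = sizeof arg - 1;
    for (size_t n = 1; n <= limit; n++) {
        memset(arg, 'A', n);     /* "\x41" bytes, as on the slide */
        arg[n] = '\0';
        if (handler(arg) != 250)
            return n;
    }
    return 0;
}

int main(void)
{
    printf("checked handler rejects at length %zu\n",
           first_rejected_length(ehlo_checked, 200));   /* 50 */
    printf("unchecked handler on a normal argument: %d\n",
           ehlo_unchecked("mail.example.com"));          /* 250 */
    return 0;
}
```

The checked handler rejects at 50 characters, not 51: a 50-byte buffer holds 49 characters plus the terminating NUL, which is the off-by-one a source code review of a handler like this should flag. The sweep here is only ever pointed at the checked handler; the point of the hardened version is that there is nothing left for the fuzzer on the previous slide to find.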
![Page 41: Hacking the Perimeter](https://reader034.fdocuments.in/reader034/viewer/2022042607/54fe9d8b4a7959422b8b5307/html5/thumbnails/41.jpg)
Some Basic Instructions to be aware of
• JMP – Jump <address> (jump to instruction)
• EIP – Instruction Pointer (return address)
• ESP – Stack Pointer (where the top of our stack is)
• NOP – No operation (do nothing)
• NOP Slide – Multiple NOPs that create a slide effect
![Page 42: Hacking the Perimeter](https://reader034.fdocuments.in/reader034/viewer/2022042607/54fe9d8b4a7959422b8b5307/html5/thumbnails/42.jpg)
How Windows is set up…
![Page 43: Hacking the Perimeter](https://reader034.fdocuments.in/reader034/viewer/2022042607/54fe9d8b4a7959422b8b5307/html5/thumbnails/43.jpg)
Before
![Page 44: Hacking the Perimeter](https://reader034.fdocuments.in/reader034/viewer/2022042607/54fe9d8b4a7959422b8b5307/html5/thumbnails/44.jpg)
After
![Page 45: Hacking the Perimeter](https://reader034.fdocuments.in/reader034/viewer/2022042607/54fe9d8b4a7959422b8b5307/html5/thumbnails/45.jpg)
Windows Protection Mechanisms
• Data Execution Prevention (DEP) – In this attack, if DEP was enabled the stack would be marked read only and the attack would fail
• Stack Canaries (GS) – Random cookie values are inserted to ensure stack integrity
• Address Space Layout Randomization (ASLR) – Randomizes memory addresses by 2 bytes
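To make the stack-canary bullet concrete, an added example that is not part of the deck: a C model of what the /GS cookie does. The frame is represented as a struct so that the overrun is a memcpy that stays inside the object (well-defined C, no real memory corruption), with the cookie placed between the local buffer and a stand-in for the saved return address; the cookie value and the “legitimate” return address are constructed constants. One caveat on the DEP bullet above: DEP marks the stack non-executable rather than read-only, so it is the execution of the injected code that fails, not the write.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a /GS-protected stack frame. In a real build the compiler
 * lays the cookie out between the local buffers and the saved return address so
 * that a linear overrun of buf must trample the cookie before it reaches EIP. */
struct frame {
    char     buf[50];        /* local buffer, same size as the EHLO example */
    uint32_t cookie;         /* the canary */
    uint32_t saved_eip;      /* stand-in for the saved return address */
};

/* Constructed per-process security cookie. A real /GS build derives it at process
 * start from timing and process data so that it cannot be predicted. */
static const uint32_t g_security_cookie = 0xC0FFEE11u;

/* Simulate an unchecked copy of n input bytes into the frame, clamped to the size
 * of the struct so the write stays inside the object. Returns 1 if the cookie
 * check passes (the function would return normally) and 0 if it fails (a /GS
 * build would abort the process here instead of returning). The value found in
 * the saved-EIP slot afterwards is reported through eip_out. */
int run_with_canary(const unsigned char *input, size_t n, uint32_t *eip_out)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.cookie = g_security_cookie;
    f.saved_eip = 0x00401000u;               /* constructed "legitimate" return address */
    if (n > sizeof f)
        n = sizeof f;
    memcpy(&f, input, n);                    /* the overrun: past buf, into cookie and eip */
    if (eip_out)
        *eip_out = f.saved_eip;
    return f.cookie == g_security_cookie;    /* the __security_check_cookie step */
}

/* Helpers that feed n bytes of 0x41 ('A'), as in the deck's fuzz example. */
int canary_survives_len(size_t n)
{
    unsigned char a[sizeof(struct frame)];
    memset(a, 'A', sizeof a);
    return run_with_canary(a, n, NULL);
}

uint32_t eip_after_len(size_t n)
{
    unsigned char a[sizeof(struct frame)];
    uint32_t eip = 0;
    memset(a, 'A', sizeof a);
    run_with_canary(a, n, &eip);
    return eip;
}

int main(void)
{
    printf("49 bytes:  cookie intact = %d\n", canary_survives_len(49));
    printf("%zu bytes: cookie intact = %d, saved EIP = 0x%08x\n",
           sizeof(struct frame), canary_survives_len(sizeof(struct frame)),
           eip_after_len(sizeof(struct frame)));
    return 0;
}
```

With 49 or 50 bytes the cookie is untouched and the function may return; once the input runs through the whole frame the cookie reads 0x41414141 and the check fails before the clobbered return address is ever used. That ordering, cookie checked before `ret`, is the whole mechanism; it is also why the deck says the demo runs with these protections disabled.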
![Page 46: Hacking the Perimeter](https://reader034.fdocuments.in/reader034/viewer/2022042607/54fe9d8b4a7959422b8b5307/html5/thumbnails/46.jpg)
Defeating Data Execution Prevention (DEP) (and ASLR)
• Return-to-libc attack utilizing Return Oriented Programming (ROP). This can also defeat ASLR.
• Remember when we inserted a “JMP ESP” command? Instead we can use “gadgets” to build our attack and prep our stack to call the WriteProcessMemory function.
• This will copy our shellcode from our stack to a writable memory address (for example a kernel driver).
![Page 47: Hacking the Perimeter](https://reader034.fdocuments.in/reader034/viewer/2022042607/54fe9d8b4a7959422b8b5307/html5/thumbnails/47.jpg)
Protecting Against Overflows
• Third party closed-source applications are tough. Having a mature third party application security review process is critical.
• Internally developed software needs to undergo rigorous testing and source code analysis to ensure overflows are mitigated before reaching production.
• Have a team dedicated to researching and protecting against zero-day based threats, and able to detect these types of attacks as they occur.
![Page 48: Hacking the Perimeter](https://reader034.fdocuments.in/reader034/viewer/2022042607/54fe9d8b4a7959422b8b5307/html5/thumbnails/48.jpg)
Minimizing Zero-Day Damage
• When utilizing overflows, generally a reverse connection is needed.
• Ensure tight egress filtering is in place and that servers can only connect to what is absolutely necessary on the Internet.
• With proper controls in place, you’ll be OK.
![Page 49: Hacking the Perimeter](https://reader034.fdocuments.in/reader034/viewer/2022042607/54fe9d8b4a7959422b8b5307/html5/thumbnails/49.jpg)
Traditional Pentests are Dead
![Page 50: Hacking the Perimeter](https://reader034.fdocuments.in/reader034/viewer/2022042607/54fe9d8b4a7959422b8b5307/html5/thumbnails/50.jpg)
Out of scope…
• Businesses don’t understand what a true penetration test represents.
• No solid framework, not all of us get to do fun stuff like this…
• Things are taken out of scope, and there’s limited budget…
![Page 51: Hacking the Perimeter](https://reader034.fdocuments.in/reader034/viewer/2022042607/54fe9d8b4a7959422b8b5307/html5/thumbnails/51.jpg)
Where we need to go…
![Page 52: Hacking the Perimeter](https://reader034.fdocuments.in/reader034/viewer/2022042607/54fe9d8b4a7959422b8b5307/html5/thumbnails/52.jpg)
If you aren’t doing this…
• If you aren’t doing SE as a part of your regular penetration tests, you are seriously missing out.
• If you don’t know about this, you should learn…
• Success ratios for compromise with SET are estimated at around 94%.
![Page 53: Hacking the Perimeter](https://reader034.fdocuments.in/reader034/viewer/2022042607/54fe9d8b4a7959422b8b5307/html5/thumbnails/53.jpg)
Learning more about SE
• http://www.social-engineer.org – Created by Chris Hadnagy (loganWHD), a great reference for Social-Engineering