Offensive Operations - SploitLab
Transcript of Offensive Operations - SploitLab
@johnhsawyer [email protected]

Offensive Operations
John H. Sawyer
Senior Managing Consultant, InGuardians, Inc.
Bryce Lay - Comsys
Workshop Agenda
• Administrivia
• Introduction to Penetration Testing
• Reconnaissance
• Physical
• Social Engineering
• Post Exploitation

Purpose of this Workshop
• Introduction to penetration testing
  – Security professionals focused on defense
  – Systems administrators
  – Developers
• Hands-on with Cobalt Strike and offensive Powershell tools
• Have Fun!!

Who Am I?
• InGuardians Senior Managing Consultant
  – Red Team Operator / Penetration Tester
  – Social Engineering
  – Web, Mobile, and Desktop Apps
  – Incident Response & Forensics
• Dark Reading and InformationWeek author and speaker
• Infosec Volunteer and Mentor
• DEF CON 14/15 Capture the Flag (1st place)

My Awesome Employer
• InGuardians, Inc. (formerly IntelGuardians)
• Founded 2003 by Mike Poor, Ed Skoudis, Jay Beale, Jimmy Alderson, and Bob Hillery
• If it's security-related, we do it.
  – Red Team Assessments
  – Penetration Testing
    • Network, Web, Mobile, Wireless, Hardware, People, and Physical
  – Incident Response Management and Digital Forensics

Thank You
• My Wife and family
• Bryce Lay – ComSys
• Interop Team
• InGuardians
• UBM, Dark Reading, and Tim Wilson
Introduction to PENETRATION TESTING

Vulnerability Assessment
• "A vulnerability assessment is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system."
• Source: Wikipedia
• What about..
  – Validation
  – Risk to the business

Penetration Test
• "A penetration test, or the short form pentest, is an attack on a computer system with the intention of finding security weaknesses, potentially gaining access to it, its functionality and data."
• Source: Wikipedia
• Mimic real attackers
• Show real risk of vulnerabilities

Evolution of Penetration Testing
• Attack Process
  • Recon
  • Scan
  • Gain access
  • Maintain access
  • Cover tracks
• Pentest Methodology
  • Preparation
  • Recon
  • Scan
  • Exploit
  • Analysis
  • Report

Penetration Testing Execution Std.
• Pre-engagement interactions
• Intelligence gathering
• Threat modeling
• Exploitation
• Post exploitation
• Reporting

Types of Penetration Testing
• Network
  – Internal
  – External
• Application
  – Web
  – Mobile
  – Desktop
• Physical
• Social Engineering
  – Email
  – Phone
  – Other (Social, In-person)
• Wireless
  – WiFi
  – Other RF
• Hardware

Red Teaming
• Military origins – practice of viewing a problem from an adversary or competitor's perspective
• Long-term, persistent operations – Months to years
• Full-scope – Physical, social engineering, web, mobile, wireless

Offensive Traits
• Passion
• Curiosity
• Experience
• Adaptability
• Communication
• Not afraid of failure
• Diverse background – sysadmin, developer, network engineer

Legal Issues
• Job description
• Written permission
• Scope
• Rules of Engagement

Risks
• Denial of Service
  – Network congestion / saturation
  – Service resource exhaustion
  – Crash (BSOD, Segfault)
• Data corruption
• Data destruction
• Angry people
  – Sysadmins, users, HR, Legal
RECONNAISSANCE: Intelligence Gathering

Reconnaissance
• Passive (OSINT)
  • Search Engines (Google Dorks)
  • Web archives
  • Newsgroups, Google Groups
  • Whois, Robtex, CentralOps
  • Shodan, Censys, Netcraft
  • Social networks
  • Pwnedlist, Breachalarm
• Active
  • Nmap
  • DNS interrogation
  • Nessus, Nexpose, Metasploit
  • Arachni, Burp, wpscan
  • FOCA, metagoofil
  • Anything that actively touches the target network

Search Engines
• "Google Dorks"
• Bishop Fox SearchDiggity
  – GoogleDiggity, BingDiggity, Bing LinkFromDomainDiggity
  – CodeSearchDiggity, DLPDiggity, FlashDiggity
  – MalwareDiggity, PortScanDiggity, SHODANDiggity
  – Bing BinaryMalwareSearch, and NotInMyBackYard Diggity.
• http://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/

Shodan.io
• "Shodan is the world's first search engine for Internet-connected devices."
• http://www.shodanhq.com/help/filters
  – net, os, city, country, geo, hostname, port, before/after

Shodan Tools
• Many tools leverage Shodan
  – Spiderfoot, Maltego, etc.
• Shodan API
  – Python and ruby libraries
• Metasploit shodan_search module

Nmap
• Network port scanner
• TCP and UDP
• OS fingerprinting
• Service fingerprinting
• Nmap Scripting Engine
  – Advanced checks
  – Vulnerability detection

Spiderfoot
• Automates much of the recon process
• Free and Open Source
• Runs under Linux and Windows
• cd /opt/spiderfoot
• python ./sf.py
• http://127.0.0.1:5001

Eyewitness
• Screenshots of web applications
• Multiple format import (nmap, Nessus)
• Server headers
• Page Source
• Default Creds
• Alternatives – peepingtom, httpscreenshot, Spart
SOCIAL ENGINEERING: Because there is no patch for human…

Social Engineering Defined
• The act of influencing someone to take an action that may or may not be in their best interest.

Example Careers
• Doctors
• Therapists
• Radio hosts
• School teachers
• Counselors
• Law enforcement

Why Does It Work?
• Desire to be helpful – Par Avion
• Tendency to trust people
• Fear of getting into trouble – Daisy
• Willingness to cut corners
• http://www.social-engineer.org/framework

Some Guidelines
• Golden Rule – Leave someone better for having met you
• Manipulation
  – Think scam and pickup artists
  – Leave people feeling "dirty" or cheated
• Chris and Michele survey

Social Engineering Methodology
• Information Gathering
• Pretext Development
• Attack Planning
• Perform Attacks
• Reporting

Elements of a Good Phish
• Urges recipient to take action
• Targets an emotional response
• Mimics content for a trusted source
• Spoofs the source to appear legitimate
• Bypasses mail security controls
  – http://arstechnica.com/information-technology/2014/02/16/how-to-run-your-own-e-mail-server-with-your-own-domain-part-1/

Some Recon Tools
• theharvester
  – This is included on the VM
• FOCA
  – Windows only
  – Finds docs and pulls metadata including usernames, software versions, servers, network shares.
• Maltego
  – Helps to identify relationships between hosts, networks, identities and more.
• metagoofil
  – Metadata search and extractor
  – A little dated but still very useful
PHYSICAL: Olivia Newton John wants to get…

Physical
• Having physical access requires little/no exploits to compromise
  – It is even more fun when it does!
• Think about what an attacker could do if they have physical access to
  • a receptionist's workstation
  • an IT staff member's workstation
  • a network closet / IDF
  • your datacenter…
• Physical access is often considered "game over"

Dress the Part
• Back to powers of observation… by others
  – How will staff perceive you in the organization?
• How are others dressed?
  – Construction
  – Fire Extinguisher inspection
  – Package delivery*
  – Repair technician*
• Casual office or professional dress

Tools
• Few "technical" tools exist here
  – Unless we talk prox/pinpad
  – Most occasions don't require anything technical
• Most powerful tool for this part is your brain
  – Time, creativity and patience
  – Thinking outside of the box
  – Hacking "hardware" from the dumpster
• How minor gaps in implementation can be used

RFID Tools & Rubber Ducky
• https://proxmark3.com
• https://www.bishopfox.com/resources/tools/rfid-hacking/attack-tools/
• http://hakshop.myshopify.com/products/usb-rubber-ducky-deluxe?variant=353378649

Powers of Observation (1)
• Observing how physical security systems are implemented!
• Observing the movements of others over a long period of time
• Where do cameras point? Are they monitored actively or reactively?
• How do doors unlock from the outside?
  – How do they unlock from the inside?
  – Motion sensor? Capacitive touch bar?
  – What side are the hinges on?

Powers of Observation (2)
• Under door gaps? Gaps in door frames?
  – What can we use out of the dumpster?
  – Lowes/Home Depot craft time!
• Other methods of access
  – Balconies
  – Loading Docks
• Unmotivated/Lax building security
• What do badges look like? To the internet!

Social Engineering
• This is a game unto itself
  – So many subtleties
• TL;DR, it is a game of confidence
  – Act like you belong
  – Play the part
  – "Hey, how's it going?"

Policies
• Physical security design at time of build
  – Just like DevOps, bake in security
• Tailgating
• Reporting of suspicious activity
• Audit and observe adherence to policy
GETTING A FOOTHOLD: OMG! They opened the MACRO!!1!1!

Responder
• Passive and Active recon
• Exploitation (LLMNR, NBT-NS, DNS, MDNS)
• Steal password hashes and crack with john/hashcat
• https://github.com/lgandx/Responder-Windows

Inveigh
• LLMNR, mDNS, and NBNS spoofer
• Man-in-the-middle tool
• HTTP/HTTPS/Proxy listeners
• Slimmed down, Powershell version of Responder
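The LLMNR spoofing that Responder and Inveigh perform can be detected from the defending side by querying for a canary name that no real host owns and treating any answer as evidence of a poisoner on the segment. The Python below is an added example, not code from the slides or from either tool; it builds the canary query and parses a response as RFC 4795 (DNS-format) messages, with a constructed sample response standing in for live traffic.

```python
import socket
import struct

def build_llmnr_query(name, txid):
    """Standard LLMNR query (sent to 224.0.0.252:5355): one A/IN question, QR bit clear."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + labels + struct.pack("!HH", 1, 1)

def decode_name(data, offset):
    """Decode DNS-style labels, following RFC 1035 compression pointers; return (name, next offset)."""
    labels = []
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                      # pointer to an earlier name
            ptr = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            return ".".join(labels + [decode_name(data, ptr)[0]]), offset + 2
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length

def parse_llmnr_response(data):
    """Return (txid, queried name, [IPv4 answers]) for a response, or None for anything else."""
    if len(data) < 12:
        return None
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000 or qdcount != 1:            # QR bit must be set
        return None
    name, off = decode_name(data, 12)
    off += 4                                           # skip the echoed QTYPE/QCLASS
    answers = []
    for _ in range(ancount):
        _, off = decode_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:                  # A record
            answers.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return txid, name, answers

def is_poisoned(canary, txid, data):
    """Nothing legitimate owns the canary name, so a matching answer means a spoofer is present."""
    parsed = parse_llmnr_response(data)
    return (parsed is not None and parsed[0] == txid
            and parsed[1].lower() == canary.lower() and bool(parsed[2]))

# Constructed sample: the datagram a poisoner returns for our txid 0x1234 query, claiming "canary-host" is 10.0.0.99
SAMPLE_RESPONSE = (b"\x12\x34\x80\x00\x00\x01\x00\x01\x00\x00\x00\x00" + b"\x0bcanary-host\x00\x00\x01\x00\x01"
                   + b"\x0bcanary-host\x00\x00\x01\x00\x01\x00\x00\x00\x1e\x00\x04\x0a\x00\x00\x63")
```

To probe a live segment, send build_llmnr_query(canary, txid) over UDP to 224.0.0.252:5355 and pass every datagram received on that socket to is_poisoned; a poisoner that answers any name it sees will answer the canary too, and its source address is the host to investigate.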
Password Cracking
• Crack the hashes captured from Responder using:
  – john the ripper
  – hashcat
POWERSHELL: It's everywhere you want to be…

Offensive Powershell
• Great for bypassing antivirus and application whitelisting
• On current Windows workstation and server operating systems
• More offensive tools are leveraging Powershell
• The bad guys are using it, too!

Powershell Execution Policy
• Execution Policy *IS* not a security feature!!
• 15 ways to bypass Powershell execution policy
  – https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/

Powershell Pwnage Must-Haves
• Empire
  – http://www.powershellempire.com
• Powersploit
  – https://github.com/PowerShellMafia/PowerSploit
• BloodHound
  – https://github.com/BloodHoundAD/BloodHound
• PowerUpSQL
  – https://github.com/NetSPI/PowerUpSQL
• MailSniper
  – https://github.com/dafthack/MailSniper
• DomainPasswordSpray
  – https://github.com/dafthack/DomainPasswordSpray
COBALT STRIKE: Post-exploitation and C2 excellence

Cobalt Strike
• Post-exploitation
• Command and Control (C2)
• Flexible protocols
• Powershell integration
• Scriptable

Listeners and Payloads

Macros for the Foothold

Injecting AD Creds to Access Sysvol

Moving Laterally: SMB Beacons

Credentials

Powershell Integration
NEXT STEPS: Where to go from here…

Next Steps
• Build your own lab
  – VMWare (ESXi), VirtualBox, Hyper-V, AWS, Docker
  – Vulnhub.com
  – Network equipment (HW or SW)
• Certifications
  – OSCP
  – GPEN, GPWN, GXPN
• Bug Bounties and Capture the Flag events

Contact Information
• Contact information:
  [email protected]
  @johnhsawyer
  352-389-4704
• Slides - https://www.sploitlab.com