Painting a Company Red and Blue

Ian Amit Director of Services

Hi

What is a Red Team?

What is a Red Team?

electronic

socialphysical

Red Team

electronic

socialphysical

Red Team

Why?

Why?

Red TeamPentestVuln Scan

Red TeamPentestVuln Scan

Compliant you are. Matter it does not.

There is security

outside of IT

What to look for in a team?

Skills Matrix

Electronic Physical Social

Bob 5 9 1

Joe 3 8 9

Jenny 9 4 7

*Neither Bob, Joe nor Jenny were hurt in making this slide

First rule

Go for the jugular !

• What can take the business down?

• Who is involved???

vs.

Second Rule

Give it all you’ve got

Second Rule

Give it all you’ve got

“You start as fast as you can go, and then slowly speed up” Krembo

Let’s paint!

Red Team Blue Team• Simulate real

intelligence gathering

• Create key personnel profiles

• Identify social weak points

!

• Identify and control public information

• Train key personnel on personal safety

• Work with HR on social issues

Wireless Network Penetration Testing Services

Confidential. Proprietary. [18]

Detailed Findings Tables

#RAPCON–1 Unauthenticated RAP Console Leaks IPSec Configuration

Device(s) RAP Console

Category Information Disclosure

Testing Method Black Box (Hardware)

Tools Used Firefox

Likelihood Medium (3)

Impact High (4)

Total Risk Rating High (12)

Effort to Fix Medium

Threat and Impact

The RAP Console is unauthenticated and displays information about the access point. Figure 1 shows a screenshot of the RAP Console home page.

Figure 1: Unauthenticated RAP Console

On the Diagnostics tab it is possible to view the conn_log, sapd_debug, dmseg, and rapper debug logs. The rapper debug log will log the PAP Username:

IKE_EXAMPLE: Starting up IKE server

Wireless Network Penetration Testing Services

Confidential. Proprietary. [18]

Detailed Findings Tables

#RAPCON–1 Unauthenticated RAP Console Leaks IPSec Configuration

Device(s) RAP Console

Category Information Disclosure

Testing Method Black Box (Hardware)

Tools Used Firefox

Likelihood Medium (3)

Impact High (4)

Total Risk Rating High (12)

Effort to Fix Medium

Threat and Impact

The RAP Console is unauthenticated and displays information about the access point. Figure 1 shows a screenshot of the RAP Console home page.

Figure 1: Unauthenticated RAP Console

On the Diagnostics tab it is possible to view the conn_log, sapd_debug, dmseg, and rapper debug logs. The rapper debug log will log the PAP Username:

IKE_EXAMPLE: Starting up IKE server

Wireless Network Penetration Testing Services

Confidential. Proprietary. [19]

setup_tunnel Initialized Timers IKE_init: completed after (0.0) (pid:16341) time:1999-12-31 16:37:53 seconds. Before getting PSK PSK:****** User:xiaobo1 Pass:******

A more serious information disclosure is the “Generate & save support file” option available on the home page of the RAP Console. The support.tgz file contained 73 files, including the ikepsk, pappasswd, and papuser files, as shown in Figure 2.

Figure 2: Contents of support.tgz

These files contain the encrypted IPSec pre-shared key, and the unique username and the encrypted password for this access point.

An attacker who has gained physical access to the access point or access to the RAP Console for the access point would be able to recover the credentials used by the access point to establish a VPN back to the controller. The credentials are encrypted with a static key, which can be easily decrypted.

Recommendations

The RAP Console has no security model. Disable it if possible.

Red Team Blue Team• Supply chain

compromise

• Piercing the perimeter paradigm

• Access internal resources without controls

!

• IT is solid - go beyond the technology

• Expand monitoring towards the “unknown”

• Role based access controls on top of location/asset based.

Red Team Blue Team• Uncover new/

undocumented assets

• Leverage technical issues in devices that control environment

• Combine environment control with social engineering

• Expand control base into additional aspects of business

• Recruit stakeholders

• Train and educate personnel from other business units, learn the details of their business

Red Team Blue Team• Access critical assets

out of their element

• Avoid triggering alarms on heavily guarded areas

!

!

• Scope secondary/tertiary locations for assets

• Correlate alerts for same asset category

Red Team Blue Team• Access non-production

equipment.

• Implant backdoors for later use

!

!

• Involvement in security should be started in early phases of design and testing

• Test-to-production should be scrutinized and no test setup should be relied on (same for default manufacturer settings)

Red Team Blue Team• Virtualized

environments and out of band management for servers compromises

• Completely bypass host security. Full access to bios level configuration, full KVM access remotely.

!

• Datacenter security - both physical, as well as internal and vendor support

• Logging and auditing of all access to assets - including correlation of local and remote access with additional footprints (doors, VPNs)

Blue Team Work

Quick response: assess, involve, minimize damage, control

environment, apply learning to process/people/technology

Trigger Warning:Business Speak!

• ROI

• Buy-In

• Identify Risks and Gaps

• Processes

• People

• Technology

• Reapply to Organization

Q1-1

20

40

60

80

Blue Red

• ROI

• Buy-In

• Identify Risks and Gaps

• Processes

• People

• Technology

• Reapply to Organization

Q3-2

20

40

60

80

Blue Red

Retest / VerifyYou can’t just click “go” again…

!

!

Retest/verify means reasserting core issue is

addressed - to create new scenario that includes it!

Deliver

Deliver

Deliver

Don’t sell

Questions?

Ian Amit @iiamit