Using Offensive Tools to Improve Your Defenses

How to hack yourself and secure things while having fun!

John H. Sawyer, SploitLab.com

whoami

• IOActive: Director of Services, Red Team

• InGuardians: Senior Managing Consultant, Mentor, Trainer

• University of Florida: Security Team Lead, Offensive and Forensic Expert, Systems Administrator, Help Desk, Alumnus

• SploitLab: Consultant, Educator, Hacker

• UF Student Infosec Team: Co-Founder, Sponsor

• SwampSec: Founder

• DEF CON 14/15 CTF Winning Team 1@stplace: Defense, NSM

The Attack Process

Expanded Cyber Kill Chain

Cyber Kill Chain

• Developed by Lockheed Martin

• Legacy, perimeter-focused view

• More “we need to get inside” and less “we’re inside, now what?”

• Now ask yourself:

  • Where do your security controls fit into this model?

  • What impact can you have at these earlier stages?

Expanded Kill Chain

https://www.blackhat.com/docs/us-16/materials/us-16-Malone-Using-An-Expanded-Cyber-Kill-Chain-Model-To-Increase-Attack-Resiliency.pdf

Mitre ATT&CK Framework

Reconnaissance

Get out the black light and gloves

Reconnaissance

• Open Source Intelligence – OSINT

  • Social Media

  • Job Postings

  • Corporate Sites

  • Metadata

• Social engineering

  • Phishing

  • Vishing: Voice calls

  • In-Person: Impersonation

• Physical Observation

  • Watching employees & building visitors

  • Dumpster diving

Open Source Intelligence Gathering

• https://yourcompany.com

• Metadata

• Social media

• Job postings

• Shodan and Censys

• “Paste” sites

• Developer sites

DNS Recon with DNSdumpster.com

Passive analysis using Alexa Top 1 Million sites, Search Engines, CommonCrawl, Certificate Transparency, Max Mind, Team Cymru, Shodan and scans.io

Shodan & Censys

CertStream - certstream.calidog.io

• “CertStream is an intelligence feed that gives you real-time updates from the Certificate Transparency Log network...”

• “We do all…watching, aggregating, and parsing…give you super simple libraries that enable you to do awesome things...”
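The slides point at CertStream as a feed of newly logged certificates; the defensive use is to watch that feed for certificates naming domains you own (unexpected issuance) or carrying your brand in someone else's domain (phishing infrastructure being stood up). The following is an added example, not code from the slides or from the CertStream project. It assumes CertStream's JSON message shape (`message_type` of `certificate_update`, domains under `data.leaf_cert.all_domains`, log name under `data.source.name`); the domain lists and the sample message are constructed placeholders.

```python
"""Scan Certificate Transparency updates for certificates that name your domains.

Added example, not code from the slides or from the CertStream project.
It assumes CertStream's JSON message shape (message_type "certificate_update",
data.leaf_cert.all_domains, data.source.name); the sample message is constructed.
"""
import json
import re
from typing import List, Optional, Tuple, Union

# Domains the organization owns and brand tokens a lookalike would reuse (placeholders).
OWNED_DOMAINS = {"yourcompany.com", "yourcompany.net"}
BRAND_TOKENS = {"yourcompany"}


def classify_domain(domain: str) -> Optional[str]:
    """Label one SAN entry: 'owned-domain' (cert issued for a domain you own:
    expected renewal or rogue issuance?), 'lookalike' (someone else's domain
    carrying your brand name), or None when uninteresting."""
    d = domain.lower()
    if d.startswith("*."):
        d = d[2:]                      # treat a wildcard as its base domain
    for owned in OWNED_DOMAINS:
        if d == owned or d.endswith("." + owned):
            return "owned-domain"
    # Drop separators so 'your-company.example' still matches the brand token.
    squashed = re.sub(r"[^a-z0-9]", "", d)
    if any(token in squashed for token in BRAND_TOKENS):
        return "lookalike"
    return None


def process_message(msg: Union[str, dict]) -> List[Tuple[str, str, str]]:
    """Parse one CertStream message and return (label, domain, log_source) findings."""
    if isinstance(msg, str):
        msg = json.loads(msg)
    if msg.get("message_type") != "certificate_update":
        return []                      # heartbeats and other message types
    data = msg.get("data", {})
    domains = data.get("leaf_cert", {}).get("all_domains", [])
    source = data.get("source", {}).get("name", "unknown")
    findings = []
    for dom in domains:
        label = classify_domain(dom)
        if label is not None:
            findings.append((label, dom, source))
    return findings


# Constructed sample message in the assumed CertStream shape.
SAMPLE_MESSAGE = json.dumps({
    "message_type": "certificate_update",
    "data": {
        "leaf_cert": {"all_domains": ["mail.yourcompany.com",
                                      "yourcompany-login.example",
                                      "unrelated.example"]},
        "source": {"name": "constructed-ct-log"},
    },
})

if __name__ == "__main__":
    for label, dom, src in process_message(SAMPLE_MESSAGE):
        print(f"{label:13} {dom:30} (seen in {src})")
```

To run this against the live feed, the `certstream` Python package's `listen_for_events(callback)` hands each parsed message dict to the callback, so `process_message` can be called on that argument directly. Expect noise from legitimate renewals on owned domains; the value is in the lookalike hits and in owned-domain certificates nobody in the organization requested.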

Delivery

Knock, knock, Neo.

Delivery

• Social Engineering

  • Phishing

  • Instant Message

  • Phone calls

• Physical Access

  • Brute force

  • Insider

  • Impersonation

• Exploitation of vulnerability

  • SQL injection

  • Remote Code Execution

  • Stolen credentials

• What controls do you have to detect or prevent these attacks?

Internal Kill Chain

You have the home court advantage

Internal Attacker Activities

• Reconnaissance

• Exploitation

• Local and Enterprise Privilege Escalation

• Lateral Movement

Recon Activities

• Network and host discovery

• DNS

• Active Directory

• Passive listening

• Network file shares

• Wikis and Sharepoint

• Identify users, sysadmins, DBAs, etc.

Privilege Escalation

• Local

  • Unquoted service paths

  • Weak file permissions

  • Weak service permissions

  • DLL hijacking

• Enterprise

  • Group Policy Preferences

  • LLMNR, NetBIOS-NS, WPAD

  • Weak network share permissions

  • Sensitive and credential exposure
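Of the local escalation items listed, unquoted service paths are the easiest to audit yourself before a red team does. The following is an added example, not code from the slides: it checks service `ImagePath` strings for the misconfiguration (an unquoted executable path containing a space) and produces the quoted form that fixes it. The service table is constructed; on a real host the values come from `HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath` (for example via `Get-CimInstance Win32_Service`), and that collection step is not included.

```python
"""Audit Windows service ImagePath values for the unquoted-service-path misconfiguration.

Added example, not code from the slides. The ImagePath strings are constructed.
On a real host the values come from
HKLM\\SYSTEM\\CurrentControlSet\\Services\\<name>\\ImagePath (reg query or
Get-CimInstance Win32_Service); collecting them is left out here.
"""
import re
from typing import Dict, Optional

EXE_RE = re.compile(r"\.exe\b", re.IGNORECASE)


def unquoted_path_risk(image_path: str) -> Optional[str]:
    """Return the unquoted executable path when it contains a space, else None.

    Windows resolves an unquoted path by trying each space-delimited prefix in
    turn, so a service whose path is C:\\Program Files\\Vendor App\\svc.exe is
    ambiguous, while C:\\Windows\\system32\\svchost.exe -k netsvcs is not
    (the space is only in the arguments).
    """
    p = image_path.strip()
    if not p or p.startswith('"'):
        return None                             # quoted: unambiguous
    m = EXE_RE.search(p)
    # Executable portion ends at the first '.exe'; without one, assume the first token.
    exe = p[: m.end()] if m else p.split(" ", 1)[0]
    return exe if " " in exe else None


def quoted_fix(image_path: str) -> str:
    """Return the ImagePath with the executable portion quoted (the remediation)."""
    exe = unquoted_path_risk(image_path)
    if exe is None:
        return image_path
    p = image_path.strip()
    return f'"{exe}"{p[len(exe):]}'


def audit(services: Dict[str, str]) -> Dict[str, str]:
    """Map service name -> offending unquoted path for every affected service."""
    return {name: exe for name, path in services.items()
            if (exe := unquoted_path_risk(path)) is not None}


# Constructed service table: name -> ImagePath.
SAMPLE_SERVICES = {
    "GoodSvc": r'"C:\Program Files\Vendor App\svc.exe" -run',
    "BadSvc": r"C:\Program Files\Vendor App\svc.exe -run",
    "SysSvc": r"C:\Windows\system32\svchost.exe -k netsvcs",
    "ArgsOnly": r"C:\Tools\agent.exe --label Some Value",
}

if __name__ == "__main__":
    for name, exe in audit(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted path with spaces -> {exe}")
        print(f"  fix: {quoted_fix(SAMPLE_SERVICES[name])}")
```

The check is deliberately conservative: a path with no `.exe` and no space before its first token is not flagged, and the only remediation it proposes is quoting, which is what the service control manager expects. Pair the result with a write-permission check on each directory along the flagged path to rank which findings matter.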

Lateral Movement

• Native operating system tools & protocols

  • WMI

  • PSRemoting

  • SMB

• Common sysadmin tools

  • PsTools

  • PowerShell

• Network file shares

  • Sharepoint

  • Filesystem mounted remotely

• Remote access

  • RDP, Citrix, SSH, VPN
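Because the lateral-movement tools listed above are the same ones sysadmins use, detection has to lean on sequence and context rather than on the tool itself. The following is an added example, not code from the slides: it correlates a network logon (Windows Security event 4624, logon type 3) with a service install (System event 7045) on the same host shortly afterwards, the pattern PsExec-style remote execution leaves behind, and also flags the `PSEXESVC` service name PsExec installs on its target. The event records are constructed and simplified, not real log exports; the service-name list and the 60-second window are assumptions to tune locally.

```python
"""Spot PsExec-style remote service execution from Windows event records.

Added example, not code from the slides. The records below are constructed and
simplified; the detection assumes Security event 4624 (logon, type 3 = network)
and System event 7045 (a service was installed), and that PsExec installs a
service named PSEXESVC on the target. Tune the window and service list locally.
"""
from datetime import datetime, timedelta
from typing import Dict, List

# Service names commonly left behind by remote-execution admin tools (assumed list).
REMOTE_EXEC_SERVICES = {"PSEXESVC"}

# Constructed sample records (not real log exports).
EVENTS = [
    {"ts": "2024-01-15T10:00:00", "host": "ws01", "id": 4624, "logon_type": 3,
     "user": "CORP\\svc_admin", "src_ip": "10.0.0.5"},
    {"ts": "2024-01-15T10:00:02", "host": "ws01", "id": 7045,
     "service": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"ts": "2024-01-15T10:30:00", "host": "ws02", "id": 4624, "logon_type": 2,
     "user": "CORP\\alice", "src_ip": "-"},
    {"ts": "2024-01-15T11:00:00", "host": "ws03", "id": 7045,
     "service": "VendorUpdater", "image_path": "C:\\Program Files\\Vendor\\upd.exe"},
    {"ts": "2024-01-15T12:00:00", "host": "ws04", "id": 4624, "logon_type": 3,
     "user": "CORP\\bob", "src_ip": "10.0.0.9"},
    {"ts": "2024-01-15T12:00:05", "host": "ws04", "id": 7045,
     "service": "RemoteSvc", "image_path": "C:\\Windows\\Temp\\rsvc.exe"},
]


def detect(events: List[dict], window: timedelta = timedelta(seconds=60)) -> List[Dict]:
    """Alert on a 7045 service install preceded within `window` by a type-3 logon
    on the same host, or on a service name tied to a remote-exec tool."""
    recent_net_logons: Dict[str, List[tuple]] = {}
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["id"] == 4624 and e.get("logon_type") == 3:
            recent_net_logons.setdefault(e["host"], []).append((ts, e))
        elif e["id"] == 7045:
            logons = [l for t, l in recent_net_logons.get(e["host"], [])
                      if timedelta(0) <= ts - t <= window]
            known_tool = e["service"].upper() in REMOTE_EXEC_SERVICES
            if logons or known_tool:
                alerts.append({
                    "host": e["host"],
                    "service": e["service"],
                    "image_path": e["image_path"],
                    "reason": ("known-remote-exec-service" if known_tool
                               else "service-install-after-network-logon"),
                    "logon_from": [l["src_ip"] for l in logons],
                    "users": [l["user"] for l in logons],
                })
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"{a['host']}: {a['service']} ({a['reason']}) "
              f"from {a['logon_from']} as {a['users']}")
```

Legitimate software deployments will trip the second rule when an admin's network logon precedes the install, so in practice the alert is enriched with the installing account and the image path location (a service binary under a temp or user-writable directory is far more interesting than one under Program Files) before anyone is paged.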

Final Thoughts

• Think like an attacker; become more offensive and find the vulnerabilities BEFORE they are exploited.

• Assess your organization’s online profile, clean up what’s possible, and mitigate what you can’t.

• Confirm that your security controls work as expected by testing them at each stage of the Kill Chain. Never assume…

Tim Medin @ RedSiege

Thank you

Email: john at sploitlab.com

Slides: https://www.sploitlab.com/presentations/

Offensive tool demos: https://www.sploitlab.com/blog