Great forensics is great homework!
Great hacking is great homework!
We need to cooperate.
• You are NOT to distribute, disseminate or reuse these materials without my express permission. This is to deter redistribution of these materials to unsafe or untrusted parties.
• My contact information is at the end of the presentation.
Ground Rules
• Turn off all recording devices (cameras, voice recorders, etc.)
• What you're about to see is real. Every method, attack, vector and exploitation you are going to see has been used to great success by not only myself, but also "the bad guys." We use the same toolset.
• Be mindful of the knowledge you're about to gain. Use it to defend your organization and its assets.
• "Don't try this at home..."
• Do not hesitate to ask questions at any point during the conference or afterwards. I will always offer a solution or opinion.
• Don't be scared, even if this is scary. Fear and short-sighted decisions have doomed many organizations (and probably got them into this situation to begin with).
• We could delve into any one of these items for hours; I'm giving you the most common issues and highest-value targets.
#OPSEC
The name of the game is #OPSEC.
OPSEC
The Monster Retirement Fund
How does an attack happen?
• Determine "why" you're a target
• Determine "who" is likely to attack you
• Determine "what" makes you interesting
• Determine "where" they're going to strike
• Determine "how" they're going to attack
Why are we a target?
• What data or assets do we have that are valuable?
• How can those be leveraged for gain or usage?
• Does our corporate policy, image or clientele draw attention to us or our industry?
Who is likely to attack us?
• Who would like to gain access to our assets?
• What do they have to gain?
• How would an attacker find us in the first place?
What makes *us* interesting?
• What information would draw attention to us or show us to be vulnerable?
• Do we leak information publicly or privately that could risk an exposure?
• Can we control our information and data in a way that would reduce risk?
• Do we bring it upon ourselves?
Where are they going to strike?
• Is this an internal or external threat?
• Can we examine our controls, information or staff and determine where our vulnerabilities or weak points are?
• What is the most likely avenue of attack?
• Are they the same areas?
How are they going to attack?
• Can we put together a profile?
• Can we simulate or model their attack?
• Can we test our controls?
• Are we covered?
• Did we take the most appropriate and reasonable measures to prevent an exposure?
• How likely is this to happen?
• What do we need to do to prevent this from happening?
Our Scenario: Statement
As an organization that deals with valuable personal or corporate information including SSNs, TINs, banking and privileged information, we house information that could directly or indirectly give a committed external party the means to commit fraud or theft.
Things to remember
• Accuracy by volume
• Cast a wide net
• "On a long enough timeline, the survival rate for everyone drops to zero."
• A committed attacker has unlimited time and resources. There is no such thing as "that's against the rules."
• Defense in depth: buy yourself time, throw up red flags.
• Father Time is undefeated.
Public Information Gathering
A committed attacker is going to passively farm and profile your company. The most devastating part of this is that someone can easily map out your company, network and infrastructure without having to connect to your network.
Public Information Gathering Tools
• FOCA
• Maltego
• Google
• Social networking sites (LinkedIn, Myspace, Facebook, Twitter)
• ARIN records search
• Netcraft
• Shodan
• Mailing lists
• DNS lookups
• WHOIS information
• WYD profiling
Public Information Gathering
• Profile the organization: structure, email addresses, titles, departments
• Determine possible infrastructure and exploits to use against it (e-mail servers, apps)
• Farm password lists and profiles, gather personal information
• Bait for phishing
• Correlate and cross-reference sources
• Find clients and partners; determine what may be worth my time
• Re-mine and refine
Metadata Extraction Demonstration
• FOCA
Note: Metadata is more valuable than data in most cases.
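As an added illustration of what the metadata demonstration pulls out of published documents (this is example code, not the deck's material and not part of FOCA): every .docx/.xlsx/.pptx is a zip with two property parts, docProps/core.xml and docProps/app.xml, that carry the author, the last editor (often a DOMAIN\account string), the company and the template. The sample document, its names and the fictional company are constructed here so the script runs offline.

```python
# Added example (not from the slides or the FOCA project): pulls the
# identifying properties out of an Office Open XML file, which is what a
# metadata harvester does with every .docx/.xlsx/.pptx a target publishes.
# The sample document is constructed in memory so this runs offline.
import io
import xml.etree.ElementTree as ET
import zipfile

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# (our key, part inside the zip, path relative to that part's root)
FIELDS = [
    ("creator", "docProps/core.xml", "dc:creator"),
    ("last_modified_by", "docProps/core.xml", "cp:lastModifiedBy"),
    ("created", "docProps/core.xml", "dcterms:created"),
    ("modified", "docProps/core.xml", "dcterms:modified"),
    ("application", "docProps/app.xml", "ep:Application"),
    ("company", "docProps/app.xml", "ep:Company"),
    ("template", "docProps/app.xml", "ep:Template"),
]


def extract_ooxml_metadata(blob):
    """Return {field: value} for every property present in the OOXML blob."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        parts = {}
        for _, part, _ in FIELDS:
            if part not in parts and part in zf.namelist():
                parts[part] = ET.fromstring(zf.read(part))
        for key, part, path in FIELDS:
            root = parts.get(part)
            el = root.find(path, NS) if root is not None else None
            if el is not None and el.text and el.text.strip():
                found[key] = el.text.strip()
    return found


def harvest_identities(blobs):
    """Names and account strings across many documents: phishing targets
    and the username convention (DOMAIN\\user, first.last, ...)."""
    ids = set()
    for blob in blobs:
        meta = extract_ooxml_metadata(blob)
        for key in ("creator", "last_modified_by"):
            if key in meta:
                ids.add(meta[key])
    return sorted(ids)


def build_sample_docx(creator, last_modified_by, company):
    """Constructed sample: the two property parts of a minimal .docx."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s">'
        "<dc:creator>%s</dc:creator>"
        "<cp:lastModifiedBy>%s</cp:lastModifiedBy>"
        "<dcterms:created>2012-03-01T09:15:00Z</dcterms:created>"
        "</cp:coreProperties>"
    ) % (NS["cp"], NS["dc"], NS["dcterms"], creator, last_modified_by)
    app = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Properties xmlns="%s">'
        "<Application>Microsoft Office Word</Application>"
        "<Company>%s</Company>"
        "<Template>Normal.dotm</Template>"
        "</Properties>"
    ) % (NS["ep"], company)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
    return buf.getvalue()


if __name__ == "__main__":
    docs = [
        build_sample_docx("Jane Smith", "ACME\\jsmith", "ACME Retirement Fund"),
        build_sample_docx("Bob Jones", "ACME\\bjones", "ACME Retirement Fund"),
    ]
    print(extract_ooxml_metadata(docs[0]))
    print(harvest_identities(docs))
```

Run it over a crawl of the target's public PDFs and Office files and the `last_modified_by` values alone usually give away the AD domain short name and the account naming convention, which is exactly what the later phishing and password-reset steps need. The defensive check is the same script pointed at your own web server before documents are published.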
Active Information Gathering
A committed attacker is going to actively begin to probe your organization and network using the information refined previously. The key is to refine the information and maintain a low profile.
• Call the admins: Who is responsible for what? Where do people work? Did I get the structure correct? Can they give me more information?
• Call the IT staff and helpdesk: When do the IT staff work? Where do they work? Are there weak links? How do they process information and tickets? Who are they (phishing)?
• Locate your offices, find vulnerable areas: Do you have a satellite office? Do you share office space? Do you have open windows I can look into? Cameras? What time does your staff leave?
• War drive for your Wi-Fi: probe your wireless
• Determine the physical security perimeter: Can I walk into the lobby and offices? What are you trying to hide? Do you have cameras watching things? Are things hidden behind bushes?
• Send e-mails: What are valid addresses? Do you send read receipts? Who will respond? Can I spoof?
• Scan your network: port scanning, web server connections, IDS/IPS determination, identify public-facing servers and their vulnerabilities, begin crafting attacks
• Directly connect to public-facing servers and devices (ex. IIS internal IP weakness)
• Gather logos and identifying information for phishing
• Re-mine and refine
Active Information Gathering Demonstration
• ReadNotify: how I can map a network and resources with one email
• Search engine farming: why should we keep a low profile?
Zero Effort Hacking
• Search string: filetype:txt "password 7" "console" hospital
• Online decrypter: http://www.ibeast.com/content/tools/CiscoPassword/index.asp
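The search string above finds Cisco IOS configs that someone pasted or backed up to the web, and the "password 7" lines in them are not encrypted in any meaningful sense: type 7 is a fixed-key XOR that any offline script reverses. Below is an added, independent decoder (example code, not the deck's material and not the linked web tool), with a constructed sample config; the hostname, hash and password values are made up for the example.

```python
# Added example (not from the slides, and not the linked web tool): an
# independent decoder for Cisco "password 7" strings found in leaked
# configs. Type 7 is a reversible XOR against a fixed key, so anyone who
# finds the config has the password. The sample config is constructed.
import re

TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"
TYPE7_RE = re.compile(r"\b(?:password|key-string)\s+7\s+([0-9A-Fa-f]{4,})\b")
SECRET_RE = re.compile(r"\bsecret\s+([589])\s+\S+")


def type7_decode(encoded):
    """Two decimal digits give the key offset; each following hex byte is
    XORed with the key byte at that rolling offset."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed type 7 string: %r" % encoded)
    seed = int(encoded[:2], 10)
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(body))
    return plain.decode("ascii")


def type7_encode(plain, seed=8):
    """Inverse of type7_decode; IOS picks a seed in 0..15."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    out = ["%02d" % seed]
    for i, b in enumerate(plain.encode("ascii")):
        out.append("%02X" % (b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]))
    return "".join(out)


def triage_config(config_text):
    """Walk a config and report each credential line: type 7 strings are
    decoded on the spot; type 5/8/9 secrets are hashes and are only
    crackable offline, so they are just flagged."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = TYPE7_RE.search(line)
        if m:
            try:
                findings.append((line, "type7:" + type7_decode(m.group(1))))
            except (ValueError, UnicodeDecodeError):
                findings.append((line, "type7:malformed"))
            continue
        m = SECRET_RE.search(line)
        if m:
            findings.append((line, "type%s:hash-only" % m.group(1)))
    return findings


# Constructed sample of what the search string above turns up.
SAMPLE_CONFIG = """\
hostname EDGE-RTR
!
enable secret 5 $1$abcd$constructedhashvaluehere000000
username helpdesk password 7 050A02022842
!
line con 0
 password 7 121A0C041104
line vty 0 4
 password 7 060506324F41
 login
"""

if __name__ == "__main__":
    for line, result in triage_config(SAMPLE_CONFIG):
        print("%-48s -> %s" % (line, result))
```

The practitioner's caveat: `service password-encryption` only produces type 7, so it hides passwords from a shoulder-surfer and nobody else. Use `enable secret` and the type 8/9 hashed forms for local accounts, and treat any config that has left the device (backups, tickets, pastes) as a credential leak.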
Advanced Attacks
• Search string: intitle:"virtual office" sonicwall domain
What does this page tell me?
• Point of entry through a VPN
• It's AD integrated
• It's old infrastructure: no updates
• External IP address
• The SSL certificate is misconfigured or the default (self-signed?)
ARIN Search
• Geographic area
• Names are similar
• Name of target
Back to Google!
• Matched target
• Address
• Careers page
• Contact Us
• Business and processes
My target is VERY interesting!
Website Information
• Email addresses
• Possible login names
• Phishing targets and decision makers
• Staff travel
Digging through DNS
• Hosted email: a point of attack, or whose filters I have to beat
• SPF record: not perfect, but we know they're checking
• DNS name of their hosting provider: something interesting to examine
DNS Search
• DNS name is odd: KROSS
• DNS A record query
• Internal IP of their hosting provider's network
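The two DNS slides above read three record types and draw conclusions from each. Below is an added example (not from the deck) that makes those reads explicit: who hosts mail (from MX), whether SPF is present and how strict its `all` mechanism is, whether a DMARC record exists, and which public names resolve into private address space. The answers, the domain `acme-fund.example` and the MX-suffix-to-provider map are constructed assumptions so the script runs offline; in the field the answers come from dig or nslookup.

```python
# Added example (not from the slides): reading MX, TXT and A answers the way
# the two DNS slides do. The answers are constructed and kept in a dict so
# this runs offline; in the field they come from dig/nslookup against the
# target. The mail-host map and the domain names are assumptions.
import ipaddress

# Assumption: a small hand-maintained map from MX host suffix to provider.
MAIL_HOST_SUFFIXES = {
    "mail.protection.outlook.com": "Microsoft 365",
    "google.com": "Google Workspace",
    "pphosted.com": "Proofpoint",
    "mimecast.com": "Mimecast",
}

ALL_MECHANISMS = {"-all": "hardfail", "~all": "softfail", "?all": "neutral",
                  "+all": "pass-all", "all": "pass-all"}

# RFC 1918, loopback and link-local: none of these belong in public DNS.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


def mail_provider(mx_hosts):
    """Whose filters stand between me and the inbox?"""
    for host in mx_hosts:
        host = host.rstrip(".").lower()
        for suffix, name in MAIL_HOST_SUFFIXES.items():
            if host == suffix or host.endswith("." + suffix):
                return name
    return "self-hosted or unknown"


def parse_spf(txt_records):
    """Pull the policy, third-party senders and published ranges out of SPF."""
    info = {"present": False, "policy": "none", "includes": [], "ranges": []}
    spf = [t for t in txt_records if t.lower().startswith("v=spf1")]
    if not spf:
        return info
    info["present"] = True
    for term in spf[0].split()[1:]:
        if term in ALL_MECHANISMS:
            info["policy"] = ALL_MECHANISMS[term]
        elif term.startswith("include:"):
            info["includes"].append(term.split(":", 1)[1])
        elif term.startswith(("ip4:", "ip6:")):
            info["ranges"].append(term.split(":", 1)[1])
    return info


def has_dmarc(txt_by_name, domain):
    """SPF only authorises senders; without DMARC a failed SPF check rarely
    causes rejection, so a spoofed From: header still lands."""
    return any(t.lower().startswith("v=dmarc1")
               for t in txt_by_name.get("_dmarc." + domain, []))


def leaked_private_hosts(a_by_name):
    """Public names resolving to internal space: an IP plan handed out free."""
    leaks = []
    for name, addrs in a_by_name.items():
        if any(ipaddress.ip_address(a) in net for a in addrs for net in INTERNAL_NETS):
            leaks.append(name)
    return sorted(leaks)


def triage(domain, answers):
    spf = parse_spf(answers["txt"].get(domain, []))
    dmarc = has_dmarc(answers["txt"], domain)
    return {
        "mail_provider": mail_provider(answers["mx"]),
        "spf_policy": spf["policy"],
        "spf_includes": spf["includes"],
        "dmarc": dmarc,
        "spoofable": spf["policy"] != "hardfail" or not dmarc,
        "private_ip_leaks": leaked_private_hosts(answers["a"]),
    }


# Constructed answers for a fictional target (.example is a reserved TLD).
DOMAIN = "acme-fund.example"
ANSWERS = {
    "mx": ["acme-fund-example.mail.protection.outlook.com."],
    "txt": {
        DOMAIN: ["MS=ms12345678",
                 "v=spf1 include:spf.protection.outlook.com ip4:203.0.113.0/24 ~all"],
    },
    "a": {
        "www." + DOMAIN: ["203.0.113.10"],
        "vpn." + DOMAIN: ["203.0.113.20"],
        "intranet." + DOMAIN: ["10.20.30.40"],
    },
}

if __name__ == "__main__":
    for key, value in triage(DOMAIN, ANSWERS).items():
        print("%-18s %s" % (key, value))
```

The `spoofable` flag is the point of the "not perfect, but we know they're checking" bullet: `~all` plus no DMARC means the target's own domain can be forged in the From: header for the phishing step, and the `include:` tells me which provider's filters I have to get past.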
What have I gathered so far?
• AD domain name
• Multiple attack surfaces
• Possible usernames
• Point of login
• Direct network access
• Email addresses
• Business type and clients
• Internal IP addresses for multiple networks
• Physical location
• Vulnerable ISP/hosting company
What can I safely assume?
• No one is patching their environment, or they're not investing.
• Their hosting company may not be security conscious.
• Important people are traveling; it's an opportunity for multiple attacks.
• On-site social engineering may work.
• I may be able to attack Outlook Online without fear of alerting.
• There is enough money or information to make this worth my while.
Phishing and Social Engineering
• Set up a fake website with a name similar to yours or which sounds "secure".
• Send emails to your employees with a link to a phishing site asking for a password reset or validation. Browser exploitation and client-side exploitation are also viable options.
• Use YOUR logos and IT staff information or direct supervisors' names.
• We hope for a password entry, but just clicking the link can render usable information or a platform for a client-side exploit.
• If I did my homework, I already know what apps you are using. I can deliver a payload via website, emails or attachments.
• This is the most effective attack: 75-85% success rate PER engagement.
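The first bullet above is the part a defender can get ahead of. As an added example (not from the deck), the script below enumerates the look-alike names an attacker would register for your domain (typos, homoglyphs, "secure"/"login" affixes, other TLDs) and flags hostnames from mail or proxy logs that match, including the decoy form where your real domain appears as a label under someone else's. Generation is offline; whether a candidate is actually registered is a WHOIS/DNS lookup not shown. The domain `acmefund.com` and the hostnames are constructed for the example.

```python
# Added example (not from the slides): enumerates the look-alike names an
# attacker would register for the "fake website with a name similar to
# yours" step, and flags hostnames seen in mail or proxy logs that match.
# Generation is offline; whether a candidate is actually registered is a
# WHOIS/DNS lookup not shown here. The domain and hostnames are constructed.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5",
              "m": "rn", "w": "vv", "d": "cl"}
AFFIXES = ("secure", "login", "portal", "support", "it", "helpdesk", "account")
ALT_TLDS = ("com", "net", "org", "co", "biz", "info")


def lookalikes(domain):
    """Return sorted candidate domains: typos, homoglyphs, affixes, other TLDs."""
    name, tld = domain.lower().rsplit(".", 1)
    names = set()
    for i in range(len(name)):                       # omission
        names.add(name[:i] + name[i + 1:])
    for i in range(len(name) - 1):                   # adjacent swap
        names.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
    for i, ch in enumerate(name):                    # doubled letter
        names.add(name[:i] + ch + name[i:])
    for i, ch in enumerate(name):                    # homoglyph, one per name
        if ch in HOMOGLYPHS:
            names.add(name[:i] + HOMOGLYPHS[ch] + name[i + 1:])
    for word in AFFIXES:                             # "sounds secure"
        names.update({name + "-" + word, word + "-" + name, name + word})
    names.discard(name)
    names.discard("")
    cands = {n + "." + tld for n in names}
    cands.update(name + "." + t for t in ALT_TLDS if t != tld)
    return sorted(cands)


def flag_suspicious(hostnames, domain):
    """Hostnames that are look-alikes, or that carry the real domain as a
    decoy label under someone else's domain (acmefund.com.evil.example).
    Assumption: registrable name = last two labels (no public-suffix list)."""
    domain = domain.lower()
    bad = set(lookalikes(domain))
    brand = domain.rsplit(".", 1)[0]
    flagged = []
    for host in hostnames:
        h = host.lower().rstrip(".")
        labels = h.split(".")
        registrable = ".".join(labels[-2:])
        if h == domain or h.endswith("." + domain):
            continue                                  # the real thing
        if registrable in bad or domain in h or (brand in labels and registrable != domain):
            flagged.append(host)
    return flagged


if __name__ == "__main__":
    for cand in lookalikes("acmefund.com")[:10]:
        print(cand)
    print(flag_suspicious(["www.acmefund.com", "acmefund-secure.com",
                           "acmefund.com.login-check.example",
                           "mail.acrnefund.com", "news.example.net"],
                          "acmefund.com"))
```

Feed `lookalikes()` into a daily WHOIS/DNS check and `flag_suspicious()` into the mail gateway's sender-domain log; a newly registered candidate, or a click to one in proxy logs, is the earliest warning that the phishing campaign described above is being staged.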
User Exploitation
Attempt delivery of exploits by all means available
• Drop USB sticks in the parking lot with my exploits (*sigh*)
• Call your employees and helpdesk attempting to reset passwords, get remote access, redirect them to sites
• Reset passwords via user-side resets: use intelligence gathered previously, or actively gather again
• Attempt to enter the premises, if possible. Shoulder surfing, tailgating, grab IDs or see what they look like.
• ARIN & IP information -> service provider -> WHOIS information -> fake ID -> clipboard & cable tester -> bother admin -> get access -> plant device or access
You would be petrified to know the types of places I have just "talked" my way into.
Exploiting Weakness, Ignorance and Predictability
Some points to consider:
• We have not attempted a traditional, "technical" exploit.
• None of your infrastructure has been directly attacked, compromised or exploited.
• Most of this is either hard to detect or is so common that it hides in plain sight. If you haven't implemented sound detective controls or trained your users, you may never know this is occurring.
• The most technical attack we have attempted is exploitation of a workstation via USB stick. A user who was exploited is not likely to report this to you.
User Exploitation Demonstration
• Wireless hijacking
• Keyloggers
• USB device attacks
Training vs. Reality
If I have successfully exploited a user before this point, I will not directly attack your infrastructure. The goal is entry to your network using the path of least resistance. I want to stay undetected inside your network for as long as is needed. We have traditionally been trained to fight off the hacker who sits behind the keyboard and attacks for the challenge or to slash and burn your infrastructure.
Intrusion & Enumeration
• The goal is to gather information and exploit
• Attempt entry via compromised accounts and machines
• Enumerate the network: WHAT do I have access to? What do I want to access next?
• Find "weak" spots or exploitable information and systems
Once access is gained to your network, the game is over. Containment and incident response are paramount!
• Probing QUIETLY via network scans and tools
• Privilege escalation: likely not to have admin rights with this attack
• Attempt entry into shares, databases, applications
• RBAC, least privilege, separation of duties, user profiling and behavior, ACLs and logging become incredibly important
Internal Probing
• Attack Active Directory: view group memberships, confirm accounts, find admin accounts
• Attempt entry using credentials: SQL DBs, Exchange/Lotus, read e-mail, open docs/shares
• DEFAULT PASSWORDS!
• Establish re-entry methods: keep access and the ability to hide the attack (i.e. "hold the beach for as long as I need to")
• Determine internal security measures; disable them or avoid detection
Access and Theft
• Data exfiltration: send information/data offsite disguised as a user, or view/capture
• Monetary theft: slam vs. nibble, offsite account access
• Credit card fraud: gather numbers and information, apply for credit
• Personal information gathering: TINs and SSNs, client lists and other sites for attack
• Metadata scavenging: data about the data and its value
The Great Escape
• Destroy or obfuscate incriminating data and information
• Enable an avenue for re-entry if desired: agents, bots, remote access, user accounts
• Scorched earth or surgical strike?
• Leverage your network for further acts
Triage
• Most important step for InfoSec and forensics
• Forensically sound
• Legal and business requirements
• Preserve information but remediate the situation
• Assessment and decision making are key
• Documentation is critical
During Incident
1. Alert management
2. Take pictures
3. Document EVERYTHING
4. Capture volatile data (RAM, running processes, pagefile, etc.)
5. Containment
6. Assessment
Post-Incident
7. Securely transport and store information
8. Investigate
9. Remediate
10. Prep for future action
11. Review and improve
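Steps 3, 4 and 7 above only hold up later if you can show the captured data is the data you captured. As an added example (not from the deck), the script below builds a collection manifest: each artifact is hashed at capture time, the manifest is hashed as a whole, and `verify()` re-checks both so tampering or a bad copy during transport is detected. The case ID, host, collector and artifact bytes are constructed stand-ins for a memory image, a process list and a netstat capture.

```python
# Added example (not from the slides): a minimal collection manifest for the
# "document everything", "capture volatile data" and "securely transport"
# steps. Each artifact is hashed the moment it is captured, the manifest is
# hashed as a whole, and verify() re-checks both later so you can show
# management or counsel that nothing changed in transit. The artifacts
# below are constructed bytes standing in for a RAM image, a process list
# and a netstat capture.
import datetime
import hashlib
import json

# Capture most volatile first (RAM, processes, network state), disk last.
VOLATILITY_ORDER = ("memory", "processes", "network", "pagefile", "disk")


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def canonical(obj):
    """Stable byte form so the manifest hash does not depend on key order."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def build_manifest(case_id, host, collector, artifacts):
    """artifacts: {name: bytes}. Returns a dict ready to be written beside
    the evidence and copied into the chain-of-custody log."""
    now = datetime.datetime.now(datetime.timezone.utc).isoformat(timespec="seconds")
    entries = [
        {"name": name, "size": len(data), "sha256": sha256(data), "captured_utc": now}
        for name, data in sorted(artifacts.items())
    ]
    manifest = {"case_id": case_id, "host": host, "collector": collector,
                "artifacts": entries}
    manifest["manifest_sha256"] = sha256(canonical(manifest))
    return manifest


def verify(manifest, artifacts):
    """Return names whose hash no longer matches; '<manifest>' means the
    manifest itself was edited. An empty list means the set is intact."""
    problems = []
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    if sha256(canonical(body)) != manifest.get("manifest_sha256"):
        problems.append("<manifest>")
    for entry in manifest["artifacts"]:
        data = artifacts.get(entry["name"])
        if data is None or len(data) != entry["size"] or sha256(data) != entry["sha256"]:
            problems.append(entry["name"])
    return problems


# Constructed stand-ins for real captures.
SAMPLE_ARTIFACTS = {
    "memory.raw": b"\x00" * 4096 + b"lsass.exe\x00",
    "pslist.txt": b"PID  NAME\n4    System\n612  lsass.exe\n",
    "netstat.txt": b"TCP 10.1.2.3:49152 203.0.113.7:443 ESTABLISHED\n",
}

if __name__ == "__main__":
    m = build_manifest("IR-2012-0001", "FS01", "j.doe", SAMPLE_ARTIFACTS)
    print(json.dumps(m, indent=2))
    print("intact:", verify(m, SAMPLE_ARTIFACTS) == [])
```

Write the manifest hash into the paper log at the scene (step 2 and 3: photograph it), keep the manifest with the evidence, and run `verify()` again when the drive is checked in at the lab. The order constant is a reminder that RAM and process state are gone the moment the box is powered off, so they are captured before anything else in step 4.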
Requirements or Qualifications
• Appoint a member of staff or a team
• Baseline training (ACE or EnCE, Sec+, others)
• Empower the team or manager
• Interfaces with management ("looks good in front of a camera")
• Intelligent and intuitive: critical, proactive thinkers
• Understand the evolution of InfoSec and risk ("be like water")
• Discipline: work, eat, security (no time for sleep)
Risk Management
• Determine an acceptable amount of risk
• Security vs. convenience
• Get executive buy-in
• Transparency through the process
• Be REASONABLE
Tools and Links
• Information Paradox http://www.information-paradox.net
• Cain & Abel http://www.oxid.it/cain.html
• Nmap http://nmap.org/
• Metasploit http://www.rapid7.com/
• Nessus http://www.tenable.com/products/nessus
• Hacme Bank v2.0 http://www.mcafee.com/us/downloads/free-tools/hacme-bank.aspx
• OWASP https://www.owasp.org/index.php/Main_Page
• HackThisSite http://www.hackthissite.org/
• Metasploitable VM https://community.rapid7.com/docs/DOC-1875