Hacking Techniques and Mitigations
Brady Bloxham
About Us
  Services: Vulnerability assessments, Wireless assessments, Compliance testing, Penetration testing
  Eat, breathe, sleep, talk, walk, think, act security!
Agenda
  Old methodology
  New methodology
  Techniques in action
  Conclusion
The Old Way
  Footprinting
  Network Enumeration
  Vulnerability Identification
  Gaining Access to the Network
  Escalating Privileges
  Retain Access
  Return and Report
The Old Way (continued)
The New Way (my way!)
  Recon
  Plan
  Exploit
  Persist
  Repeat
  Simple, right?!
- Pen testing is more of an art than a science!
- Not simple! The focus shifts from checking-the-box testing to not getting caught and finding ANY hole or vulnerability.
The New Way (continued)
  Recon -> Plan -> Exploit -> Persist -> Domain Admin?
  Yes: Report!
  No: Repeat
Old vs. New
  So what you end up with is…
Recon
  Two types: Pre-engagement, On the box
Recon – Pre-engagement
  Target IT
  Social Networking: LinkedIn, Facebook, Google, Bing
  Create profile
  Play to their ego
  Play to desperation
  Play to what you know
Recon – Pre-engagement: Social Engineering
- Called a target to identify AV before sending over file
- Take people’s niceness and use it against them!
Recon – On the box
  Netstat
  Set
  Net (three slides)
Recon – Registry
  Audit settings: HKLM\Security\Policy\PolAdtEv
  Dump hashes: local hashes, domain cached credentials, Windows Credential Editor, application credentials (Pidgin, Outlook, browsers, etc.)
  RDP history: HKU\Software\Microsoft\Terminal Server Client\Default
  Installed software: HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall
Recon – What do we have?
  High value servers (domain controller, file servers, email, etc.)
  Group and user list: domain admins, other high value targets
  Installed applications
  Detailed account information
  Hashes and passwords
- This can be automated using batch scripts or, even better, METERPRETER scripts!
- All this information after 5-10 minutes of recon!
Plan
  Test, test, test!
  Real production environment!
  Recreate target environment: proxies, AV, domain
  Verify plan with customer
  Think outside the box!
Exploit
Exploit
  The reality is…it’s much easier than that! No 0-days necessary!
  Macros
  Java applets
  EXE
  PDFs
Exploit – Java Applet
  Domain – $4.99/year
  Hosting – $9.99/year
  wget – Free!
  Pwnage – Priceless!
Exploit – Macros
  Base64 encoded payload
  Convert to binary
  Write to disk
  Execute binary
  Shell!
Exploit
  The problem? A reliable payload!
  Obfuscation
  Firewalls
  Antivirus
  Proxies
  Payload variants:
    Straight-up meterpreter executable
    Packed using a well known packer
    Created custom exe template
Persist
Persist
  Separates the men from the boys!
  Custom, custom, custom!
  Nothing good out there…
    Meterpreter – OSS
    Core Impact – Commercial
    Poison Ivy – Private
    DarkComet – Private
  Who’s going to trust these?
Persist
  How?
    Registry
    Service
    Autorun
    Startup folder
    DLL hijacking
  What?
    Beaconing backdoor
    Stealthy
    Blend with the noise
    Modular
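The beaconing backdoor on the Persist slide blends with normal traffic, but its call-home timing is the trait a defender can key on. The following is an added example (not from the deck) that flags client/destination pairs in a proxy log whose request gaps are suspiciously regular; the log format, host names, sample lines and thresholds are all constructed for this illustration.

```python
# Added example (not from the slides): flag beaconing backdoors by the
# regularity of their call-home timing, the one trait a stealthy beacon
# cannot fully hide. Log format and sample lines are constructed here.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<timestamp> <client_ip> <destination_host>".
SAMPLE_LOG = """\
2024-01-01T09:00:00 10.0.0.5 updates.example-cdn.net
2024-01-01T09:00:12 10.0.0.5 news.example.org
2024-01-01T09:00:15 10.0.0.5 news.example.org
2024-01-01T09:01:01 10.0.0.5 updates.example-cdn.net
2024-01-01T09:02:00 10.0.0.5 updates.example-cdn.net
2024-01-01T09:02:40 10.0.0.5 news.example.org
2024-01-01T09:03:02 10.0.0.5 updates.example-cdn.net
2024-01-01T09:03:59 10.0.0.5 updates.example-cdn.net
2024-01-01T09:04:05 10.0.0.5 news.example.org
2024-01-01T09:04:09 10.0.0.5 news.example.org
2024-01-01T09:05:00 10.0.0.5 updates.example-cdn.net
"""


def parse_log(text):
    """Yield (timestamp, client, destination) tuples from the log text."""
    for line in text.splitlines():
        if line.strip():
            ts, client, dest = line.split()
            yield datetime.fromisoformat(ts), client, dest


def find_beacons(text, min_hits=5, max_cv=0.15):
    """Return {(client, dest): (mean_gap_s, cv)} for suspiciously regular
    call-homes; cv = pstdev/mean of the request gaps, near 0 is clockwork."""
    stamps = defaultdict(list)
    for ts, client, dest in parse_log(text):
        stamps[(client, dest)].append(ts)
    hits = {}
    for key, times in stamps.items():
        if len(times) < min_hits:
            continue  # too few requests to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:  # a few seconds of jitter still passes this test
            hits[key] = (round(avg, 1), round(cv, 3))
    return hits


if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))
```

Normal browsing to news.example.org produces wildly uneven gaps and is ignored, while the once-a-minute requests to updates.example-cdn.net are flagged even with a couple of seconds of jitter.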
Repeat?!
Conclusion
  Old methodology is busted!
  Compliance != Secure
  It’s not practice makes perfect…
- It’s CORRECT practice makes perfect!