Hacking Techniques and Mitigations
Brady Bloxham
About Us
• Services
  • Vulnerability assessments
  • Wireless assessments
  • Compliance testing
  • Penetration testing
• Eat, breathe, sleep, talk, walk, think, act security!
Agenda
• Old methodology
• New methodology
• Techniques in action
• Conclusion
The Old Way
• Footprinting
• Network Enumeration
• Vulnerability Identification
• Gaining Access to the Network
• Escalating Privileges
• Retain Access
• Return and Report
The New Way (my way!)
• Recon
• Plan
• Exploit
• Persist
• Repeat
• Simple, right?!

The New Way (continued)
Recon → Plan → Exploit → Domain Admin?
  • No: Persist, then repeat from Recon
  • Yes: Report!

Old vs. New
• So what you end up with is…
Recon
• Two types
  • Pre-engagement
  • On the box

Recon – Pre-engagement
• Target IT
• Social Networking
  • LinkedIn
  • Facebook
  • Google
  • Bing
• Create profile
• Play to their ego
• Play to desperation
• Play to what you know

Recon – Pre-engagement
• Social Engineering
Recon – On the box
• Netstat (listening ports, established connections and the owning PIDs)
• Set (environment variables: current user, domain, logon server)
• Net (net user, net group /domain, net localgroup, net view: users, groups, local admins, shares)
Recon – Registry
• Audit settings
  • HKLM\Security\Policy\PolAdtEv
• Dump hashes
  • Local hashes
  • Domain cached credentials
  • Windows Credential Editor
  • Application credentials (Pidgin, Outlook, browsers, etc.)
• RDP history
  • HKU\Software\Microsoft\Terminal Server Client\Default (per-user hive; HKCU for the current user)
• Installed software
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall
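The on-box recon items above (netstat, set, net, and the registry keys) collected in one read-only pass, as an added example; this is not the author's tooling. The output directory is an assumption, and the hash-dumping items are deliberately left out because they need SYSTEM, unlike everything shown here, which runs as the compromised domain user:

```powershell
# Added example, not from the slides: read-only on-box recon covering the
# netstat / set / net / registry items listed above. Output directory is an
# assumption; nothing here needs more than the compromised user's rights.
$OutDir = "$env:TEMP\recon"
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$r = [ordered]@{}

# netstat: what the box listens on and who it talks to, with owning PIDs
$r.netstat = netstat -ano | Select-String 'LISTENING|ESTABLISHED'

# set: the environment gives the user, the domain and the DC that logged you on
$r.env = Get-ChildItem Env: |
    Where-Object Name -in 'USERNAME','USERDOMAIN','USERDNSDOMAIN','LOGONSERVER','COMPUTERNAME'

# net: local admins, domain admins and domain controllers
$r.localAdmins  = net localgroup Administrators
$r.domainAdmins = net group "Domain Admins" /domain
$r.dcs          = net group "Domain Controllers" /domain

# Registry: audit policy. HKLM\SECURITY is readable only by SYSTEM by default,
# so PolAdtEv normally fails until you are SYSTEM; auditpol needs local admin.
try {
    $r.auditBlob = (Get-Item 'Registry::HKEY_LOCAL_MACHINE\SECURITY\Policy\PolAdtEv' -ErrorAction Stop).GetValue('')
} catch { $r.auditBlob = "PolAdtEv not readable: $($_.Exception.Message)" }
$r.auditpol = auditpol /get /category:* 2>&1

# Registry: RDP history for the current user (the slide's HKU path, per SID).
# MRU0..MRUn are hosts the user connected to; Servers\<host> carries the username.
$tsc = 'HKCU:\Software\Microsoft\Terminal Server Client'
$r.rdpMru = (Get-ItemProperty "$tsc\Default" -ErrorAction SilentlyContinue).PSObject.Properties |
    Where-Object Name -like 'MRU*' | Select-Object Name, Value
$r.rdpServers = Get-ChildItem "$tsc\Servers" -ErrorAction SilentlyContinue | ForEach-Object {
    [pscustomobject]@{ Host = $_.PSChildName; UsernameHint = $_.GetValue('UsernameHint') }
}

# Registry: installed software from both uninstall hives. AV, EDR and admin
# tools show up here before you touch a process list.
$r.software = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
                               'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
    Where-Object DisplayName | Select-Object DisplayName, DisplayVersion, Publisher | Sort-Object DisplayName

# Local hashes and cached domain credentials need SYSTEM and are left to the
# tools the slide names.
foreach ($k in $r.Keys) { $r[$k] | Out-File -FilePath (Join-Path $OutDir "$k.txt") -Encoding utf8 }
Write-Host "Recon written to $OutDir"
```

Each item lands in its own text file so the report can quote it; the two registry reads that most often fail for an unprivileged user (the audit blob and auditpol) are wrapped so the rest of the pass still completes.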
Recon
• What do we have?
  • High value servers (domain controller, file servers, email, etc.)
  • Group and user list
    • Domain admins
    • Other high value targets
  • Installed applications
  • Detailed account information
  • Hashes and passwords
Plan
• Test, test, test!
  • Real production environment!
  • Recreate target environment
    • Proxies
    • AV
    • Domain
• Verify plan with customer
• Think outside the box!
Exploit
• The reality is… it's much easier than that!
• No 0-days necessary!
  • Macros
  • Java applets
  • EXE PDFs

Exploit
• Java applet
  • Domain – $4.99/year
  • Hosting – $9.99/year
  • wget – Free!
  • Pwnage – Priceless!
• Macros
  • Base64-encoded payload
  • Convert to binary
  • Write to disk
  • Execute binary
  • Shell!

Exploit
• The problem? A reliable payload!
  • Obfuscation
  • Firewalls
  • Antivirus
  • Proxies
Persist
• Separates the men from the boys!
• Custom, custom, custom!
• Nothing good out there…
  • Meterpreter – OSS
  • Core Impact – Commercial
  • Poison Ivy – Private
  • DarkComet – Private
  • Who's going to trust these?

Persist
• How?
  • Registry
  • Service
  • Autorun
  • Startup folder
  • DLL hijacking
• What?
  • Beaconing backdoor
  • Stealthy
  • Blend with the noise
  • Modular
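The persistence locations the slide names (Run keys, services, startup folders, DLL hijacking), enumerated from the defender's side, as an added example that is not part of the deck. A responder can use it to hunt for an implant and a tester can use it to check whether their own one really "blends with the noise". The noise filter (signed binaries under %SystemRoot% or Program Files are hidden) and the writable-directory heuristic are assumptions of this example, not criteria from the slide:

```powershell
# Added example, not from the slides: read-only enumeration of the persistence
# locations the slide lists. The "suspicious" heuristics are assumptions.
function Test-WritableByUsers {
    # True if Users / Authenticated Users / Everyone can write into $Path
    param([string]$Path)
    try { $acl = Get-Acl -Path $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -match 'Users$|Everyone$|Authenticated Users$' -and
            "$($ace.FileSystemRights)" -match 'Write|Modify|FullControl') { return $true }
    }
    return $false
}

$findings = @()

# 1. Registry Run / RunOnce keys, machine-wide and current user
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty $key
    foreach ($name in ($props.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' })) {
        $findings += [pscustomobject]@{ Type = 'RunKey'; Where = "$key\$name"; What = $props.$name }
    }
}

# 2. Auto-start services: binary path, service account and Authenticode status
foreach ($svc in Get-CimInstance Win32_Service | Where-Object StartMode -eq 'Auto') {
    $exe = if ($svc.PathName -match '^"?([^"]+?\.exe)') { $Matches[1] } else { $svc.PathName }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    $sig = if (Test-Path $exe) { (Get-AuthenticodeSignature $exe).Status } else { 'Missing' }
    $findings += [pscustomobject]@{ Type = 'Service'; Where = $svc.Name; What = "$exe (as $($svc.StartName), sig=$sig)" }

    # 3. DLL hijacking: the search order starts in the binary's own directory,
    #    so a service binary in a user-writable directory can be shadowed by a
    #    DLL dropped next to it
    $dir = Split-Path $exe -Parent -ErrorAction SilentlyContinue
    if ($dir -and (Test-WritableByUsers $dir)) {
        $findings += [pscustomobject]@{ Type = 'DllHijackCandidate'; Where = $dir; What = "writable dir for service $($svc.Name)" }
    }
}

# 4. Startup folders, per-user and all-users
$startup = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
           "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
foreach ($f in Get-ChildItem $startup -Force -ErrorAction SilentlyContinue) {
    $findings += [pscustomobject]@{ Type = 'StartupFolder'; Where = $f.FullName; What = $f.LastWriteTime }
}

# Noise filter (assumption): hide validly signed service binaries that live
# under the Windows or Program Files directories
$findings | Where-Object {
    -not ($_.Type -eq 'Service' -and $_.What -match 'sig=Valid' -and $_.What -match '^C:\\(Windows|Program Files)')
} | Format-Table -AutoSize -Wrap
```

Anything that survives the filter is either unsigned, lives outside the usual install locations, or sits in a directory ordinary users can write to; that last class is exactly where the slide's DLL hijacking option works, which is why it is reported as a candidate rather than as a finding.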
Repeat?!
Conclusion
• Old methodology is busted!
• Compliance != Secure
• It's not practice makes perfect…