Using Offensive Tools to Improve Your Defenses
How to hack yourself and secure things while having fun!
John H. Sawyer, SploitLab.com
whoami
• IOActive: Director of Services, Red Team
• InGuardians: Senior Managing Consultant, Mentor, Trainer
• University of Florida: Security Team Lead, Offensive and Forensic Expert, Systems Administrator, Help Desk, Alumnus
• SploitLab: Consultant, Educator, Hacker
• UF Student Infosec Team: Co-Founder, Sponsor
• SwampSec: Founder
• DEF CON 14/15 CTF Winning Team 1@stplace: Defense, NSM
Cyber Kill Chain
• Developed by Lockheed Martin
• Legacy, perimeter-focused view
• More “we need to get inside” and less “we’re inside, now what?”
• Now ask yourself:
• Where do your security controls fit into this model?
• What impact can you have at these earlier stages?
Expanded Kill Chain
https://www.blackhat.com/docs/us-16/materials/us-16-Malone-Using-An-Expanded-Cyber-Kill-Chain-Model-To-Increase-Attack-Resiliency.pdf
Reconnaissance
• Open Source Intelligence – OSINT
• Social Media
• Job Postings
• Corporate Sites
• Metadata
• Social engineering
• Phishing
• Vishing: Voice calls
• In-Person: Impersonation
• Physical Observation
• Watching employee & building visitors
• Dumpster diving
Open Source Intelligence Gathering
• https://yourcompany.com
• Metadata
• Social media
• Job postings
• Shodan and Censys
• "Paste" sites
• Developer sites
DNS Recon with DNSdumpster.com
Passive analysis using Alexa Top 1 Million sites, search engines, Common Crawl, Certificate Transparency, MaxMind, Team Cymru, Shodan and scans.io
CertStream - certstream.calidog.io
• “CertStream is an intelligence feed that gives you real-time updates from the Certificate Transparency Log network...”
• “We do all…watching, aggregating, and parsing…give you super simple libraries that enable you to do awesome things...”
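The defensive use of a Certificate Transparency feed is to watch for certificates issued for names that imitate your brand (phishing and lookalike domains are issued certificates too). The following is an added example, not code from the talk or from the CertStream project: it filters CertStream-style messages for lookalike names outside the domains you own. Assumptions: the messages follow the CertStream JSON shape (message_type "certificate_update", data.leaf_cert.all_domains, data.source.name), the live feed is read over a WebSocket from certstream.calidog.io by code not shown here, and the brand and domain names are placeholders.

```powershell
# Added example (not from the talk or CertStream): flag newly logged certificates
# whose names imitate our brand but are not under domains we own.
# ASSUMPTIONS: CertStream JSON message shape; brand/domain values are placeholders.

$MonitoredBrands = @('yourcompany')
$OwnedDomains    = @('yourcompany.com', 'yourcompany.net')

function Test-LookalikeDomain {
    param([string]$Name)
    $n = $Name.ToLowerInvariant().TrimStart('*', '.')          # "*.foo.com" -> "foo.com"
    foreach ($d in $OwnedDomains) {
        if ($n -eq $d -or $n.EndsWith(".$d")) { return $false }  # our own certificate
    }
    # fold common digit-for-letter substitutions, then drop dots, dashes and digits
    $folded = $n -replace '0', 'o' -replace '1', 'l' -replace '3', 'e' -replace '5', 's'
    $folded = $folded -replace '[^a-z]', ''
    foreach ($b in $MonitoredBrands) {
        if ($folded.Contains($b)) { return $true }
    }
    return $false
}

function Find-SuspiciousCertificates {
    param([string[]]$JsonMessages)
    foreach ($raw in $JsonMessages) {
        $msg = $raw | ConvertFrom-Json
        if ($msg.message_type -ne 'certificate_update') { continue }   # skip heartbeats
        $hits = @($msg.data.leaf_cert.all_domains | Where-Object { Test-LookalikeDomain $_ })
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Domains = ($hits -join ', ')
                Log     = $msg.data.source.name
            }
        }
    }
}

# Constructed sample messages (not real feed data): the first is our own cert,
# the second carries two lookalikes, the third is a heartbeat.
$sample = @(
    '{"message_type":"certificate_update","data":{"source":{"name":"ct-log-1"},"leaf_cert":{"all_domains":["www.yourcompany.com","yourcompany.com"]}}}'
    '{"message_type":"certificate_update","data":{"source":{"name":"ct-log-2"},"leaf_cert":{"all_domains":["yourcompany-login.example","*.yourc0mpany.example"]}}}'
    '{"message_type":"heartbeat"}'
)
Find-SuspiciousCertificates -JsonMessages $sample | Format-Table -AutoSize
```

Only the second sample message is reported. Feeding real messages means deserializing each WebSocket frame from the feed into `$JsonMessages`; the matching is deliberately loose (substitution folding plus a substring test), so expect to tune the brand list against a few days of feed data before wiring it to an alert.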
Delivery
• Social Engineering
• Phishing
• Instant Message
• Phone calls
• Physical Access
• Brute force
• Insider
• Impersonation
• Exploitation of vulnerability
• SQL injection
• Remote Code Execution
• Stolen credentials
• What controls do you have to detect or prevent these attacks?
Internal Attacker Activities
• Reconnaissance
• Exploitation
• Local and Enterprise Privilege Escalation
• Lateral Movement
Recon Activities
• Network and host discovery
• DNS
• Active Directory
• Passive listening
• Network file shares
• Wikis and Sharepoint
• Identify users, sysadmins, DBAs, etc.
Privilege Escalation
• Local
• Unquoted service paths
• Weak file permissions
• Weak service permissions
• DLL hijacking
• Enterprise
• Group Policy Preferences
• LLMNR, NetBIOS-NS, WPAD
• Weak network share permissions
• Sensitive and credential exposure
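Two of the local escalation paths above, unquoted service paths and weak file permissions, can be audited with the same query an attacker runs. The following is an added example, not code from the talk: it lists the hijack locations an unquoted path exposes and checks whether a low-privileged principal can actually write there, so only exploitable findings are flagged. Assumptions: it runs on the host being audited (Get-Acl reads the real filesystem), and the two sample services at the bottom are constructed and will not exist on your machine.

```powershell
# Added example (not from the talk): audit services for unquoted paths and for
# binaries or directories writable by low-privileged principals.
# ASSUMPTIONS: run locally; the sample services below are constructed.

function Get-UnquotedPathCandidates {
    # For an unquoted path with spaces the service control manager tries each
    # space-delimited prefix as an executable before the real binary:
    #   C:\Program Files\Bad App\bad.exe -> C:\Program.exe, C:\Program Files\Bad.exe
    param([string]$PathName)
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) { return @() }                 # quoted: not affected
    $exe = ($p -split '\.exe', 2)[0] + '.exe'              # drop trailing arguments
    if ($exe -notmatch ' ') { return @() }                 # no spaces: not affected
    $parts = $exe -split ' '
    $candidates = @()
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $candidates += (($parts[0..($i - 1)] -join ' ') + '.exe')
    }
    return $candidates
}

function Test-LowPrivRights {
    # True when Everyone / Users / Authenticated Users / INTERACTIVE hold any of $Rights on $Path
    param([string]$Path, [System.Security.AccessControl.FileSystemRights]$Rights)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $lowPriv = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $Rights) -ne 0) { return $true }
    }
    return $false
}

function Find-ServiceHijacks {
    param([object[]]$Services)   # objects with Name, PathName, StartName (Win32_Service shape)
    foreach ($svc in $Services) {
        if (-not $svc.PathName) { continue }
        foreach ($c in Get-UnquotedPathCandidates -PathName $svc.PathName) {
            # planting C:\Program.exe needs CreateFiles on the parent directory
            [pscustomobject]@{
                Service = $svc.Name; RunsAs = $svc.StartName
                Issue   = 'Unquoted service path'; Target = $c
                Writable = Test-LowPrivRights -Path (Split-Path -Path $c -Parent) -Rights 'CreateFiles'
            }
        }
        # the real binary: writable, deletable, or re-ACL-able by low-privileged users
        $bin = ($svc.PathName.Trim().TrimStart('"') -split '\.exe', 2)[0] + '.exe'
        if (Test-LowPrivRights -Path $bin -Rights 'WriteData, Delete, ChangePermissions, TakeOwnership') {
            [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName
                               Issue = 'Service binary writable'; Target = $bin; Writable = $true }
        }
    }
}

# Constructed sample services (not real) so the path logic can be exercised anywhere:
$sample = @(
    [pscustomobject]@{ Name = 'GoodSvc'; PathName = '"C:\Program Files\Good App\good.exe" -run'; StartName = 'LocalSystem' }
    [pscustomobject]@{ Name = 'BadSvc';  PathName = 'C:\Program Files\Bad App\bad.exe -run';     StartName = 'LocalSystem' }
)
Find-ServiceHijacks -Services $sample | Format-Table -AutoSize

# Real audit of the local host, exploitable findings only:
# Find-ServiceHijacks -Services (Get-CimInstance Win32_Service) | Where-Object Writable | Format-Table -AutoSize
```

On the sample data only BadSvc is reported (two candidate paths, C:\Program.exe and C:\Program Files\Bad.exe); whether Writable is true depends on the ACLs of C:\ and C:\Program Files on the machine you run it on. The directory check deliberately asks for CreateFiles rather than AppendData, because a default C:\ grants Authenticated Users the right to create subdirectories but not files, and counting that would produce a false positive on every host.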
Lateral Movement
• Native operating system tools & protocols
• WMI
• PSRemoting
• SMB
• Common sysadmin tools
• PsTools
• PowerShell
• Network file shares
• Sharepoint
• Filesystem mounted remotely
• Remote access
• RDP, Citrix, SSH, VPN
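Every one of the lateral movement channels above leaves a 4624 logon event on the target: WMI, PSRemoting and SMB produce logon type 3 (network), RDP produces type 10 (RemoteInteractive). The following is an added example, not code from the talk: it parses 4624 events collected from many hosts and flags accounts that fan out across an unusual number of machines, which is what lateral movement looks like in the Security log. Assumptions: events are supplied as the XML that EventLogRecord.ToXml() returns (for instance via Windows Event Forwarding), the host threshold is a placeholder, and the sample events are constructed.

```powershell
# Added example (not from the talk): summarize remote logons (4624, type 3 and 10)
# across hosts and flag accounts touching more machines than expected.
# ASSUMPTIONS: input is EventLogRecord.ToXml() output; sample events are constructed.

function ConvertFrom-LogonEventXml {
    param([string]$EventXml)
    $x = [xml]$EventXml
    $id = $x.Event.System.EventID
    if ($id -is [System.Xml.XmlElement]) { $id = $id.'#text' }   # EventID may carry attributes
    if ([int]$id -ne 4624) { return }
    $f = @{}
    foreach ($d in $x.Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = [datetime]$x.Event.System.TimeCreated.SystemTime
        Host        = $x.Event.System.Computer
        Account     = "$($f.TargetDomainName)\$($f.TargetUserName)"
        LogonType   = [int]$f.LogonType
        AuthPackage = $f.AuthenticationPackageName
        Source      = $f.IpAddress
    }
}

function Find-LateralMovement {
    param([string[]]$EventXml, [int]$HostThreshold = 3)   # threshold is a placeholder; baseline it
    $logons = $EventXml | ForEach-Object { ConvertFrom-LogonEventXml $_ } |
        Where-Object { ($_.LogonType -in @(3, 10)) -and ($_.Source -notin @('-', '127.0.0.1', '::1')) }
    $logons | Group-Object Account | ForEach-Object {
        $hosts = @($_.Group.Host | Sort-Object -Unique)
        [pscustomobject]@{
            Account     = $_.Name
            Hosts       = $hosts.Count
            Sources     = (@($_.Group.Source | Sort-Object -Unique) -join ', ')
            # NTLM network logons in a Kerberos domain deserve a look: pass-the-hash uses NTLM
            NtlmNetwork = @($_.Group | Where-Object { $_.LogonType -eq 3 -and $_.AuthPackage -eq 'NTLM' }).Count
            Suspicious  = ($hosts.Count -ge $HostThreshold)
        }
    } | Sort-Object Hosts -Descending
}

function New-SampleLogonXml {
    # builds a constructed 4624 event in the Security log XML schema (test data only)
    param($Time, $Computer, $User, $Type, $Auth, $Ip)
    @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID><TimeCreated SystemTime="$Time"/><Computer>$Computer</Computer></System><EventData><Data Name="TargetUserName">$User</Data><Data Name="TargetDomainName">CORP</Data><Data Name="LogonType">$Type</Data><Data Name="AuthenticationPackageName">$Auth</Data><Data Name="IpAddress">$Ip</Data></EventData></Event>
"@
}

$sample = @(
    (New-SampleLogonXml '2018-05-01T10:00:00Z' 'ws1.corp.example' 'svc_backup' 3 'NTLM'     '10.0.5.23')
    (New-SampleLogonXml '2018-05-01T10:01:00Z' 'ws2.corp.example' 'svc_backup' 3 'NTLM'     '10.0.5.23')
    (New-SampleLogonXml '2018-05-01T10:02:00Z' 'fs1.corp.example' 'svc_backup' 3 'NTLM'     '10.0.5.23')
    (New-SampleLogonXml '2018-05-01T10:03:00Z' 'ws1.corp.example' 'alice'      10 'Kerberos' '10.0.9.4')
    (New-SampleLogonXml '2018-05-01T10:04:00Z' 'ws1.corp.example' 'bob'        2 'Kerberos' '-')
)
Find-LateralMovement -EventXml $sample | Format-Table -AutoSize

# Against collected logs, e.g. on a Windows Event Collector:
# $xml = Get-WinEvent -FilterHashtable @{LogName='ForwardedEvents'; Id=4624} | ForEach-Object { $_.ToXml() }
# Find-LateralMovement -EventXml $xml -HostThreshold 5
```

With the sample data CORP\svc_backup is flagged (three hosts, three NTLM network logons from one source) and CORP\alice is not; bob's interactive logon is excluded. Run it against a normal week first: service and admin accounts legitimately touch many hosts, and the useful signal is a change from that baseline rather than the raw count.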
Final Thoughts
• Think like an attacker; become more offensive and find the vulnerabilities BEFORE they are exploited.
• Assess your organization’s online profile, clean up what’s possible, and mitigate what you can’t.
• Confirm that your security controls work as expected by testing them at each stage of the Kill Chain. Never assume…
Tim Medin @ RedSiege