CYBER JUDO: OFFENSIVE CYBER DEFENSE - Black Hat · PDF fileCYBER JUDO: OFFENSIVE CYBER DEFENSE...

Post on 25-Mar-2018

227 views 6 download

Preview:

Click to see full reader
Report this document
SHARE

transcript

CYBER JUDO: OFFENSIVE CYBER DEFENSETal Be’ery, Sr. Security Research Manager, Microsoft ATA, @TalBeerySecItai Grady, Security Researcher, Microsoft ATA, @ItaiGrady

Intro

https://en.wikipedia.org/wiki/Sun_Tzu#/media/File:Enchoen27n3200.jpg

Defenders Attackers

Network Deployment Proxy / Network Monitoring MITM / Eavesdropper

Host Deployment Agent (but the prefer to refrain: compatibility, performance)

Malware (but the prefer to refrain: compatibility, performance, detection)

Privileges Least, o.w. part of the problem (see:

@taviso)

Least, privileged user are more

monitored

Integrations “living off the land”. Core functionality must be delivered independently, opportunistic integrations

“living off the land”. Core functionality must be delivered independently,opportunistic existing non-default capabilities abuse

Expertise OS internals, networking OS internals, networking

waza1234/

des_cbc_md5 f8fd987fa7153185

LSASS (kerberos)

rc4_hmac_nt(NTLM/md4)

cc36cf7a8514893efccd332446158b1a

aes128_hmac8451bb37aa6d7ce3d2a5c2d24d317af3

aes256_hmac

1a7ddce7264573ae1f498ff41614cc78001cbf6e3142857cce2

566ce74a7f25b

DC

DC

TGT

TGS

③ TGS-REQ (Server)

④ TGS-REP

⑤ UsageUser

Server

• Authentication

• Authorization

DC

waza1234/

LSASS (NTLM)

NTLM(rc4_hmac_nt)

cc36cf7a8514893efccd332446158b1a

User

Server① Negotiate

③ Response

② Challenge

⑥ Auth verified

Lateral Movement Reconnaissance

HERE

THERE

HERE THERE

Logged-on User Recon

Computer’s Local Admin Recon

Users + Group Membership Recon

https://github.com/adaptivethreat/BloodHound

Lateral Movement Reconnaissance: Defense

Win version Who can query SAMR by default Can default be changed

< Win10 Any domain user No

Win10 Any domain user Yes (only via registry)

> Win10 (e.g.

anniversary)

Only local administrators Yes (registry or GPO)

/

https://gallery.technet.microsoft.com/Net-Cease-Blocking-Net-1e8dcb5b/

Cyber Judo with NetSess

• Authentication

• Authorization

DC

waza1234/

LSASS (NTLM)

NTLM(rc4_hmac_nt)

cc36cf7a8514893efccd332446158b1a

User

Server① Negotiate

③ Response

② Challenge

⑥ Auth verified

Cyber Judo with SAMR

https://twitter.com/JohnLaTwC/status/777569424156921856

Kerberos Error Message Injection

waza1234/

des_cbc_md5 f8fd987fa7153185

LSASS (kerberos)

rc4_hmac_nt(NTLM/md4)

cc36cf7a8514893efccd332446158b1a

aes128_hmac8451bb37aa6d7ce3d2a5c2d24d317af3

aes256_hmac

1a7ddce7264573ae1f498ff41614cc78001cbf6e3142857cce2

566ce74a7f25b

DC

DC

TGT

TGS

③ TGS-REQ (Server)

④ TGS-REP

⑤ UsageUser

Server

https://www.youtube.com/watch?v=CSdJ_-PhauI

KDC

waza1234/

User1

des_cbc_md5 f8fd987fa7153185

LSASS (kerberos)

rc4_hmac_nt(NTLM/md4)

cc36cf7a8514893efccd332446158b1a

aes128_hmac8451bb37aa6d7ce3d2a5c2d24d317af3

aes256_hmac

1a7ddce7264573ae1f498ff41614cc78001cbf6e3142857cce2

566ce74a7f25b

user rc4_hmac_nt

aes256_hmac

Joe 21321… 543..

user1 cc36cf7a…

1a7ddc…

Doe

TGT

• RC4-HMAC does not have any!

• RC4-HMAC does not have any!https://commons.wikimedia.org/wiki/File:Jodsalz_mit_Fluor_und_Folsaeure.jpg

KDC

waza1234/

User1

des_cbc_md5 f8fd987fa7153185

LSASS (kerberos)

rc4_hmac_nt(NTLM/md4)

cc36cf7a8514893efccd332446158b1a

aes128_hmac8451bb37aa6d7ce3d2a5c2d24d317af3

aes256_hmac

1a7ddce7264573ae1f498ff41614cc78001cbf6e3142857cce2

566ce74a7f25b

user rc4_hmac_nt

aes256_hmac

Joe 21321… 543..

user1 cc36cf7a…

1a7ddc…

Doe

TGT

Kerberos Error Injection: Defense

Cyber Judo with Kerberos Error Injection

https://www.google.com/patents/US20160014077

Parting Thoughts

Top related

OFFENSIVE CYBER WARFARE_roughdraft_3
Documents
Australian Army Journal Cyber-warfare Edition · Australian Army Journal Cyber-Warfare Edition Army Serving our Nation • The Utility of Offensive Cyber-Operations in Conventional
Documents
CHAPTER OFFENSIVE OPERATIONS CHAPTER OFFENSIVE …
Documents
War in the 5th domain: Cyber Offensive Capability
Technology
Judo Championships 2019 Washington State · Judo/United States Judo, Inc., United States Judo Association, Inc., Washington State Judo, Inc., Coeur d’Alene School District, Lakeland
Documents
Cyber-Desk Review: Report #2 - ICT Report 2.pdfCyber-Desk Review: Report #2 The second cyber-desk report addresses two main subjects: cyber-terrorism (offensive, defensive, and the
Documents
OpenHouse Workshop on Cyber Security Offensive ...OpenHouse Workshop on Cyber Security Offensive/Defensive Boot Camp - 2 Days Theme: Understanding the Cyber Attack Defence Controls
Documents
CYBER WARFARE - WordPress.com...Cyber warfare involves units organized along nation-state boundaries, in offensive and defensive operations, using computers to attack other computers
Documents
2019 Samurai Slam Judo Championships · Judo, Inc., United States Judo Association, Inc., American Traditional Jujitsu Association, Samurai Judo Association, American Judo Foundation,
Documents
Cyber-Terrorism Activities Report No. 12 January March 2015This report covers the period of January - March 2015 and covers two main subjects: cyber-terrorism (offensive, defensive,
Documents
Offensive Cyber Capabilities at the Operational Level: The ...
Documents
Taking the offensive...Taking the offensive: Disrupting Cyber Crime 01 Rethink the cyber security threat As the threat of cyber attack grows, major corporations are struggling to keep
Documents
Cyber in War: Assessing the Strategic, Tactical, and ...capabilities” (van Haaster 2019, 148). The term operations indicates a sequential or parallel use of offensive cyber attacks
Documents
adi2013.pbworks.comadi2013.pbworks.com/w/file/fetch/67999112/Fellows... · Web viewScenario 1 is cyber prolif: Status quo offensive cyber operations by the US has set a precedent
Documents
Focus on Judo Games - United States Judo Associationmedia.usja.net/growing-judo/GrowingJudo2007_06.pdf · Growing Judo June 2007 1 June 2007 Focus on Judo Games Monthly Newsletter
Documents
Program Guide - ITEA Cyber/2016... · sessions addressing Offensive Cyberspace Operations (OCO) capabilities, Threat Resources, and Cyber-EW ... Using the automated red team capability
Documents
Bullying/Cyber-bullying - Kings Local · Cyber-bullying Cyberbullying is defined as threats or other offensive behavior sent through an electronic means (online, email, IM, phone
Documents
AUSTRALIA’S OFFENSIVE CYBER CAPABILITY - acs.org.au offensive cyber operations, ... of Intelligence and Security has noted in the context of cyber operations in support of the ADF
Documents
JUDO PROFIMAT DN 65 - 100 JUDO PROFIMAT PLUS ¾ - 2 judo profimat...Installation and operating instructions JUDO PROFIMAT PLUS ¾" - 2" JUDO PROFIMAT DN 65 - 100 Automatic backwash
Documents
Russia’s Approach to Cyber Warfare...Russia has employed its offensive cyber capabilities in order to derive observations based on patterns of behavior. The first case study we examine
Documents

Copyright © 2018 DOCUMENTS