Post on 09-Jun-2015
transcript
Thomas Mackenzie
Obfuscation methods and planning
Northumbria University
Web Application Testing
WordPress
upSploit
About Me
WINDOWS
METASPLOIT / METEPRETERNOTE
Based upon and continued work and research by Carlos Perez.
All about a new vector / idea / problem that needs to reported to a client
EARLY STAGES
15 minutes: Overview of what I want to find and some information about what I want to get out of it in the end
About The Project
Locard Exchange Principle
“WITH CONTACT BETWEEN TWO ITEMS, THERE WILL BE AN EXCHANGE”
Every action you take will always leave a trace. Even when the action is to cover or delete the trace of another action.
You will not only leave artefacts and traces on the target system but also on some of the devices you transit and communicate through.
?
Developers may create vulnerable code (always has and always will be a problem)
Another problem however, that I don’t believe is looked at is:
At what stage to SysAdmin’s know that their system is being attacked / is this early enough?
Problem?
Create part of a testing stage that the SysAdmin’s can join in with!
A low to high noise area of testing.
What does this mean?
Idea?
Checklist or Testing Guide.
Make sure that the SysAdmin is aware of what is going to happen and ask them to co-operate.
Plan a low – medium – high framework that can used.
See where the SysAdmin picks it up.
Incorporate this into the report.
Idea (2)?
It is all well and good know you have been attacked, but the fact you don’t know when is when you need to worry.
What information has been compromised.
Idea (3)?
Not all companies have IR Teams
Low hanging fruit with be checked first:
Processes, connections, EventLog and in some cases memory dumps
Knowing your enemy
Process lists that are specifically checked:
Time of Creation
Parent PID
Owner
Command Line
Knowing your enemy (2)
On connections things that stand out are obvious:
Why is notepad connecting to the web?
Why is Internet Explorer connecting to 1337
Once they believe there is a possible compromise they will create a timeline
Knowing your enemy (3)
Hide your connections
Connections from svchost.exe look normal is connecting to high ports
IE, Firefox, Chrome, AV, Dropbox and other 443 and 80
Meterpreter offers and API to read and clear Event Logs
What types of things can we do?
New methodology
Should be testing the security of knowledge as well as the security of the app or the infrastructure
Learn new ways to hide so that we can learn new ways to find!
Summary