Offensive Operations - SploitLab · •Passive (OSINT) • Search Engines (Google Dorks) • Web...

transcript

@johnhsawyer john@sploitlab.com

OffensiveOperationsJohnH.Sawyer

SeniorManagingConsultantInGuardians,Inc.

BryceLay- Comsys

WorkshopAgenda• Administrivia• IntroductiontoPenetrationTesting

• Reconnaissance• Physical• SocialEngineering• PostExploitation

PurposeofthisWorkshop• Introductiontopenetrationtesting– Securityprofessionalsfocusedondefense– Systemsadministrators– Developers

• Hands-onwithCobaltStrikeandoffensivePowershelltools

• HaveFun!!

WhoAmI?• InGuardiansSeniorManagingConsultant

– RedTeamOperator/PenetrationTester– SocialEngineering– Web,Mobile,andDesktopApps– IncidentResponse&Forensics

• DarkReadingandInformationWeekauthorandspeaker• Infosec VolunteerandMentor• DEFCON14/15CapturetheFlag(1@stplace)

MyAwesomeEmployer• InGuardians,Inc.(formerlyIntelGuardians)• Founded2003byMikePoor,EdSkoudis,JayBeale,Jimmy

Alderson,andBobHillery• Ifit’ssecurity-related,wedoit.

– RedTeamAssessments– PenetrationTesting

• Network,Web,Mobile,Wireless,Hardware,People,andPhysical– IncidentResponseManagementandDigitalForensics

ThankYou• MyWifeandfamily• BryceLay– ComSys• InteropTeam• InGuardians• UBM,DarkReading,andTimWilson

PENETRATIONTESTINGIntroductionto

VulnerabilityAssessment• “Avulnerabilityassessmentistheprocessofidentifying,quantifying,andprioritizing(orranking)thevulnerabilitiesinasystem.”

• Source:Wikipedia

• Whatabout..– Validation– Risktothebusiness

PenetrationTest• “Apenetrationtest,ortheshortformpentest,isanattack

onacomputersystemwiththeintentionoffindingsecurityweaknesses,potentiallygainingaccesstoit,itsfunctionalityanddata.”

• Source:Wikipedia

• Mimicrealattackers• Showrealriskofvulnerabilities

EvolutionofPenetrationTesting• AttackProcess• Recon• Scan• Gainaccess• Maintainaccess• Covertracks

• Pentest Methodology• Preparation• Recon• Scan• Exploit• Analysis• Report

PenetrationTestingExecutionStd.• Pre-engagementinteractions• Intelligencegathering• Threatmodeling• Exploitation• Postexploitation• Reporting

TypesofPenetrationTesting• Network

– Internal– External

• Application– Web– Mobile– Desktop

• Physical

• SocialEngineering– Email– Phone– Other(Social,In-person)

• Wireless– WiFi– OtherRF

• Hardware

RedTeaming• Militaryorigins– practiceofviewingaproblemfromanadversaryorcompetitor'sperspective

• Long-term,persistentoperations– Monthstoyears

• Full-scope– Physical,socialengineering,web,mobile,wireless

OffensiveTraits• Passion• Curiosity• Experience• Adaptability• Communication• Notafraidoffailure

• Diversebackground– sysadmin,developer,networkengineer

LegalIssues• Jobdescription• Writtenpermission• Scope• RulesofEngagement

Risks• DenialofService

– Networkcongestion/saturation– Serviceresourceexhaustion– Crash(BSOD,Segfault)

• Datacorruption• Datadestruction• Angrypeople

– Sysadmins,users,HR,Legal

RECONNAISSANCEIntelligenceGathering

Reconnaissance• Passive(OSINT)• SearchEngines(GoogleDorks)• Webarchives• Newsgroups,GoogleGroups• Whois,Robtex,CentralOps• Shodan,Censys,Netcraft• Socialnetworks• Pwnedlist,Breachalarm

• Active• Nmap• DNSinterrogation• Nessus,Nexpose,Metasploit• Arachni,Burp,wpscan• FOCA,metagoofil• Anythingthatactivelytouches

thetargetnetwork

SearchEngines• “GoogleDorks”• BishopFoxSearchDiggity– GoogleDiggity,BingDiggity,BingLinkFromDomainDiggity– CodeSearchDiggity,DLPDiggity,FlashDiggity– MalwareDiggity,PortScanDiggity,SHODANDiggity– BingBinaryMalwareSearch,andNotInMyBackYard Diggity.

• http://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/

Shodan.io• “Shodan istheworld'sfirstsearchengineforInternet-connecteddevices.”

• http://www.shodanhq.com/help/filters– net,os,city,country,geo,hostname,port,before/after

Shodan Tools• ManytoolsleverageShodan– Spiderfoot,Maltego,etc.

• Shodan API– Pythonandrubylibraries

• Metasploit shodan_search module

Nmap• Networkportscanner• TCPandUDP• OSfingerprinting• Servicefingerprinting• Nmap ScriptingEngine– Advancedchecks– Vulnerabilitydetection

Spiderfoot• Automatesmuchofthereconprocess• FreeandOpenSource• RunsunderLinuxandWindows

• cd/opt/spiderfoot• python./sf.py• http://127.0.0.1:5001

Eyewitness• Screenshotsofwebapplications• Multipleformatimport(nmap,Nessus)• Serverheaders• PageSource• DefaultCreds• Alternatives– peepingtom,httpscreenshot,Spart

SOCIALENGINEERINGBecausethereisnopatchforhuman…

SocialEngineeringDefined• Theactofinfluencingsomeonetotakeanactionthatmayormaynotbeintheirbestinterest.

ExampleCareers• Doctors• Therapists• Radiohosts• Schoolteachers• Counselors• Lawenforcement

WhyDoesItWork?• Desiretobehelpful– ParAvion

• Tendencytotrustpeople• Fearofgettingintotrouble– Daisy

• Willingnesstocutcorners• http://www.social-engineer.org/framework

SomeGuidelines• GoldenRule– Leavesomeonebetterforhavingmetyou

• Manipulation– Thinkscamandpickupartists– Leavepeoplefeeling“dirty”orcheated• ChrisandMichelesurvey

SocialEngineeringMethodology• InformationGathering• PretextDevelopment• AttackPlanning• PerformAttacks• Reporting

ElementsofaGoodPhish• Urgesrecipienttotakeaction• Targetsanemotionalresponse• Mimicscontentforatrustedsource• Spoofsthesourcetoappearlegitimate• Bypassesmailsecuritycontrols

– http://arstechnica.com/information-technology/2014/02/16/how-to-run-your-own-e-mail-server-with-your-own-domain-part-1/

SomeReconTools• theharvester

– ThisisincludedontheVM• FOCA

– Windowsonly– Findsdocsandpulls

metadataincludingusernames,softwareversions,servers,networkshares.

• Maltego– Helpstoidentify

relationshipsbetweenhosts,networks,identitiesandmore.

• metagoofil– Metadatasearchand

extractor– Alittledatedbutstillvery

useful

PHYSICALOliviaNewtonJohnwantstoget…

Physical• Havingphysicalaccessrequireslittle/noexploitstocompromise

– Itisevenmorefunwhenitdoes!

• Thinkaboutwhatanattackercoulddoiftheyhavephysicalaccessto• areceptionist’sworkstation• anITstaffmember’sworkstation• anetworkcloset/IDF• yourdatacenter…• Physicalaccessisoftenconsidered“gameover”

DressthePart• Backtopowersofobservation…byothers

– Howwillstaffperceiveyouintheorganization?• Howareotherdressed?

– Construction– FireExtinguisherinspection– Packagedelivery*– Repairtechnician*

• Casualofficeorprofessionaldress

Tools• Few“technical”toolsexisthere

– Unlesswetalkprox/pinpad– Mostoccasionsdon’trequireanythingtechnical

• Mostpowerfultoolforthispartisyourbrain– Time,creativityandpatience– Thinkingoutsideofthebox– Hacking“hardware”fromthedumpster

• Howminorgapsinimplementationcanbeused

RFIDTools&RubberDucky• https://proxmark3.com• https://www.bishopfox.com/resources/tools/rfid-hacking/attack-tools/

• http://hakshop.myshopify.com/products/usb-rubber-ducky-deluxe?variant=353378649

PowersofObservation(1)• Observinghowphysicalsecuritysystemsareimplemented!• Observingthemovementsofothersperalongperiodoftime• Wheredocameraspoint?Aretheymonitoredactivelyor

reactively?• Howdodoorsunlockfromtheoutside?

– Howdotheyunlockfromthe inside?– Motionsensor?Capacitivetouchbar?– Whatsidearethehingeson?

PowersofObservation(2)• Underdoorgaps?Gapsindoorframes?

– Whatcanweuseoutofthedumpster?– Lowes/Homedepotcrafttime!

• Othermethodsofaccess– Balconies– LoadingDocks

• Unmotivated/Laxbuildingsecurity• Whatdobadgeslooklike?Totheinternet!

SocialEngineering• Thisisagameuntoitself– Somanysubtleties

• TL;DR,itisagameofconfidence– Actlikeyoubelong– Playthepart– “Hey,how’sitgoing?”

Policies• Physicalsecuritydesignattimeofbuild– JustlikeDevOps,bakeinsecurity

• Tailgating• Reportingofsuspiciousactivity• Auditandobserveadherencetopolicy

GETTINGAFOOTHOLDOMG!TheyopenedtheMACRO!!1!1!

Responder• PassiveandActiverecon• Exploitation(LLMNR,NBT-NS,DNS,MDNS)

• Stealpasswordhashesandcrackwithjohn/hashcat

• https://github.com/lgandx/Responder-Windows

Inveigh• LLMNR,mDNS,andNBNS

spoofer• Man-in-the-middletool• HTTP/HTTPS/Proxy

listeners• Slimmeddown,Powershell

versionofResponder

PasswordCracking• CrackthehashescapturedfromResponderusing:– johntheripper– hashcat

POWERSHELLIt’severywhereyouwanttobe…

OffensivePowershell• Greatforbypassingantivirus

andapplicationwhitelisting• OncurrentWindows

workstationandserveroperatingsystems

• MoreoffensivetoolsareleveragingPowershell

• Thebadguysareusingit,too!

Powershell ExecutionPolicy• ExecutionPolicy*IS*nota

securityfeature!!• 15waystobypass

Powershell executionpolicy– https://blog.netspi.com/15-

ways-to-bypass-the-powershell-execution-policy/

Powershell Pwnage Must-Haves• Empire

– http://www.powershellempire.com

• Powersploit– https://github.com/PowerShell

Mafia/PowerSploit• BloodHound

– https://github.com/BloodHoundAD/BloodHound

• PowerUpSQL– https://github.com/NetSPI/Po

werUpSQL• MailSniper

– https://github.com/dafthack/MailSniper

• DomainPasswordSpray– https://github.com/dafthack/D

omainPasswordSpray

COBALTSTRIKEPost-exploitationandC2excellence

CobaltStrike• Post-exploitation• CommandandControl

(C2)• Flexibleprotocols• Powershell integration• Scriptable

ListenersandPayloads

MacrosfortheFoothold

InjectingADCredstoAccessSysvol

MovingLaterally:SMBBeacons

Credentials

Powershell Integration

NEXTSTEPSWheretogofromhere…

NextSteps• Buildyourownlab

– VMWare (ESXi),VirtualBox,Hyper-V,AWS,Docker– Vulnhub.com– Networkequipment(HWorSW)

• Certifications– OSCP– GPEN,GPWN,GXPN

• BugBountiesandCapturetheFlagevents

ContactInformation• Contactinformation:

JohnH.Sawyerjohn@sploitlab.com@johnhsawyer352-389-4704

• Slides- https://www.sploitlab.com

Offensive Operations - SploitLab · •Passive (OSINT) • Search Engines (Google Dorks) • Web...

Documents