Fade from Whitehat... to Black

Date post: 15-Apr-2017
Upload: beau-bullock
Transcript
Page 1: Fade from Whitehat... to Black

FADE FROM WHITEHAT… TO BLACK

BEAU BULLOCK

Page 2

“Everyone is a moon and has a dark side which he never shows to anybody”

~ Mark Twain

Page 3

KEY FOCAL POINTS

• Non-attribution

• Target Acquisition

• Reconnaissance

• Exploitation

• Profitization

Page 4

WHO AM I

• Beau Bullock

• Pentester at Black Hills Information Security

• Host of Hack Naked TV

• Previously an enterprise defender

• OSCP, GXPN, GPEN, GCIH, GCFA, OSWP, & GSEC

Page 5

SIDE NOTE

Page 6

2014

Page 7

IN TWO YEARS SINCE THEN I’VE…

• Performed Pentests against 70 different companies

• Recorded 20 Hack Naked TV episodes

• Spoke at three different security conferences

• Wrote eight blog posts

• …now adding keynote to the list

Page 8

Enough about me

Page 9

NON-ATTRIBUTION

Page 10

Page 11

DREAD PIRATE ROBERTS (DPR)

• How Ross Ulbricht got caught = Really bad OPSEC

• Boasted about creating an “economic simulation” on LinkedIn

• Put his real face on fake ID’s used to purchase servers

• Asked for advice on Stack Overflow about coding Silk Road

• Hired an undercover cop to perform a “hit” for him

• TOR IP Publishing leak - Leaked Silk Road’s actual IP

• Accessed Silk Road from Café half a block from residence

Page 12

DESIGN WITH OPSEC IN MIND

• Let’s try to avoid DPR’s mistakes

• Don’t trust humans

• Build attack infrastructure with the most important element being OPSEC

• Maintain anonymity in both the real and digital worlds

Page 13

NON-ATTRIBUTABLE SETUP

• Necessities (rebuilt from scratch for each job)

  • A laptop to work from

  • Internet

  • VPN/proxies

  • CnC and attack servers

  • Non-attributable currency (e.g. Bitcoin, pre-paid VISAs)

Page 14

LAPTOP PURCHASE

Page 15

INTERNET

• Free WiFi at coffee shops, hotels, or my favorite… apartment complexes

• Greater than 50 miles from residence

• Never bring residence into circumference

Page 16

NOT OPSEC SAFE

Page 17

A BIT MORE OPSEC SAFE

Page 18

ATTACK ARCHITECTURE SETUP

• Never directly attacking an organization

• Will need multiple virtual private servers (VPS)

• In order to be non-attributable we will need a few things:

  • Alternate identities

  • Currency (Bitcoin, pre-paid VISA, etc.)

Page 19

BUY BITCOIN FOR CASH

Page 20

VPS FOR BITCOIN

Page 21

PRIMARY ATTACK SYSTEMS

• VPS Network 1

  • VPN server

  • Management server

  • Password cracking server

• VPS Network 2

  • Primary attack server

  • Command and Control server

Page 22

CONNECTIVITY

• VPN from base camp to VPS network 1

• SSH/RDP to management server

• Route all traffic from management server through TOR

• SSH from management server to VPS network 2 hosts

Page 23

NON-ATTRIBUTION DIAGRAM

Page 24

1. Live-booted off USB to Linux

2. Connected to free WiFi

3. VPN’d to VPS net 1

4. VNC to management server in VPS net 1

5. Route all traffic from management server through TOR

6. SSH from management server over TOR to attack server in VPS net 2

7. Mandatory Caffeination

Page 25

TARGET ACQUISITION

Page 26

MOTIVATION

• Easy Targets

• High Profile Targets

• Contracted Targets

• Vengeance

Page 27

EASY TARGETS

• Shodan - Unauthenticated VNC Servers

Page 28

EASY TARGETS

• Shodan - Vulnerable Services

Page 29

HIGH PROFILE TARGETS

Page 30

CONTRACTED TARGETS

Page 31

VENGEANCE

Page 32

RECONNAISSANCE

Page 33

INFORMATION DISCLOSURE

• Organization’s username structure

• Credentials in previous breaches

• External network ranges

Page 34

MINIMIZE THE NOISE

• Use sites like Shodan and Censys to discover open ports on the target’s systems

• Again, look for low hanging fruit

• Locate external login portals (we’ll get to why these are important shortly)

Page 35

EXPLOITATION

Page 36

ATTACK 1 - CREDENTIAL REUSE

• How can we exploit credential reuse on personal accounts?

Page 37

ATTACK 1 - CREDENTIAL REUSE

• Publicly Compromised accounts

Page 38

ATTACK 1 - CREDENTIAL REUSE

• Pipl - locate employees based off their email address

Page 39

ATTACK 1 - CREDENTIAL REUSE

• Attempt to login to their corporate account using the creds recovered from previous breach

Page 40

ATTACK 2 - PASSWORD SPRAYING

Page 41

ATTACK 2 - PASSWORD SPRAYING

• FOCA

Page 42

ATTACK 2 - PASSWORD SPRAYING

Page 43

ATTACK 3 - PHISHING

• The “golden ticket” to pretty much any network

• Two types of phishing

  • Credential gathering

  • System compromise

Page 44

ATTACK 3 - PHISHING

• Credential gathering

  • Clone an external login portal

  • Phish users to login to gather creds

  • Redirect to actual portal

Page 45

ATTACK 3 - PHISHING

• Remote exploitation

  • Word doc macros, browser exploits, etc.

Page 46

REMOTE ACCESS

• VPN - is 2FA in play?

• RDP?

• Access to OWA

  • Phishing across internal accounts = win

• No physical attacks. If I can’t compromise the network remotely I move on.

Page 47

POST-EXPLOITATION

• PowerShell, and command line - no extra tools needed

• GPP

• Widespread local admin

• Insecure perms on other systems (domain users in local admins)

• Internal password spraying

• PSexec/Mimikatz combo

Page 48

LOOT

• Pivot to DC, dump domain hashes

• Locate vCenter servers, DBs, etc.

Page 49

PROFITIZATION

Page 50

TURNING COMPROMISE INTO CASH

• Carder?

• Identity Theft?

• Ransomware?

• Hacktivist?

Page 51

Page 52

THE TRICKY PART…

“It's not that we find criminals like this through cyber-forensics. We get them in the real world when they do something stupid, it's invariably how it works: Getting credit cards is easy. Turning it into cash is hard.”

~ Bruce Schneier

Page 53

TWO MAJOR PROBLEMS

• Bitcoin is not untraceable

• Turning large amounts of Bitcoin into cash is not trivial

Page 54

TRACING BITCOIN

• blockchain.info

• blockseer.com

Page 55

BITCOIN TO CASH

• This becomes a money laundering problem

Page 56

RIP AND REPLACE

• Full teardown and removal of all testing systems

• Rebuild from scratch for next job

Page 57

FADING BACK

Page 58

WHY I DON’T DO THIS

• Ethics

• Inevitability of getting caught

• Danger of entering the criminal world

Page 59

WE CAN MAKE IT BETTER

• Enterprise Defenders, Pentesters, Security Engineers, Developers, Forensicators, Network Engineers, SysAdmins, DBAs, etc.

Page 60

DEFENDERS

• Shift focus from attribution to detection and prevention

• Increase logging to detect when attackers are performing attacks like password spraying

• Ensure all external login portals are using 2FA

• Increase length of password policies

Page 61

ATTACKERS

• Continue to highlight the importance and value of credentials

• Attempt to locate credential reuse across accounts

• On external assessments attempt to password spray portals that use domain-based authentication

• Escalate internally & crack all the passwords

