1.
FA D E F R O M W H I T E H AT…
T O B L A C K
B E A U B U L L O C K

2.
“Everyone is a moon and has a dark side which he never
shows to anybody”
~ Mark Twain

3.
K E Y F O C A L P O I N T S
• Non-attribution
• Target Acquisition
• Reconnaissance
• Exploitation
• Profitization

4.
W H O A M I
• Beau Bullock
• Pentester at Black Hills Information Security
• Host of Hack Naked TV
• Previously an enterprise defender
• OSCP, GXPN, GPEN, GCIH, GCFA, OSWP, & GSEC

5.
S I D E N O T E

6.
2 0 1 4

7.
I N T W O Y E A R S S I N C E T H E N I ’ V E …
• Performed Pentests against 70 different companies
• Recorded 20 Hack Naked TV episodes
• Spoke at three different security conferences
• Wrote eight blog posts
• …now adding keynote to the list

8.
Enough about me

9.
N O N - AT T R I B U T I O N

10.
D R E A D P I R AT E R O B E R T S ( D P R )
• How Ross Ulbricht got caught = Really bad OPSEC
• Boasted about creating an “economic simulation” on LinkedIn
• Put his real face on fake ID’s used to purchase servers
• Asked for advice on Stack Overflow about coding Silk Road
• Hired an undercover cop to perform a “hit” for him
• TOR IP Publishing leak - Leaked Silk Road’s actual IP
• Accessed Silk Road from Café half a block from residence

11.
D E S I G N W I T H O P S E C I N M I N D
• Let’s try to avoid DPR’s mistakes
• Don’t trust humans
• Build attack infrastructure with the most important
element being OPSEC
• Maintain anonymity in both the real and digital
worlds

12.
N O N - AT T R I B U TA B L E S E T U P
• Necessities (rebuilt from scratch for each job)
• A laptop to work from
• Internet
• VPN/proxies
• CnC and attack servers
• Non-attributable currency (i.e. Bitcoin, pre-paid VISA’s)

13.
L A P T O P P U R C H A S E

14.
I N T E R N E T
• Free WiFi at coffee shops, hotels, or my favorite…
apartment complexes
• Greater than 50 miles from residence
• Never bring residence into circumference

15.
N O T O P S E C S A F E

16.
A B I T M O R E O P S E C S A F E

17.
AT TA C K A R C H I T E C T U R E S E T U P
• Never directly attacking an organization
• Will need multiple virtual private servers (VPS)
• In order to be non-attributable we will need a few
things:
• Alternate identities
• Currency (Bitcoin, pre-paid VISA, etc.)

18.
B U Y B I T C O I N F O R C A S H

19.
V P S F O R B I T C O I N

20.
P R I M A RY AT TA C K S Y S T E M S
• VPS Network 1
• VPN server
• Management server
• Password cracking server
• VPS Network 2
• Primary attack server
• Command and Control server

21.
C O N N E C T I V I T Y
• VPN from base camp to VPS network 1
• SSH/RDP to management server
• Route all traffic from management server through TOR
• SSH from management server to VPS network 2 hosts

22.
N O N - AT T R I B U T I O N D I A G R A M

23.
1. Live-booted off USB to Linux
2. Connected to free WiFi
3. VPN’d to VPS net 1
4. VNC to management server in VPS net 1
5. Route all traffic from management server through TOR
6. SSH from management server over TOR to
attack server in VPS net 2
7. Mandatory Caffeination

24.
TA R G E T A C Q U I S I T I O N

25.
M O T I VAT I O N
• Easy Targets
• High Profile Targets
• Contracted Targets
• Vengeance

26.
E A S Y TA R G E T S
• Shodan - Unauthenticated VNC Servers

27.
E A S Y TA R G E T S
• Shodan - Vulnerable Services

28.
H I G H P R O F I L E TA R G E T S

29.
C O N T R A C T E D TA R G E T S

30.
V E N G E A N C E

31.
R E C O N N A I S S A N C E

32.
I N F O R M AT I O N D I S C L O S U R E
• Organization’s username structure
• Credentials in previous breaches
• External network ranges

33.
M I N I M I Z E T H E N O I S E
• Use sites like Shodan and Censys to discover open
ports on the target’s systems
• Again, look for low hanging fruit
• Locate external login portals (we’ll get to why these
are important shortly)

34.
E X P L O I TAT I O N

35.
AT TA C K 1 - C R E D E N T I A L R E U S E
• How can we exploit credential reuse on personal
accounts?

36.
AT TA C K 1 - C R E D E N T I A L R E U S E
• Publicly Compromised accounts

37.
AT TA C K 1 - C R E D E N T I A L R E U S E
• Pipl - locate employees based off their email address

38.
AT TA C K 1 - C R E D E N T I A L R E U S E
• Attempt to login to their corporate account using the
creds recovered from previous breach

39.
AT TA C K 2 - PA S S W O R D S P R AY I N G

40.
AT TA C K 2 - PA S S W O R D S P R AY I N G
• FOCA

41.
AT TA C K 2 - PA S S W O R D S P R AY I N G

42.
AT TA C K 3 - P H I S H I N G
• The “golden ticket” to pretty much any network
• Two types of phishing
• Credential gathering
• System compromise

43.
AT TA C K 3 - P H I S H I N G
• Credential gathering
• Clone an external login portal
• Phish users to login to gather creds
• Redirect to actual portal

44.
AT TA C K 3 - P H I S H I N G
• Remote exploitation
• Word doc macros, browser exploits, etc.

45.
R E M O T E A C C E S S
• VPN - is 2FA in play?
• RDP?
• Access to OWA -
• Phishing across internal accounts = win
• No physical attacks. If I can’t compromise the network
remotely I move on.

46.
P O S T- E X P L O I TAT I O N
• PowerShell, and command line - no extra tools needed
• GPP
• Widespread local admin
• Insecure perms on other systems (domain users in local
admins)
• Internal password spraying
• PSexec/Mimikatz combo

47.
L O O T
• Pivot to DC, dump domain hashes
• Locate vCenter servers, DB’s, etc.

48.
P R O F I T I Z AT I O N

49.
T U R N I N G C O M P R O M I S E I N T O C A S H
• Carder?
• Identity Theft?
• Ransomware?
• Hacktivist?

50.
T H E T R I C K Y PA R T…
"It's not that we find criminals like this through cyber-
forensics. We get them in the real world when they do
something stupid, it's invariably how it works: Getting
credit cards is easy. Turning it into cash is hard.”
~ Bruce Schneier

51.
T W O M A J O R P R O B L E M S
• Bitcoin is not untraceable
• Turning large amounts of Bitcoin into cash is not trivial

52.
T R A C I N G B I T C O I N
• blockchain.info
• blockseer.com

53.
B I T C O I N T O C A S H
• This becomes a money laundering problem

54.
R I P A N D R E P L A C E
• Full teardown and removal of all testing systems
• Rebuild from scratch for next job

55.
FA D I N G B A C K

56.
W H Y I D O N ’ T D O T H I S
• Ethics
• Inevitability of getting caught
• Danger of entering the criminal world

57.
W E C A N M A K E I T B E T T E R
• Enterprise Defenders, Pentesters, Security Engineers,
Developers, Forensicators, Network Engineers,
SysAdmins, DBA’s, etc.

58.
D E F E N D E R S
• Shift focus from attribution to detection and
prevention
• Increase logging to detect when attackers are
performing attacks like password spraying
• Ensure all external login portals are using 2FA
• Increase length of password policies

59.
AT TA C K E R S
• Continue to highlight the importance and value of
credentials
• Attempt to locate credential reuse across accounts
• On external assessments attempt to password spray
portals that use domain-based authentication
• Escalate internally & crack all the passwords

60.
T H A N K Y O U
• beau@blackhillsinfosec.com
• beau@dafthack.com
• @dafthack