
Fade from Whitehat... to Black

When your job is to act as a malicious attacker on a daily basis for the good of helping organizations, you can’t help but wonder “What if I decided to embrace the evil within?” What if one day I woke up evil? Every day as a pentester, I compromise organizations through a variety of ways. If I were to wake up one day and decide to completely throw my ethics out the window, how profitable could I be, and could I avoid getting caught?

In this talk I will walk through a detailed methodology about how I personally would go about exploiting organizations for fun and profit, this time not under the “white hat.” Non-attribution, target acquisition, exploitation, and profitization will be the focal points. Blue teamers will get a peek into the mindset of a dedicated attacker. Red teamers will learn a few new techniques for their attack methodologies.

1. FADE FROM WHITEHAT… TO BLACK. Beau Bullock
2. “Everyone is a moon and has a dark side which he never shows to anybody” ~ Mark Twain
3. KEY FOCAL POINTS • Non-attribution • Target acquisition • Reconnaissance • Exploitation • Profitization
4. WHO AM I • Beau Bullock • Pentester at Black Hills Information Security • Host of Hack Naked TV • Previously an enterprise defender • OSCP, GXPN, GPEN, GCIH, GCFA, OSWP, & GSEC
5. SIDE NOTE
6. 2014
7. IN TWO YEARS SINCE THEN I’VE… • Performed pentests against 70 different companies • Recorded 20 Hack Naked TV episodes • Spoke at three different security conferences • Wrote eight blog posts • …now adding keynote to the list
8. Enough about me
9. NON-ATTRIBUTION
10. DREAD PIRATE ROBERTS (DPR) • How Ross Ulbricht got caught = really bad OPSEC • Boasted about creating an “economic simulation” on LinkedIn • Put his real face on fake IDs used to purchase servers • Asked for advice on Stack Overflow about coding Silk Road • Hired an undercover cop to perform a “hit” for him • TOR IP publishing leak - leaked Silk Road’s actual IP • Accessed Silk Road from a café half a block from his residence
11. DESIGN WITH OPSEC IN MIND • Let’s try to avoid DPR’s mistakes • Don’t trust humans • Build attack infrastructure with OPSEC as the most important element • Maintain anonymity in both the real and digital worlds
12. NON-ATTRIBUTABLE SETUP • Necessities (rebuilt from scratch for each job) • A laptop to work from • Internet • VPN/proxies • CnC and attack servers • Non-attributable currency (i.e. Bitcoin, pre-paid VISAs)
13. LAPTOP PURCHASE
14. INTERNET • Free WiFi at coffee shops, hotels, or my favorite… apartment complexes • Greater than 50 miles from residence • Never bring residence into circumference
15. NOT OPSEC SAFE
16. A BIT MORE OPSEC SAFE
17. ATTACK ARCHITECTURE SETUP • Never directly attacking an organization • Will need multiple virtual private servers (VPS) • In order to be non-attributable we will need a few things: • Alternate identities • Currency (Bitcoin, pre-paid VISA, etc.)
18. BUY BITCOIN FOR CASH
19. VPS FOR BITCOIN
20. PRIMARY ATTACK SYSTEMS • VPS network 1 • VPN server • Management server • Password cracking server • VPS network 2 • Primary attack server • Command and control server
21. CONNECTIVITY • VPN from base camp to VPS network 1 • SSH/RDP to management server • Route all traffic from management server through TOR • SSH from management server to VPS network 2 hosts
22. NON-ATTRIBUTION DIAGRAM
23. 1. Live-booted off USB to Linux; 2. Connected to free WiFi; 3. VPN’d to VPS net 1; 4. VNC to management server in VPS net 1; 5. Route all traffic from management server through TOR; 6. SSH from management server over TOR to attack server in VPS net 2; 7. Mandatory caffeination
24. TARGET ACQUISITION
25. MOTIVATION • Easy targets • High profile targets • Contracted targets • Vengeance
26. EASY TARGETS • Shodan - unauthenticated VNC servers
27. EASY TARGETS • Shodan - vulnerable services
28. HIGH PROFILE TARGETS
29. CONTRACTED TARGETS
30. VENGEANCE
31. RECONNAISSANCE
32. INFORMATION DISCLOSURE • Organization’s username structure • Credentials in previous breaches • External network ranges
33. MINIMIZE THE NOISE • Use sites like Shodan and Censys to discover open ports on the target’s systems • Again, look for low-hanging fruit • Locate external login portals (we’ll get to why these are important shortly)
34. EXPLOITATION
35. ATTACK 1 - CREDENTIAL REUSE • How can we exploit credential reuse on personal accounts?
36. ATTACK 1 - CREDENTIAL REUSE • Publicly compromised accounts
37. ATTACK 1 - CREDENTIAL REUSE • Pipl - locate employees based on their email address
38. ATTACK 1 - CREDENTIAL REUSE • Attempt to log in to their corporate account using the creds recovered from a previous breach
39. ATTACK 2 - PASSWORD SPRAYING
40. ATTACK 2 - PASSWORD SPRAYING • FOCA
41. ATTACK 2 - PASSWORD SPRAYING
42. ATTACK 3 - PHISHING • The “golden ticket” to pretty much any network • Two types of phishing • Credential gathering • System compromise
43. ATTACK 3 - PHISHING • Credential gathering • Clone an external login portal • Phish users to log in to gather creds • Redirect to the actual portal
44. ATTACK 3 - PHISHING • Remote exploitation • Word doc macros, browser exploits, etc.
45. REMOTE ACCESS • VPN - is 2FA in play? • RDP? • Access to OWA • Phishing across internal accounts = win • No physical attacks. If I can’t compromise the network remotely I move on.
46. POST-EXPLOITATION • PowerShell and command line - no extra tools needed • GPP • Widespread local admin • Insecure perms on other systems (domain users in local admins) • Internal password spraying • PsExec/Mimikatz combo
47. LOOT • Pivot to DC, dump domain hashes • Locate vCenter servers, DBs, etc.
48. PROFITIZATION
49. TURNING COMPROMISE INTO CASH • Carder? • Identity theft? • Ransomware? • Hacktivist?
50. THE TRICKY PART… “It's not that we find criminals like this through cyber-forensics. We get them in the real world when they do something stupid, it's invariably how it works: Getting credit cards is easy. Turning it into cash is hard.” ~ Bruce Schneier
51. TWO MAJOR PROBLEMS • Bitcoin is not untraceable • Turning large amounts of Bitcoin into cash is not trivial
52. TRACING BITCOIN • blockchain.info • blockseer.com
53. BITCOIN TO CASH • This becomes a money laundering problem
54. RIP AND REPLACE • Full teardown and removal of all testing systems • Rebuild from scratch for the next job
55. FADING BACK
56. WHY I DON’T DO THIS • Ethics • Inevitability of getting caught • Danger of entering the criminal world
57. WE CAN MAKE IT BETTER • Enterprise defenders, pentesters, security engineers, developers, forensicators, network engineers, sysadmins, DBAs, etc.
58. DEFENDERS • Shift focus from attribution to detection and prevention • Increase logging to detect when attackers are performing attacks like password spraying • Ensure all external login portals are using 2FA • Increase the minimum password length in password policies
59. ATTACKERS • Continue to highlight the importance and value of credentials • Attempt to locate credential reuse across accounts • On external assessments, attempt to password spray portals that use domain-based authentication • Escalate internally & crack all the passwords
60. THANK YOU • beau@blackhillsinfosec.com • beau@dafthack.com • @dafthack
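Slide 58 tells defenders to log enough to catch the password spraying of slides 39 to 41 (and the internal spraying of slide 46). The following detector is an added example and is not code from the talk or from Black Hills Information Security: it walks constructed portal logon records and, per source and time window, separates a spray (many accounts, one or two tries each, below lockout) from a brute force (one account, many tries). The record format, the thresholds and the function names are assumptions.

```python
"""Password-spray detection over portal logon records (added example).
A spray tries a few guesses against MANY accounts to stay under lockout;
a brute force hammers ONE account. Counting distinct users vs. tries per
user, per source and per time window, separates the two."""
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not from the talk): external portal logons.
SAMPLE_LOG = """\
2016-06-01T10:00:01 src=203.0.113.5 user=asmith result=FAIL
2016-06-01T10:00:02 src=203.0.113.5 user=bjones result=FAIL
2016-06-01T10:00:03 src=203.0.113.5 user=cwong result=FAIL
2016-06-01T10:00:04 src=203.0.113.5 user=dlee result=FAIL
2016-06-01T10:00:05 src=203.0.113.5 user=ekhan result=FAIL
2016-06-01T10:00:06 src=203.0.113.5 user=fdiaz result=SUCCESS
2016-06-01T10:01:00 src=198.51.100.7 user=asmith result=FAIL
2016-06-01T10:01:01 src=198.51.100.7 user=asmith result=FAIL
2016-06-01T10:01:02 src=198.51.100.7 user=asmith result=FAIL
2016-06-01T10:01:03 src=198.51.100.7 user=asmith result=FAIL
2016-06-01T10:01:04 src=198.51.100.7 user=asmith result=FAIL
2016-06-01T12:30:00 src=192.0.2.9 user=gpark result=FAIL
"""
WINDOW_SECONDS = 30 * 60   # one spray pass over a user list usually fits here (assumed)
MIN_DISTINCT_USERS = 5     # fan-out a legitimate client never shows (assumed)
MAX_TRIES_PER_USER = 3     # sprays stay below lockout, 1-2 tries per account (assumed)
BRUTE_FORCE_TRIES = 5      # many failures on one account from one source (assumed)
EPOCH = datetime(1970, 1, 1)

def parse_line(line):
    ts, *kv = line.split()
    f = dict(p.split("=", 1) for p in kv)
    return datetime.fromisoformat(ts), f["src"], f["user"], f["result"]

def detect(log_text):
    """Return one alert dict per (source, window) that looks like a spray or a brute force."""
    buckets = defaultdict(lambda: defaultdict(lambda: {"fail": 0, "ok": 0}))
    for line in filter(str.strip, log_text.splitlines()):
        ts, src, user, result = parse_line(line)
        key = (src, int((ts - EPOCH).total_seconds()) // WINDOW_SECONDS)
        buckets[key][user]["fail" if result == "FAIL" else "ok"] += 1
    alerts = []
    for (src, _), users in buckets.items():
        tries = {u: c["fail"] + c["ok"] for u, c in users.items()}
        hits = sorted(u for u, c in users.items() if c["ok"])  # accounts where a guess worked
        if len(tries) >= MIN_DISTINCT_USERS and max(tries.values()) <= MAX_TRIES_PER_USER:
            alerts.append({"kind": "password_spray", "src": src, "users": len(tries), "hits": hits})
        elif len(tries) == 1 and max(tries.values()) >= BRUTE_FORCE_TRIES:
            alerts.append({"kind": "brute_force", "src": src, "users": 1, "hits": hits})
    return alerts
```

Per-account lockout counters alone miss the spraying source entirely; the fan-out across accounts from one source within a window is the signal, and a SUCCESS inside a flagged window is the account to reset first.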