Advanced Persistent Pentesting: Fighting Fire with Fire

Advanced Persistent Pentesting Fighting Fire with Fire Hacker Halted 2012 jcran n00bznet

@jcran• CTO Pwnie Express• QA’d largest OSS Ruby project• Penetration tester of Fortune 500 orgs• Presented at Black Hat, Defcon, SOURCE Boston, BSidesLV

@n00bznet• Native Floridian• Degree in Finance• In security for 10 years but started out in securities.• Wonder each day why he took that Red pill!

Fire with ﬁre?• Keep the uncontrollable in a semi- controlled environment• Burn the old before something / someone else does• Creates boundaries

Agenda• A look at the threat landscape in 2012• Quick compromise case studies• A hard look at APT in 2012• Lessons we can take away• Not if, but when

PROCESS• Much of the IR data is analyzed here from published sources• Huge props to Mandiant, Trustwave, Verizon, Shadowserver, others for sharing speciﬁcs

Threat Landscape in 2012

Threat Actors• Hactivists• Financially Motivated Attackers• State-Sponsored Attackers• Employees / Contractors / Insiders• Casual “Attackers”

Focus on the attacker• Attackers are people too• Attackers have a personality• Attackers have a limited set of knowledge• Attackers have less visibility on your network than you do as a defender

2012 Major Breaches• Verisign “successfully and repeatedly"• Global Payments, 1.5m• Barnes & Noble• Public disclosures rarely discuss espionage • RSA, Northrup Grumman, L3, Lockheed

Apalling Stats• 6% self-detection of breaches in 2011, up from 2009*• Typical attack went undetected for 416 days• 100% of incidents had creds stolen*• Targeted attackers go straight for the SAM*

Case Studies

Attack Process• Phishing attack• RAT Installed• Pass-the-hash• Domain access• Exﬁltration

Attack Process• Initial Access• RAT Installed• Pass-the-hash• Domain access• Exﬁltration

List of Windows Usernames / ACME Enterprises Machines Domain Admin Oracle Security Assessment 2009 SMB Credentials Credentials Finge Key: r printi ng (q uiet) List of Windows RED – Did Not Obtain / Failed he s Create Obtain Unix Vulnerabilties Ha s Domain Creds on GREEN – Obtained / Success AN Admin Local SMB Browsing (quiet) te (no is y) AN M Account Machine GREY – Not Attempted / Not Attainable cu xe Scan kL E y ac t Cr Domain Domain User bili ln e ra Administrator Data on Local Vu Domain Admin Token PC Hashes ith Access to ARP Spoofing W o B oi w Ad rks row pl g Internal as in m tat se t e t ss Network in io M Pa i st n s ra a en Ex to s k r To p lo it Vu l ne Local Admin ra Credentials bi lity OS-Level ireless Access on Web Local Exploit / Gain Control of In Pass-The-Hash wit Server / Escalate Privs h ug Web Application ct to W Uti Metasploit / Crack Database Pl l i ze a ch i n Ut Passwords M iliz Lo e eV C onne gg PN ed -In Ut Local Admin iliz e Hashes Ba c kd oo es H a sh r Network Jack less min al Ad D ro p Loc t to Wire Wireless User Credentials Connec Physical Exploit access to Valid Domain Exploit Simplistic Service Exploit Web ACME PC Account Vulnerability Exploit Web Password Configuration AppFind Inconspicu on External Vulnerability Guessing / ous Area on External Configuration Device Brute Force Device Find Successful Inconspicuous guess Area Backdoor VPN Success / Intercept Traffic Access to Installed Failure Access to Tailgate User / Steal HID Card ACME Secured ACME Floor Area User Opens Brute Force attachment or Attack clicks link using Medusa Tailgate Valid User Email List of Potential constructed Username / Find Network- Find Web with Backdoor Password Level application Access to 529 MITM’d Wireless W Combos Vulnerability Vulnerability Wireless Key ide building Network s pr ea d/ By T Generate list of p as At arg possible sG Intercept client tac ete ua PA k d P usernames / rd probes using kW his St ac hpasswords at KARMA Cr ing ion Spoke / External Hoovers / Vulnerability Physical Company Scan Results Perimeter Access Directory

Attack Process• Initial Access• RAT Installed• Pass-the-hash• Domain access• Exﬁltration

2008 - 2011 Findings• Phishing (when in scope)• Vulnerable to Pass-the-hash• Improper network segmentation• Improper Egress ﬁltering• Zero detection rate• Collaboration between tester & testee, but only superﬁcial

“Scope?”

APT in 2012

APT• email with the subject line "2011 Recruitment Plan" / Excel spreadsheet• "We went through a domain name and password reset " - caught "even senior managers by surprise"• shut down remote access to its internal network• logged in to the VPN to gain access remotely to the corporate network.

APT in 2012• APT is much more likely to hang out vs Financially-motivated attackers• More interested in remaining stealthy• Likely to install multiple backdoors for persistent access

Breakdown• Discuss Capabilities• Discuss Testing• Discuss Detection

Inﬁltration

APT Inﬁltration• Spear Phishing • Now with better spelling • Reader, Powerpoint, Word, Excel• Compromise trusted sites or simply set up a fake domain • Browser Exploits / 3rd Party Plugins• Connectback over HTTPS

Inﬁltration Testing• SET + Metasploit• Commercial Tools • Metasploit Pro • Core Impact • Phishme / SaaS services • generally neutered attack

Inﬁltration Detection• Users• Egress Filtering - Break HTTPS & DNS at the perimeter• Monitor DNS for rogue domains• Windows event logging

Escalation

APT Escalation + Lateral Movement• Phishing lands you on a user-level workstation• You’ll need to escalate priviledges to admin• You’ll probably need to bypass UAC• Now you need admin creds• Lots of handy user creds in the registry

Escalation & LM Testing• Metasploit / Meterpreter • getsystem • BypassUAC• Post modules by thelightcosine• Everybody loves PSExec• Everybody loves Pass the Hash

Escalation & LM Detection• Maybe NIDS• Windows Event Logging

Internal Recon

APT Internal Recon• Most ﬁles attackers want are on desktops or a network share or email• Permissions can be a pain, but gathering more access is easy with PTH & Token Impersonation

RAT Capabilities• Upload to remote server• Steal certiﬁcates• Search the hard drive for Word / PDF (sensitive words) / RDP ﬁles• Screenshot / record audio / video• Scan the local network to identify hosts• Execute commands on the infected system

Internal Recon Testing• Builtin tools• Meterpreter has some nice capabilities• VPN or RDP is sometimes necessary (email)

Internal Recon Detection• Monitor access to ﬁles• Event Logging

Persistence

APT Persistence• Remote access solutions • Two factor ups the ante, but doesn’t seem to be a major issue• Rootkits • PoisonIvy, Gh0stRAT, ZeroAccess, TDSS

Persistence Testing• Get a hold of some VPN Accounts, use’m• Use RDP if it’s available• Backdoor several systems using not only metasploit, but an RAT• Use a C&C Server

Persistence Detection• Monitor DNS • But there may be a backup domain• Endpoint - Registry or Memory Scan

Exﬁltration

APT Exﬁltration• 3-4 Years ago - FTP, IRC, etc• Now, beacon & exﬁl over HTTPS / DNS• RDP & VPN• 46% of systems didn’t have malware*• Cleaning up slackspace

Exﬁltration Testing• Metasploit / Meterpreter Channels• Pwnie Express Pwn Plug

Exfiltration Detection• Ingress filter everything• Egress filter everything• Break DNS and HTTPS at the perimeter• DO NOT ALLOW outbound DNS or HTTP/HTTPS without monitoring / filtering

Lessons Learned

Lessons Learned• Focus of a pentest is on the binary result• Pentest == APT• Red Team - you should be simulating the threat• Blue Team - Structure roles so your team can focus on investigating suspicious events*• We can improve security by repeating the testing process

Lessons Learned• We can learn a lot from the IR data• You are ﬁghting a constant attack . Be IR- ready• When prevention fails, rapid detection and response helps• You can monitor change on your network more effectively than anyone else

Lessons Learned• You should have enough prevention to buy you time for detection and reaction.• You don’t have to stop the threat entirely• Remediate in the strike zone.• OPFOR• My NFL team is awesome in practice, they only suck in the game

Being IR Ready• Develop overview of Enterprise Infrastructure• Centralize the Storage and Analysis of key Logs• Implement robust Logging• http://www.mandiant.com/resources/m- trends/ - MTrends 2010

Lessons Learned• Bejtlich: 2 goals: classify and count security incidents & measure time from detection to containment• Do you know where your sensitive data is?• If we gave you a hostname, could you tell us within a few hours whether it had sensitive data on it?*

Ideas...

Rethink the test as a product• It shouldn’t be a binary result• A stack of paper is a stack of paper• The process itself is a product• Better product => better capability• Better capability => measurably lower response times

Gamiﬁcation• Haroon Meer introduced this idea• Gamify the test• Play cards for certain access / systems• “Collaborative Wargaming”• “Scenario Testing”

Pentesting => IR Training• It’s one thing to tell your target to “watch” for trouble• It’s another to actively work with and train your target• Lares, Attack Research, others?

Not If, But When

Counter Attack

Pass the Hash Pass the Hash works on more than Windows

Lateral Movement

Getting Owned

Not if but When!

• We have Infected our PC from Lab, then gave Cyber Attacker Fake ZIP Archive with his own• Virus inside and the name “Georgian-Nato Agreement”.• Attacker Stole that archive and executed malicious ﬁles.• As we had access to BOT Panel, we had maintained control over his PC.• http://dea.gov.ge/uploads/CERT%20DOCS/ Cyber%20Espionage.pdf

Take Aways• As a tester, DEMAND to work together, As a testee, DEMAND to work together• Pentests should not operate in a silo• Even if you don’t want the results, you want the capability• Adding or enhancing a capability qualiﬁes as actionable results• Offensive capabilities lead, defensive capabilities lag

Further Reading• Mandiant Webinars• Penetration Testing Considered Harmful• Threat Report Collection

http://pwnieexpress.com	3466
http://blog.pentestify.com	2195
https://twitter.com	28
http://localhost	13
http://www.letmeknowyou.eu	7
http://webcache.googleusercontent.com	6
http://translate.googleusercontent.com	5
http://newsblur.com	3
http://3155902575615240558_9d05eb41265b96763296d2d3f6489e1706e3c4ea.blogspot.com	2
https://si0.twimg.com	2
http://tweetedtimes.com	2
http://en.twitter.com	1
http://www.linkedin.com	1
http://www.newsblur.com	1
http://meatspin.com&_=1365987970558 HTTP	1

Advanced Persistent Pentesting: Fighting Fire with Fire

by Jonathan Cran on Oct 31, 2012

Accessibility

Upload Details

Usage Rights

15 Embeds 5,733

Statistics

Advanced Persistent Pentesting: Fighting Fire with Fire Presentation Transcript