[Attack-path diagram (figure residue; text not recoverable in order): "ACME Enterprises Security Assessment 2009" attack graph ending at Domain Admin. Legend: RED – Did Not Obtain / Failed; GREEN – Obtained / Success; GREY – Not Attempted / Not Attainable. Start points: External Vulnerability Scan Results, Physical Perimeter Access, Company Directory / Hoovers. Paths shown include phishing (user opens attachment or clicks link), tailgating / stolen HID card, wireless (KARMA, WPA), password guessing / brute force with Medusa, local admin credentials, pass-the-hash, token impersonation and ARP spoofing.]
2008 - 2011 Findings
• Phishing (when in scope)
• Vulnerable to Pass-the-hash
• Improper network segmentation
• Improper egress filtering
• Zero detection rate
• Collaboration between tester & testee, but only superficial

APT
• Email with the subject line "2011 Recruitment Plan" / Excel spreadsheet
• "We went through a domain name and password reset" - caught "even senior managers by surprise"
• Shut down remote access to its internal network
• Logged in to the VPN to gain access remotely to the corporate network

APT in 2012
• APT is much more likely to hang out vs financially-motivated attackers
• More interested in remaining stealthy
• Likely to install multiple backdoors for persistent access

APT Infiltration
• Spear phishing
  • Now with better spelling
  • Reader, PowerPoint, Word, Excel
• Compromise trusted sites or simply set up a fake domain
  • Browser exploits / 3rd-party plugins
• Connectback over HTTPS

Infiltration Testing
• SET + Metasploit
• Commercial tools
  • Metasploit Pro
  • Core Impact
  • PhishMe / SaaS services
  • Generally neutered attack

Infiltration Detection
• Users
• Egress filtering - break HTTPS & DNS at the perimeter
• Monitor DNS for rogue domains
• Windows event logging
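Added example, not from the slides: a small detector for the "monitor DNS for rogue domains" bullet. It assumes BIND-style query-log lines and a baseline set of registered domains the organisation expects to resolve; the log lines, the baseline and the look-alike domain in them are all constructed here.

```python
import re
from collections import defaultdict

# Constructed BIND-style query log lines (made-up hosts and domains, not real data).
SAMPLE_LOG = """\
08-Mar-2012 09:12:01.100 client 10.0.5.21#51234: query: www.example-corp.com IN A + (10.0.0.53)
08-Mar-2012 09:12:03.412 client 10.0.5.21#51240: query: update.microsoft.com IN A + (10.0.0.53)
08-Mar-2012 09:13:09.001 client 10.0.5.77#40011: query: mail.example-corp.com IN A + (10.0.0.53)
08-Mar-2012 09:14:40.777 client 10.0.5.21#51301: query: cdn-static.examp1e-corp.net IN A + (10.0.0.53)
08-Mar-2012 09:15:10.250 client 10.0.5.21#51322: query: cdn-static.examp1e-corp.net IN A + (10.0.0.53)
08-Mar-2012 09:16:55.900 client 10.0.5.99#33901: query: www.example-corp.com IN A + (10.0.0.53)
"""

# Assumed baseline: registered domains the organisation expects to see resolved.
BASELINE = {"example-corp.com", "microsoft.com"}

QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def registered_domain(qname):
    """Collapse a query name to its last two labels (fine for .com/.net;
    ccTLDs such as .co.uk would need a public-suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_queries(text):
    """Yield (client_ip, registered_domain) for every query line that parses."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("client"), registered_domain(m.group("qname"))


def find_rogue_domains(text, baseline):
    """Domains outside the baseline, with the clients that asked and how often.
    A domain queried repeatedly by a single client has the shape of a beacon."""
    seen = defaultdict(lambda: {"clients": set(), "count": 0})
    for client, dom in parse_queries(text):
        if dom in baseline:
            continue
        seen[dom]["clients"].add(client)
        seen[dom]["count"] += 1
    return {d: {"clients": sorted(v["clients"]), "count": v["count"]}
            for d, v in seen.items()}
```

In practice the baseline is the set of domains seen over a learning period, and the output feeds a first-seen alert rather than a block.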
APT Escalation + Lateral Movement
• Phishing lands you on a user-level workstation
• You'll need to escalate privileges to admin
• You'll probably need to bypass UAC
• Now you need admin creds
• Lots of handy user creds in the registry

Escalation & LM Testing
• Metasploit / Meterpreter
  • getsystem
  • BypassUAC
• Post modules by thelightcosine
• Everybody loves PSExec
• Everybody loves Pass the Hash

Escalation & LM Detection
• Maybe NIDS
• Windows event logging
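Added example, not from the talk: the kind of Windows event-log correlation the detection bullet above implies for the PSExec and Pass-the-Hash techniques named in the testing slide. It assumes events already parsed into dicts carrying Security 4624 (logon) and System 7045 (service installed) fields; the records are constructed. An NTLM network logon on its own is ordinary SMB traffic, so the check pairs it with a service install on the same host shortly after, then looks for one source address touching several hosts.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed event records (made-up hosts, users, addresses); 4624 = logon, 7045 = service installed.
EVENTS = [
    {"time": "2012-03-08T10:01:02", "host": "WS-042", "id": 4624, "logon_type": 3,
     "auth": "NTLM", "user": "jdoe", "src_ip": "10.0.5.21"},
    {"time": "2012-03-08T10:01:05", "host": "WS-042", "id": 7045,
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": "2012-03-08T10:20:00", "host": "FS-01", "id": 4624, "logon_type": 3,
     "auth": "Kerberos", "user": "jdoe", "src_ip": "10.0.5.21"},
    {"time": "2012-03-08T10:45:30", "host": "WS-017", "id": 4624, "logon_type": 3,
     "auth": "NTLM", "user": "Administrator", "src_ip": "10.0.5.21"},
    {"time": "2012-03-08T10:45:31", "host": "WS-017", "id": 7045,
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
]

WINDOW = timedelta(seconds=60)   # assumed: service install within 60 s of the logon

def _ts(event):
    return datetime.fromisoformat(event["time"])

def network_ntlm_logons(events):
    """4624 with logon type 3 (network) over NTLM: the shape a pass-the-hash logon has
    in the log. Legitimate SMB access looks identical, so never alert on this alone."""
    return [e for e in events
            if e["id"] == 4624 and e["logon_type"] == 3 and e["auth"] == "NTLM"]

def service_installs(events, names=("PSEXESVC",)):
    """7045 for a watched service name (PSEXESVC is PSExec's default service name)."""
    return [e for e in events if e["id"] == 7045 and e.get("service", "").upper() in names]

def correlate_psexec(events, window=WINDOW):
    """Pair each NTLM network logon with a watched service install on the same host within the window."""
    alerts = []
    for logon in network_ntlm_logons(events):
        for svc in service_installs(events):
            delta = _ts(svc) - _ts(logon)
            if svc["host"] == logon["host"] and timedelta(0) <= delta <= window:
                alerts.append({"host": logon["host"], "user": logon["user"],
                               "src_ip": logon["src_ip"], "service": svc["service"]})
    return alerts

def sources_fanning_out(alerts, min_hosts=2):
    """Lateral movement signal: one source address behind alerts on several hosts."""
    by_src = defaultdict(set)
    for a in alerts:
        by_src[a["src_ip"]].add(a["host"])
    return {src: sorted(hosts) for src, hosts in by_src.items() if len(hosts) >= min_hosts}
```

Renamed PSExec services and tools that use a different launch method will not match the service-name watch-list; that is a known gap of this check, not of the logging.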
APT Internal Recon
• Most files attackers want are on desktops, a network share, or email
• Permissions can be a pain, but gathering more access is easy with PTH & token impersonation

RAT Capabilities
• Upload to remote server
• Steal certificates
• Search the hard drive for Word / PDF (sensitive words) / RDP files
• Screenshot / record audio / video
• Scan the local network to identify hosts
• Execute commands on the infected system

Internal Recon Testing
• Built-in tools
• Meterpreter has some nice capabilities
• VPN or RDP is sometimes necessary (email)

Internal Recon Detection
• Monitor access to files
• Event logging

Lessons Learned
• Focus of a pentest is on the binary result
• Pentest == APT
• Red Team - you should be simulating the threat
• Blue Team - structure roles so your team can focus on investigating suspicious events*
• We can improve security by repeating the testing process

Lessons Learned
• We can learn a lot from the IR data
• You are fighting a constant attack. Be IR-ready
• When prevention fails, rapid detection and response helps
• You can monitor change on your network more effectively than anyone else

Lessons Learned
• You should have enough prevention to buy you time for detection and reaction
• You don't have to stop the threat entirely
• Remediate in the strike zone
• OPFOR
• My NFL team is awesome in practice, they only suck in the game
Being IR Ready
• Develop overview of enterprise infrastructure
• Centralize the storage and analysis of key logs
• Implement robust logging
• http://www.mandiant.com/resources/m-trends/ - M-Trends 2010

Lessons Learned
• Bejtlich: 2 goals: classify and count security incidents & measure time from detection to containment
• Do you know where your sensitive data is?
• If we gave you a hostname, could you tell us within a few hours whether it had sensitive data on it?*

Rethink the test as a product
• It shouldn't be a binary result
• A stack of paper is a stack of paper
• The process itself is a product
• Better product => better capability
• Better capability => measurably lower response times

Gamification
• Haroon Meer introduced this idea
• Gamify the test
• Play cards for certain access / systems
• "Collaborative Wargaming"
• "Scenario Testing"

Pentesting => IR Training
• It's one thing to tell your target to "watch" for trouble
• It's another to actively work with and train your target
• Lares, Attack Research, others?

• We have Infected our PC from Lab, then gave Cyber Attacker Fake ZIP Archive with his own Virus inside and the name "Georgian-Nato Agreement".
• Attacker Stole that archive and executed malicious files.
• As we had access to BOT Panel, we had maintained control over his PC.
• http://dea.gov.ge/uploads/CERT%20DOCS/Cyber%20Espionage.pdf

Takeaways
• As a tester, DEMAND to work together; as a testee, DEMAND to work together
• Pentests should not operate in a silo
• Even if you don't want the results, you want the capability
• Adding or enhancing a capability qualifies as actionable results
• Offensive capabilities lead, defensive capabilities lag

Further Reading
• Mandiant Webinars
• Penetration Testing Considered Harmful
• Threat Report Collection