
Hackers Bag Of Tricks 2019

CyberArk Hackers Bag of Tricks Lunch and Learn presentation. 6 full attacks, mousejacking, SETH, Responder with multi relay,



  1. Inside The Hackers Bag Of Tricks: I Am A Hacker, If I’m Laughing…Hope You Have Backups
  2. Len Noe ▪ Len.Noe@CyberArk.com ■ LinkedIn: linkedin.com/in/len-noe ■ GitHub: github.com/hacker213 ■ YouTube: hacker_213 ■ Twitter: @hacker_213 ▪ Global Corp. SE Manager ▪ CyberArk SME PTA/EPM/MFA ▪ Certified Ethical Hacker ▪ CompTIA Sec+ ▪ Microsoft Certified Professional ▪ Solaris Certified Administrator ▪ Citrix Certified Administrator ▪ SANS 560, 570 ▪ OWASP ▪ CNA
  3. Inside the hackers bag of tricks: DISCLAIMERS! • No uber 1337 H4kz! • More than one way to skin a cat. • So simple a Script-Kiddie can do it! • Demos will FAIL!!
  4. Inside the hackers bag of tricks: The Cyber Kill Chain • Recon • Weaponization • Delivery • Exploitation • Installation • Command & Control • Exfiltration
  5. Inside the hackers bag of tricks • “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” ― Sun Tzu, The Art of War
  6. Inside the hackers bag of tricks: 6 Full Attacks In 30 Minutes 1. MouseJack / JackIT 2. SSH-MiTM 3. BashBunny – QuickCreds 4. S.E.T.H. 5. Responder / MultiRelay 6. WHID Cactus
  7. Inside the hackers bag of tricks: MouseJack / JackIT • MouseJack is a class of vulnerabilities that affects the vast majority of wireless, non-Bluetooth keyboards and mice. These peripherals are 'connected' to a host computer using a radio transceiver, commonly a small USB dongle. Since the connection is wireless, and mouse movements and keystrokes are sent over the air, it is possible to compromise a victim's computer by transmitting specially-crafted radio signals using a device which costs as little as $15. An attacker can launch the attack from up to 100 meters away. The attacker is able to take control of the target computer, without physically being in front of it, and type arbitrary text or send scripted commands. It is therefore possible to rapidly perform malicious activities without being detected. The MouseJack exploit centers around injecting unencrypted keystrokes into a target computer. Mouse movements are usually sent unencrypted, and keystrokes are often encrypted (to prevent eavesdropping on what is being typed). However, the MouseJack vulnerability takes advantage of affected receiver dongles, and their associated software, allowing unencrypted keystrokes transmitted by an attacker to be passed on to the computer's operating system as if the victim had legitimately typed them.
  8. Inside the hackers bag of tricks: MouseJack / JackIT
  9. Inside the hackers bag of tricks: SSH-MiTM • This penetration testing tool allows an auditor to intercept SSH connections. A patch applied to the OpenSSH v7.5p1 source code causes it to act as a proxy between the victim and their intended SSH server; all plaintext passwords and sessions are logged to disk. • The victim's SSH client will complain that the server's key has changed. But because 99.99999% of the time this is caused by a legitimate action (OS re-install, configuration change, etc.), many/most users will disregard the warning and continue on.
  10. Inside the hackers bag of tricks: SSH-MiTM
  11. Inside the hackers bag of tricks: Hak5 Bash Bunny - QuickCreds • The Bash Bunny by Hak5 is a simple and powerful multi-function USB attack and automation platform for penetration testers and systems administrators. It is easy to set up and deploy, with a simple "Bunny Script" language, a multi-position attack switch and a centralized repository of payloads. • It's powerful, with multiple attack vectors including HID keyboard, USB Ethernet, Serial and Mass Storage. Simultaneously perform keystroke injection attacks, bring-your-own-network attacks and intelligent exfiltration.
  12. Inside the hackers bag of tricks: Hak5 Bash Bunny - QuickCreds • The BashBunny is a device that masquerades as a USB Ethernet adapter and has a computer running Linux within the enclosure; it captures credentials from a system, even when locked. The hash capturing is done with Laurent Gaffié’s Responder. Because USB is Plug-and-Play, even if a system is locked out the device still gets installed and initialized. There are restrictions on what types of devices are allowed to install in a locked-out state on newer operating systems (Win10/El Capitan), but Ethernet/LAN is on the whitelist. Computers are constantly creating traffic, even if there are no browsers or applications open, and most computers trust their local network by default. Network preference when there is more than one gateway or network connection is based on “metrics” on Windows and a combination of metrics and “preference” on OSX; by default “wired” and “newer/faster” win out. This means that by plugging in the device it becomes the gateway, DNS server, WPAD server and others, thanks to Responder. The average time from freshly inserting the device into a locked workstation to harvested creds is approximately 13 seconds.
  13. Inside the hackers bag of tricks: Hak5 Bash Bunny - QuickCreds
  14. Inside the hackers bag of tricks: S.E.T.H. • Seth is a tool written in Python and Bash to MitM RDP connections by attempting to downgrade the connection in order to extract clear text credentials. It was developed to raise awareness and educate about the importance of properly configured RDP connections in the context of pentests, workshops or talks. The author is Adrian Vollmer (SySS GmbH). • The shell script performs ARP spoofing to gain a Man-in-the-Middle position and redirects the traffic such that it runs through an RDP proxy. The proxy can be called separately. This can be useful if you want to use Seth in combination with Responder. Use Responder to gain a Man-in-the-Middle position and run Seth at the same time.
  15. Inside the hackers bag of tricks: S.E.T.H. https://github.com/SySS-Research/Seth • Seth is a tool written in Python and Bash to MitM RDP connections by attempting to downgrade the connection in order to extract clear text credentials. It was developed to raise awareness and educate about the importance of properly configured RDP connections in the context of pentests, workshops or talks. The author is Adrian Vollmer (SySS GmbH). • Usage: ./seth.sh <INTERFACE> <ATTACKER IP> <VICTIM IP> <GATEWAY IP|HOST IP> [<COMMAND>] • Unless the RDP host is on the same subnet as the victim machine, the last IP address must be that of the gateway. The last parameter is optional. It can contain a command that is executed on the RDP host.
  16. Inside the hackers bag of tricks: S.E.T.H. • Keystroke injection depends on which keyboard layout the victim is using; currently it's only reliable with the English US layout. I suggest avoiding special characters by using powershell -enc <STRING>, where STRING is your UTF-16LE and Base64 encoded command. However, calc should be pretty universal and gets the job done. • The shell script performs ARP spoofing to gain a Man-in-the-Middle position and redirects the traffic such that it runs through an RDP proxy. The proxy can be called separately. This can be useful if you want to use Seth in combination with Responder. Use Responder to gain a Man-in-the-Middle position and run Seth at the same time. Run seth.py -h for more information.
  17. Inside the hackers bag of tricks: S.E.T.H.
  18. Inside the hackers bag of tricks: Responder / MultiRelay • Responder is an LLMNR, NBT-NS and MDNS poisoner. It will answer specific NBT-NS (NetBIOS Name Service) queries based on their name suffix (see: http://support.microsoft.com/kb/163409). By default, the tool will only answer File Server Service requests, which are for SMB. • The concept behind this is to target our answers and be stealthier on the network. This also helps to ensure that we don't break legitimate NBT-NS behavior. You can set the -r option via the command line if you want to answer the Workstation Service request name suffix.
  19. Inside the hackers bag of tricks: Responder / MultiRelay • Multi-Relay: use the collected hash to perform Pass The Hash as opposed to cracking the hash. • Hash Harvesting (eth0 or the current active connection): in the Responder folder, run python Responder.py -I eth0 • MultiRelay requires 2 terminal windows: in the Responder folder, run python Responder.py -I eth0 -wrFb (window listening for requests); in the Responder tools folder, run python MultiRelay.py -t <Target IP> -u ALL (window pointing at the target to perform PTH against).
  20. Inside the hackers bag of tricks: Responder / MultiRelay
  21. Inside the hackers bag of tricks: WHID Cactus / Mimikatz • This device allows keystrokes to be sent via WiFi to a target machine. The target recognises the Ducky as both a standard HID keyboard and a serial port, allowing interactive commands and scripts to be executed on the target remotely. Hardware Design Author: Luca Bongiorni • Third-Party Software Compatible with WHID’s Hardware: 1. whid.ninja 2. https://github.com/sensepost/USaBUSe 3. https://github.com/spacehuhn/wifi_ducky 4. https://github.com/basic4/WiDucky 5. https://github.com/exploitagency/ESPloitV2 • This demonstration will use “ESPloit”.
  22. Inside the hackers bag of tricks: WHID Cactus / Mimikatz • ESPloit uses its own scripting language and not Ducky Script, although a Ducky Script to ESPloit converter is available at: https://exploitagency.github.io/Duckuino/index.html • Exfiltrating Data: Serial Exfiltration Method; WiFi Exfiltration Methods: HTTP exfiltration, FTP exfiltration • ESPortal Credential Harvester (Phisher) • Live Payload Mode: here you may type out or copy/paste a payload to run without uploading. • Duckuino Mode: convert Ducky Script to ESPloit Script and then optionally run the script.
  23. Inside the hackers bag of tricks: WHID Cactus / Mimikatz • Mimikatz is an open-source utility that enables the viewing of credential information from the Windows lsass (Local Security Authority Subsystem Service) through its sekurlsa module, which includes plaintext passwords and Kerberos tickets that could then be used for attacks such as pass-the-hash and pass-the-ticket.
  24. Inside the hackers bag of tricks: WHID Cactus / Mimikatz
  25. Inside the hackers bag of tricks: Takeaways • MultiFactor Auth • Tier Segregation • Credential Boundaries • PAS System
  26. Thank You
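The SSH-MiTM slides (9 and 10) rest on one assumption: that the user clicks through the "host key has changed" warning. A client or audit script that treats a changed key as a hard failure removes that choice. The following is an added example, not code from the slides or from the SSH-MiTM project: it parses OpenSSH `known_hosts` entries (plain and `HashKnownHosts` form), computes the OpenSSH-style SHA256 fingerprint, and classifies a presented key as pinned, unknown, or changed. The sample keys are constructed 32-byte placeholders, not real Ed25519 keys, and the hostnames are assumptions.

```python
"""Strict SSH host-key pinning check (added example, not part of the slides)."""
import base64
import hashlib
import hmac
import struct


def ssh_string(b: bytes) -> bytes:
    """Encode bytes as an SSH wire string (uint32 big-endian length + payload)."""
    return struct.pack(">I", len(b)) + b


def ed25519_blob(pubkey: bytes) -> str:
    """Base64 OpenSSH public-key blob for a raw 32-byte Ed25519 public key."""
    return base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(pubkey)).decode()


def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the key blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_matches(pattern: str, host: str) -> bool:
    """Match a known_hosts host field: plain name, comma list, or |1|salt|hmac."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, hash_b64 = pattern.split("|")
        salt = base64.b64decode(salt_b64)
        mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(hash_b64))
    return host in pattern.split(",")


def parse_known_hosts(text: str):
    """Yield (host_field, key_type, key_b64) for each non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0].startswith("@"):  # @cert-authority / @revoked markers
            parts = parts[1:]
        if len(parts) < 3:
            continue
        yield parts[0], parts[1], parts[2]


def check_host_key(known_hosts: str, host: str, key_type: str, key_b64: str) -> str:
    """Return 'ok', 'unknown', or 'CHANGED' for the key a server presented."""
    pinned = [(kt, kb) for hf, kt, kb in parse_known_hosts(known_hosts)
              if host_matches(hf, host)]
    if not pinned:
        return "unknown"
    for kt, kb in pinned:
        if kt == key_type and kb == key_b64:
            return "ok"
    return "CHANGED"  # a pinned key exists and differs: refuse, do not just warn


def hashed_host_entry(host: str, salt: bytes) -> str:
    """Build a HashKnownHosts-style host field (20-byte salt, HMAC-SHA1)."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


# Constructed sample data (assumed hostnames, placeholder key bytes; not real keys).
REAL_KEY = ed25519_blob(bytes(range(32)))
MITM_KEY = ed25519_blob(bytes(range(32, 64)))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# pinned bastion key",
    "bastion.example.test,10.0.0.5 ssh-ed25519 " + REAL_KEY,
    hashed_host_entry("db.example.test", b"0123456789abcdef0123") + " ssh-ed25519 " + REAL_KEY,
])


if __name__ == "__main__":
    for host, key in [("bastion.example.test", REAL_KEY), ("bastion.example.test", MITM_KEY),
                      ("db.example.test", MITM_KEY), ("new.example.test", REAL_KEY)]:
        print(host, fingerprint(key), check_host_key(SAMPLE_KNOWN_HOSTS, host, "ssh-ed25519", key))
```

The built-in equivalent is `StrictHostKeyChecking yes` in `ssh_config`, which makes OpenSSH refuse rather than warn; the script shows what that check actually compares, so the same logic can be applied to exported `known_hosts` files during an audit.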
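Slides 14 to 17 describe Seth downgrading the RDP connection so it can terminate the session and read the credentials. The downgrade is visible in the first two packets: the client's X.224 Connection Request carries a requestedProtocols bitmask and the server's Connection Confirm carries the selectedProtocol (MS-RDPBCGR 2.2.1.1 and 2.2.1.2). The following is an added example, not Seth's code nor anything from the slides: it parses both packets and flags a session where the client offered NLA (CredSSP) but the peer settled on something weaker. The packet builders at the end exist only to construct test data; the user name and protocol choices in them are assumptions.

```python
"""RDP security-negotiation downgrade check (added example, not from the slides)."""
import struct

PROTOCOL_RDP = 0x0        # legacy "Standard RDP Security", the downgrade target
PROTOCOL_SSL = 0x1        # TLS
PROTOCOL_HYBRID = 0x2     # CredSSP / NLA
PROTOCOL_HYBRID_EX = 0x8  # CredSSP with early user authorization

TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03


def _x224_payload(pkt: bytes, expected_type: int) -> bytes:
    """Strip the TPKT and fixed X.224 header; return the variable part."""
    if len(pkt) < 11 or pkt[0] != 3:
        raise ValueError("not a TPKT frame")
    tpkt_len = struct.unpack(">H", pkt[2:4])[0]
    if tpkt_len != len(pkt):
        raise ValueError("TPKT length mismatch")
    li, tpdu_type = pkt[4], pkt[5]  # LI counts bytes after itself
    if tpdu_type != expected_type:
        raise ValueError("unexpected X.224 TPDU type 0x%02x" % tpdu_type)
    return pkt[11:5 + li]


def parse_connection_request(pkt: bytes):
    """Return the mstshash cookie (if any) and the requested protocol bitmask."""
    body = _x224_payload(pkt, 0xE0)
    cookie = None
    prefix = b"Cookie: mstshash="
    if body.startswith(prefix):
        end = body.index(b"\r\n")
        cookie = body[len(prefix):end].decode(errors="replace")
        body = body[end + 2:]
    requested = None
    if len(body) >= 8 and body[0] == TYPE_RDP_NEG_REQ:
        length = struct.unpack("<H", body[2:4])[0]
        if length == 8:
            requested = struct.unpack("<I", body[4:8])[0]
    return {"cookie": cookie, "requested": requested}


def parse_connection_confirm(pkt: bytes):
    """Return the server's selectedProtocol, or None if absent or a failure."""
    body = _x224_payload(pkt, 0xD0)
    if len(body) >= 8 and body[0] == TYPE_RDP_NEG_RSP:
        return struct.unpack("<I", body[4:8])[0]
    return None


def assess(request: bytes, confirm: bytes) -> str:
    """Classify the negotiated security level of one RDP session."""
    req = parse_connection_request(request)["requested"]
    sel = parse_connection_confirm(confirm)
    if req is None or sel is None:
        return "legacy"        # no negotiation at all means Standard RDP Security
    if sel in (PROTOCOL_HYBRID, PROTOCOL_HYBRID_EX):
        return "nla"
    if req & (PROTOCOL_HYBRID | PROTOCOL_HYBRID_EX):
        return "downgrade"     # client offered NLA, peer settled on less
    return "tls" if sel == PROTOCOL_SSL else "legacy"


def build_connection_request(requested: int, user: str = "demo") -> bytes:
    """Constructed client packet for testing (layout per MS-RDPBCGR)."""
    cookie = b"Cookie: mstshash=" + user.encode() + b"\r\n"
    neg = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested)
    variable = cookie + neg
    x224 = struct.pack(">BBHHB", 6 + len(variable), 0xE0, 0, 0, 0) + variable
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def build_connection_confirm(selected: int) -> bytes:
    """Constructed server (or intermediary) reply for testing."""
    neg = struct.pack("<BBHI", TYPE_RDP_NEG_RSP, 0, 8, selected)
    x224 = struct.pack(">BBHHB", 6 + len(neg), 0xD0, 0, 0, 0) + neg
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


if __name__ == "__main__":
    req = build_connection_request(PROTOCOL_SSL | PROTOCOL_HYBRID | PROTOCOL_HYBRID_EX, "alice")
    for sel in (PROTOCOL_HYBRID, PROTOCOL_SSL, PROTOCOL_RDP):
        print(hex(sel), assess(req, build_connection_confirm(sel)))
```

A "downgrade" verdict is not proof of an intermediary by itself, since a server that genuinely lacks NLA answers the same way; the point is that it never happens on a fleet where NLA is required, so it is a cheap, high-signal alert for an RDP-aware network sensor.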

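Slides 12 and 18 to 20 both depend on Responder answering LLMNR name queries that no legitimate host would answer. That behaviour is also what gives it away: a defender can query a name that does not exist and treat any answer as evidence of a poisoner on the segment. The following is an added example, not Responder's code nor anything from the slides. It builds an LLMNR A query (RFC 4795 wire format, multicast group 224.0.0.252, UDP 5355), parses an answer, and applies the canary rule; `build_fake_answer` constructs the reply a poisoner would send purely so the logic can be exercised offline, and the canary name and IP addresses are assumptions.

```python
"""LLMNR poisoner canary detector (added example, not from the slides)."""
import random
import socket
import struct

LLMNR_GROUP = "224.0.0.252"
LLMNR_PORT = 5355


def encode_name(name: str) -> bytes:
    """DNS-style label encoding: length-prefixed labels, terminated by 0."""
    return b"".join(struct.pack("B", len(l)) + l.encode() for l in name.split(".")) + b"\x00"


def build_query(name: str, txid: int) -> bytes:
    """LLMNR A query; the header layout is the same as a DNS query."""
    header = struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0)  # id, flags, qd, an, ns, ar
    return header + encode_name(name) + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def read_name(data: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer into the packet
            if not jumped:
                end = offset + 2
            offset = struct.unpack(">H", data[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode())
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_response(data: bytes):
    """Return (txid, [(name, ipv4)]) for the A records in an LLMNR answer."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if not flags & 0x8000:  # QR bit clear: this is a query, not a response
        raise ValueError("not a response")
    offset = 12
    for _ in range(qd):
        _, offset = read_name(data, offset)
        offset += 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        name, offset = read_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((name, socket.inet_ntoa(rdata)))
    return txid, answers


def classify(canary: str, txid: int, response: bytes, responder_ip: str):
    """Any answer for a name that does not exist identifies a poisoner."""
    rid, answers = parse_response(response)
    if rid != txid:
        return None  # unrelated traffic on the multicast group
    for name, ip in answers:
        if name.lower() == canary.lower():
            return {"poisoner": responder_ip, "claimed_ip": ip, "name": name}
    return None


def build_fake_answer(query: bytes, ip: str) -> bytes:
    """Constructed sample of a poisoner's reply (test data only)."""
    txid, = struct.unpack(">H", query[:2])
    header = struct.pack(">HHHHHH", txid, 0x8000, 1, 1, 0, 0)
    rr = struct.pack(">HHHIH", 0xC00C, 1, 1, 30, 4) + socket.inet_aton(ip)
    return header + query[12:] + rr  # echo the question, then one A record


def send_canary(name="canary-3a9f-nx", timeout=2.0):
    """Live check: multicast the canary query and report the first answer."""
    txid = random.randint(0, 0xFFFF)
    query = build_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
        s.settimeout(timeout)
        s.sendto(query, (LLMNR_GROUP, LLMNR_PORT))
        try:
            data, (src, _) = s.recvfrom(512)
        except socket.timeout:
            return None
    return classify(name, txid, data, src)


if __name__ == "__main__":
    print(send_canary())  # None on a clean segment
```

Running `send_canary()` from a few vantage points on a schedule turns the 13-second window described on slide 12 into an alert; disabling LLMNR and NBT-NS via Group Policy, as the takeaways slide implies, removes the attack surface outright, and the canary then confirms the policy actually landed.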