When your job is to act as a malicious attacker on a daily basis for the good of helping organizations, you can’t help but wonder “What if I decided to embrace the evil within?” What if one day I woke up evil? Every day as a pentester, I compromise organizations through a variety of ways. If I were to wake up one day and decide to completely throw my ethics out the window, how profitable could I be, and could I avoid getting caught?
In this talk I will walk through a detailed methodology about how I personally would go about exploiting organizations for fun and profit, this time not under the “white hat.” Non-attribution, target acquisition, exploitation, and profitization will be the focal points. Blue teamers will get a peek into the mindset of a dedicated attacker. Red teamers will learn a few new techniques for their attack methodologies.
Fade from Whitehat... to Black
1. FADE FROM WHITEHAT… TO BLACK
BEAU BULLOCK
2. “Everyone is a moon and has a dark side which he never shows to anybody”
~ Mark Twain
3. KEY FOCAL POINTS
• Non-attribution
• Target Acquisition
• Reconnaissance
• Exploitation
• Profitization
4. WHO AM I
• Beau Bullock
• Pentester at Black Hills Information Security
• Host of Hack Naked TV
• Previously an enterprise defender
• OSCP, GXPN, GPEN, GCIH, GCFA, OSWP, & GSEC
7. IN TWO YEARS SINCE THEN I’VE…
• Performed Pentests against 70 different companies
• Recorded 20 Hack Naked TV episodes
• Spoke at three different security conferences
• Wrote eight blog posts
• …now adding keynote to the list
11. DREAD PIRATE ROBERTS (DPR)
• How Ross Ulbricht got caught = Really bad OPSEC
• Boasted about creating an “economic simulation” on LinkedIn
• Put his real face on fake IDs used to purchase servers
• Asked for advice on Stack Overflow about coding Silk Road
• Hired an undercover cop to perform a “hit” for him
• TOR IP Publishing leak - Leaked Silk Road’s actual IP
• Accessed Silk Road from Café half a block from residence
12. DESIGN WITH OPSEC IN MIND
• Let’s try to avoid DPR’s mistakes
• Don’t trust humans
• Build attack infrastructure with the most important element being OPSEC
• Maintain anonymity in both the real and digital worlds
13. NON-ATTRIBUTABLE SETUP
• Necessities (rebuilt from scratch for each job)
• A laptop to work from
• Internet
• VPN/proxies
• CnC and attack servers
• Non-attributable currency (i.e. Bitcoin, pre-paid VISAs)
15. INTERNET
• Free WiFi at coffee shops, hotels, or my favorite… apartment complexes
• Greater than 50 miles from residence
• Never bring residence into circumference
18. ATTACK ARCHITECTURE SETUP
• Never directly attacking an organization
• Will need multiple virtual private servers (VPS)
• In order to be non-attributable we will need a few things:
• Alternate identities
• Currency (Bitcoin, pre-paid VISA, etc.)
21. PRIMARY ATTACK SYSTEMS
• VPS Network 1
• VPN server
• Management server
• Password cracking server
• VPS Network 2
• Primary attack server
• Command and Control server
22. CONNECTIVITY
• VPN from base camp to VPS network 1
• SSH/RDP to management server
• Route all traffic from management server through TOR
• SSH from management server to VPS network 2 hosts
24.
1. Live-booted off USB to Linux
2. Connected to free WiFi
3. VPN’d to VPS net 1
4. VNC to management server in VPS net 1
5. Route all traffic from management server through TOR
6. SSH from management server over TOR to attack server in VPS net 2
7. Mandatory Caffeination
33. INFORMATION DISCLOSURE
• Organization’s username structure
• Credentials in previous breaches
• External network ranges
34. MINIMIZE THE NOISE
• Use sites like Shodan and Censys to discover open ports on the target’s systems
• Again, look for low hanging fruit
• Locate external login portals (we’ll get to why these are important shortly)
43. ATTACK 3 - PHISHING
• The “golden ticket” to pretty much any network
• Two types of phishing
• Credential gathering
• System compromise
44. ATTACK 3 - PHISHING
• Credential gathering
• Clone an external login portal
• Phish users to login to gather creds
• Redirect to actual portal
45. ATTACK 3 - PHISHING
• Remote exploitation
• Word doc macros, browser exploits, etc.
46. REMOTE ACCESS
• VPN - is 2FA in play?
• RDP?
• Access to OWA - phishing across internal accounts = win
• No physical attacks. If I can’t compromise the network remotely I move on.
47. POST-EXPLOITATION
• PowerShell, and command line - no extra tools needed
• GPP
• Widespread local admin
• Insecure perms on other systems (domain users in local admins)
• Internal password spraying
• PsExec/Mimikatz combo
48. LOOT
• Pivot to DC, dump domain hashes
• Locate vCenter servers, DBs, etc.
50. TURNING COMPROMISE INTO CASH
• Carder?
• Identity Theft?
• Ransomware?
• Hacktivist?
52. THE TRICKY PART…
“It's not that we find criminals like this through cyber-forensics. We get them in the real world when they do something stupid, it's invariably how it works: Getting credit cards is easy. Turning it into cash is hard.”
~ Bruce Schneier
53. TWO MAJOR PROBLEMS
• Bitcoin is not untraceable
• Turning large amounts of Bitcoin into cash is not trivial
54. TRACING BITCOIN
• blockchain.info
• blockseer.com
55. BITCOIN TO CASH
• This becomes a money laundering problem
56. RIP AND REPLACE
• Full teardown and removal of all testing systems
• Rebuild from scratch for next job
58. WHY I DON’T DO THIS
• Ethics
• Inevitability of getting caught
• Danger of entering the criminal world
59. WE CAN MAKE IT BETTER
• Enterprise Defenders, Pentesters, Security Engineers, Developers, Forensicators, Network Engineers, SysAdmins, DBAs, etc.
60. DEFENDERS
• Shift focus from attribution to detection and prevention
• Increase logging to detect when attackers are performing attacks like password spraying
• Ensure all external login portals are using 2FA
• Increase length of password policies
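One way to act on the logging bullet above, as an added example that is not code from the talk: flag a source that attempts logins as many distinct accounts within a short window, which is the shape of a password spray rather than a single-account brute force. The log format, the constructed sample lines, and the thresholds (30-minute window, 5 distinct accounts) are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from the talk): timestamp, source IP, account, outcome.
# 203.0.113.7 sprays six accounts (one succeeds); 198.51.100.4 hammers one account;
# 192.0.2.9 is an ordinary user who mistyped once.
SAMPLE_LOG = """\
2016-05-01T09:00:01 203.0.113.7 asmith FAIL
2016-05-01T09:00:03 203.0.113.7 bjones FAIL
2016-05-01T09:00:05 203.0.113.7 cwilliams FAIL
2016-05-01T09:00:08 203.0.113.7 ddavis FAIL
2016-05-01T09:00:10 203.0.113.7 emiller SUCCESS
2016-05-01T09:00:12 203.0.113.7 fwilson FAIL
2016-05-01T09:01:00 198.51.100.4 asmith FAIL
2016-05-01T09:01:30 198.51.100.4 asmith FAIL
2016-05-01T09:02:00 198.51.100.4 asmith FAIL
2016-05-01T09:02:30 198.51.100.4 asmith FAIL
2016-05-01T09:05:00 192.0.2.9 gbrown FAIL
2016-05-01T09:05:20 192.0.2.9 gbrown SUCCESS
"""

def parse_log(text):
    """Parse whitespace-separated lines into (datetime, src_ip, user, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, src, user, outcome = line.split()
            events.append((datetime.fromisoformat(ts), src, user, outcome))
    return events

def detect_spray(events, window=timedelta(minutes=30), min_users=5):
    """Return {src_ip: (distinct_accounts, accounts_that_succeeded)} for every source
    that authenticated as at least min_users distinct accounts inside one sliding window.
    Outcome is ignored for the count: a spray is visible before any attempt succeeds."""
    by_src = defaultdict(list)
    for ts, src, user, outcome in events:
        by_src[src].append((ts, user, outcome))
    alerts = {}
    for src, rows in by_src.items():
        rows.sort()
        best, start = None, 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:   # slide the window forward
                start += 1
            users = {u for _, u, _ in rows[start:end + 1]}
            if len(users) >= min_users and (best is None or len(users) > best[0]):
                succeeded = sorted({u for _, u, o in rows[start:end + 1] if o == "SUCCESS"})
                best = (len(users), succeeded)
        if best:
            alerts[src] = best
    return alerts
```

The single-account source is left for a separate lockout or brute-force rule; the value of this check is that it fires on the many-accounts pattern that per-account lockout thresholds never see.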
61. ATTACKERS
• Continue to highlight the importance and value of credentials
• Attempt to locate credential reuse across accounts
• On external assessments attempt to password spray portals that use domain-based authentication
• Escalate internally & crack all the passwords
62. THANK YOU
• beau@blackhillsinfosec.com
• beau@dafthack.com
• @dafthack