FADE FROM WHITEHAT… TO BLACK
BEAU BULLOCK
“Everyone is a moon and has a dark side which he never shows to anybody”
~ Mark Twain
KEY FOCAL POINTS
• Non-attribution
• Target Acquisition
• Reconnaissance
• Exploitation
• Profitization
WHO AM I
• Beau Bullock
• Pentester at Black Hills Information Security
• Host of Hack Naked TV
• Previously an enterprise defender
• OSCP, GXPN, GPEN, GCIH, GCFA, OSWP, & GSEC
SIDE NOTE
2014
IN TWO YEARS SINCE THEN I’VE…
• Performed Pentests against 70 different companies
• Recorded 20 Hack Naked TV episodes
• Spoke at three different security conferences
• Wrote eight blog posts
• …now adding keynote to the list
Enough about me
NON-ATTRIBUTION
Fade from Whitehat... to Black
DREAD PIRATE ROBERTS (DPR)
• How Ross Ulbricht got caught = Really bad OPSEC
• Boasted about creating an “economic simulation” on LinkedIn
• Put his real face on fake ID’s used to purchase servers
• Asked for advice on Stack Overflow about coding Silk Road
• Hired an undercover cop to perform a “hit” for him
• TOR IP Publishing leak - Leaked Silk Road’s actual IP
• Accessed Silk Road from Café half a block from residence
DESIGN WITH OPSEC IN MIND
• Let’s try to avoid DPR’s mistakes
• Don’t trust humans
• Build attack infrastructure with the most important element being OPSEC
• Maintain anonymity in both the real and digital worlds
NON-ATTRIBUTABLE SETUP
• Necessities (rebuilt from scratch for each job)
• A laptop to work from
• Internet
• VPN/proxies
• CnC and attack servers
• Non-attributable currency (i.e. Bitcoin, pre-paid VISA’s)
LAPTOP PURCHASE
INTERNET
• Free WiFi at coffee shops, hotels, or my favorite… apartment complexes
• Greater than 50 miles from residence
• Never bring residence into circumference
NOT OPSEC SAFE
A BIT MORE OPSEC SAFE
ATTACK ARCHITECTURE SETUP
• Never directly attacking an organization
• Will need multiple virtual private servers (VPS)
• In order to be non-attributable we will need a few things:
• Alternate identities
• Currency (Bitcoin, pre-paid VISA, etc.)
BUY BITCOIN FOR CASH
VPS FOR BITCOIN
PRIMARY ATTACK SYSTEMS
• VPS Network 1
• VPN server
• Management server
• Password cracking server
• VPS Network 2
• Primary attack server
• Command and Control server
CONNECTIVITY
• VPN from base camp to VPS network 1
• SSH/RDP to management server
• Route all traffic from management server through TOR
• SSH from management server to VPS network 2 hosts
NON-ATTRIBUTION DIAGRAM
1. Live-booted off USB to Linux
2. Connected to free WiFi
3. VPN’d to VPS net 1
4. VNC to management server in VPS net 1
5. Route all traffic from management server through TOR
6. SSH from management server over TOR to attack server in VPS net 2
7. Mandatory Caffeination
TARGET ACQUISITION
MOTIVATION
• Easy Targets
• High Profile Targets
• Contracted Targets
• Vengeance
EASY TARGETS
• Shodan - Unauthenticated VNC Servers
• Shodan - Vulnerable Services
HIGH PROFILE TARGETS
CONTRACTED TARGETS
VENGEANCE
RECONNAISSANCE
INFORMATION DISCLOSURE
• Organization’s username structure
• Credentials in previous breaches
• External network ranges
MINIMIZE THE NOISE
• Use sites like Shodan and Censys to discover open ports on the target’s systems
• Again, look for low hanging fruit
• Locate external login portals (we’ll get to why these are important shortly)
EXPLOITATION
ATTACK 1 - CREDENTIAL REUSE
• How can we exploit credential reuse on personal accounts?
• Publicly compromised accounts
• Pipl - locate employees based off their email address
• Attempt to login to their corporate account using the creds recovered from previous breach
ATTACK 2 - PASSWORD SPRAYING
• FOCA
ATTACK 3 - PHISHING
• The “golden ticket” to pretty much any network
• Two types of phishing
• Credential gathering
• System compromise
• Credential gathering
• Clone an external login portal
• Phish users to login to gather creds
• Redirect to actual portal
• Remote exploitation
• Word doc macros, browser exploits, etc.
REMOTE ACCESS
• VPN - is 2FA in play?
• RDP?
• Access to OWA - phishing across internal accounts = win
• No physical attacks. If I can’t compromise the network remotely I move on.
POST-EXPLOITATION
• PowerShell, and command line - no extra tools needed
• GPP
• Widespread local admin
• Insecure perms on other systems (domain users in local admins)
• Internal password spraying
• PSexec/Mimikatz combo
LOOT
• Pivot to DC, dump domain hashes
• Locate vCenter servers, DB’s, etc.
PROFITIZATION
TURNING COMPROMISE INTO CASH
• Carder?
• Identity Theft?
• Ransomware?
• Hacktivist?
Fade from Whitehat... to Black
THE TRICKY PART…
“It's not that we find criminals like this through cyber-forensics. We get them in the real world when they do something stupid, it's invariably how it works: Getting credit cards is easy. Turning it into cash is hard.”
~ Bruce Schneier
TWO MAJOR PROBLEMS
• Bitcoin is not untraceable
• Turning large amounts of Bitcoin into cash is not trivial
TRACING BITCOIN
• blockchain.info
• blockseer.com
BITCOIN TO CASH
• This becomes a money laundering problem
RIP AND REPLACE
• Full teardown and removal of all testing systems
• Rebuild from scratch for next job
FADING BACK
WHY I DON’T DO THIS
• Ethics
• Inevitability of getting caught
• Danger of entering the criminal world
WE CAN MAKE IT BETTER
• Enterprise Defenders, Pentesters, Security Engineers, Developers, Forensicators, Network Engineers, SysAdmins, DBA’s, etc.
DEFENDERS
• Shift focus from attribution to detection and prevention
• Increase logging to detect when attackers are performing attacks like password spraying
• Ensure all external login portals are using 2FA
• Increase length of password policies
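The "increase logging to detect password spraying" point above is only useful if something actually reads the logs. The detector below is an added example, not code from the talk or from Black Hills Information Security. It shows the distinction a defender needs to encode: a spray is one source trying many distinct usernames a few times each (so per-user lockout thresholds never fire), while a brute force is one source hammering one username. The log line format and the sample lines are constructed for this example; a real deployment would swap in the parser for its own VPN, OWA or SSO logs.

```python
"""
Password-spray vs. brute-force detection over authentication logs.

Added example. The log format below is an assumption made for this
example:  "<ISO timestamp> auth user=<name> src=<ip> result=<ok|fail>"
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: one spraying source (many users, one try each, one hit),
# one brute-forcing source (one user, many tries), one benign typo.
SAMPLE_LOG = """\
2016-05-01T08:00:01 auth user=alice src=203.0.113.7 result=fail
2016-05-01T08:00:03 auth user=bob src=203.0.113.7 result=fail
2016-05-01T08:00:05 auth user=carol src=203.0.113.7 result=fail
2016-05-01T08:00:07 auth user=dave src=203.0.113.7 result=fail
2016-05-01T08:00:09 auth user=erin src=203.0.113.7 result=fail
2016-05-01T08:00:11 auth user=frank src=203.0.113.7 result=ok
2016-05-01T08:00:20 auth user=alice src=198.51.100.9 result=fail
2016-05-01T08:00:21 auth user=alice src=198.51.100.9 result=fail
2016-05-01T08:00:22 auth user=alice src=198.51.100.9 result=fail
2016-05-01T08:00:23 auth user=alice src=198.51.100.9 result=fail
2016-05-01T08:00:24 auth user=alice src=198.51.100.9 result=fail
2016-05-01T09:30:00 auth user=grace src=192.0.2.44 result=fail
2016-05-01T09:30:05 auth user=grace src=192.0.2.44 result=ok
"""


def parse(log_text):
    """Return (timestamp, user, src, result) tuples sorted by time.
    Lines that do not match the expected format are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["src"], m["result"]))
    events.sort(key=lambda e: e[0])
    return events


def analyze(log_text, window=timedelta(minutes=5), min_users=5, min_attempts=5):
    """Classify each source IP by its failure pattern inside a sliding window.

    password-spray: >= min_users DISTINCT usernames failed from one source
    brute-force:    >= min_attempts failures but against few usernames
    Each finding also lists usernames that later authenticated successfully
    from the same source, which is the triage-critical part of a spray hit.
    """
    by_src = defaultdict(list)
    for ev in parse(log_text):
        by_src[ev[2]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e[3] == "fail"]
        start, best_users, best_attempts = 0, 0, 0
        for end in range(len(fails)):
            # advance the window start until it spans at most `window`
            while fails[end][0] - fails[start][0] > window:
                start += 1
            win = fails[start:end + 1]
            best_users = max(best_users, len({e[1] for e in win}))
            best_attempts = max(best_attempts, len(win))

        if best_users >= min_users:
            kind = "password-spray"
        elif best_attempts >= min_attempts:
            kind = "brute-force"
        else:
            continue  # below both thresholds: ordinary mistyped passwords

        findings[src] = {
            "kind": kind,
            "distinct_users": best_users,
            "attempts": best_attempts,
            "successes": sorted({e[1] for e in evs if e[3] == "ok"}),
        }
    return findings


if __name__ == "__main__":
    for src, f in analyze(SAMPLE_LOG).items():
        print(f"{src}: {f['kind']} ({f['distinct_users']} users, "
              f"{f['attempts']} failures), successes={f['successes']}")
```

The thresholds (five distinct users inside five minutes) are a starting point, not a standard; tune them against a week of your own logs so that a help-desk NAT or a shared proxy does not page you every morning. The same per-source logic applies equally to 2FA-protected portals, where a spray still shows up as a burst of first-factor failures even though it cannot log anyone in.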
ATTACKERS
• Continue to highlight the importance and value of credentials
• Attempt to locate credential reuse across accounts
• On external assessments attempt to password spray portals that use domain-based authentication
• Escalate internally & crack all the passwords
THANK YOU
• beau@blackhillsinfosec.com
• beau@dafthack.com
• @dafthack

IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimization100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimization
 
Valere | Digital Solutions & AI Transformation Portfolio | 2024
Valere | Digital Solutions & AI Transformation Portfolio | 2024Valere | Digital Solutions & AI Transformation Portfolio | 2024
Valere | Digital Solutions & AI Transformation Portfolio | 2024
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
IEEE Computer Society’s Strategic Activities and Products including SWEBOK Guide
IEEE Computer Society’s Strategic Activities and Products including SWEBOK GuideIEEE Computer Society’s Strategic Activities and Products including SWEBOK Guide
IEEE Computer Society’s Strategic Activities and Products including SWEBOK Guide
 

Fade from Whitehat... to Black

  • 1. FADE FROM WHITEHAT… TO BLACK • Beau Bullock
  • 2. “Everyone is a moon and has a dark side which he never shows to anybody” ~ Mark Twain
  • 3. KEY FOCAL POINTS • Non-attribution • Target acquisition • Reconnaissance • Exploitation • Profitization
  • 4. WHO AM I • Beau Bullock • Pentester at Black Hills Information Security • Host of Hack Naked TV • Previously an enterprise defender • OSCP, GXPN, GPEN, GCIH, GCFA, OSWP, & GSEC
  • 5. SIDE NOTE
  • 6. 2014
  • 7. IN TWO YEARS SINCE THEN I’VE… • Performed pentests against 70 different companies • Recorded 20 Hack Naked TV episodes • Spoke at three different security conferences • Wrote eight blog posts • …now adding keynote to the list
  • 9. NON-ATTRIBUTION
  • 11. DREAD PIRATE ROBERTS (DPR) • How Ross Ulbricht got caught = really bad OPSEC • Boasted about creating an “economic simulation” on LinkedIn • Put his real face on fake IDs used to purchase servers • Asked for advice on Stack Overflow about coding Silk Road • Hired an undercover cop to perform a “hit” for him • Tor IP publishing leak - leaked Silk Road’s actual IP • Accessed Silk Road from a café half a block from his residence
  • 12. DESIGN WITH OPSEC IN MIND • Let’s try to avoid DPR’s mistakes • Don’t trust humans • Build attack infrastructure with OPSEC as the most important element • Maintain anonymity in both the real and digital worlds
  • 13. NON-ATTRIBUTABLE SETUP • Necessities (rebuilt from scratch for each job) • A laptop to work from • Internet • VPN/proxies • CnC and attack servers • Non-attributable currency (e.g. Bitcoin, pre-paid VISAs)
  • 14. LAPTOP PURCHASE
  • 15. INTERNET • Free WiFi at coffee shops, hotels, or my favorite… apartment complexes • Greater than 50 miles from residence • Never bring the residence into the circumference
  • 16. NOT OPSEC SAFE
  • 17. A BIT MORE OPSEC SAFE
  • 18. ATTACK ARCHITECTURE SETUP • Never directly attack an organization • Will need multiple virtual private servers (VPS) • In order to be non-attributable we will need a few things: • Alternate identities • Currency (Bitcoin, pre-paid VISA, etc.)
  • 19. BUY BITCOIN FOR CASH
  • 20. VPS FOR BITCOIN
  • 21. PRIMARY ATTACK SYSTEMS • VPS network 1 • VPN server • Management server • Password cracking server • VPS network 2 • Primary attack server • Command and control server
  • 22. CONNECTIVITY • VPN from base camp to VPS network 1 • SSH/RDP to management server • Route all traffic from management server through Tor • SSH from management server to VPS network 2 hosts
  • 23. NON-ATTRIBUTION DIAGRAM
  • 24. 1. Live-booted off USB to Linux 2. Connected to free WiFi 3. VPN’d to VPS net 1 4. VNC to management server in VPS net 1 5. Route all traffic from management server through Tor 6. SSH from management server over Tor to attack server in VPS net 2 7. Mandatory caffeination
  • 25. TARGET ACQUISITION
  • 26. MOTIVATION • Easy targets • High profile targets • Contracted targets • Vengeance
  • 27. EASY TARGETS • Shodan - unauthenticated VNC servers
  • 28. EASY TARGETS • Shodan - vulnerable services
  • 29. HIGH PROFILE TARGETS
  • 30. CONTRACTED TARGETS
  • 31. VENGEANCE
  • 32. RECONNAISSANCE
  • 33. INFORMATION DISCLOSURE • Organization’s username structure • Credentials in previous breaches • External network ranges
  • 34. MINIMIZE THE NOISE • Use sites like Shodan and Censys to discover open ports on the target’s systems instead of scanning them yourself (no packets from your infrastructure to the target) • Again, look for low hanging fruit • Locate external login portals (we’ll get to why these are important shortly)
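The first bullet of slide 33, the organization’s username structure, is what turns a name list or a breach dump into login attempts later in the deck. The following is an added example, not code from the talk: it infers which naming convention an organization uses from a couple of known name/address pairs (the kind of pairs document metadata gives up) and expands further names into candidate logins. Every name, address and the example.com domain are constructed for the example.

```python
"""
Infer an organisation's e-mail/username convention from a few known
(name, address) pairs and expand a list of further names into login
candidates. Added example; every name, address and domain below is
constructed.
"""
import re

# Conventions to test, each a function of (first, last) in lower case.
FORMATS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "firstlast": lambda f, l: f"{f}{l}",
    "flast": lambda f, l: f"{f[0]}{l}",
    "f.last": lambda f, l: f"{f[0]}.{l}",
    "firstl": lambda f, l: f"{f}{l[0]}",
    "lastf": lambda f, l: f"{l}{f[0]}",
    "last.first": lambda f, l: f"{l}.{f}",
    "first": lambda f, l: f,
}


def _split(full_name):
    """(first, last) in lower case with anything that is not a-z removed,
    so O'Brien -> obrien and Jean-Luc -> jeanluc. Middle names are ignored."""
    parts = full_name.split()
    if len(parts) < 2:
        raise ValueError(f"need first and last name: {full_name!r}")
    norm = lambda s: re.sub(r"[^a-z]", "", s.lower())
    return norm(parts[0]), norm(parts[-1])


def infer_format(samples):
    """samples: [(full name, e-mail)]. Returns every convention label that
    explains the local part of all samples, sorted. Usually exactly one;
    an empty list means none of the known conventions fits, more than one
    means another sample is needed to disambiguate."""
    hits = {label: 0 for label in FORMATS}
    for name, email in samples:
        first, last = _split(name)
        local = email.split("@", 1)[0].lower()
        for label, fn in FORMATS.items():
            if fn(first, last) == local:
                hits[label] += 1
    return sorted(label for label, n in hits.items()
                  if samples and n == len(samples))


def expand(names, fmt, domain):
    """Apply a convention label from FORMATS to a list of full names."""
    fn = FORMATS[fmt]
    return [f"{fn(*_split(n))}@{domain}" for n in names]


if __name__ == "__main__":
    # constructed: two addresses recovered from document metadata
    known = [("John Smith", "jsmith@example.com"),
             ("Maria O'Brien", "mobrien@example.com")]
    fmts = infer_format(known)
    print("convention:", fmts)
    if len(fmts) == 1:
        # constructed: names harvested from a public employee listing
        print(expand(["Pat Lee", "Jean-Luc Picard"], fmts[0], "example.com"))
```

Two samples are normally enough to single out one convention; when `infer_format` returns more than one label, collect another address before spraying, because a wrong guess wastes the small number of attempts the lockout policy allows.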
  • 35. EXPLOITATION
  • 36. ATTACK 1 - CREDENTIAL REUSE • How can we exploit credential reuse on personal accounts?
  • 37. ATTACK 1 - CREDENTIAL REUSE • Publicly compromised accounts
  • 38. ATTACK 1 - CREDENTIAL REUSE • Pipl - locate employees based off their email address
  • 39. ATTACK 1 - CREDENTIAL REUSE • Attempt to log in to their corporate account using the creds recovered from the previous breach
  • 40. ATTACK 2 - PASSWORD SPRAYING
  • 41. ATTACK 2 - PASSWORD SPRAYING • FOCA
  • 42. ATTACK 2 - PASSWORD SPRAYING
  • 43. ATTACK 3 - PHISHING • The “golden ticket” to pretty much any network • Two types of phishing • Credential gathering • System compromise
  • 44. ATTACK 3 - PHISHING • Credential gathering • Clone an external login portal • Phish users into logging in to gather creds • Redirect to the actual portal
  • 45. ATTACK 3 - PHISHING • Remote exploitation • Word doc macros, browser exploits, etc.
  • 46. REMOTE ACCESS • VPN - is 2FA in play? • RDP? • Access to OWA • Phishing across internal accounts = win • No physical attacks. If I can’t compromise the network remotely I move on.
  • 47. POST-EXPLOITATION • PowerShell and command line - no extra tools needed • GPP • Widespread local admin • Insecure perms on other systems (domain users in local admins) • Internal password spraying • PsExec/Mimikatz combo
  • 48. LOOT • Pivot to DC, dump domain hashes • Locate vCenter servers, DBs, etc.
  • 49. PROFITIZATION
  • 50. TURNING COMPROMISE INTO CASH • Carder? • Identity theft? • Ransomware? • Hacktivist?
  • 52. THE TRICKY PART… “It's not that we find criminals like this through cyber-forensics. We get them in the real world when they do something stupid, it's invariably how it works: Getting credit cards is easy. Turning it into cash is hard.” ~ Bruce Schneier
  • 53. TWO MAJOR PROBLEMS • Bitcoin is not untraceable • Turning large amounts of Bitcoin into cash is not trivial
  • 54. TRACING BITCOIN • blockchain.info • blockseer.com
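Slide 54’s point that Bitcoin is not untraceable rests on the common-input-ownership heuristic that blockchain analysis sites apply: every input of a transaction has to be signed by its owner, so all input addresses of one transaction are treated as one entity, and a real-world label on any address in the cluster (an exchange deposit address with KYC on file) then covers the whole cluster. The following is an added example, not the talk’s code nor either site’s, run over a constructed four-transaction ledger with placeholder address names.

```python
"""
Common-input-ownership clustering and forward taint tracing.
Added example; the ledger below is constructed (A*, E*, V*, W*, X* are
placeholder addresses, not real ones).
"""
from collections import defaultdict


class UnionFind:
    """Disjoint-set over address strings."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_addresses(txs):
    """Every input of a transaction is signed by the same entity, so union
    all input addresses of each transaction. Returns a list of frozensets,
    one per entity. Coinbase transactions (no inputs) contribute nothing."""
    uf = UnionFind()
    for tx in txs:
        ins = tx["inputs"]
        for a in ins:
            uf.find(a)  # single-input addresses become their own cluster
        for a in ins[1:]:
            uf.union(ins[0], a)
    groups = defaultdict(set)
    for a in list(uf.parent):
        groups[uf.find(a)].add(a)
    return [frozenset(s) for s in groups.values()]


def cluster_of(clusters, addr):
    """The cluster containing addr; a singleton if addr was never spent."""
    for members in clusters:
        if addr in members:
            return members
    return frozenset({addr})


def downstream_clusters(txs, clusters, seed, max_hops=10):
    """Follow coins forward from the entity owning `seed`. One hop: a tracked
    address is spent, its outputs become tracked. Returns
    {cluster: first hop at which it received funds}. Outputs that return to
    the seed's own cluster (change) are not counted as a hop."""
    own = cluster_of(clusters, seed)
    frontier, seen, reached = set(own), set(own), {}
    for hop in range(1, max_hops + 1):
        nxt = set()
        for tx in txs:
            if any(a in frontier for a in tx["inputs"]):
                for out in tx["outputs"]:
                    if out in seen:
                        continue
                    seen.add(out)
                    nxt.add(out)
                    reached.setdefault(cluster_of(clusters, out), hop)
        if not nxt:
            break
        frontier = nxt
    return reached


def identify(clusters, known):
    """Propagate a real-world label on one address to its whole cluster."""
    labels = {}
    for addr, label in known.items():
        for member in cluster_of(clusters, addr):
            labels[member] = label
    return labels


# Constructed ledger. A2 is reused (received twice), which is what lets
# t2 link the change address A3 back to the A1/A2 entity.
TXS = [
    {"txid": "t1", "inputs": ["A1", "A2"], "outputs": ["V1", "A3"]},   # pay V1, change to A3
    {"txid": "t2", "inputs": ["A3", "A2"], "outputs": ["X1"]},         # send to intermediary
    {"txid": "t3", "inputs": ["X1"], "outputs": ["E1", "X2"]},         # intermediary deposits at exchange
    {"txid": "t4", "inputs": ["E1", "E2", "E3"], "outputs": ["W1"]},   # exchange sweeps deposits
]
KNOWN = {"E2": "exchange deposit address (KYC on file)"}  # constructed label

if __name__ == "__main__":
    clusters = cluster_addresses(TXS)
    labels = identify(clusters, KNOWN)
    for members, hop in sorted(downstream_clusters(TXS, clusters, "A1").items(), key=lambda kv: kv[1]):
        tag = labels.get(next(iter(members)), "unknown")
        print(f"hop {hop}: {sorted(members)} -> {tag}")
```

The seed entity never touched the exchange directly, yet two hops out its coins land in a cluster that a KYC record ties to a name. Mixing schemes such as CoinJoin deliberately break the heuristic by putting several owners’ inputs in one transaction, which is why tracing tools combine it with change-address and timing heuristics rather than relying on it alone.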
  • 55. BITCOIN TO CASH • This becomes a money laundering problem
  • 56. RIP AND REPLACE • Full teardown and removal of all testing systems • Rebuild from scratch for the next job
  • 57. FADING BACK
  • 58. WHY I DON’T DO THIS • Ethics • Inevitability of getting caught • Danger of entering the criminal world
  • 59. WE CAN MAKE IT BETTER • Enterprise defenders, pentesters, security engineers, developers, forensicators, network engineers, sysadmins, DBAs, etc.
  • 60. DEFENDERS • Shift focus from attribution to detection and prevention • Increase logging to detect when attackers are performing attacks like password spraying (one or two passwords tried against many accounts) • Ensure all external login portals use 2FA • Increase the minimum password length in password policies
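Slide 60’s second bullet, and the attack on slides 40 to 42 that it answers: a spray tries one or two likely passwords against many accounts so that no single account crosses the lockout threshold. Seen from the portal, that is many distinct users each failing once or twice from one source in a short window, the opposite shape of a brute force against a single account. The following is an added example, not the talk’s code, that runs exactly that logic over a constructed portal log (the line format, addresses and usernames are all made up here) and reports any account that then logged in successfully from the same source.

```python
"""
Password-spray detection over authentication logs. Added example, not
from the talk; the log format and every IP and username are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed portal log: 203.0.113.7 sprays six accounts and lands on jdoe,
# a legitimate user at 192.0.2.5 mistypes once, and 198.51.100.9 later
# brute-forces the single account 'admin' (not a spray, must not alert).
SAMPLE_LOG = "\n".join(
    [
        "2016-04-12T09:00:01Z src=203.0.113.7 user=asmith result=FAIL",
        "2016-04-12T09:00:14Z src=203.0.113.7 user=bjones result=FAIL",
        "2016-04-12T09:00:27Z src=203.0.113.7 user=cwhite result=FAIL",
        "2016-04-12T09:00:40Z src=203.0.113.7 user=dbrown result=FAIL",
        "2016-04-12T09:00:53Z src=203.0.113.7 user=egreen result=FAIL",
        "2016-04-12T09:01:06Z src=203.0.113.7 user=fblack result=FAIL",
        "2016-04-12T09:01:19Z src=203.0.113.7 user=jdoe result=OK",
        "2016-04-12T09:02:00Z src=192.0.2.5 user=mlee result=FAIL",
        "2016-04-12T09:02:30Z src=192.0.2.5 user=mlee result=OK",
    ]
    + [f"2016-04-12T11:00:{i:02d}Z src=198.51.100.9 user=admin result=FAIL"
       for i in range(8)]
)


def parse(lines):
    """Return (timestamp, src, user, result) tuples, oldest first."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # skip lines in any other format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"].lower(), m["result"]))
    return sorted(events)


def detect_spray(events, window=timedelta(minutes=60), min_users=5,
                 max_per_user=2, key=lambda e: e[1]):
    """Flag each key (default: source address) whose failures inside one
    sliding window of length `window` cover >= min_users distinct accounts
    with at most max_per_user failures each. Returns
    {key: {"users", "first", "last", "compromised"}}, where "compromised"
    lists accounts that logged in successfully from that key after the
    spray began. key=lambda e: "all" gives an organisation-wide view that
    still fires when the attacker rotates source addresses between guesses.
    """
    groups = defaultdict(list)
    for ev in events:
        groups[key(ev)].append(ev)
    alerts = {}
    for k, evs in groups.items():
        fails = [e for e in evs if e[3] == "FAIL"]
        best, start = None, 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            counts = defaultdict(int)
            for e in fails[start:end + 1]:
                counts[e[2]] += 1
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                if best is None or len(counts) > best["users"]:
                    begin = fails[start][0]
                    best = {
                        "users": len(counts),
                        "first": begin,
                        "last": fails[end][0],
                        "compromised": sorted({e[2] for e in evs
                                               if e[3] == "OK" and e[0] >= begin}),
                    }
        if best:
            alerts[k] = best
    return alerts


if __name__ == "__main__":
    for src, a in detect_spray(parse(SAMPLE_LOG.splitlines())).items():
        print(f"spray from {src}: {a['users']} accounts between {a['first']} "
              f"and {a['last']}; successful logins: {a['compromised'] or 'none'}")
```

The detection only works if the portal logs failed attempts with both the username and the source, which OWA, VPN concentrators and ADFS do not all do by default; checking that those fields are present is the first step of the logging increase the slide asks for. An attacker using the multi-VPS setup from slide 21 can spread guesses across sources, so run the organisation-wide key as well and tune `min_users` to the size of the user base.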
  • 61. ATTACKERS • Continue to highlight the importance and value of credentials • Attempt to locate credential reuse across accounts • On external assessments, attempt to password spray portals that use domain-based authentication • Escalate internally & crack all the passwords
  • 62. THANK YOU • beau@blackhillsinfosec.com • beau@dafthack.com • @dafthack