Connecting the Dots

Presented at InnoTech Oklahoma 2013. All rights reserved.

  • Metasploit-like framework to lessen the learning curve

1. Connecting the dots… Footprints in the ether, and other musings. Sean Satterlee – Principal Security Engineer

2. Disclaimer
   THIS IS PURELY FOR EDUCATIONAL PURPOSE. Myself, any identities that I may use, Net Source, Inc., NetSourceLabs, NetSourceSecure and any other organizations that I am affiliated with cannot be held liable for any negligence or illegal activity that may result from the disclosure of the information included in this briefing.

3. About me – intentionally left blank

4. A "howto" or "readme.txt"
   • A quick guide to a talk by me.
   • Be prepared
     – Topics will be all over the place
     – I will chase rabbits
     – I use profanity to make my point
     – I am passionate about my work
     – If you get up during this talk, be prepared to be heckled.
     – Did I mention that I will jump around on topics?
     – I will bring in points that I find interesting; while they might not be germane to the exact topic, you may find them useful.
     – If I switch languages for a certain word or concept, do not get angry. Write it down, google it, you can figure it out for yourself later.
     – I may repeat things every now and again.
     – I will chase rabbits
     – I need to make a "logic-chart" for following my talks
     – I should also remember to start using the "notes" feature for PowerPoint.
     – I like it when people clap immediately after pseudo-profound statements.
     – I do not like the obligatory applause at the end of my talks
     – Sometimes I will just skip slides because I don't feel like talking about them. It's alright though, you can download this slide deck.
     – The detailed sections are out of order. Sorry, I don't want to fix it.
   • My talks are interactive. Several of my friends are in the crowd.
     – They are not "plants", but I will sometimes call on them to help me remember anecdotes.

5. Business Intelligence?
   • A nice name for Corporate Espionage
   • Know the business model for a given target (read: client), and you will further understand the areas of their infrastructure that may be less guarded
   • Knowing more about your target will lead you to appropriate attack vectors

6. Dox?
   • Is it necessary to publish this information?
   • In short, the answer is no.

7. HOWEVER…
   • Having information is one thing.
   • Displaying that you have this information is another.
   • An entire generation raised with the notion that "knowledge is power" has caused this.
   • Displaying this information as a means to show power and to hinder someone else's operations is something completely different.

8. Forms of Reconnaissance and Intel Gathering
   • Physical
   • Social
   • OSINT

9. Subsets of Physical
   • Drive-bys
     – Done at multiple times throughout the day/night.
     – Establish key employees and work shifts
     – Use a rental car with a contour cam (HD), just leave it.
   • Wardrive
     – Don't get too close
     – Use everything you can in BT5, or Kali
   • Dumpster Dive
     – Do this at night
     – Avoid the critters

10. • Get a tour, make note of how physical security is managed.
      – Organics
      – CCTV
      – RFID
      – Magstrips
      – Electronic Keypads
      – "Secure" keylocks

11. • Make note of the badges; if you are conducting a social, you may need to create one.
    • It doesn't need to "work", just pass a glance.

12. • RFID? Sure, we can do that…

13. • Magstrips? Yeah, that too. Info available on

14. Keylocks
    • Seriously? Are you kidding me?
    • Medeco, Chubb, and Bonowi keys are now available for download to be printed on your RepRap

15. Physical Locks

16. Security Keypads
    Type – Procedure
    • Sentex Keypads – ***00000099#*
    • DoorKing – *029999
    • AeGIS – #,0 (same time) followed by 0000
    • Elite – "Program" button, followed by 7777
    • Linear – #,9,# 123456; add your code by: 0,1,#,%desired code%
    • Multicode – 1234 (no lockout, just keep pecking)

17. Keys to a successful "Social"
    • Accurate data
    • Susceptible targets
    • Audacity

18. USB drops and rubber duckies

19. CD/USB drop
    • Curiosity killed the cat
    • Think of this as a "reverse dead drop". Pseudo-public place, and you WANT it to be found.
      – You may ask yourself, "who would actually plug this in?"
      – Now tell yourself, "too many people that probably work with me."

20. You knew this would come up

21. Other methods
    • The USB drop isn't always needed
      – If you can gain physical access:
        • a rubber-ducky can be used to drop a payload and a reverse, persistent shell
      – If you can't gain physical access:
        • You can squeeze a rubber-ducky into anything that uses a USB connection. Ship it to someone in the target company. Human stupidity will take over, and SOMEONE will plug it in.

22. Just how easy is that?
    • Not calling anyone out, but certain people in this industry are literally batting 1000 using this technique.
      – But seriously, how easy is it?

23. I was going to make a political joke here, but… well, let's just skip that part as I don't really have any politics.

24. OSINT
    • TheHarvester
    • Maltego
    • NetGlub
    • Spokeo
    • Palantir

25. Quality of Sources
    • None of these tools are worth the processing power of launching them if you don't know where to look.

26. Sources, you say?
    • Spokeo
    • Anywho
    • Lexis-Nexis
    • Ancestry
    • Public Records for target area
    • ESRI – GIS data
    • County Assessor's office
    • Social Networks
      – Twitter
      – Facebook
      – Myspace
      – Google+
      – Youtube

27. Twitter?

28. Flickr? Why flickr?
    • Because sometimes smart people do very stupid things.
    • You can do something about it…

29. OR…

30. Examples, you say?
    • Users will come up with a "clever" password…
      – And reuse it.
      – And reuse it.
      – And reuse it.

31. So what comes of this behavior?

32. Again

33. And again…

34. Why Facebook?

35. Inadvertent Excess
    • Go into the Kinko's closest to your target.
    • Say you "forgot your thumbdrive"
    • They show you a box, you say "that's it!"
    • YAHTZEE!

36. A quick note about 'excessed equipment'
    • Please wipe configs on hardware and remove drives
    • 4th Saturday sales have yielded quite a few Cis** devices with current configs for an organization STILL ON THEM.

37. Recon-ng
    • Recon gets its own slide, because… well, it's cool.

38. Create your own transforms
    • There is a wealth of information in public databases
      – Property taxes
      – Marriages, divorces, VPO's, traffic citations, etc.
      – Foreclosures
      – Birth records, death certificates
      – Blogs

39. Quality of Product
    • Your information is only as good as your starting point
      – Use CORRECT and ACCURATE information. Do not guess.

40. Otherwise…
    • The signal-to-noise ratio is horrendous
    This entire section is total junk and incorrect data

41. Social Engineering
    • I will not pretend that neuro-linguistics has gotten me past some serious security measures.
      – However, a fake accent did get ri0t and I quite a few drinks in Vegas.
    • How does it work?
      – You appeal to a person's sensibility and logic.

42. Seriously though, what does SE get us?
    • It gets us physical access to a location to actually DO the CD/USB drop
    • If the target is in a shared office location, hang out in the smokers' area.
      – Listen
      – Sniff RFID
      – Snarf bluetooth
      – Pay attention to visual layout of ID badges in case you need to fabricate one
      – Possibly tailgate a person into a secure area

43. • Become a customer/client of the target.
    • Remember, people are inherently stupid and willing to trust. Exploit this.
      – "Give them an ounce of quality lies, and you will get a pound of truth in return." - me

44. Qualify your statements and questions
    • Don't ask stupid questions that are DIRECT.
    • You will always need to fill some gaps; it's important to do this without inferring a fictional story.
    • Be knowledgeable of the subject matter at hand.
      – This means taking an interest in whatever widget you are trying to gather information about

45. Pushing in
    • So what options do I have to exploit a location using the information I have gathered?
      – CD/USB drops
      – Social Engineering
      – Client-side Attacks
      – Intranet access portals with weak user/pass combos
      – Sub-domains for test/development environments to attack via web applications to extract data
      – Complete breach of network via wireless to create a C&C

46. Wait, I just said wireless. "Techie LUsers" – let me tell you why they are your biggest problem.

47. "Why?" you ask?
    • Because they are the ones that take it upon themselves to create and fix things with only half of the 'larger picture'
    • Which, in turn, just ends up causing more problems
    • Like?

48. Rogue AP's anyone?

49. People who build "labs" at work

50. How this can cause issues
    • Vast majority of 'labs' are default passwords
    • Rogue AP's lack strong encryption or any at all
    • A shared password used over an open wifi connection
    • Unused accounts with the "default P@ssw0rd!"
51. How is this remedied?
    • Strengthen your policies
    • Educate users
    • Educate users (yes, that's twice on purpose)
    • Self audit
      – Old machine accounts in AD
      – Maintenance (service) accounts
      – Accounts that have never been used
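A starting point for the three self-audit items above, as an added example and not part of the talk. It assumes the ActiveDirectory PowerShell module (RSAT) on a domain-joined host with read access to the directory, and the 90-day inactivity threshold is an assumption chosen here.

```powershell
# Added example: stale/unused account audit for the "Self audit" slide.
# Assumes the ActiveDirectory module; the 90-day threshold is an assumption.
Import-Module ActiveDirectory

$Threshold = (Get-Date).AddDays(-90)

# 1. Old machine accounts: enabled computers that have not authenticated
#    within the threshold. LastLogonDate is derived from lastLogonTimestamp,
#    which replicates with up to ~14 days of lag, so treat it as approximate.
$StaleComputers = Get-ADComputer -Filter 'Enabled -eq $true' `
    -Properties LastLogonDate, OperatingSystem |
    Where-Object { $_.LastLogonDate -and $_.LastLogonDate -lt $Threshold } |
    Select-Object Name, OperatingSystem, LastLogonDate

# 2. Maintenance (service) accounts: enabled users carrying an SPN, or whose
#    password never expires. Each needs an owner and a password-age review.
$ServiceAccounts = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties ServicePrincipalName, PasswordNeverExpires, PasswordLastSet |
    Where-Object { $_.ServicePrincipalName -or $_.PasswordNeverExpires } |
    Select-Object SamAccountName, PasswordNeverExpires, PasswordLastSet

# 3. Accounts that have never been used: enabled users with no recorded
#    logon at all (the "default P@ssw0rd!" accounts from the previous slide).
$NeverUsed = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties LastLogonDate, whenCreated |
    Where-Object { -not $_.LastLogonDate } |
    Select-Object SamAccountName, whenCreated

# Summary counts, then one CSV per finding type for review and sign-off.
"Stale computers:     {0}" -f @($StaleComputers).Count
"Service accounts:    {0}" -f @($ServiceAccounts).Count
"Never-used accounts: {0}" -f @($NeverUsed).Count

$StaleComputers  | Export-Csv -NoTypeInformation .\stale-computers.csv
$ServiceAccounts | Export-Csv -NoTypeInformation .\service-accounts.csv
$NeverUsed       | Export-Csv -NoTypeInformation .\never-used-accounts.csv

# Only after review, per account: Disable-ADAccount -Identity <SamAccountName>
```

Disable rather than delete on the first pass, so a machine or service account that turns out to be in use can be re-enabled without rebuilding it.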
52. In conclusion
    • Try harder
    • Enable yourself and your staff
      – Come to local hacker meetings
      – We will gladly show you stuff
    • No such thing as a stupid question.
      – Just stupid people that don't ask questions.

53. Any questions that relate to the actual topic?
    • I like to eat steak cooked medium rare
    • I have two cats, a dog, a planted aquarium and an entire school of carnivorous fish
    • My favorite color is clear
    • Etc…

54. Errata
    Email:
    Twitter: @seanwayne