
Advanced Persistent Pentesting: Fighting Fire with Fire


  1. 1. Advanced Persistent Pentesting Fighting Fire with Fire Hacker Halted 2012 jcran n00bznet
  2. 2. @jcran• CTO Pwnie Express• QA’d largest OSS Ruby project• Penetration tester of Fortune 500 orgs• Presented at Black Hat, Defcon, SOURCE Boston, BSidesLV
  3. 3. @n00bznet• Native Floridian• Degree in Finance• In security for 10 years but started out in securities.• Wonder each day why he took that Red pill!
  4. 4. Fire with fire?• Keep the uncontrollable in a semi-controlled environment• Burn the old before something / someone else does• Creates boundaries
  5. 5. Agenda• A look at the threat landscape in 2012• Quick compromise case studies• A hard look at APT in 2012• Lessons we can take away• Not if, but when
  6. 6. PROCESS• Much of the IR data is analyzed here from published sources• Huge props to Mandiant, Trustwave, Verizon, Shadowserver, others for sharing specifics
  7. 7. Threat Landscape in 2012
  8. 8. Threat Actors• Hacktivists• Financially Motivated Attackers• State-Sponsored Attackers• Employees / Contractors / Insiders• Casual “Attackers”
  9. 9. Focus on the attacker• Attackers are people too• Attackers have a personality• Attackers have a limited set of knowledge• Attackers have less visibility on your network than you do as a defender
  10. 10. 2012 Major Breaches• Verisign “successfully and repeatedly”• Global Payments, 1.5m• Barnes & Noble• Public disclosures rarely discuss espionage • RSA, Northrop Grumman, L3, Lockheed
  11. 11. Appalling Stats• 6% self-detection of breaches in 2011, up from 2009*• Typical attack went undetected for 416 days• 100% of incidents had creds stolen*• Targeted attackers go straight for the SAM*
  12. 12. Case Studies
  13. 13. Attack Process• Phishing attack• RAT Installed• Pass-the-hash• Domain access• Exfiltration
  14. 14. Attack Process• Initial Access• RAT Installed• Pass-the-hash• Domain access• Exfiltration
  15. 15. [Figure: attack-path diagram, "ACME Enterprises Security Assessment 2009". Key: RED – Did Not Obtain / Failed; GREEN – Obtained / Success; GREY – Not Attempted / Not Attainable]
  16. 16. Attack Process• Initial Access• RAT Installed• Pass-the-hash• Domain access• Exfiltration
  17. 17. 2008 - 2011 Findings• Phishing (when in scope)• Vulnerable to Pass-the-hash• Improper network segmentation• Improper Egress filtering• Zero detection rate• Collaboration between tester & testee, but only superficial
  18. 18. “Scope?”
  19. 19. APT in 2012
  20. 20. APT• email with the subject line "2011 Recruitment Plan" / Excel spreadsheet• "We went through a domain name and password reset " - caught "even senior managers by surprise"• shut down remote access to its internal network• logged in to the VPN to gain access remotely to the corporate network.
  21. 21. APT in 2012• APT is much more likely to hang out vs Financially-motivated attackers• More interested in remaining stealthy• Likely to install multiple backdoors for persistent access
  22. 22. Breakdown• Discuss Capabilities• Discuss Testing• Discuss Detection
  23. 23. Infiltration
  24. 24. APT Infiltration• Spear Phishing • Now with better spelling • Reader, Powerpoint, Word, Excel• Compromise trusted sites or simply set up a fake domain • Browser Exploits / 3rd Party Plugins• Connectback over HTTPS
  25. 25. Infiltration Testing• SET + Metasploit• Commercial Tools • Metasploit Pro • Core Impact • Phishme / SaaS services • generally neutered attack
  26. 26. Infiltration Detection• Users• Egress Filtering - Break HTTPS & DNS at the perimeter• Monitor DNS for rogue domains• Windows event logging
  27. 27. Escalation
  28. 28. APT Escalation + Lateral Movement• Phishing lands you on a user-level workstation• You’ll need to escalate privileges to admin• You’ll probably need to bypass UAC• Now you need admin creds• Lots of handy user creds in the registry
  29. 29. Escalation & LM Testing• Metasploit / Meterpreter • getsystem • BypassUAC• Post modules by thelightcosine• Everybody loves PSExec• Everybody loves Pass the Hash
  30. 30. Escalation & LM Detection• Maybe NIDS• Windows Event Logging
  31. 31. Internal Recon
  32. 32. APT Internal Recon• Most files attackers want are on desktops or a network share or email• Permissions can be a pain, but gathering more access is easy with PTH & Token Impersonation
  33. 33. RAT Capabilities• Upload to remote server• Steal certificates• Search the hard drive for Word / PDF (sensitive words) / RDP files• Screenshot / record audio / video• Scan the local network to identify hosts• Execute commands on the infected system
  34. 34. Internal Recon Testing• Builtin tools• Meterpreter has some nice capabilities• VPN or RDP is sometimes necessary (email)
  35. 35. Internal Recon Detection• Monitor access to files• Event Logging
  36. 36. Persistence
  37. 37. APT Persistence• Remote access solutions • Two factor ups the ante, but doesn’t seem to be a major issue• Rootkits • PoisonIvy, Gh0stRAT, ZeroAccess, TDSS
  38. 38. Persistence Testing• Get a hold of some VPN Accounts, use’m• Use RDP if it’s available• Backdoor several systems using not only metasploit, but a RAT• Use a C&C Server
  39. 39. Persistence Detection• Monitor DNS • But there may be a backup domain• Endpoint - Registry or Memory Scan
  40. 40. Exfiltration
  41. 41. APT Exfiltration• 3-4 Years ago - FTP, IRC, etc• Now, beacon & exfil over HTTPS / DNS• RDP & VPN• 46% of systems didn’t have malware*• Cleaning up slackspace
  42. 42. Exfiltration Testing• Metasploit / Meterpreter Channels• Pwnie Express Pwn Plug
  43. 43. Exfiltration Detection• Ingress filter everything• Egress filter everything• Break DNS and HTTPS at the perimeter• DO NOT ALLOW outbound DNS or HTTP/HTTPS without monitoring / filtering
  44. 44. Lessons Learned
  45. 45. Lessons Learned• Focus of a pentest is on the binary result• Pentest == APT• Red Team - you should be simulating the threat• Blue Team - Structure roles so your team can focus on investigating suspicious events*• We can improve security by repeating the testing process
  46. 46. Lessons Learned• We can learn a lot from the IR data• You are fighting a constant attack. Be IR-ready• When prevention fails, rapid detection and response helps• You can monitor change on your network more effectively than anyone else
  47. 47. Lessons Learned• You should have enough prevention to buy you time for detection and reaction.• You don’t have to stop the threat entirely• Remediate in the strike zone.• OPFOR• My NFL team is awesome in practice, they only suck in the game
  48. 48. Being IR Ready• Develop overview of Enterprise Infrastructure• Centralize the Storage and Analysis of key Logs• Implement robust Logging• http://www.mandiant.com/resources/m-trends/ - MTrends 2010
  49. 49. Lessons Learned• Bejtlich: 2 goals: classify and count security incidents & measure time from detection to containment• Do you know where your sensitive data is?• If we gave you a hostname, could you tell us within a few hours whether it had sensitive data on it?*
  50. 50. Ideas...
  51. 51. Rethink the test as a product• It shouldn’t be a binary result• A stack of paper is a stack of paper• The process itself is a product• Better product => better capability• Better capability => measurably lower response times
  52. 52. Gamification• Haroon Meer introduced this idea• Gamify the test• Play cards for certain access / systems• “Collaborative Wargaming”• “Scenario Testing”
  53. 53. Pentesting => IR Training• It’s one thing to tell your target to “watch” for trouble• It’s another to actively work with and train your target• Lares, Attack Research, others?
  54. 54. Not If, But When
  55. 55. Ask
  56. 56. Counter Attack
  57. 57. Pass the Hash Pass the Hash works on more than Windows
  58. 58. Lateral Movement
  59. 59. Getting Owned
  60. 60. Not if but When!
  61. 61. • We have Infected our PC from Lab, then gave Cyber Attacker Fake ZIP Archive with his own Virus inside and the name “Georgian-Nato Agreement”.• Attacker Stole that archive and executed malicious files.• As we had access to BOT Panel, we had maintained control over his PC.• http://dea.gov.ge/uploads/CERT%20DOCS/Cyber%20Espionage.pdf
  62. 62. Take Aways• As a tester, DEMAND to work together, As a testee, DEMAND to work together• Pentests should not operate in a silo• Even if you don’t want the results, you want the capability• Adding or enhancing a capability qualifies as actionable results• Offensive capabilities lead, defensive capabilities lag
  63. 63. Further Reading• Mandiant Webinars• Penetration Testing Considered Harmful• Threat Report Collection
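
Slides 26, 39 and 43 call for monitoring DNS, and slide 41 notes that beaconing now rides over HTTPS / DNS. The following is an added example, not part of the presentation, of one way to do that: flag domains queried by very few internal hosts at machine-regular intervals. The log tuple format, the thresholds, the sample data and the function names are all assumptions made for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample DNS query log: (epoch_seconds, client_ip, queried_name).
# Hosts, names and timings are invented for illustration.
SAMPLE_LOG = [
    (t, "10.0.0.23", "updates.example-cdn.test") for t in range(0, 3600, 300)
] + [
    (t, "10.0.0.23", "www.intranet.test") for t in (5, 40, 900, 910, 2500, 3333)
] + [
    (t, "10.0.0.41", "www.intranet.test") for t in (12, 700, 705, 1900, 3000, 3100)
] + [
    (t, "10.0.0.41", "mail.intranet.test") for t in (30, 65, 1200, 1210, 2000, 3500)
]


def registered_domain(name):
    """Naive last-two-labels grouping; production code would use the Public Suffix List."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])


def find_beacons(log, min_queries=6, max_jitter=0.1, max_clients=1):
    """Return (client, domain, mean_interval) for rare domains queried at a steady interval."""
    times = defaultdict(list)    # (client, domain) -> query timestamps
    clients = defaultdict(set)   # domain -> distinct clients asking for it
    for ts, client, name in log:
        dom = registered_domain(name)
        times[(client, dom)].append(ts)
        clients[dom].add(client)

    hits = []
    for (client, dom), stamps in times.items():
        # Skip domains with too little data or that many hosts legitimately use.
        if len(stamps) < min_queries or len(clients[dom]) > max_clients:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Coefficient of variation near 0 means timer-driven, not human, lookups.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((client, dom, avg))
    return sorted(hits)


if __name__ == "__main__":
    for client, dom, interval in find_beacons(SAMPLE_LOG):
        print(f"{client} queries {dom} every ~{interval:.0f}s")
```

Because slide 39 warns that there may be a backup domain, a hit is a lead for endpoint inspection of the querying host rather than a reason to block one name and stop.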
