When your job is to act as a malicious attacker on a daily basis for the good of helping organizations, you can’t help but wonder “What if I decided to embrace the evil within?” What if one day I woke up evil? Every day as a pentester, I compromise organizations through a variety of ways. If I were to wake up one day and decide to completely throw my ethics out the window, how profitable could I be, and could I avoid getting caught? In this talk I will walk through a detailed methodology about how I personally would go about exploiting organizations for fun and profit, this time not under the “white hat.” Non-attribution, target acquisition, exploitation, and profitization will be the focal points. Blue teamers will get a peek into the mindset of a dedicated attacker. Red teamers will learn a few new techniques for their attack methodologies.

1. FA D E F R O M W H I T E H AT…
T O B L A C K
B E A U B U L L O C K

2. “Everyone is a moon and has a dark side which he never
shows to anybody”
~ Mark Twain

3. K E Y F O C A L P O I N T S
• Non-attribution
• Target Acquisition
• Reconnaissance
• Exploitation
• Profitization

4. W H O A M I
• Beau Bullock
• Pentester at Black Hills Information Security
• Host of Hack Naked TV
• Previously an enterprise defender
• OSCP, GXPN, GPEN, GCIH, GCFA, OSWP, & GSEC

5. S I D E N O T E

6. 2 0 1 4

7. I N T W O Y E A R S S I N C E T H E N I ’ V E …
• Performed Pentests against 70 different companies
• Recorded 20 Hack Naked TV episodes
• Spoke at three different security conferences
• Wrote eight blog posts
• …now adding keynote to the list

8. Enough about me

9. N O N - AT T R I B U T I O N

11. D R E A D P I R AT E R O B E R T S ( D P R )
• How Ross Ulbricht got caught = Really bad OPSEC
• Boasted about creating an “economic simulation” on LinkedIn
• Put his real face on fake ID’s used to purchase servers
• Asked for advice on Stack Overflow about coding Silk Road
• Hired an undercover cop to perform a “hit” for him
• TOR IP Publishing leak - Leaked Silk Road’s actual IP
• Accessed Silk Road from Café half a block from residence

12. D E S I G N W I T H O P S E C I N M I N D
• Let’s try to avoid DPR’s mistakes
• Don’t trust humans
• Build attack infrastructure with the most important
element being OPSEC
• Maintain anonymity in both the real and digital
worlds

13. N O N - AT T R I B U TA B L E S E T U P
• Necessities (rebuilt from scratch for each job)
• A laptop to work from
• Internet
• VPN/proxies
• CnC and attack servers
• Non-attributable currency (i.e. Bitcoin, pre-paid VISA’s)

14. L A P T O P P U R C H A S E

15. I N T E R N E T
• Free WiFi at coffee shops, hotels, or my favorite…
apartment complexes
• Greater than 50 miles from residence
• Never bring residence into circumference

16. N O T O P S E C S A F E

17. A B I T M O R E O P S E C S A F E

18. AT TA C K A R C H I T E C T U R E S E T U P
• Never directly attacking an organization
• Will need multiple virtual private servers (VPS)
• In order to be non-attributable we will need a few
things:
• Alternate identities
• Currency (Bitcoin, pre-paid VISA, etc.)

19. B U Y B I T C O I N F O R C A S H

20. V P S F O R B I T C O I N

21. P R I M A RY AT TA C K S Y S T E M S
• VPS Network 1
• VPN server
• Management server
• Password cracking server
• VPS Network 2
• Primary attack server
• Command and Control server

22. C O N N E C T I V I T Y
• VPN from base camp to VPS network 1
• SSH/RDP to management server
• Route all traffic from management server through TOR
• SSH from management server to VPS network 2 hosts

23. N O N - AT T R I B U T I O N D I A G R A M

24. 1. Live-booted off USB to Linux
2. Connected to free WiFi
3. VPN’d to VPS net 1
4. VNC to management server in VPS net 1
5. Route all traffic from management server through TOR
6. SSH from management server over TOR to
attack server in VPS net 2
7. Mandatory Caffeination

25. TA R G E T A C Q U I S I T I O N

26. M O T I VAT I O N
• Easy Targets
• High Profile Targets
• Contracted Targets
• Vengeance

27. E A S Y TA R G E T S
• Shodan - Unauthenticated VNC Servers

28. E A S Y TA R G E T S
• Shodan - Vulnerable Services

29. H I G H P R O F I L E TA R G E T S

30. C O N T R A C T E D TA R G E T S

31. V E N G E A N C E

32. R E C O N N A I S S A N C E

33. I N F O R M AT I O N D I S C L O S U R E
• Organization’s username structure
• Credentials in previous breaches
• External network ranges

34. M I N I M I Z E T H E N O I S E
• Use sites like Shodan and Censys to discover open
ports on the target’s systems
• Again, look for low hanging fruit
• Locate external login portals (we’ll get to why these
are important shortly)

35. E X P L O I TAT I O N

36. AT TA C K 1 - C R E D E N T I A L R E U S E
• How can we exploit credential reuse on personal
accounts?

37. AT TA C K 1 - C R E D E N T I A L R E U S E
• Publicly Compromised accounts

38. AT TA C K 1 - C R E D E N T I A L R E U S E
• Pipl - locate employees based off their email address

39. AT TA C K 1 - C R E D E N T I A L R E U S E
• Attempt to login to their corporate account using the
creds recovered from previous breach

40. AT TA C K 2 - PA S S W O R D S P R AY I N G

41. AT TA C K 2 - PA S S W O R D S P R AY I N G
• FOCA

42. AT TA C K 2 - PA S S W O R D S P R AY I N G

43. AT TA C K 3 - P H I S H I N G
• The “golden ticket” to pretty much any network
• Two types of phishing
• Credential gathering
• System compromise

44. AT TA C K 3 - P H I S H I N G
• Credential gathering
• Clone an external login portal
• Phish users to login to gather creds
• Redirect to actual portal

45. AT TA C K 3 - P H I S H I N G
• Remote exploitation
• Word doc macros, browser exploits, etc.

46. R E M O T E A C C E S S
• VPN - is 2FA in play?
• RDP?
• Access to OWA -
• Phishing across internal accounts = win
• No physical attacks. If I can’t compromise the network
remotely I move on.

47. P O S T- E X P L O I TAT I O N
• PowerShell, and command line - no extra tools needed
• GPP
• Widespread local admin
• Insecure perms on other systems (domain users in local
admins)
• Internal password spraying
• PSexec/Mimikatz combo

48. L O O T
• Pivot to DC, dump domain hashes
• Locate vCenter servers, DB’s, etc.

49. P R O F I T I Z AT I O N

50. T U R N I N G C O M P R O M I S E I N T O C A S H
• Carder?
• Identity Theft?
• Ransomware?
• Hacktivist?

52. T H E T R I C K Y PA R T…
"It's not that we find criminals like this through cyber-
forensics. We get them in the real world when they do
something stupid, it's invariably how it works: Getting
credit cards is easy. Turning it into cash is hard.”
~ Bruce Schneier

53. T W O M A J O R P R O B L E M S
• Bitcoin is not untraceable
• Turning large amounts of Bitcoin into cash is not trivial

54. T R A C I N G B I T C O I N
• blockchain.info
• blockseer.com

55. B I T C O I N T O C A S H
• This becomes a money laundering problem

56. R I P A N D R E P L A C E
• Full teardown and removal of all testing systems
• Rebuild from scratch for next job

57. FA D I N G B A C K

58. W H Y I D O N ’ T D O T H I S
• Ethics
• Inevitability of getting caught
• Danger of entering the criminal world

59. W E C A N M A K E I T B E T T E R
• Enterprise Defenders, Pentesters, Security Engineers,
Developers, Forensicators, Network Engineers,
SysAdmins, DBA’s, etc.

60. D E F E N D E R S
• Shift focus from attribution to detection and
prevention
• Increase logging to detect when attackers are
performing attacks like password spraying
• Ensure all external login portals are using 2FA
• Increase length of password policies

61. AT TA C K E R S
• Continue to highlight the importance and value of
credentials
• Attempt to locate credential reuse across accounts
• On external assessments attempt to password spray
portals that use domain-based authentication
• Escalate internally & crack all the passwords

62. T H A N K Y O U
• beau@blackhillsinfosec.com
• beau@dafthack.com
• @dafthack