SlideShare une entreprise Scribd logo

Red Team: Emulating Advanced Adversaries in Cyberspace

Don Anto
Don Anto

Red Team: Emulating Advanced Adversaries in Cyberspace

Services
1  sur  9
Télécharger pour lire hors ligne
RED TEAMING: EMULATING ADVANCED ADVERSARIES IN CYBERSPACE CDEF meetup 4th - Atik Pilihanto
Red Team Phases = Attack Kill Chains Initial Recon Weaponize Exploit Control Escalate Internal Recon Complete Research targeted organization and determine vectors to attack Stage attack infrastructures: C&C, fake page, exploits, simulated malwares Deliver the exploit (web, servers, social engineering, physical) to obtain initial foothold Compromise service accounts, helpdesk and/or domain administrator Install simulated malware to facilitate C&C, information gathering to escalate access, maintain presence Lateral movement and gathering more information of Red Team objectives Compromise systems or credentials associated with the objective. Complete the objectives
Initial Recon ■ Lets start with researching the targeted organization and determining vectors to attack. ■ Employee names, employee emails, employee phone numbers, employee roles, screenshot of employee’s computers (e.g., social media, search engine, hunter.io) ■ Recent company events (e.g., official company website) ■ Disclosed credentials in breaches (e.g., your own private repo!, pwnedlist?) – crack and/or utilize these credentials ■ Intentionally/unintentionally published corporate application source codes (e.g., github) ■ Network blocks, domains, subdomains, IP addresses, exposed ports, web applications (e.g., shodanhq, censysio, census_2012, whois, robtex and so forth) ■ Some activities can be scripted – Recon-ng, theharvester, EyeWitness, SpiderFoot, Maltego, etc ■ How’s about advanced adversaries?
Weaponize ■ Now you have the target detail, continue to stage attack infrastructures: C&C, fake page, exploits, simulated malwares! ■ C&C Infra to receive command & control traffic after compromise – Commonly used: HTTP, DNS, HTTPS (preferable, do not used default cert) – Simple redirector (e.g., iptables NAT), reverse proxy, domain fronting (AWS, Azure, etc) – Domain vs IP – categorized expired domain (e.g., expired domains in education) – CatMyFish, expireddommains.net, sitereview.bluecoat.com – Determine your malleable-c2 profile – Twitter, Gmail (e.g., twittor, gcat, gdog), etc ■ Fake web page to host social engineering stuffs – Domains – convincing domain name vs punycode vs categorized expired domain – To host a website to harvest credentials – To host payloads – HTA, ClickOnce, macro-enabled document/sheet, DDE document/sheet, malicious JAR, malicious applet etc – sometime victims even voluntarily opening password-protected document. – Obfuscate payload? (e.g., HTA obfuscation – demiguise nccgroup, morphHTA) ■ Exploits and simulated malwares – The exploit used to deliver attacks e.g., weaponized macro-enabled document, web page equipped with HTA, etc – Simulated malware – as the 2nd stage malware ■ Commonly used during a red team engagement – veiled metasploit payload, Empire, cobaltstrike ■ How’s about advanced adversaries?
Exploit ■ We have everything ready, now deliver the exploit (public applications, public servers, social engineering, physical) to obtain initial foothold ■ Public servers vulnerabilities – e.g. default password in administrative services, RCE to compromise the server ■ Web application vulnerabilities – e.g. SQL injection with DBA privilege, OS command injection ■ OK – those two vulnerabilities above seem to not make sense in mature cyber environment, but sometime being a shortcut ■ Social Engineering: most commonly used by adversaries is email – email vs phone? – Harvesting credentials – email must reach victim mailbox – bypass mail gateway, sandboxing, isolation – Web to harvest credential must bypass proxy (web filtering), sandboxing, isolation – victim must be convinced enough. ■ Credential harvested: Email, VPN, Citrix, or? ■ How’s about 2FA? (e.g., soft token with seed file, such as .sdtid file) ■ How’s about endpoint checker to join VPN? (see here for example: http://kolbi.cz/blog/?p=114) – Remote Code Execution – email must reach victim mailbox (attach or URL?) – bypass mail gateway, sandboxing, isolation – victim must be convinced enough to follow – the RCE payload should be able to bypass endpoint protection – even after bypassing EPP/EDR the C&C traffic must be able to bypass network/web filtering – 0day exploits during engagement? Depends on how you defined 0day – but most likely doesn’t make any sense. Well, even a 0day must be able to bypass all those mentioned perimeters otherwise you just gave away your 0day to another security vendor ■ In case remote attacks failure? Some made a hype of break-in physically. Ok, attempts to break in physically VS Simulated compromise (insider involvement) ■ How’s about advanced adversaries?
Control ■ Now you have the network access either through VPN or the RCE. Now, aim to install the simulated malware (if you haven’t) to facilitate C&C, maintain presence, and information gathering to escalate access. ■ Your initial compromise is a Windows or Non-Windows? Is the system in the domain or no? – most of the cases, social engineering victims were Windows & joined to the domain. ■ OK, we’ll focus with an initial compromise on a Windows workstation joined to the Windows domain – which is most of the case in a corporate network, other scenarios? Let’s have another session. ■ Simulated malware: to runs only on memory or drop a file to hard drive? ■ How to be persistence? Autorun registries, schedule task, windows services, etc? ■ Exploring the first compromised machine – processes, endpoint protections, local users, local group, group memberships, etc? – If any high privileged domain users ever logged in? Event Log ID 4624, C:Users ■ Start exploring the windows domain: domain users, domain groups, hosts joined to the domain, trust relation between domain/forest, membership of sensitive groups, etc? ■ Some tools to help: Windows CLI (such as net, tasklist, etc), PowerSploit, BloodHound, PS Get-EventLog, CobaltStrike aggressor script ■ Tools to help evading detection: Invoke-DOSfucation, Invoke-Obfucation, Invoke-CradleCrafter ■ Post compromise, be careful with “big name” MSSP ■ How’s about advanced adversaries?
Escalate ■ Now we have information about the network, Lets escalate - Compromise service accounts, helpdesk and/or domain administrator ■ Local Escalation VS Domain Escalation? ■ Local Escalation – In some cases local escalation is not necessary – minimize risk being detected. – Escalation required to dump credentials e.g., mimikatz ■ Domain Escalation – MS14-025 Group Policy Preference Password – vulnerability against KB2962486 – MS14-068 Kerberos Vulnerability – vulnerability against KB3011780 – Kerberoasting – requires an event with ID 4769 – SQL server with weak password – File/folder sharing – Vulnerable JBOSS, Windows Exploit such as ms17-010, ms10-061, ms08-067 – Local Administrator Pivot (WMI/psexec/WinRM,DCOM) (if Red Team has possession to privileged user) – Obfuscated Mimikatz ■ Once domain admin compromised, collect all domain admins’ username & password, obtain plaintext or crack the NTLM hash ■ Some tools to help: PowerSploit (e.g., PowerView Get-GPPPassword, Invoke-FileFinder; PowerUp Allchecks), PowerUpSQL, Invoke- AutoKerberoast, Mimikatz, Proxychains, Jboss scanner, metasploit ■ How’s about advanced adversaries?
Internal Recon ■ Now you have the key to the kingdom! Lets look for the target objectives, key person managed those systems, lateral movement and gathering more information. ■ The objective can be within the domain but on a strictly filtered network segment. The objective system is also possibly outside the domain/different domain on a strictly filtered network segment. – Intranet portal such as Sharepoint, Jira, Wiki? (if any) – this can be a gold mine to look for the target – Who’s responsible for the target systems? – What process is likely associated? – Determine whether or not there’s “jump host” servers? – What is the systems (e.g., Unix, Linux, Mainframe, Web App, etc) – File/folder sharing associated with systems of interest ■ Lateral movement to systems of interest using privileged accounts that has been compromised during escalation (WMI/WinRM/ DCOM/psexec) – e.g., workstation of employee who is responsible to target systems, compromise “jump host” servers, etc ■ Some tools to help: Proxychains, PowerSploit PowerView (e.g., Invoke-UserHunter, Invoke-ProcessHunter, Invoke-FileFinder), Invoke-SessionGopher, Key Logger, BrowserGather.ps1 ■ How’s about advanced adversaries?
Complete ■ Once the target has been determined and credentials have been obtained, complete missions of the Red Team e.g.,: – Access the system or web application – Doing certain transactions, modify configuration, add admin users, or financial transactions – Exfiltrate data or information ■ Some obstacles: – DLP? – 2FA? – etc

Recommandé

Dracos forensic flavor
Dracos forensic flavorDracos forensic flavor
Dracos forensic flavorSatria Ady Pradana
 
WordPress Security - WordCamp phoenix 2013
WordPress Security - WordCamp phoenix 2013 WordPress Security - WordCamp phoenix 2013
WordPress Security - WordCamp phoenix 2013 Dre Armeda
 
HackMiami-Final
HackMiami-FinalHackMiami-Final
HackMiami-FinalStephan Borosh
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X WayStephan Borosh
 
Detection of webshells in compromised perimeter assets using ML algorithms
Detection of webshells in compromised perimeter assets using ML algorithms Detection of webshells in compromised perimeter assets using ML algorithms
Detection of webshells in compromised perimeter assets using ML algorithms Rod Soto
 
Bsides-Philly-2016-Finding-A-Companys-BreakPoint
Bsides-Philly-2016-Finding-A-Companys-BreakPointBsides-Philly-2016-Finding-A-Companys-BreakPoint
Bsides-Philly-2016-Finding-A-Companys-BreakPointZack Meyers
 
Understanding advanced persistent threats (APT)
Understanding advanced persistent threats (APT)Understanding advanced persistent threats (APT)
Understanding advanced persistent threats (APT)Dan Morrill
 
Modern Red Teaming - subverting mature defenses on a budget
Modern Red Teaming - subverting mature defenses on a budgetModern Red Teaming - subverting mature defenses on a budget
Modern Red Teaming - subverting mature defenses on a budgetmatt806068
 

Recommandé

Dracos forensic flavor
Dracos forensic flavorDracos forensic flavor
Dracos forensic flavorSatria Ady Pradana
 
WordPress Security - WordCamp phoenix 2013
WordPress Security - WordCamp phoenix 2013 WordPress Security - WordCamp phoenix 2013
WordPress Security - WordCamp phoenix 2013 Dre Armeda
 
HackMiami-Final
HackMiami-FinalHackMiami-Final
HackMiami-FinalStephan Borosh
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X WayStephan Borosh
 
Detection of webshells in compromised perimeter assets using ML algorithms
Detection of webshells in compromised perimeter assets using ML algorithms Detection of webshells in compromised perimeter assets using ML algorithms
Detection of webshells in compromised perimeter assets using ML algorithms Rod Soto
 
Bsides-Philly-2016-Finding-A-Companys-BreakPoint
Bsides-Philly-2016-Finding-A-Companys-BreakPointBsides-Philly-2016-Finding-A-Companys-BreakPoint
Bsides-Philly-2016-Finding-A-Companys-BreakPointZack Meyers
 
Understanding advanced persistent threats (APT)
Understanding advanced persistent threats (APT)Understanding advanced persistent threats (APT)
Understanding advanced persistent threats (APT)Dan Morrill
 
Modern Red Teaming - subverting mature defenses on a budget
Modern Red Teaming - subverting mature defenses on a budgetModern Red Teaming - subverting mature defenses on a budget
Modern Red Teaming - subverting mature defenses on a budgetmatt806068
 
SOHOpelessly Broken
SOHOpelessly BrokenSOHOpelessly Broken
SOHOpelessly BrokenThe Security of Things Forum
 
Advanced Persistent Threats
Advanced Persistent ThreatsAdvanced Persistent Threats
Advanced Persistent ThreatsESET
 
Cyber threat-hunting---part-2-25062021-095909pm
Cyber threat-hunting---part-2-25062021-095909pmCyber threat-hunting---part-2-25062021-095909pm
Cyber threat-hunting---part-2-25062021-095909pmMuhammadJalalShah1
 
ETHICAL HACKING
ETHICAL HACKING ETHICAL HACKING
ETHICAL HACKING Sweta Leena Panda
 
Hack Attack! An Introduction to Penetration Testing
Hack Attack! An Introduction to Penetration TestingHack Attack! An Introduction to Penetration Testing
Hack Attack! An Introduction to Penetration TestingSteve Phillips
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 
Analisis Estatico y de Comportamiento de un Binario Malicioso
Analisis Estatico y de Comportamiento de un Binario MaliciosoAnalisis Estatico y de Comportamiento de un Binario Malicioso
Analisis Estatico y de Comportamiento de un Binario MaliciosoConferencias FIST
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombRIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombPriyanka Aash
 
Computer security
Computer securityComputer security
Computer securityMohamed Abdo
 
technical-information-gathering-slides.pdf
technical-information-gathering-slides.pdftechnical-information-gathering-slides.pdf
technical-information-gathering-slides.pdfMarceloCunha571649
 
Cambodia CERT Seminar: Incident response for ransomeware attacks
Cambodia CERT Seminar: Incident response for ransomeware attacksCambodia CERT Seminar: Incident response for ransomeware attacks
Cambodia CERT Seminar: Incident response for ransomeware attacksAPNIC
 
BSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability ManagementBSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability ManagementAndrew McNicol
 
BSides Philly Finding a Company's BreakPoint
BSides Philly Finding a Company's BreakPointBSides Philly Finding a Company's BreakPoint
BSides Philly Finding a Company's BreakPointAndrew McNicol
 
Infrastructure Tracking with Passive Monitoring and Active Probing: ShmooCon ...
Infrastructure Tracking with Passive Monitoring and Active Probing: ShmooCon ...Infrastructure Tracking with Passive Monitoring and Active Probing: ShmooCon ...
Infrastructure Tracking with Passive Monitoring and Active Probing: ShmooCon ...OpenDNS
 
Web hacking 1.0
Web hacking 1.0Web hacking 1.0
Web hacking 1.0Q Fadlan
 
Continuous Automated Red Teaming (CART) - Bikash Barai
Continuous Automated Red Teaming (CART) - Bikash BaraiContinuous Automated Red Teaming (CART) - Bikash Barai
Continuous Automated Red Teaming (CART) - Bikash BaraiAllanGray11
 
BSidesJXN 2016: Finding a Company's BreakPoint
BSidesJXN 2016: Finding a Company's BreakPointBSidesJXN 2016: Finding a Company's BreakPoint
BSidesJXN 2016: Finding a Company's BreakPointAndrew McNicol
 
Introduction to Offensive Security.pptx
Introduction to Offensive Security.pptxIntroduction to Offensive Security.pptx
Introduction to Offensive Security.pptxMaaitrayoDas
 
Cybersecurity: Malware & Protecting Your Business From Cyberthreats
Cybersecurity: Malware & Protecting Your Business From CyberthreatsCybersecurity: Malware & Protecting Your Business From Cyberthreats
Cybersecurity: Malware & Protecting Your Business From CyberthreatsSecureDocs
 
Anirban webappsecusa2014
Anirban webappsecusa2014Anirban webappsecusa2014
Anirban webappsecusa2014banerjeea
 
IPv6 Fundamentals & Securities
IPv6 Fundamentals & SecuritiesIPv6 Fundamentals & Securities
IPv6 Fundamentals & SecuritiesDon Anto
 
Network & Computer Forensic
Network & Computer Forensic Network & Computer Forensic
Network & Computer Forensic Don Anto
 

Contenu connexe

Similaire à Red Team: Emulating Advanced Adversaries in Cyberspace

Advanced Persistent Threats
Advanced Persistent ThreatsAdvanced Persistent Threats
Advanced Persistent ThreatsESET
 
Cyber threat-hunting---part-2-25062021-095909pm
Cyber threat-hunting---part-2-25062021-095909pmCyber threat-hunting---part-2-25062021-095909pm
Cyber threat-hunting---part-2-25062021-095909pmMuhammadJalalShah1
 
Hack Attack! An Introduction to Penetration Testing
Hack Attack! An Introduction to Penetration TestingHack Attack! An Introduction to Penetration Testing
Hack Attack! An Introduction to Penetration TestingSteve Phillips
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 
Analisis Estatico y de Comportamiento de un Binario Malicioso
Analisis Estatico y de Comportamiento de un Binario MaliciosoAnalisis Estatico y de Comportamiento de un Binario Malicioso
Analisis Estatico y de Comportamiento de un Binario MaliciosoConferencias FIST
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombRIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombPriyanka Aash
 
technical-information-gathering-slides.pdf
technical-information-gathering-slides.pdftechnical-information-gathering-slides.pdf
technical-information-gathering-slides.pdfMarceloCunha571649
 
Cambodia CERT Seminar: Incident response for ransomeware attacks
Cambodia CERT Seminar: Incident response for ransomeware attacksCambodia CERT Seminar: Incident response for ransomeware attacks
Cambodia CERT Seminar: Incident response for ransomeware attacksAPNIC
 
BSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability ManagementBSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability ManagementAndrew McNicol
 
BSides Philly Finding a Company's BreakPoint
BSides Philly Finding a Company's BreakPointBSides Philly Finding a Company's BreakPoint
BSides Philly Finding a Company's BreakPointAndrew McNicol
 
Infrastructure Tracking with Passive Monitoring and Active Probing: ShmooCon ...
Infrastructure Tracking with Passive Monitoring and Active Probing: ShmooCon ...Infrastructure Tracking with Passive Monitoring and Active Probing: ShmooCon ...
Infrastructure Tracking with Passive Monitoring and Active Probing: ShmooCon ...OpenDNS
 
Web hacking 1.0
Web hacking 1.0Web hacking 1.0
Web hacking 1.0Q Fadlan
 
Continuous Automated Red Teaming (CART) - Bikash Barai
Continuous Automated Red Teaming (CART) - Bikash BaraiContinuous Automated Red Teaming (CART) - Bikash Barai
Continuous Automated Red Teaming (CART) - Bikash BaraiAllanGray11
 
BSidesJXN 2016: Finding a Company's BreakPoint
BSidesJXN 2016: Finding a Company's BreakPointBSidesJXN 2016: Finding a Company's BreakPoint
BSidesJXN 2016: Finding a Company's BreakPointAndrew McNicol
 
Introduction to Offensive Security.pptx
Introduction to Offensive Security.pptxIntroduction to Offensive Security.pptx
Introduction to Offensive Security.pptxMaaitrayoDas
 
Cybersecurity: Malware & Protecting Your Business From Cyberthreats
Cybersecurity: Malware & Protecting Your Business From CyberthreatsCybersecurity: Malware & Protecting Your Business From Cyberthreats
Cybersecurity: Malware & Protecting Your Business From CyberthreatsSecureDocs
 
Anirban webappsecusa2014
Anirban webappsecusa2014Anirban webappsecusa2014
Anirban webappsecusa2014banerjeea
 

Similaire à Red Team: Emulating Advanced Adversaries in Cyberspace (20)

SOHOpelessly Broken
SOHOpelessly BrokenSOHOpelessly Broken
SOHOpelessly Broken
 
Advanced Persistent Threats
Advanced Persistent ThreatsAdvanced Persistent Threats
Advanced Persistent Threats
 
Cyber threat-hunting---part-2-25062021-095909pm
Cyber threat-hunting---part-2-25062021-095909pmCyber threat-hunting---part-2-25062021-095909pm
Cyber threat-hunting---part-2-25062021-095909pm
 
ETHICAL HACKING
ETHICAL HACKING ETHICAL HACKING
ETHICAL HACKING
 
Hack Attack! An Introduction to Penetration Testing
Hack Attack! An Introduction to Penetration TestingHack Attack! An Introduction to Penetration Testing
Hack Attack! An Introduction to Penetration Testing
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
 
Analisis Estatico y de Comportamiento de un Binario Malicioso
Analisis Estatico y de Comportamiento de un Binario MaliciosoAnalisis Estatico y de Comportamiento de un Binario Malicioso
Analisis Estatico y de Comportamiento de un Binario Malicioso
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombRIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob Holcomb
 
Computer security
Computer securityComputer security
Computer security
 
technical-information-gathering-slides.pdf
technical-information-gathering-slides.pdftechnical-information-gathering-slides.pdf
technical-information-gathering-slides.pdf
 
Cambodia CERT Seminar: Incident response for ransomeware attacks
Cambodia CERT Seminar: Incident response for ransomeware attacksCambodia CERT Seminar: Incident response for ransomeware attacks
Cambodia CERT Seminar: Incident response for ransomeware attacks
 
BSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability ManagementBSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability Management
 
BSides Philly Finding a Company's BreakPoint
BSides Philly Finding a Company's BreakPointBSides Philly Finding a Company's BreakPoint
BSides Philly Finding a Company's BreakPoint
 
Infrastructure Tracking with Passive Monitoring and Active Probing: ShmooCon ...
Infrastructure Tracking with Passive Monitoring and Active Probing: ShmooCon ...Infrastructure Tracking with Passive Monitoring and Active Probing: ShmooCon ...
Infrastructure Tracking with Passive Monitoring and Active Probing: ShmooCon ...
 
Web hacking 1.0
Web hacking 1.0Web hacking 1.0
Web hacking 1.0
 
Continuous Automated Red Teaming (CART) - Bikash Barai
Continuous Automated Red Teaming (CART) - Bikash BaraiContinuous Automated Red Teaming (CART) - Bikash Barai
Continuous Automated Red Teaming (CART) - Bikash Barai
 
BSidesJXN 2016: Finding a Company's BreakPoint
BSidesJXN 2016: Finding a Company's BreakPointBSidesJXN 2016: Finding a Company's BreakPoint
BSidesJXN 2016: Finding a Company's BreakPoint
 
Introduction to Offensive Security.pptx
Introduction to Offensive Security.pptxIntroduction to Offensive Security.pptx
Introduction to Offensive Security.pptx
 
Cybersecurity: Malware & Protecting Your Business From Cyberthreats
Cybersecurity: Malware & Protecting Your Business From CyberthreatsCybersecurity: Malware & Protecting Your Business From Cyberthreats
Cybersecurity: Malware & Protecting Your Business From Cyberthreats
 
Anirban webappsecusa2014
Anirban webappsecusa2014Anirban webappsecusa2014
Anirban webappsecusa2014
 

Plus de Don Anto

IPv6 Fundamentals & Securities
IPv6 Fundamentals & SecuritiesIPv6 Fundamentals & Securities
IPv6 Fundamentals & SecuritiesDon Anto
 
Network & Computer Forensic
Network & Computer Forensic Network & Computer Forensic
Network & Computer Forensic Don Anto
 
BGP Vulnerability
BGP VulnerabilityBGP Vulnerability
BGP VulnerabilityDon Anto
 
Web & Wireless Hacking
Web & Wireless HackingWeb & Wireless Hacking
Web & Wireless HackingDon Anto
 
Spying The Wire
Spying The WireSpying The Wire
Spying The WireDon Anto
 
Distributed Cracking
Distributed CrackingDistributed Cracking
Distributed CrackingDon Anto
 
Deep Knowledge on Network Hacking Philosopy
Deep Knowledge on Network Hacking PhilosopyDeep Knowledge on Network Hacking Philosopy
Deep Knowledge on Network Hacking PhilosopyDon Anto
 

Plus de Don Anto (7)

IPv6 Fundamentals & Securities
IPv6 Fundamentals & SecuritiesIPv6 Fundamentals & Securities
IPv6 Fundamentals & Securities
 
Network & Computer Forensic
Network & Computer Forensic Network & Computer Forensic
Network & Computer Forensic
 
BGP Vulnerability
BGP VulnerabilityBGP Vulnerability
BGP Vulnerability
 
Web & Wireless Hacking
Web & Wireless HackingWeb & Wireless Hacking
Web & Wireless Hacking
 
Spying The Wire
Spying The WireSpying The Wire
Spying The Wire
 
Distributed Cracking
Distributed CrackingDistributed Cracking
Distributed Cracking
 
Deep Knowledge on Network Hacking Philosopy
Deep Knowledge on Network Hacking PhilosopyDeep Knowledge on Network Hacking Philosopy
Deep Knowledge on Network Hacking Philosopy
 

Dernier

Call Girls In Lahore || 03274100048 ||Lahore Call Girl Available 24/7
Call Girls In Lahore || 03274100048 ||Lahore Call Girl Available 24/7Call Girls In Lahore || 03274100048 ||Lahore Call Girl Available 24/7
Call Girls In Lahore || 03274100048 ||Lahore Call Girl Available 24/7Sana Rajpoot
 
Call Girls in Rawalpindi | 🍆💦 03280288848
Call Girls in Rawalpindi | 🍆💦 03280288848Call Girls in Rawalpindi | 🍆💦 03280288848
Call Girls in Rawalpindi | 🍆💦 03280288848Ifra Zohaib
 
Mysore Call girl service 6289102337 Mysore escort service
Mysore Call girl service 6289102337 Mysore escort serviceMysore Call girl service 6289102337 Mysore escort service
Mysore Call girl service 6289102337 Mysore escort servicemaheshsingh64440
 
Call Now ☎9870417354|| Call Girls in Noida Sector 18 Escort Service Noida N.C.R.
Call Now ☎9870417354|| Call Girls in Noida Sector 18 Escort Service Noida N.C.R.Call Now ☎9870417354|| Call Girls in Noida Sector 18 Escort Service Noida N.C.R.
Call Now ☎9870417354|| Call Girls in Noida Sector 18 Escort Service Noida N.C.R.riyadelhic riyadelhic
 
Girls For Night in Islamabad | 03274100048 🔞
Girls For Night in Islamabad | 03274100048 🔞Girls For Night in Islamabad | 03274100048 🔞
Girls For Night in Islamabad | 03274100048 🔞Ifra Zohaib
 
Best VIP Call Girl Noida Sector 48 Call Me: 8700611579
Best VIP Call Girl Noida Sector 48 Call Me: 8700611579Best VIP Call Girl Noida Sector 48 Call Me: 8700611579
Best VIP Call Girl Noida Sector 48 Call Me: 8700611579diyaspanoida
 
9999266834 Call Girls In Noida Sector 37 (Delhi) Call Girl Service
9999266834 Call Girls In Noida Sector 37 (Delhi) Call Girl Service9999266834 Call Girls In Noida Sector 37 (Delhi) Call Girl Service
9999266834 Call Girls In Noida Sector 37 (Delhi) Call Girl Servicenishacall1
 
Lucknow ❣️ Call Girl 97487*63073 Call Girls in Lucknow Escort service book now
Lucknow ❣️ Call Girl 97487*63073 Call Girls in Lucknow Escort service book nowLucknow ❣️ Call Girl 97487*63073 Call Girls in Lucknow Escort service book now
Lucknow ❣️ Call Girl 97487*63073 Call Girls in Lucknow Escort service book nowapshanarani255
 
Bhopal Call girl service 6289102337 bhopal escort service
Bhopal Call girl service 6289102337 bhopal escort serviceBhopal Call girl service 6289102337 bhopal escort service
Bhopal Call girl service 6289102337 bhopal escort servicemaheshsingh64440
 
Call Girls in Karachi || 03274100048 || 50+ Hot Sexy Girls Available 24/7
Call Girls in Karachi || 03274100048 || 50+ Hot Sexy Girls Available 24/7Call Girls in Karachi || 03274100048 || 50+ Hot Sexy Girls Available 24/7
Call Girls in Karachi || 03274100048 || 50+ Hot Sexy Girls Available 24/7Sana Rajpoot
 
9999266834 Call Girls In Noida Sector 18 (Delhi) Call Girl Service
9999266834 Call Girls In Noida Sector 18 (Delhi) Call Girl Service9999266834 Call Girls In Noida Sector 18 (Delhi) Call Girl Service
9999266834 Call Girls In Noida Sector 18 (Delhi) Call Girl Servicenishacall1
 
Kolkata 💋 Call Girl 9748763073 Call Girls in Kolkata Escort service book now
Kolkata 💋 Call Girl 9748763073 Call Girls in Kolkata Escort service book nowKolkata 💋 Call Girl 9748763073 Call Girls in Kolkata Escort service book now
Kolkata 💋 Call Girl 9748763073 Call Girls in Kolkata Escort service book nowapshanarani255
 
+91-9310611641 Russian Call Girls In New Delhi Independent Russian Call Girls...
+91-9310611641 Russian Call Girls In New Delhi Independent Russian Call Girls...+91-9310611641 Russian Call Girls In New Delhi Independent Russian Call Girls...
+91-9310611641 Russian Call Girls In New Delhi Independent Russian Call Girls...teencall080
 
Call Girls in B-18 Islamabad || 🔝 03274100048
Call Girls in B-18 Islamabad || 🔝 03274100048Call Girls in B-18 Islamabad || 🔝 03274100048
Call Girls in B-18 Islamabad || 🔝 03274100048Ifra Zohaib
 
JAMNAGAR CALL GIRLS 92628/71154 JAMNAGAR
JAMNAGAR CALL GIRLS 92628/71154 JAMNAGARJAMNAGAR CALL GIRLS 92628/71154 JAMNAGAR
JAMNAGAR CALL GIRLS 92628/71154 JAMNAGARNiteshKumar82226
 
Low Rate Russian Call Girls In Lajpat Nagar ➡️ 7836950116 Call Girls Service ...
Low Rate Russian Call Girls In Lajpat Nagar ➡️ 7836950116 Call Girls Service ...Low Rate Russian Call Girls In Lajpat Nagar ➡️ 7836950116 Call Girls Service ...
Low Rate Russian Call Girls In Lajpat Nagar ➡️ 7836950116 Call Girls Service ...riyasharma00119
 
Call Girls In Noida Free Ad 24/7 Hours Online Call 9310659962 Shot 2000 Night...
Call Girls In Noida Free Ad 24/7 Hours Online Call 9310659962 Shot 2000 Night...Call Girls In Noida Free Ad 24/7 Hours Online Call 9310659962 Shot 2000 Night...
Call Girls In Noida Free Ad 24/7 Hours Online Call 9310659962 Shot 2000 Night...DelhiMahipalpur
 
Indore ❣️Call Girl 97487*63073 Call Girls in Indore Escort service book now
Indore ❣️Call Girl 97487*63073 Call Girls in Indore Escort service book nowIndore ❣️Call Girl 97487*63073 Call Girls in Indore Escort service book now
Indore ❣️Call Girl 97487*63073 Call Girls in Indore Escort service book nowapshanarani255
 
Call Girls In {Connaught Place Delhi} 9667938988 IndianRussian High Profile E...
Call Girls In {Connaught Place Delhi} 9667938988 IndianRussian High Profile E...Call Girls In {Connaught Place Delhi} 9667938988 IndianRussian High Profile E...
Call Girls In {Connaught Place Delhi} 9667938988 IndianRussian High Profile E...aakahthapa70
 
Call Girls in Luxus Grand Hotel | 💋 03274100048
Call Girls in Luxus Grand Hotel | 💋 03274100048Call Girls in Luxus Grand Hotel | 💋 03274100048
Call Girls in Luxus Grand Hotel | 💋 03274100048Ifra Zohaib
 

Dernier (20)

Call Girls In Lahore || 03274100048 ||Lahore Call Girl Available 24/7
Call Girls In Lahore || 03274100048 ||Lahore Call Girl Available 24/7Call Girls In Lahore || 03274100048 ||Lahore Call Girl Available 24/7
Call Girls In Lahore || 03274100048 ||Lahore Call Girl Available 24/7
 
Call Girls in Rawalpindi | 🍆💦 03280288848
Call Girls in Rawalpindi | 🍆💦 03280288848Call Girls in Rawalpindi | 🍆💦 03280288848
Call Girls in Rawalpindi | 🍆💦 03280288848
 
Mysore Call girl service 6289102337 Mysore escort service
Mysore Call girl service 6289102337 Mysore escort serviceMysore Call girl service 6289102337 Mysore escort service
Mysore Call girl service 6289102337 Mysore escort service
 
Call Now ☎9870417354|| Call Girls in Noida Sector 18 Escort Service Noida N.C.R.
Call Now ☎9870417354|| Call Girls in Noida Sector 18 Escort Service Noida N.C.R.Call Now ☎9870417354|| Call Girls in Noida Sector 18 Escort Service Noida N.C.R.
Call Now ☎9870417354|| Call Girls in Noida Sector 18 Escort Service Noida N.C.R.
 
Girls For Night in Islamabad | 03274100048 🔞
Girls For Night in Islamabad | 03274100048 🔞Girls For Night in Islamabad | 03274100048 🔞
Girls For Night in Islamabad | 03274100048 🔞
 
Best VIP Call Girl Noida Sector 48 Call Me: 8700611579
Best VIP Call Girl Noida Sector 48 Call Me: 8700611579Best VIP Call Girl Noida Sector 48 Call Me: 8700611579
Best VIP Call Girl Noida Sector 48 Call Me: 8700611579
 
9999266834 Call Girls In Noida Sector 37 (Delhi) Call Girl Service
9999266834 Call Girls In Noida Sector 37 (Delhi) Call Girl Service9999266834 Call Girls In Noida Sector 37 (Delhi) Call Girl Service
9999266834 Call Girls In Noida Sector 37 (Delhi) Call Girl Service
 
Lucknow ❣️ Call Girl 97487*63073 Call Girls in Lucknow Escort service book now
Lucknow ❣️ Call Girl 97487*63073 Call Girls in Lucknow Escort service book nowLucknow ❣️ Call Girl 97487*63073 Call Girls in Lucknow Escort service book now
Lucknow ❣️ Call Girl 97487*63073 Call Girls in Lucknow Escort service book now
 
Bhopal Call girl service 6289102337 bhopal escort service
Bhopal Call girl service 6289102337 bhopal escort serviceBhopal Call girl service 6289102337 bhopal escort service
Bhopal Call girl service 6289102337 bhopal escort service
 
Call Girls in Karachi || 03274100048 || 50+ Hot Sexy Girls Available 24/7
Call Girls in Karachi || 03274100048 || 50+ Hot Sexy Girls Available 24/7Call Girls in Karachi || 03274100048 || 50+ Hot Sexy Girls Available 24/7
Call Girls in Karachi || 03274100048 || 50+ Hot Sexy Girls Available 24/7
 
9999266834 Call Girls In Noida Sector 18 (Delhi) Call Girl Service
9999266834 Call Girls In Noida Sector 18 (Delhi) Call Girl Service9999266834 Call Girls In Noida Sector 18 (Delhi) Call Girl Service
9999266834 Call Girls In Noida Sector 18 (Delhi) Call Girl Service
 
Kolkata 💋 Call Girl 9748763073 Call Girls in Kolkata Escort service book now
Kolkata 💋 Call Girl 9748763073 Call Girls in Kolkata Escort service book nowKolkata 💋 Call Girl 9748763073 Call Girls in Kolkata Escort service book now
Kolkata 💋 Call Girl 9748763073 Call Girls in Kolkata Escort service book now
 
+91-9310611641 Russian Call Girls In New Delhi Independent Russian Call Girls...
+91-9310611641 Russian Call Girls In New Delhi Independent Russian Call Girls...+91-9310611641 Russian Call Girls In New Delhi Independent Russian Call Girls...
+91-9310611641 Russian Call Girls In New Delhi Independent Russian Call Girls...
 
Call Girls in B-18 Islamabad || 🔝 03274100048
Call Girls in B-18 Islamabad || 🔝 03274100048Call Girls in B-18 Islamabad || 🔝 03274100048
Call Girls in B-18 Islamabad || 🔝 03274100048
 
JAMNAGAR CALL GIRLS 92628/71154 JAMNAGAR
JAMNAGAR CALL GIRLS 92628/71154 JAMNAGARJAMNAGAR CALL GIRLS 92628/71154 JAMNAGAR
JAMNAGAR CALL GIRLS 92628/71154 JAMNAGAR
 
Low Rate Russian Call Girls In Lajpat Nagar ➡️ 7836950116 Call Girls Service ...
Low Rate Russian Call Girls In Lajpat Nagar ➡️ 7836950116 Call Girls Service ...Low Rate Russian Call Girls In Lajpat Nagar ➡️ 7836950116 Call Girls Service ...
Low Rate Russian Call Girls In Lajpat Nagar ➡️ 7836950116 Call Girls Service ...
 
Call Girls In Noida Free Ad 24/7 Hours Online Call 9310659962 Shot 2000 Night...
Call Girls In Noida Free Ad 24/7 Hours Online Call 9310659962 Shot 2000 Night...Call Girls In Noida Free Ad 24/7 Hours Online Call 9310659962 Shot 2000 Night...
Call Girls In Noida Free Ad 24/7 Hours Online Call 9310659962 Shot 2000 Night...
 
Indore ❣️Call Girl 97487*63073 Call Girls in Indore Escort service book now
Indore ❣️Call Girl 97487*63073 Call Girls in Indore Escort service book nowIndore ❣️Call Girl 97487*63073 Call Girls in Indore Escort service book now
Indore ❣️Call Girl 97487*63073 Call Girls in Indore Escort service book now
 
Call Girls In {Connaught Place Delhi} 9667938988 IndianRussian High Profile E...
Call Girls In {Connaught Place Delhi} 9667938988 IndianRussian High Profile E...Call Girls In {Connaught Place Delhi} 9667938988 IndianRussian High Profile E...
Call Girls In {Connaught Place Delhi} 9667938988 IndianRussian High Profile E...
 
Call Girls in Luxus Grand Hotel | 💋 03274100048
Call Girls in Luxus Grand Hotel | 💋 03274100048Call Girls in Luxus Grand Hotel | 💋 03274100048
Call Girls in Luxus Grand Hotel | 💋 03274100048
 

Red Team: Emulating Advanced Adversaries in Cyberspace

  • 1. RED TEAMING: EMULATING ADVANCED ADVERSARIES IN CYBERSPACE CDEF meetup 4th - Atik Pilihanto
  • 2. Red Team Phases = Attack Kill Chains Initial Recon Weaponize Exploit Control Escalate Internal Recon Complete Research targeted organization and determine vectors to attack Stage attack infrastructures: C&C, fake page, exploits, simulated malwares Deliver the exploit (web, servers, social engineering, physical) to obtain initial foothold Compromise service accounts, helpdesk and/or domain administrator Install simulated malware to facilitate C&C, information gathering to escalate access, maintain presence Lateral movement and gathering more information of Red Team objectives Compromise systems or credentials associated with the objective. Complete the objectives
  • 3. Initial Recon ■ Lets start with researching the targeted organization and determining vectors to attack. ■ Employee names, employee emails, employee phone numbers, employee roles, screenshot of employee’s computers (e.g., social media, search engine, hunter.io) ■ Recent company events (e.g., official company website) ■ Disclosed credentials in breaches (e.g., your own private repo!, pwnedlist?) – crack and/or utilize these credentials ■ Intentionally/unintentionally published corporate application source codes (e.g., github) ■ Network blocks, domains, subdomains, IP addresses, exposed ports, web applications (e.g., shodanhq, censysio, census_2012, whois, robtex and so forth) ■ Some activities can be scripted – Recon-ng, theharvester, EyeWitness, SpiderFoot, Maltego, etc ■ How’s about advanced adversaries?
  • 4. Weaponize ■ Now you have the target detail, continue to stage attack infrastructures: C&C, fake page, exploits, simulated malwares! ■ C&C Infra to receive command & control traffic after compromise – Commonly used: HTTP, DNS, HTTPS (preferable, do not used default cert) – Simple redirector (e.g., iptables NAT), reverse proxy, domain fronting (AWS, Azure, etc) – Domain vs IP – categorized expired domain (e.g., expired domains in education) – CatMyFish, expireddommains.net, sitereview.bluecoat.com – Determine your malleable-c2 profile – Twitter, Gmail (e.g., twittor, gcat, gdog), etc ■ Fake web page to host social engineering stuffs – Domains – convincing domain name vs punycode vs categorized expired domain – To host a website to harvest credentials – To host payloads – HTA, ClickOnce, macro-enabled document/sheet, DDE document/sheet, malicious JAR, malicious applet etc – sometime victims even voluntarily opening password-protected document. – Obfuscate payload? (e.g., HTA obfuscation – demiguise nccgroup, morphHTA) ■ Exploits and simulated malwares – The exploit used to deliver attacks e.g., weaponized macro-enabled document, web page equipped with HTA, etc – Simulated malware – as the 2nd stage malware ■ Commonly used during a red team engagement – veiled metasploit payload, Empire, cobaltstrike ■ How’s about advanced adversaries?
  • 5. Exploit ■ We have everything ready, now deliver the exploit (public applications, public servers, social engineering, physical) to obtain initial foothold ■ Public servers vulnerabilities – e.g. default password in administrative services, RCE to compromise the server ■ Web application vulnerabilities – e.g. SQL injection with DBA privilege, OS command injection ■ OK – those two vulnerabilities above seem to not make sense in mature cyber environment, but sometime being a shortcut ■ Social Engineering: most commonly used by adversaries is email – email vs phone? – Harvesting credentials – email must reach victim mailbox – bypass mail gateway, sandboxing, isolation – Web to harvest credential must bypass proxy (web filtering), sandboxing, isolation – victim must be convinced enough. ■ Credential harvested: Email, VPN, Citrix, or? ■ How’s about 2FA? (e.g., soft token with seed file, such as .sdtid file) ■ How’s about endpoint checker to join VPN? (see here for example: http://kolbi.cz/blog/?p=114) – Remote Code Execution – email must reach victim mailbox (attach or URL?) – bypass mail gateway, sandboxing, isolation – victim must be convinced enough to follow – the RCE payload should be able to bypass endpoint protection – even after bypassing EPP/EDR the C&C traffic must be able to bypass network/web filtering – 0day exploits during engagement? Depends on how you defined 0day – but most likely doesn’t make any sense. Well, even a 0day must be able to bypass all those mentioned perimeters otherwise you just gave away your 0day to another security vendor ■ In case remote attacks failure? Some made a hype of break-in physically. Ok, attempts to break in physically VS Simulated compromise (insider involvement) ■ How’s about advanced adversaries?
  • 6. Control ■ Now you have the network access either through VPN or the RCE. Now, aim to install the simulated malware (if you haven’t) to facilitate C&C, maintain presence, and information gathering to escalate access. ■ Your initial compromise is a Windows or Non-Windows? Is the system in the domain or no? – most of the cases, social engineering victims were Windows & joined to the domain. ■ OK, we’ll focus with an initial compromise on a Windows workstation joined to the Windows domain – which is most of the case in a corporate network, other scenarios? Let’s have another session. ■ Simulated malware: to runs only on memory or drop a file to hard drive? ■ How to be persistence? Autorun registries, schedule task, windows services, etc? ■ Exploring the first compromised machine – processes, endpoint protections, local users, local group, group memberships, etc? – If any high privileged domain users ever logged in? Event Log ID 4624, C:Users ■ Start exploring the windows domain: domain users, domain groups, hosts joined to the domain, trust relation between domain/forest, membership of sensitive groups, etc? ■ Some tools to help: Windows CLI (such as net, tasklist, etc), PowerSploit, BloodHound, PS Get-EventLog, CobaltStrike aggressor script ■ Tools to help evading detection: Invoke-DOSfucation, Invoke-Obfucation, Invoke-CradleCrafter ■ Post compromise, be careful with “big name” MSSP ■ How’s about advanced adversaries?
  • 7. Escalate ■ Now we have information about the network, Lets escalate - Compromise service accounts, helpdesk and/or domain administrator ■ Local Escalation VS Domain Escalation? ■ Local Escalation – In some cases local escalation is not necessary – minimize risk being detected. – Escalation required to dump credentials e.g., mimikatz ■ Domain Escalation – MS14-025 Group Policy Preference Password – vulnerability against KB2962486 – MS14-068 Kerberos Vulnerability – vulnerability against KB3011780 – Kerberoasting – requires an event with ID 4769 – SQL server with weak password – File/folder sharing – Vulnerable JBOSS, Windows Exploit such as ms17-010, ms10-061, ms08-067 – Local Administrator Pivot (WMI/psexec/WinRM,DCOM) (if Red Team has possession to privileged user) – Obfuscated Mimikatz ■ Once domain admin compromised, collect all domain admins’ username & password, obtain plaintext or crack the NTLM hash ■ Some tools to help: PowerSploit (e.g., PowerView Get-GPPPassword, Invoke-FileFinder; PowerUp Allchecks), PowerUpSQL, Invoke- AutoKerberoast, Mimikatz, Proxychains, Jboss scanner, metasploit ■ How’s about advanced adversaries?
  • 8. Internal Recon ■ Now you have the key to the kingdom! Lets look for the target objectives, key person managed those systems, lateral movement and gathering more information. ■ The objective can be within the domain but on a strictly filtered network segment. The objective system is also possibly outside the domain/different domain on a strictly filtered network segment. – Intranet portal such as Sharepoint, Jira, Wiki? (if any) – this can be a gold mine to look for the target – Who’s responsible for the target systems? – What process is likely associated? – Determine whether or not there’s “jump host” servers? – What is the systems (e.g., Unix, Linux, Mainframe, Web App, etc) – File/folder sharing associated with systems of interest ■ Lateral movement to systems of interest using privileged accounts that has been compromised during escalation (WMI/WinRM/ DCOM/psexec) – e.g., workstation of employee who is responsible to target systems, compromise “jump host” servers, etc ■ Some tools to help: Proxychains, PowerSploit PowerView (e.g., Invoke-UserHunter, Invoke-ProcessHunter, Invoke-FileFinder), Invoke-SessionGopher, Key Logger, BrowserGather.ps1 ■ How’s about advanced adversaries?
  • 9. Complete ■ Once the target has been determined and credentials have been obtained, complete missions of the Red Team e.g.,: – Access the system or web application – Doing certain transactions, modify configuration, add admin users, or financial transactions – Exfiltrate data or information ■ Some obstacles: – DLP? – 2FA? – etc