2. Disclaimer
THIS IS PURELY FOR EDUCATIONAL PURPOSE.
Myself, any identities that I may use, Net Source,
Inc., NetSourceLabs, NetSourceSecure and any
other organizations that I am affiliated with
cannot be held liable for any negligence or
illegal activity that may result in the disclosure
of the information included in this briefing.
4. A “howto” or “readme.txt”
• A quick guide to a talk by me.
• Be prepared
– Topics will be all over the place
– I will chase rabbits
– I use profanity to make my point
– I am passionate about my work
– If you get up during this talk, be prepared to be heckled.
– Did I mention that I will jump around on topics?
– I will bring in points that I find interesting; while they might not be germane to the exact topic, you may find them useful.
– If I switch languages for a certain word or concept, do not get angry. Write it down, google it; you can figure it out for yourself later.
– I may repeat things every now and again.
– I will chase rabbits
– I need to make a “logic-chart” for following my talks
– I should also remember to start using the “notes” feature for PowerPoint.
– I like it when people clap immediately after pseudo-profound statements.
– I do not like the obligatory applause at the end of my talks
– My talks are interactive.
– Sometimes I will just skip slides because I don’t feel like talking about them. It’s alright though, you can download this slide deck.
– The detailed sections are out of order. Sorry, I don’t want to fix it.
• Several of my friends are in the crowd
– They are not “plants”, but I will sometimes call on them to help me remember anecdotes.
5. Business Intelligence?
• A nice name for Corporate Espionage
• Know the business model of a given target
(read: client) and you will better understand
which areas of their infrastructure may be
less guarded
• Knowing more about your target will lead you
to appropriate attack vectors
6. Dox?
• Is it necessary to publish this information?
• In short, the answer is no.
7. HOWEVER…
• Having information is one thing.
• Displaying that you have this information is
another.
• An entire generation raised on the notion
that “knowledge is power” has caused this.
• Displaying this information as a means to
show power and to hinder someone else’s
operations is something completely different.
9. Subsets of Physical
• Drive-bys
– Done at multiple times throughout the day/night.
– Establish key employees and work shifts
– Use a rental car with an HD Contour cam; just leave it parked.
• Wardrive
– Don’t get too close
– Use everything you can in BT5 (BackTrack 5) or Kali
• Dumpster Dive
– Do this at night
– Avoid the critters
10. • Get a tour, make note of how physical security
is managed.
– Organics (human guards and receptionists)
– CCTV
– RFID
– Magstripes
– Electronic keypads
– “Secure” keylocks
11. • Make note of the badges; if you are conducting
a social (engineering engagement), you may need to create one.
• It doesn’t need to “work”, just pass a glance.
19. CD/USB drop
• Curiosity killed the cat
• Think of this as a ‘reverse dead drop’:
a pseudo-public place, and you WANT it to
be found.
– You may ask yourself, “who would actually
plug this in?”
– Now tell yourself, “too many people that
probably work with me.”
21. Other methods
• The USB drop isn’t always needed
– If you can gain physical access:
• a Rubber Ducky (a USB keystroke-injection device that
enumerates as a keyboard) can drop a payload and open a
persistent reverse shell
– If you can’t gain physical access:
• You can squeeze a Rubber Ducky into anything that
uses a USB connection. Ship it to someone in the
target company. Human stupidity will take over,
and SOMEONE will plug it in.
22. Just how easy is that?
• Not calling anyone out, but certain people in
this industry are literally batting 1.000 using
this technique.
– But seriously, how easy is it?
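Added example, not from this talk: the check a defender would want against the keystroke-injection drop described in the slides above. It parses Linux kernel log lines for USB enumeration and HID keyboard registration, and flags any keyboard from a vendor not on an allowlist, any second keyboard appearing, and any mass-storage device. The sample log lines, the vendor allowlist and the dead/beef vendor and product IDs are constructed for the example.

```python
import re

# Constructed sample in the format the Linux USB core, input and HID
# subsystems write to the kernel log. Not taken from the talk or a real host;
# vendor dead / product beef is a placeholder for an unknown device.
SAMPLE_DMESG = """\
usb 1-2: new full-speed USB device number 3 using xhci_hcd
usb 1-2: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
usb 1-2: Product: USB Keyboard
input: Logitech USB Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/0003:046D:C31C.0001/input/input5
hid-generic 0003:046D:C31C.0001: input,hidraw0: USB HID v1.10 Keyboard [Logitech USB Keyboard] on usb-0000:00:14.0-2/input0
usb 1-4: new full-speed USB device number 4 using xhci_hcd
usb 1-4: New USB device found, idVendor=dead, idProduct=beef, bcdDevice=1.00
usb 1-4: Product: HID Keyboard
input: HID Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-4/1-4:1.0/0003:DEAD:BEEF.0002/input/input6
hid-generic 0003:DEAD:BEEF.0002: input,hidraw1: USB HID v1.11 Keyboard [HID Keyboard] on usb-0000:00:14.0-4/input0
usb 1-5: new high-speed USB device number 5 using xhci_hcd
usb 1-5: New USB device found, idVendor=0781, idProduct=5567, bcdDevice=1.00
usb-storage 1-5:1.0: USB Mass Storage device detected
"""

# "usb <bus-port>: New USB device found, idVendor=xxxx, idProduct=xxxx"
DEV_RE = re.compile(
    r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
# "hid-generic 0003:VVVV:PPPP.NNNN: input,hidrawN: USB HID vX.YY Keyboard [name] ..."
HID_RE = re.compile(
    r"hid-generic 0003:(?P<vid>[0-9A-F]{4}):(?P<pid>[0-9A-F]{4})\.\d+: "
    r"\S+ USB HID v[\d.]+ (?P<kind>\w+) \[(?P<name>[^\]]*)\]"
)
STORAGE_RE = re.compile(r"usb-storage (?P<port>[\d.-]+):[\d.]+: USB Mass Storage device detected")


def audit_usb_log(text, allowed_keyboard_vendors):
    """Return findings for keyboards outside the allowlist, additional
    keyboards, and mass-storage attachments seen in kernel log text."""
    ports = {}        # (vid, pid) -> bus-port, from the enumeration line
    keyboards = 0     # keyboards registered so far in this log window
    findings = []
    for line in text.splitlines():
        m = DEV_RE.search(line)
        if m:
            ports[(m["vid"], m["pid"])] = m["port"]
            continue
        m = HID_RE.search(line)
        if m and m["kind"] == "Keyboard":
            vid, pid = m["vid"].lower(), m["pid"].lower()
            keyboards += 1
            reasons = []
            if vid not in allowed_keyboard_vendors:
                reasons.append(f"keyboard from vendor {vid} not on allowlist")
            if keyboards > 1:
                reasons.append(f"{keyboards} keyboards now present")
            if reasons:
                findings.append({"port": ports.get((vid, pid), "?"), "vid": vid, "pid": pid,
                                 "name": m["name"], "reason": "; ".join(reasons)})
            continue
        m = STORAGE_RE.search(line)
        if m:
            # Look the storage device's IDs back up by its bus-port.
            vid, pid = next((k for k, p in ports.items() if p == m["port"]), (None, None))
            findings.append({"port": m["port"], "vid": vid, "pid": pid,
                             "name": "usb-storage", "reason": "mass storage device attached"})
    return findings


if __name__ == "__main__":
    for f in audit_usb_log(SAMPLE_DMESG, {"046d"}):
        print(f"{f['port']:>4} {f['name']!r}: {f['reason']}")
```

The second-keyboard rule matters more than the vendor rule: a keystroke injector can spoof any vendor ID, but a workstation that already has a keyboard suddenly gaining another one is exactly the event a drop produces.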
23. I was going to make a political joke
here, but… well, let’s just skip that
part as I don’t really have any
politics.
37. Inadvertent Excess
• Go into the Kinko’s closest to your target.
• Say you “forgot your thumbdrive”
• They show you a box, you say “that’s it!”
• YAHTZEE!
38. A quick note about ‘excessed
equipment’
• Please wipe the configs from hardware and
remove the drives before it goes out the door
• 4th Saturday (surplus) sales have yielded quite a
few Cis** devices with current configs for
an organization STILL ON THEM.
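Added example, not part of the original slides: a scanner that shows what a config left on excessed gear gives away, which is the check to run before the device leaves. Assuming the censored vendor is Cisco, it walks an IOS-style configuration for SNMP communities, pre-shared keys, cleartext passwords and “type 7” passwords, and reverses the type 7 ones (type 7 is a long-documented XOR obfuscation with a fixed key string, not encryption). The configuration, hostname, addresses and credentials are constructed; the `$1$` enable secret is a placeholder hash and is only reported, not cracked.

```python
import re

# Key stream used by the vendor's "type 7" obfuscation; public and long documented.
TYPE7_KEY = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

# Constructed IOS-style configuration (hostname, addresses, credentials all made up;
# the $1$ enable secret is a placeholder hash, not a real one).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
enable secret 5 $1$abcd$placeholderhashvalue0000000
enable password 7 094F471A1A0A
username admin privilege 15 password 7 094F471A1A0A
username backup password 0 Summer2013
snmp-server community public RO
snmp-server community s3cr3tRW RW
crypto isakmp key VpnPreShared address 203.0.113.10
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
"""


def decode_type7(blob):
    """Reverse a type 7 string: two decimal digits of key offset, then one
    hex byte per character XORed with the rolling key."""
    if len(blob) < 4 or len(blob) % 2:
        raise ValueError("malformed type 7 string")
    seed = int(blob[:2])
    out = []
    for i in range(2, len(blob), 2):
        k = TYPE7_KEY[(seed + (i - 2) // 2) % len(TYPE7_KEY)]
        out.append(chr(int(blob[i:i + 2], 16) ^ ord(k)))
    return "".join(out)


def classify(line):
    """Return (kind, stored_value, recovered_plaintext_or_None), or None."""
    line = line.strip()
    m = re.match(r"snmp-server community (\S+)", line)
    if m:
        return "snmp community", m.group(1), m.group(1)
    m = re.match(r"crypto isakmp key (\S+) address", line)
    if m:
        return "isakmp pre-shared key", m.group(1), m.group(1)
    m = re.match(r"enable secret 5 (\S+)", line)
    if m:  # MD5-crypt: not reversible here, but an offline cracking target
        return "enable secret (MD5 hash)", m.group(1), None
    m = re.search(r"\b(?:password|key) 7 ([0-9A-Fa-f]+)$", line)
    if m:
        return "type 7 (reversible)", m.group(1), decode_type7(m.group(1))
    m = re.search(r"\b(?:password|key) (?:0 )?(\S+)$", line)
    if m:
        return "cleartext", m.group(1), m.group(1)
    return None


def scan_config(text):
    """Walk a configuration and list every credential it gives away."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        hit = classify(line)
        if hit:
            kind, value, plain = hit
            findings.append({"line": n, "kind": kind, "value": value, "plaintext": plain})
    return findings


if __name__ == "__main__":
    for f in scan_config(SAMPLE_CONFIG):
        print(f"line {f['line']:>2} {f['kind']:<24} {f['plaintext'] or '(hash only)'}")
```

The same scan run against a backup of the config repository tells you which SNMP communities and pre-shared keys must be rotated once a box has been sold, because anything type 7 or cleartext should be treated as disclosed.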
40. Create your own transforms
• There is a wealth of information in public
databases
– Property taxes
– Marriages, divorces, VPOs (protective orders), traffic citations, etc.
– Foreclosures
– Birth records, death certificates
– Blogs
41. Quality of Product
• Your information is only as good as your
starting point
– Use CORRECT and ACCURATE information. Do not
guess.
42. Otherwise…
• The signal-to-noise ratio is horrendous.
• This entire section is total junk and incorrect data.
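Added example, not from the talk, covering the last three slides together: a minimal “transform” in Python over constructed property-tax and court-record extracts (every name, parcel, address and case number is made up). It pivots from a seed name to properties and cases and reports whether the hits resolve to one identity. Run with an accurate seed it returns one person; run with a guessed seed (“J. Smith”) the very same code returns three people’s records mixed together, which is the junk the slide warns about.

```python
# Constructed public-record extracts: every name, parcel, address and case
# number is made up for the example. Owner names follow the "LAST, FIRST M"
# layout common in tax rolls; court parties use "First M. Last".
PROPERTY_TAX = [
    {"owner": "SMITH, JONATHAN A", "parcel": "12-345-678", "address": "14 Elm St", "city": "Springfield"},
    {"owner": "SMITH, JAMES", "parcel": "12-400-001", "address": "9 Oak Ave", "city": "Springfield"},
    {"owner": "SMITH, JULIA", "parcel": "13-002-115", "address": "220 Pine Rd", "city": "Shelbyville"},
    {"owner": "SMYTH, JONATHAN", "parcel": "13-010-002", "address": "5 Birch Ct", "city": "Springfield"},
]
COURT_RECORDS = [
    {"party": "Jonathan A. Smith", "case": "FD-2012-0419", "type": "divorce"},
    {"party": "James Smith", "case": "TR-2013-8812", "type": "traffic citation"},
    {"party": "Julia Smith", "case": "PO-2011-0033", "type": "protective order"},
]


def name_key(raw):
    """Normalise 'LAST, FIRST M' or 'First M. Last' to (SURNAME, (GIVEN, ...))."""
    raw = raw.replace(".", " ").upper()
    if "," in raw:
        last, rest = raw.split(",", 1)
        given = rest.split()
    else:
        parts = raw.split()
        last, given = parts[-1], parts[:-1]
    return last.strip(), tuple(given)


def name_matches(seed, candidate):
    """True when the candidate is consistent with the seed. A one-letter
    token in the seed (an initial, i.e. a guess) matches any given name
    starting with that letter; that leniency is where the noise comes in."""
    s_last, s_given = seed
    c_last, c_given = candidate
    if s_last != c_last or len(s_given) > len(c_given):
        return False
    for s_tok, c_tok in zip(s_given, c_given):
        if len(s_tok) == 1:
            if not c_tok.startswith(s_tok):
                return False
        elif s_tok != c_tok:
            return False
    return True


def run_transform(seed_name, property_records=PROPERTY_TAX, court_records=COURT_RECORDS):
    """Pivot a seed name to properties and cases and report whether the
    hits collapse to a single identity."""
    seed = name_key(seed_name)
    props = [r for r in property_records if name_matches(seed, name_key(r["owner"]))]
    cases = [r for r in court_records if name_matches(seed, name_key(r["party"]))]
    identities = {name_key(r["owner"]) for r in props} | {name_key(r["party"]) for r in cases}
    return {
        "seed": seed,
        "properties": [f"{r['address']}, {r['city']} (parcel {r['parcel']})" for r in props],
        "cases": [f"{r['case']} ({r['type']})" for r in cases],
        "identities": sorted(identities),
        "ambiguous": len(identities) > 1,
    }


if __name__ == "__main__":
    for seed in ("Jonathan A. Smith", "J. Smith"):
        result = run_transform(seed)
        print(seed, "->", "AMBIGUOUS" if result["ambiguous"] else "one identity")
        for line in result["properties"] + result["cases"]:
            print("   ", line)
```

The `ambiguous` flag is the useful part: a transform that cannot say whether its output describes one person or several should stop the chain rather than feed the next pivot, because every later hop multiplies the noise.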
43. Social Engineering
• I will not pretend that neuro-linguistics has gotten me past some
serious security measures.
– However, a fake accent did get ri0t and me quite a few drinks in Vegas.
• How does it work?
– You appeal to a person’s sensibility and logic.
44. Seriously though, what does SE get us?
• It gets us physical access to a location to actually
DO the CD/USB drop
• If the target is in a shared office location, hang out
in the smokers’ area.
– Listen
– Sniff RFID
– Snarf Bluetooth
– Pay attention to the visual layout of ID badges in case you
need to fabricate one
– Possibly tailgate a person into a secure area
45. • Become a customer/client of the target.
• Remember, people are inherently stupid
and willing to trust. Exploit this.
– “Give them an ounce of quality lies, and you
will get a pound of truth in return.” - me
46. Qualify your statements and questions
• Don’t ask stupid questions that are DIRECT.
• You will always need to fill some gaps; it’s
important to do this without spinning a
fictional story.
• Be knowledgeable of the subject matter at
hand.
– This means taking an interest in whatever widget
you are trying to gather information about
47. Pushing in
• So what options do I have to exploit a location
using the information I have gathered?
– CD/USB drops
– Social Engineering
– Client-side attacks
– Intranet access portals with weak user/pass combos
– Sub-domains for test/development environments, to
attack via web applications and extract data
– Complete breach of the network via wireless, to set up
C&C (command and control)
48. Wait, I just said wireless
“Techie LUsers”: let me tell you why they are
your biggest problem.
49. “Why?” you ask?
• Because they are the ones that take it upon
themselves to create and fix things with only
half of the ‘larger picture’
• Which, in turn, just ends up causing more
problems
• Like?
52. How this can cause issues
• The vast majority of ‘labs’ run on default passwords
• Rogue APs lack strong encryption, or any at all
• A shared password used over an open Wi-Fi
connection
• Unused accounts still on the default
“P@ssw0rd!”
53. How is this remedied?
• Strengthen your policies
• Educate users
• Educate users (yes, that’s twice on purpose)
• Self audit
– Old machine accounts in AD
– Maintenance (service) accounts
– Accounts that have never been used
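Added example (not the speaker’s own tooling): the self-audit from this slide and the issues listed on the previous one, assuming the directory has been exported to a CSV with the columns shown (for instance from Get-ADUser / Get-ADComputer with -Properties whenCreated, LastLogonDate, PasswordLastSet, ServicePrincipalName). The rows, account names and dates are constructed. It flags machine accounts idle beyond a threshold, service accounts (those with an SPN) whose password is older than a year, and enabled accounts that have never logged on, noting when the password has not changed since provisioning, which is where the default “P@ssw0rd!” tends to live.

```python
import csv
import io
from datetime import date

# Constructed export of directory accounts (names and dates made up). The
# columns mirror what Get-ADUser / Get-ADComputer return with -Properties
# whenCreated, LastLogonDate, PasswordLastSet, ServicePrincipalName.
SAMPLE_EXPORT = """\
sAMAccountName,objectClass,enabled,whenCreated,lastLogonDate,pwdLastSet,servicePrincipalName
jdoe,user,True,2011-03-02,2013-08-30,2013-06-01,
svc_backup,user,True,2010-01-15,2013-08-31,2010-01-15,backup/srv01.corp.example
lab_admin,user,True,2013-01-10,,2013-01-10,
LAB-PC07$,computer,True,2011-05-05,2012-11-20,2012-11-20,
WS-1042$,computer,True,2013-07-01,2013-08-31,2013-08-01,
old_contractor,user,False,2009-06-01,2010-02-14,2009-06-01,
"""


def _day(s):
    """ISO date from the export; an empty field means 'never'."""
    return date.fromisoformat(s) if s else None


def audit_accounts(csv_text, as_of, stale_days=90, svc_pw_days=365, unused_grace_days=30):
    """Flag idle machine accounts, service accounts with old passwords and
    enabled accounts that have never been used. Returns a list of findings."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    findings = []

    def age(d):
        return (as_of - d).days

    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["enabled"] != "True":
            continue  # already disabled; removal is a separate clean-up
        name = row["sAMAccountName"]
        created = _day(row["whenCreated"])
        last = _day(row["lastLogonDate"])
        pwd = _day(row["pwdLastSet"])

        if row["objectClass"] == "computer":
            if last is None:
                findings.append({"account": name, "issue": "machine account has never logged on"})
            elif age(last) > stale_days:
                findings.append({"account": name, "issue": f"machine account idle {age(last)} days"})
            continue

        # An SPN marks a service (maintenance) account; these rarely get rotated.
        if row["servicePrincipalName"] and pwd and age(pwd) > svc_pw_days:
            findings.append({"account": name, "issue": f"service account password is {age(pwd)} days old"})
        if last is None and created and age(created) > unused_grace_days:
            findings.append({"account": name, "issue": f"never logged on, created {age(created)} days ago"})
            if pwd == created:
                findings.append({"account": name,
                                 "issue": "password unchanged since provisioning (still the initial default?)"})
    return findings


if __name__ == "__main__":
    for f in audit_accounts(SAMPLE_EXPORT, "2013-09-01"):
        print(f"{f['account']:<16} {f['issue']}")
```

Run it on a schedule and diff the output: a never-used account that was created outside the normal provisioning process, or a “lab” machine account that keeps reappearing, is the techie LUser at work.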
54. In conclusion
• Try harder
• Enable yourself and your staff
– Come to local hacker meetings
– We will gladly show you stuff
• No such thing as a stupid question.
– Just stupid people who don’t ask questions.
55. Any questions that relate to the actual
topic?
• I like to eat steak cooked medium rare
• I have two cats, a dog, a planted aquarium
and an entire school of carnivorous fish
• My favorite color is clear
• Etc…