SlideShare ist ein Scribd-Unternehmen logo

Advanced red teaming all your badges are belong to us

Priyanka Aash
Priyanka Aash

Source : DEFCON 22

Technologie
1 von 46
DEFCON 22 Eric Smith & Joshua Perrymon LARES ALL YOUR BADGES ARE BELONG TO US
AGENDA INTRO WHAT IS RED TEAMING TRADITIONAL ATTACKS/TECHNIQUES RFID OVERVIEW ADVANCED ATTACKS REMEDIATION/RISK MITIGATION
ABOUT: LARES CORP • Minimum of 15 years InfoSec Experience per consultant (90+ combined) • Penetration Testing Execution Standard Core Members (PTES) • Publications • Aggressive Network Self Defense • Contributing writer to COBIT • Contributing writer to ISO17799, and one of less than 1000 certified auditors of the ISO17799 (international standards for security best practices) • Authors of multiple national / international security awareness training programs • Blogs/Podcasts/Media/Conferences
ABOUT: LARES PRESENTERS TedX InfraGard Defcon BlackHat OWASP SANS BruCon SOURCE ToorCon ISACA/ISSA ShmooCon PHNeutral Dark Reading Security B-Sides ChicagoCon NotaCon White Hat World Sec-T Troopers CSI HackCon Derbycon DakotaCon ShakaCon
ABOUT: ERIC SMITH Over 15 years IT/IS experience • Red Team Testing/Physical Security Assessments • Social Engineering • Penetration Testing • Risk Assessments Qualifications • B.Sc. Information Security/CISSP, CISA, CCSA, CCNA Work Experience: • Senior Partner/Principal Security Consultant – Lares Consulting • Senior Partner/Principal Security Consultant – Layer 8 Labs • Senior Security Consultant – Alternative Technology • Application Security Analyst – Equifax, Inc. • Senior Security Consultant – International Network Services • Security Engineer – GE Power Systems • Security Analyst - Bellsouth
ABOUT: JOSH PERRYMON Over 15 years IT/IS experience • Risk Assessments • Red Team Testing/Physical Security Assessments • Social Engineering • Vulnerability Assessments & Penetration Testing • Application Assessments • Wireless Security Assessments Qualifications • CEH, OPST, OPSA, OSSTMM Trainer Work Experience: • Senior Adversarial Engineer– Lares • Senior Partner – Layer 8 Labs • Advanced Insider Threat/Intel – Bank of America • Red Team Leader– Bank of America • CEO– PacketFocus • Sr. Consultant – BE&K • Sr. Consultant - EBSCO
TRUE STORY
WHAT IS RED TEAMING The term originated within the military to describe a team whose purpose is to penetrate security of "friendly" installations, and thus test their security measures. The members are professionals who install evidence of their success, e.g. leave cardboard signs saying "bomb" in critical defense installations, hand-lettered  notes  saying  that  “your  codebooks  have  been   stolen" (they usually have not been) inside safes, etc. Sometimes, after a successful penetration, a high-ranking security person will show up later for a "security review," and "find" the evidence. Afterward, the term became popular in the computer industry, where the security of computer systems is often tested by tiger teams. How do you know you can put up a fight if you have never taken a punch?
REASONS TO CONDUCT • Real world test to see how you will hold up against a highly skilled, motivated and funded attacker • The only type of testing that will cover a fully converged attack surface • Impact assessment is IMMEDIATE and built to show a maximum damage event • This IS the FULL DR test of an InfoSec Program
Electronic Physical Social • Network Penetration Testing • Surveillance & Implants • Direct attack on facilities and systems • In person Social Engineering • Phone conversations • Social profiling • Baiting RED TEAM EP Convergence Attacks on physical systems that are network enabled ES Convergence Phishing Profiling Creating moles Blackmail PS Convergence Tailgating Impersonation
TRADITIONAL ATTACKS & TECHNIQUES • Tailgating • Lock Picking • Shimming • Key Bumping • Under Door Hooks (K22) • Lock Bypass • Elevator Keys
RFID OVERVIEW
RFID TAG FREQUENCIES
WHO USES IT? Legacy 125-kilohertz proximity technology is still in place at around 70% to 80% of all physical access control deployments in the U.S. and it will be a long time before that changes, says Stephane Ardiley, product manager at HID Global.
WHO IS VULNERABLE? • Government facilities (contractors too) • Medical Facilities • Financial Institutions • Nuclear facilities • Power/Water Facilities • Education • List  is  endless….
UNDERSTANDING BADGE SYSTEMS
RFID OVERVIEW
RFID OVERVIEW – READ RANGES
RFID OVERVIEW – WIEGAND PROTOCOL
Internet FTW FACILITY Code & Access Card # Not so private.
EBAY FTW
RESELLER SERVICES
RFID HACKING
CLONING/REPLAY – LOW FREQUENCY (PROX II)
DEMO Low Freq Clone/Replay Proxmark III
PRIV ESCALATION - PROX BRUTE
LONG RANGE READING – LOW FREQUENCY
Long Range Tastic Reader (Low Frequency)
ADVANCED RFID ATTACKS
LONG RANGE READING – HIGH FREQUENCY (ICLASS)
ARDUINO WITH LCD, MOBILE READER
MOBILE READER PCB BUILD
DEMO Long Range Read – High Frequency
ICLASS VULNERABILITY (PUBLIC) • Heart of Darkness - exploring the uncharted backwaters of HID iCLASS security • Milosch Meriac, meriac@OpenPCD.de • 27TH CHAOS COMMUNICATION CONGRESS IN BERLIN, DECEMBER 2010 • Firmware was dumped and encryption keys for Standard Security were compromised.
ICLASS CARD CLONING
DEMO IClass Cloning
ICLASS PRIVILEGE ESCALATION • Block 7 – Contains encrypted format of facility code and access card number • Use compromised keys and calculate new block 7 for Weigand data string • Write block 7 to clone card • Badge in! • Work in progress: • iClass brute
DEMO IClass Priv Esc
GECKO WIEGAND CAPTURE
BLENDED ATTACK – PRIVILEGE ESCALATION • Information leak from badge system • Remote compromise of access controls • Monitor activity • Identify system faults • Profiling • Access rights modification
UNDER DEVELOPMENT – BIO AND PIN ATTACKS
UNDER DEVELOPMENT – MESH NETWORK • Real Time Mesh Network – collaboration of multiple Red Team members and field hardware
UNDER DEVELOPMENT – BACKDOORED READER • Backdoored reader with Audrino • Captures Wiegand data and transmits over Zigbee or wifi to other Red Team member’s  hardware  device  in  the  field
RISK MITIGATION
REMEDIATION/RISK MITIGATION • Standard RFID asset protection/best practices • Protection strategies of badge systems (physical and electronic) • Protection against blended threads/Red Team targeted attacks • Custom card formats and Time To Reverse (TTR) • Protect badge systems with VLANs, 2-factor authentication or isolation • Training – Staff and Guards • Log Monitoring – IPS?
QUESTIONS? Eric Smith Josh Perrymon esmith@lares.com jperrymon@lares.com @infosecmafia @packetfocus http://www.lares.com Code: https://github.com/LaresConsulting

Empfohlen

Security precognition chaos engineering in incident response
Security precognition chaos engineering in incident responseSecurity precognition chaos engineering in incident response
Security precognition chaos engineering in incident response
Priyanka Aash
 
Breaking and entering how and why dhs conducts penetration tests
Breaking and entering how and why dhs conducts penetration testsBreaking and entering how and why dhs conducts penetration tests
Breaking and entering how and why dhs conducts penetration tests
Priyanka Aash
 
Continuous Automated Red Teaming (CART) - Bikash Barai
Continuous Automated Red Teaming (CART) - Bikash BaraiContinuous Automated Red Teaming (CART) - Bikash Barai
Continuous Automated Red Teaming (CART) - Bikash Barai
AllanGray11
 
Beyond the mcse red teaming active directory
Beyond the mcse red teaming active directoryBeyond the mcse red teaming active directory
Beyond the mcse red teaming active directory
Priyanka Aash
 
Red team-view-gaps-in-the-serverless-application-attack-surface
Red team-view-gaps-in-the-serverless-application-attack-surfaceRed team-view-gaps-in-the-serverless-application-attack-surface
Red team-view-gaps-in-the-serverless-application-attack-surface
Priyanka Aash
 
Wfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security InnovationWfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security Innovation
Priyanka Aash
 
Establishing a-quality-vulnerability-management-program
Establishing a-quality-vulnerability-management-programEstablishing a-quality-vulnerability-management-program
Establishing a-quality-vulnerability-management-program
Priyanka Aash
 
Leveraging red for defense
Leveraging red for defenseLeveraging red for defense
Leveraging red for defense
Priyanka Aash
 

Empfohlen

Security precognition chaos engineering in incident response
Security precognition chaos engineering in incident responseSecurity precognition chaos engineering in incident response
Security precognition chaos engineering in incident response
Priyanka Aash
 
Breaking and entering how and why dhs conducts penetration tests
Breaking and entering how and why dhs conducts penetration testsBreaking and entering how and why dhs conducts penetration tests
Breaking and entering how and why dhs conducts penetration tests
Priyanka Aash
 
Continuous Automated Red Teaming (CART) - Bikash Barai
Continuous Automated Red Teaming (CART) - Bikash BaraiContinuous Automated Red Teaming (CART) - Bikash Barai
Continuous Automated Red Teaming (CART) - Bikash Barai
AllanGray11
 
Beyond the mcse red teaming active directory
Beyond the mcse red teaming active directoryBeyond the mcse red teaming active directory
Beyond the mcse red teaming active directory
Priyanka Aash
 
Red team-view-gaps-in-the-serverless-application-attack-surface
Red team-view-gaps-in-the-serverless-application-attack-surfaceRed team-view-gaps-in-the-serverless-application-attack-surface
Red team-view-gaps-in-the-serverless-application-attack-surface
Priyanka Aash
 
Wfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security InnovationWfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security Innovation
Priyanka Aash
 
Establishing a-quality-vulnerability-management-program
Establishing a-quality-vulnerability-management-programEstablishing a-quality-vulnerability-management-program
Establishing a-quality-vulnerability-management-program
Priyanka Aash
 
Leveraging red for defense
Leveraging red for defenseLeveraging red for defense
Leveraging red for defense
Priyanka Aash
 
Dev secops on the offense automating amazon web services account takeover
Dev secops on the offense automating amazon web services account takeoverDev secops on the offense automating amazon web services account takeover
Dev secops on the offense automating amazon web services account takeover
Priyanka Aash
 
Unraveling Detection Methodologies: Indicators vs. Anomalies vs. Behaviors
Unraveling Detection Methodologies: Indicators vs. Anomalies vs. Behaviors Unraveling Detection Methodologies: Indicators vs. Anomalies vs. Behaviors
Unraveling Detection Methodologies: Indicators vs. Anomalies vs. Behaviors
Dragos, Inc.
 
Achieving Defendable Architectures Via Threat Driven Methodologies
Achieving Defendable Architectures Via Threat Driven MethodologiesAchieving Defendable Architectures Via Threat Driven Methodologies
Achieving Defendable Architectures Via Threat Driven Methodologies
Priyanka Aash
 
Making Threat Intelligence Actionable Final
Making Threat Intelligence Actionable FinalMaking Threat Intelligence Actionable Final
Making Threat Intelligence Actionable Final
Priyanka Aash
 
How To Avoid The Top Ten Software Security Flaws
How To Avoid The Top Ten Software Security FlawsHow To Avoid The Top Ten Software Security Flaws
How To Avoid The Top Ten Software Security Flaws
Priyanka Aash
 
Implementing An Automated Incident Response Architecture
Implementing An Automated Incident Response ArchitectureImplementing An Automated Incident Response Architecture
Implementing An Automated Incident Response Architecture
Priyanka Aash
 
Slide Deck – Session 11 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 11 – FRSecure CISSP Mentor Program 2017Slide Deck – Session 11 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 11 – FRSecure CISSP Mentor Program 2017
FRSecure
 
Westjets Security Architecture Made Simple We Finally Got It Right
Westjets Security Architecture Made Simple We Finally Got It RightWestjets Security Architecture Made Simple We Finally Got It Right
Westjets Security Architecture Made Simple We Finally Got It Right
Priyanka Aash
 
Red Team vs. Blue Team on AWS
Red Team vs. Blue Team on AWSRed Team vs. Blue Team on AWS
Red Team vs. Blue Team on AWS
Priyanka Aash
 
How to assign a CVE to yourself?
How to assign a CVE to yourself?How to assign a CVE to yourself?
How to assign a CVE to yourself?
Ramin Farajpour Cami
 
Offensive cyber security engineer updated
Offensive cyber security engineer updatedOffensive cyber security engineer updated
Offensive cyber security engineer updated
InfosecTrain
 
Incident Response: Validation, Containment & Forensics
Incident Response: Validation, Containment & Forensics Incident Response: Validation, Containment & Forensics
Incident Response: Validation, Containment & Forensics
Priyanka Aash
 
BlueHat v18 || Dep for the app layer - time for app sec to grow up
BlueHat v18 || Dep for the app layer - time for app sec to grow upBlueHat v18 || Dep for the app layer - time for app sec to grow up
BlueHat v18 || Dep for the app layer - time for app sec to grow up
BlueHat Security Conference
 
NextGen Endpoint Security for Dummies
NextGen Endpoint Security for DummiesNextGen Endpoint Security for Dummies
NextGen Endpoint Security for Dummies
Atif Ghauri
 
Deception Technology: Use Cases & Implementation Approaches
Deception Technology: Use Cases & Implementation Approaches Deception Technology: Use Cases & Implementation Approaches
Deception Technology: Use Cases & Implementation Approaches
Priyanka Aash
 
Penetration testing & Ethical Hacking
Penetration testing & Ethical HackingPenetration testing & Ethical Hacking
Penetration testing & Ethical Hacking
S.E. CTS CERT-GOV-MD
 
Slide Deck CISSP Class Session 6
Slide Deck CISSP Class Session 6Slide Deck CISSP Class Session 6
Slide Deck CISSP Class Session 6
FRSecure
 
What Is Next-Generation Endpoint Security and Why Do You Need It?
What Is Next-Generation Endpoint Security and Why Do You Need It?What Is Next-Generation Endpoint Security and Why Do You Need It?
What Is Next-Generation Endpoint Security and Why Do You Need It?
Priyanka Aash
 
Ethical Hacking Conference 2015- Building Secure Products -a perspective
Ethical Hacking Conference 2015- Building Secure Products -a perspective Ethical Hacking Conference 2015- Building Secure Products -a perspective
Ethical Hacking Conference 2015- Building Secure Products -a perspective
Dr. Anish Cheriyan (PhD)
 
Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture
Priyanka Aash
 
Bar Camp 11 Oct09 Hacking
Bar Camp 11 Oct09 HackingBar Camp 11 Oct09 Hacking
Bar Camp 11 Oct09 Hacking
Barcamp Kerala
 
How to be come a hacker slide for 2600 laos
How to be come a hacker slide for 2600 laosHow to be come a hacker slide for 2600 laos
How to be come a hacker slide for 2600 laos
Outhai SAIOUDOM
 

Weitere ähnliche Inhalte

Was ist angesagt?

Dev secops on the offense automating amazon web services account takeover
Dev secops on the offense automating amazon web services account takeoverDev secops on the offense automating amazon web services account takeover
Dev secops on the offense automating amazon web services account takeover
Priyanka Aash
 
Unraveling Detection Methodologies: Indicators vs. Anomalies vs. Behaviors
Unraveling Detection Methodologies: Indicators vs. Anomalies vs. Behaviors Unraveling Detection Methodologies: Indicators vs. Anomalies vs. Behaviors
Unraveling Detection Methodologies: Indicators vs. Anomalies vs. Behaviors
Dragos, Inc.
 
BlueHat v18 || Dep for the app layer - time for app sec to grow up
BlueHat v18 || Dep for the app layer - time for app sec to grow upBlueHat v18 || Dep for the app layer - time for app sec to grow up
BlueHat v18 || Dep for the app layer - time for app sec to grow up
BlueHat Security Conference
 
NextGen Endpoint Security for Dummies
NextGen Endpoint Security for DummiesNextGen Endpoint Security for Dummies
NextGen Endpoint Security for Dummies
Atif Ghauri
 

Was ist angesagt? (20)

Dev secops on the offense automating amazon web services account takeover
Dev secops on the offense automating amazon web services account takeoverDev secops on the offense automating amazon web services account takeover
Dev secops on the offense automating amazon web services account takeover
 
Unraveling Detection Methodologies: Indicators vs. Anomalies vs. Behaviors
Unraveling Detection Methodologies: Indicators vs. Anomalies vs. Behaviors Unraveling Detection Methodologies: Indicators vs. Anomalies vs. Behaviors
Unraveling Detection Methodologies: Indicators vs. Anomalies vs. Behaviors
 
Achieving Defendable Architectures Via Threat Driven Methodologies
Achieving Defendable Architectures Via Threat Driven MethodologiesAchieving Defendable Architectures Via Threat Driven Methodologies
Achieving Defendable Architectures Via Threat Driven Methodologies
 
Making Threat Intelligence Actionable Final
Making Threat Intelligence Actionable FinalMaking Threat Intelligence Actionable Final
Making Threat Intelligence Actionable Final
 
How To Avoid The Top Ten Software Security Flaws
How To Avoid The Top Ten Software Security FlawsHow To Avoid The Top Ten Software Security Flaws
How To Avoid The Top Ten Software Security Flaws
 
Implementing An Automated Incident Response Architecture
Implementing An Automated Incident Response ArchitectureImplementing An Automated Incident Response Architecture
Implementing An Automated Incident Response Architecture
 
Slide Deck – Session 11 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 11 – FRSecure CISSP Mentor Program 2017Slide Deck – Session 11 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 11 – FRSecure CISSP Mentor Program 2017
 
Westjets Security Architecture Made Simple We Finally Got It Right
Westjets Security Architecture Made Simple We Finally Got It RightWestjets Security Architecture Made Simple We Finally Got It Right
Westjets Security Architecture Made Simple We Finally Got It Right
 
Red Team vs. Blue Team on AWS
Red Team vs. Blue Team on AWSRed Team vs. Blue Team on AWS
Red Team vs. Blue Team on AWS
 
How to assign a CVE to yourself?
How to assign a CVE to yourself?How to assign a CVE to yourself?
How to assign a CVE to yourself?
 
Offensive cyber security engineer updated
Offensive cyber security engineer updatedOffensive cyber security engineer updated
Offensive cyber security engineer updated
 
Incident Response: Validation, Containment & Forensics
Incident Response: Validation, Containment & Forensics Incident Response: Validation, Containment & Forensics
Incident Response: Validation, Containment & Forensics
 
BlueHat v18 || Dep for the app layer - time for app sec to grow up
BlueHat v18 || Dep for the app layer - time for app sec to grow upBlueHat v18 || Dep for the app layer - time for app sec to grow up
BlueHat v18 || Dep for the app layer - time for app sec to grow up
 
NextGen Endpoint Security for Dummies
NextGen Endpoint Security for DummiesNextGen Endpoint Security for Dummies
NextGen Endpoint Security for Dummies
 
Deception Technology: Use Cases & Implementation Approaches
Deception Technology: Use Cases & Implementation Approaches Deception Technology: Use Cases & Implementation Approaches
Deception Technology: Use Cases & Implementation Approaches
 
Penetration testing & Ethical Hacking
Penetration testing & Ethical HackingPenetration testing & Ethical Hacking
Penetration testing & Ethical Hacking
 
Slide Deck CISSP Class Session 6
Slide Deck CISSP Class Session 6Slide Deck CISSP Class Session 6
Slide Deck CISSP Class Session 6
 
What Is Next-Generation Endpoint Security and Why Do You Need It?
What Is Next-Generation Endpoint Security and Why Do You Need It?What Is Next-Generation Endpoint Security and Why Do You Need It?
What Is Next-Generation Endpoint Security and Why Do You Need It?
 
Ethical Hacking Conference 2015- Building Secure Products -a perspective
Ethical Hacking Conference 2015- Building Secure Products -a perspective Ethical Hacking Conference 2015- Building Secure Products -a perspective
Ethical Hacking Conference 2015- Building Secure Products -a perspective
 
Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture
 

Ähnlich wie Advanced red teaming all your badges are belong to us

CYB205-1 Evolving Threat Landscapes_01.pptx
CYB205-1 Evolving Threat Landscapes_01.pptxCYB205-1 Evolving Threat Landscapes_01.pptx
CYB205-1 Evolving Threat Landscapes_01.pptx
ssuser4db968
 
Cyber security-briefing-presentation
Cyber security-briefing-presentationCyber security-briefing-presentation
Cyber security-briefing-presentation
sathiyamaha
 

Ähnlich wie Advanced red teaming all your badges are belong to us (20)

Bar Camp 11 Oct09 Hacking
Bar Camp 11 Oct09 HackingBar Camp 11 Oct09 Hacking
Bar Camp 11 Oct09 Hacking
 
How to be come a hacker slide for 2600 laos
How to be come a hacker slide for 2600 laosHow to be come a hacker slide for 2600 laos
How to be come a hacker slide for 2600 laos
 
Agile Chennai 2022 - Shyam Sundar | Everything there is to know about Cyber s...
Agile Chennai 2022 - Shyam Sundar | Everything there is to know about Cyber s...Agile Chennai 2022 - Shyam Sundar | Everything there is to know about Cyber s...
Agile Chennai 2022 - Shyam Sundar | Everything there is to know about Cyber s...
 
Security and Linux Security
Security and Linux SecuritySecurity and Linux Security
Security and Linux Security
 
Careers in Cyber Security
Careers in Cyber SecurityCareers in Cyber Security
Careers in Cyber Security
 
ISACA Ethical Hacking Presentation 10/2011
ISACA Ethical Hacking Presentation 10/2011ISACA Ethical Hacking Presentation 10/2011
ISACA Ethical Hacking Presentation 10/2011
 
CYB205-1 Evolving Threat Landscapes_01.pdf
CYB205-1 Evolving Threat Landscapes_01.pdfCYB205-1 Evolving Threat Landscapes_01.pdf
CYB205-1 Evolving Threat Landscapes_01.pdf
 
CYB205-1 Evolving Threat Landscapes_01.pptx
CYB205-1 Evolving Threat Landscapes_01.pptxCYB205-1 Evolving Threat Landscapes_01.pptx
CYB205-1 Evolving Threat Landscapes_01.pptx
 
Network Security
Network SecurityNetwork Security
Network Security
 
Defcon 18 "Hacking Electronic Door Access Controllers"
Defcon 18 "Hacking Electronic Door Access Controllers" Defcon 18 "Hacking Electronic Door Access Controllers"
Defcon 18 "Hacking Electronic Door Access Controllers"
 
Cyber Security Workshop GDSC-BITW
Cyber Security Workshop GDSC-BITWCyber Security Workshop GDSC-BITW
Cyber Security Workshop GDSC-BITW
 
Inetsecurity.in Ethical Hacking presentation
Inetsecurity.in Ethical Hacking presentationInetsecurity.in Ethical Hacking presentation
Inetsecurity.in Ethical Hacking presentation
 
Malware Analysis
Malware AnalysisMalware Analysis
Malware Analysis
 
The importance of Cybersecurity
The importance of CybersecurityThe importance of Cybersecurity
The importance of Cybersecurity
 
Ethical Hacking Redefined
Ethical Hacking RedefinedEthical Hacking Redefined
Ethical Hacking Redefined
 
Proactive Approach to OT incident response - HOUSECCON 2023
Proactive Approach to OT incident response - HOUSECCON 2023Proactive Approach to OT incident response - HOUSECCON 2023
Proactive Approach to OT incident response - HOUSECCON 2023
 
Defending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricalityDefending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricality
 
Soc analyst course content v3
Soc analyst course content v3Soc analyst course content v3
Soc analyst course content v3
 
Soc analyst course content
Soc analyst course contentSoc analyst course content
Soc analyst course content
 
Cyber security-briefing-presentation
Cyber security-briefing-presentationCyber security-briefing-presentation
Cyber security-briefing-presentation
 

Mehr von Priyanka Aash

Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
Priyanka Aash
 

Mehr von Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Kürzlich hochgeladen

IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Delhi Call girls
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
 

Kürzlich hochgeladen (20)

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 

Advanced red teaming all your badges are belong to us

  • 1. DEFCON 22 Eric Smith & Joshua Perrymon LARES ALL YOUR BADGES ARE BELONG TO US
  • 2. AGENDA INTRO WHAT IS RED TEAMING TRADITIONAL ATTACKS/TECHNIQUES RFID OVERVIEW ADVANCED ATTACKS REMEDIATION/RISK MITIGATION
  • 3. ABOUT: LARES CORP • Minimum of 15 years InfoSec Experience per consultant (90+ combined) • Penetration Testing Execution Standard Core Members (PTES) • Publications • Aggressive Network Self Defense • Contributing writer to COBIT • Contributing writer to ISO17799, and one of less than 1000 certified auditors of the ISO17799 (international standards for security best practices) • Authors of multiple national / international security awareness training programs • Blogs/Podcasts/Media/Conferences
  • 4. ABOUT: LARES PRESENTERS TedX InfraGard Defcon BlackHat OWASP SANS BruCon SOURCE ToorCon ISACA/ISSA ShmooCon PHNeutral Dark Reading Security B-Sides ChicagoCon NotaCon White Hat World Sec-T Troopers CSI HackCon Derbycon DakotaCon ShakaCon
  • 5. ABOUT: ERIC SMITH Over 15 years IT/IS experience • Red Team Testing/Physical Security Assessments • Social Engineering • Penetration Testing • Risk Assessments Qualifications • B.Sc. Information Security/CISSP, CISA, CCSA, CCNA Work Experience: • Senior Partner/Principal Security Consultant – Lares Consulting • Senior Partner/Principal Security Consultant – Layer 8 Labs • Senior Security Consultant – Alternative Technology • Application Security Analyst – Equifax, Inc. • Senior Security Consultant – International Network Services • Security Engineer – GE Power Systems • Security Analyst - Bellsouth
  • 6. ABOUT: JOSH PERRYMON Over 15 years IT/IS experience • Risk Assessments • Red Team Testing/Physical Security Assessments • Social Engineering • Vulnerability Assessments & Penetration Testing • Application Assessments • Wireless Security Assessments Qualifications • CEH, OPST, OPSA, OSSTMM Trainer Work Experience: • Senior Adversarial Engineer– Lares • Senior Partner – Layer 8 Labs • Advanced Insider Threat/Intel – Bank of America • Red Team Leader– Bank of America • CEO– PacketFocus • Sr. Consultant – BE&K • Sr. Consultant - EBSCO
  • 8. WHAT IS RED TEAMING The term originated within the military to describe a team whose purpose is to penetrate security of "friendly" installations, and thus test their security measures. The members are professionals who install evidence of their success, e.g. leave cardboard signs saying "bomb" in critical defense installations, hand-lettered  notes  saying  that  “your  codebooks  have  been   stolen" (they usually have not been) inside safes, etc. Sometimes, after a successful penetration, a high-ranking security person will show up later for a "security review," and "find" the evidence. Afterward, the term became popular in the computer industry, where the security of computer systems is often tested by tiger teams. How do you know you can put up a fight if you have never taken a punch?
  • 9. REASONS TO CONDUCT • Real world test to see how you will hold up against a highly skilled, motivated and funded attacker • The only type of testing that will cover a fully converged attack surface • Impact assessment is IMMEDIATE and built to show a maximum damage event • This IS the FULL DR test of an InfoSec Program
  • 10. Electronic Physical Social • Network Penetration Testing • Surveillance & Implants • Direct attack on facilities and systems • In person Social Engineering • Phone conversations • Social profiling • Baiting RED TEAM EP Convergence Attacks on physical systems that are network enabled ES Convergence Phishing Profiling Creating moles Blackmail PS Convergence Tailgating Impersonation
  • 11. TRADITIONAL ATTACKS & TECHNIQUES • Tailgating • Lock Picking • Shimming • Key Bumping • Under Door Hooks (K22) • Lock Bypass • Elevator Keys
  • 14. WHO USES IT? Legacy 125-kilohertz proximity technology is still in place at around 70% to 80% of all physical access control deployments in the U.S. and it will be a long time before that changes, says Stephane Ardiley, product manager at HID Global.
  • 15. WHO IS VULNERABLE? • Government facilities (contractors too) • Medical Facilities • Financial Institutions • Nuclear facilities • Power/Water Facilities • Education • List  is  endless….
  • 18. RFID OVERVIEW – READ RANGES
  • 19. RFID OVERVIEW – WIEGAND PROTOCOL
  • 20. Internet FTW FACILITY Code & Access Card # Not so private.
  • 24. CLONING/REPLAY – LOW FREQUENCY (PROX II)
  • 26. PRIV ESCALATION - PROX BRUTE
  • 27. LONG RANGE READING – LOW FREQUENCY
  • 28. Long Range Tastic Reader (Low Frequency)
  • 30. LONG RANGE READING – HIGH FREQUENCY (ICLASS)
  • 31. ARDUINO WITH LCD, MOBILE READER
  • 33. DEMO Long Range Read – High Frequency
  • 34. ICLASS VULNERABILITY (PUBLIC) • Heart of Darkness - exploring the uncharted backwaters of HID iCLASS security • Milosch Meriac, meriac@OpenPCD.de • 27TH CHAOS COMMUNICATION CONGRESS IN BERLIN, DECEMBER 2010 • Firmware was dumped and encryption keys for Standard Security were compromised.
  • 37. ICLASS PRIVILEGE ESCALATION • Block 7 – Contains encrypted format of facility code and access card number • Use compromised keys and calculate new block 7 for Weigand data string • Write block 7 to clone card • Badge in! • Work in progress: • iClass brute
  • 40. BLENDED ATTACK – PRIVILEGE ESCALATION • Information leak from badge system • Remote compromise of access controls • Monitor activity • Identify system faults • Profiling • Access rights modification
  • 41. UNDER DEVELOPMENT – BIO AND PIN ATTACKS
  • 42. UNDER DEVELOPMENT – MESH NETWORK • Real Time Mesh Network – collaboration of multiple Red Team members and field hardware
  • 43. UNDER DEVELOPMENT – BACKDOORED READER • Backdoored reader with Audrino • Captures Wiegand data and transmits over Zigbee or wifi to other Red Team member’s  hardware  device  in  the  field
  • 45. REMEDIATION/RISK MITIGATION • Standard RFID asset protection/best practices • Protection strategies of badge systems (physical and electronic) • Protection against blended threads/Red Team targeted attacks • Custom card formats and Time To Reverse (TTR) • Protect badge systems with VLANs, 2-factor authentication or isolation • Training – Staff and Guards • Log Monitoring – IPS?
  • 46. QUESTIONS? Eric Smith Josh Perrymon esmith@lares.com jperrymon@lares.com @infosecmafia @packetfocus http://www.lares.com Code: https://github.com/LaresConsulting