Enter the BackTrack Linux Dragon
Andrew Kozma
Atlantic Security Conference
March 21-22, 2013
1
• Infosec professional working in healthcare
• Fan of all things ninja, samurai and kung fu cinema
• A huge fan of BackTrack, Offensive-Security and Bruce Lee
• Blues fanatic that secretly wants to learn how to play the harmonica
• I am forever a student, always learning something new
“A wise man can learn more from a foolish
question than a fool can learn from a wise
answer.”
~Bruce Lee
2
• Pre-engagement Interactions
• Intelligence Gathering
• Threat Modeling
• Vulnerability Analysis
• Exploitation
• Post Exploitation
• Reporting
3
• “Be like water making its way through cracks.
Do not be assertive, but adjust to the object,
and you shall find a way around or through it.
If nothing within you stays rigid, outward things
will disclose themselves.
Empty your mind, be formless. Shapeless, like
water. If you put water into a cup, it becomes
the cup. You put water into a bottle and it
becomes the bottle. You put it in a teapot, it
becomes the teapot. Now, water can flow or it
can crash. Be water, my friend.”
~ Bruce Lee
• “Obey the principles without being bound by
them.”
~ Bruce Lee
• “To hell with circumstances; I create
opportunities.”
~ Bruce Lee
4
• Primary difference between an authorized pentest and “Hacking”
• Defines the rules of engagement
• Provides scope so that critical infrastructure may not be impacted
• Legal “CYA” stuff…
5
• Recon-ng: a web reconnaissance framework written in Python
• Module based
• No direct queries to the target (OSINT)
• Organized to support the phases of a pentest
6
• The command “show modules” will display all available modules
• We are interested in what Google has stored in its databases regarding our target
• We will load the module with the command “load recon/hosts/gather/http/google”
• The command “info” provides additional information about the module and any options that can be set.
• We have to add our target with the command “set domain your target”
7
• To start reconnaissance we enter the command “run”
• It starts to query Google for known hosts associated with the target.
• Notice the “sleeping to avoid lockout” message
8
• Now that we have some hosts we want to get some contacts
• We run the “show modules” command again and this time select Jigsaw as our source
• To load the module we enter the command “load recon/contacts/gather/http/jigsaw”
• Type the command “info” for additional information about this module.
• Once again we have to select our target in the options by entering the command “set company your target”
• The more information gathered at this phase significantly improves our chances for a successful exploit
9
• We enter the command “run” to start the query against our target
• We can already start seeing contacts being collected
10
• Now let's put our intel into a format that will help support Threat Modeling
• Let's load the HTML report module using the command “load reporting/html_report”
• Let's title the report by setting the value for company: “set company your target”
• Set the filename and location for the created report: “set filename /root/Desktop/yourtarget.html”
11
12
*Note additional modules can be run to gather DNS and geographic data to complete this report*
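The recon-ng workflow on the preceding slides (show modules, load, info, set, run, then a reporting module that turns the collected data into HTML) is a module registry sharing one workspace. The following toy framework is an added example written for this page, not recon-ng's own code: the module paths mirror the ones used in the slides, but the "search engine" and "Jigsaw" results are constructed inline so that it runs offline, and every class, option name and the `Workspace` store are assumptions of this example. One point the slides do not show is worth making explicit: names and hostnames gathered from third-party sources are untrusted input, so the report module escapes them before writing HTML.

```python
"""Toy, offline model of a recon-ng style module framework (added example, not recon-ng code)."""
from __future__ import annotations

import html
from dataclasses import dataclass, field

# Constructed stand-ins for what a search-engine module and a Jigsaw module would return.
FAKE_SEARCH_INDEX = {"example.org": ["www.example.org", "mail.example.org", "vpn.example.org"]}
FAKE_JIGSAW = {"Example Org": [("Alice", "Smith", "CISO"), ("Bob", "Jones", "Helpdesk <b>lead</b>")]}


@dataclass
class Workspace:
    """Shared store that every module reads from and writes to (recon-ng keeps this in a database)."""
    hosts: list[str] = field(default_factory=list)
    contacts: list[tuple[str, str, str]] = field(default_factory=list)


class Module:
    path = ""            # e.g. recon/hosts/gather/http/google
    description = ""
    defaults: dict[str, str | None] = {}

    def __init__(self) -> None:
        self.options = dict(self.defaults)   # per-instance copy, so "set" never changes the class

    def info(self) -> str:
        return f"{self.path}: {self.description}\noptions: {self.options}"

    def set(self, name: str, value: str) -> None:
        if name not in self.options:
            raise KeyError(f"unknown option {name!r}")
        self.options[name] = value

    def run(self, ws: Workspace) -> int:
        """Populate the workspace; return how many new records were added."""
        raise NotImplementedError


class SearchEngineHosts(Module):
    path = "recon/hosts/gather/http/google"
    description = "hosts a search engine has indexed for DOMAIN (constructed data)"
    defaults = {"domain": None}

    def run(self, ws: Workspace) -> int:
        found = [h for h in FAKE_SEARCH_INDEX.get(self.options["domain"], []) if h not in ws.hosts]
        ws.hosts.extend(found)          # de-duplicated against what is already stored
        return len(found)


class JigsawContacts(Module):
    path = "recon/contacts/gather/http/jigsaw"
    description = "contacts listed for COMPANY (constructed data)"
    defaults = {"company": None}

    def run(self, ws: Workspace) -> int:
        found = [c for c in FAKE_JIGSAW.get(self.options["company"], []) if c not in ws.contacts]
        ws.contacts.extend(found)
        return len(found)


class HtmlReport(Module):
    path = "reporting/html_report"
    description = "write the workspace as an HTML report titled COMPANY to FILENAME"
    defaults = {"company": None, "filename": None}

    def render(self, ws: Workspace) -> str:
        # Everything in the workspace came from third parties: escape it before it becomes markup.
        title = html.escape(self.options["company"] or "report")
        hosts = "".join(f"<li>{html.escape(h)}</li>" for h in ws.hosts)
        contacts = "".join(
            f"<tr><td>{html.escape(f)}</td><td>{html.escape(l)}</td><td>{html.escape(t)}</td></tr>"
            for f, l, t in ws.contacts
        )
        return (f"<html><head><title>{title}</title></head><body><h1>{title}</h1>"
                f"<h2>Hosts</h2><ul>{hosts}</ul><h2>Contacts</h2><table>{contacts}</table></body></html>")

    def run(self, ws: Workspace) -> int:
        text = self.render(ws)
        with open(self.options["filename"], "w", encoding="utf-8") as fh:
            fh.write(text)
        return len(text)


MODULES = {m.path: m for m in (SearchEngineHosts, JigsawContacts, HtmlReport)}


def show_modules() -> list[str]:
    return sorted(MODULES)


def load(path: str) -> Module:
    return MODULES[path]()


if __name__ == "__main__":
    ws = Workspace()
    for path, opt, value in [("recon/hosts/gather/http/google", "domain", "example.org"),
                             ("recon/contacts/gather/http/jigsaw", "company", "Example Org")]:
        m = load(path)
        m.set(opt, value)
        print(m.path, "added", m.run(ws))
    rep = load("reporting/html_report")
    rep.set("company", "Example Org")
    rep.set("filename", "example-org.html")
    print("report bytes:", rep.run(ws))
```

Running the script populates the workspace and writes `example-org.html` in the current directory; note that the second contact's title contains markup and comes out of the report as harmless escaped text.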
• Leveraging all of the data gathered to select attack vectors and plan a well organized strategic attack
• Will include social media and various other forms of information
• For the demo today we will be targeting an employee
A snippet from the PTES site at http://www.pentest-standard.org
13
• Up until now everything was done passively, no direct contact with the target and its related hosts/systems
• Will include multiple scans for: ports, service banners and of course vulnerabilities
14
• Attacker - BackTrack 5r3 with updated repositories and tools
• Target - Fully patched and updated Windows 7 installation with Microsoft Security Essentials installed and updated
• Using a phishing email targeted at an employee with relevant information (Client Side Exploits)
• In the “real world” most likely the client will indicate client side attacks are out of scope at the pre-engagement phase due to the incredibly high success rate….
15
• We are going to use the Social-Engineer Toolkit (SET)
• In a terminal navigate to SET: “cd /pentest/exploits/set”
• From the SET directory: “./set”
• Select Option 1
16
• For this demo we are going to utilize website attack vectors
17
• We are going to select the Java applet attack
• Leverages a customized Java applet to deliver the payload
• According to Oracle there are a lot of Java users out there
18
• We are going to clone a site using option 2
• NAT/port forwarding is required if you have to traverse a firewall; for this demo we will say no
• We have to enter the IP address of the attacker so the reverse connection can be successful
• Enter the URL for the site we wish to clone
19
• We want to be able to interact in various ways with the target system
• A Meterpreter session provides multiple options and is preferred
20
• We want to successfully compromise the target and option 16 is described as (BEST)
21
• We need to configure some options for our back door
• We select port 4444 for this demo
• The payload is encoded and hidden within an executable
• Then it is moved into the cloned site and our listener is set up to wait for the reverse connection
22
• Now that we have our listener waiting and we see that the payload handler is starting, let's send our phishing email and wait
• Notice that the embedded link indicates HalifaxMooseheads.ca
• Looks legit, right? And from our intel we can see the target has posted pictures on social media sites of his friends and family enjoying the games
23
• The target has clicked the link to browse to our malicious site
• He is presented with a “Trusted” Java applet indicating that something needs to be installed
• This is persistent: if the user clicks cancel the applet will return again
• User thoughts… Hey, it says (VERIFIED SAFE), right…
24
• The attacker can tell the user has clicked the link
• However no reverse session appears, indicating something went awry
• In this particular instance Microsoft Security Essentials detected our payload and prevented the reverse session
• What do we do now…
25
“Defeat is not defeat unless accepted as a reality in your own mind.”
~Bruce Lee
“If you always put limits on everything you do, physical or anything else, it will spread into your work and into your life. There are no limits. There are only plateaus, and you must not stay there, you must go beyond them.”
~Bruce Lee
26
*Try Harder and the BackTrack Dragon are registered Trademarks of Offensive-Security*
Many thanks to the team at Offensive Security for being an educational sponsor of
AtlSecCon 2013
27
• Let's try this again…
• The attack vector will not change but we will be changing the delivery of the payload
• We are still leveraging Social-Engineering Attacks
28
• Once again we will be using option 2, Website Attack Vectors
29
• We are going to clone a site again with option 2
• Automation is a beautiful thing… let's take a moment to thank David Kennedy of TrustedSec.com (@dave_rel1k) for all of his efforts.
• Hugs brah! SET is so full of win!
30
• This time however we are going to change the payload
• PyInjector is relatively new and has been available since the summer of 2012
• It injects shellcode directly into memory via PowerShell
• Because it does not touch disk it makes it very difficult for AV services to detect … sneaky sneaky…
31
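The two delivery chains in this deck leave different traces: the first (slide 22) drops an encoded executable that calls back to the handler on port 4444, the second (slide 31) keeps the shellcode in memory but still has to launch PowerShell, typically with a hidden window and an encoded command line. Both are visible to process-creation and network-connection logging even when nothing is written to disk, which is the point of the following detection script. It is an added example for this page, not code from the deck, from SET or from any product: the log lines are constructed in a simplified Sysmon-like key=value format (event 1 = process creation, event 3 = network connection, which are Sysmon's real event IDs, but the field names and all paths, addresses and the base64 fragment are made up), and the rule names, the flag list and the threshold of two PowerShell flags are this example's own choices. The Java-parent rule is the one that covers the applet vector regardless of payload: a browser's Java runtime has no business spawning PowerShell or a fresh executable out of a Temp directory.

```python
"""Flag process-creation and network events typical of Java-applet droppers and
PowerShell in-memory injectors. Added example; constructed log data only."""
import re

# Constructed sample log (Sysmon-like key=value lines; paths and addresses are made up).
SAMPLE_LOG = r"""
event=1 image="C:\Windows\System32\cmd.exe" parent="C:\Windows\explorer.exe" cmdline="cmd.exe /c dir"
event=1 image="C:\Users\bob\AppData\Local\Temp\update.exe" parent="C:\Program Files\Java\jre7\bin\javaw.exe" cmdline="update.exe"
event=3 image="C:\Users\bob\AppData\Local\Temp\update.exe" dst=203.0.113.10 dport=4444
event=1 image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" parent="C:\Program Files\Java\jre7\bin\javaw.exe" cmdline="powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc SQBFAFgA..."
event=1 image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" parent="C:\Windows\explorer.exe" cmdline="powershell.exe -File C:\scripts\backup.ps1"
event=3 image="C:\Program Files\Internet Explorer\iexplore.exe" dst=198.51.100.7 dport=443
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted value" or key=bare
JAVA_IMAGES = {"java.exe", "javaw.exe"}
HANDLER_PORTS = {4444}          # the listener port chosen in the demo (and Metasploit's default)
# Command-line traits of scripted/in-memory PowerShell launches; two or more together are flagged.
POWERSHELL_FLAGS = [
    r"-enc\b", r"-encodedcommand\b", r"-e\b", r"-nop\b", r"-noprofile\b",
    r"-noni\b", r"-noninteractive\b", r"-w\s+hidden", r"-windowstyle\s+hidden",
    r"bypass\b", r"\biex\b", r"invoke-expression", r"downloadstring", r"virtualalloc",
]


def parse_line(line: str) -> dict[str, str]:
    """Turn one key=value log line into a dict; quoted values may contain spaces."""
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: dict[str, str]) -> list[tuple[str, str]]:
    """Return (rule, image) alerts for a single parsed event."""
    alerts = []
    image = basename(ev.get("image", ""))
    if ev.get("event") == "1":
        if basename(ev.get("parent", "")) in JAVA_IMAGES:
            alerts.append(("java_spawned_process", image))
        if image == "powershell.exe":
            cmd = ev.get("cmdline", "").lower()
            hits = [p for p in POWERSHELL_FLAGS if re.search(p, cmd)]
            if len(hits) >= 2:
                alerts.append(("suspicious_powershell_flags", image))
    elif ev.get("event") == "3":
        port = ev.get("dport", "")
        if port.isdigit() and int(port) in HANDLER_PORTS:
            alerts.append(("default_handler_port", image))
    return alerts


def detect(log_text: str) -> list[tuple[str, str]]:
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            alerts.extend(check_event(parse_line(line)))
    return alerts


if __name__ == "__main__":
    for rule, image in detect(SAMPLE_LOG):
        print(f"{rule:30} {image}")
```

On the sample data the benign `cmd.exe`, the scheduled `backup.ps1` and the browser's HTTPS connection pass, while the dropped `update.exe`, its callback on 4444 and the hidden encoded PowerShell launch each raise an alert. A fixed port is the weakest of the three signals, since an operator can change it in one keystroke; the parent-child relationship and the PowerShell launch flags survive that change.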
• Once again we want to use Meterpreter to interact with the compromised host via a reverse TCP connection
32
• This is definitely sweet!
• Yuuupp, Multi-PowerShell-Injection homie! (*Notice the ports associated)
• The payload is moved into the cloned website
33
• Our reverse handler is ready and waiting
• Again the target sees the same Java applet message
• User thoughts… it must be ok… It even says it is (Verified Safe)… plus I really want those tickets…
• What is going to happen this time…
34
• Sessions baby…. 5 of them
• Let's list the active sessions using the command “sessions -i”
• Let's interact with the host using one of the sessions with the command “sessions -i 1” for session 1
35
• Entering the command “screenshot” at the Meterpreter prompt saves a .jpg of whatever the target is currently viewing
• We can start an interactive shell with the “shell” command
• We can view “sysinfo”, create new users or dump password hashes for offline cracking
36
• We can even create a directory or steal data; the possibilities are numerous
37
• We want to further penetrate the target's network, looking for other services and additional targets (Pivoting)
• We want to maintain persistence so that we can return as required
• Dump the hashes for offline cracking and use those credentials to compromise other systems and services (Pass the Hash)
38
• Nobody likes to do it
• This is where the real value for the client is
• A sample report can be downloaded from Offensive Security for review
39
• How could this have all been avoided?
• Security awareness…
• User behavior…
• What is the impact of tools like SET allowing the automation of attacks?
• Easier to attack? – Yes… this is how a 12 year old script kiddie can pwn a seasoned infosec professional with years of experience.
• Easier to defend? – The use of tools like SET can help your defensive posture because it allows us as security professionals to quickly test new attack vectors and exploits. The results can be leveraged to modify or change security countermeasures where required.
40
• A great resource from Rapid7 (AtlSecCon 2013 Sponsor) to setup your lab:
• https://community.rapid7.com/community/infosec/blog/2011/01/05/how-to-set-up-a-pentesting-lab
• For additional information on the Penetration Testing Execution Standard please visit:
• http://www.pentest-standard.org/index.php/Main_Page
• http://nostarch.com/metasploit
• The Recon-ng project created by Tim Tomes (@LaNMaSteR53) can be located here:
• https://bitbucket.org/LaNMaSteR53/recon-ng
• For news about all things SET and a great security blog:
• https://www.trustedsec.com/news-and-events/
• @dave_rel1k
• A sample penetration report from Offensive-Security can be downloaded from here:
• http://www.offensive-security.com/penetration-testing-sample-report.pdf
• BackTrack, the BackTrack dragon logo, the Try Harder message, Kali-Linux and Offensive-Security are all
registered trademarks of Offensive-Security.
• The amazing images of Bruce Lee are the work of South Korea’s Kim Dae Hwan darkdamage.deviantart.com/
41
• “Absorb what is useful, discard what is not, add what is uniquely your own.”
~Bruce Lee
• Social Media
• @k0z1can
• http://ca.linkedin.com/in/andrewkozma
42

Weitere ähnliche Inhalte

Was ist angesagt?

[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
CODE BLUE
 
Creating Havoc using Human Interface Device
Creating Havoc using Human Interface DeviceCreating Havoc using Human Interface Device
Creating Havoc using Human Interface Device
Positive Hack Days
 
Showing How Security Has (And Hasn't) Improved, After Ten Years Of Trying
Showing How Security Has (And Hasn't) Improved, After Ten Years Of TryingShowing How Security Has (And Hasn't) Improved, After Ten Years Of Trying
Showing How Security Has (And Hasn't) Improved, After Ten Years Of Trying
Dan Kaminsky
 
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
CODE BLUE
 
Domain Key Infrastructure (From Black Hat USA)
Domain Key Infrastructure (From Black Hat USA)Domain Key Infrastructure (From Black Hat USA)
Domain Key Infrastructure (From Black Hat USA)
Dan Kaminsky
 

Was ist angesagt? (20)

Black ops 2012
Black ops 2012Black ops 2012
Black ops 2012
 
Top Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions TodayTop Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions Today
 
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
 
Creating Havoc using Human Interface Device
Creating Havoc using Human Interface DeviceCreating Havoc using Human Interface Device
Creating Havoc using Human Interface Device
 
Confidence web
Confidence webConfidence web
Confidence web
 
Showing How Security Has (And Hasn't) Improved, After Ten Years Of Trying
Showing How Security Has (And Hasn't) Improved, After Ten Years Of TryingShowing How Security Has (And Hasn't) Improved, After Ten Years Of Trying
Showing How Security Has (And Hasn't) Improved, After Ten Years Of Trying
 
Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guys
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active Directory
 
Black opspki 2
Black opspki 2Black opspki 2
Black opspki 2
 
Luis Grangeia IBWAS
Luis Grangeia IBWASLuis Grangeia IBWAS
Luis Grangeia IBWAS
 
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
 
Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?
 
Interpolique
InterpoliqueInterpolique
Interpolique
 
BSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be HuntedBSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be Hunted
 
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
 
Attacker's Perspective of Active Directory
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active Directory
 
Domain Key Infrastructure (From Black Hat USA)
Domain Key Infrastructure (From Black Hat USA)Domain Key Infrastructure (From Black Hat USA)
Domain Key Infrastructure (From Black Hat USA)
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 
Understanding Information Security Assessment Types
Understanding Information Security Assessment TypesUnderstanding Information Security Assessment Types
Understanding Information Security Assessment Types
 

Ähnlich wie Enter The back|track Linux Dragon

Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja WarriorsRyan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins
 
Website Hacking and Preventive Measures
Website Hacking and Preventive MeasuresWebsite Hacking and Preventive Measures
Website Hacking and Preventive Measures
Shubham Takode
 

Ähnlich wie Enter The back|track Linux Dragon (20)

Incident Response Fails
Incident Response FailsIncident Response Fails
Incident Response Fails
 
Started In Security Now I'm Here
Started In Security Now I'm HereStarted In Security Now I'm Here
Started In Security Now I'm Here
 
How i'm going to own your organization v2
How i'm going to own your organization v2How i'm going to own your organization v2
How i'm going to own your organization v2
 
Path of Cyber Security
Path of Cyber SecurityPath of Cyber Security
Path of Cyber Security
 
Path of Cyber Security
Path of Cyber SecurityPath of Cyber Security
Path of Cyber Security
 
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
 
The hardcore stuff i hack, experiences from past VAPT assignments
The hardcore stuff i hack, experiences from past VAPT assignmentsThe hardcore stuff i hack, experiences from past VAPT assignments
The hardcore stuff i hack, experiences from past VAPT assignments
 
Debugging distributed systems
Debugging distributed systemsDebugging distributed systems
Debugging distributed systems
 
Mastering Microservices 2022 - Debugging distributed systems
Mastering Microservices 2022 - Debugging distributed systemsMastering Microservices 2022 - Debugging distributed systems
Mastering Microservices 2022 - Debugging distributed systems
 
Intro to INFOSEC
Intro to INFOSECIntro to INFOSEC
Intro to INFOSEC
 
From SLO to GOTY
From SLO to GOTYFrom SLO to GOTY
From SLO to GOTY
 
Bridging the Gap
Bridging the GapBridging the Gap
Bridging the Gap
 
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
 
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja WarriorsRyan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
 
Website Hacking and Preventive Measures
Website Hacking and Preventive MeasuresWebsite Hacking and Preventive Measures
Website Hacking and Preventive Measures
 
Yow connected developing secure i os applications
Yow connected   developing secure i os applicationsYow connected   developing secure i os applications
Yow connected developing secure i os applications
 
Protecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber CrimeProtecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber Crime
 
JavaLand 2022 - Debugging distributed systems
JavaLand 2022 - Debugging distributed systemsJavaLand 2022 - Debugging distributed systems
JavaLand 2022 - Debugging distributed systems
 
GOTO night April 2022 - Debugging distributed systems
GOTO night April 2022 - Debugging distributed systemsGOTO night April 2022 - Debugging distributed systems
GOTO night April 2022 - Debugging distributed systems
 
Bridging the Gap: Lessons in Adversarial Tradecraft
Bridging the Gap: Lessons in Adversarial TradecraftBridging the Gap: Lessons in Adversarial Tradecraft
Bridging the Gap: Lessons in Adversarial Tradecraft
 

Kürzlich hochgeladen

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Kürzlich hochgeladen (20)

Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 

Enter The back|track Linux Dragon

  • 1. Enter the BackTrack Linux Dragon Andrew Kozma Atlantic Security Conference March 21-22, 2013 1
  • 2. • Infosec professional working in healthcare • Fan of all things ninja, samurai and kung fu cinema • A huge fan of BackTrack, Offensive-Security and Bruce Lee • Blues fanatic that secretly wants to learn how to play the harmonica • I am forever a student, always learning something new “A wise man can learn more from a foolish question than a fool can learn from a wise answer.” ~Bruce Lee 2
  • 3. • Pre-engagement Interactions • Intelligence Gathering • Threat Modeling • Vulnerability Analysis • Exploitation • Post Exploitation • Reporting 3
  • 4. • “Be like water making its way through cracks. Do not be assertive, but adjust to the object, and you shall find a way around or through it. If nothing within you stays rigid, outward things will disclose themselves. Empty your mind, be formless. Shapeless, like water. If you put water into a cup, it becomes the cup. You put water into a bottle and it becomes the bottle. You put it in a teapot, it becomes the teapot. Now, water can flow or it can crash. Be water, my friend.” ~ Bruce Lee • “Obey the principles without being bound by them.” ~ Bruce Lee • “To hell with circumstances; I create opportunities.” ~ Bruce Lee 4
  • 5. • Primary difference between an authorized pentest and “Hacking” • Defines the rules of engagement • Provides scope so that critical infrastructure may not be impacted • Legal “CYA” stuff… 5
  • 6. • Web Reconnaissance framework written in Python • Module based • No direct queries to target (OSINT) • Organized to support the phases of a pentest 6
  • 7. • The command “show modules” will display all available modules • We are interested what google has stored in its databases regarding our target • We will load the module with the command “load recon/hosts/gather/http/google” • The command “info” provides additional information about the module and any options that can be set. • We have to add our target with the command “set domain your target” 7
  • 8. • To start reconnaissance we enter the command “run” • It starts to query Google for known hosts associated with the target. • Notice the sleeping to avoid lockout message 8
  • 9. • Now that we have some hosts we want to get some contacts • We run the “show modules” command again and this time select Jigsaw as our source • To load the module we enter the command “load recon/contacts/gather/http/jigsaw” • Type the command “info” for additional information about this module. • Once again we have to select our target in the options by entering the command “set company your target” • The more information gathered at this phase significantly improves our chances for a successful exploit 9
  • 10. • We enter the command “run” to start the query against our target • We can already start seeing contacts being collected 10
  • 11. • Now lets put our intel into a format that will help support Threat Modeling • Lets load the output html report model using the command “load reporting/html_report” • Lets title the report by setting the value for company “set company your target” • Set the filename and location to put the created report “set filename /root/Desktop/yourtarget.html” 11
  • 12. 12 *Note additional modules can be run to gather DNS and geographic data to complete this report*
  • 13. • Leveraging all of the data gathered to select attack vectors and plan a well organized strategic attack • Will include social media and various other forms of information • For the demo today we will be targeting an employee A snippet from the PTES site at http://www.pentest-standard.org 13
  • 14. • Up until now everything was done passively, no direct contact with the target and its related hosts/systems • Will include multiple scans for: ports, services banners and of course vulnerabilities 14
• Attacker - BackTrack 5r3 with updated repositories and tools
• Target - Fully patched and updated W7 installation with Microsoft Security Essentials installed and updated
• Using a phishing email targeted at an employee with relevant information (Client Side Exploits)
• In the “real world” most likely the client will indicate client side attacks are out of scope at the pre-engagement phase due to the incredibly high success rate….
15
• We are going to use the Social-Engineer Toolkit (SET)
• In a terminal navigate to SET: “cd /pentest/exploits/set”
• From the SET directory: “./set”
• Select Option 1
16
• For this demo we are going to utilize website attack vectors
17
• We are going to select the Java applet attack
• Leverages a customized Java applet to deliver the payload
• According to Oracle there are a lot of Java users out there
18
• We are going to clone a site using option 2
• NAT/Port forward is required if you have to traverse a firewall; for this demo we will say no
• We have to enter the IP address of the attacker so the reverse connection can be successful
• Enter the URL for the site we wish to clone
19
• We want to be able to interact in various ways with the target system
• A Meterpreter session provides multiple options and is preferred
20
• We want to successfully compromise the target and option 16 is described as (BEST)
21
• We need to configure some options for our back door
• We select port 4444 for this demo
• The payload is encoded and hidden within an executable
• Then it is moved into the cloned site and our listener is set up to wait for the reverse connection
22
• Now that we have our listener waiting and we see that the payload handler is starting, let’s send our phishing email and wait
• Notice that the embedded link indicates HalifaxMooseheads.ca
• Looks legit, right? From our intel we can see the target has posted pictures on social media sites of his friends and family enjoying the games
23
• The target has clicked the link to browse to our malicious site
• He is presented with a “Trusted” Java applet indicating that something needs to be installed
• This is persistent: if the user clicks cancel the applet will return again
• User thoughts… Hey, it says (VERIFIED SAFE), right…
24
• The attacker can tell the user has clicked the link
• However no reverse session appears, indicating something went awry
• In this particular instance Microsoft Security Essentials detected our payload and prevented the reverse session
• What do we do now…
25
“Defeat is not defeat unless accepted as a reality-in your own mind.”
~Bruce Lee
“If you always put limits on everything you do, physical or anything else, it will spread into your work and into your life. There are no limits. There are only plateaus, and you must not stay there, you must go beyond them.”
~Bruce Lee
26
*Try Harder and the BackTrack Dragon are registered Trademarks of Offensive-Security*
Many thanks to the team at Offensive Security for being an educational sponsor of AtlSecCon 2013
27
• Let’s try this again…
• The attack vector will not change but we will be changing the delivery of the payload
• We are still leveraging Social-Engineering Attacks
28
• Once again we will be using option 2, Website Attack Vectors
29
• We are going to clone a site again with option 2
• Automation is a beautiful thing… let’s take a moment to thank David Kennedy of TrustedSec.com (@dave_rel1k) for all of his efforts.
• Hugs brah! SET is so full of win!
30
• This time however we are going to change the payload
• Pyinjector is relatively new and has been available since the summer of 2012
• It injects shellcode directly into memory via PowerShell
• Because it does not touch disk it makes it very difficult for AV services to detect… sneaky sneaky…
31
• Once again we want to use Meterpreter to interact with the compromised host via a reverse TCP connection
32
• This is definitely sweet!
• Yuuupp, Multi-PowerShell-Injection homie! (Notice the ports associated)
• The payload is moved into the cloned website
33
• Our reverse handler is ready and waiting
• Again the target sees the same Java applet message
• User thoughts… it must be ok… It even says it is (Verified Safe)… plus I really want those tickets…
• What is going to happen this time…
34
• Sessions baby…. 5 of them
• Let’s list the active sessions using the command “sessions -i”
• Let’s interact with the host using one of the sessions with the command “sessions -i 1” for session 1
35
• Entering the command “screenshot” at the meterpreter prompt saves a .jpg of whatever the target is currently viewing
• We can start an interactive shell with the “shell” command
• We can view “sysinfo”, create new users or dump password hashes for offline cracking
36
• We can even create a directory or steal data; the possibilities are numerous
37
• We want to further penetrate the target’s network, looking for other services and additional targets (Pivoting)
• We want to maintain persistence so that we can return as required
• Dump the hashes for offline cracking and use those credentials to compromise other systems and services (Pass the Hash)
38
• Nobody likes to do it
• This is where the real value for the client is
• A sample report can be downloaded from Offensive Security for review
39
• How could this have all been avoided?
• Security awareness…
• User behavior…
• What is the impact of tools like SET allowing the automation of attacks?
• Easier to attack? – Yes… this is how a 12 year old script kiddie can pwn a seasoned infosec professional with years of experience.
• Easier to defend? – The use of tools like SET can help your defensive posture because it allows us as security professionals to quickly test new attack vectors and exploits. The results can be leveraged to modify or change security countermeasures where required.
40
• A great resource from Rapid7 (AtlSecCon 2013 Sponsor) to set up your lab:
• https://community.rapid7.com/community/infosec/blog/2011/01/05/how-to-set-up-a-pentesting-lab
• For additional information on the Penetration Testing Execution Standard please visit:
• http://www.pentest-standard.org/index.php/Main_Page
• http://nostarch.com/metasploit
• The Recon-ng project created by Tim Tomes (@LaNMaSteR53) can be located here:
• https://bitbucket.org/LaNMaSteR53/recon-ng
• For news about all things SET and a great security blog:
• https://www.trustedsec.com/news-and-events/
• @dave_rel1k
• A sample penetration report from Offensive-Security can be downloaded from here:
• http://www.offensive-security.com/penetration-testing-sample-report.pdf
• BackTrack, the BackTrack dragon logo, the Try Harder message, Kali-Linux and Offensive-Security are all registered trademarks of Offensive-Security.
• The amazing images of Bruce Lee are the work of South Korea’s Kim Dae Hwan: darkdamage.deviantart.com/
41
• “Absorb what is useful, discard what is not, add what is uniquely your own.” ~Bruce Lee
• Social Media
• @k0z1can
• http://ca.linkedin.com/in/andrewkozma
42