SlideShare a Scribd company logo

The best defense is a good offense (April 2013 Presentation to Atlantic HTCIA chapter)

Andrew Kozma
Andrew Kozma
Technology
1 of 36
Download to read offline
“Improving your defensive security posture with offensive security strategies” Andrew Kozma HTCIA, Atlantic Chapter Meeting April 18th, 2013
A bit about me…  Infosec professional working in healthcare  Co-founder of AtlSecCon  Midnight ethical hacker  A perpetual student  Security researcher/philosopher  Fan of the blues (Secretly want to learn how to play the harmonica)
Offensive Security  “How much can you know about yourself if you've never been in a fight?” ~Chuck Palahniuk, Fight Club  Hacking our own infrastructure to improve defensive security measures and processes  Tools – Kali Linux, a security distro maintained by Offensive- Security with all the tools required to test security, it’s free and always will be  Tactics – The application of tools  Strategy – The big picture, all the pieces working together to achieve an ultimate goal
Creating a practice environment  “The first rule of fight club is, you don't talk about fight club.” ~Chuck Palahniuk, Fight Club  The goal - a controlled environment where it is safe to practice offensive security techniques  There are many vulnerable distributions that can serve as targets to help build skills (@g0tmi1k’s www.vulnhub.com)  With proper planning and authorization along with an understanding of the risks you can test production infrastructure  Virtualization is a beautiful thing!
Demo (metasploitable2)  NMAP Scan  Identify OS, Services and open ports  Nessus Vuln Scan  Run a scan to find vulnerabilities that can potentially be exploited  Metasploit console  Import the info  Exploit the target  Post exploitation  Crack passwords with john  PWN the box
Demo (nmap) • Scanning with nmap -O OS Detection -sV Service Version -sC NSE Scripts -oX Output in xml format --stylesheet nmap.xsl --open --reason • Copying the stylesheet to our working directory • Displaying the nmap scan in Iceweasel (Kali-Linux Browser)
Demo (nmap output)
Demo (Nessus) • Nessus Vulnerability Scanner • Not native to Kali-Linux • Download and install • dpkg –i “filename” • Register for Home feed (free) • Connect to Local host port 8834 • Login and select new scan
Demo (Nessus) • Launch the scan • Nessus indicates the scan progress • A summary is displayed once the scan is complete
Demo (Nessus) • Export and save the report
Demo (Nessus Output)
Demo (metasploit) • Opening the Metasploit Framework Console • Enter the command “msfconsole” • Importing our nmap scan results into the metasploit database • Enter the command “db_import /path to the nmap scan”
Demo (metasploit) • We can validate the db_import by entering the command “hosts” at the msf prompt • We can also validate the services imported for that host from nmap by entering the command “services” at an msf prompt.
Demo (metasploit) • Import the nessus scan into metasploit with command “db_import /path to the file” • Now that it is imported into metasploit we can view the vulnerabilities that nessus detected with the command “vulns”
Demo (metasploit) • For this demo we are going to exploit samba • Load the exploit in msf with the command: “use exploit/multi/samba/usermap_script” • Once the exploit is loaded we can learn more about its functions via the command “info”
Demo (metasploit) • The command: “show options” indicates any variables that require a value to be set • For this exploit a Remote Host is required to be identified. We will use the command: “set RHOST target.ip.address” • A payload that will be delivered to the target is required we issue the command “set PAYLOAD cmd/unix/bind/netcat”
Demo (metasploit) • The command “show options” now indicates the variables for RHOST and PAYLOAD that we previously defined
Demo (metasploit) • We attack the target via the command “exploit” • Booyah! Shell access to the target! • We have root level access to the target and interact via this shell • Let’s display the target systems user accounts via the command “cat /etc/passwd” • We are going to select the data displayed and copy it to a .txt file
Demo (metasploit) • Now we need to grab the hashes associated with the user accounts we just viewed • This can be done by displaying the hashes via the command “cat /etc/shadow” • Once again we will be selecting the information displayed and will be copying it to a .txt file
Demo (Usernames and Hashes)
Demo (John The Ripper) • We are going to use John The Ripper to crack the passwords for the user accounts • For John to crack them we have to combine the usernames and their hash into a format that John can understand • We combine both files to a single one for John to crack with the command: “unshadow /path/passwd.txt /path/shadow.txt > unshadowed.txt” • We now have a file with usernames and hashes that John can use
Demo (John The Ripper) • We are going to take a quick peek at the contents of the new file • To do this we change to directory the file resides in “cd HTCIA” • We can display the contents of this file in the terminal with the command “cat unshadowed.txt”
Demo (John The Ripper) • To start cracking the password with John we issue the command: “john /path to the filename.txt” • John has loaded the hashes and has successfully cracked some of the passwords • Previously cracked passwords can be viewed with the command: “john –show /Path to the file.txt”
Demo (Post Exploitation) • Using our new creds to SSH to the exploited workstation • To connect via SSH we use the command: “ssh –l msfadmin Target.IP.Address” • Now we have a terminal session vs a shell • In the real world we could continue to install backdoors, steal data, pivot to scan for other hosts
Demo (Post Exploitation) • Lets review other services so that we can maintain a persistent presence on the compromised workstation • Hmmm NFS services are running on the target…
Demo (Post Exploitation) • Lets take a quick look at the NFS share available on the target • Uh oh… everything is shared • We are going to create a temp directory and then mount the share in it • Lets display the filesystem to see the NFS share mounted in temp
Demo (Post Exploitation) • Looking into the share that we mounted… • We already know we can copy the contents of the passwd and shadow files again
Demo (Post Exploitation) • Remember our Nessus output • Collect as much information as possible during the information gathering phase… • Sometimes you get lucky! The VNC server password was identified in the scan by Nessus
Breaking things to make them better  “At the time, my life just seemed too complete, and maybe we have to break everything to make something better out of ourselves.” ~Chuck Palahniuk, Fight Club  When you start looking at production systems it is important to have a demonstrated, repeatable process that has buy in from management  Document your findings indicating the threat, the likelihood of occurrence and the impact to the business  Use this information to build business cases for investment in security solutions  When you start looking at the production environment… there will be blood….
Advanced Persistent Response  “On a long enough time line, the survival rate for everyone drops to zero.” ~Chuck Palahniuk, Fight Club  Understanding trends and current threats  Filling in the gaps with security (Technology and process)  Creating and implementing a security model that meets organizational needs
Incident Response  "With a gun barrel between your teeth, you speak only in vowels.“ ~Chuck Palahniuk, Fight Club  Preparation  Have a plan, know who to call and when  Identification  Determination of whether or not there was an incident  Containment  Protecting other critical systems “stop the bleeding”  Eradication  Addressing the vulnerabilities that were exploited  Recovery  Returning to operational status  Follow up  Lessons learned, prevent future incidents of the same nature
Parting thoughts  Do you still think the best defense is a good offense?  IMHO ~ A good offense helps to make a great defense! (with proper planning and execution)
References  Jeremy Druin @webpwnized has a great tutorial online going into more detail: http://www.youtube.com/watch?v=0fbBwGAuINw  @netbiosx has a tutorial available online regarding NFS and metasploitable2: http://pentestlab.wordpress.com/2013/01/20/nfs-misconfiguration/  Nessus software and home feed licensing can be found on their site: http://www.tenable.com/  Kali-Linux can be obtained at www.kali.org and is maintained by Offensive-Security  Metasploitable2 is maintained by Rapid7 and is available for download from: https://community.rapid7.com/docs/DOC-1875  Why stop here! There are many other distros to help expand your skillset, check out @g0tmi1k and his website at http://vulnhub.com/
Thank you  Twitter handle - @k0z1can  ca.linkedin.com/in/andrewkozma/

Recommended

Vulnerability, exploit to metasploit
Vulnerability, exploit to metasploitVulnerability, exploit to metasploit
Vulnerability, exploit to metasploit
Tiago Henriques
 
Metasploit for Penetration Testing: Beginner Class
Metasploit for Penetration Testing: Beginner ClassMetasploit for Penetration Testing: Beginner Class
Metasploit for Penetration Testing: Beginner Class
Georgia Weidman
 
Metasploit for Web Workshop
Metasploit for Web WorkshopMetasploit for Web Workshop
Metasploit for Web Workshop
Dennis Maldonado
 
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Lane Huff
 
About linux-english
About linux-englishAbout linux-english
About linux-english
Shota Ito
 
CheckPlease: Payload-Agnostic Targeted Malware
CheckPlease: Payload-Agnostic Targeted MalwareCheckPlease: Payload-Agnostic Targeted Malware
CheckPlease: Payload-Agnostic Targeted Malware
Brandon Arvanaghi
 
BSides_Charm2015_Info sec hunters_gathers
BSides_Charm2015_Info sec hunters_gathersBSides_Charm2015_Info sec hunters_gathers
BSides_Charm2015_Info sec hunters_gathers
Andrew McNicol
 
Metasploit For Beginners
Metasploit For BeginnersMetasploit For Beginners
Metasploit For Beginners
Ramnath Shenoy
 

Recommended

Vulnerability, exploit to metasploit
Vulnerability, exploit to metasploitVulnerability, exploit to metasploit
Vulnerability, exploit to metasploit
Tiago Henriques
 
Metasploit for Penetration Testing: Beginner Class
Metasploit for Penetration Testing: Beginner ClassMetasploit for Penetration Testing: Beginner Class
Metasploit for Penetration Testing: Beginner Class
Georgia Weidman
 
Metasploit for Web Workshop
Metasploit for Web WorkshopMetasploit for Web Workshop
Metasploit for Web Workshop
Dennis Maldonado
 
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Lane Huff
 
About linux-english
About linux-englishAbout linux-english
About linux-english
Shota Ito
 
CheckPlease: Payload-Agnostic Targeted Malware
CheckPlease: Payload-Agnostic Targeted MalwareCheckPlease: Payload-Agnostic Targeted Malware
CheckPlease: Payload-Agnostic Targeted Malware
Brandon Arvanaghi
 
BSides_Charm2015_Info sec hunters_gathers
BSides_Charm2015_Info sec hunters_gathersBSides_Charm2015_Info sec hunters_gathers
BSides_Charm2015_Info sec hunters_gathers
Andrew McNicol
 
Metasploit For Beginners
Metasploit For BeginnersMetasploit For Beginners
Metasploit For Beginners
Ramnath Shenoy
 
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Andy Robbins
 
Native or External?
Native or External?Native or External?
Native or External?
ESUG
 
Client side exploits
Client side exploitsClient side exploits
Client side exploits
nickyt8
 
The Supporting Role of Antivirus Evasion while Persisting
The Supporting Role of Antivirus Evasion while PersistingThe Supporting Role of Antivirus Evasion while Persisting
The Supporting Role of Antivirus Evasion while Persisting
CTruncer
 
The State of the Veil Framework
The State of the Veil FrameworkThe State of the Veil Framework
The State of the Veil Framework
VeilFramework
 
Ever Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the WildEver Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the Wild
CTruncer
 
Tcpdump hunter
Tcpdump hunterTcpdump hunter
Tcpdump hunter
Andrew McNicol
 
Teensy Programming for Everyone
Teensy Programming for EveryoneTeensy Programming for Everyone
Teensy Programming for Everyone
Nikhil Mittal
 
Veil-Ordnance
Veil-OrdnanceVeil-Ordnance
Veil-Ordnance
VeilFramework
 
Metasploit Humla for Beginner
Metasploit Humla for BeginnerMetasploit Humla for Beginner
Metasploit Humla for Beginner
n|u - The Open Security Community
 
AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0
CTruncer
 
Shmoocon Epilogue 2013 - Ruining security models with SSH
Shmoocon Epilogue 2013 - Ruining security models with SSHShmoocon Epilogue 2013 - Ruining security models with SSH
Shmoocon Epilogue 2013 - Ruining security models with SSH
Andrew Morris
 
Memory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMMMemory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMM
Positive Hack Days
 
Purpose Driven Hunt (DerbyCon 2017)
Purpose Driven Hunt (DerbyCon 2017)Purpose Driven Hunt (DerbyCon 2017)
Purpose Driven Hunt (DerbyCon 2017)
Jared Atkinson
 
Passive Intelligence Gathering and Analytics - It's All Just Metadata!
Passive Intelligence Gathering and Analytics - It's All Just Metadata!Passive Intelligence Gathering and Analytics - It's All Just Metadata!
Passive Intelligence Gathering and Analytics - It's All Just Metadata!
CTruncer
 
CheckPlease - Payload-Agnostic Implant Security
CheckPlease - Payload-Agnostic Implant SecurityCheckPlease - Payload-Agnostic Implant Security
CheckPlease - Payload-Agnostic Implant Security
Brandon Arvanaghi
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware Analysis
Andrew McNicol
 
Jwt == insecurity?
Jwt == insecurity?Jwt == insecurity?
Jwt == insecurity?
snyff
 
Pen-Testing with Metasploit
Pen-Testing with MetasploitPen-Testing with Metasploit
Pen-Testing with Metasploit
Mohammed Danish Amber
 
Bringing Down the House - How One Python Script Ruled Over AntiVirus
Bringing Down the House - How One Python Script Ruled Over AntiVirusBringing Down the House - How One Python Script Ruled Over AntiVirus
Bringing Down the House - How One Python Script Ruled Over AntiVirus
CTruncer
 
Marketing warefare
Marketing warefareMarketing warefare
Marketing warefare
Vaibhav Raj
 
Marketing and the warfare metaphor
Marketing and the warfare metaphorMarketing and the warfare metaphor
Marketing and the warfare metaphor
Andrew Hirst
 

More Related Content

What's hot

Client side exploits
Client side exploitsClient side exploits
Client side exploits
nickyt8
 
Shmoocon Epilogue 2013 - Ruining security models with SSH
Shmoocon Epilogue 2013 - Ruining security models with SSHShmoocon Epilogue 2013 - Ruining security models with SSH
Shmoocon Epilogue 2013 - Ruining security models with SSH
Andrew Morris
 
Purpose Driven Hunt (DerbyCon 2017)
Purpose Driven Hunt (DerbyCon 2017)Purpose Driven Hunt (DerbyCon 2017)
Purpose Driven Hunt (DerbyCon 2017)
Jared Atkinson
 

What's hot (20)

Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24
 
Native or External?
Native or External?Native or External?
Native or External?
 
Client side exploits
Client side exploitsClient side exploits
Client side exploits
 
The Supporting Role of Antivirus Evasion while Persisting
The Supporting Role of Antivirus Evasion while PersistingThe Supporting Role of Antivirus Evasion while Persisting
The Supporting Role of Antivirus Evasion while Persisting
 
The State of the Veil Framework
The State of the Veil FrameworkThe State of the Veil Framework
The State of the Veil Framework
 
Ever Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the WildEver Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the Wild
 
Tcpdump hunter
Tcpdump hunterTcpdump hunter
Tcpdump hunter
 
Teensy Programming for Everyone
Teensy Programming for EveryoneTeensy Programming for Everyone
Teensy Programming for Everyone
 
Veil-Ordnance
Veil-OrdnanceVeil-Ordnance
Veil-Ordnance
 
Metasploit Humla for Beginner
Metasploit Humla for BeginnerMetasploit Humla for Beginner
Metasploit Humla for Beginner
 
AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0
 
Shmoocon Epilogue 2013 - Ruining security models with SSH
Shmoocon Epilogue 2013 - Ruining security models with SSHShmoocon Epilogue 2013 - Ruining security models with SSH
Shmoocon Epilogue 2013 - Ruining security models with SSH
 
Memory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMMMemory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMM
 
Purpose Driven Hunt (DerbyCon 2017)
Purpose Driven Hunt (DerbyCon 2017)Purpose Driven Hunt (DerbyCon 2017)
Purpose Driven Hunt (DerbyCon 2017)
 
Passive Intelligence Gathering and Analytics - It's All Just Metadata!
Passive Intelligence Gathering and Analytics - It's All Just Metadata!Passive Intelligence Gathering and Analytics - It's All Just Metadata!
Passive Intelligence Gathering and Analytics - It's All Just Metadata!
 
CheckPlease - Payload-Agnostic Implant Security
CheckPlease - Payload-Agnostic Implant SecurityCheckPlease - Payload-Agnostic Implant Security
CheckPlease - Payload-Agnostic Implant Security
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware Analysis
 
Jwt == insecurity?
Jwt == insecurity?Jwt == insecurity?
Jwt == insecurity?
 
Pen-Testing with Metasploit
Pen-Testing with MetasploitPen-Testing with Metasploit
Pen-Testing with Metasploit
 
Bringing Down the House - How One Python Script Ruled Over AntiVirus
Bringing Down the House - How One Python Script Ruled Over AntiVirusBringing Down the House - How One Python Script Ruled Over AntiVirus
Bringing Down the House - How One Python Script Ruled Over AntiVirus
 

Viewers also liked

Viewers also liked (8)

Marketing warefare
Marketing warefareMarketing warefare
Marketing warefare
 
Marketing and the warfare metaphor
Marketing and the warfare metaphorMarketing and the warfare metaphor
Marketing and the warfare metaphor
 
Marketing warfare
Marketing warfareMarketing warfare
Marketing warfare
 
Warfare Strategies
Warfare StrategiesWarfare Strategies
Warfare Strategies
 
Marketing Warfare
Marketing WarfareMarketing Warfare
Marketing Warfare
 
Marketing warfare
Marketing warfareMarketing warfare
Marketing warfare
 
Discriminant analysis
Discriminant analysisDiscriminant analysis
Discriminant analysis
 
marketing_warfare summary/ review
marketing_warfare summary/ reviewmarketing_warfare summary/ review
marketing_warfare summary/ review
 

Similar to The best defense is a good offense (April 2013 Presentation to Atlantic HTCIA chapter)

Finalppt metasploit
Finalppt metasploitFinalppt metasploit
Finalppt metasploit
devilback
 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, Powershell
Roo7break
 
Creating Havoc using Human Interface Device
Creating Havoc using Human Interface DeviceCreating Havoc using Human Interface Device
Creating Havoc using Human Interface Device
Positive Hack Days
 
ETCSS: Into the Mind of a Hacker
ETCSS: Into the Mind of a HackerETCSS: Into the Mind of a Hacker
ETCSS: Into the Mind of a Hacker
Rob Gillen
 
6.Temp & Rand
6.Temp & Rand6.Temp & Rand
6.Temp & Rand
phanleson
 
Malicious File for Exploiting Forensic Software
Malicious File for Exploiting Forensic SoftwareMalicious File for Exploiting Forensic Software
Malicious File for Exploiting Forensic Software
Takahiro Haruyama
 

Similar to The best defense is a good offense (April 2013 Presentation to Atlantic HTCIA chapter) (20)

First Responders Course - Session 7 - Incident Scope Assessment [2004]
First Responders Course - Session 7 - Incident Scope Assessment [2004]First Responders Course - Session 7 - Incident Scope Assessment [2004]
First Responders Course - Session 7 - Incident Scope Assessment [2004]
 
REMnux tutorial-2: Extraction and decoding of Artifacts
REMnux tutorial-2: Extraction and decoding of ArtifactsREMnux tutorial-2: Extraction and decoding of Artifacts
REMnux tutorial-2: Extraction and decoding of Artifacts
 
PowerShell - Be A Cool Blue Kid
PowerShell - Be A Cool Blue KidPowerShell - Be A Cool Blue Kid
PowerShell - Be A Cool Blue Kid
 
Finalppt metasploit
Finalppt metasploitFinalppt metasploit
Finalppt metasploit
 
Threats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxThreats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in Linux
 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, Powershell
 
DevSecCon Tel Aviv 2018 - Integrated Security Testing by Morgan Roman
DevSecCon Tel Aviv 2018 - Integrated Security Testing by Morgan RomanDevSecCon Tel Aviv 2018 - Integrated Security Testing by Morgan Roman
DevSecCon Tel Aviv 2018 - Integrated Security Testing by Morgan Roman
 
Creating Havoc using Human Interface Device
Creating Havoc using Human Interface DeviceCreating Havoc using Human Interface Device
Creating Havoc using Human Interface Device
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
 
ISACA Ethical Hacking Presentation 10/2011
ISACA Ethical Hacking Presentation 10/2011ISACA Ethical Hacking Presentation 10/2011
ISACA Ethical Hacking Presentation 10/2011
 
ETCSS: Into the Mind of a Hacker
ETCSS: Into the Mind of a HackerETCSS: Into the Mind of a Hacker
ETCSS: Into the Mind of a Hacker
 
Advanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
Advanced Malware Analysis Training Session 6 - Malware Sandbox AnalysisAdvanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
Advanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
 
Practical Chaos Engineering
Practical Chaos EngineeringPractical Chaos Engineering
Practical Chaos Engineering
 
Dumping and Cracking SAM Hashes to Extract Plaintext Passwords
Dumping and Cracking SAM Hashes to Extract Plaintext PasswordsDumping and Cracking SAM Hashes to Extract Plaintext Passwords
Dumping and Cracking SAM Hashes to Extract Plaintext Passwords
 
Your First Guide to "secure Linux"
Your First Guide to "secure Linux"Your First Guide to "secure Linux"
Your First Guide to "secure Linux"
 
6.Temp & Rand
6.Temp & Rand6.Temp & Rand
6.Temp & Rand
 
Bc0056 unix operating system
Bc0056 unix operating systemBc0056 unix operating system
Bc0056 unix operating system
 
Chasing the Adder. A tale from the APT world...
Chasing the Adder. A tale from the APT world...Chasing the Adder. A tale from the APT world...
Chasing the Adder. A tale from the APT world...
 
The Golden Rules - Detecting more with RSA Security Analytics
The Golden Rules - Detecting more with RSA Security AnalyticsThe Golden Rules - Detecting more with RSA Security Analytics
The Golden Rules - Detecting more with RSA Security Analytics
 
Malicious File for Exploiting Forensic Software
Malicious File for Exploiting Forensic SoftwareMalicious File for Exploiting Forensic Software
Malicious File for Exploiting Forensic Software
 

Recently uploaded

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
Overkill Security
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 

Recently uploaded (20)

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 

The best defense is a good offense (April 2013 Presentation to Atlantic HTCIA chapter)

  • 1. “Improving your defensive security posture with offensive security strategies” Andrew Kozma HTCIA, Atlantic Chapter Meeting April 18th, 2013
  • 2. A bit about me…  Infosec professional working in healthcare  Co-founder of AtlSecCon  Midnight ethical hacker  A perpetual student  Security researcher/philosopher  Fan of the blues (Secretly want to learn how to play the harmonica)
  • 3. Offensive Security  “How much can you know about yourself if you've never been in a fight?” ~Chuck Palahniuk, Fight Club  Hacking our own infrastructure to improve defensive security measures and processes  Tools – Kali Linux, a security distro maintained by Offensive- Security with all the tools required to test security, it’s free and always will be  Tactics – The application of tools  Strategy – The big picture, all the pieces working together to achieve an ultimate goal
  • 4. Creating a practice environment  “The first rule of fight club is, you don't talk about fight club.” ~Chuck Palahniuk, Fight Club  The goal - a controlled environment where it is safe to practice offensive security techniques  There are many vulnerable distributions that can serve as targets to help build skills (@g0tmi1k’s www.vulnhub.com)  With proper planning and authorization along with an understanding of the risks you can test production infrastructure  Virtualization is a beautiful thing!
  • 5.
  • 6. Demo (metasploitable2)  NMAP Scan  Identify OS, Services and open ports  Nessus Vuln Scan  Run a scan to find vulnerabilities that can potentially be exploited  Metasploit console  Import the info  Exploit the target  Post exploitation  Crack passwords with john  PWN the box
  • 7. Demo (nmap) • Scanning with nmap -O OS Detection -sV Service Version -sC NSE Scripts -oX Output in xml format --stylesheet nmap.xsl --open --reason • Copying the stylesheet to our working directory • Displaying the nmap scan in Iceweasel (Kali-Linux Browser)
  • 9. Demo (Nessus) • Nessus Vulnerability Scanner • Not native to Kali-Linux • Download and install • dpkg –i “filename” • Register for Home feed (free) • Connect to Local host port 8834 • Login and select new scan
  • 10. Demo (Nessus) • Launch the scan • Nessus indicates the scan progress • A summary is displayed once the scan is complete
  • 11. Demo (Nessus) • Export and save the report
  • 13. Demo (metasploit) • Opening the Metasploit Framework Console • Enter the command “msfconsole” • Importing our nmap scan results into the metasploit database • Enter the command “db_import /path to the nmap scan”
  • 14. Demo (metasploit) • We can validate the db_import by entering the command “hosts” at the msf prompt • We can also validate the services imported for that host from nmap by entering the command “services” at an msf prompt.
  • 15. Demo (metasploit) • Import the nessus scan into metasploit with command “db_import /path to the file” • Now that it is imported into metasploit we can view the vulnerabilities that nessus detected with the command “vulns”
  • 16. Demo (metasploit) • For this demo we are going to exploit samba • Load the exploit in msf with the command: “use exploit/multi/samba/usermap_script” • Once the exploit is loaded we can learn more about its functions via the command “info”
  • 17. Demo (metasploit) • The command: “show options” indicates any variables that require a value to be set • For this exploit a Remote Host is required to be identified. We will use the command: “set RHOST target.ip.address” • A payload that will be delivered to the target is required we issue the command “set PAYLOAD cmd/unix/bind/netcat”
  • 18. Demo (metasploit) • The command “show options” now indicates the variables for RHOST and PAYLOAD that we previously defined
  • 19. Demo (metasploit) • We attack the target via the command “exploit” • Booyah! Shell access to the target! • We have root level access to the target and interact via this shell • Let’s display the target systems user accounts via the command “cat /etc/passwd” • We are going to select the data displayed and copy it to a .txt file
  • 20. Demo (metasploit) • Now we need to grab the hashes associated with the user accounts we just viewed • This can be done by displaying the hashes via the command “cat /etc/shadow” • Once again we will be selecting the information displayed and will be copying it to a .txt file
  • 22. Demo (John The Ripper) • We are going to use John The Ripper to crack the passwords for the user accounts • For John to crack them we have to combine the usernames and their hash into a format that John can understand • We combine both files to a single one for John to crack with the command: “unshadow /path/passwd.txt /path/shadow.txt > unshadowed.txt” • We now have a file with usernames and hashes that John can use
  • 23. Demo (John The Ripper) • We are going to take a quick peek at the contents of the new file • To do this we change to directory the file resides in “cd HTCIA” • We can display the contents of this file in the terminal with the command “cat unshadowed.txt”
  • 24. Demo (John The Ripper) • To start cracking the password with John we issue the command: “john /path to the filename.txt” • John has loaded the hashes and has successfully cracked some of the passwords • Previously cracked passwords can be viewed with the command: “john –show /Path to the file.txt”
  • 25. Demo (Post Exploitation) • Using our new creds to SSH to the exploited workstation • To connect via SSH we use the command: “ssh –l msfadmin Target.IP.Address” • Now we have a terminal session vs a shell • In the real world we could continue to install backdoors, steal data, pivot to scan for other hosts
  • 26. Demo (Post Exploitation) • Lets review other services so that we can maintain a persistent presence on the compromised workstation • Hmmm NFS services are running on the target…
  • 27. Demo (Post Exploitation) • Lets take a quick look at the NFS share available on the target • Uh oh… everything is shared • We are going to create a temp directory and then mount the share in it • Lets display the filesystem to see the NFS share mounted in temp
  • 28. Demo (Post Exploitation) • Looking into the share that we mounted… • We already know we can copy the contents of the passwd and shadow files again
  • 29. Demo (Post Exploitation) • Remember our Nessus output • Collect as much information as possible during the information gathering phase… • Sometimes you get lucky! The VNC server password was identified in the scan by Nessus
  • 30. Breaking things to make them better  “At the time, my life just seemed too complete, and maybe we have to break everything to make something better out of ourselves.” ~Chuck Palahniuk, Fight Club  When you start looking at production systems it is important to have a demonstrated, repeatable process that has buy in from management  Document your findings indicating the threat, the likelihood of occurrence and the impact to the business  Use this information to build business cases for investment in security solutions  When you start looking at the production environment… there will be blood….
  • 31.
  • 32. Advanced Persistent Response  “On a long enough time line, the survival rate for everyone drops to zero.” ~Chuck Palahniuk, Fight Club  Understanding trends and current threats  Filling in the gaps with security (Technology and process)  Creating and implementing a security model that meets organizational needs
  • 33. Incident Response  "With a gun barrel between your teeth, you speak only in vowels.“ ~Chuck Palahniuk, Fight Club  Preparation  Have a plan, know who to call and when  Identification  Determination of whether or not there was an incident  Containment  Protecting other critical systems “stop the bleeding”  Eradication  Addressing the vulnerabilities that were exploited  Recovery  Returning to operational status  Follow up  Lessons learned, prevent future incidents of the same nature
  • 34. Parting thoughts  Do you still think the best defense is a good offense?  IMHO ~ A good offense helps to make a great defense! (with proper planning and execution)
  • 35. References  Jeremy Druin @webpwnized has a great tutorial online going into more detail: http://www.youtube.com/watch?v=0fbBwGAuINw  @netbiosx has a tutorial available online regarding NFS and metasploitable2: http://pentestlab.wordpress.com/2013/01/20/nfs-misconfiguration/  Nessus software and home feed licensing can be found on their site: http://www.tenable.com/  Kali-Linux can be obtained at www.kali.org and is maintained by Offensive-Security  Metasploitable2 is maintained by Rapid7 and is available for download from: https://community.rapid7.com/docs/DOC-1875  Why stop here! There are many other distros to help expand your skillset, check out @g0tmi1k and his website at http://vulnhub.com/
  • 36. Thank you  Twitter handle - @k0z1can  ca.linkedin.com/in/andrewkozma/