Offense in Depth - PowerPoint PPT Presentation

PowerPoint Slideshow about 'Offense in Depth' - davis

Presentation Transcript
Offense in Depth

A Developer’s Perspective on Hacker Tradecraft

Overview
  • Introduction / Terminology
  • How to get a foothold
  • Identifying and Defeating Defenses
The Take Away…

If you know how something works…

you can defeat it

this applies to offense and defense

Who am I?
  • Solo Entrepreneur (I sell red team software)
  • Armitage and Cobalt Strike Dev
  • Previously…
    • DARPA CFT Performer
    • Red Team Svc to DoD agency
    • WordPress grammar checker
    • USAF Security Researcher
  • Exercises
    • CDX, *CCDC, ISTS, etc.
  • Primary Skill: Developer
The Take Away…

If you know how something works…

you can defeat it

this applies to offense and defense

Attack Surface
  • What can we, as attackers, manipulate or touch?
Client-side Attacks
  • What is a client-side attack?
    • An attack against an application used to view attacker-controlled content.
  • Why client-side attacks?
How to get a foothold
  • Map client-side attack surface
  • Create Virtual Machine for testing purposes
  • Use Virtual Machine to select best attack
  • Configure and disguise the attack
  • Email attack package to victim
Reconnaissance: System Profiler
  • A web application (target must visit it)
  • Discovers client-side applications
  • Discovers internal IP address

See: http://www.browserspy.dk

Features to abuse…
  • Java Signed Applet
  • Disguise Windows Executable
  • Microsoft Office Macros
Spear Phishing
  • Create a target list
  • Create a template
  • Choose mail server to send through
  • Send the message…
Templates

Click Reply -> View message source

Sending the message…

telnet [ip address] 25

HELO whatever.com

MAIL FROM: bounceaddress@whatever.com

RCPT TO: [target email here]

DATA

[paste template file (remove headers first)]

.

QUIT

Defenses
  • Mail Defenses
  • Host Anti-virus
  • Application Whitelisting
  • Egress
  • Payload Staging
  • Stay Low and Slow
Sender Policy Framework
  • Defense: verify the sender's IP against the domain's published record to detect email spoofing
  • Attack: get the message to the user regardless…
Defeating SPF
  • Register a typo of domain of interest
  • Use a webmail provider and send attack from their servers
  • Spoof another domain
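The two slides above make a point worth seeing in code: SPF ties a sending IP to the domain in MAIL FROM, so a message from a freshly registered typo domain that publishes its own SPF record passes the check. The following Python is an added example, not code from the talk or from Cobalt Strike. It implements a minimal SPF evaluator (only the `ip4`, `include` and `all` mechanisms, with the standard qualifiers) over a constructed table of TXT records that stands in for DNS, and pairs it with a lookalike check of the MAIL FROM domain against the domains the receiver cares about. The domain names, addresses and records are all constructed for the example.

```python
"""Added example: minimal SPF evaluation plus a lookalike-domain check.

Not from the talk. The TXT records below are a constructed stand-in for
DNS so the example runs offline; only ip4 / include / all are handled.
"""
import ipaddress
from difflib import SequenceMatcher

# Constructed zone data: domain -> SPF TXT record (RFC 7208 syntax).
FAKE_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 -all",
    # Lookalike of example.com with its own perfectly valid SPF record.
    "exampel.com": "v=spf1 ip4:192.0.2.77 -all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, txt=FAKE_TXT):
    """Return the list of SPF terms for a domain, or None if it publishes none."""
    record = txt.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return None
    return record.split()[1:]


def check_spf(ip, domain, txt=FAKE_TXT, depth=0):
    """Evaluate SPF for a sending ip and a MAIL FROM domain.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'.
    """
    if depth > 10:  # RFC 7208 limits DNS-querying mechanisms per evaluation
        return "permerror"
    terms = lookup_spf(domain, txt)
    if terms is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech == "ip4":
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == 4 and addr in net
        elif mech == "include":
            # include: matches only when the referenced domain yields 'pass'
            matched = check_spf(ip, arg, txt, depth + 1) == "pass"
        else:
            return "permerror"  # mechanism not implemented in this example
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term


def lookalike_of(domain, protected, threshold=0.85):
    """Return the protected domain that `domain` closely resembles, else None.

    An exact match is not a lookalike; similarity uses difflib's ratio.
    """
    if domain in protected:
        return None
    best = max(protected, key=lambda p: SequenceMatcher(None, domain, p).ratio())
    if SequenceMatcher(None, domain, best).ratio() >= threshold:
        return best
    return None


def triage(ip, mail_from_domain, protected, txt=FAKE_TXT):
    """Combine both checks: (spf_result, protected domain being imitated or None)."""
    return check_spf(ip, mail_from_domain, txt), lookalike_of(mail_from_domain, protected)


if __name__ == "__main__":
    print(triage("203.0.113.5", "example.com", ["example.com"]))  # legitimate sender
    print(triage("192.0.2.77", "exampel.com", ["example.com"]))   # SPF pass, but a lookalike
```

The second `triage` call is the case the "Defeating SPF" slide describes: SPF returns `pass` because the typo domain's own record authorizes the sending host, and only the lookalike comparison surfaces that the domain imitates one the receiver protects.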
Mail Anti-Virus Gateway
  • Defense: check messages for bad content before delivery
  • Attack: send something that passes the check
Mail Defense Recon
  • Create an attack package
  • Send it to a non-existent user
  • Make sure MAIL FROM address is an address you control
  • Wait for non-delivery notice
  • Review the non-delivery notice for your report card
Host Anti-virus
  • Defense: check for known bad and stop it
  • Attack: send unknown bad that passes the check
Defeat Host Anti-virus
  • Find out or guess which anti-virus is in use
    • DNS Cache Snooping
    • Information Gathering
    • Social Engineering
  • Put anti-virus on test Virtual Machine
  • Select undetected attack or modify existing attack
DNS Cache Snooping?

See: http://tinyurl.com/rob-dixon-is-hot

The command:

dig @server domainA +norecurse

How does Anti-virus work?
  • Check for known signature
  • Apply heuristic to detect bad behavior
  • Emulate binary to defeat packers and crypters
Limitations
  • False positives are bad
  • Non-intrusive(?)
  • Only checks file at certain points
    • When loaded in browser
    • When written to disk
Getting Past AV
  • Client-side Exploits…
    • Change strings in module
    • Write your own implementation of the attack
Application Whitelisting
  • Defense: do not allow unapproved applications to run
  • Attack: get the agent into memory using a white-listed application
Defeating App Whitelisting
  • Powershell
    • https://github.com/mattifestation/PowerSploit
  • MS Office Macro
  • Java
    • Create a DLL with your agent
    • Have program extract DLL
    • Call System.loadLibrary("evil.dll");
Establish C2 – The Pain
  • Deny all outbound traffic
  • Allow egress only through a proxy device
    • Attack traffic must conform to expected protocol
    • Must pass other checks as well…
  • Attacker Limitation: Staging!
Payload Staging
  • Stage 1
    • Must be small. Exploit used limits space
    • Encoded with Framework encoder
  • Stage 2
    • Payload DLL goes over the wire as-is
    • Trivial to write IDS signature for
Payload Staging
  • windows/meterpreter/reverse_https
    • Staging process happens over SSL
  • EnableStageEncoding and StageEncoder
    • Metasploit Framework option to encode stage
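The two Payload Staging slides above say that a stage 2 DLL sent over the wire as-is is trivial to signature, and that SSL or stage encoding removes that signal. The following Python is an added example, not code from the talk, Metasploit or Cobalt Strike: a network-side check that scans a captured TCP payload for an unencoded PE image (an `MZ` header whose `e_lfanew` field points at a valid `PE\0\0` signature) rather than matching on a single fixed string. The sample buffer is a constructed stand-in for a DLL, the framing bytes in front of it are constructed, and the single-byte XOR helper is only there so the same check can be run against an encoded copy of the same bytes.

```python
"""Added example: detect an unencoded PE image inside a raw TCP payload.

Not from the talk. build_sample_pe_image() constructs a minimal stand-in
for a stage 2 DLL; xor_encode() is a constructed helper used only to show
the check's limitation against an encoded stage.
"""
import struct

PE_SIGNATURE = b"PE\x00\x00"
DOS_MAGIC = b"MZ"
E_LFANEW_OFFSET = 0x3C  # dword offset of the PE header, per the DOS stub layout


def build_sample_pe_image(size=0x200, pe_offset=0x80):
    """Constructed buffer with the two fields a PE-image check relies on."""
    buf = bytearray(size)
    buf[0:2] = DOS_MAGIC
    struct.pack_into("<I", buf, E_LFANEW_OFFSET, pe_offset)
    buf[pe_offset:pe_offset + 4] = PE_SIGNATURE
    struct.pack_into("<H", buf, pe_offset + 4, 0x014C)  # Machine: IMAGE_FILE_MACHINE_I386
    return bytes(buf)


def find_pe_images(payload):
    """Return offsets of every embedded PE image in payload.

    A hit requires 'MZ', a readable e_lfanew, and 'PE\\0\\0' at the
    position e_lfanew names; a stray 'MZ' in unrelated data is not enough.
    """
    hits = []
    pos = payload.find(DOS_MAGIC)
    while pos != -1:
        if pos + E_LFANEW_OFFSET + 4 <= len(payload):
            (e_lfanew,) = struct.unpack_from("<I", payload, pos + E_LFANEW_OFFSET)
            pe = pos + e_lfanew
            if pe + 4 <= len(payload) and payload[pe:pe + 4] == PE_SIGNATURE:
                hits.append(pos)
        pos = payload.find(DOS_MAGIC, pos + 1)
    return hits


def xor_encode(data, key):
    """Constructed helper: single-byte XOR, standing in for any stage encoding."""
    return bytes(b ^ key for b in data)


def classify_payload(payload):
    """Verdict for one captured TCP payload: 'pe-image' or 'no-match'."""
    return "pe-image" if find_pe_images(payload) else "no-match"


if __name__ == "__main__":
    stage = build_sample_pe_image()
    framed = b"\x00\x02\x00\x00" + stage          # constructed framing in front of the image
    print(classify_payload(framed))                # pe-image
    print(classify_payload(xor_encode(stage, 0x5A)))  # no-match: content check is blind here
```

The second verdict is the point of the `EnableStageEncoding` slide from the defender's side: once the stage is encoded or carried inside TLS, a content signature on the PE header has nothing to match, so detection has to shift to the connection itself (destination reputation, the size and timing of the download, the process that opened the socket) rather than the bytes.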
Asynchronous C2
  • Stay Low and slow
    • Target phones home, asks for tasks
    • Sleep time? 1 hour, 1 day, 1 year?
    • C2 tries to look like normal traffic
  • Life line into a network
    • Use to execute commands
    • Upload / download files
    • Spawn “active” sessions to another server
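The slide above describes an agent that phones home on a fixed sleep interval and tries to look like normal traffic. The regularity is exactly what a defender can look for. The following Python is an added example, not code from the talk or from any C2 product: it parses constructed proxy-style connection records, groups them by source and destination, and flags pairs whose inter-connection gaps are both numerous and nearly constant (low coefficient of variation). The hosts, addresses and timestamps are all constructed; the period, jitter and event thresholds are assumptions to tune against real traffic.

```python
"""Added example: flag periodic check-ins ("beaconing") in connection logs.

Not from the talk. SAMPLE_LOG is constructed: one internal host talks to
203.0.113.9 almost exactly once an hour (the beacon) and browses
198.51.100.20 at irregular times (ordinary traffic).
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed records, one per line: "<ISO timestamp> <src> <dst> <bytes>"
SAMPLE_LOG = """\
2013-10-01T08:00:00 10.0.0.5 203.0.113.9 512
2013-10-01T08:03:12 10.0.0.5 198.51.100.20 8123
2013-10-01T09:00:04 10.0.0.5 203.0.113.9 498
2013-10-01T09:41:50 10.0.0.5 198.51.100.20 2211
2013-10-01T10:00:01 10.0.0.5 203.0.113.9 530
2013-10-01T10:02:33 10.0.0.5 198.51.100.20 70233
2013-10-01T11:00:03 10.0.0.5 203.0.113.9 505
2013-10-01T11:59:58 10.0.0.5 203.0.113.9 511
2013-10-01T12:15:00 10.0.0.5 198.51.100.20 1004
"""


def parse_log(text):
    """Yield (timestamp, src, dst, bytes) tuples, skipping blank lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(nbytes)


def find_beacons(text, min_events=4, max_cv=0.10):
    """Return (src, dst) pairs whose connection gaps look machine-regular.

    min_events: fewer connections than this are not judged at all.
    max_cv: pstdev(gaps) / mean(gaps); a human-driven pair has a high
            ratio, a sleeping agent with little jitter a very low one.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in parse_log(text):
        by_pair[(src, dst)].append(ts)

    beacons = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        period = mean(gaps)
        cv = pstdev(gaps) / period if period else float("inf")
        if cv <= max_cv:
            beacons.append({
                "src": src,
                "dst": dst,
                "events": len(times),
                "period_s": round(period),
                "jitter_cv": round(cv, 4),
            })
    return beacons


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)  # the hourly pair to 203.0.113.9; the browsing pair is not reported
```

The "1 hour, 1 day, 1 year" question on the slide is the trade-off this detector exposes: a longer sleep means fewer events to reach `min_events` inside any log retention window, and deliberately randomized jitter pushes the coefficient of variation up, so the thresholds have to be set against a baseline of the environment's own traffic rather than chosen once.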
Asynchronous C2 – Bro RAT

See: http://tinyurl.com/bro-rat

The Take Away…

If you know how something works…

you can defeat it

this applies to offense and defense