1 / 35

Hacking Techniques

Hacking Techniques. and Mitigations Brady Bloxham. About Us. Services Vulnerability assessments Wireless assessments Compliance testing Penetration testing Eat, breathe, sleep, talk, walk, think, act security!. Agenda. Old methodology New methodology Techniques in action

milo
Download Presentation

Hacking Techniques

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Hacking Techniques and Mitigations Brady Bloxham

  2. About Us • Services • Vulnerability assessments • Wireless assessments • Compliance testing • Penetration testing • Eat, breathe, sleep, talk, walk, think, act security!

  3. Agenda • Old methodology • New methodology • Techniques in action • Conclusion

  4. The Old Way • Footprinting • Network Enumeration • Vulnerability Identification • Gaining Access to the Network • Escalating Privileges • Retain Access • Return and Report

  5. The Old Way (continued)

  6. The New Way (my way!) • Recon • Plan • Exploit • Persist • Repeat • Simple, right?!

  7. The New Way (continued) Recon Plan Exploit Persist Domain Admin? No Yes Report!

  8. Old vs. New • So what you end up with is…

  9. Recon • Two types • Pre-engagement • On the box

  10. Recon – Pre-engagment • Target IT • Social Networking • LinkedIn • Facebook • Google • Bing • Create profile • Play to their ego • Play to desperation • Play to what you know

  11. Recon – Pre-engagment • Social Engineering

  12. Recon – On the box • Netstat

  13. Recon – On the box • Set

  14. Recon – On the box • Net

  15. Recon – On the box • Net

  16. Recon – On the box • Net

  17. Recon • Registry • Audit Settings • HKLM\Security\Policy\PolAdtEv • Dump hashes • Local hashes • Domain cached credentials • Windows credential editor • Application credentials (Pidgin, Outlook, browsers, etc.) • RDP history • HKU\Software\Microsoft\Terminal Server Client\Default • Installed software • HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall

  18. Recon • What do we have? • High value servers (domain controller, file servers, email, etc.) • Group and user list • Domain admins • Other high value targets • Installed applications • Detailed account information • Hashes and passwords

  19. Plan

  20. Plan

  21. Plan • Test, test test! • Real production environment! • Recreate target environment • Proxies • AV • Domain • Verify plan with customer • Think outside the box!

  22. Plan

  23. Plan

  24. Exploit

  25. Exploit • The reality is…it’s much easier than that!  • No 0-days necessary! • Macros • Java applets • EXE PDFs

  26. Exploit • Java Applet • Domain – $4.99/year • Hosting – $9.99/year • wget – Free! • Pwnage – Priceless! • Macros • Base64 encoded payload • Convert to binary • Write to disk • Execute binary • Shell!

  27. Exploit • The problem? A reliable payload! • Obfuscation • Firewalls • Antivirus • Proxies

  28. Persist

  29. Persist • Separates the men from the boys! • Custom, custom, custom! • Nothing good out there… • Meterpreter – OSS • Core Impact – Commercial • Poison Ivy – Private • DarkComet– Private • Who’s going to trust these?

  30. Persist • How? • Registry • Service • Autorun • Startup folder • DLL hijacking • What? • Beaconing backdoor • Stealthy • Blend with the noise • Modular

  31. Repeat?!

  32. Conclusion • Old methodology is busted! • Compliance != Secure • It’s not practice makes perfect…

More Related