Upload: lylien

Post on 29-Oct-2018

Page 1: DerbyCon Adaptive Pentesting - TrustedSec · Lessons Learned • During the penetration test there were a lot of hurdles around persistence, UAC, and others. Being adaptive to the

Social-Engineering Adaptive Pentesting

Kevin Mitnick (@kevinmitnick)

http://mitnicksecurity.com

Dave Kennedy (@Dave_ReL1K)

http://www.secmaniac.com

Page 2: About Kevin

•  Check out the new book Ghost in the Wires

•  CEO of Mitnick Security Consulting

•  Penetration tester

•  Social-Engineering? ...He’s learning :)

Page 3: About Me

•  Creator of the Social-Engineer Toolkit

•  Founder of DerbyCon

•  Co-author of the No Starch Press book on Metasploit

•  Back|Track Development Team

•  Exploit-DB Development Team

•  Exploit Writer

•  Penetration Tester

•  Chief Information Security Officer, Fortune 1000

•  Social-Engineer podcast, ISD Podcast

•  I give hugs..

Page 4: Brief Introduction

Page 5: The Basics of Penetration Testing

•  We have to explain this. Penetration testing continues to morph into different interpretations.

•  The Penetration Testing Execution Standard

•  We continue to see vuln + exploit smash and grab useless “pentests” going on.

Page 6: Have we forgotten?

•  Have we forgotten the reason why we do penetration testing?

•  We are truly attempting to simulate an adversary and go after something that is important to the organization.

•  Hackers are creative, it’s their nature, it’s our nature. We get into standard methodologies, pre-canned penetration tests, and lose complete focus on what we’re really going after.

Page 7: Something is obviously wrong…

•  2008 – 354 reported public data breaches

•  2009 – 251 reported public data breaches

•  2010 – 604 reported public data breaches

•  2011 – 499 reported public data breaches (we’re not done yet)

Source: http://www.privacyrights.org

Page 8: We spend more.

•  So we spend more and more money on protecting our infrastructure.

•  We buy that latest technology company that can protect us against zero-days.

Page 9: We are the only industry that I know of that can take more resources, more capital expenditures, more expense, and get worse.

Page 10: This brings us to our point.

We strongly believe that penetration testing is a portion of the answer to secure your infrastructure.

Page 11: Security breaches are the best thing that can happen to a company.

Page 12: Option 1 – A real breach

•  Company A experiences a breach. Security up until that point was extremely difficult to implement.

•  Company is bleeding cash at this point. Won’t go bankrupt (in most cases), but it hurts.

•  Company rebounds and, depending on how it’s sold, can be the best thing that ever happened to the company.

Page 13: Option 2 – A simulated breach

•  Maybe not AS effective as a real breach; however, if conducted properly it can show a true breach.

•  The ability to simulate a breach’s impact on the bottom line.

•  If sold right, should have a positive effect on advancement of the security program.

Page 14: Penetration Testing

•  It’s something MORE than a smash and grab.

•  It’s more than finding exposures.

•  It’s more than a pre-canned assessment you slap junior consultants on.

•  It’s supposed to be something that benefits the customers, not a 400-page report on vulnerabilities.

Page 15: Adaptive Pentesting

•  The reason we wanted to do this talk was to explain how we need to think during penetration testing.

•  The tests need to impact the company’s ability to generate revenue.

•  You can’t always do the same attack, you need to be creative. Think outside of the box. Think as a hacker.

Page 16: The rest of this talk.

•  The rest of this talk is going to focus on real-world examples that we’ve used in the past.

•  Will focus on how we did it.

•  Not saying it’s perfect, but you need to frame your mind around being creative and doing something different.

Page 17: Company 1 – Windows 7

Page 18: December 2010

•  Penetration test for a large international company with over 5000 employees.

•  Several days spent on developing pretext and social-engineering campaign.

•  Initial probing of organization identified that Windows 7 was in use. FOCA, targeted emails, and pretext calls helped with identification of operating system.

Page 19: System Profiler

•  Leveraged a JavaScript-based profiling application that identified operating system, version numbers, Adobe versions, media players, Java, etc.

•  Used for identification around what the organization would be susceptible to.

Page 20: Setting the Stage

•  Customized A/V evasive meterpreter shell was successfully created.

•  Windows 7 fully patched confirmed.

•  Unsure whether Windows User Account Control (UAC) was enabled, but highly likely.

Page 21: Profiling the target

•  User was compromised via social-engineering leveraging the Social-Engineer Toolkit.

•  Running under a limited user account. Two options: pivot further into the network and find other bugs, or circumvent UAC.

•  After some deliberation, UAC needed to be bypassed.

Page 22: Bypassing Windows UAC

•  Working together, we spent about a week researching how UAC worked and potential methods around.

•  By leveraging an exploit (still unpatched) of trust relationships with Trusted Publisher Certificates, UAC was successfully bypassed.

•  Further penetrating into the network, eventually obtained future trade projections, access to financial systems, and source code for the next software release.

Page 23: DEMO

Page 24: Lessons Learned

•  During the penetration test there were a lot of hurdles around persistence, UAC, and others. Being adaptive to the surroundings led to a successful penetration test.

•  In conjunction with the external testing, a physical test was also launched.

•  Showed significant value to the customer by hitting future projection margins and intellectual property, and impacting the company’s ability to generate revenue.

Page 25: Company 2 – Malicious Media

Page 26: September 2011

•  Yep, this month.

•  Fortune 1000, international financial institution.

•  Customer requested that we deploy malicious items through the parking lot.

Page 27: Some things to think about

•  How many times have we seen “Must do this and this” on an RFP?

•  We were bored with the standard USB or DVD/CD deployment. Everyone has done this before.

•  We decided to take a new approach.

Page 28: The attack

•  Customized “fancy” keyboard. Who wouldn’t want this thing?

•  Sent to five systems administrators at the company.

Page 29: The Teensy Attack

•  Added a small chip, called the “Teensy” device.

Page 30: Teensy, Teensy ++, Customized

Page 31: In-Line attack

•  Soldered the Teensy in to act as a keyboard repeater.

•  Can detect when the victim is not at the keyboard.

•  Moves mouse 1 pixel (undetectable to human eye).

•  During offline hours, deploys malicious payload.
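
The in-line device described on this slide leaves two traces a defender can look for: a keyboard-class USB device enumerating at an odd time (or as a second keyboard on a host that already has one), and a burst of keystrokes typed far faster than a human can. The following is an added example, not code from the slides or from TrustedSec; it runs both checks over constructed syslog-style kernel lines and constructed keystroke timelines. The hostnames, device names, timestamps and thresholds are assumptions made for the example.

```python
"""Spot a keystroke-injecting HID device from host logs and typing cadence.

Added example (not from the DerbyCon slides or from TrustedSec). All log lines,
hostnames, device names and keystroke timings are constructed for this example.
"""
import re
from datetime import datetime, time

# Constructed syslog-style kernel 'input:' lines. Real lines carry no year, so one is assumed.
LOG_YEAR = 2011
SAMPLE_LOG = """\
Sep 14 08:02:11 ws042 kernel: input: Logitech USB Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/input/input5
Sep 14 08:02:12 ws042 kernel: input: Logitech USB Optical Mouse as /devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.0/input/input6
Sep 15 02:13:44 ws042 kernel: input: Custom HID Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2.1/1-2.1:1.0/input/input9
Sep 15 02:13:44 ws042 kernel: input: Custom HID Keyboard Mouse as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2.1/1-2.1:1.1/input/input10
"""

LOG_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<clock>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"kernel: input: (?P<name>.+?) as (?P<path>\S+)$"
)


def parse_input_events(log_text):
    """One dict per kernel 'input:' line: when, host, device name, sysfs path."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{LOG_YEAR} {m['month']} {m['day']} {m['clock']}",
                                 "%Y %b %d %H:%M:%S")
        events.append({"when": when, "host": m["host"], "name": m["name"], "path": m["path"]})
    return events


def is_keyboard(name):
    return "keyboard" in name.lower()


def usb_port(path):
    """Reduce a sysfs path to its USB port (e.g. '1-2.1') so that one physical device
    exposing several HID interfaces (':1.0', ':1.1') is counted as one keyboard."""
    m = re.search(r"/(\d+-[\d.]+):\d+\.\d+/", path)
    return m.group(1) if m else path


def hid_alerts(log_text, work_start=time(7, 0), work_end=time(19, 0)):
    """Flag keyboard enumerations that happen outside working hours, or that add a
    second keyboard to a host which already has one on a different USB port."""
    alerts = []
    keyboards_per_host = {}  # host -> set of USB ports that carry a keyboard
    for ev in parse_input_events(log_text):
        if not is_keyboard(ev["name"]):
            continue
        port = usb_port(ev["path"])
        known = keyboards_per_host.setdefault(ev["host"], set())
        reasons = []
        if not (work_start <= ev["when"].time() <= work_end):
            reasons.append("enumerated outside working hours")
        if known and port not in known:
            reasons.append("additional keyboard on port " + port)
        known.add(port)
        if reasons:
            alerts.append({"when": ev["when"], "host": ev["host"],
                           "name": ev["name"], "reasons": reasons})
    return alerts


def injection_burst(key_times_ms, max_interval_ms=15, min_run=20):
    """True if at least `min_run` consecutive keystrokes arrive no more than
    `max_interval_ms` apart. Sustained gaps that small are not human typing; they
    are the signature of a device replaying a scripted payload."""
    run = 0
    for a, b in zip(key_times_ms, key_times_ms[1:]):
        run = run + 1 if (b - a) <= max_interval_ms else 0
        if run >= min_run:
            return True
    return False


# Constructed keystroke timelines, in milliseconds since the first key.
HUMAN_TYPING = [i * 120 for i in range(60)]      # ~8 keys/s, 120 ms gaps
INJECTED_PAYLOAD = [i * 8 for i in range(60)]    # 60 keys 8 ms apart
MIXED = HUMAN_TYPING + [HUMAN_TYPING[-1] + 500 + i * 8 for i in range(60)]

if __name__ == "__main__":
    for a in hid_alerts(SAMPLE_LOG):
        print(a["when"], a["host"], a["name"], "; ".join(a["reasons"]))
    print("human:", injection_burst(HUMAN_TYPING), "payload:", injection_burst(INJECTED_PAYLOAD))
```

The out-of-hours rule matches the slide's "during offline hours" delivery, and the port grouping keeps a composite device from tripping the second-keyboard rule twice. The 15 ms / 20-key burst threshold is a starting point to tune against real typing data from the fleet, not a measured constant.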

Page 32: The Results

•  Nine shells, which was strange since we only sent 5. My only guess is that the other sysadmins were jealous and ganked it, as we do in IT.

•  Joke’s on them :)

•  Further penetrated the network. In this instance we breached the source code repository for the entire company. Yep… It hurt.

Page 33: DEMO

Page 34: Lessons Learned

•  The USB/DVD may have worked. We thought we had a much higher success rate on this.

•  Huge impact to the organization by taking the life-blood of the company, their software.

Page 35: Company 3 – Dead end. WAIT!

Page 36: March 2011

•  External and wireless penetration test for large customer.

•  While profiling the organization, social engineering was deemed somewhat risky, and a more direct avenue was quickly detected.

•  SQLi on a front web application.

Page 37: Penetrating the Network

•  MSSQLi yielded a local, customized, A/V-safe reverse Meterpreter.

•  Pivoting revealed we were in a heavily segmented DMZ with minimal connections back to the internal network.

•  Unable to breach internal network.

•  Small external footprint, other avenues were not found.

Page 38: More information on exporting certs

•  Check out the whitepaper written by Jason Geffner around exporting non-exportable RSA Keys.

•  Tool written by iSEC Partners that exports the keys, called JBStore (jailbreak store).

Page 39: Ding ding ding.

•  Pillaging the system yielded a private certificate signed by the internal CA.

•  After war-walking, we found the organization was leveraging 802.1X WPA2.

•  Fake access point crafted leveraging a valid private certificate from the internal CA (the web server certificate).

•  Successfully had clients connect to the access point.
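
The reason the clients on this slide connected is that their supplicants trusted any certificate chaining to the internal CA, so a web-server certificate was as good as the real RADIUS server's. The following is an added example, not code from the slides or from TrustedSec: it models the weak policy beside a pinned policy over a simplified certificate record (no real X.509 parsing or signature checking; an `issuer` link stands in for a verified signature and a constructed `fingerprint` stands in for the public key). The CA, server names and certificates are all constructed.

```python
"""Supplicant-side server-certificate policy for 802.1X / WPA2-Enterprise.

Added example (not from the DerbyCon slides or from TrustedSec). All names,
fingerprints and certificates below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str              # subject common name
    issuer: str               # issuer common name
    fingerprint: str          # stands in for the certificate's public key
    sans: tuple = ()          # dNSName subject alternative names
    eku: tuple = ()           # extended key usages, by friendly name
    is_ca: bool = False


# Constructed PKI: one internal root, the RADIUS server cert it issued, and an
# intranet web-server cert of the kind the slides describe being pillaged.
ROOT = Cert("Example Corp Internal CA", "Example Corp Internal CA", "fp-root", is_ca=True)
RADIUS = Cert("radius1.corp.example", "Example Corp Internal CA", "fp-radius",
              sans=("radius1.corp.example", "radius2.corp.example"), eku=("serverAuth",))
WEB = Cert("intranet.corp.example", "Example Corp Internal CA", "fp-web",
           sans=("intranet.corp.example",), eku=("serverAuth",))
# A certificate that copies the RADIUS name but was issued by some other CA.
IMPOSTOR = Cert("radius1.corp.example", "Some Public CA", "fp-impostor", eku=("serverAuth",))

POOL = {c.subject: c for c in (ROOT, RADIUS, WEB)}   # issuer lookup by name
TRUSTED_FINGERPRINTS = {ROOT.fingerprint}            # the supplicant's configured CA
RADIUS_SERVERS = ("radius1.corp.example", "radius2.corp.example")


def build_chain(leaf, pool):
    """Follow issuer links up to a self-signed certificate; None if a link is missing."""
    chain, seen = [leaf], {leaf.subject}
    while chain[-1].subject != chain[-1].issuer:
        parent = pool.get(chain[-1].issuer)
        if parent is None or parent.subject in seen:
            return None
        seen.add(parent.subject)
        chain.append(parent)
    return chain


def chains_to_trusted_ca(cert, pool, trusted):
    """The chain must end at a root the supplicant trusts by key (fingerprint), not by
    name, and every certificate above the leaf must be a CA certificate."""
    chain = build_chain(cert, pool)
    return (chain is not None
            and chain[-1].fingerprint in trusted
            and all(c.is_ca for c in chain[1:]))


def accept_ca_only(cert, pool=POOL, trusted=TRUSTED_FINGERPRINTS):
    """Weak policy: anything the internal CA ever signed is an acceptable EAP server."""
    return chains_to_trusted_ca(cert, pool, trusted)


def accept_pinned(cert, pool=POOL, trusted=TRUSTED_FINGERPRINTS, servers=RADIUS_SERVERS):
    """Hardened policy: trusted chain, serverAuth EKU, and the certificate must name one
    of the configured RADIUS servers. The EKU check alone does not help, since a
    web-server certificate carries serverAuth too; the name pin is what separates the
    real authenticator from every other certificate the CA issued."""
    names = {cert.subject, *cert.sans}
    return (chains_to_trusted_ca(cert, pool, trusted)
            and "serverAuth" in cert.eku
            and bool(names & set(servers)))


def evaluate_all():
    """Decision table (ca_only, pinned) for the constructed certificates."""
    return {c.fingerprint: (accept_ca_only(c), accept_pinned(c)) for c in (RADIUS, WEB, IMPOSTOR)}


if __name__ == "__main__":
    for fp, (weak, pinned) in evaluate_all().items():
        print(f"{fp:12} ca_only={weak!s:5} pinned={pinned}")
```

In deployed supplicants the pinned policy is the combination of a CA restriction with a server-name check: in wpa_supplicant that is `ca_cert` together with `domain_match` (or `domain_suffix_match`) in the network block, and in the Windows PEAP profile it is "Validate server certificate" together with "Connect to these servers". Without the name check, every certificate the internal CA has ever issued is a usable evil-twin credential.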

Page 40: Lessons Learned

•  Although one area was a dead end, the ability to take something from information obtained and leverage it somewhere else is what makes us hackers.

•  We HAVE to think like this as we’re doing our penetration testing, or else we are losing focus on what we are there to do.

Page 41: Company 4 – Powerlines Rock.

Page 42: August 2011

•  Physical penetration test on an armed-guard facility.

•  Reconnaissance was performed on the camera system, and from the bathrooms inside we could see model numbers for the motion sensors.

•  The company was leveraging powerlines to carry the protocols for the security system, cameras, and much more.

Page 43: Coming up with an attack

•  After researching specific brand names, X10 was the protocol being leveraged.

•  X10 leverages powerline communication.

Page 44: Being creative

•  Decided to try something new and come up with an attack avenue to disrupt the security systems and go into the building without detection.

Page 45: X10 Kit

Page 46: Testing the jammer/sniffer

Page 47: The Arduino Device

Page 48: Modifying the TW523

Page 49: Too much voltage/current…

Page 50: The working Jammer

Page 51: DEMO

Page 52: The Results

•  Night operation.

•  Security systems disarmed.

•  Lockpicked back entrance door.

•  Alarm system never fired.

•  Full access to facility.
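
"Alarm system never fired" is the fail-open behaviour of a sensor bus that is only listened to for alarm messages: jam the medium and the panel hears nothing, which it treats as "all quiet". A supervised panel also expects a periodic heartbeat from every sensor and raises a trouble condition when heartbeats stop; when every sensor goes silent at once, that points at the shared medium rather than at one dead battery. The following is an added example, not code from the slides or from TrustedSec, and it does not describe the assessed system: the sensor ids, heartbeat interval, miss tolerance and event timelines are all constructed assumptions.

```python
"""Supervision monitor that notices a jammed or severed alarm-sensor bus.

Added example (not from the DerbyCon slides or from TrustedSec). Sensor ids,
intervals, thresholds and timelines are constructed assumptions.
"""

HEARTBEAT_S = 60        # each sensor is expected to check in once a minute (assumed)
MISSED_ALLOWED = 2      # tolerate two missed check-ins before declaring trouble
SENSORS = ("PIR-lobby", "PIR-hall", "DOOR-rear")


def supervise(events, sensors, now, heartbeat_s=HEARTBEAT_S, missed_allowed=MISSED_ALLOWED):
    """Replay (t_seconds, sensor_id, kind) events, kind being 'heartbeat' or 'motion',
    and report motion alarms, per-sensor supervision trouble, and whether the silence
    pattern looks like bus-wide jamming. Every sensor is assumed to have checked in
    at t=0 when the system was armed."""
    last_seen = {s: 0 for s in sensors}
    alarms = []
    for t, sensor, kind in sorted(events):
        if sensor not in last_seen:
            alarms.append(("UNKNOWN_SENSOR", sensor, t))
        elif kind == "heartbeat":
            last_seen[sensor] = t
        elif kind == "motion":
            alarms.append(("MOTION", sensor, t))
    deadline = heartbeat_s * (missed_allowed + 1)
    silent = [s for s in sensors if now - last_seen[s] > deadline]
    trouble = [("TROUBLE", s, last_seen[s] + deadline) for s in silent]
    # Every sensor silent, with their last check-ins within one heartbeat interval of
    # each other: a single failed sensor is unlikely, so flag the shared medium.
    bus_jammed = (len(silent) == len(sensors) > 1
                  and max(last_seen.values()) - min(last_seen.values()) <= heartbeat_s)
    return {"alarms": alarms, "trouble": trouble, "bus_jammed": bus_jammed}


def normal_night(minutes=10):
    """Constructed timeline: every sensor checks in once a minute; nothing else happens."""
    return [(m * HEARTBEAT_S, s, "heartbeat") for m in range(1, minutes + 1) for s in SENSORS]


def jammed_night(jam_at=300, minutes=10):
    """Constructed timeline: heartbeats flow until a jammer starts at `jam_at`; from then
    on nothing reaches the panel, so a rear-door motion event at 420 s never arrives."""
    return [ev for ev in normal_night(minutes) if ev[0] < jam_at]


def dead_battery_night(fails_at=300, minutes=10):
    """Constructed timeline: one sensor stops checking in while the others keep going."""
    return [ev for ev in normal_night(minutes) if ev[1] != "DOOR-rear" or ev[0] < fails_at]


if __name__ == "__main__":
    for label, timeline in (("normal", normal_night()), ("jammed", jammed_night()),
                            ("dead battery", dead_battery_night())):
        print(label, supervise(timeline, SENSORS, now=600))
```

With these constructed parameters the jammed timeline produces a trouble condition for every sensor at 420 s and the `bus_jammed` flag, so the panel has something to act on at the time the motion event went missing, instead of staying quiet because nothing was heard. The single-sensor case yields one trouble entry and no jamming flag, which is the distinction a monitoring centre needs to prioritise a response.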

Page 53: What we wanted out of this

•  Think creatively

•  Do something unexpected

•  Be a hacker!

•  Give some real value to the customer versus some 400-page report.

Page 54: The Social-Engineer Toolkit v2.1

•  Getting released today.

•  Over 27 new features, 22 bug fixes, and 18 enhancements.

•  Fast-Track is now a part of SET. Completely recoded from scratch.

Page 55: DEMO
