TRANSCRIPT
Social-Engineering Adaptive Pentesting
Kevin Mitnick (@kevinmitnick)
http://mitnicksecurity.com
Dave Kennedy (@Dave_ReL1K)
http://www.secmaniac.com
About Kevin
• Check out the new book Ghost in the wires
• CEO of Mitnick Security Consulting
• Penetration tester
• Social-Engineering? He’s learning :)
About Me
• Creator of the Social-Engineer Toolkit
• Founder of DerbyCon
• Co-Author of book from NoStarch Press on Metasploit
• Back|Track Development Team
• Exploit-DB Development Team
• Exploit Writer
• Penetration Tester
• Chief Information Security Officer, Fortune 1000
• Social-Engineer podcast, ISD Podcast
• I give hugs..
Brief Introduction
The Basics of Penetration Testing
• We have to explain this. Penetration testing continues to morph into different interpretations.
• The Penetration Testing Execution Standard
• We continue to see vuln + exploit smash and grab useless “pentests” going on.
Have we forgotten?
• Have we forgotten the reason why we do penetration testing?
• We are truly attempting to simulate an adversary and go after something that is important to the organization.
• Hackers are creative; it’s their nature, it’s our nature. We get into standard methodologies, pre-canned penetration tests, and lose complete focus on what we’re really going after.
Something is obviously wrong…
• 2008 – 354 reported public data breaches
• 2009 – 251 reported public data breaches
• 2010 – 604 reported public data breaches
• 2011 – 499 reported public data breaches (we’re not done yet)
Source: http://www.privacyrights.org
We spend more.
• So we spend more and more money on protecting our infrastructure.
• We buy that latest technology company that can protect us against zero-days.
We are the only industry that I know of that can take more resources, more capital expenditures, more expense, and get worse.
This brings us to our point.
We strongly believe that penetration testing is a portion of the answer to secure your infrastructure.
Security breaches are the best thing that can happen to a company.
Option 1 – A real breach
• Company A experiences a breach. Security up until that point was extremely difficult to implement.
• Company is bleeding cash at this point. Won’t go bankrupt (in most cases), but it hurts.
• Company rebounds and, depending on how it’s sold, this can be the best thing that ever happened to the company.
Option 2 – A simulated breach
• Maybe not AS effective as a real breach; however, if conducted properly, it can demonstrate a true breach.
• The ability to simulate a breach on the bottom line.
• If sold right, should have a positive effect on advancement of the security program.
Penetration Testing
• It’s something MORE than a smash and grab.
• It’s more than finding exposures.
• It’s more than a pre-canned assessment you slap junior consultants on.
• It’s supposed to be something that benefits the customer, not a 400 page report on vulnerabilities.
Adaptive Pentesting
• The reason we wanted to do this talk was to explain how we need to think during penetration testing.
• The tests need to impact the company’s ability to generate revenue.
• You can’t always do the same attack, you need to be creative. Think outside of the box. Think as a hacker.
The rest of this talk.
• The rest of this talk is going to focus on real-world examples that we’ve used in the past.
• Will focus on how we did it.
• Not saying it’s perfect, but you need to frame your mind around being creative and doing something different.
Company 1 – Windows 7
December 2010
• Penetration test for a large international company with over 5000 employees.
• Several days spent on developing pretext and social-engineering campaign.
• Initial probing of the organization identified that Windows 7 was in use. FOCA, targeted emails, and pretext calls helped with identification of the operating system.
System Profiler
• Leveraged a JavaScript-based profiling application that identified operating system, version numbers, Adobe versions, media players, Java, etc.
• Used for identification around what the organization would be susceptible to.
Setting the Stage
• Customized A/V evasive meterpreter shell was successfully created.
• Windows 7 fully patched confirmed.
• Unsure whether Windows User Account Control (UAC) was enabled, but highly likely.
Profiling the target
• User was compromised via social-engineering leveraging the social-engineer toolkit.
• Running under a limited user account. Two options: pivot further into the network and find other bugs, or circumvent UAC.
• After some deliberation, UAC needed to be bypassed.
Bypassing Windows UAC
• Working together, we spent about a week researching how UAC worked and potential methods around it.
• By leveraging an exploit (still unpatched) of trust relationships with Trusted Publisher Certificates, UAC was successfully bypassed.
• Further penetrating into the network, eventually obtained future trade projections, access to financial systems, and source code for the next software release.
DEMO
Lessons Learned
• During the penetration test there were a lot of hurdles around persistence, UAC, and others. Being adaptive to the surroundings led to a successful penetration test.
• In conjunction with the external testing, a physical test was also launched.
• Showed significant value to the customer by hitting future projection margins and intellectual property, and impacting the company’s ability to generate revenue.
Company 2 – Malicious Media
September 2011
• Yep, this month.
• Fortune 1000, international financial institution.
• Customer requested that we deploy malicious items via the parking lot.
Some things to think about
• How many times have we seen on an RFP “Must do this and this.”
• We were bored with the standard USB or DVD/CD deployment. Everyone has done this before.
• We decided to take a new approach.
The attack
• Customized “fancy” keyboard. Who wouldn’t want this thing?
• Sent to five systems administrators at the company.
The Teensy Attack
• Added a small chip, called the “Teensy” device.
Teensy, Teensy ++, Customized
In-Line attack
• Soldered the Teensy in-line to act as a keyboard repeater.
• Can detect when the victim is not at the keyboard.
• Moves mouse 1 pixel (undetectable to human eye).
• During offline hours, deploys malicious payload.
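From the defender’s side, the keyboard described above shows up to the operating system as an additional keyboard-capable HID device sitting on the USB bus. The following is an added example, not code from the talk or from either author, that audits a Linux host’s `/proc/bus/input/devices` listing and flags USB devices that register a `kbd` handler but whose vendor id is not on an approved list. The device listing below is constructed sample data in the real `/proc/bus/input/devices` format; the vendor ids, product ids and device names in it are placeholders, not identifiers of any real injector.

```python
"""Flag unexpected USB keyboards by parsing /proc/bus/input/devices (Linux).

Added example for the keyboard-repeater case above; not code from the talk.
"""
import re

BUS_USB = 0x0003  # Linux input-core bus type for USB devices (BUS_USB)

# Constructed sample in the /proc/bus/input/devices format: the laptop's
# built-in AT keyboard, an approved USB keyboard, a USB mouse, and a second
# keyboard-capable USB device with an unapproved vendor id (placeholder values).
SAMPLE_DEVICES = """\
I: Bus=0011 Vendor=0001 Product=0001 Version=ab41
N: Name="AT Translated Set 2 keyboard"
P: Phys=isa0060/serio0/input0
H: Handlers=sysrq kbd event0 leds
B: EV=120013

I: Bus=0003 Vendor=046d Product=c31c Version=0110
N: Name="Corporate USB Keyboard (constructed)"
P: Phys=usb-0000:00:14.0-1/input0
H: Handlers=sysrq kbd event1 leds
B: EV=120013

I: Bus=0003 Vendor=046d Product=c077 Version=0111
N: Name="USB Optical Mouse (constructed)"
P: Phys=usb-0000:00:14.0-2/input0
H: Handlers=mouse0 event2
B: EV=17

I: Bus=0003 Vendor=dead Product=beef Version=0100
N: Name="Inline HID Device (constructed)"
P: Phys=usb-0000:00:14.0-3/input0
H: Handlers=sysrq kbd mouse1 event3 leds
B: EV=120017
"""

_ID_RE = re.compile(r"Bus=([0-9a-f]{4}) Vendor=([0-9a-f]{4}) Product=([0-9a-f]{4})")


def parse_input_devices(text):
    """Parse the blank-line separated device records into a list of dicts."""
    devices = []
    for block in text.strip().split("\n\n"):
        dev = {"bus": None, "vendor": None, "product": None, "name": "", "handlers": []}
        for line in block.splitlines():
            if line.startswith("I:"):
                m = _ID_RE.search(line)
                if m:
                    dev["bus"] = int(m.group(1), 16)
                    dev["vendor"] = m.group(2)
                    dev["product"] = m.group(3)
            elif line.startswith("N:"):
                dev["name"] = line.split("=", 1)[1].strip().strip('"')
            elif line.startswith("H:"):
                # e.g. "H: Handlers=sysrq kbd event0 leds" -> ["sysrq", "kbd", ...]
                dev["handlers"] = line.split("=", 1)[1].split()
        devices.append(dev)
    return devices


def keyboard_devices(devices):
    """Any device the kernel bound to the keyboard handler can inject keystrokes."""
    return [d for d in devices if "kbd" in d["handlers"]]


def unexpected_usb_keyboards(devices, allowed_vendors):
    """USB keyboards whose vendor id is not on the approved list."""
    return [d for d in keyboard_devices(devices)
            if d["bus"] == BUS_USB and d["vendor"] not in allowed_vendors]


def audit(text, allowed_vendors=frozenset()):
    """Summarise keyboard count and the names of unapproved USB keyboards."""
    devices = parse_input_devices(text)
    flagged = unexpected_usb_keyboards(devices, allowed_vendors)
    return {"keyboards": len(keyboard_devices(devices)),
            "unexpected": [d["name"] for d in flagged]}


if __name__ == "__main__":
    # On a live host replace SAMPLE_DEVICES with open("/proc/bus/input/devices").read()
    print(audit(SAMPLE_DEVICES, allowed_vendors={"046d"}))
```

The check keys on the kernel’s `kbd` handler rather than on the device name, because a device is free to call itself anything; a composite device that also presents a mouse (as the one described above does) is still caught. Run periodically from an endpoint agent, a jump from one keyboard to two on a workstation that should only have one is the signal worth alerting on.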
The Results
• Nine shells, which was strange, since we only sent 5. My only guess is that the other sysadmins were jealous and ganked it, as we do in IT.
• Joke’s on them :)
• Further penetrated the network. In this instance we breached the source code repository for the entire company. Yep… It hurt.
DEMO
Lessons Learned
• The USB/DVD may have worked, but we believe we had a much higher success rate with this.
• Huge impact to the organization by taking the life-blood of the company, their software.
Company 3 – Dead end. WAIT!
March 2011
• External and wireless penetration test for large customer.
• While profiling the organization, social engineering was deemed somewhat risky, and a more direct avenue was quickly detected.
• SQLi on a front web application.
Penetrating the Network
• MSSQLi yielded a customized, A/V-safe reverse Meterpreter on the local system.
• Pivoting showed we were in a heavily segmented DMZ with minimal connections back to the internal network.
• Unable to breach internal network.
• Small external footprint, other avenues were not found.
More information on exporting certs
• Check out the whitepaper written by Jason Geffner around exporting non-exportable RSA Keys.
• Tool written by isecpartners that exports the keys. Called JBStore (jailbreak store)
Ding ding ding.
• Pillaging system yielded a private certificate signed by the internal CA.
• War-walking showed the organization was using WPA2 with 802.1X.
• Fake access point crafted leveraging a valid private certificate from the internal CA (a web server certificate).
• Successfully had clients connect to access point.
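The reason the clients connected is the check the supplicants were not doing: they verified that the access point’s certificate chained to the internal CA, but not that it belonged to the RADIUS server, so any certificate issued by that CA (here, a web server’s) was good enough. The added example below, which is not code from the talk or from wpa_supplicant, models the supplicant-side policy that closes this gap, following the semantics of wpa_supplicant’s `ca_cert`, `domain_match` and `domain_suffix_match` network options (dNSName SANs are matched, with the subject CN as fallback when no dNSName is present). The certificates and host names are constructed dictionaries standing in for parsed X.509 data, not real certificates.

```python
"""Supplicant-side EAP server certificate policy: pinned CA plus server-name match.

Added example modelled on wpa_supplicant's ca_cert / domain_match /
domain_suffix_match options; certificates are constructed dicts, not X.509.
"""


def _labels(name):
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def full_match(required, candidate):
    """domain_match semantics: exact FQDN, no subdomains, no wildcards."""
    return _labels(required) == _labels(candidate)


def suffix_match(required, candidate):
    """domain_suffix_match semantics: compare label by label from the TLD;
    the certificate name may carry extra leading labels."""
    req, cand = _labels(required), _labels(candidate)
    return len(cand) >= len(req) and cand[-len(req):] == req


def server_names(cert):
    """dNSName SAN entries if present, otherwise fall back to the subject CN."""
    sans = [value for kind, value in cert.get("san", []) if kind == "DNS"]
    return sans if sans else [cert["subject_cn"]]


def accept_eap_server(cert, policy):
    """Return (accepted, reasons) for a server certificate under a policy dict."""
    reasons = []
    if cert["issuer"] != policy["ca_cert"]:
        reasons.append("issuer is not the pinned CA")
    names = server_names(cert)
    if "domain_match" in policy and not any(
            full_match(policy["domain_match"], n) for n in names):
        reasons.append("no server name equals domain_match %r" % policy["domain_match"])
    if "domain_suffix_match" in policy and not any(
            suffix_match(policy["domain_suffix_match"], n) for n in names):
        reasons.append("no server name under domain_suffix_match %r"
                       % policy["domain_suffix_match"])
    return (not reasons, reasons)


# Constructed certificates (placeholder names, not a real organisation).
CA = "Corp Internal CA (constructed)"
RADIUS_CERT = {"issuer": CA, "subject_cn": "radius01.corp.example",
               "san": [("DNS", "radius01.corp.example")]}
WEB_CERT = {"issuer": CA, "subject_cn": "www.corp.example",        # the pillaged cert
            "san": [("DNS", "www.corp.example"), ("DNS", "corp.example")]}
ROGUE_CERT = {"issuer": "Some Public CA (constructed)",
              "subject_cn": "radius01.corp.example", "san": []}

# CA pinning only: what the clients in this engagement were effectively doing.
WEAK_POLICY = {"ca_cert": CA}
# Suffix match on the org domain: still accepts any host cert from the same CA.
SUFFIX_POLICY = {"ca_cert": CA, "domain_suffix_match": "corp.example"}
# Full match on the RADIUS server name: only the real server's cert passes.
HARDENED_POLICY = {"ca_cert": CA, "domain_match": "radius01.corp.example"}


if __name__ == "__main__":
    for label, policy in [("weak", WEAK_POLICY), ("suffix", SUFFIX_POLICY),
                          ("hardened", HARDENED_POLICY)]:
        for name, cert in [("radius", RADIUS_CERT), ("web", WEB_CERT), ("rogue", ROGUE_CERT)]:
            print(label, name, accept_eap_server(cert, policy))
```

In wpa_supplicant terms the hardened policy is a network block carrying `ca_cert=` pointing at the internal CA bundle together with `domain_match="radius01.corp.example"`; the example also shows why `domain_suffix_match` set to the organisation’s whole domain is not enough here, since the borrowed web server certificate sits under that same suffix. Managed Windows clients get the equivalent by enabling server certificate validation with the RADIUS server names listed in the EAP profile.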
Lessons Learned
• Although one area was a dead end, the ability to take something from information obtained and leverage it somewhere else is what makes us hackers.
• We HAVE to think like this as we’re doing our penetration testing, or else we are losing focus on what we are there to do.
Company 4 – Powerlines Rock.
August 2011
• Physical penetration test on an armed-guard facility.
• Reconnaissance was performed on the camera system, and from inside the bathrooms we could read the model numbers of the motion sensors.
• Company was using powerlines to carry the communication protocols for the security system, cameras, and much more.
Coming up with an attack
• After researching specific brand names, X10 was the protocol being leveraged.
• X10 leverages powerline communication.
Being creative
• Decided to try something new and come up with an attack avenue to disrupt the security systems and go into the building without detection.
X10 Kit
Testing the jammer/sniffer
The Arduino Device
Modifying the TW523
Too much voltage/current…
The working Jammer
DEMO
The Results
• Night operation.
• Security systems disarmed.
• Lockpicked back entrance door.
• Alarm system never fired.
• Full access to facility.
What we wanted out of this
• Think creative
• Do something unexpected
• Be a hacker!
• Give some real value to the customer versus some 400 page report.
The Social-Engineer Toolkit v2.1
• Getting released today.
• Over 27 new features, 22 bug fixes, and 18 enhancements.
• Fast-Track is now a part of SET. Completely recoded from scratch.
DEMO