HACKING TECHNIQUESand Mitigations

Brady Bloxham

About Us• Services

• Vulnerability assessments• Wireless assessments• Compliance testing• Penetration testing

• Eat, breathe, sleep, talk,

walk, think, act security!

Agenda• Old methodology• New methodology• Techniques in action• Conclusion

The Old Way• Footprinting• Network Enumeration• Vulnerability Identification• Gaining Access to the Network• Escalating Privileges• Retain Access• Return and Report

The Old Way (continued)

The New Way (my way!)• Recon• Plan• Exploit• Persist• Repeat

• Simple, right?!

The New Way (continued)

Recon

Plan

Exploit

Domain Admin?

No

Persist

Report!Yes

Old vs. New• So what you end up with is…

Recon• Two types

• Pre-engagement• On the box

Recon – Pre-engagment• Target IT• Social Networking

• LinkedIn• Facebook• Google• Bing

• Create profile• Play to their ego• Play to desperation• Play to what you know

Recon – Pre-engagment• Social Engineering

Recon – On the box• Netstat

Recon – On the box• Set

Recon – On the box• Net

Recon – On the box• Net

Recon – On the box• Net

Recon • Registry

• Audit Settings• HKLM\Security\Policy\PolAdtEv

• Dump hashes• Local hashes• Domain cached credentials• Windows credential editor• Application credentials (Pidgin, Outlook, browsers, etc.)

• RDP history• HKU\Software\Microsoft\Terminal Server Client\Default

• Installed software• HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall

Recon• What do we have?

• High value servers (domain controller, file servers, email, etc.)• Group and user list

• Domain admins• Other high value targets

• Installed applications• Detailed account information• Hashes and passwords

Plan

Plan

Plan• Test, test test!

• Real production environment!• Recreate target environment

• Proxies• AV• Domain

• Verify plan with customer

• Think outside the box!

Plan

Plan

Exploit

Exploit• The reality is…it’s much easier than that!

• No 0-days necessary!• Macros• Java applets• EXE PDFs

Exploit• Java Applet

• Domain – $4.99/year• Hosting – $9.99/year• wget – Free!• Pwnage – Priceless!

• Macros• Base64 encoded payload• Convert to binary • Write to disk• Execute binary• Shell!

Exploit• The problem? A reliable payload!

• Obfuscation• Firewalls• Antivirus• Proxies

Persist

Persist• Separates the men from the boys!• Custom, custom, custom!• Nothing good out there…

• Meterpreter – OSS• Core Impact – Commercial• Poison Ivy – Private• DarkComet – Private• Who’s going to trust these?

Persist• How?

• Registry• Service• Autorun• Startup folder• DLL hijacking

• What?• Beaconing backdoor• Stealthy• Blend with the noise• Modular

Repeat?!

Conclusion• Old methodology is busted!• Compliance != Secure• It’s not practice makes perfect…