Presentation is loading. Please wait.

Presentation is loading. Please wait.

and Mitigations Brady Bloxham

Similar presentations

Presentation on theme: "and Mitigations Brady Bloxham"— Presentation transcript:

1 and Mitigations Brady Bloxham
Hacking Techniques and Mitigations Brady Bloxham

2 About Us Services Eat, breathe, sleep, talk,
Vulnerability assessments Wireless assessments Compliance testing Penetration testing Eat, breathe, sleep, talk, walk, think, act security!

3 Agenda Old methodology New methodology Techniques in action Conclusion

4 The Old Way Footprinting Network Enumeration
Vulnerability Identification Gaining Access to the Network Escalating Privileges Retain Access Return and Report

5 The Old Way (continued)

6 The New Way (my way!) Recon Plan Exploit Persist Repeat
Simple, right?! - Pen testing is more of an art than a science! - Not simple! The focus shifts from checking the box testing to not getting caught and finding ANY hole or vulnerability.

7 The New Way (continued)
Recon Plan Exploit Persist Domain Admin? Report! Yes No

8 Old vs. New So what you end up with is…

9 Recon Two types Pre-engagement On the box

10 Recon – Pre-engagment Target IT Social Networking Create profile
LinkedIn Facebook Google Bing Create profile Play to their ego Play to desperation Play to what you know - Called a target to identify AV before sending over file - Take people’s niceness and use it against them!

11 Recon – Pre-engagment Social Engineering
- Called a target to identify AV before sending over file - Take people’s niceness and use it against them!

12 Recon – On the box Netstat

13 Recon – On the box Set

14 Recon – On the box Net

15 Recon – On the box Net

16 Recon – On the box Net

17 Recon Registry Audit Settings Dump hashes RDP history
HKLM\Security\Policy\PolAdtEv Dump hashes Local hashes Domain cached credentials Windows credential editor Application credentials (Pidgin, Outlook, browsers, etc.) RDP history HKU\Software\Microsoft\Terminal Server Client\Default Installed software HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall

18 Recon What do we have? High value servers (domain controller, file servers, , etc.) Group and user list Domain admins Other high value targets Installed applications Detailed account information Hashes and passwords - This can be automated using batch scripts or even better…METERPRETER scripts! - All this information after 5-10 minutes of recon!

19 Plan

20 Plan

21 Plan Test, test test! Think outside the box!
Real production environment! Recreate target environment Proxies AV Domain Verify plan with customer Think outside the box!

22 Plan

23 Plan

24 Exploit

25 Exploit The reality is…it’s much easier than that! 
No 0-days necessary! Macros Java applets EXE PDFs

26 Exploit Java Applet Macros Domain – $4.99/year Hosting – $9.99/year
wget – Free! Pwnage – Priceless! Macros Base64 encoded payload Convert to binary Write to disk Execute binary Shell!

27 Exploit The problem? A reliable payload! Obfuscation Firewalls
Antivirus Proxies

28 Straight-up meterpreter executable

29 Packed using a well known packer

30 Created custom exe template

31 Persist

32 Persist Separates the men from the boys! Custom, custom, custom!
Nothing good out there… Meterpreter – OSS Core Impact – Commercial Poison Ivy – Private DarkComet – Private Who’s going to trust these?

33 Persist How? What? Registry Service Autorun Startup folder
DLL hijacking What? Beaconing backdoor Stealthy Blend with the noise Modular

34 Repeat?!

35 Conclusion Old methodology is busted! Compliance != Secure
It’s not practice makes perfect… - It’s CORRECT practice makes perfect!

Download ppt "and Mitigations Brady Bloxham"

Similar presentations

Ads by Google