Offense in Depth A Developer’s Perspective on Hacker Tradecraft.


1 Offense in Depth A Developer’s Perspective on Hacker Tradecraft

2 Overview
  Introduction / Terminology
  How to get a foothold
  Identifying and Defeating Defenses

3 The Take Away… If you know how something works… you can defeat it. This applies to offense and defense.

4 Who am I?
  Solo Entrepreneur (I sell red team software)
  Armitage and Cobalt Strike Dev
  Previously…
    DARPA CFT Performer
    Red Team Svc to DoD agency
    WordPress grammar checker
    USAF Security Researcher
  Exercises: CDX, *CCDC, ISTS, etc.
  Primary Skill: Developer

5 The Take Away… If you know how something works… you can defeat it. This applies to offense and defense.

6 Attack Surface What can we, as attackers, manipulate or touch?

7 Client-side Attacks
  What is a client-side attack? – An attack against an application used to view attacker-controlled content.
  Why client-side attacks?

8 How to get a foothold
  1. Map client-side attack surface
  2. Create Virtual Machine for testing purposes
  3. Use Virtual Machine to select best attack
  4. Configure and disguise the attack
  5. Email attack package to victim

9 Reconnaissance: System Profiler
  A web application (target must visit it)
  Discovers client-side applications
  Discovers internal IP address
  See: http://www.browserspy.dk

10 Hacking with features?

11 Features to abuse…
  Java Signed Applet
  Disguised Windows Executable
  Microsoft Office Macros

12 Spear Phishing
  1. Create a target list
  2. Create a template
  3. Choose mail server to send through
  4. Send the message…

13 Spear Phishing Templates

14 Templates Click Reply -> View message source

15 Templates

16 Sending the message…
  telnet [ip address] 25
  HELO whatever.com
  MAIL FROM: bounceaddress@whatever.com
  RCPT TO: [target email here]
  DATA
  [paste template file (remove headers first)]
  .
  QUIT

17 Now, walk this minefield…

18 Defenses
  Mail Defenses
  Host Anti-virus
  Application Whitelisting
  Egress
  Payload Staging
  Stay Low and Slow

19 Sender Policy Framework
  Defense: verify the sender's IP to detect email spoofing
  Attack: get the message to the user regardless…

20 Defeating SPF
  Register a typo of the domain of interest
  Use a webmail provider and send the attack from their servers
  Spoof another domain
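As an added example (not from the talk), a minimal SPF evaluator in Python with constructed records standing in for DNS TXT lookups: it shows why the bypasses on slide 20 work, since a registered lookalike domain passes its own SPF record and a shared provider's servers pass for every customer, and why a receiving gateway should also check alignment between the visible From domain and the MAIL FROM domain rather than trusting a bare SPF pass.

```python
"""Minimal SPF evaluator (added example, not part of the talk).

Implements the ip4:, ip6: and all mechanisms of RFC 7208 against inline
records so it runs offline; include:, a and mx are out of scope. The
domains and addresses below are constructed.
"""
import ipaddress

# Constructed SPF records in place of DNS TXT lookups.
SPF_RECORDS = {
    "example.com":  "v=spf1 ip4:203.0.113.0/24 -all",
    "examp1e.com":  "v=spf1 ip4:198.51.100.7 -all",   # attacker-owned lookalike
    "webmail.test": "v=spf1 ip4:192.0.2.0/24 ~all",   # shared mail provider
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(mail_from_domain: str, client_ip: str) -> str:
    """Return the SPF result for the connecting IP and the MAIL FROM domain."""
    record = SPF_RECORDS.get(mail_from_domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        mech, _, value = term.partition(":")
        if mech in ("ip4", "ip6") and value:
            # A v4 address is never inside a v6 network and vice versa.
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term


def evaluate(header_from_domain: str, mail_from_domain: str, client_ip: str) -> dict:
    """SPF verdict plus the alignment check that SPF alone does not give.

    A lookalike MAIL FROM domain can return "pass" while the From: header
    shows the impersonated domain; only the alignment check catches that.
    """
    aligned = header_from_domain.lower() == mail_from_domain.lower()
    return {"spf": check_spf(mail_from_domain, client_ip), "aligned": aligned}
```

The `aligned` field is the piece a receiver should key on: for the lookalike case it is `False` even though `spf` is `"pass"`.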

21 Mail Anti-Virus Gateway
  Defense: check messages for bad content before delivery
  Attack: send something that passes the check

22 Mail Defense Recon
  1. Create an attack package
  2. Send it to a non-existent user
  3. Make sure the MAIL FROM address is an address you control
  4. Wait for the non-delivery notice
  5. Review the non-delivery notice for your report card

23 Non-Delivery Notices

24 Host Anti-virus
  Defense: check for known bad and stop it
  Attack: send unknown bad that passes the check

25 Defeat Host Anti-virus
  1. Find out or guess which anti-virus is in use
     – DNS Cache Snooping
     – Information Gathering
     – Social Engineering
  2. Put the anti-virus on a test Virtual Machine
  3. Select an undetected attack or modify an existing attack

26 DNS Cache Snooping?
  See: http://tinyurl.com/rob-dixon-is-hot
  The command: dig @server domain A +norecurse

27 How does Anti-virus work?
  Check for known signatures
  Apply heuristics to detect bad behavior
  Emulate the binary to defeat packers and crypters

28 Limitations
  False positives are bad
  Non-intrusive(?)
  Only checks the file at certain points
    – When loaded in the browser
    – When written to disk

29 Getting Past AV
  Client-side Exploits…
    – Change strings in the module
    – Write your own implementation of the attack

30 Application Whitelisting
  Defense: do not allow unapproved applications
  Attack: get the agent into memory using a whitelisted application

31 Defeating App Whitelisting
  PowerShell
    – https://github.com/mattifestation/PowerSploit
  MS Office Macro
  Java
    – Create a DLL with your agent
    – Have the program extract the DLL
    – Call System.loadLibrary("evil.dll");

32 Establish C2

34 Establish C2 – The Pain
  Deny all outbound traffic
  Allow egress only through a proxy device
    – Attack traffic must conform to the expected protocol
    – Must pass other checks as well…
  Attacker Limitation: Staging!

35 Payload Staging…

36 Payload Staging
  Stage 1
    – Must be small. The exploit used limits space
    – Encoded with a Framework encoder
  Stage 2
    – Payload DLL goes over the wire as-is
    – Trivial to write an IDS signature for

37 Payload Staging

38 windows/meterpreter/reverse_https
    – Staging process happens over SSL
  EnableStageEncoding and StageEncoder
    – Metasploit Framework options to encode the stage

39 Riddle me this… Batman

40 Asynchronous C2
  Stay Low and Slow
    – Target phones home, asks for tasks
    – Sleep time? 1 hour, 1 day, 1 year?
    – C2 tries to look like normal traffic
  Life line into a network
    – Use to execute commands
    – Upload / download files
    – Spawn “active” sessions to another server

41 Asynchronous C2 - Beacon

42 Asynchronous C2 – Bro RAT See: http://tinyurl.com/bro-rat

43 The Take Away… If you know how something works… you can defeat it. This applies to offense and defense.

44 Summary…
