3) Intrusion Tests Red Team approach
Emmanuel Benoist
Spring Term 2016
Berner Fachhochschule | Haute école spécialisée bernoise | Berne University of Applied Sciences 1

Table of Contents
Presentation
Example of a Red Team Mission
A red team is an independent group that challenges an
Use all possible means to test the system.
The “Blue Team” is protecting the system and is challenged by the red team.
See which assets of the enterprise may be compromised by a “real” attack (by motivated attackers).
When reading a classical penetration testing report: “XSS on an error page, this is just a theoretical attack, nobody could use it.”
After a red team attack accessed the laptop of the CEO and the history of his browser: “YOU MUST FIX IT NOW!!!”
¹ Source: Wikipedia
In a bank: access to money (a transfer for instance), see someone’s account.
In an eHealth environment: access to medical information . . .
Active Directory, ERP, databases, file storage systems, R&D data,
A “Blue team” is hiding: they may know a test is running, or not.
It is better if they do not know.
Penetration testing is a crucial part of the mission.
First determine the scope of the attack.
A firm must protect its infrastructure on-line, but also off-line.
Once in the premises: hide a small device like a PwnPlug, Fonera or Raspberry Pi.
Having 3G access, you can use it as a bridge to enter the system.
The most impressive part.
Less technical, but very efficient: phone calls, emails with a trojan, phishing emails, . . .
What are the IP ranges used by the firm? Normally included in the scope written in the contract.
Impossible to scan exhaustively all ports of all machines.
Search for easily exploitable services: FTP servers, file sharing, SNMP services, rlogin and other antiques.
You cannot enter the system with this, but the information will be useful later.
Web servers, web services, VPN access points, admin interfaces.
Goal: get webshell access to a DMZ machine.
Upload flows, admin interfaces of servers (Tomcat, JBoss, WebSphere), content management systems (including plugins) and their well-known vulnerabilities.
Send a mail to install malware on a client.
Goal is to install a back-door.
Send a mail containing a hyperlink.
Will be executed on the victim’s computer.
Will allow the attacker to control the machine.
Installs a back-door.
Access some addresses, understand the construction of the address: firstname.name@target.com, fname@target.com, firstname-name@target.com, name@target.com, . . .
Source of information: LinkedIn, Viadeo or Xing.
theHarvester (a Python program) searches for emails in Google, Bing, LinkedIn, Twitter or even Shodan.
Find emails, phone numbers or names of employees.
Use Scrapy in Python for visiting web sites.
Find employees that are very enthusiastic (and not security-aware).
Find phone numbers of specific persons: office numbers, location in the premises.
You may find useful information:
site:linkedin.com inurl:pub -inurl:dir "at firm-name" "Current"
We need to know who are the targets (role, rank in the
“Your bank account was just misused; if you want to save your money, connect now”
“If you want the new iPhone for CHF 100, open this document”
“This CV is very interesting, you need to activate the macros to see it”
Gmail / GMX / . . .
Easy to do: you inherit the reputation of Google in spam filters.
Problem 1: the domain name is not very serious.
Problem 2: attacking a third party using Google poses confidentiality questions.
You can choose the domain name you want.
You need to be sure not to be treated as a spam server.
Increase your server reputation: deactivate the open relay function of the SMTP server, give the DNS MX entry of the domain, configure the DKIM signature . . .
No need for a special exploit for version X of Acrobat Reader on Windows 7.2.
Ask your victim kindly to execute macros.
A macro to see the photo of a CV, a macro to see the content of the invoice sent, a macro to get data in a presentation . . .
Can access the whole machine: the browser (cookies, history), but also the disk, and execute a shell.
You will be rewarded / you can only access this site with / . . . (depends highly on the profile of your victim).
Installation looks genuine, just click twice.
Browser Helper Objects (BHO): much more complex to install, will not be done.
You must install your application on the Chrome Web Store.
Execute code in “Ninja mode”: nobody sees it.
Started in a sandbox.
Protections are higher and higher.
Must develop an exploit for each version (32- / 64-bit, Windows 7, 8 or 10, . . . ).
We will see it in detail later.
A mail containing a link to the valid server (https://www.target.com for instance) can lead to a manipulated page.
Can contain links to download software.
One of the most efficient ways to infect a person.
You must teach all your users.
Not just a course: serious training with testing of the users.
For less experienced users: restrict any possibility to install anything.
VERY difficult: how can I work without macros?
Write an email that will motivate the victim to open your link.
Can be the result of a social engineering action (phone calls, mails, . . . ): “I send you the order for 1000 items”.
A file with an exotic suffix (for instance .scr).
Executable file hidden in a zip file.
PDF exploiting Adobe Reader.
Chosen method: MS Office macros.
Buy an existing back-door: too dangerous to execute an unknown program on a client’s computer. Isn’t there a back door in the back door?
Solution: develop one’s own back-door.
Advantage: control of the functionalities and the dangerousness.
Synchronous protocols: can execute any program at any time, but require an open connection, which will be monitored by the firewall.
Asynchronous protocols: the back door checks regularly whether new commands have been sent. Much more difficult to discover.
IRC or XMPP are used by botnets: too easy to be found by a firewall.
Better: HTTP; cannot be prohibited by a firewall.
Will use the standard proxy to exit the LAN (to get around the firewall).
Is more complex to implement (for synchronous communication, you just need one socket).
Send a request regularly, asking for orders.
Send the result of the order to another program.
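The regular polling described above is also what gives an asynchronous back door away: a client that asks the same host for orders every few minutes through the corporate proxy leaves an almost constant inter-request interval in the proxy log. As an added defensive example (not from the slides), the script below flags such low-jitter pairs in a constructed squid-style log; the log lines, client address and hostnames are all constructed placeholders.

```python
# Added example: flag periodic HTTP polling ("beaconing") in proxy logs.
# Sample log lines and hostnames below are constructed placeholders.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed squid-style lines: "<timestamp> <client_ip> <method> <url> <status>"
PROXY_LOG = """\
2016-03-01T08:00:00 10.0.0.12 GET http://cc.example-placeholder.net/poll 200
2016-03-01T08:00:01 10.0.0.12 GET http://news.example.org/ 200
2016-03-01T08:05:00 10.0.0.12 GET http://cc.example-placeholder.net/poll 200
2016-03-01T08:07:30 10.0.0.12 GET http://news.example.org/sport 200
2016-03-01T08:10:01 10.0.0.12 GET http://cc.example-placeholder.net/poll 200
2016-03-01T08:12:00 10.0.0.12 GET http://news.example.org/weather 200
2016-03-01T08:14:59 10.0.0.12 GET http://cc.example-placeholder.net/poll 200
2016-03-01T08:20:00 10.0.0.12 GET http://cc.example-placeholder.net/poll 200
2016-03-01T08:25:00 10.0.0.12 GET http://cc.example-placeholder.net/poll 200
"""

def parse_proxy_log(text):
    """Return (client, host, timestamp) triples from the constructed log format."""
    triples = []
    for line in text.splitlines():
        ts, client, _method, url, _status = line.split()
        host = url.split("/")[2]            # "scheme://host/path" -> host
        triples.append((client, host, datetime.fromisoformat(ts)))
    return triples

def find_beacons(text, min_hits=5, max_jitter=0.10):
    """Return {(client, host): mean_interval_s} for pairs whose request spacing is
    nearly constant: at least `min_hits` requests and a coefficient of variation
    (stdev / mean of the inter-request gaps) below `max_jitter`.  Normal browsing
    (the news host above) is irregular and sparse, so it is not reported."""
    by_pair = defaultdict(list)
    for client, host, ts in parse_proxy_log(text):
        by_pair[(client, host)].append(ts)
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            beacons[pair] = avg
    return beacons

if __name__ == "__main__":
    for (client, host), interval in find_beacons(PROXY_LOG).items():
        print(f"{client} polls {host} every ~{interval:.0f}s")
```

On real logs, raise `min_hits` and run the check per day; a back door that randomises its sleep interval will need a looser `max_jitter` or a frequency-based test instead.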
Sometimes, just showing the existing risk is sufficient.
Persistence: restart even after the end of the session.
Add your executable in the following directory: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
Add a registry key in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Create a scheduled task using the command schtasks
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Add a registry key in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Create a scheduled task using the commands at and schtasks
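The locations listed above (Startup folders, HKCU/HKLM Run keys, scheduled tasks) are exactly the ones a defender should review after a suspected phishing incident. As an added defensive example (not from the slides), the script below triages a constructed inventory of autostart entries, as it might be exported by an autostart-enumeration tool; every path, entry name and command line is a constructed placeholder.

```python
# Added example: triage Windows autostart entries from the persistence locations
# the slides name.  The inventory below is constructed; all values are placeholders.
import re

# Constructed inventory: (location, entry name, command line)
AUTOSTARTS = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\System32\SecurityHealthSystray.exe"),
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r"C:\Users\alice\AppData\Roaming\upd\svc.exe -q"),
    (r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup", "report.lnk",
     r"wscript.exe //e:vbscript C:\Users\alice\AppData\Local\Temp\report.vbs"),
    ("schtasks", "Adobe Acrobat Update Task",
     r"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"),
    ("schtasks", "Sync",
     r"powershell.exe -nop -w hidden -enc QQBCAEMA"),   # constructed blob
]

# Directories a standard user can write to: a binary started from here needed no admin rights
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public|ProgramData)\\", re.I)
# Script hosts and signed system binaries often used to run a payload without dropping an .exe
SCRIPT_HOSTS = re.compile(r"\b(wscript|cscript|mshta|rundll32|regsvr32|powershell)\.exe\b", re.I)
# PowerShell switches that hide the window or obscure the command
HIDDEN_FLAGS = re.compile(r"-(enc|encodedcommand|w hidden|nop)\b", re.I)

def triage(entries):
    """Return [(name, location, reasons)] for entries that deserve a closer look.
    Entries that trigger no heuristic (vendor binaries under Program Files or
    System32 in the sample) are left out."""
    findings = []
    for location, name, cmd in entries:
        reasons = []
        if USER_WRITABLE.search(cmd):
            reasons.append("runs from a user-writable directory")
        if SCRIPT_HOSTS.search(cmd):
            reasons.append("launched through a script host")
        if HIDDEN_FLAGS.search(cmd):
            reasons.append("uses hidden or encoded command flags")
        if reasons:
            findings.append((name, location, reasons))
    return findings

if __name__ == "__main__":
    for name, location, reasons in triage(AUTOSTARTS):
        print(f"[{location}] {name}: " + "; ".join(reasons))
```

Feed it the output of whatever inventory tool you already use; the heuristics are a first filter, and anything flagged still needs the binary's signature and hash checked by hand.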
Name of the machine, username, Active Directory domain, network card configuration
Very impressive to see your wife’s picture
A real backdoor allows executing shell commands.
Problem: sometimes hard to transfer the results using HTTP POST.
One can make the process easy to find, so that it can be removed easily.
The C&C must have a command for all the victim bots to self-destruct.
All bots must self-destruct after the date the mandate expires.
A bot remains on a computer and someone else may take control of the machine.
First solution: rely on the SSL encryption of HTTPS (need to verify the certificate).
Nice to have: encrypt the communication using a shared key (not so sure).
Even better: use a public key.
In the browser, in the mail client.
Solution 1) Get files, send files to the C&C, use Mimikatz or Meterpreter to decrypt the passwords.
Solution 2) Implement an extractor from the disk yourself.
Better: find the passwords directly in memory.
Can access passwords.
Exploitation is quite difficult (data are huge).
What do we want to test?
Very important. Goal: have an overview of the enterprise to find the most vulnerable targets.
Build realistic scenarios to attack the targets.
Use all the collected information.
Goal: extract information, enter the premises, install malware, . . .
Whois, certificates, Moneyhouse, public contracts, reports, Swiss army officers lists . . .
Mail, web server, CMS, ERP, admin pages: can be useful for exploiting.
LinkedIn, Xing, Facebook, Google+
Blogs, Forums, homepages
Can collect banking information, IDs, holiday planning,
Follow them in public transportation.
See who arrives when, and how (car / public transportation / line / . . . ).
See the dress code (do not come in jeans to a Swiss bank).
Listen to conversations between colleagues (at the restaurant for instance).
To monitor the inside of the enterprise (physical security, IT infrastructure, . . . ): forge a CV to be invited to an interview for a job offer, pretend to be a client, pretend to be a provider, or just come inside with all the other employees (one in a big group).
You could also pick a lock to enter an office.
They will provide a lot of information
A cigarette if the group is smoking outside,
The victim will want to give you something in return
During the break, talk about the last TV show on the Internet: you will learn about the filter policy of the firm.
You will be corrected by your victim, who will explain much more than what you already know.
If you can provide the insider’s vocabulary, (security by
² Source: www.westroane.com/content/documents/DHS/
If the scenario you built is not serious, you will be discovered: end of the mission for you.
If you know the person like a country (from Facebook),
It needs to be very consistent, since you will have to discuss for a long time to learn interesting information.
Do not bring too many accessories; choose 3 important details.
A geek T-shirt if you pretend to be from the support.
A helmet, a box and a sheet of paper: you are the delivery man.
Work on the special effects (what should be the surrounding environment)
If you help someone, the person will help you back.
Example: hold the door to enter, the person will unlock the next door for you.
Pretend that you work directly for the director: “John told me to do it” (you show your familiarity with the director).
If you know the director is on a business trip and unavailable
This offer is only valid for 10 days.
Reserved for the first 40 persons.
Only today.
You need to be friendly to increase your chances
In order not to go to jail, you need to have with you the authorization the management gave you.
Tools for visiting the trash (thanks to recycling, this is much easier).
Maltego to aggregate all the information known about one person.
A web site, LinkedIn pages, papers with logo, clothes with logo (depending on the role); you may even create some Wikipedia pages.
Functionalities for automating phishing.
Uses Metasploit functionalities for social engineering.
For instance: generate a PDF containing an exploit with the logo of the firm, and send it to a list of employees.
Generates a hook in JavaScript (hook.js).
Needs to be executed by the victim (using an XSS for instance).
Lets you emulate a keyboard and mouse (less visible than using the keyboard and mouse of the victim).
To simulate a Wi-Fi access point.
Duplication of SSID: play the man-in-the-middle attack.
For instance the business card of Kevin Mitnick.
To clone an RFID card.
Do not accept any USB stick.
Do not install any software . . .
But you need to train and test it also after the teaching.
Grant only the minimal authorization to users: cannot install software.
What about a Bring Your Own Device policy?
What about MS Office macros?
You see your desktop in the PowerPoint of the red team.
All your secrets can be found.
There is not a list of vulnerabilities.
Cannot be seen as a list of things to fix.