3 intrusion tests red team approach
play

3) Intrusion Tests Red Team approach Emmanuel Benoist Spring Term - PowerPoint PPT Presentation

Nov 24, 2022 •261 likes •728 views

3) Intrusion Tests Red Team approach Emmanuel Benoist Spring Term 2016 Berner Fachhochschule | Haute cole spcialise bernoise | Berne University of Applied Sciences 1 Table of Contents Presentation Example of a Red Team Mission

  1. 3) Intrusion Tests Red Team approach Emmanuel Benoist Spring Term 2016 Berner Fachhochschule | Haute cole spcialise bernoise | Berne University of Applied Sciences 1

  2. Table of Contents Presentation � Example of a Red Team Mission � Attack the Desktop Computer � Search for information Example: Open a Back Door � Social Engineering � Limitations � Reserve � Berner Fachhochschule | Haute cole spcialise bernoise | Berne University of Applied Sciences 2

  3. Presentation Berner Fachhochschule | Haute cole spcialise bernoise | Berne University of Applied Sciences 3

  4. Red Team Definition 1 A red team is an independent group that challenges an organization to improve its effectiveness. Simulate a real attack Use all possible means to test the system The “Blue Team” is protecting the system and challanged by the red team. See which assets of the enterprise may be compromised by a “real” attack (by motivated attackers). Goal: Show the management that security is not a funny game When reading a classical penetration testing report : “XSS on an error page, this is just a theoretical attack, nobody could use it” After a red team attack accessed the laptop of the CEO and the history of his browser: “YOU MUST FIX IT NOW!!!” . 1 source: Wikipedia Berner Fachhochschule | Haute cole spcialise bernoise | Berne University of Applied Sciences 4

  5. Example: a Red Team Mission Berner Fachhochschule | Haute cole spcialise bernoise | Berne University of Applied Sciences 5

  6. Goal of the Red Team Mission Goal: show what a determined attacker could access In a Bank: access to money (transfer for instance), see one’s account In a eHealth environment: access to medical information . . . Show which of the strategic items can be accessed, and what can be achieved with them Active Directory, ERP, Data bases, File storage systems, R&D data, Without being detected A “Blue team” is hiding you, They may know a test is running, or not Better if they do not know. Berner Fachhochschule | Haute cole spcialise bernoise | Berne University of Applied Sciences 6

  7. What is a “Red Team Mission”? Includes: Penetration tests on the IP addresses of the firm Penetration testing is a crucial part of the mission First determine the scope of the attack But also: Physical penetration A firm must protect its infrastructure On-Line, but also Off-line. Once in the premises: Hide a small device like: PwnPlug, Fonera, Raspberry Pi Having a 3G access, you can use it as a bridge to enter the system And: Social engineering The most impressive part Less technical, but very efficient Phone calls, emails with trojan, phishing emails, . . . Berner Fachhochschule | Haute cole spcialise bernoise | Berne University of Applied Sciences 7

  8. First step: Nmap of all the Internets First determine the scope What are the IP-Ranges used by the firm? Normally included in the scope written in the contract. Scan the ports Impossible to scan exhaustively all ports of all machines Search for easy exploitable services FTP Servers File Sharing SNMP services Rlogin and other antiques You can not enter the system with this, but the information will be useful later Scan the classical targets for penetration testing Web servers, Web services, VPN access point, admin interfaces. Goal : get a Webshell access to a DMZ machine Upload flows, Admin interface of servers (Tomcat, Jboss, Websphere) Content Management Systems (including plugins) and their Berner Fachhochschule | Haute cole spcialise bernoise | Berne University of Applied Sciences 8 well known vulnerabilities

  9. Attack the Desktop Computer Berner Fachhochschule | Haute cole spcialise bernoise | Berne University of Applied Sciences 9

  10. Spear Phishing to compromise a client Spear Phishing Send a mail, to install malware on a client Goal is to install a back-door Mean of action Send a mail containing a hyperlink or an attachement Executed malware Will be executed on the victim’s computer Will allow the attacker to control the machine Installs a back-door Berner Fachhochschule | Haute cole spcialise bernoise | Berne University of Applied Sciences 10

  11. Search for information Berner Fachhochschule | Haute cole spcialise bernoise | Berne University of Applied Sciences 11

  12. Search for Information Search for the email addresses of the employees Access some addresses, Understand the construct of the address: firstname.name@target.com, fname@target.com, firstname-name@target.com, name@target.com, . . . Source of information: LinkedIn, Viadeo or Xing Automatically harvest the addresses in Web sites Theharvester (a python program) search for emails in Google, Bing, LinkedIn, Twiter or even Shodan Build your own crawler Find email, phone numbers or names of employees Use Scrapy in Python for visiting web sites Berner Fachhochschule | Haute cole spcialise bernoise | Berne University of Applied Sciences 12

  13. The Harvester Berner Fachhochschule | Haute cole spcialise bernoise | Berne University of Applied Sciences 13

  14. Manually See information directly Find employees that are very enthousisatic (and not secure) Find phone numbers of specific persons Office numbers, location in the premises Visit manually the web sites You may find useful information Use Google Dorks site:linkedin.com inurl:pub -inurl:dir "at firm-name’’ "Current" Berner Fachhochschule | Haute cole spcialise bernoise | Berne University of Applied Sciences 14

  15. Phishing We have a good list of possible targets We need to know who are the targets (role, rank in the organisation) Interesting subjects in a phishing email “Your bank account was just missused if you want to save your money, connect now” “If you want the new iPhone for CHF 100, open this document” This CV is very interesting, you need to activate the Macros to see it Berner Fachhochschule | Haute cole spcialise bernoise | Berne University of Applied Sciences 15

  16. How to send eMails Using a public SMTP server Gmail / GMX / . . . Easy to do You inherit the reputation of Google in spam filters Problem 1: The domain name is not very serious Problem 2: Attacking a third party using Google poses confidentiality questions. Using a private SMTP server You can chose the domain name you want You need to be sure not to be treated as a spam server Increase your server reputation: Deactivate the open relay function of the SMTP server Give the DNS MX entry of the domain Configure the DKIM signature . . . Berner Fachhochschule | Haute cole spcialise bernoise | Berne University of Applied Sciences 16

  17. The Payload We want to maximize the efficiency of the attack No need to a special exploit for the version X of Accrobat Reader on Windows 7.2 Ask kindly to your victim to execute macros. Microsoft Office Macros A macro to see the photo of a CV A macro to see the content of the invoice sent A macro to get data in a presentation . . . Berner Fachhochschule | Haute cole spcialise bernoise | Berne University of Applied Sciences 17

  18. Browser Extensions Give a link to an extension in Firefox Can access to the whole machine: the browser Cookies, history But also the disk And execute a shell You need to install it inside the addons.mozilla.org server Ask kindly to the victim to install it You will be rewarded / you can only access this site with / . . . (depends highly on the profile of your victim). Installation genuine, just click twice Extension for Internet Explorer Browser Helper Objects (BHO) Much more complex to install : will not be done Chrome You must install your application on the Chrome Web Store . Berner Fachhochschule | Haute cole spcialise bernoise | Berne University of Applied Sciences 18

  19. Exploits Very “cool” to exploit a vulnerability Execute code in “Ninja mode” Nobody sees it Applications are always more complex to exploit Started in sandbox Protections are higher and higher Must develop an exploit for each version (32- / 64-bit, Windows 7, 8 or 10, . . . ) Berner Fachhochschule | Haute cole spcialise bernoise | Berne University of Applied Sciences 19

  20. Phishings Mails containing XSS We will see it in detail later A mail containing a link to the valid server ( https:// www.target.com for instance) can lead to a manipulated page Can contain links to download software Mails or SMS to Smartphones One of the most efficient way to infect a person Berner Fachhochschule | Haute cole spcialise bernoise | Berne University of Applied Sciences 20

  21. Protections against such attacks Sensibilisation You must teach all your users Not just a course Serious training with testing of the users Hardening of the configurations For less experienced users Restrict any possibilities to install anything VERY difficult: How can I work without Macros? Berner Fachhochschule | Haute cole spcialise bernoise | Berne University of Applied Sciences 21

  22. Example: Open a Back Door Berner Fachhochschule | Haute cole spcialise bernoise | Berne University of Applied Sciences 22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Survivor: A Fine-Grained Intrusion Response and Recovery Approach for Commodity Operating Systems

Survivor: A Fine-Grained Intrusion Response and Recovery Approach for Commodity Operating Systems

Survivor: A Fine-Grained Intrusion Response and Recovery Approach for Commodity Operating Systems ACSAC, December 13th, 2019 1 HP Labs, United Kingdom (ronny.chevalier@hp.com, david.plaquin@hp.com, cid@hp.com) 2 CIDRE Team,

820 views • 56 slides
Some of the Team Facebook AI Intelligent Dialogue tests Tests 5 99.5% represents an error in the

Some of the Team Facebook AI Intelligent Dialogue tests Tests 5 99.5% represents an error in the

Some of the Team Facebook AI Intelligent Dialogue tests Tests 5 99.5% represents an error in the test result due to an error in the input file. We did not attempt to recode to produce the wrong result to pass the test Demo 1: Meaning Matcher

639 views • 25 slides
Wisconsin: Vapor Intrusion Prevention Partnership Initiative Alyssa Sellwood, P.E. Vapor

Wisconsin: Vapor Intrusion Prevention Partnership Initiative Alyssa Sellwood, P.E. Vapor

Local/State Efforts Wisconsin: Vapor Intrusion Prevention Partnership Initiative Alyssa Sellwood, P.E. Vapor Intrusion Team Leader Bureau of Remediation and Redevelopment Wisconsin Department of Natural Resources Contact Information

216 views • 7 slides
Press intrusion. Identifying similar words with different connotations What is press intrusion?

Press intrusion. Identifying similar words with different connotations What is press intrusion?

Topic 12: Press intrusion. Identifying similar words with different connotations What is press intrusion? Press intrusion is an issue which has many stances, often depending on whether you are a member of the press or have been on the receiving

602 views • 9 slides
Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be

Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be

Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be bad Anomaly intrusion detection Try to detect deviations from normal behavior Specification intrusion detection Try to detect

627 views • 15 slides
Intrusion Detection Principles Basics Models of Intrusion Detection

Intrusion Detection Principles Basics Models of Intrusion Detection

Intrusion Detection Principles Basics Models of Intrusion Detection Architecture of an IDS Architecture of an IDS Organization Incident Response Slide #22-1 FEARLESS engineering Principles of Intrusion Detection

744 views • 40 slides
Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion

Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion

Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion Detection Systems Tripwire Snort 2 IDS (Definition) Intrusion Detection is the process of monitoring the events occurring in a computer

571 views • 30 slides
A Building Block Approach to Intrusion Detection Mark J. Crosbie Hewlett-Packard Company

A Building Block Approach to Intrusion Detection Mark J. Crosbie Hewlett-Packard Company

A Building Block Approach to Intrusion Detection Mark J. Crosbie Hewlett-Packard Company mark_crosbie@hp.com Benjamin A. Kuperman CERIAS, Purdue University kuperman@cerias.purdue.edu http://www.hp.com/products/security/ids/ RAID 2001

485 views • 14 slides
Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection

Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection

Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection Architecture of an IDS Organization Incident Response June 2, 2005 ECS 235, Computer and Information Slide #1 Security Principles of

1.38k views • 104 slides
THE VAPOR INTRUSION PATHWAY DANIEL G. GREENE, CPG MISCONCEPTIONS MISCONCEPTIONS VAPOR INTRUSION

THE VAPOR INTRUSION PATHWAY DANIEL G. GREENE, CPG MISCONCEPTIONS MISCONCEPTIONS VAPOR INTRUSION

engineers | scientists | architects | constructors THE VAPOR INTRUSION PATHWAY DANIEL G. GREENE, CPG MISCONCEPTIONS MISCONCEPTIONS VAPOR INTRUSION The migration of volatile chemical from the subsurface into overlying building (USEPA 2002)

585 views • 31 slides
Intrusion Detection W enke Lee Com puter Science Departm ent Colum bia University Intrusion and

Intrusion Detection W enke Lee Com puter Science Departm ent Colum bia University Intrusion and

Intrusion Detection W enke Lee Com puter Science Departm ent Colum bia University Intrusion and Computer Security Com puter security: confidentiality, integrity, and availability Intrusion: actions to com prom ise security W hy

1.09k views • 63 slides
Higher-Order Conditional Moment Tests: A Simple Robust Approach Yi-Ting Chen Institute of

Higher-Order Conditional Moment Tests: A Simple Robust Approach Yi-Ting Chen Institute of

Higher-Order Conditional Moment Tests: A Simple Robust Approach Yi-Ting Chen Institute of Economics Academia Sinica (Incomplete draft) Abstract In this paper, we propose a simple approach to purge the estimation uncertainty effect on the

483 views • 30 slides
Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection solution is impossible Good behavior on one system is bad behavior on another Behaviors change and new vulnerabilities are discovered

700 views • 23 slides
Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239 systems Computer Software Some sample intrusion detection March 9, 2005 systems Lecture 15 Lecture 15 Page 1 Page 2 CS 239, Winter 2005

602 views • 12 slides
Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236 systems Computer Software Some sample intrusion detection March 12, 2007 systems Lecture 14 Lecture 14 Page 1 Page 2 CS 236, Winter 2007

537 views • 10 slides
Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion

Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion

Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion Detection Systems Detect malicious Raise alarms activities/attacks Alert administrators Hacking/ unauthorized access Trigger defense

217 views • 21 slides
mami Plane 1 In the beginning there was ping , and it was good. (still the only

mami Plane 1 In the beginning there was ping , and it was good. (still the only

Platforms and Tools for Internet Measurement: Current and Future Developments Brian Trammell IRTF/ISOC Workshop on Research and Applications of Internet Measurements Yokohama, Japan, 31 October 2015 mami Plane 1 In the beginning

683 views • 32 slides
United States Army Security Assistance Command North Alabama International Trade Association

United States Army Security Assistance Command North Alabama International Trade Association

UNCLASSIFIED//FOUO UNCLASSIFIED//FOUO United States Army Security Assistance Command North Alabama International Trade Association (NAITA) Industry Day 2017 Foreign Military Sales: Ready for Today Set Conditions for Tomorrow Go

539 views • 16 slides
Transparent Microsegmentation in Smart Home IoT Networks Amr Osman 1 Armin Wasicek 2 Stefan

Transparent Microsegmentation in Smart Home IoT Networks Amr Osman 1 Armin Wasicek 2 Stefan

, Faculty of computer science Transparent Microsegmentation in Smart Home IoT Networks Amr Osman 1 Armin Wasicek 2 Stefan Kpsell 1 Thorsten Strufe 1 1 Chair of Privacy and Data Security TU Dresden firstname.lastname@tu-dresden.de 2 Avast Inc.

652 views • 44 slides
Working with Reconnaissance Teams Post-Earthquake Reconnaissance Workshop PIEPC April 17, 2018

Working with Reconnaissance Teams Post-Earthquake Reconnaissance Workshop PIEPC April 17, 2018

Working with Reconnaissance Teams Post-Earthquake Reconnaissance Workshop PIEPC April 17, 2018 Laurel Nelson EERI Washington Chapter (Seattle Office of Emergency Management) People Infrastructure Environment Culture 2 4/19/2018 Add a

387 views • 10 slides
BREAKING AND ENTERING: EMULATING THE DIGITAL ADVERSARY IN 2019 Bobby Thompson National

BREAKING AND ENTERING: EMULATING THE DIGITAL ADVERSARY IN 2019 Bobby Thompson National

C I S A | C Y B E R S E C U R I T Y A N D I N F R A S T R U C T U R E S E C U R I T Y A G E N C Y BREAKING AND ENTERING: EMULATING THE DIGITAL ADVERSARY IN 2019 Bobby Thompson National Cybersecurity Assessments and Technical Services

522 views • 27 slides
Participant Manual August 2017 Pre-CERCLA Screening Training Pre-CERCLA Screening Course 1

Participant Manual August 2017 Pre-CERCLA Screening Training Pre-CERCLA Screening Course 1

Pre-CERCLA Screening Training Participant Manual August 2017 Pre-CERCLA Screening Training Pre-CERCLA Screening Course 1 Course Objectives After taking this course, participants will be able to explain: What a Pre-CERCLA Screening

1.02k views • 57 slides
GOT SPIES IN YOUR WIRES? Agenda 2 2 Introduction Meat and Potatoes Questions

GOT SPIES IN YOUR WIRES? Agenda 2 2 Introduction Meat and Potatoes Questions

Marshall Heilman GOT SPIES IN YOUR WIRES? Agenda 2 2 Introduction Meat and Potatoes Questions Introduction 3 3 Evolution of Cyber Attacks 4 - Technical Problem - Unix Systems -- 1998 - Servers - Attacks Were a Nuisance -

948 views • 47 slides
StratCom in Context: The Hidden Architecture of U.S. Militarism Jacqueline Cabasso Western

StratCom in Context: The Hidden Architecture of U.S. Militarism Jacqueline Cabasso Western

Slide 1 StratCom in Context: The Hidden Architecture of U.S. Militarism Jacqueline Cabasso Western States Legal Foundation April 12, 2008 Presented at the 16 th Annual Space Organizing Conference Global Network Against Weapons & Nuclear

419 views • 18 slides

More recommend