Taking security a step further: Red Team operations - PowerPoint PPT Presentation

ME
- 20 years of experience doing hacking
- Authored tools / articles / books / etc.
- Speaker at conferences around the world
- Volunteer at OWASP
- Still getting the same thrill when compromising a host
- CEO at SECFORCE
SECFORCE
- IT Security Consultancy – penetration testing
- Highly specialised in offensive security
- Teams located in London (UK) and Malta
- Services: Blockchain security, Red Team Testing, Penetration Testing, Incident Response
Agenda
1. Introduction
2. Why Red Teaming
3. How is a Red Team operation conducted
4. Questions and answers

1. Introduction
DEFENSIVE vs OFFENSIVE
Defensive:
- AV and Firewall vendors
- Blue Team, sysadmins, etc.
- SIEM, IDS, IPS, etc.
Offensive:
- Penetration Testing
- Red Team
- A lot more fun! :-)
PENETRATION TESTING vs RED TEAM
Penetration testing:
- Specific target – narrow scope
- Aiming for full coverage of issues
- Stealth is not important
- Assess security controls such as patch management, password policies, access control, etc.
Red Team:
- Wider scope
- Stealth attack
- Assess controls such as incident response, monitoring, network sensors, user security awareness, etc.
- Sophisticated attacks
- Longer engagements
WHAT IS A RED TEAM OPERATION?
- An assessment to identify the resilience of an organisation to highly sophisticated targeted attacks
- A team of attackers performs an attack to help the target organisation identify weaknesses in its defensive mechanisms
- Some of these exercises may replicate attacks such as:
  Hacktivists
  Ransomware attacks
  State sponsored threat actors
2. Why Red Teaming?

Why perform a Red Team assessment?
- How else would an organisation know its resilience?
- Regulatory compliance
- Assess security holistically, instead of in isolation
- Assess user security awareness
- Train a blue team
3. How is a Red Team conducted?
INFRASTRUCTURE vs STAFF
Infrastructure:
- Identification of security holes
- Critical issues affecting the perimeter
- Development systems? UAT? Etc.
- Misconfigurations, etc.
Staff:
- Spear phishing attacks
OUTSIDE vs INSIDE
Outside:
- External reconnaissance
- Assessment of the perimeter
- Identify target users for phishing
- Goal: network foothold
Inside:
- Network awareness
- Persistence
- Understanding the current security controls
- Identification of misconfigurations
- Privilege escalation
Tools
- Cobalt Strike
- Empire
- PowerShell (Microsoft's Post-Exploitation Language ;-) )
- PowerView, PowerUp, PowerSploit
- Custom scripts
- Living off the land: WMI, WinRM, GPO
- Nmap and Nessus (only for external testing)
Methodology
- Detective work
- Design an attack
- Deliver the attack
User Reconnaissance
- Look for: emails, departments, files (metadata), user/domain names, password dumps, ex-employees...
- Google-fu
- Social media
- theHarvester
- Maltego
- FOCA
- Threat Intelligence
Infrastructure Reconnaissance
- Goal: get a list of IP addresses / domains to target
- Google-fu
- Whois
- DNS bruteforce
- SSL certificate review
- Web crawling, etc.
Infrastructure Assessment
- Goal: identification of RCE issues such as misconfigured Tomcat, SQLi, SMTP relays, Shellshock, Heartbleed, etc.
- Nmap (common ports)
- Nessus
- Standard penetration testing tools
- Commonly conducted over VPN
Phishing
- Recon gave us emails, departments and ideas
- Profiling
- Prepare pretexts (domains, mail server, sites, etc.)
- Delivery: Macros or Java usually, but others exist (hta, js, sct files); password protected zip files
- Payload: Cobalt Strike Beacon
- Spoofing? SPF + DKIM + mail relays
- Mail filters? MX records and NDRs help!

Phishing - profiling
Phishing payload creation
- We have a good understanding of the target
- Choose the angle of attack
- AV bypass
- Communication channels to the C2 server

AV evasion

Delivery – office macro

Delivery – Java Applet
Command & Control
- HTTP(S): Beacon is proxy aware, but some proxies inflict pain :(
- DNS: beware of command output!
- Totally legit domains: static-jquery.com, msn-cdn.com, onedrive-live.co.uk
- Web filtering checks domain reputation based on age, etc.
- Cobalt Strike Malleable C2

Malleable C2 profile
Gaining a network foothold!

We are in! Now what?
- Situational awareness:
  whoami /groups
  process list + steal_token (explorer.exe)
  powershell $PSVersionTable.PSVersion
  net start | findstr -i "protect vir"
  systeminfo | find "Boot Time"
  echo %temp% & time /t
- Watch out for network monitoring
- Only be interactive when you need to; otherwise sleep 10
Wait! Let's be safe!

Persistence
- We need to survive reboot
- Don't want to phish again
- Persist on workstations, not servers
- Typical methods:
  Registry
  Scheduled tasks
  WMI (requires admin)
  VPN (requires creds)

Persistence - Registry

Persistence – Scheduled tasks

Persistence – WMI
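As an added defender-side example (not part of the slides), a small triage routine that flags the three host-based persistence methods the deck lists, registry autoruns, scheduled tasks and WMI event subscriptions, in constructed Sysmon/Security event records. The event IDs are the real Sysmon and Windows Security ones; the record field names are simplified assumptions, not an exact log schema.

```python
# Added example, not from the slides: flag the persistence methods the deck lists
# (registry autoruns, scheduled tasks, WMI subscriptions) in event records.
# Event IDs: Sysmon 13 = registry value set, Security 4698 = scheduled task
# created, Sysmon 19/20/21 = WMI filter/consumer/binding. Field names are
# simplified assumptions, not an exact Sysmon or Windows event schema.
import re
from typing import Dict, List, Optional, Tuple

# Registry locations commonly used for autorun persistence (workstation focus,
# matching the deck's advice to persist on workstations rather than servers).
AUTORUN_KEYS = re.compile(
    r"\\CurrentVersion\\(Run|RunOnce|RunServices|Explorer\\Shell Folders)\b"
    r"|\\Winlogon\\(Shell|Userinit)\b",
    re.IGNORECASE,
)


def classify_event(event: Dict) -> Optional[str]:
    """Return a persistence label for one event record, or None if it looks benign."""
    source, eid = event.get("source"), event.get("event_id")
    if source == "Sysmon" and eid == 13:
        if AUTORUN_KEYS.search(event.get("target_object", "")):
            return "registry-autorun"
    elif source == "Security" and eid == 4698:
        return "scheduled-task"
    elif source == "Sysmon" and eid in (19, 20, 21):
        return "wmi-subscription"
    return None


def triage(events: List[Dict]) -> List[Tuple[str, str]]:
    """Return (host, label) pairs for every event matching a persistence method."""
    return [(e.get("host", "?"), lbl) for e in events if (lbl := classify_event(e))]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS01", "source": "Sysmon", "event_id": 13,
     "target_object": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"host": "WS01", "source": "Sysmon", "event_id": 13,
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"},
    {"host": "WS02", "source": "Security", "event_id": 4698, "task_name": r"\Microsoft\Sync"},
    {"host": "WS03", "source": "Sysmon", "event_id": 20, "name": "SuspiciousConsumer"},
    {"host": "WS03", "source": "Sysmon", "event_id": 13,
     "target_object": r"HKCU\Software\Microsoft\Office\16.0\Word\Options"},  # benign write
]

if __name__ == "__main__":
    for host, label in triage(SAMPLE_EVENTS):
        print(f"{host}: {label}")
```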
Privilege escalation + lateral movement
- They go hand in hand
- Priv esc goals:
  Local Admin -> Domain Admin (of course)
  Domain User -> Domain User with access to target system
- Lateral movement goals:
  Our box -> key workstation -> target system
  Our box -> box that leads to compromise of higher priv user
  Our box -> box that leads to box that leads to box...
- General goal: remain undetected
Privilege escalation tactics
- PowerUp
- GPP files
- Clear text passwords in files/scripts/shares
- Monitor users
- Inveigh / Responder
- General misconfigurations
- Abuse of common practices: users often have a low + high priv account
Capturing password hashes
Lateral movement tactics
- User hunting:
  Find more interesting users
  Find out where they are logged in
  Can we log in there?
  Steal their token/creds
  Repeat
- Tools for this include PowerView's UserHunter and BloodHound

BloodHound
Lateral movement tactics (continued)
- SMB comms for pivoting
- Not psexec, use wmic/winrm
- dir c:\ is often enough to check privs
- runas /user:domain\user cmd
- Don't portscan, query the domain: SPN scanning
Lateral movement tactics (continued)
- setspn -Q */* (query all SPNs)
- setspn -L <server/user> (query a specific SPN)
- setspn -L MSSQLSvc
Summary