Hacking Techniques

HACKING TECHNIQUES
and Mitigations
Brady Bloxham
About Us
• Services
• Vulnerability assessments
• Wireless assessments
• Compliance testing
• Penetration testing
• Eat, breathe, sleep, talk, walk, think, act security!
Agenda
• Old methodology
• New methodology
• Techniques in action
• Conclusion
The Old Way
• Footprinting
• Network Enumeration
• Vulnerability Identification
• Gaining Access to the Network
• Escalating Privileges
• Retain Access
• Return and Report
The Old Way (continued)
The New Way (my way!)
• Recon
• Plan
• Exploit
• Persist
• Repeat
• Simple, right?!
The New Way (continued)
(Flowchart: Recon → Plan → Exploit → Persist, with a “Domain Admin?” Yes/No decision and a Report! step)
Old vs. New
• So what you end up with is…
Recon
• Two types
• Pre-engagement
• On the box
Recon – Pre-engagement
• Target IT
• Social Networking
• LinkedIn
• Facebook
• Google
• Bing
• Create profile
• Play to their ego
• Play to desperation
• Play to what you know
Recon – Pre-engagement
• Social Engineering
Recon – On the box
• Netstat
• Set
• Net
Recon
• Registry
• Audit Settings
• HKLM\Security\Policy\PolAdtEv
• Dump hashes
• Local hashes
• Domain cached credentials
• Windows credential editor
• Application credentials (Pidgin, Outlook, browsers, etc.)
• RDP history
• HKU\Software\Microsoft\Terminal Server Client\Default
• Installed software
• HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall
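The registry locations this slide lists are the same ones a defender can inventory before an intruder does: the RDP client history is a ready-made map of the high-value servers a compromised user touches, and the Uninstall branch tells an attacker which credential-holding applications are present. The following is an added example, not code from the deck: it parses a `.reg` export offline and turns those three locations into review findings. The export text is constructed sample data; the export format spells the hives `HKEY_LOCAL_MACHINE` and `HKEY_CURRENT_USER` where the slide writes `HKLM` and `HKU`, and the per-user `Terminal Server Client` key is read from the current-user view, which is an assumption of the example.

```python
"""Offline review of a Windows registry export (.reg text).

Added example (not from the slide deck). Parses the .reg format and reports on the
three keys the Recon slide names: the audit-policy key, RDP connection history and
installed software. SAMPLE_REG is constructed data; hosts and products are made up.
"""
import re

AUDIT_KEY = r"HKEY_LOCAL_MACHINE\SECURITY\Policy\PolAdtEv"
RDP_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"
UNINSTALL_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall"

# Applications the slides name as holding recoverable credentials (browsers generalised).
CREDENTIAL_APPS = ("pidgin", "outlook", "firefox", "chrome")

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SECURITY\Policy\PolAdtEv]
@=hex:00,00,00,00,01,00,00,00,\
  00,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default]
"MRU0"="dc01.corp.example"
"MRU1"="fileserver02.corp.example"
"MRU2"="10.10.20.7"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{AAAA-1}]
"DisplayName"="Pidgin"
"DisplayVersion"="2.10.0"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{BBBB-2}]
"DisplayName"="Example Accounting Client"
"DisplayVersion"="4.1"
"""

VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: value}}.

    Handles REG_SZ ("..."), dword: and hex: values, joining the backslash
    continuation lines that regedit emits for long binary values. The default
    value of a key is stored under the name "@".
    """
    keys = {}
    current = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        while line.endswith("\\") and i < len(lines):  # hex continuation
            line = line[:-1] + lines[i].strip()
            i += 1
        m = VALUE_LINE.match(line)
        if not m or current is None:
            continue
        name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
        raw = m.group(2)
        if raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        elif raw.startswith("dword:"):
            value = int(raw[6:], 16)
        elif raw.startswith("hex"):
            value = bytes(int(b, 16) for b in raw.split(":", 1)[1].split(",") if b)
        else:
            value = raw
        keys[current][name] = value
    return keys


def rdp_history(reg):
    """Hosts recorded in the RDP client's MRU list, most recent first."""
    values = reg.get(RDP_KEY, {})
    mru = sorted((k for k in values if re.fullmatch(r"MRU\d+", k)), key=lambda k: int(k[3:]))
    return [values[k] for k in mru]


def installed_software(reg):
    """DisplayName of every subkey under the Uninstall branch."""
    prefix = UNINSTALL_KEY.lower() + "\\"
    return [v["DisplayName"] for k, v in reg.items()
            if k.lower().startswith(prefix) and "DisplayName" in v]


def review(reg):
    """Defender-facing findings: what this host would hand to an intruder."""
    findings = []
    if AUDIT_KEY not in reg:
        findings.append("audit policy key not present in export")
    hosts = rdp_history(reg)
    if hosts:
        findings.append(f"RDP history reveals {len(hosts)} target(s): {', '.join(hosts)}")
    for name in installed_software(reg):
        if any(app in name.lower() for app in CREDENTIAL_APPS):
            findings.append(f"credential-holding application installed: {name}")
    return findings


if __name__ == "__main__":
    for finding in review(parse_reg(SAMPLE_REG)):
        print(finding)
```

Run against a real export the RDP list is the item to act on first: each MRU entry names a server that an attacker with this user's session can reach, which is why the domain controller shows up in a user's history here.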
Recon
• What do we have?
• High value servers (domain controller, file servers, email, etc.)
• Group and user list
• Domain admins
• Other high value targets
• Installed applications
• Detailed account information
• Hashes and passwords
Plan
• Test, test, test!
• Real production environment!
• Recreate target environment
• Proxies
• AV
• Domain
• Verify plan with customer
• Think outside the box!
Plan
Exploit
• The reality is… it’s much easier than that!
• No 0-days necessary!
• Macros
• Java applets
• EXE PDFs
Exploit
• Java Applet
• Domain
– $4.99/year
• Hosting
– $9.99/year
• wget
– Free!
• Pwnage
– Priceless!
• Macros
• Base64 encoded payload
• Convert to binary
• Write to disk
• Execute binary
• Shell!
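The macro chain on this slide (encoded blob, decode, write to disk, execute) is also what makes such documents easy to triage on the way in: the blob and the write-then-run calls are visible in the macro source before anything runs. The following is an added example, not from the deck, of that triage over macro source text. Both macro bodies are constructed; the suspicious one carries a Base64 string of harmless filler text where a real one would carry a payload, and the indicator keyword lists are the example's own choice.

```python
"""Heuristic triage of VBA macro source for the encode/drop/execute pattern.

Added example (not from the slide deck). Flags macros that combine an auto-run
entry point, a long Base64 blob, a write-to-disk call and an execute call.
The two macro sources below are constructed test inputs.
"""
import base64
import binascii
import re

# A run of Base64 alphabet long enough to hold code rather than a label or a GUID.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")

INDICATORS = {
    "auto_execute": re.compile(r"\b(AutoOpen|Auto_Open|Document_Open|Workbook_Open)\b", re.I),
    "write_to_disk": re.compile(r"\b(SaveToFile|ADODB\.Stream|Open\s+\S+\s+For\s+Binary)\b", re.I),
    "execute": re.compile(r"\b(WScript\.Shell|Shell|CreateObject|ShellExecute)\b", re.I),
}

# Constructed: a harmless formatting macro.
BENIGN_MACRO = """Sub FormatReport()
    Range("A1:F1").Font.Bold = True
    Columns("A:F").AutoFit
End Sub
"""

# Constructed: the filler blob stands in for an encoded executable.
FILLER_BLOB = base64.b64encode(
    b"harmless filler text standing in for an encoded executable " * 3).decode()

SUSPICIOUS_MACRO = f'''Private Sub Document_Open()
    Dim blob As String
    blob = "{FILLER_BLOB}"
    Set stm = CreateObject("ADODB.Stream")
    stm.SaveToFile dropPath, 2
    Shell dropPath, vbHide
End Sub
'''


def find_base64_blobs(source):
    """Return long runs that actually decode as Base64 (not just look like it)."""
    blobs = []
    for m in B64_RUN.finditer(source):
        run = m.group(0)
        padded = run if run.endswith("=") else run + "=" * (-len(run) % 4)
        try:
            base64.b64decode(padded, validate=True)
        except (binascii.Error, ValueError):
            continue
        blobs.append(run)
    return blobs


def triage_macro(source):
    """Collect indicator hits and give a verdict.

    'suspicious' needs the full drop chain: a blob plus a write call plus an
    execute call. Any single indicator alone is only 'review'.
    """
    hits = {name: sorted({m.group(1) for m in rx.finditer(source)})
            for name, rx in INDICATORS.items()}
    hits["base64_blob"] = [f"{len(b)} chars" for b in find_base64_blobs(source)]
    if hits["base64_blob"] and hits["write_to_disk"] and hits["execute"]:
        verdict = "suspicious"
    elif any(hits.values()):
        verdict = "review"
    else:
        verdict = "benign"
    return {"indicators": hits, "verdict": verdict}


if __name__ == "__main__":
    for label, src in (("benign", BENIGN_MACRO), ("suspicious", SUSPICIOUS_MACRO)):
        print(label, "->", triage_macro(src)["verdict"])
```

The verdict is deliberately conjunctive: a Base64 string on its own is common in legitimate macros, and `Shell` on its own is common in office automation, so the example only escalates when the three parts of the chain the slide describes appear together.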
Exploit
• The problem? A reliable payload!
• Obfuscation
• Firewalls
• Antivirus
• Proxies
Persist
• Separates the men from the boys!
• Custom, custom, custom!
• Nothing good out there…
• Meterpreter – OSS
• Core Impact – Commercial
• Poison Ivy – Private
• DarkComet – Private
• Who’s going to trust these?
Persist
• How?
• Registry
• Service
• Autorun
• Startup folder
• DLL hijacking
• What?
• Beaconing backdoor
• Stealthy
• Blend with the noise
• Modular
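A beaconing backdoor that blends with the noise defeats reputation-based blocking but leaves a different trace: a fixed-interval check-in is far more regular than any human-driven traffic. The following is an added example, not from the deck, of the periodicity check a defender runs over outbound-connection logs. The log format, hostnames and timestamps are constructed, and the thresholds (at least five connections, coefficient of variation of the interval under 0.1) are the example's own.

```python
"""Beacon detection by interval regularity over a constructed proxy-style log.

Added example (not from the slide deck). Groups connections by (source,
destination), measures how evenly spaced they are and flags low-jitter flows.
"""
import statistics
from collections import defaultdict
from datetime import datetime

MIN_EVENTS = 5   # fewer connections than this give no meaningful rhythm
MAX_CV = 0.1     # stdev/mean of the inter-connection interval

# Constructed log lines: timestamp, source host, destination host, bytes sent.
SAMPLE_LOG = """\
2012-05-01T08:00:00 ws17 cdn.example.net 1200
2012-05-01T08:00:00 ws17 updates.example.org 512
2012-05-01T08:01:00 ws17 updates.example.org 514
2012-05-01T08:02:00 ws17 updates.example.org 512
2012-05-01T08:03:01 ws17 updates.example.org 513
2012-05-01T08:04:00 ws17 updates.example.org 512
2012-05-01T08:05:00 ws17 updates.example.org 512
2012-05-01T08:00:12 ws17 cdn.example.net 40000
2012-05-01T08:03:40 ws17 cdn.example.net 8200
2012-05-01T08:04:05 ws17 cdn.example.net 120000
2012-05-01T08:09:30 ws17 cdn.example.net 300
"""


def parse_log(text):
    """Group (timestamp, bytes) events by (src, dst)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        flows[(src, dst)].append((datetime.fromisoformat(ts), int(nbytes)))
    return flows


def interval_stats(times):
    """Mean inter-arrival interval in seconds and its coefficient of variation."""
    times = sorted(times)
    deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = statistics.mean(deltas)
    cv = statistics.pstdev(deltas) / mean if mean else float("inf")
    return mean, cv


def find_beacons(text, min_events=MIN_EVENTS, max_cv=MAX_CV):
    """Return flows whose connection rhythm is too regular to be human-driven."""
    findings = []
    for (src, dst), events in parse_log(text).items():
        if len(events) < min_events:
            continue
        mean, cv = interval_stats([t for t, _ in events])
        if cv <= max_cv:
            sizes = [n for _, n in events]
            findings.append({
                "src": src, "dst": dst, "count": len(events),
                "mean_interval": mean, "cv": cv,
                "size_range": (min(sizes), max(sizes)),  # constant-size check-ins
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}: {f['count']} connections, "
              f"every {f['mean_interval']:.0f}s (cv {f['cv']:.3f}), "
              f"{f['size_range'][0]}-{f['size_range'][1]} bytes")
```

In the sample the browsing to `cdn.example.net` is bursty and variable in size, so it passes; the once-a-minute, near-constant-size calls to `updates.example.org` are flagged regardless of how ordinary the destination name looks. A real implant adds jitter to its interval, which is why `MAX_CV` is a tunable rather than a constant and why the byte-size range is reported alongside the timing.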
Repeat?!
Conclusion
• Old methodology is busted!
• Compliance != Secure
• It’s not practice makes perfect…