offensive operations - sploitlab · •passive (osint) • search engines (google dorks) • web...

@johnhsawyer [email protected]

OffensiveOperationsJohnH.Sawyer

SeniorManagingConsultantInGuardians,Inc.

BryceLay- Comsys


WorkshopAgenda• Administrivia• IntroductiontoPenetrationTesting

• Reconnaissance• Physical• SocialEngineering• PostExploitation


PurposeofthisWorkshop• Introductiontopenetrationtesting– Securityprofessionalsfocusedondefense– Systemsadministrators– Developers

• Hands-onwithCobaltStrikeandoffensivePowershelltools

• HaveFun!!


WhoAmI?• InGuardiansSeniorManagingConsultant

– RedTeamOperator/PenetrationTester– SocialEngineering– Web,Mobile,andDesktopApps– IncidentResponse&Forensics

• DarkReadingandInformationWeekauthorandspeaker• Infosec VolunteerandMentor• DEFCON14/15CapturetheFlag(1@stplace)


MyAwesomeEmployer• InGuardians,Inc.(formerlyIntelGuardians)• Founded2003byMikePoor,EdSkoudis,JayBeale,Jimmy

Alderson,andBobHillery• Ifit’ssecurity-related,wedoit.

– RedTeamAssessments– PenetrationTesting

• Network,Web,Mobile,Wireless,Hardware,People,andPhysical– IncidentResponseManagementandDigitalForensics


ThankYou• MyWifeandfamily• BryceLay– ComSys• InteropTeam• InGuardians• UBM,DarkReading,andTimWilson


PENETRATIONTESTINGIntroductionto


VulnerabilityAssessment• “Avulnerabilityassessmentistheprocessofidentifying,quantifying,andprioritizing(orranking)thevulnerabilitiesinasystem.”

• Source:Wikipedia

• Whatabout..– Validation– Risktothebusiness


PenetrationTest• “Apenetrationtest,ortheshortformpentest,isanattack

onacomputersystemwiththeintentionoffindingsecurityweaknesses,potentiallygainingaccesstoit,itsfunctionalityanddata.”

• Source:Wikipedia

• Mimicrealattackers• Showrealriskofvulnerabilities


EvolutionofPenetrationTesting• AttackProcess• Recon• Scan• Gainaccess• Maintainaccess• Covertracks

• Pentest Methodology• Preparation• Recon• Scan• Exploit• Analysis• Report


PenetrationTestingExecutionStd.• Pre-engagementinteractions• Intelligencegathering• Threatmodeling• Exploitation• Postexploitation• Reporting


TypesofPenetrationTesting• Network

– Internal– External

• Application– Web– Mobile– Desktop

• Physical

• SocialEngineering– Email– Phone– Other(Social,In-person)

• Wireless– WiFi– OtherRF

• Hardware


RedTeaming• Militaryorigins– practiceofviewingaproblemfromanadversaryorcompetitor'sperspective

• Long-term,persistentoperations– Monthstoyears

• Full-scope– Physical,socialengineering,web,mobile,wireless


OffensiveTraits• Passion• Curiosity• Experience• Adaptability• Communication• Notafraidoffailure

• Diversebackground– sysadmin,developer,networkengineer


LegalIssues• Jobdescription• Writtenpermission• Scope• RulesofEngagement


Risks• DenialofService

– Networkcongestion/saturation– Serviceresourceexhaustion– Crash(BSOD,Segfault)

• Datacorruption• Datadestruction• Angrypeople

– Sysadmins,users,HR,Legal


RECONNAISSANCEIntelligenceGathering


Reconnaissance• Passive(OSINT)• SearchEngines(GoogleDorks)• Webarchives• Newsgroups,GoogleGroups• Whois,Robtex,CentralOps• Shodan,Censys,Netcraft• Socialnetworks• Pwnedlist,Breachalarm

• Active• Nmap• DNSinterrogation• Nessus,Nexpose,Metasploit• Arachni,Burp,wpscan• FOCA,metagoofil• Anythingthatactivelytouches

thetargetnetwork


SearchEngines• “GoogleDorks”• BishopFoxSearchDiggity– GoogleDiggity,BingDiggity,BingLinkFromDomainDiggity– CodeSearchDiggity,DLPDiggity,FlashDiggity– MalwareDiggity,PortScanDiggity,SHODANDiggity– BingBinaryMalwareSearch,andNotInMyBackYard Diggity.

• http://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/


Shodan.io• “Shodan istheworld'sfirstsearchengineforInternet-connecteddevices.”

• http://www.shodanhq.com/help/filters– net,os,city,country,geo,hostname,port,before/after


Shodan Tools• ManytoolsleverageShodan– Spiderfoot,Maltego,etc.

• Shodan API– Pythonandrubylibraries

• Metasploit shodan_search module


Nmap• Networkportscanner• TCPandUDP• OSfingerprinting• Servicefingerprinting• Nmap ScriptingEngine– Advancedchecks– Vulnerabilitydetection


Spiderfoot• Automatesmuchofthereconprocess• FreeandOpenSource• RunsunderLinuxandWindows

• cd/opt/spiderfoot• python./sf.py• http://127.0.0.1:5001


Eyewitness• Screenshotsofwebapplications• Multipleformatimport(nmap,Nessus)• Serverheaders• PageSource• DefaultCreds• Alternatives– peepingtom,httpscreenshot,Spart


SOCIALENGINEERINGBecausethereisnopatchforhuman…


SocialEngineeringDefined• Theactofinfluencingsomeonetotakeanactionthatmayormaynotbeintheirbestinterest.


ExampleCareers• Doctors• Therapists• Radiohosts• Schoolteachers• Counselors• Lawenforcement


WhyDoesItWork?• Desiretobehelpful– ParAvion

• Tendencytotrustpeople• Fearofgettingintotrouble– Daisy

• Willingnesstocutcorners• http://www.social-engineer.org/framework


SomeGuidelines• GoldenRule– Leavesomeonebetterforhavingmetyou

• Manipulation– Thinkscamandpickupartists– Leavepeoplefeeling“dirty”orcheated• ChrisandMichelesurvey


SocialEngineeringMethodology• InformationGathering• PretextDevelopment• AttackPlanning• PerformAttacks• Reporting


ElementsofaGoodPhish• Urgesrecipienttotakeaction• Targetsanemotionalresponse• Mimicscontentforatrustedsource• Spoofsthesourcetoappearlegitimate• Bypassesmailsecuritycontrols

– http://arstechnica.com/information-technology/2014/02/16/how-to-run-your-own-e-mail-server-with-your-own-domain-part-1/


SomeReconTools• theharvester

– ThisisincludedontheVM• FOCA

– Windowsonly– Findsdocsandpulls

metadataincludingusernames,softwareversions,servers,networkshares.

• Maltego– Helpstoidentify

relationshipsbetweenhosts,networks,identitiesandmore.

• metagoofil– Metadatasearchand

extractor– Alittledatedbutstillvery

useful


PHYSICALOliviaNewtonJohnwantstoget…


Physical• Havingphysicalaccessrequireslittle/noexploitstocompromise

– Itisevenmorefunwhenitdoes!

• Thinkaboutwhatanattackercoulddoiftheyhavephysicalaccessto• areceptionist’sworkstation• anITstaffmember’sworkstation• anetworkcloset/IDF• yourdatacenter…• Physicalaccessisoftenconsidered“gameover”


DressthePart• Backtopowersofobservation…byothers

– Howwillstaffperceiveyouintheorganization?• Howareotherdressed?

– Construction– FireExtinguisherinspection– Packagedelivery*– Repairtechnician*

• Casualofficeorprofessionaldress


Tools• Few“technical”toolsexisthere

– Unlesswetalkprox/pinpad– Mostoccasionsdon’trequireanythingtechnical

• Mostpowerfultoolforthispartisyourbrain– Time,creativityandpatience– Thinkingoutsideofthebox– Hacking“hardware”fromthedumpster

• Howminorgapsinimplementationcanbeused


RFIDTools&RubberDucky• https://proxmark3.com• https://www.bishopfox.com/resources/tools/rfid-hacking/attack-tools/

• http://hakshop.myshopify.com/products/usb-rubber-ducky-deluxe?variant=353378649


PowersofObservation(1)• Observinghowphysicalsecuritysystemsareimplemented!• Observingthemovementsofothersperalongperiodoftime• Wheredocameraspoint?Aretheymonitoredactivelyor

reactively?• Howdodoorsunlockfromtheoutside?

– Howdotheyunlockfromthe inside?– Motionsensor?Capacitivetouchbar?– Whatsidearethehingeson?


PowersofObservation(2)• Underdoorgaps?Gapsindoorframes?

– Whatcanweuseoutofthedumpster?– Lowes/Homedepotcrafttime!

• Othermethodsofaccess– Balconies– LoadingDocks

• Unmotivated/Laxbuildingsecurity• Whatdobadgeslooklike?Totheinternet!


SocialEngineering• Thisisagameuntoitself– Somanysubtleties

• TL;DR,itisagameofconfidence– Actlikeyoubelong– Playthepart– “Hey,how’sitgoing?”


Policies• Physicalsecuritydesignattimeofbuild– JustlikeDevOps,bakeinsecurity

• Tailgating• Reportingofsuspiciousactivity• Auditandobserveadherencetopolicy


GETTINGAFOOTHOLDOMG!TheyopenedtheMACRO!!1!1!


Responder• PassiveandActiverecon• Exploitation(LLMNR,NBT-NS,DNS,MDNS)

• Stealpasswordhashesandcrackwithjohn/hashcat

• https://github.com/lgandx/Responder-Windows


Inveigh• LLMNR,mDNS,andNBNS

spoofer• Man-in-the-middletool• HTTP/HTTPS/Proxy

listeners• Slimmeddown,Powershell

versionofResponder


PasswordCracking• CrackthehashescapturedfromResponderusing:– johntheripper– hashcat


POWERSHELLIt’severywhereyouwanttobe…


OffensivePowershell• Greatforbypassingantivirus

andapplicationwhitelisting• OncurrentWindows

workstationandserveroperatingsystems

• MoreoffensivetoolsareleveragingPowershell

• Thebadguysareusingit,too!


Powershell ExecutionPolicy• ExecutionPolicy*IS*nota

securityfeature!!• 15waystobypass

Powershell executionpolicy– https://blog.netspi.com/15-

ways-to-bypass-the-powershell-execution-policy/


Powershell Pwnage Must-Haves• Empire

– http://www.powershellempire.com

• Powersploit– https://github.com/PowerShell

Mafia/PowerSploit• BloodHound

– https://github.com/BloodHoundAD/BloodHound

• PowerUpSQL– https://github.com/NetSPI/Po

werUpSQL• MailSniper

– https://github.com/dafthack/MailSniper

• DomainPasswordSpray– https://github.com/dafthack/D

omainPasswordSpray


COBALTSTRIKEPost-exploitationandC2excellence


CobaltStrike• Post-exploitation• CommandandControl

(C2)• Flexibleprotocols• Powershell integration• Scriptable


ListenersandPayloads


MacrosfortheFoothold


InjectingADCredstoAccessSysvol


MovingLaterally:SMBBeacons


Credentials


Powershell Integration


NEXTSTEPSWheretogofromhere…


NextSteps• Buildyourownlab

– VMWare (ESXi),VirtualBox,Hyper-V,AWS,Docker– Vulnhub.com– Networkequipment(HWorSW)

• Certifications– OSCP– GPEN,GPWN,GXPN

• BugBountiesandCapturetheFlagevents


ContactInformation• Contactinformation:

[email protected]@johnhsawyer352-389-4704

• Slides- https://www.sploitlab.com

offensive operations - sploitlab · •passive (osint) • search engines (google dorks) • web...

Documents