Transcript Hacking Techniques

HACKING TECHNIQUES
and Mitigations
Brady Bloxham
About Us
• Services
• Vulnerability assessments
• Wireless assessments
• Compliance testing
• Penetration testing
• Eat, breathe, sleep, talk,
walk, think, act security!
Agenda
• Old methodology
• New methodology
• Techniques in action
• Conclusion
The Old Way
• Footprinting
• Network Enumeration
• Vulnerability Identification
• Gaining Access to the Network
• Escalating Privileges
• Retain Access
• Return and Report
The Old Way (continued)
The New Way (my way!)
• Recon
• Plan
• Exploit
• Persist
• Repeat
• Simple, right?!
The New Way (continued)
Recon
Plan
Exploit
Persist
Report!
Yes
Domain
Admin?
No
Old vs. New
• So what you end up with is…
Recon
• Two types
• Pre-engagement
• On the box
Recon – Pre-engagment
• Target IT
• Social Networking
• LinkedIn
• Facebook
• Google
• Bing
• Create profile
• Play to their ego
• Play to desperation
• Play to what you know
Recon – Pre-engagment
• Social Engineering
Recon – On the box
• Netstat
Recon – On the box
• Set
Recon – On the box
• Net
Recon – On the box
• Net
Recon – On the box
• Net
Recon
• Registry
• Audit Settings
• HKLM\Security\Policy\PolAdtEv
• Dump hashes
• Local hashes
• Domain cached credentials
• Windows credential editor
• Application credentials (Pidgin, Outlook, browsers, etc.)
• RDP history
• HKU\Software\Microsoft\Terminal Server Client\Default
• Installed software
• HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall
Recon
• What do we have?
• High value servers (domain controller, file servers, email, etc.)
• Group and user list
• Domain admins
• Other high value targets
• Installed applications
• Detailed account information
• Hashes and passwords
Plan
Plan
Plan
• Test, test test!
• Real production environment!
• Recreate target environment
• Proxies
• AV
• Domain
• Verify plan with customer
• Think outside the box!
Plan
Plan
Exploit
Exploit
• The reality is…it’s much easier than that! 
• No 0-days necessary!
• Macros
• Java applets
• EXE PDFs
Exploit
• Java Applet
• Domain
– $4.99/year
• Hosting
– $9.99/year
• wget
– Free!
• Pwnage
– Priceless!
• Macros
• Base64 encoded payload
• Convert to binary
• Write to disk
• Execute binary
• Shell!
Exploit
• The problem? A reliable payload!
• Obfuscation
• Firewalls
• Antivirus
• Proxies
Persist
Persist
• Separates the men from the boys!
• Custom, custom, custom!
• Nothing good out there…
• Meterpreter – OSS
• Core Impact – Commercial
• Poison Ivy – Private
• DarkComet – Private
• Who’s going to trust these?
Persist
• How?
• Registry
• Service
• Autorun
• Startup folder
• DLL hijacking
• What?
• Beaconing backdoor
• Stealthy
• Blend with the noise
• Modular
Repeat?!
Conclusion
• Old methodology is busted!
• Compliance != Secure
• It’s not practice makes perfect…