3) Intrusion Tests: Red Team approach
Emmanuel Benoist
Spring Term 2016
Berner Fachhochschule | Haute école spécialisée bernoise | Berne University of Applied Sciences
Table of Contents
- Presentation
- Example of a Red Team Mission
- Attack the Desktop Computer
- Search for information
- Example: Open a Back Door
- Social Engineering
- Limitations
- Reserve
Presentation
Red Team Definition
A red team is an independent group that challenges an organization to improve its effectiveness. (source: Wikipedia)
- Simulate a real attack
- Use all possible means to test the system
- The "Blue Team" is protecting the system and is challenged by the red team.
- See which assets of the enterprise may be compromised by a "real" attack (by motivated attackers).
- Goal: show the management that security is not a funny game
  - When reading a classical penetration testing report: "XSS on an error page, this is just a theoretical attack, nobody could use it"
  - After a red team attack has accessed the laptop of the CEO and the history of his browser: "YOU MUST FIX IT NOW!!!"
Example: a Red Team Mission
Goal of the Red Team Mission
- Goal: show what a determined attacker could access
  - In a bank: access to money (transfers for instance), see someone's account
  - In an eHealth environment: access to medical information
  - ...
- Show which of the strategic items can be accessed, and what can be achieved with them
  - Active Directory, ERP, databases, file storage systems, R&D data, ...
- Without being detected
  - A "Blue team" is watching for you
  - They may know a test is running, or not
  - Better if they do not know.
What is a "Red Team Mission"?
Includes:
- Penetration tests on the IP addresses of the firm
  - Penetration testing is a crucial part of the mission
  - First determine the scope of the attack
- But also: physical penetration
  - A firm must protect its infrastructure online, but also offline.
  - Once in the premises: hide a small device like a PwnPlug, Fonera or Raspberry Pi
  - Having 3G access, you can use it as a bridge to enter the system
- And: social engineering
  - The most impressive part
  - Less technical, but very efficient
  - Phone calls, emails with trojans, phishing emails, ...
First step: Nmap of all the Internets
- First determine the scope
  - What are the IP ranges used by the firm?
  - Normally included in the scope written in the contract.
- Scan the ports
  - Impossible to scan exhaustively all ports of all machines
  - Search for easily exploitable services: FTP servers, file sharing, SNMP services, rlogin and other antiques
  - You cannot enter the system with this, but the information will be useful later
- Scan the classical targets for penetration testing
  - Web servers, web services, VPN access points, admin interfaces.
  - Goal: get a webshell access to a DMZ machine
  - Upload flows, admin interfaces of servers (Tomcat, JBoss, WebSphere)
  - Content Management Systems (including plugins) and their well known vulnerabilities
Attack the Desktop Computer
Spear Phishing to compromise a client
- Spear phishing
  - Send a mail to install malware on a client
  - Goal is to install a back-door
- Means of action
  - Send a mail containing a hyperlink or an attachment
- Executed malware
  - Will be executed on the victim's computer
  - Will allow the attacker to control the machine
  - Installs a back-door
Search for information
Search for Information
- Search for the email addresses of the employees
  - Access some addresses, understand the construction of the address: firstname.name@target.com, fname@target.com, firstname-name@target.com, name@target.com, ...
  - Source of information: LinkedIn, Viadeo or Xing
- Automatically harvest the addresses on web sites
  - theHarvester (a Python program) searches for emails in Google, Bing, LinkedIn, Twitter or even Shodan
- Build your own crawler
  - Find emails, phone numbers or names of employees
  - Use Scrapy in Python for visiting web sites
The Harvester
Manually
- See information directly
  - Find employees that are very enthusiastic (and not secure)
  - Find phone numbers of specific persons
  - Office numbers, location in the premises
- Visit the web sites manually
  - You may find useful information
- Use Google Dorks
  - site:linkedin.com inurl:pub -inurl:dir "at firm-name" "Current"
Phishing
- We have a good list of possible targets
- We need to know who the targets are (role, rank in the organisation)
- Interesting subjects in a phishing email
  - "Your bank account was just misused; if you want to save your money, connect now"
  - "If you want the new iPhone for CHF 100, open this document"
  - "This CV is very interesting, you need to activate the Macros to see it"
How to send eMails
- Using a public SMTP server
  - Gmail / GMX / ...
  - Easy to do
  - You inherit the reputation of Google in spam filters
  - Problem 1: the domain name is not very serious
  - Problem 2: attacking a third party using Google poses confidentiality questions.
- Using a private SMTP server
  - You can choose the domain name you want
  - You need to be sure not to be treated as a spam server
  - Increase your server reputation: deactivate the open relay function of the SMTP server, give the DNS MX entry of the domain, configure the DKIM signature, ...
The Payload
- We want to maximize the efficiency of the attack
  - No need for a special exploit for version X of Acrobat Reader on Windows 7.2
  - Ask your victim kindly to execute macros.
- Microsoft Office Macros
  - A macro to see the photo of a CV
  - A macro to see the content of the invoice sent
  - A macro to get data in a presentation
  - ...
Browser Extensions
- Give a link to an extension in Firefox
  - Can access the whole machine: the browser (cookies, history), but also the disk, and execute a shell
  - You need to install it on the addons.mozilla.org server
  - Ask the victim kindly to install it: "You will be rewarded" / "you can only access this site with it" / ... (depends highly on the profile of your victim).
  - Installation is genuine, just click twice
- Extension for Internet Explorer
  - Browser Helper Objects (BHO)
  - Much more complex to install: will not be done
- Chrome
  - You must install your application on the Chrome Web Store.
Exploits
- Very "cool" to exploit a vulnerability
  - Execute code in "Ninja mode"
  - Nobody sees it
- Applications are always more complex to exploit
  - Started in a sandbox
  - Protections are higher and higher
  - Must develop an exploit for each version (32-/64-bit, Windows 7, 8 or 10, ...)
Phishings
- Mails containing XSS
  - We will see it in detail later
  - A mail containing a link to the valid server (https://www.target.com for instance) can lead to a manipulated page
  - Can contain links to download software
- Mails or SMS to smartphones
  - One of the most efficient ways to infect a person
Protections against such attacks
- Awareness training
  - You must teach all your users
  - Not just a course
  - Serious training with testing of the users
- Hardening of the configurations
  - For less experienced users
  - Restrict any possibility to install anything
  - VERY difficult: "How can I work without Macros?"
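Training and hardening are the preventive side; the detection side, as an added example that is not from the lecture, is a small standard-library Python triage of one inbound mail. It reads the receiving MTA's Authentication-Results header (the SPF/DKIM checks the sender-reputation slide lists), flags macro-enabled Office attachments (the CV lure), and flags links whose visible text names the legitimate server while the href points elsewhere (the "link to the valid server" trick). The message, the domains target.example, target-com.example and evil.example, and the header values are all constructed for the example.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
import re
from urllib.parse import urlparse

# Office formats that can carry macros (the "activate the Macros" lure).
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".dotm", ".xlam")

def auth_failures(msg):
    """Methods in the receiving MTA's Authentication-Results header that did not pass."""
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")))
    return [m for m in ("spf", "dkim", "dmarc") if results.get(m, "none").lower() != "pass"]

def macro_attachments(msg):
    """File names of attachments in a macro-enabled Office format."""
    return [p.get_filename() for p in msg.iter_attachments()
            if (p.get_filename() or "").lower().endswith(MACRO_EXTENSIONS)]

def mismatched_links(msg):
    """<a> tags whose visible text names one host but whose href goes to another."""
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    found = []
    for href, text in re.findall(r'<a[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.S):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if "://" in shown or shown.startswith("www."):
            shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname
            if shown_host and shown_host != urlparse(href).hostname:
                found.append((shown_host, urlparse(href).hostname))
    return found

def triage(raw_bytes):
    """Run the three checks over one raw RFC 5322 message."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    return {"auth_failures": auth_failures(msg), "macro_attachments": macro_attachments(msg),
            "mismatched_links": mismatched_links(msg)}

def build_sample():
    """Constructed CV lure: lookalike sender domain, macro document, disguised link."""
    m = EmailMessage()
    m["From"] = "HR <hr@target-com.example>"
    m["Authentication-Results"] = "mx.target.example; spf=fail smtp.mailfrom=target-com.example; dkim=none; dmarc=fail"
    m.set_content("Please open the attached CV and activate the macros to see the photo.")
    m.add_alternative('<p>Or open <a href="http://evil.example/cv">https://www.target.example/hr</a></p>', subtype="html")
    m.add_attachment(b"PK\x03\x04", maintype="application",
                     subtype="vnd.ms-word.document.macroEnabled.12", filename="cv.docm")
    return m.as_bytes()
```

Any non-empty list in the result of `triage()` is a reason to hold the mail for review; a real gateway would also check the display name against the From domain, which this example leaves out.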
Example: Open a Back Door