why black hats always win
play

Why Black Hats Always Win Val Smith (valsmith@attackresearch.com) - PowerPoint PPT Presentation

Sep 19, 2023 •302 likes •1.07k views

Why Black Hats Always Win Val Smith (valsmith@attackresearch.com) Chris (chris@sdnaconsulting.com) Slide: 1 Bios Val Smith Affiliations: Attack Research Metasploit Work: Attack Techniques Research Previous Talks Pen

  1. Why Black Hats Always Win Val Smith (valsmith@attackresearch.com) Chris (chris@sdnaconsulting.com) Slide: 1

  2. Bios Val Smith – Affiliations: • Attack Research • Metasploit – Work: • Attack Techniques Research Previous Talks • Pen Tester/ Exploit developer – Exploiting malware & vm detection • Reverse Engineer – Kernel mode de-obfuscation of malware • Malware Analyst – Data mining malware collections – Tactical Exploitation – Post Exploitation – Analysis of foreign web attacks Slide: 2

  3. Bios Chris Chris is a Security Consultant and Researcher with Secure DNA. Chris specializes in web based application development security. He has collaborated with some of the top security researchers and companies in the world and has performed static and dynamic security assessments for numerous companies and government agencies across the U.S. and Asia. Slide: 3

  4. What are we talking about? • Overview of: – White hat Methodologies – Black Hat Methodologies • Attackers VS. Defenders • Analysis of Black Hat techniques in the Wild • Black Hat Methodologies Demystified • How can this help you? • What can you do? Slide: 4

  5. Overview of White Hat Methodologies Slide: 5

  6. Overview of White Hat Methodologies • Goals – Focus on racking up numbers of hacked machines – Data to fill reports – Identifying mitigations • How to prevent the attack – Vulnerability footprint, not penetration • Often identifying accessible data is secondary goal Slide: 6

  7. Overview of White Hat Methodologies • Goals – No downtime for the customer • DoS usually not allowed • Even if it facilitates access via reboot, etc. – No modifications • Typically can’t change: – Customer source code – Databases – Testing the response and detection mechanisms • Did the IDS catch us? Did they do anything? Slide: 7

  8. Overview of White Hat Methodologies • Information Gathering – Heavy focus on scans • Massive NMAPs / Nessus normal – Some overlap with Black Hat's • DNS / Domain lookup records • Google hacking • Personnel googling – Less concern for detection Slide: 8

  9. Overview of White Hat Methodologies • Vulnerability Assessment – Almost always automated scanners • Detectable & fingerprintable – Often a guess at potential vulnerability – Focus on risk & threat analysis • Vulnerability Consequences – How does this hurt client business – Do they stand to lose money / customers? – How likely is attack to occur Slide: 9

  10. Overview of White Hat Methodologies • Exploitation – Download and run exploits from milworm • Now defunct • How many pen test shops does this put out of business? – Securiteam & Security Focus – Core Impact / Canvas / Metasploit – Match up with nessus results – Usually no testing, run live against customer Slide: 10

  11. Overview of White Hat Methodologies • Data Collection – Screenshots – Sample documents • Just enough to prove access – No Analysis of attack paths – No prolonged infiltration • No long term sniffing / keylogging Slide: 11

  12. Overview of Black Hat Methodologies Slide: 12

  13. Overview of Black Hat Methodologies • Goals – Wide ranging – Data, not just access focused – Targeting specific trusts • People weakest link in trust chains – Semi-unrelated access that may provide stepping stone • 6 degrees of separation • Any box on any network 6 degrees away from true target Slide: 13

  14. Overview of Black Hat Methodologies • Goals – Access to source • Let THEM do the hacking for you – They infect their own systems with backdoored updates • Source enables more assets – Example: • Target runs wordpress • Black Hat owns wordpress source server • Audit & Backdoor code • Surefire ownage of ultimate target in time Slide: 14

  15. Overview of Black Hat Methodologies • Information Gathering – Nothing is off limits – If needed info resides on un- related box its still in scope – Social networking – Call up target and ask for info • Call targets friends, co workers, family Slide: 15

  16. Overview of Black Hat Methodologies • Vulnerability Assessment – Attacker’s often know what’s vulnerable ahead of time • No need for noisy scans – More efficient method than white hat’s trial & error – Stolen source code • Trojaned • Audited for 0days Slide: 16

  17. Overview of Black Hat Methodologies • Vulnerability Assessment – Non-traditional vulnerabilities – Example: • Software distro & licensing application • In house written by target • Installed on every computer • Runs with domain admin account privileges • Password changed every x min time interval – Accessible clear text in memory with debugger • Domain admin access to any machine for x minutes Slide: 17

  18. Overview of Black Hat Methodologies • Exploitation – 0 Days • Often only used when public bugs don't work • Avoid risking burning unpublished bug if possible – Usually interception from another box is better – Ex. Metasploit usually waits for 0day to become public before trunking – Wait till bug becomes 1day then blend in with worm traffic Slide: 18

  19. Overview of Black Hat Methodologies • Data Targets – Mail spools – Backup files – Database dumps – Sniffer logs – Keystrokes and chat logs – Access tokens • Crypto keys, kerberos tickets, windows domain tokens – Targets of opportunity • Maybe data xyz is the goal but abc is found more valuable Slide: 19

  20. Overview of Black Hat Methodologies • Data Theft – Client Injection / Exploitation • Vulnerable Client Applications – BSD IRC client exploit • Browsers – Grab sensitive data in browser POST » Before its SSL encrypted on screen keyboards = useless – Backdoors • Access Points • Services • Utilities Slide: 20

  21. Attackers vs. Defenders Slide: 21

  22. Attackers vs. Defenders • Defenders : • Attackers : – Limited resources – Unlimited resources – Limited time – Unlimited time – Rules of engagement – On a long enough timeline everything gets owned – Consequences based on – If attacker targets you, odds performance of success increase over time • If a pen tester never gets in, they stop getting hired – No consequences to not – Motivation getting in – Little to no rules – Motivation Slide: 22

  23. Attackers vs. Defenders • White Hats usually • Black Hats usually assigned limited know one piece of block of IP information and addresses have to expand from there • Unable to go – Domain Name beyond the scope – Email address of approved list Slide: 23

  24. Attackers vs. Defenders • Black Hats need techniques for discovering target related IPs and client side info – News group mail header harvesting – Proxy log analysis site mining – Backscatter spam – Botsvsbrowsers Slide: 24

  25. You know the target’s domain name Look at the IP range Unlikely to be the target’s operational LAN Slide: 25

  26. Searching newsgroup postings for the target domain yields an email bounce with headers Header shows the IP the email was sent from Likely to be the target LAN or a home IP of a user on the target LAN (vpn maybe?) Sometimes the headers in mailing list posts themselves have the same info Slide: 26

  27. Check the IP the email came from Totally different network, in the target country Slide: 27

  28. Search for file types associated with mail boxes to gather client side information Slide: 28

  29. Slide: 29

  30. Botsvsbrowsers gives you by IP address client information such as browser and operating system Slide: 30

  31. Some sites have exposed squid proxy log analysis pages In this view you can see some hostnames and internal IP addresses Slide: 31

  32. This view shows userIDs and traffic quantities Slide: 32

  33. This view shows addresses a particular user is browsing to Slide: 33

  34. This view shows internal IP addresses Slide: 34

  35. Shows what Antivirus program the target is running and how often they update Slide: 35

  36. Shows that target is running Microsoft windows and gives hints as to what updates are being installed as well as frequency of update Slide: 36

  37. Analysis of Black Hat Techniques in the Wild Slide: 37

  38. Profiling • How White Hats get • How Black Hats assigned Targets: Choose Targets: – "Only touch xyz – Source code devs hosts, don't touch – Pen testers abc, those are – Researchers production“ – Maintain Control – "Hosts 123 we – May not yield access already know are immediately vulnerable, don't worry about those" Slide: 38

  39. Analysis of Black Hat Techniques in the Wild • Environment Modeling & Testing – White hats test attacks against clients – We have seen whole environments mirrored – Base mock up on info gathering • Match OS, hardware, patch levels, applications • Virtualization up to real hardware • Exploit Development – Black Hats write them – White Hats use them Slide: 39

Recommend

Black Hats can also benefit from Formal Methods jean-louis.lanet@inria.fr PROOF 2015 Saint

Black Hats can also benefit from Formal Methods jean-louis.lanet@inria.fr PROOF 2015 Saint

Black Hats can also benefit from Formal Methods jean-louis.lanet@inria.fr PROOF 2015 Saint Malo, September the 28th 1 Agenda Retro-futurism, Retrieving keys, Vulnerability analysis Fault enabled malware Conclusion 2 ZB

633 views • 37 slides
Many Hats The Many Hats of a Major Gifts Development Officer Introduction Why fundraising?

Many Hats The Many Hats of a Major Gifts Development Officer Introduction Why fundraising?

Many Hats The Many Hats of a Major Gifts Development Officer Introduction Why fundraising? "For small creatures such as we the vastness is bearable only through love." -Carl Sagan The Big Gift The Big Gift 2 year, 8 month

610 views • 28 slides
HATS Project Overview and Introduction Reiner Hhnle Technische Universitt Darmstadt HATS

HATS Project Overview and Introduction Reiner Hhnle Technische Universitt Darmstadt HATS

HATS Project Overview and Introduction Reiner Hhnle Technische Universitt Darmstadt HATS Annual Review Meeting 2012 http://www.hats-project.eu Reiner Hhnle HATS Project Overview and Introduction Annual Review Meeting 2012 1 / 26 HATS

540 views • 33 slides
HATs off to DAWN? Simon Rudge. VTE Nurse. Hospital Acquired Thrombosis (HAT) The process ~650

HATs off to DAWN? Simon Rudge. VTE Nurse. Hospital Acquired Thrombosis (HAT) The process ~650

HATs off to DAWN? Simon Rudge. VTE Nurse. Hospital Acquired Thrombosis (HAT) The process ~650 scans ~130 positive ~30 HATs X ref 64 fields. 37 manual data entry. DVT Clinic Surgery aug 14 #POP THR 7/52 Yes The RCA Additional

478 views • 8 slides
Modeling Spatial and Temporal Variability with the HATS Abstract Behavioral Modeling Language Ina

Modeling Spatial and Temporal Variability with the HATS Abstract Behavioral Modeling Language Ina

Modeling Spatial and Temporal Variability with the HATS Abstract Behavioral Modeling Language Ina Schaefer Technische Universit at Braunschweig, Germany 18 June 2011 http://www.hats-project.eu I. Schaefer SFM-11:CONNECT 0 / 60

942 views • 82 slides
HATS: Highly Adaptable & Trustworthy Software Using Formal Models Reiner H ahnle

HATS: Highly Adaptable & Trustworthy Software Using Formal Models Reiner H ahnle

Titlepage HATS: Highly Adaptable & Trustworthy Software Using Formal Models Reiner H ahnle Chalmers University of Technology, Gothenburg, Sweden Sophia-Antipolis, 23 October 2008 R. H ahnle HATS: Adaptable & Trustworthy

563 views • 28 slides
WHA HATS I IN N A WORD RD? Explicit Vocabulary Instruction in the ABE, ASE, and CTE

WHA HATS I IN N A WORD RD? Explicit Vocabulary Instruction in the ABE, ASE, and CTE

WHA HATS I IN N A WORD RD? Explicit Vocabulary Instruction in the ABE, ASE, and CTE Classrooms TODA DAYS A AGENDA DA Welcomes + Poll Objectives for T odays Session Vocabulary, Comprehension, and Learning

765 views • 39 slides
Of Hats and Islandora T h e T u q u e S t o r y 1 Who is this guy? Jonathan Green Chief

Of Hats and Islandora T h e T u q u e S t o r y 1 Who is this guy? Jonathan Green Chief

Of Hats and Islandora T h e T u q u e S t o r y 1 Who is this guy? Jonathan Green Chief Technology Officer at jonathan@discoverygarden.ca twitter: @jonawesomegreen slides: http://bit.ly/1atrzte 2 3 Overview 4 Links

344 views • 22 slides
WHA HATS T THE HE DE DEAL W AL WITH TH FOOD WAS ASTE TE? A third of all food produced

WHA HATS T THE HE DE DEAL W AL WITH TH FOOD WAS ASTE TE? A third of all food produced

WHA HATS T THE HE DE DEAL W AL WITH TH FOOD WAS ASTE TE? A third of all food produced for human consumption is wasted. In the UK alone more than 10 million tonnes of food, worth over 20 billion, is wasted throughout the supply chain

644 views • 9 slides
DISCUSSION TOPICS Wha hats s t the he R Risk? k? Understanding what it means

DISCUSSION TOPICS Wha hats s t the he R Risk? k? Understanding what it means

DISCUSSION TOPICS Wha hats s t the he R Risk? k? Understanding what it means for your LCO to engage in fixed anchor replacement High level overview of a potential claim against an LCO Volunteers conducting fixed anchor

328 views • 14 slides
Three Days Living In The Digital First World Beyond the Bio Many different hats in 25 years

Three Days Living In The Digital First World Beyond the Bio Many different hats in 25 years

Three Days Living In The Digital First World Beyond the Bio Many different hats in 25 years in newspapers Sports Writer District Sales Manager Zone Manager Home Delivery Manager Assistant Circulation Director Director

484 views • 32 slides
NEW NFPA STANDARDS EXPLAINED Hot & Cold Aisle Containment Wha hats di s di fff er

NEW NFPA STANDARDS EXPLAINED Hot & Cold Aisle Containment Wha hats di s di fff er

Cary Frame, President NEW NFPA STANDARDS EXPLAINED Hot & Cold Aisle Containment Wha hats di s di fff er erent: r ent: rooms within a r ooms within a room oom Sources of Confusion NFP NFPA A 2013 NFPA 75 Covers Aisle

512 views • 12 slides
Guardianship; Turning 18 w hats next? Making the decision; Understanding the process Learning

Guardianship; Turning 18 w hats next? Making the decision; Understanding the process Learning

Supporting Arizona families of children with disabilities or special health needs Guardianship; Turning 18 w hats next? Making the decision; Understanding the process Learning Objectives Participants will learn: Guardianship,

720 views • 41 slides
Verifying Transformation Rules of the HATS High-Assurance Transformation System: An Approach

Verifying Transformation Rules of the HATS High-Assurance Transformation System: An Approach

Verifying Transformation Rules of the HATS High-Assurance Transformation System: An Approach Steve Roach Fares Fraij Department of Computer Science The University of Texas at El Paso Fifth International Workshop on the ACL2 Theorem

299 views • 17 slides
Ansible and OpenShift: Red Hats Celebrity Marriage Til Death Do We Part Joshua jag

Ansible and OpenShift: Red Hats Celebrity Marriage Til Death Do We Part Joshua jag

Ansible and OpenShift: Red Hats Celebrity Marriage Til Death Do We Part Joshua jag Ginsberg - jag@redhat.com @j00bar (those are zeroes) Chief Architect - Management Platform Engineering 2 (graphic by Leigh Ann Ivey) (graphic by

1.01k views • 32 slides
The Beauty and the Beast Vulnerabilities in Red Hats Packages Stephan Neuhaus

The Beauty and the Beast Vulnerabilities in Red Hats Packages Stephan Neuhaus

The Beauty and the Beast Vulnerabilities in Red Hats Packages Stephan Neuhaus <Stephan.Neuhaus@disi.unitn.it> Thomas Zimmermann <tzimmer@microsoft.com> Vulnerabilities are important because fixing them costs a lot of money (2005

1.9k views • 73 slides
Workshop J Is Safety One of Your Many Hats? Keys for Safety Success Tuesday, March 21, 2017

Workshop J Is Safety One of Your Many Hats? Keys for Safety Success Tuesday, March 21, 2017

Workshop J Is Safety One of Your Many Hats? Keys for Safety Success Tuesday, March 21, 2017 11:15 a.m. to 12:30 p.m. Biographical Information Randy Miller, Sr. EHS Specialist AECOM, 1300 East 9 th St., Cleveland, OH 44114 216-523-3320

487 views • 24 slides
Six Thinking Hats Emotions, feeling, hunches, intuition, likes RED HAT and dislikes How do I

Six Thinking Hats Emotions, feeling, hunches, intuition, likes RED HAT and dislikes How do I

Six Thinking Hats Emotions, feeling, hunches, intuition, likes RED HAT and dislikes How do I feel about Think of: this? Fire and warmth What do I like about the idea? Questions to ask: What dont I like 1. What do you like about about

557 views • 9 slides
When USB devices attack Manchester Grey Hats PRESENTED BY: Tim Wilkes @mcrgreyhats Disclaimer:

When USB devices attack Manchester Grey Hats PRESENTED BY: Tim Wilkes @mcrgreyhats Disclaimer:

When USB devices attack Manchester Grey Hats PRESENTED BY: Tim Wilkes @mcrgreyhats Disclaimer: Please dont be a dick. I accept no responsibility. Ever. For Anything. 1997 was not a good year... Windows 95 OSR 2.5 came out

606 views • 23 slides
Selling out vs. Scaling up Software buyers findings & The 3 hats Paddy MccGwire, Managing

Selling out vs. Scaling up Software buyers findings & The 3 hats Paddy MccGwire, Managing

Selling out vs. Scaling up Software buyers findings & The 3 hats Paddy MccGwire, Managing Director E: pm@silverpeakib.com T: +44 (0) 20 7659 0310 London, 31 st January 2018 LONDON | PARIS | MILAN | HAMBURG | MUNICH | BERLIN Silverpeak

335 views • 7 slides
Black Hole Thermodynamics Robert M. Wald I. Black Holes; Event Horizons and Killing Horizons II.

Black Hole Thermodynamics Robert M. Wald I. Black Holes; Event Horizons and Killing Horizons II.

Black Hole Thermodynamics Robert M. Wald I. Black Holes; Event Horizons and Killing Horizons II. The First Law of Black Hole Mechanics and Black Hole Entropy III. Dynamic and Thermodynamic Stability of Black Holes IV. Quantum Aspects of Black

1.74k views • 116 slides
Wearing Many Hats: Tips to Take Your Small Shop to Big Funds Presented by Kelton Artuso, Alex

Wearing Many Hats: Tips to Take Your Small Shop to Big Funds Presented by Kelton Artuso, Alex

Wearing Many Hats: Tips to Take Your Small Shop to Big Funds Presented by Kelton Artuso, Alex McCray and Georganna Woods October 10, 2018 Learning Outcomes Participants will gain: Insight on successful fundraising tips utilized by

453 views • 33 slides
Six Thinking Hats Decision Making: . . . Metalevel Heuristic Methodology: Acknowledgments

Six Thinking Hats Decision Making: . . . Metalevel Heuristic Methodology: Acknowledgments

Overview Natural First Steps in . . . Decision Making: . . . Six Thinking Hats Decision Making: . . . Metalevel Heuristic Methodology: Acknowledgments Towards a Reference Home Page Fuzzy-Logic-Based Title Page Explanation

121 views • 8 slides
Design Quality Assessment in Practice my two hats... Radu Marinescu radum@cs.upt.ro

Design Quality Assessment in Practice my two hats... Radu Marinescu radum@cs.upt.ro

Design Quality Assessment in Practice my two hats... Radu Marinescu radum@cs.upt.ro http://www.intooitus.com/ Associate Professor Co-Founder and Head since 2006 since 2003 Co-Founder (2008) 1 1 Assessment with metrics Assessment with

519 views • 21 slides

More recommend