SlideShare uma empresa Scribd logo

Attacker Ghost Stories - ShmooCon 2014

Rob Fuller
Rob Fuller

Talk that I gave at ShmooCon 2014 in the One Track Mind track.

Tecnologia
1 de 58
Baixar para ler offline
Attacker Ghost Stories Mostly free defenses that give attackers nightmares
20
Invoking HD. Moore Mode
About me... Mubix “Rob” Fuller Father Husband NoVA Hacker Marine o  o  o  o 
Why are we here?
Untitled Slide
Untitled Slide
Attribution Slide
Attribution Retribution Slide
Attribution Retribution Slide
Why are we here?
Why are we here? o  We want to learn how to attack or defend better. o  We want to hang out in “Lobby Con” o  We want to test our skills against the badge contest, GITS, Wireless CTF or Hack Fortress o  We are afraid of Heidi’s wrath if we don’t show up (staff) o  4 the lulz
I’m a security tree hugger. I’m here to make the world a better place.
Lets share the commonalities of attacks, and care about the effectiveness of our defenses.
EMET (Enhanced Mitigation Experience Toolkit) What is EMET? o  http://www.microsoft.com/emet o  Think of it like a big bouncer that protects any kind of memory funny business, but only for things you tell it to protect Deployable by GPO Logs FREE o  o  o 
Protections
What about EMET bypasses? http://goo.gl/QrJZdd
Another good resource about EMET http://goo.gl/ELlBsi
Block Java UA at the Proxy o Java apps (exploits) require the use of Java, which uses it’s own User-Agent STEP 1
Internet Explorer User Agent Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/ 4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MS-RTC LM 8; InfoPath.3; .NET4.0C; .NET4.0E) chromeframe/8.0.552.224
Block Java UA at the Proxy Examples: JNLP/6.0 javaws/1.6.0_29 Java/1.6.0_26 Mozilla/4.0 (Windows 7 6.1) Java/ 1.7.0_45
Block Java UA at the Proxy o Java apps (exploits) require the use of Java, which uses it’s own User-Agent STEP 2
Block Java UA at the Proxy o Java apps (exploits) require the use of Java, which uses it’s own User-Agent STEP 3 This never happens if they can’t pull the code!
Block Java UA at the Proxy o Java apps (exploits) require the use of Java, which uses it’s own User-Agent Pull a report of every domain your users went to using the Java User-Agent. Parse the list and make them the exclusions. FREE Stops java exploits loaded by a browser. Attacker cannot modify UA pre-exploit o  o  o  o 
Update: Block Java UA at the Proxy And according to “Z” this works for SSL too http://goo.gl/4mtwqN
Block Java UA at the Proxy Oh yea, it protects Macs too…
Logging / Vuln Scanning / AV / HIPS o PWDump removed on an internal IIS box doesn’t mean the job is done. Logon alerting - ADAudit Plus (only product in this presentation simply because I can’t find anyone else who does it) (Netwrix?) HIPS (enable the prevention part) Vuln Scanning is what a tool does. Lets start Vuln Reporting. Get your pentester/red team involved! o  o  o  o 
Crowdsourcing Security Security Incident / Phishing Incentive Program Reward “top” users for reporting malicious or “phishy” content. Make a big deal out of it (company / section wide emails) Every employee becomes an IDS Quarterly “Think Evil” games o  o  o  o 
Crowdsourcing Security Internal Bug Bounty Program Developers Developers Developers …. Incorporate the entire company though, if anyone reports a bug in a system they don’t own, they’ll be entered in the bounty. o  o  o Make it _EASY_ o Payout in gift cards instead of incident response and forensics
Port-forwarding Honeypots If you have public IP space, use it. 1.  Spin up a VPS (Like Linode) 2.  Add vulnerable looking software to the VPS 3.  Install snort / other sensor on the VPS 4.  Port forward 80, 1433, etc on your IP to the VPS via your firewall. 5.  Watch as attacks roll in without endangering your infrastructure at all. Note: Don’t share passwords from real infrastructure to VPS.
WPAD My _favorite_ vulnerability:
WPAD o Make null routed (127.0.0.1) DNS entry for WPAD Make null routed (::1) for DNS entry WPADWPADWPAD Disable NetBIOS resolution domain wide. Your DNS servers can handle it. It’s also a privacy concern NetBIOS traffic is broadcasted to everyone FREE o  o  o  o 
DNS o There is no reason a user needs to resolve Google.com internally Let your web proxies do all the DNS FREE Turn off forward lookups on your internal DNS servers. Point your proxies at DNS servers that only they are allowed to use. o  o  o  o 
Dump your own hashes!
Dump your own hashes! o Crackers o  o  John the Ripper Rockyou.txt o Dumpers o  o  o  o  Depends… Goes back to the, “don’t use code you don’t trust”. List by Bernardo Damele - http://goo.gl/wDpJHc Ask your Pentesters/Red Teamers to do the dump and maybe even the audit. They will jump at it. o  (under supervision)
Authenticated Splash Proxies o Use a web form with fields other than “username=” and “password=” Block all “uncategorized” Splash page requirement (every domain is blocked every day, first person to go to the page is shown a big red button that says “approve this domain”) any automated C2 will fail. o  o 
Authenticated Splash Proxies THIS DOMAIN HAS BEEN BLOCKED! Don’t worry, this could be the first time today someone is attempting to go there. Click on “UNBLOCK” to ALLOW THIS DOMAIN THROUGH UNBLOCK BLOCK
Evil Canaries o  Domain User called “DomainAdmin_Temp” with password in the description, and actually in Domain Admins group. Logon hours was 0. CAUGHT o  Public share called “Password Audit 2014”, EXLS docs about 4 MB, but “Everyone:Deny” permission. CAUGHT o  Computer called BACKUPDB, with out of date version of MySQL on Windows. CAUGHT
Evil Canaries o  Web developer made .htaccess file forward common scanner (ala /nikto.html) requests to custom 402 (Payment Required) page, correlated hits and alerted. CAUGHT o  Credit card database: http:// www.getcreditcardnumbers.com/ CAUGHT o  VPN main page edited to include “default” credentials in HTML source. CAUGHT
Evil Canaries o  Web server had /admin/login.html and supposedly tied to AD which always returned “SUCCESS” but didn’t do anything except, report what creds were used, browser and IP information. CAUGHT o  Machine that does absolutely nothing, saw traffic to port 23 (not listening). CAUGHT
Tell your helpdesk! o Most of your actionable security alerts go through your helpdesk. Stop leaving them out of the loop. o 
Thank you •  Heidi & Bruce •  Shmoo Staff •  And the countless people who listened to me practice this talk ahead of time in prep for today.
Contact Me Rob Fuller @mubix Blog - http://www.room362.com/ Wiki - http://pwnwiki.io/ Email - mubix@hak5.org Campfire image from http://campfirewtx.org/wp-content/uploads/2013/11/campfire-pic.jpg
Appendix I - Psychology The attacker is on your turf. Hackers freeze when they think they are caught. Nation states have “visibility assessment protocols” that take time. The more you can cause a visibility score to go up either by perceived or actual detection will cause more intelligence opportunities on the defence side.
Appendix II - Other free wins o  Monitor anything that is tied to AD and is accessible from the Internet. OWA / MDM / SharePoint / VPN, or your web site. o  Baseline internal network traffic. Spider patterns mean scanning. o  MAC addresses that aren’t in the same OUI class should be investigated. (DELL/HP/ Wewei)
Appendix II - Other free wins o  Allow users a way to specify when they are on vacation. Or integrate your vacation system with the authentication alerting system. If the user isn’t there, there shouldn’t be authenticating to anything be email and maybe the VPN for you workaholics.

Recomendados

Practical Exploitation - Webappy Style
Practical Exploitation - Webappy StylePractical Exploitation - Webappy Style
Practical Exploitation - Webappy Style
Rob Fuller
 
Writing malware while the blue team is staring at you
Writing malware while the blue team is staring at youWriting malware while the blue team is staring at you
Writing malware while the blue team is staring at you
Rob Fuller
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new black
Rob Fuller
 
RIT 2009 Intellectual Pwnership
RIT 2009 Intellectual PwnershipRIT 2009 Intellectual Pwnership
RIT 2009 Intellectual Pwnership
Rob Fuller
 
A @textfiles approach to gathering the world's DNS
A @textfiles approach to gathering the world's DNSA @textfiles approach to gathering the world's DNS
A @textfiles approach to gathering the world's DNS
Rob Fuller
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassThe Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
Rob Fuller
 
NotaCon 2011 - Networking for Pentesters
NotaCon 2011 - Networking for PentestersNotaCon 2011 - Networking for Pentesters
NotaCon 2011 - Networking for Pentesters
Rob Fuller
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Rob Fuller
 

Recomendados

Practical Exploitation - Webappy Style
Practical Exploitation - Webappy StylePractical Exploitation - Webappy Style
Practical Exploitation - Webappy Style
Rob Fuller
 
Writing malware while the blue team is staring at you
Writing malware while the blue team is staring at youWriting malware while the blue team is staring at you
Writing malware while the blue team is staring at you
Rob Fuller
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new black
Rob Fuller
 
RIT 2009 Intellectual Pwnership
RIT 2009 Intellectual PwnershipRIT 2009 Intellectual Pwnership
RIT 2009 Intellectual Pwnership
Rob Fuller
 
A @textfiles approach to gathering the world's DNS
A @textfiles approach to gathering the world's DNSA @textfiles approach to gathering the world's DNS
A @textfiles approach to gathering the world's DNS
Rob Fuller
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassThe Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
Rob Fuller
 
NotaCon 2011 - Networking for Pentesters
NotaCon 2011 - Networking for PentestersNotaCon 2011 - Networking for Pentesters
NotaCon 2011 - Networking for Pentesters
Rob Fuller
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Rob Fuller
 
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - [ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
Zoltan Balazs
 
Attacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkAttacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit Framework
Chris Gates
 
Metasploit magic the dark coners of the framework
Metasploit magic the dark coners of the frameworkMetasploit magic the dark coners of the framework
Metasploit magic the dark coners of the framework
Rob Fuller
 
Think Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsThink Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack Vectors
Mark Ginnebaugh
 
Zombilizing The Web Browser Via Flash Player 9
Zombilizing The Web Browser Via Flash Player 9Zombilizing The Web Browser Via Flash Player 9
Zombilizing The Web Browser Via Flash Player 9
thaidn
 
BSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be HuntedBSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be Hunted
Alex Davies
 
Attacking Big Data Land
Attacking Big Data LandAttacking Big Data Land
Attacking Big Data Land
Jeremy Brown
 
Introducing PS>Attack: An offensive PowerShell toolkit
Introducing PS>Attack: An offensive PowerShell toolkitIntroducing PS>Attack: An offensive PowerShell toolkit
Introducing PS>Attack: An offensive PowerShell toolkit
jaredhaight
 
Flash it baby!
Flash it baby!Flash it baby!
Flash it baby!
Soroush Dalili
 
How to convince a malware to avoid us
How to convince a malware to avoid usHow to convince a malware to avoid us
How to convince a malware to avoid us
Csaba Fitzl
 
Docker Plugin For DevSecOps
Docker Plugin For DevSecOpsDocker Plugin For DevSecOps
Docker Plugin For DevSecOps
Pichaya Morimoto
 
Hacking the future with USB HID
Hacking the future with USB HIDHacking the future with USB HID
Hacking the future with USB HID
Nikhil Mittal
 
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
RootedCON
 
Unsecuring SSH
Unsecuring SSHUnsecuring SSH
Unsecuring SSH
Jeremy Brown
 
Hacking Windows 95 #33c3
Hacking Windows 95 #33c3Hacking Windows 95 #33c3
Hacking Windows 95 #33c3
Zoltan Balazs
 
44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?
44CON
 
Advances in BeEF - AthCon2012
Advances in BeEF - AthCon2012Advances in BeEF - AthCon2012
Advances in BeEF - AthCon2012
Michele Orru
 
Cloud forensics putting the bits back together
Cloud forensics putting the bits back togetherCloud forensics putting the bits back together
Cloud forensics putting the bits back together
Shakacon
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
bugcrowd
 
20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms
Csaba Fitzl
 
Intro to White Chapel
Intro to White ChapelIntro to White Chapel
Intro to White Chapel
Rob Fuller
 
Classification Station
Classification StationClassification Station
Classification Station
Jake Kotter
 

Mais conteúdo relacionado

Mais procurados

[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - [ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
Zoltan Balazs
 
Attacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkAttacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit Framework
Chris Gates
 
Metasploit magic the dark coners of the framework
Metasploit magic the dark coners of the frameworkMetasploit magic the dark coners of the framework
Metasploit magic the dark coners of the framework
Rob Fuller
 
Think Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsThink Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack Vectors
Mark Ginnebaugh
 
Attacking Big Data Land
Attacking Big Data LandAttacking Big Data Land
Attacking Big Data Land
Jeremy Brown
 
Flash it baby!
Flash it baby!Flash it baby!
Flash it baby!
Soroush Dalili
 
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
RootedCON
 
Unsecuring SSH
Unsecuring SSHUnsecuring SSH
Unsecuring SSH
Jeremy Brown
 
Advances in BeEF - AthCon2012
Advances in BeEF - AthCon2012Advances in BeEF - AthCon2012
Advances in BeEF - AthCon2012
Michele Orru
 
20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms
Csaba Fitzl
 

Mais procurados (20)

[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - [ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
 
Attacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkAttacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit Framework
 
Metasploit magic the dark coners of the framework
Metasploit magic the dark coners of the frameworkMetasploit magic the dark coners of the framework
Metasploit magic the dark coners of the framework
 
Think Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsThink Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack Vectors
 
Zombilizing The Web Browser Via Flash Player 9
Zombilizing The Web Browser Via Flash Player 9Zombilizing The Web Browser Via Flash Player 9
Zombilizing The Web Browser Via Flash Player 9
 
BSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be HuntedBSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be Hunted
 
Attacking Big Data Land
Attacking Big Data LandAttacking Big Data Land
Attacking Big Data Land
 
Introducing PS>Attack: An offensive PowerShell toolkit
Introducing PS>Attack: An offensive PowerShell toolkitIntroducing PS>Attack: An offensive PowerShell toolkit
Introducing PS>Attack: An offensive PowerShell toolkit
 
Flash it baby!
Flash it baby!Flash it baby!
Flash it baby!
 
How to convince a malware to avoid us
How to convince a malware to avoid usHow to convince a malware to avoid us
How to convince a malware to avoid us
 
Docker Plugin For DevSecOps
Docker Plugin For DevSecOpsDocker Plugin For DevSecOps
Docker Plugin For DevSecOps
 
Hacking the future with USB HID
Hacking the future with USB HIDHacking the future with USB HID
Hacking the future with USB HID
 
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
 
Unsecuring SSH
Unsecuring SSHUnsecuring SSH
Unsecuring SSH
 
Hacking Windows 95 #33c3
Hacking Windows 95 #33c3Hacking Windows 95 #33c3
Hacking Windows 95 #33c3
 
44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?
 
Advances in BeEF - AthCon2012
Advances in BeEF - AthCon2012Advances in BeEF - AthCon2012
Advances in BeEF - AthCon2012
 
Cloud forensics putting the bits back together
Cloud forensics putting the bits back togetherCloud forensics putting the bits back together
Cloud forensics putting the bits back together
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
 
20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms
 

Destaque

Classification Station
Classification StationClassification Station
Classification Station
Jake Kotter
 
The COCH project
The COCH projectThe COCH project
The COCH project
askroll
 
Mobile Marketing
Mobile MarketingMobile Marketing
Mobile Marketing
saafro
 
Marketing management
Marketing managementMarketing management
Marketing management
sutrisno2629
 
Presentation1[1]
Presentation1[1]Presentation1[1]
Presentation1[1]
elsiegel
 
Paradox Of Our Times
Paradox Of Our TimesParadox Of Our Times
Paradox Of Our Times
sutrisno2629
 

Destaque (20)

Intro to White Chapel
Intro to White ChapelIntro to White Chapel
Intro to White Chapel
 
Classification Station
Classification StationClassification Station
Classification Station
 
The COCH project
The COCH projectThe COCH project
The COCH project
 
Mobile Marketing
Mobile MarketingMobile Marketing
Mobile Marketing
 
The Changing Landscape of Public Relations
The Changing Landscape of Public RelationsThe Changing Landscape of Public Relations
The Changing Landscape of Public Relations
 
Software development is hard
Software development is hardSoftware development is hard
Software development is hard
 
6. Games
6. Games6. Games
6. Games
 
Listings Update
Listings UpdateListings Update
Listings Update
 
Marketing management
Marketing managementMarketing management
Marketing management
 
Anger
AngerAnger
Anger
 
Self-Defense and the Roots of Black Power
Self-Defense and the Roots of Black PowerSelf-Defense and the Roots of Black Power
Self-Defense and the Roots of Black Power
 
Presentation1[1]
Presentation1[1]Presentation1[1]
Presentation1[1]
 
Innovating
InnovatingInnovating
Innovating
 
Public Transport vs. Cars in Suburban Areas
Public Transport vs. Cars in Suburban AreasPublic Transport vs. Cars in Suburban Areas
Public Transport vs. Cars in Suburban Areas
 
3. Transformatie
3. Transformatie3. Transformatie
3. Transformatie
 
Callme
CallmeCallme
Callme
 
Paradox Of Our Times
Paradox Of Our TimesParadox Of Our Times
Paradox Of Our Times
 
Benvinguda al curs de Perl
Benvinguda al curs de PerlBenvinguda al curs de Perl
Benvinguda al curs de Perl
 
December 2009 TeachStreet Teacher Webinar & Meet-up
December 2009 TeachStreet Teacher Webinar & Meet-upDecember 2009 TeachStreet Teacher Webinar & Meet-up
December 2009 TeachStreet Teacher Webinar & Meet-up
 
Becoming Accidental Entrepreneurs
Becoming Accidental Entrepreneurs Becoming Accidental Entrepreneurs
Becoming Accidental Entrepreneurs
 

Semelhante a Attacker Ghost Stories - ShmooCon 2014

Rob "Mubix" Fuller: Attacker Ghost Stories
Rob "Mubix" Fuller: Attacker Ghost StoriesRob "Mubix" Fuller: Attacker Ghost Stories
Rob "Mubix" Fuller: Attacker Ghost Stories
Area41
 
Dev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT SecurityDev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT Security
Mario Heiderich
 
DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity
George Boobyer
 
Phd III - defending enterprise
Phd III - defending enterprise Phd III - defending enterprise
Phd III - defending enterprise
F _
 
Cloud adoption fails - 5 ways deployments go wrong and 5 solutions
Cloud adoption fails - 5 ways deployments go wrong and 5 solutionsCloud adoption fails - 5 ways deployments go wrong and 5 solutions
Cloud adoption fails - 5 ways deployments go wrong and 5 solutions
Yevgeniy Brikman
 
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
44CON
 
Web Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your websiteWeb Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your website
Andrew Sorensen
 
Keynote fx try harder 2 be yourself
Keynote fx try harder 2 be yourselfKeynote fx try harder 2 be yourself
Keynote fx try harder 2 be yourself
DefconRussia
 

Semelhante a Attacker Ghost Stories - ShmooCon 2014 (20)

Rob "Mubix" Fuller: Attacker Ghost Stories
Rob "Mubix" Fuller: Attacker Ghost StoriesRob "Mubix" Fuller: Attacker Ghost Stories
Rob "Mubix" Fuller: Attacker Ghost Stories
 
Dev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT SecurityDev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT Security
 
Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015
 
Malware's Most Wanted: How to tell BADware from adware
Malware's Most Wanted: How to tell BADware from adwareMalware's Most Wanted: How to tell BADware from adware
Malware's Most Wanted: How to tell BADware from adware
 
Ransomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itRansomware - what is it, how to protect against it
Ransomware - what is it, how to protect against it
 
Ultimate Guide to Setup DarkComet with NoIP
Ultimate Guide to Setup DarkComet with NoIPUltimate Guide to Setup DarkComet with NoIP
Ultimate Guide to Setup DarkComet with NoIP
 
Step by Step on How to Setup DarkComet
Step by Step on How to Setup DarkCometStep by Step on How to Setup DarkComet
Step by Step on How to Setup DarkComet
 
Thinking Outside the Sand[box]
Thinking Outside the Sand[box]Thinking Outside the Sand[box]
Thinking Outside the Sand[box]
 
DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity
 
Bug Bounty #Defconlucknow2016
Bug Bounty #Defconlucknow2016Bug Bounty #Defconlucknow2016
Bug Bounty #Defconlucknow2016
 
PLNOG16: Ochrona AntiDDoS, lokalnie oraz w chmurze, Paweł Wachełka
PLNOG16: Ochrona AntiDDoS, lokalnie oraz w chmurze, Paweł WachełkaPLNOG16: Ochrona AntiDDoS, lokalnie oraz w chmurze, Paweł Wachełka
PLNOG16: Ochrona AntiDDoS, lokalnie oraz w chmurze, Paweł Wachełka
 
Phd III - defending enterprise
Phd III - defending enterprise Phd III - defending enterprise
Phd III - defending enterprise
 
Cloud adoption fails - 5 ways deployments go wrong and 5 solutions
Cloud adoption fails - 5 ways deployments go wrong and 5 solutionsCloud adoption fails - 5 ways deployments go wrong and 5 solutions
Cloud adoption fails - 5 ways deployments go wrong and 5 solutions
 
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
 
Teensy Programming for Everyone
Teensy Programming for EveryoneTeensy Programming for Everyone
Teensy Programming for Everyone
 
Things that go bump on the web - Web Application Security
Things that go bump on the web - Web Application SecurityThings that go bump on the web - Web Application Security
Things that go bump on the web - Web Application Security
 
Embedded government espionage
Embedded government espionageEmbedded government espionage
Embedded government espionage
 
Web Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your websiteWeb Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your website
 
Keynote fx try harder 2 be yourself
Keynote fx try harder 2 be yourselfKeynote fx try harder 2 be yourself
Keynote fx try harder 2 be yourself
 
Two-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for EveryoneTwo-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for Everyone
 

Mais de Rob Fuller

As The Phish Turns
As The Phish TurnsAs The Phish Turns
As The Phish Turns
Rob Fuller
 

Mais de Rob Fuller (7)

Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?
 
KiwiCon 2016 - Kicking Orion's Assets
KiwiCon 2016 - Kicking Orion's AssetsKiwiCon 2016 - Kicking Orion's Assets
KiwiCon 2016 - Kicking Orion's Assets
 
GiTFO
GiTFOGiTFO
GiTFO
 
As The Phish Turns
As The Phish TurnsAs The Phish Turns
As The Phish Turns
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
 
Memory Forensics for Pentesters: Firefox
Memory Forensics for Pentesters: FirefoxMemory Forensics for Pentesters: Firefox
Memory Forensics for Pentesters: Firefox
 
From Couch To Career In 80 Hours
From Couch To Career In 80 HoursFrom Couch To Career In 80 Hours
From Couch To Career In 80 Hours
 

Último

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 

Último (20)

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 

Attacker Ghost Stories - ShmooCon 2014

  • 1. Attacker Ghost Stories Mostly free defenses that give attackers nightmares
  • 2. 20
  • 4. About me... Mubix “Rob” Fuller Father Husband NoVA Hacker Marine o  o  o  o 
  • 5. Why are we here?
  • 6.
  • 12. Why are we here?
  • 13. Why are we here? o  We want to learn how to attack or defend better. o  We want to hang out in “Lobby Con” o  We want to test our skills against the badge contest, GITS, Wireless CTF or Hack Fortress o  We are afraid of Heidi’s wrath if we don’t show up (staff) o  4 the lulz
  • 14. I’m a security tree hugger. I’m here to make the world a better place.
  • 15. Lets share the commonalities of attacks, and care about the effectiveness of our defenses.
  • 16.
  • 17. EMET (Enhanced Mitigation Experience Toolkit) What is EMET? o  http://www.microsoft.com/emet o  Think of it like a big bouncer that protects any kind of memory funny business, but only for things you tell it to protect Deployable by GPO Logs FREE o  o  o 
  • 19. What about EMET bypasses? http://goo.gl/QrJZdd
  • 20. Another good resource about EMET http://goo.gl/ELlBsi
  • 21.
  • 22. Block Java UA at the Proxy o Java apps (exploits) require the use of Java, which uses it’s own User-Agent STEP 1
  • 23. Internet Explorer User Agent Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/ 4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MS-RTC LM 8; InfoPath.3; .NET4.0C; .NET4.0E) chromeframe/8.0.552.224
  • 24. Block Java UA at the Proxy Examples: JNLP/6.0 javaws/1.6.0_29 Java/1.6.0_26 Mozilla/4.0 (Windows 7 6.1) Java/ 1.7.0_45
  • 25. Block Java UA at the Proxy o Java apps (exploits) require the use of Java, which uses it’s own User-Agent STEP 2
  • 26. Block Java UA at the Proxy o Java apps (exploits) require the use of Java, which uses it’s own User-Agent STEP 3 This never happens if they can’t pull the code!
  • 27. Block Java UA at the Proxy o Java apps (exploits) require the use of Java, which uses it’s own User-Agent Pull a report of every domain your users went to using the Java User-Agent. Parse the list and make them the exclusions. FREE Stops java exploits loaded by a browser. Attacker cannot modify UA pre-exploit o  o  o  o 
  • 28. Update: Block Java UA at the Proxy And according to “Z” this works for SSL too http://goo.gl/4mtwqN
  • 29. Block Java UA at the Proxy Oh yea, it protects Macs too…
  • 30.
  • 31. Logging / Vuln Scanning / AV / HIPS o PWDump removed on an internal IIS box doesn’t mean the job is done. Logon alerting - ADAudit Plus (only product in this presentation simply because I can’t find anyone else who does it) (Netwrix?) HIPS (enable the prevention part) Vuln Scanning is what a tool does. Lets start Vuln Reporting. Get your pentester/red team involved! o  o  o  o 
  • 32.
  • 33. Crowdsourcing Security Security Incident / Phishing Incentive Program Reward “top” users for reporting malicious or “phishy” content. Make a big deal out of it (company / section wide emails) Every employee becomes an IDS Quarterly “Think Evil” games o  o  o  o 
  • 34. Crowdsourcing Security Internal Bug Bounty Program Developers Developers Developers …. Incorporate the entire company though, if anyone reports a bug in a system they don’t own, they’ll be entered in the bounty. o  o  o Make it _EASY_ o Payout in gift cards instead of incident response and forensics
  • 35.
  • 36. Port-forwarding Honeypots If you have public IP space, use it. 1.  Spin up a VPS (Like Linode) 2.  Add vulnerable looking software to the VPS 3.  Install snort / other sensor on the VPS 4.  Port forward 80, 1433, etc on your IP to the VPS via your firewall. 5.  Watch as attacks roll in without endangering your infrastructure at all. Note: Don’t share passwords from real infrastructure to VPS.
  • 37.
  • 39. WPAD o Make null routed (127.0.0.1) DNS entry for WPAD Make null routed (::1) for DNS entry WPADWPADWPAD Disable NetBIOS resolution domain wide. Your DNS servers can handle it. It’s also a privacy concern NetBIOS traffic is broadcasted to everyone FREE o  o  o  o 
  • 40.
  • 41. DNS o There is no reason a user needs to resolve Google.com internally Let your web proxies do all the DNS FREE Turn off forward lookups on your internal DNS servers. Point your proxies at DNS servers that only they are allowed to use. o  o  o  o 
  • 42.
  • 43. Dump your own hashes!
  • 44. Dump your own hashes! o Crackers o  o  John the Ripper Rockyou.txt o Dumpers o  o  o  o  Depends… Goes back to the, “don’t use code you don’t trust”. List by Bernardo Damele - http://goo.gl/wDpJHc Ask your Pentesters/Red Teamers to do the dump and maybe even the audit. They will jump at it. o  (under supervision)
  • 45.
  • 46. Authenticated Splash Proxies o Use a web form with fields other than “username=” and “password=” Block all “uncategorized” Splash page requirement (every domain is blocked every day, first person to go to the page is shown a big red button that says “approve this domain”) any automated C2 will fail. o  o 
  • 47. Authenticated Splash Proxies THIS DOMAIN HAS BEEN BLOCKED! Don’t worry, this could be the first time today someone is attempting to go there. Click on “UNBLOCK” to ALLOW THIS DOMAIN THROUGH UNBLOCK BLOCK
  • 48.
  • 49. Evil Canaries o  Domain User called “DomainAdmin_Temp” with password in the description, and actually in Domain Admins group. Logon hours was 0. CAUGHT o  Public share called “Password Audit 2014”, EXLS docs about 4 MB, but “Everyone:Deny” permission. CAUGHT o  Computer called BACKUPDB, with out of date version of MySQL on Windows. CAUGHT
  • 50. Evil Canaries o  Web developer made .htaccess file forward common scanner (ala /nikto.html) requests to custom 402 (Payment Required) page, correlated hits and alerted. CAUGHT o  Credit card database: http:// www.getcreditcardnumbers.com/ CAUGHT o  VPN main page edited to include “default” credentials in HTML source. CAUGHT
  • 51. Evil Canaries o  Web server had /admin/login.html and supposedly tied to AD which always returned “SUCCESS” but didn’t do anything except, report what creds were used, browser and IP information. CAUGHT o  Machine that does absolutely nothing, saw traffic to port 23 (not listening). CAUGHT
  • 52. Tell your helpdesk! o Most of your actionable security alerts go through your helpdesk. Stop leaving them out of the loop. o 
  • 53.
  • 54. Thank you •  Heidi & Bruce •  Shmoo Staff •  And the countless people who listened to me practice this talk ahead of time in prep for today.
  • 55. Contact Me Rob Fuller @mubix Blog - http://www.room362.com/ Wiki - http://pwnwiki.io/ Email - mubix@hak5.org Campfire image from http://campfirewtx.org/wp-content/uploads/2013/11/campfire-pic.jpg
  • 56. Appendix I - Psychology The attacker is on your turf. Hackers freeze when they think they are caught. Nation states have “visibility assessment protocols” that take time. The more you can cause a visibility score to go up either by perceived or actual detection will cause more intelligence opportunities on the defence side.
  • 57. Appendix II - Other free wins o  Monitor anything that is tied to AD and is accessible from the Internet. OWA / MDM / SharePoint / VPN, or your web site. o  Baseline internal network traffic. Spider patterns mean scanning. o  MAC addresses that aren’t in the same OUI class should be investigated. (DELL/HP/ Wewei)
  • 58. Appendix II - Other free wins o  Allow users a way to specify when they are on vacation. Or integrate your vacation system with the authentication alerting system. If the user isn’t there, there shouldn’t be authenticating to anything be email and maybe the VPN for you workaholics.