SlideShare uma empresa Scribd logo

Let’s play the game. Yet another way to perform penetration test. Russian “red team exercise” experience from QIWI.

Transferir como PPTX, PDF
Kirill Ermakov
Kirill Ermakov

My talk from ZeroNights 2015 about QIWI Red Team Exercise penetration test.

Apresentações e oratória
1 de 21
Let’s play the game. Yet another way to perform penetration test. Russian “red team exercise” experience from QIWI. Kirill ‘isox’ Ermakov
#:whoami? • Known as ‘isox’ • Web penetration tester • QIWI CTO/CISO • Member of “hall-of-fames” (Yandex, Mail.ru, Apple, and so on) • JBFC participant ^___^
Captain obvious • Penetration testing • Just a way to check your security controls • “Fast and dirty assessment” • Performed by qualified specialists • Part of PCI DSS certification as example • Independent security review • Need2do for security-aware companies
Traditional approach • Single team (2-5 members) • External, Internal and social-technology • Restricted vectors and scenario • Attackers whitelist • No private information about a target • Social attacks are often prohibited • Limited attacks daytime
Pentester point of view • Target-independent work scenario • 1/3 time for well known vectors • 1/3 time for new research • 1/3 time for automated scanners • No physical security bypass • Limited social attacks • Same story every time
Red team exercise • They call it “Red-team”: • Security team is not notified • Trying to simulate “real” attack • Still a lot of restrictions and limits • One team • No information about the internals
Anyway cover is not enough • Blind zones • Time limits • Does not use all available vectors • Too much accurate and ethic • Does not really looks like real hackers attack • Pentest team insufficient resources
Hack me plz! • Lets make a big (dream?) team • Let them work on their own! • No more “secret pentest technique” • Forget “don’t attack that” and “don’t bruteforce us after 6PM” • Scope = everything • Not kidding. Really everything. • No preparations from security team
No restrictions • Social attacks • Malware • Account bruteforce • 0days • Night/weekend attacks • Physical penetration • DOS • Drop-devices • Personal devices hijack • Employee bribe
Let’s there be insider • Sharing private information • Network map • Critical assets • Security specialist as insider • Hints and advises
Deep penetration • Physical security bypass • Drop-devices: • Wi-Fi and LAN back connects • Cable manipulations • USB Flash with malware • Live social engineering • Stealing laptops/pads/phones
Security reactions • Security team awareness check • Real incident investigation • Bans and account lockouts • Live system tuning • Cooperation with physical security • Logs, cameras, events and a lot of fun!
Challenge and goals • For penetration team: • Application or SYS account for DB • AD enterprise administrator account • *nix root / admin account • Access to any critical system • For security team: • Defend your home And there is only one rule: no rules
QIWI Red Team Exercise • Attackers: #ONSEC & #DSEC • Defenders: #QIWI security team • Insider: CISO (me) • Timeline: 2.5 month • Attack Goal: • SYSDBA, root, Enterprise Administrator • Security team goal: • Notice at least 90% attacks and intrusions • Defend
Weeks of pain • 7 social attacks in 2 weeks • Few times of “emergency” • System crashes • Ordinary users butthurt: • Locked accounts • Spam/phishing emails • Viruses • Malware investigations
Really cool vectors • Successful office building intrusion • Wi-Fi’ed and LAN’ed laptops gateways • Mac OS X domain issues • Smart House hacking • Power Supply takeover • Compiling dsniff for DVR … even more in @d0znpp presentations
Some memos
And we lost this game • System accounts were compromised • Social engineering as a best attack vector • SSH access to security team member’s Macbook • Downloaded dumps of network devices with password hashes • Tons of successful brutes
Successful vector • Gained credentials using social engineering • Loss of isolation in guest Wi-Fi network • Laptops, connected both to cable networks and Wi-Fi • Bad MacOS active directory configuration, allowing any AD account to connect using SSH • Keeping sensitive data plaintext in ~/ • Insufficient monitoring of the office traffic
Results • Better than one-team classics • Simulate near real hacker attacks • Excellent scope fulfill • Testing security as it is, not as it wants to be • You will be disappointed in your security toys • ‘Little’ bit expensive • Systems will crash sometimes
See ya! • Thanks to @videns for a good trip to the Troopers • Thanks to #DSEC and #ONSEC for a great job • Excuses to my security team for this two and a half months of hell • Any questions? • Contact: isox@qiwi.com

Recomendados

Lets talk about bug hunting
Lets talk about bug huntingLets talk about bug hunting
Lets talk about bug hunting
Kirill Ermakov
 
QIWI SOC benchmarking: Blue Team story
QIWI SOC benchmarking: Blue Team storyQIWI SOC benchmarking: Blue Team story
QIWI SOC benchmarking: Blue Team story
Mona Arkhipova
 
Positive Hack Days 7 - Ransomware forensiсs
Positive Hack Days 7 - Ransomware forensiсsPositive Hack Days 7 - Ransomware forensiсs
Positive Hack Days 7 - Ransomware forensiсs
Mona Arkhipova
 
Enterprise Forensics 101
Enterprise Forensics 101Enterprise Forensics 101
Enterprise Forensics 101
Mona Arkhipova
 
CSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application securityCSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application security
CanSecWest
 
Risks vs real life
Risks vs real lifeRisks vs real life
Risks vs real life
Mona Arkhipova
 
SOC training
SOC trainingSOC training
SOC training
Kirill Ermakov
 
How to get a well done penetration test
How to get a well done penetration testHow to get a well done penetration test
How to get a well done penetration test
Kirill Ermakov
 

Recomendados

Lets talk about bug hunting
Lets talk about bug huntingLets talk about bug hunting
Lets talk about bug hunting
Kirill Ermakov
 
QIWI SOC benchmarking: Blue Team story
QIWI SOC benchmarking: Blue Team storyQIWI SOC benchmarking: Blue Team story
QIWI SOC benchmarking: Blue Team story
Mona Arkhipova
 
Positive Hack Days 7 - Ransomware forensiсs
Positive Hack Days 7 - Ransomware forensiсsPositive Hack Days 7 - Ransomware forensiсs
Positive Hack Days 7 - Ransomware forensiсs
Mona Arkhipova
 
Enterprise Forensics 101
Enterprise Forensics 101Enterprise Forensics 101
Enterprise Forensics 101
Mona Arkhipova
 
CSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application securityCSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application security
CanSecWest
 
Risks vs real life
Risks vs real lifeRisks vs real life
Risks vs real life
Mona Arkhipova
 
SOC training
SOC trainingSOC training
SOC training
Kirill Ermakov
 
How to get a well done penetration test
How to get a well done penetration testHow to get a well done penetration test
How to get a well done penetration test
Kirill Ermakov
 
BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...
BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...
BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...
BlueHat Security Conference
 
CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014
Greg Foss
 
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat Security Conference
 
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud XiaoFruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Shakacon
 
Problems with parameters b sides-msp
Problems with parameters b sides-mspProblems with parameters b sides-msp
Problems with parameters b sides-msp
Mike Saunders
 
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
BlueHat Security Conference
 
Next Generation Advanced Malware Detection and Defense
Next Generation Advanced Malware Detection and DefenseNext Generation Advanced Malware Detection and Defense
Next Generation Advanced Malware Detection and Defense
Luca Simonelli
 
Luis Grangeia IBWAS
Luis Grangeia IBWASLuis Grangeia IBWAS
Luis Grangeia IBWAS
Luis Grangeia
 
BlueHat v17 || Extracting Secrets from Silicon – A New Generation of Bug Hunt...
BlueHat v17 || Extracting Secrets from Silicon – A New Generation of Bug Hunt...BlueHat v17 || Extracting Secrets from Silicon – A New Generation of Bug Hunt...
BlueHat v17 || Extracting Secrets from Silicon – A New Generation of Bug Hunt...
BlueHat Security Conference
 
Implementing ossec
Implementing ossecImplementing ossec
Implementing ossec
Jeronimo Zucco
 
[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token
OWASP
 
Deception Driven Defense - Infragard 2016
Deception Driven Defense - Infragard 2016Deception Driven Defense - Infragard 2016
Deception Driven Defense - Infragard 2016
Greg Foss
 
Penetration Testing vs. Vulnerability Scanning
Penetration Testing vs. Vulnerability ScanningPenetration Testing vs. Vulnerability Scanning
Penetration Testing vs. Vulnerability Scanning
SecurityMetrics
 
[OWASP Poland Day] Security knowledge framework
[OWASP Poland Day] Security knowledge framework[OWASP Poland Day] Security knowledge framework
[OWASP Poland Day] Security knowledge framework
OWASP
 
How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a Database
John Ashmead
 
Linux Security for Developers
Linux Security for DevelopersLinux Security for Developers
Linux Security for Developers
Michael Boelen
 
Purple team is awesome
Purple team is awesomePurple team is awesome
Purple team is awesome
Sumedt Jitpukdebodin
 
Managing Next Generation Threats to Cyber Security
Managing Next Generation Threats to Cyber SecurityManaging Next Generation Threats to Cyber Security
Managing Next Generation Threats to Cyber Security
Priyanka Aash
 
Client-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationClient-Side Penetration Testing Presentation
Client-Side Penetration Testing Presentation
Chris Gates
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016
Matthew Dunwoody
 
Web Application Penetration Tests - Information Gathering Stage
Web Application Penetration Tests - Information Gathering StageWeb Application Penetration Tests - Information Gathering Stage
Web Application Penetration Tests - Information Gathering Stage
Netsparker
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
Netsparker
 

Mais conteúdo relacionado

Mais procurados

BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...
BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...
BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...
BlueHat Security Conference
 
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat Security Conference
 
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud XiaoFruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Shakacon
 
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
BlueHat Security Conference
 
BlueHat v17 || Extracting Secrets from Silicon – A New Generation of Bug Hunt...
BlueHat v17 || Extracting Secrets from Silicon – A New Generation of Bug Hunt...BlueHat v17 || Extracting Secrets from Silicon – A New Generation of Bug Hunt...
BlueHat v17 || Extracting Secrets from Silicon – A New Generation of Bug Hunt...
BlueHat Security Conference
 
[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token
OWASP
 
Penetration Testing vs. Vulnerability Scanning
Penetration Testing vs. Vulnerability ScanningPenetration Testing vs. Vulnerability Scanning
Penetration Testing vs. Vulnerability Scanning
SecurityMetrics
 
Managing Next Generation Threats to Cyber Security
Managing Next Generation Threats to Cyber SecurityManaging Next Generation Threats to Cyber Security
Managing Next Generation Threats to Cyber Security
Priyanka Aash
 

Mais procurados (20)

BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...
BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...
BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...
 
CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014
 
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
 
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud XiaoFruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
 
Problems with parameters b sides-msp
Problems with parameters b sides-mspProblems with parameters b sides-msp
Problems with parameters b sides-msp
 
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
 
Next Generation Advanced Malware Detection and Defense
Next Generation Advanced Malware Detection and DefenseNext Generation Advanced Malware Detection and Defense
Next Generation Advanced Malware Detection and Defense
 
Luis Grangeia IBWAS
Luis Grangeia IBWASLuis Grangeia IBWAS
Luis Grangeia IBWAS
 
BlueHat v17 || Extracting Secrets from Silicon – A New Generation of Bug Hunt...
BlueHat v17 || Extracting Secrets from Silicon – A New Generation of Bug Hunt...BlueHat v17 || Extracting Secrets from Silicon – A New Generation of Bug Hunt...
BlueHat v17 || Extracting Secrets from Silicon – A New Generation of Bug Hunt...
 
Implementing ossec
Implementing ossecImplementing ossec
Implementing ossec
 
[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token
 
Deception Driven Defense - Infragard 2016
Deception Driven Defense - Infragard 2016Deception Driven Defense - Infragard 2016
Deception Driven Defense - Infragard 2016
 
Penetration Testing vs. Vulnerability Scanning
Penetration Testing vs. Vulnerability ScanningPenetration Testing vs. Vulnerability Scanning
Penetration Testing vs. Vulnerability Scanning
 
[OWASP Poland Day] Security knowledge framework
[OWASP Poland Day] Security knowledge framework[OWASP Poland Day] Security knowledge framework
[OWASP Poland Day] Security knowledge framework
 
How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a Database
 
Linux Security for Developers
Linux Security for DevelopersLinux Security for Developers
Linux Security for Developers
 
Purple team is awesome
Purple team is awesomePurple team is awesome
Purple team is awesome
 
Managing Next Generation Threats to Cyber Security
Managing Next Generation Threats to Cyber SecurityManaging Next Generation Threats to Cyber Security
Managing Next Generation Threats to Cyber Security
 
Client-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationClient-Side Penetration Testing Presentation
Client-Side Penetration Testing Presentation
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016
 

Destaque

App Penetration Test
App Penetration TestApp Penetration Test
App Penetration Test
Aung Khant
 
Psychometric Test & Personality Evualuation
Psychometric Test & Personality EvualuationPsychometric Test & Personality Evualuation
Psychometric Test & Personality Evualuation
sdusane1
 
Amazing prediction, Know yourself
Amazing prediction, Know yourselfAmazing prediction, Know yourself
Amazing prediction, Know yourself
Sunita Gupta
 
Ssct interpretation and scoring
Ssct interpretation and scoringSsct interpretation and scoring
Ssct interpretation and scoring
Bless Maramag
 
Get to know yourself, you'll see the world
Get to know yourself, you'll see the worldGet to know yourself, you'll see the world
Get to know yourself, you'll see the world
Renny
 

Destaque (20)

Web Application Penetration Tests - Information Gathering Stage
Web Application Penetration Tests - Information Gathering StageWeb Application Penetration Tests - Information Gathering Stage
Web Application Penetration Tests - Information Gathering Stage
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
App Penetration Test
App Penetration TestApp Penetration Test
App Penetration Test
 
BackBox Linux: Simulazione di un Penetration Test e CTF
BackBox Linux: Simulazione di un Penetration Test e CTFBackBox Linux: Simulazione di un Penetration Test e CTF
BackBox Linux: Simulazione di un Penetration Test e CTF
 
Cyber Table Top Exercise -- Model Roadmap
Cyber Table Top Exercise -- Model RoadmapCyber Table Top Exercise -- Model Roadmap
Cyber Table Top Exercise -- Model Roadmap
 
Psychometric Test & Personality Evualuation
Psychometric Test & Personality EvualuationPsychometric Test & Personality Evualuation
Psychometric Test & Personality Evualuation
 
Amazing prediction, Know yourself
Amazing prediction, Know yourselfAmazing prediction, Know yourself
Amazing prediction, Know yourself
 
Ssct interpretation and scoring
Ssct interpretation and scoringSsct interpretation and scoring
Ssct interpretation and scoring
 
Sentence completion test
Sentence completion testSentence completion test
Sentence completion test
 
Personality Test "Select a Shape"
Personality Test "Select a Shape"Personality Test "Select a Shape"
Personality Test "Select a Shape"
 
Sack s sentence completion test report
Sack s sentence completion test reportSack s sentence completion test report
Sack s sentence completion test report
 
Dr. Phils Personality Test [Amazing]
Dr. Phils Personality Test [Amazing]Dr. Phils Personality Test [Amazing]
Dr. Phils Personality Test [Amazing]
 
Get to know yourself, you'll see the world
Get to know yourself, you'll see the worldGet to know yourself, you'll see the world
Get to know yourself, you'll see the world
 
H-T-P (House Tree Person)
H-T-P (House Tree Person)H-T-P (House Tree Person)
H-T-P (House Tree Person)
 
Team Building Activities
Team Building ActivitiesTeam Building Activities
Team Building Activities
 
Personality Test
Personality TestPersonality Test
Personality Test
 
What Makes a GreatTeacher
What Makes a GreatTeacherWhat Makes a GreatTeacher
What Makes a GreatTeacher
 
Personality test
Personality testPersonality test
Personality test
 
Team Building: Creating Effective Teams
Team Building: Creating Effective Teams Team Building: Creating Effective Teams
Team Building: Creating Effective Teams
 
Team Building & Team Work
Team Building & Team WorkTeam Building & Team Work
Team Building & Team Work
 

Semelhante a Let’s play the game. Yet another way to perform penetration test. Russian “red team exercise” experience from QIWI.

What Does a Full Featured Security Strategy Look Like?
What Does a Full Featured Security Strategy Look Like?What Does a Full Featured Security Strategy Look Like?
What Does a Full Featured Security Strategy Look Like?
Precisely
 
How to Build Your Own Physical Pentesting Go-bag
How to Build Your Own Physical Pentesting Go-bagHow to Build Your Own Physical Pentesting Go-bag
How to Build Your Own Physical Pentesting Go-bag
Beau Bullock
 
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC Group
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC GroupA (not-so-quick) Primer on iOS Encryption David Schuetz - NCC Group
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC Group
EC-Council
 

Semelhante a Let’s play the game. Yet another way to perform penetration test. Russian “red team exercise” experience from QIWI. (20)

All about Hacking
All about HackingAll about Hacking
All about Hacking
 
Inetsecurity.in Ethical Hacking presentation
Inetsecurity.in Ethical Hacking presentationInetsecurity.in Ethical Hacking presentation
Inetsecurity.in Ethical Hacking presentation
 
Botnets Attacks.pptx
Botnets Attacks.pptxBotnets Attacks.pptx
Botnets Attacks.pptx
 
Computer Security
Computer SecurityComputer Security
Computer Security
 
Malware cryptomining uploadv3
Malware cryptomining uploadv3Malware cryptomining uploadv3
Malware cryptomining uploadv3
 
Malware analysis
Malware analysisMalware analysis
Malware analysis
 
What Does a Full Featured Security Strategy Look Like?
What Does a Full Featured Security Strategy Look Like?What Does a Full Featured Security Strategy Look Like?
What Does a Full Featured Security Strategy Look Like?
 
Fun with Application Security
Fun with Application SecurityFun with Application Security
Fun with Application Security
 
How to Build Your Own Physical Pentesting Go-bag
How to Build Your Own Physical Pentesting Go-bagHow to Build Your Own Physical Pentesting Go-bag
How to Build Your Own Physical Pentesting Go-bag
 
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC Group
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC GroupA (not-so-quick) Primer on iOS Encryption David Schuetz - NCC Group
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC Group
 
intrusion detection system (IDS)
intrusion detection system (IDS)intrusion detection system (IDS)
intrusion detection system (IDS)
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
 
[Bucharest] Catching up with today's malicious actors
[Bucharest] Catching up with today's malicious actors[Bucharest] Catching up with today's malicious actors
[Bucharest] Catching up with today's malicious actors
 
Refugees on Rails Berlin - #2 Tech Talk on Security
Refugees on Rails Berlin - #2 Tech Talk on SecurityRefugees on Rails Berlin - #2 Tech Talk on Security
Refugees on Rails Berlin - #2 Tech Talk on Security
 
Ethical hacking 101 - Singapore RSA 2019
Ethical hacking 101 - Singapore RSA 2019Ethical hacking 101 - Singapore RSA 2019
Ethical hacking 101 - Singapore RSA 2019
 
Hunt for the red DA
Hunt for the red DAHunt for the red DA
Hunt for the red DA
 
building foundation for ethical hacking.ppt
building foundation for ethical hacking.pptbuilding foundation for ethical hacking.ppt
building foundation for ethical hacking.ppt
 
CloudStack Secured
CloudStack SecuredCloudStack Secured
CloudStack Secured
 
PENETRATION TESTING FROM A HOT TUB TIME MACHINE
PENETRATION TESTING FROM A HOT TUB TIME MACHINEPENETRATION TESTING FROM A HOT TUB TIME MACHINE
PENETRATION TESTING FROM A HOT TUB TIME MACHINE
 
CISSA Lightning Talk - Building a Malware Analysis Lab on a Budget
CISSA Lightning Talk - Building a Malware Analysis Lab on a BudgetCISSA Lightning Talk - Building a Malware Analysis Lab on a Budget
CISSA Lightning Talk - Building a Malware Analysis Lab on a Budget
 

Mais de Kirill Ermakov

Mais de Kirill Ermakov (8)

Vulners report: comparing vulnerability world 2016 to 2017
Vulners report: comparing vulnerability world 2016 to 2017Vulners report: comparing vulnerability world 2016 to 2017
Vulners report: comparing vulnerability world 2016 to 2017
 
Security awareness for information security team
Security awareness for information security teamSecurity awareness for information security team
Security awareness for information security team
 
Под капотом Vulners
Под капотом VulnersПод капотом Vulners
Под капотом Vulners
 
Vulnerability Funalitics with vulners.com
Vulnerability Funalitics with vulners.comVulnerability Funalitics with vulners.com
Vulnerability Funalitics with vulners.com
 
Vulners: Google for hackers
Vulners: Google for hackersVulners: Google for hackers
Vulners: Google for hackers
 
Why vulners? Short story about reinventing a wheel
Why vulners? Short story about reinventing a wheelWhy vulners? Short story about reinventing a wheel
Why vulners? Short story about reinventing a wheel
 
Почему вам не нужен SOC
Почему вам не нужен SOCПочему вам не нужен SOC
Почему вам не нужен SOC
 
Подход QIWI к проведению тестирования на проникновение
Подход QIWI к проведению тестирования на проникновениеПодход QIWI к проведению тестирования на проникновение
Подход QIWI к проведению тестирования на проникновение
 

Último

If this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaIf this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New Nigeria
Kayode Fayemi
 
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxChiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
raffaeleoman
 
Uncommon Grace The Autobiography of Isaac Folorunso
Uncommon Grace The Autobiography of Isaac FolorunsoUncommon Grace The Autobiography of Isaac Folorunso
Uncommon Grace The Autobiography of Isaac Folorunso
Kayode Fayemi
 
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
Sheetaleventcompany
 
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
Delhi Call girls
 
Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...
Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...
Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...
Delhi Call girls
 

Último (20)

If this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaIf this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New Nigeria
 
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdfThe workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
 
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxChiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
 
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdf
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdfAWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdf
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdf
 
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxMohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
 
Uncommon Grace The Autobiography of Isaac Folorunso
Uncommon Grace The Autobiography of Isaac FolorunsoUncommon Grace The Autobiography of Isaac Folorunso
Uncommon Grace The Autobiography of Isaac Folorunso
 
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
 
Causes of poverty in France presentation.pptx
Causes of poverty in France presentation.pptxCauses of poverty in France presentation.pptx
Causes of poverty in France presentation.pptx
 
Air breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animalsAir breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animals
 
ICT role in 21st century education and it's challenges.pdf
ICT role in 21st century education and it's challenges.pdfICT role in 21st century education and it's challenges.pdf
ICT role in 21st century education and it's challenges.pdf
 
Dreaming Marissa Sánchez Music Video Treatment
Dreaming Marissa Sánchez Music Video TreatmentDreaming Marissa Sánchez Music Video Treatment
Dreaming Marissa Sánchez Music Video Treatment
 
Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)
 
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
 
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesVVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
 
Report Writing Webinar Training
Report Writing Webinar TrainingReport Writing Webinar Training
Report Writing Webinar Training
 
lONG QUESTION ANSWER PAKISTAN STUDIES10.
lONG QUESTION ANSWER PAKISTAN STUDIES10.lONG QUESTION ANSWER PAKISTAN STUDIES10.
lONG QUESTION ANSWER PAKISTAN STUDIES10.
 
Presentation on Engagement in Book Clubs
Presentation on Engagement in Book ClubsPresentation on Engagement in Book Clubs
Presentation on Engagement in Book Clubs
 
Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...
Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...
Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...
 
SaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, YardstickSaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, Yardstick
 
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night EnjoyCall Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
 

Let’s play the game. Yet another way to perform penetration test. Russian “red team exercise” experience from QIWI.

  • 1. Let’s play the game. Yet another way to perform penetration test. Russian “red team exercise” experience from QIWI. Kirill ‘isox’ Ermakov
  • 2. #:whoami? • Known as ‘isox’ • Web penetration tester • QIWI CTO/CISO • Member of “hall-of-fames” (Yandex, Mail.ru, Apple, and so on) • JBFC participant ^___^
  • 3. Captain obvious • Penetration testing • Just a way to check your security controls • “Fast and dirty assessment” • Performed by qualified specialists • Part of PCI DSS certification as example • Independent security review • Need2do for security-aware companies
  • 4. Traditional approach • Single team (2-5 members) • External, Internal and social-technology • Restricted vectors and scenario • Attackers whitelist • No private information about a target • Social attacks are often prohibited • Limited attacks daytime
  • 5. Pentester point of view • Target-independent work scenario • 1/3 time for well known vectors • 1/3 time for new research • 1/3 time for automated scanners • No physical security bypass • Limited social attacks • Same story every time
  • 6. Red team exercise • They call it “Red-team”: • Security team is not notified • Trying to simulate “real” attack • Still a lot of restrictions and limits • One team • No information about the internals
  • 7. Anyway cover is not enough • Blind zones • Time limits • Does not use all available vectors • Too much accurate and ethic • Does not really looks like real hackers attack • Pentest team insufficient resources
  • 8. Hack me plz! • Lets make a big (dream?) team • Let them work on their own! • No more “secret pentest technique” • Forget “don’t attack that” and “don’t bruteforce us after 6PM” • Scope = everything • Not kidding. Really everything. • No preparations from security team
  • 9. No restrictions • Social attacks • Malware • Account bruteforce • 0days • Night/weekend attacks • Physical penetration • DOS • Drop-devices • Personal devices hijack • Employee bribe
  • 10. Let’s there be insider • Sharing private information • Network map • Critical assets • Security specialist as insider • Hints and advises
  • 11. Deep penetration • Physical security bypass • Drop-devices: • Wi-Fi and LAN back connects • Cable manipulations • USB Flash with malware • Live social engineering • Stealing laptops/pads/phones
  • 12. Security reactions • Security team awareness check • Real incident investigation • Bans and account lockouts • Live system tuning • Cooperation with physical security • Logs, cameras, events and a lot of fun!
  • 13. Challenge and goals • For penetration team: • Application or SYS account for DB • AD enterprise administrator account • *nix root / admin account • Access to any critical system • For security team: • Defend your home And there is only one rule: no rules
  • 14. QIWI Red Team Exercise • Attackers: #ONSEC & #DSEC • Defenders: #QIWI security team • Insider: CISO (me) • Timeline: 2.5 month • Attack Goal: • SYSDBA, root, Enterprise Administrator • Security team goal: • Notice at least 90% attacks and intrusions • Defend
  • 15. Weeks of pain • 7 social attacks in 2 weeks • Few times of “emergency” • System crashes • Ordinary users butthurt: • Locked accounts • Spam/phishing emails • Viruses • Malware investigations
  • 16. Really cool vectors • Successful office building intrusion • Wi-Fi’ed and LAN’ed laptops gateways • Mac OS X domain issues • Smart House hacking • Power Supply takeover • Compiling dsniff for DVR … even more in @d0znpp presentations
  • 18. And we lost this game • System accounts were compromised • Social engineering as a best attack vector • SSH access to security team member’s Macbook • Downloaded dumps of network devices with password hashes • Tons of successful brutes
  • 19. Successful vector • Gained credentials using social engineering • Loss of isolation in guest Wi-Fi network • Laptops, connected both to cable networks and Wi-Fi • Bad MacOS active directory configuration, allowing any AD account to connect using SSH • Keeping sensitive data plaintext in ~/ • Insufficient monitoring of the office traffic
  • 20. Results • Better than one-team classics • Simulate near real hacker attacks • Excellent scope fulfill • Testing security as it is, not as it wants to be • You will be disappointed in your security toys • ‘Little’ bit expensive • Systems will crash sometimes
  • 21. See ya! • Thanks to @videns for a good trip to the Troopers • Thanks to #DSEC and #ONSEC for a great job • Excuses to my security team for this two and a half months of hell • Any questions? • Contact: isox@qiwi.com