Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Fade from Whitehat... to Black

When your job is to act as a malicious attacker on a daily basis for the good of helping organizations, you can’t help but wonder “What if I decided to embrace the evil within?” What if one day I woke up evil? Every day as a pentester, I compromise organizations through a variety of ways. If I were to wake up one day and decide to completely throw my ethics out the window, how profitable could I be, and could I avoid getting caught?

In this talk I will walk through a detailed methodology about how I personally would go about exploiting organizations for fun and profit, this time not under the “white hat.” Non-attribution, target acquisition, exploitation, and profitization will be the focal points. Blue teamers will get a peek into the mindset of a dedicated attacker. Red teamers will learn a few new techniques for their attack methodologies.

  • Login to see the comments

Fade from Whitehat... to Black

  1. 1. FA D E F R O M W H I T E H AT… T O B L A C K B E A U B U L L O C K
  2. 2. “Everyone is a moon and has a dark side which he never shows to anybody” ~ Mark Twain
  3. 3. K E Y F O C A L P O I N T S • Non-attribution • Target Acquisition • Reconnaissance • Exploitation • Profitization
  4. 4. W H O A M I • Beau Bullock • Pentester at Black Hills Information Security • Host of Hack Naked TV • Previously an enterprise defender • OSCP, GXPN, GPEN, GCIH, GCFA, OSWP, & GSEC
  5. 5. S I D E N O T E
  6. 6. 2 0 1 4
  7. 7. I N T W O Y E A R S S I N C E T H E N I ’ V E … • Performed Pentests against 70 different companies • Recorded 20 Hack Naked TV episodes • Spoke at three different security conferences • Wrote eight blog posts • …now adding keynote to the list
  8. 8. Enough about me
  9. 9. N O N - AT T R I B U T I O N
  10. 10. D R E A D P I R AT E R O B E R T S ( D P R ) • How Ross Ulbricht got caught = Really bad OPSEC • Boasted about creating an “economic simulation” on LinkedIn • Put his real face on fake ID’s used to purchase servers • Asked for advice on Stack Overflow about coding Silk Road • Hired an undercover cop to perform a “hit” for him • TOR IP Publishing leak - Leaked Silk Road’s actual IP • Accessed Silk Road from Café half a block from residence
  11. 11. D E S I G N W I T H O P S E C I N M I N D • Let’s try to avoid DPR’s mistakes • Don’t trust humans • Build attack infrastructure with the most important element being OPSEC • Maintain anonymity in both the real and digital worlds
  12. 12. N O N - AT T R I B U TA B L E S E T U P • Necessities (rebuilt from scratch for each job) • A laptop to work from • Internet • VPN/proxies • CnC and attack servers • Non-attributable currency (i.e. Bitcoin, pre-paid VISA’s)
  13. 13. L A P T O P P U R C H A S E
  14. 14. I N T E R N E T • Free WiFi at coffee shops, hotels, or my favorite… apartment complexes • Greater than 50 miles from residence • Never bring residence into circumference
  15. 15. N O T O P S E C S A F E
  16. 16. A B I T M O R E O P S E C S A F E
  17. 17. AT TA C K A R C H I T E C T U R E S E T U P • Never directly attacking an organization • Will need multiple virtual private servers (VPS) • In order to be non-attributable we will need a few things: • Alternate identities • Currency (Bitcoin, pre-paid VISA, etc.)
  18. 18. B U Y B I T C O I N F O R C A S H
  19. 19. V P S F O R B I T C O I N
  20. 20. P R I M A RY AT TA C K S Y S T E M S • VPS Network 1 • VPN server • Management server • Password cracking server • VPS Network 2 • Primary attack server • Command and Control server
  21. 21. C O N N E C T I V I T Y • VPN from base camp to VPS network 1 • SSH/RDP to management server • Route all traffic from management server through TOR • SSH from management server to VPS network 2 hosts
  22. 22. N O N - AT T R I B U T I O N D I A G R A M
  23. 23. 1. Live-booted off USB to Linux 2. Connected to free WiFi 3. VPN’d to VPS net 1 4. VNC to management server in VPS net 1 5. Route all traffic from management server through TOR 6. SSH from management server over TOR to attack server in VPS net 2 7. Mandatory Caffeination
  24. 24. TA R G E T A C Q U I S I T I O N
  25. 25. M O T I VAT I O N • Easy Targets • High Profile Targets • Contracted Targets • Vengeance
  26. 26. E A S Y TA R G E T S • Shodan - Unauthenticated VNC Servers
  27. 27. E A S Y TA R G E T S • Shodan - Vulnerable Services
  28. 28. H I G H P R O F I L E TA R G E T S
  29. 29. C O N T R A C T E D TA R G E T S
  30. 30. V E N G E A N C E
  31. 31. R E C O N N A I S S A N C E
  32. 32. I N F O R M AT I O N D I S C L O S U R E • Organization’s username structure • Credentials in previous breaches • External network ranges
  33. 33. M I N I M I Z E T H E N O I S E • Use sites like Shodan and Censys to discover open ports on the target’s systems • Again, look for low hanging fruit • Locate external login portals (we’ll get to why these are important shortly)
  34. 34. E X P L O I TAT I O N
  35. 35. AT TA C K 1 - C R E D E N T I A L R E U S E • How can we exploit credential reuse on personal accounts?
  36. 36. AT TA C K 1 - C R E D E N T I A L R E U S E • Publicly Compromised accounts
  37. 37. AT TA C K 1 - C R E D E N T I A L R E U S E • Pipl - locate employees based off their email address
  38. 38. AT TA C K 1 - C R E D E N T I A L R E U S E • Attempt to login to their corporate account using the creds recovered from previous breach
  39. 39. AT TA C K 2 - PA S S W O R D S P R AY I N G
  40. 40. AT TA C K 2 - PA S S W O R D S P R AY I N G • FOCA
  41. 41. AT TA C K 2 - PA S S W O R D S P R AY I N G
  42. 42. AT TA C K 3 - P H I S H I N G • The “golden ticket” to pretty much any network • Two types of phishing • Credential gathering • System compromise
  43. 43. AT TA C K 3 - P H I S H I N G • Credential gathering • Clone an external login portal • Phish users to login to gather creds • Redirect to actual portal
  44. 44. AT TA C K 3 - P H I S H I N G • Remote exploitation • Word doc macros, browser exploits, etc.
  45. 45. R E M O T E A C C E S S • VPN - is 2FA in play? • RDP? • Access to OWA - • Phishing across internal accounts = win • No physical attacks. If I can’t compromise the network remotely I move on.
  46. 46. P O S T- E X P L O I TAT I O N • PowerShell, and command line - no extra tools needed • GPP • Widespread local admin • Insecure perms on other systems (domain users in local admins) • Internal password spraying • PSexec/Mimikatz combo
  47. 47. L O O T • Pivot to DC, dump domain hashes • Locate vCenter servers, DB’s, etc.
  48. 48. P R O F I T I Z AT I O N
  49. 49. T U R N I N G C O M P R O M I S E I N T O C A S H • Carder? • Identity Theft? • Ransomware? • Hacktivist?
  50. 50. T H E T R I C K Y PA R T… "It's not that we find criminals like this through cyber- forensics. We get them in the real world when they do something stupid, it's invariably how it works: Getting credit cards is easy. Turning it into cash is hard.” ~ Bruce Schneier
  51. 51. T W O M A J O R P R O B L E M S • Bitcoin is not untraceable • Turning large amounts of Bitcoin into cash is not trivial
  52. 52. T R A C I N G B I T C O I N • •
  53. 53. B I T C O I N T O C A S H • This becomes a money laundering problem
  54. 54. R I P A N D R E P L A C E • Full teardown and removal of all testing systems • Rebuild from scratch for next job
  55. 55. FA D I N G B A C K
  56. 56. W H Y I D O N ’ T D O T H I S • Ethics • Inevitability of getting caught • Danger of entering the criminal world
  57. 57. W E C A N M A K E I T B E T T E R • Enterprise Defenders, Pentesters, Security Engineers, Developers, Forensicators, Network Engineers, SysAdmins, DBA’s, etc.
  58. 58. D E F E N D E R S • Shift focus from attribution to detection and prevention • Increase logging to detect when attackers are performing attacks like password spraying • Ensure all external login portals are using 2FA • Increase length of password policies
  59. 59. AT TA C K E R S • Continue to highlight the importance and value of credentials • Attempt to locate credential reuse across accounts • On external assessments attempt to password spray portals that use domain-based authentication • Escalate internally & crack all the passwords
  60. 60. T H A N K Y O U • • • @dafthack