![Page 1: HACKING TECHNIQUES and Mitigations Brady Bloxham](https://reader033.vdocuments.mx/reader033/viewer/2022050905/5517e38d550346d0568b45fc/html5/thumbnails/1.jpg)
HACKING TECHNIQUES and Mitigations
Brady Bloxham
About Us
• Services
  • Vulnerability assessments
  • Wireless assessments
  • Compliance testing
  • Penetration testing
• Eat, breathe, sleep, talk, walk, think, act security!
Agenda
• Old methodology
• New methodology
• Techniques in action
• Conclusion
The Old Way
• Footprinting
• Network Enumeration
• Vulnerability Identification
• Gaining Access to the Network
• Escalating Privileges
• Retain Access
• Return and Report
The Old Way (continued)
The New Way (my way!)
• Recon
• Plan
• Exploit
• Persist
• Repeat
• Simple, right?!
The New Way (continued)
Recon → Plan → Exploit → Domain Admin?
  • No → Persist, then repeat the cycle
  • Yes → Report!
Old vs. New
• So what you end up with is…
Recon
• Two types
  • Pre-engagement
  • On the box
Recon – Pre-engagement
• Target IT
• Social Networking
  • LinkedIn
  • Facebook
  • Google
  • Bing
• Create profile
• Play to their ego
• Play to desperation
• Play to what you know
Recon – Pre-engagement
• Social Engineering
Recon – On the box
• Netstat
Recon – On the box
• Set
Recon – On the box
• Net
Recon
• Registry
  • Audit Settings
    • HKLM\Security\Policy\PolAdtEv
  • Dump hashes
    • Local hashes
    • Domain cached credentials
    • Windows credential editor
    • Application credentials (Pidgin, Outlook, browsers, etc.)
  • RDP history
    • HKU\Software\Microsoft\Terminal Server Client\Default
  • Installed software
    • HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall
Recon
• What do we have?
  • High value servers (domain controller, file servers, email, etc.)
  • Group and user list
    • Domain admins
    • Other high value targets
  • Installed applications
  • Detailed account information
  • Hashes and passwords
Plan
Plan
• Test, test, test!
  • Real production environment!
  • Recreate target environment
    • Proxies
    • AV
    • Domain
• Verify plan with customer
• Think outside the box!
Exploit
Exploit
• The reality is…it’s much easier than that!
  • No 0-days necessary!
    • Macros
    • Java applets
    • EXE PDFs
Exploit
• Java Applet
  • Domain – $4.99/year
  • Hosting – $9.99/year
  • wget – Free!
  • Pwnage – Priceless!
• Macros
  • Base64 encoded payload
  • Convert to binary
  • Write to disk
  • Execute binary
  • Shell!
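A defender-side check for the macro chain listed above, added here as an example and not taken from the talk: it fuses the string concatenation a VBA macro uses to split a long literal, pulls out long base64 runs, decodes them and reports whether the result is a PE image (MZ header) and whether the macro also contains the write-to-disk and execute statements. The sample macro, its hypothetical `Decode` helper and the 200-character run threshold are constructed assumptions.

```python
import base64
import binascii
import re

# VBA glue that splits one long literal across lines (assumption: the two common forms,
#   x = "abc" & _ "def"      and      s = s & "abc" / s = s & "def").
CONCAT_GLUE = re.compile(r'"\s*&\s*_?\s*"')
APPEND_GLUE = re.compile(r'"\s*\n\s*(\w+)\s*=\s*\1\s*&\s*"')
# A base64 run long enough to carry a binary; the 200-char threshold is an assumption.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
# The last two steps of the chain on the slide: write bytes to disk (Put #), run them (Shell).
DROP_AND_RUN = re.compile(r"\bPut\s+#|\bShell\b", re.IGNORECASE)

def fuse_literals(src: str) -> str:
    """Join literals the macro concatenates, so a split payload becomes one base64 run."""
    return APPEND_GLUE.sub("", CONCAT_GLUE.sub("", src))

def find_embedded_pe(src: str) -> list:
    """One finding per long base64 run; is_pe is True when it decodes to an MZ image."""
    findings = []
    for match in B64_RUN.finditer(fuse_literals(src)):
        blob = match.group(0)
        try:
            raw = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue  # long alphanumeric run that is not valid base64
        findings.append({
            "b64_len": len(blob),
            "decoded_len": len(raw),
            "is_pe": raw[:2] == b"MZ",
            "drops_and_runs": bool(DROP_AND_RUN.search(src)),
        })
    return findings

# Constructed sample: a stand-in "executable" (MZ header plus filler bytes), base64-encoded
# and split into 60-character literals the way a dropper macro carries its payload.
_FAKE_PE = b"MZ" + b"\x90" * 400
_B64 = base64.b64encode(_FAKE_PE).decode()
SAMPLE_MACRO = (
    'Sub AutoOpen()\n    Dim s As String\n    s = ""\n'
    + "".join(f'    s = s & "{_B64[i:i + 60]}"\n' for i in range(0, len(_B64), 60))
    + '    Open Environ("TEMP") & "\\drop.exe" For Binary As #1\n'
    + '    Put #1, , Decode(s)\n    Close #1\n'  # Decode is a hypothetical helper
    + '    Shell Environ("TEMP") & "\\drop.exe"\nEnd Sub\n'
)
```

Run `find_embedded_pe` over the VBA source extracted from a document (for example with olevba); a hit with `is_pe` and `drops_and_runs` both true is the exact pattern the slide describes.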
Exploit
• The problem? A reliable payload!
  • Obfuscation
  • Firewalls
  • Antivirus
  • Proxies
Persist
Persist
• Separates the men from the boys!
• Custom, custom, custom!
• Nothing good out there…
  • Meterpreter – OSS
  • Core Impact – Commercial
  • Poison Ivy – Private
  • DarkComet – Private
  • Who’s going to trust these?
Persist
• How?
  • Registry
  • Service
  • Autorun
  • Startup folder
  • DLL hijacking
• What?
  • Beaconing backdoor
  • Stealthy
  • Blend with the noise
  • Modular
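The blue-team counterpart to the "beaconing backdoor" above, added here as an example and not taken from the talk: a timer-driven implant contacts its server at near-constant intervals, so scoring each client/host pair in a proxy log by the spread of its inter-contact gaps separates it from the irregular, user-driven browsing it tries to blend with. The log format, the hosts and the sample lines are constructed assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

def _constructed_log() -> list:
    """Constructed proxy lines '<ISO time> <client> <host>'; not real traffic."""
    base = datetime(2023, 3, 1, 9, 0, 0)
    lines, t = [], 0
    # One host is contacted about every 300 s with a little jitter: the beacon pattern.
    for jitter in (0, 3, -2, 5, 1, -4, 2, 0, 3, -1):
        t += 300 + jitter
        lines.append(f"{(base + timedelta(seconds=t)).isoformat()} 10.0.0.5 updates.example")
    t = 0
    # Another host is contacted at irregular, user-driven intervals: the noise.
    for gap in (7, 140, 2, 900, 35, 410, 4, 1800, 60, 9):
        t += gap
        lines.append(f"{(base + timedelta(seconds=t)).isoformat()} 10.0.0.5 news.example")
    return sorted(lines)

SAMPLE_LOG = _constructed_log()

def group_by_pair(lines: list) -> dict:
    """Map (client, host) -> list of contact times."""
    pairs = defaultdict(list)
    for line in lines:
        ts, src, dst = line.split()
        pairs[(src, dst)].append(datetime.fromisoformat(ts))
    return pairs

def beacon_score(times: list, min_events: int = 8):
    """Return (median gap in seconds, coefficient of variation of the gaps), or None if
    there are too few events. A timer-driven implant yields a small coefficient."""
    if len(times) < min_events:
        return None
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    if mean == 0:
        return None  # all events share one timestamp: a burst, not a beacon
    return statistics.median(gaps), statistics.pstdev(gaps) / mean

def find_beacons(lines: list, max_cv: float = 0.1, min_events: int = 8) -> list:
    """Return (client, host, median_gap, cv) for pairs whose timing is regular enough to flag."""
    hits = []
    for (src, dst), times in group_by_pair(lines).items():
        score = beacon_score(times, min_events)
        if score and score[1] <= max_cv:
            hits.append((src, dst, round(score[0]), round(score[1], 3)))
    return hits
```

Implants that add large random jitter raise the coefficient of variation, so `max_cv` is a tuning knob, and legitimate timer-driven traffic (update checks, monitoring agents) will also score low; rank hits by how rare the destination is across the fleet before chasing them.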
Repeat?!
Conclusion
• Old methodology is busted!
• Compliance != Secure
• It’s not practice makes perfect…