TRANSCRIPT
Daniel Bohannon
@danielhbohannon
Getting Into InfoSec via Open Source
bash$ who""am''{i..i}
• Daniel Bohannon
• Title :: Principal Applied Security Researcher
• Team :: Advanced Practices Team @Mandiant/@FireEye
• Twitter :: @danielhbohannon
• Blog :: http://danielbohannon.com
COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
My Career Stack Dump
W: java.lang.Throwable: stack dump
W: at school(undergrad.CompSci:2006-2010)          University of Georgia
W: at job.First(DBadmin:2010-2015)
W: at school(masters.InfoSec:2011-2013)            Georgia Institute of Technology
W: at job.Second(IncidentResponder:2015-2017)      Mandiant, consulting branch of FireEye
W: at job.Second(SecurityResearcher:2017-Present)  FireEye
Sep 2016 – DerbyCon
Apr 2017 – x33fcon
Jul 2017 – Black Hat USA
Mar 2018 – Black Hat Asia
Oct 2018 – BruCON, WORKSHOP: Developing Resilient Detections (with Obfuscation & Evasion in Mind)
GET /user/goals
• Share my research at conferences while learning from others
• Keep writing and releasing open source code
• BUT…focus more on:
  • TEACHING & TRAINING others
  • w/o costly conference admission
  • LOCAL to the attendees
  • Somewhere COMMUNITY is already happening with shared VISION
POST /query?community=hackerspace
• https://hackaday.io/prishtinahackerspace
• https://www.flossk.org/img/logo.png
• https://oscal.openlabs.cc/oscal17_color_vertical_noyear_rgb_1200_1107/
• https://www.patreon.com/OpenLabsAlbania
OUTLINE
bash$ ls -l
total 4
drwxrwxrwx 4 root Offense (Red Team)
drwx------ 4 root Defense (Blue Team)
drwxrw-rw- 4 root Open Source
drw-rw-rw- 4 root Q&A + Brainstorming
bash$ ls -l *Offense*
bash$ unrar x -e ./offense/
• define:hacking
  • /ˈhakiNG/ noun
  • the gaining of unauthorized access to data in a system or computer.
• define:hacker
  • /ˈhakər/ noun
  • a person who uses computers to gain unauthorized access to data.
• Intention & WRITTEN authorization are the deciding factors
bash$ ls -l ./offense/README.txt
• Attack Lifecycle: https://www.fireeye.com/content/dam/fireeye-www/blog/images/WMIvsWMI%20tim%20parisi/Fig1.png
bash$ ls -l ./offense/RECON
• OSINT – Open Source INTelligence (passive vs active)
• Fingerprint the target’s:
  • Business model (architecture, ethos, recent business news, etc.)
  • Technology stacks
    • Determine tech & version → Exploit-DB.com → execute exploit
    • Search for tech partnerships (“<product> proudly used by <target>”)
    • LinkedIn employees’ skills & experience
    • Job posting requirements & preferred experience
    • Internet scans (Shodan, Censys, etc.) & Google Dorking (https://www.shodan.io/)
  • People
    • Social Media
      • Vacation dates, personal & professional associations
      • Future connecting points like hobbies, taste in clothing, favorite band, etc.
      • Photo metadata
    • Physical Eavesdropping
      • Frequenting the same coffee shop as the target’s employees
    • Job posting requirements & preferred experience
• Chris Hadnagy (@humanhacker) → social-engineer.org podcast
  • https://www.youtube.com/watch?v=PWVN3Rq4gzw
bash$ ls -l ./offense/COMPROMISE
• Initial code execution in the target’s environment
  • RCE – Remote Code Execution
    • SQL Injection in mobile or web application
    • https://www.hacksplaining.com/exercises/sql-injection#
  • Phishing (and Spear Phishing, Vishing, Smishing, etc.)
  • Physical access
    • Teensy, Raspberry Pi implant, USB drop in parking lot
• How can you easily generate code to exploit a vulnerability on another computer?
  • Open source tools, frameworks and entire distros!
• RATs (Remote Access Tools)
  • Meterpreter / Metasploit Project (Ruby) [Free & paid versions]
  • Empire (PowerShell) / EmPyre (Python) [100% open source]
  • Cobalt Strike [Closed source & paid]
• Payload generators
  • Social Engineering Toolkit (100% open source)
  • Unicorn (100% open source)
  • Veil (Python) (100% open source)
  • DotNetToJScript, SharpShooter, CactusTorch
• Complete distro: Kali Linux (free) https://www.kali.org/
bash$ cat ./offense/RESOURCES | grep “continued learning”
• Red team hacking or penetration testing
  • https://www.kali.org/ (Kali Linux distro) + https://kali.training/lessons/introduction/
• CTF (Capture the Flag) – problem solving, onsite & online versions
  • https://www.root-me.org/ (best place to start)
  • https://vulnhub.com (more advanced, but walkthrough videos are fun)
• Bug Bounty – bug squashing for $$$
  • https://bugcrowd.com
• ANYTHING security-related – free video-based training
  • https://www.cybrary.it/
bash$ ls -l *Defense*
bash$ unrar x -e ./defense/
• Just like offense, defense has MANY different areas (technical & non-technical)
  • Secure coding practices
  • Logging configurations
  • Detection development
  • SOC (Security Operations Center)
  • DFIR (Digital Forensics & Incident Response)
  • Policy creation and enforcement
  • Personal data privacy & online safety advocates
bash$ ls -l ./defense/
• Secure coding practices
  • SQL injection example
  • Train developers about common vulnerabilities and secure coding practices
  • Develop software for live code auditing to detect common vulnerabilities as code is being developed
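The three "Secure coding practices" bullets, worked as an added example (this is not code from the talk or from any project it names): the SQL injection case as a vulnerable login query beside its parameterized fix, plus a small AST-based audit of the kind the "live code auditing" bullet describes, which flags execute() calls whose statement is assembled at run time. The users table, the injection payload and the audited snippet are all constructed here for the demo.

```python
"""Added example, not from the slides: vulnerable vs. parameterized SQL, and a
coarse static check that flags dynamically built SQL statements."""
import ast
import sqlite3


def build_db():
    # Constructed sample data: one user in an in-memory SQLite database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return conn


def login_vulnerable(conn, username, password):
    # Interpolating user input into the statement lets that input change the
    # SQL grammar, so the caller can rewrite the password check itself.
    row = conn.execute(
        f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    ).fetchone()
    return row[0] > 0


def login_safe(conn, username, password):
    # Placeholders: the driver binds the values as data, never as SQL text.
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] > 0


def find_dynamic_sql(source):
    """Return the line numbers of execute()/executemany() calls whose statement
    is built at run time (f-string, % or + operators, str.format) instead of
    being a constant. Coarse, but it catches the pattern in login_vulnerable."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        if not (isinstance(node.func, ast.Attribute)
                and node.func.attr in ("execute", "executemany")):
            continue
        stmt = node.args[0]
        dynamic = (
            isinstance(stmt, ast.JoinedStr)
            or (isinstance(stmt, ast.BinOp) and isinstance(stmt.op, (ast.Add, ast.Mod)))
            or (isinstance(stmt, ast.Call)
                and isinstance(stmt.func, ast.Attribute)
                and stmt.func.attr == "format")
        )
        if dynamic:
            findings.append(node.lineno)
    return sorted(findings)


# Constructed snippet for the audit: lines 2 and 3 are unsafe, line 4 is safe.
SNIPPET = (
    "def lookup(cur, name):\n"
    "    cur.execute(\"SELECT * FROM users WHERE name = '%s'\" % name)\n"
    "    cur.execute(\"SELECT * FROM users WHERE name = '\" + name + \"'\")\n"
    "    cur.execute(\"SELECT * FROM users WHERE name = ?\", (name,))\n"
)


def demo():
    conn = build_db()
    payload = "' OR '1'='1"  # the textbook tautology used in the hacksplaining exercise
    return {
        "valid_vulnerable": login_vulnerable(conn, "alice", "correct horse"),
        "valid_safe": login_safe(conn, "alice", "correct horse"),
        "injected_vulnerable": login_vulnerable(conn, "alice", payload),
        "injected_safe": login_safe(conn, "alice", payload),
        "audit_findings": find_dynamic_sql(SNIPPET),
    }


if __name__ == "__main__":
    print(demo())
```

With the wrong password the vulnerable function still returns True, because the interpolated text turns the WHERE clause into `... AND password = '' OR '1'='1'`; the parameterized version returns False for the same input. The audit only looks at the expression passed directly to execute(), so a statement assembled into a variable first would slip past it; a real tool tracks assignments, which is why the training bullet matters as much as the tooling one.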
bash$ ls -l ./defense/
• Configure logs NOW so you have them when you need them ☺ (which is ALSO now)
  • Collecting bash_history
  • FIM (File Integrity Monitoring) for web servers’ world-readable directories (to detect changes that could be webshells)
  • Monitor sudoers file modifications
  • Configure auditd logging
    • auditd is the access monitoring and accounting subsystem for Linux, developed and maintained by Red Hat.
• Centralize the collection of the logs
  • HELK – Hunting ELK (Elasticsearch, Logstash, Kibana)
  • https://github.com/Cyb3rWard0g/HELK
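The FIM bullet above, worked as an added example (not code from the talk or from any FIM product): a baseline-and-compare routine that hashes every file under a web root and reports what was added, modified or removed since the baseline, which is exactly the change an unexpected file in an upload directory would produce. The web root, its files and the later changes are constructed in a temporary directory so it runs offline.

```python
"""Added example, not from the slides: minimal file integrity monitoring by
SHA-256 baseline and comparison over a directory tree."""
import hashlib
import os
import tempfile


def hash_tree(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            digests[rel] = digest
    return digests


def diff_baseline(baseline, current):
    """Compare two hash_tree() snapshots; sorted lists keep the report stable."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current)
                           if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a web root, then a file appears in the
    upload directory, a page is edited and another is deleted."""
    with tempfile.TemporaryDirectory() as webroot:
        os.makedirs(os.path.join(webroot, "uploads"))
        with open(os.path.join(webroot, "index.html"), "w") as fh:
            fh.write("<h1>hello</h1>")
        with open(os.path.join(webroot, "about.html"), "w") as fh:
            fh.write("<p>about</p>")
        baseline = hash_tree(webroot)

        # Later changes that FIM should report. The PHP file is a constructed
        # placeholder standing in for "a file nobody deployed", nothing more.
        with open(os.path.join(webroot, "uploads", "unexpected.php"), "w") as fh:
            fh.write("<?php /* constructed placeholder */ ?>")
        with open(os.path.join(webroot, "index.html"), "w") as fh:
            fh.write("<h1>hello?</h1>")
        os.remove(os.path.join(webroot, "about.html"))
        return diff_baseline(baseline, hash_tree(webroot))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline is stored off the host (or at least outside the monitored tree) and refreshed only as part of a deployment, so that a change which is not explained by a deployment is the alert; the same routine applied to /etc/sudoers covers the "monitor sudoers file modifications" bullet.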
bash$ ls -l ./defense/
• Detection development
  • Host/Endpoint – YARA (https://github.com/VirusTotal/yara)
  • Network – Snort (https://github.com/snort3/snort3)
  • Distro – Security Onion (https://github.com/Security-Onion-Solutions/security-onion)

happyHacker.snort
# sid/rev added: a rule needs a SID to load cleanly, and 1000000+ is the local range
alert tcp any any -> any any (msg:"HAPPY HACKER"; content:"This hackerspace is great!"; depth:1000; nocase; sid:1000001; rev:1;)

happyHacker.yara
// rule identifiers cannot contain spaces, so "HAPPY HACKER" becomes HAPPY_HACKER
rule HAPPY_HACKER {
    strings:
        $coolComment = "This hackerspace is great!" nocase
        $lameComment = "Coffee is bad." nocase
    condition:
        $coolComment and not $lameComment
}
bash$ ls -l ./defense/
• SOC (Security Operations Center)
  • Responding to alerts and investigating malicious activity in your environment
  • “Hunting” through data sets to find malicious activity
  • Developing run books and documentation for handling alerts
  • Documenting everything you do ☺ (usually in a ticketing system)
bash$ ls -l ./defense/
• DFIR (Digital Forensics & Incident Response)
  • Forensic imaging of hard drives (data acquisition)
  • Forensic analysis
    • Distro: SIFT Workstation (https://digital-forensics.sans.org/community/downloads)
  • Live triaging of suspicious activity
    • Active hunting through live data
      • List running processes
      • grep the bash_history file for historical commands
      • Query and group all network connections
    • osquery: https://github.com/facebook/osquery
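The "query and group all network connections" triage step, worked as an added example (not code from the talk or from the osquery project). It groups the rows an osquery query returns so that the triage view is "which process talks to which remote host, how often, from which PIDs" rather than one line per socket. The JSON below is constructed to look like `osqueryi --json` output for an assumed query joining process_open_sockets to processes on pid; the grouping is done in Python so the same code works on a saved export from a host you cannot reach interactively.

```python
"""Added example, not from the slides: grouping osquery socket rows by process
and remote address during live triage."""
import json
from collections import Counter, defaultdict

# Constructed sample rows, shaped like the output of this assumed query:
#   SELECT p.name, s.pid, s.remote_address, s.remote_port, s.state
#   FROM process_open_sockets s JOIN processes p USING (pid);
# Addresses are from the documentation ranges (RFC 5737).
OSQUERY_JSON = json.dumps([
    {"name": "nginx",   "pid": "812",  "remote_address": "203.0.113.5",  "remote_port": "52110", "state": "ESTABLISHED"},
    {"name": "nginx",   "pid": "812",  "remote_address": "203.0.113.9",  "remote_port": "52204", "state": "ESTABLISHED"},
    {"name": "nginx",   "pid": "813",  "remote_address": "203.0.113.5",  "remote_port": "52118", "state": "ESTABLISHED"},
    {"name": "sshd",    "pid": "401",  "remote_address": "198.51.100.7", "remote_port": "61022", "state": "ESTABLISHED"},
    {"name": "python3", "pid": "2231", "remote_address": "198.51.100.7", "remote_port": "8443",  "state": "ESTABLISHED"},
    {"name": "python3", "pid": "2231", "remote_address": "0.0.0.0",      "remote_port": "0",     "state": "LISTEN"},
])


def group_connections(raw_json, only_state="ESTABLISHED"):
    """Group rows by (process name, remote address); busiest pairs first.
    only_state=None keeps every row, including listeners."""
    counts = Counter()
    pids = defaultdict(set)
    for row in json.loads(raw_json):
        if only_state and row.get("state") != only_state:
            continue
        key = (row["name"], row["remote_address"])
        counts[key] += 1
        pids[key].add(int(row["pid"]))
    return [
        {"name": name, "remote": addr, "connections": n, "pids": sorted(pids[(name, addr)])}
        for (name, addr), n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    ]


def hosts_per_process(raw_json):
    """Distinct remote hosts each process has an established connection to."""
    hosts = defaultdict(set)
    for row in json.loads(raw_json):
        if row.get("state") == "ESTABLISHED":
            hosts[row["name"]].add(row["remote_address"])
    return {name: sorted(addrs) for name, addrs in hosts.items()}


if __name__ == "__main__":
    for entry in group_connections(OSQUERY_JSON):
        print(entry)
    print(hosts_per_process(OSQUERY_JSON))
```

Reading the grouped output is the triage: a web server with many connections to many hosts is expected, while an interpreter such as python3 holding a connection to the same host that sshd is talking to is the kind of pairing an analyst pivots on next (who owns that PID, what command line, what does bash_history say around that time).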
bash$ ls -l ./defense/
• Policy creation and enforcement
  • Log management & retention
  • Password complexity and aging enforcement
  • Mandatory security training
• Personal data privacy & online safety advocates
  • Phishing training
  • HTTP vs HTTPS, VPN usage, TOR routing
  • Password managers & 2FA/MFA (2-Factor Authentication, Multi-Factor Authentication)
    • KeePass – audited by the EU Free and Open Source Software Auditing project (EU-FOSSA)
    • andOTP (open source)
bash$ unrar x -e ./open_source/
• A GREAT way to get into the InfoSec community is through CONTRIBUTING to open source projects!
  • Documentation (most hackers are bad at documentation, wikis, etc.)
  • Small bug fixes (or adding language-specific or regional compatibility)
    • Porting from Python 2.7 to Python 3.4
    • Porting from PowerShell to Python
  • Writing blog posts or walkthrough guides for using an open source security tool
  • MERGING two tools ☺
    • @cobbr_io (Ryan Cobb) merged Invoke-Obfuscation and Empire
bash$ cat ./shutdown.sh
• Faleminderit shumë (Thank you very much)!!!
• Daniel Bohannon
• Twitter :: @danielhbohannon
• Blog :: http://danielbohannon.com
• Github: https://github.com/danielbohannon/
• Please feel free to ask me ANYTHING, ANYTIME, ANYWHERE