How I “Pwn” Your Network
TRANSCRIPT
Page 1: How I “Pwn” Your Network
How I “Pwn” Your Network: A Chat with a Social Engineer and
Facility Breach Expert
Kai Axford
<Insert lots of letters and stuff here>
Page 2
**DISCLAIMER**
All demonstrations are examples of techniques currently used in social engineering and facility breach exercises, with express permission from the client, by trained professionals.
Do not try this at home.
Page 3
“It’s increasingly harder to break in on the external perimeter; adaptation occurs towards our weakest link, the human element.”
- Dave Kennedy (ReL1K), Developer of the Social Engineering Toolkit (SET)
Page 4
• Why would I fight your:
– Security Information and Event Management (SIEM)
– Anti-Virus
– HIPS/NIPS/IPS/IDS
– Web Application Firewalls
– Secure Coding Practices
– Patch Management
• Why would I fight everything you’ve built into your entire security program… when I can just walk in and take your data?
Page 5
We exploit the gap between:
Page 6
Corporate Security
Information Security
Page 7
Network
Web Applications
Wireless
Facility
Users
Page 8
• Google-Fu + Bing-Fu => FTW!
– Facility layout and surroundings
– Job openings
– Telco providers
• Corporate website - Investor relations, corporate officers, contact info, etc.
• Social networking sites (LinkedIn, Facebook, Twitter, etc.)
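Putting the pieces above together, as an added example that is not from the deck: the script below takes constructed, fictional scraps (a contact page, a few social-networking profile lines and a job posting for a made-up Example Corp at example-corp.com) and does what the reconnaissance phase actually does with them. It learns the company’s email naming convention from the handful of published addresses, predicts addresses for the IT staff who published only their names and titles, and pulls the defensive product names out of the job posting for use in a pretext. The line formats the parsers expect and the keyword watch list are assumptions tied to that constructed input.

```python
"""Turning public scraps into a spear-phishing target list.

Added example, not part of the original deck. Every input below is
constructed and fictional (Example Corp, example-corp.com, invented
people); the parsers assume the simple line formats of that constructed text.
"""
import re
from collections import Counter

# Constructed: a corporate "contact us" / investor-relations page that
# publishes a few names together with their real addresses.
CONTACT_PAGE = """
Jane Q. Doe, Chief Financial Officer - jane.doe@example-corp.com
Robert Smith, VP Communications - robert.smith@example-corp.com
Priya Natarajan, Investor Relations - priya.natarajan@example-corp.com
General inquiries - info@example-corp.com
"""

# Constructed: what IT staff volunteer on social networking profiles.
# Titles and technologies, but no addresses.
PROFILES = """
Alan Turing - Senior Systems Administrator at Example Corp, runs the Exchange and Active Directory environment
Grace Hopper - Help Desk Lead at Example Corp, password resets and new-hire onboarding
Linus Benedict - Network Engineer at Example Corp, Cisco ASA, Palo Alto and Aruba wireless
"""

# Constructed: a job posting that spells out the defensive stack.
JOB_POSTING = """
Security Analyst wanted. Must know ArcSight SIEM, McAfee ePO, Cisco ASA
firewalls and Windows 7 / Exchange 2010. Apply: careers@example-corp.com
"""

# Assumption: an analyst-maintained watch list of product names worth knowing
# before a pretext call ("I'm calling about the ArcSight upgrade...").
TECH_KEYWORDS = ["ArcSight", "McAfee ePO", "Cisco ASA", "Palo Alto", "Aruba",
                 "Exchange", "Active Directory", "Windows 7"]

# Common corporate address conventions; the votes below pick the one in use.
SCHEMES = {
    "first.last": lambda f, l: f"{f}.{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "firstl":     lambda f, l: f"{f}{l[0]}",
    "first_last": lambda f, l: f"{f}_{l}",
    "lastfirst":  lambda f, l: f"{l}{f}",
    "first":      lambda f, l: f,
}


def split_name(full_name):
    """'Jane Q. Doe' -> ('jane', 'doe'); middle names and initials are dropped."""
    parts = [p.strip(".") for p in full_name.split()]
    return parts[0].lower(), parts[-1].lower()


def parse_contact_page(text):
    """Lines of the form 'Name, Title - address'; lines without a name are skipped."""
    people = []
    for line in text.strip().splitlines():
        m = re.match(r"^(.+?),\s*(.+?)\s+-\s+([\w.+-]+@[\w.-]+)$", line.strip())
        if m:
            people.append({"name": m.group(1), "title": m.group(2),
                           "email": m.group(3).lower()})
    return people


def parse_profiles(text):
    """Lines of the form 'Name - Title at Company, free text'."""
    people = []
    for line in text.strip().splitlines():
        name, _, rest = line.partition(" - ")
        title, _, detail = rest.partition(", ")
        people.append({"name": name.strip(), "title": title.strip(), "detail": detail})
    return people


def infer_scheme(known):
    """Vote each known (name, address) pair against the candidate schemes."""
    votes = Counter()
    for p in known:
        first, last = split_name(p["name"])
        local = p["email"].split("@", 1)[0]
        for scheme, build in SCHEMES.items():
            if build(first, last) == local:
                votes[scheme] += 1
    return votes.most_common(1)[0][0] if votes else None


def extract_tech(*texts):
    """Case-insensitive keyword hits across all supplied text."""
    blob = " ".join(texts).lower()
    return sorted(k for k in TECH_KEYWORDS if k.lower() in blob)


def build_target_list(contact_text, profile_text, job_text):
    """Known addresses give the scheme and domain; profiles give the names to target."""
    known = parse_contact_page(contact_text)
    scheme = infer_scheme(known)
    domain = Counter(p["email"].split("@", 1)[1] for p in known).most_common(1)[0][0]
    targets = []
    for p in parse_profiles(profile_text):
        first, last = split_name(p["name"])
        guess = f"{SCHEMES[scheme](first, last)}@{domain}" if scheme else None
        targets.append({"name": p["name"], "title": p["title"], "guessed_email": guess})
    return {"scheme": scheme, "domain": domain, "targets": targets,
            "tech": extract_tech(job_text, profile_text)}


if __name__ == "__main__":
    result = build_target_list(CONTACT_PAGE, PROFILES, JOB_POSTING)
    print(f"address scheme: {result['scheme']} @ {result['domain']}")
    for t in result["targets"]:
        print(f"  {str(t['guessed_email']):<35} {t['name']} ({t['title']})")
    print("defensive stack seen in public text:", ", ".join(result["tech"]))
```

None of the three inputs is sensitive on its own; the target list only exists because the contact page, the profiles and the job posting were combined, which is the point the deck makes later under its safety tip.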
Page 9
Social Engineer’s Toolkit (SET)
• A toolkit “specifically designed to perform advanced attacks against the human element”, built on top of the Metasploit Framework (MSF).
– Developed by David Kennedy (ReL1K)
• Will conduct the following attacks:
– Spear-Phishing – Spoof or utilize already established email addresses to do spear-phishing attacks with file format attack vectors.
– Web Attacks – Multiple attack vectors including Java applet, client-side exploits, tabnabbing, man left in the middle, and the credential harvester.
– Infectious Media Generator – Creates a CD/DVD which allows you to deploy MSF payloads in a simple autorun.
– Arduino / Teensy USB HID Attack Vector – Multiple payload selection for the USB keyboard HID attacks.
– And so much more!
Page 10
DEMO: BackTrack 5
Page 11
Breaking In: For us, it’s all about style…
• Numerous ways to accomplish my goals:
– Technical and Non-Technical methods
– Point and Area Targets
• Point Targets – Targeting an individual
– This means YOU!
– Phone, email, social networking, face-to-face
• Area Targets – Targeting a site
– Tailgating, baiting, “Red Team” exercise, lockpicking, dumpster diving, etc.
Page 12
Point Targets
Page 13
Phone Domination
• Let’s have a listen…
Page 14
DEMO: Spoof Card
Page 15
• Social networking is my dream and your nightmare.
• TMI = Too Much Information about you and your company.
• Why do IT guys like to just “tell it all” on these sites?
Page 16 (image only)
Page 17
Face to Face
• Sometimes this is actually easier for a social engineer.
– Easier to gauge reaction.
– Harder to dismiss someone in front of you.
• Relies completely on the skill of the social engineer
– Must react to the situation immediately
– Know when to push and when to retreat
Page 18
Face to Face
• It’s not as easy as you think to avoid…
• Let’s take a look at what happens when you are successful…
Page 19
Area Targets
Page 20
• No lock is perfect
• Various types
– Pin Tumbler locks
– Wafer locks
– Cipher locks
– Code and card operated locks
– Padlocks
• Only a delaying mechanism
Page 21
DEMO: Lock Picking
Page 22
Tailgating
• A frequently used attack vector
• Why?
– It works and requires almost no skill
– (I bet you’ve used it before yourself!)
Page 23 (image only)
Page 24
DEMO: The PwnPlug
Page 25 (image only)
Page 26 (image only)
Page 27 (image only)
Page 28
Programmable HID USB Keystroke Dongle
• USB device that emulates a USB keyboard, so the host loads its own standard HID driver, and then types out commands (i.e. install malware, reverse shell, shut down A/V, etc.)
• Why do I use it?
– Types faster than I can, without errors
– Works even if autorun is disabled
– Draws less attention
– Can be set to go off on a timer… e.g. when my target is logged on
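Because the dongle’s advantage is that it types faster and more evenly than a person can, cadence is also what gives it away. The detector below is an added example, not the speaker’s material: it runs over constructed key events (seconds, device name, key) rather than a real input subsystem, and flags a device that sustains sub-human inter-key gaps with machine-like regularity, alongside the cheaper check of a keyboard that is not on the machine’s inventory. The device names, the inventory and the thresholds are assumptions.

```python
"""Spotting a keystroke-injection dongle by its typing cadence.

Added example, not from the original deck. The key events are constructed
(timestamp in seconds, device name, key) rather than read from a real OS
input subsystem, and the thresholds are assumptions a defender would tune.
"""
from statistics import mean, pstdev

HUMAN_MIN_GAP = 0.040   # s; 25 keys/s is beyond sustained human typing (assumption)
MIN_BURST = 20          # consecutive sub-human gaps before alerting (assumption)
MAX_JITTER = 0.005      # s; a firmware loop is metronomic, a hand is not (assumption)

# Assumption: the keyboards inventoried on this machine.
KNOWN_KEYBOARDS = {"Built-in AT keyboard"}


def make_events():
    """Constructed sample: one human typing, then a dongle enumerating as a second keyboard."""
    events = []
    t = 0.0
    # a person typing 30 keys, 150-310 ms apart, never perfectly regular
    human_gaps = [0.21, 0.17, 0.29, 0.15, 0.24, 0.31, 0.19, 0.22, 0.26, 0.18] * 3
    for i, gap in enumerate(human_gaps):
        t += gap
        events.append((round(t, 3), "Built-in AT keyboard", f"h{i}"))
    t = 60.0                       # about a minute later the dongle's timer fires
    for i in range(40):
        t += 0.010                 # 100 keys/s, perfectly even
        events.append((round(t, 3), "Generic USB HID Keyboard", f"d{i}"))
    return events


def unexpected_keyboards(events, known=KNOWN_KEYBOARDS):
    """Cheapest signal: a keyboard device that is not on the inventory."""
    return sorted({dev for _, dev, _ in events} - set(known))


def detect_injection(events, min_gap=HUMAN_MIN_GAP, min_burst=MIN_BURST,
                     max_jitter=MAX_JITTER):
    """One alert per device whose longest run of sub-human inter-key gaps reaches min_burst."""
    by_device = {}
    for ts, dev, _ in sorted(events):
        by_device.setdefault(dev, []).append(ts)
    alerts = []
    for dev, times in by_device.items():
        gaps = [b - a for a, b in zip(times, times[1:])]
        current, best = [], []
        for g in gaps:
            # extend the current run of fast keys, or reset it on a human-paced gap
            current = current + [g] if g < min_gap else []
            if len(current) > len(best):
                best = current
        if len(best) + 1 >= min_burst:
            alerts.append({
                "device": dev,
                "keys_in_burst": len(best) + 1,
                "mean_gap": round(mean(best), 4),
                "metronomic": pstdev(best) < max_jitter,
            })
    return alerts


if __name__ == "__main__":
    evs = make_events()
    print("keyboards not on inventory:", unexpected_keyboards(evs))
    for a in detect_injection(evs):
        print(f"{a['device']}: {a['keys_in_burst']} keys at {a['mean_gap']} s, "
              f"metronomic={a['metronomic']}")
```

On a real host the events would come from the OS input layer (Linux evdev, Windows raw input or device-install logs), and the preventive counterpart to this detection is refusing HID devices that are not on the inventory, for example with USBGuard on Linux or device-installation restrictions on Windows.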
Page 29
**Important Safety Tip**
An individual information gathering technique or attack vector is rarely successful. It is the combination of these techniques that makes this a credible threat to your infrastructure.
Page 30
Defeating the Social Engineer
Page 31
We’ll make this real simple…
1. What I love to see and hear
2. What I hate to see and hear
Page 32
What I LOVE to see and hear
• “You won’t get in… according to the audit committee… we’re compliant.”
• A contract security guard who is busy with non-security tasks
• “The Beige Plastic Gambit”
• Nice employees
• “The Cameraman of Security Theater”
Page 33
What I HATE to see and hear
• A nosy workforce with regular security awareness training
• Rapid and effective incident response
• Patch management that patches
• Physical Security Information Management (PSIM)
• Visitor management
• Turnstiles & Anti-Passback devices
• Tech controls that work, but aren’t sexy
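Several items on this list (visitor management, PSIM, turnstiles and anti-passback) are worth little unless someone actually looks at what the readers record. The script below is an added example, not from the deck: it runs the checks a PSIM would run over a constructed badge log (a simple CSV shape assumed for the example), catching an anti-passback violation, an exit by a badge that never badged in (the signature of a tailgater), and a burst of denials at a door the holder is not cleared for. The log, the door names and the thresholds are all assumptions.

```python
"""Anti-passback and tailgating indicators from badge-reader logs.

Added example, not from the original deck. The log below is constructed
in a simple CSV shape (timestamp,badge_id,door,direction,result); real
access-control or PSIM exports differ, so the parser is an assumption.
"""
import csv
from datetime import datetime
from io import StringIO

# Constructed sample for one day at a fictional site.
BADGE_LOG = """\
timestamp,badge_id,door,direction,result
2012-03-05T08:01:10,1001,Lobby-Turnstile-1,IN,GRANTED
2012-03-05T08:01:12,1002,Lobby-Turnstile-1,IN,GRANTED
2012-03-05T08:03:40,1001,Lobby-Turnstile-2,IN,GRANTED
2012-03-05T09:15:00,1003,Loading-Dock,OUT,GRANTED
2012-03-05T12:02:05,1002,Lobby-Turnstile-1,OUT,GRANTED
2012-03-05T12:40:11,1002,Lobby-Turnstile-1,IN,GRANTED
2012-03-05T13:00:00,1004,Server-Room,IN,DENIED
2012-03-05T13:00:06,1004,Server-Room,IN,DENIED
2012-03-05T13:00:15,1004,Server-Room,IN,DENIED
2012-03-05T17:30:00,1001,Lobby-Turnstile-1,OUT,GRANTED
"""


def parse_log(text):
    """CSV rows with the timestamp parsed, in time order."""
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["timestamp"] = datetime.fromisoformat(r["timestamp"])
    return sorted(rows, key=lambda r: r["timestamp"])


def find_passback_findings(rows):
    """Walk granted swipes in time order, tracking who the system believes is inside.

    - IN while already IN: classic anti-passback violation (card passed back,
      cloned, or shared).
    - OUT with no matching IN: the holder got in without badging, i.e. most
      likely tailgated through a door someone else opened.
    """
    inside = {}
    findings = []
    for r in rows:
        if r["result"] != "GRANTED":
            continue
        badge = r["badge_id"]
        if r["direction"] == "IN":
            if badge in inside:
                findings.append({"type": "anti-passback", "badge": badge, "door": r["door"],
                                 "at": r["timestamp"], "first_in": inside[badge]})
            inside[badge] = r["timestamp"]
        else:
            if badge not in inside:
                findings.append({"type": "exit-without-entry", "badge": badge,
                                 "door": r["door"], "at": r["timestamp"]})
            inside.pop(badge, None)
    return findings


def find_denial_bursts(rows, threshold=3, window_seconds=60):
    """Same badge refused at the same door `threshold` times within `window_seconds`
    (assumed thresholds): someone testing a door they are not cleared for."""
    denied = {}
    for r in rows:
        if r["result"] == "DENIED":
            denied.setdefault((r["badge_id"], r["door"]), []).append(r["timestamp"])
    findings = []
    for (badge, door), times in denied.items():
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                findings.append({"type": "denial-burst", "badge": badge, "door": door,
                                 "count": len(times), "at": times[i]})
                break
    return findings


def analyse(text):
    """All findings for one log, passback checks first, then denial bursts."""
    rows = parse_log(text)
    return find_passback_findings(rows) + find_denial_bursts(rows)


if __name__ == "__main__":
    for f in analyse(BADGE_LOG):
        print(f"{f['at']:%H:%M:%S}  {f['type']:<20} badge {f['badge']} at {f['door']}")
```

The exit-without-entry check is the one most organisations never run, yet it needs no extra hardware: a badge that leaves through a turnstile without ever having entered through one has already told you a door was held open for its holder.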
Page 34
Questions? Kai Axford, MBA-IA, CPP, CISM, CISSP, QSA
Director of Strategic Services
FishNet Security
Twitter: @kaiax33
Page 35
Resources
• Social-Engineer.org (http://www.social-engineer.org/)
• Hadnagy, Christopher. Social Engineering: The Art of Human Hacking. Wiley Publishing, 2011.
• PwnieExpress (http://pwnieexpress.com)
• Deviant Ollam’s lockpicking site (http://deviating.net/lockpicking/)
• BackTrack Linux (http://www.backtrack-linux.org/)
• Crenshaw, Adrian. “Programmable HID USB Keystroke Dongle: Using the Teensy as a pen testing device.” IronGeek.com (http://www.irongeek.com/i.php?page=security/programmable-hid-usb-keystroke-dongle)