let’s play the game. - zenk - security - repository
Let’s play the game. Yet another way to perform penetration test. Russian “red team exercise” experience from QIWI.
Kirill ‘isox’ Ermakov
#: whoami?
• Known as ‘isox’
• Web penetration tester
• QIWI CTO/CISO
• Member of “hall-of-fames” (Yandex, Mail.ru, Apple, and so on)
• JBFC participant ^___^
Captain obvious
• Penetration testing
• Just a way to check your security controls
• “Fast and dirty assessment”
• Performed by qualified specialists
• Part of PCI DSS certification, as an example
• Independent security review
• Need2do for security-aware companies
Traditional approach
• Single team (2-5 members)
• External, internal and social-technology
• Restricted vectors and scenario
• Attackers whitelist
• No private information about a target
• Social attacks are often prohibited
• Limited attacks daytime
Pentester point of view
• Target-independent work scenario
• 1/3 time for well known vectors
• 1/3 time for new research
• 1/3 time for automated scanners
• No physical security bypass
• Limited social attacks
• Same story every time
Red team exercise
• They call it “Red-team”:
  • Security team is not notified
  • Trying to simulate “real” attack
  • Still a lot of restrictions and limits
  • One team
  • No information about the internals
Anyway coverage is not enough
• Blind zones
• Time limits
• Does not use all available vectors
• Too accurate and ethical
• Does not really look like a real hackers’ attack
• Pentest team has insufficient resources
Hack me plz!
• Let’s make a big (dream?) team
• Let them work on their own!
• No more “secret pentest technique”
• Forget “don’t attack that” and “don’t brute force us after 6 PM”
• Scope = everything
  • Not kidding. Really everything.
• No preparations from security team
No restrictions
• Social attacks
• Malware
• Account brute force
• 0days
• Night/weekend attacks
• Physical penetration
• DOS
• Drop-devices
• Personal devices hijack
• Employee bribe
Let there be an insider
• Sharing private information
• Network map
• Critical assets
• Security specialist as insider
• Hints and advice
Deep penetration
• Physical security bypass
• Drop-devices:
  • Wi-Fi and LAN back connects
  • Cable manipulations
  • USB Flash with malware
• Live social engineering
• Stealing laptops/pads/phones
Security reactions
• Security team awareness check
• Real incident investigation
• Bans and account lockouts
• Live system tuning
• Cooperation with physical security
• Logs, cameras, events and a lot of fun!
Challenge and goals
• For penetration team:
  • Application or SYS account for DB
  • AD enterprise administrator account
  • *nix root/admin account
  • Access to any critical system
• For security team:
  • Defend your home
And there is only one rule: no rules
QIWI Red Team Exercise
• Attackers: #ONSEC & #DSEC
• Defenders: #QIWI security team
• Insider: CISO (me)
• Timeline: 2.5 months
• Attack goal:
  • SYSDBA, root, Enterprise Administrator
• Security team goal:
  • Notice at least 90% of attacks and intrusions
  • Defend
Weeks of pain
• 7 social attacks in 2 weeks
• A few “emergency” situations
• System crashes
• Ordinary users butthurt:
  • Locked accounts
  • Spam/phishing emails
  • Viruses
• Malware investigations
Really cool vectors
• Successful office building intrusion
• Wi-Fi’ed and LAN’ed laptops as gateways
• MacOS X domain issues
• Smart House hacking
• Power Supply takeover
• Compiling dsniff for DVR
…even more in @d0znpp presentations
And we lost this game
• System accounts were compromised
• Social engineering as the best attack vector
• SSH access to security team member’s Macbook
• Downloaded dumps of network devices with password hashes
• Tons of successful brutes
Successful vector
• Gained credentials using social engineering
• Loss of isolation in guest Wi-Fi network
• Laptops connected both to cable networks and Wi-Fi
• Bad MacOS Active Directory configuration, allowing any AD account to connect using SSH
• Keeping sensitive data plaintext in ~/
• Insufficient monitoring of the office traffic
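The SSH misconfiguration in the vector above (any directory account allowed to log in, credentials obtained by social engineering and brute force) is something a defender can catch with a config audit before an exercise does. The following checker is an added example written for this page, not code from QIWI or the speaker; it parses an OpenSSH `sshd_config` the way `sshd` does in the common case (first occurrence of a keyword wins, `#` comments ignored) and flags a host that has no `AllowUsers`/`AllowGroups`/`Deny*` restriction, still accepts passwords, or permits root login. Both configs are constructed samples, one weak and one hardened, and the finding codes are this example's own.

```python
"""Audit an OpenSSH sshd_config for over-permissive login settings.

Added example for this page (not the project's or speaker's code).
Finding codes and the two sample configs below are constructed here.
"""
import re

# Constructed sample: the shape of the macOS vector described on the slide.
# Any account the host can authenticate (including every AD account) may log
# in with a password, and root login is open.
WEAK_SSHD_CONFIG = """\
Port 22
PasswordAuthentication yes
PermitRootLogin yes
#AllowGroups ssh-admins
"""

# Constructed sample: keys only, one explicit group, no root login.
HARDENED_SSHD_CONFIG = """\
Port 22
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
AllowGroups ssh-admins
"""

# sshd's documented defaults for the keywords this checker evaluates
# (see sshd_config(5)); a config that omits them inherits these values.
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}

# Any one of these directives restricts which accounts may log in at all.
ACCOUNT_RESTRICTIONS = {"allowusers", "allowgroups", "denyusers", "denygroups"}


def parse_sshd_config(text):
    """Return the effective global keyword -> value map (keywords lowercased).

    Simplified sshd semantics: keywords are case-insensitive, '#' starts a
    comment, 'keyword value' or 'keyword=value' are both accepted, and the
    FIRST occurrence of a keyword wins. Parsing stops at the first 'Match'
    block, whose conditional overrides this checker does not model.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        effective.setdefault(keyword, value)
    return effective


def audit_sshd_config(text):
    """Return a list of (code, message) findings; an empty list means clean."""
    cfg = parse_sshd_config(text)
    findings = []

    if not ACCOUNT_RESTRICTIONS.intersection(cfg):
        findings.append((
            "NO_ACCOUNT_RESTRICTION",
            "no AllowUsers/AllowGroups/DenyUsers/DenyGroups: every account the "
            "host can authenticate, including every directory account, may log in",
        ))

    if cfg.get("passwordauthentication", DEFAULTS["passwordauthentication"]) == "yes":
        findings.append((
            "PASSWORD_AUTH",
            "PasswordAuthentication is enabled: phished or brute-forced "
            "passwords are enough to log in; prefer key-based auth",
        ))

    if cfg.get("permitrootlogin", DEFAULTS["permitrootlogin"]) == "yes":
        findings.append((
            "ROOT_LOGIN",
            "PermitRootLogin yes: root can log in directly with a password",
        ))

    return findings


if __name__ == "__main__":
    for name, config in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"[{name}]")
        for code, message in audit_sshd_config(config) or [("OK", "no findings")]:
            print(f"  {code}: {message}")
```

Running the block prints three findings for the weak config and `OK` for the hardened one. On macOS specifically, membership in the `com.apple.access_ssh` group (the "Remote Login" allowed-users list) also gates SSH logins and is not visible in `sshd_config`, so a directory-bound Mac should be checked on both layers: the file above and that group's membership.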
Results
• Better than one-team classics
• Simulates near-real hacker attacks
• Excellent scope fulfilment
• Testing security as it is, not as it wants to be
• You will be disappointed in your security toys
• ‘Little’ bit expensive
• Systems will crash sometimes
See ya!
• Thanks to @videns for a good trip to the Troopers
• Thanks to #DSEC and #ONSEC for a great job
• Apologies to my security team for these two and a half months of hell
• Any questions?
• Contact: [email protected]