Pages

Tuesday, August 13, 2013

BlackHat 2013 - Adaptive Red Team Tactics

I recently attended a fantastic training titled Adaptive Red Team Tactics put on by the Veris Group at BlackHat. Red Team is a term often used by white-hat hackers and the US army to describe a structured team built on challenging an organizations defenses and inner detection systems by attempting to infiltrate and move around undetected. This class took you through information gathering to spear phishing for credentials to eventually escalating to system privileges on the DC (domain controller) and from that point the sky was the limit. Eventually they showed they were able to manipulate the company's public web pages for the company, read ceo emails and rummage through anything and everything. Because of the nature of the attacks used all the attacks and activities they taught can be accomplished right under the nose of a security minded company with alerting systems in place.   

Tools

Here's a list of both free and commercialized tools used during the whole process. 
Tool
Uses
Free
MetasploitTool used for executing exploit codex
Cobalt StrikePenetration Test tool used to execute targeted attacks and take over systems
Veil AV Evasion ToolGenerates payloads that bypass antivirus tools.x
FOCAInformation gatheringx
MetagoofilInformation gathering from customer's websitex
theHarvester
Information gathering emails, usernames and hosts domains from public sources
x
Core Impact
Information gathering off LinkedIn
MaltegoInformation gathering focused on gathering email transforms
MimiKatzGather user credentials for a given machinex
The idea of a red team penetration (pen) test is to take a company that's unaware they are about to be attacked, gain entry into their systems and begin taking over one machine at a time and see what things they were able to do along the way without being detected. This helps the victim company measure many things like their defenses, levels of detection and effectiveness of response. Typically, a pen test consists of a handful of attackers with minimal knowledge about a system and provided around a month's time span to administer their tests.
  1. Where to start?
  2. The pen team usually will begin by spending a few days just gathering information. They will navigate: google searches, the victim company public sites, blogs, job listings, partner relationships, points of contact, resumes,  business articles, and of course social media sites. During this intel gathering they are trying find out things like who is part of the company and what their positions are. Possibly what events are relevant to the company and what partnerships have been recently created.  What a user email/username might look like and how its constructed.  In our class we noticed a recent company had been acquired by the main company we wanted to attack. We assumed the new company would lack security practices and would be a better means of gaining access and attacking the main company. 


  3. Intel Gathered, Now what

  4. After enough intelligence has been gathered they will begin attacking the company. This can vary based on what information is gain but usually it'll begin with a spear phishing attack. This may be targeted to a particular user or set of users. The more convincing the email sent the better response is given. On average 20-60% of companies will click on the malicious link placed in the phishing email. Recently emails talking about how IT will be installing new phone apps on company phones have created the best click rate.  In our class we quickly created convincing phishing emails with malicious links using Cobalt Strike and sent them out to a list of user emails we deduced based on member names and a few email listings. (example: Jsmith@company.com we concluded their emails were first letter in first name followed by last name)

  5. Basic User's Account Compromised, Let's begin.

  6. After compromising a single basic user's account we started information gathering on the machine to see what's available to us. This can be done by trying to finger print the network. Using whois gives you the range of ips available for a particular network. Use fixedorbit.com to find ASNs then apply ASN to www.cidr-report.org to get host provider details. Inside the system look for shared network folders and credential files. Attempt to run port scanners to see what other machine are on the network and what they might be running. Running key loggers on the infected user's machine is a good way to gain information without the user's knowledge. Usually the attacker is trying to be quite in their attack but one thing they can do after they have a keylogger running is produce a lot of noise on a systems machine like kicking the victim out of their session or restarting the machine. This will cause concern for the victim and they will most likely contact IT. IT may then log in to the system and try to fix the problem. During this login process an attacker can then record the IT's credentials which will most likely have admin access of the machine and privileged access on other systems. In our class we ended up finding a file share internal network system and in the folders we found a credentials file with an account that had admin level access on a machine.
    Useful command lines used to gather info are the following):
    netstat
    ipconfig /all
    tasklist /v
    whoami
    net users
    net localgroup
    net localgroup "Administrators"
    net start
    net share
    net user /domain
    net view


  7. More Escalation

  8. Next we continued to escalate from just admin on the system to system access on the DC (domain controller). DC level access is often a good stopping point for Red Team pen testing since at that point you have such an escalated privileges account that you can attack a large set of systems and eventually take complete control. To get to this point we had to do a few things. Once on our new machine we realized we were logged in as a use with local admin privileges. This allowed us to open a remote desktop into another computer capturing access to it. By placing our veil payload onto the machine and running it we opened complete access to that machine. Next we ran MimiKatz which is a tool that can grab all user passwords and user names of individuals that have logged into the machine. This provided us with a system level access account. We then targeted the DC and logged in with this system level access and were in control of the DC on the acquired company's network. One trick we used to escalate privileges on a system was first see what processes are being run with admin privileges.
    1.Using Meterpreter shell we run "ps" listing all processes
    2.This gave us a pid like explorer.exe that was running under an admin account. Using "migrate <pid>" this took over this process and with it the escalated privileges which can only be done when you have system level access. Metasploit also has a getsystem command that will try a few tricks to gain system level access on a machine.

  9. Access to Acquired Company's DC so what?

  10. Since access at this level is so high we were able to find and access a user's account in our network that was the direct contact with the main company we wanted to origianlly attack. Their account had dual access between this acquisition and the main company. This allowed us an entry point into the main company and from there we combined numerous similar attacks to gain full exploitation of their system. One trick we used in gaining access to a machine once we had gain significant access we were able to use a copy command to copy a malicious file to user's machine. Then running the  at \\<ip address> <time> <command> we were able to schedule a task to run this executable on the machine which provided us with entry into the machine.

  11. Finally

  12. Eventually having full access of our victim's network we were able to read the CEO's emails, manipulate the public company site and steal any information in databases and email accounts, anything was possible. 

    Conclusion


    Whether it be from a disgruntled employee to an accidental click on an email to careless browsing, an attacker will find a way onto your system. It is up to your security team to have appropriate detection systems in place and proper reactive strategies for removing attackers when discovered on your system. A smart attacker will not only take their time and most likely work silently, but also have numerous ways of maintaining access in the case they are discovered. Some mitigation tactics are:
  1. Limiting the access levels of your employees and refrain from logging into machines with system level access. 
  2. Do not leave credentials files on available on your machine. 
  3. Be proactive and warn employees of any possible phishing attack emails that have gotten past your email filters. 
  4. Use logging tools like Splunk to capture logs on machines and hopefully warn users when odd active is happening.

No comments:

Post a Comment