IH Flashcards
What two documents should your IR plan hook into?
COOP, DR
Any observable occurrence on a system or network
an event
Examples of events
Anything that you can show happened. (measurable)
System boot sequence
A system crash (could be normal behavior)
Packet flooding (could be legit, bursty apps)
Six stages of incident handling
Grand Master PI-CERL: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned
Places to share incident information?
BUGTRAQ (securityfocus.com)
Internet Storm Center (isc.com)
Dshield sensor network, part of SANS
Reviewing contingency plans, DR plans, and testing the technology and user base (phishing) that protect systems/networks from incidents is done during what phase?
Preparation
Warning banners NEED to include what?
- Consent to monitoring the use of its networks and systems
- Prohibits unauthorized access, use, or modification of resources
- If monitoring reveals evidence of criminal activity, the company can provide records to law enforcement.
Privacy laws can impact the ability of incident responders to
Effectively monitor and record system activity. Can be a problem in Europe.
What are some of the broad reasons you may be obligated to notify law enforcement for an incident?
- Threat to public safety or health
- Substantial impact to a third party
- Legal requirement for your industry
What types of protected data may require notifying the public when breached?
PII, PHI
What is your obligation to provide evidence to Law enforcement as part of THEIR investigation?
None, without a court order; have to balance need to conduct YOUR investigation, with theirs.
(Without any evidence, you’ll significantly hinder their investigation)
What SANS resource is available to help with law enforcement coordination?
SANS SCORE (sans.org/score/law-enforcement-faq)
Smart practice for policy on employees connecting remotely
Make sure the VPN banner includes a consent for remote search by the org.
How to get management buy in for IR capabilities
- Have a formal plan (with “peer” reporting measures)
- Provide monthly or quarterly reports
- Graphically illustrate incidents (cartoons, easy to understand stuff)
- Collect historical support
- Get news articles on similar incidents and how they were handled
Membership of a good IR team should include
Physical Security Infosec Legal HR DR BCP
two key items for benchmarking and recovering systems
- A system specific (desktop, file server, app server) build plan/doc
- A windows image backup of these that can be diffed against an infected machine
Your incident handling team construction should have what pyramid-like scheme?
An emergency communications plan and on-site team construction.
Similar to a command post; identify who is the engagement lead, who is handling which remote site/function, and what the comms plan is. (and backups are)
What is important to hammer out regarding procurement before beginning an IR activity?
A) What the procurement permission looks like; what happens if something (like an extra H/D) needs to be procured on site (how to make govt purchase card decisions)
B) What the secured communications plan is
C) What the plan for food/lodging/etc is in case of the engagement going longer than expected
Top two training issues for IR responders
- Creating forensic images under fire
- Keyboard skills under fire
Some tricks for training the IR team
Internal honeypots
“War games” (Surprise pen tests)
Quick “drills” for creating images or finding specific log files
Great tool for performing large-scale incident response and hunt team communication/coordination.
Why is this tool good?
GRR, by google. Free.
- Works with Rekall,
- Can pull relevant data asynchronously as hosts come on and off the network (helps w/laptops and mobile)
- Can use “flows” (Scripts that run on the server but execute tasks on a host, such as looking for a file with a specific hash)
Contents of a good “jump bag” (Flyaway kit)
- Fresh/blank media
- Evidence collection suite (DD, Imager)
- Forensics tools (SIFT, EnCase, Flare, etc)
- Network taps/monitors
- Every type of network/connection cable
- PC repair toolkit
- Extra copy of forms
_____ should be set as the incident handler(s), and they should have ___ for tasking.
One person, usually with a helper, with a discrete set of events on a specifically scoped system to look at.
Why should you control information/need to know for an incident?
Details change quickly
incomplete or inaccurate details could get posted online
Folks who are “in the know” might have to testify, and will have an incomplete set of information
Insider threats can be tipped off
Out of Band communications options in the event the system is compromised
Off-network phones (no VOIP)
Encrypted email (PGP or GnuPG, Gail Webcast)
Encrypted text
Faxes
Ham radios/walkie talkies
Encrypted cloud storage (Tresorit/Securesafe)
Share keys in advance!
Application logs are most useful from
Web apps
App Servers for thick-clients
Cloud based-services
“Net” commands used to look for suspicious activities
Net view: look at shares
Net session: look at inbound connections/smb sessions
net use: look at outbound smb sessions
nbtstat -S: NetBIOS over TCP, sorted by IP connection to our machine
Net commands for looking at TCP/IP activity
Netstat -na: Unusual TCP activity (continuous refresh)
netstat -naob: important: shows owning process id and associated DLL/executables
netstat -naob 5: same, but with auto refresh every 5 sec
netsh advfirewall show currentprofile: show built in firewall rules
commands to examine windows processes
WMIC
wmic process list (brief|full)
wmic process get name,parentprocessid,processid
wmic process where processid=<pid> get commandline
commands to examine services on a windows machine
services.msc
net start: running services
sc query | more: get more details about each service
tasklist /svc: MAP EVERY SERVICE TO A PROCESS
command to map which services are running out of each process on your system
tasklist /svc
What are the registry and file locations that start software automatically
HKLM\Software\Microsoft\Windows\CurrentVersion:
Run
RunOnce
RunOnceEx
Settings for a registry key can be checked on the command line using
reg query regkey
Manipulating the computer and financial infrastructure of a target for political reasons
hacktivism
Allowing political dissidents to communicate on covert channels can be a form of
hacktivism
Some ways to use malicious code for profit
Scraping CC numbers out of RAM for POS terminals
Keystroke loggers stealing financials
DoS extortion
Cryptomining
Spam advertising
Ransomware
Breakout time is
The time from initial compromise to privilege escalation to additional internal network targets
Average time for APTs to breakout
20-309 mins
Average time to respond to a breach before you’ve got compromises
3.5 hrs
Cumulative (Collective representation) data known about a target online (person, org, etc)
OSINT
WHOIS data stopped being as useful in 2016 with the introduction of
European requirements for General Data Protection Regs (GDPR)
Used to gather limited domain info (name, creation date, registrar) using registrant name or email address
reverse whois (such as viewdns.info)
Who must publish the logs of all issued certificates, and what is this called?
CAs, via Certificate Transparency
How does certificate Transparency help attackers?
helps them collect information on an organization, such as the hostname/cname published in the cert. Clues you in on additional target data.
Open Source, GPL based OSINT data collection and analysis tool
Spiderfoot
When recon crosses the line into the target site (tools that start sending requests directly to the target organization)
Direct recon
tool to interrogate dns server (deprecated in Linux)
nslookup
Easiest way to get as much info from the DNS server as possible
zone transfer
Command to do a zone transfer and get all data
nslookup, set type=any (will grab A, MX, HINFO, and NS records)
dig AXFR
DO against all associated name servers in an org
How to brute force DNS zone transfers
using nmap with the dns-brute switch, and using a word list
DNS Recon defenses
Don't allow zone transfers from any system
Limit XFR to DNS servers only
Secondary and tertiary name servers should reject all XFRs
use split dns
Harden all DNS servers
Look for zone transfer in DNS logs
What is Split DNS?
Publish external name info to only external servers, internal name info to only internal servers
to identify DNS zone xfr activity in logs
look for packets going to and from TCP port 53 on DNS servers. (Queries use UDP port 53, transfers only use TCP)
The SEC has what tool that’s useful for OSINT
EDGAR: Data on publicly traded US companies (addresses, financial statements, etc)
Site that allows you to identify which social networking sites a target user account may be using
namechk
Powerful site that allows you to correlate internet presence of an identity
pipl.com
Social media geolocation tool that uses flickr, twitter and google photo metadata
pushpin
defense against website searching
tell your admins to look for aggressive web spider/crawler activity
limit info available
make employment ads more general
determine what other sites are linked to your company
Current version of google hacks/dorks queries is stored at
exploit db
Difference in how google cache and archive.org handle images
Google cache does NOT save the images; it will load them from where they currently are stored, if they can.
Archive.org keeps a copy and uses the cached copy if they’re not located on the current site. If they’re on the current site, it will load them.
Tool that automates process of discovering files w/accessible metadata (pdf, xls, ppt) while also folding support for google hacking, sqli scanning, brute forcing subdirectories, and versions of vulnerable software
FOCA/GOCA
Tool used for combining google hacking with bing hacking, shodan, etc into one framework. Also includes modules for searching a site to see if it’s hosting malware, or if its vulnerable to data leakage (DLP)_
Search Diggity
Defenses against automated search engine recon, such as google dorks
Have google remove you
look for information leakage by using google hacks against yourself
remove pages, snippets, cached pages via metadata tags (noindex, nofollow, nosnippet)
robots.txt
Tools for web based recon
Shodan
dnsstuff
network-tools.com
securityspace.com
What does network-tools.com do?
Web based tool that does dns lookups, email checkers, domain name conversion, internet ping, spam blacklist checker for domain names, whois, etc.
WarVOX is a tool for ______ that requires ________.
War dialing VOIP, IAX protocol
Tool that records MP3 audio files associated with each number dialed and answered, for pattern matching
Warvox
Defense against war dialing VOIP
war dial yourself
conduct training on effective phone passwords
find out-of-band or unlisted numbers
set a policy for out-of-band access. (Make sure you have a full inventory of all remote routers)
secure modems with strong authentication (token, crypto)
use scanning-detection functionality for a PBX system
difference between active and passive WIFI scanning
In active scan, the attacker sends probe requests on all channels of an SSID and observes responses;
Passive, the attacker just listens for beacon frames outbound from the AP.
Both return network info, encryption and auth methods, channels, and manufacturer info.
Difference between Kismet and SSIDer
Kismet is completely passive.
PCAP and WiFi analysis is found in what tool
Kismet; will produce full packets, pcap can be dumped into wireshark
What is Galois Counter Mode
A mode of encrypting data in WPA3 that is easy to accelerate in hardware
What are the 3 modes of authentication for WIFI
PSK (pre shared key)
EAP/TLS (Enterprise auth)
SAE (Simultaneous Auth of Equals: PSK, but eliminates offline password-guessing)
Why is PSK authentication for WIFI dangerous?
Everyone uses the same pre-shared key for auth, so a stolen device compromises all devices.
Even without the device, offline password guessing attacks can be used on PSK.
How to offline guess a PSK password
Capture some packets with Kismet, try to match the hash with a password list
Best tool for password guessing wifi
Aircrack-ng
Impersonate and steal creds for WPA2 enterprise networks with a linux machine using
hostapd-wpe
Will “dumb down” auth attempts
tool for hijacking mouse and keyboards (and what it requires)
JackIt; requires a CrazyRadio PA USB stick (or similar)
defense against wireless ap hacking
use WPA2+
deploy EAP/TLS auth or cert based auth
use TLS for critical data
NMAP 4 packets to identify up hosts
ICMP echo
TCP SYN to 443
TCP ACK to 80
ICMP timestamp
defense against network mapping (4)
Disable incoming ICMP echo requests
Disable outgoing ICMP time exceeded
IDS signatures for ping sweeps/tracert
temporarily block a frequent ping sweep
TCP RESET flag does
tears down a connection
TCP PUSH flag does
Data should be pushed through the TCP stack(?)
NMAP ack scans are useful to
Do network mapping instead of a ping sweep; good for finding sensitive internal servers.
CANNOT DO PORT SCAN
Tool that takes screenshots of websites and tries to quickly identify the purpose of it to find interesting stuff
Eyewitness. Looks for things like RDP, servers, indexed web directories, etc.
Four options for disabling a windows service listening on a port
kill the process with task manager
kill the process with WMIC
disable the service in control panel
disable the service using sc cmd (best, versatile)
Best two ways to see listening ports on linux
lsof
netstat -nap
disable linux processes listening on ports (5 methods)
first, try to stop it with systemctl
then try to kill it if you can't use the first command
disable the service in /etc/rc.d
disable service using systemd
disable service in inetd/xinetd (/etc/*.conf)
Excellent bypass for IDS uses a ______ packet in the middle of an attack
TCP reset; tricks the way a target OS/firewall handles TCP checksums.
Defense against IDS/IPS evasion (5)
Up-to-date/resourced devices
Implement behavioral analytics
Use host-based systems as well
Block odd packet fragments
Harden ports
Nessus client-server comm port, language
8834, HTML 5 (uses HTTPS)
Nessus plugin to block dangerous plugins
Safe checks
SMB ports (2 kinds)
445
used to use netbios ports, TCP/UDP 135-139
Establishing an SMB session from cmd line
net use \\targetIP
Can connect to most SMB shares as long as you
Have a non-admin username and password. (Can use this to connect to IPC$)
command to get a list of smb shares once you’re connected to an IP
net use \\ip
net view \\ip
command to get the list of all domain users
net user /domain > output.txt
Tool to bypass authentication and hijack password libraries so that they accept any password
Konboot
Attack a computer that is in a suspended or hibernated state with this tool to unlock it. (Requires FireWire/Thunderbolt)
Inception
Use this hardware dongle to surreptitiously steal logs using responder, for these services.
Lan Turtle
Steals things like kerberos traffic, LLMNR, DNS, etc.
Physical attack medium that looks like a USB thumb drive, but can act as a keyboard and inject strings, scripts, malware
Rubber ducky
defense against physical access attacks
Full disk encryption
Train users to power down systems
Restrict access to USB ports to only pre-approved devices
Password protect BIOS
Disable USB boot
Disable LLMNR
Takes the original netcat tool and makes it capable of communicating over pipes, devices, sockets, SSL, and raw IP
Socat
Netcat that can communicate over data frames
Linkat
Client mode Netcat traffic is passed by:
Send ______ to standard in
Send ______ to standard out
Send _______ to standard err
Keyboard, redirect data from a file or piped from an application to standard in (input)
All data sent back across the network to standard out (response)
All messages from the tool sent to standard err
Listener mode netcat traffic is passed by:
Send _____ to standard in
Send ______ to standard out
Send ______ to standard err
Sends received data to standard in
Sends data to client over standard out
all messages from the tool are sent to standard err
Uses of netcat
Data transfer
Port scanning
Vuln scanning
Making connections to open ports
Backdoors
Relays
How to backpipe a netcat relay
Use the mknod command (common to Linux and Unix) to create a special FIFO (first in, first out) file as a "backpipe" for information to flow through. It acts as an intermediary, carrying data back and forth on the command line.
The 0<backpipe at the end (receiver sending data to standard in) is important! Drawing on 3:19
For name resolution, systems will use ARP, and then what series of name resolution services?
ARP -> DNS -> LLMNR -> NetBIOS Name Service (NBT-NS)
Tool that scrapes images out of network flow/PCAP
NetworkMiner
DNS spoofing is possible as long as you (the attacker) are located
on a network somewhere between the attacker and the DNS server
How does SSLSTRIP work?
Using MITM positioning, it intercepts the server's redirect that tells the client to "jump" from HTTP to HTTPS, keeps the client on plain HTTP, sniffs all of that traffic, and then forwards it to the real destination over an SSL connection that the attacker establishes as its own SSL tunnel.
Responder is capable of hijacking what types of requests
Netbios Name Service (NBT-NS), DNS, and Proxy requests
Why does responder try to force a victim onto LANMAN authentication methods?
Easier to crack auth creds
What is a PAC file, and why do we want to hijack it?
A PAC file is something the browser uses to easily identify a proxy server. Once manipulated, it will cause a browser to send requests through the attacker's chosen proxy (here, the compromised machine in the middle).
defenses against hijacking attacks
Active port security on switches
use dynamic arp inspection w/DHCP snooping
Disable LLMNR
Disable WPAD
Encrypt sessions w/strong auth (SSH ver 2+)
Buffer Overflows give an attacker the ability to
execute arbitrary commands on a system
take over system or escalate priv
Buffer overflows must be executed locally (T/F)
False; some work over network, too
The cyber equivalent of stuffing too much into a box that isn’t large enough to fit it
Buffer overflows. Cramming too much data into parts of memory that aren’t sized/conditioned to accept it. (Non-validated input)
May include overflowing integer types or storing the wrong kind of data (string when expecting #’s, etc)
A memory stack stores and returns things from memory in what fashion?
Push/Pop, LIFO.
Push things onto the stack, pop things from the top of the stack.
Variable space that’s allocated in memory to store function variables as part of subroutines
The Buffer. (sits on top of the return pointer; when a subroutine is called, it sticks a bookmark (Return pointer) at that place in the stack and then allocates a buffer above it for the subroutine’s function)
Two metasploit modules that can scan code, looking for patterns that are sometimes weak to buffer overflow type attacks (string copy, scanf, fgets, get, etc)
Msfelfscan
msfpescan
Those commands are usually used for moving data around between memory buffers
Finding a buffer overflow vuln in ____________ on linux or _____ on windows is a premium, because….
root/SUID/UID 0 level in *nix, and SYSTEM level for Windows. Lets the user run with admin-level privs, not just program privs.
Exploits are tailored for
the processor and OS type. Intel (Linux) or Sparc (Solaris) etc
Why should buffer overflow exploit code be kept small?
to fit in the buffer
These characters will be filtered by the OS and wont be loaded fully into the stack for a buffer overflow exploit
Filtered characters. (Something that, when translated into ASCII, means something. For example, 0x00 is a null character, and drops everything received after it in the function.)
What is it when an attacker uses NOPs in front of exploit code, so that if the pointer lands on a NOP, it funnels down to the correct pointer?
NOP sled
What is the NOP sled, attacker machine code, and return pointer called, when all together
an egg
4 parts of metasploit
exploit
payload
auxiliary modules (scanning, DoS, fuzzing)
post module (post exploitation)
MSF can sometimes be used just to check if vulnerability and scan (T/F)
true
General purpose metasploit payload that carries a DLL to the target box to give specialized command level access
meterpreter
Why is meterpreter nice?
Doesn't create a separate process when executing a shell; runs on the exploited process
Doesn't touch the HD, stays in memory
Includes its own set of commands, so doesn't use the target system's commands
Can load new modules and dynamically change its functionality all from the memory of the affected process
Meterpreter works on what OS?
Windows, PHP (web server, web client w/php) JRE and Linux. MacOSX is under dev.
what application discussed in class can generate NOP sleds?
Metasploit
What application can generate wrappers for shellcode?
metasploit
Marks certain pages, such as the stack, as non-executable, as well as marking memory areas where legit code is present as non-executable
MS Data Execution Prevention (DEP)
Helps against buffer overflows
Two kinds of Data Execution Prevention
Hardware based- only works on machines that support it.
Software based - works in essential windows programs and services, such as RPC locator.
Little chunks of OS code an attacker wants to execute as part of a buffer overflow is called a _____-
gadget
Used to orchestrate attack steps using legit OS libraries instead of trying to insert code into the stack.
3 types of code canaries
Random - uses random values to protect the return pointer
Terminator - Throws null bytes to protect return pointers, because it will render payloads moot when appended to them
XOR - Uses non-predictable values for return pointers
Grab data from the network (such as python scraping tool) and parse it for an application.
Protocol parsers: dangerous
Why are protocol parsers dangerous?
Its hard to get right
The code that breaks the data down into fields is rife with buffer overflows
Lots of copying things around in memory
Bad bounds checking
How can protocol parsers “lie in wait”
An attacker can flood a bunch of machines with an exploit for a service that the parser is vulnerable to, and wait for the application to use the protocol parser to view data grabbed from the network
Defense against protocol parser vulns
Use protocol parsers as little as possible
Pay extra attention to sniffer tools (Wireshark, Snort, Bro, Suricata, tcpdump, etc) Patch these regularly!
How do you inject malicious macros in PPT?
Key is to have them run the macro when the file opens and when a user interacts with the presentation.
How do we trick users with malicious powerpoints?
Inject the code we want to run via “Veil-Evasion” MSF module, broken up into digestible bites (macrosafe.py) and then enable the script to run when the user interacts with a slide, using “Run_on_open” or “on mouse click” or “on mouse over” actions. Boom. Evades AV, too.
what is ghost writing?
Changing assembly code (adding junk) to change signatures and evade AV
Easy way to change a files code signature via assembly
Create an exe
Convert it to an .asm file
edit the .asm file (add anything)
convert it back to .exe
Easiest thing to add to assembly to just add something (avoiding AV signatures)
add a push/pop any time something XORs itself (meaning the register is being zeroed)
would look like this:
push eax
pop eax
xor eax, eax
Using lesser known languages to write payloads may help them execute because…
signatures are more common against known payloads
What is an environmentally keyed payload?
Where malware searches the runtime environment for strings, such as a directory name, and attempts to decrypt the binary with each, which makes the signature unique.
Whats an example of adjusting how malware is executed that can evade AV?
Have the malware payload trigger on uninstall, not by execute.
Sharpview and Enum tools do what?
Enumerate users, groups, etc via SMB/findstr
What is Powershell empire?
Backdoor for Powershell
Post-exploit; can scan for vulnerabilities and systems to compromise. Enumerate shares and users across domains.
What is bloodhound?
Tool that finds the quickest way to get domain admin privileges. GRAPHICS!
Defenses against manipulation of SMB
Block at boundaries/local firewall:
TCP 445, 135, 137, 139
UDP 445, 137, 138
Explicitly allow SMB only from specific places you want it to come from
Check IDS/IPS logs
Trying to guess a small number of potential passwords against a large number of target machines (1-2 passwords against a large user base)
password spraying
determining a password when you only have the password file/ciphertext representation
password cracking
matching output of guess+algorithm and comparing against encrypted passwords
Unix/Linux friendly password guessing tool
Hydra
Fastest method for cracking passwords
Dictionary
3 methods of password cracking
Brute force
Dictionary
Hybrid (dictionary with numeric/symbols) baked in
Why you shouldn’t use password cracks for migrating users to new platforms
non-repudiation. (cant prove its only the user w/a password)
Weak password hashing mechanism still in regular use
Windows LANMAN. Converts everything to UC, padded with null bytes to a fixed length (14 bytes)
Split and used as keys for DES, a weak encryption alg.
Replacement for LANMAN
NT Hash: still not great.
Why is NT Hash better than LANMAN (2 reasons)
Case is preserved
Doesn't store a LANMAN hash if the password is greater than 14 chars
Why are NT Hashes and LANMAN both inherently insecure?
They don’t use salts
What is a password Salt
A short, randomly selected string added to a password before hashing, adding randomness to the hash
Feature that defeats rainbow table attacks
Salts
built in windows tool that lets you get a backup of AD, which can be used to get hashes (exec and command)
ntdsutil.exe
activate instance ntds, ifm
What is in NTDS.dit? How is it decrypted?
DC Hashes, use the registry hive keys to extract the hashes
Empty values in password dumps are easy to recognize by
Specific values
aadbb (first letters, LANMAN): Am All Day Baffled By
dcfed (first letters, nthash) Difficult Choices for Encrypted Data
The password hash is ______ in /etc/passwd or /etc/shadow
How do you know what hash type is used?
The second field, colon delimited
Will be $#, and the number corresponds to a specific type. ($1 is MD5, $5 is SHA-256, no indicator is DES)
Order of fields in /etc/shadow
user:
$hash type
salt (4 or 8 chars)
hash value.
Hashing is still insecure if it doesn’t feature
Multiple rounds, salts
How to mitigate GPU based powerful password crackers
Use PBKDF2, bcrypt, scrypt
Use multiple rounds, HMAC
Little used powerful (new) hashing algorithm
Argon2
You must feed John a…
encrypted password file
For Linux systems you’re cracking with John, if they use /etc/shadow, you must…
merge /etc/passwd and /etc/shadow via “unshadow” command
How to handle LANMAN hashes being stored
Stop storing LANMAN hashes by changing the LSA registry key. (add a “NoLMHash” key. LANMAN goes away next password change)
Audit passwords with….
Group policy, Domain Password Audit Tool
Adds password complexity and additional capability to *Nix systems
PAM modules. Works with Kerberos, Radius, etc. Enforces password complexity.
Rather than cracking the original passwords once the hashes are stolen, this technique lets you just reuse the hash to authenticate via challenge/response, NTLM, or NTLMv2
Pass the Hash
Pass the hash attacks are usable once the attacker loads the hashes into his memory space and then utilizes….
SMB based access, like net use
Windows Credential Editor gives you what capability upgrade from a standard from Pass the Hash
Pass-the-Ticket
Windows 10 defense against pass-the-hash and hash theft
Credential guard; virtualization containers abstract from the main operating system.
Can do what locally to disable PTH style attacks?
Change the TokenFilterPolicy in HKLM\Software\MS\etc to ‘0’ which denies remote users the ability to execute commands on a target system.
Disable the local admin account.
What is kerberoasting?
Kerberoasting is a technique which exploits a weakness in the Kerberos protocol when requesting access to a service. (Such as IIS)
Doesn’t need to be an active service, just needs to have a service account. (Uses the SPN: Service Principal Name)
Attack gets you a service ticket, which has a portion of the service accounts password hash included.
What’s the important artifact to get in a kerberoasting attack?
the important part is that the service ticket is encrypted with the hash of the service account, which allows any authenticated user on a Windows domain with the ability to request a service ticket from the TGS to perform an offline bruteforce attack.
Tool to extract password hashes from service tickets gained from kerberoasting
Impacket and Mimikatz
Defenses against pass the hash/kerberoasting
Host Firewalls to block SMB in client/client comms (restrict inbound to admins)
Use LAPS to manage unique and complex local admin passwords. (Keeps one admin hash from being used on multiple machines)
Use TPM
Use Credential guard
Look for unusual admin activity/use of Net (use, sessions) commands
attack tools that carry multiple exploits and can spread themselves using all of them (and an example)
Multi exploit worms, such as Conficker
Mechanisms for Conficker to spread
Buffer overflow for Windows
Copying itself to thumb drives
guessing passwords for SMB shares and moving between shares
Why was Stuxnet considered a multi platform worm
Attacked Windows, but pivoted to Siemens ICS SW, SCADA systems
Worm that exploited Windows LSASS vulns
Sasser
Exploits a UPnP flaw
Zotob
Uses for Bots
Maintaining backdoor control of a machine
Controlling an IRC channel*
Mail relays
Providing anonymizing HTTP proxies
DoS floods
Collection of bots under the control of a single attacker is called a
botherder
Bots are particularly useful for spreading through
infected web sites that can compromise browser vulnerabilities
Attackers communicate with bots via
IRC (6667 standard, but can use anything)
HTTPS
DNS
Social networking sites
Modern bot comms techniques utilize
Non standard IRC ports
3rd party websites (http)
Social networking sites via HTTP (bot surfs to popular sites over port 80 and parses commands from specific profiles)
DNS
Bots stay persistent/hidden by (6 methods)
Morphing the code for infection
Run commands with system privs
Add/remove file shares
FTP files
Add autostart
Scan for other vulnerable systems
What is GRE?
Generic Routing Encapsulation: lets you set up a direct PTP tunnel, like IPSEC. (Used by bots)
Defense against bots
- Harden systems
- Set specific plans for quick patching/testing patches
- Encrypt hard drives (so stolen data cant be read easily)
- EDR tool
- App whitelist
- Host based IPS
Defense against account harvesting
Auth messages should be consistent so as not to give away whether accounts are valid
Use account lockouts (timed)
Have “canaries” for multiple bad passwords on different accounts being hit in succession
Time inference confirmation is what?
Looking at the time delay on command injection when you cant see the response
Defense against command injection
Fix flaws in code
Use a WAF
Don't have applications launch shells or execute commands
Validate input
Sanitize input
Filter output characters from a website output with this tool
Modsecurity for Apache, IIS, and Nginx
Server defenses against XSS
HttpOnly flag set (limits cookie accessibility)
Use Content Security Policy (CSP) to set what dynamic resources are allowed to load in the browser
Report sanitized content to a specific url if detected
What browser is vulnerable due to a lack of content security policy (CSP)
IE
Where and how can you support browser XSS flaws with CSP turned on?
An external URL, via report-uri feature
Ways web sites track state (sessions)
Sending back a user ID/credential
Hidden form elements on the page
cookies
How does a DNS amplification attack work?
Utilizes EDNS, a standard that lets DNS packets be bigger than the normal DNS packet size.
Attacker gets a DNS server to store a 4000-byte TXT record, as part of normal DNS operations (recursion).
The attacker sends fake (spoofed) DNS requests on behalf of the victim, with the EDNS flags set; the response (carrying the 4000-byte TXT record) is amplified in size by over 60 times. This floods (DDoS) the victim.
How does a DDoS packet flood work?
Attacker (via compromised clients) sends a bunch of spoofed SYN packets to a high-bandwidth server; that server then responds with SYN-ACKs to the victim.
Why are HTTP floods harder to detect than SYN floods? (DDoS)
SYN floods never complete the 3-way handshake, which creates an abnormal comms state to track.
HTTP floods (where the attacker finishes the request and then executes a command) are a normal comms state, so they are easier to track (and harder to identify/stop!)
Defenses against DoS style attacks
- Keep DDoS agents off your machines (IDS/IPS/AV)
- Anti-spoof egress filtering at border routers
- Ensure adequate bandwidth (BW)
- ISP controls
- Use traffic shaping tools against floods
How do you secure VNC?
Tunnel it through SSH:
ssh -L 5901:localhost:5901 REMOTE_IP
VNC servers passively listen on what port, connect outbound on what port?
5900, 59001 (management ports)
VNC servers can also listen on port 5800, and can shovel a session to clients using a small Java applet. Clients can listen on port 5500 for a GUI session to be “shoveled” to them.
Two modes for VNC
App mode (shows up in the tools tray)
Service mode (shows up in the service list)
Standard capabilities of remote control backdoors (like Poison Ivy and other RATs) (7)
- Keystroke logger
- Create dialog boxes with customizable text/action
- Lock up/reboot system
- Get system info
- Access files
- Create VPNs to an outbound system
- Camera and audio capture
What is scareware?
What Bob got infected with; “Install our security monitoring software”, which is just a trojan.
What is a packer?
Originally used just to compress malware code and deliver more in a smaller package; it's now used to make reversing much harder.
Why does a packer make reversing harder?
Packed code can't be directly disassembled and doesn't reveal many interesting strings
Memory file for virtual VMware hosts
.vmem file
things you can look at with Rekall
Network connections
Processes
Map processes (PIDs) to network connections (netscan)
DLLs loaded by a process
Rootkits don't let a user GET root access, they let an attacker…
MAINTAIN root access by affecting existing programs/OS modules on the underlying system.
Examples of Linux rootkit methods
Replace login, rshd, sshd, inetd, tcpd with versions that have backdoor access built in
Rewrite commands to include root-level backdoors, like changing the su program.
4 categories of hiding tools found in rootkits
- Process hiding (changes to process tools like ps/top)
- Network hiding
- File hiding (ls/find commands)
- Event hiding (syslogd, to keep the attacker's activity from producing events)
How does a rootkit DLL injection attack get its code onto a system? (4 steps)
- Allocate space in the victim process' memory space, using the VirtualAllocEx Windows API call
- Write the name and code of the injectable DLL into the memory space of the victim process (WriteProcessMemory)
- Create a thread in the victim process to run the new DLL
- Free up resources in the victim process after execution (cover tracks)
What is API hooking?
When an attacker undermines a running process in its interactions with Windows itself
The mode (privilege level) that privileged (sensitive) software runs in, where it cannot be accessed by code running at a less privileged level
Ring 0 (most sensitive)
Ring 3 is normal user mode
To interact with a kernel, user-mode processes use
System calls
How do system calls work?
A user level process calls a system library, which is full of code and tables. The tables are just arrays mapping system calls to the corresponding kernel parts needed to handle each call. (Collection of pointers)
How do you implement a kernel mode rootkit?
Loadable kernel modules (*nix) and device drivers (Windows)
Altering kernels in memory
Changing out a kernel file on disk (HD)
Virtualizing the system (not seen often)
Windows defense against loading kernel components via drivers
Mandatory device driver signing
How to circumvent Windows device driver signing
Steal the private keys of a legitimate software company
Bypass it by manipulating memory
Manipulating the paging file allows what rootkit-style attack?
What does this bypass?
- Hog system memory
- System offloads its functionality to the system page file
- Manipulate the page file
- Release memory, allowing the page file to be pulled back up into memory.
(Bypasses the device driver signing process.)
Location of Linux and Windows kernels (where they'd be overwritten by malicious code)
Linux: vmlinuz
Windows: ntoskrnl.exe and win32k.sys
What other file must be manipulated to get an altered Windows kernel file to load?
Have to manipulate the NTLDR program, which checks the kernel integrity at bootup. (Use a few machine-language instructions to skip the integrity check.)
How do network forensic tools (like Security Onion) look for patterns reflective of malware activity?
Look for large amounts of client-client traffic, server-server traffic, worm traffic (large bursts of activity)
Eradication techniques for rootkits
Wipe/reformat
Reinstall OS
Apply all patches
Change all passwords
Easiest way to hide files in *nix
Renaming files to names like a space, “.”, or “..”
Places to hide files on Linux systems
/dev
/etc (bad place, usually monitored)
/tmp
OR
Complex/random place on file system, like /usr/man or /usr/src
How will sophisticated attackers hide tracks in Linux logs?
Edit out individual log entries, instead of wiping logs
Edit shell history/bash history
How to completely kill the shell history file
- Kill the shell, which prevents the recent shell history from being written
- Kill all bash shells, to do the same
- Change the SIZE of the bash history file to zero (unset HISTFILE)
- Add a space before a command to keep bash from logging it in the first place
What do you have to do to edit utmp files, and what do they do?
Contain information about logged-in users, current and historical
Shows login successes and failures
Need a specific editor that can work with those files, like remove.c or wzap.c, etc.
What do tools like wtmped.c, marry.c, cloak.c, etc. do?
Wipe user activity logs on Linux, such as /var/run/utmp (current logins), /var/log/btmp (bad logins)
What are NTFS file streams?
Extra “drawers” (like a dresser) that you can throw data into, that are attached to a file. Stream 1 is the contents of the file; streams 2+ are added streams. Stream 1 is the only thing that will show in Windows Explorer
What file system is required to write data streams in Windows?
NTFS. Doesn't work with FAT, etc.
What type of streams does Windows store that are visible in Windows Explorer?
Only the main stream (stream 1, the file contents). Additional streams don't show.
Do streams copy with a file?
yes
How do you see alternate streams on NTFS systems? (2 ways)
dir /r
Get-Item in PowerShell with the -Stream option
(Some AV can detect it if there's malicious code in it.)
How do you remove an Alternate Data Stream (ADS)?
Move the file to a FAT partition
No built-in Windows tool
Tool dedicated to finding alternate data streams on NTFS
LADS
Log file format for windows logs
EVT files (not editable directly)
Tools for manipulating windows log files?
NSA DanderSpritz tool, with its eventlogedit module
Metasploit clearev log file wiping utility
What is the normal state of windows event logs
Immutable files, write protected and cannot be altered by normal means on a running system (but tools are available to do it)
Best way to defend manipulation of event logs
Use a separate logging server
Use Windows Event Forwarding to send logs to an alternate location
Add integrity-checking software to keep an eye on Windows log file locations
Some behavior analytics tools
MS Advanced Threat Analytics
Rapid7 InsightIDR
Exabeam
JPCERT (open source)
Open Source threat hunting tool
LogonTracer from JPCERT
Hiding network activity
Carry one protocol on top of another (encapsulate one protocol inside another)
How does a reverse HTTP shell work
Connection is established over HTTP from WITHIN the victim's network, on a pull basis. At set intervals, the reverse shell reaches out over the Internet and tries to connect to the attacker's machine. The attacker then sends commands back to the origin as HTTP responses.
Tools that allow you to tunnel traffic inside ICMP
Ptunnel (TCP over ICMP echoes/replies: Windows or Linux)
Loki (Linux shell)
PingChat (Windows chat program)
ICMPCmd (Windows cmd access)
Tool that would let you communicate on a network that heavily filters TCP and UDP packets
ICMP comms via Ptunnel or PingChat
Two components to Ptunnel
Client and Proxy
Client listens on a given TCP port; Proxy funnels traffic over ICMP. (The proxy has to be reachable by ping.)
The proxy sends the ICMP packet outbound with the TCP data in the payload to any TCP based server on the net, and also communicates with the Client on a normal TCP port.
Ptunnel uses what for authentication?
MD5 challenge/response
SCTP and QUIC are good protocols to use for tunneling covert traffic because…
They are multiplexed/multihomed, which means multiple hosts can be used as failover.
Not many signatures for newer protocols
Full C&C backdoor where all commands flow over Gmail
GCAT
Defenses against covert channels being used
Investigate odd processes, especially with admin privs
Network IDS set to analyze:
Shell commands over HTTP
unusual ICMP messages/size
Unusual changes in IP ID/Seq/Ack fields for TCP covert tunneling
Tool for finding stego
StegExpose - Java utility that looks at the least significant bit (LSB) for techniques where this is a tell
Defense against stego
Get familiar with the tools
File integrity checks
Compare hashes with the original to detect changes in data
Netstat command for getting processes and connections
netstat -naob
What is lsof -i going to produce?
Find out if a service is running.
PowerShell tool that creates a stacked analysis of the installed software in your environment
Kansa