Saturday, 5 October 2013

Notes from Derbycon 2013 - Day #2

After drinking late into the night with Casey from Bugcrowd I wasn't feeling too sharp Saturday morning and missed the first two talks. *cough* But ummm, in the afternoon though there was plenty to see!


#########################################################
Title: Burning the Enterprise with BYOD
Link: https://github.com/georgiaw/Smartphone-Pentest-Framework
What was it about:
Pwning companies using mobile phone based attacks. Georgia highlighted multiple ways to exploit phones e.g. malicious apps, OS/app vulns and social engineering. After a funny 40 minute semi-drunk ramble through mobile problems, we got to the demo and it was awesome. Using the smartphone pentest framework she'd built, Georgia showed how easy it is to compile a malicious app and trick a user into installing it by sending a link via SMS. User opens link, installs app and now you've compromised the phone.


From there you can pivot into the internal network fire, off your ms08-067 exploit and get shell. What's more, because it's mobile all the data runs over the cell network and is impossible to detect or stop. Pwned.

Lessons learned:
There is no way to prevent phones from being compromised. Solution, don't allow BYOD? :)


#########################################################
Title: Malware Management Framework - a process you can use to find advanced malware 
Link: http://sniperforensicstoolkit.squarespace.com/malwaremanagementframework
What was it about:
Finding malware can be like finding a needle in a haystack. So how do you find the needle? Well one approach is to remove the hay. The guys presenting achieved this by hashing all the files in sensitive folders (e.g. %temp%, windows, system32, wbem) and building a repository of known good hashes. Remove the good and you're left with the bad, essentially a form of whitelisting. Although it takes some time to build the repository, once you have it, you have a hell of a monitoring solution (and it's free!).

These guys had built a cloud platform that would receive and analyse hashes sent from an agent. This agent would be deployed on workstations and would regularly send back any new hashes. It was awesome but closed source!

Lessons learned:
Building a hash repository and using it to analyse files on your system is one of the silver bullets out there that people don't use enough.


#########################################################
Title: Browser Pivoting (FU2FA)
Link: http://blog.strategiccyber.com/2013/09/26/browser-pivoting-get-past-two-factor-auth/
What was it about:
Raphael Mudge presented an impressive new browser pivoting module for Armitage that allows you to browse from your own machine as if you were browsing from the target's machine. Compromise your target, run the post module which will inject a dll into IE, configure your local proxy settings and your local requests will be tunneled through the target's browser.

While it's always been possible to access internal sites using some port forwarding, by injecting into the browser you inherit all of the session data. E.g. If the user is logged into Facebook, when you browse you will be logged in on their account, awesome! It's a great tool for demonstrating to management how easily an attacker can access all your internal sites.

Lessons learned:
If you're an attacker, use browser pivoting. If you're a defender pray your boxes don't get popped! Also if you use single sign on you're making life a lot easier for the attacker.


#########################################################
Title: Taking the BDSM out of PCI-DSS Through Open Source Solutions
Link: http://urbanesecurity.com/research/openpci/
What was it about:
This was an interesting talk that highlighted the areas of PCI that people most commonly have problems with and how to fix them. The things people commonly do badly included:
  • AV on servers
  • Patching systems
  • Two Factor Authentication
  • Logging <- a lot of people fail here
  • Policies 
The presenters gave a few recommendations for each. For example you don't need AV if you do some kind of whitelisting. For logging they recommended a number of interesting open source solutions Fluentd, Logstash, Flume, I've never used them myself but looking over the sites got me interested. Also for file integrity monitoring they mentioned OSSEC.

The talk was quite funny as whenever Zack said "it depends" he had to drink, yeah he drank quite a lot, but hey that's Derbycon!

Lessons learned:
Check out Fluentd/Logstash/Flume for SIEM.


#########################################################
Title: Hacking Back Active Defense and Internet Tough Guys
Link: https://bitbucket.org/LaNMaSteR53/honeybadger
Link: https://github.com/trustedsec/artillery/
What was it about:
This talk was focused on the use of honey pages and honey files to trick an attacker into disclosing their location. Simply including an iframe on a hidden page that shouldn't usually be accessed, e.g. a fake /login.html, can transmit the attacker's ip as soon as they load the page. Even if the attacker is being extra sneaky using TOR for browsing you can try including a booby trapped doc or jar file that when run locally will grab wifi data and call back to you usually bypassing TOR.

And this is all legal as none of the activity involves illegally compromising the attackers machine. It was funny hearing that when the presenter had contacted law enforcement they didn't know how to respond and often wouldn't arrest the individual despite all the evidence.

Another defensive tool called Artillery was also mentioned, that does automatic host blacklisting and file integrity monitoring.

Lessons learned:
Internally and externally honey pots/pages/files can provide some great intel, "Honey Badger" is definitely worth checking out.


#########################################################
Title: Everything you ever wanted to know on how to start a credit union
Link: http://www.irongeek.com/i.php?page=videos/derbycon3/4208-everything-you-ever-wanted-to-know-on-how-to-start-a-credit-union-but-were-afraid-to-ask-jordan-modell
What was it about:
This talk was about one man's experiences setting up a credit union in the US. Although not security related it was interesting to hear about all the various hoops he had to jump through and the layer after layer of bureaucracy he had to deal with. His stay positive and shear determination was really impressive.

Lessons learned:
Don't be afraid to get out there and create something.


#########################################################
Title: Living Off the Land: A Minimalist's Guide to Windows Post Exploitation
Link: https://github.com/mattifestation/PowerSploit
Link: http://pen-testing.sans.org/blog/2013/07/12/anti-virus-evasion-a-peek-under-the-veil
What was it about:
The final talk of the day was about Powersploit and specifically in-memory only modules. The presenters talked about how nearly every single task from extraction of data, to lateral movement, to exfiltration can all be performed in memory using powershell/wmi/netsh.

I was particularly impressed by the lateral movement and how easy it was to connect to a target using powershell, execute the invoke-shellcode command which will connect back to you, pull meterpreter shellcode then execute it in memory.

Another tit-bit the guys mentioned was Veil. I'd not heard of it before but it's essentially an AV evasion framework that can compile some bad-ass python and powershell payloads.

Lessons learned:
If you're a pentester you should be using Powersploit and Veil if you aren't already.


#########################################################


Questions/comments/corrections - leave a message below.

Derbycon day #3
http://pwndizzle.blogspot.com/2013/10/notes-from-derbycon-2013-day-3.html

No comments:

Post a Comment