
Blackhat Hacking

How to hack and not get caught

Brady Bloxham
Silent Break Security
[email protected]
Overview

▪ What is OpSec?
▪ Methodology
▪ TTPs (Tactics, Techniques, and Procedures)
▪ Conclusion
What is OpSec?

▪ First things first
– Examine your activities from an adversary’s point of view
– Way of life
– NOT a set of rules
– Best of all…it’s free!

▪ Above all: Shut Your Mouth

What is OpSec?

▪ Proactive paranoia
– It doesn’t work retroactively!
What is OpSec?

▪ Stay paranoid…and cover your webcam!


What is OpSec?

▪ Work alone
▪ Avoid being blackmailed
▪ No one is going to jail for you!
Methodology

▪ The Old Way

Methodology

▪ The New Way

Methodology

▪ Money trail
– PATRIOT Act
– Various types
▪ Pre-paid credit cards
▪ Pre-paid credit cards + Paypal
▪ Western Union
▪ Bitcoin
– Not truly anonymous!
– Every transaction is publicly logged
– So…use bitcoin mixing/eWallet
Methodology

▪ Covert Infrastructure
– VPS
▪ Careful of payment
– TOR
▪ Slow
– VPN
▪ Torguard.net
▪ Btguard.com
– Create your own!
▪ SOHO routers
▪ Hack onto other servers
Methodology

▪ Covert Infrastructure
Methodology

▪ Don’t be a hoarder
– Principle of least use
▪ Don’t collect what you don’t need
▪ Don’t hoard data
▪ Delete it when you’re done

– Be smart about it
▪ Dedicated infrastructure
▪ TrueCrypt containers
▪ VMs with snapshots
▪ Qubes OS
TTPs (Tactics, Techniques, and Procedures)

▪ Spear phishing
– Click rate ~ 25-35%

▪ Countermeasure
– End user training, but it should reflect the current threat environment.
– Configure spam filter!
– Use proxy to block!
TTPs

▪ Pop and pivot!

▪ Be strategic!
– Don’t pop…just to pop
– Find high value targets
▪ Tasklist of remote systems
▪ Net use for remote dir of c:\Users
▪ Query AD for logon events
TTPs

▪ “Work” during the day
– Blend in with the noise
– Harder to filter logins
– Easier to identify key targets

▪ Countermeasures
– Monitor, monitor, monitor…especially privileged accounts
– Create user accounts for domain admins
TTPs

▪ Cover your tracks
– Clean the logs
– Watch the prefetch
– Registry MRUs
– Change time stamp!
– Remove tools!

▪ Risk = Threat x Vulnerability x Cost
– The best way to not get caught is to not leave tracks.
TTPs

▪ MRUs
– HKCU\SW\Microsoft\Windows\CurrentVer\Explorer\FindComputerMRU
– HKCU\SW\Microsoft\Windows\CurrentVer\Explorer\PrnPortsMRU
– HKCU\SW\Microsoft\Windows\CurrentVer\Explorer\RunMRU
– HKCU\SW\Microsoft\Windows\CurrentVer\Explorer\StreamMRU

▪ Audit Policy
– HKLM\Security\Policy\PolAdtEv

▪ Clean Logs
– Windows Defender
▪ Binary logs! Check out MPDetection.txt
– McAfee
▪ BufferOverflowProtectionLog.txt
▪ AccessProtectionLog.txt
– Symantec
▪ \Docume~1\AllUse~1\Applic~1\Symantec\Symantec Endpoint Protection\Logs
TTPs

▪ Test, test, test, test, test, test, test, test, test, test, test, test, test
▪ Modifying the target is for n00bs
– Modify your tools instead
– Packers, crypters, modifying the source, etc., etc.
TTPs

▪ Environmental awareness
– Network
▪ SYN vs Connect scan
▪ ping -n 1 <ip>
▪ SSL where possible
– System
▪ Avoid domain accounts
▪ Build a profile

▪ Countermeasures
– Create baselines (SIEM, netflow, etc.)
– Don’t ignore anomalies or alerts
TTPs

▪ Data exfiltration techniques
– Archive files (usually .rar)
– Stage on separate box
▪ Recycle bin
▪ System volume information

▪ Data exfiltration channels
– Compromise server in the DMZ
– Transfer via RDP
– Base64 en/decode to/from target via shell
– HTTP/S

▪ Countermeasures
– Block outbound all, lock down proxy, block outbound SYN in DMZ
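A defender-side check for the base64-over-HTTP/S exfiltration channel listed above and the "look out for base64 encoding" point in the conclusion, as an added example that is not from the deck or from Silent Break Security: it scans proxy log lines (constructed here) for long base64 runs, decodes them strictly, and flags RAR archives, encoded text and high decoded volume per request. The 512-byte volume threshold and the log line format are assumptions.

```python
import base64
import binascii
import re
# Runs of base64-alphabet characters (standard or URL-safe), 40+ chars, optional padding.
B64_RUN = re.compile(r"[A-Za-z0-9+/_-]{40,}={0,2}")
RAR_MAGIC = b"Rar!\x1a\x07"      # RAR archive signature (the deck notes exfil is "usually .rar")
VOLUME_THRESHOLD = 512           # assumed cut-off for decoded bytes per request; tune per environment

def try_b64decode(token: str):
    """Strictly decode one run; returns None when it is not valid base64."""
    s = token.replace("-", "+").replace("_", "/").rstrip("=")
    if len(s) % 4 == 1:          # no valid base64 string has 4n+1 data characters
        return None
    try:
        return base64.b64decode(s + "=" * (-len(s) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None

def printable_ratio(data: bytes) -> float:
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) if data else 0.0

def analyse_line(line: str) -> dict:
    """Total decoded base64 bytes in one proxy log line plus the reasons to flag it."""
    decoded_total, reasons = 0, []
    for m in B64_RUN.finditer(line):
        raw = try_b64decode(m.group(0))
        if raw is None:
            continue            # characters fit the alphabet but the run is not decodable
        decoded_total += len(raw)
        if raw.startswith(RAR_MAGIC):
            reasons.append("rar-archive-in-base64")
        elif printable_ratio(raw) > 0.9:
            reasons.append("text-in-base64")   # looks like encoded text, not a binary token
    if decoded_total >= VOLUME_THRESHOLD:
        reasons.append(f"base64-volume={decoded_total}")
    return {"decoded_bytes": decoded_total, "reasons": reasons}

# Constructed sample proxy log lines (client, method, URL); not from any real environment.
SAMPLE_LOG = [
    "10.0.0.5 GET https://www.example.com/index.html",
    "10.0.0.7 GET https://app.example.com/?sid=" + "a1b2c3d4" * 8,        # hex session id: decodes, but small and not text
    "10.0.0.9 POST https://cdn-upload.example.net/up d="
    + base64.b64encode(RAR_MAGIC + b"\x00" * 600).decode(),                # archive upload
    "10.0.0.9 GET https://cdn-upload.example.net/?q="
    + base64.urlsafe_b64encode(b"user,password\nalice,hunter2\n" * 30).decode(),
]

def flagged(lines):
    # Return (line, analysis) for every line with at least one reason.
    return [(ln, r) for ln in lines if (r := analyse_line(ln))["reasons"]]
```

Run it against decrypted proxy logs rather than raw TLS flows; without HTTPS interception (the "Break & Proxy" point) the base64 body is never visible to this check.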
TTPs

▪ Persistence APT style
– Nothing good out there…
▪ Meterpreter – OSS
▪ Core Impact – $$$$$
▪ Poison Ivy – Private
▪ DarkComet – Private
– Who’s going to trust these?

▪ Techniques
– DLL hijacking
– Service
– AppInit registry
– DLL wrapper
TTPs

▪ Go custom or go home…
Conclusion

▪ Know your network
– That means monitor the traffic
▪ Netflow, signatures, baselines

▪ Egress Filtering
– Like it is going out of style

▪ Proxy or die!
– Proxy all traffic
– Break & Proxy HTTPS traffic
– Look out for base64 encoding
– If you can’t inspect it…
▪ You just made someone’s b-day
Conclusion

▪ It’s not the appliance / server / IDS / IPS / software / device’s fault…

▪ Expecting your network devices to identify unknown traffic is like expecting your AV to detect a 0-day.
Conclusion

▪ Testing should be modeled after threats
– Vulnerability scans don’t cut it
– Correct practice makes perfect
Conclusion

▪ Offense is sexy, defense is lame
– We need to change the way we think about the problems.
Conclusion

▪ The attackers have them, do you?

The End!

▪ Questions?

▪ Contact Information
– Brady Bloxham
– Silent Break Security
[email protected]
– www.silentbreaksecurity.com
– (801) 855-6599
