Hacking - Breaking Into It

Transcript of Hacking - Breaking Into It

Page 1: Hacking - Breaking Into It

Hacking, Breaking In

@ChrisTruncer

Page 2: Hacking - Breaking Into It

What’s this talk about?
● Who I am
● How I got started in the industry
● What is “red teaming” and/or “pen testing”
● What’s a pen test look like?
  ○ Demos, lots of them
● How can you start learning this?
● Questions

Page 3: Hacking - Breaking Into It

uid=0(@ChrisTruncer)
● Christopher Truncer (@ChrisTruncer)
  ○ Hacker
  ○ Open Source Software Developer
    ■ Veil Framework Developer
  ○ Florida State Seminole
  ○ Random certs… blah
● Red Teamer and Pen Tester for Mandiant

Page 4: Hacking - Breaking Into It

How I Started
● College
  ○ College computer security class
  ○ Hack my roommate
    ■ “Wow, hacking is real”
  ○ Took a security class
  ○ Decided this is what I wanted to do
    ■ …. is this even a job?

Page 5: Hacking - Breaking Into It

How I Started
● Start off in a technical role
  ○ Wanted to get a technical foundation before moving into security
● First job, not what I wanted
● Became a Sys Admin at Northrop Grumman
  ○ Stayed for about 2 years
● Began my plunge into security, and haven’t looked back

Page 6: Hacking - Breaking Into It

What is Penetration Testing or Red Teaming?

Page 7: Hacking - Breaking Into It
Page 8: Hacking - Breaking Into It
Page 9: Hacking - Breaking Into It

Different Job Descriptions
● Vulnerability Assessment/Assessor
  ○ Scan a network for vulnerabilities with a tool
● Penetration Tester
  ○ Take that output, exploit findings, hack into systems
● Red Team
  ○ Adversary emulation, objective oriented, don’t get caught

Page 10: Hacking - Breaking Into It
Page 11: Hacking - Breaking Into It

But that’s it… Kind of boring right?

Page 12: Hacking - Breaking Into It
Page 13: Hacking - Breaking Into It
Page 14: Hacking - Breaking Into It

Red Teaming is a little different, but similar

Page 15: Hacking - Breaking Into It
Page 16: Hacking - Breaking Into It
Page 17: Hacking - Breaking Into It

Phishing Our Way In
● Lots of different ways to get in, but phishing is easiest
  ○ IT Department rolling out iPads for use
  ○ User selected for development environment
  ○ Meeting minutes from managers discussing layoffs…
    ■ … then telling everyone not to read it
● We can forge it to come from anyone

Page 18: Hacking - Breaking Into It

Don’t Get Caught

Page 19: Hacking - Breaking Into It

Minor Background Slides

Page 20: Hacking - Breaking Into It

What is a vulnerability?

Page 21: Hacking - Breaking Into It

What is an exploit?

Page 22: Hacking - Breaking Into It

What’s really used?
● We do use exploits, but less and less each year
  ○ What happens if the exploit doesn’t work?
  ○ What happens if it does?
● Misconfigurations are the way to go
  ○ Why hack something when we can just log in?
  ○ Path of least resistance

Page 23: Hacking - Breaking Into It

What’s the goal?
● Well, let’s first own the domain
  ○ Get the domain administrator account
● Demonstrate business impact
  ○ IT Admins understand domain admin, but does a manager, or a CEO?
  ○ Target something the business cares about
    ■ The Coke recipe, database with SSNs?
● Report/Outbrief with fixes

Page 24: Hacking - Breaking Into It

What’s the goal (Red Team)?
● All of the above
● Add to value by working with their blue team
  ○ Teach them what you did
  ○ Help them try to detect it
  ○ Make them up your game
● Soft skills really help here
  ○ Be able to talk to people and explain your work to tech and non-tech (muggles) audience

Page 25: Hacking - Breaking Into It

On to the fun stuff

Page 26: Hacking - Breaking Into It

How’s a test work?
● First we get our “get out of jail free” card signed
  ○ Only thing that keeps it legal, and us not in jail
● We’ll likely get some sort of a scope
  ○ IP address range
  ○ Domain Names
● On our marks, get set, go!

Page 27: Hacking - Breaking Into It

Finding Live Systems
● So, we may have thousands of IP addresses…
  ○ Let’s find the real computers
● Once we have a list of live computers what’s running on them?
  ○ Web server?
  ○ E-mail?
  ○ Database server?
● NMap to the rescue

Page 28: Hacking - Breaking Into It

Port Scanning with NMap
● NMap finds open ports with services running on them
● It will scan for the top 1000, or whatever you specify
● It can guess:
  ○ Service running
  ○ Operating System
● It can run scripts too!

Page 29: Hacking - Breaking Into It
Page 30: Hacking - Breaking Into It
Page 31: Hacking - Breaking Into It

Sweet, what’s next?
● Now we know open ports and the services running
  ○ Research vulnerabilities for those versions
  ○ Or run a vulnerability scanner
● MS08-067
  ○ Basically everyone’s first exploit
  ○ Get Windows XP stock, and test against it
● We have an exploit for the system, use it!

Page 32: Hacking - Breaking Into It
Page 33: Hacking - Breaking Into It
Page 34: Hacking - Breaking Into It
Page 35: Hacking - Breaking Into It

What about Websites?
● We test these too!
● Probably at least half of what we’re testing
  ○ Everyone has a website
  ○ Internal to a network, can be hundreds, or thousands
● Let’s get breaking into them!

Page 36: Hacking - Breaking Into It
Page 37: Hacking - Breaking Into It
Page 38: Hacking - Breaking Into It

What I wish I knew
● Programming
  ○ Use it all the time for scripts, tools, Veil, etc.
● Mentor
  ○ You’re always one step in front and one step behind someone
● Build a lab and play with it
  ○ You can’t break anything that costs money!

Page 39: Hacking - Breaking Into It

What I wish I knew
● Be prepared to be uncomfortable at times
  ○ Always in a new environment with new “stuff” and you’re expected to break it
  ○ Perk of the job too :)
● Build your process
  ○ Learn how you best approach networks, web apps, etc.
  ○ Use this to face what you don’t know

Page 40: Hacking - Breaking Into It

How to Learn
● Go to security conferences!
  ○ Might be anywhere from $10 - $300
  ○ BSides Conferences are local and almost always free, or super cheap
● Build your own lab
  ○ VMWare is your best friend
  ○ VulnHub
● Try free CTFs
● Twitter!

Page 41: Hacking - Breaking Into It

?
Chris Truncer
  ○ @ChrisTruncer
  ○ [email protected]
  ○ https://www.christophertruncer.com
  ○ https://github.com/ChrisTruncer