Threat Dissection - Alberto Soliño Testa Research Director, Core Security
THREAT DISSECTION
Alberto G. Solino, Director of Research, Core Security
Geek me:
• Microsoft ASM first programming language (by luck)
• Started playing with MS-DOS viruses when I was 10
• Hooked into a security research group at BA University when I was 15
• Special Projects Security Group for Arg. Tax Agency
• Joined Core as security consultant
• Managed the Security Consulting Team for 11 years
• Switched to PM (Core Impact) for 5+ years
• Now Director of Research :)
Not so geek me: piano, tennis, scuba diving and skydiving (above all). Surfing is on the to-do list.
Some big software fails and their consequences
• MS08-067
• MS14-068
• MS10-067 + MS10-046
Hacking Team Hack
• Founded in 2003.
• Develops and sells hacking tools to governments.
• Remote Control System (a.k.a. Galileo) is their main solution.
• In July 2015, Hacking Team was hacked.
• Hacked dump available at https://github.com/hackedteam.
• Includes RCS for Linux, Android, the common backend and a set of exploits (some of them 0-day back then).
• Dumped emails available through Wikileaks at https://wikileaks.org/hackingteam/emails/.
• Full dump (~400Gb) released as torrent.
• Hack claimed to be done by Phineas Fisher.
Hacking Team Hack – Step 1
Initial Information Gathering / Recon:
• Whois lookups
• OS stack fingerprinting
• Port scanning
• Web application fingerprinting
Results:
• Main website (Joomla)
• Mail/anti-spam server (Postfix)
• VPN appliances (embedded)
External Recon
Hacking Team Hack – Step 2
Initial Foothold:
• No phishing / client side
• 0-day in embedded device
Uploaded toolkit:
• Python
• Nmap
• Responder.py
• Tcpdump
• Socat
• SOCKS proxy (proxychains)
Pivoting
Compromised Machine
Hacking Team Hack – Step 3
Internal Information Gathering:
• Traffic analysis (w/ Responder)
• Slow port scan
• OS fingerprinting
Results:
• MySQL databases (patched)
• Open MongoDB w/o authentication (RCS audio records)
• iSCSI devices w/o authentication (for backups)
Internal Recon
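The two unauthenticated services found in Step 3 are configuration failures rather than software bugs. As an added example (not from the talk or from Core Security), the following Python audit takes a mongod configuration as yaml.safe_load would return it and flags the two conditions behind an "open MongoDB without authentication" finding; the sample configurations are constructed.

```python
"""Audit a mongod configuration dict for the conditions behind an
'open MongoDB without authentication' finding.  Added example: the
sample configurations below are constructed, not taken from the deck."""

# Constructed: an instance reachable from the whole network with no
# access control, the state the Step 3 finding describes.
WEAK_CONFIG = {
    "net": {"port": 27017, "bindIp": "0.0.0.0"},
    "storage": {"dbPath": "/var/lib/mongodb"},
}

# Constructed: the same instance bound to loopback plus one internal
# address, with role-based access control switched on.
HARDENED_CONFIG = {
    "net": {"port": 27017, "bindIp": "127.0.0.1,10.20.30.40"},
    "security": {"authorization": "enabled"},
    "storage": {"dbPath": "/var/lib/mongodb"},
}


def audit_mongod(config):
    """Return a list of (code, message) findings; empty means no issue found.

    `config` is the nested dict yaml.safe_load() produces from mongod.conf.
    """
    findings = []
    net = config.get("net") or {}
    security = config.get("security") or {}

    # security.authorization must be the literal string "enabled";
    # absent or "disabled" means every connected client is effectively admin.
    if str(security.get("authorization", "disabled")).lower() != "enabled":
        findings.append(("NO_AUTHZ",
                         "security.authorization is not enabled: anyone who can "
                         "reach the port can read and write every database"))

    # Exposure: bindIpAll, a wildcard address, or no bindIp at all (flagged
    # too, since releases before 3.6 listened on all interfaces when unset).
    bind_ip = net.get("bindIp")
    addresses = [a.strip() for a in str(bind_ip).split(",")] if bind_ip else []
    wildcard = any(a in ("0.0.0.0", "::") for a in addresses)
    if net.get("bindIpAll") or wildcard or not addresses:
        findings.append(("BIND_ALL",
                         "mongod listens on all interfaces: the database is "
                         "reachable from any host that can route to it"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_mongod(cfg) or "no findings")
```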
Hacking Team Hack – Step 4
Local Privilege Escalation:
• iSCSI remote mount (Exchange VM backup)
• Registry hives download
• Dump registry secrets (lsadump, creddump, secretsdump, etc.)
Results:
• Local Administrator account (besadmin) plaintext password in service
Privilege Escalation
Compromised Creds.
Hacking Team Hack – Step 5
Pivoting / RCE / Compromise Creds:
• Using besadmin to log into servers
• Install Meterpreter agent
• Scrape memory for creds (mimikatz)
RCE Pivoting Local IG (Creds)
Hacking Team Hack – Step 5b
Results:
Domain Admin Creds
Domain Dominance
Hacking Team Hack – Step 6
Local IG / Exploit / Pivoting:
• Mounting TrueCrypt volume
• Text file pointing to Nagios server creds
• OS command injection in web apps
• Nagios connected to source code network
Result:
• Access to source code network as admin
Local IG
Pivoting
Exploit / RCE
Hacking Team Hack – Conclusions
Data Exfiltration / Persistence:
• Method unknown (probably just TCP)
• No persistence set (Duqu style)
Results:
• All emails
• Source code for most applications
• Company's Twitter account
Persistence
Data Exfiltration
High level cycle of a compromise
https://blogs.technet.microsoft.com/enterprisemobility/2017/01/24/cyber-security-attackers-toolkit-what-you-need-to-know/
Core Security Solutions
Core Impact – Pentesting / Red Teaming solution
Multi-Threat Surface Investigation
Commercial-Grade Framework
Actionable, Customized Reports & Results
Security Awareness & Evidence
Vulnerability Insight - Attack Path Simulation
Identify "Attack Path":
• Learning what an attacker can do to your network today
• Identifying dangerous trust relationships between components
Remove false positives and less relevant vulnerabilities
Network Insight
Access Insight
VULNERABILITIES & ATTACK PATH FOR INFECTED DEVICES
SUSPECTED & INFECTED HOST INFORMATION
Network Insight
Vulnerability Insight
Access Insight
ACTIONABLE INSIGHT
& RESPONSE
AIR
Putting it all together