Advanced Persistent PenTesting: Fighting Fire with Fire

Jonathan Cran

Wed, 7th November 2012


Max, Concise Courses:
Good afternoon everybody, we have Jonathan Cran with us today. Jonathan is the CTO at Pwnie Express. Thank you so much for joining us, if you could give us some background about yourself and Pwnie Express and then jump into the presentation titled: “Advanced Persistent PenTesting: Fighting Fire with Fire.” Thanks and go for it!

Jonathan Cran:
Hi All, my name is Jonathan Cran, I’m the CTO at Pwnie Express, I have a strong background in security, and I’ve been doing this for a little while now. This is a presentation that I gave recently at Hacker Halted in Miami, and without further ado let’s just jump straight into it!

Really the goal of this is to bring out a different view of pentesting and a different look at it. When we put this together and named it [the presentation] “Fighting Fire with Fire”, what does that really mean? For us, Jason and I – Jason Malley who put this presentation together with me – it was an analogy of keeping the uncontrollable, i.e. hackers, in a semi-controlled environment and really creating boundaries that they can work with. And really finding issues before they find you. Also – testing the defenses a little bit more than is usually done in pentesting.

From 1:55 minutes onwards: So, what we will do today, is I’ll bust through this really quickly and look at APTs in 2012, the threat landscape, and look at some compromise case studies from a few years back. So the process to gather information for this presentation was from Breach Reports and a lot of IR Reports. So we went through a lot of Threat Reports and tried to find commonalities and similarities between breach reports, so Mandiant, Trustwave, Verizon, Shadowserver, everyone who puts information out there we really appreciate it because it gives us pentesters something to work within.

From 2:35 minutes onwards: The threat landscape in 2012, really what the breach reports talk about are, Hacktivists, Financially Motivated Attackers, State-Sponsored Attackers and to a lesser extent Employees and Casual “Attackers” – there has not been much mention of the last two, instead most of the focus has been on the State-Sponsored Attackers, so let’s focus on that for this presentation.

Intuitively, if you think about it, hackers are people too – they have a personality, a limited set of knowledge. When they are in your environment they have less visibility than you, so walking into an environment as a Penetration Tester, you sort of have to feel your way around. There are some very common patterns that emerge as you walk around in the new environment.

In 2012 it came to light that Barnes and Noble, just recently with their keyboards which are run on Linux Servers, global payments – 1.5 million credit card payments were stolen. VeriSign, a “Broker of Trust”, was hacked repeatedly and successfully. This focuses more on espionage than the Breach Reports. RSA, Northrop Grumman, L3 and Lockheed are the most commonly talked about state sponsored hacks that we know about. Interesting to note that public disclosure is very rarely discussed. There are interesting reports out there: six percent of attacks were self-detected in 2011, typical attacks go undetected for a year, 100% of those attacks had credentials stolen, typically those are Windows credentials – targeted attackers going straight for the Windows SAM, the SAM being the credential store for Windows.

From 5:08 minutes onwards: What we have here is some case studies. It’s a little difficult to see on the Hangout, at the very bottom you see external network access, gathering a list of names, constructing an email with a backdoor [with the intention] of getting the backdoor executed through a workstation which gives you access to the internal network where you can look for vulnerabilities. Once there you can look for a Windows workstation which, if you have system access, you can drop local system admin hashes, an administrator token, and eventually get all the way up here to the top and grab access to their secure infrastructure like their firewalls etc.

The attack process is the phishing attack, install the Remote Access Tool, enter and find the domain administrator, grab your data and get out. Same thing here, down at the bottom: physical access, getting access to a building, getting access to an internal network, and then getting access to the domain administrator and scale the network.

So again, initial access, Remote Access Tool install, Pass-the-hash, domain access, and then exfil. These were actually from a set of pentests that I did in 2008-2011 – they are almost always the exact same pattern. Phishing first, Pass-the-hash by using improper network segmentation to get access and from there you have access to a Windows network. Once there you can access Linux servers and find credentials stored. During these pentests, there was basically a zero detection rate, which was interesting. Once you have an initial piece of access, we go in to find holes but we are rarely given an opportunity to work with defenders to detect you and to help them see what an attack plan looks like. Collaboration is very superficial, they say [the company employing the Professional Pentester], “OK, you guys are doing a pentest this week, don’t break anything, just give us a report at the end of the week.”

From 8:13 minutes onwards: With that in mind, let’s take a look at APTs in 2012. This is actually ripped from a Mandiant manual, so this should look very familiar to penetration testers: get initial access, get an initial foothold, escalate privileges and “rinse and repeat” that process, get access to whatever you want, then get out.

This is from the RSA breach, which was an APT/State Sponsored Attack. A phishing email was sent, they got remote access to the VPN Server then remotely logged in and no one noticed this. Attackers are more likely to stay in the environment to install multiple access points, they are more interested in remaining stealthy and more likely to install multiple backdoors using Poison Ivy.

From 9:27 minutes onwards: Infiltration. We consider infiltration as that initial compromise, which we will call phishing. APT Infiltration is usually a client side attack now, whether it is a common office application or whether it is a browser application, you have to get them to view a webpage or web application that belongs to you, the connect back can often happen via HTTPS. You can do this – this is what you test for. There are lots of commercial tools out there; Phishme and SaaS services are generally neutered and good for user training.

As far as detecting this, you will notice a common theme here, Windows event logging and event logging – this is really the core here, you want to have it enabled. Often pentesters aren’t actually checking for logging detection, whether or not they are seeing it in real time. Another intrusion detection tip is monitoring DNS for rogue domains and email filtering. Egress filtering is one of those things that is such good practice – i.e. breaking HTTPS and DNS at the perimeter so that you can essentially monitor the traffic and see what is going on.

From 11:05 minutes onwards: Escalation. Once we have that initial foothold, how do we escalate privileges from that workstation? You really want to be local admin, there’s really such a wide array of ways to do this, whether it’s SMTP relay, or using a local exploit on Windows, you’ll need to bypass UAC and there are often credentials stored there that you can get access to. Typically what you are going to do to test this is Metasploit and Meterpreter, use PsExec to authenticate to other machines, use “pass the hash”.

How are you going to do that [detect from a pentester’s point of view]? Maybe through a Network Intrusion Detection System or Windows event logging to see who has logged in when and how?

From 12:06 minutes onwards: Internal Recon. This is a process of working through the environment, most of the files attackers want are on desktops or a network share or an email. It can be a pain to get access to these, but getting access to these using pass the hash and tokens, not “token impersonation” but grabbing stored local admin tokens stored in the local system is pretty easy using Meterpreter.

From 12:40 minutes onwards: RAT. You often see the APT using different RATs, Remote Access Tools, giving you the ability to upload to a remote server, search the hard drive and take a screenshot. You can read this as this is a remote access tool, or this is Meterpreter.

VPN or RDP is sometimes necessary to get access to email. How are you going to monitor that? Again, monitoring access to resources and event logging.

Persistence. Event logging is a common theme, detecting these types of attacks is very crucial. What I would like to see happen is that pentesters don’t focus on the holes they find but rather the monitoring as well. APT is using built in tools or VPN and you may install a rootkit. How do you do this? Get hold of VPN accounts, use RDP if it is available, you can backdoor several systems using not only Metasploit but also a remote access tool, you can build your own RAT tools. Using a C&C server is also a common pattern.

How to infect this stuff, persistence right? Somewhat you can detect this through local anti-virus or monitoring DNS as it connects back-out, but it is a difficult thing to detect, especially if there are multiple access tools installed.

From 14:55 minutes onwards: Exfiltration. Three to four years ago, I was using FTP, IRC, today it’s all HTTPS or DNS. Interesting to note that in many [breach] reports, 46% of infected machines didn’t even have malware installed, [the attacks] came from RDP and VPN. Again! Event logging. As far as testing for it, a really great way to test is using the Pwn Plug. This is a really great way to test if your pentesting is working, you can certainly use Metasploit or Meterpreter, which has a really strong HTTP and HTTPS protocol that can be used to pentest this and to exfil.

As far as detecting it [the Pwn Plug] don’t allow outbound DNS or HTTP/HTTPS without monitoring and filter everything because it breaks everything at the perimeter.

From 15:51 minutes onwards: Lessons Learned. So great, what have we learned? The focus on the pentest is typically on a binary result, “yes or no”. Yes – we passed the pentest or no, we didn’t. I am thinking that this is wrong in a few ways, we should be focusing on the fact that a pentest is really replicating a process of the threat, and we should be simulating the threat.

And we should be working closely with defenders and be close to them, and working with them to improve the process of this. There is a ton of stuff to be learned about IR data. You need to be IR ready, having the ability to detect odd things on the network.

Don’t stop the threat entirely, we talked about the “strike zone” – better to define everything in the environment before remediating and shutting off access for example looking for multiple backdoors. Jason added this slide, “My NFL team is awesome in practice, they only suck in the game” – the goal of that is practice, practice, practice. The process is “testing and detecting, testing and detecting etc”.

Be IR ready – there’s an awesome presentation at the bottom [of the slide Jonathan was showing] – the core here is centralized robust logging, should anything happen, or when it happens. Everyone has a plan until you get punched in the face. A good sort of goals to work with here are, “classify and count security incidents and measure time from detection to containment.”

Those are so key to any pentest that anyone who is not measuring those will have problems – you need to know those to better defend your network. It’s so critical because there are going to be incidents and it is going to take you time to remediate those, and if you can lower that then you will be safer. Do you know where your sensitive data is? If we gave you a hostname and said, “Could you tell me within a few hours whether it had sensitive data on it?” Could you say within a minute, or an hour, or a week that it has sensitive data on it?

From 18:24 minutes onwards: So, a couple of ideas, pentesting should not be a binary result, the process itself is a product, a better product is better capability. Better capability is measurably lower response times. You can also gamify the results a little bit, pick and choose certain targets within that. Give access to a pentester and see where they can get to. Pentesting is really and should be looked at more as “incident response training”. It’s one thing to tell your target [client] that they have something wrong and another to actively work with them.

Not if but when? Let’s recap, the ultimate goal of this presentation is to work more closely with events and make sure that logging is actually happening as you are doing an attack because that will lower the cost and the time to detect malicious activity within the environment.


Questions and answers


Max, Concise Courses:
Thank you so much for that. A couple of questions for you, they are more product related I guess. “Can anyone buy your products, because the products could be used for nefarious reasons? Is there a filter at Pwnie Express for who can buy the products?”

Jonathan:
Sure, what we do is pretty good verification based on credit cards, we don’t sell to countries that we can export crypto to, but we do sell to anyone around the world. We look at it very similar like an education thing, much like Metasploit. Is it better than nothing has been happening for ten years, or do we do something about it, or better that we brought it to light?


Max, Concise Courses:
Now we had a show yesterday, with DJ Palombo, who has created a string of uses for the Raspberry Pi. The question is, are you planning on integrating the Raspberry Pi on any of your products?

Jonathan:
As soon as the Raspberry Pi came out we took a look at it and, this thing is like super-powerful and super-cheap and we love it. We actually published some scripts about it on our GitHub, so if you go to our GitHub, there is a process that you can use to turn it into a Raspberry Pwn. Are we looking at integrating it? Not right now, it’s one of those things that, it’s got some very awesome uses, but it’s not exactly what we are focusing on right now. Expect to see more of this to happen in the next few months and next year. One of the things I have been able to do since I have been here is to take a lot of what is happening on the Pwnie Plug and extract that into other hardware devices, you’ll see some announcements of that next month.


Max, Concise Courses:
Would you like to share any R&D with us? Any new products?

Jonathan:
Hey we should definitely do another interview where we just talk about the products – that would be awesome.


Max, Concise Courses:
Thanks so much for your time and we will be in touch and we will get you on ASAP for a product focus event.

Jonathan:
I’d love to, thanks very much.