FADE FROM WHITE HAT… TO BLACK
BEAU BULLOCK
“Everyone is a moon and has a dark side which he never shows to anybody”
~ Mark Twain
KEY FOCAL POINTS
• Non-attribution
• Target Acquisition
• Reconnaissance
• Exploitation
• Profitization
WHO AM I
• Beau Bullock
• Pentester at Black Hills Information Security
• Host of Hack Naked TV
• Previously an enterprise defender
• OSCP, GXPN, GPEN, GCIH, GCFA, OSWP, & GSEC
SIDE NOTE
2014
IN TWO YEARS SINCE THEN I’VE…
• Performed pentests against 70 different companies
• Recorded 20 Hack Naked TV episodes
• Spoke at three different security conferences
• Wrote eight blog posts
• …now adding keynote to the list
Enough about me
NON-ATTRIBUTION
DREAD PIRATE ROBERTS (DPR)
• How Ross Ulbricht got caught = really bad OPSEC
• Boasted about creating an “economic simulation” on LinkedIn
• Put his real face on fake IDs used to purchase servers
• Asked for advice on Stack Overflow about coding Silk Road
• Hired an undercover cop to perform a “hit” for him
• TOR IP publishing leak - leaked Silk Road’s actual IP
• Accessed Silk Road from a café half a block from his residence
DESIGN WITH OPSEC IN MIND
• Let’s try to avoid DPR’s mistakes
• Don’t trust humans
• Build attack infrastructure with the most important element being OPSEC
• Maintain anonymity in both the real and digital worlds
NON-ATTRIBUTABLE SETUP
• Necessities (rebuilt from scratch for each job)
• A laptop to work from
• Internet
• VPN/proxies
• CnC and attack servers
• Non-attributable currency (e.g. Bitcoin, pre-paid VISAs)
LAPTOP PURCHASE
INTERNET
• Free WiFi at coffee shops, hotels, or my favorite… apartment complexes
• Greater than 50 miles from residence
• Never bring residence into circumference
NOT OPSEC SAFE
A BIT MORE OPSEC SAFE
ATTACK ARCHITECTURE SETUP
• Never directly attacking an organization
• Will need multiple virtual private servers (VPS)
• In order to be non-attributable we will need a few things:
• Alternate identities
• Currency (Bitcoin, pre-paid VISA, etc.)
BUY BITCOIN FOR CASH
VPS FOR BITCOIN
PRIMARY ATTACK SYSTEMS
• VPS Network 1
• VPN server
• Management server
• Password cracking server
• VPS Network 2
• Primary attack server
• Command and Control server
CONNECTIVITY
• VPN from base camp to VPS network 1
• SSH/RDP to management server
• Route all traffic from management server through TOR
• SSH from management server to VPS network 2 hosts
NON-ATTRIBUTION DIAGRAM
1. Live-booted off USB to Linux
2. Connected to free WiFi
3. VPN’d to VPS net 1
4. VNC to management server in VPS net 1
5. Route all traffic from management server through TOR
6. SSH from management server over TOR to attack server in VPS net 2
7. Mandatory Caffeination
TARGET ACQUISITION
MOTIVATION
• Easy Targets
• High Profile Targets
• Contracted Targets
• Vengeance
EASY TARGETS
• Shodan - Unauthenticated VNC servers
• Shodan - Vulnerable services
HIGH PROFILE TARGETS
CONTRACTED TARGETS
VENGEANCE
RECONNAISSANCE
INFORMATION DISCLOSURE
• Organization’s username structure
• Credentials in previous breaches
• External network ranges
MINIMIZE THE NOISE
• Use sites like Shodan and Censys to discover open ports on the target’s systems
• Again, look for low hanging fruit
• Locate external login portals (we’ll get to why these are important shortly)
EXPLOITATION
ATTACK 1 - CREDENTIAL REUSE
• How can we exploit credential reuse on personal accounts?
• Publicly compromised accounts
• Pipl - locate employees based off their email address
• Attempt to log in to their corporate account using the creds recovered from a previous breach
ATTACK 2 - PASSWORD SPRAYING
• FOCA
ATTACK 3 - PHISHING
• The “golden ticket” to pretty much any network
• Two types of phishing: credential gathering and system compromise
• Credential gathering
• Clone an external login portal
• Phish users to log in to gather creds
• Redirect to the actual portal
• System compromise via remote exploitation
• Word doc macros, browser exploits, etc.
REMOTE ACCESS
• VPN - is 2FA in play?
• RDP?
• Access to OWA - phishing across internal accounts = win
• No physical attacks. If I can’t compromise the network remotely I move on.
POST-EXPLOITATION
• PowerShell and command line - no extra tools needed
• GPP
• Widespread local admin
• Insecure perms on other systems (domain users in local admins)
• Internal password spraying
• PsExec/Mimikatz combo
LOOT
• Pivot to DC, dump domain hashes
• Locate vCenter servers, DBs, etc.
PROFITIZATION
TURNING COMPROMISE INTO CASH
• Carder?
• Identity Theft?
• Ransomware?
• Hacktivist?
THE TRICKY PART…
“It’s not that we find criminals like this through cyber-forensics. We get them in the real world when they do something stupid, it’s invariably how it works: Getting credit cards is easy. Turning it into cash is hard.”
~ Bruce Schneier
TWO MAJOR PROBLEMS
• Bitcoin is not untraceable
• Turning large amounts of Bitcoin into cash is not trivial
TRACING BITCOIN
• blockchain.info
• blockseer.com
BITCOIN TO CASH
• This becomes a money laundering problem
RIP AND REPLACE
• Full teardown and removal of all testing systems
• Rebuild from scratch for next job
FADING BACK
WHY I DON’T DO THIS
• Ethics
• Inevitability of getting caught
• Danger of entering the criminal world
WE CAN MAKE IT BETTER
• Enterprise defenders, pentesters, security engineers, developers, forensicators, network engineers, sysadmins, DBAs, etc.
DEFENDERS
• Shift focus from attribution to detection and prevention
• Increase logging to detect when attackers are performing attacks like password spraying
• Ensure all external login portals are using 2FA
• Increase length of password policies
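One way to act on the logging point above, as an added example that is not from the talk: a detector that flags a source failing logins against many distinct accounts inside a short window, which is the trace password spraying leaves and a per-user lockout rule misses. The log format, the sample lines and the thresholds are constructed for the example.

```python
"""Flag password-spraying sources in authentication logs (added example).
A spray tries one password against MANY accounts, so one source fails
across many distinct usernames while each user stays under lockout."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from a real system): "<ts> <src_ip> <user> <result>"
SAMPLE_LOG = """\
2016-05-01T09:00:01 203.0.113.7 asmith LOGIN_FAIL
2016-05-01T09:00:03 203.0.113.7 bjones LOGIN_FAIL
2016-05-01T09:00:05 203.0.113.7 cdoe LOGIN_FAIL
2016-05-01T09:00:07 203.0.113.7 dlee LOGIN_FAIL
2016-05-01T09:00:09 203.0.113.7 efox LOGIN_FAIL
2016-05-01T09:00:11 203.0.113.7 fgill LOGIN_OK
2016-05-01T09:05:00 198.51.100.2 asmith LOGIN_FAIL
2016-05-01T09:05:10 198.51.100.2 asmith LOGIN_FAIL
2016-05-01T09:05:20 198.51.100.2 asmith LOGIN_OK
"""

def parse_log(log_text):
    """Yield (timestamp, src_ip, user, result) tuples, skipping blank lines."""
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            yield datetime.fromisoformat(ts), ip, user, result

def detect_spray(log_text, window=timedelta(minutes=10), min_users=5):
    """Return {src_ip: {"users": [...], "successes": [...]}} for each source
    whose failures span >= min_users distinct accounts inside one sliding
    window. A per-user lockout rule misses this: no user fails twice here."""
    fails, oks = defaultdict(list), defaultdict(set)
    for ts, ip, user, result in parse_log(log_text):
        if result == "LOGIN_FAIL":
            fails[ip].append((ts, user))
        else:
            oks[ip].add(user)
    alerts = {}
    for ip, events in fails.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide window
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_users:
                # Successes from a spraying source = guessed creds; reset first.
                alerts[ip] = {"users": sorted(users), "successes": sorted(oks[ip])}
                break
    return alerts
```

The second source in the sample (one user, two failures, then success) is ordinary user behaviour and is not flagged, while the first is reported together with the account it eventually logged into.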
ATTACKERS
• Continue to highlight the importance and value of credentials
• Attempt to locate credential reuse across accounts
• On external assessments attempt to password spray portals that use domain-based authentication
• Escalate internally & crack all the passwords
THANK YOU
• @dafthack