Social-Engineering Adaptive Pentesting
Kevin Mitnick (@kevinmitnick) http://mitnicksecurity.com
Dave Kennedy (@Dave_ReL1K) http://www.secmaniac.com
About Kevin
Check out the new book, Ghost in the Wires.
CEO of Mitnick Security Consulting.
Penetration tester.
Social engineering? He's learning.
About Me
Creator of the Social-Engineer Toolkit.
Founder of DerbyCon.
Co-author of the No Starch Press book on Metasploit.
BackTrack Development Team.
Exploit-DB Development Team.
Exploit writer.
Penetration tester.
Chief Information Security Officer, Fortune 1000.
Social-Engineer podcast, ISD Podcast.
I give hugs.
Brief Introduction
The Basics of Penetration Testing
We have to explain this. Penetration testing continues to morph into different interpretations.
The Penetration Testing Execution Standard.
We continue to see "vuln + exploit" smash-and-grab pentests that are useless.
Have we forgotten?
Have we forgotten the reason why we do penetration testing?
We are truly attempting to simulate an adversary and go after something that is important to the organization.
Hackers are creative; it's their nature, it's our nature.
We get into standard methodologies and pre-canned penetration tests, and lose complete focus on what we're really going after.
Something is obviously wrong
2008: 354 reported public data breaches
2009: 251 reported public data breaches
2010: 604 reported public data breaches
2011: 499 reported public data breaches (we're not done yet)
Source: http://www.privacyrights.org
We spend more.
So we spend more and more money on protecting our infrastructure.
We buy from the latest technology company that can protect us against zero-days.
We are the only industry that I know of that can take more resources, more capital expenditures, more expense, and get worse.
This brings us to our point.
We strongly believe that penetration testing is a portion of the answer to securing your infrastructure.
Security breaches are the best thing that can happen to a company.
Option 1: A real breach
Company A experiences a breach.
Security up until that point was extremely difficult to implement.
The company is bleeding cash at this point. It won't go bankrupt (in most cases), but it hurts.
The company rebounds and, depending on how it's sold, the breach can be the best thing that ever happened to the company.
Option 2: A simulated breach
Maybe not AS effective as a real breach, but if conducted properly it can show a true breach.
The ability to simulate a breach's effect on the bottom line.
If sold right, it should have a positive effect on the advancement of the security program.
Penetration Testing
It's something MORE than a smash and grab.
It's more than finding exposures.
It's more than a pre-canned assessment you slap junior consultants on.
It's supposed to be something that benefits the customer, not a 400-page report on vulnerabilities.
Adaptive Pentesting
The reason we wanted to do this talk was to explain how we need to think during penetration testing.
The tests need to impact the company's ability to generate revenue.
You can't always do the same attack; you need to be creative.
Think outside of the box. Think as a hacker.
The rest of this talk
The rest of this talk is going to focus on real-world examples that we've used in the past.
We will focus on how we did it.
Not saying it's perfect, but you need to frame your mind around being creative and doing something different.
Company 1: Windows 7
December 2010
Penetration test for a large international company with over 5000 employees.
Several days spent on developing the pretext and social-engineering campaign.
Initial probing of the organization identified that Windows 7 was in use.
FOCA, targeted emails, and pretext calls helped with identification of the operating system.
System Profiler
Leveraged a JavaScript-based profiling application that identified operating system, version numbers, Adobe versions, media players, Java, etc.
Used to identify what the organization would be susceptible to.
Setting the Stage
A customized, A/V-evasive Meterpreter shell was successfully created.
Windows 7 fully patched, confirmed.
Unsure whether Windows User Account Control (UAC) was enabled, but highly likely.
Profiling the target
User was compromised via social engineering leveraging the Social-Engineer Toolkit.
Running under a limited user account.
Two options: pivot further into the network and find other bugs, or circumvent UAC.
After some deliberation, UAC needed to be bypassed.
Bypassing Windows UAC
Working together, we spent about a week researching how UAC worked and potential methods around it.
By leveraging an exploit (still unpatched) of trust relationships with Trusted Publisher certificates, UAC was successfully bypassed.
Penetrating further into the network, we eventually obtained future trade projections, access to financial systems, and source code for the next software release.
DEMO
Lessons Learned
During the penetration test there were a lot of hurdles around persistence, UAC, and others.
Being adaptive to the surroundings led to a successful penetration test.
In conjunction with the external testing, a physical test was also launched.
Showed significant value to the customer by hitting future projection margins and intellectual property, and impacting the company's ability to generate revenue.
Company 2: Malicious Media
September 2011
Yep, this month.
Fortune 1000, international financial institution.
Customer requested that we deploy malicious items through the parking lot.
Some things to think about
How many times have we seen on an RFP "Must do this and this"?
We were bored with the standard USB or DVD/CD deployment. Everyone has done this before.
We decided to take a new approach.
The attack
Customized fancy keyboard. Who wouldn't want this thing?
Sent to five systems administrators at the company.
The Teensy Attack
Added a small chip, called the Teensy device.
Teensy, Teensy ++, Customized
In-Line attack
Soldered the Teensy in to act as a keyboard repeater.
Can detect when the victim is not at the keyboard.
Moves the mouse 1 pixel (undetectable to the human eye).
During offline hours, deploys the malicious payload.
The Results
Nine shells. Which was strange; we only sent 5.
My only guess is that the other sysadmins were jealous and ganked it, as we do in IT. Joke's on them.
Further penetrated the network. In this instance we breached the source code repository for the entire company.
Yep. It hurt.
DEMO
Lessons Learned
The USB/DVD may have worked.
We thought we had a much higher success rate on this.
Huge impact to the organization by taking the life-blood of the company: their software.
Company 3: Dead end. WAIT!
March 2011
External and wireless penetration test for a large customer.
While profiling the organization, social engineering was deemed somewhat risky, and a more direct avenue was quickly detected: SQLi on a front-end web application.
Penetrating the Network
MSSQLi yielded a local, customized, A/V-safe reverse Meterpreter.
Pivoting showed we were in a significantly segmented DMZ with minimal connections back.
Unable to breach the internal network.
Small external footprint; other avenues were not found.
More information on exporting certs
Check out the whitepaper written by Jason Geffner on exporting non-exportable RSA keys.
Tool written by iSEC Partners that exports the keys, called JBStore (jailbreak store).
Ding ding ding.
Pillaging the system yielded a private certificate signed by the internal CA.
After war-walking, we found the organization was leveraging 802.1X WPA2.
A fake access point was crafted leveraging the valid private certificate from the internal CA (a web server certificate).
Successfully had clients connect to the access point.
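The rogue access point worked because the clients only checked that the server certificate chained to the internal CA, so any certificate that CA had issued, including a web server's, was accepted. As an added defensive illustration (not from the talk and not the customer's configuration), here is a wpa_supplicant network block in that weak form beside a hardened one that also requires the RADIUS server's name; the SSID, identity, CA file path and server name are placeholders.

```ini
# Weak: the chain is validated against the internal CA, but no server
# name is required, so any certificate issued by that CA (for example a
# web server certificate) authenticates the access point.
network={
    ssid="corp-wifi"                      # placeholder SSID
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@corp.example"          # placeholder identity
    password="REDACTED"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-ca.pem"  # placeholder CA bundle
}

# Hardened: same chain check, plus the certificate's subject/SAN must
# exactly match the RADIUS server name, so a web server certificate
# from the same CA no longer passes.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@corp.example"
    password="REDACTED"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    domain_match="radius.corp.example"    # placeholder RADIUS server name
}
```

The Windows PEAP profile has the equivalent controls ("Validate server certificate" together with "Connect to these servers"); issuing RADIUS certificates from a dedicated CA rather than the general internal CA removes the shared-trust problem entirely.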
Lessons Learned
Although one area was a dead end, the ability to take something from information obtained and leverage it somewhere else is what makes us hackers.
We HAVE to think like this as we're doing our penetration testing, or else we are losing focus on what we are there to do.
Company 4: Powerlines Rock.
August 2011
Physical penetration test on an armed-guard facility.
Reconnaissance performed on the camera system; while using the bathrooms inside, we could see model numbers for the motion sensors.
The company was leveraging powerlines for communication of protocols for the security system, cameras, and much more.
Coming up with an attack
After researching specific brand names, X10 was the protocol being leveraged.
X10 leverages powerline communication.
Being creative
Decided to try something new and come up with an attack avenue to disrupt the security systems and go into the building without detection.
X10 Kit
Testing the jammer/sniffer
The Arduino Device
Modifying the TW523
Too much voltage/current
The working Jammer
DEMO
The Results
Night operation.
Security systems disarmed.
Lockpicked the back entrance door.
Alarm system never fired.
Full access to the facility.
What we wanted out of this
Think creatively.
Do something unexpected.
Be a hacker!
Give some real value to the customer versus some 400-page report.
The Social-Engineer Toolkit v2.1
Getting released today.
Over 27 new features, 22 bug fixes, and 18 enhancements.
Fast-Track is now a part of SET. Completely recoded from scratch.
DEMO