Dr. Hnyps - Hw I Larnd Sp Wrrying and Lv My Enmis - Guillaum Arcas and Lukas Ris - Ocbr 2015
Agnda Inrducin Tchnlgy S-Up Cusmizain Daa Analysis Sznaris
wh ar w?
Lukas Ris Lukas is a sfwar nginr wih Blu Ca Nrway, dvlping h bhaviral malwar analysis and back-nd sysms usd cra an xnsiv hra inllignc daabas. Whnvr ha is n challnging nugh, h dlvs in h dphs f srucurd languags fr cybr hra inllignc rprsnain sigh, hnyp dvlpmn and rsarching ICS/SCADA hras undr h umbrlla f h Hnyn Prjc fr which h srvs as a dircr. Fl fr ping m @glasls
Guillaum Arcas Guillaum has wrkd as Scuriy & Nwrk Analys sinc 1997 primarily - bu n nly - in h Inrn & Banking indusris. Guillaum hn spcializd in Digial Frnsics & Incidn Rspns and jind Skia as CERT am ladr. Guillaum is als mmbr f h Hnyn Prjc s Frnch Chapr sinc 2010. Whn n huning fr ndangrd spcis hanging n h Inrn, Guillaum uss rad (hrillr, SF, Hisry & Philsphy in n paricular rdr as lng as i is prind) and walk his dg. H s als nurishs a crain nsalgia fr h shp.x sfwar hnc his Twir s avaar (@y0m).
Evryhing Yu Always Wand Knw Abu Hnyps Bu Wr Afraid Ask
A Brif Hisry f Hnyps
1986 A lng im ag in a nwrk far far away...
And s i happnd ha n my scnd day a wrk, Dav wandrd in my ffic, mumbling abu a hiccup in h Unix accuning sysm. Smn mus hav usd a fw scnds f cmpuing im wihu paying fr i. Th cmpur's bks didn' qui balanc; las mnh's bills f $2,387 shwd a 75-cn shrfall. Nw, an rrr f a fw husand dllars is bvius and isn' hard find. Bu rrrs in h pnnis clumn aris frm dply burid prblms, s finding hs bugs is a naural s fr a budding sfwar wizard. Dav said ha I ugh hink abu i.
"Hy Mik, rmmbr hs carrs I lf u fr bai in January?" "Yu man hs SDI fils yu cnccd?" "Yah," I said. "Wll, my dar, sw, nnxisn scrary jus rcivd a lr."
Png, wih his cnacs hackrs acrss Grmany, knw hw us Hss's infrmain. Carrying Hss's prinus, n f h Brlin hackrs crssd in Eas Brlin and m wih agns frm h Svi KGB. Th dal was mad: arund 30,000 Duschmarks $18,000 fr prinus and passwrds. Th KGB wasn' jus paying fr prinus, hugh. Hss and cmpany apparnly sld hir chniqus as wll: hw brak in Vax cmpurs; which nwrks us whn crssing h Alanic; dails n hw h Miln pras. Evn mr impran h KGB was baining rsarch daa abu Wsrn chnlgy, including ingrad circui dsign, cmpuraidd manufacuring, and, spcially, praing sysm sfwar ha was undr U.S. xpr cnrl. Thy ffrd 250,000 Duschmarks fr cpis f Digial Equipmn's VMS praing sysm.
1991
Hnyp.sh
1999
Th Hnyn Prjc Th Hnyn Prjc is a lading inrnainal 501c3 nn-prfi scuriy rsarch rganizain, ddicad invsigaing h las aacks and dvlping pn surc scuriy ls imprv Inrn scuriy. Wih Chaprs arund h wrld, ur vlunrs hav cnribud figh agains malwar (such as Cnfickr), discvring nw aacks and craing scuriy ls usd by businsss and gvrnmn agncis all vr h wrld. Th rganizain cninus b n h cuing dg f scuriy rsarch by wrking analyz h las aacks and ducaing h public abu hras infrmain sysms acrss h wrld. Our missin rads " larn h ls, acics and mivs invlvd in cmpur and nwrk aacks, and shar h lssns larnd" wih hr main pillars: - Rsarch - Awarnss - Tls hp://www.hnyn.rg/abu
Wha is a Hnyp?
Hnyn Prjc Dfiniin (2002) "A hnyp is a singl sysm cnncd an xising prducin nwrk in rdr lur aackrs."
Hnyn Prjc Dfiniin (2004) "A hnyp is a infrmain sysm rsurc whs valu lis in unauhrizd r illici us f ha rsurc."
ENISA Dfiniin (2012) "A hnyp is a cmpuing rsurc whs sl ask is b prbd, aackd, cmprmisd, usd r accssd in any hr unauhrizd way. Th rsurc can b f any yp: a srvic, an applicain, a sysm r a s f sysms r simply jus a pic f infrmain r daa."
Whr?
On h Inrn: - i will gnra and cllc a l f nis and fn uslss infrmain ; - i can b sn as a mrics f h hra lvl frm h Nrh f h Wall; - i can hlp cnvinc h p-managmn n dcras IT Scuriy budg.
On inrnal nwrk: - if smhing happns hn sh* hi h fan! - Early Dcin Sysms fr CERT/DFIR ams ; - If smhing happns hr, n nd argu, im ls, yu ar in rubl and nd invsiga.
hps://www.nisa.urpa.u/aciviis/cr/suppr/praciv-dcin/praciv-dcin-f-scuriy-incidns-ii-hnyps
Taxnmy
Typ f aackd rsurc - Srvr-sid hnyp - Clin-sid hnyp (hnyclin)
Lvl f inracin - high-inracin: ral sysm - lw-inracin: mulad sysm - hybrid: mix f lw & high
hp://www.mcs.vuw.ac.nz/cmp/publicains/archiv/cs-tr-06/cs-tr-06-12.pdf
hps://www.nisa.urpa.u/aciviis/cr/suppr/praciv-dcin/praciv-dcin-f-scuriy-incidns-ii-hnyps
hps://www.nisa.urpa.u/aciviis/cr/suppr/praciv-dcin/praciv-dcin-f-scuriy-incidns-ii-hnyps
Why?
Early Awarnss & Dcin Sysm wih Rducd Fals Psiivs
In a prducin nvirnmn, sm hings may b suspicius.
Smn succssfully cnncs a srvr a unusual im frm India: - i can b yur nwly appind ffshr IT managmn srvic prvidr prfrming usual asks; - i can b a SysAdmin cnncing frm his/hr vacain plac bcaus f an mrgncy.
Or sm Chins hackr frm h PLA Uni 61398
In a hnyp r a hnyn nvirnmn, vryhing is suspicius by naur.
Smn succssfully cnncs a hnyp frm anywhr a any im: - i can b an inrudr prfrming laral mvmns; - i can b an insidr r a curius auhrizd usr; - i can b yur inrnal Rd Tam.
Or sm Chins hackr frm h PLA Uni 61398
In a prducin nvirnmn, yu can n mnir/lg/sr vryhing: - cs & srag cnsrains - lgal cnsrains
In a hnyp r hnyn, yu mus and can mnir/lg/sr vryhing: - nwrk raffic - upladd fils - sysm lgs
Hnyps & h Inrusin Kill Chain
A hnyp can drasically hlp dcing advrsary s Rcnnaissanc acins.
Cunr-OSINT: - A fak LinkdIn prfil, Facbk pag, mail addrsss publishd n crpra wbsi (can b hiddn in HTML cmmns s n visibl frm usual visirs), fak "lakd crdnials" n pasbin, fak DB dumps psd n undrgrund frums, c. can incras visibiliy n hwh aackr fund his/hr args. - Fak passwrd hash ladd in mmry dc us f passwrd salrs lik Mimikaz.
Hw?
Criical pins - Mnir/Cllc/Sr Daa - Allw/Frbid/Rsric accss h Inrn
Cllcing Daa - Yu ll hav answr his qusin: Hw can I mnir an inrudr wih privilgd accss (aka: r/adminisrar sysm usrs righs) wihu bing dcd/dfad?
Inrn Acccss - Wha kind f Inrn accss will yu gran frm h hnyp? If Inrn accss is limid, h inrudr can find n inrs in saying any lngr.
Avid Dcin
Skills
Wha skills d yu nd? - - Nwrk Frnsics Sysm Frnsics Rvrs Enginring Daa Analysis Cding
Hnyps Arsnal
High-Inracin Srvr-Sid Hnyps - Args - HiHAT - SSH: Bifrz, DckP, HnSSH
Lw-Inracin Srvr-Sid Hnyps - Gnral purps: Dinaa, Hnyd, Hnyrap Wb Applicain: Glaspf, GglHack Hnyp SSH: Kipp Scada: CnP VIP: Armisa Sinkhls: HnySink USB: Ghs USB hnyp
High-Inracin Clin-Sid Hnyps - Shlia - Capur-HPC NG Lw-Inracin Clin-Sid Hnyps - Thug - PhnyC
Hybrid Hnyps - HnySpidr - SURFcr IDS - SSH: Bifrz
Hnykns - a hnykn is a pic f daa ha shuld n b accssd hrugh nrmal aciviy, i.. ds n hav any prducin valu, any accss mus b inninal, which mans i is likly b an unauhrisd ac. (ENISA) - hp://www1.cs.clumbia.du/~angls/paprs/2009/dcydcumnsseccom09.pdf - hp://scliss.rg/fcus-ids/2003/fb/95
OTS Hnyps - hp://www.hnyn.rg/prjc
Firs sps wih a hnyp
L s play wih Kipp!
Kipp Kipp is a lw-inracin srvr hnyp mulaing h Scur Shll (SSH) srvic. I srs infrmain abu bru-frc lgin aacks agains h srvic and SSH sssin & acins h aackr launchd agains h srvr.
Kipp Accrding ENISA: Kipp is xrmly usful bcaus, in addiin h dcin f simpl bru-frc aacks agains SSH, i als allws yu gahr daa frm rminal sssin aciviy f an aackr in h mulad nvirnmn and cach fils dwnladd by h aackr.
hps://gihub.cm/dsasr/kipp
Kipp - Insall Kipp - hps://gihub.cm/dsasr/kipp/ - Cnnc kipp as an aackr. - Hw can yu dc yu r n n a ral sysm? - Hw can yu incras kipp's salh?
Kipp Kipp uss prdfind crdnials & passwrd fr r usr. - Chang ha cinmaic and mak kipp accp a cnncin afr X rials. - Wha pssibly can g wrng? - Hw fix ha?
Inrducin Why yu shuld b hr Gal f his raining Hands-n dfiniin Wha ar w n ding
Inrducin Why yu shuld b hr: r u s p y i r u c s a n m l p m l c b s a u l a p v y s i l Hn n i v i c u r s d n n f d n i k p y Any d n a y i l a u q a a d f g n a Wid r s p y n h I build
Inrducin Gal f his raining: s p y n h f u l a v h d n s a s r p y n Und h f g a s u h h i w n m p l Familiariz v d p y n h a s p G a glim
Inrducin Hands-n dfiniin: p y n h a n u r l l i Yu w n i a z i m s u c d n a S-up a a d m s a r c d n Lk a a
Inrducin Wha ar w n ding:!? a h W. p y n h a n u r d n a l l... Insa v a h w m i h d n a u y Up
Cncps Hnyp Evns Aribuin
Cncps Hnyp Evns s u i c i l a m y Pniall s i n f s L s c r u s s l a s Variu f n i a r g a h i w g n i h y r v Tak
Cncps Aribuin i y a l p s a l p, m a I s a fun g r b h a a d r m Th? i m r f g u y d Wha
Tchnlgy Glaspf L s build a hnyp Grads f inracin Cnp
Tchnlgy Glaspf p y n H n i a c i l p Wb Ap y r a s r v d a h g n i c a Ar n i a l u m E p y T y i l i Vulnrab
A Hnyp in 20 minus
hps://gis.gihub.cm/glasls/ac8c3290ba3301624
Tchnlgy L s build a hnyp: n i a m d a 1. G s s u q r 2. Handl 3.??? = $$$
Tchnlgy Grads f inracin: y i l i b a r n l u v a a l u ; ) L s m ' p h p. '. ] ' E M A N ' [ T E G _ $ ( d inclu b / m c. l i v / / : p?name=h * Abusing Sarch Engins.
Tchnlgy Glaspf Aracing h advrsary:? s u d n i f y h d w H s k r D l g G i a b h Crafing
Tchnlgy Cnp p y n H SCADA/ICS n m y l p d f s d Mh x l p m c G
S-Up This is a Hnyp! Fingrprining Hands-n
Cusmizain Why d yu wan? Basic cncps f dcpin Wh d yu wan cach?
Daa Analysis Wha is an vn? Evn rpring Wha d w s? Wha ar w n sing? Can w aribu?
Sznaris L s aack a hnyp Hw abus a hnyp
Summary Hnyps Dvlpmn Dplymn Usag
Snak Pak: Snar Y Anhr Wb App Hnyp Fcus n aack surfac Cnral vulnrabiliy Emulain Hnyp as a Srvic
Thanks! gihub.cm/mushrg @glasls - Lukas @y0m - Guillaum