Network Exploitation

CCTC - Networking

Outcomes


SKILL CCNE015: Communicate cyberspace operations methodologies

SKILL CCNE016: Define common frameworks for conducting cyberspace operations

SKILL CCNE017: Discuss methods to gain access

SKILL CCNE018: Describe network attacks



Hacker Methodology


- Reconnaissance (Footprinting, Scanning, Enumeration, Net Mapping)
- Gaining Access
- Privilege Escalation
- Post Exploitation
- Target Survey & Remote Forensics Analysis
- Cover Tracks (cleanup)
- Data Collection
- Establish Persistence

Cyber Threat Actors


Reference: SANS.org

- Cyber Criminals
- State Sponsored (Nation State)
- Hacktivist
- Insider Threats

Reference: JP3-12R

- Transnational Actor
- Individual Actors or Small Group


Threat Actions


- Malware
- Hacking
- Social Tactics
- Misuse
- Physical
- Error
- Environmental






Exploitation Methodologies


- Internal Exploitation vs. External Exploitation
- Commonly Compromised Assets
- Importance of Testing Tools








Exfiltration


Exfiltration via outbound connections is very common and hard to counter at the perimeter, since perimeter defenses have been built to focus on incoming threats


Common protocols are used to mask data exfiltration: HTTP/HTTPS, FTP and DNS, for example, easily blend into normal outbound network traffic, thus obfuscating the attacker's actions



Exfiltration


- In-band vs. out-of-band
- Access
- Persistence
- Means
- Custom exfiltration tool vs Native utilities






Critical Systems


- Assess Operational Architecture
- What types of functions are controlled by systems?
- How are dependencies represented among systems?
- Geographic (i.e. Control over infrastructure or area)
- Physical (i.e. Router/hardware)
- Logical (i.e. DNS/software)
- Cyber Persona (i.e. accounts/credentials/access to information)




Credentials


Common means for stealing credentials:
Social Engineering, reusing stolen passwords/shared credentials, brute force, security question reuse


Credentials can provide an adversary with:
Remote Access - gain remote entry into networks using Virtual Private Networks (VPNs) or remote access protocols, like RDP and VNC




Credentials


Movement within a network: Stolen credentials (especially domain admin credentials) can allow an attacker to move laterally within a network, or potentially deeper into higher security areas


Cloud Access: Cloud services that can be accessed via domain credentials allow an attacker to easily access valuable data, especially as organizations move information into the cloud




Credentials


Admin/Domain Admin Credentials
- Need to be audited
- Should not have the ability to alter audit files
- Require secondary approval


Access Controls
- Behavioral analysis
- Context Awareness
- Multi-factor authentication



Gaining Access


Shellcode
- Machine code
- Exploit vulnerability; deliver payload





Resources:
http://www.tenouk.com/Bufferoverflowc/Bufferoverflow5.html
https://www.coresecurity.com/system/files/publications/2016/05/TheShellcodeGeneration.pdf

Gaining Access


Code Injection: exploitation of a computer bug that is caused by processing invalid data.


Injection is used by an attacker to introduce code into a vulnerable computer program and change/manipulate the course of execution

Resources:
http://phpsecurity.readthedocs.io/en/latest/Injection-Attacks.html
https://blog.udemy.com/php-injection/

Gaining Access


SQL Injection is a code injection technique that could destroy or compromise the integrity of a database


SQL Injection is one of the most common web hacking techniques


SQL Injection involves placing malicious code within SQL statements via a web page's unvalidated user input
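As an added illustration (not part of the original deck), the same login check written two ways against a constructed in-memory SQLite table: one that splices the user's input into the SQL text, and one that binds it as a parameter so the input can only ever be data.

```python
import sqlite3


def make_db():
    # Constructed sample table; the credentials are placeholders.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # Unvalidated input is pasted straight into the statement text, so a
    # quote character in the input changes the structure of the query.
    query = ("SELECT username FROM users WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    # Bound parameters are passed to the engine separately from the SQL
    # text, so quotes in the input are compared as literal characters.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo():
    conn = make_db()
    # Textbook tautology: closes the password literal and appends an
    # always-true OR clause. SQL's AND binds tighter than OR, so the
    # concatenated WHERE clause evaluates to true for every row.
    tautology = "' OR '1'='1"
    return {
        "vuln_valid": login_vulnerable(conn, "alice", "correct-horse"),
        "vuln_wrong": login_vulnerable(conn, "alice", "wrong"),
        "vuln_injected": login_vulnerable(conn, "alice", tautology),
        "param_valid": login_parameterized(conn, "alice", "correct-horse"),
        "param_wrong": login_parameterized(conn, "alice", "wrong"),
        "param_injected": login_parameterized(conn, "alice", tautology),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The parameterized version is the fix the slide implies: validation helps, but binding parameters is what removes the attacker's ability to alter the statement at all.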

Network Attack Strategies


- Cyber Criminals
- Internal vs External
- Packet Sniffing
- Man in the Middle
- Network Scanning
- DoS/DDoS
- Access Attack


Collateral Effects


Ashley Madison:

- Responsibility claimed by the "Impact Team"
- Approx. 9.7 Gb posted on Tor
- Site source code posted in MANY git repositories
- Little hard evidence released; not clear whether this was an insider or external hacking


What are some of the collateral effects?




Collateral Effects


Yahoo Hacking:

- Yahoo's hacking has been measured as the largest data breach in history
- 2014 hack: 500 million accounts, 2014 hack: up to 1 billion accounts
- Not disclosed until 2016
- Two Russian FSB officials indicted
- US has no extradition treaty with Russia

What are some of the collateral effects?

Collateral Effects


OPM Hack:

- Breached December 2014
- 21 Million current/former Fed. Employees' PII leaked
- China is suspected of the breach
- SF-86's...foreign contacts?


What are some of the collateral effects?