Advanced Penetration Testing - Wil Allsopp - E-Book

Wil Allsopp

Description

Build a better defense against motivated, organized, professional attacks. Advanced Penetration Testing: Hacking the World's Most Secure Networks takes hacking far beyond Kali Linux and Metasploit to provide a more complex attack simulation. Featuring techniques not taught in any certification prep or covered by common defensive scanners, this book integrates social engineering, programming, and vulnerability exploits into a multidisciplinary approach for targeting and compromising high-security environments. From discovering and creating attack vectors, and moving unseen through a target enterprise, to establishing command and exfiltrating data--even from organizations without a direct Internet connection--this guide contains the crucial techniques that provide a more accurate picture of your system's defense. Custom coding examples use VBA, Windows Scripting Host, C, Java, JavaScript, Flash, and more, with coverage of standard library applications and the use of scanning tools to bypass common defensive measures.

Typical penetration testing consists of low-level hackers attacking a system with a list of known vulnerabilities, and defenders preventing those hacks using an equally well-known list of defensive scans. The professional hackers and nation states on the forefront of today's threats operate at a much more complex level--and this book shows you how to defend your high-security network.

* Use targeted social engineering pretexts to create the initial compromise
* Leave a command and control structure in place for long-term access
* Escalate privilege and breach networks, operating systems, and trust structures
* Infiltrate further using harvested credentials while expanding control

Today's threats are organized, professionally run, and very much for-profit. Financial institutions, health care organizations, law enforcement, government agencies, and other high-value targets need to harden their IT infrastructure and human capital against targeted advanced attacks from motivated professionals. Advanced Penetration Testing goes beyond Kali Linux and Metasploit to provide advanced pen testing for high-security networks.


Page count: 351

Publication year: 2017




Table of Contents

Cover

Title Page

Introduction

Coming Full Circle

Advanced Persistent Threat (APT)

Next Generation Technology

“Hackers”

Forget Everything You Think You Know About Penetration Testing

How This Book Is Organized

Chapter 1: Medical Records (In)security

An Introduction to Simulating Advanced Persistent Threat

Background and Mission Briefing

Payload Delivery Part 1: Learning How to Use the VBA Macro

Command and Control Part 1: Basics and Essentials

The Attack

Summary

Exercises

Chapter 2: Stealing Research

Background and Mission Briefing

Payload Delivery Part 2: Using the Java Applet for Payload Delivery

Notes on Payload Persistence

Command and Control Part 2: Advanced Attack Management

The Attack

Summary

Exercises

Chapter 3: Twenty-First Century Heist

What Might Work?

Nothing Is Secure

Organizational Politics

APT Modeling versus Traditional Penetration Testing

Background and Mission Briefing

Command and Control Part III: Advanced Channels and Data Exfiltration

Payload Delivery Part III: Physical Media

The Attack

Summary

Exercises

Chapter 4: Pharma Karma

Background and Mission Briefing

Payload Delivery Part IV: Client-Side Exploits 1

Command and Control Part IV: Metasploit Integration

The Attack

Summary

Exercises

Chapter 5: Guns and Ammo

Background and Mission Briefing

Payload Delivery Part V: Simulating a Ransomware Attack

Command and Control Part V: Creating a Covert C2 Solution

New Strategies in Stealth and Deployment

The Attack

Summary

Exercises

Chapter 6: Criminal Intelligence

Payload Delivery Part VI: Deploying with HTA

Privilege Escalation in Microsoft Windows

Command and Control Part VI: The Creeper Box

The Attack

Summary

Exercises

Chapter 7: War Games

Background and Mission Briefing

Payload Delivery Part VII: USB Shotgun Attack

Command and Control Part VII: Advanced Autonomous Data Exfiltration

The Attack

Summary

Exercises

Chapter 8: Hack Journalists

Briefing

Advanced Concepts in Social Engineering

C2 Part VIII: Experimental Concepts in Command and Control

Payload Delivery Part VIII: Miscellaneous Rich Web Content

The Attack

Summary

Exercises

Chapter 9: Northern Exposure

Overview

Operating Systems

North Korean Public IP Space

The North Korean Telephone System

Approved Mobile Devices

The “Walled Garden”: The Kwangmyong Intranet

Audio and Video Eavesdropping

Summary

Exercises

End User License Agreement


List of Illustrations

Chapter 1: Medical Records (In)security

Figure 1.1 Pharmattix network flow

Figure 1.2 User roles

Figure 1.3 VBA exploit code imported into MS Word.

Figure 1.4 Saving for initial antivirus proving.

Figure 1.5 This demonstrates an unacceptably high AV hit rate.

Figure 1.6 Additional information.

Figure 1.7 A stealthy payload indeed.

Figure 1.8 No, Qihoo-360 is not the Holy Grail of AV.

Figure 1.9 Blank document carrying macro payload.

Figure 1.10 A little more convincing.

Figure 1.11 Initial basic Command and Control infrastructure.

Figure 1.12 The completed attack with complete access to the medical records.

Chapter 2: Stealing Research

Figure 2.1 Permit all local Java code to run in the browser.

Figure 2.2 Java applet running in the browser.

Figure 2.3 The upgraded framework handles multiple hosts and operating systems.

Chapter 3: Twenty-First Century Heist

Figure 3.1 The beauty of this setup is that if your C2 is disrupted by security operations, you can point your DNS at another server.

Figure 3.2 A basic intrusion monitoring setup.

Figure 3.3 Mmmmmm. Stealthy.

Chapter 4: Pharma Karma

Figure 4.1 This image from cvedetails shows 56 code execution vulnerabilities in Flash in 2016 alone.

Figure 4.2 The number one issue on this AlienVault SOC alarm screen is vulnerable software, with that software being Flash.

Figure 4.3 This is clearly a large network that lacks a cohesive overall vulnerability management strategy.

Figure 4.4 Script output shows plugin data.

Figure 4.5 A LinkedIn invite comes as an HTML email message.

Figure 4.6 This is a remote command execution bug with reliable exploit code in the wild.

Figure 4.7 Metasploit does an excellent job at obfuscating the CVE-2015-5012 attack.

Figure 4.8 A simple XOR function can easily defeat antivirus technology.

Figure 4.9 The Meterpreter session is tunneled over SSH and looks innocent to network IDS.

Figure 4.10 Notepad cannot write to the C drive. It's a fair bet most desktop software programs have the same restrictions.

Figure 4.11 Armitage displays a list of plugins and their owners.

Figure 4.12 Process migration is a one-click process. Here we have migrated into lsass.exe.

Figure 4.13 In this example test.txt is uploaded from the attacker workstation.

Figure 4.14 Exploiting a vulnerability in the ScriptHost to escalate to the system.

Figure 4.15 Armitage makes a lot of tedious tasks a one-click affair.

Chapter 5: Guns and Ammo

Figure 5.1 Defense distributed ghost gunner. An open source CNC machine designed to manufacture AR-15 lower receivers restricted under Federal law.

Figure 5.2 The Soviet AT-4 (right) was a copy of the French MILAN system (Left).

Figure 5.3 Encryption process flow.

Figure 5.4 Decryption process flow.

Figure 5.5 Simplified covert C2 topology.

Figure 5.6 Veil-Evasion landing screen.

Figure 5.7 Veil with options set.

Figure 5.8 Veil can now generate a compiled Python executable from the raw shellcode.

Figure 5.9 The compiled executable is ready for use.

Figure 5.10 Once again, it's ready to use.

Figure 5.11 A Save As dialog box shows the file types Solid Edge works with.

Figure 5.12 Solid Edge application directory.

Figure 5.13 The victim will still have to Enable Content but that's a social engineering issue.

Figure 5.14 Lower receiver schematic in Solid Edge 3D.

Chapter 6: Criminal Intelligence

Figure 6.1 Not the most inviting message.

Figure 6.2 A basic HTML application.

Figure 6.3 That's a little bit better, but let's select something that fits the attack.

Figure 6.4 The inevitable VirusTotal example.

Figure 6.5 User Account Control dialog box. This can look however you want.

Figure 6.6 The XLS data contains bulletin names, severity, component KB, and so on.

Figure 6.7 Dependency Walker showing full DLL paths.

Figure 6.8 The Raspberry Pi 3B in all its glory.

Figure 6.9 A Raspberry Pi with a PoE HAT (hardware added on top).

Figure 6.10 Step one: connect with 3G.

Figure 6.11 Step two: select a USB device.

Figure 6.12 Step three: HUAWEI mobile.

Figure 6.13 Step four: interface #0.

Figure 6.14 Step five: business subscription.

Figure 6.15 Step six: you're good to go.

Figure 6.16 The KeyGrabber is an example of a WiFi-capable keylogger.

Figure 6.17 Caller ID can be easily spoofed.

Figure 6.18 Spoofing SMS messages likewise.

Figure 6.19 Keep these things simple but use whatever templates you have at hand.

Chapter 7: War Games

Figure 7.1 Compartmented U.S. secure communications center.

Figure 7.2 Not even the greenest jarhead is going to fall for this.

Figure 7.3 This creates the pretext.

Chapter 8: Hack Journalists

Figure 8.1 Initial beacon designated as Master node.

Figure 8.2 C2 uses Master for outbound connectivity.

Figure 8.3 A timeout on the Master node signals it is likely no longer functional or the host is switched off.

Figure 8.4 C2 Server nominates new Master node.

Figure 8.5 Agents nominate their own Master.

Figure 8.6 The Master functions as a gateway for other nodes as before.

Figure 8.7 Further elections are held as necessary.

Figure 8.8 The SDKPluginEntrypoint.cpp file.

Figure 8.9 Xcode build menu.

Figure 8.10 C2 agent extension payload.

Figure 8.11 Pre-flight packaging in InDesign.

Chapter 9: Northern Exposure

Figure 9.1 Red Star Desktop.

Figure 9.2 Getting a shell.

Figure 9.3 A shell.

Figure 9.4 Quicker and easier to work in English.

Figure 9.5 Red Star Linux in English.

Figure 9.6 Run rootsetting.

Figure 9.7 Enter the credentials you created for your user.

Figure 9.8 Now we have root access.

Figure 9.9 Disable Discretionary Access Control.

Figure 9.10 Disable monitoring processes.

Figure 9.11 Red Star Linux Install Screen.

Figure 9.12 Choose Desktop Manager.

Figure 9.13 Once again, better to work in English.

Figure 9.14 Insecure Squid Proxy.

Figure 9.15 Webmin Interface.

Figure 9.16 Toneloc output.

Figure 9.17 WarVOX Configuration.

Figure 9.18 Add targets to WarVOX.

Figure 9.19 Old School!

Figure 9.20 Yecon Tablet Device Information.

List of Tables

Chapter 5: Guns and Ammo

Table 5.1 The libgcrypt library contains all the crypto functions you will ever need.

Advanced Penetration Testing

Hacking the World’s Most Secure Networks

Wil Allsopp


Introduction

There is an old yet erroneous belief that fortune favors the brave. Fortune has and always will favor the prepared. When your organization experiences a serious security incident (and it will), it's your level of preparedness based on the understanding of the inevitability of such an event that will guide a successful recovery. It doesn't matter if you're responsible for the security of a local community college or if you're the CISO of an international bank—this fact will always remain true.

To quote Howard Ruff, “It wasn't raining when Noah built the ark.”

The first step to being prepared is being aware.

Coming Full Circle

There has always been the impression that you have to patch your systems and secure your networks because hackers are scanning vast address ranges looking for victims who haven't done these things and they'll take whatever vulnerable systems they can get. In a sense that's true—there have always been those who are satisfied with low-hanging fruit. It was true back in the 80s as well, with war dialing on the PSTN, and such attacks are usually trivial to guard against if you know what you're up against. However, if you are specifically targeted by someone with time and resources, you have a problem of an altogether different magnitude. Put simply, gaining access to corporate systems by patiently targeting the users was usually the best way to go in the 80s and it's usually the best way now. However, the security industry, like any other, is constantly looking to sell “new” products and services with different names and to do that, a buzzword is required. The one that stuck was advanced persistent threat.

Advanced Persistent Threat (APT)

What differentiates an APT from a more traditional intrusion is that it is strongly goal-oriented. The attacker is looking for something (proprietary data for example) and is prepared to be as patient as is necessary to acquire it. While I don't recommend breaking complex processes down into simple lists or flowcharts, all APTs generally have the following characteristics:

Initial compromise—Usually performed or assisted by the use of social engineering techniques. An attack against a client will include a core technical component (such as a Java applet), but without a convincing pretext, such an attack is usually doomed to failure. A pretext can be anything but is successful when tailored to the target and its employees. Casting a wide net to catch the low-hanging fruit (to mix my metaphors) is not an acceptable way to model APTs and is certainly not how your adversaries are doing things.

Establish beachhead—Ensure future access to compromised assets without needing a repeat initial intrusion. This is where Command & Control (C2) comes into play, and it's best to have something that you've created yourself, that you fully understand and can customize according to your needs. This is a key point in this book that I make a number of times when discussing the various aspects of C2—it needs to be secure but its traffic has to look legitimate. There are easy solutions to this problem.

Escalate privileges—Gain local and ultimately domain administrator access. There are many ways this can be achieved; this book will dedicate considerable space to the best and most reliable methods as well as some concepts that are more subtle.

Internal reconnaissance—Collect information on surrounding infrastructure, trust relationships, and the Windows domain structure. Situational awareness is critical to the success of any APT.

Network colonization—Expand control to other network assets using harvested administrative credentials or other attacks. This is also referred to as lateral movement, where an attacker (having established a stable base of operations within the target network) will spread influence across the infrastructure and exploit other hosts.

Persist—Ensure continued control via Command & Control. Persistence essentially means being able to access your target whenever you want regardless of whether a machine is rebooted.

Complete mission—Exfiltrate stolen data. The most important part of any APT. The attacker is not interested in vandalizing systems, defacing web pages, or stealing credit card numbers (unless any of these things advances the final goal). There is always a well-defined target in mind and that target is almost always proprietary data—the mission is completed when that data has been located and liberated.

I am a penetration tester by trade (a professional “hacker,” if you like) working for every possible kind of client and market vertical over the best part of two decades. This book speaks from that narrative. I want to show how conventional penetration testing is next to useless when attempting to protect organizations against a targeted APT attack. Only by going beyond the stagnant nature of contemporary penetration testing methodologies can this hope to be achieved. Potential adversaries today include organized crime and nation states—it's worth pointing out that foreign intelligence agencies (of any nation) are heavily invested in industrial espionage, and not just against hostile nations.

Next Generation Technology

There are numerous technologies available that claim to be able to prevent APTs, capable of blocking unknown malware. Some of these products are not bad and do indeed add another layer of security by providing some degree of behavioral analysis—for example catching a Metasploit callback by looking at what the .exe is doing rather than relying on an antivirus signature, which can be easily bypassed. However, that is trivial to model simply because the behavior of such tooling is very well understood. A genuine APT will be carried out by skilled threat actors capable of developing their own tools with a very strong understanding of how modern intrusion detection and prevention systems work. Thus, in describing modeling techniques, I make heavy use of the SSH protocol as it solves a lot of problems while masking activity from monitoring systems and at the same time gives the appearance of legitimate traffic. It is wise at this point to reflect on what an APT isn't and why. I've seen a number of organizations, commercial and otherwise, giving out advice and selling services based on their own flawed understanding of the nature of Advanced Persistent Threat. The following article published in InfoWorld is as good a place as any to rebut some myths I saw in a discussion online recently:

APT sign No. 1: Increase in elevated log-ons late at night—This is nonsense. Once a target has been compromised (via whatever means), the attacker has no need to make use of audited login methods, as they will have deployed their own Command & Control infrastructure. You will not see elevated log-ons late at night or at any other time.

Auditing logs will most likely hit nothing when a skilled attacker has established his beachhead. Most likely these mechanisms will be immediately circumvented by the attacker.

APT sign No. 2: Finding widespread backdoor Trojans—Throughout this book I will be constantly drilling into you how ineffectual AV and other malware detection tools are for combating APTs. The “A” stands for advanced; the attackers are more than capable of developing their own tools or masking publicly available ones. If you find backdoor Trojans (widespread or otherwise) and they were put there by an advanced external actor, they're decoys and you were meant to find them.

APT sign No. 3: Unexpected information flows—“I wish every email client had the ability to show where the latest user logged in to pick up email and where the last message was accessed. Gmail and some other cloud email systems already offer this.”

Any email system (or any other system for that matter) can record remote IP addresses and perform real-time analysis to detect aberrant behavior. However, if an attacker is in your network and chooses to access your users' email in this manner, the source address can and will originate within your own network. This is particularly the case as man-in-the-browser attacks become more common.

APT sign No. 4: Discovering unexpected data bundles—Hoping that you might accidentally stumble across zip files containing valuable data (that have been conveniently left for you to find) is a poor way to approach information security. While such a find might well be an Indicator of Compromise (IoC), it is neither reliable nor repeatable. You should assume that if an attacker is able to enter your network and steal your most valuable data, they know how to use the Delete command.

APT sign No. 5: Detecting pass-the-hash hacking tools—I'm not sure why “pass-the-hash” hacking tools were singled out for special attention—particularly as (generally) they don't tend to exist in isolation, but as part of hacking frameworks. Nonetheless, while the presence of any such tooling could be considered an IoC, you will learn in this book that leaving detectable hacking software lying around on compromised machines is simply not how this is done. Stealth and patience are the hallmarks of an APT.

“Hackers”

The demographic of what we consider to be “hackers” has changed beyond all recognition so this introduction will be the last time I use that word. It is outdated and outmoded and the connotations it conjures up are completely inaccurate. I prefer the more neutral terms, “attacker” or “external actor,” because as you will learn, there are far worse things out there than teenage anarchists with too much time on their hands. The “Golden Age” of hacking whose anti-heroes were Mark Abene, Kevin Poulsen, Kevin Mitnick, and others was an incredibly innocent time compared to today, where the reality is stranger than the cyberpunk fiction of the 1980s that inspired so many hackers of the day.

It's been a busy couple of years. The Snowden revelations shocked the world and directly led to wide-sweeping changes in the tech industry's attitude toward security. In 2013, I had a conversation with a client that would have been unthinkable prior to the leaks—a conversation where the NSA was the villain they wanted to be protected against. This was a globally respected Fortune 500 company, not the mob. Intellectual property theft is on the rise and increasing in scale. In my line of work I am in a unique position to say with certainty that the attacks you hear about are just the ones that are leaked to the media. They are the tip of the iceberg compared to the stuff that goes unreported. I see it on a daily basis. Unfortunately for the wider tech industry, breaking into target systems (and I'd include penetration testing here, when it's conducted properly) is a lot easier than keeping systems secure from attack. The difference between secure and vulnerable is as simple as one individual in a company of thousands making one small mistake.

Forget Everything You Think You Know About Penetration Testing

Nothing is really secure. If there is one lesson to take away then it should be that—a determined attacker is always going to be at an advantage, and (with very few exceptions) the larger an enterprise gets, the more insecure it becomes. There's more to monitor, more points of ingress and egress, boundaries between business units become blurred, and naturally there are more users. Of course, that doesn't mean you should give up hope, but the concept of “security through compliance” is not enough.

Despite the obvious benefits of this kind of holistic or open-scope testing, it is rarely performed in the real world, at least in comparison to traditional penetration testing. The reason for this is twofold: it is perceived to be more expensive (it isn't) and organizations rarely want that level of scrutiny. They want to do just enough to comply with their security policies and their legal statutory requirements. You hear terms like HIPAA-, SOX-, or PCI-compliant bandied about by vendors as though they mean something, but they exist only to keep lawyers happy and well paid and it is an easy package to sell. You can be PCI compliant and be vulnerable as hell. Ask T.J. Maxx or Sony: it took the former years to recover brand confidence; the vast amount of data leaked means that the damage to the latter is still being assessed. Suffice it to say that a compliance mentality is harmful to your security. I'm really driving the point home here because I want to make sure it is fully understood. Compliance with a security policy and being secure are not the same thing.

How This Book Is Organized

In this book, as stated, I'm going to examine APT modeling in the real world, but I'm also going to go a little further than that. I will present a working APT testing framework and in each chapter will add another layer of functionality as needed to solve different problems and apply the result to the target environments in discussion. In doing so, I will be completely code-agnostic where possible; however, a solid knowledge of programming is essential as you will be required to create your own tools—sometimes in languages you may be unfamiliar with.

Each of the chapters of this book discusses my experience of APT modeling against specific industries. As such, each chapter introduces new concepts, new ideas, and lessons to take away. I believe it's valuable to break this work down by industry, as environments, attitudes to security, and indeed the competence of those performing network defense vary widely across different sectors. If you are a pen tester, you will learn something. If you have the unenviable task of keeping intruders out of your organization's systems, you will learn things that will keep you up at night but also show you how to build more resilient defenses.

Rather than approach the subject matter as a dry technical manual, each chapter follows a similar format—the context of a wide range of separate industries will be the background against which new technologies, attacks, and themes are explored. This includes not only successful vectors of attack but such vital concepts as privilege escalation, avoiding malware detection, situational awareness, lateral movement, and many more skills that are critical to a successful understanding of both APT and how to model it. The goal is not simply to provide a collection of code and scripts, although many examples are given, but to encourage a broad and organic understanding of the problems and their solutions so that readers will think about them in new ways and be able to confidently develop their own tools.

Chapter 1, “Medical Records (In)Security,” discusses attacks on hospital infrastructure with concepts such as macro attacks and man-in-the-browser techniques. An introduction to Command & Control (C2) is also given.

Chapter 2, “Stealing Research,” will explore attacks using Java Applets and more advanced C2 within the context of an attack against a research university.

Chapter 3, “Twenty-First Century Heist,” considers ways of penetrating high-security targets such as banks and highly advanced C2 techniques using the DNS protocol.

Chapter 4, “Pharma Karma,” examines an attack against a pharmaceutical company and against this backdrop introduces client-side exploits and integrating third-party frameworks such as Metasploit into your C2.

Chapter 5, “Guns and Ammo,” examines ransomware simulation and using Tor hidden services to mask the physical location of the C2 infrastructure.

Chapter 6, “Criminal Intelligence,” uses the backdrop of an intrusion against a police HQ to illustrate the use of “creeper” boxes for long-term engagements where temporary physical access is possible. Other concepts such as privilege escalation and deploying attacks using HTML applications are introduced.

Chapter 7, “War Games,” discusses an attack against a classified data network and explains concepts such as open source intelligence gathering and advanced concepts in Command & Control.

Chapter 8, “Hack Journalists,” shows how to attack a publisher and use their own technologies and workflows against them. Emerging rich media content and experimental C2 methodologies are considered. Advanced concepts in social engineering are introduced.

Chapter 9, “Northern Exposure,” is a hypothetical attack against a hostile rogue state by a government Tailored Access Operations (TAO) team. North Korea is used as a convenient example. We discuss advanced discreet network mapping and means of attacking smartphones, including the creation of hostile code for iOS and Android phones.

So, without further ado—on with the show.