Thomas Mackenzie Obfuscation methods and planning

Post on 09-Jun-2015


Page 1: Obfuscation Methods And Planning

Thomas Mackenzie

Page 2

Page 3: About Me

Northumbria University

Web Application Testing

WordPress

upSploit

Page 4: NOTE

WINDOWS

METASPLOIT / METERPRETER

Page 5: About The Project

Based upon, and continuing, work and research by Carlos Perez.

All about a new vector / idea / problem that needs to be reported to a client.

EARLY STAGES

15 minutes: an overview of what I want to find and some information about what I want to get out of it in the end.

Page 6: Locard's Exchange Principle

Page 7

“WITH CONTACT BETWEEN TWO ITEMS, THERE WILL BE AN EXCHANGE”

Page 8

Every action you take will always leave a trace. Even when the action is to cover or delete the trace of another action.

You will not only leave artefacts and traces on the target system but also on some of the devices you transit and communicate through.

?

Page 9: Problem?

Developers may create vulnerable code (this always has been and always will be a problem).

Another problem, however, that I don’t believe is looked at:

At what stage do SysAdmins know that their system is being attacked, and is this early enough?

Page 10

Page 11: Idea?

Create part of a testing stage that the SysAdmins can join in with!

A low to high noise area of testing.

What does this mean?

Page 12: Idea (2)?

Checklist or Testing Guide.

Make sure that the SysAdmin is aware of what is going to happen and ask them to co-operate.

Plan a low – medium – high framework that can be used.

See where the SysAdmin picks it up.

Incorporate this into the report.

Page 13: Idea (3)?

It is all well and good knowing you have been attacked, but not knowing when is when you need to worry.

What information has been compromised?

Page 14: Knowing your enemy

Not all companies have IR teams.

Low-hanging fruit will be checked first:

Processes, connections, EventLog and in some cases memory dumps.

Page 15: Knowing your enemy (2)

Process lists that are specifically checked:

Time of Creation

Parent PID

Owner

Command Line

Page 16: Knowing your enemy (3)

On connections, the things that stand out are obvious:

Why is notepad connecting to the web?

Why is Internet Explorer connecting to port 1337?

Once they believe there is a possible compromise, they will create a timeline.

Page 17: What types of things can we do?

Hide your connections.

Connections from svchost.exe look normal even when connecting to high ports.

IE, Firefox, Chrome, AV, Dropbox and others use 443 and 80.

Meterpreter offers an API to read and clear Event Logs.
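As an added illustration of the checks described on slides 15 to 17 (example code, not part of the original deck), the Python below runs the naive "who is talking, and on which port" connection check and the process-attribute check (parent PID, owner, command line) over a constructed snapshot. The PIDs, process names and account names are made up; the expected-ports baseline and the rule that svchost.exe is started by services.exe with a -k service group are assumptions about a typical Windows host.

```python
from collections import namedtuple

Process = namedtuple("Process", "pid ppid image owner cmdline")
Connection = namedtuple("Connection", "pid remote_port")

# Assumed baseline: images expected on the wire and their usual ports. None means
# any port looks "normal", which is exactly why svchost.exe makes attractive cover.
EXPECTED_PORTS = {"iexplore.exe": {80, 443}, "firefox.exe": {80, 443},
                  "chrome.exe": {80, 443}, "dropbox.exe": {80, 443},
                  "svchost.exe": None}
SERVICE_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\LOCAL SERVICE",
                    "NT AUTHORITY\\NETWORK SERVICE"}

def connection_findings(procs, conns):
    """Slide 16 check: is this image expected to talk at all, and on this port?"""
    by_pid = {p.pid: p for p in procs}
    out = []
    for c in conns:
        p = by_pid.get(c.pid)
        allowed = EXPECTED_PORTS.get(p.image.lower(), set()) if p else set()
        if allowed is None:
            continue  # svchost.exe sails through the naive connection check
        if not allowed:
            out.append((c.pid, "image not expected to make network connections"))
        elif c.remote_port not in allowed:
            out.append((c.pid, f"unusual remote port {c.remote_port}"))
    return out

def process_findings(procs):
    """Slide 15 check: parent PID, owner and command line of every svchost.exe."""
    by_pid = {p.pid: p for p in procs}
    out = []
    for p in (q for q in procs if q.image.lower() == "svchost.exe"):
        parent = by_pid.get(p.ppid)
        if parent is None or parent.image.lower() != "services.exe":
            out.append((p.pid, "svchost.exe not started by services.exe"))
        if p.owner not in SERVICE_ACCOUNTS:
            out.append((p.pid, f"svchost.exe running as {p.owner}"))
        if "-k" not in p.cmdline.split():
            out.append((p.pid, "svchost.exe without a -k service group"))
    # Creation time (the slide's fourth attribute) is omitted here; a real check
    # would compare each svchost.exe start time against its parent's.
    return out

# Constructed snapshot: a legitimate svchost, a user's notepad and IE, and a
# payload posing as svchost.exe that was launched from the browser.
PROCS = [Process(600, 500, "services.exe", "NT AUTHORITY\\SYSTEM", r"C:\Windows\System32\services.exe"),
         Process(800, 600, "svchost.exe", "NT AUTHORITY\\SYSTEM", r"C:\Windows\System32\svchost.exe -k netsvcs"),
         Process(1200, 3000, "notepad.exe", r"CORP\alice", "notepad.exe"),
         Process(1300, 3000, "iexplore.exe", r"CORP\alice", "iexplore.exe"),
         Process(1400, 1300, "svchost.exe", r"CORP\alice", r"C:\Users\alice\svchost.exe")]
CONNS = [Connection(800, 443), Connection(1200, 80), Connection(1300, 1337), Connection(1400, 50000)]
```

The connection check alone catches notepad and IE on port 1337 but is blind to the fake svchost.exe on port 50000; only the process-attribute check exposes it, which is the point the deck makes about correlating more than one artefact.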

Page 18: Summary

New methodology

Should be testing the security of knowledge as well as the security of the app or the infrastructure.

Learn new ways to hide so that we can learn new ways to find!