Advanced Penetration Testing: Hacking the World's Most Secure Networks

Wil Allsopp 

e-books shop
e-books shop
Purchase Now !
Just with Paypal

Book Details
 3.00 USD
 297 p
 File Size
 6,447 KB
 File Type
 PDF format
 2017 Wiley   

There is an old yet erroneous belief that fortune favors the brave. Fortune has
and always will favor the prepared. When your organization experiences a
serious security incident (and it will), it's your level of preparedness based on the
understanding of the inevitability of such an event that will guide a successful
recovery. It doesn't matter if you're responsible for the security of a local
community college or if you're the CISO of an international bank—this fact will
always remain true.
To quote Howard Ruff, “It wasn't raining when Noah built the ark.”
The first step to being prepared is being aware.

Coming Full Circle
There has always been the impression that you have to patch your systems and
secure your networks because hackers are scanning vast address ranges looking
for victims who haven't done these things and they'll take whatever vulnerable
systems they can get. In a sense that's true—there have always been those who
are satisfied with low hanging fruit. It was true back in the 80s as well—war
dialing on the PSTN and such attacks are usually trivial to guard against if you
know what you're up against. However, if you are specifically targeted by
someone with time and resources, you have a problem of an altogether different
magnitude. Put simply, gaining access to corporate systems by patiently
targeting the users was usually the best way to go in the 80s and it's usually the
best way now. However, the security industry, like any other, is constantly
looking to sell “new” products and services with different names and to do that,
a buzzword is required. The one that stuck was advanced persistent threat.

Advanced Persistent Threat (APT)
What differentiates an APT from a more traditional intrusion is that it is strongly
goal-oriented. The attacker is looking for something (proprietary data for
example) and is prepared to be as patient as is necessary to acquire it. While I
don't recommend breaking complex processes down into simple lists or
flowcharts, all APTs generally have the following characteristics:
Initial compromise—Usually performed or assisted by the use of social
engineering techniques. An attack against a client will include a core
technical component (such as a Java applet), but without a convincing
pretext, such an attack is usually doomed to failure. A pretext can be
anything but is successful when tailored to the target and its employees.
Casting a wide net to catch the low hanging fruit (to mix my metaphors) is
not an acceptable way to model APTs and is certainly not how your
adversaries are doing things.
Establish beachhead—Ensure future access to compromised assets without
needing a repeat initial intrusion. This is where Command & Control (C2)
comes in to play and it's best to have something that you've created yourself;
that you fully understand and can customize according to your needs. This is
a key point in this book that I make a number of times when discussing the
various aspects of C2—it needs to be secure but its traffic has to look
legitimate. There are easy solutions to this problem.
Escalate privileges—Gain local and ultimately domain administrator access.
There are many ways this can be achieved; this book will dedicate
considerable space to the best and most reliable methods as well as some
concepts that are more subtle.
Internal reconnaissance—Collect information on surrounding infrastructure,
trust relationships, and the Windows domain structure. Situational awareness
is critical to the success of any APT.
Network colonization—Expand control to other network assets using
harvested administrative credentials or other attacks. This is also referred to
as lateral movement, where an attacker (having established a stable base of
operations within the target network) will spread influence across the
infrastructure and exploit other hosts.
Persist—Ensure continued control via Command & Control. Persistence
essentially means being able to access your target whenever you want
regardless of whether a machine is rebooted.
Complete mission—Exfiltrate stolen data. The most important part of any
APT. The attacker is not interested in vandalizing systems, defacing web
pages, or stealing credit card numbers (unless any of these things advances
the final goal). There is always a well-defined target in mind and that target
is almost always proprietary data—the mission is completed when that data
has been located and liberated.
I am a penetration tester by trade (a professional “hacker,” if you like) working
I am a penetration tester by trade (a professional “hacker,” if you like) working
for every possible kind of client and market vertical over the best part of two
decades. This book speaks from that narrative. I want to show how conventional
penetration testing is next to useless when attempting to protect organizations
against a targeted APT attack. Only by going beyond the stagnant nature of
contemporary penetration testing methodologies can this hope to be achieved.
Potential adversaries today include organized crime and nation states—it's worth
pointing out that foreign intelligence agencies (of any nation) are heavily
invested in industrial espionage, and not just against hostile nations.

Table of Contents
Title Page
Coming Full Circle
Advanced Persistent Threat (APT)
Next Generation Technology
Forget Everything You Think You Know About Penetration Testing
How This Book Is Organized
Chapter 1: Medical Records (In)security
An Introduction to Simulating Advanced Persistent Threat
Background and Mission Briefing
Payload Delivery Part 1: Learning How to Use the VBA Macro
Command and Control Part 1: Basics and Essentials
The Attack
Chapter 2: Stealing Research
Background and Mission Briefing
Payload Delivery Part 2: Using the Java Applet for Payload Delivery
Notes on Payload Persistence
Command and Control Part 2: Advanced Attack Management
The Attack
Chapter 3: Twenty-First Century Heist
What Might Work?
Nothing Is Secure
Organizational Politics
APT Modeling versus Traditional Penetration Testing
Background and Mission Briefing
Command and Control Part III: Advanced Channels and Data
Payload Delivery Part III: Physical Media
The Attack
Chapter 4: Pharma Karma
Background and Mission Briefing
Payload Delivery Part IV: Client-Side Exploits 1
Command and Control Part IV: Metasploit Integration
The Attack
Chapter 5: Guns and Ammo
Background and Mission Briefing
Payload Delivery Part V: Simulating a Ransomware Attack
Command and Control Part V: Creating a Covert C2 Solution
New Strategies in Stealth and Deployment
The Attack
Chapter 6: Criminal Intelligence
Payload Delivery Part VI: Deploying with HTA
Privilege Escalation in Microsoft Windows
Command and Control Part VI: The Creeper Box
The Attack
Chapter 7: War Games
Background and Mission Briefing
Payload Delivery Part VII: USB Shotgun Attack
Command and Control Part VII: Advanced Autonomous Data
The Attack
Chapter 8: Hack Journalists
Advanced Concepts in Social Engineering
C2 Part VIII: Experimental Concepts in Command and Control
Payload Delivery Part VIII: Miscellaneous Rich Web Content
The Attack
Chapter 9: Northern Exposure
Operating Systems
North Korean Public IP Space
The North Korean Telephone System
Approved Mobile Devices
The “Walled Garden”: The Kwangmyong Intranet
Audio and Video Eavesdropping
End User License Agreement

e-books shop

How This Book Is Organized
In this book, as stated, I'm going to examine APT modeling in the real world, but
I'm also going to go a little further than that. I will present a working APT
testing framework and in each chapter will add another layer of functionality as
needed to solve different problems and apply the result to the target
environments in discussion. In doing so, I will be completely code-agnostic
where possible; however, a solid knowledge of programming is essential as you
will be required to create your own tools—sometimes in languages you may be
unfamiliar with.
Each of the chapters of this book discusses my experience of APT modeling
against specific industries. As such, each chapter introduces new concepts, new
ideas, and lessons to take away. I believe it's valuable to break this work down
by industry as environments, attitudes to security, and indeed the competence of
those performing network defense varies widely across different sectors. If you
are a pen tester, you will learn something. If you have the unenviable task of
keeping intruders out of your organization's system, you will learn things that
will keep you up at night but also show you how to build more resilient defenses.
Rather than approach the subject matter as a dry technical manual, each chapter
follows a similar format—the context of a wide range of separate industries will
be the background against which new technologies, attacks, and themes are
explored. This includes not only successful vectors of attack but such vital
concepts as privilege escalation, avoiding malware detection, situation
awareness, lateral movement, and many more skills that are critical to a
successful understanding of both APT and how to model it. The goal is not
simply to provide a collection of code and scripts, although many examples are
given, but to encourage a broad and organic understanding of the problems and
their solutions so that the readers will think about them in new ways and be able
to confidently develop their own tools.

Chapter 1, “Medical Records (In)Security,” discusses attacks to hospital
infrastructure with concepts such as macro attacks and man-in-the-browser
techniques. Introduction to Command & Control (C2) is explored.
Chapter 2, “Stealing Research,” will explore attacks using Java Applets and
more advanced C2 within the context of an attack against a research university.
Chapter 3, “Twenty-First Century Heist,” considers ways of penetrating
high-security targets such as banks and highly advanced C2 techniques using
the DNS protocol.
Chapter 4, “Pharma Karma,” examines an attack against a pharmaceutical
company and against this backdrop introduces client-side exploits and
integrating third-party frameworks such as Metasploit into your C2.
Chapter 5, “Guns and Ammo,” examines ransomware simulation and using
Tor hidden services to mask the physical location of the C2 infrastructure.
Chapter 6, “Criminal Intelligence,” uses the backdrop of an intrusion against
a police HQ to illustrate the use of “creeper” boxes for long-term
engagements where temporary physical access is possible. Other concepts
such as privilege escalation and deploying attacks using HTML applications are introduced.
Chapter 7, “War Games,” discusses an attack against a classified data
network and explains concepts such as open source intelligence gathering
and advanced concepts in Command & Control.
Chapter 8, “Hack Journalists,” shows how to attack a publisher and use their
own technologies and workflows against them. Emerging rich media content
and experimental C2 methodologies are considered. Advanced concepts in
social engineering are introduced.
Chapter 9, “Northern Exposure,” is a hypothetical attack against a hostile
rogue state by a government Tailored Access Operations (TAO) team. North
Korea is used as a convenient example. We discuss advanced discreet
network mapping and means of attacking smartphones, including the
creation of hostile code for iOS and Android phones.
So, without further ado—on with the show.
Loading... Protection Status