Blackhat Hacking
How to hack and not get caught
Brady Bloxham
Silent Break Security
brady@silentbreaksecurity.com
Overview
▪ What is OpSec?
▪ Methodology
▪ TTPs (Tactics, Techniques, and Procedures)
▪ Conclusion
What is OpSec?
What is OpSec?
▪ First things first
  – Examine your activities from an adversary’s point of view
  – Way of life
  – NOT a set of rules
  – Best of all…it’s free!
▪ Above all: Shut Your Mouth
What is OpSec?
▪ Proactive paranoia
  – It doesn’t work retroactively!
What is OpSec?
▪ Stay paranoid…and cover your webcam!
What is OpSec?
▪ Work alone
▪ Avoid being blackmailed
▪ No one is going to jail for you!
Methodology
Methodology
▪ The Old Way
Methodology
▪ The New Way
Methodology
▪ Money trail
  – PATRIOT Act
  – Various types
    ▪ Pre-paid credit cards
    ▪ Pre-paid credit cards + Paypal
    ▪ Western Union
    ▪ Bitcoin
      – Not truly anonymous!
      – Every transaction is publicly logged
      – So…use bitcoin mixing/eWallet
Methodology
▪ Covert Infrastructure
  – VPS
    ▪ Careful of payment
  – TOR
    ▪ Slow
  – VPN
    ▪ Torguard.net
    ▪ Btguard.com
  – Create your own!
    ▪ SOHO routers
    ▪ Hack onto other servers
Methodology
▪ Covert Infrastructure
Methodology
▪ Don’t be a hoarder
  – Principle of least use
    ▪ Don’t collect what you don’t need
    ▪ Don’t hoard data
    ▪ Delete it when you’re done
  – Be smart about it
    ▪ Dedicated infrastructure
    ▪ Truecrypt containers
    ▪ VMs with snapshots
    ▪ Qubes OS
TTPs (Tactics, Techniques, and Procedures)
TTPs
▪ Spear phishing
  – Click rate ~ 25-35%
▪ Countermeasure
  – End user training, but it should reflect the current threat environment.
  – Configure spam filter!
  – Use proxy to block!
TTPs
▪ Pop and pivot!
▪ Be strategic!
  – Don’t pop…just to pop
  – Find high value targets
    ▪ Tasklist of remote systems
    ▪ Net use for remote dir of c:\Users
    ▪ Query AD for logon events
TTPs
▪ “Work” during the day
  – Blend in with the noise
  – Harder to filter logins
  – Easier to identify key targets
▪ Countermeasures
  – Monitor, monitor, monitor…especially privileged accounts
  – Create separate user accounts for domain admins
TTPs
▪ Cover your tracks
  – Clean the logs
  – Watch the prefetch
  – Registry MRUs
  – Change time stamp!
  – Remove tools!
▪ Risk = Threat x Vulnerability x Cost
  – The best way to not get caught is to not leave tracks.
TTPs
▪ MRUs
  – HKCU\SW\Microsoft\Windows\CurrentVer\Explorer\FindComputerMRU
  – HKCU\SW\Microsoft\Windows\CurrentVer\Explorer\PrnPortsMRU
  – HKCU\SW\Microsoft\Windows\CurrentVer\Explorer\RunMRU
  – HKCU\SW\Microsoft\Windows\CurrentVer\Explorer\StreamMRU
▪ Audit Policy
  – HKLM\Security\Policy\PolAdtEv
▪ Clean Logs
  – Windows Defender
    ▪ Binary logs! Check out MPDetection.txt
  – McAfee
    ▪ BufferOverflowProtectionLog.txt
    ▪ AccessProtectionLog.txt
  – Symantec
    ▪ \Docume~1\AllUse~1\Applic~1\Symantec\Symantec Endpoint Protection\Logs
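Added example (not from the slides or from Silent Break Security): detection rules a defender could run over exported Windows event records to catch the log cleaning and audit-policy changes listed above, and to single out privileged-account logons by host rather than by time of day, which is what makes the "work during the day" approach hard to filter. The event IDs are the standard Windows Security/System IDs; the event records, account names, host names and field names are constructed for this example.

```python
"""Detection rules for log clearing, audit-policy changes and privileged
logons on unexpected hosts. Sample events are constructed, not real logs;
the event IDs are standard Windows Security/System log IDs."""
from collections import defaultdict

# Accounts that, following the 'separate accounts for domain admins' advice,
# should only ever be used from a small set of administrative hosts.
PRIVILEGED_ACCOUNTS = {"CORP\\da-admin", "CORP\\svc-backup"}

# Standard Windows event IDs that deserve an unconditional alert.
LOG_CLEARED = {1102: "Security event log was cleared",
               104: "System event log was cleared"}
AUDIT_POLICY_CHANGED = 4719   # fires when the audit policy (PolAdtEv) is rewritten
LOGON = 4624


def build_host_baseline(history):
    """Map each privileged account to the hosts it has historically logged on to."""
    baseline = defaultdict(set)
    for ev in history:
        if ev["id"] == LOGON and ev["account"] in PRIVILEGED_ACCOUNTS:
            baseline[ev["account"]].add(ev["host"])
    return dict(baseline)


def find_log_clearing(events):
    return [(ev["time"], ev["host"], ev["account"], LOG_CLEARED[ev["id"]])
            for ev in events if ev["id"] in LOG_CLEARED]


def find_audit_policy_changes(events):
    return [(ev["time"], ev["host"], ev["account"], "audit policy changed")
            for ev in events if ev["id"] == AUDIT_POLICY_CHANGED]


def find_privileged_logon_anomalies(events, baseline):
    """Daytime logons blend in by volume, so filter on who and where rather
    than when: a privileged account on a host it has never used before."""
    alerts = []
    for ev in events:
        if ev["id"] != LOGON or ev["account"] not in PRIVILEGED_ACCOUNTS:
            continue
        if ev["host"] not in baseline.get(ev["account"], set()):
            alerts.append((ev["time"], ev["host"], ev["account"],
                           "privileged logon from host outside baseline"))
    return alerts


def run_rules(events, baseline):
    """All alerts, ordered by timestamp (ISO-8601 strings sort correctly)."""
    return sorted(find_log_clearing(events)
                  + find_audit_policy_changes(events)
                  + find_privileged_logon_anomalies(events, baseline))


# Constructed history: where the admin accounts normally log on.
HISTORY = [
    {"time": "2013-03-01T08:00:00", "host": "DC-01", "id": 4624, "account": "CORP\\da-admin", "logon_type": 2},
    {"time": "2013-03-01T08:30:00", "host": "DC-02", "id": 4624, "account": "CORP\\da-admin", "logon_type": 2},
    {"time": "2013-03-01T22:00:00", "host": "BK-01", "id": 4624, "account": "CORP\\svc-backup", "logon_type": 5},
]

# Constructed day-of events: a normal user, then an admin account appearing on
# a workstation, rewriting the audit policy and clearing the Security log.
SAMPLE_EVENTS = [
    {"time": "2013-03-04T09:12:00", "host": "WS-042", "id": 4624, "account": "CORP\\jsmith", "logon_type": 2},
    {"time": "2013-03-04T10:03:00", "host": "WS-042", "id": 4624, "account": "CORP\\da-admin", "logon_type": 10},
    {"time": "2013-03-04T10:05:00", "host": "WS-042", "id": 4719, "account": "CORP\\da-admin"},
    {"time": "2013-03-04T10:07:00", "host": "WS-042", "id": 1102, "account": "CORP\\da-admin"},
    {"time": "2013-03-04T11:00:00", "host": "DC-01", "id": 4624, "account": "CORP\\da-admin", "logon_type": 2},
]

if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS, build_host_baseline(HISTORY)):
        print(*alert, sep=" | ")
```

The host baseline is what makes the third rule useful: the same admin account logging on to DC-01 at 11:00 raises nothing, while its 10:03 appearance on a workstation does, regardless of how busy the logon stream is at that hour.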
TTPs
▪ Test, test, test, test, test, test, test, test, test, test, test, test, test
▪ Modifying the target is for n00bs
  – Modify your tools instead
  – Packers, crypters, modifying the source, etc., etc.
TTPs
▪ Environmental awareness
  – Network
    ▪ SYN vs Connect scan
    ▪ ping -n 1 <ip>
    ▪ SSL where possible
  – System
    ▪ Avoid domain accounts
    ▪ Build a profile
▪ Countermeasures
  – Create baselines (SIEM, netflow, etc.)
  – Don’t ignore anomalies or alerts
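Added example (not from the slides): a per-source fan-out baseline over netflow-style records, illustrating the "create baselines, don't ignore anomalies" countermeasure. Whether a sweep is half-open (SYN) or full-connect, it touches many distinct ports or hosts from one source, so the baseline counts those rather than relying on TCP flags. The flow records, addresses and thresholds are constructed for this example; a real feed would come from a flow collector or SIEM export.

```python
"""Per-source baseline over netflow-style flow records. All flows below are
constructed; field names are this example's own."""
from collections import defaultdict


def summarize_by_source(flows):
    """Per source address: distinct destination hosts/ports and how many
    flows were SYN-only (the handshake never completed)."""
    stats = defaultdict(lambda: {"dsts": set(), "dports": set(), "flows": 0, "syn_only": 0})
    for f in flows:
        s = stats[f["src"]]
        s["dsts"].add(f["dst"])
        s["dports"].add(f["dport"])
        s["flows"] += 1
        if f["proto"] == "tcp" and "S" in f["flags"] and "A" not in f["flags"]:
            s["syn_only"] += 1
    return stats


def build_baseline(history_flows):
    """Learn each source's normal fan-out from a historical window."""
    return {src: {"max_dports": len(s["dports"]), "max_dsts": len(s["dsts"])}
            for src, s in summarize_by_source(history_flows).items()}


def detect_anomalies(flows, baseline, factor=3, min_ports=10):
    """Flag a source whose fan-out exceeds its own baseline by `factor`, or
    any source touching at least `min_ports` distinct ports. Sources with no
    baseline are judged on `min_ports` alone. The 'style' field records
    whether the activity looked half-open or full-connect: both trip the
    same fan-out rule, which is the point of counting ports, not flags."""
    alerts = []
    for src, s in summarize_by_source(flows).items():
        base = baseline.get(src, {"max_dports": 0, "max_dsts": 0})
        n_ports, n_dsts = len(s["dports"]), len(s["dsts"])
        over_ports = n_ports >= min_ports or (
            base["max_dports"] > 0 and n_ports > factor * base["max_dports"])
        over_dsts = base["max_dsts"] > 0 and n_dsts > factor * base["max_dsts"]
        if over_ports or over_dsts:
            style = "syn-only" if s["syn_only"] > s["flows"] / 2 else "full-connect"
            alerts.append({"src": src, "distinct_ports": n_ports,
                           "distinct_hosts": n_dsts, "style": style})
    return sorted(alerts, key=lambda a: a["src"])


def flow(src, dst, dport, flags="SA", proto="tcp"):
    """Build one constructed flow record; flags are the union seen in the flow."""
    return {"src": src, "dst": dst, "dport": dport, "proto": proto, "flags": flags}


# Constructed baseline window: two workstations with ordinary fan-out.
HISTORY = [flow("10.0.1.42", "10.0.0.10", 80), flow("10.0.1.42", "10.0.0.11", 443),
           flow("10.0.1.42", "10.0.0.12", 445), flow("10.0.1.17", "10.0.0.10", 80)]

# Constructed observation window: a half-open sweep from a known host, normal
# traffic from another, and a full-connect sweep from a host with no baseline.
TODAY = ([flow("10.0.1.42", "10.0.0.5", p, flags="S") for p in range(21, 41)]
         + [flow("10.0.1.17", "10.0.0.10", 80)]
         + [flow("10.0.9.9", "10.0.0.7", p) for p in range(1, 13)])

if __name__ == "__main__":
    for alert in detect_anomalies(TODAY, build_baseline(HISTORY)):
        print(alert)
```

The `factor` and `min_ports` values are deliberately crude; in practice they are tuned per network segment, and the baseline window is rebuilt on a schedule so that a source which has been sweeping for weeks does not become its own "normal".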
TTPs
▪ Data exfiltration techniques
  – Archive files (usually .rar)
  – Stage on separate box
      ▪ Recycle bin
      ▪ System volume information
▪ Data exfiltration channels
  – Compromise server in the DMZ
  – Transfer via RDP
  – Base64 en/decode to/from target via shell
  – HTTP/S
▪ Countermeasures
  – Block outbound all, lock down proxy, block outbound SYN in DMZ
TTPs
▪ Persistence APT style
  – Nothing good out there…
      ▪ Meterpreter – OSS
      ▪ Core Impact – $$$$$
      ▪ Poison Ivy – Private
      ▪ DarkComet – Private
        – Who’s going to trust these?
▪ Techniques
  – DLL hijacking
  – Service
  – AppInit registry
  – DLL wrapper
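Added example (not from the slides): a defender-side audit over a host snapshot for the four persistence techniques just listed. The snapshot (registry values, service image paths, DLL listing) is constructed; the AppInit registry location is the standard Windows one, while the trusted-directory list, the DLL names and the check logic are this example's own assumptions.

```python
"""Audit a constructed host snapshot for AppInit DLL entries, services whose
binary lives outside trusted directories, and DLLs that shadow a system
DLL's name (the pattern behind DLL hijacking and DLL wrappers)."""
import ntpath

APPINIT_KEY = "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"  # standard location
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _norm(path):
    """Lower-case, strip surrounding quotes, expand %SystemRoot% (assumed C:\\Windows)."""
    return path.strip('"').lower().replace("%systemroot%", "c:\\windows")


def check_appinit(registry):
    """AppInit_DLLs are loaded into every user32-linked process, so any entry
    deserves review; report whether loading is actually switched on."""
    key = registry.get(APPINIT_KEY, {})
    dlls = key.get("AppInit_DLLs", "").replace(",", " ").split()
    state = "enabled" if key.get("LoadAppInit_DLLs", 0) == 1 else "present but disabled"
    return [("AppInit_DLLs", d, state) for d in dlls]


def check_services(services):
    """Flag services whose executable is outside the trusted program directories."""
    findings = []
    for name, image_path in services.items():
        exe = _norm(image_path).split(".exe")[0] + ".exe"   # drop arguments
        if not exe.startswith(TRUSTED_PREFIXES):
            findings.append(("service", name, image_path))
    return findings


def check_dll_shadowing(dll_listing):
    """Report any DLL outside the system directories that carries the same
    file name as a DLL inside them: the precondition for search-order abuse."""
    system_names = {ntpath.basename(p).lower() for p in dll_listing
                    if _norm(p).startswith(SYSTEM_DIRS)}
    return [("dll", p, "shadows a system DLL name") for p in dll_listing
            if not _norm(p).startswith(SYSTEM_DIRS)
            and ntpath.basename(p).lower() in system_names]


def audit(registry, services, dll_listing):
    return check_appinit(registry) + check_services(services) + check_dll_shadowing(dll_listing)


# Constructed snapshot. File and DLL names are invented for the example.
REGISTRY = {
    APPINIT_KEY: {"AppInit_DLLs": "C:\\ProgramData\\helper.dll", "LoadAppInit_DLLs": 1},
}
SERVICES = {
    "Dhcp": "%SystemRoot%\\system32\\svchost.exe -k LocalServiceNetworkFirewall",
    "Spooler": "C:\\Windows\\System32\\spoolsv.exe",
    "SyncSvc": "\"C:\\Users\\Public\\sync\\syncsvc.exe\" -run",
}
DLLS = [
    "C:\\Windows\\System32\\corelib.dll",
    "C:\\Windows\\System32\\exampleapi.dll",
    "C:\\Program Files\\SomeApp\\someapp.dll",
    "C:\\Program Files\\SomeApp\\corelib.dll",
]

if __name__ == "__main__":
    for finding in audit(REGISTRY, SERVICES, DLLS):
        print(*finding, sep=" | ")
```

On a live host the same three checks would be fed from a registry export, `sc query`/service-manager output and a file-system inventory; the value of running them periodically is the diff against the previous snapshot, which is what turns "a DLL exists here" into "a DLL appeared here".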
TTPs
▪ Go custom or go home…
Conclusion
Conclusion
▪ Know your network
  – That means monitor the traffic
      ▪ Netflow, signatures, baselines
▪ Egress Filtering
  – Like it is going out of style
▪ Proxy or die!
  – Proxy all traffic
  – Break & Proxy HTTPS traffic
  – Look out for base64 encoding
  – If you can’t inspect it…
      ▪ You just made someone’s b-day
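Added example (not from the slides) covering both the exfiltration countermeasures ("block outbound all, lock down proxy, block outbound SYN in DMZ") and the "proxy or die" advice above: an egress-policy check over flow records, plus a proxy-side content check that spots long base64 runs in decrypted HTTP requests and reports whether they decode to an archive (the slides note that exfiltrated data is usually a .rar). The addresses, flows and requests are constructed; the `initiator` field assumes a flow source that records which side opened the connection, and the archive signatures are the well-known RAR, ZIP, 7z and gzip magic bytes.

```python
"""Egress-policy and base64-content checks. All flows, requests and network
ranges below are constructed for the example."""
import base64
import binascii
import ipaddress
import re

INTERNAL = ipaddress.ip_network("10.0.0.0/8")        # constructed ranges
DMZ = ipaddress.ip_network("10.0.200.0/24")
PROXY = ipaddress.ip_address("10.0.0.9")

# Well-known archive signatures; the RAR prefix covers both RAR4 and RAR5.
ARCHIVE_MAGIC = {b"Rar!\x1a\x07": "rar", b"PK\x03\x04": "zip",
                 b"7z\xbc\xaf\x27\x1c": "7z", b"\x1f\x8b": "gzip"}
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")   # long runs of base64 alphabet


def egress_violations(flows):
    """'Block outbound all' expressed as a check: only the proxy may open a
    connection to the outside, and DMZ hosts may never initiate one."""
    findings = []
    for f in flows:
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        if not f["initiator"] or src not in INTERNAL or dst in INTERNAL:
            continue   # replies, inbound traffic and east-west traffic are out of scope
        if src in DMZ:
            findings.append((f["src"], f["dst"], "DMZ host initiated outbound connection"))
        elif src != PROXY:
            findings.append((f["src"], f["dst"], "direct outbound bypassing proxy"))
    return findings


def find_base64_blobs(text):
    """Return (blob, decoded_bytes) for every long run that really decodes."""
    found = []
    for m in B64_RUN.finditer(text):
        chunk = m.group(0)
        chunk = chunk[: len(chunk) - len(chunk) % 4]   # drop a ragged tail
        try:
            found.append((chunk, base64.b64decode(chunk, validate=True)))
        except binascii.Error:
            continue   # looked like base64 but was not
    return found


def classify_payload(data):
    for magic, name in ARCHIVE_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def inspect_request(req):
    """Proxy-side check of one already-decrypted HTTP request."""
    findings = []
    for where in ("url", "body"):
        for blob, data in find_base64_blobs(req.get(where, "")):
            findings.append({"host": req["host"], "where": where,
                             "encoded_len": len(blob),
                             "decoded_kind": classify_payload(data) or "unknown"})
    return findings


# Constructed flows (initiator=True means this side sent the opening SYN).
FLOWS = [
    {"src": "10.0.1.42", "dst": "203.0.113.7", "dport": 443, "proto": "tcp", "initiator": True},
    {"src": "10.0.0.9", "dst": "203.0.113.7", "dport": 443, "proto": "tcp", "initiator": True},
    {"src": "10.0.200.5", "dst": "198.51.100.20", "dport": 80, "proto": "tcp", "initiator": False},
    {"src": "10.0.200.5", "dst": "198.51.100.20", "dport": 443, "proto": "tcp", "initiator": True},
    {"src": "10.0.1.42", "dst": "10.0.0.9", "dport": 8080, "proto": "tcp", "initiator": True},
]

# Constructed payload: RAR magic followed by filler, not a real archive.
FAKE_RAR = b"Rar!\x1a\x07\x00" + bytes(range(256)) * 2
REQUESTS = [
    {"host": "www.example.com", "url": "/search?q=opsec", "body": ""},
    {"host": "cdn.example.net", "url": "/upload",
     "body": "data=" + base64.b64encode(FAKE_RAR).decode()},
]

if __name__ == "__main__":
    for v in egress_violations(FLOWS):
        print("egress:", *v)
    for req in REQUESTS:
        for finding in inspect_request(req):
            print("content:", finding)
```

The two checks reinforce each other: the egress rule means the proxy is the only place outbound content can appear, and breaking HTTPS at that proxy is what lets the content check see the request body at all.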
Conclusion
▪ It’s not the appliance / server / IDS / IPS / software / device’s fault…
▪ Expecting your network devices to identify unknown traffic is like expecting your AV to detect a 0-day.
Conclusion
▪ Testing should be modeled after threats
  – Vulnerability scans don’t cut it
  – Correct practice makes perfect
Conclusion
▪ Offense is sexy, defense is lame
  – We need to change the way we think about the problems.
Conclusion
▪ The attackers have them, do you?
The End!
▪ Questions?
▪ Contact Information
  – Brady Bloxham
  – Silent Break Security
  – brady@silentbreaksecurity.com
  – www.silentbreaksecurity.com
  – (801) 855-6599