Hybrid Kill Chain & Attack Methodology

Report by Miguel Bigueur & Les Davis


Figure 1. Anatomy of a URL and Web Server Architecture.

The intent is to manipulate URL inputs as a method of infiltration by means of legitimacy. The goal here is to masquerade as legitimate traffic in an effort to penetrate firewalls uninhibited, while bypassing all pre-established defense mechanisms. Once this is achieved, an attacker is afforded the opportunity to escalate privileges with an opportunity to engage in lateral movements.
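Seen from the defending side, the first thing a web tier or inspecting proxy has to do with a request like the one described above is decode the URL fully and look at what arrives after decoding, because a single decode pass is exactly what a masquerading request is built to slip past. The following is an added example, not code from this report: it decodes a URL the way an inspecting proxy would and lists the traits that merit a closer look (double encoding, traversal sequences, null bytes, SQL and script metacharacters in parameters). The sample URLs on example.com are constructed; the findings are triage signals, not block decisions.

```python
from urllib.parse import urlsplit, unquote

# Added example (not from the report): decode an inbound URL the way an inspecting
# proxy or WAF would and list the traits that make it worth a closer look.
# The URLs in the usage section are constructed test values for example.com.

def decode_fully(value, max_rounds=3):
    """Percent-decode until stable. Returns (decoded, rounds); rounds > 1 means
    the value was encoded more than once, a common way to get past a single decode."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds

def inspect_url(url):
    """Return host, decoded path and a list of findings for one request URL."""
    parts = urlsplit(url)
    findings = []

    path, rounds = decode_fully(parts.path)
    if rounds > 1:
        findings.append("path: double-encoded")
    if "../" in path or "..\\" in path:
        findings.append("path: traversal sequence")
    if "\x00" in path:
        findings.append("path: null byte")

    # Split the raw query ourselves so each value can be decoded and the rounds counted.
    for pair in (parts.query.split("&") if parts.query else []):
        name, _, raw = pair.partition("=")
        value, rounds = decode_fully(raw)
        lowered = value.lower()
        if rounds > 1:
            findings.append(f"param {name}: double-encoded")
        if "\x00" in value:
            findings.append(f"param {name}: null byte")
        if "'" in value or "--" in value or "/*" in value:
            findings.append(f"param {name}: SQL metacharacters")
        if "<script" in lowered or "javascript:" in lowered:
            findings.append(f"param {name}: script injection marker")
        if "../" in value:
            findings.append(f"param {name}: traversal sequence")

    return {"host": parts.hostname, "path": path, "findings": findings}

if __name__ == "__main__":
    for sample in (
        "https://www.example.com/index.php?id=42",
        "https://www.example.com/index.php?id=42%27%20OR%201%3D1",
        "https://www.example.com/static/%252e%252e/%252e%252e/etc/passwd",
    ):
        print(inspect_url(sample))
```

The decode-until-stable loop is the important design choice: a filter that decodes once sees `%252e%252e` as a harmless literal, while the back end that decodes a second time sees `..`. Capping the rounds keeps a pathological input from looping, and the rounds count itself is reported, since legitimate clients almost never double-encode.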

A few tools that can be used to help discover vulnerabilities in web and mail servers include:

OWASP ZAP

OWASP ZAP (Zed Attack Proxy) is the web application pen test tool from the nonprofit OWASP, the Open Web Application Security Project. ZAP offers automated and manual web application scanning in order to serve both the novice and the established professional pen tester. It also performs a variety of scans and tests, including port scanning, brute force scanning, and fuzzing, in order to identify insecure code. Pen testers use an intuitive GUI similar to that of a Microsoft application or certain web design tools (such as Arachnophilia). Once you surf and perform activities on a website, you enter ZAP again to see the code and what transpired during those activities. When set as a proxy server, OWASP ZAP controls the web traffic that it processes. “This tool is newer than Burp Suite, is not as feature rich, but is free and open source. It provides a subset of features and a GUI that are useful for people who are just entering web application pen testing.”

SQLmap

SQLmap automates the discovery of SQL injection holes. It then exploits those vulnerabilities and takes complete control of databases and underlying servers. SQLmap tests improperly coded sites and URLs attached to databases via Python commands in a command line. If a malformed URL (link) to database information draws an error code, then the link is subject to attack. SQLmap installs on Ubuntu Linux, inside a VM. “Another script-friendly tool, SQLmap can determine such things as whether the programmer has parameterized the inputs.”
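The two sentences that matter for defenders are the ones about error codes and parameterized inputs: an injectable parameter is one whose value is pasted into the SQL text, and the first sign of it is that a stray quote produces a database error. The following is an added example, not code from this report or from the SQLmap project: it builds a small in-memory SQLite table (constructed data) and shows the same lookup written unsafely and with a bound parameter, with a small probe helper that reports what an error-based check would observe.

```python
import sqlite3

# Added example (not from the report): the same lookup written with string
# concatenation and with a bound parameter, so the difference an error-based
# scanner probes for can be seen directly. Table contents are constructed data.

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    conn.commit()
    return conn

def lookup_unsafe(conn, user_id):
    """Vulnerable: the URL parameter is pasted into the SQL text."""
    sql = f"SELECT name, role FROM users WHERE id = '{user_id}'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, user_id):
    """Hardened: the parameter is bound, so it can only ever be compared as a value."""
    return conn.execute("SELECT name, role FROM users WHERE id = ?", (user_id,)).fetchall()

def probe(conn, lookup, value):
    """Run a lookup and report either the rows or the error class name, which is
    what an error-based check looks at to decide whether a parameter is injectable."""
    try:
        return {"rows": lookup(conn, value), "error": None}
    except sqlite3.Error as exc:
        return {"rows": None, "error": type(exc).__name__}

if __name__ == "__main__":
    db = build_db()
    for value in ("1", "1'", "1' OR '1'='1"):
        print(f"{value!r:18} unsafe={probe(db, lookup_unsafe, value)}  safe={probe(db, lookup_safe, value)}")
```

With the unsafe lookup a lone quote raises an OperationalError (the "error code" the text refers to) and the classic tautology returns every row; with the bound parameter both inputs are simply compared against the id column and match nothing, and no error leaks to the client. The fix is the same in any driver: never build the statement from request data, bind it.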

HTTrack

HTTrack allows you to download a World Wide Web site from the Internet to a local directory, recursively building all directories and getting HTML, images, and other files from the server to your computer. HTTrack arranges the original site’s relative link structure. Simply open a page of the “mirrored” website in your browser, and you can browse the site from link to link, as if you were viewing it online. HTTrack can also update an existing mirrored site and resume interrupted downloads. HTTrack is fully configurable and has an integrated help system.

BeEF (The Browser Exploitation Framework)

The Browser Exploitation Framework (BeEF) is a powerful professional security tool. BeEF provides penetration testers with practical client side attack vectors. Unlike other security frameworks, BeEF focuses on leveraging browser vulnerabilities to assess the security posture of a target.

BeEF hooks one or more web browsers as beachheads for the launching of directed command modules. Each browser is likely to be within a different security context, and each context may provide a set of unique attack vectors. The framework allows the penetration tester to select specific modules (in real-time) to target each browser, and therefore each context.

The framework contains numerous command modules that employ BeEF’s simple and powerful API. This API is at the heart of the framework’s effectiveness and efficiency. It abstracts complexity and facilitates quick development of custom modules.

Burp Suite

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.

  1. Intercept browser traffic using a man-in-the-middle proxy.
  2. Automated crawls and scans.
  3. Clear and detailed presentation of web vulnerabilities.
  4. Automated custom attacks using Intruder.

Wafw00f

WAFW00F is a Python tool to help you fingerprint and identify Web Application Firewall (WAF) products. It is an active reconnaissance tool as it actually connects to the web server, but it starts out with a normal HTTP response and escalates as necessary. You can override or include your own headers, it has SOCKS and HTTP proxy support and detects a whole bunch of WAF products from hosted solutions like CloudFlare and Incapsula to server side solutions like ModSecurity.

Hybrid Kill Chain Methodology

  1. Reconnaissance

Tools: Maltego, Zenmap, Recon-NG, Wafw00f

    • Information gathering on the adversary. Acquisition of: IP address scheme, domains, open/closed/filtered ports, email addresses.
    • Vulnerability scanning.
    • TOOL RESOURCES: (Links to Tutorial Videos / Documentation)

  2. Weaponization

    • After collecting information regarding infrastructure and employees, establish attack vectors and a technical profile of targets such as: logical and administrative security controls, infil/exfil points, etc.
    • Prepare the offensive operation against specific targets utilizing information gathered during reconnaissance. This includes: configuring software/hardware Trojans, crafting malicious payloads, creating social engineering costumes, etc.
    • Select backdoor implants, then weaponize the payloads.

  3. Delivery

Tools: Armitage, Telnet, SSH, Netcat, Netcraft, ID Serve, Hping3

    • Launch of the operation in totality. Carry out attacks based on the Blue Team’s offensive strategies. Actions include: planting Trojans for remote access persistence, further cyber vulnerability analysis, etc.
    • Establish backdoors on adversary web/database/AD/SMTP servers.
    • TOOL RESOURCES: (Links to Tutorial Videos / Documentation)

  4. Exploitation

Tools: BeEF, SQLmap, Armitage

    • Actively compromise the adversary’s apps/servers/network, avert physical/logical/administrative controls, and exploit Red Team members using social engineering. This stage prepares for escalation during the installation phase.
    • TOOL RESOURCES: (Links to Tutorial Videos / Documentation)

  5. Installation

Tools: Netcat, Telnet, SSH, ID Serve, OWASP ZAP

    • Persistence preparation phase. Activities include privilege escalation, malicious payload installation, establishing reverse shells, etc.: a webshell on the web server, backdoor implants on adversary hosts, installing a persistence mechanism (i.e. cron jobs, AutoRun keys, services, etc.), deleting logs/files, and generating timestamps.
    • TOOL RESOURCES: (Links to Tutorial Videos / Documentation)

  6. Lateral Movement

Tools: Armitage, Netcat, Telnet, SSH

    • Take actions on lateral movements within the adversary’s network, pivoting from one compromised system to the next.
    • TOOL RESOURCES: (Links to Tutorial Videos / Documentation)

  7. Obfuscation, Anti-Forensics, and Anti-Incident Response

Tools: Alternate Data Streams, Event Handlers

    • Additional actions: privilege escalation, collection of user credentials, internal reconnaissance, destroy systems, overwrite or corrupt data, modify data.
    • TOOL RESOURCES: (Links to Tutorial Videos / Documentation)

  8. Denial of Service

Tools: Armitage, LOIC, HOIC, Hping3

    • Overwhelm local computing resources, rendering them unusable.
    • Exploits to include: Fork Bomb,
    • TOOL RESOURCES: (Links to Tutorial Videos / Documentation)

  9. Exfiltration

Tools: BDFproxy, Powersploit, Proxychains, Weevely, RainbowCrack, SamDump2, PWDump, Hashcat

    • Ultimate goal: to exfiltrate private sensitive data the target deems critically sensitive.
    • TOOL RESOURCES: (Links to Tutorial Videos / Documentation)

  10. Covering Tracks

Tools: Armitage, clearev, clearlogs.exe -sec

    • Clear tracks and remain undetected: detection avoidance and evidence removal. The concept behind this phase is to remove all traces of attack activity against targeted systems. Quite often, this cleanup phase involves the manipulation or implanting of data on target systems to confuse and misdirect the adversary. The most successful APT actors are highly skilled at covering their tracks, making it more difficult for the adversary to assess the impact of the intrusion.
    • Tools to possibly include an Apache log generator tool to cover and obfuscate our activities.
    • TOOL RESOURCES: (Links to Tutorial Videos / Documentation)
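The Covering Tracks phase is also the phase that leaves the loudest signal if anyone is listening: clearing a Windows event log (what clearev and clearlogs.exe do) writes a "log was cleared" record as the first entry of the fresh log, and deleting or replacing a log file makes the per-channel record numbers restart. The following is an added example, not code from this report or from any of the tools it names: a detection that flags both patterns over a stream of normalised event records. The event records are constructed, and the field names are an assumed schema (host, channel, event_id, record_id, time, user), not any product's export format; event IDs 1102 (Security) and 104 (System) are the standard Windows clear-log events.

```python
# Added example (not from the report): flag event-log clearing and record-number
# resets in a stream of Windows event records. SAMPLE_EVENTS is constructed data
# and the field names are an assumed normalised schema.

CLEAR_EVENTS = {
    ("Security", 1102): "Security audit log cleared",
    ("System", 104): "event log file cleared",
}

SAMPLE_EVENTS = [
    {"time": "2024-03-01T09:00:00", "host": "WS-07", "channel": "Security", "event_id": 4624, "record_id": 5001, "user": "jdoe"},
    {"time": "2024-03-01T09:05:00", "host": "WS-07", "channel": "Security", "event_id": 4672, "record_id": 5002, "user": "jdoe"},
    # The clear event is the first record of the emptied log, so the record number restarts.
    {"time": "2024-03-01T09:07:00", "host": "WS-07", "channel": "Security", "event_id": 1102, "record_id": 1, "user": "jdoe"},
    {"time": "2024-03-01T09:00:00", "host": "SRV-02", "channel": "System", "event_id": 7036, "record_id": 900, "user": "SYSTEM"},
    # Log file replaced on disk: no 104 event, but the record number falls back.
    {"time": "2024-03-01T09:30:00", "host": "SRV-02", "channel": "System", "event_id": 7036, "record_id": 3, "user": "SYSTEM"},
    {"time": "2024-03-01T09:10:00", "host": "SRV-02", "channel": "System", "event_id": 7036, "record_id": 901, "user": "SYSTEM"},
]

def detect_log_tampering(events):
    """Return one alert per suspicious observation: an explicit clear-log event, or a
    record number that goes backwards on a (host, channel), which a clear-log event
    does not explain when the log file was deleted or swapped rather than cleared."""
    alerts = []
    last_record = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["host"], ev["channel"])
        what = CLEAR_EVENTS.get((ev["channel"], ev["event_id"]))
        if what:
            alerts.append({"host": ev["host"], "time": ev["time"], "user": ev["user"],
                           "kind": "cleared", "detail": what})
        prev = last_record.get(key)
        if prev is not None and ev["record_id"] <= prev:
            alerts.append({"host": ev["host"], "time": ev["time"], "user": ev["user"],
                           "kind": "record_reset",
                           "detail": f"{ev['channel']} record number fell from {prev} to {ev['record_id']} "
                                     "(log replaced or truncated)"})
        last_record[key] = ev["record_id"]
    return alerts

if __name__ == "__main__":
    for alert in detect_log_tampering(SAMPLE_EVENTS):
        print(alert)
```

The record-number check is what makes this useful beyond a simple event-ID match: an attacker who deletes the .evtx file, or who generates replacement log content (the "Apache log generator" idea above has a Windows equivalent), never produces a 1102 or 104, but the sequence discontinuity is still visible to a collector that kept the earlier records. Forwarding logs off the host before the cleanup phase is what makes either signal survive.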

System Hacking (acquisition targets)

  1. SAM database (Windows Passwords)
  2. /etc/shadow (Linux Passwords)
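These two files are acquisition targets precisely because of what is in them, so the defensive counterpart is to audit them before anyone else reads them. The following is an added example, not code from this report: it parses shadow-format lines and reports accounts with an empty password field, accounts still carrying an MD5-crypt or legacy DES hash, and malformed entries. The sample lines are constructed (the hash bodies are placeholders, not real hashes), and the SAM hive is a binary registry file, so it is out of scope for this text parser.

```python
# Added example (not from the report): audit a shadow-format password file for
# weak or empty credential fields. SAMPLE_SHADOW is constructed test data with
# placeholder hash bodies.

STRONG_PREFIXES = ("$2a$", "$2b$", "$2y$", "$5$", "$6$", "$7$", "$y$", "$gy$")

SAMPLE_SHADOW = """\
root:$6$saltsalt$examplehashvalue:19000:0:99999:7:::
legacy:$1$abc$md5examplehash:18000:0:99999:7:::
svc_backup::19100:0:99999:7:::
daemon:*:18000:0:99999:7:::
dev:!$6$aa$lockedexamplehash:18500:0:99999:7:::
oldbox:AbCdEfGhIjKlM:17000:0:99999:7:::
"""

def classify_hash(field):
    """Return a finding for a weak password field, or None if it is acceptable."""
    if field == "":
        return "empty password field (account usable without a password)"
    if field.startswith(("*", "!")):
        return None  # locked or no-login account
    if field.startswith("$1$"):
        return "MD5-crypt hash ($1$): fast to crack offline"
    if field.startswith("$"):
        if field.startswith(STRONG_PREFIXES):
            return None
        return f"unrecognized hash prefix {field.split('$')[1]!r}"
    if len(field) == 13:
        return "legacy DES crypt hash (13 chars): 8-character password limit"
    return "unrecognized password field format"

def audit_shadow(text):
    """Map account name -> list of findings for every entry in shadow-format text."""
    findings = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 9:
            findings[fields[0]] = [f"malformed entry ({len(fields)} fields, expected 9)"]
            continue
        name, password = fields[0], fields[1]
        problem = classify_hash(password)
        findings[name] = [problem] if problem else []
    return findings

if __name__ == "__main__":
    for account, problems in audit_shadow(SAMPLE_SHADOW).items():
        print(f"{account:12} {'ok' if not problems else '; '.join(problems)}")
```

Run against a real file it needs root (which is the point: the file should be mode 0640 or tighter and owned by root:shadow), and any account the audit flags as empty or MD5/DES is one that an attacker who reaches this acquisition target gets for nearly free.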

Enumeration Actions

  1. Network resources
  2. Network shares
  3. Routing tables
  4. Audit and service settings
  5. SNMP and DNS details
  6. Machine names
  7. Users and groups
  8. Applications and banners
  9. Passwords
  10. IP addresses of reachable systems
  11. TCP and UDP services running
  12. Access control mechanisms (including access control lists, ACLs)
  13. Networking protocols
  14. IDSs running
  15. Authentication mechanisms

Ports to Enumerate

  1. TCP/UDP 53 (DNS zone transfer)
  2. TCP/UDP 135 (Microsoft RPC Endpoint Mapper)
  3. UDP 137 (NetBIOS Name Service “NBNS”)
  4. TCP 139 (NetBIOS Session Service “SMB over NetBIOS”)
  5. TCP/UDP 445 (SMB over TCP “Direct Host”)
  6. UDP 161 (Simple Network Management Protocol “SNMP”)
  7. TCP/UDP 389 (Lightweight Directory Access Protocol “LDAP”)
  8. TCP/UDP 3268 (Global Catalog Service)
  9. TCP 25 (Simple Mail Transfer Protocol “SMTP”)
  10. TCP/UDP 162 (SNMP Trap)

References

Devost, M. (2015, 10 22). 10 Red Teaming Lessons Learned over 20 Years. Retrieved from redteamjournal.com: https://redteamjournal.com/2015/10/10-red-teaming-lessons-learned-over-20-years/

Iversen, W. (20071, 6 14). Anatomy of a Red Team Attack. Retrieved from automationworld.com: https://www.automationworld.com/article/technologies/maintenance-reliability/anatomy-red-team-attack

Lockheed Martin. (2015). Gaining the Advantage. Retrieved from lockheedmartin.com: http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/Gaining_the_Advantage_Cyber_Kill_Chain.pdf
