Time
25 minutes
Difficulty
Intermediate
CEU/CPE
1

Video Transcription

00:00
Hey, everyone is Canada Hill Master Instructor a Sigh Berry. In this video, we're gonna talk about attacks and persistence.
00:06
So quick, pre assessment question here. What what type of us be attacked is actually used to create a power surge that attempts to destroy the target machine. It's not always successful, but that's the attempt that is doing
00:20
***. If he said, USB kill attack, that is correct. That's that type there on. We'll talk about that a little bit.
00:27
So we have different attack types. We, of course, have, De Dos said. A lot of people are familiar with just cause. They hear it in the media, and that's basically we're sending so many requests to a single machine or a grouping of machines that it it eats up. The resource is so going back to like to see a tree odd, for example, confidentiality, integrity, availability
00:43
that would fall under the availability aspect of it. So as somebody trying to visit your website,
00:48
I can't access it or as a ah user worker at your company trying to maybe access that database for a certain system. I can't access it because there's an attack in place.
00:59
We've got our poisoning. So basically that that what we're doing theirs were taken an incorrect Mac address. So, like maybe from our attacker machine, and then we're linking that to a legitimate I p address. So 11 common thing that happens is let's say I am able to compromise a like your domain controller, for example.
01:18
Um,
01:19
I do that. And then from there i e I do. Ah, you know, our attack and I essentially change the i P addresses for different the Mac address for different machines. So I say, Hey, yet you know this this beautiful attacker machine is actually, you know, 1 92.168 dot zero that one, right? What? You what you think is, you know, one of the machines on your network,
01:38
and then you connect to it.
01:40
Um,
01:41
you do. You do see it out there. You do see this type of attack, but there's a lot of devices out there in use that will prevent against this or at least mitigate it quite a bit. So it's kind of hidden, miss if you'll actually see it, but definitely something we should just bring up in this type of video
01:57
s and B attacks server message block. So most people are familiar or they've heard in the media probably like eternal blue. That's an S and B type of attack. There's a ton of S and B attacks. It's very vulnerable over the years.
02:10
Um, I think, Ah,
02:14
I went to see the details a while back and there's over, like 2000 S. O. C. V details dot com is so you can check out, um, and again all linked to that in the document. But there's there's several 1000 s and B vulnerabilities doesn't mean that all of them are things you can use on company because a lot of times people patch right. Hopefully they patch.
02:34
But those were different things you can use as well.
02:36
D N s U. S. B. We'll talk about this a little more in depth session hijacking. So basically, let's say that you are
02:44
what does use a banking banking example. There s So you're you're connecting to your banking website, right? So you've authenticated on your bank on, and then what I do there
02:53
is, I go ahead and I grab your user credentials, and my goal is to do a replay attack where I can go ahead and just replay your authenticated session credentials on then. That way, hopefully I can get on to your bank and, you know, get all your money, right? You know, we've all got millions, right? So I can get in there and get your money, huh?
03:13
Man in the middle. And this is kind of ah, differentiating factor. And they're really used interchangeably. A lot of people just kind of used these attacks interchangeably.
03:20
Men in the middle, kind of the difference. I would I would say there is that I'm just jumping in the middle of that communication. But I'm not actually taking over like you. I'm just kind of jumping in the middle. And then you send a you send a request to me. I review it and everything. I then send it on to your bank.
03:38
And then from there, the bank sends a request back through me. And then I sent it back to you.
03:43
That's kind of the difference in the factor. There again, Most people kind of use them interchangeably be, but that's kind of the difference is there?
03:52
All right, So do Eunice attacks we've got. There's many different types. I just listed some of the most common ones here. We got domain hijacking. So basically the, you know, the Attackers at you know, the hijacked our domain name or your domain server, so
04:06
they're essentially taking control of her Deena's records. So, as an example, let's say that you own a bank, right? Let's say you have a bank have a banking website on. Then what the Attackers do is still poison the D. M s. So that way, when I when I type in, you know, www dot you know your your bank dot com, right? As just as an example
04:25
instead of it taking me to the correct I P address for your server,
04:28
it's gonna take me to the Attackers, you know, fake What say they've said it right. It's
04:33
It's pretty. Well, I don't want to say it's pretty easy to defend against get, but it is. It is something that if you're not configuring your server correctly, that you could be vulnerable to using something like D N. A sec is probably a good idea to help mitigate against that. We've also got Deanna's flood attacks. I think of that is basically a Adidas attack, you know,
04:51
denial of service stuff. Attacker distributed to Donald Service
04:55
attack.
04:57
So the whole goal without us to just overload the d n. A server, I just kind of flooded with so many requests that it can't, um,
05:04
you know, go back. Can't effectively, like, take all those requests and process them, so especially shuts it down. We've seen that to some extent with all these
05:15
cloud attacks that we've seen out there, especially if you remember back to the mirror botnet. Think of it in that context where it was shutting down all these different servers across the world. Right. So, as an example, part of the Internet shut down
05:31
for a period of time. So doing those types of large scale attacks like that,
05:35
that's definitely a reason why we need to be concerned with these types of attacks. Right?
05:40
The other one here we have DNA's cash poisoning so similar to like how we portion like an art cash similar thing here, right? We're just basically saying like, yeah, this I p addresses, you know, to this website. Sure. You know so again, always go back to vulnerabilities, configurations you know, make sure you set things up properly, patching things.
05:59
So all the all these were the things
06:01
we can use to mitigate that now, also, with
06:04
the cash poisoning,
06:06
if a user is taking action, right, So, like, let's say User is opening like a malicious email of phishing email. You know, they click on links or whatever. That could potentially cause a system to be compromised.
06:18
But more so, a lot of the lines of, like the admin themselves that they're opening different things on that particular server and most sys admin czar are pretty good about that.
06:29
We've also got our USB attack, so we were going to talk about a couple of different types. So all these are essentially a social engineering top attack, right? We put something malicious on our USB. We then throw it out in the parking lot and hope some employees plugs it in, by the way, a cool way to get people to, uh, I don't know. It's cool way, but
06:46
but a way to get people to actually like, pick that up and plug it in and many companies as to
06:51
take the keys on ad and just throw the USB on a key ring with some keys and also kind of make them
07:00
like, for lack of better words, kind of girly, like putting that, you know, like, Oh, you know, like a pink thing. And I love my cat or something like that, like
07:09
that gets people to actually think they're legitimate. Like if you just drop a USB out in the parking lot these days, most people are kind of mindful they're not gonna like, take it and plug it in. But if you drop it with, like, keys and it looks like somebody just kind of dropped as they walk to their car fell out of the bag or something
07:23
that's more likely to get people to actually go ahead and click on that
07:26
all right sees me to go ahead and get the plug, plug into it and then you know, either click on links in there, click on a photo or just plug it in for us so you can run malicious code.
07:35
So H I d spoofing. That's basically ah ah ah ah ah specific USB. That's a what's called a human interface device who had mimics like keyboard strokes that sort of stuff. So when I plug it in and it does something right, it emulates a keyboard, performs pre programmed keystrokes on the machine.
07:54
And so it's basically pretending, as I mentioned, you know,
07:56
to be a human there, so we would use something like, you know, a duck, a script to allow us to emulate any type of action on a keyboard.
08:05
The malicious file code is probably more common thing that you'll see where, like for example, I put like a oh, check out this. You know, I give I give you a speedy you plug it in. You see that? Oh, funny cat pictures or something like that, right? So you go ahead and just start clicking on them once you click on them. Once you've got that user interaction there, that user action
08:24
from there, it's gonna launch that malicious code. And then, you know I go to town on your system
08:30
also links, you know. So in some cases, uh,
08:33
they'll be links to different websites that takes that probably takes some social engineering as well, like a plug in this USB. And then go click these links to these websites. So not necessarily the best type of attack there, but it might be something you try. And then we already talked about the kill attack. So again,
08:52
So we talk about that in the pre assessment question, the USB kill attack eso essentially here what the USB is doing when we plug it in, it's going to send
09:01
little. It's gonna basically, like harvest. Once this plugged in, it's gonna harvest the power that is getting through s o. The USB itself is going to store the power that's going getting through the data line there on. Then it's gonna go ahead and shoot that back at the machine to try to go ahead and, uh,
09:22
you know, essentially kill off the machine writes tryingto
09:24
kill off that machine.
09:26
It's not
09:28
always effective. Um,
09:30
but sort of the goal there is, you know, like I said, either destroy it or until the machine itself some plug to getyou thio basically unplug it, but it's not always effective, but it can be affected. So just just keep that in mind as well.
09:45
Minutespoint. It's another attack tool essential that we can use very common in the industries that is probably the most common tool. There's three different versions of it. There's also some Gu Ys that are very popular out there, but you've got the framework that a lot of people use. You've also got a community addition as well as a pro.
10:03
There's a link you can get it. It's developed in and, uh,
10:07
hosted by Robin's Rapping seven. But
10:11
again, this link will be in the resource is sections. You can just go ahead and downloaded from there. Take a look around the frame. We're framework and the community are both free on The Pro actually has a 14 day free trial, so I definitely recommend you check that out as well, especially if you want to get into the offense of side of things.
10:30
So I talked about maintaining persistence is, well, right. So what's the point of doing all this work to attack a machine or grouping machines were a network and not actually like stay there and do what we want to write? Like, what's the point? If the if the admiral can just come reboot the machine and we're done right, we have to go back and attack and trying to find new vulnerabilities and all that stuff
10:48
so what we do as as an attacker,
10:52
Um, we'll try to do things to maintain that access. So it might be something as simple that's creating a new user account. And then, from there we can use those credentials to log back into the different machines. More commonly, we can use something like a remote Access Trojan and that allows us to maintain the persistence and do whatever we want to.
11:09
And
11:09
what happens, though with a lot of like the common rats, is like antivirus Santa Mail where we'll detect those, right. So it's pretty easy for the system. Enter network admin or security engineer to identify those. So what we could do with that as we can
11:24
use what's called a root kit. So the root kit essentially is gonna bypass the traditional operating system. So it's gonna be generally speaking at, like the colonel, a firmware level in some cases, you know, at the hardware level by design. So that's not as prevalent.
11:43
But definitely, you know, just using any root kit will get it down below the operating system level on so we can we can go ahead and percent maintain persistence because it's always gonna lost root kit. You know, in event rockets, by the way, are very difficult to get to get rid of.
12:00
Um, definitely takes some work to get rid of. So, uh, prevention is always the best minute medicine there.
12:05
Um,
12:05
as a part of all those as a part of our rat in a root kit weaken,
12:11
we can do callbacks to our attacker. Machines are like our command control server. So we do that through things like, you know, s h. He's probably most common there, but also already p tell Mitt that sort of stuff. Those are encrypted. So we probably would be using sssh in most cases on that kind of business into the natural progression of shells. Right.
12:30
So a couple different types of shells we've got the binding shell
12:33
where we can
12:35
essentially binding to a specific port specific network port. So it's binding from
12:41
the, uh, the target system to ah, to the port. Right. So, like, port 23 port 123 Whatever the case might be s o, it's gonna bind a bash. L you know, too. That is as an example, we could use a tool called Net cat to do that, you know, So we could run, you know, like an and C Dash L p
13:00
specify the port number, Do dashi.
13:03
And then, you know, do our our shell itself. You know, it's 1/4 slash band forthe last essay. So if you're not familiar with that, don't worry about jumping in that too much. But,
13:15
um, one of the, ah, one of the problems with that is it's pretty easy for, you know, for, like, the sys admin to get rid of that type of thing. What we really would want to do is, um,
13:26
do a reverse shell. That's probably the most common thing that you'll see people doing out there. That's definitely what we would prefer to do their and essentially what the reverse shell is. You know, once we compromise the target machine,
13:39
we then have the target machine communicate with our attack machine.
13:45
That's listening on a specific port. So basically, the the victim is
13:50
calling out to our attacker machine for lack of better words. They're they're calling out to our attacker machine on, and so that's what we want to do to make pertain persistence there. It gives us a lot more control laws is to do a lot more things. And it's unless the less likely you stabbed or some knows we're being attacked
14:09
and and isolates this machine and pulls off the network,
14:11
we can usually maintain persistence pretty well with a reverse shell.
14:18
We could also do scheduled tasks. So, like, you know, every day it runs a specific scan and then doesn't call back out to our attacker machine. So all these are just, you know, again kind of tools in our arsenal.
14:31
Quick post assessment question here. James is a security researcher. He's attempting to maintain persistence on a target device. So if he wants to maintain persistence, wall circumventing antivirus anti Mel where? What should he do?
14:46
So we talked about root Kits writes a. Root kits are away again that can circumvent antivirus anti Mel where eso those allow us to jump around those and potentially maintain our persistence on the machine

Up Next

Attacks and Persistence for Incident Handlers

Attacks and Persistence for Incident Handlers covers several different types of attacks, with a focus on DNS attacks and USB attacks. Ken Underhill also walks you through a session hijacking lab to simulate an attacker exploiting an established session to harvest user login credentials.

Instructed By

Instructor Profile Image
Ken Underhill
Master Instructor at Cybrary
Master Instructor