Attacks and Persistence

Time: 25 minutes
Difficulty: Intermediate
CEU/CPE: 1
Video Transcription
>> Hey, everyone. It's Ken Underhill, Master Instructor at Cybrary. In this video we're going to talk about attacks and persistence.

Quick pre-assessment question here. What type of USB attack is actually used to create a power surge that attempts to destroy the target machine? It's not always successful, but that's the attempt that it's doing. Sophie said USB kill attack. That is correct, that is the type there, and we'll talk about that a little bit.

We have different attack types. We, of course, have DDoS that a lot of people are familiar with just because they hear it in the media, and that's basically we're sending so many requests to a single machine or a grouping of machines that it eats up the resources. Going back to like the CIA triad, for example, confidentiality, integrity, availability, that will fall under the availability aspect of it, so as somebody trying to visit your website, I can't access it. Or as a user or worker at your company trying to maybe access a database or a certain system, I can't access it because there is an attack in place.

We've got ARP poisoning. Basically what we're doing there is we're taking an incorrect MAC address, maybe from our attacker machine, and then we're linking that to a legitimate IP address. One common thing that happens is, let's say I'm able to compromise, like, a domain controller, for example. I do that and then from there I do an ARP attack and I essentially change the MAC address for different machines. I say this beautiful attacker machine is actually 192.168.0.1, which you think is one of the machines on your network, and then you connect to it. Out there you do see this type of attack, but there's a lot of devices out there in use that will prevent against this or at least mitigate it quite a bit. It's hit and miss if you'll actually see it, but definitely something we should just bring up in this type of video.

SMB attacks, Server Message Block. Most people are familiar or they've heard in the media, probably like EternalBlue. That's an SMB type of attack. There's a ton of SMB attacks. It's been very vulnerable over the years. I went to CVE Details a while back. There's over 2,000; cvedetails.com is a site you can check out. Again, I'll link to that in the document. But there's several thousand SMB vulnerabilities. It doesn't mean that all of them are things you can use on a company because a lot of times people patch. Hopefully they patch. But those are different things you can use as well.

DNS, USB, we'll talk about these a little more in-depth.

Session hijacking. I want us to use a banking example there. You are connecting to your banking website. You've authenticated on your bank, and then what I do there is I go ahead and I grab your user credentials and my goal is to do a replay attack where I can go ahead and just replay your authenticated session credentials, and then that way hopefully I can get onto your bank and get all your money. We've all got millions. I can get in there and get your money.

Man-in-the-middle, and this is a differentiating factor, and they're really used interchangeably, a lot of people just use these attacks interchangeably. Man-in-the-middle, a difference I would say there is that I'm just jumping in the middle of that communication, but I'm not actually taking over like you. I'm just jumping in the middle and then you send a request to me, I review it and everything. I then send it on to your bank, and then from there the bank sends a request back through me, and then I send it back to you. That's the differentiating factor there. Again, most people use them interchangeably, but that's the difference there.

DNS attacks, there's many different types. I just listed some of the most common ones here. We've got domain hijacking. Basically the attackers, they've hijacked your domain name, your domain server. They're essentially taking control of your DNS records. As an example, let's say that you own a bank, let's say you have a bank, you have a banking website. Then what the attackers do is they'll poison the DNS so that way when I type in www.yourbank.com, just as an example, instead of it taking me to the correct IP address for your server, it's going to take me to the attacker's fake website they've set up. I don't want to say it's pretty easy to defend against it, but it is something that if you're not configuring your server correctly that you could be vulnerable to. Using something like DNSSEC is probably a good idea to help mitigate against that.

We've also got DNS flood attacks. Think of that as basically a DDoS attack, denial-of-service attack or distributed denial-of-service attack. The whole goal with that is to just overload the DNS server, just flood it with so many requests that it can't go back. It can't effectively take all those requests and process them, it just basically shuts it down. We've seen that to some extent with all these cloud attacks that we've seen out there, especially if you remember back in the Mirai botnet, think of it in that context where it was shutting down all of these different servers across the world. As an example, part of the Internet shut down for a period of time. Doing those types of large-scale attacks like that, that's definitely a reason why we need to be concerned with these types of attacks.

The other one here we have DNS cache poisoning. Similar to how we poison like an ARP cache, similar thing here. We're just basically saying this IP address is this website. Sure. Again, always go back to vulnerabilities, configurations, making sure you set things up properly, patching things. All these are the things we can use to mitigate that. Now, also with the cache poisoning, if a user is taking cache, let's say a user is opening a malicious email, a phishing email, they click on links or whatever, that could potentially cause a system to be compromised. But more so along the lines of like the admin themselves, if they're opening different things on that particular server, and most sysadmins are pretty good about that.

We've also got our USB attack. We're going to talk about a couple of different types. All these are essentially a social engineering type attack. We put something malicious on our USB, we then throw it out in the parking lot and hope some employee plugs it in. By the way, a cool way to get people to, well, I don't know if it's a cool way, but a way to get people to actually pick that up and plug it in at many companies is to take keys and just throw the USB on a key ring with some keys and also make them, for lack of better words, girly, like putting that like a pink thing and "I love my cat" or something like that. That gets people to actually think they're legitimate. If you just drop a USB out in the parking lot, these days most people are mindful. They're not going to take it and plug it in. But if you drop it with keys and it looks like somebody just dropped it as they walked to their car and it fell out of their bag or something, that's more likely to get people to actually go ahead and plug into it and then either click on links in there, click on a photo, or just plug it in for you so you can run malicious code.

>> HID spoofing, that's basically a specific USB, that's what's called the human interface device. It mimics keyboard strokes, that sort of stuff. When I plug it in, it does something. It emulates a keyboard and it performs pre-programmed keystrokes on the machine. It's basically pretending, as I mentioned, to be a human there. We would use something like a Ducky Script to allow us to emulate any type of action on a keyboard.

Well, the malicious file code is probably a more common thing that you'll see, where, for example, I give you a USB, you plug it in. You see those funny cat pictures or something like that. You go ahead and just start clicking on them. Once you click on them, once you've got that user interaction there, that user action, from there, it's going to launch that malicious code and then I go to town on your system. Also links. In some cases, there'll be links to different websites. That probably takes some social engineering as well, like, hey, plug in this USB and then go and click these links to these websites. Not necessarily the best type of attack there, but it might be something you try.

Then we already talked about the kill attack. We talked about that in the pre-assessment question, the USB kill attack. Essentially here what the USB is doing, once it's plugged in, it's going to harvest the power that is getting through. The USB itself is going to store the power that's going to be getting through the data line there. Then it's going to go ahead and shoot that back at the machine to try to go ahead and essentially kill off the machine. It's trying to kill off that machine. It's not always effective, but the goal there is, like I said, either destroy it or, until the machine itself is unplugged, to get you to basically unplug it. But it's not always effective, but it can be effective, just keep that in mind as well.

Metasploit is another attack tool essentially that we can use. Very common in the industry. It's probably the most common tool. There's three different versions of it. There's also some GUIs that are very popular out there. But you've got the Framework that a lot of people use. You've also got a Community edition as well as a Pro. There's a link you can get it from; it's developed and hosted by Rapid7. Again, this link will be in the resources section. So you can just go ahead and download it from there and take a look around. Our Framework and the Community are both free and then the Pro actually has a 14-day free trial. I definitely recommend you check that out as well, especially if you want to get into the offensive side of things.

I've talked about maintaining persistence as well. What's the point of doing all this work to attack a machine or grouping of machines or a network and not actually stay there and do what we want to? What's the point if the admin can just come reboot the machine and we're done? We have to go back, and attack, and try to find new vulnerabilities and all that stuff. What we do as an attacker, we'll try to do things to maintain that access. It might be something as simple as creating a new user account, and then from there, we can use those credentials to log back into the different machines. More commonly, we can use something like a remote access Trojan, and that allows us to maintain the persistence and do whatever you want to. What happens with a lot of the common RATs is like anti-virus or anti-malware will detect those. It's pretty easy for the sysadmin, or network admin, or security engineer to identify those.

What we can do with that is we can use what's called a rootkit. The rootkit essentially is going to bypass the traditional operating system. It's going to be, generally speaking, at the kernel or firmware level, in some cases at the hardware level by design. That's not as prevalent, but definitely just using any rootkit will get it down below the operating system level and so we can go ahead and just maintain persistence because it's always going to launch the rootkit in there. Rootkits, by the way, are very difficult to get rid of. Definitely takes some work to get rid of. So prevention is always the best medicine there. As a part of all of those, as a part of our RAT and rootkit, we can do callbacks to our attacker machines, like our command and control server. We do that through things like SSH is probably the most common there, but also RDP, Telnet, that sort of stuff. Those are encrypted. We probably would be using SSH in most cases.

That moves us into the natural progression of shells. A couple of different types of shells. We've got the binding shell, where it's essentially binding to a specific network port. It's binding from the target system to the port, like port 23, port 123, whatever the case might be. It's going to bind a bash shell to that as an example. We can use a tool called Netcat to do that, so we can run nc -l -p, specify the port number, or do -e, and then do our shell itself. So /bin/sh. If you're not familiar with that, don't worry about jumping into that too much. But one of the problems with that is it's pretty easy for the sysadmin to get rid of that type of thing.

What we really would want to do is do a reverse shell. That's probably the most common thing that you'll see people doing out there. That's definitely what we would prefer to do there. Essentially, what the reverse shell is, once we compromise the target machine, we then have the target machine communicate with our attack machine that's listening on a specific port. Basically, the victim is calling out to our attacker machine, for a lack of better words. They're calling out to our attacker machine and so that's what we want to do to maintain persistence there. It gives us a lot more control, allows us to do a lot more things. Unless the sysadmin or something knows they're being attacked, and isolates this machine, and pulls it off the network, we can easily maintain persistence pretty well with a reverse shell.

We can also do scheduled tasks. Every day it runs a specific scan, and then does a callback out to our attacker machine. All of these are just, again, tools in our arsenal.

Quick post-assessment question here. James is a security researcher. He's attempting to maintain persistence on a target device. If he wants to maintain persistence while circumventing antivirus and anti-malware, what should he do? We talked about rootkits. Rootkits are a way, again, that can circumvent antivirus and anti-malware. Those allow us to jump around those and potentially maintain our persistence on the machine.