Advanced Persistent Threat Hacking

The Art and Science of Hacking Any Organization

Tyler Wrightson

Chapter 1 Introduction
Chapter 2 Empirical Data
Chapter 3 APT Hacker Methodology
Chapter 4 An APT Approach to Reconnaissance
Chapter 5 Reconnaissance: Nontechnical Data
Chapter 6 Spear Social Engineering
Chapter 7 Phase III: Remote Targeting
Chapter 8 Spear Phishing with Hardware Trojans
Chapter 9 Physical Infiltration
Chapter 10 APT Software Backdoors
Index



Book Details
Price: 2.00 USD
Pages: 434 p
File Size: 10,835 KB
File Type: PDF format
ISBN: 978-0-07-182837-6
Copyright: 2015 by McGraw-Hill Education

About the Author
Tyler Wrightson is the author of Advanced Persistent Threats as well as Wireless Network
Security: A Beginner’s Guide. Tyler is the founder and president of Leet Systems, which provides
offensive security services such as penetration testing and red teaming to secure organizations against
real-world attackers. Tyler has over 13 years’ experience in the IT security field, with extensive
experience in all forms of offensive security and penetration testing. He holds industry certifications
for CISSP, CCSP, CCNA, CCDA, and MCSE. Tyler has also taught classes for CCNA certification,
wireless security, and network security. He has been a frequent speaker at industry conferences,
including Derbycon, BSides, Rochester Security Summit, NYS Cyber Security Conference, ISACA,
ISSA, and others. Follow his security blog at http://blog.leetsys.com.

About the Technical Editors
Reg Harnish is an entrepreneur, speaker, security specialist, and the chief security strategist for
GreyCastle Security. Reg has nearly 15 years of security experience, specializing in security
solutions for financial services, healthcare, higher education, and other industries. His security
expertise ranges from risk management, incident response, and regulatory compliance to network,
application, and physical security. Reg brings a unique, thought-provoking perspective to his work,
and he strives to promote awareness, establish security fundamentals, and reduce risk for GreyCastle
Security clients.
Reg attended Rensselaer Polytechnic Institute in Troy, New York, and has achieved numerous
security and industry certifications. He is a Certified Information Systems Security Professional
(CISSP), a Certified Information Security Manager (CISM), and a Certified Information Systems
Auditor (CISA). In addition, Reg is certified in Information Technology Infrastructure Library (ITIL)
Service Essentials. He is a member of InfraGard, the Information Systems Audit and Control
Association (ISACA), and the Information Systems Security Association (ISSA). In addition to deep
expertise in information security, Reg has achieved numerous physical security certifications,
including firearms instruction, range safety, and personal protection.
Reg is a frequent speaker and has presented at prominent events, including US Cyber Crime,
Symantec Vision, ISACA, ISSA, InfraGard, and more. His successes have been featured in several
leading industry journals, including Software Magazine, ComputerWorld, and InfoWorld.
Comrade has been in information security since the early 2000s. Comrade holds several industry
certifications, but believes the only one that really means anything in regard to this book is the OSCP
certification by the Offensive Security team. He currently performs penetration testing against all
attack vectors, network, application, physical, social, etc., for clients in all verticals, including many
Fortune 500 companies.


Acknowledgments
There are so many people I want to acknowledge and thank—whether you have helped me directly
with this book or are just a good friend, I’m glad to have you all share this with me. First, I have to
thank Erin. I love you so much, thank you for all of your unending support. I have to thank my mother
for being a great mother, a wonderful person and woman, super supportive and loving, always
understanding, and the best mom ever. I want to thank my stepfather for providing good stories, a
level head, and plenty of cognac to a much-younger Tyler.
I want to thank my father for being a great father, a role-model gentleman, and the best daddio
ever. Thank you to my future stepmother for making my dad very happy and being a genuinely great
person.
Thank you to Raeby for being the best little big sister, (usually) level headed, but always loving
and a little rock in my memory. Thank you to Donby for the endless artistic support, being a great
brother-in-law, and providing us with the best niece in the world.
Jenners, for always being excited and supportive, and the best little sister. Corby, for being a good
and kind person and a great brother. Bren, for being a little punk, but a good person and a great
brother. I love you all.
Thank you to all my friends who I couldn’t hang out with on more than a few occasions.
Thank you, Reg, for all of the help to make this book what I wanted it to be and all the fun and
education working together. I really did learn a lot working with you. Thank you, Stamas, for all the
good times, being a great teammate, and being a really sweet guy no matter how much you try to hide
it. We’ll definitely work together in the future.
Thank you, Steve and Bob, for being a huge help in so many different ways. I really can’t thank you
enough. You’ve gone well beyond what was necessary so many times, and it’s been really awesome
working with you.
I have to thank Stacks Espresso for not only providing a great place to do an absurd amount of the
writing for this book, but also providing the necessary caffeine to do it. Thank you to my new team at
Stacks: Ron, Lacy, Kevin, Jess, Jammella and John for being awesome and making this a really
enjoyable experience.
Thank you, Elo, for all the direct and indirect help. I’m so glad the fear of losing a vital organ
didn’t stop us from becoming friends. It’s been awesome sharing this love for hacking and this
awesome security journey with you. I love you no matter how much of a pain in the ass you are.
Last but absolutely not least, I have to thank everyone at McGraw-Hill Education who helped
make this book. Amy Jollymore, for seeing the vision and concept very early on. Brandi Shailer, for
truly helping me through so many issues and deadlines; many, many phone calls; and an absurd amount
of e-mails. Amanda Russell, for all your help and support. Thank you all so much.

Table of Contents
Acknowledgments
Introduction
Chapter 1 Introduction
Defining the Threat
Threats
Attacker Motives
Threat Capabilities
Threat Class
Threat History
APT Hacker: The New Black
Targeted Organizations
Constructs of Our Demise
The Impact of Our Youth
The Economics of (In)security
Psychology of (In)security
The Big Picture
The Vulnerability of Complexity
All Together Now
The Future of Our World
Don’t Forget
Chapter 2 Empirical Data
The Problem with Our Data Set
Threat Examples
Techno-Criminals Skimmer Evolution
Techno-Criminals: Hacking Power Systems
Unsophisticated Threat: Hollywood Hacker
Unsophisticated Threat: Neighbor from Hell
Smart Persistent Threats: Kevin Mitnick
APT: Nation-States
Stuxnet and Operation Olympic Games
Duqu: The APT Reconnaissance Worm
Flame: APT Cyber-espionage Worm
APT: RSA Compromise
APT Nation-State: Iran Spying on Citizens
Cell Phone Spying: Carrier IQ
Don’t Forget
Chapter 3 APT Hacker Methodology
AHM: Strong Enough for Penetration Testers, Made for a Hacker
AHM Components (Requirements, Skills, Soft Skills)
Elegant, Big-Picture Thinkers
Advanced: Echelons of Skill
Preparation
Patience
Social Omniscience
Always Target the Weakest Link
Efficacious, Not Elite
Exploitless Exploits
The Value of Information
APT Hacker’s Thought Process
Think Outside the Box
A Side Note
A Vaudeville Story
Look for Misdirection
Think Through the Pain
Avoid Tunnel Vision
No Rules
Keep It Simple, Stupid (KISS)
Quote
APT Hacking Core Steps
Reconnaissance
Enumeration
Exploitation
Maintaining Access
Clean Up
Progression
Exfiltration
APT Hacker Attack Phases
APT Hacker Foundational Tools
Anonymous Purchasing
Anonymous Internet Activity
Anonymous Phone Calls
APT Hacker Terms
Don’t Forget
Chapter 4 An APT Approach to Reconnaissance
Reconnaissance Data
Data Categories (Technical and Nontechnical)
Data Sources (Cyber and Physical)
Data Methods (Active and Passive)
Technical Data
Registrant Information
DNS Information and Records
DNS Zones
Border Gateway Protocol: An Overview
System and Service Identification
Web Service Enumeration
Large Data Sets
Geolocation Information
Data from the Phone System
Don’t Forget
Chapter 5 Reconnaissance: Nontechnical Data
Search Engine Terms and Tips
Search Engine Commands
Search Engine Scripting
Search Engine Alerts
HUMINT: Personnel
Personnel Directory Harvesting
Directory Harvesting: HTTP Requests
Directory Harvesting: Stateful HTTP
Analyzing Results
Directory Harvesting HTML Tables
Personnel Directory: Analyzing the Final Results
E-mail Harvesting
Technical E-mail Harvesting
Nontechnical E-mail Harvesting
Geographical Data
Reconnaissance on Individuals
Nontraditional Information Repositories
Automated Individual Reconnaissance
Our Current View
Don’t Forget
Chapter 6 Spear Social Engineering
Social Engineering
Social Engineering Strategies
Assumptions
Do What Works for You
Preparation
Legitimacy Triggers
Keep It Simple, Stupid
Don’t Get Caught
Don’t Lie
Be Congruent
Social Engineering Tactics
Like Likes Like
Personality Types
Events
Tell Me What I Know
Insider Information
Name Dropping
The Right Tactic
Why Don’t You Make Me?
Spear-Phishing Methods
Spear-Phishing Goals
Technical Spear-Phishing Exploitation Tactics
Building the Story
Phishing Website Tactics
Phishing Website: Back-End Functionality
Client-Side Exploits
Custom Trojan Backdoor
Don’t Forget
Chapter 7 Phase III: Remote Targeting
Remote Presence Reconnaissance
Social Spear Phishing
Wireless Phases
APT Wireless Tools
Wireless Reconnaissance
Active Wireless Attacks
Client Hacking: APT Access Point
Getting Clients to Connect
Attacking WPA-Enterprise Clients
Access Point Component Attacks
Access Point Core Attack Config
Access Point Logging Configuration
Access Point Protocol Manipulation
Access Point Fake Servers
Don’t Forget
Chapter 8 Spear Phishing with Hardware Trojans
Phase IV Spear Phishing with Hardware Trojans
Hardware Delivery Methods
Hardware Trojans: The APT Gift
APT Wakizashi Phone
Trojaned Hardware Devices
Hardware Device Trojans with Teensy
Don’t Forget
Chapter 9 Physical Infiltration
Phase V Physical Infiltration
APT Team Super Friends
It’s Official – Size Matters
Facility Reconnaissance Tactics
Example Target Facility Types
Headquarters
Choosing Facility Asset Targets
Physical Security Control Primer
Physical Infiltration Factors
Physical Security Concentric Circles
Physical Social Engineering
Physical Social Engineering Foundations
Physical Congruence
Body Language
Defeating Physical Security Controls
Preventative Physical Controls
Detective Physical Controls
Hacking Home Security
Hacking Hotel Security
Hacking Car Security
Intermediate Asset and Lily Pad Decisions
Plant Device
Steal Asset
Take and Return Asset
Backdoor Asset
Don’t Forget
Chapter 10 APT Software Backdoors
Software Backdoor Goals
APT Backdoor: Target Data
APT Backdoors: Necessary Functions
Rootkit Functionality
Know Thy Enemy
Thy Enemies’ Actions
Responding to Thy Enemy
Network Stealth Configurations
Deployment Scenarios
American Backdoor: An APT Hacker’s Novel
Backdoor Droppers
Backdoor Extensibility
Backdoor Command and Control
Backdoor Installer
Backdoor: Interactive Control
Data Collection
Backdoor Watchdog
Backdooring Legitimate Software
Don’t Forget
Index


Introduction
Writing this book was a far more difficult task than I realized when I first set out.
This book has actually been well over a decade in the making.
It started out as a simple thought experiment to determine how I might be able to hack into any organization, and over the years it turned into more of an obsession.
Finally, after many years of penetration testing, I felt that not only did I have a solid game plan to
successfully hack even the most secure organizations, but I also had plenty of firsthand experience that
gave me my own unique perspective.

Why This Book?
This book was written with one crystallized purpose: to prove that regardless of the defenses in place,
any organization can have its most valuable assets stolen due to the complete immersion of
technology in our world. The truly alarming fact is that not only is this possible, but it is probably
far easier than most people realize.

Who Should Read This Book?
This book was originally written for anyone tasked with ensuring the security of their organization,
from the CSO to junior systems administrators. However, much of the book will provide enlightening
information for anyone even remotely interested in security.
The people who will most likely gain the most from this book are the foot soldiers who must make
tactical security decisions every day. People like penetration testers, systems administrators, network
engineers, even physical security personnel will find this book particularly helpful. However, even
security managers and C-level personnel will find much of this information enlightening.

What This Book Covers
This book starts out at a very high level and quickly gets into the nitty-gritty of attacking an
organization and exploiting specific vulnerabilities. These examples are meant to be actionable,
hands-on examples that you can test yourself. However, it’s critical to understand that in no way
should this book be considered to contain every detail that is necessary to hack any organization.
Hopefully, every reader understands that to contain every detail, this book would quickly reach a size
that would not fit on any bookshelf. Instead, in an attempt to find balance, many things that are
believed to have been covered adequately by other books or that are assumed to be known by a
reader with a moderate understanding of hacking have been left out of this book.

In an attempt to give the most real, unabashed, and meaningful perspective, there has been no
tiptoeing around sensitive subjects, and nothing has been held from this book for fear of being too
controversial. This book has been written from the perspective of a criminal, with no other goal than
to take your organization’s most meaningful assets by any means necessary (aside from violence).
Only with this perspective can we meet Sun Tzu’s tenet of knowing thy enemy, and only with
that perspective can we begin to adequately defend against these types of threats.

It is also important to understand the difference between the typical use of the word APT and the
meaning in this book. In this book, I attempt to commandeer the term APT to define a new type of
hacker able to infiltrate any organization despite a very small budget and surprisingly with very
accessible skills. As always with everything I do, there may be a small dash of tongue-in-cheek humor.

How Is This Book Organized?
In the first part, we stick to the high-level concepts that make every organization vulnerable.
In Chapter 2, we discuss a few interesting real-world examples of both unsophisticated and
sophisticated threats.
In Chapter 3, we discuss the methodology you must follow to become capable of hacking any
organization. This methodology includes a few hard-set technical skills that you must obtain;
however, it is primarily dominated by the correct system and mental constructs necessary to hack any
organization.
Chapters 4 and 5 dive into the first tactical steps in the methodology and cover in detail the
technical and nontechnical types of data you should attempt to obtain about your target through active
and passive reconnaissance.
Chapter 6 begins with an in-depth discussion of strategic and tactical components of effective
social engineering. This is followed by tactical examples of spear phishing a target through remote
technical means such as e-mail and building effective phishing websites.
Chapter 7 moves on to targeting remote users at their homes and other locations. This chapter
focuses primarily on exploiting wireless vulnerabilities that can allow us to easily and anonymously
exploit these users. This includes targeting wireless networks and vulnerabilities, as well as creating
the most effective rogue access points and exploiting wireless clients and communications.
Chapter 8 demonstrates how to create and use traditional audio, video, and GPS bugs to monitor
key locations and individuals. This is followed by details on how to create and program next-generation
hardware-based backdoors such as the Teensy device, as well as backdoored hardware
such as laptops and smart phones.
Chapter 9 goes in depth into circumventing many of the most common physical security controls
and physically infiltrating target locations. Copious examples and usable tools and techniques are
covered in detail.
Finally, Chapter 10 closes with a discussion of the types of software backdoors that can be used
throughout all of the previous attack phases to maximize the effectiveness of any attack. This includes
code examples as well as functionality that may seem somewhat low tech but will provide great results.