
All your attack vectors belong to us.


Chaining attacks, combining techniques to reach the endpoint.
Advanced Penetration Testing
The use of human factor when doing a pentest/security test

Tiago Henriques – Office D103C – Research room


MSc by Research Information Security and Computer Forensics
Synopsis

• What is an attack vector
• Different examples of attack vectors
• Tools
• Combining attacks
• Conclusion

Who Am I?

• Tiago Henriques
• Student
• BSc Software Engineering
• Studying MSc by Research Information Security and Computer Forensics
• Infosec lover

Attack Vector

• An attack vector is the way/path that a hacker uses to gain access to a server, computer or other resource in order to obtain information, deliver a payload or achieve some other malicious outcome.

Attack Vectors

• Attack vectors come in many forms:
  • Network attacks – man-in-the-middle, ARP poisoning, sniffing attacks, wireless attacks
  • Viruses, Trojans, malware delivery
  • Email
  • Social engineering attacks
  • Physical attacks


Scenario

• Network has multiple servers and workstations connected to it
• Network has an access point protected by WEP
• Multiple users, ranging from helpdesk staff with average IT knowledge to system administrators with expert skills
• Several operating systems: Linux, Windows, OS X

Attack vector 1 – Entry point

• The entry point is the first step the hacker uses to get some sort of interaction with one of the participants in the system being targeted; these can be users, computers, etc.

Attack vector 1 – Entry point

• What if the hacker chose the human factor as the entry point?
• A social engineering attack is the typical entry point when “attacking” the human factor; from there the attack passes to a technological vector.

Attack vector 1 – Entry point
Human

• The first step: reconnaissance! The hacker could gather information about the receptionist. By getting her email address he could reach, for example, her Facebook page, where he could see that she is a big fan of Metallica.
• To any other person this could be useless information, but where a normal person sees harmless information, a hacker sees an attack vector.

Attack vector 1 – Entry point
Technological

• If the receptionist was smart and did not have a Facebook account (!!rare case!!), how could we get access to a machine?
• Multiple attacks could be used to get critical information about the network

Attack vector 1 – Entry point
Technological

• DNS attack – Look up DNS information and check whether their servers are vulnerable to a remote zone transfer attack. This will disclose a lot of network information, which could lead to other attack vectors.
• Wireless attack – As explained in our scenario, we have a wireless access point protected by WEP. As you should all know, WEP is easily hackable. Even if it were protected by WPA, though, we could chain 2 attacks (a social attack on the network administrator to create a keyword list based on everything related to his life, such as favorite hobbies, music, bands, daughter/son name, wife name) and make a brute force attack. Other keywords related to the company could also be used, such as the name of the company or the products it sells (this information is usually available on the company website).
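
Seen from the defender's side, the keyword-list attack above means a WPA passphrase must not be derivable from public facts about the company or its administrators. The following is an added example (not part of the original slides) that audits a passphrase against such a list; the context words and all function names are assumptions.

```python
import re

# Simple character substitutions undone before matching (assumed set, not exhaustive).
LEET = str.maketrans("013457@$", "oieastas")

def normalize(text):
    """Lower-case, undo simple substitutions and keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))

def candidate_cores(passphrase):
    """Yield normalized forms with 0..n trailing digits/symbols treated as padding."""
    core = passphrase
    yield normalize(core)
    while core and not core[-1].isalpha():
        core = core[:-1]
        yield normalize(core)

def built_from(target, words):
    """Word-break check: is target a concatenation of entries in words?"""
    reachable = [True] + [False] * len(target)
    for end in range(1, len(target) + 1):
        reachable[end] = any(
            len(w) <= end and reachable[end - len(w)] and target[end - len(w):end] == w
            for w in words
        )
    return reachable[-1]

def is_context_guessable(passphrase, context_words, min_len=3):
    """True if the passphrase is only context words plus padding/substitutions.

    A passphrase that is nothing but digits/symbols also returns True.
    """
    words = {normalize(w) for w in context_words}
    words = {w for w in words if len(w) >= min_len}
    return any(built_from(core, words) for core in candidate_cores(passphrase))

# Constructed context list: company name, product and personal interests.
CONTEXT = ["Acme", "Widgets", "Metallica", "Rex"]

if __name__ == "__main__":
    for p in ["AcmeWidgets2011!", "M3t4ll1c4_99", "plum-Gravel-otter-71"]:
        print(p, is_context_guessable(p, CONTEXT))
```

A passphrase that passes this check is only shown not to be built from the supplied context list; length and randomness still have to be checked separately.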
Attack vector 2 – Taking control

• In this part we will discuss how a hacker would exploit a computer within the system to start taking control and get the information he is trying to access.
Attack vector 2 – Entry point
Human + Email attack + PDF Exploitation – Demo attack

• In the demo you are about to see, a tool named SET is used to create a template email in which we pretend to be the company CFO, as people tend to open an email straight away when it comes from the boss.
• The more information you obtain, the better the result you will get.
• The email will contain a PDF carrying code that exploits an error in Adobe Reader and allows the hacker to take control of the computer as soon as the user opens the PDF.

Attack vector 2 – Entry point
Technological + Web Page Forgery + Java Exploit + ARP Poisoning – DEMO

• In this case we will combine multiple attacks: we will first crack the WEP password on the access point, then use SET to create a forged website and deliver a payload based on the Java exploit, which spoofs a Java certificate and delivers a Metasploit payload instead. We will then use ettercap to redirect users to our page by doing an ARP poisoning attack on the network.
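
The redirect step in this chain depends on ARP poisoning, which leaves a visible trace in every victim's neighbour table. The following is an added detection example (not part of the original slides) that compares two `ip neigh show` snapshots; the addresses, sample data and function names are constructed assumptions.

```python
from collections import defaultdict

# Constructed `ip neigh show` snapshots (sample data, not from the slides).
BASELINE = """\
192.168.1.1 dev eth0 lladdr aa:bb:cc:00:00:01 REACHABLE
192.168.1.20 dev eth0 lladdr aa:bb:cc:00:00:14 STALE
192.168.1.30 dev eth0 lladdr aa:bb:cc:00:00:1e STALE
"""
CURRENT = """\
192.168.1.1 dev eth0 lladdr aa:bb:cc:00:00:1e REACHABLE
192.168.1.20 dev eth0 lladdr aa:bb:cc:00:00:14 STALE
192.168.1.30 dev eth0 lladdr aa:bb:cc:00:00:1e REACHABLE
192.168.1.40 dev eth0  FAILED
"""

def parse_neigh(text):
    """Return {ip: mac} from `ip neigh show` lines; entries without lladdr are skipped."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" in fields[:-1]:
            table[fields[0]] = fields[fields.index("lladdr") + 1].lower()
    return table

def arp_findings(baseline, current, gateway):
    """Compare two neighbour tables and return (kind, subject, detail) tuples."""
    findings = []
    # An IP whose MAC differs from the baseline; the gateway is the critical case.
    for ip, mac in sorted(current.items()):
        known = baseline.get(ip)
        if known and known != mac:
            kind = "gateway-mac-changed" if ip == gateway else "mac-changed"
            findings.append((kind, ip, f"{known} -> {mac}"))
    # One MAC answering for several IPs points at the host doing the spoofing.
    owners = defaultdict(list)
    for ip, mac in current.items():
        owners[mac].append(ip)
    for mac, ips in sorted(owners.items()):
        if len(ips) > 1:
            findings.append(("mac-shared", mac, ", ".join(sorted(ips))))
    return findings

if __name__ == "__main__":
    for finding in arp_findings(parse_neigh(BASELINE), parse_neigh(CURRENT), "192.168.1.1"):
        print(finding)
```

Hosts with several legitimate addresses on one interface will also trigger `mac-shared`, so that finding is best read together with a changed gateway entry.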
Conclusion

• There are many ways to defend a system, but there are also many ways to attack it
• A key skill to have while testing a system's security is “imagination”, being able to think “outside the box”.
• The human factor is a very important one, with lots of flaws, and should always be used when possible.
Kudos

• David Kennedy – Creator of SET
• loganWHD – Creator of one of the demos
• Tokidoki – for creating the flying pony unicorn image

Any questions?
