Hacker Perspective: Maderas

Hacking and the hacker community have given me the means to build something that is mine.  I grew up abused in a dangerous city with every excuse to fail.  Completely self taught and with only a GED education, I have worked as the cybersecurity, penetration test, and vulnerability assessment lab manager for Schneider Electric.  While employed by Schneider Electric, I also served as the company's lead red teamer and penetration tester.  Through them, I completed projects for some of the most powerful organizations on Earth (Saudi Aramco was one).  I have also been employed by National Grid as a senior red team and penetration testing consultant.

By combining hard work with the knowledge so many of you have gifted to this world, I have forged so much for myself: a vocation, a purpose, and the means to make this world a better place.  Most of all, the hacker community has provided me with a place in this world...  I doubted that any such place existed for so long (shout out to 0x00sec.org, my digital home and family).

If you are reading this, it means I have written an article for 2600.  If you refuse to give up on yourself and your dreams, those dreams do come true.

What follows are anecdotes, opinions, and observations gained after a decade of hacking (including more than eight years red teaming and penetration testing).  No retreat.  No surrender.

1.)  For Me, Red Teaming and Penetration Testing are Hacking

When I take part in red team/penetration test engagements professionally, I am hacking; however, I use different vocabulary (red teaming/penetration testing) out of courtesy for clients/my employers.

During red teaming/penetration testing, I am still using the tools, techniques, and methodologies of my art (hacking).  It is the same challenging means of personal expression that leads me to develop a deeper understanding of myself and the world around me.  Restrictions on tools or other engagement parameters are just realities that govern the medium on which/by which I display my art.

This became my life's art when I began to let my mind get weird with the possibilities of what can be effective and what can be made to work for me.  To me, this has become a game won by strategy and creativity, not tools.

2.)  I Believe That Hacking Networks/Systems is the Art of Acquiring Advantages Through a Strategic and Creative Leveraging of Perception.

During an engagement, I am looking to acquire every possible advantage; these advantages are most often dependent on the resources that are native to the environment I am attacking.

Recognizing these resources, identifying how I may make them useful and/or strategizing toward maximizing this usefulness is what yields the advantages that lead to exploitation.

These advantages are a product of trained perception honed through study, practice, knowledge, and experience.  They are not gained through some application of tools.

The data a hacker perceives and the manner in which they act upon that data governs the probability of their success during any stage of an engagement.  The same holds true for the amount/degree of advantage that an attacker can perceive in and/or leverage from the data they enumerate.

There is a degree of perception generally outside of a hacker's control that also helps dictate what resources will be available to them during an engagement...

Many times, a defender's best defense is their perception of the resources native to the digital spaces they are employed in defending: for instance, maybe some manner of business need impedes a defender's capacity to fix vulnerabilities or mount the best defense possible.  In these instances, the defender must perceive the ultimate cost their organization may pay for the presence of a given vulnerability.

The defender must also perceive the manner in which they may best relay/explain the possible/potential cost(s) to an organization.

The topography/composition of an engagement environment is almost always shaped by human perception; for example, perhaps an organization's cost-benefit analysis leads it to ignore patching vulnerabilities that they perceive to be "minor."

I believe that the degree of perception that matters most, where attacking or defending an organization is concerned, is the perception of blind spots.

An organization that chooses to ignore a vulnerability (yet recognizes that the vulnerability is present) at least perceives some potential detriment that the vulnerability poses to its information infrastructure.  Yet ultimately, they should understand that their decisions decide what resources are at my disposal outside and inside of their networks.

My decisions rest in how I use those resources to defeat whatever defense they set against me; let's cover a couple examples of using what is offered in a creative fashion.

3.)  Digital Pickpocketing

The age of transferable, digital media has led to widespread implementation of Universal Plug and Play (UPnP) and UPnP-like programs and services for easy, quick movement of media between devices.

Most users do not understand these technologies fully; sometimes these users do not shut down the programs correctly (leaving UPnP/UPnP-like services up and the ports open/media readily available) or the program is poorly designed (which can also leave UPnP/UPnP-like services up and the ports open/media readily available).

Many times, these protocols are allowed through firewalls/network appliances (thus they are utilized by malware pretty often, especially Remote Access Trojans [RATs]) as many network/system administrators do not fully perceive the infosec implications of protocols like UPnP (along with similar protocols like DLNA and SSDP, which are often incorporated into its stack) or perceive these protocols/services as a possible threat, thereby creating an exploitable blind spot.
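A defender closes this blind spot by knowing what advertises itself over SSDP on a segment.  The following is an added example (not from the original article or from any product it names): a parser for SSDP NOTIFY messages and M-SEARCH responses that keeps an inventory of live UPnP/DLNA MediaServer devices, retiring an entry when the device sends ssdp:byebye.  The packets, IPs and UUIDs are constructed placeholders.

```python
"""Parse SSDP advertisements and inventory hosts exposing UPnP/DLNA MediaServer devices."""
from __future__ import annotations

MEDIA_SERVER = "urn:schemas-upnp-org:device:MediaServer"

# Constructed sample SSDP messages as seen on multicast 239.255.255.250:1900.
# Not captured from any real network; addresses and UUIDs are placeholders.
SAMPLE_PACKETS = [
    ("10.0.5.23", "NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
     "NT: urn:schemas-upnp-org:device:MediaServer:1\r\nNTS: ssdp:alive\r\n"
     "LOCATION: http://10.0.5.23:8200/rootDesc.xml\r\n"
     "SERVER: Windows/10 UPnP/1.0 ExampleMediaApp/3.1\r\n"
     "USN: uuid:00000000-0000-0000-0000-000000000001::urn:schemas-upnp-org:device:MediaServer:1\r\n\r\n"),
    ("10.0.5.1", "NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
     "NT: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\nNTS: ssdp:alive\r\n"
     "LOCATION: http://10.0.5.1:49152/gatedesc.xml\r\nSERVER: Linux UPnP/1.0 ExampleRouter/1.0\r\n"
     "USN: uuid:00000000-0000-0000-0000-000000000002::urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n"),
    ("10.0.5.77", "HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"  # reply to an M-SEARCH
     "ST: urn:schemas-upnp-org:device:MediaServer:1\r\n"
     "LOCATION: http://10.0.5.77:2869/upnphost/udhisapi.dll?content=uuid:3\r\n"
     "SERVER: Windows/10 UPnP/1.0 ExampleMediaApp/3.1\r\n"
     "USN: uuid:00000000-0000-0000-0000-000000000003::urn:schemas-upnp-org:device:MediaServer:1\r\n\r\n"),
    ("10.0.5.23", "NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
     "NT: urn:schemas-upnp-org:device:MediaServer:1\r\nNTS: ssdp:byebye\r\n"
     "USN: uuid:00000000-0000-0000-0000-000000000001::urn:schemas-upnp-org:device:MediaServer:1\r\n\r\n"),
]

def parse_ssdp(raw: str) -> dict[str, str]:
    """Return the start line plus header fields; SSDP headers are case-insensitive, so keys are upper-cased."""
    lines = raw.split("\r\n")
    fields = {"START": lines[0].strip()}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)  # split on the first colon only (LOCATION holds a URL)
            fields[key.strip().upper()] = value.strip()
    return fields

def exposed_media_servers(packets: list[tuple[str, str]]) -> dict[str, dict[str, str]]:
    """Track live MediaServer devices by USN; a later ssdp:byebye retires the entry."""
    live: dict[str, dict[str, str]] = {}
    for src_ip, raw in packets:
        f = parse_ssdp(raw)
        device_type = f.get("NT") or f.get("ST", "")  # NOTIFY carries NT, M-SEARCH responses carry ST
        if not device_type.startswith(MEDIA_SERVER):
            continue
        usn = f.get("USN", src_ip)
        if f.get("NTS") == "ssdp:byebye":
            live.pop(usn, None)
        else:
            live[usn] = {"ip": src_ip, "location": f.get("LOCATION", ""), "server": f.get("SERVER", "")}
    return live

if __name__ == "__main__":
    for usn, info in exposed_media_servers(SAMPLE_PACKETS).items():
        print(f"{info['ip']:<12} {info['server']:<40} {info['location']}")
```

Feeding it packets captured by a listener bound to the multicast group gives a running list of which hosts on the Wi-Fi segment are sharing media, which is the list a defender wants to compare against policy.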

During an internal engagement against a heavily secured facility in the industrial/energy sector, I was allowed a restricted workstation (laptop) and low-privilege user credentials.

Ignoring the Ethernet-connected laptop, I used the credentials to connect to the corporate/facility Wi-Fi with a customized Nexus 7 2013 LTE (all of this was within scope of the engagement).

Utilizing an application called ControlDLNA, I was able to browse and download multiple gigabytes of actionable data from an administrator's laptop within the first hour of the engagement.

These findings provided confirmation that an administrator account on at least one network segment connected to the corporate/facility Wi-Fi network; most of the users/accounts with the highest levels of privilege connected to the corporate/facility Wi-Fi connection during that engagement.

Eventually, the administrator connected to the facility Wi-Fi with their company iPhone when they were in a section of the facility that received a poor mobile signal.  An IM/messaging service on their company iPhone used UPnP/UPnP-like protocols that stored the discussions on the device as media files that I was able to access.

This was not shadow IT, as the application in question was loaded on every company iPhone...  Within the first hour of the engagement, I had access to media on this administrator's workstation and their company iPhone due to blind spots in how the organization perceived the threat posed by file sharing/IoT protocols.

Metadata could be extracted from these materials (via tools like ExifTool or FOCA), thereby allowing me to gain personal/private data about the target(s).  For example: by extracting GPS and other geolocation data/tags from photos accessed, I could find or narrow down the physical location of a target's home address.  After locating a target's home address via this metadata, perhaps I could crack the employee's Wi-Fi or access their residence physically to exploit machines in their home.

Perhaps this trespass could lead to spying/surveillance on the employee and their family...  Or implants could be introduced to home electronics in the hopes that they could be taken to work and connected to systems/machines within otherwise inaccessible areas of the facility.

Also, what if someone using this attack had found material on the administrator's/an employee's device(s) that was sensitive, illegal, deeply personal, embarrassing, or could lead to their termination?

Could these materials be leveraged to successfully blackmail the administrator/employee into carrying out physical attacks (maybe via a USB drive or some other physical media) against tightly secured areas within the facility?

Remember, this facility was within the industrial/energy sector.  Historically, these facilities have a high probability of gaining the attention of state actors with sufficient financial means, logistical resources, and motivation to accomplish/attempt the aforementioned attacks.

During the engagement, I also used ControlDLNA to access corporate media shares.  These shares were full of materials that could have proved useful in conducting social engineering attacks, as a source of recon, or as a direct attack vector (example: by encoding payloads into files within the media shares for use in attacks).

This was not an isolated case: I regularly utilize ControlDLNA and other UPnP/IoT applications that allow me to detect and/or interact with protocols/services like Bluetooth and HID appliances.  Digital pickpocketing is one of my go-to techniques.

4.)  The Burning House Principle

Passive reconnaissance is asymmetrical intelligence gathering in a manner that does not directly interact with the resources of your target (an example of these resources is a target's IP space).

I strongly believe in the value of passive reconnaissance.

I believe that in the future, passive reconnaissance will become an absolute necessity where most hacking is concerned for a few reasons:

Basically, you are only likely to enter a burning building if there is something of immense value inside (for this metaphor, the valuables are the objectives of an engagement with the burning building being the engagement environment itself).

The further away from the burning building you are, the further away from harm you are (detection, failing to meet engagement objectives, etc.), yet you are also further away from valuables that you can only retrieve through entering the unpredictable inferno inside the burning house (establishing some manner of session or connection within and/or to the engagement/target environment).

The closer you are to the burning house, the longer you are in the burning house or the further inside the burning house you are, the greater the chance of catastrophic failure.

Once inside, every additional action you are forced to take extends the time you spend amongst the flames, gradually raising the probability of catastrophic failure... and eventually the building is going to collapse (failure could be your means of persistence being detected, being detected by IT before establishing a means of persistence, etc.).

Before you engage a target, you want to gain as much reconnaissance about the target as is possible while maintaining the most minimal chance of incurring detection or catastrophic failure.  If you do not directly engage or connect to any of the target's IP space in some way, the probability of your being detected is as close to zero as possible.

However, once you connect to or engage a target's internal network (entering the burning house), the probability that you will not be detected (and for some hackers prosecuted) never falls back to zero percent again.  In all actuality, once you connect or interact with a target's IP space (even if using Tor or VPN/proxy chaining), the probability you will be detected is also never zero percent again.

Ideally, you want to enter the burning building with as much data as possible and you want to have gained that data while incurring as little risk as possible.  When you finally enter, you want to have a plan, utilizing an economy of action balanced by decisive, effective actions.  Running up and down burning staircases or in and out of the burning building to meet your objectives may not be the best plan.  Why scout the burning building from feet away when you gain the same insight from behind cover?

The point is, once you gain ingress or directly touch a target's IP space, the probability of detection never falls to zero.  Eventually, you will have to (or at least you should) engage the target's IP space manually (this does not mean without obfuscation obviously).

Why not keep that probability low or as close to zero as possible for as long as possible?

5.)  And Finally

I am huge on manually engaging and penetrating networks.  You cannot trust vulnerability scanners or other automated tools, and you shouldn't be trusting them anyway.  My job at work is to find the gaps that these tools do not find - to exploit those holes that the scanner monkeys missed.  I fear that the industry I work in will become saturated by scanner monkeys who "have all the certifications and can run all the tools."

This is not hacking.  Paint by numbers can still be an art like painting if the person moving the brush chooses the colors for themselves and improves on what is set before them.

Hacking is the creative solving of problems.  Our world needs people who can creatively solve problems now more than ever.  Choose your colors and improve what is set before you.
