ratamaq doc
Onslaught Inc RISE of LEGION
Posted - 2014.08.31 16:13:00
**Disclaimer: don't take any of this information and try this at home unless you have full consent of your target.**
Hacking and Hacker tools are only part of the equation. It's more important to understand the entire kill chain of an attack, then you can understand which tool to apply at which stage of the chain.
The chain is: Recon > weaponization > delivery > exploit > install > command and control > action.
As with most things, it's better to start at the beginning and hone your skills in the recon phase. Here, you can use many multi-purpose tools for information gathering that don't always look suspicious because they are not pure 'Hacker Tools'. These include tools like ping, nslookup, whois, and good old Google with advanced search operators. Also, there are other tools that must be installed, but are no less suspicious if used correctly, such as dnsmap, fping, nmap, or Nessus. These tools are used to find out simple information that will prepare you for the next stage of your attack, such as:
What am I attacking (OS level, software running and version)? Where is it located (both geo and network location)? Who owns it (is it a mom-and-pop shop or a corporation that can afford high-end IDS/IPS and staff to support it)? How well is it maintained (can be gathered by looking at both what it is and its forward-facing pages' last update)?
The primary point of recon is to find the soft target. Depending on how soft the target is, you can often skip many other steps in the kill chain, or at least find automated ways to get around them with very little effort. If you are looking to attack a specific target, you will spend most of the time in your recon phase either trying to find that target's weak point or waiting for a zero-day to utilize.
I'll skip weaponization for now because this is the most complicated part, which I myself can only speak to conceptually, but this stage is usually handled outside of the attacker himself and is only obtained. Much like a soldier doesn't actually build his gun.
Delivery is sometimes skill, sometimes luck, sometimes both. It can be a well-crafted email that causes a user to install a tool on their workstation, or an improperly set up web-facing server that allows writes to it.
Install usually goes hand in hand with delivery, but keep in mind that a successful delivery does not equal a successful install. This is the most common place the chain is killed, due to endpoint AV. This is why exploit is between the two. Exploit can mean exploiting the vulnerability you identified in your recon phase, exploiting a user's ignorance, or exploiting a common vulnerability that you only guess, assume, or really just hope is there.
C&C is the first real scary part. At this point you are actually 'there' most of the time. Think of this as the point in a B&E where you're standing in the living room but haven't taken anything yet. You hope that you've reconned well and know that nobody's home, but the owner could still be in the next room holding a .38, or moments away from driving up.
Action is what you do from this point. It's usually either moving files, destruction, or using your current access to gain even higher access for a later attack.
Often overlooked is repudiation. This isn't represented well in the kill chain model, but it is covered in STRIDE. Repudiation can be thought of as covering your tracks, and it is getting harder and harder as companies invest in log aggregator tools like Splunk. Even if you manage to fully own a box as a staging point for other attacks, if it's logging to an aggregator in real time, modding or wiping logs on the box you own isn't going to be enough.
Hope this helps!