They're Coming for Your Tools: Exploiting Design Flaws for Active Intrusion Prevention

Presented at Black Hat USA 2017, July 26, 2017, 10:30 a.m. (25 minutes)

Several popular attack tools and techniques remain effective in the real world, even though they are well understood and documented. Consequently, many attackers and other individuals within the professional penetration testing community have not grown beyond their tools, partially because of the effectiveness of several widely available attack scripts. In this talk, we hope to offer a more active approach toward intrusion prevention that enables defenders to use simple network software applications to seek out these attacks. By using active intrusion detection strategies, administrators can create a situation where attackers who are overly reliant on their tools will expose themselves to detection and other significant complications.<br> <br> The examples developed to demonstrate this approach allow administrators to:<br><ul><li>Hijack other people's shells from the Metasploit Framework's Meterpreter control channel</li><li>Detect and disrupt NBNS/LLMNR injection attacks, such as the attacks made popular by the "Responder" script</li><li>Detect and/or complicate common attacks against wireless networks in multiple ways</li></ul><br> Passive (or mostly passive) intrusion detection and prevention systems have been around for decades. However, these systems can be computationally intensive and their responses rarely go very far. We have implemented methodologies for detecting and disrupting common attacks by generating tailored network traffic. Unlike most expensive "magic box" solutions, lightweight programs targeting real world attack techniques can improve security by using inexpensive embedded hardware.<br> <br> This talk is intended for both defensive and offensive security. Attackers or penetration testers who rely blindly on their toolkits leave themselves vulnerable not only to detection, but also exploitation. Conversely, network administrators can manipulate their own network traffic to detect and complicate several common attacks. Security professionals can use the software written during the course of this research on cheap lightweight (even embedded or virtual) hardware to protect themselves against real world attack scenarios. We hope to inspire others to take this approach and develop more affordable yet effective security solutions. We also hope to demonstrate how penetration testers who rely on mysterious tools without learning how they work endanger themselves.

Presenters:

  • John Ventura - Practice Manager for Applied Research, Optiv Security, Inc.
    John Ventura is the Practice Manager for Applied Research at Optiv, where he works with a talented group of researchers on projects that enhance the security of real world products and services. He has worked across multiple computer security fields, including forensics, network penetration testing, and web application security for a diverse set of clients.

Links:

Similar Presentations: