APT Hacking Core Steps PDF

Summary

This document provides an overview of the stages involved in an APT (Advanced Persistent Threat) hacking attack. It details the core steps of the attack process, including reconnaissance, enumeration, exploitation, maintaining access, cleanup, progression, and exfiltration. The document also covers related topics such as anonymous purchasing and internet activity.

Full Transcript

APT Hacking Core Steps

 There are seven major steps within each phase of
AHM:
 Reconnaissance
 Enumeration
 Exploitation
 Maintaining Access
 Clean up
 Progression
 Exfiltration

 Although these phases are performed in this order, they can be
iterative, and can be performed in a different order, or many
times within one attack
Public
Reconnaissance

 Most critical step for an APT hacker
 Performing proper reconnaissance is one of the core
differences between a smart threat and an advanced threat.
 This phase can not be rushed or undervalued.
 Asan APT hacker, you must take all the time
necessary to fully understand:
 Your target
 Its business
 Its people
 The technologies in place

Public
Enumeration

 Considered the final part of reconnaissance where you
focus on identifying specific details about a particular
piece or system within an organization
 For example, identifying:
 Specific software version
 User name structure
 Responsible parties for specific systems

Public
Exploitation

 It
is the phase everyone’s minds go straight to
when discussing hacking
 Thisis where you take advantage of the vulnerabilities you
have identified in the previous two phases of
reconnaissance and enumeration.
 Itwill typically get you some foothold into a target
organization

 The key to success during the exploitation phase is to
have prepared properly

Public
Clean Up

 Clearing up takes many different forms during an attack
 It may involve cleaning up evidence of successful:
 Exploitation
 Removing evidence of the method used to maintain access to a
system
 Completely removing all traces of enumeration and
reconnaissance

Public
Progression

 Progression can also take on many different forms
 It may be gaining more rights to the system that was
compromised during the exploitation phase
 Or gaining access to more systems on the targeted network
 Some people refer to parts of this phase as:
 Lily-padding
 Leapfrogging
 Pivoting

 In which we use the compromised system to target other systems on the internal
network
 Whatever you call it, progressing deeper into the target organization until we reach our
intended goal or asset presents its own unique challenges

Public
Exfiltration

 As
an APT hacker, you must consider the most effective
way to get the data you need from your target
 Whatever that data is:
 Small as a user name and password to another target system
 Large as a multi-terabyte archive

Public
APT Hacker Attack Phases

 There are five major phases that we will systematically go
through when targeting and attacking a specific organizations:
 Reconnaissance: all available information regarding the target is
obtained and analyzed
 Spear social engineering: specific individuals who are likely to be
exploitable and who are likely to have some level of access to the target
asset are manipulated via purely digital methods into disclosing:
 Sensitive information
 Credentials
 Obtaining remote access to the user’s system

 Digital methods including e-mail, instant messaging systems, USB drives, and
others

Public
APT Hacker Attack Phases

 Remote and wireless: based on reconnaissance data,
remote locations, wireless systems, and remote end
users are targeted due to less restrictive security
controls being in place.
 Wireless networks and wireless vulnerabilities are
targeted to provide as much anonymity as possible
while still within close physical proximity to systems
owned by the target organization.
 End-user wireless clients are also targeted using
specially designed and extensible rogue wireless access
points

Public
Hardware spear-phishing

 Endusers and key physical locations are targeted
using Trojan hardware devices
 Purpose-built
hardware devices that can compromise an
attached computer system or remotely accessible
bugging systems

Public
Physical infiltration

 Target specific physical locations including:
 Facilities owned by the target organization
 Homes of target users
 Remote third-party facilities
 Remote workers at hotel rooms

 We will combine our physical infiltration with attacks designed to
compromise:
 key technical systems
 Bug y physical areas
 Obtain access to intermediate
 Target physical assets

Public
ATP Hacker Foundational Tools

A few tools and techniques will be necessary within
almost every phase of attack
 Primarypurpose of these tools is to maintain as much of
our anonymity as possible
 Ofcourse, in digital world, we always leave small traces
of our existence
 These traces will not only be extremely small, but they
will ultimately lead investigators on a wild goose chase
to a place that will not be associated with us

Public
Anonymous Purchasing

 There will be tools, both digital and physical, that we will need to
purchase
 To keep our purchases anonymous, we have few primary options
besides cash.
 You can purchase any tools or services we need using:
 Credit card gift cards
 Digital currencies

 Credit card gifts cards do not require any personal information for activation,
when checking out, you can simply choose any name and address as the credit
card owner
 Digital currency also known as crypto-currency, such as Bitcoin or Litecoin. They
are made to keep all of your transactions anonymous, and many on-line retailers
are accepting them.

Public
Anonymous Internet Activity

 When performing any activities on the internet, we must
be careful to keep all of our activities anonymous and
untraceable
 We will accomplish this by tunneling all of our
communications through an intermediate system, which
will then appear to be the source of our network
communication
 Three primary technologies:
 Open, free, or vulnerable wireless networks
 Virtual private server pivots
 Web and socks proxy

Public
Anonymous Internet Activity

 The most basic example, we can use an open wireless network to probe and
attack our target organization. The logs in the target server would show the IP
address of the Free_Wifi_Hotspot public IP address
 Another example, by pivoting through a server in London and probing a server in New
York, the logs on the server would show the source coming from London.
 Or pivoting through countries that may be unfriendly to the country of our target
organization. For example, if our target organization is an American company, we could
pivot through servers in China
 We also can chain together as many of these systems as we choose. Thus, to make it as
difficult as possible to trace our activities back to us.

 The purpose is to use these methods to delay investigators for any
unreasonable amount of time, and move to another place.
 These pivot systems can be purchased in another country using the anonymous payment
system we mentioned

Public
Anonymous Phone Calls

 When we specifically need to use phone system for example to perform
reconnaissance by calling individuals or performing social engineering
attacks, we do not want to use a phone that has any connection to us
 You must use a burn phone, a phone used temporarily and then
discarded when we are finished
 They are inexpensive and do not require a contact and are perfect burn
phones
 You also can use the cash or any of the two methods of payments we
mentioned before
 Its is necessary to spoof your caller ID through inexpensive services such
as SpoofCard. Law enforcement can trace the physical location of the user
 There are also Internet-based Voice Over IP (VOIP) system that we
can use to place phone calls.
 There are also hardware – and software-based voice changing
systems that can actually work quite well.

Public
APT Hacker Terms

 Target Asset: our ultimate intended asset at the target
organization (i.e. trade secrets, intellectual property, valuables)
 Intermediate asset: any asset that will help us reach our
intended target asset (e.g., a compromised computer,
compromised phone, bugged phone)
 Beachhead: the first compromised host asset at the target
organization
 Lily Pad: any intermediate asset that is used to progress
toward a target asset
 Pivot: similar to lily pad, a pivot is an intermediate asset to
target an otherwise inaccessible intermediate asset

Public