Week 3

Week 3: [Attack] Summary of Pre-Attack Phase(s) and Start of Attack Phase(s)

Lecture

This week we’ll dedicate the first hour to everything covered in week 1 and 2. The second hour will cover the topic of enumeration/scanning.

We will not be moving into an actual attack phase for the power grid attack. However, for the second half of our scenario a sample site will be used to simulate an attack on the Dominion Power website.

Goals
  • Summarize our first two weeks.
  • Cover nmap and nikto. Discuss being ‘noisy’
  • Cover OWASP Top 10.

Lab

Hour 1: Summary and Practice
Finding your ‘Why’

Attacks happen for a reason. Understanding that reason quickly will help you predict and respond to the various phases of the attacks.

Picking the attack vectors and strategy

Bad actors (even state sponsored ones) will rarely start from scratch. Using previously successful attacks and payloads means campaigns an be conducted more quickly with less exposure.

In our scenario we are emulating the Stuxnet attack in Iran, and the power grid attacks in the Ukraine.

Recon and Profiling Targets

In our example we chose a Dominion Power substation as our target. By googling ‘dominion power software vendor’ we found this link on the second page of results. * http://dvigridsolutions.com/

By looking at the career page we know they employ Field Support Engineers. These engineers should have direct access to various Dominion systems. Our goal is to find an employee that can be compromised. They will then act as our payload courier into a substation.

Conducting Phishing Campaigns
Selection of secondary targets

It’s not a smart idea to use a computer you own to launch attacks. We assume bad actors are at least this smart. For this example we’ll try to find a Wordpress site. Wordpress accounts for > 20% of websites globally. Based on this information we can be reasonablly sure that a few things are true: * There are wordpress instances that are unpatched. * Well developed exploits already exist. * There should be a large number of instances which are online but not actively maintained or reviewed.


  • Finding Wordpress Sites
  • Using IoT Devices Internet of Things (IoT) devices are useful secondary targets to exploit. Some of these include.

    • Devices running on the targets home network
    • Cameras in place near and around our primary target.
    • The Shodan service can be used to find interesting IoT devices.
  • Finding Vulnerabilties Once we have our primary and second targets identified, profiled, and fingerprinted be can begin looking for exploits. The following sites are easy places to start:

Hour 2: Enumeration, Footholds and Web Exploits

Once the (passive) planning and preparation is complete we can start our (active) attack phases.

Since we don’t actually want to attack live sites we will limit our efforts to online tools designed for education and research.