WHO AM I
SHAHEE MIRZA
▪ Co-Founder & Chief Cyber Operations Officer, BEETLES Cyber Security
▪ GIAC Advisory Board Member
▪ ISC2 Unified Body of Knowledge (UBK) - Lead Editor
▪ 20+ Years of Offensive Security Experience
▪ CISSP, GRTP, CISSO, CCISO
AGENDA
• Understanding Offensive Operations
• Case Study of a Notable Operation
• Tactics, Techniques and Procedures (TTPs)
• Key Takeaways
• Source of Knowledge
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
-Sun Tzu | The Art of War
Offensive Operations is the art and science of thinking like an attacker to strengthen defense. It goes beyond vulnerability scanning or penetration testing. It is about emulating real adversaries, understanding how they move through networks, and uncovering the blind spots defenders miss.
In simple terms, it is ethical hacking with a purpose. The goal is to identify, exploit, and demonstrate risks before real attackers do.
NETWORK: COMMON ATTACK VECTORS
INITIAL ACCESS POINT
• Phishing Attacks: Use of spear-phishing emails to gain initial access
• Supply Chain Attacks: Compromising trusted vendors to infiltrate systems
• Removable Media: Introduction of malware via USB drives
LATERAL MOVEMENT
• Network Traversal: Moving from corporate IT networks to OT environments
• Exploiting Vulnerabilities: Leveraging unpatched systems and weak configurations
SlingRing Bypass
• SlingRing can bypass portal-based WiFi network authentication.
• Once connected, we land in the internal network.
• We scan the network to identify potential victims.
Printer Discovery & Abuse
• We found a network printer.
• Printers often do not respect Group Policy Objects (GPOs).
• Modern printers can access file shares, send notification emails through the Embedded Web Service (EWS), etc.
• Often not protected by EDRs and not well monitored by IDS.
• Often left with default credentials.
• Once we gain access to the administrative console, many attacks can be carried out.
LDAP Redirection
• LDAP helps the printer look up email addresses or allows access to files on the network.
• The printer needs login credentials to access LDAP.
• We changed the LDAP server location to point to our rogue server IP.
Rogue LDAP Server
• We set up a rogue LDAP server.
• We clicked “Test Connection”, which is used to verify connectivity and authentication between the printer and the LDAP server.
• Our rogue server captures the LDAP credential in its debug output.
Certificate Service Misconfiguration
• We found the AD CS service.
• We found a vulnerable certificate service configuration in AD.
• We used the credential against the vulnerable certificate service to forge a new certificate for an AD admin user.
Domain Admin Takeover
• Certificate used to authenticate as AD Admin
• Dumped NTLM hashes & achieved full domain control
Defensive Takeaways
• Monitor Guest Wi-Fi segmentation & logs
• Enforce least privilege and admin separation with dedicated jump hosts.
• Require multifactor authentication for all admin consoles and network devices.
• Harden Active Directory and AD CS enrollment rules.
• Centralize and protect logs with immutability and rapid alerting.
• Use EDR plus network detection to correlate host and network anomalies.
• Apply strict egress control and DLP to detect covert exfiltration.
• Run regular Red Team exercises and simulate these attack paths.
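Two of the takeaways above (monitoring guest Wi-Fi segmentation and correlating network anomalies) applied to the case-study path, where a guest Wi-Fi client reached the internal network and a printer's LDAP setting was redirected to a rogue server. This is an added detection example, not code from the original slides; the subnets, printer IP, domain-controller IPs and flow log lines are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed, hypothetical network inventory (not from the slides).
GUEST_WIFI = ipaddress.ip_network("10.99.0.0/16")       # captive-portal guest Wi-Fi
INTERNAL = [ipaddress.ip_network("10.10.0.0/16")]        # corporate ranges
APPROVED_LDAP = {"10.10.1.5", "10.10.1.6"}               # the only legitimate LDAP servers (DCs)
PRINTERS = {"10.10.40.21"}                               # inventoried printers / MFPs
LDAP_PORTS = {389, 636, 3268, 3269}                      # LDAP, LDAPS, Global Catalog


@dataclass
class Flow:
    src: str
    dst: str
    dport: int


def check_flow(flow):
    """Return alert strings for one flow; empty list when the flow is benign."""
    alerts = []
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    # Rule 1: a guest Wi-Fi client reaching an internal range means the
    # guest segmentation (captive portal / VLAN) has been bypassed.
    if src in GUEST_WIFI and any(dst in net for net in INTERNAL):
        alerts.append(f"guest-to-internal {flow.src}->{flow.dst}:{flow.dport}")
    # Rule 2: a printer speaking LDAP to anything other than an approved DC
    # is the signature of a redirected LDAP setting (credential capture risk).
    if flow.src in PRINTERS and flow.dport in LDAP_PORTS and flow.dst not in APPROVED_LDAP:
        alerts.append(f"printer-ldap-to-unknown {flow.src}->{flow.dst}:{flow.dport}")
    return alerts


def scan(lines):
    """Parse constructed 'src dst dport' flow lines and return every alert raised."""
    alerts = []
    for line in lines:
        src, dst, dport = line.split()
        alerts.extend(check_flow(Flow(src, dst, int(dport))))
    return alerts


# Constructed sample flow log: normal traffic plus the two suspicious events.
SAMPLE_LOG = [
    "10.10.40.21 10.10.1.5 389",    # printer -> approved DC: fine
    "10.10.50.8 10.10.1.5 389",     # workstation -> DC: fine
    "10.99.3.17 10.10.40.21 80",    # guest Wi-Fi client -> internal printer web UI
    "10.10.40.21 10.99.3.17 389",   # printer -> LDAP server on guest Wi-Fi (rogue)
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

In production the same two rules would run over firewall or NetFlow/Zeek connection records, with the printer and DC lists fed from the asset inventory rather than hard-coded.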