Your SlideShare is downloading. ×
0
Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved.Proprietary and Confidential. D...
Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved.
• Husband & Father
• Accuvant ...
Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved.
• Penetration Testing == Offen...
Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved.
• Wikipedia Definition:
• “a m...
Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved.
The All Powerful Shell
• What ...
Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved.
• We‟ve been uploading shells ...
Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved.
Why bother with a shell in the...
Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved.
The Answer Is DCE/RPC
Distribu...
Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved.
Enter ‘psexec.rb’
• /exploit/w...
Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved.
DCERPC Requests:
The dcerpc.ca...
Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved.
• This is what it looks like i...
Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved.
• This is the format accepted ...
Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved.
• lpBinaryPathName [in, option...
Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved.
In order to provide accessibil...
Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved.
Command Execution
Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved.
• Current methods for dumping ...
Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved.
1. Authenticate to the system ...
Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved.
Local & Cached Hash Extraction...
Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved.
• The holy grail of most netwo...
Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved.
We can use the psexec_ntdsgrab...
Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved.
• We‟ll need to use the „libes...
Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved.
• Uploading a binary shell to ...
Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved.
Any Questions?
10/9/201322
Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved.
So, You Want To Be A “Security...
Upcoming SlideShare
Loading in...5
×

So you want to be a security expert

443

Published on

Talk from Texas State University Cyber Security Awareness Day.

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
443
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
11
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide
  • 1.) My definition of a pen test is…2.)
  • Transition into what can we do with a shell, why upload one in the first place?
  • Transcript of "So you want to be a security expert"

    1. 1. Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved.Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved. So, You Want To Be A “Security Expert” Fun Tools For Penetration Testing
    2. 2. Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved. • Husband & Father • Accuvant LABS: Senior Consultant • (A.K.A Pen Tester) • Cofounder: http://www.pentestgeek.com • Author: jigsaw.rb • Twitter: @R3dy__ Who Is Royce Davis?
    3. 3. Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved. • Penetration Testing == Offensive Security • Uploading Shells Is No Good • Techniques to avoid shell upload • Metasploit Modules • Command execution • Local & Cached hash dumping • Fun With Domain Controllers What Are You Talking About?
    4. 4. Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved. • Wikipedia Definition: • “a method of evaluating computer and network security by simulating an attack on a computer system or network from external and internal threats.” What Is A Pen Test? Not that kind of pen…
    5. 5. Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved. The All Powerful Shell • What is a shell exactly?
    6. 6. Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved. • We‟ve been uploading shells to take control of remote hosts since the beginning of time so what‟s the big deal? • Shells contain binary signatures that can be recognized and blocked • Obfuscation only creates a different signature • Shells can die leaving us with no way back in • They can also leave remnants of themselves Uploading Shells Is No Good
    7. 7. Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved. Why bother with a shell in the first place? • Command execution • Search the file system • Create users • Enumerate network resources • Upload/download files • Etc… • Grab local/cached password hashes • Dump all AD hashes from the DC • “password” = 8846f7eaee8fb117ad06bdd830b7586c • How can we do stuff without a shell??? What Can We Do With A Shell?
    8. 8. Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved. The Answer Is DCE/RPC Distributed Computing Environment / Remote Procedure Calls Book: DCE/RPC Over SMB – SAMBA and Windows NT* Domain Internals Author: Luke Kenneth Casson Leighton • Remotely interact with Windows API • Supported by all versions of Windows • Often left unsecured
    9. 9. Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved. Enter ‘psexec.rb’ • /exploit/windows/smb/psexec.rb • Creates & Uploads a binary payload to the target over SMB • Sends an RPC to the Service Control Manager (SCM) • UUID: „367abb81-9844-35f1-ad32-98f038001003‟ • Creates a service, starts it, cleans up after… • MSDN Documentation • http://msdn.microsoft.com/en- us/library/windows/desktop/ms685942%28v=vs.85%29.aspx Using Native Windows Functions
    10. 10. Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved. DCERPC Requests: The dcerpc.call instance method takes in two parameters. The first parameter is the opcode reference to the particular Windows function you wish to call. The second parameter is the function arguments in NDR (Network Data Representation) Format. • dcerpc.call(0x0f, stubdata) – OpenSCManager • dcerpc.call(0x0c, stubdata) – CreateService • dcerpc.call(0x0, svc_handle) – CloseServiceHandle • dcerpc.call(0x10, stubdata) – OpenService • dcerpc.call(0x13, stubdata) – StartService • dcerpc.call(0x02, stubdata) – DeleteService • dcerpc.call(0x0, svc_handle) - CloseServiceHandle Inside psexec.rb
    11. 11. Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved. • This is what it looks like inside Metasploit‟s psexec exploit module written by HDM Psexec.rb Cont. exploit/windows/smb/psexec.rb (line 254)
    12. 12. Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved. • This is the format accepted by the CreateService function • http://msdn.microsoft.com/en-us/library/windows/desktop/ms682450%28v=vs.85%29.aspx CreateService Windows Func.
    13. 13. Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved. • lpBinaryPathName [in, optional] • The fully qualified path to the service binary file. If the path contains a space, it must be quoted so that it is correctly interpreted. For example, "d:my sharemyservice.exe" should be specified as ""d:my sharemyservice.exe"". • The path can also include arguments for an auto-start service. For example, "d:mysharemyservice.exe arg1 arg2". These arguments are passed to the service entry point (typically the main function). • If you specify a path on another computer, the share must be accessible by the computer account of the local computer because this is the security context used in the remote call. However, this requirement allows any potential vulnerabilities in the remote computer to affect the local computer. Therefore, it is best to use a local file. • psexec.rb looks like this: • C:HjeKOplsYutVmBWn.exe  Probably a Meterpreter payload • What if we tried this instead: • C:windowssystem32cmd.exe /C echo dir C: ^> outputfile.txt > launchfile.bat & C:windowssystem32cmd.exe /C launchfile.bat” lpBinaryPathName MSDN Definition
    14. 14. Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved. In order to provide accessibility to this functionality for other modules we created a mixin which has been graciously accepted into the MSF. lib/msf/core/exploit/smb/psexec.rb • Slightly modified version of the original psexec.rb code wrapped in a function which excepts a Windows command in the following format: • [PATH TO cmd.exe] [/C] [INSERT WINDOWS COMMAND] • The method is called like so „return psexec(command)‟ • Returns „true‟ if execution was successful • Major difference is it does not try to delete cmd.exe after execution • Also contains a „smb_read_file(smbshare, host, file)‟ method for convenient retrieval of command output The Psexec Mixin
    15. 15. Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved. Command Execution
    16. 16. Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved. • Current methods for dumping password hashes • Post modules that require a meterpreter shell • Upload a standalone binary like pwdump/fgdump… • These methods extract specific registry key values from the SYSTEM, SECURITY, and/or SAM registry hive (This process can flag antivirus) • We need to somehow retrieve a copy of the registry hives and extract the hashes from them offline Dumping Password Hashes
    17. 17. Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved. 1. Authenticate to the system using a password/hash 2. Use the psexec mixin to execute the following Windows Commands: • reg.exe save HKLMSAM c:windowstempsam • reg.exe save HKLMSYSTEM c:windowstempsys • reg.exe save HKLMSECURITY c:windowstempsec 3. Download the registry hive copies to our attacking machine 4. Remove the registry hive copies from the target 5. Open the registry hive copies on our attacking machine and extract the password hashes Offline Password Hash Dumping
    18. 18. Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved. Local & Cached Hash Extraction • Local Hashes • Domain Cached Hashes
    19. 19. Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved. • The holy grail of most network pentests can be found inside an ESE (Extensible Storage Engine) database called NTDS.dit located on the Domain Controller • Protected by operating system • Requires inject into lsass and/or other black magics • Contains a BOAT LOAD of information about the system • Including password hashes and usernames for all AD accounts! Dumping All the Hashes
    20. 20. Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved. We can use the psexec_ntdsgrab module to create or target an existing VSC (Volume Shadow Copy) and safely pull down a copy of NTDS.dit to our attacking machine. auxiliary/admin/smb/psexec_ntdsgrab.rb 1. Use psexec mixin to execute windows commands for creating a VSC • vssadmin create shadow /For=%SYSTEMDRIVE% 2. Query vssadmin for the path to the newly created VSC • vssadmin list shadows 3. Copy NTDS.dit from the VSC to the WINDOWSTemp directory • copy /Y ?GLOBALROOTDeviceHarddiskVolumeShadowCopy1WINDOWSNTDSNTDS.dit C:WINDOWSTempntds 4. Use reg.exe to make a copy of the SYSTEM registry hive 5. Download the „ntds‟ and „sys‟ files to attacking machine 6. Cleanup after ourselves Enter psexec_ntdsgrab.rb
    21. 21. Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved. • We‟ll need to use the „libesedb‟ C library to extract the right tables from NTDS.dit • $ wget https://libesedb.googlecode.com/files/libesedb-alpha-20120102.tar.gz$ • $ tar xvzf libesedb-alpha-20120102.tar.gz • $ cd libesedb-20120102/ • $ ./configure • $ make && make install • Once libesedb is compiled we will use esedbexport located in the „libesedb-20120102/esedbtools‟ to export the datatable which contains the user account password hashes for AD • http://www.pentestgeek.com/2012/11/16/dumping-domain- password-hashes-using-metasploit-ntds_hashextract-rb/ Getting What We Want From NTDS.dit
    22. 22. Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved. • Uploading a binary shell to the target can be harmful to a penetration test • DCERPC allows us to do a lot of the functions we would ask of a binary shell without uploading one to the target • Metasploit modules already exist to achieve remote command execution, grab local/cached password hashes and dump AD hashes from a DC • The sky is the limit as to what else we could do if we all chose to adapt this style of thinking Closing
    23. 23. Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved. Any Questions? 10/9/201322
    24. 24. Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved. So, You Want To Be A “Security Expert” 10/9/201323 Thank You! Royce Davis Accuvant LABS Senior Consultant – Attack & Pen Team royce.e.davis@gmail.com http://www.pentestgeek.com @R3dy__
    1. A particular slide catching your eye?

      Clipping is a handy way to collect important slides you want to go back to later.

    ×