Breadcrumbs to Loaves: BSides Austin '17

Breadcrumbs to Loaves: How tidbits of Information Lead Us to Full-Scale Compromise. Presented at BSides Austin 2017. Follow on Twitter: @arvanaghi

Often on red teams, there is no obvious path to compromising the environment. Reconnaissance efforts, both external and internal, may yield only crumbs of information. Though tiny and often in obscure locations, these bits of information can serve as a trail of breadcrumbs to full-scale compromise. Specific keys in the Windows Registry and unusual sources of open-source intelligence gathering can provide valuable information about a network mapping that most companies don’t know exist. We walk you step-by-step through what some of these crumbs are, how to find them, and how we have used tiny bits of information to escalate our privileges to full-scale enterprise compromise.

  1. Copyright © FireEye, Inc. All rights reserved. Brandon Arvanaghi (@arvanaghi). Breadcrumbs to Loaves: How Tidbits of Information Lead Us to Full-Scale Compromise
  2. Brandon Arvanaghi (@arvanaghi) • Security Consultant at Mandiant • Webshell detection, post-exploitation, sandbox detection tools • Researched automated attack plan generation at Vanderbilt University
  3. Breadcrumbs • Small, seemingly benign or irrelevant pieces of information that can lead to major exploitation • Types of breadcrumbs: • Open Source Intelligence Gathering (OSINT)/External • Wireless • Internal (physical connection) • Post-exploitation – bulk of talk • SessionGopher – tool I developed to discover Unix systems and jump boxes: https://github.com/fireeye/SessionGopher
  4. OSINT/EXTERNAL BREADCRUMBS
  5. Crumb #1: SPF Records • Sender Policy Framework • You own example.com • Problem: spoofing emails from @example.com is easily done by creating a mail server and modifying headers • Solution: SPF record in example.com’s DNS zone. Says “you should only see emails from @example.com from the following IP addresses: …” • Recipients now automatically check with example.com’s DNS servers whether the email’s source IP is in the SPF record
  6. Crumb #1: SPF Records • As an attacker, SPF records provide insight into third parties • Sometimes, companies want third parties to be able to send mail on their behalf • E.g. example of LinkedIn trusting DocuSign to send emails from • https://community.rapid7.com/community/infosec/blog/2015/02/23/osint-through-sender-policy-framework-spf-records • https://hackertarget.com/quietly-mapping-the-network-attack-surface/
  7. Crumb #2: Subsidiaries • Company only as strong as its weakest link • Mergers and acquisitions • Due diligence • Cyber insurance
  8. (image-only slide)
  9. Crumb #3: Unauthenticated SMTP Server • If port 25 (SMTP) is open on a remote host, you may be able to send unauthenticated mail from that server to internal employees • Without authentication, you can spoof any internal email address! http://stackoverflow.com/questions/11046135/how-to-send-email-using-simple-smtp-commands-via-gmail
  10. INTERNAL BREADCRUMBS
  11. Crumb #1: LLMNR • LLMNR = Link-Local Multicast Name Resolution • Hosts on the same link (subnet) can resolve name queries among themselves, as opposed to relying only on the DNS server • Peer-to-peer, decentralized • Fast • Multicast • Implicitly trusts everyone • Responder by SpiderLabs
  12. Unicast Example (diagram): the PC sends a standard DNS query to the DNS server
  13. Unicast Example (diagram): the DNS server answers 10.0.30.15; the PC says “Great! I’m coming to: 10.0.30.15”
  14. Unicast Example (diagram): the PC reaches 10.0.30.15 ✅
  15. Multicast Example (diagram, LLMNR): the PC asks “Hi everyone! Where’s confluence.corp.com?”; another host answers “That’s me! 10.1.40.15, come over!”
  16. Multicast Example (diagram, LLMNR): the PC says “Great! I’m coming to: 10.1.40.15”
  17. Multicast Example (diagram, LLMNR): the PC connects to 10.1.40.15
  18. Crumb #2: IT HelpDesk/Intranet • Company helpdesk sites often lack authentication • Real examples from engagements: • “Our point of sale terminals can be accessed from Win7-Client1, Win7-Client2, and Win7-Client3” • Excel file storing Unix system passwords
  19. Crumb #2: IT HelpDesk/Intranet 1. Nmap scan across subnets 2. Run EyeWitness by Christopher Truncer
  20. Crumb #3: Anonymous Shares • Publicly available shared folders that do not require any form of authentication • Often out of perceived necessity • Contractors, vendors • Result: plaintext password files
  21. Crumb #4: When Hostnames Make Sense • Use PowerView or ADExplorer to get lists of hostnames • Nonintrusive way to understand the role of each system without doing Nmap scans • SQLWIN7.CORP.COM • MAIL01.CORP.COM • MEDIA-BKUP.CORP.COM
  22. WIRELESS BREADCRUMBS
  23. Crumb #1: Guest Network Host Visibility • Guest networks should be segregated. This is not always done properly. • Visible hosts with visible services can lead to lateral movement onto the corporate network • Pivot!
  24. Crumb #2: Remembered Networks • Your device probes for every single access point it remembers having associated with • Yells out known SSID names indiscriminately • WiFi Pineapple responds to any probe, automatically connecting you • Directs your traffic to the internet while reading all unencrypted traffic • Quietly changes HTTPS requests to HTTP
  25. Remembered Networks: Real Mandiant Engagement (image-only slide)
  26. Remembered Networks: Real Mandiant Engagement (image-only slide)
  27. Remembered Networks: Real Mandiant Engagement (diagram: associated!)
  28. Remembered Networks: Real Mandiant Engagement (diagram: associated! Visible to two different networks. PsExec, WMIExec, etc.)
  29. (image-only slide)
  30. POST-EXPLOITATION • SessionGopher: Finding Unix Systems and Jump Boxes • https://github.com/fireeye/SessionGopher
  31. The Registry • On many engagements, consultants are tasked with exploiting Unix systems • Intellectual property on MacBook Pros • Point of sale terminals running Linux • Etc. • Often not domain-joined! • Would be so much easier if they were • Use PowerView • How can we find & exploit them?
  32. The Registry • Current methodology: 1. Nmap for live hosts not found in Active Directory a. Open Unix ports 2. netstat on domain-joined systems, look for active connections over Unix ports 3. Search Active Directory for groups like “Linux Admins” & “Mac Admins” a. Find their members’ workstations, active sessions • Methodology relies on luck and active sessions. Better way?
  33. The Registry • HKEY_USERS • Persistent storage of saved sessions for any user who has logged in! • Users don’t have to be currently logged in • Though Unix systems are not domain-joined, they are often managed by domain-joined Windows systems • Valuable artifacts on these hosts • Solves our “active session” problem • But what can we find in this magical hive that helps us exploit Unix systems?
  34. The Registry (image-only slide)
  35. Solution 1. Find artifacts left by tools typically used to access Unix systems. 2. If they exist, then saved sessions might exist. Extract ’em.
  36. Tools • WinSCP • FileZilla • PuTTY • SuperPuTTY • VNC • RDP • More!
  37. Paths to Sessions Stored in Registry • PuTTY • HKEY_USERS\<SID>\SOFTWARE\SimonTatham\PuTTY\Sessions • WinSCP • HKEY_USERS\<SID>\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions • Microsoft Remote Desktop • HKEY_USERS\<SID>\SOFTWARE\Microsoft\Terminal Server Client\Servers • Non-registry (assumes filename/location unchanged) • FileZilla • <Drive>:\Users\<Username>\AppData\Roaming\FileZilla\sitemanager.xml • SuperPuTTY • <Drive>:\Users\<Username>\Documents\SuperPuTTY\Sessions.xml
  38. WinSCP • HKEY_USERS\<SID>\Software\Martin Prikryl\WinSCP 2\Sessions\<SessionName> • HKEY_USERS\<SID>\Software\Martin Prikryl\WinSCP 2\Configuration\Security
  39. (image-only slide)
  40. WinSCP (image-only slide)
  41. Paths to Sessions • HKEY_USERS\<SID>\SOFTWARE\Microsoft\Terminal Server Client\Default
  42. FileZilla • <Drive>:\Users\<Username>\AppData\Roaming\FileZilla\SiteManager.xml
  43. SuperPuTTY • <Drive>:\Users\<Username>\Documents\SuperPuTTY\Sessions.xml • ExtraArgs field can contain plaintext password
  44. PuTTY .ppk Files • One-click PuTTY logins • Key can be plaintext (as in here) or encrypted
  45. Microsoft .rdp Files • Executable, can be read by dragging into a text editor • Plethora of arguments, many optional • Host, if admin, prompt for credentials, etc. • Fieldname:TypeOfField:Value • TypeOfField = Integer or String
  46. (image-only slide)
  47. (image-only slide)
  48. Windows Management Instrumentation (WMI) • Rather than running SessionGopher on each computer (impractical), we can use WMI • Built-in “Invoke-WmiMethod” command in PowerShell • Remote registry querying ability
  49. (image-only slide)
  50. Write to CSV (Invoke-SessionGopher -o) • Create a physical mapping of the network • Aggregate all session data across the entire domain or targeted computers • Essentially, see the physical infrastructure of the network!
  51. QUESTIONS? • Twitter: @arvanaghi • GitHub: https://github.com/fireeye/SessionGopher • Brandon Arvanaghi
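Added example for the SPF breadcrumb on slides 5 and 6 (this is not code from the talk or from SessionGopher): a parser for the mechanisms of an SPF TXT record that lists which third parties a domain authorises to send its mail, written from the domain owner's side so you can review what an outsider learns from your own record. The record and the included domains below are constructed placeholders.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample record; the included domains are placeholders, not real senders.
SAMPLE_SPF = ("v=spf1 ip4:203.0.113.0/24 a mx "
              "include:_spf.mailer-one.test include:spf.esign-vendor.test ~all")

QUALIFIERS = "+-~?"   # pass, fail, softfail, neutral


@dataclass
class SpfSummary:
    ip_ranges: List[str] = field(default_factory=list)      # ip4:/ip6: mechanisms
    own_hosts: List[str] = field(default_factory=list)      # a, mx, ptr, exists terms
    third_parties: List[str] = field(default_factory=list)  # include: and redirect=
    all_qualifier: Optional[str] = None                     # qualifier on the final 'all'


def parse_spf(record: str) -> SpfSummary:
    """Split a TXT record into the sender sources it authorises."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    s = SpfSummary()
    for term in terms[1:]:
        # Modifiers are name=value; redirect= hands the whole check to another domain.
        mod = re.fullmatch(r"(?i)(redirect|exp)=(\S+)", term)
        if mod:
            if mod.group(1).lower() == "redirect":
                s.third_parties.append(mod.group(2))
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        head, _, value = term.partition(":")      # e.g. ip4 : 203.0.113.0/24
        name = head.split("/", 1)[0].lower()      # strip a CIDR suffix on a/mx
        if name == "all":
            s.all_qualifier = qualifier
        elif name in ("ip4", "ip6"):
            s.ip_ranges.append(value)
        elif name == "include":
            s.third_parties.append(value)
        elif name in ("a", "mx", "ptr", "exists"):
            s.own_hosts.append(term)
        else:
            raise ValueError(f"unknown SPF term: {term}")
    return s


def spf_findings(record: str) -> List[str]:
    """Audit points for the domain owner: who else may send as you, and is the default a reject."""
    s = parse_spf(record)
    out = [f"third party may send mail as this domain: {d}" for d in s.third_parties]
    if s.all_qualifier in (None, "+", "?"):
        out.append("unlisted senders are not rejected (no 'all', '+all' or '?all')")
    return out
```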

Editor's Notes

  • SessionGopher: https://github.com/fireeye/SessionGopher
  • https://community.rapid7.com/community/infosec/blog/2015/02/23/osint-through-sender-policy-framework-spf-records

    The receiving mail server automatically checks the SPF record for the domain, if one exists.
  • Social engineering opportunities arise from seeing third-party relationships all from a DNS record!
  • SEC form 10-K, exhibit 21. Form that discloses a company’s subsidiaries.

    Primary target for attacking a large organization: small, lesser-known subsidiaries.
  • Command-line syntax:
    HELO <domain>: prepares the SMTP server for use
    MAIL FROM <email address>: mail sender
    RCPT TO <email address>: mail recipient
    DATA: message headers (from, to, subject) and content

    Image source: http://stackoverflow.com/questions/11046135/how-to-send-email-using-simple-smtp-commands-via-gmail
  • Source: http://www.myintranetdashboard.com/graphics/screen2b.gif
  • EyeWitness by Christopher Truncer: https://github.com/ChrisTruncer/EyeWitness

    EyeWitness automatically screenshots all HTTP/HTTPS ports discovered by Nmap for you, and makes an attempt at classifying the kind of site it is. When EyeWitness recognizes a credentialed page, it will provide you the default credentials typically used for that service.

    Photo taken from https://www.christophertruncer.com/eyewitness-triage-tool/
  • Wired-in network on the left with Ethernet. These hosts should, in theory, not be visible to any system not physically connected to their network. Security guards at the door, physical access controls, monitoring all wall ports, etc.
  • On one of our engagements, we saw the physically-connected computers were still probing for remembered SSIDs because they had their WiFi turned on. Most people do not turn off their WiFi even when they are wired in, which can make them visible to the outside world!
  • We spoofed the “gogoinflight” SSID and established an association between our TP-Link access point and the system. Now, we could see the system on our own spoofed subnet, see what services it was running, and run tools against it.
  • By running Responder or a social engineering campaign, we could use PsExec or WMIExec to exploit that system from our new subnet. Once we’ve gained access to that system, we could pivot to the wired internal network, since it is dual-homed!

    Essentially, we get access to the same wired-in benefits as any system physically connected. Despite this company not having any remote portal access or VPN, this physical security measure failed due to keeping WiFi enabled.
  • System Preferences > Network > Advanced

    Used to be such that a more “preferred” association would make you drop your current association! E.g. if you are connected to CompanyWiFi, but had gogoinflight as a more preferred network and a gogoinflight SSID appeared, your system would automatically switch!
  • https://github.com/fireeye/SessionGopher
  • SID structure: S-1-5-21-Domain-User
    Query all these for domain users who have logged on!

    The Registry has both volatile and static data. As an example, HKEY_LOCAL_MACHINE\HARDWARE fills its subkeys at boot time after analyzing the hardware under the Windows system.

    HKEY_USERS has persistent information about domain users who have logged onto a system. HKEY_CURRENT_USER is actually a symlink to the HKEY_USERS subkey of the currently logged in user!


  • Persistent artifacts from all these tools can help get a network mapping not just for Unix systems, but also jump boxes. Jump boxes can be difficult to find, but when extracting all saved RDP sessions from each host, you can see to where these servers RDP. Once you find a saved RDP session with a hostname you know to be a segmented environment, you know which server can communicate with that host!
  • The saved password string above for WinSCP sessions is not encrypted by default. That is obfuscation, and it is easily reversible. The “key” is the session hostname + username.

    The password will only be encrypted when the “UseMasterPassword” value in the second registry subkey is set to 1. If this is set, then you can only extract the encrypted password, and attempt to bruteforce it.
  • As seen here, WinSCP’s password obfuscation algorithm uses a sequence of bitwise operations that is xor’d with a magic value. The password obfuscation algorithm has been reverse engineered across several languages, but never before in PowerShell.
  • SessionGopher’s built-in WinSCP deobfuscator
  • HKEY_USERS\<SID>\SOFTWARE\Microsoft\Terminal Server Client\Default contains most recent RDP attempts
  • FileZilla stores its password in an XML file, not in the registry. By default, the saved password is only base-64 encoded, and not encrypted.
  • SuperPuTTY is used to manage simultaneous PuTTY sessions, and has the added benefit of storing passwords for one-click SSH sessions. PuTTY does not store passwords, so many clients use SuperPuTTY as a wrapper.

    SuperPuTTY sessions are saved in a Sessions.xml file, and not in the registry. The password gets placed in the “ExtraArgs” argument, which can contain a multitude of additional arguments. SuperPuTTY interprets anything following “-pw” as the password argument for the SSH session.
  • Stored sessions as .rdp files can be used for one-click logins. These files are executable and can also be dragged into a text editor like Sublime Text and read.
  • SessionGopher synthesizes the .ppk and .rdp files and makes sense of them. It returns the private key, private MAC, and whether or not the key is encrypted.
  • . .\SessionGopher.ps1
    Invoke-SessionGopher -Thorough
  • Invoke-WmiMethod allows you to use WMI to read the remote registry of a different system using the -Class ‘StdRegProv’. From your own attack computer connected to the network, you can read the persistent registry artifacts of HKEY_USERS for each box using WMI. Quiet, quick, and effective!


  • Invoke-SessionGopher -iL inputlist.txt
    Invoke-SessionGopher -AllDomain
    Invoke-SessionGopher -Target winbox.company.com

    After running SessionGopher across a domain or set of computers, you will essentially have a network mapping of the entire corporate infrastructure! Jump boxes, Unix systems, and other non-domain hosts should all be revealed to you along with the path to get there.
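Added example for the .rdp file format on slide 45 and the jump-box mapping described in the notes above (this is not code from the talk or from SessionGopher): a parser for the Fieldname:Type:Value lines of a saved session that turns each file into one inventory row a defender can review (target host and port, account, whether a password was saved alongside). The field names are the ones mstsc writes; the sample session and its “password 51” blob are constructed, and reading the file with its real encoding (mstsc often writes UTF-16) is assumed to have happened already.

```python
from dataclasses import dataclass
from typing import Any, Dict, Optional

# Constructed sample session; the "password 51" blob is a placeholder, not a real one.
SAMPLE_RDP = """\
full address:s:jump01.corp.example:3389
administrative session:i:1
prompt for credentials:i:0
username:s:CORP\\svc_admin
password 51:b:0100000000c0ffee
"""

def parse_rdp(text: str) -> Dict[str, Any]:
    # Each line is Fieldname:Type:Value with Type i (integer), s (string) or b (hex bytes).
    fields: Dict[str, Any] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":", 2)     # the value may itself contain ':' (host:port)
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: not Fieldname:Type:Value")
        name, ftype, value = parts
        if ftype == "i":
            fields[name] = int(value)
        elif ftype == "s":
            fields[name] = value
        elif ftype == "b":
            fields[name] = bytes.fromhex(value)
        else:
            raise ValueError(f"line {lineno}: unknown field type {ftype!r}")
    return fields

@dataclass
class RdpSession:                      # one inventory row per saved session
    host: str
    port: int
    username: Optional[str]
    admin_session: bool
    prompts_for_credentials: bool
    has_saved_password: bool

def summarize_rdp(text: str) -> RdpSession:
    f = parse_rdp(text)
    host, _, port = f.get("full address", "").rpartition(":")
    if not host:                       # no explicit port: rpartition put it all in 'port'
        host, port = port, "3389"
    return RdpSession(
        host=host,
        port=int(port),
        username=f.get("username"),
        admin_session=bool(f.get("administrative session", 0)),
        prompts_for_credentials=bool(f.get("prompt for credentials", 0)),
        has_saved_password=bool(f.get("password 51")),   # presence only; not decoded
    )
```

Run over every user's Documents and Desktop folders, the rows give the same host-to-host map the notes describe, plus which sessions carry a saved secret.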
