A scenario on basic incident response and showing how Microsoft uses a service that automatically creates a Man in the Middle incident. It also covers an overview on some inherent tools and how to use them for security operations

1. How Microsoft Will
MiTM Your Network
And how to use tools
without a toolkit!

2. 601 AOC / 101 ACOMS
Tyndall AFB, FL
Active Defense - July 2017
(FY18 Pathfinders)
(FY19 Pathfinders)
Brandon DeVault
GCIA, GCED, Sec+

3. Aaron Rosenmund - @Arosenmund
aaron.rosenmund@gmail.com
https://github.com/arosenmund
https://www.pluralsight.com/profile/author/aaron-rosenmund

4. Overview
Event Scenario & Discovery
Microsoft Wake-Up Proxy Service
Tools that aren't tools?
Key Takeaways

5. Scenario Details
- Upgrading Windows XP to 7!
- 3 or more Windows 7 Machines
- Offending MACs matched peer Win 7 devices
- Reoccurred in unpredictable patterns
- Occurred after the post install script
- Related to the SCCM agent?
Layer 2 Switch
00:00:0A 00:00:0B 00:00:0C

6. Netstat - Scenario
“netstat –ano”
UDP [IP]:25536 *:* 3480

8. Tasklist - Scenario
“tasklist /svc /fi “PID eq 3480”
svchost.exe 3480 ConfigMgr Wake-up Proxy

9. Using PowerShell and WMI - Scenario
• “get –wmiobject -class win32_service |
?($_.name -like “ConfigMgr Wake-up Proxy”)” |
select *”
PathName : “C:windowsCCMSleepAgentService.exe”

10. Log Files
• <![LOG[Not becoming a guardian because we are the only machine in
the subnet running WakeUp Proxy Service]LOG]!><time=“x:x:x.xxx”
component=“SleepAgent” … >
• <![LOG[Sending a port-grabbing frame for x.x.x.x / xxMACxx from
xxMACxx]LOG]!><time=“x:x:x.xxx” component=“SleepAgent” … >

11. Microsoft Wake-Up Proxy Service
• SCCM 2012 SP1
• “Configuration Manager supports traditional wake-up packets to wake up
computers in sleep mode when you want to install required software, such as
software updates and applications.”
• “…on a network that uses 802.1X network access control, wake-up proxy will not
work and can disrupt the network service.”
https://docs.microsoft.com/en-us/sccm/core/clients/deploy/plan/plan-wake-up-clients

12. SCCM Settings

13. Layer 2 Switch
00:00:0A 00:00:0B 00:00:0C
Wake-up
Proxy Service

14. 00:00:0A
00:00:0B
00:00:0C

15. 00:00:0A
00:00:0B
00:00:0C
Layer 2
Switch
Layer 3
Router
SCCM
Server

16. 00:00:0A
00:00:0B
00:00:0C
Layer 2
Switch
Layer 3
Router
Hello,
Guardian
Hello,
Guardian
Hello,
Guardian
.255 Broadcast
DCERPC

17. 00:00:0A
00:00:0B
00:00:0C
Layer 2
Switch
Layer 3
Router
B & C are
awake
A & C are
awake
A & B are
awake
ECHO

18. 00:00:0A
00:00:0B
00:00:0C
Layer 2
Switch
Layer 3
Router
Nothing
from C?
Nothing
from C?
ECHO

19. 00:00:0A
00:00:0B
00:00:0C
Layer 2
Switch
Layer 3
Router
Who has
C’s MAC?
x5

20. 00:00:0A
00:00:0B
00:00:0C
Layer 2
Switch
Layer 3
Router
I got you
bro!
A’s MAC = A’s IP
C’s MAC = A’s IP

21. 00:00:0A
00:00:0B
00:00:0C
Layer 2
Switch
Layer 3
Router

22. 00:00:0A
00:00:0B
00:00:0C
Layer 2
Switch
Layer 3
Router
New Guardian
Nomination

23. 00:00:0A
00:00:0B
00:00:0C
Layer 2
Switch
Existing User OR
Malicious System

24. Microsoft
Wake-Up
Proxy Service
Monitor and parse traffic from
attached VLAN
Undetected scanning of peer
computer listening ports
Craft custom packets for service
exploits
Ability to wake-up sleeping or
powered off computersCompromised
Box Anywhere in
Domain

25. Tools that aren't tools?

26. netstat
•Displays all active TCP connections and the TCP/UDP ports on which the
computer is listening“-a”
•Displays active TCP connections, however, addresses and port numbers
are expressed numerically and no attempt is made to determine names“-n”
•Displays active TCP connections and includes the PID for each connection
“-o”
•(admin) Displays the binary program’s name involved in creating each
connection or listening port“-b”

27. tasklist
• Specifies the name or IP address of a
remote computer“/s <Computer>”
• Lists all the service information for each
process without truncation“/svc ”
• Specifies the types of processes to include
in or exclude from the query“/fi <Filter>”

28. tcpdump
•“tcpdump –nn –c 1000 | awk ‘{print $3}’ | cut –d. –f1-4 | sort –n | uniq
–c | sort –nr”
Top talkers after
1,000 packets:
•“tcpdump –n –A –s0 port http or port ftp or port smtp or port imap or
port pop3 | egrep –I
‘pass=|pwd=|log=|login=|user=|username=|pw=|passw=
|passwd=|password=|pass:|user:|username:|password:|login:|pass
|user ‘ –color=auto --line-buffered –B20”
Clear text
protocol
passwords:

29. WMI
objects &
PowerShell
• Searches through sysvol on your domain for passwords,
files, usernames and anything else that may be
erroneously stored in a publicly readable space.
Domain_File_Search.ps1
• Domain Active directory queries from PowerShell using
native .net libraries only for LDAP connections.Native AD-SCAN
• Scan common ports of every endpoint of a give subnet. In
progress to build out enumeration of adjacent networks
by hop for additional enumeration and scanning.
Power-SCAN

30. What is a
toolkit anyway?

31. Key Takeaways!
• Understand the ports and protocols on your network!
• Server + Network Administration knowledge is a must!
• Expensive Tools

32. Questions?
• 601AOC.MDT.OMB@us.af.mil
• Office: (850) 283-5280
• https://github.com/1dentified/
• Brandon DeVault - @SolderSwag
• brandondevault@gmail.com
• brandon.devault@us.af.mil