SlideShare a Scribd company logo

Bsidesnova- Pentesting Methodology - Making bits less complicated

Download as PPTX, PDF
O
Octavio Paguaga

Slides from Pentesting Methodology

Technology
1 of 36
Pentesting Methodology - Making bits less complicated Octavio Paguaga TrustWave Government Solutions
Introduction & Thank yous • Senior Security Consultant at TrustWave Government Solutions • Thank you • Steve Borosh @rvrsh3ll • Will Schroeder @HarmJ0y • Andy Robbins @Waldo • Jimmy Bayne @bohops • hacktheplanet Discord & Bloodhound Slack Channel • @b33f & @ippsec  Check out their content/Patreon • Jason Lang – CuriousJack – • https://www.youtube.com/watch?v=kf829-tm0VM
OSINT https://generated.photos
Clear violation of Terms of Service, but… • Disable Content Security Policy • Open Developer tools var jqry = document.createElement('script'); jqry.src = "https://code.jquery.com/jquery-3.3.1.min.js"; document.getElementsByTagName('head')[0].appendChild(jqry); jQuery.noConflict(); setInterval(function() { window.scrollTo(0, document.body.scrollHeight); }, 500);
Clear violation of Terms of Service, but… jQuery('button[data-control-name="invite"]').each(function(index, value) { setTimeout(function() { jQuery(value).trigger('click'); }, index * 1000); });
Domain Ownership • Phishing Domain • C2 Domain • Domain Fronting • https://chigstuff.com/blog/metasploit-domain-fronting-with-microsoft-azure/ • https://medium.com/@rvrsh3ll/hardening-your-azure-domain-front- 7423b5ab4f64
Services to show categorization • https://fortiguard.com/webfilter • Fortiguard shows “Newly Observed Domain” • https://www.virustotal.com/gui/domain/ • Virus Total shows clean now and 12 months ago • Trustedsource.org • shows the site as Uncategorized with a reputation as Unverified • https://talosintelligence.com/reputation_center • Not blacklisted. Unknown to Talos Intelligence too (Cisco) • https://urlfiltering.paloaltonetworks.com/ • Palo Alto URL test shows it as “Alcohol and Tobacco” and “Low Risk” meaning benign activity for last 90 days • https://sitereview.bluecoat.com/#/ • Blue coat (Symantec) shows it as Business Economy category • https://www.brightcloud.com/tools/url-ip-lookup.php • Webroot shows Moderate Risk and category “Home and Garden”
Commands used • curl -H "Content-Type: BSIDES_CHARM" bsidescharm.azureedge.net • curl bsidescharm.azureedge.net • https://blog.cobaltstrike.com/2019/02/19/cobalt-strike-team-server- population-study/ • https://www.flashpoint-intel.com/blog/the-challenges-of-cobalt- strike-server-fingerprinting/
Azure domain front photos go here
Azure Domain Fronting
Commands used • curl -H "Content-Type: BSIDES_CHARM" bsidescharm.azureedge.net • curl bsidescharm.azureedge.net • https://blog.cobaltstrike.com/2019/02/19/cobalt-strike-team-server- population-study/ • https://www.flashpoint-intel.com/blog/the-challenges-of-cobalt- strike-server-fingerprinting/
Commands used
Azure Filtering to hide from defenders https://medium.com/@rvrsh3ll/hardening-your-azure-domain-front-7423b5ab4f64
Phishing Payload • HTA • SharpShooter • TikiTorch • demiguise • EvilClippy
Active Directory • SUCCESS! • Where do we start • Enumerate local machine • PSP’s • Whoami ? • What tools/scripts can I run • Manual Enumeration of AD • Bloodhound
KERBEROASTING • Targets accounts with Service Principal Name • e.g. MSSQLSvc/<FQDN> is assigned to a username • The password of the username is used to sign the TGS provided to the client. • hashcat –m 13100 <TGS> <wordlist> SPN Username MSSQLSvc/SQL01.east.com Oaktree
Active Directory • SUCCESS! • Where do we start • Enumerate local machine • PSP’s • Whoami ? • What tools/scripts can I run • Manual Enumeration of AD • Bloodhound
Manual Enumeration • Description Field • Get-DomainUser | select Description
Bloodhound & ACLs
GenericWrite permissions
Other ACL types • ForceChangePassword • AddMembers • GenericAll • GenericWrite • WriteOwner • WriteDACL
Delegation • https://adsecurity.org/wp-content/uploads/2015/08/Visio-KerberosDoubleHop-Visio.png
Delegation • Unconstrained • Constrained • For a given computer or user account, this attribute specifies the list of service principal names (SPN) corresponding to Windows services that can act on behalf of the computer or user account. • msDS-AllowedToDelegateTo • Resource Based Constrained Delegation • “(specifically msDS-AllowedToActOnBehalfOfOtherIdentity, so rights would include GenericAll, GenericWrite, WriteOwner, etc.) we can abuse this access and a modified S4U Kerberos ticket request process to compromise the computer itself.” • https://www.harmj0y.net/blog/activedirectory/a-case-study-in-wagging-the-dog-computer- takeover/ Accounts trusted for delegation (userAccountControl:1.2.840.113556.1.4.803:=524288)
Unconstrained Delegation Demo
DPAPI Data Protection API
• The Data Protection API (DPAPI) helps to protect data in Windows 2000 and later operating systems. DPAPI is used to help protect private keys, stored credentials (in Windows XP and later), and other confidential information that the operating system or a program wants to keep confidential. DPAPI is not responsible for storing the confidential information it protects. It is only responsible for encrypting and decrypting data for programs that call it, such as Windows Credential manager, the Private Key storage mechanism, or any third-party programs that call the CryptProtectData() function and the CryptUnprotectData() function in Windows 2000, Windows XP, or later.
Getting creds from Chrome
Getting creds from Chrome
Notes for Demonstration • Credentials are stored in user's profile. Can use Seatbelt to identify these. • Run vault::cred within Mimikatz before continuing • Usually in: • %appdata%MicrosoftCredentials • %localappdata%MicrosoftCredentials • We can unlock the credential blob by requesting the masterkey as the user by using the /rpc flag • We can unlock any credential blob if we can obtain the masterkey of a domain admin.
Access Credential Manager Vault
• https://github.com/gentilkiwi/mimikatz/wiki/module-~-dpapi • https://github.com/gentilkiwi/mimikatz/wiki/howto-~-credential- manager-saved-credentials • https://www.harmj0y.net/blog/redteaming/operational-guidance- for-offensive-user-dpapi-abuse/
Notes /export - optional - tickets are exported in .kirbi files. They start with user's LUID and group number (0 = TGS, 1 = client ticket(?) and 2 = TGT)

Recommended

Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB
 
BSides Cleveland: Active Defense - Helping threat actors hack themselves!
BSides Cleveland: Active Defense - Helping threat actors hack themselves!BSides Cleveland: Active Defense - Helping threat actors hack themselves!
BSides Cleveland: Active Defense - Helping threat actors hack themselves!ThreatReel Podcast
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfDefeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfdrewz lin
 
Java EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishJava EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishMarkus Eisele
 
Secure Coding for NodeJS
Secure Coding for NodeJSSecure Coding for NodeJS
Secure Coding for NodeJSThang Chung
 
Two scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesTwo scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesSpin Lai
 
Django Web Application Security
Django Web Application SecurityDjango Web Application Security
Django Web Application Securitylevigross
 
OISF Aniversary: Active Defense - Helping threat actors hack themselves!
OISF Aniversary: Active Defense - Helping threat actors hack themselves!OISF Aniversary: Active Defense - Helping threat actors hack themselves!
OISF Aniversary: Active Defense - Helping threat actors hack themselves!ThreatReel Podcast
 

Recommended

Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB
 
BSides Cleveland: Active Defense - Helping threat actors hack themselves!
BSides Cleveland: Active Defense - Helping threat actors hack themselves!BSides Cleveland: Active Defense - Helping threat actors hack themselves!
BSides Cleveland: Active Defense - Helping threat actors hack themselves!ThreatReel Podcast
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfDefeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfdrewz lin
 
Java EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishJava EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishMarkus Eisele
 
Secure Coding for NodeJS
Secure Coding for NodeJSSecure Coding for NodeJS
Secure Coding for NodeJSThang Chung
 
Two scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesTwo scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesSpin Lai
 
Django Web Application Security
Django Web Application SecurityDjango Web Application Security
Django Web Application Securitylevigross
 
OISF Aniversary: Active Defense - Helping threat actors hack themselves!
OISF Aniversary: Active Defense - Helping threat actors hack themselves!OISF Aniversary: Active Defense - Helping threat actors hack themselves!
OISF Aniversary: Active Defense - Helping threat actors hack themselves!ThreatReel Podcast
 
Modern Web Application Defense
Modern Web Application DefenseModern Web Application Defense
Modern Web Application DefenseFrank Kim
 
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault Outlyer
 
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...ThreatReel Podcast
 
Looking for Vulnerable Code. Vlad Savitsky
Looking for Vulnerable Code. Vlad SavitskyLooking for Vulnerable Code. Vlad Savitsky
Looking for Vulnerable Code. Vlad SavitskyVlad Savitsky
 
Protecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP HeadersProtecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP HeadersFrank Kim
 
Phu appsec13
Phu appsec13Phu appsec13
Phu appsec13drewz lin
 
Hashicorp Vault ppt
Hashicorp Vault pptHashicorp Vault ppt
Hashicorp Vault pptShrey Agarwal
 
Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Francois Marier
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profitDavid Stockton
 
HTTP Security Headers Every Java Developer Must Know
HTTP Security Headers Every Java Developer Must KnowHTTP Security Headers Every Java Developer Must Know
HTTP Security Headers Every Java Developer Must KnowAyoma Wijethunga
 
When Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentalsWhen Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentalsSimon Willison
 
WebView security on iOS (EN)
WebView security on iOS (EN)WebView security on iOS (EN)
WebView security on iOS (EN)lpilorz
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraMathias Karlsson
 
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Andy Robbins
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profitDavid Stockton
 
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp VaultChickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp VaultJeff Horwitz
 
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Cross Site Scripting (XSS)
Cross Site Scripting (XSS)OWASP Khartoum
 
Java script, security and you - Tri-Cities Javascript Developers Group
Java script, security and you - Tri-Cities Javascript Developers GroupJava script, security and you - Tri-Cities Javascript Developers Group
Java script, security and you - Tri-Cities Javascript Developers GroupAdam Caudill
 
Vault 101
Vault 101Vault 101
Vault 101Hazzim Anaya
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesBrad Hill
 
Cm2 secure code_training_1day_data_protection
Cm2 secure code_training_1day_data_protectionCm2 secure code_training_1day_data_protection
Cm2 secure code_training_1day_data_protectiondcervigni
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2Chris Gates
 

More Related Content

What's hot

Modern Web Application Defense
Modern Web Application DefenseModern Web Application Defense
Modern Web Application DefenseFrank Kim
 
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault Outlyer
 
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...ThreatReel Podcast
 
Looking for Vulnerable Code. Vlad Savitsky
Looking for Vulnerable Code. Vlad SavitskyLooking for Vulnerable Code. Vlad Savitsky
Looking for Vulnerable Code. Vlad SavitskyVlad Savitsky
 
Protecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP HeadersProtecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP HeadersFrank Kim
 
Phu appsec13
Phu appsec13Phu appsec13
Phu appsec13drewz lin
 
Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Francois Marier
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profitDavid Stockton
 
HTTP Security Headers Every Java Developer Must Know
HTTP Security Headers Every Java Developer Must KnowHTTP Security Headers Every Java Developer Must Know
HTTP Security Headers Every Java Developer Must KnowAyoma Wijethunga
 
When Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentalsWhen Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentalsSimon Willison
 
WebView security on iOS (EN)
WebView security on iOS (EN)WebView security on iOS (EN)
WebView security on iOS (EN)lpilorz
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraMathias Karlsson
 
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Andy Robbins
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profitDavid Stockton
 
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp VaultChickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp VaultJeff Horwitz
 
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Cross Site Scripting (XSS)
Cross Site Scripting (XSS)OWASP Khartoum
 
Java script, security and you - Tri-Cities Javascript Developers Group
Java script, security and you - Tri-Cities Javascript Developers GroupJava script, security and you - Tri-Cities Javascript Developers Group
Java script, security and you - Tri-Cities Javascript Developers GroupAdam Caudill
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesBrad Hill
 

What's hot (20)

Modern Web Application Defense
Modern Web Application DefenseModern Web Application Defense
Modern Web Application Defense
 
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
 
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
 
Looking for Vulnerable Code. Vlad Savitsky
Looking for Vulnerable Code. Vlad SavitskyLooking for Vulnerable Code. Vlad Savitsky
Looking for Vulnerable Code. Vlad Savitsky
 
Protecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP HeadersProtecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP Headers
 
Phu appsec13
Phu appsec13Phu appsec13
Phu appsec13
 
Hashicorp Vault ppt
Hashicorp Vault pptHashicorp Vault ppt
Hashicorp Vault ppt
 
Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profit
 
HTTP Security Headers Every Java Developer Must Know
HTTP Security Headers Every Java Developer Must KnowHTTP Security Headers Every Java Developer Must Know
HTTP Security Headers Every Java Developer Must Know
 
When Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentalsWhen Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentals
 
WebView security on iOS (EN)
WebView security on iOS (EN)WebView security on iOS (EN)
WebView security on iOS (EN)
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPra
 
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profit
 
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp VaultChickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
 
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Cross Site Scripting (XSS)
Cross Site Scripting (XSS)
 
Java script, security and you - Tri-Cities Javascript Developers Group
Java script, security and you - Tri-Cities Javascript Developers GroupJava script, security and you - Tri-Cities Javascript Developers Group
Java script, security and you - Tri-Cities Javascript Developers Group
 
Vault 101
Vault 101Vault 101
Vault 101
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 

Similar to Bsidesnova- Pentesting Methodology - Making bits less complicated

Cm2 secure code_training_1day_data_protection
Cm2 secure code_training_1day_data_protectionCm2 secure code_training_1day_data_protection
Cm2 secure code_training_1day_data_protectiondcervigni
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2Chris Gates
 
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018HashiCorp
 
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain AccessDefcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Accesseightbit
 
Managing your secrets in a cloud environment
Managing your secrets in a cloud environmentManaging your secrets in a cloud environment
Managing your secrets in a cloud environmentTaswar Bhatti
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Michael Pirnat
 
Can you keep a secret? (XP Days 2017)
Can you keep a secret? (XP Days 2017)Can you keep a secret? (XP Days 2017)
Can you keep a secret? (XP Days 2017)Valerii Moisieienko
 
Azure Low Lands 2019 - Building secure cloud applications with Azure Key Vault
Azure Low Lands 2019 - Building secure cloud applications with Azure Key VaultAzure Low Lands 2019 - Building secure cloud applications with Azure Key Vault
Azure Low Lands 2019 - Building secure cloud applications with Azure Key VaultTom Kerkhove
 
Заполучили права администратора домена? Игра еще не окончена
Заполучили права администратора домена? Игра еще не оконченаЗаполучили права администратора домена? Игра еще не окончена
Заполучили права администратора домена? Игра еще не оконченаPositive Hack Days
 
Offensive Python for Pentesting
Offensive Python for PentestingOffensive Python for Pentesting
Offensive Python for PentestingMike Felch
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Jim Manico
 
So you want to be a security expert
So you want to be a security expertSo you want to be a security expert
So you want to be a security expertRoyce Davis
 
IT Camp 19: Top Azure security fails and how to avoid them
IT Camp 19: Top Azure security fails and how to avoid themIT Camp 19: Top Azure security fails and how to avoid them
IT Camp 19: Top Azure security fails and how to avoid themKarl Ots
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Rob Fuller
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Chris Gates
 
Owning computers without shell access dark
Owning computers without shell access darkOwning computers without shell access dark
Owning computers without shell access darkRoyce Davis
 
Getting Started in Pentesting the Cloud: Azure
Getting Started in Pentesting the Cloud: AzureGetting Started in Pentesting the Cloud: Azure
Getting Started in Pentesting the Cloud: AzureBeau Bullock
 
Secure your web app presentation
Secure your web app presentationSecure your web app presentation
Secure your web app presentationFrans Lytzen
 

Similar to Bsidesnova- Pentesting Methodology - Making bits less complicated (20)

Cm2 secure code_training_1day_data_protection
Cm2 secure code_training_1day_data_protectionCm2 secure code_training_1day_data_protection
Cm2 secure code_training_1day_data_protection
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
 
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
 
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain AccessDefcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
 
Managing your secrets in a cloud environment
Managing your secrets in a cloud environmentManaging your secrets in a cloud environment
Managing your secrets in a cloud environment
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
 
Can you keep a secret? (XP Days 2017)
Can you keep a secret? (XP Days 2017)Can you keep a secret? (XP Days 2017)
Can you keep a secret? (XP Days 2017)
 
Secure all things with CBSecurity 3
Secure all things with CBSecurity 3Secure all things with CBSecurity 3
Secure all things with CBSecurity 3
 
Azure Low Lands 2019 - Building secure cloud applications with Azure Key Vault
Azure Low Lands 2019 - Building secure cloud applications with Azure Key VaultAzure Low Lands 2019 - Building secure cloud applications with Azure Key Vault
Azure Low Lands 2019 - Building secure cloud applications with Azure Key Vault
 
Заполучили права администратора домена? Игра еще не окончена
Заполучили права администратора домена? Игра еще не оконченаЗаполучили права администратора домена? Игра еще не окончена
Заполучили права администратора домена? Игра еще не окончена
 
Offensive Python for Pentesting
Offensive Python for PentestingOffensive Python for Pentesting
Offensive Python for Pentesting
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5
 
So you want to be a security expert
So you want to be a security expertSo you want to be a security expert
So you want to be a security expert
 
IT Camp 19: Top Azure security fails and how to avoid them
IT Camp 19: Top Azure security fails and how to avoid themIT Camp 19: Top Azure security fails and how to avoid them
IT Camp 19: Top Azure security fails and how to avoid them
 
Rails Security
Rails SecurityRails Security
Rails Security
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
 
Owning computers without shell access dark
Owning computers without shell access darkOwning computers without shell access dark
Owning computers without shell access dark
 
Getting Started in Pentesting the Cloud: Azure
Getting Started in Pentesting the Cloud: AzureGetting Started in Pentesting the Cloud: Azure
Getting Started in Pentesting the Cloud: Azure
 
Secure your web app presentation
Secure your web app presentationSecure your web app presentation
Secure your web app presentation
 

Recently uploaded

2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 

Recently uploaded (20)

2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 

Bsidesnova- Pentesting Methodology - Making bits less complicated

  • 1. Pentesting Methodology - Making bits less complicated Octavio Paguaga TrustWave Government Solutions
  • 2. Introduction & Thank yous • Senior Security Consultant at TrustWave Government Solutions • Thank you • Steve Borosh @rvrsh3ll • Will Schroeder @HarmJ0y • Andy Robbins @Waldo • Jimmy Bayne @bohops • hacktheplanet Discord & Bloodhound Slack Channel • @b33f & @ippsec  Check out their content/Patreon • Jason Lang – CuriousJack – • https://www.youtube.com/watch?v=kf829-tm0VM
  • 3.
  • 5. Clear violation of Terms of Service, but… • Disable Content Security Policy • Open Developer tools var jqry = document.createElement('script'); jqry.src = "https://code.jquery.com/jquery-3.3.1.min.js"; document.getElementsByTagName('head')[0].appendChild(jqry); jQuery.noConflict(); setInterval(function() { window.scrollTo(0, document.body.scrollHeight); }, 500);
  • 6. Clear violation of Terms of Service, but… jQuery('button[data-control-name="invite"]').each(function(index, value) { setTimeout(function() { jQuery(value).trigger('click'); }, index * 1000); });
  • 7.
  • 8. Domain Ownership • Phishing Domain • C2 Domain • Domain Fronting • https://chigstuff.com/blog/metasploit-domain-fronting-with-microsoft-azure/ • https://medium.com/@rvrsh3ll/hardening-your-azure-domain-front- 7423b5ab4f64
  • 9. Services to show categorization • https://fortiguard.com/webfilter • Fortiguard shows “Newly Observed Domain” • https://www.virustotal.com/gui/domain/ • Virus Total shows clean now and 12 months ago • Trustedsource.org • shows the site as Uncategorized with a reputation as Unverified • https://talosintelligence.com/reputation_center • Not blacklisted. Unknown to Talos Intelligence too (Cisco) • https://urlfiltering.paloaltonetworks.com/ • Palo Alto URL test shows it as “Alcohol and Tobacco” and “Low Risk” meaning benign activity for last 90 days • https://sitereview.bluecoat.com/#/ • Blue coat (Symantec) shows it as Business Economy category • https://www.brightcloud.com/tools/url-ip-lookup.php • Webroot shows Moderate Risk and category “Home and Garden”
  • 10. Commands used • curl -H "Content-Type: BSIDES_CHARM" bsidescharm.azureedge.net • curl bsidescharm.azureedge.net • https://blog.cobaltstrike.com/2019/02/19/cobalt-strike-team-server- population-study/ • https://www.flashpoint-intel.com/blog/the-challenges-of-cobalt- strike-server-fingerprinting/
  • 11. Azure domain front photos go here
  • 13. Commands used • curl -H "Content-Type: BSIDES_CHARM" bsidescharm.azureedge.net • curl bsidescharm.azureedge.net • https://blog.cobaltstrike.com/2019/02/19/cobalt-strike-team-server- population-study/ • https://www.flashpoint-intel.com/blog/the-challenges-of-cobalt- strike-server-fingerprinting/
  • 15. Azure Filtering to hide from defenders https://medium.com/@rvrsh3ll/hardening-your-azure-domain-front-7423b5ab4f64
  • 16. Phishing Payload • HTA • SharpShooter • TikiTorch • demiguise • EvilClippy
  • 17. Active Directory • SUCCESS! • Where do we start • Enumerate local machine • PSP’s • Whoami ? • What tools/scripts can I run • Manual Enumeration of AD • Bloodhound
  • 18.
  • 19. KERBEROASTING • Targets accounts with Service Principal Name • e.g. MSSQLSvc/<FQDN> is assigned to a username • The password of the username is used to sign the TGS provided to the client. • hashcat –m 13100 <TGS> <wordlist> SPN Username MSSQLSvc/SQL01.east.com Oaktree
  • 20. Active Directory • SUCCESS! • Where do we start • Enumerate local machine • PSP’s • Whoami ? • What tools/scripts can I run • Manual Enumeration of AD • Bloodhound
  • 21. Manual Enumeration • Description Field • Get-DomainUser | select Description
  • 24. Other ACL types • ForceChangePassword • AddMembers • GenericAll • GenericWrite • WriteOwner • WriteDACL
  • 26. Delegation • Unconstrained • Constrained • For a given computer or user account, this attribute specifies the list of service principal names (SPN) corresponding to Windows services that can act on behalf of the computer or user account. • msDS-AllowedToDelegateTo • Resource Based Constrained Delegation • “(specifically msDS-AllowedToActOnBehalfOfOtherIdentity, so rights would include GenericAll, GenericWrite, WriteOwner, etc.) we can abuse this access and a modified S4U Kerberos ticket request process to compromise the computer itself.” • https://www.harmj0y.net/blog/activedirectory/a-case-study-in-wagging-the-dog-computer- takeover/ Accounts trusted for delegation (userAccountControl:1.2.840.113556.1.4.803:=524288)
  • 28.
  • 30. • The Data Protection API (DPAPI) helps to protect data in Windows 2000 and later operating systems. DPAPI is used to help protect private keys, stored credentials (in Windows XP and later), and other confidential information that the operating system or a program wants to keep confidential. DPAPI is not responsible for storing the confidential information it protects. It is only responsible for encrypting and decrypting data for programs that call it, such as Windows Credential manager, the Private Key storage mechanism, or any third-party programs that call the CryptProtectData() function and the CryptUnprotectData() function in Windows 2000, Windows XP, or later.
  • 33. Notes for Demonstration • Credentials are stored in user's profile. Can use Seatbelt to identify these. • Run vault::cred within Mimikatz before continuing • Usually in: • %appdata%MicrosoftCredentials • %localappdata%MicrosoftCredentials • We can unlock the credential blob by requesting the masterkey as the user by using the /rpc flag • We can unlock any credential blob if we can obtain the masterkey of a domain admin.
  • 36. Notes /export - optional - tickets are exported in .kirbi files. They start with user's LUID and group number (0 = TGS, 1 = client ticket(?) and 2 = TGT)