Attack all the layers secure 360

This presentation is intended to provide an overview of vulnerabilities and attack techniques that are popular in penetration testing at the moment. Vulnerabilities related to the application, network, and server layers will be covered along with current anti-virus bypass and privilege escalation techniques used by attackers and penetration testers. This presentation should be interesting to security professionals and system administrators looking for more insight into real world attacks. Karl Fosaaen and I put this together for Secure 360 in Minneapolis. We hope you enjoy it.

More security blogs by the authors can be found @
https://www.netspi.com/blog/


Attack all the layers secure 360

  1. INTRODUCTIONS
     • Scott Sutherland, Security Consultant @ NetSPI, Twitter: @_nullbind
     • Karl Fosaaen, Security Consultant @ NetSPI, Twitter: @kfosaaen
     • We specialize in both things and stuff!
  2. OVERVIEW
     • Why do companies pen test?
     • Attacking passwords
     • Attacking protocols
     • Attacking applications
     • Bypassing AV
     • Windows Escalation
     • Conclusions
  3. WHY DO COMPANIES PEN TEST?
     • Compliance requirements
     • Third party requests
     • Identify unknown security gaps
     • Validate existing security controls
     • Prioritize existing security initiatives
     • Prevent data breaches
  4. PENETRATION TEST GOALS
     • Identify and understand the impact of vulnerabilities at the application, system, and network layers
     • Prioritize remediation
     • Understand ability to detect and respond to attacks
  5. PENETRATION TEST OBJECTIVES
     • *Complete client specific objectives
     • Gain access to critical systems, sensitive data, and application functionality
     • Attack Surfaces: Applications, Networks, Servers
     • Attack Categories: Configuration issues, Code vulnerabilities, Missing patches
  6. OVERVIEW
     • Attacking passwords
     • Attacking protocols
     • Attacking applications
     • Bypassing AV
     • Escalation
  7. ATTACKING PASSWORDS
     • Dictionary Attacks
     • Dump Hashes and Crack
     • Dump Hashes and PTH
     • Impersonate
     • Dump in Cleartext!
  8. ATTACKING PASSWORDS (timeline slide; only the year labels survived: 1997, 2000s, 2001, 2007, 2008, 2010, 2012)
  9. ATTACKING PASSWORDS: DICTIONARY
     • Dictionary Attacks
       - Enumerate users: null SMB logins, RPC, *SID brute force, SNMP, LDAP, SharePoint, etc.
       - Attack!
     • Are users getting smarter? Sort of…
       - “Spring2013” meets password complexity requirements
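Slide 9's point that “Spring2013” satisfies the complexity policy is the thing to screen for on the defensive side: the policy counts character classes, while a dictionary attack tries season/month + year, leet-mangled common words and the company name first. The screening code below is an added example written for this page, not the presenters' code. It applies the Windows-style three-of-four rule and then rejects those predictable patterns; the word lists, the LEET table and the org_words argument are constructed for illustration.

```python
"""Password screening that goes beyond the classic complexity rule.
Added example for this page; the word lists are constructed, not from the slides."""
import re
from typing import Optional

SEASONS = {"spring", "summer", "fall", "autumn", "winter"}
MONTHS = {"january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"}
# Deliberately short constructed list; a real deployment would consult a large
# breached-password list instead of a handful of literals.
COMMON_BASES = {"password", "welcome", "letmein", "qwerty", "changeme", "admin"}

# Leet look-alikes that cracking rule sets undo as a matter of course.
LEET = str.maketrans("043@$", "oaeas")


def meets_complexity(pw: str, min_len: int = 8) -> bool:
    """The Windows 'password must meet complexity requirements' rule in spirit:
    a minimum length plus at least three of the four character classes."""
    classes = (
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    )
    return len(pw) >= min_len and sum(classes) >= 3


def split_password(pw: str):
    """Split 'Spring2013!' into ('spring', '2013', '!'): base word, numeric
    suffix and trailing symbols, with leet substitutions undone in the base."""
    m = re.fullmatch(r"(.*?)(\d{0,4})([^a-z0-9]*)", pw.lower())
    base, digits, symbols = m.groups()
    return base.translate(LEET), digits, symbols


def predictable_pattern(pw: str, org_words=()) -> Optional[str]:
    """Return a short reason if the password follows a pattern that a dictionary
    attack with simple mangling rules would hit, otherwise None."""
    base, digits, _ = split_password(pw)
    if not base.isalpha():
        return None  # not a single word plus suffix; leave it to length/entropy rules
    looks_like_year = re.fullmatch(r"(19|20)?\d{2}", digits) is not None
    if base in COMMON_BASES:
        return "common base word"
    if base in SEASONS or base in MONTHS:
        return "season/month + year" if looks_like_year else "season/month base"
    if base in {w.lower() for w in org_words}:
        return "organization name + suffix"
    return None


def check_password(pw: str, org_words=()) -> dict:
    """Combine both checks; 'accept' is what a password filter would return."""
    complexity = meets_complexity(pw)
    reason = predictable_pattern(pw, org_words)
    return {"complexity": complexity, "predictable": reason,
            "accept": complexity and reason is None}


if __name__ == "__main__":
    for candidate in ("Spring2013", "P@ssw0rd1!", "Acme2024!", "Tr0ub4dor&3"):
        print(candidate, check_password(candidate, org_words=("Acme",)))
```

Running it shows the asymmetry the slide is pointing at: “Spring2013” and “P@ssw0rd1!” pass the complexity rule and fail the pattern check, while a password with no recognizable base word passes both.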
  10. ATTACKING PASSWORDS: CRACKING
     • Dumping Hashes and Cracking: John, Rainbow Tables, oclHashcat-plus
  11. ATTACKING PASSWORDS: CRACKING (screenshot slide, no text)
  12. ATTACKING PASSWORDS: PASSING
     • Dumping and Passing Hashes: Pass the Hash toolkit, Metasploit, PTH everything
  13. ATTACKING PASSWORDS: IMPERSONATE
     • Impersonate: Incognito, WCE
  14. ATTACKING PASSWORDS: CLEARTEXT
     • Dump in Cleartext! All the applications!
       - egyp7’s script
       - WCE
       - Mimikatz
  15. OVERVIEW
     • Attacking passwords
     • Attacking protocols
     • Attacking applications
     • Bypassing AV
     • Windows Escalation
  16. ATTACKING PROTOCOLS
     • ARP: Address Resolution Protocol
     • NBNS: NetBIOS Name Service
     • SMB: Server Message Block
     • DTP: Dynamic Trunking Protocol
     • VTP: VLAN Trunking Protocol
     • Honorable Mentions
  17. ATTACKING PROTOCOLS: ARP (section title slide: Address Resolution Protocol)
  18. ATTACKING PROTOCOLS: ARP
     • General: MAC to IP association; Layer 2
     • Conditions: Independent of user action; Broadcast network
     • Attacks: MITM Monitoring, MITM Injection, DoS
  19. ATTACKING PROTOCOLS: ARP (diagram slide, no text)
  20. ATTACKING PROTOCOLS: ARP
     Common ARP MITM attacks:
     • Intercept Data: SSN, credit cards, healthcare data, etc.; whole file parsing with NetworkMiner
     • Intercept Passwords: Cain will parse passwords for over 30 protocols
     • Content Injection: SQL injection (web and direct database connections); HTML injection (redirection, browser exploits); UNC path injection (force authentication); proxy and modify HTTP traffic with Burp Suite
  21. ATTACKING PROTOCOLS: ARP
     Common ARP MITM tools:
     • Windows Tools: Cain, Ettercap-NG, Intercepter-NG, Nemesis
     • Linux Tools: Ettercap, Dsniff, Subterfuge, easy-creds, Loki, Nemesis
  22. ATTACKING PROTOCOLS: ARP
     Common mitigating controls:
     • Dynamic ARP Inspection
     • Port Security
     • Static Routes (not recommended)
  23. ATTACKING PROTOCOLS: NBNS (section title slide: NetBIOS Name Service)
  24. ATTACKING PROTOCOLS: NBNS
     • General: IP to hostname association; Layer 5 / 7
     • Constraints: Dependent on user action; Broadcast network; Windows only
     • Attacks: MITM Monitoring, MITM Injection, DoS
  25.–27. ATTACKING PROTOCOLS: NBNS (diagram slides, no text)
  28. ATTACKING PROTOCOLS: NBNS
     Common NBNS MITM attacks:
     • Intercept Data: SSN, credit cards, healthcare data, etc.; whole file parsing with NetworkMiner
     • Intercept Passwords: Cain will parse passwords for over 30 protocols
     • Content Injection: SQL injection (web and direct database connections); HTML injection (redirection, browser exploits); UNC path injection (force authentication); proxy and modify traffic with Burp Suite
  29. ATTACKING PROTOCOLS: NBNS
     Common NBNS MITM tools:
     • Windows Tools: nbnspoof (Python), Metasploit (nbns_response + other modules), Responder (Python)
     • Linux Tools: nbnspoof (Python), Metasploit (nbns_response + other modules), Responder (Python)
  30. ATTACKING PROTOCOLS: NBNS
     Common mitigating controls:
     • Create a WPAD (Web Proxy Auto-Discovery) server entry in DNS
     • Disable NBNS (not highly recommended)
     • Disable insecure authentication to help limit the impact of exposed hashes
     • Enable packet signing to help prevent SMB Relay attacks
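The NBNS mitigations on slide 30 (a WPAD record in DNS, SMB signing, disabling insecure authentication) are configuration changes; spotting a poisoner on the wire is also cheap, because a rogue responder answers for names nobody owns. The decoder and detector below is an added example for this page, not a tool from the slides. It builds NBNS packets in the RFC 1002 layout, parses them back, and flags any source that answers a canary name (CANARY_NAME, a hypothetical name no real host registers), answers WPAD, or answers more distinct names than a single host would ever register. The capture list and all addresses are constructed inline.

```python
"""NBNS (NetBIOS Name Service, UDP/137) decoder plus a simple poisoning detector.
Added example for this page, not code from the slides; the capture is constructed."""
import struct
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

NB_TYPE = 0x0020              # NB resource record: name -> IP address
CANARY_NAME = "NOSUCHHOST7"   # hypothetical name that no legitimate host registers


def encode_name(name: str, suffix: int = 0x00) -> bytes:
    """RFC 1001 'first level' encoding: pad to 15 chars, append the suffix byte,
    then emit each nibble as a letter A..P (0x41 + nibble), length-prefixed."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = bytearray()
    for b in raw:
        enc += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return b"\x20" + bytes(enc) + b"\x00"


def decode_name(buf: bytes, off: int) -> Tuple[str, int, int]:
    """Inverse of encode_name; returns (name, suffix, offset_after_name)."""
    length = buf[off]
    off += 1
    enc = buf[off:off + length]
    off += length
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, length, 2))
    if buf[off] != 0:
        raise ValueError("expected end of name")
    return raw[:15].decode("ascii").rstrip(), raw[15], off + 1


def build_query(txid: int, name: str) -> bytes:
    header = struct.pack(">HHHHHH", txid, 0x0110, 1, 0, 0, 0)  # broadcast flag set
    return header + encode_name(name) + struct.pack(">HH", NB_TYPE, 1)


def build_response(txid: int, name: str, ip: str) -> bytes:
    header = struct.pack(">HHHHHH", txid, 0x8500, 0, 1, 0, 0)  # response + authoritative
    rdata = struct.pack(">H", 0x0000) + bytes(int(o) for o in ip.split("."))
    rr = encode_name(name) + struct.pack(">HHIH", NB_TYPE, 1, 300000, len(rdata)) + rdata
    return header + rr


def parse(packet: bytes) -> dict:
    """Decode the header and the first name; for a response, pull the answered IP."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", packet[:12])
    name, suffix, off = decode_name(packet, 12)
    rec = {"txid": txid, "response": bool(flags & 0x8000), "name": name, "suffix": suffix}
    if rec["response"] and an:
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", packet[off:off + 10])
        rdata = packet[off + 10:off + 10 + rdlen]
        rec["answer_ip"] = ".".join(str(b) for b in rdata[2:6])
    return rec


def find_poisoners(datagrams: Iterable[Tuple[str, bytes]], max_names: int = 3) -> Dict[str, List[str]]:
    """datagrams: (source IP, raw NBNS payload) pairs in capture order.
    Flags a source that answers the canary, answers WPAD (which should only ever
    come from DNS), or answers for more distinct names than one host registers."""
    answered = defaultdict(set)
    findings = defaultdict(list)
    for src, pkt in datagrams:
        rec = parse(pkt)
        if not rec["response"]:
            continue
        answered[src].add(rec["name"])
        if rec["name"] == CANARY_NAME:
            findings[src].append(f"answered canary name {CANARY_NAME}")
        if rec["name"] == "WPAD":
            findings[src].append("answered WPAD")
    for src, names in answered.items():
        if len(names) > max_names:
            findings[src].append(f"answered {len(names)} distinct names")
    return dict(findings)


# Constructed capture: one legitimate file server and one host answering everything.
SAMPLE_CAPTURE = [
    ("10.0.0.5", build_query(0x1001, "FILESRV01")),
    ("10.0.0.20", build_response(0x1001, "FILESRV01", "10.0.0.20")),
    ("10.0.0.5", build_query(0x1002, CANARY_NAME)),
    ("10.0.0.66", build_response(0x1002, CANARY_NAME, "10.0.0.66")),
    ("10.0.0.7", build_query(0x1003, "WPAD")),
    ("10.0.0.66", build_response(0x1003, "WPAD", "10.0.0.66")),
    ("10.0.0.66", build_response(0x1004, "PRINTSRV", "10.0.0.66")),
    ("10.0.0.66", build_response(0x1005, "SHAREZ", "10.0.0.66")),
]

if __name__ == "__main__":
    for host, reasons in find_poisoners(SAMPLE_CAPTURE).items():
        print(host, reasons)
```

The canary check is the one that scales: a scheduled job that broadcasts a query for a name that does not exist and alerts on any answer needs no baseline, and the encoded form of WPAD that the code produces (FHFAEBEECACACACACACACACACACACAAA) is the string to look for in raw captures when a full decoder is not at hand.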
  31. ATTACKING PROTOCOLS: SMB (section title slide: Server Message Block)
  32. ATTACKING PROTOCOLS: SMB
     • General: SMB is the comeback kid! Layer 7
     • Constraints: Dependent on user action; Any routable network; No connecting back to the originating host
     • Attacks: Command execution; Shells..aaand shells
  33. ATTACKING PROTOCOLS: SMB (diagram slide, no text)
  34. ATTACKING PROTOCOLS: SMB
     Historically SMB Relay has been used to:
     • Execute arbitrary commands
     • Obtain shells
     Lately the community has been developing tools for doing things like:
     • LDAP queries
     • SQL queries
     • Exchange services
     • Mounting file systems
  35. ATTACKING PROTOCOLS: SMB
     Many tools support SMB Relay attacks:
     • Windows Tools: Metasploit (smb_relay and http_ntlmrelay), Intercepter-NG …this is kind of a pain in Windows
     • Linux Tools: Metasploit (smb_relay and http_ntlmrelay), ZackAttack, Subterfuge, Squirtle
  36. ATTACKING PROTOCOLS: SMB
     Common mitigating controls:
     • Enable packet signing to help prevent SMB Relay attacks
     • Apply really old patches, like if you missed out on the last decade…
  37. ATTACKING PROTOCOLS: DTP (section title slide: Dynamic Trunking Protocol)
  38. ATTACKING PROTOCOLS: DTP
     • General: 802.1Q encapsulation is in use; Layer 2
     • Constraints: Independent of user action; Trunking is set to enabled or auto on the switch port
     • Attacks: Monitor network traffic for all VLANs, because all VLANs are allowed on a trunk by default; *Full VLAN hopping
  39.–42. ATTACKING PROTOCOLS: DTP (diagram/screenshot slides, no text)
  43. ATTACKING PROTOCOLS: DTP
     • Intercept Data: SSN, credit cards, healthcare data, etc.; whole file parsing with NetworkMiner
     • Intercept Passwords: Cain will parse passwords for over 30 protocols
  44. ATTACKING PROTOCOLS: DTP
     Common DTP spoofing tools:
     • Windows Tools: I got nothing…
     • Linux Tools: Yersinia
  45. ATTACKING PROTOCOLS: DTP
     Common mitigating controls:
     • Use a dedicated VLAN ID for all trunking ports
     • Disable all unused ports and place them on a non-routable VLAN
     • Configure all user ports as access ports to prevent trunk negotiation
     • Configure frames with two 802.1Q headers
     • Configure strong VACLs
  46. ATTACKING PROTOCOLS: VTP (section title slide: VLAN Trunking Protocol)
  47. ATTACKING PROTOCOLS: VTP
     • General: 802.1Q encapsulation is in use; Layer 2
     • Constraints: Independent of user action; VLANs are IP or MAC based
     • Attacks: Ability to directly attack systems on other VLANs
  48.–49. ATTACKING PROTOCOLS: VTP (diagram slides, no text)
  50. ATTACKING PROTOCOLS: VTP
     Common next steps after VTP tag forgery:
     • MITM attacks against remote VLAN systems
     • Intercept/Modify Data: usually limited to broadcast traffic (unless MITM)
  51. ATTACKING PROTOCOLS: VTP
     Tools for VLAN hopping attacks:
     • Windows Tools: Native: manually reconfigure via TCP/IP settings
     • Linux Tools: Native: modprobe + ifconfig; VoIP Hopper; Yersinia
  52. ATTACKING PROTOCOLS: VTP
     Common mitigating controls:
     • Use a dedicated VLAN ID for all trunking ports
     • Disable all unused ports and place them on a non-routable VLAN
     • Configure all user ports as access ports to prevent trunk negotiation
     • Configure frames with two 802.1Q headers
     • Configure strong VACLs
  53. ATTACKING PROTOCOLS: OTHERS
     Honorable Mention:
     • Preboot Execution Environment (PXE)
     • Link-Local Multicast Name Resolution (LLMNR)
     • Dynamic Host Configuration Protocol (DHCP)
  54. OVERVIEW
     • Attacking passwords
     • Attacking protocols
     • Attacking applications
     • Bypassing AV
     • Windows Escalation
  55. ATTACKING APPLICATIONS
     • Default and weak passwords for everything. Tools: Nmap, Nessus, Web Scour, manuals, Google
     • SQL injection. Tools: manually, web scanners, sqlninja, sqlmap, Metasploit
     • RFI / web shells (JBoss, Tomcat, etc.). Tools: Metasploit, FuzzDB, and other web shellery
     • Web directory traversals. Tools: manually, web scanners, FuzzDB, Metasploit
     • MS08-067. Tools: Metasploit, Exploit-DB exploits, etc.
  56. OVERVIEW
     • Attacking passwords
     • Attacking protocols
     • Attacking applications
     • Bypassing AV
     • Escalation
  57. BYPASSING AV
     • Weak Configurations
     • Source Code Tricks
     • Binary Modifications
     • Process/Thread Manipulation
  58. BYPASSING AV: WEAK CONFIGURATIONS
     • Execute from share, UNC path, or external media
     • Disable via GUI
     • Create policy exceptions
     • Kill processes
     • Stop / disable services
     • Uninstall (not recommended)
     • Insecure service registration (C:\program.exe)
     • Insecure file permissions (file replacement/mods)
     • Execute from a DLL
     • DLL preloading, side loading, etc.
     • GAC poisoning (potentially)
  59. BYPASSING AV: SOURCE CODE TRICKS
     Customize everything… and be crazy
     • Migrate to and suspend or kill AV
     • Modify comments (web languages)
     • Replace variable names
     • Modify application logic
     • Use alternative functions
     • Remove or modify resources
     • Encode or encrypt payloads
     • Compress payloads
     • Add time delays
     • Call NTDLL.DLL directly
  60. BYPASSING AV: BINARY MODIFICATIONS
     Same idea… be crazy
     • Simple string modification
     • Decompile / modify source
     • Disassemble / modify application logic
     • Disassemble / insert time delays
     • Modify resource table (ditto / CFF Explorer)
     • Modify imports table (ditto / CFF Explorer)
     • Pack (UPX, MPRESS, IExpress, etc.)
     • Metasploit Pro payloads: dynamic exe generation
  61. BYPASSING AV: PROCESS/THREAD MODS
     Inject, inject, replace…
     • Code injection (local and remote)
     • DLL injection (local and remote)
     • Process replacement
     Common tools:
     • PowerShell: PowerSploit, etc.
     • Python and py2exe
     • Any language that supports calls to native DLLs
  62. OVERVIEW
     • Attacking passwords
     • Attacking protocols
     • Attacking applications
     • AV evasion
     • Windows Escalation
  63. WINDOWS ESCALATION: OVERVIEW
     • Local user -> Local Administrator
     • Domain user -> Local Administrator
     • Local Administrator -> LocalSystem
     • LocalSystem -> Domain User
     • Locate Domain Admin tokens
     • LocalSystem -> Domain Admin
  64. WINDOWS ESCALATION: LOCAL ADMIN
     • Local user -> Local Administrator
       - Excessive local group privileges (admin or power users)
       - Cleartext credentials: Sysprep (unattend.xml/ini/txt); config files, scripts, logs, desktop folders; tech support call files
       - Weak application configurations that allow: restarting or reconfiguring services; replacing application files; DLL pre- or side-loading; executable injection via poorly registered services (C:\Program Files (x86) vs “C:\Program Files (x86)”)
       - Local and remote exploits (Metasploit: getsystem)
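Slides 58 and 64 both come back to insecure service registration, i.e. the difference between C:\Program Files (x86)\... and “C:\Program Files (x86)\...”: when the ImagePath is unquoted and contains spaces, Windows tries each space-delimited prefix with .exe appended before it reaches the real binary, so whoever can write one of those intermediate files runs as the service account. The audit below is an added example for this page, not the presenters' code. It reproduces that lookup order from an ImagePath string, lists the intermediate executables that would be tried, and produces the quoted ImagePath that fixes the finding. The SAMPLE_SERVICES values are constructed; load_from_registry() reads live values only when run on Windows.

```python
"""Audit Windows service ImagePath values for unquoted paths containing spaces.
Added example for this page, not from the slides. SAMPLE_SERVICES is constructed;
load_from_registry() reads the real values when run on Windows."""
import sys
from typing import Dict


def audit_image_path(image_path: str) -> dict:
    """Describe what the CreateProcess lookup would try for an unquoted path.
    For 'C:\\Program Files\\Sub Dir\\svc.exe -arg' the intermediate candidates are
    'C:\\Program.exe' and 'C:\\Program Files\\Sub.exe'; each is an executable that
    is tried, with .exe appended, before the intended one."""
    path = image_path.strip()
    if path.startswith('"'):
        return {"vulnerable": False, "reason": "quoted"}
    end = path.lower().find(".exe")
    exe = path[:end + 4] if end != -1 else path.split(" ")[0]
    if " " not in exe:
        return {"vulnerable": False, "reason": "no space in executable path"}
    candidates = [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]
    return {"vulnerable": True, "candidates": candidates,
            "fix": f'"{exe}"' + path[len(exe):]}


def audit_services(services: Dict[str, str]) -> Dict[str, dict]:
    """services maps service name -> ImagePath; returns only the vulnerable ones."""
    results = {name: audit_image_path(p) for name, p in services.items()}
    return {name: r for name, r in results.items() if r["vulnerable"]}


def load_from_registry() -> Dict[str, str]:
    """Collect ImagePath for every key under HKLM\\SYSTEM\\CurrentControlSet\\Services.
    Windows only; returns an empty dict elsewhere so the sample data is used."""
    if sys.platform != "win32":
        return {}
    import winreg
    out = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as root:
        i = 0
        while True:
            try:
                name = winreg.EnumKey(root, i)
            except OSError:
                break  # no more subkeys
            i += 1
            try:
                with winreg.OpenKey(root, name) as k:
                    out[name] = winreg.QueryValueEx(k, "ImagePath")[0]
            except OSError:
                pass  # no ImagePath (group/driver key) or access denied
    return out


# Constructed sample: one bad registration, one quoted one, two without spaces.
SAMPLE_SERVICES = {
    "AcmeAgent": r"C:\Program Files (x86)\Acme Agent\agent.exe -svc",
    "GoodAgent": r'"C:\Program Files\Good Agent\good.exe" /run',
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
    "NetSvc": r"C:\Windows\system32\svchost.exe -k netsvcs -p",
}

if __name__ == "__main__":
    for name, r in audit_services(load_from_registry() or SAMPLE_SERVICES).items():
        print(name, r["candidates"], "->", r["fix"])
```

On the sample data only AcmeAgent is reported, with candidates C:\Program.exe, C:\Program Files.exe and C:\Program Files (x86)\Acme.exe; the remediation is the quoted ImagePath the audit prints, and the follow-up check on a live system is the ACL of each candidate's parent directory.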
  65. WINDOWS ESCALATION: LOCAL ADMIN
     • Domain user -> Local Administrator
       - Issues from the last slide and…
       - Group policy: groups.xml
       - File shares accessible to domain users
       - Ability to log into domain workstations
       - Excessive database privileges (xp_cmdshell, etc.)
       - SMB Relay + cracking hashes
       - Other systems and applications that use integrated domain authentication…
  66. WINDOWS ESCALATION: LOCAL ADMIN
     • Local Administrator -> LocalSystem
       - At.exe (on older systems), we still see it!
       - Accessibility Options: replace accessibility options like utilman.exe, osk.exe and sethc.exe with cmd.exe or another backdoor
       - Create a custom service to run as LocalSystem: psexec -s -i cmd.exe
       - Migrate to a system process: remote process injection, MSF ps + migrate, and Incognito
       - Local and remote exploits: Metasploit getsystem, etc.
       - SQL Server and database links + xp_cmdshell
  67. WINDOWS ESCALATION: FIND DA TOKENS
     • Locate Domain Admin tokens
       - Check locally ;) incognito
       - Query the domain controllers: netsess.exe
       - Scan remote systems for running tasks: native tasklist or smbexec
       - Scan old Windows systems for NetBIOS
       - Shell spraying for tokens (not advised)
  68. WINDOWS ESCALATION: DOMAIN ADMIN
     • LocalSystem -> Domain Admin
       - Pass-the-hash to target system: local administrator account and shared service accounts; manually via trusted connections or via MSF, etc.
       - Impersonate authentication token: custom application, Incognito, WCE, Metasploit
       - Dump clear text domain credentials: Mimikatz, WCE, or Metasploit
       - Key logging
       - MITM + sniffing (HTTP integrated auth, etc.)
  69. CONCLUSIONS
     • All can kind of be fixed
     • Most Networks: kind of broken
     • Most Protocols: kind of broken
     • Most Applications: kind of broken
  70. ATTACK ALL THE LAYERS! ANY QUESTIONS?
  71. ATTACK ALL THE LAYERS!
     • Scott Sutherland, Principal Security Consultant, Twitter: @_nullbind
     • Karl Fosaaen, Security Consultant, Twitter: @kfosaaen