Attack all the layers secure 360

Scott Sutherland, Principal Security Consultant - CISSP, QSA at NetSPI
INTRODUCTIONS
Scott Sutherland
  - Security Consultant @ NetSPI
  - Twitter: @_nullbind
Karl Fosaaen
  - Security Consultant @ NetSPI
  - Twitter: @kfosaaen
We specialize in both things and stuff!
OVERVIEW
• Why do companies pen test?
• Attacking passwords
• Attacking protocols
• Attacking applications
• Bypassing AV
• Windows Escalation
• Conclusions
WHY DO COMPANIES PEN TEST?
• Compliance requirements
• Third party requests
• Identify unknown security gaps
• Validate existing security controls
• Prioritize existing security initiatives
• Prevent data breaches
PENETRATION TEST GOALS
• Identify and understand the impact of vulnerabilities at the application, system, and network layers
• Prioritize remediation
• Understand ability to detect and respond to attacks
PENETRATION TEST OBJECTIVES
• *Complete client specific objectives
• Gain access to critical systems, sensitive data, and application functionality
• Attack Surfaces
  - Applications
  - Networks
  - Servers
• Attack Categories
  - Configuration issues
  - Code vulnerabilities
  - Missing patches
OVERVIEW
• Attacking passwords
• Attacking protocols
• Attacking applications
• Bypassing AV
• Escalation
ATTACKING PASSWORDS
• Dictionary Attacks
• Dump Hashes and Crack
• Dump Hashes and PTH
• Impersonate
• Dump in Cleartext!
ATTACKING PASSWORDS
(Timeline slide, image only: 1997, 2000s, 2001, 2007, 2008, 2010, 2012)
ATTACKING PASSWORDS: DICTIONARY
• Dictionary Attacks
  - Enumerate users: Null SMB logins, RPC, *SID BF, SNMP, LDAP, SharePoint, etc
  - Attack!
• Are users getting smarter?
  - Sort of…
  - “Spring2013” meets password complexity requirements
ATTACKING PASSWORDS: CRACKING
• Dumping Hashes and Cracking
  - John
  - Rainbow Tables
  - oclHashcat plus
ATTACKING PASSWORDS: PASSING
• Dumping and Passing Hashes
  - Pass the hash kit
  - Metasploit
  - PTH everything
ATTACKING PASSWORDS: IMPERSONATE
• Impersonate
  - Incognito
  - WCE
ATTACKING PASSWORDS: CLEARTEXT
• Dump in Cleartext!
  - All the applications!
    - Egyp7’s script
  - WCE
  - Mimikatz
OVERVIEW
• Attacking passwords
• Attacking protocols
• Attacking applications
• Bypassing AV
• Windows Escalation
ATTACKING PROTOCOLS
• ARP: Address Resolution Protocol
• NBNS: NetBIOS Name Service
• SMB: Server Message Block
• DTP: Dynamic Trunking Protocol
• VTP: VLAN Trunking Protocol
• Honorable Mentions
ATTACKING PROTOCOLS: ARP
Address Resolution Protocol
ATTACKING PROTOCOLS: ARP
• General
  - MAC to IP association
  - Layer 2
• Conditions
  - Independent of user action
  - Broadcast network
• Attacks
  - MITM Monitoring
  - MITM Injection
  - DOS
ATTACKING PROTOCOLS: ARP
Common ARP MITM attacks:
• Intercept Data
  - SSN, Credit Cards, Healthcare data, etc
  - Whole file parsing with NetworkMiner
• Intercept Passwords
  - Cain will parse passwords for over 30 protocols
• Inject Content
  - SQL injection – Web and direct database connections
  - HTML injection – redirection, browser exploits
  - UNC path injection – Force authentication
  - Proxy and modify HTTP traffic with Burp Suite
ATTACKING PROTOCOLS: ARP
Common ARP MITM tools:
• Windows Tools
  - Cain
  - Ettercap-ng
  - Interceptor-ng
  - Nemesis
• Linux Tools
  - Ettercap
  - Dsniff
  - Subterfuge
  - Easycreds
  - Loki
  - Nemesis
ATTACKING PROTOCOLS: ARP
Common mitigating controls:
• Dynamic ARP Inspection
• Port Security
• Static Routes (not recommended)
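Dynamic ARP Inspection stops the MITM above by checking every ARP reply against known IP-to-MAC bindings. As an added example that is not from the slides, the same check as a host- or sensor-side detector in Python, run over a constructed ARP reply capture; all addresses and the trusted-binding table are made up.

```python
"""Detect ARP cache poisoning from ARP replies (arpwatch / DAI style).

Added example, not from the original slides. Dynamic ARP Inspection does this
on the switch against the DHCP snooping table; the same logic on a host or
sensor flags the two symptoms of an ARP MITM:
  1. an IP address (typically the gateway) whose MAC suddenly changes, and
  2. one MAC address answering for several IPs at once.
All addresses below are constructed sample data.
"""
from collections import defaultdict

# Constructed capture: (timestamp, sender IP, sender MAC) taken from ARP replies.
SAMPLE_ARP_REPLIES = [
    (1.0, "10.0.0.1",  "00:11:22:aa:bb:01"),   # gateway, legitimate
    (1.5, "10.0.0.25", "00:11:22:aa:bb:25"),   # workstation, legitimate
    (2.0, "10.0.0.1",  "00:11:22:aa:bb:01"),
    (7.0, "10.0.0.1",  "DE:AD:BE:EF:00:99"),   # gateway IP now claimed by a new MAC
    (7.1, "10.0.0.25", "de:ad:be:ef:00:99"),   # same MAC also claims the workstation
    (8.0, "10.0.0.1",  "de:ad:be:ef:00:99"),   # poisoning keeps being refreshed
]

# Trusted bindings, e.g. exported from DHCP snooping or an inventory (constructed).
TRUSTED_BINDINGS = {"10.0.0.1": "00:11:22:aa:bb:01"}


def detect_arp_spoofing(replies, trusted=None, max_ips_per_mac=1):
    """Return alerts as (timestamp, alert_type, ip, mac) tuples, in capture order.

    alert_type is one of:
      'trusted_mismatch' - IP contradicts the trusted binding table (raised on
                           every offending reply, since poisoning is refreshed)
      'binding_change'   - IP was previously seen with a different MAC
      'mac_claims_many'  - one MAC now answers for more than max_ips_per_mac IPs
                           (raise max_ips_per_mac for routers owning several IPs)
    """
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    ip_to_mac = {}                    # last MAC seen per IP
    mac_to_ips = defaultdict(set)     # every IP each MAC has claimed so far
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()             # normalise case before comparing
        if ip in trusted and trusted[ip] != mac:
            alerts.append((ts, "trusted_mismatch", ip, mac))
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append((ts, "binding_change", ip, mac))
        ip_to_mac[ip] = mac
        is_new_claim = ip not in mac_to_ips[mac]
        mac_to_ips[mac].add(ip)
        # Alert once, when the MAC crosses the threshold, not on every later reply.
        if is_new_claim and len(mac_to_ips[mac]) > max_ips_per_mac:
            alerts.append((ts, "mac_claims_many", ip, mac))
    return alerts


def suspect_macs(alerts):
    """MAC addresses involved in any alert: the list to block or investigate."""
    return sorted({mac for _, _, _, mac in alerts})


if __name__ == "__main__":
    found = detect_arp_spoofing(SAMPLE_ARP_REPLIES, TRUSTED_BINDINGS)
    for ts, kind, ip, mac in found:
        print(f"t={ts:<4} {kind:<16} {ip:<10} {mac}")
    print("suspect MACs:", suspect_macs(found))
```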
ATTACKING PROTOCOLS: NBNS
NetBIOS Name Service
ATTACKING PROTOCOLS: NBNS
• General
  - IP to hostname association
  - Layer 5 / 7
• Constraints
  - Dependent on user action
  - Broadcast Network
  - Windows Only
• Attacks
  - MITM Monitoring
  - MITM Injection
  - DOS
ATTACKING PROTOCOLS: NBNS
Common NBNS MITM attacks:
• Intercept Data
  - SSN, Credit Cards, Healthcare data, etc
  - Whole file parsing with NetworkMiner
• Intercept Passwords
  - Cain will parse passwords for over 30 protocols
• Inject Content
  - SQL injection – Web and direct database connections
  - HTML injection – redirection, browser exploits
  - UNC path injection – Force authentication
  - Proxy and modify traffic with Burp Suite
ATTACKING PROTOCOLS: NBNS
Common NBNS MITM tools:
• Windows Tools
  - nbnspoof (python)
  - Metasploit (nbns_response + other modules)
  - Responder (python)
• Linux Tools
  - nbnspoof (python)
  - Metasploit (nbns_response + other modules)
  - Responder (python)
ATTACKING PROTOCOLS: NBNS
Common mitigating controls:
• Create a WPAD (Web Proxy Auto-Discovery) server entry in DNS
• Disable NBNS (not highly recommended)
• Disable insecure authentication to help limit impact of exposed hashes
• Enable packet signing to help prevent SMB Relay attacks
ATTACKING PROTOCOLS: SMB
Server Message Block
ATTACKING PROTOCOLS: SMB
• General
  - SMB is the come back kid!
  - Layer 7
• Constraints
  - Dependent on user action
  - Any routable network
  - No connecting back to originating host
• Attacks
  - Command execution
  - Shells..aaand shells
ATTACKING PROTOCOLS: SMB
Historically SMB Relay has been used to:
• Execute arbitrary commands
• Obtain shells
Lately the community has been developing tools for doing things like:
• LDAP queries
• SQL queries
• Exchange services
• Mounting file systems
ATTACKING PROTOCOLS: SMB
Many tools support SMB Relay attacks:
• Windows Tools
  - Metasploit (smb_relay and http_ntlmrelay)
  - Interceptor-ng
  - …this is kind of a pain in Windows
• Linux Tools
  - Metasploit (smb_relay and http_ntlmrelay)
  - Zack attack
  - Subterfuge
  - Squirtle
ATTACKING PROTOCOLS: SMB
Common mitigating controls:
• Enable packet signing to help prevent SMB Relay attacks
• Apply really old patches like if you missed out on the last decade…
ATTACKING PROTOCOLS: DTP
Dynamic Trunking Protocol
ATTACKING PROTOCOLS: DTP
• General
  - 802.1Q encapsulation is in use
  - Layer 2
• Constraints
  - Independent of user action
  - Trunking is set to enabled or auto on switch port
• Attacks
  - Monitor network traffic for all VLANs, because all VLANs are allowed on a trunk by default
  - *Full VLAN hopping
ATTACKING PROTOCOLS: DTP
• Intercept Data
  - SSN, Credit Cards, Healthcare data, etc
  - Whole file parsing with NetworkMiner
• Intercept Passwords
  - Cain will parse passwords for over 30 protocols
ATTACKING PROTOCOLS: DTP
Common DTP spoofing tools:
• Windows Tools
  - I got nothing…
• Linux Tools
  - Yersinia
ATTACKING PROTOCOLS: DTP
Common mitigating controls:
• Use dedicated VLAN ID for all trunking ports
• Disable all unused ports and place them on a non-routable VLAN
• Configure all user ports as access ports to prevent trunk negotiation
• Configure frames with two 802.1Q headers
• Configure strong VACLs
ATTACKING PROTOCOLS: VTP
VLAN Trunking Protocol
ATTACKING PROTOCOLS: VTP
• General
  - 802.1Q encapsulation is in use
  - Layer 2
• Constraints
  - Independent of user action
  - VLANs are IP or MAC based
• Attacks
  - Ability to directly attack systems on other VLANs
ATTACKING PROTOCOLS: VTP
Common next steps after VTP tag forgery:
• MITM attacks against remote VLAN systems
• Intercept/Modify Data
  - Usually limited to broadcast traffic (unless MITM)
ATTACKING PROTOCOLS: VTP
Tools for VLAN hopping attacks:
• Windows Tools
  - Native: Manually reconfigure via TCP/IP settings
• Linux Tools
  - Native: Modprobe + ifconfig
  - VoIP Hopper
  - Yersinia
ATTACKING PROTOCOLS: VTP
Common mitigating controls:
• Use dedicated VLAN ID for all trunking ports
• Disable all unused ports and place them on a non-routable VLAN
• Configure all user ports as access ports to prevent trunk negotiation
• Configure frames with two 802.1Q headers
• Configure strong VACLs
ATTACKING PROTOCOLS: OTHERS
Honorable Mention:
• Pre-Execution Environment (PXE)
• Link-local Multicast Name Resolution (LLMNR)
• Dynamic Host Configuration Protocol (DHCP)
OVERVIEW
• Attacking passwords
• Attacking protocols
• Attacking applications
• Bypassing AV
• Windows Escalation
ATTACKING APPLICATIONS
• Default and weak passwords for everything
  - Tools: Nmap, Nessus, Web Scour, Manuals, Google
• SQL injection
  - Tools: Manually, web scanners, SQL Ninja, SQL Map, Metasploit
• RFI/Web Shells (JBOSS, Tomcat, etc.)
  - Tools: Metasploit, Fuzzdb, and other web shellery
• Web directory traversals
  - Tools: Manually, web scanners, Fuzzdb, Metasploit
• MS08-067
  - Tools: Metasploit, exploitdb exploits, etc
OVERVIEW
• Attacking passwords
• Attacking protocols
• Attacking applications
• Bypassing AV
• Escalation
BYPASSING AV
• Weak Configurations
• Source Code Tricks
• Binary Modifications
• Process/Thread Manipulation
BYPASSING AV: WEAK CONFIGURATIONS
• Execute from share, UNC path, or external media
• Disable via GUI
• Create policy exceptions
• Kill processes
• Stop / Disable Services
• Uninstall (not recommended)
• Insecure service registration (c:\program.exe)
• Insecure file permissions (file replacement/mods)
• Execute from a DLL
• DLL pre loading, side loading etc
• GAC poisoning (potentially)
BYPASSING AV: SOURCE CODE TRICKS
Customize everything…and be crazy
• Migrate to and suspend or kill AV
• Modify comments (web languages)
• Replace variable names
• Modify application logic
• Use alternative functions
• Remove or modify resources
• Encode or encrypt payloads
• Compress payloads
• Add time delays
• Call NTDLL.DLL directly
BYPASSING AV: BINARY MODIFICATIONS
Same idea…be crazy
• Simple string modification
• Decompile/modify source
• Disassemble / modify application logic
• Disassemble /insert time delays
• Modify resource table (ditto/cffexplorer)
• Modify imports table (ditto/cffexplorer)
• Pack (UPX, Mpress, iExpress etc)
• Metasploit Pro Payloads: dynamic exe generation
BYPASSING AV: PROCESS/THREAD MODS
Inject, inject, replace…
• Code injection (local and remote)
• DLL injection (local and remote)
• Process replacement
Common Tools:
• Powershell: Powersploit, etc
• Python and Py2exe
• Any language that supports calls to native DLLs
OVERVIEW
• Attacking passwords
• Attacking protocols
• Attacking applications
• AV evasion
• Windows Escalation
WINDOWS ESCALATION: OVERVIEW
• Local user → Local Administrator
• Domain user → Local Administrator
• Local Administrator → LocalSystem
• LocalSystem → Domain User
• Locate Domain Admin Tokens
• LocalSystem → Domain Admin
WINDOWS ESCALATION: LOCAL ADMIN
• Local user → Local Administrator
  - Excessive local group privileges (admin or power users)
  - Cleartext credentials
    - Sysprep (unattend.xml/ini/txt)
    - Config files, scripts, logs, desktop folders
    - Tech support call files
  - Weak application configurations that allow:
    - Restarting or reconfiguring services
    - Replacing application files
    - DLL pre or side loading
    - Executable injection via poorly registered services: C:\Program Files (x86) vs “C:\Program Files (x86)”
  - Local and remote exploits (Metasploit: getsystem)
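The C:\Program Files (x86) item above is the unquoted service path problem: with the path unquoted, Windows tries C:\Program.exe, C:\Program Files.exe and so on before reaching the real binary. As an added example that is not from the slides, a Python audit that lists those candidate paths for a given ImagePath and produces the quoted value that fixes it; the service names and paths are constructed, and read_image_paths() is a helper that reads the registry on Windows only.

```python
"""Audit Windows service ImagePath values for unquoted paths containing spaces.

Added example, not from the original slides. If a service binary path is
unquoted and contains spaces, the Service Control Manager hands it to
CreateProcess as a bare command line, and Windows resolves it by trying each
space-delimited prefix with ".exe" appended before it reaches the real binary
(C:\\Program.exe, C:\\Program Files.exe, ...). A directory writable by a low-
privileged user anywhere in that chain is an escalation path. The registry
read (read_image_paths) only works on Windows; the audit logic and the sample
below run anywhere, and the service names and paths are constructed.
"""
import os
import re

# Constructed sample of (service name -> ImagePath) as stored under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath.
SAMPLE_IMAGE_PATHS = {
    "GoodSvc":  r'"C:\Program Files (x86)\Vendor App\bin\svc.exe" -run',
    "BadSvc":   r'C:\Program Files (x86)\Vendor App\bin\svc.exe -run',
    "NoSpaces": r'C:\Windows\System32\svchost.exe -k netsvcs',
    "Driver":   r'\SystemRoot\System32\drivers\foo.sys',
}

_EXE_END = re.compile(r"\.exe(?=\s|$)", re.IGNORECASE)


def hijack_candidates(image_path):
    """Return the prefix paths Windows would try before the real executable.

    An empty list means this hijack does not apply: the path is quoted, has no
    spaces in its executable path, or is not a drive-letter Win32 path
    (\\SystemRoot\\..., \\??\\..., relative driver paths). If no ".exe" token is
    found the whole value is treated as the path, which can over-report for
    unusual extensions; review those by hand.
    """
    path = os.path.expandvars(image_path.strip())  # %SystemRoot% etc. on Windows
    if not path or path.startswith('"'):
        return []
    if not re.match(r"^[A-Za-z]:\\", path):
        return []
    m = _EXE_END.search(path)
    exe_path = path[:m.end()] if m else path
    # Every space in the executable path yields one candidate: prefix + ".exe".
    return [exe_path[:i] + ".exe" for i, ch in enumerate(exe_path) if ch == " "]


def quoted_image_path(image_path):
    """Return the remediated ImagePath: executable quoted, arguments preserved."""
    path = image_path.strip()
    m = _EXE_END.search(path)
    if path.startswith('"') or not m:
        return path
    return f'"{path[:m.end()]}"{path[m.end():]}'


def audit(image_paths):
    """Map each vulnerable service name to the paths an attacker could plant."""
    findings = {}
    for name, image_path in image_paths.items():
        candidates = hijack_candidates(image_path)
        if candidates:
            findings[name] = candidates
    return findings


def read_image_paths():
    """Collect ImagePath for every installed service from the registry (Windows only)."""
    import winreg
    result = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as services:
        for i in range(winreg.QueryInfoKey(services)[0]):
            name = winreg.EnumKey(services, i)
            try:
                with winreg.OpenKey(services, name) as svc:
                    result[name] = winreg.QueryValueEx(svc, "ImagePath")[0]
            except OSError:
                continue          # key without an ImagePath value (service groups etc.)
    return result


if __name__ == "__main__":
    for name, candidates in audit(SAMPLE_IMAGE_PATHS).items():
        print(f"{name}: unquoted path, Windows would first try {candidates}")
        print(f"  fix ImagePath to: {quoted_image_path(SAMPLE_IMAGE_PATHS[name])}")
```

On a live Windows host replace SAMPLE_IMAGE_PATHS with read_image_paths() and run audit() as an administrator; the findings are the services whose ImagePath should be quoted.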
WINDOWS ESCALATION: LOCAL ADMIN
• Domain user → Local Administrator
  - Issues from last slide and…
  - Group policy: groups.xml
  - File shares accessible to domain users
  - Ability to log into domain workstations
  - Excessive database privileges (xp_cmdshell etc)
  - SMB Relay + cracking hashes
  - Other systems and applications that use integrated domain authentication…
WINDOWS ESCALATION: LOCAL ADMIN
• Local Administrator → LocalSystem
  - At.exe (on older systems) – we still see it!
  - Accessibility Options
    - Replace accessibility options like utilman.exe, osk.exe and sethc.exe with cmd.exe or other backdoor
  - Create a custom service to run as LocalSystem
    - Psexec -s -i cmd.exe
  - Migrate to a system process
    - Remote process injection, MSF ps + migrate, and Incognito
  - Local and remote exploits
    - Metasploit: getsystem etc
  - SQL Server and Database links + xp_cmdshell
WINDOWS ESCALATION: FIND DA TOKENS
• Locate Domain Admin tokens
  - Check locally ;)
    - incognito
  - Query the domain controllers
    - netsess.exe
  - Scan remote systems for running tasks
    - native tasklist or smbexec
  - Scan old Windows systems for NetBIOS
  - Shell spraying for tokens (not advised)
WINDOWS ESCALATION: DOMAIN ADMIN
• LocalSystem → Domain Admin
  - Pass-the-hash to target system
    - Local administrator account and shared service accounts
    - Manually via trusted connections or via MSF etc
  - Impersonate authentication token
    - Custom application, Incognito, WCE, Metasploit
  - Dump clear text domain credentials
    - Mimikatz, WCE, or Metasploit
  - Key logging
  - MITM + sniffing (http integrated auth etc)
CONCLUSIONS
All can kind of be fixed
• Most Networks: Kind of broken
• Most Protocols: Kind of broken
• Most Applications: Kind of broken
ATTACK ALL THE LAYERS!
ANY QUESTIONS?
ATTACK ALL THE LAYERS!
Scott Sutherland
  - Principal Security Consultant
  - Twitter: @_nullbind
Karl Fosaaen
  - Security Consultant
  - Twitter: @kfosaaen