This presentation is intended to provide an overview of vulnerabilities and attack techniques that are popular in penetration testing at the moment. Vulnerabilities related to the application, network, and server layers will be covered along with current anti-virus bypass and privilege escalation techniques used by attackers and penetration testers. This presentation should be interesting to security professionals and system administrators looking for more insight into real world attacks. Karl Fosaaen and I put this together for Secure 360 in Minneapolis. We hope you enjoy it.
More security blogs by the authors can be found at https://www.netspi.com/blog/
1. ATTACK ALL THE LAYERS: SECURE 360
2. INTRODUCTIONS
Scott Sutherland
Security Consultant @ NetSPI
Twitter: @_nullbind
Karl Fosaaen
Security Consultant @ NetSPI
Twitter: @kfosaaen
We specialize in both things and stuff!
3. OVERVIEW
• Why do companies pen test?
• Attacking passwords
• Attacking protocols
• Attacking applications
• Bypassing AV
• Windows Escalation
• Conclusions
4. WHY DO COMPANIES PEN TEST?
• Compliance requirements
• Third party requests
• Identify unknown security gaps
• Validate existing security controls
• Prioritize existing security initiatives
• Prevent data breaches
5. PENETRATION TEST GOALS
• Identify and understand the impact of vulnerabilities at the application, system, and network layers
• Prioritize remediation
• Understand ability to detect and respond to attacks
6. PENETRATION TEST OBJECTIVES
• *Complete client specific objectives
• Gain access to critical systems, sensitive data, and application functionality
• Attack Surfaces
  Applications
  Networks
  Servers
• Attack Categories
  Configuration issues
  Code vulnerabilities
  Missing patches
19. ATTACKING PROTOCOLS: ARP
• General
  MAC to IP association
  Layer 2
• Conditions
  Independent of user action
  Broadcast network
• Attacks
  MITM Monitoring
  MITM Injection
  DoS
21. ATTACKING PROTOCOLS: ARP
Common ARP MITM attacks:
• Intercept Data
  SSN, Credit Cards, Healthcare data, etc.
  Whole file parsing with NetworkMiner
• Intercept Passwords
  Cain will parse passwords for over 30 protocols
• Inject Content
  SQL injection – Web and direct database connections
  HTML injection – redirection, browser exploits
  UNC path injection – Force authentication
  Proxy and modify HTTP traffic with Burp Suite
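A host-side check for the ARP MITM conditions on slides 19 and 21, added here as an example and not part of the original deck: it compares the default gateway's current MAC against a recorded known-good value and flags any MAC that the neighbor cache says belongs to several IPv4 addresses. The `$KnownGatewayMac` default is a constructed placeholder; record the real one while the network is in a trusted state.

```powershell
# Added detection example, not from the slides. Requires the NetTCPIP module (Windows 8 / 2012+).
# $KnownGatewayMac below is a constructed placeholder, not a real value.
param([string]$KnownGatewayMac = '00-11-22-33-44-55')

function Test-ArpCache {
    # The default route's next hop is the address an ARP poisoner most wants to own
    $gw = (Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 |
           Sort-Object RouteMetric | Select-Object -First 1).NextHop

    # Unicast IPv4 neighbors only: drop empty, broadcast and multicast (01-00-5E) entries
    $cache = Get-NetNeighbor -AddressFamily IPv4 -State Reachable, Stale, Permanent |
        Where-Object { $_.LinkLayerAddress -and $_.LinkLayerAddress -notmatch '^(00-00-00-00-00-00|FF-FF-FF-FF-FF-FF|01-00-5E)' }

    $findings = @()

    # 1. Gateway MAC drifted away from the recorded value: the classic gateway spoof
    $gwEntry = $cache | Where-Object IPAddress -eq $gw
    if ($gwEntry -and $gwEntry.LinkLayerAddress -ne $KnownGatewayMac) {
        $findings += "Gateway $gw now maps to $($gwEntry.LinkLayerAddress), expected $KnownGatewayMac"
    }

    # 2. One MAC answering for several IPs: a poisoner sitting between more than one host.
    #    Multi-homed routers and VRRP/HSRP can do this legitimately, so review rather than alert blindly.
    $cache | Group-Object LinkLayerAddress | Where-Object Count -gt 1 | ForEach-Object {
        $findings += "MAC $($_.Name) is claimed by: $($_.Group.IPAddress -join ', ')"
    }
    return $findings
}

Test-ArpCache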
25. ATTACKING PROTOCOLS: NBNS
• General
  IP to hostname association
  Layer 5 / 7
• Constraints
  Dependent on user action
  Broadcast Network
  Windows Only
• Attacks
  MITM Monitoring
  MITM Injection
  DoS
29. ATTACKING PROTOCOLS: NBNS
Common NBNS MITM attacks:
• Intercept Data
  SSN, Credit Cards, Healthcare data, etc.
  Whole file parsing with NetworkMiner
• Intercept Passwords
  Cain will parse passwords for over 30 protocols
• Inject Content
  SQL injection – Web and direct database connections
  HTML injection – redirection, browser exploits
  UNC path injection – Force authentication
  Proxy and modify traffic with Burp Suite
30. ATTACKING PROTOCOLS: NBNS
Common NBNS MITM tools:
• Windows Tools
  nbnspoof (python)
  Metasploit (nbns_response + other modules)
  Responder (python)
• Linux Tools
  nbnspoof (python)
  Metasploit (nbns_response + other modules)
  Responder (python)
31. ATTACKING PROTOCOLS: NBNS
Common mitigating controls:
• Create a WPAD (Web Proxy Auto-Discovery) server entry in DNS
• Disable NBNS (not highly recommended)
• Disable insecure authentication to help limit impact of exposed hashes
• Enable packet signing to help prevent SMB Relay attacks
33. ATTACKING PROTOCOLS: SMB
• General
  SMB is the comeback kid!
  Layer 7
• Constraints
  Dependent on user action
  Any routable network
  No connecting back to originating host
• Attacks
  Command execution
  Shells... aaand shells
35. ATTACKING PROTOCOLS: SMB
Historically SMB Relay has been used to:
• Execute arbitrary commands
• Obtain shells
Lately the community has been developing tools for doing things like:
• LDAP queries
• SQL queries
• Exchange services
• Mounting file systems
36. ATTACKING PROTOCOLS: SMB
Many tools support SMB Relay attacks:
• Windows Tools
  Metasploit (smb_relay and http_ntlmrelay)
  Intercepter-NG
  …this is kind of a pain in Windows
• Linux Tools
  Metasploit (smb_relay and http_ntlmrelay)
  ZackAttack
  Subterfuge
  Squirtle
37. ATTACKING PROTOCOLS: SMB
Common mitigating controls:
• Enable packet signing to help prevent SMB Relay attacks
• Apply really old patches, like if you missed out on the last decade…
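The script below is an added example, not from the slides, that applies the host-side parts of the NBNS mitigations on slide 31 and the SMB Relay mitigation on slide 37 to a Windows machine: it disables NetBIOS over TCP/IP on every interface, refuses LM/NTLMv1 so exposed hashes are harder to use, and requires SMB signing on both the server and client side. The WPAD DNS entry is not created here since it belongs on the DNS server. Save it as a .ps1 and run it elevated; `-WhatIf` only reports.

```powershell
# Added hardening example, not from the slides. Run elevated; -WhatIf reports without changing anything.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

# 1. NetBIOS over TCP/IP per interface. NetbiosOptions: 0 = follow DHCP, 1 = enabled, 2 = disabled.
$ifaces = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
foreach ($key in Get-ChildItem $ifaces | Where-Object PSChildName -like 'Tcpip_*') {
    $current = (Get-ItemProperty $key.PSPath).NetbiosOptions
    if ($current -ne 2 -and $PSCmdlet.ShouldProcess($key.PSChildName, "Disable NetBIOS over TCP/IP (was $current)")) {
        Set-ItemProperty -Path $key.PSPath -Name NetbiosOptions -Value 2 -Type DWord
    }
}

# 2. "Disable insecure authentication": LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLM.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ((Get-ItemProperty $lsa).LmCompatibilityLevel -ne 5 -and $PSCmdlet.ShouldProcess('LSA', 'Set LmCompatibilityLevel = 5')) {
    Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 5 -Type DWord
}

# 3. SMB signing. "Enable" only advertises support; "Require" is what stops relay, because a
#    relayed session cannot produce valid signatures without the session key it never had.
if (-not (Get-SmbServerConfiguration).RequireSecuritySignature -and $PSCmdlet.ShouldProcess('SMB server', 'Require signing')) {
    Set-SmbServerConfiguration -EnableSecuritySignature $true -RequireSecuritySignature $true -Force
}
if (-not (Get-SmbClientConfiguration).RequireSecuritySignature -and $PSCmdlet.ShouldProcess('SMB client', 'Require signing')) {
    Set-SmbClientConfiguration -EnableSecuritySignature $true -RequireSecuritySignature $true -Force
}

# 4. State summary for the change ticket
[pscustomobject]@{
    NetbiosInterfacesStillEnabled = @(Get-ChildItem $ifaces | Where-Object { (Get-ItemProperty $_.PSPath).NetbiosOptions -ne 2 }).Count
    LmCompatibilityLevel          = (Get-ItemProperty $lsa).LmCompatibilityLevel
    SmbServerRequiresSigning      = (Get-SmbServerConfiguration).RequireSecuritySignature
    SmbClientRequiresSigning      = (Get-SmbClientConfiguration).RequireSecuritySignature
}
```

The NetBT registry change takes effect after a reboot (or an adapter reset); the SMB settings apply immediately but break clients that cannot sign, so test on a pilot group first.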
39. ATTACKING PROTOCOLS: DTP
• General
  802.1Q encapsulation is in use
  Layer 2
• Constraints
  Independent of user action
  Trunking is set to enabled or auto on switch port
• Attacks
  Monitor network traffic for all VLANs, because all VLANs are allowed on a trunk by default
  *Full VLAN hopping
44. ATTACKING PROTOCOLS: DTP
• Intercept Data
  SSN, Credit Cards, Healthcare data, etc.
  Whole file parsing with NetworkMiner
• Intercept Passwords
  Cain will parse passwords for over 30 protocols
46. ATTACKING PROTOCOLS: DTP
Common mitigating controls:
• Use dedicated VLAN ID for all trunking ports
• Disable all unused ports and place them on a non-routable VLAN
• Configure all user ports as access ports to prevent trunk negotiation
• Configure frames with two 802.1Q headers
• Configure strong VACLs
48. ATTACKING PROTOCOLS: VTP
• General
  802.1Q encapsulation is in use
  Layer 2
• Constraints
  Independent of user action
  VLANs are IP or MAC based
• Attacks
  Ability to directly attack systems on other VLANs
51. ATTACKING PROTOCOLS: VTP
Common next steps after VTP tag forgery:
• MITM attacks against remote VLAN systems
• Intercept/Modify Data
  Usually limited to broadcast traffic (unless MITM)
52. ATTACKING PROTOCOLS: VTP
Tools for VLAN hopping attacks:
• Windows Tools
  Native: Manually reconfigure via TCP/IP settings
• Linux Tools
  Native: modprobe + ifconfig
  VoIP Hopper
  Yersinia
53. ATTACKING PROTOCOLS: VTP
Common mitigating controls:
• Use dedicated VLAN ID for all trunking ports
• Disable all unused ports and place them on a non-routable VLAN
• Configure all user ports as access ports to prevent trunk negotiation
• Configure frames with two 802.1Q headers
• Configure strong VACLs
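The Cisco IOS fragment below is an added example, not from the slides, showing what the mitigations listed on slides 46 and 53 look like on an access switch: fixed access ports with DTP off, unused ports shut down on a dead VLAN, a dedicated native VLAN and explicit allowed list on the uplink, native-VLAN tagging against double-tagged frames, VTP transparent mode, and a VACL that limits what the user VLAN may reach. Interface ranges, VLAN IDs and subnets are assumed placeholders.

```text
! Added example, not from the slides. Interface names, VLAN IDs and subnets are placeholders.
!
! Do not accept VLAN database updates from whatever speaks VTP on a trunk
vtp mode transparent
!
! Tag the native VLAN on trunks so a frame with two 802.1Q headers cannot
! shed its outer tag and land in another VLAN (the double-tagging hop)
vlan dot1q tag native
!
! User ports: access only, never negotiate a trunk, send no DTP frames
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
! Unused ports: shut down and parked on a dead, non-routed VLAN
interface range GigabitEthernet1/0/25 - 47
 switchport mode access
 switchport access vlan 999
 shutdown
!
! Uplink: explicit trunk with DTP off, a dedicated unused native VLAN,
! and only the VLANs that actually need to cross this link
! (platforms that still support ISL also need: switchport trunk encapsulation dot1q)
interface GigabitEthernet1/0/48
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 998
 switchport trunk allowed vlan 10,20,30
!
! VACL on the user VLAN: users may reach the server VLAN on HTTPS only and
! nothing else on other internal VLANs; all remaining traffic is forwarded
ip access-list extended USERS-TO-SERVERS
 permit tcp 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 443
ip access-list extended USERS-TO-OTHER-VLANS
 deny   ip 10.10.10.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 10.10.0.0 0.0.255.255
!
vlan access-map USER-FILTER 10
 match ip address USERS-TO-SERVERS
 action forward
vlan access-map USER-FILTER 20
 match ip address USERS-TO-OTHER-VLANS
 action drop
vlan access-map USER-FILTER 30
 action forward
vlan filter USER-FILTER vlan-list 10
```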
62. BYPASSING AV: PROCESS/THREAD MODS
Inject, inject, replace…
• Code injection (local and remote)
• DLL injection (local and remote)
• Process replacement
Common Tools:
• PowerShell: PowerSploit, etc.
• Python and py2exe
• Any language that supports calls to native DLLs
64. WINDOWS ESCALATION: OVERVIEW
• Local user → Local Administrator
• Domain user → Local Administrator
• Local Administrator → LocalSystem
• LocalSystem → Domain User
• Locate Domain Admin Tokens
• LocalSystem → Domain Admin
65. WINDOWS ESCALATION: LOCAL ADMIN
• Local user → Local Administrator
  Excessive local group privileges (admin or power users)
  Cleartext credentials
    • Sysprep (unattend.xml/ini/txt)
    • Config files, scripts, logs, desktop folders
    • Tech support call files
  Weak application configurations that allow:
    • Restarting or reconfiguring services
    • Replacing application files
    • DLL pre or side loading
    • Executable injection via poorly registered services
      C:\Program Files (x86) vs “C:\Program Files (x86)”
  Local and remote exploits (Metasploit: getsystem)
66. WINDOWS ESCALATION: LOCAL ADMIN
• Domain user → Local Administrator
  Issues from last slide and…
  Group policy: groups.xml
  File shares accessible to domain users
  Ability to log into domain workstations
  Excessive database privileges (xp_cmdshell, etc.)
  SMB Relay + cracking hashes
  Other systems and applications that use integrated domain authentication…
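An audit script, added here as an example and not part of the original deck, that looks for three of the local-admin conditions from slides 65 and 66 so they can be fixed first: services registered with unquoted paths that contain spaces, leftover Sysprep/unattend answer files that still carry a password, and Group Policy Preferences `groups.xml` files in SYSVOL with a `cpassword` attribute. The answer-file locations are the usual Sysprep paths and the SYSVOL path is derived from the host's own domain; both are assumptions to adjust.

```powershell
# Added audit example, not from the slides. Paths and the SYSVOL location are assumptions.

function Get-UnquotedServicePath {
    # An unquoted path with spaces makes Windows try C:\Program.exe, then
    # "C:\Program Files\Some.exe", ... before the real binary; anyone who can write
    # to an earlier directory gets code running as the service account.
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch '^"' -and $_.PathName -match '^\S*\s.*\.exe' } |
        Select-Object Name, StartName, PathName
}

function Find-LeftoverSetupCredential {
    # Sysprep/unattend answer files (slide 65) often still hold the local admin password
    $candidates = "$env:SystemDrive\unattend.xml", "$env:SystemDrive\sysprep.inf",
                  "$env:windir\Panther\Unattend.xml", "$env:windir\Panther\Unattend\Unattend.xml",
                  "$env:windir\System32\Sysprep\sysprep.xml", "$env:windir\System32\Sysprep\sysprep.inf"
    foreach ($f in $candidates) {
        if (Test-Path $f) {
            [pscustomobject]@{
                File             = $f
                ContainsPassword = [bool](Select-String -Path $f -Pattern '<Password>|AdministratorPassword|AdminPassword=' -Quiet)
            }
        }
    }
}

function Find-GppCpassword {
    # Group Policy Preferences groups.xml (slide 66) stores a reversibly encrypted "cpassword";
    # every domain user can read SYSVOL, so each hit is a credential exposed to the whole domain.
    if (-not $env:USERDNSDOMAIN) { return }
    $policies = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"
    if (-not (Test-Path $policies)) { return }
    Get-ChildItem -Path $policies -Recurse -Filter Groups.xml -ErrorAction SilentlyContinue |
        Select-String -Pattern 'cpassword="[^"]+"' |
        Select-Object Path, LineNumber
}

Get-UnquotedServicePath      | Format-Table -AutoSize
Find-LeftoverSetupCredential | Format-Table -AutoSize
Find-GppCpassword            | Format-Table -AutoSize
```

Fix an unquoted path with `sc.exe config <name> binPath= "\"C:\Program Files\...\svc.exe\""` (or the vendor's installer), delete answer files after imaging, and remove `cpassword` entries from SYSVOL after rotating the account they protected.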
67. WINDOWS ESCALATION: LOCAL ADMIN
• Local Administrator → LocalSystem
  At.exe (on older systems) – we still see it!
  Accessibility Options
    • Replace accessibility options like utilman.exe, osk.exe and sethc.exe with cmd.exe or other backdoor
  Create a custom service to run as LocalSystem
    • psexec -s -i cmd.exe
  Migrate to a system process
    • Remote process injection, MSF ps + migrate, and Incognito
  Local and remote exploits
    • Metasploit: getsystem, etc.
  SQL Server and Database links + xp_cmdshell
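A detection check for the accessibility-options backdoor on slide 67, added here as an example and not from the original deck: it reports whether utilman.exe, osk.exe or sethc.exe has been swapped for a copy of cmd.exe or powershell.exe, and also catches the variant that leaves the file alone and instead points it at a `Debugger` through the Image File Execution Options registry key. narrator.exe, magnify.exe and displayswitch.exe are added to the list as further logon-screen binaries; treat the list as an assumption to adjust.

```powershell
# Added detection example, not from the slides. The target list extends the three binaries on the slide.
$System32 = "$env:windir\System32"
$Targets  = 'utilman.exe', 'sethc.exe', 'osk.exe', 'narrator.exe', 'magnify.exe', 'displayswitch.exe'
$Ifeo     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Test-AccessibilityBinary {
    # Hashes of the shells usually dropped in; a match means the file itself was replaced
    $shellHashes = 'cmd.exe', 'powershell.exe' |
        ForEach-Object { (Get-FileHash (Join-Path $System32 $_) -Algorithm SHA256).Hash }

    foreach ($name in $Targets) {
        $path = Join-Path $System32 $name
        if (-not (Test-Path $path)) { continue }
        $hash = (Get-FileHash $path -Algorithm SHA256).Hash
        $sig  = Get-AuthenticodeSignature $path
        # IFEO "Debugger" makes Windows launch that program instead, without touching the file
        $dbg  = (Get-ItemProperty -Path (Join-Path $Ifeo $name) -Name Debugger -ErrorAction SilentlyContinue).Debugger

        [pscustomobject]@{
            Binary       = $name
            IsShellCopy  = $shellHashes -contains $hash
            SignatureOk  = $sig.Status -eq 'Valid'   # catalog-signed files can show NotSigned on old hosts; advisory only
            IfeoDebugger = $dbg
            Suspicious   = ($shellHashes -contains $hash) -or [bool]$dbg
        }
    }
}

Test-AccessibilityBinary | Format-Table -AutoSize
```

Any `Suspicious` row means the logon screen offers a SYSTEM shell to anyone with console or RDP access; restore the binary from a known-good source and remove the `Debugger` value, then look for how the attacker got local admin in the first place.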
68. WINDOWS ESCALATION: FIND DA TOKENS
• Locate Domain Admin tokens
  Check locally ;)
    • incognito
  Query the domain controllers
    • netsess.exe
  Scan remote systems for running tasks
    • native tasklist or smbexec
  Scan old Windows systems for NetBIOS
  Shell spraying for tokens (not advised)
69. WINDOWS ESCALATION: DOMAIN ADMIN
• LocalSystem → Domain Admin
  Pass-the-hash to target system
    • Local administrator account and shared service accounts
    • Manually via trusted connections or via MSF, etc.
  Impersonate authentication token
    • Custom application, Incognito, WCE, Metasploit
  Dump clear text domain credentials
    • Mimikatz, WCE, or Metasploit
  Key logging
  MITM + sniffing (HTTP integrated auth, etc.)
71. CONCLUSIONS
All can kind of be fixed
• Most Networks: kind of broken
• Most Protocols: kind of broken
• Most Applications: kind of broken