INTRODUCTIONS
Scott Sutherland
◦ Security Consultant @ NetSPI
◦ Twitter: @_nullbind
Karl Fosaaen
◦ Security Consultant @ NetSPI
◦ Twitter: @kfosaaen
We specialize in both things and stuff!
OVERVIEW
• Why do companies pen test?
• Attacking passwords
• Attacking protocols
• Attacking applications
• Bypassing AV
• Windows Escalation
• Conclusions
WHY DO COMPANIES PEN TEST?
• Compliance requirements
• Third party requests
• Identify unknown security gaps
• Validate existing security controls
• Prioritize existing security initiatives
• Prevent data breaches
PENETRATION TEST GOALS
• Identify and understand the impact of vulnerabilities at the application, system, and network layers
• Prioritize remediation
• Understand the ability to detect and respond to attacks
PENETRATION TEST OBJECTIVES
• *Complete client-specific objectives
• Gain access to critical systems, sensitive data, and application functionality
• Attack Surfaces
◦ Applications
◦ Networks
◦ Servers
• Attack Categories
◦ Configuration issues
◦ Code vulnerabilities
◦ Missing patches
OVERVIEW
• Attacking passwords
• Attacking protocols
• Attacking applications
• Bypassing AV
• Escalation
ATTACKING PASSWORDS
• Dictionary Attacks
• Dump Hashes and Crack
• Dump Hashes and PTH
• Impersonate
• Dump in Cleartext!
ATTACKING PASSWORDS
[Timeline slide: password attack tooling milestones at 1997, 2000s, 2001, 2007, 2008, 2010, 2012]
ATTACKING PASSWORDS: DICTIONARY
• Dictionary Attacks
◦ Enumerate users
- Null SMB logins, RPC, *SID BF, SNMP, LDAP, SharePoint, etc.
◦ Attack!
• Are users getting smarter?
◦ Sort of…
- "Spring2013" meets password complexity requirements
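The "Spring2013" point is that a complexity policy checks character classes, not guessability. The following is an added example (not part of the original deck) of the two checks a password filter needs: a complexity test that approximates the Windows "must meet complexity requirements" rule, and a deny-pattern for the season/month + year shape that passes it. The pattern list is constructed for illustration and is not a complete wordlist.

```python
import re

# Constructed deny-pattern for this example: a season or month name followed by a
# four-digit year and optional trailing punctuation ("Spring2013", "March2013!").
# It illustrates the class of password, it is not an exhaustive wordlist.
_PREDICTABLE = re.compile(
    r"^(spring|summer|fall|autumn|winter|"
    r"january|february|march|april|may|june|july|august|"
    r"september|october|november|december)"
    r"(19|20)\d{2}[!@#$%^&*.]*$",
    re.IGNORECASE,
)


def meets_complexity(pw: str, min_len: int = 8) -> bool:
    """Approximates the Windows 'password must meet complexity requirements'
    rule: at least min_len characters and three of the four character classes
    (upper, lower, digit, non-alphanumeric)."""
    if len(pw) < min_len:
        return False
    classes = (
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    )
    return sum(classes) >= 3


def is_predictable(pw: str) -> bool:
    """True for the season/month + year shape that satisfies complexity but is
    among the first guesses in any dictionary attack."""
    return _PREDICTABLE.match(pw) is not None


def audit_password(pw: str) -> str:
    """Verdict a password filter would return: complexity first, then the
    pattern deny-list that complexity alone never catches."""
    if not meets_complexity(pw):
        return "rejected: fails complexity"
    if is_predictable(pw):
        return "rejected: predictable season/month + year pattern"
    return "accepted"


if __name__ == "__main__":
    for candidate in ("Spring2013", "Winter2024!", "password1", "tr0ub4dor-Horse-Staple"):
        print(f"{candidate:24} {audit_password(candidate)}")
```

"Spring2013" clears the complexity test (upper, lower and digits, ten characters) and is only stopped by the pattern check, which is the gap the slide is pointing at.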
ATTACKING PASSWORDS: CRACKING
• Dumping Hashes and Cracking
◦ John
◦ Rainbow Tables
◦ oclHashcat-plus
ATTACKING PASSWORDS: PASSING
• Dumping and Passing Hashes
◦ Pass the hash kit
◦ Metasploit
◦ PTH everything
ATTACKING PASSWORDS: IMPERSONATE
• Impersonate
◦ Incognito
◦ WCE
ATTACKING PASSWORDS: CLEARTEXT
• Dump in Cleartext!
◦ All the applications!
- Egyp7's script
◦ WCE
◦ Mimikatz
OVERVIEW
• Attacking passwords
• Attacking protocols
• Attacking applications
• Bypassing AV
• Windows Escalation
ATTACKING PROTOCOLS
• ARP: Address Resolution Protocol
• NBNS: NetBIOS Name Service
• SMB: Server Message Block
• DTP: Dynamic Trunking Protocol
• VTP: VLAN Trunking Protocol
• Honorable Mentions
ATTACKING PROTOCOLS: ARP
Address Resolution Protocol
ATTACKING PROTOCOLS: ARP
• General
◦ MAC to IP association
◦ Layer 2
• Conditions
◦ Independent of user action
◦ Broadcast network
• Attacks
◦ MITM Monitoring
◦ MITM Injection
◦ DOS
ATTACKING PROTOCOLS: ARP
Common ARP MITM attacks:
• Intercept Data
◦ SSN, Credit Cards, Healthcare data, etc.
◦ Whole file parsing with NetworkMiner
• Intercept Passwords
◦ Cain will parse passwords for over 30 protocols
• Inject Content
◦ SQL injection – Web and direct database connections
◦ HTML injection – redirection, browser exploits
◦ UNC path injection – Force authentication
◦ Proxy and modify HTTP traffic with Burp Suite
ATTACKING PROTOCOLS: ARP
Common ARP MITM tools:
• Windows Tools
◦ Cain
◦ Ettercap-ng
◦ Intercepter-NG
◦ Nemesis
• Linux Tools
◦ Ettercap
◦ Dsniff
◦ Subterfuge
◦ easy-creds
◦ Loki
◦ Nemesis
ATTACKING PROTOCOLS: ARP
Common mitigating controls:
• Dynamic ARP Inspection
• Port Security
• Static Routes (not recommended)
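Dynamic ARP Inspection works by refusing ARP replies that disagree with a trusted IP-to-MAC binding table. The following is an added example (not part of the original deck) of the same logic run in software over a capture, so a defender without DAI-capable switches can still detect the poisoning described above. The binding table and the reply records are constructed for the example; in practice the table would be seeded from DHCP leases or a static inventory.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ArpReply:
    ts: float        # seconds since capture start
    sender_ip: str   # IP address the reply claims to own
    sender_mac: str  # MAC it wants every host on the segment to cache for that IP


# Constructed trusted binding table. Dynamic ARP Inspection builds this from
# DHCP snooping; a host-based monitor can seed it from DHCP leases or a static list.
TRUSTED_BINDINGS = {
    "10.0.0.1": "aa:bb:cc:00:00:01",   # default gateway
    "10.0.0.20": "aa:bb:cc:00:00:20",  # a workstation
}

# Constructed capture: two legitimate replies, then a second MAC claiming both
# the gateway and the workstation (the two halves of a full-duplex MITM), then a
# host that is simply not in the table.
SAMPLE_REPLIES = [
    ArpReply(0.0, "10.0.0.1", "aa:bb:cc:00:00:01"),
    ArpReply(1.0, "10.0.0.20", "aa:bb:cc:00:00:20"),
    ArpReply(30.0, "10.0.0.1", "de:ad:be:ef:00:99"),
    ArpReply(30.1, "10.0.0.20", "de:ad:be:ef:00:99"),
    ArpReply(31.0, "10.0.0.55", "aa:bb:cc:00:00:55"),
]

Alert = Tuple[str, str, str]  # (kind, ip or comma-joined ip list, mac)


def detect_arp_poisoning(replies: List[ArpReply],
                         trusted: Dict[str, str]) -> List[Alert]:
    """Two checks Dynamic ARP Inspection performs in the switch, done here in
    software over a capture:
    1. a reply whose sender MAC disagrees with the trusted binding for that IP;
    2. one MAC answering for several IPs, which a MITM host must do to sit
       between the gateway and its victim."""
    alerts: List[Alert] = []
    ips_per_mac: Dict[str, Set[str]] = defaultdict(set)
    for r in replies:
        mac = r.sender_mac.lower()
        expected = trusted.get(r.sender_ip)
        if expected is not None and expected.lower() != mac:
            alerts.append(("binding-mismatch", r.sender_ip, mac))
        ips_per_mac[mac].add(r.sender_ip)
    for mac, ips in ips_per_mac.items():
        if len(ips) > 1:
            alerts.append(("multi-ip-mac", ",".join(sorted(ips)), mac))
    return alerts


def run_sample() -> List[Alert]:
    """Runs the detector over the constructed capture."""
    return detect_arp_poisoning(SAMPLE_REPLIES, TRUSTED_BINDINGS)


if __name__ == "__main__":
    for kind, target, mac in run_sample():
        print(f"ALERT {kind:17} {target:20} {mac}")
```

The host at 10.0.0.55 is not in the table and produces no alert: an unknown binding is an inventory gap, not evidence of spoofing, and alerting on it would drown the real signal. The multi-IP check is the one that fires even when the binding table is incomplete.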
ATTACKING PROTOCOLS: NBNS
NetBIOS Name Service
ATTACKING PROTOCOLS: NBNS
• General
◦ IP to hostname association
◦ Layer 5 / 7
• Constraints
◦ Dependent on user action
◦ Broadcast Network
◦ Windows Only
• Attacks
◦ MITM Monitoring
◦ MITM Injection
◦ DOS
ATTACKING PROTOCOLS: NBNS
Common NBNS MITM attacks:
• Intercept Data
◦ SSN, Credit Cards, Healthcare data, etc.
◦ Whole file parsing with NetworkMiner
• Intercept Passwords
◦ Cain will parse passwords for over 30 protocols
• Inject Content
◦ SQL injection – Web and direct database connections
◦ HTML injection – redirection, browser exploits
◦ UNC path injection – Force authentication
◦ Proxy and modify traffic with Burp Suite
ATTACKING PROTOCOLS: NBNS
Common NBNS MITM tools:
• Windows Tools
◦ nbnspoof (python)
◦ Metasploit (nbns_response + other modules)
◦ Responder (python)
• Linux Tools
◦ nbnspoof (python)
◦ Metasploit (nbns_response + other modules)
◦ Responder (python)
ATTACKING PROTOCOLS: NBNS
Common mitigating controls:
• Create a WPAD (Web Proxy Auto-Discovery) server entry in DNS
• Disable NBNS (not highly recommended)
• Disable insecure authentication to help limit the impact of exposed hashes
• Enable packet signing to help prevent SMB Relay attacks
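NBNS (and LLMNR) poisoning only works because a client gave up on DNS and asked the broadcast domain; the WPAD DNS entry mitigation works by making sure the most valuable name never reaches that fallback. The following is an added example (not part of the original deck) of two defender-side views over a constructed capture of name-resolution events: which names are falling back to broadcast at all (the list of DNS entries to add or client misconfigurations to fix), and which host is answering for names it does not own. The events, the 10.0.0.x addresses and the approved-owner table are constructed for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class NameEvent:
    ts: float                 # seconds since capture start
    proto: str                # "NBNS" or "LLMNR"
    requester: str            # host that broadcast the query
    name: str                 # name it tried to resolve after DNS failed
    responder: Optional[str]  # IP that answered, or None if nobody did


# Constructed sample capture. FILESRV01 is a typo nobody owns; WPAD has no DNS
# record so clients fall back to broadcast; 10.0.0.99 is a host answering for
# every name it hears, which is what a poisoning tool does.
SAMPLE_EVENTS = [
    NameEvent(0.0, "NBNS", "10.0.0.31", "FILESRV01", None),
    NameEvent(5.0, "LLMNR", "10.0.0.31", "WPAD", None),
    NameEvent(60.0, "NBNS", "10.0.0.31", "FILESRV01", "10.0.0.99"),
    NameEvent(60.2, "LLMNR", "10.0.0.42", "WPAD", "10.0.0.99"),
    NameEvent(61.0, "NBNS", "10.0.0.42", "PRINTSRV", "10.0.0.99"),
    NameEvent(62.0, "NBNS", "10.0.0.31", "PRINTSRV", "10.0.0.12"),
]

# Constructed table of names that have an approved owner (the real WPAD host).
APPROVED_OWNERS = {"WPAD": "10.0.0.5"}

Alert = Tuple[str, str, str]  # (kind, name or comma-joined names, responder)


def analyse_name_resolution(events: List[NameEvent],
                            approved: Dict[str, str],
                            max_names_per_responder: int = 2) -> List[Alert]:
    """Flags two poisoning signatures: an answer for a name whose approved
    owner is a different host, and one host answering for more distinct
    names than any legitimate machine would."""
    alerts: List[Alert] = []
    names_by_responder: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if e.responder is None:
            continue
        name = e.name.upper()
        names_by_responder[e.responder].add(name)
        owner = approved.get(name)
        if owner is not None and owner != e.responder:
            alerts.append(("unexpected-responder", name, e.responder))
    for responder, names in names_by_responder.items():
        if len(names) > max_names_per_responder:
            alerts.append(("answers-everything", ",".join(sorted(names)), responder))
    return alerts


def names_falling_back(events: List[NameEvent]) -> Counter:
    """Counts how often each name reached NBNS/LLMNR at all. Every entry is a
    name DNS could not answer: either register it (the WPAD DNS entry
    mitigation) or fix the client that keeps asking for it."""
    return Counter(e.name.upper() for e in events)


if __name__ == "__main__":
    for kind, names, responder in analyse_name_resolution(SAMPLE_EVENTS, APPROVED_OWNERS):
        print(f"ALERT {kind:20} {names:28} from {responder}")
    for name, count in names_falling_back(SAMPLE_EVENTS).most_common():
        print(f"broadcast fallback {name:12} x{count}")
```

The fallback counter is the more useful report for remediation: the names in it are exactly what a poisoner gets to answer, and each one is removed from the attack surface by a DNS record or by fixing the typo that generates it.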
ATTACKING PROTOCOLS: SMB
Server Message Block
ATTACKING PROTOCOLS: SMB
• General
◦ SMB is the comeback kid!
◦ Layer 7
• Constraints
◦ Dependent on user action
◦ Any routable network
◦ No connecting back to the originating host
• Attacks
◦ Command execution
◦ Shells... aaand shells
ATTACKING PROTOCOLS: SMB
Historically SMB Relay has been used to:
• Execute arbitrary commands
• Obtain shells
Lately the community has been developing tools for doing things like:
• LDAP queries
• SQL queries
• Exchange services
• Mounting file systems
ATTACKING PROTOCOLS: SMB
Many tools support SMB Relay attacks:
• Windows Tools
◦ Metasploit (smb_relay and http_ntlmrelay)
◦ Intercepter-NG
◦ …this is kind of a pain in Windows
• Linux Tools
◦ Metasploit (smb_relay and http_ntlmrelay)
◦ ZackAttack
◦ Subterfuge
◦ Squirtle
ATTACKING PROTOCOLS: SMB
Common mitigating controls:
• Enable packet signing to help prevent SMB Relay attacks
• Apply really old patches, as if you missed out on the last decade…
ATTACKING PROTOCOLS: DTP
Dynamic Trunking Protocol
ATTACKING PROTOCOLS: DTP
• General
◦ 802.1Q encapsulation is in use
◦ Layer 2
• Constraints
◦ Independent of user action
◦ Trunking is set to enabled or auto on the switch port
• Attacks
◦ Monitor network traffic for all VLANs, because all VLANs are allowed on a trunk by default
◦ *Full VLAN hopping
ATTACKING PROTOCOLS: DTP
• Intercept Data
◦ SSN, Credit Cards, Healthcare data, etc.
◦ Whole file parsing with NetworkMiner
• Intercept Passwords
◦ Cain will parse passwords for over 30 protocols
ATTACKING PROTOCOLS: DTP
Common DTP spoofing tools:
• Windows Tools
◦ I got nothing…
• Linux Tools
◦ Yersinia
ATTACKING PROTOCOLS: DTP
Common mitigating controls:
• Use a dedicated VLAN ID for all trunking ports
• Disable all unused ports and place them on a non-routable VLAN
• Configure all user ports as access ports to prevent trunk negotiation
• Configure frames with two 802.1Q headers
• Configure strong VACLs
ATTACKING PROTOCOLS: VTP
VLAN Trunking Protocol
ATTACKING PROTOCOLS: VTP
• General
◦ 802.1Q encapsulation is in use
◦ Layer 2
• Constraints
◦ Independent of user action
◦ VLANs are IP or MAC based
• Attacks
◦ Ability to directly attack systems on other VLANs
ATTACKING PROTOCOLS: VTP
Common next steps after VTP tag forgery:
• MITM attacks against remote VLAN systems
• Intercept/Modify Data
◦ Usually limited to broadcast traffic (unless MITM)
ATTACKING PROTOCOLS: VTP
Tools for VLAN hopping attacks:
• Windows Tools
◦ Native: Manually reconfigure via TCP/IP settings
• Linux Tools
◦ Native: modprobe + ifconfig
◦ VoIP Hopper
◦ Yersinia
ATTACKING PROTOCOLS: VTP
Common mitigating controls:
• Use a dedicated VLAN ID for all trunking ports
• Disable all unused ports and place them on a non-routable VLAN
• Configure all user ports as access ports to prevent trunk negotiation
• Configure frames with two 802.1Q headers
• Configure strong VACLs
ATTACKING PROTOCOLS: OTHERS
Honorable Mention:
• Preboot Execution Environment (PXE)
• Link-Local Multicast Name Resolution (LLMNR)
• Dynamic Host Configuration Protocol (DHCP)
OVERVIEW
• Attacking passwords
• Attacking protocols
• Attacking applications
• Bypassing AV
• Windows Escalation
ATTACKING APPLICATIONS
• Default and weak passwords for everything
◦ Tools: Nmap, Nessus, Web Scour, Manuals, Google
• SQL injection
◦ Tools: Manually, web scanners, sqlninja, sqlmap, Metasploit
• RFI/Web Shells (JBoss, Tomcat, etc.)
◦ Tools: Metasploit, FuzzDB, and other web shellery
• Web directory traversals
◦ Tools: Manually, web scanners, FuzzDB, Metasploit
• MS08-067
◦ Tools: Metasploit, Exploit-DB exploits, etc.
OVERVIEW
• Attacking passwords
• Attacking protocols
• Attacking applications
• Bypassing AV
• Escalation
BYPASSING AV
• Weak Configurations
• Source Code Tricks
• Binary Modifications
• Process/Thread Manipulation
BYPASSING AV: WEAK CONFIGURATIONS
• Execute from share, UNC path, or external media
• Disable via GUI
• Create policy exceptions
• Kill processes
• Stop / Disable Services
• Uninstall (not recommended)
• Insecure service registration (C:\program.exe)
• Insecure file permissions (file replacement/mods)
• Execute from a DLL
• DLL preloading, side loading, etc.
• GAC poisoning (potentially)
BYPASSING AV: SOURCE CODE TRICKS
Customize everything…and be crazy
• Migrate to and suspend or kill AV
• Modify comments (web languages)
• Replace variable names
• Modify application logic
• Use alternative functions
• Remove or modify resources
• Encode or encrypt payloads
• Compress payloads
• Add time delays
• Call NTDLL.DLL directly
BYPASSING AV: BINARY MODIFICATIONS
Same idea…be crazy
• Simple string modification
• Decompile / modify source
• Disassemble / modify application logic
• Disassemble / insert time delays
• Modify resource table (ditto / CFF Explorer)
• Modify imports table (ditto / CFF Explorer)
• Pack (UPX, MPRESS, IExpress, etc.)
• Metasploit Pro Payloads: dynamic exe generation
BYPASSING AV: PROCESS/THREAD MODS
Inject, inject, replace…
• Code injection (local and remote)
• DLL injection (local and remote)
• Process replacement
Common Tools:
• PowerShell: PowerSploit, etc.
• Python and py2exe
• Any language that supports calls to native DLLs
OVERVIEW
• Attacking passwords
• Attacking protocols
• Attacking applications
• AV evasion
• Windows Escalation
WINDOWS ESCALATION: OVERVIEW
• Local user → Local Administrator
• Domain user → Local Administrator
• Local Administrator → LocalSystem
• LocalSystem → Domain User
• Locate Domain Admin Tokens
• LocalSystem → Domain Admin
WINDOWS ESCALATION: LOCAL ADMIN
• Local user → Local Administrator
◦ Excessive local group privileges (admin or power users)
◦ Cleartext credentials
- Sysprep (unattend.xml/ini/txt)
- Config files, scripts, logs, desktop folders
- Tech support call files
◦ Weak application configurations that allow:
- Restarting or reconfiguring services
- Replacing application files
- DLL pre or side loading
- Executable injection via poorly registered services: C:\Program Files (x86) vs "C:\Program Files (x86)"
◦ Local and remote exploits (Metasploit: getsystem)
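The "C:\Program Files (x86) vs "C:\Program Files (x86)"" line is the unquoted service path problem: when an ImagePath containing spaces is registered without quotes, the service control manager has to guess where the executable name ends and tries the shorter interpretations first. The following is an added example (not part of the original deck) of the audit a defender runs over service registrations to find those ambiguous paths and the directories whose write ACLs therefore need checking. The service names and paths are constructed for the example; on a real host the values come from HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath.

```python
import re
from typing import Dict, List

# Constructed registry-style sample: service name -> ImagePath value, as read
# from HKLM\SYSTEM\CurrentControlSet\Services\<name>. Names and paths are invented.
SAMPLE_SERVICES = {
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
    "EventLog": r"%SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted",
    "VendorAgent": r"C:\Program Files (x86)\Vendor Tools\agent.exe -service",
    "VendorAgentFixed": r'"C:\Program Files (x86)\Vendor Tools\agent.exe" -service',
    "Backup": r"C:\backup tools\bin\backup.exe",
}

# Everything up to and including the first ".exe" is the binary; the rest is arguments.
_EXE_PART = re.compile(r"^(.*?\.exe)", re.IGNORECASE)


def binary_path(image_path: str) -> str:
    """Executable portion of an ImagePath with arguments removed. Returns an
    empty string for a quoted path: the quotes delimit the binary, so there is
    nothing ambiguous to check."""
    p = image_path.strip()
    if p.startswith('"'):
        return ""
    m = _EXE_PART.match(p)
    return m.group(1) if m else p


def ambiguous_candidates(image_path: str) -> List[str]:
    """For an unquoted path with spaces, the shorter file names the service
    control manager will try, in order, before the intended executable. Each
    one lives in a directory whose write ACL must exclude non-administrators.
    An empty list means the registration is unambiguous."""
    path = binary_path(image_path)
    if " " not in path:
        return []
    return [path[:i] + ".exe" for i, ch in enumerate(path) if ch == " "]


def audit_services(services: Dict[str, str]) -> Dict[str, List[str]]:
    """Map of every ambiguously registered service to its candidate paths."""
    findings: Dict[str, List[str]] = {}
    for name, image_path in services.items():
        candidates = ambiguous_candidates(image_path)
        if candidates:
            findings[name] = candidates
    return findings


if __name__ == "__main__":
    for name, candidates in audit_services(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted ImagePath, verify write ACLs for")
        for c in candidates:
            print(f"    {c}")
```

The fix is the quoted form shown by VendorAgentFixed, which the audit correctly leaves alone; the candidate list is what to hand to whoever owns the directory permissions while the vendor's installer is being corrected.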
WINDOWS ESCALATION: LOCAL ADMIN
• Domain user → Local Administrator
◦ Issues from the last slide and…
◦ Group policy: groups.xml
◦ File shares accessible to domain users
◦ Ability to log into domain workstations
◦ Excessive database privileges (xp_cmdshell etc.)
◦ SMB Relay + cracking hashes
◦ Other systems and applications that use integrated domain authentication…
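The groups.xml item refers to Group Policy Preferences files in SYSVOL, which every domain user can read and which carry a cpassword attribute when a preference sets an account password. The following is an added example (not part of the original deck) of the scan a defender runs over those files to find stored credentials so the preference item can be removed and the password rotated. The sample XML is constructed and its cpassword value is a placeholder; the account attribute names for the non-Groups preference types are an assumption noted in the code.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample Groups.xml of the kind Group Policy Preferences writes under
# SYSVOL\<domain>\Policies\<GUID>\Machine\Preferences\Groups\. The cpassword
# value is a placeholder, not a real encrypted blob.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="localadmin" changed="2013-04-01 12:00:00">
    <Properties action="U" userName="localadmin" cpassword="PLACEHOLDER_BLOB"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"/>
  </User>
  <User name="helpdesk" changed="2013-04-02 09:30:00">
    <Properties action="U" userName="helpdesk" cpassword=""/>
  </User>
  <Group name="Administrators (built-in)">
    <Properties action="U" groupName="Administrators (built-in)"/>
  </Group>
</Groups>
"""

# Attributes that name the account on the element carrying cpassword.
# Groups.xml uses userName; accountName and runAs are assumed names for the
# other preference types (Services, ScheduledTasks, DataSources, Drives).
ACCOUNT_ATTRS = ("userName", "accountName", "runAs")


def find_cpasswords(xml_text: str, source: str = "Groups.xml") -> List[Dict[str, str]]:
    """Lists every element with a non-empty cpassword attribute. Each hit is a
    credential stored in a file every domain user can read: remove the
    preference item and rotate that password. An empty cpassword means no
    password was stored and is not reported."""
    findings: List[Dict[str, str]] = []
    # Parse as bytes so the encoding declaration in the prolog is honoured.
    root = ET.fromstring(xml_text.encode("utf-8"))
    for elem in root.iter():
        blob = elem.get("cpassword")
        if not blob:
            continue
        account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "<unknown>")
        findings.append({"file": source, "element": elem.tag, "account": account})
    return findings


if __name__ == "__main__":
    for hit in find_cpasswords(SAMPLE_GROUPS_XML):
        print(f"{hit['file']}: <{hit['element']}> stores a password for {hit['account']}")
```

The scan deliberately reports only the presence of a stored credential, which is all the remediation decision needs; walking every Preferences subfolder under each policy GUID with the same function covers the other file types.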
WINDOWS ESCALATION: LOCAL ADMIN
• Local Administrator → LocalSystem
◦ At.exe (on older systems) – we still see it!
◦ Accessibility Options
- Replace accessibility options like utilman.exe, osk.exe and sethc.exe with cmd.exe or other backdoor
◦ Create a custom service to run as LocalSystem
- Psexec -s -i cmd.exe
◦ Migrate to a system process
- Remote process injection, MSF ps + migrate, and Incognito
◦ Local and remote exploits
- Metasploit: getsystem etc.
◦ SQL Server and Database links + xp_cmdshell
WINDOWS ESCALATION: FIND DA TOKENS
• Locate Domain Admin tokens
◦ Check locally ;)
- incognito
◦ Query the domain controllers
- netsess.exe
◦ Scan remote systems for running tasks
- native tasklist or smbexec
◦ Scan old Windows systems for NetBIOS
◦ Shell spraying for tokens (not advised)
WINDOWS ESCALATION: DOMAIN ADMIN
• LocalSystem → Domain Admin
◦ Pass-the-hash to target system
- Local administrator account and shared service accounts
- Manually via trusted connections or via MSF etc.
◦ Impersonate authentication token
- Custom application, Incognito, WCE, Metasploit
◦ Dump clear text domain credentials
- Mimikatz, WCE, or Metasploit
◦ Key logging
◦ MITM + sniffing (HTTP integrated auth etc.)
CONCLUSIONS
All can kind of be fixed
Most Networks: kind of broken
Most Protocols: kind of broken
Most Applications: kind of broken
ATTACK ALL THE LAYERS!
ANY QUESTIONS?
ATTACK ALL THE LAYERS!
Scott Sutherland
Principal Security Consultant
Twitter: @_nullbind
Karl Fosaaen
Security Consultant
Twitter: @kfosaaen
 
How to Build and Validate Ransomware Attack Detections (Secure360)
How to Build and Validate Ransomware Attack Detections (Secure360)How to Build and Validate Ransomware Attack Detections (Secure360)
How to Build and Validate Ransomware Attack Detections (Secure360)
 
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory EnvironmentsTROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
 
2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQL2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQL
 
PowerUpSQL - 2018 Blackhat USA Arsenal Presentation
PowerUpSQL - 2018 Blackhat USA Arsenal PresentationPowerUpSQL - 2018 Blackhat USA Arsenal Presentation
PowerUpSQL - 2018 Blackhat USA Arsenal Presentation
 
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL ServerSecure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
 
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
 
Beyond xp_cmdshell: Owning the Empire through SQL Server
Beyond xp_cmdshell: Owning the Empire through SQL ServerBeyond xp_cmdshell: Owning the Empire through SQL Server
Beyond xp_cmdshell: Owning the Empire through SQL Server
 
2017 Secure360 - Hacking SQL Server on Scale with PowerShell
2017 Secure360 - Hacking SQL Server on Scale with PowerShell2017 Secure360 - Hacking SQL Server on Scale with PowerShell
2017 Secure360 - Hacking SQL Server on Scale with PowerShell
 
2017 Thotcon - Hacking SQL Servers on Scale with PowerShell
2017 Thotcon - Hacking SQL Servers on Scale with PowerShell2017 Thotcon - Hacking SQL Servers on Scale with PowerShell
2017 Thotcon - Hacking SQL Servers on Scale with PowerShell
 
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
 
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
 

Recently uploaded

Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusZilliz
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 

Recently uploaded (20)

Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 

Attack all the layers secure 360

  • 1. (title slide, image only)
  • 2. INTRODUCTIONS
      Scott Sutherland
        - Security Consultant @ NetSPI
        - Twitter: @_nullbind
      Karl Fosaaen
        - Security Consultant @ NetSPI
        - Twitter: @kfosaaen
      We specialize in both things and stuff!
  • 3. OVERVIEW
      - Why do companies pen test?
      - Attacking passwords
      - Attacking protocols
      - Attacking applications
      - Bypassing AV
      - Windows Escalation
      - Conclusions
  • 4. WHY DO COMPANIES PEN TEST?
      - Compliance requirements
      - Third party requests
      - Identify unknown security gaps
      - Validate existing security controls
      - Prioritize existing security initiatives
      - Prevent data breaches
  • 5. PENETRATION TEST GOALS
      - Identify and understand the impact of vulnerabilities at the application, system, and network layers
      - Prioritize remediation
      - Understand ability to detect and respond to attacks
  • 6. PENETRATION TEST OBJECTIVES
      - *Complete client specific objectives
      - Gain access to critical systems, sensitive data, and application functionality
      - Attack surfaces: applications, networks, servers
      - Attack categories: configuration issues, code vulnerabilities, missing patches
  • 7. OVERVIEW
      - Attacking passwords
      - Attacking protocols
      - Attacking applications
      - Bypassing AV
      - Escalation
  • 8. ATTACKING PASSWORDS
      - Dictionary attacks
      - Dump hashes and crack
      - Dump hashes and PTH
      - Impersonate
      - Dump in cleartext!
  • 9. ATTACKING PASSWORDS (timeline figure; only the year labels survived extraction: 1997, 2000s, 2001, 2007, 2008, 2010, 2012)
  • 10. ATTACKING PASSWORDS: DICTIONARY
      - Dictionary attacks
        - Enumerate users: null SMB logins, RPC, *SID brute force, SNMP, LDAP, SharePoint, etc.
        - Attack!
      - Are users getting smarter? Sort of…
        - “Spring2013” meets password complexity requirements
  • 11. ATTACKING PASSWORDS: CRACKING
      - Dumping hashes and cracking
        - John
        - Rainbow tables
        - oclHashcat-plus
  • 13. ATTACKING PASSWORDS: PASSING
      - Dumping and passing hashes
        - Pass the hash kit
        - Metasploit
        - PTH everything
  • 14. ATTACKING PASSWORDS: IMPERSONATE
      - Impersonate
        - Incognito
        - WCE
  • 15. ATTACKING PASSWORDS: CLEARTEXT
      - Dump in cleartext!
        - All the applications!
          - Egyp7’s script
          - WCE
          - Mimikatz
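Slide 10's point that “Spring2013” satisfies complexity rules, as an added example that is not part of the talk: a checker that applies an assumed Windows-style three-of-four-classes policy and then a pattern check for padded base words, so the same password passes the first gate and fails the second. The length threshold, blocklist and leet map are this example's own assumptions.

```python
import re
from typing import Optional

# Added example, not from the talk. Models a Windows-style complexity policy
# (assumed: 8+ characters from at least three of four character classes) and
# shows that it accepts "Spring2013", then adds the pattern check that rejects it.
MIN_LENGTH = 8
CHARACTER_CLASSES = (
    re.compile(r"[a-z]"),
    re.compile(r"[A-Z]"),
    re.compile(r"[0-9]"),
    re.compile(r"[^A-Za-z0-9]"),
)

# Constructed blocklist of base words that users pad with a year or a symbol.
SEASONS = ("spring", "summer", "autumn", "fall", "winter")
MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")
GENERIC = ("password", "welcome", "letmein", "changeme", "qwerty", "admin")
BANNED_BASES = frozenset(SEASONS + MONTHS + GENERIC)

# Common substitutions undone before the blocklist lookup (p@ssw0rd -> password).
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t", "!": "i"})
TRAILING_PADDING = re.compile(r"[0-9!@#$%^&*.\-_]+$")
LEADING_PADDING = re.compile(r"^[!@#$%^&*.\-_]+")


def meets_complexity(password: str) -> bool:
    """True when the password satisfies the length and three-of-four-classes rule."""
    if len(password) < MIN_LENGTH:
        return False
    classes_hit = sum(1 for cls in CHARACTER_CLASSES if cls.search(password))
    return classes_hit >= 3


def normalize(password: str) -> str:
    """Lower-case, strip year/symbol padding at either end, undo leet substitutions."""
    base = password.lower()
    base = TRAILING_PADDING.sub("", base)
    base = LEADING_PADDING.sub("", base)
    return base.translate(LEET)


def predictability_reason(password: str) -> Optional[str]:
    """Return why the password is predictable, or None if no pattern matched."""
    base = normalize(password)
    if base in BANNED_BASES:
        return f"blocklisted base word '{base}' plus padding"
    if len(base) < 5:
        return "almost nothing left after removing year/symbol padding"
    if re.search(r"(.)\1{2,}", password):
        return "repeated character run"
    return None


def evaluate(password: str) -> dict:
    """Combine both checks; a password is accepted only if it passes both."""
    reason = predictability_reason(password)
    complex_enough = meets_complexity(password)
    return {
        "meets_complexity": complex_enough,
        "predictable": reason is not None,
        "reason": reason,
        "accepted": complex_enough and reason is None,
    }


if __name__ == "__main__":
    # Constructed candidates: the slide's example, a leet variant, a seasonal one, a random-looking one.
    for candidate in ("Spring2013", "P@ssw0rd1!", "Winter2012!", "Tq9#vLm2xR"):
        verdict = evaluate(candidate)
        print(f"{candidate:14} complexity={verdict['meets_complexity']!s:5} "
              f"accepted={verdict['accepted']!s:5} {verdict['reason'] or ''}")
```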
  • 16. OVERVIEW
      - Attacking passwords
      - Attacking protocols
      - Attacking applications
      - Bypassing AV
      - Windows Escalation
  • 17. ATTACKING PROTOCOLS
      - ARP: Address Resolution Protocol
      - NBNS: NetBIOS Name Service
      - SMB: Server Message Block
      - DTP: Dynamic Trunking Protocol
      - VTP: VLAN Trunking Protocol
      - Honorable mentions
  • 19. ATTACKING PROTOCOLS: ARP
      - General
        - MAC to IP association
        - Layer 2
      - Conditions
        - Independent of user action
        - Broadcast network
      - Attacks
        - MITM monitoring
        - MITM injection
        - DoS
  • 21. ATTACKING PROTOCOLS: ARP
      Common ARP MITM attacks:
      - Intercept data
        - SSNs, credit cards, healthcare data, etc.
        - Whole-file parsing with NetworkMiner
      - Intercept passwords
        - Cain will parse passwords for over 30 protocols
      - Inject content
        - SQL injection: web and direct database connections
        - HTML injection: redirection, browser exploits
        - UNC path injection: force authentication
        - Proxy and modify HTTP traffic with Burp Suite
  • 22. ATTACKING PROTOCOLS: ARP
      Common ARP MITM tools:
      - Windows tools: Cain, Ettercap-NG, Intercepter-NG, Nemesis
      - Linux tools: Ettercap, Dsniff, Subterfuge, easy-creds, Loki, Nemesis
  • 23. ATTACKING PROTOCOLS: ARP
      Common mitigating controls:
      - Dynamic ARP Inspection
      - Port security
      - Static routes (not recommended)
  • 25. ATTACKING PROTOCOLS: NBNS
      - General
        - IP to hostname association
        - Layer 5 / 7
      - Constraints
        - Dependent on user action
        - Broadcast network
        - Windows only
      - Attacks
        - MITM monitoring
        - MITM injection
        - DoS
  • 29. ATTACKING PROTOCOLS: NBNS
      Common NBNS MITM attacks:
      - Intercept data
        - SSNs, credit cards, healthcare data, etc.
        - Whole-file parsing with NetworkMiner
      - Intercept passwords
        - Cain will parse passwords for over 30 protocols
      - Inject content
        - SQL injection: web and direct database connections
        - HTML injection: redirection, browser exploits
        - UNC path injection: force authentication
        - Proxy and modify traffic with Burp Suite
  • 30. ATTACKING PROTOCOLS: NBNS
      Common NBNS MITM tools:
      - Windows tools: nbnspoof (Python), Metasploit (nbns_response + other modules), Responder (Python)
      - Linux tools: nbnspoof (Python), Metasploit (nbns_response + other modules), Responder (Python)
  • 31. ATTACKING PROTOCOLS: NBNS
      Common mitigating controls:
      - Create a WPAD (Web Proxy Auto-Discovery) server entry in DNS
      - Disable NBNS (not highly recommended)
      - Disable insecure authentication to help limit the impact of exposed hashes
      - Enable packet signing to help prevent SMB relay attacks
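A detection check to pair with the NBNS spoofing slides (25 to 31), added here and not part of the talk: a parser for NBNS name service packets (RFC 1002) and a rule that alerts on any positive Name Query Response for a canary name registered nowhere on the network, since only a spoofer answers for a name nobody owns. The packet bytes and the canary name "CANARY" are constructed, and 192.0.2.77 (a documentation-range address) stands in for the responding host.

```python
import socket
import struct
from typing import FrozenSet, List, NamedTuple, Tuple

# Added detection example, not from the talk. Parses NBNS (RFC 1002) name service
# packets and alerts on a positive Name Query Response for a canary name that is
# registered nowhere on the network: only a spoofer answers for a name nobody owns.

NB_RECORD_TYPE = 0x0020                 # NetBIOS general name service record
CANARY_NAMES = frozenset({"CANARY"})   # constructed; must not exist anywhere


class NbnsPacket(NamedTuple):
    transaction_id: int
    is_response: bool
    questions: List[Tuple[str, int]]            # (name, suffix byte)
    answers: List[Tuple[str, int, List[str]]]   # (name, suffix byte, addresses)


def decode_nbns_name(data: bytes, offset: int) -> Tuple[Tuple[str, int], int]:
    """Decode one first-level-encoded label (32 chars, each nibble + 'A').

    Returns ((name, suffix), offset just past the terminating zero byte)."""
    if data[offset] != 32:
        raise ValueError("expected a 32-character NBNS label")
    encoded = data[offset + 1:offset + 33]
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    name = raw[:15].decode("ascii").rstrip(" ")
    return (name, raw[15]), offset + 34     # 1 length + 32 chars + 1 terminator


def parse_nbns(data: bytes) -> NbnsPacket:
    """Parse the 12-byte header, the question entries and NB-type answer records."""
    if len(data) < 12:
        raise ValueError("packet shorter than the NBNS header")
    trn_id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", data[:12])
    offset = 12
    questions = []
    for _ in range(qdcount):
        entry, offset = decode_nbns_name(data, offset)
        offset += 4                          # QUESTION_TYPE + QUESTION_CLASS
        questions.append(entry)
    answers = []
    for _ in range(ancount):
        (name, suffix), offset = decode_nbns_name(data, offset)
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlength]
        offset += rdlength
        addresses = []
        if rtype == NB_RECORD_TYPE:
            # RDATA holds 6-byte entries: NB_FLAGS (2) followed by NB_ADDRESS (4)
            for i in range(0, len(rdata) - 5, 6):
                addresses.append(socket.inet_ntoa(rdata[i + 2:i + 6]))
        answers.append((name, suffix, addresses))
    return NbnsPacket(trn_id, bool(flags & 0x8000), questions, answers)


def spoof_alerts(packet: NbnsPacket, canaries: FrozenSet[str]) -> List[Tuple[str, str]]:
    """Return (canary name, responder IP) for every positive answer about a canary."""
    if not packet.is_response:
        return []
    return [(name, ip) for name, _suffix, ips in packet.answers
            if name in canaries for ip in ips]


# Constructed label for "CANARY" (padded with spaces to 15 bytes, suffix 0x00).
CANARY_LABEL = b"\x20EDEBEOEBFCFJ" + b"CA" * 9 + b"AA\x00"

# Constructed broadcast query: transaction 0x1234, flags 0x0110 (RD + broadcast), 1 question.
SAMPLE_QUERY = (b"\x12\x34\x01\x10\x00\x01\x00\x00\x00\x00\x00\x00"
                + CANARY_LABEL + b"\x00\x20\x00\x01")

# Constructed positive response from 192.0.2.77 (documentation range stands in for
# the spoofing host): flags 0x8500, 1 answer, TTL 165 s, RDLENGTH 6.
SAMPLE_RESPONSE = (b"\x12\x34\x85\x00\x00\x00\x00\x01\x00\x00\x00\x00"
                   + CANARY_LABEL + b"\x00\x20\x00\x01"
                   + b"\x00\x00\x00\xa5" + b"\x00\x06"
                   + b"\x00\x00" + bytes([192, 0, 2, 77]))

if __name__ == "__main__":
    for label, packet in (("query", SAMPLE_QUERY), ("response", SAMPLE_RESPONSE)):
        parsed = parse_nbns(packet)
        print(label, parsed.questions, parsed.answers, "alerts:", spoof_alerts(parsed, CANARY_NAMES))
```

On a live segment the same logic runs over UDP/137 datagrams captured by a sensor; a canary query sent periodically from a monitoring host turns any answer into an alert with the responder's address.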
  • 33. ATTACKING PROTOCOLS: SMB
      - General
        - SMB is the comeback kid!
        - Layer 7
      - Constraints
        - Dependent on user action
        - Any routable network
        - No connecting back to the originating host
      - Attacks
        - Command execution
        - Shells...aaand shells
  • 35. ATTACKING PROTOCOLS: SMB
      Historically SMB relay has been used to:
      - Execute arbitrary commands
      - Obtain shells
      Lately the community has been developing tools for doing things like:
      - LDAP queries
      - SQL queries
      - Exchange services
      - Mounting file systems
  • 36. ATTACKING PROTOCOLS: SMB
      Many tools support SMB relay attacks:
      - Windows tools: Metasploit (smb_relay and http_ntlmrelay), Intercepter-NG …this is kind of a pain in Windows
      - Linux tools: Metasploit (smb_relay and http_ntlmrelay), ZackAttack, Subterfuge, Squirtle
  • 37. ATTACKING PROTOCOLS: SMB
      Common mitigating controls:
      - Enable packet signing to help prevent SMB relay attacks
      - Apply really old patches, as if you had missed out on the last decade…
  • 39. ATTACKING PROTOCOLS: DTP
      - General
        - 802.1Q encapsulation is in use
        - Layer 2
      - Constraints
        - Independent of user action
        - Trunking is set to enabled or auto on the switch port
      - Attacks
        - Monitor network traffic for all VLANs, because all VLANs are allowed on a trunk by default
        - *Full VLAN hopping
  • 44. ATTACKING PROTOCOLS: DTP
      - Intercept data
        - SSNs, credit cards, healthcare data, etc.
        - Whole-file parsing with NetworkMiner
      - Intercept passwords
        - Cain will parse passwords for over 30 protocols
  • 45. ATTACKING PROTOCOLS: DTP
      Common DTP spoofing tools:
      - Windows tools: I got nothing…
      - Linux tools: Yersinia
  • 46. ATTACKING PROTOCOLS: DTP
      Common mitigating controls:
      - Use a dedicated VLAN ID for all trunking ports
      - Disable all unused ports and place them on a non-routable VLAN
      - Configure all user ports as access ports to prevent trunk negotiation
      - Configure frames with two 802.1Q headers
      - Configure strong VACLs
  • 47. ATTACKING PROTOCOLS: VTP (VLAN Trunking Protocol)
  • 48. ATTACKING PROTOCOLS: VTP
      - General
        - 802.1Q encapsulation is in use
        - Layer 2
      - Constraints
        - Independent of user action
        - VLANs are IP or MAC based
      - Attacks
        - Ability to directly attack systems on other VLANs
  • 51. ATTACKING PROTOCOLS: VTP
      Common next steps after VTP tag forgery:
      - MITM attacks against remote VLAN systems
      - Intercept/modify data: usually limited to broadcast traffic (unless MITM)
  • 52. ATTACKING PROTOCOLS: VTP
      Tools for VLAN hopping attacks:
      - Windows tools: native (manually reconfigure via TCP/IP settings)
      - Linux tools: native (modprobe + ifconfig), VoIP Hopper, Yersinia
  • 53. ATTACKING PROTOCOLS: VTP
      Common mitigating controls:
      - Use a dedicated VLAN ID for all trunking ports
      - Disable all unused ports and place them on a non-routable VLAN
      - Configure all user ports as access ports to prevent trunk negotiation
      - Configure frames with two 802.1Q headers
      - Configure strong VACLs
  • 54. ATTACKING PROTOCOLS: OTHERS
      Honorable mentions:
      - Preboot Execution Environment (PXE)
      - Link-Local Multicast Name Resolution (LLMNR)
      - Dynamic Host Configuration Protocol (DHCP)
  • 55. OVERVIEW
      - Attacking passwords
      - Attacking protocols
      - Attacking applications
      - Bypassing AV
      - Windows Escalation
  • 56. ATTACKING APPLICATIONS
      - Default and weak passwords for everything
        - Tools: Nmap, Nessus, Web Scour, manuals, Google
      - SQL injection
        - Tools: manual testing, web scanners, SQL Ninja, SQL Map, Metasploit
      - RFI / web shells (JBoss, Tomcat, etc.)
        - Tools: Metasploit, FuzzDB, and other web shellery
      - Web directory traversals
        - Tools: manual testing, web scanners, FuzzDB, Metasploit
      - MS08-067
        - Tools: Metasploit, exploit-db exploits, etc.
  • 57. OVERVIEW
      - Attacking passwords
      - Attacking protocols
      - Attacking applications
      - Bypassing AV
      - Escalation
  • 58. BYPASSING AV
      - Weak configurations
      - Source code tricks
      - Binary modifications
      - Process/thread manipulation
  • 59. BYPASSING AV: WEAK CONFIGURATIONS
      - Execute from a share, UNC path, or external media
      - Disable via GUI
      - Create policy exceptions
      - Kill processes
      - Stop / disable services
      - Uninstall (not recommended)
      - Insecure service registration (c:\program.exe)
      - Insecure file permissions (file replacement/mods)
      - Execute from a DLL
      - DLL pre-loading, side-loading, etc.
      - GAC poisoning (potentially)
  • 60. BYPASSING AV: SOURCE CODE TRICKS
      Customize everything…and be crazy
      - Migrate to and suspend or kill AV
      - Modify comments (web languages)
      - Replace variable names
      - Modify application logic
      - Use alternative functions
      - Remove or modify resources
      - Encode or encrypt payloads
      - Compress payloads
      - Add time delays
      - Call NTDLL.DLL directly
  • 61. BYPASSING AV: BINARY MODIFICATIONS
      Same idea…be crazy
      - Simple string modification
      - Decompile/modify source
      - Disassemble / modify application logic
      - Disassemble / insert time delays
      - Modify resource table (ditto/CFF Explorer)
      - Modify imports table (ditto/CFF Explorer)
      - Pack (UPX, MPRESS, IExpress, etc.)
      - Metasploit Pro payloads: dynamic exe generation
  • 62. BYPASSING AV: PROCESS/THREAD MODS
      Inject, inject, replace…
      - Code injection (local and remote)
      - DLL injection (local and remote)
      - Process replacement
      Common tools:
      - PowerShell: PowerSploit, etc.
      - Python and py2exe
      - Any language that supports calls to native DLLs
  • 63. OVERVIEW
      - Attacking passwords
      - Attacking protocols
      - Attacking applications
      - AV evasion
      - Windows Escalation
  • 64. WINDOWS ESCALATION: OVERVIEW
      - Local user → Local Administrator
      - Domain user → Local Administrator
      - Local Administrator → LocalSystem
      - LocalSystem → Domain User
      - Locate Domain Admin tokens
      - LocalSystem → Domain Admin
  • 65. WINDOWS ESCALATION: LOCAL ADMIN
      - Local user → Local Administrator
        - Excessive local group privileges (admin or power users)
        - Cleartext credentials
          - Sysprep (unattend.xml/ini/txt)
          - Config files, scripts, logs, desktop folders
          - Tech support call files
        - Weak application configurations that allow:
          - Restarting or reconfiguring services
          - Replacing application files
          - DLL pre- or side-loading
          - Executable injection via poorly registered services: C:\Program Files (x86) vs "C:\Program Files (x86)"
        - Local and remote exploits (Metasploit: getsystem)
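For the poorly registered service issue on slides 59 and 65 (an unquoted image path containing spaces), an added audit check that is not the authors' tooling: it flags unquoted paths with spaces, lists the ambiguous resolutions whose parent directories' write ACLs need review, and produces the quoted path that fixes each one. Service names and paths are constructed; on a real host the same input comes from Get-CimInstance Win32_Service (Name, PathName) or each service's ImagePath registry value.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Added example, not the authors' tooling. Audits Windows service image paths for
# the unquoted-path-with-spaces problem on slides 59 and 65. Input is a constructed
# mapping of service name -> image path; on a real host feed it the PathName values
# from Get-CimInstance Win32_Service or the ImagePath registry values.

EXE_WITH_ARGS = re.compile(r"^(.*?\.exe)(\s.*)?$", re.IGNORECASE)


class ServiceFinding(NamedTuple):
    name: str
    executable: str
    vulnerable: bool
    review_paths: List[str]            # ambiguous resolutions the loader tries first
    fixed_image_path: Optional[str]    # quoted form that removes the ambiguity


def split_image_path(image_path: str) -> Tuple[str, str, bool]:
    """Return (executable, arguments, was_quoted) for a service image path."""
    path = image_path.strip()
    if path.startswith("\\??\\"):          # NT object-manager prefix seen on some drivers
        path = path[4:]
    if path.startswith('"'):
        end = path.find('"', 1)
        if end == -1:
            raise ValueError(f"unterminated quote in image path: {image_path}")
        return path[1:end], path[end + 1:].strip(), True
    match = EXE_WITH_ARGS.match(path)
    if match:
        return match.group(1), (match.group(2) or "").strip(), False
    head, _, tail = path.partition(" ")   # no .exe found: first token is the binary
    return head, tail, False


def ambiguous_resolutions(executable: str) -> List[str]:
    """Each '<prefix before a space>.exe' that CreateProcess would try before the real binary."""
    return [executable[:i] + ".exe" for i, ch in enumerate(executable) if ch == " "]


def audit_service(name: str, image_path: str) -> ServiceFinding:
    """Flag an unquoted executable path that contains spaces and compute its fix."""
    executable, args, quoted = split_image_path(image_path)
    vulnerable = (not quoted) and (" " in executable)
    fixed = f'"{executable}" {args}'.strip() if vulnerable else None
    review = ambiguous_resolutions(executable) if vulnerable else []
    return ServiceFinding(name, executable, vulnerable, review, fixed)


def audit_services(services: Dict[str, str]) -> List[ServiceFinding]:
    return [audit_service(name, path) for name, path in services.items()]


def vulnerable_services(services: Dict[str, str]) -> List[str]:
    return sorted(f.name for f in audit_services(services) if f.vulnerable)


# Constructed sample: service names, vendors and paths are invented.
SAMPLE_SERVICES = {
    "ExampleBackup": r"C:\Program Files\Example Backup\backupsvc.exe -service",
    "ExampleAgent": r'"C:\Program Files\Example Agent\agent.exe" --daemon',
    "ExampleUpdate": r"C:\Windows\system32\svchost.exe -k example update",
    "ExampleMonitor": r"C:\ExampleTools\monitor.exe /silent",
    "ExampleSync": "\\??\\" + r"C:\Program Files (x86)\Example Sync\sync.exe",
}

if __name__ == "__main__":
    for finding in audit_services(SAMPLE_SERVICES):
        if not finding.vulnerable:
            continue
        print(f"[!] {finding.name}: unquoted path with spaces -> {finding.executable}")
        print("    review write ACLs on parents of:", ", ".join(finding.review_paths))
        print("    fix: sc config", finding.name, "binPath=", finding.fixed_image_path)
```

Spaces in the arguments alone (ExampleUpdate above) are harmless; only spaces inside the unquoted executable path trigger the finding.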
  • 66. WINDOWS ESCALATION: LOCAL ADMIN
      - Domain user → Local Administrator
        - Issues from the last slide and…
        - Group Policy: groups.xml
        - File shares accessible to domain users
        - Ability to log into domain workstations
        - Excessive database privileges (xp_cmdshell etc.)
        - SMB relay + cracking hashes
        - Other systems and applications that use integrated domain authentication…
  • 67. WINDOWS ESCALATION: LOCAL ADMIN
      - Local Administrator → LocalSystem
        - At.exe (on older systems) – we still see it!
        - Accessibility options
          - Replace accessibility options like utilman.exe, osk.exe and sethc.exe with cmd.exe or another backdoor
        - Create a custom service to run as LocalSystem
          - Psexec -s -i cmd.exe
        - Migrate to a system process
          - Remote process injection, MSF ps + migrate, and Incognito
        - Local and remote exploits
          - Metasploit: getsystem etc.
        - SQL Server and database links + xp_cmdshell
  • 68. WINDOWS ESCALATION: FIND DA TOKENS
      - Locate Domain Admin tokens
        - Check locally ;) : incognito
        - Query the domain controllers: netsess.exe
        - Scan remote systems for running tasks: native tasklist or smbexec
        - Scan old Windows systems for NetBIOS
        - Shell spraying for tokens (not advised)
  • 69. WINDOWS ESCALATION: DOMAIN ADMIN
      - LocalSystem → Domain Admin
        - Pass-the-hash to target system
          - Local administrator account and shared service accounts
          - Manually via trusted connections or via MSF etc.
        - Impersonate authentication token
          - Custom application, Incognito, WCE, Metasploit
        - Dump clear text domain credentials
          - Mimikatz, WCE, or Metasploit
        - Key logging
        - MITM + sniffing (HTTP integrated auth etc.)
  • 70. (image only)
  • 71. CONCLUSIONS
      - Most networks: kind of broken
      - Most protocols: kind of broken
      - Most applications: kind of broken
      - All can kind of be fixed
  • 72. ATTACK ALL THE LAYERS! ANY QUESTIONS?
  • 73. ATTACK ALL THE LAYERS!
      Scott Sutherland, Principal Security Consultant, Twitter: @_nullbind
      Karl Fosaaen, Security Consultant, Twitter: @kfosaaen