Why internal pen tests are still fun

1. Why Internal Pen-Tests are still FUN!

2. Why other pen-tests suck! (not hating)
   • External – Unless you're SE'ing someone, it's pretty boring. (nessus/qualys grepping human, thou art l33t)
   • Web Apps – Unless you get SQLi or file upload or good business logic bugs. (Oh burp scanning/intruder ninja, thou art l33t)
   • Mobile – Fun unlimited, but limited by a small threat surface

3. Internal Pen-Tests
   • SHELLS! SHELLS! SHELLS! – Oh beautiful Shellness!
   • Nothing beats the joy of popping a box!
   • If Local Admin, get Domain Admin – always a new challenge!
   • Data – Oh delicious customer data!
   • Mad respect from the client. "More pen-tests… more monnneeyyy" – Hans Michael Varbaek
4. Why we still own Internal Networks
   • Weak passwords – Welcome1 still works in 2013

5. Why we still own Internal Networks
   • No patching – MS08-067 still works in 2013

6. Why we still own Internal Networks
   • No access controls – RDP/SSH anywhere
7. Easy Pwnage
   • This stuff still works not because you're l33t but because your customer is clueless about securing stuff.
     – Password attacks
       • SMB bruteforce from a list of domain users (null sessions, or a compromised host that gave you a domain user cred)
       • ^ Check the password policy before going haywire.
       • SSH, MSSQL etc. (sa/sa still works in 2013)
       • Metasploit auxiliary modules / Nmap scripts are your best friend. (you know most of the good ones, r8?)
       • Run all of them if you've got time. You never know how low the fruit is hanging unless you bend down.
       • Nessus/Qualys are generally pretty bad at bruteforcing stuff.
       • Use intelligent word lists – mix in the company name

8. Easy Pwnage – Not Patching
   • Any vulnerable software that Qualys/Nessus finds – if metasploit has a module for it = easy win.
     – Web consoles (I like these – find them all the time!)
       • JBoss JMX consoles (set up shell.war and invoke)
       • Tomcat manager (deploy shell.war)
     – These usually run as SYSTEM on a Windows box.
   • Any file upload from an internal web app (Don't waste time on this, but if you do see something interesting, have a poke)
     – GPO cpassword (Group Policy Preference XML)
       • post/windows/gather/credentials/gpp
       • base64-decode and then decrypt using the MS-provided public AES key
       • Most likely the local administrator password (re-used across all hosts that were deployed with GPPs)
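An added example, not from the talk: the defender-side sweep for this finding. It parses a Group Policy Preferences Groups.xml and reports every item that still carries a cpassword, so the affected accounts can be rotated and the items removed from the policy. The XML below is a constructed sample with placeholder values; the file names are the standard GPP preference files, and scan_sysvol is an assumed helper for walking a copy of SYSVOL.

```python
import os
import xml.etree.ElementTree as ET

# The standard GPP preference files that may carry a cpassword attribute.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

# Constructed sample of a Groups.xml as found under
# SYSVOL\<domain>\Policies\<GUID>\Machine\Preferences\Groups\ ; the cpassword
# value and uid GUIDs are placeholders, not real data.
SAMPLE_GROUPS_XML = """<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator (built-in)"
        changed="2013-01-15 10:22:41" uid="{PLACEHOLDER-GUID-1}">
    <Properties action="U" cpassword="PLACEHOLDER-ENCRYPTED-BLOB" changeLogon="0"
        noChange="1" neverExpires="1" acctDisabled="0"
        userName="Administrator (built-in)"/>
  </User>
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="svc_backup"
        changed="2013-02-01 09:00:00" uid="{PLACEHOLDER-GUID-2}">
    <Properties action="C" userName="svc_backup" description="no password set"/>
  </User>
</Groups>"""

def find_cpassword_entries(xml_text, source="Groups.xml"):
    """One finding per preference item whose Properties still carry cpassword."""
    findings = []
    for item in ET.fromstring(xml_text):
        props = item.find("Properties")
        if props is None or "cpassword" not in props.attrib:
            continue                      # item sets no password: nothing to rotate
        findings.append({
            "file": source,
            "item": item.tag,             # User, Service, Task, Drive, ...
            "account": (props.get("userName") or props.get("accountName")
                        or props.get("runAs") or item.get("name")),
            "changed": item.get("changed"),
        })
    return findings

def scan_sysvol(root):
    """Walk a copy of SYSVOL and collect findings from every GPP file (assumed usage)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name in GPP_FILES:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8-sig") as fh:   # tolerates a UTF-8 BOM
                    findings.extend(find_cpassword_entries(fh.read(), path))
    return findings
```

Every hit is a password to change by some other means and a preference item to delete; the `changed` timestamp tells you how long it has been readable by everyone who can read SYSVOL.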
9. Easy Pwnage
   • Filebrowser -> when cmd.jsp gets picked up by AV: http://www.vonloesch.de/filebrowser.html

10. Easy Pwnage
   • Filebrowser

11. Laudanum
   • http://sourceforge.net/projects/laudanum/files/laudanum-0.8/
   • Bunch of good web shells for most languages

12. Easy Pwnage
   • Easy Pwnage =
13. Why are we doing all this anyway??
   • Get sensitive data and show the customer the real risk of allowing "Mr. Evil" to connect to their internal network
     – Hunting for data:
       • Local admin -> Domain Admin -> Search for data everywhere (usually databases – unless they're really stupid and store it in unencrypted flat files)
   • Lesson learnt – Some clients don't even know what data is important to them. The CEO's mailbox is a good start.

14. Super Secure Customer
   • Everything is patched
   • Super random, awesomely strong passwords
   • Apps are securely coded – no SQLi and no file upload
   • AV everywhere – I mean everywhere
   • ^ AV can't be turned off unless you provide a password
   • OMG! – I should quit pen-testing.
15. Responder
   • Developed by Laurent Gaffié (Trustwave)
   • LLMNR and NBT-NS poisoning (Google what these are)
     – If DNS and the hosts file fail, the tool yells out "I'll resolve that for you" and then steals your creds!
     – DEMO
     – Hashes can be cracked via John or can be relayed: http://pen-testing.sans.org/blog/pen-testing/2013/04/25/smb-relay-demystified-and-ntlmv2-pwnage-with-python

16. Responder
   • Tons of other features – Google "responder trustwave"
     – Does ICMP redirect (this is effing awesome – but only works for anything older than Vista/2k8)
     – Abuses WPAD (another kool feature)
     – HTTP and FTP modules.
   • Make sure you are on a workstation subnet for maximum hits.
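An added defensive example, not from the talk: the real fix is to turn off LLMNR (and NBT-NS) through Group Policy, and until that is done an LLMNR canary shows whether anything on the segment is answering for names that do not exist. LLMNR reuses the DNS wire format on UDP multicast 224.0.0.252 port 5355 (RFC 4795); the canary name, the fixed transaction id and the timeout are assumptions.

```python
import socket
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355   # RFC 4795 IPv4 multicast group and port
CANARY_TXID = 0x1234                             # fixed transaction id (assumed)

def build_llmnr_query(name, txid=CANARY_TXID):
    """LLMNR reuses the DNS wire format: a 12-byte header, then one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)     # flags=0, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(data, off):
    """Offset just past a DNS name, handling 0xC0.. compression pointers."""
    while data[off] & 0xC0 != 0xC0:
        if data[off] == 0:
            return off + 1
        off += 1 + data[off]
    return off + 2                                           # pointer is two bytes

def parse_llmnr_answers(data, txid=CANARY_TXID):
    """IPv4 addresses from the answer section of a response that matches our txid."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:                    # not a response to our query
        return []
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4                      # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:                        # A record
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return addrs

def llmnr_canary(name, timeout=2.0):
    """Ask for a name that does not exist; anyone who answers is poisoning."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_llmnr_query(name), (LLMNR_GROUP, LLMNR_PORT))
    hits = []
    try:
        while True:                                          # drain replies until timeout
            data, src = sock.recvfrom(512)
            hits += [(src[0], a) for a in parse_llmnr_answers(data)]
    except socket.timeout:
        return hits                                          # [(responder_ip, claimed_ip)]
```

On a clean segment llmnr_canary("some-name-that-does-not-exist") returns an empty list; any (responder_ip, claimed_ip) pair is a host answering for a name it cannot legitimately own.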
17. OK – THAT DIDN'T WORK??
   • Give up and go home??

18. I SAY NO!
   • Meet the angry, "I will pwn you" pentester!

19. Get your Ducky on
   • HID USB thingy that has a small programmable chip.
   • When a user leaves their desktop/laptop unlocked, run and connect. (or walk if you're not that enthusiastic)
   • Quickly add a user, enable RDP, grab password hashes, system info etc. and ship it to your FTP server. (whatever privs the user has – the Ducky has)
   • Easy to write scripts – write, compile with Java, load onto the Ducky.
   • ^ Way easier than Teensy – although Teensy can be used in stealth/SE tactics. Teensy inside a mouse, Teensy inside a keyboard etc.

20. DUCKY DEMO
   • If it quacks like a duck – it must be a duck
   • Video
21. SAFE PASSWORD DUMPING
   • Old school password dumping tools get picked up by AV (cain, pwdump etc.)
   • New ones are getting picked up as well (WCE, mimikatz etc.)
     – These two can dump plain-text passwords from memory.
   • Disable AV?
   • What if AV can only be disabled using a password?

22. SAFE PASSWORD DUMPING
   • You don't have to disable AV or trigger it.
   • Procdump from Sysinternals
     – C:\windows\temp\procdump.exe -accepteula -ma lsass.exe C:\windows\temp\lsassdump.dmp
     – Mimikatz can then chew the .dmp file and spit out passwords in clear text.

23. SAFE PASSWORD DUMPING
   • Some old methods still work and don't get picked up by AV – hashes from hives:
     • Reg copy (C:\>reg.exe save HKLM\SAM sam)
     • Shadow volume copy (good to grab NTDS)
     • ^ Ops guys now do check logs for shadow volume copies, so I'd recommend using SAMEX. (http://www.josho.org/blog//blog/2013/03/07/samex/)
24. Searching for Domain Admin
   • So you popped a few boxes – got some hashes
   • What now?
   • If one of those boxes:
     – had a domain admin logged in – you have his password in plain-text or got his hash -> game over.
     – had a service running as domain admin – move to the process, pop a shell -> game over.
   • Shares the same local administrator password across the network.
     – Spray the hash and look for boxes with processes running as domain admin.

25. Searching for Domain Admin

       #!/bin/sh
       for ip in $(cat ip.txt); do
           ./winexe -U Administrator%passwordhash //$ip "ipconfig"
           ./winexe -U Administrator%passwordhash //$ip "tasklist /v"
       done

   • ^ The Metasploit module auxiliary/admin/smb/psexec_command also works. Do not use windows/smb/psexec as this uploads an exe to the box and will trigger AV.
   • Log in to the box running the domain admin process – dump the hash or read it from lsass as plain text.
   • Replay the hash or log in as domain admin over RDP etc.
   • Game over.
     – Pro Stealth tip: Once you get a domain admin shell, DO NOT CREATE a new domain admin user.
       • This will trigger Ops, as a lot of organisations are alerted if a new domain administrator is created.
26. Looting
   • Go after SQL servers – you should have a list of these from your scans
   • Shares – Yes, people still store heaps of confidential stuff unencrypted on shares
   • Have you guys seen Firefox PTH? – All ur OWA and sharepoint r belong 2 us!
   • Metasploit – post exploitation modules – store loot in the MSF DB for grepping later.

27. Firefox PTH
   • DEMO
   • https://code.google.com/p/passing-the-hash/downloads/list
28. Mitigations
   • You can't really stop a determined attacker
   • There are just way too many ways you could get hacked
   • Best bet is to detect
   • Check anomalies – New user creation (DA etc.), local admin logons, AV pickups etc.
   • User education
   • Google's new network architecture – All zones are untrusted (Not a bad idea, eh?)
   • Obvious old school protections should still apply – Patching, strong passwords, access controls etc.
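An added detection example, not from the talk, for the two anomalies this slide names: a member added to a privileged group (events 4728/4732) and one source authenticating as the local Administrator to many hosts over the network in a short window, which is what a hash spray with a shared local admin password looks like from the targets' side. The events are a constructed sample with the Security log field names flattened; the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

PRIV_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed sample of Security log events, flattened to the fields used
# below. Computer is the host that recorded the event.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Time": "2013-06-01T02:00:01", "Computer": "WS01", "LogonType": 3,
     "TargetUserName": "Administrator", "IpAddress": "10.1.1.50", "AuthPackage": "NTLM"},
    {"EventID": 4624, "Time": "2013-06-01T02:00:03", "Computer": "WS02", "LogonType": 3,
     "TargetUserName": "Administrator", "IpAddress": "10.1.1.50", "AuthPackage": "NTLM"},
    {"EventID": 4624, "Time": "2013-06-01T02:00:04", "Computer": "WS03", "LogonType": 3,
     "TargetUserName": "Administrator", "IpAddress": "10.1.1.50", "AuthPackage": "NTLM"},
    {"EventID": 4624, "Time": "2013-06-01T02:00:06", "Computer": "SQL01", "LogonType": 3,
     "TargetUserName": "Administrator", "IpAddress": "10.1.1.50", "AuthPackage": "NTLM"},
    {"EventID": 4624, "Time": "2013-06-01T02:03:00", "Computer": "FS01", "LogonType": 3,
     "TargetUserName": "jdoe", "IpAddress": "10.1.1.7", "AuthPackage": "Kerberos"},
    {"EventID": 4732, "Time": "2013-06-01T02:05:00", "Computer": "WS05", "SubjectUserName":
     "helpdesk", "MemberName": "CN=jdoe,CN=Users,DC=corp,DC=local", "TargetUserName": "Remote Desktop Users"},
    {"EventID": 4728, "Time": "2013-06-01T02:10:00", "Computer": "DC01", "SubjectUserName":
     "svc_backup", "MemberName": "CN=newadmin,CN=Users,DC=corp,DC=local", "TargetUserName": "Domain Admins"},
]

def detect_privileged_group_change(events):
    """Member added to a privileged group: 4728 (global group) / 4732 (local group)."""
    return [(e["Time"], e["Computer"], e["SubjectUserName"], e["MemberName"], e["TargetUserName"])
            for e in events
            if e["EventID"] in (4728, 4732) and e["TargetUserName"] in PRIV_GROUPS]

def detect_local_admin_spray(events, min_hosts=3, window=timedelta(minutes=5)):
    """One source IP doing network logons (type 3) as Administrator to at least
    min_hosts distinct hosts inside the window; thresholds are assumptions."""
    by_src = defaultdict(list)
    for e in events:
        if (e["EventID"] == 4624 and e["LogonType"] == 3
                and e["TargetUserName"].lower() == "administrator"):
            by_src[e["IpAddress"]].append((datetime.fromisoformat(e["Time"]), e["Computer"]))
    alerts = []
    for src, hits in by_src.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):               # slide the window over each start
            hosts = {h for t, h in hits[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts.append((src, sorted(hosts)))
                break                                    # one alert per source
    return alerts
```

The spray rule is deliberately blind to the authentication package: a pass-the-hash logon and a password logon both show as NTLM type 3, so the fan-out from one source is the signal, not the credential type.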
29. Testing "Pro" tips
   • Don't leave any accounts you create on the customer's network – delete everything (Finding a DA account left by the pen-tester from the last engagement = fail)
   • Bruteforce wisely – locking out an important service will not go down well with a customer (Bump down threads = increase stealth)
   • Don't disable AV – Intelligent Ops are alerted if AV dies
   • Wipe your VM after every pen-test – A clean slate to work on is so much better
   • Snapshotting to have all your tools set up and then resetting also works
   • script (the Linux terminal session recorder) is your best friend
   • Notes – always good for other eyes trying to read and understand what you did (doesn't even have to be fancy – vi or notepad works)
   • Videos for complex attacks – I'd highly recommend it (mind you, this is gonna eat some disk space and sending this to a client might be difficult)
30. Music (Ignore this slide if you don't listen to music)
   • Meshuggah, Lamb of God and Tool – when you're feeling effing awesome and pwning like a baws
   • Trying really hard for a breakthrough or fighting a problem – Really fast techno or dubstep
   • When you lose it and wanna break your laptop – Vitamin String Quartet (trust me, this works)

31. That's it
   • Things I want to work on (any help will earn beers and respect):
     – Write more Ducky scripts (hopefully run faster and grab more stuff, reverse shell etc.)
     – Write post exploit modules (which can loot more efficiently)
     – Set up a Pi that can do all this over 3/4G, to be sent to the client so I can watch BSG and sip beer.
   • Hope this helped. Google for anything that I may not have provided a link for or explained in detail.
   • Blog: http://psychsec.wordpress.com/

Editor's Notes

  • Windows domain members up to NT 5.2 (XP, Windows Server 2003) have ICMP Redirect enabled by default. This functionality can be used to remotely add (with no authentication required) a new route for a given host.

    So basically, anything older than Windows Vista / Server 2008 is vulnerable. You just send it an ICMP redirect, and shiz gets redirected.
