Hacking without exploits

1. Authenticated Code
Execution by Design
Or Making Zen and the Art of How I Learned to Stop
Worrying and Love the Password for Fun and Profit
Great Again

2. $ whoami
@egyp7
Penetration tester
Metasploit contributor
• Former community manager
Erstwhile security researcher
2

3. What is ACEbD?
3

4. 1) Authenticated
● There’s some sort of login involved
What is ACEbD?
4

5. What is ACEbD?
B) Code Execution
● To include OS commands, etc.
● I might get a little fuzzy on this one
5

6. What is ACEbD?
IV) By Design
● Using the service for its intended purpose
6

7. Disclaimer
None of this is meant to
disparage the tools I’m going
to talk about
7

8. Why ACEbD?
8

9. Why ACEbD?
Intrusion Prevention Systems
can’t block a password
9

10. Why ACEbD?
Passwords will always work
10

11. Why ACEbD?
Passwords are the best form
of persistence
11

12. Login Services
The obvious stuff
12

13. Telnet
Direct network interface to login(1)
Old af
13

14. 14

15. 15

16. 16

17. Remote Desktop
a.k.a. Terminal Services
Graphical login
8.1 and newer allow PtH in limited scenarios
17

18. VNC
“Virtual Network Computing”
Remote Frame Buffer (RFB) protocol
Graphical login
Can be passwordless
● Unauthenticated code execution =)
Often unrelated to system authentication
18

19. Helpdesk things
Amyy Admin
Dameware
LogMeIn
PCAnywhere
19

20. Filesystem Access
20

21. The standards
• FTP
• NFS
• WebDAV
• etc.
21

22. SMB
22

23. Server Administration
23

24. Tomcat
Manager application to deploy new applications
HTTP Basic by default
24

25. WebSphere
Application server cluster manager
Deploy to all app servers at once
25

26. VSphere / VCenter
26

27. Proxmox
27

28. Various cloud thingers
Amazon, et al
28

29. 29

30. WinRM
Enter-PSSession -ComputerName <computer>
winrs -r:<computer> command to run
30

31. SMB + RPC
31

32. Service Control Manager
sc.exe
PsExec
32

33. Task Scheduler
at.exe
33

34. Remote Registry
Run, RunOnce keys
Debugger
PATH
AppInit_DLLs
34

35. DCOM objects
MMC20.Application DCOM
● MMC snapin object thingy
● Has an ExecuteShellCommand() method
Excel.Application
● Has a Run() method that runs macros
35

36. Content Management
36

37. 37

38. 38

39. Wordpress
Themes
39

40. Wordpress
Plugins
40

41. 41

42. 42

43. Before Drupal 8
+
43

44. 44

45. Miscellaneous
Stuff that didn’t fit elsewhere
45

46. Splunk
Plugin system is straight-forward code execution
• Python or anything that runs on Linux
Supports PAM, RADIUS, LDAP for auth
• But the free version doesn’t support auth at all
• More unACEbD
46

47. Nagios
It’s a security monitoring thingamajig
47

48. 48

49. 49

50. phpMyAdmin / phpPgAdmin
Not code execution on the OS, but SQL
50

51. Jenkins
51

52. Metasploit Pro
52

53. How Screwed Am I?
i.e., how do I defend against this?
53

54. Best block – no be there
54

55. 55

56. 56

57. Bob in Finance shouldn’t log into production servers
Sally in Engineering shouldn’t log into Finance systems
No one should ever log into 100 systems in 5 seconds
Audit Logins
57

58. Conclusions
58

59. Exploits convert illegitimate
access into legitimate access
59

60. 60

61. Logging in is better than
exploiting vulns
61

62. Passwords will always work
62

63. You don’t always need a shell
63

64. Think about where you can
find this stuff
64

66. Questions
@egyp7
egypt@blackhillsinfosec.com
66