PENTEST PREPPERS
BACKGROUND
• Complete domain compromise has been too easy
• Rarely detected
• Unprivileged user to DA in < 60 seconds
• Fix the common issues and low hanging fruit first
• Who needs a zero-day?
WHOAMI
• Beau Bullock
• Pentester at Black Hills Information Security
• OSCP, OSWP, GXPN, GPEN, GCIH, GCFA, and GSEC
• Previously an enterprise defender
• Host of Hack Naked TV
• Guitarist/Audio Engineer
WHAT ARE YOU BUYING?
• Penetration test vs. vulnerability assessment
• If your scanner results look like this you probably don’t need a pentest.
VULNERABILITY ASSESSMENT
• Help identify low-hanging fruit
• Typically broader in scope
• Locate and identify assets
• Opportunity to tune detection devices
• Helps an organization improve overall security posture
PENETRATION TEST
• Goal driven
• Targeted escalation tactics
• Typically try to avoid detection
• Can your security posture withstand an advanced attacker?
LET’S TALK ABOUT SOME COMMON ISSUES
1 - PATCHES
• Vulnerabilities we still find all the time that should be patched:
• MS08-067
• MS14-068
• PsExec Patch
• ColdFusion Patches
• ShellShock
• Heartbleed
LOOKING FOR VULNERABLE SYSTEMS
• Get-ExploitableSystem from PowerView by @harmj0y
• Queries Active Directory for hostnames, OS versions, and service pack levels
• Cross-references those with common Metasploit modules
https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerView/powerview.ps1
PATCHES WON’T FIX EVERYTHING
2 - GROUP POLICY PREFERENCES (GPP)
• Extensions of Active Directory
• Configurable settings for use with Group Policy Objects
• Advanced settings for folders, mapped drives, and printers.
• Deploy applications
• Create a local administrator account
http://www.dannyeckes.com/create-local-admin-group-policy-gpo/
2 - GPP (CONTINUED)
• Passwords of accounts set by GPP are trivially decrypted!
• …by ANY authenticated user on the domain
• Located in *.xml files on SYSVOL
• Microsoft’s AES encryption key is publicly available
https://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be.aspx
http://blogs.technet.com/b/srd/archive/2014/05/13/ms14-025-an-update-for-group-policy-preferences.aspx
https://dirteam.com/sander/2014/05/23/security-thoughts-passwords-in-group-policy-preferences-cve-2014-1812/
2 - GPP (WHAT DOES THE PATCH DO?)
• May 13, 2014 – MS14-025
• MS14-025 removes the ability to create local accounts with GPP
• Doesn’t remove previous entries!
• You need to manually delete these accounts
2 - GPP (SUMMARY)
• First thing I check for on an internal assessment
• Almost always find an admin password here
• Find it with:
• PowerSploit - Get-GPPPassword
• Metasploit GPP Module
• Or…
C:\>findstr /S cpassword %logonserver%\sysvol\*.xml
https://github.com/mattifestation/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1
http://www.rapid7.com/db/modules/post/windows/gather/credentials/gpp
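An added defender-side audit for the GPP issue above, not the deck's own tool or Get-GPPPassword: it walks a SYSVOL copy and lists every preference item that still carries a cpassword attribute, so the leftover entries the patch does not remove can be deleted. The SYSVOL layout and the file names other than Groups.xml are assumptions, and the sample Groups.xml is constructed.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Preference files that can carry a cpassword attribute. Groups.xml is the
# "create a local administrator" case; the other names are assumed here.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Printers.xml", "Drives.xml"}

def find_cpasswords(sysvol_root):
    """List every preference item under sysvol_root that still carries a
    cpassword attribute. MS14-025 only blocks creating new ones, so old
    entries found here must be removed by hand."""
    findings = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for name in files:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                continue  # malformed XML: skip the file rather than abort
            # The password sits on the <Properties> child of each item.
            for props in root.iter("Properties"):
                cpass = props.get("cpassword")
                if cpass is not None:
                    account = props.get("userName") or props.get("runAs") or "?"
                    findings.append({"file": path, "account": account,
                                     "empty": cpass == ""})
    return findings

# Constructed sample Groups.xml; the cpassword value is a placeholder,
# not a real encrypted blob, and the layout mirrors what GPP writes.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin">
    <Properties action="U" newName="" fullName="" description=""
      cpassword="PLACEHOLDER_BASE64" changeLogon="0" noChange="1"
      neverExpires="1" acctDisabled="0" userName="LocalAdmin"/>
  </User>
</Groups>
"""

def demo():
    """Lay the sample out in a SYSVOL-style path and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        gpo_dir = os.path.join(tmp, "Policies", "GPO-GUID", "Machine",
                               "Preferences", "Groups")
        os.makedirs(gpo_dir)
        with open(os.path.join(gpo_dir, "Groups.xml"), "w") as fh:
            fh.write(SAMPLE_GROUPS_XML)
        return find_cpasswords(tmp)
```

Point `find_cpasswords` at a mounted `\\domain\SYSVOL` copy to audit a real domain; an `empty` finding still means the item was created before the patch and should be reviewed.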
3 - WIDESPREAD LOCAL ADMINISTRATOR ACCOUNT
• Makes it easy to pivot from workstation to workstation
• Using creds found elsewhere:
• SMB_Login Metasploit Module
http://www.rapid7.com/db/modules/auxiliary/scanner/smb/smb_login
@FOR /F %s in (systems.txt) DO @net use \\%s\C$ /user:.\Administrator AdminPass 1>NUL 2>&1 && @echo %s>>admin_access.txt && @net use /delete \\%s\C$ > NUL
3 - WIDESPREAD LOCAL ADMIN (CONTINUED)
• What’s next?
• Hunt for Domain Admins – JoeWare NetSess, Veil-PowerView UserHunter
• PsExec_psh Metasploit Module
• RDP?
• If we don’t have cleartext creds:
• Pass-the-hash
http://www.joeware.net/freetools/tools/netsess/index.htm
https://www.veil-framework.com/hunting-users-veil-framework/
http://www.rapid7.com/db/modules/exploit/windows/smb/psexec_psh
4 - PASSWORDS
• Default Passwords
• admin:admin
• tomcat:tomcat
• Pwnedlist or Have I Been Pwned
• Credentials from previous data breaches
• Weak domain password policy?
• Password spraying
http://splashdata.com/press/worst-passwords-of-2014.htm
4 - PASSWORD SPRAYING
• Domain locks out accounts after a certain number of failed logins
• Can’t brute force a single user’s password
• Solution:
• Try a number of passwords less than the domain lockout policy against EVERY account in the domain
4 - PASSWORD SPRAYING (CONTINUED)
• Lockout Policy = Threshold of five
• Let’s try one
• What passwords do we try?
• SeasonYear (Summer2016)
• Password123
• Companyname123
• Etc.
@FOR /F %n in (users.txt) DO @FOR /F %p in (pass.txt) DO @net use \\DOMAINCONTROLLER\IPC$ /user:DOMAIN\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete \\DOMAINCONTROLLER\IPC$ > NUL
http://www.lanmaster53.com/
https://github.com/lukebaggett/powerspray
4 - PASSWORDS (CONTINUED)
• Increase password length
• Don’t make ridiculous policies
• Remember… correcthorsebatterystaple
• Check haveibeenpwned
• Password spray
http://xkcd.com/936/
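An added detection example for the spraying slides above and the "Password spray" self-check bullet, not from the original deck: it applies the spray shape (many accounts, each with fewer failures than the lockout threshold, inside one window) to a constructed set of failed-logon records, reduced from what a Windows 4625 event carries, and separates a spray from a single-account brute force.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-logon records, reduced from what a Windows
# 4625 event carries to "<timestamp> <target user> <source ip>". Source
# 10.1.1.50 sprays one guess across six accounts, 10.1.1.77 hammers one
# account (brute force), 10.1.1.90 is a single typo.
SAMPLE_LOG = """\
2016-06-13T09:00:01 alice 10.1.1.50
2016-06-13T09:00:03 bob 10.1.1.50
2016-06-13T09:00:05 carol 10.1.1.50
2016-06-13T09:00:07 dave 10.1.1.50
2016-06-13T09:00:09 erin 10.1.1.50
2016-06-13T09:00:11 frank 10.1.1.50
2016-06-13T09:00:13 alice 10.1.1.50
2016-06-13T09:01:00 alice 10.1.1.77
2016-06-13T09:01:01 alice 10.1.1.77
2016-06-13T09:01:02 alice 10.1.1.77
2016-06-13T09:01:03 alice 10.1.1.77
2016-06-13T09:01:04 alice 10.1.1.77
2016-06-13T09:01:05 alice 10.1.1.77
2016-06-13T09:05:00 grace 10.1.1.90
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")

def parse(log):
    """Turn log text into sorted (timestamp, user, source) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)),
                           m.group(2), m.group(3)))
    return sorted(events)

def detect_sprays(log, window=timedelta(minutes=10), min_users=5, lockout=5):
    """Return {source: (distinct_users, max_failures_per_user)} for sources
    that fail against many accounts inside one window while staying under
    the lockout threshold on each account. That is the spray pattern; a
    single-account brute force trips lockout instead and is not reported."""
    by_source = defaultdict(list)
    for ts, user, source in parse(log):
        by_source[source].append((ts, user))
    hits = {}
    for source, events in by_source.items():
        for i, (start, _user) in enumerate(events):
            # all failures from this source within `window` of this one
            per_user = Counter(u for ts, u in events[i:] if ts - start <= window)
            if len(per_user) >= min_users and max(per_user.values()) < lockout:
                hits[source] = (len(per_user), max(per_user.values()))
                break
    return hits
```

Tune `lockout` to the domain's real threshold and `min_users` to what is normal for a shared NAT or proxy address, otherwise a busy terminal server will look like a sprayer.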
5 - OVERPRIVILEGED USERS (LOCAL HOST)
• Are your standard users already local admins?
• This takes out a major step of privilege escalation
• Only grant admin access where necessary, not globally
6 - OVERPRIVILEGED USERS (OTHER HOSTS)
Occasionally, admins get lazy… and do things like add “Domain Users” group to the “Local Administrators” group
• This means EVERY domain user is now an administrator of that system
• PowerView Find-LocalAdminAccess
• PowerView Invoke-ShareFinder
http://www.harmj0y.net/blog/penetesting/finding-local-admin-with-the-veil-framework/
WHAT INFORMATION CAN YOU LEARN FROM USERS ON THE NETWORK?
7 - FILES ON SHARES
• Sensitive files on shares?
• Find them with more PowerView awesomeness…
• Use list generated by ShareFinder with FileFinder
• FileFinder will find files with the following strings in their title:
• ‘*pass*’, ‘*sensitive*’, ‘*admin*’, ‘*secret*’, ‘*login*’, ‘*unattend*.xml’, ‘*.vmdk’, ‘*creds*’, or ‘*credential*’
https://www.veil-framework.com/hunting-sensitive-data-veil-framework/
8 - INFORMATION DISCLOSURE ON INTRANET
• Knowledge Bases are helpful to employees… and attackers
• Helpdesk tickets
• How-to articles
• Emails
• Search functionality is our best friend
• Search for <insert critical infrastructure name, sensitive data type, or ‘password’>
9 - NETBIOS AND LLMNR POISONING
• LLMNR = Link-Local Multicast Name Resolution
• NBT-NS = NetBIOS over TCP/IP Name Service
• Both help hosts identify each other when DNS fails
http://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning
9 - NETBIOS AND LLMNR (CONTINUED)
• SpiderLabs Responder
• Poisons NBT-NS and LLMNR
• The result is we obtain NTLM challenge/response hashes
• Crack hashes
https://github.com/Spiderlabs/Responder
https://www.trustwave.com/Resources/SpiderLabs-Blog/Introducing-Responder-1-0/
10 - LOCAL WORKSTATION PRIVILEGE ESCALATION
• PowerUp!
• Another awesome Veil tool
• Invoke-AllChecks looks for potential privilege escalation vectors
http://www.verisgroup.com/2014/06/17/powerup-usage/
SUMMARY (10 COMMON ISSUES)
• 1. Missing Patches
• 2. Group Policy Preference Passwords
• 3. Widespread Local Administrator Accounts
• 4. Weak Password Policy
• 5. Overprivileged Users (admin of local host)
• 6. Overprivileged Users (admin of other hosts)
• 7. Sensitive Files on Shares
• 8. Information Disclosure on Intranet Sites
• 9. NetBIOS and LLMNR Poisoning
• 10. Local Workstation Privilege Escalation
NOW TO PREP YOUR PENTEST BUG OUT BAG
TUNE DETECTION DEVICES
• Test your network security devices prior to a pentest for common pentester activities
• Meterpreter shells
• Portscans
• Password spraying
• Use of Windows cmd line tools like ‘net’, or ‘whoami’
PERFORM EGRESS FILTERING
• Block outbound access except where needed
• Implement an authenticated web proxy and force all web traffic through it
• Block ‘uncategorized’ sites
• Portscan AllPorts.Exposed from the inside of your network
• See what ports are allowed outbound
THINGS THAT MAKE OUR JOB HARD
• Application whitelisting
• Disabling PowerShell
• Network access control
• Network segmentation
• Two-Factor authentication
• Locking down outbound access
• Strong password policies
• Fixing the other items mentioned earlier
THINGS NOT TO DO DURING A PENTEST
• Inform your teams that the test is happening
• Monitor, but don’t interfere during a pentest
• Enforce different policies on the pentester than “normal” users
• Alert users to an upcoming phishing test
PENTEST PREPARATION GUIDE
PENTEST PREP GUIDE
• Details the 10 issues I talked about today
• How to identify
• How to remediate
• Hopefully this will help organizations prepare for an upcoming penetration test
• …or help a pentester to pivot more easily
CHECKLIST!
DOWNLOAD HERE
http://bit.ly/1Uk6fKS
THANK YOU!
• Contact info:
• beau@blackhillsinfosec.com
• beau@dafthack.com
• Twitter - @dafthack

Pentest Apocalypse - SANSFIRE 2016 Edition