Owning One Rule All v2

8/13/2019 Owning One Rule All v2

1/50

Defcon 20 Owning One To Rule Them All

Dave DeSimone (@d2theave)Manager, Information Security

Fortune 1000

Dave Kennedy (@dave_rel1k)Founder, Principal Security Consultant

@TrustedSec


2/50

!"#$% %'( )*(+,(-

Founder, Principal Security Consultant at TrustedSec. Business guy, Penetration Tester, Exploit Writer. Creator of The Social-Engineer Toolkit (SET) and Artillery. Author of Metasploit: The Penetration Testers Guide. Back|Track Development Team Exploit-DB Team Social-

Engineer.org and ISDPodcast.


3/50

.'( /#01(*%

Compromise as few systems as absolutelynecessary without needing them all.

Repeatable to most companies (tested on anumber of pentests)

Attack systems that normally dont get attacked.


4/50

203(-4%+03506 .(1'0#7#68

A few concepts well dive into how they work andunderstand them.

Well cover step by step how to reproduce what we didhere.

Establish a methodology for doing this in a pentest.


5/50

9:;


6/50

=(+4#0 >#- 9:;

Allows you to load a corporate standard image on amachine through the network.

Usually have multiple types of images, such as Serverimages, Workstation images, etc.

Ability to streamline corporate images to any user on thenetwork.


7/50

.8*(4 #> 9:; )$**#-%(3 ?@+6506

Every vendor has a network imaging solution, mostpopular is Microsoft.

Light-Touch and Zero-Touch are the two most widely usedimaging software solutions out there.

There are others such Symantec, etc. that provide imagingas well.


8/50

A56'% .#$1'

Requires user interaction in order to successfully install thebase image.

Some require a password in order to load, this is only adomain user account typically (its all fileshare permissions tothe image).

Ability to load a full image preconfigured.


9/50

A56'% .#$1' )1-((04'#%4


10/50

A56'% .#$1' )1-((04'#%4


11/50

A56'% .#$1' )1-((04'#%4


12/50


13/50

B(-# .#$1' )1-((04'#%4


14/50

B(-# .#$1' )1-((04'#%4


15/50

B(-# .#$1' )1-((04'#%4


16/50

B(-# .#$1' )1-((04'#%4


17/50

B(-# .#$1' )1-((04'#%4


18/50

B(-# .#$1' )1-((04'#%4


19/50

B(-# .#$1' )1-((04'#%4


20/50

C5-4% 9'+4( #> !D+1,

Internal Penetration Test Boot into a PXE environment, loads base corporate image. Dump local admin hashes (automatically updated since its

joined to the domain) on the machine.


21/50

9577+6( ?0>#-@+E#0

When we did this for the first time, we noticed an SCCMagent.

Thought this an interesting avenue of attack and possiblyfruitful from an attack standpoint.


22/50


23/50

)//G !-1'5%(1%$-(

Left blank, need to show an architecture map

'D*JKK"7#64L@430L1#@K"K4'5%+04'$K+-1'5M(KNOPOKOQKPRK*'+4(SPS1#0F6$-+E#0S@+0+6(-SM5-%$+75T+E#0S50S@51-#4#US5%L+4*V


24/50

.'( !D+1, W 9'+4( N

On the compromised machine, the SCCM agent isalready deployed and preconfigured.

As a standard user, you can pull information from theSCCM agent that will enumerate the name of thecentral/primary server and other configurationproperties.

Review SCCM logs on the compromised machine togather information on how often package runs and alsoto determine site code, package name and ID.


25/50

)1-((04'#% #> )//G !6(0%


26/50

)1-((04'#% #> )//G A#64


27/50

)1-((04'#% #> )//G A#64 H1#0%X3LI


28/50

Y'+% Z( '+M( 4# >+-

Local admin credentials in most cases those are the sameon every system.

SCCM Management Server hostname Our target SCCM Package ID - Will be used during attack


29/50

.'( [#+7

Log onto an SCCM server withlocal administrator permissions.

Gain access to the sourcerepository which is typically onthe central management server.

Pack/backdoor a valid package,then deploy to the entirecompany.


30/50

)%(* P

Log into the SCCM server as a local administrator. Need to find the source repository on the system

Query WMI Root/SMS/!Permissions Check Application Logs within Event Viewer for source

directories

This is typically a file share on the machine, usually markedsource$ or sccmsource$.


31/50


32/50

Building a Simple Reverse Shell


33/50

.'( =(M(-4( )'(77

Connects out to the attacker (reverse shell).


34/50

/#@*57506


35/50

G+,506 5% (+48 W *8"$573L*8

All code and samples will be released on the TrustedSecwebsite soon.


36/50

DEMO: Building a Shell


37/50


38/50

)%(* Q

Take one of the source packages, replace it with thebackdoored version of it.

Example, grab our reverse shell executable, and use thebackdoor functionality with msfvenom.

Now you have a new malicious package ready to bedeployed.


39/50

9-#"7(@

Package will not deploywithout a proper

signature/hash.

Need a way to update thesignature in order tocomplete the deployment.


40/50

)1(0+-5# P

New script being released today,goes in the startup directory ofany user on the machine.

Automatically updates thepackage using the SCCM adminscredentials and creates a newsignature for the file.

Forces a package source refreshand initiates packagedeployment to associated clients.


41/50

)1-5*%

strSMSServer = " Server Name Found within Client Configuration Manager)strPackageID = " Package ID Found within Client logs)Set objLoc = CreateObject("WbemScripting.SWbemLocator")Set objSMS= objLoc.ConnectServer(strSMSServer, "root\sms")Set Results = objSMS.ExecQuery _

("SELECT * From SMS_ProviderLocation WHERE ProviderForLocalSite = true")

For each Loc in ResultsIf Loc.ProviderForLocalSite = True Then

Set objSMS2 = objLoc.ConnectServer(Loc.Machine, "root\sms\site_"& _Loc.SiteCode)

strSMSSiteCode = Loc.SiteCodeend if

Next

Set objPkgs = objSMS2.ExecQuery("select * from SMS_Package where PackageID = '" & strPackageID & "'")for each objPkg in objPkgsobjPkg.RefreshPkgSource(0) Refreshes the package source at all distribution pointsNext


42/50

)1(0+-5# N

If you have databaseaccess on the machine,you can use acombination of database

+ wmi and others tocreate a package andupdate the signature.

New tool being releasedwithin the next fewweeks (still fixing bugs).


43/50

G+,506 %'5064 (+45(-

SCCM 2012 simplifies a lot ofthese steps for us automatically.

Rights are easier to manage andmakes it less complex for ourneeds (hackers) to enumeratebefore performing this attack.

SCCM 2012 SP1 alsoincorporates patching for thirdparties, Unix/Linux, OSX, etc.


44/50

.'( !D+1,

PXE boot into Windows Image, dump local adminhashes or cached credentials.

Enumerate SCCM location and log into server with localadministrator rights. Locate the source directory for the packages of SCCM.


45/50

.'( !D+1, H1#0%X3I

Grab one of the source files, or all of them. Backdoor withmalicious code.

Update the startup scripts for logged in users, boot themoffif you want so they re-establish. Wait for the shells =) Pop a box.


46/50

DEMO 1 Manual Attack


47/50

DEMO 2 Using SET


48/50

Y-+**506 2*

This attack seems to work for us on 90% of our internalpenetration tests.

Easy to do, takes less than an hour. Hard to protect against, everyone is using PXE and SCCM.


49/50

9-#%(1E06 !6+504% .'54

Ensure that PXE is limited only to help desk / imagingsubnets.

Monitor the SCCM servers for malicious traffic. Monitor source files for unwanted changes. Detective controls will be your biggest savior on this

one.

Separate credentials for SCCM.


50/50

Defcon 20 Owning One To Rule Them All

Dave DeSimone (@d2theave)Manager, Information Security

Fortune 1000

Dave Kennedy (@dave_rel1k)Founder, Principal Security Consultant

@TrustedSec

Documents

Owning One Rule All v2