Part one of the DA trilogy Presented at BSides 2017 Edinburgh presentation The Hunt For The Red DA by Neil Lines https://youtu.be/pYErty7a5M8

1. Hunt for the red DA..

2. “Who am I?”

3. • Neil Lines - Pen Tester
• Involved in a range of security areas.
• Social Engineering (SE) is my favourite!

4. Part of
Team
Nettitude…

5. Quick Background..

6. The Media listed top nation-state
threats 2016!
Russia, China, Iran and North
Korea!
Source www.cbsnews.com

7. Cyber spying, or cyber espionage, is the act or
practice of obtaining secrets and information
without the permission and knowledge of the
holder of the information.
Source Wikipedia

8. Michael Daniel - Former US Special Assistant to the President and
Cybersecurity Coordinator.
“Your never be able to prevent all of them,
everything is penetrable eventually…”

9. What are the targets ?

10. • Transport
• Manufacturing / Retail
• Energy companies
• FINANCIAL companies
• Medical companies

11. Forget 0 days
Think
day zero!

12. After the power went it all
changed…

13. Last Sunday
02/04/2017

15. We are at war…

16. But To date No single act
of cybercrime has been
regarded as an act of
war?

17. Think Nation-State
Cyber threats
What do you think?

18. • Very costly;
• Massive global attacks;
• Highly sophisticated;
• The Pro’s…

19. An example…

22. What was taken…

23. • Personal information about Sony
Pictures employees.
• E-mails between employees.
• Salary information.
• Unreleased Sony films?

24. What did the #GOP do?

25. • Remote access to internal network.
• Exploited internal misconfigurations.
• Hunted out users of interest.
• Exploited to Domain Admin (DA).
• Stole data.

27. What's the
difference
between what
they did and
what a good
Pentester
does
?

28. we don’t Steal data…

29. What a good pentester does
• Gets Remote access to internal network.
• Exploits internal misconfigurations.
• Hunt’s out users of interest.
• Exploits to Domain Admin (DA).

30. So if pentestrs are doing this
How Highly sophisticated are the
spies?

31. Boiler plate stat time…

32. • Financial Firms take on average 98 days to
detect a breach.
• Retail take on average 197 days to detect a
breach.
• How long does it take to get access?

33. Source - Survey of 70 professional hackers at
DEFCON 2016.
• (88%) of hackers can break through
cybersecurity defences and into the systems
they target within 12 hours.
• Made me laugh - What are they sleeping??

34. “Got me thinking”
• Could a single person accomplished the
SONY hack;
• Was it sophisticated?
• And what would the cost be?

35. How much is a good
laptop these days?

36. The How to…

37. From the remote to internal..
Forget Zero day’s $$$
Macro, ole , HTA, or unc ??

39. UNC is amazing,
Another example…

41. Cred cracking!
“Rocktastic”
Lets not pretend we cant crack
hashes right?

42. But why not rules??

43. Rules do not
• add football teams.
• add towns or city names.
• add top 1000 male / female names.
• And are very slow…

44. “Slow Like I Care?”

45. Reality…

46. Final point before we go internal…
One word document can contain all of the
following not just one!
Macro,
OLE,
UNC..

47. Macro…
OLE…
UNC…

50. Rocking internals!
• Exploit internal
misconfigurations.
• Use credentials gained
from UNC.

52. How does this happen?
• Misconfigured services and shares on
local machines are common.

53. • PSExec is a light-weight telnet-replacement.
• lets you execute processes on other systems.
• The new MSF Psexec uses PS ;0)

54. • psexec > set rhost IP-Address
• psexec > set smbdomain Domain
• psexec > set smbuser Username
• psexec > set smbpass Password
• psexec > set share Writable-share

56. Run it twice.

57. Getsystem is not an exploit!
It attempts to impersonates a security context
with SYSTEM rights, if this works you get SYSTEM.

58. • meterpreter > getsystem
• [-] priv_elevate_getsystem: Opeation failed:
• [-] Named Pipe Impersonation

59. GETsystem fails, cry…

60. Hit up the exploits
MS16-032 - FuzzySecurity/PS
MSF ms14_058_track_popup_menu
MSF ms15_051_client_copy_image
don’t forget UAC Exploits HarmJ0y/PowerUp.

61. meterpreter > getsystem
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b5
1404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

62. Update 101..
• Remote access to internal network;
• Exploit internal misconfigurations. Got
creds got hash!

63. Meanwhile
Time to Hunt out users of
interest (DA)…

64. So why da?
• The keys to the castle.
• Highest privileges on a single domain.
• Access all domain resources.

65. 1. Logout of Nessus, if tempted to use
uninstall.
2. Start to listen to the traffic.
3. Know your tools.
The hunt begins!

66. Administrator:500:aad3b435b51404eeaad3b435b5
1404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
The clone (PTH)…

67. Microsoft do not salt local hashes.
• “It is difficult to alter the password processing algorithms
without impacting a lot of subsystems and potentially
breaking the backward compatibility, which is the driving
force of the Windows ecosystem.”

70. Criminals catching up - slowly
• 2016 reports of Ransomware starting to use
PTH.
• Pentest Used to discover more shares.

73. When should a DA
account be used?

74. So you found DA
how do you exploit?

77. Win 10 no fun!
MSF lockout_keylogger

78. Common password
choices for da?

79. Recap
• Got external access in
• Got user creds
• Enumerated misconfigurations
• Got DA
Now what?

84. On average during a test it
takes from 30 min’s – 4
hours…

85. (88%) of hackers can break through cybersecurity
defences and into the systems they target within
12 hours.
WHY I asked if they are sleeping!!

86. Quicker ways to pwn!

87. MS14-025: Vulnerability in Group Policy…
1. Any user has rights!
2. DNS Servers . . . : 10.1.20.220
3. 10.1.20.220sysvolNAMEPolicies
4. groups.xml, scheduledtasks.xml, & services.xml
services.xml
5. Microsoft published the AES encryption key on
MSDN

90. KB2962486 - prevents new credentials from
being placed in Group Policy Preferences…
It does not delete any previous added scripts!

91. Kerberoast…
Tim Medin revealed “Kerberoasting“
To the world.
1. Any user has rights!
2. Targets service accounts.
3. Used to be complex to exploit…

92. Kerberos provides secure user
authentication with an industry standard
that permits interoperability.
Kerberos Version 5 added to Win2k – Still
used today.

94. Invoke-Kerberoast -OutputFormat HashCat|Select-
Object -ExpandProperty hash
@benpturner and @davehardy20

95. Kerberoast - Using poshc2
1. Email a macro in;
2. Select your implant;
3. Run Invoke-Kerberoast;
4. Get hash;
5. Hashcat + Rocktastic;
6. DA…

96. • I took a look back over a few months tests.
• 14 internal infrastructure tests.
• 7 remote social engineering tests.
• I’m not lazy also did Web app and external inf
tests ;0)

97. • 17 out of 21 tests DA was gained.
• 81% of my tests resulted in DA?
• Why not 100%
• Hardening, not windows (PCI), Maybe offday?

98. remote SE failed, time to travel…

99. • Remote vs Internal SE?
• Why risk it when you can send an email?
• If time was no problem remote will always win.
• But if pressed for time maybe another way?

100. Before we go all internal!
Look at another route…

101. • Internals often include wireless testing.
• Segmentation the common concern.
• Corporate WIFI vs Guest WIFI.

102. • guest networks are common.
• Guest networks if secured often have Weak PSK
or PINS 4 digi (burp).
• If Segmented correctly where's the risk?

103. • Common to find corporate users on Guest WIFI.
• Microsoft does not forget.
• Reasons why they use Its quick and easy.
• We don’t broadcast wifi far ;0)

104. • Parbolic Grid 24 dBi Directional Antenna.
• From £37
• Plugs into an ALFA.

105. Apparently can work up to 8 miles?

106. • Yagi 14dBi Directional 2 miles.
• Plugs into an ALFA.
• More realistic, easier to hide.

107. • Corporate users on Guest WIFI.
• Responder, hashes, Rocktastic.
• Fierce DNS reconnaissance tool.
• SSL VPN, OWA or Office 365.

108. When it
just
doesn’t
work!

109. • Remote + wireless fails.
• Walk in off the street.
• Tailgating at 8:45am often works great.
• 12:00 – 2:00pm turnstiles “Sorry I nipped out
for lunch and forgot my pass”

110. So on site.
• Find a place to hide, fire up responder…
• mapped drives cause broadcasts!

112. • Responder is not receiving any hashes?
• I quite enjoy this it’s a challenge.

113. • Cold boot attacks.
• People encrypt laptops not PC’s.
• BIOS boot settings often standard.
• Why do people not stop you?

114. 1. Boot Kali.
2. C:WindowsSystem32config
3. Copy SAM/SYSTEM
4. Pwdump
5. Hash

115. Bios protection
Easy to
bypass…

116. Grabbing SAM Bypass the following stages
• Responder.
• Domain user password cracking.
• Domain user share rights.
• Slight feels like cheating.

117. If all this fails then you can always fire up Nessus
lol…
Any questions?

118. @myexploit2600