Sandro "guly" Zaccarini
PENTESTING AN UNFRIENDLY ENVIRONMENT:
BYPASSING (UN)COMMON DEFENCES AND
MATE THE KING
some visibility to the sponsors of course
once upon a time in a high school
1995, dade murphy used his hacking skills to seduce kate libby
looking for help to learn
▸ caught up in excitement, a decision was taken:
▸ have to learn to hack
▸ ...must ask for mentorship from that weirdy^Wquirky guy who lives in the CLI
sure we can do the same! we just have to learn operating systems from the inside, a couple of scripting languages, C and assembly, follow a bunch of people on twitter/youtube/facebook/linkedin, of course reddit/netsec is gold. and also should follow 245 blogs...
brain overflow
▸ too much work, not enough time
▸ lazyweb to the rescue: !google hacking tutorials
▸ HOWTO hack with^W^Winstall Kali Linux
▸ MSSQL penetration testing using nmap
▸ From PHP local file inclusion to RCE
▸ Windows Hacking (a.k.a. MS08-067 / psexec with Local Admin)
▸ From directory listing to uid 0
easy peasy
whoami
▸ Sandro "guly" Zaccarini
▸ proud father
▸ martial&security artist
▸ wine&food taster
▸ @theguly
▸ happy to build and secure
▸ hungry to break
▸ born purple
of course everything seen in real life is protected by NDA, no really-real stuff will be shown
let's start
▸ full scope pentest
▸ OSINT, then nmap all the things
▸ found some websites, an Exchange and nothing more:
▸ https://www.bigcorp.it
▸ http://timesheet.bigcorp.it:8080
VERIFY /MANAGER/HTML
DIG!
tutes chapter 1
▸ website: dirbuster, wfuzz, CMSmap, shell upload, pwn
▸ bruteforce is slow, and this looks like a custom website
▸ won't find anything, not even forgotten backups
▸ tomcat: upload bypass, weak credentials
▸ ./msfconsole, use, set, exploit, pwn
"dirbuster" in background, because it's cheap, and move on to tomcat
tomcat manager 02
▸ see video at https://www.youtube.com/watch?v=YMfK_xq2iAc
our tool of choice: reGeorg
▸ all we could use was 8080/tcp inbound: let's proxy it
▸ The successor to reDuh, pwn a bastion webserver and create SOCKS proxies through the DMZ. Pivot and pwn.
▸ https://github.com/sensepost/reGeorg
[diagram: TOMCAT listening on 8080/TCP, everything else DROP; REGEORG tunnelled over it, exposing a socks5 proxy]
a simplification of what's happening
tutes chapter 2 - linux privesc
▸ ./linux-priv-esc.sh && ./LinEnum.sh
▸ lots of *possible* kernel exploits
▸ sudo/sudoedit local root
▸ ...and many more
▸ ...but we heard about that somethingc0w universal root
easy root
▸ after a quick search/edit at the dirtycow exploit list:
for example, exploit number 3 in the list backs up passwd to /usr/bin/passwd.bak

what happens if you run it twice? :) (hint: the second run overwrites the backup with the already patched binary)
confirm the reason of the oops
▸ we have a clue about that tomcat oops:
again, this is a simplification. of course the network is filtered on the gateway and not just here with iptables
local file inclusion
▸ crawling, found what looks like the backup of a website:
very easy local file inclusion, let's pwn the webserver!
tutes chapter 3 - PHP+LFI+RCE
▸ ?page=/proc/self/environ
▸ include(/proc/self/environ): failed to open stream: Permission denied
▸ ?page=/var/log/httpd/access_log
▸ include(/var/log/httpd/access_log): failed to open stream: Permission denied
▸ ?page=/var/lib/php/session/sess_ID
▸ are you sure you can write arbitrary data to sessions?
▸ upload and ?page=/tmp/`mkstemp`
▸ if you can upload there is a race to win, if you can't there's no race at all
▸ ?page=expect://ls
▸ include(): Unable to find the wrapper "expect"
▸ ?page=php://input data:// etc
▸ allow_url_include anyone? :)
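Every one of the ?page= attempts on this slide leaves a distinctive trace in the web server's access log, which is what a defender can alert on. The following is an added example (mine, not the talk's or any tool's code) that scans constructed Apache combined-format lines for include-style parameter abuse: absolute paths, traversal, the stream wrappers and the sensitive targets listed above; the parameter name `page` and the sample lines are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache "combined" access log line; the sample lines below are constructed, not real traffic
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# PHP stream wrappers that turn include() into code execution or data exfiltration
WRAPPERS = ("php://", "expect://", "data:", "file://", "phar://", "zip://", "glob://")

# the LFI-to-RCE stepping stones the slide walks through, plus the usual suspects
SENSITIVE_PATHS = ("/proc/self/environ", "/var/log/", "/var/lib/php/session/",
                   "/etc/passwd", "/tmp/")

# constructed sample, modelled on the ?page= requests from the slide
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Jan/2018:10:00:01 +0100] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Jan/2018:10:00:02 +0100] "GET /index.php?page=/proc/self/environ HTTP/1.1" 200 89 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Jan/2018:10:00:03 +0100] "GET /index.php?page=..%2F..%2F..%2Fvar%2Flog%2Fhttpd%2Faccess_log HTTP/1.1" 200 89 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Jan/2018:10:00:04 +0100] "GET /index.php?page=/var/lib/php/session/sess_deadbeef HTTP/1.1" 200 89 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Jan/2018:10:00:05 +0100] "GET /index.php?page=expect://ls HTTP/1.1" 200 95 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Jan/2018:10:00:06 +0100] "GET /index.php?page=php://input HTTP/1.1" 200 95 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2018:10:00:07 +0100] "GET /index.php?page=contact HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
]


def lfi_indicators(value):
    """Return the reasons a parameter value looks like an include() abuse attempt."""
    # decode twice: double URL-encoding is a common way to slip past naive filters
    v = unquote(unquote(value)).lower()
    reasons = []
    if "../" in v or "..\\" in v:
        reasons.append("directory traversal")
    if v.startswith("/"):
        reasons.append("absolute path")
    if v.startswith(WRAPPERS):
        reasons.append("stream wrapper")
    if any(p in v for p in SENSITIVE_PATHS):
        reasons.append("sensitive path")
    if "\x00" in v:
        reasons.append("null byte")
    return reasons


def scan_access_log(lines, params=("page",)):
    """Return (ip, target, reasons) for every request whose include-style parameter looks hostile."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash on garbage
        query = urlsplit(m["target"]).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name in params:
                reasons = lfi_indicators(value)
                if reasons:
                    hits.append((m["ip"], m["target"], reasons))
    return hits


if __name__ == "__main__":
    for ip, target, reasons in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {target} -> {', '.join(reasons)}")
```

The "Permission denied" and "Unable to find the wrapper" answers on the slide are the server-side half of the same defence: a web server user that cannot read logs or session files, and a PHP build without expect and with allow_url_include off, turn each of these requests into a log line instead of a shell.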
local file inclusion oops...
▸ rules of thumb: YMMV
▸ PHP LFI to RCE is more difficult nowadays
▸ chain bugs and business logic, there is (almost) always a path to RCE
back to the plan
▸ now, back to the plan: there is possible low-hanging fruit
▸ what has been pwned:
▸ bastion host (root dance here)
▸ webapp
▸ mysql database
▸ tutes say: Responder.py FTW!
once you have a foot on a network, tutorials say that Responder is the way to domain admin. let's go!
tutes chapter 4 - Responder.py
▸ steps:
▸ Responder.py
▸ smbrelayx.py
▸ psexec
▸ win
Respond all the things!...or not
nothing happens here...
tutes chapter 5
▸ and nobody should be LA if not really needed...(ok, ok :) )
▸ but: our server is in a DMZ and we don't have any access to smb/wmi in the LAN
▸ and we shouldn't even see any useful traffic
back to the plan[2]
▸ what we have:
▸ an Exchange
▸ a timesheet app (maybe they also collect reports?)
▸ teh timesheet interface itself!1
capture passwords for teh glory
this is auth.jsp
we saw in the mysql config that the timesheet authenticates against LDAP, a.k.a. (hopefully) valid domain creds
therefore we add an unNoticedRoutine that logs creds
while unNoticedRoutine works unnoticed
▸ lurk into the timesheet database: no useful info, just hrs and customers' names
▸ still no logins (a.k.a. domain creds) so far
▸ maybe we could also tamper with login.jsp for the lulz
"for the lulz" of course means BeEF
let's BeEF it!
▸ quite dirty but handy
[diagram: TOMCAT on 8080/TCP, everything else DROP; INDEX.JSP serves the BEEF HOOK; the hooked browser talks to BEEF alongside its TRUSTED WEBSITES]
BeEF oops...
timesheet logs show accesses, but no hook in here

we know that the network is segmented and "well" protected at layer 4. we suspect that there is also layer 7 protection (read: web proxy)

but wait, if we saw log entries it means that we have credentials!
meantime our unNoticedRoutine()...
▸ logged some credentials!
▸ how to (ab)use those creds?
▸ Exchange maybe?
▸ something more than email lurking?
hold on, overexcitement here
let's rule it out!
▸ Ruler is a tool that allows you to interact with Exchange servers remotely, through either the MAPI/HTTP or RPC/HTTP protocol. The main aim is to abuse the client-side Outlook features and gain a shell remotely.
▸ drops a shell by abusing scripting at:
▸ outlook rules
▸ outlook forms
▸ outlook home page
▸ https://github.com/sensepost/ruler
because we're talking about pitfalls...
▸ outlook rules: patched 06/2017
▸ outlook forms: patched 10/2017
▸ outlook home page: patched 10/2017
"works for sure", doesn't it? no, patched :)
never overlook lurking
▸ MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.).
▸ also GAL, too-open mailboxes, password spray
▸ https://github.com/dafthack/MailSniper
▸ what's not *that* explicit is that it needs a valid "domain session" OR an Exchange admin account...oops...
▸ will keep this for next session maybe :)
back to BeEF oops...
back to that possible web proxy, start with an assumption
with a little help from a friend
▸ Domain Fronting A.K.A. High Reputation Redirectors
▸ CDN anyone?
original pictures from https://blog.cobaltstrike.com/
a very good read is here: https://bitrot.sh/post/30-11-2017-domain-fronting-with-meterpreter/
with a little help from a friend...
▸ cloudfront, like lots of other CDNs, lets us bypass the reputational filter and hook the target
▸ note: ALL the traffic goes through the CDN, both the hook and the following communications between the browser and the BeEF service
▸ oops warning: they also do some basic malware analysis
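The trick that gets the hook past a reputation filter, a high-reputation name in the TLS SNI and the real CDN distribution in the HTTP Host header, is also the handle a defender has on it. The following is an added example (mine, not from the talk, BeEF or Cobalt Strike) that flags requests whose SNI and Host belong to different domains and counts them per source, so the steady hook-to-BeEF traffic that all flows through the CDN stands out; it assumes a proxy that terminates TLS (without inspection only the SNI is visible), and the record format and sample values are constructed.

```python
from collections import Counter

# constructed sample: one record per TLS-inspected HTTPS request, roughly what a
# decrypting web proxy logs. Field names are an assumption, not any vendor's format.
SAMPLE_RECORDS = [
    {"src": "10.1.2.3", "sni": "www.bigcorp.it", "host": "www.bigcorp.it", "path": "/"},
    # reputable SNI, but the Host header names a different CloudFront distribution: fronted
    {"src": "10.1.2.3", "sni": "static.example-cdn.net", "host": "d111example.cloudfront.net", "path": "/hook.js"},
    {"src": "10.1.2.3", "sni": "static.example-cdn.net", "host": "d111example.cloudfront.net", "path": "/dh"},
    {"src": "10.1.2.3", "sni": "static.example-cdn.net", "host": "d111example.cloudfront.net", "path": "/dh"},
    # same registrable domain with a www label and an explicit port: benign
    {"src": "10.1.2.4", "sni": "example.org", "host": "www.example.org:443", "path": "/index.html"},
    # no SNI at all: nothing to compare here, handle it with a separate rule
    {"src": "10.1.2.5", "sni": "", "host": "d222example.cloudfront.net", "path": "/"},
]


def registrable_domain(name):
    """Crude eTLD+1 (last two labels, port stripped). Use the Public Suffix List in production."""
    labels = name.lower().rstrip(".").split(":")[0].split(".")
    return ".".join(labels[-2:])


def is_fronted(rec):
    """True when the TLS SNI and the HTTP Host header belong to different domains."""
    sni, host = rec.get("sni", ""), rec.get("host", "")
    if not sni or not host:
        return False  # missing SNI or Host is worth its own alert, not a fronting one
    return registrable_domain(sni) != registrable_domain(host)


def fronting_alerts(records):
    """Group fronted requests per (src, sni, host) so repeated hook/C2 traffic stands out."""
    counts = Counter(
        (r["src"], r["sni"].lower(), r["host"].lower().split(":")[0])
        for r in records
        if is_fronted(r)
    )
    return [
        {"src": src, "sni": sni, "host": host, "requests": n}
        for (src, sni, host), n in sorted(counts.items())
    ]


if __name__ == "__main__":
    for alert in fronting_alerts(SAMPLE_RECORDS):
        print(f"{alert['src']}: SNI {alert['sni']} but Host {alert['host']} "
              f"({alert['requests']} requests)")
```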
now, back to beef that hooked a browser
BeEFed
▸ see video at https://www.youtube.com/watch?v=lCT6dJHO1vc
time's almost gone
▸ we already stumbled^Wdodged lots of stones
▸ prepare to evade a possible (NextGen) AntiVirus
▸ no more chances to fail, AKA no chances to test even a part of the FUD tutorial plethora
FUD of course means fully undetectable, NOT fear/uncertainty/doubt :)
last chance, shellter the exe
▸ see video at https://www.youtube.com/watch?v=6v20_gNRD4I
approved by Bob: ShellterPro
▸ Shellter is a dynamic shellcode injection tool, and the first truly dynamic PE infector ever created.
▸ One-stop-shop for AV evasion
▸ ShellterPro introduces some extra features:
▸ Dynamic Payload Injection In DLLs
▸ Multi-Payload Chaining
▸ donates part of the fee
pro means $$, but it's very cheap :)
last oops, at least for today
▸ meterpreter supports domain fronting since nov 2017
because i'm not that lucky, meterpreter/reverse_https also looked broken while i was working on this presentation :)
with a little help from a friend...
▸ see video at https://www.youtube.com/watch?v=-Wu23uDsLDo
we're in LAN, jig dance!
time's gone,
but Domain Admin
isn't that far...
...to be continued?
thanks!
▸ Acta est fabula, plaudite!
▸ Wait wait, any questions?
▸ feedback please!
▸ guly@guly.org
▸ @theguly