STEALTH PENTESTING: I.T. DOESN’T KNOW WE ARE HERE

Upload: tx3

Post on 08-May-2015


TRANSCRIPT

Page 1: BSidesDFW - Stealth Pentesting - IT Doesn't Know We're Here

STEALTH PENTESTING: I.T. DOESN'T KNOW WE ARE HERE

Page 2

BIOs

Ryan Reynolds, Manager, Crowe Horwath. Pentester. Twitter: @reynoldsrb

Tony James, Senior Consultant, Crowe Horwath. Pentester. Twitter: @tx3_

Page 3

Audience

Blue Team
Red Team
Management
Just Here to Drink

Page 4

Agenda

World: current InfoSec state
What we might want to be doing
Tactical recommendations

Page 5

Real World Attacks

APT1
Anonymous
Corporate espionage
Syrian Electronic Army
Russian Business Network
Etc.

Page 6

Overview

Attackers are doing this:

Companies want to know how they would do against this.

Page 7

Current State

So companies hire a company to perform a "pentest" and they do this:

Page 8

Current State (contd.)

Which is harder to identify something happened?

Which is harder to identify someone is in your territory?

Page 9

Results Accurate?

The result: IT/Security says "we caught you" and tells senior management "we would catch a real attack; we caught our pentesters."

Several reasons for the fast/loud pentest

We need to adapt. Time to try and give IT a run for their money.

Page 10

What can we do?

Let's talk about a scenario and pick it up from there:

Social engineered some employees and made it in to a conference room or empty cube.

You think it would never happen... but what happened here?

http://www.tripwire.com/state-of-security/top-security-stories/hacker-use-kvm-switch-breach-santander-bank/

Page 11

You got in so now what?

No workstation present... no NAC... what to do next?

Page 12

Would You?

Common ways:
1) Port scan
2) Ping sweep
3) Password guess
4) ARP poison
5) Scan for vulns
6) Anything else?

What to consider with these?

Page 13

Play by these rules

Play by the RFCs
Traffic to a minimum
No excessive authentication
Initially... play in the safe zone

Page 14

Enumerate the goods…

So we plugged in our rogue hardware... what to do?
Fire up your favorite packet capturing software.
Identify those subnets: EIGRP / OSPF broadcasting on the user subnets with no authentication
DNS goodness
Anonymous enumeration / SID to name / krbguess
(last resort) NetBIOS? Net view?
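Added example, not code from the talk or its authors: what a passive listener gets out of a single OSPFv2 Hello overheard on a user segment, which is the "EIGRP / OSPF broadcasting on the user subnets with no authentication" item above. The packet is constructed with struct rather than captured, its checksum is left at zero, and the router and segment addresses are made up; on an engagement the bytes would come from a capture filtered on IP protocol 89 to 224.0.0.5. Only the OSPF case is covered; EIGRP uses a different layout.

```python
"""Passive audit of an OSPFv2 Hello overheard on a user segment.

Added example, not from the talk. The packet is constructed with struct
(nothing is captured) and the checksum is left at zero; only the OSPFv2
header and Hello body (RFC 2328, A.3.1 / A.3.2) are decoded.
"""
import ipaddress
import struct

# version, type, packet length, router ID, area ID, checksum, AuType, authentication
OSPF_HEADER = struct.Struct("!BBH4s4sHH8s")
# network mask, hello interval, options, router priority, dead interval, DR, BDR
OSPF_HELLO = struct.Struct("!4sHBBI4s4s")
AUTYPE_NAMES = {0: "null", 1: "simple password", 2: "cryptographic"}


def _ip(raw):
    return str(ipaddress.IPv4Address(raw))


def _packed(text):
    return ipaddress.IPv4Address(text).packed


def build_hello(router_id, area, netmask, autype=0, auth=b"", hello=10, dead=40,
                dr="0.0.0.0", bdr="0.0.0.0", neighbors=()):
    """Construct a Hello for the demo (made-up addresses, zero checksum)."""
    body = OSPF_HELLO.pack(_packed(netmask), hello, 0x02, 1, dead, _packed(dr), _packed(bdr))
    body += b"".join(_packed(n) for n in neighbors)
    header = OSPF_HEADER.pack(2, 1, OSPF_HEADER.size + len(body), _packed(router_id),
                              _packed(area), 0, autype, auth)
    return header + body


def parse_hello(pkt):
    """Decode header + Hello body; raises on anything that is not an OSPFv2 Hello."""
    version, ptype, length, rid, area, _csum, autype, auth = OSPF_HEADER.unpack_from(pkt, 0)
    if version != 2 or ptype != 1:
        raise ValueError("not an OSPFv2 Hello")
    mask, hello, options, prio, dead, dr, bdr = OSPF_HELLO.unpack_from(pkt, OSPF_HEADER.size)
    first_neighbor = OSPF_HEADER.size + OSPF_HELLO.size
    return {
        "router_id": _ip(rid), "area": _ip(area), "autype": autype, "auth": auth,
        "netmask": _ip(mask), "hello": hello, "dead": dead, "options": options,
        "priority": prio, "dr": _ip(dr), "bdr": _ip(bdr),
        "neighbors": [_ip(pkt[i:i + 4]) for i in range(first_neighbor, length, 4)],
    }


def audit_hello(pkt, segment):
    """Return (parsed fields, findings) for a Hello heard where no router should speak OSPF."""
    info = parse_hello(pkt)
    findings = [
        f"OSPF Hello from router {info['router_id']} (area {info['area']}) heard on {segment}: "
        "the interface facing this segment should be passive",
        f"leaked topology: netmask {info['netmask']}, DR {info['dr']}, BDR {info['bdr']}, "
        f"hello/dead {info['hello']}/{info['dead']}s, {len(info['neighbors'])} neighbor(s)",
    ]
    if info["autype"] == 0:
        findings.append("AuType 0 (null): every parameter needed to form an adjacency is in this packet")
    elif info["autype"] == 1:
        password = info["auth"].rstrip(b"\x00").decode("ascii", "replace")
        findings.append(f"AuType 1 (simple): password {password!r} is sent in clear")
    return info, findings


if __name__ == "__main__":
    # Constructed sample: a distribution router leaking unauthenticated Hellos into 10.20.3.0/24.
    sample = build_hello("10.1.1.1", "0.0.0.0", "255.255.255.0", dr="10.20.3.1", neighbors=["10.1.1.2"])
    for line in audit_hello(sample, "10.20.3.0/24")[1]:
        print(line)
```

The fix is the one the "Time to fix these issues" slide gives: authenticate OSPF (AuType 2) and mark the interfaces facing user segments passive so no Hello is ever sent there. With AuType 1 the 8-byte password sits in clear in the header, which is why the audit prints it rather than just flagging it.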

Page 15

How should we get auth?

Utilize those broken host discovery protocols: NetBIOS, LLMNR
Misconfigured domain services (?)
Insecure printers (Praeda)
IPv6
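Added example, not code from the talk: the LLMNR (RFC 4795) exchange that makes "broken host discovery protocols" a route to credentials. A Windows host that cannot resolve a name through DNS multicasts a query to 224.0.0.252 on UDP 5355; any host on the segment can unicast a response, and the only checks the querier can make are that the transaction ID and the question match. The names and addresses below are made up and nothing is put on the wire; whether the victim then authenticates to the returned address (SMB, HTTP proxy, etc.) depends on what triggered the lookup, which this example does not model.

```python
"""LLMNR (RFC 4795) query / response exchange as seen by hosts on one segment.

Added example, not from the talk. Messages are built with struct and never
sent. The wire format is DNS-like: a 12-byte header, a question section,
and (in responses) an answer section.
"""
import ipaddress
import struct

HEADER = struct.Struct("!6H")  # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
QR = 0x8000                    # flags bit set on responses
TYPE_A, CLASS_IN = 1, 1


def encode_name(name):
    """DNS-style label encoding: length-prefixed labels, zero terminator."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, offset):
    """Decode a name at offset; follows a compression pointer if one appears."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:
            pointer = struct.unpack_from("!H", data, offset)[0] & 0x3FFF
            tail, _ = decode_name(data, pointer)
            labels.append(tail)
            return ".".join(labels), offset + 2
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def build_query(txid, name):
    """Victim side: resolving a name DNS could not (typo'd share, stale drive mapping)."""
    return HEADER.pack(txid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def parse_message(data):
    """Decode header, questions and A-record answers of an LLMNR message."""
    txid, flags, qdcount, ancount, _ns, _ar = HEADER.unpack_from(data, 0)
    off = HEADER.size
    questions, answers = [], []
    for _ in range(qdcount):
        name, off = decode_name(data, off)
        qtype, _qclass = struct.unpack_from("!HH", data, off)
        off += 4
        questions.append((name, qtype))
    for _ in range(ancount):
        name, off = decode_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", data, off)
        off += 10
        rdata, off = data[off:off + rdlen], off + rdlen
        if rtype == TYPE_A and rdlen == 4:
            answers.append((name, str(ipaddress.IPv4Address(rdata)), ttl))
    return {"id": txid, "is_response": bool(flags & QR), "questions": questions, "answers": answers}


def build_response(query, answer_ip, ttl=30):
    """Responder side: echo the ID and question, claim the name with our own address.

    This is all a poisoner on the segment has to do; no proof of ownership is involved.
    """
    q = parse_message(query)
    name, qtype = q["questions"][0]
    header = HEADER.pack(q["id"], QR, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    answer = (encode_name(name) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4)
              + ipaddress.IPv4Address(answer_ip).packed)
    return header + question + answer


def matches_query(query, response):
    """Querier side: the only validation the protocol offers (same ID, same question)."""
    q, r = parse_message(query), parse_message(response)
    return r["is_response"] and q["id"] == r["id"] and q["questions"] == r["questions"]


if __name__ == "__main__":
    # Constructed exchange: a workstation asks for a mistyped file server name,
    # a box in the conference room (10.20.3.77) answers first.
    query = build_query(0x1234, "fileserver01")
    response = build_response(query, "10.20.3.77")
    print(parse_message(response)["answers"], matches_query(query, response))
```

On the defender side, the "Fix the host discovery protocols" slide maps to turning LLMNR off through the DNS Client policy "Turn off multicast name resolution" and disabling NetBIOS over TCP/IP where nothing needs it. Where they cannot be disabled, an LLMNR response coming from an address that does not own the queried name in DNS is itself a usable detection.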

Page 16

We got auth!

Enumerate domain users / computers. Where are the good guys (admins)? How can we get there?
Dig through those shares (NETLOGON / user home folders / random shares)
Drop shortcuts
GPP / WDS / PXE boot / Unattend.xml
Hit those SQL Servers (xp_dirtree / xp_fileexists)

Page 17

Got Local Admin, what next?

Check cached creds / LSA secrets
Procdump for those cleartext passwords
Break the local security software
IE passwords / Outlook files
Most obvious... local admin password reuse
To get those keys, now play the waiting game.

Page 18

Do you still trust your SECURITY software?

Arellia – Privilege management software

McAfee – Anti-Virus software

Page 19

Do you still trust your SECURITY software? (contd.)

WebSense – Web Content Filtering

How many other applications are doing this…?

Page 20

Time to fix these issues.

Routing protocols: authentication, passive interfaces
UAC
EMET
Limit cached credentials
HIPS / ACLs – KEY **
Disable GPP / fix Panther / Sysprep / etc.
Fix those dirty services – SCCM / security software / etc.

Page 21

Time to fix these issues. (contd.)

Fix the host discovery protocols
Remove public roles from SQL servers – if possible
Lock down those shares
Lock down PXE booting to specific subnets
Lock down communication between workstations

Page 22

Time to detect the bad guys

Log C$ / ADMIN$ access from non-IT subnets
Log excessive share access (excessive access denieds)
Detect excessive password guesses
Log DHCP requests / compare to current domain computers
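Added example, not from the talk: the four detections on this slide written as functions and run over constructed records. The events are flat dicts modelled loosely on Windows Security log events 5140 (a network share object was accessed; the client address and share name come from the event, and ok=False stands in for the Audit Failure variant) and 4625 (an account failed to log on). The DHCP lease table, the domain computer list, the IT subnet and the thresholds are all made up and would be tuned per environment.

```python
"""Detections from the "Time to detect the bad guys" slide, over constructed records.

Added example, not from the talk. Records are simplified dicts, not real
event XML; the subnets, hostnames and thresholds are assumptions.
"""
import ipaddress
from collections import Counter

IT_SUBNETS = [ipaddress.ip_network("10.10.50.0/24")]  # assumption: where admins work from
ADMIN_SHARES = ("C$", "ADMIN$")
DENIED_THRESHOLD = 5        # assumption: access-denied share hits per source
FAILED_LOGON_THRESHOLD = 10  # assumption: 4625 events per source, any account

# Constructed sample events (not from a real log).
EVENTS = [
    # 5140 from the IT subnet to ADMIN$: an admin doing admin things.
    {"id": 5140, "src": "10.10.50.12", "user": "CORP\\itadmin", "share": "\\\\*\\ADMIN$", "ok": True},
    # 5140 to C$ from a user subnet: the rogue box in the conference room.
    {"id": 5140, "src": "10.20.3.77", "user": "CORP\\jdoe", "share": "\\\\*\\C$", "ok": True},
    # A run of denied share hits from the same box: share enumeration.
    *[{"id": 5140, "src": "10.20.3.77", "user": "CORP\\jdoe", "share": f"\\\\*\\Share{i}", "ok": False}
      for i in range(8)],
    # One failed logon per account from one source: password spraying.
    *[{"id": 4625, "src": "10.20.3.77", "user": f"CORP\\user{i}"} for i in range(12)],
    # A single typo from a legitimate workstation.
    {"id": 4625, "src": "10.20.3.15", "user": "CORP\\asmith"},
]
# Constructed DHCP leases (hostname -> address) and the domain's computer accounts.
DHCP_LEASES = {"WS-0412": "10.20.3.15", "WS-0419": "10.20.3.22", "kali": "10.20.3.77"}
DOMAIN_COMPUTERS = {"WS-0412", "WS-0419", "FS01", "DC01"}


def in_it_subnet(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in IT_SUBNETS)


def share_name(path):
    """Last component of a UNC share path, upper-cased: '\\\\*\\C$' -> 'C$'."""
    return path.rsplit("\\", 1)[-1].upper()


def admin_share_from_non_it(events):
    """Slide item 1: C$ / ADMIN$ opened from anywhere but the IT subnets."""
    return [e for e in events
            if e["id"] == 5140 and share_name(e["share"]) in ADMIN_SHARES and not in_it_subnet(e["src"])]


def excessive_share_denies(events, threshold=DENIED_THRESHOLD):
    """Slide item 2: sources piling up access-denied share hits."""
    counts = Counter(e["src"] for e in events if e["id"] == 5140 and not e["ok"])
    return {src: n for src, n in counts.items() if n >= threshold}


def excessive_failed_logons(events, threshold=FAILED_LOGON_THRESHOLD):
    """Slide item 3: failed logons counted per source, not per account."""
    counts = Counter(e["src"] for e in events if e["id"] == 4625)
    return {src: n for src, n in counts.items() if n >= threshold}


def unknown_dhcp_clients(leases, domain_computers):
    """Slide item 4: DHCP clients whose hostname is not a domain computer."""
    known = {name.upper() for name in domain_computers}
    return {host: ip for host, ip in leases.items() if host.upper() not in known}


def run_all(events=EVENTS, leases=DHCP_LEASES, computers=DOMAIN_COMPUTERS):
    return {
        "admin_share_from_non_it": [e["src"] for e in admin_share_from_non_it(events)],
        "excessive_share_denies": excessive_share_denies(events),
        "excessive_failed_logons": excessive_failed_logons(events),
        "unknown_dhcp_clients": unknown_dhcp_clients(leases, computers),
    }


if __name__ == "__main__":
    for check, result in run_all().items():
        print(f"{check}: {result}")
```

Counting 4625 events per source rather than per account is what catches password spraying, where each account sees one or two failures and never trips a lockout threshold. The DHCP comparison is the cheapest of the four: a lease handed to a hostname that is not a domain computer is exactly what a rogue box in a conference room looks like, NAC or no NAC.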

Page 23

Lessons Learned… the hard way

Password guessing – if you must do it...
ARP poisoning – bye bye port
Exploiting patches – too noisy with IDS/IPS
NAC – dammit... guest VLAN
Custom payloads get by AV... – PowerShell? Outbound connections?

Page 24

Take Away

What to expect from a pentest
Standards: PTES, OSSTMM, OWASP

Page 25

Questions?

Page 26

References

Arellia – http://www.arellia.com/
McAfee – http://www.mcafee.com
Websense – http://www.websense.com
SCCM – http://www.microsoft.com