Attack all the layers (Secure 360)

Uploaded by: scott-sutherland

Posted on 08-May-2015

DESCRIPTION

This presentation is intended to provide an overview of vulnerabilities and attack techniques that are popular in penetration testing at the moment. Vulnerabilities related to the application, network, and server layers will be covered along with current anti-virus bypass and privilege escalation techniques used by attackers and penetration testers. This presentation should be interesting to security professionals and system administrators looking for more insight into real world attacks. Karl Fosaaen and I put this together for Secure 360 in Minneapolis. We hope you enjoy it. More security blogs by the authors can be found @ https://www.netspi.com/blog/

TRANSCRIPT

Page 1: Attack all the layers secure 360

Page 2

INTRODUCTIONS

Scott Sutherland
- Security Consultant @ NetSPI
- Twitter: @_nullbind

Karl Fosaaen
- Security Consultant @ NetSPI
- Twitter: @kfosaaen

We specialize in both things and stuff!

Page 3

OVERVIEW

• Why do companies pen test?
• Attacking passwords
• Attacking protocols
• Attacking applications
• Bypassing AV
• Windows Escalation
• Conclusions

Page 4

WHY DO COMPANIES PEN TEST?

• Compliance requirements
• Third party requests
• Identify unknown security gaps
• Validate existing security controls
• Prioritize existing security initiatives
• Prevent data breaches

Page 5

PENETRATION TEST GOALS

• Identify and understand the impact of vulnerabilities at the application, system, and network layers
• Prioritize remediation
• Understand ability to detect and respond to attacks

Page 6

PENETRATION TEST OBJECTIVES

• *Complete client-specific objectives
• Gain access to critical systems, sensitive data, and application functionality
• Attack surfaces
  - Applications
  - Networks
  - Servers
• Attack categories
  - Configuration issues
  - Code vulnerabilities
  - Missing patches

Page 7

OVERVIEW

• Attacking passwords
• Attacking protocols
• Attacking applications
• Bypassing AV
• Escalation

Page 8

ATTACKING PASSWORDS

• Dictionary Attacks
• Dump Hashes and Crack
• Dump Hashes and PTH
• Impersonate
• Dump in Cleartext!

Page 9

ATTACKING PASSWORDS

(Timeline graphic; only the year labels survived extraction: 1997, 2000s, 2001, 2007, 2008, 2010, 2012)

Page 10

ATTACKING PASSWORDS: DICTIONARY

• Dictionary Attacks
  - Enumerate users: null SMB logins, RPC, *SID BF, SNMP, LDAP, SharePoint, etc.
  - Attack!
• Are users getting smarter? Sort of…
  - “Spring2013” meets password complexity requirements
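The “Spring2013” point is that the classic three-of-four character-class rule says nothing about guessability. The added example below (not code from the deck or its authors) shows the two checks side by side: a Windows-style complexity test, and a pattern test that normalizes leet substitutions and flags a common word followed by digits or a year. The word list and the year range are constructed assumptions; a real wordlist would be far larger.

```python
import re
from typing import Optional

# Windows-style complexity: at least 8 characters and 3 of these 4 classes.
_CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")

# Constructed word list (an assumption, not from the deck): base words that
# cracking wordlists cover before any real search begins.
COMMON_WORDS = {
    "spring", "summer", "fall", "autumn", "winter",
    "january", "february", "march", "april", "may", "june", "july",
    "august", "september", "october", "november", "december",
    "password", "welcome", "changeme", "letmein", "company",
}

# Leet-speak substitutions reversed so "$pring" and "p@ssw0rd" are compared
# as "spring" and "password".
_UNLEET = str.maketrans("@$01!3", "asolie")

# A word, then 1-4 digits, then up to two trailing symbols ("Spring2013!").
_WORD_DIGITS = re.compile(r"^(.+?)(\d{1,4})([^A-Za-z0-9]{0,2})$")


def meets_complexity(pw: str) -> bool:
    """True when the password satisfies the classic three-of-four rule."""
    classes = sum(1 for pattern in _CLASS_PATTERNS if re.search(pattern, pw))
    return len(pw) >= 8 and classes >= 3


def predictable_reason(pw: str) -> Optional[str]:
    """Explain why a dictionary attack would guess the password, or None."""
    match = _WORD_DIGITS.match(pw.lower())
    if not match:
        return None
    word = match.group(1).translate(_UNLEET)
    digits = match.group(2)
    if word not in COMMON_WORDS:
        return None
    if len(digits) == 4 and 1990 <= int(digits) <= 2030:   # constructed year range
        return f"common word '{word}' followed by the year {digits}"
    return f"common word '{word}' followed by digits"


def audit(pw: str) -> dict:
    """Combine the policy check with the pattern check for one password."""
    return {
        "complexity_ok": meets_complexity(pw),
        "predictable": predictable_reason(pw),
    }


if __name__ == "__main__":
    for candidate in ("Spring2013", "$pring2013!", "Welcome1", "correct horse battery staple"):
        print(candidate, audit(candidate))
```

Run as a script it prints that “Spring2013” and “$pring2013!” pass complexity yet are flagged as a season plus a year, while a long passphrase fails the class rule and carries no pattern at all; that mismatch is why a password audit should grade guessability rather than character classes.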

Page 11

ATTACKING PASSWORDS: CRACKING

• Dumping Hashes and Cracking
  - John
  - Rainbow Tables
  - oclHashcat plus

Page 12

ATTACKING PASSWORDS: CRACKING

Page 13

ATTACKING PASSWORDS: PASSING

• Dumping and Passing Hashes
  - Pass the hash kit
  - Metasploit
  - PTH everything

Page 14

ATTACKING PASSWORDS: IMPERSONATE

• Impersonate
  - Incognito
  - WCE

Page 15

ATTACKING PASSWORDS: CLEARTEXT

• Dump in Cleartext! All the applications!
  - Egyp7’s script
  - WCE
  - Mimikatz

Page 16

OVERVIEW

• Attacking passwords
• Attacking protocols
• Attacking applications
• Bypassing AV
• Windows Escalation

Page 17

ATTACKING PROTOCOLS

• ARP: Address Resolution Protocol
• NBNS: NetBIOS Name Service
• SMB: Server Message Block
• DTP: Dynamic Trunking Protocol
• VTP: VLAN Trunking Protocol
• Honorable Mentions

Page 18

ATTACKING PROTOCOLS: ARP

Address Resolution Protocol

Page 19

ATTACKING PROTOCOLS: ARP

• General
  - MAC to IP association
  - Layer 2
• Conditions
  - Independent of user action
  - Broadcast network
• Attacks
  - MITM monitoring
  - MITM injection
  - DoS

Page 20

ATTACKING PROTOCOLS: ARP

Page 21

ATTACKING PROTOCOLS: ARP

Common ARP MITM attacks:

• Intercept data
  - SSN, credit cards, healthcare data, etc.
  - Whole file parsing with NetworkMiner
• Intercept passwords
  - Cain will parse passwords for over 30 protocols
• Inject content
  - SQL injection – web and direct database connections
  - HTML injection – redirection, browser exploits
  - UNC path injection – force authentication
  - Proxy and modify HTTP traffic with Burp Suite

Page 22

ATTACKING PROTOCOLS: ARP

Common ARP MITM tools:

• Windows tools
  - Cain
  - Ettercap-ng
  - Interceptor-ng
  - Nemesis
• Linux tools
  - Ettercap
  - Dsniff
  - Subterfuge
  - Easycreds
  - Loki
  - Nemesis

Page 23

ATTACKING PROTOCOLS: ARP

Common mitigating controls:

• Dynamic ARP Inspection
• Port Security
• Static Routes (not recommended)
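Dynamic ARP Inspection works because the switch can compare every ARP reply against a trusted binding; where the switch cannot do that, the same comparison can be made passively from a SPAN port. The added example below is not from the deck: it parses raw Ethernet/ARP frames, keeps the IP-to-MAC bindings seen so far, and raises the two signals an ARP MITM leaves behind, an IP whose MAC suddenly changes and one MAC that claims several IPs (typically the gateway and a victim at once). The frames, addresses and the frame-builder are constructed in-memory test data; nothing is sent on a network.

```python
import struct
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")             # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")     # RFC 826 Ethernet/IPv4 ARP body
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp_reply(sender_ip, sender_mac, target_ip, target_mac) -> bytes:
    """Assemble an Ethernet+ARP reply frame as in-memory test data only."""
    smac = bytes.fromhex(sender_mac.replace(":", ""))
    tmac = bytes.fromhex(target_mac.replace(":", ""))
    sip = bytes(int(o) for o in sender_ip.split("."))
    tip = bytes(int(o) for o in target_ip.split("."))
    return (ETH_HDR.pack(tmac, smac, ETHERTYPE_ARP)
            + ARP_HDR.pack(1, 0x0800, 6, 4, ARP_REPLY, smac, sip, tmac, tip))


def parse_arp(frame: bytes):
    """Return the ARP fields of a frame, or None if it is not ARP."""
    _dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    _ht, _pt, _hl, _pl, oper, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    return {"eth_src": _mac(src), "oper": oper, "sha": _mac(sha),
            "spa": _ip(spa), "tha": _mac(tha), "tpa": _ip(tpa)}


class ArpMonitor:
    """Passive ARP watcher: remembers IP->MAC bindings and flags changes."""

    def __init__(self):
        self.ip_to_mac = {}
        self.mac_to_ips = defaultdict(set)

    def observe(self, frame: bytes) -> list:
        alerts = []
        arp = parse_arp(frame)
        if arp is None or arp["oper"] != ARP_REPLY:
            return alerts
        # A crafted reply often carries a sender MAC that differs from the frame source.
        if arp["eth_src"] != arp["sha"]:
            alerts.append(f"frame from {arp['eth_src']} carries ARP sender {arp['sha']}")
        previous = self.ip_to_mac.get(arp["spa"])
        if previous and previous != arp["sha"]:
            alerts.append(f"{arp['spa']} moved from {previous} to {arp['sha']}")
        self.ip_to_mac[arp["spa"]] = arp["sha"]
        self.mac_to_ips[arp["sha"]].add(arp["spa"])
        if len(self.mac_to_ips[arp["sha"]]) > 1:
            alerts.append(f"{arp['sha']} now answers for {sorted(self.mac_to_ips[arp['sha']])}")
        return alerts


def run_sample() -> list:
    """Replay constructed frames: two normal replies, then a third MAC claiming both IPs."""
    gateway, workstation, third = "00:11:22:33:44:01", "00:11:22:33:44:25", "de:ad:be:ef:00:99"
    frames = [
        build_arp_reply("10.0.0.1", gateway, "10.0.0.25", workstation),
        build_arp_reply("10.0.0.25", workstation, "10.0.0.1", gateway),
        build_arp_reply("10.0.0.1", third, "10.0.0.25", workstation),
        build_arp_reply("10.0.0.25", third, "10.0.0.1", gateway),
    ]
    monitor = ArpMonitor()
    return [alert for frame in frames for alert in monitor.observe(frame)]


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

In production the bindings would be seeded from DHCP leases or a static inventory, the same source DAI uses, so that the first reply seen is not trusted blindly.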

Page 24

ATTACKING PROTOCOLS: NBNS

NetBIOS Name Service

Page 25

ATTACKING PROTOCOLS: NBNS

• General
  - IP to hostname association
  - Layer 5 / 7
• Constraints
  - Dependent on user action
  - Broadcast network
  - Windows only
• Attacks
  - MITM monitoring
  - MITM injection
  - DoS

Page 26

ATTACKING PROTOCOLS: NBNS

Page 27

ATTACKING PROTOCOLS: NBNS

Page 28

ATTACKING PROTOCOLS: NBNS

Page 29

ATTACKING PROTOCOLS: NBNS

Common NBNS MITM attacks:

• Intercept data
  - SSN, credit cards, healthcare data, etc.
  - Whole file parsing with NetworkMiner
• Intercept passwords
  - Cain will parse passwords for over 30 protocols
• Inject content
  - SQL injection – web and direct database connections
  - HTML injection – redirection, browser exploits
  - UNC path injection – force authentication
  - Proxy and modify traffic with Burp Suite

Page 30

ATTACKING PROTOCOLS: NBNS

Common NBNS MITM tools:

• Windows tools
  - nbnspoof (python)
  - Metasploit (nbns_response + other modules)
  - Responder (python)
• Linux tools
  - nbnspoof (python)
  - Metasploit (nbns_response + other modules)
  - Responder (python)

Page 31

ATTACKING PROTOCOLS: NBNS

Common mitigating controls:

• Create a WPAD (Web Proxy Auto-Discovery) server entry in DNS
• Disable NBNS (not highly recommended)
• Disable insecure authentication to help limit impact of exposed hashes
• Enable packet signing to help prevent SMB Relay attacks
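NBNS is a broadcast protocol, so anyone on the segment can see the queries and can also see who answers them. The added example below is not from the deck: it decodes the NBNS first-level name encoding, tracks which queries were actually asked, and flags the behaviours a name spoofer shows that a real host does not, an answer for WPAD (which the DNS entry from the slide should make unnecessary), one host answering for many different names, and an answer that no one asked for. The packets, hosts and the responder threshold are constructed assumptions.

```python
import struct
from collections import defaultdict

DNS_HDR = struct.Struct("!HHHHHH")   # id, flags, qdcount, ancount, nscount, arcount
NB_TYPE, NB_CLASS = 0x0020, 0x0001
FLAG_RESPONSE = 0x8000


def encode_nb_name(name: str, suffix: int = 0x00) -> str:
    """First-level encoding: 15 chars space-padded plus a suffix byte; each byte
    becomes two nibbles written as 'A'..'P', giving 32 characters."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return "".join(chr((b >> 4) + 0x41) + chr((b & 0x0F) + 0x41) for b in raw)


def decode_nb_name(encoded: str):
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii", errors="replace").rstrip(), raw[15]


def build_query(txid: int, name: str) -> bytes:
    """Constructed NB query as a Windows client broadcasts it (test data)."""
    question = bytes([32]) + encode_nb_name(name).encode("ascii") + b"\x00"
    return DNS_HDR.pack(txid, 0x0110, 1, 0, 0, 0) + question + struct.pack("!HH", NB_TYPE, NB_CLASS)


def build_response(txid: int, name: str, ip: str) -> bytes:
    """Constructed positive name response (test data)."""
    record = bytes([32]) + encode_nb_name(name).encode("ascii") + b"\x00"
    rdata = struct.pack("!H4B", 0x0000, *(int(o) for o in ip.split(".")))   # NB_FLAGS + address
    record += struct.pack("!HHIH", NB_TYPE, NB_CLASS, 300000, len(rdata)) + rdata
    return DNS_HDR.pack(txid, 0x8500, 0, 1, 0, 0) + record


def parse_nbns(packet: bytes) -> dict:
    txid, flags, _qd, _an, _ns, _ar = DNS_HDR.unpack_from(packet, 0)
    offset = DNS_HDR.size
    length = packet[offset]
    encoded = packet[offset + 1:offset + 1 + length].decode("ascii")
    offset += 1 + length + 1                      # length byte, name, 0x00 terminator
    name, suffix = decode_nb_name(encoded)
    result = {"txid": txid, "response": bool(flags & FLAG_RESPONSE), "name": name, "suffix": suffix}
    if result["response"]:
        offset += 2 + 2 + 4                       # type, class, ttl
        (_rdlength,) = struct.unpack_from("!H", packet, offset)
        offset += 2
        result["address"] = ".".join(str(b) for b in packet[offset + 2:offset + 6])
    return result


class NbnsMonitor:
    """Flags answers that a real name owner would not send."""

    def __init__(self, responder_limit: int = 3):   # constructed threshold
        self.pending = set()                        # (txid, name) of queries seen
        self.names_by_responder = defaultdict(set)
        self.responder_limit = responder_limit

    def observe(self, packet: bytes, src_ip: str) -> list:
        msg = parse_nbns(packet)
        key = (msg["txid"], msg["name"])
        alerts = []
        if not msg["response"]:
            self.pending.add(key)
            return alerts
        if key not in self.pending:
            alerts.append(f"unsolicited answer for {msg['name']} from {src_ip}")
        if msg["name"] == "WPAD":
            alerts.append(f"{src_ip} answered WPAD over NBNS (a DNS WPAD record prevents this query)")
        names = self.names_by_responder[src_ip]
        names.add(msg["name"])
        if len(names) == self.responder_limit:
            alerts.append(f"{src_ip} has now answered for {self.responder_limit} different names")
        return alerts


def run_sample() -> list:
    """Constructed traffic: a workstation asks for three names; one host answers all of them."""
    monitor = NbnsMonitor()
    traffic = [
        (build_query(1, "FILESRV01"), "10.0.0.25"),
        (build_response(1, "FILESRV01", "10.0.0.66"), "10.0.0.66"),
        (build_query(2, "WPAD"), "10.0.0.25"),
        (build_response(2, "WPAD", "10.0.0.66"), "10.0.0.66"),
        (build_query(3, "PRNTSRV"), "10.0.0.25"),
        (build_response(3, "PRNTSRV", "10.0.0.66"), "10.0.0.66"),
        (build_response(9, "SHARE", "10.0.0.66"), "10.0.0.66"),
    ]
    return [alert for packet, src in traffic for alert in monitor.observe(packet, src)]
```

The "many names from one responder" rule is the one that matters in practice, because a spoofer answers the live query with its real transaction ID, so the unsolicited check only catches sloppy tools; the WPAD alert should go quiet entirely once the DNS record from the mitigation slide exists.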

Page 32

ATTACKING PROTOCOLS: SMB

Server Message Block

Page 33

ATTACKING PROTOCOLS: SMB

• General
  - SMB is the comeback kid!
  - Layer 7
• Constraints
  - Dependent on user action
  - Any routable network
  - No connecting back to originating host
• Attacks
  - Command execution
  - Shells…aaand shells

Page 34

ATTACKING PROTOCOLS: SMB

Page 35

ATTACKING PROTOCOLS: SMB

Historically SMB Relay has been used to:
• Execute arbitrary commands
• Obtain shells

Lately the community has been developing tools for doing things like:
• LDAP queries
• SQL queries
• Exchange services
• Mounting file systems

Page 36

ATTACKING PROTOCOLS: SMB

Many tools support SMB Relay attacks:

• Windows tools
  - Metasploit (smb_relay and http_ntlmrelay)
  - Interceptor-ng
  - …this is kind of a pain in Windows
• Linux tools
  - Metasploit (smb_relay and http_ntlmrelay)
  - Zack attack
  - Subterfuge
  - Squirtle

Page 37

ATTACKING PROTOCOLS: SMB

Common mitigating controls:

• Enable packet signing to help prevent SMB Relay attacks
• Apply really old patches, like if you missed out on the last decade…
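"Enable packet signing" only helps when it is *required*, not merely enabled: a relayed session against a server that allows unsigned sessions still succeeds. The server states its policy in the SecurityMode field of its negotiate response, so the check can be made from a capture without any authentication. The added example below is not from the deck: it parses the SMB2 header and NEGOTIATE response (MS-SMB2 layout) and the SMB1 SMB_COM_NEGOTIATE response (MS-CIFS layout) and reports whether signing is enabled and whether it is required. The responses are constructed test messages; only the fields inspected carry meaningful values.

```python
import struct

SMB1_MAGIC, SMB2_MAGIC = b"\xffSMB", b"\xfeSMB"

# SMB2 header (MS-SMB2 2.2.1.2): 64 bytes, little-endian.
SMB2_HEADER = struct.Struct("<4sHHIHHIIQIIQ16s")
# SMB2 NEGOTIATE response fixed part (MS-SMB2 2.2.4): 64 bytes before the buffer.
SMB2_NEG_RESP = struct.Struct("<HHHH16sIIIIQQHHI")
SMB2_CMD_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
SMB2_SIGNING_ENABLED, SMB2_SIGNING_REQUIRED = 0x0001, 0x0002

# SMB1 (MS-CIFS 2.2.4.52.2): SMB_COM_NEGOTIATE response SecurityMode bits.
SMB1_CMD_NEGOTIATE = 0x72
SMB1_FLAGS_REPLY = 0x80
SMB1_SIG_ENABLED, SMB1_SIG_REQUIRED = 0x04, 0x08


def build_smb2_negotiate_response(security_mode: int, dialect: int = 0x0302) -> bytes:
    """Constructed server reply (test data): only the inspected fields are meaningful."""
    header = SMB2_HEADER.pack(SMB2_MAGIC, 64, 0, 0, SMB2_CMD_NEGOTIATE, 1,
                              SMB2_FLAGS_SERVER_TO_REDIR, 0, 0, 0, 0, 0, b"\x00" * 16)
    body = SMB2_NEG_RESP.pack(65, security_mode, dialect, 0, b"\x00" * 16,
                              0, 0x800000, 0x800000, 0x800000, 0, 0, 128, 0, 0)
    return header + body


def build_smb1_negotiate_response(security_mode: int) -> bytes:
    """Constructed SMB1 negotiate reply (test data): 32-byte header plus 17 parameter words."""
    header = SMB1_MAGIC + struct.pack("<BIBHH8sHHHHH", SMB1_CMD_NEGOTIATE, 0, SMB1_FLAGS_REPLY,
                                      0xC807, 0, b"\x00" * 8, 0, 0, 0, 0, 0)
    # WordCount, DialectIndex, SecurityMode, then the remaining parameter bytes zeroed.
    words = struct.pack("<BHB", 17, 0, security_mode) + b"\x00" * 31
    return header + words + struct.pack("<H", 0)      # ByteCount = 0


def signing_policy(response: bytes) -> dict:
    """Read the server's signing settings out of a captured negotiate response."""
    if response[:4] == SMB2_MAGIC:
        hdr = SMB2_HEADER.unpack_from(response, 0)
        if hdr[4] != SMB2_CMD_NEGOTIATE or not hdr[6] & SMB2_FLAGS_SERVER_TO_REDIR:
            raise ValueError("not an SMB2 NEGOTIATE response")
        body = SMB2_NEG_RESP.unpack_from(response, SMB2_HEADER.size)
        mode, dialect = body[1], body[2]
        return {"protocol": "SMB2", "dialect": f"0x{dialect:04x}",
                "signing_enabled": bool(mode & SMB2_SIGNING_ENABLED),
                "signing_required": bool(mode & SMB2_SIGNING_REQUIRED)}
    if response[:4] == SMB1_MAGIC:
        if response[4] != SMB1_CMD_NEGOTIATE or not response[9] & SMB1_FLAGS_REPLY:
            raise ValueError("not an SMB1 negotiate response")
        (dialect_index,) = struct.unpack_from("<H", response, 33)
        mode = response[35]   # header (32) + WordCount (1) + DialectIndex (2)
        return {"protocol": "SMB1", "dialect": f"index {dialect_index}",
                "signing_enabled": bool(mode & SMB1_SIG_ENABLED),
                "signing_required": bool(mode & SMB1_SIG_REQUIRED)}
    raise ValueError("not an SMB message")


def relay_exposed(response: bytes) -> bool:
    """True when a relayed session could succeed because signing is optional."""
    return not signing_policy(response)["signing_required"]
```

Pointing this at a real capture means feeding it the first SMB message the server sends after the client's negotiate (after the 4-byte NetBIOS session header); a server that reports `signing_enabled` but not `signing_required` is the case the slide's mitigation is meant to close.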

Page 38

ATTACKING PROTOCOLS: DTP

Dynamic Trunking Protocol

Page 39

ATTACKING PROTOCOLS: DTP

• General
  - 802.1Q encapsulation is in use
  - Layer 2
• Constraints
  - Independent of user action
  - Trunking is set to enabled or auto on switch port
• Attacks
  - Monitor network traffic for all VLANs, because all VLANs are allowed on a trunk by default
  - *Full VLAN hopping

Page 40

ATTACKING PROTOCOLS: DTP

Page 41

ATTACKING PROTOCOLS: DTP

Page 42

ATTACKING PROTOCOLS: DTP

Page 43

ATTACKING PROTOCOLS: DTP

Page 44

ATTACKING PROTOCOLS: DTP

• Intercept data
  - SSN, credit cards, healthcare data, etc.
  - Whole file parsing with NetworkMiner
• Intercept passwords
  - Cain will parse passwords for over 30 protocols

Page 45

ATTACKING PROTOCOLS: DTP

Common DTP spoofing tools:

• Windows tools
  - I got nothing…
• Linux tools
  - Yersinia

Page 46

ATTACKING PROTOCOLS: DTP

Common mitigating controls:

• Use a dedicated VLAN ID for all trunking ports
• Disable all unused ports and place them on a non-routable VLAN
• Configure all user ports as access ports to prevent trunk negotiation
• Configure frames with two 802.1Q headers
• Configure strong VACLs

ATTACKING PROTOCOLS: VTP

VLAN Trunking Protocol

Page 48: Attack all the layers secure 360

ATTACKING PROTOCOLS: VTP

• General

802.1Q encapsulation is in use

Layer 2

• Constraints

Independent of user action

VLANs are IP or MAC based

• Attacks

Ability to directly attack

systems on other VLANs

Page 49: Attack all the layers secure 360

ATTACKING PROTOCOLS: VTP

Page 50: Attack all the layers secure 360

ATTACKING PROTOCOLS: VTP

Page 51: Attack all the layers secure 360

ATTACKING PROTOCOLS: VTP

Common next steps after VTP tag forgery:

• MITM attacks against remote VLAN systems

• Intercept/Modify Data

Usually limited to broadcast traffic (unless MITM)

Page 52: Attack all the layers secure 360

ATTACKING PROTOCOLS: VTP

Tools for VLAN hopping attacks:

• Windows Tools

Native: Manually reconfigure via TCP/IP settings

• Linux Tools

Native: Modprobe + ifconfig

VoIP Hopper

Yersinia

Page 53: Attack all the layers secure 360

ATTACKING PROTOCOLS: VTP

Common mitigating controls:

• Use dedicated VLAN ID for all trunking ports

• Disable all unused ports and place them on a non routable VLAN

• Configure all user ports as access ports

to prevent trunk negotiation

• Configure frames with two 8021Q headers

• Configure strong VACLs
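The DTP (page 46) and VTP/VLAN hopping (page 53) slides list the same switch-side controls, and all of them are visible in a running-config, so they can be audited offline. The added example below is not from the deck: it parses Cisco IOS-style configuration text and reports ports left in a DTP-negotiating mode (including the implicit `dynamic auto` default when no `switchport mode` line is present), ports without `switchport nonegotiate`, trunks whose native VLAN is still VLAN 1 or that allow every VLAN, unused ports that are not shut down, and trunks whose native VLAN is not tagged. The weak and hardened configurations are constructed, not taken from any real switch; `vlan dot1q tag native` is a real IOS command added here as the control for untagged native-VLAN frames.

```python
# Two constructed IOS-style running-config fragments (not from any real switch).
WEAK_CONFIG = """\
!
interface GigabitEthernet0/1
 description user port
 switchport mode dynamic desirable
!
interface GigabitEthernet0/2
 description user port left at the DTP default (dynamic auto)
 switchport access vlan 10
!
interface GigabitEthernet0/3
 description uplink
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/4
!
"""

HARDENED_CONFIG = """\
vlan dot1q tag native
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface GigabitEthernet0/3
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/4
 switchport mode access
 switchport access vlan 666
 switchport nonegotiate
 shutdown
!
"""


def parse_config(text: str):
    """Split a running-config into {interface: [sub-commands]} and global lines."""
    interfaces, global_lines, current = {}, [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return interfaces, global_lines


def audit_config(text: str) -> list:
    """Return (interface, finding) pairs for the trunking controls on the slides."""
    interfaces, global_lines = parse_config(text)
    findings = []
    for name, cmds in interfaces.items():
        if not any(c.startswith("switchport") for c in cmds):
            if "shutdown" not in cmds:
                findings.append((name, "unconfigured port is not shut down"))
            continue
        mode_cmd = next((c for c in cmds if c.startswith("switchport mode ")), None)
        mode = mode_cmd.split()[2] if mode_cmd else None
        if mode is None:
            findings.append((name, "no switchport mode; the DTP default (dynamic auto) will accept a trunk"))
        elif mode == "dynamic":
            findings.append((name, f"'{mode_cmd}' negotiates a trunk with whatever is plugged in"))
        if "switchport nonegotiate" not in cmds:
            findings.append((name, "DTP frames still sent; add 'switchport nonegotiate'"))
        if mode == "trunk":
            native = next((c.split()[-1] for c in cmds
                           if c.startswith("switchport trunk native vlan ")), "1")
            if native == "1":
                findings.append((name, "trunk uses VLAN 1 as native VLAN; use a dedicated unused VLAN"))
            if not any(c.startswith("switchport trunk allowed vlan") for c in cmds):
                findings.append((name, "trunk allows all VLANs (default); prune the allowed list"))
    has_trunk = any(c.startswith("switchport mode trunk") for cmds in interfaces.values() for c in cmds)
    if has_trunk and "vlan dot1q tag native" not in global_lines:
        findings.append(("global", "native VLAN is untagged on trunks; add 'vlan dot1q tag native'"))
    return findings


if __name__ == "__main__":
    for port, finding in audit_config(WEAK_CONFIG):
        print(f"{port}: {finding}")
    print("hardened config findings:", audit_config(HARDENED_CONFIG))
```

The parser only understands the two-level layout of a Catalyst running-config; a port-channel or a VTP-managed VLAN database would need extra handling, and VACLs are intentionally out of scope because their correctness depends on the site's addressing.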

Page 54

ATTACKING PROTOCOLS: OTHERS

Honorable mention:

• Preboot Execution Environment (PXE)
• Link-local Multicast Name Resolution (LLMNR)
• Dynamic Host Configuration Protocol (DHCP)

Page 55

OVERVIEW

• Attacking passwords
• Attacking protocols
• Attacking applications
• Bypassing AV
• Windows Escalation

Page 56

ATTACKING APPLICATIONS

• Default and weak passwords for everything
  - Tools: Nmap, Nessus, Web Scour, manuals, Google
• SQL injection
  - Tools: manually, web scanners, SQL Ninja, SQL Map, Metasploit
• RFI/web shells (JBoss, Tomcat, etc.)
  - Tools: Metasploit, Fuzzdb, and other web shellery
• Web directory traversals
  - Tools: manually, web scanners, Fuzzdb, Metasploit
• MS08-067
  - Tools: Metasploit, exploitdb exploits, etc.

Page 57

OVERVIEW

• Attacking passwords
• Attacking protocols
• Attacking applications
• Bypassing AV
• Escalation

Page 58

BYPASSING AV

• Weak Configurations
• Source Code Tricks
• Binary Modifications
• Process/Thread Manipulation

Page 59

BYPASSING AV: WEAK CONFIGURATIONS

• Execute from share, UNC path, or external media
• Disable via GUI
• Create policy exceptions
• Kill processes
• Stop / disable services
• Uninstall (not recommended)
• Insecure service registration (c:\program.exe)
• Insecure file permissions (file replacement/mods)
• Execute from a DLL
• DLL pre-loading, side-loading, etc.
• GAC poisoning (potentially)

Page 60

BYPASSING AV: SOURCE CODE TRICKS

Customize everything…and be crazy

• Migrate to and suspend or kill AV
• Modify comments (web languages)
• Replace variable names
• Modify application logic
• Use alternative functions
• Remove or modify resources
• Encode or encrypt payloads
• Compress payloads
• Add time delays
• Call NTDLL.DLL directly

Page 61

BYPASSING AV: BINARY MODIFICATIONS

Same idea…be crazy

• Simple string modification
• Decompile/modify source
• Disassemble / modify application logic
• Disassemble / insert time delays
• Modify resource table (ditto/CFF Explorer)
• Modify imports table (ditto/CFF Explorer)
• Pack (UPX, Mpress, iExpress, etc.)
• Metasploit Pro payloads: dynamic exe generation

Page 62

BYPASSING AV: PROCESS/THREAD MODS

Inject, inject, replace…

• Code injection (local and remote)
• DLL injection (local and remote)
• Process replacement

Common tools:

• PowerShell: PowerSploit, etc.
• Python and Py2exe
• Any language that supports calls to native DLLs

Page 63

OVERVIEW

• Attacking passwords
• Attacking protocols
• Attacking applications
• AV evasion
• Windows Escalation

Page 64

WINDOWS ESCALATION: OVERVIEW

• Local user → Local Administrator
• Domain user → Local Administrator
• Local Administrator → LocalSystem
• LocalSystem → Domain User
• Locate Domain Admin tokens
• LocalSystem → Domain Admin

Page 65

WINDOWS ESCALATION: LOCAL ADMIN

• Local user → Local Administrator
  - Excessive local group privileges (admin or power users)
  - Cleartext credentials
    • Sysprep (unattend.xml/ini/txt)
    • Config files, scripts, logs, desktop folders
    • Tech support call files
  - Weak application configurations that allow:
    • Restarting or reconfiguring services
    • Replacing application files
    • DLL pre or side loading
    • Executable injection via poorly registered services: C:\Program Files (x86) vs “C:\Program Files (x86)”
  - Local and remote exploits (Metasploit: getsystem)

Page 66

WINDOWS ESCALATION: LOCAL ADMIN

• Domain user → Local Administrator
  - Issues from last slide and…
  - Group policy: groups.xml
  - File shares accessible to domain users
  - Ability to log into domain workstations
  - Excessive database privileges (xp_cmdshell etc.)
  - SMB Relay + cracking hashes
  - Other systems and applications that use integrated domain authentication…
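Two of the local-admin paths on pages 65 and 66 are plain configuration mistakes that an administrator can find before anyone else does: a service registered with an unquoted ImagePath that contains spaces (the `C:\Program Files (x86)` vs `"C:\Program Files (x86)"` point) and a Group Policy Preferences `groups.xml` that still carries a `cpassword` attribute. The added example below is not from the deck: it lists, for each unquoted service path, the file names Windows would try before the intended executable (so the auditor knows which directories must not be writable), and it flags GPP user entries that embed a password. The ImagePath values, the XML and every GUID in it are constructed placeholders, not data from a real host or domain.

```python
import re
import xml.etree.ElementTree as ET

# Constructed ImagePath values as they would be read from
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath (not from a real host).
SAMPLE_SERVICES = {
    "GoodAgent": r'"C:\Program Files\Vendor\Good Agent\agent.exe" -service',
    "BadAgent": r"C:\Program Files\Vendor\Bad Agent\agent.exe -service",
    "EventLog": r"C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted",
}

# Constructed Groups.xml of the kind stored under a policy's Preferences\Groups
# folder in SYSVOL. GUIDs and the cpassword value are placeholders.
SAMPLE_GROUPS_XML = """\
<Groups clsid="{PLACEHOLDER-GROUPS-CLSID}">
  <User clsid="{PLACEHOLDER-USER-CLSID}" name="localadmin" changed="2013-04-01 10:00:00" uid="{PLACEHOLDER-UID-1}">
    <Properties action="U" userName="localadmin" cpassword="PLACEHOLDER-ENCRYPTED-VALUE" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"/>
  </User>
  <User clsid="{PLACEHOLDER-USER-CLSID}" name="helpdesk" changed="2013-04-01 10:05:00" uid="{PLACEHOLDER-UID-2}">
    <Properties action="U" userName="helpdesk" cpassword="" description="no password stored"/>
  </User>
</Groups>
"""

_EXE = re.compile(r"^(.*?\.exe)", re.IGNORECASE)


def unquoted_path_candidates(image_path: str) -> list:
    """File names Windows tries, in order, before the real executable when an
    unquoted ImagePath contains spaces (for C:\\Program Files\\X Y\\a.exe that is
    C:\\Program.exe, then C:\\Program Files\\X.exe)."""
    if image_path.startswith('"'):
        return []
    match = _EXE.match(image_path)
    if not match or " " not in match.group(1):
        return []
    parts = match.group(1).split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def find_unquoted_services(services: dict) -> dict:
    """Map service name -> candidate hijack paths for every unquoted ImagePath."""
    return {name: cands for name, path in services.items()
            if (cands := unquoted_path_candidates(path))}


def find_gpp_passwords(xml_text: str, source: str = "Groups.xml") -> list:
    """List GPP user entries that still carry a non-empty cpassword attribute."""
    hits = []
    for props in ET.fromstring(xml_text).iter("Properties"):
        if props.get("cpassword"):
            hits.append({"file": source, "user": props.get("userName"), "action": props.get("action")})
    return hits


def audit(services: dict = SAMPLE_SERVICES, groups_xml: str = SAMPLE_GROUPS_XML) -> dict:
    """Run both checks over the supplied (here: constructed) inputs."""
    return {"unquoted_services": find_unquoted_services(services),
            "gpp_passwords": find_gpp_passwords(groups_xml)}


if __name__ == "__main__":
    for service, candidates in audit()["unquoted_services"].items():
        print(service, "->", candidates)
    for hit in audit()["gpp_passwords"]:
        print("cpassword present:", hit)
```

On a real host the ImagePath values come from the Services registry key and the fix is to quote the path or deny write access on the parent directories; for GPP the fix is to remove the preference item and rotate the account, since any domain user can read SYSVOL.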

Page 67

WINDOWS ESCALATION: LOCAL ADMIN

• Local Administrator → LocalSystem
  - At.exe (on older systems) – we still see it!
  - Accessibility options
    • Replace accessibility options like utilman.exe, osk.exe and sethc.exe with cmd.exe or other backdoor
  - Create a custom service to run as LocalSystem
    • Psexec –s –i cmd.exe
  - Migrate to a system process
    • Remote process injection, MSF ps + migrate, and Incognito
  - Local and remote exploits
    • Metasploit: getsystem etc.
  - SQL Server and database links + xp_cmdshell

Page 68

WINDOWS ESCALATION: FIND DA TOKENS

• Locate Domain Admin tokens
  - Check locally ;)
    • incognito
  - Query the domain controllers
    • netsess.exe
  - Scan remote systems for running tasks
    • native tasklist or smbexec
  - Scan old Windows systems for NetBIOS
  - Shell spraying for tokens (not advised)

Page 69

WINDOWS ESCALATION: DOMAIN ADMIN

• LocalSystem → Domain Admin
  - Pass-the-hash to target system
    • Local administrator account and shared service accounts
    • Manually via trusted connections or via MSF etc.
  - Impersonate authentication token
    • Custom application, Incognito, WCE, Metasploit
  - Dump cleartext domain credentials
    • Mimikatz, WCE, or Metasploit
  - Key logging
  - MITM + sniffing (HTTP integrated auth etc.)

Page 70

Page 71

CONCLUSIONS

All can kind of be fixed

• Most networks: kind of broken
• Most protocols: kind of broken
• Most applications: kind of broken

Page 72

ATTACK ALL THE LAYERS!

ANY QUESTIONS?