beyond the pentest: how c2, internal pivoting, and data exfiltration show true risk
TRANSCRIPT
Beyond the Pentest
How C2, Internal Pivoting, and Data Exfiltration Show True Risk
Beau Bullock
Beyond the Pentest
What does a standard internal network pentest already cover?
Port scans
Vulnerability scanning
Manual validation
Provide recommendations
What is Wrong With This
Attackers don’t vulnerability scan - too noisy
Misses some very critical vulnerabilities
Doesn’t account for domain systems already compromised
whoami
Beau Bullock
Pentester at Black Hills Information Security
Host of Hack Naked TV
Previously an enterprise defender
OSCP, GXPN, GPEN, GCIH, GCFA, OSWP and GSEC
What Are We Missing
Three major things
Command and Control
Internal Pivoting
Data Exfiltration
How Do We Test These
Start with the basics
Standard domain user account
Lowest level of access typically provisioned
Standard system build
Anyone on leave? Steal their system
Standard network access
Command and Control
Command and Control
Three focus areas
Payload delivery
Email, web, etc.
Client-based protections
AV, application whitelisting, HIDS, etc.
Network-based protections
Egress filtering, IDS/IPS, inline payload detonation
C2: Payload Delivery
What can be emailed to your employees?
Executable
Word DOC or XLS w/ macro
Batch file
Encrypted ZIP
Extensionless files?
C2: Payload Delivery
Protip:
Many webmail services scan attachments for malware
Some don’t allow EXEs altogether
Yahoo’s MTA does not scan and allows EXEs
Use a third-party mail client to send through Yahoo
C2: Payload Delivery
What can be downloaded?
How about browser or Java or Adobe exploits?
Are users allowed to insert USB drives?
C2: Client-Based Protections
Did anything detect the payload after entry?
Anti-Virus
Application whitelisting
SIEM alerts
C2: Client-Based Protections
Payload types
Non-encoded EXE
Encoded EXE
ShellCode injection
Word Doc w/ macro
Software exploit
Physical access (rubber ducky)
C2: Client-Based Protections
Bypassing Client-based protections
Veil-Evasion
Framework for creating custom malware
PowerSploit
Shellcode injection directly into memory
Obfuscation
C2: Network-Based Protections
Was the C2 channel detected?
Firewall block
IDS/IPS detection
Inline Detonation
C2: Network-Based Protections
What does an outbound portscan reveal?
open.zorinaq.com
Weak egress filtering provides more legroom for C2
DLP might miss items not sent over standard ports
C2: Some Typical C2 Channels
Standard TCP
HTTP/HTTPS
DNS
ICMP
C2: C2 Through A Web Proxy
Meterpreter Reverse_https
Uses proxy settings on system
PowerShell Empire!!!
Same as above but in PowerShell
Appears as web traffic through your web proxy
C2: C2 Over Social Media
Can your users get to any social media sites?
Twittor - Uses Twitter direct messages as a C2 channel
GCAT - Uses Gmail as a C2 channel
Sneaky-Creeper - Uses Twitter, Tumblr, and Soundcloud as a C2 channel
C2: C2 over DNS
DNScat
Tunnels traffic through DNS requests
C2 channel through NS Records
C2 even with EVERY port blocked outbound from the client
https://github.com/iagox86/dnscat2
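A defender-side check for the DNS channel described above, added here as an example that is not from the talk: it scores a constructed query log per parent domain by the number of unique subdomains, their character entropy, and the share of TXT/NULL queries, which together separate a tunnel of the dnscat kind from ordinary browsing. The thresholds, domain names and client addresses are assumptions.

```python
import hashlib
import math
from collections import defaultdict

# Constructed sample DNS query log, not from the talk: (client_ip, qname, qtype).
# Some benign browsing plus one host emitting 40 one-off random-looking labels
# under a single parent domain, which is the shape a DNS tunnel has.
BENIGN = [("10.0.0.5", "www.example.com", "A"), ("10.0.0.5", "mail.example.com", "A"),
          ("10.0.0.5", "cdn.example.com", "A"), ("10.0.0.6", "login.example.org", "A")]
TUNNEL = [("10.0.0.7", hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:32]
           + ".example.net", "TXT") for i in range(40)]
SAMPLE_QUERIES = BENIGN + TUNNEL

def shannon_entropy(s):
    """Bits per character; encoded data sits near log2(alphabet size)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_name(qname):
    """Return (parent, subdomain); parent is the last two labels, e.g. example.net."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def score_parents(queries, min_unique=20, min_entropy=3.0):
    """Per parent domain: unique subdomain count, their mean entropy, the share of
    data-carrying record types, the clients involved, and a suspicious flag."""
    stats = defaultdict(lambda: {"subs": set(), "data": 0, "total": 0, "clients": set()})
    for client, qname, qtype in queries:
        parent, sub = split_name(qname)
        s = stats[parent]
        s["subs"].add(sub)
        s["clients"].add(client)
        s["total"] += 1
        s["data"] += qtype in ("TXT", "NULL")  # record types that carry arbitrary payloads
    report = {}
    for parent, s in stats.items():
        ents = [shannon_entropy(x.replace(".", "")) for x in s["subs"] if x]
        avg = sum(ents) / len(ents) if ents else 0.0
        report[parent] = {"unique": len(s["subs"]), "avg_entropy": round(avg, 2),
                          "data_ratio": round(s["data"] / s["total"], 2),
                          "clients": sorted(s["clients"]),
                          "suspicious": len(s["subs"]) >= min_unique and avg >= min_entropy}
    return report
```

On real resolver logs the same function can be run per client rather than per parent domain, so a single endpoint talking to one odd domain stands out even on a busy network.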
C2: C2 over ICMP
Invoke-PowerShellICMP
Tunnels traffic through ICMP echo-requests and echo-replies
ICMP is commonly allowed through firewalls
https://github.com/samratashok/nishang/tree/master/Shells
Internal Pivoting
Internal Pivoting
Use built-in tools as a low level user to compromise a network
No vuln scans needed
Less noise
Escalate privileges; locate sensitive data
Pivot: GPP Passwords
May 13, 2014 – MS14-025
Passwords of accounts set by GPP are trivially decrypted!
…by ANY authenticated user on the domain
Located in groups.xml files on SYSVOL
https://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be.aspx
http://blogs.technet.com/b/srd/archive/2014/05/13/ms14-025-an-update-for-group-policy-preferences.aspx
https://dirteam.com/sander/2014/05/23/security-thoughts-passwords-in-group-policy-preferences-cve-2014-1812/
Pivot: GPP Passwords
First thing I check for on an internal assessment
Almost always find an admin password here
Find it with:
PowerSploit - Get-GPPPassword
Metasploit GPP Module
Or…
C:\>findstr /S cpassword %logonserver%\sysvol\*.xml
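The same SYSVOL sweep as an audit script, added here as an example that is not from the talk or from any of the tools it names: it walks every XML file under a SYSVOL-like tree, parses it rather than grepping, and reports each element that still carries a non-empty cpassword together with the account it sets. The directory layout, GPO GUID placeholder, account names and the cpassword value are all constructed.

```python
import os
import tempfile
import xml.etree.ElementTree as ET
# Constructed sample preference files, not real captures; the cpassword value is
# a dummy base64 string, and an empty cpassword models an entry already cleaned up.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin">
    <Properties action="U" userName="LocalAdmin" cpassword="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="/>
  </User>
  <User name="Helpdesk">
    <Properties action="U" userName="Helpdesk" cpassword=""/>
  </User>
</Groups>
"""
SAMPLE_DRIVES_XML = """<?xml version="1.0" encoding="utf-8"?>
<Drives>
  <Drive name="H:"><Properties action="U" path="\\\\fileserver\\home" label="Home"/></Drive>
</Drives>
"""

def build_sample_sysvol():
    """Lay out a tiny SYSVOL-like tree in a temp dir so the audit runs offline."""
    root = tempfile.mkdtemp(prefix="sysvol_")
    prefs = os.path.join(root, "Policies", "{GPO-GUID-PLACEHOLDER}", "Machine", "Preferences")
    for sub, text in (("Groups", SAMPLE_GROUPS_XML), ("Drives", SAMPLE_DRIVES_XML)):
        os.makedirs(os.path.join(prefs, sub))
        with open(os.path.join(prefs, sub, sub + ".xml"), "w") as f:
            f.write(text)
    return root

def find_cpassword(sysvol_root):
    """Walk every *.xml under sysvol_root (the same scope as the findstr one-liner)
    and return one finding per element that still carries a non-empty cpassword."""
    findings = []
    for dirpath, _, files in os.walk(sysvol_root):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            try:
                tree = ET.parse(path)
            except ET.ParseError:
                continue  # not well-formed XML; worth logging in a real audit
            for elem in tree.iter():
                if elem.get("cpassword"):  # empty string means already remediated
                    findings.append({"file": os.path.relpath(path, sysvol_root),
                                     "element": elem.tag,
                                     "account": elem.get("userName", "?")})
    return findings
```

Every finding is an account whose password must be rotated after the preference is deleted, because anyone who could read SYSVOL may already have it.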
Pivot: Privilege Escalation
Local privilege escalation
Are we already a local admin?
PowerUp
Invoke-AllChecks looks for potential privilege escalation vectors
http://www.verisgroup.com/2014/06/17/powerup-usage/
Pivot: Misconfigured Systems
Occasionally, admins get lazy… and do things like add “Domain Users” group to the “Local Administrators” group
Pivot: Misconfigured Systems
This means EVERY domain user is now an administrator of that system
Veil-PowerView Find-LocalAdminAccess
Veil-PowerView Invoke-ShareFinder
http://www.harmj0y.net/blog/penetesting/finding-local-admin-with-the-veil-framework/
Pivot: Password Spraying
Domain locks out accounts after a certain number of failed logins
Can’t brute force
Solution:
Try a number of passwords less than the domain lockout policy against EVERY account in the domain
Pivot: Password Spraying
Lockout Policy = Threshold of five
Let’s try one password across every account
What passwords do we try?
Password123
Companyname123
SeasonYear
C:\>@FOR /F %n in (users.txt) DO @FOR /F %p in (pass.txt) DO @net use \\DOMAINCONTROLLER\IPC$ /user:DOMAIN\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete \\DOMAINCONTROLLER\IPC$ > NUL
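What the one-password-per-account loop above looks like from the defender's side, added here as an example that is not from the talk: the detection slides a time window over constructed logon-failure events (the fields a Windows Event ID 4625 record carries) and flags a source that fails against many distinct accounts while staying under the lockout threshold on each, which is exactly the pattern a per-account lockout alert never sees. The timestamps, account names, addresses and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def constructed_events():
    """Constructed 4625-style logon failures, not real logs: (timestamp, target_user, source_ip).
    One address tries a single password against 30 accounts in two minutes, while a
    normal user mistypes their own password three times from their workstation."""
    base = datetime(2016, 3, 14, 9, 0, 0)
    events = [(base + timedelta(seconds=4 * i), f"user{i:02d}", "10.0.0.99") for i in range(30)]
    events += [(base + timedelta(minutes=5, seconds=20 * i), "jsmith", "10.0.1.23") for i in range(3)]
    return events

def detect_spray(events, window=timedelta(minutes=10), min_accounts=10, lockout_threshold=5):
    """Flag a source that fails logons for at least min_accounts distinct accounts inside
    one window while never reaching lockout_threshold on any single account: many
    users, few tries each is the spray signature, and it never trips the lockout alarm."""
    by_src = defaultdict(list)
    for ts, user, src in events:
        by_src[src].append((ts, user))
    alerts = []
    for src, items in sorted(by_src.items()):
        items.sort()
        for start in range(len(items)):  # slide a window over this source's failures
            t0 = items[start][0]
            per_user = defaultdict(int)
            for ts, user in items[start:]:
                if ts - t0 > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) < lockout_threshold:
                alerts.append({"source": src, "accounts": len(per_user),
                               "max_per_account": max(per_user.values()),
                               "first_seen": t0.isoformat()})
                break  # one alert per source is enough
    return alerts
```

The same logic applies to any authentication log with a source, a target account and a timestamp (domain controller, VPN, web SSO), and a spray that rotates source addresses is caught by keying on the password-attempt timing across sources instead.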
Pivot: Password Spraying
Pivot: LLMNR & NBTNS Poison
LLMNR = Link-Local Multicast Name Resolution
NBT-NS = NetBIOS over TCP/IP Name Service
Both help hosts identify each other when DNS fails
Pivot: LLMNR & NBTNS Poison
http://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning
Pivot: LLMNR & NBTNS Poison
SpiderLabs Responder
Inveigh PowerShell Script
The result is that we obtain NTLM challenge/response hashes
Crack hashes
https://www.trustwave.com/Resources/SpiderLabs-Blog/Introducing-Responder-1-0/
Sensitive Data Hunt
Sensitive Data: Info Disclosure on Shares
Sensitive files on shares?
Find them with PowerView
ShareFinder then FileFinder
FileFinder will find files with the following strings in their title:
'*pass*', '*sensitive*', '*admin*', '*secret*', '*login*', '*unattend*.xml', '*.vmdk', '*creds*', or '*credential*'
Sensitive Data: Locate RDP Jump Hosts
Where are users RDP’ing to?
Can provide insight into where critical systems are
Get-NetComputers | Get-NetRDPSessions | Export-Csv -NoTypeInformation rdpsessions.csv
http://www.harmj0y.net/blog/powershell/powerquinsta/
Sensitive Data: Virtualization Hypervisors
Data Exfiltration
Data Exfiltration
What are organizations concerned about leaving their networks?
PCI data
Patient health information
Personally Identifying Information
Intellectual property
Data Exfiltration
How can attackers get data out of your network?
Web Access
USB Drive
Photo
Data Exfil: Email
For email, is DLP being enforced on the following?
Cleartext in email body
Encoded in email body
Attachments
Optical Character Recognition
Data Exfil: Web
Is all web traffic subject to DLP inspection?
The same tests as for email are performed, but over both standard and non-standard web ports
Data Exfil: USB Drives
Are files allowed to be copied to a USB drive?
Encryption
DLP
Blocked completely
Putting It All Together
Attack Scenario
Target Organization Setup
Firewall only allows outbound traffic through web proxy
AV up to date on clients
Email gateway allows Doc files
Local Administrator account is widespread with same credentials
Attack Scenario
Phishing email is crafted with Word doc attachment
Word doc is weaponized with a Macro
Email is sent to target employee
Attack Scenario
Employee opens email
Downloads attached .doc
Enables content
Macro runs PowerSploit PowerShell script to inject Meterpreter Reverse_https into memory
Meterpreter C2 channel is established
Attack Scenario
Password spray from the command line
Spring2016?
Run Find-LocalAdminAccess to find where the users are local admin
Pivot using psexec
Attack Scenario
Attacker dumps local user hashes (including local admin)
Local administrator credential is not randomized
Using PowerView UserHunter the attacker finds where Domain Admins are located
Attack Scenario
Attacker pivots to DA workstation
Runs Mimikatz to dump creds from memory
Locates sensitive data with PowerView ShareFinder
Exfils data
Summary
Summary
What are the benefits of this style of testing?
Real test of detection and incident response
Shows how an attacker can go from low access to owning the environment
Shows true risk to the organization