This presentation is intended to provide an overview of vulnerabilities and attack techniques that are popular in penetration testing at the moment. This talk includes real-world examples of attacks that the presenters use on a daily basis, and some reflections on which techniques have changed over the last year. Vulnerabilities related to the application, network, and server layers will all be covered, along with current anti-virus bypass and privilege escalation techniques used by attackers and penetration testers. This presentation should be interesting to security professionals and system administrators looking for more insight into real-world attacks.
More security blogs by the authors can be found @
https://www.netspi.com/blog/
2. INTRODUCTIONS
Scott Sutherland
Principal Security Consultant @ NetSPI
Twitter: @_nullbind
Karl Fosaaen
Senior Security Consultant @ NetSPI
Twitter: @kfosaaen
We specialize in both things and stuff!
3. OVERVIEW
• Why do companies pen test?
• Attacking Protocols
• Attacking Passwords
• Attacking Applications
• Bypassing End Point Protection
• Windows Escalation
• Conclusions
4. WHY DO COMPANIES PEN TEST?
• Compliance requirements
• Evaluate risks associated with an acquisition or partnership
• Validate preventative controls
• Validate detective controls
• Prioritize internal security initiatives
• Proactively prevent breaches
5. OVERVIEW
• Attacking Protocols
• Attacking Passwords
• Attacking Applications
• Bypassing End Point Protection
• Windows Escalation
6. ATTACKING PROTOCOLS
• ARP: Address Resolution Protocol
• NBNS: NetBIOS Name Service
• SMB: Server Message Block
• PXE: Preboot Execution Environment
• DTP: Dynamic Trunking Protocol
8. ATTACKING PROTOCOLS: ARP
• General
  MAC to IP association
  Layer 2
• Conditions
  Independent of user action
  Broadcast network
• Attacks
  MITM monitoring
  MITM injection
  DoS
12. ATTACKING PROTOCOLS: NBNS
• General
  IP to hostname association
  Layer 5 / 7
• Constraints
  Dependent on user action
  Broadcast network
  Windows only
• Attacks
  MITM monitoring
  MITM injection
  DoS
16. ATTACKING PROTOCOLS: NBNS
Common mitigating controls:
• Create a WPAD (Web Proxy Auto-Discovery) server entry in DNS
• Disable NBNS
• Disable insecure authentication methods to help limit the impact of exposed hashes
• Enable packet signing to help prevent SMB Relay attacks
18. ATTACKING PROTOCOLS: SMB
• General
  SMB is the come back kid!
  Layer 7
• Constraints
  Dependent on user action
  Any routable network
  No connecting back to originating host
• Attacks
  Command execution
  Shells..aaand shells
20. ATTACKING PROTOCOLS: SMB
Historically SMB Relay has been used to:
• Execute arbitrary commands
• Obtain shells
Lately the community has been developing tools for doing things like:
• LDAP queries
• SQL queries
• Exchange services
• Mounting file systems
21. ATTACKING PROTOCOLS: SMB
Common mitigating controls:
• Enable packet signing to help prevent SMB Relay attacks
• Apply really old patches like if you missed out on the last decade…
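As an added example (not part of the NetSPI deck), the following PowerShell audits the local Windows host for the NBNS and SMB relay mitigations listed on slides 16 and 21, using the standard registry values and adapter settings; the wpad lookup assumes the host's DNS suffix is the zone where the WPAD record is expected to live.

```powershell
# Added example, not from the deck: read-only audit of the NBNS/SMB relay mitigations
# on the local Windows host. Run from an elevated PowerShell prompt.
function Get-RelayMitigationStatus {
    $findings = @()

    # 1. NetBIOS over TCP/IP per IP-enabled adapter.
    #    TcpipNetbiosOptions: 0 = setting from DHCP, 1 = enabled, 2 = disabled
    $adapters = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True'
    foreach ($a in $adapters) {
        if ($a.TcpipNetbiosOptions -ne 2) {
            $findings += "NBNS still enabled on '$($a.Description)' (TcpipNetbiosOptions=$($a.TcpipNetbiosOptions))"
        }
    }

    # 2. SMB signing must be *required* on both the client and the server side to stop relay
    $wks = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' -ErrorAction SilentlyContinue
    $srv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
    if ($wks.RequireSecuritySignature -ne 1) { $findings += 'SMB client signing not required (LanmanWorkstation\RequireSecuritySignature != 1)' }
    if ($srv.RequireSecuritySignature -ne 1) { $findings += 'SMB server signing not required (LanmanServer\RequireSecuritySignature != 1)' }

    # 3. Insecure authentication methods: LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLMv1
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    if ($null -eq $lsa.LmCompatibilityLevel -or $lsa.LmCompatibilityLevel -lt 5) {
        $findings += "LmCompatibilityLevel is '$($lsa.LmCompatibilityLevel)' (absent = OS default); 5 refuses LM/NTLMv1"
    }

    # 4. LLMNR, the other broadcast fallback mentioned in the notes: EnableMulticast = 0 disables it by policy
    $dnsPol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' -ErrorAction SilentlyContinue
    if ($dnsPol.EnableMulticast -ne 0) { $findings += 'LLMNR not disabled by policy (DNSClient\EnableMulticast != 0)' }

    # 5. WPAD: a real DNS answer keeps clients from broadcasting the name via NBNS/LLMNR.
    #    Assumption: the record is expected in the zone of this host's DNS suffix.
    try   { [void](Resolve-DnsName -Name 'wpad' -Type A -DnsOnly -ErrorAction Stop) }
    catch { $findings += "'wpad' does not resolve in DNS; clients will fall back to NBNS/LLMNR for it" }

    return $findings
}

$result = @(Get-RelayMitigationStatus)
if ($result.Count -eq 0) { 'All NBNS/SMB relay mitigations from the slides are in place.' } else { $result }
```

Each reported line maps to one bullet on the mitigation slides, so the output doubles as a remediation checklist for that host.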
26. ATTACKING PROTOCOLS: DTP
Common mitigating controls:
• Use a dedicated VLAN ID for all trunking ports
• Disable all unused ports and place them on a non-routable VLAN
• Configure all user ports as access ports to prevent trunk negotiation
• Configure frames with two 802.1Q headers
• Configure strong VACLs
27. ATTACKING PROTOCOLS: DTP
• General
  802.1Q encapsulation is in use
  Layer 2
• Constraints
  Independent of user action
  Trunking is set to enabled or auto on switch port
• Attacks
  Monitor network traffic for all VLANs, because all VLANs are allowed on a trunk by default
  *Full VLAN hopping
33. OVERVIEW
• Attacking Protocols
• Attacking Passwords
• Attacking Applications
• Bypassing End Point Protection
• Windows Escalation
35. ATTACKING PASSWORDS
Tool               Function                   Year
Pass the Hash      Passing Hashes             1997
Rainbow Tables     Password Cracking          2000s
SMB Relay          Relaying Captured Hashes   2001
John the Ripper    Password Cracking          2001
NetNTLM.pl         Cracking Network Hashes    2007
PTH Toolkit        Pass all the Hashes        2008
Hashcat            CPU and GPU Cracking       2010
WCE and Mimikatz   Cleartext Windows Creds    2012
37. ATTACKING PASSWORDS: HASHES
• What are hashes?
  A non-reversible way of storing passwords
  Operating systems and applications
  Lots of types
    LM/NTLM (network and local)
    MD5
    SHA
    descrypt
38. ATTACKING PASSWORDS: HASHES
• How do we get hashes?
  Cain and Abel
  fgdump
  Metasploit
  Mimikatz
  Databases
  Config files
43. OVERVIEW
• Attacking Protocols
• Attacking Passwords
• Attacking Applications
• Bypassing End Point Protection
• Windows Escalation
44. ATTACKING APPLICATIONS: COMMON
• Default and weak passwords
• SQL injection
• RFI/web shells
• Web directory traversals
• UNC path injection + SMB relay
• Critical missing patches
45. ATTACKING APPLICATIONS: BREAKOUTS
• Obtain a common dialog box
• Bypass folder path and file type restrictions
• Bypass file execution restrictions
• Bypass file black/white lists
• Access to native consoles and management tools
• Downloading and using third-party applications
46. OVERVIEW
• Attacking Protocols
• Attacking Passwords
• Attacking Applications
• Bypassing End Point Protection
• Windows Escalation
51. WINDOWS ESCALATION: GOALS
Local Escalation Goals
  Find clear text or reversible credentials with local administrative privileges
  Get an application to run commands as Administrator or LocalSystem
Domain Escalation Goals
  Find Domain Admins
  Impersonate Domain Admins
52. WINDOWS ESCALATION: LOCAL
Local Escalation
  *Clear text credentials in files, registry, over network
  Insecure service paths
  DLL preloading
  DLL and exe replacement
  Binary planting in auto-run locations (registry and file system)
  Modifying scheduled tasks
  *Local and remote exploits
  Leverage local applications like IIS, SQL Server etc
  *UNC path injection + SMB Relay / Capture + crack
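Added example, not from the deck: a PowerShell audit for the "insecure service paths" item above, i.e. unquoted service binary paths containing spaces (the C:\Program Files (x86) vs "C:\Program Files (x86)" case from the speaker notes). It lists each affected service and which of the directories Windows would probe first are writable by ordinary users.

```powershell
# Added example, not from the deck: read-only audit of unquoted service paths.
# Run as an administrator so every directory ACL can be read.
function Get-UnquotedServicePath {
    $results = @()
    $services = Get-CimInstance Win32_Service | Where-Object {
        $_.PathName -and $_.PathName -notmatch '^"' -and $_.PathName -notmatch '^[A-Za-z]:\\Windows\\'
    }
    foreach ($svc in $services) {
        # Drop any arguments after the executable name so only the path is examined
        $exe = ($svc.PathName -split '\.exe', 2)[0] + '.exe'
        if ($exe -notmatch ' ') { continue }   # no space, nothing for the SCM to misparse

        # For C:\Program Files (x86)\Vendor\app.exe the SCM tries C:\Program.exe,
        # then C:\Program Files.exe, ... before the real binary. Each parent directory
        # of those candidates is checked for write access by low-privileged principals.
        $parts    = $exe.Split(' ')
        $writable = @()
        for ($i = 1; $i -lt $parts.Count; $i++) {
            $candidate = $parts[0..($i - 1)] -join ' '
            $dir = Split-Path -Path $candidate -Parent
            if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { continue }
            foreach ($ace in (Get-Acl -LiteralPath $dir).Access) {
                if ($ace.AccessControlType -eq 'Allow' -and
                    $ace.IdentityReference -match 'Everyone|Authenticated Users|BUILTIN\\Users' -and
                    $ace.FileSystemRights -match 'Write|Modify|FullControl|CreateFiles') {
                    $writable += $dir
                    break
                }
            }
        }
        $results += [pscustomobject]@{
            Service      = $svc.Name
            RunsAs       = $svc.StartName
            PathName     = $svc.PathName
            WritableDirs = ($writable | Select-Object -Unique) -join '; '
        }
    }
    return $results
}

Get-UnquotedServicePath | Format-Table -AutoSize
```

A service with a non-empty WritableDirs column is the finding to fix; the remediation is to quote the ImagePath value for that service and to remove the write permission from the directory.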
53. WINDOWS ESCALATION: DOMAIN
Domain Escalation – Find DAs
  Check locally! (Processes, Tokens, Cachedump)
  Review active sessions - netsess
  Review remote processes - tasklist
  Service Principal Names (SPN) – get-spn
  Scanning remote systems for NetBIOS information - nbtscan
  Pass the hash to other systems
  PowerShell shell spraying
  WinRM/WinRS shell spraying
  PsExec shell spraying
54. WINDOWS ESCALATION: DOMAIN
Domain Escalation – Impersonate DAs
  Dump passwords from memory with Mimikatz
  Migrate into the Domain Admin’s process
  Steal Domain Admins' delegation tokens with Incognito
  Dump cached domain admin hashes with cachedump
Relatively new techniques
  PTH using Kerberos ticket
56. CONCLUSIONS
All can kind of be fixed
Most networks: kind of broken
Most protocols: kind of broken
Most applications: kind of broken
58. ATTACK ALL THE LAYERS!
Scott Sutherland
Principal Security Consultant
Twitter: @_nullbind
Karl Fosaaen
Senior Security Consultant
Twitter: @kfosaaen
These are protocols that are commonly targeted. However, there are many others:
• Address Resolution Protocol (ARP): Cain, ettercap, interceptor-ng, Subterfuge, easycreds
• NetBIOS Name Service (NBNS): MetaSploit and responder
• Link-local Multicast Name Resolution (LLMNR): MetaSploit and responder
• Preboot Execution Environment (PXE): MetaSploit
• Dynamic Trunking Protocol (DTP): Yersinia
• Spanning-Tree Protocol (STP): Yersinia, ettercap (lamia plugin)
• Hot Stand-by Router Protocol (HSRP): Yersinia
• Dynamic Host Configuration Protocol (DHCP): Interceptor, MetaSploit, manual setup
• Domain Name Services (DNS): MetaSploit, ettercap, dsniff, zodiac, ADMIdPack
• VLAN Tunneling Protocol (VTP): Yersinia, voiphopper, or modprobe+ifconfig
Been an issue since the birth of the internet and hasn’t really gone away.
• ARP is a broadcast protocol used for IP to MAC relationships
• Limited to broadcast network
• No encryption or validation allows for spoofing
• MITM step 1 – tell the server you are the client
• MITM step 2 – tell the client you are the server
• Can also broadcast as gateway to all systems on the subnet, but you’re most likely not a router, so don’t do that
• Can also DoS very easily
Go with what you like.
Windows protocol
• Kind of like a backup to DNS
• Resolution order: hosts file, DNS, NBNS
• Race condition
• Limited to broadcast network
Go with what you like: http basic, http_ntlmauth, http_relay, smb
In summary, an SMB Relay attack can be loosely defined as the process of relaying SMB authentication from one system to another via a man-in-the-middle (MITM) position. Based on my five whole minutes of wiki research I now know that the issues that allow SMB attacks to be successful were identified as a threat in the late 90’s. However, it wasn’t until 2001 that Sir Dystic publicly released a tool that could be used to perform practical attacks. Seven years later Microsoft got around to partially fixing the issue with a patch, but it only prevents attackers from relaying back to the originating system.

I guess the good news is that SMB relay attacks can be prevented by enabling and requiring SMB message signing, but the bad news is that most environments are configured in such a way that attackers can still relay authentication to other systems.

2001 was a while ago, so I got out my calculator and did some hardcore math to figure out that this has been a well known and practiced attack for at least 11 years. During that time there have been many tools and projects dedicated to taking advantage of the attack technique. Some of the more popular ones include Metasploit, Squirtle, and ZackAttack.

Anyway, let’s get back on track…
Image showing MITM
The unauthorized switch can send DTP frames and form a trunk with the company switch. If the attacker can establish a trunk link to the company switch, it receives traffic for all VLANs through the trunk, because all VLANs are allowed on a trunk by default.
Touch on common tools and pitfalls (account lockouts)
• Default and weak passwords for everything
  Tools: Nmap, Nessus, Web Scour, manuals, Google
• SQL injection
  Tools: manually, web scanners, SQL Ninja, SQL Map, Metasploit
• RFI/web shells (JBoss, Tomcat, etc.)
  Tools: Metasploit, Fuzzdb, and other web shellery
• Web directory traversals
  Tools: manually, web scanners, Fuzzdb, Metasploit
• Critical missing patches (SEP etc.)
  Tools: Metasploit, exploitdb exploits, etc.
• Execution via approved apps
  PowerShell code injection
  Rundll32
  IEExec
• Directory exceptions
  GAC
• Disable services
• Poisoning the allowed file list and blocking updates via the hosts file
• Poisoning updates
This is a non-linear process, so be aware that some techniques can be used at many levels. These are the common escalation scenarios seen during penetration testing.
Local user -> Local Administrator
• Excessive local group privileges (admin or power users)
• Cleartext credentials
  Sysprep (unattend.xml/ini/txt)
  Config files, scripts, logs, desktop folders
  Tech support call files
• Weak application configurations that allow:
  Restarting or reconfiguring services
  Replacing application files
  DLL pre- or side-loading
  Executable injection via poorly registered services (C:\Program Files (x86) vs “C:\Program Files (x86)”)
• Local and remote exploits (Metasploit: getsystem)