Pentest Apocalypse: that's when you hire a pentester, and they walk all over your network. To avoid this, organizations need to be prepared before the first packet is sent in order to get the most value from the tester. There is no excuse for pentesters to find critical vulnerabilities that are six years old on an assessment. And who needs a zero-day when employees leave credentials on wide-open shares? Just like how Doomsday Preppers helps you prepare for the apocalypse, this presentation will help you prepare for, and avoid, a pentest apocalypse by describing common vulnerabilities found on many assessments. Being prepared for common pentester activities will not only help add value to a pentest but will also help prevent attackers from using the same tactics to compromise your organization.
For more information please visit: http://bsidestampa.net
http://www.irongeek.com/i.php?page=videos/bsidestampa2015/104-pentest-apocalypse-beau-bullock
2. BACKGROUND
• Complete domain compromise has been too easy
• Rarely detected
• Unprivileged user to DA in < 60 seconds
• Fix the common issues and low-hanging fruit first
• Who needs a zero-day?
3. WHOAMI
• Beau Bullock
• Pentester at Black Hills Information Security
• OSCP, OSWP, GXPN, GPEN, GCIH, GCFA, and GSEC
• Previously an enterprise defender
• Host of Hack Naked TV
• Guitarist/Audio Engineer
4. WHAT ARE YOU BUYING?
• Penetration test vs. vulnerability assessment
• If your scanner results look like this you probably don’t need a pentest.
5. VULNERABILITY ASSESSMENT
• Help identify low-hanging fruit
• Typically broader in scope
• Locate and identify assets
• Opportunity to tune detection devices
• Helps an organization improve overall security posture
6. PENETRATION TEST
• Goal driven
• Targeted escalation tactics
• Typically try to avoid detection
• Can your security posture withstand an advanced attacker?
9. 1 - PATCHES
• Vulnerabilities we still find all the time that should be patched:
• MS08-067
• MS14-068
• PsExec Patch
• ColdFusion Patches
• ShellShock
• Heartbleed
10. LOOKING FOR VULNERABLE SYSTEMS
• Get-ExploitableSystem from PowerView by @harmj0y
• Queries Active Directory for hostnames, OS versions, and service pack levels
• Cross-references those with common Metasploit modules
https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerView/powerview.ps1
12. 2 - GROUP POLICY PREFERENCES (GPP)
• Extensions of Active Directory
• Configurable settings for use with Group Policy Objects
• Advanced settings for folders, mapped drives, and printers
• Deploy applications
• Create a local administrator account
http://www.dannyeckes.com/create-local-admin-group-policy-gpo/
13. 2 - GPP (CONTINUED)
• Passwords of accounts set by GPP are trivially decrypted!
• …by ANY authenticated user on the domain
• Located in *.xml files on SYSVOL
• Microsoft’s AES encryption key is publicly available
https://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be.aspx
http://blogs.technet.com/b/srd/archive/2014/05/13/ms14-025-an-update-for-group-policy-preferences.aspx
https://dirteam.com/sander/2014/05/23/security-thoughts-passwords-in-group-policy-preferences-cve-2014-1812/
14. 2 - GPP (WHAT DOES THE PATCH DO?)
• May 13, 2014 – MS14-025
• MS14-025 removes the ability to create local accounts with GPP
• Doesn’t remove previous entries!
• You need to manually delete these accounts
15. 2 - GPP (SUMMARY)
• First thing I check for on an internal assessment
• Almost always find an admin password here
• Find it with:
• PowerSploit - Get-GPPPassword
• Metasploit GPP Module
• Or…
C:\>findstr /S cpassword %logonserver%\sysvol\*.xml
https://github.com/mattifestation/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1
http://www.rapid7.com/db/modules/post/windows/gather/credentials/gpp
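The findstr one-liner above tells you that a cpassword exists somewhere; the defender's follow-up is to know which GPO, which preference item, and which account, so each entry can be removed (MS14-025 does not do that for you). The script below is an added example written for this page, not code from the talk, PowerSploit or Microsoft. It walks a SYSVOL-shaped directory, parses the preference XML files, and reports every item whose Properties element still carries a cpassword attribute, without decrypting anything. The sample Groups.xml, the GUIDs and the cpassword blob in it are constructed placeholders.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample of a Groups.xml the way GPP stores it under
# SYSVOL\<domain>\Policies\<GUID>\Machine\Preferences\Groups\. The GUIDs and the
# cpassword value are placeholders, not a real GPO id or a real encrypted blob.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{PLACEHOLDER-GROUPS-CLSID}">
  <User clsid="{PLACEHOLDER-USER-CLSID}" name="LocalAdmin"
        image="2" changed="2014-03-01 10:00:00" uid="{PLACEHOLDER-UID-1}">
    <Properties action="U" newName="" fullName="" description=""
        cpassword="PLACEHOLDER_CPASSWORD_BLOB" changeLogon="0" noChange="1"
        neverExpires="1" acctDisabled="0" userName="LocalAdmin"/>
  </User>
  <User clsid="{PLACEHOLDER-USER-CLSID}" name="Helpdesk"
        image="2" changed="2014-03-01 10:00:00" uid="{PLACEHOLDER-UID-2}">
    <Properties action="U" newName="" description="" userName="Helpdesk"/>
  </User>
</Groups>
"""

# Preference files that can carry a cpassword attribute.
GPP_XML_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
                 "DataSources.xml", "Drives.xml", "Printers.xml"}


def find_gpp_passwords(sysvol_root):
    """Walk a SYSVOL-like tree and report every preference item whose
    <Properties> element still carries a cpassword attribute, empty or not."""
    findings = []
    for dirpath, _, filenames in os.walk(sysvol_root):
        for fname in filenames:
            if fname not in GPP_XML_FILES:
                continue
            path = os.path.join(dirpath, fname)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                continue  # malformed file: worth a manual look, skipped here
            for item in root.iter():
                props = item.find("Properties")
                if props is None or "cpassword" not in props.attrib:
                    continue
                findings.append({
                    "file": path,
                    "item": item.tag,
                    # Groups/Drives/DataSources name the account in userName;
                    # Services and ScheduledTasks use accountName or runAs.
                    "account": (props.get("userName") or props.get("accountName")
                                or props.get("runAs") or item.get("name") or "?"),
                    "has_value": bool(props.get("cpassword")),
                })
    return findings


def build_sample_sysvol():
    """Create a throwaway SYSVOL-shaped directory holding the constructed sample."""
    base = tempfile.mkdtemp(prefix="sysvol_demo_")
    gpo_dir = os.path.join(base, "corp.local", "Policies", "{PLACEHOLDER-GPO-GUID}",
                           "Machine", "Preferences", "Groups")
    os.makedirs(gpo_dir)
    with open(os.path.join(gpo_dir, "Groups.xml"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_GROUPS_XML)
    return base


if __name__ == "__main__":
    for f in find_gpp_passwords(build_sample_sysvol()):
        state = "set" if f["has_value"] else "empty"
        print(f"{f['file']}: {f['item']} '{f['account']}' has cpassword ({state})")
```

Pointed at the real share (`\\<dc>\SYSVOL`), the same function inventories every lingering GPP credential so the preference items can be deleted and the affected local accounts rotated; an empty cpassword is still flagged because the attribute itself signals a legacy item.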
16. 3 - WIDESPREAD LOCAL ADMINISTRATOR ACCOUNT
• Makes it easy to pivot from workstation to workstation
• Using creds found elsewhere:
• SMB_Login Metasploit Module
http://www.rapid7.com/db/modules/auxiliary/scanner/smb/smb_login
@FOR /F %s in (systems.txt) DO @net use \\%s\C$ /user:.\Administrator AdminPass 1>NUL 2>&1 && @echo %s>>admin_access.txt && @net use /delete \\%s\C$ > NUL
17. 3 - WIDESPREAD LOCAL ADMIN (CONTINUED)
• What’s next?
• Hunt for Domain Admins – JoeWare NetSess, Veil-PowerView UserHunter
• PsExec_psh Metasploit Module
• RDP?
• If we don’t have cleartext creds:
• Pass-the-hash
http://www.joeware.net/freetools/tools/netsess/index.htm
https://www.veil-framework.com/hunting-users-veil-framework/
http://www.rapid7.com/db/modules/exploit/windows/smb/psexec_psh
18. 4 - PASSWORDS
• Default Passwords
• admin:admin
• tomcat:tomcat
• Pwnedlist or Have I Been Pwned
• Credentials from previous data breaches
• Weak domain password policy?
• Password spraying
http://splashdata.com/press/worst-passwords-of-2014.htm
19. 4 - PASSWORD SPRAYING
• Domain locks out accounts after a certain number of failed logins
• Can’t brute force a single user’s password
• Solution:
• Try a number of passwords less than the domain lockout policy against EVERY account in the domain
20. 4 - PASSWORD SPRAYING (CONTINUED)
• Lockout Policy = Threshold of five
• Let’s try one
• What passwords do we try?
• SeasonYear (Summer2016)
• Password123
• Companyname123
• Etc.
@FOR /F %n in (users.txt) DO @FOR /F %p in (pass.txt) DO @net use \\DOMAINCONTROLLER\IPC$ /user:DOMAIN\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete \\DOMAINCONTROLLER\IPC$ > NUL
http://www.lanmaster53.com/
https://github.com/lukebaggett/powerspray
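The reason spraying works is that account lockout counts failures per account, so one attempt against each of a thousand accounts never trips it. The detection therefore has to count distinct accounts per source inside a time window, which is the opposite axis from a brute-force rule. The script below is an added example for this page, not code from the talk or from any of the tools it links; it runs both rules over constructed failed-logon records shaped like the fields you would pull from Security event 4625 on a domain controller (the hosts, accounts and times are made up; the 0xC000006A and 0xC0000234 substatus values are the standard wrong-password and account-locked codes).

```python
from collections import defaultdict
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed failed-logon records: (time, target account, source address,
# NTSTATUS substatus). Shaped like 4625 fields, but not real data.
SAMPLE_FAILED_LOGONS = [
    # one password tried against many accounts from one host: a spray
    ("2015-02-07 09:00:01", "alice", "10.0.5.23", "0xC000006A"),
    ("2015-02-07 09:00:02", "bob",   "10.0.5.23", "0xC000006A"),
    ("2015-02-07 09:00:03", "carol", "10.0.5.23", "0xC000006A"),
    ("2015-02-07 09:00:04", "dave",  "10.0.5.23", "0xC000006A"),
    ("2015-02-07 09:00:05", "erin",  "10.0.5.23", "0xC000006A"),
    ("2015-02-07 09:00:06", "frank", "10.0.5.23", "0xC000006A"),
    ("2015-02-07 09:00:07", "grace", "10.0.5.23", "0xC000006A"),
    ("2015-02-07 09:00:08", "heidi", "10.0.5.23", "0xC000006A"),
    # many passwords against one account: classic brute force, lockout catches it
    ("2015-02-07 09:10:00", "svc_backup", "10.0.7.9", "0xC000006A"),
    ("2015-02-07 09:10:01", "svc_backup", "10.0.7.9", "0xC000006A"),
    ("2015-02-07 09:10:02", "svc_backup", "10.0.7.9", "0xC000006A"),
    ("2015-02-07 09:10:03", "svc_backup", "10.0.7.9", "0xC000006A"),
    ("2015-02-07 09:10:04", "svc_backup", "10.0.7.9", "0xC000006A"),
    ("2015-02-07 09:10:05", "svc_backup", "10.0.7.9", "0xC0000234"),
    # an ordinary user mistyping twice, hours apart
    ("2015-02-07 09:30:00", "ivan", "10.0.9.4", "0xC000006A"),
    ("2015-02-07 11:00:00", "ivan", "10.0.9.4", "0xC000006A"),
]


def parse_logons(rows):
    """Turn the raw rows into (datetime, account, source, status) tuples."""
    return [(datetime.strptime(ts, TS_FORMAT), acct.lower(), src, status)
            for ts, acct, src, status in rows]


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {source: [accounts]} for each source that failed logons against at
    least `min_accounts` distinct accounts inside one sliding `window`.
    Lockout never fires on this pattern, so count accounts, not attempts."""
    by_src = defaultdict(list)
    for ts, acct, src, _ in sorted(events):
        by_src[src].append((ts, acct))
    alerts = {}
    for src, attempts in by_src.items():
        best, start = set(), 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            seen = {acct for _, acct in attempts[start:end + 1]}
            if len(seen) >= min_accounts and len(seen) > len(best):
                best = seen
        if best:
            alerts[src] = sorted(best)
    return alerts


def detect_bruteforce(events, min_failures=5):
    """Return [(source, account, failures)] for one account hammered from one source."""
    counts = defaultdict(int)
    for _, acct, src, _ in events:
        counts[(src, acct)] += 1
    return sorted((src, acct, n) for (src, acct), n in counts.items() if n >= min_failures)


if __name__ == "__main__":
    events = parse_logons(SAMPLE_FAILED_LOGONS)
    print("spray sources:", detect_spray(events))
    print("brute force:", detect_bruteforce(events))
```

The brute-force rule alone is blind to the 10.0.5.23 activity (one failure per account), and the spray rule alone is blind to 10.0.7.9 (one account); a SIEM needs both. Tuning the window and the account threshold against a baseline of your own helpdesk-hour failures is the part that varies per organization.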
23. 5 - OVERPRIVILEGED USERS (LOCAL HOST)
• Are your standard users already local admins?
• This takes out a major step of privilege escalation
• Only grant admin access where necessary, not globally
24. 6 - OVERPRIVILEGED USERS (OTHER HOSTS)
Occasionally, admins get lazy… and do things like add the “Domain Users” group to the local “Administrators” group
25. 6 - OVERPRIVILEGED USERS (OTHER HOSTS)
• This means EVERY domain user is now an administrator of that system
• PowerView Find-LocalAdminAccess
• PowerView Invoke-ShareFinder
http://www.harmj0y.net/blog/penetesting/finding-local-admin-with-the-veil-framework/
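Find-LocalAdminAccess answers the attacker's question (which hosts am I admin on); the defender's version is to ask each host who is in its Administrators group and flag broad principals before the pentester does. The script below is an added example for this page, not code from the talk or from PowerView. It parses the output of `net localgroup Administrators` as it appears on a host and flags any member that is a catch-all group. The sample output is constructed, including the CORP domain and the group names in it.

```python
# Principals that should never sit in a local Administrators group: membership
# makes every domain user (or every logged-on user) an admin of that host.
BROAD_PRINCIPALS = {"domain users", "authenticated users", "everyone", "users"}

# Constructed sample of `net localgroup Administrators` output on one workstation.
SAMPLE_NET_LOCALGROUP = """Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\Domain Users
CORP\\Helpdesk-Tier1
The command completed successfully.
"""


def parse_members(output):
    """Return the member names listed between the dashed rule and the trailer."""
    lines = output.splitlines()
    try:
        start = next(i for i, line in enumerate(lines) if line.startswith("---"))
    except StopIteration:
        return []  # not net localgroup output (or the group does not exist)
    members = []
    for line in lines[start + 1:]:
        line = line.strip()
        if not line or line.startswith("The command completed"):
            break
        members.append(line)
    return members


def flag_broad_admins(members):
    """Return the members that are catch-all groups, domain prefix ignored."""
    flagged = []
    for member in members:
        name = member.split("\\", 1)[-1].lower()
        if name in BROAD_PRINCIPALS:
            flagged.append(member)
    return flagged


if __name__ == "__main__":
    members = parse_members(SAMPLE_NET_LOCALGROUP)
    print("members:", members)
    print("broad groups in Administrators:", flag_broad_admins(members))
```

Run across a fleet (feeding it real `net localgroup Administrators` output collected by your management tooling), a non-empty result from flag_broad_admins is exactly the condition slide 25 describes; the fix is a Restricted Groups policy that pins the Administrators membership rather than cleaning hosts one at a time.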
27. 7 - FILES ON SHARES
• Sensitive files on shares?
• Find them with more PowerView awesomeness…
• Use list generated by ShareFinder with FileFinder
• FileFinder will find files with the following strings in their title:
• ‘*pass*’, ‘*sensitive*’, ‘*admin*’, ‘*secret*’, ‘*login*’, ‘*unattend*.xml’, ‘*.vmdk’, ‘*creds*’, or ‘*credential*’
https://www.veil-framework.com/hunting-sensitive-data-veil-framework/
28. 8 - INFORMATION DISCLOSURE ON INTRANET
• Knowledge Bases are helpful to employees… and attackers
• Helpdesk tickets
• How-to articles
• Emails
• Search functionality is our best friend
• Search for <insert critical infrastructure name, sensitive data type, or ‘password’>
29. 9 - NETBIOS AND LLMNR POISONING
• LLMNR = Link-Local Multicast Name Resolution
• NBT-NS = NetBIOS over TCP/IP Name Service
• Both help hosts identify each other when DNS fails
http://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning
30. 9 - NETBIOS AND LLMNR (CONTINUED)
• SpiderLabs Responder
• Poisons NBT-NS and LLMNR
• The result is we obtain NTLM challenge/response hashes
• Crack hashes
https://github.com/Spiderlabs/Responder
https://www.trustwave.com/Resources/SpiderLabs-Blog/Introducing-Responder-1-0/
31. 10 - LOCAL WORKSTATION PRIVILEGE ESCALATION
• PowerUp!
• Another awesome Veil tool
• Invoke-AllChecks looks for potential privilege escalation vectors
http://www.verisgroup.com/2014/06/17/powerup-usage/
32. SUMMARY (10 COMMON ISSUES)
• 1. Missing Patches
• 2. Group Policy Preference Passwords
• 3. Widespread Local Administrator Accounts
• 4. Weak Password Policy
• 5. Overprivileged Users (admin of local host)
• 6. Overprivileged Users (admin of other hosts)
• 7. Sensitive Files on Shares
• 8. Information Disclosure on Intranet Sites
• 9. NetBIOS and LLMNR Poisoning
• 10. Local Workstation Privilege Escalation
34. TUNE DETECTION DEVICES
• Test your network security devices prior to a pentest for common pentester activities
• Meterpreter shells
• Portscans
• Password spraying
• Use of Windows cmd line tools like ‘net’, or ‘whoami’
35. PERFORM EGRESS FILTERING
• Block outbound access except where needed
• Implement an authenticated web proxy and force all web traffic through it
• Block ‘uncategorized’ sites
• Portscan AllPorts.Exposed from the inside of your network
• See what ports are allowed outbound
36. THINGS THAT MAKE OUR JOB HARD
• Application whitelisting
• Disabling PowerShell
• Network access control
• Network segmentation
• Two-Factor authentication
• Locking down outbound access
• Strong password policies
• Fixing the other items mentioned earlier
37. THINGS NOT TO DO DURING A PENTEST
• Inform your teams that the test is happening
• Monitor, but don’t interfere during a pentest
• Enforce different policies on the pentester than “normal” users
• Alert users to an upcoming phishing test
39. PENTEST PREP GUIDE
• Details the 10 issues I talked about today
• How to identify
• How to remediate
• Hopefully this will help organizations prepare for an upcoming penetration test
• …or help a pentester to pivot more easily