Pentest Apocalypse - SANSFIRE 2016 Edition
PENTEST PREPPERS
PENTEST APOCALYPSE
BACKGROUND
• Complete domain compromise has been too easy
• Rarely detected
• Unprivileged user to DA in < 60 seconds
• Fix the common issues and low hanging fruit first
• Who needs a zero-day?
WHOAMI
• Beau Bullock
• Pentester at Black Hills Information Security
• OSCP, OSWP, GXPN, GPEN, GCIH, GCFA, and GSEC
• Previously an enterprise defender
• Host of Hack Naked TV
• Guitarist/Audio Engineer
WHAT ARE YOU BUYING?
• Penetration test vs. vulnerability assessment
• If your scanner results look like this you probably don’t need a pentest.
VULNERABILITY ASSESSMENT
• Help identify low-hanging fruit
• Typically broader in scope
• Locate and identify assets
• Opportunity to tune detection devices
• Helps an organization improve overall security posture
PENETRATION TEST
• Goal driven
• Targeted escalation tactics
• Typically try to avoid detection
• Can your security posture withstand an advanced attacker?
LET’S TALK ABOUT SOME COMMON ISSUES
1 - PATCHES
• Vulnerabilities we still find all the time that should be patched:
  • MS08-067
  • MS14-068
  • PsExec Patch
  • ColdFusion Patches
  • ShellShock
  • Heartbleed
LOOKING FOR VULNERABLE SYSTEMS
• Get-ExploitableSystem from PowerView by @harmj0y
• Queries Active Directory for hostnames, OS versions, and service pack levels
• Cross-references those with common Metasploit modules
https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerView/powerview.ps1
PATCHES WON’T FIX EVERYTHING
2 - GROUP POLICY PREFERENCES (GPP)
• Extensions of Active Directory
• Configurable settings for use with Group Policy Objects
• Advanced settings for folders, mapped drives, and printers
• Deploy applications
• Create a local administrator account
http://www.dannyeckes.com/create-local-admin-group-policy-gpo/
2 - GPP (CONTINUED)
• Passwords of accounts set by GPP are trivially decrypted!
• …by ANY authenticated user on the domain
• Located in *.xml files on SYSVOL
• Microsoft’s AES encryption key is publicly available
https://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be.aspx
http://blogs.technet.com/b/srd/archive/2014/05/13/ms14-025-an-update-for-group-policy-preferences.aspx
https://dirteam.com/sander/2014/05/23/security-thoughts-passwords-in-group-policy-preferences-cve-2014-1812/
2 - GPP (WHAT DOES THE PATCH DO?)
• May 13, 2014 – MS14-025
• MS14-025 removes the ability to create local accounts with GPP
• Doesn’t remove previous entries!
• You need to manually delete these accounts
2 - GPP (SUMMARY)
• First thing I check for on an internal assessment
• Almost always find an admin password here
• Find it with:
  • PowerSploit - Get-GPPPassword
  • Metasploit GPP Module
• Or…
C:>findstr /S cpassword %logonserver%\sysvol\*.xml
https://github.com/mattifestation/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1
http://www.rapid7.com/db/modules/post/windows/gather/credentials/gpp
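An added defender-side sweep, not from the talk or from any of the tools it names, that does in structured form what the findstr one-liner above does: walk a SYSVOL copy, parse each GPP preference file and report every element that still carries a cpassword attribute, blank or not, so stale pre-MS14-025 entries can be found and removed. The SYSVOL layout and the XML contents are constructed in a temporary directory, and the cpassword value is a placeholder, not a real ciphertext.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# GPP preference files that can carry a cpassword attribute. Groups.xml is the
# local-account case from the talk; the rest are the other GPP item types.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Printers.xml", "Drives.xml"}

def find_gpp_cpasswords(sysvol_root):
    """Walk a SYSVOL tree and report every element that still carries a
    cpassword attribute, blank or not. Returns (relative_path, account, is_set)."""
    findings = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for name in files:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                continue  # malformed XML: skip it rather than abort the sweep
            for elem in root.iter():
                if "cpassword" in elem.attrib:
                    account = elem.get("userName") or elem.get("accountName") or "?"
                    rel = os.path.relpath(path, sysvol_root)
                    findings.append((rel, account, bool(elem.get("cpassword"))))
    return findings

# Constructed sample: a pre-MS14-025 Groups.xml that still carries an encrypted
# password, and one where the attribute was blanked but never removed.
_STALE = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
 <User name="Administrator (built-in)">
  <Properties action="U" userName="Administrator (built-in)" newName="localadmin"
   cpassword="CONSTRUCTED_PLACEHOLDER_NOT_A_REAL_CIPHERTEXT"/>
 </User>
</Groups>"""
_BLANKED = _STALE.replace("CONSTRUCTED_PLACEHOLDER_NOT_A_REAL_CIPHERTEXT", "")

def build_sample_sysvol():
    # throwaway directory laid out like SYSVOL\Policies (constructed sample)
    root = tempfile.mkdtemp(prefix="sysvol_")
    for gpo, body in (("{GPO-A}", _STALE), ("{GPO-B}", _BLANKED)):
        d = os.path.join(root, "Policies", gpo, "Machine", "Preferences", "Groups")
        os.makedirs(d)
        with open(os.path.join(d, "Groups.xml"), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for rel, account, is_set in find_gpp_cpasswords(build_sample_sysvol()):
        print(f"{rel}: account={account!r} cpassword_present={is_set}")
```

Point it at a copy of \\<dc>\SYSVOL and treat every row as an account whose password is readable by any domain user until the preference item is deleted and the account's password is changed.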
3 - WIDESPREAD LOCAL ADMINISTRATOR ACCOUNT
• Makes it easy to pivot from workstation to workstation
• Using creds found elsewhere:
  • SMB_Login Metasploit Module
http://www.rapid7.com/db/modules/auxiliary/scanner/smb/smb_login
@FOR /F %s in (systems.txt) DO @net use \\%s\C$ /user:.\Administrator AdminPass 1>NUL 2>&1 && @echo %s>>admin_access.txt && @net use /delete \\%s\C$ > NUL
3 - WIDESPREAD LOCAL ADMIN (CONTINUED)
• What’s next?
  • Hunt for Domain Admins – JoeWare NetSess, Veil-PowerView UserHunter
  • PsExec_psh Metasploit Module
  • RDP?
• If we don’t have cleartext creds:
  • Pass-the-hash
http://www.joeware.net/freetools/tools/netsess/index.htm
https://www.veil-framework.com/hunting-users-veil-framework/
http://www.rapid7.com/db/modules/exploit/windows/smb/psexec_psh
4 - PASSWORDS
• Default Passwords
  • admin:admin
  • tomcat:tomcat
• Pwnedlist or Have I Been Pwned
  • Credentials from previous data breaches
• Weak domain password policy?
  • Password spraying
http://splashdata.com/press/worst-passwords-of-2014.htm
4 - PASSWORD SPRAYING
• Domain locks out accounts after a certain number of failed logins
• Can’t brute force a single users password
• Solution:
  • Try a number of passwords less than the domain lockout policy against EVERY account in the domain
4 - PASSWORD SPRAYING (CONTINUED)
• Lockout Policy = Threshold of five
  • Let’s try one
• What passwords do we try?
  • SeasonYear (Summer2016)
  • Password123
  • Companyname123
  • Etc.
@FOR /F %n in (users.txt) DO @FOR /F %p in (pass.txt) DO @net use \\DOMAINCONTROLLER\IPC$ /user:DOMAIN\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete \\DOMAINCONTROLLER\IPC$ > NUL
http://www.lanmaster53.com/
https://github.com/lukebaggett/powerspray
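The spray pattern described above, one password against every account while staying under the lockout threshold, leaves a distinctive trail in failed-logon events: per-account failure counts look benign, but one source touches many accounts in a short window. This added detection example (not from the talk or from powerspray) flags exactly that; the event records are constructed, and the 30-minute window and the thresholds are assumed tuning values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def detect_password_spray(events, window_minutes=30, min_accounts=5, lockout_threshold=5):
    """Flag sources failing against many distinct accounts inside one window while
    every account stays below the lockout threshold. events are (iso_timestamp,
    account, source) tuples. Returns {source: sorted targeted accounts}."""
    window = timedelta(minutes=window_minutes)
    by_source = defaultdict(list)
    for ts, account, source in events:
        by_source[source].append((datetime.fromisoformat(ts), account))
    alerts = {}
    for source, attempts in by_source.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            # per-account failure counts from this source within the window
            per_account = defaultdict(int)
            for t, account in attempts[i:]:
                if t - start <= window:
                    per_account[account] += 1
            if (len(per_account) >= min_accounts
                    and max(per_account.values()) < lockout_threshold):
                alerts[source] = sorted(per_account)
                break
    return alerts

# Constructed sample of failed-logon records (timestamp, target account,
# source address), the fields a Windows 4625 event carries. Not real data.
SAMPLE_EVENTS = [
    # a user mistyping their own password: one account, three tries
    ("2016-06-13T08:58:10", "alice", "10.0.0.5"),
    ("2016-06-13T08:58:31", "alice", "10.0.0.5"),
    ("2016-06-13T08:59:02", "alice", "10.0.0.5"),
    # one password tried once per account: every account stays under lockout
    ("2016-06-13T09:15:00", "alice", "10.0.0.9"),
    ("2016-06-13T09:15:01", "bob",   "10.0.0.9"),
    ("2016-06-13T09:15:02", "carol", "10.0.0.9"),
    ("2016-06-13T09:15:03", "dave",  "10.0.0.9"),
    ("2016-06-13T09:15:04", "erin",  "10.0.0.9"),
    ("2016-06-13T09:15:05", "frank", "10.0.0.9"),
    # same breadth spread over a day: never five accounts in one window
    ("2016-06-13T01:00:00", "alice", "10.0.0.20"),
    ("2016-06-13T05:00:00", "bob",   "10.0.0.20"),
    ("2016-06-13T09:00:00", "carol", "10.0.0.20"),
    ("2016-06-13T13:00:00", "dave",  "10.0.0.20"),
    ("2016-06-13T17:00:00", "erin",  "10.0.0.20"),
]
if __name__ == "__main__":
    for src, accounts in detect_password_spray(SAMPLE_EVENTS).items():
        print(f"possible spray from {src}: {len(accounts)} accounts {accounts}")
```

Keying on the source address misses a spray rotated across many hosts; the same breadth check keyed on time alone catches that at the cost of more noise.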
4 - PASSWORDS (CONTINUED)
• Increase password length
• Don’t make ridiculous policies
• Remember… correcthorsebatterystaple
• Check haveibeenpwned
• Password spray
http://xkcd.com/936/
5 - OVERPRIVILEGED USERS (LOCAL HOST)
• Are your standard users already local admins?
• This takes out a major step of privilege escalation
• Only grant admin access where necessary, not globally
6 - OVERPRIVILEGED USERS (OTHER HOSTS)
Occasionally, admins get lazy… and do things like add “Domain Users” group to the “Local Administrators” group
• This means EVERY domain user is now an administrator of that system
• PowerView Find-LocalAdminAccess
• PowerView Invoke-ShareFinder
http://www.harmj0y.net/blog/penetesting/finding-local-admin-with-the-veil-framework/
WHAT INFORMATION CAN YOU LEARN FROM USERS ON THE NETWORK?
7 - FILES ON SHARES
• Sensitive files on shares?
• Find them with more PowerView awesomeness…
• Use list generated by ShareFinder with FileFinder
• FileFinder will find files with the following strings in their title:
  • ‘*pass*’, ‘*sensitive*’, ‘*admin*’, ‘*secret*’, ‘*login*’, ‘*unattend*.xml’, ‘*.vmdk’, ‘*creds*’, or ‘*credential*’
https://www.veil-framework.com/hunting-sensitive-data-veil-framework/
8 - INFORMATION DISCLOSURE ON INTRANET
• Knowledge Bases are helpful to employees… and attackers
  • Helpdesk tickets
  • How-to articles
  • Emails
• Search functionality is our best friend
  • Search for <insert critical infrastructure name, sensitive data type, or ‘password’>
9 - NETBIOS AND LLMNR POISONING
• LLMNR = Link-Local Multicast Name Resolution
• NBT-NS = NetBIOS over TCP/IP Name Service
• Both help hosts identify each other when DNS fails
http://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning
9 - NETBIOS AND LLMNR (CONTINUED)
• SpiderLabs Responder
  • Poisons NBT-NS and LLMNR
  • The result is we obtain NTLM challenge/response hashes
  • Crack hashes
https://github.com/Spiderlabs/Responder
https://www.trustwave.com/Resources/SpiderLabs-Blog/Introducing-Responder-1-0/
10 - LOCAL WORKSTATION PRIVILEGE ESCALATION
• PowerUp!
  • Another awesome Veil tool
  • Invoke-AllChecks looks for potential privilege escalation vectors
http://www.verisgroup.com/2014/06/17/powerup-usage/
SUMMARY (10 COMMON ISSUES)
• 1. Missing Patches
• 2. Group Policy Preference Passwords
• 3. Widespread Local Administrator Accounts
• 4. Weak Password Policy
• 5. Overprivileged Users (admin of local host)
• 6. Overprivileged Users (admin of other hosts)
• 7. Sensitive Files on Shares
• 8. Information Disclosure on Intranet Sites
• 9. NetBIOS and LLMNR Poisoning
• 10. Local Workstation Privilege Escalation
NOW TO PREP YOUR PENTEST BUG OUT BAG
TUNE DETECTION DEVICES
• Test your network security devices prior to a pentest for common pentester activities
  • Meterpreter shells
  • Portscans
  • Password spraying
  • Use of Windows cmd line tools like ‘net’, or ‘whoami’
PERFORM EGRESS FILTERING
• Block outbound access except where needed
• Implement an authenticated web proxy and force all web traffic through it
• Block ‘uncategorized’ sites
• Portscan AllPorts.Exposed from the inside of your network
  • See what ports are allowed outbound
THINGS THAT MAKE OUR JOB HARD
• Application whitelisting
• Disabling PowerShell
• Network access control
• Network segmentation
• Two-Factor authentication
• Locking down outbound access
• Strong password policies
• Fixing the other items mentioned earlier
THINGS NOT TO DO DURING A PENTEST
• Inform your teams that the test is happening
  • Monitor, but don’t interfere during a pentest
• Enforce different policies on the pentester than “normal” users
• Alert users to an upcoming phishing test
PENTEST PREPARATION GUIDE
PENTEST PREP GUIDE
• Details the 10 issues I talked about today
• How to identify
• How to remediate
• Hopefully this will help organizations prepare for an upcoming penetration test
• …or help a pentester to pivot more easily
CHECKLIST!
DOWNLOAD HERE
http://bit.ly/1Uk6fKS
THANK YOU!
• Contact info:
  • Twitter - @dafthack