Pentest Apocalypse - SANSFIRE 2016 Edition


Transcript of Pentest Apocalypse - SANSFIRE 2016 Edition

Page 1: Pentest Apocalypse - SANSFIRE 2016 Edition

PENTEST PREPPERS

PENTEST APOCALYPSE

Page 2: Pentest Apocalypse - SANSFIRE 2016 Edition

BACKGROUND

• Complete domain compromise has been too easy

• Rarely detected

• Unprivileged user to DA in < 60 seconds

• Fix the common issues and low hanging fruit first

• Who needs a zero-day?

Page 3: Pentest Apocalypse - SANSFIRE 2016 Edition

WHOAMI

• Beau Bullock

• Pentester at Black Hills Information Security

• OSCP, OSWP, GXPN, GPEN, GCIH, GCFA, and GSEC

• Previously an enterprise defender

• Host of Hack Naked TV

• Guitarist/Audio Engineer

Page 4: Pentest Apocalypse - SANSFIRE 2016 Edition

WHAT ARE YOU BUYING?

• Penetration test vs. vulnerability assessment

• If your scanner results look like this you probably don’t need a pentest.

Page 5: Pentest Apocalypse - SANSFIRE 2016 Edition

VULNERABILITY ASSESSMENT

• Help identify low-hanging fruit

• Typically broader in scope

• Locate and identify assets

• Opportunity to tune detection devices

• Helps an organization improve overall security posture

Page 6: Pentest Apocalypse - SANSFIRE 2016 Edition

PENETRATION TEST

• Goal driven

• Targeted escalation tactics

• Typically try to avoid detection

• Can your security posture withstand an advanced attacker?

Page 7: Pentest Apocalypse - SANSFIRE 2016 Edition

LET’S TALK ABOUT SOME COMMON ISSUES

Page 8: Pentest Apocalypse - SANSFIRE 2016 Edition

1 - PATCHES

Page 9: Pentest Apocalypse - SANSFIRE 2016 Edition

1 - PATCHES

• Vulnerabilities we still find all the time that should be patched:

• MS08-067

• MS14-068

• PsExec Patch

• ColdFusion Patches

• ShellShock

• Heartbleed

Page 10: Pentest Apocalypse - SANSFIRE 2016 Edition

LOOKING FOR VULNERABLE SYSTEMS

• Get-ExploitableSystem from PowerView by @harmj0y

• Queries Active Directory for hostnames, OS versions, and service pack levels

• Cross-references those with common Metasploit modules

https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerView/powerview.ps1

Page 11: Pentest Apocalypse - SANSFIRE 2016 Edition

PATCHES WON’T FIX EVERYTHING

Page 12: Pentest Apocalypse - SANSFIRE 2016 Edition

2 - GROUP POLICY PREFERENCES (GPP)

• Extensions of Active Directory

• Configurable settings for use with Group Policy Objects

• Advanced settings for folders, mapped drives, and printers

• Deploy applications

• Create a local administrator account

http://www.dannyeckes.com/create-local-admin-group-policy-gpo/

Page 13: Pentest Apocalypse - SANSFIRE 2016 Edition

2 - GPP (CONTINUED)

• Passwords of accounts set by GPP are trivially decrypted!

• …by ANY authenticated user on the domain

• Located in *.xml files on SYSVOL

• Microsoft’s AES encryption key is publicly available

https://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be.aspx

http://blogs.technet.com/b/srd/archive/2014/05/13/ms14-025-an-update-for-group-policy-preferences.aspx

https://dirteam.com/sander/2014/05/23/security-thoughts-passwords-in-group-policy-preferences-cve-2014-1812/

Page 14: Pentest Apocalypse - SANSFIRE 2016 Edition

2 - GPP (WHAT DOES THE PATCH DO?)

• May 13, 2014 – MS14-025

• MS14-025 removes the ability to create local accounts with GPP

• Doesn’t remove previous entries!

• You need to manually delete these accounts

Page 15: Pentest Apocalypse - SANSFIRE 2016 Edition

2 - GPP (SUMMARY)

• First thing I check for on an internal assessment

• Almost always find an admin password here

• Find it with:

• PowerSploit - Get-GPPPassword

• Metasploit GPP Module

• Or…

C:\>findstr /S cpassword %logonserver%\sysvol\*.xml

https://github.com/mattifestation/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1

http://www.rapid7.com/db/modules/post/windows/gather/credentials/gpp
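The findstr one-liner above is the quickest check, but it matches the string anywhere in the file and tells you nothing about which account is affected. The following is an added example (not from the talk, PowerSploit or Metasploit) of the same audit done by a defender from a structured angle: walk a SYSVOL-like tree, parse every .xml file, and report each element that carries a cpassword attribute together with the account it sets. It deliberately does not decrypt anything; the presence of the attribute is the finding, and the remediation the slides describe is to delete the entry and reset the account. The directory layout, GUID and cpassword value are constructed placeholders.

```python
"""Audit Group Policy Preference XML files for stored credentials.

Walks a SYSVOL-like directory tree, parses every *.xml file and reports each
element carrying a ``cpassword`` attribute with the account it configures.
Added example; nothing here decrypts the value.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample shaped like a Groups.xml written by GPP before MS14-025.
# The GUIDs and the cpassword value are placeholders, not real data.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{PLACEHOLDER-GROUPS-CLSID}">
  <User clsid="{PLACEHOLDER-USER-CLSID}" name="LocalAdmin"
        changed="2014-01-01 00:00:00" uid="{PLACEHOLDER-UID}">
    <Properties action="C" newName="" fullName="" description=""
                cpassword="PLACEHOLDER_BASE64_BLOB" changeLogon="0"
                noChange="1" neverExpires="1" acctDisabled="0"
                userName="LocalAdmin"/>
  </User>
</Groups>
"""

# Constructed preference file with no stored password, to show a clean result.
SAMPLE_CLEAN_XML = """<?xml version="1.0" encoding="utf-8"?>
<Drives clsid="{PLACEHOLDER-DRIVES-CLSID}">
  <Drive clsid="{PLACEHOLDER-DRIVE-CLSID}" name="S:">
    <Properties action="U" path="\\\\fileserver\\share" label="Share"/>
  </Drive>
</Drives>
"""


def find_cpassword(xml_text, source):
    """Return one finding per element that carries a cpassword attribute."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():          # root.iter() includes the root itself
        if "cpassword" in elem.attrib:
            findings.append({
                "file": source,
                "tag": elem.tag,
                # Groups.xml uses userName; ScheduledTasks.xml uses runAs.
                "userName": elem.attrib.get("userName", ""),
                "runAs": elem.attrib.get("runAs", ""),
            })
    return findings


def audit_sysvol(root_dir):
    """Walk root_dir, parse every .xml file and collect cpassword findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            try:
                # utf-8-sig strips the BOM that GPP writes at the start of files
                with open(path, "r", encoding="utf-8-sig") as fh:
                    findings.extend(find_cpassword(fh.read(), path))
            except ET.ParseError:
                # Unparseable XML is reported too so a reviewer can inspect it
                findings.append({"file": path, "tag": "PARSE_ERROR",
                                 "userName": "", "runAs": ""})
    return findings


def build_sample_sysvol():
    """Create a temp directory laid out like SYSVOL\\Policies for the demo."""
    base = tempfile.mkdtemp(prefix="sysvol_")
    pref = os.path.join(base, "Policies", "{PLACEHOLDER-GPO-GUID}",
                        "Machine", "Preferences")
    os.makedirs(os.path.join(pref, "Groups"))
    os.makedirs(os.path.join(pref, "Drives"))
    with open(os.path.join(pref, "Groups", "Groups.xml"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_GROUPS_XML)
    with open(os.path.join(pref, "Drives", "Drives.xml"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_CLEAN_XML)
    return base


if __name__ == "__main__":
    for f in audit_sysvol(build_sample_sysvol()):
        print(f"{f['file']}: <{f['tag']}> userName={f['userName']!r} runAs={f['runAs']!r}")
```

Run it against a real share by replacing the demo path with the mounted SYSVOL Policies folder; every line of output is an entry that MS14-025 left behind and that still needs to be removed by hand.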

Page 16: Pentest Apocalypse - SANSFIRE 2016 Edition

3 - WIDESPREAD LOCAL ADMINISTRATOR ACCOUNT

• Makes it easy to pivot from workstation to workstation

• Using creds found elsewhere:

• SMB_Login Metasploit Module

http://www.rapid7.com/db/modules/auxiliary/scanner/smb/smb_login

@FOR /F %s in (systems.txt) DO @net use \\%s\C$ /.\Administrator AdminPass 1>NUL 2>&1 && @echo %s>>admin_access.txt && @net use /delete \\%s\C$ > NUL

Page 17: Pentest Apocalypse - SANSFIRE 2016 Edition

3 - WIDESPREAD LOCAL ADMIN (CONTINUED)

• What’s next?

• Hunt for Domain Admins – JoeWare NetSess, Veil-PowerView UserHunter

• PsExec_psh Metasploit Module

• RDP?

• If we don’t have cleartext creds:

• Pass-the-hash

http://www.joeware.net/freetools/tools/netsess/index.htm

https://www.veil-framework.com/hunting-users-veil-framework/

http://www.rapid7.com/db/modules/exploit/windows/smb/psexec_psh

Page 18: Pentest Apocalypse - SANSFIRE 2016 Edition

4 - PASSWORDS

• Default Passwords

• admin:admin

• tomcat:tomcat

• Pwnedlist or Have I Been Pwned

• Credentials from previous data breaches

• Weak domain password policy?

• Password spraying

http://splashdata.com/press/worst-passwords-of-2014.htm

Page 19: Pentest Apocalypse - SANSFIRE 2016 Edition

4 - PASSWORD SPRAYING

• Domain locks out accounts after a certain number of failed logins

• Can’t brute force a single user’s password

• Solution:

• Try a number of passwords less than the domain lockout threshold against EVERY account in the domain

Page 20: Pentest Apocalypse - SANSFIRE 2016 Edition

4 - PASSWORD SPRAYING (CONTINUED)

• Lockout Policy = Threshold of five

• Let’s try one

• What passwords do we try?

• SeasonYear (Summer2016)

• Password123

• Companyname123

• Etc.

@FOR /F %n in (users.txt) DO @FOR /F %p in (pass.txt) DO @net use \\DOMAINCONTROLLER\IPC$ /user:DOMAIN\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete \\DOMAINCONTROLLER\IPC$ > NUL

http://www.lanmaster53.com/

https://github.com/lukebaggett/powerspray
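Because a spray stays under the lockout threshold for every individual account, a detection that counts failures per account never fires. The signal is on the other axis: one source producing failed logons for many distinct accounts in a short window. The following is an added example (not from the talk or any tool it names) that runs both counters over a constructed set of failed-logon records in a simplified form of the Windows event 4625 fields (time, source, target user); the records are made up for the demo.

```python
"""Detect password spraying from failed-logon records (added example).

A per-account counter, which is what a lockout policy is, never sees a spray:
every account fails once or twice. A per-source counter of *distinct* target
accounts inside a sliding window does.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, source, target user). They mimic the
# fields a SIEM would extract from event 4625 but are not real log output.
SPRAY_SOURCE = "10.0.0.50"
SAMPLE_EVENTS = [
    # Two users mistyping their own password, plus a helpdesk host that fails
    # for three different people spread across the day: all normal noise.
    ("2016-06-13 07:00:00", "10.0.0.9", "carol"),
    ("2016-06-13 08:30:00", "10.0.0.7", "bob"),
    ("2016-06-13 08:30:20", "10.0.0.7", "bob"),
    ("2016-06-13 11:00:00", "10.0.0.9", "dave"),
    ("2016-06-13 15:00:00", "10.0.0.9", "erin"),
] + [
    # One pass of a spray: twelve accounts, one attempt each, within ~70 s.
    (f"2016-06-13 09:00:{6 * i + 1:02d}" if 6 * i + 1 < 60
     else f"2016-06-13 09:01:{6 * i + 1 - 60:02d}", SPRAY_SOURCE, user)
    for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank",
                              "grace", "heidi", "ivan", "judy", "mallory", "oscar"])
]


def parse_events(rows):
    """Turn the string timestamps into datetimes."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, user)
            for ts, src, user in rows]


def max_failures_per_account(rows):
    """What a lockout counter sees: the busiest single account."""
    counts = defaultdict(int)
    for _ts, _src, user in rows:
        counts[user] += 1
    return max(counts.values()) if counts else 0


def detect_spray(rows, window=timedelta(minutes=10), min_accounts=5):
    """Return {source: distinct accounts} for sources that, within any
    `window`, failed logons for at least `min_accounts` distinct accounts.
    The thresholds are assumed defaults, not values from the talk."""
    by_source = defaultdict(list)
    for ts, src, user in parse_events(rows):
        by_source[src].append((ts, user))
    alerts = {}
    for src, evs in by_source.items():
        evs.sort()
        best, lo = 0, 0
        for hi in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            distinct = len({u for _, u in evs[lo:hi + 1]})
            best = max(best, distinct)
        if best >= min_accounts:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    print("busiest account failures:", max_failures_per_account(SAMPLE_EVENTS))
    print("spray sources:", detect_spray(SAMPLE_EVENTS))
```

With the sample data the per-account view tops out at three failures, comfortably under the five-strike lockout the slide describes, while the per-source view flags the spraying host with twelve distinct accounts in one window. Tune the window and account count to the size of the domain; the idea generalises to any source field (workstation name, VPN session, OWA client IP).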

Page 21: Pentest Apocalypse - SANSFIRE 2016 Edition

4 - PASSWORD SPRAYING (CONTINUED)

Page 22: Pentest Apocalypse - SANSFIRE 2016 Edition

4 - PASSWORDS (CONTINUED)

• Increase password length

• Don’t make ridiculous policies

• Remember… correcthorsebatterystaple

• Check haveibeenpwned

• Password spray

http://xkcd.com/936/
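The slide's advice (length over complexity rules, and checking candidate passwords against breach data) can be enforced at password-set time rather than discovered by a spray. The following is an added example, not code from the talk or from Have I Been Pwned, of a screening function that rejects the spray favourites named two slides earlier (SeasonYear, Password123, Companyname123), enforces a minimum length, and queries the Pwned Passwords range API in the k-anonymity form it actually uses: only the first five hex characters of the SHA-1 are sent and the service answers with every matching suffix and a count. The HTTP call is injectable; the demo supplies a constructed response, so the counts are made up. The 15-character minimum and the company name "acme" are assumptions for the demo.

```python
"""Screen a candidate password against length, spray patterns and breach data.

Added example. The range-API exchange is real (GET /range/<5 hex chars>,
response lines of SUFFIX:COUNT), but fetch_range is injected so this runs
offline against a constructed response.
"""
import hashlib
import re

SEASON_YEAR = re.compile(r"^(spring|summer|fall|autumn|winter)\d{2,4}[!@#$]*$")
PASSWORD_DIGITS = re.compile(r"^password\d*[!@#$]*$")


def weak_pattern(password, company_name="acme"):
    """Return the name of the spray pattern the password matches, or None."""
    pw = password.lower()
    if SEASON_YEAR.match(pw):
        return "season+year"
    if PASSWORD_DIGITS.match(pw):
        return "password+digits"
    if company_name and re.match(rf"^{re.escape(company_name.lower())}\d*[!@#$]*$", pw):
        return "company+digits"
    return None


def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 into the 5-char prefix that is sent and
    the 35-char suffix that is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        if ":" in line:
            suffix, count = line.strip().split(":", 1)
            counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password, fetch_range):
    """How many times the password appears in breach data (0 if never)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fake_fetch_range(prefix):
    """Constructed stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
    Knows only the suffix of 'Summer2016' (with an invented count) plus one
    filler suffix, so every other password reads as unseen in this demo."""
    known_prefix, known_suffix = sha1_prefix_suffix("Summer2016")
    if prefix == known_prefix:
        return f"{known_suffix}:1234\n{'0' * 34}A:2\n"
    return ""


def screen_password(password, fetch_range=fake_fetch_range, min_length=15,
                    company_name="acme"):
    """Return the list of reasons to reject; an empty list means accept."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    pattern = weak_pattern(password, company_name)
    if pattern:
        reasons.append(f"matches spray pattern: {pattern}")
    seen = pwned_count(password, fetch_range)
    if seen:
        reasons.append(f"seen {seen} times in breach data")
    return reasons


if __name__ == "__main__":
    for candidate in ("Summer2016", "Acme123!", "correcthorsebatterystaple"):
        print(candidate, "->", screen_password(candidate) or "ok")
```

To use it for real, replace fake_fetch_range with a function that performs the GET over HTTPS and returns the response body; the password and its full hash still never leave the host. Note that "correcthorsebatterystaple" passes here only because the constructed response does not list it; any phrase famous enough to be on a slide is in real breach corpora and a live query would reject it.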

Page 23: Pentest Apocalypse - SANSFIRE 2016 Edition

5 - OVERPRIVILEGED USERS (LOCAL HOST)

• Are your standard users already local admins?

• This takes out a major step of privilege escalation

• Only grant admin access where necessary, not globally

Page 24: Pentest Apocalypse - SANSFIRE 2016 Edition

6 - OVERPRIVILEGED USERS (OTHER HOSTS)

Occasionally, admins get lazy… and do things like add “Domain Users” group to the “Local Administrators” group

Page 25: Pentest Apocalypse - SANSFIRE 2016 Edition

6 - OVERPRIVILEGED USERS (OTHER HOSTS)

• This means EVERY domain user is now an administrator of that system

• PowerView Find-LocalAdminAccess

• PowerView Invoke-ShareFinder

http://www.harmj0y.net/blog/penetesting/finding-local-admin-with-the-veil-framework/

Page 26: Pentest Apocalypse - SANSFIRE 2016 Edition

WHAT INFORMATION CAN YOU LEARN FROM USERS ON THE NETWORK?

Page 27: Pentest Apocalypse - SANSFIRE 2016 Edition

7 - FILES ON SHARES

• Sensitive files on shares?

• Find them with more PowerView awesomeness…

• Use list generated by ShareFinder with FileFinder

• FileFinder will find files with the following strings in their title:

• ‘*pass*’, ‘*sensitive*’, ‘*admin*’, ‘*secret*’, ‘*login*’, ‘*unattend*.xml’, ‘*.vmdk’, ‘*creds*’, or ‘*credential*’

https://www.veil-framework.com/hunting-sensitive-data-veil-framework/

Page 28: Pentest Apocalypse - SANSFIRE 2016 Edition

8 - INFORMATION DISCLOSURE ON INTRANET

• Knowledge Bases are helpful to employees… and attackers

• Helpdesk tickets

• How-to articles

• Emails

• Search functionality is our best friend

• Search for <insert critical infrastructure name, sensitive data type, or ‘password’>

Page 29: Pentest Apocalypse - SANSFIRE 2016 Edition

9 - NETBIOS AND LLMNR POISONING

• LLMNR = Link-Local Multicast Name Resolution

• NBT-NS = NetBIOS over TCP/IP Name Service

• Both help hosts identify each other when DNS fails

http://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning

Page 30: Pentest Apocalypse - SANSFIRE 2016 Edition

9 - NETBIOS AND LLMNR (CONTINUED)

• SpiderLabs Responder

• Poisons NBT-NS and LLMNR

• The result is we obtain NTLM challenge/response hashes

• Crack hashes

https://github.com/Spiderlabs/Responder

https://www.trustwave.com/Resources/SpiderLabs-Blog/Introducing-Responder-1-0/

Page 31: Pentest Apocalypse - SANSFIRE 2016 Edition

10 - LOCAL WORKSTATION PRIVILEGE ESCALATION

• PowerUp!

• Another awesome Veil tool

• Invoke-AllChecks looks for potential privilege escalation vectors

http://www.verisgroup.com/2014/06/17/powerup-usage/

Page 32: Pentest Apocalypse - SANSFIRE 2016 Edition

SUMMARY (10 COMMON ISSUES)

• 1. Missing Patches

• 2. Group Policy Preference Passwords

• 3. Widespread Local Administrator Accounts

• 4. Weak Password Policy

• 5. Overprivileged Users (admin of local host)

• 6. Overprivileged Users (admin of other hosts)

• 7. Sensitive Files on Shares

• 8. Information Disclosure on Intranet Sites

• 9. NetBIOS and LLMNR Poisoning

• 10. Local Workstation Privilege Escalation

Page 33: Pentest Apocalypse - SANSFIRE 2016 Edition

NOW TO PREP YOUR PENTEST BUG OUT BAG

Page 34: Pentest Apocalypse - SANSFIRE 2016 Edition

TUNE DETECTION DEVICES

• Test your network security devices prior to a pentest for common pentester activities

• Meterpreter shells

• Portscans

• Password spraying

• Use of Windows cmd line tools like ‘net’, or ‘whoami’

Page 35: Pentest Apocalypse - SANSFIRE 2016 Edition

PERFORM EGRESS FILTERING

• Block outbound access except where needed

• Implement an authenticated web proxy and force all web traffic through it

• Block ‘uncategorized’ sites

• Portscan AllPorts.Exposed from the inside of your network

• See what ports are allowed outbound

Page 36: Pentest Apocalypse - SANSFIRE 2016 Edition

THINGS THAT MAKE OUR JOB HARD

• Application whitelisting

• Disabling PowerShell

• Network access control

• Network segmentation

• Two-Factor authentication

• Locking down outbound access

• Strong password policies

• Fixing the other items mentioned earlier

Page 37: Pentest Apocalypse - SANSFIRE 2016 Edition

THINGS NOT TO DO DURING A PENTEST

• Inform your teams that the test is happening

• Monitor, but don’t interfere during a pentest

• Enforce different policies on the pentester than “normal” users

• Alert users to an upcoming phishing test

Page 38: Pentest Apocalypse - SANSFIRE 2016 Edition

PENTEST PREPARATION GUIDE

Page 39: Pentest Apocalypse - SANSFIRE 2016 Edition

PENTEST PREP GUIDE

• Details the 10 issues I talked about today

• How to identify

• How to remediate

• Hopefully this will help organizations prepare for an upcoming penetration test

• …or help a pentester to pivot more easily

Page 40: Pentest Apocalypse - SANSFIRE 2016 Edition

CHECKLIST!

Page 41: Pentest Apocalypse - SANSFIRE 2016 Edition

DOWNLOAD HERE

http://bit.ly/1Uk6fKS

Page 42: Pentest Apocalypse - SANSFIRE 2016 Edition

THANK YOU!

• Contact info:

• [email protected]

• [email protected]

• Twitter - @dafthack