Pentest Apocalypse


Transcript of Pentest Apocalypse

Page 1: Pentest Apocalypse

PENTEST PREPPERS

Page 2: Pentest Apocalypse

WHOAMI

• Beau Bullock

• Pentester at Black Hills Information Security

• OSCP, OSWP, GPEN, GCIH, GCFA, and GSEC

• Previously an enterprise defender

• Blogger

• Guitarist/Audio Engineer

• Homebrewer

Page 3: Pentest Apocalypse

BACKGROUND

• Privilege escalation has been too easy

• No detection

• Unprivileged user to DA in < 60 seconds = Pentest Apocalypse

• Fix the common issues and low hanging fruit first

• Who needs a zero-day?

Page 4: Pentest Apocalypse

WHAT ARE YOU BUYING?

• Penetration test vs. vulnerability assessment

• If your scanner results look like this you don’t need a pentest.

Page 5: Pentest Apocalypse

VULNERABILITY ASSESSMENT

• Help identify low-hanging fruit

• Typically broader in scope

• Locate and identify assets

• Opportunity to tune detection devices

• Helps an organization improve overall security posture

Page 6: Pentest Apocalypse

PENETRATION TEST

• Goal driven

• Targeted escalation tactics

• Typically try to avoid detection

• Can your security posture withstand an advanced attacker?

Page 7: Pentest Apocalypse

LET’S TALK ABOUT SOME COMMON ISSUES

Page 8: Pentest Apocalypse

10 COMMON ISSUES

• 1. Missing Patches

• 2. Group Policy Preference Passwords

• 3. Widespread Local Administrator Accounts

• 4. Weak Password Policy

• 5. Overprivileged Users (admin of local host)

• 6. Overprivileged Users (admin of other hosts)

• 7. Sensitive Files on Shares

• 8. Information Disclosure on Intranet Sites

• 9. NetBIOS and LLMNR Poisoning

• 10. Local Workstation Privilege Escalation

Page 9: Pentest Apocalypse

PATCHES

• MS08-067

• MS14-068

• PsExec Patch

• ColdFusion Patches

• ShellShock

• Heartbleed

Page 10: Pentest Apocalypse

PATCHES WON’T FIX EVERYTHING

Page 11: Pentest Apocalypse

GROUP POLICY PREFERENCES (GPP)

• Extensions of Active Directory

• Configurable settings for use with Group Policy Objects

• Advanced settings for folders, mapped drives, and printers.

• Deploy applications

• Create a local administrator account

http://www.dannyeckes.com/create-local-admin-group-policy-gpo/

Page 12: Pentest Apocalypse

GPP (CONTINUED)

• May 13, 2014 – MS14-025

• Passwords of accounts set by GPP are trivially decrypted!

• …by ANY authenticated user on the domain

• Located in groups.xml file on SYSVOL

https://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be.aspx

http://blogs.technet.com/b/srd/archive/2014/05/13/ms14-025-an-update-for-group-policy-preferences.aspx

https://dirteam.com/sander/2014/05/23/security-thoughts-passwords-in-group-policy-preferences-cve-2014-1812/

Page 13: Pentest Apocalypse

GPP (WHAT DOES THE PATCH DO?)

• MS14-025 removes the ability to create local accounts with GPP

• Doesn’t remove previous entries!

• You need to manually delete these accounts

Page 14: Pentest Apocalypse

GPP (SUMMARY)

• First thing I check for on an internal assessment

• Almost always find an admin password here

• Find it with:

• PowerSploit - Get-GPPPassword

• Metasploit GPP Module

• Or…

C:\> findstr /S cpassword %logonserver%\sysvol\*.xml

https://github.com/mattifestation/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1

http://www.rapid7.com/db/modules/post/windows/gather/credentials/gpp
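The same check from the defender's side, as an added example that is not part of the talk or of the tools it names: an audit script that walks preference XML files the way the findstr one-liner does, reports every entry still carrying a cpassword value so the GPO owner can delete it, and deliberately never decrypts anything. The Groups.xml sample is constructed, with a placeholder in place of a real cpassword, and the account-attribute names per preference type are an assumption about the GPP schema.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape GPP writes under SYSVOL\...\Preferences\Groups\Groups.xml.
# The cpassword value is a placeholder, not a real encrypted credential.
SAMPLE_GROUPS_XML = """<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="LocalAdmin"
        changed="2014-04-10 10:22:11" uid="{CONSTRUCTED-UID-1}">
    <Properties action="U" cpassword="PLACEHOLDER_CPASSWORD" changeLogon="0"
        noChange="1" neverExpires="1" acctDisabled="0" userName="LocalAdmin"/>
  </User>
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Helpdesk"
        changed="2013-01-02 08:00:00" uid="{CONSTRUCTED-UID-2}">
    <Properties action="C" cpassword="" userName="Helpdesk"/>
  </User>
</Groups>
"""

# Attribute that names the account, per preference type (assumed schema):
# Groups.xml and Drives.xml use userName, Services.xml accountName,
# ScheduledTasks.xml runAs, DataSources.xml username.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")


def find_cpassword_entries(xml_text, source="Groups.xml"):
    """Return one finding per element carrying a non-empty cpassword attribute.
    Nothing is decrypted; the output is a cleanup list for the GPO owner."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        if not elem.get("cpassword"):
            continue  # absent or empty cpassword: no stored credential
        account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "?")
        owner = parent_of.get(elem)  # the <User>/<Service>/... element holding 'changed'
        findings.append({
            "file": source,
            "account": account,
            "changed": owner.get("changed") if owner is not None else None,
            "action": elem.get("action"),
        })
    return findings


def audit_preference_files(files):
    """files: iterable of (path, xml_text) pairs, e.g. every *.xml found under SYSVOL."""
    results = []
    for path, text in files:
        results.extend(find_cpassword_entries(text, source=path))
    return results
```

Feed it the XML files collected from SYSVOL and every row in the result is an account whose password should be rotated and whose GPP entry should be removed, which the MS14-025 patch does not do for you.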

Page 15: Pentest Apocalypse

WIDESPREAD LOCAL ADMINISTRATOR ACCOUNT

• Makes it easy to pivot from workstation to workstation

• Using creds found via GPP:

• SMB_Login Metasploit Module

http://www.rapid7.com/db/modules/auxiliary/scanner/smb/smb_login

Page 16: Pentest Apocalypse

WIDESPREAD LOCAL ADMIN (CONTINUED)

• What’s next?

• Hunt for Domain Admins – JoeWare NetSess, Veil-PowerView UserHunter

• PsExec_psh Metasploit Module

• RDP?

• If we don’t have cleartext creds:

• Pass-the-hash

http://www.joeware.net/freetools/tools/netsess/index.htm

https://www.veil-framework.com/hunting-users-veil-framework/

http://www.rapid7.com/db/modules/exploit/windows/smb/psexec_psh

Page 17: Pentest Apocalypse

PASSWORDS

• Default Passwords

• admin:admin

• tomcat:tomcat

• Pwnedlist

• Credentials from previous data breaches

• Default 8 character password policy?

• Password spraying

http://splashdata.com/press/worst-passwords-of-2014.htm

Page 18: Pentest Apocalypse

PASSWORD SPRAYING

• Domain locks out accounts after a certain number of failed logins

• Can’t brute force a single user’s password

• Solution:

• Try a number of passwords less than the domain lockout policy against EVERY account in the domain

Page 19: Pentest Apocalypse

PASSWORD SPRAYING (CONTINUED)

• Lockout Policy = Threshold of five

• Let’s try three or four passwords

• What passwords do we try?

• Password123

• Companyname123

• Etc.

@FOR /F %n in (users.txt) DO @FOR /F %p in (pass.txt) DO @net use \\DOMAINCONTROLLER\IPC$ /user:DOMAIN\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete \\DOMAINCONTROLLER\IPC$ > NUL

http://www.lanmaster53.com/

https://github.com/lukebaggett/powerspray
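The detection side of the spraying slides above (and of the "tune detection devices" point later in the deck), as an added example that is not part of the talk: a lockout policy only counts failures per account, so a spray that stays under the threshold for every account is invisible to it. Grouping failed logons by source instead, and flagging a source that touches many distinct accounts in a short window while keeping each one below the threshold, picks up exactly the pattern described. The event lines are constructed (Windows 4625 events flattened to one line each); the names and addresses are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed-logon events. 10.0.0.5 sprays five accounts and retries
# one of them; 10.0.0.9 hammers a single account, which lockout already handles.
SAMPLE_EVENTS = """\
2015-03-10 09:00:01 EventID=4625 TargetUserName=alice IpAddress=10.0.0.5
2015-03-10 09:00:02 EventID=4625 TargetUserName=bob IpAddress=10.0.0.5
2015-03-10 09:00:03 EventID=4625 TargetUserName=carol IpAddress=10.0.0.5
2015-03-10 09:00:04 EventID=4625 TargetUserName=dave IpAddress=10.0.0.5
2015-03-10 09:00:05 EventID=4625 TargetUserName=erin IpAddress=10.0.0.5
2015-03-10 09:05:01 EventID=4625 TargetUserName=alice IpAddress=10.0.0.5
2015-03-10 09:00:10 EventID=4625 TargetUserName=grace IpAddress=10.0.0.9
2015-03-10 09:00:11 EventID=4625 TargetUserName=grace IpAddress=10.0.0.9
2015-03-10 09:00:12 EventID=4625 TargetUserName=grace IpAddress=10.0.0.9
"""

LINE_RE = re.compile(r"^(\S+ \S+) EventID=4625 TargetUserName=(\S+) IpAddress=(\S+)$")


def parse_events(text):
    """Return (timestamp, account, source_ip) for every 4625 line that matches."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return events


def detect_spray(events, window=timedelta(minutes=30), min_accounts=5, lockout=5):
    """Flag a source that fails logons against >= min_accounts distinct accounts
    inside `window` while every single account stays below the lockout threshold."""
    by_source = defaultdict(list)
    for ts, user, ip in events:
        by_source[ip].append((ts, user))
    alerts = []
    for ip, attempts in by_source.items():
        attempts.sort()
        for start, (t0, _) in enumerate(attempts):  # slide the window over each start
            per_user = defaultdict(int)
            for ts, user in attempts[start:]:
                if ts - t0 > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) < lockout:
                alerts.append({"source": ip, "accounts": len(per_user),
                               "max_per_account": max(per_user.values()),
                               "window_start": t0.isoformat()})
                break  # one alert per source is enough
    return alerts
```

Set `lockout` to the domain's real threshold and `min_accounts` to something above the number of accounts a single user normally mistypes in one sitting.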

Page 20: Pentest Apocalypse

PASSWORD SPRAYING (CONTINUED)

Page 21: Pentest Apocalypse

PASSWORDS (CONTINUED)

• Increase password length

• Don’t make ridiculous policies

• Remember… correcthorsebatterystaple

• Check PwnedList

• Password spray

http://xkcd.com/936/

Page 22: Pentest Apocalypse

OVERPRIVILEGED USERS

• Are your standard users already local admins?

• This takes out a major step of privilege escalation

• Only grant admin access where necessary, not globally

Page 23: Pentest Apocalypse

OVERPRIVILEGED USERS (OTHER HOSTS)

• Scenario:

• Unprivileged user wants to run some software on their system

• User calls helpdesk

• Helpdesk attempts to get it working for the user

• Fails

• Decides adding “Domain Users” group to the local administrators group is a good idea

Page 24: Pentest Apocalypse

OVERPRIVILEGED USERS (OTHER HOSTS)

• This means EVERY domain user is now an administrator of that system

• Veil-PowerView Invoke-FindLocalAdminAccess

• Veil-PowerView Invoke-ShareFinder

http://www.harmj0y.net/blog/penetesting/finding-local-admin-with-the-veil-framework/

Page 25: Pentest Apocalypse

WHAT INFORMATION CAN YOU LEARN FROM USERS ON THE NETWORK?

Page 26: Pentest Apocalypse

FILES ON SHARES

• Sensitive files on shares?

• Find them with more PowerView awesomeness…

• Use list generated by ShareFinder with FileFinder

• FileFinder will find files with the following strings in their name:

• ‘*pass*’, ‘*sensitive*’, ‘*admin*’, ‘*secret*’, ‘*login*’, ‘*unattend*.xml’, ‘*.vmdk’, ‘*creds*’, or ‘*credential*’

https://www.veil-framework.com/hunting-sensitive-data-veil-framework/

Page 27: Pentest Apocalypse

INFORMATION DISCLOSURE ON INTRANET

• Knowledge Bases are helpful to employees… and attackers

• Helpdesk tickets

• How-to articles

• Emails

• Search functionality is our best friend

• Search for <insert critical infrastructure name, sensitive data type, or ‘password’>

Page 28: Pentest Apocalypse

NETBIOS AND LLMNR POISONING

• LLMNR = Link-Local Multicast Name Resolution

• NBT-NS = NetBIOS over TCP/IP Name Service

• Both help hosts identify each other when DNS fails

http://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning

Page 29: Pentest Apocalypse

NETBIOS AND LLMNR (CONTINUED)

• SpiderLabs Responder

• Poisons NBT-NS and LLMNR

• The result is we obtain NTLM challenge/response hashes

• Crack hashes

https://github.com/Spiderlabs/Responder

https://www.trustwave.com/Resources/SpiderLabs-Blog/Introducing-Responder-1-0/

Page 30: Pentest Apocalypse

LOCAL WORKSTATION PRIVILEGE ESCALATION

• PowerUp!

• Another awesome Veil tool

• Invoke-AllChecks looks for potential privilege escalation vectors

http://www.verisgroup.com/2014/06/17/powerup-usage/

Page 31: Pentest Apocalypse

SUMMARY (10 COMMON ISSUES)

• 1. Missing Patches

• 2. Group Policy Preference Passwords

• 3. Widespread Local Administrator Accounts

• 4. Weak Password Policy

• 5. Overprivileged Users (admin of local host)

• 6. Overprivileged Users (admin of other hosts)

• 7. Sensitive Files on Shares

• 8. Information Disclosure on Intranet Sites

• 9. NetBIOS and LLMNR Poisoning

• 10. Local Workstation Privilege Escalation

Page 32: Pentest Apocalypse

NOW TO PREP YOUR PENTEST BUG OUT BAG

Page 33: Pentest Apocalypse

TUNE DETECTION DEVICES

• Test your network security devices prior to a pentest for common pentester activities

• Meterpreter shells

• Portscans

• Password spraying

Page 34: Pentest Apocalypse

PERFORM EGRESS FILTERING

• Block outbound access except where needed

• Implement an authenticated web proxy and force all web traffic through it

Page 35: Pentest Apocalypse

THINGS THAT MAKE OUR JOB HARD

• Application Whitelisting

• Disabling PowerShell

• Network Access Control

• Network segmentation

• Fixing the items mentioned earlier

Page 36: Pentest Apocalypse

THINGS NOT TO DO DURING A PENTEST

• Inform your teams that the test is happening

• Monitor, but don’t interfere during a pentest

• Enforce different policies on the pentester than “normal” users

• Alert users to an upcoming phishing test

Page 37: Pentest Apocalypse

PENTEST PREPARATION GUIDE

Page 38: Pentest Apocalypse

PENTEST PREP GUIDE

• May help organizations prepare for an upcoming penetration test

• Details of the 10 issues I talked about today

• How to identify

• How to remediate

Page 39: Pentest Apocalypse

CHECKLIST!

Page 40: Pentest Apocalypse

DOWNLOAD HERE

http://bit.ly/1FF33nH

Page 41: Pentest Apocalypse

QUESTIONS?

• Contact me

• Personal - [email protected]

• Work – [email protected]

• Twitter - @dafthack

• Blog – www.dafthack.com