Pentest Apocalypse
Uploaded by: beau-bullock
Category: Technology
Transcript of Pentest Apocalypse
![Page 1: Pentest Apocalypse](https://reader033.fdocuments.in/reader033/viewer/2022052509/55a8a7f21a28abc5508b47b7/html5/thumbnails/1.jpg)
PENTEST PREPPERS
![Page 2: Pentest Apocalypse](https://reader033.fdocuments.in/reader033/viewer/2022052509/55a8a7f21a28abc5508b47b7/html5/thumbnails/2.jpg)
WHOAMI
• Beau Bullock
• Pentester at Black Hills Information Security
• OSCP, OSWP, GPEN, GCIH, GCFA, and GSEC
• Previously an enterprise defender
• Blogger
• Guitarist/Audio Engineer
• Homebrewer
![Page 3: Pentest Apocalypse](https://reader033.fdocuments.in/reader033/viewer/2022052509/55a8a7f21a28abc5508b47b7/html5/thumbnails/3.jpg)
BACKGROUND
• Privilege escalation has been too easy
• No detection
• Unprivileged user to DA in < 60 seconds = Pentest Apocalypse
• Fix the common issues and low hanging fruit first
• Who needs a zero-day?
![Page 4: Pentest Apocalypse](https://reader033.fdocuments.in/reader033/viewer/2022052509/55a8a7f21a28abc5508b47b7/html5/thumbnails/4.jpg)
WHAT ARE YOU BUYING?
• Penetration test vs. vulnerability assessment
• If your scanner results look like this you don’t need a pentest.
![Page 5: Pentest Apocalypse](https://reader033.fdocuments.in/reader033/viewer/2022052509/55a8a7f21a28abc5508b47b7/html5/thumbnails/5.jpg)
VULNERABILITY ASSESSMENT
• Help identify low-hanging fruit
• Typically broader in scope
• Locate and identify assets
• Opportunity to tune detection devices
• Helps an organization improve overall security posture
![Page 6: Pentest Apocalypse](https://reader033.fdocuments.in/reader033/viewer/2022052509/55a8a7f21a28abc5508b47b7/html5/thumbnails/6.jpg)
PENETRATION TEST
• Goal driven
• Targeted escalation tactics
• Typically try to avoid detection
• Can your security posture withstand an advanced attacker?
![Page 7: Pentest Apocalypse](https://reader033.fdocuments.in/reader033/viewer/2022052509/55a8a7f21a28abc5508b47b7/html5/thumbnails/7.jpg)
LET’S TALK ABOUT SOME COMMON ISSUES
![Page 8: Pentest Apocalypse](https://reader033.fdocuments.in/reader033/viewer/2022052509/55a8a7f21a28abc5508b47b7/html5/thumbnails/8.jpg)
10 COMMON ISSUES
• 1. Missing Patches
• 2. Group Policy Preference Passwords
• 3. Widespread Local Administrator Accounts
• 4. Weak Password Policy
• 5. Overprivileged Users (admin of local host)
• 6. Overprivileged Users (admin of other hosts)
• 7. Sensitive Files on Shares
• 8. Information Disclosure on Intranet Sites
• 9. NetBIOS and LLMNR Poisoning
• 10. Local Workstation Privilege Escalation
![Page 9: Pentest Apocalypse](https://reader033.fdocuments.in/reader033/viewer/2022052509/55a8a7f21a28abc5508b47b7/html5/thumbnails/9.jpg)
PATCHES
• MS08-067
• MS14-068
• PsExec Patch
• ColdFusion Patches
• ShellShock
• Heartbleed
![Page 10: Pentest Apocalypse](https://reader033.fdocuments.in/reader033/viewer/2022052509/55a8a7f21a28abc5508b47b7/html5/thumbnails/10.jpg)
PATCHES WON’T FIX EVERYTHING
![Page 11: Pentest Apocalypse](https://reader033.fdocuments.in/reader033/viewer/2022052509/55a8a7f21a28abc5508b47b7/html5/thumbnails/11.jpg)
GROUP POLICY PREFERENCES (GPP)
• Extensions of Active Directory
• Configurable settings for use with Group Policy Objects
• Advanced settings for folders, mapped drives, and printers
• Deploy applications
• Create a local administrator account
http://www.dannyeckes.com/create-local-admin-group-policy-gpo/
![Page 12: Pentest Apocalypse](https://reader033.fdocuments.in/reader033/viewer/2022052509/55a8a7f21a28abc5508b47b7/html5/thumbnails/12.jpg)
GPP (CONTINUED)
• May 13, 2014 – MS14-025
• Passwords of accounts set by GPP are trivially decrypted!
• …by ANY authenticated user on the domain
• Located in groups.xml file on SYSVOL
https://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be.aspx
http://blogs.technet.com/b/srd/archive/2014/05/13/ms14-025-an-update-for-group-policy-preferences.aspx
https://dirteam.com/sander/2014/05/23/security-thoughts-passwords-in-group-policy-preferences-cve-2014-1812/
![Page 13: Pentest Apocalypse](https://reader033.fdocuments.in/reader033/viewer/2022052509/55a8a7f21a28abc5508b47b7/html5/thumbnails/13.jpg)
GPP (WHAT DOES THE PATCH DO?)
• MS14-025 removes the ability to create local accounts with GPP
• Doesn’t remove previous entries!
• You need to manually delete these accounts
![Page 14: Pentest Apocalypse](https://reader033.fdocuments.in/reader033/viewer/2022052509/55a8a7f21a28abc5508b47b7/html5/thumbnails/14.jpg)
GPP (SUMMARY)
• First thing I check for on an internal assessment
• Almost always find an admin password here
• Find it with:
• PowerSploit - Get-GPPPassword
• Metasploit GPP Module
• Or…
C:\>findstr /S cpassword %logonserver%\sysvol\*.xml
https://github.com/mattifestation/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1
http://www.rapid7.com/db/modules/post/windows/gather/credentials/gpp
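A defender-side version of the findstr check above, as an added example that is not part of the talk or its checklist: it walks a copy of SYSVOL and reports every preference entry that still carries a cpassword attribute, which is what has to be deleted by hand after MS14-025. The Groups.xml content, GUIDs and ciphertext are constructed placeholders.

```python
"""Audit a SYSVOL copy for GPP entries that still carry a cpassword."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed Groups.xml in the shape GPP writes; GUIDs and ciphertext are
# placeholders, not real values.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{PLACEHOLDER-GROUPS-CLSID}">
  <User clsid="{PLACEHOLDER-USER-CLSID}" name="localadmin" uid="{UID-1}">
    <Properties action="U" userName="localadmin" acctDisabled="0"
                cpassword="PLACEHOLDER_CIPHERTEXT_NOT_REAL"/>
  </User>
  <User clsid="{PLACEHOLDER-USER-CLSID}" name="svc_nopw" uid="{UID-2}">
    <Properties action="U" userName="svc_nopw" acctDisabled="0"/>
  </User>
</Groups>
"""

def find_cpassword_entries(sysvol_root):
    """Return (path, element tag, userName) for every element under
    sysvol_root whose XML carries a cpassword attribute. Groups, Services,
    ScheduledTasks, DataSources, Drives and Printers files can all hold one,
    so match on the attribute, not the file or element name."""
    findings = []
    for dirpath, _, files in os.walk(sysvol_root):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                continue  # malformed file: skip it rather than abort the audit
            for elem in root.iter():
                if "cpassword" in elem.attrib:
                    findings.append((path, elem.tag,
                                     elem.attrib.get("userName", "<none>")))
    return findings

def demo():
    """Build a throwaway SYSVOL-like tree, audit it, return (tag, user) pairs."""
    with tempfile.TemporaryDirectory() as sysvol:
        gpo = os.path.join(sysvol, "Policies", "{GPO-GUID}", "Machine",
                           "Preferences", "Groups")
        os.makedirs(gpo)
        with open(os.path.join(gpo, "Groups.xml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_GROUPS_XML)
        return [(tag, user) for _, tag, user in find_cpassword_entries(sysvol)]
```

Point find_cpassword_entries at a mounted \\domain\SYSVOL share (or an offline copy) to get the real list; the account without a cpassword is correctly ignored.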
![Page 15: Pentest Apocalypse](https://reader033.fdocuments.in/reader033/viewer/2022052509/55a8a7f21a28abc5508b47b7/html5/thumbnails/15.jpg)
WIDESPREAD LOCAL ADMINISTRATOR ACCOUNT
• Makes it easy to pivot from workstation to workstation
• Using creds found via GPP:
• SMB_Login Metasploit Module
http://www.rapid7.com/db/modules/auxiliary/scanner/smb/smb_login
![Page 16: Pentest Apocalypse](https://reader033.fdocuments.in/reader033/viewer/2022052509/55a8a7f21a28abc5508b47b7/html5/thumbnails/16.jpg)
WIDESPREAD LOCAL ADMIN (CONTINUED)
• What’s next?
• Hunt for Domain Admins – JoeWare NetSess, Veil-PowerView UserHunter
• PsExec_psh Metasploit Module
• RDP?
• If we don’t have cleartext creds:
• Pass-the-hash
http://www.joeware.net/freetools/tools/netsess/index.htm
https://www.veil-framework.com/hunting-users-veil-framework/
http://www.rapid7.com/db/modules/exploit/windows/smb/psexec_psh
![Page 17: Pentest Apocalypse](https://reader033.fdocuments.in/reader033/viewer/2022052509/55a8a7f21a28abc5508b47b7/html5/thumbnails/17.jpg)
PASSWORDS
• Default Passwords
• admin:admin
• tomcat:tomcat
• Pwnedlist
• Credentials from previous data breaches
• Default 8 character password policy?
• Password spraying
http://splashdata.com/press/worst-passwords-of-2014.htm
![Page 18: Pentest Apocalypse](https://reader033.fdocuments.in/reader033/viewer/2022052509/55a8a7f21a28abc5508b47b7/html5/thumbnails/18.jpg)
PASSWORD SPRAYING
• Domain locks out accounts after a certain number of failed logins
• Can’t brute force a single user’s password
• Solution:
• Try a number of passwords less than the domain lockout policy against EVERY account in the domain
![Page 19: Pentest Apocalypse](https://reader033.fdocuments.in/reader033/viewer/2022052509/55a8a7f21a28abc5508b47b7/html5/thumbnails/19.jpg)
PASSWORD SPRAYING (CONTINUED)
• Lockout Policy = Threshold of five
• Let’s try three or four passwords
• What passwords do we try?
• Password123
• Companyname123
• Etc.
@FOR /F %n in (users.txt) DO @FOR /F %p in (pass.txt) DO @net use \\DOMAINCONTROLLER\IPC$ /user:DOMAIN\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete \\DOMAINCONTROLLER\IPC$ > NUL
http://www.lanmaster53.com/
https://github.com/lukebaggett/powerspray
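The spray pattern on the two slides above is what a detection rule should key on: one source producing a few failures each against many accounts, all kept under the lockout threshold, which a per-account lockout never sees. The following is an added example, not from the talk, that classifies sources over constructed, simplified 4625-style failed-logon lines (the format, hosts and users are made up).

```python
"""Flag the password-spray pattern in failed-logon records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4625-style failed-logon lines (time, event, source, account).
SAMPLE_LOG = """\
2015-06-01T09:00:01 4625 src=10.1.1.50 user=alice
2015-06-01T09:00:02 4625 src=10.1.1.50 user=bob
2015-06-01T09:00:02 4625 src=10.1.1.50 user=carol
2015-06-01T09:00:03 4625 src=10.1.1.50 user=dave
2015-06-01T09:00:04 4625 src=10.1.1.50 user=erin
2015-06-01T09:03:00 4625 src=10.1.1.77 user=alice
2015-06-01T09:03:01 4625 src=10.1.1.77 user=alice
2015-06-01T09:03:02 4625 src=10.1.1.77 user=alice
2015-06-01T09:03:03 4625 src=10.1.1.77 user=alice
2015-06-01T09:03:04 4625 src=10.1.1.77 user=alice
2015-06-01T09:10:00 4625 src=10.1.1.90 user=gina
"""

def parse(log):
    """Yield (time, src, user) for each 4625 line."""
    for line in log.splitlines():
        ts, event, src, user = line.split()
        if event == "4625":
            yield (datetime.fromisoformat(ts), src.split("=", 1)[1],
                   user.split("=", 1)[1].lower())

def classify_sources(log, window=timedelta(minutes=5), min_accounts=5,
                     lockout_threshold=5):
    """Per source, count failures per account in the window after that
    source's first failure. Many accounts each under the lockout threshold
    is a spray; one account at/over the threshold is plain brute force."""
    by_src = defaultdict(list)
    for t, src, user in parse(log):
        by_src[src].append((t, user))
    verdicts = {}
    for src, events in by_src.items():
        events.sort()
        per_user = defaultdict(int)
        for t, user in events:
            if t - events[0][0] <= window:
                per_user[user] += 1
        busiest = max(per_user.values())
        if len(per_user) >= min_accounts and busiest < lockout_threshold:
            verdicts[src] = "password-spray"
        elif busiest >= lockout_threshold:
            verdicts[src] = "brute-force"
        else:
            verdicts[src] = "benign"
    return verdicts
```

Set lockout_threshold to the domain's actual policy and min_accounts to something well above the number of accounts a single workstation legitimately fails against; a source that stays under the threshold on every account is exactly the one the lockout policy alone will miss.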
![Page 20: Pentest Apocalypse](https://reader033.fdocuments.in/reader033/viewer/2022052509/55a8a7f21a28abc5508b47b7/html5/thumbnails/20.jpg)
PASSWORD SPRAYING (CONTINUED)
![Page 21: Pentest Apocalypse](https://reader033.fdocuments.in/reader033/viewer/2022052509/55a8a7f21a28abc5508b47b7/html5/thumbnails/21.jpg)
PASSWORDS (CONTINUED)
• Increase password length
• Don’t make ridiculous policies
• Remember… correcthorsebatterystaple
• Check PwnedList
• Password spray
http://xkcd.com/936/
![Page 22: Pentest Apocalypse](https://reader033.fdocuments.in/reader033/viewer/2022052509/55a8a7f21a28abc5508b47b7/html5/thumbnails/22.jpg)
OVERPRIVILEGED USERS
• Are your standard users already local admins?
• This takes out a major step of privilege escalation
• Only grant admin access where necessary, not globally
![Page 23: Pentest Apocalypse](https://reader033.fdocuments.in/reader033/viewer/2022052509/55a8a7f21a28abc5508b47b7/html5/thumbnails/23.jpg)
OVERPRIVILEGED USERS (OTHER HOSTS)
• Scenario:
• Unprivileged user wants to run some software on their system
• User calls helpdesk
• Helpdesk attempts to get it working for the user
• Fails
• Decides adding “Domain Users” group to the local administrators group is a good idea
![Page 24: Pentest Apocalypse](https://reader033.fdocuments.in/reader033/viewer/2022052509/55a8a7f21a28abc5508b47b7/html5/thumbnails/24.jpg)
OVERPRIVILEGED USERS (OTHER HOSTS)
• This means EVERY domain user is now an administrator of that system
• Veil-PowerView Invoke-FindLocalAdminAccess
• Veil-PowerView Invoke-ShareFinder
http://www.harmj0y.net/blog/penetesting/finding-local-admin-with-the-veil-framework/
![Page 25: Pentest Apocalypse](https://reader033.fdocuments.in/reader033/viewer/2022052509/55a8a7f21a28abc5508b47b7/html5/thumbnails/25.jpg)
WHAT INFORMATION CAN YOU LEARN FROM USERS ON THE NETWORK?
![Page 26: Pentest Apocalypse](https://reader033.fdocuments.in/reader033/viewer/2022052509/55a8a7f21a28abc5508b47b7/html5/thumbnails/26.jpg)
FILES ON SHARES
• Sensitive files on shares?
• Find them with more PowerView awesomeness…
• Use list generated by ShareFinder with FileFinder
• FileFinder will find files with the following strings in their title:
• ‘*pass*’, ‘*sensitive*’, ‘*admin*’, ‘*secret*’, ‘*login*’, ‘*unattend*.xml’, ‘*.vmdk’, ‘*creds*’, or ‘*credential*’
https://www.veil-framework.com/hunting-sensitive-data-veil-framework/
![Page 27: Pentest Apocalypse](https://reader033.fdocuments.in/reader033/viewer/2022052509/55a8a7f21a28abc5508b47b7/html5/thumbnails/27.jpg)
INFORMATION DISCLOSURE ON INTRANET
• Knowledge Bases are helpful to employees… and attackers
• Helpdesk tickets
• How-to articles
• Emails
• Search functionality is our best friend
• Search for <insert critical infrastructure name, sensitive data type, or ‘password’>
![Page 28: Pentest Apocalypse](https://reader033.fdocuments.in/reader033/viewer/2022052509/55a8a7f21a28abc5508b47b7/html5/thumbnails/28.jpg)
NETBIOS AND LLMNR POISONING
• LLMNR = Link-Local Multicast Name Resolution
• NBT-NS = NetBIOS over TCP/IP Name Service
• Both help hosts identify each other when DNS fails
http://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning
![Page 29: Pentest Apocalypse](https://reader033.fdocuments.in/reader033/viewer/2022052509/55a8a7f21a28abc5508b47b7/html5/thumbnails/29.jpg)
NETBIOS AND LLMNR (CONTINUED)
• SpiderLabs Responder
• Poisons NBT-NS and LLMNR
• The result is we obtain NTLM challenge/response hashes
• Crack hashes
https://github.com/Spiderlabs/Responder
https://www.trustwave.com/Resources/SpiderLabs-Blog/Introducing-Responder-1-0/
![Page 30: Pentest Apocalypse](https://reader033.fdocuments.in/reader033/viewer/2022052509/55a8a7f21a28abc5508b47b7/html5/thumbnails/30.jpg)
LOCAL WORKSTATION PRIVILEGE ESCALATION
• PowerUp!
• Another awesome Veil tool
• Invoke-AllChecks looks for potential privilege escalation vectors
http://www.verisgroup.com/2014/06/17/powerup-usage/
![Page 31: Pentest Apocalypse](https://reader033.fdocuments.in/reader033/viewer/2022052509/55a8a7f21a28abc5508b47b7/html5/thumbnails/31.jpg)
SUMMARY (10 COMMON ISSUES)
• 1. Missing Patches
• 2. Group Policy Preference Passwords
• 3. Widespread Local Administrator Accounts
• 4. Weak Password Policy
• 5. Overprivileged Users (admin of local host)
• 6. Overprivileged Users (admin of other hosts)
• 7. Sensitive Files on Shares
• 8. Information Disclosure on Intranet Sites
• 9. NetBIOS and LLMNR Poisoning
• 10. Local Workstation Privilege Escalation
![Page 32: Pentest Apocalypse](https://reader033.fdocuments.in/reader033/viewer/2022052509/55a8a7f21a28abc5508b47b7/html5/thumbnails/32.jpg)
NOW TO PREP YOUR PENTEST BUG OUT BAG
![Page 33: Pentest Apocalypse](https://reader033.fdocuments.in/reader033/viewer/2022052509/55a8a7f21a28abc5508b47b7/html5/thumbnails/33.jpg)
TUNE DETECTION DEVICES
• Test your network security devices prior to a pentest for common pentester activities
• Meterpreter shells
• Portscans
• Password spraying
![Page 34: Pentest Apocalypse](https://reader033.fdocuments.in/reader033/viewer/2022052509/55a8a7f21a28abc5508b47b7/html5/thumbnails/34.jpg)
PERFORM EGRESS FILTERING
• Block outbound access except where needed
• Implement an authenticated web proxy and force all web traffic through it
![Page 35: Pentest Apocalypse](https://reader033.fdocuments.in/reader033/viewer/2022052509/55a8a7f21a28abc5508b47b7/html5/thumbnails/35.jpg)
THINGS THAT MAKE OUR JOB HARD
• Application Whitelisting
• Disabling PowerShell
• Network Access Control
• Network segmentation
• Fixing the items mentioned earlier
![Page 36: Pentest Apocalypse](https://reader033.fdocuments.in/reader033/viewer/2022052509/55a8a7f21a28abc5508b47b7/html5/thumbnails/36.jpg)
THINGS NOT TO DO DURING A PENTEST
• Inform your teams that the test is happening
• Monitor, but don’t interfere during a pentest
• Enforce different policies on the pentester than “normal” users
• Alert users to an upcoming phishing test
![Page 37: Pentest Apocalypse](https://reader033.fdocuments.in/reader033/viewer/2022052509/55a8a7f21a28abc5508b47b7/html5/thumbnails/37.jpg)
PENTEST PREPARATION GUIDE
![Page 38: Pentest Apocalypse](https://reader033.fdocuments.in/reader033/viewer/2022052509/55a8a7f21a28abc5508b47b7/html5/thumbnails/38.jpg)
PENTEST PREP GUIDE
• May help organizations prepare for an upcoming penetration test
• Details of the 10 issues I talked about today
• How to identify
• How to remediate
![Page 39: Pentest Apocalypse](https://reader033.fdocuments.in/reader033/viewer/2022052509/55a8a7f21a28abc5508b47b7/html5/thumbnails/39.jpg)
CHECKLIST!
![Page 40: Pentest Apocalypse](https://reader033.fdocuments.in/reader033/viewer/2022052509/55a8a7f21a28abc5508b47b7/html5/thumbnails/40.jpg)
DOWNLOAD HERE
http://bit.ly/1FF33nH
![Page 41: Pentest Apocalypse](https://reader033.fdocuments.in/reader033/viewer/2022052509/55a8a7f21a28abc5508b47b7/html5/thumbnails/41.jpg)
QUESTIONS?
• Contact me
• Personal - [email protected]
• Work – [email protected]
• Twitter - @dafthack
• Blog – www.dafthack.com