TIM MEDIN - redsiege.com
TIM MEDIN
Principal Consultant, Founder – Red Siege
SANS Leach Author – 560
SANS Instructor – 560, 660
IANS Faculty
SANS MSISE Program Director
Pen Tester for more than a decade
3
CONTENTS
01 TRADITIONAL PEN: A look at the traditional penetration tests and their limitations
02 MODERN ATTACKS: What is happening in the real world
03 RISK FOCUS: The goals are always business focused, not technical
04 ASSUMED BREACH: How to get the best value out of your assessments
PART 01: TRADITIONAL INTERNAL PEN
What have we been doing?
TRADITIONAL INTERNAL PEN TEST
Overview of the traditional internal penetration test
PLUG IN TO INTERNAL NETWORK: Drop a laptop on the network and perform testing
SCAN: Fire up the vulnerability scanner and let 'er rip
EXPLOIT: Cross-reference exploits with vulns, press go. Likely password guessing here too
TRADITIONAL INTERNAL PEN TEST
Assumptions: Given X, what do we know to be true?
PLUG IN TO INTERNAL NETWORK: Adversary has their device on the network. No credentials and no access
SCAN: Initial compromise via exposed network service
EXPLOIT: Access via known exploit. Password is escalation/pivot
PART 02: THE ATTACKERS
We must look at the attacker's actions and techniques to better model them
INSIDERS VS OUTSIDERS
30% INSIDERS
70% OUTSIDERS
Source: 2020 DBIR Executive Brief https://enterprise.verizon.com/resources/executivebriefs/2020-dbir-executive-brief.pdf
TOP THREAT ACTIONS
Top threat action varieties in breaches
1. Phishing
2. Use of Stolen Creds
'It is not what is on top that’s interesting (we already know “Social—Phishing” and “Hacking— Use of stolen creds” are good ways to start a breach…' (p33)
Source: 2020 DBIR https://enterprise.verizon.com/resources/reports/2020-data-breach-investigations-report.pdf
TOP THREAT ACTIONS
In the top two cases, the attacker is effectively starting with access
Source: 2020 DBIR https://enterprise.verizon.com/resources/reports/2020-data-breach-investigations-report.pdf
PHISHING STATISTICS
78% NEVER CLICK A PHISH
65% PHISHING INCREASE
4% PHISHED PER CAMPAIGN
Sources: 2017 PhishMe Enterprise Phishing Resiliency and Defense Report; 2018 Verizon DBIR
BREACH ACTIONS
FireEye Blog lays out a likely real-world attack scenario
1. Phishing
2. Pivot to internal through remote access
3. Targeted Kerberoasting => elevation of privilege
4. Access high-value targets
https://www.fireeye.com/blog/threat-research/2019/04/finding-weaknesses-before-the-attackers-do.html
PART 03: RISK FOCUS
We must focus on the business risk
BUSINESS RISK
What is your most critical data or process?
Stolen / Leaked / Destroyed
GOAL FOCUSED
NEVER ASSUME: Ask the dumb question
“I can guess, but I don’t like to be wrong, so can you describe for me what data or process if lost, destroyed, stolen, or leaked would cause the greatest damage to your organization?”
DOMAIN ADMIN: A TOOL, NOT A DESTINATION
Sensitive data can be compromised without administrative access
Privileged access is a tool, not a destination. It can be used to access sensitive data and put the vulnerabilities into context.
Vulnerabilities always have a context!
PART 04: ASSUMED BREACH
Assume that some defenses failed. Assume a bad actor gets on the network
MAKING GOOD DECISIONS
BE LESS CERTAIN: Overconfidence is a significant bias. “But AgentY or ServiceZ will catch this attack!” But what if it doesn’t?
THINK PROBABILISTICALLY: Some basic math will not kill you
ASK “HOW OFTEN DOES THIS TYPICALLY HAPPEN?”: How often are these types of attacks successful? “Here? Never!” Everywhere else but us!
Source: Harvard Business Review, 3 Ways to Improve Your Decision Making https://hbr.org/2018/01/3-ways-to-improve-your-decision-making
ACCESS VIA 0-DAY
Focusing on defending against initial access is a bit misguided
It focuses on the shell of the egg, not the yolk
There are more efficient ways to test many of these protections and detection methods
What are you actually trying to test?
What if the red team doesn't get in?
ACCESS VIA 0-DAY
Do you really need a "Red Team" or do you just want the buzzword?
It can take time for a red team to get initial access
One team trying to get in vs all the bad guy teams
Zero-day focus is expensive and changes very quickly
Do you want to spend money on this or something else?
Attackers are still getting in and they often have access for 5-6 months
Let's assume they are in, now what!
I'm not against Red Teams (I love 'em!) but we need to use the right tool for the job
ASSUMED BREACH
Assume a common compromise scenario and then look for sensitive info
Assume access via common mechanism: Phishing on end-user system? Command injection on web server?
Focus on the data: Every user has access to data. Is the sensitive data already accessible before escalation? Is it freely available on shares?
Assume the attacker has internal access: Insider? Phish? Drive by?
Attacker has authenticated access: Credential stuffing? Phish? Access on end-user system?
PWNAGE WITHOUT DA
redsiege.com/goal
NETWORK SHARES
Look at the available shares
PowerView (dev branch) has a lot of useful modules for finding data on the network
http://redsiege.com/slides#abm - Talk by Mike Saunders
https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
Shortlink: https://www.redsiege.com/powerview
POWERVIEW
Find-InterestingDomainShareFile: Finds (non-standard) shares on hosts in the local domain
PS C:\> Find-InterestingDomainShareFile
ComputerName: Can be a single name or a list with @('comp1', 'comp2', 'comp3') (optional)
SharePath: Specifies one or more specific share paths to search, in the form \\COMPUTER\Share
ExcludedShares: Specifies share paths to exclude, default of C$, Admin$, Print$, IPC$.
Credential: Alternate credentials for connection
OfficeDocs: Switch to search for office documents (docx, xlsx, pptx, ..)
PWNAGE WITHOUT DA
https://adsecurity.org/?p=2288
POWERSPLOIT
Get-GPPPassword: Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences
PS C:\> Get-GPPPassword
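As an added defensive example (not from the slides or from PowerSploit), the script below is the audit counterpart of Get-GPPPassword: it walks a SYSVOL copy and reports every Group Policy Preferences item that still carries a cpassword attribute, without decrypting anything. The Groups.xml sample is constructed, and the list of GPP file names it checks is an assumption drawn from the preference types that can embed credentials.

```python
"""Audit Group Policy Preferences XML in SYSVOL for leftover cpassword values.

Added example, not from the slides or PowerSploit: the defensive counterpart of
Get-GPPPassword. It decrypts nothing, it only lists GPP items that still carry
a cpassword attribute so the offending GPO can be cleaned up.
"""
import os
import xml.etree.ElementTree as ET

# GPP file names that can embed credentials (assumed list, not exhaustive).
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Printers.xml", "Drives.xml"}

# Constructed Groups.xml sample in the GPP schema; the cpassword is dummy data.
SAMPLE_GROUPS_XML = """<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="LocalAdmin"
        changed="2019-03-01 10:00:00" uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="U" userName="LocalAdmin"
        cpassword="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
        changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"/>
  </User>
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Helpdesk"
        changed="2019-03-01 10:00:00" uid="{00000000-0000-0000-0000-000000000002}">
    <Properties action="U" userName="Helpdesk" cpassword="" changeLogon="0"/>
  </User>
</Groups>
"""


def find_cpassword_entries(xml_text, source="<string>"):
    """Return one finding per GPP item whose Properties carry a non-empty cpassword."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:          # a malformed GPP file is itself worth a look
        return [{"source": source, "error": str(exc)}]
    findings = []
    for item in root:                     # one <User>, <Service>, <Task>, ... per item
        for props in item.iter():
            if props.get("cpassword"):    # cpassword="" means no stored credential
                findings.append({
                    "source": source,
                    "item": item.get("name", item.tag),
                    "account": (props.get("userName") or props.get("accountName")
                                or props.get("runAs") or ""),
                })
    return findings


def audit_sysvol(sysvol_root):
    """Walk a SYSVOL copy (for example a mounted \\\\dc\\SYSVOL) and audit each GPP file."""
    findings = []
    for dirpath, _, files in os.walk(sysvol_root):
        for name in files:
            if name in GPP_FILES:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8-sig") as fh:
                    findings.extend(find_cpassword_entries(fh.read(), path))
    return findings
```

Any finding means a credential is still recoverable by every domain user who can read SYSVOL; the fix is to remove the preference item and rotate the account, not to hide the file.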
POWERVIEW
Invoke-Kerberoast: Requests service tickets for kerberoast-able accounts and returns extracted ticket hashes
PS C:\> Invoke-Kerberoast -OutputFormat HashCat
OutputFormat: John [the Ripper] or Hashcat
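An added detection example (not from the slides or from PowerView): a Kerberoast run shows up on the domain controller as a burst of Security event 4769 records from one requesting account, for many distinct service names, with RC4 (etype 0x17). The function below finds that pattern in constructed 4769 records; the window and threshold are assumptions to tune per environment.

```python
"""Spot a Kerberoast burst in Windows Security event 4769 records.

Added example, not from the slides or PowerView. Invoke-Kerberoast asks the
KDC for a service ticket for every SPN-bearing account, typically with RC4
(etype 0x17) because that hash cracks faster. On the DC that leaves a burst
of 4769 events: one requesting account, many distinct services, RC4.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"   # TicketEncryptionType value for RC4-HMAC in event 4769

# Constructed 4769 records, not real logs:
# (time, requesting account, service name, ticket etype, status)
SAMPLE_4769 = [
    ("2020-06-01T09:00:01", "jsmith", "sql_svc", "0x17", "0x0"),
    ("2020-06-01T09:00:01", "jsmith", "http_svc", "0x17", "0x0"),
    ("2020-06-01T09:00:02", "jsmith", "backup_svc", "0x17", "0x0"),
    ("2020-06-01T09:00:02", "jsmith", "ops_svc", "0x17", "0x0"),
    ("2020-06-01T09:00:03", "jsmith", "WS01$", "0x17", "0x0"),     # machine account
    ("2020-06-01T09:00:03", "jsmith", "krbtgt", "0x17", "0x0"),    # TGT traffic
    ("2020-06-01T09:00:05", "jsmith", "sql_svc", "0x17", "0x1F"),  # failed request
    ("2020-06-01T09:01:00", "mjones", "sql_svc", "0x12", "0x0"),   # normal AES use
    ("2020-06-01T09:40:00", "mjones", "http_svc", "0x12", "0x0"),
    ("2020-06-01T11:00:00", "jsmith", "sql_svc", "0x17", "0x0"),   # outside window
]


def parse_events(rows):
    """Turn the tuple records into dicts with a real datetime."""
    return [{"time": datetime.fromisoformat(t), "account": a, "service": s,
             "etype": e, "status": st} for t, a, s, e, st in rows]


def kerberoast_alerts(events, window=timedelta(minutes=5), min_services=4):
    """Return {account: sorted service names} for every account that obtained RC4
    tickets for at least min_services distinct user-SPN services inside window.
    Window and threshold are assumed starting points; tune them per environment."""
    by_account = defaultdict(list)
    for ev in events:
        if ev["status"] != "0x0" or ev["etype"] != RC4_HMAC:
            continue                       # only successful RC4 ticket grants count
        if ev["service"].endswith("$") or ev["service"].lower() == "krbtgt":
            continue                       # machine accounts / TGT are not the target
        by_account[ev["account"]].append(ev)
    alerts = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):    # sliding window anchored on each event
            seen = {e["service"] for e in evs[i:]
                    if e["time"] - start["time"] <= window}
            if len(seen) >= min_services:
                alerts[account] = sorted(seen)
                break
    return alerts
```

The RC4 filter matters because a modern domain member that normally negotiates AES suddenly asking for RC4 tickets is itself a strong signal; service accounts with long random passwords and AES-only keys take the cracking payoff away.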
PWNAGE WITHOUT DA
Get the user list from AD, then spray. Better than just guessing usernames!
https://github.com/dafthack/DomainPasswordSpray
https://www.blackhillsinfosec.com/the-creddefense-toolkit/
DOMAINPASSWORDSPRAY
Invoke-DomainPasswordSpray: This module performs a password spray attack against users of a domain. By default it will automatically generate the userlist from the domain. Be careful not to lock out any accounts.
PS C:\> Invoke-DomainPasswordSpray -Password Winter2019
Password: A single password that will be used to perform the password spray
PasswordList: A list of passwords, one per line, to use for the password spray
OutFile: A file to output the results to
UsernameAsPassword: For each user, will try that user's name as their password
https://github.com/dafthack/DomainPasswordSpray
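An added detection example (not from the slides or from DomainPasswordSpray): a spray from one source fails once against many accounts, so per-account counts stay under the lockout threshold while the number of distinct accounts failing from that source is the signal. The function below groups constructed 4625-style failures by source and alerts on the distinct-account count; the window and minimum-user values are assumptions.

```python
"""Detect a password spray in Windows logon-failure records.

Added example, not from the slides or DomainPasswordSpray: a spray fails once
against many accounts (staying under the lockout threshold), so one source
producing failures for many distinct accounts is the signal, not per-account counts.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BAD_PASSWORD = "0xC000006A"   # 4625 SubStatus: wrong password, valid account
UNKNOWN_USER = "0xC0000064"   # 4625 SubStatus: account does not exist

# Constructed 4625-style records, not real logs: (time, source, target user, substatus)
SAMPLE_4625 = [
    ("2020-06-01T09:00:00", "10.0.0.50", "alice", BAD_PASSWORD),
    ("2020-06-01T09:00:01", "10.0.0.50", "bob", BAD_PASSWORD),
    ("2020-06-01T09:00:01", "10.0.0.50", "carol", BAD_PASSWORD),
    ("2020-06-01T09:00:02", "10.0.0.50", "dave", BAD_PASSWORD),
    ("2020-06-01T09:00:02", "10.0.0.50", "erin", BAD_PASSWORD),
    ("2020-06-01T09:00:03", "10.0.0.50", "frank", BAD_PASSWORD),
    ("2020-06-01T09:00:03", "10.0.0.50", "grace", BAD_PASSWORD),
    ("2020-06-01T09:00:04", "10.0.0.50", "heidi", BAD_PASSWORD),
    ("2020-06-01T09:00:05", "10.0.0.50", "ivan", BAD_PASSWORD),
    ("2020-06-01T09:00:05", "10.0.0.50", "judy", BAD_PASSWORD),
    ("2020-06-01T09:03:00", "10.0.0.77", "alice", BAD_PASSWORD),   # one user, typos
    ("2020-06-01T09:03:10", "10.0.0.77", "alice", BAD_PASSWORD),
    ("2020-06-01T09:04:00", "10.0.0.88", "zed", UNKNOWN_USER),     # not a spray hit
]


def parse_failures(rows):
    """Turn the tuple records into dicts with a real datetime."""
    return [{"time": datetime.fromisoformat(t), "source": s, "user": u, "status": st}
            for t, s, u, st in rows]


def spray_alerts(failures, window=timedelta(minutes=10), min_users=8):
    """Per source, slide a window over bad-password failures and alert when the
    distinct target accounts in it reach min_users. Returns
    {source: {"users": n, "attempts": n, "max_per_user": n}}; a max_per_user of
    1 or 2 across many accounts is the spray signature. Thresholds are assumed."""
    by_source = defaultdict(list)
    for f in failures:
        if f["status"] == BAD_PASSWORD:    # sprays use real names pulled from AD
            by_source[f["source"]].append(f)
    alerts = {}
    for source, evs in by_source.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            per_user = defaultdict(int)
            for e in evs[i:]:
                if e["time"] - start["time"] <= window:
                    per_user[e["user"]] += 1
            if len(per_user) >= min_users:
                alerts[source] = {"users": len(per_user), "attempts": sum(per_user.values()),
                                  "max_per_user": max(per_user.values())}
                break
    return alerts
```

Kerberos-based sprays land in event 4771 with failure code 0x18 rather than in 4625; the same grouping by source over distinct target accounts applies there.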
ABUSING MAILBOX PERMS
https://www.blackhillsinfosec.com/abusing-exchange-mailbox-permissions-mailsniper/
OPENINBOXFINDER
Invoke-OpenInboxFinder: This module will connect to a Microsoft Exchange server using Exchange Web Services and check mailboxes to determine if the current user has permissions to access them
PS C:\> Invoke-OpenInboxFinder -EmailList email-list.txt
EmailList: List of email addresses, one per line, to check permissions on
Remote: Will prompt for credentials for use with connecting to a remote server such as Office365 or an externally facing Exchange server
https://github.com/dafthack/MailSniper