Why other pen-tests suck ! (not hating)
• External – Unless you're SE'ing someone it's pretty boring. (nessus/qualys grepping human thou art l33t)
• Web Apps – Unless you get SQLi or file upload or good business logic bugs. (Oh burp scanning/intruder ninja thou art l33t)
• Mobile – Fun unlimited but limited by small threat surface
Internal Pen-Tests
• SHELLS! SHELLS! SHELLS! – Oh beautiful Shellness!
• Nothing beats the joy of popping a box !
• If Local Admin get Domain admin – always a new challenge !
• Data – Oh delicious customer data !
• Mad respect from client
  “More pen-tests…more monnneeyyy” – Hans Michael Varbaek
Why we still own Internal Networks • Weak passwords – Welcome1 still works in 2013
Why we still own Internal Networks • No patching – MS08-067 still works in 2013
Why we still own Internal Networks • No access controls – RDP/SSH anywhere
Easy Pwnage
• This stuff still works not because you're l33t but because your customer is clueless about securing stuff.
– Password attacks
• SMB bruteforce from list of domain users (null sessions or using a compromised host that gave you a domain user cred)
• ^ check the password policy before going haywire.
• SSH, MSSQL etc (sa,sa still works in 2013)
• Metasploit auxiliary modules / Nmap scripts are your best friend. (you know most of the good ones r8 ?)
• Run all of them if you've got time. You never know how low the fruit is hanging unless you bend down.
• Nessus/Qualys generally are pretty bad at bruteforcing stuff.
• Use intelligent word lists – mix in the company name
Easy Pwnage – Not Patching
• Any vulnerable software that Qualys/Nessus finds - if metasploit has a module for it = easy win.
– Web consoles (I like these – find them all the time!)
• JBoss JMX consoles (set up shell.war and invoke)
• Tomcat manager (deploy shell.war)
– These usually run as SYSTEM on a windows box.
• Any file upload from a web app that is internal (Don't waste time on this, if you do see something interesting have a poke)
– GPO cpassword (Group Policy Preference XML)
• post/windows/gather/credentials/gpp – base64-decode and then decrypt using the MS provided public AES key
• Most likely the local administrator password (re-used across all hosts that were deployed with GPPs)
Why are we doing all this anyway ??
• Get sensitive data and show the customer the real risk of allowing “Mr.Evil” to connect to their internal network
– Hunting for data :
• Local admin -> Domain Admin -> Search for data everywhere (usually databases – unless they're really stupid and store it in unencrypted flat files)
Lesson learnt – Some clients don't even know what data is important to them. - CEO's Mailbox is a good start
Super Secure Customer
• Everything is patched
• Super random awesomely strong passwords
• Apps are securely coded – no SQLi and no file upload
• AV everywhere – I mean everywhere
• ^ AV can't be turned off unless you provide a password
• OMG ! – I should quit pen-testing.
Responder
• Developed by Laurent Gaffié (Trustwave)
• LLMNR and NBT-NS poisoning (Google what this is)
– If DNS and the hosts file fail, the tool yells out saying I'll resolve that for you and then steals your creds !
– DEMO
– Hashes can be cracked via John or can be relayed: http://pen-testing.sans.org/blog/pen-testing/2013/04/25/smb-relay-demystified-and-ntlmv2-pwnage-with-python
Responder
• Tons of other features – Google “responder trustwave”
– Does ICMP re-direct (this is effing awesome – but only works for anything older than Vista/2k8)
– Abuse WPAD (Another kool feature)
– HTTP, FTP module.
• Make sure you are on a workstation subnet for maximum hits.
OK – THAT DIDN'T WORK ?? • Give up and go home ??
I SAY NO ! • Meet the angry, I will pwn you pentester !
Get your Ducky on
• HID USB thingy that has a small programmable chip.
• When a user leaves their desktop/laptop unlocked run and connect. (or walk if you're not that enthusiastic)
• Quickly add user, enable rdp, grab password hashes, system info etc and ship to your ftp server. (whatever privs the user has – ducky has)
• Easy to write scripts – write, compile with java, load onto Ducky.
• ^ Way easier than teensy – Although teensy can be used in stealth/SE tactics. Teensy inside mouse, teensy inside keyboard etc.
DUCKY DEMO • If it quacks like a duck – it must be a duck • Video
SAFE PASSWORD DUMPING
• Old school password dumping tools get picked up by AV (cain, pwdump etc)
• New ones are getting picked up as well (WCE, mimikatz etc)
– These two can dump plain-text passwords from memory.
• Disable AV ?
• What if AV can only be disabled using a password ?
SAFE PASSWORD DUMPING
• You don't have to disable AV or trigger it.
• Procdump from sysinternals
– C:\windows\temp\procdump.exe -accepteula -ma lsass.exe C:\windows\temp\lsassdump.dmp
– Mimikatz can then chew the .dmp file and spit out passwords in clear text.
SAFE PASSWORD DUMPING
• Some old methods still work and don't get picked up by AV – hashes from hives:
• Reg copy (C:\>reg.exe save HKLM\SAM sam)
• Shadow volume copy (good to grab NTDS)
• ^ Ops guys now do check logs for shadow volume copies and so I'd recommend using SAMEX. (http://www.josho.org/blog//blog/2013/03/07/samex/)
Searching for Domain Admin
• So you popped a few boxes - got some hashes
• What now ?
• If one of those boxes :
– had a domain admin logged in – you have his password in plain-text or got his hash -> game over.
– had a service running as domain admin – move to process, pop shell -> game over.
• Shares the same local administrator password across the network.
– Spray the hash and look for boxes with processes running as domain admin.
Searching for Domain Admin
#!/bin/sh
# loop over the host list and look for a process running as domain admin
for ip in $(cat ip.txt); do
  ./winexe -U Administrator%passwordhash //$ip "ipconfig"
  ./winexe -U Administrator%passwordhash //$ip "tasklist /v"
done
• ^ Metasploit module auxiliary/admin/smb/psexec_command also works. Do not use windows/smb/psexec as this uploads an exe to the box and will trigger AV.
• Log in to the box running the domain admin process – dump the hash or read it from lsass as plain text.
• Replay the hash or log in as domain admin over RDP etc.
• Game over.
– Pro Stealth tip : Once you get a domain admin shell DO NOT CREATE a new domain admin user.
• This will trigger Ops as a lot of organisations are alerted if a new domain administrator is created.
Looting
• Go after SQL servers – you should have a list of these from your scans
• Shares – Yes people still store heaps of confidential stuff unencrypted in shares
• Have you guys seen Firefox PTH ? – All ur OWA and sharepoint r belong 2 us !
• Metasploit – post exploitation modules – store loot in the MSF DB for grepping later.
Mitigations
• You can't really stop a determined attacker
• There are just way too many ways you could get hacked
• Best bet is to detect
• Check anomalies – New user creation (DA etc), Local admin logons, AV pickups etc
• User education
• Google's new n/w architecture – All zones are untrusted (Not a bad idea eh ?)
• Obvious old school protections should still apply – Patching, strong passwords, access controls etc
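Added example (not from the slides): a small detector for the anomalies the Mitigations slide says to watch, run over constructed Windows event records. The event IDs and logon types are the documented Microsoft values; the "key=value" line format, the AV service name and the spray threshold are assumptions made here.

```python
import shlex
from collections import defaultdict

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
AV_SERVICE = "AVService"        # assumed display name of the endpoint AV service
SPRAY_THRESHOLD = 3             # one source using one account on this many hosts


def parse_event(line):
    """'<event_id> key=value ...' (constructed format) -> (event_id, fields)."""
    event_id, _, rest = line.strip().partition(" ")
    return int(event_id), dict(kv.split("=", 1) for kv in shlex.split(rest))


def detect(lines):
    """Return alert strings for: new accounts, privileged group additions,
    the built-in Administrator logging on to many hosts from one source
    (what a hash spray looks like from the log side), and a stopped AV service."""
    alerts = []
    admin_logons = defaultdict(set)          # (source, user) -> hosts logged on to
    for line in lines:
        eid, f = parse_event(line)
        if eid == 4720:                                      # user account created
            alerts.append(f"new account {f.get('target')} created by {f.get('subject')}")
        elif eid in (4728, 4732) and f.get("group") in PRIVILEGED_GROUPS:   # group add
            alerts.append(f"{f.get('member')} added to {f.get('group')} by {f.get('subject')}")
        elif eid == 4624 and f.get("user") == "Administrator" and f.get("type") in ("3", "10"):
            admin_logons[(f.get("source"), "Administrator")].add(f.get("host"))  # network/RDP logon
        elif eid == 7036 and f.get("service") == AV_SERVICE and f.get("state") == "stopped":
            alerts.append(f"AV service stopped on {f.get('host')}")
    for (src, user), hosts in admin_logons.items():
        if len(hosts) >= SPRAY_THRESHOLD:
            alerts.append(f"{user} logged on to {len(hosts)} hosts from {src} (spray?)")
    return alerts


SAMPLE_EVENTS = [  # constructed sample events, not real logs
    "4624 host=ws01 user=alice type=2 source=127.0.0.1",
    "4624 host=ws02 user=Administrator type=3 source=10.0.0.50",
    "4624 host=ws03 user=Administrator type=3 source=10.0.0.50",
    "4624 host=fs01 user=Administrator type=3 source=10.0.0.50",
    "7036 host=fs01 service=AVService state=stopped",
    "4720 subject=bob target=svc_backup",
    '4728 subject=bob member=svc_backup group="Domain Admins"',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```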
Testing “Pro” tips
• Don't leave any accounts you create on the customer's network – delete everything (Finding a DA account left by the pen-tester in the last engagement = fail)
• Bruteforce wisely – locking out an important service will not go down well with a customer (Bump down threads = increase stealth)
• Don't disable AV – Intelligent Ops are alerted if AV dies
• Wipe your VM after every pen-test – A clean slate to work on is so much better
• Snapshotting to have all your tools set-up and then reset also works
• Script for linux is your best friend
• Notes – always good for other eyes trying to read and understand what you did (doesn't even have to be fancy - Vi or notepad works)
• Videos for complex attacks – I'd highly recommend it (mind you this is gonna eat some disk space and sending this to a client might be difficult)
Music (Ignore slide if you don't listen to music)
• Meshuggah, Lamb of God and Tool - when ur feeling effing awesome and pwning like a baws
• Trying really hard for a breakthrough or fighting a problem – Really fast techno or dubstep
• When you lose it and wanna break your laptop – Vitamin String Quartet (trust me this works)
That's it
• Things I want to work on (any help will earn beers and respect):
– Write more ducky scripts (hopefully run faster and grab more stuff, reverse shell etc)
– Write post exploit modules (which can loot more efficiently)
– Set up a Pi that can do all this over 3/4g to be sent to the client so I can watch BSG and sip beer.
– Hope this helped. Google for anything that I may have not provided a link for or explained in detail
Blog: http://psychsec.wordpress.com/