Attack all the layers secure 360
INTRODUCTIONS
Scott Sutherland
Security Consultant @ NetSPI
Twitter: @_nullbind
Karl Fosaaen
Security Consultant @ NetSPI
Twitter: @kfosaaen
We specialize in both
things and stuff!
OVERVIEW
• Why do companies pen test?
• Attacking passwords
• Attacking protocols
• Attacking applications
• Bypassing AV
• Windows Escalation
• Conclusions
WHY DO COMPANIES PEN TEST?
• Compliance requirements
• Third party requests
• Identify unknown security gaps
• Validate existing security controls
• Prioritize existing security initiatives
• Prevent data breaches
PENETRATION TEST GOALS
• Identify and understand the impact of
vulnerabilities at the application, system, and
network layers
• Prioritize remediation
• Understand ability to detect and respond to
attacks
PENETRATION TEST OBJECTIVES
• *Complete client specific objectives
• Gain access to critical systems, sensitive data, and
application functionality
• Attack Surfaces
Applications
Networks
Servers
• Attack Categories
Configuration issues
Code vulnerabilities
Missing patches
OVERVIEW
• Attacking passwords
• Attacking protocols
• Attacking applications
• Bypassing AV
• Escalation
ATTACKING PASSWORDS
• Dictionary Attacks
• Dump Hashes and Crack
• Dump Hashes and PTH
• Impersonate
• Dump in Cleartext!
ATTACKING PASSWORDS
[Timeline graphic: 1997, 2000s, 2001, 2007, 2008, 2010, 2012]
ATTACKING PASSWORDS: DICTIONARY
• Dictionary Attacks
Enumerate users
- Null SMB logins, RPC, *SID BF,
SNMP, LDAP, SharePoint, etc
Attack!
• Are users getting smarter?
Sort of…
- “Spring2013” meets password
complexity requirements
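An added example (not from the slides) that shows why "Spring2013" is a problem: it scores a password against the usual 3-of-4 complexity rule and, separately, against the season/month/word + year + symbol shape that dictionary attacks try first. The minimum length and the word list are assumptions.

```python
import re
from typing import List, Optional, Tuple

# Assumed policy values: the classic Windows "complexity" rule (3 of 4
# character classes) with an 8-character minimum length.
MIN_LENGTH = 8

SEASONS = ("spring", "summer", "autumn", "fall", "winter")
MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")
COMMON_WORDS = ("password", "welcome", "changeme", "letmein", "qwerty")
WORDLIST = frozenset(SEASONS + MONTHS + COMMON_WORDS)

# Leetspeak substitutions so that "Spr1ng2013!" is judged like "Spring2013!".
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})

# <word><up to 4 digits><up to 3 symbols>: the shape of most compliant guesses.
_SHAPE = re.compile(r"^(?P<word>.+?)(?P<digits>\d{0,4})(?P<suffix>[^a-zA-Z0-9]{0,3})$")


def meets_complexity(password: str) -> bool:
    """True if the password passes the 3-of-4 class rule and the length floor."""
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return len(password) >= MIN_LENGTH and sum(classes) >= 3


def weak_pattern(password: str) -> Optional[str]:
    """Return the dictionary word the password is built on, or None.

    Catches the "<Season|Month|Word><year or counter><symbol>" family that
    satisfies the complexity rule yet sits at the top of every wordlist.
    """
    m = _SHAPE.match(password)
    if not m:
        return None
    word = m.group("word").lower()
    for candidate in (word, word.translate(_LEET)):
        if candidate in WORDLIST:
            return candidate
    return None


def audit(passwords: List[str]) -> List[Tuple[str, bool, Optional[str]]]:
    """Classify each password; the compliant-but-guessable bucket is the point."""
    return [(pw, meets_complexity(pw), weak_pattern(pw)) for pw in passwords]


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for pw, ok, weak in audit(["Spring2013", "Spr1ng2013!", "Welcome1!",
                               "Tr0ub4dor&3", "summer"]):
        verdict = "pass" if ok else "fail"
        print(f"{pw:14} complexity={verdict:4} pattern={weak}")
```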
ATTACKING PASSWORDS: CRACKING
• Dumping Hashes and Cracking
John
Rainbow Tables
oclHashcat plus
ATTACKING PASSWORDS: PASSING
• Dumping and Passing Hashes
Pass the hash kit
Metasploit
PTH everything
ATTACKING PASSWORDS: IMPERSONATE
• Impersonate
Incognito
WCE
ATTACKING PASSWORDS: CLEARTEXT
• Dump in Cleartext!
All the applications!
- Egyp7’s script
WCE
Mimikatz
OVERVIEW
• Attacking passwords
• Attacking protocols
• Attacking applications
• Bypassing AV
• Windows Escalation
ATTACKING PROTOCOLS
• ARP: Address Resolution Protocol
• NBNS: NetBIOS Name Service
• SMB: Server Message Block
• DTP: Dynamic Trunking Protocol
• VTP: VLAN Trunking Protocol
• Honorable Mentions
ATTACKING PROTOCOLS: ARP
Address
Resolution
Protocol
ATTACKING PROTOCOLS: ARP
• General
MAC to IP association
Layer 2
• Conditions
Independent of user action
Broadcast network
• Attacks
MITM Monitoring
MITM Injection
DOS
ATTACKING PROTOCOLS: ARP
Common ARP MITM attacks:
• Intercept Data
SSN, Credit Cards, Healthcare data, etc
Whole file parsing with NetworkMiner
• Intercept Passwords
Cain will parse passwords for over 30 protocols
• Injection Content
SQL injection – Web and direct database connections
HTML injection – redirection, browser exploits
UNC path injection – Force authentication
Proxy and modify HTTP traffic with Burp Suite
ATTACKING PROTOCOLS: ARP
Common ARP MITM tools:
• Windows Tools
Cain
Ettercap-ng
Interceptor-ng
Nemesis
• Linux Tools
Ettercap
Dsniff
Subterfuge
Easycreds
Loki
Nemesis
ATTACKING PROTOCOLS: ARP
Common mitigating controls:
• Dynamic ARP Inspection
• Port Security
• Static Routes (not recommended)
ATTACKING PROTOCOLS: NBNS
NetBIOS Name
Service
ATTACKING PROTOCOLS: NBNS
• General
IP to hostname association
Layer 5 / 7
• Constraints
Dependent on user action
Broadcast Network
Windows Only
• Attacks
MITM Monitoring
MITM Injection
DOS
ATTACKING PROTOCOLS: NBNS
Common NBNS MITM attacks:
• Intercept Data
SSN, Credit Cards, Healthcare data, etc
Whole file parsing with NetworkMiner
• Intercept Passwords
Cain will parse passwords for over 30 protocols
• Injection Content
SQL injection – Web and direct database connections
HTML injection – redirection, browser exploits
UNC path injection – Force authentication
Proxy and modify traffic with Burp Suite
ATTACKING PROTOCOLS: NBNS
Common NBNS MITM tools:
• Windows Tools
nbnspoof (python)
Metasploit (nbns_response + other modules)
Responder (python)
• Linux Tools
nbnspoof (python)
Metasploit (nbns_response + other modules)
Responder (python)
ATTACKING PROTOCOLS: NBNS
Common mitigating controls:
• Create a WPAD (Web Proxy Auto-Discovery)
server entry in DNS
• Disable NBNS (not highly recommended)
• Disable insecure authentication to help
limit impact of exposed hashes
• Enable packet signing to help prevent
SMB Relay attacks
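Added example, not from the deck: a small NBNS response parser plus a detector for the behaviour the spoofing tools above depend on, one host answering every name it hears, including a canary name that no host owns. The packets are constructed; the canary name and the distinct-name threshold are assumptions.

```python
import struct
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

NB_TYPE = 0x0020        # NetBIOS general name service record
NB_CLASS = 0x0001       # Internet class
FLAG_RESPONSE = 0x8000  # R bit in the NBNS header flags


def encode_name(name: str, suffix: int = 0x00) -> bytes:
    """RFC 1001 first-level encoding: 15-char name + suffix byte -> 32 chars A..P."""
    raw = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    return b"\x20" + bytes(out) + b"\x00"


def decode_name(enc: bytes) -> Tuple[str, int]:
    """Reverse of encode_name(); returns (name, suffix byte)."""
    if len(enc) != 34 or enc[0] != 0x20 or enc[-1] != 0x00:
        raise ValueError("not a 34-byte NBNS label")
    body = enc[1:33]
    raw = bytes(((body[i] - 0x41) << 4) | (body[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_response(txid: int, name: str, ip: str, suffix: int = 0x00) -> bytes:
    """Construct a positive NBNS name query response (sample data only)."""
    header = struct.pack("!HHHHHH", txid, 0x8500, 0, 1, 0, 0)
    rr = encode_name(name, suffix) + struct.pack("!HHIH", NB_TYPE, NB_CLASS, 300, 6)
    rdata = struct.pack("!H", 0) + bytes(int(o) for o in ip.split("."))
    return header + rr + rdata


def parse_response(pkt: bytes) -> Optional[Tuple[int, str, int, List[str]]]:
    """Return (txid, name, suffix, [ips]) for an NBNS response, else None."""
    if len(pkt) < 56:
        return None
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & FLAG_RESPONSE or an < 1:
        return None
    name, suffix = decode_name(pkt[12:46])
    rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[46:56])
    if rtype != NB_TYPE or rclass != NB_CLASS:
        return None
    rdata = pkt[56:56 + rdlen]
    # Each 6-byte entry is NB_FLAGS (2) + IPv4 address (4).
    ips = [".".join(str(b) for b in rdata[i + 2:i + 6])
           for i in range(0, len(rdata) - 5, 6)]
    return txid, name, suffix, ips


def find_rogue_responders(observed: List[Tuple[str, bytes]],
                          canaries: Set[str],
                          threshold: int = 3) -> Dict[str, List[str]]:
    """Map source IP -> reasons it looks like an NBNS spoofer.

    observed: (source IP, UDP/137 payload) pairs from a capture.
    canaries: names we queried that do not exist; any answer is a spoof.
    threshold: distinct names one host answered for before it is suspicious.
    """
    names_by_src: Dict[str, Set[str]] = defaultdict(set)
    reasons: Dict[str, List[str]] = defaultdict(list)
    for src, pkt in observed:
        parsed = parse_response(pkt)
        if parsed is None:
            continue
        _txid, name, _suffix, _ips = parsed
        names_by_src[src].add(name)
        if name in canaries:
            reasons[src].append(f"answered canary name {name}")
    for src, names in names_by_src.items():
        if len(names) >= threshold:
            reasons[src].append(f"answered {len(names)} distinct names: {sorted(names)}")
    return dict(reasons)


# Constructed capture: 10.0.0.5 is the real file server; 10.0.0.66 answers everything.
SAMPLE_CAPTURE = [
    ("10.0.0.5", build_response(0x1001, "FILESRV01", "10.0.0.5", 0x20)),
    ("10.0.0.66", build_response(0x1001, "FILESRV01", "10.0.0.66", 0x20)),
    ("10.0.0.66", build_response(0x1002, "WPAD", "10.0.0.66")),
    ("10.0.0.66", build_response(0x1003, "CANARY7F3A", "10.0.0.66")),
]
CANARY_NAMES = {"CANARY7F3A"}  # assumed: a name we deliberately query that no host owns

if __name__ == "__main__":
    for src, why in find_rogue_responders(SAMPLE_CAPTURE, CANARY_NAMES).items():
        print(src, "->", "; ".join(why))
```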
ATTACKING PROTOCOLS: SMB
Server Message
Block
ATTACKING PROTOCOLS: SMB
• General
SMB is the comeback kid!
Layer 7
• Constraints
Dependent on user action
Any routable network
No connecting back
to originating host
• Attacks
Command execution
Shells..aaand shells
ATTACKING PROTOCOLS: SMB
Historically SMB Relay has been used to:
• Execute arbitrary commands
• Obtain shells
Lately the community has been developing tools for
doing things like:
• LDAP queries
• SQL queries
• Exchange services
• Mounting file systems
ATTACKING PROTOCOLS: SMB
Many tools support SMB Relay attacks:
• Windows Tools
Metasploit (smb_relay and http_ntlmrelay)
Interceptor-ng
…this is kind of a pain in Windows
• Linux Tools
Metasploit (smb_relay and http_ntlmrelay)
Zack attack
Subterfuge
Squirtle
ATTACKING PROTOCOLS: SMB
Common mitigating controls:
• Enable packet signing to help prevent SMB Relay
attacks
• Apply really old patches, as if you missed out on
the last decade…
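Added example (not the authors' code): parsing the SecurityMode field of an SMB2 NEGOTIATE response to verify that the signing mitigation above is actually enforced on a host rather than merely enabled. The response bytes are constructed; dialect, buffer sizes and GUID are assumed filler values.

```python
import struct
from typing import Optional

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
SIGNING_ENABLED = 0x0001   # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002  # SMB2_NEGOTIATE_SIGNING_REQUIRED


def build_negotiate_response(security_mode: int, dialect: int = 0x0302) -> bytes:
    """Construct a minimal SMB2 NEGOTIATE response (sample data; values assumed)."""
    # 64-byte SMB2 header: ProtocolId, StructureSize, CreditCharge, Status,
    # Command, CreditResponse, Flags, NextCommand, MessageId, Reserved,
    # TreeId, SessionId, Signature.
    header = struct.pack("<4sHHIHHIIQIIQ16s",
                         SMB2_MAGIC, 64, 0, 0, SMB2_NEGOTIATE, 1,
                         SMB2_FLAGS_SERVER_TO_REDIR, 0, 0, 0, 0, 0, b"\x00" * 16)
    # NEGOTIATE response body: StructureSize (65), SecurityMode, DialectRevision,
    # NegotiateContextCount, ServerGuid, Capabilities, MaxTransact/Read/Write,
    # SystemTime, ServerStartTime, SecurityBufferOffset/Length, ContextOffset.
    body = struct.pack("<HHHH16sIIIIQQHHI",
                       65, security_mode, dialect, 0, b"\x00" * 16,
                       0, 0x800000, 0x800000, 0x800000, 0, 0, 128, 0, 0)
    return header + body


def parse_security_mode(pkt: bytes) -> Optional[dict]:
    """Pull dialect and signing flags out of an SMB2 NEGOTIATE response."""
    if len(pkt) < 64 + 6 or pkt[:4] != SMB2_MAGIC:
        return None
    command, = struct.unpack_from("<H", pkt, 12)
    flags, = struct.unpack_from("<I", pkt, 16)
    if command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        return None
    struct_size, security_mode, dialect = struct.unpack_from("<HHH", pkt, 64)
    if struct_size != 65:
        return None
    return {
        "dialect": f"0x{dialect:04x}",
        "signing_enabled": bool(security_mode & SIGNING_ENABLED),
        "signing_required": bool(security_mode & SIGNING_REQUIRED),
    }


def assess(pkt: bytes) -> str:
    """One-line verdict on whether the signing mitigation is enforced."""
    info = parse_security_mode(pkt)
    if info is None:
        return "not an SMB2 NEGOTIATE response"
    if info["signing_required"]:
        return f"{info['dialect']}: signing required (relayed sessions are rejected)"
    if info["signing_enabled"]:
        return f"{info['dialect']}: signing enabled but optional (fix: require it)"
    return f"{info['dialect']}: signing disabled (fix: require it)"


if __name__ == "__main__":
    # Constructed responses: a default member server vs. one with signing enforced.
    print(assess(build_negotiate_response(SIGNING_ENABLED)))
    print(assess(build_negotiate_response(SIGNING_ENABLED | SIGNING_REQUIRED)))
```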
ATTACKING PROTOCOLS: DTP
Dynamic
Trunking
Protocol
ATTACKING PROTOCOLS: DTP
• General
802.1Q encapsulation is in use
Layer 2
• Constraints
Independent of user action
Trunking is set to enabled
or auto on switch port
• Attacks
Monitor network traffic for all
VLANs, because all VLANs are
allowed on a trunk by default
*Full VLAN hopping
ATTACKING PROTOCOLS: DTP
• Intercept Data
SSN, Credit Cards, Healthcare data, etc
Whole file parsing with NetworkMiner
• Intercept Passwords
Cain will parse passwords for over 30 protocols
ATTACKING PROTOCOLS: DTP
Common DTP spoofing tools:
• Windows Tools
I got nothing…
• Linux Tools
Yersinia
ATTACKING PROTOCOLS: DTP
Common mitigating controls:
• Use dedicated VLAN ID for all trunking ports
• Disable all unused ports and place them on a non
routable VLAN
• Configure all user ports as access ports
to prevent trunk negotiation
• Configure frames with two 802.1Q headers
• Configure strong VACLs
ATTACKING PROTOCOLS: VTP
VLAN Trunking
Protocol
ATTACKING PROTOCOLS: VTP
• General
802.1Q encapsulation is in use
Layer 2
• Constraints
Independent of user action
VLANs are IP or MAC based
• Attacks
Ability to directly attack
systems on other VLANs
ATTACKING PROTOCOLS: VTP
Common next steps after VTP tag forgery:
• MITM attacks against remote VLAN systems
• Intercept/Modify Data
Usually limited to broadcast traffic (unless
MITM)
ATTACKING PROTOCOLS: VTP
Tools for VLAN hopping attacks:
• Windows Tools
Native: Manually reconfigure via TCP/IP settings
• Linux Tools
Native: Modprobe + ifconfig
VoIP Hopper
Yersinia
ATTACKING PROTOCOLS: VTP
Common mitigating controls:
• Use dedicated VLAN ID for all trunking ports
• Disable all unused ports and place them on a non
routable VLAN
• Configure all user ports as access ports
to prevent trunk negotiation
• Configure frames with two 802.1Q headers
• Configure strong VACLs
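The mitigation lists for DTP and VTP above are the same, so this one added example (not from the deck) serves both: it audits an IOS-style switch config for ports left in dynamic mode, trunks that still negotiate, a native VLAN of 1 and trunks that allow every VLAN. The config excerpt is constructed; the command names are the standard Catalyst ones.

```python
from typing import Dict, List

# Constructed IOS-style running-config excerpt, not from any real switch.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet1/0/1
 description uplink-to-core
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 description user-port
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/3
 description user-port
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
!
interface GigabitEthernet1/0/4
 description uplink-to-dist
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 switchport nonegotiate
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split an IOS-style config into {interface name: [indented config lines]}."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
    return interfaces


def audit_interface(lines: List[str]) -> List[str]:
    """Return trunking-related findings for one interface (empty list == clean)."""
    findings = []
    mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
    nonegotiate = "switchport nonegotiate" in lines
    native = next((l.split()[-1] for l in lines
                   if l.startswith("switchport trunk native vlan ")), "1")
    pruned = any(l.startswith("switchport trunk allowed vlan ") for l in lines)
    if mode is None or mode == "dynamic":
        # No explicit mode means the port falls back to DTP negotiation.
        findings.append("DTP negotiation possible: set 'switchport mode access' "
                        "(or 'trunk' for uplinks) plus 'switchport nonegotiate'")
    elif mode == "access" and not nonegotiate:
        findings.append("access port still emits DTP frames: add 'switchport nonegotiate'")
    elif mode == "trunk":
        if not nonegotiate:
            findings.append("trunk still negotiates: add 'switchport nonegotiate'")
        if native == "1":
            findings.append("native VLAN is 1: use a dedicated, otherwise unused VLAN ID")
        if not pruned:
            findings.append("all VLANs allowed: prune with 'switchport trunk allowed vlan'")
    return findings


def audit_config(config: str) -> Dict[str, List[str]]:
    """Interfaces with at least one finding, in config order."""
    report: Dict[str, List[str]] = {}
    for name, lines in parse_interfaces(config).items():
        findings = audit_interface(lines)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        for finding in findings:
            print(f"{name}: {finding}")
```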
ATTACKING PROTOCOLS: OTHERS
Honorable Mention:
• Pre-Execution Environment (PXE)
• Link-local Multicast Name Resolution (LLMNR)
• Dynamic Host Configuration Protocol (DHCP)
OVERVIEW
• Attacking passwords
• Attacking protocols
• Attacking applications
• Bypassing AV
• Windows Escalation
ATTACKING APPLICATIONS
• Default and weak passwords for everything
Tools: Nmap, Nessus, Web Scour, Manuals, Google
• SQL injection
Tools: Manually, web scanners, SQL Ninja, SQL Map, Metasploit
• RFI/Web Shells (JBOSS, Tomcat, etc.)
Tools: Metasploit, Fuzzdb, and other web shellery
• Web directory traversals
Tools: Manually, web scanners, Fuzzdb, Metasploit
• MS08-067
Tools: Metasploit, exploitdb exploits, etc
OVERVIEW
• Attacking passwords
• Attacking protocols
• Attacking applications
• Bypassing AV
• Escalation
BYPASSING AV
• Weak Configurations
• Source Code Tricks
• Binary Modifications
• Process/Thread Manipulation
BYPASSING AV: WEAK CONFIGURATIONS
• Execute from share, UNC path, or external media
• Disable via GUI
• Create policy exceptions
• Kill processes
• Stop / Disable Services
• Uninstall (not recommended)
• Insecure service registration (c:\program.exe)
• Insecure file permissions (file replacement/mods)
• Execute from a DLL
• DLL pre loading, side loading etc
• GAC poisoning (potentially)
BYPASSING AV: SOURCE CODE TRICKS
Customize everything…and be crazy
• Migrate to and suspend or kill AV
• Modify comments (web languages)
• Replace variable names
• Modify application logic
• Use alternative functions
• Remove or modify resources
• Encode or encrypt payloads
• Compress payloads
• Add time delays
• Call NTDLL.DLL directly
BYPASSING AV: BINARY MODIFICATIONS
Same idea…be crazy
• Simple string modification
• Decompile/modify source
• Disassemble / modify application logic
• Disassemble /insert time delays
• Modify resource table (ditto/cffexplorer)
• Modify imports table (ditto/cffexplorer)
• Pack (UPX, Mpress, iExpress etc)
• Metasploit Pro Payloads:
dynamic exe generation
BYPASSING AV: PROCESS/THREAD MODS
Inject, inject, replace…
• Code injection (local and remote)
• DLL injection (local and remote)
• Process replacement
Common Tools:
• Powershell: Powersploit, etc
• Python and Py2exe
• Any language that supports
calls to native DLLs
OVERVIEW
• Attacking passwords
• Attacking protocols
• Attacking applications
• AV evasion
• Windows Escalation
WINDOWS ESCALATION: OVERVIEW
• Local user → Local Administrator
• Domain user → Local Administrator
• Local Administrator → LocalSystem
• LocalSystem → Domain User
• Locate Domain Admin Tokens
• LocalSystem → Domain Admin
WINDOWS ESCALATION: LOCAL ADMIN
• Local user → Local Administrator
Excessive local group privileges (admin or power users)
Cleartext credentials
• Sysprep (unattend.xml/ini/txt)
• Config files, scripts, logs, desktop folders
• Tech support calls files
Weak application configurations that allow:
• Restarting or reconfiguring services
• Replacing application files
• DLL pre or side loading
• Executable injection via poorly registered services
C:\Program Files (x86) vs “C:\Program Files (x86)”
Local and remote exploits (Metasploit: getsystem)
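Added example (not the authors' tooling) for the poorly registered service item above: given service ImagePath strings and the directories a standard user can write, it works out which intermediate paths Windows would try before the real binary and flags those that land in a writable directory, which is exactly what quoting the path prevents. The service entries and the writable-directory set are constructed; the stop-at-first-.exe rule is an assumption.

```python
import ntpath
from typing import Dict, List, Set


def search_candidates(image_path: str) -> List[str]:
    """Paths CreateProcess would probe, in order, before reaching the intended
    binary of an unquoted ImagePath. An empty list means the path is unambiguous.

    Windows splits on each space and tries the prefix (appending .exe when the
    prefix has no extension), so  C:\\Program Files (x86)\\Vendor App\\svc.exe
    is probed as C:\\Program.exe, C:\\Program Files.exe,
    C:\\Program Files (x86)\\Vendor.exe and finally the real file.
    Assumption: the first prefix ending in .exe is the real binary.
    """
    path = image_path.strip()
    if not path or path[0] == '"':
        return []  # quoted ImagePath: nothing to resolve
    tokens = path.split(" ")
    probes = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            break
        probes.append(prefix if "." in ntpath.basename(prefix) else prefix + ".exe")
    return probes


def audit_services(services: Dict[str, str],
                   writable_dirs: Set[str]) -> Dict[str, List[str]]:
    """For each service, list probe paths that fall in a directory a standard
    user can write; those are the registrations to fix by quoting the ImagePath.

    writable_dirs is supplied by the caller (assumed gathered with icacls or
    accesschk); this function never touches the filesystem.
    """
    norm = {d.rstrip("\\").lower() for d in writable_dirs}
    findings: Dict[str, List[str]] = {}
    for name, image in services.items():
        hits = [p for p in search_candidates(image)
                if ntpath.dirname(p).rstrip("\\").lower() in norm]
        if hits:
            findings[name] = hits
    return findings


# Constructed sample registrations, not from a real host.
SAMPLE_SERVICES = {
    "VendorAgent": r"C:\Program Files (x86)\Vendor App\bin\agent.exe -service",
    "BackupSvc": r"C:\Backup Tools\backup.exe",
    "Schedule": r"C:\Windows\system32\svchost.exe -k netsvcs",
    "VendorAgentFixed": r'"C:\Program Files (x86)\Vendor App\bin\agent.exe" -service',
}
# Constructed: directories on which this (misconfigured) host grants Users write access.
SAMPLE_WRITABLE = {"C:\\", "C:\\Backup Tools"}

if __name__ == "__main__":
    for svc, paths in audit_services(SAMPLE_SERVICES, SAMPLE_WRITABLE).items():
        print(f"{svc}: quote the ImagePath; resolves through writable dirs at {paths}")
```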
WINDOWS ESCALATION: LOCAL ADMIN
• Domain user → Local Administrator
Issues from last slide and…
Group policy: groups.xml
File shares accessible to domain users
Ability to log into domain workstations
Excessive database privileges (xp_cmdshell etc)
SMB Relay + cracking hashes
Other systems and applications that use integrated
domain authentication…
WINDOWS ESCALATION: LOCAL ADMIN
• Local Administrator → LocalSystem
At.exe (on older systems) – we still see it! :)
Accessibility Options
• Replace accessibility options like utilman.exe, osk.exe and
sethc.exe with cmd.exe or other backdoor
Create a custom service to run as LocalSystem
• Psexec –s –i cmd.exe
Migrate to a system process
• Remote process injection, MSF ps + migrate, and
Incognito
Local and remote exploits
• Metasploit: getsystem etc
SQL Server and Database links + xp_cmdshell
WINDOWS ESCALATION: FIND DA TOKENS
• Locate Domain Admin tokens
Check locally ;)
• incognito
Query the domain controllers
• netsess.exe
Scan remote systems for running tasks
• native tasklist or smbexec
Scan old Windows systems for NetBIOS
Shell spraying for tokens (not advised)
WINDOWS ESCALATION: DOMAIN ADMIN
• LocalSystem → Domain Admin
Pass-the-hash to target system
• Local administrator account and shared service accounts
• Manually via trusted connections or via MSF etc
Impersonate authentication token
• Custom application, Incognito, WCE, Metasploit
Dump clear text domain credentials
• Mimikatz, WCE, or Metasploit
Key logging
MITM + sniffing (http integrated auth etc)
CONCLUSIONS
All can kind of be fixed
Most Networks
Kind of broken
Most Protocols
Kind of broken
Most Applications
Kind of broken
ATTACK ALL THE LAYERS!
ANY QUESTIONS?
Scott Sutherland
Principal Security Consultant
Twitter: @_nullbind
Karl Fosaaen
Security Consultant
Twitter: @kfosaaen

More Related Content

What's hot (20)

PDF
CNIT 123 Ch 10: Hacking Web Servers
Sam Bowne
 
PDF
Thick Application Penetration Testing - A Crash Course
NetSPI
 
PPTX
Sticky Keys to the Kingdom
Dennis Maldonado
 
PPTX
Outlook and Exchange for the bad guys
Nick Landers
 
PDF
Ch 6: Attacking Authentication
Sam Bowne
 
PDF
Lateral Movement: How attackers quietly traverse your Network
EC-Council
 
PDF
A Byte of Software Deployment
Gong Haibing
 
PDF
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Priyanka Aash
 
PDF
CNIT 123: 6: Enumeration
Sam Bowne
 
PDF
CNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data Collection
Sam Bowne
 
PDF
CNIT 152: 1 Real-World Incidents
Sam Bowne
 
PDF
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
Sam Bowne
 
PPTX
Going outside the application
Matthew Saltzman
 
PDF
Security events in 2014
Chong-Kuan Chen
 
PDF
CNIT 126: Ch 2 & 3
Sam Bowne
 
PDF
The Dark Side of PowerShell by George Dobrea
EC-Council
 
PPT
Open Audit
ncspa
 
PPTX
System hardening - OS and Application
edavid2685
 
PDF
CNIT 121: 12 Investigating Windows Systems (Part 2 of 3)
Sam Bowne
 
PPTX
Prowler: BlackHat Europe Arsenal 2018
Toni de la Fuente
 
CNIT 123 Ch 10: Hacking Web Servers
Sam Bowne
 
Thick Application Penetration Testing - A Crash Course
NetSPI
 
Sticky Keys to the Kingdom
Dennis Maldonado
 
Outlook and Exchange for the bad guys
Nick Landers
 
Ch 6: Attacking Authentication
Sam Bowne
 
Lateral Movement: How attackers quietly traverse your Network
EC-Council
 
A Byte of Software Deployment
Gong Haibing
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Priyanka Aash
 
CNIT 123: 6: Enumeration
Sam Bowne
 
CNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data Collection
Sam Bowne
 
CNIT 152: 1 Real-World Incidents
Sam Bowne
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
Sam Bowne
 
Going outside the application
Matthew Saltzman
 
Security events in 2014
Chong-Kuan Chen
 
CNIT 126: Ch 2 & 3
Sam Bowne
 
The Dark Side of PowerShell by George Dobrea
EC-Council
 
Open Audit
ncspa
 
System hardening - OS and Application
edavid2685
 
CNIT 121: 12 Investigating Windows Systems (Part 2 of 3)
Sam Bowne
 
Prowler: BlackHat Europe Arsenal 2018
Toni de la Fuente
 

Viewers also liked (10)

PDF
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
Scott Sutherland
 
PDF
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
Scott Sutherland
 
PDF
Declaration of malWARe
Scott Sutherland
 
PPTX
Secure360 - Extracting Password from Windows
Scott Sutherland
 
PDF
WTF is Penetration Testing
Scott Sutherland
 
PPTX
DerbyCon2016 - Hacking SQL Server on Scale with PowerShell
Scott Sutherland
 
PPTX
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
Scott Sutherland
 
PDF
Introduction to Windows Dictionary Attacks
Scott Sutherland
 
PDF
Thick Application Penetration Testing: Crash Course
Scott Sutherland
 
PPTX
WTF is Penetration Testing v.2
Scott Sutherland
 
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
Scott Sutherland
 
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
Scott Sutherland
 
Declaration of malWARe
Scott Sutherland
 
Secure360 - Extracting Password from Windows
Scott Sutherland
 
WTF is Penetration Testing
Scott Sutherland
 
DerbyCon2016 - Hacking SQL Server on Scale with PowerShell
Scott Sutherland
 
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
Scott Sutherland
 
Introduction to Windows Dictionary Attacks
Scott Sutherland
 
Thick Application Penetration Testing: Crash Course
Scott Sutherland
 
WTF is Penetration Testing v.2
Scott Sutherland
 
Ad

Similar to Attack all the layers secure 360 (20)

PDF
Attack All The Layers - What's Working in Penetration Testing
NetSPI
 
PPTX
Introduction to layer 2 attacks & mitigation
Rishabh Dangwal
 
PPT
Bsides-Philly-2016-Finding-A-Companys-BreakPoint
Zack Meyers
 
PPTX
Lecture 7 Attacker and there tools.pptx
AsmaaLafi1
 
PDF
NotaCon 2011 - Networking for Pentesters
Rob Fuller
 
PPTX
Security in network
DaNang University of Technology
 
PPTX
Seucrity in a nutshell
Yahia Kandeel
 
PPTX
DC612 Day - Hands on Penetration Testing 101
dc612
 
PDF
Practical mitm for_pentesters
Jonathan Cran
 
PPT
6005679.ppt
AlmaOraevi
 
PDF
Network Security & Attacks
Netwax Lab
 
PPT
How hackers attack networks
Adeel Javaid
 
PDF
Coporate Espionage
UTD Computer Security Group
 
PPTX
Phases of penetration testing
Abdul Rahman
 
PDF
Computer network (2)
NYversity
 
PPT
Intro To Hacking
nayakslideshare
 
PPTX
BSides_Charm2015_Info sec hunters_gathers
Andrew McNicol
 
PPT
Network sec 1
Jasleen Kaur
 
PPTX
lecture5.pptxJHKGJFHDGTFGYIUOIUIPIOIPUOHIYGUYFGIH
Abodahab
 
PPTX
lecture5.pptx
Llobarro2
 
Attack All The Layers - What's Working in Penetration Testing
NetSPI
 
Introduction to layer 2 attacks & mitigation
Rishabh Dangwal
 
Bsides-Philly-2016-Finding-A-Companys-BreakPoint
Zack Meyers
 
Lecture 7 Attacker and there tools.pptx
AsmaaLafi1
 
NotaCon 2011 - Networking for Pentesters
Rob Fuller
 
Security in network
DaNang University of Technology
 
Seucrity in a nutshell
Yahia Kandeel
 
DC612 Day - Hands on Penetration Testing 101
dc612
 
Practical mitm for_pentesters
Jonathan Cran
 
6005679.ppt
AlmaOraevi
 
Network Security & Attacks
Netwax Lab
 
How hackers attack networks
Adeel Javaid
 
Coporate Espionage
UTD Computer Security Group
 
Phases of penetration testing
Abdul Rahman
 
Computer network (2)
NYversity
 
Intro To Hacking
nayakslideshare
 
BSides_Charm2015_Info sec hunters_gathers
Andrew McNicol
 
Network sec 1
Jasleen Kaur
 
lecture5.pptxJHKGJFHDGTFGYIUOIUIPIOIPUOHIYGUYFGIH
Abodahab
 
lecture5.pptx
Llobarro2
 
Ad

More from Scott Sutherland (13)

PPTX
Hunting SMB Shares with Data, Graphs, Charts, and LLMs (SO-CON 2025)
Scott Sutherland
 
PPTX
Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)
Scott Sutherland
 
PPTX
How to Build and Validate Ransomware Attack Detections (Secure360)
Scott Sutherland
 
PDF
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
Scott Sutherland
 
PPTX
2019 Blackhat Booth Presentation - PowerUpSQL
Scott Sutherland
 
PDF
PowerUpSQL - 2018 Blackhat USA Arsenal Presentation
Scott Sutherland
 
PPTX
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Scott Sutherland
 
PPTX
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
Scott Sutherland
 
PPTX
Beyond xp_cmdshell: Owning the Empire through SQL Server
Scott Sutherland
 
PPTX
2017 Secure360 - Hacking SQL Server on Scale with PowerShell
Scott Sutherland
 
PPTX
2017 Thotcon - Hacking SQL Servers on Scale with PowerShell
Scott Sutherland
 
PPTX
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
Scott Sutherland
 
PPTX
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
Scott Sutherland
 
Hunting SMB Shares with Data, Graphs, Charts, and LLMs (SO-CON 2025)
Scott Sutherland
 
Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)
Scott Sutherland
 
How to Build and Validate Ransomware Attack Detections (Secure360)
Scott Sutherland
 
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
Scott Sutherland
 
2019 Blackhat Booth Presentation - PowerUpSQL
Scott Sutherland
 
PowerUpSQL - 2018 Blackhat USA Arsenal Presentation
Scott Sutherland
 
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Scott Sutherland
 
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
Scott Sutherland
 
Beyond xp_cmdshell: Owning the Empire through SQL Server
Scott Sutherland
 
2017 Secure360 - Hacking SQL Server on Scale with PowerShell
Scott Sutherland
 
2017 Thotcon - Hacking SQL Servers on Scale with PowerShell
Scott Sutherland
 
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
Scott Sutherland
 
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
Scott Sutherland
 

Recently uploaded (20)

PDF
Responsible AI and AI Ethics - By Sylvester Ebhonu
Sylvester Ebhonu
 
PDF
Brief History of Internet - Early Days of Internet
sutharharshit158
 
PDF
MASTERDECK GRAPHSUMMIT SYDNEY (Public).pdf
Neo4j
 
PPTX
AI and Robotics for Human Well-being.pptx
JAYMIN SUTHAR
 
PDF
The Past, Present & Future of Kenya's Digital Transformation
Moses Kemibaro
 
PDF
How ETL Control Logic Keeps Your Pipelines Safe and Reliable.pdf
Stryv Solutions Pvt. Ltd.
 
PPTX
Introduction to Flutter by Ayush Desai.pptx
ayushdesai204
 
PPTX
Applied-Statistics-Mastering-Data-Driven-Decisions.pptx
parmaryashparmaryash
 
PPTX
Agile Chennai 18-19 July 2025 | Workshop - Enhancing Agile Collaboration with...
AgileNetwork
 
PDF
RAT Builders - How to Catch Them All [DeepSec 2024]
malmoeb
 
PDF
A Strategic Analysis of the MVNO Wave in Emerging Markets.pdf
IPLOOK Networks
 
PDF
TrustArc Webinar - Navigating Data Privacy in LATAM: Laws, Trends, and Compli...
TrustArc
 
PDF
Presentation about Hardware and Software in Computer
snehamodhawadiya
 
PDF
Make GenAI investments go further with the Dell AI Factory
Principled Technologies
 
PDF
Market Insight : ETH Dominance Returns
CIFDAQ
 
PDF
Per Axbom: The spectacular lies of maps
Nexer Digital
 
PDF
OFFOFFBOX™ – A New Era for African Film | Startup Presentation
ambaicciwalkerbrian
 
PDF
Generative AI vs Predictive AI-The Ultimate Comparison Guide
Lily Clark
 
PDF
Lecture A - AI Workflows for Banking.pdf
Dr. LAM Yat-fai (林日辉)
 
PDF
GDG Cloud Munich - Intro - Luiz Carneiro - #BuildWithAI - July - Abdel.pdf
Luiz Carneiro
 
Responsible AI and AI Ethics - By Sylvester Ebhonu
Sylvester Ebhonu
 
Brief History of Internet - Early Days of Internet
sutharharshit158
 
MASTERDECK GRAPHSUMMIT SYDNEY (Public).pdf
Neo4j
 
AI and Robotics for Human Well-being.pptx
JAYMIN SUTHAR
 
The Past, Present & Future of Kenya's Digital Transformation
Moses Kemibaro
 
How ETL Control Logic Keeps Your Pipelines Safe and Reliable.pdf
Stryv Solutions Pvt. Ltd.
 
Introduction to Flutter by Ayush Desai.pptx
ayushdesai204
 
Applied-Statistics-Mastering-Data-Driven-Decisions.pptx
parmaryashparmaryash
 
Agile Chennai 18-19 July 2025 | Workshop - Enhancing Agile Collaboration with...
AgileNetwork
 
RAT Builders - How to Catch Them All [DeepSec 2024]
malmoeb
 
A Strategic Analysis of the MVNO Wave in Emerging Markets.pdf
IPLOOK Networks
 
TrustArc Webinar - Navigating Data Privacy in LATAM: Laws, Trends, and Compli...
TrustArc
 
Presentation about Hardware and Software in Computer
snehamodhawadiya
 
Make GenAI investments go further with the Dell AI Factory
Principled Technologies
 
Market Insight : ETH Dominance Returns
CIFDAQ
 
Per Axbom: The spectacular lies of maps
Nexer Digital
 
OFFOFFBOX™ – A New Era for African Film | Startup Presentation
ambaicciwalkerbrian
 
Generative AI vs Predictive AI-The Ultimate Comparison Guide
Lily Clark
 
Lecture A - AI Workflows for Banking.pdf
Dr. LAM Yat-fai (林日辉)
 
GDG Cloud Munich - Intro - Luiz Carneiro - #BuildWithAI - July - Abdel.pdf
Luiz Carneiro
 

Attack all the layers secure 360

  • 2. INTRODUCTIONS Scott Sutherland  Security Consultant @ NetSPI  Twitter: @_nullbind Karl Fosaaen  Security Consultant @ NetSPI  Twitter: @kfosaaen We specialize in both things and stuff!
  • 3. OVERVIEW • Why do companies pen test? • Attacking passwords • Attacking protocols • Attacking applications • Bypassing AV • Windows Escalation • Conclusions
  • 4. WHY DO COMPANIES PEN TEST? • Compliance requirements • Third party requests • Identify unknown security gaps • Validate existing security controls • Prioritize existing security initiatives • Prevent data breaches
  • 5. PENETRATION TEST GOALS • Identify and understand the impact of vulnerabilities at the application, system, and network layers • Prioritize remediation • Understand ability to detect and respond to attacks
  • 6. PENETRATION TEST OBJECTIVES • *Complete client specific objectives • Gain access to critical systems, sensitive data, and application functionality • Attack Surfaces Applications Networks Servers • Attack Categories Configuration issues Code vulnerabilities Missing patches
  • 7. OVERVIEW • Attacking passwords • Attacking protocols • Attacking applications • Bypassing AV • Escalation
  • 8. ATTACKING PASSWORDS • Dictionary Attacks • Dump Hashes and Crack • Dump Hashes and PTH • Impersonate • Dump in Cleartext!
  • 9. ATTACKING PASSWORDS 1997 2000s 2001 2007 2008 2010 2012
  • 10. ATTACKING PASSWORDS: DICTIONARY • Dictionary Attacks Enumerate users - Null SMB logins, RPC, *SID BF, SNMP, LDAP, SharePoint, etc Attack! • Are users getting smarter? Sort of… - “Spring2013” meets password complexity requirements
  • 11. ATTACKING PASSWORDS: CRACKING • Dumping Hashes and Cracking John Rainbow Tables oclHashcat plus
  • 13. ATTACKING PASSWORDS: PASSING • Dumping and Passing Hashes Pass the hash kit Metasploit PTH everything
  • 14. ATTACKING PASSWORDS: IMPERSONATE • Impersonate Incognito WCE
  • 15. ATTACKING PASSWORDS: CLEARTEXT • Dump in Cleartext! All the applications! - Egyp7’s script WCE Mimikatz
  • 16. OVERVIEW • Attacking passwords • Attacking protocols • Attacking applications • Bypassing AV • Windows Escalation
  • 17. ATTACKING PROTOCOLS • ARP: Address Resolution Protocol • NBNS: NetBIOS Name Service • SMB: Server Message Block • DTP: Dynamic Trunking Protocol • VTP: VLAN Trunking Protocol • Honorable Mentions
  • 19. ATTACKING PROTOCOLS: ARP • General MAC to IP association Layer 2 • Conditions Independent of user action Broadcast network • Attacks MITM Monitoring MITM Injection DOS
  • 21. ATTACKING PROTOCOLS: ARP Common ARP MITM attacks: • Intercept Data SSN, Credit Cards, Healthcare data, etc Whole file parsing with NetworkMiner • Intercept Passwords Cain will parse passwords for over 30 protocols • Injection Content SQL injection – Web and direct database connections HTML injection – redirection, browser exploits UNC path injection – Force authentication Proxy and modify HTTP traffic with Burp Suite
  • 22. ATTACKING PROTOCOLS: ARP Common ARP MITM tools: • Windows Tools  Cain  Ettercap-ng  Interceptor-ng  Nemesis • Linux Tools  Ettercap  Dsniff  Subterfuge  Easycreds  Loki  Nemesis
  • 23. ATTACKING PROTOCOLS: ARP Common mitigating controls: • Dynamic ARP Inspection • Port Security • Static Routes (not recommended)
  • 25. ATTACKING PROTOCOLS: NBNS • General  IP to hostname association  Layer 5 / 7 • Constraints  Dependent on user action  Broadcast Network  Windows Only • Attacks  MITM Monitoring  MITM Injection  DOS
  • 29. ATTACKING PROTOCOLS: NBNS Common NBNS MITM attacks: • Intercept Data SSN, Credit Cards, Healthcare data, etc Whole file parsing with NetworkMiner • Intercept Passwords Cain will parse passwords for over 30 protocols • Injection Content SQL injection – Web and direct database connections HTML injection – redirection, browser exploits UNC path injection – Force authentication Proxy and modify traffic with Burp Suite
  • 30. ATTACKING PROTOCOLS: NBNS Common NBNS MITM tools: • Windows Tools nbnspoof (python) Metasploit (nbns_response + other modules) Responder (python) • Linux Tools nbnspoof (python) Metasploit (nbns_response + other modules) Responder (python)
  • 31. ATTACKING PROTOCOLS: NBNS Common mitigating controls: • Create a WPAD (Web Proxy Auto-Discovery) server entry in DNS • Disable NBNS (not highly recommended) • Disable insecure authentication to help limit impact of exposed hashes • Enable packet signing to help prevent SMB Relay attacks
  • 33. ATTACKING PROTOCOLS: SMB • General SMB is the come back kid! Layer 7 • Constraints Dependent on user action Any routable network No connecting back to originating host • Attacks Command execution Shells..aaand shells
  • 35. ATTACKING PROTOCOLS: SMB Historically SMB Relay has been used to: • Execute arbitrary commands • Obtain shells Lately the community has been developing tools for doing things like: • LDAP queries • SQL queries • Exchange services • Mounting file systems
  • 36. ATTACKING PROTOCOLS: SMB Many tools support SMB Relay attacks: • Windows Tools Metasploit (smb_relay and http_ntlmrelay) Interceptor-ng …this is a kind a pain in Windows • Linux Tools Metasploit (smb_relay and http_ntlmrelay) Zack attack Subterfuge Squirtle
  • 37. ATTACKING PROTOCOLS: SMB Common mitigating controls: • Enable packet signing to help prevent SMB Relay attacks • Apply really old patches like if you missed out on the last decade…
  • 39. ATTACKING PROTOCOLS: DTP • General  802.1Q encapsulation is in use  Layer 2 • Constraints  Independent of user action  Trunking is set to enabled or auto on switch port • Attacks  Monitor network traffic for all VLANs, because all VLANs are allowed on a trunk by default  *Full VLAN hopping
  • 44. ATTACKING PROTOCOLS: DTP • Intercept Data SSN, Credit Cards, Healthcare data, etc Whole file parsing with Network Minor • Intercept Passwords Cain will parse passwords for over 30 protocols
  • 45. ATTACKING PROTOCOLS: DTP Common DTP spoofing tools: • Windows Tools  I got nothing… • Linux Tools Yersinia
  • 46. ATTACKING PROTOCOLS: DTP Common mitigating controls: • Use dedicated VLAN ID for all trunking ports • Disable all unused ports and place them on a non routable VLAN • Configure all user ports as access ports to prevent trunk negotiation • Configure frames with two 8021Q headers • Configure strong VACLs
  • 47. ATTACKING PROTOCOLS: VTP VLAN Trunking Protocol
  • 48. ATTACKING PROTOCOLS: VTP • General 802.1Q encapsulation is in use Layer 2 • Constraints Independent of user action VLANs are IP or MAC based • Attacks Ability to directly attack systems on other VLANs
  • 51. ATTACKING PROTOCOLS: VTP Common next steps after VTP tag forgery: • MITM attacks against remote VLAN systems • Intercept/Modify Data Usually limited to broadcast traffic (unless MITM)
  • 52. ATTACKING PROTOCOLS: VTP Tools for VLAN hopping attacks: • Windows Tools Native: Manually reconfigure via TCP/IP settings • Linux Tools Native: Modprobe + ifconfig VoIP Hopper Yersinia
  • 53. ATTACKING PROTOCOLS: VTP Common mitigating controls: • Use dedicated VLAN ID for all trunking ports • Disable all unused ports and place them on a non routable VLAN • Configure all user ports as access ports to prevent trunk negotiation • Configure frames with two 8021Q headers • Configure strong VACLs
  • 54. ATTACKING PROTOCOLS: OTHERS Honorable Mention: • Pre-Execution Environment (PXE) • Link-local Multicast Name Resolution (LLMNR) • Dynamic Host Configuration Protocol (DHCP)
  • 55. OVERVIEW • Attacking passwords • Attacking protocols • Attacking applications • Bypassing AV • Windows Escalation
  • 56. ATTACKING APPLICATIONS • Default and weak passwords for everything  Tools: Nmap, Nessus, Web Scour, Manuals, Google • SQL injection  Tools: Manually, web scanners, SQL Ninja, SQL Map, Metasploit • RFI/Web Shells (JBOSS, Tomcat, etc.)  Tools: Metasploit, Fuzzdb, and other web shellery • Web directory traversals  Tools: Manually, web scanners, Fuzzdb, Metasploit, • MS08-067  Tools: Metasploit, exploitdb exploits, etc
  • 57. OVERVIEW • Attacking passwords • Attacking protocols • Attacking applications • Bypassing AV • Escalation
  • 58. BYPASSING AV
    • Weak configurations
    • Source code tricks
    • Binary modifications
    • Process/thread manipulation
  • 59. BYPASSING AV: WEAK CONFIGURATIONS
    • Execute from a share, UNC path, or external media
    • Disable via GUI
    • Create policy exceptions
    • Kill processes
    • Stop / disable services
    • Uninstall (not recommended)
    • Insecure service registration (c:\program.exe)
    • Insecure file permissions (file replacement/modification)
    • Execute from a DLL
    • DLL preloading, side loading, etc.
    • GAC poisoning (potentially)
  • 60. BYPASSING AV: SOURCE CODE TRICKS
    Customize everything…and be crazy
    • Migrate to and suspend or kill AV
    • Modify comments (web languages)
    • Replace variable names
    • Modify application logic
    • Use alternative functions
    • Remove or modify resources
    • Encode or encrypt payloads
    • Compress payloads
    • Add time delays
    • Call NTDLL.DLL directly
  • 61. BYPASSING AV: BINARY MODIFICATIONS
    Same idea…be crazy
    • Simple string modification
    • Decompile / modify source
    • Disassemble / modify application logic
    • Disassemble / insert time delays
    • Modify resource table (Ditto / CFF Explorer)
    • Modify imports table (Ditto / CFF Explorer)
    • Pack (UPX, MPRESS, IExpress, etc.)
    • Metasploit Pro payloads: dynamic exe generation
  • 62. BYPASSING AV: PROCESS/THREAD MODS
    Inject, inject, replace…
    • Code injection (local and remote)
    • DLL injection (local and remote)
    • Process replacement
    Common tools:
    • PowerShell: PowerSploit, etc.
    • Python and py2exe
    • Any language that supports calls to native DLLs
  • 63. OVERVIEW
    • Attacking passwords
    • Attacking protocols
    • Attacking applications
    • AV evasion
    • Windows Escalation
  • 64. WINDOWS ESCALATION: OVERVIEW
    • Local user → Local Administrator
    • Domain user → Local Administrator
    • Local Administrator → LocalSystem
    • LocalSystem → Domain User
    • Locate Domain Admin tokens
    • LocalSystem → Domain Admin
  • 65. WINDOWS ESCALATION: LOCAL ADMIN
    • Local user → Local Administrator
      - Excessive local group privileges (Administrators or Power Users)
      - Cleartext credentials
        - Sysprep (unattend.xml/ini/txt)
        - Config files, scripts, logs, desktop folders
        - Tech support call files
      - Weak application configurations that allow:
        - Restarting or reconfiguring services
        - Replacing application files
        - DLL preloading or side loading
        - Executable injection via poorly registered services: C:\Program Files (x86) vs "C:\Program Files (x86)"
      - Local and remote exploits (Metasploit: getsystem)
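To audit the unquoted service path issue from this slide (and the c:\program.exe registration on slide 59), here is an added Python example, not from the talk: it reproduces the documented CreateProcess lookup order for an unquoted path containing spaces, lists the names Windows would try before reaching the real binary (the directories a defender should check write permissions on), and produces the quoted ImagePath that fixes the registration. The service entries are constructed samples; the helper names are the example's own.

```python
# Constructed sample ImagePath values, as read from the registry Services key
# (HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath) or Win32_Service.PathName
SAMPLE_SERVICES = {
    "VendorSvcQuoted": r'"C:\Program Files (x86)\Vendor Tool\svc.exe" -run',
    "VendorSvcUnquoted": r"C:\Program Files (x86)\Vendor Tool\svc.exe -run",
    "NoSpaces": r"C:\Windows\system32\svchost.exe -k netsvcs",
    "EnvVarPath": r"%SystemRoot%\system32\svchost.exe -k LocalService",
}

def hijack_candidates(image_path):
    """Names CreateProcess tries before reaching the real binary when the
    ImagePath is unquoted and contains spaces; [] when quoted or space-free.
    Assumes the executable token ends in .exe, as service binaries normally do."""
    if image_path.startswith('"'):
        return []  # quoted: the executable name is unambiguous
    tokens = image_path.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            break  # this is the intended executable; the rest are arguments
        candidates.append(prefix + ".exe")  # Windows appends .exe and tries this name
    else:
        candidates.pop()  # no .exe token: the whole string is the binary, not a candidate
    return candidates

def quote_image_path(image_path):
    """The corrected value: executable portion quoted, arguments kept as they were."""
    if not hijack_candidates(image_path):
        return image_path  # already quoted or no spaces: nothing to fix
    tokens = image_path.split(" ")
    for i in range(1, len(tokens) + 1):
        exe = " ".join(tokens[:i])
        if exe.lower().endswith(".exe"):
            args = " ".join(tokens[i:])
            return f'"{exe}"' + (f" {args}" if args else "")
    return image_path  # no .exe token found: leave for manual review

def audit_services(services):
    """{service name: candidate names} for every service whose path is ambiguous."""
    found = ((name, hijack_candidates(path)) for name, path in services.items())
    return {name: c for name, c in found if c}
```

On a live host the same values come from `Get-CimInstance Win32_Service` (the PathName property), and the corrected string is applied with `sc config <name> binPath= "<quoted value>"`.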
  • 66. WINDOWS ESCALATION: LOCAL ADMIN
    • Domain user → Local Administrator
      - Issues from the last slide and…
      - Group Policy: groups.xml
      - File shares accessible to domain users
      - Ability to log into domain workstations
      - Excessive database privileges (xp_cmdshell, etc.)
      - SMB relay + cracking hashes
      - Other systems and applications that use integrated domain authentication…
  • 67. WINDOWS ESCALATION: LOCAL ADMIN
    • Local Administrator → LocalSystem
      - At.exe (on older systems) – we still see it!
      - Accessibility options
        - Replace accessibility options like utilman.exe, osk.exe and sethc.exe with cmd.exe or another backdoor
      - Create a custom service to run as LocalSystem
        - PsExec -s -i cmd.exe
      - Migrate to a system process
        - Remote process injection, MSF ps + migrate, and Incognito
      - Local and remote exploits
        - Metasploit: getsystem, etc.
      - SQL Server and database links + xp_cmdshell
  • 68. WINDOWS ESCALATION: FIND DA TOKENS
    • Locate Domain Admin tokens
      - Check locally ;)
        - incognito
      - Query the domain controllers
        - netsess.exe
      - Scan remote systems for running tasks
        - native tasklist or smbexec
      - Scan old Windows systems for NetBIOS
      - Shell spraying for tokens (not advised)
  • 69. WINDOWS ESCALATION: DOMAIN ADMIN
    • LocalSystem → Domain Admin
      - Pass-the-hash to target system
        - Local administrator account and shared service accounts
        - Manually via trusted connections or via MSF, etc.
      - Impersonate authentication token
        - Custom application, Incognito, WCE, Metasploit
      - Dump cleartext domain credentials
        - Mimikatz, WCE, or Metasploit
      - Key logging
      - MITM + sniffing (HTTP integrated auth, etc.)
  • 71. CONCLUSIONS
    Most networks: kind of broken
    Most protocols: kind of broken
    Most applications: kind of broken
    All can kind of be fixed
  • 72. ATTACK ALL THE LAYERS! ANY QUESTIONS?
  • 73. ATTACK ALL THE LAYERS!
    Scott Sutherland, Principal Security Consultant, Twitter: @_nullbind
    Karl Fosaaen, Security Consultant, Twitter: @kfosaaen