This presentation is intended to provide an overview of vulnerabilities and attack techniques that are popular in penetration testing at the moment. Vulnerabilities related to the application, network, and server layers will be covered along with current anti-virus bypass and privilege escalation techniques used by attackers and penetration testers. This presentation should be interesting to security professionals and system administrators looking for more insight into real world attacks.
This is the version modified for the OWASP meeting in June of 2014.
Attack All the Layers: What's Working during Pentests (OWASP NYC)
1. Attack All the Layers:
What’s Working During Pen Tests
Scott Sutherland and Karl Fosaaen
2. Introductions
• Scott Sutherland
‒ Principal Security Consultant @ NetSPI
‒ Twitter: @_nullbind
• Karl Fosaaen
‒ Senior Security Consultant @ NetSPI
‒ Twitter: @kfosaaen
We specialize in both
things and stuff!
3. Overview
• Why do Companies Pen Test?
• Attacking Protocols
• Attacking Passwords
• Attacking Applications
• Bypassing End Point Protection
• Windows Escalation
• Conclusions
4. Why do companies pen test?
• Compliance requirements
• Evaluate risks associated with an acquisition or
partnership
• Validate preventative controls
• Validate detective controls
• Prioritize internal security initiatives
• Proactively prevent breaches
5. Overview
• Attacking Protocols
• Attacking Passwords
• Attacking Applications
• Bypassing End Point Protection
• Windows Escalation
6. Attacking protocols
• ARP: Address Resolution Protocol
• NBNS: NetBIOS Name Service
• SMB: Server Message Block
• PXE: Preboot Execution Environment
• DTP: Dynamic Trunking Protocol
8. Attacking protocols: ARP
• General
‒MAC to IP association
‒Layer 2
• Conditions
‒Independent of user action
‒Broadcast network
• Attacks
‒MITM Monitoring
‒MITM Injection
‒DOS
12. Attacking protocols: NBNS
• General
‒ IP to hostname association
‒ Layer 5 / 7
• Constraints
‒ Dependent on user action
‒ Broadcast Network
‒ Windows Only
• Attacks
‒ MITM Monitoring
‒ MITM Injection
‒ DOS
16. Attacking protocols: NBNS
• Common mitigating controls:
‒ Create a WPAD (Web Proxy Auto-Discovery) server entry in
DNS
‒ Disable NBNS (recommended)
• Might cause issues with legacy apps
‒ Disable insecure authentication to help
• limit impact of exposed hashes
‒ Enable packet signing to help prevent
• SMB Relay attacks
18. Attacking protocols: SMB
• General
‒ SMB is the come back kid!
‒ Layer 7
• Constraints
‒ Dependent on user action
‒ Any routable network
‒ No connecting back to
originating host
• Attacks
‒ Command execution
‒ Shells..aaand shells
20. Attacking protocols: SMB
• Historically, SMB Relay has been used to:
‒ Execute arbitrary commands
‒ Obtain shells
• Lately the community has been developing tools for doing
things like:
‒ LDAP queries
‒ SQL queries
‒ Exchange services
‒ Mounting file systems
21. Attacking protocols: SMB
• Common mitigating controls:
‒ Enable packet signing to help prevent SMB Relay attacks
‒ Apply really old patches like if you missed out on the last
decade…
26. Attacking protocols: DTP
• General
‒ 802.1Q encapsulation is in use
‒ Layer 2
• Constraints
‒ Independent of user action
‒ Trunking is set to enabled
• or auto on switch port
• Attacks
‒ Monitor network traffic for all VLANs, because all VLANs are
• allowed on a trunk by default
• *Full VLAN hopping
31. Attacking protocols: DTP
• Common mitigating controls:
‒ Use dedicated VLAN ID for all trunking ports
‒ Disable all unused ports and place them on a
non-routable VLAN
‒ Configure all user ports as access ports to
prevent trunk negotiation
‒ Configure frames with two 802.1Q headers
‒ Configure strong VACLs
32. Overview
• Attacking Protocols
• Attacking Passwords
• Attacking Applications
• Bypassing End Point Protection
• Windows Escalation
34. Attacking Passwords
Tool Function Year
Pass the Hash Passing Hashes 1997
Rainbow Tables Password Cracking 2000s
SMB Relay Relaying Captured Hashes 2001
John the Ripper Password Cracking 2001
NetNTLM.pl Cracking Network Hashes 2007
PTH Toolkit Pass all the Hashes 2008
Hashcat CPU and GPU Cracking 2010
WCE and Mimikatz Cleartext Windows Creds 2012
35. Attacking Passwords: Hashes
• What are hashes?
‒ A non-reversible way of storing passwords
‒ Operating systems and applications
‒ Lots of types
• LM/NTLM
• Network and Local
• MD5
• SHA
• descrypt
36. Attacking Passwords: Hashes
• How do we get hashes?
‒ Cain and Abel
‒ fgdump
‒ Metasploit
‒ Mimikatz
‒ Databases
‒ Config files
43. Overview
• Attacking Protocols
• Attacking Passwords
• Attacking Applications
• Bypassing End Point Protection
• Windows Escalation
44. Attacking Applications: Common
• Default and weak passwords
• SQL injection
• RFI/web shells
• Web directory traversals
• UNC path injection + SMB relay
• Critical missing patches
45. Attacking Applications: Breakouts
• Obtain a common dialog box
• Bypass folder path and file type restrictions
• Bypass file execution restrictions
• Bypass file black/white lists
• Access to native consoles and management tools
• Downloading and use third party applications
46. Overview
• Attacking Protocols
• Attacking Passwords
• Attacking Applications
• Bypassing End Point Protection
• Windows Escalation
51. Windows Escalation: Goals
• Local Escalation Goals
‒ Find clear text or reversible credentials with local
administrative privileges
‒ Get application to run commands as Administrator or
LocalSystem
• Domain Escalation Goals
‒ Find Domain Admins
‒ Impersonate Domain Admins
52. Windows Escalation: Local
• Local Escalation
‒ *Clear text credentials in files, registry, over network
‒ Insecure service paths
‒ DLL preloading
‒ DLL and exe replacement
‒ Binary planting in auto-run locations (reg and file
system)
‒ Modifying schedule tasks
‒ *Local and remote exploits
‒ Leverage local application like IIS, SQL Server etc
‒ *UNC path injection + SMB Relay / Capture + crack
53. Windows Escalation: Domain
• Domain Escalation – Find DAs
‒ Check locally! (Processes, Tokens, Cachedump)
‒ Review active sessions – netsess (veil)
‒ Review remote processes - tasklist
‒ Service Principal Names (SPN) – get-spn
‒ Scanning Remote Systems for NetBIOS Information - nbtscan
‒ Pass the hash to other systems
‒ PowerShell shell spraying
‒ WINRM/WINRS shell spraying
‒ Psexec shell spraying
54. Windows Escalation: Domain
• Domain Escalation – Impersonate DAs
‒ Dump passwords from memory with Mimikatz
‒ Migrate into the Domain Admin’s process
‒ Steal Domain Admins delegation tokens with Incognito
‒ Dump cached domain admin hashes with cachedump
‒ Relatively new techniques
• PTH using Kerberos ticket
55.
56. Conclusions
• Most Networks
‒ Kind of broken
• Most Protocols
‒ Kind of broken
• Most Applications
‒ Kind of broken
All can kind of be fixed
58. Attack all the layers!
• Scott Sutherland
‒ Principal Security Consultant
‒ Twitter: @_nullbind
• Karl Fosaaen
‒ Senior Security Consultant
‒ Twitter: @kfosaaen