Attack all the layers (Secure 360)
DESCRIPTION
This presentation is intended to provide an overview of the vulnerabilities and attack techniques that are currently popular in penetration testing. Vulnerabilities related to the application, network, and server layers are covered, along with the anti-virus bypass and privilege escalation techniques currently used by attackers and penetration testers. It should be of interest to security professionals and system administrators looking for more insight into real-world attacks. Karl Fosaaen and I put this together for Secure 360 in Minneapolis. We hope you enjoy it. More security blogs by the authors can be found at https://www.netspi.com/blog/
TRANSCRIPT
![Page 1: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/1.jpg)
![Page 2: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/2.jpg)
INTRODUCTIONS
Scott Sutherland
Security Consultant @ NetSPI
Twitter: @_nullbind
Karl Fosaaen
Security Consultant @ NetSPI
Twitter: @kfosaaen
We specialize in both things and stuff!
![Page 3: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/3.jpg)
OVERVIEW
• Why do companies pen test?
• Attacking passwords
• Attacking protocols
• Attacking applications
• Bypassing AV
• Windows Escalation
• Conclusions
![Page 4: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/4.jpg)
WHY DO COMPANIES PEN TEST?
• Compliance requirements
• Third party requests
• Identify unknown security gaps
• Validate existing security controls
• Prioritize existing security initiatives
• Prevent data breaches
![Page 5: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/5.jpg)
PENETRATION TEST GOALS
• Identify and understand the impact of vulnerabilities at the application, system, and network layers
• Prioritize remediation
• Understand ability to detect and respond to attacks
![Page 6: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/6.jpg)
PENETRATION TEST OBJECTIVES
• Complete client-specific objectives
• Gain access to critical systems, sensitive data, and application functionality
• Attack surfaces
  - Applications
  - Networks
  - Servers
• Attack categories
  - Configuration issues
  - Code vulnerabilities
  - Missing patches
![Page 7: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/7.jpg)
OVERVIEW
• Attacking passwords
• Attacking protocols
• Attacking applications
• Bypassing AV
• Escalation
![Page 8: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/8.jpg)
ATTACKING PASSWORDS
• Dictionary Attacks
• Dump Hashes and Crack
• Dump Hashes and PTH
• Impersonate
• Dump in Cleartext!
![Page 9: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/9.jpg)
ATTACKING PASSWORDS
Timeline (figure): 1997, 2000s, 2001, 2007, 2008, 2010, 2012
![Page 10: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/10.jpg)
ATTACKING PASSWORDS: DICTIONARY
• Dictionary attacks
  - Enumerate users: null SMB logins, RPC, SID brute force, SNMP, LDAP, SharePoint, etc.
  - Attack!
• Are users getting smarter? Sort of…
  - “Spring2013” meets password complexity requirements
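The “Spring2013” point is worth seeing in code. The following is an added Python example, not from the deck or its authors, that evaluates a password against a typical Windows-style complexity rule and then against a small constructed blocklist, applying the normalisation a cracking rule set applies anyway (strip the trailing year, undo leet substitutions). The wordlist, the 8-character minimum and the `Acme` organisation word are assumptions made for the demonstration.

```python
import re

MIN_LENGTH = 8

# Constructed sample wordlist: seasons, months and a few stock words that real
# spraying and cracking wordlists all contain. A production blocklist is far
# larger and also holds the organisation's own names (passed in as org_words).
SEASONS = ["spring", "summer", "fall", "autumn", "winter"]
MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
STOCK_WORDS = ["password", "welcome", "letmein", "changeme", "qwerty", "admin"]

# Leet substitutions a cracking rule set applies (or undoes) for free.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                      "3": "e", "4": "a", "5": "s", "7": "t"})


def meets_complexity(pw):
    """Windows-style rule: at least MIN_LENGTH characters and 3 of 4 character classes."""
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    )
    return len(pw) >= MIN_LENGTH and sum(classes) >= 3


def dictionary_base(pw):
    """Reduce a password to the word a rule-based attack starts from: drop the
    leading/trailing digits and symbols (years, '!', '123'), lowercase, undo leet."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw)
    return core.lower().translate(LEET)


def guessable_reason(pw, org_words=()):
    """Return why the password is a likely dictionary-attack hit, or None."""
    base = dictionary_base(pw)
    if base in SEASONS or base in MONTHS:
        return f"built on season/month word '{base}'"
    if base in STOCK_WORDS:
        return f"built on stock word '{base}'"
    if base in [w.lower() for w in org_words]:
        return f"built on organisation word '{base}'"
    return None


def audit_password(pw, org_words=()):
    """Evaluate one password against both the complexity rule and the blocklist."""
    return {"complexity_ok": meets_complexity(pw),
            "guessable": guessable_reason(pw, org_words)}


if __name__ == "__main__":
    # "Acme" stands in for the organisation's name (assumed, for the demo).
    for candidate in ["Spring2013", "P@ssw0rd!", "Acme2013!", "correct-horse-battery"]:
        print(f"{candidate:24} {audit_password(candidate, org_words=['Acme'])}")
```

Running it shows the mismatch the slide is pointing at: “Spring2013” and “P@ssw0rd!” pass the complexity rule and fail the blocklist, while a long passphrase fails the complexity rule and passes the blocklist. A blocklist with normalisation is the control that actually changes a spraying attack's hit rate.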
![Page 11: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/11.jpg)
ATTACKING PASSWORDS: CRACKING
• Dumping hashes and cracking
  - John
  - Rainbow tables
  - oclHashcat-plus
![Page 12: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/12.jpg)
ATTACKING PASSWORDS: CRACKING
![Page 13: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/13.jpg)
ATTACKING PASSWORDS: PASSING
• Dumping and passing hashes
  - Pass the hash kit
  - Metasploit
  - PTH everything
![Page 14: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/14.jpg)
ATTACKING PASSWORDS: IMPERSONATE
• Impersonate
  - Incognito
  - WCE
![Page 15: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/15.jpg)
ATTACKING PASSWORDS: CLEARTEXT
• Dump in cleartext! All the applications!
  - Egyp7’s script
  - WCE
  - Mimikatz
![Page 16: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/16.jpg)
OVERVIEW
• Attacking passwords
• Attacking protocols
• Attacking applications
• Bypassing AV
• Windows Escalation
![Page 17: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/17.jpg)
ATTACKING PROTOCOLS
• ARP: Address Resolution Protocol
• NBNS: NetBIOS Name Service
• SMB: Server Message Block
• DTP: Dynamic Trunking Protocol
• VTP: VLAN Trunking Protocol
• Honorable Mentions
![Page 18: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/18.jpg)
ATTACKING PROTOCOLS: ARP
Address Resolution Protocol
![Page 19: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/19.jpg)
ATTACKING PROTOCOLS: ARP
• General
  - MAC to IP association
  - Layer 2
• Conditions
  - Independent of user action
  - Broadcast network
• Attacks
  - MITM monitoring
  - MITM injection
  - DoS
![Page 20: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/20.jpg)
ATTACKING PROTOCOLS: ARP
![Page 21: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/21.jpg)
ATTACKING PROTOCOLS: ARP
Common ARP MITM attacks:
• Intercept data
  - SSN, credit cards, healthcare data, etc.
  - Whole file parsing with NetworkMiner
• Intercept passwords
  - Cain will parse passwords for over 30 protocols
• Inject content
  - SQL injection: web and direct database connections
  - HTML injection: redirection, browser exploits
  - UNC path injection: force authentication
  - Proxy and modify HTTP traffic with Burp Suite
![Page 22: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/22.jpg)
ATTACKING PROTOCOLS: ARP
Common ARP MITM tools:
• Windows tools
  - Cain
  - Ettercap-ng
  - Intercepter-ng
  - Nemesis
• Linux tools
  - Ettercap
  - Dsniff
  - Subterfuge
  - Easy-creds
  - Loki
  - Nemesis
![Page 23: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/23.jpg)
ATTACKING PROTOCOLS: ARP
Common mitigating controls:
• Dynamic ARP Inspection
• Port Security
• Static Routes (not recommended)
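To make the Dynamic ARP Inspection control concrete, here is an added Python example (not part of the deck) that parses raw ARP packets and checks each sender IP/MAC pair against a trusted binding table, which is what DAI does on a switch using the DHCP-snooping database. The addresses and the three constructed packets are sample data built inside the block.

```python
import struct
from collections import namedtuple

ARP_REQUEST, ARP_REPLY = 1, 2
ArpPacket = namedtuple("ArpPacket", "oper sha spa tha tpa")


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def parse_arp(raw):
    """Parse a 28-byte Ethernet/IPv4 ARP packet (Ethernet header already removed)."""
    if len(raw) < 28:
        raise ValueError("ARP packet too short")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", raw[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return ArpPacket(oper, mac_str(raw[8:14]), ip_str(raw[14:18]),
                     mac_str(raw[18:24]), ip_str(raw[24:28]))


def build_arp(oper, sha, spa, tha, tpa):
    """Constructed test traffic: encode an ARP packet from colon/dotted notation."""
    mac = lambda s: bytes(int(x, 16) for x in s.split(":"))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + mac(sha) + ip(spa) + mac(tha) + ip(tpa)


class ArpInspector:
    """Software analogue of Dynamic ARP Inspection: every ARP packet's sender
    IP/MAC pair is checked against a trusted binding table (on a switch this is
    the DHCP-snooping database); anything that disagrees is dropped and logged."""

    def __init__(self, trusted_bindings):
        self.trusted = dict(trusted_bindings)  # ip -> mac
        self.alerts = []

    def inspect(self, raw):
        """Return True if the packet should be forwarded, False if dropped."""
        pkt = parse_arp(raw)
        expected = self.trusted.get(pkt.spa)
        if expected is None:
            self.alerts.append(f"drop: no binding for {pkt.spa} (claimed by {pkt.sha})")
            return False
        if expected != pkt.sha:
            self.alerts.append(f"drop: {pkt.spa} is bound to {expected}, packet claims {pkt.sha}")
            return False
        return True


# Constructed sample: a gateway, one workstation, and a third host that tells the
# workstation the gateway now lives at its own MAC (the MITM setup from the slide).
TRUSTED = {"10.0.0.1": "aa:bb:cc:00:00:01", "10.0.0.10": "aa:bb:cc:00:00:10"}
LEGIT_REPLY = build_arp(ARP_REPLY, "aa:bb:cc:00:00:01", "10.0.0.1",
                        "aa:bb:cc:00:00:10", "10.0.0.10")
SPOOFED_REPLY = build_arp(ARP_REPLY, "de:ad:be:ef:00:66", "10.0.0.1",
                          "aa:bb:cc:00:00:10", "10.0.0.10")
ROGUE_REQUEST = build_arp(ARP_REQUEST, "de:ad:be:ef:00:66", "10.0.0.66",
                          "00:00:00:00:00:00", "10.0.0.10")


def run_sample():
    """Inspect the constructed packets; return (forward decisions, alerts)."""
    inspector = ArpInspector(TRUSTED)
    decisions = [inspector.inspect(p) for p in (LEGIT_REPLY, SPOOFED_REPLY, ROGUE_REQUEST)]
    return decisions, inspector.alerts


if __name__ == "__main__":
    decisions, alerts = run_sample()
    print(decisions)
    for line in alerts:
        print(line)
```

The inspector validates requests as well as replies, because the sender fields of a request also populate the victim's cache. The weak spot of this control is the same as on real switches: the binding table has to be trustworthy, which is why DAI is paired with DHCP snooping rather than with hand-maintained static entries.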
![Page 24: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/24.jpg)
ATTACKING PROTOCOLS: NBNS
NetBIOS Name Service
![Page 25: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/25.jpg)
ATTACKING PROTOCOLS: NBNS
• General
  - IP to hostname association
  - Layer 5 / 7
• Constraints
  - Dependent on user action
  - Broadcast network
  - Windows only
• Attacks
  - MITM monitoring
  - MITM injection
  - DoS
![Page 26: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/26.jpg)
ATTACKING PROTOCOLS: NBNS
![Page 27: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/27.jpg)
ATTACKING PROTOCOLS: NBNS
![Page 28: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/28.jpg)
ATTACKING PROTOCOLS: NBNS
![Page 29: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/29.jpg)
ATTACKING PROTOCOLS: NBNS
Common NBNS MITM attacks:
• Intercept data
  - SSN, credit cards, healthcare data, etc.
  - Whole file parsing with NetworkMiner
• Intercept passwords
  - Cain will parse passwords for over 30 protocols
• Inject content
  - SQL injection: web and direct database connections
  - HTML injection: redirection, browser exploits
  - UNC path injection: force authentication
  - Proxy and modify traffic with Burp Suite
![Page 30: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/30.jpg)
ATTACKING PROTOCOLS: NBNS
Common NBNS MITM tools:
• Windows tools
  - nbnspoof (Python)
  - Metasploit (nbns_response + other modules)
  - Responder (Python)
• Linux tools
  - nbnspoof (Python)
  - Metasploit (nbns_response + other modules)
  - Responder (Python)
![Page 31: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/31.jpg)
ATTACKING PROTOCOLS: NBNS
Common mitigating controls:
• Create a WPAD (Web Proxy Auto-Discovery) server entry in DNS
• Disable NBNS (not highly recommended)
• Disable insecure authentication to help limit the impact of exposed hashes
• Enable packet signing to help prevent SMB relay attacks
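An added Python example, not from the deck, that decodes the NBNS name-query format (the RFC 1001 first-level encoding) and raises the alert a monitor on UDP/137 would raise when a host broadcasts for WPAD. That broadcast only happens when DNS returned no answer, which is exactly the gap the first mitigation above closes. The transaction IDs, source addresses and names are constructed inside the block.

```python
import struct

QTYPE_NB = 0x0020          # NetBIOS general name service resource record
FLAG_RESPONSE = 0x8000     # R bit of the NBNS header flags


def encode_nb_name(name, suffix=0x00):
    """First-level encoding (RFC 1001 §14.1): pad the name to 15 bytes, append the
    suffix byte, then write each byte as two 'A'..'P' characters (one per nibble)."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    encoded = b"".join(bytes([(b >> 4) + 0x41, (b & 0x0F) + 0x41]) for b in raw)
    return bytes([32]) + encoded + b"\x00"   # label length, label, root label


def decode_nb_name(data, offset):
    """Decode one encoded name at offset; return (name, suffix, offset after it)."""
    if data[offset] != 32:
        raise ValueError("NetBIOS name label must be 32 bytes")
    enc = data[offset + 1:offset + 33]
    if len(enc) != 32 or any(c < 0x41 or c > 0x50 for c in enc):
        raise ValueError("malformed first-level encoded name")
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    if data[offset + 33] != 0:
        raise ValueError("expected root label after name")
    return raw[:15].decode("ascii").rstrip(" "), raw[15], offset + 34


def build_nbns_query(trn_id, name):
    """Constructed test datagram: a broadcast NB name query as a Windows host sends it."""
    header = struct.pack("!HHHHHH", trn_id, 0x0110, 1, 0, 0, 0)  # RD + B flags, one question
    return header + encode_nb_name(name) + struct.pack("!HH", QTYPE_NB, 0x0001)


def parse_nbns(data):
    """Parse the header and question section of an NBNS datagram."""
    trn_id, flags, qdcount = struct.unpack("!HHH", data[:6])
    offset, questions = 12, []
    for _ in range(qdcount):
        name, suffix, offset = decode_nb_name(data, offset)
        qtype, _qclass = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        questions.append((name, suffix, qtype))
    return {"id": trn_id, "response": bool(flags & FLAG_RESPONSE), "questions": questions}


def nbns_alerts(src_ip, data):
    """Alerts a monitor would raise for one datagram. Any name that reaches NBNS has
    already failed DNS, which is the window a poisoner answers in; a WPAD query in
    particular means the DNS WPAD entry the slide recommends is missing."""
    msg = parse_nbns(data)
    alerts = []
    if msg["response"]:
        return alerts
    for name, suffix, qtype in msg["questions"]:
        if qtype != QTYPE_NB:
            continue
        if name == "WPAD":
            alerts.append(f"{src_ip}: broadcast NBNS query for WPAD "
                          f"(proxy auto-discovery is not being served by DNS)")
        else:
            alerts.append(f"{src_ip}: NBNS query for '{name}' <{suffix:02X}> fell through from DNS")
    return alerts


if __name__ == "__main__":
    # Constructed sample traffic from two hosts on the broadcast segment.
    for ip, name in [("10.0.0.10", "WPAD"), ("10.0.0.11", "FILESRV01")]:
        for line in nbns_alerts(ip, build_nbns_query(0x1234, name)):
            print(line)
```

The encoded form of WPAD that the block produces is the same 32-character string that shows up in packet captures and in poisoning-tool signatures, so the decoder can be pointed at real UDP/137 payloads unchanged. Counting the non-WPAD names that fall through is useful too: each one is a typo or a stale share mapping that a poisoner on the segment would answer.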
![Page 32: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/32.jpg)
ATTACKING PROTOCOLS: SMB
Server Message Block
![Page 33: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/33.jpg)
ATTACKING PROTOCOLS: SMB
• General
  - SMB is the comeback kid!
  - Layer 7
• Constraints
  - Dependent on user action
  - Any routable network
  - No connecting back to the originating host
• Attacks
  - Command execution
  - Shells… aaand shells
![Page 34: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/34.jpg)
ATTACKING PROTOCOLS: SMB
![Page 35: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/35.jpg)
ATTACKING PROTOCOLS: SMB
Historically SMB Relay has been used to:
• Execute arbitrary commands
• Obtain shells
Lately the community has been developing tools for doing things like:
• LDAP queries
• SQL queries
• Exchange services
• Mounting file systems
![Page 36: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/36.jpg)
ATTACKING PROTOCOLS: SMB
Many tools support SMB Relay attacks:
• Windows tools
  - Metasploit (smb_relay and http_ntlmrelay)
  - Intercepter-ng
  - …this is kind of a pain in Windows
• Linux tools
  - Metasploit (smb_relay and http_ntlmrelay)
  - ZackAttack
  - Subterfuge
  - Squirtle
![Page 37: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/37.jpg)
ATTACKING PROTOCOLS: SMB
Common mitigating controls:
• Enable packet signing to help prevent SMB Relay attacks
• Apply really old patches, in case you missed out on the last decade…
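Packet signing only stops relay when the target requires it, so a useful audit check is to read the SecurityMode field of a server's SMB2 NEGOTIATE response. The following is an added Python example (not from the deck); the negotiate responses it parses are constructed in the block rather than captured from a live server, and the GUID and size values in them are placeholders.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
SIGNING_ENABLED = 0x0001    # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002   # SMB2_NEGOTIATE_SIGNING_REQUIRED

HEADER_FMT = "<4sHHIHHIIQIIQ16s"     # 64-byte SMB2 packet header
NEG_RESP_FMT = "<HHHH16sIIIIQQHHI"    # fixed 64-byte part of the NEGOTIATE response


def build_negotiate_response(security_mode, dialect=0x0302):
    """Constructed server reply to NEGOTIATE, without the GSS security blob.
    GUID, buffer sizes and the security buffer offset are placeholder values."""
    header = struct.pack(HEADER_FMT, SMB2_MAGIC, 64, 0, 0, SMB2_NEGOTIATE, 1,
                         SMB2_FLAGS_SERVER_TO_REDIR, 0, 0, 0, 0, 0, b"\x00" * 16)
    body = struct.pack(NEG_RESP_FMT, 65, security_mode, dialect, 0, b"\x11" * 16,
                       0, 0x800000, 0x800000, 0x800000, 0, 0, 128, 0, 0)
    return header + body


def parse_negotiate_response(data):
    """Return the fields a signing audit needs from an SMB2 NEGOTIATE response."""
    if len(data) < 128 or data[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    fields = struct.unpack(HEADER_FMT, data[:64])
    size, status, command, flags = fields[1], fields[3], fields[4], fields[6]
    if size != 64 or command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    body = struct.unpack(NEG_RESP_FMT, data[64:128])
    structure_size, security_mode, dialect = body[0], body[1], body[2]
    if structure_size != 65:
        raise ValueError("unexpected NEGOTIATE response structure size")
    return {
        "status": status,
        "dialect": dialect,
        "signing_enabled": bool(security_mode & SIGNING_ENABLED),
        "signing_required": bool(security_mode & SIGNING_REQUIRED),
    }


def signing_posture(data):
    """Classify a server's relay exposure from its negotiate response."""
    info = parse_negotiate_response(data)
    if info["signing_required"]:
        # A relayed session cannot be signed by the relay, so it is rejected here.
        return "required"
    if info["signing_enabled"]:
        # Server offers signing but will accept unsigned sessions: relay still works.
        return "enabled-not-required"
    return "disabled"


if __name__ == "__main__":
    # Constructed responses standing in for a hardened and a default file server.
    for label, mode in [("hardened", SIGNING_ENABLED | SIGNING_REQUIRED),
                        ("default", SIGNING_ENABLED)]:
        print(label, signing_posture(build_negotiate_response(mode)))
```

Servers that only report "enabled-not-required" are the ones the smb_relay-style tools on the previous slide still work against; on Windows the requirement is set through the "Microsoft network server: Digitally sign communications (always)" policy, and domain controllers are the only hosts that require it out of the box.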
![Page 38: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/38.jpg)
ATTACKING PROTOCOLS: DTP
Dynamic Trunking Protocol
![Page 39: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/39.jpg)
ATTACKING PROTOCOLS: DTP
• General
  - 802.1Q encapsulation is in use
  - Layer 2
• Constraints
  - Independent of user action
  - Trunking is set to enabled or auto on the switch port
• Attacks
  - Monitor network traffic for all VLANs, because all VLANs are allowed on a trunk by default
  - Full VLAN hopping
![Page 40: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/40.jpg)
ATTACKING PROTOCOLS: DTP
![Page 41: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/41.jpg)
ATTACKING PROTOCOLS: DTP
![Page 42: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/42.jpg)
ATTACKING PROTOCOLS: DTP
![Page 43: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/43.jpg)
ATTACKING PROTOCOLS: DTP
![Page 44: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/44.jpg)
ATTACKING PROTOCOLS: DTP
• Intercept data
  - SSN, credit cards, healthcare data, etc.
  - Whole file parsing with NetworkMiner
• Intercept passwords
  - Cain will parse passwords for over 30 protocols
![Page 45: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/45.jpg)
ATTACKING PROTOCOLS: DTP
Common DTP spoofing tools:
• Windows tools
  - I got nothing…
• Linux tools
  - Yersinia
![Page 46: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/46.jpg)
ATTACKING PROTOCOLS: DTP
Common mitigating controls:
• Use a dedicated VLAN ID for all trunking ports
• Disable all unused ports and place them on a non-routable VLAN
• Configure all user ports as access ports to prevent trunk negotiation
• Configure frames with two 802.1Q headers
• Configure strong VACLs
![Page 47: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/47.jpg)
ATTACKING PROTOCOLS: VTP
VLAN Trunking Protocol
![Page 48: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/48.jpg)
ATTACKING PROTOCOLS: VTP
• General
  - 802.1Q encapsulation is in use
  - Layer 2
• Constraints
  - Independent of user action
  - VLANs are IP or MAC based
• Attacks
  - Ability to directly attack systems on other VLANs
![Page 49: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/49.jpg)
ATTACKING PROTOCOLS: VTP
![Page 50: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/50.jpg)
ATTACKING PROTOCOLS: VTP
![Page 51: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/51.jpg)
ATTACKING PROTOCOLS: VTP
Common next steps after VTP tag forgery:
• MITM attacks against remote VLAN systems
• Intercept/modify data
  - Usually limited to broadcast traffic (unless MITM)
![Page 52: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/52.jpg)
ATTACKING PROTOCOLS: VTP
Tools for VLAN hopping attacks:
• Windows tools
  - Native: manually reconfigure via TCP/IP settings
• Linux tools
  - Native: modprobe + ifconfig
  - VoIP Hopper
  - Yersinia
![Page 53: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/53.jpg)
ATTACKING PROTOCOLS: VTP
Common mitigating controls:
• Use a dedicated VLAN ID for all trunking ports
• Disable all unused ports and place them on a non-routable VLAN
• Configure all user ports as access ports to prevent trunk negotiation
• Configure frames with two 802.1Q headers
• Configure strong VACLs
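The mitigation lists on the DTP and VTP slides are one configuration checklist, so here is one added Python example (not from the deck) that lints an IOS-style switch configuration against it: user ports with no explicit access mode or with a dynamic mode, trunks that allow every VLAN or do not use the dedicated native VLAN, and disabled ports that are not parked on the non-routable VLAN. The sample configuration and the VLAN numbers 998 (dedicated trunk native VLAN) and 999 (parking VLAN) are constructed; real platforms differ in their default DTP mode, which is why a missing mode is treated as a finding rather than assumed safe.

```python
SAMPLE_CONFIG = """\
hostname access-sw1
!
interface GigabitEthernet0/1
 description user port, hardened
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface GigabitEthernet0/2
 description user port, factory default
!
interface GigabitEthernet0/3
 description unused, parked
 switchport access vlan 999
 shutdown
!
interface GigabitEthernet0/4
 description user port, negotiates trunking
 switchport mode dynamic desirable
!
interface GigabitEthernet0/24
 description uplink to core
 switchport mode trunk
 switchport trunk native vlan 998
 switchport trunk allowed vlan 10,20
!
"""


def parse_interfaces(config_text):
    """Split an IOS-style running-config into {interface_name: [subcommands]}."""
    interfaces, current = {}, None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None   # '!' or any top-level command ends the block
    return interfaces


def lint_switchports(config_text, parking_vlan="999", trunk_native_vlan="998"):
    """Return (interface, severity, message) findings for trunk-negotiation and
    VLAN-hopping exposure, following the checklist on the DTP/VTP mitigation slides."""
    findings = []
    for name, cmds in parse_interfaces(config_text).items():
        def arg(prefix):
            # Value following a 'switchport ...' prefix, or None if the line is absent.
            return next((c[len(prefix):].strip() for c in cmds if c.startswith(prefix)), None)

        mode = arg("switchport mode ")
        access_vlan = arg("switchport access vlan ")
        native = arg("switchport trunk native vlan ") or "1"   # IOS default native VLAN
        allowed = arg("switchport trunk allowed vlan ")
        nonegotiate = "switchport nonegotiate" in cmds

        if "shutdown" in cmds:
            if access_vlan != parking_vlan:
                findings.append((name, "medium", f"disabled port is not parked on VLAN {parking_vlan}"))
            continue
        if mode is None or mode.startswith("dynamic"):
            findings.append((name, "high", f"mode '{mode or 'platform default'}' lets DTP negotiate a trunk; "
                                           f"use 'switchport mode access'"))
        elif mode == "access" and not nonegotiate:
            findings.append((name, "low", "access port without 'switchport nonegotiate' (stops DTP frames entirely)"))
        elif mode == "trunk":
            if native != trunk_native_vlan:
                findings.append((name, "high", f"native VLAN {native} is not the dedicated trunk VLAN {trunk_native_vlan}"))
            if allowed is None:
                findings.append((name, "medium", "trunk allows all VLANs (the default); prune with 'switchport trunk allowed vlan'"))
            if not nonegotiate:
                findings.append((name, "low", "trunk without 'switchport nonegotiate'"))
    return findings


if __name__ == "__main__":
    for iface, severity, message in lint_switchports(SAMPLE_CONFIG):
        print(f"{severity:6} {iface:22} {message}")
```

Run against a real `show running-config` export the parser needs no changes; the thresholds worth tuning are the two VLAN numbers and whether an access port without `nonegotiate` should count at all on your platform.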
![Page 54: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/54.jpg)
ATTACKING PROTOCOLS: OTHERS
Honorable Mention:
• Preboot Execution Environment (PXE)
• Link-local Multicast Name Resolution (LLMNR)
• Dynamic Host Configuration Protocol (DHCP)
![Page 55: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/55.jpg)
OVERVIEW
• Attacking passwords
• Attacking protocols
• Attacking applications
• Bypassing AV
• Windows Escalation
![Page 56: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/56.jpg)
ATTACKING APPLICATIONS
• Default and weak passwords for everything
  - Tools: Nmap, Nessus, Web Scour, manuals, Google
• SQL injection
  - Tools: manual testing, web scanners, SQL Ninja, sqlmap, Metasploit
• RFI/web shells (JBoss, Tomcat, etc.)
  - Tools: Metasploit, FuzzDB, and other web shellery
• Web directory traversals
  - Tools: manual testing, web scanners, FuzzDB, Metasploit
• MS08-067
  - Tools: Metasploit, Exploit-DB exploits, etc.
![Page 57: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/57.jpg)
OVERVIEW
• Attacking passwords
• Attacking protocols
• Attacking applications
• Bypassing AV
• Escalation
![Page 58: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/58.jpg)
BYPASSING AV
• Weak Configurations
• Source Code Tricks
• Binary Modifications
• Process/Thread Manipulation
![Page 59: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/59.jpg)
BYPASSING AV: WEAK CONFIGURATIONS
• Execute from share, UNC path, or external media
• Disable via GUI
• Create policy exceptions
• Kill processes
• Stop / Disable Services
• Uninstall (not recommended)
• Insecure service registration (c:\program.exe)
• Insecure file permissions (file replacement/mods)
• Execute from a DLL
• DLL preloading, side loading, etc.
• GAC poisoning (potentially)
![Page 60: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/60.jpg)
BYPASSING AV: SOURCE CODE TRICKS
Customize everything…and be crazy
• Migrate to and suspend or kill AV
• Modify comments (web languages)
• Replace variable names
• Modify application logic
• Use alternative functions
• Remove or modify resources
• Encode or encrypt payloads
• Compress payloads
• Add time delays
• Call NTDLL.DLL directly
![Page 61: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/61.jpg)
BYPASSING AV: BINARY MODIFICATIONS
Same idea…be crazy
• Simple string modification
• Decompile/modify source
• Disassemble / modify application logic
• Disassemble /insert time delays
• Modify resource table (ditto/CFF Explorer)
• Modify imports table (ditto/CFF Explorer)
• Pack (UPX, MPRESS, iExpress, etc.)
• Metasploit Pro payloads: dynamic exe generation
![Page 62: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/62.jpg)
BYPASSING AV: PROCESS/THREAD MODS
Inject, inject, replace…
• Code injection (local and remote)
• DLL injection (local and remote)
• Process replacement
Common Tools:
• PowerShell: PowerSploit, etc.
• Python and py2exe
• Any language that supports calls to native DLLs
![Page 63: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/63.jpg)
OVERVIEW
• Attacking passwords
• Attacking protocols
• Attacking applications
• AV evasion
• Windows Escalation
![Page 64: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/64.jpg)
WINDOWS ESCALATION: OVERVIEW
• Local user → Local Administrator
• Domain user → Local Administrator
• Local Administrator → LocalSystem
• LocalSystem → Domain User
• Locate Domain Admin tokens
• LocalSystem → Domain Admin
![Page 65: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/65.jpg)
WINDOWS ESCALATION: LOCAL ADMIN
• Local user → Local Administrator
  - Excessive local group privileges (admin or power users)
  - Cleartext credentials
    • Sysprep (unattend.xml/ini/txt)
    • Config files, scripts, logs, desktop folders
    • Tech support call files
  - Weak application configurations that allow:
    • Restarting or reconfiguring services
    • Replacing application files
    • DLL pre- or side-loading
    • Executable injection via poorly registered services (C:\Program Files (x86) vs “C:\Program Files (x86)”)
  - Local and remote exploits (Metasploit: getsystem)
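The poorly registered service item above, and the `c:\program.exe` entry on the AV weak-configurations slide, both come from how the service control manager resolves an unquoted ImagePath that contains spaces. The following added Python example (not from the deck) enumerates the files Windows would try in order, reports which of them sit in directories ordinary users can write to, and produces the quoted ImagePath that fixes the registration. The service name, path and writable-directory list are constructed; on a real host the writable set comes from `icacls` and the ImagePath from the service's registry key.

```python
import ntpath


def split_image_path(image_path):
    """Split a service ImagePath into (executable, arguments, was_quoted).
    A quoted path is unambiguous; an unquoted one is taken up to the first
    token that ends in .exe, the rest being arguments."""
    image_path = image_path.strip()
    if image_path.startswith('"'):
        end = image_path.find('"', 1)
        if end == -1:
            raise ValueError("unterminated quote in ImagePath")
        return image_path[1:end], image_path[end + 1:].strip(), True
    tokens = image_path.split(" ")
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(".exe"):
            return " ".join(tokens[:i + 1]), " ".join(tokens[i + 1:]), False
    return image_path, "", False


def service_path_candidates(image_path):
    """Files Windows would try, in order, when the SCM starts this service.
    For an unquoted path with spaces CreateProcess tries every space-delimited
    prefix with '.exe' appended before it reaches the real binary."""
    exe, _args, quoted = split_image_path(image_path)
    if quoted or " " not in exe:
        return [exe]
    tokens = exe.split(" ")
    candidates = [" ".join(tokens[:i]) for i in range(1, len(tokens) + 1)]
    return [c if c.lower().endswith(".exe") else c + ".exe" for c in candidates]


def audit_service_path(name, image_path, user_writable_dirs):
    """Report every lookup candidate a non-admin could plant, given the set of
    directories ordinary users can write to (constructed here; use icacls on a host)."""
    writable = {d.rstrip("\\").lower() for d in user_writable_dirs}
    findings = []
    for cand in service_path_candidates(image_path)[:-1]:   # the last one is the real binary
        parent = ntpath.dirname(cand).rstrip("\\").lower()
        if parent in writable:
            findings.append((name, cand))
    return findings


def quote_image_path(image_path):
    """Remediation: wrap the executable in quotes and keep the arguments."""
    exe, args, _ = split_image_path(image_path)
    return f'"{exe}"' + (f" {args}" if args else "")


if __name__ == "__main__":
    # Constructed example registration and a constructed list of user-writable dirs.
    image = r"C:\Program Files (x86)\Vendor App\svc.exe -service"
    writable = ["C:\\", r"C:\Program Files (x86)\Vendor App"]
    print("lookup order:", *service_path_candidates(image), sep="\n  ")
    print("findings:", audit_service_path("VendorSvc", image, writable))
    print("fixed ImagePath:", quote_image_path(image))
```

The corrected value is what `sc config <service> binPath=` should be set to; the audit is idempotent, so re-running it on the quoted path returns a single candidate and no findings.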
![Page 66: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/66.jpg)
WINDOWS ESCALATION: LOCAL ADMIN
• Domain user → Local Administrator
  - Issues from the last slide and…
  - Group policy: groups.xml
  - File shares accessible to domain users
  - Ability to log into domain workstations
  - Excessive database privileges (xp_cmdshell, etc.)
  - SMB relay + cracking hashes
  - Other systems and applications that use integrated domain authentication…
![Page 67: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/67.jpg)
WINDOWS ESCALATION: LOCAL ADMIN
• Local Administrator → LocalSystem
  - At.exe (on older systems): we still see it!
  - Accessibility options
    • Replace accessibility options like utilman.exe, osk.exe and sethc.exe with cmd.exe or another backdoor
  - Create a custom service to run as LocalSystem
    • PsExec -s -i cmd.exe
  - Migrate to a system process
    • Remote process injection, MSF ps + migrate, and Incognito
  - Local and remote exploits
    • Metasploit: getsystem, etc.
  - SQL Server and database links + xp_cmdshell
![Page 68: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/68.jpg)
WINDOWS ESCALATION: FIND DA TOKENS
• Locate Domain Admin tokens
  - Check locally ;)
    • Incognito
  - Query the domain controllers
    • netsess.exe
  - Scan remote systems for running tasks
    • Native tasklist or smbexec
  - Scan old Windows systems for NetBIOS
  - Shell spraying for tokens (not advised)
![Page 69: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/69.jpg)
WINDOWS ESCALATION: DOMAIN ADMIN
• LocalSystem → Domain Admin
  - Pass-the-hash to target system
    • Local administrator account and shared service accounts
    • Manually via trusted connections or via MSF, etc.
  - Impersonate authentication token
    • Custom application, Incognito, WCE, Metasploit
  - Dump cleartext domain credentials
    • Mimikatz, WCE, or Metasploit
  - Key logging
  - MITM + sniffing (HTTP integrated auth, etc.)
![Page 70: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/70.jpg)
![Page 71: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/71.jpg)
CONCLUSIONS
All can kind of be fixed
• Most networks: kind of broken
• Most protocols: kind of broken
• Most applications: kind of broken
![Page 72: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/72.jpg)
ATTACK ALL THE LAYERS!
ANY QUESTIONS?
![Page 73: Attack all the layers secure 360](https://reader033.vdocuments.net/reader033/viewer/2022052912/554b9e5eb4c905b8618b4873/html5/thumbnails/73.jpg)
ATTACK ALL THE LAYERS!
Scott Sutherland, Principal Security Consultant, Twitter: @_nullbind
Karl Fosaaen, Security Consultant, Twitter: @kfosaaen