bsidesdfw - stealth pentesting - it doesn't know we're here
TRANSCRIPT
STEALTH PENTESTING: I.T. DOESN'T KNOW WE ARE HERE
BIOs
  Ryan Reynolds, Manager, Crowe Horwath, Pentester, Twitter: @reynoldsrb
  Tony James, Senior Consultant, Crowe Horwath, Pentester, Twitter: @tx3_
Audience
  Blue Team
  Red Team
  Management
  Just Here to Drink
Agenda
  World Current InfoSec State
  What we might want to be doing
  Tactical Recommendations
Real World Attacks
  APT1
  Anonymous
  Corporate Espionage
  Syrian Electronic Army
  Russian Business Network
  Etc.
Overview
Attackers are doing this:
Companies want to know how they would do against this.
Current State
So companies hire a company to perform a "pentest" and they do this:
Current State (contd.)
Which is harder to identify something happened?
Which is harder to identify someone is in your territory?
Results Accurate?
The result of this is that IT/Security says "we caught you". "Hey Sr. Management, we would catch a real attack, we caught our pentesters."
Several reasons for the fast/loud pentest
We need to adapt. Time to try and give IT a run for their money.
What can we do?
Let's talk about a scenario and pick it up from there:
Social engineered some employees and made it in to a conference room or empty cube.
You think it would never happen… but what happened here???
http://www.tripwire.com/state-of-security/top-security-stories/hacker-use-kvm-switch-breach-santander-bank/
You got in so now what?
No workstation present…. No NAC… What to do next?
Would You?
Common Ways:
  1) Port Scan
  2) Ping Sweep
  3) Password guess
  4) ARP Poison
  5) Scan for Vulns
  6) Anything Else?
What to consider with these???
Play by these rules
  Play by the RFCs
  Traffic to a minimum
  No excessive authentication
  Initially.. Play in the safe zone
Enumerate the goods…
So we plugged in our rogue hardware.. What to do???
  Fire up your favorite packet capturing software.
  Identify those subnets
  EIGRP / OSPF broadcasting on the user subnets with no authentication
  DNS goodness
  Anonymous Enum / Sid to name / Krbguess
  (last resort) Netbios? Net view?
How should we get auth?
  Utilize those broken host discovery protocols
  NetBios
  LLMNR
  Misconfigured domain services – (?)
  Insecure Printers (Praeda)
  IPv6
We got auth!
  Enumerate domain users / computers
  Where are the good guys? (Admins)
  How can we get there?
  Dig through those shares (netlogon / home folder of user / random shares)
  Drop shortcuts
  GPP / WDS / PXE Boot / Unattend.xml
  Hit those SQL Servers (xp_dirtree / xp_fileexists)
Got Local Admin, what next?
  Check Cached Creds / LSA Secrets
  Procdump for those cleartext
  Break the local security software
  IE Passwords / Outlook files
  Most obvious… Local Admin Password Reuse
  To get those keys, now play the waiting game.
Do you still trust your SECURITY software?
Arellia – Privilege management software
McAfee – Anti-Virus software
Do you still trust your SECURITY software? (contd.)
WebSense – Web Content Filtering
How many other applications are doing this…?
Time to fix these issues.
  Routing protocols
    Authentication
    Passive-Interfaces
  UAC
  EMET
  Limit Cached Credentials
  HIPS / ACLs – KEY **
  Disable GPP / Fix Panther / Sysprep / etc.
  Fix those dirty services – SCCM / Security software / etc.
Time to fix these issues. (contd.)
  Fix the host discovery protocols
  Remove public roles from SQL servers – if possible
  Lock down those shares
  Lock down PXE booting to specific subnets
  Lock down communication between workstations
Time to detect the bad guys
  Log C$/Admin$ access from non-IT subnets
  Log excessive share access (excessive access denieds)
  Detect excessive password guesses
  Log DHCP requests / compare to current domain computers
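The four detections on this slide, worked through as an added example that is not from the talk or its authors: a small Python pass over constructed log lines in a simplified key=value format (real sources would be Windows share/logon auditing and the DHCP server log). The IT subnet, the domain computer list, the thresholds and the event format are all assumptions for the demonstration.

```python
"""Toy detections for admin-share access, share probing, password guessing
and unknown DHCP clients, run over constructed sample log lines."""
import ipaddress
import re
from collections import Counter

# Assumed IT/admin subnet (hypothetical); use your own network inventory.
IT_SUBNETS = [ipaddress.ip_network("10.10.0.0/24")]
ADMIN_SHARES = {"C$", "ADMIN$"}
# Assumed export of computer accounts from the domain (hypothetical).
DOMAIN_COMPUTERS = {"WS-FIN-01", "WS-HR-02", "HELPDESK-05"}

# Constructed sample log lines: "<timestamp> <KIND> key=value ...".
SAMPLE_LOG = """\
2013-11-02T09:12:01 SHARE src=10.10.0.5 share=C$ result=granted
2013-11-02T09:12:07 SHARE src=10.20.3.77 share=ADMIN$ result=granted
2013-11-02T09:12:09 SHARE src=10.20.3.77 share=C$ result=granted
2013-11-02T09:13:00 SHARE src=10.20.3.77 share=finance result=denied
2013-11-02T09:13:01 SHARE src=10.20.3.77 share=hr result=denied
2013-11-02T09:13:02 SHARE src=10.20.3.77 share=legal result=denied
2013-11-02T09:13:03 SHARE src=10.20.3.77 share=backup result=denied
2013-11-02T09:13:04 SHARE src=10.20.3.77 share=it result=denied
2013-11-02T09:20:00 SHARE src=10.20.4.12 share=public result=denied
2013-11-02T09:30:00 LOGON src=10.20.3.77 user=jsmith result=failure
2013-11-02T09:30:01 LOGON src=10.20.3.77 user=asmith result=failure
2013-11-02T09:30:02 LOGON src=10.20.3.77 user=bjones result=failure
2013-11-02T09:30:03 LOGON src=10.20.3.77 user=ckent result=failure
2013-11-02T09:30:04 LOGON src=10.20.3.77 user=dprince result=failure
2013-11-02T09:30:05 LOGON src=10.20.3.77 user=ewayne result=failure
2013-11-02T09:45:00 LOGON src=10.10.0.5 user=helpdesk result=failure
2013-11-02T08:59:00 DHCP ip=10.20.3.77 mac=00:11:22:33:44:55 host=ubuntu-laptop
2013-11-02T08:30:00 DHCP ip=10.20.4.12 mac=66:77:88:99:aa:bb host=ws-hr-02
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>[A-Z]+)\s+(?P<rest>.*)$")


def parse(line):
    """Parse one constructed log line into a dict; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {"ts": m.group("ts"), "kind": m.group("kind")}
    for field in m.group("rest").split():
        key, _, value = field.partition("=")
        event[key] = value
    return event


def load(text):
    return [e for e in (parse(line) for line in text.splitlines()) if e]


def is_it_subnet(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in IT_SUBNETS)


def admin_share_from_non_it(events):
    """Successful C$/ADMIN$ connections whose source is outside the IT subnets."""
    return sorted({(e["src"], e["share"]) for e in events
                   if e["kind"] == "SHARE" and e["share"].upper() in ADMIN_SHARES
                   and e["result"] == "granted" and not is_it_subnet(e["src"])})


def excessive_access_denied(events, threshold=5):
    """Sources that collected at least `threshold` share access-denied events."""
    counts = Counter(e["src"] for e in events
                     if e["kind"] == "SHARE" and e["result"] == "denied")
    return {src: n for src, n in counts.items() if n >= threshold}


def excessive_failed_logons(events, threshold=5):
    """Sources with >= threshold failed logons, as (failures, distinct accounts);
    many distinct accounts from one source looks like guessing, not a typo."""
    failures, accounts = Counter(), {}
    for e in events:
        if e["kind"] == "LOGON" and e["result"] == "failure":
            failures[e["src"]] += 1
            accounts.setdefault(e["src"], set()).add(e["user"])
    return {src: (n, len(accounts[src])) for src, n in failures.items() if n >= threshold}


def unknown_dhcp_clients(events, domain_computers=DOMAIN_COMPUTERS):
    """DHCP leases whose hostname matches no domain computer account."""
    known = {name.upper() for name in domain_computers}
    return sorted((e["ip"], e["host"]) for e in events
                  if e["kind"] == "DHCP" and e["host"].upper() not in known)


def run_all(text=SAMPLE_LOG):
    events = load(text)
    return {
        "admin_share_non_it": admin_share_from_non_it(events),
        "access_denied": excessive_access_denied(events),
        "failed_logons": excessive_failed_logons(events),
        "unknown_dhcp": unknown_dhcp_clients(events),
    }


if __name__ == "__main__":
    for name, findings in run_all().items():
        print(name, findings)
```

All four checks here converge on the same unmanaged host at 10.20.3.77, which is the point of correlating them: a single access-denied or one failed logon is noise, but an address that is not in DHCP-to-domain reconciliation, probes shares, sprays accounts and then reaches C$ is worth a ticket. A production version would window the counts by time and feed the domain computer list from the directory rather than a constant.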
Lessons Learned… the hard way
  Password guessing – If you must do it...
  ARP Poisoning – bye bye port
  Exploiting patches – too noisy with IDS/IPS
  NAC – dammit.. Guest VLAN
  Custom payloads get by AV.. – Powershell….?
  Outbound connections..?
Take Away
  What to expect from a pentest
  Standards: PTES, OSSTMM, OWASP
Questions???
References
  Arellia – http://www.arellia.com/
  McAfee – http://www.mcafee.com
  Websense – http://www.websense.com
  SCCM – http://www.microsoft.com