hacking in the attack kill - clnv.s3.amazonaws.com · hacking in the attack kill chain håkan...

Hacking in the Attack Kill Chain

Håkan Nohre, Consulting Systems Engineer, GIAC GPEN #9666, CISSP #76731

Erkan Djafer, Consulting Systems Engineer, CISSP #535930

Chung-wai Lee, Cyber Security Partner Account Manager

LTRSEC-3300

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Spark

Questions? Use Cisco Spark to communicate with the speaker after the session

1. Find this session in the Cisco Live Mobile App

2. Click “Join the Discussion”

3. Install Spark or go directly to the space

4. Enter messages/questions in the space

How

cs.co/ciscolivebot#LTRSEC-3300


About this LAB (I read the abstract )

• It is not a sales session

• It is definitely not about Cisco products, designs, or definitive solutions!

• It is about offensive, not defensive techniques

• Hopefully, understanding how the attacker works we can build better defense or apply better risk management!

• Complimentary Cisco Live Berlin 2017 Breakout: BRKSEC-2309

“It’s Cats vs Rats in the Attack Kill Chain”

4LTRSEC-3300


Modified Kill Chain for this Breakout

• Note that attackers are not legally bound to follow the exact model ….

• E.g. may establish persistence before lateral movement…

5LTRSEC-3300

Recon

Gain Foothold- Attack Delivery

- Exploitation

Local Compromise

Command and Control

Lateral Movement

Establish Persistence

Exfiltration


Focus on Methodology, not Tools!

• Kali Linux

• https://www.kali.org/

• Metasploit

• http://www.rapid7.com/

• Mimikatz

• http://blog.gentilkiwi.com/mimikatz

• PowerShell Empire

• http://www.powershellempire.com/

6LTRSEC-3300

https://www.kali.org/

http://www.rapid7.com/

http://blog.gentilkiwi.com/mimikatz

http://www.powershellempire.com/


Lab Topology

7LTRSEC-3300

VPN to lab with AnyConnect

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 8LTRSEC-3300

Lab1 Reconnaissance

FW

inside

198.19.10.0/24

“Internet”

198.18.128.0/18

Client-A (VPN)

.38

Client-B (VPN)

.37

evil2

.133.111

IoT

.211

AD

.?

Try to get to IoT Directly

- will not work

Use OSINT recon against clients


Lab 2: Gain Initial Foothold

“Internet”

198.18.128.0/18

Client-A (VPN)

.19.38

Client-B (VPN)

.19.37

evil2

.133.111

IoT

.211

AD

.?

Spear phishing naïve end user

- examine Excel with Macro

- (examine RTF file)

inside

198.19.10.0/24

FW


inside

198.19..10/24

10LTRSEC-3300

Lab 3: Command and Control (CnC)

FW

“Internet”

198.18.128.0/18

Client-A (VPN)

.19.38

Client-B (VPN)

.19.37

evil2

.133.111

IoT

.211

AD

.?

Examine CnC

- tcpdump, agent options


inside

198.19.10.0/24

11LTRSEC-3300

Lab 4: Local Privilege Escalation

FW

“Internet”

198.18.128.0/18

Client-A (VPN)

.19.38

Client-B (VPN)

.19.37

evil2

.133.111

IoT

.211

AD

.?

Go from mordiac to system on A


Pivoting Explained

12LTRSEC-3300

IoT

Active

Directory

Clients

Internet NGFW

Permit outgoing HTTPClient ip is

198.18.19.38

198.18.19.38


inside

198.19.10.0/24

13LTRSEC-3300

Lab 5A: Lateral Movement against IoT

FW

“Internet”

198.18.128.0/18

Client-A (VPN)

.19.38

Client-B (VPN)

.19.37

evil2

.133.111

IoT

.211

AD

.?

Pivot attack against IoT via A

- pivoting, metasploit

- Bash shellshock exploit


inside

198.19.10.0/24

14LTRSEC-3300

Lab 5A: (cont) Local Privilege Escalation

FW

“Internet”

198.18.128.0/18

Client-A (VPN)

.19.38

Client-B (VPN)

.19.37

evil2

.133.111

IoT

.211

AD

.?

Pivot attack against IoT via A

- Local recon (find out OS)

- Escalate privileges


inside

198.19.10.0/24

15LTRSEC-3300

Lab 5B: Lateral Movement in AD environment

FW

“Internet”

198.18.128.0/18

Client-A (VPN)

.19.38

Client-B (VPN)

.19.37

evil2

.133.111

IoT

.211

AD

.?

Pivot attack against AD via A- Dump credentials, mimikatz

- WMI movement

- Dump hashes

- Pass-the-hash


inside

198.19.10.0/24

16LTRSEC-3300

Lab 6A: Persistence with Golden Tickets

FW

“Internet”

198.18.128.0/18

Client-A (VPN)

.19.38

Client-B (VPN)

.19.37

evil2

.133.111

IoT

.211

AD

.?

- Take over workstationB (non Admin)

- Create golden ticket to impersonate any

user (even if all passwords are reset)


inside

198.19.10.0/24

17LTRSEC-3300

Lab 6B, 6C – Persistence after Reboot

FW

“Internet”

198.18.128.0/18

Client-A (VPN)

.19.38

Client-B (VPN)

.19.37

evil2

.133.111

IoT

.211

AD

.?

Try to different methods to ensure you

keep control after reboot

- Schedule task

- WMI subscriptions


Remember

• Tell us if you have problems!

• Tell us if you have feedback!

18LTRSEC-3300

Have Fun!

This lab does not even try to have the answers !

We hope it helps you ask the right questions!


Appendix B – Extra Turbo hacking lab

FW

Infrastructure

198.19.10.0/24Clients

198.19.19.0/24

“Internet”

198.18.128.0/18

Client-A (VPN)

.19.38

Client-B (VPN)

.19.37

evil1

.133.110

IoT

.211

AD

.?

Take over B via flash vulnerability

Local Priv Escalation

Dump hashes

Pivoting via Port forwarding

Hand over Metaploit -> Empire


Post-Exploitation with PowerShell

• Very powerful scripting language included in Windows from Win7

• Can leverage WMI, .NET, Win32 and do almost everything

• Key logging, Screenshots, CnC, grab passwords and hashes (Mimikatz)

• Is typically whitelisted and scripts not caught by Anti-Virus

• Can run from memory (no need to write file to disk: not caught by Anti-Virus)

• Can run on remote machine (if you know the credentials of target machine)

20LTRSEC-3300


Internal Recon: Scanning?

• Noisy scanning typically not necessary for internal recon

• Attacker can just ask Active Directory politely to find out:

• What machines are in the domain?

• Which machines are the domain controllers?

• On what machines are domain admins logged on?

• Which machines run Exchange, SQL servers?

• Which machines are file servers?

• ….and much more

21LTRSEC-3300


What is a Hash?

• One-way function to convert password to hash

• For NT hash, MD4 is used

• So we don’t have to store clear-text-passwords or send them over the network

• Instead we use the hash to store credentials (and authenticate)

22LTRSEC-3300

Crypto

stuff

Hash

Password

Stuff

Tunafish!

Crypto

stuff

d41d8cd..


Understanding NTLMv2

• NTLMv2 is a common network authentication method in Microsoft Active Directory for Net logons,File Shares, Web Sites etc.

• Client requests auth

• Server sends challenge

• Client sends response to challenge

• Server validates (with help of Active Directory)

23LTRSEC-3300

Auth Request

Challenge(random no)

Response ✔

✔


Understanding NTLMv2

• If client sends correct response to challenge it is authenticated

• Response is calculated from hash that is calculated from password

24LTRSEC-3300

Auth Request


Response

Username

Timestamp

Other stuff

Crypto

stuff

Crypto

stuff

Hash

Password

✔



Pass-the-Hash

• If attacker has the hash, he does not need the password

• He can use a modified client that supplies the hash without calculating it from password

25LTRSEC-3300

Auth Request


Response

Hash

Username

Timestamp

Other stuff

Crypto

stuffResponse

Crypto

stuffPassword✖ ✖

✔



Overview: Hoarding Hashes

Domain

Admin?

Try

Next Host

w

credentials.

On new compromised host

Grab local hashes

Grab hashes of logged in users/services

N

Y

Partytime!Passwords/Hashes


Grab Local Hashes

• With system privileges it is possible to grab local password hashes from registry

• (not a vulnerability, it is same for other OS including Unix)

• Functionality (of course) included in Metasploit, PowerShell Empire

• Note: Local hashes only relevant to local computer

• But maybe same password is used on more than one computer ?

27LTRSEC-3300

meterpreter > hashdump

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

cisco:1000:aad3b435b51404eeaad3b435b51404ee:579a13a46633f286db9155f5a612c765:::

Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

Grab local hashes


Mimikatz – Grab from LSASS

• It has nothing to do with cats!

• A tool run on compromised host that can (among many things) grab credentials from logged on users and services from memory

• http://blog.gentilkiwi.com/mimikatz

28LTRSEC-3300

User Password Hash

scratchy S3cret! aad3db5…

Mini-

catz?

LSASS (Credentials cache)

Grab hashes of logged in users/services


Why is the Password/Hash Cached?

• In Active Directory Domain, the user logs in once to his computer

• … and can then access domain resources without any further logon

• User-friendly! And Single-Sign-On is good for security too!

• …but client has to cache hash of password to authenticate transparentlyFile Server

Web Server

NGFW Security

ApplianceUser Password Hash

Authenticate

many times

Scratchy

Logs in

Once

Credentials cache

Scratchy S3cret! aad3db5…


So let’s consider Kerberos

• In Greek mythology, Cerberus was the Three-headed Monster Dog that guarded the underworld.

• Kerberos is the preferred authentication mechanism in Active Directory (used in Unix Environments before Microsoft adopted it).

• Note that it may be difficult to fully replace NTMLv2 with Kerberos due to legacy OS, appliances etc. so most AD domains use both methods!

30LTRSEC-3300

Rosemary,

CISO

Monster

dog?


How Kerberos Works – 1: Getting the TGT

1. Client authenticates by encrypting timestamp with its hash

31LTRSEC-3300

NT hash

Timestamp

Crypto AS-REQ

Auth

It is Scratchy


How Kerberos Works – 1,2: Getting the TGT

2. Domain Controller sends back a Ticket-Granting-Ticket (TGT), encrypted with the Kerberos Service (KRBTGT) hash. Only the Domain Controllers can read the ticket that includes info on username, group belongings, validity…

Crypto

Username:Scratchy

Ticket lifetime

Groups

AS-REP

TGT

KRBTGT

hash

It is Scratchy

TGT


How Kerberos Works – 3: Getting the TGS

3. Client requests a Ticket-Granting-Service (TGS) for a specific service (e.gfile service, web proxy). It includes the TGT in request.

TGS-REQ fileservice

TGT

I can decrypt

All TGTs!

TGT

File Server

Service Hash


How Kerberos Works – 3,4: Getting the TGS

3. Client requests a Ticket-Granting-Service (TGS) for a specific service (e.gfile service, web proxy). It includes the TGT in request.

4. Domain Controller decrypts TGT. If valid it creates a TGS populated with values from TGT and encrypts it with the hash of requested service.

Crypto

TGT

TGT

File Server

TGS-REP

TGS

Service Hash

Username

Ticket lifetime

Groups


How Kerberos Works – 5: Contacting Service

5. Client presents the TGS to server. Server can validate TGS (decrypting it with its hash) and gets back info on User, Ticket Lifetime, Groups… and can proceed to allow/disallow the request.

6. (No need for Server to contact Domain controller to verify anything!)

TGT

File ServerTGS

Username

Ticket lifetime

Groups

AP-REQ

TGS

Decrypt

Service Hash


So all is fine?

• Kerberos is well-proven (20 years old), used in Unix environments before Microsoft adopted it

• The big issue: All security depends on the master key (KRBTGT hash)!

• That typically changes very rarely, at domain functional level upgrades

• If Domain Controller is compromised, it is disastrous!

• Very good white paper (explaining next attack)

https://www.blackhat.com/docs/us-14/materials/us-14-Duckwall-Abusing-Microsoft-Kerberos-Sorry-You-Guys-Don't-Get-It-wp.pdf

36LTRSEC-3300

https://www.blackhat.com/docs/us-14/materials/us-14-Duckwall-Abusing-Microsoft-Kerberos-Sorry-You-Guys-Don't-Get-It-wp.pdf


But Hey! Our Domain Controller was compromised

• So by dumping hashes Itchy (the attacker) got the KRBGT hash!

• This is like being able to print his own passport!

• Now Itchy can create his own TGTs! =

37LTRSEC-3300

Golden Tickets

Crypto

KRBTGT

hash

Username: supercat

Groups: x,y, z

Lifetime: 10 years

TGT

Krbtgt :$NT$e27385934250848521eda994a585b79c:::


Access to lab

• AnyConnect to: dcloud-sjc-anyconnect.cisco.com

• Credentials via lab proctor• Username : xxxxxx

• Password : yyyyyyy

• Download lab guide from• https://cisco.box.com/v/labbguide

• Download lab prezo from• https://cisco.box.com/v/

38LTRSEC-3300

https://cisco.box.com/v/to


Cisco Spark

Questions? Use Cisco Spark to communicate with the speaker after the session

1. Find this session in the Cisco Live Mobile App

2. Click “Join the Discussion”

3. Install Spark or go directly to the space

4. Enter messages/questions in the space

How

cs.co/ciscolivebot#LTRSEC-3000


• Please complete your Online Session Evaluations after each session

• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt

• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.

Complete Your Online Session Evaluation

http://ciscolive.com/Online

http://www.ciscolive.com/global/on-demand-library/


Continue Your Education

• Demos in the Cisco campus

• Walk-in Self-Paced Labs

• Tech Circle

• Meet the Engineer 1:1 meetings

• Related sessions

LTRSEC-3300 41

Thank you

hacking in the attack kill - clnv.s3.amazonaws.com · hacking in the attack kill chain håkan...

Documents