SlideShare uma empresa Scribd logo

Bsidesnova- Pentesting Methodology - Making bits less complicated

Transferir como PPTX, PDF
O
Octavio Paguaga

Slides from Pentesting Methodology

Tecnologia
1 de 36
Pentesting Methodology - Making bits less complicated Octavio Paguaga TrustWave Government Solutions
Introduction & Thank yous • Senior Security Consultant at TrustWave Government Solutions • Thank you • Steve Borosh @rvrsh3ll • Will Schroeder @HarmJ0y • Andy Robbins @Waldo • Jimmy Bayne @bohops • hacktheplanet Discord & Bloodhound Slack Channel • @b33f & @ippsec  Check out their content/Patreon • Jason Lang – CuriousJack – • https://www.youtube.com/watch?v=kf829-tm0VM
OSINT https://generated.photos
Clear violation of Terms of Service, but… • Disable Content Security Policy • Open Developer tools var jqry = document.createElement('script'); jqry.src = "https://code.jquery.com/jquery-3.3.1.min.js"; document.getElementsByTagName('head')[0].appendChild(jqry); jQuery.noConflict(); setInterval(function() { window.scrollTo(0, document.body.scrollHeight); }, 500);
Clear violation of Terms of Service, but… jQuery('button[data-control-name="invite"]').each(function(index, value) { setTimeout(function() { jQuery(value).trigger('click'); }, index * 1000); });
Domain Ownership • Phishing Domain • C2 Domain • Domain Fronting • https://chigstuff.com/blog/metasploit-domain-fronting-with-microsoft-azure/ • https://medium.com/@rvrsh3ll/hardening-your-azure-domain-front- 7423b5ab4f64
Services to show categorization • https://fortiguard.com/webfilter • Fortiguard shows “Newly Observed Domain” • https://www.virustotal.com/gui/domain/ • Virus Total shows clean now and 12 months ago • Trustedsource.org • shows the site as Uncategorized with a reputation as Unverified • https://talosintelligence.com/reputation_center • Not blacklisted. Unknown to Talos Intelligence too (Cisco) • https://urlfiltering.paloaltonetworks.com/ • Palo Alto URL test shows it as “Alcohol and Tobacco” and “Low Risk” meaning benign activity for last 90 days • https://sitereview.bluecoat.com/#/ • Blue coat (Symantec) shows it as Business Economy category • https://www.brightcloud.com/tools/url-ip-lookup.php • Webroot shows Moderate Risk and category “Home and Garden”
Commands used • curl -H "Content-Type: BSIDES_CHARM" bsidescharm.azureedge.net • curl bsidescharm.azureedge.net • https://blog.cobaltstrike.com/2019/02/19/cobalt-strike-team-server- population-study/ • https://www.flashpoint-intel.com/blog/the-challenges-of-cobalt- strike-server-fingerprinting/
Azure domain front photos go here
Azure Domain Fronting
Commands used • curl -H "Content-Type: BSIDES_CHARM" bsidescharm.azureedge.net • curl bsidescharm.azureedge.net • https://blog.cobaltstrike.com/2019/02/19/cobalt-strike-team-server- population-study/ • https://www.flashpoint-intel.com/blog/the-challenges-of-cobalt- strike-server-fingerprinting/
Commands used
Azure Filtering to hide from defenders https://medium.com/@rvrsh3ll/hardening-your-azure-domain-front-7423b5ab4f64
Phishing Payload • HTA • SharpShooter • TikiTorch • demiguise • EvilClippy
Active Directory • SUCCESS! • Where do we start • Enumerate local machine • PSP’s • Whoami ? • What tools/scripts can I run • Manual Enumeration of AD • Bloodhound
KERBEROASTING • Targets accounts with Service Principal Name • e.g. MSSQLSvc/<FQDN> is assigned to a username • The password of the username is used to sign the TGS provided to the client. • hashcat –m 13100 <TGS> <wordlist> SPN Username MSSQLSvc/SQL01.east.com Oaktree
Active Directory • SUCCESS! • Where do we start • Enumerate local machine • PSP’s • Whoami ? • What tools/scripts can I run • Manual Enumeration of AD • Bloodhound
Manual Enumeration • Description Field • Get-DomainUser | select Description
Bloodhound & ACLs
GenericWrite permissions
Other ACL types • ForceChangePassword • AddMembers • GenericAll • GenericWrite • WriteOwner • WriteDACL
Delegation • https://adsecurity.org/wp-content/uploads/2015/08/Visio-KerberosDoubleHop-Visio.png
Delegation • Unconstrained • Constrained • For a given computer or user account, this attribute specifies the list of service principal names (SPN) corresponding to Windows services that can act on behalf of the computer or user account. • msDS-AllowedToDelegateTo • Resource Based Constrained Delegation • “(specifically msDS-AllowedToActOnBehalfOfOtherIdentity, so rights would include GenericAll, GenericWrite, WriteOwner, etc.) we can abuse this access and a modified S4U Kerberos ticket request process to compromise the computer itself.” • https://www.harmj0y.net/blog/activedirectory/a-case-study-in-wagging-the-dog-computer- takeover/ Accounts trusted for delegation (userAccountControl:1.2.840.113556.1.4.803:=524288)
Unconstrained Delegation Demo
DPAPI Data Protection API
• The Data Protection API (DPAPI) helps to protect data in Windows 2000 and later operating systems. DPAPI is used to help protect private keys, stored credentials (in Windows XP and later), and other confidential information that the operating system or a program wants to keep confidential. DPAPI is not responsible for storing the confidential information it protects. It is only responsible for encrypting and decrypting data for programs that call it, such as Windows Credential manager, the Private Key storage mechanism, or any third-party programs that call the CryptProtectData() function and the CryptUnprotectData() function in Windows 2000, Windows XP, or later.
Getting creds from Chrome
Getting creds from Chrome
Notes for Demonstration • Credentials are stored in user's profile. Can use Seatbelt to identify these. • Run vault::cred within Mimikatz before continuing • Usually in: • %appdata%MicrosoftCredentials • %localappdata%MicrosoftCredentials • We can unlock the credential blob by requesting the masterkey as the user by using the /rpc flag • We can unlock any credential blob if we can obtain the masterkey of a domain admin.
Access Credential Manager Vault
• https://github.com/gentilkiwi/mimikatz/wiki/module-~-dpapi • https://github.com/gentilkiwi/mimikatz/wiki/howto-~-credential- manager-saved-credentials • https://www.harmj0y.net/blog/redteaming/operational-guidance- for-offensive-user-dpapi-abuse/
Notes /export - optional - tickets are exported in .kirbi files. They start with user's LUID and group number (0 = TGS, 1 = client ticket(?) and 2 = TGT)

Recomendados

Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB
 
BSides Cleveland: Active Defense - Helping threat actors hack themselves!
BSides Cleveland: Active Defense - Helping threat actors hack themselves!BSides Cleveland: Active Defense - Helping threat actors hack themselves!
BSides Cleveland: Active Defense - Helping threat actors hack themselves!CiNPA Security SIG
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfDefeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfdrewz lin
 
Java EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishJava EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishMarkus Eisele
 
Secure Coding for NodeJS
Secure Coding for NodeJSSecure Coding for NodeJS
Secure Coding for NodeJSThang Chung
 
Two scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesTwo scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesSpin Lai
 
Django Web Application Security
Django Web Application SecurityDjango Web Application Security
Django Web Application Securitylevigross
 
OISF Aniversary: Active Defense - Helping threat actors hack themselves!
OISF Aniversary: Active Defense - Helping threat actors hack themselves!OISF Aniversary: Active Defense - Helping threat actors hack themselves!
OISF Aniversary: Active Defense - Helping threat actors hack themselves!CiNPA Security SIG
 

Recomendados

Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB
 
BSides Cleveland: Active Defense - Helping threat actors hack themselves!
BSides Cleveland: Active Defense - Helping threat actors hack themselves!BSides Cleveland: Active Defense - Helping threat actors hack themselves!
BSides Cleveland: Active Defense - Helping threat actors hack themselves!CiNPA Security SIG
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfDefeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfdrewz lin
 
Java EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishJava EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishMarkus Eisele
 
Secure Coding for NodeJS
Secure Coding for NodeJSSecure Coding for NodeJS
Secure Coding for NodeJSThang Chung
 
Two scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesTwo scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesSpin Lai
 
Django Web Application Security
Django Web Application SecurityDjango Web Application Security
Django Web Application Securitylevigross
 
OISF Aniversary: Active Defense - Helping threat actors hack themselves!
OISF Aniversary: Active Defense - Helping threat actors hack themselves!OISF Aniversary: Active Defense - Helping threat actors hack themselves!
OISF Aniversary: Active Defense - Helping threat actors hack themselves!CiNPA Security SIG
 
Modern Web Application Defense
Modern Web Application DefenseModern Web Application Defense
Modern Web Application DefenseFrank Kim
 
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault Outlyer
 
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...CiNPA Security SIG
 
Looking for Vulnerable Code. Vlad Savitsky
Looking for Vulnerable Code. Vlad SavitskyLooking for Vulnerable Code. Vlad Savitsky
Looking for Vulnerable Code. Vlad SavitskyVlad Savitsky
 
Protecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP HeadersProtecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP HeadersFrank Kim
 
Phu appsec13
Phu appsec13Phu appsec13
Phu appsec13drewz lin
 
Hashicorp Vault ppt
Hashicorp Vault pptHashicorp Vault ppt
Hashicorp Vault pptShrey Agarwal
 
Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Francois Marier
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profitDavid Stockton
 
HTTP Security Headers Every Java Developer Must Know
HTTP Security Headers Every Java Developer Must KnowHTTP Security Headers Every Java Developer Must Know
HTTP Security Headers Every Java Developer Must KnowAyoma Wijethunga
 
When Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentalsWhen Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentalsSimon Willison
 
WebView security on iOS (EN)
WebView security on iOS (EN)WebView security on iOS (EN)
WebView security on iOS (EN)lpilorz
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraMathias Karlsson
 
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Andy Robbins
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profitDavid Stockton
 
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp VaultChickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp VaultJeff Horwitz
 
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Cross Site Scripting (XSS)
Cross Site Scripting (XSS)OWASP Khartoum
 
Java script, security and you - Tri-Cities Javascript Developers Group
Java script, security and you - Tri-Cities Javascript Developers GroupJava script, security and you - Tri-Cities Javascript Developers Group
Java script, security and you - Tri-Cities Javascript Developers GroupAdam Caudill
 
Vault 101
Vault 101Vault 101
Vault 101Hazzim Anaya
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesBrad Hill
 
Cm2 secure code_training_1day_data_protection
Cm2 secure code_training_1day_data_protectionCm2 secure code_training_1day_data_protection
Cm2 secure code_training_1day_data_protectiondcervigni
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2Chris Gates
 

Mais conteúdo relacionado

Mais procurados

Modern Web Application Defense
Modern Web Application DefenseModern Web Application Defense
Modern Web Application DefenseFrank Kim
 
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault Outlyer
 
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...CiNPA Security SIG
 
Looking for Vulnerable Code. Vlad Savitsky
Looking for Vulnerable Code. Vlad SavitskyLooking for Vulnerable Code. Vlad Savitsky
Looking for Vulnerable Code. Vlad SavitskyVlad Savitsky
 
Protecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP HeadersProtecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP HeadersFrank Kim
 
Phu appsec13
Phu appsec13Phu appsec13
Phu appsec13drewz lin
 
Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Francois Marier
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profitDavid Stockton
 
HTTP Security Headers Every Java Developer Must Know
HTTP Security Headers Every Java Developer Must KnowHTTP Security Headers Every Java Developer Must Know
HTTP Security Headers Every Java Developer Must KnowAyoma Wijethunga
 
When Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentalsWhen Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentalsSimon Willison
 
WebView security on iOS (EN)
WebView security on iOS (EN)WebView security on iOS (EN)
WebView security on iOS (EN)lpilorz
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraMathias Karlsson
 
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Andy Robbins
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profitDavid Stockton
 
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp VaultChickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp VaultJeff Horwitz
 
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Cross Site Scripting (XSS)
Cross Site Scripting (XSS)OWASP Khartoum
 
Java script, security and you - Tri-Cities Javascript Developers Group
Java script, security and you - Tri-Cities Javascript Developers GroupJava script, security and you - Tri-Cities Javascript Developers Group
Java script, security and you - Tri-Cities Javascript Developers GroupAdam Caudill
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesBrad Hill
 

Mais procurados (20)

Modern Web Application Defense
Modern Web Application DefenseModern Web Application Defense
Modern Web Application Defense
 
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
 
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
 
Looking for Vulnerable Code. Vlad Savitsky
Looking for Vulnerable Code. Vlad SavitskyLooking for Vulnerable Code. Vlad Savitsky
Looking for Vulnerable Code. Vlad Savitsky
 
Protecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP HeadersProtecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP Headers
 
Phu appsec13
Phu appsec13Phu appsec13
Phu appsec13
 
Hashicorp Vault ppt
Hashicorp Vault pptHashicorp Vault ppt
Hashicorp Vault ppt
 
Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profit
 
HTTP Security Headers Every Java Developer Must Know
HTTP Security Headers Every Java Developer Must KnowHTTP Security Headers Every Java Developer Must Know
HTTP Security Headers Every Java Developer Must Know
 
When Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentalsWhen Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentals
 
WebView security on iOS (EN)
WebView security on iOS (EN)WebView security on iOS (EN)
WebView security on iOS (EN)
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPra
 
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profit
 
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp VaultChickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
 
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Cross Site Scripting (XSS)
Cross Site Scripting (XSS)
 
Java script, security and you - Tri-Cities Javascript Developers Group
Java script, security and you - Tri-Cities Javascript Developers GroupJava script, security and you - Tri-Cities Javascript Developers Group
Java script, security and you - Tri-Cities Javascript Developers Group
 
Vault 101
Vault 101Vault 101
Vault 101
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 

Semelhante a Bsidesnova- Pentesting Methodology - Making bits less complicated

Cm2 secure code_training_1day_data_protection
Cm2 secure code_training_1day_data_protectionCm2 secure code_training_1day_data_protection
Cm2 secure code_training_1day_data_protectiondcervigni
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2Chris Gates
 
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018HashiCorp
 
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain AccessDefcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Accesseightbit
 
Managing your secrets in a cloud environment
Managing your secrets in a cloud environmentManaging your secrets in a cloud environment
Managing your secrets in a cloud environmentTaswar Bhatti
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Michael Pirnat
 
Can you keep a secret? (XP Days 2017)
Can you keep a secret? (XP Days 2017)Can you keep a secret? (XP Days 2017)
Can you keep a secret? (XP Days 2017)Valerii Moisieienko
 
Azure Low Lands 2019 - Building secure cloud applications with Azure Key Vault
Azure Low Lands 2019 - Building secure cloud applications with Azure Key VaultAzure Low Lands 2019 - Building secure cloud applications with Azure Key Vault
Azure Low Lands 2019 - Building secure cloud applications with Azure Key VaultTom Kerkhove
 
Заполучили права администратора домена? Игра еще не окончена
Заполучили права администратора домена? Игра еще не оконченаЗаполучили права администратора домена? Игра еще не окончена
Заполучили права администратора домена? Игра еще не оконченаPositive Hack Days
 
Offensive Python for Pentesting
Offensive Python for PentestingOffensive Python for Pentesting
Offensive Python for PentestingMike Felch
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Jim Manico
 
So you want to be a security expert
So you want to be a security expertSo you want to be a security expert
So you want to be a security expertRoyce Davis
 
IT Camp 19: Top Azure security fails and how to avoid them
IT Camp 19: Top Azure security fails and how to avoid themIT Camp 19: Top Azure security fails and how to avoid them
IT Camp 19: Top Azure security fails and how to avoid themKarl Ots
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Rob Fuller
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Chris Gates
 
Owning computers without shell access dark
Owning computers without shell access darkOwning computers without shell access dark
Owning computers without shell access darkRoyce Davis
 
Getting Started in Pentesting the Cloud: Azure
Getting Started in Pentesting the Cloud: AzureGetting Started in Pentesting the Cloud: Azure
Getting Started in Pentesting the Cloud: AzureBeau Bullock
 
Secure your web app presentation
Secure your web app presentationSecure your web app presentation
Secure your web app presentationFrans Lytzen
 

Semelhante a Bsidesnova- Pentesting Methodology - Making bits less complicated (20)

Cm2 secure code_training_1day_data_protection
Cm2 secure code_training_1day_data_protectionCm2 secure code_training_1day_data_protection
Cm2 secure code_training_1day_data_protection
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
 
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
 
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain AccessDefcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
 
Managing your secrets in a cloud environment
Managing your secrets in a cloud environmentManaging your secrets in a cloud environment
Managing your secrets in a cloud environment
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
 
Can you keep a secret? (XP Days 2017)
Can you keep a secret? (XP Days 2017)Can you keep a secret? (XP Days 2017)
Can you keep a secret? (XP Days 2017)
 
Secure all things with CBSecurity 3
Secure all things with CBSecurity 3Secure all things with CBSecurity 3
Secure all things with CBSecurity 3
 
Azure Low Lands 2019 - Building secure cloud applications with Azure Key Vault
Azure Low Lands 2019 - Building secure cloud applications with Azure Key VaultAzure Low Lands 2019 - Building secure cloud applications with Azure Key Vault
Azure Low Lands 2019 - Building secure cloud applications with Azure Key Vault
 
Заполучили права администратора домена? Игра еще не окончена
Заполучили права администратора домена? Игра еще не оконченаЗаполучили права администратора домена? Игра еще не окончена
Заполучили права администратора домена? Игра еще не окончена
 
Offensive Python for Pentesting
Offensive Python for PentestingOffensive Python for Pentesting
Offensive Python for Pentesting
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5
 
So you want to be a security expert
So you want to be a security expertSo you want to be a security expert
So you want to be a security expert
 
IT Camp 19: Top Azure security fails and how to avoid them
IT Camp 19: Top Azure security fails and how to avoid themIT Camp 19: Top Azure security fails and how to avoid them
IT Camp 19: Top Azure security fails and how to avoid them
 
Rails Security
Rails SecurityRails Security
Rails Security
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
 
Owning computers without shell access dark
Owning computers without shell access darkOwning computers without shell access dark
Owning computers without shell access dark
 
Getting Started in Pentesting the Cloud: Azure
Getting Started in Pentesting the Cloud: AzureGetting Started in Pentesting the Cloud: Azure
Getting Started in Pentesting the Cloud: Azure
 
Secure your web app presentation
Secure your web app presentationSecure your web app presentation
Secure your web app presentation
 

Último

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 

Último (20)

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 

Bsidesnova- Pentesting Methodology - Making bits less complicated

  • 1. Pentesting Methodology - Making bits less complicated Octavio Paguaga TrustWave Government Solutions
  • 2. Introduction & Thank yous • Senior Security Consultant at TrustWave Government Solutions • Thank you • Steve Borosh @rvrsh3ll • Will Schroeder @HarmJ0y • Andy Robbins @Waldo • Jimmy Bayne @bohops • hacktheplanet Discord & Bloodhound Slack Channel • @b33f & @ippsec  Check out their content/Patreon • Jason Lang – CuriousJack – • https://www.youtube.com/watch?v=kf829-tm0VM
  • 3.
  • 5. Clear violation of Terms of Service, but… • Disable Content Security Policy • Open Developer tools var jqry = document.createElement('script'); jqry.src = "https://code.jquery.com/jquery-3.3.1.min.js"; document.getElementsByTagName('head')[0].appendChild(jqry); jQuery.noConflict(); setInterval(function() { window.scrollTo(0, document.body.scrollHeight); }, 500);
  • 6. Clear violation of Terms of Service, but… jQuery('button[data-control-name="invite"]').each(function(index, value) { setTimeout(function() { jQuery(value).trigger('click'); }, index * 1000); });
  • 7.
  • 8. Domain Ownership • Phishing Domain • C2 Domain • Domain Fronting • https://chigstuff.com/blog/metasploit-domain-fronting-with-microsoft-azure/ • https://medium.com/@rvrsh3ll/hardening-your-azure-domain-front- 7423b5ab4f64
  • 9. Services to show categorization • https://fortiguard.com/webfilter • Fortiguard shows “Newly Observed Domain” • https://www.virustotal.com/gui/domain/ • Virus Total shows clean now and 12 months ago • Trustedsource.org • shows the site as Uncategorized with a reputation as Unverified • https://talosintelligence.com/reputation_center • Not blacklisted. Unknown to Talos Intelligence too (Cisco) • https://urlfiltering.paloaltonetworks.com/ • Palo Alto URL test shows it as “Alcohol and Tobacco” and “Low Risk” meaning benign activity for last 90 days • https://sitereview.bluecoat.com/#/ • Blue coat (Symantec) shows it as Business Economy category • https://www.brightcloud.com/tools/url-ip-lookup.php • Webroot shows Moderate Risk and category “Home and Garden”
  • 10. Commands used • curl -H "Content-Type: BSIDES_CHARM" bsidescharm.azureedge.net • curl bsidescharm.azureedge.net • https://blog.cobaltstrike.com/2019/02/19/cobalt-strike-team-server- population-study/ • https://www.flashpoint-intel.com/blog/the-challenges-of-cobalt- strike-server-fingerprinting/
  • 11. Azure domain front photos go here
  • 13. Commands used • curl -H "Content-Type: BSIDES_CHARM" bsidescharm.azureedge.net • curl bsidescharm.azureedge.net • https://blog.cobaltstrike.com/2019/02/19/cobalt-strike-team-server- population-study/ • https://www.flashpoint-intel.com/blog/the-challenges-of-cobalt- strike-server-fingerprinting/
  • 15. Azure Filtering to hide from defenders https://medium.com/@rvrsh3ll/hardening-your-azure-domain-front-7423b5ab4f64
  • 16. Phishing Payload • HTA • SharpShooter • TikiTorch • demiguise • EvilClippy
  • 17. Active Directory • SUCCESS! • Where do we start • Enumerate local machine • PSP’s • Whoami ? • What tools/scripts can I run • Manual Enumeration of AD • Bloodhound
  • 18.
  • 19. KERBEROASTING • Targets accounts with Service Principal Name • e.g. MSSQLSvc/<FQDN> is assigned to a username • The password of the username is used to sign the TGS provided to the client. • hashcat –m 13100 <TGS> <wordlist> SPN Username MSSQLSvc/SQL01.east.com Oaktree
  • 20. Active Directory • SUCCESS! • Where do we start • Enumerate local machine • PSP’s • Whoami ? • What tools/scripts can I run • Manual Enumeration of AD • Bloodhound
  • 21. Manual Enumeration • Description Field • Get-DomainUser | select Description
  • 24. Other ACL types • ForceChangePassword • AddMembers • GenericAll • GenericWrite • WriteOwner • WriteDACL
  • 26. Delegation • Unconstrained • Constrained • For a given computer or user account, this attribute specifies the list of service principal names (SPN) corresponding to Windows services that can act on behalf of the computer or user account. • msDS-AllowedToDelegateTo • Resource Based Constrained Delegation • “(specifically msDS-AllowedToActOnBehalfOfOtherIdentity, so rights would include GenericAll, GenericWrite, WriteOwner, etc.) we can abuse this access and a modified S4U Kerberos ticket request process to compromise the computer itself.” • https://www.harmj0y.net/blog/activedirectory/a-case-study-in-wagging-the-dog-computer- takeover/ Accounts trusted for delegation (userAccountControl:1.2.840.113556.1.4.803:=524288)
  • 28.
  • 30. • The Data Protection API (DPAPI) helps to protect data in Windows 2000 and later operating systems. DPAPI is used to help protect private keys, stored credentials (in Windows XP and later), and other confidential information that the operating system or a program wants to keep confidential. DPAPI is not responsible for storing the confidential information it protects. It is only responsible for encrypting and decrypting data for programs that call it, such as Windows Credential manager, the Private Key storage mechanism, or any third-party programs that call the CryptProtectData() function and the CryptUnprotectData() function in Windows 2000, Windows XP, or later.
  • 33. Notes for Demonstration • Credentials are stored in user's profile. Can use Seatbelt to identify these. • Run vault::cred within Mimikatz before continuing • Usually in: • %appdata%MicrosoftCredentials • %localappdata%MicrosoftCredentials • We can unlock the credential blob by requesting the masterkey as the user by using the /rpc flag • We can unlock any credential blob if we can obtain the masterkey of a domain admin.
  • 36. Notes /export - optional - tickets are exported in .kirbi files. They start with user's LUID and group number (0 = TGS, 1 = client ticket(?) and 2 = TGT)