2. Why other pen-tests suck! (not hating)
• External – Unless you're SE'ing someone it's pretty boring. (Nessus/Qualys grepping human, thou art l33t)
• Web Apps – Unless you get SQLi, file upload or good business logic bugs. (Oh Burp scanning/Intruder ninja, thou art l33t)
• Mobile – Fun unlimited but limited by a small threat surface
3. Internal Pen-Tests
• SHELLS! SHELLS! SHELLS! – Oh beautiful Shellness!
• Nothing beats the joy of popping a box!
• If Local Admin, get Domain Admin – always a new challenge!
• Data – Oh delicious customer data!
• Mad respect from client
“More pen-tests…more monnneeyyy” – Hans Michael Varbaek
4. Why we still own Internal Networks
• Weak passwords – Welcome1 still works in 2013
5. Why we still own Internal Networks
• No patching – MS08-067 still works in 2013
6. Why we still own Internal Networks
• No access controls – RDP/SSH anywhere
7. Easy Pwnage
• This stuff still works not because you're l33t but because your customer is clueless about securing stuff.
– Password attacks
• SMB bruteforce from a list of domain users (null sessions, or using a compromised host that gave you a domain user cred)
• ^ Check the password policy before going haywire.
• SSH, MSSQL etc (sa/sa still works in 2013)
• Metasploit auxiliary modules / Nmap scripts are your best friend. (You know most of the good ones, right?)
• Run all of them if you've got time. You never know how low the fruit is hanging unless you bend down.
• Nessus/Qualys are generally pretty bad at bruteforcing stuff.
• Use intelligent word lists – mix in the company name.
8. Easy Pwnage
– Not Patching
• Any vulnerable software that Qualys/Nessus finds – if Metasploit has a module for it = easy win.
– Web consoles (I like these – find them all the time!)
• JBoss JMX consoles (set up shell.war and invoke)
• Tomcat manager (deploy shell.war)
– These usually run as SYSTEM on a Windows box.
• Any file upload from a web app that is internal (don't waste time on this, but if you do see something interesting, have a poke)
– GPO cpassword (Group Policy Preference XML)
• post/windows/gather/credentials/gpp – base64-decode and then decrypt using the MS-provided public AES key
• Most likely the local administrator password (re-used across all hosts that were deployed with GPPs)
13. Why are we doing all this anyway??
• Get sensitive data and show the customer the real risk of allowing “Mr. Evil” to connect to their internal network
– Hunting for data:
• Local admin -> Domain Admin -> Search for data everywhere (usually databases – unless they're really stupid and store it in unencrypted flat files)
Lesson learnt – Some clients don't even know what data is important to them.
- CEO's mailbox is a good start
14. Super Secure Customer
• Everything is patched
• Super random awesomely strong passwords
• Apps are securely coded – no SQLi and no file upload
• AV everywhere – I mean everywhere
• ^ AV can't be turned off unless you provide a password
• OMG! – I should quit pen-testing.
15.
16. Responder
• Developed by Laurent Gaffié (Trustwave)
• LLMNR and NBT-NS poisoning (Google for what this is)
– If DNS and the hosts file fail, the tool yells out “I'll resolve that for you” and then steals your creds!
– DEMO
– Hashes can be cracked via John or can be relayed: http://pen-testing.sans.org/blog/pen-testing/2013/04/25/smb-relay-demystified-and-ntlmv2-pwnage-with-python
17. Responder
• Tons of other features
– Google “responder trustwave”
– Does ICMP redirect (this is effing awesome – but only works against anything older than Vista/2k8)
– Abuse WPAD (another cool feature)
– HTTP, FTP modules.
• Make sure you are on a workstation subnet for maximum hits.
18. OK – THAT DIDN'T WORK??
• Give up and go home??
19. I SAY NO!
• Meet the angry “I will pwn you” pentester!
20. Get your Ducky on
• HID USB thingy that has a small programmable chip.
• When a user leaves their desktop/laptop unlocked, run and connect. (Or walk, if you're not that enthusiastic.)
• Quickly add a user, enable RDP, grab password hashes, system info etc and ship it to your FTP server. (Whatever privs the user has, the Ducky has.)
• Easy to write scripts – write, compile with Java, load onto the Ducky.
• ^ Way easier than Teensy – although Teensy can be used in stealth/SE tactics: Teensy inside a mouse, Teensy inside a keyboard etc.
21. DUCKY DEMO
• If it quacks like a duck – it must be a duck
• Video
22. SAFE PASSWORD DUMPING
• Old school password dumping tools get picked up by AV (Cain, pwdump etc)
• New ones are getting picked up as well (WCE, mimikatz etc) – these two can dump plain-text passwords from memory.
• Disable AV?
• What if AV can only be disabled using a password?
23. SAFE PASSWORD DUMPING
• You don’t have to disable AV or trigger it.
• Procdump from sysinternals
– C:\windows\temp\procdump.exe -accepteula -ma lsass.exe C:\windows\temp\lsassdump.dmp
– Mimikatz can then chew the .dmp file and spit out passwords in clear text.
24. SAFE PASSWORD DUMPING
• Some old methods still work and don't get picked up by AV – hashes from hives:
• Reg copy (C:\>reg.exe save HKLM\SAM sam)
• Shadow volume copy (good to grab NTDS)
• ^ Ops guys now do check logs for shadow volume copies, so I'd recommend using SAMEX. (http://www.josho.org/blog//blog/2013/03/07/samex/)
25. Searching for Domain Admin
• So you popped a few boxes – got some hashes
• What now?
• If one of those boxes:
– had a domain admin logged in – you have his password in plain text or got his hash -> game over.
– had a service running as domain admin – migrate to the process, pop a shell -> game over.
• Shares the same local administrator password across the network:
– Spray the hash and look for boxes with processes running as domain admin.
26. Searching for Domain Admin
#!/bin/sh
# One target IP per line in ip.txt; winexe authenticates with the local Administrator hash
for ip in $(cat ip.txt); do
  ./winexe -U Administrator%passwordhash //$ip "ipconfig"
  ./winexe -U Administrator%passwordhash //$ip "tasklist /v"
done
• ^ The Metasploit module auxiliary/admin/smb/psexec_command also works. Do not use windows/smb/psexec, as this uploads an exe to the box and will trigger AV.
• Log in to the box running the domain admin process – dump the hash or read it from lsass in plain text.
• Replay the hash or log in as domain admin over RDP etc.
• Game over.
– Pro stealth tip: Once you get a domain admin shell, DO NOT CREATE a new domain admin user.
• This will trigger Ops, as a lot of organisations are alerted if a new domain administrator is created.
27. Looting
• Go after SQL servers – you should have a list of these from your scans
• Shares – Yes, people still store heaps of confidential stuff unencrypted in shares
• Have you guys seen Firefox PTH? – All your OWA and SharePoint are belong to us!
• Metasploit – post-exploitation modules – store loot in the MSF DB for grepping later.
29. Mitigations
• You can't really stop a determined attacker
• There are just way too many ways you could get hacked
• Best bet is to detect
• Check anomalies – new user creation (DA etc), local admin logons, AV pickups etc
• User education
• Google's new network architecture – all zones are untrusted (not a bad idea, eh?)
• Obvious old school protections should still apply – patching, strong passwords, access controls etc
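The detection this slide calls for, as an added example (not from the talk): a Python checker over constructed Windows Security events that flags privileged-group additions and local-Administrator network/RDP logons, including the shared-local-admin “spray” pattern the earlier slides describe. The event IDs and logon types are the documented Windows ones; the field names are an assumption about what a log collector exports.

```python
# Event IDs are the documented Windows Security event IDs; the field names
# below are an assumption about what a log collector/SIEM would export.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
GROUP_ADD_EVENTS = {4728, 4756}          # member added to global / universal group
LOGON_EVENT = 4624
REMOTE_LOGON_TYPES = {3, 10}             # 3 = network (SMB/psexec), 10 = RDP

# Constructed sample events for this example, not real logs.
SAMPLE_EVENTS = [
    {"id": 4720, "host": "DC01", "actor": "CORP\\jsmith", "account": "CORP\\svc_bkp2", "group": "", "logon_type": None},
    {"id": 4728, "host": "DC01", "actor": "CORP\\jsmith", "account": "CORP\\svc_bkp2", "group": "Domain Admins", "logon_type": None},
    {"id": 4624, "host": "WS017", "actor": "", "account": "WS017\\Administrator", "group": "", "logon_type": 3},
    {"id": 4624, "host": "WS018", "actor": "", "account": "WS018\\Administrator", "group": "", "logon_type": 3},
    {"id": 4624, "host": "WS019", "actor": "", "account": "WS019\\Administrator", "group": "", "logon_type": 10},
    {"id": 4624, "host": "FS01", "actor": "", "account": "CORP\\alice", "group": "", "logon_type": 10},
]

def privileged_group_changes(events):
    """Anyone being added to a privileged group: the 'new DA user' alert from the slides."""
    return [e for e in events if e["id"] in GROUP_ADD_EVENTS and e["group"] in PRIVILEGED_GROUPS]

def local_admin_remote_logons(events):
    """4624 where the account is the machine-local Administrator (domain == host name)
    arriving over the network or RDP: what a replayed local-admin hash looks like in the log."""
    hits = []
    for e in events:
        if e["id"] != LOGON_EVENT or e["logon_type"] not in REMOTE_LOGON_TYPES:
            continue
        domain, _, user = e["account"].partition("\\")
        if user.lower() == "administrator" and domain.lower() == e["host"].lower():
            hits.append(e)
    return hits

def hash_spray_hosts(events, threshold=3):
    """Shared local admin password being sprayed: local Administrator logging on to
    >= threshold distinct hosts. Returns the hosts touched, or [] if below threshold."""
    hosts = sorted({e["host"] for e in local_admin_remote_logons(events)})
    return hosts if len(hosts) >= threshold else []

def alerts(events):
    """Human-readable alert lines for everything the checks above flagged."""
    out = [f"PRIV-GROUP: {e['actor']} added {e['account']} to {e['group']} on {e['host']}"
           for e in privileged_group_changes(events)]
    out += [f"LOCAL-ADMIN-LOGON: {e['account']} logon type {e['logon_type']} on {e['host']}"
            for e in local_admin_remote_logons(events)]
    if spray := hash_spray_hosts(events):
        out.append(f"HASH-SPRAY: local Administrator reached {len(spray)} hosts: {', '.join(spray)}")
    return out
```

On the sample data this yields one privileged-group alert, three local-admin logon alerts and one spray alert; the CORP\alice RDP logon is not flagged because it is a domain account, not the machine-local Administrator.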
30. Testing “Pro” tips
• Don't leave any accounts you create on the customer's network – delete everything (finding a DA account left by the pen-tester from the last engagement = fail)
• Bruteforce wisely – locking out an important service will not go down well with a customer (bump down threads = increase stealth)
• Don't disable AV – intelligent Ops are alerted if AV dies
• Wipe your VM after every pen-test – a clean slate to work on is so much better
• Snapshotting to have all your tools set up and then resetting also works
• The script command on Linux is your best friend
• Notes – always good for other eyes trying to read and understand what you did (doesn't even have to be fancy – vi or Notepad works)
• Videos for complex attacks – I'd highly recommend it (mind you, this is gonna eat some disk space and sending it to a client might be difficult)
31. Music (Ignore this slide if you don't listen to music)
• Meshuggah, Lamb of God and Tool – when you're feeling effing awesome and pwning like a baws
• Trying really hard for a breakthrough or fighting a problem – really fast techno or dubstep
• When you lose it and wanna break your laptop – Vitamin String Quartet (trust me, this works)
32. That’s it
• Things I want to work on (any help will earn beers and respect):
– Write more Ducky scripts (hopefully run faster and grab more stuff, reverse shell etc)
– Write post-exploit modules (which can loot more efficiently)
– Set up a Pi that can do all this over 3G/4G to be sent to the client so I can watch BSG and sip beer.
– Hope this helped. Google for anything that I may not have provided a link for or explained in detail.
Blog: http://psychsec.wordpress.com/
Editor's Notes
Windows <= 5.2 domain members (XP, Windows Server 2003 and above) have ICMP Redirect enabled by default. This functionality can be used to remotely add (with no authentication required) a new route for a given host.
So basically, anything older than Windows Vista / Server 2008 is vulnerable. You just send it an ICMP redirect, and its traffic gets redirected.