8. Current State (contd.)
Which is harder to identify: that something happened?
Which is harder to identify: that someone is in your territory?
9. Results Accurate?
The result of this is IT/Security says "we caught you". "Hey Sr. Management, we would catch a real attack; we caught our pentesters."
Several reasons for the fast/loud pentest
We need to adapt. Time to try and give IT a run for their money.
10. What can we do?
Let's talk about a scenario and pick it up from there:
Social engineered some employees and made it in to a conference room or empty cube.
You think it would never happen… but what happened here???
http://www.tripwire.com/state-of-security/topsecurity-stories/hacker-use-kvm-switchbreach-santander-bank/
11. You got in so now what?
No workstation present….
No NAC…
What to do next?
12. Would You?
Common Ways:
1) Port Scan
2) Ping Sweep
3) Password guess
4) ARP Poison
5) Scan for Vulns
6) Anything Else?
What to consider with these???
13. Play by these rules
Play by the RFCs
Keep traffic to a minimum
No excessive authentication
Initially.. play in the safe zone
14. Enumerate the goods…
So we plugged in our rogue hardware.. What to do??? Fire up your favorite packet capturing software.
Identify those subnets
EIGRP / OSPF broadcasting on the user subnets with no authentication
DNS goodness
Anonymous Enum / SID to name / Krbguess (last resort)
NetBIOS? Net view?
15. How should we get auth?
Utilize those broken host discovery protocols
  NetBIOS
  LLMNR
  Domain services – (?)
Insecure printers (Praeda)
IPv6
Misconfigured
16. We got auth!
Enumerate domain users / computers
  Where are the good guys? (Admins)
  How can we get there?
Dig through those shares (netlogon / home folder of user / random shares)
Drop shortcuts
GPP / WDS / PXE Boot / Unattend.xml
Hit those SQL Servers (xp_dirtree / xp_fileexists)
17. Got Local Admin, what next?
Check cached creds / LSA secrets
Procdump for those cleartext
Break the local security software
IE passwords / Outlook files
Most obvious… Local Admin password reuse
To get those keys, now play the waiting game.
18. Do you still trust your SECURITY software?
Arellia – Privilege management software
McAfee – Anti-Virus software
19. Do you still trust your SECURITY software? (contd.)
WebSense – Web Content Filtering
How many other applications are doing this…?
20. Time to fix these issues.
Routing protocols
  Authentication
  Passive-Interfaces
UAC
EMET
Limit cached credentials
HIPS / ACLs – KEY **
Disable GPP / Fix Panther / Sysprep / etc.
Fix those dirty services – SCCM / Security software / etc.
21. Time to fix these issues. (contd.)
Fix the host discovery protocols
Remove public roles from SQL servers – if possible
Lock down those shares
Lock down PXE booting to specific subnets
Lock down communication between workstations
22. Time to detect the bad guys
Log C$/Admin$ access from non-IT subnets
Log excessive share access (excessive access denieds)
Detect excessive password guesses
Log DHCP requests / compare to current domain computers
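The four checks on this slide, written out as an added detection example that is not part of the original talk. The event records, the IT subnet range, the DHCP leases, the domain computer list and the alert thresholds are all constructed stand-ins; in a real deployment the records would be parsed out of the Windows event log (share access 5140, detailed share access 5145, failed logon 4625) and the DHCP server's lease table first.

```python
import ipaddress
from collections import Counter

# Subnets that IT administrators work from (assumed placeholder range).
IT_SUBNETS = [ipaddress.ip_network("10.1.0.0/24")]
ADMIN_SHARES = {"C$", "ADMIN$"}

# Constructed sample records (not real logs), modelled on event IDs
# 5140 (share accessed), 5145 (share access check) and 4625 (failed logon):
# (event_id, source_ip, share_path, outcome).
EVENTS = [
    (5140, "10.1.0.5",  "\\\\*\\ADMIN$",  "granted"),  # IT admin: expected
    (5140, "10.9.3.44", "\\\\*\\C$",      "granted"),  # user subnet: suspicious
    (5145, "10.9.3.44", "\\\\*\\Finance", "denied"),
    (5145, "10.9.3.44", "\\\\*\\HR",      "denied"),
    (5145, "10.9.3.44", "\\\\*\\Legal",   "denied"),
    (4625, "10.9.3.44", None, "failed"),
    (4625, "10.9.3.44", None, "failed"),
    (4625, "10.9.3.44", None, "failed"),
    (4625, "10.9.3.44", None, "failed"),
    (4625, "10.9.3.44", None, "failed"),
    (4625, "10.1.0.5",  None, "failed"),               # one typo: below threshold
]
# Constructed DHCP leases (ip, hostname) and the domain's computer accounts.
DHCP_LEASES = [("10.9.3.44", "rogue-box"), ("10.9.3.10", "WS-0042"), ("10.1.0.5", "IT-ADMIN1")]
DOMAIN_COMPUTERS = {"WS-0042", "IT-ADMIN1"}

def share_name(unc):
    """Reduce a UNC share path such as '\\\\*\\C$' to the bare share name 'C$'."""
    return unc.rsplit("\\", 1)[-1].upper()

def from_it_subnet(ip):
    return any(ipaddress.ip_address(ip) in net for net in IT_SUBNETS)

def detect(events, leases, domain_computers, denied_max=3, failed_logon_max=5):
    """Return a sorted list of (rule, source) alerts for the four checks on the slide."""
    alerts, denied, failed = set(), Counter(), Counter()
    for event_id, src, share, outcome in events:
        if event_id == 5140 and share_name(share) in ADMIN_SHARES and not from_it_subnet(src):
            alerts.add(("admin_share_from_non_it_subnet", src))
        elif event_id == 5145 and outcome == "denied":
            denied[src] += 1          # count access-denied share attempts per source
        elif event_id == 4625:
            failed[src] += 1          # count failed logons per source
    alerts.update(("excessive_share_access_denied", s) for s, n in denied.items() if n >= denied_max)
    alerts.update(("excessive_failed_logons", s) for s, n in failed.items() if n >= failed_logon_max)
    known = {c.upper() for c in domain_computers}
    alerts.update(("dhcp_lease_not_domain_computer", ip) for ip, host in leases if host.upper() not in known)
    return sorted(alerts)
```

Thresholds should be tuned per environment: a helpdesk subnet will legitimately trip the failed-logon rule far more often than a user VLAN.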
23. Lessons Learned… the hard way
Password guessing – If you must do it...
ARP Poisoning – bye bye port
Exploiting patches – too noisy with IDS/IPS
NAC – dammit.. Guest VLAN
Custom payloads get by AV.. – Powershell….?
Outbound connections..?

Targeted attacks. Not spraying metasploit everywhere. Not blasting out traffic. WE NEED TO EXPLAIN THIS IS ABOUT NET PEN ONLY. We need to introduce the scenario better too.
Port scans, nessus, qualys
The bad guys don't want to be detected, last time I checked?
Budget restrictions, time constraints, scope. WE NEED TO EXPLAIN THIS IS JUST NET PEN
Social engineered and made your way in.. Or email. Add a picture of a guy either thinking or maybe a guy happy that he got in
Explain that the goal here is to map the network