BSidesJXN 2016: Finding a Company's BreakPoint
Uploaded by andrew-mcnicol (Category: Technology)
Transcript of BSidesJXN 2016: Finding a Company's BreakPoint
Finding a Company’s BreakPoint
By: Zack Meyers & Andrew McNicol
Modern Day Hacking
Agenda
~$ whoami
Overview
Our Methodology
How to Go Beyond a Scan
1. Phishing
2. Web Application Vulnerabilities
3. Multicast Name Resolution Poisoning
4. SMB Relay Attacks
5. Account Compromise
Final Thoughts and Tips
Useful Training and Links
~$ whoami
Zack Meyers (@b3armunch)
Andrew McNicol (@primalsec)
Red Team @BreakPoint Labs (@0xcc_labs)
Bloggers/Podcasters @Primal Security (@primalsec)
Past: BSidesCHARM, BSidesDC, RVASec
Certification Junkies (OSCE, OSCP, GWAPT, GPEN etc.)
Python, CTFs, Learning, long walks on the beach (@AnnapolisSec)
Things Have Changed Since the 90s
Overview
Goal: Break the mindset of “Scan then Exploit”
Cover 5 ways we commonly break into a network:
1. Phishing
2. Web Application Vulnerabilities
3. Multicast Name Resolution Poisoning
4. SMB Relay Attacks
5. Account Compromise
Our Methodology (High Level)
Planning and Scoping
Reconnaissance
Mapping
Automated Testing
Manual Testing
Reporting
Remediation Support
How to Go Beyond a Scan
1. Mindset: Fail 1000s of times and Continue Trying
2. Recon + Mapping: Find Systems + Content Others Have Missed
3. Automated Testing: Run the appropriate tool for the job
4. Manual Testing:
Identify, Understand, and Fuzz all Areas of Input
Research all Version Specific Vulnerabilities
Combine Findings, Remove False Positives, and Abuse Features
5. Reporting: Highlight Business Impact
1. Phishing
[surprise] Phishing actually works. [/surprise]
Here is the process we generally follow:
1. Planning: Goals, ROE, what happens when the user clicks?
2. Determine Scenario: Ransomware, Targeted, etc.
3. Determine Phishing Domains
4. Find Vulnerabilities: Email Spoofing
5. Execute the Engagement
Full Blog Here: https://breakpoint-labs.com/phishing/
1. Phishing: Planning
Work with the customer to understand their needs for the Phishing
campaign (Compliance, Part of a larger engagement, etc.)
We prefer to send email via Python (smtp module)
We generally perform these three types of engagements:
1. Click Analysis: Determine how many users clicked a link
2. Credential Gathering: Prompt for Credentials
3. Execute Code: PowerShell, Office Macros, HTAs, etc.
CEO's Reaction to Opening a Phishing Email
1. Phishing: Scenario
2 Main Types of Scenarios: Common Malware, and Targeted Attacker
UPS Tracking Ransomware: Cloned Site + Password Prompt:
1. Phishing: Phishing Domains
The scenario determines which domains we use.
If our goal is a more targeted attack, we will use a domain similar to the target organization's and clone its login portals:
breakpoint-labs.com vs. breakpoint-lab.com
If our goal is to emulate a more common threat, we will emulate that threat's TTPs:
ups-pkgtracker.com
It's important to submit the phishing domains to web content filters/proxies for categorization.
1. Phishing: Finding Vulnerabilities
1. Phishing: Finding Vulnerabilities
Outlook client – Email below is sent from a Gmail account:
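The check behind the "Email Spoofing" step here, as an added example that is not part of the talk: it grades a sending domain's SPF and DMARC TXT records (the slide does not name these controls; they are the standard ones a spoofing test exercises). The sample records and domain are constructed.

```python
import re

def spf_all_qualifier(txt):
    """Return the qualifier on the SPF 'all' mechanism ('-', '~', '?', '+'),
    or None when the record is not SPF or has no 'all' term."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    for term in terms[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"   # a bare 'all' means '+all'
    return None

def dmarc_tags(txt):
    """Parse 'v=DMARC1; p=none; rua=...' into a dict, or None if not DMARC."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None

def spoofing_findings(spf_txt, dmarc_txt):
    """Findings a phishing assessment would report for the sending domain.
    Pass None for a record the domain does not publish."""
    findings = []
    q = spf_all_qualifier(spf_txt) if spf_txt else None
    if spf_txt is None:
        findings.append("no SPF record")
    elif q is None or q == "?":
        findings.append("SPF does not fail unauthorised senders (neutral)")
    elif q == "+":
        findings.append("SPF +all authorises every sender")
    elif q == "~":
        findings.append("SPF softfail only; receivers may still deliver")
    d = dmarc_tags(dmarc_txt) if dmarc_txt else None
    if d is None:
        findings.append("no DMARC record")
    elif d.get("p", "none").lower() == "none":
        findings.append("DMARC p=none: spoofed mail is reported, not rejected")
    return findings

# Constructed sample records for a fictional domain (not real DNS data)
SAMPLE_SPF = "v=spf1 include:_spf.example.net ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.org"
```

The live records come from `dig TXT example.com` and `dig TXT _dmarc.example.com`; feed those strings to spoofing_findings().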
1. Phishing: Execute Code
Click Analysis: We generally use Python to send email and create a unique link per email to targets
Credential Grabbing: We generally use PHP to prompt for credentials
Execute Code: Usually leverage Empire (Office Macro, HTA method)
2. Web Application Vulnerabilities
Is your input being presented on the screen? -> XSS
Is your input calling on stored data? -> SQLi
Does input generate an action to an external service? -> SSRF
Does your input call on a local or remote file? -> File Inclusion
Does your input end up on the file system? -> File Upload
Does your input cause another page to load? -> Redirect Vulns
Can we enumerate technology and versions? -> Lots of Vulns
2. Web App Vulns: File Inclusion
File inclusion vulns can lead to code execution when the included file is executed (PHP include()).
Sometimes they are limited to file disclosure, where the file is only read and displayed (PHP echo()).
LFIs normally require you to get your input onto disk first and then include the affected resource (log poisoning).
RFIs are normally easier to exploit, as you can point them at an external resource containing your code.
2. Web App Vulns: Step 1
Unlinked resource “debug.php”: HTTP 200 OK and a blank screen
2. Web App Vulns: Step 2
Unlinked resource “debug.php”: HTTP 200 OK and a blank screen
2. Web App Vulns: Step 2
Never underestimate the power of a good lunch!
2. Web App Vulns: Step 3
Parameters are fuzzed to enumerate inputs: "page=test" returns a different response, "Failed opening 'test' for inclusion". That PHP warning shows the parameter value is passed to include().
2. Web App Vulns: Step 4
Attempt to execute code: 1.php = <?php system('id'); ?>
2. Web App Vulns: Step 5
IN REAL LIFE: The web service was running as SYSTEM!
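A vulnerable include beside its hardened form, as an added example that is not the talk's code: resolve_unsafe mirrors include($_GET['page']) so the reader can see where an absolute path, a traversal string or a remote 1.php URL from the steps above would end up; resolve_safe allowlists page names and confirms the resolved path stays in the pages directory; classify_probe triages the same values from the defender's side (log review). Directory layout and page names are constructed.

```python
import os
from urllib.parse import urlparse

PAGES_DIR = "/srv/www/pages"                   # constructed layout for this example
ALLOWED_PAGES = {"home", "about", "contact"}   # the only values ?page= may take

def resolve_unsafe(page):
    """Path the vulnerable pattern include($_GET['page']) would load: the
    client-controlled value is joined onto the pages directory untouched.
    An absolute value discards PAGES_DIR entirely; '..' walks out of it."""
    return os.path.normpath(os.path.join(PAGES_DIR, page))

def resolve_safe(page):
    """Hardened form: map the parameter onto a fixed allowlist, then verify the
    resolved path is still inside PAGES_DIR before it is ever opened."""
    if page not in ALLOWED_PAGES:
        raise ValueError("unknown page")
    root = os.path.realpath(PAGES_DIR)
    path = os.path.realpath(os.path.join(root, page + ".php"))
    if os.path.commonpath([root, path]) != root:
        raise ValueError("path escapes the pages directory")
    return path

def rejected(page):
    """True when resolve_safe() refuses the value."""
    try:
        resolve_safe(page)
        return False
    except ValueError:
        return True

def classify_probe(page):
    """Defender-side triage of a ?page= value seen in access logs."""
    if urlparse(page).scheme in ("http", "https", "ftp"):
        return "remote file inclusion probe"
    parts = page.replace("\\", "/").split("/")
    if page.startswith("/") or ".." in parts:
        return "local file inclusion / traversal probe"
    return "ordinary value"
```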
3. Multicast Name Resolution Poisoning
A majority of the time, internal networks have name resolution traffic enabled for the following protocols:
Link-Local Multicast Name Resolution (LLMNR)
NetBIOS Name Service (NBT-NS)
Multicast DNS (mDNS)
By listening to, intercepting and manipulating name resolution traffic, an attacker can redirect authentication traffic and perform Man-in-the-Middle (MITM) attacks.
Responder!
3. Enter Responder.py
Responder is a Python script that aids in:
Multicast Protocol Poisoning (LLMNR, NBT-NS, mDNS)
WPAD Spoofing (Web Proxy Auto-Discovery): an unauthorized server is advertised as the proxy for all HTTP requests to the Internet
MITM Attacks (intercepting credential exchanges between hosts, leading to password cracking, pass-the-hash, SMB relay attacks, etc.)
Rogue Server Services (SMTP, IMAP, POP3, SMB, Kerberos, FTP, HTTP, HTTPS, DNS, LDAP, SQL, etc.)
3. Responder.py - Use Case 1 Rogue Services
Syntax: ~$ responder -I eth0 -f
3. Responder.py - Use Case 2 WPAD
Syntax: ~$ responder -I eth0 -bw
3. Responder.py - Use Case 3 Analyze
Syntax: ~$ responder -I eth0 -A
3. Prevent Multicast Name Communication Attacks
Prevent multicast name resolution attacks by:
Disabling Broadcast Protocols: LLMNR (Link-Local Multicast Name Resolution) and NBNS (NetBIOS Name Service)
Preventing WPAD Poisoning with a WPAD entry in DNS
Segmenting the local networks with VLANs to limit impact
Ensuring that only NTLMv2 is in use rather than LM and NTLM
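Detection to go with the prevention list, as an added example that is not part of the talk: a canary LLMNR query for a name that does not exist on the LAN should receive no answer, so any host that does answer is poisoning name resolution (this is exactly what a Responder-style poisoner does). The builder and parser follow the LLMNR wire format (a DNS-style header plus one question); the poisoned reply and its IP are constructed samples so the detector can be exercised offline.

```python
import struct

LLMNR_GROUP = ("224.0.0.252", 5355)   # LLMNR multicast group/port (RFC 4795)

def encode_name(name):
    """DNS label encoding: 'fileserv' -> b'\\x08fileserv\\x00'."""
    return b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"

def decode_name(buf, off):
    """Decode labels at off; follows a compression pointer (0xC0xx) like a DNS parser."""
    labels = []
    while True:
        n = buf[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            labels.append(decode_name(buf, ptr)[0])
            return ".".join(labels), off + 2
        labels.append(buf[off + 1:off + 1 + n].decode())
        off += 1 + n

def build_query(name, txid):
    """LLMNR query: 12-byte DNS-style header (QDCOUNT=1) + one A/IN question."""
    return struct.pack("!6H", txid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)

def build_poisoned_reply(query, ip):
    """Constructed sample of a poisoner's answer: same txid, question echoed,
    one A record (name as pointer to offset 12) pointing at the poisoner."""
    txid = struct.unpack("!H", query[:2])[0]
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4) + bytes(int(o) for o in ip.split("."))
    return struct.pack("!6H", txid, 0x8000, 1, 1, 0, 0) + query[12:] + rr

def parse_reply(buf):
    """Return (txid, [(name, ipv4), ...]) for the A answers, or None if not a response."""
    txid, flags, qd, an, _, _ = struct.unpack("!6H", buf[:12])
    if not flags & 0x8000:                 # QR bit clear: this is a query, not a reply
        return None
    off = 12
    for _ in range(qd):
        off = decode_name(buf, off)[1] + 4  # skip QTYPE/QCLASS
    answers = []
    for _ in range(an):
        name, off = decode_name(buf, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in buf[off:off + 4])))
        off += rdlen
    return txid, answers

def poisoners_for_canary(canary, txid, reply):
    """The canary is a name that does not exist on the LAN, so no legitimate host
    should answer it: every IP returned here is a poisoner to investigate."""
    parsed = parse_reply(reply)
    if parsed is None or parsed[0] != txid:
        return []
    return [ip for name, ip in parsed[1] if name.lower() == canary.lower()]
```

To run it live, send build_query() to LLMNR_GROUP from a UDP socket and pass every datagram received in the next second or two to poisoners_for_canary(); on a segment where LLMNR is disabled as recommended above, the query should draw no answer at all.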
4. SMB Relay Attacks
SMB relay attacks occur once an attacker inserts themselves into the NTLM challenge/response exchange.
The attacker needs the victim to initiate an HTTP or SMB connection.
This initiation often comes from either:
LLMNR/NBNS spoofing
Automated processes attempting to authenticate to systems (e.g. patch management, antivirus updates, vulnerability scanners, custom admin scripts)
So You Started a Scan
4. SMB Relay Attack Visual: Automated Process
4. SMB Relay Attack: Multicast Poisoning
Attacker's IP: 192.168.56.103
Windows Client (Target): 192.168.56.105
Windows DC: 192.168.56.102
4. SMB Relay Attack: Multicast Poisoning Cont.
Attacker's IP: 192.168.56.103
Windows Client (Target): 192.168.56.105
Windows DC: 192.168.56.102
4. SMB Relay Attack: Multicast Poisoning Cont.
Attacker's IP: 192.168.56.103
Windows Client (Target): 192.168.56.105
Windows DC: 192.168.56.102
4. SMB Relay Attack: Nessus Scanner Scenario
4. Prevent SMB Relay Attacks
Prevent SMB relay attacks by:
Requiring SMB Signing
Disabling Broadcast Protocols: LLMNR (Link-Local Multicast Name Resolution) and NBNS (NetBIOS Name Service)
Preventing WPAD Poisoning with a WPAD entry in DNS
Blocking SMB Traffic Outbound
Enabling EPA (Extended Protection for Authentication)
5. Account Compromise
5. Account Compromise
Combines several vulnerabilities to demonstrate risk:
Username Enumeration (Low)
+ Lack of Automation Controls (Low)
+ Lack of Password Complexity Reqs (Low)
= Account Compromise (Critical)
5. Acct Comp: Username Enumeration
Password Reset Feature: “Email address not found”
Login Error Message: “Invalid Username”
Contact Us Features: “Which Admin do you want to contact?”
Timing for login attempts: Valid = 0.4 secs, Invalid = 15 secs
User Registration: “Username already exists”
Various error messages and HTML source
Google Hacking and OSINT
Sometimes the application tells you
5. Acct Comp: Automation Controls
Pull the auth request up in Burp’s Repeater and try it a few times
No sign of automation controls? -> Burp Intruder
- No account lockout
- Non-existent or weak CAPTCHA
- Main login is strong, but others? (Mobile Interface, API, etc.)
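A login handler that closes the username enumeration and automation control gaps from the two slides above, as an added example that is not part of the talk: one generic error for both unknown user and wrong password, the same password-hashing cost on both paths (so there is no 0.4 s vs 15 s timing tell), and per-source-IP plus per-account throttling in place of no lockout. The user store, thresholds and timestamps are constructed.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

GENERIC_ERROR = "Invalid username or password"   # one message for unknown user and bad password
MAX_FAILURES, WINDOW_SECS = 5, 300               # constructed policy: 5 failures per 5 minutes

def hash_pw(password, salt=None, rounds=100_000):
    """PBKDF2-HMAC-SHA256 with a per-user salt; a fresh salt is drawn when none is supplied."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)

# Constructed user store. DUMMY is a real hash so an unknown username costs the
# same PBKDF2 work as a known one: response time no longer reveals valid users.
USERS = {"alice": hash_pw("correct horse battery staple")}
DUMMY = hash_pw(os.urandom(8).hex())

class LoginService:
    def __init__(self):
        self.failures = defaultdict(list)   # ("ip", addr) / ("user", name) -> failure timestamps

    def _throttled(self, key, now):
        recent = [t for t in self.failures[key] if now - t < WINDOW_SECS]
        self.failures[key] = recent
        return len(recent) >= MAX_FAILURES

    def authenticate(self, username, password, source_ip, now=None):
        """Returns (ok, message). Throttles per source IP (password spraying) and
        per account (targeted guessing) before any password work is done."""
        now = time.time() if now is None else now
        keys = (("ip", source_ip), ("user", username.lower()))
        if any(self._throttled(k, now) for k in keys):
            return False, "Too many attempts, try again later"
        salt, expected = USERS.get(username, DUMMY)
        _, actual = hash_pw(password, salt)          # always do the work, known user or not
        ok = username in USERS and hmac.compare_digest(actual, expected)
        if not ok:
            for k in keys:
                self.failures[k].append(now)
            return False, GENERIC_ERROR              # never "invalid username"
        return True, "ok"
```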
5. Acct Comp: Weak Passwords
We as humans are bad at passwords…here are some tricks:
- Password the same as username
- Variations of “password”: “p@ssw0rd”…
- Month+Year, Season+Year: winter2015…
- Company Name + Year
- Keyboard Walks – PW Generator: “!QAZ2wsx”
Lots of wordlists out there, consider making a targeted wordlist
Research the targeted user’s interests and build lists around those interests
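A password policy check built from the patterns on this slide, as an added example that is not part of the talk: it flags username-derived passwords, leetspeak variants of "password", month/season + year, company name + year, and keyboard walks such as !QAZ2wsx. The company name and candidate passwords are constructed; the keyboard layout assumed is US QWERTY.

```python
import re

MONTHS = ("january february march april may june july august september october "
          "november december jan feb mar apr jun jul aug sep sept oct nov dec").split()
SEASONS = ["spring", "summer", "fall", "autumn", "winter"]
LEET = str.maketrans("@013$5!", "aoiessi")          # p@ssw0rd -> password
SHIFT = str.maketrans("!@#$%^&*()", "1234567890")   # !QAZ -> 1qaz (shifted number row)
KEYBOARD = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
            "1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm", "8ik", "9ol"]
KEYBOARD += [k[::-1] for k in KEYBOARD]             # walks typed backwards

def is_keyboard_walk(pw):
    """True when the whole password is made of runs (3+ keys) of adjacent keys."""
    s, i = pw.lower().translate(SHIFT), 0
    if len(s) < 3:
        return False
    while i < len(s):
        run = next((n for n in range(len(s) - i, 2, -1)
                    if any(s[i:i + n] in k for k in KEYBOARD)), 0)
        if run == 0:
            return False
        i += run
    return True

def weak_reasons(password, username, company):
    """Return the slide's weak-password patterns that the candidate matches."""
    low = password.lower()
    norm = low.translate(LEET)
    year = r"(19|20)?\d{2}[!.]*"
    reasons = []
    if username and norm.startswith(username.lower().translate(LEET)):
        reasons.append("same as or derived from username")
    if "password" in norm:
        reasons.append("variation of 'password'")
    if re.fullmatch("(" + "|".join(MONTHS + SEASONS) + ")" + year, low):
        reasons.append("month or season + year")
    if company and re.fullmatch(re.escape(company.lower()) + year, low):
        reasons.append("company name + year")
    if is_keyboard_walk(password):
        reasons.append("keyboard walk")
    return reasons
```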
5. Acct Comp: Default and Shared
Attempt to brute force across all the things
Brute Force Tools: Burp Suite’s Intruder, Hydra, CrackMapExec, MSF SMB
modules, Nmap, etc.
Always try default creds for any given technology
We commonly see shared Linux root creds, and shared Windows local admin
creds across the entire enterprise
Final Thoughts and Tips
Use Shodan and Censys.io for external reconnaissance
Make sure you investigate shares (enum4linux)
Unlinked Content enumeration on web applications is key
Passwords written down on sticky notes? Yeah, usually
Can you reset a PW via the Help Desk?
Put a focus on feature abuse: What does the technology let you do? How can
you abuse that functionality?
Once you get valid credentials try them across all the things
Useful Trainings & Links
• Free Training: Cybrary
• CTFs: Vulnhub, Past CTF Writeups, Pentester Lab
• Training: Offensive Security, SANS, SecurityTube
• Book: Web Application Hacker's Handbook
• Book: Black Hat Python
• Talks: IronGeek (Adrian Crenshaw’s) YouTube Channel
• Talk: How to Shot Web - Jason Haddix
• Talk: How to be an InfoSec Geek - Primal Security
• Talk: File in the hole! - Soroush Dalili
• Talk: Exploiting Deserialization Vulnerabilities in Java
• Talk: Polyglot Payloads in Practice - Marcus Niemietz
• Talk: Running Away From Security - Micah Hoffman
• Talk: Beyond Automated Testing – Us!
• GitHub Resource: Security Lists For Fun & Profit