Zero to Domain Admin in 10 minutes
Alt: A preview of what your next pentest should look like.

whoami
Hi I’m Jon. I steal things. No seriously, I’m being for real. Just like this:
Jon, FALE (Association of Locksport Enthusiasts)
From our twitter: a privately-funded think tank providing global thought leadership to the security industry since 2010. – lol

Pentesting for value
- 1. Compliance versus Security
- 2. Postulates versus Proof
- 3. Pentest as Attack Simulation

Bad guys / Compliance / #REKT

Infosec trends:
- spend a lot of money
- still get owned
- spend more money
- get owned harder
- Maybe our testing needs a shift?

Today’s typical methodology:
The right way:
Actual Attack Scenarios: Attack → Access → Collection → Exfiltration
Actual attack scenarios (best case):
How we think things are:

The IT security industry is currently focused on minimizing the presence of vulnerabilities.
Consider a change in focus to what attacker tactics/techniques you can detect and respond to.
To do this we need to ramp up post-exploitation and stealth.

Reality Check:
- Good attackers don’t use expensive vulnerability scanners
- Good attackers don’t use automated penetration testing
- Attackers don’t have a scope or timeframes
- Attackers don’t stop after the first successful exploit

Risk Assessment?
- Test of Design
- Test of Effectiveness

HOW TO:
Step 1: Recon
Step 2: Recon
Step 3: Recon
Step 4: Exploit
Step 5: Show Impact
Step 6: Show Impact
Step 7: Show Impact

Why? Because this is more valuable than a chart:

OSINT Value
- It’s free!
- Someone/Something else already did most of it for you
- Develop a Process/Methodology == Habit
- Do it EVERY time: *Unicorns* show up occasionally. You can’t take the attitude that “I'll never find/see X”
- Put eyes on EVERYTHING!
OSINT: Open Source Intelligence Gathering
- Often excluded from penetration testing
- It’s the easiest way to learn about a target w/o being detected
- Hackers do it
- Profiling will expedite chances for success
- Basis to formulate a custom attack matrix

OSINT - External Support Tools
- Harvester, Fierce, jigsaw, FOCA, Shodan, Maltego, Deep Magic, etc.
- Metasploit Auxiliary Modules
- Nmap scripts (NSE)
- Roll your own (ruby, python, bash)
- No substitute for your eyes and brain: Is information X important or not? How can it be applied throughout an engagement? What’s the value and potential damage of the Intel?

Harvester
./theHarvester.py -d anadarko.com -l 500 -b google
[+] Emails found:
-----------------
[truncated – 87 results]
[+] Hosts found in search engines:
-----------------------------------
208.39.97.145:www.anadarko.com
144.94.1.77:citrix.anadarko.com
208.39.97.145:careers.anadarko.com
144.94.0.4:nodea.anadarko.com
connect.data.com

Fierce
./fierce.pl --dns anadarko.com -threads 10
144.94.0.73 apps.anadarko.com
144.94.7.26 av.anadarko.com
208.39.97.145 careers.anadarko.com
144.94.1.56 ftp.anadarko.com
144.94.1.53 pager.anadarko.com
216.146.46.10 remote.anadarko.com
216.146.46.11 remote.anadarko.com
144.94.0.68 sa.anadarko.com
144.94.7.23 sip.anadarko.com
144.94.0.68 vpn.anadarko.com
144.94.7.97 video.anadarko.com

shodan
Common finds:
- owa.example.com
- vpn.example.com

OWA Smartbrute 101:
OWA2003 logon page: http://192.168.1.145/exchweb/bin/auth/usa/logon.asp redirects to http://XXXX/exchweb/bin/auth/owaauth.dll

OWA Smartbrute 101:
- Burp Intruder
- Battering Ram
- Generic Accounts list (make your own)
- Sniper: OSINT usernames and “Summer14” or any combo of [season][year] (yes, it works)

OWA PostPost-Exploitation
- Dump GAL (also with burp)
- Phish as the compromised user
- Public folders
- Search for “password”
- Use the creds on VPN

VPN 101

VPN PostPost-Exploitation
Step 1: shell the machine
Step 2: dump creds (mimikatz pls)
Step 3: find Domain Admin
Step 4: Dump SAM from Domain Controller
Step 5: other flags
Step 6: think about starting your nessus scans

PostPost-Exploitation tl;dr – testing doesn’t stop at shell

Phishing: traditional
- Metrics only
- AV catches payloads
- Sites get caught in defenses
- Clean report for your board

Phishing: traditional
- Take the email address list given by the client.
- Send a single phish attack (canned).
- Hope it works.
- Collect results… make a table in excel.
- Report.

Phishing for Value
Attack Site VS. Real Site

Phishing for Value
- Evaluate awareness level of users
- Evaluate security of end user systems
- Evaluate defense technologies (on box and in line): AV/IPS/Spam Gateways/Proxy/Content Filters..

Phishing for Value
- Evaluate incident response procedures
- Measure defense capabilities (tech and process)
- Evaluate the ability to exfiltrate data
- Evaluate the ability to identify persistence

Consider this: As an attacker, I can submit as clean the domains that I’m going to phish you with. In fact, I ALWAYS do. Let that simmer.

PostPost-Exploitation
- Multiple rounds of phishing
- Multiple undetectable payloads
- We’re in. Time to pillage.

PostPost-Exploitation
Step 1: shell the machine
Step 2: dump creds (mimikatz pls)
Step 3: find Domain Admin
Step 4: Dump SAM from Domain Controller
Step 5: other flags
Step 6: think about starting your nessus scans

FLAGS
We stole countries with the cunning use of flags. Just sail around the world and stick a flag in. "I claim India for Britain!"
They're going "You can't claim us, we live here! Five hundred million of us!" "Do you have a flag…?"

Domain Admin as a Flag
- some say it’s a dumb flag.
- some miss that it lets you do anything you want.

FLAGS
- pick a flag.
- this is the point.
- A good pentest isn’t supposed to show you whether an attacker can get in.
- (hint: they can)

PostPost-Exploitation
- Lateral movement is the “live and die in LA” of post-exploitation
- How can we do it?

Learn to Metasploit
- not the cert. Anything but that.
- LEARN it. We rarely encounter environments where it cannot be used.
- ps - AV evasion is easy

Quickest path to Domain Admin
10 get shell
20 net group "domain admins" /domain
30 nslookup example.com
40 load mimikatz
50 wdigest
60 is domain admin in wdigest dump?
70 if yes, own domain controller
80 if no, use creds to pivot
90 go to 40

Can’t load mimikatz?
- Put procdump on the compromised machine.
- ‘at’ job to procdump lsass.exe

Can’t find domain admin workstations?
https://github.com/mubix/netview
Man netview: “Netview is an enumeration tool. It uses (with the -d) the current domain or a specified domain (with the -d domain) to enumerate hosts. You can also use the -f if you wish to specify a file with a list of hosts instead. Any hostnames you wish to exclude can be specified in a list with -e. If you want to query for a domain group and highlight where those users are logged in from, specify the group with -g.”

Can’t dump SAM?
- Vssadmin create shadow
- Pull SAM, SYSTEM, and NTDS.dit
- Parse. Boom.

MITIGATIONS 1. Train your people
- Users are NOT the unpatchable vulnerability.
- We have been training people since we left the caves; not a whole lot has changed.

MITIGATIONS 2. Two-factor Auth EVERYTHING
- No really, do it. Seriously.
- Make an attacker phish or break in.

MITIGATIONS 3. Make phishing harder
- SPF, DKIM, DMARC, domain age checking, attachment filtering.
- Be aware of “RCPT TO” command abuses
- http://centralops.net/co/ to peer into your domain

MITIGATIONS 4. Filtering/Detection solutions
- URL filtering solutions
- SSL Inspection
- In-Line detection solutions

MITIGATIONS 4. Filtering/Detection continued
- HIDS with real-time log aggregation and real-time anomaly-based event triggering.
- Application whitelisting.

MITIGATIONS 5. Disable some things
- Do you need Java?
- blocking .jar is cute and ineffective
- Disable powershell on user subnets/systems.

MITIGATIONS 6. Account management
- Don't make your users local admin. No seriously, don't. For real though, don't do it.

MITIGATIONS 6. Account management continued
- Make user account privilege tiers: standard user, local admin, server admin, types of server admin, domain admin, enterprise admin, etc.
- Make policies that dictate which contexts each account may be used in.

MITIGATIONS 7. Get your IR in order
- Don’t make your people the “HOW SHOULD I KNOW” group.
- Invest in your blue team: time, personnel, budget.

thanks. (come by our table)
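The "Quickest path to Domain Admin" loop works because tier-0 credentials get used, and therefore cached, on ordinary workstations, which is exactly what the account-context policies in Mitigation 6 and the real-time log aggregation in Mitigation 4 exist to catch. This added example (not from the deck) runs that detection over a few constructed, pipe-delimited SIEM extracts; the account names, host names and extract format are hypothetical.

```python
import re
from collections import namedtuple

# Hypothetical tiering policy: tier-0 (domain admin) accounts may only log on
# to tier-0 hosts. In practice, derive these sets from your AD groups and OUs.
DOMAIN_ADMINS = {"CORP\\da-jon", "CORP\\da-backup"}
TIER0_HOSTS = {"DC01", "DC02"}

# Command-line patterns for the credential-theft steps the talk lists:
# mimikatz/procdump against lsass, and shadow copies used to reach NTDS.dit.
SUSPICIOUS_CMDLINES = [
    ("lsass dump via procdump", re.compile(r"procdump.*lsass", re.I)),
    ("shadow copy creation", re.compile(r"vssadmin.*create\s+shadow", re.I)),
    ("mimikatz on the box", re.compile(r"mimikatz|sekurlsa", re.I)),
]
Alert = namedtuple("Alert", "host user reason")

def parse_event(line):
    """Parse one pipe-delimited SIEM extract: EventID|Host|User|LogonType|CommandLine."""
    fields = line.strip().split("|")
    if len(fields) != 5:
        return None  # malformed line: skip it rather than crash the pipeline
    event_id, host, user, logon_type, cmdline = fields
    return {"id": int(event_id), "host": host, "user": user,
            "logon_type": logon_type, "cmdline": cmdline}

def detect(events):
    """Alert on tier-0 accounts used outside tier-0 hosts (4624 logons) and on
    credential-theft command lines (4688 process creation)."""
    alerts = []
    for ev in filter(None, map(parse_event, events)):
        if ev["id"] == 4624 and ev["user"] in DOMAIN_ADMINS and ev["host"] not in TIER0_HOSTS:
            alerts.append(Alert(ev["host"], ev["user"],
                                f"domain admin logon (type {ev['logon_type']}) on non-tier-0 host"))
        elif ev["id"] == 4688:
            for reason, pattern in SUSPICIOUS_CMDLINES:
                if pattern.search(ev["cmdline"]):
                    alerts.append(Alert(ev["host"], ev["user"], reason))
    return alerts

# Constructed sample extracts (not real logs). 4624 = logon, 4688 = process creation.
SAMPLE_EVENTS = [
    "4624|WS-FINANCE-12|CORP\\da-jon|10|",  # DA credentials used on a workstation
    "4624|DC01|CORP\\da-jon|2|",  # DA on a DC: allowed by policy
    "4624|WS-FINANCE-12|CORP\\jsmith|2|",  # ordinary user logon
    "4688|WS-FINANCE-12|CORP\\jsmith|-|C:\\tools\\procdump.exe lsass.exe lsass.dmp",
    "4688|DC01|CORP\\da-jon|-|vssadmin create shadow",
    "4688|WS-FINANCE-12|CORP\\jsmith|-|notepad.exe",
]
print(*detect(SAMPLE_EVENTS), sep="\n")
```

The first alert is the one the talk's step 60 depends on: once a domain admin has logged on to a workstation, their credentials are in that box's lsass for the taking.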
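For Mitigation 3, an added example (not part of the deck) that scores a domain's SPF and DMARC TXT records for the gaps that let a phish spoof that domain: a soft or missing "all" term, too many lookups, a p=none policy, no reporting address. The records are constructed strings and no DNS lookup is performed, so it runs offline.

```python
import re

# Mechanisms/modifiers that cost a DNS lookup under RFC 7208 (limit: 10 per check).
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def spf_findings(record):
    """Return a list of weaknesses in an SPF TXT record string (empty = fine)."""
    if not record.lower().startswith("v=spf1"):
        return ["no SPF record: receivers cannot tell forged envelope senders from yours"]
    terms = record.split()[1:]
    findings = []
    all_term = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif all_term[0] not in "-~?":  # bare "all" defaults to the "+" qualifier
        findings.append("'+all' passes every sender: SPF is effectively disabled")
    elif all_term[0] == "?":
        findings.append("'?all' is neutral: no enforcement")
    elif all_term[0] == "~":
        findings.append("'~all' is softfail: most receivers still deliver the mail")
    lookups = sum(1 for t in terms
                  if re.split(r"[:/=]", t.lstrip("+-~?"), 1)[0].lower() in SPF_LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10: evaluates to permerror")
    return findings

def dmarc_findings(record):
    """Return a list of weaknesses in a DMARC TXT record string (empty = fine)."""
    if not record.upper().startswith("V=DMARC1"):
        return ["no DMARC record: SPF/DKIM failures are not acted on and nobody is told"]
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    findings = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in spam instead of being rejected")
    if "rua" not in tags:
        findings.append("no rua= address: you receive no aggregate reports of spoofing attempts")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")
    return findings

# Constructed records for two hypothetical domains (not real DNS data).
WEAK = ("v=spf1 include:_spf.example.net ~all", "v=DMARC1; p=none")
HARDENED = ("v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
            "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100")
```

DKIM is not checked here because a selector record only proves a key exists; whether outbound mail is actually signed has to be verified on a sent message.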