  • Think like an Attacker to Protect against Data Breach

  • WHOAMI /groups

    Husband / Red Teamer / Marine Corps Veteran

    Matt Batten

    Where I work:

  • How to:

    Think Like an Attacker to Protect against Data Breach

    What about misconfigurations?

  • Misconfigurations

    Unpatched systems

    Using default account credentials (i.e., usernames and passwords)

    Unprotected files and directories

    Unused web pages

    Poorly configured network devices

    Source: common-security-misconfigurations/#gref

  • Old But New 08/26/2019 | Matt

    An unquoted environment-variable path in a Scheduled Task that runs as SYSTEM

    Unquoted paths are abused frequently on engagements. Normally an attacker would see an
    unquoted service path, not an unquoted scheduled task path. What makes this one unique is
    that the path is built from an environment variable whose expansion contains a space, and
    that is what lets an attacker abuse it. The key is that if the path is unquoted, Windows
    treats each space as a possible end of the executable name, so it looks for
    C:\Program.exe before it ever gets to C:\Program Files\. I was surprised that an
    up-to-date Windows 10 machine would still have a vulnerability like this.

    The scheduled task shell-usoscan is present and active on a default install of Windows 10
    and uses the environment variable %programfiles% in a path that is unquoted.
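    The search behaviour described above, as an added example that is not part of the talk:
    the script expands a %programfiles% path the way Task Scheduler would, lists the files
    CreateProcess would try in order for the unquoted string, and shows the quoted form that
    fixes it. The task path, the environment table and the vendor directory are constructed
    for the example; it is not the real shell-usoscan command line.

```python
import ntpath
import re

# Constructed environment for the example; a real host would use os.environ.
SAMPLE_ENV = {"programfiles": r"C:\Program Files"}

# Hypothetical task action modelled on the page's description (an unquoted
# %programfiles% path); it is NOT the real shell-usoscan command line.
UNQUOTED_ACTION = r"%programfiles%\Example Vendor\tool.exe"


def expand_env(path, env=SAMPLE_ENV):
    """Expand %VAR% references case-insensitively, as Task Scheduler does
    before the string reaches CreateProcess."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).lower(), m.group(0)), path)


def candidate_executables(path):
    """Files Windows would try, in order, for a program path.

    A quoted path is taken literally.  For an unquoted path CreateProcess
    reads the string up to each space as the executable name (appending
    .exe when that prefix has no extension) and runs the first one that
    exists, which is why C:\\Program.exe wins over C:\\Program Files\\...
    """
    if path.startswith('"'):
        return [path[1:path.index('"', 1)]]
    cut_points = [i for i, ch in enumerate(path) if ch == " "] + [len(path)]
    candidates = []
    for pos in cut_points:
        prefix = path[:pos]
        if ntpath.splitext(prefix)[1] == "":
            prefix += ".exe"
        candidates.append(prefix)
    return candidates


def hijack_directories(path):
    """Directories an attacker must be able to write to in order to plant a
    binary that runs instead of the intended one.  The last candidate is the
    legitimate executable, so it is excluded."""
    return [ntpath.dirname(c) for c in candidate_executables(path)[:-1]]


def quote_path(path):
    """The fix: wrap the expanded path in double quotes so the whole string
    is one executable name."""
    return path if path.startswith('"') else f'"{path}"'


if __name__ == "__main__":
    expanded = expand_env(UNQUOTED_ACTION)
    for cand in candidate_executables(expanded):
        print("tries:", cand)
    print("attacker needs write access to:", hijack_directories(expanded))
    print("hardened:", quote_path(expanded))
```

    The list from hijack_directories is exactly what to check with icacls before calling
    this a finding on a given host: on a default install, standard users cannot create files
    in C:\ or in C:\Program Files\, so the unquoted path only becomes an escalation or
    persistence primitive where those ACLs have been loosened or the attacker already holds
    rights to one of those directories.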


  • 08/26/2019: Submitted to MSRC

    09/03/2019: Initial response from MSRC:

    MSRC closed the case and asked how it was a MITM or social engineering attack

    09/10/2019: Reached back out to ask MSRC because their response didn’t make sense;

    informed MSRC of my intent to publish findings.

    09/10/2019: MSRC reopened the ticket

    09/10/2019: MSRC final response:

    Will be a next version fix

    This is the link provided by Microsoft as a point of reference:


    The reference sent by Microsoft refers to vendors having misconfigured services. This is a

    Microsoft owned Scheduled Task.

  • Am I vulnerable? YES!

    You are always vulnerable.

    That is why defense in depth is important.

    There are 0-days that are not publicly known.

    Your network is most likely vulnerable even without a 0-day exploit.

    Every time you download a third-party application you open yourself up even more.

  • Most common things I have seen

    Fun words red teamers throw around

    What are red teamers doing?

  • Passwords and usernames in public

    Google Dorking, e.g.: filetype:doc password "walmart"

  • Enumerating subdomains

  • Public facing without multi-factor authentication

  • Why multi-factor authentication is important

    Security questions
  • Employee's personal account gets "hacked"

    Why and how does this affect you?

    Educate users on how to prevent their accounts from being compromised,
    and how to recognize if they already

  • Who cares? Only you!

    If someone's account gets taken over, local law enforcement most likely will not be
    able to help due to lack of resources.

    There are options, but most are not likely to care unless it involves more than $10k,
    you are a political figure, or enough people report the same issue in a short amount
    of time.

  • Port Security

    Does port security really help? Such as sticky MACs.

    Issues I have seen while testing this.

  • Scanning Methodology

  • Responder

    LLMNR and NBT-NS spoofing is still, even today, an easy way to harvest credentials and
    move laterally, riding on nothing more than normal network traffic: a host that mistypes
    a share name, or looks up a name DNS cannot resolve, falls back to broadcasting for it,
    and Responder answers.

  • MultiRelay

    A powerful pentest utility included in Responder's tools folder, giving you the ability
    to perform targeted NTLMv1 and NTLMv2 relay on a selected target. Currently MultiRelay
    relays HTTP, WebDAV, Proxy, and SMB authentications to an SMB server.

    This tool can be customized to accept a range of users to relay to a target. The concept
    behind this is to only target domain Administrators, local Administrators, or privileged
    accounts.




  • SMB signing not on

    (I know, you can't turn it on: compatibility issues.)

    Every penetration test you will get the same feedback (turn SMB signing on).

    Too bad you are still running Windows 2003.


  • Ways to stop Responder and pass the hash (PTH)

    Honestly, it is hard.

    Disable LLMNR and NBT-NS.

    Create an entry for WPAD (so clients never have to broadcast for it).

    GPO for SMB signing and

    Ensure that any account an attacker lands on is not an admin
    (only use admin accounts from secure workstations).
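    Both the Responder slide and the list of fixes above come down to the same question:
    is anything on the segment still answering LLMNR? As an added example that is not from
    the talk or from the Responder project, the script below builds a canary LLMNR query
    (an A lookup for a name that must not exist on your network), parses the RFC 4795
    message format, and reports the IP of whatever answers it, which is how you verify that
    the "disable LLMNR" change actually took and that no poisoner is running. The canary
    name, transaction ID and the 10.0.0.66 reply are constructed sample data; on a real
    network you would send the query to 224.0.0.252:5355 and feed the reply bytes in.

```python
import struct

LLMNR_PORT = 5355          # UDP 5355 to multicast 224.0.0.252 (RFC 4795)
TYPE_A = 1
CLASS_IN = 1
FLAG_RESPONSE = 0x8000
CANARY = "canary-share-01"  # constructed name that does not exist in the lab


def _encode_name(name):
    """DNS-style label encoding: length-prefixed labels, zero terminator."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.split(".")) + b"\x00"


def _decode_name(pkt, off):
    labels = []
    while True:
        length = pkt[off]
        off += 1
        if length == 0:
            return ".".join(labels), off
        if (length & 0xC0) == 0xC0:          # DNS-style compression pointer
            ptr = ((length & 0x3F) << 8) | pkt[off]
            labels.append(_decode_name(pkt, ptr)[0])
            return ".".join(labels), off + 1
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length


def build_query(txid, name):
    """Canary query: only a poisoner can answer for a name nobody owns."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def parse_llmnr(pkt):
    """Parse the LLMNR header, question section and answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    questions, answers = [], []
    for _ in range(qd):
        name, off = _decode_name(pkt, off)
        qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = _decode_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        value = (".".join(str(b) for b in rdata)
                 if rtype == TYPE_A and rdlen == 4 else rdata.hex())
        answers.append((name, rtype, ttl, value))
    return {"id": txid, "is_response": bool(flags & FLAG_RESPONSE),
            "questions": questions, "answers": answers}


def detect_spoof(canary_name, txid, pkt):
    """Return the IP claiming the canary name, or None if pkt is not an
    answer to our canary query (wrong ID, not a response, other name)."""
    msg = parse_llmnr(pkt)
    if not msg["is_response"] or msg["id"] != txid:
        return None
    for name, rtype, _ttl, value in msg["answers"]:
        if rtype == TYPE_A and name.lower() == canary_name.lower():
            return value
    return None


def sample_poisoned_reply(txid, name, ip):
    """Constructed sample of a poisoner's reply: question echoed back plus an
    A record pointing the name at the attacker's IP."""
    header = struct.pack("!HHHHHH", txid, FLAG_RESPONSE, 1, 1, 0, 0)
    question = _encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    answer = (_encode_name(name) + struct.pack("!HHIH", TYPE_A, CLASS_IN, 30, 4)
              + bytes(int(o) for o in ip.split(".")))
    return header + question + answer


if __name__ == "__main__":
    query = build_query(0x1234, CANARY)
    reply = sample_poisoned_reply(0x1234, CANARY, "10.0.0.66")
    print("query asks for:", parse_llmnr(query)["questions"])
    print("spoofer:", detect_spoof(CANARY, 0x1234, reply))     # 10.0.0.66
    print("no answer:", detect_spoof(CANARY, 0x1234, query))   # None
```

    Run the canary from a few machines on each VLAN on a schedule; a hit is a host to pull
    off the network, and silence after the LLMNR and NBT-NS GPO rolls out is the evidence
    that the fix landed everywhere.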

  • Why are some systems not restarted for years?

    What is LSASS?

    Local Security Authority Subsystem Service (LSASS) is a process in Microsoft Windows
    operating systems that is responsible for enforcing the security policy on the system.
    It verifies users logging on to a Windows computer or server, handles password changes,
    and creates access tokens. It also writes to the Windows Security Log.

    An attacker with local admin on that box can dump what LSASS still holds in memory,
    which can include credentials of every user who has logged on to it since it was last
    restarted.
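    Reading credential material out of LSASS means opening the process with at least
    PROCESS_VM_READ (0x0010) in the granted-access mask, which is what a SIEM rule should
    key on. As an added example that is not from the talk, the script below runs that rule
    over a few constructed log lines that loosely follow the field names of Sysmon Event
    ID 10 (ProcessAccess). The allowlist of legitimate LSASS readers is a starting point,
    not a verified baseline; tune it against your own environment, which is the point the
    SIEM slides make about needing a baseline.

```python
import re

PROCESS_VM_READ = 0x0010   # required to read lsass memory; 0x1010 is a common dumper mask
LSASS = "lsass.exe"

# Processes that routinely open lsass with read access on a typical host.
# Constructed starting point: tune against your baseline, do not trust blindly.
ALLOWLIST = {
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\services.exe",
}

# Constructed sample events (Sysmon-like key=value lines, no spaces in paths).
SAMPLE_EVENTS = [
    "EventID=10 SourceImage=C:\\Windows\\System32\\wininit.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1FFFFF",
    "EventID=10 SourceImage=C:\\Windows\\System32\\svchost.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1000",
    "EventID=10 SourceImage=C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1010",
    "EventID=10 SourceImage=C:\\Windows\\System32\\taskmgr.exe "
    "TargetImage=C:\\Windows\\System32\\notepad.exe GrantedAccess=0x1010",
    "EventID=1 Image=C:\\Windows\\System32\\notepad.exe",
]


def parse_event(line):
    """Turn 'Key=Value Key=Value' into a dict (values contain no spaces here)."""
    return dict(m.groups() for m in re.finditer(r"(\w+)=(\S+)", line))


def is_lsass_read(event):
    """True for a ProcessAccess event whose target is lsass.exe and whose
    granted access includes PROCESS_VM_READ."""
    if event.get("EventID") != "10":
        return False
    if not event.get("TargetImage", "").lower().endswith("\\" + LSASS):
        return False
    return bool(int(event.get("GrantedAccess", "0"), 16) & PROCESS_VM_READ)


def suspicious_lsass_access(lines, allowlist=ALLOWLIST):
    """The rule: lsass opened with read access by a process not on the
    allowlist.  Returns (source image, access mask) pairs worth a ticket."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_lsass_read(ev) and ev.get("SourceImage", "").lower() not in allowlist:
            hits.append((ev["SourceImage"], ev["GrantedAccess"]))
    return hits


if __name__ == "__main__":
    for source, mask in suspicious_lsass_access(SAMPLE_EVENTS):
        print(f"ALERT lsass read by {source} (GrantedAccess={mask})")
```

    svchost.exe with 0x1000 is not flagged because that mask lacks PROCESS_VM_READ, and
    wininit.exe is not flagged because it is allowlisted; the unsigned binary in a user's
    Temp directory with 0x1010 is the one an analyst should actually open the SIEM for.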

  • dsquery

  • SIEM

    Very powerful instrument in the right hands.

    Alarms and rules must be properly set.

    Analyst turnover makes it harder.

    You need a baseline (high turnover rate = no understanding of the baseline).
  • Ticket Management Team gets an alarm.

    Looks up what the alarm is and sees that another analyst handled it by adding a note
    to "additional comments".

    So the analyst who sees the alarm now also adds it to additional comments and saves,
    without ever looking at the SIEM.

    See any issues with this?

    Security analysts need to be trained.

    Do not get complacent.

    Playbooks and runbooks need to be a thing.

  • If you enjoyed this talk and would like to know more

    If you have any questions or are just interested in talking, feel free to message me on
    Twitter (or walk up to me while I am here).

    Twitter: @RedVuln

    Name: Matt Batten