PENTEST APOCALYPSE
PENTEST PREPPERS
WHOAMI
• Beau Bullock
• Pentester at Black Hills Information Security
• OSCP, OSWP, GPEN, GCIH, GCFA, and GSEC
• Previously an enterprise defender
• Blogger
• Guitarist/Audio Engineer
• Homebrewer
BACKGROUND
• Privilege escalation has been too easy
• No detection
• Unprivileged user to DA in < 60 seconds = Pentest Apocalypse
• Fix the common issues and low-hanging fruit first
• Who needs a zero-day?
WHAT ARE YOU BUYING?
• Penetration test vs. vulnerability assessment
• If your scanner results look like this you don’t need a pentest.
VULNERABILITY ASSESSMENT
• Helps identify low-hanging fruit
• Typically broader in scope
• Locate and identify assets
• Opportunity to tune detection devices
• Helps an organization improve overall security posture
PENETRATION TEST
• Goal driven
• Targeted escalation tactics
• Typically try to avoid detection
• Can your security posture withstand an advanced attacker?
LET’S TALK ABOUT SOME COMMON ISSUES
10 COMMON ISSUES
• 1. Missing Patches
• 2. Group Policy Preference Passwords
• 3. Widespread Local Administrator Accounts
• 4. Weak Password Policy
• 5. Overprivileged Users (admin of local host)
• 6. Overprivileged Users (admin of other hosts)
• 7. Sensitive Files on Shares
• 8. Information Disclosure on Intranet Sites
• 9. NetBIOS and LLMNR Poisoning
• 10. Local Workstation Privilege Escalation
PATCHES
• MS08-067
• MS14-068
• PsExec Patch
• ColdFusion Patches
• ShellShock
• Heartbleed
PATCHES WON’T FIX EVERYTHING
GROUP POLICY PREFERENCES (GPP)
• Extensions of Active Directory
• Configurable settings for use with Group Policy Objects
• Advanced settings for folders, mapped drives, and printers
• Deploy applications
• Create a local administrator account
http://www.dannyeckes.com/create-local-admin-group-policy-gpo/
GPP (CONTINUED)
• May 13, 2014 – MS14-025
• Passwords of accounts set by GPP are trivially decrypted!
• …by ANY authenticated user on the domain
• Located in the groups.xml file on SYSVOL
https://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be.aspx
http://blogs.technet.com/b/srd/archive/2014/05/13/ms14-025-an-update-for-group-policy-preferences.aspx
https://dirteam.com/sander/2014/05/23/security-thoughts-passwords-in-group-policy-preferences-cve-2014-1812/
GPP (WHAT DOES THE PATCH DO?)
• MS14-025 removes the ability to create local accounts with GPP
• Doesn’t remove previous entries!
• You need to manually delete these accounts
GPP (SUMMARY)
• First thing I check for on an internal assessment
• Almost always find an admin password here
• Find it with:
  • PowerSploit - Get-GPPPassword
  • Metasploit GPP Module
  • Or…
C:\>findstr /S cpassword %logonserver%\sysvol\*.xml
https://github.com/mattifestation/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1
http://www.rapid7.com/db/modules/post/windows/gather/credentials/gpp
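The remediation side of the two GPP slides above is finding every leftover entry so it can be deleted. The following Python script is an added example written for this page (it is not part of PowerSploit, Metasploit, or Microsoft's MS14-025 tooling): it walks a SYSVOL-style tree, parses every *.xml file, and reports each GPP item whose Properties element still carries a non-empty cpassword, without touching the ciphertext itself. The sample Groups.xml and Drives.xml, the placeholder GPO GUID folder name and the placeholder cpassword value are all constructed so the script runs offline.

```python
"""Find Group Policy Preference XML files on a SYSVOL tree that still carry a
cpassword attribute. MS14-025 blocks creating new GPP passwords but leaves
existing entries in place, so this is the check a domain admin runs before
deleting them. Example code written for this page; it is not part of
PowerSploit, Metasploit or Microsoft's MS14-025 tooling."""
import os
import tempfile
import xml.etree.ElementTree as ET


def find_cpassword_entries(sysvol_root):
    """Walk every *.xml below sysvol_root (the same scope as the findstr
    one-liner) and return (relative path, item tag, userName) for each GPP
    item whose <Properties> child has a non-empty cpassword. The ciphertext
    itself is deliberately not returned: the fix is to delete the entry."""
    findings = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                continue  # not well-formed XML; nothing GPP-shaped to report
            for item in root.iter():
                props = item.find("Properties")
                # An empty cpassword="" means no password was stored: harmless.
                if props is not None and props.get("cpassword"):
                    findings.append((os.path.relpath(path, sysvol_root),
                                     item.tag, props.get("userName", "")))
    return findings


# Constructed Groups.xml in the GPP layout: one user with a stored password,
# one without. The cpassword value is a placeholder, not a real ciphertext.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="localadmin" changed="2014-01-07 12:00:00">
    <Properties action="U" userName="localadmin" neverExpires="1"
                cpassword="PLACEHOLDER_NOT_A_REAL_CPASSWORD"/>
  </User>
  <User name="helpdesk" changed="2014-01-07 12:00:00">
    <Properties action="U" userName="helpdesk" cpassword=""/>
  </User>
</Groups>
"""

# Constructed Drives.xml with no stored credentials at all.
SAMPLE_DRIVES_XML = """<?xml version="1.0" encoding="utf-8"?>
<Drives>
  <Drive name="H:">
    <Properties action="U" path="\\\\fileserver\\home" label="Home"/>
  </Drive>
</Drives>
"""


def build_sample_sysvol():
    """Create a temporary tree shaped like SYSVOL\\domain\\Policies\\{GUID}
    (the GUID is a placeholder) holding the two constructed files above."""
    root = tempfile.mkdtemp(prefix="sysvol_")
    gpo = os.path.join(root, "domain", "Policies",
                       "{00000000-0000-0000-0000-000000000001}")
    groups_dir = os.path.join(gpo, "Machine", "Preferences", "Groups")
    drives_dir = os.path.join(gpo, "User", "Preferences", "Drives")
    os.makedirs(groups_dir)
    os.makedirs(drives_dir)
    with open(os.path.join(groups_dir, "Groups.xml"), "w") as fh:
        fh.write(SAMPLE_GROUPS_XML)
    with open(os.path.join(drives_dir, "Drives.xml"), "w") as fh:
        fh.write(SAMPLE_DRIVES_XML)
    return root


if __name__ == "__main__":
    # Against a real domain, point this at \\<domain>\SYSVOL instead.
    for rel_path, tag, user in find_cpassword_entries(build_sample_sysvol()):
        print(f"{rel_path}: <{tag}> userName={user!r} still has a cpassword")
```

On a real domain the only change is the root path: run it against the domain's SYSVOL share and every hit is an entry that MS14-025 did not clean up and that still needs to be removed by hand, as the slide says.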
WIDESPREAD LOCAL ADMINISTRATOR ACCOUNT
• Makes it easy to pivot from workstation to workstation
• Using creds found via GPP:
  • SMB_Login Metasploit Module
http://www.rapid7.com/db/modules/auxiliary/scanner/smb/smb_login
WIDESPREAD LOCAL ADMIN (CONTINUED)
• What’s next?
  • Hunt for Domain Admins – JoeWare NetSess, Veil-PowerView UserHunter
  • PsExec_psh Metasploit Module
  • RDP?
• If we don’t have cleartext creds:
  • Pass-the-hash
http://www.joeware.net/freetools/tools/netsess/index.htm
https://www.veil-framework.com/hunting-users-veil-framework/
http://www.rapid7.com/db/modules/exploit/windows/smb/psexec_psh
PASSWORDS
• Default Passwords
  • admin:admin
  • tomcat:tomcat
• Pwnedlist
  • Credentials from previous data breaches
• Default 8 character password policy?
  • Password spraying
http://splashdata.com/press/worst-passwords-of-2014.htm
PASSWORD SPRAYING
• Domain locks out accounts after a certain number of failed logins
• Can’t brute force a single user’s password
• Solution:
  • Try a number of passwords less than the domain lockout policy against EVERY account in the domain
PASSWORD SPRAYING (CONTINUED)
• Lockout Policy = Threshold of five
• Let’s try three or four passwords
• What passwords do we try?
  • Password123
  • Companyname123
  • Etc.
@FOR /F %n in (users.txt) DO @FOR /F %p in (pass.txt) DO @net use \\DOMAINCONTROLLER\IPC$ /user:DOMAIN\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete \\DOMAINCONTROLLER\IPC$ > NUL
http://www.lanmaster53.com/
https://github.com/lukebaggett/powerspray
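Because a spray stays under the lockout threshold for every account, lockout-based alerting never fires; the thing to detect is one source failing logons against many distinct accounts in a short window. The Python below is an added example written for this page (not a product rule or anything from the talk): it builds a constructed set of failed-logon records in an assumed minimal (timestamp, target account, source address) shape modelled on Windows Event ID 4625, then flags sources that touch at least ten accounts within ten minutes and reports whether each stayed below the lockout threshold of five quoted on the slide.

```python
"""Spot password spraying in Windows failed-logon (Event ID 4625) data.
A spray keeps each account under the lockout threshold, so per-account
failure counts look innocent; the signal is one source touching many
distinct accounts in a short window. Example code written for this page,
not a product rule; the events are constructed and the record shape
(timestamp, target account, source address) is an assumed minimal export
of 4625, not a real Windows log format."""
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5          # the domain policy quoted on the slide


def build_sample_events():
    """Constructed 4625-style records: 10.0.0.50 tries three passwords
    against twelve accounts (under the lockout threshold for each), while
    10.0.0.7 is one user mistyping their own password four times."""
    base = datetime(2015, 4, 1, 9, 0, 0)
    users = [f"user{i:02d}" for i in range(12)]
    events = []
    for guess in range(3):                        # one pass per password tried
        for i, user in enumerate(users):
            events.append((base + timedelta(seconds=guess * 60 + i),
                           user, "10.0.0.50"))
    for k in range(4):                            # bob, same account repeatedly
        events.append((base + timedelta(minutes=2, seconds=k * 15),
                       "bob", "10.0.0.7"))
    return events


def find_spray_sources(events, window=timedelta(minutes=10), min_accounts=10):
    """Return {source: summary} for every source that fails logons against at
    least min_accounts distinct accounts within any window-long span.
    The summary records how many accounts were hit, the highest per-account
    failure count, and whether that count stayed below the lockout threshold
    (which is what makes a spray invisible to lockout-based alerting)."""
    by_source = defaultdict(list)
    for ts, user, src in events:
        by_source[src].append((ts, user))
    flagged = {}
    for src, items in by_source.items():
        items.sort()
        for start in range(len(items)):          # slide the window start
            t0 = items[start][0]
            per_account = defaultdict(int)
            for ts, user in items[start:]:
                if ts - t0 > window:
                    break
                per_account[user] += 1
            if len(per_account) >= min_accounts:
                worst = max(per_account.values())
                flagged[src] = {
                    "accounts": len(per_account),
                    "max_attempts_per_account": worst,
                    "under_lockout": worst < LOCKOUT_THRESHOLD,
                }
                break
    return flagged


if __name__ == "__main__":
    for src, info in find_spray_sources(build_sample_events()).items():
        print(f"{src}: {info['accounts']} accounts, "
              f"max {info['max_attempts_per_account']} failures each, "
              f"under lockout threshold: {info['under_lockout']}")
```

The single user who fat-fingers their own password four times is not flagged, even though that is the pattern a per-account lockout rule is built for; the spraying source is, even though no single account it touched ever reached the threshold. Feeding real 4625 exports in and tuning min_accounts and window to your environment is the kind of detection check the "tune detection devices" slide later asks for.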
PASSWORD SPRAYING (CONTINUED)
PASSWORDS (CONTINUED)
• Increase password length
• Don’t make ridiculous policies
• Remember… correcthorsebatterystaple
• Check PwnedList
• Password spray
http://xkcd.com/936/
OVERPRIVILEGED USERS
• Are your standard users already local admins?
• This takes out a major step of privilege escalation
• Only grant admin access where necessary, not globally
OVERPRIVILEGED USERS (OTHER HOSTS)
• Scenario:
  • Unprivileged user wants to run some software on their system
  • User calls helpdesk
  • Helpdesk attempts to get it working for the user
  • Fails
  • Decides adding the “Domain Users” group to the local administrators group is a good idea
OVERPRIVILEGED USERS (OTHER HOSTS)
• This means EVERY domain user is now an administrator of that system
• Veil-PowerView Invoke-FindLocalAdminAccess
• Veil-PowerView Invoke-ShareFinder
http://www.harmj0y.net/blog/penetesting/finding-local-admin-with-the-veil-framework/
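The helpdesk scenario above leaves a fingerprint that is easy to audit from the host itself: a broad domain group sitting in the local Administrators group. The Python below is an added example written for this page (it is not PowerView code and does not reimplement Invoke-FindLocalAdminAccess): it parses the text that `net localgroup administrators` prints and flags members such as "Domain Users", "Authenticated Users" or "Everyone". The sample output is constructed and CORP is a placeholder domain name, so it runs offline here.

```python
"""Audit the local Administrators group for broad domain groups such as
"Domain Users", which turn every domain account into a local admin of the
host. Example code written for this page; it parses the text that
`net localgroup administrators` prints, and the sample output is constructed
(CORP is a placeholder domain name), so it runs offline here."""

# Principals that should never be in a workstation's Administrators group:
# each one grants admin rights to the whole domain (or to everyone).
BROAD_PRINCIPALS = {"domain users", "authenticated users", "everyone"}

# Constructed `net localgroup administrators` output for one workstation.
SAMPLE_NET_LOCALGROUP = """Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\Domain Users
CORP\\helpdesk-tier1
localadmin
The command completed successfully.
"""


def parse_net_localgroup(text):
    """Return the member names listed between the dashed separator and the
    trailing status line of `net localgroup <group>` output."""
    members = []
    in_members = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("----"):
            in_members = True
            continue
        if not in_members or not line:
            continue
        if line.startswith("The command completed"):
            break
        members.append(line)
    return members


def broad_admin_members(text):
    """Return the parsed members that are broad group principals. Matching
    ignores the DOMAIN\\ prefix and case, so "CORP\\Domain Users" and
    "domain users" are both caught."""
    flagged = []
    for member in parse_net_localgroup(text):
        bare = member.split("\\", 1)[-1].strip().lower()
        if bare in BROAD_PRINCIPALS:
            flagged.append(member)
    return flagged


if __name__ == "__main__":
    # On real hosts: collect `net localgroup administrators` output from each
    # workstation with your endpoint management tooling and feed it in here.
    for member in broad_admin_members(SAMPLE_NET_LOCALGROUP):
        print(f"WARNING: {member} is a member of the local Administrators group")
```

Collected across the fleet, the flagged list is exactly the set of hosts the slide describes: machines where any domain account, and therefore any compromised one, already holds local admin.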
WHAT INFORMATION CAN YOU LEARN FROM USERS ON THE NETWORK?
FILES ON SHARES
• Sensitive files on shares?
• Find them with more PowerView awesomeness…
• Use the list generated by ShareFinder with FileFinder
• FileFinder will find files with the following strings in their title:
  • ‘*pass*’, ‘*sensitive*’, ‘*admin*’, ‘*secret*’, ‘*login*’, ‘*unattend*.xml’, ‘*.vmdk’, ‘*creds*’, or ‘*credential*’
https://www.veil-framework.com/hunting-sensitive-data-veil-framework/
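A share owner can run the same name patterns over their own shares before a tester does. The Python below is an added example written for this page, not FileFinder itself: it reimplements only the file-name matching using the patterns listed on the slide, compared case-insensitively because share contents are usually Windows file names, and walks a constructed sample tree so it runs offline.

```python
"""Sweep a share (or any directory tree) for file names matching the patterns
PowerView's FileFinder uses, so the owner of the share finds them first.
Example code written for this page; it reimplements only the name matching,
not FileFinder itself, and the sample tree is constructed."""
import fnmatch
import os
import tempfile

# The name patterns listed on the slide.
SENSITIVE_NAME_PATTERNS = ["*pass*", "*sensitive*", "*admin*", "*secret*",
                           "*login*", "*unattend*.xml", "*.vmdk", "*creds*",
                           "*credential*"]


def matching_patterns(filename):
    """Return the patterns a single file name matches. Both sides are
    lower-cased because fnmatch is case-sensitive on POSIX and Windows
    file names are not."""
    lowered = filename.lower()
    return [p for p in SENSITIVE_NAME_PATTERNS
            if fnmatch.fnmatchcase(lowered, p.lower())]


def find_sensitive_files(share_root):
    """Walk share_root and return sorted (relative path, [patterns]) pairs for
    every file whose name matches at least one pattern."""
    hits = []
    for dirpath, _dirs, files in os.walk(share_root):
        for name in files:
            pats = matching_patterns(name)
            if pats:
                rel = os.path.relpath(os.path.join(dirpath, name), share_root)
                hits.append((rel, pats))
    return sorted(hits)


def build_sample_share():
    """Constructed share layout: five names that should match, two that
    should not. The files are empty; only their names matter here."""
    root = tempfile.mkdtemp(prefix="share_")
    sample_files = [
        "IT/Passwords.xlsx",              # *pass*
        "IT/Builds/unattend.xml",         # *unattend*.xml
        "HR/Admin_Onboarding.docx",       # *admin*
        "VMs/web01.vmdk",                 # *.vmdk
        "Projects/login-page-mockup.png", # *login*
        "README.txt",                     # no match
        "Finance/Q1_report.pdf",          # no match
    ]
    for rel in sample_files:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root


if __name__ == "__main__":
    # On a real share, pass its mounted path (or a UNC path on Windows).
    for rel, pats in find_sensitive_files(build_sample_share()):
        print(f"{rel}  matched {', '.join(pats)}")
```

The patterns are deliberately loose ("*admin*" also catches an onboarding document about admins), which is why the output is a review list rather than a verdict; the point is to see the list before someone else does.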
INFORMATION DISCLOSURE ON INTRANET
• Knowledge Bases are helpful to employees… and attackers
  • Helpdesk tickets
  • How-to articles
  • Emails
• Search functionality is our best friend
• Search for <insert critical infrastructure name, sensitive data type, or ‘password’>
NETBIOS AND LLMNR POISONING
• LLMNR = Link-Local Multicast Name Resolution
• NBT-NS = NetBIOS over TCP/IP Name Service
• Both help hosts identify each other when DNS fails
http://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning
NETBIOS AND LLMNR (CONTINUED)
• SpiderLabs Responder
  • Poisons NBT-NS and LLMNR
  • The result is we obtain NTLM challenge/response hashes
  • Crack hashes
https://github.com/Spiderlabs/Responder
https://www.trustwave.com/Resources/SpiderLabs-Blog/Introducing-Responder-1-0/
LOCAL WORKSTATION PRIVILEGE ESCALATION
• PowerUp!
  • Another awesome Veil tool
  • Invoke-AllChecks looks for potential privilege escalation vectors
http://www.verisgroup.com/2014/06/17/powerup-usage/
SUMMARY (10 COMMON ISSUES)
• 1. Missing Patches
• 2. Group Policy Preference Passwords
• 3. Widespread Local Administrator Accounts
• 4. Weak Password Policy
• 5. Overprivileged Users (admin of local host)
• 6. Overprivileged Users (admin of other hosts)
• 7. Sensitive Files on Shares
• 8. Information Disclosure on Intranet Sites
• 9. NetBIOS and LLMNR Poisoning
• 10. Local Workstation Privilege Escalation
NOW TO PREP YOUR PENTEST BUG OUT BAG
TUNE DETECTION DEVICES
• Test your network security devices prior to a pentest for common pentester activities
  • Meterpreter shells
  • Port scans
  • Password spraying
PERFORM EGRESS FILTERING
• Block outbound access except where needed
• Implement an authenticated web proxy and force all web traffic through it
THINGS THAT MAKE OUR JOB HARD
• Application Whitelisting
• Disabling PowerShell
• Network Access Control
• Network segmentation
• Fixing the items mentioned earlier
THINGS NOT TO DO DURING A PENTEST
• Inform your teams that the test is happening
• Monitor, but don’t interfere during a pentest
• Enforce different policies on the pentester than “normal” users
• Alert users to an upcoming phishing test
PENTEST PREPARATION GUIDE
PENTEST PREP GUIDE
• May help organizations prepare for an upcoming penetration test
• Details of the 10 issues I talked about today
  • How to identify
  • How to remediate
CHECKLIST!
DOWNLOAD HERE
http://bit.ly/1FF33nH
QUESTIONS?
• Contact me
  • Personal - beau@dafthack.com
  • Work - beau@blackhillsinfosec.com
  • Twitter - @dafthack
  • Blog - www.dafthack.com
