Simon Nolet, Pentest SME, August 29, 2019
https://ici.radio-canada.ca/nouvelle/1168160/hak-mtl-documentaire-pirates-piratage-informatique-montreal-alexandre-sheldo
Threat actors: Disgruntled employees, Hackers, Nation states, Hacktivists, Criminals, Competitors. Non-targeted / Targeted.
Privilege Escalation: Domain User → Local Administrator → Domain Admins. Weaknesses that enable it: Password reuse; Service accounts with weak passwords; Inadequate administrative rights; Password spraying; Workstations without full disk encryption; Passwords following a pattern; Weak passwords; Use of legacy protocols; Use of domain admin credentials on workstations.
Why is it important? ▪ Often the only authentication mechanism needed to impersonate a user on the network ▪ People tend to use passwords easily cracked by a computer ▪ Most companies use a weak password policy ▪ Users can reuse their passwords ▪ Some users have a password template, so a password might be derived from the previous one ▪ Password length greatly increases cracking complexity
Microsoft's Philosophy ▪ Microsoft keeps legacy features even when not used because their removal could impact operating systems ▪ Legacy features can lead to security issues ▪ Windows is not an operating system that is secure by default ▪ Pentesters often exploit the domain architecture against itself.
LINK-LOCAL MULTICAST NAME RESOLUTION / NETBIOS NAME SERVER ▪ Its purpose is to resolve NetBIOS computer names with the help of computers on the adjacent network.
LLMNR's Usage: When does a computer perform an LLMNR / NBNS request? 1. When a user makes a typo in a network name. 2. When a program is configured to look for a name that doesn't resolve. 3. When the configured DNS server doesn't have a response to the request.
Antidote Example
Password Cracking
Password Policy
External Reconnaissance
Users without access ▪ Not targeted ▪ No access ▪ No confidential information ▪ Identity impersonation on the network ▪ SIEM logs will point fingers at you ▪ Accountability
Domain User ▪ Read all group policies (SYSVOL – logon scripts) ▪ Read Active Directory attributes (often find passwords in the description field) ▪ Ask for Kerberos tickets of Service Principal Names ▪ Enumerate all users with their groups (Domain Admins, useful for password spraying)
DOMAIN USER RIGHTS ▪ Ask for active sessions on computers (know who is connected where): Get-NetSession ▪ Enumerate Active Directory configuration (servers, versions, domain controllers): ADRecon ▪ Enumerate network share content (Everyone, Authenticated Users and specific permissions of the compromised user).
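The deck pairs user enumeration with password spraying and notes that SIEM logs point back at the actor. Below is an added detection example (not from the talk) that flags a spray from failed-logon records: one source failing against many distinct accounts inside a short window, which a mistyping user never produces. The 4625-style records are constructed so it runs offline; on a domain controller the same function takes output of Get-WinEvent -FilterHashtable @{LogName='Security';Id=4625} with the fields mapped.

```powershell
# Added example, not the presenter's code. Input objects need TimeCreated, IpAddress
# and TargetUserName, the fields a 4625 (failed logon) event carries.
function Find-PasswordSpray {
    param(
        [Parameter(Mandatory)] [object[]]$Events,
        [int]$MinAccounts   = 10,   # distinct accounts one host rarely fails legitimately
        [int]$WindowMinutes = 30
    )
    $hits = @()
    foreach ($group in ($Events | Group-Object IpAddress)) {
        $sorted = @($group.Group | Sort-Object TimeCreated)
        # Sliding window: from each failure, count distinct targets in the next WindowMinutes.
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start = $sorted[$i].TimeCreated
            $end   = $start.AddMinutes($WindowMinutes)
            $users = @($sorted | Where-Object { $_.TimeCreated -ge $start -and $_.TimeCreated -le $end } |
                       Select-Object -ExpandProperty TargetUserName -Unique)
            if ($users.Count -ge $MinAccounts) {
                $hits += [pscustomobject]@{ Source = $group.Name; Accounts = $users.Count; From = $start }
                break   # one alert per source; the SIEM can correlate the rest
            }
        }
    }
    return $hits
}

# Constructed sample (hypothetical addresses and names):
#   10.0.0.50 tries 12 different accounts once each within 5 minutes  -> spray
#   10.0.0.7  fails 6 times against a single account                  -> mistyped password, not a spray
$t0 = Get-Date '2019-08-29 09:00'
$events = @()
foreach ($n in 1..12) {
    $events += [pscustomobject]@{ TimeCreated = $t0.AddSeconds(25 * $n); IpAddress = '10.0.0.50'; TargetUserName = "user$n" }
}
foreach ($n in 1..6) {
    $events += [pscustomobject]@{ TimeCreated = $t0.AddMinutes($n); IpAddress = '10.0.0.7'; TargetUserName = 'jdoe' }
}

# Reports only 10.0.0.50 (12 accounts); 10.0.0.7 stays below the threshold.
Find-PasswordSpray -Events $events -MinAccounts 10 | Format-Table -AutoSize
```

Tune MinAccounts to the environment: a spray that honours the lockout threshold spreads attempts thinly, so the account count, not the attempt count per account, is what separates it from ordinary failures.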
DOMAIN USER RIGHTS
LOCAL ADMINISTRATOR RIGHTS ▪ Read plaintext passwords in the memory of active sessions ▪ Install a keylogger ▪ Read passwords and cookies in browsers
Local Administrator Rights ▪ Retrieve local hashes (lateral movement): Samdump, Mimikatz ▪ Install a backdoor on the system. ▪ Use the machine account on the network (Domain Computers). ▪ Activate WDigest (stores passwords in cleartext in memory).
WINDOWS 7 ▪ In Windows 7, credentials are stored in plaintext by WDigest (default) ▪ Used for compatibility with SSO over HTTP.
Credentials Stored in Memory
WINDOWS 7
Lateral Movement – Pass the Hash ▪ Allows establishing a connection with a remote machine using captured credentials (the hash). ▪ Knowledge of the plaintext password is not required ▪ You can PTH a domain account or a local account (RID 500)
Lateral Movement – SMB Relay ▪ SMB Relay – SMB Signing ▪ Computers don't require signing ▪ Knowledge of the plaintext password is not required
NT AUTHORITY\SYSTEM
Domain Admins Rights ▪ Local Administrator on all computers joined to the domain ▪ Admin access to all network shares on all computers in the domain, including hidden shares (C$) ▪ Interact with and modify users in Active Directory (password, rights, groups, etc.)
Domain Admins Rights ▪ Enumerate and modify trusts between different domains ▪ Access to the Event Viewer of all computers in the domain ▪ Change the password of every user in the domain. ▪ Access to all hashes of all accounts in the domain ▪ Read all protected attributes in Active Directory (BitLocker, LAPS, etc.)
ACCESS TO ALL HASHES OF ALL ACCOUNTS IN THE DOMAIN.
Domain Admins Rights ▪ Average time to obtain Domain Admin privileges: ❖ 3-4 hours ▪ Clients rarely know that we successfully escalated our privileges to Domain Admin before the tester(s) tell them ▪ Obtaining Domain Admin privileges is only the beginning of the test ▪ Gives the access required to read all configuration and find multiple other entry points or configuration issues.
PASSWORD IS NO LONGER ADEQUATE AND IS OLD.
REG ADD "HKLM\Software\Policies\Microsoft\Windows NT\DNSClient" /v "EnableMulticast" /t REG_DWORD /d "0" /f
Multi-Factor Authentication ▪ Verify user identity ▪ « What you know » ▪ « What you own »
Firewall ▪ Network segmentation ▪ Local firewall for machine isolation
Least Privilege Violation ▪ VMware Admin = Domain Admins (virtual DC) ▪ Tech support password reset ▪ Service account with Domain Admin
Zero-Trust ▪ Access control ▪ Don't trust anyone / any account
USE DEFENSE IN DEPTH AND LAYERS, NOT 'THE BEST PRODUCT'
CYBERSECURITY IS A PROCESS, NOT A PRODUCT
HACKERS ARE ATTRACTED BY EASY AND ATTRACTIVE TARGETS
CONCLUSION
Recommendations
More recommendations