Post on 08-Jun-2018
transcript
Expert Webinar: Hacking Your Windows IT Environment
Presenters:
Liam Cleary
Microsoft MVP, Blogger
www.helloitsliam.com
@helloitsliam
helloitsliam@protonmail.com
Jeff Melnick
Pre-Sales Director, Netwrix
Jeff.Melnick@netwrix.com
Housekeeping
• All attendees are on mute
• Ask your questions!
• Questions will be answered during the session or at the Q&A at the end
• You will receive a copy of slides and webinar recording in the follow-up email
• Duration: Up to 60 minutes
• We hope you enjoy!
Agenda
Attacks
• Understanding attacks
• Attack methods
• Exploitation process
Protection
• Patch management
• General protections
Monitoring
• General approaches
• Netwrix Auditor
Understanding Attacks
Vulnerability: Vulnerabilities are entry points into an application, or even hardware, that allow it to be used in a way that was not intended. Attackers can use vulnerabilities to glean information about the current security defenses in place. With vulnerabilities, hackers are typically trying to solve a puzzle about what they can get away with before they attack.
Exploit: An exploit is normally some kind of package that understands a known vulnerability and executes arbitrary code or processes. Exploits can take place behind firewalls, where they are harder to spot, and can cause irreparable damage if they go undetected.
Threat: A threat refers to the hypothetical event in which a hacker uses a vulnerability. The threat itself will normally involve an exploit, as well as other processes and tools.
Attack Rules of Engagement
• Intelligence gathering
• Vulnerability analysis
• Exploitation
• Post exploitation and reporting
Types of Attacks
• Cross-site Scripting
• Man-in-the-middle
• Phishing
• SQL Injection
• Session Hijacking
• Credential Reuse
• Malware
• Denial-of-service
Application Specific Attack Methods
• Authentication test
• Database attack
• Test manual access
• Brute force web access
• Web service scanning
• Remote desktop test
Client Side Application Attacks
• Sessions
• Users
• Client side controls
• Authentication
• Back end components
• Web applications
The Attack Process
• Scan devices
• Scan IP ranges
• Scan firewall
• Active Directory attack
• Specific application attacks
• Database attack
Scanning
• Inverse Mapping: exclude devices and servers that don't respond
• Ping Sweeps: send ICMP/TCP packets to identify "active" devices and servers
• Port Scans: protocol-specific interrogation of devices and servers
Network server scanning and network device scanning both rely on ICMP/TCP probes followed by port scans.
Network, Port and Service Scanning
• Nmap port scan
• PowerSploit
• Ping sweeps: AngryIP scanner
• Metasploit
• Manual
Exploitation Process
Exploitation Steps
• Identify Vulnerability
• Identify Exploit
• Select Module / Framework
• Create Payload
• Generate Code
• Create Listener
Weapon Delivery
• Remote Shell
• Remote Web Backdoor Opened
• Remote Access Exploit Saved & Executed
• Remote Command Execution
Pivoting
• Access direct to target / no access beyond target
• Utilize target to proxy requests
Diagram: attacker side 192.168.153.X/24, target side 192.168.111.X/24. Meterpreter scan: run get_local_subnet returns 192.168.111.X/24; the compromised target then acts as the proxy.
Pivoting Commands
# Get local subnets on target
run get_local_subnet
background
# Add route to send subnet traffic over current session (Metasploit route command is lowercase)
route add 192.168.153.0 255.255.255.0 1
# Use Meterpreter routing to pivot traffic
ifconfig
run arp_scanner -r 192.168.111.0/24
Port Forwarding
• Forward traffic to the target, which then forwards it on to targets that are not directly visible
• Attacker uses a local port
• Target forwards the request on the chosen port
Diagram: attacker side 192.168.153.X/24, relay, target side 192.168.111.X/24; local port 3389 is relayed to remote port 3389.
Port Forwarding Commands
# Forward ports between local machine and target
portfwd add -l 3389 -p 3389 -r 192.168.111.130
portfwd list
# Remote Desktop locally: connect to the forwarded local port, which the relay passes to 192.168.111.130
rdesktop 127.0.0.1
Token Stealing and Impersonation
• Incognito is used to retrieve current tokens
• Impersonate using a retrieved token
Diagram: attacker side 192.168.153.X/24, relay, target side 192.168.111.X/24.
Pivoting Commands
# Grab the current process list
ps
# Steal tokens
steal_token 380
# Use Incognito
load incognito
# List current tokens, then elevate account permissions
list_tokens -u
impersonate_token DOMAIN\user
Protecting the Environment
Patching your Windows environments
• Monthly Rollup: standard full roll-up of ALL released patches
• Global Patch: critical operating system updates
• Limited Release Patch: "from the field" patches covering specific issues
Patch:
• Only install patches that match the current level
• If the patch resolves a current issue
• If the patch is a security update
Don't Patch:
• Unless on the current service pack, don't deploy
• Multiple hotfixes versus latest released service
• Inconsistency across servers
General Server Protection
• Inspect ALL traffic
• Access control traffic
• Monitor
• Application firewall, perimeter firewall, operating system firewall
General Device Protection
• Inspect ALL traffic
• Access control traffic
• Monitor
• Device firewall, perimeter firewall
• Block ports
Infrastructure Protection
• Inspect ALL traffic
• Access control traffic
• Monitor
• Application firewall, perimeter firewall, operating system firewall
• Server isolation
• Port control
Process Whitelisting
• Allowed executables, allowed scripts, allowed paths
• Blocked executables, blocked scripts, blocked paths
Escalation Protection
• Additional logging
• Isolation/scoping of privileges
• Step-up and proof-up
• Customizable workflow
Privileged Access Management (PAM)
• Corporate domain and bastion domain, linked by a trust
• Shadow principal: SID mapped between identities (CORP\group and BASTION\group)
• Workflow: request access, approval of access, permissions assigned, time-restricted access granted
Privileged Access Workstations (PAW)
Privileged Access Workstations (PAWs) provide a dedicated operating system for sensitive tasks that is protected from Internet attacks and threat vectors. Separating these sensitive tasks and accounts from the daily use workstations and devices provides very strong protection from phishing attacks, application and OS vulnerabilities, various impersonation attacks, and credential theft attacks such as keystroke logging, Pass-the-Hash, and Pass-The-Ticket.
Tier model:
• Tier 0: Active Directory, administered by Forest / Domain Admins from a dedicated admin workstation
• Tier 1: Servers, administered by Server Admins from a dedicated admin workstation
• Tier 2: Workstations, administered by Workstation Admins from a dedicated admin workstation
Diagram legend: Same Tier Login, Higher Tier Login, Lower Tier Login. The point of the tiers is that an admin account only logs on to assets of its own tier; exposing a higher-tier credential on a lower-tier device is exactly what the model is designed to prevent.
Monitoring
Monitoring approaches
• Audit Logging
• Security Event Logging
• Firewall Logs
Monitoring categories
• Non-active accounts
• External accounts
• High-value accounts
• Anomalies or malicious actions
• Account whitelist
• Different account types
• Restricted use accounts/devices
• Account naming conventions
Alerts example
# Filter the Security Event log for a specific event (4720 = user account created)
Get-WinEvent -FilterHashtable @{LogName="Security";ID=4720} |
    Select TimeCreated,
        @{n="Account Creator";e={([xml]$_.ToXml()).Event.EventData.Data | ? {$_.Name -eq "SubjectUserName"} | %{$_.'#text'}}},
        @{n="User Account";e={([xml]$_.ToXml()).Event.EventData.Data | ? {$_.Name -eq "SamAccountName"} | %{$_.'#text'}}}

# Send event details as email
$Subject = "User account created"
$Server = "your.smtp.server"
$From = "From@domain.com"
$To = "To@domain.com"
$Pwd = ConvertTo-SecureString "password" -AsPlainText -Force   # Sender account password
$Cred = New-Object System.Management.Automation.PSCredential("accountname", $Pwd)
$encoding = [System.Text.Encoding]::UTF8   # UTF8 so the message displays correctly
# Most recent account-creation event, rendered to text so it is readable in the mail body
$Body = Get-WinEvent -FilterHashtable @{LogName="Security";ID=4720} |
    Select TimeCreated,
        @{n="Account creator";e={([xml]$_.ToXml()).Event.EventData.Data | ? {$_.Name -eq "SubjectUserName"} | %{$_.'#text'}}},
        @{n="User Account";e={([xml]$_.ToXml()).Event.EventData.Data | ? {$_.Name -eq "SamAccountName"} | %{$_.'#text'}}} |
    Select-Object -First 1 | Out-String
Send-MailMessage -From $From -To $To -SmtpServer $Server -Body $Body -Subject $Subject -Credential $Cred -Encoding $encoding
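An added example, not from the webinar or Netwrix, in the same PowerShell register as the alert above: it pulls the event XML parsing into one helper and applies two of the monitoring categories from the slides, an account whitelist for who may create accounts (event 4720) and a naming-convention check that flags a Tier 0 admin account (PAW tier model) logging on (event 4624) to a host outside the Tier 0 DC/PAW list. The T0- prefix, the host names and the embedded sample events are constructed assumptions.

```powershell
# Added example, not part of the webinar: parse Security events once into a
# hashtable, then apply two of the monitoring categories from the slides.
# The T0- naming convention, host lists and sample events are constructed.

function ConvertFrom-SecurityEventXml {
    param([Parameter(Mandatory)][string]$Xml)
    $doc = [xml]$Xml
    $fields = @{ EventID = [int]$doc.Event.System.EventID; Computer = [string]$doc.Event.System.Computer }
    # Each <Data Name="..."> child becomes a key, e.g. SubjectUserName, SamAccountName
    foreach ($d in $doc.Event.EventData.Data) { $fields[$d.Name] = [string]$d.'#text' }
    return $fields
}

# 4720 (user account created) where the creator is not on the approved whitelist
function Find-UnapprovedAccountCreation {
    param([hashtable[]]$Events, [string[]]$ApprovedCreators)
    $Events | Where-Object { $_.EventID -eq 4720 -and $ApprovedCreators -notcontains $_.SubjectUserName }
}

# 4624 (logon) of a Tier 0 account on a host that is not a Tier 0 asset (DC or PAW)
function Find-TierViolation {
    param([hashtable[]]$Events, [string[]]$Tier0Hosts, [string]$Tier0Prefix = 'T0-')
    $Events | Where-Object {
        $_.EventID -eq 4624 -and $_.TargetUserName -like "$Tier0Prefix*" -and $Tier0Hosts -notcontains $_.Computer
    }
}

# Constructed sample events. Live use: Get-WinEvent -FilterHashtable @{LogName='Security';ID=4624,4720} |
#   ForEach-Object { ConvertFrom-SecurityEventXml $_.ToXml() }
$sampleXml = @(
    '<Event><System><EventID>4720</EventID><Computer>DC01.corp.example</Computer></System><EventData><Data Name="SamAccountName">svc-new</Data><Data Name="SubjectUserName">jdoe</Data></EventData></Event>',
    '<Event><System><EventID>4624</EventID><Computer>WKS-042.corp.example</Computer></System><EventData><Data Name="TargetUserName">T0-admin1</Data><Data Name="LogonType">10</Data></EventData></Event>',
    '<Event><System><EventID>4624</EventID><Computer>PAW-T0-01.corp.example</Computer></System><EventData><Data Name="TargetUserName">T0-admin1</Data><Data Name="LogonType">2</Data></EventData></Event>'
)
$events = @($sampleXml | ForEach-Object { ConvertFrom-SecurityEventXml $_ })

# First event fires the whitelist alert; only the WKS-042 logon fires the tier alert
Find-UnapprovedAccountCreation -Events $events -ApprovedCreators @('svc-provisioning') |
    ForEach-Object { "ALERT: $($_.SubjectUserName) created account $($_.SamAccountName) on $($_.Computer)" }
Find-TierViolation -Events $events -Tier0Hosts @('DC01.corp.example', 'PAW-T0-01.corp.example') |
    ForEach-Object { "ALERT: Tier 0 account $($_.TargetUserName) logged on to $($_.Computer) (logon type $($_.LogonType))" }
```

The alert strings can be handed to the same Send-MailMessage call shown above instead of being written to the console.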
Netwrix Auditor - Demonstration
Netwrix Auditor Applications
Netwrix Auditor for Active Directory
Netwrix Auditor for Windows File Servers
Netwrix Auditor for Oracle Database
Netwrix Auditor for Azure AD
Netwrix Auditor for EMC
Netwrix Auditor for SQL Server
Netwrix Auditor for Exchange
Netwrix Auditor for NetApp
Netwrix Auditor for Windows Server
Netwrix Auditor for Office 365
Netwrix Auditor for SharePoint
Netwrix Auditor for VMware
Netwrix Customers
Chart of customers by industry: Financial; Healthcare & Pharmaceutical; Federal, State, Local Government; Industrial/Technology/Other.
Industry Awards and Recognition
All awards: www.netwrix.com/awards
Next Steps
Free Trial: setup in your own test environment:
On-premises: netwrix.com/freetrial
Virtual: netwrix.com/go/appliance
Cloud: netwrix.com/go/cloud
Test Drive: run a virtual POC in a Netwrix-hosted test lab netwrix.com/testdrive
Webinars: join our upcoming webinars and watch the recorded sessions netwrix.com/webinars
Come see us at MS Ignite!
September 25th-29th, Booth #1825
Thank you
Contact us: presenter contact details are listed at the top of this transcript.