Post on 28-May-2020
transcript
Paul Asadoorian
Security Weekly, Founder & CEO
Offensive Countermeasures, CEO
How To Defend Against Penetration Testers...and Win
© Defensive Intuition, LLC 2004-2017 Confidential & Proprietary
About Me
● I run the Security Weekly podcast network
● I am the CEO at Offensive Countermeasures
● I’ve worked building security infrastructure, penetration testing and as a product specialist for Tenable Network Security
● I have serious hacking days:
DISCLAIMER
“The opinions, words, phrases, sentences, so-called facts, images, and/or videos expressed in this presentation and on the following slides are solely those of the presenter and not those of the conference, sponsors, affiliates, security vendors, or anyone else. Only Paul could guarantee the accuracy or reliability of the information provided herein (but does not anyhow).
If you are easily offended by imagery, puns, jokes, funny phrases, adult language and humor, or anything even close to the above, please excuse yourself from this presentation.”
Talk Outline
How did I come up with this talk?
Then, practical stuff:
1. Active Directory Defense
2. Network & Data Segmentation
3. Default Credential Discovery
4. Canary Accounts
5. Create Dark Space
6. Analyze Outbound Network Traffic
I Ask A Lot Of Questions
“Why Are Penetration Tests So Successful?”
Literally every pen tester once they are “successful”
The Question You Ask Matters
The Top Three Answers:
“People don’t patch stuff”
“People use dumb passwords”
“I am the most awesome penetration tester in the world, bow to my exploits and expert coding skillz”
Better Question = Better Answers
“Which exposures most often lead to complete network compromise?”
Windows authentication is a “hot mess”
Once I’m in, I can roam free
People use dumb passwords
I Asked Even More Penetration Testers
Collectively perform over 1,000 penetration tests per year
(including the teams they work on)
I interviewed all four of them and asked them the same question
(on the previous slide)...
Two Themes Emerged
1. Authentication
2. Segmentation
Customers Did Not Fix The Critical Issues
Year after year, the findings contained the same exposures.
Why pay for a penetration test if you are not going to address the issues?
But, Why Don’t People Get Better Over Time?
People fix it wrong.
1. Buying stuff
2. Ineffective Communications & Leadership
Have A Plan
Okay, commercial tools can help, but have goals and a plan first
What follows are 6 tips that can be implemented without buying additional tools
How To Make A Penetration Tester Cry
1. Discontinue use of LM
2. Prevent Pass-The-Hash Attacks
3. Implement a Password Policy / Manage High Privileged Credentials
4. Create a WPAD entry and disable NBNS and LLMNR
5. Prevent Password hashes from being stored in memory
This could be an entire talk just on the above topics! The most important thing is communication with your Active Directory administrators.
#1 Discontinue use of LM
Set NoLMHash setting in Group Policy or Registry
Users have to change their password
“If your network contains Windows 95, Windows 98, or Macintosh clients, you may experience the following problems”
https://support.microsoft.com/en-us/help/299656/how-to-prevent-windows-from-storing-a-lan-manager-hash-of-your-password-in-active-directory-and-local-sam-databases
#2 Configure Active Directory to prevent Pass-The-Hash Attacks
Disable NTLM altogether (requires Win 8.1+ and Server 2012+), forces Kerberos for all
Implement Microsoft LAPS: https://technet.microsoft.com/en-us/mt227395.aspx (Not that easy)
Ref: https://dfir-blog.com/2015/11/08/protecting-windows-networks-defeating-pass-the-hash/
This Is Great! Except Tim Medin
https://files.sans.org/summit/hackfest2014/PDFs/Kicking%20the%20Guard%20Dog%20of%20Hades%20-%20Attacking%20Microsoft%20Kerberos%20%20-%20Tim%20Medin(1).pdf
Harmj0y is Really Smart
Everyone I spoke with on this issue referenced these two posts:
1. http://www.harmj0y.net/blog/penetesting/pass-the-hash-is-dead-long-live-pass-the-hash/
2. http://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/
“It’s also worth noting that Microsoft’s LAPS effectively renders everything here moot. As LAPS randomizes the local administrator password for machines on a periodic basis”
#3 Manage High Privilege Credentials
Limit and restrict domain administrator accounts
Restrict permissions on service accounts
Use long passwords on Service accounts and change them regularly
Reference: “The Most Common Active Directory Security Issues and What You Can Do to Fix Them”
By Sean Metcalf (Link: https://adsecurity.org/?p=1684)
#4 Create a WPAD entry and disable NBNS and LLMNR
Disable automatic proxy discovery or create a WPAD entry in DNS
Disable NBNS (NetBIOS Naming Service) and LLMNR (Link-Local Multicast Name Resolution) via Group Policy (Test this first!)
More Reading:
https://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning
https://p16.praetorian.com/blog/broadcast-name-resolution-poisoning-wpad-attack-vector
#5 Prevent Password hashes from being stored in memory
Group Policy/Registry change across all systems as documented in MS advisory 2871997:
https://support.microsoft.com/en-us/help/2871997/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13,-2014
Attackers can still gain admin rights and revert the change (does not require reboot) (Ref: https://p16.praetorian.com/blog/mitigating-mimikatz-wdigest-cleartext-credential-theft)
The Wrong Way (diagram): Vulnerable Stuff, User Stuff (Desktops, printers), Windows Stuff (AD, File, print, web, DNS, DHCP), Linux Stuff, Wireless Network, Remote Offices, Conference Rooms, More Printers and IT Administrators' Workstations all sit together behind Firewall Rules That Allow A Bunch Of Stuff.
The Right (Better) Way (diagram): the same zones, Vulnerable Stuff, User Stuff (Desktops, printers), Windows Stuff (AD, File, print, web, DNS, DHCP), Linux Stuff, Wireless Network, Remote Offices, Conference Rooms and More Printers, but DNS/DHCP and the IT Administrators' Workstations are broken out into their own segments, and the Firewall Rules now Restrict (not Allow) A Bunch Of Stuff.
Why Is This Important?
Default credentials are everywhere:
● IoT
● Management devices
● Web applications
● Printers
● SAP systems
● Audio/Video gear
● Etc…
Sometimes the device requires no authentication at all!
Find Default Credentials
Few commercial solutions exist to find default (or non-existent) credentials across a network
Nmap works if you like to build it yourself and integrate results into your monitoring systems:
nmap --open -sC -p80,21,23 --script=auth 192.168.1.0/24
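As an added example (not from the talk), here is one way to do the "build it yourself" integration: parse nmap's XML output (`-oX`) and emit one JSON finding per script hit, so results can be shipped to a SIEM. The XML below is constructed; the script ids are real NSE scripts but their output strings are invented for this example.

```python
"""Turn nmap -oX output into JSON findings for default or absent credentials."""
import json
import xml.etree.ElementTree as ET

# Constructed sample of what `nmap -oX - --open -sC -p80,21,23 --script=auth ...`
# might emit. The script ids are real NSE scripts; the output text is made up.
SAMPLE_XML = """<nmaprun scanner="nmap">
<host><status state="up"/><address addr="192.168.1.23" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/>
<script id="ftp-anon" output="Anonymous FTP login allowed (FTP code 230)"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/>
<script id="http-default-accounts" output="[Printer web admin] credentials found: admin:admin"/></port>
<port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
</ports></host>
<host><status state="up"/><address addr="192.168.1.50" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/>
<script id="http-auth" output="HTTP/1.1 401 Unauthorized, Basic realm=printer"/></port>
</ports></host>
</nmaprun>"""

# Phrases in NSE output that mean a login worked without a real secret.
HIT_MARKERS = ("login allowed", "credentials found", "valid credentials")

def findings_from_nmap_xml(xml_text):
    """Return one finding dict per (host, port, script) whose output shows a hit."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.iter("port"):
            for script in port.iter("script"):
                out = script.get("output", "")
                if any(m in out.lower() for m in HIT_MARKERS):
                    findings.append({"host": addr.get("addr"),
                                     "port": int(port.get("portid")),
                                     "proto": port.get("protocol"),
                                     "script": script.get("id"),
                                     "evidence": out})
    return findings

if __name__ == "__main__":
    for finding in findings_from_nmap_xml(SAMPLE_XML):
        print(json.dumps(finding))  # one JSON line per finding, ready for a SIEM
```

A telnet port with no script output, and an HTTP 401 that merely prompts for credentials, produce no finding; only outputs that report a successful login do.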
Using Nessus
https://www.tenable.com/blog/scanning-for-default-common-credentials-using-nessus
https://www.tenable.com/blog/default-credentials-low-hanging-fruit-in-the-enterprise
When I Google for this problem, I find my own blog posts
Apparently I am the only one searching for the answer?
A “Honeypot” Account
Create an account not tied to a real user (something-blah-123-xyz@example.com)
Monitor the email for SPAM or other activity
Monitor the domain account for activity
Any activity is most likely malicious!
http://blog.erratasec.com/2009/02/importance-of-being-canonical.html
Create Fake Elements in Active Directory
MimikatzHoneyToken - https://github.com/SMAPPER/MimikatzHoneyToken
Creating Real Looking User Accounts in AD Lab https://www.darkoperator.com/blog/2016/7/30/creating-real-looking-user-accounts-in-ad-lab
Create Fake Elements in Active Directory
1. Kerberoasting Service Accounts Honey Tokens https://adsecurity.org/?p=3513
2. Fake Memory Credentials Honey Tokens https://github.com/secureworks/dcept
3. Fake Computer Accounts Honey Pots
4. Fake Credentials Manager Credentials Breadcrumbs
5. Fake Domain Admins Accounts Honey Tokens
6. Fake Mapped Drives Breadcrumbs
7. DNS Records Manipulation Honeypots
http://jblog.javelin-networks.com/blog/the-honeypot-buster/
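An added example, not part of the talk or of the projects linked above: a detection pass over Windows Security events that fires on any use of a canary user account (the "Honeypot Account" slide) and on any service-ticket request for a honey SPN account (the Kerberoasting honey token above). The event records, account names and addresses are constructed.

```python
"""Alert on any use of canary (honey) accounts in Windows Security events."""
# Constructed records shaped like a JSON export of Security log events; the
# account names, hosts and addresses are invented for this example.
CANARY_USERS = {"svc-backup-legacy", "jdoe-admin2"}   # honey user accounts
CANARY_SPN_ACCOUNTS = {"svc-sqlreport"}                # honey service accounts (Kerberoast bait)

SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "alice", "IpAddress": "10.1.4.15", "LogonType": 2},
    {"EventID": 4769, "ServiceName": "svc-sqlreport", "TicketEncryptionType": "0x17",
     "TargetUserName": "bob@CORP.EXAMPLE", "IpAddress": "10.1.4.77"},
    {"EventID": 4625, "TargetUserName": "svc-backup-legacy", "IpAddress": "10.1.9.200",
     "Status": "0xc000006d"},
    {"EventID": 4769, "ServiceName": "fileserver01$", "TicketEncryptionType": "0x12",
     "TargetUserName": "alice@CORP.EXAMPLE", "IpAddress": "10.1.4.15"},
    {"EventID": 4768, "TargetUserName": "jdoe-admin2", "IpAddress": "10.1.9.200"},
]

def canary_alerts(events):
    """Return alerts for events that touch a canary user or a honey SPN account.

    4624/4625 = logon success/failure, 4768 = TGT request, 4769 = service ticket
    request. Nobody legitimately uses these accounts, so every hit deserves a look.
    """
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        user = ev.get("TargetUserName", "").split("@")[0].lower()
        if eid in (4624, 4625, 4768) and user in CANARY_USERS:
            alerts.append({"kind": "canary-account-use", "account": user,
                           "event": eid, "source": ev.get("IpAddress")})
        elif eid == 4769 and ev.get("ServiceName", "").lower() in CANARY_SPN_ACCOUNTS:
            # A service ticket request for a honey SPN is the Kerberoasting tell;
            # note whether RC4 (etype 0x17) was requested rather than AES.
            alerts.append({"kind": "honey-spn-ticket-request",
                           "account": ev["ServiceName"], "requested_by": user,
                           "rc4": ev.get("TicketEncryptionType") == "0x17",
                           "source": ev.get("IpAddress")})
    return alerts

if __name__ == "__main__":
    for alert in canary_alerts(SAMPLE_EVENTS):
        print(alert)
```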
Fake LinkedIn Profiles
Why? - Attackers consistently harvest information from LinkedIn for phishing attacks.
Phishing attacks are one of the most popular methods of gaining a foothold on a system in your environment.
Fake LinkedIn Profiles
Lure other fake LinkedIn profiles!
You can get out of control:
● Custom images (stock photos can be traced)
● Real email address (that points to your honeypot account)
● Have other co-workers/people recommend the profile
● Create other social media accounts and web sites/blogs
Problem: Once it has been discovered, you start all over
Darknets Are Pretty Easy
1. Define an IP subnet not in use in your environment (The Darknet)
2. Add routes to the new darknet
3. Place a sniffer on the VLAN for the darknet
Do not put live systems on the Darknet!
http://www.team-cymru.org/darknet.html
Hints To Your Darknet
HTTP redirects (robots.txt)
Fake DNS entries
Fake file servers
Word Macros that send ping backs to the darknet
Monitoring The Darknet
Netflow (or similar protocols) can be used as well (I used to use an old open-source tool called IP-Audit)
Darknet data should then be integrated into your SIEM, and used as an indicator to strengthen
Math Is Easy! (chart: Infected vs. Normal traffic compared along Connection Interval, Connection Time, Data Size and # Of Packets; the regular one is labelled Infected!)
RITA Is Free
https://github.com/ocmdev/rita (You will need Bro logs; Bro is free too)
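An added example, not the talk's or RITA's own code, covering both the darknet monitoring slides and the "Math Is Easy" idea: parse a Bro/Zeek conn.log excerpt, flag any connection whose destination is inside the darknet, and score each source/destination pair by how regular its connection intervals are. The log lines and the darknet subnet are constructed.

```python
"""Two checks over Bro/Zeek conn.log records: connections into the darknet, and
beacon-like connection intervals (the "Math Is Easy" idea that RITA automates)."""
import ipaddress
import statistics
from collections import defaultdict

DARKNET = ipaddress.ip_network("10.99.0.0/16")  # assumed: an unused subnet you route

# Constructed conn.log excerpt; only the columns this example needs are present.
SAMPLE_CONN_LOG = """#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1590000000.0\t10.1.4.77\t49211\t203.0.113.9\t443\ttcp
1590000060.1\t10.1.4.77\t49212\t203.0.113.9\t443\ttcp
1590000119.9\t10.1.4.77\t49213\t203.0.113.9\t443\ttcp
1590000180.0\t10.1.4.77\t49214\t203.0.113.9\t443\ttcp
1590000005.0\t10.1.4.15\t51000\t198.51.100.20\t443\ttcp
1590000900.0\t10.1.4.15\t51001\t198.51.100.20\t443\ttcp
1590001100.0\t10.1.4.15\t51002\t198.51.100.20\t443\ttcp
1590002000.0\t10.1.4.15\t51003\t198.51.100.20\t443\ttcp
1590000300.0\t10.1.4.200\t40000\t10.99.12.7\t445\ttcp
"""

def parse_conn_log(text):
    """Yield one dict per record, naming columns from the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))

def darknet_hits(records):
    """Nothing legitimate lives in the darknet, so every destination there is a finding."""
    return [r for r in records if ipaddress.ip_address(r["id.resp_h"]) in DARKNET]

def beacon_scores(records, min_conns=4):
    """Score each src->dst pair as 1 - stdev/mean of its connection gaps:
    near 1.0 means a fixed timer (beacon-like), lower means human-looking jitter."""
    times = defaultdict(list)
    for r in records:
        times[(r["id.orig_h"], r["id.resp_h"])].append(float(r["ts"]))
    scores = {}
    for pair, ts in times.items():
        if len(ts) < min_conns:
            continue
        gaps = [b - a for a, b in zip(sorted(ts), sorted(ts)[1:])]
        scores[pair] = round(max(0.0, 1 - statistics.pstdev(gaps) / statistics.mean(gaps)), 3)
    return scores

if __name__ == "__main__":
    recs = list(parse_conn_log(SAMPLE_CONN_LOG))
    print("darknet hits:", [(r["id.orig_h"], r["id.resp_h"]) for r in darknet_hits(recs)])
    print("beacon scores:", beacon_scores(recs))
```

The host calling out every 60 seconds scores close to 1.0 while the irregular one scores around 0.5; on real data, raise `min_conns` so a handful of coincidental connections cannot trigger the beacon check.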
Bonus Tip: Communication & Teamwork
“You MUST secure/patch/harden the thing, or else, well, bad things”
Becomes:
“How can I help you do your job more efficiently?”