How To Defend Against Penetration Testersand Win · I run the Security Weekly podcast network ......

Date post: 28-May-2020
Paul Asadoorian Security Weekly, Founder & CEO Offensive Countermeasures, CEO How To Defend Against Penetration Testers...and Win
Transcript

Paul Asadoorian

Security Weekly, Founder & CEO

Offensive Countermeasures, CEO

How To Defend Against Penetration Testers...and Win

Who is your hero?

© Defensive Intuition, LLC 2004-2017 Confidential & Proprietary

About Me

● I run the Security Weekly podcast network

● I am the CEO at Offensive Countermeasures

● I’ve worked building security infrastructure, doing penetration testing, and as a product specialist for Tenable Network Security

● I have serious hacking days:

DISCLAIMER

“The opinions, words, phrases, sentences, so-called facts, images, and/or videos expressed in this presentation and on the following slides are solely those of the presenter and not those of the conference, sponsors, affiliates, security vendors, or anyone else. Only Paul could guarantee the accuracy or reliability of the information provided herein (but does not anyhow).

If you are easily offended by imagery, puns, jokes, funny phrases, adult language and humor, or anything even close to the above, please excuse yourself from this presentation.”

Talk Outline

How did I come up with this talk?

Then, practical stuff:

1. Active Directory Defense
2. Network & Data Segmentation
3. Default Credential Discovery
4. Canary Accounts
5. Create Dark Space
6. Analyze Outbound Network Traffic

I Ask A Lot Of Questions

“Why Are Penetration Tests So Successful?”

(Literally every pen tester once they are “successful”)

The Question You Ask Matters

The Top Three Answers:

“People don’t patch stuff”

“People use dumb passwords”

“I am the most awesome penetration tester in the world, bow to my exploits and expert coding skillz”

“Which exposures most often lead to complete network compromise?”

Windows authentication is a “hot mess”

Once I’m in, I can roam free

People use dumb passwords

Better Question = Better Answers

I Asked Even More Penetration Testers

Collectively perform over 1,000 penetration tests per year

(including the teams they work on)

I interviewed all four of them and asked them the same question

(on the previous slide)...

Two Themes Emerged

1. Authentication

2. Segmentation

Customers Did Not Fix The Critical Issues

Year after year, the findings contained the same exposures.

Why pay for a penetration test if you are not going to address the issues?

But, Why Don’t People Get Better Over Time?

People fix it wrong.

1. Buying stuff

2. Ineffective Communications & Leadership

WRONG ANSWER!

Have A Plan

Okay, commercial tools can help, but have goals and a plan first

What follows are 6 tips that can be implemented without buying additional tools

#1

Active Directory Defense

How To Make A Penetration Tester Cry

1. Discontinue use of LM
2. Prevent Pass-The-Hash Attacks
3. Manage High Privileged Credentials (“Implement a Password Policy” is crossed out on the slide)
4. Create a WPAD entry and disable NBNS and LLMNR
5. Prevent Password hashes from being stored in memory

This could be an entire talk just on the above topics! The most important thing is communication with your Active Directory administrators.

#1 Discontinue use of LM

Set NoLMHash setting in Group Policy or Registry

Users have to change their password

“If your network contains Windows 95, Windows 98, or Macintosh clients, you may experience the following problems”

https://support.microsoft.com/en-us/help/299656/how-to-prevent-windows-from-storing-a-lan-manager-hash-of-your-password-in-active-directory-and-local-sam-databases

#2 Configure Active Directory to prevent Pass-The-Hash Attacks

Disable NTLM altogether (requires Win 8.1+ and Server 2012+), forces Kerberos for all

Implement Microsoft LAPS: https://technet.microsoft.com/en-us/mt227395.aspx (Not that easy)

Ref: https://dfir-blog.com/2015/11/08/protecting-windows-networks-defeating-pass-the-hash/

This Is Great! Except Tim Medin

https://files.sans.org/summit/hackfest2014/PDFs/Kicking%20the%20Guard%20Dog%20of%20Hades%20-%20Attacking%20Microsoft%20Kerberos%20%20-%20Tim%20Medin(1).pdf

Harmj0y is Really Smart

Everyone I spoke with on this issue referenced these two posts:

1. http://www.harmj0y.net/blog/penetesting/pass-the-hash-is-dead-long-live-pass-the-hash/

2. http://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/

“It’s also worth noting that Microsoft’s LAPS effectively renders everything here moot. As LAPS randomizes the local administrator password for machines on a periodic basis”

#3 Manage High Privilege Credentials

Limit and restrict domain administrator accounts

Restrict permissions on service accounts

Use long passwords on Service accounts and change them regularly

Reference: “The Most Common Active Directory Security Issues and What You Can Do to Fix Them”

By Sean Metcalf (Link: https://adsecurity.org/?p=1684)

#4 Create a WPAD entry and disable NBNS and LLMNR

Disable automatic proxy discovery or create a WPAD entry in DNS

Disable NBNS (NetBIOS Name Service) and LLMNR (Link-Local Multicast Name Resolution) via Group Policy (Test this first!)

More Reading:

https://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning

https://p16.praetorian.com/blog/broadcast-name-resolution-poisoning-wpad-attack-vector

#5 Prevent Password hashes from being stored in memory

Group Policy/Registry change across all systems as documented in MS advisory 2871997:

https://support.microsoft.com/en-us/help/2871997/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13,-2014

Attackers can still gain admin rights and revert the change (does not require reboot) (Ref: https://p16.praetorian.com/blog/mitigating-mimikatz-wdigest-cleartext-credential-theft)
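One way to check that the registry-backed settings from tips #1, #4 and #5 actually landed on a host, as an added example that is not part of the talk: it parses the text that `reg query <key> /s` prints (collected from each host however you like) and compares the values the slides reference. The sample output is constructed; the key paths and value names are the documented ones for NoLMHash, WDigest UseLogonCredential (KB2871997), EnableMulticast (LLMNR) and NetbiosOptions (NBNS).

```python
import fnmatch
# (key pattern, value name, hardened data, finding reported when the value is absent)
CHECKS = [
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa", "NoLMHash", 1,
     "LM hashes are still stored (tip #1)"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest",
     "UseLogonCredential", 0, "WDigest not explicitly disabled per KB2871997 (tip #5)"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient",
     "EnableMulticast", 0, "LLMNR still enabled (tip #4)"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_*",
     "NetbiosOptions", 2, "NBNS (NetBIOS over TCP/IP) not disabled on this interface (tip #4)"),
]

def parse_reg_query(text):
    """Map each key path to {value name: data} for the REG_DWORD lines of `reg query` output."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):            # a key header line
            current = line.strip()
            keys.setdefault(current, {})
        elif current and line.strip():
            parts = line.split()                # value name, type, data (names without spaces)
            if len(parts) == 3 and parts[1] == "REG_DWORD":
                keys[current][parts[0]] = int(parts[2], 16)
    return keys

def audit(keys):
    """Return one finding per failed check; an empty list means every setting is hardened."""
    findings = []
    for pattern, name, want, absent_msg in CHECKS:
        hits = [k for k in keys if fnmatch.fnmatchcase(k.lower(), pattern.lower())]
        if not hits:                            # key missing entirely: treat as not hardened
            findings.append(f"{pattern}\\{name}: {absent_msg}")
        for k in hits:
            got = keys[k].get(name)
            if got is None:
                findings.append(f"{k}\\{name}: {absent_msg}")
            elif got != want:
                findings.append(f"{k}\\{name} = {got}, expected {want}")
    return findings

# Constructed `reg query <key> /s` output from a host that applied only part of the advice.
SAMPLE = r"""HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    NoLMHash    REG_DWORD    0x1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
    UseLogonCredential    REG_DWORD    0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{A1}
    NetbiosOptions    REG_DWORD    0x0
"""
```

Running `audit(parse_reg_query(SAMPLE))` reports the WDigest, LLMNR and NBNS gaps and stays silent on the LM hash setting that was applied.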

#2

“Network” Segmentation

Network Segmentation

WTF

The Wrong Way

Diagram: every zone (Vulnerable Stuff, User Stuff (desktops, printers), Windows Stuff (AD, file, print, web, DNS, DHCP), Linux Stuff, Wireless Network, Remote Offices, Conference Rooms, More Printers, IT Administrators Workstations) joined by Firewall Rules That Allow A Bunch Of Stuff

The Better Way (“Right” is crossed out on the slide)

Diagram: the same zones (Vulnerable Stuff, User Stuff (desktops, printers), Windows Stuff (AD, file, print, web, DNS, DHCP), Linux Stuff, Wireless Network, Remote Offices, Conference Rooms, More Printers, DNS/DHCP, IT Administrators Workstations) joined by Firewall Rules That Restrict A Bunch Of Stuff (“Allow” is crossed out on the slide), with an X marked on the diagram

#3

Discover Default Credentials

Why Is This Important?

Default credentials are everywhere:
● IoT
● Management devices
● Web applications
● Printers
● SAP systems
● Audio/Video gear
● Etc…

Sometimes the device requires no authentication at all!

Find Default Credentials

Few commercial solutions exist to find default (or non-existent) credentials across a network

Nmap works if you like to build it yourself and integrate results into your monitoring systems:

nmap --open -sC -p80,21,23 --script=auth 192.168.1.0/24
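To feed that sweep into a monitoring system, here is an added example (not from the talk) that parses nmap's XML output (`-oX`) and emits one JSON event per open port where an auth-category script reported a result. The XML fragment is constructed and trimmed to the elements the parser reads; the script ids are nmap's own ftp-anon, mysql-empty-password and http-default-accounts.

```python
import json
import xml.etree.ElementTree as ET

# Script ids from nmap's auth category, grouped by what a non-empty result means.
NO_AUTH = {"ftp-anon", "mysql-empty-password"}   # the service let us in with no credentials
DEFAULT_CREDS = {"http-default-accounts"}        # a vendor default account worked

def parse_nmap_auth(xml_text):
    """Return one event per open port whose auth script reported something."""
    events = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") == "ipv4"), "?")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            for script in port.findall("script"):
                sid, output = script.get("id"), (script.get("output") or "").strip()
                if not output:                   # these scripts stay silent when nothing is found
                    continue
                if sid in NO_AUTH:
                    kind = "no_auth"
                elif sid in DEFAULT_CREDS:
                    kind = "default_creds"
                else:
                    continue                     # other auth-category output is not a hit here
                events.append({"host": addr, "port": int(port.get("portid")),
                               "proto": port.get("protocol"), "script": sid,
                               "finding": kind, "detail": output.splitlines()[0]})
    return events

def to_siem_lines(xml_text):
    """One JSON object per line, ready for a log collector."""
    return [json.dumps(e, sort_keys=True) for e in parse_nmap_auth(xml_text)]

# Constructed fragment of `nmap --open -sC -p80,21,23 --script=auth -oX - ...` output.
SAMPLE_XML = """<nmaprun>
<host><status state="up"/><address addr="192.168.1.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/>
<script id="ftp-anon" output="Anonymous FTP login allowed (FTP code 230)"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/>
<script id="http-default-accounts" output="&#xa;[Cacti] at /cacti/&#xa;  admin:admin"/></port>
</ports></host>
<host><status state="up"/><address addr="192.168.1.20" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
</ports></host>
</nmaprun>"""
```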

Using Nessus

https://www.tenable.com/blog/scanning-for-default-common-credentials-using-nessus

https://www.tenable.com/blog/default-credentials-low-hanging-fruit-in-the-enterprise

When I Google for this problem, I find my own blog posts

Apparently I am the only one searching for the answer?

#4

Canary Accounts

A “Honeypot” Account

Create an account not tied to a real user ([email protected])

Monitor the email for SPAM or other activity

Monitor the domain account for activity

Any activity is most likely malicious!

http://blog.erratasec.com/2009/02/importance-of-being-canonical.html

Create Fake Elements in Active Directory

MimikatzHoneyToken -https://github.com/SMAPPER/MimikatzHoneyToken

Creating Real Looking User Accounts in AD Lab https://www.darkoperator.com/blog/2016/7/30/creating-real-looking-user-accounts-in-ad-lab

Create Fake Elements in Active Directory

1. Kerberoasting Service Accounts (Honey Tokens): https://adsecurity.org/?p=3513
2. Fake Memory Credentials (Honey Tokens): https://github.com/secureworks/dcept
3. Fake Computer Accounts (Honey Pots)
4. Fake Credentials Manager Credentials (Breadcrumbs)
5. Fake Domain Admins Accounts (Honey Tokens)
6. Fake Mapped Drives (Breadcrumbs)
7. DNS Records Manipulation (Honeypots)

http://jblog.javelin-networks.com/blog/the-honeypot-buster/
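Detection logic for the canary account and the honey-token accounts above, as an added example that is not part of the talk: it alerts on any logon, TGT or service-ticket event naming a canary account, and on any service-ticket request (event 4769) for a honey SPN account, which is the Kerberoast bait. The account names are hypothetical and the event lines are constructed in the shape of Windows Security EventData fields.

```python
import json

# Hypothetical honeypot accounts: nobody and nothing legitimate should ever use them.
CANARY_USERS = {"jdoe.canary", "svc_backup_hny"}
CANARY_SPN_ACCOUNTS = {"svc_backup_hny"}   # honey service account that carries an SPN

EVENT_NAMES = {4624: "successful logon", 4625: "failed logon", 4768: "TGT request",
               4769: "service ticket request", 4771: "Kerberos pre-auth failure"}

def _account(name):
    """Reduce DOMAIN\\user, user@domain and USER forms to one comparable spelling."""
    return name.split("\\")[-1].split("@")[0].lower()

def detect(event_lines):
    """Return an alert for every event that touches a canary account."""
    alerts = []
    for line in event_lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        eid = ev.get("EventID")
        if eid not in EVENT_NAMES:
            continue
        target = _account(ev.get("TargetUserName", ""))
        service = _account(ev.get("ServiceName", ""))
        if target in CANARY_USERS:
            why = f"{EVENT_NAMES[eid]} for canary account {target}"
        elif eid == 4769 and service in CANARY_SPN_ACCOUNTS:
            why = f"service ticket for honey SPN account {service} requested by {target}"
        else:
            continue
        alerts.append({"event_id": eid, "source_ip": ev.get("IpAddress", "-"),
                       "workstation": ev.get("WorkstationName", "-"), "reason": why})
    return alerts

# Constructed Security-log events (one JSON object per line) mimicking EventData fields.
SAMPLE_EVENTS = """
{"EventID": 4624, "TargetUserName": "alice", "IpAddress": "10.0.2.15", "LogonType": 3}
{"EventID": 4625, "TargetUserName": "CORP\\\\jdoe.canary", "IpAddress": "10.0.5.23", "WorkstationName": "WS042"}
{"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_backup_hny", "IpAddress": "::ffff:10.0.5.23"}
{"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "krbtgt", "IpAddress": "::ffff:10.0.2.15"}
""".strip().splitlines()
```

Alice's ordinary logon and her normal ticket request pass; the failed logon against the canary and the ticket request for the honey SPN each raise an alert.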

Fake LinkedIN Profiles

Why? - Attackers consistently harvest information from LinkedIN for phishing attacks.

Phishing attacks are one of the most popular methods to gaining a foothold on a system in your environment.

Fake LinkedIN Profiles

Lure other fake LinkedIN profiles!

You can get out of control:
● Custom images (stock photos can be traced)
● Real email address (that points to your honeypot account)
● Have other co-workers/people recommend the profile
● Create other social media accounts and web sites/blogs

Problem: Once it has been discovered, you start all over

#5

Create Dark Space

Darknets Are Pretty Easy

1. Define an IP subnet not in use in your environment (The Darknet)

2. Add routes to the new darknet

3. Place a sniffer on the VLAN for the darknet

Do not put live systems on the Darknet!

http://www.team-cymru.org/darknet.html

Hints To Your Darknet

HTTP redirects (robots.txt)

Fake DNS entries

Fake file servers

Word Macros that send ping backs to the darknet

Monitoring The Darknet

Netflow (or similar protocols) can be used as well (I used to use an old open-source tool called IP-Audit)

Darknet data should then be integrated into your SIEM, and used as an indicator to strengthen
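An added example (not from the talk) of what darknet monitoring over NetFlow-style records looks like: every flow into the dark prefix is summarised per source, a source touching several dark hosts is labelled a sweep, and anything that sends from inside the darknet is reported as the misconfiguration the slide warns about. The prefix and the flow records are constructed.

```python
import csv
import ipaddress
from collections import defaultdict
from io import StringIO

DARKNET = ipaddress.ip_network("10.99.0.0/16")   # placeholder: your unused, routed prefix

def analyze_flows(csv_text, darknet=DARKNET, sweep_threshold=3):
    """Return (alerts sorted by hosts touched, sources wrongly living inside the darknet)."""
    by_src = defaultdict(lambda: {"dsts": set(), "ports": set(), "first": None, "flows": 0})
    misplaced = set()
    for row in csv.DictReader(StringIO(csv_text)):
        src, dst = ipaddress.ip_address(row["src"]), ipaddress.ip_address(row["dst"])
        if src in darknet:                 # nothing should be live here: a misconfiguration
            misplaced.add(str(src))
            continue
        if dst not in darknet:             # ordinary traffic, not our concern here
            continue
        rec = by_src[str(src)]
        rec["dsts"].add(str(dst))
        rec["ports"].add(int(row["dport"]))
        rec["flows"] += 1
        rec["first"] = row["ts"] if rec["first"] is None else min(rec["first"], row["ts"])
    alerts = [{"src": src, "kind": "sweep" if len(r["dsts"]) >= sweep_threshold else "probe",
               "hosts": len(r["dsts"]), "ports": sorted(r["ports"]), "flows": r["flows"],
               "first_seen": r["first"]} for src, r in by_src.items()]
    return sorted(alerts, key=lambda a: (-a["hosts"], a["src"])), sorted(misplaced)

# Constructed NetFlow-style export, one flow per line (ISO timestamps sort as strings).
SAMPLE_FLOWS = """ts,src,dst,proto,dport,bytes
2017-05-01T09:00:01,10.0.5.23,10.99.1.1,tcp,445,120
2017-05-01T09:00:02,10.0.5.23,10.99.1.2,tcp,445,120
2017-05-01T09:00:02,10.0.5.23,10.99.1.3,tcp,445,120
2017-05-01T09:00:03,10.0.5.23,10.99.1.4,tcp,22,80
2017-05-01T09:10:00,10.0.7.8,10.99.20.9,tcp,80,610
2017-05-01T09:11:00,10.0.7.8,10.8.8.8,udp,53,70
2017-05-01T09:12:00,10.99.3.3,10.0.1.1,tcp,443,900
"""
```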

#6

Analyze Outbound Network Traffic

Math Is Easy!

Chart: Connection Interval, Connection Time, Data Size and # Of Packets, with Infected and Normal series; callout: “Infected!”

RITA Is Free

https://github.com/ocmdev/rita (You will need Bro logs; Bro is free too)
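The "easy math" behind that chart, as an added example that is not part of the talk or of RITA itself: for each source/destination/port triple in a Bro conn.log it measures how regular the connection intervals and request sizes are (median absolute deviation relative to the median) and scores the pair from 0 to 1. The conn.log below is constructed and trimmed to the columns the code reads.

```python
import statistics
from collections import defaultdict

def parse_conn_log(text):
    """Read Bro/Zeek conn.log TSV using its #fields header; other comment lines are skipped."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def _regularity(values):
    """1.0 when every value equals the median, falling towards 0 as the spread grows."""
    med = statistics.median(values)
    mad = statistics.median([abs(v - med) for v in values])
    return 1 - min(1.0, mad / med) if med else 0.0

def beacon_scores(rows, min_conns=5):
    """Score each (src, dst, port) with at least min_conns connections for beacon-like behaviour."""
    pairs = defaultdict(list)
    for r in rows:
        key = (r["id.orig_h"], r["id.resp_h"], int(r["id.resp_p"]))
        pairs[key].append((float(r["ts"]), int(r["orig_bytes"])))
    results = []
    for (src, dst, port), conns in pairs.items():
        if len(conns) < min_conns:
            continue
        conns.sort()
        gaps = [later[0] - earlier[0] for earlier, later in zip(conns, conns[1:])]
        sizes = [bytes_sent for _, bytes_sent in conns]
        score = (_regularity(gaps) + _regularity(sizes)) / 2
        results.append({"src": src, "dst": dst, "port": port, "conns": len(conns),
                        "interval_s": round(statistics.median(gaps), 1), "score": round(score, 2)})
    return sorted(results, key=lambda r: -r["score"])

# Constructed conn.log trimmed to the columns used above: a 60 s beacon plus ordinary browsing.
_ROWS = [("1500000000.0", "10.0.5.23", "203.0.113.7", "443", "512"),
         ("1500000060.0", "10.0.5.23", "203.0.113.7", "443", "512"),
         ("1500000119.0", "10.0.5.23", "203.0.113.7", "443", "512"),
         ("1500000181.0", "10.0.5.23", "203.0.113.7", "443", "512"),
         ("1500000240.0", "10.0.5.23", "203.0.113.7", "443", "512"),
         ("1500000300.0", "10.0.5.23", "203.0.113.7", "443", "512"),
         ("1500000000.0", "10.0.7.8", "198.51.100.4", "443", "120"),
         ("1500000005.0", "10.0.7.8", "198.51.100.4", "443", "3400"),
         ("1500000400.0", "10.0.7.8", "198.51.100.4", "443", "90"),
         ("1500000430.0", "10.0.7.8", "198.51.100.4", "443", "7800"),
         ("1500002000.0", "10.0.7.8", "198.51.100.4", "443", "640"),
         ("1500000010.0", "10.0.7.8", "10.0.0.53", "53", "60")]
SAMPLE_CONN_LOG = ("#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\torig_bytes\n"
                   + "\n".join("\t".join(r) for r in _ROWS))
```

The beacon pair scores about 0.99 with a 60 s median interval, the browsing pair about 0.11, and the single DNS lookup is ignored because it has too few connections to judge.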

RITA FTW

Bonus Tip: Communication & Teamwork

“You MUST secure/patch/harden the thing, or else, well, bad things”

Becomes:

“How can I help you do your job more efficiently?”

Paul Asadoorian

[email protected]

@securityweekly

