Simon Nolet
Pentest SME
August 29, 2019
PowerPoint PPT Presentation
https://ici.radio-canada.ca/nouvelle/1168160/hak-mtl-documentaire-pirates-piratage-informatique-montreal-alexandre-sheldo
Threat actors
▪ Criminals
▪ Hacktivists
▪ Hackers
▪ Competitors
▪ Nation states
▪ Disgruntled employees
▪ Attacks range from non-targeted (opportunistic) to targeted
(Figure: privilege escalation path, Domain User → Local Administrator → Domain Admins, with the weaknesses exploited at each step)
Domain User
▪ Password reuse
▪ Weak passwords
▪ Password spraying
▪ Passwords following a pattern
▪ Use of legacy protocols
Local Administrator
▪ Password reuse
▪ Inadequate privilege
▪ Workstations without full disk encryption
▪ Service accounts with administrative rights
Domain Admins
▪ Password reuse
▪ Weak passwords
▪ Use of domain admin credentials on workstations
Why is it important?
▪ A password is often the only authentication mechanism needed to impersonate a user on the network
▪ People tend to choose passwords a computer can crack easily
▪ Most companies use a weak password policy
▪ Users are allowed to reuse their passwords
▪ Some users follow a personal password template, so the current password can be derived from a previous one
▪ Password length increases cracking complexity far more than character-set complexity does
Microsoft's Philosophy
▪ Microsoft keeps legacy features even when they are no longer used, because removing them could break existing deployments
▪ Those legacy features are a recurring source of security issues
▪ Windows is not an operating system that is secure by default
▪ Pentesters routinely turn the domain architecture against itself
LINK-LOCAL MULTICAST NAME RESOLUTION (LLMNR) / NETBIOS NAME SERVICE (NBNS)
▪ Their purpose is to resolve a computer name by asking the other computers on the local network segment, without going through a DNS server.
LLMNR's Usage
When does a computer perform an LLMNR / NBNS request?
▪ When a name cannot be resolved through DNS (for example a mistyped share or host name), Windows falls back to LLMNR and then NBNS and sends the query to the whole local segment. Any host on that segment can answer, so an attacker can claim the name and capture or relay the authentication that follows.
Antidote
Password cracking
External Reconnaissance
Users without access
▪ Not targeted
▪ No access
▪ No confidential information
▪ But their identity can still be impersonated on the network
▪ SIEM logs will point the finger at the impersonated user
▪ Accountability is lost
Domain User
▪ Read all group policy (SYSVOL, logon scripts)
▪ Read Active Directory attributes (passwords are often found in the description field)
▪ Request Kerberos service tickets for accounts that have Service Principal Names (Kerberoasting: the ticket is encrypted with the service account's password hash and can be cracked offline)
▪ Enumerate all users with their groups (Domain Admins membership is useful for password spraying)
DOMAIN USER RIGHTS
▪ Query active sessions on computers to know who is connected where: Get-NetSession
▪ Enumerate the Active Directory configuration (servers, versions, domain controllers): ADRecon
▪ Enumerate the content of network shares (permissions granted to Everyone, Authenticated Users, and specifically to the compromised user)
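The enumeration listed on the two slides above needs nothing beyond a domain-joined host and any domain account. The following script is an added example, not code from the original presentation; it uses only the built-in [adsisearcher] / [adsi] accelerators so it runs without RSAT or PowerView. The domain name is read from RootDSE, and the search filters (the description keywords, the Domain Admins group DN, the file patterns under SYSVOL) are assumptions you should adapt to the target.

```powershell
# Added example: what an ordinary domain user can read from Active Directory.
# Assumes: domain-joined host, any authenticated domain user, no extra modules.

$rootDse    = [adsi]'LDAP://RootDSE'
$domainDn   = [string]$rootDse.defaultNamingContext            # e.g. DC=corp,DC=local
$domainFqdn = ($domainDn -replace 'DC=', '' -replace ',', '.')  # e.g. corp.local

function Search-Ad {
    param([string]$Filter, [string[]]$Props)
    $searcher = [adsisearcher]$Filter
    $searcher.PageSize = 1000                      # paging avoids the 1000-object server limit
    $searcher.PropertiesToLoad.AddRange($Props)
    $searcher.FindAll() | ForEach-Object {
        $row = [ordered]@{}
        foreach ($p in $Props) { $row[$p] = ($_.Properties[$p] -join '; ') }
        [pscustomobject]$row
    }
}

# 1. Description fields that look like they carry a password (keywords are assumptions).
Write-Host '== Users whose description mentions a password =='
Search-Ad '(&(objectCategory=person)(objectClass=user)(|(description=*pass*)(description=*pwd*)(description=*mot de passe*)))' `
          @('samaccountname', 'description') | Format-Table -AutoSize

# 2. Accounts with an SPN: any domain user can request a TGS for them and crack it offline.
Write-Host '== Kerberoastable accounts =='
Search-Ad '(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)(!(samaccountname=krbtgt)))' `
          @('samaccountname', 'serviceprincipalname', 'pwdlastset') | Format-Table -AutoSize

# 3. Domain Admins, including nested membership (LDAP_MATCHING_RULE_IN_CHAIN).
Write-Host '== Domain Admins (direct and nested) =='
Search-Ad "(&(objectCategory=person)(memberOf:1.2.840.113556.1.4.1941:=CN=Domain Admins,CN=Users,$domainDn))" `
          @('samaccountname', 'lastlogontimestamp') | Format-Table -AutoSize

# 4. SYSVOL is readable by every authenticated user: logon scripts and Group Policy
#    Preferences XML (cpassword) are classic places to find credentials.
Write-Host '== Credential-looking strings under SYSVOL =='
Get-ChildItem "\\$domainFqdn\SYSVOL\$domainFqdn\" -Recurse -Include *.bat, *.cmd, *.ps1, *.vbs, *.xml -ErrorAction SilentlyContinue |
    Select-String -Pattern 'password|cpassword|pwd' -List |
    Select-Object Path, LineNumber, Line
```

Every query here is an ordinary LDAP read, so from the defender's side the only signal is the volume of searches and the SPN ticket requests that follow (event 4769 with RC4 encryption is the usual Kerberoasting indicator).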
DOMAIN USER RIGHTS
LOCAL ADMINISTRATOR RIGHTS
▪ Read plaintext passwords from the memory of active sessions
▪ Install a keylogger
▪ Read passwords and cookies stored by browsers
Local Administrator Rights
▪ Retrieve local hashes for lateral movement: samdump, Mimikatz
▪ Install a backdoor on the system
▪ Use the machine account on the network (member of Domain Computers)
▪ Activate WDigest so that passwords are again stored in cleartext in memory
WINDOWS 7
▪ On Windows 7 (and Server 2008 R2), WDigest keeps credentials in plaintext in LSASS memory by default
▪ It is kept for compatibility with HTTP Digest single sign-on
▪ KB2871997 adds the UseLogonCredential registry value to Windows 7, but credentials are still kept unless the value is explicitly set to 0; Windows 8.1 / Server 2012 R2 and later default to 0
Credentials Stored in Memory
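The "activate WDigest" step from the local-administrator slide and the Windows 7 default above come down to one registry value, UseLogonCredential under the WDigest provider key. The script below is an added example, not part of the original presentation: it reports whether the host currently keeps plaintext credentials (taking the Windows 7 "value absent" default into account) and offers the hardening function. The version check uses the 6.1 kernel version of Windows 7 / Server 2008 R2 as its only assumption.

```powershell
# Added example: check and harden the WDigest plaintext-credential setting.
# Assumes: the KB2871997 semantics described above (absent value = enabled on
# Windows 7 / 2008 R2, disabled on 8.1 / 2012 R2 and later).

$WDigestKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$WDigestName = 'UseLogonCredential'

function Get-WDigestState {
    $value = (Get-ItemProperty -Path $WDigestKey -Name $WDigestName -ErrorAction SilentlyContinue).$WDigestName
    $os    = [Environment]::OSVersion.Version

    if ($null -eq $value) {
        # No explicit value: behaviour depends on the OS default.
        if ($os.Major -eq 6 -and $os.Minor -le 1) {
            return [pscustomobject]@{ PlaintextKept = $true;  Source = 'default (value absent, Windows 7 / 2008 R2)' }
        }
        return [pscustomobject]@{ PlaintextKept = $false; Source = 'default (value absent, Windows 8.1+ )' }
    }
    [pscustomobject]@{ PlaintextKept = ($value -ne 0); Source = "explicit value $value" }
}

function Disable-WDigest {
    # Requires an elevated prompt; same value an attacker would set to 1.
    if (-not (Test-Path $WDigestKey)) { New-Item -Path $WDigestKey -Force | Out-Null }
    New-ItemProperty -Path $WDigestKey -Name $WDigestName -PropertyType DWord -Value 0 -Force | Out-Null
    # Only logons that happen after the change are affected: sessions already cached
    # in LSASS keep their plaintext until the user logs off or the host reboots.
}

Get-WDigestState
# Disable-WDigest
```

Because the attacker's first move with local admin is to set this value to 1 and wait for the next logon, the value is worth monitoring: a Sysmon registry "value set" event (ID 13) on this key, or an equivalent rule in your EDR, catches the change before the next interactive logon hands over a plaintext password.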
Lateral Movement – Pass the Hash
Lateral Movement – SMB Relay
NT AUTHORITY\SYSTEM
Domain Admins Rights
▪ Local Administrator on every computer joined to the domain
▪ Admin access to every network share on every computer in the domain, including the hidden administrative shares (C$)
▪ Read and modify users in Active Directory (password, rights, groups, etc.)
Domain Admins Rights
▪ Enumerate and modify the trusts between domains
▪ Access to the Event Viewer of every computer in the domain
▪ Change the password of any user in the domain
▪ Access to the hashes of every account in the domain
▪ Read every protected attribute in Active Directory (BitLocker recovery keys, LAPS passwords, etc.)
ACCESS TO THE HASHES OF EVERY ACCOUNT IN THE DOMAIN.
Domain Admins Rights
▪ Average time to obtain Domain Admin privileges: 3-4 hours
▪ Clients rarely know that we escalated to Domain Admin before the tester(s) tell them
▪ Obtaining Domain Admin privileges is only the beginning of the test
▪ It provides the access required to read the whole configuration and find the other entry points and configuration issues
Disabling LLMNR through the DNS client policy key (the value set here is what the "Turn off multicast name resolution" group policy writes):
REG ADD "HKLM\Software\Policies\Microsoft\Windows NT\DNSClient" /v EnableMulticast /t REG_DWORD /d 0 /f
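The REG ADD above closes only the LLMNR half of the poisoning path; NBNS answers the same fallback queries, and the SMB relay shown earlier works because the target accepts unsigned SMB sessions. The script below is an added example, not part of the original presentation: it applies all three fixes on one host and reports their state so the result can be verified. It assumes Windows 8 / Server 2012 or later for the SmbShare cmdlets (on Windows 7 the equivalent is the RequireSecuritySignature value under the LanmanServer and LanmanWorkstation Parameters keys), and it assumes the environment can live without NetBIOS name resolution.

```powershell
# Added example: remove the preconditions of the LLMNR/NBNS poisoning -> SMB relay chain.
# Assumes: elevated prompt, Windows 8 / 2012 or later. Deploy the same settings via GPO
# for fleet-wide coverage; the DNSClient path below is the policy path GPO writes.

$LlmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

function Disable-Llmnr {
    if (-not (Test-Path $LlmnrKey)) { New-Item -Path $LlmnrKey -Force | Out-Null }
    New-ItemProperty -Path $LlmnrKey -Name EnableMulticast -PropertyType DWord -Value 0 -Force | Out-Null
}

function Disable-NetBios {
    # TcpipNetbiosOptions: 0 = follow DHCP (enabled if DHCP says nothing), 1 = enabled, 2 = disabled.
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
        Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null
    }
}

function Enable-SmbSigning {
    # Both sides matter: the server setting protects this host as a relay target,
    # the client setting stops this host's outbound sessions from being relayed elsewhere.
    Set-SmbServerConfiguration -EnableSecuritySignature $true -RequireSecuritySignature $true -Force
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
}

function Test-RelayHardening {
    $llmnr = (Get-ItemProperty -Path $LlmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    $nbt   = @(Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
               Select-Object -ExpandProperty TcpipNetbiosOptions)
    [pscustomobject]@{
        LlmnrDisabled    = ($llmnr -eq 0)
        NetBiosDisabled  = (@($nbt | Where-Object { $_ -ne 2 }).Count -eq 0)
        SmbServerSigning = (Get-SmbServerConfiguration).RequireSecuritySignature
        SmbClientSigning = (Get-SmbClientConfiguration).RequireSecuritySignature
    }
}

Write-Host 'Before:'; Test-RelayHardening
Disable-Llmnr
Disable-NetBios
Enable-SmbSigning
Write-Host 'After:';  Test-RelayHardening
```

Test-RelayHardening is also a useful read-only check to run across a fleet before an engagement: any host that reports $false in the SmbServerSigning column is a candidate relay target for the attack described on the SMB Relay slide, and any host with LLMNR or NetBIOS still enabled is a source of poisonable name queries.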