Finding a Company’s BreakPoint
By: Zack Meyers
& Andrew McNicol
Modern Day Hacking
Agenda
~$ whoami
Overview
Our Methodology
How to Go Beyond a Scan
1. Phishing
2. Web Application Vulnerabilities
3. Multicast Name Resolution Poisoning
4. SMB Relay Attacks
5. Account Compromise
Final Thoughts and Tips
Useful Training and Links
~$ whoami
Zack Meyers (@b3armunch)
Andrew McNicol (@primalsec)
Red Team @BreakPoint Labs (@0xcc_labs)
Bloggers/Podcasters @Primal Security (@primalsec)
Past: BSidesCHARM, BSidesDC, RVASec
Certification Junkies (OSCE, OSCP, GWAPT, GPEN etc.)
Python, CTFs, Learning, long walks on the beach (@AnnapolisSec)
Things Have Changed Since the 90s
Overview
• Goal: Break the mindset of “Scan then Exploit”
• Cover 5 ways we commonly break into a network:
1. Phishing
2. Web Application Vulnerabilities
3. Multicast Name Resolution Poisoning
4. SMB Relay Attacks
5. Account Compromise
Our Methodology (High Level)
Planning and Scoping
Reconnaissance
Mapping
Automated Testing
Manual Testing
Reporting
Remediation Support
How to Go Beyond a Scan
1. Mindset: Fail 1000s of times and Continue Trying
2. Recon + Mapping: Find Systems + Content Others Have Missed
3. Automated Testing: Run the appropriate tool for the job
4. Manual Testing:
   Identify, Understand, and Fuzz all Areas of Input
   Research all Version Specific Vulnerabilities
   Combine Findings, Remove False Positives, and Abuse Features
5. Reporting: Highlight Business Impact
1. Phishing
• [surprise] Phishing actually works. [/surprise]
• Here is the process we generally follow:
1. Planning: Goals, ROE, what happens when the user clicks?
2. Determine Scenario: Ransomware, Targeted, etc.
3. Determine Phishing Domains
4. Find Vulnerabilities: Email Spoofing
5. Execute the Engagement
• Full Blog Here: https://breakpoint-labs.com/phishing/
1. Phishing: Planning
• Work with the customer to understand their needs for the Phishing
campaign (Compliance, Part of a larger engagement, etc.)
• We prefer to send email via Python (smtp module)
• We generally perform these three types of engagements:
1. Click Analysis: Determine how many users clicked a link
2. Credential Gathering: Prompt for Credentials
3. Execute Code: PowerShell, Office Macros, HTAs, etc.
CEOs Reaction to Opening the Phishing Email
1. Phishing: Scenario
• 2 Main Types of Scenarios: Common Malware, and Targeted Attacker
UPS Tracking Ransomware: Cloned Site + Password Prompt:
1. Phishing: Phishing Domains
• The scenario will determine what domains we leverage
• If our goal is a more targeted attack, we will attempt to use a domain
similar to the target organization's and clone its login portals:
– breakpoint-labs.com vs. breakpoint-lab.com
• If our goal is a more common threat, we will emulate those TTPs:
– ups-pkgtracker.com
• It's important to submit the domains to web content filters/proxies
1. Phishing: Finding Vulnerabilities
Outlook client – Email below is sent from a Gmail account:
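The spoof shown on this slide (mail from a Gmail account rendered as if from the target's domain) is what a missing or non-enforcing SPF/DMARC pair permits. The Python check below is an added example, not code from the deck or from BreakPoint Labs; it evaluates record strings you have already fetched (the sample records are constructed), so it runs offline.

```python
"""Evaluate SPF and DMARC TXT records for spoofability (added example)."""
import re

SPF_ALL = re.compile(r"^([+\-~?]?)all$", re.IGNORECASE)


def spf_qualifier(record):
    """Qualifier on the 'all' mechanism ('+', '-', '~', '?'), or None if absent."""
    if record is None:
        return None
    qualifier = None
    for term in record.split()[1:]:
        match = SPF_ALL.match(term)
        if match:
            qualifier = match.group(1) or "+"   # a bare 'all' means '+all'
    return qualifier


def evaluate_spf(record):
    """Weaknesses in an SPF record (None means no record is published)."""
    if record is None:
        return ["no SPF record: any host may use the domain in MAIL FROM"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["malformed SPF record (missing v=spf1 prefix)"]
    qualifier = spf_qualifier(record)
    issues = []
    if qualifier is None:
        issues.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif qualifier == "+":
        issues.append("'+all' authorises every sender on the Internet")
    elif qualifier == "~":
        issues.append("'~all' soft fail: many receivers still deliver spoofed mail")
    elif qualifier == "?":
        issues.append("'?all' is neutral: no enforcement at all")
    return issues


def parse_dmarc(record):
    """Split 'v=DMARC1; p=none; rua=...' into a lower-cased tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record):
    """Weaknesses in a DMARC record (None means no record is published)."""
    if record is None:
        return ["no DMARC record: receivers get no policy for a spoofed Header From"]
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["malformed DMARC record (missing v=DMARC1)"]
    issues = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        issues.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        issues.append("missing or unknown p= tag")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        issues.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        issues.append("no rua= address: nobody receives aggregate reports")
    return issues


def assess_domain(spf_record, dmarc_record):
    """Verdict: 'enforced', 'weak' or 'spoofable'.

    DMARC is what ties authentication to the visible From: header, so only a
    quarantine/reject policy at 100% counts as enforced. SPF '-all' on its own
    protects the envelope sender but not the Header From, hence 'weak'."""
    spf_issues = evaluate_spf(spf_record)
    dmarc_issues = evaluate_dmarc(dmarc_record)
    policy = parse_dmarc(dmarc_record).get("p", "").lower() if dmarc_record else ""
    enforcing = policy in ("quarantine", "reject") and not any(
        issue.startswith("pct=") for issue in dmarc_issues)
    if enforcing:
        verdict = "enforced"
    elif spf_qualifier(spf_record) == "-":
        verdict = "weak"
    else:
        verdict = "spoofable"
    return {"verdict": verdict, "spf": spf_issues, "dmarc": dmarc_issues}


# Constructed sample records for hypothetical domains (not real lookups).
SAMPLES = {
    "no-records.example": (None, None),
    "softfail.example": ("v=spf1 include:_spf.mailer.example ~all", None),
    "monitor-only.example": ("v=spf1 ip4:192.0.2.0/24 -all",
                             "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example"),
    "enforced.example": ("v=spf1 mx -all",
                         "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example"),
}
```

In an engagement the two strings come from the domain's TXT record and the `_dmarc.<domain>` TXT record respectively.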
1. Phishing: Execute Code
• Click Analysis: We generally use Python to send email + create a unique
link per email to targets
• Credential Grabbing: We generally use PHP to prompt for credentials
• Execute Code: Usually leverage Empire (Office Macro, HTA method)
2. Web Application Vulnerabilities
Is your input being presented on the screen? -> XSS
Is your input calling on stored data? -> SQLi
Does input generate an action to an external service? -> SSRF
Does your input call on a local or remote file? -> File Inclusion
Does your input end up on the file system? -> File Upload
Does your input cause another page to load? -> Redirect Vulns
Can we enumerate technology and versions? -> Lots of Vulns
2. Web App Vulns: File Inclusion
File inclusion vulns can lead to code execution when the included file is evaluated (PHP include())
Sometimes they are limited to reading a file's contents (PHP echo())
LFIs normally require you to get your input on disk first, then include
the affected resource (log poisoning)
RFIs are normally easier to exploit, as you can point them at an
external resource containing your code
2. Web App Vulns: Step 1
Unlinked resource “debug.php”- HTTP 200 OK and blank screen
2. Web App Vulns: Step 2
Never underestimate the power of a good lunch!
2. Web App Vulns: Step 3
• Parameters are fuzzed to enumerate inputs. "page=test" gives back a different response: "Failed opening 'test' for inclusion"
2. Web App Vulns: Step 4
• Attempt to execute code: 1.php = <?php system('id'); ?>
2. Web App Vulns: Step 5
IN REAL LIFE: The web service was running as SYSTEM!
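Added example (not from the deck; the paths and allowlist are assumed): the "debug.php?page=" pattern from the steps above written in Python, with the trusting version beside a hardened one, plus a triage helper for the "Failed opening ... for inclusion" response seen in Step 3.

```python
"""Unsafe vs hardened handling of a 'page=' include parameter (added example)."""
import os
import re

# Hypothetical directory holding the includable page templates.
PAGES_ROOT = "/var/www/app/pages"
ALLOWED_PAGES = ("home", "about", "contact")
PAGE_NAME = re.compile(r"[A-Za-z0-9_-]{1,40}")


def resolve_vulnerable(page_param, root=PAGES_ROOT):
    """What the slide's debug.php effectively does: treat ?page= as a path.

    A traversal sequence or an absolute path walks straight out of root, and
    with include() the file is evaluated, not just read (log poisoning)."""
    return os.path.normpath(os.path.join(root, page_param))


def resolve_hardened(page_param, root=PAGES_ROOT, allowed=ALLOWED_PAGES):
    """Map the parameter to a page name, never to a path, then verify containment.

    The allowlist is the real control; the containment check is defence in
    depth for the day someone extends the allowlist carelessly."""
    if not PAGE_NAME.fullmatch(page_param) or page_param not in allowed:
        raise ValueError(f"page not allowed: {page_param!r}")
    root_abs = os.path.abspath(root)
    candidate = os.path.abspath(os.path.join(root_abs, page_param + ".php"))
    if os.path.commonpath([root_abs, candidate]) != root_abs:
        raise ValueError("resolved path escapes the pages directory")
    return candidate


def is_allowed(page_param, root=PAGES_ROOT):
    """Boolean wrapper around resolve_hardened for callers that need a yes/no."""
    try:
        resolve_hardened(page_param, root)
        return True
    except ValueError:
        return False


INCLUSION_ERRORS = (
    "for inclusion",          # PHP: Failed opening 'x' for inclusion
    "failed to open stream",  # PHP: include(x): failed to open stream
)


def looks_like_inclusion_error(body):
    """Triage helper for the 'page=test' probe: a verbose include warning in the
    response body is the tell that the parameter reaches include()."""
    lowered = body.lower()
    return any(marker in lowered for marker in INCLUSION_ERRORS)
```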
3. Multicast Name Resolution Poisoning
Most internal networks have name resolution traffic enabled for the following protocols:
Link-Local Multicast Name Resolution (LLMNR)
NetBIOS Name Service (NBT-NS)
Multicast DNS (mDNS)
By listening to, intercepting and manipulating name resolution traffic, an
attacker can redirect authentication traffic and perform Man-in-the-Middle
(MITM) attacks.
Responder!
3. Enter Responder.py
Responder is a Python script that aids in:
Multicast Protocol Poisoning (LLMNR, NBT-NS, mDNS)
WPAD Spoofing (Web Proxy Auto-Discovery): an unauthorized server becomes the
proxy for all HTTP requests to the Internet
MITM Attacks (intercepting credential exchanges between hosts, leading to
password cracking, pass-the-hash, SMB relay attacks, etc.)
Rogue Server Services (SMTP, IMAP, POP3, SMB, Kerberos, FTP, HTTP, HTTPS,
DNS, LDAP, SQL, etc.)
3. Responder.py - Use Case 1 Rogue Services
Syntax: ~$ responder -I eth0 -f
3. Responder.py - Use Case 2 WPAD
Syntax: ~$ responder -I eth0 -bw
3. Responder.py - Use Case 3 Analyze
Syntax: ~$ responder -I eth0 -A
3. Prevent Multicast Name Resolution Attacks
Prevent multicast name resolution attacks by:
• Disabling broadcast protocols: LLMNR (Link-Local Multicast Name Resolution) and NBNS (NetBIOS Name Service)
• Preventing WPAD poisoning with a WPAD entry in DNS
• Segmenting local networks with VLANs to contain the impact
• Ensuring that only NTLMv2 is in use, rather than LM and NTLM
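A defender-side check for this section, added here and not part of the deck or of Responder: parse LLMNR answers seen on UDP/5355 and flag a host that answers a canary name nobody owns, or that answers for many different names, which is the behaviour a poisoner shows and a real host never does. The packets are constructed inline and reuse the lab addresses from the SMB relay slides.

```python
"""Detect LLMNR poisoning from captured UDP/5355 payloads (added example)."""
import struct
from collections import defaultdict

LLMNR_RESPONSE = 0x8000   # QR bit in the flags field (RFC 4795 reuses the DNS header)
RR_TYPE_A = 1


def encode_name(name):
    """DNS label encoding: 'fileserver01' -> b'\\x0cfileserver01\\x00'."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split("."))
    return out + b"\x00"


def build_llmnr_response(txid, name, ip):
    """Constructed sample packet: an answer claiming `name` has address `ip`."""
    header = struct.pack("!HHHHHH", txid, LLMNR_RESPONSE, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", RR_TYPE_A, 1)
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = encode_name(name) + struct.pack("!HHIH", RR_TYPE_A, 1, 30, len(rdata)) + rdata
    return header + question + answer


def decode_name(data, offset):
    """Read a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                 # compression pointer
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_llmnr(data):
    """Parse header, question names and A-record answers of an LLMNR message."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, offset = decode_name(data, offset)
        offset += 4                               # QTYPE + QCLASS
        questions.append(name)
    for _ in range(ancount):
        name, offset = decode_name(data, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata, offset = data[offset:offset + rdlen], offset + rdlen
        if rtype == RR_TYPE_A and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata)))
    return {"id": txid, "is_response": bool(flags & LLMNR_RESPONSE),
            "questions": questions, "answers": answers}


def detect_poisoning(events, canary="llmnr-canary-nonexistent", threshold=3):
    """events: iterable of (src_ip, udp_payload) observed on port 5355.

    Two signals: any answer for the canary (a name you query on purpose and
    that no real host owns), and one source answering more than `threshold`
    distinct names (a genuine host only answers for its own name)."""
    names_by_src, findings = defaultdict(set), []
    for src, raw in events:
        pkt = parse_llmnr(raw)
        if not pkt["is_response"]:
            continue
        for name, ip in pkt["answers"]:
            names_by_src[src].add(name.lower())
            if name.lower() == canary.lower():
                findings.append(f"{src} answered canary {name} with {ip}")
    for src, names in names_by_src.items():
        if len(names) > threshold:
            findings.append(f"{src} answered {len(names)} distinct names: {sorted(names)}")
    return findings


# Constructed capture using the deck's lab addresses: .105 answers for itself only,
# .103 (the attacker box) answers everything it is asked, including the canary.
SAMPLE_EVENTS = [
    ("192.168.56.105", build_llmnr_response(0x1001, "WS-105", "192.168.56.105")),
    ("192.168.56.103", build_llmnr_response(0x1002, "fileserver01", "192.168.56.103")),
    ("192.168.56.103", build_llmnr_response(0x1003, "printsrv", "192.168.56.103")),
    ("192.168.56.103", build_llmnr_response(0x1004, "intranet", "192.168.56.103")),
    ("192.168.56.103", build_llmnr_response(0x1005, "dc01-old", "192.168.56.103")),
    ("192.168.56.103", build_llmnr_response(0x1006, "llmnr-canary-nonexistent", "192.168.56.103")),
]
```

Feed `detect_poisoning` from a socket bound to port 5355 or from a pcap reader; the same logic applies to NBT-NS answers on UDP/137 once the name format is swapped.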
4. SMB Relay Attacks
• SMB relay attacks occur when an attacker inserts themselves into
the NTLM Challenge/Response exchange.
• The attacker needs the victim to initiate an HTTP or SMB connection.
• This initiation often comes from either:
– LLMNR/NBNS spoofing
– Automated processes attempting to authenticate to systems
(e.g. patch management, antivirus updates, vulnerability scanners,
custom admin scripts, etc.)
So You Started a Scan
4. SMB Relay Attack Visual: Automated Process
4. SMB Relay Attack: Multicast Poisoning (diagram, continued over three slides)
Attacker's IP: 192.168.56.103
Windows Client (Target): 192.168.56.105
Windows DC: 192.168.56.102
4. SMB Relay Attack: Nessus Scanner Scenario
4. Prevent SMB Relay Attacks
Prevent SMB relay attacks by:
• Requiring SMB signing
• Disabling broadcast protocols: LLMNR (Link-Local Multicast Name Resolution) and NBNS (NetBIOS Name Service)
• Preventing WPAD poisoning with a WPAD entry in DNS
• Blocking outbound SMB traffic
• Enabling EPA (Extended Protection for Authentication)
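Added example, not from the deck: how "Require SMB signing" looks on the wire. The SecurityMode field of the SMB2 NEGOTIATE response says whether a server merely enables signing or requires it, which is the difference between a relayable target and a protected one; the responses below are constructed inline, whereas in practice you would read the bytes back from a socket on TCP/445.

```python
"""Report an SMB2 server's signing mode from its NEGOTIATE response (added example)."""
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
FLAG_SERVER_TO_REDIR = 0x00000001          # set on every server-to-client message
SIGNING_ENABLED = 0x0001                   # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002                  # SMB2_NEGOTIATE_SIGNING_REQUIRED
DIALECTS = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0", 0x0302: "3.0.2", 0x0311: "3.1.1"}


def build_negotiate_response(security_mode, dialect=0x0302):
    """Constructed sample: NetBIOS session header + SMB2 header + NEGOTIATE body.
    Only the fields the check reads carry real values; the rest are zeroed."""
    header = SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, SMB2_NEGOTIATE, 1,
                                      FLAG_SERVER_TO_REDIR, 0, 0, 0, 0, 0) + bytes(16)
    body = (struct.pack("<HHHH", 65, security_mode, dialect, 0) + bytes(16)
            + struct.pack("<IIIIQQHHI", 0, 0x800000, 0x800000, 0x800000, 0, 0, 128, 0, 0))
    message = header + body
    return struct.pack(">I", len(message)) + message


def smb2_signing_status(data):
    """Parse the first message a server sends on TCP/445 and report its signing mode.

    A relayed session cannot produce a valid signature, so a server that
    *requires* signing rejects it. 'enabled' alone (the workstation and
    member-server default) is not enough; domain controllers require it
    by default."""
    if len(data) < 4 + 64 + 8:
        raise ValueError("too short for an SMB2 NEGOTIATE response")
    length = struct.unpack(">I", data[:4])[0] & 0x00FFFFFF
    msg = data[4:4 + length]
    if msg[:4] != SMB2_MAGIC:
        raise ValueError("not SMB2 (an SMB1-only server answers with \\xffSMB)")
    command = struct.unpack("<H", msg[12:14])[0]
    flags = struct.unpack("<I", msg[16:20])[0]
    if command != SMB2_NEGOTIATE or not flags & FLAG_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    _, security_mode, dialect = struct.unpack("<HHH", msg[64:70])
    required = bool(security_mode & SIGNING_REQUIRED)
    return {
        "dialect": DIALECTS.get(dialect, hex(dialect)),
        "signing_enabled": bool(security_mode & SIGNING_ENABLED),
        "signing_required": required,
        "relay_protected": required,
    }
```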
5. Account Compromise
Combines several vulnerabilities to demonstrate risk:
- Username enumeration (Low) +
- Lack of Automation Controls (Low) +
- Lack of Password Complexity Reqs (Low) =
- Account Compromise (Critical)
5. Acct Comp: Username Enumeration
Password Reset Feature: “Email address not found”
Login Error Message: “Invalid Username”
Contact Us Features: “Which Admin do you want to contact?”
Timing for login attempts: Valid = 0.4 secs, Invalid = 15 secs
User Registration: “Username already exists”
Various error messages, and HTML source
Google Hacking and OSINT
Sometimes the application tells you
5. Acct Comp: Automation Controls
Pull the auth request up in Burp’s Repeater and try it a few times
No sign of automation controls? -> Burp Intruder
- No account lockout
- Non-existent or Weak CAPTCHA
- Main login is strong, but others? (Mobile Interface, API, etc.)
5. Acct Comp: Weak Passwords
We as humans are bad at passwords; here are some tricks:
- Password the same as username
- Variations of “password”: “p@ssw0rd”…
- Month+Year, Season+Year: winter2015…
- Company Name + Year
- Keyboard Walks – PW Generator: “!QAZ2wsx”
Lots of wordlists are out there; consider making a targeted wordlist
Research the targeted user’s interests and build lists around those interests
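Added example, not the authors' code: a password-policy check that rejects exactly the shapes listed above, so the patterns a tester would put in a wordlist are caught at set-password time instead. The company name and username are hypothetical values passed in by the caller.

```python
"""Flag passwords that follow the patterns listed on the slide (added example)."""
import re
from datetime import date

SEASONS = {"spring", "summer", "fall", "autumn", "winter"}
MONTHS = {"january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"}
# Undo the usual substitutions so 'P@ssw0rd' compares as 'password'.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
                      "3": "e", "$": "s", "5": "s", "7": "t"})
# Map shifted number-row symbols back to digits so '!QAZ2wsx' reads as '1qaz2wsx'.
SHIFT = str.maketrans("!@#$%^&*()", "1234567890")
KEYBOARD_RUNS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
                 "1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm"]
YEAR_SUFFIX = re.compile(r"((?:19|20)\d{2}|\d{2})[^a-zA-Z0-9]*$")


def normalize(value):
    return value.lower().translate(LEET)


def letters_only(value):
    return re.sub(r"[^a-z]", "", normalize(value))


def is_keyboard_walk(password, min_run=4):
    """True if `min_run` consecutive keys from a row or column appear in order."""
    flat = password.lower().translate(SHIFT)
    for run in KEYBOARD_RUNS:
        for i in range(len(run) - min_run + 1):
            if run[i:i + min_run] in flat:
                return True
    return False


def weak_password_reasons(password, username="", company="", year=None):
    """Return the slide patterns the password matches ([] means none matched)."""
    year = year or date.today().year
    reasons = []
    norm = normalize(password)
    if username and len(username) >= 3 and normalize(username) in norm:
        reasons.append("contains the username")
    if "password" in norm:
        reasons.append("variation of 'password'")
    match = YEAR_SUFFIX.search(password)
    if match:
        stem = letters_only(password[:match.start()])
        suffix = match.group(1)
        years = range(year - 5, year + 2)            # recent and next year
        recent = {str(y) for y in years} | {str(y)[-2:] for y in years}
        if suffix in recent:
            if stem in SEASONS or stem in MONTHS:
                reasons.append("season/month + year")
            if company and stem == letters_only(company):
                reasons.append("company name + year")
    if is_keyboard_walk(password):
        reasons.append("keyboard walk")
    return reasons
```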
5. Acct Comp: Default and Shared
Attempt to brute force across all the things
Brute Force Tools: Burp Suite’s Intruder, Hydra, CrackMapExec, MSF SMB modules, Nmap, etc.
Always try default creds for any given technology
We commonly see shared Linux root creds, and shared Windows local admin creds across the entire enterprise
Final Thoughts and Tips
• Use Shodan and Censys.io for external reconnaissance
• Make sure you investigate shares (enum4linux)
• Unlinked Content enumeration on web applications is key
• Passwords written down on sticky notes? Yeah, usually
• Can you reset a PW via the Help Desk?
• Put a focus on feature abuse: What does the technology let you do? How can you abuse that functionality?
• Once you get valid credentials try them across all the things
Useful Trainings & Links
Free Training: Cybrary
CTFs: Vulnhub, Past CTF Writeups, Pentester Lab
Training: Offensive Security, SANS, SecurityTube
Book: Web Application Hackers Handbook
Book: Black Hat Python
Talks: IronGeek (Adrian Crenshaw’s) YouTube Channel
Talk: How to Shot Web - Jason Haddix
Talk: How to be an InfoSec Geek - Primal Security
Talk: File in the hole! - Soroush Dalili
Talk: Exploiting Deserialization Vulnerabilities in Java
Talk: Polyglot Payloads in Practice - Marcus Niemietz
Talk: Running Away From Security - Micah Hoffman
Talk: Beyond Automated Testing – Us!
GitHub Resource: Security Lists For Fun & Profit
Contact Us
Site: https://www.breakpoint-labs.com
Email: info@breakpoint-labs.com
Twitter: @0xcc_labs
We Are Hiring!


Bsides-Philly-2016-Finding-A-Companys-BreakPoint
