Hacking identity: A Pen Tester's Guide to IAM

HACKING IDENTITY
A PEN TESTER’S GUIDE TO IAM

WHO AM I?
 Music teacher turned hacker
 Security Solutions Architect,
One Identity
 Certs
 ACE
 CISSP
 GWAPT
 GWEB
 Groups
 ISSA
 OWASP

LET’S TALK ATTACK SURFACE
 Publicly available user information
 Open Source Intelligence (OSINT) gathering
 Social media, corporate email used on personal sites
 Publicly available system information
 Hostnames, IP addresses, DNS servers, mail servers
 It’s how the Internet works, folks
 Increasing reliance on software-as-a-service (SaaS)
 Corresponding increase in password reuse and unmanaged user accounts

DAY 19:THEY STILL SUSPECT NOTHING

PEN TESTING:TEN EIGHT STEP PROCESS
 Step 1: Gather OSINT
 Step 2: Score Some Creds
 Step 3: Logon to an Internal System
 Step 4: Dump SAM/System/Security Hives
 Step 5: Extract Hashes and Get Cracking
 Step 6: Identify Admin Accounts
 Step 7: Find Active DA Logins
 Step 8: Pass the Hash

NOTHING NEW UNDER THE SUN
 DumpingWindows Credentials (December 20, 2013)
 https://www.securusglobal.com/community/2013/12/20/dumping-windows-credentials/
 I Hunt Sys Admins (January 19, 2015)
 http://www.harmj0y.net/blog/penetesting/i-hunt-sysadmins/
 Password Spraying OutlookWeb Access (February 17, 2016)
 http://www.blackhillsinfosec.com/?p=4694

TLA’S AND FLA’S
 IdM = Identity Management
 Manage the accounts
 IAM = Identity & Access Management
 Manage what the accounts can access
 FIdM = Federated Identity Management
 Manage identity across autonomous domains
 LDAP = Lightweight Directory Access Protocol
 RBAC = Role Based Access Control
 SSO = Single Sign-On
 Federation = SSO across multiple enterprises
 ADFS, SAML, OAuth, OpenID,WS-Federation, etc.

IT GIVETH AND IT TAKETH AWAY
 Entitlements – The things tied to a user (hardware, licenses, access, etc.)
 Attributes – Flags that indicate which things a user should have
 Provisioning – Granting entitlements to a user account
 Deprovisioning – Removing entitlements from a user account

USER LIFECYCLE
Image via KuppingerCole

WHO (TRADITIONALLY) DOES WHAT?
 Help Desk
 Fields access issues, including password resets
 Security Operations Center
 Monitors log data
 SecurityTeam (Analysts,Architects, Engineers)
 Sets policy
 May manage the IAM toolset

OSINT GATHERING
Systems
 Shodan - https://www.shodan.io/
 Censys - https://censys.io/
 Find Subdomains - https://findsubdomains.com/
 HE BGP Toolkit - https://bgp.he.net/
 SPF Records - https://mxtoolbox.com/spf.aspx
People
 LinkedIn - https://www.linkedin.com/
 Hunter - https://hunter.io/
 Pastebin - https://pastebin.com/
 IntelTechniques - https://inteltechniques.com/menu.html
 Recon-ng - https://bitbucket.org/LaNMaSteR53/recon-ng
 Discover - https://github.com/leebaird/discover

DOCUMENT METADATA
 Metagoofil
 https://github.com/laramies/metagoofil
 https://tools.kali.org/information-gathering/metagoofil
 Sample Command
 metagoofil -d target.org -t
docx,xlsx,pdf -l 100 -n 25 -o
out_directory -f out_file.html
 FOCA (ElevenPaths)
 https://www.elevenpaths.com/labstools/foca/index.html
 https://github.com/ElevenPaths/FOCA
 Process
 Download files
 Extract the metadata
 Analyze the metadata

WHAT ARE WE LOOKING FOR AGAIN?
 Technology stack
 Admin guides
 New User / New Hire how-to guides
 How to login to theVPN
 Default passwords for new hires
 User naming convention
 Login portals
 Webmail
 SSLVPN
 Password Self-Service

PASSWORD SPRAYING
 Brute Force Attack
 Lots of usernames, lots of passwords
 Password Spray Attack
 Lots of usernames,VERY few passwords
 ./ntlm-botherer.py –U ./users.txt –p Summer2018! –d target_domain.com
https://webdir2a.online.lync.com/Autodiscover/AutodiscoverService.svc/root/oauth
/user?originalDomain=target_domain.com/WebTicket/WebTicketService.svc
 Burp Suite Intruder / Cluster Bomb
 https://portswigger.net/burp/help/intruder_using.html
 https://portswigger.net/burp/help/intruder_positions.html
 MailSniper
 https://github.com/dafthack/MailSniper

ONCEYOU’RE IN…
 Steal creds or forge tickets
 Mimikatz -> https://github.com/gentilkiwi/mimikatz
 Kereberoast -> https://github.com/nidem/kerberoast
 Power Shell Empire -> http://www.powershellempire.com/
 Escalate privileges with PowerUp
 Part of PowerSploit (PowerShell Post-Exploitation Framework)
 https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc

SE ATTACK SCENARIOS
 Physical
 “Site inspection“
 Look for sticky notes & whiteboards
 Phone calls
 Help desk (tried and true)
 Third party technology integrators (exploit complexity)
 Password reset notification for SaaS apps
 Social EngineerToolkit (SET)
 https://github.com/trustedsec/social-engineer-toolkit

PASSWORD SELF-SERVICE
 How easily can we find these answers?
 MyLife - https://www.mylife.com/
 FamilyTreeNow - https://www.familytreenow.com/
 Combine with social engineering attacks
 “Fun” quizzes on social media

RESPONDER
 Why does Responder work?
 Can’t resolve hostname via DNS? Try Link-Local Multicast Name Resolution (LLMNR).
 No luck with LLMNR? Try NetBIOS Name Service (NBT-NS).
 If any system replies, you can trust it. No need for validation.
 Web browsers automatically detect proxy settings viaWeb Proxy Auto-Discovery (WPAD) protocol.
 Fire up Responder
 # responder –I eth0
 WPAD, force client to authenticate
 # responder -I eth0 –wF

IT ONLY TAKES ONE SET OF CREDS

ANALYZEYOUR EXTERNAL ATTACK SURFACE
 OSINT gathering
 Port scans
 Nmap - https://nmap.org/
 Vulnerability scans
 Nexpose (Rapid7) - https://www.rapid7.com/products/nexpose/
 Nessus (Tenable) - https://www.tenable.com/products/nessus/nessus-professional
 OpenVAS (open source) - http://www.openvas.org/
 QualysGuard (Qualys) - https://www.qualys.com/qualysguard/

REDUCE SAID ATTACK SURFACE
 Consolidate (or eliminate) Internet-facing systems
and applications
 Close network ports that don’t need to be open
 Remove unnecessary files & replace existing files
(sanitize metadata)
 Disable inactive accounts
 Remove unnecessary privileges
 User access attestation process
 Implement multifactor authentication
 VPN + On-Prem Apps + SaaS Apps
 Security awareness training
 Don’t use corporate email for personal sites
 Don’t overshare on social media
 How to detect AND respond to social engineering
attacks

TIGHTEN UP ADMIN PRIVILEGES
 Stronger passwords
 Users = 8 characters, alphanumeric, upper + lower + special
 Admins = same complexity, but 20 characters
 Limit local admin rights
 Local Administrator Password Solution
 https://technet.microsoft.com/en-us/mt227395.aspx
 Privileged Account Management
 Privileged Session Management

DETECTION IS KING
 Technology
 Log Management = long term
 Security Information Event Management = short term
 Define normal
 Who has access to what?
 What does normal access look like (times, traffic volume, etc.)?
 Baseline privileged account activity
 Monitor for changes to privileged accounts and groups
 Passwords, domain group memberships, local group memberships

LOGGING AND MONITORING – WEB SERVERS
From https://zeltser.com/security-incident-log-review-checklist/
Excessive access attempts to non-existent files
Code (SQL, HTML) seen as part of the URL
Access to extensions you have not implemented
Web service stopped/started/failed messages
Access to “risky” pages that accept user input
Look at logs on all servers in the load balancer pool
Error code 200 on files that are not yours
Failed user authentication Error code 401, 403
Invalid request Error code 400
Internal server error Error code 500

LOGGING AND MONITORING – NETWORK DEVICES
Look at both inbound and outbound activities.
Examples below show log excerpts from Cisco ASA logs; other devices have similar functionality.
Traffic allowed on firewall “Built … connection”,“access-list … permitted”
Traffic blocked on firewall “access-list … denied”,“deny inbound”,
“Deny … by”
Bytes transferred (large files?) “TeardownTCP connection … duration … bytes …”
Bandwidth and protocol usage “limit … exceeded”,“CPU utilization”
Detected attack activity “attack from”
User account changes “user added”,“user deleted”,
“User priv level changed”
Administrator access “AAA user …”,“User … locked out”,
“login failed”

LOGGING AND MONITORING – LINUX
Successful user login “Accepted password”,“Accepted publickey”,
“session opened”
Failed user login “authentication failure”,“failed password”
User log-off “session closed”
User account change or deletion “password changed”,“new user”,
“delete user”
Sudo actions “sudo: … COMMAND=…”“FAILED su”
Service failure “failed” or “failure”

LOGGING AND MONITORING – WINDOWS
Event IDs are listed below forWindows 2000/XP. ForVista/7 security event ID, add 4096 to the event ID.
Most of the events below are in the Security log; many are only logged on the domain controller.
User logon/logoff events Successful logon 528, 540; failed logon 529-537, 539; logoff
538, 551, etc
User account changes Created 624; enabled 626; changed 642; disabled 629;
deleted 630
Password changes To self: 628; to others: 627
Service started or stopped 7035, 7036, etc.
Object access denied (if auditing enabled) 560, 567, etc

MISDIRECTION
 Fake admin account(s)
 Systems and apps
 Obvious names (admin, administrator, root) / limited access
 In AD, attackers will be looking for SID 500
 DISABLE THE ACCOUNTS (so they can’t actually login anywhere)
 Honeycreds / Honeytokens
 https://github.com/Ben0xA/PowerShellDefense/blob/master/Invoke-HoneyCreds.ps1
 https://canarytokens.org/generate

FUNDAMENTALS FTW
 Prevention
 System, network, & application hardening
 Detection
 Logging and monitoring
 Response
 End user security awareness training
 IT/Security employee training
Image via NIST

RESOURCES
 Identity and Access Management 101
 https://www.slideshare.net/JerodBrennenCISSP/identity-and-access-management-101
 WhatYou Need to Know About OSINT
 https://www.slideshare.net/JerodBrennenCISSP/what-you-need-to-know-about-osint
 https://www.youtube.com/watch?v=aaN6OCpBBaQ
 Performing OSINT Gathering on CorporateTargets
 https://www.pluralsight.com/courses/osint-gathering-corporate-targets
 Buscador OSINTVM
 https://inteltechniques.com/buscador/

MORE RESOURCES
 IT and Information Security Cheat Sheets
 https://zeltser.com/cheat-sheets/
 Detecting Offensive PowerShell Attack Tools
 https://adsecurity.org/?p=2604
 LLMNR and NBT-NS Poisoning Using Responder
 https://www.4armed.com/blog/llmnr-nbtns-poisoning-using-responder/
 Consumer-Centric Identity Management (KuppingerCole)
 https://www.slideshare.net/shivan82/2016-0426-webinar-consumerfocused-identity-management
 Common Sense Security Framework
 https://commonsenseframework.org/

QUESTIONS / COMMENTS / DISCUSSION

CONTACT INFO
 Email – Jerod.Brennen@OneIdentity.com
 LinkedIn - https://www.linkedin.com/in/slandail/
 Twitter - https://twitter.com/slandail
 GitHub - https://github.com/slandail
 SlideShare - https://www.slideshare.net/JerodBrennenCISSP
 Speaker Deck - https://speakerdeck.com/slandail/

Hacking identity: A Pen Tester's Guide to IAM

More Related Content

What's hot (20)

Similar to Hacking identity: A Pen Tester's Guide to IAM (20)

More from Jerod Brennen (13)

Recently uploaded (20)

Hacking identity: A Pen Tester's Guide to IAM