SlideShare a Scribd company logo

Bsides-Philly-2016-Finding-A-Companys-BreakPoint

Download as PPT, PDF
Z
Zack Meyers

The document outlines techniques for identifying and exploiting vulnerabilities in a company's network, focusing on five primary methods: phishing, web application vulnerabilities, multicast name resolution poisoning, SMB relay attacks, and account compromise. It emphasizes a methodology that includes comprehensive planning, reconnaissance, automated and manual testing, and effective reporting. Additionally, the authors provide tips for both preventing attacks and improving security practices, along with resources for further training and information.

Technology
Related topics:
Information Security
1 of 48
Downloaded 11 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
Finding a Company’s BreakPoint By: Zack Meyers & Andrew McNicol
Modern Day Hacking
Agenda ~$ whoami Overview Our Methodology How to Go Beyond a Scan 1. Phishing 2. Web Application Vulnerabilities 3. Multicast Name Resolution Poisoning 4. SMB Relay Attacks 5. Account Compromise Final Thoughts and Tips Useful Training and Links
~$ whoami Zack Meyers (@b3armunch) Andrew McNicol (@primalsec) Red Team @BreakPoint Labs (@0xcc_labs) Bloggers/Podcasters @Primal Security (@primalsec) Past: BSidesCHARM, BSidesDC, RVASec Certification Junkies (OSCE, OSCP, GWAPT, GPEN etc.) Python, CTFs, Learning, long walks on the beach ( @AnnapolisSec)
Things Have Changed Since the 90s
Overview • Goal: Break the mindset of “Scan then Exploit” • Cover 5 ways we commonly break into a network: 1. Phishing 2. Web Application Vulnerabilities 3. Multicast Name Resolution Poisoning 4. SMB Relay Attacks 5. Account Compromise
Our Methodology (High Level) Planning and Scoping Reconnaissance Mapping Automated Testing Manual Testing Reporting Remediation Support
How to Go Beyond a Scan 1. Mindset: Fail 1000s of times and Continue Trying 2. Recon + Mapping: Find Systems + Content Others Have Missed 3. Automated Testing: Run the appropriate tool for the job 4. Manual Testing: Identify, Understand, and Fuzz all Areas of Input Research all Version Specific Vulnerabilities Combine Findings, Remove False Positives, and Abuse Features 1. Reporting: Highlight Business Impact
1. Phishing • [surprise] Phishing actually works. [/surprise] • Here is the process we generally follow: 1. Planning: Goals, ROE, what happens when the user clicks? 2. Determine Scenario: Ransomware, Targeted, etc. 3. Determine Phishing Domains 4. Find Vulnerabilities: Email Spoofing 5. Execute the Engagement • Full Blog Here: https://breakpoint-labs.com/phishing/
1. Phishing: Planning • Work with the customer to understand their needs for the Phishing campaign (Compliance, Part of a larger engagement, etc.) • We prefer to send email via Python (smtp module) • We generally perform these three types of engagements: 1. Click Analysis: Determine how many users clicked a link 2. Credential Gathering: Prompt for Credentials 3. Execute Code: PowerShell, Office Macros, HTAs, etc.
CEOs Reaction to Opening the Phishing Email
1. Phishing: Scenario • 2 Main Types of Scenarios: Common Malware, and Targeted Attacker UPS Tracking Ransomware: Cloned Site + Password Prompt:
1. Phishing: Phishing Domains • The scenario will determine what domains we leverage • If our goal is to perform a more targeted attack we will attempt use a similar domain to the target organization and clone login portals: – breakpoint-labs.com vs. breakpoint-lab.com • If our goal is more common threat we will emulate those TTPs: – ups-pkgtracker.com • Its important to submit domains to web content filters/proxies
1. Phishing: Finding Vulnerabilities
1. Phishing: Finding Vulnerabilities Outlook client – Email below is sent from a Gmail account:
1. Phishing: Execute Code • Click Analysis: We generally use Python to send email + create a unique link per email to targets • Credential Grabbing: We generally use PHP to prompt for credentials • Execute Code: Usually leverage Empire (Office Macro, HTA method)
Is your input being presented on the screen? -> XSS Is your input calling on stored data? -> SQLi Does input generate an action to an external service? -> SSRF Does your input call on a local or remote file? -> File Inclusion Does your input end up on the file system? -> File Upload Does your input cause another page to load? -> Redirect Vulns Can we enumerate technology and versions? -> Lots of Vulns 2. Web Application Vulnerabilities
2. Web App Vulns: File Inclusion File Inclusion vulns can lead to code execution “php include()” Sometimes they are limited to just file inclusion “php echo()” LFIs normally require you to get your input on disk then include the affected resource (log poisoning) RFIs are normally easier to exploit as you can point them to an external resource containing your code
2. Web App Vulns: Step 1 Unlinked resource “debug.php”- HTTP 200 OK and blank screen
2. Web App Vulns: Step 2 Unlinked resource “debug.php”- HTTP 200 OK and blank screen
2. Web App Vulns: Step 2 Never underestimate the power of a good lunch!
2. Web App Vulns: Step 3 • Parameters are fuzzed to enumerate inputs. "page=test" gives back a different response "Failed opening 'test' for inclusion”
2. Web App Vulns: Step 4 • Attempt to execute code: 1.php = <?php system(‘id’);?>
2. Web App Vulns: Step 5 IN REAL LIFE: The web service was running as SYSTEM!
3. Multicast Name Resolution Poisoning A majority of the time internal networks will have name resolution traffic enabled with the following protocols: Link-Local Multicast Name Resolution (LLMNR) Netbios Name (NBT-NS) services. Multicast DNS (mDNS) By listening, intercepting and manipulating name resolution traffic an attacker can redirect authentication traffic and perform Man in the Middle (MITM) attacks.
Responder!
3. Enter Responder.py Responder is a Python script that aids in: Multicast Protocol Poisoning (LLMNR, NBT-NS, mDNS) WPAD Spoofing (Web Proxy Auto Discovery) using a non authorized server as a proxy server for all HTTP requests to the Internet. MITM Attacks (Intercepting credential exchanges between hosts leading to password cracking, pass the hash, SMB relay attacks, etc.) Rouge Server Services (SMTP, IMAP, POP3, SMB, Kerberos, FTP, HTTP, HTTPS, DNS, LDAP, SQL, etc.)
3. Responder.py - Use Case 1 Rouge Services Syntax: ~$ responder -I eth0 -f
3. Responder.py - Use Case 2 WPAD Syntax: ~$ responder -I eth0 -bw
3. Responder.py - Use Case 3 Analyze Syntax: ~$ responder -I eth0 -A
3. Prevent Multicast Name Communication Attacks Preventing multicast communication attacks through: •Disable Broadcast Protocols: LLMNR (Link Local Multicast Name Resolution) and NBNS (NetBios Name Resolution) •Prevent WPAD Poisoning w/ WPAD file entries in DNS •Segment the local networks with VLANS to prevent impact •Ensure that only NTLMv2 is in use rather than LM and NTLM
4. SMB Relay Attacks • SMB relay attacks occur once an attacker inserts themselves in between the NTLM Challenge/Response protocol exchange. • The attacker needs the victim to initiate an HTTP or SMB connection. • This initiation can occur often from either: – LLMNR/NBNS spoofing – Automated processes attempting to authenticate to systems (ex. patch management, antivirus updates, vulnerability scanners, custom admin scripts, etc.)
So You Started a Scan
4. SMB Relay Attack Visual: Automated Process
4. SMB Relay Attack: Multicast Poisoning Attackers IP: 192.168.56.103 Windows Client (Target): 192.168.56.105 Windows DC: 192.168.56.102
4. SMB Relay Attack: Multicast Poisoning Cont. Attackers IP: 192.168.56.103 Windows Client (Target): 192.168.56.105 Windows DC: 192.168.56.102
4. SMB Relay Attack: Multicast Poisoning Cont. Attackers IP: 192.168.56.103 Windows Client (Target): 192.168.56.105 Windows DC: 192.168.56.102
4. SMB Relay Attack: Nessus Scanner Scenario
4. Prevent SMB Relay Attacks Preventing SMB relay attacks through: •Require SMB Signing •Disable Broadcast Protocols: LLMNR (Link Local Multicast Name Resolution) and NBNS (NetBios Name Resolution) •Prevent WPAD Poisoning w/ WPAD file entries in DNS •Prevent SMB Traffic Outbound •Enable EPA (Extended Protection and Authentication)
5. Account Compromise
5. Account Compromise Combines several vulnerabilities to demonstrate risk: - Username enumeration (Low) + - Lack of Automation Controls (Low) + - Lack of Password Complexity Reqs (Low) = - Account Compromise (Critical)
5. Acct Comp: Username Enumeration Password Reset Feature “Email address not found” Login Error Message “Invalid Username”’ Contact Us Features “Which Admin do you want to contact?” Timing for login Attempts: Valid = 0.4 secs Invalid = 15 secs User Registration “Username already exists” Various error messages, and HTML source Google Hacking and OSINT Sometimes the application tells you
5. Acct Comp: Automation Controls Pull the auth request up in Burp’s Repeater and try it a few times No sign of automation controls? -> Burp Intruder - No account lockout - Non-existent or Weak CAPTCHA - Main login is strong, but others? (Mobile Interface, API, etc.)
5. Acct Comp: Weak Passwords We as humans are bad at passwords…here are some tricks: - Password the same as username - Variations of “password”: “p@ssw0rd”… - Month+Year, Season+Year: winter2015… - Company Name + year - Keyboard Walks – PW Generator: “!QAZ2wsx” Lots of wordlists out there, consider making a targeted wordlist Research the targeted user’s interests and build lists around those interests
5. Acct Comp: Default and Shared Attempt to brute force across all the things Brute Force Tools: Burp Suite’s Intruder, Hydra, CrackMapExec, MSF SMB modules, Nmap, etc. Always try default creds for any given technology We commonly see shared Linux root creds, and shared Windows local admin creds across the entire enterprise
Final Thoughts and Tips • Use Shodan and Censys.io for external reconnaissance • Make sure you investigate shares (enum4linux) • Unlinked Content enumeration on web applications is key • Passwords written down on sticky notes? Yea usually • Can you reset a PW via the Help Desk? • Put a focus on feature abuse: What does the technology let you do? How can you abuse that functionality? • Once you get valid credentials try them across all the things
Useful Trainings & Links Free Training: Cybrary CTFs: Vulnhub, Past CTF Writeups, Pentester Lab Training: Offensive Security, SANS, SecurityTube Book: Web Application Hackers Handbook Book: Black Hat Python Talks: IronGeek (Adrian Crenshaw’s) YouTube Channel Talk: How to Shot Web - Jason Haddix Talk: How to be an InfoSec Geek - Primal Security Talk: File in the hole! - Soroush Dalili Talk: Exploiting Deserialization Vulnerabilities in Java Talk: Polyglot Payloads in Practice - Marcus Niemietz Talk: Running Away From Security - Micah Hoffman Talk: Beyond Automated Testing – Us! GitHub Resource: Security Lists For Fun & Profit
Contact Us Site: https://www.breakpoint-labs.com Email: info@breakpoint-labs.com Twitter: @0xcc_labs We Are Hiring!

More Related Content

PPTX
Web Hacking With Burp Suite 101
Zack Meyers
 
PPTX
Burpsuite yara
Rinaldi Rampen
 
PDF
BSides Lisbon 2013 - All your sites belong to Burp
Tiago Mendo
 
PPT
BSidesJXN 2016: Finding a Company's BreakPoint
Andrew McNicol
 
PPT
Logical Attacks(Vulnerability Research)
Ajay Negi
 
PPTX
How To Start Your InfoSec Career
Andrew McNicol
 
PPT
BSidesDC 2016 Beyond Automated Testing
Andrew McNicol
 
PPT
BSides Philly Finding a Company's BreakPoint
Andrew McNicol
 
Web Hacking With Burp Suite 101
Zack Meyers
 
Burpsuite yara
Rinaldi Rampen
 
BSides Lisbon 2013 - All your sites belong to Burp
Tiago Mendo
 
BSidesJXN 2016: Finding a Company's BreakPoint
Andrew McNicol
 
Logical Attacks(Vulnerability Research)
Ajay Negi
 
How To Start Your InfoSec Career
Andrew McNicol
 
BSidesDC 2016 Beyond Automated Testing
Andrew McNicol
 
BSides Philly Finding a Company's BreakPoint
Andrew McNicol
 

What's hot (20)

PDF
Is code review the solution?
Tiago Mendo
 
ODP
Lets exploit Injection and XSS
lethalduck
 
PDF
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
bugcrowd
 
PPTX
Burp suite
SOURABH DESHMUKH
 
PDF
Logical attacks
Tabish Ali CCISO,ECSA,CHFI,CEH,COBIT5
 
PPTX
Owasp web application security trends
beched
 
PDF
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
Chris Gates
 
PDF
Api security-testing
n|u - The Open Security Community
 
PPT
Intro to Web Application Security
Rob Ragan
 
PDF
Introduction to Windows Dictionary Attacks
Scott Sutherland
 
PDF
Email keeps getting us pwned v1.0
Michael Gough
 
PDF
Secuirty News Bytes-Bangalore may 2014
n|u - The Open Security Community
 
PDF
What can you do about ransomware
Michael Gough
 
PPTX
Zap vs burp
Tomasz Fajks
 
PPTX
Cyber ppt
karthik menon
 
PDF
Email keeps getting us pwned v1.1
Michael Gough
 
PPTX
Application Security Tools
Lalit Kale
 
PDF
Flashack
n|u - The Open Security Community
 
KEY
DVWA BruCON Workshop
testuser1223
 
PPTX
DVWA(Damn Vulnerabilities Web Application)
Soham Kansodaria
 
Is code review the solution?
Tiago Mendo
 
Lets exploit Injection and XSS
lethalduck
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
bugcrowd
 
Burp suite
SOURABH DESHMUKH
 
Logical attacks
Tabish Ali CCISO,ECSA,CHFI,CEH,COBIT5
 
Owasp web application security trends
beched
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
Chris Gates
 
Api security-testing
n|u - The Open Security Community
 
Intro to Web Application Security
Rob Ragan
 
Introduction to Windows Dictionary Attacks
Scott Sutherland
 
Email keeps getting us pwned v1.0
Michael Gough
 
Secuirty News Bytes-Bangalore may 2014
n|u - The Open Security Community
 
What can you do about ransomware
Michael Gough
 
Zap vs burp
Tomasz Fajks
 
Cyber ppt
karthik menon
 
Email keeps getting us pwned v1.1
Michael Gough
 
Application Security Tools
Lalit Kale
 
Flashack
n|u - The Open Security Community
 
DVWA BruCON Workshop
testuser1223
 
DVWA(Damn Vulnerabilities Web Application)
Soham Kansodaria
 
Ad

Viewers also liked (20)

PPTX
Parque benito juárez
Daniela PLuche
 
DOCX
Milind_Padwal
milind padwal
 
PPTX
SplunkLive! Toronto - Ceryx
Splunk
 
PDF
Splunk app for_enterprise_security
Greg Hanchin
 
PDF
Cybersecurity tips for employees
Priscila Bernardes
 
PPT
La revolucion rusa
maricalvhi
 
PPTX
Pentesting Tips: Beyond Automated Testing
Andrew McNicol
 
PPT
Beyond Automated Testing - RVAsec 2016
Andrew McNicol
 
PPTX
U.d.9. la restauración
oscarjgope
 
PPT
Tema 3 1ºESO El relieve de América. Curso 2015/2016
Chema R.
 
DOCX
Sesión de aprendizaje nº18
Yesenia Anabel
 
PPT
Confronta Los Gigantes En Tu Vida!
Centro de Vida Victoriosa (Iglesia)
 
PPTX
París 2010
Manuel Herrán
 
PDF
Copiar y pegar
Martín Martínez
 
PPTX
Fabrica del mal o fuente de bendición
José Jorge
 
PPTX
Cositas que llegan muuuy pronto y otras no
Patricia Rangel Olea
 
DOCX
Guía para el alumno
Jenny Medel
 
ODP
La materia
Trinidad Rodriguez Gallardo
 
PPTX
Trabajo Grupal
mafer
 
PPT
Anabela Cofre
guestcb81f09
 
Parque benito juárez
Daniela PLuche
 
Milind_Padwal
milind padwal
 
SplunkLive! Toronto - Ceryx
Splunk
 
Splunk app for_enterprise_security
Greg Hanchin
 
Cybersecurity tips for employees
Priscila Bernardes
 
La revolucion rusa
maricalvhi
 
Pentesting Tips: Beyond Automated Testing
Andrew McNicol
 
Beyond Automated Testing - RVAsec 2016
Andrew McNicol
 
U.d.9. la restauración
oscarjgope
 
Tema 3 1ºESO El relieve de América. Curso 2015/2016
Chema R.
 
Sesión de aprendizaje nº18
Yesenia Anabel
 
Confronta Los Gigantes En Tu Vida!
Centro de Vida Victoriosa (Iglesia)
 
París 2010
Manuel Herrán
 
Copiar y pegar
Martín Martínez
 
Fabrica del mal o fuente de bendición
José Jorge
 
Cositas que llegan muuuy pronto y otras no
Patricia Rangel Olea
 
Guía para el alumno
Jenny Medel
 
La materia
Trinidad Rodriguez Gallardo
 
Trabajo Grupal
mafer
 
Anabela Cofre
guestcb81f09
 
Ad

Similar to Bsides-Philly-2016-Finding-A-Companys-BreakPoint (20)

PDF
Real life hacking101
Florent Batard
 
PPT
Andrew and Zac RVA-Beyond-Automated-Testing-2016.ppt
BUSHRASHAIKH804312
 
PDF
Penetration Testing is the Art of the Manipulation
JongWon Kim
 
PPTX
BSides_Charm2015_Info sec hunters_gathers
Andrew McNicol
 
PDF
Tietoturvallisuuden_kevatseminaari_2013_Jarno_Niemela
Valtiokonttori / Statskontoret / State Treasury of Finland
 
PPT
Intro To Hacking
nayakslideshare
 
PPT
The Top 10/20 Internet Security Vulnerabilities – A Primer
amiable_indian
 
PDF
NotaCon 2011 - Networking for Pentesters
Rob Fuller
 
PDF
Web Application Security: Introduction to common classes of security flaws an...
Thoughtworks
 
PDF
Tw noche geek quito webappsec
Thoughtworks
 
PDF
Invited Talk - Cyber Security and Open Source
hack33
 
PPT
Event - Internet Thailand - Total Security Perimeters
Somyos U.
 
PDF
Hack Attack! An Introduction to Penetration Testing
Steve Phillips
 
PDF
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
Chris Gates
 
PDF
SOHOpelessly Broken
The Security of Things Forum
 
PPT
Security & ethical hacking p2
ratnalajaggu
 
PPT
Security & ethical hacking
Amanpreet Singh
 
PPT
Network security
Akhilesh Jain
 
PDF
Ethical hacking
Khairi Aiman
 
PPT
Network Security Attacks, and Solutions.
gregtap1
 
Real life hacking101
Florent Batard
 
Andrew and Zac RVA-Beyond-Automated-Testing-2016.ppt
BUSHRASHAIKH804312
 
Penetration Testing is the Art of the Manipulation
JongWon Kim
 
BSides_Charm2015_Info sec hunters_gathers
Andrew McNicol
 
Tietoturvallisuuden_kevatseminaari_2013_Jarno_Niemela
Valtiokonttori / Statskontoret / State Treasury of Finland
 
Intro To Hacking
nayakslideshare
 
The Top 10/20 Internet Security Vulnerabilities – A Primer
amiable_indian
 
NotaCon 2011 - Networking for Pentesters
Rob Fuller
 
Web Application Security: Introduction to common classes of security flaws an...
Thoughtworks
 
Tw noche geek quito webappsec
Thoughtworks
 
Invited Talk - Cyber Security and Open Source
hack33
 
Event - Internet Thailand - Total Security Perimeters
Somyos U.
 
Hack Attack! An Introduction to Penetration Testing
Steve Phillips
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
Chris Gates
 
SOHOpelessly Broken
The Security of Things Forum
 
Security & ethical hacking p2
ratnalajaggu
 
Security & ethical hacking
Amanpreet Singh
 
Network security
Akhilesh Jain
 
Ethical hacking
Khairi Aiman
 
Network Security Attacks, and Solutions.
gregtap1
 

Recently uploaded (20)

PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Modernizing your data center with Dell and AMD
Principled Technologies
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Encapsulation theory and applications.pdf
gurumoop
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
KodekX | Application Modernization Development
KodekX
 
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Approach and Philosophy of On baking technology
30anthuong17
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Modernizing your data center with Dell and AMD
Principled Technologies
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 

Bsides-Philly-2016-Finding-A-Companys-BreakPoint

  • 1. Finding a Company’s BreakPoint By: Zack Meyers & Andrew McNicol
  • 3. Agenda ~$ whoami Overview Our Methodology How to Go Beyond a Scan 1. Phishing 2. Web Application Vulnerabilities 3. Multicast Name Resolution Poisoning 4. SMB Relay Attacks 5. Account Compromise Final Thoughts and Tips Useful Training and Links
  • 4. ~$ whoami Zack Meyers (@b3armunch) Andrew McNicol (@primalsec) Red Team @BreakPoint Labs (@0xcc_labs) Bloggers/Podcasters @Primal Security (@primalsec) Past: BSidesCHARM, BSidesDC, RVASec Certification Junkies (OSCE, OSCP, GWAPT, GPEN etc.) Python, CTFs, Learning, long walks on the beach ( @AnnapolisSec)
  • 5. Things Have Changed Since the 90s
  • 6. Overview • Goal: Break the mindset of “Scan then Exploit” • Cover 5 ways we commonly break into a network: 1. Phishing 2. Web Application Vulnerabilities 3. Multicast Name Resolution Poisoning 4. SMB Relay Attacks 5. Account Compromise
  • 7. Our Methodology (High Level) Planning and Scoping Reconnaissance Mapping Automated Testing Manual Testing Reporting Remediation Support
  • 8. How to Go Beyond a Scan 1. Mindset: Fail 1000s of times and Continue Trying 2. Recon + Mapping: Find Systems + Content Others Have Missed 3. Automated Testing: Run the appropriate tool for the job 4. Manual Testing: Identify, Understand, and Fuzz all Areas of Input Research all Version Specific Vulnerabilities Combine Findings, Remove False Positives, and Abuse Features 1. Reporting: Highlight Business Impact
  • 9. 1. Phishing • [surprise] Phishing actually works. [/surprise] • Here is the process we generally follow: 1. Planning: Goals, ROE, what happens when the user clicks? 2. Determine Scenario: Ransomware, Targeted, etc. 3. Determine Phishing Domains 4. Find Vulnerabilities: Email Spoofing 5. Execute the Engagement • Full Blog Here: https://breakpoint-labs.com/phishing/
  • 10. 1. Phishing: Planning • Work with the customer to understand their needs for the Phishing campaign (Compliance, Part of a larger engagement, etc.) • We prefer to send email via Python (smtp module) • We generally perform these three types of engagements: 1. Click Analysis: Determine how many users clicked a link 2. Credential Gathering: Prompt for Credentials 3. Execute Code: PowerShell, Office Macros, HTAs, etc.
  • 11. CEOs Reaction to Opening the Phishing Email
  • 12. 1. Phishing: Scenario • 2 Main Types of Scenarios: Common Malware, and Targeted Attacker UPS Tracking Ransomware: Cloned Site + Password Prompt:
  • 13. 1. Phishing: Phishing Domains • The scenario will determine what domains we leverage • If our goal is to perform a more targeted attack we will attempt use a similar domain to the target organization and clone login portals: – breakpoint-labs.com vs. breakpoint-lab.com • If our goal is more common threat we will emulate those TTPs: – ups-pkgtracker.com • Its important to submit domains to web content filters/proxies
  • 14. 1. Phishing: Finding Vulnerabilities
  • 15. 1. Phishing: Finding Vulnerabilities Outlook client – Email below is sent from a Gmail account:
  • 16. 1. Phishing: Execute Code • Click Analysis: We generally use Python to send email + create a unique link per email to targets • Credential Grabbing: We generally use PHP to prompt for credentials • Execute Code: Usually leverage Empire (Office Macro, HTA method)
  • 17. Is your input being presented on the screen? -> XSS Is your input calling on stored data? -> SQLi Does input generate an action to an external service? -> SSRF Does your input call on a local or remote file? -> File Inclusion Does your input end up on the file system? -> File Upload Does your input cause another page to load? -> Redirect Vulns Can we enumerate technology and versions? -> Lots of Vulns 2. Web Application Vulnerabilities
  • 18. 2. Web App Vulns: File Inclusion File Inclusion vulns can lead to code execution “php include()” Sometimes they are limited to just file inclusion “php echo()” LFIs normally require you to get your input on disk then include the affected resource (log poisoning) RFIs are normally easier to exploit as you can point them to an external resource containing your code
  • 19. 2. Web App Vulns: Step 1 Unlinked resource “debug.php”- HTTP 200 OK and blank screen
  • 20. 2. Web App Vulns: Step 2 Unlinked resource “debug.php”- HTTP 200 OK and blank screen
  • 21. 2. Web App Vulns: Step 2 Never underestimate the power of a good lunch!
  • 22. 2. Web App Vulns: Step 3 • Parameters are fuzzed to enumerate inputs. "page=test" gives back a different response "Failed opening 'test' for inclusion”
  • 23. 2. Web App Vulns: Step 4 • Attempt to execute code: 1.php = <?php system(‘id’);?>
  • 24. 2. Web App Vulns: Step 5 IN REAL LIFE: The web service was running as SYSTEM!
  • 25. 3. Multicast Name Resolution Poisoning A majority of the time internal networks will have name resolution traffic enabled with the following protocols: Link-Local Multicast Name Resolution (LLMNR) Netbios Name (NBT-NS) services. Multicast DNS (mDNS) By listening, intercepting and manipulating name resolution traffic an attacker can redirect authentication traffic and perform Man in the Middle (MITM) attacks.
  • 27. 3. Enter Responder.py Responder is a Python script that aids in: Multicast Protocol Poisoning (LLMNR, NBT-NS, mDNS) WPAD Spoofing (Web Proxy Auto Discovery) using a non authorized server as a proxy server for all HTTP requests to the Internet. MITM Attacks (Intercepting credential exchanges between hosts leading to password cracking, pass the hash, SMB relay attacks, etc.) Rouge Server Services (SMTP, IMAP, POP3, SMB, Kerberos, FTP, HTTP, HTTPS, DNS, LDAP, SQL, etc.)
  • 28. 3. Responder.py - Use Case 1 Rouge Services Syntax: ~$ responder -I eth0 -f
  • 29. 3. Responder.py - Use Case 2 WPAD Syntax: ~$ responder -I eth0 -bw
  • 30. 3. Responder.py - Use Case 3 Analyze Syntax: ~$ responder -I eth0 -A
  • 31. 3. Prevent Multicast Name Communication Attacks Preventing multicast communication attacks through: •Disable Broadcast Protocols: LLMNR (Link Local Multicast Name Resolution) and NBNS (NetBios Name Resolution) •Prevent WPAD Poisoning w/ WPAD file entries in DNS •Segment the local networks with VLANS to prevent impact •Ensure that only NTLMv2 is in use rather than LM and NTLM
  • 32. 4. SMB Relay Attacks • SMB relay attacks occur once an attacker inserts themselves in between the NTLM Challenge/Response protocol exchange. • The attacker needs the victim to initiate an HTTP or SMB connection. • This initiation can occur often from either: – LLMNR/NBNS spoofing – Automated processes attempting to authenticate to systems (ex. patch management, antivirus updates, vulnerability scanners, custom admin scripts, etc.)
  • 33. So You Started a Scan
  • 34. 4. SMB Relay Attack Visual: Automated Process
  • 35. 4. SMB Relay Attack: Multicast Poisoning Attackers IP: 192.168.56.103 Windows Client (Target): 192.168.56.105 Windows DC: 192.168.56.102
  • 36. 4. SMB Relay Attack: Multicast Poisoning Cont. Attackers IP: 192.168.56.103 Windows Client (Target): 192.168.56.105 Windows DC: 192.168.56.102
  • 37. 4. SMB Relay Attack: Multicast Poisoning Cont. Attackers IP: 192.168.56.103 Windows Client (Target): 192.168.56.105 Windows DC: 192.168.56.102
  • 38. 4. SMB Relay Attack: Nessus Scanner Scenario
  • 39. 4. Prevent SMB Relay Attacks Preventing SMB relay attacks through: •Require SMB Signing •Disable Broadcast Protocols: LLMNR (Link Local Multicast Name Resolution) and NBNS (NetBios Name Resolution) •Prevent WPAD Poisoning w/ WPAD file entries in DNS •Prevent SMB Traffic Outbound •Enable EPA (Extended Protection and Authentication)
  • 41. 5. Account Compromise Combines several vulnerabilities to demonstrate risk: - Username enumeration (Low) + - Lack of Automation Controls (Low) + - Lack of Password Complexity Reqs (Low) = - Account Compromise (Critical)
  • 42. 5. Acct Comp: Username Enumeration Password Reset Feature “Email address not found” Login Error Message “Invalid Username”’ Contact Us Features “Which Admin do you want to contact?” Timing for login Attempts: Valid = 0.4 secs Invalid = 15 secs User Registration “Username already exists” Various error messages, and HTML source Google Hacking and OSINT Sometimes the application tells you
  • 43. 5. Acct Comp: Automation Controls Pull the auth request up in Burp’s Repeater and try it a few times No sign of automation controls? -> Burp Intruder - No account lockout - Non-existent or Weak CAPTCHA - Main login is strong, but others? (Mobile Interface, API, etc.)
  • 44. 5. Acct Comp: Weak Passwords We as humans are bad at passwords…here are some tricks: - Password the same as username - Variations of “password”: “p@ssw0rd”… - Month+Year, Season+Year: winter2015… - Company Name + year - Keyboard Walks – PW Generator: “!QAZ2wsx” Lots of wordlists out there, consider making a targeted wordlist Research the targeted user’s interests and build lists around those interests
  • 45. 5. Acct Comp: Default and Shared Attempt to brute force across all the things Brute Force Tools: Burp Suite’s Intruder, Hydra, CrackMapExec, MSF SMB modules, Nmap, etc. Always try default creds for any given technology We commonly see shared Linux root creds, and shared Windows local admin creds across the entire enterprise
  • 46. Final Thoughts and Tips • Use Shodan and Censys.io for external reconnaissance • Make sure you investigate shares (enum4linux) • Unlinked Content enumeration on web applications is key • Passwords written down on sticky notes? Yea usually • Can you reset a PW via the Help Desk? • Put a focus on feature abuse: What does the technology let you do? How can you abuse that functionality? • Once you get valid credentials try them across all the things
  • 47. Useful Trainings & Links Free Training: Cybrary CTFs: Vulnhub, Past CTF Writeups, Pentester Lab Training: Offensive Security, SANS, SecurityTube Book: Web Application Hackers Handbook Book: Black Hat Python Talks: IronGeek (Adrian Crenshaw’s) YouTube Channel Talk: How to Shot Web - Jason Haddix Talk: How to be an InfoSec Geek - Primal Security Talk: File in the hole! - Soroush Dalili Talk: Exploiting Deserialization Vulnerabilities in Java Talk: Polyglot Payloads in Practice - Marcus Niemietz Talk: Running Away From Security - Micah Hoffman Talk: Beyond Automated Testing – Us! GitHub Resource: Security Lists For Fun & Profit
  • 48. Contact Us Site: https://www.breakpoint-labs.com Email: info@breakpoint-labs.com Twitter: @0xcc_labs We Are Hiring!