Portia - Finding Your Way To Domain Access
Michael Gianarakis
Keith Lee
#whoami
• Michael Gianarakis (@mgianarakis)
• Director of SpiderLabs APAC
• SecTalks Brisbane
• Flat Duck Enthusiast
• Keith Lee (@keith55)
• Senior Consultant at SpiderLabs APAC
Motivation
• We do a number of internal network penetration tests as part of our day to day
• There are a bunch of awesome tools and techniques for capturing and cracking credentials (e.g. Responder)
• We wanted to fill the gap between cracking a low privilege password hash from NetBIOS/LLMNR/WPAD attacks etc. and compromising the entire domain
• Also to help with a few common issues that we as penetration testers face
• Developed a tool, Portia, to help with this.
Motivation
• We developed Portia because we found similar tools had a number of issues
• Limited support and success with recent versions of Windows
• Not as effective against systems that have implemented common hardening techniques
• Wanted a single, but modular tool to cover a number of techniques rather than multiple tools
Portia
• Portia aims to automate a number of techniques commonly performed on internal network penetration tests after a low privileged account has been compromised
• Privilege escalation
• Lateral movement
• Convenience modules
• Portia is a genus of jumping spider that feeds on other spiders - known for their intelligent hunting behaviour and problem solving capabilities usually only found in larger animals
Portia basic workflow
• Checks the credentials
• Enumerates the list of users in the Domain Admin group
• Checks if the account is part of the Domain Admin group
• Checks SYSVOL for stored credentials
• Syncs time with the DC and exploits MS14-068 if vulnerable
• Also checks for MS08-067 and MS17-010
• Checks which hosts the account has admin access on
• Checks for impersonation tokens belonging to the Domain Admin group
• If found, uses the impersonation token and runs Mimikatz against the domain controller
• If not found, runs Mimikatz and dumps local password hashes
• If any new passwords/hashes are found, tests the credentials and then uses them to access other hosts in the network
• Continues to do so until all passwords/hashes have been exhausted or all hosts have been compromised.
• Continues with post exploitation modules like finding interesting files and searching disks and memory for PAN numbers (if the option is enabled)
Starts with the “low-hanging fruit”
Storing passwords in SYSVOL or Group Policy Preference (GPP)
• Credentials may be stored in Group Policy Preferences
• Locations in Group Policy Preferences where credentials may be saved
• Drive Maps
• Local Users and Groups
• Scheduled Tasks
• Services
• Data Sources
Storing passwords in SYSVOL or Group Policy Preference (GPP)
• When a new GPP is created an XML file is created in SYSVOL which contains relevant configuration data including potentially passwords
• Any authenticated domain user account is able to access it
• Passwords are encrypted using a “known” 32-byte AES key.
• “Known” because Microsoft published it on MSDN
Storing passwords in SYSVOL or Group Policy Preference (GPP)
• MS Patch - MS14-025 (KB2962486)
• Unable to create new GPO preferences that rely on saved passwords
• Doesn’t remove the old insecure passwords
• Have they disabled or removed the old accounts that were used in GPP previously?
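Because MS14-025 leaves old cpassword entries in place, the defender's check is an audit of SYSVOL for any GPP XML that still carries one. The script below is an added example, not Portia's code: it walks a SYSVOL-style tree, looks only at the five preference files named above, and reports which file and account each stored credential belongs to without decrypting anything. The sample SYSVOL it builds (GUID, blobs, account names) is constructed for the dry run; the file and attribute names are the ones the GPP XML files use for each area.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# GPP XML files that can carry a cpassword attribute, mapped to the five
# preference areas named on the slide.
GPP_FILES = {
    "Drives.xml": "Drive Maps",
    "Groups.xml": "Local Users and Groups",
    "ScheduledTasks.xml": "Scheduled Tasks",
    "Services.xml": "Services",
    "DataSources.xml": "Data Sources",
}

# Each area names the account in a different attribute of <Properties>.
USER_ATTRS = ("userName", "runAs", "accountName", "username")


def find_cpassword(xml_data, filename):
    """Return (area, user, tag) for every element carrying a cpassword
    attribute. The value itself is never decrypted; presence is the finding."""
    area = GPP_FILES.get(filename, "Unknown")
    hits = []
    for elem in ET.fromstring(xml_data).iter():
        if "cpassword" not in elem.attrib:
            continue
        user = next((elem.attrib[a] for a in USER_ATTRS if a in elem.attrib), "<none>")
        hits.append((area, user, elem.tag))
    return hits


def audit_sysvol(sysvol_root):
    """Walk a SYSVOL tree and report every stored GPP credential."""
    findings = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for name in files:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                try:
                    hits = find_cpassword(fh.read(), name)
                except ET.ParseError:
                    continue  # malformed file: skipped here, a real audit should log it
            for area, user, tag in hits:
                findings.append({"file": path, "area": area, "user": user, "element": tag})
    return findings


# Constructed sample SYSVOL (fake GUIDs, fake cpassword blobs) for a dry run.
_GROUPS_XML = b"""<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{00000000-0000-0000-0000-000000000001}">
  <User clsid="{00000000-0000-0000-0000-000000000002}" name="LocalAdmin">
    <Properties action="U" userName="LocalAdmin" cpassword="CONSTRUCTED_BLOB_1"/>
  </User>
</Groups>"""
_TASKS_XML = b"""<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks clsid="{00000000-0000-0000-0000-000000000003}">
  <Task clsid="{00000000-0000-0000-0000-000000000004}" name="Backup">
    <Properties action="C" runAs="svc_backup" cpassword="CONSTRUCTED_BLOB_2"/>
  </Task>
</ScheduledTasks>"""
_DRIVES_XML = b"""<?xml version="1.0" encoding="utf-8"?>
<Drives clsid="{00000000-0000-0000-0000-000000000005}">
  <Drive name="H:"><Properties action="U" path="\\\\fs01\\home" userName=""/></Drive>
</Drives>"""


def build_sample_sysvol():
    """Write the constructed files into a temp dir laid out like SYSVOL."""
    root = tempfile.mkdtemp(prefix="sysvol_")
    base = os.path.join(root, "Policies", "{CONSTRUCTED-GUID}", "Machine", "Preferences")
    for sub, name, data in (("Groups", "Groups.xml", _GROUPS_XML),
                            ("ScheduledTasks", "ScheduledTasks.xml", _TASKS_XML),
                            ("Drives", "Drives.xml", _DRIVES_XML)):
        os.makedirs(os.path.join(base, sub), exist_ok=True)
        with open(os.path.join(base, sub, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for f in audit_sysvol(build_sample_sysvol()):
        print("%-22s %-12s %s" % (f["area"], f["user"], f["file"]))
```

Point `audit_sysvol` at a mounted `\\<domain>\SYSVOL` share to run it against a real domain; every hit is an account whose password should be rotated and whose XML should be removed.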
MS14-068 (KB3011780) Vulnerability in Microsoft Windows Kerberos KDC
• An attacker is able to use an unprivileged domain user account and elevate its privileges to those of a domain administrator account.
• A Privilege Attribute Certificate (PAC) can be forged that would be accepted by the KDC as legitimate. A fake PAC can claim that the regular user is a member of the domain administrators group.
MS08-067 and MS17-010
• MS08-067 (that old chestnut)
• Buffer overflow vulnerability triggered by a specially crafted RPC request.
• Old and mostly patched out but sometimes you get lucky.
• MS17-010
• Thanks Shadow Brokers/Equation Group
• Flaw with how SMBv1 handles certain requests that can result in remote code execution
Assuming no passwords in SYSVOL and MS14-068, MS08-067 and MS17-010 are not exploitable - what’s next?
Impersonation Token
• What is an Impersonation Token?
• When a user logs into a system a delegation token is created, which is converted to an impersonation token once the user logs out.
• The impersonation token has the same rights and properties as the delegation token.
• The delegation and impersonation tokens, once created, remain on the system until it is rebooted.
• If a Domain Administrator impersonation token is found, it can be used to run Mimikatz or to add an account to the Domain Admin group and dump credentials on the DC
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Portia - Impersonation Tokens
• If no impersonation token is found, Portia runs Mimikatz and dumps the local password hashes
• If there are any new passwords/hashes they are added to the database and the process starts again
• The new passwords will be tested against every host until there are no new passwords
Shared Local Administrator Passwords
• IT administrators use a default Operating System (OS) image (with the software installed) and roll it out to new users. The OS is configured with a default password.
• In order for the IT staff to support the workstations/servers, it’s easy to use a single default local administrator password.
• From an offensive perspective you can exploit this to move from compromising one host in the network to compromising 100 hosts in the network
• Portia detects if multiple machines are using the same local administrator password
• Does not matter if the machines are connected to the domain
AMSI
• Antimalware Scan Interface
• Designed to detect and prevent script attacks
• Implements a number of security checks
• Provides file, memory and stream scanning, content source URL/IP reputation checks as well as other techniques
• Includes additional calls for scripts that use obfuscation or layered, dynamic code evaluation
• Portia implements two techniques to bypass AMSI
AMSI Bypass Technique 1
• If .NET v2.0.50727.4927 is installed you can force the use of PowerShell v2 using the -Version option.
• PowerShell v2 does not support AMSI.
• Portia checks for the appropriate versions and forces the use of PowerShell v2
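The detection that pairs with this technique, as an added example that is not part of Portia: the Windows PowerShell event log records an "Engine state is changed" event (ID 400) for every session, and its details include both HostVersion and EngineVersion, so a v5 host that starts the 2.0 engine stands out. The parser below runs over constructed sample messages that mimic that event layout (not real captures) and also notes when the host application explicitly asked for version 2.

```python
import re

ENGINE_STATE_EVENT_ID = 400  # "Engine state is changed" in the Windows PowerShell log

# Matches a host application that explicitly asks for the v2 engine
# (PowerShell accepts abbreviated parameter names, e.g. -v 2, -ver 2).
V2_REQUEST = re.compile(r"(?i)-v[a-z]*\s+2(?:\.0)?(?!\S)")


def parse_details(message):
    """Turn the 'Key=Value' lines in the event message body into a dict."""
    details = {}
    for raw in message.splitlines():
        line = raw.strip()
        if "=" in line:
            key, _, value = line.partition("=")
            details[key.strip()] = value.strip()
    return details


def major(version):
    return version.split(".")[0] if version else ""


def check_engine_event(details):
    """Return a finding dict if this engine-state event shows a v2 engine, else None."""
    engine = details.get("EngineVersion", "")
    host = details.get("HostVersion", "")
    app = details.get("HostApplication", "")
    if major(engine) != "2":
        return None
    return {
        "engine_version": engine,
        "host_version": host,
        "host_application": app,
        "requested_v2": bool(V2_REQUEST.search(app)),
        # A v2 engine started by a newer host is the classic downgrade signature.
        "downgrade": major(host) not in ("", "2"),
    }


def scan_events(events):
    """events: iterable of (event_id, message). Only ID 400 records are examined."""
    findings = []
    for event_id, message in events:
        if event_id != ENGINE_STATE_EVENT_ID:
            continue
        finding = check_engine_event(parse_details(message))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample records mimicking the Windows PowerShell log (not real captures).
SAMPLE_EVENTS = [
    (400, "Engine state is changed from None to Available.\n\nDetails:\n"
          "\tNewEngineState=Available\n\tHostName=ConsoleHost\n"
          "\tHostVersion=5.1.14393.0\n\tHostApplication=powershell.exe\n"
          "\tEngineVersion=5.1.14393.0\n"),
    (400, "Engine state is changed from None to Available.\n\nDetails:\n"
          "\tNewEngineState=Available\n\tHostName=ConsoleHost\n"
          "\tHostVersion=5.1.14393.0\n"
          "\tHostApplication=powershell.exe -Version 2 -NoProfile\n"
          "\tEngineVersion=2.0\n"),
    (600, "Provider \"Registry\" is Started.\n\nDetails:\n\tProviderName=Registry\n"),
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print("v2 engine started by host %s via: %s"
              % (f["host_version"], f["host_application"]))
```

The condition this technique depends on can be removed outright by uninstalling the v2 engine (the Windows optional feature MicrosoftWindowsPowerShellV2Root), after which the -Version 2 request fails instead of silently skipping AMSI.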
AMSI Bypass Technique 2
• Another technique to bypass AMSI is to unload AMSI from the current process.
• This technique was created by Matt Graeber
• Simple one-liner that unloads AMSI from the current process and doesn’t require elevated privileges
App Locker Bypass
• Portia implements a number of App Locker bypass techniques:
• Weak Path Rules
• MSBuild.exe
• CScriptShell
App Locker Bypass - Weak Path Rules
• Exploits inappropriate folder permissions.
• By default Windows allows read and write access to the following folders:
• C:\Windows\Tasks
• C:\Windows\Temp
• C:\Windows\tracing
• A binary that executes from these folders will not be blocked by App Locker
• Portia loads PowerShell into the Tasks directory.
App Locker Bypass - MSBuild.exe
• Injecting code into signed Microsoft binaries will execute without being picked up by Device Guard.
• MSBuild.exe allows for “inline tasks” which can be used to compile and execute code in memory on the target.
• Can be used to execute arbitrary code on that target.
App Locker Bypass - CScriptShell
• CScriptShell is a tool that allows you to bypass application whitelisting and PowerShell restrictions.
• Developed by Cn33liz and using a technique developed by SubTee that lets you run .NET code inside JScript or VBScript
Invoke-Obfuscation
• Portia supports the Invoke-Obfuscation tool developed by Daniel Bohannon.
• Invoke-Obfuscation is a PowerShell script obfuscator that can assist with AV bypass.
Invoke-ReflectivePEInjection
• The commonly used Invoke-Mimikatz script runs an outdated version of Mimikatz that can have issues with Windows 10.
• Portia uses the Invoke-ReflectivePEInjection script, which runs the latest version of Mimikatz (or any binary) in the memory of the target host and is more reliable on recent versions of Windows.
Portia - Hunting for Correct Credentials to access SMB Shares/Folders
• $ python portia.py -d CORP -u milo -p Password1 -M shares
Portia - Current Modules
• Wireless Passwords
• WinvNC, Ultravnc
• Putty
• SNMP
• Browser Credentials (Firefox/Chrome)
• Dumping KeePass Credentials
• Filezilla sitemanager.xml
• Apache HTTPd.conf
• Unattend.xml, Sysprep.xml, Sysprep.inf
• Passwords stored in documents labelled *password*
• IIS Credentials (ApplicationHost.config)
• PAN numbers in files/memory
• Enabling RDP
• Automatically compromise and search MSSQL databases for sensitive information
Automatically Compromising MSSQL
• Look for weak passwords for the sa account
• If it’s successful it enables xp_cmdshell and adds a local admin account on the box
• Dumps hashes, cleartext credentials
• Looks for any interesting information stored in the databases, for example credit cards and passwords etc.
Portia - Find Interesting Files
Portia - Dumping Browser Credentials
• Uses various PowerShell scripts
• First checks for Firefox or Chrome
• Checks the currently logged-in user and whether we have the hash or password belonging to that user
• A PowerShell script that runs in the user’s session dumps the credentials to a file
Portia - Searching for PAN on Disk and In-Memory
• Portia uses modified versions of the following tools
• https://github.com/jksdua/credit-card-finder (Disk)
• https://github.com/Shellntel/scripts/blob/master/mem_scraper.ps1 (Memory)
• Portia enumerates the list of installed applications on the hosts we have admin access on
• Portia enumerates the processes running on the hosts we have admin access on
• Portia produces a table mapping which processes/programs are running on which hosts and what processes are common. This will allow an attacker to find interesting ‘processes’ to dump and find PAN numbers.
Portia - Analysing Hashes
• Currently has some basic analysis of hashes
• Blank hash
• Accounts using the same hash
• Future improvements
• Checking for password reuse between local admin account and domain admin
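The hash analysis on this slide and the shared-local-administrator detection described earlier are the same computation from the defender's side: group dumped hashes and look for blanks, reuse across accounts and hosts, and a local Administrator (RID 500) whose NT hash matches a Domain Admin's. The script below is an added example, not Portia's code; it parses pwdump/secretsdump-style lines ("user:rid:lmhash:nthash:::") from a constructed set of hosts (fake hostnames and fake 32-hex-digit hashes), with the domain's own dump tagged by the domain name. The blank-password NT hash constant is the real one.

```python
from collections import defaultdict

BLANK_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password
LOCAL_ADMIN_RID = 500


def parse_dump_line(host, line):
    """Parse one pwdump/secretsdump-style line 'user:rid:lmhash:nthash:::'
    taken from the given host (use the domain name as host for an NTDS dump)."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError("not a pwdump line: %r" % line)
    return {"host": host, "user": parts[0], "rid": int(parts[1]), "nt": parts[3].lower()}


def analyse(records, domain, domain_admins):
    """Flag blank hashes, hashes shared by several accounts (with the number of
    distinct hosts), and local Administrator hashes equal to a Domain Admin's."""
    blank = [(r["host"], r["user"]) for r in records if r["nt"] == BLANK_NT]

    by_hash = defaultdict(list)
    for r in records:
        if r["nt"] != BLANK_NT:  # blank is reported separately, not as "shared"
            by_hash[r["nt"]].append((r["host"], r["user"]))
    shared = {}
    for nt, accounts in by_hash.items():
        if len(accounts) > 1:
            shared[nt] = {"accounts": accounts,
                          "hosts": len({host for host, _ in accounts})}

    # Domain Admin hashes come from the domain dump only.
    da_hash_to_user = {r["nt"]: r["user"] for r in records
                       if r["host"] == domain and r["user"] in domain_admins}
    local_admin_reuse = [(r["host"], r["user"], da_hash_to_user[r["nt"]])
                         for r in records
                         if r["host"] != domain and r["rid"] == LOCAL_ADMIN_RID
                         and r["nt"] in da_hash_to_user]
    return {"blank": blank, "shared": shared, "local_admin_reuse": local_admin_reuse}


# Constructed sample dumps: fake hosts, fake NT hashes (32 hex digits each).
HASH_IMAGE = "a" * 31 + "1"   # the password baked into the workstation image
HASH_DA = "b" * 31 + "2"      # a Domain Admin's hash, reused on one server
HASH_OTHER = "c" * 31 + "3"
LM_EMPTY = "aad3b435b51404eeaad3b435b51404ee"
SAMPLE_DUMPS = {
    "WS01": ["Administrator:500:%s:%s:::" % (LM_EMPTY, HASH_IMAGE),
             "Guest:501:%s:%s:::" % (LM_EMPTY, BLANK_NT)],
    "WS02": ["Administrator:500:%s:%s:::" % (LM_EMPTY, HASH_IMAGE)],
    "SRV01": ["Administrator:500:%s:%s:::" % (LM_EMPTY, HASH_DA)],
    "CORP": ["da_admin:1105:%s:%s:::" % (LM_EMPTY, HASH_DA),
             "milo:1201:%s:%s:::" % (LM_EMPTY, HASH_OTHER)],
}


def build_sample_records():
    return [parse_dump_line(host, line)
            for host, lines in SAMPLE_DUMPS.items() for line in lines]


if __name__ == "__main__":
    result = analyse(build_sample_records(), "CORP", {"da_admin"})
    print("blank:", result["blank"])
    for nt, info in result["shared"].items():
        print("hash %s... on %d host(s): %s" % (nt[:8], info["hosts"], info["accounts"]))
    print("local admin == DA:", result["local_admin_reuse"])
```

A hash group with `hosts` greater than 1 on RID 500 accounts is exactly the shared local administrator password case; the usual fix is per-host randomised local admin passwords (LAPS), and any entry in `local_admin_reuse` is a Domain Admin password that needs rotating.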
Future Enhancements
• Support for attacking targets in adjacent networks via proxying through trusted hosts
• Data exfiltration modules
• More database modules
• Docker Image
• Easy setup
github.com/spiderlabs/portia
Demo
