How Microsoft will MiTM your network
Download as PPTX, PDF0 likes98 views
The document discusses Microsoft's wake-up proxy service and its role in managing network devices, particularly in a scenario involving the upgrade from Windows XP to Windows 7. It outlines the challenges of deploying this service on networks with 802.1x access control and highlights various tools that can be utilized for network monitoring and vulnerability assessment without a formal toolkit. Key takeaways emphasize the importance of understanding network ports and protocols, along with the necessity of server and network administration skills.
![Netstat - Scenario
“netstat –ano”
UDP [IP]:25536 *:* 3480](https://image.slidesharecdn.com/howmicrosoftwillmitmyournetwork-190412011704/85/How-Microsoft-will-MiTM-your-network-6-320.jpg)
![Log Files
• <![LOG[Not becoming a guardian because we are the only machine in
the subnet running WakeUp Proxy Service]LOG]!><time=“x:x:x.xxx”
component=“SleepAgent” … >
• <![LOG[Sending a port-grabbing frame for x.x.x.x / xxMACxx from
xxMACxx]LOG]!><time=“x:x:x.xxx” component=“SleepAgent” … >](https://image.slidesharecdn.com/howmicrosoftwillmitmyournetwork-190412011704/85/How-Microsoft-will-MiTM-your-network-10-320.jpg)
How Microsoft will MiTM your network
- 1. How Microsoft Will MiTM Your Network And how to use tools without a toolkit!
- 2. 601 AOC / 101 ACOMS Tyndall AFB, FL Active Defense - July 2017 (FY18 Pathfinders) (FY19 Pathfinders) Brandon DeVault GCIA, GCED, Sec+
- 3. Aaron Rosenmund - @Arosenmund aaron.rosenmund@gmail.com https://github.com/arosenmund https://www.pluralsight.com/profile/author/aaron-rosenmund
- 4. Overview Event Scenario & Discovery Microsoft Wake-Up Proxy Service Tools that aren't tools? Key Takeaways
- 5. Scenario Details - Upgrading Windows XP to 7! - 3 or more Windows 7 Machines - Offending MACs matched peer Win 7 devices - Reoccurred in unpredictable patterns - Occurred after the post install script - Related to the SCCM agent? Layer 2 Switch 00:00:0A 00:00:0B 00:00:0C
- 6. Netstat - Scenario “netstat –ano” UDP [IP]:25536 *:* 3480
- 8. Tasklist - Scenario “tasklist /svc /fi “PID eq 3480” svchost.exe 3480 ConfigMgr Wake-up Proxy
- 9. Using PowerShell and WMI - Scenario • “get –wmiobject -class win32_service | ?($_.name -like “ConfigMgr Wake-up Proxy”)” | select *” PathName : “C:windowsCCMSleepAgentService.exe”
- 10. Log Files • <![LOG[Not becoming a guardian because we are the only machine in the subnet running WakeUp Proxy Service]LOG]!><time=“x:x:x.xxx” component=“SleepAgent” … > • <![LOG[Sending a port-grabbing frame for x.x.x.x / xxMACxx from xxMACxx]LOG]!><time=“x:x:x.xxx” component=“SleepAgent” … >
- 11. Microsoft Wake-Up Proxy Service • SCCM 2012 SP1 • “Configuration Manager supports traditional wake-up packets to wake up computers in sleep mode when you want to install required software, such as software updates and applications.” • “…on a network that uses 802.1X network access control, wake-up proxy will not work and can disrupt the network service.” https://docs.microsoft.com/en-us/sccm/core/clients/deploy/plan/plan-wake-up-clients
- 12. SCCM Settings
- 13. Layer 2 Switch 00:00:0A 00:00:0B 00:00:0C Wake-up Proxy Service
- 16. 00:00:0A 00:00:0B 00:00:0C Layer 2 Switch Layer 3 Router Hello, Guardian Hello, Guardian Hello, Guardian .255 Broadcast DCERPC
- 17. 00:00:0A 00:00:0B 00:00:0C Layer 2 Switch Layer 3 Router B & C are awake A & C are awake A & B are awake ECHO
- 18. 00:00:0A 00:00:0B 00:00:0C Layer 2 Switch Layer 3 Router Nothing from C? Nothing from C? ECHO
- 19. 00:00:0A 00:00:0B 00:00:0C Layer 2 Switch Layer 3 Router Who has C’s MAC? x5
- 20. 00:00:0A 00:00:0B 00:00:0C Layer 2 Switch Layer 3 Router I got you bro! A’s MAC = A’s IP C’s MAC = A’s IP
- 22. 00:00:0A 00:00:0B 00:00:0C Layer 2 Switch Layer 3 Router New Guardian Nomination
- 23. 00:00:0A 00:00:0B 00:00:0C Layer 2 Switch Existing User OR Malicious System
- 24. Microsoft Wake-Up Proxy Service Monitor and parse traffic from attached VLAN Undetected scanning of peer computer listening ports Craft custom packets for service exploits Ability to wake-up sleeping or powered off computersCompromised Box Anywhere in Domain
- 25. Tools that aren't tools?
- 26. netstat •Displays all active TCP connections and the TCP/UDP ports on which the computer is listening“-a” •Displays active TCP connections, however, addresses and port numbers are expressed numerically and no attempt is made to determine names“-n” •Displays active TCP connections and includes the PID for each connection “-o” •(admin) Displays the binary program’s name involved in creating each connection or listening port“-b”
- 27. tasklist • Specifies the name or IP address of a remote computer“/s <Computer>” • Lists all the service information for each process without truncation“/svc ” • Specifies the types of processes to include in or exclude from the query“/fi <Filter>”
- 28. tcpdump •“tcpdump –nn –c 1000 | awk ‘{print $3}’ | cut –d. –f1-4 | sort –n | uniq –c | sort –nr” Top talkers after 1,000 packets: •“tcpdump –n –A –s0 port http or port ftp or port smtp or port imap or port pop3 | egrep –I ‘pass=|pwd=|log=|login=|user=|username=|pw=|passw= |passwd=|password=|pass:|user:|username:|password:|login:|pass |user ‘ –color=auto --line-buffered –B20” Clear text protocol passwords:
- 29. WMI objects & PowerShell • Searches through sysvol on your domain for passwords, files, usernames and anything else that may be erroneously stored in a publicly readable space. Domain_File_Search.ps1 • Domain Active directory queries from PowerShell using native .net libraries only for LDAP connections.Native AD-SCAN • Scan common ports of every endpoint of a give subnet. In progress to build out enumeration of adjacent networks by hop for additional enumeration and scanning. Power-SCAN
- 30. What is a toolkit anyway?
- 31. Key Takeaways! • Understand the ports and protocols on your network! • Server + Network Administration knowledge is a must! • Expensive Tools
- 32. Questions? • 601AOC.MDT.OMB@us.af.mil • Office: (850) 283-5280 • https://github.com/1dentified/ • Brandon DeVault - @SolderSwag • brandondevault@gmail.com • brandon.devault@us.af.mil