44CON Hacking Enterprises

grep ‘in.security’ /etc/groups
A cyber security consultancy offering specialist technical and training services
Technical
• Vulnerability Assessments
• Penetration Testing
• Red Team Engagements
• Social Engineering Engagements
• Wireless Security Assessments
• Password Audits
• Build Reviews
• Firewall Reviews
© in.security Ltd 2019, all rights reserved

$whoami /all
Will Hunt
• Co-founder of in.security
• 10+ years in cyber
• Assists UK Government
• Hacker, formerly digital forensics
• Trained at various conferences including Black Hat USA/EU
• @Stealthsploit
• https://stealthsploit.com

$whoami /all
Owen Shearing
• Co-founder of in.security
• 14+ years in technical roles
• Trained at various bespoke events and conferences including Black
Hat Asia, USA and EU
• CREST CCT
• @rebootuser
• https://rebootuser.com / https://github.com/rebootuser

The LAB
The LAB
• The MGT network hosts LAB resources for all
students to access, including:
• Phishing Platform (Gophish)
• ELK Stack
• CTF Platform
• Kali network (attackers) – this is you!
• The Dev network - routable from attackers
subnet
• Two undiscovered, firewalled subnets!
+ a third subnet unlocked after training
completes!
MGT
Dev
Attackers

Topics…
MGT
A:ackers Dev
OSINT techniques
IPv4 / IPv6 discovery & enumeration
Automated vulnerability scanning
Introduction into exploitation frameworks & Mobile devices
Linux enumeration, shells, privilege escalation & post exploitation
P@ssw0rd cracking (Linux)
Windows enumeration
Creating & executing a phishing campaign
P@ssw0rd cracking (Windows)
Windows shells, privilege escalation, post exploitation & info gathering
Defensive monitoring
Restricted environment breakouts
Pivoting and lateral movement
Identifying further targets
Database/application enumeration & exploitation
Domain/trust compromise
Persistence & exfiltration

Our 45min Pwnage Plan…
Phish >
Kibana >
Phish#2 >
Enumeration >
Exfiltration >
Password Cr@cK5 >
SOCKS Proxies >
OOB Persistence!

Phishing – Delivery & Payloads
Delivery Examples
• Email, generic ‘campaign’ or targeted attack (spear phishing)
• SMS (Smishing) / Voice (Vishing)
• Web based (malicious/hacked website)
• Malvertising
Payload Examples
• Data collection via hosted forms (credentials, personal/sensitive information, payment details)
• Spoofing and/or content injection targeting legitimate websites
• Embedded code in attached Office documents (Macros, DDE)
• Exploiting vulnerabilities in client-side software (Flash, Acrobat, Java)

Gophish – Users & Groups
Using Gophish for a phishing campaign:
• Targets (Users & Groups tab)
• Email template
• Landing page
• Sending Profile
https://docs.getgophish.com/user-guide

Phishing – HTA Files
• HTML application
• Launched by mshta.exe on Windows
“In short, HTAs pack all the power of Internet Explorer - its object
model, performance, rendering power and protocol support - without
enforcing the strict security model and user interface of the browser”
https://docs.microsoft.com/en-us/previous-versions//ms536496(v=vs.85)
• A nice overview of HTA/command execution
https://9to5it.com/using-html-applications-as-a-powershell-gui/

Phishing – HTA Files
<script language="VBScript">
window.moveTo -4000, -4000
cmd = "powershell.exe -c Test-Connection 10.133.251.10"
Set runme = CreateObject("Wscript.Shell")
result = runme.Run(cmd, 0, true)
window.close()
</script>
• Cmd – command we are executing
• 0 – set to hidden
• True - wait for command to complete before continuing

<DEMO>
[Phishing]

Monitoring & Alerting
• Elasticsearch Logstash Kibanna (ELK)
https://www.elastic.co/products
Kibana - a web-based frontend to allow real-time,
visual analysis of collected data in Elasticsearch
Elasticsearch – based on Apache Lucene, a NoSQL
(JSON based/document store model) database
Logstash – a tool to intake, process and output log data
from various sources

Sysmon
• Part of the Sysinternals suite
https://docs.microsoft.com/en-gb/sysinternals/downloads/sysmon
• A configuration file can be supplied (-i) containing the desired rules
• A great template config from @SwiftOnSecurity
https://github.com/SwiftOnSecurity/sysmon-config

A/V & AMSI
• So, why did our initial phish with msfvenom generated HTA fail?
….
• Well, this would be due to Windows Defender/Antimalware Scan Interface

DEMO…
[Monitoring]

Unicorn
• Created by TrustedSec / https://github.com/trustedsec/unicorn
• Simple to use, well documented and regularly updated with new techniques/evasion methods
• A number of payloads rely on a msf handler listening on the attacking system (all required
configs are generated by the tool)

DEMO…
[Phishing #2]

Information Gathering
Some questions we’re going to be asking ourselves
• What permissions does the compromised account hold?

• Do we have access to any users with interesting group memberships or delegated
rights within the domain?

• What systems/networks does the compromised host have access to?

• What systems/networks does the compromised host have access to?
• […
• …]
• What systems are deemed to hold important/sensitive data?

PowerView
• Part of the PowerSploit package
https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
OR, for the latest version 3 (development) version
https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
• PowerShell script that provides numerous functions for situational awareness and domain
enumeration
• A great ‘cheatsheet’ on functions and usage by @harmj0y
https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993
• Functions include: Get-DomainUser, Get-DomainGroup, Get-DomainGroupMember
Get-NetDomain, Get-DomainPolicy, Get-DomainTrust, Get-DomainComputer,
Find-DomainShare + LOADS more

DEMO…
[Enumeration]

Password Managers - KeePass
• Password managers/vaults are often used to store privileged credentials
and information
• KeePass uses .kdb files (v1) and .kdbx files (v2) to store the database
• We can’t just give the file to a password cracker so we need to extract
the hash
• keepass2john can do this and it comes shipped with Kali
• We could then either install KeePass and load the database, or access
directly over the command line using a tool like kpcli

How Can We Exfil The DataZ?
Transferring files using PowerShell
$FileName = “<target_file>”
$base64string =
[Convert]::ToBase64String([IO.File]::ReadAllBytes($FileName))
ReadAllBytes – Opens a binary file, reads the contents into a byte array and
closes the file*
* https://docs.microsoft.com/en-us/dotnet/api/system.io.file.readallbytes

DEMO…
[Exfiltration]

Offline Password Cracking
Success depends on a number of factors
• Algorithm complexity
• Password length / complexity
• Hardware (GPU/FPGA/ASIC)
Password cracking process
• Hash the clear text candidate
• Compare to stolen hash
• No match? Start again
• Match = Win!

Brute Force Attack
• Try every possible combination of every character
• Not used 99% of the time…
Pros
• 100% GUARANTEED to crack
Cons
• You likely won’t be around to see it happen!

Brute Force Attack
• Key space = char set ^ length
• 8x NVIDIA GTX 1080 Ti GPUs - Windows passwords @ 513 GH/s*
(full 95 char set)
• 8 char NTLM = 3.5 hours
• 9 char NTLM = 14 days
• 10 char NTLM = 3.7 years
• 11 char NTLM = 351 years
• 12 char NTLM = 33,401 years
• 13 char NTLM = 3.2 million years
*h:ps://gist.github.com/epixoip/ace60d09981be09544fdd35005051505

Dictionary Attack
Wordlist Rules
insecurity Insecurity
Password 1nsecurity
monkey ins3curity!
1234567 Ins3cur1ty
Qwerty in53cur!ty
letmein
• Wordlist contains password candidates
• Most commonly used
• Can be mangled with rules
Pros
• Wordlists contain common passwords
• Mangling addresses the human element
Cons
• Only as good as your dictionary/rules

DEMO…
[Cracking]

Routing in Metasploit
• Traffic to target networks can be routed over existing sessions…
• To add a route
route add <$network> <$mask> <$sessionID>

SOCKS Proxies
• A server that can establish a connection to a destination on behalf of a client
• Metasploit SOCKS modules
auxiliary/server/socks4a
auxiliary/server/socks5
”This module provides a socksx proxy server that uses the built-in Metasploit routing to relay connections” *
• This functionality allows programs external to Metasploit, to utilise configured
routes within msf and gain access to the target system(s)/network(s)
…with the help of proxychains

SOCKS Proxies & Proxychains
• Proxychains / http://proxychains.sourceforge.net
• Allows/supports TCP (not UDP - with the exception of DNS)
• Used to allow *any program to run through a SOCKS proxy
• Configuration file @ /etc/proxychains.conf
• Then run a program through the proxy!
proxychains smbclient -W insec-xxxx.local //10.133.50.xxx/<$fileshare> -U <$targetUser>%<$password>

DEMO…
[SOCKS & Shellz]

Hiding Data
• Alternate Data Streams (ADS) allow one file system entry to contain multiple data
sets (NTFS only)
• Original file is always the ‘main’ stream, additional streams are appended to
filename and are colon delimited
File.txt File.txt:secretdata.txt:$DATA
File.txt:shell.exe:$DATA
• One option to trigger – wmic process call create File.txt:shell.exe
• A nice article by Oddvar Moe on executing files from ADS
https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/

Exfiltrating Data Over ICMP
• ICMP doesn’t use ports (types) and is often left enabled, forgotten and not
monitored
• Overcomes network egress issues when usual channels are blocked
• icmpsh is a reverse ICMP shell (https://github.com/inquisb/icmpsh)
• Server works in C, Perl, Python
• Client is Win32
• We have to disable ICMP replies from the attacking host and then start
the ICMP server
sysctl -w net.ipv4.icmp_echo_ignore_all=1

Our 45min-ish Pwnage Plan…
DEMO…
[ADS & OOB ICMP… If time persists!]

Phish
Kibana
Phish#2
Enumeration
Exfiltration
Password Cr@cK5
SOCKS Proxies
OOB Persistence

</DEMO>

Much, Much
More…
June 6th/7th
@44CON
h9ps://44con.com/44con-training/hacking-enterprises-exploiCng-insecurity/

44CON Hacking Enterprises

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to 44CON Hacking Enterprises

Similar to 44CON Hacking Enterprises (20)

Recently uploaded

Recently uploaded (20)

44CON Hacking Enterprises