Windows Post Exploitation

Contents

Slide 2

Thanks for coming!

Slide 3

WINDOWS POST EXPLOITATION

Slide 4

About Me / Housekeeping

Samuel Gibson
Penetration tester
Former security administrator
Masters in Information Assurance and Computer Security
CISSP
Lots of experience in the PCI space, but many verticals
My opinions are my own and do not represent my employer
Talk is educational – Hacking networks without written permission is illegal last I checked

Slide 5

What to Expect

What this presentation is not about
Exploits
“L337 haxoring”
Finding sensitive data
What is it about then?
Privilege escalation after initial compromise
Abusing configurations and features
Establishing baselines for attacker capabilities
Assumptions
Some initial internal system compromised
The tools used are demonstrative – not the only means

Slide 6

Exploits are Cool, but Risky

Last option
Might get flagged by anti-virus
Alert target organization
Impact system stability
Better to blend in
Use existing credentials
Many companies trust their users
Attackers can make an unsuspecting user a malicious insider

Slide 7

FLOW OF TALK

Slide 8

Flow of Talk

Attackers have goals (e.g. data theft)
Attackers usually need to escalate and pivot
Gather credentials that allow access to more resources and accomplish the goal
Local user access (Initial Access)
Local admin access (Admin Access)
Domain admin access (Domain Admin Access)

Slide 9

Details About the REDLAB Network

Slide 10

Important REDLAB User Accounts

REDLAB\Administrator – Built-in Domain Admin
Can access anything
REDLAB\Aadmin – Alice Admin – Domain Admin
Can access anything
In use on WIN7ADMIN
REDLAB\Tuser – Tim User – Domain Users
Standard Domain Users member
In use on WIN7USER
REDLAB\SQLService – Important SQL Account – Domain Admin
SQL Server service account
Domain Admins member (can access anything)
In use on FILESRV

Slide 11

Note on Privilege Escalation

Privilege escalation involves gaining additional privileges in order to gain access to additional resources
Credential harvesting (accounts and/or passwords)
Stored passwords
Shared passwords
Easily guessed passwords
Password-spraying attacks
Password reuse
Paths
Local privilege escalation (Get SYSTEM, Get sensitive creds)
Network privilege escalation (Find path to data or SYSTEM)

Slide 12

INITIAL ACCESS

WIN7USER: Non-admin

Slide 13

Initial Recon

Situational awareness
Examine local system
Sensitive information (goal)
Privileges (current access)
Credentials (potential rights of compromised account)
Examine network to enable pivoting to other systems
Share access
Printers
Active Directory

Slide 14

Current rights (WIN7USER)

whoami
net user
net localgroup administrators

Slide 15

Local Escalation

Lots of options
Unattended install file C:\Windows\Panther\Unattend.xml
Automatic logon HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Always install elevated
Web.config strings
Config files
Modifiable schtask files
Unquoted service paths
DLL hijacking
Group Policy Preferences

Slide 16

UNQUOTED SERVICE PATHS

File Permission-based Privilege Escalation

Slide 17

Unquoted Service Paths

Arises when there is a space in an unquoted file path and the attacker can write to the appropriate directory.

Slide 18

Potential Paths to Write EXE

C:\Program.exe
C:\Program Files (x86)\REALTEK\USB.exe
This will throw an error on reboot or when the service is reloaded, but it can still run.
Known since 2012 and not fixed. Best practice states that developers should wrap service paths in quotes (Help Eliminate Unquoted Path Vulnerabilities)
Standard users can’t write to C:\ or C:\Program Files in most cases…

Slide 19

File Permissions

Permissions differ between built-in directories in C:\ and those created after install (DLL hijacking is similar)

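As an added example (my code, not the talk's), a Python audit that applies the lookup rule behind the two paths above to a set of constructed ImagePath values (hypothetical service names) and produces the quoted fix the best-practice note asks for:

```python
# Added example (not from the talk): reproduce the CreateProcess rule the slides
# rely on. An unquoted path with spaces is tried piece by piece, left to right,
# with ".exe" appended to pieces lacking an extension; every piece tried before
# the real binary is a location standard users must not be able to write to.
from __future__ import annotations

import re

# Constructed ImagePath values (hypothetical service names, not from the talk).
SAMPLE_IMAGE_PATHS = {
    "RtkUsbSvc": r"C:\Program Files (x86)\REALTEK\USB Audio\svc.exe",
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
    "GoodSvc": r'"C:\Program Files\Good Vendor\good.exe" -service',
    "FooAgent": r"C:\Program Files\Foo Agent\agent.exe -k netsvcs",
}


def lookup_candidates(image_path: str) -> list[str]:
    """File names Windows would try, in order, before the intended binary.

    Quoted paths and paths without spaces are unambiguous and yield nothing;
    the search stops at the first piece that already ends in .exe.
    """
    path = image_path.strip()
    if path.startswith('"') or " " not in path:
        return []
    pieces = path.split(" ")
    candidates = []
    for i in range(1, len(pieces)):
        prefix = " ".join(pieces[:i])
        if prefix.lower().endswith(".exe"):
            break  # reached the real executable; the rest are arguments
        has_ext = "." in prefix.rsplit("\\", 1)[-1]
        candidates.append(prefix if has_ext else prefix + ".exe")
    return candidates


def quote_image_path(image_path: str) -> str:
    """The remediated ImagePath: executable quoted, arguments preserved."""
    path = image_path.strip()
    if path.startswith('"') or " " not in path:
        return path
    m = re.match(r"(?i)(.+?\.exe)(\s.*)?$", path)
    return f'"{m.group(1)}"{m.group(2) or ""}' if m else path


def audit(image_paths: dict[str, str]) -> dict[str, list[str]]:
    """Services whose unquoted path exposes lookup candidates, with that list."""
    return {n: c for n, p in image_paths.items() if (c := lookup_candidates(p))}
```

For each service the audit reports, check the ACL on the parent directory of every candidate; `quote_image_path` gives the value to write back once the vendor path is confirmed.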
Slide 20

GROUP POLICY PREFERENCES

Examining Network Resources

Slide 21

Group Policy Preferences

Historically used to set the local admin user’s password via GPO. The password is encrypted in the GPO.
Microsoft published the hardcoded password back before 2012 (https://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be.aspx)

Slide 22

Microsoft Patched in 2014

MS14-025 (https://support.microsoft.com/en-us/help/2962486/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevate)
This prevents admins from setting passwords using the old GPO settings
It does not remove the old passwords from the GPO
Consider Local Admin Password Solution (LAPS)
Allows a single account to exist across an environment with unique passwords per endpoint
Stores passwords in plain text in the AD computer object
You can delegate the access and log it
This is still a win for defenders

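An added example (not from the talk) of the sweep a defender should run after MS14-025, since the old passwords stay in SYSVOL: it parses constructed GPP preference XML and reports every element still carrying a cpassword attribute (the clsid GUIDs and the cpassword value are placeholders):

```python
# Added example (not from the talk). MS14-025 stops admins from creating new GPP
# passwords but leaves old ones behind, so sweep SYSVOL for preference XML that
# still carries a cpassword attribute. The XML and GUIDs below are constructed.
from __future__ import annotations

import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed Groups.xml in GPP's shape; cpassword is a placeholder, not ciphertext.
SAMPLE_GROUPS_XML = """
<Groups clsid="{CONSTRUCTED-CLSID}">
  <User clsid="{CONSTRUCTED-CLSID}" name="localadmin" changed="2013-04-02 10:15:00">
    <Properties action="U" userName="localadmin" cpassword="PLACEHOLDER_CIPHERTEXT"
        changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"/>
  </User>
  <User clsid="{CONSTRUCTED-CLSID}" name="helpdesk" changed="2015-06-10 08:00:00">
    <Properties action="U" userName="helpdesk" changeLogon="0" noChange="1"/>
  </User>
</Groups>
"""

# Preference files that may carry a cpassword attribute.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Printers.xml", "Drives.xml"}


def find_cpasswords(xml_text: str) -> list[dict[str, str]]:
    """One record per element that still carries a cpassword attribute."""
    hits = []
    for elem in ET.fromstring(xml_text).iter():
        if "cpassword" not in elem.attrib:
            continue
        a = elem.attrib
        hits.append({
            "account": a.get("userName") or a.get("accountName") or a.get("runAs", "?"),
            "element": elem.tag,
            "cpassword_len": str(len(a["cpassword"])),
        })
    return hits


def sweep_policies(policies_dir: Path) -> dict[str, list[dict[str, str]]]:
    """Walk a SYSVOL Policies tree and map each offending file to its findings."""
    findings = {}
    for xml_file in policies_dir.rglob("*.xml"):
        if xml_file.name in GPP_FILES:
            hits = find_cpasswords(xml_file.read_text(encoding="utf-8-sig"))
            if hits:
                findings[str(xml_file)] = hits
    return findings
```

Point `sweep_policies` at a copy of `\\<domain>\SYSVOL\<domain>\Policies`; any file it returns should have the preference item removed and the affected local account's password rotated.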
Slide 23

PowerUp.ps1

Part of PowerSploit
Does the checks we just discussed, and more, quickly
Consider running it against corporate images prior to deploying

Slide 24

FINDING ADMIN ON OTHER SYSTEMS

Finding Shares Using Current Credentials

Slide 25

Eventually Look to Other Hosts

Can’t escalate locally or need to find target data
Search for shares (PowerView’s ShareFinder)
Might be able to read sensitive files (unattended install, KeePass databases, SYSVOL share, etc)

Slide 26

Find-LocalAdminAccess

Slide 27

WRITE PERMISSIONS ON SHARES

Slide 28

Coaxing Hashes out of Users

If you have write access to a share, a malicious .lnk can gather hashes from users who access that share
Can make the path an internal system or one on the Internet in some cases (We’ll circle back to this)

Slide 29

CHECK NETWORK DEVICES

Printers or Other Systems with Default Credentials

Slide 30

Check Printers for Default Passwords

Printers often have default admin credentials
MFPs have the ability to scan to a share over SMB
Domain user creds (Enumerate further info)
Domain Admin creds (Keys to kingdom)
Other systems might have service accounts

Slide 31

KERBEROASTING

Still as a Regular User

Slide 32

Windows Hashes (Stored)

LM (Passable)
Local account creds
AD DC password storage
Old and quite insecure
NTLM (Passable)
Local account creds
AD DC password storage
Newer, better, unsalted
chad:500:aad3b435b51404eeaad3b435b51404ee:ed50bdc9faa370e31ac4ee119fd51f48:::
Domain computers have local user NTLM hashes
Domain Controllers have all domain user NTLM hashes

Slide 33

Kerberos (Oversimplified)

Centralized user authentication that relies on a central authentication infrastructure
Does not send the password over the network
User accounts request service tickets from the Key Distribution Center (KDC) by first requesting a Ticket-Granting Ticket (TGT)
The TGT contains a response encrypted with the user account’s NTLM password hash!!!
The user decrypts the TGT and uses that value to prove its identity, and gets a ticket to authenticate to the target resource

Slide 34

SQL Server Express on FILESRV

Service Principal Name (SPN) in Active Directory

Slide 35

Important SQLService Account Details

SamAccountName : sqlservice
DistinguishedName : CN=Important SQLService,CN=Users,DC=redlab,DC=local
ServicePrincipalName : MSSQLSvc/FILESRV.redlab.local:SQLEXPRESS
SPNs uniquely identify service accounts in AD and can associate a service instance with its logon account even if a client does not know the account name

Slide 36

Attacking Kerberos

Attacking Kerberos: Kicking the Guard Dog of Hades
It’s possible to request a Ticket Granting Ticket (TGT) for any service account from the Key Distribution Center (KDC) *Domain Controller*
A portion of the TGT is encrypted with the NTLM hash of the target service account’s password
If you can guess the plaintext password that creates the NTLM hash that decrypts the TGT, you’ve discovered the target service account’s password
This used to require local admin rights, but no longer does. (Kerberoasting without Mimikatz)

Slide 37

Kerberoasting Attack

Slide 38

Crack Kerberos TGT

Slide 39

PASSWORD SPRAYING

Slide 40

Get a List of Domain Users

Any authenticated user can pull a list of all domain users
This list of users can be used in password spraying attacks

Slide 41

Password Spray

Attempt a single password against all known accounts
Helps prevent account lockout if attackers are careful
Continue this cycle with each new set of creds

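An added example (not from the talk) covering both the Kerberoasting slides and the password spray slides above: one detector over constructed Security-log records, since each attack looks like one principal touching many distinct targets in a short window (event 4769 requesting RC4 tickets for Kerberoasting, event 4625 logon failures for spraying); the account and host names in the sample data are constructed.

```python
# Added example (not from the talk). Kerberoasting appears in DC Security event
# 4769 as one account requesting tickets for many distinct SPNs (usually RC4,
# etype 0x17); a spray appears in event 4625 as one source failing logons for
# many distinct accounts. Both are "one key, >= N distinct targets in a window".
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # the etype attackers ask for because it cracks fastest

def fan_out(records, window=timedelta(minutes=5), threshold=4):
    """records are (timestamp 'YYYY-mm-dd HH:MM:SS', key, target) triples; return
    {key: sorted targets} for keys touching >= threshold targets inside window."""
    by_key = defaultdict(list)
    for ts, key, target in records:
        by_key[key].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), target))
    hits = {}
    for key, items in by_key.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            seen = {t for when, t in items[i:] if when - start <= window}
            if len(seen) >= threshold:
                hits[key] = sorted(seen)
                break
    return hits

# Constructed 4769 fields: (TimeCreated, TargetUserName, ServiceName SPN, etype).
SAMPLE_4769 = [
    ("2018-02-05 09:00:01", "tuser@REDLAB.LOCAL", "MSSQLSvc/FILESRV.redlab.local:SQLEXPRESS", 0x17),
    ("2018-02-05 09:00:02", "tuser@REDLAB.LOCAL", "HTTP/intranet.redlab.local", 0x17),
    ("2018-02-05 09:00:02", "tuser@REDLAB.LOCAL", "MSSQLSvc/db02.redlab.local:1433", 0x17),
    ("2018-02-05 09:00:03", "tuser@REDLAB.LOCAL", "exchangeMDB/mail.redlab.local", 0x17),
    ("2018-02-05 11:30:00", "aadmin@REDLAB.LOCAL", "ldap/dc01.redlab.local", 0x12),
]
# Constructed 4625 fields: (TimeCreated, IpAddress, TargetUserName, Status).
SAMPLE_4625 = [
    ("2018-02-05 13:00:00", "10.0.0.55", "tuser", "0xC000006D"),
    ("2018-02-05 13:00:01", "10.0.0.55", "aadmin", "0xC000006D"),
    ("2018-02-05 13:00:01", "10.0.0.55", "sqlservice", "0xC000006D"),
    ("2018-02-05 13:00:02", "10.0.0.55", "administrator", "0xC000006D"),
    ("2018-02-05 13:40:00", "10.0.0.77", "tuser", "0xC000006D"),
]

def kerberoast_suspects(events=SAMPLE_4769):
    """Accounts requesting >= 4 distinct SPNs with RC4 inside five minutes."""
    return fan_out((ts, who, spn) for ts, who, spn, etype in events if etype == RC4_HMAC)

def spray_suspects(events=SAMPLE_4625):
    """Sources failing logons for >= 4 distinct accounts inside five minutes."""
    return fan_out((ts, src, user) for ts, src, user, _ in events)
```

Tune `threshold` and `window` to your environment; monitoring tools that legitimately enumerate SPNs will need an allow-list, and a spray from many sources needs the key changed to the attempted password's time bucket rather than the source address.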
Slide 42

ADMIN ACCESS

Further Local Attack Opportunities

Slide 43

Extract KeePass Keys

KeePass is a popular password database
Shared between users
With admin rights, it’s possible to scrape the KeePass process memory and recover the plaintext master password (https://github.com/HarmJ0y/KeeThief)

Slide 44

KeePass Extraction Demo

Slide 45

NETWORK-BASED ATTACKS

LLMNR, NETBIOS, and WPAD

Slide 46

Attacking LLMNR, NETBIOS and WPAD

Kevin Bryant and Travis Robelia presented on Responder in their talk Your Systems are Just Asking to be Compromised
Inveigh allows the same thing from Windows via PowerShell, though you can give it some help with a .lnk file (the Net-NTLM hash can be cracked or relayed)

Slide 47

LOCAL ADMIN CAN DUMP LOCAL CREDENTIALS

Slide 48

Metasploit Simplifies This

I personally use Metasploit with credentials more than I use it to exploit things
Password spraying
Credential management
Dumping credentials
Mimikatz
Hashdump

Slide 49

Mimikatz (on Win7Admin)

Windows systems prior to 8.1 and Server 2012 stored plaintext passwords in memory to support single sign-on
Mimikatz can dump plaintext WDigest credentials from memory

Slide 50

The WDigest Issue is Patched

Server 2012 and Windows 8.1 and newer OS are not vulnerable by default
https://support.microsoft.com/en-us/help/2871997/microsoft-security-advisory-update-to-improve-credentials-protection-a patches Windows 7 and Server 2008
It’s possible to set this registry key to ‘1’ to revert the behavior for backwards compatibility.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential

Slide 51

Consider Setting that Key to ‘0’

Create that key and monitor it for changes
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 0

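An added example (not from the talk) of the monitoring the slide recommends, assuming Sysmon registry auditing is in place: it checks constructed Sysmon Event ID 13 records and reports any write that sets UseLogonCredential to something other than 0.

```python
# Added example (not from the talk). With Sysmon's RegistryEvent (Event ID 13,
# "value set") every write to the value the slide tells you to watch produces a
# record whose Details field carries the new DWORD. Records are constructed.
import re

WDIGEST_VALUE = r"\control\securityproviders\wdigest\uselogoncredential"

# Constructed Sysmon Event ID 13 records, keyed like the event's data fields.
SAMPLE_SYSMON = [
    {"EventID": 13, "UtcTime": "2018-02-05 14:02:11.120", "User": "REDLAB\\aadmin",
     "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "UtcTime": "2018-02-05 14:05:40.003", "User": "NT AUTHORITY\\SYSTEM",
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "UtcTime": "2018-02-05 14:06:02.500", "User": "REDLAB\\tuser",
     "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]


def dword_value(details):
    """Parse Sysmon's 'DWORD (0x........)' Details text; None if not a DWORD."""
    m = re.fullmatch(r"DWORD \((0x[0-9A-Fa-f]{8})\)", details)
    return int(m.group(1), 16) if m else None


def wdigest_reenabled(records):
    """Records that set UseLogonCredential to anything other than DWORD 0.

    A non-DWORD write (parsed as None) is also reported: the value should
    only ever be 0 once the reg add from the slide has been applied."""
    alerts = []
    for r in records:
        if r.get("EventID") != 13:
            continue
        if not r["TargetObject"].lower().endswith(WDIGEST_VALUE):
            continue
        if dword_value(r["Details"]) != 0:
            alerts.append(r)
    return alerts
```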
Slide 52

DOMAIN ADMIN

Hashes and Pivots

Slide 53

Can use AD Admin Account to Dump Domain Hashes

Slide 54

Hashes Can Be Cracked or Passed

Attackers can pass those hashes to the SMB service to authenticate as the user, without cracking
Many tools do this
Cracking the hashes allows authentication against services that do not allow pass-the-hash
Cracking also allows further password guessing/mangling
Passing is worth discussing

Slide 55

Pass the Hash

Slide 56

Pass the Hash

Only works for members of the local Administrators group
Can be mitigated to some extent by
Deploying Microsoft LAPS
Deny Access to this Computer from the Network

Slide 57

WRAP UP

Slide 58

Lots of Content

Survey of methods of escalating privileges and gathering credentials available to all levels of attacker
Attacks start from some point and move in an opportunistic manner
One path might have been as follows
Start with limited access as the TUser account.
Conduct Kerberoast attack to crack SQLService account’s password
Dump hashes from Domain Controller
The goal of attacks isn’t to get Domain Admin, but to accomplish some goal (DA might not be necessary)
Steal data, make money, etc

Slide 59

Questions?

I work for a company called Sikich LLP
Pentesting / QSA / Forensics
samuel[dot]gibson[at]sikich[dot]com
Feel free to email me with general questions samuel[at]surgicalmittens.com
I’m often in the ECInfosec Slack channel

Slide 60

Next Month's MeetUp: Monday March 5th! (Speaker Matt Miller)

Slide 61

Recordings on website: ECInfoSec.com

Slide 62

Donations and company sponsorships are welcome to help grow EC InfoSec!

Slide 63

Contact us!
On MeetUp.com
admin@ECInfoSec.com

Slide 64

Chat with each other on Slack!
Join Link On Website: ECInfoSec.com

Slide 65

Raise your hand if you would be willing to present a topic in April or May!

Slide 66

Please fill out and hand in the survey!