Pentesting Methodology -
Making bits less complicated
Octavio Paguaga
TrustWave Government Solutions
Introduction & Thank yous
• Senior Security Consultant at TrustWave Government Solutions
• Thank you
• Steve Borosh @rvrsh3ll
• Will Schroeder @HarmJ0y
• Andy Robbins @Waldo
• Jimmy Bayne @bohops
• hacktheplanet Discord & Bloodhound Slack Channel
• @b33f & @ippsec: check out their content/Patreon
• Jason Lang (CuriousJack): https://www.youtube.com/watch?v=kf829-tm0VM
Bsidesnova- Pentesting Methodology - Making bits less complicated
OSINT
https://generated.photos
Clear violation of Terms of Service, but…
• Disable Content Security Policy
• Open Developer tools and run:
// Load jQuery into the page, then keep scrolling to the bottom every 500 ms so more results render
var jqry = document.createElement('script');
jqry.src = "https://code.jquery.com/jquery-3.3.1.min.js";
document.getElementsByTagName('head')[0].appendChild(jqry);
jQuery.noConflict();
setInterval(function() { window.scrollTo(0, document.body.scrollHeight); }, 500);
Clear violation of Terms of Service, but…
// Click every "invite" button on the page, one per second
jQuery('button[data-control-name="invite"]').each(function(index, value) {
  setTimeout(function() {
    jQuery(value).trigger('click');
  }, index * 1000);
});
Domain Ownership
• Phishing Domain
• C2 Domain
• Domain Fronting
• https://chigstuff.com/blog/metasploit-domain-fronting-with-microsoft-azure/
• https://medium.com/@rvrsh3ll/hardening-your-azure-domain-front-7423b5ab4f64
Services to show categorization
• https://fortiguard.com/webfilter
• Fortiguard shows “Newly Observed Domain”
• https://www.virustotal.com/gui/domain/
• Virus Total shows clean now and 12 months ago
• Trustedsource.org
• shows the site as Uncategorized with a reputation as Unverified
• https://talosintelligence.com/reputation_center
• Not blacklisted. Unknown to Talos Intelligence too (Cisco)
• https://urlfiltering.paloaltonetworks.com/
• Palo Alto URL test shows it as “Alcohol and Tobacco” and “Low Risk” meaning benign activity for last 90 days
• https://sitereview.bluecoat.com/#/
• Blue coat (Symantec) shows it as Business Economy category
• https://www.brightcloud.com/tools/url-ip-lookup.php
• Webroot shows Moderate Risk and category “Home and Garden”
Commands used
• curl -H "Content-Type: BSIDES_CHARM" bsidescharm.azureedge.net
• curl bsidescharm.azureedge.net
• https://blog.cobaltstrike.com/2019/02/19/cobalt-strike-team-server-population-study/
• https://www.flashpoint-intel.com/blog/the-challenges-of-cobalt-strike-server-fingerprinting/
Azure domain front photos go here
Azure Domain Fronting
Azure Filtering to hide
from defenders
https://medium.com/@rvrsh3ll/hardening-your-azure-domain-front-7423b5ab4f64
Phishing Payload
• HTA
• SharpShooter
• TikiTorch
• demiguise
• EvilClippy
Active Directory
• SUCCESS!
• Where do we start
• Enumerate local machine
• PSP’s
• Whoami?
• What tools/scripts can I run
• Manual Enumeration of AD
• Bloodhound
KERBEROASTING
• Targets accounts with Service Principal Name
• e.g. MSSQLSvc/<FQDN> is assigned to a username
• The password of that username is used to sign the TGS returned to the client.
• hashcat -m 13100 <TGS> <wordlist>
SPN                         Username
MSSQLSvc/SQL01.east.com     Oaktree
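The slide describes which accounts a Kerberoast request can target; the following is an added audit script (not from the slides or any of the tools named above) that lists those accounts from the defender's side and ranks them by exposure. It assumes the RSAT ActiveDirectory module on a domain-joined host with read access to the directory; the helper name Get-KerberoastExposure is the author's own.

```powershell
# Added example, not from the slides: audit the accounts a Kerberoast request would target.
# Assumes the RSAT ActiveDirectory module on a domain-joined host with read access to AD.
Import-Module ActiveDirectory

# Only user objects matter here: computer accounts have long random passwords that will not crack.
$spnUsers = Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
    -Properties ServicePrincipalName, PasswordLastSet, AdminCount, msDS-SupportedEncryptionTypes

function Get-KerberoastExposure {
    # Hypothetical helper: one report row per SPN-bearing user.
    param([Parameter(ValueFromPipeline)]$User)
    process {
        $etypes = [int]($User.'msDS-SupportedEncryptionTypes')   # $null casts to 0
        # 0x4 = RC4-HMAC, 0x8 = AES128, 0x10 = AES256. If RC4 is allowed (or nothing is set, which
        # falls back to RC4) the KDC issues the RC4 TGS that hashcat mode 13100 cracks.
        $rc4Possible = ($etypes -eq 0) -or (($etypes -band 0x4) -ne 0)
        $ageDays = if ($User.PasswordLastSet) {
            [int](New-TimeSpan -Start $User.PasswordLastSet -End (Get-Date)).TotalDays
        } else { -1 }
        [pscustomobject]@{
            SamAccountName  = $User.SamAccountName
            SPNs            = ($User.ServicePrincipalName -join '; ')
            PasswordAgeDays = $ageDays
            Privileged      = ($User.AdminCount -eq 1)     # adminCount=1: AdminSDHolder-protected account
            RC4TicketLikely = $rc4Possible
        }
    }
}

# Privileged accounts with long-lived passwords and RC4 tickets are the ones to fix first:
# rotate to a long random password, move the service to a gMSA, or restrict the account to AES.
$spnUsers | Get-KerberoastExposure |
    Sort-Object Privileged, RC4TicketLikely, PasswordAgeDays -Descending |
    Format-Table -AutoSize
```

Run it as an ordinary domain user; every attribute it reads is readable by authenticated users by default, which is exactly why the same list is available to an attacker.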
Manual Enumeration
• Description Field
• Get-DomainUser | select Description
Bloodhound & ACLs
GenericWrite permissions
Other ACL types
• ForceChangePassword
• AddMembers
• GenericAll
• GenericWrite
• WriteOwner
• WriteDACL
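As an added example (not from the slides, and not BloodHound's own logic), the script below reads the DACL of a few high-value objects through the AD: drive and reports any principal outside an expected admin set that holds one of the rights listed above. The object list, the expected-holder pattern and the helper name Get-AceLabel are the author's assumptions; the two GUIDs are the well-known identifiers for the User-Force-Change-Password right and the member attribute.

```powershell
# Added example, not from the slides: list ACEs on high-value AD objects that grant the rights
# named on this slide to principals outside an expected admin set.
# Assumes the RSAT ActiveDirectory module (which provides the AD: drive) on a domain-joined host.
Import-Module ActiveDirectory

$forceChangePassword = '00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password extended right
$memberAttribute     = 'bf9679c0-0de6-11d0-a285-00aa003049e2'  # 'member' attribute: WriteProperty on it = AddMembers
$allProperties       = '00000000-0000-0000-0000-000000000000'  # empty ObjectType: right applies to every property

# Principals allowed to hold powerful rights (assumed); anything else becomes a finding.
$expectedHolders = '^(NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators|[^\\]+\\(Domain|Enterprise) Admins)$'

# Objects to review (assumed set: the Domain Admins group and the domain head).
$objects = @(
    (Get-ADGroup 'Domain Admins').DistinguishedName,
    (Get-ADDomain).DistinguishedName
)

function Get-AceLabel {
    # Hypothetical helper: map an ACE onto the slide's right names, or $null if it is not interesting.
    param($Ace)
    $r = [string]$Ace.ActiveDirectoryRights
    $g = [string]$Ace.ObjectType
    if ($r -match 'GenericAll')   { return 'GenericAll' }
    if ($r -match 'WriteDacl')    { return 'WriteDACL' }
    if ($r -match 'WriteOwner')   { return 'WriteOwner' }
    if ($r -match 'GenericWrite') { return 'GenericWrite' }
    if ($r -match 'ExtendedRight' -and $g -eq $forceChangePassword) { return 'ForceChangePassword' }
    if ($r -match 'WriteProperty' -and ($g -eq $memberAttribute -or $g -eq $allProperties)) { return 'AddMembers' }
    return $null
}

$findings = foreach ($dn in $objects) {
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $label = Get-AceLabel $ace
        if (-not $label) { continue }
        $who = $ace.IdentityReference.Value
        if ($who -match $expectedHolders) { continue }
        [pscustomobject]@{ Object = $dn; Principal = $who; Right = $label; Inherited = $ace.IsInherited }
    }
}

$findings | Format-Table -AutoSize
```

Inherited entries usually trace back to an ACE higher in the tree, so the fix belongs on the object where IsInherited is False.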
Delegation
• https://adsecurity.org/wp-content/uploads/2015/08/Visio-KerberosDoubleHop-Visio.png
Delegation
• Unconstrained
• Constrained
• For a given computer or user account, this attribute specifies the list of service principal names (SPN) corresponding to Windows services that can act on behalf of the computer or user account.
• msDS-AllowedToDelegateTo
• Resource Based Constrained Delegation
• “(specifically msDS-AllowedToActOnBehalfOfOtherIdentity, so rights would include GenericAll, GenericWrite, WriteOwner, etc.) we can abuse this access and a modified S4U Kerberos ticket request process to compromise the computer itself.”
• https://www.harmj0y.net/blog/activedirectory/a-case-study-in-wagging-the-dog-computer-takeover/
Accounts trusted for delegation
(userAccountControl:1.2.840.113556.1.4.803:=524288)
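The LDAP filter above uses matching rule 1.2.840.113556.1.4.803 (LDAP_MATCHING_RULE_BIT_AND) to select objects whose userAccountControl has bit 524288 (0x80000, TRUSTED_FOR_DELEGATION) set. The added script below (not from the slides) runs that filter and the two attribute-based checks for the other delegation kinds from the previous slide, so a defender can inventory all three in one pass. It assumes the RSAT ActiveDirectory module on a domain-joined host; the 0x1000000 flag is TRUSTED_TO_AUTH_FOR_DELEGATION (constrained delegation with protocol transition).

```powershell
# Added example, not from the slides: inventory unconstrained, constrained and resource-based
# constrained delegation in one pass. Assumes the RSAT ActiveDirectory module on a domain-joined host.
Import-Module ActiveDirectory

$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # constrained delegation with protocol transition
$props = 'userAccountControl', 'msDS-AllowedToDelegateTo', 'msDS-AllowedToActOnBehalfOfOtherIdentity'

# Rule 1.2.840.113556.1.4.803 is a bitwise AND, so this matches any UAC value with 0x80000 set.
$unconstrained = Get-ADObject -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' -Properties $props
$constrained   = Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' -Properties $props
$rbcd          = Get-ADObject -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' -Properties $props

# Domain controllers are unconstrained by design; exclude them so the list shows only findings.
$dcs = (Get-ADDomainController -Filter *).ComputerObjectDN

$rows = foreach ($o in $unconstrained) {
    if ($dcs -contains $o.DistinguishedName) { continue }
    [pscustomobject]@{ Kind = 'Unconstrained'; Object = $o.Name; Class = $o.ObjectClass; Detail = 'TRUSTED_FOR_DELEGATION set' }
}
$rows += foreach ($o in $constrained) {
    $pt = (([int]$o.userAccountControl) -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0
    [pscustomobject]@{
        Kind   = if ($pt) { 'Constrained (protocol transition)' } else { 'Constrained' }
        Object = $o.Name
        Class  = $o.ObjectClass
        Detail = ($o.'msDS-AllowedToDelegateTo' -join '; ')   # SPNs this account may delegate to
    }
}
$rows += foreach ($o in $rbcd) {
    # The attribute is a security descriptor; its DACL names the principals allowed to act on behalf of $o.
    $raw = $o.'msDS-AllowedToActOnBehalfOfOtherIdentity'
    $sd = if ($raw -is [byte[]]) {
        $s = New-Object System.DirectoryServices.ActiveDirectorySecurity
        $s.SetSecurityDescriptorBinaryForm($raw)
        $s
    } else { $raw }   # the AD module already converts the attribute to ActiveDirectorySecurity
    $who = ($sd.Access | ForEach-Object { $_.IdentityReference.Value }) -join '; '
    [pscustomobject]@{ Kind = 'Resource-based'; Object = $o.Name; Class = $o.ObjectClass; Detail = "allowed: $who" }
}

$rows | Sort-Object Kind | Format-Table -AutoSize
```

Any non-DC entry under Unconstrained, and any Resource-based entry whose allowed principal is not one you configured, deserves a ticket; the RBCD case is the one the wagging-the-dog post describes, since whoever can write that attribute decides who may impersonate users to the machine.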
Unconstrained Delegation Demo
DPAPI
Data Protection API
• The Data Protection API (DPAPI) helps to protect data in Windows 2000 and later operating systems. DPAPI is used to help protect private keys, stored credentials (in Windows XP and later), and other confidential information that the operating system or a program wants to keep confidential.
• DPAPI is not responsible for storing the confidential information it protects. It is only responsible for encrypting and decrypting data for programs that call it, such as Windows Credential Manager, the Private Key storage mechanism, or any third-party programs that call the CryptProtectData() function and the CryptUnprotectData() function in Windows 2000, Windows XP, or later.
Getting creds from Chrome
Notes for Demonstration
• Credentials are stored in user's profile. Can use Seatbelt to identify these.
• Run vault::cred within Mimikatz before continuing
• Usually in:
• %appdata%\Microsoft\Credentials
• %localappdata%\Microsoft\Credentials
• We can unlock the credential blob by requesting the masterkey as the user by using the /rpc flag
• We can unlock any credential blob if we can obtain the masterkey of a domain admin.
Access Credential Manager Vault
• https://github.com/gentilkiwi/mimikatz/wiki/module-~-dpapi
• https://github.com/gentilkiwi/mimikatz/wiki/howto-~-credential-manager-saved-credentials
• https://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/
Notes
/export - optional - tickets are exported in .kirbi files. They start with user's LUID and group number (0 = TGS, 1 = client ticket(?) and 2 = TGT)