InSecure Remote Operations
What Sucks, Rocks & a Super-CLI
Yossi Sassi
WhoAmI
• InfoSec Researcher; H@כk3r (1nTh35h311)
• Red mind, Blue heart
• Co-Founder @
• Consulting in 4 continents (Banks/gov/F100)
• 30+ years of keyboard access – Code, IT Sec, Net Comms.
• The HAcktive Directory guy; Ex-Javelin Networks (Acquired by Symantec)
• Ex-Technology Group Manager @ Microsoft (Coded Windows Server Tools)
• Volunteer (Youth at risk); Oriental Rock Bouzoukitarist; Aviator
ChatGPT was Not used in the making of this presentation, code & content
What we’ll talk about
• Remoting ‘Mindset’ – LoTL examples
• PSRemoting / WinRM
• Credentials exposure during Remote Operations
• Preventing Lateral movement without products
• Tips & open-source toolZ
Living off the land…
Remote Management or Lateral Movement?
• Multiple LoLBins…
• RPC: WMI, DCOM
• ‘API heaven’ – e.g. IPC (MailSlots, NamedPipes..)
• RDP
• WinRM / PSRemoting
etc.
Remote Procedure Call (RPC)
• System service that is an inter-process communication (IPC) mechanism, enabling data exchange and invocation of functionality located in a different process.
• The other process can be on the same computer, on the LAN, or in a remote location.
• The RPC service serves as the RPC Endpoint Mapper and Component Object Model (COM) Service Control Manager (remotely – DCOM).
• Many services depend on the RPC service to start successfully.
https://docs.microsoft.com/en-US/troubleshoot/windows-server/networking/service-overview-and-network-port-requirements
The RpcSs System service
https://docs.microsoft.com/en-US/troubleshoot/windows-server/networking/service-overview-and-network-port-requirements

Application              | Protocol  | Ports
RPC                      | TCP       | 135
RPC over HTTPS           | TCP       | 593
NetBIOS datagram service | UDP       | 138
NetBIOS Name Resolution  | UDP       | 137
NetBIOS Session Service  | TCP       | 139
SMB                      | TCP       | 445
Dynamic port range       | TCP & UDP | 1025 - 5000*, 49152 – 65535
Protocol / Port | AD DS Usage | Type of traffic
TCP 25 | Replication | SMTP
TCP 42 | If using WINS in a domain trust scenario offering NetBIOS resolution | WINS
TCP 135 | Replication | RPC, EPM
TCP 137 | NetBIOS Name resolution | NetBIOS Name resolution
TCP 139 | User and Computer Authentication, Replication | DFSN, NetBIOS Session Service, NetLogon
TCP and UDP 389 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP
TCP 636 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP SSL
TCP 3268 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC
TCP 3269 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC SSL
TCP and UDP 88 | User and Computer Authentication, Forest Level Trusts | Kerberos
TCP and UDP 53 | User and Computer Authentication, Name Resolution, Trusts | DNS
TCP and UDP 445 | Replication, User and Computer Authentication, Group Policy, Trusts | SMBv1/2/3, CIFS, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc
TCP 9389 | AD DS Web Services | SOAP
TCP 5722 | File Replication | RPC, DFSR (SYSVOL)
TCP and UDP 464 | Replication, User and Computer Authentication, Trusts | Kerberos change/set password
UDP 123 | Windows Time, Trusts | Windows Time
UDP 137 | User and Computer Authentication | NetLogon, NetBIOS Name Resolution
UDP 138 | DFS, Group Policy, NetBIOS Netlogon, Browsing | DFSN, NetLogon, NetBIOS Datagram Service
UDP 67 and UDP 2535 | DHCP (Note: DHCP is not a core AD DS service, but these ports may be necessary for other functions besides DHCP, such as WDS) | DHCP, MADCAP, PXE
TCP & UDP 1024-5000; 49152-65535 | Ongoing (RPC etc.) | RPC / DCOM / WMI...
TCP 593 | DCOM/Messaging/Exchange | RPC over HTTP
What ports/protocols does tool XX use?
(AND – why understanding pre-AuthN matters)
‘Netstat loop’ – Ports Monitor
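The ‘netstat loop’ idea from this slide, as an added example (not the speaker’s script): snapshot every TCP/UDP endpoint, then poll and report only endpoints that are new since the baseline, together with the owning process. Run it in one window, start the remote-management tool under test in another, and you get the tool’s real port usage without guessing. It assumes Windows PowerShell 5.1+ with the NetTCPIP module (Get-NetTCPConnection / Get-NetUDPEndpoint); function and parameter names are mine.

```powershell
# Added example: 'netstat loop' ports monitor (not from the original deck).
# Assumes Windows PowerShell 5.1+ / NetTCPIP module.
function Get-EndpointSnapshot {
    # One flat list of TCP connections and UDP bindings with the owning PID.
    $tcp = Get-NetTCPConnection | ForEach-Object {
        [pscustomobject]@{
            Proto  = 'TCP'
            Local  = "$($_.LocalAddress):$($_.LocalPort)"
            Remote = "$($_.RemoteAddress):$($_.RemotePort)"
            State  = [string]$_.State
            Pid    = $_.OwningProcess
        }
    }
    $udp = Get-NetUDPEndpoint | ForEach-Object {
        [pscustomobject]@{
            Proto  = 'UDP'
            Local  = "$($_.LocalAddress):$($_.LocalPort)"
            Remote = '*'
            State  = 'Bound'
            Pid    = $_.OwningProcess
        }
    }
    @($tcp) + @($udp)
}

function Watch-Endpoints {
    param(
        [int]$IntervalSeconds = 2,   # poll interval
        [int]$Iterations      = 30,  # how many polls before returning
        [switch]$ListeningOnly       # only report new listeners / UDP binds
    )
    # Baseline: everything already open before the tool under test starts.
    $seen = @{}
    foreach ($e in Get-EndpointSnapshot) { $seen["$($e.Proto)|$($e.Local)|$($e.Remote)"] = $true }

    for ($i = 0; $i -lt $Iterations; $i++) {
        Start-Sleep -Seconds $IntervalSeconds
        foreach ($e in Get-EndpointSnapshot) {
            if ($ListeningOnly -and $e.State -notin 'Listen','Bound') { continue }
            $key = "$($e.Proto)|$($e.Local)|$($e.Remote)"
            if ($seen.ContainsKey($key)) { continue }
            $seen[$key] = $true
            $proc = Get-Process -Id $e.Pid -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Time    = (Get-Date).ToString('HH:mm:ss')
                Proto   = $e.Proto
                Local   = $e.Local
                Remote  = $e.Remote
                State   = $e.State
                Process = if ($proc) { "$($proc.ProcessName) ($($e.Pid))" } else { "pid $($e.Pid)" }
            }
        }
    }
}

# Usage: start watching, then launch the tool under test in another window.
# Watch-Endpoints -IntervalSeconds 1 -Iterations 60 | Format-Table -AutoSize
```

Ephemeral client ports show up as well; when the question is “what does the server side of tool XX need open”, run with -ListeningOnly on the target host instead of the operator box.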
Inter-Process Communications (IPC)
• Pass strings/objects/execute code between processes, local or remote – using Named Pipes
• Communicate between local or remote PowerShell runspaces over a one/two-way, encrypted pipe
• Pass info between processes on the same machine easily through IPC$
• Can also use it for C2, without opening a FW port, without local admin privileges
  – No need to Bind() a server local port, it just “rides” 445 ☺
Named-Pipe/SMB One-liner (Exfil data/C2 with No socket bind)
IPC C’n’C
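The defender-side counterpart to the two IPC slides, as an added example (not code from the deck): because a pipe-based channel never binds a new socket, the port monitor above will not see it, so the thing to watch is the pipe namespace itself. The block baselines the names under \\.\pipe\, reports pipes that appear later, and, where Sysmon is installed with pipe events enabled, pulls the PipeCreated (17) / PipeConnected (18) events that tie a pipe name to the creating image. Function names are mine; the Sysmon log name and event field names are the standard ones.

```powershell
# Added example: hunting for unexpected named pipes (not from the original deck).
# Assumes Windows PowerShell 5.1+; Sysmon part assumes Sysmon with pipe events enabled.
function Get-NamedPipeNames {
    # Listing \\.\pipe\ returns every currently open named pipe on this host.
    [System.IO.Directory]::GetFiles('\\.\pipe\') |
        ForEach-Object { $_ -replace '^\\\\\.\\pipe\\', '' } |
        Sort-Object -Unique
}

function Save-PipeBaseline {
    param([Parameter(Mandatory)][string]$Path)
    Get-NamedPipeNames | Set-Content -Path $Path
}

function Compare-PipeBaseline {
    # Pipes present now that were not in the saved baseline.
    param([Parameter(Mandatory)][string]$Path)
    $baseline = Get-Content -Path $Path
    Compare-Object -ReferenceObject $baseline -DifferenceObject (Get-NamedPipeNames) |
        Where-Object SideIndicator -eq '=>' |
        Select-Object @{ n = 'NewPipe'; e = { $_.InputObject } }
}

function Get-SysmonPipeEvents {
    # Sysmon 17 = PipeCreated, 18 = PipeConnected; both carry PipeName, Image, ProcessId.
    param([int]$MaxEvents = 200)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 17, 18 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time  = $_.TimeCreated
            Event = if ($_.Id -eq 17) { 'PipeCreated' } else { 'PipeConnected' }
            Pipe  = $d['PipeName']
            Image = $d['Image']
            Pid   = $d['ProcessId']
        }
    }
}

# Usage:
# Save-PipeBaseline -Path C:\baseline\pipes.txt      # on a known-good host state
# Compare-PipeBaseline -Path C:\baseline\pipes.txt   # later, or on another host
# Get-SysmonPipeEvents | Where-Object Image -notmatch 'svchost|lsass|spoolsv' | Format-Table
```

A pipe created by an unexpected image (an Office process, a script host, a binary outside Program Files) is the signal to chase; pipe names alone are easy to rename, the creating image and its parent are not.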
RPC Not Available / Kerberos Clock Skew
• e.g. ‘RPC not available’ errors (host is online, yet no Kerberos)
• Determine if clock skew exists:
  net time \\<computer>   (does Not require special permissions)
• Push the local time to the remote host over PSRemoting:
  $varDate = Get-Date; Invoke-Command -ComputerName <IP> -ScriptBlock { Set-Date $using:varDate } -Authentication Negotiate
• Cannot run WinRM, or even ping(!) the host, because of the clock difference and no KRB? Try a WMI process create by IP (NTLM):
  Invoke-WmiMethod -ComputerName <IP> -Class Win32_Process -Name Create -ArgumentList "w32tm /resync"
TIP: Fixing Clock Skew issues Remotely
Fix Clock Skew Remotely
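The clock-skew procedure from the previous slides carried through as one added example (not the speaker’s script): measure the offset first with w32tm /stripchart (plain NTP on UDP 123, no credentials), and only if it exceeds the Kerberos tolerance try the two fixes in order, Set-Date over WinRM with Negotiate, then the WMI process-create fallback. The 300-second threshold is the default Kerberos maximum tolerance; function names are mine, and the block assumes admin rights on the target.

```powershell
# Added example: detect and repair remote clock skew (not from the original deck).
# Assumes admin rights on the target; w32tm /stripchart needs only UDP 123 reachability.
function Get-RemoteClockOffset {
    param([Parameter(Mandatory)][string]$ComputerName, [int]$Samples = 3)
    # /dataonly prints lines like "10:00:00, +00.0123456s"; the sign is relative to us.
    $out = w32tm /stripchart /computer:$ComputerName /samples:$Samples /dataonly 2>&1
    $offsets = foreach ($line in $out) {
        if ("$line" -match ',\s*([+-]\d+\.\d+)s') { [double]$matches[1] }
    }
    if (-not $offsets) { throw "No NTP reply from $ComputerName`: $($out -join ' ')" }
    ($offsets | Measure-Object -Average).Average
}

function Repair-RemoteClockSkew {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [double]$MaxSkewSeconds = 300   # Kerberos default tolerance is 5 minutes
    )
    $offset = Get-RemoteClockOffset -ComputerName $ComputerName
    if ([math]::Abs($offset) -le $MaxSkewSeconds) {
        return ("Offset {0:N3}s is within tolerance; nothing to do." -f $offset)
    }

    # Attempt 1: PSRemoting with Negotiate, so NTLM is used while Kerberos is broken.
    try {
        $now = Get-Date
        Invoke-Command -ComputerName $ComputerName -Authentication Negotiate -ErrorAction Stop `
            -ScriptBlock { Set-Date -Date $using:now | Out-Null }
        return ("Set-Date pushed over WinRM (offset was {0:N3}s)." -f $offset)
    } catch {
        Write-Warning "WinRM path failed ($($_.Exception.Message)); falling back to WMI."
    }

    # Attempt 2: spawn w32tm /resync on the target via WMI (DCOM, NTLM when addressed by IP).
    $r = Invoke-WmiMethod -ComputerName $ComputerName -Class Win32_Process -Name Create -ArgumentList 'w32tm /resync'
    if ($r.ReturnValue -ne 0) { throw "WMI process create failed with code $($r.ReturnValue)" }
    "w32tm /resync started via WMI as PID $($r.ProcessId) (offset was {0:N3}s)." -f $offset
}

# Usage:
# Get-RemoteClockOffset -ComputerName 10.0.0.5
# Repair-RemoteClockSkew -ComputerName 10.0.0.5
```

Addressing the host by IP rather than name is what forces NTLM on both paths; once the clock is back within tolerance, re-run the offset check and switch back to the hostname so Kerberos is used again.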
RDP – Windows admins’ favorite feature
RDP Attacks & adversary tools
• Brute force
• Change default user, default port…
• Seth.sh
• pyRdp
.. and more
RDP MiTM
• Get netNTLM, at minimum
• Can also get clear text password, if NLA is Not used
• Downgrades session, fakes certificate, attempts CredSSP
• Can also get clipboard/typed text directly to attacker
• Victim is totally unaware (RDP session functions normally, just a bit slower initial connection time)
RDP MiTM
Getting Clear-Text password from any RDP Server
• With proper permissions – can disable NLA remotely – either by modifying the Regkey directly, or via PowerShell:
  (Get-WmiObject -Class Win32_TSGeneralSetting -Namespace root\cimv2\terminalservices -ComputerName SRV1 -Filter "TerminalName='RDP-Tcp'").SetUserAuthenticationRequired(0)
• More silent, efficient & quicker than mimikatz etc. ;-)
• Can use inveigh/responder to relay the Registry
command, and/or ‘net localgroup administrators /add user’
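The defensive reading of this slide, as an added example (not the speaker’s code): the same Win32_TSGeneralSetting class that turns NLA off can be polled across the estate to find listeners where UserAuthenticationRequired has been flipped to 0, and the same method sets it back to 1. The block uses the CIM cmdlets rather than Get-WmiObject; function names are mine, and it assumes admin rights on the targets.

```powershell
# Added example: audit and re-enable RDP Network Level Authentication (not from the deck).
# Assumes admin rights on the targets and WinRM/DCOM reachability for CIM.
$tsNamespace = 'root\cimv2\terminalservices'

function Get-RdpNlaStatus {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        try {
            $s = Get-CimInstance -ComputerName $c -Namespace $tsNamespace -ClassName Win32_TSGeneralSetting `
                -Filter "TerminalName='RDP-Tcp'" -ErrorAction Stop
            [pscustomobject]@{
                Computer      = $c
                NlaEnabled    = [bool]$s.UserAuthenticationRequired   # 0 = NLA off = pre-auth exposure
                SecurityLayer = $s.SecurityLayer                      # 0 RDP, 1 Negotiate, 2 TLS
                Error         = $null
            }
        } catch {
            [pscustomobject]@{ Computer = $c; NlaEnabled = $null; SecurityLayer = $null; Error = $_.Exception.Message }
        }
    }
}

function Enable-RdpNla {
    # Re-assert NLA on every listed host; reports the method's return code per host.
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        $s = Get-CimInstance -ComputerName $c -Namespace $tsNamespace -ClassName Win32_TSGeneralSetting `
            -Filter "TerminalName='RDP-Tcp'"
        if ($s.UserAuthenticationRequired -eq 1) { "$c already requires NLA"; continue }
        $r = Invoke-CimMethod -InputObject $s -MethodName SetUserAuthenticationRequired `
            -Arguments @{ UserAuthenticationRequired = 1 }
        "$c SetUserAuthenticationRequired(1) -> ReturnValue $($r.ReturnValue)"
    }
}

# Usage:
# $hosts = 'SRV1','SRV2'
# Get-RdpNlaStatus -ComputerName $hosts | Where-Object { $_.NlaEnabled -eq $false } | Format-Table
# Enable-RdpNla -ComputerName (Get-RdpNlaStatus -ComputerName $hosts | Where-Object NlaEnabled -eq $false).Computer
```

Schedule the audit, not just the fix: a listener that keeps reverting to 0 after you set it to 1 is itself the finding, and the WMI activity that flips it leaves process-creation and WMI-Activity log entries on the target to pivot from.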
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
Soooo… You perform Remote Management using:
• Remote Desktop Protocol (RDP)
• Remote WMI access over RPC/DCOM
• Remote event log management | service management
• SMB file share access
• PsExec
• Other…
• Yet “overlook” PSRemoting, always encrypted, single port 5985 or 5986, does all of the above, and much more??!?
PSRemoting Architecture
Local Computer (PowerShell) --WS-MAN traffic--> Remote Computer: WinRM Listener (HTTP) -> Wsmprovhost (Endpoint)
PSRemoting w/Jobs
Copying to/from remote session
• Copy-Item -ToSession $pssession -Path C:\myConfig.txt -Destination C:\folder-on-remote-srv
• Local variables cast to the remote session with $using:
• Local functions cast to the remote session with ${function:My-Function}
Copy files without SMB
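The three slide bullets (copy over the session, $using:, ${function:…}) plus the jobs slide, combined into one added example that is not the speaker’s code: a single PSSession is opened, a config file is pushed over WS-Man, its hash is verified remotely by a function defined locally, a job is run on the same session, and the file is pulled back. Host and path names are placeholders; it assumes WinRM is enabled on the target, the destination folder exists there, and you are in its Remote Management Users or Administrators group.

```powershell
# Added example: one PSSession for copy, $using:, local function and a job (not from the deck).
# Assumes WinRM enabled on the target and an existing destination folder.
function Invoke-ConfigRollout {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$LocalConfig,          # e.g. C:\myConfig.txt
        [string]$RemoteFolder = 'C:\folder-on-remote-srv'
    )
    $session = New-PSSession -ComputerName $ComputerName
    try {
        # 1. Copy over the WS-Man channel (5985/5986), no SMB 445 involved.
        Copy-Item -Path $LocalConfig -Destination $RemoteFolder -ToSession $session -Force

        # 2. Local variables cross with $using:, a local function crosses as its body text.
        $expectedHash = (Get-FileHash -Path $LocalConfig -Algorithm SHA256).Hash
        function Test-ConfigHash {
            param($Path, $Hash)
            (Get-FileHash -Path $Path -Algorithm SHA256).Hash -eq $Hash
        }
        $remoteFnBody = ${function:Test-ConfigHash}.ToString()

        $ok = Invoke-Command -Session $session -ScriptBlock {
            # Re-create the function inside the remote runspace from its body.
            ${function:Test-ConfigHash} = [ScriptBlock]::Create($using:remoteFnBody)
            $p = Join-Path $using:RemoteFolder (Split-Path $using:LocalConfig -Leaf)
            Test-ConfigHash -Path $p -Hash $using:expectedHash
        }
        if (-not $ok) { throw "Hash mismatch after copy to $ComputerName" }

        # 3. Longer work as a job bound to the same session.
        $job = Invoke-Command -Session $session -AsJob -ScriptBlock {
            (Get-Service | Where-Object Status -eq 'Running' | Measure-Object).Count
        }
        $running = Receive-Job -Job $job -Wait -AutoRemoveJob

        # 4. Pull a file back over the same session.
        $remotePath = Join-Path $RemoteFolder (Split-Path $LocalConfig -Leaf)
        Copy-Item -Path $remotePath -Destination (Join-Path $env:TEMP 'roundtrip.txt') -FromSession $session -Force

        [pscustomobject]@{ Computer = $ComputerName; HashVerified = $ok; RunningServices = $running }
    } finally {
        Remove-PSSession -Session $session
    }
}

# Usage:
# Invoke-ConfigRollout -ComputerName SRV1 -LocalConfig C:\myConfig.txt
```

Everything here rides one authenticated, encrypted WS-Man session, which is the point of the “Copy files without SMB” slide: there is no share to expose, no extra listener, and the whole exchange lands in the WinRM and PowerShell operational logs on both ends.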
For the Blue Team – Just Enough Access – Secure constrained remote access
• Utilizes PS Session Configurations
  – WSMan config (per NIC/IP, http/s, limit bandwidth and more)
  – All the logging you can ask for
  – Transcriptions
  – ConstrainedLanguage
  – Virtual Account (virtual SID)
  – Whitelist scripts, apps, commands, parameters – anything!
PSSession Configurations
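A concrete session configuration for the bullets above, as an added example (not the speaker’s configuration): a role capability file that exposes only Get-Service, Restart-Service limited to two service names, one external command and one custom function, registered into an endpoint that runs as a virtual account, keeps transcripts, and sets NoLanguage. The module, role, endpoint and group names are placeholders; it assumes an elevated prompt on the server and Windows PowerShell 5.1+.

```powershell
# Added example: a minimal JEA endpoint (not from the original deck).
# Module/role/endpoint/group names are placeholders; run elevated on the server.
$moduleRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\JeaServiceOps'
$rcDir      = Join-Path $moduleRoot 'RoleCapabilities'
New-Item -Path $rcDir -ItemType Directory -Force | Out-Null
# A manifest makes the folder a discoverable module, which is how .psrc files are found.
New-ModuleManifest -Path (Join-Path $moduleRoot 'JeaServiceOps.psd1')

# Role capability: the complete list of what the role can see and which parameter values it may pass.
New-PSRoleCapabilityFile -Path (Join-Path $rcDir 'ServiceOperator.psrc') `
    -VisibleCmdlets @(
        'Get-Service',
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'W3SVC' } }
    ) `
    -VisibleExternalCommands 'C:\Windows\System32\whoami.exe' `
    -FunctionDefinitions @{
        Name        = 'Get-TopProcesses'
        ScriptBlock = { Get-Process | Sort-Object CPU -Descending | Select-Object -First 10 Name, Id, CPU }
    } `
    -VisibleFunctions 'Get-TopProcesses'

# Session configuration: restricted endpoint, virtual account (local admin SID that exists only
# for the session), transcripts of every command, and no language access beyond the allowed commands.
$psscPath = Join-Path $moduleRoot 'ServiceOps.pssc'
New-PSSessionConfigurationFile -Path $psscPath `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\ProgramData\JEA\Transcripts' `
    -LanguageMode NoLanguage `
    -RoleDefinitions @{ 'CONTOSO\ServiceOperators' = @{ RoleCapabilities = 'ServiceOperator' } }

# Validate the file before registering; registration restarts the WinRM service.
if (-not (Test-PSSessionConfigurationFile -Path $psscPath)) { throw 'Invalid .pssc file' }
Register-PSSessionConfiguration -Name 'ServiceOps' -Path $psscPath -Force | Out-Null

# Operator side (example only): the endpoint name, not the default Microsoft.PowerShell one.
# Enter-PSSession -ComputerName SRV1 -ConfigurationName ServiceOps
# Get-Command                       # shows only the cmdlets/functions the role exposes
```

Restart-Service with any name other than Spooler or W3SVC is rejected by the endpoint before it reaches the cmdlet; that parameter-level allow-list is the “parameters – anything!” bullet in practice. Protect the transcript directory with an ACL that the virtual account can write to but not read or delete from.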
Mapping / Hunting for WSMan sessions
• EDR/Sysmon etc. (wsmprovhost.exe)
• WinRM / PowerShell-operational logs
• Try Get-RemotePSSession.ps1
Query PSRemoting Sessions
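Two quick sweeps behind the hunting bullets, as an added example (not the speaker’s Get-RemotePSSession script): live wsmprovhost.exe processes with their owner and parent, and recent WSMan shell creations from the WinRM operational log. Function names are mine; it assumes Windows PowerShell 5.1+ and admin rights on the targets. Event ID 91 in Microsoft-Windows-WinRM/Operational is the “Creating WSMan shell on server” record; the event only says a shell was created, the transcript or 4103/4104 events (if script block logging is on) say what ran in it.

```powershell
# Added example: find active and recent WSMan/PSRemoting sessions (not from the deck).
# Assumes admin rights on the targets; event 91 is WinRM's "Creating WSMan shell" record.
function Get-WsmanHostProcesses {
    param([string[]]$ComputerName = $env:COMPUTERNAME)
    foreach ($c in $ComputerName) {
        Get-CimInstance -ComputerName $c -ClassName Win32_Process -Filter "Name='wsmprovhost.exe'" | ForEach-Object {
            $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
            [pscustomobject]@{
                Computer    = $c
                Pid         = $_.ProcessId
                ParentPid   = $_.ParentProcessId     # normally svchost.exe hosting WinRM
                User        = "$($owner.Domain)\$($owner.User)"
                Started     = $_.CreationDate
                CommandLine = $_.CommandLine
            }
        }
    }
}

function Get-WsmanShellEvents {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-WinRM/Operational'
        Id        = 91
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            UserSid = $_.UserId
            Message = ($_.Message -split "`n")[0]   # first line carries the ResourceUri
        }
    }
}

# Usage:
# Get-WsmanHostProcesses -ComputerName 'SRV1','SRV2' | Format-Table -AutoSize
# Get-WsmanShellEvents -ComputerName SRV1 -Hours 48 | Sort-Object Time | Format-Table -AutoSize
```

A wsmprovhost.exe owned by an account that should only ever come through the JEA endpoint, or a ResourceUri of the default Microsoft.PowerShell endpoint on a host where only constrained endpoints should be registered, is the line worth pulling on.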
Remote Operations: Credentials Exposure

Action/Tool       | Logon Type | Creds on Target | Notes
Console login     | 2          | Yes*            | * Except when Credential Guard is enabled
RunAs             | 2          | Yes*            | * Except when Credential Guard is enabled
RDP               | 10         | Yes*            | * Except when Remote Credential Guard enabled
Net Use           | 3          | No              | Inc. /u: parameter
PS Remoting       | 3          | No              | -u <username> -p <pass>
PsExec w/Creds    | 3+2        | Yes             |
PsExec no Creds   | 3          | No              |
Remote SchedTask  | 4          | Yes             | Password saved in LSA (on disk)
Run as a Service  | 5          | Yes             | Password saved in LSA (w/account)
Remote Registry   | 3          | No              |
Let’s get advice from Microsoft… ☺
Get TGT without ANY lsass secrets
Process token -> TGT
“Mitigation” – Virtual accounts
Using Virtual Accounts
But… the adversary can edit the Role Capabilities file ☺
But… Defenders can monitor for file/config changes, hash changes etc.
(e.g. sign config file)
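The monitoring the slide suggests, as an added example (not the speaker’s tooling): hash every .psrc/.pssc under the module paths into a baseline, report files that are new, missing or modified, and sign the files so that an edit also invalidates the Authenticode signature even if the baseline itself were tampered with. Function names and paths are mine; signing assumes a code-signing certificate in the current user’s store.

```powershell
# Added example: integrity baseline and signing for JEA configuration files (not from the deck).
# Assumes a code-signing certificate in Cert:\CurrentUser\My for Protect-JeaConfigFiles.
function Get-JeaConfigFiles {
    param([string[]]$Roots = @("$env:ProgramFiles\WindowsPowerShell\Modules", "$env:ProgramFiles\PowerShell\Modules"))
    Get-ChildItem -Path $Roots -Recurse -Include *.psrc, *.pssc -ErrorAction SilentlyContinue
}

function Save-JeaConfigBaseline {
    param([Parameter(Mandatory)][string]$BaselinePath)
    Get-JeaConfigFiles | Get-FileHash -Algorithm SHA256 |
        Select-Object Path, Hash | Export-Csv -Path $BaselinePath -NoTypeInformation
}

function Test-JeaConfigBaseline {
    # Emits one object per deviation; no output means the baseline and signatures hold.
    param([Parameter(Mandatory)][string]$BaselinePath)
    $baseline = @{}
    Import-Csv -Path $BaselinePath | ForEach-Object { $baseline[$_.Path] = $_.Hash }
    $current = @{}
    Get-JeaConfigFiles | Get-FileHash -Algorithm SHA256 | ForEach-Object { $current[$_.Path] = $_.Hash }

    foreach ($p in $baseline.Keys) {
        if (-not $current.ContainsKey($p))   { [pscustomobject]@{ Path = $p; Status = 'Missing' } }
        elseif ($current[$p] -ne $baseline[$p]) { [pscustomobject]@{ Path = $p; Status = 'Modified' } }
    }
    foreach ($p in $current.Keys) {
        if (-not $baseline.ContainsKey($p)) { [pscustomobject]@{ Path = $p; Status = 'New' } }
    }
    # Independent check: a valid Authenticode signature survives only if the content is untouched.
    foreach ($f in Get-JeaConfigFiles) {
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        if ($sig.Status -ne 'Valid') { [pscustomobject]@{ Path = $f.FullName; Status = "Signature $($sig.Status)" } }
    }
}

function Protect-JeaConfigFiles {
    $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
    if (-not $cert) { throw 'No code-signing certificate found in Cert:\CurrentUser\My' }
    Get-JeaConfigFiles | ForEach-Object { Set-AuthenticodeSignature -FilePath $_.FullName -Certificate $cert }
}

# Usage:
# Protect-JeaConfigFiles
# Save-JeaConfigBaseline -BaselinePath C:\baseline\jea-config.csv
# Test-JeaConfigBaseline -BaselinePath C:\baseline\jea-config.csv   # schedule this, alert on any output
```

Keep the baseline CSV off the host being checked (a read-only share or the SIEM), otherwise an adversary who can edit the role capability file can edit the baseline in the same step; the signature check is what still fires in that case.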
“Small step for IT, Giant step against Lateral Movement”
• No EDR
• No segmentation
• No firewalls config
• No MFA
• All the misconfigurations you can think of …
• No proper auditing/SIEM/SOC
… and yet ☺
LogonWorkstations – Preventing DAs from logging on to EndPoints
Living off the land
• Before setting LogonWorkstations, first reduce/“clean up” privileged users
• Ensure DA(s) are not running on other targets, to prevent service & application interruption (e.g. IIS AppPools, SchedTasks, Svc)
• Add at least one PAW/“Jump host” together with the Target(s)
  – Protect/Harden the PAW (.. & consider a Shielded VM)
• Monitor changes of the LogonWorkstations attribute (see github)
• Other configuration options exist (e.g. Restrictive GPOs)
github.com/YossiSassi
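The LogonWorkstations procedure from the slide carried through as one added example (not the speaker’s GitHub script): first find where Domain Admin accounts are already used as service or scheduled-task identities on the targets, then restrict every DA to the PAW/jump hosts, then check the attribute against the expected value so a silent change stands out. Group, host and function names are placeholders; it assumes the ActiveDirectory module (RSAT), admin rights on the targets, and rights to modify the accounts.

```powershell
# Added example: pre-check, set and monitor LogonWorkstations for Domain Admins (not from the deck).
# Assumes the ActiveDirectory module and rights to read targets and modify the accounts.
function Get-PrivilegedUsers {
    param([string]$Group = 'Domain Admins')
    Get-ADGroupMember -Identity $Group -Recursive | Where-Object objectClass -eq 'user'
}

function ConvertTo-AccountName {
    # 'DOM\user' or 'user@dom' -> 'user' (domain is ignored, so same-named local accounts show up too).
    param([string]$Identity)
    if ($Identity -match '^.*\\(.+)$') { return $matches[1] }
    if ($Identity -match '^(.+)@')    { return $matches[1] }
    $Identity
}

function Find-PrivilegedAccountUsage {
    # Services and scheduled tasks on the targets that run as a DA; fix these before restricting logons.
    param([Parameter(Mandatory)][string[]]$ComputerName, [string]$Group = 'Domain Admins')
    $sams = (Get-PrivilegedUsers -Group $Group).SamAccountName
    foreach ($c in $ComputerName) {
        Get-CimInstance -ComputerName $c -ClassName Win32_Service |
            Where-Object { $_.StartName -and ($sams -contains (ConvertTo-AccountName $_.StartName)) } |
            ForEach-Object { [pscustomobject]@{ Computer = $c; Kind = 'Service'; Name = $_.Name; RunAs = $_.StartName } }
        Get-ScheduledTask -CimSession $c -ErrorAction SilentlyContinue |
            Where-Object { $_.Principal.UserId -and ($sams -contains (ConvertTo-AccountName $_.Principal.UserId)) } |
            ForEach-Object { [pscustomobject]@{ Computer = $c; Kind = 'ScheduledTask'; Name = $_.TaskName; RunAs = $_.Principal.UserId } }
    }
}

function Set-PrivilegedLogonWorkstations {
    # Restrict every DA to the PAW/jump hosts; the attribute is a comma-separated NetBIOS host list.
    param([Parameter(Mandatory)][string[]]$AllowedHosts, [string]$Group = 'Domain Admins')
    foreach ($u in Get-PrivilegedUsers -Group $Group) {
        Set-ADUser -Identity $u.SamAccountName -LogonWorkstations ($AllowedHosts -join ',')
        "$($u.SamAccountName): LogonWorkstations = $($AllowedHosts -join ',')"
    }
}

function Test-PrivilegedLogonWorkstations {
    # One object per DA whose attribute differs from the expected host list (or is empty = unrestricted).
    param([Parameter(Mandatory)][string[]]$AllowedHosts, [string]$Group = 'Domain Admins')
    $expected = ($AllowedHosts | Sort-Object) -join ','
    foreach ($u in Get-PrivilegedUsers -Group $Group) {
        $current = (Get-ADUser -Identity $u.SamAccountName -Properties LogonWorkstations).LogonWorkstations
        $actual  = if ($current) { (($current -split ',') | Sort-Object) -join ',' } else { '<unrestricted>' }
        if ($actual -ne $expected) { [pscustomobject]@{ User = $u.SamAccountName; Expected = $expected; Actual = $actual } }
    }
}

# Usage (placeholders):
# Find-PrivilegedAccountUsage -ComputerName 'SRV1','WEB1'
# Set-PrivilegedLogonWorkstations -AllowedHosts 'PAW01','JUMP01'
# Test-PrivilegedLogonWorkstations -AllowedHosts 'PAW01','JUMP01'   # schedule; alert on any output
```

The order matters: restricting a DA that still runs an IIS app pool or a scheduled task on some server breaks that workload at the next logon, which is exactly the interruption the slide warns about. The test function is the cheap, product-free monitor for the attribute; for a near-real-time signal pair it with auditing of directory service object changes on the domain controllers.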
Key Takeaways
• Embrace the ‘Living off the land’ mindset (Red & Blue)
• Note Credentials exposure during Remote Operations
• A single configuration can do more than a few products (e.g. lateral movement prevention)
• PSRemoting Rocks! And JEA is effective. But ….
• Almost no security features are enabled by default. Proper configuration is needed. And it can be bypassed (e.g. Invisi-Shell)
• Logging and continuous monitoring can be effective (and tools)
• Check out github.com/YossiSassi for code & scripts
Everything is a set of nested ‘if’ statements
D@nk3!
Yossi_Sassi
yossis@protonmail.com
