Hacking in the Attack Kill Chain
Håkan Nohre, Consulting Systems Engineer, GIAC GPEN #9666, CISSP #76731
Erkan Djafer, Consulting Systems Engineer, CISSP #535930
Chung-wai Lee, Cyber Security Partner Account Manager
LTRSEC-3300
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Spark
Questions? Use Cisco Spark to communicate with the speaker after the session
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
How: cs.co/ciscolivebot#LTRSEC-3300
About this LAB (I read the abstract)
• It is not a sales session
• It is definitely not about Cisco products, designs, or definitive solutions!
• It is about offensive, not defensive techniques
• Hopefully, by understanding how the attacker works we can build better defenses or apply better risk management!
• Complementary Cisco Live Berlin 2017 Breakout: BRKSEC-2309 “It’s Cats vs Rats in the Attack Kill Chain”
Modified Kill Chain for this Breakout
• Note that attackers are not legally bound to follow the exact model….
• E.g. may establish persistence before lateral movement…
Kill chain stages (diagram):
1. Recon
2. Gain Foothold: Attack Delivery, Exploitation
3. Local Compromise
4. Command and Control
5. Lateral Movement
6. Establish Persistence
7. Exfiltration
Focus on Methodology, not Tools!
• Kali Linux
• https://www.kali.org/
• Metasploit
• http://www.rapid7.com/
• Mimikatz
• http://blog.gentilkiwi.com/mimikatz
• PowerShell Empire
• http://www.powershellempire.com/
Lab Topology
VPN to lab with AnyConnect
Lab 1: Reconnaissance
Diagram: FW between inside 198.19.10.0/24 and “Internet” 198.18.128.0/18; Client-A (VPN) .38, Client-B (VPN) .37, evil2 .133.111, IoT .211, AD .?
Try to get to IoT directly
- will not work
Use OSINT recon against clients
Lab 2: Gain Initial Foothold
Diagram: FW between inside 198.19.10.0/24 and “Internet” 198.18.128.0/18; Client-A (VPN) .19.38, Client-B (VPN) .19.37, evil2 .133.111, IoT .211, AD .?
Spear phishing naïve end user
- examine Excel with Macro
- (examine RTF file)
Lab 3: Command and Control (CnC)
Diagram: FW between inside 198.19.10.0/24 and “Internet” 198.18.128.0/18; Client-A (VPN) .19.38, Client-B (VPN) .19.37, evil2 .133.111, IoT .211, AD .?
Examine CnC
- tcpdump, agent options
Lab 4: Local Privilege Escalation
Diagram: FW between inside 198.19.10.0/24 and “Internet” 198.18.128.0/18; Client-A (VPN) .19.38, Client-B (VPN) .19.37, evil2 .133.111, IoT .211, AD .?
Go from mordiac to system on A
Pivoting Explained
Diagram: Internet -> NGFW (permit outgoing HTTP) -> Clients / IoT / Active Directory. The compromised client (client IP is 198.18.19.38) relays the attacker’s traffic to the internal hosts, so inside the network it appears to come from 198.18.19.38.
Lab 5A: Lateral Movement against IoT
Diagram: FW between inside 198.19.10.0/24 and “Internet” 198.18.128.0/18; Client-A (VPN) .19.38, Client-B (VPN) .19.37, evil2 .133.111, IoT .211, AD .?
Pivot attack against IoT via A
- pivoting, metasploit
- Bash shellshock exploit
Lab 5A (cont): Local Privilege Escalation
Diagram: FW between inside 198.19.10.0/24 and “Internet” 198.18.128.0/18; Client-A (VPN) .19.38, Client-B (VPN) .19.37, evil2 .133.111, IoT .211, AD .?
Pivot attack against IoT via A
- Local recon (find out OS)
- Escalate privileges
Lab 5B: Lateral Movement in AD environment
Diagram: FW between inside 198.19.10.0/24 and “Internet” 198.18.128.0/18; Client-A (VPN) .19.38, Client-B (VPN) .19.37, evil2 .133.111, IoT .211, AD .?
Pivot attack against AD via A
- Dump credentials, mimikatz
- WMI movement
- Dump hashes
- Pass-the-hash
Lab 6A: Persistence with Golden Tickets
Diagram: FW between inside 198.19.10.0/24 and “Internet” 198.18.128.0/18; Client-A (VPN) .19.38, Client-B (VPN) .19.37, evil2 .133.111, IoT .211, AD .?
- Take over workstation B (non Admin)
- Create golden ticket to impersonate any user (even if all passwords are reset)
Lab 6B, 6C – Persistence after Reboot
Diagram: FW between inside 198.19.10.0/24 and “Internet” 198.18.128.0/18; Client-A (VPN) .19.38, Client-B (VPN) .19.37, evil2 .133.111, IoT .211, AD .?
Try different methods to ensure you keep control after reboot
- Schedule task
- WMI subscriptions
Remember
• Tell us if you have problems!
• Tell us if you have feedback!
Have Fun!
This lab does not even try to have the answers!
We hope it helps you ask the right questions!
Appendix B – Extra Turbo hacking lab
Diagram: FW between Infrastructure 198.19.10.0/24, Clients 198.19.19.0/24 and “Internet” 198.18.128.0/18; Client-A (VPN) .19.38, Client-B (VPN) .19.37, evil1 .133.110, IoT .211, AD .?
Take over B via flash vulnerability
Local Priv Escalation
Dump hashes
Pivoting via Port forwarding
Hand over Metasploit -> Empire
Post-Exploitation with PowerShell
• Very powerful scripting language included in Windows from Win7
• Can leverage WMI, .NET, Win32 and do almost everything
• Key logging, Screenshots, CnC, grab passwords and hashes (Mimikatz)
• Is typically whitelisted and scripts not caught by Anti-Virus
• Can run from memory (no need to write file to disk: not caught by Anti-Virus)
• Can run on remote machine (if you know the credentials of target machine)
Internal Recon: Scanning?
• Noisy scanning typically not necessary for internal recon
• Attacker can just ask Active Directory politely to find out:
• What machines are in the domain?
• Which machines are the domain controllers?
• On what machines are domain admins logged on?
• Which machines run Exchange, SQL servers?
• Which machines are file servers?
• ….and much more
What is a Hash?
• One-way function to convert password to hash
• For NT hash, MD4 is used
• So we don’t have to store clear-text passwords or send them over the network
• Instead we use the hash to store credentials (and authenticate)
Diagram: Password (“Tunafish!”) -> crypto stuff -> Hash (d41d8cd..)
Understanding NTLMv2
• NTLMv2 is a common network authentication method in Microsoft Active Directory for Net logons, File Shares, Web Sites etc.
• Client requests auth
• Server sends challenge
• Client sends response to challenge
• Server validates (with help of Active Directory)
Diagram: Auth Request -> Challenge (random no) -> Response -> ✔ (server validates, Active Directory confirms ✔)
Understanding NTLMv2
• If client sends correct response to challenge it is authenticated
• Response is calculated from hash that is calculated from password
Diagram: Password -> crypto stuff -> Hash; Hash + Username + Timestamp + Challenge (random no) + other stuff -> crypto stuff -> Response; the server recomputes the same from the Challenge and validates (✔)
Pass-the-Hash
• If attacker has the hash, he does not need the password
• He can use a modified client that supplies the hash without calculating it from password
Diagram: the Password -> crypto stuff -> Hash step is skipped (✖ ✖); the modified client feeds the Hash plus Username, Timestamp, Challenge (random no) and other stuff into the crypto stuff and produces a Response the server accepts (✔)
Overview: Hoarding Hashes
Flowchart: On new compromised host -> Grab local hashes -> Grab hashes of logged in users/services -> Domain Admin? If N: try next host with the collected passwords/hashes as credentials; if Y: Partytime!
Grab Local Hashes
• With system privileges it is possible to grab local password hashes from registry
• (not a vulnerability, it is same for other OS including Unix)
• Functionality (of course) included in Metasploit, PowerShell Empire
• Note: Local hashes only relevant to local computer
• But maybe same password is used on more than one computer?
Example output:
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
cisco:1000:aad3b435b51404eeaad3b435b51404ee:579a13a46633f286db9155f5a612c765:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
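The hashdump output above and the "Hoarding Hashes" loop before it raise the question a defender (or an assessor writing up findings) has to answer: which accounts have a blank password, and is the same local password in use on more than one computer? The Python below is an added example, not tooling from the deck or from Metasploit. It parses the `user:rid:lm:nt:::` record format shown above and triages dumps from several hosts; the client-a dump reuses the three lines from the slide, while client-b and client-c are constructed to show the reuse case (the `00112233...` hash is a made-up value). Function and host names are hypothetical.

```python
"""Triage of hashdump / pwdump-style records across several hosts (added example)."""
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty string: LM storage disabled
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password

LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)


def parse_hashdump(text):
    """Return [(user, rid, lm, nt), ...]; lines that are not dump records (prompts etc.) are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower()))
    return rows


def triage(dumps):
    """dumps maps hostname -> hashdump text.

    Returns the findings a defender acts on: blank passwords, hosts still storing LM
    hashes, and NT hashes shared across hosts (a local password reused on several
    machines, which is exactly what turns a local hash into a lateral-movement credential).
    """
    blank, lm_present = [], []
    hosts_by_nt = defaultdict(set)
    for host, text in sorted(dumps.items()):
        for user, rid, lm, nt in parse_hashdump(text):
            if nt == EMPTY_NT:
                blank.append(f"{host}\\{user}")
            if lm != EMPTY_LM:
                lm_present.append(f"{host}\\{user}")
            if nt != EMPTY_NT:
                hosts_by_nt[nt].add(host)
    reused = {nt: sorted(h) for nt, h in hosts_by_nt.items() if len(h) > 1}
    return {"blank_password": blank, "lm_hash_present": lm_present, "reused_nt_hash": reused}


# Sample input (constructed): client-a is the deck's hashdump, the other two hosts are invented.
SAMPLE_DUMPS = {
    "client-a": """meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
cisco:1000:aad3b435b51404eeaad3b435b51404ee:579a13a46633f286db9155f5a612c765:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
""",
    "client-b": """Administrator:500:aad3b435b51404eeaad3b435b51404ee:579a13a46633f286db9155f5a612c765:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
""",
    "client-c": """Administrator:500:aad3b435b51404eeaad3b435b51404ee:579a13a46633f286db9155f5a612c765:::
helpdesk:1001:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
""",
}

if __name__ == "__main__":
    for finding, items in triage(SAMPLE_DUMPS).items():
        print(finding, items)
```

A blank NT hash on the built-in Administrator (RID 500) usually means the account is disabled rather than that it has an empty password, so that finding is checked against the account status before it is reported; the reuse finding is the one that justifies per-host local admin passwords.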
Mimikatz – Grab from LSASS
• It has nothing to do with cats!
• A tool run on compromised host that can (among many things) grab credentials from logged on users and services from memory
• http://blog.gentilkiwi.com/mimikatz
Diagram: LSASS (credentials cache) holding User / Password / Hash, e.g. scratchy / S3cret! / aad3db5…; Mimikatz (“Mini-catz?”) grabs hashes of logged in users/services
Why is the Password/Hash Cached?
• In Active Directory Domain, the user logs in once to his computer
• … and can then access domain resources without any further logon
• User-friendly! And Single-Sign-On is good for security too!
• …but client has to cache hash of password to authenticate transparently
Diagram: Scratchy logs in once; the credentials cache (User / Password / Hash: Scratchy / S3cret! / aad3db5…) then authenticates many times to the File Server, Web Server and NGFW Security Appliance
So let’s consider Kerberos
• In Greek mythology, Cerberus was the three-headed monster dog that guarded the underworld.
• Kerberos is the preferred authentication mechanism in Active Directory (used in Unix environments before Microsoft adopted it).
• Note that it may be difficult to fully replace NTLMv2 with Kerberos due to legacy OS, appliances etc. so most AD domains use both methods!
How Kerberos Works – 1: Getting the TGT
1. Client authenticates by encrypting timestamp with its hash
Diagram: Timestamp + NT hash -> crypto -> AS-REQ (Auth: “It is Scratchy”) to the Domain Controller
How Kerberos Works – 1,2: Getting the TGT
2. Domain Controller sends back a Ticket-Granting-Ticket (TGT), encrypted with the Kerberos Service (KRBTGT) hash. Only the Domain Controllers can read the ticket that includes info on username, group belongings, validity…
Diagram: AS-REP carries the TGT (Username: Scratchy, Ticket lifetime, Groups) encrypted with the KRBTGT hash; the client keeps the TGT
How Kerberos Works – 3: Getting the TGS
3. Client requests a Ticket-Granting-Service (TGS) for a specific service (e.g. file service, web proxy). It includes the TGT in request.
Diagram: TGS-REQ (fileservice) with TGT to the Domain Controller (“I can decrypt all TGTs!”); the File Server holds its own Service Hash
How Kerberos Works – 3,4: Getting the TGS
4. Domain Controller decrypts TGT. If valid it creates a TGS populated with values from TGT and encrypts it with the hash of requested service.
Diagram: TGS-REP carries the TGS (Username, Ticket lifetime, Groups) encrypted with the File Server’s Service Hash; the client now holds both TGT and TGS
How Kerberos Works – 5: Contacting Service
5. Client presents the TGS to server. Server can validate TGS (decrypting it with its hash) and gets back info on User, Ticket Lifetime, Groups… and can proceed to allow/disallow the request.
6. (No need for Server to contact Domain controller to verify anything!)
Diagram: AP-REQ with TGS to the File Server; the server decrypts it with its Service Hash and reads Username, Ticket lifetime, Groups
So all is fine?
• Kerberos is well-proven (20 years old), used in Unix environments before Microsoft adopted it
• The big issue: All security depends on the master key (KRBTGT hash)!
• That typically changes very rarely, at domain functional level upgrades
• If Domain Controller is compromised, it is disastrous!
• Very good white paper (explaining next attack)
https://www.blackhat.com/docs/us-14/materials/us-14-Duckwall-Abusing-Microsoft-Kerberos-Sorry-You-Guys-Don't-Get-It-wp.pdf
But Hey! Our Domain Controller was compromised
• So by dumping hashes Itchy (the attacker) got the KRBTGT hash!
• This is like being able to print his own passport!
• Now Itchy can create his own TGTs! = Golden Tickets
Diagram: Itchy encrypts a TGT of his own making (Username: supercat, Groups: x, y, z, Lifetime: 10 years) with the KRBTGT hash
Dumped KRBTGT hash:
Krbtgt :$NT$e27385934250848521eda994a585b79c:::
Access to lab
• AnyConnect to: dcloud-sjc-anyconnect.cisco.com
• Credentials via lab proctor
• Username: xxxxxx
• Password: yyyyyyy
• Download lab guide from https://cisco.box.com/v/labbguide
• Download lab prezo from https://cisco.box.com/v/
• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.
Complete Your Online Session Evaluation
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Tech Circle
• Meet the Engineer 1:1 meetings
• Related sessions
Thank you