Offensive Security with Metasploit
15 October 2015
TX DIR Telecommunications Forum
James Lee
@egyp7
Metasploit Developer
Community Manager
# whoami
I Think Like an Attacker
What is Metasploit?
A tool for
● Reconnaissance
● Exploitation
● Post-exploitation
A Data Clearinghouse
A framework for improving and automating all of the above
A Brief History of Exploitation
Golden Era (up to mid-late 1990s)
Silver Era (mid-late 1990s to mid 2000s)
Modern Era (late 2000s to now)
Golden Era
Centralized Computing
Universities, Research Orgs
Golden Era Exploitation
Credentials
Configuration errors
Silver Era (mid 1990s)
Practical portable systems
Rise of WiFi
Much greater use of technical mitigation
Silver Era Exploitation
Credentials
The rise of client-sides
The rise of web exploitation
Email Worms
ILOVEYOU
Sircam
Sobig
MyDoom
Server-side Worms
● Sadmind: ms00-078 IIS, solaris sadmin
● Code Red: ms01-033 IIS
● Nimda: (big list of vectors)
● Slammer: ms02-039 SQL Server
● Blaster: ms03-026 dcom
● Sasser: ms04-011 lsass
● Zotob: ms05-039
● Conficker: ms08-067
Modern Era
The web is the Internet
Ubiquitous mobile computing
Secure Development Lifecycle (SDLC)
An exploit converts illegitimate access into legitimate access
If exploits are getting harder, where do we go?
What do they all have in common?
Authenticated Code Execution by Design
Back to Golden Era Exploitation
Credentials
Configuration errors
Modern Era Exploitation
Credentials
Configuration errors
Windows authentication
NTLM hashes stored in SAM
Logons handled by LSASS.exe
● Cached for Single Sign On
Mimikatz
In-memory Windows password stealer
● Plaintext password extraction
● Meterpreter extension
Mimikatz in action
Core
● Public: Username, Blank Username
● Private: Password, NTLM Hash, Non-replayable Hash, SSH Key, SNMP Community
● Realm: SMB Domain, Postgres DB, Oracle SID
SMB Authentication
Client → Server: Auth request; host:BOB
Server → Client: Challenge
Client → Server: user:bob, bob’s hash encrypted with Challenge
Server → Client: Login successful
windows/smb/smb_relay
SMB Relay
Client (BOB) → Relay: Auth request; host:BOB
Relay → Server: Auth request; host:BOB
Server → Relay: Challenge
Relay → Client: Challenge
Client → Relay: user:bob, bob’s hash encrypted with Challenge
Relay → Server: user:bob, bob’s hash encrypted with Challenge
Server → Relay: Login successful
Relay → Client: Login Failed go away
exploit/windows/smb/smb_relay
An exploit converts illegitimate access into legitimate access
Post Exploitation
The Ps
Presence
Persistence
Pivoting
Presence: Processes
Pivoting
Two* methods in Metasploit
● Route
● Portfwd
* Mostly
Reverse Payload
A tougher scenario
Bind Payload
A tougher scenario
How do I deal with this?
SMB Relay
● Disable WPAD
● Block outbound SMB
● Enforce SMB 2.x only
● Require signing
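The relay sequence from the SMB Relay slides and the "Require signing" mitigation, as an added Python model that is not from the talk or from Metasploit: a client, a relay and a server exchange the same messages as the diagram, once with signing off and once with signing required. The toy KDFs, the class and function names and the sample credential are constructed for this example.

```python
import hmac, hashlib, os

# Toy model of NTLM-style challenge/response with an SMB relay in the middle, constructed for
# illustration (HMAC-SHA256 stands in for the NTLM KDFs): why "Require signing" stops the relay.

def secret(password):            # stands in for the NT hash; never sent on the wire
    return hashlib.sha256(password.encode()).digest()
def respond(sec, challenge):     # the proof: bob's hash "encrypted" with the challenge
    return hmac.new(sec, challenge, hashlib.sha256).digest()
def session_key(sec, response):  # signing key needs the secret, so a relay cannot derive it
    return hmac.new(sec, response, hashlib.sha256).digest()
def sign(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

class Server:
    def __init__(self, users, require_signing):
        self.users, self.require_signing = users, require_signing
    def challenge(self):
        self.chal = os.urandom(8)
        return self.chal
    def login(self, user, response, msg, sig):
        sec = secret(self.users[user])
        if not hmac.compare_digest(respond(sec, self.chal), response):
            return "Login Failed"
        if self.require_signing and not hmac.compare_digest(sign(session_key(sec, response), msg), sig):
            return "Login Failed"        # valid proof, but the request is not signed by the real client
        return "Login successful"

class Relay:  # passes the server's challenge to the client and the client's proof back to the server
    def __init__(self, server):
        self.server, self.outcome = server, None
    def challenge(self):
        return self.server.challenge()
    def login(self, user, response, msg, sig):
        # Forward the proof with a request of our own; without the session key the signature is junk
        self.outcome = self.server.login(user, response, b"relayed request", b"\0" * 32)
        return "Login Failed go away"    # what the client sees, as on the slide

def client_auth(user, password, peer):  # peer is whatever answers as the server: real or relay
    sec = secret(password)
    resp = respond(sec, peer.challenge())
    msg = b"tree connect"
    return peer.login(user, resp, msg, sign(session_key(sec, resp), msg))

def scenario(require_signing):  # -> (what the server concluded, what the client saw)
    server = Server({"bob": "hunter2"}, require_signing)
    relay = Relay(server)
    client_sees = client_auth("bob", "hunter2", relay)
    return relay.outcome, client_sees
```

With signing off the server accepts the relayed proof while the client only sees a failed login; with signing required the same proof is rejected because the relay never learns the session key.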
Windows Authentication
● Don’t give users Local Admin
● LAPS - Local Administrator Password Solution
Password Theft
KB2871997
● Disables digest auth
● LSASS still has NTLM hashes
Don’t log into everything as DA
Pivoting
● Segmentation
● Egress filters
● Audit logons
Questions?
@egyp7