Paul Asadoorian, Founder & CEO, PaulDotCom Enterprises
http://pauldotcom.com [email protected]
POST Exploitation: Going Beyond The Happy Dance
Carlos Perez, HP / PaulDotCom
Note: Special happy dance outfits are optional
http://pauldotcom.com June 2010
Who am I?
• I had this really boring slide about who I am
• Then I realized that’s not really who I am
• What follows is the “Powerpoint” version of “a little about me”...
Podcast
• 2005 - Present
• ~200 episodes
• Awards, blah
• Thursdays 7PM EST
PaulDotCom
John “Father John” Strand
Paul “Salad Shooter” Asadoorian
Larry “Dirty Uncle” Pesce
Mick “Jr. Salad Shooter” Douglas
Carlos “Dark0perator” Perez
Mike “The Original Intern” Perez
Darren “Girly Mustache” Wigley
?“Byte_Bucket”
Mark Baggett
“Hail Nessus!”
• My day job: I work for Tenable Network Security as a “Product Evangelist”
• I use Tenable products and write blogs, publish podcasts, teach courses, and produce videos
• http://blog.tenablesecurity.com
Carlos “dark0perator” Perez
• Carlos works as a Solution Architect for HP Infrastructure Consulting on the Security, Networking and Consolidation Practices
• He covers Central America, Caribbean and PR
• He is a Metasploit junky!!
I Hacked The Gibson!
• Do the happy dance!
• Hacking the Gibson is quite the accomplishment
• Congratulations, your penetration test has begun
• Like ___, the importance is on what happens after you get in
You can fill in the blanks. I’m going with “burglary”.
“POST-Exploitation”
• This is actually a really bad term as it doesn’t accurately describe the process
• “Exploitation” - Getting “shell” or remote command execution on the system
- But doesn’t necessarily require an “exploit”
• “POST” - What happens after
- Should be: “things that must be done in order to make it worth your while and your clients money!”
• Some say they don’t need exploits, let alone “POST-Exploitation”
• In general, these are the exceptions and likely have an advanced and well-defined security program (Ha!)
• In every test, you should:
- Tell your client something they didn’t know about their network
- Make them reconsider risk-based decisions
“POST-Exploitation”
• Network Enumeration - Using the network interface to sniff and/or scan (even WiFi)
• Privilege Escalation - Got root?
• Pivoting - Attacking other systems
• MiTM Attacks - Arp cache poison, collect credentials
• Hiding - We need to do more of this on pen tests
More “POST-Exploitation”
1. Local Enumeration - Collecting information from the host
2. Re-configuration & changing settings - Manipulation, not just for relationships anymore
Focus
• We will focus on the local and network enumeration
• Re-configuring stuff is largely ignored, except by attackers
- This is where Paul comes in :)
• Automation in this space needs some work
- This is where Carlos comes in :)
Local Enumeration - “Stuff We Can Automate”
• Accounts & Passwords
• List defenses
- Firewall, A/V, etc..
• General System Information
- Screen capture, video screen capture
- Open ports, file shares, running processes
- Registry / configuration data
- Device data - Mic, webcam, USB, Wireless
You are being watched
We MUST Automate
Local Enumeration - Manual
• Even with advanced Cylon technology, the following is still done manually:
- Go through file system and shares look for good stuff
- Backup files, configuration files, clear-text password files
Re-Configure The System
• Change settings - DNS, hosts file
• Disable defenses - Drop shields, disable anti-virus
• Add file shares
• Add access methods (RDP, VNC, Telnet)
• Grab the print queue
I find the above methods apply nicely to embedded device exploitation!
Finding Vulnerabilities In Embedded Routers
• Linksys WAP54Gv3 Remote Debug Root Shell
• http://www.icysilence.org/?p=268
• Found by reverse engineering the firmware, and digging through open-source code
• User: gemtek / Pass: gemtekswd
• Great, now we can pwn routers!
But what do we do with them?
Changing the DNS server to ones that you own, pwn
Several embedded routers have poor security and weak authentication
Hacking Printer Example
• “Fun With Printers” by Matt
- http://www.attackvector.org/?p=110
• Printers are fun, and so is changing the display
• But there are more evil things...
Hacking Printer Example
• Tell printers to store jobs:
- @PJL DEFAULT HOLD=STORE
• Download stored jobs:
- 0:\savedevice\savedjobs\heldjobs
• Simple, yet effective POST-Exploitation that will retrieve information stealthily
• Notice there is no “exploit”
• You may need to customize your “POST-Exploitation” activities
The Trick
• Being able to do “POST-Exploitation” across multiple platforms
• Windows - Has great coverage, especially in Metasploit thanks to Carlos
• Linux - Tons of stuff exists to automate
• OS X - Seems to want to behave differently than Linux/UNIX
- Each release changes the commands!
Windows
• Microsoft has worked hard in the latest versions of Windows to provide layers that secure the system.
- Windows Vista
- Windows 7
- Windows 2008
- Windows 2008 R2
• New management tools have been added
Windows
• Access to Registry has been limited
• Access to Operating System files is more limited
- %SYSTEMDRIVE%
- %PROGRAMFILES%
- %WINDIR%
• For compatibility some of this access is now Virtualized
Windows
• Sadly, the data is not secured too well
• We can read application data and configuration even without “Administrator” on Vista/7/2k8 R2
- HKCU\
- %APPDATA%
- %HOMEPATH%
- %LOCALAPPDATA%\VirtualStore (Virtualized FS)
- HKCU\Software\Classes\VirtualStore (Virtualized Reg)
Windows Powershell
• Powershell is now the foundation for all future MS Enterprise Products
- Exchange
- SQL Server
- System Manager
- Hyper-V
- Windows 2008 and beyond
Windows Powershell
• Powershell is in use by third parties other than Microsoft
- VMware
- Citrix
- F5
- Others….
• Access to .Net, a multitude of cmdlets and OS commands
Windows Powershell
• Not too shell friendly since it breaks regular shells like ncat, nc and even Meterpreter
• But there are other ways to use it
Windows Powershell
• We can identify Snap-Ins, including their version
• We can identify the execution policy of scripts
• We can tell if the default profile is loading any libraries by default for a user.
• If running as SYSTEM we will enumerate all users in the host
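Added example, not from the deck or from the Meterpreter script it mentions: a read-only Windows PowerShell audit of exactly the items listed on this slide (execution policy per scope, registered snap-ins with versions, what the profile scripts load, and the identity the shell runs as), so a defender can see what a post-exploitation script would learn from the host. Only stock cmdlets are used; the regex of "code-loading" statements is this example's own choice.

```powershell
# Added example (not from the original deck): read-only audit of the PowerShell
# environment as seen from the host itself. Run in Windows PowerShell; nothing is changed.

function Get-PSEnvironmentAudit {
    $report = [ordered]@{}

    # Who the shell runs as; SYSTEM would be able to read every user's profile
    $report.RunningAs = [Security.Principal.WindowsIdentity]::GetCurrent().Name

    # Execution policy at every scope plus the effective result
    $report.ExecutionPolicy = Get-ExecutionPolicy -List | Select-Object Scope, ExecutionPolicy
    $report.EffectivePolicy = Get-ExecutionPolicy

    # Registered snap-ins and versions (most third-party ones need RemoteSigned or looser)
    $report.SnapIns = Get-PSSnapin -Registered -ErrorAction SilentlyContinue |
        Select-Object Name, PSVersion, Version

    # The four profile scripts; each one that exists runs at every start of the shell
    $loaders = 'Import-Module|Add-PSSnapin|Add-Type|LoadWithPartialName|LoadFrom|\.dll'
    $report.Profiles = foreach ($scope in 'AllUsersAllHosts', 'AllUsersCurrentHost',
                                          'CurrentUserAllHosts', 'CurrentUserCurrentHost') {
        $path   = $PROFILE.$scope
        $exists = Test-Path -LiteralPath $path
        $lines  = @()
        if ($exists) {
            # Lines that pull in external code; these are what "loads libraries by default" means
            $lines = @(Select-String -LiteralPath $path -Pattern $loaders | ForEach-Object Line)
        }
        [pscustomobject]@{ Scope = $scope; Path = $path; Exists = $exists; LoadsCode = $lines }
    }

    [pscustomobject]$report
}

$audit = Get-PSEnvironmentAudit
"Running as: $($audit.RunningAs)   Effective policy: $($audit.EffectivePolicy)"
$audit.ExecutionPolicy | Format-Table -AutoSize
$audit.SnapIns         | Format-Table -AutoSize
$audit.Profiles        | Format-List
```

A profile that exists and loads code for every session is worth a review of who can write to it, since that is the same picture an attacker's enumeration script would build.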
Windows Powershell
• Works with WMIC also
• On Meterpreter just
- execute -H -f cmd.exe -a "/c powershell Get-Service > out.txt"
• Thankfully most third party and some MS Snap-Ins require an execution policy of RemoteSigned
*Yes, a Meterpreter script is on its way ;)
Windows Persistence with UAC
• Most tools and scripts for Persistence fail with UAC
• But UAC Protects the system not the user
- %AppData%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
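Added example, not from the deck: a read-only PowerShell check that lists the two user-level autostart locations on this slide (plus the sibling RunOnce key) and flags entries whose launched binary lives under a user-writable tree, which is where persistence that never trips UAC ends up. The set of trees treated as user-writable is this example's assumption; adjust it for your build.

```powershell
# Added example (not from the original deck): audit the per-user autostart locations
# that UAC does not protect. Run as the user whose profile is being reviewed.

function Get-UserAutostartEntries {
    # Trees a standard user can write to without elevation (assumption of this example)
    $userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:USERPROFILE) |
        Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

    # Pull the executable out of a command line such as "C:\x\a.exe" /arg; an unquoted
    # path containing spaces resolves to its first token, so review those by hand
    function Resolve-Target([string]$cmd) {
        $expanded = [Environment]::ExpandEnvironmentVariables($cmd.Trim())
        if ($expanded -match '^"([^"]+)"') { return $Matches[1] }
        return ($expanded -split '\s+')[0]
    }

    $entries = @()
    foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce') {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Skip the PS* metadata properties Get-ItemProperty adds to every key
        foreach ($name in ($props.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' })) {
            $entries += [pscustomobject]@{ Source = $key; Name = $name; Command = [string]$props.$name }
        }
    }

    # Everything in the per-user Startup folder runs at logon, no registry entry needed
    $startup = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'
    if (Test-Path $startup) {
        foreach ($f in Get-ChildItem -LiteralPath $startup -File) {
            $entries += [pscustomobject]@{ Source = $startup; Name = $f.Name; Command = $f.FullName }
        }
    }

    foreach ($e in $entries) {
        $target     = Resolve-Target $e.Command
        $inUserTree = [bool]($userWritable | Where-Object { $target -like "$_\*" })
        $e | Add-Member -NotePropertyName Target       -NotePropertyValue $target -PassThru |
             Add-Member -NotePropertyName UserWritable -NotePropertyValue $inUserTree -PassThru |
             Add-Member -NotePropertyName Exists       -NotePropertyValue (Test-Path -LiteralPath $target) -PassThru
    }
}

Get-UserAutostartEntries | Sort-Object UserWritable -Descending |
    Format-Table Source, Name, Target, UserWritable, Exists -AutoSize
```

Entries with UserWritable set, or whose Target no longer exists (a dangling autostart a user-level process could recreate), are the ones to compare against a known-good baseline.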
Windows Virtualization
• More and more companies are virtualizing
• VDI is being pushed by all vendors (Citrix, Vmware and MS)
• Most solutions have a centralized system for management: “One system to rule them all, one system to find them, one system to bring them all and in the darkness bind them”
Windows Virtualization
• When attacking Virtual Environments, getting all the info on the management systems is critical
- Products
- Databases
- Scripting environments
- Managed Systems
Windows Virtualization
• When attacking client systems, look for management products and interfaces
• Also look for desktop virtualization products and VDI clients
• In many clients the data is shifting to virtual systems
• Knowing how to get to it and work in these environments is crucial
Windows - Vmware Local Tools
• When VIX is installed vmrun is your new found friend
• Control VM’s State, Manage Files, Take Screenshot and Execute commands.
• Works Against ESX, WorkStation and Server
• CD to the VIX Program Files folder to run
- 32 bit - %PROGRAMFILES%\Vmware VIX\
- 64 bit - %PROGRAMFILES(x86)%\Vmware VIX\
Final Notes
• All Meterpreter scripts will be available in the coming weeks in Metasploit
• Additional scripts that we were not able to cover due to time will also be released and discussed on our blog
• If we know the VM password we can copy files from and to the VM
• We need more people to help work on OS X and Linux “POST-Exploitation”
Don’t Forget: http://www.securityfail.com
• Presentations: http://pauldotcom.com/presentations.html
• Radio: http://pauldotcom.com/radio
• Live Stream: http://pauldotcom.com/live
• Forum: http://forum.pauldotcom.com/
• Mailing List: http://mail.pauldotcom.com
• Webcasts: http://pauldotcom.com/webcasts
• Insider: http://pauldotcom.com/insider
• Email: [email protected]