Hacking in the Attack Kill Chain

Transcription

1

2 Hacking in the Attack Kill Chain Håkan Nohre, Consulting Systems Engineer, GIAC GPEN #9666, CISSP #76731 Erkan Djafer, Consulting Systems Engineer, CISSP # Chung-wai Lee, Cyber Security Partner Account Manager

3 Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the Cisco Live Mobile App 2. Click Join the Discussion 3. Install Spark or go directly to the space 4. Enter messages/questions in the space cs.co/ciscolivebot#

4 About this LAB (I read the abstract ) It is not a sales session It is definitely not about Cisco products, designs, or definitive solutions! It is about offensive, not defensive techniques Hopefully, understanding how the attacker works we can build better defense or apply better risk management! Complimentary Cisco Live Berlin 2017 Breakout: BRKSEC-2309 It s Cats vs Rats in the Attack Kill Chain 4

5 Modified Kill Chain for this Breakout Note that attackers are not legally bound to follow the exact model. E.g. may establish persistence before lateral movement Recon Gain Foothold - Attack Delivery - Exploitation Command and Control Local Compromise Lateral Movement Establish Persistence Exfiltration 5

6 Focus on Methodology, not Tools! Kali Linux Metasploit Mimikatz PowerShell Empire 6

7 Lab Topology VPN to lab with AnyConnect 7

8 Lab1 Reconnaissance evil Internet /18 Try to get to IoT Directly - will not work Use OSINT recon against clients Client-A (VPN).38 Client-B (VPN).37 inside FW /24 IoT.211 AD.? 8

9 Lab 2: Gain Initial Foothold evil Spear phishing naïve end user - examine Excel with Macro - (examine RTF file) Internet /18 Client-A (VPN) Client-B (VPN) inside FW /24 IoT.211 AD.? 9

10 Lab 3: Command and Control (CnC) evil Examine CnC - tcpdump, agent options Internet /18 Client-A (VPN) Client-B (VPN) inside FW /24 IoT.211 AD.? 10

11 Lab 4: Local Privilege Escalation evil Go from mordiac to system on A Internet /18 Client-A (VPN) Client-B (VPN) inside FW /24 IoT.211 AD.? 11

12 Pivoting Explained Permit outgoing HTTP Active Directory Client ip is Internet NGFW IoT Clients

13 Lab 5A: Lateral Movement against IoT evil Internet /18 Pivot attack against IoT via A - pivoting, metasploit - Bash shellshock exploit Client-A (VPN) Client-B (VPN) inside FW /24 IoT.211 AD.? 13

14 Lab 5A: (cont) Local Privilege Escalation evil Internet /18 Pivot attack against IoT via A - Local recon (find out OS) - Escalate privileges Client-A (VPN) Client-B (VPN) inside FW /24 IoT.211 AD.? 14

15 Lab 5B: Lateral Movement in AD environment Client-A (VPN) Client-B (VPN) evil Internet /18 FW inside /24 Pivot attack against AD via A - Dump credentials, mimikatz - WMI movement - Dump hashes - Pass-the-hash AD.? IoT

16 Lab 6A: Persistence with Golden Tickets evil Internet /18 - Take over workstationb (non Admin) - Create golden ticket to impersonate any user (even if all passwords are reset) Client-A (VPN) Client-B (VPN) inside FW /24 IoT.211 AD.? 16

17 Lab 6B, 6C Persistence after Reboot evil Internet /18 Try to different methods to ensure you keep control after reboot - Schedule task - WMI subscriptions Client-A (VPN) Client-B (VPN) inside FW /24 IoT.211 AD.? 17

18 Remember Tell us if you have problems! Tell us if you have feedback! Have Fun! This lab does not even try to have the answers! We hope it helps you ask the right questions! 18

19 Appendix B Extra Turbo hacking lab evil Internet /18 Take over B via flash vulnerability Local Priv Escalation Dump hashes Pivoting via Port forwarding Hand over Metaploit -> Empire FW Client-A (VPN) Client-B (VPN) Clients /24 Infrastructure /24 IoT.211 AD.? 19

20 Post-Exploitation with PowerShell Very powerful scripting language included in Windows from Win7 Can leverage WMI,.NET, Win32 and do almost everything Key logging, Screenshots, CnC, grab passwords and hashes (Mimikatz) Is typically whitelisted and scripts not caught by Anti-Virus Can run from memory (no need to write file to disk: not caught by Anti-Virus) Can run on remote machine (if you know the credentials of target machine) 20

21 Internal Recon: Scanning? Noisy scanning typically not necessary for internal recon Attacker can just ask Active Directory politely to find out: What machines are in the domain? Which machines are the domain controllers? On what machines are domain admins logged on? Which machines run Exchange, SQL servers? Which machines are file servers?.and much more 21

22 What is a Hash? One-way function to convert password to hash For NT hash, MD4 is used Password Tunafish! So we don t have to store cleartext-passwords or send them over the network Instead we use the hash to store credentials (and authenticate) Crypto stuff Crypto stuff Stuff Hash d41d8cd.. 22

23 Understanding NTLMv2 NTLMv2 is a common network authentication method in Microsoft Active Directory for Net logons,file Shares, Web Sites etc. Client requests auth Server sends challenge Client sends response to challenge Server validates (with help of Active Directory) Auth Request Challenge(random no) Response 23

24 Understanding NTLMv2 If client sends correct response to challenge it is authenticated Response is calculated from hash that is calculated from password Auth Request Challenge(random no) Response Hash Password Crypto stuff Username Timestamp Crypto stuff Other stuff Challenge(random no) 24

25 Pass-the-Hash If attacker has the hash, he does not need the password He can use a modified client that supplies the hash without calculating it from password Auth Request Challenge(random no) Response Hash Password Crypto stuff Username Timestamp Crypto stuff Response Other stuff Challenge(random no) 25

26 Overview: Hoarding Hashes On new compromised host Grab local hashes Grab hashes of logged in users/services Try Next Host w credentials. N Y Domain Admin? Partytime! Passwords/Hashes 26

27 Grab Local Hashes With system privileges it is possible to grab local password hashes from registry (not a vulnerability, it is same for other OS including Unix) Functionality (of course) included in Metasploit, PowerShell Empire Note: Local hashes only relevant to local computer But maybe same password is used on more than one computer? Grab local hashes meterpreter > hashdump Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: cisco:1000:aad3b435b51404eeaad3b435b51404ee:579a13a46633f286db9155f5a612c765::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: 27

28 Mimikatz Grab from LSASS It has nothing to do with cats! Grab hashes of logged in users/services A tool run on compromised host that can (among many things) grab credentials from logged on users and services from memory Minicatz? LSASS (Credentials cache) User Password Hash scratchy S3cret! aad3db5 28

29 Why is the Password/Hash Cached? In Active Directory Domain, the user logs in once to his computer and can then access domain resources without any further logon User-friendly! And Single-Sign-On is good for security too! but client has to cache hash of password to authenticate transparently File Server Scratchy Logs in Once Authenticate many times Web Server Credentials cache User Password Hash Scratchy S3cret! aad3db5 NGFW Security Appliance 29

30 So let s consider Kerberos In Greek mythology, Cerberus was the Threeheaded Monster Dog that guarded the underworld. Kerberos is the preferred authentication mechanism in Active Directory (used in Unix Environments before Microsoft adopted it). Note that it may be difficult to fully replace NTMLv2 with Kerberos due to legacy OS, appliances etc. so most AD domains use both methods! Monster dog? Rosemary, CISO 30

31 How Kerberos Works 1: Getting the TGT 1. Client authenticates by encrypting timestamp with its hash It is Scratchy Timestamp NT hash Crypto AS-REQ Auth 31

32 How Kerberos Works 1,2: Getting the TGT 2. Domain Controller sends back a Ticket-Granting-Ticket (TGT), encrypted with the Kerberos Service (KRBTGT) hash. Only the Domain Controllers can read the ticket that includes info on username, group belongings, validity It is Scratchy TGT TGT AS-REP Crypto KRBTGT hash Username:Scratchy Ticket lifetime Groups 32

33 How Kerberos Works 3: Getting the TGS 3. Client requests a Ticket-Granting-Service (TGS) for a specific service (e.g file service, web proxy). It includes the TGT in request. I can decrypt All TGTs! TGS-REQ fileservice TGT TGT Service Hash File Server 33

34 How Kerberos Works 3,4: Getting the TGS 3. Client requests a Ticket-Granting-Service (TGS) for a specific service (e.g file service, web proxy). It includes the TGT in request. 4. Domain Controller decrypts TGT. If valid it creates a TGS populated with values from TGT and encrypts it with the hash of requested service. TGT TGS-REP Username Ticket lifetime Groups TGS Crypto TGT Service Hash File Server 34

35 How Kerberos Works 5: Contacting Service 5. Client presents the TGS to server. Server can validate TGS (decrypting it with its hash) and gets back info on User, Ticket Lifetime, Groups and can proceed to allow/disallow the request. 6. (No need for Server to contact Domain controller to verify anything!) Username Ticket lifetime Groups TGT AP-REQ Decrypt TGS TGS File Server Service Hash 35

36 So all is fine? Kerberos is well-proven (20 years old), used in Unix environments before Microsoft adopted it The big issue: All security depends on the master key (KRBTGT hash)! That typically changes very rarely, at domain functional level upgrades If Domain Controller is compromised, it is disastrous! Very good white paper (explaining next attack) Guys-Don't-Get-It-wp.pdf 36

37 But Hey! Our Domain Controller was compromised So by dumping hashes Itchy (the attacker) got the KRBGT hash! Krbtgt :$NT$e eda994a585b79c::: This is like being able to print his own passport! Now Itchy can create his own TGTs! = Golden Tickets KRBTGT hash Crypto TGT Username: supercat Groups: x,y, z Lifetime: 10 years 37

38 Access to lab AnyConnect to: dcloud-sjc-anyconnect.cisco.com Credentials via lab proctor Username : xxxxxx Password : yyyyyyy Download lab guide from Download lab prezo from 38

39 Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the Cisco Live Mobile App 2. Click Join the Discussion 3. Install Spark or go directly to the space 4. Enter messages/questions in the space cs.co/ciscolivebot#ltrsec-3000

40 Please complete your Online Session Evaluations after each session Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt All surveys can be completed via the Cisco Live Mobile App or the Communication Stations Complete Your Online Session Evaluation Don t forget: Cisco Live sessions will be available for viewing on-demand after the event at

41 Continue Your Education Demos in the Cisco campus Walk-in Self-Paced Labs Tech Circle Meet the Engineer 1:1 meetings Related sessions 41

42 Thank you

43