Bojan Ždrnja, CISSP, GCIA, GCIH, GWAPT INFIGO IS
|
|
- Shawn Burke
- 5 years ago
- Views:
Transcription
1 Laterally pwning Windows Bojan Ždrnja, CISSP, GCIA, GCIH, GWAPT INFIGO IS
2 Who am I? Senior information security consultant at INFIGO IS Penetration testing (all sorts), IT/Security consulting, Splunk implementations Various duties at SANS Internet Storm Center Handler Mostly known for reverse engineering malware SANS GREM (GIAC Reverse Engineering Malware) course co-author SEC 504/542 instructor Previously Team Cymru Dragon Research Group member University of Auckland honorary researcher
3 About INFIGO IS Offices HQ Zagreb, Croatia Web: Subsidiaries: Skopje, Macedonia Sarajevo, Bosnia and Herzegovina Tirana, Albania Business lines Compliance consulting Security assessments Penetration testing, strongest team in the region! Security solutions IPS, SIEM, NMS etc. Strong security professionals team 15+ SANS, ISC2, ISACA cert. professionals
4 Agenda Preface Background story about this presentation Cases from the real world Finding the weakest link Pivoting and lateral movement on Windows infrastructure Defense mechanisms If any?
5 Preface Content of this presentation should be well known to security people There is always something you can learn, though Vulnerable infrastructure found in almost every (internal) penetration test Often dismissed by security personnel as a non-issue Really, is it a problem if you still have Windows 2003 or Windows XP machines? There are really no publicly/easily available RCE exploits The answer to the question above is YES!
6 Preface It all starts with a normal internal penetration test
7 Preface And this is the result Only 4 Windows 2003 servers in the whole network (out of 400 servers) Is it something we can ignore? CVSS V2 score certainly says yes.
8 Analyzing a typical attack these days So, let us analyze typical attack steps these days The attacker usually uses social engineering attack vectors to entice user to perform an action Execute attachment in an No matter how difficult it might be, really Or visit a web site that will serve an exploit Yay for Java and Flash So now the attacker is running in the context of the user
9 Where is the attacker currently? Domain controllers Member servers User workstations
10 Lateral movement In order to pivot the attacker first needs to become a local administrator Still think Windows XP and 2003 are not a problem? No? Good Yes? Ok, wait a couple of slides Privilege escalation on Windows is not as difficult as on other Oses Microsoft tends to underestimate local privilege escalation vulnerabilities Patched here and there Users running as administrators Maybe already started our executable with administrator privileges?
11 Lateral movement Wait, we have Windows 7 with UAC Exploiting UAC is not too difficult Writing to secure location Exploiting DLL high jacking vulnerability Some prerequisites are required A medium integrity process User must be in an administrators group Writing to secure location IFileOperation COM Object Usually injected into Explorer.exe Using Windows Update Standalone Installer (wusa.exe)
12 Lateral movement Now the attacker is ready for token stealing Usually performed with tools such as WCE or Mimikatz Mimikatz is the preferred tool Integrated with Metasploit Can be executed purely from memory through meterpreter Or even stealthier? PowerSploit Collection of PowerShell modules for penetration testing Supports Mimikatz Reflectively loads Mimikatz in memory using PowerShell
13 Lateral movement Maybe we do not even need tokens? What happens on a Windows XP or 2003 server
14 Lateral movement Ok, hopefully you will agree with me that Windows XP and 2003 should be upgraded ASAP Now that we have taken care of that, we can continue pivoting While passwords are nice, we actually do not need them Pass-the-hash attacks We want password hashes Ok we can easily generate them, NT hashes are simply MD4 hashes of password without salting
15 Abusing NTLMv2 Why this works? NTLM is calculated using purely a user s password NT hash CS = random 8 byte challenge, server CC = random 8 byte challenge, client CC* = (X, time, CC, domain name) V2-Hash = HMAC-MD5(NT Hash, username, domain name) LMv2 = HMAC-MD5(V2-Hash, CS, CC) NTv2 = HMAC-MD5(V2-Hash, CS, CC*) Reponse = LMv2 CC NTv2 CC*
16 Lateral movement So now the attacker has a user s token Local network scan will identify all other machines/services reachable from the initially compromised workstation Pivoting commences The attacker can access any resource this user has access to If he is after your intellectual property, this might be enough For the sake of our story, we want to completely compromise the company If the user is admin elsewhere, the attacker is lucky
17 Lateral movement Execute process on another host How do we do that? Simply, copy the executable and execute it Well, it s not that simple really, but it s not complex either 4 main methods for remotely executing code Using WMIC
18 Lateral movement Using the AT command Does not work with Windows 8 (deprecated) at \\host HH:MM c:\windows\system32\calc.exe Using the SCHTASKS command Works on Windows 8 schtasks /create /tn INFOSEK /tr c:\windows\system32\calc.exe /sc once /st 00:00 /S host /RU System schtasks /run /tn INFOSEK /S host Do not forget to clean up the task chtasks /F /delete /tn INFOSEK /S host
19 Lateral movement Using the SC command sc \\host create INFOSEK binpath= c:\windows\system32\calc.exe sc \\host start INFOSEK Again, do not forget to clean up sc \\host delete INFOSEK What does the attacker want to start? Well, anything that will give the control back to him Might want to relay through the original host Careful attackers will try to leave as little artefacts as possible
20 Rinse and repeat Domain controllers Member servers User workstations
21 Lateral movement The attacker repeats the process On every machine runs Mimikatz Dumps all user hashes The main goal: get a domain administrator s hash We basically just need to find a machine where the domain admin logged in Usually via RDP His hash will remain in memory Some caveats apply here Mimikatz will dump it and this is game over
22 Rinse and repeat Domain controllers Member servers User workstations
23 Keys to the kingdom Once the Domain Controller gets compromised it is really game over Attacker can dump KRBTGT hash This allows creation of so-called Golden Tickets The attacker can impersonate absolutely anything Since everyone trusts whatever the DC tells them In the process the attacker can dump service passwords from compromised servers Allows creation of so-called Silver Tickets Tickets for services And all this happened because of a single Windows XP machine??? true story
24 Defense mechanisms Preventing such attacks is unfortunately not easy Well, the first step is: Get rid of Windows XP and Windows 2003 Plan upgrades to Windows 8.1 and Windows 2012 R2 as soon as possible Some best practice recommendations Create unique local account passwords Must not use same local administrator passwords on all workstations Be careful when creating golden images Same passwords allow an attacker to compromise every single workstation just by dumping hashes from a single (!) compromised workstation
25 Defense mechanisms Some best practice recommendations Deny local accounts from network logons Only domain accounts should be able to perform network logons This will prevent pass-the-hash attacks with locally dumped hashes When a password is same on multiple systems Restrict lateral movement with firewall rules Use firewalls between different VLAN s Prevents communication between workstations Do not use domain administrator accounts for RDP Implement different privilege levels Do not allow access from higher privilege level to a lower privilege level
26 Defense mechanisms With Windows 8.1 Microsoft added security features that prevent clear text password dumps But they can be changed by modifying a registry key So if the attacker has access to the machine, they can do all sorts of registry tweaking and wait Time is on their side Some Windows 8.1 and 2012 R2 features restrictedadmin RDP feature Reusable credentials will not be sent in plaintext during authentication and the target machine will not cache any reusable credentials
27 Defense mechanisms Some Windows 8.1 and 2012 R2 features Faster clearing credentials from memory After a logout, credentials will stay in memory for maximum of 5 minutes Watch out for usage of the runas command Protected users group New domain global group Requires functional level of Windows 2012 R2 Forbids NTLM, must use Kerberos Windows Digest is not cached Kerberos TGTs are valid 4 hours (instead of 10) Finally monitor your logs Attackers make mistakes, by monitoring anomalies they can be spotted!
28 Q & A
29 Thank you for your attention!
Useful Hacking Series
Useful Hacking Series Welcome to the Useful Hacking Series, in this series of 20 Episodes our world-renowned penetration tester/international speaker will share with you the top useful tips used during
More informationPass-the-Hash Attacks
Pass-the-Hash Attacks Mgr. Michael Grafnetter www.dsinternals.com Agenda PtH Attack Anatomy Mitigation Proactive Reactive Windows 10 + Windows Server 2016 Microsoft Advanced Threat Analytics PtH Attack
More informationTracking Evil with Passive DNS
Tracking Evil with Passive DNS Bojan Ždrnja, CISSP, GCIA, GCIH Bojan.Zdrnja@infigo.hr INFIGO IS http://www.infigo.hr Who am I? Senior information security consultant with INFIGO IS (Croatia) Mainly doing
More informationPass-the-Hash Attacks. Michael Grafnetter
Pass-the-Hash Attacks Michael Grafnetter www.dsinternals.com Agenda PtH Attack Anatomy Mitigation Proactive Reactive Windows 10 + Windows Server 2016 PtH History and Future 1988 Microsoft releases Lan
More informationHacking in the Attack Kill Chain
Hacking in the Attack Kill Chain Håkan Nohre, Consulting Systems Engineer, GIAC GPEN #9666, CISSP #76731 Erkan Djafer, Consulting Systems Engineer, CISSP #535930 Chung-wai Lee, Cyber Security Partner Account
More informationDetecting Lateral Movement in APTs ~Analysis Approach on Windows Event Logs~ June 17, 2016 Shingo ABE ICS security Response Group JPCERT/CC
Detecting Lateral Movement in APTs ~Analysis Approach on Windows Event Logs~ June 17, 2016 Shingo ABE ICS security Response Group JPCERT/CC Agenda Introduction to JPCERT/CC About system-wide intrusions
More informationComputers Gone Rogue. Abusing Computer Accounts to Gain Control in an Active Directory Environment. Marina Simakov & Itai Grady
Computers Gone Rogue Abusing Computer Accounts to Gain Control in an Active Directory Environment Marina Simakov & Itai Grady Motivation Credentials are a high value target for attackers No need for 0-day
More informationCOPYRIGHTED MATERIAL. Contents. Part I: The Basics in Depth 1. Chapter 1: Windows Attacks 3. Chapter 2: Conventional and Unconventional Defenses 51
Acknowledgments Introduction Part I: The Basics in Depth 1 Chapter 1: Windows Attacks 3 Attack Classes 3 Automated versus Dedicated Attacker 4 Remote versus Local 7 Types of Attacks 8 Dedicated Manual
More informationMike Pilkington. SANS Forensics and IR Summit June, 2011
Mike Pilkington SANS Forensics and IR Summit June, 2011 Since graduating from UT- for a large oil and gas services company Systems Admin, Network Admin, and Security Analyst My current role focuses on
More informationFrom Public Key to Exploitation: Exploiting the Authentication in MS-RDP [CVE ]
From Public Key to Exploitation: Exploiting the Authentication in MS-RDP [CVE-2018-0886] Eyal Karni, Preempt Research Team Contents 1. Introduction...3 2. Vulnerability...4 2.1 Issue #1...4 2.2 Toward
More informationSegmentation for Security
Segmentation for Security Do It Right Or Don t Do It At All Vidder, Inc. Segmentation for Security 1 Executive Summary During the last 30 years, enterprises have deployed large open (flat) networks to
More informationAPT Log Analysis - Tracking Attack Tools by Audit Policy and Sysmon - Shusei Tomonaga JPCERT Coordination Center
APT Log Analysis - Tracking Attack Tools by Audit Policy and Sysmon - Shusei Tomonaga JPCERT Coordination Center Self-introduction Shusei Tomonaga Analysis Center at JPCERT/CC Malware analysis, Forensics
More information10 Active Directory Misconfigurations That Lead to Total Compromise Austin, TX 201 W 5th St.
10 Active Directory Misconfigurations That Lead to Total Compromise hello@javelin-networks.com +1-888-867-5179 Austin, TX 201 W 5th St. 1. Group Policy Preferences Visible Passwords Group Policy Preferences
More informationPentesting Windows Domains
Pentesting Windows Domains Active Directory security model and weaknesses 2017-01-09 Jean MARSAULT AGENDA / 01 Introduction / 02 The Active Directory model & Windows domains / 03 Pentesting Windows domains
More informationA Process is No One: Hunting for Token Manipulation. Jared Atkinson & Robby Winchester
Jared Atkinson Robert Winchester A Process is No One: Hunting for Token Manipulation Jared Atkinson & Robby Winchester @jaredcatkinson Adversary Detection Technical Lead @ SpecterOps Developer: PowerForensics
More information10 Ways Credit Unions Get PWNED
10 Ways Credit Unions Get PWNED NASCUS 2017 Investment advisory services are offered through CliftonLarsonAllen Wealth Advisors, LLC, an SEC-registered investment advisor. Intro I am going to share with
More informationBecoming the Adversary
SESSION ID: CIN-R06 Becoming the Adversary Tyrone Erasmus Managing Security Consultant MWR InfoSecurity @metall0id /usr/bin/whoami Most public research == Android Something different today 2 Overview Introduction
More informationAttacking and Defending Active Directory July, 2017
Attacking and Defending Active Directory July, 2017 About: Adam Steed - @aboy 20 years of experience in IAM, working for financial, websites, and healthcare organizations Associate Director Protiviti Security
More informationDetecting Lateral Movement through Tracking Event Logs (Version 2)
Detecting Lateral Movement through Tracking Event Logs (Version 2) JPCERT/CC December 05, 2017 Table of Contents Detecting Lateral Movement through Tracking Event Logs (Version 2) 1. Introduction... 2
More informationPost-Exploitation with WCE v1.2
Post-Exploitation with WCE v1.2 Pass-the-Hash. Pass-the-ticket & more Date: 01-07-2011 Author: Hernan Ochoa Windows Authentication h1 = LMHash( pwd1 ) h2 = NTHash( pwd1 ) SAM
More informationSANS Hackfest. Secret Pentesting Techniques Part 2. Dave Kennedy Founder, @HackingDave
SANS Hackfest Secret Pentesting Techniques Part 2 Dave Kennedy Founder, CEO Twitter: @TrustedSec, @Binary_Defense @HackingDave David&Kennedy s&background& Founder of TrustedSec. Co-Founder and CTO Binary
More informationActive Directory Attacks and Detection
Active Directory Attacks and Detection #Whoami Working as an Information Security Executive Blog : www.akijosberryblog.wordpress.com You can follow me on Twitter: @AkiJos This talk is Based on Tim Madin
More informationIMPLEMENTING MICROSOFT CREDENTIAL GUARD FOR ISO 27001, PCI, AND FEDRAMP
IMPLEMENTING MICROSOFT CREDENTIAL GUARD FOR ISO 27001, PCI, AND FEDRAMP North America Latin America Europe 877.224.8077 info@coalfire.com coalfire.com Coalfire sm and CoalfireOne sm are registered service
More informationDeploy and Configure Microsoft LAPS. Step by step guide and useful tips
Deploy and Configure Microsoft LAPS Step by step guide and useful tips 2 Table of Contents Challenges today... 3 What is LAPS... 4 Emphasis and Tips... 5 How LAPS Work... 6 Components... 6 Prepare, Deploy
More informationPremediation. The Art of Proactive Remediation. Matthew McWhirt, Senior Manager Manfred Erjak, Principal Consultant OCTOBER 1 4, 2018 WASHINGTON, D.C.
Premediation The Art of Proactive Remediation Matthew McWhirt, Senior Manager Manfred Erjak, Principal Consultant OCTOBER 1 4, 2018 WASHINGTON, D.C. Overview Case Study Remediation Overview Premediation
More informationActive Directory Attacks and Detection Part -II
Active Directory Attacks and Detection Part -II #Whoami Working as an Information Security Executive Blog : www.akijosberryblog.wordpress.com You can follow me on Twitter: @AkiJos Key Takeaways How to
More informationRastaLabs Red Team Simulation Lab
RastaLabs Red Team Simulation Lab LAB OUTLINE Description RastaLabs is a virtual Red Team Simulation environment, designed to be attacked as a means of learning and honing your engagement skills. The focus
More informationModern Realities of Securing Active Directory & the Need for AI
Modern Realities of Securing Active Directory & the Need for AI Our Mission: Hacking Anything to Secure Everything 7 Feb 2019 Presenters: Dustin Heywood (EvilMog), Senior Managing Consultant, X-Force Red
More informationSecurity Testing. - a requirement for a secure business. ISACA DAY in SOFIA. Gabriel Mihai Tanase, Director, Cyber Services KPMG in CEE
Gabriel Mihai Tanase, Director, Cyber Services KPMG in CEE Cyber Security Services Security Testing - a requirement for a secure business ISACA DAY in SOFIA Agenda No Agenda Some minimum theory More real
More informationJoe Stocker, CISSP, MCITP, VTSP Patriot Consulting
Joe Stocker, CISSP, MCITP, VTSP Patriot Consulting Microsoft Cloud Evangelist at Patriot Consulting Principal Systems Architect with 17 Years of experience Technical certifications: MCSE, MCITP Office
More informationWhen the admin fails on security Christoph Falta ITSECX
When the admin fails on security Christoph Falta ITSECX 2012 09.11.2012 What s this all about? Point out common vulnerabilities in a windows environmnet Point out attack scenarios that leverage these vulnerabilities
More informationWindows authentication methods and pitfalls
Windows authentication methods and pitfalls hashes and protocols vulnerabilities attacks 1996-2013 - P. Veríssimo All rights reserved. Reproduction only by permission 1 EXAMPLE: Windows authentication
More informationHacking Our Way to Better Security: Lessons from a Web Application Penetration Test. Tyler Rasmussen Mercer Engineer Research Center
Hacking Our Way to Better Security: Lessons from a Web Application Penetration Test Tyler Rasmussen Mercer Engineer Research Center About Me Cybersecurity Engineering Intern @ MERC Senior IT/Cybersecurity
More informationThe SANS Institute Top 20 Critical Security Controls. Compliance Guide
The SANS Institute Top 20 Critical Security Controls Compliance Guide February 2014 The Need for a Risk-Based Approach A common factor across many recent security breaches is that the targeted enterprise
More informationPost-Exploitation Hunting with ATT&CK & Elastic
Post-Exploitation Hunting with ATT&CK & Elastic John Hubbard @SecHubb SOC Lead at GlaxoSmithKline SANS Author & Instructor SEC455: SIEM Design & Implementation SEC511: Continuous Monitoring & Security
More informationALL ROADS LEAD TO DOMAIN ADMIN BREACH TO CDE A SECTOR CONFERENCE PRESENTATION OCTOBER 2016
BREACH TO CDE ALL ROADS LEAD TO DOMAIN ADMIN A SECTOR CONFERENCE PRESENTATION OCTOBER 2016 Introduction Yannick Bedard Security Consultant Network Penetration Testing SpiderLabs, Trustwave email: ybedard.infosec@gmail.com
More informationKERBEROS PARTY TRICKS
KERBEROS PARTY TRICKS Weaponizing Kerberos Protocol Flaws Geoffrey Janjua Who is Exumbra Operations Group? Security services and consulting Specialized services: Full scope red-team testing, digital and
More informationLateral Movement Defcon 26. Walter Mauricio
Lateral Movement 101 @ Defcon 26 Walter Cuestas @wcu35745 Mauricio Velazco @mvelazco About Workshop goals Lab Environment Hands-on exercises & CTF #Whoarewe Walter Cuestas (@wcu35745) Mauricio Velazco
More informationA Taste of SANS SEC 560: Adventures in High-Value Pen Testing
All Rights Reserved 1 Network Penetration Testing and Ethical Hacking A Taste of SANS SEC 560: Adventures in High-Value Pen Testing SANS Security 560 Copyright 2015, All Rights Reserved Version 2Q15 All
More informationCyber security tips and self-assessment for business
Cyber security tips and self-assessment for business Last year one in five New Zealand SMEs experienced a cyber-attack, so it s essential to be prepared. Our friends at Deloitte have put together this
More informationManaging an Active Incident Response Case. Paul Underwood, COO
Managing an Active Incident Response Case Paul Underwood, COO 2 About Us Paul Underwood - COO Emagined Security is a leading professional services firm for Information Security, Privacy & Compliance solutions.
More informationCONTENTS IN DETAIL. FOREWORD by HD Moore ACKNOWLEDGMENTS INTRODUCTION 1 THE ABSOLUTE BASICS OF PENETRATION TESTING 1 2 METASPLOIT BASICS 7
CONTENTS IN DETAIL FOREWORD by HD Moore xiii PREFACE xvii ACKNOWLEDGMENTS xix Special Thanks... xx INTRODUCTION xxi Why Do A Penetration Test?... xxii Why Metasploit?... xxii A Brief History of Metasploit...
More informationActive Directory Attacks and Detection
Active Directory Attacks and Detection #Whoami Working as an Information Security Executive Blog : www.akijosberryblog.wordpress.com You can follow me on Twitter: @AkiJos Lab Setup AJLAB.COM: 2 Domain
More informationLive Adversary Simulation: Red and Blue Team Tactics
SESSION ID: HTA-T06 Live Adversary Simulation: Red and Blue Team Tactics James Lyne Head of R&D SANS Institute @JamesLyne Stephen Sims Security Researcher & Fellow SANS Institute @Steph3nSims Agenda 2
More informationActive Directory Attacks and Detection Part -III
Active Directory Attacks and Detection Part -III #Whoami Working as an Information Security Executive Blog : www.akijosberryblog.wordpress.com You can follow me on Twitter: @AkiJos Key Takeaways Abusing
More informationState of the. Union. (or: How not to use Krebs as an IDS ) (Information Security) Jeff McJunkin Senior Technical Analyst Counter Hack Challenges
State of the (Information Security) Union (or: How not to use Krebs as an IDS ) Jeff McJunkin Senior Technical Analyst Counter Hack Challenges My background IT Systems / Network Administrator for City
More informationThe of Passw0rds: Notes from the field
The L@m3ne55 of Passw0rds: Notes from the field Ben Williams Senior Security Consultant Previously Presented at various conferences including BlackHat and other smaller conferences in Europe Exploitable
More informationWho am I? Identity Product Group, CXP Team. Premier Field Engineer. SANS STI Student GWAPT, GCIA, GCIH, GCWN, GMOB
@markmorow Who am I? Identity Product Group, CXP Team Premier Field Engineer SANS STI Student GWAPT, GCIA, GCIH, GCWN, GMOB Under the hood: Multiple backend services and hybrid components Hybrid Components
More informationSobering statistics. The frequency and sophistication of cybersecurity attacks are getting worse.
Sobering statistics The frequency and sophistication of cybersecurity attacks are getting worse. 146 >63% $500B $3.8M The median # of days that attackers reside within a victim s network before detection
More informationEthical Hackers Perspective Things that Make a Hacker's Job Easy
WEALTH ADVISORY OUTSOURCING AUDIT, TAX, AND CONSULTING Investment advisory services are offered through CliftonLarsonAllen Wealth Advisors, LLC, an SEC-registered investment advisor Ethical Hackers Perspective
More informationPrivilege Escalation via Client Management Software
Privilege Escalation via Client Management Software November 21, 2015 November 21, 2015 Matthias Deeg BSidesVienna 0x7DF 1 Who am I? Dipl.-Inf. Matthias Deeg Expert IT Security Consultant CISSP, CISA,
More informationGetting over Ransomware - Plan your Strategy for more Advanced Threats
Getting over Ransomware - Plan your Strategy for more Advanced Threats Kaspersky Lab Hong Kong Eric Kwok General Manager Lapcom Ltd. BEYOND ANTI-VIRUS: TRUE CYBERSECURITY FROM KASPERSKY LAB 20 years ago
More informationPrecisionAccess Trusted Access Control
Data Sheet PrecisionAccess Trusted Access Control Defeats Cyber Attacks Credential Theft: Integrated MFA defeats credential theft. Server Exploitation: Server isolation defeats server exploitation. Compromised
More informationHands-On Ethical Hacking and Network Defense Chapter 6 Enumeration
Hands-On Ethical Hacking and Network Defense Chapter 6 Enumeration Updated 3-3-18 Objectives Describe the enumeration step of security testing Enumerate Microsoft OS targets Enumerate *NIX OS targets Introduction
More informationSecuring Active Directory Administration
Securing Active Directory Administration April 18, 2019 Sponsored by @BlackHatEvents / #BlackHatWebcasts Agenda On-Prem AD vs Azure AD Evolution of Administration Exploiting Typical Administration Methods
More informationthe SWIFT Customer Security
TECH BRIEF Mapping BeyondTrust Solutions to the SWIFT Customer Security Controls Framework Privileged Access Management and Vulnerability Management Table of ContentsTable of Contents... 2 Purpose of This
More informationTactics, Techniques, and Procedures
Dec 8, 2017 This report maps Cobalt Strike's actions to MITRE's Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) matrix. Command-Line Interface Command-line interfaces provide a way of interacting
More informationCS 290 Host-based Security and Malware. Christopher Kruegel
CS 290 Host-based Security and Malware Christopher Kruegel chris@cs.ucsb.edu Windows Windows > 90 % of all computers run Windows when dealing with security issues, it is important to have (some) knowledge
More information3. Apache Server Vulnerability Identification and Analysis
1. Target Identification The pentester uses netdiscover to identify the target: root@kali:~# netdiscover -r 192.168.0.0/24 Target: 192.168.0.48 (Cadmus Computer Systems) Note: the victim IP address changes
More information7 EASY ATTACKS AGAINST ACTIVE DIRECTORY
NEW TITLE: 7 EASY ATTACKS AGAINST ACTIVE DIRECTORY And How to Prevent Them Through Good Practices and a Little Group Policy ABOUT ME Kevin McBride Security Specialist at Meridian Credit Union 12 years
More informationPOST-EXPLOITATION WITH WINDOWS POWERSHELL
POST-EXPLOITATION WITH WINDOWS POWERSHELL Jerold Hoong, OSCP Associate, Singapore 27 th May 2015 ASPAC Hacknet Conference and Security Training Agenda No. CHAPTER 1 PowerShell 101 2 Exploitation Frameworks
More informationIt s Cats vs. Rats in the Attack Kill Chain! Szilard Csordas Cisco
It s Cats vs. Rats in the Attack Kill Chain! Szilard Csordas Cisco The Challenge Attackers are skilled and motivated Attackers are engineers Learn from others, reuse code or write your own Test before
More informationSecurity+ SY0-501 Study Guide Table of Contents
Security+ SY0-501 Study Guide Table of Contents Course Introduction Table of Contents About This Course About CompTIA Certifications Module 1 / Threats, Attacks, and Vulnerabilities Module 1 / Unit 1 Indicators
More informationExpert Webinar: Hacking Your Windows IT Environment
Expert Webinar: Hacking Your Windows IT Environment Presenters: Liam Cleary Microsoft MVP, Blogger helloitsliam@protonmail.com Jeff Melnick Pre-Sales Director, Netwrix Jeff.Melnick@netwrix.com www.helloitsliam.com
More informationColin Gibbens Director, Product Management
SOAR = Human Intelligence and Creativity at Speed of Machine Abhishek Narula EVP, Head of Product and Engineering Colin Gibbens Director, Product Management 1 2 What is Security Orchestration Why do I
More informationHands-On Ethical Hacking and Network Defense Chapter 6 Enumeration
Hands-On Ethical Hacking and Network Defense Chapter 6 Enumeration Modified 1-11-17 Objectives Describe the enumeration step of security testing Enumerate Microsoft OS targets Enumerate *NIX OS targets
More informationCourse overview. CompTIA Security+ Certification (Exam SY0-501) Study Guide (G635eng v107)
Overview This course is intended for those wishing to qualify with CompTIA Security+. CompTIA's Security+ Certification is a foundation-level certificate designed for IT administrators with 2 years' experience
More informationISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002
ISO 27002 COMPLIANCE GUIDE How Rapid7 Can Help You Achieve Compliance with ISO 27002 A CONTENTS Introduction 2 Detailed Controls Mapping 3 About Rapid7 8 rapid7.com ISO 27002 Compliance Guide 1 INTRODUCTION
More informationPenetration testing.
Penetration testing Penetration testing is a globally recognized security measure that can help provide assurances that a company s critical business infrastructure is protected from internal or external
More informationWho am I? Identity Product Group, CXP Team. Premier Field Engineer. SANS STI Student GWAPT, GCIA, GCIH, GCWN, GMOB
@markmorow Who am I? Identity Product Group, CXP Team Premier Field Engineer SANS STI Student GWAPT, GCIA, GCIH, GCWN, GMOB Active Directory Domain Services On-premises App Server Validate credentials
More informationHands-On Ethical Hacking and Network Defense Chapter 6 Enumeration
Hands-On Ethical Hacking and Network Defense Chapter 6 Enumeration Modified 2-22-14 Objectives Describe the enumeration step of security testing Enumerate Microsoft OS targets Enumerate NetWare OS targets
More informationHow Breaches Really Happen
How Breaches Really Happen www.10dsecurity.com About Dedicated Information Security Firm Clients Nationwide, primarily in financial industry Services Penetration Testing Social Engineering Vulnerability
More informationFactotum Sep. 24, 2007
15-412 Factotum Sep. 24, 2007 Dave Eckhardt 1 Factotum Left Out (of P9/9P Lecture) The whole authentication thing There is an auth server much like a Kerberos KDC There is an authentication file system
More informationCyberArk Privileged Threat Analytics
CyberArk Privileged Threat Analytics Table of Contents The New Security Battleground: Inside Your Network 3 Privileged account security 3 Collect the right data 4 Detect critical threats 5 Alert on critical
More informationToken Kidnapping. Cesar Cerrudo Argeniss
Token Kidnapping Cesar Cerrudo Argeniss Who am I? Argeniss Founder and CEO I have been working on security for 7 years I have found and helped to fix hundreds of vulnerabilities in software such as MS
More informationWindows Hash Reinjection Using GSECDUMP and MSVCTL By Deron Grzetich
Windows Hash Reinjection Using GSECDUMP and MSVCTL By Deron Grzetich Intro The objective of this exercise is to prove that gsecdump and msvctl actually work as prescribed. These tools can be used to reinject
More informationHacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK
Hacker Academy Ltd COURSES CATALOGUE Hacker Academy Ltd. LONDON UK TABLE OF CONTENTS Basic Level Courses... 3 1. Information Security Awareness for End Users... 3 2. Information Security Awareness for
More informationPenetration testing of corporate information systems: statistics and findings
Penetration testing of corporate information systems: 2019 Contents Introduction... 2 Executive summary... 2 Source data... 3 Overall results...4 External pentesting: results... 5 Internal pentesting:
More informationNetwork Security: Kerberos. Tuomas Aura
Network Security: Kerberos Tuomas Aura Kerberos authentication Outline Kerberos in Windows domains 2 Kerberos authentication 3 Kerberos Shared-key protocol for user login authentication Uses passwords
More informationActive directory : How to change a weak point into a leverage for security monitoring Vincent LE TOUX ENGIE France OSSIR 2017 Paris (France) April,
Active directory : How to change a weak point into a leverage for security monitoring Vincent LE TOUX ENGIE France OSSIR 2017 Paris (France) April, 11th 2017 CONTENTS Chapter 1 Why focusing on Active Directory?
More informationPractical Network Defense Labs
Practical Network Defense Labs ABOUT This document showcases my practical hands-on engagements in the elearnsecurity HERA labs environment for the Network Defense Professional certification course. I utilized
More informationPLANNING AZURE INFRASTRUCTURE SECURITY - AZURE ADMIN ACCOUNTS PROTECTION & AZURE NETWORK SECURITY
PAGE 2 IN CEE PLANNING AZURE INFRASTRUCTURE SECURITY - AZURE ADMIN ACCOUNTS PROTECTION & AZURE NETWORK SECURITY MAR 2017 IGOR SHASTITKO About Consalta Every business deserves an opportunity to grow! We
More informationCIS Top 20 #5. Controlled Use of Administrative Privileges
CIS Top 20 #5 Controlled Use of Administrative Privileges CIS CSC #5: Controlled use of administrative privileges What is a privileged Account? Why are they Dangerous? What can we do about it? How
More informationTraining: Hardening Microsoft Environments
Training: Hardening Microsoft Environments Date of the training: March 12-13,2018 in Heidelberg, Germany Book Now using the voucher code: TR18HMTSEB and save an additional 5% of the current valid rate
More informationBack to Basics: Basic CIS Controls
Back to Basics: Basic CIS Controls Chad Waddell Enterprise Consultant Center for Internet Security 2 https://www.cisecurity.org/ Non-profit organization founded in 2000 Employs closed crowdsourcing model
More informationDNS Cache Poisoning Looking at CERT VU#800113
DNS Cache Poisoning Looking at CERT VU#800113 Nadhem J. AlFardan Consulting Systems Engineer Cisco Systems ANOTHER BORING DNS ISSUE Agenda DNS Poisoning - Introduction Looking at DNS Insufficient Socket
More informationCourse Outline Topic 1: Current State Assessment, Security Operations Centers, and Security Architecture
About this Course This course will best position your organization to analyse threats and detect anomalies that could indicate cybercriminal behaviour. The payoff for this new proactive approach would
More informationCritical Hygiene for Preventing Major Breaches
SESSION ID: CXO-F02 Critical Hygiene for Preventing Major Breaches Jonathan Trull Microsoft Enterprise Cybersecurity Group @jonathantrull Tony Sager Center for Internet Security @CISecurity Mark Simos
More informationNETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS
NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities
More informationHunting Lateral Movement with Windows Events Logs. SANS Threat Hunting Summit 2018 Mauricio
Hunting Lateral Movement with Windows Events Logs SANS Threat Hunting Summit 2018 Mauricio Velazco @mvelazco $whoami Peruvian Recovering pentester, threat management lead @mvelazco Derbycon, Bsides, Defcon
More informationGlobal Information Assurance Certification Paper. Copyright SANS Institute Author Retains Full Rights
Global Information Assurance Certification Paper Copyright SANS Institute Author Retains Full Rights This paper is taken from the GIAC directory of certified professionals. Reposting is not permited without
More informationRootkits and Trojans on Your SAP Landscape
Rootkits and Trojans on Your SAP Landscape SAP Security and the Enterprise Ertunga Arsal SAP systems are the heart of many enterprises. Most critical business functions run on SAP Applications and the
More informationSecurity Architecture
Security Architecture RDX s top priority is to safeguard our customers sensitive information. Introduction RDX understands that our customers have turned over the keys to their sensitive data stores to
More informationExploiting and Defending: Common Web Application Vulnerabilities
Exploiting and Defending: Common Web Application Vulnerabilities Introduction: Steve Kosten Principal Security Consultant SANS Instructor Denver OWASP Chapter Lead Certifications CISSP, GWAPT, GSSP-Java,
More informationA GUIDE TO CYBERSECURITY METRICS YOUR VENDORS (AND YOU) SHOULD BE WATCHING
A GUIDE TO 12 CYBERSECURITY METRICS YOUR VENDORS (AND YOU) SHOULD BE WATCHING There is a major difference between perceived and actual security. Perceived security is what you believe to be in place at
More informationBreach-zilla: Lessons Learned from Large-Scale Breaches
Breach-zilla: Lessons Learned from Large-Scale Breaches Ed Skoudis v4q11r Breach-Zilla 2011, Ed Skoudis 1 $ cut -f5 -d: /etc/passwd grep -i skoudis Ed Skoudis Started infosec career at Bellcore in 1996
More informationEvolution Of The Need For IAM. Securing connections between people, applications, and networks
Evolution Of The Need For IAM December 2006 Evolution Of The Need For IAM Identity issues are nothing new Who steals my purse steals trash / But he that filches from me my good name / Robs me of that which
More informationOne Hospital s Cybersecurity Journey
MAY 11 12, 2017 SAN FRANCISCO, CA One Hospital s Cybersecurity Journey SanFrancisco.HealthPrivacyForum.com #HITprivacy Introduction Senior Director Information Systems Technology, Children s Mercy Hospital
More informationModule 1: Penetration Testing Planning and Scoping. Module 2: Basic Usage of Linux and its services
Following topics will be covered: Module 1: Penetration Testing Planning and Scoping - Types of penetration testing and ethical hacking projects - Penetration testing methodology - Limitations and benefits
More informationCSC 5930/9010 Offensive Security: Lateral Movement
CSC 5930/9010 Offensive Security: Lateral Movement Professor Henry Carter Spring 2019 Recap Symmetric vs. Asymmetric encryption techniques Authentication protocols require proving possession of a secret:
More information