Bojan Ždrnja, CISSP, GCIA, GCIH, GWAPT INFIGO IS

Transcription

1 Laterally pwning Windows Bojan Ždrnja, CISSP, GCIA, GCIH, GWAPT INFIGO IS

2 Who am I? Senior information security consultant at INFIGO IS Penetration testing (all sorts), IT/Security consulting, Splunk implementations Various duties at SANS Internet Storm Center Handler Mostly known for reverse engineering malware SANS GREM (GIAC Reverse Engineering Malware) course co-author SEC 504/542 instructor Previously Team Cymru Dragon Research Group member University of Auckland honorary researcher

3 About INFIGO IS Offices HQ Zagreb, Croatia Web: Subsidiaries: Skopje, Macedonia Sarajevo, Bosnia and Herzegovina Tirana, Albania Business lines Compliance consulting Security assessments Penetration testing, strongest team in the region! Security solutions IPS, SIEM, NMS etc. Strong security professionals team 15+ SANS, ISC2, ISACA cert. professionals

4 Agenda Preface Background story about this presentation Cases from the real world Finding the weakest link Pivoting and lateral movement on Windows infrastructure Defense mechanisms If any?

5 Preface Content of this presentation should be well known to security people There is always something you can learn, though Vulnerable infrastructure found in almost every (internal) penetration test Often dismissed by security personnel as a non-issue Really, is it a problem if you still have Windows 2003 or Windows XP machines? There are really no publicly/easily available RCE exploits The answer to the question above is YES!

6 Preface It all starts with a normal internal penetration test

7 Preface And this is the result Only 4 Windows 2003 servers in the whole network (out of 400 servers) Is it something we can ignore? CVSS V2 score certainly says yes.

8 Analyzing a typical attack these days So, let us analyze typical attack steps these days The attacker usually uses social engineering attack vectors to entice user to perform an action Execute attachment in an No matter how difficult it might be, really Or visit a web site that will serve an exploit Yay for Java and Flash So now the attacker is running in the context of the user

9 Where is the attacker currently? Domain controllers Member servers User workstations

10 Lateral movement In order to pivot the attacker first needs to become a local administrator Still think Windows XP and 2003 are not a problem? No? Good Yes? Ok, wait a couple of slides Privilege escalation on Windows is not as difficult as on other Oses Microsoft tends to underestimate local privilege escalation vulnerabilities Patched here and there Users running as administrators Maybe already started our executable with administrator privileges?

11 Lateral movement Wait, we have Windows 7 with UAC Exploiting UAC is not too difficult Writing to secure location Exploiting DLL high jacking vulnerability Some prerequisites are required A medium integrity process User must be in an administrators group Writing to secure location IFileOperation COM Object Usually injected into Explorer.exe Using Windows Update Standalone Installer (wusa.exe)

12 Lateral movement Now the attacker is ready for token stealing Usually performed with tools such as WCE or Mimikatz Mimikatz is the preferred tool Integrated with Metasploit Can be executed purely from memory through meterpreter Or even stealthier? PowerSploit Collection of PowerShell modules for penetration testing Supports Mimikatz Reflectively loads Mimikatz in memory using PowerShell

13 Lateral movement Maybe we do not even need tokens? What happens on a Windows XP or 2003 server

14 Lateral movement Ok, hopefully you will agree with me that Windows XP and 2003 should be upgraded ASAP Now that we have taken care of that, we can continue pivoting While passwords are nice, we actually do not need them Pass-the-hash attacks We want password hashes Ok we can easily generate them, NT hashes are simply MD4 hashes of password without salting

15 Abusing NTLMv2 Why this works? NTLM is calculated using purely a user s password NT hash CS = random 8 byte challenge, server CC = random 8 byte challenge, client CC* = (X, time, CC, domain name) V2-Hash = HMAC-MD5(NT Hash, username, domain name) LMv2 = HMAC-MD5(V2-Hash, CS, CC) NTv2 = HMAC-MD5(V2-Hash, CS, CC*) Reponse = LMv2 CC NTv2 CC*

16 Lateral movement So now the attacker has a user s token Local network scan will identify all other machines/services reachable from the initially compromised workstation Pivoting commences The attacker can access any resource this user has access to If he is after your intellectual property, this might be enough For the sake of our story, we want to completely compromise the company If the user is admin elsewhere, the attacker is lucky

17 Lateral movement Execute process on another host How do we do that? Simply, copy the executable and execute it Well, it s not that simple really, but it s not complex either 4 main methods for remotely executing code Using WMIC

18 Lateral movement Using the AT command Does not work with Windows 8 (deprecated) at \\host HH:MM c:\windows\system32\calc.exe Using the SCHTASKS command Works on Windows 8 schtasks /create /tn INFOSEK /tr c:\windows\system32\calc.exe /sc once /st 00:00 /S host /RU System schtasks /run /tn INFOSEK /S host Do not forget to clean up the task chtasks /F /delete /tn INFOSEK /S host

19 Lateral movement Using the SC command sc \\host create INFOSEK binpath= c:\windows\system32\calc.exe sc \\host start INFOSEK Again, do not forget to clean up sc \\host delete INFOSEK What does the attacker want to start? Well, anything that will give the control back to him Might want to relay through the original host Careful attackers will try to leave as little artefacts as possible

20 Rinse and repeat Domain controllers Member servers User workstations

21 Lateral movement The attacker repeats the process On every machine runs Mimikatz Dumps all user hashes The main goal: get a domain administrator s hash We basically just need to find a machine where the domain admin logged in Usually via RDP His hash will remain in memory Some caveats apply here Mimikatz will dump it and this is game over

22 Rinse and repeat Domain controllers Member servers User workstations

23 Keys to the kingdom Once the Domain Controller gets compromised it is really game over Attacker can dump KRBTGT hash This allows creation of so-called Golden Tickets The attacker can impersonate absolutely anything Since everyone trusts whatever the DC tells them In the process the attacker can dump service passwords from compromised servers Allows creation of so-called Silver Tickets Tickets for services And all this happened because of a single Windows XP machine??? true story

24 Defense mechanisms Preventing such attacks is unfortunately not easy Well, the first step is: Get rid of Windows XP and Windows 2003 Plan upgrades to Windows 8.1 and Windows 2012 R2 as soon as possible Some best practice recommendations Create unique local account passwords Must not use same local administrator passwords on all workstations Be careful when creating golden images Same passwords allow an attacker to compromise every single workstation just by dumping hashes from a single (!) compromised workstation

25 Defense mechanisms Some best practice recommendations Deny local accounts from network logons Only domain accounts should be able to perform network logons This will prevent pass-the-hash attacks with locally dumped hashes When a password is same on multiple systems Restrict lateral movement with firewall rules Use firewalls between different VLAN s Prevents communication between workstations Do not use domain administrator accounts for RDP Implement different privilege levels Do not allow access from higher privilege level to a lower privilege level

26 Defense mechanisms With Windows 8.1 Microsoft added security features that prevent clear text password dumps But they can be changed by modifying a registry key So if the attacker has access to the machine, they can do all sorts of registry tweaking and wait Time is on their side Some Windows 8.1 and 2012 R2 features restrictedadmin RDP feature Reusable credentials will not be sent in plaintext during authentication and the target machine will not cache any reusable credentials

27 Defense mechanisms Some Windows 8.1 and 2012 R2 features Faster clearing credentials from memory After a logout, credentials will stay in memory for maximum of 5 minutes Watch out for usage of the runas command Protected users group New domain global group Requires functional level of Windows 2012 R2 Forbids NTLM, must use Kerberos Windows Digest is not cached Kerberos TGTs are valid 4 hours (instead of 10) Finally monitor your logs Attackers make mistakes, by monitoring anomalies they can be spotted!

28 Q & A

29 Thank you for your attention!