
David Young - There's No Place Like (Dual)Homed

BSides Columbus · 31:26 · 7 views · Published 2020-08
About this talk
In this talk we will venture down the yellow brick road of bypassing dual-homed systems. This will show that using dual-homed systems instead of a proper firewall is not ample protection. I will be showing how to go deep into networks in order to compromise them, with an example of how I was able to go three networks deep just by using SMB and Cobalt Strike. This presentation was featured at BSides Columbus 2020 on August 21st, 2020.
Transcript [en]

My talk is going to be over "There's No Place Like (Dual)Homed." I want to thank everybody for attending and watching. So first off, who is David E. Young Jr.? Well, I've worked in the IT industry for approximately 23 years, the last 10 or 11 years in the security industry. I have now worked in the healthcare, government, financial and utility industries. I'm a very amateur lock picker, avid gamer, PC master race; I like nerdcore rap and dubstep, and I'm into anime and Gundam models. So first off, before we get into this talk, we of course have to give the disclaimer. I'm going to read this; I do apologize for reading it directly.

The views, opinions and research expressed in this presentation are those of the researcher and do not represent any current or past employers. All questions and concerns regarding this research should be forwarded to the researcher for comment and consideration. So what are we going to talk about today? Well, we're going to discuss a little bit about what the standard definition of a dual-homed system is, why people would use a dual-homed system, talk a little bit more on "but wait, there's more," going deeper, what I discovered in mine, a little bit of a demo video that I have, and then discuss how to prevent this from happening on your network. Now, the questions: because of the way

BSides Columbus is doing the presentation format, questions will of course be available in the chat afterwards, and I will make sure to make myself available to answer any questions at that time. So let's go over a dual-homed system. The standard definition of a dual-homed system is more than one network interface. Now, generally this was put in equipment for redundancy; you'd see server-class and a lot of network-type equipment would have dual interfaces, so that if something happened to the one interface, you could easily be back up and running quickly on the second interface. Now, what's interesting with Windows and the Windows OS: when you put two network interfaces in, you can then set them up on different

subnets, so you can essentially create a kind of homemade OS-based router, or a hidden network behind that second interface, and this is a little graphic that kind of exemplifies this. Now, what was kind of funny was, way back in the i386 days (and yes, I'm dating myself a little bit there), I had a cable modem and then I had an old system that had two network interfaces. It really didn't have the router, but it was a dual-homed system where I used Internet Connection Sharing back in the Windows 95/98 days, and I bridged those across so that I could have multiple systems behind a small hub connected into that one

so that they all had internet access. Well, why would you use a dual-homed system? You know, but why? And I wondered this too. So before we dive into this a little bit more, I'm going to give you a little bit of a story. So we're on an assessment. Now, on this assessment we already kind of know the network; we work for the company, we're provided with all the information, we know kind of the ins and outs of the network at that time. We're told at one point that they do have a lab environment, and they told us that even if you find it, you'll never get into that lab

environment. Well, that was kind of mistake number one: never challenge someone going on an assessment, because they will do everything they can to figure out how to get in there. So based on this information, and we kind of knew where it was, we kind of went looking for it. So let's kind of go over why you use a dual-homed system. Now, like in the previous slide, its original concept and thought pattern was to be used for network redundancy; that was the original thought. On a Windows system, though, you can set the second interface to a different subnet, so this helps create a whole different network within a network, per se, if you want to do that. Now,

sometimes, if you're using it for a legitimate use, that other subnet could be a backup network or something like that where you're pulling backups onto that, or even remote management; iLOs are known for that. That's more at the hardware level, though, not at the OS level. Of course, with this second network interface you can then have a lab, a dev, a test environment without the additional cost of network hardware. You don't have to buy, you know, a switch and get it plugged in and go through all the processes within the company of first figuring out, you know, how are you going to purchase it, where does the money come from, then of course the process of getting it

approved. Then once it's purchased, of course, then you've got to work with your IT or networking staff to get it installed, to get it configured, that type of thing. And generally, no offense to those departments, they're all busy; everybody's, you know, extremely busy doing everything they can to do what they can, and sometimes these things fall by the wayside because they're not a priority in order to maintain the network and keep the company running. And I'm not faulting any companies; I've worked in IT and all aspects of IT and I know what it's like to be there. But sometimes these processes are what create these problems in the first place. So how do you discover a dual-homed

system? Well, first off, during your normal recon, say you are able to get onto a system. Primarily, as this is showing, it's a Windows system and we were using Cobalt Strike, so as you can see this is a Beacon, and I run ipconfig on this. Now, what's interesting is I see, okay, well, there's a 192.168.20.10; we'll say that is the expected network. But then we see a second network interface on there, and I'm like, well, what is this 10.10.50 network? What is there? And okay, so we have two different IP addresses, and 10.10.50, according to all our documentation, wasn't supposed to be any aspect of that

network, or anywhere on that network. So then, you know, the thinking is: okay, well, they have a "hidden" network, and I'm going to air-quote that, in the sense that they had a network that nobody else knew about, that they had created kind of on their own by just throwing a seven-to-ten-dollar network card into the system. So now you see you've compromised the dual-homed system. What is the new network? You see a second adapter; is there anything behind it? Now, there are various methods to use the initial device as a pivot. The most common one is to set up a proxy through it, or there are

other tools where you can install some of the tools on the compromised system and scan behind it. Now, installing tools can unfortunately trigger, you know, their AV, their IDS/IPS; it can trigger all kinds of alerts and let them know that you're there. If you're trying to be a bit stealthy, you kind of want to avoid that. You might want to make sure you "live off the land," as they say, and use some of the built-in tools within Windows if you can, in order to keep from being detected. Now, obviously, if you've already compromised the system, theoretically it should be detected, but a lot of times you're not. And then there's this thing called an SMB named pipe, which you can use.

Now, you can use the initial target as a pivot to perform a quick ping sweep. Another good one is arp -a. This kind of shows you the ARP tables and kind of reveals to you all the other systems that this target that you're on has already talked with.

So here's a quick screenshot. Once we're on that system, we run the shell, run arp -a. I can see the interface 192.168.20.10; it's talked to different addresses in the 192.168 area, okay. Then, looking at the 10.10.50 interface, I'm like, well, wait a minute, it's talked to a 10.10.50.10. So it has talked to other devices on that other side of that interface. Well, that proved to be very interesting. So how can you get to the systems behind the dual-homed one that you've initially compromised? How can you get to those other systems behind there? Now, like I said, you can use a proxy pivot. Now, in my experience of using a proxy

pivot, whilst effective, the technique can be very slow, and I personally have had issues with not being able to get all the tools you might want to use to work through that proxy pivot. So there have been some issues with that. Now, after a little bit of research and working with one of my co-workers, we found that Cobalt Strike can do something called an SMB named pipe, and we said, well, can we use this? Can we use this SMB named pipe in order to tunnel through from one interface to the other into that further network? So this is the route we decided to go with. So what is an SMB named pipe? So

named pipes are like open TCP ports, where the client can connect to a server listening on a given port. A process is registered to the named pipe, and connections to that SMB endpoint are sent to this process. So another good reason to use an SMB named pipe is on networks: if you're dealing in a network that's monitored, they have a blue team that's watching traffic. Sometimes if they see HTTP or HTTPS traffic going from one device to another device, that might raise some alarms, but SMB in a Windows environment, or if there are Windows systems in that environment, that traffic is everywhere; it's hard to really filter down. Now, a good, finely tuned blue team

will know that if SMB is talking from one endpoint device to another endpoint device, this isn't right, because generally SMB is normally talking from endpoint devices to servers. And also, a lot of the time when you use SMB, that's not blocked because of it being a Windows environment, but a lot of the other channels that you might use, whether it be TCP or HTTP or HTTPS, might be blocked if you are dealing with any firewalls in between there. Now, fortunately, in this situation there were no firewalls other than possibly what's enabled on the endpoint device that we've compromised itself, but we were fortunate and we did not run into any of that.

So, but wait, there's more. So as we compromised the initial host, and then we were able to use the SMB named pipe to get into another host inside of that 10.10.50 network, looking around on different machines in there, or, you know, finding different machines and running some ARPs, and we did do some initial ping scans to try to figure out what's on those networks, I was able to discover that there was, on the 10.10.50, another dual-homed system there, and it had, we'll say, a 172.16 address range. So it was even a different subnet. So essentially they had gone three deep in creating this

secret environment that they had running. So then the question became, well, can Cobalt Strike with the SMB named pipe drill even further in there? (And that says "pip" on the slide; I do apologize, "pipe.") Connect into those areas, essentially go three deep? So we go from the compromised host into another host within there with an SMB named pipe on that second interface on the initial compromised host, and then from that host that's dual-homed, can we use an SMB named pipe to tunnel through into that third network that we're finding? And what was really interesting is that, yes, we were able to do this. Now, here's an interesting, lovely diagram. So User A on PC Box A, now this is in a lab

environment that I set up so that we can protect the innocent of where this really happened, is the initial compromised host. We were able to get on that host, we'll say, because it was missing a patch, and then we escalated up; the star, or the red, you know, the star there represents that I have SYSTEM-level privileges on it. And then via SMB named pipe I was able to tunnel through it into Box B, and as you can see it came through as SYSTEM, because they were doing password reuse throughout these two other environments. So that made it easier; everything that I dumped off of the User A box, and from previous areas

within this assessment, I was able to reuse hashes and tie through, through the SMB named pipe, into Box B and then also into Box C.

So, going even further down the yellow brick SMB named pipe road. So I was able to go even deeper, as I said, into this third makeshift network. I was able to gain full control of all systems at each level, and then I was also able to exfiltrate sensitive data and more password hashes as I went in, because they did have a few passwords that were local only to those small workgroup networks that they had created. One of the main things, too, that popped up three levels deep was they had gone out and bought an off-the-shelf NAS system, which, you know, is something they were using for drive storage, and they were storing files there,

and unfortunately with that they had left all the default credentials on it. So I was able to log into those mini NAS, those hard drive storage systems, pull all the data off of them, and then show that I was able to compromise all the way into those systems. So we're going to get a little brave now. Now, I am not going to try this live; I'm going to use a demo video that I had created previously, because I'm not quite brave enough to do that. Let me just switch over here.

So as you can see, I'm showing that I've already compromised Box A and I've escalated (the star, as it designates here in Cobalt Strike). And at this time I don't show it in this video, but I've already done the arp -a and I've already figured out that there's another box back behind there on 10.10.50.10, via the arp -a command through a shell. So I go in, I add it in as a target. I don't put any information, because I'm not sure, you know, what type of OS this target is; I know it's Windows, but, you know, is it Windows 10, Windows 7, a server class or anything? I just put in the IP so that

I can target it via Cobalt Strike, and then I use psexec to log in, and I used a "Box A to Box B" listener that I created, which is the SMB named pipe listener that I've created and I called it "box a to box b," reusing the local administrator credentials, which unfortunately were shared throughout this environment. And I launched the attack, waited for it to come back, and then, as you can see, based on this and with this little chain linkage here, I am now tied into that system. And Cobalt Strike does an interesting thing: it sees the other interface already, the 172.16.50, and kind of gives me a hint that this

system is dual-homed also. So once I get on that system I need to interact with it, and as I'm pointing out here, change the sleep time so that I can interact a little bit quicker with it, which I just change to sleep zero. And as we're waiting for that to cycle back around,

skip ahead a little bit here. I'll still see it's talking back through the initial host that I compromised. So then I decided to say, okay, let's dump some hashes and let's run Mimikatz on this and pull anything we can, and there are cleartexts on this. And also, looking at the credentials tab, I notice that the hashes are the same for the administrator from both sides, and this is all that I pulled off of Box B. Now, based off of that, and seeing, okay, now I'm going to do this ipconfig on the box, and I'm like, oh, well, wait a minute, this system has two network interfaces, so can I go even deeper? So I'm going to do

an arp -a, and I can say, oh, well, it's .50.5 but it's been talking to .50.10. Well, can I target that .50.10 and create another connection and essentially go 3D? Now, unfortunately, I've kind of spoiled this in showing that, yes, you can. So I add the target; I put it as unknown, as I said, because I'm not sure what the system is. So I've got the target set up and I'm going to say, okay, let's use the Box B administrator password, but let's take out the domain because it's actually a workgroup. And I forgot, I need to create the named pipe listener, so let's add it. So this is going to be,

as I call it, "box b to box c." It's going to be an SMB named pipe one; there we go. But the host is going to be the second interface in Box B, which is 172.16.50.10. And unfortunately, when you click away, your pop-up drops away and you have to start all over from the beginning. So I enter in the information: in the drop-down I select SMB named pipe, I set it to 172.16.50.5, which is where I want Box C to talk into Box B, and hopefully that talks back. All right, I select a port for it, and then now I'm going to say, okay, well,

let's psexec into that box using the Box B administrator credentials, which, if you look, the hashes are the same.

And I'm going to choose the session that's on Box B already. I'm going to launch that, and we've got to wait for it now. It does get a little laggy, but as you can see now (let's pause that), I now have SYSTEM-level access on 172.16.50.5... 50.10, sorry, through 172.16.50.5. So essentially now, as you can see with the little chain links there, Cobalt Strike shows I have access three networks deep, all because they used dual-homed systems here.

So hit play, and of course at that time I'm going to interact with that system, then I'm going to change it to sleep zero so it interacts as fast, dump some more hashes, also run Mimikatz on it. I also did some more exploring, but for this example, for the talk, I just kind of show getting the target and also getting the credentials off of it at the time. And as I show there, I have now landed on 172.16.50.10. Now, Cobalt Strike has this interesting visualization, which I'll show again, the pivot graph, and this is what I showed before in my slide deck, and I kind of move it around here to

give you a better view. So essentially I am daisy-chained from Box A through an SMB named pipe into Box B, through two interfaces there, through an SMB named pipe into Box C.

So that's essentially how we were able to get three deep into this network and find this hidden lab/dev network that they had set up and told us that we would never find and never be able to get into. Well, at this point in time, of course, like I said, I found the little off-the-shelf home NAS that they had put in there. I had exfiltrated, of course, all the passwords from these local networks, the workgroups that they were using. I also exfiltrated all the config files; this was mainly for config files and different system files for setting up some very secure network areas, and we were able to show that

we were able to gather that information, and what we could have done, you know, as a malicious actor, is we could have reviewed those config files, altered them some way to get some type of persistence, put them back in place, and they would have never known that we were there. So what if we don't have Cobalt Strike? And this is kind of the issue I'm running into now, because I'm at a new company and I don't have access to Cobalt Strike. There has been an SMB named pipe added to Metasploit, but I've tried several times, and I still continue to work on it; I was only able to go, we'll say, from Box

A to Box B. I can't seem to get it to go from Box B to Box C and talk all the way back to Box A, which talks to me. I just haven't been able to work it out. I'm hoping somebody else would be willing to help me out with this, or if they see this talk and they have got it working in this type of method, they can let me know, because I would love to be able to provide a way that users can see this and work on this and use this if they don't have the option of a Cobalt Strike license, even though I hope one day to

go back to using Cobalt Strike, and Cobalt Strike is a wonderful tool. But, you know, there has to be, either via Metasploit, or if they know some other C2 software out there that uses SMB named pipes that possibly can do this, that's open source and free, that we can possibly use here. I link the reference material: the blog from Cobalt Strike on SMB help, on SMB Beacon, and also on named pipe pivoting, and then also the article that I used for that, which says it's SMB named pipe pivoting on Meterpreter. I think Meterpreter works if you're named pipe pivoting and you're all on the same network, you're not hopping through from one

interface to another interface. I imagine it works really well if you're hopping from machine to machine via SMB named pipe, which I can see advantages to in a network if you're also wanting to be a little stealthy; you're wanting to hide your traffic, you don't want to be noticed. If you're using SMB traffic, again, like I've said previously, this would prevent you from being spotted as easily versus doing, you know, HTTP or HTTPS traffic from PC to PC. So, yeah, if you could go ahead and fix your broken stuff, that would be great. So, some of the mitigations. So the biggest one that came out of this, after we did our out-briefing on this, was: really

look at your policies and procedures. It was kind of interesting that the biggest problem was that they needed a lab/dev environment, but they ran into issues with budgeting and knowing how to get the equipment ordered, get it installed, get it set up properly. That was the biggest thing that we heard: "Yeah, we get that, we understand that we shouldn't have done that, but the problem is we needed this dev environment; we thought this was the most secure way that we could set it up on our own." And that's what happens: users need something done, they are going to find a way to do it. Another big thing is, of course, if you do

set it up properly, use proper network segmentation with firewalls. Consider two-factor authentication, especially if it's highly sensitive data behind those areas. And, you know, I'm a fan of: if it's really, really highly sensitive, it should have a true air gap. Yeah, you have to come up with a procedure or policy or way to move the data from inside that air-gapped network onto your regular network, so it's a matter of, you know, which way do you want to work with that. Also, user education. You know, I don't want to beat up on the user; that's why it's kind of at the bottom of my list here, because... account...

I apologize for that; my microphone died, so I had to switch batteries. User education: I was saying password reviews; also let them know that setting up home-brewed networks, bringing in equipment that's not authorized or not approved, does not provide adequate security, does open things up, and causes more problems than they might know. Also, consistent hardware inventory of your environment: catching when you notice that, for some odd reason, John's PC now has two network cards. Why does it have two network cards? That's not what we issue out as standard; how did that happen? So, you know, keeping a good inventory of your systems and keeping track of that is really important.

So, questions. I'm going to leave this up here for only a second. I will be in the chat, available to answer any questions anybody has once they watch this talk. I will put up my information; that is my Twitter account if you wish to contact me that way, or my email, and, you know, I'm not afraid of any spam, because Gmail does have some decent filters, so I'm not too worried about that. So I do want to thank BSides; I really want to thank BSides. I did have an emergency pop up and I did have to record this video a little bit later than the deadline, and I appreciate them giving me the opportunity

to go ahead and record it at this time, when I've got it done, and get it to them, and I do appreciate them accepting me to talk at BSides. I really do enjoy BSides, and I do hope to be able to shake hands and see people next year face to face. But, you know, it is what it is, with the whole world and how everything's going on right now, so hopefully that's all cleared up by next year and we can all see each other face to face then. Again, I want to thank everybody for watching my talk and attending. I want to thank BSides Columbus and everybody. I hope you have a good day.

Thank you.
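Editor's note. The recon the talk describes (ipconfig to notice a second adapter, arp -a to see who that adapter has already talked to) is the same evidence both sides need: the operator choosing the next hop, and the inventory owner catching "John's PC now has two network cards." The script below is an added example, not code from the talk, from the speaker, or from Cobalt Strike, and it does not perform the SMB named pipe pivot itself; it only parses captured `ipconfig` and `arp -a` text. Everything in it beyond the talk's addresses (192.168.20.10, 10.10.50.10, 172.16.50.5, 172.16.50.10) is an assumption: Box A's second address 10.10.50.5, the MAC addresses, the adapter names, and the "documented" subnet list standing in for the network documentation the speaker mentions.

```python
"""Spot dual-homed Windows hosts from ipconfig / arp -a text and walk the pivot chain.
Editor-added example (not from the talk or Cobalt Strike); samples are constructed around the talk's addresses."""
import ipaddress
import re

ADAPTER_RE = re.compile(r"^\S.* adapter (.+):$")
IPV4_RE = re.compile(r"IPv4 Address[ .]*: (\d+(?:\.\d+){3})")
MASK_RE = re.compile(r"Subnet Mask[ .]*: (\d+(?:\.\d+){3})")
ARP_IF_RE = re.compile(r"^Interface: (\d+(?:\.\d+){3}) --- 0x[0-9a-fA-F]+")
ARP_ROW_RE = re.compile(r"^\s+(\d+(?:\.\d+){3})\s+\S+\s+(dynamic|static)")

DOCUMENTED = [ipaddress.ip_network("192.168.20.0/24")]  # what the network docs admit to (assumed)
HOSTS = {  # name -> (ipconfig output, arp -a output); constructed for the talk's three boxes
    "Box A": ("""Ethernet adapter Ethernet0:
   IPv4 Address. . . . . . . . . . . : 192.168.20.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
Ethernet adapter Ethernet1:
   IPv4 Address. . . . . . . . . . . : 10.10.50.5
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
""", """Interface: 192.168.20.10 --- 0x4
  192.168.20.1          00-11-22-33-44-01     dynamic
  192.168.20.255        ff-ff-ff-ff-ff-ff     static
Interface: 10.10.50.5 --- 0x7
  10.10.50.10           00-11-22-33-44-10     dynamic
"""),
    "Box B": ("""Ethernet adapter Ethernet0:
   IPv4 Address. . . . . . . . . . . : 10.10.50.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
Ethernet adapter Ethernet1:
   IPv4 Address. . . . . . . . . . . : 172.16.50.5
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
""", """Interface: 10.10.50.10 --- 0x4
  10.10.50.5            00-11-22-33-44-05     dynamic
Interface: 172.16.50.5 --- 0x7
  172.16.50.10          00-11-22-33-44-11     dynamic
"""),
    "Box C": ("""Ethernet adapter Ethernet0:
   IPv4 Address. . . . . . . . . . . : 172.16.50.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
""", """Interface: 172.16.50.10 --- 0x4
  172.16.50.5           00-11-22-33-44-05     dynamic
"""),
}


def parse_ipconfig(text):
    """Return [(adapter name, IPv4Interface)] for every adapter carrying an IPv4 address."""
    result, adapter, ip = [], None, None
    for line in text.splitlines():
        if m := ADAPTER_RE.match(line):
            adapter, ip = m.group(1), None
        elif m := IPV4_RE.search(line):
            ip = m.group(1)
        elif (m := MASK_RE.search(line)) and ip:
            result.append((adapter, ipaddress.ip_interface(f"{ip}/{m.group(1)}")))
            ip = None
    return result


def parse_arp(text):
    """Return {interface ip: [dynamic neighbours]}; static rows (broadcast, multicast) are noise."""
    table, current = {}, None
    for line in text.splitlines():
        if m := ARP_IF_RE.match(line):
            current = m.group(1)
            table[current] = []
        elif current and (m := ARP_ROW_RE.match(line)) and m.group(2) == "dynamic":
            table[current].append(m.group(1))
    return table


def is_dual_homed(ipconfig_text):
    """The inventory check from the talk's mitigations: addresses on more than one subnet."""
    return len({iface.network for _, iface in parse_ipconfig(ipconfig_text)}) > 1


def undocumented_interfaces(ipconfig_text, arp_text, documented):
    """Interfaces on subnets the documentation does not cover, with the hosts they have ARPed."""
    arp = parse_arp(arp_text)
    return [(adapter, str(iface.network), arp.get(str(iface.ip), []))
            for adapter, iface in parse_ipconfig(ipconfig_text)
            if not any(iface.network.subnet_of(net) for net in documented)]


def pivot_chain(hosts, start, documented):
    """Hop along undocumented interfaces to neighbours we have output for (Box A -> B -> C)."""
    owner = {str(iface.ip): name for name, (ipc, _) in hosts.items()
             for _, iface in parse_ipconfig(ipc)}
    chain, name = [], start
    while name is not None:
        chain.append(name)
        ipc, arp = hosts[name]
        hops = [owner[n] for _, _, neigh in undocumented_interfaces(ipc, arp, documented)
                for n in neigh if n in owner and owner[n] not in chain]
        name = hops[0] if hops else None
    return chain


if __name__ == "__main__":
    for name, (ipc, arp) in HOSTS.items():
        print(name, is_dual_homed(ipc), undocumented_interfaces(ipc, arp, DOCUMENTED))
    print(" -> ".join(pivot_chain(HOSTS, "Box A", DOCUMENTED)))
```

On a real engagement the two strings per host are whatever `ipconfig` and `arp -a` returned through the beacon shell; for the defensive use, feed the same commands' output from an inventory agent and alert on any host where `is_dual_homed` is true or `undocumented_interfaces` is non-empty, which is exactly the "why does John's PC have two network cards" question the talk ends on. Only dynamic ARP rows are kept, because the broadcast and multicast entries say nothing about who the host has actually spoken to.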