
So, going back a little bit to how I got here: I am a former accountant. I picked that because it was safe; I didn't really know what I wanted to do. I think I graduated college with 170 or 180 semester hours, so it's a degree and a half if you're keeping track, and ended up joining the military. I still didn't know what I wanted to do, and when I got out of the military I got my MBA in computer information systems, ended up just walking out of a job as an accountant, and luckily got a job in help desk. I kind of learned about ethical hacking, thought it sounded sexy, and kind of pursued that. So I pretty much studied day and night, you know, got my A+, Net+, Security+, everything you were supposed to do, worked my way through certifications, and landed a job as a senior network engineer at a national lab, and then ended up being a pen tester after that. So from help desk day one to pen tester was approximately two years.

This is just one of those fields, if you're looking to get into it, where if you want to be a pen tester you just kind of have to put in the work. You've got to study, and that's really what makes the difference between somebody who wants to be in the field and somebody who is going to make it into the field: the people that are willing to put in the effort. And, you know, this is a field that changes what seems like every day; there's something new every day. So if you're willing to put in that effort, study, and keep up with the times, this is the field for you. So that's kind of how I landed from accountant into pen tester.

And so, on to this talk. We're going to be talking about internal networks, and I have another note on the next screen, but internal basically means assume compromise. You just assume that either I dropped a box in your network or I phished you; it doesn't matter, we're in your network. So it's not coming from the outside, we're already inside, and it's going to be mostly talking about Active Directory attacks, since in the Fortune 500 I think 95 percent or greater use Active Directory. So this whole talk is going to focus around Active Directory attacks.

So why this talk? Well, there's offense, defense and awareness. If you're a baby pen tester this might be good for you; if you're looking to get in the field this might be good for you; if you're a senior pen tester it's probably redundant information. But if you can learn how to leverage these attacks, then you can learn how to defend against these attacks, so we'll talk about offense and defense side by side. And it's just for general awareness, so if you're a C-level or anybody else, it's just like, hey, I know about these attacks, here's what the common ones are, and here's how we can defend against them.

Some notes before we get started. Again, internal means inside the network. This talk is based on my experience as a pen tester; your experience and your mileage may vary, so you may have a different top five than I do, and you might have different recommendations for defenses than I do. And this talk is going to have live demonstrations. I'm on, like, fun Wi-Fi, so we'll see how that goes. But please hold questions until the end if you can, and come see me afterwards; I do have stickers, or business cards if you want a pen test. But other than that, let's get started.

Number one, item number one, is LLMNR poisoning. So what is LLMNR? It stands for Link-Local Multicast Name Resolution. We use this to identify hosts when DNS fails. Previously it was done by what was called NBT-NS, so the chain would be LLMNR, then NBT-NS: if LLMNR fails, then you go down to NBT-NS. And the key flaw of this is that it uses a user's username and their NTLMv2 hash when they are properly responded to. So we're going to use a tool called Responder to respond to these requests, do a man in the middle, and we'll talk about this attack a little bit more in depth.

So let's assume here that we have a victim and a server. The victim is going to say, hey, can you connect me to this file share? And for whatever reason they typed the file share in wrong, or there's a, you know, a little share out there that's just not resolving, and the server has no idea what's going on: "this isn't working." So then the victim is going to send out a broadcast message, and it's going to say, hey, does anybody know how to connect to this? And we'll say, I do, go ahead, just send your hash my way and I'll get you connected. And then they'll send over the hash, and we'll just intercept it.

So this is what I do before I even run any Nmap scans; it's a necessary thing. I'm firing this up first thing in the morning usually, or at lunch time when people are generating a lot of traffic; this is the best time for it. But you can generate some traffic as well with your Nmap scans, so I kind of run this prior to those. So let's go ahead and we'll take a look at a live demonstration and cross our fingers that it actually works.

All right, so I've got my little cheat sheet so I don't have to sit here and type this out.

All right, so we're loading up Responder, and all we're doing here is the man in the middle. So I tell Responder to listen on this tunnel interface that I'm connected to, which is just a VPN into my network here, in case you're wondering. You can see the poisoners here: LLMNR, NBT-NS, DNS. I've got some servers running; we're just listening for any sort of events. And to nudge this along, I'm going to go ahead and just push it. So we're going to come down here and I'm just going to point a file share at myself.

Okay, and go back... and nothing's happening. Okay, so that's how the live demo works, right? We'll see if I give it a little more time whether it goes; if not, that's all right.

All right, so it's not going to work. That's fine; that's why we have backup slides.

All right, so we run Responder, we submit this as you saw, and what comes through is a hash. It looks like this. On the hash you can see that we are getting a hash from 10.0.3.7, and the person we're taking the hash from is MARVEL\fcastle. This is Frank Castle, aka the Punisher. So we grabbed this NTLMv2 hash, and now there are a couple of options we can do from here. Step one, what we're going to do is this part, and then step two you'll see later as an alternative option. So we're going to take this hash and we're going to run it offline; the hashcat mode down there is 5600 for this type of hash. I just put this to rockyou because I knew the password was weak, but you run this against a wordlist somewhere; that's how it works: try to crack the password and then see what happens. In this event, this is very, very common, by the way. It's probably one of the most common things, that we just crack these easy or weak passwords.

So here is the mitigation strategy. Now, the top part is just kind of like, you know, here's how you turn it off. The best idea is to shut off all of LLMNR and NBT-NS; because one is a failover to the other, you have to turn off both. But if you can't do that, or you refuse to do that for whatever reason, the other option is network access control. Make it a little bit more difficult, so if somebody goes and plugs into your network they don't just leave a drop box and get right on the network. The other option as well is to require strong passwords. Still, to this day, I have a pen test coming up in a couple of weeks and they're using six-character passwords at a major, major university. So honestly, 14 characters is good; even longer, the better. You're going to hear me harp on this a lot: password policies are probably one of the biggest things. But if you can, use non-common words. Like, "Mypassword123" is a long password, but it's still, you know, it's still got common words and will get cracked. I think the longest we've cracked was 19 characters, and that's because it was a Bible verse. So, like, you're not being smart, unfortunately. So the longer the better; if you can do a full sentence, like 40 characters or whatever in a full sentence, that's fine, but the longer the better. That's just a quick wrap-up on that one.

All right, so moving on. The second most common is pass the password / pass the hash. And what is this? Well, if we crack the password like we just did, we can attempt to pass it around, or if we can get onto a machine with something that we captured, then we can try to dump the SAM on a Windows machine and use those hashes for lateral movement. I'm not going to attempt any live demo here. So we can use a tool called CrackMapExec; CrackMapExec is really good here. All I'm doing is, you saw that it was in the 10.0.3 network; I'm just sweeping that whole network with that user that we found, in the domain, and the password, and you can see it's spraying across there. There's a DC that I found, it found the Punisher machine, and it found Spider-Man's machine. Well, if you look through, with a "Pwn3d!" on the right-hand side here, we own the Punisher, which we expected, and we own Spider-Man. So it means we are also an administrator on the Spider-Man machine, and now we can go over there and try to get a shell on that machine using the credentials that we just found.

So with that, we could run something like PsExec. Say we get the shell, and then we're SYSTEM on the machine. We just run hashdump, and you can see by the 500 ID that that's the administrator, and we just grab the second part of that hash there, and this turns into pass the hash. So you can use CrackMapExec, same thing: use the user fcastle, who just happened to be the admin on the machine, and then the hash of that, with --local-auth, and you pass it around. Here we didn't get anything extra out of it, but I have had pen tests where I passed the administrator password and got every single computer in the network because they were reusing that password. So if you're imaging the same password over and over and over, this is where we get you. And then you'll see some other attacks, like token impersonation and things we're going to talk about, where all we have to do is start moving laterally to these machines. Maybe this machine doesn't find anything, but maybe the next machine might have, you know, IT information or a user on it that we can leverage, or anything. It's all about moving laterally until we can move vertically. So this is kind of what pass the hash looks like.

We'll talk mitigation. So limit your account reuse: don't reuse your local administrator passwords. You can disable your guest and administrator accounts, and limit who is a local administrator. Too many, too many places let everybody be an admin on their computers and let people be admin on multiple computers, and this is kind of where we take advantage of this. Same thing, harping again on the strong passwords: if we can't get onto your machine and we can't crack a password, then, you know, it's going to be a lot more difficult life for us as a pen tester. And then lastly, PAM is out now, privileged access management, so tools like Thycotic or CyberArk, where you have a check-in/check-out function for an account. What that does is you check out the account, it rotates the password or it gives it to you for eight hours, and then it automatically checks it back in and rotates the account again. So you only have a password for a temporary amount of time, and they're storing them at fifteen to thirty characters in length depending on the sensitivity and everything else. So that's where a lot of the Fortune 500 are moving, to this PAM type of solution.

All right, so third is token impersonation. So tokens are temporary keys; you can think of them as cookies for computers. They allow you to have access without having to provide credentials each time you access a file. And there are going to be two types of tokens: there's a delegate token and there's an impersonate token. So delegate is like you remote desktop into a computer, and impersonate is not interactive, so it's like attaching your network drive. And let's see why it's bad. So we've got a user here; we've got, say, this shell, and we list the tokens, and right now you can see the getuid at the top: NT AUTHORITY\SYSTEM. And I say list tokens with this tool called incognito, which is built in, or you could load it from Meterpreter. You see here MARVEL\fcastle. We'll go ahead and just do a quick whoami, we'll impersonate the user up top and then go into a shell, and you can see that we've impersonated this user and we are now fcastle. And if we try to run Mimikatz, try to dump hashes with Mimikatz, you can see that we're getting an access denied there. That's because we're not a domain administrator. If we repeat the process and we impersonate a domain administrator, scroll through really fast, you'll see that we dump the hashes.

So this happens when, say, somebody is a domain administrator and they're remoting into computers to fix problems, or just to remote in, or, you know, you don't have that account segregation. And I've got the Kerberos ticket granting ticket account highlighted, because we use that to generate what's called a golden ticket. We generate that golden ticket, we're getting on your domain controller, it's game over. So we could dump this; this is pretty much over. So again, we'll talk mitigation here. You should really limit your user and group token creation permissions, and really what it comes down to is account tiering. Your domain administrators should only be using their domain accounts to access the domain controller and things that are important; they should not be using them for anything and everything. So you should ideally have two separate accounts: one is, like, their everyday use, and the other one is your domain administrator account. Same thing with the local admin restriction: we need administrator on the computer to actually be able to do token impersonation. You saw NT AUTHORITY\SYSTEM, so it still boils down to limiting those local admin rights to prevent this in the first place.

All right, so playing off of number one, which was LLMNR poisoning, we have something called SMB relay. So an SMB relay attack uses Responder and captures the hashes, but instead of capturing them and trying to crack them offline, we can just pass them across the network to a different machine and try to leverage a shell that way. So there are some requirements: SMB signing must be disabled, and that is disabled by default on all Windows machines except servers. So you're not going to get on the domain controller with this unless for some reason they disabled it, but you can move around really pretty easily. So if SMB signing is disabled and you can push it across, it's pretty straightforward. The relayed credentials must be an admin on the machine for you to dump hashes or do anything of use. So we could take a look. First thing here, we just make a small change to Responder, so in the configuration it should not intercept SMB or HTTP, because we're actually just going to relay these. And that's kind of what it looks like now. And then we boot up this one here, ntlmrelayx.py, which is part of Impacket; Responder is not part of Impacket, but this is part of Impacket. It's a really good toolkit for internal pen testing. So we're just booting this up, and this relay is just going to be listening for the hash to come through, and then you specify the target in your targets text file, what you want to attack. In this instance we're going to attack Spider-Man, because you saw earlier that we already had access to Spider-Man, so this is going to function. But we're just going to trigger that and then trigger an event, and then here's what happens.

Now, you see that at the top it says we're going to try to connect to .6 as MARVEL\fcastle; it succeeded, and if you look at the bottom it starts dumping the local SAM hashes for the machine. Now this is a proof of concept; you can take this a lot further, get a shell with Meterpreter, Empire, whatever, etc., and go farther than this. But just because SMB signing is disabled, we don't ever have to know the password of the account that we're intercepting. So that's the key takeaway here: because of that, we just leverage it. You could have 20, 30, 40 character passwords and we're still good with this.

So let's talk mitigation. First of all, enable SMB signing on all devices. The pro here is it completely stops the attack; the con is it can cause performance issues when you're copying files. So what I've read and heard is a fifteen percent increase in time; I've personally seen it longer than that as well. So depending, you know, you might get some people complaining, your admins pushing back on this, and that's one of the reasons there. So the other option is to disable NTLM authentication. It completely stops the attack, but if Kerberos stops working, then you have issues where you have to revert back to NTLM and you're back at the same spot you were. The other options here are account tiering, which I've been harping on, and local admin restriction, which I've been harping on. So honestly, it comes down to SMB signing and just enabling that across the network; that's the main recommendation. But if people fight back, you kind of have these other options, and these are just best practice as it goes anyway.

All right, let's talk about the last one real quick. So this is Kerberoasting. If you don't know what Kerberos is, it's an authentication method used by Windows, and they use tickets. So if you see here, one, two: basically we have a domain controller or a server, and we're going to call it a KDC, which is a key distribution center. The key distribution center is what we're going to request a ticket from, so we're going to request this TGT, the ticket granting ticket, and the server is going to say okay, we'll grant you a ticket; you've authenticated. Now, see, we have an application server down here; it could be SQL, it could be whatever you want it to be. From here, what we can do is go to the KDC and say, hey, I want this service ticket, which is called the TGS; I want the service ticket. The server says okay, I'll give you the service ticket, and while we're at it, we're going to encrypt it with the server's account hash. So they're going to call it an NTLM hash or whatever; it's not, it's a Kerberos ticket hash actually. So the Kerberos ticket hash comes through, and you take that and you're supposed to present it to the application server, and that's where it decrypts the hash and says, okay, do you have permissions or do you not have permissions to actually use this service, and then it allows you in. Well, we don't have to do five and six; we can stop at four and take the hash and try to crack it.

So we can use something out of Impacket as well called GetUserSPNs. SPN is service principal name; that's used by services. So we'll look for the SPNs using our credential that we found. So all we have to have here for this to work, and I think it said that up there... no, it didn't say: all you have to have is a valid ticket. So once you have the ticket, meaning you have a valid login with the user, here we point to the DC for our request, we make the request, and you can see we get this Hydra DC, we get a service, SQLService, and if you look over in the "member of", it's in Domain Admins. So you see service accounts all the time with improper permissions; domain admin for what reason? And here we get this big, long hash, this Kerberos hash, and if we were to take it and try to crack it, you can see that with hashcat, 13100 as the mode, MYpassword123# technically meets the 14 character requirement but is still found with just rockyou. So we could leverage this account now as a domain admin and that would be game over, or for lateral movement if it had appropriate permissions.

So mitigation strategies: strong passwords, least privilege. I'm a broken record up here, but this really, really comes down to strong passwords, least privilege, limiting users in what they can and can't do in the network. And again, this is a top 5, this is the basics; these have been around for a while. If you're a senior pen tester, and I see some of you in here, it's not new news, it's all old news. But it's still coming up, and it's still coming up because a lot of this is just common defaults in a network, right? Windows comes by standard, nobody changes it, they just install it and they let it run. You let your users have 6-character, 8-character passwords, we're going to have a field day. So I mean, that's really what it boils down to. So I've said the same four or five things across the board: you eliminate those four or five things, you make it a lot more difficult on us as pen testers. Questions?

Perfect, thank you. I've got a YouTube video of it already if you want to watch it. Now I can give [inaudible] to anybody else. Perfect, thank you guys.
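The defensive settings the speaker keeps returning to (LLMNR and NBT-NS turned off, SMB signing required, a minimum password length) can be audited on a Windows host with the PowerShell script below. It is an added example, not code from the talk or its speaker. It assumes an elevated session on the host being checked; the registry paths and cmdlets are standard Windows ones, the 14-character threshold is the speaker's recommendation, and the client-side signing check is added here because a relay needs an unsigned session on either end.

```powershell
# Added example: audit the mitigations recommended in the talk on one Windows host.
# Run in an elevated PowerShell session; the domain policy check needs the
# ActiveDirectory module and is skipped when it is not installed.

function Test-LlmnrDisabled {
    # LLMNR is off when the DNS client policy value EnableMulticast is 0.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $val = (Get-ItemProperty -Path $key -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    return ($val -eq 0)
}

function Test-NbtnsDisabled {
    # NBT-NS is off per interface when NetbiosOptions is 2 ("Disable NetBIOS over TCP/IP").
    # Every interface must be set, since the failover the talk describes only needs one listener.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    $ifaces = Get-ChildItem -Path $base -ErrorAction SilentlyContinue
    if (-not $ifaces) { return $false }
    foreach ($iface in $ifaces) {
        $opt = (Get-ItemProperty -Path $iface.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
        if ($opt -ne 2) { return $false }
    }
    return $true
}

function Test-SmbSigningRequired {
    # Both server and client should require signing; an unsigned side is still a relay path.
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration
    return ([bool]$srv.RequireSecuritySignature -and [bool]$cli.RequireSecuritySignature)
}

function Test-MinPasswordLength {
    param([int]$Minimum = 14)   # threshold taken from the speaker's recommendation
    try {
        $policy = Get-ADDefaultDomainPasswordPolicy -ErrorAction Stop
        return ($policy.MinPasswordLength -ge $Minimum)
    } catch {
        Write-Warning 'ActiveDirectory module unavailable; skipping domain password policy check.'
        return $null
    }
}

$results = [ordered]@{
    'LLMNR disabled'             = Test-LlmnrDisabled
    'NBT-NS disabled (all NICs)' = Test-NbtnsDisabled
    'SMB signing required'       = Test-SmbSigningRequired
    'Min password length >= 14'  = Test-MinPasswordLength
}

foreach ($check in $results.GetEnumerator()) {
    # $null (check skipped) falls through to SKIP; $true/$false map to PASS/FAIL.
    $status = switch ($check.Value) { $true { 'PASS' } $false { 'FAIL' } default { 'SKIP' } }
    '{0,-28} {1}' -f $check.Key, $status
}
```

Each check returns a boolean (or `$null` when it cannot run), so the same functions can be fed into a larger compliance script or run against a fleet with `Invoke-Command`. A FAIL on the first two lines means the host will still answer the broadcast the speaker describes; a FAIL on SMB signing means relayed authentication to this host would still be accepted.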