
So, Heath "The Cyber Mentor" Adams is a senior security engineer and founder of TCM Security. He has a strong background in network administration and information security, including penetration testing, network design and implementation, and network security. Heath currently holds multiple cybersecurity-related certifications, including the OSCP, the OSWP and the eWPT. Heath also proudly served as an officer in the Army Reserve. Outside of work he is an online cybersecurity instructor, YouTuber and Twitch livestreamer. When Heath is not at work, he enjoys spending time with his wife Amber and their four animal children. So here we have the top five ways I own your internal network. [Applause]
Hi everybody. So today we're talking about the top five ways I owned your internal network. Really quick, who am I? So you already kind of got the introduction, she covered a lot of it, but I am a husband and hacker, military vet, I enjoy gaming (Overwatch mostly), sports fan and animal dad. We're actually up to five animals now; we're close to the limit in the city, so don't tell them. Former accountant; joined security not too long ago, about three years ago. Really hated accounting and made the switch over. So day to day, senior security engineer and business owner at TCM Security, and I do run a couple of projects. One is VeteranSec. If anybody in here is a military veteran, we have a nonprofit organization. Basically it is for anybody that is current or former military, it doesn't matter the country, that is interested in cybersecurity or works in cybersecurity, and there are close to a thousand of us now in that group. So we just, you know, help each other out: we do resume reviews, or just networking, help each other find jobs, etc. So if you're interested in that project, veteransec.com. The other project that I do is called The Cyber Mentor. So I am a YouTuber mainly, I do Twitch streaming, and I just make cybersecurity videos, usually related to ethical hacking or penetration testing. So if you are interested, there is some material in there; if you're interested in becoming an ethical hacker, there's a lot of material in there. Other than that, I do blog over at veteransec.com occasionally, I write on tcm-sec.com, and you can find me pretty much on Twitch, YouTube, Twitter, Instagram, wherever, at The Cyber Mentor.

Okay, so briefly, why this talk? So there are a couple of reasons. Offensively, we want to know how we can leverage these attacks inside of a network. Defensively, we're going to talk about how we can defend against these attacks, at least talk strategies. And this is also for awareness: many of you might not have heard of these attacks at all, so how can we attack or defend if you don't know about it? Just bringing awareness to some of these topics.

Quick notes. So this is talking about internal networks. Internal network assumes breach. So when we do a pen test on an internal network, that means that either we were doing an external test and already got in, we left a drop box, we social engineered, doesn't matter, we're inside the network. So when we talk about internals, we're just inside the network. This talk is based on my experience as a pen tester; your mileage may vary. If you are a pen tester here, you might think that your top five is way different than mine. So in my career as a pen tester, this has been my top five. And the only thing I ask for is that you please just hold questions till the end; that way we can get through it. I was gonna do a live demo today; we've been having issues with live demos, so I've got everything in the slides as well, so we should have plenty of time if there's questions, or there's plenty of time afterwards, I'll be available to talk afterwards if you want to. Plus I've got stickers.

Okay, so the first one is what's known as LLMNR, that's Link-Local Multicast Name Resolution. So basically what it is: it's used to identify hosts in a network when DNS fails to do so. This was previously known as NBT-NS, and the key flaw here is that the service utilizes a user's username and their NTLMv2 hash when appropriately responded to. So we're gonna use a tool called Responder to respond to these requests. So before we get into the attack, let's talk about how it kind of works. So we have a victim, and the victim here is trying to connect to a share. Let's just say the share is called hackme, for whatever reason. They try to connect to the share and they put in hackme, and it doesn't know how to resolve it; the server doesn't know what it's talking about. So what's gonna happen is the victim is gonna send out a broadcast message over the whole network, and it's gonna say, hey, does anybody know how to connect to this hackme? And as the hacker sitting in the middle, we're gonna say, yeah, I do, just go ahead and send me your hash and I'll get you connected over there. And the victim is just gonna say, here you go, here's my hash.

So what that looks like is we're gonna boot up a tool called Responder. Now Responder is part of Impacket, so there's an Impacket toolkit, if you've never used it. It does come built in to Kali; the GitHub version I think is better, so I would recommend, if you're interested in running these tools or practicing in a home lab, the GitHub version is a little bit better. So we run Responder here and we are just sitting here listening for events, and then we trigger an event. So here again is that network access error, trying to connect to a share that doesn't exist, and when that happens in the network, all of a sudden a hash comes through. So we can see information here already: the hash type is the NTLMv2 hash, it came over SMB version 2, and we identified the IP address that it came from, we identify the domain, which is MARVEL, and we identify fcastle as the user, and then on top of that we get the user's hash credentials. So depending on the security of their password, the complexity and length of their password, we might be able to actually crack this. So we could take this hash offline, run it through something like John or hashcat, and we try to crack it. And when you see a weak password like this, like Password1, we're gonna get it all day. So this is still very common in networks where the password policies are like 6, 8, even 10 characters. We get these hashes, we take them offline and we crack them, and then we use that to move laterally in networks. So this is probably one of the first things I'll do. When I'm doing a pen test, I will usually boot up Responder as one of the first things. A good time to do it is like 8:00 in the morning or right after people are getting back from lunch, because you need a lot of traffic in the network for this to actually be successful; so overnight, usually not the best idea. So we'll run this, we might run scanning or different types of, you know, scans of the network to generate some traffic and maybe get this moving.

But let's talk about defenses really quick. And this first one, this LLMNR poisoning, is going to come back into play here in a few minutes as well with another attack. So the best resolution here is to disable LLMNR and NBT-NS. If you just disable LLMNR, then NBT-NS takes over and you've got the same kind of issue. If there is a reason that a company does not disable this, or cannot disable this, then we would recommend to use network access control, so an attacker can't, you know, just easily plug in a device and get access to your network. And also the thing that really blocks this attack is to have strong, unique passwords. You're gonna see later in one of the attacks we have a 14-character password that gets cracked, and I think the longest I've cracked is a 19-character password, which was a Bible verse. So it really is more of not using common words, with a combination of length and a combination of complexity, so not just length in the policy, is really big. And you're gonna see that as a common theme, and as an attacker, bad passwords are what's gonna get us around the network more often than anything else.

Okay, so the second one is called pass the password or pass the hash. So if we crack a password like we just did, or we can dump SAM hashes on a machine, then we can leverage both of those for lateral movement, and we can use a tool called CrackMapExec to do that. So CrackMapExec just takes, if you see here, the username of Frank Castle, the domain of MARVEL, and then the password that we cracked, and all we do is we sweep that subnet that we're in, and you can see that it found not only the Punisher, which was at .7, it found Spider-Man over at .6 as well. So this user has local admin rights on this machine, and from here, I mean, we can use something like psexec to get onto the machine, we can use CrackMapExec with a switch of --sam to dump the SAM hashes off of this machine as well. So just being able to pass this password around is super critical. I had an assessment two weeks ago that was using CyberArk. So if you don't know CyberArk, it's a privileged access management tool; basically it is a password rotation tool. They utilize complex passwords; you log in as a user, and then in order to get your account, you'll check out an account, that password's good for like eight hours, then you check the account back in, that password rotates. So cracking those passwords via LLMNR is very, very difficult to do. But we were able to do one of the other attacks that you'll see here in a minute, which is called SMB relay, get onto a machine and dump the hashes. One of the hashes was a tech support user; didn't have to crack the password, I just passed it around and got into every single machine in the network. So password reuse like this is very common, especially at the local level, and that was a company that spent millions of dollars on cybersecurity, and we owned the domain controller without ever touching a domain account, ever compromising a domain account. So super, super critical to care about not only your domain passwords but also your local passwords. Here, same thing with the local hashes. Again, you don't have to have a password. So if we just grab the hash here and we put it into CrackMapExec, we can try to pass it around. In this instance this local account wasn't reused, so we only pwned the same machine that we had before, but again, this is a situation where we would use this tool and try to get multiple machines in the network and just get lateral movement, because you never know what you're gonna find on the next machine.

Okay, so this is hard to completely prevent, but we can make it a lot more difficult. So: limiting account reuse, so avoid reusing local admin passwords, randomizing the local admin passwords; disable your guest accounts, disable your admin accounts; limit who is the local administrator. I know everybody in the network wants to be a local admin, but they don't need to be a local admin. On top of this, utilizing strong passwords; again, this is a theme that you're gonna see come through over and over again. The longer the better: a long sentence, like a 40-character sentence, perfect, never gonna get cracked. And then again, privileged access management can help prevent some of this pass the hash, pass the password attack. So a tool like CyberArk or a tool like Thycotic can really, really help improve your security overall when it comes to this attack.

Okay, so the next one is token impersonation. So what are tokens? They're just temporary keys on a machine; you could think of them like a cookie for a machine, essentially. And there are two types of tokens that you see. So one is called a delegate, which, if you logged into that machine or used Remote Desktop to log into that machine, you're gonna leave behind a delegate token. The other one is impersonate. So this is non-interactive. So delegate you can think of as interactive, impersonate you can think of as non-interactive, and basically that is like attaching a network drive, having a domain logon script, etc. So what happens is, say you're using your computer, but for whatever reason a domain admin remotes into that desktop, or helpdesk remotes into that desktop and they've got domain admin privileges, they're leaving behind this token until the computer is restarted. So let's see why it's bad. So here is the user; you see we've got NT AUTHORITY\SYSTEM here, so we own the system, but we can actually impersonate this MARVEL\fcastle. This is the machine we owned, he's actively logged in, we can impersonate him and act as if we are a user on the domain. So when we impersonate this token here, you see up at the top we initialize a shell, and then we do a whoami, and you see now that we are MARVEL\fcastle, Frank Castle, come through, and we try to run a Mimikatz command here; this is a PowerShell version of Mimikatz, and basically what we're trying to do is access the domain controller and dump the NTDS or the LSA and get all the passwords, or at least the hashes, and take those offline and either utilize them or try to crack them, etc. So here we have access denied, because this user is not a domain administrator. However, if the domain admin was available, we can repeat the process, and you see that MARVEL\Administrator is actually here. We impersonate Administrator, we say whoami again, now we are MARVEL\Administrator, we run the same command over again, and we dump all the hashes. So once we own the Kerberos ticket granting ticket hash, we own your domain; we can do a golden ticket attack and pretty much log in to any machine we want. Once we take these hashes, also, we will take these hashes offline and try to crack them. We do this because this will give us an idea of what your password policy was and how strong your passwords are. So if we're cracking 30% or 50% of your passwords, we can bring that back and give you statistics and say, hey, like, this is really bad, this is something that you need to focus on, and actually have some data to back it up.

So mitigation strategies: limit your user group token creation permissions. The mitigation strategies are kind of difficult; it's hard to prevent fully. Another thing is account tiering. So say you have Bob, and Bob's a domain administrator. Have Bob have a local or a regular domain user account, and then maybe a bob-a for a domain administrator, and bob-a only logs into the domain controller. You know, you're not using that domain admin account anywhere else in the network other than domain controllers. This will prevent us from ever being able to compromise an account with token impersonation, at least one that is sensitive enough to do anything incredibly damaging. And again, local admin restriction: we're not able to run this attack if we can't be on the machine. So if we can't, like, psexec or use something to get a local admin account and actually gain a shell on the machine, this isn't gonna happen anyways. So it's all a common theme here, and it's just gonna keep repeating itself, and it's just these really common things that can take down major networks.

All right, so when I told you guys earlier that Responder comes back into play, this is where it comes back into play, and this is called SMB relay. So basically, instead of capturing the hashes and taking them offline and trying to crack them, what we can do is pass that hash over in what's called a relay attack, and we can try to gain access to a machine with that account. Now the account that's being relayed has to be an admin on the machine for it to be any sort of useful information that we're gonna gather. The other thing, the big thing here, is that SMB signing has to be disabled. Now that's useful because SMB signing is disabled on all regular Windows operating systems; only the servers come with SMB signing enabled. So unless an administrator has already gone in here and done this, this could be an attack that easily gets us onto other machines. So again, the relayed credential has to be not only a credential that's coming from a different machine, but it has to be an administrator on that machine as well. So if we've got administrators in the network on multiple machines, this is where things can get bad. So one thing that we do is we turn off the SMB and HTTP capturing, because we're actually just gonna relay this. We take this off of Responder, and it just kind of looks like this: instead of where it was all green, now it kind of looks like a little bit of a Christmas tree, it's got some red, some green, just saying that it's off. And we boot up another tool, which is called ntlmrelayx. The other tool that we could use here is SMBRelay; both kind of do similar things. Here we're selecting a target file, so we'll put in the targets that we want to identify; maybe we've done a scan, we've identified what users or what machines have SMB signing disabled, and we just target those with anything in the network. So we sit here, we listen, we wait, an event occurs, again the same thing as before, but this time you can see that the attack has succeeded. It's trying to connect from 10.0.3.7 against 10.0.3.6; MARVEL\fcastle is an administrator on that machine, so it connects, and then automatically you can see down there it dumped the SAM. So we've got all the local machine or local account hashes on that machine. Other things that you can do: you can utilize Metasploit, Empire, and you can actually add a command back, like in this ntlmrelayx we can actually use a command feature and push a command in that will give a shell back to us, and we can have full interaction with this. Another way to do that is with SMBRelay; you can use SOCKS and have a shell on that as well. So this is very bad and still very common.

And all the mitigation strategies are still gonna be kind of the same as what you're seeing before. So we can enable SMB signing on all devices; that is the recommendation that we make as pentesters. This can be an issue: it can cause file performance issues. The data that's out there says a fifteen percent increase in time for file transfers; some people have reported longer. So as an administrator you might get some feedback from your users that, you know, file transfers are taking longer, but it is for security purposes. You could also disable NTLM authentication, so if you don't have NTLM to authenticate with, this attack won't work either; but if Kerberos stops working, then Windows will default back to NTLM. So on top of that, again, the account tiering that we talked about: having your domain admins, and your powerful accounts, not be allowed to be relayed like this, so you have to limit that. Same thing with the local admin restriction. So you might run into issues where it might increase the amount of service tickets; if you're limiting the local admin, people will need something to be installed, they're gonna put in helpdesk tickets for that since they can't do it themselves. So it might cause some headaches, but again, it's for the better of security.

Okay, last one is Kerberoasting. So Kerberoasting: basically Kerberos is an authentication method, right? So if we look here, we've got a domain controller up at the top of the triangle; we can call this domain controller a KDC, that's a key distribution center. So what's going to happen is the victim or the user is going to request a ticket, and this is how authentication works: we request the ticket, provide our NTLM hash, and we receive a TGT back, which is a ticket granting ticket, and that comes back encrypted with the Kerberos ticketing hash. And the only thing that we need to do this is a valid account credential. So if we've compromised a domain account at all, we've got a username and a password, this attack is gonna work. It's not going to be successful, but you're at least going to be able to do part of it. So the second part of this is we have this application server down here; it can be an application server, it can be a SQL server, it could be whatever you want. When we have these applications in the network, they have what's called a service principal name, or an SPN, and that's going to come back into play here in a second. So what we do is say we want to access this application server. Well, we're going to say to the KDC, I want a service ticket, a TGS, for this server. It's gonna say, OK, I will give you a service ticket; I'm gonna encrypt that with the server's hash. So we're gonna take that TGS that's encrypted with the server's hash and we're gonna pass that over to the server, and if we have access to the server, it's going to decrypt it on the server side; if we have access to it, it'll give us access. The whole process for us as an attacker stops at four, so we're only receiving that ticket, because it's encrypted with the hash.

So this looks something like this. So we run an attack; again, Impacket comes into play, and we say python GetUserSPNs.py, so we're getting the SPNs in the network. You see I'm using the Frank Castle password that I've gathered before, I'm identifying the domain controller IP address, and then I'm using -request, so I'm requesting this, and out comes this Kerberos ticket granting service ticket hash here down at the bottom. And another thing that we can see here, and this is super common in networks, this is why this is really dangerous: if you look at the SQL service here that's been requested, it's a member of the domain administrators. We see services as domain administrators all the time, and this is where it gets really bad. So if we have an account with a bad password that's utilizing services, and that account is a domain administrator, it's also a game over situation. So here we go into hashcat again, we attempt to crack the hash, and you see that we have cracked a 14-character hash of MyPassword123#. So even though it is 14 characters, really not that secure of a password, and now we've owned a domain administrator. So mitigation strategies here: strong passwords, least privilege. That's really what it comes down to. Questions? Yes?
[question inaudible] Not enforced, this also... good, yep. Yes. Not a blue teamer, so I'm not strong in the detection side of it, honestly. So, yes?

[question inaudible] Depends on the organization. So if they've got like a six or eight character password policy, you're looking at like at least fifty percent. The one that I was talking about last week, or two weeks ago, where I was up against CyberArk, that was, we cracked two passwords out of the whole thing. So I mean, CyberArk works as long as you're utilizing strong passwords and not reusing, and using strong local passwords as well. So it just depends on the organization, but anywhere from, I would say 25% is probably the average.

[question inaudible] LLMNR poisoning? Yeah, so I see that on pretty much every network I encounter. I don't know, I can't remember the last time we've seen it off. I think it really depends on your clients; like, I watched a Black Hills InfoSec talk and they say they're seeing it on one out of three, but I'm guessing their clients are probably repeat, they kind of know, they might have more of the elite clients as well, so they're probably seeing a decrease in that LLMNR in their own networks. But I see it pretty much everywhere. Yes?

[question inaudible] I don't think, in the hash strengths, no. [Music]

Anything else? All right, thank you everybody. [Applause]
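As an added example, not part of the talk and not the speaker's or TCM Security's code, here is a PowerShell script that audits or applies the host-level mitigations the talk gives for LLMNR poisoning, SMB relay and pass the hash: turn off LLMNR, turn off NBT-NS on every interface, require SMB signing on both the server and client side, disable the Guest account, and list who currently sits in the local Administrators group. The registry values and cmdlets are the standard Windows ones (the LLMNR value is what the "Turn off multicast name resolution" Group Policy sets); the script structure, function names and the `-Audit` switch are my own assumptions.

```powershell
# Added example: audit or apply the LLMNR / NBT-NS / SMB-signing / local-account
# mitigations described in the talk. Run from an elevated PowerShell session.
# Assumed platform: Windows 8 / Server 2012 or later for the SmbShare cmdlets,
# Windows 10 / Server 2016 or later for the LocalAccounts cmdlets.
[CmdletBinding()]
param(
    [switch]$Audit   # report the current state only; change nothing
)

$llmnrKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$netbtIfKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

function Get-HardeningState {
    # Collect the settings the poisoning and relay attacks depend on.
    $llmnr = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticast `
                -ErrorAction SilentlyContinue).EnableMulticast
    # One NetbiosOptions value per Tcpip_{GUID} interface key; 2 = NetBIOS over TCP/IP off.
    $netbt = @(Get-ChildItem -Path $netbtIfKey | ForEach-Object {
        (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
    })
    $server = Get-SmbServerConfiguration
    $client = Get-SmbClientConfiguration
    $guest  = Get-LocalUser -Name Guest -ErrorAction SilentlyContinue

    [pscustomobject]@{
        LLMNRDisabled            = ($llmnr -eq 0)   # EnableMulticast = 0 turns LLMNR off
        NBTNSDisabledAllNICs     = ($netbt.Count -gt 0) -and
                                   (@($netbt | Where-Object { $_ -ne 2 }).Count -eq 0)
        SmbServerSigningRequired = $server.RequireSecuritySignature
        SmbClientSigningRequired = $client.RequireSecuritySignature
        GuestAccountEnabled      = if ($guest) { $guest.Enabled } else { $false }
        LocalAdministrators      = (Get-LocalGroupMember -Group Administrators |
                                    ForEach-Object Name) -join ', '
    }
}

function Set-Hardening {
    # LLMNR off: same value the Group Policy "Turn off multicast name resolution" writes.
    if (-not (Test-Path $llmnrKey)) { New-Item -Path $llmnrKey -Force | Out-Null }
    Set-ItemProperty -Path $llmnrKey -Name EnableMulticast -Value 0 -Type DWord

    # NBT-NS off on every interface, since it takes over once LLMNR alone is disabled.
    Get-ChildItem -Path $netbtIfKey | ForEach-Object {
        Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2 -Type DWord
    }

    # Require SMB signing on both sides so a relayed session is rejected.
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force

    # Guest account off, one of the pass-the-hash mitigations from the talk.
    Disable-LocalUser -Name Guest -ErrorAction SilentlyContinue
}

Write-Host 'Current state:'
Get-HardeningState | Format-List
if (-not $Audit) {
    Set-Hardening
    Write-Host 'After hardening:'
    Get-HardeningState | Format-List
}
```

Run it with `-Audit` first to see where a host stands (the `LocalAdministrators` line is the one to review against the "limit who is the local administrator" point), then without the switch in a maintenance window. Requiring SMB signing is the change most likely to need coordination, for the file-transfer slowdown the speaker mentions, and in a domain the LLMNR and NBT-NS settings are normally pushed by Group Policy or DHCP rather than per host; the script is for verifying and fixing individual machines.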