
Cats, Cats & Moar Katz: Windows Post Exploitation

BSides Delaware · 2017 · 27:50 · 64 views · Published 2017-11
Category: Technical
Style: Talk

Transcript [en]

Yeah, okay. First of all, welcome. I'm Alex Ruben. I'm talking a little bit about post exploitation, so this is kind of a quick, high-level overview rundown on common techniques and tools that you may see in an environment where you're conducting a pen test, or if there's a current attack happening. Okay, a little bit about myself: I finished my associate's in information security at Delaware Tech, Terry campus, this past December. Since then I enrolled at Wilmington University in computer network security; I have another year left there. Anybody interested, we'll be posting the slides and the demo videos to Dropbox afterwards, and there'll be a link on the Twitter account. Okay, so anybody who's worked in a Windows domain environment, this will be a little bit of a review, but these are some things that I really want to cover before we get in.

So the big point with Windows domain environments is centralized authentication and security: everything is managed on an Active Directory domain controller. To log in with your domain account, you're actually authenticating to another server; you're not authenticating to your local machine. That brings us to domain users versus local users. That's your domain user that you're authenticating with when you log in; with a local user, you're authenticating to the local machine. And the important part about that is the password hashes are stored on the local machine; in a domain environment, those hashes are actually stored on the domain controller.

User access tokens and single sign-on. I'm gonna get to access tokens: that's how Active Directory keeps track of what resources you have access to, have permissions for, and what systems you're logged onto. So if you log into your workstation on your domain, there's actually going to be an access security token stored in memory for that computer. So I'm going to kind of tell the story of a pen test that's going on here, and use it as background for the attack that I'm going to demonstrate. So you have been hired to pen test a business with a moderately sized Windows environment. You've already compromised a single workstation through phishing, so you got somebody to download an executable and run it. Hey, you have a shell. All you have, you have a shell. Now what do you do? Part of this presentation is to show what you can do: move around, escalate, secure your foothold in that Windows domain environment.

Okay, before you do any of this you have to identify what you're going to be targeting. So just shout it out: what is the main target in a domain environment? The domain controller, okay. But there are also secondary targets you can hit along the way. So what would be something else? Maybe the network administrator's workstation, get up on there, yeah. A file share that gets logged into a lot. You need to plan out what's going to happen ahead of time, before you just start hacking. Okay, you have your foothold in that one workstation; then escalate. Okay, maybe you don't have the permissions, maybe you only have a local account; get your foot on the domain. Okay, so one of the tools that's really good for that, once you have what's called a Meterpreter shell, is hashdump: dump the password hashes, then use hashcat to crack those hashes into plaintext passwords. Here's a video demo that I recorded earlier where I did do that. Okay, so you have your Meterpreter shell, hashdump, and you receive the usernames and the hashes.

Everybody happy?

So I already have these hashes on my Windows system, running Windows hashcat, so that I can use it to crack these hashes. So regular hashcat works with your CPU and utilizes that to crack the hashes; then there's one called CUDA hashcat that utilizes the GPU's CUDA architecture, which is much faster at this kind of task. Cracking hashes, for instance in a Kali Linux VM like the ones I use at school, this process may take about 30-40 minutes, maybe an hour, and you'll see here it takes about a second. A little bit about what I'm typing in here: -a 0 is a dictionary attack, so I'm trying all the passwords in rockyou.txt. How many passwords? Millions of passwords, a lot, actually. It takes the hash of each of those, compares it to the hash in the file, and if they match, that's the password. -m 1000 is the mode you're using, the hash type, so NTLM. hashcat -m 1000, the input file of target hashes, and the wordlist that you use; hit enter, and it's done. Long process. So there are all the plaintext passwords for all the users on that system.

All right, well, you may be thinking, in a domain environment why do I need the local user accounts? Think about it: you have a domain environment that has 300 computers. You're not gonna want to image those one by one by one. You have an image server, take one image, push it across the network to all of them. That local administrator account most likely isn't going to have a different password for every single workstation. So if you get a local administrator password, you probably have the local administrator password for every single system. Let me get my PowerPoint back up real quick. Okay, as I was saying, the local administrator account is important.

Keyloggers, the fun one. So you may not have the password hashes that you can crack for the domain user, since they're stored on the domain controller, but since the user that you've compromised is logging into that system with their domain account, drop a keylogger. You already have full access through your shell; you can actually use Meterpreter, they have a built-in keylogger module. You just run a command, it drops it on there and starts recording keys. Okay, we'll be coming back to that later.

Okay, then expand and move laterally. You have sufficient permissions on that one workstation you compromised; you want to move out into the network, get to a file share, the network administrator's computer if you can. Like I was saying, the local administrator logon is often reused on many if not all the workstations, just because it would be incredibly difficult to set a different one on every one of them.

File shares. So the reason file shares are such a big target goes back to that single sign-on and the access tokens. When a user authenticates with their domain account, it creates that token that's stored in memory. When they access the file share, that's single sign-on: they don't need to log into that again, it passes the token. So just think of all these users that are accessing the same system, just dumping all their tokens in. You can use Mimikatz, you can use Meterpreter, there are a few other tools; you can take those tokens and actually impersonate, specifically if the domain administrator had logged on to the file share: impersonate the domain admin, job done right there.

But let's say, for our purposes, they're not logged on to the file share, but we were able to access the domain administrator's workstation.

I actually want to take a second and do the Mimikatz demo real quick. This is also another way to get passwords. Mimikatz is a RAM-reading tool, so it pulls information out of running memory and displays it on the screen for you. So for instance any local user accounts that are logged in on the system, Mimikatz can actually dump those plaintext passwords out of memory. Kind of scary. [Music] So this one actually has the initial attack in it. Yeah, I set up a listener in Metasploit; that's a backdoor.exe, really safe. There's a shell. So right now I am the student user; escalate to system, and now I'm the system itself. So the Mimikatz module; there's also a standalone version you can run as well, and bam, there's some plaintext passwords. So in newer versions of Windows you actually have to migrate into the local security process, the lsass.exe process, to be able to do that, but in Windows 7 it doesn't care. They kind of got smart about it and actually virtualized and isolated the LSASS process, so this still works under very specific conditions, but it's a lot harder to do. And there are plenty of other tools you can use if something goes wrong, but this specific technique does not work nearly as well.

So you are now on the workstation of the network administrator, under the domain admin account. You might drop a keylogger; the keylogger's gonna catch him typing in the domain password. So he types it in, and you have an administrator shell. Typically this is where your job as a pentester would be done; you might do vulnerability testing on other things, but as far as the domain goes you have the keys to the kingdom. You have everything; you can access anything you want at this point. If you're an attacker of the malicious variety, you keep going, because you're not getting paid to hack this network. Hey, you want to get your money's worth, you want to stick around for a while. So you want to persist in the network. Netcat is a fantastic tool for that; there's also the persistence module, which works perfectly well. I have demos for both of them. Netcat actually creates a listening port on that host.

So this is me configuring the registry on the target so that on startup this process starts running. I'm uploading the netcat executable and then I restart the computer. I rebooted, and when it comes back up... I also open the firewall port for that one, port 9000, and when it comes back up it now has a listening service on 9000. If I connect to it, it drops me a shell. There's the registry entry; the backdoor is running. I just use the same tool, netcat, for listening and reading connections, to my target system on port 7000. That'll work as many times as you want it to.

And then there's also Meterpreter. There's also another part at the beginning of this, just to show some of the fun stuff that Meterpreter can do: take a screenshot of the victim. Hey, hey, there it is. So it doesn't seem too bad, but imagine if you have some important spreadsheet up on your screen, a budget. So this is the persistence module in Meterpreter. Okay, there: run persistence -X, this service starts up when you boot; -U is for when a user logs in; -i 5, it actually beacons out every five seconds. It doesn't create a listening port; it tries to initiate a reverse connection. So think about how firewalls work: they don't trust things on the outside, they don't want things coming into the network. So we're using the target machine's connection; the firewall trusts things on the inside. Port 9000, my IP address that it connects back to. Hey, it'll automatically create a listener for that connection. It runs a VBScript that manages this whole process, and I have another shell. Now at this point, if I want to connect back in, all I have to do is set up a listener on that port on that IP address, wait about five seconds, and there's another Meterpreter.


Further learning. So there's all kinds of additional functionality in netcat, hashcat, Mimikatz, Metasploit, Meterpreter, all the tools we went over; there's so much more they can do that we can't talk about in 20 minutes. So much fun stuff: for instance Meterpreter, you can take screenshots, you can turn on the webcam, the microphone, keyloggers, whatever you want, you have full access. Um, I recommend you do try it yourself, in a lab, please, in a lab.

Okay, so that's how I simulated all this. I had two VMs: I had Kali and I had Windows 7. I was using one to attack the other; it all took place inside this one laptop. It's a really easy setup: you can spin up a couple different versions of Windows and Kali Linux, you spin up one at a time to attack them, easy to see what holes you can find and then go on about how to fix them. Honestly, that's the point of all this: we fix these holes so these tools don't work anymore.

There we go. Questions?

The persistence module, I have not done it that way. I believe it is, I believe the script that it downloads is only configured to do reverse TCP, but there are plenty of other tools. Yes, with that one persistence module, it's very good at what it does, but it only does that. Okay, but there are plenty of other tools; okay, you can configure those on any port, very versatile.


So your domain passwords are not actually in the token. You authenticate to the domain controller, that gives you a ticket or token, and they use that to then authenticate to any other resources. That's the security token that's sitting in memory, so you can actually use Meterpreter to impersonate that token and then forward any traffic through that system; it looks like it's coming from the token you're impersonating, to the domain controller. Okay, use that as a pivot point. You can also use Mimikatz, it's kind of an advanced attack, and you can actually create your own Kerberos ticket, which Active Directory uses for authentication. So if you do get the domain administrator hash, you can actually create your own ticket, sign your ticket, and create your own access.

Mimikatz is also very versatile for dumping passwords.

Interesting, yeah.

Okay, so I know you said it's a RAM reader, but with Windows 10, Mimikatz, they got smart. Okay, so the entire LSASS process, the local security manager, they isolated the entire thing in memory. It is really difficult, I won't say impossible, but extremely difficult to get Mimikatz to work in that way on Windows 10. So specifically in Windows 10 there is a feature called Credential Guard, which is what virtualizes that process. You want to make sure that's running, make sure that that process is isolated. Um, for the local administrator, if your domain is so big that you think you have to have the same image for everything, the same local administrator password, pick something strong, okay. Make it something that hashcat is not gonna crack in a second, because that password is only valid there; there are attacks built for that purpose.

Of course it does, yeah.

I didn't know that, yeah.

Kali Linux, you know, is the right fit: it's free, open source.

Yeah.

Also whatever Microsoft DreamSpark is called now.

Microsoft's been getting a lot better at allowing people to freely download a copy; there are resources out there.

Yeah, it'd be fantastic.

Off the top of my head, no. Yeah, okay.


Somebody could, absolutely could; it just doesn't happen very often. It doesn't happen very often; it's more that the administrator gets in that mindset: this is a domain environment, they don't need to worry about a local login, and then they push out that image with the same password for every single one. But there are ways to mitigate it; like that, you don't see it very often.


Yeah.


Um, it's my understanding that it's on all Windows 10; I'd have to double check that. Yeah.


Yes.

Thank you for coming. [Applause]
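As an added defender-side example, not part of the talk or its demos, the PowerShell audit below checks the three mitigation points the Q&A raises on a single host: whether Credential Guard is actually running (so the LSASS secrets Mimikatz reads are isolated), what is registered to autostart from the Run keys (where the netcat backdoor was planted), and which TCP ports are listening beyond an expected baseline (the demo's backdoor listened on 9000). It assumes Windows 10 / Server 2016 or later, an elevated session and the built-in NetTCPIP module; the expected-port list is a constructed placeholder to tune per host.

```powershell
# Added example, not from the talk. Defender-side host audit: Credential Guard state,
# Run-key autostarts, unexpected listening ports. Assumes Windows 10 / Server 2016+,
# an elevated session, and the built-in NetTCPIP module.

function Get-CredentialGuardState {
    # Win32_DeviceGuard: VirtualizationBasedSecurityStatus 2 = VBS running;
    # SecurityServicesRunning containing 1 = Credential Guard actually running
    # (configured but not running still leaves LSASS secrets readable).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    [pscustomobject]@{
        VbsRunning             = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardRunning = ($null -ne $dg -and $dg.SecurityServicesRunning -contains 1)
    }
}

function Get-RunKeyEntries {
    # The talk's backdoor was registered to start at boot; list every autostart
    # value so an unfamiliar binary in an odd path stands out for review.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($p in $paths) {
        if (-not (Test-Path $p)) { continue }
        $props = Get-ItemProperty -Path $p
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($name -like 'PS*') { continue }   # skip PSPath/PSParentPath metadata
            [pscustomobject]@{ Key = $p; Name = $name; Command = $props.$name }
        }
    }
}

function Get-UnexpectedListeners {
    # Constructed baseline for illustration only; tune it to the host's real role.
    param([int[]]$ExpectedPorts = @(135, 139, 445, 3389, 5985))
    Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalPort -notin $ExpectedPorts } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Port = $_.LocalPort; Pid = $_.OwningProcess
                Process = $proc.ProcessName; Path = $proc.Path
            }
        }
}

Get-CredentialGuardState | Format-List
Get-RunKeyEntries        | Format-Table -AutoSize
Get-UnexpectedListeners  | Format-Table -AutoSize
```

A Run-key command pointing at a user-writable path, or a listener owned by a process with no signed path, is what the talk's netcat and persistence demos would leave behind and is worth investigating first.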