
Mapping the Penetration Tester's Mind: 0 to Root in 60 min

BSidesSF · 2012 · 52:25 · Published 2017-11
Category: Career
Style: Talk
About this talk
Mapping the Penetration Tester's Mind is a gap-bridging series made to bring information technology professionals, auditors, managers, penetration testers and all those with an interest in information security to an equal understanding. Many times an auditor, manager, or compliance officer understands that a penetration test is required and the importance of having it done, but may not understand how it is performed or why certain actions were taken. Mapping the Penetration Tester's Mind will allow these professionals to gain insight into how a pen tester looks at the project from start to finish, including viewing the SOW, applying methodologies and experience, target selection, exploitation, evidence collection, and reporting. Mapping the Penetration Tester's Mind will not only present the ideals that are used to perform a test, but will also arm the attendees with the information and knowledge to ensure that they are choosing the right pen tester for their engagement. This material has never been presented with this type of focus or insight from an experienced tester before. Mapping the Penetration Tester's Mind is sure to provide every attendee a high return and a better understanding of the "dark art" of penetration testing, making it the bright light at the end of the tunnel.
Transcript [en]

Um, so this is going to try to get you into the mindset and get you working through the methodologies that most pen testers use, and try to break away from "I want a technical exploit to get access to everything." So we're going to take a look at the human factors, we're going to look at some best practices, some vulnerabilities and stuff outside of the technical stuff, and how to build on that and actually break into the hands-on stuff.

A little bit about me: I've been doing this for a long time. I actually started my own InfoSec company when I was 17, I was still in high school, so I've been doing this professionally for about 13 years now. I spent a good amount of time in the PCI space; I like to call it "doing time" because it's more focused on very scoped segments, very limited things that you can and can't do, and it's not really that fun. I love the social engineering stuff and physical security. If you're not familiar with it, TOOOL is a fantastic organization if you want to learn how to lockpick, stuff like that. So some of the cons that I've been to, we do something... Is it signal? Give me one second here. See if there's any better. Cool, everybody can see that? All right.

So I've done a lot of these conferences. In particular I'm a big proponent for BSides. Make sure you attend these things, these things are free, go out and talk at these things. I don't want to be the guy standing up here all the time; I want to hear you guys take part in these conferences. That's what makes these things so good: you guys probably have ideas that you want to see up here, and other people want to see those things up here too. Next time I really want to see everybody else up here besides myself; I don't really like to hear myself talk that much, but some of the publications that I've done... I've been doing a lot of these over the last couple of years. In particular last year I did about 11 to 13 conferences, somewhere in there, and I have a couple of different presentations that I've done, and later on this year I've got a book coming out with the same title as this talk, so you can check for that later. Enough personal plugs.

How many people are familiar with what a pen test really is, and the purposes of a pen test, things like that? Yes? All right, cool, I won't have to cover this too much. So basically the idea behind a pen test is to make sure that you have somebody take a look at your environment, whether it's infrastructure, physical, technical, best practices, social engineering, whatever it is, to get a good idea of what an attacker is actually going to be able to gain access to. This can be leveraging, like I said, the social engineering stuff, the person; this could be leveraging technical vulnerabilities; this can be leveraging a lot of different things. The idea is to get an idea of what a potential attacker or malicious user could gain access to. So pen tests are really valuable in particular because they give you the ability to focus on something specific, if you're looking for that. If you want to do web app testing, if you want to do network level testing, if you want to do something that's more of the human-based factor, you can scope a pen test, you can get an idea of what is applicable to that specific system or technology. It's also a good way to make sure that later on, in particular if a breach or something does happen, that you can make sure that you've taken good steps, that the organization isn't going to end up with major fines, etc., or if they do end up with them, it's going to be limited to whatever the actual data was that left.

So a couple of types of testing: there's white box testing, black box testing, and then obviously a hybrid of the two. Depending on the scope and depending on the application depends what is a recommended way to approach this. White box testing obviously is going to be where you have everything laid out ahead of time; you know exactly what you're going to touch. These are mostly your compliance-style audits or compliance-style pen tests: they'll tell you exactly what you can and can't touch, where they are, how to get to them and everything like that. Whereas the black box testing gets you a much more real-world example of what a potential attacker or malicious user could gain access to, but it takes a lot of time, it can cost a lot of money, and most organizations just don't want to dump that kind of investment into a pen test. So most organizations will pick a hybrid of this, where you start to get a little bit more information, whether you focus on internal, external, etc.

So getting into a little bit of the methodology: I'm going to spend a little bit of time on the best practices and methodology and why this is important, and then we'll start to break into more of the hands-on technical stuff and start walking through the process of how to actually do this stuff. So the methodology is very important. If you're familiar, anybody familiar with PTES? Cool, a couple of hands. Oh, it really just gets a standard out there for how you can actually do pen tests, and then it can be reproducible later on. So the ability to make sure that you're going through each step can also give you good quality in the way that you're actually going to have a pen test done. So obviously first you're going to start with your reconnaissance stuff. This is where you're going to start to get in your intelligence; this is where you're going to start getting more information about the nuts and bolts of what you're actually going to touch. Then from there you're going to start doing scanning and VA. This is where you're going to mix between passive and active reconnaissance, start doing port scans, vulnerability enumeration, things like that. And then finally you're going to progress into the actual exploitation phase, and then, because the value of it isn't really the actions that you're doing, it's that report that you're going to hand to your client afterwards. That report is what they're going to gauge not only your ability to actively do the exploitation, but it's also going to get them the return on investment, and actually make sure that next time they come through and want to do a pen test, they want you to come out and do it. Because if they can't read the information and follow everything that you're doing, it had no value; if they can't fix it, it's not going to secure anybody; all that work that was done isn't going to go anywhere.

So reconnaissance, this is where you start doing your information gathering. This is going to be your passive and active stuff; this is going to be your whois information, your dig information, a lot of that stuff. Some of the tools out there will do it all, where they'll start to branch from one piece of information to the next and really give you the full idea of what's out there and what's available to the internet. And then you get your vulnerability assessment and your network survey. This is where you take that information and will actively start to figure out what could potentially be leveraged. This is where you're going to start seeing your correlation for Metasploit packages; this is where you're going to start seeing correlation for code or releases out there, whether it's, you know, in Core or Metasploit or any of the other vulnerability assessment scanners out there. This is where you're going to start getting the nuts and bolts and figure out whether you're going to end up having to spend two days on something or if you're going to spend an hour on something to figure out if you can actually get a shell or root or whatever you have, depending on the system. And then we start going into the process of verifying whether that information is actually going to be valid for that. So a lot of times you'll start seeing false positives in vulnerability assessment tools; this is where you're actively going to start testing. This is where you start moving into the exploitation phase and really get into the fun stuff.

And then password attacks. The reason that I actually pull this out now is because personally, as a pen tester, I don't really do password cracking anymore. The ability to do so takes a lot of time, takes a lot of processor power, and on a functional level you don't really have to deal with that much anymore. I'll actually start to touch on it once you start getting to the hands-on, about

what's called pass-the-hash. Anybody familiar? Okay, a couple of hands, cool. So the ability to actually gain access to the host without ever having to crack the password: it saves a lot of time, it looks really cool in slides, and when you start telling organizations that you never had to touch their passwords or crack their passwords or anything, they start to get a little bit scared, and whether it's fear or not, it does actually start to impress upon them the point that it's imperative to deploy some of the security tools, security utilities and monitoring stuff.

And then finally reporting and analysis. This is that key. All that stuff, all those hours, whether it was a one-week engagement, a two-hour engagement or a six-month engagement, if you can't put it into writing so that someone from not only the testers, the people out there in the trenches, can understand it, but also the executives and the management can understand it... That's where you're going to start seeing people coming back to you time after time after time, to make sure that you're the one that's actually doing those tests. If you can't translate that information so that those people can read it in clear English, then again it loses that value.

So to touch a little bit about tools: some of the tools out there, these can be open source, these can be purchased tools, these can be a lot of different things. In particular on the board here we've got Maltego. Anybody familiar? Cool, a couple of hands. Really good. It's a really good utility for getting information, for doing passive analysis; this is going to get a lot of your whois information, start to tie machines to each other. And then Nexpose is a vulnerability assessment management tool. I don't really push products or anything throughout, but you'll see this actually come up later on. I like Nexpose over some of the other utilities just because of the direct relation to Metasploit, and that brings us actually to Metasploit. I hope that we have a good number of hands: who's familiar with Metasploit? There we go. So Metasploit is the actual exploitation framework. It's got a lot of packages built in; it's fairly recently been acquired and now not only has community support but also has actual corporate R&D dollars being invested into it. And then you have things like Cain and Abel and nmap to start doing some of your network level stuff, and you'll see where kind of each one of these starts to tie in as we move forward here.

And this is where we actually start getting into... so that was all the bland, you know, informational stuff. The next part is where we start actually applying these types of methodologies, this type of understanding, to an engagement. So the first things, obviously, when you actually start defining your scope and you start looking at those SOWs and what you're actually going to be testing: what are you going to start looking for, and what is the importance for some of this stuff? So in particular, make sure you have permission. This is a key thing. If you do not have permission to touch a machine, even if you're in an engagement and it's a third party, do not touch that unless you engage with the owner. This will not only save your butt later on, but it could potentially keep you from owing people fines. So it's very important to make sure that you have permission to touch any of the machines that you're going to touch later on. And then understanding whether that scope is for an internal or external pen test, what the objective is, if they're looking specifically at PCI information or HIPAA information or something like that. If you as a tester have a clear understanding of what that goal is, you'll be able to apply your methods and apply the things that you learn to focus on stuff. Unlike most of the malicious attackers, you know, and other attackers out there, they have as much time as they want to dedicate to this stuff, they can put in weeks, months, whatever. For most of us pen testers, we only have X number of hours that we can fit all this stuff in, so understanding what the goal of that pen test is really makes sure that the quality of work and your focus and your efforts are not going to be wasted.

And then you also want to make sure that if there's anything that's not a standard test, you clarify that ahead of time. So most of the time organizations don't really want to test whether they will fall to a denial of service, or if they do, during business hours is a bad time to test that. So making sure that you clarify if you're going to do something off of the norm, or something that could potentially bring down a system, that you want to make sure that those are in clear testing hours. Not only that, you want to make sure that if anything does happen, you have somebody on the line that can directly restart the machine, bring that back up, because if you get a call from a C-level later on, the next day, and they were down for six hours because you didn't get a hold of somebody, they're not going to be happy, to say the least. And then make sure that again you have that emergency list. This is usually going to be your email, a phone number, somebody to get on the phone with at 2:00 a.m. in the morning when you're doing your testing, to say "hey, I've got a machine, I know it's still live out there, I probably have something that's running, I just can't talk to it anymore, can you restart that box?" Because again, if you can't get to it, active users probably can't get to it.

And then there's also, depending on the type of engagement, who's going to know about what's going on. So sometimes that engagement, and this is good to be clarified during that objective, is whether you're going to test the ops and the NOC, you know, say you want to see what the reaction times are, or you want to make sure that an IDS or IPS or something that you put in is actually working, versus just "I want to know what's out there." Because if you want to just know what's out there, you're probably going to cause a lot of network traffic, you're going to be noisier. It's also going to give you the ability to either hone whatever your skill set is and focus on, again, whatever that objective is. And then make sure that, especially if you're doing social engineering, don't use real third parties. I'm not speaking from experience or anything, but they just don't like getting these email responses from social engineering emails going "well, your bank account has been, you know, manipulated in some way." Financial institutions in particular don't like that, because when they respond to that email, if they respond to an actual financial institution, there's a whole lot of things that go on in the backend that you will have to deal with later. And then again, make sure that if you're on an engagement, and most of the time you'll run into this in application level stuff, if you start branching over to other websites because you have Google Analytics or something else built in, make sure that you don't go outside of that scope. Or if you find something that could potentially be leveraged to gain access to another provider, engage them, make sure that you engage your point of contact, your project manager, and move in that way. Don't just go off the cuff and start going against this stuff; they don't like that.

So the first thing that we start doing is we're going to start looking at how to find what's available. So we know we have this scope, we have Class C, Class B, whatever; start digging down, and the first thing that we're going to start doing is we're going to start running some discovery stuff. So in particular I use nmap a lot. A lot of stuff that I use is still the old command line stuff; I like how it looks, it just works a lot better for me instead of going to the GUIs. I will show some of the GUI stuff later just because it's pertinent, but I prefer being in the terminal. So you can use nmap to basically get a better idea of what's out there listening. So now you have your Class C, you have your range, just kind of get an idea of what's actually out there listening, so you don't have to spin your wheels running a VA against a Class C, because VAs take long; they take a longer time than the discovery scan does, a port scan. You can also do this now in Metasploit. So this is the Metasploit community/pro edition; the newest version of Metasploit actually has a web UI that's pretty good. You'll see this a lot through the slides. I won't push Metasploit Pro on you or anything; I do work for Rapid7 though. So you can actually do a scan directly from Metasploit, and the backend of this is actually nmap, so you can put your custom scan switches and such right into the web UI, whatever it is: whether you want to use -vvv and actually see what nmap's doing, so that it doesn't tell you that it's counting up for your expected completion time, or if you want to start doing specific ports or anything like that. It's broken up for you right within Metasploit now, and the ability to scan through that will get you a good idea as far as what's listening, the types of ports and what the potential for services or whatever is running on that. And if you're running it in nmap, this is the area in Metasploit, this is the actual output for that, so you can follow it live within the log window and see just exactly what you would see normally in the terminal window if you were running nmap. It kind of makes it, for anybody that wants to see what's actually being done, make sure that the scan is actively running properly for what, you know, nmap should be doing; you can verify that right here.

And then the next part is to go into the vulnerability assessment. So now we understand that our Class C is now down to 100 IPs, 75 IPs, so we want to focus on that. Because the first thing, for me personally, one of my goals is if I go into an engagement, I want root in 24 hours. That's a short amount of time when you're working on an actual engagement, because you have to make sure that if it's on site, you're working in a certain amount of hours and such. So I want to make sure that everything that I'm doing is going to cut, you know, the amount of time that I have to focus on each effort down to whatever the minimum I possibly can. Metasploit now gives you the ability to directly import from a lot of different VAs out there: you can do an import from Nessus, you can do an import from Nexpose, you can do an import from nmap, you can do an import from a lot of these different devices directly into Metasploit. So in particular, because Metasploit Community Edition as well as Nexpose Community Edition tie directly into one another, you can run a VA scan from Metasploit in Nexpose and all that information is going to be directly imported into Metasploit without having you do any sort of other interactions. It cuts down the amount of time and it makes the information show up pretty quickly. So it runs just like any other VA out there; you'll start to see the information, it'll start to correlate any known Metasploit packages directly into the data that's going to be returned per host, and it'll start taking a look at what the potential for those exploits are. So it's going to either match up a Metasploit module, it's going to match up a known exploit on the CVE or SecurityFocus listing, and it's going to start giving you the information. This cuts down on that amount of time that you have to start guessing. If you had to Google search for every service that you found based on banner, could you imagine how long that would take you? You're not going to get that done in the scope of an engagement if you have even ten machines and you have to Google search a thousand different ports and services. If you can do that in an engagement, I give you props, I will buy you a drink.

And the next thing that I'll move to is, while I have the VA stuff going, I'll start moving and start looking at some of the other stuff. Now I like to look at the man-in-the-middle. Some organizations, you'll have to initiate with them to say "I want to do this," because there is potential that you can knock machines offline and such, but if you cater that and you understand what you're doing when you're executing it, you can lessen the likelihood. So I particularly like Cain and Abel; you can do this with Ettercap, you can do this with a number of other utilities, but Cain and Abel seems to do it functionally the best that I like, as well as gives you the best look and the easiest way to actually dig through some of the data that you're seeing. So in the screen right here we actually have Cain and Abel up, and what I did was I did a populate and a scan for any of the devices listening out there. So you can see that it lists the IP address, the MAC address, and then who the manufacturer is. In this way you can now cater your man-in-the-middle, and you can also start catering some of your later attacks, because if you see Kyocera up there, it's probably a printer, so you're not going to run Microsoft exploits against a printer or a print server, you're not going to run those off of a fax machine. You start building and taking these little pieces of information and you start shortening the amount of time that you actually have to focus on the outside portions of the engagement. So now with every one of these little steps you start shortening the amount of time that it's going to take you to actually get to the point of getting the root. So while I've got my man-in-the-middle running, I might have 15 machines, I've got my VA stuff going, I'm still going to be churning. I want to get that root in that 24 hours; that's my key goal. And if I can get that root in 24 hours, I can spend the rest of the time making sure that I have pertinent information, pertinent evidence, all that fun stuff

and making sure that not only is the report easy to read, but there's cool pretty pictures in there, because everybody likes pictures, right? Yes? It's not rhetorical. Yeah, yes, yes. No? Nobody likes pictures? All right.

So when I start looking at the exploitation phase, I'm not going to be only focusing on the system level stuff, because the system level stuff, a lot of times you have other systems that support those, whether it's using WSUS or something like that for doing the patch management, or IDS/IPS for making sure that all the network systems... That's usually not going to be what's leveraged. When you start getting into the point of exploitation, it's starting to look at the low-hanging stuff. I know that in particular most of the engagements that I've been on, if I have a server or workstation segment in the scope, there's probably going to be more vulnerabilities in the workstation environment than there's going to be in the server environment, because servers are critical systems, right? So everybody applies good patch management and everything to servers, but usually the workstations lapse a little bit. And then to look at, you know, human input: usually the human aspect is the weakest link. You start applying best practices and the ability and security across what people can and can't do, and you start seeing people trying to get workarounds in there, whether it's shared passwords, whether it's changes of passwords by only a character, could be a number, changing one to two because you had to change your password at 30 days. So if you change that under Windows, if you change that one to a two, that's a different password. And then the administrators usually want things to be easy. The cost of support and management for organizations today is astronomical when you actually start looking into what you have to spend for, because that's people, that's systems, that's various technologies that support across multiple platforms; all that stuff costs money. So to cut down the amount of time and money that it takes means that there's going to be shortcuts in there somewhere, and those shortcuts are usually going to be administration level stuff.

Who's familiar with MS08-067? Oh, I should see more hands than that. Conficker? Anybody know Conficker? Yes. I use this, and I will say probably 97 percent of the engagements that I've been on it has at least gotten me onto one system. So the ability to... and this is, if you look at the 08, that means that that came out in 2008; this is four years later and this stuff still exists. Usually you'll find this on a Windows XP box somewhere out there, you know, workstation segment. It doesn't really apply to a lot of the server stuff unless they're legacy boxes, you know, your 95s, your 2000s, and if you're running on anything later than that you're probably owned already. So you can use the MS08-067 in the web UI, you can use it in classic Metasploit, doesn't matter. Everything that you're going to see through these whole walkthroughs is applicable to both, so whether it's in the web UI or whether it's in the command line, everything that we're going to walk through and everything that I'm going to actually show the exploits for can be applied to both. So it doesn't matter whether you have Framework and you're working on Ubuntu, or even an old-school BT3 Slackware box; as long as you've got Metasploit updated, this stuff works.

So the first thing is to look for MS08-067. The nice thing about using the UI is that you can actually define a range, so you can actually put in your full range and look for an MS08-067 to pop a shell throughout an entire environment. When you run it from the web UI it'll actually pop a number in the sessions right at the top; if you're in the terminal it'll just generate you a Meterpreter session right there when you actually execute it. And then once you have that, you can actually see on this screen that it'll show that MS08 was actually exploited. So this right here, this is going to exploit against the Windows XP box for our little lab environment that we're going to walk through, and by having this information we've already got a foothold into the infrastructure.

And then the next thing is to actually start gathering credentials. Now if you remember, we still have that man-in-the-middle running, and if you're running a man-in-the-middle there's a lot of things that you'll see. You'll see HTTP traffic; HTTPS, now that you're able to actually do some SSL stripping and such; you'll see Telnet, you'll see SSH, you'll see a lot of different protocols start flying over the line. And if you start looking at HTTP stuff, there's a lot of applications out there that will integrate with Windows authentication, or that users generally will use the same password and username for because it's easy to remember. So you'll actually start seeing the traffic from one device to another, and depending on where you actually execute that man-in-the-middle, Cain and Abel will nicely populate that in a username and password list for you, so you can literally just scroll through everything that you were watching on the wire and pull out what you need. So this also applies to HTTPS, and I found a number of what should be decently secured pieces of information; some of the credit card companies will fall to the SSL stripping. So just generally be careful what you're using. And then you also have the ability to watch SMB connections, or Windows logins. So the nice thing about Cain and Abel is actually... there we go, all right. So in Cain and Abel, these buttons right here, these top ones right here, allow you to actually downgrade your NTLM to NTLMv1, so it'll spoof the challenge and response that the Windows servers will send out there, and it'll allow you to downgrade. So it'll actually map what type of NTLM credentials and hashes you're able to collect there. And the nice thing about that is with the newest version of NTLM it'll actually pad the hash with zeros, whereas if you have the NTLMv1 credentials, or the hash, clear text, it'll be the full password. So the way that the SMB connection works is it doesn't pass, obviously, clear text passwords, but it passes the hash itself. And then if we actually have that session sitting in the Metasploit UI, we can click "collect evidence" and it'll start running Meterpreter sessions, if you have a Meterpreter connection, or, excuse me, Meterpreter scripts, directly from the UI to start collecting the information. And one of the things by default that it's going to pull is the local hashes, and these are based on the SAM database. Everybody familiar with what that is? Yes, awesome.
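The NTLM downgrade the speaker demonstrates, and the reuse of one local administrator hash across a fleet that he moves on to next, both leave a footprint in the Windows Security log. As an added example that is not code from the talk or from any Rapid7 product, here is a small Python detector over constructed event 4624 (successful logon) records; every host name, account, address and timestamp in it is made up. It flags authentications that used NTLMv1 or LM instead of NTLMv2, and it flags a local account (one whose account domain is the machine's own name) that performs NTLM network logons onto several different hosts from a single source, which is what a passed-around local admin hash looks like from the defender's side.

```python
"""Detector over constructed Windows Security event 4624 records.
The dict keys are simplified names for the 4624 fields "Logon Type",
"Authentication Package", "Package Name (NTLM only)", "Account Domain",
"Source Network Address" and the computer that logged the event."""
from collections import defaultdict

# Values of "Package Name (NTLM only)" that indicate a downgraded exchange.
WEAK_NTLM = {"NTLM V1", "LM"}

# Constructed sample events (not from any real system).
SAMPLE_EVENTS = [
    # ordinary Kerberos interactive logon: nothing to report
    {"ts": "02:01:10", "host": "WS-01", "user": "alice", "domain": "CORP",
     "logon_type": 2, "auth_pkg": "Kerberos", "ntlm_pkg": "-", "src": "10.0.0.21"},
    # NTLMv2 network logon: acceptable
    {"ts": "02:02:05", "host": "FS-01", "user": "bob", "domain": "CORP",
     "logon_type": 3, "auth_pkg": "NTLM", "ntlm_pkg": "NTLM V2", "src": "10.0.0.22"},
    # NTLMv1 on the wire: the downgrade the talk describes
    {"ts": "02:03:40", "host": "FS-01", "user": "carol", "domain": "CORP",
     "logon_type": 3, "auth_pkg": "NTLM", "ntlm_pkg": "NTLM V1", "src": "10.0.0.23"},
    # the same local Administrator account reaching four hosts from one source
    {"ts": "02:10:01", "host": "WS-02", "user": "Administrator", "domain": "WS-02",
     "logon_type": 3, "auth_pkg": "NTLM", "ntlm_pkg": "NTLM V2", "src": "10.0.0.50"},
    {"ts": "02:10:03", "host": "WS-03", "user": "Administrator", "domain": "WS-03",
     "logon_type": 3, "auth_pkg": "NTLM", "ntlm_pkg": "NTLM V2", "src": "10.0.0.50"},
    {"ts": "02:10:04", "host": "WS-04", "user": "Administrator", "domain": "WS-04",
     "logon_type": 3, "auth_pkg": "NTLM", "ntlm_pkg": "NTLM V2", "src": "10.0.0.50"},
    {"ts": "02:10:06", "host": "WS-05", "user": "Administrator", "domain": "WS-05",
     "logon_type": 3, "auth_pkg": "NTLM", "ntlm_pkg": "NTLM V2", "src": "10.0.0.50"},
    # a single local admin logon from elsewhere: below the fan-out threshold
    {"ts": "02:15:00", "host": "WS-06", "user": "Administrator", "domain": "WS-06",
     "logon_type": 3, "auth_pkg": "NTLM", "ntlm_pkg": "NTLM V2", "src": "10.0.0.60"},
    # LM response: even weaker than NTLMv1
    {"ts": "02:20:30", "host": "WS-01", "user": "dave", "domain": "CORP",
     "logon_type": 3, "auth_pkg": "NTLM", "ntlm_pkg": "LM", "src": "10.0.0.24"},
]


def ntlm_downgrades(events):
    """Return the events that authenticated with NTLMv1 or LM."""
    return [e for e in events
            if e["auth_pkg"] == "NTLM" and e["ntlm_pkg"].upper() in WEAK_NTLM]


def is_local_account(event):
    """In event 4624 a local account's "Account Domain" is the machine's own name."""
    return event["domain"].upper() == event["host"].upper()


def local_admin_fanout(events, threshold=3):
    """Group NTLM network logons (logon type 3) of local accounts by
    (user, source address) and return the pairs that reached at least
    `threshold` distinct hosts, each mapped to its sorted host list."""
    hosts = defaultdict(set)
    for e in events:
        if e["logon_type"] == 3 and e["auth_pkg"] == "NTLM" and is_local_account(e):
            hosts[(e["user"], e["src"])].add(e["host"])
    return {key: sorted(seen) for key, seen in hosts.items() if len(seen) >= threshold}


def report(events):
    """One human-readable finding per line."""
    lines = []
    for e in ntlm_downgrades(events):
        lines.append(f"{e['ts']} weak NTLM ({e['ntlm_pkg']}) for {e['domain']}\\{e['user']} "
                     f"on {e['host']} from {e['src']}")
    for (user, src), seen in local_admin_fanout(events).items():
        lines.append(f"local account {user} from {src} reached {len(seen)} hosts: "
                     + ", ".join(seen))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_EVENTS):
        print(line)
```

On a real estate the same two checks map onto a SIEM query over 4624 (and 4776 on domain controllers): any "NTLM V1" or "LM" package name is worth an alert on its own, and the fan-out check is the cheap version of correlating one local account's hash being replayed across the segment. Raising the LAN Manager authentication level so clients refuse NTLMv1, and giving each workstation a unique local administrator password, remove the two conditions the talk relies on.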

So the SAM database is a database that holds the hashes for any of the local passwords. In particular the one that we're looking for is that top one, which is the local administrator password and hash. And the reason that we're looking for that in particular, and here's just kind of a list, is that a lot of times corporations will have a standard corporate build. How many people here, your company has a standard corporate build? All right. So in doing so, there's usually a single local administrator account that is used to install every application that they need to run for that business, right? Most organizations leave that after they connect to the domain. So if you have the ability to gain that information, that having one machine on the network that has that username and password hash that you were able to guess or able to collect, the potential is to start actually leveraging that across the system. So you can do this whether it's a user account that could be shared across that local; it could be a lot of different things. So again, we're still focusing on local administration hashes, local hashes, local passwords and local accounts.

The next part is actually the pass-the-hash technique. Hey, I got a laugh, cool, you guys are actually reading this stuff. So the pass-the-hash is actually where we take the hash that we were able to collect and populate the password field in a PsExec module. Everybody familiar with PsExec, at least a little bit? It's a utility that way back when Microsoft actually put some development into and then Sysinternals picked it up and such. What it does is it replicates the SMB connection from a machine to a machine for Microsoft administration or Windows administration, and the PsExec module is built into Metasploit as a whole. And if you find... let's see here. So what we're walking through here is we're going to go into our hosts, we're going to find that Windows XP box and we're going to start looking at those credentials. So on the bottom there we can see the highlighted one; this is going to be that local administrator password hash that we were able to glean earlier. And we're going to do a quick search for PsExec. If anybody is going to use this in Framework, it's exploit/windows/smb/psexec, and if you're using the web UI, the URL that's listed actually has that module string right in the URL, so that you can copy-paste that into the Framework if you aren't using the web UI. And then we're going to go into the PsExec module, and we can actually define different ranges. So if we know we have a scope out there and we know that we've got a good number of systems, the probability is that we're going to see, you know, other machines out there that actually have that same password. So we're going to populate a CIDR range, and then where we have the ability to input the SMBPass, we're going to put that hash in there, and then under SMBUser we're going to define administrator, obviously, as the user, because that's what we want to use. And all you have to do is click "run exploit" and hopefully you're met with a Meterpreter session. Now the nice thing about having Meterpreter is that you can run a lot of scripts, you can do direct interaction with that host, along with all kinds of anti-forensics and other stuff that you can do with that. But the ease of use of using Meterpreter for your sessions brings a lot of extra stuff into it, and it also allows you to directly interact with the command line on that host. So in particular the command that I have on the bottom there, it's kind of hard to read, but that's a shell. So inside Meterpreter we're going to find that we want that command to go directly into the command line on the host, and we're going to use the net command. So if you're not familiar, the net commands are built into all the Windows devices, and we're going to do net user in

here we reason rapid7 the password this password this is a secure password right capital P a SSW Ord number one asterisk that's secure right yeah because it qualifies under all windows requirements for secure passwords if you use that and you put that against John John the Ripper that will last for about two and a half seconds so even though that that is what's considered a secure password by most passwords standards it will fall pretty quickly and then we're gonna do an ad so what we did was we just added that user and then if we actually do a net local group with local group administrators we can elevate that to a local administrator account real quick

and once we have local administrator on one of those machines we can usually just jump right on to a remote session so and using remote desktop we're able to directly interact with the Windows GUI and do whatever we want to in this case we found somebody that had a shared local administrator password that also was also there a via box so any of those voicemails or anything else you can delete or change or whatever you need to do so local admin yeah it's it's nice to have but you're limited you can't do a whole lot of things right so that's where incognito comes in anybody familiar with incognito got one hand two hands a couple awesome so if you're not

familiar, Incognito actually allows you to impersonate current domain sessions by integrating with the session, by impersonating the domain user's token. So we're actually going to do a walkthrough here. Once we have an active session, and this can be a Meterpreter session based on an exploit, this can be a Meterpreter session that we generated by grabbing one of those hashes, doesn't matter, all we need is to grab and make sure that we have a session on a domain host. Once we have that session on the domain host we'll be able to see that things are actually executing; the little yellow line means that we have our session, and from there we're going to drop into Meterpreter. So Meterpreter is again very interactive, and we're gonna use the command "use incognito", and what we're gonna start doing is we're gonna start looking at all of those connections that we may have, whether it's one, whether it's a thousand, to see what host actually has a domain token on there, and what we're looking for specifically is a domain admin. So if I've got Incognito loaded and I'm on the host, the first thing that I'm gonna do is I'm actually gonna do a query to figure out who's in there. There we go, I'm just a slide ahead, I'm sorry. So if we do "help" once you have Incognito loaded, you can see all the options; in particular we're going to look for that list_tokens option, and then we're gonna do a -u. By doing that we're gonna see exactly what sessions and what users have an active session on that host. And the next thing that I'm going to do... so here we go, here's our list_tokens, and on the last line underneath the delegation tokens we can see that we have an administrator, and it's going to be the domain. So we have an R7 domain with an administrator account logged in here. Now that is obviously gonna be a domain admin.

If we need to actually take that a step further, we can start to look and do a net query for domain admins; it would be net group "Domain Admins" /domain, and you can issue all of your net commands directly to whatever the closest DC is by adding that /domain to any of those net commands, and we can verify whether that administrator actually exists in there or not. But just understanding that we have an R7\administrator, that's probably gonna be a domain admin. So the next thing that we want to do is we want to make sure that we're gonna grab that session, and we use the command impersonate_token. With impersonate_token we then also have to specify what token we want to use, and the caveat for this is you actually have to make sure that you have a double backslash in between the domain and the user to interact with this. So, like you can see on the bottom line, we have R7\\administrator. If you don't, that'll error out; I've run into that a lot of times, so it's just a good thing to know. If the stars align and everything works perfectly, we'll be presented with this: it'll say delegation token available and that we've successfully impersonated. Now, just because it says it doesn't mean that it's true, so we can do a getuid command from there and it'll actually tell us what the session is and what user we're actually acting as. And then if we do this long string at the top, this execute -c -H... the old version of Incognito, you could actually just type "shell", but with the new caveats and some of the security controls that Windows has added, you actually have to use this whole string. I'll make these slides available later, or you can get ahold of me and I'll give you this, because it's kind of obnoxious to sit and read, but once we actually execute that you can see that we're gonna drop into the shell on that host, and when we have that, everything we type into that Meterpreter line at the bottom will directly be interacted with in the shell session that we've just generated.

So in particular we're going to take a look and see who's our domain admins. So we can see that if we do that net group "Domain Admins" /domain, it's going to do a query against that domain controller and it's going to give us a list of everybody that exists in that Domain Admins group, and in particular we can see that we have administrator. Now, because we don't have the active credentials, we don't have a hash, we don't have anything like that for that domain admin, we can't really just spread from machine to machine with this session, because we don't have any credentials to provide to other machines. So what's the next thing that we're gonna do? Well, we're gonna start adding users, again using net commands. We use net user, we're going to use rapid7 and that very strong password again, /add /domain, and if everything works correctly we should see that the command has completed successfully. So now we've just added our user, using that session as the domain admin, to the domain. And if anybody is worried about auditing and everything, it was just created by that administrator user, so there is no log out there that says that it was created by someone that didn't have the proper permissions or anything else; you just created it with an already domain administrator account. Next thing is to make sure that we are part of the Domain Admins, because what else would you want, right? So if we do net group "Domain Admins" rapid7 (that's our user) /add /domain, now again we're going to issue that command to the DC, and if everything works properly you should again see that line right in the middle of the screen: this command is completed successfully. So now all of a sudden we've already moved from A to B: we had one exploit that we were able to gain a foothold in the network with, and now we have a domain admin account. Supposedly we do; it says it completed properly, but there's only one way to verify that: let's query the Domain Admins group again. So at the bottom there you can see that instead of just having administrator listed, we also have that rapid7 username listed, and we are now officially part of the Domain Admins group.

Now, to make sure of that and see just how far that actually gives us leverage, we're going to go back to our PsExec module, and by doing that we're gonna use that same rapid7, Password1*, and instead of defining it as WORKGROUP we're gonna make sure that we put our domain in there, because if we have a domain admin we should be able to connect to anything in the domain. And the next slide here, this one was one that I actually did out there: 496 connections after that. So 496 Metasploit sessions off of that one set of credentials that I was able to add. It's a lot of information, it's a lot of connections. I have... yep? No, so this is, we're already long past that password. So what we did is here we've actually created our own user inside the domain, and a domain admin.
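
The two moves walked through above both leave a footprint in the Windows Security log: reusing one local administrator hash through PsExec produces a burst of NTLM network logons (event 4624, logon type 3) from one source to many hosts, and the net user /add followed by net localgroup or net group /add produces an account-created event (4720) followed within seconds by a privileged-group membership change (4732 for a local group such as Administrators, 4728 for a global group such as Domain Admins). The Python below is an added detection example written for this page; it is not part of the talk or of Metasploit. The event records, host names, IP addresses and times are constructed, and the correlation windows and the fan-out threshold are assumptions to tune to the environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Privileged groups whose membership changes we care about (as Windows names them).
PRIV_GROUPS = {"administrators", "domain admins"}


def ev(time, event_id, computer, **fields):
    """Build one constructed Security-log record (not a real log line)."""
    return {"time": time, "event_id": event_id, "computer": computer, **fields}


# Constructed sample events modelled on the steps in the talk. Hosts, IPs and times
# are made up; only the event IDs and field names follow Windows conventions.
SAMPLE_EVENTS = [
    # One local-admin hash reused from 10.0.0.50 against six workstations in 30 seconds
    *[ev(f"2012-02-20 10:00:{5 * i:02d}", 4624, f"WS{i:02d}", target_user="administrator",
         logon_type=3, auth="NTLM", source_ip="10.0.0.50") for i in range(1, 7)],
    # A backup service account touching two file servers: normal fan-out
    ev("2012-02-20 10:02:00", 4624, "FS01", target_user="svc_backup", logon_type=3, auth="NTLM", source_ip="10.0.0.7"),
    ev("2012-02-20 10:02:30", 4624, "FS02", target_user="svc_backup", logon_type=3, auth="NTLM", source_ip="10.0.0.7"),
    # net user rapid7 ... /add  followed by  net localgroup administrators rapid7 /add  on WS01
    ev("2012-02-20 10:01:00", 4720, "WS01", subject_user="administrator", target_user="rapid7"),
    ev("2012-02-20 10:01:10", 4732, "WS01", subject_user="administrator", target_user="rapid7", group="Administrators"),
    # The same two steps with /domain, logged on the domain controller DC01
    ev("2012-02-20 10:05:00", 4720, "DC01", subject_user="administrator", target_user="rapid7"),
    ev("2012-02-20 10:05:30", 4728, "DC01", subject_user="administrator", target_user="rapid7", group="Domain Admins"),
    # Helpdesk creating a user and adding it to a non-privileged group: not flagged
    ev("2012-02-20 11:00:00", 4720, "DC01", subject_user="helpdesk", target_user="jsmith"),
    ev("2012-02-20 11:00:20", 4732, "WS03", subject_user="helpdesk", target_user="jsmith", group="Remote Desktop Users"),
    # An account made admin hours after creation: outside the correlation window
    ev("2012-02-20 09:00:00", 4720, "WS09", subject_user="deploy", target_user="localsvc"),
    ev("2012-02-20 12:00:00", 4732, "WS09", subject_user="deploy", target_user="localsvc", group="Administrators"),
]


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def new_account_to_priv_group(events: List[Dict], window=timedelta(minutes=10)) -> List[Dict]:
    """Flag an account that is created (4720) and then added to a privileged group
    (4732 local, 4728 global) on the same logging host within `window`."""
    created = {}   # (user, computer) -> (creation time, who created it)
    alerts = []
    for e in sorted(events, key=lambda x: parse_time(x["time"])):
        t = parse_time(e["time"])
        key = (e.get("target_user", "").lower(), e["computer"])
        if e["event_id"] == 4720:
            created[key] = (t, e.get("subject_user"))
        elif e["event_id"] in (4728, 4732) and e.get("group", "").lower() in PRIV_GROUPS:
            if key in created and t - created[key][0] <= window:
                alerts.append({"user": key[0], "computer": key[1], "group": e["group"],
                               "created_by": created[key][1],
                               "seconds_after_creation": (t - created[key][0]).total_seconds()})
    return alerts


def ntlm_fanout(events: List[Dict], threshold: int = 5, window=timedelta(minutes=5)) -> List[Dict]:
    """Flag an account with NTLM network logons (4624, logon type 3) to at least
    `threshold` distinct hosts inside any `window`-long interval."""
    per_user = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e.get("logon_type") == 3 and e.get("auth") == "NTLM":
            per_user[e["target_user"].lower()].append((parse_time(e["time"]), e["computer"]))
    alerts = []
    for user, logons in per_user.items():
        logons.sort()
        best, start = set(), 0
        for end in range(len(logons)):            # sliding window over time-ordered logons
            while logons[end][0] - logons[start][0] > window:
                start += 1
            hosts = {c for _, c in logons[start:end + 1]}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= threshold:
            alerts.append({"user": user, "distinct_hosts": sorted(best)})
    return alerts


if __name__ == "__main__":
    for alert in new_account_to_priv_group(SAMPLE_EVENTS) + ntlm_fanout(SAMPLE_EVENTS):
        print(alert)
```

Both rules key on sequence and timing rather than on who performed the action, which is exactly the point the talk makes: the account was created by a legitimate administrator token, so nothing in the individual events is a permission failure. The fan-out rule only works with centralised collection, since each 4624 is written by the workstation that accepted the logon, while the 4720/4728 pair for a domain account lands on the domain controller that serviced the request.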

So once we have that domain admin, now we know what the password is, we know the user, we know the domain, and then if we use that PsExec, and again it doesn't matter whether you use the web UI or if you're doing this from the framework command line, you're gonna start generating sessions across every machine that's connected to the domain and has the ability to allow that domain admin to log on to. So once you have that, obviously you have full control over the domain.

Next part is hardware, right? Hardware's safe? Well, if we go back to the man-in-the-middle session like I had touched on before, Cain and Abel will actually pull out any sort of SSH connections, telnet sessions, anything that they can read, and copy that into a clear-text txt file for you, so you can go through that later and make sure that you can see whether there's logins, you can gain access to switches, routers, firewalls, things like that. And then everybody trusts every one of their contractors, right? You trust them everywhere they go. So the next part is actually getting physical access. Now, I had a gentleman that stopped me when I did this before and said, well, we have pre-boot authentication, and my question was, how many desktops do you have it on? Everybody puts it on their laptops but doesn't generally deploy that internally to those desktops, because they don't move anywhere, right? But how many people can walk by? The ease to put an unauthorized OS onto a USB drive now and get those past physical security is almost minimal. They have, and I actually use one for social engineering, they have a fake quarter that you can actually split in half, put a micro SD card in, put that in your pocket with your change, pass that through as your change, and then you have the little micro SD card reader on your keychain, because they're only about that big now. So this is one of the older readers, this isn't a big bulky one, but on there we have BackTrack 5.

So once you have BackTrack 5 on there, and say either... the next exploit that we're gonna use you can actually use if you have remote access, and say you're doing a two-faceted pen test where you have one person external and one person internal, or you just don't want anybody to walk by and see the big dragon sitting on the screen and go, huh, that doesn't look like Windows. What you can do is you can actually go through the process of mounting that hard drive, and once you've got it mounted you can have access to that SAM database, you can have access to a lot of information on there, but you're still going to be in that terminal, and you're gonna be on the session with a big BackTrack 5 logo, or a BackTrack logo, on the background. If anybody walks by they're gonna notice that. So what I usually do is I replace sethc.exe with cmd.exe. Anybody familiar with sethc.exe? No? That is your sticky keys, your hotkeys executable. Now what's awesome about that is that if you replace that (obviously, you know, create a backup, .old or something, with the original), if you go to the logon screen and you hit Shift five times to bring up that sticky keys menu, now you're gonna actually get presented with a command line, and this is running with SYSTEM-level permissions. So now you've just rebooted, you can open up the command prompt, use your net commands, and now you can add net users or whatever you need to, all from the login screen. So in the background this is a Windows 2008 box, and it's unauthenticated when you hit Shift five times. So it's a cool little fun thing, and if you actually show a client that in video, it gives them a moment. So the next thing is to take an understanding and look at this and actually start looking at how to keep going and how to keep looking at these

things for more information. In particular, one of the really good free resources online is the Offensive Security Metasploit Unleashed tutorial. It's a whole walkthrough and it's a hands-on engagement, it's a hands-on learning utility for learning Metasploit as a whole; they go through a lot of different things, it's a great resource. community.rapid7.com has kind of taken over from some of the old Metasploit community stuff, so a lot of the Metasploit input is all on the community side anymore now, so people will donate code, they will put scripts up there, they will put a lot of information, things that they've run into, things to look out for, up there for you to read later. securitybsides.com, that you're at one of now: look for them, take part in them, again, be up here. I want to come and see you guys actually talking instead of listening to me drone through this stuff up here. And then Metasploit: The Penetration Tester's Guide, awesome book, if anybody's familiar, Dave Kennedy et al., a very, very good book. I've read it a number of times and still continue to pick stuff up. And then your local DC, DEF CON groups. Anybody familiar with DC groups? Cool, take part in them. These are the guys that are actually out there in the trenches, these are the guys that are working through this stuff, they have their hands on this stuff every day, they're always coming up with stuff. This is a great place to actually find information, get more detail, go out and learn how to pick locks, go out and learn how to, you know, just talk infosec, and start to actually leverage the ability from... maybe, if you're looking for a position in pen testing, you might be able to meet somebody that's looking to hire somebody in pen testing. And then the local hackerspace. Everybody familiar with hackerspaces? Anybody? Cool. They're all over the world, so you can find hackerspaces from here to Vienna to New York to everywhere around the world; there's hackerspaces out there, and cool places again to go and meet people.

The big thing is making sure that you're networking. The keynote this morning touched upon it: networking with the people that you don't know, or that aren't in your normal circle, is key to making sure that not only does your career grow, but your information, your knowledge and everything grows, and it really is, knowledge is power. So the whole thing to take away from this is, you know, look at things from start to finish, but make it small pieces. Look at the little things and then connect those along the way, because if you all of a sudden have a huge infrastructure, you have a huge scope and you have a huge engagement to do, you're not going to actively be able to function if it's all one big piece. Break that out, understand the little bits and pieces that will get you from A to B, and you'll have domain admin in no time. So, anybody? Yep, sure.

And that's when you want to actually start... I do a secondary version of this presentation, which is an auditor's introduction, and it goes into more about knowing the people. This is more like the technical talk, but you really want to make sure that you create a relationship with your pen tester. Don't only interview the company that is going to bring that pen tester on, but try to interview that pen tester themselves, because if he is only as good as the tool, then he's only as good as the tool, and you'll find that out real quick by just talking to them. If they can tell you, you know, what nmap is, and they can tell you what Metasploit is, and they can tell you what every other tool is, that's cool, but it doesn't break them out of the fact that it's still a tool that you're hiring. Make sure that, because especially as an organization, that pen tester is going to have access to data that you don't want people to have access to, interview them just as much as you would interview any vendor, any product, any supplier, anyone else, because they will be that employee essentially for you while they're on that engagement. And any good pen tester is not going to end that at the end of that engagement; they're gonna make sure that you create that relationship, because later on you don't want somebody new that's touching your data every year, every six months, because then you start getting into the part of, what are they doing with that, where are they taking it, are they taking it, what are they doing with all that information after the fact. You really do want to create a strong relationship with whoever's doing that pen test, and making sure that you know them, they know you, and they know your objectives, and you know what their level of experience is by looking at those objectives and applying that mindset to more of, then, okay, I can do that, because if that's their response to everything, you're just buying a tool in more sense of the word than just that.

So, anybody else? All right. So here's my contact information. If you guys have any questions, and later on if you want any information, if you want to add me on Twitter, feel free. I try to answer this stuff as quickly as possible, I make myself available, especially to community members, for whatever you guys run into in the future. So thank you very much.
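
The sticky-keys swap described earlier in the talk (cmd.exe copied over sethc.exe, with the original parked as a .old backup) is a file-integrity problem and can be checked for on disk, on the live host or on a mounted image. The Python below is an added defensive example written for this page; it is not from the talk. demo() builds constructed stand-ins for System32 in a temporary directory, the known_good_sha256 argument is a placeholder for a hash you record from a trusted build, and the live check of %SystemRoot%\System32 only runs on Windows.

```python
import hashlib
import os
import sys
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

ACCESSIBILITY_BINARY = "sethc.exe"   # Sticky Keys helper launched from the logon screen
SHELL_BINARY = "cmd.exe"


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, streamed so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_sticky_keys(system32: Path, known_good_sha256: Optional[str] = None) -> List[str]:
    """Return human-readable findings for the folder; an empty list means nothing looked swapped."""
    findings = []
    sethc = system32 / ACCESSIBILITY_BINARY
    if not sethc.is_file():
        return [f"{ACCESSIBILITY_BINARY} is missing from {system32}"]
    sethc_hash = sha256_of(sethc)

    # 1. The swap in the talk copies cmd.exe over sethc.exe, so the two files become identical.
    cmd = system32 / SHELL_BINARY
    if cmd.is_file() and sha256_of(cmd) == sethc_hash:
        findings.append(f"{ACCESSIBILITY_BINARY} is byte-identical to {SHELL_BINARY}: replaced with a shell")

    # 2. Optional comparison against a baseline hash recorded from a trusted build (placeholder input).
    if known_good_sha256 and sethc_hash != known_good_sha256.lower():
        findings.append(f"{ACCESSIBILITY_BINARY} hash {sethc_hash[:16]}... differs from the recorded baseline")

    # 3. The original is usually parked beside the fake (sethc.old, sethc.exe.bak, ...); flag such leftovers.
    for leftover in sorted(system32.glob("sethc.*")):
        if leftover.name.lower() != ACCESSIBILITY_BINARY:
            findings.append(f"unexpected file beside {ACCESSIBILITY_BINARY}: {leftover.name}")
    return findings


def demo() -> Tuple[List[str], List[str]]:
    """Build two constructed, fake System32 folders in a temp dir and check both.
    Returns (findings for the tampered folder, findings for the clean folder)."""
    with tempfile.TemporaryDirectory() as tmp:
        tampered, clean = Path(tmp) / "tampered", Path(tmp) / "clean"
        fake_cmd = b"MZ constructed stand-in for cmd.exe"
        fake_sethc = b"MZ constructed stand-in for the real sethc.exe"
        for folder in (tampered, clean):
            folder.mkdir()
            (folder / SHELL_BINARY).write_bytes(fake_cmd)
        (clean / ACCESSIBILITY_BINARY).write_bytes(fake_sethc)
        (tampered / ACCESSIBILITY_BINARY).write_bytes(fake_cmd)   # cmd.exe copied over sethc.exe
        (tampered / "sethc.old").write_bytes(fake_sethc)            # the backup the talk mentions
        return check_sticky_keys(tampered), check_sticky_keys(clean)


if __name__ == "__main__":
    if sys.platform == "win32":   # live check of the running host
        system32 = Path(os.environ.get("SystemRoot", r"C:\Windows")) / "System32"
        print(check_sticky_keys(system32) or ["no findings"])
    else:                         # anywhere else: show the constructed demo
        bad, good = demo()
        print("tampered folder:", bad)
        print("clean folder:", good)
```

Two points on the design. Hash equality with cmd.exe catches exactly the swap in the talk, and it is needed because a renamed copy of a Microsoft-signed binary still carries a valid Authenticode signature, so PowerShell's Get-AuthenticodeSignature on its own would report the fake sethc.exe as valid; the baseline-hash comparison covers replacements that are not a copy of cmd.exe. And since the swap is done from a USB-booted OS with the disk mounted offline, the durable mitigation is the one the speaker was challenged with: pre-boot authentication on desktops as well as laptops, so the volume cannot be mounted and written without the key.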