4. Key learning points:
Windows Firewall is often misconfigured
Firewall is a great segmentation tool
You can allow only certain processes to communicate with the Internet or locally
No need to know processes to block them, you can operate on the services list
In Windows Firewall there are a couple of things missing:
x Filtering by the group of computers
x Detailed logging for network traffic
x Expandability – there are not many options
x No correlation between process and network traffic – whose role is this?
5.
6. Key learning points:
Almost always there are passwords reused
Almost always (ekhm… always) there is some variant of company name and some number (year, month etc.)
It makes sense to check for obvious passwords and continuously deliver security awareness campaigns
Typical password locations
NTDS.dit, SAM
Configuration files
Registry
Memory dumps, Hiberfil.sys
Databases (DPAPI ?)
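One way to run the "check for obvious passwords" point from this slide, as an added example that is not part of the original deck: it flags candidate passwords that are only the company name (with common character substitutions) padded by digits, punctuation or month names, and groups accounts that share a password digest. The organisation name "Contoso", the candidate list and the digest labels are constructed placeholders.

```python
import re
from collections import defaultdict

# Common character substitutions, per letter of the organisation name.
LEET = {"a": "a4@", "e": "e3", "i": "i1!", "o": "o0", "s": "s5$", "t": "t7"}
MONTHS = (r"jan(?:uary)?|feb(?:ruary)?|mar(?:ch)?|apr(?:il)?|may|june?|july?|"
          r"aug(?:ust)?|sep(?:t(?:ember)?)?|oct(?:ober)?|nov(?:ember)?|dec(?:ember)?")
# Padding allowed around the name: single digits, punctuation, month names.
FILLER = r"(?:\d|[\W_]|%s)" % MONTHS

def name_pattern(org_name):
    """Regex for org_name (substitutions allowed) wrapped only in FILLER."""
    core = "".join("[%s]" % re.escape(LEET.get(c, c))
                   for c in org_name.lower() if c.isalnum())
    return re.compile("^%s*%s%s*$" % (FILLER, core, FILLER), re.IGNORECASE)

def is_obvious(password, org_names):
    """True if the password is just an organisation name plus padding."""
    usable = [n for n in org_names if any(c.isalnum() for c in n)]
    return any(name_pattern(n).match(password) for n in usable)

def reused(account_digests):
    """Groups of accounts whose password digests are identical."""
    groups = defaultdict(list)
    for account, digest in account_digests.items():
        groups[digest].append(account)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

# Constructed sample data for the demonstration.
ORG_NAMES = ["Contoso"]
SAMPLE_CANDIDATES = ["Contoso2017", "C0nt0s0!2017", "May2017Contoso",
                     "contoso_17", "Contosoland", "Summer2017",
                     "correct horse battery staple"]
SAMPLE_DIGESTS = {"svc_sql": "digest-A", "alice": "digest-B",
                  "svc_backup": "digest-A", "bob": "digest-C"}

def audit():
    """Return (flagged candidate passwords, groups of accounts sharing a digest)."""
    flagged = [p for p in SAMPLE_CANDIDATES if is_obvious(p, ORG_NAMES)]
    return flagged, reused(SAMPLE_DIGESTS)

if __name__ == "__main__":
    print(audit())
```

The same `is_obvious` check can sit in a password-change workflow to reject such values before they are set.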
10. Key learning points:
Set SPNs for services to avoid NTLM:
SetSPN -L <your service account for AGPM/SQL/Exch/Custom>
SetSPN -A Servicename/FQDN of hostname/FQDN of domain domain\serviceaccount
Reconsider using Kerberos authentication all over
https://technet.microsoft.com/en-us/library/jj865668.aspx
Require SPN target name validation
Microsoft network server: Server SPN target name validation level
Reconsider turning on SMB Signing
Reconsider port filtering
Reconsider code execution prevention but do not forget that this attack leverages administrative accounts
11.
12. Key learning points:
Common file formats containing malware are:
.exe (Executables, GUI, CUI, and all variants like SCR, CPL etc)
.dll (Dynamic Link Libraries)
.vbs (Script files like JS, JSE, VBS, VBE, PS1, PS2, CHM, BAT, COM, CMD etc)
.docm, .xlsm etc. (Office Macro files)
.other (LNK, PDF, PIF, etc.)
If SafeDllSearchMode is enabled, the search order is as follows:
1. The directory from which the application loaded
2. The system directory
3. The 16-bit system directory
4. The Windows directory
5. The current directory
6. The directories that are listed in the PATH environment variable
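The search order above, modelled as an added example (not code from the original slides): it walks the listed directories in order for a given DLL name and reports which copy wins, which copies are never reached, and which untrusted writable directories are searched before the winner. The directory layout, file names and the `trusted` set are constructed for illustration.

```python
import os
import tempfile

def search_order(app_dir, system_dir, system16_dir, windows_dir, cwd, path_var, sep=";"):
    """Directories in the SafeDllSearchMode order listed on the slide."""
    return [app_dir, system_dir, system16_dir, windows_dir, cwd] + \
           [p for p in path_var.split(sep) if p]

def holds(directory, dll_name):
    """Case-insensitive lookup, since Windows file names are case-insensitive."""
    try:
        return any(e.lower() == dll_name.lower() for e in os.listdir(directory))
    except OSError:  # missing or unreadable directory contributes nothing
        return False

def audit_dll(dll_name, order, trusted):
    """Return the directory that wins the search plus the risks around it."""
    hits = [d for d in order if holds(d, dll_name)]
    winner = hits[0] if hits else None
    cutoff = order.index(winner) if winner else len(order)
    return {
        "winner": winner,
        "shadowed": hits[1:],  # copies that are never reached
        "untrusted_winner": winner is not None and winner not in trusted,
        # untrusted, writable directories searched before the winner:
        # a file placed there would be loaded instead
        "plantable": [d for d in order[:cutoff]
                      if d not in trusted and os.access(d, os.W_OK)],
    }

def build_sample_tree(root):
    """Constructed sample layout standing in for a Windows host."""
    names = ["app", "system32", "system", "windows", "cwd", "tools"]
    dirs = {n: os.path.join(root, n) for n in names}
    for d in dirs.values():
        os.makedirs(d)
    for where, dll in [("system32", "version.dll"), ("app", "VERSION.dll"),
                       ("tools", "helper.dll")]:
        open(os.path.join(dirs[where], dll), "wb").close()
    return dirs

def demo():
    with tempfile.TemporaryDirectory() as root:
        d = build_sample_tree(root)
        order = search_order(d["app"], d["system32"], d["system"],
                             d["windows"], d["cwd"], d["tools"])
        trusted = {d["system32"], d["system"], d["windows"]}
        return (d, audit_dll("version.dll", order, trusted),
                audit_dll("helper.dll", order, trusted))

if __name__ == "__main__":
    for report in demo()[1:]:
        print(report)
```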
18. Key learning points:
The best operators won't use a component until they know how it breaks.
Almost every solution has some ‘backdoor weakness’
Some antivirus solutions can be stopped by SDDL modification for their services
Configuration can be monitored by Desired State Configuration (DSC)
DSC if not configured properly will not be able to spot internal service configuration changes
Example: how do I get to the password management portal?
19.
20. Key learning points:
gMSA can also be used for the attack
Service accounts’ passwords are in the registry, available online and offline
A privileged user is someone who has administrative access to critical systems
Privileged users sometimes have more access than we think (see: SeBackupRead privilege or SeDebugPrivilege)
Privileged users have the possibility to read SYSTEM and SECURITY hives from the registry
Warning! Enabling Credential Guard blocks:
x Kerberos DES encryption support
x Kerberos unconstrained delegation
x Extracting the Kerberos TGT
x NTLMv1
21.
22. Key learning points:
Worldwide spending on information security is expected to reach $90 billion in 2017, an increase of 7.6 percent over 2016, and to top $113 billion by 2020, according to advisory firm Gartner
With increasing budget the risk of possessing hipster tools increases too – do we know where these tools come from and what their security practices are?
Lots of solutions were not created according to good security practices (backup software running as Domain Admin etc.)
Each app running in the user’s context has access to secrets of other apps – Data Protection API
Case of CCleaner
23.
24. Infrastructure can be a silent killer
Isolate infrastructure components so that in case of attack they prevent spreading
Engage with the network security guys
Review servers’ and workstations’ configuration periodically
Vulnerability Management
Put on the Hacker’s Shoes
External + Internal + Web Penetration tests
Configuration reviews
Prevention
Start implementing the monitoring and execution prevention
25. Thank you!
Paula Januszkiewicz
CQURE: CEO, Penetration Tester / Security Expert
CQURE Academy: Trainer
MVP: Enterprise Security, MCT
Microsoft Regional Director
Contact: paula@cqure.us | http://cqure.us
Editor's Notes
Which of you would be ashamed of a hack?
Story of disappointment
Connecting to the network and…?
Story with the icecream truck
Vendors have their own
Hacking videos
[5]
Cloudflare 2014: DDoS proved these attacks aren't just theoretical. To generate approximately 400Gbps of traffic, the attacker used 4,529 NTP servers running on 1,298 different networks.
Spamhaus - attacks that reached a peak of 75Gbps
CloudFlare reckons 30,000 unique DNS resolvers have been involved in the attack against Spamhaus
https://www.theregister.co.uk/2013/03/27/spamhaus_ddos_megaflood/
Downgrade:
It was initially designed and developed by Sybase Inc. for their Sybase SQL Server relational database engine in 1984, and later by Microsoft in Microsoft SQL Server.
Password decoding - line 99 - https://github.com/SpiderLabs/Responder/blob/master/servers/MSSQL.py
Asking about old version - line 351 and next - https://github.com/SpiderLabs/Responder/blob/master/packets.py
If you really want to understand the answer sent by SQL to client, refer to: https://msdn.microsoft.com/en-us/library/dd357559.aspx and go to ~30% and see the VERSION row in the PL_OPTION_TOKEN table.
[15]
Normally such things happen after patching.
Script – information – RDP Operational
Prefetch – mimikatz.
Local Admin vs. Domain Admin story.
[15]
Broadcast Domain
The set of all devices that will receive broadcast frames originating from any device within the set. Broadcast domains can be bounded by VLANs in a stand-alone environment. In an interworking environment, they are typically bounded by routers because routers do not forward broadcast frames.
Results are more harmful
[20]
How can we use MSDCC2 within the attack? Is it really useless for bad guys?
[25]
Note that this does not include the per-application path specified by the App Paths registry key. The App Paths key is not used when computing the DLL search path.
[30-35]
[35-40]
https://twitter.com/thedudolf
Clicked on a speaker icon cause this is a voice message
[40-45]
http://www.ebay.com/itm/11114-E-Novelty-Pipe-Raccoon-Life-Size-Taxidermy-Mount-Coon-Possum-/161031671900
Over the years vulnerabilities have been and continue to be discovered in the deprecated SSL protocols (e.g. POODLE, DROWN). Most modern browsers will show a degraded user experience (e.g. line through the padlock or https in the URL bar, security warnings) when they encounter a web server using the old protocols. For these reasons, you should disable SSL 2.0 and 3.0 in your server configuration, leaving only TLS protocols enabled.
Some of the things that v1.3 is going to provide:
Complete removal of things that are known to be cryptographically weak such as MD5, RC4, and weak elliptic curves
Dropping support for seldom-used features like compression and “change cipher” ciphers; and adding new elliptic curves
It will be much faster and more resilient to attacks that break older versions of the TLS protocol
SQL authentication
Tabular Data Stream, invented in '84 by Sybase
[50]
Kill -9
Pending Renames
[60]
gMSAs should be monitored in the same way
[65]
Github
Online repositories -> spoofing, but MORE IMPORTANT is the TYPO on GITHUB
[72]
So now… How would you feel
Ambition
And then shame
100% security
Risk small medium
Despite the pervasive nature of cyber, organizations should focus on risk assessment
Media is big about cyber – this leads to disproportionate fear.
Deal with it from a risk management perspective, not from fear, and not to make a system that is 100% watertight.
Licence: Common
Infrastructure can be a silent killer. One day you’re running a company to deliver something special and new to customers — completely unrelated to the underlying technology making it possible — and the next, you’re stymied by bills or bugs. Not to mention, plagued by performance problems. How disappointing to get taken down by something so foundational when your company is taking off! Yet it happens all the time.