Your vulnerability scanner reports that there are no issues on your network. A pentester has spent the last week trying to exploit every system your organization owns with no luck. The check box for this year's compliance audit has been checked. While it is good that these things occurred, they do not complete the picture in regards to true risk. Real attackers do not solely rely on software exploits to compromise an environment. In almost every breach you hear about the root of the compromise came from a phishing attack. This is why additional tests, post-infection, should be performed to assess just how far an attacker can go after gaining a foothold into your environment. What command and control channels are available for an attacker to utilize to communicate with your internal systems? How easy is it for an attacker to move laterally within your environment and gain access to other systems? What are your detection capabilities when it comes to sensitive data being exfiltrated out of your environment? How do you test these attacker techniques using open-source tools? This lecture will address these questions and more, including a showcase of attacker methodologies.

1. Beyond the Pentest
How C2, Internal Pivoting, and Data
Exfiltration Show True Risk
Beau Bullock

2. Beyond the Pentest
What does a standard internal network pentest already
cover?
Port scans
Vulnerability scanning
Manual validation
Provide recommendations

3. What is Wrong With This
Attackers don’t
vulnerability scan - too
noisy
Misses some very critical
vulnerabilities
Doesn’t account for
domain systems already
compromised

4. whoami
Beau Bullock
Pentester at Black Hills
Information Security
Host of Hack Naked TV
Previously an enterprise defender
OSCP, GXPN, GPEN, GCIH,
GCFA, OSWP and GSEC

5. What Are We Missing
Three major things
Command and Control
Internal Pivoting
Data Exfiltration

6. How Do We Test These
Start with the basics
Standard domain user account
Lowest level of access typically provisioned
Standard system build
Anyone on leave? Steal their system
Standard network access

7. Command and Control

8. Command and Control
Three focus areas
Payload delivery
Email, web, etc.
Client-based protections
AV, application whitelisting, HIDS, etc.
Network-based protections
Egress filtering, IDS/IPS, inline payload detonation

9. C2: Payload Delivery
What can be emailed to your employees?
Executable
PDF
Word DOC or XLS w/ macro
Batch file
Encrypted ZIP
Extensionless files?

10. C2: Payload Delivery
Protip:
Many webmail services scan attachments for
malware
Some don’t allow EXE’s altogether
Yahoo’s MTA does not scan, and allows EXE’s
Use a third-party mail client to send through Yahoo

11. C2: Payload Delivery
What can be downloaded?
How about browser or Java or Adobe exploits?
Are users allowed to insert USB drives?

12. C2: Client-Based
Protections
Did anything detect the payload after entry?
Anti-Virus
Application whitelisting
SIEM alerts

13. C2: Client-Based
Protections
Payload types
Non-encoded EXE
Encoded EXE
ShellCode injection
Word Doc w/ macro
Software exploit
Physical access (rubber ducky)

14. C2: Client-Based
Protections
Bypassing Client-based protections
Veil-Evasion
Framework for creating custom malware
PowerSploit
Shellcode injection directly into memory
Obfuscation

15. C2: Network-Based
Protections
Was the C2 channel detected?
Firewall block
IDS/IPS detection
Inline Detonation

16. C2: Network-Based
Protections
What does an outbound portscan reveal?
open.zorinaq.com
Weak egress filtering provides more legroom for C2
DLP might miss items not sent over standard ports

17. C2: Some Typical C2
Channels
Standard TCP
HTTP/HTTPS
DNS
ICMP

18. C2: C2 Through A Web
Proxy
Meterpreter Reverse_https
Uses proxy settings on system
PowerShell Empire!!!
Same as above but in PowerShell
Appears as web traffic through your web proxy

20. C2: C2 Over Social Media
Can your users get to any social media sites?
Twittor - Uses Twitter direct messages as a C2
channel
GCAT - Uses Gmail as a C2 channel
Sneaky-Creeper - Uses Twitter, Tumblr, and
Soundcloud as a C2 channel

22. C2: C2 over DNS
DNScat
Tunnels traffic through DNS requests
C2 channel through NS Records
C2 even with EVERY port blocked outbound from the
client
https://github.com/iagox86/dnscat2

24. C2: C2 over ICMP
Invoke-PowerShellICMP
Tunnels traffic through ICMP echo-requests and
echo-replys
ICMP is commonly allowed through firewalls
https://github.com/samratashok/nishang/tree/master/Shells

26. Internal Pivoting

27. Internal Pivoting
Use built-in tools as a low level user to compromise a
network
No vuln scans needed
Less noise
Escalate privileges; locate sensitive data

28. Pivot: GPP Passwords
May 13, 2014 – MS14-025
Passwords of accounts set
by GPP are trivially
decrypted!
…by ANY authenticated
user on the domain
Located in groups.xml files
on SYSVOL
https://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be.aspx
http://blogs.technet.com/b/srd/archive/2014/05/13/ms14-025-an-update-for-group-policy-preferences.aspx
https://dirteam.com/sander/2014/05/23/security-thoughts-passwords-in-group-policy-preferences-cve-2014-1812/

29. Pivot: GPP Passwords
First thing I check for on an internal
assessment
Almost always find an admin
password here
Find it with:
PowerSploit - Get-
GPPPassword
Metasploit GPP Module
Or…
C:>findstr /S cpassword %logonserver%sysvol*.xml

30. Pivot: Privilege Escalation
Local privilege escalation
Are we already a local
admin?
PowerUp
Invoke-AllChecks looks
for potential privilege
escalation vectors
http://www.verisgroup.com/2014/06/17/powerup-usage/

31. Pivot: Misconfigured
Systems
Occasionally, admins get lazy… and do things like add
“Domain Users” group to the “Local Administrators”
group

32. Pivot: Misconfigured
Systems
This means EVERY domain user is now is an
administrator of that system
Veil-PowerView Find-LocalAdminAccess
Veil-PowerView Invoke-ShareFinder
http://www.harmj0y.net/blog/penetesting/finding-local-admin-with-the-veil-framework/

33. Pivot: Password Spraying
Domain locks out accounts after a certain number of
failed logins
Can’t brute force
Solution:
Try a number of passwords less than the domain
lockout policy against EVERY account in the domain

34. Pivot: Password Spraying
Lockout Policy = Threshold of five
Let’s try one password across every account
What passwords do we try?
Password123
Companyname123
SeasonYear
C:>@FOR /F %n in (users.txt)
DO @FOR /F %p in (pass.txt) DO
@net use DOMAINCONTROLLER
IPC$ /user:DOMAIN%n %p 1>NUL
2>&1 && @echo [*] %n:%p &&
@net use /delete
DOMAINCONTROLLERIPC$ > NUL

35. Pivot: Password Spraying

36. Pivot: LLMNR & NBTNS
Poison
LLMNR = Link-Local Multicast Name Resolution
NBT-NS = NetBIOS over TCP/IP Name Service
Both help hosts identify each other when DNS fails

37. Pivot: LLMNR & NBTNS
Poison
http://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning

38. Pivot: LLMNR & NBTNS
Poison
SpiderLabs Responder
Inveigh PowerShell Script
The result is that we obtain NTLM challenge/response
hashes
Crack hashes
https://www.trustwave.com/Resources/SpiderLabs-Blog/Introducing-Responder-1-0/

39. Sensitive Data Hunt

40. Sensitive Data: Info
Disclosure on Shares
Sensitive files on shares?
Find them with PowerView
ShareFinder then FileFinder
FileFinder will find files with the following
strings in their title:
‘*pass*’, ‘*sensitive*’, ‘*admin*’,
‘*secret*’, ‘*login*’, ‘*unattend*.xml’,
‘*.vmdk’, ‘*creds*’, or ‘*credential*’

41. Sensitive Data: Locate RDP
Jump Hosts
Where are users RDP’ing to?
Can provide insight into where critical systems are
Get-NetComputers | Get-NetRDPSessions | Export-
Csv –NoTypeInformation rdpsessions.csv
http://www.harmj0y.net/blog/powershell/powerquinsta/

42. Sensitive Data: Virtualization
Hypervisors

43. Data Exfiltration

44. Data Exfiltration
What are organizations concerned about leaving their
networks?
PCI data
Patient health information
Personally Identifying Information
Intellectual property

45. Data Exfiltration
How can attackers get data out of your network?
Email
Web Access
USB Drive
Photo

46. Data Exfil: Email
For email is DLP being enforced on the following?
Cleartext in email body
Encoded in email body
Attachments
Optical Character Recognition

47. Data Exfil: Web
Is all web traffic subject to DLP inspection?
Same types of tests as email are performed but
tracking over standard and non-standard web ports

48. Data Exfil: USB Drives
Are files allowed to be copied to a USB drive?
Encryption
DLP
Blocked completely

49. Putting It All Together

50. Attack Scenario
Target Organization Setup
Firewall only allows outbound traffic through web
proxy
AV up to date on clients
Email gateway allows Doc files
Local Administrator account is widespread with same
credentials

51. Attack Scenario
Phishing email is crafted with Word doc attachment
Word doc is weaponized with a Macro
Email is sent to target employee

52. Attack Scenario
Employee opens email
Downloads attached .doc
Enables content
Macro runs PowerSploit
PowerShell script to inject
Meterpreter Reverse_https
into memory
Meterpreter C2 channel is
established

53. Attack Scenario
Password spray from the command line
Spring2016?
Run Find-LocalAdminAccess to find where the users
are local admin
Pivot using psexec

54. Attack Scenario
Attacker dumps local user hashes (including local
admin)
Local administrator credential is not randomized
Using PowerView UserHunter the attacker finds where
Domain Admins are located

55. Attack Scenario
Attacker pivots to DA
workstation
Runs Mimikatz to dump
creds from memory
Locates sensitive data
with PowerView
ShareFinder
Exfils data

57. Summary

58. Summary
What are the benefits of this style of testing?
Real test of detection and incident response
Shows how an attacker can go from low access to
owning the environment
Shows true risk to the organization

59. Thank You!
beau@blackhillsinfosec.com
beau@dafthack.com
@dafthack