net-sec-samenvatting/05_post_exploitation.md

6.8 KiB

Post-Exploitation

Pilfering

  • retrieve useful information from machine
    • passwords (/etc/shadow, hashdump SAM database)
    • cryptographic keys (SSH, PGP, GPG)
  • /etc/passwd format: fields separated by colons
    • jef:$y$salty$youwish:20022:0:99999:7:::
      1. jef: username
      2. $1$salty$youwish: hash id, salt and password hash
      3. 20022: day password was last changed (unix timestamp but in days)
      4. 0: minimum age of password before it can be changed again
      5. 99999: max age of password, after how many days password must be changed
      6. 7: how many days before expiring the user should be warned
      7. number of days after password expired that user should be locked out (usually empty)
      8. expiration date of account
  • moving files
    • push file directly if firewall allows it
    • otherwise send command to target to pull target from client
    • use whatever protocol works best (FTP, SMB...)
    • meterpreter supports sending files
  • Windows
    • user credentials cached in Microsoft Credential Manager
      • extract using credential cache dumping tools
      • requires admin
    • service account passwords stored encrypted in LSA secrets section of registry
      • Mimikatz lsadump can dump these
    • wireless client profiles can be extracted if admin
  • other
    • source code of services for vulnerability analysis
    • scripts for hardcoded passwords
    • files left behind by users that shouldn't be
    • browser passwords
    • machines with which machine has recently communicated (find pivot targets)
    • DNS servers
    • web servers
    • mail
    • ...

Password attacks

  • guessing
    • generates lots of traffic
    • can lock out accounts
    • slower than cracking
    • spray attack: try single password on list of users
  • cracking
    • steal hashed password and compare hashes
    • runs on attacker's machine -> stealthier
  • important for assessing security posture of network
    1. access control evaluation
      • assess password strength
      • password policies
    2. credential-based attacks
      • brute force: try many combination to expose weak or default passwords
      • dictionary: use list of common password
      • credential stuffing: use credentials from previous breaches
    3. privilege escalation
    4. social engineering: trick users into revealing passwords
  • MFA
    • prevent leak of password from becoming a breach
    • bypassing
      • phishing or man-in-the-middle
      • expose implementation flaws
        • insecure methods, e.g. SMS or email
        • session hijacking, e.g. intercepting cookies
      • social engineering, e.g. pose as tech support
      • SIM swapping: get victim's phone number reassigned to new SIM card
      • use backup codes or account recovery
      • push notification bombing
  • using dictionaries
    • large word list for password cracking
    • small tailored list for password guessing
  • cracking not always needed
    • sniff cleartext protocols
    • keystroke logging
    • pass-the-hash techniques use hash directly
  • clean up after pentest (don't leave cracked passwords lying around)
  • lockouts
    • password guessing can lock accounts
    • Windows: original admin account can't be locked out
      • admin has SID suffix of 500
      • if multiple admin accounts, only 1 is safe
    • Linux: lockouts not always configured
      • if so, done using PAM
      • root account not locked out by default
    • prevention
      • just don't guess passwords
      • ask target personnel for info on policy
      • create test account for pentest
      • attempt 1 password per observation window

Password representation

  • Windows
    • Security Accounts Manager (SAM) for modern desktop versions
      • stores all local account info
      • login info from domain users that connected to the machine
      • encrypted SAM database
      • password hashes stored in registry
    • LANMAN (LM) or NT hashes
    • Active Directory newer alternative

Lanman hash

  • operation
    1. truncate password to 14 characters (pad with NUL bytes if less)
    2. convert to uppercase
    3. split into two 7-char pieces
    4. use each piece as 7-byte DES key to encrypt 64-bit known constant KGS!@#$%
    5. hash is concatenation of two 8-byte outputs
  • this hash is criminally bad

NT hash

  • operation
    1. convert password (max 256 chars) into UTF-16 little endian format
    2. hash using MD4 (no salt)
  • better but still pretty bad

Windows challenge-reponse authentication

  • mutiple forms of network cryptographic authentication
    • LANMAN challenge/response: legacy-only, uses LM hash
    • NTLMv1: also legacy, uses NT hash
    • NTLMv2: stronger security, uses NT hash
    • Microsoft Kerberos

LANMAN and NTLMv1

  • operation
    1. client initiates authentication
    2. server sends 8-byte challenge
    3. client formulates response
      1. pad LM/NT hash to 21 bytes
      2. split hash in three 7-byte pieces
      3. use each piece as DES key to encrypt challenge
      4. response is 3 8-byte outputs
    4. server calculates same response and compares
  • problems
    • attacker can sniff both challenge and response and try to crack
    • rogue server could issue static challenge for which it has rainbow tables
      • works because neither hash uses salting
    • without rogue server, method is slower than cracking hashes in SAM db
      • no access to actual hash
      • attacker needs to perform DES encryption

NTLMv2

  • operation
    1. client sends authentication request
    2. server sends 8-byte server challenge
    3. client formulates response
      1. creates NTLMv2 hash using HMAC-MD5
        • data: username and domain name
        • key: NT hash
      2. creates NTLMv2 response using HMAC-MD5
        • data: server challenge + data blob (client challenge, timestamp, fields for integrity / security)
        • key: NTLMv2 hash
    4. client sends response to server
    5. server computes validity of response using stored NT hash and received fields
  • cracking still possible but much slower
    • stronger hash is used
    • timestamp protects against replay attacks
    • rainbow tables not useful due to variability of client challenge

NTLM relay attacks

  • both versions vulnerable
  • possible if attacker can access server client usually uses
    • ARP or DNS spoofing
    • phishing
    • cross-site scripting attacks
  • operation
    1. attacker poses as authentication server
    2. attacker relays authentication request messages to real server -> acts as authenticating client
    3. attacker receives authentication and returns error message to client