Adversary Village - New Generation of PEAS

Formal metadata

Title
Adversary Village - New Generation of PEAS
Number of parts
84
License
CC Attribution 3.0 Unported:
You may use, modify, reproduce, distribute and make publicly available the work or its content, in unchanged or changed form, for any legal purpose, provided that you credit the author/rights holder in the way they specify.

Content metadata

Abstract
Local privilege escalation techniques go far beyond checking the Windows/kernel version, looking for unquoted service paths or checking SUID binaries. Moreover, a local privilege escalation can make a huge difference when trying to compromise a domain. Several tools have been created to find possible privilege escalation paths, but most of the tools for Red Team and Pentesting just check for a few possible ways, so pentesters need to use several tools and do some manual recon to check for everything. PEASS is a compilation of a bash script for Linux/MacOS/*nix and a .NET project and a batch script for Windows that I created some time ago, which aims to check and highlight every possible privesc path so professionals don't need to execute several different tools for this purpose and can very easily find vulnerabilities. During this talk I would like to present PEASS-ng. The architecture of these scripts has evolved and improved so much that I would like to present how they work at the moment and how the difficulty of collaborating with the project has been reduced significantly. Moreover, I would also like to present the 2 new PEAS that haven't been presented anywhere yet: BotPEAS and WebPEAS (the latter will be released the day of the talk). During the talk I will also present my local privilege escalation resources (https://book.hacktricks.xyz/linux-unix/privilege-escalation , https://book.hacktricks.xyz/windows/windows-local-privilege-escalation) so attendees will be able to continue learning about the topic after the talk.
Transcript: English (auto-generated)
So first of all, thank you very much for having me here today. I'm very excited to be here at DEFCON in the Adversary Village, and I hope you like this presentation, which is called New Generation of PEAS. We are going to discuss a little bit about PEAS and why there is a new generation. My name is Carlos Polop. I work as a senior security engineer at MERL. I have some certifications, I play CTF and all this stuff. So if you want to know something else about me, just check my LinkedIn, and you can also contact me via Twitter or even email for the more traditional stuff.

So in this talk we are going to talk a little bit about the PEAS suite: what it is, why it is useful, why there is a new generation. Then I'm going to very briefly introduce HackTricks and how it can be useful in combination with the PEAS suite, and then we are going to see some demos of linpeas, macpeas and winpeas. At the end, we are going to very briefly see what BotPEAS is, the last PEAS added just one or two months ago. And then I want to talk a little bit about the to-do, in order to indicate to the community how you can help the PEAS suite, if you like it.
So, PEAS suite. The name PEAS comes from Privilege Escalation Awesome Scripts, but basically this suite is a combination of scripts that will allow you to enumerate the most common hosts, and I'm talking about Windows, Linux, Unix in general and even Mac, in order to find easy ways to escalate privileges. So before the PEAS suite there were already a few scripts that performed these checks, and I liked them, but I didn't feel very comfortable with them because there was a lot of data that was mostly useless, and I didn't want to lose my time reading this data and figuring out if I could use it in any way or not, and because they didn't have enough checks, or at least they didn't have the checks. So that's the reason I started this suite.

So in PEAS you are going to find very comprehensive scripts to enumerate hosts and see how hardened they are and how you can escalate privileges. You are not going to find endless data lists, so you are going to know where you need to focus in order to find the vulnerabilities you are looking for. They have more checks than any other tool, at least I try, and this is because I add probably one new check per week. So that's a very cool way to update the scripts. As I have said before, PEAS can be executed on Linux, macOS and mostly any Unix flavor, and also Windows, which is great. I think this is the only privilege escalation enumeration tool that can be executed on this amount of different operating systems. But I think the fact that most people love about PEAS is that the output is colored. This means that you are going to find, for example, the color red where something is suspicious, or the color green where something is well configured, and this is very useful in order to know where you should focus in order to try to find vulnerabilities. The last characteristic is the monitorization. We will talk about this later, because actually you cannot use any monitorization at the moment, but my idea with these PEAS new generation scripts is that you are going to be able to execute PEAS on a host as frequently as you want and be able to compare different results in order to see how well you are doing hardening your systems. As I have said, this is not available yet, but I hope this will be soon. Well, the more help the community gives me, the sooner this will be ready.
But before going into depth with this, I want to show you what HackTricks is, because this is going to be highly useful when using these tools. So I'm going to open this link, and you can see that HackTricks is basically a book with a lot of cool tricks of hacking. But now I want us to focus on the privilege escalation checklists for Linux and Windows. In a few weeks I hope I will create one specifically for Mac. Here you can basically see a checklist of things that you should search on each computer in order to try to find vulnerabilities and improve the security, or exploit the vulnerabilities, depending if you are in a blue team or in a red team.

Also, HackTricks is pretty useful because when you execute these tools you are probably going to see some links to some parts of the book, and this is because if you don't understand the check that the script is performing, you can access this URL and you are going to have the theory about the check, why it is being performed, what you should check for, and how you can exploit a vulnerability found in that section, if any. You have it for Linux, for macOS in the future (I'm just starting), and for Windows. To give you a very brief example, let's say that you find some vulnerability which is related to access tokens and you don't know what access tokens are in a Windows environment. You can just come here and have a description about what an access token is, how to enumerate them, how they can be abused and everything. Basically, this is pretty useful to know why PEAS is performing the checks it is doing and how you can exploit them if you find any vulnerability. Also, you have here the URL. This is free for everyone; you can just access the book and use it as it is.
So let's continue. Now we are going to start with the demos. First we are going to perform a demo on Linux with linpeas, and then a demo with macpeas. So I have here a pretty vulnerable and very outdated Debian machine on which we are going to execute linpeas, just to see the vulnerabilities that it finds. So I have already accessed this machine via SSH; look, I'm the user "user" and I'm in this very outdated Debian machine. I have also already uploaded linpeas, so we are just going to execute it. First of all, take a look at the options, because maybe some of these options may be useful. For example, in linpeas you can find -a; this means to perform all checks, and this is because there are some checks that are very slow or that are very noisy that by default aren't executed. But if you are playing a CTF, or you don't care about being noisy or about the time, I completely recommend you to execute -a, because more checks are going to be executed. So you have the superfast option, and you also have some options that will allow you to perform network recon just using linpeas, which is kind of cool, because just with linpeas you will be able to enumerate the machine but also to enumerate the network if you don't want to upload any other tools.

So let's execute linpeas. We are just going to run it without -a; we are just going to run linpeas in a normal way. So here we can see that linpeas starts with a very beautiful banner. Here we can find the version, we can find the legend. This means what the colors mean, which is kind of awesome, because here we can see that red/yellow indicates a 95% privilege escalation vector, red means "well, just take a look at it", and green basically means well configured things or common things that you really shouldn't care about, because this was found in other machines. We have some basic information about the tools that are available to enumerate the network, and then we start enumerating the system. So here we can find system information. We can see in red that the kernel is pretty old, the sudo version is also a little bit old, so probably they are vulnerable. We can see a little more information about the system. In the environment you may be able to find some passwords. We enumerate also some Linux protections, like whether ASLR is enabled, is this a virtual machine, and we have here some information about the container if this was a container, but we aren't inside a container, so nothing interesting here. Devices, available software: it is good to know if you have some compiler available to compile possible kernel exploits.

Then we start taking a look at processes that may be vulnerable to escalate privileges: binary process permissions, cron jobs. And here we can find the first highly probable privilege escalation vector that linpeas has found. So for example here, this user is able to write in a path that is being used in a cron that is then being executed by root without indicating the path. So for example, if we create a file called overwrite.sh with a reverse shell in this folder, this is going to be executed by root, and we are going to obtain a reverse shell executed by root.

Here we can see linpeas enumerating more information. Also, network is always important, to know where you are in a network and which other new networks you can access and enumerate. Here we have just a local network, and we're even checking if we can sniff traffic using tcpdump. Then we enumerate some user information, and here we can see that there are a bunch of ways to escalate privileges by executing different binaries with sudo. More information about the users. Software information: this is pretty interesting and is one of the main things of linpeas and winpeas, and it's one of the main new topics in the new generation scripts, so we are going to talk about them later. But basically, here we are just looking for files that may be containing sensitive information related to some specific software, for example some Tomcat configuration files that may have passwords inside. You can see that we are looking for a bunch of them, actually. We'll talk about this later.

So we are going to continue till the last section, which is interesting files. The files that are here are here just because they have some interesting fact that will make linpeas enumerate them. For example, here we can find all the SUID files. Some of them have been vulnerable in the past, so we have here some information about in which systems these SUID binaries are vulnerable, and also the SUID binaries that are unknown. But linpeas is going to, well, execute a few checks to see if we can abuse these files to execute arbitrary commands and escalate privileges. Same thing for SGID files. Again, if you don't know what these files are, you can follow this link and you will find all the information. Checking misconfigurations; well, we are checking more misconfigurations. We can write a few files and folders here that we can abuse, the capabilities list, so this is very cool. So basically here you're going to see that linpeas is looking for a lot of information that may give you sensitive information or the power to escalate. Always take a look at everything, because you can find something interesting.
So this is linpeas. Now we are going to continue with a macpeas demo. But there is something important that you need to know. First of all, there is no macpeas script, because macpeas is actually inside linpeas: if you execute linpeas inside a Mac host, macpeas is going to be executed. I have created the script this way because the code that both flavors of the script share is like 90 percent, so almost every part of the code is shared. So I just generate some specific parts for the Mac version in order to run these parts on a Mac computer instead of the regular linpeas ones. But as you can see here, you just execute linpeas on a macOS system and the macpeas version will automatically be executed. So this is very cool, because you only need to know how one script works in order to execute it on Linux, on macOS, I mean probably potentially any flavor of Unix.

So my current host is a Mac, so I have already executed the linpeas version on my Mac. Actually, I haven't executed it from a file, but I have executed it from memory: I have just downloaded it from GitHub and piped it into an sh shell, so this way the script is never going to touch the disk. Here we can see that I have already executed it, because as my host has a lot more files than a virtual machine, instead of taking just one minute this could take around five or ten minutes, and I don't want to keep you waiting. So here we can see that the banner is much more ugly. I definitely need to improve that, but well, it's not on my priority list. Again, here we can see some basic information. We can see some system info, and we can mostly see the same information from linpeas in macpeas. The difference is that underneath there are different binaries being executed to obtain the same information, but it's pretty cool, because you just need to execute one; it is going to be intelligent enough to distinguish between Mac or Linux, and the correct version is going to be executed. So, as I have said, you are going to find most of the same information as before, so we can skip this output; you can just test it on your own. Okay.

So, linpeas. Also, there are more stealthy ways to execute linpeas; a bunch of them are mentioned in the README, even ways to bypass antiviruses. So check this out, because it's going to be very cool for you to learn how you can execute linpeas probably just using netcat and curl, or even without that, using bash pipes. So yeah, that's all for linpeas.
Okay, so let's continue with winpeas. This is obviously the Windows version of the script. So here I have a Windows virtual machine where we are going to execute winpeas. Obviously winpeas is using a completely different script than linpeas. Actually, there are two different projects for winpeas: one is the batch version and the other one is the .exe version. The batch version is less maintained than the .exe version and is mostly created for old Windows machines. So the most maintained version of winpeas is going to be the .exe one, and it is the one I recommend you to execute if you can. Obviously there are some requirements like the .NET version, but mostly on nowadays Windows you are going to be able to execute it. So I definitely recommend you to execute this version. Here also we have a quick start, and we also have a few ways to execute winpeas from memory, or execute winpeas while doing some kind of stealthy things in order to avoid antivirus detecting that we are executing the binary. I recommend you to take a look at it, because it is pretty interesting. Winpeas also has some interesting parameters. For example, winpeas allows you to execute linpeas, and this is very cool because if you find on a Windows the Windows Subsystem for Linux, you can execute linpeas because it is a bash script. So if you just indicate to winpeas the URL where it can find linpeas, it is going to download and execute it from memory, I think. Also, you don't even need to host your version of linpeas; you can just indicate the URL for linpeas inside GitHub. Well, you have also more help information, basic information. Where are my colors? When you execute winpeas without doing anything in a new Windows host, you are not going to see any color. You need to execute this first in order to indicate to the registry that "hey, I want you to interpret the colors that are going to be displayed". Run this, you don't need to be root or anything, and the colors will magically appear. Well, you need to start another PowerShell.

So, okay, I have already run winpeas on this host. We can see that we have another very beautiful banner. We have some information about the creators, and we start, like linpeas, seeing some system information. We have integrated Watson inside winpeas, so this is pretty cool, because it will just run with winpeas. Here we can find that we are enumerating the hotfixes that have been applied to this virtual machine, in this case information about the environment variables, information about WDigest. Again, if you don't know what WDigest is, you can just access this URL inside HackTricks and you will learn what this is and why it is important. Same for LSA Protection and so on.

The main difference between winpeas and linpeas, apart from the obvious one, is that you are not going to find these red/yellow colors in winpeas that you will find in linpeas, and this is because maybe in winpeas it is more complicated to be so sure that something is going to give you a privilege escalation path. So I haven't implemented those yet, but I may do that in the future. Well, as you can see, winpeas is enumerating a lot of things. Interesting events. Now we have some user information; in red you can find interesting things for attackers. So here you can find that the user is administrator, home folders. Something interesting about winpeas is that it is checking every path that appears. So for example, if this path was writable by our current user, this would appear in red and would tell you "hey, you can write this binary, maybe you can escalate through this because this is being executed". As you can see here, obviously you cannot escalate through this by overwriting winpeas, because this is a binary of the user we are using, but maybe if this was being run by another user which is an administrator and you can write the binary, you may be able to escalate through this. Same for services information. Actually, here you can see an example of what I have been talking about, and it is that the binary of this service is writable by everyone, so here you have a privilege escalation path. Also, winpeas is checking for unquoted paths with spaces in the binpath of the services, so you may be able to abuse this misconfiguration also to escalate. More information about applications, autoruns, the same: you may find some places that you can write on and your binary is going to be executed with higher privileges, so that's privilege escalation.

And I want to show you a few more things. Network information: again, it is very important to know where you are inside an internal network, which other networks you can access that you were unable to access before, and also it is important to check the ports, well, UDP, the ports that are listening just on localhost, because maybe these services are vulnerable and you can escalate privileges using those.
We found the NTLM hash of our current user, I think. Yeah, we found the unattend file; this may have credentials of the administrator user. And this is pretty awesome, because you can see here this section, the file analysis section, where we are also looking for a lot of files that may be storing sensitive information. So before PEAS new generation, every time I wanted to search for a file that may contain sensitive information, I needed to add a specific check to linpeas and then a specific check to winpeas, which was pretty awful, because well, it was kind of hard, well, it took several minutes.

With the new generation scripts, we have this build list. Inside this build folder we have this sensitive files YAML, where you can find all the potential files that can store that kind of sensitive information. This is pretty awesome because, for example, the FileZilla XML entry is specifying to search the folder with the name FileZilla and, inside this folder, to search the file called sitemanager.xml, and if it is found, print in red all the lines that contain some of those regexes. So this is pretty awesome, because linpeas and winpeas are automatically created using this YAML, so both of them are going to search all these files, and if they find them while executing, they are going to show them to you. This is very awesome because now, in order to just add a new check, if I discover a new file that may contain sensitive information, I can just add it to this YAML and the new linpeas and winpeas are going to be automatically built and are going to be searching for the new sensitive file. So this is very easy to maintain, and also it is very easy for the community to help me adding new files that may store sensitive information. Actually, you have here a few examples well explained, so if you want to contribute to this script because you know about a file that may contain credentials that isn't included yet, just take a look at the example, create a pull request to master, and the new versions are going to be automatically built. So it's just awesome.

As I have said before, winpeas has another flavor, which is the batch one, which is meant for old machines. Actually, the syntax is a little bit more complicated, because batch is not very flexible. Anyway, if you need to use it at any point, you can find it here, and also take a look at this explanation of how to understand the permissions, because you will need it in order to find the paths to escalate,
because here you are not going to find colors, because batch is not very flexible. So in this presentation we are going to continue with BotPEAS. I created this like one or two months ago, I think. This is a very simple script. This is basically monitoring new CVEs, and the ones that are related to privilege escalation are going to be indicated in this Telegram group. In this group we also discuss HackTricks, PEAS and the latest news in security. So it's free for everyone; feel free to join it. And also you can find BotPEAS on GitHub, you can find it here, and actually this bot allows you to create your own bot in order to monitor the CVEs you're interested in. So basically you can modify this YAML and set your own keywords, and then put your Slack webhook or your Telegram token, and the bot will send you all the new CVEs that are discovered containing the keywords that you have specified. Here, in this case, we are just looking for things related to privilege escalation, yeah, things related to privilege escalation or Docker container escape. Okay, so yeah, feel free to join the group if you please.

Finally, about the to-do. We now have in this new generation tool the capability of creating JSONs from the raw output, and you can find the script to generate these JSONs in the parser folder. So you can basically execute the PEAS parser, give it the path to the output of one PEAS script, and generate the JSON. I'm looking forward to someone that, from that JSON, can generate a beautiful report, PDF, HTML reports; that would be awesome. Also, I want to develop WebPEAS, which is going to be, well, the centralized agent that will allow you to automatically execute linpeas or winpeas and compare the results and even add new features. So I'm really looking for someone with experience in front end and/or back end. So if you want to help me developing WebPEAS in order to allow performing this constant monitorization, just contact me. Finally, obviously winpeas and linpeas are very big scripts, but they can be bigger. So if you know about new checks, or if you want to help out updating the lists that they are using, just contact me, because well, this is a huge project that needs the help of everybody, any help that you can bring me. So I hope you have enjoyed this talk. Thank you very much. Enjoy DEFCON, and now I will be in the Discord channel if you have any questions.

Thank you for your time again.
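As an added example, not code from the talk or from the PEASS-ng project: the build-list idea the talk describes for the sensitive-files section (a software name, a folder name to look for, file names inside that folder, and regexes whose matching lines get printed in red) implemented as a small Python search that returns structured findings instead of raw text, which is the same shape the JSON parser mentioned in the to-do section needs. The build-list entries, the demo folder layout, the fake credentials and every function name here are constructed for the example; the real build_lists YAML and the linpeas/winpeas checks generated from it differ in detail.

```python
import os
import re
import tempfile
from dataclasses import dataclass, field

# Constructed, hypothetical build-list entries in the shape the talk describes.
# Illustrative only: not PEASS-ng's real sensitive files YAML.
BUILD_LIST = [
    {
        "name": "FileZilla",
        "dir": "FileZilla",
        "files": ["sitemanager.xml", "recentservers.xml"],
        "regexes": [r"<Pass[^>]*>", r"<User>"],
    },
    {
        "name": "Tomcat",
        "dir": "conf",
        "files": ["tomcat-users.xml"],
        "regexes": [r"password\s*=", r"<user\s"],
    },
]

RED = "\033[31m"
RESET = "\033[0m"


@dataclass
class Finding:
    software: str
    path: str
    lines: list = field(default_factory=list)  # (line number, text) pairs


def search_sensitive_files(root, build_list=BUILD_LIST, max_lines=200):
    """Walk `root`; for each entry, look for its file names inside a directory
    whose basename equals entry["dir"] (case-insensitive, so one definition
    serves Linux and Windows paths). Lines matching any regex are collected
    for highlighting. Unreadable files are skipped, as an enumeration script
    running as a low-privileged user must expect."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        base = os.path.basename(dirpath).lower()
        for entry in build_list:
            if base != entry["dir"].lower():
                continue
            wanted = {f.lower() for f in entry["files"]}
            regexes = [re.compile(rx, re.IGNORECASE) for rx in entry["regexes"]]
            for fname in sorted(filenames):
                if fname.lower() not in wanted:
                    continue
                path = os.path.join(dirpath, fname)
                finding = Finding(entry["name"], path)
                try:
                    with open(path, "r", errors="replace") as fh:
                        for lineno, line in enumerate(fh, 1):
                            if lineno > max_lines:
                                break
                            if any(rx.search(line) for rx in regexes):
                                finding.lines.append((lineno, line.rstrip("\n")))
                except OSError:
                    continue
                findings.append(finding)
    return findings


def render(findings, color=True):
    """Print findings PEAS-style: the file path, then matching lines in red."""
    out = []
    for f in findings:
        out.append(f"[{f.software}] {f.path}")
        for lineno, text in f.lines:
            out.append(f"  {lineno}: {RED + text + RESET if color else text}")
    return "\n".join(out)


def build_demo_tree():
    """Constructed tree with fake credentials: a FileZilla sitemanager.xml, a
    Tomcat tomcat-users.xml, and a decoy sitemanager.xml outside any FileZilla
    folder that must not be reported."""
    root = tempfile.mkdtemp(prefix="peas_demo_")
    fz_dir = os.path.join(root, "home", "user", ".config", "filezilla")
    tc_dir = os.path.join(root, "opt", "tomcat", "conf")
    decoy_dir = os.path.join(root, "tmp", "backup")
    sitemanager = "\n".join([
        '<?xml version="1.0"?>', "<FileZilla3><Servers>", "  <Server>",
        "    <Host>ftp.example.test</Host>", "    <User>deploy</User>",
        '    <Pass encoding="base64">cGFzc3dvcmQxMjM=</Pass>',
        "  </Server>", "</Servers></FileZilla3>"]) + "\n"
    tomcat_users = "\n".join([
        '<?xml version="1.0"?>', "<tomcat-users>",
        '  <role rolename="manager-gui"/>',
        '  <user username="admin" password="s3cret" roles="manager-gui"/>',
        "</tomcat-users>"]) + "\n"
    for d, fname, body in ((fz_dir, "sitemanager.xml", sitemanager),
                           (tc_dir, "tomcat-users.xml", tomcat_users),
                           (decoy_dir, "sitemanager.xml", sitemanager)):
        os.makedirs(d)
        with open(os.path.join(d, fname), "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    print(render(search_sensitive_files(build_demo_tree())))
```

Running the file builds the throwaway tree and prints the two findings with the credential lines highlighted; the decoy copy is ignored because the folder test is part of the definition, which is the same reason the talk's YAML names the folder and not just the file.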