Webcast: Attack Tactics 5 – Zero to Hero Attack


Timecode links take you to YouTube:

4:11 – Infrastructure & Background
8:28 – Overview & Breakdown of Attack Methodology and Plans
11:35 – Start of Attack (Gaining Access), Password Spraying Toolkit
15:24 – Mailsniper, Retrieve Global Access List
21:58 – Lateral Movement, OWA, VPN, SSH
27:05 – Scanning/Enumeration, Nmap SSH Brute Force, “Find Open”, Movement, Gaining Access
34:07 – Gaining Access, Test for LLMNR, What is LLMNR, Responder, NtlmRelayX
45:53 – Gaining Access, Lateral Movement – crackmapexec
50:29 – Gaining Access, GoPhish Campaign, Additional Paths to Access, HTA, Cobalt Strike
59:48 – Wrap Up

Slides for this webcast can be found here: https://www.blackhillsinfosec.com/wp-content/uploads/2020/09/SLIDES_AttackTactics5ZerotoHeroAttacks.pdf

Presented BHIS Testers by: Jordan Drysdale, Kent Ickler, and John Strand

This is a re-recording of a live BHIS webcast that was presented on April 26th, 2019.

Ever want to see a full attack from no access on the outside to domain takeover? Ever want to see that in under an hour? 

OWA? Password Sprays? Yup!
VPNs? Remote account takeover? Yup!
Fully documented command and tool usage? Yup!
MailSniper? Absolutely!
Nmap? Obviously!
Crackmapexec? Definitely!
Cobalt Strike HTA phishing? This is the one I am most worried about 😀 – but we’ll try anyway. 

So what? What’s different about this webcast? We’ll cover the zero (external, no access) to hero (internal, domain admin).

Then, in the next webcast we will cover all the points where it could have been detected and stoped.

Get slides and document containing all commands at: https://activecountermeasures.com/documents

Questions from Live Webcast:

Q: Best methods to detect password straying?

A: John is working on blogs to detect these types of activities. When OWA is exposed, monitoring your security logs on the CAS is crucial. Also, the companion webcast is how to catch all of this webcast’s activities.

Q: Do u actively use cloud fronted Cobalt Strike servers on engagements?

A: If the engagement is a red team, we have to. If the engagement is a pentest or C2, we aren’t necessarily trying to be stealthy. We are testing existing control structures to assist an organization in baselining their current posture and aiming for improvements.

Q: Have you gotten into a situation where you have access to a cisco router of our clients? if yes what happens next?

A: Yes, and sadly, it is often. Missing patches on these boxes leaves a very dangerous “on by default” service enabled: SMI. The smart install service allows easy-peasy config retrieval – we check for this by scanning TCP/4786. Lots of blogs on this and SIET.py is worth a review.

Q: tcp 4586 and LLMNR, right?

A: See previous. Clarification: TCP/4786 for Cisco SMI. LLMNR is bad, and so is NBNS.

Q: Do you have any PoC code to download configs using Cisco Smart install?

A: https://github.com/Sab0tag3d/SIET/blob/master/siet.py

Q: but if you enable message signing you may impact production on the network, no?

A: There are reports that enforced message signing can slow large file transfers. Again, if you are curious about the impact of this configuration, feel free to reach out to consulting <at> blackhillsinfosec.com and let us demonstrate the risk. Also, Nessus reporting this as a medium is only because this vulnerability requires coupling with another vuln for impact.

Q: In my experience, the impact on services for SMB signing has been greatly over stated.

A: This, so much this. Thank you for confirming our belief. Someone here will eventually test for validation sake, but we appreciate you saying so.

Q: Can you pth creds obtained via responder?

A: Best question!!!! The challenge/response mechanism will prevent a “replay” in this scenario. For example, if I am poisoning and successfully challenge a connection and receive hashed credentials, those cannot be replayed. For a successful relay to happen, I have to be in a position, let’s call it B. The client at A, requests C and B poisons the request and forwards the request to A. C challenges for auth, B forwards back to A and so on. Basically, the request / response / challenge have to be *untampered, but can be relayed, not replayed.

Q: what do you think about restricting command prompt to admin users and leave powershell open to everyone?

A: Nope. Restrict it all, we have a finding that we call “access to native tools” – they should, in theory be restricted to appropriate groups. What business does Albert in accounting have running powershell? This also can help with visibility – ALARM: Albert in accounting just ran powershell. Send in the decontamination unit for forensics.

Q: Why not use MultiRelay?

A: Also a great question – and yes it is also functional, but after testing org after org and gaining access with MultiRelay, the shell is limited and a bit clunky, it was a pain to get a payload uploaded and executed, and last, for the webinar – we just wanted to demonstrate impact of credential theft in five minutes or less.

Q: Which is of the attack you guys is more easy to stop?

Long passwords, message signing enforced at GPO, disable LLMNR, and figure out how best to rid your networks of NBNS – whether that is at your image management level, through PowerShell, get rid of these things. Sooooo dangerous.

Q: isnt this going to be very noisy on the network? just want to adjust my approach according to red team stuff.

A: Super duper noisy. Alarms should be going off all over the place. However, once an admin hash is recovered, crackmapexec smb attacks are surprisingly challenging to stop. CME is just taking advantage of native communications, and while a single compromised host connecting to potentially hundreds of other systems should ring some bells, the SMB connections are perfectly normal.

Q: how about running inveigh from a compromised windows system?

A: Also has relay options included, YES! This tool can do all the things too.

Q: what about forensics artefacts, demo look very noisy!?

A: Yes, stay tuned. The entire domain’s logs were captured right after the webcast for forensic analysis. The next webcast will cover exactly where the blue team missed things and these attacks could have been stopped.

Q: If you dont find a linux machine on the network do you use Cobalt Strike to get the functionality of tools like CrackMapExec?

A: Yes. And, additionally, for a pentest – not red team – we ask specifically for a Windows box with typical domain build and a Linux install somewhere.

Q: Can PowerShell still be utilized/exploited when attacking, even if the user’s account doesn’t have local admin?

A: Definitely, and with things like powershell -ep bypass, and iex, we can quickly pull scripts in to memory designed to automate the PrivEsc process.

Q: Would NTLMv2 prevent pass-the-hash?

A: Negative, this does not solve the problem. An earlier question alluded to this as well: Long passwords, message signing enforced at GPO, disable LLMNR, and figure out how best to rid your networks of NBNS

Q: What version of GoPhish are guys running??

A: Latest, greatest, installed just for this webcast.

Q: how do you get in if pwd reqs are set to 13+ chars?

A: Phish for payloads, relay for creds. No domain credentials are required to execute the relay attack.

Q: Is there a better way to say “we win”?

A: we much prefer to “demonstrate risk effectively through compromise.” Hits home and doesn’t pit us against the companies we test.

Q: So just disabling SMBv1 does not help us much?

A: No, enforce message signing.

Q: Do SPF, DKIM, DMARC policies stop spear phishing mails ?

A: Not if the “phishers” are well versed in mail flow. For our phishing engagements, we do multiple things like set SPF, DKIM, and DMARC records. We then also used SendGrid, who has a tacit agreement with MS, big G, the Y, etc to land email in inboxes. You cannot stop a dedicated attack, but you can limit the impact – break links inbound, restrict attachment types, enforce ongoing education.

Q: How do you best avoid spam folders?

A: See previous. Dedicated attackers have legit mail domains with all the specifics they need. Agreements between service providers, ie SendGrid and a mail provider allow money to influence decisions about mail flow.

Q: if the org systems have a GPO that restricts local admins from auth over the net, would this still work?

A: we had mixed results in the lab and ended up troubleshooting proper GPO application. I can’t say it is 100% effective, because it wasn’t for us. But – if this attack doesn’t work, we take the hashes offline and crack. Also – xfreerdp can pass the hash, so if RDP is available, we have another potential game over scenario.

Q: Responder caused network slow down on the last pentest.

A: the -r flag can cause some trouble on the local subnet and is moving toward being avoided for this reason. I now stick to just -d

In closing:

would love to see the defense side of this podcast!

It is coming soon.

Want to learn more mad skills from the person who wrote this blog?

Check out this class from Kent and Jordan:

Defending the Enterprise

Available live/virtual and on-demand!