phukd - Irongeek
Adrian Crenshaw
http://Irongeek.com
I run Irongeek.com
I have an interest in InfoSec
education
I don’t know everything - I’m just a
geek with time on my hands
Sr. Information Security Consultant
at TrustedSec
Co-Founder of Derbycon
http://www.derbycon.com
Twitter: @Irongeek_ADC
Skydogcon wanted something basic, decided to use it at
Hack3rcon too
Who cares about Domain Admin if you can get the data
without it
Ok, my ego cares, but…
Get the data
Trojan the EXEs
Add your SSH keys
Vulnerabilities get patched, common configuration mistakes
last forever
Everybody screws it up
Server Message Block (SMB) protocol
Evolved into Common Internet File System (CIFS)
Communicates over:
  445/TCP (SMB directly over TCP, no NetBIOS layer)
  or 137/UDP, 138/UDP & 137/TCP, 139/TCP (NetBIOS over TCP/IP)
  or NetBEUI
Also supports Inter-Process Communication (IPC) via named pipes
Invented by IBM
Microsoft used it in LAN Manager, its answer to Novell NetWare
Samba uses it in *nix environments
Changed over the years: SMB 2, SMB 2.1, SMB 3.0, SMB 3.02
Windows 2000 & XP
Windows NT 4/2000: the Anonymous Security Identifier (SID) was part of the Everyone metagroup
Windows XP forward, it is not; you must be authenticated
Homegroup?
Share-level vs NTFS permissions
What version of Windows?
Authenticate with a Microsoft account?
A $ suffix hides the share from built-in Windows tools (net view, Explorer browsing), but not from others
Admins think it does
Not the same as Samba's browseable=no setting
About the same thing as not broadcasting your SSID
How easy is it to integrate with current authentication?
Samba
AS/400
OS X
SOHO NAS
Anonymous
Local Hash (WCE or Built-in to the tool)
Null Sessions
1. nslookup domainname
2. enum4linux -a someip > enum4linux-a.txt
3. grep "Domain Users" enum4linux-a.txt | cut -d '\' -f 2 > users.txt
4. hydra -L users.txt -P passwords.txt <DC-IP> smb
5. hydra -L users.txt -e nsr <DC-IP> smb
   (-e nsr tries the null password, the login name and the login name reversed; check the domain lockout policy before spraying)
Responder and crack challenge response
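The grep/cut one-liner in step 3 only catches the "Group ... has member: DOMAIN\user" lines. As an added example (not from the talk), here is a small parser that also picks up the "user:[name] rid:[0x...]" lines enum4linux prints from RID cycling, strips the domain prefix, drops machine accounts and krbtgt, and returns a deduplicated list ready for hydra -L. The enum4linux output below is constructed to match the tool's line formats, not a real capture; extract_users is a name chosen here.

```python
"""Pull candidate usernames out of saved enum4linux output for a hydra -L list.

Added example, not from the original talk. Handles the two places enum4linux
prints names: the "Group '...' (RID: n) has member: DOMAIN\\user" lines used by
the grep/cut one-liner, and the "user:[name] rid:[0x...]" lines from the
RID-cycling / -U sections.
"""
import re

# Constructed sample of enum4linux -a output (format modelled on the tool; not a real capture).
SAMPLE_OUTPUT = r"""
 ======================================
|    Users on 10.0.0.5 via RID cycling |
 ======================================
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[jdoe] rid:[0x3e8]
 =======================================
|    Getting domain group memberships:  |
 =======================================
Group 'Domain Users' (RID: 513) has member: CORP\jdoe
Group 'Domain Users' (RID: 513) has member: CORP\asmith
Group 'Domain Admins' (RID: 512) has member: CORP\Administrator
Group 'Domain Users' (RID: 513) has member: CORP\krbtgt
Group 'Domain Computers' (RID: 515) has member: CORP\WS01$
"""

# "Group 'Domain Users' (RID: 513) has member: CORP\jdoe"  -> group, user (domain prefix optional)
GROUP_MEMBER = re.compile(
    r"^Group '(?P<group>[^']+)' \(RID: \d+\) has member: (?:[^\\]+\\)?(?P<user>\S+)", re.M)
# "user:[jdoe] rid:[0x3e8]"
RID_USER = re.compile(r"^user:\[(?P<user>[^\]]+)\] rid:\[0x[0-9a-f]+\]", re.M | re.I)

# krbtgt is disabled by design, and machine accounts (trailing $) have random passwords:
# guessing either only burns lockout budget.
SKIP = {"krbtgt"}


def extract_users(text, group=None):
    """Return sorted unique usernames; restrict to one group (e.g. 'Domain Users') if given."""
    names = set()
    for m in GROUP_MEMBER.finditer(text):
        if group is None or m.group("group") == group:
            names.add(m.group("user"))
    if group is None:
        names.update(m.group("user") for m in RID_USER.finditer(text))
    return sorted(n for n in names if n.lower() not in SKIP and not n.endswith("$"))


if __name__ == "__main__":
    # Equivalent of the grep "Domain Users" | cut step, one name per line for hydra -L.
    print("\n".join(extract_users(SAMPLE_OUTPUT, group="Domain Users")))
```

Run it with the real file (open("enum4linux-a.txt").read()) and redirect to users.txt; pass group=None when the group-membership section is empty because the account used could not read group memberships but RID cycling still worked.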
WCE (Windows Credentials Editor)
http://www.ampliasecurity.com/research/wcefaq.html
wce.exe -g somepassword
  (generate the LM and NT hashes for a password)
wce.exe -s someuser:somedomain:90172B990B993E3176FDE78389BE2CE2:DE4DB66B3AFD1319F4442D1108134FAC
  (set those credentials, as user:domain:LM:NT, on the current logon session; pass-the-hash)
Based on NetBIOS service location protocol
net view
1. use auxiliary/scanner/smb/smb_enumshares
2. set rhosts 192.168.1.1/24
3. set smbuser adrian
4. set SMBpass somepassword
5. set spidershares true
6. set showfiles true
7. set threads 100
8. run
nmap -sU -sS --script smb-enum-shares.nse -p U:137,T:139,445 --script-args smbusername=adrian,smbpassword=somepass --open 192.168.1.1/24
smbhash=<hash> can be given in place of smbpassword to pass a hash
http://nmap.org/nsedoc/scripts/smb-enum-shares.html
Nmap scan report for Cthulhu (192.168.1.240)
Host is up (0.078s latency).
PORT     STATE SERVICE
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
137/udp  open  netbios-ns
MAC Address: A4:17:31:02:7B:50 (Hon Hai Precision Ind. Co.)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|     Current user ('adrian') access: <none>
|   C
|     Anonymous access: <none>
|     Current user ('adrian') access: READ
|   C$
|     Anonymous access: <none>
|     Current user ('adrian') access: <none>
|   IPC$
|     Anonymous access: READ <not a file share>
|_    Current user ('adrian') access: READ <not a file share>

Nmap done: 256 IP addresses (10 hosts up) scanned in 13.10 seconds
root@kali:~#
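Across a /24 the interesting lines are buried among dozens of "<none>" entries. As an added example (not from the talk), the parser below reads the normal-format nmap output above and reduces it to the shares the scan user, or anonymous, can actually touch, ignoring IPC$-style pseudo shares. The sample embeds the Cthulhu host from the slide plus a second host that is constructed for the example; it also accepts the newer "\\host\share:" share-line style and the unquoted "Current user access:" form that later nmap releases print. parse_shares and readable_shares are names chosen here.

```python
"""Summarise nmap smb-enum-shares output per host (added example, not code from the talk).

Parses the human-readable nmap output: share names sit three spaces in under
'smb-enum-shares:', access lines five spaces in. The '|_' marker on the last
line of a script block is treated as '| ' so indentation stays consistent.
"""
import re

# Sample: the host from the slide, plus a second host constructed for this example.
SAMPLE = """\
Nmap scan report for Cthulhu (192.168.1.240)
Host is up (0.078s latency).
PORT     STATE SERVICE
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
137/udp  open  netbios-ns
MAC Address: A4:17:31:02:7B:50 (Hon Hai Precision Ind. Co.)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|     Current user ('adrian') access: <none>
|   C
|     Anonymous access: <none>
|     Current user ('adrian') access: READ
|   C$
|     Anonymous access: <none>
|     Current user ('adrian') access: <none>
|   IPC$
|     Anonymous access: READ <not a file share>
|_    Current user ('adrian') access: READ <not a file share>

Nmap scan report for 192.168.1.250
Host is up (0.010s latency).
PORT     STATE SERVICE
445/tcp  open  microsoft-ds

Host script results:
| smb-enum-shares:
|   account_used: adrian
|   \\\\192.168.1.250\\Backups:
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\\\192.168.1.250\\IPC$:
|     Anonymous access: READ <not a file share>
|_    Current user access: READ <not a file share>

Nmap done: 256 IP addresses (10 hosts up) scanned in 13.10 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (?:(?P<name>\S+) \()?(?P<ip>\d+\.\d+\.\d+\.\d+)\)?")
ACCESS_RE = re.compile(
    r"^(?P<who>Anonymous|Current user(?: \('(?P<user>[^']*)'\))?) access: (?P<access>.+)$")


def parse_shares(text):
    """Return {host: {share: {"anonymous": level, "user": level}}} from nmap normal output."""
    results, host, share, in_block = {}, None, None, False
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group("name") or m.group("ip")
            results[host] = {}
            share, in_block = None, False
            continue
        if not line.startswith("|"):
            in_block = False          # any non-script line ends the smb-enum-shares block
            continue
        body = line[1:]
        if body.startswith("_"):
            body = " " + body[1:]     # '|_' closes the block; treat it like '| '
        stripped = body.strip()
        if stripped == "smb-enum-shares:":
            in_block = True
            continue
        if not in_block or host is None:
            continue
        indent = len(body) - len(body.lstrip(" "))
        if indent == 3:
            if ": " in stripped:      # e.g. 'account_used: adrian', not a share
                continue
            share = stripped.rstrip(":").rsplit("\\", 1)[-1]   # '\\host\Backups:' -> 'Backups'
            results[host][share] = {}
        elif indent == 5 and share is not None:
            m = ACCESS_RE.match(stripped)
            if m:
                key = "anonymous" if m.group("who") == "Anonymous" else "user"
                results[host][share][key] = m.group("access")
    return results


def readable_shares(results, as_user=True):
    """List (host, share, access) for shares with real access, skipping IPC$-style pseudo shares."""
    key = "user" if as_user else "anonymous"
    hits = []
    for host, shares in results.items():
        for share, acc in shares.items():
            level = acc.get(key, "<none>")
            if level.startswith("<none>") or "<not a file share>" in level:
                continue
            hits.append((host, share, level))
    return hits


if __name__ == "__main__":
    parsed = parse_shares(SAMPLE)
    print("as scan user:", readable_shares(parsed))
    print("anonymous:   ", readable_shares(parsed, as_user=False))
```

Feed it the file from nmap -oN; the anonymous list is the one to hand to whoever owns the network first, since it is reachable by anything that can route to port 445.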
Quickly know what access you have
General->Up thread count
Additional->Grab HTTP & FTP server banner
Work Stations->Lookup logged on users
Share->Enumerate All
Getting the most out of shares
Use operators in CAPITALS
http://windows.microsoft.com/en-us/windows7/advanced-tips-for-searching-in-windows
http://regexlib.com
\d{3}-\d{2}-\d{4}|\d{9}|(?i)ssn
grepWin
http://stefanstools.sourceforge.net/grepWin.html
AstroGrep
http://astrogrep.sourceforge.net/
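The slide's pattern is written for the .NET regex engine inside grepWin and AstroGrep. Two things bite when you carry it elsewhere: Python rejects an inline (?i) that is not at the start of the pattern, and the bare \d{9} alternative fires inside any longer run of digits (phone numbers, tracking numbers, timestamps), which floods a share scan with noise. As an added example (not from the talk), here is the same idea with the flag moved to the front and word boundaries added, plus a directory walker that skips archives and media so it can be pointed at a mounted share. scan_text, scan_tree and demo are names chosen here; the files demo creates are constructed samples in a temporary directory.

```python
"""Grep a share for SSN-looking data (added example, not from the talk)."""
import os
import re
import tempfile

# (?i) must lead the pattern in Python; \b keeps \d{9} from matching inside longer numbers.
SSN_PATTERN = re.compile(r"(?i)\b\d{3}-\d{2}-\d{4}\b|\b\d{9}\b|\bssn\b")

# Archives, binaries and media are skipped: they waste time and produce junk hits.
SKIP_EXT = {".zip", ".exe", ".dll", ".jpg", ".png", ".mp4", ".iso"}
MAX_BYTES = 50 * 1024 * 1024


def scan_text(text, pattern=SSN_PATTERN):
    """Return [(line_number, matched_text)] for every hit in a blob of text."""
    hits = []
    for num, line in enumerate(text.splitlines(), 1):
        for m in pattern.finditer(line):
            hits.append((num, m.group(0)))
    return hits


def scan_tree(root, pattern=SSN_PATTERN):
    """Walk a directory (e.g. a mounted share); return {relative_path: hits} for files with hits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.splitext(name)[1].lower() in SKIP_EXT or os.path.getsize(path) > MAX_BYTES:
                continue
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                hits = scan_text(fh.read(), pattern)
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings


def demo():
    """Write constructed sample files into a temp dir, scan them, and return the findings."""
    samples = {
        "hr/benefits.csv": "name,ssn,plan\nJ. Doe,123-45-6789,gold\n",
        "hr/notes.txt": "Employee SSN on file: 987654321\nOrder tracking 1234567890123\n",
        "it/readme.txt": "Nothing sensitive here. Call 555-0100.\n",
        "it/backup.zip": "123-45-6789 would be a hit if archives were opened\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in samples.items():
            full = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(tmp)


if __name__ == "__main__":
    for path, hits in demo().items():
        print(path, hits)
```

The 13-digit tracking number in notes.txt is deliberately not a hit, and backup.zip is skipped on extension; OpenDLP (next slide) goes further by opening archives and Office documents, which is the next thing a real share sweep needs.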
https://code.google.com/p/opendlp/
Tweaks to secure and scan better
Deny access to this computer from the network
Under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
SecPol.msc (Network security: LAN Manager authentication level)
LmCompatibilityLevel values (Level: Group Policy name / Sends / Accepts / Prohibits sending):

Level 0 (default on Windows NT 4, 2000, XP): "Send LM & NTLM responses"
  Sends: LM, NTLM; NTLMv2 session security is negotiated
  Accepts: LM, NTLM, NTLMv2
  Prohibits sending: NTLMv2 session security (on Windows 2000 below SRP1, Windows NT 4.0, and Windows 9x)
Level 1: "Send LM & NTLM, use NTLMv2 session security if negotiated"
  Sends: LM, NTLM; NTLMv2 session security is negotiated
  Accepts: LM, NTLM, NTLMv2
  Prohibits sending: NTLMv2
Level 2: "Send NTLM response only"
  Sends: NTLM; NTLMv2 session security is negotiated
  Accepts: LM, NTLM, NTLMv2
  Prohibits sending: LM and NTLMv2
Level 3 (default on Vista, 7, and later): "Send NTLMv2 response only"
  Sends: NTLMv2; session security is always used
  Accepts: LM, NTLM, NTLMv2
  Prohibits sending: LM and NTLM
Level 4: "Send NTLMv2 response only. Refuse LM"
  Sends: NTLMv2, session security
  Accepts: NTLM, NTLMv2
  Prohibits sending: LM
Level 5: "Send NTLMv2 response only. Refuse LM & NTLM"
  Sends: NTLMv2, session security
  Accepts: NTLMv2
  Prohibits sending: LM and NTLM

Anything below 3 still hands out LM or NTLMv1 responses, which is what makes the "Responder and crack challenge response" step cheap; only 4 and 5 also make the host refuse those responses from clients.
Based on http://technet.microsoft.com/en-us/magazine/2006.08.securitywatch.aspx
Finding Rogue SMB File Shares On Your Network
http://www.irongeek.com/i.php?page=security/roguefileshares
Finding the Leaks
http://blog.secureideas.com/2013/01/findingleaks.html
nessuscmd Tip: Finding Open SMB File Shares
http://www.tenable.com/blog/nessuscmd-tipfinding-open-smb-file-shares
Derbycon
Sept 23rd-27th, 2015
Derbycon Art Credits to DigiP
Photo Credits to KC (devauto)
http://www.derbycon.com
Others
http://www.louisvilleinfosec.com
http://skydogcon.com
http://hack3rcon.org
http://outerz0ne.org
http://phreaknic.info
http://notacon.org
Twitter: @Irongeek_ADC