>> This is acquired current user hashes without admin privileges. So please join me in giving Anton Sapozhnikov a very warm welcome. (Applause.)

>> Hi guys. So what this talk about I will discuss common penetration testing case I expect to see during any engagement during my work. We will discuss traditional techniques to gather credentials for the user and (indiscernible) SSPI. So, who is me? A little bit of penetration tester for seven years. CTF player; maybe you know my team is MoreSmokedLeetChicken (indiscernible 1:04 - 1:10) but anyway. Working for KPMG Russia and project volema.

So let's start. Let's imagine a situation where we don't have -- we exploited some vulnerability in the (indiscernible) sites of (indiscernible), for example browser or I don't know, Flash Player. Or maybe these are just downloaded and executed a payload from internet. And there is no access to internet from his computer. I mean, about (indiscernible) for example or there is some kind of restrictions on it. Of course we have shell access to user workstation because our payload was (indiscernible) framework or some kind of rank. And these rank fully (indiscernible) Windows and any kind of rank from XP to the latest 8.1. And of course we don't have any privileges on that workstation. I mean usually running credentials of a user. So, the admin working have done. Admin drop was done.
So our goal was to find an -- our goal is to find out a password for user and try to use it that way after that. Why do we need to try to get user password? First of all, any shell is going to die from day-to-day. We use buggy software. How many of you see (indiscernible) unexpectedly dying? So it's -- I see every day unfortunately. So workstation of the user may be powered off. For example, (indiscernible) for a weekend, maybe your dock was detected and forensics people start to investigate a computer. So your shell will die and you will have no access to workstation after that. But if you grab a password for the user, you can use it to connect, I don't know, web mail, Citrix, VPN, Exchange, any incorporation, and incorporate sources what is available from the internet.

What's the traditional ways to get a password of a user? There are famous tools like Fgdump or maybe you know Mimikatz or those credentials editor. Or maybe just extract passwords from not (indiscernible) but hashes from (indiscernible), registry or SAM file. But the disadvantages of those ways is that you have to have admin privileges, for example, to grab registry or some debug privileges to extract hashes and passwords from a memory like Mimikatz or Fgdump. If you remember during the definition of our task, we don't have heightened privileges on our workstation. So we can't use those tools to perform our engagement.
The second way could be try to elevate privileges in some way, for example, try to find some third party service. We filed permissions and overwrite some sensitive files. Or from DLL hijacking attacks or something else. But, as I mentioned before, we have fully portioned operating system. We have fully function (indiscernible). So still no way to escalate privileges and exploit it and use our favorite tools like Mimikatz. That's sad.

There's some alternative ways. For example, we could try to pop up user window could look like that. It's a standard window from Windows XP. But as I mentioned, there is some localisation. Just imagine what you are exposing computer sort of staying somewhere in Russia or China, you couldn't pop up a window with the correct word -- we would call it letters so when the native speaker will mention it with the letters and he will not trick and he will not enter his password in that window. So you fail. And you wait, even if you, if you use your real belief to your window, he will, for example, enter some different words that are not actually user names or passwords. During my experience, during my engagements, I see a lot of users were trying to put, for example, some words like, I don't know, get off or something like that. If they actually realize it was some kind of social engineering type. We try to have some fun with you, I don't know.

The second way could be, for example, use of script from Metasploit framework. It's actually called hash snarfing. Also, this technique is implemented in a tool called Incognito. How it works, it approaches (indiscernible) credentials of a current user trying to connect to SMB server that's arriving somewhere in the network, the local network, and authenticate using credentials for current user. And attacker should control its SMB server to grab the credentials and somehow extract the passwords from it. But as I mentioned in the definition of the task, we do not have access to the network.
So we do not have any SMB servers in the networks and we can't execute such kind of attacks. The third way is try to use Internet Explorer. The default browser could use credentials from a current user to authenticate you. And you also could grab the hashes but there are some disadvantages. For example, the host name you should use. Browse with Internet Explorer should be like everything in the trusted zone of the domain and (indiscernible) should be allocating the local network. Wherever the user is current located. That's option number one. Or option number two is whether it could change a proxy server of the browser, and for example, the proxy server will be actually -- your seller and (indiscernible) from the browser will go through that proxy and capture the hashes. But it's quite difficult to perform because actually could (indiscernible) control internet access for public user, and you know if Internet is not working for the user, he will call help desk. And your shell or your Meterpreter or something, (indiscernible) will be killed. You'll be, your incident will be investigated. Anyway, we're -- if you want to follow the way of using Internet Explorer, all of you know, if you're executing internet browser, it will use a lot of (indiscernible)s and you'll be very, very slow and user will notice it. So I think in terms of pace, it's not for us.

So what is Security Support Provider? Provider Interface? It's some kind of layer. What allows different applications, starting from browsers, any kind of applications, to talk to security providers what implemented by breaking systems. So what is it? It's several packages. Simplest of them is Microsoft Negotiate. It just picks the best security package to handle the current configuration of a computer and try to use the package was actually configured by admins. The second package is Microsoft NTLM and everybody thinks, no what is it? Microsoft Kerberos and Microsoft Digest SSP.
Digest SSP currently, not widely used, but in the past it was used to authenticate users of a mail systems like three POP3 protocol or for example HTTP Digest Authentication. And a Secure Channel package, it's just implementation of SSL or TLS by a Microsoft.

So how does any application talk to any server using SSPI? For example, we have a client application and the server application. Umm, and the client would like to authenticate on the server using password of the current user. It will change (indiscernible) some kind of messages and anyway -- client should generate the message called NTLM Negotiate and send it to the server. The main advantage of it is SSPI interface is at client application shouldn't know anything about what NTLM Negotiate is. It'll just tell SSPI: SSPI, please can you write me that type of message, and then client just get it from a buffer and send it to a center and log any authentication. On the server side, happens the same. Server will talk to SSPI interface and read the following: Hey SSPI, here is a message from a client. Go read it from buffer. Please prevent buffer and can you write for please, NTLM Challenge and I will send it to the client. After that, client will receive NTLM Challenge message, also will send it to SSPI interface. And SSPI will prepare for client the message what should be sent to the server. So SSPI allows us to extract from implementation of different mechanism currently running from breaking systems, power (indiscernible). What options are configured? Various domain controller or within an (indiscernible). What's it current. Where is location, how many of them? Just ask SSPI to perform authentication and that's solved.

So there is three types of messages as I told before. That message type one is just contains features that supported by the client. Message type two just contains features that are supported by the server and it contains a challenge generated by the server.
The challenge should be used to generate the message type three. And the hashes that are contained in the message type three calculated using the challenge from a message type two. So let's optimize approaches. I'll talk the SSPI, for example, implement the server and the client application in the one process. What does this mean? We will send the message type one, message type two, and message type three from ourself to client to server in one application. That means that application actually know what is the challenge, what is sent through the server and what was captured by the client. So there is not any traffic on the network. And the application could grab all that information what was passed and use it somehow to calculate and extract later applications. So how it looks like. Message type one, it's just different bytes. Using that you could extract the knowns, the challenge. The hashes were calculated by the challenge and if you grab all the things, you could just format it for different crackers, for example, John the Ripper, and it will crack it for you. And after a little bit of brute forcing, you will get a password of a user.

I did little bit of benchmarking, as you can see. If you are using different types of protocols for authentication, for example, you could brute force as fast as one million hashes per second. If you are currently using NTLM version one, it's about two million hashes and NTLM version two is about 500 hashes per second. What is mean for us? It means NTLM version one is disabled on the computer we could try to use HTTP Digest to authenticate the user. It allows us to brute force at double speed.

So what attack flow will actually look like? The processer will send the user some kind of spear phishing, user will be navigating, clicking on the link or downloading some payload or any exploited anyhow. Payload will try to authenticate a user on itself and send the authentication data and what was extracted on the data flow to a pentester.
The pentester will force it and extract the user name and password of the user. Afterward, he will use it to connect to any incorporated sources and exfiltrate the data, what means is the (indiscernible) was successful.

How again exfiltrate code load can send the message to our command and control center with authentication data what was just extracted. Where is, I think we used -- everybody will know that some kind of (indiscernible) shells, but (indiscernible). But it's off the blogs. And umm, I would like to present you with two (indiscernible) and (indiscernible). The way number one is using DNS for it. For example, we could try to use, to ask that DNS server to resolve for us some kind of name like some information goes here dot to my dot evildomain dot com. That means that our DNS servers are trying from that domain will capture the data, what was requested. But every time your payload will try to resolve a domain, Windows Security Alert, for example, or any other personal firewall will alert it and these may block your payload. There are some workarounds for it. For example, a workaround I suggest is using file system. For example, Windows API like CreateFile, SetCurrentDirectory with a way like slash slash some information goes here in my domain slash some directory will force breaking systems to resolve the DNS name for you. And it will send a DNS request to your server. And umm, personal firewall, actually will not block it. And that means you win. If you would like some to get some information back from DNS server and not using any network connections, you for example would like, use for example ipconfig /displaydns. And you will see the result of DNS replies or test by DNS client for you and you could extract from that and actually know there's not any personal firewalls that will get you doing such things. It's slow, but if you want just to send your user name and password to somewhere in the internet, that's quite enough.
Second way to send the user name and hashes to what you just dropped to your command and control center is using Google. Many times during my penetration testing works I see the company was using some kind of white listing (indiscernible) or proxy servers that block any unknown web sites but Google come in quite often. It's opened for everybody, even for (indiscernible) company. Even for the most unprivileged users, so we could use to, we could try to use it to send data back to home. The trick is using the IP of Google.com and try to ask Google.com to send the data to a application in China for Google. So to perform that attack we should install our own application engine and capture the data is and send it to somewhere else where actually could brute force it. And using that way, any proxy server that is monitoring the internet of users, could see what user just searching something in internet and nothing else. So we will win after that.

How could we mitigate of those kind of that attacks? First of all, we could try to use two factor authentication. Any kind of token, or hardware token or software token, strong passwords as you mentioned. We should brute force hashes that we just drop to extract the passwords. If the password was quite strong we will fail and passwords wouldn't be extracted. And the last suggestion is just to try to disable unused packages. For example, as you see the benchmarking slide. There is it, HTTP Digest package allows you to double the speed of brute force and passwords. So if you disable it, the attackers only, will use only (indiscernible) to attack your users.

So what's next? In a week, I will release Metasploit post exploitation module. My implementation of attacks (indiscernible) in the seat currently on a github. But the Metasploit module is currently in the work. It has some bugs, for example, it doesn't support fully supported protocol and do not extract hashes from every operating system.
I know at least, I know it (indiscernible) hashes, but it's difficult to extract because (indiscernible) for that protocol is about one hundred pages. So I don't have time to read it full. And umm, I don't know something else. Something else to improve. So that's all. I am ready to think maybe answer questions.
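Added example, not the speaker's code or his Metasploit module: a Python parser for the NTLM type 2 (challenge) and type 3 (authenticate) messages the talk walks through, with constructed sample messages built in the same block so it runs offline. It pulls out the server challenge, user, domain and NT response and tells NTLMv1 from NTLMv2 by response length, which is the check a defender wants when verifying that NTLMv1 and the unused packages the talk mentions really are disabled.

```python
import struct
# Layouts follow MS-NLMP; every sample value below is constructed, not captured from a real host.
SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001          # payload strings are UTF-16LE when this flag is set

def _field(buf, off):
    # Security buffer: Len(2) MaxLen(2) Offset(4), little-endian; returns the bytes it points at
    ln, _maxlen, start = struct.unpack_from("<HHI", buf, off)
    return buf[start:start + ln]
def _check(msg, mtype):
    if msg[:8] != SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != mtype:
        raise ValueError("not an NTLM type %d message" % mtype)
def parse_challenge(msg):
    # Type 2: TargetName buffer at 12, NegotiateFlags at 20, 8-byte ServerChallenge at 24
    _check(msg, 2)
    flags = struct.unpack_from("<I", msg, 20)[0]
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    return {"flags": flags, "challenge": msg[24:32], "target": _field(msg, 12).decode(enc)}
def parse_authenticate(msg):
    # Type 3: LM, NT, Domain, User, Workstation, SessionKey buffers start at 12; flags at 60
    _check(msg, 3)
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    nt = _field(msg, 20)
    # A 24-byte NtChallengeResponse is NTLMv1; NTLMv2 is NTProofStr(16) + a variable blob, so longer
    return {"domain": _field(msg, 28).decode(enc), "user": _field(msg, 36).decode(enc),
            "workstation": _field(msg, 44).decode(enc), "nt_response": nt,
            "ntlm_version": 1 if len(nt) == 24 else 2}
def build_challenge(challenge, target):
    # Constructed type 2: TargetInfo empty, Version zeroed, TargetName payload at offset 56
    tn = target.encode("utf-16-le")
    hdr = SIGNATURE + struct.pack("<I", 2) + struct.pack("<HHI", len(tn), len(tn), 56)
    hdr += struct.pack("<I", NEGOTIATE_UNICODE) + challenge + b"\x00" * 8    # flags, challenge, Reserved
    return hdr + struct.pack("<HHI", 0, 0, 56 + len(tn)) + b"\x00" * 8 + tn  # TargetInfo, Version
def build_authenticate(domain, user, workstation, lm, nt):
    # Constructed type 3: buffers in header order, Version and MIC zeroed, payload at offset 88
    parts = [lm, nt] + [s.encode("utf-16-le") for s in (domain, user, workstation)] + [b""]
    fields, payload, off = b"", b"", 88
    for p in parts:
        fields += struct.pack("<HHI", len(p), len(p), off)
        payload, off = payload + p, off + len(p)
    return SIGNATURE + struct.pack("<I", 3) + fields + struct.pack("<I", NEGOTIATE_UNICODE) + b"\x00" * 24 + payload
def demo():
    # Round-trip a constructed exchange; returns the parsed type 2 and type 3 messages
    chal = bytes.fromhex("0123456789abcdef")
    nt_v2 = bytes(range(16)) + b"\x01\x01" + b"\x00" * 30     # NTProofStr + dummy blob, 48 bytes
    t2 = parse_challenge(build_challenge(chal, "CORP"))
    t3 = parse_authenticate(build_authenticate("CORP", "alice", "WS01", b"\x00" * 24, nt_v2))
    return t2, t3
```

Point `parse_challenge` and `parse_authenticate` at the raw NTLMSSP blobs from a capture (after base64-decoding the HTTP or SMB carrier) to see which NTLM version a client on your network actually negotiated.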