Hack Back — A DIY Guide (Hacking Team)

Exploit iSCSI

iSCSI devices were supposed to be on a separate network, but nmap found a few in their subnetwork 192.168.1.200/24. The author forwarded the port so that he could mount it from a VPS, and used the iscsiadm command on the VPS to perform target discovery.

Access domain admin via backup data

Backup data: used pwdump, cachedump, and lsadump on the registry hives. lsadump found the password to the besadmin service account.

Check password: the author used proxychains with the socks server on the embedded device and smbclient to check the password, and it worked. The password for besadmin was still valid, and a local admin.

Result: the author got a meterpreter session, ran “load kiwi” and “creds_wdigest”, and got a bunch of passwords, including the Domain Admin.

Downloading the mail

With the Domain Admin password, the author had access to the email. After downloading the emails, it took him another couple of weeks to get access to the source code and everything else, so he had to download the new emails. The server was Italian, with dates in the format day/month/year. He used:

Downloading files

Now that he’d gotten Domain Admin, he started to download file shares using his proxy and the -Tc option of smbclient, for example:

He downloaded the Amministrazione, FAE DiskStation, and FileServer folders in the torrent like that.

Lateral movement

The author gives a brief review of the different techniques for spreading within a Windows network:

+ Remote execution: requires the password or hash of a local admin on the target. The most common way to obtain credentials is using mimikatz, especially sekurlsa::logonpasswords and sekurlsa::msv, on the computers where you already have admin access.
+ The techniques for “in place” movement also require administrative privileges (except for runas). The most important tools: PowerUp and bypassuac.

Remote movement

Psexec: the tried and true method for lateral movement on Windows.
WMI: the most stealthy method.
PSRemoting: if the sysadmin has already enabled it, it’s very convenient.
Scheduled tasks: can execute remote programs with at and schtasks.
GPO: if the author is Domain Admin, he can use GPO to give users a login script, install an msi, or execute a scheduled task.

“In place” movement

Token stealing: once you have admin access, you can use the tokens of the other users to access resources in the domain.
MS14-068: can take advantage of a validation bug in Kerberos to generate Domain Admin tickets.
Pass the hash: if you have a user’s hash but they’re not logged in, you can use sekurlsa::pth to get a ticket for the user.
Process injection: any RAT can inject itself into other processes.
Runas: this is sometimes very useful since it doesn’t require admin privileges.

Persistence

Once an attacker has access, they want to keep it, and so did the author. Really. He always used Duqu 2 style “persistence”, executing in RAM on a couple of high-uptime servers. On the off chance that they all reboot at the same time, he had passwords and a golden ticket as backup access.

Internal reconnaissance

● Downloading a list of file names
● Reading email
● Reading sharepoint
● Active Directory
● Spy on the employees

Hunting sysadmins

Accessing sysadmins: the author wanted to access Rete Sviluppo, an isolated network with the source code for RCS. So he looked for sysadmin privileges. The author accessed the computers of Mauro Romeo and Christian Pozzi, who were responsible for administering the Sviluppo network.

Open port / executing Meterpreter: the author opened the port of Mauro Romeo’s computer for Windows Management Instrumentation (WMI). From there the author could perform various actions, such as keylogging, screen scraping, using Metasploit modules, and searching for interesting files.

TrueCrypt: Pozzi had a TrueCrypt volume; the author waited until he’d mounted it and then copied off the files.

Weak passwords: Pozzi had weak passwords.

The bridge: within Christian Pozzi’s TrueCrypt volume, there was a text file with many passwords. One of those was for a Fully Automated Nagios server, which had access to the Sviluppo network in order to monitor it. That was the bridge the author needed. The text file just had the password to the web interface, but there was a public code execution exploit (it’s an unauthenticated exploit, but it requires that at least one user has a session initiated, for which he used the password from the text file).

Reusing and resetting passwords: reading the emails, the author saw Daniele Milan granting access to git repos. He already had his Windows password from mimikatz. He tried it on the git server and it worked. Then he tried sudo and it worked. For the gitlab server and their twitter account, the author used the “forgot my password” function along with his access to their mail server to reset the passwords.
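Each remote-movement method listed in the Lateral movement slides leaves a distinct trace in Windows event logs, which is what a defender would hunt for. The following is an added example (not from the original guide or the deck) that maps constructed Security/System event records to those techniques; the field names follow the Windows event schema, the values and host names are made up.

```python
import re

# Constructed sample events (made-up values; field names follow the Windows event schema).
SAMPLE_EVENTS = [
    {"EventID": 7045, "Host": "srv1", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 4698, "Host": "srv1", "TaskName": r"\At1",
     "Command": r"C:\Windows\Temp\update.exe"},
    {"EventID": 4688, "Host": "srv2", "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"EventID": 4688, "Host": "srv2",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Windows\System32\wsmprovhost.exe"},
    {"EventID": 4688, "Host": "ws7", "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe"},  # benign interactive launch
]

# Binaries dropped into world-writable locations are a common sign of a pushed payload.
TEMP_PATH = re.compile(r"\\(Temp|Users\\Public|ProgramData)\\", re.I)

def classify(event):
    """Return the remote-movement technique an event suggests, or None if it looks benign."""
    eid = event.get("EventID")
    if eid == 7045:  # System log: a new service was installed
        if event.get("ServiceName", "").upper() == "PSEXESVC" \
                or TEMP_PATH.search(event.get("ImagePath", "")):
            return "psexec (remote service install)"
    elif eid == 4698:  # Security log: a scheduled task was created
        if TEMP_PATH.search(event.get("Command", "")) or event.get("TaskName", "").startswith("\\At"):
            return "at/schtasks (scheduled task)"
    elif eid == 4688:  # Security log: a new process was created
        parent = event.get("ParentProcessName", "").lower()
        if parent.endswith("\\wmiprvse.exe"):
            return "WMI (child of WmiPrvSE.exe)"
        if parent.endswith("\\wsmprovhost.exe"):
            return "PSRemoting (child of wsmprovhost.exe)"
    return None

def detect(events):
    """Return [(host, technique)] for every event that matches a lateral-movement pattern."""
    hits = []
    for ev in events:
        technique = classify(ev)
        if technique:
            hits.append((ev["Host"], technique))
    return hits

if __name__ == "__main__":
    for host, technique in detect(SAMPLE_EVENTS):
        print(f"{host}: {technique}")
```

Events 4688 and 4698 only appear when process-creation and object-access auditing are enabled, so the absence of hits on a host with default audit policy proves nothing.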