
  • Slides: 13
Internal Recon
Offensive Security

Slide 2: Once you get access, now what?
https://www.swc.com/blog/security/disrupting-cyber-kill-chain-microsoft-solutions

Slide 3: Internal Recon
• First steps on a machine
• Shells: two is one, one is none
• Start passive
• Frustrating to get caught by defenders on the first box
• Information gathered informs the next steps
Do not drop software or persistence

Slide 4: Goals
• Find out about where you are
• Figure out what you can do from the context you are in
What context you are in: type of system, filesystem, users, network, security

Slide 5: Host
• OS
  • Release
  • Patches
• System purpose
• Users: /etc/passwd, net users
  • Are any of them logged in? Which are admins? What are they admin of?
• Security settings/group policy
  • AV/EDR/Sysmon

Slide 6: Networking
• IP address: ipconfig/ifconfig
• Network connections and services: netstat
• ARP: arp
• Firewall
  • Windows: netsh
  • Linux: ufw, iptables, firewall-cmd

Slide 7: Services
• Typically have higher permissions
• Could always be running
• Insecure service path
• Config files
Windows service users are usually local admins

Slide 8: Network (Passive)
• Watching network traffic from the local machine
• Wireshark: doubt you'll have this
• tcpdump: you might have this
• Local tools: netsh; iptables/python

Slide 9: Network (Active)
• Passive network recon should have provided a starting point
• What does your network look like?
• Can you route to other internal networks? DMZ -> servers
• Scanning the network: nmap, custom solution

Slide 10: Active Directory
• Are you on a domain?
• Where are your domain controllers? nltest /dclist:[domain]
• Users/Groups
• Trusts
• Local/Domain/Enterprise/Server/Exchange Admin

Slide 11: BloodHoundAD
• https://github.com/BloodHoundAD/BloodHound
• Uses graph theory to traverse AD relationships
• Scenario
• How does it do this? Blasts the network with queries
  • Group, LocalAdmin, RDP, DCOM, GPOLocalGroup, Session, ObjectProps, ComputerOnly, LoggedOn, Trusts, ACL, Container, DcOnly

Slide 12: Automated Approaches
• Metasploit post modules
• LinEnum.sh
• les.sh
• Nishang
• PowerSploit
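The host, networking and Active Directory commands listed on the slides, and the query burst noted for BloodHound, are exactly what a defender watches for: several of them from one account in a short window is a strong signal of first-box enumeration. Added example, not part of the slides: a Python detector over constructed process-creation events (hostnames, users, domain name, window and threshold are all assumptions).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Enumeration commands from the host, networking and AD slides, keyed by image name.
RECON_PATTERNS = {
    "net.exe": re.compile(r"\bnet\s+(user|users|group|localgroup)\b", re.I),
    "nltest.exe": re.compile(r"/dclist:", re.I),
    "ipconfig.exe": re.compile(r"^ipconfig", re.I),
    "arp.exe": re.compile(r"^arp\s+-a", re.I),
    "netstat.exe": re.compile(r"^netstat", re.I),
}
WINDOW = timedelta(minutes=10)  # assumption: a recon "burst" spans 10 minutes
THRESHOLD = 3                   # assumption: distinct tools needed to alert

def parse_event(line):
    """Constructed whitespace-separated event: ts host user image cmdline."""
    ts, host, user, image, cmdline = line.split(maxsplit=4)
    return datetime.fromisoformat(ts), host, user, image.rsplit("\\", 1)[-1].lower(), cmdline

def is_recon(image, cmdline):
    pat = RECON_PATTERNS.get(image)
    return bool(pat and pat.search(cmdline))

def find_recon_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """(host, user, first_ts, tools) per principal running >= threshold distinct recon tools in one window."""
    hits = defaultdict(list)
    for line in filter(str.strip, lines):
        ts, host, user, image, cmdline = parse_event(line)
        if is_recon(image, cmdline):
            hits[(host, user)].append((ts, image))
    alerts = []
    for (host, user), events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            tools = {img for ts, img in events[i:] if ts - start <= window}
            if len(tools) >= threshold:
                alerts.append((host, user, start, sorted(tools)))
                break  # one alert per principal is enough for triage
    return alerts

# Constructed sample: a fast enumeration run on WS01, routine admin use on WS02.
SAMPLE_EVENTS = r"""
2024-05-01T10:00:05 WS01 CORP\jdoe C:\Windows\System32\net.exe net users
2024-05-01T10:00:09 WS01 CORP\jdoe C:\Windows\System32\ipconfig.exe ipconfig /all
2024-05-01T10:00:12 WS01 CORP\jdoe C:\Windows\System32\netstat.exe netstat -ano
2024-05-01T10:00:20 WS01 CORP\jdoe C:\Windows\System32\nltest.exe nltest /dclist:corp
2024-05-01T10:30:00 WS02 CORP\ops C:\Windows\System32\ipconfig.exe ipconfig
2024-05-01T14:00:00 WS02 CORP\ops C:\Windows\System32\net.exe net users
""".strip().splitlines()
```

Running `find_recon_bursts(SAMPLE_EVENTS)` flags only WS01/CORP\jdoe, because WS02 ran two recon tools hours apart; on real data feed it Sysmon event ID 1 or Windows 4688 records with the same five fields.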

Slide 13: References
• Mubix's Online Documents
  • Linux/Unix/BSD: bit.ly/pqJxA5
  • Windows: bit.ly/1em7gvG