the infosec revival
DESCRIPTION
As shown by headlines and countless intrusions, even moderately skilled attackers can sail through the defenses of a typical corporate network. Using a playbook of techniques both common and uncommon, intruders can bypass almost all security barriers despite even tough policies on end users and admins. But failure is not inevitable for a defender. There are many practical ways a network can be constructed that will wipe out most of the playbook, and they don’t always require expensive purchases. Security must be built from the start, and this presentation will show you how it’s done: how to intelligently look at threats and plan defenses for a Windows network.
TRANSCRIPT
THE INFOSEC REVIVAL
Why owning a typical network is so easy, and how to build a secure one
Matt Weeks
scriptjunkie.us · @scriptjunkie1
OUTLINE
The Evil That Threatens Us
Network Defenses
Host Defenses
THE EVIL THAT THREATENS US
Network Intrusion Playbook
LEVELS OF ACCESS
• Limited User
• Local Admin
• Lateral Movement
• Domain Admin
• Internal Network
• Internal Server
INITIAL ACCESS
(Attack-graph slide: Start → initial access vector → first foothold, one of Internal Network, Internal Server, Limited User or Local Admin.)
• External Server Exploit: Web/SQLi/password
• Client-side Exploit: Java, PDF, Office, Browser
• Social Engineering via Email/Browser
• Physical Items: Thumb Drives/CDs autorun/link/EXE, HID-spoofing USB Devices
• Physical Access
• Supply-chain Compromise
LIMITED USER EXPANSION
(Attack-graph slide: Limited User → Local Admin → Lateral Movement.)
• Weak file/service/registry permissions
• Find plaintext passwords in scripts/registry
• Local exploit – win32k, ntvdm…
• Guess/Bruteforce local admin password
• Find system current user is local admin on
• Internal server-side exploit – SMB, PXE attacks
• Spread links via shares, email; Relay NTLM or crack NTLM password
• Shares: DLL preloading, shortcut hijacks…
• Dump local hashes, re-use local admin accounts
LOCAL ADMIN TO DA
(Attack-graph slide: Local Admin → Domain Admin.)
• Hijack active domain logon: dump wdigest/tspkg-cached password
• Hijack active domain logon: steal token/hash/ticket
• Find plain-text password in scripts/registry
• Keylog admin password
• Crack domain cached credentials
• Deobfuscate LSA Secrets, saved passwords
INTERNAL NETWORK/SERVER ATTACKS
(Attack-graph slide: Internal Network/Server → Local Admin, Internal Server, Local User, Domain Admin.)
• Internal server-side exploits, PXE attacks
• Internal web attack, guessed password
• Internal client-side attacks; including ARP poisoning, WPAD
COMBINED
(Attack-graph slide combining the previous four; nodes: Start, Internal Network, Internal Server, Limited User, Local Admin, Lateral Movement, Domain Admin.)
• External Server Attack
• Client-side Exploit
• Social Engineering
• Physical Item Drop
• Physical Access
• Supply-chain Compromise
• Weak permissions
• Find plaintext passwords
• Local exploit
• Guess local admin password
• Find system current user is local admin on
• Internal server-side exploit
• Relay/crack NTLM
• Attacks through shares
• Pass local hashes
• Dump cached active password
• Hijack token, hash, ticket
• Find plain-text password
• Keylog password
• Crack domain cached credentials
• Deobfuscate LSA Secrets
• Internal Server Attacks
• Internal Client-side Attacks
COMMUNICATION
Direct IP’s
Dynamic DNS/registered domains
FTP/HTTP/HTTPS…
DNS exfil
Shares
Tor
USB drives
Webmail/data sharing sites
Compromised sites
AIR GAP
“The only way to completely secure your computer is to disconnect it from the internet” – UC San Diego
Still not completely secure, but still the gold standard
Tight physical/personnel security
Prevent USB drives (disable USB drivers)
Everything without air-gap, isolate as much as possible
DEFAULT ALLOW IS EVIL!
Isolate workstations
• No direct connections out
• Whitelist DNS
• Whitelist HTTP by proxy
• Block social networking/file sharing
• Block inter-workstation/ARP-spoofing
Isolate servers, admin accounts
• Stricter whitelist out
• DMZ for internet-accessible servers
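The host-firewall half of the workstation isolation above, as an added example that is not from the talk: default-deny in both directions, then allow only DNS to the internal resolvers, HTTP/HTTPS through the proxy, traffic to the domain controllers, and inbound admin access from the admin subnet. Run elevated; every address and port is a constructed placeholder.

```powershell
# Added example (not from the talk): the host-firewall half of "default allow
# is evil" for a domain workstation. Default-deny both directions, then allow
# only DNS to the internal resolvers, HTTP/HTTPS through the proxy, traffic to
# the domain controllers, and inbound admin access from the admin subnet.
# Run elevated; every address and port below is a constructed placeholder.
$InternalDns = '10.0.0.53', '10.0.0.54'   # constructed
$DomainCtrls = '10.0.0.10', '10.0.0.11'   # constructed
$Proxy       = '10.0.1.8'                 # constructed
$ProxyPort   = 3128                       # constructed
$AdminSubnet = '10.0.9.0/24'              # constructed admin workstation subnet

# Anything not matched by an enabled allow rule is dropped, on every profile.
Set-NetFirewallProfile -All -DefaultInboundAction Block -DefaultOutboundAction Block

function Add-AllowRule {
    param([string]$Name, [string]$Direction, [string[]]$Remote, [string]$Protocol, [object]$Port)
    Remove-NetFirewallRule -Name $Name -ErrorAction SilentlyContinue   # makes the script re-runnable
    $p = @{ Name = $Name; DisplayName = $Name; Direction = $Direction; Action = 'Allow'; RemoteAddress = $Remote }
    if ($Protocol) { $p.Protocol = $Protocol }
    if ($Port) { if ($Direction -eq 'Inbound') { $p.LocalPort = $Port } else { $p.RemotePort = $Port } }
    New-NetFirewallRule @p | Out-Null
}

Add-AllowRule -Name 'ws-out-dns'   -Direction Outbound -Remote $InternalDns -Protocol UDP -Port 53
Add-AllowRule -Name 'ws-out-proxy' -Direction Outbound -Remote $Proxy       -Protocol TCP -Port $ProxyPort
Add-AllowRule -Name 'ws-out-dc'    -Direction Outbound -Remote $DomainCtrls   # Kerberos, LDAP, SMB, RPC to the DCs
Add-AllowRule -Name 'ws-in-admin'  -Direction Inbound  -Remote $AdminSubnet -Protocol TCP -Port 3389, 5985
# No other inbound rule: other workstations cannot reach this one at all.
```

The default-deny only covers traffic that no enabled rule matches, so the built-in rule groups (Core Networking and friends) still allow what they allow; review them with Get-NetFirewallRule and disable the ones that open direct paths out. In practice the same rules are pushed by Group Policy rather than run per host.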
COMMUNICATION
(Channel → countermeasure; pairing reconstructed from slide order.)
Direct IP’s → Firewall; no direct connections out
Dynamic DNS/registered domains → Whitelist/categorical block
FTP/HTTP/HTTPS… → Whitelist/firewall policy
DNS exfil → DNS whitelist
Shares → Firewalls/segmentation
Tor → Firewall/Whitelist
USB drives → USB-disabling, user education
Webmail/data sharing sites → Categorical block (sorry!)
Compromised sites → (no countermeasure listed)
CONTROL THE HOSTS
Disable common social engineering vectors
• Java
• Office Macros
Stop privilege escalation
• Automate permissions checks
• Prevent remote local account logins
Never allow passwords
15 PASSWORD EVILS!
Admins leave passwords in shared drives & scripts
Can be dumped from memory
Can be keylogged
Can be guessed
Everybody reuses them
Hard to remember
15 PASSWORD EVILS!
Social engineering
Passing-the-hash
Pot of gold hash dumps
Easy lockouts or online brute force
NTLM relay
NTLM auth and cached credential offline cracking
Painful post-attack cleanup (reset every password)
NEVER ALLOW PASSWORDS
Force smart card logon for all users
Force Kerberos by denying all incoming NTLM
Deny network, RDP logon to any non-smart card local or service accounts
For extra credit
• Disable secondary logon service to prevent password-privesc
• Require SMB signing to address MITM attacks
• Set low maximum machine account password age to address computer creds
Results – solves all 15 problems
NEVER ALLOW PASSWORDS
Prevents passing-the-hash; hashes are not used
No hash/private credential database to steal in bulk
Private keys cannot be stolen, dumped from memory or keylogged
Can’t re-use, choose bad passwords, or give them to online social engineers
Don’t need to worry about lockouts or on/offline brute force or NTLM relay
Admins cannot leave passwords in shared drives or scripts
Only active logons can be hijacked – temporarily
Easier on users’ memory and easy to clean up from!
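An audit script for the settings in the two slides above, added here as an example that is not from the talk. It reads the registry values that back the named Group Policy settings and, with -Apply, sets them; -Apply and the 7-day machine account password age are this script's own choices, not figures from the talk.

```powershell
# Added example (not from the talk): audit, and with -Apply set, the local
# settings behind "never allow passwords". Run elevated on a domain member.
# The registry values are the documented backing store of the named Group
# Policy settings; -Apply and the 7-day machine password age are this
# script's own choices, not figures from the talk.
[CmdletBinding()]
param([switch]$Apply)

$checks = @(
    # Interactive logon: Require smart card
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'scforceoption'; Want = 1; Why = 'Force smart card logon for all users' }
    # Network security: Restrict NTLM: Incoming NTLM traffic = Deny all accounts
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Name = 'RestrictReceivingNTLMTraffic'; Want = 2; Why = 'Deny all incoming NTLM (force Kerberos)' }
    # Microsoft network server / client: Digitally sign communications (always)
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'RequireSecuritySignature'; Want = 1; Why = 'Require SMB signing (server)' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Name = 'RequireSecuritySignature'; Want = 1; Why = 'Require SMB signing (client)' }
    # Domain member: Maximum machine account password age (days; default 30)
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Name = 'MaximumPasswordAge'; Want = 7; Why = 'Low machine account password age' }
    # Secondary Logon service: Start = 4 is Disabled, so runas cannot be used for password privesc
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\seclogon'
       Name = 'Start'; Want = 4; Why = 'Disable secondary logon service' }
)

function Test-Setting([hashtable]$c) {
    $cur = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).$($c.Name)
    [pscustomobject]@{ Why = $c.Why; Setting = "$($c.Path)\$($c.Name)"; Current = $cur; Wanted = $c.Want
                       Compliant = ($cur -eq $c.Want) }
}

$report = foreach ($c in $checks) {
    $r = Test-Setting $c
    if ($Apply -and -not $r.Compliant) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Want -Type DWord
        $r = Test-Setting $c   # re-read so the report shows the state after the change
    }
    $r
}
$report | Format-Table Why, Current, Wanted, Compliant -AutoSize
```

The "deny network/RDP logon" items are user rights assignments (SeDenyNetworkLogonRight, SeDenyRemoteInteractiveLogonRight) set through Group Policy rather than registry values, so they are not checked here. Turn on the smart card and NTLM-deny settings only once every user and service on the host can authenticate with Kerberos and a certificate, otherwise the host locks you out.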
MANDATORY SMART CARD, KERBEROS
(Repeat of the COMBINED attack-graph slide.)
SECURID EVILS!
RSA server holds all passwords and seeds
On login, password is given to Windows; everything else is the same
Hash, pass can be dumped from memory
Social engineering (MITM - time limited)
Passing-the-hash
Pot of gold - hash dumps, passwords, seeds
NTLM relay
Very painful post-compromise cleanup (replace all tokens)
Does fix user-chosen or re-used passwords
ISOLATING ADMINS
Assign dedicated admin workstations
Restrict inbound workstation connections to remote admin sources
Block admin accounts from internet and email
Restrict privileged accounts from authenticating to lower trust systems
Mark privileged accounts as “sensitive and cannot be delegated”
Use remote management tools that do not place reusable credentials on a remote computer's memory
REMOTE MANAGEMENT
Stealable:
• Remote desktop
• Console physical logon
• Batch logon (scheduled tasks when not S4U)
• Service logon
• NetworkClearText/Basic authentication
• RUNAS
• Powershell WinRM with -Authentication Credssp or -Credential
Non-stealable (Use these instead):
• Net use/file shares
• Remote registry
• Remote service control manager
• MMC snap-ins
• Powershell WinRM without -Authentication Credssp or -Credential
• Psexec without explicit creds
• IIS integrated Windows authentication
• Intel AMT with Kerberos
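A detection for the table above, added as an example that is not from the talk: it reads 4624 logon events on a host and flags privileged accounts that arrived with one of the credential-exposing ("stealable") logon types rather than a type 3 network logon. Run elevated; the account names and time window are this script's own sample values.

```powershell
# Added example (not from the talk): detection for the stealable/non-stealable
# table. Reads 4624 logon events on this host and flags privileged accounts
# that arrived with a credential-exposing logon type rather than a type 3
# network logon. Run elevated; account list and window are sample values.
param(
    [string[]]$PrivilegedAccounts = @('CORP\da-alice', 'CORP\svc-backup'),   # constructed names
    [int]$Hours = 24
)

# 4624 LogonType values whose credentials stay resident on the target.
$Stealable = @{
    2  = 'Interactive (console)'
    4  = 'Batch (scheduled task, not S4U)'
    5  = 'Service'
    8  = 'NetworkCleartext (Basic auth)'
    9  = 'NewCredentials (RUNAS /netonly, -Credential)'
    10 = 'RemoteInteractive (RDP)'
    11 = 'CachedInteractive'
}
# Type 3 (Network) is what net use, remote registry, SCM, MMC, WinRM over
# Kerberos and psexec without explicit creds produce: nothing reusable is left.

function Get-StealableAdminLogon {
    param([string[]]$Accounts, [int]$Hours)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($ev in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        $fields = @{}
        foreach ($d in ([xml]$ev.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        $account = "$($fields.TargetDomainName)\$($fields.TargetUserName)"
        $type = [int]$fields.LogonType
        if (($Accounts -contains $account) -and $Stealable.ContainsKey($type)) {
            [pscustomobject]@{
                Time      = $ev.TimeCreated
                Account   = $account
                LogonType = "$type $($Stealable[$type])"
                Source    = $fields.IpAddress
                Process   = $fields.ProcessName
            }
        }
    }
}

Get-StealableAdminLogon -Accounts $PrivilegedAccounts -Hours $Hours | Format-Table -AutoSize
```

Any hit on a workstation that is not a dedicated admin workstation is a privileged credential sitting in that machine's LSASS memory; the same query run centrally against forwarded Security logs turns the table into an alert.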
No remote desktop?
But wait!
There is another way!
Secure RDP with temporary account
Video
EXPLOITS
“The bottom line is the way that we keep people out ... I don't care who hacks my system if they can't get in - let's make it hard for them to get in. And the way you do that is by eliminating software vulnerabilities” – a well-known exploit developer
“Too much of the debate begins and ends with the perpetrators and the victims of cyberattacks, and not enough is focused on the real problem: the insecure software or technology that allows such attacks to succeed.” – New York Times Op-Ed, 4 April 2013
IF EXPLOITS NEVER EXISTED
(Repeat of the COMBINED attack-graph slide.)
FIGHTING EXPLOITS
Secure webapps
• Write security into contract for custom apps
• Do not accept source-code-less apps without audit
• Scan/bugfix regularly
Force exploit mitigations
• Mandatory DEP, ASLR
• EMET SEHOP…
Patch in priority
Put vulnerable apps in VM isolation
VM ISOLATION
Virtual Machines > other sandboxes
• Hypervisor attack surface < kernel attack surface
• VM escapes have required guest LPE first; added barrier
Implementation:
• Commercial – Bromium/Invincea
• Free - Qubes
• VMware view client
• Citrix
• Roll-your-own with hypervisor/VNC
VM ISOLATION
Requirements
• Restrict network access
• Prevent host code execution
• Deny access to sensitive host files
Document VM with no internet access
• PDF reader, Office
• Stops exploits and social engineering
Browser VM
• Stronger sandbox
• VM needs internet access
Demo
VM ISOLATION
(Repeat of the COMBINED attack-graph slide.)
FILE SHARES ARE EVIL!
Executable planting
DLL Preloading
Shortcut hijacking
Script infecting
Do not use open Windows shares
Use a CMS
Disable WebDAV
Per-user home drives still OK
Admin-writable-only drives still OK
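A check for the slide above, added as an example that is not from the talk: it reports the SMB shares on a host that a broad group can write to (the open shares where executables, DLLs, shortcuts or scripts could be planted) and whether the WebDAV client is off. Effective access is the share ACL intersected with the NTFS ACL, so both are checked; the group list is this script's own.

```powershell
# Added example (not from the talk): report SMB shares on this host that a
# broad group can write to, and whether the WebDAV client is off. Effective
# access is share ACL AND NTFS ACL, so both are checked. Needs the SmbShare
# module (Windows 8 / Server 2012 and later); the group list is this script's own.
$Broad = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', "$env:USERDOMAIN\Domain Users"

function Test-BroadNtfsWrite([string]$Path) {
    # True if a broad principal has the CreateFiles (WriteData) bit on the folder
    # itself; generic-rights ACEs on inherit-only entries are not decoded here.
    $acl = Get-Acl -Path $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and ($Broad -contains $ace.IdentityReference.Value) -and
            (([int]$ace.FileSystemRights -band 2) -ne 0)) { return $true }
    }
    return $false
}

function Get-OpenWritableShare {
    # Hidden admin shares (C$, ADMIN$, IPC$) are skipped; they are not the open shares in question.
    foreach ($share in Get-SmbShare | Where-Object { $_.Name -notmatch '\$$' -and $_.Path }) {
        $shareWrite = Get-SmbShareAccess -Name $share.Name | Where-Object {
            $_.AccessControlType -eq 'Allow' -and ($_.AccessRight -in 'Full', 'Change') -and
            ($Broad -contains $_.AccountName)
        }
        if ($shareWrite -and (Test-BroadNtfsWrite $share.Path)) {
            [pscustomobject]@{
                Share      = $share.Name
                Path       = $share.Path
                WritableBy = (@($shareWrite.AccountName) | Sort-Object -Unique) -join ', '
            }
        }
    }
}

Get-OpenWritableShare | Format-Table -AutoSize
$webclient = Get-Service -Name WebClient -ErrorAction SilentlyContinue
if ($webclient -and $webclient.StartType -ne 'Disabled') { Write-Warning 'WebDAV client (WebClient service) is not disabled' }
```

Per-user home drives and admin-writable-only drives do not show up in this report, which is the point of the slide: only shares that any domain user can write to are listed.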
CODE WHITELISTING
Effective against some exploits, much malware, persistence
Bit9/Kaspersky/AppLocker… whitelists
Lock down powershell
Whitelist vbscript/javascript
Whitelist batch scripts
Whitelist Java
Block VBA macros
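A starting policy for the whitelisting slide above, added as an example that is not from the talk: it builds a default-deny AppLocker policy that allows only %WINDIR% and %PROGRAMFILES% for the EXE, DLL, MSI and Script collections (so vbs/js/bat/ps1 from profiles, mail, downloads or shares are blocked and PowerShell 5+ drops to Constrained Language mode) and sets the Office policy value that blocks VBA macros. Run elevated; the AuditOnly default, the exception list and the rule GUIDs are this example's own.

```powershell
# Added example (not from the talk): default-deny AppLocker policy for the
# whitelisting slide, plus the Office policy value that blocks VBA macros.
# Only %WINDIR% and %PROGRAMFILES% are allowed for EXE, DLL, MSI and Script,
# so scripts from profiles, mail, downloads or shares are blocked and
# PowerShell 5+ drops to Constrained Language mode. Run elevated; AuditOnly
# first, the exception list and the rule GUIDs are this example's own.
param([ValidateSet('AuditOnly', 'Enabled')][string]$Mode = 'AuditOnly')

function New-PathRule([string]$Name, [string]$Path, [string[]]$Except) {
    $ex = ''
    if ($Except) {   # carve user-writable directories out of the allow rule
        $conds = ($Except | ForEach-Object { "<FilePathCondition Path=`"$_`" />" }) -join ''
        $ex = "<Exceptions>$conds</Exceptions>"
    }
    "<FilePathRule Id=`"$([guid]::NewGuid())`" Name=`"$Name`" Description=`"`" UserOrGroupSid=`"S-1-1-0`" Action=`"Allow`">" +
    "<Conditions><FilePathCondition Path=`"$Path`" /></Conditions>$ex</FilePathRule>"
}

# Normal users can write under these %WINDIR% paths; without the exceptions a
# %WINDIR%\* allow rule lets them run anything they drop there.
$userWritable = '%WINDIR%\Temp\*', '%WINDIR%\Tasks\*', '%WINDIR%\Tracing\*'
$allow = (New-PathRule 'Windows' '%WINDIR%\*' $userWritable) + (New-PathRule 'Program Files' '%PROGRAMFILES%\*')

$xml = '<AppLockerPolicy Version="1">'
foreach ($type in 'Exe', 'Dll', 'Msi', 'Script') {
    $xml += "<RuleCollection Type=`"$type`" EnforcementMode=`"$Mode`">$allow</RuleCollection>"
}
$xml += '</AppLockerPolicy>'

$policyFile = Join-Path $env:TEMP 'applocker-policy.xml'
Set-Content -Path $policyFile -Value $xml -Encoding UTF8
sc.exe config appidsvc start= auto | Out-Null   # AppLocker enforcement needs the Application Identity service
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyFile      # replaces the local policy; use -Ldap to write a GPO instead

# Block VBA macros (Office 2016/365 policy key; 4 = disable all without notification)
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 4 -Type DWord
}
```

Leave it in AuditOnly until the 8003 "would have been blocked" events in the Microsoft-Windows-AppLocker/EXE and DLL and /MSI and Script logs stop listing legitimate software, then rerun with -Mode Enabled. Java is not an AppLocker collection; it is covered by whitelisting java.exe/javaw.exe under the EXE rules, or by removing Java as the earlier slide suggests.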
SUMMARY
Air-gap what you can
Whitelist everything
Kill passwords & NTLM; use smart cards/kerberos
Use strong mitigations
Put your programs in isolated VM’s
Don’t use Windows shared folders
THE END
QUESTIONS