Coming back on the heels of Black Hat 2017, I’ve finally managed to find my normal routine again. Hacker summer camp ’17 was incredible! So much knowledge, laughs, and incredible people in constant networking and collaboration. I was able to kick off the entire conference week with a four-day training by the NotSoSecure folks, who had several trainings at Black Hat this year. The course I took was four days of Advanced Infrastructure Hacking. Now, the course title could have used some work, because of the four days I’d say only 1.5 were actually focused on “infrastructure”. I’ll chalk the definition differences up to culture. The course was taught primarily by Anant Shrivastava (@anantshri), who is @notsosecure’s regional director and is very active with open-source projects and his blog. Anant had his entire team there to help out with any questions or problems the 150+ students in the class may have had.
Overall, I really enjoyed the course and picked up a few new tricks to add to my belt. It’s always incredible to see how other penetration testers use tools, techniques, and methodologies differently. There is always more than one way to breach an objective, so seeing things through their eyes was a great opportunity.
Each module was taught as a brief review of the technology, a technical lecture, a live demo, lab time to re-create the live demo, and then a review. This was repeated throughout the four days and built on itself, since each attack scenario helped frame a larger attack on a mock network. Using each attack as demonstrated, and then in our own labs, let us walk through the four days and pwn all 10 boxes by the end of the course.
The day started out going over some rather rudimentary discovery concepts; however, the command syntax used was a bit different from what I was used to. For example, using nmap with extremely verbose output to the screen, a TCP connect scan of all 65k ports, the aggressive option set (-A: OS and version detection, default scripts, traceroute), output in all three popular formats (XML, grepable, normal), and only against hosts listed in an input file. Again, nothing new, just a different approach, and I really appreciated seeing how other professional penetration testers do it.
nmap -n -vvvv -sT -p0-65535 -A -iL livehost.txt -oA nmap_scan
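The -oA flag above writes three files, and the one worth scripting against is the grepable nmap_scan.gnmap, because it carries one host per line and is what later stages (SMB attacks on day two, for instance) get fed from. The parser below is an added example for this post, not anything from the course; the sample .gnmap text is constructed to match the format that command writes, and the hosts and banners in it are invented.

```python
"""Parse nmap grepable output (-oG / the .gnmap file from -oA) into open ports per host.

Added example; the sample text below is constructed and the hosts are hypothetical.
Each entry in the 'Ports:' field has the form
    port/state/protocol/owner/service/rpc-info/version/
separated by ", ". Splitting on commas is unsafe because version strings may
contain commas, so a regex anchored on the next "port/" is used instead.
"""
import re
from collections import defaultdict

SAMPLE_GNMAP = """\
# Nmap 7.60 scan initiated Sat Aug  5 09:00:00 2017 as: nmap -n -vvvv -sT -p0-65535 -A -iL livehost.txt -oA nmap_scan
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.2p2 Ubuntu/, 80/open/tcp//http//Apache httpd 2.4.18/, 8080/open/tcp//http//Jetty 9.2.z/\tIgnored State: closed (65533)
Host: 10.0.0.7 ()\tStatus: Up
Host: 10.0.0.7 ()\tPorts: 135/open/tcp//msrpc//Microsoft Windows RPC/, 139/open/tcp//netbios-ssn//Microsoft Windows netbios-ssn/, 445/open/tcp//microsoft-ds//Windows Server 2008 R2 microsoft-ds/, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (65532)
# Nmap done at Sat Aug  5 10:12:31 2017 -- 2 IP addresses (2 hosts up) scanned in 4351.20 seconds
"""

PORT_RE = re.compile(
    r"(?P<port>\d+)/(?P<state>[^/]*)/(?P<proto>[^/]*)/(?P<owner>[^/]*)/"
    r"(?P<service>[^/]*)/(?P<rpc>[^/]*)/(?P<version>.*?)/(?=, \d+/|$)"
)


def parse_gnmap(text):
    """Return {host: [{"port", "proto", "service", "version"}, ...]} for OPEN ports only."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue  # comment / summary lines
        fields = line.split("\t")
        host = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue  # "Status:" and "Ignored State:" fields
            for m in PORT_RE.finditer(field[len("Ports: "):]):
                if m.group("state") != "open":
                    continue  # filtered/closed are noise for the next stage
                hosts[host].append({
                    "port": int(m.group("port")),
                    "proto": m.group("proto"),
                    "service": m.group("service"),
                    "version": m.group("version"),
                })
    return dict(hosts)


def hosts_with_port(parsed, port, proto="tcp"):
    """Hosts exposing a given port, e.g. 445/tcp to feed SMB tooling."""
    return sorted(h for h, ports in parsed.items()
                  if any(p["port"] == port and p["proto"] == proto for p in ports))


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    for host, ports in scan.items():
        print(host, ", ".join(f'{p["port"]}/{p["proto"]} {p["service"]} ({p["version"]})' for p in ports))
    print("SMB targets:", hosts_with_port(scan, 445))
```

Point it at a real file with `parse_gnmap(open("nmap_scan.gnmap").read())`; the XML output is richer, but for "give me every host with 445 open" the grepable form needs no XML parser.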
There was also a review of several other technologies and concepts such as IPv4, IPv6, and SNMP v1/2/3, with some exercises around them. The next big section was Distributed Version Control Systems (DVCS) such as Git, and Continuous Integration / Continuous Deployment (CI/CD) with a tool called Jenkins. There are several technologies that use this concept, but the automated build -> test -> deploy pipeline, done quickly, is the heart of it. There was also a lengthy review of different database types such as MySQL, Oracle, and Postgres. We were taught sqlmap tips and tricks and other tools such as ODAT. We used another tool called RazorSQL to connect to an Oracle database with minimal credentials and built our own function to elevate privileges by leveraging an index on the SYS.DUAL table. We also went over several recent, widely publicised vulnerabilities including Heartbleed (OpenSSL) and Shellshock (bash), and how to leverage them together. One large area I had no expertise in was Java serialization attacks, so it was great to get an overview of that attack type and see it live in a demo and lab time.
The second day was all about hacking Windows and the many types of attacks and privilege escalation techniques you could use. I wouldn’t necessarily say this is “infrastructure”, but hey, we could be using a Windows endpoint to attack a Windows server such as a Domain Controller, which is a large attack surface in modern networks.
- Host/User Enumeration
- AppLocker/GPO Bypass Techniques
- Privilege Escalation
- Post Exploitation
- Antivirus/AMSI Bypass Techniques
- Exfiltration of Data and Secrets
- Active Directory Delegation Enumeration and Pwnage
- Remote Services, Pivoting and Lateral Movement in a Network
- Golden Ticket and DCSync
- Reviewing other methods
A day full of Windows hacking kicked off with a lot of review for me, especially in enumeration, but that was okay. We reviewed several techniques, including using NetBIOS and SMB null sessions to extract hostnames, usernames, and network shares from Windows boxes. There was a breakdown of how older versions of Windows really exposed this, including RID cycling. There was a lengthy lecture on AppLocker and restrictions in that environment, which included a demo of how to bypass some of those restrictions. I found this section very useful since I had not had much exposure to restricted Windows environments like this. Learning how to leverage PowerShell to break out of such environments was awesome! We also spent a bit of time reminiscing about the tried and true remote exploit for Windows XP back in the day: MS08-067 was such a classic. Since then, however, there have been several high-profile leaks of some incredible tools and exploits. EternalBlue and Fuzzbunch brought us a new remote SMBv1 exploit, patched as MS17-010, which affected Windows versions all the way up through Windows 10 and Server 2016. There is even a Metasploit module for it, and there is a really neat demo of that in action by the NotSoSecure folks. Other useful tools, Responder and MultiRelay, were also mentioned and demoed.
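The NetBIOS enumeration mentioned above starts with a single UDP datagram: a node-status (NBSTAT) query to port 137, which is what nbtscan and nmblookup -A send, and the reply lists every name the box has registered, including its hostname, its domain, and whether it is a domain controller. The code below is an added example for this post, not from the course; it builds the RFC 1002 request, parses a reply, and includes a constructed reply for a hypothetical DC01 in domain CORP so it can be exercised without a target.

```python
"""NetBIOS node-status (NBSTAT) query over UDP/137: build the request, parse the reply.

Added example, not course material. The sample reply is constructed for a
hypothetical domain controller DC01 in domain CORP.
"""
import socket
import struct

NBSTAT = 0x0021
WILDCARD_NAME = b"*" + b"\x00" * 15  # node-status queries are sent to the "*" name


def encode_name(raw16):
    """RFC 1002 first-level encoding: each nibble of the 16-byte name becomes a letter A..P."""
    if len(raw16) != 16:
        raise ValueError("NetBIOS names are 15 chars plus a 1-byte suffix")
    out = bytearray()
    for b in raw16:
        out += bytes((0x41 + (b >> 4), 0x41 + (b & 0x0F)))
    return bytes([32]) + bytes(out) + b"\x00"  # length, 32 encoded chars, terminator


def build_nbstat_request(txid=0x1337):
    """50-byte datagram: 12-byte header, encoded '*' name, QTYPE NBSTAT, QCLASS IN."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # flags 0 = query, 1 question
    return header + encode_name(WILDCARD_NAME) + struct.pack(">HH", NBSTAT, 0x0001)


def parse_nbstat_response(data):
    """Return the registered names (with suffix / group / active flags) and the MAC."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if not flags & 0x8000 or an != 1:
        raise ValueError("not a node-status response")
    off = 12 + 34  # skip RR_NAME (same 34-byte encoded form as the question)
    rtype, _rclass, _ttl, _rdlen = struct.unpack(">HHIH", data[off:off + 10])
    off += 10
    if rtype != NBSTAT:
        raise ValueError("unexpected RR type 0x%04x" % rtype)
    count = data[off]
    off += 1
    names = []
    for _ in range(count):  # each entry: 15-byte name, 1-byte suffix, 2-byte NAME_FLAGS
        raw, suffix = data[off:off + 15], data[off + 15]
        nflags = struct.unpack(">H", data[off + 16:off + 18])[0]
        names.append({"name": raw.rstrip(b" \x00").decode("latin-1"), "suffix": suffix,
                      "group": bool(nflags & 0x8000), "active": bool(nflags & 0x0400)})
        off += 18
    mac = ":".join("%02x" % b for b in data[off:off + 6])  # STATISTICS starts with UNIT_ID
    return {"txid": txid, "names": names, "mac": mac}


def summarize(parsed):
    """hostname = unique <00>, domain = group <00>, DC = registered the group <1C> name."""
    names = parsed["names"]

    def first(suffix, group):
        return next((n["name"] for n in names if n["suffix"] == suffix and n["group"] == group), None)

    return {"hostname": first(0x00, False), "domain": first(0x00, True),
            "domain_controller": first(0x1C, True) is not None, "mac": parsed["mac"]}


def query(host, timeout=2.0):
    """Ask a live host (not exercised offline)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(build_nbstat_request(), (host, 137))
        data, _ = s.recvfrom(4096)
    finally:
        s.close()
    return summarize(parse_nbstat_response(data))


def _entry(name, suffix, flags):
    return name.ljust(15).encode("ascii") + bytes([suffix]) + struct.pack(">H", flags)


def build_sample_response(txid=0x1337):
    """Constructed reply from a hypothetical DC: DC01<00>, DC01<20>, CORP<00> group, CORP<1C> group."""
    entries = (_entry("DC01", 0x00, 0x0400) + _entry("DC01", 0x20, 0x0400)
               + _entry("CORP", 0x00, 0x8400) + _entry("CORP", 0x1C, 0x8400))
    stats = bytes.fromhex("000c29aabbcc") + b"\x00" * 40  # MAC, then counters we ignore
    rdata = bytes([4]) + entries + stats
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)  # response, authoritative, 1 answer
    rr = encode_name(WILDCARD_NAME) + struct.pack(">HHIH", NBSTAT, 0x0001, 0, len(rdata))
    return header + rr + rdata


if __name__ == "__main__":
    print(summarize(parse_nbstat_response(build_sample_response())))
```

Usernames and shares are not in this reply; for those you move to SMB (null session, then RID cycling with rpcclient's lookupsids), but the <1C> name is how you spot the DCs before you ever touch 445.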
There was also heavy focus on privilege escalation and the many different ways to do it on Windows. Everything from DLL hijacking and local exploits (MS16-032) to command syntax for searching for cleartext passwords, PowerUp, and more was covered and demoed live. AV bypass was another central focus of the day, with a couple of lectures covering two tools in particular, Veil-Evasion and the Shellter Project, plus discussion of how to bypass the vendor-agnostic Antimalware Scan Interface (AMSI). There is an excellent write-up by the folks at Black Hills Information Security (BHIS) covering some of this as well. The infamous @mattifestation also tweeted out how to bypass AMSI in a single tweet.
Everyone loves pivoting and lateral movement deep inside a target network, and several techniques were discussed in class that I’ll definitely be using in future engagements myself. There was also a lot of attacking the Domain Controller to get at Active Directory; multiple techniques and tools were demoed, but there was no real mention of BloodHound. I was excited to see how other pentesters might be leveraging BloodHound in a mock environment, so I guess I’ll have to look for another training or con talk for that. I was happy to see a live demo of Golden and Silver tickets in a domain environment; that is cool to see every time, no matter how many times you’ve seen it. We even used Mimikatz to perform a DCSync 🙂
The third day was probably the day I wouldn’t have minded relaxing at the Mandalay Bay pool with a constant supply of mojitos being brought to me. This was the most disappointing day of the four: a lot of remedial review of Linux file structures and legacy services. I suppose it was good to hear about them and see them in action, because some of them I had never even used before. Anyone remember Finger? Well, the NotSoSecure folks argued that it is still relevant today, even showing that Shodan, as of July 14, 2017, reported 18k active devices with that service. How many of those are honeypots emulating the Finger service is another question, though. There was a very neat trick that leveraged multiple misconfigurations and attack types, including network file shares, enumerating users, writing Meterpreter payloads, creating mock users and files in a controlled environment, and then copying and executing them to get a limited shell and then root. There was a lot of discussion on privilege escalation too, using SUID files to gain an elevated EUID or UID. Of course, what Linux penetration testing training would be complete without mention of privilege escalation exploits like Dirty COW (CVE-2016-5195)?
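The SUID hunt described above is normally `find / -perm -4000 -type f 2>/dev/null`, and the real work is deciding which of the hits are stock and which are someone's custom helper. The script below is an added example for this post (not course material): it enumerates setuid/setgid files under a root and triages them against a short, assumed baseline of binaries that legitimately carry the bit; `demo()` builds a constructed tree in a temp directory so it runs without root on any box.

```python
"""Enumerate setuid/setgid files and triage them against a baseline.

Added example, not from the course. BASELINE is an assumed, deliberately short
list of names that carry the bit on a stock distro; the demo() tree is constructed.
"""
import os
import stat
import tempfile

BASELINE = {"passwd", "sudo", "su", "mount", "umount", "ping", "chsh", "chfn",
            "newgrp", "gpasswd", "pkexec", "fusermount", "wall", "write"}


def find_setuid(root, skip=("/proc", "/sys", "/dev")):
    """Return [(path, uid, mode)] for regular files with setuid or setgid set,
    the same set `find ROOT -perm /6000 -type f` prints."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath.startswith(skip):
            dirnames[:] = []  # don't descend into pseudo-filesystems
            continue
        for fn in filenames:
            p = os.path.join(dirpath, fn)
            try:
                st = os.lstat(p)  # lstat: a symlink's own mode never grants anything
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((p, st.st_uid, stat.S_IMODE(st.st_mode)))
    return hits


def triage(hits):
    """Split hits into baseline names living in a bin/sbin directory and everything else.
    Custom helpers, and baseline names in odd places (a setuid 'passwd' in /tmp), go second."""
    expected, suspicious = [], []
    for p, _uid, _mode in hits:
        if os.path.basename(p) in BASELINE and os.path.dirname(p).endswith(("/bin", "/sbin")):
            expected.append(p)
        else:
            suspicious.append(p)
    return expected, suspicious


def demo():
    """Build a constructed tree and return the triage result relative to its root."""
    root = tempfile.mkdtemp()
    files = {
        "usr/bin/passwd": 0o4755,        # stock setuid root
        "usr/bin/wall": 0o2755,          # stock setgid
        "usr/bin/ls": 0o755,             # no special bits, must not show up
        "opt/backup/bkhelper": 0o4755,   # custom setuid helper: first thing to reverse
        "tmp/.x/passwd": 0o4755,         # baseline name, wrong place: likely a left-behind backdoor
    }
    for rel, mode in files.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(p, mode)
    expected, suspicious = triage(find_setuid(root))
    rel = lambda paths: sorted(os.path.relpath(p, root) for p in paths)
    return {"expected": rel(expected), "suspicious": rel(suspicious)}


if __name__ == "__main__":
    print(demo())
    for p, uid, mode in find_setuid("/"):
        print(oct(mode), uid, p)
```

On the EUID/UID point from the lecture: a setuid-root binary runs with EUID 0 but the real UID unchanged, and bash drops the effective ID back to the real one unless started with -p, so a shell popped from a setuid helper usually needs `setuid(0)` (or `-p`) before it is a true root shell.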
There was a huge section on some extremely legacy services, though, which I thought could have been struck from the training: rservices. These services are so ancient that I remember reading about them in Linux administration books back in the late 90’s. Some of you reading this may be asking yourself what the hell rservices are; that’s exactly how old they are. Rservices include legacy services such as rexec, rlogin, and rsh, operating on TCP ports 512, 513, and 514 respectively. I believe they were released around the mid 1980’s, and they are very similar in nature to Telnet.
The fourth day was my favorite, as everything in it was brand new to me, aside from mild exposure to some of the technologies purely from a consumer standpoint. The Docker section was my favorite and started out with a lengthy, detailed discussion of what Docker is, how it’s used, and the attack scenario. The scenario essentially made use of everything we had learned previously in the Linux demos and labs. By chaining a misconfiguration with a few other lateral movements, it was possible to break out of Docker and move between the containers. There is a pretty nifty video that details some of that by the NotSoSecure folks too.
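The post does not say which misconfiguration the lab chained, so as an added example (mine, not the course's scenario) here is the first thing to run once you land in a container shell: a check for the three misconfigurations that most often start a breakout chain, a mounted Docker socket, dangerous capabilities in CapEff, and a host block device mounted inside. Every path is read under a `root` argument so the checks can be run against a constructed tree; the capability bit numbers are from linux/capability.h and the default Docker capability mask is the stock value.

```python
"""Container breakout indicators: docker.sock, dangerous capabilities, host disks.

Added example, not the course's lab. All paths are read under `root` so the
checks can be exercised against a constructed tree (see make_fake_root).
"""
import os
import tempfile

# Capability bit numbers from linux/capability.h that matter for escaping.
DANGEROUS_CAPS = {
    21: ("CAP_SYS_ADMIN", "mount(), cgroup release_agent and namespace tricks reach the host"),
    19: ("CAP_SYS_PTRACE", "with the host PID namespace you can inject into host processes"),
    16: ("CAP_SYS_MODULE", "load a kernel module into the shared host kernel"),
    2: ("CAP_DAC_READ_SEARCH", "open_by_handle_at() can read host files (the 'Shocker' bug)"),
}
DOCKER_DEFAULT_CAPEFF = 0x00000000A80425FB  # stock unprivileged container
IGNORED_MOUNTPOINTS = {"/", "/etc/resolv.conf", "/etc/hosts", "/etc/hostname"}  # Docker's own binds


def _read(root, rel):
    try:
        with open(os.path.join(root, rel)) as f:
            return f.read()
    except OSError:
        return ""


def in_container(root="/"):
    cgroup = _read(root, "proc/1/cgroup")
    return (os.path.exists(os.path.join(root, ".dockerenv"))
            or "/docker/" in cgroup or "kubepods" in cgroup)


def effective_caps(root="/"):
    """CapEff bitmask of the current process, parsed from /proc/self/status."""
    for line in _read(root, "proc/self/status").splitlines():
        if line.startswith("CapEff:"):
            return int(line.split()[1], 16)
    return 0


def breakout_indicators(root="/"):
    findings = []
    if os.path.exists(os.path.join(root, "var/run/docker.sock")):
        findings.append("docker.sock is mounted: the daemon will start a privileged "
                        "container with / bind-mounted for anyone who can talk to it")
    caps = effective_caps(root)
    for bit, (name, why) in sorted(DANGEROUS_CAPS.items()):
        if caps >> bit & 1:
            findings.append(f"{name} in CapEff: {why}")
    for line in _read(root, "proc/mounts").splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].startswith("/dev/") and parts[1] not in IGNORED_MOUNTPOINTS:
            findings.append(f"host block device {parts[0]} mounted at {parts[1]}: host filesystem reachable directly")
    return findings


def make_fake_root(privileged):
    """Constructed /proc and /var/run tree: a locked-down container, or a --privileged one with the socket and a host disk."""
    root = tempfile.mkdtemp()
    for d in ("proc/1", "proc/self", "var/run"):
        os.makedirs(os.path.join(root, d))
    with open(os.path.join(root, "proc/1/cgroup"), "w") as f:
        f.write("12:pids:/docker/0123abcd\n")
    capeff = 0x3FFFFFFFFF if privileged else DOCKER_DEFAULT_CAPEFF
    with open(os.path.join(root, "proc/self/status"), "w") as f:
        f.write("Name:\tsh\nCapEff:\t%016x\n" % capeff)
    mounts = "overlay / overlay rw 0 0\n/dev/sda1 /etc/resolv.conf ext4 rw 0 0\n"
    if privileged:
        mounts += "/dev/sda1 /host ext4 rw 0 0\n"
        open(os.path.join(root, "var/run/docker.sock"), "w").close()
    with open(os.path.join(root, "proc/mounts"), "w") as f:
        f.write(mounts)
    return root


if __name__ == "__main__":
    print("in container:", in_container())
    for finding in breakout_indicators() or ["nothing obvious; look at the other containers and the network next"]:
        print("-", finding)
```

None of these is a vulnerability in Docker itself; each is an operator choice (`-v /var/run/docker.sock`, `--privileged`, `--cap-add`, `-v /:/host`) that turns a container shell into a host shell, which is why the lab could chain plain Linux techniques into a breakout.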
The VPN section was really useful as well: we discussed the most popular types of VPN technologies and then dove right into a demo of exploiting IPsec by leveraging a weakness in the protocol.
The third and final section of the course was VoIP hacking, which was mostly made possible by using the SIPVicious tool suite. There are a lot of useful tools in this suite, including enumeration and cracking tools. We ended the day walking through a scenario where we enumerated SIP services, ran a brute-force tool against them, and then used a softphone, X-Lite, to register as a user with a password we had cracked.
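SIPVicious's svcrack guesses extension passwords online by sending REGISTER after REGISTER, which is noisy. The same MD5 digest that SIP borrows from HTTP (RFC 2617, carried in SIP per RFC 3261) can be attacked offline from a single captured Authorization header, since the header itself carries the nonce, realm, URI and response. The code below is an added example for this post, not part of SIPVicious; the captured header is constructed, and its password is known only because the example built it.

```python
"""Offline cracking of SIP Digest authentication from a captured Authorization header.

Added example, not SIPVicious code. SAMPLE_AUTHORIZATION is constructed.
"""
import hashlib
import re


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """The 'response' value a client sends. With qop the nonce count and client
    nonce are folded in; without qop it is the legacy form most PBXes still accept."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop:
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def parse_authorization(header):
    """Turn 'Digest username="1001", realm="asterisk", algorithm=MD5, ...' into a dict."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    return {k: v.strip().strip('"')
            for k, v in re.findall(r'(\w+)=("[^"]*"|[^,]+)', params)}


def crack_digest(header, method, wordlist):
    """First password in wordlist that reproduces the captured response, else None.
    `method` must be the request the header came from (REGISTER, INVITE, ...)."""
    p = parse_authorization(header)
    target = p["response"].lower()
    for candidate in wordlist:
        guess = digest_response(p["username"], p["realm"], candidate, method, p["uri"],
                                p["nonce"], p.get("qop"), p.get("nc"), p.get("cnonce"))
        if guess == target:
            return candidate
    return None


# Constructed capture: the Authorization header from extension 1001's REGISTER.
_KNOWN_PASSWORD = "1234"  # known only because this capture is fabricated
SAMPLE_AUTHORIZATION = (
    'Digest username="1001", realm="asterisk", nonce="4f9a1b2c6d3e", '
    'uri="sip:10.0.0.20", algorithm=MD5, response="%s"'
    % digest_response("1001", "asterisk", _KNOWN_PASSWORD, "REGISTER", "sip:10.0.0.20", "4f9a1b2c6d3e")
)

# Typical extension passwords: a few digits, the extension number, or a vendor default.
DEMO_WORDLIST = ["password", "1001", "0000", "1111", "1234", "secret"]


if __name__ == "__main__":
    print(parse_authorization(SAMPLE_AUTHORIZATION))
    print("cracked:", crack_digest(SAMPLE_AUTHORIZATION, "REGISTER", DEMO_WORDLIST))
```

Offline, each guess costs three MD5s, so even a phone's four-digit PIN space falls instantly; the point for the client is that MD5 digest without TLS (SIPS) or a strong secret is no protection against anyone who can see one REGISTER.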
By the end of the fourth day we had attacked and gained at least a limited shell on ten boxes, and root on many. Gaining root on the remaining ones is where the 30 days of lab access came into play. Every student had an additional 30 days of lab time after the course ended to review these concepts, redo the labs, and attempt to gain root on all boxes. I really enjoy that aspect of the course; unfortunately, the rest of the month is swamped for me, so finding time to do that will be difficult.
One thing the NotSoSecure folks did on a regular basis throughout this class was show how you can chain multiple attack types together to really get a foothold, and I appreciated that perspective. There were some remedial technologies and attacks taught in this course, but I think that was mainly the instructor attempting to keep 150+ students all on the same page. Overall, I’d recommend this course to others, as I found it interesting, fun to whack some boxes using non-traditional approaches, and I learned a few new things in the process.
The live demos were fantastic, and Anant must have prayed to the demo gods like crazy beforehand because they all went flawlessly. A live demo does have its downsides, though: there was a lot that he taught in these quick demos that I would like to review again and that is not found in the 341 slides of the main deck. I wish Anant had recorded or pre-recorded the demos as videos and handed those out to the students afterwards. I will say, though, that the answer sheets given out after the course are incredibly detailed walkthroughs of the labs/demos Anant went over, so that is worth something.