THE INFOSEC REVIVAL
Why owning a typical network is so easy, and how to build a secure one
Matt Weeks
scriptjunkie.us · @scriptjunkie1
OUTLINE
The Evil That Threatens Us
Network Defenses
Host Defenses
THE EVIL THAT THREATENS US
Network Intrusion Playbook
LEVELS OF ACCESS
• Limited User
• Local Admin
• Lateral Movement
• Domain Admin
• Internal Network
• Internal Server
INITIAL ACCESS
[Attack graph: Start → initial-access vector → first foothold]
• External server exploit: web/SQLi/password
• Client-side exploit: Java, PDF, Office, browser
• Social engineering via email/browser
• Physical items: thumb drives/CDs (autorun/link/EXE), HID-spoofing USB devices
• Physical access
• Supply-chain compromise
Footholds reached: Internal Network, Internal Server, Limited User, Local Admin
LIMITED USER EXPANSION
[Attack graph: Limited User → Local Admin → Lateral Movement]
Limited User → Local Admin:
• Weak file/service/registry permissions
• Find plaintext passwords in scripts/registry
• Local exploit – win32k, ntvdm…
• Guess/bruteforce local admin password
• Find system current user is local admin on
→ Lateral Movement:
• Internal server-side exploit – SMB, PXE attacks
• Spread links via shares, email; relay NTLM or crack NTLM password
• Shares: DLL preloading, shortcut hijacks…
• Dump local hashes, re-use local admin accounts
LOCAL ADMIN TO DA
[Attack graph: Local Admin → Domain Admin]
• Hijack active domain logon: dump wdigest/tspkg-cached password
• Hijack active domain logon: steal token/hash/ticket
• Find plain-text password in scripts/registry
• Keylog admin password
• Crack domain cached credentials
• Deobfuscate LSA Secrets, saved passwords
INTERNAL NETWORK/SERVER ATTACKS
[Attack graph: Internal Network/Server → Local Admin, Internal Server, Local User, Domain Admin]
• Internal server-side exploits, PXE attacks → Local Admin
• Internal web attack, guessed password → Internal Server
• Internal client-side attacks, including ARP poisoning, WPAD → Local User
• Domain Admin
COMBINED
[Attack graph: the initial-access, limited-user expansion, local-admin-to-DA and internal-network slides on one graph]
Start: External server attack; Client-side exploit; Social engineering; Physical item drop; Physical access; Supply-chain compromise → Internal Network, Internal Server, Limited User
Limited User → Local Admin: Weak permissions; Find plaintext passwords; Local exploit; Guess local admin password; Find system current user is local admin on
→ Lateral Movement: Internal server-side exploit; Relay/crack NTLM; Attacks through shares; Pass local hashes
Local Admin → Domain Admin: Dump cached active password; Hijack token, hash, ticket; Find plain-text password; Keylog password; Crack domain cached credentials; Deobfuscate LSA Secrets
Internal Network/Server: Internal server attacks; Internal client-side attacks
COMMUNICATION
Direct IPs
Dynamic DNS/registered domains
FTP/HTTP/HTTPS…
DNS exfil
Shares
Tor
USB drives
Webmail/data sharing sites
Compromised sites
AIR GAP
“The only way to completely secure your computer is to
disconnect it from the internet” – UC San Diego
Still not completely secure, but still the gold standard
Tight physical/personnel security
Prevent USB drives (disable USB drivers)
Everything without air-gap, isolate as much as possible
DEFAULT ALLOW IS EVIL!
Isolate workstations
• No direct connections out
• Whitelist DNS
• Whitelist HTTP by proxy
• Block social networking/file sharing
• Block inter-workstation/ARP-spoofing
Isolate servers, admin accounts
• Stricter whitelist out
• DMZ for internet-accessible servers
COMMUNICATION
[Two-column slide: attacker communication channel – control that addresses it]
• Direct IPs – Firewall; no direct connections out
• Dynamic DNS/registered domains – Whitelist/categorical block
• FTP/HTTP/HTTPS… – Whitelist/firewall policy
• DNS exfil – DNS whitelist
• Shares – Firewalls/segmentation
• Tor – Firewall/Whitelist
• USB drives – USB-disabling, user education
• Webmail/data sharing sites – Categorical block (sorry!)
• Compromised sites
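The workstation isolation policy above, expressed as Windows Firewall rules; this is an added example, not the talk's own material. It assumes a web proxy, internal resolvers, domain controllers, a peer-workstation subnet and one admin jump host, all with placeholder addresses and ports.

```powershell
# Added example, not from the talk: a workstation egress whitelist as Windows Firewall
# rules. Every address and port below is a placeholder for the real environment.
$Proxy             = '10.0.0.10'                  # HTTP proxy; the only path to the web
$ProxyPort         = '8080'
$DnsServers        = @('10.0.0.2', '10.0.0.3')    # the whitelisting resolvers
$DomainControllers = @('10.0.0.1')                # Kerberos/LDAP/SMB for GPO still needed
$WorkstationSubnet = '10.0.1.0/24'                # peer workstations
$AdminJumpHost     = '10.0.0.50'                  # the one inbound source allowed

# 1. Default deny in both directions on every profile. The built-in "Core Networking"
#    allow rules (DHCP, ICMPv6...) remain; everything else now needs an explicit rule.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# 2. Outbound: proxy, DNS and the domain controllers only. Direct IPs, dynamic DNS
#    names, Tor and raw FTP/HTTP(S) all land in the default block. (Add a TCP/53 rule
#    if large DNS responses are expected.)
New-NetFirewallRule -DisplayName 'Egress: web proxy' -Direction Outbound -Action Allow `
    -Protocol TCP -RemoteAddress $Proxy -RemotePort $ProxyPort
New-NetFirewallRule -DisplayName 'Egress: internal DNS' -Direction Outbound -Action Allow `
    -Protocol UDP -RemoteAddress $DnsServers -RemotePort 53
New-NetFirewallRule -DisplayName 'Egress: domain controllers' -Direction Outbound -Action Allow `
    -RemoteAddress $DomainControllers

# 3. No workstation-to-workstation IP traffic (share-based spreading, NTLM relay between
#    peers). Block rules win over allow rules, so the jump host is allowed by an address
#    outside the blocked subnet rather than as an exception inside it. ARP spoofing is
#    below IP and needs switch-side controls, not a host firewall.
New-NetFirewallRule -DisplayName 'Block peer workstations (in)' -Direction Inbound -Action Block `
    -RemoteAddress $WorkstationSubnet
New-NetFirewallRule -DisplayName 'Block peer workstations (out)' -Direction Outbound -Action Block `
    -RemoteAddress $WorkstationSubnet
New-NetFirewallRule -DisplayName 'Admin jump host: RDP/WinRM (in)' -Direction Inbound -Action Allow `
    -Protocol TCP -RemoteAddress $AdminJumpHost -LocalPort 3389,5985

Get-NetFirewallRule -DisplayName 'Egress:*','Block peer*','Admin jump*' |
    Format-Table DisplayName, Direction, Action -AutoSize
```

Run elevated and pilot on one host first: with default-deny outbound, anything not listed (update servers, the proxy PAC file, license activation) stops working until it is whitelisted.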
CONTROL THE HOSTS
Disable common social engineering vectors
• Java
• Office Macros
Stop privilege escalation
• Automate permissions checks
• Prevent remote local account logins
Never allow passwords
16 PASSWORD EVILS!
Admins leave passwords in shared drives & scripts
Can be dumped from memory
Can be keylogged
Can be guessed
Everybody reuses them
Hard to remember
Persistence without malware
Social engineering
Passing-the-hash
Pot of gold hash dumps
Easy lockouts or online brute force
NTLM relay
NTLM auth and cached credential offline cracking
Painful post-attack cleanup (reset every password)
NEVER ALLOW PASSWORDS
Force smart card logon for all users
Force Kerberos by denying all incoming NTLM
Deny network, RDP logon to any non-smart card local or service accounts
Auto-rotate krbtgt, machine account passwords every few days
For extra credit
• Disable secondary logon service to prevent password-privesc
• Require SMB signing to address MITM attacks
• Set low maximum machine account password age to address computer creds
Results – solves all 15 problems
NEVER ALLOW PASSWORDS
Prevents passing-the-hash; hashes are not used
No hash/private credential database to steal in bulk
Private keys cannot be stolen, dumped from memory or keylogged
Can’t re-use, choose bad passwords, or give them to online social engineers
Don’t need to worry about lockouts or on/offline brute force or NTLM relay
Attackers cannot stealthily maintain access without malware
Admins cannot leave passwords in shared drives or scripts
Only active logons can be hijacked – temporarily
Easier on users’ memory and easy to clean up from!
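An added read-only audit (my example, not the speaker's) that checks a host against the settings the slides above call for, by reading the registry values those Group Policy settings write and the state of the Secondary Logon service. The 7-day machine-account age is an assumed threshold; the WDigest check is included because the talk lists dumping wdigest-cached passwords as an attack.

```powershell
# Added example, not from the talk: audit the host-side "never allow passwords" settings.
# Expected values are the documented registry values behind each policy; the 7-day
# machine-account password age is an assumed threshold ("every few days").
function Get-RegistryValueOrNull($Path, $Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# Each check: label, where the policy lands in the registry, and a predicate on the value.
$Checks = @(
    @{ Name = 'Interactive logon: require smart card (scforceoption = 1)'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Value = 'scforceoption'; Test = { param($v) $v -eq 1 } }
    @{ Name = 'Restrict NTLM: incoming NTLM traffic (2 = deny all accounts)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Value = 'RestrictReceivingNTLMTraffic'; Test = { param($v) $v -eq 2 } }
    @{ Name = 'SMB server: require security signature'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value = 'RequireSecuritySignature'; Test = { param($v) $v -eq 1 } }
    @{ Name = 'SMB client: require security signature'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Value = 'RequireSecuritySignature'; Test = { param($v) $v -eq 1 } }
    @{ Name = 'Netlogon: machine account password max age in days (assumed <= 7)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Value = 'MaximumPasswordAge'; Test = { param($v) ($null -ne $v) -and ($v -le 7) } }
    @{ Name = 'WDigest: no plaintext logon credential kept in LSASS (UseLogonCredential = 0)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
       Value = 'UseLogonCredential'; Test = { param($v) $v -eq 0 } }
)

$Results = foreach ($c in $Checks) {
    $actual  = Get-RegistryValueOrNull $c.Path $c.Value
    $display = if ($null -eq $actual) { '(not set)' } else { $actual }
    [pscustomobject]@{ Setting = $c.Name; Actual = $display; Pass = [bool](& $c.Test $actual) }
}

# The Secondary Logon service is a service, not a registry policy: it must be disabled
# so a limited user cannot run something as a password-entered admin account.
$seclogon = Get-Service -Name seclogon -ErrorAction SilentlyContinue
$seclogonState = if ($seclogon) { $seclogon.StartType } else { '(absent)' }
$Results += [pscustomobject]@{
    Setting = 'Secondary Logon service (seclogon) disabled'
    Actual  = $seclogonState
    Pass    = ($null -eq $seclogon) -or ($seclogon.StartType -eq 'Disabled')
}
$Results | Format-Table -AutoSize
```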
MANDATORY SMART CARD, KERBEROS
[Diagram: the COMBINED attack graph shown again, marking the paths that mandatory smart card logon and Kerberos remove]
SECURID EVILS!
RSA server holds all passwords and seeds
On login, password is given to Windows; everything else is the same
Hash, pass can be dumped from memory
Social engineering (MITM - time limited)
Passing-the-hash
Pot of gold - hash dumps, passwords, seeds
NTLM relay
Very painful post-compromise cleanup (replace all tokens)
Does fix user-chosen or re-used passwords
ISOLATING ADMINS
Assign dedicated admin workstations
Restrict inbound workstation connections to remote admin sources
Block admin accounts from internet and email
Restrict privileged accounts from authenticating to lower trust systems
Mark privileged accounts as “sensitive and cannot be delegated”
Use remote management tools that do not place reusable credentials on a
remote computer's memory
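An added audit for the account-level controls on this slide and the NEVER ALLOW PASSWORDS slide (my example, not the speaker's): which enabled users are not forced to smart card logon, which privileged accounts are not marked "sensitive and cannot be delegated", and how old the krbtgt password is. It assumes the ActiveDirectory module; the privileged-group list and the 7-day krbtgt limit are assumptions.

```powershell
# Added example, not from the talk: AD-side audit of smart-card enforcement,
# admin delegation flags and krbtgt rotation. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators')  # assumption
$KrbtgtMaxAgeDays = 7                                                            # assumption

# userAccountControl bits (documented flag values)
$UF_SMARTCARD_REQUIRED = 0x40000
$UF_NOT_DELEGATED      = 0x100000

# 1. Enabled users who can still log on with a password: "smart card required" not set.
$PasswordUsers = Get-ADUser -Filter 'Enabled -eq $true' -Properties userAccountControl |
    Where-Object { -not ($_.userAccountControl -band $UF_SMARTCARD_REQUIRED) } |
    Select-Object SamAccountName, DistinguishedName

# 2. Members of privileged groups (recursive) not marked "sensitive and cannot be delegated".
$PrivilegedUsers = $PrivilegedGroups |
    ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
    Where-Object objectClass -eq 'user' | Sort-Object SamAccountName -Unique
$DelegatableAdmins = $PrivilegedUsers |
    ForEach-Object { Get-ADUser -Identity $_.SamAccountName -Properties userAccountControl } |
    Where-Object { -not ($_.userAccountControl -band $UF_NOT_DELEGATED) } |
    Select-Object SamAccountName

# 3. krbtgt password age: rotating it is what limits how long a stolen ticket or hash stays useful.
$Krbtgt        = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
$KrbtgtAgeDays = [int]((Get-Date) - $Krbtgt.PasswordLastSet).TotalDays
$KrbtgtStatus  = if ($KrbtgtAgeDays -le $KrbtgtMaxAgeDays) { 'OK' } else { 'ROTATE' }

"Enabled accounts without 'smart card required': $($PasswordUsers.Count)"
$PasswordUsers | Format-Table -AutoSize
"Privileged accounts that can still be delegated: $($DelegatableAdmins.Count)"
$DelegatableAdmins | Format-Table -AutoSize
"krbtgt password age: $KrbtgtAgeDays days (assumed limit $KrbtgtMaxAgeDays): $KrbtgtStatus"
```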
REMOTE MANAGEMENT
Stealable:
• Remote desktop (unless Windows 8.1 Restricted Admin)
• Physical console logon
• Batch logon (scheduled tasks when not S4U)
• Service logon
• NetworkClearText/Basic authentication
• RUNAS
• Powershell WinRM with -Authentication Credssp or -Credential
Non-stealable (use these instead):
• Net use/file shares
• Remote registry
• Remote service control manager
• MMC snap-ins
• Powershell WinRM without -Authentication Credssp or -Credential
• Psexec without explicit creds
• IIS integrated Windows authentication
• Intel AMT with Kerberos
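The two columns above correspond to Security event 4624 logon types, which turns the table into a detection rule: a privileged account seen with a "stealable" logon type on a machine that is not its admin workstation has just left reusable credentials there. Added example, not from the talk; the admin account names are placeholders.

```powershell
# Added example, not from the talk: flag privileged logons of a type that leaves
# reusable credentials in LSASS, from this host's Security log. Names are placeholders.
$PrivilegedAccounts = @('DOMAIN\adm-alice', 'DOMAIN\adm-bob')

# Logon types matching the "stealable" column. Type 3 (Network: net use, remote registry,
# SCM, WinRM with Kerberos, PsExec without explicit creds) is left out on purpose.
# Restricted Admin RDP still logs as type 10, so treat those hosts as a known exception.
$StealableLogonTypes = @{
    2  = 'Interactive (console)'; 4 = 'Batch (scheduled task)'; 5 = 'Service'
    8  = 'NetworkCleartext (Basic auth)'; 9 = 'NewCredentials (RunAs)'
    10 = 'RemoteInteractive (RDP)'; 11 = 'CachedInteractive'
}

function Get-StealableAdminLogons {
    param([string[]]$Admins, [datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } `
        -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the EventData name/value pairs out of the event XML.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $account = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
        $type    = [int]$d['LogonType']
        if (($Admins -contains $account) -and $StealableLogonTypes.ContainsKey($type)) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Account   = $account
                LogonType = "$type $($StealableLogonTypes[$type])"
                Source    = $d['IpAddress']
                Process   = $d['ProcessName']
            }
        }
    }
}

Get-StealableAdminLogons -Admins $PrivilegedAccounts | Format-Table -AutoSize
```

Run it on ordinary workstations and servers, not on the dedicated admin workstations, where these logon types are expected.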
No remote desktop?
But wait!
There is another way!
Secure RDP with temporary account
Video
EXPLOITS
“The bottom line is the way that we keep people out ... I don't care
who hacks my system if they can't get in - let's make it hard for them to
get in. And the way you do that is by eliminating software
vulnerabilities” – a well-known exploit developer
“Too much of the debate begins and ends with the perpetrators and
the victims of cyberattacks, and not enough is focused on the real
problem: the insecure software or technology that allows such attacks
to succeed.” – New York Times Op-Ed, 4 April 2013
IF EXPLOITS NEVER EXISTED
[Diagram: the COMBINED attack graph shown again, marking the paths that disappear if no exploits existed]
FIGHTING EXPLOITS
Secure webapps
• Write security into contract for custom apps
• Do not accept source-code-less apps without audit
• Scan/bugfix regularly
Force exploit mitigations
• Mandatory DEP, ASLR
• EMET SEHOP…
Patch in priority
Put vulnerable apps in VM isolation
VM ISOLATION
Virtual Machines > other sandboxes
• Hypervisor attack surface < kernel attack surface
• VM escapes have required guest LPE first; added barrier
Implementation:
• Commercial – Invincea/Spikes AirGap
• Free - Qubes
• VMware view client
• Citrix
• Roll-your-own with hypervisor/VNC
VM ISOLATION
Requirements
• Restrict network access
• Prevent host code execution
• Deny access to sensitive host files
Document VM with no internet access
• PDF reader, Office
• Stops exploits and social engineering
Browser VM
• Stronger sandbox
• VM needs internet access
Demo
VM ISOLATION
[Diagram: the COMBINED attack graph shown again, marking the paths that VM isolation removes]
FILE SHARES ARE EVIL!
Executable planting
DLL Preloading
Shortcut hijacking
Script infecting
Do not use open Windows shares
Use a CMS
Disable WebDAV
Per-user home drives still OK
Admin-writable-only drives still OK
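An added example (mine, not the speaker's) that finds the shares this slide warns about: shares where Everyone, Authenticated Users, Users or Domain Users can write at both the share and the NTFS level, which is exactly what executable planting, DLL preloading and shortcut hijacking need. Admin-writable-only shares pass; per-user home drives are excluded by an assumed name pattern.

```powershell
# Added example, not from the talk: list shares on this host that broad groups can write to.
$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users',
                     "$env:USERDOMAIN\Domain Users")   # assumes the script runs as a domain user
$HomeDrivePattern = '^(home|users?)\$?$'              # assumption: how home shares are named here

# NTFS bits that let a caller create or replace files/folders (CreateFiles/CreateDirectories
# are the same bits as WriteData/AppendData). Modify and FullControl include them.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData'

function Get-BroadlyWritableShares {
    # Skip the administrative shares (ADMIN$, C$, IPC$) and shares with no path.
    $shares = Get-SmbShare | Where-Object { $_.Path -and $_.Name -notmatch '\$$' }
    foreach ($share in $shares) {
        if ($share.Name -match $HomeDrivePattern) { continue }
        # Effective write requires write at BOTH the share ACL and the NTFS ACL.
        $shareWriters = Get-SmbShareAccess -Name $share.Name | Where-Object {
            $_.AccessControlType -eq 'Allow' -and $_.AccessRight -in 'Change', 'Full' -and
            $_.AccountName -in $BroadPrincipals
        }
        if (-not $shareWriters) { continue }
        $ntfsWriters = (Get-Acl -Path $share.Path).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -in $BroadPrincipals -and
            (([int]$_.FileSystemRights -band $WriteMask) -ne 0)
        }
        foreach ($ace in $ntfsWriters) {
            [pscustomobject]@{
                Share        = $share.Name
                Path         = $share.Path
                NtfsWriter   = $ace.IdentityReference.Value
                NtfsRights   = $ace.FileSystemRights
                ShareWriters = ($shareWriters.AccountName -join ', ')
            }
        }
    }
}

Get-BroadlyWritableShares | Format-Table -AutoSize
```

Anything this lists should become read-only for those groups (or move into a CMS, as the slide suggests); an empty result means only admins and individual owners can write.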
CODE WHITELISTING
Effective against some exploits, much malware, persistence
Bit9/Kaspersky/AppLocker… whitelists
Lock down powershell
Whitelist vbscript/javascript
Whitelist batch scripts
Whitelist Java
Block VBA macros
SUMMARY
Air-gap what you can
Whitelist everything
Kill passwords, NTLM; use smart cards, Kerberos
Don’t leave creds lying all around your network
Use strong mitigations
Put your programs in isolated VMs
Don’t use Windows shared folders
THE END
[Diagram: the COMBINED attack graph shown a final time with all of the talk's defenses applied]
QUESTIONS
BACKUP SLIDES
STRATEGY
Investment – A little up front saves a lot of pain later
Default deny – Known good > enumerating badness
Hunt – Take initiative
• Attackers win when they know what to avoid and take initiative
• Every detection can be avoided, every avoidance can be detected
• Proactively look for compromise with new indicators
Economics
• No security measure is 100% - every one can be bypassed
• Weigh costs and benefits
Detect/respond – Use full kill chain
• Attackers have habits and are lazy; cannot reinvent world for every intrusion
• Detect and respond at every point
KILL CHAIN
Recon
• Web analytics
Weaponize
• NIDS/NIPS
Deliver
• Awareness
• Filters
• AV
Exploit
• HIDS
• Mitigations
Install
• HIDS
• AV
Control
• NIDS
• Firewalls
• DNS analysis
Actions
• Logs
• Honeypot