Perform local reconnaissance/discovery

Mohan reddy
Redteam & Blueteam Series
6 min read · May 3, 2020

Local reconnaissance is performed to understand the compromised system and the internal network. The results guide the attackers' subsequent operations toward their objective. For example, if Windows Active Directory is implemented, the attacker group can use the user or system credentials obtained during the initial compromise to query the domain controllers, the central systems used for authentication, and so on. Information such as (privileged) user groups, password complexity requirements, access rights, open network shares, trust relationships with other domains, and the application portfolio can be determined this way.

Performing local reconnaissance on internal systems and network reconnaissance on the internal network both fall under the same group, since their main objective is to gather adequate information about the internal organization structure. Internal reconnaissance is also referred to as post-exploitation reconnaissance.

Red Team: Attack vectors and Techniques

1. Credential harvesting / stealing authentication tokens

Passwords are a very important aspect of information security. Before approaching them, let's understand how they are stored and how they are used. On Windows, password hashes are loaded into the Local Security Authority Subsystem Service (LSASS). LSASS runs as the executable %SystemRoot%\System32\Lsass.exe and is responsible for user authentication, among other things. On Linux, Kerberos tickets are stored in credential caches.

It is important to note that dumping password hashes from the Windows SAM database or from memory requires administrative privileges.

Password attacks, such as password guessing (online attack) or password cracking (offline attack), are time-consuming. Tools that make use of precomputed hashes greatly reduce the time needed to obtain passwords.

Process-based attack: LSASS constantly communicates with a database file on the file system called NTDS.dit. This is the database that Active Directory syncs its information to, usually about every five minutes, which means that all the usernames and password hashes are stored in NTDS.dit (on the C volume). Utilize the Volume Shadow Copy Service (VSS), the Windows backup service driven by VSSADMIN.EXE: invoke VSS to back up the C volume, then use tools like NTDS Extract to find the usernames and hashes. VSS is OFF by default on Windows Server and raises an alert when turned ON.

1a) Pass the hash (PtH): the most used and most successful technique, wherein you first grab the credentials (NTLM hashes), either using frameworks or tools like procdump, and use them later on. This attack is usually directed against Windows systems; however, such hashes can also be found in other systems, for example vulnerable web applications. In Windows, the pass-the-hash attack depends on the Single Sign-On (SSO) functionality in authentication protocols like NTLM and Kerberos.

Attack Scenario

Kerberos ticket: a Kerberos ticket is a certificate issued by an authentication server and encrypted using the server key. Utilise mimikatz.exe to get all the Kerberos tickets.

1b) Pass the ticket: similar to PtH, but instead of using hashes to request a ticket, the ticket itself is stolen and used to authenticate as its owner.

It is a method of authenticating to a system using Kerberos tickets without having access to an account's password, and a well-known method of impersonating users on an AD domain.

Kerberos authentication can be used as the first step of lateral movement to a remote system. Common tools:

  • Metasploit hashdump/Psexec module
  • Pshtoolkit
  • Impacket
  • Mimikatz
  • Rubeus

2. Common local targets: use scripts (PowerShell, VBS, BAT, shell) to speed up operational tasks. This saves your time and also helps with defense evasion, because the scripts interact directly with the OS at the API level instead of calling other programs.

2a) OS, domain, network information: an adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, architecture and network shares. Once this is explored, he uses that information to decide whether to fully infect the target and/or attempt specific actions.

Version reconnaissance
  • If it is a cloud platform, perform asset discovery and identify servers, virtual machines and software (for example, if it is AWS).
  • Check the log file C:\Windows\debug\NetSetup.LOG to figure out the name of the domain controller.

2b) Users & groups: attempt to identify the primary user and the currently logged-on user, cached Kerberos tickets, and the local and domain accounts and their privileges.

User info reconnaissance

Get account names and whether each account's password is set to expire:

WMIC UserAccount GET name,PasswordExpires /Value

Enumerate domain trusts with the Windows utility Nltest.

2c) Cache & Logs -

  • The credential cache file holds Kerberos protocol credentials (for example, tickets, session keys, and other identifying information).
  • Check the bash history and exported variable values; you can often find sensitive details there that are helpful for privilege escalation.

Eg: the HTB Traceback challenge has a script for privilege escalation referenced in the bash_history file.

2d) Services and processes: the information obtained can be used to gain an understanding of the common software running on systems and the registered services within the network.

wmic path win32_process get name,commandline /format:list

Tasklist /v

Tasklist /svc

SC query

Look for any Sysinternals tools already present and make use of them; they help you perform actions faster.

2e) Installed apps: this is a core part of identifying whether there are defensive tools/software and configurations such as secure group policies and firewall rules. Thereafter you adapt your approach based on the result. For example, if you find an old, exploitable version of Internet Explorer, you will concentrate on obtaining a remote shell, and it can reveal personal information (banking sites, social media account details).

wmic product list full #list all the installed software

2f) Files & registry:

  • Enumerate the Windows Registry to gather information about the system, its configuration and installed software, and values such as audit settings, virtualization artifacts, and the registered mail, browser and instant-messaging clients.
  • Enumerate files and directories, or search specific locations of a host or network share for certain information within the file system.

Eg: AutoIt malware searches for the following extensions: .doc, .pdf, .csv, .ppt, .docx, .pst, .xls, .xlsx, .pptx, .zip, .mp4 and .jpeg. Consider the case where your organization's VPN document is stored on disk.

Finally, if you have an interactive desktop session on the compromised system, either via RDP or because you are simulating an insider threat during a pentest and have been given a company laptop, use MMC snap-ins to enumerate local users and local groups, services, scheduled tasks, and SMB shares and sessions on the system.

lusrmgr.msc #windows

BLUE TEAM: Detective and Preventive Controls

Monitor processes and command-line arguments for actions that could be taken to gather system and network information.

Endpoint Level:

1. Purchase threat detection & prevention tools: installing AV tools reduces the chance of a machine getting compromised, and if it unfortunately happens anyway, at least the compromise will be detected so that we can perform the necessary remediation actions.

2. Implementing secure group policies, such as: a) disallow removable media, b) restrict software installations, c) follow the principle of least privilege, d) control access to CMD, e) disable the guest account, f) password length, g) password age limit, h) disable anonymous SID enumeration in AD, i) moderate access to the control panel. I have mentioned just a few, but there are many policies an organization can implement.

3. Installing security patches (Microsoft releases security patches once every month, and core security patches for any 0-day exploits ASAP).

4. Configuring AppLocker, and whitelisting and blacklisting applications based on the organization's dependencies.

5. Implementing a SIEM in the organization, integrating it with other threat detection sources and monitoring the resulting alerts. (If possible, forward Sysmon events to the SIEM and monitor the above-mentioned registry keys for any violation.)
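As a concrete form of the process and command-line monitoring recommended in this section (and of the Sysmon-to-SIEM feed in item 5), here is an added detection example that is not part of the original post: it scans constructed Sysmon Event ID 1 (process creation) records for the discovery commands listed in the red team section and raises an alert when one host/user runs three or more distinct discovery categories within ten minutes, so a single routine inventory query does not fire. The field names UtcTime, Computer, User and CommandLine are Sysmon's own; the thresholds, the regular expressions and the sample events are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery indicators, keyed by what they reveal, matched against the
# lower-cased CommandLine field of each Sysmon Event ID 1 record.
DISCOVERY_PATTERNS = {
    "account_enum":  re.compile(r"\bwmic\b.*\buseraccount\b|\bnet\s+user\b"),
    "trust_enum":    re.compile(r"\bnltest\b.*/(domain_trusts|dclist)"),
    "process_enum":  re.compile(r"\btasklist\b|\bwmic\b.*\bwin32_process\b"),
    "service_enum":  re.compile(r"\bsc\b\s+query|\btasklist\b.*/svc"),
    "software_enum": re.compile(r"\bwmic\b.*\bproduct\b"),
}

def classify(command_line):
    """Return the set of discovery categories a command line matches."""
    cl = command_line.lower()
    return {name for name, pat in DISCOVERY_PATTERNS.items() if pat.search(cl)}

def detect_discovery_bursts(events, window_minutes=10, min_categories=3):
    """Return (Computer, User, categories) for each principal that ran at least
    min_categories distinct discovery categories within window_minutes."""
    seen = defaultdict(list)          # (computer, user) -> [(time, category)]
    alerts, alerted = [], set()
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        cats = classify(ev["CommandLine"])
        if not cats:
            continue
        key = (ev["Computer"], ev["User"])
        ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
        cutoff = ts - timedelta(minutes=window_minutes)
        # keep only sightings inside the sliding window, then add this one
        seen[key] = [(t, c) for t, c in seen[key] if t >= cutoff]
        seen[key] += [(ts, c) for c in cats]
        distinct = {c for _, c in seen[key]}
        if len(distinct) >= min_categories and key not in alerted:
            alerted.add(key)
            alerts.append((key[0], key[1], sorted(distinct)))
    return alerts

def _ev(time, computer, user, command_line):   # builder for the constructed sample
    return {"UtcTime": time, "Computer": computer, "User": user, "CommandLine": command_line}
# Constructed sample (not real telemetry): one routine inventory query on WS01,
# then a principal on WS07 chaining commands from this post within two minutes.
SAMPLE_EVENTS = [
    _ev("2020-05-03 09:00:05", "WS01", "CORP\\helpdesk", "wmic product list full"),
    _ev("2020-05-03 09:12:10", "WS07", "CORP\\jdoe", "WMIC UserAccount GET name,PasswordExpires /Value"),
    _ev("2020-05-03 09:12:31", "WS07", "CORP\\jdoe", "nltest /domain_trusts"),
    _ev("2020-05-03 09:13:02", "WS07", "CORP\\jdoe", "tasklist /svc"),
]
```

Calling detect_discovery_bursts(SAMPLE_EVENTS) returns one alert for CORP\jdoe on WS07 and nothing for the helpdesk inventory query; in a real deployment the events would come from the SIEM's Sysmon feed.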

Network Level:

1. Monitoring at the network level can be used to detect systems communicating with a C2 server.

2. Implementing network segregation: segregating sensitive data and systems to make them more difficult to access.

3. Web Filtering (github).

4. The session key is used to identify a user and to encrypt the information sent across the network. An empty session key is one indicator of a pass-the-hash attack.

Process level:

1. Preparation is the key to effective identification and response. Training end users at regular intervals and providing awareness of cyberattacks can help protect the organization against them.

2. Train staff on the latest security threats and security tools.
