

Presentation transcript: Adrian Crenshaw (Irongeek.com)

1 http://Irongeek.com Adrian Crenshaw

2
- I run Irongeek.com
- I have an interest in InfoSec education
- I don’t know everything - I’m just a geek with time on my hands
- Sr. Information Security Consultant at TrustedSec
- Co-Founder of Derbycon http://www.derbycon.com
- Twitter: @Irongeek_ADC

3
- Skydogcon wanted something basic, decided to use it at Hack3rcon too
- Who cares about Domain Admin if you can get the data without it
- Ok, my ego cares, but…
- Get the data
- Trojan the EXEs
- Add your SSH keys
- Vulnerabilities get patched, common configuration mistakes last forever
- Everybody screws it up

4
- Server Message Block Protocol
- Evolved into Common Internet File System (CIFS)
- Communicates over
  - 445/TCP, or
  - 137/UDP, 138/UDP, & 137/TCP, 139/TCP, or
  - NetBEUI
- Also supports Inter-Process Communication (IPC) named pipes

5
- Invented by IBM
- Microsoft used it in LAN Manager, its answer to Novell Netware
- Samba uses it in *nix environments
- Changed over the years: SMB 2, SMB 2.1, SMB 3.0, SMB 3.02

6 (no transcribed text)

7
- Windows 2000 & XP

8 (no transcribed text)

9
- Windows NT 4/2000: the Anonymous security identifier (SID) was part of the Everyone metagroup
- Windows XP forward, it is not; you must be authenticated
- Homegroup?
- Share-level vs NTFS permissions
- What version of Windows?
- Authenticate with Microsoft account?

10
- A $ suffix hides the share from built-in Windows tools, but not from others
- Admins think it does
- Not the same as Samba’s browseable=no setting
- About the same thing as not broadcasting your SSID

11
- How easy is it to integrate with current authentication?
- Samba
- AS/400
- OS X
- SOHO NAS

12 (no transcribed text)

13
- Anonymous
- Local hash (WCE or built in to the tool)
- Null sessions
  1. nslookup domainname
  2. enum4linux -a someip > enum4linux-a.txt
  3. grep "Domain Users" enum4linux-a.txt | cut -d '\' -f 2 > users.txt
  4. hydra -L users.txt -P passwords.txt smb
  5. hydra -L users.txt -e nsr smb
- Responder and crack the challenge response

14
- WCE http://www.ampliasecurity.com/research/wcefaq.html
- wce.exe -g somepassword
- wce.exe -s someuser:somedomain:90172B990B993E3176FDE78389BE2CE2:DE4DB66B3AFD1319F4442D1108134FAC

15
- Based on the NetBIOS service location protocol
- net view

16
1. use auxiliary/scanner/smb/smb_enumshares
2. set rhosts 192.168.1.1/24
3. set smbuser adrian
4. set SMBpass somepassword
5. set spidershares true
6. set showfiles true
7. set threads 100
8. run

17 (no transcribed text)

18
- nmap -sU -sS --script smb-enum-shares.nse -p U:137,T:139,445 --script-args smbusername=adrian,smbpassword=somepass --open 192.168.1.1/24
- smbhash
- http://nmap.org/nsedoc/scripts/smb-enum-shares.html

19
  Nmap scan report for Cthulhu (192.168.1.240)
  Host is up (0.078s latency).
  PORT    STATE SERVICE
  139/tcp open  netbios-ssn
  445/tcp open  microsoft-ds
  137/udp open  netbios-ns
  MAC Address: A4:17:31:02:7B:50 (Hon Hai Precision Ind. Co.)
  Host script results:
  | smb-enum-shares:
  |   ADMIN$
  |     Anonymous access:
  |     Current user ('adrian') access:
  |   C
  |     Anonymous access:
  |     Current user ('adrian') access: READ
  |   C$
  |     Anonymous access:
  |     Current user ('adrian') access:
  |   IPC$
  |     Anonymous access: READ
  |_    Current user ('adrian') access: READ
  Nmap done: 256 IP addresses (10 hosts up) scanned in 13.10 seconds
  root@kali:~#

20
- Quickly know what access you have
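Turning a scan like the one above into a list of shares to fix is the tedious part, so here is an added Python example (not from the slides, and not part of the nmap project) that parses smb-enum-shares output and flags three things an auditor wants to see: shares readable anonymously, anonymous access to IPC$ (the null-session case from slide 13), and non-default shares the scanning account can read. The report, host names, addresses and share names in it are constructed; the blank access values on the ADMIN$ block are kept to match what the slide shows, and the parser treats them as no access.

```python
"""Audit helper for nmap smb-enum-shares output: parse the per-host share
list and flag shares an auditor should review. Added example, not part of
the slides or the nmap project; the report below is constructed and the
host names, addresses and share names are made up."""
import re
from dataclasses import dataclass

# Constructed sample in the same layout as the slide's scan output.
# The ADMIN$ block leaves the access value blank, as the slide shows it,
# so the parser has to treat an empty value as "<none>".
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for fileserver01 (192.0.2.40)
Host is up (0.078s latency).
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access:
|     Current user ('adrian') access:
|   C
|     Anonymous access: <none>
|     Current user ('adrian') access: READ
|   C$
|     Anonymous access: <none>
|     Current user ('adrian') access: <none>
|   IPC$
|     Anonymous access: READ
|_    Current user ('adrian') access: READ
Nmap scan report for 192.0.2.41
Host is up (0.010s latency).
Host script results:
| smb-enum-shares:
|   backups
|     Anonymous access: READ/WRITE
|_    Current user ('adrian') access: READ/WRITE
Nmap done: 256 IP addresses (2 hosts up) scanned in 13.10 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(?P<ip>\d+\.\d+\.\d+\.\d+)\)?$")
SHARE_RE = re.compile(r"^\|\s{3}(?P<share>\S.*?)\s*$")   # share names sit at a three-space indent
ACCESS_RE = re.compile(
    r"^\|_?\s+(?P<who>Anonymous|Current user \('(?P<user>[^']+)'\)) access:\s*(?P<level>.*)$"
)

# Shares Windows creates by itself: IPC$ is expected to be reachable, and the
# others are only interesting when a non-admin account can read them.
DEFAULT_ADMIN_SHARES = {"ADMIN$", "C$", "IPC$", "PRINT$"}


@dataclass
class Share:
    host: str
    name: str
    anonymous: str = "<none>"
    user: str = ""
    user_access: str = "<none>"


def parse_smb_enum_shares(report: str) -> list[Share]:
    """Walk the report line by line, tracking the current host and share."""
    shares: list[Share] = []
    host = None
    current = None
    for line in report.splitlines():
        m = HOST_RE.match(line)
        if m:
            host, current = m.group("ip"), None
            continue
        m = SHARE_RE.match(line)
        if m and host is not None:
            current = Share(host=host, name=m.group("share"))
            shares.append(current)
            continue
        m = ACCESS_RE.match(line)
        if m and current is not None:
            level = m.group("level").strip() or "<none>"   # blank value means no access
            if m.group("who") == "Anonymous":
                current.anonymous = level
            else:
                current.user, current.user_access = m.group("user"), level
    return shares


def review(shares: list[Share]) -> list[tuple[str, str, str, str]]:
    """Return (severity, host, share, note) for every share worth a second look."""
    findings = []
    for s in shares:
        if s.anonymous != "<none>":
            if s.name == "IPC$":
                findings.append(("info", s.host, s.name,
                                 "anonymous IPC$ access (null sessions possible)"))
            else:
                findings.append(("high", s.host, s.name, f"anonymous access: {s.anonymous}"))
        elif s.user_access != "<none>" and s.name not in DEFAULT_ADMIN_SHARES:
            findings.append(("medium", s.host, s.name,
                             f"'{s.user}' has {s.user_access} on a non-default share"))
    return findings


if __name__ == "__main__":
    for sev, host, name, note in review(parse_smb_enum_shares(SAMPLE_NMAP_OUTPUT)):
        print(f"[{sev:6}] \\\\{host}\\{name}: {note}")
```

Run it against a saved `nmap -oN` file instead of the constructed report and the output is a short list you can hand to the share owners; the severity split matters because anonymous READ on IPC$ is normal on old Windows builds, while anonymous READ/WRITE on a share named "backups" is the kind of thing slide 3 is about.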

21
- General -> Up thread count
- Additional -> Grab HTTP & FTP server banner
- Work Stations -> Lookup logged on users
- Share -> Enumerate All

22 Getting the most out of shares

23
- Windows Search: use operators in CAPITALS
- http://windows.microsoft.com/en-us/windows7/advanced-tips-for-searching-in-windows

24
- http://regexlib.com
- \d{3}-\d{2}-\d{4}|\d{9}|(?i)ssn
- grepWin http://stefanstools.sourceforge.net/grepWin.html
- AstroGrep http://astrogrep.sourceforge.net/

25
- OpenDLP https://code.google.com/p/opendlp/
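The regex on slide 24 is what grepWin, AstroGrep or OpenDLP (slide 25) would be pointed at a share with. As an added Python example (not from the slides and not part of any of those tools), here is a small scanner that walks a directory tree with that pattern and with a tighter one, so you can see how much noise the loose `\d{9}` alternative produces on ordinary files. The files it scans are constructed in a temporary directory and every number in them is made up; the strict pattern's exclusions (area 000, 666 and 900-999, group 00, serial 0000) are the ranges the Social Security Administration does not issue.

```python
"""Look for Social Security numbers in a directory tree (a mounted share,
for instance) before someone else does. Added example, not part of the
slides or of OpenDLP/grepWin/AstroGrep; the files it scans are constructed
in a temporary directory and every number in them is made up."""
import os
import re
import tempfile

# The slide's pattern. Recent Python versions reject an inline (?i) in the
# middle of an expression, so the flag moves to re.IGNORECASE; the matches
# are the same.
LOOSE_SSN = re.compile(r"\d{3}-\d{2}-\d{4}|\d{9}|ssn", re.IGNORECASE)

# Tighter pattern for triage: dashed form only, on word boundaries, and
# excluding the area/group/serial values the SSA never issues
# (area 000, 666 or 900-999; group 00; serial 0000).
STRICT_SSN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def scan_text(text: str, pattern: re.Pattern) -> list[str]:
    """All non-overlapping matches of pattern in text, in order."""
    return [m.group(0) for m in pattern.finditer(text)]


def scan_tree(root: str, pattern: re.Pattern, max_bytes: int = 1_000_000) -> dict[str, list[str]]:
    """Map each file (path relative to root) to the matches in its first max_bytes."""
    hits: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                continue                        # unreadable file: skip it, keep scanning
            found = scan_text(data.decode("utf-8", errors="ignore"), pattern)
            if found:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = found
    return hits


# Constructed files: one plausible SSN, one with an area number that is never
# issued, a ten-digit phone number, a nine-digit order number, and the word "SSN".
SAMPLE_FILES = {
    "hr/payroll.csv": "name,ssn\nAlice,219-09-9999\nBob,000-12-3456\n",
    "it/phones.txt": "helpdesk 5025551234\norder 123456789\n",
    "notes.txt": "SSN on file for new hires\n",
}


def demo() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """Write the sample tree, scan it with both patterns, return (loose, strict) hits."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        return scan_tree(root, LOOSE_SSN), scan_tree(root, STRICT_SSN)


if __name__ == "__main__":
    loose, strict = demo()
    print("loose :", loose)
    print("strict:", strict)
```

On the sample tree the loose pattern fires on every file, including a phone number and an order number, while the strict one only reports the payroll file. In practice you run the loose pattern first to find candidate files and the strict one to decide what actually needs cleaning up, and you point `scan_tree` at the share's mount point rather than a temp directory.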

26 Tweaks to secure and scan better

27 (no transcribed text)

28
- Deny access to this computer from the network
- Under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

29
- HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
- SecPol.msc

30
Level | Group Policy name | Sends | Accepts | Prohibits sending
0 (Windows NT 4, 2000, XP) | Send LM & NTLM responses | LM, NTLM; NTLMv2 session security is negotiated | LM, NTLM, NTLMv2 | NTLMv2 session security (on Windows 2000 below SRP1, Windows NT 4.0, and Windows 9x)
1 | Send LM & NTLM - use NTLMv2 session security if negotiated | LM, NTLM; NTLMv2 session security is negotiated | LM, NTLM, NTLMv2 | NTLMv2
2 | Send NTLM response only | NTLM; NTLMv2 session security is negotiated | LM, NTLM, NTLMv2 | LM and NTLMv2
3 (Vista, 7, etc.) | Send NTLMv2 response only | NTLMv2; NTLMv2 session security is always used | LM, NTLM, NTLMv2 | LM and NTLM
4 | Send NTLMv2 response only/refuse LM | NTLMv2; NTLMv2 session security | NTLM, NTLMv2 | LM
5 | Send NTLMv2 response only/refuse LM & NTLM | NTLMv2; NTLMv2 session security | NTLMv2 | LM and NTLM
Based on http://technet.microsoft.com/en-us/magazine/2006.08.securitywatch.aspx

31
- Finding Rogue SMB File Shares On Your Network http://www.irongeek.com/i.php?page=security/roguefileshares
- Finding the Leaks http://blog.secureideas.com/2013/01/finding-leaks.html
- nessuscmd Tip: Finding Open SMB File Shares http://www.tenable.com/blog/nessuscmd-tip-finding-open-smb-file-shares

32
- Derbycon Sept 23rd-27th, 2015 http://www.derbycon.com
- Others: http://www.louisvilleinfosec.com http://skydogcon.com http://hack3rcon.org http://outerz0ne.org http://phreaknic.info http://notacon.org
- Photo credits to KC (devauto)
- Derbycon art credits to DigiP

33
- 42
- Twitter: @Irongeek_ADC

