# 網軍內網滲透之奇技淫巧 (Operation: I am Tom) - zha0, Tom, Aragorn {%hackmd @HITCON/r1z4zylVv %} > 從這開始 > ###### tags: `HITCON2020`,`HITCON` The operation name came from: ## Agenda + AD Farm + Webshell ### AF Farm 奇異果不單純只 log on password SSP:Security Support Provider mimikatz is a tool of katz Copy lib.dll to C:/system32 modify regidtry HKEY_LOCOL_MACHINE ### Mimilib - SSP Mimilib patch ssp in memory 1. Run Mimikatz type misc::memssp 2. inject Mimikatz memssp - memory status patched dll ### Skeleton Key Skeleton Key is installed in 64 bit domain server Support Windows Server 2003-Windows Server 2012 R2 Inject shellcode into Isass.exe to change its excution flow It will fail after restart, ### Mimikatz skeleton key - injected shell code ntlm hash ### Mimikatz skeleton key - patch dll ### Wdigest - clear text password + For Window 7,8,Server 2012 + KB2877991 update + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Security set to 1 + 變成明碼 ### REegistry ACL VPN 的帳號密碼不一定是AD的帳號密碼 ### Mmikatz bypass AV + VMP + Mimikatz variant + https://www.freebuf.com/articles/system/234365.html ### ntds.dit + Windows password is stored after being hashed and stored locally in hkim\SAM and HKLM\system in the registry + In the domain, password is stored in C:\windows\ntds\ntds.dit and HKLM\SYSTEM of the domain controller ### Precaution Limit the possibility of DLL injection by removing users and groups from the "Debug Programs" policy setting(SeDebugPrivilege) Lsass.exe process protected Protected Users Group NTLM is not used,Kerberos or third SSP is required Kerberos tickets have a shorter life span Windows Digest is not cached ### Webshell erp、AD #### IIS-Raid #### IIS Module Precautions Check whether IIS is installed with a backdoor by #### Exchange privilege admin 不能看到 system 的 ticket #### Modify the aspx #### HyperShell APT34 Leaked Tools For Exchange webshell #### Compile dll (iis cache) Csc.exe compile will generate a compile dll cache file #### Precautions Modify directory permission #### Exchange Antivirus Whitelist 微軟放到白名單裡面 不會被防毒檢查 因此容易被放惡意程式 ex. mailbox #### (De)Serialization overview #### Microsoft .NET Viewstate Object passed between client & server #### Machinekey Element validation key used to sign the ViewState HMAC decryption key Load Balanced #### Exploitation Path #### Access Payload Double DLL Sideloading ##### Self - Modifying Code #### Sysupdate + Dll hijacking(used by APT27) + 一個以cpu名稱命名的registry #### TEBShell dll hijack => malicious DLL => Encrypted Payload => #### Telegram RAT Use pyinstaller to package exe, it is more difficult to ### miscellaneous #### StickKeys Backdoor + sethc.exe #### Attacker's trap ##### Rootkit hide directory ##### Easy File Locker ##### Check source host MAC?? + VPN abuse + different attack's Hostname => Find host in TW domain, bypass security policy ##### Virtual Directory ##### Antivirus bypass + close antivirus software + login antivirus software management interface with old password