2022 Akamai | Confidential

Tunnel Vision: Exploring VPN Post-Exploitation Techniques
Ori David

Agenda
- VPN exploitation
- VPN post-exploitation
- What can we do about it

whoami
- Ori David
- Security Researcher at Akamai
- Background in red teaming & threat hunting

Why VPNs are appealing to attackers?
[diagram labels: VPN, Internal Network]

“Classic” VPN exploitation
- Abused mainly to gain initial access to the network
[diagram labels: VPN, Internal Network]

VPN Post-Exploitation?

VPN post-exploitation
- Persistency
- Credential Access
[diagram labels: Windows, VPN?]

Implant based post-exploitation
- Mandiant “Cutting Edge part 4” report

Implant based post-exploitation
- Run a custom implant on the underlying device OS
- Modify system files or hook functions
- Full control over device functionality
- Expensive to develop and maintain

Living off the land
[diagram label: VPN]
Living off the VPN

Our test subjects

Abusing Remote Authentication Servers

Local user authentication
1. Provide username & password
2. Approve/Reject authentication
[diagram label: VPN]

Remote authentication servers
[diagram label: Auth Server]
1. Provide username & password
2. Validate user credentials
3. Approve/Reject authentication
[diagram label: VPN]

Abusing LDAP Authentication

Fortigate LDAP authentication
[diagram label: LDAP Server]
1. Provide LDAP username & password
2. Validate user credentials
3. Approve/Reject authentication
[diagram label: Fortigate]

CLEARTEXT LDAP authentication (Fortigate)
- Leaks 2 sets of credentials:
  - The configured Fortigate LDAP service account
  - The credentials of the authenticating user
- LDAPS is supported, but not used by default

Ivanti LDAP authentication
- Two types of LDAP authentication servers:
  - LDAP
  - Active Directory

Ivanti LDAP authentication server
- The default setting uses TLS
- When LDAP is used - a simple bind is performed

Ivanti Active Directory authentication server
- Uses Kerberos authentication

Ivanti: Capturing LDAP credentials
- If LDAPS/Kerberos is used - downgrade to
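The Fortigate and Ivanti slides above describe an appliance authenticating to LDAP with a simple bind, which carries the service-account password and the user's password as plain octet strings unless the session is wrapped in TLS. As an added example that is not part of the talk or of any vendor's code, the following Python decodes an LDAP BindRequest (RFC 4511) with a minimal BER reader and flags simple binds sent to plain port 389, while leaving SASL/GSSAPI (Kerberos) binds alone; the bind DN and secret are constructed placeholders.

```python
"""Flag cleartext LDAP simple binds (RFC 4511 BindRequest); added example with constructed bytes."""
SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
AUTH_SIMPLE = 0x80    # AuthenticationChoice [0] simple: password sent as a plain OCTET STRING
AUTH_SASL = 0xA3      # AuthenticationChoice [3] sasl, e.g. GSSAPI carrying a Kerberos ticket

def _read_tlv(buf: bytes, pos: int):
    """Minimal BER TLV reader: (tag, value, next_pos); supports long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def parse_simple_bind(payload: bytes):
    """Return (message_id, version, bind_dn, password) for a simple-auth BindRequest, else None."""
    try:
        tag, msg, _ = _read_tlv(payload, 0)
        mid_tag, mid, pos = _read_tlv(msg, 0)
        op_tag, op, _ = _read_tlv(msg, pos)
        if (tag, mid_tag, op_tag) != (SEQUENCE, INTEGER, BIND_REQUEST):
            return None
        _, ver, pos = _read_tlv(op, 0)
        _, dn, pos = _read_tlv(op, pos)
        auth_tag, cred, _ = _read_tlv(op, pos)
    except (IndexError, ValueError):
        return None
    if auth_tag != AUTH_SIMPLE:             # SASL/GSSAPI binds carry no cleartext password
        return None
    return int.from_bytes(mid, "big"), int.from_bytes(ver, "big"), dn.decode(), cred.decode()

def _tlv(tag: int, value: bytes) -> bytes:
    """Short-form BER encoder, only for building constructed samples (values under 128 bytes)."""
    return bytes([tag, len(value)]) + value

def sample_bind(dn: str, secret: str, auth_tag: int = AUTH_SIMPLE) -> bytes:
    """Constructed sample of an appliance's BindRequest as it appears on the wire."""
    cred = secret.encode() if auth_tag == AUTH_SIMPLE else _tlv(OCTET_STRING, secret.encode())
    body = _tlv(INTEGER, b"\x03") + _tlv(OCTET_STRING, dn.encode()) + _tlv(auth_tag, cred)
    return _tlv(SEQUENCE, _tlv(INTEGER, b"\x01") + _tlv(BIND_REQUEST, body))

def audit(payload: bytes, dst_port: int) -> str:
    """Defender check: a simple bind to plain port 389 exposes the bind DN and password in transit."""
    bind = parse_simple_bind(payload)
    if bind is None:
        return "ok: no simple bind"
    if dst_port == 389:
        return f"ALERT: cleartext simple bind as {bind[2]} (LDAPv{bind[1]})"
    return f"ok: simple bind as {bind[2]} inside TLS (port {dst_port})"
```

Run `audit` over the first TCP payload of each session from the appliance to the directory server; an ALERT on port 389 is the cleartext case from the Fortigate slide, and the same bind on 636 (or after StartTLS) is the LDAPS case the vendors support but may not enable by default.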