
Hey everybody, can you hear me okay? Cool. I'm going to start this out by asking a question: how many of you, this is your first time at a BSides event? Look at that, look how many people are brand new to BSides. This is awesome. So let me be the first to welcome you and say you're going to have an awesome time; there's a ton of awesome talks lined up. If you see one of these staff members, thank them for all the hard work they're putting in, because they're doing a kick-ass job here.

So this next question, I think I'm going to get the majority of the folks to raise their hand because it is a BSides conference: how many of you have a job in which you have some sort of touch into the security realm? So you do network admin, sysadmin, keep your hands up for me. All right. Now how many of you have actually ever taken what you knew about infosec and thought about, what if I decided to do something malicious with that knowledge you've got? So yeah, I've got, I would expect, my pen testers, red teamers in the room thinking, yeah, I do that on a daily basis, right? I hack companies. Okay, now how many of you, the several hands raised, have actually gone through with crafting an intricate attack process on how you would go about targeting organizations, exploiting them, profiting off of that, and then trying to maintain non-attribution through the entire process? So there's a couple in the room, there's a couple in the room. But this is why I'm here. I thought it'd be a fun exercise to just walk through the process of a dedicated attacker. I'm a pen tester and I compromise organizations every week; it's easy, as my co-workers in the back can tell you, we do it weekly. What I wanted to go for is: if I, as a pen tester or somebody in this security community, were to just wake up evil one day, how would I go about doing that?
I'm going to show you how I personally, if I were to just wake up evil one day, would go about doing this. So let's have some fun with this.

So, some key focal points of this talk. The main theme you're going to find through this entire talk is non-attribution. On a daily basis I'm doing exploitation of organizations, so I spent a lot of time just focusing on how... (Louder? Louder? Scream? Okay, well, the mic doesn't have volume. All right, okay, yeah, gotcha.) So the thing is, I had to spend a lot of time thinking: okay, we usually have organizations that know where we're coming from IP-wise; we're not doing real legit, I'm-trying-to-not-get-caught hacking, right? So I had to really put a lot of thought into this. The next thing is, how am I going to go about picking targets? Am I just going to pick them at random? Am I just going to say, hey, I don't like that guy over there, I'm going to go target him? And then reconnaissance, right? So how can I just take open-source information, things I can find freely available on the internet, and potentially find exploits for a company, just freely available? And then the actual exploitation stage, right? So we have to compromise the company in some manner, and then eventually we'll talk about how I think I would go about profiting off of it.

So real quick, who am I? I'm a pen tester at Black Hills Information Security; we've got some of my co-workers here. I'm also a host of a web show called Hack Naked TV, where I talk about random news things and rant a little bit. And then I've also previously been a defender, so for a lot of this talk I'm mainly putting on my defensive hat, because I really wanted to not get caught, right? So all of my previous experience with defending a network and trying to catch an attacker, I tried to really put that into this talk.

So quick side note, something I thought was kind of interesting that I want to share with you. Most of you probably signed up on the BSides website, right? You probably went there and paid your money. One thing I noticed that was kind of interesting about it is there's a picture on the website, and I'm in that picture. This is me two years ago sitting in Kevin Johnson's keynote. And so the thing that's kind of amazing is that at this point in my life I totally would have never expected to be right here today. Never. I mean, I was a security engineer, I had never performed any pen tests, never did any con talks or anything like that. So for me to be up here today, it's like, what the hell? But anyways, my point is, in the last two years since then I've performed pen testing at 70 different companies, I've recorded 20 different Hack Naked TV episodes, I've spoken at three different security conferences now, and I've written a blog post that kind of helped me get to where I am, and now I'm adding keynote to that list. And I really have everyone in the room to thank for that, because it's the security community that has helped me make myself who I am. Without everyone here I wouldn't be where I am today. So thank you, first and foremost, to everybody. Yeah, enough about me. Let's talk about not getting caught.

So before we dive into how I personally would think about how I'm not going to get caught, let's look at some guys who did a bad job at not getting caught. So Jeremy Hammond, he's the guy that hacked Stratfor. And so the thing with his hack, his problem was that he trusted humans. He actually ended up getting ratted out by the former Anonymous member Sabu. And the FBI busted down his door, flash grenades, everything, with assault rifles, and what did he do? He immediately just closed his laptop, encrypting it forever. So the FBI at that point are like, oh well, we're never getting into that, right? Does anyone know how they did end up actually getting into the laptop? He didn't give them his password; he chose a really shitty password. His password was his cat's name plus one two three. So you go through this whole process, like, I'm going to encrypt my laptop, I'm going to hide from the FBI, and he chooses a really good password. So as somebody who's going to look at not getting caught, I mean, you still gotta defend yourself too.

Then you got some of the LulzSec hackers. As you start adding more members to your hacking group, it creates more problems, right? Like you have more communications you have to worry about, talking to them and not getting caught that way. So that's another case: trusting humans is not something I'm going to do.

And then you got Ross Ulbricht, Dread Pirate Roberts. This is the mastermind behind the Silk Road. So we're going to talk about Ross Ulbricht in particular here, Dread Pirate Roberts, because he did a lot of things really wrong when it comes to opsec. I'm going to list out a few things here, bear with me. He boasted about creating an economic simulation on LinkedIn. So he basically went to LinkedIn, on his own personal account, and said, I'm going to create this awesome website where I'm going to just completely subvert the government. So that's one problem, right? One thing. So he purchased virtual private servers using his real picture on a fake ID. He could have put anybody's picture there; he put his real picture on a fake ID that got caught, and it's like, hey, who's this guy with the nine fake IDs? He went to Stack Overflow and asked for advice on how to code Silk Road. So he would post a question like, how do I connect to a Tor hidden service using curl and PHP, with his real email address; he didn't try to obfuscate that at all. He actually tried to hire an undercover cop to kill somebody. Trusting humans again. I mean, if you're going to hire somebody to kill somebody, maybe don't, I don't know, trust some random person, I don't know. And then he actually had a real technological security flaw with Silk Road. He actually had a vulnerability where his public IP address was being leaked. So if you know anything about Tor hidden services, you can only connect to it through the Tor network and that actual public system should be hidden through that process, but he actually had a vulnerability where his actual public IP was being leaked. So the FBI saw that one day and they're like, oh hey, let's go compromise that server, confiscated. And then, oh, he accessed the Silk Road from a block from his house. So if you're going to run a billion-dollar drug industry, why do it right down the road from your house?

All right, so how am I going to go about that? I'm going to design it with opsec first and foremost in my mind. How am I going to go about setting up an infrastructure to attack organizations without getting caught?
So let's try to avoid his mistakes. We're not going to trust any humans; I'm going to do it all by myself. I'm going to build an attack infrastructure with opsec being first and foremost, so how I'm going to go about actually doing the exploitation phase is all going to be very, very much opsec-driven. And then maintaining anonymity in both the real and digital worlds. And the reason I say the real world too: let's say I want to go buy some Bitcoin for cash. I don't want that person that I'm buying Bitcoin from for cash to really figure out who I really am. So even in the real world I still have to remain somewhat anonymous.

So let's talk about the actual setup. This is the real, this is my infrastructure and how I'm going to go about attacking organizations and not getting caught. So here's just some necessities, right, some things that are absolute musts. We're going to have to have a laptop to work from, maybe some internet, that helps, VPNs, maybe some proxies to route through, some command and control servers, attack servers, and then non-attributable currency: go buy some gift cards or Bitcoin. These are just the necessities. So finding a laptop's easy: go to Craigslist, there's a ton of different laptops, you can go buy those in cash, right? That's the easy part, that's kind of straightforward. Internet, same thing: we're going to access it from a free Wi-Fi spot somewhere, right? That's the typical mindset. My favorite thing is to do apartment complexes, because then you get really good internet sometimes; they might have like some hundred-meg download. You go to a Starbucks, you get kind of crappy internet.

Yeah, here's a really key point. So in my mind, if I were to be a malicious attacker, I'm not going to access my attack infrastructure from half a block from my house like Ross Ulbricht did. I'm going to go greater than 50 miles. And the other key thing is I'm not ever going to bring my residence into the circumference of my house. So, funny story, there was actually a hacker that was caught because he was accessing his attack infrastructure from 10 miles east of his house, 10 miles north, 10 miles west, various Starbucks, and the cops are like, hey, huh, he literally made a circle right around where he lives. So it was easy for them to go find him. So when we go to this place that we're going to work, we're not going to show up and have some sock thing, thinking we're being opsec-friendly because we've got this weird sweater thing that's covering our laptop. So let's talk about being a bit more opsec-safe. Maybe we'll get some power to sit out in our car, right? Get a nice little power converter, get a Yagi antenna, and then have an Alfa card, and then you can access it from a good distance away. And then you end up looking like this, like a true hacker, dude, black hat beanie and all, because you can't hack without either a black hat beanie or a black hoodie, right? I mean, it just doesn't work that way.

All right, so the actual attack architecture. How am I going to do this? I'm never going to attack an organization directly, meaning I'm never going to send packets from where I'm sitting to that organization. We're going to use multiple different VPS networks to route the traffic through, and in order to be non-attributable we're going to need some alternate identities and some Bitcoin, because buying the VPS servers themselves is going to take some sort of non-attribution in its own. So buying Bitcoin for cash is easy; you can go find people selling it around here very easily, and then you can actually buy VPSes for Bitcoin, which is really cool, right? Because then you buy Bitcoin for cash, remain anonymous buying the Bitcoin, buy a VPS under an alternate identity using Bitcoin, and then there's really not a whole lot to trace back to you at that point from the perspective of obtaining your virtual private servers.

All right, so the primary attack system. This is the main network setup, right? So I'm going to have two different virtual private server networks. I'm going to have VPS network one, which is going to have a VPN server, a management server, and possibly a password cracker, because I'm not going to bring any of my files that I'm running, or that I'm taking from an organization, back to my local laptop. I'm going to strictly keep all that stuff off of the local laptop, just for opsec purposes. So if I need to crack some passwords, we'll do it out in the VPS. And then I have VPS network two, where I'm actually going to have the primary attack server and a command and control server. So connectivity-wise: VPN into virtual private server network one, and bear with me because I've got a nice diagram of all this in a minute. I'm going to SSH and RDP, or VNC, to my management server inside of VPS network one. So I'm not just VNCing straight up to virtual private server network one, because having a VPN there kind of limits the availability of somebody on the local network from sniffing the traffic and whatnot. So VPN, then connecting to the management server. The management server is really there to route my connections to the actual attack infrastructure, which we'll talk about in a minute. I'm going to route all the traffic from the management server through Tor, all of that through Tor, SSH over from the management server to my virtual private server network two, where I've got my attack infrastructure.

And it looks something like this. So let's walk through this. I've got my laptop that I bought with cash, I've live-booted it with a Linux distro, I've connected to free Wi-Fi at a coffee shop somewhere, I VPN from that Wi-Fi out to my virtual private server network one where I've got a VPN server, then SSH, or maybe even VNC or RDP, to the management server, and from there we're routing all of that traffic through the Tor proxy nodes, where you're going to hit at least three proxies, and then the SSH traffic from that point is all going through Tor into the actual attack infrastructure. So the target organization should only ever see two IPs really that are attacking it; they should only ever see anything that's in VPS network two. And the reason that I set this up this way with Tor in the middle, some people were like, well, why don't you just connect straight through Tor? Why do you bypass this whole thing and just connect through Tor out to VPS network two? Well, there's been a number of demonstrated attacks against Tor itself where, if you control the entry and exit nodes, you can kind of correlate where that traffic came from. So in this infrastructure setup I've got it in between two different VPS networks, which, if somebody were to control that traffic or know where the traffic's coming from, they're going to be just led back to my VPS network one, which still is kind of a trail to go down at that point. They're going to have to go to VPS network one and then try to figure out where I connected from there, and eventually find out that it was from a Starbucks somewhere. Remember, the reason I'm doing this is because I want to keep opsec in mind.

So something interesting that I'm actually not entirely sure about, because I don't have control of a VPS network myself, but one thing that I was kind of tossing around the idea of: let's say somebody traced it back to Tor, let's say for some reason they were able to trace the Tor network back to my VPS network one here. So a lot of cloud services offer VPS hosts and they'll give you a public LAN IP on that VPS; for example Amazon will do that, Amazon EC2. So if I connect over the public IP, or not public, private IP, a private RFC 1918 IP, from my VNC server to the management server, is anything actually logging that? So once you hit the management server, you're going to see a trace back to the public IP of the management server, but from there is anything really logging that traffic inside of VPS network one? So who knows, the trail might die there, and eventually, if somebody did trace it back to the Wi-Fi hotspot, I will be at a different one by that time.

So anyways, I know a lot of you are thinking, damn, the latency on this must be crazy. Well, I actually set it up and it's not that bad. So I live-booted off of a Linux distro, I connected to free Starbucks Wi-Fi, I VPNed to a VPS server that I set up, which is literally just a VPN server on one of the cloud-based services. I then VNC'd; the main window you see here is me VNCing to my management server, just an Ubuntu box, where I routed all the traffic through Tor. So you can see I've got the "Congratulations. This browser is configured to use Tor" page. So it's not just HTTP traffic that I'm routing through Tor, though; it's all traffic. So as you can see in my SSH, you probably can't see it from the back, yeah, it's not coming through very well, but if I did a netstat you can see the actual public exit node from Tor as the SSH IP address. So all of this is being routed through Tor, so I SSH to my attack server, work out of Metasploit and whatever else on that attack infrastructure. And even if the latency was bad, you could do it all in screen sessions anyway, and then if you lose connection, just connect back to the screen session. And of course the mandatory caffeination, gotta have caffeine.

Okay, so now we've got our attack setup ready to go. We've got to figure out how we're going to go about targeting organizations. What is our motivation? Well, you can go after easy targets; that's easy, right? You could pick high-profile targets, companies that we just have an itching to attack. Then you've got contract targets; maybe one day I might get paid just for targeting a specific company. And then you've always got vengeance: I don't like those guys, so I'm going to target them.

So let's talk about easy targets first. So I spent about 15 minutes on Shodan, which is awesome; if you haven't used Shodan before, go check it out. And I just looked for unauthenticated VNC servers. So these are servers that are publicly available to the internet that have a VNC service running that does not require authentication. I spent about 15 minutes and here's some examples of what I found. So we've got a wide-open Windows server in Romania, I think. We've got a wide-open Windows server in Taiwan. We've got an industrial control system in Greece that looks like it's, I don't know, hygiene or something, so maybe it's like some poop coming out there, I don't know what that is, but it looks fun. Another Windows server, just wide open. Remember, there's no authentication on these; they're just wide open on the internet. Here's actually a patient health record system in the US, just wide open; that's kind of scary. And then a Mac for good measure, right?

Vulnerable services. So instead of just, let me run a vuln scan against an organization and try to find something that potentially might be exploitable, let's just look for publicly available hosts that are already exploitable. So things like vsftpd 2.3.4, which has a publicly available exploit in Metasploit: 130 servers on the public internet that you can find with Shodan, just go export them today. Or we could look for high-profile targets, right? We can pick out the enterprises of the world, we've got the hospitals, the fun organizations to go target, because they might make us more when it comes to the profitization stage. And then you got contract targets. So this is actually a real hitman network on the dark web; you can literally buy a hitman for Bitcoin. So I mean, eventually maybe somebody wants to just contract targets out to me for hacking, right? I mean, why not? And you got vengeance; you got Mr. Robot, who just takes down Evil Corp. We could pick an organization just because we don't like them.

So after we've picked our organization and decided we're going to attack them, let's do a good amount of recon into how we're going to go about exploiting them. We're not just going to throw a Hail Mary, db_autopwn at them. So information disclosure: every Nessus scan you've ever run that has information disclosure, it's like a low finding, right? Well, let's talk about some of the more interesting ones. How about an organization's username structure that you can gain from publicly available systems? That's kind of cool. How about credentials in previous breaches? So things like PwnedList can show you; PwnedList will grab everything from any breach that gets dumped publicly to the internet. And then maybe we've got to know the external network ranges, maybe look those up in Shodan and find some targets through that. We're going to minimize the noise: use sites like Shodan and Censys to once again look for the low-hanging fruit and find open ports. We're going to locate external login portals, which we'll talk about in just a little bit, because external login portals, if you're using LDAP
authentication can be a lot of fun let's talk about exploiting now so we've we've gained some information about an organization we know it's publicly available we know hey maybe this company has vs ftpd 2.3.4 and we can just go exploit it or hey maybe we were able to gain the username structure and we can do some other attacks with that so exploitation page let's talk about credential reuse so traditionally when when organizations or employees or anyone thinks about credential reuse people think like oh I'm using the same password on another account or for example like my maybe my I have like an administrative uh user that has a separate like domain admin account and like I found one recently
where the guy just reused the same password on his administrator account and his domain admin account so they count the guys using for daily activity to open up every email he's opening up like every PDF he gets sent and you know launching every Java applet that that account has the same password as his domain admin so um but in this sense what I'm talking about is not across the same Enterprise account I'm talking about the uh the actual personal accounts of employees so this gets in kind of a gray area because this is something that that an employee owns outside of the organization so think of like like a Gmail account or Yahoo or anywhere you
can go publicly sign up for an account so how can we exploit that so I was doing a pen test recently where I found uh where I submitted I submitted the company's domains to pone list and phone list will tell you hey here's the certain number of uh of email addresses of this domain that were compromised so this particular company had you know 157 for their main corporate one 82 for another main corporate email address and then 50 000 pound accounts for a domain that was technically their customers so imagine a company like like a Google and they have Gmail right so if I were to submit every Gmail address they might say Hey you know you have 10 million
opponent accounts or whatever um or like an ISP where you've got like Verizon's a good example they got verizon.net if you're a customer or at verizon.net email addresses so this company was kind of similar to that in the fact that they had uh they had their own domain for their customers so this was their customer's domain so I started thinking all right I've got 50 000 credentials of people who use this company how can I go about finding out if any of those people are employees at the company and they reused their same password on their personal account so the way I did this is I I went to Pitbull Pitbull's a great site for for
collaborating they collaborates a ton of information from a lot of different social networks LinkedIn uh connects to like YouTube like pretty much anything that you can find on the internet and we'll try to kind of collaborate all that information into a detailed kind of story about a person that it can find on the internet so what I did is I submitted those 50 000 email addresses to pipple and I just greped the results for the company name that I was targeting so these are personal email addresses and somebody said hey I work at this company for example this is manager Network operation support at X company right I got 252 hits from this so I had 252 accounts that were personal
email addresses that said they worked at the Target company I was trying to Target and outside their credentials because they were part of a breach so now it became can I just convert those back to the the organization's actual email structure if I know their name it's probably first name dot last name or first initial last name at companyname.com we go try their credentials on their OA portal and hey now we've got a valid domain account just from credential reuse on a personal account so that one that's attack number one I'm gonna talk about three different attacks so here's here's hack number two password spring password spring is probably my favorite thing I love password spring if you don't know what
password spring is traditionally when you think about password attacks we think about brute forcing passwords right like I'm gonna throw a million different words at somebody's account and try to guess their password password spring is different as it will not actually lock out accounts so when you when you try to Brute Force accounts you're gonna lock out accounts really quickly especially if you have like a domain authentication um and you know you've got like your your password threshold of like five so you know you hit five five attempts and you lock out an account with password spraying you kind of take the opposite approach you take everybody's username in the environment so everyone in the
room everyone has their own username I'm going to try one password against everybody's account and I'm gonna pick a good one I'm gonna pick something like winter 2016 or password one and I guarantee you I will get a number of you in the room by using every single person's username so uh when we look at password spring we just try one one attempt so I know you're thinking like all right so I'm an external attacker how do I get the usernames how do I how do I know what to try at you know as an external attacker internally you know you can just run uh net user forward slash domain get all the usernames from the domain and then
try it internally that's a lot easier externally though you have to figure out how the username structure works so there's a tool called focus and foca uh will go and grab all of the publicly available files from a domain so all the dot doc files all the Excel files all of the PDFs and it will go and download all this so basically just doing Google searches right it's doing like like site colon company name file type dot doc and it will find all the doc files and go download them the interesting thing is that you can also extract all the metadata from those files so one thing that a lot of people don't do when they
post things publicly is strip all the metadata and if you create a doc file or PDF a lot of times you have your username attached to that file so all these publicly available files that we're able to pull we're extracting usernames and so I I did this on a recent test and I I figured out the username structure um which which I mean it was a little bit of an easy username structure right I I then took that username structure crafted a list of every possible combination so they basically had like a like a three character uh uh prepended uh uh three characters prepended to the usernames something like EMP and then they had the initials of the user so
something like ABC so it was a six character username I created a list of all those usernames and I tried one password against every single one of them against an external portal this particular company I was doing an external test before and then was scheduled to do an internal assessment later on before I even got access to do the internal assessment I had 252 valid per domain credentials before I even touched the internal Network so uh you know like this this is this is intact you know as an external attacker getting domain credits really the first step you know getting getting access to a network so let's talk about phishing phishing's you know known as what we call the
golden ticket on pretty much any network, right? I'm gonna talk about two different types of phishing: I'm talking about credential gathering and system compromise.

Credential gathering: so the first thing that I would try to do is set up an external portal that looks like something that users are already used to logging into, something that looks like maybe an OWA portal that they're used to logging into every day. And hey, you know, we need you to sign in, we need you to sign into the OWA portal to, you know, validate your new benefits for some reason, and people will do it. They'll go try to log in and then they'll get, you know, a login failure because it doesn't work, but we
immediately redirect them to the actual login portal. So, you know, they just think they mistyped their password and nobody's the wiser; they just go, oh, okay, well, maybe I just mistyped that.

And then, you know, remote exploitation, that's probably one of the more common ones we do: sending Word document macros, right? Like, that's the new hotness, right? Everybody's doing Word document macros, every attacker is doing that, because everyone wants to just enable content no matter how hard, you know, they say not to. Everybody just sees that button and it's like, I have to press it, you know, there's no way I can't press that
button.

So, all right, kind of a quick funny story. Myself and Joff Thyer, who works at our company as well, we were doing a phishing assessment for an organization, and so we started doing some recon and we found that this company did like a national walk-at-work day, they're gonna do some exercise. And at this retreat thing we saw they had a number of vendors there from a number of other companies, like clothing vendors and whatnot. So I was talking to Joff and I was like, hey, what if we just pretended to be one of these vendors and, you know, try to
send like a coupon and said, hey, thanks for coming out, you know, to our national walk-at-lunch day or whatever, here's 50% off our merchandise at our store. So we created this coupon, we sent it to all these employees, and it was just like raining shells on us, like everybody's enabling content. And, all right, so the bad part is, you know, we got shells, that's bad for the organization, but the worst part is people were actually printing it out and leaving work to go actually try to get the 50% off. So, you know, we caught some flak for that, but whatever.

So, you know, we've gained access
to credentials, maybe phished a user. Now it becomes: how am I going to access that network remotely? So one of my key beliefs in doing this is I'm not going to do any physical attacks, because I don't want to get caught. I think, you know, there's plenty of people who do physical pen tests very well and there's plenty of ways to get into organizations physically, but I just feel like I don't need the risk, like I can just move on to another organization if I can't get it remotely. So number one is: is two-factor in play on a VPN, like an external VPN? If I got creds for a user, can I literally
just VPN to the network without having to have two-factor? Are there just, like, externally facing RDP servers that I can just go log into? How about access to OWA? So, all right, that's not access to the network per se, but hey, phishing across internal accounts is gold. Like, I find a conversation between somebody that's already in a heated debate about one thing and then say, hey, you know what, screw you, click this link right here, and they're like, hey, I know this guy, they've already been in a conversation with me, I'm gonna listen to them and I'm gonna click that link. Yeah. And like I said, no physical attacks.

Post-exploitation. So after we've
gained access to a network. See, the thing is with this entire talk, for me, we basically get given access, right? Most of the pen tests we do, they say, hey, here's a non-administrative account on a normal Windows build or whatever is normal to the environment, go. Right? So for me, post-exploitation, this is something I do every day and it's easy, and on this particular slide I'm going to try to boil down my entire BSides Tampa talk from last year into this one slide. So let's go.

So, PowerShell. We never have to actually use external tools anymore on pen tests; all we need are
PowerShell and the command line. Group Policy Preferences: we still find on almost, I don't know, 90% of organizations, we find a clear-text administrative credential through Group Policy password files. If you don't know what those are, basically organizations previously could set up a local administrative user via GPO, and the second you would connect the device to the domain it would go get the GPO and install the new local admin. The problem with that is the password and the username are available to the domain so that, you know, new systems can access it and create that new local admin. The problem is that the credential is using an encryption key that is widely known, so
it's easy to go decrypt it. So, you know, that's one way that we get admin on a network very quickly.

Widespread local admin: so whenever you're not randomizing the passwords across your systems in your environment, it makes it easy for us to go pivot around using the same credential, the local admin. Finding insecure permissions on other systems: so something we find kind of commonly is, like, an administrator will for some reason put the Domain Users group in the local Administrators group on a system, which means everybody in the domain is an admin of that system now. And those are easy to find. Like, you think, oh hey, yeah, it's just one system in ten thousand. No, it's easy
to find those with a PowerShell tool called PowerView. There's a script, Find-LocalAdminAccess, and it will go to every system and say, hey, am I local admin on you? Hey, am I local admin on you? Hey, am I local admin on you? And if you find Domain Users in local admins, hey, I'm local admin on that system now, I can go pivot to it and I can go obtain at least the hash of the local admin user from that system, and if you're using a widespread admin account then I just pivot around using a hash.

Internal password spraying: so we talked about external password spraying a bit ago, but internal password spraying is
money as well. There's not a whole lot of organizations that we've tested that have detected it, you know, we're trying one attempt against every account and a lot of times they're not detecting that stuff. And then, you know, we play the PsExec and Mimikatz combo, hopping around between boxes. So, you know, we get one local admin cred, pivot to that system, run Mimikatz, maybe get another user's credential that we can use to gain access to another system. A lot of times we use a tool called UserHunter, which helps us find where specific users or groups are logged into certain systems on the
network. So, for example, Domain Admins: with UserHunter you can say, hey, every system on the network, do you have a domain admin logged into you? And if I have a local admin credential I just pivot to that system, run Mimikatz, and dump that domain admin's clear-text credential from memory.

So then it becomes, you know, looting, right? Like, I've compromised an organization, got DA. Our favorite thing to do is pivot to the DC and dump the hashes, because it's just fun to crack everybody's password on the domain. My new favorite thing is to find vCenter servers, or any sort of virtualization engine, and show, like, a screenshot of me logged into vCenter
as a domain admin and say, hey, look at all these awesome servers I have access to. And, all right, so the best thing about vCenter is when you get a really good sysadmin, because they organize the crap out of it, right? Like, they've got: here's my SQL servers, here's my Exchange environment, here's all the web servers, here's my DMZ. You know, it's beautiful, right? Because then, as an attacker, I don't have to work that hard to figure out what everything is anymore, it's just handed out to me. The other thing with vCenter too is a lot of people, or a lot of organizations,
think, you know, I've got this awesome PCI environment you can only get to through a jump system on RDP from a certain IP at, like, 5 PM on a Thursday, and you log into vCenter and it's like, oh hey, I can just console right to that, so completely bypassing all the firewall rules that you might think are there.

All right, so now we get to the profitization stage. We've taken over a company, we've got access to vCenter, we've dumped all the creds from a domain. How do we go about turning that into actual hard cash? Right? Like, as an attacker, this is something that I thought a
pretty great deal about, and, yeah, well, let's just go through it. So, turning compromise into gain, here's some things that we could possibly do. We could be carders, right? Like, we could go install point-of-sale malware on all the card systems in the environment and try to do kind of like the Target hack, right? Like, try to just exfiltrate card numbers, scrape them all from memory on the system. We could try to do just identity theft, you know, if we find that we just want to attack hospitals or any organization that has some sort of, you know, PHI or PII, go steal all that, become an identity thief, right? Ransomware, this seems to be the new
hotness, right? Like, everybody's doing ransomware these days and, you know, they're making probably a good bit of money off it, I mean, it's in the news every day now. And then, you know, you could be a hacktivist too, you could just go screw with companies, why not?

So I saw this news article the other day, or I guess it's like last month now, about how Apple employees were being offered like 23 grand just for their credential, just for their credential to log into the Apple network. So to me I'm thinking, like, okay, I could go set up this crazy carder infrastructure and have to have, like, all this, you
know, other technological tooling installed, and I'd have to have probably a command and control server that stays up all the time to have, you know, the hits back from the carder network. But what if I just go sell the creds that I get from hacking a company to the carders themselves? You know, if they're paying upwards of 23 grand, why not just go do that? Why not just let me do what I do every week: compromise an organization, get domain creds. You know, this is just like basic creds, right? Like, they're just offering middle management 23 grand for their creds. But hey, what if I went to these same people and said, hey, I
got a domain admin at this company? You know, you would assume maybe like 50, 100 grand for each one of those.

So here's the tricky part. Yes, I put a Bruce Schneier quote in my talk, I'm sorry, I'm gonna read it to you because I think it fits perfectly: "It's not that we find criminals like this through cyber forensics; we get them in the real world when they do something stupid. It's invariably how it works. Getting credit cards is easy; turning it into cash is hard." So I got to this point and it really is hard. Like, I really thought about it a lot. I mean, obviously the guys that are doing ransomware and
these other attackers that are accepting Bitcoin as payment are figuring out a way to get it out. So Bitcoin is probably the obvious choice, right, to go with initially, but there's two major problems: Bitcoin is not untraceable, and turning a large amount of Bitcoin into cash is really hard. Like, if I take 100 grand of Bitcoin and try to sell that to somebody, that's gonna cause kind of a blip, right? So here's some things to look at for Bitcoin: you can go to blockchain.info and look at all the transactions that have ever happened on the blockchain, so the ledger of all the transactions. And then there's a site called Blockseer
that will let you kind of trace it back a little easier too, kind of visually. So, for example, this one transaction was 3.4 million dollars in Bitcoin; somebody, or, you know, I traced it back to a mixer service, which, you know, that seems like the obvious choice, right? Like, go mix the Bitcoins and hopefully that'll kind of kill the trail. But there's still risk there, you know, eventually it becomes money laundering, and I didn't travel down that road. I didn't want to go down that path of, you know, walking you guys through, hey, this is how I go launder a bunch of money.
So my attack trail kind of stops here. So if you want to do the research, go ahead. Yeah.

So after we get through this whole process: full rip and replace of everything, buy a new laptop, you know, get all new VPS servers, and then start over again next week. Because, to be honest, from the time it took me to set up that virtual private server network that I showed you, that was like three, four hours to set that up, and when we get access to an organization it's less than a day before we get into domain admin in most cases. So this entire operation happens in
a week, and then we're done with it. Scrap all that, go to different hot spots, get out of there, rebuild from scratch.

So let's fade back a little bit, let's come back to the white hat a little bit. Why don't I do this? Well, first and foremost, ethics. I just personally want to be more of a help to the security community, I don't want to be a detriment. I want to create a better world for my kids, really. I don't want to screw over companies, I want to help companies. And then there's the inevitability of getting caught. Like, you always have that thought in the back of your mind, like,
hey, you know, I mean, I guarantee most of you in the room probably picked out a bunch of holes in my entire attack story today. I bet a lot of you were thinking, like, how can I catch this guy? Oh yeah, I would have caught him right there. And so I'm probably missing something anyway, right? So, you know, there's always that inevitability of being caught. And then there's the danger of entering the criminal world, right? Like, in order for me to go sell the Bitcoin I'm gonna have to go meet some drug dealers or something and go try to do some shady deals, and yeah, that is not for me.

But we can make it better. Everybody,
everybody that has any sort of touch on this community, the security community, which most of you raised your hands, we can all do this. So I'm gonna leave you with two things. I'm going to talk about defenders first: we need to shift our focus from attribution to detection and prevention. So I was walking through this talk with one of my buddies who's a security engineer at a company, and he basically pointed out, he said, so, all right, if I had two-factor on my external portals, or if I had more logging to detect you when you're doing password spraying, you would have probably stopped there,
right? Because, you know, like I said, if I can't access the network remotely, if I can't do phishing attacks, if I can't password spray, if I can't just log into an OWA portal remotely, I'd probably stop there, right? I mean, short of having publicly available exploits for certain services, because that's another option, right? Because everybody has that battle, everybody's still on that eight-character default policy, which enables us to password spray very easily.

So, attackers, I'm gonna say this: continue to highlight the importance and value of credentials. Through this entire talk there's three main things from a credential perspective, right? We
attempt to obtain credentials through password spraying, through credential reuse; we then attempt to escalate our privileges to get higher-level credentials; then we try to sell the credentials at the end. So credentials are really worth a lot. A lot of people focus on, you know, like, let me get the latest SIEM solution or let me get some application whitelisting solution, but really your users are still using crappy passwords. That's what we're going to use; we're just going to password spray and find those users and pivot around using their password. So attempt to locate credential reuse, attempt the password spraying stuff that I talked about, which both of these
things I actually wrote up in blog posts that are on the Black Hills blog if you want to go check that out, and then escalate internally and crack all the passwords. So with that, I want to say have a great BSides, thank you so much for having me here. I'll be... thank you.
If you want a free Hack Naked shirt, come to the booth.
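The defender's point above, that logging which catches "one attempt against every account" would have stopped this story early, as an added example that is not the speaker's or Black Hills' code: it flags a source whose logon failures touch many accounts with only a try or two each, and separates that from one user mistyping their own password. The log lines are constructed, in an assumed flattened key=value rendering of Windows logon event fields (4625 failure, 4624 success).

```python
# Added example, not the speaker's code. Log lines are constructed in an assumed
# flattened key=value form of Windows logon events (4625 failure, 4624 success).
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one try each on many accounts from one source (spray), one
# success from that source, and an internal user mistyping her own password three
# times (benign; many failures on one account must not be flagged as a spray).
SAMPLE_LOG = """\
2016-04-01T09:00:01 EventID=4625 TargetUserName=alice IpAddress=203.0.113.7
2016-04-01T09:00:02 EventID=4625 TargetUserName=bob IpAddress=203.0.113.7
2016-04-01T09:00:03 EventID=4625 TargetUserName=carol IpAddress=203.0.113.7
2016-04-01T09:00:04 EventID=4625 TargetUserName=dave IpAddress=203.0.113.7
2016-04-01T09:00:05 EventID=4624 TargetUserName=erin IpAddress=203.0.113.7
2016-04-01T09:00:06 EventID=4625 TargetUserName=frank IpAddress=203.0.113.7
2016-04-01T09:10:00 EventID=4625 TargetUserName=gina IpAddress=10.0.0.5
2016-04-01T09:10:05 EventID=4625 TargetUserName=gina IpAddress=10.0.0.5
2016-04-01T09:10:09 EventID=4625 TargetUserName=gina IpAddress=10.0.0.5
"""
LINE_RE = re.compile(r"^(\S+) EventID=(\d+) TargetUserName=(\S+) IpAddress=(\S+)$")

def parse(log):
    """Return [(timestamp, event_id, account, source_ip)] for each parseable line."""
    rows = [LINE_RE.match(line) for line in log.splitlines()]
    return [(datetime.fromisoformat(m[1]), int(m[2]), m[3], m[4]) for m in rows if m]

def find_sprays(events, window=timedelta(minutes=30), min_accounts=5, max_per_account=2):
    """Map source_ip -> sorted accounts for sources whose failures inside some window
    hit >= min_accounts distinct accounts with no account failing > max_per_account
    times: many accounts, few tries each, the opposite of a single-account brute force."""
    failures = defaultdict(list)
    for ts, eid, user, ip in events:
        if eid == 4625:
            failures[ip].append((ts, user))
    hits = {}
    for ip, items in failures.items():
        items.sort()
        for i, (start, _) in enumerate(items):  # slide the window over each failure
            tries = defaultdict(int)
            for ts, user in items[i:]:
                if ts - start <= window:
                    tries[user] += 1
            if len(tries) >= min_accounts and max(tries.values()) <= max_per_account:
                hits[ip] = sorted(tries)
                break
    return hits

def spray_successes(events, sprays):
    """Accounts that logged on successfully (4624) from a flagged source: the
    guesses that landed, which is what the responder needs to reset first."""
    return {ip: sorted({u for _, e, u, s in events if e == 4624 and s == ip}) for ip in sprays}
```

Thresholds are tuning knobs: a lower min_accounts catches smaller sprays at the cost of noise, and the window should match how slowly you expect the one-try-per-account sweep to run.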