
Wrangle Your Defense Using Offensive Tactics

BSides CT · 2019 · 25:01 · 26 views · Published 2019-11
Category: Technical
Team: Blue
Style: Talk

About this talk
Thanks to the BSides CT organizers, volunteers, sponsors, and attendees. Thank you Irongeek for coming out to film, and his video crew volunteers Greg Jurman, Spencer Smalley, Steven Swabby and Daniel Robels. http://www.irongeek.com/ https://www.bsidesct.org/

The key to a good defense is understanding the offense. Grab your lasso and hop in the saddle, because this talk will cover attack techniques that are regularly used to compromise networks and how they can be leveraged by the blue team to build a stronger defense. Forget vulnerability scanners: in this talk we cover issues they rarely catch, which include discovering unknown weaknesses externally and internally, weak passwords, in-memory credential theft and privilege abuse. Learn how to discover, exploit and defend against those weaknesses using a number of free and/or open-source tools, as well as defense tips and the IOCs needed to tune your SIEM. Lastly, the MITRE ATT&CK framework will be introduced, so that you can utilize the same tactics on the entire gamut of known attack vectors.

Matt is the lead security analyst in charge of offensive security at Schneider Downs. Over his career, Matt has worked in computer and mobile device forensics, information security consulting, penetration testing, e-discovery, Windows system administration and Linux system administration. In addition to focusing on the technical areas of security, Matt enjoys working directly with clients to help them improve their security programs and policies. The ever-changing nature of IT and information security is what drew Matt to his career and he strives to be a continuous learner. He is driven to help clients, and the world at large, be more secure.

Transcript [en]

Hey, thank you everybody, how are you doing today? Well, I guess to start off, how many people in here do we have on, like, the blue team, defenders? A couple handfuls. Any penetration testers or red teamers? Okay, a couple there. Any students? Okay, cool. All right, anybody that's in audit or any other management, things like that? So a pretty good variety, a lot of blue teamers. So this talk will first start out with who am I. I'm a hacker, Matt, a penetration tester. I run an offensive consulting team. I build hackers, so I take interns and regular IT people and I turn them evil and steal them from my IT department. And I love open source software. All right, so

I want to set some expectations for this talk. I gave it to my wife last night, and she does a lot of presentations, and she was like, wow, that's terrible. And I'm like, it's like love o'clock. And so this morning I made some tweaks to it and hopefully it will be a little bit better. I'm trying to fit a lot of information in, but, well, I'll do the best I can. All right, so what I'm going to talk about, it's mostly from looking at a couple of offensive tactics, how to think offensively to secure your network. And so the talk had a lot more details, but it's got to be a little bit higher level because of the tight time constraints.

Any offensive techniques that I'll be sharing during this presentation, you need permission to perform first. If you don't have permission, you could be committing a crime, so don't be, you know, cracking your Active Directory database passwords to see if you have shitty passwords or things like that without permission. And I'll talk about network discovery, which I think is something that's sometimes overlooked with, like, vulnerability management programs. We'll talk about attacking and defending common password issues, and stealing credentials from memory, and also analyzing Active Directory environments. And then we'll finish up with talking about using the MITRE ATT&CK framework to think offensively and tune your defense, or if you're an attacker, to tune how you're performing your engagements.

All right, so when I'm first enumerating a network, some of the things that I look for are items that don't belong on the internet. So if I'm doing an external penetration test, I want to look for, you know, Citrix management interfaces that are accidentally exposed to the internet and have default credentials. And this is something that I see with a lot of vulnerability management programs, is that things like that will be missed because they won't hit on a vulnerability scanner. But if you are doing, like, an nmap scan and evaluating the things on your external network outside of the vulnerabilities, that's something that you could pick up. Default or non-existent passwords: I go in a lot of environments like colleges, like this, and I can log in to half the security cameras with the password admin admin from the guest wireless network sometimes. That's kind of scary, you know. Other things with the enumeration: you can look for things that are in incorrect network segments. So oftentimes I think it's hard to understand what is on our networks unless we're auditing them, and so we might find IoT devices or thermostats plugged into the corporate network, and maybe they should be on a different VLAN that's isolated. Anything that looks really old, that always interests me. So oftentimes I'll find things and I'll go to the IT team and be like, what's this? And they're like, oh, that should have been taken off the network three years ago. And that has the potential to have, you know, some vulnerabilities or something I can take advantage of.

There are a couple simple ways to find things, using tools like nmap and EyeWitness. How many people here are familiar with nmap? Almost everybody, great, so I won't go into too many details with that. But it's a port scanner, so you can use it to see what systems and services are running on different network segments. You can also do a little bit of vulnerability scanning and a lot of other things. Here's an example of, you know, nmap being run. We've got some open ports. You know, there's a lot of documentation on nmap if you want to utilize it on larger networks more quickly or to fit your use case, and that can be found at the nmap website. There's a bunch of blogs, I'm sure you guys are familiar with those.

One thing I do to take my nmap data to the next level: I'm a pretty visual person, so oftentimes I'll be looking at a network and I want to understand what's on the network quickly. And if I have, like, a thousand or a hundred or three hundred web ports hit, I might want to see very quickly what all those systems are. So I'll run a tool like EyeWitness, which will go out and load web pages and screenshot them, and so I can see very quickly, okay, where the VPN portals are at, is there, like, an Outlook Web Access page, pretty quickly, by generating a report with EyeWitness. It generates an HTML report like the one in this example. On the right it has a screenshot of the web page; on the left side it has some web request info. And if it's a device that's in its database of default passwords, it might tell you, hey, this is a Tomcat server, typically the password for that's tomcat, and you could try that. You can also have the tool guess the passwords if you want to. Again, you need permission to do that; if you do that against systems you don't own and you log in, that could be a problem.

So how to utilize what you find from your enumeration: be looking for gaps. Are there systems that don't belong in places? If there are, why are they there? Get them off of there. If there's old systems, get rid of them, isolate them, update them. If there's default logins, figure out who owns or is responsible for those systems and make them change them, so that the printer can't be used as, you know, a beacon point into your network.

All right, now I'll talk a little bit about weak passwords. So when I'm talking about weak passwords, it's anything that's default, easily guessed or easily cracked. This is one of my favorite types of things to attack because it's pretty easy, and I'm pretty lazy. Default passwords, we talked about those, admin admin and things like that. Easy-to-guess passwords, so these are passwords like season and year, company name and a one. So if I get a list of users for your organization, one of the first things I'm going to do is find your VPN or your Outlook Web Access or your Office 365 and try, you know, right now, Fall2019 against everybody's account and see if that hits, if anybody has that password. Password reuse: so if I land on a system and the user has local administrator access and I can have full control of that system, I might dump the local passwords or hashes on that system. If they're reused across the whole network or across several accounts, that allows me to move laterally very quickly through the network, so that's something to watch out for.

And so why should we care about weak passwords? I'm in a lot of environments where the IT passwords are actually really good, but the user passwords aren't necessarily good, and typically the IT stance is, well, who cares about the basic users? And the reason that we need to care about them is because it only takes one weak link for me to get into a network, only one account that doesn't have two-factor authentication enabled. I get into an email or a VPN and I'm on the network, and it typically isn't very difficult for myself or for an attacker, once you're initially in the network, to move up the ladder and gain full access to the network.

And so one way, I talked a little bit about how I like to guess common passwords, is using a technique called password guessing or password spraying. That's like password brute forcing but done at a rate below a lockout threshold, so I'm not locking everybody out of an organization. It also is a little less likely to be detected if I'm not locking a lot of accounts out. And standard password complexity requirements don't block easy-to-guess passwords by themselves, so it's still a very effective technique. Some of the tools that you can use to do password guessing or password spraying: Burp Suite is a web application testing tool that has capabilities to do password spraying. One of my co-workers wrote the tool Spraycharles, which is a command-line Linux utility to do password spraying, and it has modules for things like Outlook Web Access and Office 365, and it's set up so you can put in the lockout thresholds and it'll stay below those. You can also route the traffic through a proxy if you want to be more stealthy. DomainPasswordSpray is a PowerShell-based password spraying tool that you can use on an internal, or potentially an external, Windows network.

All right, and so what do I do with passwords when I get them, or an attacker gets them? We log into things, right? So I'll get an email, okay, I get into the VPN. Does anything not have two-factor on it? If it has two-factor on it, has the person not enrolled yet, so I can enroll myself? My new favorite, well, it's not my new favorite, but something I've been having a lot of success with lately, is I get one basic account, I log in to the helpdesk ticketing system and I create a ticket. I say, hey, oh man, this Excel file, I'm having trouble loading all the data in it, can you please help me? And I submit the ticket as a regular user. I delete, you know, the helpdesk response from their email, and then the helpdesk looks at it and I launch the malware on their system, and now I have helpdesk access from a basic user account.

Another thing I'll do is use tools to see what I can do with my passwords. So once I have credentials, I want to utilize them across the network. CrackMapExec is a Linux tool that's very easy to take passwords or hashes and try to use them to connect to systems. You can use SQL queries, you can run commands on systems, you can steal passwords with Mimikatz, all kinds of things. One example of how I might use it is, okay, I've gotten a local administrator password, is that valid on another system? And so here you're going to see an example. I'm using the username administrator and the password, I point it at the system, it came back as green, that means the password is valid. If it's got the yellow "Pwn3d!", it means I have local administrator access on that computer and potentially control that system to steal more passwords from, launch other attacks from it, whatever. It'll also tell you if the account password is valid but the account's just disabled, or if the password is invalid. And that's just like one example there; you can do that manually or there's many other tools.

Defending against weak passwords. So we talked a little bit about weak passwords; there are a lot of ways, it's not very difficult, to defend against weak passwords. What I recommend doing first is evaluating the passwords that you have: where do you stand? One tool to do that is called DSInternals. It's a PowerShell module, and what it does is it takes a copy of your Active Directory database, the passwords in it, and you can do some password cracking against it if you want to. You can feed it, like, a password dictionary and see, you know, if it has anybody using weak passwords. You don't have to do that if you don't have authorization to crack people's passwords. You can actually run it, and it'll show you how many people have the same password, and that can be a good indication of whether users are using weak passwords, because if you have a group of 10 or 20 user accounts whose passwords are the same, they're probably using something like Fall2019. You can also see whether your IT people, your admins that have their normal account and their admin account, are using the same password for both of those. I've been in situations where we got access to a normal account and we saw that this username was similar to an admin account, we tried the password on the admin account, it was the same, and then we had, you know, a lot more access to the network.

The best way, though, to deal with bad passwords is actually to block them, just to prevent them, and you can use password filtering tools. CredDefense is an open-source one; you can do it manually with Windows [inaudible], and there's nFront or paid products. I don't think they're very expensive, from what people I've talked to who have used them before said. But basically you give it a list of passwords that meet complexity requirements but that you don't want to allow, like, you know, the sports team in the area and your season and year. You could even give it a list of the top 10,000 bad passwords, things like that. They're very configurable, and that'll actually prevent people from selecting bad passwords. The networks that use these, I have some banks that use these, it's impossible to guess passwords there, and it's very difficult to crack passwords if you have pretty strict rules in place.

So to deal with local admin password reuse, the best way to deal with that is to have a solution that manages the passwords for you and randomizes them. Microsoft LAPS is a solution that does that. Probably if you're on the defense you're familiar with that; some smaller shops sometimes I find aren't familiar with tools like that, but it's a free solution that will manage local administrator passwords and deploy it on to each system.

All right, so detecting bad password activity. A couple things to look for; there's more things you can look for. Windows event ID 4625, login failure: if you see a lot of those, or more than normal, it might mean that somebody is running password guessing against you, and the number, you know, the threshold, will vary upon your organization. Now if you're authenticating through some other methods, it won't trigger that event ID, it'll trigger event ID 4771. So if you're doing password guesses against the LDAP service, it'll trigger that different event ID. So if you're only looking at 4625, you might be missing password guessing attempts. You may also want to watch successes. A lot of places I work with are able to detect password guessing, particularly if it's coming from one IP address, but they often cannot tell me which accounts I compromised, and that's pretty important, you know. It's okay, so maybe you've blocked the attacker, but have they compromised any accounts? And that goes to having all the logs you need. So other times I'll find the alert won't trigger because maybe the VPN or another external service isn't feeding into the same SIEM, or the logs aren't there, and so it's not triggering an alert.

Another way to detect bad password activity on your network is to have honey accounts that are never used. So creating, like, a disabled account, yeah, creating an account and disabling it. That way if somebody dumps your user database and there's all your usernames and they're guessing passwords against all of them, you would get a failed attempt on that account, which should never be logged into. I've been caught that way before in a penetration test, which I thought was pretty cool. I like to get caught, I mean, it means it's good for my clients and they're improving.

So once we have credentials or have some kind of access to a network, we want to go deeper, and one way to do that is by stealing credentials from memory. So a lot of systems will hold passwords or other authentication mechanisms in memory, and we can steal those to further access on the network. So Mimikatz is, like, one of the most popular tools to do that. Here's an example of running Mimikatz on a Windows 7 system, and by default you can get clear text credentials from that. You can see the highlighted red there, that's the password, and then the hashes are above that. By default in Windows 10 that's disabled; it can be re-enabled, so you want to watch that. But in this case we just get the hash. We can still use the hash, or we can try to crack it or try to pass it, but we don't have the clear text password, which can limit what all we can do with it.

And you can actually defend against Mimikatz; it's not overly complicated. It uses SeDebugPrivilege to do a lot of the things that it does, so if you disable that via group policy and don't allow anybody to access that, then a lot of Mimikatz features will not work. You can also disable WDigest, which you should do, particularly on Windows 7 systems, hopefully you don't have any of those left. That will also prevent getting some of those clear text credentials. Credential Guard is also a Windows feature that provides more protections to the LSASS process, which is in memory and where we often steal the passwords from, or authentication mechanisms. There can be some issues with single sign-on when using that, but it's something that you could use. I've seen people use that on, like, jump boxes and things like that, high risk systems. EDR solutions are also pretty good at protecting the LSASS process, so they'll watch that and if anything unusual tries to access it, they'll prevent that. You can also detect Mimikatz if you have a SIEM or a tool monitoring event logs. If you look at event ID 4688, you want to look for things like mimikatz.exe, sekurlsa. Even if somebody changes the executable, a lot of times they won't change the commands within it, so you can still pick it up by the commands being run on the system. You can look for the same indicators with event ID 1, and Mimikatz also has YARA rules included with it on GitHub.

So once we have credentials, we need to know what we can do with them. How many people have used BloodHound here? Not too many. So BloodHound is an Active Directory enumeration tool. It has support for Windows and Linux. You can run the data ingestor as any domain user, so I can pull a lot of information out of Active Directory as any domain user, and it helps an attacker and a defender look for possible privilege escalation paths. So if I compromise an account and I have the BloodHound output, I can pull up the nice interface here and say, okay, I have Jim's account, is there a path for me to get to domain admin from here? It'll tell you, yes, okay, Jim can log into system two, which has a domain admin logged in, he probably has [inaudible], or he has local admin rights there, can log into that system and steal that domain admin's password, and then you're a domain admin.

So this can help you from a defensive side look at: are there people that have overly permissive access in terms of local administrator rights? Is it very easy to get to your domain admins and privileged accounts? You can't actually prevent BloodHound from running, and to defend against, you know, privilege abuse, the best thing to do with that is to use least privilege if you can. So giving users the least amount of privilege they need to do their job, that makes it a lot harder, if you get an account, to utilize it to move throughout the network. You can use BloodHound to find the weak links and then break them. And you can actually detect BloodHound being run by creating honey tokens, and there's a link here. I'll provide the slides on Twitter later if you want to go through and have the links. You can also use ADSecurity.org's tips for breaking BloodHound, which will allow it to run for your defensive team but not for just anybody on the network, which would prevent attackers from using a tool like that. PingCastle is also worth mentioning. It's an AD audit tool that has some kind of similar features to BloodHound. It's a paid tool, but there's a free version. It will look for, do you have, you know, passwords stored in group policy, things like that.

All right, now we've looked at really just a small number of attack techniques, and some of those aren't really what I consider attack techniques, just like enumeration. But one of the things that I find when I'm doing security assessments is that people have defensive tool sets in place, and they won't necessarily always test them to see how well they work. And then when I come in or my team comes in, we test them and it doesn't work how they think it works, or it doesn't work at all. And so I highly recommend, if you're not using it, using the MITRE ATT&CK framework as an attacker or as a defender to measure your defense. And so, how many people are familiar with the MITRE ATT&CK framework? Okay, great, a lot of people. If you're not familiar with it, it's this matrix of attack categories. So you have initial access, all different ways you could get that: phishing, supply chain. Execution, all different methods of executing code on a system, and so on. And so how you want to use MITRE ATT&CK to strengthen your defense or your offense is, from a defensive perspective, looking at what are the common attacks in your industry, or just the common attacks overall, and seeing how you fare against those. Can you detect that? Can you prevent it? If you can't, why not? And fix that. This is one thing that, why I do purple team assessments, so we utilize it heavily. So I'll go in with one of my defensive team members and maybe I'll run the attacks. We'll have a look at MITRE ATT&CK, work with the organization and say, okay, these are the areas you're concerned about, let's start with these. We'll pick a handful of categories, a handful of techniques, and we'll run the attack. Okay, is the log in place to detect that? Okay, it is, great. Is that feeding into the SIEM? Are you alerting on it? Okay, good, you are. Is it being prevented? And then we'll look at, okay, here's the prevention control for that, to prevent that from being successful also.

All right, I managed to get through all those slides pretty quickly. I was worried about having enough time. Thank you very much for listening. I hope I didn't bore you too much. If you have any questions for me, I'd be happy to talk about anything after the talk. I'll be around, or reach out to me on Twitter, or my email's there.

[inaudible] Okay, take a couple questions. Yeah. Any other questions? Hey, great, thank you very much.
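The detection points from the talk (4625/4771 failures spread across many accounts below the lockout threshold, successes from the same source so you can say which accounts fell, a never-used honey account, and 4688 or Sysmon event ID 1 command lines carrying Mimikatz module names), worked into one set of SIEM-style checks. This is an added example, not code from the talk or the speaker; the event records are constructed samples with a minimal field set, and the account names, hosts, IPs and thresholds are assumptions.

```python
"""SIEM-style checks over constructed Windows event records (example, not from the talk)."""
from collections import defaultdict

# Constructed sample events; a real SIEM would forward many more fields.
SAMPLE_EVENTS = [
    {"id": 4625, "src": "203.0.113.7", "user": "alice"},      # logon failure (NTLM/SMB/RDP style)
    {"id": 4625, "src": "203.0.113.7", "user": "bob"},
    {"id": 4771, "src": "203.0.113.7", "user": "carol"},      # Kerberos pre-auth failure
    {"id": 4625, "src": "203.0.113.7", "user": "dave"},
    {"id": 4624, "src": "203.0.113.7", "user": "erin"},       # success from the spraying source
    {"id": 4625, "src": "203.0.113.7", "user": "svc-honey"},  # honey account touched
    {"id": 4625, "src": "10.0.0.5", "user": "alice"},         # one user, repeated: a typo, not a spray
    {"id": 4625, "src": "10.0.0.5", "user": "alice"},
    {"id": 4625, "src": "10.0.0.5", "user": "alice"},
    {"id": 4688, "host": "WS01", "cmdline": "C:\\Temp\\svchost.exe privilege::debug sekurlsa::logonpasswords"},
    {"id": 1, "host": "WS02", "cmdline": "notepad.exe C:\\notes.txt"},  # Sysmon process create, benign
]

HONEY_ACCOUNTS = {"svc-honey"}   # assumed: disabled accounts nobody should ever log into
SPRAY_MIN_ACCOUNTS = 4           # assumed: distinct accounts per source; tune per organization
LOCKOUT_THRESHOLD = 5            # assumed: the domain lockout policy a sprayer stays under
MIMIKATZ_MARKERS = ("mimikatz", "sekurlsa", "privilege::debug", "lsadump")


def detect_password_spray(events, min_accounts=SPRAY_MIN_ACCOUNTS, lockout=LOCKOUT_THRESHOLD):
    """One source touching many accounts with few failures each; counts 4625 and 4771 together."""
    per_src = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["id"] in (4625, 4771):
            per_src[e["src"]][e["user"]] += 1
    findings = []
    for src, users in per_src.items():
        if len(users) >= min_accounts and max(users.values()) < lockout:
            findings.append({"src": src, "accounts": sorted(users)})
    return findings


def compromised_accounts(events, spray_findings):
    """Successful logons (4624) from a spraying source: the accounts that actually fell."""
    spray_srcs = {f["src"] for f in spray_findings}
    return sorted({e["user"] for e in events if e["id"] == 4624 and e.get("src") in spray_srcs})


def detect_honey_account_use(events, honey=HONEY_ACCOUNTS):
    """Any logon attempt at all against a honey account is a signal, success or failure."""
    return [(e["src"], e["user"]) for e in events
            if e["id"] in (4624, 4625, 4771) and e.get("user") in honey]


def detect_credential_theft_cmdline(events, markers=MIMIKATZ_MARKERS):
    """4688 (with command-line auditing on) and Sysmon event ID 1: match module names, not the exe name."""
    hits = []
    for e in events:
        if e["id"] in (4688, 1):
            cmd = e.get("cmdline", "")
            if any(m in cmd.lower() for m in markers):
                hits.append((e["host"], cmd))
    return hits


if __name__ == "__main__":
    spray = detect_password_spray(SAMPLE_EVENTS)
    print("spray sources:", spray)
    print("accounts compromised by spray:", compromised_accounts(SAMPLE_EVENTS, spray))
    print("honey account activity:", detect_honey_account_use(SAMPLE_EVENTS))
    print("credential theft command lines:", detect_credential_theft_cmdline(SAMPLE_EVENTS))
```

The renamed-executable case in the sample (`svchost.exe` carrying `sekurlsa::logonpasswords`) is why the match runs on the arguments rather than the image name.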