
Shut the [ __ ] up, thank you. Good morning. So yeah, anyone who's not seen me talk before: I definitely swear. That's probably why you're all here, to listen to the Glaswegian dancing monkey do talks on security. Before we get started, I've been told by the scav hunt that I shouldn't put this slide up, but if you're doing the scavenger hunt there's 30 points for getting my signature, so here is my signature. If you take a picture of it and submit it to the scav hunt you might get 30 points, [ __ ] it. Anyway, so this talk came about... oh sorry, someone wants to see that picture.

This talk came about because Glenn came to me when BSides Leeds was being planned and he was like, "Andy, I need a talk." I'm like, "That's great, sounds like your problem." He's like, "No, I want you to talk." I'm like, "Cool, what on?" He's like, "Just pick a title." I'm like, "Okay, cool." So I got one of my good mates to pick a title and here we are. So it's not Jason Bourne, it's just Andy. Fair pre-warning: I go off on tangents quite a lot, so this talk is probably going to be quite tangential (is that the right word?). It happens. I sometimes swear; I'm not trying to purposefully offend you unless you're being a [ __ ], and then I'm definitely trying to offend you. I don't know everything, so if you've got questions at the end and I can't answer them, I'll go and find the answer for you, and if I still can't find the answer then we'll never know. [Someone walks in front of the camera.] So yeah, if you've not seen me present before, you're in for a treat, I hope. Anyway, five slides before the first story, that should take the top off.

So this is Pen Testing: The Jason Bourne Approach, turning regular bugs into weapons. The original plan was I was going to go through low risk issues and then step through and be like, "Oh, this is how it's a high risk issue," and I thought, well, that'd be a great idea if I had known about the description more than a week before the talk, because I asked the BSides organisers, "Folks, what did I submit as a talk title?" They're like, "This." I'm like, "Oh great, cool." So instead we're gonna go through... Jesus Christ, that's Jason Bourne. No, it's just Andy, and we're gonna go through war stories and things.

For those of you who don't already know me, I'm Andy Gill. I am the UK/EU adversary engineering lead at Lares Consulting, so we are a consulting firm based in the States and I run the European team. I've been doing some defensive but mostly offensive work for over a decade. I've written two books, Learning the Ropes 101 and Learning the Ropes 102; they're not about bondage despite what you Google. I'm known as ZephrFish on most platforms, and all of my slides will hopefully be pretty, and all the photos... okay, I'm gonna walk away for a second, but all the photos are going to be after the slides on that blog there, which is my blog that I take photos on. Anyway.
So the original title for this talk was "This One Time on a Pen Test" and I'm gonna go through some war stories. So this war story here is Hiding in Plain Sight. What typically happens... so the plan for this talk was to look at techniques that are harder in a pen test than in a red team than a typical threat actor would have, and generally speaking that's mostly the case. Anyone who does pen testing? Hands up for the red teams? Yep, so a few of you. You'll know that going up against a good blue team is pretty hard, and in this instance what my team and I found was we were masquerading as a legitimate company inside another company. For the purposes of these war stories I'm not going to name clients because obviously that's a bit [ __ ] stupid. Hopefully someone's keeping count of how many times I say [ __ ]. Alex is wonderful.

So yeah, hiding in plain sight. We were essentially stationed inside a company masquerading as another company. So we came inside as a legitimate developer, applied for a job, got a job there, and the objective of the engagement was to access the privileged information and access the sensitive information. So this company who were the target were a large manufacturing company and the objective was to go after plans for their next biggest product. So what we did is we applied for a job, we got a job; I got a job as a developer. I can't write code for [ __ ], but they didn't know that. Past the interviews I got through to the stage where they're like, "Here's a laptop." Realistically speaking, anyone who's done an insider threat: most companies will give you a laptop and be like, "Right, you're gonna masquerade as a malicious employee, your objective is to go after X, Y and Z." Well, actually in this case I was the malicious employee, they'd given me a laptop legitimately and my objective was to go after X, Y and Z.

So what I did was, first couple of days I was getting to grips with HR, I was on my best behaviour, I wasn't calling people [ __ ] no matter how much I wanted to, and I was learning about their internal environment. What I found quite quickly was, being a developer, they give you local admin on machines, which anyone who does pen tests or anyone who's in blue team knows is probably not a good idea, because having admin on a machine gives you more access than you probably should have. So anyway, I had this laptop and I was playing about with it and I found that with local admin I could turn off their EDR product. Now because it was the first week of the job and this engagement was eight weeks long, I wasn't just gonna disable the EDR like, "Right, the game's done, you're [ __ ]." Instead I kind of went through everything that they had on the laptop, and what I found on the laptop was, for some reason, I don't know why they were doing this, they were backing up the SAM, SYSTEM and SECURITY files to the C drive, and because I had local admin I could access it at the C drive. So top tip if you're locking down endpoints: restrict access to the local C drive for normal users, because if you don't and you're shipping off backups of the SAM, SYSTEM and SECURITY files, what I can do as an attacker is take them offline and disable all the security controls in place on the laptop. So what they had was they were blocking USB access, so obviously what I wanted to do was take the SAM, SYSTEM and SECURITY files off. For those who are not aware of those files on Windows, they make up the local database of hashes for users on Windows. So I took those off the machine, put them on a USB stick, took them off to my rig, which was actually to the side, and loaded them into a tool called secretsdump. What secretsdump will do is it will combine the three files and create you essentially a block of NTLM hashes that you can then pass into Hashcat and crack back to plaintext. By doing that what I found was the local admin password was a hilarious password, I think it was like Password1 or Password2, and I was like, "This feels too good to be true."

So anyway, I took the local admin password and passed it to my colleagues who had another machine on the network. So I was acting as the insider threat, I was the legitimate user, and my colleagues had a Linux machine that was implanted on the network. So while this was a red team we were trying to remain under the radar and hide in plain sight. So what I did was I started to browse around their environment and make noise as a disgruntled employee, or more so someone who didn't really know what I was doing (of course I knew what I was doing), but I was focused on going after their SharePoint, things like that. All the while my colleagues in the background were taking those local admin creds and spraying them across the network with CrackMapExec. Now what CrackMapExec does is you can give it credentials or you can give it hashes and you can give it a list of hosts and you can spray across SMB, RDP, MSSQL and LDAP. They were using SMB because it's most common. What CrackMapExec does is it logs into machines using whatever credentials you give it and it will allow you to do different actions. Now the action in question for this particular attack was they were looking to dump the LSA secrets. So for anyone who uses different EDR products, if you try and dump the LSA secrets, most good EDR products (this not being one) will block it and they'll tell you that it's a problem. But if you're not up against a good EDR product, which was the case here, what we found was we were dumping the LSA secrets, which was able to give us additional credentials within the environment. So we found a service account in the environment that had local admin everywhere, while we had the local admin hash; this was the main user that had access to servers. It's worth mentioning at this point the local admin hash that we had...

[Someone walks in.] Sorry, interrupting. I'm sorry, I can take off if you like. Yeah, for YouTube: the police just walked in and ruined my talk. For everyone else, anyway.

So yeah, so we sprayed that through the network with CrackMapExec, we found credentials off of different machines and we got a service account that had local admin. Because we had local admin from the laptop, what we found was that was local admin for the workstations; this client was at least doing one little thing well in that they'd segmented and segregated their admin privileges. So we had local admin on the workstations, but with this service account what we found is it was local admin across the server estate, which obviously anyone who does AD knows is a bad thing. So because we were trying to remain under the radar, what we did was we back-pocketed that service account and then from more spraying we found more sets of credentials, and we found credentials for an account called the domain joiner. What that account was able to do is, by default in Windows any standard user can add up to 10 machines to the domain unless you harden it, and in this scenario what the client had done is they had locked it down so that only this one account could add machines to the domain. So by adding machines to the domain we could essentially act as a malicious actor from a Windows machine doing all sorts of malicious actions without being detected by the security stack. Now bear in mind I still had this laptop from this customer, I could still do things, but it had the full stack on it. So we added a Windows machine to the domain; we actually renamed it so the hostname was matching the laptop that I had, but off by one, so the hostname was like LAPTOP001 and we added LAPTOP002, thinking nobody's gonna notice this. I mean obviously it's a bit more complicated than that, they had like hexadecimal in their hostnames. So we just put it on the network and what happened was we started to perform malicious administrative actions, logging into machines with the service account, dumping the LSASS process, which is where all the credentials are stored, and eventually it got us a set of credentials that were domain admin. Now once you get domain admin in a pen test that's usually it, game over, it's like, "Right, okay, got domain admin, do the DA dance, job's done." But in a red team you're not looking to set off too many alarms. Now granted we had sprayed the network, we were pretty noisy, but we were looking at what we could do from there.

So the way that I see domain admin is that's stage zero. The way that my colleagues describe it is we are like psychopaths and serial killers: once we get domain admin we go after the DIT, so NTDS.dit, which is where all the hashes for the network are stored. If you think about a serial killer, they collect like the pinky toe from their victims; the DITs are what we collect. So we pulled the DIT off the network, cracked it offline, got access to all the credentials and then we went after the actual objectives. So the main objectives that we had were going after sensitive data, privileged access and other things. The first thing we did was we went through Active Directory and we went, "Right, what users are likely to have access to these systems?", went through them, targeted them, popped their machines, got into VDI and then rinse and repeat. Eventually we got to the end of the engagement and we got all these things and we were like, "Right, okay, blue team's not seen anything, I wonder why." Turns out my colleague had popped the head of IT, who was just sitting deleting logs from the dashboard as we were in. So yeah, hiding in plain sight.

I'm conscious we're only a half an hour, so I've got three war stories here, I might not cover them all but we'll see. The
next one is VAs. So vulnerability assessments are not the be-all and end-all, and the original plan for this talk, like I said, was taking low risk issues and calling them high risk issues. What we found here was... Nessus is terrible, a lot of people... so Nessus and/or Tenable have a really bad habit of marking things for compliance as high risk and critical risk, and more often than not things like SSL and TLS, unless you're Scott Helme and have a hard-on for SSL, it's not really a critical risk unless you're going through PCI. I can find some things, but what we found was, in Nessus specifically, there are a lot of informational risks that are raised that people often forget about, and one of those informational risks in this scenario specifically was Cisco Smart Install. Now Cisco Smart Install is a... it's not available.

This wasn't a red team so we weren't bothered about being quiet, and we connected to the switches, downloaded all the configs, got access to other things and added ourselves to the network access control, so we bypassed network access control. So the moral of the story is to look at the informational risks. Now that's a short war story; I've got a little bit more of an interesting war story.

So PCI, yeah, PCI, Payment Card Industry. Technically speaking you're meant to segregate, segment, anyway, your networks are supposed to be separate, and in this case they technically were separate but they weren't, because the networks were never separated. They had essentially an environment whereby I was given access to a Windows machine within their PCI enclave and a Linux machine within the corporate network, and the objective was to see if I could pass traffic between the two. Now at a network level I couldn't, there wasn't any route, but what I found was they were doing access control based off of Active Directory. So talking about AD earlier on, getting domain admin is often stage zero before you even go after the objectives. So in this client environment specifically what I had to do was find a way to get domain admin to add myself to the specific group in Active Directory to access the PCI environment. So what I did was I turned to trusty old ADCS, Active Directory Certificate Services, which is... well, ADCS is used for issuing certificates within a Windows environment, and the vulnerability itself is vulnerable certificate templates. So you can essentially enrol a certificate on behalf of another user or on behalf of another group, and what we found was there was a certificate template that was vulnerable that a standard domain user could enrol on behalf of the domain admin. So essentially using a tool like Certify or Certipy (there's many other tools) you can query the ADCS server and say, "I want this certificate but I want it on behalf of this user," and this user in particular was in the Domain Admins group. So did that, got domain admin, I was like, "Right, great, got something to happen, what do we do next?" Well, typically because we're serial killers we dump the DIT, we go for the things, but because we were looking at specific users what we did was we took an Active Directory Explorer dump of the domain, which is a Sysinternals tool, and going through that we found two or three different users that were marked as secure. They weren't secure, they just had "secure" in the name. So we went after those, we dumped their hashes, we cracked them and we used them to access the other network. Once we were in the network I was like, "Oh, this is PCI, there's a bunch of stuff in here that I probably should have access to," including stuff belonging to three letter agencies because they were doing investigations at the time, and I'm like, "I'm just going to put that over there and not touch it." Client calls me up, they're like, "Oh, did you get into the enclave?" I'm like, "Yeah." "Yeah, we got a phone call from said three letter agency saying someone was in the network." I'm like, "Yeah, that's probably me." Turns out I'd set off one of their honeypots. Moral of the story is if you see a three letter
agency, don't touch the documents, probably not a good thing. So that's segmentation.

The kind of last war story, because we've got like 10 minutes, this is an interesting one. So this is from a while ago. I've been doing pen testing for the last 14 or 15 years, a while anyway, and when I first started I worked for a large computer manufacturer (I don't know if there's anyone here; there's not, thankfully) who had a security team, and as a junior pen tester I was like, "All right, okay, I'm going to do a lot of things, I'm going to do things like web tests, I'm going to do things like infrastructure testing, things like APIs and things like that." One of the things that came up was a large Middle Eastern bank who were like, "We want to do a pen test," and I'm like, "All right, great, yeah, cool." I don't know if anyone's dealt with people in the Middle East; they tend to have a lot of [ __ ] money, like tons of money. What I found was, in the application specifically, there was a bug. What the bug allowed you to do (because there's always bugs in applications), what the bug allowed you to do was transfer money to other people's accounts. Sounds okay, like you have to do the money, it's okay, but what happened in this specific instance was the cutoff for anti-fraud. Now typically anti-fraud in the UK is about 10 grand or something, in America I think it's like maybe 20 grand, in the Middle East it's in the multiple figures of money, or in this client specifically... so what I found was the transfer: I could say I want to send myself five pounds. All right, cool, there you go. Right, we'll just step it up a notch, let's call it ten pounds. Now the checks won't do anything, so I could just put an account number in, transfer the money across and have the money. We stepped it up a little bit more and I was like, "Right, okay, what about like a thousand pounds, because that should set something off." Nope, nothing. Ten thousand pounds, nothing. I was like, "Right, okay." I called the client, I was like, "Just double checking, what are your fraud cutoffs?" They went, "Oh, it's like a million, a million pounds before it's like a problem." I was like, "All right, okay, cool, but your testing account won't let me transfer more than 999,999 because that's a cap." I was like, "Okay." So Monzo have got this great feature where you can spin up a virtual card and it will give you a new bank account that will be temporary. So what I did was I spun up a temporary bank account and I asked the question, "Well, my test account's not gonna let me do this, can I try this with like a legitimate account?" They went, "Oh yeah, our fraud detection system will definitely catch that, it'll be no problem." Like, all right, game on, folks, game on. So I chucked my card details in and I went through the normal thing, so I'm like, "I wonder if this is a test system," for like a penny, and I was like, "Okay, that works." Sent myself five pounds and that works, okay, cool. I got a phone call from Monzo like, "Are you doing something dodgy? Because like you've had a Middle Eastern transfer for like a couple of quid," and I'm like, "No." "All right, okay, cool, no problem, nothing at all, it's absolutely fine." So anyway, going through the transfer, I transferred myself a million pounds and that worked, no problem. Like, cool. I'm like, "Client, did you see this?" "Nope." Getting better. I'm like, "Right, okay, [ __ ] it, let's transfer a billion, what's the worst that could happen?" So I transfer a billion pounds to my account and I get a phone call again from Monzo like, "Are you sure you're not doing malicious stuff?" I'm like, "Well, it's not malicious if I've got permission, right?" "No, it's still malicious." I'm like, "Here's the client." So anyway, Monzo tries to chat, support like, "Oh no, we're doing testing." "Can you not use your own accounts, or your test accounts?" "Our test accounts only support up to the 999..." Again they're like, "All right, okay." So anyway, my Monzo's now got a billion pounds pending and I'm like, "Is that just pending or is that gonna go through?" They went and checked the test account. The test account had minus two-one..., basically the number that's like infinite. I was like, "How much money was in the test account when you started transferring?" They're like, "Oh, zero." "So I have created money out of nowhere?" They're like, "Yeah." Nice. So I thought, [ __ ] it, we'll go one step further: what's the largest number that I can fit into this box before it becomes a problem? So I put the largest number in and the test account still got zero in it, and my bank account had more money than there is on the planet. I was the richest man on Earth for at least 30 seconds, it was wonderful, and then it all went tits up when HMRC came around to ask questions the next year, because my accountant was like, "You used your business bank account?" I was like, "Yeah." "Like, you realise that shows up on your statement?" I'm like, "That's correct." "They're going to think you've got more money than the world has." "They might, [ __ ], I didn't think of that." So yeah, that was a fun story.

Anyway, the client came back to us and said, "Well, actually this is an interesting bug, can you try transferring between like legitimate accounts?" I was like, "Yeah, I can give that a go, why not?" I mean, I'm only taking numbers in the box, passing them across. So anyway, we took, I'm not sure if the client had permission, but we took one of their wealthy clients' bank accounts and emptied it in 30 seconds, and their fraud department rang us up and went, "What the [ __ ] are you doing?" "Well, we thought this wouldn't work and clearly it works." What we found in the back end was they had a statement that was like "fraud detection" which was commented out, so nobody was actually checking that [ __ ], you could transfer anything. Even worse, their actual banking system had no validation of whether you had the money in your account or not. So you could just basically be like, "Hey, Richie, well, I've actually got like 1500 pounds." "All right, cool, yeah, here you go, here's the Faster Payment." Or, "I've got like a billion pounds." "Yep, you can have it, no problem." And the fix for that was, "We're going to rewrite our banking system because this is a [ __ ] [ __ ] show." So yeah, that was a good laugh.

So I've actually rattled through these, but I've got five minutes left for questions. Before questions: that's not Jason Bourne, neither am I. If you'd like to follow me on Twitter, that's my Twitter handle; if you want to see my blogs and [ __ ], all there. As I say, I work for Lares; these stories aren't Lares', they're from previous companies, but if you fancy reading all the cool stuff that we put out you can check out the blog there. Has anyone got any questions?

I'm not going to name... quite names... before, that's the question. Yes. [Laughter] Maybe. It's not gonna be my turn; I'm going to see a lot of someone else and give it to you as well. Yeah, I'll give you your own tenner back. Yes, the... ah, after that engagement they took the bank offline for a week and rewrote the entire thing, and I might... it's quite ambitious, boys, but I had left the company at that point. I assume they fixed the bug but, hello, I'm not gonna name the bank because I don't want to go to jail or ever...
Um, yeah.

So one of the things that Lares specialises in is red teams and long-term red teams, so we have quite a lot of large clients who specifically want us to do one scenario or multiple scenarios and it will span over six weeks or eight weeks, or in some cases we've got a client that has a year-long red team with us every year, so they will give us four different scenarios quarterly and those are what we have to go after. There may be a case of, well, you need to break in this quarter, you need to go after this specific stuff, but one of the core objectives is to remain persistent in the network, so if you get caught you need to kind of get your foothold back. Okay, yep.

Oh, so yes, my name was Johnny Sins and the company... no, Bobby Tables... well, Johnny Sins, much better, he's a penetration tester for [ __ ] sake [Music] and he's a pretty good multi-job individual. Google Johnny Sins if you don't know who he is, with safe search turned off. Any other questions? Yeah.

Yep, so the client wanted us to go after a specific team, so they had a job role that was open, we'd apply for this job role and we would kind of pull the strings internally. So I went through two interviews with legitimate people who thought I was there for the job and then the final interview was with someone else. Finals... I'd actually flunked them because I can't write code for [ __ ], but they were like, "Yeah, this is cool." So yeah, they put me through the process, they onboarded me as an employee, and because it was like a short stint they fast-tracked the application. So typically I think the background checks would be between three and six months and they were like, "This guy's worked for us previously"; they'd built up a fake profile and things that went... [inaudible]. Yep.

...like arbitrary sums across, that's when it became a problem, and it was like the second last day, they were like, "[ __ ] it, we'll just try like a trillion or whatever." We did it, it worked, I was like, "Oh no." Anyone else? Yep.

I don't know, I don't know if the application was outsourced or not.

I've found that before. So in a lot of pen tests what you find specifically with applications or infrastructure deployment, if you've got a systems integrator that builds your systems, they'll build the same vulnerabilities all the time. We had a client actually a couple of years ago, I think it was, or maybe a few more than that, whereby the head of security had a [ __ ] password and they moved to the next company and didn't change the password. So we compromised the head of security at one company, who happened to be a client; the next company also happened to be a client, so we compromised them, got access to both accounts, and they lost their job the next day. I hope they learned to change their password. Got questions?

Yep, the customer didn't find out because they had more money than I've ever seen in the bank account and they probably don't check their bank very frequently; they're probably just like, "I've got money," until they rock up to the cash machine and go, "Oh, I don't have money." Anyone else? When's the audiobook? What audiobook? Whenever you want to do it, because true, at some point we'll find out. So before... oh [ __ ], I [ __ ] it up. Basically if you want the scav hunt, take a picture of that now. If you haven't, this guy's running the scav hunt.

[Laughter] [Applause] Thank you.
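The bank transfer war story in the talk describes three separate defects: the fraud check commented out, no check that the source account can cover the transfer, and a balance that ended up at a huge negative number once an enormous amount went through. The Python below is an added example, not the bank's code or anything from the talk: it models those defects in a toy ledger next to a hardened transfer function. The signed 32-bit balance column, the per-transaction cap and the review threshold are assumptions.

```python
"""Toy ledger modelling the transfer bug from the talk, beside a hardened version.

Constructed example: balances are whole pounds in a dict, not a real banking system.
"""


class InsufficientFunds(Exception):
    pass


# Assumption: the ledger balance column is a signed 32-bit integer, which is what
# "minus two one..." (-2147483648) in the story points at.
INT32_MIN = -2**31
INT32_MAX = 2**31 - 1


def store_int32(value: int) -> int:
    """Model writing `value` into a signed 32-bit column: it wraps instead of failing."""
    return (value - INT32_MIN) % 2**32 + INT32_MIN


class VulnerableLedger:
    """Transfer logic as described in the talk: fraud check commented out, no balance
    check, and the amount written straight into the fixed-width balance column."""

    def __init__(self, balances: dict) -> None:
        self.balances = dict(balances)

    def transfer(self, src: str, dst: str, amount: int) -> str:
        # fraud_check(src, amount)   # the line the bank had commented out
        self.balances[src] = store_int32(self.balances[src] - amount)  # no funds check
        self.balances[dst] += amount  # receiving side credits whatever the message says
        return "ok"


class HardenedLedger:
    """Same operation with the checks the bank was missing."""

    # Assumed policy values: a per-transaction cap well inside the field width and the
    # "million pounds" review threshold the client quoted in the story.
    MAX_TRANSFER = 10_000_000
    FRAUD_REVIEW_THRESHOLD = 1_000_000

    def __init__(self, balances: dict) -> None:
        self.balances = dict(balances)
        self.held = []  # transfers parked for manual fraud review

    def fraud_check(self, src: str, amount: int) -> bool:
        """True when the transfer must be reviewed. Kept live, never commented out."""
        return amount >= self.FRAUD_REVIEW_THRESHOLD

    def transfer(self, src: str, dst: str, amount: int) -> str:
        # Reject anything that is not a positive integer amount within policy.
        if type(amount) is not int:
            raise TypeError("amount must be an integer number of pounds")
        if amount <= 0:
            raise ValueError("amount must be positive")
        if amount > self.MAX_TRANSFER:
            raise ValueError("amount exceeds per-transaction cap")
        if src == dst or src not in self.balances or dst not in self.balances:
            raise ValueError("unknown or identical accounts")
        # The check the bank did not have: can the source actually cover it?
        if self.balances[src] < amount:
            raise InsufficientFunds(f"{src} holds {self.balances[src]}, needs {amount}")
        if self.fraud_check(src, amount):
            self.held.append((src, dst, amount))
            return "held"
        new_src = self.balances[src] - amount
        new_dst = self.balances[dst] + amount
        # Belt and braces: never let a value reach the column that cannot be stored in it.
        if not (INT32_MIN <= new_src <= INT32_MAX and INT32_MIN <= new_dst <= INT32_MAX):
            raise OverflowError("ledger field would overflow")
        self.balances[src], self.balances[dst] = new_src, new_dst
        return "ok"


def replay_story() -> dict:
    """Replay the 'largest number in the box' step against both ledgers."""
    vuln = VulnerableLedger({"test": 0, "monzo": 0})
    vuln.transfer("test", "monzo", 2**31)  # test account reads -2147483648 afterwards
    hard = HardenedLedger({"test": 0, "monzo": 0})
    try:
        hard.transfer("test", "monzo", 5)  # even a fiver fails: the account is empty
        blocked = False
    except InsufficientFunds:
        blocked = True
    return {"vulnerable": vuln.balances, "hardened": hard.balances, "fiver_blocked": blocked}
```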