
Breaking Down Walls With Windows

BSides SATX · 2020 · 21:54 · 58 views · Published 2020-08 · Watch on YouTube

Speakers: Alexander Klepal

Tags: Category: Technical · Team: Red · Style: Talk

About this talk
Title: Breaking Down Walls With Windows
Presenter: Alexander Klepal
Track: In The Beginning
Time: 11:00
BSides San Antonio 2020, July 11th, San Antonio, Texas

Abstract: Kali Linux, BlackArch, ParrotOS... Microsoft Windows? Taking penetration testing and red teaming to places they tend to shy away from, while utilizing free open source software to build a powerful offensive Windows box. Anything you can do in Kali, you can do in Windows... even installing Kali!

Speaker Bio: Alexander Klepal is a researcher and Cybersecurity Expert with Booz Allen Hamilton. A nationally ranked "Penetration Tester" (2nd in CIAS Cyber Panoply Fall 2016), regionally ranked CCDC competitor (2nd at SWCCDC Spring 2017), and most recently SANS GIAC GPEN certified penetration tester, Alexander continues to tinker and teach every day. "It's my mission in life to take the technology we all use every day and make it safer and more accessible to everyone, even if I have to pop a few boxes to do it!"
Transcript [en]

... one, and in order to do that, right, like from even a defensive or an offensive standpoint, you have to know the other side of the same coin. And that's why, after my graduation from the University of Texas at San Antonio, where I was on the Collegiate Cyber Defense Competition team as the team's token Windows guy, and then thrust into leadership after I did all of the blue teaming stuff and the defensive stuff in college, I took a personal interest in the offensive side of cybersecurity and got my SANS GIAC GPEN certification for general penetration testing. So you're probably here wondering, well, what is this guy going to talk about? Well, that's why I've got a slide for it.

I'm going to talk about what penetration testing is and why we need it, give you a brief overview of some of the tool sets, and why you would ever choose to use Microsoft Windows as your penetration testing platform. Penetration testing, pen test, red team, ethical hacking: for the purposes of this talk it's all going to be the same thing, to talk about an authorized simulated cyber attack on computer systems and networks that is designed to assess the security posture of a firm, or, if you're doing it on, you know, your own personal network, yourself. You do this in order to understand the weaknesses that exist within your network, how they could be leveraged by a threat

actor or any other unauthorized party, the sorts of things they would be able to see, the sorts of things they'd be able to take, the ease or difficulty in actually going in and manipulating your systems, enabling you to do an entire risk assessment: you know, is it really worth having a website running on this server versus on this one? Very interesting stuff. It has become so much more than a network assessment. It encompasses things like social engineering: calling up the target help desk, impersonating a legitimate user and trying to get them to reset credentials. The biggest thing that I want to say before we get into any of this

is that any of the tools or techniques that I talk about in this presentation absolutely must not be used on a network that you don't already own. Like, it is your network, you set it up, you built it, you inherited it, it is legally yours, or you have express written permission to perform these sorts of actions on it, complete with a signed get-out-of-jail-free card. And that's because computer crimes are no joke: they can lead to fines or imprisonment, and it is frowned upon to use your powers for evil. You would disappoint Clippy, and you can see him there in the corner, sad at the very notion that you would go about trying to use

your newfound powers for evil. All right, let's get back to the fun stuff now that all the business is out of the way. Penetration testing is great for a firm or an individual to understand their network and how everything is connected, as well as how threat actors are able to manipulate your systems, and it allows you to fix issues that you didn't even know existed. So performing a penetration test will reveal vulnerabilities that you didn't know about as a blue teamer, as a defensive operator; it allows you to see the sorts of vulnerabilities that exist and how someone could manipulate them to compromise your network. And it's a lot of fun. Just think of it as

sort of a puzzle where you're trying to understand all of the pieces with a very vague idea of how everything fits together. I could go on and on about black box pen testing, where the people performing the penetration test have no idea what the network is like, versus crystal box penetration testing, where the penetration testing team knows exactly what sorts of hosts exist and the vulnerabilities that already exist, and they don't have to go through all that scanning. But that's not what this talk is about. We're going to talk about the different tool sets that exist and how to leverage them. If you've spent any amount of time in offensive security, you're probably familiar with Kali Linux.

That is the de facto standard. There's also BlackArch, which, you know, if Kali is Debian with a gun, BlackArch is Arch with a gun. There's, you know, quite a steep learning curve to being able to utilize that effectively. There's also Parrot OS, and Microsoft Windows, which is, you know, the whole reason that we're here today. So to understand why you would choose Windows, first we need to talk about the competition, right? So Kali Linux, the industry favorite, be it for a script kiddie, someone who's just starting out, all the way up to advanced persistent threat groups that are nation-state backed and have funding: they're using this Debian-based free and open source tool made by

Offensive Security to go out and do their day to day. BlackArch has a whopping 2,400 tools that you can pick from, but no desktop experience in which to actually run them unless, you know, you go out of your way to configure it yourself. And as a Windows guy, I earned the moniker "Bill Gates" back in college because Windows is my thing. BlackArch is not for me; there's too much configuration there, using the pacman package manager to set everything up. I'm not about that life. Parrot OS is really pretty, so much like a parrot would be, colorful. It comes with a penetration testing toolkit as well as digital forensics tools. This is also free and open source, just

like Kali, just like BlackArch, and it's maintained by the Parrot Project. We're going to talk about Windows, which, if you've ever used a computer, you've probably used: Microsoft Windows. It's been around since 1985. It is closed source, it is not free, it is made available for purchase by the Microsoft Corporation, and it is the de facto standard for industry, be it for your server environments (a lot of that is moving more towards Linux now), but desktop clients like, you know, your go-to laptop that you're probably using for work from home now are likely running Windows. Since we're not doing this presentation in person, I can't poll the room to see how many people are using anything

besides Windows entirely, so I'm just going to pretend that it's not very many of you that have been able to completely remove Windows from your life, and maybe this talk will give you the opportunity to reintroduce Windows into your workflows. You might be asking yourself, but why? With all of these free and open source tools, why would I want to run anything on Microsoft Windblows? They're just out for your money, I can do everything on my own with my Linux anyway. That's fine, that's totally fine. I'm not here to, like, operating-system-shame you into using Windows, but most of your targets in an enterprise environment will be running Microsoft Windows, so

having a familiarity with the layout definitely helps. Windows as a penetration testing platform will offer you native support for SMB, so you can abuse Server Message Block and explore those sorts of shares; you can get into your Samba shares fairly easily. It comes equipped with PowerShell, which, controversial opinion, I think is better than Bash. There are Remote Server Administration Tools that are bundled by Microsoft; they make it easy: you land on a box, you get your credentials, you're able to just add them into your RSAT. You have access to the entire Sysinternals suite, so you can see exactly what sorts of things it is that you're manipulating on a box and how the incident response team will

be able to respond to that incident. There are also some Windows-based command and control systems that I think are really cool, such as Covenant, which is built on .NET, and PoshC2, which is built on PowerShell. That's not enough to make you switch? That's totally fine, you don't have to, and with the innovation of the Windows Subsystem for Linux, or WSL, you don't have to. Whenever I go on engagements, I'm usually running a Windows box with Kali installed as a subsystem, so you don't need a virtual machine; everything is just right there. You also have Docker freely available for those tools that you absolutely need Docker for. And sometimes you won't have a choice: there are

engagements that you'll have to go on where it's a strictly Windows-only environment, and there are limitations on the sorts of operating systems that you're able to bring in, and you have to use Windows. Another drawback, you know, besides forcing your arm... I'm sorry, another positive point, instead of forcing your arm, is native support for Microsoft Azure and Active Directory. With a lot of systems moving towards cloud-based security, being able to interface with Azure right on your penetration testing platform is a godsend. So we're going to talk about this really cool tool that I found. It is Commando VM. It is made by Mandiant, a division of FireEye. It's free to do all the setup scripts,

but you still got to pay for your Windows license. I do want to let you know, this is in no way a sponsored talk, I just really like the tool set. And yeah, so it comes with a bunch of tools straight out of the box. For your information gathering phase of a penetration test, you have tools like BloodHound and Nmap. There are your networking tools like Wireshark and an implementation of tcpdump, to dump your network traffic, written specifically for Windows. For the exploitation phase you've got, like, PrivExchange and Metasploit (everybody loves Metasploit). For your password cracking utilities you have things like Cain and John; you also have Hashcat, Mimikatz. For your web apps

you've got things like OWASP ZAP, all of these built for Windows. And for your vulnerability analysis you can go even as in depth as reversing the binaries using tools like IDA or Binary Ninja. So why exactly do I want you to use Windows? The tool sets are comparable; you have the Linux tools also with Windows versions, and if it's not native you can just run it in WSL. This allows you to save space, so you don't have to switch between your Linux environment and your Windows environment while performing penetration tests; you can do everything straight from one box. And as I had mentioned before, you'll have at times restrictions on the ability to pick and choose what

tools you bring into the engagement. There are reasons why you should not use Microsoft Windows, and that has to do with the licensing cost: you still need to pay for the OS license. Windows does have some overhead; you're going to need more RAM in order to actually use Microsoft Windows. And your fellow cyber professionals will at least laugh at you or give you strange looks. I've had to deal with that quite a little bit, but I like making it a challenge to, you know, use the unpopular, "impossible" tool suite to still get the job done.

The biggest thing to know is that having access to a ton of tools isn't going to make you a good hacker. What is, is knowing the tool set that you've been given, your personal limitations, not being afraid to, you know, ask for help, and continuously learning and iterating so that you get better, and, you know, you're not just a script kiddie; you're going through learning the tools of the trade, learning what works for you, what works for any given situation, and knowing that attitude, how you approach the problem, is more important than the tool sets that you use. So that's the end of my slides. I can give you a quick little tour of the

Commando VM if you give me just a minute here to switch windows. Am I able to see any questions in the chat? Is that a thing? I'm used to having an audience. Actually, there's no questions in the Q&A right now. The talk on Discord, there's a pretty robust conversation going on; it'd be the Track One breakout room. Okay, that's where everybody's gonna hang out and then want to chat with you later. I will definitely check that out, thank you so much. Let's see, I want to share... all right, you should be able to see my Commando VM. Yes sir. All right, so one thing that's really cool is, by

default PowerShell doesn't log the things that you type. One of the nifty things that Mandiant has done is actually allow you to log all of that to text files that it automatically organizes for you, which, after undergoing a penetration test, is definitely super useful. Whenever you're in the thick of the moment and, you know, you're not taking notes on what you're doing, as I've been guilty of, you're able to go back and actually look at the commands that you've run and how they've affected the system. So let's get out of the transcripts, let's look at some of the nifty tools. They've got things like Active Directory tools; you can go in there and look at all of the administration

tools, you can mess with DNS whenever you connect it to a target server, so you don't even need, like, you don't need an interactive shell or RDP into the box that you're targeting; you just need to have the appropriate credentials to do everything remotely. You've got Python 2 and Python 3, you've got Go, you've got Git support, the WinPcap driver stuff. Let's go back a folder... say, go back a folder, thank you. Your command and control sets, all of the stuff for your .NET, your networking tools, your password attack stuff. Hashcat, love Hashcat. Super helpful note if you are on Windows is that you are able to more easily access the drivers for your onboard

video card, so if you have a gaming laptop and you want to take it on a penetration test, use Hashcat, use your gaming graphics card, and you are good to go straight out of the box. There are some other utilities like Process Hacker, that's part of the Sysinternals stuff. Your vulnerability analysis: you can install things like Nessus on top of this, so you're able to have a better understanding of the entire network's security posture. They've changed the right-click menu so you're able to just open up Command Prompt or PowerShell as admin. So if we go ahead and open up... where's my Command Prompt? There we go. whoami: you're the commando user.

They've also added timestamps up here at the top, baked into your command prompt, which is something that's not native to Windows but definitely something that I find useful. You've got the entire Kali Linux suite right here.

Oops.

All right, I clearly don't remember my password. That happens. But everything that you would use on Kali is available not only within Kali but within Commando as well.

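The two conveniences the demo points out, a PowerShell session log written to organized text files and a timestamped prompt, can be reproduced on any Windows box without Commando VM. The profile below is an added example by the editor, not code from the talk or from the Commando VM project (the talk does not show how Commando VM implements its logging, and this is not claimed to be Mandiant's method). The Transcripts folder location, the per-day layout and the file names are assumptions.

```powershell
# Added example (editor's own, not from the talk or from Commando VM's scripts):
# a PowerShell profile that records every interactive session to a text file,
# one folder per day, and prefixes the prompt with a timestamp. The folder
# layout and file names are assumptions, not Commando VM's layout.

# 1. Transcription. Start-Transcript writes both what you type and what comes
#    back; -IncludeInvocationHeader stamps each command with the time it ran.
$transcriptRoot = Join-Path $env:USERPROFILE 'Transcripts'     # assumed location
$dayFolder      = Join-Path $transcriptRoot (Get-Date -Format 'yyyy-MM-dd')
if (-not (Test-Path -LiteralPath $dayFolder)) {
    New-Item -ItemType Directory -Path $dayFolder -Force | Out-Null
}
# One file per session: start time plus process id keeps parallel consoles apart.
$transcriptFile = Join-Path $dayFolder ('PowerShell_{0}_{1}.txt' -f (Get-Date -Format 'HHmmss'), $PID)
try {
    Start-Transcript -Path $transcriptFile -Append -IncludeInvocationHeader | Out-Null
}
catch {
    # A host that is already transcribing (or cannot transcribe) must not break the profile.
    Write-Warning "Transcript not started: $($_.Exception.Message)"
}

# 2. Timestamped prompt, the PowerShell counterpart of the cmd prompt shown in
#    the demo. The [ADMIN] tag records which commands ran from an elevated console.
function prompt {
    $time      = Get-Date -Format 'HH:mm:ss'
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    $tag       = if ($isAdmin) { '[ADMIN] ' } else { '' }
    "[$time] $tag$($ExecutionContext.SessionState.Path.CurrentLocation)> "
}
```

Save it as `$PROFILE` (`notepad $PROFILE` creates the file if it does not exist) and every new console starts logging. Two caveats a practitioner will want: the transcript captures whatever was typed or echoed, including any credentials, hashes or tokens pasted into the session, so the folder needs the same protection and end-of-engagement disposal as the rest of the evidence; and a profile-based transcript is skipped by `powershell.exe -NoProfile`, so for a machine-wide record use the "Turn on PowerShell Transcription" policy instead (registry key `HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription`, `EnableTranscripting` = 1 with an `OutputDirectory`), which applies to every host regardless of how it was launched.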