
Andrew Kozma - Building Offensive Security Skills

BSides Fredericton, 58:02, 71 views, published 2018-12
Category: Technical
About this talk
Andrew Kozma explores how to build a well-rounded offensive security skill set that combines technical expertise with business acumen. Drawing on martial arts philosophy and real-world examples, he demonstrates vulnerability assessment and exploitation techniques using open-source tools like OpenVAS and Metasploit, emphasizing the importance of continuous learning and community support in information security.
Transcript [en]

[Introduction, partly inaudible] ... Building Offensive Security Skills ... please welcome ...

Hey everybody, nice to see some familiar faces. We're talking about building offensive security skills. How many here in the room actually saw Rich's talk this morning? I know Rich touched on a few of the topics that we're gonna discuss in depth today. I do have a full slide deck; it's only about 25 slides, but it's gonna talk about the outline for the type of presentations that I do. I haven't done a presentation like this for a while, so we've tempted the demo gods: we're gonna actually exploit a workstation, or a target, today, and talk about the points of offensive security skills and what being a well-rounded information security professional requires today and what's expected today.

So it's me, you, building offensive security skills: improving your defensive security posture with offensive security strategies. Alex talked a little bit about me. InfoSec professional working in the public sector; I always refer to myself as an information security professional. I'm an active board member for the Atlantic Security Conference. How many here have attended the Atlantic Security Conference in the past? Wow. Y'all coming next year, right? Honestly, April 24th and 25th for 2019. Anybody know the Klein bottle guy on the Internet, Clifford Stoll? Anybody heard of Clifford Stoll? Clifford Stoll is the opening keynote for the Atlantic Security Conference. If you have ever seen the Back to the Future movie, great; Clifford Stoll is the [inaudible].

Anyway, I'm a dad with my technical hat on. What does that mean? Well, at any given time in my house there's a four year old, a 14 year old and an 18 year old, so late nights with the 18 year old, early mornings with the four year old, and sometimes in between I get to practice hacking and building out my skills. That's why I say I'm a perpetual student; I love to learn. Rich talked about it earlier this morning: in order to be proficient in what we do you kind of gotta take it on the chin

and recognize you don't know everything. And one of the biggest things that I've seen from the most elite people in our industry, that have crazy zero-day, crypto, math skills and the big brains: there's a lot of animosity and there's a lot of not supporting each other in our communities, and I want to stress the importance of supporting each other in the points of education. Literally everybody in this room knows something I don't, and if you can humble yourself and approach learning that way you'll make a lot more friends.

I'm a big fan of Bruce Lee, ninja and samurai films. Anybody know who these guys are? That's right, Yojimbo. Anybody see the movie Hard Boiled with Bruce Willis, when he finds himself in the town of two gangs and plays them against each other? That movie was, I think, a remake of Yojimbo. And the other fellow that's with them is Shintaro Katsu; he played a character called Zatoichi, and he's the blind swordsman. So there's a theme throughout my presentations, and as we talk about security practices and information security practices there's a number of comparisons. Rich talked about the tactical arms race this morning. I'm a lifelong martial artist, studied a bunch of different stuff, and the principles apply. Going to move into the next slide. Anybody want to [guess]? Miyamoto Musashi, is right on, absolutely. The swordsman, the samurai; this guy was famous for the school of two swords.

So think of your two hands as an information security professional. When I say professional, in one hand is your technical acumen, your technical skill set, and your other hand is business acumen. Both of them together can make you a deadly force. Or you can talk defensive and offensive skills. But Miyamoto Musashi was the founder of the two-sword school, and at that time, in the feudal era of Japan, they would have two hands on the sword; they had one long sword called a katana and one short sword called a wakizashi. This guy basically kicked everybody's butt with two full katanas. So when we do references and we talk about principles and offensive security, and what is hacking and what it is to be defensive in nature and protecting your organization's infrastructure: in one hand you have your technical skill set, in the other hand you have your business acumen, because you have to be able to talk to C-level folks; you have to be able to interact and present risk and make it mean something to the right body. So one of my favorite quotes from Musashi (he also wrote The Book of Five Rings) is "do nothing which is of no use," and this is what I say: do nothing which is of no use for your

organization and/or for others, slash community. It's why I drove from Halifax to come to BSides. This is why I'm involved with the Atlantic Security Conference; not only am I a board member for the Atlantic Security Conference, I also support monthly meetings in Halifax called the Halifax Area Security Klatch, where we talk about stuff like this.

So what are we gonna talk about today, what are we gonna do today? You're paying attention to the theme: Fight Club. Chuck Palahniuk, yeah, one of the greatest adaptations of a novel. I read the novel the first time and then I loved the movie. How much can you know about yourself if you've never been in a fight? How much can you know about your organization if you've never had to respond to an incident? Most organizations today that are breached, the dwell time is over 200 days. What I mean by dwell time is from penetration to detection: 200 days. So picture me with my suit and tie for 200 days coming to your office, sitting down and working. What do you think I can learn in 200 days about the organization? So we can do better; we have to do better. So this is about hacking our own infrastructure to improve defensive security measures and processes: knowing how things get exploited, knowing how boxes get compromised, and then building out a response plan so that you can respond in an adequate fashion to protect your organization.

I'll be the first guy to tell you, if you spend more than $1 on what an asset's value is worth, your security program and your security practice isn't very good, right? Overall, it's all about supporting the business. Business isn't there to hire security professionals; security professionals are hired to support business. Once we understand that, and we change: our business is our client, their infrastructure. We may have lots of opportunity for work, lots of requirements, lots of need for our services. Truth of the matter is we are there to support the business; the business isn't there to want security. So today we're going to do a demo: scan

all the things, pwn all the things. So I kind of broke some of the stuff into two easy activities, and the tools we're going to use: Kali Linux. Everybody knows what Kali is, right? Kali Linux is a distribution maintained and operated, or maintained, by the crew at Offensive Security. Offensive Security are a professional services company; they have a designation called the OSCP, Offensive Security Certified Professional. I will be the first to tell you my past: my first step down this path, I was a Windows system administrator a number of years ago and I wanted to learn offensive security, so I went and found them online and signed up for that. Wait a moment; remember, in my life, had I booted anything up from Linux? Not once. So I stepped into that world and it kicked my butt, but at the end of it, even after a failed certification attempt, I knew what I knew now: how much I didn't know, and it started a continuous learning path for me that's led to what I consider a professional, which is the ability to demonstrate both defensive skills and offensive security skills when you're in the boardroom or when you're talking to your manager.

It's one thing to say "awful, the sky is falling, there's risk over here, we have to do something now, spend spend spend," and the vendors out there would love you to spend like that. Truth of the matter is you can only do that once or twice, and then your impact on the organization is kind of "oh, who keeps inviting this guy to the meetings?" You'll never get that project up, and the culture hasn't changed. So we're going to use Kali Linux and we're going to target legacy infrastructure, right?

So there are a couple of things. I'm a principle-based security professional; I'm a principle-based martial artist. Bruce Lee had principles: you put your strong side first, right? He never put his strong side back; he always put his strong side first. Leveraging those types of principles and bringing security down to principles, and if you understand the principle, you can apply that knowledge. So the difference between a good security administrator and analyst and a great security administrator and analyst: a good security analyst and administrator knows the policies and the procedures, but the great security analyst knows every single exception to one of those policies and procedures. So they know about the old Linux server in the back that we can't upgrade the kernel on because the vendor says "we won't support you if you do," right? You got to keep it on, keep the lights on, gotta keep the business going; back to our jobs. So everybody has legacy infrastructure to some degree, and that's what we're going to target today. So some

objectives. The first rule of Fight Club is you don't talk about Fight Club. I chuckle at that, to talk about this, because what is knowledge sharing, right? There's a big difference between information and intelligence. I caught a couple minutes of the intelligence talk upstairs; intelligence is the application of it. So what you learn today, hopefully you learn something you're able to take away and start your own path: start messing around with tools, maybe reverse engineering some binary, make some firmware upgrades, or even reverse engineer a Windows patch; see what it is they're trying to do, so you'll recognize it when you find a proof of concept or an exploit online, learn about it, and you look at the patch from the reverse engineering, and the latter skill set; that's really what we're talking about today. I need a sip of water, yeah; compromised real bad.

So with proper planning and authorization (authorization is a big one; I understand you're working stuff, but work knowing, especially if there are any IT managers in the room; not speaking from personal experience, but they don't like it when you bring stuff into the domain), go home to a controlled environment where it's safe to practice offensive security techniques. Usually with this slide I have a picture of a monkey with a gun. Truth be told, you can go and download Kali Linux and create havoc with very little knowledge, but without proper control. We're gonna point at how do you execute your activities.

Early in my career, after I failed OSCP the first time, I was like, I can't afford to keep subscribing to their lab; I'm gonna be broke. How many times can I ask my manager to approve it? So I found free resources: VulnHub. If you haven't been there, go check it out. There are distributions for capture-the-flag; there are distributions that are specifically designed to be weak for you to test and build your skills, and some of them have great walkthroughs. And in the beginning, to be honest with you, I needed the walkthroughs. I would bring up the machine, and if I could find its IP address, I didn't know where to go after that. So the walkthroughs were kind of like, okay, a little hint if I need it, and that's important. So with proper planning and authorization, along with an understanding of the risks, you can and will test production infrastructure. Virtualization is a beautiful thing; if you'd asked me that last night I might have had a few choice words, if you look at some of the scans. So my presentation is built like a tutorial, but we're actually going to do the demo. Remember I mentioned the demo, but my presentation is done like a tutorial, so there are actually step-by-step instructions so you guys can start

doing this stuff yourself as well. Last night I had problems with the underlying [inaudible] and ended up just scrapping and rebuilding and starting again. So, practice: amateurs practice till they get it right; remember I said we're information security professionals; professionals practice till they cannot get it wrong. So hopefully, if the demo gods are on my side, I practiced enough that I sound a little bit like I know a little bit of it.

So, scanner: anybody familiar with nmap? Hi, awesome. Gordon "Fyodor" Lyon wrote that back about 15 years ago, might be 18 now. That thing is an amazing, amazing facility. I recognize that you're not going to be able to see this; we're gonna do it through the actual demonstration. So what we're gonna do is launch an nmap scan against our target, and what we're doing is detect the operating system, we're going to detect the services and their versions, we're going to run some of the nmap scripting engine scripts against it, and we're going to output everything in an XML format. Then we're going to leverage nmap's XSL stylesheet. Anybody ever use nmap stylesheets? Okay. Once you do the first time, and if you have more than one host and you start scanning networks, you'll love it. And then you'll see in our command --open and --reason, so that tells the scanner I only want information about open ports, and I want to know the reason why they're open, and I want to know the service that's running on them. So the whole command is this long thing, and after a while you get used to it; it just becomes second nature. What you'll find is "which one am I supposed to calculate?" And then what we do is we convert the nmap scan to HTML so it can be browsed in Firefox. So the output is XML; that's what we asked for, but then there's this XSL, xsltproc solution: you convert it to HTML and you'll get something that looks like this. It gives you your scan summary in a nice table and presents the data much better than what you could consume in your terminal.

And the "scan all the things" part: scan all the things, pwn all the things. The scan all the things part: the more information you can gather, the more likelihood you'll have success with regards to any type of exploits or any type of activity that you want to pursue. So scan and gather as much information about your target as you can. Anybody familiar with [inaudible] upstairs? You can swing by and talk to them about advanced [inaudible]. Here's the difference between what we're doing and what an advanced adversary would do: advanced adversaries won't scan anything in your environment; they don't get caught, okay? If they get picked up, they get identified, you can block their source IP, they'd have to do something else. Those guys are slow and low; remember, the 200 days dwell time. These are the kind of guys that are sitting in your network; they don't need to scan, they've been there a long time and they're gathering that information. Possibly, not necessarily. So, actually, before we dive into that, I'm glad I got the mic because I'm gonna sit down. Why don't we launch the commands? All right.
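An added example, not from the talk or from nmap's own tooling: a Python parser for the -oX XML described above that pulls out the same open-port, reason, service and OS-match fields the XSL stylesheet tabulates, and additionally flags open ports nmap could not fingerprint. The sample XML, its addresses, hostnames, products and versions are constructed.

```python
"""Parse nmap -oX output into a per-host inventory of open ports.

Added example, not part of the talk. The talk feeds nmap's XML through the
bundled XSL stylesheet to get an HTML table; this does the same extraction
in Python so the result can be diffed against an asset register.
SAMPLE_XML is a constructed nmap-style document using the talk's target
address; every product, version and hostname in it is made up.
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -O -sV -sC --open --reason -oX nmap.xml 192.168.116.130" version="7.70">
<host>
<status state="up" reason="arp-response"/>
<address addr="192.168.116.130" addrtype="ipv4"/>
<address addr="00:0C:29:AA:BB:CC" addrtype="mac"/>
<hostnames><hostname name="target.lab.local" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
  <service name="ssh" product="OpenSSH" version="4.7p1" extrainfo="protocol 2.0" method="probed" conf="10"/></port>
<port protocol="tcp" portid="139"><state state="open" reason="syn-ack"/>
  <service name="netbios-ssn" product="Samba smbd" version="3.X" method="probed" conf="10"/></port>
<port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/>
  <service name="microsoft-ds" method="table" conf="3"/></port>
<port protocol="tcp" portid="1524"><state state="open" reason="syn-ack"/>
  <service name="ingreslock" method="table" conf="3"/></port>
</ports>
<os><osmatch name="Linux 2.6.9 - 2.6.33" accuracy="100"/></os>
</host>
</nmaprun>
"""


def parse_nmap_xml(xml_text, open_only=True):
    """Return a list of host dicts: addr, hostnames, os, ports (open ones by default)."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.iter("host"):
        ipv4 = host.find("address[@addrtype='ipv4']")
        if ipv4 is None:
            continue
        osmatch = host.find("os/osmatch")  # first (best) OS guess from -O
        entry = {
            "addr": ipv4.get("addr"),
            "hostnames": [h.get("name") for h in host.iterfind("hostnames/hostname")],
            "os": (osmatch.get("name"), int(osmatch.get("accuracy", 0))) if osmatch is not None else None,
            "ports": [],
        }
        for port in host.iterfind("ports/port"):
            state = port.find("state")
            if state is None or (open_only and state.get("state") != "open"):
                continue
            svc = port.find("service")
            get = (lambda k: svc.get(k)) if svc is not None else (lambda k: None)
            entry["ports"].append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state.get("state"),
                "reason": state.get("reason"),  # the field --reason records (e.g. syn-ack)
                "service": get("name"),
                "product": get("product"),       # only present when -sV got a banner match
                "version": get("version"),
                "conf": int(get("conf") or 0),   # nmap's 0-10 confidence in the service guess
            })
        hosts.append(entry)
    return hosts


def unfingerprinted(host, min_conf=5):
    """Open ports whose service was only guessed from the port table, not probed.

    These are where "if you cannot detect it you cannot protect it" bites:
    nmap could not confirm what is listening, so they need a manual look.
    """
    return [p["port"] for p in host["ports"] if p["product"] is None or p["conf"] < min_conf]


def render_table(hosts):
    """Plain-text version of the per-host table the XSL stylesheet renders."""
    lines = []
    for h in hosts:
        os_desc = "%s (%d%%)" % h["os"] if h["os"] else "unknown"
        names = ", ".join(h["hostnames"]) or "-"
        lines.append("%s  %s  OS: %s" % (h["addr"], names, os_desc))
        lines.append("  %-6s %-5s %-8s %-10s %-14s %s" % ("PORT", "PROTO", "STATE", "REASON", "SERVICE", "VERSION"))
        for p in h["ports"]:
            ver = " ".join(x for x in (p["product"], p["version"]) if x) or "?"
            lines.append("  %-6d %-5s %-8s %-10s %-14s %s" % (
                p["port"], p["proto"], p["state"], p["reason"], p["service"] or "?", ver))
    return "\n".join(lines)


if __name__ == "__main__":
    inventory = parse_nmap_xml(SAMPLE_XML)
    print(render_table(inventory))
    for h in inventory:
        print("needs manual check on %s: %s" % (h["addr"], unfingerprinted(h)))
```

To run it on a real scan, read the file produced by -oX and pass its text to parse_nmap_xml in place of SAMPLE_XML.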

Okay, so [inaudible]. Also, I didn't spend a cent other than my laptop to perform any of these activities. Kali Linux is a free distribution running in VMware Player, and you can see "non-commercial use only"; I selected that option, so I don't have some of the advanced features of VMware Player, but for what we're gonna do today this is more than enough. So I'm using VMware Player to host our attacker, and our defender is the other one, this one here, this guy.

Let's make sure nothing's changed; that's like practice. So the target IP address is 192.168.116.130; that's what we're going to scan, and our source is the Kali Linux box. It's really clunky and difficult to continue to use the virtual manager interface, so remember I said about making exceptions? I made an exception and allowed root SSH to the Kali box, right? But I know about that exception, so it's kind of okay, right? But for the purpose of the demonstration. Honestly, you would never enable root SSH access, and if there's a UNIX admin in the audience with the crow's feet, have a drink of vodka for me, because we're about to go into demoing.

What's up? Can everybody see that? That's as big as I could make the font, and I have a crib sheet that I'm gonna use, because I really don't wanna screw up. Oh, absolutely. So remember we talked about nmap; nmap is the de facto default scanner. The first switch is identify the operating system of the target. The second one is identify the services, -sV. The third one runs some of the scripting features. The next one is output with XML, -oX; we're gonna use XSL. And then I want to know the open ports and the reason why they were open, and then the target IP address. So that scan has already run, and if we sit here and wait for scans to run it's gonna be a lot longer than the time that I have, but we can go into /root/bsides

and you can see that we have our nmap scan XML file that was output, oh, 10:30 last night. That is the XML version of the file that we looked at that generates this. Let's take a second to talk about this. So this is much easier to look at than the information that gets jammed into a terminal. This is the actual stylesheet that nmap comes with; if you're an HTML guy or a web guy or gal, you can easily customize this, throw your logo up, whatever you need to do. What's important is it gathers the information, and you'll see that, like we asked, I want to know what ports are open, what services are associated with them, and the reason why. So it's compiled all this information for us, and this even shows operating system detection, and you can see right here the nmap scan and the time that it was run. So nmap is the de facto now. We only scanned the single host in this one, but if you want to scan a class C network or a /24 business network, it organizes this first table here: you'll have multiple IP addresses appear in this table, and each one is clickable, so you click through it and then you'll see the services and the ports that are associated with it.

When you start to build that information, even understanding what is on your network is important. And I'm going to talk about one of the first principles, being a principle-based information security professional; one of the first things you'll hear me say to juniors or anybody that I work with is: if you cannot detect it, you cannot protect it. The NIST Cybersecurity Framework has five individual columns that run across the top: Identify, Protect, Detect, Respond and Recover. In the beginning, on the Identify and Protect side, and even Detect, there's a lot of technology that does some of that. The Respond and Recover, that's us. So they talk about automation and the introduction of robots; even though most advanced security practitioners upstairs, even if their companies say they're using it entirely, realistically it's always going to come down to us; we're always going to be a part of the equation. So it'll be us and automated intelligence working together, some form of automation, and as attacks continue to increase in sophistication and automation, our defenses are going to have to as well, and automation can make one defender appear like many, so you can use it as a force multiplier.

So that's the nmap stuff. Back into our presentation, and the reason why I specifically talked about [inaudible]: I use the community edition of VMware Player; I'm running it on my

work laptop, which is municipally provided, and plus if my laptop and your laptop got in the octagon I don't think my laptop would be winning; let's just leave it at that. So I'm able to create a small environment on this laptop that helped me learn some of these skills.

So OpenVAS: anybody heard of OpenVAS? Awesome. OpenVAS is the Open Vulnerability Assessment Scanner. Anybody heard of Nessus or Tenable? I know they're upstairs, okay cool. Tenable is the closed-fork version of OpenVAS, right? So it's easy to install; it doesn't come installed natively on Kali, some distros do, but you can just apt install openvas on Kali; it's as simple as that. So Kali doesn't have it installed by default, but it does have the appropriate source lists so that you can install it; just use apt. So once we have it downloaded and installed, we can run openvas-setup and it will run a configuration installation script and makes it easy. Once it's installed there are a couple of commands: openvas-adduser, pretty simple; that's how you add an administrative user or a user with access. openvas-feed-update. So the difference between Tenable and OpenVAS right now, besides the open fork and the closed fork: the web interface is different, obviously. When Tenable forked it off and closed it, they built a really crazy web front-end and matured the product quite a bit, but OpenVAS is still heavily supported; it's around version nine right now, and they are still providing feed updates. And what feed updates are is all of the vulnerabilities associated with services. So remember in our nmap scan I said I want to know what service is running on it? So in the vulnerability assessment scanner, if I'm running a legacy version of MySQL, or [inaudible], or whatever application, the OpenVAS database is a collection of these vulnerabilities, or CVEs, Common Vulnerabilities and Exposures. And then the last one, openvas-check-setup. So once you've done all this, OpenVAS has the script that can tell you, yeah, this OpenVAS is working, looks good. You're presented with the Greenbone Security Desktop, pretty cool. [inaudible], but for free it fits my budget; it hasn't cost me anything. And let's talk about what you get.

So here's the best part. I love to see some of the young people, and there are some vets that have been around that have worked in information security for a number of years. I had this conversation with [inaudible] at the table. See this number here, this is 1999 on the graph, and these are the number of exploits in

infrastructure. So you can see it's not going the other way; since 1999 it's increased. And the conversation I had was, you know, if you meet somebody and they said "oh, I've got 25 years of information security experience," I'm here to tell you right now, tell them you're full of it. Bollocks. Challenging, bollocks at best, right here. But for the young people in school today, this is an exciting time. Well, I got thrown into information security because I was a network security architect and the firewall patched the network, and we got hit with SQL Slammer, the Melissa virus, the ILOVEYOU virus. So I ended up through attrition doing more and more security opportunities, or more security work. Today you can graduate and get an information security job. Great, and we need you; we need you. There's a young man I've met today, Paul; yeah, he's come through the cyber programs; they're gonna be writing papers about you for years. Hopefully we can use people like Paul to address the cybersecurity skills gap that we hear so much about.

So, great, we get a dashboard that identifies 130 thousand plus vulnerabilities from various products. Also, when I create a scan, which is all GUI-based driven; I didn't want to break it down for a tutorial, it's pretty intuitive, it's click and go. You can see that this is the scanner, this is the target. Red is bad; how do I [present this to] the C-level? I'm having a bit of trouble, I'll be honest with you, a little bit of the mindset change between managerial and technical these days. So this is just a quick overview of the target system and the vulnerabilities that were identified when we scanned it. So we used nmap to identify open ports and the services running on them, and we used OpenVAS to look at the versions of the services and compare them to a known database of exploits, and then report on what can be exploited, right? This is all coming together; remember, scan all the things and then pwn all

the things. So we're getting to the other half. So OpenVAS creates a pretty big report; let's just switch back to take a look at one. And for $0 it makes my budget, and it's one of those things that could be introduced pretty quickly. So you guys can't hear that clicking around in my mouth; [inaudible] when I have a cough drop, but I'm getting the cotton mouth pretty bad. Okay, here's the HTML version of the output. We scanned a single host; if we scanned the network they'd all be presented chronologically, and same deal: show me the ports and the threat level associated with some of these services. This host is pretty bad, but it's bad by design so that we can practice, right, and learn what not to do.

So, security issues, and when you see a high, and this CVSS: this is an industry standard; it means Common Vulnerability Scoring System. When you see anything red, which is pretty much seven and a half, or seven, to ten, it means that it can be exploited easily and remotely. So when we talk about infrastructure that's connected to the Internet, if it has a CVSS score of ten, that's really bad; everybody else on the Internet could in theory own your stuff remotely and you would never know. And of course we scanned; look at the first thing: OS end-of-life detection. So you're running an operating system on a server host that has reached end-of-life and should not be used anymore. Why is that significant? Because there could be exploits that are identified after the fact that will never be patched and/or supported. All you have to do is think about Windows XP in your environment; you know what we're talking about. That's what it looks like: lots of information.

So the other half. So we scanned and we created two XML files: we created an nmap XML and we created an OpenVAS XML. Anybody familiar with Metasploit? Anybody heard of Metasploit? Awesome, cool. Metasploit is an exploit handler; it's a handler, and what it does is allow you to deliver exploits and have the connections that come back, called shells, with different levels of access: you get interactive shell, Meterpreter, et cetera. But Metasploit is the de facto exploit handler and it makes the work easy. It was written first of all by a guy named HD Moore; he worked at Rapid7 and now he's doing [inaudible]. Prior to the Metasploit framework you would have to compile your payload, compile your exploit, compile it all manually, and it was a very tedious process. Metasploit provided a framework that could pack everything: the delivery, the exploit, the whole shebang, a Swiss Army knife for security testing. So we're gonna open up the Metasploit framework and jump right back into here. Everybody see that? Oh no, can you switch? I gotta get out of presentation mode.

Okay, move to the Kali box. So we're gonna go msfconsole, and it's thousands and thousands of lines of code to build up this [inaudible], so it takes a little while. Once we have it, we're going to use the output of our scans to populate the database in Metasploit. So let's go back in here real quick.

So the command is actually db_import, and then /root/bsides is our working directory, and then we have nmap.xml; I'll import that, which has already been done. And then the other one is openvas.xml, which are both there. And I can check, because we can ask the database what hosts you have: there's our target system; it knows that it's Unix and it's a server. Now remember we asked for nmap to provide us the services; let's see if the services were successfully imported into the Metasploit database. Yeah, so it's showing that host has a bunch of open ports and a

bunch of services; our nmap scan results are being imported beautifully. And the last one, the OpenVAS, and we want to know what vulnerabilities are available, and as you see, a lot, and that's by design. That's why something like VulnHub is great; you can get capture-the-flag exercises. Anybody participating in the capture the flag tonight? Awesome. I would encourage you all to try; don't be technically scared, frightened of it. There are a lot of people; [inaudible] is a great resource; ask her for how-to, give you hints, yeah; maybe give you hints for a drink.

So I would recommend everybody start, and as a matter of fact there's a lot of capture-the-flag stuff, so you can take some of the scariness out of it in front of your peers by practicing at home and alone, just like we did here. So I have got a target machine up, and I can remember the very first time, like, okay, now what? [inaudible] for a while. Then I found a walkthrough and I started to reverse engineer that, and then small steps get you to the point where you start looking at proofs of concept for exploits on the Internet that are available, and then you look at the patch, and you get a specific set of skills where you can start reverse engineering patches and start seeing, oh hey, Microsoft, this is how they approach some of those things. And you'll often find, even with patching and the change advisory board and the other things, any time you change a system, even with security patches, there's a very high chance it actually could introduce other, additional risks. So having that kind of knowledge, building out your offensive security skill set to include the "hey, this is how they code, this is how they build the next link, and then this is furthermore how they build a patch to address some of those exploits"; that's what we're talking about today.

That's why, who is it, they've tended to get a lot of heat for the Social Engineer Toolkit: "it makes it too easy." Truth of the matter is, easy for me as a professional is good, because I don't have the time to become a malware author and become an expert in malware, but I can learn very quickly how to use a tool that can do a lot of the complexities of writing and delivering malware and test it against my environment, and then build that knowledge base beforehand so that when stuff does go south I can respond quicker. So really, offensive security skills are about you kicking the crap out of your own environment so that you can start to address some of the things: what worked, what didn't work, and you can start identifying those

exceptions right that's a legacy system can never be upgraded but the vendor won't support it if we upgrade the girl daddy on so over to my crib sheet

we have imported we checked our imports so this is where we are bones have been identified as weaknesses

pause and that's the whole section I know but I know that I put them in my presentation absolutely listen I've tempted the demo gods and quite honestly since June my capacity of being very much managerial go up there with me oh my gosh we're gonna I'm gonna I'm gonna get moving here we've identified him chords explored open so we're gonna exploit Samba so we're gonna use this command here

It could be in my preview here on exploitation. We did a check in Nmap for that sector, but we actually didn't put in the exploitation part of that, so we'll go back to our msfconsole, we'll say use exploit, and then I want to know the info about this. So the Metasploit framework is modular and you can use modules for various functions, and this particular exploit is even telling you what CVE it is; you can see it's old, 2007. But oh, there's no RHOST set, so we need to set RHOST, let's say 116 130 30 13.

So now if I do... you can see that the RHOST value is set right here. I should have set the port as well, so let's go back and double-check. We can try to exploit it and see if it works. So simple: we set RHOST, we set RPORT, we've got our target destination, let's try and exploit it. Come on, work.

All right, so whoami, whoo. What's my working directory? Root. And just to make sure I'm on the right machine,

116 130. So now I have a shell from my attacker to the other machine, so every command I issue through this handler right now is executed on the remote machine. [Audience question] Yeah, so basically the script is there as a module. So during the DB import phase I imported the vulnerabilities that were identified, and I picked Samba, or I think I picked Samba because, how many people in here are Windows admins in their environment? Ever set up a UNIX server that's gonna be shared? You know how many Windows administrators set it up and can't get sharing right, so they misconfigure it. So I picked this particular exploit because realistically it's what

happens, or, oh, it's a misconfiguration. But for this particular example it's running a service that's exploitable through the module code; there's actually about 400 lines and other things that happen in the backend, but I didn't have to worry about it because Metasploit does all the heavy lifting for me. So let's just go for the users. For the UNIX environment, what do you think of that one, what's this, right, /etc/passwd. So UNIX does this cool thing: when user accounts get created, it takes the password and it creates two separate files, one is /etc/passwd and the other one is /etc/shadow. So in our demo today, what I displayed here is

the actual contents of both of those files, because when we compromised the box through the SMB share, the Samba exploit, I had system-level access, root privileges, so I can look at everything. So what I looked at, and what I'm moving towards, is: now that I've got an exploit, I want persistence, I want to stay there. So what do I do to maintain persistence? Well, I dump every account that's on the box and capture their username and password so that I have more than one avenue to go back, right, and now I can use those accounts to start moving laterally. So the likelihood that a helpdesk might have a tech support account on a Windows machine is pretty high; if

I'm able to dump the tech support account on one machine using Metasploit, I could probably start moving laterally with the credentials that I've harvested, right. So basically what we'll do next is use John, John the Ripper, and John is going to take those two files that we had, /etc/passwd and /etc/shadow, and we're going to use the command unshadow on them.

And if I do my directory listing here you'll see shadow.txt and passwd.txt. I just cut and pasted off the screen and then saved them as text files, and then I use the unshadow command that allows me to combine those files, so you can unshadow /root/bsides/passwd.txt /root/bsides/shadow.txt and output it to unshadow.txt. So what that does is it takes the username and the password, combines them together into a format that John can understand, and John is going to look at the hashes, try to break the hashing and determine what the password associated with that account is. So now what we're doing is gathering

hashes. So we're almost there. So I can do... we're gonna ask John what it... So John keeps a record of credentials that it's harvested, so I can go back and ask it. So I want John, /root/bsides, which is my working directory for the presentation, unshadow.txt.

Didn't save it in the database. No... I don't know if we're gonna have time to run big attacks; let's go back to what's in my presentation. It did work for me last night, and of course, demo gods. So what we did to start cracking the passwords: we have two files, /etc/passwd and /etc/shadow. We unshadowed them, where we combined those files into a single file that John can understand. This command here, john and then the path to that file, basically starts to look at the hashes and usernames and passwords. It found six of the seven accounts; you can see John has loaded the hashes and successfully cracked some of

the passwords. So what we're looking for, and previously cracked passwords, can be viewed with the command john --show and the path to the file. Oh, that's why. Guys, what did I forget? I didn't ask it to show me. No, I had it unshadowed, I didn't ask it to show me, I just put john, I put john and it... I sent john unshadow, john, and it started to try to crack. I was like, why is it... I asked it to crack again. There we go. So that box is configured with sysadmin with password 123456789. Nobody has passwords like that, right? msfadmin, the name and the password the same. Postgres is

configured with a default account, postgres/postgres, user 1001. So six of the seven passwords John was able to crack, because the human part, we're not very good at creating passwords. So let's go back into our presentation on post-exploitation. I always like to throw nuts in it, so I didn't have time to add it, but there's an open source script called ransack and it just does that: if you compromise a host you can launch ransack, and what it does is go through every attached drive on that box and look for information that is interesting, and it makes a copy for you. Way easy for data exfiltration when you

compromise an endpoint. So I'd say in a couple of minutes take a look, it's called ransack. Once you compromise an endpoint it's fun to play with because you can start finding text files or payroll.xls or passwords.xls. I hate to say it, but even with large financial institutions that know better, somebody creates a passwords.xls file, and guess what's in it, and you've got it. So what I wanted to talk about, and the reason why we talked about scanning everything, polling everything, way back in the beginning when we were doing our information gathering phase: we actually were able to identify that the box had an account that was running a VNC server

with the password of password, right. So if we just slow down and look at all of our information way back in the beginning, it identified how easy it was to exploit with just off-the-shelf, open source, free tools. So what's this all about? Breaking things to make them better. You can tell I like Fight Club: by Fight Club, breaking... at least one thing at a time, my life just seemed to complete, and maybe we have to break everything to make something better out of ourselves. I would recommend you do that to your security program on a regular basis. Break it. How long did it take to do? Time it. And if it's 200 days this time, I want to

be detecting it in 159, until I get to a point where, whatever risk appetite my organization has, my detection capabilities, my protection capabilities, my respond and recover, we have a plan. Because the truth of the matter is there are a lot of salespeople upstairs and they'll say, here's a silver bullet, we can protect that, we can protect this, we can break that. But the truth of the matter is at some point, at some time, it's going to fail. What you do after it fails is what's important, and that's where it requires respond and recover, which requires people and a plan. So when you start looking at production systems it is important to have a demonstrated,

repeatable process that has buy-in from management, a change advisory board, before you start pointing that at everything all over your network and hosts. Document your findings, indicating the threat, the likelihood of occurrence and the impact to the business. What is that? That's a risk register right there. When you start talking to folks at the C level, they don't give two craps; you can talk about security for days and their eyes will roll into the back of their head. As soon as you say the risk to your organization, the risk to your business, when you stop talking about security and start talking about risk, that's when they start to come to the table.

Use the information from these exercises to build business cases to perform and maintain security. So go back and say, you know what, we have monthly patching, but stuff is getting exploited every day, we need to look at continuous patching. What does continuous patching look like for us? There are vendors that have solutions, right; virtualization makes patching easier, somewhat. But use the information from these exercises to build support for your program. If you start looking at the production environment, oh yeah, there'll be blood. You're gonna start finding legacy systems, you're gonna start breaking stuff, and then you're gonna have to go in front and say, well, you know, I thought the risks were worth it, and it's a tough one, but it can be done, and

one of the very first slides I put up: absorb what is useful, discard what is not, add what is uniquely your own. So absorb what is useful for your security program, discard what is not useful for your security program, and add what is uniquely your own. As security professionals our job is to tailor a security program to support that business; that's where the funds are. And with that I'd like to say thank you very much for your time. Are there any questions or comments? I know we're close on time.

[Audience question] Sorry, actually, what... Absolutely, so I'll send a copy to the BSides group. I do run a blog; I haven't been contributing to it lately because I've just changed roles in June. So I started to work with the Halifax Regional Police in June of 2018, and they have a PR crew, and they don't necessarily want their chief information security officer teaching everybody to hack and then talking about things, so anything I do now has to go through public relations. So my content hasn't been updated lately, but this will be there: InfoSec-Samurai.

[Audience question] Everything we did today didn't require a single cent, zero dollars spent. So if you have a VMware environment you can prop it up. I wouldn't say put it on production; isolate it, segment your stuff, don't leave it exposed to the Internet. But even at home, if you have an opportunity to gather old pieces of equipment, or something being decommissioned in your office, that's how I started. I was working in healthcare and we were doing a server upgrade and refresh. I was gonna take the server but not allowed to take the hard drives. I was like, deal. I went and bought some hard drives, filled the server up and started loading a bunch of virtual images from VulnHub

and started building out my offensive security skills, and today that's a defensive security business. So it took a while to get there. I can remember my first pass down, like, I couldn't understand how there could exist a server that didn't have a GUI. Now I hate doing anything [unclear]. I know there's other talks and we're at 2 o'clock, but if you want to chat, just tap me on the shoulder.

[Applause]
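The demo's unshadow step combines /etc/passwd and /etc/shadow into the single-file format John loads. The following is an added example, not code from the talk: it reimplements that merge in Python and then audits the merged lines for the hash states an attacker with root would crack first (empty fields, MD5-crypt, legacy DES), which is the check a defender runs on their own hosts before someone else dumps the files. The passwd/shadow contents are constructed; the hash bodies are placeholders, and only the msfadmin and postgres names come from the talk.

```python
# Constructed sample data. User names echo the demo box (msfadmin, postgres);
# the hash bodies are placeholders, not real password hashes.
PASSWD = """root:x:0:0:root:/root:/bin/bash
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
postgres:x:1001:1001:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
guest:x:1002:1002::/home/guest:/bin/bash
"""
SHADOW = """root:$6$saltsalt$PLACEHOLDERHASH:17500:0:99999:7:::
msfadmin:$1$saltsalt$PLACEHOLDERHASH:17500:0:99999:7:::
postgres:$1$saltsalt$PLACEHOLDERHASH:17500:0:99999:7:::
daemon:*:17500:0:99999:7:::
guest::17500:0:99999:7:::
"""


def unshadow(passwd_text: str, shadow_text: str) -> list[str]:
    """Replace the 'x' in passwd field 2 with the hash from shadow field 2.
    Output lines are in the form john loads: user:hash:uid:gid:gecos:home:shell."""
    hashes = {}
    for line in shadow_text.splitlines():
        if line.strip():
            user, pw_hash, *_ = line.split(":")
            hashes[user] = pw_hash
    merged = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        fields[1] = hashes.get(fields[0], fields[1])  # keep 'x' if no shadow entry
        merged.append(":".join(fields))
    return merged


def audit(merged_lines: list[str]) -> dict[str, str]:
    """Flag accounts whose hash field needs no cracking or invites cheap offline cracking."""
    findings = {}
    for line in merged_lines:
        user, pw_hash, *_ = line.split(":")
        if pw_hash == "":
            findings[user] = "empty password field: account logs in with no password"
        elif pw_hash.startswith(("*", "!")):
            continue  # locked or no-login account, nothing to crack
        elif pw_hash.startswith("$1$"):
            findings[user] = "MD5-crypt hash: fast to crack, rehash with SHA-512 or yescrypt"
        elif not pw_hash.startswith("$"):
            findings[user] = "legacy DES crypt hash: 8-char limit, trivially crackable"
    return findings
```

Running `audit(unshadow(PASSWD, SHADOW))` on the constructed data flags msfadmin, postgres and guest, while root (SHA-512 crypt) and the locked daemon account pass.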