
Thanks everyone, thanks for coming to watch my talk on 21st century war stories. Big thanks to BSides for having me back; I was here last year doing a talk with Dave Hardy on interactive PowerShell sessions with Metasploit. I've tried to make this talk for everyone, so it's not just aimed at the social engineering enthusiasts but also the professional red teamer. If you've got any questions, I'll grab them at the end, or over a beer later.

So the talk is going to run a little bit like this. We're going to talk a bit about open-source intelligence gathering and reconnaissance. Reconnaissance is probably the most important part of any penetration test or red team, the foundation of great success in my opinion. Then we'll talk about the current tooling in the industry, infiltration tactics, techniques and procedures, and persistence, so once you've got inside a network, how you can stay inside a network reliably, any lateral movement that you might need to do, and then acting on your objectives. Then I'm going to introduce a tool we've written at Nettitude called PoshC2 and do a live demo.

So who am I? My name is Ben Turner and, for those of you who don't know, I'm a penetration tester and red teamer for Nettitude. This is me before jewelry and after a beer. I've been through the CHECK Team Leader exams and done my fair amount of IT health checks, which I think sets a good foundation for red teaming: it gives you good experience on all different types of infrastructure and endpoints and a good general understanding of different network topologies, firewall rules and infrastructure. As of late most of my focus has been around red teaming, SE and STAR; I've also helped with the STAR simulated attack specialist exam, now for two years. I'm also not just a full-time hacking nerd: I like riding motorbikes, skiing (which apparently is not boarding, but hey), a little bit of flying drones, and traveling. I try not to combine the two. And I work for Nettitude. A bit of a disclaimer about the presentation: it reflects real life experiences and observations of mine; however, some of the customers' sensitive information has been redacted for client confidentiality.

So what is 21st century hacking? 21st century hacking is an amalgamation of social engineering, red teaming, STAR and CBEST. It's the most cutting edge of all the cutting edge, and the most realistic of all the assurance services. It brings a mix of skill sets and team members in order to achieve an objective. It includes things like physical SE, USB drops, spear phishing, telephone calls, telephone social engineering, hacking and other stuff as well. It's free from caveats of all forms: no hackers would be constrained like this, so why should we put those constraints on ourselves as well? And in my opinion, if you're not waking up at 3am to check you've still got shell inside the organization, you haven't really experienced red teaming. What I tend not to class as red teaming is blowing the doors off a building and accessing computer systems that way; that's more of a military analogy and I don't think we're quite at that level yet, although I'd quite enjoy doing that. I think the UK's slightly behind the curve. I've been over to the US a little bit to do some conferences over there, and nations are doing red teaming all the time. I think the introduction of CBEST has started to get people learning about red teaming, and it's getting more and more, but I think the UK is slightly behind the curve here a bit.

So basically, in a nutshell, when people ask me why they should do red teaming on top of all the normal penetration testing and assurance services, I've got this quite good little story. We were in the Middle East, we were hacking a bank. They do a lot of VA, vulnerability analysis, and pen testing of their own, and they've got their own internal pen test team. So they employed us and they said, "well, to be honest, we don't think you're going to get in, we're pretty good", and we were like, "oh crap", they obviously do quite a bit of assurance services anyway. So they said, "right, okay, do what you need to do; this is our bank, this is our layout, these are our ATM machines, blah blah blah, do what you need to do." Okay, so we thought, well, we'll try and attack the ATM machines. I hadn't really done an awful lot on ATM machines myself, but treat it as any normal network and try and hack in.

So this is the ATM machine. The pictures kind of speak for themselves. This was one of the ATM machines inside a mall (we did have security guards with us, by the way, just in case). This is the back of the ATM machine, outside the ATM machine; this was the lock that had been ripped off. It was actually built on wood, which is quite interesting, so it pretty much just pushed off, and as you can see there's a Cisco router hanging out the back of it. So we thought, okay, well, it's probably over a 3G line or something; it's going to be all locked down, the ports are going to be securely configured so we can't just plug in and see anything. Nope, we were wrong. So when we plugged in it didn't actually give out DHCP, which is fine; I was able to look at the network, see what was on it by plugging in, give myself an IP address, see what the default gateway was, add a default gateway and start hacking the ATM. The ATM was quite firewalled, but you can see all the traffic; you can do man-in-the-middle attacks to see what traffic was happening. I could see it was going over the network, over the 3G/4G link, back to the core network. So I asked the guy who was with me, I said, "what's your domain controller for your network?" and he said, "it's on this", I was like, "okay", and he said, "you know you won't be able to get there, so don't worry". So I RDP'd straight onto the domain controller. How about that: from the middle of nowhere, in the middle of a mall, I can get onto the ATM network just by plugging in at the back, give myself an IP and RDP onto your domain controller. This is what red teaming is.

This was another example, pretty much the same place in the Middle East. They have these little things outside the malls; it's basically just a little air con room and they have their own self-sufficient kiosk and ATM machines. Another example: this is the cupboard that all the network infrastructure was placed in; literally, it was just ripped open. This was two examples; they even put the IP address and default gateway and everything in there for me, so that one was even easier. All this could have been done anonymously as well, because you could have just put on a hoodie, walked in there, plugged in, put a wireless access point in, walked out and done all this remotely. You can have access to their full internal infrastructure. Really quite scary stuff.

So everything we do when we do pen testing and red teaming, we map it back to the cyber attack chain. This includes the reconnaissance phase, the delivery phase, exploitation, pivoting and then acting on your objectives. So everything in this presentation will hopefully map back to one of these phases.
So understanding the cyber threat is quite important, and it gives the ability to provide risk at the board level. You want to know what the threats are to your organization, and this is where threat intelligence reports come in; it plays a big role in what we do. I won't go too much into threat intelligence because that's obviously a talk in itself, but for me, when I'm doing a red teaming engagement, I want to know the threat actor that they want me to mimic. That's kind of the most important thing for me. Each threat actor has different capabilities, so if they're telling me they want me to act like a nation state I need to behave differently. It ranges from script kiddies or lone wolves, which have not much capability at all and are easy to fingerprint, detect and respond to, whereas a nation state is the complete opposite and has significant capability and funds: custom cryptography, protocol multiplexing, anti-detection, zero days and things like that, so they're really hard to fingerprint, detect and respond to.

So the recon, the reconnaissance stage. We come on to the most important one, really, and I can't stress that enough to anyone: it's the foundation of great success, and I like to live by the analogy "proper planning prevents piss-poor performance". Most importantly, the more you can find out about your target environment, the better you can hack it, the better you can weaponize your payload and communications to be able to hack it in a better way and not get detected, basically. Some of the things that I tend to use for the reconnaissance stage: Maltego, which finds a lot of things on the internet that you might not necessarily be able to find by doing normal Google hacking and things like that. DNS reconnaissance is really important; I'll come on to that in a second. Even things like WHOIS records can give you key personnel inside the organization that you might want to target. Other things you can use are media, newsletters, forums and white papers. Social networking is obviously a really, really good one: it gives access to people's information, people who work at that organization, what they do and what roles they have. Twitter, Facebook and Instagram, the same sort of thing. GitHub searching, that's another great one; recently we've seen a lot of information stored on GitHub, and not even private GitHub, so you can search GitHub and find private keys and passwords, and they're often an exact replica of the organization's application or anything, so it's always worth looking on GitHub just for things like that. Even though you'd think that organization wouldn't use that type of thing, people often just put stuff on GitHub. Google Maps, this stuff is quite good as well when you're doing physical SE, so just finding out where they're located, dropping that person on the map and seeing where you can go. Another great one is previous breaches, so we often use this quite a lot. Have I Been Pwned is also quite a good one that links into this, but just looking at all the different people in the organization, using the domain name as a start point to look in the Adobe breach, the Gmail breach, LinkedIn, and that will give you a great start point, or at least a few email addresses to use before you do the social engineering. Also the Shodan API: if you put your customer's name in the Shodan API it'll often give you a vast amount of information about what they've got exposed on the internet. And then also just coming back to normal search engine Google searching.

So, doing a job recently, they said they weren't very security aware, so I was like okay, no problem, and we were doing a remote red team type of approach; we were going to do some social engineering against them because they said they didn't have much security implemented, and we were like okay, that's fine, no worries. By actually doing a bit of a reverse lookup, they were using Mimecast, and for those of you who don't know, Mimecast is like a mail security gateway, and it's actually really quite good; it's got a lot of protections in place. But one thing I've learned from doing the red teaming I've done is that with Mimecast, unless they've got the threat portal which replaces all the links within the emails, if you send an attachment, so a document with a macro or something, then you're probably not likely to get in, but if you send someone a link to an attachment which is hosted on the internet then that's probably the best bet. So just having this kind of information, just from DNS, is really valuable before you attack your organization.

So if you're doing social engineering or spear phishing campaigns against an organization, you need to know the domain, obviously, that you're targeting, and the email format, but once you've got that information, tools such as Prowl are really quite good. So Prowl searches LinkedIn for all the people it knows about for an organization and it will come back and give you a nicely formatted list of email addresses to use for your spear phishing campaign. Similarly, theHarvester and Maltego will do that sort of thing, but we found that Prowl is probably the best effort. There's also previous breaches, because they can just give you a massive list of email addresses to use, and not all of them are still valid, but I'd say two-thirds generally are. So this is an example of Prowl. It's actually a guy from Nettitude who wrote this and it's really good; basically it just gives you the guy's name, what their role is within the organization, and even now maps against Have I Been Pwned, so it will give you all the list of email addresses for the organization and it'll say, oh, this one, this one, this one's already been in the Adobe breach. So then you can cross-reference that, and again with the Adobe breach you sometimes can get the password back; the password isn't in there, it is encrypted, or encoded should I say, but they have passwords that have been reversed. And what I would say is, when you target an organization, think about what your objective is for this whole test. So are you going to go after their core application server, or are you going to go after their banking application? Because this might basically save you a bit of time once you're in. So if you know you're going after that certain banking application, LinkedIn might say these three guys here already work on the application, so this is a great way of finding information out before you go in, so you don't have to do much lateral movement once you're in.

So it's good to know your terminology
when you're talking to the client, or just generally, because there's a bit of a difference between spam, phishing and spoofing. Spam is unsolicited bulk email or messages, irrespective of content, usually bulk advertising, that sort of thing, whereas phishing is a type of spam but it's purely intended to trick the user into entering credentials or sensitive information with the intent to commit fraud or identity theft, whereas spoofing is the forgery of email headers so the message appears to come from someone else rather than the actual source.

So what I've been doing recently, again against people who probably haven't got things like Mimecast, is I've had quite a lot of success with spoofing emails: not necessarily spoofing it from Microsoft or anywhere like that, because that's where stuff like SPF comes in, but actually spoofing it from themselves. So if you're targeting a bank, for example examplebank.com, actually spoofing from them, so using the WHOIS records to find out who the network admin is and then spoofing from him to the rest of the company, and sometimes this is just allowed in because of the way the mail gateway is set up. So it's worth testing this out before you even try creating your own domains and things like that, because you'll have a lot of success with it. And also one thing to note: if you can do that, you're actually from a trusted domain, so anything that you send, like hyperlinks or images, will automatically get downloaded in Outlook. So it's definitely worth testing before you do the start of an engagement.

So the current tooling out there that I've found I use in red teaming. Metasploit, obviously, is probably the biggest and best open-source penetration testing framework. I wouldn't say it's specifically ideal for red teaming because it's quite noisy and it's not very stealthy; it's been signatured by a lot of IDS and IPS products. The reverse HTTPS has come on a long way: it's now got some set timeouts and sleep options so you can almost use it as a beacon, but I still wouldn't say it's, you know, a full-on end-to-end, very good red teaming tool. It's got some great SOCKS proxy capabilities, so that's what I tend to use Metasploit for: not necessarily to get in or get the initial foothold, but if I want to use it for RDP and SOCKS lateral movement, that's what I use it for. I'll show you a bit of this later. Empire, that's been quite big; it's been out just over a year now. I think it's a really neat product, and I have had some issues with it, so I've tested it in quite a lot of environments and there have been a few issues where it wouldn't go through proxies. Most of the people I test are quite high profile clients, so they generally have quite a good secure configuration and everything's proxied, and it's failed a couple of times, so I've been a bit worried about using it. You've got to have confidence in your tools, so I revert back to Metasploit, but again then you know you're at risk of being caught because it's quite noisy. Cobalt Strike, that's a very solid red teaming tool, that's really good. It's quite expensive: if red teaming is not your core function within the organization, then getting the buy-in to have that per license is probably quite expensive. And there's PoshC2, which I'll come on to a bit later, but this is a free tool that we've written to help with this kind of thing. Everything that I've talked about here has been simplified to be used in that when you're doing this engagement.

You've got to note as well that when you're doing social engineering and spear phishing, you're really only going to get one shot, so you've got to be really, really reliable; use a really reliable tool that you know is going to get in. So I've been doing this for probably about 18 months now and I've had pretty much a one hundred percent success rate, so every job I've done with red teaming we've kind of got in one way or another. I think the success factors for us are basically just testing the tools that we're using, using proxy-aware payloads, and basically, if you aim to infiltrate the most secure environment, then if it's less secure than that it's a winner. So always aim for the most secure. Don't go out on ports like 8080, because they're not allowed out on proxies by default, so always go on port 80 or 443, make sure your traffic's encrypted, that sort of thing.

One of the ways we've still been getting in is with VBA macros. It's amazing; VBA macros have been around a long time and people have been using them for social engineering and spear phishing for ages, but it's amazing how often people still require VBA, so they won't disable it. It's really easy to implement trusted locations for macros with group policy, but people still don't tend to do it. So sending a macro has probably been the most used. I've also used documents with OLE objects in, so you can even add executables and things like that in Word or Office. Java JAR files, I tend to use these quite a lot as well, but I would always sign them; unsigned Java files are pretty much a no-go, because by default Java on High only allows signed applets. So it's fairly easy, I'd say fairly easy, you can get a code signing certificate, but I'll talk about that a bit later. HTAs, HTML applications, again these are quite good for getting inside an organization; however, you know, most Outlook will block these because it sees it as an executable, but if you host it and then send the link to it, these are ways that you bypass those sorts of filters. Quite a few recent ones: a zip file, so in a zip file you can actually have an LNK file which links off to something like PowerShell; when they just double click the link file, the shortcut just runs PowerShell, so that's another good way. And ClickOnce, so this is really quite powerful as well: integrating PowerShell or a standalone executable into a ClickOnce application, so send them a link saying "come visit this site, you get ten percent discount", and when they click OK it pops up a ClickOnce which is all signed, and they all feel quite fuzzy because it's got a nice little padlock, and then they end up clicking. Site cloning, again, if you're just after credentials, because they've got a lot of single factor systems on the internet, then site cloning might be the way to go. I've had a lot of success with just pure brute force of single factor systems on the internet, so using stuff like the Adobe breach to get the list of email addresses and then trying maybe Password1, January16, these stupid things against it, only probably once or twice because the lockouts are generally going to be three, but we've had a lot of success. I had one recently which was against Citrix, so Citrix users on the internet. I looked at it and it basically said it was two factor authentication. Before, I'd probably not even bother trying to brute force, but I thought, what the hell, I've got a list, I've got a password, I'll give it a go. So I brute forced about 150 users with, I think it was, Welcome1 or something like that, and basically I was able to get in from the internet even though it said it was two factor. So even though it says it's two factor, you still have to put each person in the two factor authentication group, so you might find one that isn't, so it's always worth a go. This person, luckily for me, had access to some pretty sensitive information; there was a nice folder called "credit card shared data", and I was like, oh, that looks juicy: 25,000 clear-text PAN numbers, which was quite nice, hanging on the internet off a Citrix server. Not sure how they got away with it in terms of PCI, but there we go. So just trying things like a brute-force attempt against systems that should be
single, or shouldn't be single factor, is always, always worth a go. But again, be quite careful, don't lock things out; make sure you only try one attempt and be quite stealthy, if you are trying to be stealthy.

One of the most important things is increasing the trustworthiness of your links in your spear phishing campaigns, and the ways you can do that are buying stuff like code signing certs, as I've talked about, so when you're sending in a Java payload, or a code signing cert, sorry, or a ClickOnce application, if it's signed, again you get the nice green padlock and everyone feels warm and fuzzy. Also, if you're sending in CVs, things like that where you need a telephone number, you want to purchase burner phones from somewhere so you can actually legitimize it a bit more and put your telephone and mobile number on, so they think, oh, there's a mobile number, that must be safe. Registering a new company: we often register quite a lot of different new companies when we attack an organization; even sometimes if it's like Example Bank, we'll buy Example Bank Group or something like that. These types of things, people just see the bank in the title and go, oh yeah, that must be safe. Let's Encrypt, which is free, so if you're making any websites when you're site cloning, that's all free too; you can get free certs, 30 days, or 90 days I think. And also, yeah, try using very similar domains. I said this before: the default on Java is High, so if you are using Java, make sure you sign it with a code signing cert like here, so it pops up and doesn't show any red errors and stuff.

Another one which is quite interesting recently is site and email reputation. Again, I'm attacking quite high profile clients, so they have quite good web proxy gateway filters, which probably have quite a lot of threat feeds which come from known sources and say these are good, these are bad; they block unwanted categories like hacking, things like that, Gmail, webmail, that sort of thing. So when we're creating these sites on the fly, maybe like a week before, these aren't going to work. So what we've been having to do now is actually create sites six months, twelve months in advance of doing a test so that we can build up their reputation, just even basic e-commerce sites that just sell random books or something, so at least they get a decent category and they're sort of permitted through web filters and things like that. I've never used direct IP addresses for C2 traffic, because that instantly will just come up as a big red herring within any sort of filtering system. Also, in the early days we tried to use dynamic DNS, and again this is quite a no-no; this is quite easily blocked or disabled on sort of websites and things like that, so I'd steer clear of that.

So site cloning: we often target a group of users via site cloning just to get credentials. Even if they use 2FA, you can sometimes basically add the step within the site clone. So this is us; we created a site clone of their Citrix system, which did have 2FA, unlike the previous one, or at least it's meant to. So to do it legitimately we created another one, we site cloned it and sent a link saying, "oh, we've just upgraded the Citrix server, can everyone try and log in", and with some nice jQuery, which I'm not very good at, but I got help with it, basically you can offload the query so it sends back to your own web server log, so it'll actually pass me the creds: the username, the password and the PIN. At that point you've probably got about 60 seconds to use those credentials legitimately on their website, and especially if you create a nice link so when they press log on, it does actually pass them back to a failed logon attempt on the legitimate site, so then they log in a second time, and by that point you've already logged in, and then they log in and they think nothing's wrong. So this is just another good way of doing site cloning without raising suspicion. And once you're inside a Citrix environment it's pretty perfect from a red team perspective, because I think ninety-nine percent of all Citrix environments you can break out of to some sort of PowerShell or command prompt. I think I'll show you that a bit later, so it's a really good thing to get onto from a red teaming perspective.

So when doing this type of engagement we provide the client with some analytical data. A lot of management like graphs, as you probably all know; it's kind of management porn in their eyes, and I like to add these. To get this information I had three stages in my spear phishing campaign. So inside the email I'll send, I'll add a web bug, and the web bug will have something like 1.png. So when I've sent my links, when I've sent my first phase in, if they download the image I'll get a log with a unique reference on my Apache web server, and I know that person's downloaded it. So at that point everyone's got a unique reference, so if I send 10 emails in and I get 10 unique references hitting my web server, I know that every one of them has at least opened that. And then if I've sent a docx or something like that in with it, I will add something like 2.png when they open the document, so at that point I'll know that, one, they've opened my email, two, they've opened the attachment, and then three, if my exploit's been successful, I'll have got shell. So then I can give a nice graph to say how many emails were sent, how many emails were opened, how many documents were opened and how many hosts are compromised. So this is just a really nice graph to send back to the client at the end of the engagement.

So, UNC paths. Someone's had quite a talk on it, and I think is doing the talk again soon as well, but UNC paths are really quite
interesting. It's been around for donkey's years, but no one's really used it in a social engineering capacity that we've found. So you can embed HTML, obviously, within an email and you can send it, and if you send an image source, for example, with a UNC path, and if someone opens that inside a normal organization with tight egress filtering controls, this isn't going to do anything; it will just open, the image will fail to load. But what happens if you're targeting people working from home? You've got crappy SpeedTouch routers or BT Home Hubs without any firewall; this will just basically seamlessly go straight out if they haven't got any no-split VPNs. So although you think you're targeting a really high profile client that it definitely wouldn't work on, it's worth trying it for those remote workers that might not have connected to a no-split VPN. I wrote a blog on it as well, and why it's quite bad, so I won't go over it too much, but you don't have to embed it in the email itself; you can also embed it in the document. You can either do this manually, again I think I go on to this a bit on the blog, or you can just use the Metasploit module and it will actually embed that UNC within the document.

I haven't really told you what UNC does, sorry. So for those of you who don't know, if someone opens this on Windows with a UNC path, it will try and NTLM authenticate to that endpoint, and if port 445 is allowed outbound you'll get the challenge-response hash of that user's password, and then obviously you can try and basically attempt to offline brute force that, try and get the password, and then in combination with, for example, single factor systems, you might be able to use that to get into OWA or anything. OWA has got a vast amount of information usually, and people just leave it on the internet just for ease, really. But once you've done this type of attack with UNC you can then access loads of information. If you just search for "wireless" on OWA, sorry, on Outlook Web Access, generally you come back with, oh yeah, this is the Wi-Fi password, it's changed, everyone. Or if you search for "password", people just store random passwords in there. Also credit card information; just searching for PANs and things like that, you'll find a lot of this information within OWA, and this is without even penetrating, we'll move on, without even accessing the inside network. Other things that are often on the internet are things like Lync, so another good one: if you want to really social engineer someone once you've got onto that single factor system and you can't really get anywhere, you might be able to jump on Lync and send them a document to open or send them another attachment, because they'll think it's that person. Also, sending emails from OWA, sorry, with UNC: once you've got access to OWA you can actually send an email from that user to the rest of the company, and that email is trusted, so you can add another UNC path and you get a lot more shells if you even do this via OWA from the internet, but you have to manually intercept it with Burp to add the UNC path.
so signing macros data and other adds another degree of authenticity some exactly some examples of what it might send in so obviously we're 2016 everyone thinks it's new and different so if you send a document something like that they'll say oh this was created with a later version and yours you need to enable content about 75% users will just go yeah okay enable content what I quite like doing is sending a CV so yeah hi I'm after this job of Allah is my CV having a nice little picture with some encoded text and then adding an image saying to enable a UK encoding click enable content then once they do that the image is then reverted back to
the proper picture and they feel warm and fuzzy that something's happened and it worked so they don't think that anything's the various going on the background they just think something Tappin that work cool it must be my PC click once applications so again these are really good and when you're trying to mimic sort of things like Citrix because by default you have to have the Citrix Receiver installed on your machine and to do that that actually installs either send you off to a link or install something on your machine so when they see things like install they're not going to think that's dodgy they're going to think oh yeah that's just normal install it click once happy
days. And if you again use a code signing cert, it comes up and it doesn't say anything in red, "not trusted", so it's just another good way of getting inside an organization, and this is all part of the delivery mechanism. What I would say is always anonymize your C2 traffic. If you're doing a real engagement you're trying to mimic a real threat actor, so you don't want the IP address to come back to Nettitude, because they'll just be able to do a reverse lookup on the IP and go "that's Nettitude, a UK security testing company". You really want to mimic a real threat so that their IR team can work their ass off to try and find out who's trying to hack them, and then give a nice report at the end to say what we did, because that's kind of the real reason we do a red team engagement: to test their defense and response capability. There are two ways you can anonymize your traffic, well, two ways I'd do it. You can either create an iptables rule on some sort of VPS on the internet which basically just forwards 80 and 443 to your C2 server, so all the traffic will be going straight to them, bouncing in the back end back to the Nettitude range. Or there are some nice Python scripts you can write; one of our guys wrote a nice Python script which basically, if it's a normal web request, will just take you off to the website, and if it's C2 traffic, defined by the user agent, then it will go off to the C2 server. This helps when you create bogus websites, because if you do it the other way with just iptables it just sends you off to the C2 server, whereas if you use the Python script you can actually have it go off to your normal website which has got a good reputation. So one day in the red teaming world I sent my CV into the recruitment mailing
list of a company. Thinking very pessimistically, I decided to send the attack and go for a coffee as per usual. This was about half five at night, so I was just about to get off, just about to go to the gym. Less than five minutes later Wendy opened my email, and then she opened the CV, and then she enabled macros. However, the UNC path was blocked, which was fine, that's no problem, I've still got a shell on her machine at this point. However, never fear, because Enterprise Vault was here, so this popped me domain admin credentials sent over UNC. So I was now inside the organization with a foothold, with domain admin credentials sent via UNC, which had a trivial password. So basically zero to hero in five minutes, and I wanted to go to the gym at this point. Basically I was inside their organization; I could access their datacenter, I could laterally move to pretty much anything that was Windows authentication with the domain admin credentials. This really just shows how powerful UNC can be, again, because I didn't think UNC would work, and it didn't on the user that I was intending to attack; however some random configuration of Enterprise Vault allowed me to get the domain admin credentials. So it's just really quite strange how things can happen, but always just add all these types of things into your weaponization phase. Once I had access I could screenshot her desktop, see that she was on all her emails, while I was searching to find some information, because this was kind of an open objective. They just said they'd never really had this, pen testing, before; they just wanted us to present the risk to the organization. So after a little search around I found HR payroll data, looked in their folder for P60s. Now that can't be all; the P60 is a password-protected PDF, that's fine, I can't get around that... oh wait, I can, there's John the Ripper, got around that, and then I showed them the CEO's pay slip. I've had to adapt that, but believe me
she earns a lot of money. So a shell is only the beginning, as Dark Operator would say, and it really is. It's great having 320 shells in the organization, but you really have got to act on your objectives, so once you're in, that's just the starting point for me. Then I want to actually laterally move, try and act on my objectives and get the crown jewels of the organization. But first, whenever you get inside an organization you do some situational awareness. Don't forget, when you do this type of engagement you are going in blind; you don't have a clue what you're going to hit, if you're going to hit, and what you land on, so you need to be aware of your surroundings. Are you on a desktop? Are you on a VDI, which is a virtual desktop? Are you on a laptop? Is the system joined to a domain or is it standalone? Because you might be on some guy's laptop at home which you never really intended to target, so you need to be quite savvy when you do this type of thing, because you could be breaking the law at this point. You need to check what OS language it's on. I was doing this recently; I was able to escalate privileges but it took me about an hour and a half when it should have taken me about five minutes. I was on an Algerian PC; I didn't really take note of this when I was initially on it, and I was basically able to escalate my privileges by a service abuse, but I was trying to add my user to the local admin group and it wouldn't work, and I was pulling my hair out: why is it not working? I know I can get privilege escalation. And because in Algeria, in French, "administrators" is spelt with an "eu", so it's "administrateurs". So basically just be aware of what machine you're on, and little things like that can just hold you up and take about an hour of your life where you didn't need it to. And this is really important
before you lay persistence as well, because if that was me and I'd just laid persistence there and then and moved out, then it wouldn't work. So that's really important. Which brings me on to another little story. We applied for a job at a company, and at the top of the CV we had a burner phone number which we'd used before. A guy called Michael rang the burner phone. There were three of us in our war room and there was dead silence as this burner phone rang; it's the first time we've actually had a call into the burner phone. We were like "oh, what's that?" Anyway, I was like "no, no, you answer", he was like "no, you answer", and we had a bit of a fight, and in the end I was the unfortunate one to talk to this guy. Anyway, he rings me, goes "oh hello, hello, is that... what name is it, James?" I was like "yeah, yeah, it's James". He said "I have your CV and you have an issue?" I was like "yeah, yeah, basically I couldn't upload it to your website, so I was wondering if you could upload it for me", and he was like "yeah, no problem, no problem". He said it should be in PDF. I was like "yeah, I know, but I didn't have a PDF of it". He was like "no problem, I can PDF it for you". I was like "great, perfect". I said "does it show my picture by any chance?" He's like "no, I can't see a picture". I was like "okay, no worries, is there an enable content button by any chance?" "Yeah, yeah, sure." I said "can you click that?" "Yeah, no problem", click, yes, we had a shell. I was so happy at that point. I guess the reason why I'm saying this is when we got in and we actually got a shell, we failed to install persistence, so luckily for us we had a great guy called Michael. In the first instance we tried to install the persistence within the registry, but
because we were on a VDI, and the actual bat file we uploaded was in the C drive. When he logged in again, with a VDI configuration you can either have dedicated VDIs or you can have a random VDI, and some VDIs can be destroyed. So when he logged in on day two we were waiting for a shell at about 9, 9:30, didn't get a shell, oh bugger, why, why not? Couldn't think. Anyway, the reason we didn't get a shell was because it was on the VDI. So anyway we sent him another email, ha ha: "hi Michael, I've updated my CV, I forgot to add that I had this qualification at this date." "Oh, no problem, no problem, here, I'll update it for you." Bang, another shell, happy days. Anyway, right, we've got to install persistence this time, so we tried to install persistence a second time with a scheduled task, a scheduled task with a bat file again in his local profile, and for some reason, again we don't really know why, this one failed. Come to the second day, 9, 9:30, no shell. No way, we can't use Michael again, surely not. Anyway: "Michael, there's a typo in my CV, could you update it for me?" Thinking, half an hour went by, now he's not done it. "Sorry Ben, sorry I was a bit late, here we go, done." Yes, third shell. Anyway, third shell, managed to install persistence properly in the registry and nothing touched disk. When he logged back out and logged back in, everything was persisted fine, and it was great really. I just thought I'd share that story because even if you've been doing this a while you can basically get caught out, so it's really good to know your surroundings; you guys might not have a guy called Michael who'll just click anything. So there are four ways I reliably get persistence. If you're in as a user there's the HKCU registry Run key, which I often use. This is fingerprinted quite a lot now, so if you're going against a company that's quite locked down you might be a bit careful
when you're installing persistence, but for the most part it works. And if you've actually managed to escalate privileges to SYSTEM, there's a SYSTEM-level version of it as well. Another way that's quite good is a scheduled task; again, most times you can run that as a user, but often it is locked down by group policy. Again, if you can escalate privileges on the machine to install persistence, you can get a SYSTEM-level service, which runs as SYSTEM. And one of the most stealthy ways that I find is WMI. Matt Graeber did something on this, I think it was about 9, 10 months ago now. You can create an on-startup WMI event which is really stealthy; not many systems would pick this up at all, so if stealth is your approach then that's the way to go really. One thing to be aware of again is proxy-aware. I know I keep going on about this, but it's really, really important. If you've escalated your privileges to SYSTEM, you've got to remember that the user you were logged in as before you got SYSTEM would have proxy-aware credentials, so he would be allowed to go through the proxy. SYSTEM isn't a domain user, so SYSTEM wouldn't be able to traverse out of the proxy. So when you're creating your payloads, if you're using stuff like Metasploit or whatever you want to use to get out, you need to make sure that it can support proxy credentials and the proxy URL, because SYSTEM won't be able to find that out for you. This is another way we've failed before: just installing it thinking SYSTEM will get out, and it won't. So just be aware that if you escalate privileges and install SYSTEM-level persistence, make sure you add your proxy details. Other post-exploitation techniques I use a lot are cred logging and cred popping. The main goal of a red team engagement is to get to the critical assets or applications, and
often inside a bank or something like that it'll be on Oracle, so the credentials that you might have got during the Windows phase wouldn't work on the Oracle stuff. The way I generally do this is, basically, if the guy that I've got onto has open the application I want to access, so the banking application, I often just kill the process and wait for him to log back in, using a keylogger, and that way I've got the credentials I need to actually move on to the application. This is an example from a real-world application: using a PowerShell keylogger I was able to see him go onto the banking suite, enter his username and enter his password. I was then able to laterally move to another machine with Citrix and log straight into that banking application.
Which brings me on to another little story. We approached a guy called Andrew. Andrew was a network specialist who may or may not have been looking to leave his current role, and we found his CV was already out there on the internet. So we basically got in touch with this guy over social media and slightly oversold him a role: the new IT role was working from home, great salary, fifteen percent pension, private healthcare, everything. We literally just sold it on the phone within an hour and a half. This recruitment lark is really easy; I don't know why I don't go into that, to be honest. All he needed to do was visit a website and digitally sign my agreement in principle. So I said, "before I can work on your behalf I need you to visit this website, so that I don't do anything naughty, and I'm bound by UK law". So I got him to put in his full name and his email, which is the digital signature apparently, and it says "I agree that this contract shall be governed by UK law". So he thought this was all good: "yeah, no problem, I'll do that for you now, Ben". Because I said it was all anonymized and nothing showed any recruitment logos or anything, he did this on his work PC, which wasn't exactly what I wanted, basically. It just popped up a Java applet, and he clicked run, happy days, I got my shell. Michael may or may not have sent me some very, very harsh messages after this because he found out about what we did, so much so that when I got on his machine he actually must have gone home and told his wife, listen, everything, that you've got a new job potentially. He was searching to kit out his home office, so he was searching for chairs on Currys, he was looking to buy a printer, and I did kind of feel quite bad at this point. But he had the keys to the kingdom; he was pretty much on to any firewall, switch and router within the organization, so I didn't have to move. Like I was saying back at the start, I picked the right guy to target; I didn't have to do any lateral movement, so it was fairly easy. It could have been worse; it could have been my mate who decided to put this as his LinkedIn profile, could have broken his marriage up, but then it can always be worse. So lateral movement: lateral movement is a key point in the cyber kill chain, and it's where you would act on your objectives. I've talked about MSF quite a bit; the SOCKS proxy capability in MSF is pretty awesome, it allows
you to proxychain any of your tools in Windows or Linux through that initial shell. There's another way you can do it as well with Cntlm and an SSH proxy server, but it's not quite as cute as MSF. Another way you can laterally move is using WMI and WinRM within Windows. Citrix servers are often a great target, so when I get on to my initial foothold on the laptop or desktop, the way I often try and escalate privileges is either on the machine itself, which sometimes is locked down fairly well, or I'll often go on to the Citrix servers. So once I've got on with PoshC2, then I'll install Metasploit to use the SOCKS proxy capabilities, and then I'll access the Citrix server. Once on the Citrix server... I'm getting a bit ahead, I'll get on to that after. This is the SOCKS proxy capability of Metasploit; it allows you to use any of your normal tools, so you can just use Medusa, Nmap, RDP, SMBMap. All these tools you can use because proxychains allows it to go through Metasploit. It is a great way of being able to laterally move once you've got your initial foothold within Metasploit. Sometimes it's really quite easy because people just have a nice password doc file which has got all their passwords, even for the National Lottery. But what I was saying before, going back to lateral movement and Citrix: this is an example. I actually used a SOCKS proxy server to RDP my connection on to Citrix. Once I was on Citrix I could access all the banking applications, but what I wanted to do was just escalate privileges at this point. I was able to basically use Windows Explorer to navigate to PowerShell, open PowerShell, because I know Citrix servers are used all the time, people tend not to reboot them, so obviously for that note they're probably not patched. I used MS16-032, which is one of the latest privilege escalation vulnerabilities, to allow me to go from nothing to SYSTEM. When I was on as SYSTEM, obviously you can dump the clear text passwords out of memory, which I did, which was quite ironic because the password was "suck at red team" at this point. This guy that I got the password for was DA, as they all were; we moved to the domain controller, added users just for an IR sort of case, accessed other Citrix applications. I was able to even log into that, basically the money place where you can approve and reject payments from one system to another. I was able to download all their PDF copies of all their agreements, again
access the banking information. Another one which is quite interesting is the database stuff. Sometimes they might have Imperva, which logs database connections to and from a client and server, but what's quite interesting is if you RDP onto the server and access it via the MS SQL management agent, that isn't logged within Imperva. So that's just another way to think about it: if you've been quite stealthy and don't want to get caught, that's a good way to access the database. So all that is kind of how I would do a red teaming engagement, and that's kind of how we built a tool. To start with I created a wiki which had basically all these different tasks that I would do with all these different tools, and I thought, well, why don't I just create our own off the back of what we did, within PowerShell and Metasploit. So we created something called PoshC2, me and Dave Hardy. There are 12 reasons I think you should probably have a look at PoshC2. It's maintained, free and open source. It's inspired by the MSF stuff we did back in April last year. It's a great way of learning PowerShell, in a phased approach, so it doesn't just chuck you in the deep end of learning PowerShell, like you've got to know PowerShell; you can just run known modules and cmdlets, so it is quite easy, like Metasploit, but it also
allows you to get quite dirty in PowerShell if you want to, so you can write your own modules and add them. It all uses AES encrypted communications. We've added an auto kill switch, so it just reduces the risk for an organization; if you're going to do this type of engagement they might be worried, "what happens in four weeks and you've still got a shell?" Well, no, we won't, because we'll have a kill date of two weeks; anything after that date will automatically get killed. So it just reduces the risk a little bit and they're probably more likely to go for a red team engagement. It's not only red teaming; you can use it on a pentesting engagement, so I use it quite often now, because if you're using PowerShell you don't have to think about removing anything, it's just all in memory. Simple to use and it's really easy to install. It will create you a Java payload, so it only requires the Java JDK if you want it to do that part of it, but it's not essential if you don't want to. It works on anything from PowerShell version 2 and above, which is Windows 7, 8, 10, 2008, 2012 and up. It's fully proxy-aware, so that's one of the main things; I've tested it on quite a few things like Squid, TMG, Websense and Palo Alto and it all works perfectly. It's based on customizable HTTP beacons, so it's not a continuous TCP stream; you can set the beacon to be 60 seconds, five minutes, two hours, anything like that, and it's also got a jitter of ten percent, so if they're looking on their firewall for everything beaconing at 60 seconds exactly, this will actually add ten percent jitter to counteract that. It's maintainable, modular and can be added to in the middle of an engagement; it's got a folder called modules, so if you write your own PowerShell and you want to just add a module quickly on the fly to run it on the engagement, you can just drop it into the modules folder, load the module and away you go. From the communications perspective we tested against FireEye, Palo Alto and Websense. We've added some image heuristics, so actually if you take the traffic from the C2 going back and forth and load it, it looks as though there are PNG images flying back and forth; all the data is an encrypted byte stream within an image, so it's actually quite hard to reverse and get the data back out. It just looks like images basically, so it's quite good from that point of view. And then one of the most important things is the detailed output you get. When you do this type of engagement you need to be really time-sensitive, so you need to say exactly what you've done and when you've done it, so at the end of the engagement you can go to their IR team, they provide a report to say "this is what we saw", and you need to be able to collaborate with yours and say "no, no, we didn't get found there, we got it here and then". So just a synchronized time source and time stamping of everything you've done is really important. I'll show you a demo after, but that's one of the main things why we wrote this, and it puts it in a nice HTML file so you can provide it to the customer after as well.
So I was going to do a live demo but that went horribly wrong, so I've got a video. I'll skip the installation, we haven't got much time. Once you've installed it, this is basically how it looks. You wouldn't use an IP address usually; at the top it will give you five options, you would use the URL or DNS name you've configured for your C2 server. It's going to run quite quick because of time, but basically it's me getting a shell on a bank; it's a fake bank I've created. Oh sorry, no, no, I can't see it, yeah, it's basically me getting a shell on a fake bank. This is how the implant comes in: it shows you the encryption key that everything is encrypted with; it's all stored in a SQLite database. Then on the left hand side it opens two windows; the left hand side is where the output goes, the right hand side is where you input the commands. So get-screenshot is just a normal function, basically just a normal print screen of the desktop that you've compromised. You can run things like whoami, net users, net localgroup administrators, these general commands that you'd be
able to run, so it's like a command-line interface. This is beaconing every five seconds; you can set it to two seconds, one second or two minutes, so that'll be quite stealthy, but for this I wanted it to be quite quick. The main aim of this one, I think I'll skip the installation: this bit just attempts to escalate privileges. I'm using MS16-032; 16-032 is out there, we've just incorporated it into PoshC2, and that hopefully will show me doing that now. Start another implant: that's just another way of getting another implant, so once you've got one, again, you don't want it to die or to time out, so you always do "start another implant", which gives you a backup one. So it's quite interactive; it's got a help line, so just type help. It's literally two PowerShell scripts basically; it's all readable, you can edit it. It's got a modules folder; it's fairly modular. This is all the modules that we've put in. I haven't written all these by the way; these are all just the decent scripts that are out there and cmdlets that are already out there by HarmJ0y, Matt Graeber, and I wrote a few of the functions like Get-Proxy, because these are some of the things I'd want to do when I'm on an engagement, but it's basically just running a registry command in the background. Everything I've written, like Get-Proxy, tells you exactly what the command is, because I want it to be quite transparent; I want you to learn how to use PowerShell as well. Cred-Popper is a good one: that basically pops up on the screen on the desktop, saying Outlook requires your credentials. To do anything usually you need to have credentials, and I don't know how many times my machine asks me that, so it's not something that wouldn't be familiar to the person. Everything that you put in, like the screenshots, will be in here. This is just an example: this is a screenshot of the desktop that I've actually managed to capture. You can actually sit there just doing screenshots, and often it's quite good just to sit there watching what the person does, because they're the person who knows how to use this banking application; I'm coming in as an outsider wanting to use the application, I have no idea, so just sitting there watching is often a really good way of learning how to use the application.
Creating a proxy payload: everything, like I said, is proxy-aware, but you need to be able to tell it what the proxy credentials are. I'm escalating privileges now to SYSTEM; as I said before, SYSTEM wouldn't know how to get out, so what you've got to do is create a proxy payload and tell it what the URL is, which obviously I found out from the registry, and I've got the credentials now. So now I can create my proxy-aware payload and hopefully exploit MS16-032. Instead of touching disk I've introduced something recently which is named pipes. In PowerShell, especially in the exploit world, where MS16-032 works as a race condition and starts a new process, you're only allowed 1024 bytes, but when you create a PowerShell proxy payload it's bigger than that. So the way I've done it is to set up a named pipe, which is exactly what it's doing now: it sets up a local named pipe in PowerShell, and then it gets the data from the named pipe, and that's allowed me to get it to less than 1024 bytes. So that's what it's doing. Hopefully I won't keep you much longer; coffee's on the rise.
It'll automatically load modules as well if it knows about the module; if you add one it won't automatically load it, so you can just type load module and then PowerView.ps1 or whatever, and there we go, we've got our SYSTEM shell there. So now I can use it: go back up here, see all my implants on the right, whoami, and it should then come over and tell me I'm SYSTEM; yeah, bank system. So that's me escalating privileges, all through a firewall, laterally moving, and proxy-aware as SYSTEM. Like I said, this is created by me and Dave; as I said, we want to create more integrated payload methods like HTA and ClickOnce. We want to create a daisy-chain method so that once you're inside an organization not every machine has to connect out; it can all connect out via the first pivot basically. And implement process migration, which we've already done now, so you can actually migrate to other processes. I want to add more modules, like capturing traffic, autocomplete and things like that. Feel free to do pull requests; it's all on GitHub and on the Nettitude Labs website, so have a look, feel free to hit me up. Just quickly, this is the logging. Basically this is our output; it outputs two files. It tells you exactly what implants you've got and what host they're on, and when you got them and when they last communicated, and it also tells you exactly what time you ran each command and the output of each command, so it's great for red team vs blue team. So thank you very much. [Applause]
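The 60-second beacon with ten percent jitter that the talk describes, seen from the blue team side: an added example, not code from the talk or from PoshC2, that scores the inter-request intervals in a proxy log per client and destination and flags pairs whose timing is regular enough to be a beacon even though no two gaps are exactly equal. The log format, hosts and timestamps are constructed.

```python
"""Periodicity check for HTTP beacons in a proxy log.

Added example, not from the talk or from PoshC2.  A rule that looks for
"everything at exactly 60 seconds" is defeated by 10% jitter, but the
*spread* of the gaps between requests still gives the beacon away: uniform
+/-10% jitter on a fixed period has a relative spread of roughly 0.06,
while a person browsing produces gaps that vary by more than 100%.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, median, pstdev
from urllib.parse import urlsplit

# Constructed proxy log, "<ISO timestamp> <client> <method> <url> <status>",
# grouped per client for readability (the code sorts by time anyway).
# 10.0.0.5 beacons at 60 s with gaps of 54..66 s (the 10% jitter band);
# 10.0.0.7 is a person reading news; 10.0.0.9 makes only three requests.
SAMPLE_LOG = """\
2016-06-10T17:30:00 10.0.0.5 GET http://cdn.example-bank.test/images/a.png 200
2016-06-10T17:30:58 10.0.0.5 GET http://cdn.example-bank.test/images/b.png 200
2016-06-10T17:32:01 10.0.0.5 GET http://cdn.example-bank.test/images/c.png 200
2016-06-10T17:33:02 10.0.0.5 GET http://cdn.example-bank.test/images/d.png 200
2016-06-10T17:33:57 10.0.0.5 GET http://cdn.example-bank.test/images/e.png 200
2016-06-10T17:35:02 10.0.0.5 GET http://cdn.example-bank.test/images/f.png 200
2016-06-10T17:36:02 10.0.0.5 GET http://cdn.example-bank.test/images/g.png 200
2016-06-10T17:36:59 10.0.0.5 GET http://cdn.example-bank.test/images/h.png 200
2016-06-10T17:38:03 10.0.0.5 GET http://cdn.example-bank.test/images/i.png 200
2016-06-10T17:39:02 10.0.0.5 GET http://cdn.example-bank.test/images/j.png 200
2016-06-10T17:30:00 10.0.0.7 GET http://www.news.test/ 200
2016-06-10T17:30:05 10.0.0.7 GET http://www.news.test/story/1 200
2016-06-10T17:32:05 10.0.0.7 GET http://www.news.test/story/2 200
2016-06-10T17:32:08 10.0.0.7 GET http://www.news.test/img/2.jpg 200
2016-06-10T17:47:08 10.0.0.7 GET http://www.news.test/story/3 200
2016-06-10T17:47:10 10.0.0.7 GET http://www.news.test/img/3.jpg 200
2016-06-10T17:47:55 10.0.0.7 GET http://www.news.test/story/4 200
2016-06-10T17:52:55 10.0.0.7 GET http://www.news.test/sport 200
2016-06-10T17:53:02 10.0.0.7 GET http://www.news.test/sport/5 200
2016-06-10T18:03:02 10.0.0.7 GET http://www.news.test/ 200
2016-06-10T17:30:00 10.0.0.9 GET http://intranet.example-corp.test/ 200
2016-06-10T17:31:00 10.0.0.9 GET http://intranet.example-corp.test/ 200
2016-06-10T17:32:00 10.0.0.9 GET http://intranet.example-corp.test/ 200
"""


def parse_line(line):
    """Return (timestamp, client, destination host) for one log line."""
    ts, client, _method, url, _status = line.split()
    return datetime.fromisoformat(ts), client, urlsplit(url).hostname


def intervals_by_pair(log_text):
    """Map each (client, host) pair to its list of gaps between requests (s)."""
    stamps = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, client, host = parse_line(line)
            stamps[(client, host)].append(ts)
    gaps = {}
    for pair, times in stamps.items():
        times.sort()
        gaps[pair] = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return gaps


def beacon_score(intervals, min_samples=8):
    """Return (period, relative spread) or None when there are too few gaps.

    Relative spread is population stdev / mean.  Few samples are refused
    rather than scored: three evenly spaced hits prove nothing.
    """
    if len(intervals) < min_samples:
        return None
    return median(intervals), pstdev(intervals) / mean(intervals)


def find_beacons(log_text, max_rel_spread=0.2):
    """Return {(client, host): period} for pairs whose timing looks beacon-like.

    0.2 leaves headroom above the ~0.06 that 10% jitter produces while still
    rejecting human browsing, whose spread is well above 1.
    """
    hits = {}
    for pair, gaps in intervals_by_pair(log_text).items():
        score = beacon_score(gaps)
        if score is not None and score[1] <= max_rel_spread:
            hits[pair] = score[0]
    return hits


if __name__ == "__main__":
    for (client, host), period in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: beacon-like traffic, period ~{period:.0f}s")
```

Against the constructed log only the 10.0.0.5 pair is reported, with a period of 60 seconds; the three-request client is skipped rather than scored.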