
Why Hackers Keep Winning

BSides KC · 2019 · 1:01:16 · Published 2019-06

Tags: Category: Technical · Team: Red · Style: Talk
About this talk
Traditionally, browsers have been used to browse the internet; with the advent of HTML5 technologies they can be abused to browse and exploit internal network resources. HTML5 features, easy to detect but seemingly overlooked (Service Workers, ORTC, WebUSB, WebBluetooth, and WebRTC), have opened up a new game not many are talking about. Single-shot web server RCE exploits are on the rise; given that a majority of organizations don't keep up with patching internally, it's possible to fire n-days through WebSockets and gain code execution simply from a user viewing a web page in a modern browser. Further improvements allow us to fingerprint vulnerable services and specifically target internal hosts and applications. Think XSS is a minor vulnerability? Let's start popping calc instead of alert(1).

Ryan Preston (Security Assessments Team Lead at Depth Security): awsm is the Security Assessments Team Lead at Depth Security. It's rumored that he was raised by monks at a hidden temple known as the House of Zero. He has an alert(love/hate) relationship with XSS. awsm spends his time doing awsm things: breaking websites, riding motorcycles, capturing flags, jumping out of planes, dropping in to 3 feet of powder in Colorado; it's all in an awsm day's work. Started on BackTrack, OSCP'd with the first edition of Kali, now spending time impersonating Domain Administrators. @awsmhacks.

Transcript [en]

We've got another one in the race this afternoon, and the guys from Depth Security are here; they're going to talk about why hackers keep winning. If you guys haven't spent time in general today, haven't spent time participating in a CTF or something like this, these guys have been putting this on here for BSides for a couple of years now, and it's something that I would love to not run and see so I can actually participate, but you guys can. So if you haven't, you know, these are one of the opportunities: when you come in here to see talks and do the things, these new kinds of things you want to be involved in, these guys do that here, but

they're also highly sought after in other places, including other conferences, and sometimes they're also called upon, well, here it goes, all that said, sometimes they are called off the locals, here we go. [Applause] Thanks. So today we're going to talk about why hackers keep winning, some of the things they do to compromise networks from the outside, as well as a kind of general change. So today we're going to talk about four main things. We're going to start off talking about some high-profile breaches, just to instill some fear, uncertainty and doubt; we're going to move on to some pentesting basics; talk about some common entry points, like we mentioned earlier, ways to get footholds; and then also how to

escalate once you're in, as well as not just infrastructure attacks but attacks against users and what that might entail. There's a couple of quotes. Full disclosure, I didn't write these slides or wake up this morning thinking about a scary podium or anything like that; we are not going to be held responsible for any memes. Yeah, I think I vouch for the content, I'm not sure about the memes. The capacity said already mailed that, awsm hacks. Yep, awsm hacks. So 2017, experienced... sorry, breaches 2018: he's got some numbers of records stolen, which I don't have any info on prices per record, but GDPR I think is, feels like, a four million euro, sorry, or four

percent gross profit penalty; that's probably pertinent coming up if you're affected by that. There's some info on breaches per industry, obviously people love banking. 2019 breaches: no info on records or anything like that, but the point is this stuff is happening. I'm not sure what the repercussions are versus what they should be yet; I think we're moving in the right direction. I think companies kind of need to be held to some level of physical pain before they start paying attention to some of this stuff, and we see that happen. So, talk about defensive toolset evolution. We used to joke, Dan, like five years ago, six years ago, we probably wouldn't even have to worry about

obfuscation, you just run Meterpreter. Yeah, that's pretty much what antivirus was, you know, hey, change three bytes and all your payloads work, we don't have to worry about it any more. Things have changed quite a bit, especially the past couple of years; endpoint protection has really stepped up. Microsoft, amazingly, you know, we used to always joke about Windows Defender. Windows Defender on Windows 7 is still really easy to walk right by; on Windows 10 it could be the best one, and you know, they're actually watching what's happening all the time, and as new attacks come out, new techniques come out, they go and implement them and start blocking stuff. And you know, one of

the big ways that we work as offensive professionals is there's a lot of knowledge sharing. You know, everyone's trying to find cool new techniques, they come out and then they get blocked right away, so you really have to start to find other cool techniques. The good part about this is the bad guys are getting blocked too, and it's definitely making things a lot tougher; the bad part is it makes us have to do a lot of work. Yeah, so you know, we've seen some of these endpoint protection systems moving beyond signature-based detection to more behavior-based: what's it doing, what's it calling, what's it looking at, and we've seen detection where we haven't seen it before. So now, during an

engagement it's much more common that they run things in a lab or try to do some enumeration on what controls are being run, especially on red teaming, which is, well, another thing, we're very goal-based in avoiding detection and working with the team; it's very important to figure out what's running on the other side, whereas it just wasn't in the days when you just had your choice of Symantec, McAfee or whatever. So that's a good thing. The bad thing is a lot of the new controls, Windows-wise, are only available to you if you have an enterprise license, so it's only available if you have a lot of money. So

things like ATP, some of the controls listed up there, you know, aren't available as non-enterprise licenses, which is bad on one hand; on the other hand I expect this stuff to be monetized. You know, also on the network side we see more like, you know, your Palo Alto right out of the box is going to stop a Meterpreter HTTP connection; that's quite a ways from even several years ago. So you know, I think the point was made in the last talk: it's not all about vulnerabilities in the technical sense, right? So our security posture is a combination of our people, our processes and our technology, right? There's a human factor, everything is

we all complain about constantly. You know, if your CFO's assistant gets phished into sending 50 million dollars offshore with some CFO fraud type stuff, that's a process issue. You know, we have the technical issues, the SQL injection, what have you, but with regard to non-technical findings, weak passwords are still a huge issue, right? Lately we've had a lot of success, given a proper user base, with Spring19!, which, if you notice, meets most corporate complexity requirements right now. You also have third-party vendor breaches that had nothing to do with your security posture, right? So you trusted them, and that implicit trust

gets abused when they get compromised. Default configurations: we still see Cisco Smart Install out there on the internet, you know, it's just not really evident that it could be used. That's an example; we see, you know, default passwords, fallen asleep news dreams, obviously, everywhere, two million different ways that something could be vulnerable by default. Sorry, just something with Cisco Smart Install: if you guys are running Nessus, that's an informational-criticality message. Something can own your entire system and no severity at all, because Cisco says it's by design and therefore not a vulnerability. So obviously there's context, like did you find that on the inside network, did you find that... your vuln scan is not going to usually care

unless you have it pretty well tuned; you're a one-percenter as far as the long-standing implementations go. So there's the insider threat, which I worry about, and just inadvertent exposure, you know, that developer that stood up a website and it has a folder in the web root, so just things. Do you want to take this? So why do we get a pen test? And I mean, as a lot of the guys with larger corporations are fully aware, you know, pen testing has several different purposes. You could either be testing your security, you know, you could be doing an actual like test, can you be penetrated; you could be doing a red team where you're actually testing your blue

team, seeing how well you're going to actually defend against it. You could be doing a just-find-everything-that's-wrong, where pretty much as a tester you're not meeting any opposition, you're just trying to find every possible vulnerability, not good at all, so that can all get patched. You've also got compliance reasons, where you're going to, you know, get that check box so then you can handle credit card data, or you're going to actually do it for a customer request, where, you know, they just say hey, we need a pen test, and you say okay, we've been tested on this time. Obviously the different types of tests have different pros and cons. Usually how it

works out is, if you've never had a test, you want to get the most wide, broad-brush, find-everything test. In my experience it's usually people have no idea what's actually sitting out there that's considered vulnerable until they get that first test, and then they go and fix everything, test it again, fix all that stuff and part of that stuff, and then you actually go and see, okay, somebody goes and attacks, you know, our HR department, how do our security people do on response, oh well, how is our training, stuff like that. You kind of ramp up the difficulty both for the tester and for the corporation. So for, you know, pen testing

obviously, and any other real endeavor, it's important to have goals, and there are some pretty common goals with pen testing that I think are fairly inclusive; it's still worth an interesting... So you know, maybe you want to find all your vulns; that's probably not a pen test, it's more vuln scanning, which unfortunately there are a lot of folks out there actually passing off vuln scanning as pen testing. But if you want to find all your vulns, you know, it's going to fall out serious fitness be in our work, and a lot of time. With a pen test you obviously have a time limit, but that's generally, you know, the first thing that comes to mind, is people

want to find their vulnerabilities. Like you mentioned, you want to test your team's ability to even see it; a lot of companies think they did at first, but then they realize they can't. That's something very simple, but you know, how's your WAF working, is your IPS working, how's your response? You know what happens if, say, some low-level user gets compromised as well? There's, you know, a lot of times you get a foothold by spraying outside; we'll talk about it in depth later, but you're going to find out what can happen if you crack a user. There's a lot of power we're going to get into from just getting a single user,

even though privileges, outside of being in the Domain Users group, give you a certain set of abilities in Active Directory; they're pretty dangerous, I think a lot of organizations don't think about it. And then, you know, test the users, right? So maybe your pen test includes social engineering; you want to see how your users do. Our philosophy at Depth is we want to come get people, we don't want to mess with users in the lunar lemon tough quickly; we do do that stuff, but after the general test of the infrastructure, and we get significant success that way. There's no reason to kind of think of it, it's cheap, but it's a huge factor and definitely something

to be concerned about. Types of pen testing: so there's several different types of tests you can do, even with those different sets of goals. An external pen test, which is what most affiliate with it, is going and testing the outside perimeter of a company. It usually involves a vuln scan, followed up with some discovery, trying to find what assets a company actually has, followed up with in-depth testing, you know, going and dirbusting all those web servers and looking for development sites and all the other fun stuff. There's an internal, which is usually of that type where it's more trying to find all the vulnerabilities already inside. These are usually very noisy; again,

vulnerability scans are run, things are followed up on, file shares are checked, the actual network configuration is checked, you go relay NetBIOS requests, so on and so forth. A red team is where you're actually testing the company's defenses; that's where you're not really restricted on the scope that much and you are going in quietly. They don't know when you're going to hit, where you're trying to find your best point of attack, and going to sneak in, pretty much try to evade detection as long as possible, and this simulates what an actual real advanced attacker would do. Purple team slash adversary simulation: this is more usually, a lot of the time, what you'll do after a red team. It's one of

my favorites. It's you actually go in and sit with the blue team and say okay, here's what we did, so okay, what happened, you know, what alerts did you get on that? Okay, why did that fly under the radar? Oh well, you're missing this right here. And instead of it just being a report at the end, you kind of educate everybody, so it kind of brings up the skill level, and that way when the real attacks come they see it. Application assessments: these are what are most commonly nowadays referred to as pen tests. It's going and taking a web application and thoroughly testing and digging into all the different functionality, looking for various web

application vulnerabilities, seeing if you can compromise data, compromise the application, use it as a pivot point to compromise the internal network, so on and so forth. Mobile assessments: doing it once is similar with actual mobile applications; one of our guys, James Kennedy, did a talk on that earlier today. Wireless assessment is not as big of a deal nowadays, where it's pretty much just making sure somebody isn't doing anything dumb with their wireless networks, not using WEP, not using untrusted certs. Wireless is pretty easy nowadays to get right; it wasn't always that way. And then audits are more just going through check boxes: are you doing this stuff, you know, are you hitting these different requirements? Not a boost.

So also red teams, which I know inflames a lot of people; red teams are technically different, and depending on the results you get on your pen test, if your pen test firm's getting domain admin on your external pen test, maybe a red team isn't what you need. So let's talk about vuln assessments, vuln scanning; this is, so you alluded to it earlier,

[Music] what checks they're using, what they go after, and you know, the value of a tool like that is the interpretation of results. So like Dan said, there can be critical vulnerability stuff in the info section, and a lot of folks would admit it, but I think a lot of pen testers, maybe blue teamers, kind of skip that section, right? It's full of junk; it's painful to look through every robots.txt file on every web server under that enterprise, but that stuff matters too. And meanwhile you have to dig through all those TLS version 1 enabled findings, the other criticals that aren't actually criticals. Yeah, so you know, that

boils down to threat knowledge, right? Like just knowing that an unrestricted file upload on a web app is way more dangerous than RC4 insecure ciphers, the CRIME vulnerability; I don't think anyone's getting CRIMEd out there in the real world, right? But you know, all kinds of folks are having a really bad Monday morning when they wake up and find their information on Pastebin because someone uploaded an ASPX shell to some other app that people forgot about. The other thing is scanners don't do discovery. So in 2019 there's this idea that every organization knows their perimeter down to the IP, and you know, it's just harder than that. I think most organizations

know their on-prem perimeter, their office external networks, CIDRs, whatever, but we do discovery, you know, on large organizations especially, a lot, and find extra domains that marketing stood up in DigitalOcean or some other public platform-as-a-service, someone's, you know, joined onto just one record in their main domain they didn't know about. So you know, it's important to actually feed your scanners with proper targets, and you have to have all of your targets to do that. You know, the final comment there is scanners also don't find the logic flaws in your apps. You know, a scanner's not going to look at a cookie that says admin=true and do

anything other than showing you all the cookies in the information section of every app, and you're never... but if a pen tester is browsing through one of your apps through the Burp Suite proxy and sees a Set-Cookie admin=true, they would jump all over it; you know, we start salivating, literally. The final point there is, you know, a vulnerability scan is super important, so some things can actually be done. Now we're saying a vulnerability assessment, that's more when we do, you know, it's kind of like this, that's where you use a scanner to start off with and then actually assess the entire... whatever scope you're looking at, looking for all the

vulnerabilities. Since this is trying to cast as wide a net as possible, one of the really important things is to turn off shields. Usually these pen tests are time-limited, you know, they're only one or two weeks or three weeks long, and the purpose is to try to cast a big net, not test how good your defenses are, to find out where all the vulnerabilities are. So when, you know, your IP gets blacklisted after three incorrect ports, it's not going to stop us, we'll just start cycling through VPNs, but it will slow us down. The thing is that an actual attacker has quote-unquote unlimited time, and they can just leave a scanner going low

and slow, or use a very large distributed net to not trigger that stuff. From that, it's also a good idea not to have to worry about too much throttling. Obviously we keep it within reason, you're not trying to bring anything down; if it's a web app test you want to have a development environment so you can pump garbage into the database without ruining anything. Actual externals are usually done with a lighter touch, but you want to have, you know, we run into plenty of times where there is, well, if you send more than 10 requests in a second then you're going to get blacklisted. It's like, well, that's fine, but that's not really... that's hurting the product that you get from it.

And then finally, you're just not testing defenses. There is another type of test that's more of a red team where you are testing defenses, and then it definitely should be shields up, but not for a vulnerability assessment. So digging a little deeper, there are also application tests testing the actual source, which has other benefits and drawbacks, and then, you know, hybrid testing, testing whatever you want, it's kind of a combination. So, things we find that a lot of folks haven't put into place before they're ready to start or kick off an application assessment. It may seem crazy, but you know, using a dev or staging or UAT environment; obviously we have clients come to us

with production apps in 2019, and that's better than not testing, so we're not going to say no. We always push people to use a dedicated environment, because there's just certain things that you don't want us to test in a production environment, namely the create, edit and delete functionality against databases. So we can do a lot of testing on read-only functionality, but you know, in prod you don't want to update a... usually. Sometimes it's okay if you have multi-tenancy, create a tenant for us; in general it's best to do it in that dedicated testing environment. So multiple users per role; it's a big enough tendency, you know, if you have two users per role, number one, if my account

gets locked out, I don't have to delay the testing two hours while I try to get that unlocked. You'd think it'd be easier than that, but sometimes finding the right person on the team that has the rights to unlock a locked account actually delays the test a pretty significant amount of time, especially considering I'll be attacking or whatever. Then it's also important to have multiple roles, either to escalate to that admin functionality; well, it's a lot harder to determine that if I've never seen the admin functionality. Give me that admin functionality, I'll check out those pages and those parameters and how it works, and I'll try that stuff. General intercessions: oh, it sounds pretty simple, but it's important. You

know, people need to be focused, and that means that, you know, they need to be ready when we start. Well, is it okay if I push this build on Wednesday? You can, but the whole thing is you're supposed to kind of have that down or stopped for a period. Well, we can't ask for consistency, hours... Yeah, I've had a few times where I contact the customer because the site's down, and like, oh yeah, we just updated, and then the actual bug that I was testing is now gone. It's like, is that actually gone, or did you take away rights because it's generating interest in your site? So finally penetration testing, you know, a penetration test demonstrates impact. I don't

know if any of you were in the earlier talk; they were talking about like four or five low-severity vulnerabilities to be able to own folks server-side. So a penetration test demonstrates impact in a proper context; it doesn't have just a list of findings and maybe a shell or two, it's: this is once I get the shell, I did this, this is what I do, this is what the other attackers are going to do, because still in 2019, not everyone knows this stuff's possible. People still think if you pop an app it's about that app; I'd rather pivot, go after that database and pivot through and escalate to domain admin, because then I know I can get all the databases. Looking beyond the perimeter: obviously if

there's more threats than just internet-based ones. I tend to worry about the internet just because of the whole seven billion people on the other side of my firewall, but you know, internal threats are serious, right? So I've heard stats saying that they're the majority of significant breaches. You know, finding out what you don't know, that's a huge thing, obviously; that's part of demonstrating impact, demonstrating impact that's already known. And I think we've talked about this before, but like, you know, is your network resilient? Sometimes, this is something I don't like, but every now and then we run across a system with a really weak IP stack that can't even handle an nmap

top ten ports scan. You want to know about that stuff, preferably when you're prepared to deal with it, rather than some other day when maybe you weren't ready. That doesn't come up that much, but still. And, you know, how does your team respond? I'm not sure what it means about "consider the time frame", but it was mentioned earlier that an attacker has unlimited time; I wish I had that kind of time, I think I've got about forty years based on my... What's a pen test? So I think what this is about is like, what's a pen test, right? So there's pre-engagement: you're scoping, maybe you're talking to the sales guy or whoever, explaining that in which you,

what you want to test, the level you want to test it at, the level of engagement that you're kind of expecting. Maybe you're shopping it out, getting multiple quotes, and you choose somebody; then you have a kickoff meeting, and once that's started, testing begins. When testing begins, you know, it's kind of intelligence gathering time. First passes, without even sending a packet on the network, find out a lot about an organization: so certificate transparency logs, all of your hosts have certificates; and whois, whois will tell me a lot about your networks and domains; and you can search your name in the search engines and LinkedIn. Then you go on to more active recon, so your port scans, vuln scans, services, what

vulnerabilities exist. You may find yourself at something that is exploitable, which a general pen test is worried about. Once you exploit, you kind of have what we called previously a foothold; that's just like a remote position on your network, the same as any other VPN or anything like that. Maybe we compromised the web server, maybe it's a database, or in the case of SQL injection we're going to look to use that and pivot through it, and then move to the next phase, which is post-exploitation. And you'll see that post-ex in the Windows world kind of works the same way over and over and over, maybe in a few different varieties, but there's a lot of commonality. Once all the findings

are identified and any of the post-ex fun stuff is done and documented, there should be some, you know, some updates that go out if anything's serious, so you're not waiting until the end of the pen test and surprised with the report. But at the end you get a report, followed by a discussion of what was found and what's possible, and how to fix all that stuff.

So the fun part is the general attack strategy. These are the basic steps of usually how the external pen test goes: you pretty much map out the entire external perimeter, do all the discovery, find a weakness, break in via weak passwords or vulnerabilities, enumerate the internal network, getting all the information you can, and then pretty much just bounce around and go after loot, it's pretty much what we call it, going after the data that would be considered valuable to the company, that could put a company out of business if it were actually gotten by an attacker. So entry points on a test: vulnerabilities is the first thing that you'd want to

think of, actual infrastructure attacks. These days, an exposed SMB service, MS08-067 on the internet, pop that Windows system, they're in. So if you're getting an external pen test, hopefully that individual is well-versed in attacking that; that's where all the identified infrastructure lives. The next

is phishing users: that could be trying to get their credentials in a form, trying to get a foothold on their system by sending them malware as an attachment or linking to some malware. And then you have, you know, logins and password spraying, which I still think is just a less technical thing; we've got pretty good at identifying that one Citrix or VPN that doesn't have MFA on and just using that to spray our user list with a single password across that list. We'll talk about that more, but those are three very common entry points. If you guys have paid attention to the news, Citrix recently got

compromised because of an exposed Citrix endpoint and password spray. Go with different levels of skill levels of the actual attacks depending on something that's exposed. So lots of cyber criminals are usually going for low-hanging fruit; they're usually going after vulnerabilities when you have, you know, various software stacks, and use the Struts vulnerability and stuff like that, or things that used to be picked up by, you know, scanners from Egypt or wherever, and the people come and investigate those. Motivated attackers are going more after the users, the login points; they're looking at actually getting a foothold on the network and compromising the entire organization. And then you've got the good old APTs, which are dropping 0-

days, and they're the ones intercepting your actual orders in transit and putting malware on the actual hardware, your HP server. So what are some attacks on users? Well, you know, weak credentials are one; to talk about phishing, reaching out, social engineering, digital, physical. Poor credential management: storing your passwords in Excel spreadsheets on open shares that anyone with a domain account can read, which occurs in every organization larger than a couple hundred people. I've actually seen recently in a few tests, looking up the companies on GitHub and finding where developers had published stuff that connects to internal systems, and the credentials were just sitting in GitHub, you know. So that's poor credential management. USB

drives, and something you might be familiar with, the Rubber Duckies that Hak5 sells, and other HID attacks: you can buy USB drives that actually type in the commands to run malware or whatever, so that's also an attack against the users. Stuxnet comes to mind when I think of USB drops. So password spraying in 2019, right? You used to grab the rockyou.txt list off your BackTrack or Kali instance and run it through Intruder or whatever against a user, lock them out with three failed attempts or whatever, but we've got a lot of love for what we call password spraying, or if you want to look at it, it's a horizontal login attack,

and it's still really simple. It's just a matter of being intelligent on the front part, where you're building your username list, and intelligent about picking the password. So you know, we have some recruiters that work for us on LinkedIn and they're friends with everybody, and thank you to anybody that accepted those invites. Yeah, you caught a lot of people, probably friends with friends or second-level connections only; you know, if you unfriend these individuals we'll just recruit others. But yeah, so LinkedIn is really, really useful for recon as far as building a word list for spraying customers. So you can use a tool like linkedin2username that will use credentials; you have to have a

LinkedIn account, go through, we can give it an organization ID and it will literally go through the pages, I think with Selenium or so, and pull all the users, and it will create lists of users, whether it's first name dot last name, first initial last name, whatever. It's pretty easy to find an organization's format for email if they have a consistent one; otherwise you have all the time in the world, just make all four formats and populate your list with that. And you know, the main things are going low and slow and avoiding that two, three, four hour lockout window that most organizations have with their Active Directory. Since most people are

friends or connections in LinkedIn with other people in their own companies; for example, one of those recruiter accounts, I've got about 3,000 connections, and every company I look at now I have 90% of people available, throughout, and don't have to reach out to anybody at all, and that's with the free account. If you actually have a paid account, the numbers go up, you know, exponentially. So there's a shot of Intruder; we like to use Intruder on HTTP-based services. Obviously it makes it super easy to load up a word list, mark out your payload, your target, you know, HTTP request, and then fire it off and then sort the columns on where you can

often find the successful logins based on the response size or response code; often a success is a 302 and a failure a 200, or something like that. I believe the password there was Spring17 or 2019. The reason why season-year is so successful is because with a good password policy we've all been trained that passwords expire every three months and that you need a new password, and lots of people have had the clever idea of, well, the seasons change every three months, so they change the season and the year. And since nobody discusses their passwords with anybody else, lots of people in an organization have the same genius idea, and that's what we usually exploit to get in. So the

first thing we do once we pop a user now is go get the rest of the user accounts. Remember we have a good list, it worked for one, but I'd rather have every actual user account in the organization, so you can use it to, like

methods. The whole point: what do you do when you have the perfect list? It's great, you may have had one Spring2017, two or four, but now you have 40. It helps to maintain persistence in case someone catches you. So let's talk about multi-factor, defending against password spraying. So everyone knows about multi-factor and everyone is familiar with it, and there's just a couple of ways that people get it wrong. So one of the most common ways is just not putting it everywhere, like, did you get that disaster recovery or that alternate Citrix server? Sometimes it's just, we have three realms on an SSL VPN and only two are active with MFA and one was

left out to test the solution installed, just in case something goes wrong. Yeah, you know, another thing we found is, for a new user account, how is remote access before enrollment? So a lot of times there's a self-service mechanism out there to get users enrolled, and if we can compromise a user account with our spraying that isn't enrolled yet, maybe we can then enroll the phone, the token code, or get a link to install Duo. All right, you know, we get a code. And you know, I think now, because it's really convenient to use, we use Duo, which uses push notifications to your phone, like it's so

easy: you come try to attack it, it scans your eyes and your fingerprint and just locks you in. But back in the day it was kind of code-based; a lot of folks use SMS, which I think is, in the industry, not best practice nowadays because of the ability of folks to tamper with SMS. Use passphrases. So the favorite password slide, he's saying use smart passwords, don't use Fall2019, and also don't require, and there's been an update of this specifically because of all the password spraying, that no longer do you have a password expiration policy and instead you only expire passwords when they've been compromised, but instead just use long passphrases that are, needs

you know, hard for a person to remember, easy for a computer to guess. That's pretty much what it is.

We've mentioned, you know, storing passwords in files. Obviously, you know, there are tools, once you gain enough access on a network, that just scour all the shares for files and contain strings like "password". So yeah, I think that probably still happens. Password reuse across sites, that's still a problem, so we can talk about that. We have a system at work where we collect very high-profile, large, older breaches and then we crack those breaches, normalize the data on our GPU-based password cracker, and then we wrap a front end around it. And these are pretty old breaches in most cases, but you'd be surprised how many folks are using their corporate emails on services like

LinkedIn and Arlington and these other services, Dropbox, that get compromised. And are those passwords different between the compromised service and the organization? Well, maybe it's different now eight years later, but the other use of this is we use it to gain accurate word lists. So there's a lot trapped up in these breaches, and they may not all be current employees, but we don't care, they're all people, correct? It's an interesting tool for that. So phishing, we all know that's a big issue, and a lot of you probably test your users; there are services out there that automate this and more things like that. You know, user education,

there's really no way around that. Yeah, are you gonna prevent every user from clicking every phishing link? Absolutely not. But it's not a binary thing; it's, can you get 10% better, can you get folks that are inclined to click links 40% less likely to fall for it? So obviously there's value there. There's some kind of an HR violation; this was an actual real phishing campaign Ryan's girlfriend received. Yeah, and you know, we don't use these much, but only because our clients won't let us, because HR yells at information security. These are so effective, and you end up undermining the relationship between the employees and HR with a test like this, but

nobody wants to make enemies of the people who touch your payroll. But yeah, this was one; these are pretty effective because people generally do whatever HR says. So, you know, fighting this: teach your users to be honest and reassure them that you're not going to fire them if they screw up, so that they feel confident to say, hey, I think this may have happened, versus just hiding it, which would be a normal human reaction. And these are awareness programs, you know, I mean it's kind of fluffy; we don't have a dog in that race at all, we're all kind of

offensive, but like I said, it's not binary; your job isn't to prevent everything all the time, it's to make it better. Some more information on USB: we talked about this with the Rubber Ducky attacks, which emulate human interface devices. There's a USB Killer, which is like a really gnarly USB drive, it's got a bunch of capacitors on it that store up juice, so when someone puts it in a computer it destroys the computer. I've never used one, just tempting fate. There's BadUSB, which, what BadUSB is, is where you actually have changeable firmware on legitimate USB devices, and so you can reprogram them to do different things, like be a network

card, which Windows had a vulnerability a while ago where Windows would take that network card and take that as priority and just start broadcasting, you know, your credentials, you know, hashes over onto the USB device, stuff like that. So now it's pretty much going into, okay, somebody has actually compromised you and has gotten a foothold in the network. Yeah, so assuming you're in Windows Active Directory, which is quite an assumption, but it's not out of this world. We find new businesses that have started out there that don't have anything like that in their environment; it's more common with the younger businesses that were able to build in the cloud originally and didn't

deploy monolithically the way a lot of organizations have since the seventies, when they got involved in IT even. And in general, with a lot of organizations that have Active Directory, it's a huge attack vector; it's been on the network since the seventies. So basically imagine that a malicious individual got access to Bob's credentials, as in Bob's username and password, or he could just have Bob's username and hash, and the Windows world accepts a hash most of the time as if it were a clear-text password. So okay, Bob's the red dot, and we'd say there's a domain admin named Steve that has access to a SQL server we're really interested in, you know, maybe it's like a

payroll database or so. So we take a look at what Bob can access; that means, like, you know, what local admin rights does Bob have? Is Bob local admin on every Windows machine, or, in this case, just two desktops, desktop one and desktop two? So next, based on the machines that we know that Bob can manage, who's logged into those machines, what are their privileges? Desktop one has Joe and desktop two has John and Alice, so we're going to get somewhere. So we follow that and we compromise desktop two, so now we have John and Alice's credentials, so that could be running Mimikatz, got by that way, so we log on and dump

their creds out of memory, or we do a hash dump and pass those hashes, or we just steal their token and execute code as them. So then we say, okay, what does John, or Alice, have access to? So it turns out Alice can access, is local admin on, the web server, and so we compromise that web server, log into it, and we find that Mary is logged into that machine. So we collect Mary's hash or her credentials or impersonate her token, and then we find out what groups Mary belongs to. Mary's more powerful than John and Alice were because she's a member of a SQL

admins group, and often if you find a member in a SQL admins group, that may have access to a lot of SQL servers. So it turns out that's the case here: Mary can actually compromise the SQL server, and it turns out that domain admin Steve was out there on that server doing some maintenance. So through that chain we're able to compromise or assume the identity of a domain admin. So we'll talk about this later, but you know there's a tool out there, about five minutes, okay, yeah, there's a tool called BloodHound that most of you probably know about that will build great attack vectors as far as where you're at in Active Directory and how to compromise

it. So we've got some top five ways that you compromise internal networks. So Responder is going to be, I think, number one. So Responder works like, it's in the same scenario where it only works on the local network, since it's broadcast-based, but on a network where we're on the same subnet: Bob exists on an attacker box on the same subnet as the web server, and Mary's logged in to the web server. myfiles.com, what, you're gonna have an IP address yet? So it broadcasts it out on the network, if it's configured insecurely, and then the attacker says, yeah, I'm that, that's cool, I serve that, and so then, you know, that victim's credentials attempt to make a

connection to Bob and authenticate via hash to Bob. Well, Bob actually takes that connection and relays it, and it's that Windows gives a higher priority to NetBIOS over actual DNS. So if you have NetBIOS enabled on your network, it will just broadcast out and say, hey, is there a NetBIOS server out there that can fulfill this request? Responder's like, right here, I'm the site you're looking for, just authenticate to me, and then it passes it on to wherever you want to attack. Yeah, so you know, the full path of hopping systems in a chain to get to Steve kind of gets done, and what it felt

smooth, as long as you have situational awareness to know that you need to get to the SQL server to get Steve. But SMB relay has been around a long time; enable SMB signing. A lot of people recently came up with the Exchange server one, where with Microsoft Exchange it's possible to send, with the privileges of any user, just one web request to it, and Exchange will call back to you, which you can relay straight to a domain controller and compromise everything. So another way we can see this is, much less now with LAPS, but pass the hash using the local admin. Back in the day people built golden images that contained a static local admin hash, where

they rolled them out across the enterprise and they've never changed those local admins. So in the case where Bob compromises desktop one or desktop two, dumps the hashes, gets a local admin hash which is the same static value on the web server and SQL server, in that case you pop one Windows machine and you now have access to the entire network without the domain, which of course you can get by compromising a machine with a DA logged in. So, you know, obviously I mentioned LAPS, the Local Administrator Password Solution, from Windows; it's fairly straightforward and easy to roll that out to randomize your passwords, and it's a huge value if

you haven't done it already. Another example, overly permissive groups: I had an assessment recently where a user that I had compromised was a member of the Exchange Servers group, and for whatever reason that group was able to go and modify objects in AD, so I was able to actually just go and give myself DA and use that as the next pivot. Obviously there's a lot of powerful groups. Another way you could do that wrong is adding a larger group into the local admin group universally across your systems. So the password may be different on the local admin account, but if you have your Domain Users group joined to the local admin group on every system, then every domain user is an admin on every

system.

Yeah, so attacking the network: BloodHound. Yeah, red and blue teams can use this. If you're tasked with defending an Active Directory and you haven't run BloodHound, then the users, you can't see paths; that doesn't mean that you shouldn't. If you're not using it for offensive work, maybe you're not, it's a pretty useful tool, so you can quickly identify control relations between objects in AD, which is just a fancy way of saying that you end up with a really slick graph like this, from one user to domain admin, and it figures out the path. It's not all based on local admin now; they're like, this user has the right to change the password on anyone in this group, to

change the password for this user, who can log in to this machine, which has a session, or what they do, a DCSync, too. So they'll say this user can write to the ACL of this domain, which, even though it's not in fact, if you get domain admin you can change passwords back to what they originally were just using the hashes, because AD has a ten-password history, so you can say, oh, that's what that was before I changed it, nobody will notice, because it's back to what it was. Yeah, that's completely backed away, so no problem. I think this is that classic Walmart picture someone posted; so this is what it looks like if

you run this in a large, large enterprise, and there's Kevin Bacon. So how do you fix overly permissive groups? Training, and, I hate to say, that's hard IT work; nobody's gonna thank you for it, and then you probably only get people complaining about users and permissions you have to fix, you know, the original problems that people had in the privileges, but it's highly valuable, and if you're in the middle of that kind of SSO. Default creds, yeah, I mean, like, you need to get behind the firewall on a large corporate network; there's always default creds. I did a test on a school once where I got control over all their

thermostats from the outside with default creds; one at an elementary was kind of kicked up to 200 degrees Celsius, which was the max value, to do horrible things. And then we have Group Policy Preference files, which Microsoft saw fit to create, this technology with a static key that everyone knows, and it's the same on everyone's networks. So if you use those, we'd pull a password from those, you know, a domain user account, to move, privilege escalation, and that's if you use Group Policy to set a lot of aspects, also like passwords, they're easily accessible. So there's a Get-GPPPassword PowerShell-based command to attack that, and the only

problem is, if you've never changed it, then the ones that match still work after resetting the passwords. If you're using that, realistically, just be using LAPS. So we have a case review of kind of how this would roll on a typical attack path, so let's walk through it pretty quick. So we harvest public sources and we use those to create our intelligent word list, right? And then we use Burp Suite and attack a Citrix server we found without MFA in front of it. Once we actually prove that we've compromised a Citrix user, we see what apps they have published; we find Word, so we open Word, and if you're not familiar, Citrix is

extraordinarily easy to get a command shell on, even though they try to provide functionality to prevent it. But basically, in Windows, you open up an app like Word, then Open File, and then browse to PowerShell or CMD or something like that, you open that up and you're presented with a shell on the Citrix box with the creds of the user you went in as, which undoubtedly won't be local admin on the Citrix box or a domain admin to the network, but it's a place to start with. And so you craft a payload, in this case PowerShell Empire, set it and run it on the Citrix machine, it calls back to your C2, so you have

a remote PowerShell Empire shell on the Citrix machine, which is your foothold. So you query, get some situational awareness, and query for your domain admins; you want to know who they are. You query for domain controllers; you want to know what those are and where they're at, as you're gonna want to hit those eventually. Then you find out where you're local admin with the user account you have right now. You run BloodHound, which gives you a path to domain admin, and hopefully you locate that path. You take the path and dump creds on your way, escalating from one user to the next; each time you compromise a new machine you get new creds or a new hash, you're

escalating privileges on them on the way, you look for more machines from each user account you get. Eventually you go through this process and you end up on the machine where a domain admin is, where you steal their creds or impersonate their token on that, and you point to the domain controller and DCSync, hash dump them. So now you have every hash of every user, hopefully in the forest; if you were on a child domain you may have to jump that trust. But once you have the hash of every user account in the domain, you can crack those offline like I said earlier, or pass those hashes around as if they're the actual creds or whatever. So that's

kind of a typical attack path, nothing fancy, but you'd be surprised at how often that repeats itself. Any questions?

So yeah, so the question is, is it worth, you know, trying to avoid your certificates from being logged by Certificate Transparency? No, because, you know, Certificate Transparency provides benefits above and beyond, you know, disclosing your certs. It's a good question; you kind of want to be involved in CT, you have your certs logged; there's really not a lot of way around it nowadays, kind of all major CAs log certs when they create them or so. And once your internal domain is getting leaked out, once you're internal, it's pretty easy to get that info anyway, so you can just start running reverse DNS requests on the subnet you're on, or different subnets,

and find valid domains, exactly, just work your way through. Yeah, it's also pretty common on internal AD networks to have zone transfers enabled on internal DNS servers, so in some cases we could just literally zone transfer everything out of the internal domain, which gets you all the FQDNs, you know. Sorry, I didn't realize you were talking about internal, which I can imagine a concern in there; that's a good point.

Thanks [Applause]

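As an added example from the defender's side (not code from the talk or the speakers): the low-and-slow spraying described in the talk, where each account sees only one or two failures inside the lockout window, never trips per-account lockout counters, so this script groups constructed 4625-style logon-failure records by source address and flags any source that touched many distinct accounts in one window while staying under the lockout threshold. The log layout, thresholds and sample values are assumptions.

```python
"""Spot low-and-slow password spraying in Windows logon-failure events.
Added example, not code from the talk. A spray stays under each account's
lockout threshold but touches many distinct accounts from one source inside
the lockout window, so we count distinct accounts per source over a sliding
window instead of counting failures per account."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines shaped like Security event 4625/4624 fields
# (assumed layout, not a real export): ISO timestamp, then key=value pairs.
SAMPLE_LOG = """\
2019-06-01T09:00:00 EventID=4625 TargetUserName=alice IpAddress=10.1.1.50
2019-06-01T09:05:00 EventID=4625 TargetUserName=bob IpAddress=10.2.2.7
2019-06-01T09:06:00 EventID=4625 TargetUserName=bob IpAddress=10.2.2.7
2019-06-01T09:07:00 EventID=4624 TargetUserName=bob IpAddress=10.2.2.7
2019-06-01T09:10:00 EventID=4625 TargetUserName=bsmith IpAddress=10.1.1.50
2019-06-01T09:20:00 EventID=4625 TargetUserName=cjones IpAddress=10.1.1.50
2019-06-01T09:30:00 EventID=4625 TargetUserName=dlee IpAddress=10.1.1.50
2019-06-01T09:40:00 EventID=4625 TargetUserName=ekim IpAddress=10.1.1.50
2019-06-01T09:50:00 EventID=4625 TargetUserName=fwong IpAddress=10.1.1.50
2019-06-01T10:00:00 EventID=4625 TargetUserName=gdiaz IpAddress=10.1.1.50
2019-06-01T10:10:00 EventID=4625 TargetUserName=hpatel IpAddress=10.1.1.50
"""

def parse_failures(text):
    """Return (timestamp, source_ip, account) for every 4625 line."""
    events = []
    for line in text.splitlines():
        ts, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        if fields.get("EventID") != "4625":
            continue  # 4624 successes are not spray evidence here
        events.append((datetime.fromisoformat(ts),
                       fields["IpAddress"], fields["TargetUserName"]))
    return events

def detect_spray(events, window=timedelta(hours=2), min_accounts=8, lockout=5):
    """Return {source_ip: finding} for each source that failed against at
    least min_accounts distinct accounts within one window. max_per_account
    below the lockout threshold is the low-and-slow signature."""
    by_src = defaultdict(list)
    for ts, src, user in events:
        by_src[src].append((ts, user))
    findings = {}
    for src, attempts in by_src.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it spans at most `window`
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            seen = Counter(user for _, user in attempts[start:end + 1])
            if len(seen) >= min_accounts:
                findings[src] = {
                    "accounts": sorted(seen),
                    "max_per_account": max(seen.values()),
                    "low_and_slow": max(seen.values()) < lockout,
                }
                break
    return findings

if __name__ == "__main__":
    for src, finding in detect_spray(parse_failures(SAMPLE_LOG)).items():
        print(src, finding)
```

The same per-source view is what a SIEM rule or a DC's aggregated 4625 feed needs; the repeated failures for bob from 10.2.2.7 look like a typo, not a spray, because they touch only one account.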