
Alright guys, can everybody hear me? My name is Andrew and this is Zach, we're with Breakpoint Labs, and we'll be talking about how to find a company's breaking point. Cheesy, two names in the title there, but what this talk is all about is essentially modern-day hacking, which is very similar to what we see here: using the Force to get in the building. The inspiration for this talk was really similar to the last talk. We talk to a lot of people who are new to penetration testing or interested in it, and they always come up and say, "So I scan with the vulnerability scanner, right, and then I exploit it with Metasploit and I'm in, right?" And the reality is there's a lot more to it than that, and that was kind of the inspiration for this talk. I think BSides events like this are great because you can share this type of introductory material. If you're a senior pen tester in the room you're probably going to get bored, but if you're new to this stuff and interested in some common ways to gain a foothold in a network, you might learn some pretty interesting techniques. This is a quick agenda; I won't go through all of it here, but we're going to be covering these topics.

Who am I? My name is Andrew McNicol, and with Zach Myers here we do the Primal Security blog and podcast, as well as work for the red team at Breakpoint Labs. In the past we've spoken at some BSides events and NoVA sec, and we just got back from BSides Jackson, which is a really cool event, doing this talk actually. We're past certification junkies; nowadays we've only spent our time with Offensive Security certs, and we're really waiting for their web hacking course to come online, which they say is like next year. We love Python, CTFs, learning, and long walks on the beach. Zach actually runs Knapsack, which, if you're near Annapolis, Maryland, which you're not now, you can check out. It's a two-hour drive; Jackson was like a 16-hour drive, so not too bad. So yeah, come out and check us out; we're just a monthly meetup on meetup.com.

So, things have changed since the 90s, right guys? In the 90s we got in with social engineering and weak passwords, and now we get in with social engineering and weak passwords. Not a whole lot changed, right? Maybe USB keys instead of floppies. So that's just a little bit up there, but the goal, like I said, is to break the scan-and-exploit mentality, just to show that there's a lot more to it, and we're going to do that by covering some examples. We're not going to dive quite as deep into phishing as the last presenter, a really cool talk, that was awesome, but we are going to cover phishing since it's one of our most common techniques, just at a higher level. We're going to walk through web application vulnerabilities, since we all love them; we're going to talk about multicast name resolution poisoning and some SMB relay attacks, which can even be spawned by Nessus vulnerability scanners; and then account compromise, which is inevitable on every test.

So, just a high-level methodology. I won't spend a lot of time on this slide, but this is generally our methodology. One of the things we see with our customers is a focus on "scan us, right, run your tools," so we like to break out, for our customers at a high level, automated testing versus manual testing. It helps our customers understand, hey, these guys are actually doing more than clicking the Scan button, and that seems to be a challenge we face all the time: we're not just running these scan tools, there's a lot more that has to go on behind the scenes, and it can help justify why it might take a certain amount of time to do a bit of work. And then the other question I get a lot from people interested in pen testing or just getting started is, how do we go beyond a scan? So, if you've ever done OSCP, doing the lab course, if you're new to pen testing, you get in the labs and you're inevitably going to run all your NSE scripts, run whatever you have, and you're like, I've got a lot of data, but now what do I do? You're looking at it and you don't know where to go next; you pop some of the quick MS08-067 boxes and don't know where to go next. Well, the first thing is: get ready to fail, right? That's the first thing I tell people new to pen testing: it's a lot about failing. You fail a lot; you get some wins, especially as you get better, but you fail a lot. And then it's all about recon and mapping, so finding the systems and content that others have missed can go a long way. The last talk showed Shodan, and there's also Censys; those are really great tools for an external perspective, quick-and-dirty recon. But there's also automated testing, like I mentioned; run the right tool for the job, and this gets more important when we talk about web technologies. You could run Burp Suite Professional or even WebInspect against a WordPress server, but you might find a lot more cool vulnerabilities with WPScan, for example. So understand what the tools and scripts you're running are good at and run the appropriate tool. And then the bread and butter is manual testing: figuring out all the areas of user input (a lot of this is very heavy on web), understanding how your input is being leveraged, and fuzzing appropriately; then researching all the version-specific vulnerabilities and trying to combine findings. We've got some examples we're going to walk through for that. And the final stage here is reporting. We like to highlight business impact. One of the questions I'll ask my customers is, what keeps you up at night, what is your biggest fear? For a pen tester, alright, the biggest fear is availability. So when we pop some sensitive stuff on their network that could let us take the power down, they're like, oh, that's my biggest risk. To us, we got domain admin, like, that's your biggest risk, but to them it's different. The path to domain admin wasn't as important as taking the power down to the building. So it all depends on what your customer's risk level, their risk threshold, is, and understanding that will help you shape your results.

So, as the last presenter showed, phishing works, and I'm sure there's no surprise here. Nobody in here do I have to convince that phishing is a great way to gain a foothold into a network, but this is more of a high-level business perspective on how to go about doing a phishing engagement, at least how we do it. So first it starts with planning. If you're allowed to get code execution and do all that fun stuff, that's great, but you might not always be. Sometimes the customers, especially if they're brand new to pen testing and have never done it, may just need a click analysis to see how many users click, to drive that situational awareness and education. Sometimes you might just be gathering credentials. You may not always be doing the fun code execution; it all comes down to determining the rules of engagement with your customer and figuring out what they ultimately want the goals of the assessment to be. Then I like to determine the scenario. This helps drive home awareness, and with our engagements we commonly do two types of scenarios: either we'll replicate the common ransomware attack or malware threat, which is obviously going to look bad with the domain choices and maybe use a UPS kind of thing, like "here's a shipment to pick up, click this link," which would actually work pretty well right now going into the holidays; or we may go targeted attack, which is cloning the OWA or something of that nature for the organization. And then determining your phishing domain, which is key, as we saw in the last presentation. You need to make sure that you've done some homework with spam filters and with content filters. You can actually submit your domains to web content filters like Blue Coat; you can submit your domain to be trusted by them, it usually takes about 24 hours, and you get your domain trusted. What I usually like to do, from more of a white-box perspective, is I'll have a POC at the site and I'll test my domain with them before we fire it out to all the users. It all depends on the particular engagement and the type of communication you've established. The last thing is email spoofing vulnerabilities. Figure out if you have them; they may not work, but it's important to test for them and leverage them if you can. All too often you'll see these types of articles in place. A good example of these vulnerabilities is Google Apps for Work: if a company is using Google Apps for Work and hasn't set up the SPF and DKIM records, you're vulnerable out of the box, and they don't necessarily do a good job at holding your hand through that process. If I find an organization using Google Apps for Work, nine times out of ten I can spoof through them, and people trust Google's email servers, so it's something to think about. And then execute the engagement. We have a full blog post there on our blog if you want to check it out, so I'm not going to go through everything here, but we like to send email with Python. We've used some of the larger-scale tools; there's Lucy, there's a bunch of free open-source tools and paid tools. We do it on the cheap with Python just because it's cheap and it works, and with Lucy and some of the other tools we found they can trip spam filters, especially the click-analysis links, because they build a really ugly URL to see if you clicked it. With Python you have the flexibility to create your own link and check your access logs to see if they clicked the link, depending on how you're doing it. But like I said, three general ways we do it: click analysis, credential gathering, or executing code; three common ways we leverage phishing. And then inevitably the CEO's reaction to opening the phish... pretty bad, but usually it's the IT admin and not the CEO, for some reason. If you scope it out with the customer beforehand, for political reasons the CEO's email generally doesn't fall on that list, but the IT admin does, and they're always great targets because they generally have elevated privileges. It's always great. I actually had a situation once when we phished the admin; we got on site and our POC for the customer gave the admin a hard time, like, "man, you clicked their link and logged in," and I was like, yeah, sorry, I'm the bad guy, right. But he didn't change his password and stuff, so we were domain admin in no time, and hey, come on, we even told them. But it's all good.

So again, this is a higher-level view of what we do when I talk about the campaign. On the left you see the common malware/ransomware one, and this was actually just a hyperlinked image. I get a lot of success with that, like the last presenter said: it's literally an href around the whole image, and if they click anywhere on the image it'll open up and you get your click analysis. On the right, you take the company, figure out where a legitimate login is for them, and then try to mimic that login as closely as possible; this is just an HTTP basic authentication prompt, cheap and dirty. I already mentioned the phishing domain stuff, but I like to use one that closely matches the target. You may want to register the domain in advance and grow some legit content there so you have time to get categorized appropriately, maybe try to submit your domain to their web proxy if they allow that. And then you may have domains like ups-track-the-package-tracker.com, that kind of thing, but it's important to test before you fire off hundreds of emails; you might not get to your targets and blow your cover, or have the link stripped. It's just important to test. And on the slide here, if you've never tested for email spoofing vulnerabilities or tried to forge headers, it's actually really easy, and these are the steps you can follow. You'll have to do variations of these steps, because you may be able to forge headers in step 3, or maybe not be able to forge the header in step 3 but be able to forge it in step 4. Essentially what we're doing here is: step 1, we're determining the mail servers; step 2, we're connecting to the server and saying "this is my domain"; step 3, you forge the header; and then step 4, you actually forge the email. So in step 3, that's what the mail servers will use, or that's what's going to be presented in the Outlook client; they don't have to match, and variations of this might get through. So I usually do some email spoofing testing with my point of contact. I just play around with some email, see what he gets and what they look like, before we decide what vulnerabilities are there and what we want to use across the board for his organization. These slides, by the way, are already on SlideShare, so you don't have to memorize or take pictures; they're already up. But that last email, that's kind of what it would look like in an Outlook client. I like to do "immediate password change required"; again, sense of urgency, right, you're going to lose your email. That's always very effective, and they'll click and give me creds, or click the link, or we can execute code, whatever the rules of engagement allow there. But this is an example: as you can see, Outlook presents it cleanly, it looks like helpdesk support, but in reality it was coming from a Gmail. Just an interesting, sneaky little technique, because users don't usually inspect headers. And again, just another look at the possible scenarios: the click analysis we talked about, creating a unique link with Python; for credential gathering, use the Social-Engineer Toolkit, which is great, Dave Kennedy does a lot of the footwork for you, or if you want to run your own little code, PHP snippets are good, especially if you're using basic authentication; and then code execution, Empire's great for that, and the last talk did a great overview of that. There are a lot of talks online, so I won't spend a lot of time on that, but it's a great tool for generating your payloads.

Now moving into something very near and dear to my heart, that is web application vulnerabilities. I love them and hate them; they're everywhere, but they are a lot of fun and they tend to be a way that we can establish a foothold in your organization. At least in the last two pen tests this month, month and a half, we've gotten into the organization through the web application, which is great. And the way we do that is, well, first, like I mentioned, find the content that others have missed. So unlinked content enumeration is key, and we're going to show an example of that in the next slide; we walk through enumerating that in the next video. But in this slide we see generally how your input is being used and then how you might test what vulnerabilities are there. So figuring out how your application is leveraging your input and then fuzzing appropriately can go a long way beyond just your Acunetix, WebInspect, Burp Suite, that kind of thing. So, is your input landing on the screen? For example, you may want to test for XSS; that might be your foothold, maybe you can use an XSS payload in your phishing campaign, right. So that's kind of the: is your input being put in a data store, maybe like a search query or what have you? SQL injection. All these here, I won't go through them all, but it's important to take a step back and maybe make a mind map of the application, saying what does the application allow me to do, does it let me upload a file for an avatar, and then how is that input being leveraged, and then try to fuzz appropriately. SecLists has a lot of good stuff; FuzzDB, those kinds of things can help you use these pre-built lists if you're unfamiliar.

But now we're going to talk about file inclusion to code execution, because, if you're not familiar with this, this is the go-to way to pick up a significant other at a bar, right: "hey, you know how to massage file inclusion into shell access, into code execution?" Come on, it would work on me. But sometimes file inclusion can lead to code execution, sometimes it does and sometimes it's just printing it to the screen, which is not as fun. We're going to talk about a remote file inclusion example, because I think a lot of times your vulnerability scanner will point this out; they may find that hey, there's RFI here, but they're not going to show you how to put the pieces together to spawn a shell or automate your RCE. So in the example of code execution, you may have a PHP include statement, and this is potentially going to execute code, versus a PHP echo, which might just put it on the screen. So these are examples of how sometimes it works and sometimes it doesn't. LFIs normally take a little more work: you've got to figure out where your input is being tossed on the system and try to include that input, and a lot of times it's like log poisoning, which is a little harder than it was in the past. RFIs are a lot more fun because you can point it back to a remote server and run code from that server, which is great.

So now we're going to walk through a scenario I had on a pen test in the past, and it was awesome because it got us domain admin from the internet, which is great. It all came about from a resource called debug.php. I got an HTTP 200 OK. So what I was actually doing was using Burp's Intruder, and I was just running through wordlists, trying to check out what content the web server doesn't want me to know about, right, that's not linked in the application, not necessarily something you'd find when you spider. I found debug.php and it gave me a 200 OK with a blank screen, and I'm sitting there like, alright, well, great, so what's next? I just see a blank screen; is this it? And with PHP code, since it's server-side code, you're not going to see the code, you don't know what's actually happening. So the next thing I did was try to figure out inputs, right, because I want to see if I can send parameters to this resource and whether it does something different. So essentially I started another Burp Intruder run where I was going through parameter names and GET parameters, and then I just went to lunch, came back, and I was inspecting my Intruder window, and I saw something really cool that made me get really excited, almost break my keyboard. If we look in the window, which is hard to see on the screen here, you'll see there's a length: everything else is 193, basically that blank page, except when we get to page=test you get 633 or whatever it is, and I'm like, oh man. So you can sort by response length in Burp to see this. And if you see on the screen here, "attempting to debug test," so it's got my page=test; there's cross-site scripting there, right, but that's boring in this instance, because it also says "Warning: include(test)," right. So we talked about that PHP include, so I'm getting really excited because it looks as if my input is being leveraged in an include statement in an insecure manner. So I'll test for local file inclusion, right, directory traversal up to /etc/passwd, all the good stuff, but more importantly I'll test for RFI to see if I can snag it to run some code. So in step one, that's the request from Burp pointing it back to my attack box; step two is actually just a Python SimpleHTTPServer and it's serving code for me, which is a great way to get a little web server up in a pen test; and that 1.php actually is just a system('id') command, and in step three you see the output, which is awesome. So we're actually getting code execution in this debug.php that had been there for like fifteen years and nobody really cared; it had gone through a bunch of pen tests, but it's just one of those things that got overlooked because the automated tools didn't find it. Now at this point I automated it with Python. All I'm doing on the back end here is using Python's requests module to make these web requests, then grabbing my input with raw_input and just shoveling it into the server to run, and it feels like a shell. I do this a lot; people make fun of me, fake shells, but I did this in real life in this instance. That was on a Windows box running as SYSTEM, so it was just glorious at that point; any time you see PHP running on Windows, I get excited. And that's it, that's the web application portion. I'll pass it over to Zach.

Alright, so a third common way we like to get on your network is multicast name resolution poisoning. If you're not familiar with this, essentially the majority of the time on internal networks, when DNS fails, it relies on a series of different protocols to try and resolve these names, in Windows environments especially, so you'll see this enabled a lot. These protocols are LLMNR, Link-Local Multicast Name Resolution (I'll just call it LLMNR for short), NetBIOS, and multicast DNS, so you'll see a lot of this traffic going on. There are a lot of ways we can do this, but I'm going to explain a tool that's like the go-to tool I start on every pen test as soon as I arrive on scene if I have network connectivity. By listening to, intercepting, and manipulating this traffic we can essentially redirect authentication and potentially capture hashes, see clear-text things that are going on, and even man-in-the-middle some traffic. So how do we do this? We use a tool called Responder. Responder is like the Wreck-It Ralph of internal pen testing, in my opinion; essentially it's just going to wreck your network. A lot of times I've seen this happen and they're like, what the hell are you talking about with LLMNR, so we have to really explain it a little bit. Simply, Responder is a Python script that was created by, I believe, SpiderLabs, and it's basically going to aid in the abuse of these multicast protocols by poisoning them. And if you give it just a -h switch you'll see it can do a lot of other different things, but one of them is WPAD spoofing, where it's going to take that Web Proxy Auto-Discovery feature, which a lot of times in IE is enabled, and we'll go over that a little bit in another use case; you can use that and capture some HTTP creds for web traffic that's going on. Like I said, it does man-in-the-middle attacks where it can intercept credentials being exchanged, and this can lead to pass-the-hash potentially, if it's really old, or a different thing where we go through password cracking of what we captured, or even SMB relay attacks, to recover credentials, for example. But by default, right off the bat, Responder starts, from its config file, a slew of different rogue services. As you can see up here, there are a lot of different protocols and services it starts to try and capture all this different traffic that you can use to man in the middle.

So our first use case is just a simple one. We simply start Responder, we give it the interface that we want to listen on on the network, just eth0 here, and if we give it the -f switch we're doing a fingerprint. Fingerprint is essentially just going to try and see on the network, am I seeing this traffic, and can I get some information about maybe the OS, maybe the hostname, things of that nature; and from there, can I also capture some of these hashes, are they being passed across the network, these authentication attempts. As we can see here, we've captured an NTLMv2 hash, and with this, we'll get into it, but you can SMB relay attack this, more than likely, and it's for an administrator. The second use case is WPAD. We can do this by pointing it at the interface once again; if we do the -b and -w switches we're enabling WPAD and we're also enabling basic authentication. So when a user tries to open, basically click on, IE, right, they're trying to go to the internet, and when they do that they get prompted right here, and the majority of the time it's "Windows is prompting me for my creds, I'll just enter them in real quick." It happens a lot; mindlessly doing that, they enter it in and it's sent to us, because we created a malicious WPAD server that is basically listening and saying, "I'm the WPAD server; if you go out to the internet, check with me first, and send me your creds." We basically can do that by creating a wpad.dat file with just that -w switch. And if you can't really probe aggressively, just listen on the network, see if the traffic is even going on, and analyze it. So if you want to just prove the point that hey, I could actually probably attack this or use it to exploit your network, and that's maybe not in play, just do the -A switch, and that's going to analyze the network and see if you have any of this type of traffic going on, or WPAD requests going back and forth in the network, and it can really give you something for your report if you can't exploit.

So how do we prevent this? One way to prevent it is essentially disabling these protocols. They're useful but they can be abused, and we don't absolutely need them, but they are helpful if you have a lot of hosts in your Windows environment. It can be pushed out with a Group Policy to just disable the multicast protocols. We can also enter a WPAD file entry in DNS; that way it won't be broadcasting, "hey, where's the WPAD," and it will be right in your DNS records, so that can't be abused either. We could segment the local networks with more VLANs to try and limit the impact, and we can also ensure that NTLMv2 is the top tier being used, so that we can't downgrade to LanMan or NTLMv1.

So with that, the fourth common way we usually attack your network is SMB relay attacks. Like I showed in the first use case, you capture an NTLMv2 hash, and it's for an administrative user, and with that basically now we can try and relay these credentials that we captured from the challenge-response protocol exchange. We can then say, alright, I'm going to start a malicious HTTP or SMB rogue service, and from there I can try and relay that, log into their box, and get code execution. That can be caused from this LLMNR or mDNS spoofing that you get from Responder, or could even be caused by automated processes, and that could be just things that are authenticating across the network that you don't really think about. If there's no agent installed and they're just spraying creds across the network to try and authenticate to the box and do something like a task or update or patch management, or even a vuln scan, that's happening on your network and we can abuse that. It's for good, but we can, as attackers, use it for bad. So every time I come on the scene, right, as a red teamer, and I come in all happy, like, alright, we're here to help you (well, we are), the blue team freaks out; they're like, we have to patch everything, we have to make sure everything's configured, we don't want to look bad. It's always a game of cat and mouse, and everyone thinks that we're there to just abuse everything, but we're not. So the blue team runs Nessus. I have Responder running; essentially, maybe I have an SMB relay tool running as well, and let's say I'm targeting a host on the network. Well, let's say if there's no agent installed, the Nessus scanner is going to try and do an authenticated scan, more often than not, and it's basically going to try and authenticate through SMB, and I could essentially just man-in-the-middle attack this and then gain code execution. But I'm going to explain this a little bit further in a lab environment you guys can kind of follow along with in an example in a second.

So just to give a high-level perspective: the attacker box, my Kali instance, is .103; the domain controller is .105, oh sorry, .102; and the thing we're targeting, the Windows client, is .104. So the first thing I'm going to do is, with msfvenom, create my malicious file. I'm going to say I want to make a Meterpreter reverse shell, point it back to my Kali instance, and I created my reverse-shell .exe, as you can see. From there I'm going to use my multi/handler and set that up with the same exact configuration I did with that binary, make sure everything's clicking, and I'm also going to set the AutoRunScript option so that way, if this all works and pans out like I want it to, I'll be able to migrate to a more stable service and not lose my connection. So make sure you set all these little variables up perfectly. From there I'm going to open another terminal and I'm going to use smbrelayx.py; this is by Core Security. You can also use something within Responder, or other different modules and things like that in Metasploit, but I like to use smbrelayx.py. Essentially what I'm going to do is point that at my target, which is that Windows client I'm targeting, and point it at that binary I created. From there I then switch to my other VM, my domain controller, and I'm just going to say, hey, I just want to do a quick dir listing on that target, and by that it's making a request and sending that authentication to that client. From there, because of that traffic going on, I'm capturing that hash, I'm basically relaying the NTLMv2 authentication, and now I've basically got a Meterpreter shell on that Windows client I was targeting. So I've essentially abused the resolution of trying to say, can I get to this server, can I list this directory; I've abused that authentication process and now I have access to that box. Now from another perspective, in a lab you could just get the free version of Nessus and do the same thing: you start your SMB relay, you also start the same process with the multi/handler, and you start a scan going after that target we're targeting; then the scan process tries to authenticate and we can do the same exact process. So it doesn't always have to be from the multicast name resolution; it can also be from these automated scripts and automated tools sending authentication across the network.

So how do we prevent these SMB relay attacks? The real way to truly prevent it is to require SMB signing. That can break a lot of things in your network, especially with Samba and Linux hosts and things of that nature, but essentially what we're doing when we do SMB signing is just digitally signing at the packet level, and we're confirming the origin and the authenticity of it. We could also, once again, disable those protocols; we can create that WPAD entry in our DNS; we could just prevent SMB traffic outbound, which you should be doing altogether; and we can enable EPA, Extended Protection for Authentication, with Windows systems, and that's just adding icing on the cake to the authentication process.

Alright, so this is near and dear to my heart, and real-life, people: if you ever do an internal pen test and physical is on the table, you can snoop around and look at people's desks and just see if sticky notes are there, their notebooks are there, things are in the open. People are just, by nature, we have so many different things we log into and so many different accounts, everything all the time. Sometimes it'll be for internal apps and they'll just write "here's my username and my password," and they're usually not that complicated if your company doesn't have a policy in place. So I'm going to explain to you the fifth way that we commonly get into and exploit your internal network. Essentially, if you run any kind of vulnerability scanner, it'll find these things: it'll find username enumeration, potentially lack of automation controls, which means I can brute force and knock on the door all day, and lack of password complexity. I'll say these are all low findings, but what we can do is piece these things together and create that perfect storm to give us that account compromise, and from there show what we can do. I'm going to explain potential ways you could do that. So, username enumeration: a lot of times, password reset features. We'll see this a lot with applications; you'll enter in something and it'll say "email address not found," well, if it did find something it'd say "I just sent you an email." So now we can gather that, put it in our list, we have that user or that potential email. Login error messages: a lot of times this is really hard to prevent. If you enter in a username and it says "invalid," and then you enter in, say, zack2 (I entered zack1 first, then zack2) and it says "username found" or something of that nature in the error message, because it's just trying to be verbose, you can abuse that feature and collect usernames. Contact us: I've seen it where I had a drop-down list once and it said, "which admin do you want to contact out of these four," and I'm like, holy crap, now I have all four admins' usernames for this and I could just brute force all day, hopefully. Timing: sometimes in Burp when you use Intruder you'll see you can usually rely on the content length and status code to really tell you if you've gotten in at all when you're doing your brute-force attempts, or if there are any anomalies, but look at the timing; sometimes the timing can also give it away. If you've got a valid one it'll take, say, 15 seconds to process, while if it's invalid it's less than a second, so keep that in mind. New user registration: this is also really hard to prevent, and there's not too many ways around this, but it'll tell you that username already exists, because you want that username, it already exists in the database, it can't be used; well, now I know that's valid. There's a lot of other things you can also look for: sometimes there are easter eggs in the client-side source code of applications; various error messages will give you a lot of different things; use Google hacking and OSINT, like the previous talk said, there's a lot of different things with theHarvester, and you can use Recon-ng to really help your game with trying to get usernames; and sometimes the application just tells you, PHP
bulletin board is guilty of this in the bottom right corner will tell you who walked in last WordPress is bad this it tells you in the comments it tells you in the source code the author parameter I mean there's just countless things that you can do to really enumerate these four names so once you gather these user names let's move to step two step two logins whether it's an application login or a service login I'm going to talk application here but we basically pull up that request and we're gonna try and burps repeater things manually we're just gonna say alright I knew Bob 1 is a user and I'm gonna just enter in his word and maybe variations
of hassle to see if it works if I do it 5 to 10 15 times and I get know like message like your counts lock or something's going on I'm gonna keep knocking on the door because more than likely I'll count lock out is not there so if there's no sign of automation controls send that from repeater to intruder and let's make this an automated process a lot of times if you have a CAPTCHA that can support this or the I'm not a robot a lot of people starting to see that more and more with the checkbox or like all these p.m. images works like there's a railroad is auto real Road okay you know and
basically one thing to always not overlook if you're looking at an application may be the main login is strong but maybe they're like mobile or their API doesn't have the same settings maybe the brute force those and use the same you know user names and different things of that nature to try and get into that interface and last as we know humans passwords we're terrible unfortunately unless you're at security and if your company doesn't have yeah Major Stovall if you if you don't have policies in place with your company or your organization more times unless we're gonna really just choose something simple whether it's a relative to name our dog's name or favorite football team
or I've seen it where people use their usernames to password where they use variations of password the month of the year we just saw that sticky note I kind of changed the month in the year but that was on a sticky note I saw I don't want to get probably the company name in year tons of this out there with the keyword walks and variations of it in the lane so up your game with that and you know wheat passwords are just inevitable especially on the mostess pen test receipt but there's a lot of lists out there SEC list has a lot of great things if you want to check that out I believe Mike watches last names of
Daniel meisler yeah he basically is one of the guys who basically runs the setlist program and it has a lot of great lists whether you're doing fuzzing or password lists or even things with Network intrusion it has and you can use this and I like to use it with perps intruder to do my brute-force attempts and you can also research your target and kind of get creepy and hackery and you can use tools like cool and create these that custom word lists or know that like Bob is the sysadmin he's a huge Pittsburgh Steelers fan or you know at Philadelphia Eagles fan you could try and make variations of that you know is the password and go from there so from
there as you can see with these different variables if we can piece them all together like via a username enumeration the passwords are probably weak and there's no lockout we can eventually just keep knocking on the door until we get in so as you gather these valid credentials and you get this account compromised send it to a listing of your own sorts and try it across a lot of different services but try not to lock people out at the same time it's hard so if it's connected to Active Directory a lot of times it will be lockouts so keep that in mind as well you use other things besides intruder if it's not application based like Hydra
crack math there's SMB modules of Metasploit you can use em math NSC scripts and things of that nature to also do these group course attempts always tried default creds as sad as it is we had several pens s recently where default creds are just rampant and a lot of times they say oh that's a vendor small this is not my fault it's the vendors money it's okay I mean it happens but if you can enumerate the technology and the version use that to your advantage because the creds will change over years you'll see that a lot and more and more vendors are starting to move away from people credit which is good they're just using a default
username and then they're making you enter in a password a lot of times after making you change how commonly we see a lot of shared group creds across Linux systems and we'll see a lot of shared local admin accounts across the enterprise as well so a lot of times people are trying to make things easy and just say I can log into everything I want across my Windows environment with this one account well if I get that that's the holy grail and scheme over so that's the realistic perspective of what an Hat attackers looking for so some final thoughts and tips if you're doing any kind of external reconnaissance on anything on internet use showed an in
census they both have free versions odeon has a paper version as well but essentially it's passive reconnaissance you'll have to send a single packet to the organization it's in a database you can look at it and basically get an idea of what you're up against whether it's an organization firm IP space whatever it may be and it can tell you a lot of things about port services and potential vulnerabilities like even part the need out there make sure you investigate shares when your internal I like to use enum for Linux it's simply just a Perl script that wraps genome Exe and it gives you a lot of information about the shares and it can also give you
usernames different things like that password complexity you'll tell you sometimes it's pretty cool stuff so check that one out in the lab environment if you can online content immersion like Andrew said it's a treasure chest a lot of times developers will forget or a lot of times people will think like oh okay I've locked that down it's definitely a 4 or 4 or 4 of 3 there's no way it's on my server well it happens so the point where one time you were going against the server and we found a zip file with tons and tons and tons of resumes and I think also some PII yeah and they were like holy crap that's internet-facing
I thought that was it just because they down on their web server it's just goes to show you you don't think about it but that's unlinked it's not in the sitemap but it's there so you you know use your intruder and try and find that content passwords written on sticky notes like I said yeah usually this happens it's human nature we all do this lock it up put it in a drawer or as you can I guess use one of those different things like LastPass or something of that nature if you're an advocate can you reset the password via the help desk good old social engineering this is fun if you ever can do it and you're doing
pen testing I love it it works sometimes it doesn't work sometimes sometimes I have to hang up phone half way through or I just have to say yeah come see me at my desk and you know then I have to tell the POC uh you're gonna go find Joe and think that II just wants the recess password I try I try and you're like oh I keep doing on command but I can do it in the moment so I hear but yeah can we put up and then the other things we want to do is if it's an application or anything in its custom or its you know commercial or whatever let's try to abuse Eaters
there's a lot of different things we have another talk called beyond automated testing which is all on external web and testing we've give it an other talks and that one talks a lot about feature abuse and how we can have used contact us forms and we could have used you know different things of login features and just other different things that the norm you'll see on the web and people were like this is great my users are gonna love this and then attackers won this is great I can abuse it so you'll find other things you can do with the technology and you want to really look at the functionality it's trying to perform and figure out how can i
misusing once again did you get valid credentials try them across everything but try not to a lot of people out so also keep that in mind we see that a lot like I said with Active Directory it'll you know have different rules in place with a say five bad attempts get locked out and then you know people freaking out here's some useful trainings and links we like to always just say you know if you if you go in after a certification you want to learn something new cyber e is a great site you can go to their local for us here and Maryland Maryland I think they're Columbia but we actually have some stuff on there as well they reached out to uh
Andrew and then we kind of got with them and then we create a couple session Wednesdays but they have a lot of cool stuff like if you're going after your CH or sis B or something of that nature or you want to learn how to use you know me me cats or something of that nature they teach you and it's all free so check that out if you want to do some capture the flag events in your own time phone hub pen test lab pass since the upright ups out there a lot of different things those resources and these are all hyperlink they're all SlideShare so you don't have to jot them down you can go
just click on them training we personally like office security sans security to is really good with the vivec he has a lot of good things like the pen testing Python course and he has a PowerShell one as well books there's the books talks there's tons on iron each channel all the time I think we're on potentially filming right now and tons of great talks there and like I said there's tons of great things on github as well like the sec list and then there's even the security list with fun and profit which is just a huge hub of just everything InfoSec so feel free to check all that out because you know we like to share the community and
always get better and we don't know everything and you know we always want to just the ball so if you ever want to contact us there you go we also gave our twitter handles earlier and you know we are hiring at breakpoint labs right now for a couple different positions so if you're interested feel free to let us know or just shoot us an email but you think you can you time and hopefully you learn something enjoyed it other than that thanks everybody and if you have any questions
[Applause]
Thank you. So hey guys, there's been one question that's been going around, and that is about the challenge coins. So if you want one of the challenge coins, the people who have them are the sponsors; you walk next door to where they're doing the capture the flag and the wireless challenges, you can go through there, you can talk to them, but that's where they're at. We're not selling them; if you want one of the challenge coins, if you're one of the collectors, go over there, talk to the vendors, they can hook you up. Thanks folks.
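The SMB signing point from the relay section of the talk (requiring signing is what actually stops the relay) is something you can verify per host before a relay attempt or when checking remediation. The following Python is an added example, not code from the talk or from Breakpoint Labs: it parses the SecurityMode field of an SMB2 NEGOTIATE response and reports whether signing is merely enabled (historically the default on Windows workstations, which leaves them relayable) or required (the default on domain controllers). The two responses are constructed by build_negotiate_response(); the server GUID, buffer sizes and dialect 0x0311 are made-up values, and nothing is sent on the network.

```python
"""Added example: decide whether an SMB2 server requires message signing by
parsing the SecurityMode field of its NEGOTIATE response (the same field
nmap's smb2-security-mode script reports).  The sample responses are
constructed here, not captured from any real host."""
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_HEADER_LEN = 64
SMB2_COMMAND_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001      # set on every response
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002


def build_negotiate_response(security_mode, dialect=0x0311):
    """Constructed NEGOTIATE response as seen on TCP/445: 4-byte NetBIOS
    session header + 64-byte SMB2 header + 64-byte fixed response body."""
    header = struct.pack(
        "<4sHHIHHIIQIIQ16s",
        SMB2_MAGIC, SMB2_HEADER_LEN, 0, 0,       # ProtocolId, StructureSize, CreditCharge, Status
        SMB2_COMMAND_NEGOTIATE, 1,               # Command, CreditResponse
        SMB2_FLAGS_SERVER_TO_REDIR, 0,           # Flags, NextCommand
        0, 0, 0, 0, b"\x00" * 16,                # MessageId, Reserved, TreeId, SessionId, Signature
    )
    body = struct.pack(
        "<HHHH16sIIIIQQHHI",
        65, security_mode, dialect, 0,           # StructureSize, SecurityMode, DialectRevision, NegotiateContextCount
        b"\x11" * 16,                            # ServerGuid (made up)
        0x2F, 0x800000, 0x800000, 0x800000,      # Capabilities, MaxTransactSize, MaxReadSize, MaxWriteSize
        0, 0,                                    # SystemTime, ServerStartTime
        128, 0, 0,                               # SecurityBufferOffset, SecurityBufferLength, NegotiateContextOffset
    )
    smb = header + body
    # NetBIOS session service header: message type 0x00 in the top byte, 24-bit length below it.
    return struct.pack(">I", len(smb)) + smb


def parse_security_mode(packet):
    """Return dialect and signing flags from a NEGOTIATE response; raise
    ValueError for anything that is not one (wrong magic, wrong command,
    request instead of response, or truncated data)."""
    if len(packet) < 4 or packet[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    length = int.from_bytes(packet[1:4], "big")
    smb = packet[4:4 + length]
    if len(smb) < SMB2_HEADER_LEN + 64:
        raise ValueError("truncated SMB2 message")
    proto, hdr_len, _, _, command, _, flags = struct.unpack_from("<4sHHIHHI", smb, 0)
    if proto != SMB2_MAGIC or hdr_len != SMB2_HEADER_LEN:
        raise ValueError("not an SMB2 message")
    if command != SMB2_COMMAND_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    size, security_mode, dialect = struct.unpack_from("<HHH", smb, SMB2_HEADER_LEN)
    if size != 65:
        raise ValueError("unexpected NEGOTIATE response structure size")
    return {
        "dialect": dialect,
        "signing_enabled": bool(security_mode & SMB2_NEGOTIATE_SIGNING_ENABLED),
        "signing_required": bool(security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED),
    }


def relay_target(info):
    """An NTLM relay to SMB only works when the host does not require signing."""
    return not info["signing_required"]


# Constructed samples: a workstation-style answer (signing enabled but not
# required) and a domain-controller-style answer (signing required).
WORKSTATION_DEFAULT = build_negotiate_response(SMB2_NEGOTIATE_SIGNING_ENABLED)
DC_HARDENED = build_negotiate_response(
    SMB2_NEGOTIATE_SIGNING_ENABLED | SMB2_NEGOTIATE_SIGNING_REQUIRED)

if __name__ == "__main__":
    for name, pkt in (("workstation", WORKSTATION_DEFAULT), ("dc", DC_HARDENED)):
        info = parse_security_mode(pkt)
        verdict = "relay candidate" if relay_target(info) else "signing required, relay fails"
        print(f"{name}: dialect=0x{info['dialect']:04x} {info} -> {verdict}")
```

In a live check you would read the response from a socket after sending an SMB2 NEGOTIATE request and feed the bytes to parse_security_mode(); a host reporting signing_required False is one the relay in the talk can land on, and flipping the RequireSecuritySignature policy on that host is what turns the result to True.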
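The username-enumeration, weak-password, no-lockout chain the speakers walk through, as an added example that is not the speakers' code: a mock login endpoint, MockLoginApp, is constructed to return the same "Login failed" text for unknown users and wrong passwords but to take longer for known users (the password-hash comparison runs), and to lock an account after five failures, like the Active Directory case they mention. enumerate_users() probes each candidate once and flags anything whose (status, content-length) signature or response time departs from the majority baseline, which is the content-length, status-code and timing check described for Burp Intruder; spray() then tries one password across all users per round and stops before any account reaches the lockout threshold. All users, passwords and timings are invented.

```python
"""Added example: chain username enumeration (response-signature and timing
differentials) into a lockout-aware password spray against a constructed
mock login endpoint.  Users, passwords and timings are invented."""
from collections import Counter
from dataclasses import dataclass
from statistics import median


@dataclass
class Response:
    status: int
    body: str
    elapsed_ms: float  # simulated round-trip time, stands in for Intruder's timing column


class MockLoginApp:
    """Constructed target.  Unknown users and wrong passwords get the same
    'Login failed' body, but the wrong-password path is slow because it runs
    the password hash; an account locks after LOCKOUT_THRESHOLD failures."""
    LOCKOUT_THRESHOLD = 5

    def __init__(self):
        self.users = {"bob1": "Steelers2016", "admin": "Summer2016!", "jsmith": "Welcome1"}
        self.failures = Counter()
        self.locked = set()

    def login(self, username, password):
        if username in self.locked:
            return Response(200, "Account locked, contact the help desk", 2.0)
        if username not in self.users:
            return Response(200, "Login failed", 2.0)      # early return, no hash work
        if self.users[username] != password:
            self.failures[username] += 1
            if self.failures[username] >= self.LOCKOUT_THRESHOLD:
                self.locked.add(username)
            return Response(200, "Login failed", 180.0)    # slow: the hash compare ran
        self.failures[username] = 0
        return Response(302, "", 190.0)                    # redirect into the app


def _signature(r):
    return (r.status, len(r.body))


def enumerate_users(login, candidates, probe_password="not-the-password"):
    """One probe per candidate.  The most common (status, content-length)
    signature is taken as the 'unknown user' baseline, so seed the candidate
    list with plenty of names unlikely to exist.  Returns {user: reason} for
    candidates that differ from the baseline by signature or by timing."""
    responses = {user: login(user, probe_password) for user in candidates}
    baseline_sig = Counter(_signature(r) for r in responses.values()).most_common(1)[0][0]
    baseline_ms = median([r.elapsed_ms for r in responses.values() if _signature(r) == baseline_sig])
    flagged = {}
    for user, r in responses.items():
        if _signature(r) != baseline_sig:
            flagged[user] = f"signature {_signature(r)} differs from baseline {baseline_sig}"
        elif r.elapsed_ms > 3 * baseline_ms:
            flagged[user] = f"{r.elapsed_ms:.0f} ms vs baseline {baseline_ms:.0f} ms"
    return flagged


def spray(login, users, passwords, attempts_per_user):
    """Password spraying: each round tries ONE password against every user,
    and only attempts_per_user rounds run, so no account collects enough
    failures to lock.  Returns (found, passwords left for the next lockout
    window).  Enumeration probes already sent count against the same budget."""
    found = {}
    for password in passwords[:attempts_per_user]:
        for user in users:
            if user in found:
                continue
            if login(user, password).status == 302:
                found[user] = password
    return found, passwords[attempts_per_user:]


CANDIDATES = ["alice", "bob1", "carol", "dave", "admin", "jsmith", "zack1", "zack2"]
PASSWORDS = ["Password1", "Summer2016!", "Steelers2016", "Welcome1", "Fall2016"]


def run_demo():
    app = MockLoginApp()
    flagged = enumerate_users(app.login, CANDIDATES)
    # one probe per user is already spent, so stay two below the threshold: 3 rounds
    budget = app.LOCKOUT_THRESHOLD - 2
    found, remaining = spray(app.login, sorted(flagged), PASSWORDS, budget)
    return {"flagged": flagged, "found": found, "remaining": remaining, "locked": sorted(app.locked)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Against a real target the login callable would wrap an HTTP request (or an SMB/Hydra-style service login) and the lockout threshold would come from the domain's password policy, which is exactly the value enum4linux can print; the point of the budget arithmetic is that the enumeration probe and the spray share one failure counter per account.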