
Enemies of the West - Neil Lines

BSides London · 2014 · 46:53 · 569 views · Published 2017-06
About this talk
On November 24, 2014, "Guardians of Peace" (GOP) released confidential data from the film studio Sony Pictures. North Korea was blamed. My talk will very briefly look at what happened (the opening section on what happened will be very brief, because it's quite common knowledge that they got hacked); the talk will then quickly move on to technically how it was achieved, which is not so commonly known, especially showing demos of how each stage could have been achieved. The demo and how it was achieved is what I personally found interesting while researching this. What concludes is how closely the attack mirrored a typical external social engineering / internal penetration test. The talk will not in any way disrespect any parties, but it will remove the hype, revealing what in reality was a crude and simple attack that could easily have been performed by a single person, and not what people would expect from a nation state attack. The talk will be backed up with stats and examples from personal experience of external/internal social engineering, infrastructure and application testing. It will include demos showing how an attack achieved by the GOP would be simple to replicate due to commonly overlooked security hardening measures.

Transcript (en)

right hello everyone thank you for coming can you all hear me okay brilliant let's start then right 20 2017 what is going on August 2016 Shadow Brokers claimed to have stolen cyber weapons over eight months they leaked exploits April 14th 2017 they leaked Microsoft exploits Ms 17010 as much impact as ms8 067 had here you go here's ms710 in action allows you to get a shell off a device very easily and the criminals never in my lifetime I don't think I've seen National newspapers every single one on the front page talk about the impact we're at War so who am I my name is Neil lines I'm involved in a range of security areas social

engineer is my favorite and I work for attitude case one may 2016 US looks set to elect their first ever female president June 2016 it was reported that networks of Democratic National Committee DNC had been compromised no proof of Russian government involvement is suspected but the world suspects Russia based hackers known as ap28 were responsible for it a month later thousands of stolen emails and attachments were published on Wikileaks the attack was carried out using fishing emails sent to political figures a lot of my facts and figures come from National newspapers I'm very interested in the media and how they sort of see things by the way this is what was used by ap28 or

it's what they use it is a fake Google fishing email that sent out to it's credential Harvest it's used to steal people's credentials remotely uh following it was reported that the DNC replaced its computer systems laptops and phones the head of the DNC resigned okay I think how many people they've got working for him I read that and I thought they're going to have thousands of people working for them did they really replace all the phones all the computers all the servers if they did that shows real fear what happened following that attack history may consider this hack responsible for losing an election emails are now mightier than the sword right we're going to look at

nation state threats today uh I'm very interested in what is a nation state threat how sophisticated are they are they replicatable um are they what we call Cutting Edge and very interesting so when you think of nation states these are your typical people we might think of Russia China Iran and North Korea what was interesting was recently Wikileaks published something that said that the CIA who we don't think of normally went to Great Lengths uh to basically disguise its own hacking as Russia China North Korea and Iran so it's the waters are slightly muddled we don't quite know when these attacks happen who's really doing it we'll never know this is something interesting that I've read in the media North Korea

theoretically apparently has 7,700 employed full-time penetration testers or hackers call them what you like uh I think that's interesting because a lot of people think of North Korea and they think are very sort of limited it capabilities well they've got 7,700 of them working in their so-called cyber Army that's a pretty big for this is something that I like uh and I've had this on other talks I've done I like this slide you'll never be able to prevent all of them everything is penetrat eventually uh I think that's right I think all you can do is you can slow them down you can help defend against it if someone wants to get in as we all know they will eventually so what

are the targets uh governments now I've added recently politicians this isn't an area I had thought about but as we all know it is an area that's been looked at all the time um medical companies they're interested in records sensitive information information that you could discredit people with information you could bribe people with uh manufacturing Retail Energy companies very interested in banking as well here's an example from the media ap28 or fancy bear as they're know back at it again uh they don't stop um hacking group linked to Russia's military has began taking aim at France's presidential candidate uh this is interesting um if you look mark March the 15th 2017 IP addresses that are associated to them have been seen

registering domains uh French domains they're targeting theoretically targeting another electoral uh campaign right a quick rundown on others uh and this was sort of last year and this year uh Ukraine power supply was hit uh Yahoo data breaches uh the DNC we know were hacked and that's a lot of money from Bangladeshi Bank was taken these are the sort things that theoretical nation states are up to okay this is something that interests me it was another statement on a TV program I saw to date no single act of cyber crime has been regarded as an act of War I think that's interesting when you look at sort of the targets that they're attacking and what they're doing

and theoretically what's going on but apparently there has been no Act of War okay so think nation state threats what do you think I'll throw this out to the audience I can't quite see it because all the lights but does anyone want to say what they think when they think State go for it anything that's going to disrupt the banking the economy your general infrastructure the ability of the government to respond brilliant it's just literally caused massive disruption to government and theoretically undermine a government um anyone else got any theories on nation state what do you think well I think what the media portray often is um the pro the best the best of the best the elite

top level of hacking you know the people you want you pentest as want to Aspire to be like that's what they kind of generally give you the impression of when you think of nation states here you go very costly massive Global attacks highly sophisticated the pros the thing was if you look at what they're actually doing they're hacking people a lot of the time using credential Harvesters and that's quite low down the Spectrum so it got me thinking and I know I've spoken on this sort of theory before at conference is but it's something that interests me I'm going to keep talking about it can a single person accomplish this are they sophisticated and what would the costs

be right so we're going to look at some demos now remote to internal these are examples of stuff I've used now I've used multiple different things um Outlook you're running out of space click here to free up space or look up where your use where your files are I've used office invites for meeting WebEx invites um dating websites really really popular if I send that on a test Time arm I get credentials very very quickly retail I get credits that way very very popular depends on who you're targeting but these these work really well now what a lot of you thinking is if you see there the only way there's no attachments with these the only way that

someone's going to be exploited is if actually click for more information so if you click what happens

sort of ruined it oh no you can't sit on the board how do I move my video to the

board y drag it to there oh there we go wooo it's very click right how the hell do I press play on this right here we go I'm going have to do it quickly and you can see the response right here I've got responder going if they click on it bang we get a username we get a domain name we get a password hash now you get an error the error happens after we've got the hash now I'm not going to discuss fixing it just yet I will come up in my talk

okay so can we crack the hash a lot of people it was discussed in the very first talk earlier with the raspby p which I thought was really good um yes we can crack the hash um ages ago we released a password dictionary that took rock you and it looked at all the passwords that people generally use from pass from penetration tests that we've done and there's a lot of common things if you have Microsoft complexity enforced they're going to put an upper case because you have to have an upper case and most people put the uppercase as the first letter on their password now I know some of you here will say I never do that but the majority of people

do when you enforce a special character they will also put an explanation mark on the end or an at symbol for an a basically we took the concept of rules and uh compiled rock over and over and over again doing all these versions that rules would do but also added football teams cities names all the stuff that rules doesn't do uh and you end up with addiction it's quite quick it's a lot quicker than using rules now I don't want to BU too much about it but that date there was from a test I was on I gained eight hashes remotely doing UNC and I used crackstation and hash killer and the top thousand and all these other

dictionaries that have been released and I like to test them against Rock tastic they got nothing and then I used them with rules and they got nothing out the eight now it's not congratulations you got one out of eight that's a really low score in my mind but it did manage to reverse one which I was chuffed about which is why I've included it here and then why not rules uh rules there you go they don't add stuff uh they're very very slow if you use hashcat with a big dictionary and rules and you've got a rubbish laptop you don't have like multiple graphics cards it is just really really slow if anyone's interested in the dictionary you can

grab it from our lab's website right another example of UR andc this is going to be marginally painful isn't it

oh there we go that's good right I have a sponder going just from viewing the website we've managed to steal creds and the reason why this has happened if you look at the source code which you won't be able to see at the back so I'm going to zoom in and let you see it in a minute what we have in the source code which it's a cloned website by the way it's worth mentioning uh if you zoom in there you go it's an SMB request in the source code now IE will look at at S&B request known as UNC exploitation it will look at it in a website and go oh that's fair enough have my username have

my domain name and have my password hash I I I was shown this a couple of years back and I've been using it ever since and even today it just blows me away that it works it works really really

well okay I talk a lot about UNC so I thought for this talk let's do something a bit different just for a short period uh recently has anyone heard of Windows 10s is anyone impressed by Windows 10s it's got some good functions it's a very stripped down version of Windows it's very streamlined it's supposed to be a lot more secure it's supposed to be a lot quicker um I was reading it and I was very very interested and then I got down to the bit about the browsers it comes with and it says it comes with Edge as You' expect they're going to sell it with their own um browser but it had this bit

it's it's more secure than Chrome and Firefox and I had a number little one next to it and I thought oh here we go what's this so I'm reading it and it takes you to this NSS Labs reports so I downloaded the report as any of you can do that's the address if you want to download it um and they conduct independent Global tests measuring how effective browsers are protecting against socially engineered malware and fishing attacks well I do a lot of fishing attacks this is fair game is what I do I'm interested to see so as I said download the report I read through the report and it got 78,2 examples and it cut that down to

991 they don't explain really the reason why they cut it down to 991 I'd like to have known but they don't and they basically conclude uh 10 pages of stuff and more stuff and more stuff and Pretty P charts uh less means better and they they concluded that edge is the best at blocking uh fishing sites and it's the quickest uh the quickest bit yeah I have seen anyone does a lot of sort of fishing or social engineering tests they'll see you register a domain and sometimes with been half an hour sometimes even less your domain gets blocked it it does happen um I tend to find that Chrome does it quicker from experience but that's just my own

opinion um but they say officially Edge is the best so I thought I'd put it to the

test playing and here you go I cloned the Microsoft website as you do you need something to lab with and to test with and I dropped a UNCC request into it remember this is the best browser at defending against um fishing attacks unc's fair game in a fishing attack I use it all the time so I refreshed the page oh I'm getting hashes instantly uh crime and Firefox aren't vulnerable to that then I'm not here to Pro a browser but they won't natively support uh Microsoft functionality in their browsers I personally think that's quite

devastating there any questions from that by the way as we go along right so we got creds what now uh this bit I love on tests I love getting creds we'll talk about shells later but I I like getting creds I like working off low and I start low and work my way up um SSL VPN Citrix environments Office 365 uh Outlook they're all very uh capable to not be protected with two Factor authentication I find regularly that they're not on tests um which is lethal because the minute you get to Main credentials using sslvpn you've got a direct connection to internal Network um you can just start an internal test and it typically takes from sending an

email 5 minutes until you're on their internal Network and then from that it typically takes 30 to 40 minutes until you da I'll get onto that later though um Citrix is always good as well Citrix allow it's kind of like a breakout test once you get onto a Citrix box because they're often kind of restrict but again there things like CB roasting which we get on to later you can become domain admin again very rapidly Office 365 not these two at the bottom obviously won't give you remote access into their internal organization but outlooks just a great one we quickly doing searches for passwords and other things people always store them in emails VPN information sometimes you can

find a little bit more in air that can help you um Office 365 gives you access to all their documents U my drive will Mount will store to their cloud and you can look through it once you've got access now this is we've been doing on test for a long time but I read this recently this is from Wikipedia Bel if anyone's interested it's about ap28 or app 28 um they will send emails with malicious links to people they get they the person goes to the website that looks legit the cloned website they input their credentials I don't know how they do it whether they're I think it's just credential Harvest from what I've seen I

don't think they're using UNC um they then use the credentials to access so five and six that interested me I just automatically thought that a nation state would be going straight in with a zero days and kind of I don't know malware of some kind but theoretically they're not okay credit where credit is due Office 365 recently I was on a test and the minute I put the credits in I thought here we go um it instantly alerted me to this popup saying it was sending a phone call to the user with a two Factory authentication pin I thought that was that was very clever I thought it's instantly now they had configured it to do that but it's one of the things

that Office 365 does offer as an additional Service uh for two Factory authentication so once you log in it will text the person immediately or email them with a pin or it'll phone them and uh from a remote perspective you try not to sort of be spotted by anyone knowing that you've just sent them a telephone call that's pretty good and also I'm not 100% sure you can easily clone that and steal those creds right now we're back on to shells so if you andc fails and you need a shell okay I've always said forget zero days um functionality functionality functionality functionality is always fun to exploit it's never going to get blocked um unlikely it's going to get

blocked and zero days cost loads of money and they're often not weaponized and they're often not stable well what's just happened over the last couple of months they're free they suddenly we're getting them all free people aren't paying for them they're being released and they're pretty incredible so I've backtracked on that now and so let's not forget about them and let's take a look at them so for people who don't know who don't read newspapers don't use internet which I know one here but quick Story the NSA owned loads of cool toys uh Shadow Brokers illegally took those toys they tried to sell them no one paid for them Shadow Brokers released them for free on the 14th of

April 2017 they released a few of them that's what followed that's the level of danger that we all saw following the release of these okay I'm being a bit nasty here but the moral story is don't leave SMB Port 445 open from the outside Ms so8 67 used to Target this so we're talking back to 2008 before 2008 people were attacking SMB from the outside how is this still open on firewalls because that's how wry apparently worked there's been people have been looking to see was it emailed in and the theory is no it was Vira worm attacking Port 445 I have no idea how any of these people who got compromised have still got Port 445

open okay before Eternal blue though people were raving about this people very very quickly forgotten this it was really like at work it was a buzz when this came out everyone was talking about it can we use it is it good is it stable right what is it it's an exploit when you do a macro you get a macro warning or if you do other things like OAS you get a warning when you're about to run it uh CV 2007 0199 catching um does this automatically upon opening it opening attachment you open a Word document automatically triggers now to dat now there are some if you're in protective mode it will still put you into protective mode and

ask you to click to come out of protective mode but it doesn't ask you to run a macro and it doesn't warn you about anything and this is why it's new and the person who discovered this exploit uh it's it's actually functionality is exploiting it's legitimate functionality that no one's figured about exploiting yet which makes it again very very interesting but this is the main thing why we all got excited you no longer got the macro warnings So in theory if they copied it from the email directly to their desktop and opened it well I've kind of told you what it does but let's have a

look there you go there's a victim machine I've got C here I'm open the word docum bang you get the error you got a session so it's pretty devastating I take it here a lot of people use metp or Metasploit but if you don't it gives us a remote access to their machine so what's happened was by opening that word document they have made a reverse connection back to us and using metas sploits framework we can control that machine

remotely the problem is with zero days uh they make headlines they're big news and AV signatures instantly come out now what I noticed with that there is some little tricks you can do to already bypass AV with it initially you could just use it and then it got picked up quite quickly and there's some little tricks you can do uh which work but they only work at the moment and they're going to get caught and they're going to get caught and they're going to get caught which is why I always think it's good to go back to functionality now arguably is macro and O A functionality they they are they exploit functionalities can everyone see the

videos okay I try and make them as big as I can but they're not always easy to see so let's look at macros first so back on the victim's machine you open a word do there you go get the warning get rid of that get the warning and eventually a power shell session goes back and says give me a session Bank you got remote connect uh access to that machine you don't obviously send people a blank document I will get to that in a minute but now let's have a look at OAS so the difference between an O I'd like to pause it here OA is an embedded object and it's functionality in Microsoft allow they allow you to an object there

you go you hit run that was the warning you get and again we get a reverse shell now what you would normally do is you'd send an email from someone and you would put reasons why you've got word attachments in there you can have any IM you like but for some reason a lot of the people out there who are using these real people using these on you know to explo people they seem to be putting Excel spreadsheets in here's your I don't know financial information here's so and so here's the internal contacts list uh so on test we like to replicate that okay final point before I go all internal uh One Word document can

contain all of them I call this like heavy weaponization and it looks ugly as hell but you can have a macro you can have an o in there you can have a UNC in there now how do you get people to uh open them to trick how do you trick them into doing it you start telling them oops something's gone wrong now all these things that that we use on tests this is what the real world's using and we just screenshot it and just add it to our that's literally just a JPEG on top there's nothing technical here originally we all looked at ways of s I can't say the word blurring out the text

I won't say off Kate because I can't say it blurring out text we looked at ways to blur out text but um there's no point why waste half a day or a Day writing something clever just use a JPEG it's what the criminals do so and here you go this is one of my favorites recruiters recruiters recruiters how many in this room are recruiters staying quiet I uh we all not just me we all get emails all the time LinkedIn invites phone calls emails saying why didn't you take my call occasionally you might get annoyed by one you think that's that's nice I like that template I'm going to use it so there at the

bottom is an O and this is when it kind of looks more believable you might have four or five of them maybe 10 of them and you'd say this job reference click here for this job reference click here people will click on them and they will press run and you will get remote access it does work and then they stop working we were using these for about two or three years I'm using them really well really happy we're like woohoo we're the best and then they literally just stop working I kept banging my head against the wall and I got fed up about it really I really got quite depressed about it it's really bad I should be happy finally

people are fixing things um the all new singing and dancing spam virus blockers dedicated anti-spam antivirus anti- fishing security appliances the uh unified fret Management Systems the fishing proxies and stuff email security devices they're good they're good they're working well they see macro or they see any kind of macro in a Word document they block it they see an O that's a good one I'm surprised they Block O they block them they don't block UNC that's worth noting UNCC is just legitimate functionality they're never going to block that um but they're very good at blocking shells and uh I was getting beat up about this I started talking to some of my colleagues and I was spoke to one of

my friends and uh Mr Hagen 23 I'm not sure if you can see him follow him on Twitter he's a very smart guy I I talked to him a lot he said no stop messing around make him come to you I I was like what make him come to me I have to turn that off oh I can't no can't stop it okay and I was like what what do you mean make him come to me and he goes I've got like a Dropbox clone it's not drop Blox it's a clone I created myself and I send them a normal email just a link saying uh We've implemented some changes blah blah uh can you check it's working click here to

download your file and they'll go in themselves and get it and it bypasses all your email filters because it the actual payload that's in the word document they've T they've downloaded themselves it's genius absolutely genius so you said you can have a copy of it and I wanted to show everyone here it because it is genius but I don't want you to see what I use so I made a a mockup of it so here we go SharePoint online doesn't even exist users log in of course that's a credential Harvest it's also got you andc in the background so all your domain admins who take a look anyway click here I'll get back to that

in a minute click here and there you go so that bypasses all your email security filters and proxies pretty scary um the UNC thing a lot of the time when you're doing a test test or I would imagine happens in the real world if someone reports a suspect email which you do get on every single test it will be alerted very very rapidly normally uh what you find is the IT team will look at it and they'll be interested wow we're safe to just look at it right nothing can happen just from looking at a website so of course they they'll look at it and we've got UNCC embedded in it uh SMB request and we'll

snag their creds just from looking at it so even if they don't put their creds in even if they don't continue and download the file we still got a good chance of getting creds from it but if we get creds and hashes and we also get them to download it we' got a shell while winning right so now we're on to rocking internals uh with new tricks right I get asked a lot have I seen blood hound and the last couple of days people have said have you seen Death Star now uh yes yes and yes um Deathstar is very very cool what blood hound will do is it will go out and find where your domain admins are and it will

find you the quickest route to the domain admin and is definitely something that blue team should be using uh the where people have done tests on sites where their team know what they're up to um and they're really Savvy they've been using uh blood hound and colleagues aren't getting domain admin and we get domain admin so uh it's very very good and it works uh death start automates it I've only seen a couple of YouTube videos of it um I believe there's a talk about it coming up at a security conference uh but it will automate it for you you basically just right click go and it will go off and it will use Blood Hound it will then look for any or

a misconfiguration which I'll get into in a minute um and it'll use mimicat where the domain admins are and it will just return you the domain admin accounts it's bit of a right click next go it's very very scary it's obviously going to be you know obviously someone was going to write it and it's now happened um so people will start weaponizing this sort of thing they will have this knowledge and you'll start to see people using it um it looks very cool uh go uh I've just discussed that uh the gpp passwords um was group groups XML I will get to later okay that works um that will work unless people have done that update or

if they don't use a groups XML file what groups XML files are they instructions on windows that are used by group policy that contain an administrative account and the password hash um now if you use ms14 025 it doesn't stop the groups XML files that were already in there but it stops you from ever adding any more following it so you should still go back and manually delete your groups XML files that have that in but secondly if they're using Windows Server 2012 and onwards it won't work because mimic cats so there is a bit of protection at the moment for people I think it's right personally I I've pested for quite a few years now and I

think it's good to know a million ways to do things if you have sort of like two or three tricks you will get caught at some point um we're human we miss things but you don't want to miss things you want to make sure you don't miss things and you find as much as you possibly can on a test is what I think and if you go in with one or two tricks you might miss things is what I'm saying we're all still learning I did the ip6 talk earlier today and I thought that's brilliant yeah something I want to really really start focusing on in every single test uh right so the new tricks anyway

power shell uh Power shell we all know is incredible I buried my head in the sand for ages and tried to ignore power shell and hoped it would go away it's uh painful to use it's very very hard to learn to use but oh the gifts it gives you are incredible here's a great one who's heard of CB roasting brilliant brilliant KB roasting uh bought to the World by Tim maen Cur roasting basically every user on a domains every standard us with a domain account has rights to ask the domain controller for a copy of its service accounts along with its correlating password hashes now instantly alarm Bell should be going what the hell how can that be a thing it

is a thing it's legitimate it was quite complex to do um and then recently I've started using this a lot which is pos2 and I learned that um basically Powershell isn't quite as hard to use anymore this has helped teach me about Powershell and I'm sort of dipping in and out of using native Powershell but also using a framework it's a framework a lot like Metasploit but really to do Cur Ro now you literally just run that one command and it'll seconds later PPE out all the uh user accounts and the correlating password hashes now the more interesting thing about curb roasting or or should I say service account passwords is they are not uh set by

they're often set years and years and years ago because the last thing you want to do is keep changing your service accounts so they're often set well before you introduce complexity to your domain and they're often very very weak passwords and they're not set to change and they quite often in the domain admins group so to give you an idea if you start thinking Rock tastic which I do use against them but if you start thinking that level of password you're probably not going to get it start thinking more like password one word lowercase that's the level of the domain admin accounts often in these Service Groups or the service group accounts in the domain admin group right so the

quick the quick and easy win email a macro in Poss to makes the macro for you so it's really easy you literally just go BL blah blah blah blah right got my macro let's email it in uh select your implants that means it's remoted back to you so the machine has they've opened the macro and they've connected back to you uh do the curb roast get hashes hashcat rock tastic da but like I said you don't need to use da for that rock tastic for that you can use any old Dictionary what is keros why is this a thing right it provides secure user authentication with an industry standard uh intercompatibility that's a lot of

words. Basically it's dead old, it was introduced in Windows 2000, and it's still used today for compatibility reasons, and it is good, it's a good way of securing users. Right, Groups.xml, this is the other quick route. Right, I kind of sort of mentioned it a little bit earlier, but Groups.xml, again, any user has the rights to do this, so any domain user here with your standard accounts. What you do is you get an SMB share to the domain controller and you just go to the Policies directory and then you go to the search bar at the top, is what I do, and do Groups.xml, just do XML in the search box

and just wait, and just wait for them to come. Metasploit has a post module script, PoshC2 has a post module, well, they call it a post module script but they have a script for it, and I'm sure Empire has, I'm sure they all have. Dead easy to find, anyone can do it. Now Groups.xml, was it, it wasn't a, was it a good idea? Was it? It was an idea, and it was really, really good until Microsoft published the AES encryption key. Now, yeah, it's something someone said: jeez, then you can't encrypt something with AES and then publish the key and then wonder what the hell's going on. Right, so there's the key, that's what was published, so of course seconds

later, I would imagine, some real smart pentester thought 'I can exploit that', and now they did, and this is using Metasploit's script, post script actually. I use it, but you can run it yourself, it just runs in Ruby. And I'm going to walk about here, no one can hear me on this microphone, can I? You can see that username and there's the hash protected with AES, which is great, but they released the key, so what you do is you run this one command and there you go: 'let's get hacking' with a space and an exclamation mark on the end. It takes about a minute to run, it's one of those ones that's actually quite slow, always surprises me how slow

it is. I always think it's not going to work. It's ridiculous, it works every single time, it's going to work every time, they've got the key, but yeah, it takes a bit of time but it works. So any standard user could do this on your domain. Now okay, if all of this PowerShell stuff fails, I still like to grab a Meterpreter shell, and that's how I do it from PoshC2: quick, easy commands, copy and paste in, all you have to do is change your IP address of your listener and bang, you get yourself a Meterpreter shell. Right, the filthy way to getting domain admin. I'm kind of ashamed that I'm saying this, but I think someone has

to say it. Right, ipconfig /all finds you the DC. What it does is it finds you the DNS servers. DNS servers are very, very typically, I was corrected in my last talk, they don't have to be the DC in the Windows domain, but very typically the DNS servers are the DC, so ipconfig /all will find you the DC. In my mind it worked for me every single time. There are scripts for it, you can overcomplicate it if you want. MS17-010 to the DC, I'm ashamed to say this, right, if it's a 2008 box it'll work, congratulations, you've won, bang bang bang, done, DA, go home. Right, Hackerman.

Basically I'm saying it's, like, it's a bit script-kiddie, it's a bit, yeah, it's not very skilled, is it? There you go, this is MS17-010. I don't want to take away the brilliance of the exploit, but what I want to take away from it is the use of it. Oh crap, that's really bad timing, can I reboot it? I'm sorry, I'm very sorry, I'm sorry. Yeah, MS17-010 kills things, that's the point, it kills things. Everyone stay quiet about this on Twitter. I've been watching, Twitter's been exploding about it: 'this is fantastic, we've got MS08-067 again, we can pwn everything'. I've played with it at home and

it kills things. I know, people have told me, who've said 'I've used it, it kills things'. You see a lot of that on your job, clients don't like that. I learned years and years and years ago: try your hardest not to ever reboot a box, clients don't like it. Right, so my advice is: you can't ignore something that's out there. If you're not doing very well on a test and you've tried absolutely everything else, then I might be tempted to hit it up on a single individual user's box, try that way, but I wouldn't go straight to a domain controller and do it. Right, so old school way to DA, I'm showing my age now, non-PowerShell

way. Okay, so we've got creds, right, we're cooking. Nope, good luck. I'm not the world's best at psexec but I'll get to that in a minute. Right, so when I've got creds my first go-to tool obviously is Metasploit. I like the smb_login. Very, very easy to lock everyone out with this tool, you learn painfully from using it, but here I've set the username, I've set the pass, very, very complex password, oh look at that, zero, who would have thought of that, and threads. Come on. Oh, remote hosts. I always do these videos thinking they're a good idea and regret them when I'm live, they take so long. Come on, run. Here we go, what we're looking for is

any account with local admin rights. There we go, administrator lights up green like a Christmas tree, makes me happy. So a domain user account has got local admin rights on that

box. Okay, as I've just said, local system, right, why does this happen, and I'll get to why that's useful in a minute. Basically misconfigured services, shares on local machines, really, really common. I can't think of many tests I've done where I don't find this. There's normally one or two users with local admin rights on the box. I don't know, there'll be a reason, support will say there's a reason for it. I came from a support background and a lot of things you do because you're firefighting, you have to. It's a very, very hard job, and we should respect them. I've been there, I've done it, I know why. It's very,

very hard to think 'okay, now how do I secure everything?' when you're trying to keep everything alive, you're trying to keep it working. We're very quick to judge, but it is a really, really hard job. Right, once you've got local admin rights I will then fire up, I'll give that big speech but I'm still happy to keep pwning, psexec

time. psexec gives you access to the machine if you've got local admin rights on the box, and you spotted that from smb_login, you now know that you can psexec to it. Very, very commonly you can psexec to it anyway. Normally if you run that with a single user, a domain user, not a domain admin, we're talking a single standard user account here, you normally find not one box but maybe four or five boxes that have got local admin rights. So the next thing you want to do is try and get onto those boxes, so here I am, I'm trying to get access to it. Now psexec used to use, obviously, a real

payload which it would drop to disk and antivirus would pick it up, so people used to use Shellter and Veil to get around that. Now it uses PowerShell, so nothing drops to disk at all. Well, its first choice is to use PowerShell, it then preferences a payload if that doesn't work, so nothing drops to disk. We've got the local hashes there, I'll get to that in a minute. It doesn't drop to disk, it doesn't trigger AV, so none of this will get stopped by AV up to this

point. Right, so when you try and do getsystem, a minute ago on the video some of you might spot I did getsystem and did hashdump. I want them local hashes, and I'll explain that in a minute, but quite often obviously it doesn't work, and this is the bit when I start to cry, I get upset. It's not going to be an easy test, not going to be DA in 30 minutes, it's going to take a little bit longer. Let's start doing a bit of skill here. Privesc is an art form that I am learning. It is very hard. There's a few easy hits, a few missing patches that

you can look for, but often in Metasploit those payloads will instantly get picked up by AV. PowerUp is very, very good, back to PowerShell at that point, but PowerUp is very, very good at spotting misconfigured services and things run as local system that shouldn't be run as local system, that you can start and stop and add your payload to and then restart. But it is real skill. But let's say I've gone through all those and I've achieved it, I'm not having a video on this. Let's say you've achieved it and we've got the golden, what I call the golden hashes, the local administrator accounts. Now I'll

try all of them, by the way. I'll go back to smb_login and I'll spray them out against the /24, against the network, and I'll see what they can log into. Where before you might have got into two or three boxes, you can now probably get into about 30 or 40, 300, 600,000 more boxes, and at that point your opportunity to come to domain admin is massively increased. Right, Update 101. So remote access: remote access was achieved very easily by stealing credentials and using an SSL VPN, or alternatively by using a macro, and we've got access to the internal network and we're now local administrator. Right, time to hunt out users of interest. Now if you're a nation

state you probably wouldn't instantly be thinking domain admin, you'd probably be thinking 'that person we're targeting', so they might go hunting out a single individual. On a test, personally, I will go for, to start with, domain admin, because then I can go and hunt out everyone else really easily, but I like to get this to start with regardless, as the keys to the castle. Highest privilege is on a single domain, it's not Enterprise Admin, so if they've got multiple domains you need Enterprise Admin, but it gives you access to all domain resources. Right, rule one of DA Club: Nessus, Qualys and OpenVAS probably aren't going to help you. I'm not

knocking them, and I use Nessus personally, very, very good vulnerability scanner, but if you want to be pen testing, you want to, you know, get domain admin, it's not going to find it. You might find, sorry, you scratched your head, I thought there was a question. No, it's not going to find you domain admin, you have to find it. Now, using the local admin hashes: pass the hash is still very relevant. People say it's fixed, it doesn't work anymore. It does still work, it works fine. Microsoft do not salt, the reason why it works, Microsoft don't salt passwords natively. They can't, it breaks things, and that's why they don't do it. We're

very quick to joke about it, but think, Linux isn't in a domain environment, maybe if it was used as much in the domain environment they might have some problems as well, but they can't do it. So what happens is an engineer comes along, builds that machine, builds that machine, and then these machines get cloned off it, and it gets cloned over and over again, because it doesn't salt the password, the local passwords on that machine are the same on that machine, that machine, that machine, that machine, that machine and that machine. And the danger is Microsoft accepts the password hash natively. You don't have to have a username and password, you don't have to

crack that, you can just use the password hash. I always think that's quite amazing that you can do that. I think it probably accepts the hash preferenced over the actual clear text password, it's ironic. Criminals are starting to catch up: 2016, reports of ransomware starting to use pass the hash techniques. I haven't been able to see any research of what they're using it for, I don't know what they're doing it for, it's pretty dangerous. There were no reports of WannaCry using it. Think of the dangers if WannaCry used that. Yes, they got very far, think about how much further they could have got, they could have taken over 80% of

the internal machines. It would have been, they could have, it would have been devastating. Anyway, that was possibly a mistake on their side not to use it. Weaponized variants of that have started to come out and they're getting better and better and better, so anyone who doesn't patch here, patch, just, just patch. So how can a pentester use pass the hash? I use this, I told you I'm quite old school with my techniques: smbexec is fantastic. Once you've got the hash of the local admin that you know is working, this will go out to all of the /24, or however many subnets you've defined, and it will try and log in and

it'll just look for domain admin for you. It does what BloodHound does, BloodHound will do exactly the same thing at this point, and this is what I call 'DA, DA, come out and play'. Typically you find a lot of domain admins, people use it a lot, varying numbers. Let's say a company's got, I don't know, 30 or 40 people in their IT team, or 20 to 30 people in their IT team, you probably find six that are running things as domain admin. I'll talk about that in a minute. When should a domain admin account be used? I'll throw it out to the audience, does anyone feel like saying, talking? When do you

think a domain admin account should be used? My friend who told me the answer to this is sitting in the audience actually, he's a very smart person. It's a correct answer. Okay, I won't be mean: the domain admin account should be used when you're setting up a domain and when it hits the fan. And there's probably some system engineers now who've freaked and said 'that's wrong, that's just incorrect'. I've had a lot of people fight me over this and say 'that's wrong, just use it all the time'. I find people using it while surfing the internet, they'll elevate their rights, exactly, they'll elevate their rights with IE of all things, that is vulnerable to UNC exploitation, with

the domain admin account and sit there reading the Daily Mail. It's just, just, no, it's not okay. It's not directly our job to say you can't do this, but from a security point of view it's not right. It should be used for setting up the domain and when it hits the fan. Now, password resets, installing software: delegation of permissions, thank you. I put the note in, a Microsoft release called delegation permissions. You can give people administrative accounts that have rights to certain things: they can do that but they can't do this. That's the way to go. Right, so you've found DA, how do you exploit it? The classic way was this:

Mimikatz. Incredible, incredible. Has everyone here seen Mimikatz? But let's just say some people may not have. I'm going to show a video on Mimikatz, definitely worth doing a video. So, one minute, that's interesting, I've got 120 slides still to go. Right, Mimikatz. So we've got a session and, whoa, no privs required, there you go, it's a post script for Mimikatz. Run it and it pulls the password, the clear text domain password, there you go: 'yo complex password', 'yo the admin', very complex password. It pulls it out, clear text, out of memory. If I've got one minute left I just want to just get to this final slide. Oh, my mouse stops

working. Okay, it doesn't play nicely on Windows 10 onwards. Server 2012 and 2016, you have to do a registry tweak which requires rebooting the box. Again, clients don't like that. Criminals, they'll just do it, we can't do that, so what do we do? I used that recently: the Metasploit lockout keylogger. I used a keylogger with Metasploit years ago and it triggered AV, this didn't trigger AV. What it does is it waits 130 seconds and locks the machine. Person: 'oh, it's locked the machine, time to log back in'. You get the creds, snag them, it's as simple as that. That works on Windows 10. PoshC2 obviously has got CredPopper which does the same

kind of thing. Common password choices for DA, they're dreadful, commonly they're dreadful. Right, is that wrap-up time then? Thank you very much. Are there any questions? [Applause] I wasn't joking, I always have extra material just in case. Right, that's my Twitter account if anyone wants to send me a question. Are there any questions out there though? Feel free to drop me a DM at any time, or any public remark or question, and I will respond. Thank you very much.
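The Groups.xml route the talk describes (any domain user reads SYSVOL, the cpassword attribute is AES-encrypted with a key Microsoft published in MS-GPPREF) is small enough to show end to end. The following PowerShell is an added editorial example, not the speaker's code and not from PoshC2, Metasploit or Empire; it uses only .NET's System.Security.Cryptography so it needs no modules. The Groups.xml document is constructed here; the cpassword value in it is the sample string shipped as the usage example of Kali's gpp-decrypt tool, and the account name, GUIDs and timestamp around it are made up. The function name ConvertFrom-GPPCpassword is this example's own. The second function is the check a defender wants: sweep SYSVOL for any preference file still carrying a cpassword, because MS14-025 (KB2962486) stopped new ones being written but does not remove files already there.

```powershell
# Added example: decrypt Group Policy Preferences cpassword values and sweep SYSVOL for them.

function ConvertFrom-GPPCpassword {
    param([Parameter(Mandatory)][string]$Cpassword)

    # The 32-byte AES-256 key from MS-GPPREF 2.2.1.1.4. Microsoft published it, which is the
    # whole weakness: every cpassword in every domain is protected by the same known key.
    $key = [byte[]](0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                    0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)

    # GPP strips the '=' padding from the base64 text; restore it before decoding.
    $pad    = (4 - ($Cpassword.Length % 4)) % 4
    $cipher = [Convert]::FromBase64String($Cpassword + ('=' * $pad))

    # AES-256-CBC, all-zero IV, PKCS7 padding; plaintext is UTF-16LE.
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Key     = $key
        $aes.IV      = New-Object byte[] 16
        $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
        $plain = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
        [System.Text.Encoding]::Unicode.GetString($plain)
    } finally {
        $aes.Dispose()
    }
}

function Find-GPPPasswords {
    # Defender's check: list every preference file under SYSVOL that still carries a non-empty
    # cpassword, with the decrypted value. Default path assumes you are on a domain-joined host.
    param([string]$PoliciesPath = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies")

    # These are the GPP preference files that can embed credentials.
    $files = 'Groups.xml','Services.xml','ScheduledTasks.xml','DataSources.xml','Drives.xml','Printers.xml'

    Get-ChildItem -Path $PoliciesPath -Recurse -Include $files -ErrorAction SilentlyContinue |
        Select-String -Pattern 'cpassword="([^"]+)"' |
        ForEach-Object {
            [pscustomobject]@{
                File      = $_.Path
                Cpassword = $_.Matches[0].Groups[1].Value
                Password  = ConvertFrom-GPPCpassword $_.Matches[0].Groups[1].Value
            }
        }
}

# Constructed Groups.xml, shaped like <GUID>\Machine\Preferences\Groups\Groups.xml on SYSVOL.
# Account name, GUIDs and timestamp are made up; the cpassword is gpp-decrypt's documented sample.
[xml]$groupsXml = @'
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="LocalAdmin" changed="2017-01-12 10:02:27">
    <Properties action="U" newName="" fullName="" description="" cpassword="j1Uyj3vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="LocalAdmin"/>
  </User>
</Groups>
'@

foreach ($u in $groupsXml.Groups.User) {
    $p = $u.Properties
    if ($p.cpassword) {
        [pscustomobject]@{
            UserName = $p.userName
            Changed  = $u.changed
            Password = ConvertFrom-GPPCpassword $p.cpassword
        }
    }
}

# On a domain-joined host, the sweep is simply:
# Find-GPPPasswords | Format-Table -AutoSize
```

The decryption is deliberately written without any third-party module so that it can be pasted into a constrained PowerShell session; the same transform is what the Metasploit post module and the PoshC2 and Empire scripts the talk mentions perform. Treat any hit from Find-GPPPasswords as a credential that has been public to every domain user since the file was written, so rotate the account as well as deleting the file.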
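The Kerberoasting section of the talk rests on three properties of service accounts: any domain user can request a ticket for any SPN, the ticket is encrypted with the account's password-derived key, and those passwords are old, weak and often belong to Domain Admins. The query below is an added example, not the speaker's or PoshC2's code, written as the audit a domain owner would run against that exposure. It assumes the ActiveDirectory RSAT module and a domain-joined session with read access to the directory; the function name Get-KerberoastExposure is this example's own. It flags, for every user account that carries an SPN, how old the password is, whether the account is a (recursive) member of Domain Admins, and whether the KDC will issue it RC4 tickets, which are the fast-to-crack kind.

```powershell
# Added example: audit which SPN-bearing accounts are worth a Kerberoast and why.
Import-Module ActiveDirectory

function Get-KerberoastExposure {
    param([int]$StalePasswordDays = 365)

    # Recursive membership so accounts nested via other groups are caught too.
    $domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Select-Object -ExpandProperty DistinguishedName

    # Every user object with at least one SPN is roastable by any domain user.
    # krbtgt is excluded: it has an SPN but its key is not a human-chosen password.
    $filter = '(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))'
    $props  = 'servicePrincipalName','PasswordLastSet','msDS-SupportedEncryptionTypes','Enabled'

    Get-ADUser -LDAPFilter $filter -Properties $props | ForEach-Object {
        # msDS-SupportedEncryptionTypes bit flags: 0x4 RC4-HMAC, 0x8 AES128, 0x10 AES256.
        # A null attribute means no AES flag is set, so the KDC falls back to RC4 for the ticket.
        $encTypes = [int]($_.'msDS-SupportedEncryptionTypes')
        $rc4Only  = (($encTypes -band 0x18) -eq 0)

        $ageDays = if ($_.PasswordLastSet) { (New-TimeSpan -Start $_.PasswordLastSet).Days } else { $null }

        [pscustomobject]@{
            Account       = $_.SamAccountName
            Enabled       = $_.Enabled
            SPNs          = ($_.servicePrincipalName -join '; ')
            PasswordAge   = $ageDays
            StalePassword = ($null -eq $ageDays) -or ($ageDays -ge $StalePasswordDays)
            DomainAdmin   = $domainAdmins -contains $_.DistinguishedName
            RC4Ticket     = $rc4Only
        }
    } | Sort-Object -Property DomainAdmin, PasswordAge -Descending
}

# Worst offenders first: enabled, Domain Admin, old password, RC4 ticket. These are the
# accounts the talk describes as "password, one word, lowercase" and in Domain Admins.
Get-KerberoastExposure |
    Where-Object { $_.Enabled -and $_.DomainAdmin -and $_.StalePassword -and $_.RC4Ticket } |
    Format-Table Account, PasswordAge, SPNs -AutoSize

# Remediation for a flagged account (assumed name 'svc_legacy'): move it off RC4 so any
# ticket is AES and far slower to crack, then rotate to a long random password. Where the
# service supports it, replace the account with a group Managed Service Account, whose
# 120-character key rotates automatically.
# Set-ADUser -Identity 'svc_legacy' -KerberosEncryptionType AES128,AES256
# New-ADServiceAccount -Name 'gmsa_legacy' -DNSHostName 'legacy.corp.example' -PrincipalsAllowedToRetrieveManagedPassword 'LEGACYHOST$'
```

Two caveats on reading the output. Forcing AES on the account only changes which ticket the KDC hands out; an AES ticket for a password like the talk describes still cracks, just thousands of times slower per guess, so the password change is the real fix. And removing the account from Domain Admins matters more than either: a roasted service account that holds DA is the one-command path from macro to domain the talk walks through.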