
Discovery - What You Look Like To An Attacker

BSides KC · 2018 · 28:56 · Published 2018-06
Tags
Category: Technical
Team: Red
Style: Talk
About this talk
This talk will cover various aspects of "Discovery" on an organization. This is the process of finding all domains, IPs, usernames, email addresses, passwords and keys for a target without actually breaking in. This consists of various areas of open source intelligence, such as certificate information, web archives, and various tools. It also consists of more in-depth information gathering, such as using LinkedIn and public password dumps. The aim is to show how an attacker can map out very detailed information on a target, to result in an external or internal compromise. This talk will also cover some things an organization can do to defend against these various attacks.
Transcript [en]

Okay, right, okay. So [inaudible].

Yes, yes, it's a little quiet. All right, is that better? Right, so this talk is on discovery. I'm a consultant with [inaudible]. A lot of the time what we do is pretty much looking at a company's external infrastructure and having to go and use that to get in, and most of the bad guys are doing the exact same thing. The cool thing is, with the advent of bug bounties, there are a lot of researchers coming out with new tools, so a lot of the stuff that we do [inaudible]. So the point of discovery is pretty much that we want to find out three things:

what the footprint is, what domains a company has out there. You know, I've found anything from a random web server with domain credentials sitting inside it that they just copied over from inside, and since I was able to compromise that, [inaudible], to random branch offices that aren't secured. That happens a lot, so we can tie things to the domain. We also look for email addresses, and pretty much, you know, one, for using phishing, for higher-skill-level attacks, and then, you don't even need that, we use password spraying, and we'll import those and use that, and it's pretty much breaking in and getting connections from the outside actually into the network. So first we'll look at the footprint.

Pretty much we want domains, networks, as I said, and other resources, like developer [inaudible] where you find, you know, sensitive passwords, and the next thing, like GitHub or [inaudible], things like that. Secrets: AWS keys, for example. So the basic steps for domain hunting: we usually start off with some known information. So for example, say we're looking at google.com, we know this is their main domain. We'll go and whois it and we pick out searchable things. Things I usually leave out are [inaudible], because they give you a lot of false positives, but things like the registration email are usually pretty unique. And we also use the

reverse whois services to actually search for something that would repeat. So using Google as an example, if you whois google.com, you've got the registered organization is Google LLC, you've got the phone number, 650 253 0000, and you've got the registrant email, dns-admin at google.com. So right off the bat, let's use ViewDNS; there are lots of other sites that do this. So searching for "Google LLC" you get a whole list of other domains, sometimes ones you'd never think of as belonging to Google, such as

Then we go on to searching for the actual registrant email. You see we find a bunch of other different sites. You know, a lot of these could be junk sites; they just registered the domain so nobody else could, things like that. And then from there, this is kind of interesting: searching for the phone number found [inaudible].cx, and that's actually pretty well known, and a security researcher who I assume works at Google, the actual whois information has his address and all the other good stuff. So we do that, we finally get a big list of domains, and pretty much every domain has quite a number of subdomains, and then we'll go look for some of those

and usually this consists of taking public sources. The Certificate Transparency project: now any certificate that's issued by an actual public CA is registered in a public database, where any other names on that cert are also visible; you could easily search that. DNS [inaudible], services like [inaudible] that come from just scanning the internet, and they make it all available. And then we go through brute forcing: you take a big wordlist and you can just try them all and see whether they resolve, or if they resolve to a wildcard, [inaudible]. There are so many tools to do

this, ridiculous amounts of tools, and I'm pretty sure there's been a new one of these every week for the past month. My favorite is Sublist3r; it goes through several different sources, you know, works fairly fast. theHarvester is an old favorite, [inaudible] for the last seven years. I've heard great things about [inaudible]; people are saying [inaudible]. Gobuster with 100 threads can tear through a wordlist in no time at all, and Subbrute works as well. Massdns does an insane amount of testing but also tends to give you a lot of false positives, [inaudible]. But here's an example running Sublist3r

against [inaudible].cx, and it actually came out with 13 different subdomains. Then google.com using gobuster and a [inaudible] wordlist, just to start firing off, found something different. And again, all this stuff right here, it's heavily developed by the bug bounty hunter society, just because this is where they get all their money from, finding new things out on the internet. So for actual network hunting, it's actually really similar. Taking an IP, say you resolve a domain to an IP address, you can go and do a whois on that IP, and you get the same kinds of information: contact name, contact emails,

company name, so on and so forth. And we use mainly ARIN; ARIN has a great whois site where you can search for [inaudible]. There are other regional registries, [inaudible]. As you find things, you'll find more things to look for in whois, more [inaudible] names, and you just keep building. So with a random Google IP, this is after I [inaudible], you get the organization, Google LLC; you've also got the phone number and contact email address. So going through ARIN, looking at Google's space, you can see a whole bunch of ranges. ARIN is kind of funny in that it's not case-sensitive but it is exact-match: like if you search for "Google"

it will give you exactly what matches "Google"; well, they don't have anything under that, they're under "Google LLC"; if you search for "Google*" it gives you everything. So this turned up a whole bunch of other pages, and if you actually follow these through, actually click through them, you'll find all of it. [inaudible]. Then, pretty much, looking for other sensitive assets. GitHub secrets: as I said before, there are a lot of tools that are made specifically for searching through commit history. They'll just go clone all the repositories for one company and go through every single iteration looking for keywords like "password" or "secret" or "key" or anything like that. [inaudible] will also look for strong, random-looking strings,

and you'll usually have, like, keys or some random thing, and it will pull those out. AWS buckets: there are a lot of programs that are useful for brute forcing bucket names, looking for unsecured buckets. There have been a lot of people that have been caught with things like database backups and stuff like that, their whole infrastructure, sitting out there with no authentication. You can also find things using Google dorks: you can find a lot of people that have, you know, confidential reports and things like that that are just sitting out there getting indexed, but they don't realize they're there. It's pretty much, a lot of this stuff comes out of your creativity. Go find

things that look suspicious, you'll want to kind of pull further, and you'll find something else; go down a lot of different rabbit holes. The next thing to look for is email addresses. There's also a lot of stuff here, not so much from the bug bounty side; it's not really something the bug bounty people do, because most bug bounties say you're not allowed to touch the employees, and employees are off limits, except for actual attackers, and for penetration assessments that's not the case at all. So there are lots of tools that go through the various public sources: search through Google, search through various documents that are on the sites, [inaudible]. Then we go through security

breaches. I'm sure you're familiar: LinkedIn had a security breach, MySpace did, Dropbox, and they just keep on happening. Usually these end up in public, and we go and import them into a searchable database, so we can search on a domain and pull up all the credentials and all the usernames. You know, releases, you know, one of those "not a big deal because it's encrypted" things, like Adobe: everything was encrypted with [inaudible] encryption key, but all the email addresses are still in plain text, and we still use those in the other paths. And then social media: LinkedIn is great for getting people's

names. So, various tools: theHarvester is great; it can scrape email addresses off the web, you just give it a domain, and it goes through Bing and various other places. For documents there's [inaudible], and that will pretty much go through, search for docx, PowerPoint, pptx, xlsx files on a company's websites, download them all, and then just pull the metadata out of them. And then there are various databases that, all they do is collect user info; that's their business, documenting people's email addresses to sell back to marketers and whoever else. So just as an example, theHarvester being run against Google: obviously with Google's [inaudible] addresses that probably mostly don't exist, but you also find a lot of legitimate

ones. This is running exiftool, [inaudible], and you can see there are lots of employee names in there. You know, when you first run Office it asks you what your name is; if you type it in, every document you save from then on has that in it, so that will leak names and stuff like that once it's up on the site. And then security breaches: so LinkedIn, [inaudible], Dropbox, MySpace. There was actually a massive dump just released this year that's pretty much a collection of lots and lots of breaches; all the hashes were [inaudible], which is relatively easy to crack. There are websites that

keep track of most of them, and then people like me just go and download all the breaches. So I have 99.5 percent of the plaintext passwords, including my own. And so this is just a look into, you know, [inaudible]. This is our actual internal database that we use; this is all public information. [inaudible] LinkedIn; well, the others take quite a bit more to get into database form, just because it's pretty sloppy data and it takes some conditioning to get it usable, but still, it's all pretty much there. Now the actual social media sites: LinkedIn displays users up to [inaudible] degrees of separation; it's pretty well known

that it's trivial to build connections, because everybody goes and accepts connection requests with little review. And most email addresses at a company follow a pattern, with the exception of, it's usually like two people that were there early and got, like, their first name at the domain; everybody else is on some other pattern. But there are sites that you can just query to give you the pattern: first initial last name, first name dot last name, so on and so forth. And so what we can do is, we can go use, well, this is one that we use; I started this account a couple of months ago, about 1400 connections in the Kansas City area. I can see everybody. Like, this is google.com: I don't know any

Google people personally, I've never connected with anybody from Google, and I can see pretty much eighty-three thousand different people. Now LinkedIn only goes up to a thousand [results], so I have to do something clever to actually go and wrestle those out. So with most companies I can get about 80% of their staff. If I don't already have them as connections, I just go to the company and just start connecting with everybody, and then, you know, probably like one or two out of ten, if that many, connect with me; then I can see everybody else, and that opens up the network a bunch more, and before you know it, [inaudible]

[inaudible]. So then, okay, good, so we've got a whole huge list of names. We build email addresses from it based on whatever pattern we want to go with. Now, from the bug bounty perspective, this is getting into something that's illegal if you're not contracted to do it. Everything before, the LinkedIn stuff, is kind of a gray area, kind of, you know, probably; there's no [inaudible], this is light touch. Now we're getting into the bad stuff; just saying, you don't do this unless [inaudible]. So the next thing we do is look for a login portal, usually some place that uses credentials, and ideally you want something where it authenticates directly back to AD, because that's going

to be going into their actual back-end domain. Look for Outlook Web Access, look for VPNs, Citrix, so on and so forth; you find all sorts of random things. Then we go and try them as a way of figuring out what the valid usernames are. Some services are very well secured in that they give you the same message no matter what. Some of them, like both of these, are terrible at hiding valid user accounts: there's usually a two to three second delay with an invalid user account versus an incorrect password. I'll show you in a second. I can very quickly go through, find out which of my accounts are actually legitimate Outlook accounts, and then go and see what the actual pattern is. At

that time, if the pattern I had was wrong, then I go and change them all to the correct pattern. Once you've done that, you actually do password spraying. For those of you that aren't familiar with password spraying: everybody knows what brute forcing is, right? It's where you take one account and try passwords until you get in. That doesn't work pretty much anywhere anymore, because most services have a lockout. [inaudible]. Password spraying tries one weak password against all of the valid accounts that you have. This

is really, really effective, especially because of the 90-day password expiry policies. I guarantee you in every organization somebody has a password of Spring2018 or Winter2017, Winter18 or Spring18, so on. So we almost always get in if we have valid users, at pretty much every company. It's actually, this is the reason why NIST changed their guidelines to say that you don't have to expire passwords anymore, because it just trains people to make predictable passwords. And even if, you know, out of 1000 people one sets their password to that, that's all they've given me. It gets even better with something like Outlook Web Access, where we get into one person's account, even an unprivileged account that doesn't get

anything else, but now we have the Global Address List, which gives us all of the AD accounts, and then we can password spray against all of those and find 20 more with that password, who aren't even exposed anywhere on the internet. That's worked before, and if one of those persons has VPN access, you get in on the VPN and it's game on. [inaudible]. So you look for, hopefully they [inaudible], login endpoints. One of the useful, you know, [inaudible], just scanning everything: you use it to look for endpoints, render them, get a view of their [inaudible], go through a few thousand, and you can kind of see where my [inaudible]

web server along the way. You do an nmap scan, [inaudible] with the web servers, do something like EyeWitness or Gowitness; it'll just go through all the ports, all the web servers you give it, and just take a screenshot, and you quickly just cycle through the screenshots, [inaudible], etc. You know, I'll show you an example here; this is just [inaudible]

So, looking at differences between valid and invalid accounts: you can look at error messages, you can also look at time delays, and you can also, a lot of times, look at account registration pages, if they support it, where you go to create an account and it says this account's already taken. So here is valid Active Directory domains: you can also, with Outlook Web Access, actually brute force the domain itself, if it's like domain\username, because with an invalid domain it always gives you no delay, and with a valid domain and an invalid user you get a three second delay. So this right here, I found the domain. Then from there you can go in and

then spray all the user accounts. You can see all the ones with no delay are the valid user accounts. And you know, we have all those in our [inaudible]; we spray, really, every two hours, just so we don't lock anybody out, and it's crazy how [inaudible], and then, you know, get in places. So basically here's an example of an actual successful password spray. We had several [inaudible]; this "Spring18" right here got us into this account, and all the other [inaudible] were compromised as well. So, conclusions. There are several things that we've done

to make all this stuff a lot harder. Private registrations on domains: with this, when you do a whois you don't get any information; you only get [inaudible], so you can't search for the other ones. There are certain services that search through whois history and stuff, but the more of them that are private, the better. Use password policies, an actual real strong password policy, not the, you know, upper case, lower case, number, special character, eight characters long, changes every 90 days, the AD default; it's a terrible password policy because it breeds predictable passwords. Usually a good password policy is something like, instead of checking against a whitelist,

checking against an actual blacklist of known common and compromised passwords. There are lots of sites that make those available; Have I Been Pwned has a list you can even download that has all the most common ones. Check against that, check company names, check seasons, months, all that sort of thing, and just fail the password change if it matches. Doing that right there makes things so much harder, because if we don't get in through spraying we have to go for actual vulnerabilities in the outside applications, and that's a much smaller attack surface. Use two-factor authentication on all external endpoints. There's nothing that stops us harder than this, because we've done it plenty of times on certain clients where we get in and then

it's like, "please enter the text message sent to your cell phone." Okay, and then, you know, the clock's started, all right; they've just got to change that password soon, [inaudible]. We'll find some way around that, but if you have multi-factor authentication, make sure it's on all of your external, anything that allows [inaudible], you know, your email, everything else; it again stops [inaudible]

where they maybe, they just stop. We'll see how that goes.

[Audience question, largely inaudible: something about Censys, which is an index of [inaudible].]

[inaudible] Censys, I [inaudible] more than a certain [inaudible], the actual certificate transparency [inaudible], because that just keeps [inaudible]. Yeah, I guess that would be another good way of going [inaudible] domain names, searching for actual stuff. [inaudible] IPv6, so on the discovery side, [inaudible].

[inaudible]

It is, usually, the stuff that we're attacking isn't so much [inaudible]. For example, right now, [inaudible] with IPv4, none of the business [inaudible] at this point. If IPv4 stops being so prevalent, that's still low-hanging fruit, [inaudible]. But one big thing with IPv6 is that [inaudible] a huge deal, because usually when I do an external assessment I port scan the entire range and look for anything that's listening; that's pretty easy to do. With IPv6 it's pretty much impossible, there are just too many possible hosts. So using something that leaks the information of what's out there, such as

DNS, is much more important. [Audience question, inaudible, about password spraying.] Yep. If you go into [inaudible] and look at events, you see Office 365 getting slammed with just general failed login attempts. You couldn't do it with the same IP; there are ways of going, and there are lots of tools; there's a new one that just came out, [inaudible], that will go and pretty much rotate your IP as it sprays through a couple of dozen [inaudible]. [Audience: are you attacking from one box with the spray?] We have, uh, considerations: one box, multiple users, [inaudible]. Right, we're not locking out accounts, we're not [inaudible] anyone. [Audience: from my perspective, if you're putting this [inaudible]

[inaudible]. Yes, so when you're putting, yeah, [inaudible] account login attempt on the domain controller, then you should be able to feed that into your SIEM. Yeah, that's, we don't want to get the customers' [inaudible] in logs; it's a [inaudible], not [inaudible].

Yeah, why it's not a big deal: we've done the password attack, go somewhere else, like [inaudible].
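The Certificate Transparency step the speaker describes, as an added example that is not code from the talk or from any tool it names: reduce a CT search result to the hostnames it reveals for one apex domain, then diff that against what the defender believes they own. The JSON below is a constructed sample in the shape of the list-of-objects JSON a crt.sh query returns (its name_value field carries newline-separated SAN entries); the apex domain, issuer names, dates and the asset inventory are assumptions, and nothing is fetched from the network.

```python
"""Added example, not from the talk: reduce a Certificate Transparency
search result to the set of hostnames it reveals for one apex domain,
then diff that against what the defender thinks they own.

SAMPLE_CT_JSON is constructed. It mimics the list-of-objects JSON that a
crt.sh query returns, where name_value holds newline-separated SANs."""
import json
from datetime import datetime

SAMPLE_CT_JSON = """[
  {"issuer_name": "C=US, O=Example CA", "common_name": "www.example.com",
   "name_value": "www.example.com\\nexample.com",
   "not_before": "2018-05-01T00:00:00", "not_after": "2018-07-30T00:00:00"},
  {"issuer_name": "C=US, O=Example CA", "common_name": "*.dev.example.com",
   "name_value": "*.dev.example.com\\ndev.example.com",
   "not_before": "2018-03-01T00:00:00", "not_after": "2019-01-01T00:00:00"},
  {"issuer_name": "C=US, O=Example CA", "common_name": "mail.example.com",
   "name_value": "mail.example.com",
   "not_before": "2016-03-01T00:00:00", "not_after": "2017-03-01T00:00:00"},
  {"issuer_name": "C=US, O=Example CA", "common_name": "notexample.com",
   "name_value": "notexample.com\\nwww.notexample.com",
   "not_before": "2018-01-01T00:00:00", "not_after": "2019-01-01T00:00:00"},
  {"issuer_name": "C=US, O=Example CA", "common_name": "API.Example.COM",
   "name_value": "API.Example.COM",
   "not_before": "2018-04-01T00:00:00", "not_after": "2019-06-01T00:00:00"}
]"""


def ct_hostnames(ct_json, apex, as_of_iso=None):
    """Map each hostname under `apex` to whether some cert naming it is
    still unexpired at `as_of_iso` (ISO-8601 timestamp, or None to skip
    the expiry check). Wildcards are reduced to their parent label: a
    '*.dev.example.com' cert proves dev.example.com is a real zone, not
    which hosts exist under it. An expired-only name is still worth a
    look; the host may well be alive on a renewed cert not yet logged."""
    apex = apex.lower().strip(".")
    as_of = datetime.fromisoformat(as_of_iso) if as_of_iso else None
    found = {}
    for entry in json.loads(ct_json):
        unexpired = as_of is None or datetime.fromisoformat(entry["not_after"]) > as_of
        names = set(entry.get("name_value", "").split("\n"))
        names.add(entry.get("common_name", ""))
        for raw in names:
            name = raw.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if not name or (name != apex and not name.endswith("." + apex)):
                continue                      # e.g. notexample.com is not ours
            found[name] = found.get(name, False) or unexpired
    return found


def unknown_hosts(found, inventory):
    """Names CT knows about that the asset inventory does not: the gap
    between what you own on paper and what you look like to an attacker."""
    inv = {h.lower() for h in inventory}
    return sorted(h for h in found if h not in inv)


if __name__ == "__main__":
    hosts = ct_hostnames(SAMPLE_CT_JSON, "example.com", as_of_iso="2018-06-01T00:00:00")
    for host, live in sorted(hosts.items()):
        print(f"{host:22} {'valid cert' if live else 'expired only'}")
    print("not in inventory:", unknown_hosts(hosts, {"www.example.com", "example.com"}))
```

The same function works on a real crt.sh response saved to disk; the only caveat is that CT only shows names somebody requested a certificate for, so it complements rather than replaces the wordlist brute force the speaker runs afterwards.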
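The password-spraying chain the speaker walks through (scraped names, an address pattern, seasonal passwords, a spray paced under the lockout policy) next to the blacklist-style password-change check the conclusions recommend, as one added example that is not code from the talk. The address patterns, names, the lockout numbers and the banned list are all constructed; the schedule assumes Windows lockout semantics (the bad-password counter resets only once more than the observation window has passed since the last failure); nothing here sends a login attempt.

```python
"""Added example, not from the talk: the spraying chain the speaker
describes (names -> addresses -> seasonal passwords -> lockout-aware
schedule) beside the blacklist-style password-change check the
conclusions recommend. Everything below is constructed; no network I/O."""
from datetime import datetime, timedelta
import re

SEASONS = ("spring", "summer", "fall", "autumn", "winter")
MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")

# Assumed address patterns. The talk notes that sites exist which report a
# company's real pattern; pick the reported one (or spray each in turn).
PATTERNS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "firstl":     lambda f, l: f"{f}{l[0]}",
    "first":      lambda f, l: f,
}


def build_emails(names, domain, pattern):
    """'First [Middle] Last' names (e.g. scraped from LinkedIn) -> addresses."""
    fmt = PATTERNS[pattern]
    out = set()
    for full in names:
        parts = full.lower().split()
        if len(parts) < 2:
            continue                          # single name: pattern cannot apply
        out.add(f"{fmt(parts[0], parts[-1])}@{domain}")
    return sorted(out)


def season_passwords(years, suffixes=("", "!", "1")):
    """The 'Spring2018' family that a 90-day expiry policy breeds."""
    return [f"{season}{yy}{suf}"
            for y in years
            for season in ("Spring", "Summer", "Fall", "Winter")
            for yy in (str(y), str(y)[-2:])
            for suf in suffixes]


def spray_schedule(users, passwords, lockout_threshold, observation_window_min,
                   start_iso, margin_min=5):
    """One password against every user per round, paced under an AD-style
    lockout. Assumes Windows semantics: badPwdCount resets only once more
    than the observation window has elapsed since the last failure, so we
    fire at most threshold-1 rounds back to back, then sit out a full
    window plus a margin before the next burst."""
    per_burst = max(1, lockout_threshold - 1)
    rounds, at = [], datetime.fromisoformat(start_iso)
    for i, pw in enumerate(passwords):
        if i and i % per_burst == 0:
            at += timedelta(minutes=observation_window_min + margin_min)
        rounds.append({"at": at, "password": pw, "users": list(users)})
    return rounds


# Defender side: refuse exactly the passwords the spray above relies on.
_DELEET = str.maketrans("01345$@", "oleassa")   # common l33t -> letters


def reject_reason(candidate, company_names=(), banned=frozenset(), min_len=8):
    """Return why a proposed password must be refused, or None if it is OK.
    `banned` stands in for a breach-derived list such as the Pwned Passwords
    download; seasons, months and company names are matched on the word
    left after stripping the trailing '2018!!' wrapper and undoing l33t."""
    if len(candidate) < min_len:
        return "too short"
    low = candidate.lower()
    if low in banned:
        return "banned"
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", low)            # "summ3r18!!" -> "summ3r"
    stem = re.sub(r"[^a-z]", "", core.translate(_DELEET))   # -> "summer"
    if stem in banned:
        return "banned"
    if stem in SEASONS or stem in MONTHS:
        return "seasonal"
    if any(name.lower() in stem for name in company_names):
        return "company name"
    return None


if __name__ == "__main__":
    users = build_emails(["Jane Doe", "John Q. Smith"], "example.com", "flast")
    plan = spray_schedule(users, season_passwords([2018]), 5, 30, "2018-06-01T09:00:00")
    for r in plan[:6]:
        print(r["at"].strftime("%H:%M"), r["password"], r["users"])
    for pw in ("Spring2018!!", "Summ3r18!!!!", "Acme2018!!!!", "CorrectHorseBattery"):
        print(pw, "->", reject_reason(pw, company_names=["Acme"], banned={"password"}))
```

With threshold 5 and a 30-minute window the plan fires four passwords at once and then waits 35 minutes, which is why a spray against a typical AD policy takes hours per handful of guesses; the speaker's "every two hours" is the same idea with a wider margin. On the defensive side the check is deliberately a substring match on the de-leeted stem, so "Acme2018!!!!" and "4cme-Summer!" are both refused; it is a complement to a breach list, not a replacement for one.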